- 15 2月, 2008 2 次提交
-
-
由 Jan Blunck 提交于
audit_log_d_path() is a d_path() wrapper that is used by the audit code. To use a struct path in audit_log_d_path() I need to embed it into struct avc_audit_data. [akpm@linux-foundation.org: coding-style fixes] Signed-off-by: NJan Blunck <jblunck@suse.de> Acked-by: NChristoph Hellwig <hch@infradead.org> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: "J. Bruce Fields" <bfields@fieldses.org> Cc: Neil Brown <neilb@suse.de> Cc: Stephen Smalley <sds@tycho.nsa.gov> Cc: James Morris <jmorris@namei.org> Signed-off-by: NAndrew Morton <akpm@linux-foundation.org> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
由 Jan Blunck 提交于
* Use struct path in fs_struct. Signed-off-by: NAndreas Gruenbacher <agruen@suse.de> Signed-off-by: NJan Blunck <jblunck@suse.de> Acked-by: NChristoph Hellwig <hch@lst.de> Signed-off-by: NAndrew Morton <akpm@linux-foundation.org> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
- 02 2月, 2008 9 次提交
-
-
由 Eric Paris 提交于
Disabling audit at runtime by auditctl doesn't mean that we can stop allocating contexts for new processes; we don't want to miss them when that sucker is reenabled. (based on work from Al Viro in the RHEL kernel series) Signed-off-by: NEric Paris <eparis@redhat.com>
-
由 Eric Paris 提交于
execve arguments can be quite large. There is no limit on the number of arguments and a 4G limit on the size of an argument. this patch prints those aruguments in bite sized pieces. a userspace size limitation of 8k was discovered so this keeps messages around 7.5k single arguments larger than 7.5k in length are split into multiple records and can be identified as aX[Y]= Signed-off-by: NEric Paris <eparis@redhat.com>
-
由 Eric Paris 提交于
If we fail to get an ab in audit_log_pid_context this may be due to an exclude rule rather than a memory allocation failure. If it was due to a memory allocation failue we would have already paniced and no need to do it again. Signed-off-by: NEric Paris <eparis@redhat.com>
-
由 Eric Paris 提交于
This patch adds an end of event record type. It will be sent by the kernel as the last record when a multi-record event is triggered. This will aid realtime analysis programs since they will now reliably know they have the last record to complete an event. The audit daemon filters this and will not write it to disk. Signed-off-by: Steve Grubb <sgrubb redhat com> Signed-off-by: NEric Paris <eparis@redhat.com>
-
由 Eric Paris 提交于
In order to correlate audit records to an individual login add a session id. This is incremented every time a user logs in and is included in almost all messages which currently output the auid. The field is labeled ses= or oses= Signed-off-by: NEric Paris <eparis@redhat.com>
-
由 Eric Paris 提交于
Add uid, loginuid, and comm collection to OBJ_PID records. This just gives users a little more information about the task that received a signal. pid is rather meaningless after the fact, and even though comm isn't great we can't collect exe reasonably on this code path for performance reasons. Signed-off-by: NEric Paris <eparis@redhat.com>
-
由 Eric Paris 提交于
The syscall exit code will change ERESTART* kernel internal return codes to EINTR if it does not restart the syscall. Since we collect the audit info before that point we should fix those in the audit log as well. Signed-off-by: NEric Paris <eparis@redhat.com>
-
由 Al Viro 提交于
Keeping loginuid in audit_context is racy and results in messier code. Taken to task_struct, out of the way of ->audit_context changes. Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
-
由 Al Viro 提交于
all callers pass something->audit_context Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
-
- 23 10月, 2007 1 次提交
-
-
由 Randy Dunlap 提交于
Fix kernel-doc for auditsc parameter changes. Warning(linux-2.6.23-git17//kernel/auditsc.c:1623): No description found for parameter 'dentry' Warning(linux-2.6.23-git17//kernel/auditsc.c:1666): No description found for parameter 'dentry' Signed-off-by: NRandy Dunlap <randy.dunlap@oracle.com> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
- 21 10月, 2007 2 次提交
-
-
由 Al Viro 提交于
New kind of audit rule predicates: "object is visible in given subtree". The part that can be sanely implemented, that is. Limitations: * if you have hardlink from outside of tree, you'd better watch it too (or just watch the object itself, obviously) * if you mount something under a watched tree, tell audit that new chunk should be added to watched subtrees * if you umount something in a watched tree and it's still mounted elsewhere, you will get matches on events happening there. New command tells audit to recalculate the trees, trimming such sources of false positives. Note that it's _not_ about path - if something mounted in several places (multiple mount, bindings, different namespaces, etc.), the match does _not_ depend on which one we are using for access. Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
-
由 Al Viro 提交于
makes caller simpler *and* allows to scan ancestors Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
-
- 19 10月, 2007 1 次提交
-
-
由 Daniel Walker 提交于
Signed-off-by: NDaniel Walker <dwalker@mvista.com> Cc: David Woodhouse <dwmw2@infradead.org> Signed-off-by: NAndrew Morton <akpm@linux-foundation.org> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
- 17 10月, 2007 1 次提交
-
-
由 Jesper Juhl 提交于
This patch cleans up duplicate includes in kernel/ Signed-off-by: NJesper Juhl <jesper.juhl@gmail.com> Acked-by: NPaul E. McKenney <paulmck@linux.vnet.ibm.com> Reviewed-by: NSatyam Sharma <ssatyam@cse.iitk.ac.in> Signed-off-by: NAndrew Morton <akpm@linux-foundation.org> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
- 10 10月, 2007 1 次提交
-
-
由 Trond Myklebust 提交于
This will allow rpc.gssd to use inotify instead of dnotify in order to locate new rpc upcall pipes. This also requires the exporting of __audit_inode_child(), which is used by fsnotify_create() and fsnotify_mkdir(). Ccing David Woodhouse. Cc: David Woodhouse <dwmw2@infradead.org> Signed-off-by: NTrond Myklebust <Trond.Myklebust@netapp.com>
-
- 23 8月, 2007 1 次提交
-
-
由 Adrian Bunk 提交于
This patch fixes an off-by-one in a BUG_ON() spotted by the Coverity checker. Signed-off-by: NAdrian Bunk <bunk@stusta.de> Cc: Amy Griffis <amy.griffis@hp.com> Cc: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: NAndrew Morton <akpm@linux-foundation.org> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
- 08 8月, 2007 1 次提交
-
-
由 Al Viro 提交于
The check for audit_signals is misplaced and the check for audit_dummy_context() is missing; as the result, if we send a signal to auditd from task with NULL ->audit_context while we have audit_signals != 0 we end up with an oops. Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk> Acked-by: NJames Morris <jmorris@namei.org> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
- 29 7月, 2007 1 次提交
-
-
由 Peter Zijlstra 提交于
copy_from_user() returns the number of bytes not copied, hence 0 is the expected output. axi->mm might not be valid anymore when not equal to current->mm, do not dereference before checking that - thanks to Al for spotting that. Signed-off-by: NPeter Zijlstra <a.p.zijlstra@chello.nl> Tested-by: NSteve Grubb <sgrubb@redhat.com> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
- 22 7月, 2007 2 次提交
-
-
由 Al Viro 提交于
Selinux folks had been complaining about the lack of AVC_PATH records when audit is disabled. I must admit my stupidity - I assumed that avc_audit() really couldn't use audit_log_d_path() because of deadlocks (== could be called with dcache_lock or vfsmount_lock held). Shouldn't have made that assumption - it never gets called that way. It _is_ called under spinlocks, but not those. Since audit_log_d_path() uses ab->gfp_mask for allocations, kmalloc() in there is not a problem. IOW, the simple fix is sufficient: let's rip AUDIT_AVC_PATH out and simply generate pathname as part of main record. It's trivial to do. Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk> Acked-by: NJames Morris <jmorris@namei.org>
-
由 Steve Grubb 提交于
The mode fields for IPC records are not consistent. Some are hex, others are octal. This patch makes them all octal. Signed-off-by: NSteve Grubb <sgrubb@redhat.com> Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
-
- 20 7月, 2007 2 次提交
-
-
由 Ollie Wild 提交于
Remove the arg+env limit of MAX_ARG_PAGES by copying the strings directly from the old mm into the new mm. We create the new mm before the binfmt code runs, and place the new stack at the very top of the address space. Once the binfmt code runs and figures out where the stack should be, we move it downwards. It is a bit peculiar in that we have one task with two mm's, one of which is inactive. [a.p.zijlstra@chello.nl: limit stack size] Signed-off-by: NOllie Wild <aaw@google.com> Signed-off-by: NPeter Zijlstra <a.p.zijlstra@chello.nl> Cc: <linux-arch@vger.kernel.org> Cc: Hugh Dickins <hugh@veritas.com> [bunk@stusta.de: unexport bprm_mm_init] Signed-off-by: NAdrian Bunk <bunk@stusta.de> Signed-off-by: NAndrew Morton <akpm@linux-foundation.org> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
由 Peter Zijlstra 提交于
The purpose of audit_bprm() is to log the argv array to a userspace daemon at the end of the execve system call. Since user-space hasn't had time to run, this array is still in pristine state on the process' stack; so no need to copy it, we can just grab it from there. In order to minimize the damage to audit_log_*() copy each string into a temporary kernel buffer first. Currently the audit code requires that the full argument vector fits in a single packet. So currently it does clip the argv size to a (sysctl) limit, but only when execve auditing is enabled. If the audit protocol gets extended to allow for multiple packets this check can be removed. Signed-off-by: NPeter Zijlstra <a.p.zijlstra@chello.nl> Signed-off-by: NOllie Wild <aaw@google.com> Cc: <linux-audit@redhat.com> Signed-off-by: NAndrew Morton <akpm@linux-foundation.org> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
- 17 7月, 2007 2 次提交
-
-
由 Henrik Kretzschmar 提交于
Fix parameter name in audit_core_dumps for kerneldoc. Signed-off-by: NHenrik Kretzschmar <henne@nachtwindheim.de> Cc: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: NAndrew Morton <akpm@linux-foundation.org> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
由 Miloslav Trmac 提交于
Add TTY input auditing, used to audit system administrator's actions. This is required by various security standards such as DCID 6/3 and PCI to provide non-repudiation of administrator's actions and to allow a review of past actions if the administrator seems to overstep their duties or if the system becomes misconfigured for unknown reasons. These requirements do not make it necessary to audit TTY output as well. Compared to an user-space keylogger, this approach records TTY input using the audit subsystem, correlated with other audit events, and it is completely transparent to the user-space application (e.g. the console ioctls still work). TTY input auditing works on a higher level than auditing all system calls within the session, which would produce an overwhelming amount of mostly useless audit events. Add an "audit_tty" attribute, inherited across fork (). Data read from TTYs by process with the attribute is sent to the audit subsystem by the kernel. The audit netlink interface is extended to allow modifying the audit_tty attribute, and to allow sending explanatory audit events from user-space (for example, a shell might send an event containing the final command, after the interactive command-line editing and history expansion is performed, which might be difficult to decipher from the TTY input alone). Because the "audit_tty" attribute is inherited across fork (), it would be set e.g. for sshd restarted within an audited session. To prevent this, the audit_tty attribute is cleared when a process with no open TTY file descriptors (e.g. after daemon startup) opens a TTY. See https://www.redhat.com/archives/linux-audit/2007-June/msg00000.html for a more detailed rationale document for an older version of this patch. [akpm@linux-foundation.org: build fix] Signed-off-by: NMiloslav Trmac <mitr@redhat.com> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: Alan Cox <alan@lxorguk.ukuu.org.uk> Cc: Paul Fulghum <paulkf@microgate.com> Cc: Casey Schaufler <casey@schaufler-ca.com> Cc: Steve Grubb <sgrubb@redhat.com> Signed-off-by: NAndrew Morton <akpm@linux-foundation.org> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
- 11 5月, 2007 6 次提交
-
-
由 Steve Grubb 提交于
Hi, I have been working on some code that detects abnormal events based on audit system events. One kind of event that we currently have no visibility for is when a program terminates due to segfault - which should never happen on a production machine. And if it did, you'd want to investigate it. Attached is a patch that collects these events and sends them into the audit system. Signed-off-by: NSteve Grubb <sgrubb@redhat.com> Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
-
由 Amy Griffis 提交于
Make more effort to detect previously collected names, so we don't log multiple PATH records for a single filesystem object. Add audit_inc_name_count() to reduce duplicate code. Signed-off-by: NAmy Griffis <amy.griffis@hp.com> Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
-
由 Amy Griffis 提交于
Handle the edge cases for POSIX message queue auditing. Collect inode info when opening an existing mq, and for send/receive operations. Remove audit_inode_update() as it has really evolved into the equivalent of audit_inode(). Signed-off-by: NAmy Griffis <amy.griffis@hp.com> Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
-
由 Amy Griffis 提交于
Audit contexts can be reused, so initialize a name's osid to the default in audit_getname(). This ensures we don't log a bogus object label when no inode data is collected for a name. Signed-off-by: NAmy Griffis <amy.griffis@hp.com> Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
-
由 Amy Griffis 提交于
When auditing syscalls that send signals, log the pid and security context for each target process. Optimize the data collection by adding a counter for signal-related rules, and avoiding allocating an aux struct unless we have more than one target process. For process groups, collect pid/context data in blocks of 16. Move the audit_signal_info() hook up in check_kill_permission() so we audit attempts where permission is denied. Signed-off-by: NAmy Griffis <amy.griffis@hp.com> Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
-
由 Al Viro 提交于
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
-
- 15 3月, 2007 1 次提交
-
-
由 Al Viro 提交于
GFP_KERNEL allocations in non-blocking context; fixed by killing an idiotic use of security_getprocattr(). Acked-by: NStephen Smalley <sds@tycho.nsa.gov> Acked-by: NJames Morris <jmorris@namei.org> Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
- 18 2月, 2007 1 次提交
-
-
由 Al Viro 提交于
Provide an audit record of the descriptor pair returned by pipe() and socketpair(). Rewritten from the original posted to linux-audit by John D. Ramsdell <ramsdell@mitre.org> Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
-
- 09 12月, 2006 2 次提交
-
-
由 Josef Sipek 提交于
Signed-off-by: NJosef Sipek <jsipek@fsl.cs.sunysb.edu> Signed-off-by: NAndrew Morton <akpm@osdl.org> Signed-off-by: NLinus Torvalds <torvalds@osdl.org>
-
由 Peter Zijlstra 提交于
Fix the locking of signal->tty. Use ->sighand->siglock to protect ->signal->tty; this lock is already used by most other members of ->signal/->sighand. And unless we are 'current' or the tasklist_lock is held we need ->siglock to access ->signal anyway. (NOTE: sys_unshare() is broken wrt ->sighand locking rules) Note that tty_mutex is held over tty destruction, so while holding tty_mutex any tty pointer remains valid. Otherwise the lifetime of ttys are governed by their open file handles. This leaves some holes for tty access from signal->tty (or any other non file related tty access). It solves the tty SLAB scribbles we were seeing. (NOTE: the change from group_send_sig_info to __group_send_sig_info needs to be examined by someone familiar with the security framework, I think it is safe given the SEND_SIG_PRIV from other __group_send_sig_info invocations) [schwidefsky@de.ibm.com: 3270 fix] [akpm@osdl.org: various post-viro fixes] Signed-off-by: NPeter Zijlstra <a.p.zijlstra@chello.nl> Acked-by: NAlan Cox <alan@redhat.com> Cc: Oleg Nesterov <oleg@tv-sign.ru> Cc: Prarit Bhargava <prarit@redhat.com> Cc: Chris Wright <chrisw@sous-sol.org> Cc: Roland McGrath <roland@redhat.com> Cc: Stephen Smalley <sds@tycho.nsa.gov> Cc: James Morris <jmorris@namei.org> Cc: "David S. Miller" <davem@davemloft.net> Cc: Jeff Dike <jdike@addtoit.com> Cc: Martin Schwidefsky <schwidefsky@de.ibm.com> Cc: Jan Kara <jack@ucw.cz> Signed-off-by: NMartin Schwidefsky <schwidefsky@de.ibm.com> Signed-off-by: NAndrew Morton <akpm@osdl.org> Signed-off-by: NLinus Torvalds <torvalds@osdl.org>
-
- 07 12月, 2006 1 次提交
-
-
由 Joy Latten 提交于
An audit message occurs when an ipsec SA or ipsec policy is created/deleted. Signed-off-by: NJoy Latten <latten@austin.ibm.com> Signed-off-by: NJames Morris <jmorris@namei.org> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 04 12月, 2006 1 次提交
-
-
由 Al Viro 提交于
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
-
- 04 10月, 2006 2 次提交
-
-
由 Steve Grubb 提交于
Hi, This patch removes the rdev logging from the previous patch The below patch closes an unbounded use of name_count. This can lead to oopses in some new file systems. Signed-off-by: NSteve Grubb <sgrubb@redhat.com> Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
-
由 Alexander Viro 提交于
On Thu, Sep 28, 2006 at 04:03:06PM -0400, Eric Paris wrote: > After some looking I did not see a way to get into audit_log_exit > without having set the ppid. So I am dropping the set from there and > only doing it at the beginning. > > Please comment/ack/nak as soon as possible. Ehh... That's one hell of an overhead to be had ;-/ Let's be lazy. Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
-