18 Aug, 2020

1 commit

  • Variables sig_pid, audit_sig_uid and audit_sig_sid
    are only used in the audit.c file across the kernel.
    Hence there appears to be no reason for declaring them as globals.
    This patch removes their global declarations from the .h file
    and changes them into static in the .c file.

    Signed-off-by: Jules Irenge
    Signed-off-by: Paul Moore

    Jules Irenge
     

29 Jul, 2020

1 commit

  • Unfortunately the commit listed in the subject line above failed
    to ensure that the task's audit_context was properly initialized/set
    before enabling the "accompanying records". Depending on the
    situation, the resulting audit_context could have invalid values in
    some of its fields which could cause a kernel panic/oops when the
    task/syscall exits and the audit records are generated.

    We will revisit the original patch, with the necessary fixes, in a
    future kernel but right now we just want to fix the kernel panic
    with the least amount of added risk.

    Cc: stable@vger.kernel.org
    Fixes: 1320a4052ea1 ("audit: trigger accompanying records when no rules present")
    Reported-by: j2468h@googlemail.com
    Signed-off-by: Paul Moore

    Paul Moore
     

23 Apr, 2020

1 commit

  • If audit_list_rules_send() fails when trying to create a new thread
    to send the rules it also fails to cleanup properly, leaking a
    reference to a net structure. This patch fixes the error path and
    renames audit_send_list() to audit_send_list_thread() to better
    match its cousin, audit_send_reply_thread().

    Reported-by: teroincn@gmail.com
    Reviewed-by: Richard Guy Briggs
    Signed-off-by: Paul Moore

    Paul Moore
     

12 Mar, 2020

1 commit

  • When there are no audit rules registered, mandatory records (config,
    etc.) are missing their accompanying records (syscall, proctitle, etc.).

    This is due to audit context dummy set on syscall entry based on absence
    of rules that signals that no other records are to be printed.

    Clear the dummy bit if any record is generated.

    The proctitle context and dummy checks are pointless since the
    proctitle record will not be printed if no syscall records are printed.

    Please see upstream github issue
    https://github.com/linux-audit/audit-kernel/issues/120

    Signed-off-by: Richard Guy Briggs
    Signed-off-by: Paul Moore

    Richard Guy Briggs
     

09 Jul, 2019

1 commit

  • Pull audit updates from Paul Moore:
    "This pull request is a bit early, but with some vacation time coming
    up I wanted to send this out now just in case the remote Internet Gods
    decide not to smile on me once the merge window opens. The patchset
    for v5.3 is pretty minor this time, the highlights include:

    - When the audit daemon is sent a signal, ensure we deliver
    information about the sender even when syscall auditing is not
    enabled/supported.

    - Add the ability to filter audit records based on network address
    family.

    - Tighten the audit field filtering restrictions on string based
    fields.

    - Cleanup the audit field filtering verification code.

    - Remove a few BUG() calls from the audit code"

    * tag 'audit-pr-20190702' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit:
    audit: remove the BUG() calls in the audit rule comparison functions
    audit: enforce op for string fields
    audit: add saddr_fam filter field
    audit: re-structure audit field valid checks
    audit: deliver signal_info regarless of syscall

    Linus Torvalds
     

31 May, 2019

1 commit

  • Based on 1 normalized pattern(s):

    this program is free software you can redistribute it and or modify
    it under the terms of the gnu general public license as published by
    the free software foundation either version 2 of the license or at
    your option any later version this program is distributed in the
    hope that it will be useful but without any warranty without even
    the implied warranty of merchantability or fitness for a particular
    purpose see the gnu general public license for more details you
    should have received a copy of the gnu general public license along
    with this program if not write to the free software foundation inc
    59 temple place suite 330 boston ma 02111 1307 usa

    extracted by the scancode license scanner the SPDX license identifier

    GPL-2.0-or-later

    has been chosen to replace the boilerplate/reference in 1334 file(s).

    Signed-off-by: Thomas Gleixner
    Reviewed-by: Allison Randal
    Reviewed-by: Richard Fontana
    Cc: linux-spdx@vger.kernel.org
    Link: https://lkml.kernel.org/r/20190527070033.113240726@linutronix.de
    Signed-off-by: Greg Kroah-Hartman

    Thomas Gleixner
     

22 May, 2019

1 commit

  • When a process signals the audit daemon (shutdown, rotate, resume,
    reconfig) but syscall auditing is not enabled, we still want to know the
    identity of the process sending the signal to the audit daemon.

    Move audit_signal_info() out of syscall auditing to general auditing but
    create a new function audit_signal_info_syscall() to take care of the
    syscall dependent parts for when syscall auditing is enabled.

    Please see the github kernel audit issue
    https://github.com/linux-audit/audit-kernel/issues/111

    Signed-off-by: Richard Guy Briggs
    Signed-off-by: Paul Moore

    Richard Guy Briggs
     

29 Apr, 2019

1 commit


08 Feb, 2019

1 commit


04 Feb, 2019

1 commit

  • Remove audit_context from struct task_struct and struct audit_buffer
    when CONFIG_AUDIT is enabled but CONFIG_AUDITSYSCALL is not.

    Also, audit_log_name() (and supporting inode and fcaps functions) should
    have been put back in auditsc.c when soft and hard link logging was
    normalized since it is only used by syscall auditing.

    See github issue https://github.com/linux-audit/audit-kernel/issues/105

    Signed-off-by: Richard Guy Briggs
    Signed-off-by: Paul Moore

    Richard Guy Briggs
     

31 Jan, 2019

1 commit

  • Don't fetch fcaps when umount2 is called to avoid a process hang while
    it waits for the missing resource to (possibly never) re-appear.

    Note the comment above user_path_mountpoint_at():
    * A umount is a special case for path walking. We're not actually interested
    * in the inode in this situation, and ESTALE errors can be a problem. We
    * simply want track down the dentry and vfsmount attached at the mountpoint
    * and avoid revalidating the last component.

    This can happen on ceph, cifs, 9p, lustre, fuse (gluster) or NFS.

    Please see the github issue tracker
    https://github.com/linux-audit/audit-kernel/issues/100

    Signed-off-by: Richard Guy Briggs
    [PM: merge fuzz in audit_log_fcaps()]
    Signed-off-by: Paul Moore

    Richard Guy Briggs
     

26 Jan, 2019

2 commits

  • Pull together all the audit syscall watch, mark and tree prototypes and
    stubs into the same ifdef.

    Signed-off-by: Richard Guy Briggs
    Signed-off-by: Paul Moore

    Richard Guy Briggs
     
  • V3 namespaced file capabilities were introduced in
    commit 8db6c34f1dbc ("Introduce v3 namespaced file capabilities")

    Add support for these by adding the "frootid" field to the existing
    fcaps fields in the NAME and BPRM_FCAPS records.

    Please see github issue
    https://github.com/linux-audit/audit-kernel/issues/103

    Signed-off-by: Richard Guy Briggs
    Acked-by: Serge Hallyn
    [PM: comment tweak to fit an 80 char line width]
    Signed-off-by: Paul Moore

    Richard Guy Briggs
     

15 Jan, 2019

1 commit

  • Since the context is derived from the task parameter handed to
    __audit_free(), hand the context to audit_kill_trees() so it can be used
    to associate with a syscall record. This requires adding the context
    parameter to kill_rules() rather than using the current audit_context.

    The callers of trim_marked() and evict_chunk() still have their context.

    The EOE record was being issued prior to the pruning of the killed_tree
    list.

    Move the kill_trees call before the audit_log_exit call in
    __audit_free() and __audit_syscall_exit() so that any pruned trees
    CONFIG_CHANGE records are included with the associated syscall event by
    the user library due to the EOE record flagging the end of the event.

    See: https://github.com/linux-audit/audit-kernel/issues/50
    See: https://github.com/linux-audit/audit-kernel/issues/59

    Signed-off-by: Richard Guy Briggs
    [PM: fixed merge fuzz in kernel/audit_tree.c]
    Signed-off-by: Paul Moore

    Richard Guy Briggs
     

27 Nov, 2018

1 commit

  • There are many places, notably audit_log_task_info() and
    audit_log_exit(), that take task_struct pointers but in reality they
    are always working on the current task. This patch eliminates the
    task_struct arguments and uses current directly which allows a number
    of cleanups as well.

    Acked-by: Richard Guy Briggs
    Signed-off-by: Paul Moore

    Paul Moore
     

20 Nov, 2018

2 commits


24 Feb, 2018

1 commit

  • Evidently the __mutex_owner() function was never intended for use
    outside the core mutex code, so build a thin locking wrapper around
    the mutex code which allows us to track the mutex owner.

    One, arguably positive, side effect is that this allows us to hide
    the audit_cmd_mutex inside of kernel/audit.c behind the lock/unlock
    functions.

    Reported-by: Peter Zijlstra
    Reviewed-by: Richard Guy Briggs
    Signed-off-by: Paul Moore

    Paul Moore
     

16 Nov, 2017

1 commit

  • Pull audit updates from Paul Moore:
    "Another relatively small pull request for audit, nine patches total.

    The only real new bit of functionality is the patch from Richard which
    adds the ability to filter records based on the filesystem type.

    The remainder are bug fixes and cleanups; the bug fix highlights
    include:

    - ensuring that we properly audit init/PID-1 (me)

    - allowing the audit daemon to shutdown the kernel/auditd connection
    cleanly by setting the audit PID to zero (Steve)"

    * tag 'audit-pr-20171113' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit:
    audit: filter PATH records keyed on filesystem magic
    Audit: remove unused audit_log_secctx function
    audit: Allow auditd to set pid to 0 to end auditing
    audit: Add new syscalls to the perm=w filter
    audit: use audit_set_enabled() in audit_enable()
    audit: convert audit_ever_enabled to a boolean
    audit: don't use simple_strtol() anymore
    audit: initialize the audit subsystem as early as possible
    audit: ensure that 'audit=1' actually enables audit for PID 1

    Linus Torvalds
     

11 Nov, 2017

1 commit


04 Sep, 2017

1 commit

  • struct timespec is not y2038 safe. Replace
    all uses of timespec by y2038 safe struct timespec64.

    Even though timespec is used here to represent timeouts,
    replace these with timespec64 so that it facilitates
    in verification by creating a y2038 safe kernel image
    that is free of timespec.

    The syscall interfaces themselves are not changed as part
    of the patch. They will be part of a different series.

    Signed-off-by: Deepa Dinamani
    Cc: Paul Moore
    Cc: Richard Guy Briggs
    Reviewed-by: Richard Guy Briggs
    Reviewed-by: Arnd Bergmann
    Acked-by: Paul Moore
    Signed-off-by: Al Viro

    Deepa Dinamani
     

13 Jun, 2017

1 commit

  • Fixed checkpatch.pl warnings of "function definition argument FOO
    should also have an identifier name"

    Signed-off-by: Derek Robson
    Reviewed-by: Richard Guy Briggs
    Signed-off-by: Paul Moore

    Derek Robson
     

31 May, 2017

1 commit

  • Capabilities were augmented to include ambient capabilities in v4.3
    commit 58319057b784 ("capabilities: ambient capabilities").

    Add ambient capabilities to the audit BPRM_FCAPS and CAPSET records.

    The record contains fields "old_pp", "old_pi", "old_pe", "new_pp",
    "new_pi", "new_pe" so in keeping with the previous record
    normalizations, change the "new_*" variants to simply drop the "new_"
    prefix.

    A sample of the replaced BPRM_FCAPS record:
    RAW: type=BPRM_FCAPS msg=audit(1491468034.252:237): fver=2
    fp=0000000000200000 fi=0000000000000000 fe=1 old_pp=0000000000000000
    old_pi=0000000000000000 old_pe=0000000000000000 old_pa=0000000000000000
    pp=0000000000200000 pi=0000000000000000 pe=0000000000200000
    pa=0000000000000000

    INTERPRET: type=BPRM_FCAPS msg=audit(04/06/2017 04:40:34.252:237):
    fver=2 fp=sys_admin fi=none fe=chown old_pp=none old_pi=none
    old_pe=none old_pa=none pp=sys_admin pi=none pe=sys_admin pa=none

    A sample of the replaced CAPSET record:
    RAW: type=CAPSET msg=audit(1491469502.371:242): pid=833
    cap_pi=0000003fffffffff cap_pp=0000003fffffffff cap_pe=0000003fffffffff
    cap_pa=0000000000000000

    INTERPRET: type=CAPSET msg=audit(04/06/2017 05:05:02.371:242) : pid=833
    cap_pi=chown,dac_override,dac_read_search,fowner,fsetid,kill,
    setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,
    net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,
    sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,
    sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,
    mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read
    cap_pp=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,
    setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,
    net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,
    sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,
    sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,
    mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read
    cap_pe=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,
    setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,
    net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,
    sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,
    sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,
    mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read
    cap_pa=none

    See: https://github.com/linux-audit/audit-kernel/issues/40

    Signed-off-by: Richard Guy Briggs
    Acked-by: Serge Hallyn
    Signed-off-by: Paul Moore

    Richard Guy Briggs
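
    The record samples in the commit above can be decoded and checked for capabilities gained across an exec. This is an added example, not code from the commit or the kernel; the function names, the `unknown_N` label and the legacy-format record are assumptions made for illustration.

```python
import re

# Bit number -> capability name, in the order of the interpreted CAPSET sample.
CAP_NAMES = (
    "chown dac_override dac_read_search fowner fsetid kill setgid setuid "
    "setpcap linux_immutable net_bind_service net_broadcast net_admin "
    "net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace "
    "sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time "
    "sys_tty_config mknod lease audit_write audit_control setfcap "
    "mac_override mac_admin syslog wake_alarm block_suspend audit_read"
).split()

HEADER_RE = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):")
FIELD_RE = re.compile(r"(\w+)=(\S+)")
# Hex bitmask fields: fp/fi, plus pp/pi/pe/pa with an optional old_/new_/cap_
# prefix. fver, fe and pid are not masks and are left as logged.
MASK_FIELD_RE = re.compile(r"f[pi]|(old_|new_|cap_)?p[piea]")

# RAW samples quoted in the commit message, re-joined onto single lines.
BPRM_RAW = ("type=BPRM_FCAPS msg=audit(1491468034.252:237): fver=2 "
            "fp=0000000000200000 fi=0000000000000000 fe=1 "
            "old_pp=0000000000000000 old_pi=0000000000000000 "
            "old_pe=0000000000000000 old_pa=0000000000000000 "
            "pp=0000000000200000 pi=0000000000000000 pe=0000000000200000 "
            "pa=0000000000000000")
CAPSET_RAW = ("type=CAPSET msg=audit(1491469502.371:242): pid=833 "
              "cap_pi=0000003fffffffff cap_pp=0000003fffffffff "
              "cap_pe=0000003fffffffff cap_pa=0000000000000000")
# Constructed record using the pre-rename "new_*" field names.
LEGACY_RAW = ("type=BPRM_FCAPS msg=audit(1400000000.000:1): fver=2 "
              "fp=0000000000003000 fi=0000000000000000 fe=1 "
              "old_pp=0000000000000000 old_pi=0000000000000000 "
              "old_pe=0000000000000000 new_pp=0000000000003000 "
              "new_pi=0000000000000000 new_pe=0000000000003000")


def mask_to_names(value):
    """Expand a capability bitmask into names, lowest bit first."""
    names, bit = [], 0
    while value:
        if value & 1:
            known = bit < len(CAP_NAMES)
            names.append(CAP_NAMES[bit] if known else "unknown_%d" % bit)
        value >>= 1
        bit += 1
    return names


def parse_record(raw):
    """Return (record type, event serial, field dict) for one raw record."""
    text = " ".join(raw.split())  # tolerate line-wrapped records
    header = HEADER_RE.search(text)
    if header is None:
        raise ValueError("not an audit record")
    fields = dict(FIELD_RE.findall(text[header.end():]))
    return header.group(1), int(header.group(3)), fields


def interpret(fields):
    """Replace every capability mask with a name list, 'none' when empty."""
    out = {}
    for key, val in fields.items():
        if MASK_FIELD_RE.fullmatch(key):
            out[key] = ",".join(mask_to_names(int(val, 16))) or "none"
        else:
            out[key] = val
    return out


def gained_permitted(fields):
    """Capabilities in the post-exec permitted set that old_pp lacked."""
    new_hex = fields.get("pp", fields.get("new_pp"))  # either field naming
    if new_hex is None or "old_pp" not in fields:
        raise KeyError("record has no old/new permitted sets")
    return mask_to_names(int(new_hex, 16) & ~int(fields["old_pp"], 16))


if __name__ == "__main__":
    for raw in (BPRM_RAW, CAPSET_RAW, LEGACY_RAW):
        rtype, serial, fields = parse_record(raw)
        print(rtype, serial, interpret(fields))
```

    A non-empty result from `gained_permitted()` on a BPRM_FCAPS record means the exec raised the permitted set through file capabilities, which is the event worth alerting on.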
     

02 May, 2017

3 commits


28 Mar, 2017

1 commit

  • Commit 5b52330bbfe6 ("audit: fix auditd/kernel connection state
    tracking") made inlining audit_signal_info() a bit pointless as
    it was always calling into auditd_test_task() so let's remove the
    inline function in kernel/audit.h and convert __audit_signal_info()
    in kernel/auditsc.c into audit_signal_info().

    Reviewed-by: Richard Guy Briggs
    Signed-off-by: Paul Moore

    Paul Moore
     

21 Mar, 2017

1 commit

  • What started as a rather straightforward race condition reported by
    Dmitry using the syzkaller fuzzer ended up revealing some major
    problems with how the audit subsystem managed its netlink sockets and
    its connection with the userspace audit daemon. Fixing this properly
    had quite the cascading effect and what we are left with is this rather
    large and complicated patch. My initial goal was to try and decompose
    this patch into multiple smaller patches, but the way these changes
    are intertwined makes it difficult to split these changes into
    meaningful pieces that don't break or somehow make things worse for
    the intermediate states.

    The patch makes a number of changes, but the most significant are
    highlighted below:

    * The auditd tracking variables, e.g. audit_sock, are now gone and
    replaced by a RCU/spin_lock protected variable auditd_conn which is
    a structure containing all of the auditd tracking information.

    * We no longer track the auditd sock directly, instead we track it
    via the network namespace in which it resides and we use the audit
    socket associated with that namespace. In spirit, this is what the
    code was trying to do prior to this patch (at least I think that is
    what the original authors intended), but it was done rather poorly
    and added a layer of obfuscation that only masked the underlying
    problems.

    * Big backlog queue cleanup, again. In v4.10 we made some pretty big
    changes to how the audit backlog queues work, here we haven't changed
    the queue design so much as cleaned up the implementation. Brought
    about by the locking changes, we've simplified kauditd_thread() quite
    a bit by consolidating the queue handling into a new helper function,
    kauditd_send_queue(), which allows us to eliminate a lot of very
    similar code and makes the looping logic in kauditd_thread() clearer.

    * All netlink messages sent to auditd are now sent via
    auditd_send_unicast_skb(). Other than just making sense, this makes
    the lock handling easier.

    * Change the audit_log_start() sleep behavior so that we never sleep
    on auditd events (unchanged) or if the caller is holding the
    audit_cmd_mutex (changed). Previously we didn't sleep if the caller
    was auditd or if the message type fell between a certain range; the
    type check was a poor effort of doing what the cmd_mutex check now
    does. Richard Guy Briggs originally proposed not sleeping the
    cmd_mutex owner several years ago but his patch wasn't acceptable
    at the time. At least the idea lives on here.

    * A problem with the lost record counter has been resolved. Steve
    Grubb and I both happened to notice this problem and according to
    some quick testing by Steve, this problem goes back quite some time.
    It's largely a harmless problem, although it may have left some
    careful sysadmins quite puzzled.

    Cc: # 4.10.x-
    Reported-by: Dmitry Vyukov
    Signed-off-by: Paul Moore

    Paul Moore
     

22 Feb, 2017

1 commit

  • Pull audit updates from Paul Moore:
    "The audit changes for v4.11 are relatively small compared to what we
    did for v4.10, both in terms of size and impact.

    - two patches from Steve tweak the formatting for some of the audit
    records to make them more consistent with other audit records.

    - three patches from Richard record the name of a module on module
    load, fix the logging of sockaddr information when using
    socketcall() on 32-bit systems, and add the ability to reset
    audit's lost record counter.

    - my lone patch just fixes an annoying style nit that I was reminded
    about by one of Richard's patches.

    All these patches pass our test suite"

    * 'stable-4.11' of git://git.infradead.org/users/pcmoore/audit:
    audit: remove unnecessary curly braces from switch/case statements
    audit: log module name on init_module
    audit: log 32-bit socketcalls
    audit: add feature audit_lost reset
    audit: Make AUDIT_ANOM_ABEND event normalized
    audit: Make AUDIT_KERNEL event conform to the specification

    Linus Torvalds
     

14 Feb, 2017

1 commit

  • This adds a new auxiliary record MODULE_INIT to the SYSCALL event.

    We get finit_module for free since it made most sense to hook this in to
    load_module().

    https://github.com/linux-audit/audit-kernel/issues/7
    https://github.com/linux-audit/audit-kernel/wiki/RFE-Module-Load-Record-Format

    Signed-off-by: Richard Guy Briggs
    Acked-by: Jessica Yu
    [PM: corrected links in the commit description]
    Signed-off-by: Paul Moore

    Richard Guy Briggs
     

06 Dec, 2016

1 commit


30 Jul, 2016

1 commit

  • Pull audit updates from Paul Moore:
    "Six audit patches for 4.8.

    There are a couple of style and minor whitespace tweaks for the logs,
    as well as a minor fixup to catch errors on user filter rules, however
    the major improvements are a fix to the s390 syscall argument masking
    code (reviewed by the nice s390 folks), some consolidation around the
    exclude filtering (less code, always a win), and a double-fetch fix
    for recording the execve arguments"

    * 'stable-4.8' of git://git.infradead.org/users/pcmoore/audit:
    audit: fix a double fetch in audit_log_single_execve_arg()
    audit: fix whitespace in CWD record
    audit: add fields to exclude filter by reusing user filter
    s390: ensure that syscall arguments are properly masked on s390
    audit: fix some horrible switch statement style crimes
    audit: fixup: log on errors from filter user rules

    Linus Torvalds
     

29 Jun, 2016

1 commit


27 Jun, 2016

1 commit

  • RFE: add additional fields for use in audit filter exclude rules
    https://github.com/linux-audit/audit-kernel/issues/5

    Re-factor and combine audit_filter_type() with audit_filter_user() to
    use audit_filter_user_rules() to enable the exclude filter to
    additionally filter on PID, UID, GID, AUID, LOGINUID_SET, SUBJ_*.

    The process of combining the similar audit_filter_user() and
    audit_filter_type() functions, required inverting the meaning and
    including the ALWAYS action of the latter.

    Include audit_filter_user_rules() into audit_filter(), removing
    unneeded logic in the process.

    Keep the check to quit early if the list is empty.

    Signed-off-by: Richard Guy Briggs
    [PM: checkpatch.pl fixes - whitespace damage, wrapped description]
    Signed-off-by: Paul Moore

    Richard Guy Briggs
     

25 Dec, 2015

1 commit


04 Nov, 2015

1 commit

  • This patch makes audit_tree_match return bool to improve readability
    due to this particular function only using either one or zero as its
    return value.

    No functional change.

    Signed-off-by: Yaowei Bai
    [PM: tweaked the subject line]
    Signed-off-by: Paul Moore

    Yaowei Bai
     

09 Sep, 2015

1 commit

  • Pull audit update from Paul Moore:
    "This is one of the larger audit patchsets in recent history,
    consisting of eight patches and almost 400 lines of changes.

    The bulk of the patchset is the new "audit by executable"
    functionality which allows admins to set an audit watch based on the
    executable on disk. Prior to this, admins could only track an
    application by PID, which has some obvious limitations.

    Beyond the new functionality we also have some refcnt fixes and a few
    minor cleanups"

    * 'upstream' of git://git.infradead.org/users/pcmoore/audit:
    fixup: audit: implement audit by executable
    audit: implement audit by executable
    audit: clean simple fsnotify implementation
    audit: use macros for unset inode and device values
    audit: make audit_del_rule() more robust
    audit: fix uninitialized variable in audit_add_rule()
    audit: eliminate unnecessary extra layer of watch parent references
    audit: eliminate unnecessary extra layer of watch references

    Linus Torvalds
     

07 Aug, 2015

2 commits

  • This adds the ability to audit the actions of a not-yet-running process.

    This patch implements the ability to filter on the executable path. Instead of
    just hard coding the ino and dev of the executable we care about at the moment
    the rule is inserted into the kernel, use the new audit_fsnotify
    infrastructure to manage this dynamically. This means that if the filename
    does not yet exist but the containing directory does, or if the inode in
    question is unlinked and creat'd (aka updated) the rule will just continue to
    work. If the containing directory is moved or deleted or the filesystem is
    unmounted, the rule is deleted automatically. A future enhancement would be to
    have the rule survive across directory disruptions.

    This is a heavily modified version of a patch originally submitted by Eric
    Paris with some ideas from Peter Moody.

    Cc: Peter Moody
    Cc: Eric Paris
    Signed-off-by: Richard Guy Briggs
    [PM: minor whitespace clean to satisfy ./scripts/checkpatch]
    Signed-off-by: Paul Moore

    Richard Guy Briggs
     
  • This is to be used to audit by executable path rules, but audit watches should
    be able to share this code eventually.

    At the moment the audit watch code is a lot more complex. That code only
    creates one fsnotify watch per parent directory. That 'audit_parent' in
    turn has a list of 'audit_watches' which contain the name, ino, dev of
    the specific object we care about. This just creates one fsnotify watch
    per object we care about. So if you watch 100 inodes in /etc this code
    will create 100 fsnotify watches on /etc. The audit_watch code will
    instead create 1 fsnotify watch on /etc (the audit_parent) and then 100
    individual watches chained from that fsnotify mark.

    We should be able to convert the audit_watch code to do one fsnotify
    mark per watch and simplify things/remove a whole lot of code. After
    that conversion we should be able to convert the audit_fsnotify code to
    support that hierarchy if the optimization is necessary.

    Move the access to the entry for audit_match_signal() to the beginning of
    the audit_del_rule() function in case the entry found is the same one passed
    in. This will enable it to be used by audit_autoremove_mark_rule(),
    kill_rules() and audit_remove_parent_watches().

    This is a heavily modified and merged version of two patches originally
    submitted by Eric Paris.

    Cc: Peter Moody
    Cc: Eric Paris
    Signed-off-by: Richard Guy Briggs
    [PM: added a space after a declaration to keep ./scripts/checkpatch happy]
    Signed-off-by: Paul Moore

    Richard Guy Briggs
     

23 Apr, 2015

1 commit

  • Pull audit fixes from Paul Moore:
    "Seven audit patches for v4.1, all bug fixes.

    The largest, and perhaps most significant commit helps resolve some
    memory pressure issues related to the inode cache and audit, there are
    also a few small commits which help resolve some timing issues with
    the audit log queue, and the rest fall into the always popular "code
    clean-up" category.

    In general, nothing really substantial, just a nice set of maintenance
    patches"

    * 'upstream' of git://git.infradead.org/users/pcmoore/audit:
    audit: Remove condition which always evaluates to false
    audit: reduce mmap_sem hold for mm->exe_file
    audit: consolidate handling of mm->exe_file
    audit: code clean up
    audit: don't reset working wait time accidentally with auditd
    audit: don't lose set wait time on first successful call to audit_log_start()
    audit: move the tree pruning to a dedicated thread

    Linus Torvalds