19 Oct, 2007

1 commit


11 Oct, 2007

2 commits

  • This patch makes processing of netlink user -> kernel messages synchronous.
    This change was inspired by a talk with Alexey Kuznetsov about current
    netlink message processing. He says that he was badly wrong when he introduced
    asynchronous user -> kernel communication.

    The call netlink_unicast is the only path to send a message to the kernel
    netlink socket. But, unfortunately, it is also used to send data to the
    user.

    Before this change the user message was attached to the socket queue
    and sk->sk_data_ready was called. The process was blocked until all
    pending messages were processed. The bad thing is that this processing
    may occur in an arbitrary process context.

    This patch changes the nlk->data_ready callback to get one skb and forces packet
    processing right in netlink_unicast.

    Kernel -> user path in netlink_unicast remains untouched.

    EINTR processing in netlink_run_queue was changed. It forces an rtnl_lock
    drop, but the process remains in the loop until the message is fully
    processed. So there is no need to use these kludges now.

    Signed-off-by: Denis V. Lunev
    Acked-by: Alexey Kuznetsov
    Signed-off-by: David S. Miller

    Denis V. Lunev
     
  • Each netlink socket will live in exactly one network namespace,
    this includes the controlling kernel sockets.

    This patch updates all of the existing netlink protocols
    to only support the initial network namespace. Requests
    by clients in other namespaces will get -ECONREFUSED,
    as they would if the kernel did not have support for
    that netlink protocol compiled in.

    As each netlink protocol is updated to be multiple network
    namespace safe it can register multiple kernel sockets
    to acquire a presence in the rest of the network namespaces.

    The implementation in af_netlink is a simple filter implementation
    at hash table insertion and hash table look up time.

    Signed-off-by: Eric W. Biederman
    Signed-off-by: David S. Miller

    Eric W. Biederman
     

18 Jul, 2007

1 commit

  • Currently, the freezer treats all tasks as freezable, except for the kernel
    threads that explicitly set the PF_NOFREEZE flag for themselves. This
    approach is problematic, since it requires every kernel thread to either
    set PF_NOFREEZE explicitly, or call try_to_freeze(), even if it doesn't
    care about the freezing of tasks at all.

    It seems better to only require the kernel threads that want to or need to
    be frozen to use some freezer-related code and to remove any
    freezer-related code from the other (nonfreezable) kernel threads, which is
    done in this patch.

    The patch causes all kernel threads to be nonfreezable by default (i.e. to
    have PF_NOFREEZE set by default) and introduces the set_freezable()
    function that should be called by the freezable kernel threads in order to
    unset PF_NOFREEZE. It also makes all of the currently freezable kernel
    threads call set_freezable(), so it shouldn't cause any (intentional)
    change of behaviour to appear. Additionally, it updates documentation to
    describe the freezing of tasks more accurately.

    [akpm@linux-foundation.org: build fixes]
    Signed-off-by: Rafael J. Wysocki
    Acked-by: Nigel Cunningham
    Cc: Pavel Machek
    Cc: Oleg Nesterov
    Cc: Gautham R Shenoy
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Rafael J. Wysocki
     

17 Jul, 2007

1 commit

  • Add TTY input auditing, used to audit a system administrator's actions. This is
    required by various security standards such as DCID 6/3 and PCI to provide
    non-repudiation of an administrator's actions and to allow a review of past
    actions if the administrator seems to overstep their duties or if the system
    becomes misconfigured for unknown reasons. These requirements do not make it
    necessary to audit TTY output as well.

    Compared to a user-space keylogger, this approach records TTY input using the
    audit subsystem, correlated with other audit events, and it is completely
    transparent to the user-space application (e.g. the console ioctls still
    work).

    TTY input auditing works on a higher level than auditing all system calls
    within the session, which would produce an overwhelming amount of mostly
    useless audit events.

    Add an "audit_tty" attribute, inherited across fork(). Data read from TTYs
    by a process with the attribute is sent to the audit subsystem by the kernel.
    The audit netlink interface is extended to allow modifying the audit_tty
    attribute, and to allow sending explanatory audit events from user-space (for
    example, a shell might send an event containing the final command, after the
    interactive command-line editing and history expansion is performed, which
    might be difficult to decipher from the TTY input alone).

    Because the "audit_tty" attribute is inherited across fork(), it would be set
    e.g. for sshd restarted within an audited session. To prevent this, the
    audit_tty attribute is cleared when a process with no open TTY file
    descriptors (e.g. after daemon startup) opens a TTY.

    See https://www.redhat.com/archives/linux-audit/2007-June/msg00000.html for a
    more detailed rationale document for an older version of this patch.

    [akpm@linux-foundation.org: build fix]
    Signed-off-by: Miloslav Trmac
    Cc: Al Viro
    Cc: Alan Cox
    Cc: Paul Fulghum
    Cc: Casey Schaufler
    Cc: Steve Grubb
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Miloslav Trmac
     

09 May, 2007

1 commit

  • Following the programming advice laid down in the gcc manual, make
    sure the case "..." operator has spaces on either side.

    According to:

    http://gcc.gnu.org/onlinedocs/gcc-4.1.2/gcc/Case-Ranges.html#Case-Ranges:

    "Be careful: Write spaces around the ..., for otherwise it may be
    parsed wrong when you use it with integer values."

    Signed-off-by: Robert P. J. Day
    Cc: Al Viro
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Robert P. J. Day
     

26 Apr, 2007

3 commits

  • Switch cb_lock to mutex and allow netlink kernel users to override it
    with a subsystem specific mutex for consistent locking in dump callbacks.
    All netlink_dump_start users have been audited not to rely on any
    side-effects of the previously used spinlock.

    Signed-off-by: Patrick McHardy
    Signed-off-by: David S. Miller

    Patrick McHardy
     
  • For the common "(struct nlmsghdr *)skb->data" sequence, so that we reduce the
    number of direct accesses to skb->data and for consistency with all the other
    cast skb member helpers.

    Signed-off-by: Arnaldo Carvalho de Melo
    Signed-off-by: David S. Miller

    Arnaldo Carvalho de Melo
     
  • So that it is also an offset from skb->head, reduces its size from 8 to 4 bytes
    on 64bit architectures, allowing us to combine the 4 bytes hole left by the
    layer headers conversion, reducing struct sk_buff size to 256 bytes, i.e. 4
    64byte cachelines, and since the sk_buff slab cache is SLAB_HWCACHE_ALIGN...
    :-)

    Many calculations that previously required that skb->{transport,network,
    mac}_header be first converted to a pointer now can be done directly, being
    meaningful as offsets or pointers.

    Signed-off-by: Arnaldo Carvalho de Melo
    Signed-off-by: David S. Miller

    Arnaldo Carvalho de Melo
     

18 Feb, 2007

1 commit

  • The following patch adds a new mode to the audit system. It uses the
    audit_enabled config option to introduce the idea of audit enabled, but
    configuration is immutable. Any attempt to change the configuration
    while in this mode is audited. To change the audit rules, you'd need to
    reboot the machine.

    To use this option, you'd need a modified version of auditctl and use "-e 2".
    This is intended to go at the end of the audit.rules file for people that
    want an immutable configuration.

    This patch also adds "res=" to a number of configuration commands that did not
    have it before.

    Signed-off-by: Steve Grubb
    Signed-off-by: Al Viro

    Steve Grubb
     

08 Dec, 2006

1 commit


06 Oct, 2006

1 commit

  • Squash this warning:

    kernel/audit.c: In function 'kauditd_thread':
    kernel/audit.c:367: warning: no return statement in function returning non-void

    We might as well test kthread_should_stop(), although it's not very pointful at
    present.

    The code which starts this thread looks racy - the kernel could start multiple
    threads.

    Cc: Al Viro
    Cc: Jeff Garzik
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Andrew Morton
     

26 Sep, 2006

1 commit


12 Sep, 2006

1 commit


03 Aug, 2006

1 commit


30 Jun, 2006

1 commit

  • This patch encapsulates the usage of eff_cap (in netlink_skb_params) within
    the security framework by extending security_netlink_recv to include a required
    capability parameter and converting all direct usage of eff_caps outside
    of the lsm modules to use the interface. It also updates the SELinux
    implementation of the security_netlink_send and security_netlink_recv
    hooks to take advantage of the sid in the netlink_skb_params struct.
    This also enables SELinux to perform auditing of netlink capability checks.
    Please apply, for 2.6.18 if possible.

    Signed-off-by: Darrel Goeddel
    Signed-off-by: Stephen Smalley
    Acked-by: James Morris
    Signed-off-by: David S. Miller

    Darrel Goeddel
     

28 Jun, 2006

1 commit

  • locking init cleanups:

    - convert " = SPIN_LOCK_UNLOCKED" to spin_lock_init() or DEFINE_SPINLOCK()
    - convert rwlocks in a similar manner

    this patch was generated automatically.

    Motivation:

    - cleanliness
    - lockdep needs control of lock initialization, which the open-coded
    variants do not give
    - it's also useful for -rt and for lock debugging in general

    Signed-off-by: Ingo Molnar
    Signed-off-by: Arjan van de Ven
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Ingo Molnar
     

20 Jun, 2006

6 commits

  • When an audit event involves changes to a directory entry, include
    a PATH record for the directory itself. A few other notable changes:

    - fixed audit_inode_child() hooks in fsnotify_move()
    - removed unused flags arg from audit_inode()
    - added audit log routines for logging a portion of a string

    Here's some sample output.

    before patch:
    type=SYSCALL msg=audit(1149821605.320:26): arch=40000003 syscall=39 success=yes exit=0 a0=bf8d3c7c a1=1ff a2=804e1b8 a3=bf8d3c7c items=1 ppid=739 pid=800 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 comm="mkdir" exe="/bin/mkdir" subj=root:system_r:unconfined_t:s0-s0:c0.c255
    type=CWD msg=audit(1149821605.320:26): cwd="/root"
    type=PATH msg=audit(1149821605.320:26): item=0 name="foo" parent=164068 inode=164010 dev=03:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=root:object_r:user_home_t:s0

    after patch:
    type=SYSCALL msg=audit(1149822032.332:24): arch=40000003 syscall=39 success=yes exit=0 a0=bfdd9c7c a1=1ff a2=804e1b8 a3=bfdd9c7c items=2 ppid=714 pid=777 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 comm="mkdir" exe="/bin/mkdir" subj=root:system_r:unconfined_t:s0-s0:c0.c255
    type=CWD msg=audit(1149822032.332:24): cwd="/root"
    type=PATH msg=audit(1149822032.332:24): item=0 name="/root" inode=164068 dev=03:00 mode=040750 ouid=0 ogid=0 rdev=00:00 obj=root:object_r:user_home_dir_t:s0
    type=PATH msg=audit(1149822032.332:24): item=1 name="foo" inode=164010 dev=03:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=root:object_r:user_home_t:s0

    Signed-off-by: Amy Griffis
    Signed-off-by: Al Viro

    Amy Griffis
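    As an added example, not code from this commit or from the kernel tree: a
    small C parser for the key=value audit record format shown above, run over
    the two record sets quoted in the message (copied here as constructed input,
    with the subj=/obj= labels dropped for width). It lets the difference the
    patch makes be checked mechanically: before, the single PATH record carries
    a parent= inode field; after, the parent directory gets its own PATH record
    and the SYSCALL record's items= count rises to match. The field names and
    sample lines come from the message; the function names, the boundary rule
    for matching keys and the assumption that PATH item indices run contiguously
    from 0 are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample input: the two record sets quoted in the commit message,
 * with the SELinux subj=/obj= fields dropped to keep the lines short. */
static const char *const BEFORE[] = {
    "type=SYSCALL msg=audit(1149821605.320:26): arch=40000003 syscall=39 success=yes exit=0 items=1 ppid=739 pid=800 auid=0 uid=0 comm=\"mkdir\" exe=\"/bin/mkdir\"",
    "type=CWD msg=audit(1149821605.320:26): cwd=\"/root\"",
    "type=PATH msg=audit(1149821605.320:26): item=0 name=\"foo\" parent=164068 inode=164010 dev=03:00 mode=040755 ouid=0 ogid=0 rdev=00:00",
};
static const char *const AFTER[] = {
    "type=SYSCALL msg=audit(1149822032.332:24): arch=40000003 syscall=39 success=yes exit=0 items=2 ppid=714 pid=777 auid=0 uid=0 comm=\"mkdir\" exe=\"/bin/mkdir\"",
    "type=CWD msg=audit(1149822032.332:24): cwd=\"/root\"",
    "type=PATH msg=audit(1149822032.332:24): item=0 name=\"/root\" inode=164068 dev=03:00 mode=040750 ouid=0 ogid=0 rdev=00:00",
    "type=PATH msg=audit(1149822032.332:24): item=1 name=\"foo\" inode=164010 dev=03:00 mode=040755 ouid=0 ogid=0 rdev=00:00",
};
#define NBEFORE (sizeof BEFORE / sizeof BEFORE[0])
#define NAFTER  (sizeof AFTER / sizeof AFTER[0])

/* Copy the value of key=value (quotes stripped) into out. The key must start
 * the line or follow a space, so "item" does not match "items". 1 if found. */
static int audit_get_field(const char *line, const char *key, char *out, size_t outlen)
{
    size_t klen = strlen(key), n;
    const char *p = line, *v, *end;

    while ((p = strstr(p, key)) != NULL) {
        if ((p == line || p[-1] == ' ') && p[klen] == '=')
            break;
        p += klen;
    }
    if (!p)
        return 0;
    v = p + klen + 1;
    if (*v == '"') {
        if (!(end = strchr(++v, '"')))
            return 0;               /* unterminated quoted value */
    } else {
        for (end = v; *end && *end != ' '; end++)
            ;
    }
    n = (size_t)(end - v) < outlen ? (size_t)(end - v) : outlen - 1;
    memcpy(out, v, n);
    out[n] = '\0';
    return 1;
}

/* Event serial from msg=audit(timestamp:serial): ; 1 on success. */
static int audit_serial(const char *line, unsigned long *serial)
{
    char msg[64];
    double ts;
    return audit_get_field(line, "msg", msg, sizeof msg) &&
           sscanf(msg, "audit(%lf:%lu)", &ts, serial) == 2;
}

/* First record of event `serial` with the given type; for PATH records an
 * item >= 0 also selects the item index. NULL if absent. */
static const char *find_record(const char *const *lines, size_t n,
                               unsigned long serial, const char *type, int item)
{
    char buf[16];
    unsigned long s;
    for (size_t i = 0; i < n; i++) {
        if (!audit_get_field(lines[i], "type", buf, sizeof buf) || strcmp(buf, type) ||
            !audit_serial(lines[i], &s) || s != serial)
            continue;
        if (item >= 0 && (!audit_get_field(lines[i], "item", buf, sizeof buf) ||
                          atoi(buf) != item))
            continue;
        return lines[i];
    }
    return NULL;
}

/* items= claimed by the event's SYSCALL record, or -1 if there is none. */
static int syscall_items(const char *const *lines, size_t n, unsigned long serial)
{
    char buf[16];
    const char *rec = find_record(lines, n, serial, "SYSCALL", -1);
    return rec && audit_get_field(rec, "items", buf, sizeof buf) ? atoi(buf) : -1;
}

/* PATH records actually present for the event (assumes item indices run from 0). */
static int count_path_records(const char *const *lines, size_t n, unsigned long serial)
{
    int count = 0;
    while (find_record(lines, n, serial, "PATH", count))
        count++;
    return count;
}

/* 1 if PATH item `item` carries `key`, and (when expected != NULL) with that value. */
static int path_field_is(const char *const *lines, size_t n, unsigned long serial,
                         int item, const char *key, const char *expected)
{
    char buf[256];
    const char *rec = find_record(lines, n, serial, "PATH", item);
    return rec && audit_get_field(rec, key, buf, sizeof buf) &&
           (!expected || strcmp(buf, expected) == 0);
}
```

    A consumer that correlates PATH records with the SYSCALL record's items=
    count (as `syscall_items` and `count_path_records` do here) sees the new
    parent-directory record without any format change: it is simply one more
    item, and the old parent= field disappears from the entry's own record.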
     
  • In this implementation, audit registers inotify watches on the parent
    directories of paths specified in audit rules. When audit's inotify
    event handler is called, it updates any affected rules based on the
    filesystem event. If the parent directory is renamed, removed, or its
    filesystem is unmounted, audit removes all rules referencing that
    inotify watch.

    To keep things simple, this implementation limits location-based
    auditing to the directory entries in an existing directory. Given
    a path-based rule for /foo/bar/passwd, the following table applies:

    passwd modified -- audit event logged
    passwd replaced -- audit event logged, rules list updated
    bar renamed -- rule removed
    foo renamed -- untracked, meaning that the rule now applies to
    the new location

    Audit users typically want to have many rules referencing filesystem
    objects, which can significantly impact filtering performance. This
    patch also adds an inode-number-based rule hash to mitigate this
    situation.

    The patch is relative to the audit git tree:
    http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
    and uses the inotify kernel API:
    http://lkml.org/lkml/2006/6/1/145

    Signed-off-by: Amy Griffis
    Signed-off-by: Al Viro

    Amy Griffis
     
  • Just a few minor proposed updates. Only the last one will
    actually affect behavior. The rest are just misleading
    code.

    Several AUDIT_SET functions return 'old' value, but only
    return value
    Signed-off-by: Al Viro

    Serge E. Hallyn
     
  • Signed-off-by: Al Viro

    Al Viro
     
  • Signed-off-by: Al Viro

    Al Viro
     
  • We should not send a pile of replies while holding audit_netlink_mutex
    since we hold the same mutex when we receive commands. As the result,
    we can get blocked while sending and sit there holding the mutex while
    auditctl is unable to send the next command and get around to receiving
    what we'd sent.

    Solution: create skb and put them into a queue instead of sending;
    once we are done, send what we've got on the list. The former can
    be done synchronously while we are handling AUDIT_LIST or AUDIT_LIST_RULES;
    we are holding audit_netlink_mutex at that point. The latter is done
    asynchronously and without messing with audit_netlink_mutex.

    Signed-off-by: Al Viro

    Al Viro
     

01 May, 2006

3 commits

  • Hi,

    The patch below builds upon the patch sent earlier and adds subject label to
    all audit events generated via the netlink interface. It also cleans up a few
    other minor things.

    Signed-off-by: Steve Grubb

    Signed-off-by: Al Viro

    Steve Grubb
     
  • The below patch should be applied after the inode and ipc sid patches.
    This patch is a reworking of Tim's patch that has been updated to match
    the inode and ipc patches since it's similar.

    [updated:
    > Stephen Smalley also wanted to change a variable from isec to tsec in the
    > user sid patch. ]

    Signed-off-by: Steve Grubb
    Signed-off-by: Al Viro

    Steve Grubb
     
  • This patch provides the ability to filter audit messages based on the
    elements of the process' SELinux context (user, role, type, mls sensitivity,
    and mls clearance). It uses the new interfaces from selinux to opaquely
    store information related to the selinux context and to filter based on that
    information. It also uses the callback mechanism provided by selinux to
    refresh the information when a new policy is loaded.

    Signed-off-by: Al Viro

    Darrel Goeddel
     

01 Apr, 2006

1 commit

  • The boot cmdline is parsed in parse_early_param() and
    parse_args(,unknown_bootoption).

    And __setup() is used in obsolete_checksetup().

    start_kernel()
    -> parse_args()
    -> unknown_bootoption()
    -> obsolete_checksetup()

    If __setup()'s callback (->setup_func()) returns 1 in
    obsolete_checksetup(), obsolete_checksetup() thinks the parameter was
    handled.

    If ->setup_func() returns 0, obsolete_checksetup() tries the other
    ->setup_func()s. If all ->setup_func()s that matched a parameter return 0,
    the parameter is set in argv_init[].

    Then, when running /sbin/init or init=app, argv_init[] is passed to the app.
    If the app doesn't ignore those arguments, it will warn and exit.

    This patch fixes wrong usage of it; however, it fixes only the obvious ones.

    Signed-off-by: OGAWA Hirofumi
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    OGAWA Hirofumi
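    Added example, not kernel code: a user-space model of the
    obsolete_checksetup() rule described above, with two constructed handlers.
    One returns 1 and claims its parameter; the other returns 0, so the parameter
    falls through to argv_init[] and reaches init, which is the mistake the
    message describes. The names setup_entry, setup_table, parse_cmdline and the
    two handlers are this example's own; the real kernel code differs in its
    details (the prefix-match loop is the only part modelled).

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of a __setup() entry: setup_func gets the text after the
 * prefix and returns 1 (parameter handled) or 0 (not handled). */
struct setup_entry {
    const char *prefix;
    int (*setup_func)(const char *);
};

static int audit_flag;

/* Correct: claims "audit=..." by returning 1. (Constructed handler.) */
static int audit_setup(const char *str)
{
    audit_flag = (str[0] == '1');
    return 1;
}

static int bogus_seen;

/* The mistake the commit describes: handles "bogus" but returns 0, so the
 * parameter is still handed on to init. (Constructed handler.) */
static int bogus_setup(const char *str)
{
    (void)str;
    bogus_seen = 1;
    return 0;
}

static const struct setup_entry setup_table[] = {
    { "audit=", audit_setup },
    { "bogus",  bogus_setup },
};

#define MAX_INIT_ARGS 8
static const char *argv_init[MAX_INIT_ARGS + 1];
static int argv_init_count;

/* Models obsolete_checksetup(): every entry whose prefix matches is tried in
 * turn; the parameter counts as handled as soon as one returns 1. */
static int obsolete_checksetup(const char *param)
{
    for (size_t i = 0; i < sizeof setup_table / sizeof setup_table[0]; i++) {
        size_t plen = strlen(setup_table[i].prefix);
        if (strncmp(param, setup_table[i].prefix, plen) == 0 &&
            setup_table[i].setup_func(param + plen))
            return 1;
    }
    return 0;
}

/* Models unknown_bootoption(): anything no entry claimed goes to argv_init[]. */
static void unknown_bootoption(const char *param)
{
    if (obsolete_checksetup(param))
        return;
    if (argv_init_count < MAX_INIT_ARGS)
        argv_init[argv_init_count++] = param;
}

static char cmdline_buf[256];

/* Split a command line on spaces and feed each token through the model.
 * Returns how many tokens ended up in argv_init[], i.e. leaked to init. */
static int parse_cmdline(const char *cmdline)
{
    argv_init_count = 0;
    strncpy(cmdline_buf, cmdline, sizeof cmdline_buf - 1);
    cmdline_buf[sizeof cmdline_buf - 1] = '\0';
    for (char *tok = strtok(cmdline_buf, " "); tok; tok = strtok(NULL, " "))
        unknown_bootoption(tok);
    argv_init[argv_init_count] = NULL;
    return argv_init_count;
}

int main(void)
{
    int n = parse_cmdline("audit=1 bogus quiet");
    printf("%d argument(s) passed on to init:", n);
    for (int i = 0; i < n; i++)
        printf(" %s", argv_init[i]);
    printf("\n");
    return 0;
}
```

    With the constructed command line "audit=1 bogus quiet", "bogus" is seen by
    its handler yet still lands in argv_init[] next to the genuinely unknown
    "quiet", which is exactly how a handler returning 0 produces the spurious
    init arguments the message warns about.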
     

21 Mar, 2006

9 commits

  • Make audit_init() failure path handle situations where the audit_panic()
    action is not AUDIT_FAIL_PANIC (default is AUDIT_FAIL_PRINTK). Other uses
    of audit_sock are not reached unless audit's netlink message handler is
    properly registered. Bug noticed by Peter Staubach.

    Signed-off-by: Amy Griffis
    Signed-off-by: Al Viro

    Amy Griffis
     
  • Hi,

    This is a trivial patch that enables the possibility of using some auditing
    functions within loadable kernel modules (i.e. inside a Linux Security Module).

    Make the audit_log_start, audit_log_end, audit_format and audit_log
    interfaces available to Loadable Kernel Modules, thus making possible
    the usage of the audit framework inside LSMs, etc.

    Signed-off-by: >
    Signed-off-by: Al Viro

    lorenzo@gnu.org
     
  • Semaphore to mutex conversion.

    The conversion was generated via scripts, and the result was validated
    automatically via a script as well.

    Signed-off-by: Ingo Molnar
    Cc: David Woodhouse
    Signed-off-by: Andrew Morton
    Signed-off-by: Al Viro

    Ingo Molnar
     
  • Updated patch to dynamically allocate audit rule fields in kernel's
    internal representation. Added unlikely() calls for testing memory
    allocation result.

    Amy Griffis wrote: [Wed Jan 11 2006, 02:02:31PM EST]
    > Modify audit's kernel-userspace interface to allow the specification
    > of string fields in audit rules.
    >
    > Signed-off-by: Amy Griffis

    Signed-off-by: Al Viro
    (cherry picked from 5ffc4a863f92351b720fe3e9c5cd647accff9e03 commit)

    Amy Griffis
     
  • This fixes the per-user and per-message-type filtering when syscall
    auditing isn't enabled.

    [AV: folded followup fix from the same author]

    Signed-off-by: David Woodhouse
    Signed-off-by: Al Viro

    David Woodhouse
     
  • This patch extends existing audit records with subject/object context
    information. Audit records associated with filesystem inodes, ipc, and
    tasks now contain SELinux label information in the field "subj" if the
    item is performing the action, or in "obj" if the item is the receiver
    of an action.

    These labels are collected via hooks in SELinux and appended to the
    appropriate record in the audit code.

    This additional information is required for Common Criteria Labeled
    Security Protection Profile (LSPP).

    [AV: fixed kmalloc flags use]
    [folded leak fixes]
    [folded cleanup from akpm (kfree(NULL)]
    [folded audit_inode_context() leak fix]
    [folded akpm's fix for audit_ipc_perm() definition in case of !CONFIG_AUDIT]

    Signed-off-by: Dustin Kirkland
    Signed-off-by: David Woodhouse
    Signed-off-by: Andrew Morton
    Signed-off-by: Al Viro

    Dustin Kirkland
     
  • - Add a new, 5th filter called "exclude".
    - And add a new field AUDIT_MSGTYPE.
    - Define a new function audit_filter_exclude() that takes a message type
    as input and examines all rules in the filter. It returns '1' if the
    message is to be excluded, and '0' otherwise.
    - Call the audit_filter_exclude() function near the top of
    audit_log_start() just after asserting audit_initialized. If the
    message type is not to be audited, return NULL very early, before
    doing a lot of work.
    [combined with followup fix for bug in original patch, Nov 4, same author]
    [combined with later renaming AUDIT_FILTER_EXCLUDE->AUDIT_FILTER_TYPE
    and audit_filter_exclude() -> audit_filter_type()]

    Signed-off-by: Dustin Kirkland
    Signed-off-by: David Woodhouse
    Signed-off-by: Al Viro

    Dustin Kirkland
     
  • The attached patch updates various items for the new user space
    messages. Please apply.

    Signed-off-by: Steve Grubb
    Signed-off-by: David Woodhouse

    Steve Grubb
     
  • - add kerneldoc for non-static functions;
    - don't init static data to 0;
    - limit lines to < 80 columns;
    - fix long-format style;
    - delete whitespace at end of some lines;

    (chrisw: resend and update to current audit-2.6 tree)

    Signed-off-by: Randy Dunlap
    Signed-off-by: Chris Wright
    Signed-off-by: David Woodhouse

    Randy Dunlap
     

19 Jan, 2006

1 commit

  • EDAC requires a way to scrub memory if an ECC error is found and the chipset
    does not do the work automatically. That means rewriting memory locations
    atomically with respect to all CPUs _and_ bus masters. That means we can't
    use atomic_add(foo, 0) as it gets optimised for non-SMP

    This adds a function to include/asm-foo/atomic.h for the platforms currently
    supported which implements a scrub of a mapped block.

    It also adjusts the include order in a few other files where atomic.h is included
    before types.h, as this now causes an error since atomic_scrub uses u32.

    Signed-off-by: Alan Cox
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Alan Cox
     

09 Jan, 2006

1 commit

  • This patch contains the following cleanups:
    - make needlessly global functions static
    - every file should include the headers containing the prototypes for
    its global functions

    Signed-off-by: Adrian Bunk
    Acked-by: "Paul E. McKenney"
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Adrian Bunk
     

13 Dec, 2005

1 commit

  • kauditd was causing suspends to fail because it refused to freeze. Adding
    a try_to_freeze() to its sleep loop solves the issue.

    Signed-off-by: Pierre Ossman
    Acked-by: Pavel Machek
    Cc: David Woodhouse
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Pierre Ossman
     

28 Oct, 2005

1 commit