19 Oct, 2007
1 commit
-
Signed-off-by: Daniel Walker
Cc: David Woodhouse
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
17 Oct, 2007
1 commit
-
This patch cleans up duplicate includes in
kernel/Signed-off-by: Jesper Juhl
Acked-by: Paul E. McKenney
Reviewed-by: Satyam Sharma
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
10 Oct, 2007
1 commit
-
This will allow rpc.gssd to use inotify instead of dnotify in order to
locate new rpc upcall pipes.This also requires the exporting of __audit_inode_child(), which is used by
fsnotify_create() and fsnotify_mkdir(). Ccing David Woodhouse.Cc: David Woodhouse
Signed-off-by: Trond Myklebust
23 Aug, 2007
1 commit
-
This patch fixes an off-by-one in a BUG_ON() spotted by the Coverity
checker.Signed-off-by: Adrian Bunk
Cc: Amy Griffis
Cc: Al Viro
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
08 Aug, 2007
1 commit
-
The check for audit_signals is misplaced and the check for
audit_dummy_context() is missing; as the result, if we send a signal to
auditd from task with NULL ->audit_context while we have audit_signals
!= 0 we end up with an oops.Signed-off-by: Al Viro
Acked-by: James Morris
Signed-off-by: Linus Torvalds
29 Jul, 2007
1 commit
-
copy_from_user() returns the number of bytes not copied, hence 0 is the
expected output.axi->mm might not be valid anymore when not equal to current->mm, do not
dereference before checking that - thanks to Al for spotting that.Signed-off-by: Peter Zijlstra
Tested-by: Steve Grubb
Signed-off-by: Linus Torvalds
22 Jul, 2007
2 commits
-
Selinux folks had been complaining about the lack of AVC_PATH
records when audit is disabled. I must admit my stupidity - I assumed
that avc_audit() really couldn't use audit_log_d_path() because of
deadlocks (== could be called with dcache_lock or vfsmount_lock held).
Shouldn't have made that assumption - it never gets called that way.
It _is_ called under spinlocks, but not those.Since audit_log_d_path() uses ab->gfp_mask for allocations,
kmalloc() in there is not a problem. IOW, the simple fix is sufficient:
let's rip AUDIT_AVC_PATH out and simply generate pathname as part of main
record. It's trivial to do.Signed-off-by: Al Viro
Acked-by: James Morris -
The mode fields for IPC records are not consistent. Some are hex, others are
octal. This patch makes them all octal.Signed-off-by: Steve Grubb
Signed-off-by: Al Viro
20 Jul, 2007
2 commits
-
Remove the arg+env limit of MAX_ARG_PAGES by copying the strings directly from
the old mm into the new mm.We create the new mm before the binfmt code runs, and place the new stack at
the very top of the address space. Once the binfmt code runs and figures out
where the stack should be, we move it downwards.It is a bit peculiar in that we have one task with two mm's, one of which is
inactive.[a.p.zijlstra@chello.nl: limit stack size]
Signed-off-by: Ollie Wild
Signed-off-by: Peter Zijlstra
Cc:
Cc: Hugh Dickins
[bunk@stusta.de: unexport bprm_mm_init]
Signed-off-by: Adrian Bunk
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds -
The purpose of audit_bprm() is to log the argv array to a userspace daemon at
the end of the execve system call. Since user-space hasn't had time to run,
this array is still in pristine state on the process' stack; so no need to
copy it, we can just grab it from there.In order to minimize the damage to audit_log_*() copy each string into a
temporary kernel buffer first.Currently the audit code requires that the full argument vector fits in a
single packet. So currently it does clip the argv size to a (sysctl) limit,
but only when execve auditing is enabled.If the audit protocol gets extended to allow for multiple packets this check
can be removed.Signed-off-by: Peter Zijlstra
Signed-off-by: Ollie Wild
Cc:
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
17 Jul, 2007
2 commits
-
Fix parameter name in audit_core_dumps for kerneldoc.
Signed-off-by: Henrik Kretzschmar
Cc: Al Viro
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds -
Add TTY input auditing, used to audit system administrator's actions. This is
required by various security standards such as DCID 6/3 and PCI to provide
non-repudiation of administrator's actions and to allow a review of past
actions if the administrator seems to overstep their duties or if the system
becomes misconfigured for unknown reasons. These requirements do not make it
necessary to audit TTY output as well.Compared to an user-space keylogger, this approach records TTY input using the
audit subsystem, correlated with other audit events, and it is completely
transparent to the user-space application (e.g. the console ioctls still
work).TTY input auditing works on a higher level than auditing all system calls
within the session, which would produce an overwhelming amount of mostly
useless audit events.Add an "audit_tty" attribute, inherited across fork (). Data read from TTYs
by process with the attribute is sent to the audit subsystem by the kernel.
The audit netlink interface is extended to allow modifying the audit_tty
attribute, and to allow sending explanatory audit events from user-space (for
example, a shell might send an event containing the final command, after the
interactive command-line editing and history expansion is performed, which
might be difficult to decipher from the TTY input alone).Because the "audit_tty" attribute is inherited across fork (), it would be set
e.g. for sshd restarted within an audited session. To prevent this, the
audit_tty attribute is cleared when a process with no open TTY file
descriptors (e.g. after daemon startup) opens a TTY.See https://www.redhat.com/archives/linux-audit/2007-June/msg00000.html for a
more detailed rationale document for an older version of this patch.[akpm@linux-foundation.org: build fix]
Signed-off-by: Miloslav Trmac
Cc: Al Viro
Cc: Alan Cox
Cc: Paul Fulghum
Cc: Casey Schaufler
Cc: Steve Grubb
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
11 May, 2007
6 commits
-
Hi,
I have been working on some code that detects abnormal events based on audit
system events. One kind of event that we currently have no visibility for is
when a program terminates due to segfault - which should never happen on a
production machine. And if it did, you'd want to investigate it. Attached is a
patch that collects these events and sends them into the audit system.Signed-off-by: Steve Grubb
Signed-off-by: Al Viro -
Make more effort to detect previously collected names, so we don't log
multiple PATH records for a single filesystem object. Add
audit_inc_name_count() to reduce duplicate code.Signed-off-by: Amy Griffis
Signed-off-by: Al Viro -
Handle the edge cases for POSIX message queue auditing. Collect inode
info when opening an existing mq, and for send/receive operations. Remove
audit_inode_update() as it has really evolved into the equivalent of
audit_inode().Signed-off-by: Amy Griffis
Signed-off-by: Al Viro -
Audit contexts can be reused, so initialize a name's osid to the
default in audit_getname(). This ensures we don't log a bogus object
label when no inode data is collected for a name.Signed-off-by: Amy Griffis
Signed-off-by: Al Viro -
When auditing syscalls that send signals, log the pid and security
context for each target process. Optimize the data collection by
adding a counter for signal-related rules, and avoiding allocating an
aux struct unless we have more than one target process. For process
groups, collect pid/context data in blocks of 16. Move the
audit_signal_info() hook up in check_kill_permission() so we audit
attempts where permission is denied.Signed-off-by: Amy Griffis
Signed-off-by: Al Viro -
Signed-off-by: Al Viro
15 Mar, 2007
1 commit
-
GFP_KERNEL allocations in non-blocking context; fixed by killing
an idiotic use of security_getprocattr().Acked-by: Stephen Smalley
Acked-by: James Morris
Signed-off-by: Al Viro
Signed-off-by: Linus Torvalds
18 Feb, 2007
1 commit
-
Provide an audit record of the descriptor pair returned by pipe() and
socketpair(). Rewritten from the original posted to linux-audit by
John D. RamsdellSigned-off-by: Al Viro
09 Dec, 2006
2 commits
-
Signed-off-by: Josef Sipek
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds -
Fix the locking of signal->tty.
Use ->sighand->siglock to protect ->signal->tty; this lock is already used
by most other members of ->signal/->sighand. And unless we are 'current'
or the tasklist_lock is held we need ->siglock to access ->signal anyway.(NOTE: sys_unshare() is broken wrt ->sighand locking rules)
Note that tty_mutex is held over tty destruction, so while holding
tty_mutex any tty pointer remains valid. Otherwise the lifetime of ttys
are governed by their open file handles. This leaves some holes for tty
access from signal->tty (or any other non file related tty access).It solves the tty SLAB scribbles we were seeing.
(NOTE: the change from group_send_sig_info to __group_send_sig_info needs to
be examined by someone familiar with the security framework, I think
it is safe given the SEND_SIG_PRIV from other __group_send_sig_info
invocations)[schwidefsky@de.ibm.com: 3270 fix]
[akpm@osdl.org: various post-viro fixes]
Signed-off-by: Peter Zijlstra
Acked-by: Alan Cox
Cc: Oleg Nesterov
Cc: Prarit Bhargava
Cc: Chris Wright
Cc: Roland McGrath
Cc: Stephen Smalley
Cc: James Morris
Cc: "David S. Miller"
Cc: Jeff Dike
Cc: Martin Schwidefsky
Cc: Jan Kara
Signed-off-by: Martin Schwidefsky
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
07 Dec, 2006
1 commit
-
An audit message occurs when an ipsec SA
or ipsec policy is created/deleted.Signed-off-by: Joy Latten
Signed-off-by: James Morris
Signed-off-by: David S. Miller
04 Dec, 2006
1 commit
-
Signed-off-by: Al Viro
04 Oct, 2006
2 commits
-
Hi,
This patch removes the rdev logging from the previous patch
The below patch closes an unbounded use of name_count. This can lead to oopses
in some new file systems.Signed-off-by: Steve Grubb
Signed-off-by: Al Viro -
On Thu, Sep 28, 2006 at 04:03:06PM -0400, Eric Paris wrote:
> After some looking I did not see a way to get into audit_log_exit
> without having set the ppid. So I am dropping the set from there and
> only doing it at the beginning.
>
> Please comment/ack/nak as soon as possible.Ehh... That's one hell of an overhead to be had ;-/ Let's be lazy.
Signed-off-by: Al Viro
30 Sep, 2006
1 commit
-
Add tty locking around the audit and accounting code.
The whole current->signal-> locking is all deeply strange but it's for
someone else to sort out. Add rather than replace the lock for acct.cSigned-off-by: Alan Cox
Acked-by: Arjan van de Ven
Cc: Al Viro
Cc: Oleg Nesterov
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
26 Sep, 2006
2 commits
-
Rename selinux_ctxid_to_string to selinux_sid_to_string to be
consistent with other interfaces.Signed-off-by: Stephen Smalley
Acked-by: James Morris
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds -
Eliminate selinux_task_ctxid since it duplicates selinux_task_get_sid.
Signed-off-by: Stephen Smalley
Acked-by: James Morris
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
12 Sep, 2006
1 commit
-
add support for AUDIT_PERM predicate
Signed-off-by: Al Viro
03 Aug, 2006
6 commits
-
move that stuff downstream and into the only branch where it'll be
used.Signed-off-by: Al Viro
-
Signed-off-by: Al Viro
-
Signed-off-by: Al Viro
-
Signed-off-by: Al Viro
-
When an object is created via a symlink into an audited directory, audit misses
the event due to not having collected the inode data for the directory. Modify
__audit_inode_child() to copy the parent inode data if a parent wasn't found in
audit_names[].Signed-off-by: Amy Griffis
Signed-off-by: Al Viro -
When the specified path is an existing file or when it is a symlink, audit
collects the wrong inode number, which causes it to miss the open() event.
Adding a second hook to the open() path fixes this.Also add audit_copy_inode() to consolidate some code.
Signed-off-by: Amy Griffis
Signed-off-by: Al Viro
01 Jul, 2006
3 commits
-
This patch introduces object audit filters based on the elements
of the SELinux context.Signed-off-by: Darrel Goeddel
Acked-by: Stephen Smalleykernel/auditfilter.c | 25 +++++++++++++++++++++++++
kernel/auditsc.c | 40 ++++++++++++++++++++++++++++++++++++++++
security/selinux/ss/services.c | 18 +++++++++++++++++-
3 files changed, 82 insertions(+), 1 deletion(-)
Signed-off-by: Al Viro -
This patch renames some audit constant definitions and adds
additional definitions used by the following patch. The renaming
avoids ambiguity with respect to the new definitions.Signed-off-by: Darrel Goeddel
include/linux/audit.h | 15 ++++++++----
kernel/auditfilter.c | 50 ++++++++++++++++++++---------------------
kernel/auditsc.c | 10 ++++----
security/selinux/ss/services.c | 32 +++++++++++++-------------
4 files changed, 56 insertions(+), 51 deletions(-)
Signed-off-by: Al Viro -
Add support for a rule key, which can be used to tie audit records to audit
rules. This is useful when a watched file is accessed through a link or
symlink, as well as for general audit log analysis.Because this patch uses a string key instead of an integer key, there is a bit
of extra overhead to do the kstrdup() when a rule fires. However, we're also
allocating memory for the audit record buffer, so it's probably not that
significant. I went ahead with a string key because it seems more
user-friendly.Note that the user must ensure that filterkeys are unique. The kernel only
checks for duplicate rules.Signed-off-by: Amy Griffis
28 Jun, 2006
1 commit
-
Remove redundant kfree NULL checks from kernel/
Signed-off-by: Jesper Juhl
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds