Eric Lee / smarc-fsl-linux-kernel

04 Mar, 2011

1 commit

30 Oct, 2010

1 commit

  • d29be158a   Audit: add support to match lsm labels on user audit messages ... Browse Code »

    Add support for matching by security label (e.g. SELinux context) of
    the sender of an user-space audit record.

    The audit filter code already allows user space to configure such
    filters, but they were ignored during evaluation. This patch implements
    evaluation of these filters.

    For example, after application of this patch, PAM authentication logs
    caused by cron can be disabled using
    auditctl -a user,never -F subj_type=crond_t

    Signed-off-by: Miloslav Trmac
    Acked-by: Eric Paris
    Signed-off-by: Al Viro

    Miloslav Trmac
     

28 Jul, 2010

2 commits

  • a05fb6cc5   audit: do not get and put just to free a watch ... Browse Code »

    deleting audit watch rules is not currently done under audit_filter_mutex.
    It was done this way because we could not hold the mutex during inotify
    manipulation. Since we are using fsnotify we don't need to do the extra
    get/put pair nor do we need the private list on which to store the parents
    while they are about to be freed.

    Signed-off-by: Eric Paris

    Eric Paris
     
  • ae7b8f410   Audit: clean up the audit_watch split ... Browse Code »

    No real changes, just cleanup to the audit_watch split patch which we done
    with minimal code changes for easy review. Now fix interfaces to make
    things work better.

    Signed-off-by: Eric Paris

    Eric Paris
     

30 Mar, 2010

1 commit

  • 5a0e3ad6a   include cleanup: Update gfp.h and slab.h includes to prepare for breaking implic… ... Browse Code »

    …it slab.h inclusion from percpu.h

    percpu.h is included by sched.h and module.h and thus ends up being
    included when building most .c files. percpu.h includes slab.h which
    in turn includes gfp.h making everything defined by the two files
    universally available and complicating inclusion dependencies.

    percpu.h -> slab.h dependency is about to be removed. Prepare for
    this change by updating users of gfp and slab facilities include those
    headers directly instead of assuming availability. As this conversion
    needs to touch large number of source files, the following script is
    used as the basis of conversion.

    http://userweb.kernel.org/~tj/misc/slabh-sweep.py

    The script does the followings.

    * Scan files for gfp and slab usages and update includes such that
    only the necessary includes are there. ie. if only gfp is used,
    gfp.h, if slab is used, slab.h.

    * When the script inserts a new include, it looks at the include
    blocks and try to put the new include such that its order conforms
    to its surrounding. It's put in the include block which contains
    core kernel includes, in the same order that the rest are ordered -
    alphabetical, Christmas tree, rev-Xmas-tree or at the end if there
    doesn't seem to be any matching order.

    * If the script can't find a place to put a new include (mostly
    because the file doesn't have fitting include block), it prints out
    an error message indicating which .h file needs to be added to the
    file.

    The conversion was done in the following steps.

    1. The initial automatic conversion of all .c files updated slightly
    over 4000 files, deleting around 700 includes and adding ~480 gfp.h
    and ~3000 slab.h inclusions. The script emitted errors for ~400
    files.

    2. Each error was manually checked. Some didn't need the inclusion,
    some needed manual addition while adding it to implementation .h or
    embedding .c file was more appropriate for others. This step added
    inclusions to around 150 files.

    3. The script was run again and the output was compared to the edits
    from #2 to make sure no file was left behind.

    4. Several build tests were done and a couple of problems were fixed.
    e.g. lib/decompress_*.c used malloc/free() wrappers around slab
    APIs requiring slab.h to be added manually.

    5. The script was run on all .h files but without automatically
    editing them as sprinkling gfp.h and slab.h inclusions around .h
    files could easily lead to inclusion dependency hell. Most gfp.h
    inclusion directives were ignored as stuff from gfp.h was usually
    wildly available and often used in preprocessor macros. Each
    slab.h inclusion directive was examined and added manually as
    necessary.

    6. percpu.h was updated not to include slab.h.

    7. Build test were done on the following configurations and failures
    were fixed. CONFIG_GCOV_KERNEL was turned off for all tests (as my
    distributed build env didn't work with gcov compiles) and a few
    more options had to be turned off depending on archs to make things
    build (like ipr on powerpc/64 which failed due to missing writeq).

    * x86 and x86_64 UP and SMP allmodconfig and a custom test config.
    * powerpc and powerpc64 SMP allmodconfig
    * sparc and sparc64 SMP allmodconfig
    * ia64 SMP allmodconfig
    * s390 SMP allmodconfig
    * alpha SMP allmodconfig
    * um on x86_64 SMP allmodconfig

    8. percpu.h modifications were reverted so that it could be applied as
    a separate patch and serve as bisection point.

    Given the fact that I had only a couple of failures from tests on step
    6, I'm fairly confident about the coverage of this conversion patch.
    If there is a breakage, it's likely to be something in one of the arch
    headers which should be easily discoverable easily on most builds of
    the specific arch.

    Signed-off-by: Tejun Heo <tj@kernel.org>
    Guess-its-ok-by: Christoph Lameter <cl@linux-foundation.org>
    Cc: Ingo Molnar <mingo@redhat.com>
    Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>

    Tejun Heo
     

24 Jun, 2009

5 commits

  • 9d9609851   Audit: clean up all op= output to include string quoting ... Browse Code »

    A number of places in the audit system we send an op= followed by a string
    that includes spaces. Somehow this works but it's just wrong. This patch
    moves all of those that I could find to be quoted.

    Example:

    Change From: type=CONFIG_CHANGE msg=audit(1244666690.117:31): auid=0 ses=1
    subj=unconfined_u:unconfined_r:auditctl_t:s0-s0:c0.c1023 op=remove rule
    key="number2" list=4 res=0

    Change To: type=CONFIG_CHANGE msg=audit(1244666690.117:31): auid=0 ses=1
    subj=unconfined_u:unconfined_r:auditctl_t:s0-s0:c0.c1023 op="remove rule"
    key="number2" list=4 res=0

    Signed-off-by: Eric Paris

    Eric Paris
     
  • 35fe4d0b1   Audit: move audit_get_nd completely into audit_watch ... Browse Code »

    audit_get_nd() is only used by audit_watch and could be more cleanly
    implemented by having the audit watch functions call it when needed rather
    than making the generic audit rule parsing code deal with those objects.

    Signed-off-by: Eric Paris

    Eric Paris
     
  • cfcad62c7   audit: seperate audit inode watches into a subfile ... Browse Code »

    In preparation for converting audit to use fsnotify instead of inotify we
    seperate the inode watching code into it's own file. This is similar to
    how the audit tree watching code is already seperated into audit_tree.c

    Signed-off-by: Eric Paris

    Eric Paris
     
  • e85188f42   Audit: dereferencing krule as if it were an audit_watch ... Browse Code »

    audit_update_watch() runs all of the rules for a given watch and duplicates
    them, attaches a new watch to them, and then when it finishes that process
    and has called free on all of the old rules (ok maybe still inside the rcu
    grace period) it proceeds to use the last element from list_for_each_entry_safe()
    as if it were a krule rather than being the audit_watch which was anchoring
    the list to output a message about audit rules changing.

    This patch unfies the audit message from two different places into a helper
    function and calls it from the correct location in audit_update_rules(). We
    will now get an audit message about the config changing for each rule (with
    each rules filterkey) rather than the previous garbage.

    Signed-off-by: Eric Paris

    Eric Paris
     
  • 35aa901c0   Audit: fix audit watch use after free ... Browse Code »

    When an audit watch is added to a parent the temporary watch inside the
    original krule from userspace is freed. Yet the original watch is used after
    the real watch was created in audit_add_rules()

    Signed-off-by: Eric Paris

    Eric Paris
     

07 May, 2009

1 commit

  • 381a80e6d   inotify: use GFP_NOFS in kernel_event() to work around a lockdep false-positive ... Browse Code »

    There is what we believe to be a false positive reported by lockdep.

    inotify_inode_queue_event() => take inotify_mutex => kernel_event() =>
    kmalloc() => SLOB => alloc_pages_node() => page reclaim => slab reclaim =>
    dcache reclaim => inotify_inode_is_dead => take inotify_mutex => deadlock

    The plan is to fix this via lockdep annotation, but that is proving to be
    quite involved.

    The patch flips the allocation over to GFP_NFS to shut the warning up, for
    the 2.6.30 release.

    Hopefully we will fix this for real in 2.6.31. I'll queue a patch in -mm
    to switch it back to GFP_KERNEL so we don't forget.

    =================================
    [ INFO: inconsistent lock state ]
    2.6.30-rc2-next-20090417 #203
    ---------------------------------
    inconsistent {RECLAIM_FS-ON-W} -> {IN-RECLAIM_FS-W} usage.
    kswapd0/380 [HC0[0]:SC0[0]:HE1:SE1] takes:
    (&inode->inotify_mutex){+.+.?.}, at: [] inotify_inode_is_dead+0x35/0xb0
    {RECLAIM_FS-ON-W} state was registered at:
    [] mark_held_locks+0x68/0x90
    [] lockdep_trace_alloc+0xf5/0x100
    [] __kmalloc_node+0x31/0x1e0
    [] kernel_event+0xe2/0x190
    [] inotify_dev_queue_event+0x126/0x230
    [] inotify_inode_queue_event+0xc6/0x110
    [] vfs_create+0xcd/0x140
    [] do_filp_open+0x88d/0xa20
    [] do_sys_open+0x98/0x140
    [] sys_open+0x20/0x30
    [] system_call_fastpath+0x16/0x1b
    [] 0xffffffffffffffff
    irq event stamp: 690455
    hardirqs last enabled at (690455): [] _spin_unlock_irqrestore+0x44/0x80
    hardirqs last disabled at (690454): [] _spin_lock_irqsave+0x32/0xa0
    softirqs last enabled at (690178): [] __do_softirq+0x202/0x220
    softirqs last disabled at (690157): [] call_softirq+0x1c/0x50

    other info that might help us debug this:
    2 locks held by kswapd0/380:
    #0: (shrinker_rwsem){++++..}, at: [] shrink_slab+0x37/0x180
    #1: (&type->s_umount_key#17){++++..}, at: [] shrink_dcache_memory+0x11f/0x1e0

    stack backtrace:
    Pid: 380, comm: kswapd0 Not tainted 2.6.30-rc2-next-20090417 #203
    Call Trace:
    [] print_usage_bug+0x19f/0x200
    [] ? save_stack_trace+0x2f/0x50
    [] mark_lock+0x4bb/0x6d0
    [] ? check_usage_forwards+0x0/0xc0
    [] __lock_acquire+0xc62/0x1ae0
    [] ? slob_free+0x10c/0x370
    [] lock_acquire+0xe1/0x120
    [] ? inotify_inode_is_dead+0x35/0xb0
    [] mutex_lock_nested+0x63/0x420
    [] ? inotify_inode_is_dead+0x35/0xb0
    [] ? inotify_inode_is_dead+0x35/0xb0
    [] ? sched_clock+0x9/0x10
    [] ? lock_release_holdtime+0x35/0x1c0
    [] inotify_inode_is_dead+0x35/0xb0
    [] dentry_iput+0xbc/0xe0
    [] d_kill+0x33/0x60
    [] __shrink_dcache_sb+0x2d3/0x350
    [] shrink_dcache_memory+0x15a/0x1e0
    [] shrink_slab+0x125/0x180
    [] kswapd+0x560/0x7a0
    [] ? isolate_pages_global+0x0/0x2c0
    [] ? autoremove_wake_function+0x0/0x40
    [] ? trace_hardirqs_on+0xd/0x10
    [] ? kswapd+0x0/0x7a0
    [] kthread+0x5b/0xa0
    [] child_rip+0xa/0x20
    [] ? restore_args+0x0/0x30
    [] ? kthread+0x0/0xa0
    [] ? child_rip+0x0/0x20

    [eparis@redhat.com: fix audit too]
    Cc: Al Viro
    Cc: Matt Mackall
    Cc: Christoph Lameter
    Signed-off-by: Wu Fengguang
    Signed-off-by: Eric Paris
    Cc: Peter Zijlstra
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Wu Fengguang
     

06 Apr, 2009

1 commit

  • c28bb7da7   make the e->rule.xxx shorter in kernel auditfilter.c ... Browse Code »

    make the e->rule.xxx shorter in kernel/auditfilter.c
    --
    ---------------------------------
    Zhenwen Xu - Open and Free
    Home Page: http://zhwen.org
    My Studio: http://dim4.cn

    >From 99692dc640b278f1cb1a15646ce42f22e89c0f77 Mon Sep 17 00:00:00 2001
    From: Zhenwen Xu
    Date: Thu, 12 Mar 2009 22:04:59 +0800
    Subject: [PATCH] make the e->rule.xxx shorter in kernel/auditfilter.c

    Signed-off-by: Zhenwen Xu
    Signed-off-by: Al Viro

    Zhenwen Xu
     

05 Jan, 2009

5 commits

16 Nov, 2008

1 commit

  • 8f7b0ba1c   Fix inotify watch removal/umount races ... Browse Code »

    Inotify watch removals suck violently.

    To kick the watch out we need (in this order) inode->inotify_mutex and
    ih->mutex. That's fine if we have a hold on inode; however, for all
    other cases we need to make damn sure we don't race with umount. We can
    *NOT* just grab a reference to a watch - inotify_unmount_inodes() will
    happily sail past it and we'll end with reference to inode potentially
    outliving its superblock.

    Ideally we just want to grab an active reference to superblock if we
    can; that will make sure we won't go into inotify_umount_inodes() until
    we are done. Cleanup is just deactivate_super().

    However, that leaves a messy case - what if we *are* racing with
    umount() and active references to superblock can't be acquired anymore?
    We can bump ->s_count, grab ->s_umount, which will almost certainly wait
    until the superblock is shut down and the watch in question is pining
    for fjords. That's fine, but there is a problem - we might have hit the
    window between ->s_active getting to 0 / ->s_count - below S_BIAS (i.e.
    the moment when superblock is past the point of no return and is heading
    for shutdown) and the moment when deactivate_super() acquires
    ->s_umount.

    We could just do drop_super() yield() and retry, but that's rather
    antisocial and this stuff is luser-triggerable. OTOH, having grabbed
    ->s_umount and having found that we'd got there first (i.e. that
    ->s_root is non-NULL) we know that we won't race with
    inotify_umount_inodes().

    So we could grab a reference to watch and do the rest as above, just
    with drop_super() instead of deactivate_super(), right? Wrong. We had
    to drop ih->mutex before we could grab ->s_umount. So the watch
    could've been gone already.

    That still can be dealt with - we need to save watch->wd, do idr_find()
    and compare its result with our pointer. If they match, we either have
    the damn thing still alive or we'd lost not one but two races at once,
    the watch had been killed and a new one got created with the same ->wd
    at the same address. That couldn't have happened in inotify_destroy(),
    but inotify_rm_wd() could run into that. Still, "new one got created"
    is not a problem - we have every right to kill it or leave it alone,
    whatever's more convenient.

    So we can use idr_find(...) == watch && watch->inode->i_sb == sb as
    "grab it and kill it" check. If it's been our original watch, we are
    fine, if it's a newcomer - nevermind, just pretend that we'd won the
    race and kill the fscker anyway; we are safe since we know that its
    superblock won't be going away.

    And yes, this is far beyond mere "not very pretty"; so's the entire
    concept of inotify to start with.

    Signed-off-by: Al Viro
    Acked-by: Greg KH
    Signed-off-by: Linus Torvalds

    Al Viro
     

02 Aug, 2008

1 commit

25 Jun, 2008

2 commits

30 Apr, 2008

1 commit

  • 9781db7b3   Merge branch 'audit.b50' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit-current ... Browse Code »

    * 'audit.b50' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit-current:
    [PATCH] new predicate - AUDIT_FILETYPE
    [patch 2/2] Use find_task_by_vpid in audit code
    [patch 1/2] audit: let userspace fully control TTY input auditing
    [PATCH 2/2] audit: fix sparse shadowed variable warnings
    [PATCH 1/2] audit: move extern declarations to audit.h
    Audit: MAINTAINERS update
    Audit: increase the maximum length of the key field
    Audit: standardize string audit interfaces
    Audit: stop deadlock from signals under load
    Audit: save audit_backlog_limit audit messages in case auditd comes back
    Audit: collect sessionid in netlink messages
    Audit: end printk with newline

    Linus Torvalds
     

29 Apr, 2008

1 commit

  • 801678c5a   Remove duplicated unlikely() in IS_ERR() ... Browse Code »

    Some drivers have duplicated unlikely() macros. IS_ERR() already has
    unlikely() in itself.

    This patch cleans up such pointless code.

    Signed-off-by: Hirofumi Nakagawa
    Acked-by: David S. Miller
    Acked-by: Jeff Garzik
    Cc: Paul Clements
    Cc: Richard Purdie
    Cc: Alessandro Zummo
    Cc: David Brownell
    Cc: James Bottomley
    Cc: Michael Halcrow
    Cc: Anton Altaparmakov
    Cc: Al Viro
    Cc: Carsten Otte
    Cc: Patrick McHardy
    Cc: Paul Mundt
    Cc: Jaroslav Kysela
    Cc: Takashi Iwai
    Acked-by: Mike Frysinger
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Hirofumi Nakagawa
     

28 Apr, 2008

4 commits

  • 8b67dca94   [PATCH] new predicate - AUDIT_FILETYPE ... Browse Code »

    Argument is S_IF... | , where index is normally 0 or 1.
    Triggers if chosen element of ctx->names[] is present and the
    mode of object in question matches the upper bits of argument.
    I.e. for things like "is the argument of that chmod a directory",
    etc.

    Signed-off-by: Al Viro

    Al Viro
     
  • 7719e437f   [PATCH 2/2] audit: fix sparse shadowed variable warnings ... Browse Code »

    Use msglen as the identifier.
    kernel/audit.c:724:10: warning: symbol 'len' shadows an earlier one
    kernel/audit.c:575:8: originally declared here

    Don't use ino_f to check the inode field at the end of the functions.
    kernel/auditfilter.c:429:22: warning: symbol 'f' shadows an earlier one
    kernel/auditfilter.c:420:21: originally declared here
    kernel/auditfilter.c:542:22: warning: symbol 'f' shadows an earlier one
    kernel/auditfilter.c:529:21: originally declared here

    i always used as a counter for a for loop and initialized to zero before
    use. Eliminate the inner i variables.
    kernel/auditsc.c:1295:8: warning: symbol 'i' shadows an earlier one
    kernel/auditsc.c:1152:6: originally declared here
    kernel/auditsc.c:1320:7: warning: symbol 'i' shadows an earlier one
    kernel/auditsc.c:1152:6: originally declared here

    Signed-off-by: Harvey Harrison
    Signed-off-by: Al Viro

    Harvey Harrison
     
  • c782f242f   [PATCH 1/2] audit: move extern declarations to audit.h ... Browse Code »

    Leave audit_sig_{uid|pid|sid} protected by #ifdef CONFIG_AUDITSYSCALL.

    Noticed by sparse:
    kernel/audit.c:73:6: warning: symbol 'audit_ever_enabled' was not declared. Should it be static?
    kernel/audit.c:100:8: warning: symbol 'audit_sig_uid' was not declared. Should it be static?
    kernel/audit.c:101:8: warning: symbol 'audit_sig_pid' was not declared. Should it be static?
    kernel/audit.c:102:6: warning: symbol 'audit_sig_sid' was not declared. Should it be static?
    kernel/audit.c:117:23: warning: symbol 'audit_ih' was not declared. Should it be static?
    kernel/auditfilter.c:78:18: warning: symbol 'audit_filter_list' was not declared. Should it be static?

    Signed-off-by: Harvey Harrison
    Signed-off-by: Al Viro

    Harvey Harrison
     
  • 2532386f4   Audit: collect sessionid in netlink messages ... Browse Code »

    Previously I added sessionid output to all audit messages where it was
    available but we still didn't know the sessionid of the sender of
    netlink messages. This patch adds that information to netlink messages
    so we can audit who sent netlink messages.

    Signed-off-by: Eric Paris
    Signed-off-by: Al Viro

    Eric Paris
     

19 Apr, 2008

3 commits

  • 04305e4af   Audit: Final renamings and cleanup ... Browse Code »

    Rename the se_str and se_rule audit fields elements to
    lsm_str and lsm_rule to avoid confusion.

    Signed-off-by: Casey Schaufler
    Signed-off-by: Ahmed S. Darwish
    Acked-by: James Morris

    Ahmed S. Darwish
     
  • d7a96f3a1   Audit: internally use the new LSM audit hooks ... Browse Code »

    Convert Audit to use the new LSM Audit hooks instead of
    the exported SELinux interface.

    Basically, use:
    security_audit_rule_init
    secuirty_audit_rule_free
    security_audit_rule_known
    security_audit_rule_match

    instad of (respectively) :
    selinux_audit_rule_init
    selinux_audit_rule_free
    audit_rule_has_selinux
    selinux_audit_rule_match

    Signed-off-by: Casey Schaufler
    Signed-off-by: Ahmed S. Darwish
    Acked-by: James Morris

    Ahmed S. Darwish
     
  • 2a862b32f   Audit: use new LSM hooks instead of SELinux exports ... Browse Code »

    Stop using the following exported SELinux interfaces:
    selinux_get_inode_sid(inode, sid)
    selinux_get_ipc_sid(ipcp, sid)
    selinux_get_task_sid(tsk, sid)
    selinux_sid_to_string(sid, ctx, len)
    kfree(ctx)

    and use following generic LSM equivalents respectively:
    security_inode_getsecid(inode, secid)
    security_ipc_getsecid*(ipcp, secid)
    security_task_getsecid(tsk, secid)
    security_sid_to_secctx(sid, ctx, len)
    security_release_secctx(ctx, len)

    Call security_release_secctx only if security_secid_to_secctx
    succeeded.

    Signed-off-by: Casey Schaufler
    Signed-off-by: Ahmed S. Darwish
    Acked-by: James Morris
    Reviewed-by: Paul Moore

    Ahmed S. Darwish
     

15 Feb, 2008

2 commits

  • 1d957f9bf   Introduce path_put() ... Browse Code »

    * Add path_put() functions for releasing a reference to the dentry and
    vfsmount of a struct path in the right order

    * Switch from path_release(nd) to path_put(&nd->path)

    * Rename dput_path() to path_put_conditional()

    [akpm@linux-foundation.org: fix cifs]
    Signed-off-by: Jan Blunck
    Signed-off-by: Andreas Gruenbacher
    Acked-by: Christoph Hellwig
    Cc:
    Cc: Al Viro
    Cc: Steven French
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Jan Blunck
     
  • 4ac913785   Embed a struct path into struct nameidata instead of nd->{dentry,mnt} ... Browse Code »

    This is the central patch of a cleanup series. In most cases there is no good
    reason why someone would want to use a dentry for itself. This series reflects
    that fact and embeds a struct path into nameidata.

    Together with the other patches of this series
    - it enforced the correct order of getting/releasing the reference count on
    pairs
    - it prepares the VFS for stacking support since it is essential to have a
    struct path in every place where the stack can be traversed
    - it reduces the overall code size:

    without patch series:
    text data bss dec hex filename
    5321639 858418 715768 6895825 6938d1 vmlinux

    with patch series:
    text data bss dec hex filename
    5320026 858418 715768 6894212 693284 vmlinux

    This patch:

    Switch from nd->{dentry,mnt} to nd->path.{dentry,mnt} everywhere.

    [akpm@linux-foundation.org: coding-style fixes]
    [akpm@linux-foundation.org: fix cifs]
    [akpm@linux-foundation.org: fix smack]
    Signed-off-by: Jan Blunck
    Signed-off-by: Andreas Gruenbacher
    Acked-by: Christoph Hellwig
    Cc: Al Viro
    Cc: Casey Schaufler
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Jan Blunck
     

02 Feb, 2008

1 commit

21 Oct, 2007

1 commit

  • 74c3cbe33   [PATCH] audit: watching subtrees ... Browse Code »

    New kind of audit rule predicates: "object is visible in given subtree".
    The part that can be sanely implemented, that is. Limitations:
    * if you have hardlink from outside of tree, you'd better watch
    it too (or just watch the object itself, obviously)
    * if you mount something under a watched tree, tell audit
    that new chunk should be added to watched subtrees
    * if you umount something in a watched tree and it's still mounted
    elsewhere, you will get matches on events happening there. New command
    tells audit to recalculate the trees, trimming such sources of false
    positives.

    Note that it's _not_ about path - if something mounted in several places
    (multiple mount, bindings, different namespaces, etc.), the match does
    _not_ depend on which one we are using for access.

    Signed-off-by: Al Viro

    Al Viro
     

19 Oct, 2007

1 commit

22 Jul, 2007

2 commits

  • 74f2345b6   [PATCH] allow audit filtering on bit & operations ... Browse Code »

    Right now the audit filter can match on = != > < >= blah blah blah.
    This allow the filter to also look at bitwise AND operations, &

    Signed-off-by: Eric Paris
    Signed-off-by: Al Viro

    Eric Paris
     
  • c926e4f43   [PATCH] audit: fix broken class-based syscall audit ... Browse Code »

    The sanity check in audit_match_class() is wrong. We are able to audit
    2048 syscalls but in audit_match_class() we were accidentally using
    sizeof(_u32) instead of number of bits in _u32 when deciding how many
    syscalls were valid. On ia64 in particular we were hitting syscall
    numbers over the (wrong) limit of 256. Fixing the audit_match_class
    check takes care of the problem.

    Signed-off-by: Klaus Weidner
    Signed-off-by: Al Viro

    Klaus Weidner
     

18 Jul, 2007

1 commit

  • 6f686d3d1   kernel/auditfilter: kill bogus uninit'd-var compiler warning ... Browse Code »

    Kill this warning...

    kernel/auditfilter.c: In function ‘audit_receive_filter’:
    kernel/auditfilter.c:1213: warning: ‘ndw’ may be used uninitialized in this function
    kernel/auditfilter.c:1213: warning: ‘ndp’ may be used uninitialized in this function

    ...with a simplification of the code. audit_put_nd() can accept NULL
    arguments, just like kfree(). It is cleaner to init two existing vars
    to NULL, remove the redundant test variable 'putnd_needed' branches, and call
    audit_put_nd() directly.

    As a desired side effect, the warning goes away.

    Signed-off-by: Jeff Garzik

    Jeff Garzik
     

24 Jun, 2007

1 commit

  • 7b018b288   audit: fix oops removing watch if audit disabled ... Browse Code »

    Removing a watched file will oops if audit is disabled (auditctl -e 0).

    To reproduce:
    - auditctl -e 1
    - touch /tmp/foo
    - auditctl -w /tmp/foo
    - auditctl -e 0
    - rm /tmp/foo (or mv)

    Signed-off-by: Tony Jones
    Cc: Al Viro
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Tony Jones
     

16 May, 2007

1 commit