Eric Lee / smarc-fsl-linux-kernel

27 Jun, 2016

1 commit

  • 86b2efbe3   audit: add fields to exclude filter by reusing user filter ... Browse Code »

    RFE: add additional fields for use in audit filter exclude rules
    https://github.com/linux-audit/audit-kernel/issues/5

    Re-factor and combine audit_filter_type() with audit_filter_user() to
    use audit_filter_user_rules() to enable the exclude filter to
    additionally filter on PID, UID, GID, AUID, LOGINUID_SET, SUBJ_*.

    The process of combining the similar audit_filter_user() and
    audit_filter_type() functions, required inverting the meaning and
    including the ALWAYS action of the latter.

    Include audit_filter_user_rules() into audit_filter(), removing
    unneeded logic in the process.

    Keep the check to quit early if the list is empty.

    Signed-off-by: Richard Guy Briggs
    [PM: checkpatch.pl fixes - whitespace damage, wrapped description]
    Signed-off-by: Paul Moore

    Richard Guy Briggs
     

17 Jun, 2016

1 commit

01 Jun, 2016

1 commit

09 Feb, 2016

1 commit

04 Nov, 2015

1 commit

07 Aug, 2015

2 commits

  • 34d99af52   audit: implement audit by executable ... Browse Code »

    This adds the ability audit the actions of a not-yet-running process.

    This patch implements the ability to filter on the executable path. Instead of
    just hard coding the ino and dev of the executable we care about at the moment
    the rule is inserted into the kernel, use the new audit_fsnotify
    infrastructure to manage this dynamically. This means that if the filename
    does not yet exist but the containing directory does, or if the inode in
    question is unlinked and creat'd (aka updated) the rule will just continue to
    work. If the containing directory is moved or deleted or the filesystem is
    unmounted, the rule is deleted automatically. A future enhancement would be to
    have the rule survive across directory disruptions.

    This is a heavily modified version of a patch originally submitted by Eric
    Paris with some ideas from Peter Moody.

    Cc: Peter Moody
    Cc: Eric Paris
    Signed-off-by: Richard Guy Briggs
    [PM: minor whitespace clean to satisfy ./scripts/checkpatch]
    Signed-off-by: Paul Moore

    Richard Guy Briggs
     
  • 7f4929428   audit: clean simple fsnotify implementation ... Browse Code »

    This is to be used to audit by executable path rules, but audit watches should
    be able to share this code eventually.

    At the moment the audit watch code is a lot more complex. That code only
    creates one fsnotify watch per parent directory. That 'audit_parent' in
    turn has a list of 'audit_watches' which contain the name, ino, dev of
    the specific object we care about. This just creates one fsnotify watch
    per object we care about. So if you watch 100 inodes in /etc this code
    will create 100 fsnotify watches on /etc. The audit_watch code will
    instead create 1 fsnotify watch on /etc (the audit_parent) and then 100
    individual watches chained from that fsnotify mark.

    We should be able to convert the audit_watch code to do one fsnotify
    mark per watch and simplify things/remove a whole lot of code. After
    that conversion we should be able to convert the audit_fsnotify code to
    support that hierarchy if the optimization is necessary.

    Move the access to the entry for audit_match_signal() to the beginning of
    the audit_del_rule() function in case the entry found is the same one passed
    in. This will enable it to be used by audit_autoremove_mark_rule(),
    kill_rules() and audit_remove_parent_watches().

    This is a heavily modified and merged version of two patches originally
    submitted by Eric Paris.

    Cc: Peter Moody
    Cc: Eric Paris
    Signed-off-by: Richard Guy Briggs
    [PM: added a space after a declaration to keep ./scripts/checkpatch happy]
    Signed-off-by: Paul Moore

    Richard Guy Briggs
     

06 Aug, 2015

1 commit

  • 8c85fc9ae   audit: make audit_del_rule() more robust ... Browse Code »

    Move the access to the entry for audit_match_signal() to earlier in the
    function in case the entry found is the same one passed in. This will enable
    it to be used by audit_remove_mark_rule().

    Signed-off-by: Richard Guy Briggs
    [PM: tweaked subject line as it no longer made sense after multiple revs]
    Signed-off-by: Paul Moore

    Richard Guy Briggs
     

05 Aug, 2015

2 commits

12 Feb, 2015

1 commit

  • 7184487f1   Merge branch 'upstream' of git://git.infradead.org/users/pcmoore/audit ... Browse Code »

    Pull audit fix from Paul Moore:
    "Just one patch from the audit tree for v3.20, and a very minor one at
    that.

    The patch simply removes an old, unused field from the audit_krule
    structure, a private audit-only struct. In audit related news, we did
    a proper overhaul of the audit pathname code and removed the nasty
    getname()/putname() hacks for audit, you should see those patches in
    Al's vfs tree if you haven't already.

    That's it for audit this time, let's hope for a quiet -rcX series"

    * 'upstream' of git://git.infradead.org/users/pcmoore/audit:
    audit: remove vestiges of vers_ops

    Linus Torvalds
     

20 Jan, 2015

1 commit

24 Dec, 2014

2 commits

  • 66b3f4f0a   Merge branch 'upstream' of git://git.infradead.org/users/pcmoore/audit ... Browse Code »

    Pull audit fixes from Paul Moore:
    "Four patches to fix various problems with the audit subsystem, all are
    fairly small and straightforward.

    One patch fixes a problem where we weren't using the correct gfp
    allocation flags (GFP_KERNEL regardless of context, oops), one patch
    fixes a problem with old userspace tools (this was broken for a
    while), one patch fixes a problem where we weren't recording pathnames
    correctly, and one fixes a problem with PID based filters.

    In general I don't think there is anything controversial with this
    patchset, and it fixes some rather unfortunate bugs; the allocation
    flag one can be particularly scary looking for users"

    * 'upstream' of git://git.infradead.org/users/pcmoore/audit:
    audit: restore AUDIT_LOGINUID unset ABI
    audit: correctly record file names with different path name types
    audit: use supplied gfp_mask from audit_buffer in kauditd_send_multicast_skb
    audit: don't attempt to lookup PIDs when changing PID filtering audit rules

    Linus Torvalds
     
  • 041d7b98f   audit: restore AUDIT_LOGINUID unset ABI ... Browse Code »

    A regression was caused by commit 780a7654cee8:
    audit: Make testing for a valid loginuid explicit.
    (which in turn attempted to fix a regression caused by e1760bd)

    When audit_krule_to_data() fills in the rules to get a listing, there was a
    missing clause to convert back from AUDIT_LOGINUID_SET to AUDIT_LOGINUID.

    This broke userspace by not returning the same information that was sent and
    expected.

    The rule:
    auditctl -a exit,never -F auid=-1
    gives:
    auditctl -l
    LIST_RULES: exit,never f24=0 syscall=all
    when it should give:
    LIST_RULES: exit,never auid=-1 (0xffffffff) syscall=all

    Tag it so that it is reported the same way it was set. Create a new
    private flags audit_krule field (pflags) to store it that won't interact with
    the public one from the API.

    Cc: stable@vger.kernel.org # v3.10-rc1+
    Signed-off-by: Richard Guy Briggs
    Signed-off-by: Paul Moore

    Richard Guy Briggs
     

20 Dec, 2014

1 commit

  • 3640dcfa4   audit: don't attempt to lookup PIDs when changing PID filtering audit rules ... Browse Code »

    Commit f1dc4867 ("audit: anchor all pid references in the initial pid
    namespace") introduced a find_vpid() call when adding/removing audit
    rules with PID/PPID filters; unfortunately this is problematic as
    find_vpid() only works if there is a task with the associated PID
    alive on the system. The following commands demonstrate a simple
    reproducer.

    # auditctl -D
    # auditctl -l
    # autrace /bin/true
    # auditctl -l

    This patch resolves the problem by simply using the PID provided by
    the user without any additional validation, e.g. no calls to check to
    see if the task/PID exists.

    Cc: stable@vger.kernel.org # 3.15
    Cc: Richard Guy Briggs
    Signed-off-by: Paul Moore
    Acked-by: Eric Paris
    Reviewed-by: Richard Guy Briggs

    Paul Moore
     

20 Oct, 2014

1 commit

  • ab074ade9   Merge git://git.infradead.org/users/eparis/audit ... Browse Code »

    Pull audit updates from Eric Paris:
    "So this change across a whole bunch of arches really solves one basic
    problem. We want to audit when seccomp is killing a process. seccomp
    hooks in before the audit syscall entry code. audit_syscall_entry
    took as an argument the arch of the given syscall. Since the arch is
    part of what makes a syscall number meaningful it's an important part
    of the record, but it isn't available when seccomp shoots the
    syscall...

    For most arch's we have a better way to get the arch (syscall_get_arch)
    So the solution was two fold: Implement syscall_get_arch() everywhere
    there is audit which didn't have it. Use syscall_get_arch() in the
    seccomp audit code. Having syscall_get_arch() everywhere meant it was
    a useless flag on the stack and we could get rid of it for the typical
    syscall entry.

    The other changes inside the audit system aren't grand, fixed some
    records that had invalid spaces. Better locking around the task comm
    field. Removing some dead functions and structs. Make some things
    static. Really minor stuff"

    * git://git.infradead.org/users/eparis/audit: (31 commits)
    audit: rename audit_log_remove_rule to disambiguate for trees
    audit: cull redundancy in audit_rule_change
    audit: WARN if audit_rule_change called illegally
    audit: put rule existence check in canonical order
    next: openrisc: Fix build
    audit: get comm using lock to avoid race in string printing
    audit: remove open_arg() function that is never used
    audit: correct AUDIT_GET_FEATURE return message type
    audit: set nlmsg_len for multicast messages.
    audit: use union for audit_field values since they are mutually exclusive
    audit: invalid op= values for rules
    audit: use atomic_t to simplify audit_serial()
    kernel/audit.c: use ARRAY_SIZE instead of sizeof/sizeof[0]
    audit: reduce scope of audit_log_fcaps
    audit: reduce scope of audit_net_id
    audit: arm64: Remove the audit arch argument to audit_syscall_entry
    arm64: audit: Add audit hook in syscall_trace_enter/exit()
    audit: x86: drop arch from __audit_syscall_entry() interface
    sparc: implement is_32bit_task
    sparc: properly conditionalize use of TIF_32BIT
    ...

    Linus Torvalds
     

11 Oct, 2014

3 commits

24 Sep, 2014

2 commits

  • 219ca3942   audit: use union for audit_field values since they are mutually exclusive ... Browse Code »

    Since only one of val, uid, gid and lsm* are used at any given time, combine
    them to reduce the size of the struct audit_field.

    Signed-off-by: Richard Guy Briggs

    Richard Guy Briggs
     
  • e7df61f4d   audit: invalid op= values for rules ... Browse Code »

    Various audit events dealing with adding, removing and updating rules result in
    invalid values set for the op keys which result in embedded spaces in op=
    values.

    The invalid values are
    op="add rule" set in kernel/auditfilter.c
    op="remove rule" set in kernel/auditfilter.c
    op="remove rule" set in kernel/audit_tree.c
    op="updated rules" set in kernel/audit_watch.c
    op="remove rule" set in kernel/audit_watch.c

    Replace the space in the above values with an underscore character ('_').

    Coded-by: Burn Alting
    Signed-off-by: Richard Guy Briggs

    Burn Alting
     

07 Aug, 2014

1 commit

13 Apr, 2014

1 commit

  • 0b747172d   Merge git://git.infradead.org/users/eparis/audit ... Browse Code »

    Pull audit updates from Eric Paris.

    * git://git.infradead.org/users/eparis/audit: (28 commits)
    AUDIT: make audit_is_compat depend on CONFIG_AUDIT_COMPAT_GENERIC
    audit: renumber AUDIT_FEATURE_CHANGE into the 1300 range
    audit: do not cast audit_rule_data pointers pointlesly
    AUDIT: Allow login in non-init namespaces
    audit: define audit_is_compat in kernel internal header
    kernel: Use RCU_INIT_POINTER(x, NULL) in audit.c
    sched: declare pid_alive as inline
    audit: use uapi/linux/audit.h for AUDIT_ARCH declarations
    syscall_get_arch: remove useless function arguments
    audit: remove stray newline from audit_log_execve_info() audit_panic() call
    audit: remove stray newlines from audit_log_lost messages
    audit: include subject in login records
    audit: remove superfluous new- prefix in AUDIT_LOGIN messages
    audit: allow user processes to log from another PID namespace
    audit: anchor all pid references in the initial pid namespace
    audit: convert PPIDs to the inital PID namespace.
    pid: get pid_t ppid of task in init_pid_ns
    audit: rename the misleading audit_get_context() to audit_take_context()
    audit: Add generic compat syscall support
    audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL
    ...

    Linus Torvalds
     

03 Apr, 2014

1 commit

20 Mar, 2014

3 commits

  • f1dc4867f   audit: anchor all pid references in the initial pid namespace ... Browse Code »

    Store and log all PIDs with reference to the initial PID namespace and
    use the access functions task_pid_nr() and task_tgid_nr() for task->pid
    and task->tgid.

    Cc: "Eric W. Biederman"
    (informed by ebiederman's c776b5d2)
    Signed-off-by: Richard Guy Briggs

    Richard Guy Briggs
     
  • 099dd2351   audit: Send replies in the proper network namespace. ... Browse Code »

    In perverse cases of file descriptor passing the current network
    namespace of a process and the network namespace of a socket used by
    that socket may differ. Therefore use the network namespace of the
    appropiate socket to ensure replies always go to the appropiate
    socket.

    Signed-off-by: "Eric W. Biederman"
    Acked-by: Richard Guy Briggs
    Signed-off-by: Eric Paris

    Eric W. Biederman
     
  • 638a0fd2a   audit: Use struct net not pid_t to remember the network namespce to reply in ... Browse Code »

    While reading through 3.14-rc1 I found a pretty siginficant mishandling
    of network namespaces in the recent audit changes.

    In struct audit_netlink_list and audit_reply add a reference to the
    network namespace of the caller and remove the userspace pid of the
    caller. This cleanly remembers the callers network namespace, and
    removes a huge class of races and nasty failure modes that can occur
    when attempting to relook up the callers network namespace from a pid_t
    (including the caller's network namespace changing, pid wraparound, and
    the pid simply not being present).

    Signed-off-by: "Eric W. Biederman"
    Acked-by: Richard Guy Briggs
    Signed-off-by: Eric Paris

    Eric W. Biederman
     

09 Mar, 2014

1 commit

  • d211f177b   audit: Update kdoc for audit_send_reply and audit_list_rules_send ... Browse Code »

    The kbuild test robot reported:
    > tree: git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace.git for-next
    > head: 6f285b19d09f72e801525f5eea1bdad22e559bf0
    > commit: 6f285b19d09f72e801525f5eea1bdad22e559bf0 [2/2] audit: Send replies in the proper network namespace.
    > reproduce: make htmldocs
    >
    > >> Warning(kernel/audit.c:575): No description found for parameter 'request_skb'
    > >> Warning(kernel/audit.c:575): Excess function parameter 'portid' description in 'audit_send_reply'
    > >> Warning(kernel/auditfilter.c:1074): No description found for parameter 'request_skb'
    > >> Warning(kernel/auditfilter.c:1074): Excess function parameter 'portid' description in 'audit_list_rules_s

    Which was caused by my failure to update the kdoc annotations when I
    updated the functions. Fix that small oversight now.

    Signed-off-by: "Eric W. Biederman"

    Eric W. Biederman
     

08 Mar, 2014

1 commit

01 Mar, 2014

1 commit

28 Feb, 2014

1 commit

  • 48095d991   audit: Use struct net not pid_t to remember the network namespce to reply in ... Browse Code »

    In struct audit_netlink_list and audit_reply add a reference to the
    network namespace of the caller and remove the userspace pid of the
    caller. This cleanly remembers the callers network namespace, and
    removes a huge class of races and nasty failure modes that can occur
    when attempting to relook up the callers network namespace from a
    pid_t (including the caller's network namespace changing, pid
    wraparound, and the pid simply not being present).

    Signed-off-by: "Eric W. Biederman"

    Eric W. Biederman
     

14 Jan, 2014

5 commits

06 Nov, 2013

2 commits

  • 78122037b   audit: do not reject all AUDIT_INODE filter types ... Browse Code »

    commit ab61d38ed8cf670946d12dc46b9198b521c790ea tried to merge the
    invalid filter checking into a single function. However AUDIT_INODE
    filters were not verified in the new generic checker. Thus such rules
    were being denied even though they were perfectly valid.

    Ex:
    $ auditctl -a exit,always -F arch=b64 -S open -F key=/foo -F inode=6955 -F devmajor=9 -F devminor=1
    Error sending add rule data request (Invalid argument)

    Signed-off-by: Eric Paris
    Signed-off-by: Richard Guy Briggs
    Signed-off-by: Eric Paris

    Eric Paris
     
  • 42f74461a   audit: change decimal constant to macro for invalid uid ... Browse Code »

    SFR reported this 2013-05-15:

    > After merging the final tree, today's linux-next build (i386 defconfig)
    > produced this warning:
    >
    > kernel/auditfilter.c: In function 'audit_data_to_entry':
    > kernel/auditfilter.c:426:3: warning: this decimal constant is unsigned only
    > in ISO C90 [enabled by default]
    >
    > Introduced by commit 780a7654cee8 ("audit: Make testing for a valid
    > loginuid explicit") from Linus' tree.

    Replace this decimal constant in the code with a macro to make it more readable
    (add to the unsigned cast to quiet the warning).

    Cc: Stephen Rothwell
    Cc: "Eric W. Biederman"
    Signed-off-by: Richard Guy Briggs
    Signed-off-by: Eric Paris

    Richard Guy Briggs
     

10 Jul, 2013

2 commits

  • b9ce54c9f   audit: Fix decimal constant description ... Browse Code »

    Use proper decimal type for comparison with u32.

    Compilation warning was introduced by 780a7654 ("audit: Make testing for
    a valid loginuid explicit.")

    kernel/auditfilter.c: In function 'audit_data_to_entry':
    kernel/auditfilter.c:426:3: warning: this decimal constant is unsigned only in ISO C90 [enabled by default]
    if ((f->type == AUDIT_LOGINUID) && (f->val == 4294967295)) {

    Signed-off-by: Michal Simek
    Cc: Al Viro
    Cc: Eric Paris
    Acked-by: Geert Uytterhoeven
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Michal Simek
     
  • 2f992ee85   kernel/auditfilter.c: fix leak in audit_add_rule() error path ... Browse Code »

    If both 'tree' and 'watch' are valid we must call audit_put_tree(), just
    like the preceding code within audit_add_rule().

    Signed-off-by: Chen Gang
    Cc: Al Viro
    Cc: Eric Paris
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Chen Gang