    • audit: ignore terminating NUL in AUDIT_USER_TTY messages · 55ad2f8d
      Miloslav Trmac authored
      AUDIT_USER_TTY, like all other messages sent from user-space, is sent
      NUL-terminated.  Unlike other user-space audit messages, which come only
      from trusted sources, AUDIT_USER_TTY messages are processed using
      This patch modifies AUDIT_USER_TTY handling to ignore the trailing NUL
      and use the "quoted_string" representation of the message if possible.
      Signed-off-by: Miloslav Trmac <mitr@redhat.com>
      Cc: Eric Paris <eparis@redhat.com>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Steve Grubb <sgrubb@redhat.com>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • Audit: fix handling of 'strings' with NULL characters · b3897f56
      Miloslav Trmac authored
      Currently audit_log_n_untrustedstring() uses audit_string_contains_control()
      to check if the 'string' has any control characters.  If the 'string' has an
      embedded NULL audit_string_contains_control() will return that the data has
      no control characters and will then pass the string to audit_log_n_string
      with the total length, not the length up to the first NULL.
      audit_log_n_string() does a memcpy of the entire length and so the actual
      audit record emitted may then contain a NULL and then whatever random memory
      is after the NULL.
      Since we want to log the entire octet stream (if we can't trust the data
      to be a string we can't trust that a NULL isn't actually a part of it)
      we should just consider NULL as a control character.  If the caller is
      certain they want to stop at the first NULL they should be using
      Signed-off-by: Eric Paris <eparis@redhat.com>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • make the e->rule.xxx shorter in kernel auditfilter.c · c28bb7da
      Zhenwen Xu authored
      make the e->rule.xxx shorter in kernel/auditfilter.c
      Zhenwen Xu - Open and Free
      Home Page:	http://zhwen.org
      My Studio:	http://dim4.cn
      >From 99692dc640b278f1cb1a15646ce42f22e89c0f77 Mon Sep 17 00:00:00 2001
      From: Zhenwen Xu <Helight.Xu@gmail.com>
      Date: Thu, 12 Mar 2009 22:04:59 +0800
      Subject: [PATCH] make the e->rule.xxx shorter in kernel/auditfilter.c
      Signed-off-by: Zhenwen Xu <Helight.Xu@gmail.com>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • auditsc: fix kernel-doc notation · 6b962559
      Randy Dunlap authored
      Fix auditsc kernel-doc notation:
      Warning(linux-2.6.28-git7//kernel/auditsc.c:2156): No description found for parameter 'attr'
      Warning(linux-2.6.28-git7//kernel/auditsc.c:2156): Excess function parameter 'u_attr' description in '__audit_mq_open'
      Warning(linux-2.6.28-git7//kernel/auditsc.c:2204): No description found for parameter 'notification'
      Warning(linux-2.6.28-git7//kernel/auditsc.c:2204): Excess function parameter 'u_notification' description in '__audit_mq_notify'
      Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com>
      cc:	Al Viro <viro@zeniv.linux.org.uk>
      cc:	Eric Paris <eparis@redhat.com>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • audit: EXECVE record - removed bogus newline · ca96a895
      Jiri Pirko authored
      Added hunk that changes the comment, the rest is the same.
      EXECVE records contain a newline after every argument. auditd converts
      "\n" to " " so you cannot see newlines even in raw logs, but they're
      there nevertheless. If you're not using auditd, you need to work round
      them. These '\n' chars can be easily replaced by spaces when
      creating record in kernel. Note there is no need for trailing '\n' in
      an audit record.
      record before this patch:
      "type=EXECVE msg=audit(1231421801.566:31): argc=4 a0=\"./test\"\na1=\"a\"\na2=\"b\"\na3=\"c\"\n"
      record after this patch:
      "type=EXECVE msg=audit(1231421801.566:31): argc=4 a0=\"./test\" a1=\"a\" a2=\"b\" a3=\"c\""
      Signed-off-by: Jiri Pirko <jpirko@redhat.com>
      Acked-by: Eric Paris <eparis@redhat.com>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
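
The embedded-NUL problem described in commit b3897f56 above, modelled in user-space C as an added example (not code from the kernel or from the commit). The function names, the sample buffer and the set of bytes treated as unsafe ('"', anything below 0x21 or above 0x7e) are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* User-space model only; names and the unsafe-byte set are assumptions. */
static const char SAMPLE[] = "ls\0SECRET";   /* constructed input */
#define SAMPLE_LEN (sizeof SAMPLE - 1)        /* 9 bytes, NUL at index 2 */

/* stop_at_nul=1: scan gives up at first NUL (behaviour the commit describes).
 * stop_at_nul=0: all len bytes are checked, so NUL (0x00) counts as control. */
static int contains_control(const char *s, size_t len, int stop_at_nul)
{
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == 0 && stop_at_nul) return 0;
        if (c == '"' || c < 0x21 || c > 0x7e) return 1;
    }
    return 0;
}

/* Encode one field: quoted copy of all len bytes if the check passes, else hex.
 * Returns bytes written to out, or 0 if out is too small. */
static size_t encode_field(const char *s, size_t len, int stop_at_nul, char *out, size_t cap)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t n = 0;
    if (cap < 2 * len + 2) return 0;
    if (!contains_control(s, len, stop_at_nul)) {
        out[n++] = '"';
        memcpy(out + n, s, len);              /* copies past the NUL too */
        n += len;
        out[n++] = '"';
        return n;
    }
    for (size_t i = 0; i < len; i++) {
        out[n++] = hex[(unsigned char)s[i] >> 4];
        out[n++] = hex[(unsigned char)s[i] & 0x0f];
    }
    return n;
}

int main(void)
{
    char out[64];
    size_t n = encode_field(SAMPLE, SAMPLE_LEN, 1, out, sizeof out);
    printf("old: %zu bytes, raw NUL in record: %s\n", n, memchr(out, 0, n) ? "yes" : "no");
    n = encode_field(SAMPLE, SAMPLE_LEN, 0, out, sizeof out);
    printf("new: %.*s\n", (int)n, out);
    return 0;
}
```

With the old check the quoted field carries a raw NUL, so any consumer that handles the record as a C string sees it cut short at `"ls`; with the fixed check the whole buffer is hex-encoded and nothing is hidden.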
