1. 05 Aug, 2015 2 commits
  2. 04 Aug, 2015 1 commit
  3. 20 Jan, 2015 1 commit
  4. 23 Dec, 2014 1 commit
    • Richard Guy Briggs's avatar
      audit: restore AUDIT_LOGINUID unset ABI · 041d7b98
      Richard Guy Briggs authored
      A regression was caused by commit 780a7654:
      	 audit: Make testing for a valid loginuid explicit.
      (which in turn attempted to fix a regression caused by e1760bd5)
      
      When audit_krule_to_data() fills in the rules to get a listing, there was a
      missing clause to convert back from AUDIT_LOGINUID_SET to AUDIT_LOGINUID.
      
      This broke userspace by not returning the same information that was sent and
      expected.
      
      The rule:
      	auditctl -a exit,never -F auid=-1
      gives:
      	auditctl -l
      		LIST_RULES: exit,never f24=0 syscall=all
      when it should give:
      		LIST_RULES: exit,never auid=-1 (0xffffffff) syscall=all
      
      Tag it so that it is reported the same way it was set.  Create a new
      private flags audit_krule field (pflags) to store it that won't interact with
      the public one from the API.
      
      Cc: stable@vger.kernel.org # v3.10-rc1+
      Signed-off-by: default avatarRichard Guy Briggs <rgb@redhat.com>
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
      041d7b98
  5. 19 Dec, 2014 1 commit
    • Paul Moore's avatar
      audit: don't attempt to lookup PIDs when changing PID filtering audit rules · 3640dcfa
      Paul Moore authored
      Commit f1dc4867 ("audit: anchor all pid references in the initial pid
      namespace") introduced a find_vpid() call when adding/removing audit
      rules with PID/PPID filters; unfortunately this is problematic as
      find_vpid() only works if there is a task with the associated PID
      alive on the system.  The following commands demonstrate a simple
      reproducer.
      
      	# auditctl -D
      	# auditctl -l
      	# autrace /bin/true
      	# auditctl -l
      
      This patch resolves the problem by simply using the PID provided by
      the user without any additional validation, e.g. no calls to check to
      see if the task/PID exists.
      
      Cc: stable@vger.kernel.org # 3.15
      Cc: Richard Guy Briggs <rgb@redhat.com>
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
      Acked-by: default avatarEric Paris <eparis@redhat.com>
      Reviewed-by: default avatarRichard Guy Briggs <rgb@redhat.com>
      3640dcfa
  6. 10 Oct, 2014 3 commits
  7. 23 Sep, 2014 2 commits
  8. 06 Aug, 2014 1 commit
  9. 02 Apr, 2014 1 commit
  10. 20 Mar, 2014 3 commits
  11. 08 Mar, 2014 1 commit
  12. 07 Mar, 2014 1 commit
  13. 28 Feb, 2014 2 commits
  14. 13 Jan, 2014 5 commits
  15. 05 Nov, 2013 2 commits
    • Eric Paris's avatar
      audit: do not reject all AUDIT_INODE filter types · 78122037
      Eric Paris authored
      commit ab61d38e tried to merge the
      invalid filter checking into a single function.  However AUDIT_INODE
      filters were not verified in the new generic checker.  Thus such rules
      were being denied even though they were perfectly valid.
      
      Ex:
      $ auditctl -a exit,always -F arch=b64 -S open -F key=/foo -F inode=6955 -F devmajor=9 -F devminor=1
      Error sending add rule data request (Invalid argument)
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      Signed-off-by: default avatarRichard Guy Briggs <rgb@redhat.com>
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      78122037
    • Richard Guy Briggs's avatar
      audit: change decimal constant to macro for invalid uid · 42f74461
      Richard Guy Briggs authored
      SFR reported this 2013-05-15:
      
      > After merging the final tree, today's linux-next build (i386 defconfig)
      > produced this warning:
      >
      > kernel/auditfilter.c: In function 'audit_data_to_entry':
      > kernel/auditfilter.c:426:3: warning: this decimal constant is unsigned only
      > in ISO C90 [enabled by default]
      >
      > Introduced by commit 780a7654 ("audit: Make testing for a valid
      > loginuid explicit") from Linus' tree.
      
      Replace this decimal constant in the code with a macro to make it more readable
      (add to the unsigned cast to quiet the warning).
      
      Cc: Stephen Rothwell <sfr@canb.auug.org.au>
      Cc: "Eric W. Biederman" <ebiederm@xmission.com>
      Signed-off-by: default avatarRichard Guy Briggs <rgb@redhat.com>
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      42f74461
  16. 09 Jul, 2013 3 commits
  17. 24 May, 2013 1 commit
  18. 07 May, 2013 1 commit
  19. 30 Apr, 2013 4 commits
  20. 29 Apr, 2013 1 commit
    • Chen Gang's avatar
      kernel/auditfilter.c: tree and watch will memory leak when failure occurs · 373e0f34
      Chen Gang authored
      In audit_data_to_entry() when a failure occurs we must check and free
      the tree and watch to avoid a memory leak.
      
        test:
          plan:
            test command:
              "auditctl -a exit,always -w /etc -F auid=-1"
              (on fedora17, need modify auditctl to let "-w /etc" has effect)
            running:
              under fedora17 x86_64, 2 CPUs 3.20GHz, 2.5GB RAM.
              let 15 auditctl processes continue running at the same time.
            monitor command:
              watch -d -n 1 "cat /proc/meminfo | awk '{print \$2}' \
                | head -n 4 | xargs \
                | awk '{print \"used \",\$1 - \$2 - \$3 - \$4}'"
      
          result:
            for original version:
              will use up all memory, within 3 hours.
              kill all auditctl, the memory still does not free.
            for new version (apply this patch):
              after 14 hours later, not find issues.
      Signed-off-by: default avatarChen Gang <gang.chen@asianux.com>
      Cc: Eric Paris <eparis@redhat.com>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      373e0f34
  21. 16 Apr, 2013 1 commit
    • Eric Paris's avatar
      audit: allow checking the type of audit message in the user filter · 62062cf8
      Eric Paris authored
      When userspace sends messages to the audit system it includes a type.
      We want to be able to filter messages based on that type without have to
      do the all or nothing option currently available on the
      AUDIT_FILTER_TYPE filter list.  Instead we should be able to use the
      AUDIT_FILTER_USER filter list and just use the message type as one part
      of the matching decision.
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      62062cf8
  22. 10 Jan, 2013 1 commit
  23. 11 Oct, 2012 1 commit