1. 27 Jan, 2016 1 commit
  2. 13 Jan, 2016 1 commit
    • audit: force seccomp event logging to honor the audit_enabled flag · 96368701
      Paul Moore authored
      Previously we were emitting seccomp audit records regardless of the
      audit_enabled setting, a departure from the rest of audit.  This
      patch makes seccomp auditing consistent with the rest of the audit
      record generation code in that when audit_enabled=0 nothing is logged
      by the audit subsystem.
      
      The bulk of this patch is moving the CONFIG_AUDIT block ahead of the
      CONFIG_AUDITSYSCALL block in include/linux/audit.h; the only real
      code change was in the audit_seccomp() definition.
      Signed-off-by: Tony Jones <tonyj@suse.de>
      Signed-off-by: Paul Moore <pmoore@redhat.com>
  3. 24 Dec, 2015 1 commit
  4. 04 Nov, 2015 2 commits
  5. 06 Aug, 2015 2 commits
    • audit: implement audit by executable · 34d99af5
      Richard Guy Briggs authored
      This adds the ability to audit the actions of a not-yet-running process.
      
      This patch implements the ability to filter on the executable path.  Instead of
      just hard coding the ino and dev of the executable we care about at the moment
      the rule is inserted into the kernel, use the new audit_fsnotify
      infrastructure to manage this dynamically.  This means that if the filename
      does not yet exist but the containing directory does, or if the inode in
      question is unlinked and creat'd (aka updated) the rule will just continue to
      work.  If the containing directory is moved or deleted or the filesystem is
      unmounted, the rule is deleted automatically.  A future enhancement would be to
      have the rule survive across directory disruptions.
      
      This is a heavily modified version of a patch originally submitted by Eric
      Paris with some ideas from Peter Moody.
      
      Cc: Peter Moody <peter@hda3.com>
      Cc: Eric Paris <eparis@redhat.com>
      Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
      [PM: minor whitespace clean to satisfy ./scripts/checkpatch]
      Signed-off-by: Paul Moore <pmoore@redhat.com>
    • audit: use macros for unset inode and device values · 84cb777e
      Richard Guy Briggs authored
      Clean up a number of places where cast magic numbers are used to represent
      unset inode and device numbers in preparation for the audit by executable path
      patch set.
      Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
      [PM: enclosed the _UNSET macros in parentheses for ./scripts/checkpatch]
      Signed-off-by: Paul Moore <pmoore@redhat.com>
  6. 22 Jan, 2015 1 commit
    • audit: replace getname()/putname() hacks with reference counters · 55422d0b
      Paul Moore authored
      In order to ensure that filenames are not released before the audit
      subsystem is done with the strings there are a number of hacks built
      into the fs and audit subsystems around getname() and putname().  To
      say these hacks are "ugly" would be kind.
      
      This patch removes the filename hackery in favor of a more
      conventional reference count based approach.  The diffstat below tells
      most of the story; lots of audit/fs specific code is replaced with a
      traditional reference count based approach that is easily understood,
      even by those not familiar with the audit and/or fs subsystems.
      
      CC: viro@zeniv.linux.org.uk
      CC: linux-fsdevel@vger.kernel.org
      Signed-off-by: Paul Moore <pmoore@redhat.com>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
  7. 20 Jan, 2015 1 commit
  8. 23 Dec, 2014 1 commit
    • audit: restore AUDIT_LOGINUID unset ABI · 041d7b98
      Richard Guy Briggs authored
      A regression was caused by commit 780a7654:
      	 audit: Make testing for a valid loginuid explicit.
      (which in turn attempted to fix a regression caused by e1760bd5)
      
      When audit_krule_to_data() fills in the rules to get a listing, there was a
      missing clause to convert back from AUDIT_LOGINUID_SET to AUDIT_LOGINUID.
      
      This broke userspace by not returning the same information that was sent and
      expected.
      
      The rule:
      	auditctl -a exit,never -F auid=-1
      gives:
      	auditctl -l
      		LIST_RULES: exit,never f24=0 syscall=all
      when it should give:
      		LIST_RULES: exit,never auid=-1 (0xffffffff) syscall=all
      
      Tag it so that it is reported the same way it was set.  Create a new
      private flags audit_krule field (pflags) to store it that won't interact with
      the public one from the API.
      
      Cc: stable@vger.kernel.org # v3.10-rc1+
      Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
      Signed-off-by: Paul Moore <pmoore@redhat.com>
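      A round-trip check for the regression this message describes, added here as an example and not part of the kernel patch or of the audit userspace tools: it parses an `auditctl -a` invocation and the matching `auditctl -l` listing line, and flags any field the listing can only report by number (`f24=0` above, which is how the unconverted AUDIT_LOGINUID_SET showed up). The inputs are the rule and the two listings quoted above; the parser assumes `-F name=value` fields with the equality operator only and strips the parenthesised hex hint auditctl appends after `auid=-1`.

```python
import re

# Constructed inputs: the rule and the two listings quoted in the commit message.
RULE = "auditctl -a exit,never -F auid=-1"
BROKEN_LISTING = "LIST_RULES: exit,never f24=0 syscall=all"
GOOD_LISTING = "LIST_RULES: exit,never auid=-1 (0xffffffff) syscall=all"

RAW_FIELD_RE = re.compile(r"f\d+")                     # a field auditctl could only print by number
HEX_HINT_RE = re.compile(r"\s*\(0x[0-9a-fA-F]+\)")     # the "(0xffffffff)" hint auditctl appends


def rule_fields(cmdline):
    """The -F name=value pairs of an `auditctl -a` invocation.

    Assumption: only the equality operator is used; a rule like -F auid!=-1
    would need the operator split out as well.
    """
    toks = cmdline.split()
    fields = {}
    for i, tok in enumerate(toks):
        if tok == "-F" and i + 1 < len(toks):
            name, _, value = toks[i + 1].partition("=")
            fields[name] = value
    return fields


def listing_fields(listing):
    """The list,action prefix and {name: value} map of one `auditctl -l` line."""
    body = listing.split("LIST_RULES:", 1)[-1]
    body = HEX_HINT_RE.sub("", body).strip()
    action, *rest = body.split()
    fields = {}
    for tok in rest:
        name, _, value = tok.partition("=")
        fields[name] = value
    return action, fields


def unresolved_fields(listing):
    """Numeric field types the listing could not name, e.g. [24] for 'f24=0'."""
    _, fields = listing_fields(listing)
    return sorted(int(name[1:]) for name in fields if RAW_FIELD_RE.fullmatch(name))


def round_trips(cmdline, listing):
    """True when every field set by the rule comes back under the same name and value."""
    wanted = rule_fields(cmdline)
    _, listed = listing_fields(listing)
    if unresolved_fields(listing):
        return False
    return all(listed.get(name) == value for name, value in wanted.items())


if __name__ == "__main__":
    for listing in (BROKEN_LISTING, GOOD_LISTING):
        print(listing, "->", "unresolved", unresolved_fields(listing),
              "round-trips" if round_trips(RULE, listing) else "does not round-trip")
```

      Fields the listing adds on its own, such as `syscall=all`, are ignored by the comparison; only the fields the operator set must come back by name.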
  9. 19 Nov, 2014 1 commit
    • new helper: audit_file() · 9f45f5bf
      Al Viro authored
      ... for situations when we don't have any candidate in pathnames - basically,
      in descriptor-based syscalls.
      
      [Folded the build fix for !CONFIG_AUDITSYSCALL configs from Chen Gang]
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
  10. 22 Oct, 2014 1 commit
  11. 23 Sep, 2014 4 commits
    • audit: use union for audit_field values since they are mutually exclusive · 219ca394
      Richard Guy Briggs authored
      Since only one of val, uid, gid and lsm* are used at any given time, combine
      them to reduce the size of the struct audit_field.
      Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
    • audit: x86: drop arch from __audit_syscall_entry() interface · b4f0d375
      Richard Guy Briggs authored
      Since the arch is found locally in __audit_syscall_entry(), there is no need to
      pass it in as a parameter.  Delete it from the parameter list.
      
      x86* was the only arch to call __audit_syscall_entry() directly and did so from
      assembly code.
      Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: x86@kernel.org
      Cc: linux-kernel@vger.kernel.org
      Cc: linux-audit@redhat.com
      Signed-off-by: Eric Paris <eparis@redhat.com>
      
      ---
      
      As this patch relies on changes in the audit tree, I think it
      appropriate to send it through my tree rather than the x86 tree.
    • audit: fix build error when asm/syscall.h does not exist · a9ebe0b9
      Eric Paris authored
      avr32 does not have an asm/syscall.h file.  We need the
      syscall_get_arch() definition from that file for all arches which
      support CONFIG_AUDITSYSCALL.  Obviously avr32 is not one of those
      arches.  Move the include inside the CONFIG_AUDITSYSCALL such that we
      only do the include if we need the results.
      
      When the syscall_get_arch() call is moved inside __audit_syscall_entry()
      this include can be dropped entirely.  But that is going to require some
      assembly changes on x86* in a patch that is not ready for the tree...
      Reported-by: Paul Gortmaker <paul.gortmaker@windriver.com>
      Signed-off-by: Eric Paris <eparis@redhat.com>
    • ARCH: AUDIT: audit_syscall_entry() should not require the arch · 91397401
      Eric Paris authored
      We have a function where the arch can be queried, syscall_get_arch().
      So rather than have every single piece of arch specific code use and/or
      duplicate syscall_get_arch(), just have the audit code use the
      syscall_get_arch() code.
      Based-on-patch-by: Richard Briggs <rgb@redhat.com>
      Signed-off-by: Eric Paris <eparis@redhat.com>
      Cc: linux-alpha@vger.kernel.org
      Cc: linux-arm-kernel@lists.infradead.org
      Cc: linux-ia64@vger.kernel.org
      Cc: microblaze-uclinux@itee.uq.edu.au
      Cc: linux-mips@linux-mips.org
      Cc: linux@lists.openrisc.net
      Cc: linux-parisc@vger.kernel.org
      Cc: linuxppc-dev@lists.ozlabs.org
      Cc: linux-s390@vger.kernel.org
      Cc: linux-sh@vger.kernel.org
      Cc: sparclinux@vger.kernel.org
      Cc: user-mode-linux-devel@lists.sourceforge.net
      Cc: linux-xtensa@linux-xtensa.org
      Cc: x86@kernel.org
  12. 10 Apr, 2014 1 commit
    • AUDIT: make audit_is_compat depend on CONFIG_AUDIT_COMPAT_GENERIC · 312103d6
      Chris Metcalf authored
      On systems with CONFIG_COMPAT we introduced the new requirement that
      audit_classify_compat_syscall() exists.  This wasn't true for everything
      (apparently not for "tilegx", which I know less than nothing about.)
      
      Instead of wrapping the preprocessor optimization with CONFIG_COMPAT we
      should have used the new CONFIG_AUDIT_COMPAT_GENERIC.  This patch uses
      that config option to make sure only arches which intend to implement
      this have the requirement.
      
      This works fine for tilegx according to Chris Metcalf
      Signed-off-by: Eric Paris <eparis@redhat.com>
  13. 24 Mar, 2014 1 commit
  14. 20 Mar, 2014 2 commits
  15. 28 Feb, 2014 1 commit
  16. 14 Jan, 2014 1 commit
    • audit: Convert int limit uses to u32 · 3e1d0bb6
      Joe Perches authored
      The equivalent uapi struct uses __u32 so make the kernel
      use u32 too.
      
      This can prevent some oddities where the limit is
      logged/emitted as a negative value.
      
      Convert kstrtol to kstrtouint to disallow negative values.
      Signed-off-by: Joe Perches <joe@perches.com>
      [eparis: do not remove static from audit_default declaration]
  17. 13 Jan, 2014 5 commits
  18. 05 Nov, 2013 3 commits
  19. 09 Jul, 2013 1 commit
    • audit: fix mq_open and mq_unlink to add the MQ root as a hidden parent audit_names record · 79f6530c
      Jeff Layton authored
      The old audit PATH records for mq_open looked like this:
      
        type=PATH msg=audit(1366282323.982:869): item=1 name=(null) inode=6777
        dev=00:0c mode=041777 ouid=0 ogid=0 rdev=00:00
        obj=system_u:object_r:tmpfs_t:s15:c0.c1023
        type=PATH msg=audit(1366282323.982:869): item=0 name="test_mq" inode=26732
        dev=00:0c mode=0100700 ouid=0 ogid=0 rdev=00:00
        obj=staff_u:object_r:user_tmpfs_t:s15:c0.c1023
      
      ...with the audit related changes that went into 3.7, they now look like this:
      
        type=PATH msg=audit(1366282236.776:3606): item=2 name=(null) inode=66655
        dev=00:0c mode=0100700 ouid=0 ogid=0 rdev=00:00
        obj=staff_u:object_r:user_tmpfs_t:s15:c0.c1023
        type=PATH msg=audit(1366282236.776:3606): item=1 name=(null) inode=6926
        dev=00:0c mode=041777 ouid=0 ogid=0 rdev=00:00
        obj=system_u:object_r:tmpfs_t:s15:c0.c1023
        type=PATH msg=audit(1366282236.776:3606): item=0 name="test_mq"
      
      Both of these look wrong to me.  As Steve Grubb pointed out:
      
       "What we need is 1 PATH record that identifies the MQ.  The other PATH
        records probably should not be there."
      
      Fix it to record the mq root as a parent, and flag it such that it
      should be hidden from view when the names are logged, since the root of
      the mq filesystem isn't terribly interesting.  With this change, we get
      a single PATH record that looks more like this:
      
        type=PATH msg=audit(1368021604.836:484): item=0 name="test_mq" inode=16914
        dev=00:0c mode=0100644 ouid=0 ogid=0 rdev=00:00
        obj=unconfined_u:object_r:user_tmpfs_t:s0
      
      In order to do this, a new audit_inode_parent_hidden() function is
      added.  If we do it this way, then we avoid having the existing callers
      of audit_inode needing to do any sort of flag conversion if auditing is
      inactive.
      Signed-off-by: Jeff Layton <jlayton@redhat.com>
      Reported-by: Jiri Jaburek <jjaburek@redhat.com>
      Cc: Steve Grubb <sgrubb@redhat.com>
      Cc: Eric Paris <eparis@redhat.com>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
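      To see the difference between the record layouts on a real log, here is an added parser (example code, neither the kernel's nor the commit's own) that correlates records by the audit event serial and summarises each event's PATH items, classifying each by the S_IFMT bits of its mode= field. The sample input is the three sets of PATH records quoted in the message above, rejoined one record per line since the page wraps them; `mq_record_ok` encodes the expectation Steve Grubb states, a single PATH record that identifies the queue.

```python
import re
from collections import defaultdict

# Constructed sample input: the PATH records quoted in the commit message,
# one record per line (the page wraps each record over several lines).
OLD_RECORDS = """\
type=PATH msg=audit(1366282323.982:869): item=1 name=(null) inode=6777 dev=00:0c mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmpfs_t:s15:c0.c1023
type=PATH msg=audit(1366282323.982:869): item=0 name="test_mq" inode=26732 dev=00:0c mode=0100700 ouid=0 ogid=0 rdev=00:00 obj=staff_u:object_r:user_tmpfs_t:s15:c0.c1023
"""

V37_RECORDS = """\
type=PATH msg=audit(1366282236.776:3606): item=2 name=(null) inode=66655 dev=00:0c mode=0100700 ouid=0 ogid=0 rdev=00:00 obj=staff_u:object_r:user_tmpfs_t:s15:c0.c1023
type=PATH msg=audit(1366282236.776:3606): item=1 name=(null) inode=6926 dev=00:0c mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmpfs_t:s15:c0.c1023
type=PATH msg=audit(1366282236.776:3606): item=0 name="test_mq"
"""

FIXED_RECORDS = """\
type=PATH msg=audit(1368021604.836:484): item=0 name="test_mq" inode=16914 dev=00:0c mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmpfs_t:s0
"""

RECORD_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): ?(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# S_IFMT / S_IFDIR / S_IFREG from <sys/stat.h>; mode= is printed in octal.
S_IFMT, S_IFDIR, S_IFREG = 0o170000, 0o040000, 0o100000


def parse_record(line):
    """Split one audit record into its type, event serial and key=value fields."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return {"type": m.group("type"), "ts": m.group("ts"),
            "serial": int(m.group("serial")), "fields": fields}


def group_events(text):
    """Correlate records into events: every record of one syscall shares the serial."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            events[rec["serial"]].append(rec)
    return dict(events)


def file_kind(mode_str):
    """Classify the octal mode= value by its S_IFMT bits: directory vs regular file."""
    fmt = int(mode_str, 8) & S_IFMT
    return {S_IFDIR: "dir", S_IFREG: "file"}.get(fmt, "other")


def path_summary(records):
    """(item, name, kind) for every PATH record of one event, in item order."""
    out = []
    for rec in records:
        if rec["type"] != "PATH":
            continue
        f = rec["fields"]
        kind = file_kind(f["mode"]) if "mode" in f else "unknown"
        out.append((int(f["item"]), f.get("name"), kind))
    return sorted(out)


def mq_record_ok(records):
    """The expected shape after the fix: one PATH record, and it names a regular file."""
    paths = path_summary(records)
    return len(paths) == 1 and paths[0][2] == "file"


if __name__ == "__main__":
    for label, text in (("old", OLD_RECORDS), ("3.7", V37_RECORDS), ("fixed", FIXED_RECORDS)):
        for serial, recs in group_events(text).items():
            print(label, serial, path_summary(recs),
                  "ok" if mq_record_ok(recs) else "extra PATH records")
```

      Grouping by serial is the same correlation ausearch does; on a live system the same event would also carry SYSCALL and CWD records, which `path_summary` skips because it only looks at type=PATH.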
  20. 07 May, 2013 1 commit
  21. 30 Apr, 2013 4 commits
  22. 16 Apr, 2013 1 commit
    • audit: allow checking the type of audit message in the user filter · 62062cf8
      Eric Paris authored
      When userspace sends messages to the audit system it includes a type.
      We want to be able to filter messages based on that type without having to
      do the all or nothing option currently available on the
      AUDIT_FILTER_TYPE filter list.  Instead we should be able to use the
      AUDIT_FILTER_USER filter list and just use the message type as one part
      of the matching decision.
      Signed-off-by: Eric Paris <eparis@redhat.com>
  23. 10 Apr, 2013 2 commits
  24. 11 Jan, 2013 1 commit