1. 27 Jun, 2016 1 commit
  2. 16 Jun, 2016 1 commit
  3. 31 May, 2016 1 commit
  4. 08 Feb, 2016 1 commit
  5. 04 Nov, 2015 1 commit
  6. 06 Aug, 2015 2 commits
    • audit: implement audit by executable · 34d99af5
      Richard Guy Briggs authored
      This adds the ability to audit the actions of a not-yet-running process.
      
      This patch implements the ability to filter on the executable path.  Instead of
      just hard coding the ino and dev of the executable we care about at the moment
      the rule is inserted into the kernel, use the new audit_fsnotify
      infrastructure to manage this dynamically.  This means that if the filename
      does not yet exist but the containing directory does, or if the inode in
      question is unlinked and creat'd (aka updated) the rule will just continue to
      work.  If the containing directory is moved or deleted or the filesystem is
      unmounted, the rule is deleted automatically.  A future enhancement would be to
      have the rule survive across directory disruptions.
      
      This is a heavily modified version of a patch originally submitted by Eric
      Paris with some ideas from Peter Moody.
      
      Cc: Peter Moody <peter@hda3.com>
      Cc: Eric Paris <eparis@redhat.com>
      Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
      [PM: minor whitespace clean to satisfy ./scripts/checkpatch]
      Signed-off-by: Paul Moore <pmoore@redhat.com>
    • audit: clean simple fsnotify implementation · 7f492942
      Richard Guy Briggs authored
      This is to be used to audit by executable path rules, but audit watches should
      be able to share this code eventually.
      
      At the moment the audit watch code is a lot more complex.  That code only
      creates one fsnotify watch per parent directory.  That 'audit_parent' in
      turn has a list of 'audit_watches' which contain the name, ino, dev of
      the specific object we care about.  This just creates one fsnotify watch
      per object we care about.  So if you watch 100 inodes in /etc this code
      will create 100 fsnotify watches on /etc.  The audit_watch code will
      instead create 1 fsnotify watch on /etc (the audit_parent) and then 100
      individual watches chained from that fsnotify mark.
      
      We should be able to convert the audit_watch code to do one fsnotify
      mark per watch and simplify things/remove a whole lot of code.  After
      that conversion we should be able to convert the audit_fsnotify code to
      support that hierarchy if the optimization is necessary.
      
      Move the access to the entry for audit_match_signal() to the beginning of
      the audit_del_rule() function in case the entry found is the same one passed
      in.  This will enable it to be used by audit_autoremove_mark_rule(),
      kill_rules() and audit_remove_parent_watches().
      
      This is a heavily modified and merged version of two patches originally
      submitted by Eric Paris.
      
      Cc: Peter Moody <peter@hda3.com>
      Cc: Eric Paris <eparis@redhat.com>
      Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
      [PM: added a space after a declaration to keep ./scripts/checkpatch happy]
      Signed-off-by: Paul Moore <pmoore@redhat.com>
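The two commits above describe three situations for an executable-path rule: the file does not exist yet (only its directory does), the file is unlinked and creat'd again, and the containing directory is moved. The following is an added example, not kernel or audit-userspace code, that drives one such rule through all three and records whether `auditctl -l` still lists it. It assumes (not stated on this page) that auditctl spells the filter `-F exe=<path>`, that the caller is root on a kernel carrying these commits, and that audit is enabled; the rule key `exe-demo` is hypothetical.

```python
"""Added example (not kernel or audit-userspace code): drive an audit-by-executable
rule through the three situations commits 34d99af5 and 7f492942 describe.

Assumptions not taken from the page: auditctl spells the filter `-F exe=<path>`,
the caller is root on a kernel with these commits, and audit is enabled.
"""
import os
import shutil
import subprocess
import tempfile

KEY = "exe-demo"  # hypothetical rule key, used for both add and delete


def exe_rule(path, key=KEY, arch="b64"):
    """argv for `auditctl -a always,exit -F arch=<arch> -S all -F exe=<path> -k <key>`.

    The rule may be loaded before <path> exists, but (per the commit message) only
    if the containing directory exists at insertion time, so reject anything else
    here instead of letting the kernel refuse it later.
    """
    if not os.path.isabs(path):
        raise ValueError("exe= needs an absolute path: %r" % path)
    parent = os.path.dirname(path)
    if not os.path.isdir(parent):
        raise ValueError("containing directory does not exist: %r" % parent)
    return ["auditctl", "-a", "always,exit", "-F", "arch=" + arch,
            "-S", "all", "-F", "exe=" + path, "-k", key]


def del_rule(argv):
    """Turn an add argv into the matching delete (`-a` becomes `-d`)."""
    return ["auditctl", "-d"] + argv[2:]


def rule_listed(path):
    """True if `auditctl -l` currently shows a rule carrying this exe filter."""
    out = subprocess.run(["auditctl", "-l"], capture_output=True, text=True).stdout
    return "exe=" + path in out


def lifecycle():
    """Root-only walk; returns observations keyed by situation, or None if it cannot run.

    Expected on a kernel with 34d99af5: True, True, False (the rule is kept while
    the file is missing or recreated, and auto-deleted when its directory moves).
    """
    if not hasattr(os, "geteuid") or os.geteuid() != 0 or shutil.which("auditctl") is None:
        return None
    base = tempfile.mkdtemp(prefix="auditexe-")
    target = os.path.join(base, "tool")      # the rule is added before this file exists
    argv = exe_rule(target)
    obs = {}
    try:
        subprocess.run(argv, check=True)
        obs["file_not_yet_created"] = rule_listed(target)
        for _ in range(2):                    # create, then unlink and creat again
            if os.path.exists(target):
                os.unlink(target)
            with open(target, "w") as f:
                f.write("#!/bin/sh\nexit 0\n")
        obs["after_unlink_and_creat"] = rule_listed(target)
        moved = base + ".moved"
        os.rename(base, moved)                # directory disruption
        base = moved
        obs["after_directory_move"] = rule_listed(target)
    finally:
        subprocess.run(del_rule(argv), capture_output=True)  # no-op if already auto-deleted
        shutil.rmtree(base, ignore_errors=True)
    return obs


if __name__ == "__main__":
    print(lifecycle())
```

Run it as root on a test box; `exe_rule()` alone is safe anywhere and is the piece worth keeping in rule-loading scripts, since a misspelled directory in an `exe=` path fails at insert time rather than silently never matching.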
  7. 05 Aug, 2015 2 commits
  8. 04 Aug, 2015 1 commit
  9. 20 Jan, 2015 1 commit
  10. 23 Dec, 2014 1 commit
    • audit: restore AUDIT_LOGINUID unset ABI · 041d7b98
      Richard Guy Briggs authored
      A regression was caused by commit 780a7654:
      	 audit: Make testing for a valid loginuid explicit.
      (which in turn attempted to fix a regression caused by e1760bd5)
      
      When audit_krule_to_data() fills in the rules to get a listing, there was a
      missing clause to convert back from AUDIT_LOGINUID_SET to AUDIT_LOGINUID.
      
      This broke userspace by not returning the same information that was sent and
      expected.
      
      The rule:
      	auditctl -a exit,never -F auid=-1
      gives:
      	auditctl -l
      		LIST_RULES: exit,never f24=0 syscall=all
      when it should give:
      		LIST_RULES: exit,never auid=-1 (0xffffffff) syscall=all
      
      Tag it so that it is reported the same way it was set.  Create a new
      private flags audit_krule field (pflags) to store it that won't interact with
      the public one from the API.
      
      Cc: stable@vger.kernel.org # v3.10-rc1+
      Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
      Signed-off-by: Paul Moore <pmoore@redhat.com>
  11. 19 Dec, 2014 1 commit
    • audit: don't attempt to lookup PIDs when changing PID filtering audit rules · 3640dcfa
      Paul Moore authored
      Commit f1dc4867 ("audit: anchor all pid references in the initial pid
      namespace") introduced a find_vpid() call when adding/removing audit
      rules with PID/PPID filters; unfortunately this is problematic as
      find_vpid() only works if there is a task with the associated PID
      alive on the system.  The following commands demonstrate a simple
      reproducer.
      
      	# auditctl -D
      	# auditctl -l
      	# autrace /bin/true
      	# auditctl -l
      
      This patch resolves the problem by simply using the PID provided by
      the user without any additional validation, e.g. no calls to check to
      see if the task/PID exists.
      
      Cc: stable@vger.kernel.org # 3.15
      Cc: Richard Guy Briggs <rgb@redhat.com>
      Signed-off-by: Paul Moore <pmoore@redhat.com>
      Acked-by: Eric Paris <eparis@redhat.com>
      Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
  12. 10 Oct, 2014 3 commits
  13. 23 Sep, 2014 2 commits
  14. 06 Aug, 2014 1 commit
  15. 02 Apr, 2014 1 commit
  16. 20 Mar, 2014 3 commits
  17. 08 Mar, 2014 1 commit
  18. 07 Mar, 2014 1 commit
  19. 28 Feb, 2014 2 commits
  20. 13 Jan, 2014 5 commits
  21. 05 Nov, 2013 2 commits
    • audit: do not reject all AUDIT_INODE filter types · 78122037
      Eric Paris authored
      commit ab61d38e tried to merge the
      invalid filter checking into a single function.  However AUDIT_INODE
      filters were not verified in the new generic checker.  Thus such rules
      were being denied even though they were perfectly valid.
      
      Ex:
      $ auditctl -a exit,always -F arch=b64 -S open -F key=/foo -F inode=6955 -F devmajor=9 -F devminor=1
      Error sending add rule data request (Invalid argument)
      Signed-off-by: Eric Paris <eparis@redhat.com>
      Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
      Signed-off-by: Eric Paris <eparis@redhat.com>
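Three of the commits on this page (041d7b98, 3640dcfa and 78122037) are cases where a rule handed to auditctl either came back listed differently (`auid=-1` shown as `f24=0`) or was never loaded at all (a PID filter refused because no such task was alive, an inode filter rejected with EINVAL). The added example below, which is not kernel or audit-userspace code, is the round-trip check a rule-loading script can run afterwards: parse the `auditctl -l` listing, canonicalise it, and report intended rules that are not listed identically plus any `fNN=` tokens the tool could not map back to a field name. It parses the `LIST_RULES:` format shown in commit 041d7b98 and, as an assumption about newer auditctl not stated on the page, the `-a list,action -F k=v -S name` format; watches (`-w`/`-p`) are not handled, and the sample listings are constructed to mimic the regressions described.

```python
"""Added example (not kernel or audit-userspace code): check that the rules you
asked auditctl to load are listed back the same way.

Parses two listing formats: the old `LIST_RULES: list,action k=v ...` form shown
in commit 041d7b98 and the `-a list,action -F k=v -S name -F key=...` form newer
auditctl prints (the latter is an assumption about the tool, not from the page).
Watches (-w/-p) are not handled.
"""
import shlex
import subprocess


def _norm(field, value):
    # auid=-1, auid=4294967295 and the "(0xffffffff)" hint all mean "unset";
    # assumed equivalence for uid/gid-like fields only.
    if field.endswith(("uid", "gid")) and value in ("-1", "4294967295", "0xffffffff"):
        return "unset"
    return value


def parse_rule(text):
    """Canonicalise one rule (an `-a ...` command line or a LIST_RULES line).

    Returns ((frozenset({list, action}), ((field, (values...)), ...)), unknown)
    so that `exit,never` and `never,exit` compare equal and a rule without -S
    gets the kernel's implicit `syscall=all`; returns None for non-rule lines.
    `unknown` lists tokens like `f24=0` (a raw field number the tool could not name).
    """
    toks = shlex.split(text)
    if not toks:
        return None
    fields = {}
    unknown = []

    def add(k, v):
        if k.startswith("f") and k[1:].isdigit():
            unknown.append(k + "=" + v)
        fields.setdefault(k, set()).add(_norm(k, v))

    if toks[0] == "LIST_RULES:" and len(toks) > 1:
        where = frozenset(toks[1].split(","))
        for t in toks[2:]:
            if t.startswith("("):            # "(0xffffffff)" hint after auid=-1
                continue
            k, _, v = t.partition("=")
            add(k, v)
    elif toks[0] in ("-a", "-A") and len(toks) > 1:
        where = frozenset(toks[1].split(","))
        i = 2
        while i + 1 < len(toks):
            flag, arg = toks[i], toks[i + 1]
            if flag == "-F":
                k, _, v = arg.partition("=")
                add(k, v)
            elif flag == "-S":
                add("syscall", arg)
            elif flag == "-k":                 # -k foo is the same as -F key=foo
                add("key", arg)
            i += 2
    else:
        return None
    fields.setdefault("syscall", {"all"})
    canon = (where, tuple(sorted((k, tuple(sorted(v))) for k, v in fields.items())))
    return canon, unknown


def check(intended, listing):
    """Compare intended add commands with an `auditctl -l` listing.

    Returns {"missing": [intended rules not listed identically],
             "unknown": [fNN=... tokens seen in the listing]}.
    A missing rule means either it was never loaded (rejected at add time) or
    it is listed in a form that does not round-trip, as with f24=0.
    """
    listed, unknown = set(), []
    for line in listing.splitlines():
        parsed = parse_rule(line)
        if parsed is None:
            continue
        canon, unk = parsed
        listed.add(canon)
        unknown.extend(unk)
    missing = [r for r in intended if parse_rule(r)[0] not in listed]
    return {"missing": missing, "unknown": unknown}


def live_listing():
    """Fetch the real listing; needs root and auditctl."""
    return subprocess.run(["auditctl", "-l"], capture_output=True, text=True, check=True).stdout


# Constructed samples: the add commands from commits 041d7b98 and 78122037, a
# listing as a kernel with the AUDIT_LOGINUID regression returns it (inode rule
# rejected, so absent), and a listing from a fixed kernel.
INTENDED = [
    "-a exit,never -F auid=-1",
    "-a exit,always -F arch=b64 -S open -F key=/foo -F inode=6955 -F devmajor=9 -F devminor=1",
]
REGRESSED_LISTING = "LIST_RULES: exit,never f24=0 syscall=all\n"
FIXED_LISTING = ("LIST_RULES: exit,never auid=-1 (0xffffffff) syscall=all\n"
                 "-a always,exit -F arch=b64 -S open -F inode=6955 -F devmajor=9 -F devminor=1 -F key=/foo\n")

if __name__ == "__main__":
    print("regressed kernel:", check(INTENDED, REGRESSED_LISTING))
    print("fixed kernel:    ", check(INTENDED, FIXED_LISTING))
```

Against the regressed listing the auid rule is reported missing and `f24=0` is reported as an unknown field, which is exactly the symptom the 041d7b98 commit message shows; against the fixed listing both lists are empty. Swap `FIXED_LISTING` for `live_listing()` to check a real host after `auditctl -R`.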
    • audit: change decimal constant to macro for invalid uid · 42f74461
      Richard Guy Briggs authored
      SFR reported this 2013-05-15:
      
      > After merging the final tree, today's linux-next build (i386 defconfig)
      > produced this warning:
      >
      > kernel/auditfilter.c: In function 'audit_data_to_entry':
      > kernel/auditfilter.c:426:3: warning: this decimal constant is unsigned only
      > in ISO C90 [enabled by default]
      >
      > Introduced by commit 780a7654 ("audit: Make testing for a valid
      > loginuid explicit") from Linus' tree.
      
      Replace this decimal constant in the code with a macro to make it more readable
      (add to the unsigned cast to quiet the warning).
      
      Cc: Stephen Rothwell <sfr@canb.auug.org.au>
      Cc: "Eric W. Biederman" <ebiederm@xmission.com>
      Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
      Signed-off-by: Eric Paris <eparis@redhat.com>
  22. 09 Jul, 2013 3 commits
  23. 24 May, 2013 1 commit
  24. 07 May, 2013 1 commit
  25. 30 Apr, 2013 1 commit