1. 08 Dec, 2006 2 commits
    • Josef Sipek's avatar
      [PATCH] struct path: convert kernel · a7a005fd
      Josef Sipek authored
      
      Signed-off-by: default avatarJosef Sipek <jsipek@fsl.cs.sunysb.edu>
      Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
      a7a005fd
    • Peter Zijlstra's avatar
      [PATCH] tty: ->signal->tty locking · 24ec839c
      Peter Zijlstra authored
      
      
      Fix the locking of signal->tty.
      
      Use ->sighand->siglock to protect ->signal->tty; this lock is already used
      by most other members of ->signal/->sighand.  And unless we are 'current'
      or the tasklist_lock is held we need ->siglock to access ->signal anyway.
      
      (NOTE: sys_unshare() is broken wrt ->sighand locking rules)
      
      Note that tty_mutex is held over tty destruction, so while holding
      tty_mutex any tty pointer remains valid.  Otherwise the lifetime of ttys
      are governed by their open file handles.  This leaves some holes for tty
      access from signal->tty (or any other non file related tty access).
      
      It solves the tty SLAB scribbles we were seeing.
      
      (NOTE: the change from group_send_sig_info to __group_send_sig_info needs to
             be examined by someone familiar with the security framework, I think
             it is safe given the SEND_SIG_PRIV from other __group_send_sig_info
             invocations)
      
      [schwidefsky@de.ibm.com: 3270 fix]
      [akpm@osdl.org: various post-viro fixes]
      Signed-off-by: default avatarPeter Zijlstra <a.p.zijlstra@chello.nl>
      Acked-by: default avatarAlan Cox <alan@redhat.com>
      Cc: Oleg Nesterov <oleg@tv-sign.ru>
      Cc: Prarit Bhargava <prarit@redhat.com>
      Cc: Chris Wright <chrisw@sous-sol.org>
      Cc: Roland McGrath <roland@redhat.com>
      Cc: Stephen Smalley <sds@tycho.nsa.gov>
      Cc: James Morris <jmorris@namei.org>
      Cc: "David S. Miller" <davem@davemloft.net>
      Cc: Jeff Dike <jdike@addtoit.com>
      Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
      Cc: Jan Kara <jack@ucw.cz>
      Signed-off-by: default avatarMartin Schwidefsky <schwidefsky@de.ibm.com>
      Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
      24ec839c
  2. 07 Dec, 2006 1 commit
  3. 04 Dec, 2006 1 commit
  4. 04 Oct, 2006 2 commits
  5. 29 Sep, 2006 1 commit
  6. 26 Sep, 2006 2 commits
  7. 11 Sep, 2006 1 commit
  8. 03 Aug, 2006 6 commits
  9. 01 Jul, 2006 3 commits
    • Darrel Goeddel's avatar
      [PATCH] audit: support for object context filters · 6e5a2d1d
      Darrel Goeddel authored
      
      
      This patch introduces object audit filters based on the elements
      of the SELinux context.
      Signed-off-by: default avatarDarrel Goeddel <dgoeddel@trustedcs.com>
      Acked-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      
       kernel/auditfilter.c           |   25 +++++++++++++++++++++++++
       kernel/auditsc.c               |   40 ++++++++++++++++++++++++++++++++++++++++
       security/selinux/ss/services.c |   18 +++++++++++++++++-
       3 files changed, 82 insertions(+), 1 deletion(-)
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      6e5a2d1d
    • Darrel Goeddel's avatar
      [PATCH] audit: rename AUDIT_SE_* constants · 3a6b9f85
      Darrel Goeddel authored
      
      
      This patch renames some audit constant definitions and adds
      additional definitions used by the following patch.  The renaming
      avoids ambiguity with respect to the new definitions.
      Signed-off-by: default avatarDarrel Goeddel <dgoeddel@trustedcs.com>
      
       include/linux/audit.h          |   15 ++++++++----
       kernel/auditfilter.c           |   50 ++++++++++++++++++++---------------------
       kernel/auditsc.c               |   10 ++++----
       security/selinux/ss/services.c |   32 +++++++++++++-------------
       4 files changed, 56 insertions(+), 51 deletions(-)
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      3a6b9f85
    • Amy Griffis's avatar
      [PATCH] add rule filterkey · 5adc8a6a
      Amy Griffis authored
      
      
      Add support for a rule key, which can be used to tie audit records to audit
      rules.  This is useful when a watched file is accessed through a link or
      symlink, as well as for general audit log analysis.
      
      Because this patch uses a string key instead of an integer key, there is a bit
      of extra overhead to do the kstrdup() when a rule fires.  However, we're also
      allocating memory for the audit record buffer, so it's probably not that
      significant.  I went ahead with a string key because it seems more
      user-friendly.
      
      Note that the user must ensure that filterkeys are unique.  The kernel only
      checks for duplicate rules.
      Signed-off-by: default avatarAmy Griffis <amy.griffis@hpd.com>
      5adc8a6a
  10. 28 Jun, 2006 2 commits
  11. 23 Jun, 2006 1 commit
  12. 20 Jun, 2006 11 commits
    • Steve Grubb's avatar
      [PATCH] make set_loginuid obey audit_enabled · 41757106
      Steve Grubb authored
      
      
      Hi,
      
      I was doing some testing and noticed that when the audit system was disabled,
      I was still getting messages about the loginuid being set. The following patch
      makes audit_set_loginuid look at in_syscall to determine if it should create
      an audit event. The loginuid will continue to be set as long as there is a context.
      Signed-off-by: default avatarSteve Grubb <sgrubb@redhat.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      41757106
    • Amy Griffis's avatar
      [PATCH] log more info for directory entry change events · 9c937dcc
      Amy Griffis authored
      
      
      When an audit event involves changes to a directory entry, include
      a PATH record for the directory itself.  A few other notable changes:
      
          - fixed audit_inode_child() hooks in fsnotify_move()
          - removed unused flags arg from audit_inode()
          - added audit log routines for logging a portion of a string
      
      Here's some sample output.
      
      before patch:
      type=SYSCALL msg=audit(1149821605.320:26): arch=40000003 syscall=39 success=yes exit=0 a0=bf8d3c7c a1=1ff a2=804e1b8 a3=bf8d3c7c items=1 ppid=739 pid=800 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 comm="mkdir" exe="/bin/mkdir" subj=root:system_r:unconfined_t:s0-s0:c0.c255
      type=CWD msg=audit(1149821605.320:26):  cwd="/root"
      type=PATH msg=audit(1149821605.320:26): item=0 name="foo" parent=164068 inode=164010 dev=03:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=root:object_r:user_home_t:s0
      
      after patch:
      type=SYSCALL msg=audit(1149822032.332:24): arch=40000003 syscall=39 success=yes exit=0 a0=bfdd9c7c a1=1ff a2=804e1b8 a3=bfdd9c7c items=2 ppid=714 pid=777 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 comm="mkdir" exe="/bin/mkdir" subj=root:system_r:unconfined_t:s0-s0:c0.c255
      type=CWD msg=audit(1149822032.332:24):  cwd="/root"
      type=PATH msg=audit(1149822032.332:24): item=0 name="/root" inode=164068 dev=03:00 mode=040750 ouid=0 ogid=0 rdev=00:00 obj=root:object_r:user_home_dir_t:s0
      type=PATH msg=audit(1149822032.332:24): item=1 name="foo" inode=164010 dev=03:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=root:object_r:user_home_t:s0
      Signed-off-by: default avatarAmy Griffis <amy.griffis@hp.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      9c937dcc
    • Amy Griffis's avatar
      [PATCH] audit: path-based rules · f368c07d
      Amy Griffis authored
      In this implementation, audit registers inotify watches on the parent
      directories of paths specified in audit rules.  When audit's inotify
      event handler is called, it updates any affected rules based on the
      filesystem event.  If the parent directory is renamed, removed, or its
      filesystem is unmounted, audit removes all rules referencing that
      inotify watch.
      
      To keep things simple, this implementation limits location-based
      auditing to the directory entries in an existing directory.  Given
      a path-based rule for /foo/bar/passwd, the following table applies:
      
          passwd modified -- audit event logged
          passwd replaced -- audit event logged, rules list updated
          bar renamed     -- rule removed
          foo renamed     -- untracked, meaning that the rule now applies to
      		       the new location
      
      Audit users typically want to have many rules referencing filesystem
      objects, which can significantly impact filtering performance.  This
      patch also adds an inode-number-based rule hash to mitigate this
      situation.
      
      The patch is relative to the audit git tree:
      http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
      and uses the inotify kernel API:
      http://lkml.org/lkml/2006/6/1/145
      
      Signed-off-by: default avatarAmy Griffis <amy.griffis@hp.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      f368c07d
    • George C. Wilson's avatar
      [PATCH] Audit of POSIX Message Queue Syscalls v.2 · 20ca73bc
      George C. Wilson authored
      This patch adds audit support to POSIX message queues.  It applies cleanly to
      the lspp.b15 branch of Al Viro's git tree.  There are new auxiliary data
      structures, and collection and emission routines in kernel/auditsc.c.  New hooks
      in ipc/mqueue.c collect arguments from the syscalls.
      
      I tested the patch by building the examples from the POSIX MQ library tarball.
      Build them -lrt, not against the old MQ library in the tarball.  Here's the URL:
      http://www.geocities.com/wronski12/posix_ipc/libmqueue-4.41.tar.gz
      
      
      Do auditctl -a exit,always -S for mq_open, mq_timedsend, mq_timedreceive,
      mq_notify, mq_getsetattr.  mq_unlink has no new hooks.  Please see the
      corresponding userspace patch to get correct output from auditd for the new
      record types.
      
      [fixes folded]
      Signed-off-by: default avatarGeorge Wilson <ltcgcw@us.ibm.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      20ca73bc
    • Al Viro's avatar
      [PATCH] deprecate AUDIT_POSSBILE · 014149cc
      Al Viro authored
      
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      014149cc
    • Al Viro's avatar
      [PATCH] inline more audit helpers · d8945bb5
      Al Viro authored
      
      
      pull checks for ->audit_context into inlined wrappers
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      d8945bb5
    • Linda Knippers's avatar
      [PATCH] update of IPC audit record cleanup · ac03221a
      Linda Knippers authored
      The following patch addresses most of the issues with the IPC_SET_PERM
      records as described in:
      https://www.redhat.com/archives/linux-audit/2006-May/msg00010.html
      
      
      and addresses the comments I received on the record field names.
      
      To summarize, I made the following changes:
      
      1. Changed sys_msgctl() and semctl_down() so that an IPC_SET_PERM
         record is emitted in the failure case as well as the success case.
         This matches the behavior in sys_shmctl().  I could simplify the
         code in sys_msgctl() and semctl_down() slightly but it would mean
         that in some error cases we could get an IPC_SET_PERM record
         without an IPC record and that seemed odd.
      
      2. No change to the IPC record type, given no feedback on the backward
         compatibility question.
      
      3. Removed the qbytes field from the IPC record.  It wasn't being
         set and when audit_ipc_obj() is called from ipcperms(), the
         information isn't available.  If we want the information in the IPC
         record, more extensive changes will be necessary.  Since it only
         applies to message queues and it isn't really permission related, it
         doesn't seem worth it.
      
      4. Removed the obj field from the IPC_SET_PERM record.  This means that
         the kern_ipc_perm argument is no longer needed.
      
      5. Removed the spaces and renamed the IPC_SET_PERM field names.  Replaced iuid and
         igid fields with ouid and ogid in the IPC record.
      
      I tested this with the lspp.22 kernel on an x86_64 box.  I believe it
      applies cleanly on the latest kernel.
      
      -- ljk
      Signed-off-by: default avatarLinda Knippers <linda.knippers@hp.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      ac03221a
    • Al Viro's avatar
      [PATCH] add filtering by ppid · 3c66251e
      Al Viro authored
      
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      3c66251e
    • Al Viro's avatar
      [PATCH] log ppid · f46038ff
      Al Viro authored
      
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      f46038ff
    • Al Viro's avatar
      e1396065
    • Al Viro's avatar
      [PATCH] execve argument logging · 473ae30b
      Al Viro authored
      
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      473ae30b
  13. 01 May, 2006 7 commits
    • Steve Grubb's avatar
      [PATCH] Audit Filter Performance · 2ad312d2
      Steve Grubb authored
      
      
      While testing the watch performance, I noticed that selinux_task_ctxid()
      was creeping into the results more than it should. Investigation showed
      that the function call was being called whether it was needed or not. The
      below patch fixes this.
      Signed-off-by: default avatarSteve Grubb <sgrubb@redhat.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      2ad312d2
    • Steve Grubb's avatar
      [PATCH] Rework of IPC auditing · 073115d6
      Steve Grubb authored
      
      
      1) The audit_ipc_perms() function has been split into two different
      functions:
              - audit_ipc_obj()
              - audit_ipc_set_perm()
      
      There's a key shift here...  The audit_ipc_obj() collects the uid, gid,
      mode, and SElinux context label of the current ipc object.  This
      audit_ipc_obj() hook is now found in several places.  Most notably, it
      is hooked in ipcperms(), which is called in various places around the
      ipc code permforming a MAC check.  Additionally there are several places
      where *checkid() is used to validate that an operation is being
      performed on a valid object while not necessarily having a nearby
      ipcperms() call.  In these locations, audit_ipc_obj() is called to
      ensure that the information is captured by the audit system.
      
      The audit_set_new_perm() function is called any time the permissions on
      the ipc object changes.  In this case, the NEW permissions are recorded
      (and note that an audit_ipc_obj() call exists just a few lines before
      each instance).
      
      2) Support for an AUDIT_IPC_SET_PERM audit message type.  This allows
      for separate auxiliary audit records for normal operations on an IPC
      object and permissions changes.  Note that the same struct
      audit_aux_data_ipcctl is used and populated, however there are separate
      audit_log_format statements based on the type of the message.  Finally,
      the AUDIT_IPC block of code in audit_free_aux() was extended to handle
      aux messages of this new type.  No more mem leaks I hope ;-)
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      073115d6
    • Steve Grubb's avatar
      [PATCH] More user space subject labels · ce29b682
      Steve Grubb authored
      
      
      Hi,
      
      The patch below builds upon the patch sent earlier and adds subject label to
      all audit events generated via the netlink interface. It also cleans up a few
      other minor things.
      Signed-off-by: default avatarSteve Grubb <sgrubb@redhat.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      ce29b682
    • Steve Grubb's avatar
      [PATCH] change lspp ipc auditing · 9c7aa6aa
      Steve Grubb authored
      
      
      Hi,
      
      The patch below converts IPC auditing to collect sid's and convert to context
      string only if it needs to output an audit record. This patch depends on the
      inode audit change patch already being applied.
      Signed-off-by: default avatarSteve Grubb <sgrubb@redhat.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      9c7aa6aa
    • Steve Grubb's avatar
      [PATCH] audit inode patch · 1b50eed9
      Steve Grubb authored
      
      
      Previously, we were gathering the context instead of the sid. Now in this patch,
      we gather just the sid and convert to context only if an audit event is being
      output.
      
      This patch brings the performance hit from 146% down to 23%
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      1b50eed9
    • Darrel Goeddel's avatar
      [PATCH] support for context based audit filtering, part 2 · 3dc7e315
      Darrel Goeddel authored
      
      
      This patch provides the ability to filter audit messages based on the
      elements of the process' SELinux context (user, role, type, mls sensitivity,
      and mls clearance).  It uses the new interfaces from selinux to opaquely
      store information related to the selinux context and to filter based on that
      information.  It also uses the callback mechanism provided by selinux to
      refresh the information when a new policy is loaded.
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      3dc7e315
    • Al Viro's avatar