1. 11 Sep, 2006 1 commit
  2. 01 Jul, 2006 1 commit
    • Amy Griffis's avatar
      [PATCH] add rule filterkey · 5adc8a6a
      Amy Griffis authored
      Add support for a rule key, which can be used to tie audit records to audit
      rules.  This is useful when a watched file is accessed through a link or
      symlink, as well as for general audit log analysis.
      
      Because this patch uses a string key instead of an integer key, there is a bit
      of extra overhead to do the kstrdup() when a rule fires.  However, we're also
      allocating memory for the audit record buffer, so it's probably not that
      significant.  I went ahead with a string key because it seems more
      user-friendly.
      
      Note that the user must ensure that filterkeys are unique.  The kernel only
      checks for duplicate rules.
      Signed-off-by: default avatarAmy Griffis <amy.griffis@hpd.com>
      5adc8a6a
  3. 20 Jun, 2006 4 commits
    • Amy Griffis's avatar
      [PATCH] log more info for directory entry change events · 9c937dcc
      Amy Griffis authored
      When an audit event involves changes to a directory entry, include
      a PATH record for the directory itself.  A few other notable changes:
      
          - fixed audit_inode_child() hooks in fsnotify_move()
          - removed unused flags arg from audit_inode()
          - added audit log routines for logging a portion of a string
      
      Here's some sample output.
      
      before patch:
      type=SYSCALL msg=audit(1149821605.320:26): arch=40000003 syscall=39 success=yes exit=0 a0=bf8d3c7c a1=1ff a2=804e1b8 a3=bf8d3c7c items=1 ppid=739 pid=800 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 comm="mkdir" exe="/bin/mkdir" subj=root:system_r:unconfined_t:s0-s0:c0.c255
      type=CWD msg=audit(1149821605.320:26):  cwd="/root"
      type=PATH msg=audit(1149821605.320:26): item=0 name="foo" parent=164068 inode=164010 dev=03:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=root:object_r:user_home_t:s0
      
      after patch:
      type=SYSCALL msg=audit(1149822032.332:24): arch=40000003 syscall=39 success=yes exit=0 a0=bfdd9c7c a1=1ff a2=804e1b8 a3=bfdd9c7c items=2 ppid=714 pid=777 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 comm="mkdir" exe="/bin/mkdir" subj=root:system_r:unconfined_t:s0-s0:c0.c255
      type=CWD msg=audit(1149822032.332:24):  cwd="/root"
      type=PATH msg=audit(1149822032.332:24): item=0 name="/root" inode=164068 dev=03:00 mode=040750 ouid=0 ogid=0 rdev=00:00 obj=root:object_r:user_home_dir_t:s0
      type=PATH msg=audit(1149822032.332:24): item=1 name="foo" inode=164010 dev=03:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=root:object_r:user_home_t:s0
      Signed-off-by: default avatarAmy Griffis <amy.griffis@hp.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      9c937dcc
    • Amy Griffis's avatar
      [PATCH] audit: path-based rules · f368c07d
      Amy Griffis authored
      In this implementation, audit registers inotify watches on the parent
      directories of paths specified in audit rules.  When audit's inotify
      event handler is called, it updates any affected rules based on the
      filesystem event.  If the parent directory is renamed, removed, or its
      filesystem is unmounted, audit removes all rules referencing that
      inotify watch.
      
      To keep things simple, this implementation limits location-based
      auditing to the directory entries in an existing directory.  Given
      a path-based rule for /foo/bar/passwd, the following table applies:
      
          passwd modified -- audit event logged
          passwd replaced -- audit event logged, rules list updated
          bar renamed     -- rule removed
          foo renamed     -- untracked, meaning that the rule now applies to
      		       the new location
      
      Audit users typically want to have many rules referencing filesystem
      objects, which can significantly impact filtering performance.  This
      patch also adds an inode-number-based rule hash to mitigate this
      situation.
      
      The patch is relative to the audit git tree:
      http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
      and uses the inotify kernel API:
      http://lkml.org/lkml/2006/6/1/145Signed-off-by: default avatarAmy Griffis <amy.griffis@hp.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      f368c07d
    • Al Viro's avatar
      e1396065
    • Al Viro's avatar
      [PATCH] fix deadlocks in AUDIT_LIST/AUDIT_LIST_RULES · 9044e6bc
      Al Viro authored
      We should not send a pile of replies while holding audit_netlink_mutex
      since we hold the same mutex when we receive commands.  As the result,
      we can get blocked while sending and sit there holding the mutex while
      auditctl is unable to send the next command and get around to receiving
      what we'd sent.
      
      Solution: create skb and put them into a queue instead of sending;
      once we are done, send what we've got on the list.  The former can
      be done synchronously while we are handling AUDIT_LIST or AUDIT_LIST_RULES;
      we are holding audit_netlink_mutex at that point.  The latter is done
      asynchronously and without messing with audit_netlink_mutex.
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      9044e6bc
  4. 01 May, 2006 1 commit
    • Darrel Goeddel's avatar
      [PATCH] support for context based audit filtering, part 2 · 3dc7e315
      Darrel Goeddel authored
      This patch provides the ability to filter audit messages based on the
      elements of the process' SELinux context (user, role, type, mls sensitivity,
      and mls clearance).  It uses the new interfaces from selinux to opaquely
      store information related to the selinux context and to filter based on that
      information.  It also uses the callback mechanism provided by selinux to
      refresh the information when a new policy is loaded.
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      3dc7e315
  5. 20 Mar, 2006 3 commits