1. 28 Apr, 2008 12 commits
    • Al Viro's avatar
      [PATCH] new predicate - AUDIT_FILETYPE · 8b67dca9
      Al Viro authored
      
      
      Argument is S_IF... | <index>, where index is normally 0 or 1.
      Triggers if chosen element of ctx->names[] is present and the
      mode of object in question matches the upper bits of argument.
      I.e. for things like "is the argument of that chmod a directory",
      etc.
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      8b67dca9
    • Pavel Emelyanov's avatar
      [patch 2/2] Use find_task_by_vpid in audit code · 4a761b8c
      Pavel Emelyanov authored
      
      
      The pid to lookup a task by is passed inside audit code via netlink message.
      
      Thanks to Denis Lunev, netlink packets are now (since 2.6.24) _always_
      processed in the context of the sending task.  So this is correct to lookup
      the task with find_task_by_vpid() here.
      Signed-off-by: default avatarPavel Emelyanov <xemul@openvz.org>
      Cc: "Eric W. Biederman" <ebiederm@xmission.com>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      4a761b8c
    • Miloslav Trmac's avatar
      [patch 1/2] audit: let userspace fully control TTY input auditing · 41126226
      Miloslav Trmac authored
      
      
      Remove the code that automatically disables TTY input auditing in processes
      that open TTYs when they have no other TTY open; this heuristic was
      intended to automatically handle daemons, but it has false positives (e.g.
      with sshd) that make it impossible to control TTY input auditing from a PAM
      module.  With this patch, TTY input auditing is controlled from user-space
      only.
      
      On the other hand, not even for daemons does it make sense to audit "input"
      from PTY masters; this data was produced by a program writing to the PTY
      slave, and does not represent data entered by the user.
      Signed-off-by: default avatarMiloslav Trmac <mitr@redhat.com>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: David Woodhouse <dwmw2@infradead.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      41126226
    • Harvey Harrison's avatar
      [PATCH 2/2] audit: fix sparse shadowed variable warnings · 7719e437
      Harvey Harrison authored
      
      
      Use msglen as the identifier.
      kernel/audit.c:724:10: warning: symbol 'len' shadows an earlier one
      kernel/audit.c:575:8: originally declared here
      
      Don't use ino_f to check the inode field at the end of the functions.
      kernel/auditfilter.c:429:22: warning: symbol 'f' shadows an earlier one
      kernel/auditfilter.c:420:21: originally declared here
      kernel/auditfilter.c:542:22: warning: symbol 'f' shadows an earlier one
      kernel/auditfilter.c:529:21: originally declared here
      
      i always used as a counter for a for loop and initialized to zero before
      use.  Eliminate the inner i variables.
      kernel/auditsc.c:1295:8: warning: symbol 'i' shadows an earlier one
      kernel/auditsc.c:1152:6: originally declared here
      kernel/auditsc.c:1320:7: warning: symbol 'i' shadows an earlier one
      kernel/auditsc.c:1152:6: originally declared here
      Signed-off-by: default avatarHarvey Harrison <harvey.harrison@gmail.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      7719e437
    • Harvey Harrison's avatar
      [PATCH 1/2] audit: move extern declarations to audit.h · c782f242
      Harvey Harrison authored
      
      
      Leave audit_sig_{uid|pid|sid} protected by #ifdef CONFIG_AUDITSYSCALL.
      
      Noticed by sparse:
      kernel/audit.c:73:6: warning: symbol 'audit_ever_enabled' was not declared. Should it be static?
      kernel/audit.c:100:8: warning: symbol 'audit_sig_uid' was not declared. Should it be static?
      kernel/audit.c:101:8: warning: symbol 'audit_sig_pid' was not declared. Should it be static?
      kernel/audit.c:102:6: warning: symbol 'audit_sig_sid' was not declared. Should it be static?
      kernel/audit.c:117:23: warning: symbol 'audit_ih' was not declared. Should it be static?
      kernel/auditfilter.c:78:18: warning: symbol 'audit_filter_list' was not declared. Should it be static?
      Signed-off-by: default avatarHarvey Harrison <harvey.harrison@gmail.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      c782f242
    • Eric Paris's avatar
      Audit: MAINTAINERS update · 0ef1970d
      Eric Paris authored
      
      
      Change maintainers to include me and al viro
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      0ef1970d
    • Eric Paris's avatar
      Audit: increase the maximum length of the key field · a42da93c
      Eric Paris authored
      
      
      Key lengths were arbitrarily limited to 32 characters.  If userspace is going
      to start using the single kernel key field as multiple virtual key fields
      (example key=key1,key2,key3,key4) we should give them enough room to work.
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      a42da93c
    • Eric Paris's avatar
      Audit: standardize string audit interfaces · b556f8ad
      Eric Paris authored
      
      
      This patch standardized the string auditing interfaces.  No userspace
      changes will be visible and this is all just cleanup and consistancy
      work.  We have the following string audit interfaces to use:
      
      void audit_log_n_hex(struct audit_buffer *ab, const unsigned char *buf, size_t len);
      
      void audit_log_n_string(struct audit_buffer *ab, const char *buf, size_t n);
      void audit_log_string(struct audit_buffer *ab, const char *buf);
      
      void audit_log_n_untrustedstring(struct audit_buffer *ab, const char *string, size_t n);
      void audit_log_untrustedstring(struct audit_buffer *ab, const char *string);
      
      This may be the first step to possibly fixing some of the issues that
      people have with the string output from the kernel audit system.  But we
      still don't have an agreed upon solution to that problem.
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      b556f8ad
    • Eric Paris's avatar
      Audit: stop deadlock from signals under load · f09ac9db
      Eric Paris authored
      
      
      A deadlock is possible between kauditd and auditd under load if auditd
      receives a signal.  When auditd receives a signal it sends a netlink
      message to the kernel asking for information about the sender of the
      signal.  In that same context the audit system will attempt to send a
      netlink message back to the userspace auditd.  If kauditd has already
      filled the socket buffer (see netlink_attachskb()) auditd will now put
      itself to sleep waiting for room to send the message.  Since auditd is
      responsible for draining that socket we have a deadlock.  The fix, since
      the response from the kernel does not need to be synchronous is to send
      the signal information back to auditd in a separate thread.  And thus
      auditd can continue to drain the audit queue normally.
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      f09ac9db
    • Eric Paris's avatar
      Audit: save audit_backlog_limit audit messages in case auditd comes back · f3d357b0
      Eric Paris authored
      
      
      This patch causes the kernel audit subsystem to store up to
      audit_backlog_limit messages for use by auditd if it ever appears
      sometime in the future in userspace.  This is useful to collect audit
      messages during bootup and even when auditd is stopped.  This is NOT a
      reliable mechanism, it does not ever call audit_panic, nor should it.
      audit_log_lost()/audit_panic() are called during the normal delivery
      mechanism.  The messages are still sent to printk/syslog as usual and if
      too many messages appear to be queued they will be silently discarded.
      
      I liked doing it by default, but this patch only uses the queue in
      question if it was booted with audit=1 or if the kernel was built
      enabling audit by default.
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      f3d357b0
    • Eric Paris's avatar
      Audit: collect sessionid in netlink messages · 2532386f
      Eric Paris authored
      
      
      Previously I added sessionid output to all audit messages where it was
      available but we still didn't know the sessionid of the sender of
      netlink messages.  This patch adds that information to netlink messages
      so we can audit who sent netlink messages.
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      2532386f
    • Eric Paris's avatar
      Audit: end printk with newline · 436c405c
      Eric Paris authored
      
      
      A couple of audit printk statements did not have a newline.
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      436c405c
  2. 27 Apr, 2008 28 commits