1. 28 Apr, 2008 5 commits
    • Al Viro's avatar
      [PATCH] new predicate - AUDIT_FILETYPE · 8b67dca9
      Al Viro authored
      
      
      Argument is S_IF... | <index>, where index is normally 0 or 1.
      Triggers if chosen element of ctx->names[] is present and the
      mode of object in question matches the upper bits of argument.
      I.e. for things like "is the argument of that chmod a directory",
      etc.
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      8b67dca9
    • Harvey Harrison's avatar
      [PATCH 2/2] audit: fix sparse shadowed variable warnings · 7719e437
      Harvey Harrison authored
      
      
      Use msglen as the identifier.
      kernel/audit.c:724:10: warning: symbol 'len' shadows an earlier one
      kernel/audit.c:575:8: originally declared here
      
      Don't use ino_f to check the inode field at the end of the functions.
      kernel/auditfilter.c:429:22: warning: symbol 'f' shadows an earlier one
      kernel/auditfilter.c:420:21: originally declared here
      kernel/auditfilter.c:542:22: warning: symbol 'f' shadows an earlier one
      kernel/auditfilter.c:529:21: originally declared here
      
      i always used as a counter for a for loop and initialized to zero before
      use.  Eliminate the inner i variables.
      kernel/auditsc.c:1295:8: warning: symbol 'i' shadows an earlier one
      kernel/auditsc.c:1152:6: originally declared here
      kernel/auditsc.c:1320:7: warning: symbol 'i' shadows an earlier one
      kernel/auditsc.c:1152:6: originally declared here
      Signed-off-by: default avatarHarvey Harrison <harvey.harrison@gmail.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      7719e437
    • Harvey Harrison's avatar
      [PATCH 1/2] audit: move extern declarations to audit.h · c782f242
      Harvey Harrison authored
      
      
      Leave audit_sig_{uid|pid|sid} protected by #ifdef CONFIG_AUDITSYSCALL.
      
      Noticed by sparse:
      kernel/audit.c:73:6: warning: symbol 'audit_ever_enabled' was not declared. Should it be static?
      kernel/audit.c:100:8: warning: symbol 'audit_sig_uid' was not declared. Should it be static?
      kernel/audit.c:101:8: warning: symbol 'audit_sig_pid' was not declared. Should it be static?
      kernel/audit.c:102:6: warning: symbol 'audit_sig_sid' was not declared. Should it be static?
      kernel/audit.c:117:23: warning: symbol 'audit_ih' was not declared. Should it be static?
      kernel/auditfilter.c:78:18: warning: symbol 'audit_filter_list' was not declared. Should it be static?
      Signed-off-by: default avatarHarvey Harrison <harvey.harrison@gmail.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      c782f242
    • Eric Paris's avatar
      Audit: standardize string audit interfaces · b556f8ad
      Eric Paris authored
      
      
      This patch standardized the string auditing interfaces.  No userspace
      changes will be visible and this is all just cleanup and consistancy
      work.  We have the following string audit interfaces to use:
      
      void audit_log_n_hex(struct audit_buffer *ab, const unsigned char *buf, size_t len);
      
      void audit_log_n_string(struct audit_buffer *ab, const char *buf, size_t n);
      void audit_log_string(struct audit_buffer *ab, const char *buf);
      
      void audit_log_n_untrustedstring(struct audit_buffer *ab, const char *string, size_t n);
      void audit_log_untrustedstring(struct audit_buffer *ab, const char *string);
      
      This may be the first step to possibly fixing some of the issues that
      people have with the string output from the kernel audit system.  But we
      still don't have an agreed upon solution to that problem.
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      b556f8ad
    • Eric Paris's avatar
      Audit: end printk with newline · 436c405c
      Eric Paris authored
      
      
      A couple of audit printk statements did not have a newline.
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      436c405c
  2. 18 Apr, 2008 3 commits
  3. 01 Mar, 2008 1 commit
  4. 19 Feb, 2008 1 commit
  5. 15 Feb, 2008 2 commits
  6. 01 Feb, 2008 9 commits
  7. 23 Oct, 2007 1 commit
  8. 21 Oct, 2007 2 commits
    • Al Viro's avatar
      [PATCH] audit: watching subtrees · 74c3cbe3
      Al Viro authored
      
      
      New kind of audit rule predicates: "object is visible in given subtree".
      The part that can be sanely implemented, that is.  Limitations:
      	* if you have hardlink from outside of tree, you'd better watch
      it too (or just watch the object itself, obviously)
      	* if you mount something under a watched tree, tell audit
      that new chunk should be added to watched subtrees
      	* if you umount something in a watched tree and it's still mounted
      elsewhere, you will get matches on events happening there.  New command
      tells audit to recalculate the trees, trimming such sources of false
      positives.
      
      Note that it's _not_ about path - if something mounted in several places
      (multiple mount, bindings, different namespaces, etc.), the match does
      _not_ depend on which one we are using for access.
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      74c3cbe3
    • Al Viro's avatar
      [PATCH] pass dentry to audit_inode()/audit_inode_child() · 5a190ae6
      Al Viro authored
      
      
      makes caller simpler *and* allows to scan ancestors
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      5a190ae6
  9. 18 Oct, 2007 1 commit
  10. 17 Oct, 2007 1 commit
  11. 09 Oct, 2007 1 commit
  12. 23 Aug, 2007 1 commit
  13. 08 Aug, 2007 1 commit
  14. 29 Jul, 2007 1 commit
  15. 22 Jul, 2007 2 commits
    • Al Viro's avatar
      [PATCH] get rid of AVC_PATH postponed treatment · 4259fa01
      Al Viro authored
      
      
              Selinux folks had been complaining about the lack of AVC_PATH
      records when audit is disabled.  I must admit my stupidity - I assumed
      that avc_audit() really couldn't use audit_log_d_path() because of
      deadlocks (== could be called with dcache_lock or vfsmount_lock held).
      Shouldn't have made that assumption - it never gets called that way.
      It _is_ called under spinlocks, but not those.
      
              Since audit_log_d_path() uses ab->gfp_mask for allocations,
      kmalloc() in there is not a problem.  IOW, the simple fix is sufficient:
      let's rip AUDIT_AVC_PATH out and simply generate pathname as part of main
      record.  It's trivial to do.
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Acked-by: default avatarJames Morris <jmorris@namei.org>
      4259fa01
    • Steve Grubb's avatar
      [PATCH] Make IPC mode consistent · 5b9a4262
      Steve Grubb authored
      
      
      The mode fields for IPC records are not consistent. Some are hex, others are
      octal. This patch makes them all octal.
      Signed-off-by: default avatarSteve Grubb <sgrubb@redhat.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      5b9a4262
  16. 19 Jul, 2007 2 commits
  17. 16 Jul, 2007 2 commits
    • Henrik Kretzschmar's avatar
      kerneldoc fix in audit_core_dumps · 6d9525b5
      Henrik Kretzschmar authored
      
      
      Fix parameter name in audit_core_dumps for kerneldoc.
      Signed-off-by: default avatarHenrik Kretzschmar <henne@nachtwindheim.de>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      6d9525b5
    • Miloslav Trmac's avatar
      Audit: add TTY input auditing · 522ed776
      Miloslav Trmac authored
      Add TTY input auditing, used to audit system administrator's actions.  This is
      required by various security standards such as DCID 6/3 and PCI to provide
      non-repudiation of administrator's actions and to allow a review of past
      actions if the administrator seems to overstep their duties or if the system
      becomes misconfigured for unknown reasons.  These requirements do not make it
      necessary to audit TTY output as well.
      
      Compared to an user-space keylogger, this approach records TTY input using the
      audit subsystem, correlated with other audit events, and it is completely
      transparent to the user-space application (e.g.  the console ioctls still
      work).
      
      TTY input auditing works on a higher level than auditing all system calls
      within the session, which would produce an overwhelming amount of mostly
      useless audit events.
      
      Add an "audit_tty" attribute, inherited across fork ().  Data read from TTYs
      by process with the attribute is sent to the audit subsystem by the kernel.
      The audit netlink interface is extended to allow modifying the audit_tty
      attribute, and to allow sending explanatory audit events from user-space (for
      example, a shell might send an event containing the final command, after the
      interactive command-line editing and history expansion is performed, which
      might be difficult to decipher from the TTY input alone).
      
      Because the "audit_tty" attribute is inherited across fork (), it would be set
      e.g.  for sshd restarted within an audited session.  To prevent this, the
      audit_tty attribute is cleared when a process with no open TTY file
      descriptors (e.g.  after daemon startup) opens a TTY.
      
      See https://www.redhat.com/archives/linux-audit/2007-June/msg00000.html
      
       for a
      more detailed rationale document for an older version of this patch.
      
      [akpm@linux-foundation.org: build fix]
      Signed-off-by: default avatarMiloslav Trmac <mitr@redhat.com>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
      Cc: Paul Fulghum <paulkf@microgate.com>
      Cc: Casey Schaufler <casey@schaufler-ca.com>
      Cc: Steve Grubb <sgrubb@redhat.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      522ed776
  18. 11 May, 2007 4 commits