1. 24 Jun, 2009 10 commits
    • Fix rule eviction order for AUDIT_DIR · 916d7576
      Al Viro authored
      
      
      If syscall removes the root of subtree being watched, we
      definitely do not want the rules referring to that subtree
      to be destroyed without the syscall in question having
      a chance to match them.
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • Audit: clean up all op= output to include string quoting · 9d960985
      Eric Paris authored
      
      
      A number of places in the audit system we send an op= followed by a string
      that includes spaces.  Somehow this works but it's just wrong.  This patch
      moves all of those that I could find to be quoted.
      
      Example:
      
      Change From: type=CONFIG_CHANGE msg=audit(1244666690.117:31): auid=0 ses=1
      subj=unconfined_u:unconfined_r:auditctl_t:s0-s0:c0.c1023 op=remove rule
      key="number2" list=4 res=0
      
      Change To: type=CONFIG_CHANGE msg=audit(1244666690.117:31): auid=0 ses=1
      subj=unconfined_u:unconfined_r:auditctl_t:s0-s0:c0.c1023 op="remove rule"
      key="number2" list=4 res=0
      Signed-off-by: Eric Paris <eparis@redhat.com>
    • Audit: move audit_get_nd completely into audit_watch · 35fe4d0b
      Eric Paris authored
      
      
      audit_get_nd() is only used by audit_watch and could be more cleanly
      implemented by having the audit watch functions call it when needed rather
      than making the generic audit rule parsing code deal with those objects.
      Signed-off-by: Eric Paris <eparis@redhat.com>
    • audit: separate audit inode watches into a subfile · cfcad62c
      Eric Paris authored
      
      
      In preparation for converting audit to use fsnotify instead of inotify we
      separate the inode watching code into its own file.  This is similar to
      how the audit tree watching code is already separated into audit_tree.c
      Signed-off-by: Eric Paris <eparis@redhat.com>
    • Audit: clean up audit_receive_skb · ea7ae60b
      Eric Paris authored
      
      
      audit_receive_skb is hard to clearly parse what it is doing to the netlink
      message.  Clean the function up so it is easy and clear to see what is going
      on.
      Signed-off-by: Eric Paris <eparis@redhat.com>
    • Audit: cleanup netlink mesg handling · ee080e6c
      Eric Paris authored
      
      
      The audit handling of netlink messages is all over the place.  Clean things
      up, use predetermined macros, generally make it more readable.
      Signed-off-by: Eric Paris <eparis@redhat.com>
    • Audit: unify the printk of an skb when auditd not around · 038cbcf6
      Eric Paris authored
      
      
      Remove code duplication of skb printk when auditd is not around in userspace
      to deal with this message.
      Signed-off-by: Eric Paris <eparis@redhat.com>
    • Audit: dereferencing krule as if it were an audit_watch · e85188f4
      Eric Paris authored
      
      
      audit_update_watch() runs all of the rules for a given watch and duplicates
      them, attaches a new watch to them, and then when it finishes that process
      and has called free on all of the old rules (ok maybe still inside the rcu
      grace period) it proceeds to use the last element from list_for_each_entry_safe()
      as if it were a krule rather than being the audit_watch which was anchoring
      the list to output a message about audit rules changing.
      
      This patch unifies the audit message from two different places into a helper
      function and calls it from the correct location in audit_update_rules().  We
      will now get an audit message about the config changing for each rule (with
      each rule's filterkey) rather than the previous garbage.
      Signed-off-by: Eric Paris <eparis@redhat.com>
    • Audit: better estimation of execve record length · b87ce6e4
      Eric Paris authored
      
      
      The audit execve record splitting code estimates the length of the message
      generated.  But it forgot to include the "" that wrap each string in its
      estimation.  This means that execve messages with lots of tiny (1-2 byte)
      arguments could still cause records greater than 8k to be emitted.  Simply
      fix the estimate.
      Signed-off-by: Eric Paris <eparis@redhat.com>
    • Audit: fix audit watch use after free · 35aa901c
      Eric Paris authored
      
      
      When an audit watch is added to a parent the temporary watch inside the
      original krule from userspace is freed.  Yet the original watch is used after
      the real watch was created in audit_add_rules()
      Signed-off-by: Eric Paris <eparis@redhat.com>
  2. 23 Jun, 2009 30 commits