I think if we went back and looked at history we'd see that all of the
code originally had none of the if(!ab) checks after allocation and
they just sorta slowly crept in over time. I prefer this pattern, but
it used to be the opposite everywhere.
On Wed, 2018-02-21 at 19:02 -0500, Paul Moore wro
On Sat, 2017-12-09 at 10:28 -0800, Casey Schaufler wrote:
> On 12/9/2017 2:20 AM, Mickaël Salaün wrote:
> > What about automatically creating
> > and assigning an ID to a process when it enters a namespace different
> > than
> > one of its parent process? This delegates the (permission)
> > respon
On Tue, 2017-02-28 at 21:49 +, Joan Jani wrote:
> This patch fixes the following checkpatch.pl warning
> WARNING: Block comments use a trailing */ on a separate line
>
> like
>
> kernel/audit.c:135: WARNING: Block comments use a trailing */ on a
> separate line
> kernel/audit.c:170: WARNING:
All of the patches look good to me except most of those which change
the handling of `rc=`. I have a personal style preference for
rc = -ENOMEM;
val = kalloc();
if (!val)
goto err;
vs
val = kalloc();
if (!val) {
rc = -ENOMEM;
goto err;
}
because it saves 1 line and I think the compiler
On Fri, 2017-01-13 at 10:06 -0500, Richard Guy Briggs wrote:
> On 2017-01-13 09:42, Eric Paris wrote:
> > On Fri, 2017-01-13 at 04:51 -0500, Richard Guy Briggs wrote:
> > > diff --git a/include/linux/audit.h b/include/linux/audit.h
> > > index 9d4443f..43d8003 10064
On Fri, 2017-01-13 at 04:51 -0500, Richard Guy Briggs wrote:
> 32-bit socketcalls were not being logged by audit on x86_64 systems.
> Log them. This is basically a duplicate of the call from
> net/socket.c:sys_socketcall(), but it addresses the impedance
> mismatch
> between 32-bit userspace proce
On Wed, 2016-05-11 at 14:54 +0200, Hector Marco-Gisbert wrote:
>
> On 21/04/16 at 00:12, Kees Cook wrote:
> > On Tue, Apr 19, 2016 at 11:55 AM, Hector Marco-Gisbert > v.es> wrote:
> > > > On Wed, Apr 6, 2016 at 12:07 PM, Hector Marco-Gisbert > > > @upv.es> wrote:
> > > > > The minimum addr
or more likely
> > SECCOMP_RET_ERRNO in the rule set.
> >
> > The seccomp auditing was originally added by Eric with
> >
> > commit 85e7bac33b8d5edafc4e219c7dfdb3d48e0b4e31
> > Author: Eric Paris
> > Date: Tue Jan 3 14:2
Acked-by: Eric Paris
On Mon, 2015-09-21 at 11:45 -0700, Dave Hansen wrote:
> From: Dave Hansen
>
> There was a report that my patch:
>
> inotify: actually check for invalid bits in
> sys_inotify_add_watch()
>
> broke CRIU.
>
> The reason is that CRIU lo
Looks fine to me. And usually akpm picks them up these days.
On Wed, 2015-09-09 at 14:59 -0700, Dave Hansen wrote:
> On 06/30/2015 10:36 AM, Dave Hansen wrote:
> > From: Dave Hansen
> >
> > The comment here says that it is checking for invalid bits. But,
> > the mask is *actually* checking to e
This is already going to be in the audit log, right? We're going to
send a CONFIG_CHANGE record with old_pid == the existing auditd. I bet
it gets delivered to the old auditd.
But why is this a printk(KERN_WARN) ?
On Mon, 2015-09-07 at 12:48 -0400, Richard Guy Briggs wrote:
> Nothing prevents a n
On Mon, 2015-08-31 at 22:52 -0400, Paul Moore wrote:
> On Fri, Aug 28, 2015 at 10:03 PM, Luis R. Rodriguez
> wrote:
> > On Fri, Aug 28, 2015 at 06:26:05PM -0400, Paul Moore wrote:
> > > On Fri, Aug 28, 2015 at 7:20 AM, Roberts, William C
> > > wrote:
> > > > Even triggered updates make sense, sin
I have to admit, I'm partial to not merging this (with the other
patches). Changing object lifetimes in what I seem to remember is long
standing code (auditfilter, not auditexe) seems to me like something we
really would want to be git bisectable, not mushed with an unrelated
feature addition. But
; This means that there will both be nothing to notify for
> *and* implies that there is no need for clearing the ignore
> mask.
>
> This patch gave a 13.8% speedup in writes/second on my test,
> which is an improvement from the 10.8% that I saw with the
> last version.
>
>
On Sat, 2015-06-13 at 10:35 +0300, Yury wrote:
>
> On 13.06.2015 01:35, Waiman Long wrote:
> > On 06/12/2015 08:31 AM, Stephen Smalley wrote:
> > > On 06/12/2015 02:26 AM, Raghavendra K T wrote:
> > > > On 06/12/2015 03:01 AM, Waiman Long wrote:
> > > > > The inode_free_security() function just to
On Fri, 2015-06-12 at 08:31 -0400, Stephen Smalley wrote:
> On 06/12/2015 02:26 AM, Raghavendra K T wrote:
> > On 06/12/2015 03:01 AM, Waiman Long wrote:
> > > The inode_free_security() function just took the superblock's
> > > isec_lock
> > > before checking and trying to remove the inode securit
What kernel version was this? Didn't we have this problem and solve it
upstream some time ago? IPC could be allocated with a valid security
context, the ipc would be freed. The isec was freed synchronously, but
then the ipc could stick around until some rcu period or some usage flag
got to 0, the
On Mon, 2014-12-29 at 13:06 +0800, ivo welch wrote:
> thank you, eric. will do. I read up on it above and now understand it
> better.
Great let us know if it keeps giving you trouble!
> the example in the man page seems somewhat misfortunate. I would use
> an example that does not, by default
LA Anderson Fink Center for Finance and Investments
> Free Finance Textbook, http://book.ivo-welch.info/
> Editor, Critical Finance Review,
> http://www.critical-finance-review.org/
>
>
> On Mon, Dec 29, 2014 at 7:13 AM, Eric Paris wrote:
> Why are you setting FA
Why are you setting FAN_OPEN_PERM and then not responding to perm
requests? Of course the system is going to appear locked, until you
start responding to open events, remove that mark, or close the fanotify
fd...
-Eric
On Fri, 2014-12-26 at 19:40 +0100, Heinrich Schuchardt wrote:
> Hello Ivo,
>
On Thu, 2014-12-18 at 13:44 -0500, Richard Guy Briggs wrote:
> On 14/12/18, Eric Paris wrote:
> > On Thu, 2014-12-18 at 12:46 -0500, Richard Guy Briggs wrote:
> > > On 14/12/18, Eric Paris wrote:
> > > > On Thu, 2014-12-18 at 11:45 -0500, valdis.kletni...@vt.edu w
On Thu, 2014-12-18 at 12:46 -0500, Richard Guy Briggs wrote:
> On 14/12/18, Eric Paris wrote:
> > On Thu, 2014-12-18 at 11:45 -0500, valdis.kletni...@vt.edu wrote:
> > > On Tue, 16 Dec 2014 20:09:54 -0500, Valdis Kletnieks said:
> > > > Spotted these two while b
On Thu, 2014-12-18 at 11:45 -0500, valdis.kletni...@vt.edu wrote:
> On Tue, 16 Dec 2014 20:09:54 -0500, Valdis Kletnieks said:
>
> > Spotted these two while booting single-user on 20141216. 20141208
> > doesn't throw these, so it's something in the last week or so..
>
> Gaah! Turns out that 201
I haven't looked into it, but I'd place my first bet on the audit
multicast code...
Richard?
On Tue, 2014-12-16 at 20:09 -0500, Valdis Kletnieks wrote:
> Not sure who's to blame here, but I'm tending towards selinux based on
> who was holding the locks...
>
> Spotted these two while booting sing
On Thu, 2014-11-20 at 12:12 +, David Drysdale wrote:
> [+linux-fsdevel, without the typo this time]
>
> On Wed, Nov 19, 2014 at 8:30 PM, David Miller wrote:
> > From: David Drysdale
> > Date: Tue, 18 Nov 2014 13:13:51 +
> >
> >> Hi folks,
> >>
> >> It looks like the value for O_PATH on s
[adding paul and richard]
On Tue, 2014-11-04 at 11:27 +0100, Miklos Szeredi wrote:
> From: Miklos Szeredi
>
> Audit rules disappear when an inode they watch is evicted from the cache.
> This is likely not what we want.
>
> The guilty commit is "fsnotify: allow marks to not pin inodes in core",
On Mon, 2014-10-27 at 21:52 +0100, Thomas Gleixner wrote:
> On Sun, 26 Oct 2014, Richard Guy Briggs wrote:
> > diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S
> > index b553ed8..344b63f 100644
> > --- a/arch/x86/kernel/entry_32.S
> > +++ b/arch/x86/kernel/entry_32.S
> > @@ -447
On Mon, 2014-10-27 at 10:02 -0700, H. Peter Anvin wrote:
> On 10/27/2014 06:55 AM, Eric Paris wrote:
> > My patch was already committed to the -tip urgent branch. I believe any
> > optimization should be based on that branch, Richard. If you are trying
> > to wrangle ever
;
> After the call to __audit_syscall_entry all we need to do is get that
> now useless junk off the stack (pair of pops) and reload %eax with the
> original syscall so other stuff can keep going about its business.
>
> Reported-by: Paulo Zanoni
> Signed-off-by: Eric Par
Commit-ID: 26c2d2b39128adba276d140eefa2745591b88536
Gitweb: http://git.kernel.org/tip/26c2d2b39128adba276d140eefa2745591b88536
Author: Eric Paris
AuthorDate: Thu, 23 Oct 2014 00:04:03 -0400
Committer: H. Peter Anvin
CommitDate: Fri, 24 Oct 2014 13:27:56 -0700
i386/audit: stop
On Thu, 2014-10-23 at 12:20 -0700, Andy Lutomirski wrote:
> On Thu, Oct 23, 2014 at 12:15 PM, Eric Paris wrote:
> > On Thu, 2014-10-23 at 11:39 -0700, Andy Lutomirski wrote:
> >> On 10/22/2014 09:04 PM, Eric Paris wrote:
> >> > git commit b4f0d3755c5e9cc86292d5fd
On Thu, 2014-10-23 at 15:30 -0400, Eric Paris wrote:
> On Thu, 2014-10-23 at 12:20 -0700, Andy Lutomirski wrote:
> > On Thu, Oct 23, 2014 at 12:15 PM, Eric Paris wrote:
> > > On Thu, 2014-10-23 at 11:39 -0700, Andy Lutomirski wrote:
> > >> On 10/22/2014 09:04 PM,
On Thu, 2014-10-23 at 11:39 -0700, Andy Lutomirski wrote:
> On 10/22/2014 09:04 PM, Eric Paris wrote:
> > git commit b4f0d3755c5e9cc86292d5fd78261903b4f23d4a was very very dumb.
> > It was writing over %esp/pt_regs semi-randomly on i686 with the expected
> > "system can&
scall_entry all we need to do is get that
now useless junk off the stack (pair of pops) and reload %eax with the
original syscall so other stuff can keep going about its business.
Signed-off-by: Eric Paris
Cc: Thomas Gleixner
Cc: Ingo Molnar
Cc: "H. Peter Anvin"
Cc: x.
On Wed, 2014-10-22 at 14:43 -0700, H. Peter Anvin wrote:
> On 10/22/2014 02:38 PM, Eric Paris wrote:
> >
> > It was sent, numerous times, to the x86 list for reviews, and lived in
> > -next for 2 complete devel cycles without a complaint. I'm trying to
> > get an
On Wed, 2014-10-22 at 23:36 +0200, Thomas Gleixner wrote:
> On Wed, 22 Oct 2014, Eric Paris wrote:
>
> > That's really serious. Looking now.
>
> Indeed it's serious. And it's even more serious as this masterpiece of
> assembly wreckage was pulled in via your tree
That's really serious. Looking now.
On Wed, 2014-10-22 at 16:08 -0200, Paulo Zanoni wrote:
> Hi
>
> (Cc'ing everybody mentioned in the original patch)
>
> I work for Intel, on our Linux Graphics driver - aka i915.ko - and our
> QA team recently reported a regression on:
>
> commit b4f0d3755c5e
On Tue, 2014-10-21 at 17:08 -0400, Richard Guy Briggs wrote:
> On 14/10/21, Steve Grubb wrote:
> > On Tuesday, October 07, 2014 03:03:14 PM Eric Paris wrote:
> > > On Tue, 2014-10-07 at 14:23 -0400, Richard Guy Briggs wrote:
> > > > Log the event when a client atte
On Tue, 2014-10-21 at 17:56 -0400, Paul Moore wrote:
> * Change the audit_status.version field comment in include/uapi/linux/audit.h
> to "/* audit functionality bitmap */", or similar. We can't really change
> the
> structure now, but the comment is fair game.
Trying to think how to do thing
> Signed-off-by: Paul Moore
Acked-by: Eric Paris
> ---
> MAINTAINERS |5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/MAINTAINERS b/MAINTAINERS
> index c2066f4..86c24fd 100644
> --- a/MAINTAINERS
> +++ b/MAINTAINERS
> @@ -1689,1
On Tue, 2014-10-21 at 10:18 -0700, j...@joshtriplett.org wrote:
> On Tue, Oct 21, 2014 at 08:37:00AM -0700, H. Peter Anvin wrote:
> > On 10/20/2014 02:48 PM, Pieter Smith wrote:
> > > Many embedded systems will not need this syscall, and omitting it
> > > saves space. Add a new EXPERT config optio
On Mon, 2014-10-20 at 16:25 -0400, Steve Grubb wrote:
> On Thursday, October 02, 2014 11:06:51 PM Richard Guy Briggs wrote:
> > This is a part of Peter Moody, my and Eric Paris' work to implement
> > audit by executable name.
>
> Does this patch set define an AUDIT_VERS
syscall_trace_enter/exit()
Burn Alting (1):
audit: invalid op= values for rules
Eric Paris (11):
audit: drop unused struct audit_rule definition
SH: define syscall_get_arch() for superh
UM: implement syscall_get_arch()
Alpha: define syscall_get_arch()
Having a hard time convincing myself of the next 2... Doesn't mean
they're wrong or bad, but my brain isn't seeing it today...
On Thu, 2014-10-02 at 22:05 -0400, Richard Guy Briggs wrote:
> Remove extra layer of audit_{get,put}_watch() calls.
>
> Signed-off-by: Richard Guy Briggs
> ---
> kerne
On Thu, 2014-10-02 at 22:05 -0400, Richard Guy Briggs wrote:
> When parent has just been created there is no need to search for the parent in
> the list. Add a parameter to skip the search
Since the parent was just allocated, and thus has an empty list, this
"search" is just as fast as the check
On Thu, 2014-10-02 at 22:05 -0400, Richard Guy Briggs wrote:
> New tree rules copy the path twice and discard the intermediary copy.
>
> This saves one pointer at the expense of one path string copy.
>
> Signed-off-by: Richard Guy Briggs
> ---
> kernel/audit_tree.c |9 +
> kernel/a
On Thu, 2014-10-02 at 22:05 -0400, Richard Guy Briggs wrote:
> Re-factor audit_rule_change() to reduce the amount of code redundancy and
> simplify the logic.
>
> Signed-off-by: Richard Guy Briggs
> ---
> kernel/auditfilter.c | 20 +++-
> 1 files changed, 7 insertions(+), 13 de
On Tue, 2014-10-07 at 14:23 -0400, Richard Guy Briggs wrote:
> Log the event when a client attempts to connect to the netlink audit multicast
> socket, requiring CAP_AUDIT_READ capability, binding to the
> AUDIT_NLGRP_READLOG
> group. Log the disconnect too.
>
> Sample output:
> time->Tue Oct 7
31:0:
> ./arch/openrisc/include/asm/syscall.h: In function 'syscall_get_arch':
> ./arch/openrisc/include/asm/syscall.h:77:9: error: 'EM_OPENRISC' undeclared
>
> Fix by moving EM_OPENRISC to include/uapi/linux/elf-em.h.
>
> Fixes: ce5d112827e5 ("ARCH: AUDI
On Fri, 2014-09-26 at 06:32 -0700, Guenter Roeck wrote:
> On 09/26/2014 12:59 AM, Stefan Kristiansson wrote:
> > On Fri, Sep 26, 2014 at 08:30:57AM +0200, Geert Uytterhoeven wrote:
> >> Hi Günther,
> >>
> >> [cc openrisc]
> >>
> >> On Thu, Sep 25, 2014 at 10:25 PM, Guenter Roeck wrote:
> >>> New b
Do you have a backtrace?
On Wed, Aug 13, 2014 at 8:30 AM, Al Viro wrote:
> On Wed, Aug 13, 2014 at 05:04:13PM +0530, shivnanda...@samsung.com wrote:
>> From: Shivnandan Kumar
>>
>> List element was freed by inode_free_security and then it uses rcu
>> element to point inode_free_rcu, since it in
On Wed, 2014-07-23 at 13:46 -0700, Andy Lutomirski wrote:
> On 07/23/2014 12:36 PM, Eric Paris wrote:
> > This is effectively a revert of 7b9a7ec565505699f503b4fcf61500dceb36e744
> > plus fixing it a different way...
>
> You sent something like this a couple days ago. What c
s called as it might use
~0, ~0 to denote 'all capabilities' for backward/forward compatibility.
This lets 'capsh --caps="all=eip" -- -c /bin/bash' run.
4) mask out undefined bit when we read a file capability off of disk as
again likely all bits are set in
t you
don't put those invalid bits in CAP_FULL_SET you won't get them in init
and you won't get them in any other task either.
Signed-off-by: Eric Paris
Cc: Andrew Vagin
Cc: Andrew G. Morgan
Cc: Serge E. Hallyn
Cc: Kees Cook
Cc: Steve Grubb
Cc: Dan Walsh
Cc: sta...@kernel.org
On Fri, 2014-07-11 at 12:32 -0400, Paul Moore wrote:
> On Friday, July 11, 2014 12:23:33 PM Eric Paris wrote:
> > On Fri, 2014-07-11 at 12:21 -0400, Paul Moore wrote:
> > > On Friday, July 11, 2014 12:16:47 PM Eric Paris wrote:
> > > > On Fri, 2014-07-11 at
On Fri, 2014-07-11 at 12:21 -0400, Paul Moore wrote:
> On Friday, July 11, 2014 12:16:47 PM Eric Paris wrote:
> > On Fri, 2014-07-11 at 12:11 -0400, Paul Moore wrote:
> > > On Thursday, July 10, 2014 09:06:02 PM H. Peter Anvin wrote:
> > > > Incidentally: do seccom
On Fri, 2014-07-11 at 12:11 -0400, Paul Moore wrote:
> On Thursday, July 10, 2014 09:06:02 PM H. Peter Anvin wrote:
> > Incidentally: do seccomp users know that on an x86-64 system you can
> > receive system calls from any of the x86 architectures, regardless of
> > how the program is invoked? (Th
On Mon, 2014-06-09 at 16:36 -0700, Linus Torvalds wrote:
> On Mon, Jun 9, 2014 at 3:56 PM, Andy Lutomirski wrote:
> >
> > In this particular case, it's my patch, and I've never sent you a pull
> > request. I sort of assumed that secur...@kernel.org magically caused
> > acknowledged fixes to end u
This 'bug' feels very theoretical to me. There were about 3 kernel
releases back when inotify was rewritten onto fsnotify where it was
intentionally reusing wd's. So instead of a MAX_INT wrap all you have
to do was a single create/destroy/create to get reuse. Almost every
utility survived... Bu
...@vger.kernel.org
Signed-off-by: Andy Lutomirski
Signed-off-by: Eric Paris
---
kernel/auditsc.c | 27 ++-
1 file changed, 18 insertions(+), 9 deletions(-)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 254ce20..842f58a 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
stop selecting it.
Signed-off-by: Eric Paris
Cc: Andy Lutomirski
---
arch/x86/Kconfig | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 56f47ca..e11c4da 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -125,7 +125,7 @@ config X86
On Wed, 2014-05-28 at 19:40 -0700, Andy Lutomirski wrote:
> On Wed, May 28, 2014 at 7:09 PM, Eric Paris wrote:
> > NAK
> >
> > On Wed, 2014-05-28 at 18:44 -0700, Andy Lutomirski wrote:
> >> Here are some issues with the code:
> >> - It thinks that syscall
On Wed, 2014-05-28 at 19:27 -0700, Andy Lutomirski wrote:
> On Wed, May 28, 2014 at 7:23 PM, Eric Paris wrote:
> > On Wed, 2014-05-28 at 18:44 -0700, Andy Lutomirski wrote:
> >> Fixes an easy DoS and possible information disclosure.
> >>
> >> This does n
On Wed, 2014-05-28 at 18:44 -0700, Andy Lutomirski wrote:
> Fixes an easy DoS and possible information disclosure.
>
> This does nothing about the broken state of x32 auditing.
>
> Cc: sta...@vger.kernel.org
> Signed-off-by: Andy Lutomirski
> ---
> kernel/auditsc.c | 27 ++--
NAK
On Wed, 2014-05-28 at 18:44 -0700, Andy Lutomirski wrote:
> Here are some issues with the code:
> - It thinks that syscalls have four arguments.
Not true at all. It records the registers that would hold the first 4
entries on syscall entry, for use later if needed, as getting those
later on
On Tue, 2014-05-20 at 09:12 -0400, Richard Guy Briggs wrote:
> The purpose is to track namespaces in use by logged processes from the
> perspective of init_*_ns.
>
> 1/6 defines a function to generate them and assigns them.
>
> Use a serial number per namespace (unique across one boot of one kern
On Tue, 2014-05-13 at 11:30 -0400, Eric Paris wrote:
> On Tue, 2014-05-13 at 11:13 -0400, Richard Guy Briggs wrote:
> > On 14/05/13, Richard Guy Briggs wrote:
> > > On 14/05/10, Eric Paris wrote:
> > > > On Fri, 2014-05-09 at 20:27 -0400, Richard Guy Briggs wrote:
&
On Tue, 2014-05-13 at 11:13 -0400, Richard Guy Briggs wrote:
> On 14/05/13, Richard Guy Briggs wrote:
> > On 14/05/10, Eric Paris wrote:
> > > On Fri, 2014-05-09 at 20:27 -0400, Richard Guy Briggs wrote:
> > > > Generate and assign a serial number per
p to explicitly set syscall filters for this ABI.
> >
> > Link: http://sourceforge.net/p/libseccomp/mailman/message/32239040/
> > Cc: Andy Lutomirski
> > Cc: Eric Paris
> > Cc: Paul Moore
> > Cc: Ralf Baechle
> > Signed-off-by: Markos Chandras
> &g
On Fri, 2014-05-09 at 20:27 -0400, Richard Guy Briggs wrote:
Not so relevant because you delete all of this code later... But
still...
> +#ifdef CONFIG_NAMESPACES
> +void audit_log_namespace_info(struct audit_buffer *ab, struct task_struct
> *tsk)
> +{
> + struct nsproxy *nsproxy;
> +
> +
On Fri, 2014-05-09 at 20:27 -0400, Richard Guy Briggs wrote:
> Log the namespace serial numbers of a task in audit_log_task_info() which
> is used by syscall audits, among others..
>
> Idea first presented:
> https://www.redhat.com/archives/linux-audit/2013-March/msg00020.html
>
> Typical o
On Fri, 2014-05-09 at 20:27 -0400, Richard Guy Briggs wrote:
> Generate and assign a serial number per namespace instance since boot.
>
> Use a serial number per namespace (unique across one boot of one kernel)
> instead of the inode number (which is claimed to have had the right to change
> reser
If the CPU hits a softlockup this patch will also have it print the
information about all locks being held on the system. This might help
determine if a lock is being held too long leading to this problem.
Signed-off-by: Eric Paris
Cc: Frederic Weisbecker
Cc: Andrew Morton
Cc: Don Zickus
Cc
> >
> > > I wrote a small test program and found:
> > >
> > > The flag FMODE_NONOTIFY can be read by function fcntl from userspace.
> > > int flag = fcntl(fd, F_GETFL)
> > >
> > > In include/uapi/asm-generic/fcntl.h I found the following com
hecks on if
it can see individual records? so secadm_t running journalctl would see
them and sysadm running journalctl wouldn't see them?
Sounds elegant. Who is going to code it? *NOT IT!*
>
> On 04/24/2014 09:22 AM, Eric Paris wrote:
> > They would be equivalent if and only
wrote:
> Meaning looking at the journal would be equivalent to looking at
> /var/log/audit/audit.log.
>
>
> On 04/23/2014 11:37 AM, Eric Paris wrote:
>> On Wed, 2014-04-23 at 11:36 -0400, Daniel J Walsh wrote:
>>> I guess the problem would be that the sysadm_t would be a
Briggs
Cc: Thomas Gleixner
Cc: Ingo Molnar
Cc: "H. Peter Anvin"
Cc: x...@kernel.org
Cc: linux-kernel@vger.kernel.org
Cc: linux-au...@redhat.com
Signed-off-by: Eric Paris
---
As this patch relies on changes in the audit tree, I think it
appropriate to send it through my tree rather th
On Wed, 2014-04-23 at 11:36 -0400, Daniel J Walsh wrote:
> I guess the problem would be that the sysadm_t would be able to look at
> the journal which would now contain the audit content.
right. so include it in the sysadm_secadm bool
>
> On 04/23/2014 10:42 AM, Eric Paris wrote
On Wed, 2014-04-23 at 09:40 -0400, Daniel J Walsh wrote:
> Here are the capabilities we currently give to sysadm_t with
> sysadm_secadm1.0.0Disabled
>
>allow sysadm_t sysadm_t : capability { chown dac_override
> dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable
>
On Tue, 2014-04-22 at 22:25 -0400, Steve Grubb wrote:
> On Tuesday, April 22, 2014 09:31:52 PM Richard Guy Briggs wrote:
> > This is a patch set Eric Paris and I have been working on to add a
> > restricted capability read-only netlink multicast socket to kernel audit to
>
On Tue, 2014-04-22 at 16:22 +1000, Stephen Rothwell wrote:
> Hi Eric,
>
> After merging the audit tree, today's linux-next build (sparc defconfig)
> failed like this:
>
> In file included from include/linux/audit.h:29:0,
> from mm/mmap.c:33:
> arch/sparc/include/asm/syscall.h: In
On Wed, 2014-04-16 at 14:02 +1000, Stephen Rothwell wrote:
> You could have avoided this by doing a fast forward merge of v3.15-rc1
> instead of the v3.14 merge (since everything in your tree before that
> merge was also in Linus' tree by v3.15-rc1).
This is a situation I've never really known th
igned-off-by: Vincent Donnefort
Things seem much happier now! Thank you sir!
Tested-by: Eric Paris
>
> diff --git a/drivers/gpio/gpio-ich.c b/drivers/gpio/gpio-ich.c
> index e73c675..7030422 100644
> --- a/drivers/gpio/gpio-ich.c
> +++ b/drivers/gpio/gpio-ich.c
> @@ -
A tad more information. I did a build of-rc1 with the GPIO_ICH module built in
so I could use addr2line to help you run it down. No idea if this is actually
useful for you...
$ addr2line --inline --exe=vmlinux 813fc4e0
/storage/kernel/ichx-rebase/drivers/gpio/gpio-ich.c:388
/storage/ke
ent to the MIPS people. I hope
that you can apply it as part of the merge itself...
On Thu, 2014-04-10 at 19:53 -0400, Eric Paris wrote:
> Linus,
>
> Please pull the audit tree for v3.15. You will have merge conflicts.
> I'll publish my branch "merge-test" where I at
pend on CONFIG_AUDIT_COMPAT_GENERIC (2014-04-10
17:51:29 -0400)
AKASHI Takahiro (2):
audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL
audit: Add generic compat syscall support
Chris Metcalf (1):
AUDIT: make audit_is_compat depend on CONFIG_AUDIT_
On Fri, 2014-04-04 at 15:00 +0200, David Herrmann wrote:
> 1)
> IN_IGNORED is async and _immediate_ in case a file got deleted. So if
> you use watch-descriptors as keys for your objects, an _already_ used
> key might be returned by inotify_add_watch() if an IN_IGNORED is
> queued for the old watc
On Wed, 2014-04-02 at 14:12 -0400, Mimi Zohar wrote:
> On Wed, 2014-04-02 at 14:00 -0400, Steve Grubb wrote:
> > Hello Mimi,
> >
> > On Wednesday, April 02, 2014 01:39:47 PM Mimi Zohar wrote:
> > > This change is already being upstreamed as commit 73a6b44 "Integrity:
> > > Pass commname via get_t
system...
Reported-by: Andre Tomt
Reported-by: Adam Richter
Signed-off-by: Eric Paris
---
kernel/audit.c | 12 +++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 3392d3e..95a20f3 100644
--- a/kernel/audit.c
+++ b/kernel/audi
> > I reworked the patch to be applicable again (the signature of fanotify_mark
> > has changed since Tvrtko's work).
> >
> > Signed-off-by: Heinrich Schuchardt
> The patch looks good to me. You can add:
> Reviewed-by: Jan K
On Tue, 2014-03-25 at 21:36 +0100, Andre Tomt wrote:
> *testing hat on*
>
> PAM within namespaces (say, LXC) does not work anymore with 3.14-rc8,
> making login, ssh etc fail in containers unless you boot with audit=0.
>
> This is due to a change in return value to user space; and is
> appearantl
I don't know tilegx, but I have replaced 223b24d807610 with
4b58841149dcaa5. I believe adding AUDIT_ARCH_COMPAT_GENERIC was
akashi-san's fix for this problem on mips. Is this a better fix?
Thanks
-Eric
On Thu, 2014-03-20 at 11:31 -0400, Chris Metcalf wrote:
> For architectures that use the asm
On Mon, 2014-03-17 at 13:14 -0700, Tony Luck wrote:
> On Thu, Jan 23, 2014 at 11:32 AM, Richard Guy Briggs wrote:
> > Added the functions task_ppid_nr_ns() and task_ppid_nr() to abstract the
> > lookup
> > of the PPID (real_parent's pid_t) of a process, including rcu locking, in
> > the
> > arbi
Every caller of syscall_get_arch() uses current for the task and no
implementors of the function need args. So just get rid of both of
those things. Admittedly, since these are inline functions we aren't
wasting stack space, but it just makes the prototypes better.
Signed-off-by: Eric Pari
On Mon, 2014-03-10 at 15:30 -0400, David Miller wrote:
> From: Eric Paris
> Date: Fri, 07 Mar 2014 17:52:02 -0500
>
> > The second user Eric patched, audit_send_list(), can grow without bound.
> > The number of skb's is going to be the size of the number of audit rules
On Sun, 2014-03-09 at 20:06 -0700, Eric W. Biederman wrote:
> Linus,
>
> Please pull the for-linus branch from the git tree:
>
>git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace.git
> for-linus
>
>HEAD: d211f177b28ec070c25b3d0b960aa55f352f731f audit: Update kdoc for
On Fri, 2014-03-07 at 19:48 -0500, David Miller wrote:
> From: Eric Paris
> Date: Fri, 07 Mar 2014 17:52:02 -0500
>
> > Audit is non-tolerant to failure and loss.
>
> Netlink is not a loss-less transport.
I'm happy to accept that (and know it to be true). How can I be
As usual Eric, your commentary is anything but useful. However your
technical thoughts are not off the mark. Can we stick to those?
On Wed, 2014-03-05 at 10:06 -0800, Eric W. Biederman wrote:
> Steve Grubb writes:
>
> > On Tuesday, March 04, 2014 07:21:52 PM David Miller wrote:
> >> From: ebie
On Thu, 2014-02-27 at 12:40 -0800, Andy Lutomirski wrote:
> Currently, dealing with Linux syscalls in an architecture-independent
> way is a mess. Here are some issues:
>
> 1. There's no clean way to map between syscall names and numbers on
> different architectures. The kernel contains a numbe