rt part of ca57ec0f00c3f139c41bf6b0a5b9bcc95bbb2ad7 (2012-09-11) to fix
this.
Signed-off-by: Richard Guy Briggs
---
kernel/auditfilter.c | 12
1 files changed, 0 insertions(+), 12 deletions(-)
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index f9fc54b..457ee39 100644
--
iable was re-used to catch the return code of the registration of
the genetlink thermal socket family.
Signed-off-by: Richard Guy Briggs
---
drivers/thermal/thermal_sys.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/thermal/thermal_sys.c b/drivers/thermal/thermal_sys.c
index 8c
From: Richard Guy Briggs
Hi,
This is a patch set Eric Paris and I have been working on to add a restricted
capability read-only netlink multicast socket to kaudit to enable
userspace clients such as systemd to consume audit logs, in addition to the
bidirectional auditd userspace client
From: Richard Guy Briggs
Currently netlink socket permissions are controlled by the
NL_CFG_F_NONROOT_{RECV,SEND} flags in the kernel socket configuration or by the
CAP_NET_ADMIN capability of the client. The former allows non-root users
access to the socket. The latter allows all network admin
From: Richard Guy Briggs
The hold queue flush code is an autonomous chunk of code that can be
refactored, removed from kauditd_thread() into flush_hold_queue() and
flattened for better legibility.
Signed-off-by: Richard Guy Briggs
---
This is a code clean up in preparation to add a multicast
From: Richard Guy Briggs
Test first to see if there are any userspace multicast listeners bound to the
socket before starting the multicast send work.
Signed-off-by: Richard Guy Briggs
---
kernel/audit.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/kernel/audit.c b/kernel/audit.c
From: Richard Guy Briggs
Add a netlink multicast socket with one group to kaudit for "best-effort"
delivery to read-only userspace clients such as systemd, in addition to the
existing bidirectional unicast auditd userspace client.
Currently, auditd is intended to use the CAP_AUDIT_C
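The read-only consumer this series is meant to enable, as an added example in C that is not code from the patch set, from auditd or from systemd: it binds a NETLINK_AUDIT socket to the multicast group, walks the netlink-framed records it receives, and counts gaps in the audit serial, which is what "best-effort" delivery costs a consumer in practice. The group name AUDIT_NLGRP_READLOG and the CAP_AUDIT_READ bind requirement are assumed from the form the feature later took in the uapi headers, not from this posting (the fallback value below is that assumption), and the records in demo_constructed_stream() are constructed, not captured from a kernel.

```c
/* Added example, not code from this patch set: a read-only userspace consumer
 * of the kaudit netlink multicast group, with a record parser and a serial gap
 * counter (multicast delivery is best effort). Assumed: AUDIT_NLGRP_READLOG and
 * CAP_AUDIT_READ are the later uapi names; demo records below are made up. */
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/audit.h>

#ifndef AUDIT_NLGRP_READLOG
#define AUDIT_NLGRP_READLOG 1 /* assumption: value in later <linux/audit.h> */
#endif

struct audit_event {
	unsigned int type;          /* nlmsg_type, e.g. AUDIT_SYSCALL */
	unsigned long long serial;  /* N in "audit(secs.ms:N):", 0 if absent */
	char text[256];             /* NUL-terminated copy of the payload */
};
struct gap_tracker { int seen; unsigned long long last, missing; };

/* Walk every message in buf; NLMSG_OK rejects a short header or bogus length. */
int parse_audit_buffer(void *buf, int len, struct audit_event *out, int max)
{
	struct nlmsghdr *nlh = buf;
	int n = 0;
	for (; NLMSG_OK(nlh, len) && n < max; nlh = NLMSG_NEXT(nlh, len), n++) {
		size_t plen = nlh->nlmsg_len - NLMSG_HDRLEN;
		const char *c;
		if (plen >= sizeof(out[n].text))
			plen = sizeof(out[n].text) - 1;
		out[n].type = nlh->nlmsg_type;
		memcpy(out[n].text, NLMSG_DATA(nlh), plen);
		out[n].text[plen] = '\0';
		/* serial N of "audit(secs.ms:N):"; 0 for NLMSG_ERROR and the like */
		c = strncmp(out[n].text, "audit(", 6) ? NULL : strchr(out[n].text, ':');
		out[n].serial = c ? strtoull(c + 1, NULL, 10) : 0;
	}
	return n;
}

/* Records of one event (SYSCALL, CWD, PATH...) share a serial; a jump > 1 means loss. */
void track_serial(struct gap_tracker *t, unsigned long long serial)
{
	if (t->seen && serial > t->last + 1)
		t->missing += serial - t->last - 1;
	if (!t->seen || serial > t->last)
		t->last = serial;
	t->seen = 1;
}

/* Append one netlink message to dst; returns bytes written, 0 if no room. */
size_t build_audit_msg(unsigned char *dst, size_t cap, unsigned int type, const char *payload)
{
	size_t plen = strlen(payload), total = NLMSG_SPACE(plen);
	struct nlmsghdr *nlh = (struct nlmsghdr *)dst;
	if (total > cap)
		return 0;
	memset(dst, 0, total);
	nlh->nlmsg_len = NLMSG_LENGTH(plen);
	nlh->nlmsg_type = type;
	memcpy(NLMSG_DATA(nlh), payload, plen);
	return total;
}

/* Constructed stream of three records where serial 101 never arrived. */
unsigned long long demo_constructed_stream(void)
{
	static const char *rec[] = { "audit(1378.001:100): arch=c000003e syscall=59",
		"audit(1378.001:100): cwd=\"/\"", "audit(1378.004:102): syscall=1" };
	unsigned char buf[512];
	struct audit_event ev[8];
	struct gap_tracker g = {0, 0, 0};
	size_t off = 0;
	int i, n;
	for (i = 0; i < 3; i++)
		off += build_audit_msg(buf + off, sizeof(buf) - off,
				       i == 1 ? AUDIT_CWD : AUDIT_SYSCALL, rec[i]);
	n = parse_audit_buffer(buf, (int)off, ev, 8);
	for (i = 0; i < n; i++)
		track_serial(&g, ev[i].serial);
	return g.missing;
}

/* Join the read-only group (bit g-1 of nl_groups). The socket never sends, so
 * it needs no CAP_AUDIT_CONTROL; bind() needs CAP_AUDIT_READ. A later recv()
 * failing with ENOBUFS means the socket overran and records were dropped. */
int open_audit_multicast(void)
{
	struct sockaddr_nl addr = { .nl_family = AF_NETLINK,
				    .nl_groups = 1u << (AUDIT_NLGRP_READLOG - 1) };
	int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
	if (fd < 0 || bind(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
		if (fd >= 0)
			close(fd);
		return -1;
	}
	return fd;
}
```

A real consumer loops on recv() over the descriptor from open_audit_multicast(), feeds each datagram to parse_audit_buffer() and every record's serial to track_serial(); the gap count is the only signal a multicast listener gets that the kernel dropped something, since unlike the unicast auditd path there is no backlog wait or retry on this socket.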
From: Richard Guy Briggs
The kauditd_thread() task was started only after the auditd userspace daemon
registers itself with kaudit. This was fine when only auditd consumed messages
from the kaudit netlink unicast socket. With the addition of a multicast group
to that socket it is more
From: Richard Guy Briggs
The wait queue control code in kauditd_thread() was nested deeper than
necessary. The function has been flattened for better legibility.
Signed-off-by: Richard Guy Briggs
---
This is a code clean up in preparation to add a multicast netlink socket to
kaudit for read
On Thu, Aug 22, 2013 at 09:08:48PM +0200, Oleg Nesterov wrote:
> On 08/20, Richard Guy Briggs wrote:
> >
> > static inline int is_global_init(struct task_struct *tsk)
> > {
> > - return tsk->pid == 1;
> > + return task_pid_nr(tsk) == 1;
> > }
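Review bot: the only change in this hunk is tsk->pid becoming task_pid_nr(tsk), and nothing in the hunk shows why that is safe or needed for the global init test; since the series elsewhere says task_pid_nr() itself is being changed to stop reading task->pid, the commit message for this hunk should state plainly that the comparison against 1 remains a global (init_pid_ns) pid check and that there is no functional change, which is the question raised in the thread.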
>
On Fri, Aug 23, 2013 at 08:36:21AM +0200, Peter Zijlstra wrote:
> On Thu, Aug 22, 2013 at 05:43:47PM -0400, Richard Guy Briggs wrote:
> > On Thu, Aug 22, 2013 at 10:05:55PM +0200, Peter Zijlstra wrote:
> > > On Tue, Aug 20, 2013 at 05:32:03PM -0400, Richard Guy Briggs wrote:
On Fri, Aug 23, 2013 at 09:28:07PM +0200, Oleg Nesterov wrote:
> On 08/22, Richard Guy Briggs wrote:
> >
> > On Thu, Aug 22, 2013 at 10:05:55PM +0200, Peter Zijlstra wrote:
> > >
> > > Why would you ever want to do this? It just makes these tests more
> >
> Subject: audit: kaudit_send_skb(): make non-blocking call to netlink_unicast()
>
> and now a protopatch from Konstantin which eparis likes.
>
> So, umm, guys, can you please devote a bit of time to working out what
> we should do here?
It is coming... I'm hearing repo
y: Justin Stephenson
Signed-off-by: Richard Guy Briggs
---
kernel/audit.c |2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 91e53d0..939cff1 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -715,7 +715,7 @@ static int audit_receive_msg
r returns back to work.
> This is minimal patch for that bug.
Thanks Konstantin,
This patch is in my patchset...
> Signed-off-by: Konstantin Khlebnikov
> Cc: Andrew Morton
> Cc: Luiz Capitulino
> Cc: Richard Guy Briggs
> Cc: Eric Paris
> Cc: Chuck Anderson
> C
A newline was accidentally added during session ID helper refactorization in
commit 4d3fb709. This needlessly uses up buffer space, messes up syslog
formatting and makes userspace processing less efficient. Remove it.
Signed-off-by: Richard Guy Briggs
---
kernel/audit.c |2 +-
1 files
-by: Luiz Capitulino
Signed-off-by: Dan Duval
Signed-off-by: Chuck Anderson
Signed-off-by: Richard Guy Briggs
---
kernel/audit.c |5 -
1 files changed, 4 insertions(+), 1 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 7b0e23a..772725e 100644
--- a/kernel/audit.c
+++ b
Re-named confusing local variable names (status_set and status_get didn't agree
with their command type name) and reduced their scope.
Future-proof API changes by not depending on the exact size of the audit_status
struct.
Signed-off-by: Richard Guy Briggs
---
kernel/audit.c |
If wait_for_auditd() times out, go immediately to the error function rather
than retesting the loop conditions.
Signed-off-by: Richard Guy Briggs
---
kernel/audit.c | 12
1 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 772725e
readahead-collector abuses the audit logging facility to discover which files
are accessed at boot time to make a pre-load list
Add a tuning option to audit_backlog_wait_time so that if auditd can't keep up,
or gets blocked, the callers won't be blocked.
Signed-off-by: Richard
8th are to add a config option to make the backlog wait time
configurable from the hard-coded default.
Richard Guy Briggs (8):
audit: avoid soft lockup due to audit_log_start() incorrect loop
termination
audit: reset audit backlog wait time after error recovery
audit: make use of
top
See:
https://lkml.org/lkml/2013/8/28/626
https://lkml.org/lkml/2013/9/2/471
https://lkml.org/lkml/2013/9/3/4
Signed-off-by: Luiz Capitulino
Signed-off-by: Konstantin Khlebnikov
Signed-off-by: Dan Duval
Signed-off-by: Chuck Anderson
Signed-off-by: Richard Guy Briggs
---
Duval
Signed-off-by: Chuck Anderson
Signed-off-by: Richard Guy Briggs
---
kernel/audit.c |4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 42c68db..25fab2d 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -448,8 +448,10 @@ static in
See: https://lkml.org/lkml/2013/9/2/479
Signed-off-by: Dan Duval
Signed-off-by: Chuck Anderson
Signed-off-by: Richard Guy Briggs
---
kernel/audit.c |2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 25fab2d..990d02f 100644
--- a/kernel/
ompiled default is too small to
see the lost messages without compiling a new kernel.
This patch adds a boot option (audit already has one to enable/disable it)
"audit_backlog_limit=" that overrides the default to allow the system
administrator to set the backlog limit.
Signed-off-by: R
On Wed, Sep 18, 2013 at 04:33:25PM -0400, Eric Paris wrote:
> On Wed, 2013-09-18 at 15:06 -0400, Richard Guy Briggs wrote:
> > readahead-collector abuses the audit logging facility to discover which files
> > are accessed at boot time to make a pre-load list
> >
>
void bisect breakage.
> If you are going to go crazy and pass things is there a reason you do
> not add a patch to pass the bsd SCM_CREDS? That information seems more
> relevant in a security context and for making security decisions than
> about half the information you are pa
On Wed, Sep 04, 2013 at 10:58:30AM -0400, Richard Guy Briggs wrote:
> On Wed, Sep 04, 2013 at 12:42:26AM -0700, Eric W. Biederman wrote:
> > Jan Kaluza writes:
> > > this patchset against net-next (applies also to linux-next) adds 3 new
> > > types
> > &g
show
addressees.) Most of the kernel audit folks are on
linux-au...@redhat.com list.
> Oleg.
- RGB
--
Richard Guy Briggs
Senior Software Engineer
Kernel Security
AMER ENG Base Operating Systems
Remote, Ottawa, Canada
Voice: +1.647.777.2635
Internal: (81) 32635
Alt: +1.613.693.0684x3545
-
On Tue, Aug 27, 2013 at 07:21:55PM +0200, Oleg Nesterov wrote:
> On 08/20, Richard Guy Briggs wrote:
> >
> > Added the functions
> > task_ppid()
> > task_ppid_nr_ns()
> > task_ppid_nr_init_ns()
> > to safely abstract the loo
On Fri, Aug 30, 2013 at 01:37:09PM -0700, John Johansen wrote:
> On 08/30/2013 12:56 PM, Richard Guy Briggs wrote:
> > On Tue, Aug 27, 2013 at 07:21:55PM +0200, Oleg Nesterov wrote:
> >> On 08/20, Richard Guy Briggs wrote:
> > Most of the instances are current, but the one
On Tue, Sep 24, 2013 at 06:44:42PM +0200, Oleg Nesterov wrote:
> On 09/23, Richard Guy Briggs wrote:
> >
> > On Mon, Sep 16, 2013 at 04:20:35PM +0200, Oleg Nesterov wrote:
> > > Unless task == current ptrace_parent(task) is not safe even under
> > > rcu_read_loc
On Fri, Sep 20, 2013 at 10:47:50AM -0400, Eric Paris wrote:
> On Thu, 2013-09-19 at 17:18 -0400, Steve Grubb wrote:
> > On Wednesday, September 18, 2013 03:06:52 PM Richard Guy Briggs wrote:
> > > Re-named confusing local variable names (status_set and status_get didn't
you send a patch to fix the selinux hook?)
> Signed-off-by: Oleg Nesterov
Acked-by: Richard Guy Briggs
> ---
> security/apparmor/domain.c | 14 ++
> 1 files changed, 6 insertions(+), 8 deletions(-)
>
> diff --git a/security/apparmor/domain.c b/security/apparmo
audit_filter_task(tsk, &key);
> > - if (state == AUDIT_DISABLED)
> > + if (state == AUDIT_DISABLED) {
> > + clear_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT);
> > return 0;
> > + }
> >
> > if (!(context = audit_alloc_conte
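Review bot: the hunk clears TIF_SYSCALL_AUDIT only on the AUDIT_DISABLED path and ends before the audit_alloc_context() failure and success paths, so it is not visible whether the flag is set in the complementary case or what happens when allocation fails; the commit message should say where the flag is otherwise set, because a clear here only makes sense if tsk may already carry the flag when audit_alloc() runs.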
On Tue, Apr 09, 2013 at 02:39:32AM -0700, Eric W. Biederman wrote:
> Andrew Morton writes:
> > On Wed, 20 Mar 2013 15:18:17 -0400 Richard Guy Briggs
> > wrote:
> >> audit rule additions containing "-F auid!=4294967295" were failing with
> >> EINVA
represents the parent. With this, the audit_names entries are back to
> looking like they did before.
This patch fixes the problem for me.
Tested-by: Richard Guy Briggs
> Cc: # v3.7+
> Cc: Richard Guy Briggs
> Reported-by: Jiri Jaburek
> Signed-off-by: Jeff Layton
> ---
When being refactored from audit_log_start() to audit_log_task_info(), in
commit e23eb920 the tty and ses fields in the log output got transposed.
Restore to original order to avoid breaking search tools.
Cc: sta...@vger.kernel.org # v3.6
Cc: Eric Paris
Signed-off-by: Richard Guy Briggs
Convert audit from only listening in init_net to use register_pernet_subsys()
to dynamically manage the netlink socket list.
Signed-off-by: Richard Guy Briggs
---
kernel/audit.c | 64 ++-
kernel/audit.h |4 +++
2 files changed, 57
event that specific case, returning an error of EACCES.
The case for preventing a newer auditd from registering itself if there is an
existing auditd is a more difficult case that is beyond the scope of this
patch.
Signed-off-by: Richard Guy Briggs
---
kernel/audit.c |2 ++
1 files
rry picked from commit bcc85f0af31af123e32858069eb2ad8f39f90e67)
Signed-off-by: Richard Guy Briggs
---
include/linux/audit.h |6 +++---
kernel/auditsc.c |6 ++
kernel/capability.c |2 +-
3 files changed, 6 insertions(+), 8 deletions(-)
diff --git a/include/linux/audit.h
ve to the child process' pid
namespace.
(informed by ebiederman's 6c621b7e)
Cc: sta...@vger.kernel.org
Cc: Eric W. Biederman
Signed-off-by: Richard Guy Briggs
---
include/linux/sched.h | 23 +++
1 files changed, 23 insertions(+), 0 deletions(-)
diff --git a/includ
task->pid is an error prone construct and results in duplicate maintenance.
Start its demise by modifying task_pid_nr to not use it.
(informed by ebiederman's 3a2e8c59)
Cc: "Eric W. Biederman"
Signed-off-by: Richard Guy Briggs
---
include/linux/sched.h |2 +-
1 file
This stops these four task helper functions from using the deprecated and
error-prone task->pid and task->tgid.
(informed by ebiederman's ea5a4d01)
Cc: "Eric W. Biederman"
Signed-off-by: Richard Guy Briggs
---
include/linux/sched.h |8
1 files changed, 4 inser
It doesn't make any sense to callers to pass in a non-const struct
task so update the function signatures to only require a const struct
task.
(informed by ebiederman's c76b2526)
Cc: "Eric W. Biederman"
Signed-off-by: Richard Guy Briggs
---
include/
task->tgid is an error prone construct and results in duplicate maintenance.
Start its demise by modifying task_tgid_nr to not use it.
Cc: "Eric W. Biederman"
Signed-off-by: Richard Guy Briggs
---
include/linux/sched.h |2 +-
1 files changed, 1 insertions(+), 1 deletion
er PID namespace.
Cc: "Eric W. Biederman"
(informed by ebiederman's c776b5d2)
Signed-off-by: Richard Guy Briggs
---
drivers/tty/tty_audit.c |3 ++-
kernel/audit.c | 15 ++-
kernel/auditfilter.c | 17 ++
initial pid namespace for reports
(informed by ebiederman's 5bf431da)
Cc: "Eric W. Biederman"
Signed-off-by: Richard Guy Briggs
---
kernel/audit.c | 25 +++--
kernel/audit.h |4 ++--
kernel/auditsc.c |6 +++---
3 files changed, 24 insertions(+
. Ports
use the __u32 type, so re-type all portids accordingly.
(This patch is very similar to ebiederman's 5deadd69)
Signed-off-by: Richard Guy Briggs
---
include/linux/audit.h |2 +-
kernel/audit.c| 32
kernel/audit.h|
and provide a clear
abstraction of the frequently used init_pid_ns in task_pid_nr_ns() and
task_tgid_nr_ns().
Also added pid_nr_init_ns() to explicitly use init_pid_ns.
(informed by ebiederman's 3a2e8c59)
Cc: Eric W. Biederman
Signed-off-by: Richard Guy Briggs
---
include/lin
task_ppid_nr_init_ns() for PPIDs to anchor all audit filters in the
init_pid_ns.
(informed by ebiederman's 6c621b7e)
Cc: sta...@vger.kernel.org
Cc: Eric W. Biederman
Signed-off-by: Richard Guy Briggs
---
kernel/audit.c|4 ++--
kernel/auditsc.c |2 +-
security/apparmor/au
From: Eric W. Biederman
Signed-off-by: "Eric W. Biederman"
(cherry picked from commit 6904431d6b41190e42d6b94430b67cb4e7e6a4b7)
Signed-off-by: Richard Guy Briggs
---
kernel/auditsc.c |6 --
1 files changed, 0 insertions(+), 6 deletions(-)
diff --git a/kernel/auditsc.
I don't see the point, but I'll let him explain
it.
Discuss.
Eric W. Biederman (5):
audit: Kill the unused struct audit_aux_data_capset
audit: Simplify and correct audit_log_capset
Richard Guy Briggs (7):
audit: fix netlink portid naming and types
pid: get ppid pid_t of task
On Thu, Aug 22, 2013 at 10:05:55PM +0200, Peter Zijlstra wrote:
> On Tue, Aug 20, 2013 at 05:32:03PM -0400, Richard Guy Briggs wrote:
> > This stops these four task helper functions from using the deprecated and
> > error-prone task->pid and task->tgid.
> >
> > (
On Tue, Apr 09, 2013 at 02:39:32AM -0700, Eric W. Biederman wrote:
> Andrew Morton writes:
> > On Wed, 20 Mar 2013 15:18:17 -0400 Richard Guy Briggs
> > wrote:
> >> audit rule additions containing "-F auid!=4294967295" were failing with
> >> EINVAL.
On Tue, Apr 09, 2013 at 02:16:22PM -0700, Eric W. Biederman wrote:
> Steve Grubb writes:
>
> > On Tuesday, April 09, 2013 02:39:32 AM Eric W. Biederman wrote:
> >> Andrew Morton writes:
> >> > On Wed, 20 Mar 2013 15:18:17 -0400 Richard Guy Briggs
> &
On Wed, Apr 10, 2013 at 12:20:18PM -0400, Richard Guy Briggs wrote:
> On Tue, Apr 09, 2013 at 02:16:22PM -0700, Eric W. Biederman wrote:
> > Steve Grubb writes:
> > > On Tuesday, April 09, 2013 02:39:32 AM Eric W. Biederman wrote:
> > >> Andrew Morton writes:
>
On Wed, Apr 10, 2013 at 11:02:43AM -0700, Eric W. Biederman wrote:
> Richard Guy Briggs writes:
> > On Tue, Apr 09, 2013 at 02:39:32AM -0700, Eric W. Biederman wrote:
> >> @@ -377,6 +383,12 @@ static struct audit_entry *audit_rule_to_entry(struct
> >> audit_rule *rule)
On Thu, May 09, 2013 at 09:29:18AM -0400, Steve Grubb wrote:
> On Tuesday, April 16, 2013 03:38:23 PM Richard Guy Briggs wrote:
> > On Tue, Apr 09, 2013 at 02:39:32AM -0700, Eric W. Biederman wrote:
> > > Andrew Morton writes:
> > > > On Wed, 20 Mar 2013 15:
On Thu, May 09, 2013 at 09:52:47AM -0400, Richard Guy Briggs wrote:
> On Thu, May 09, 2013 at 09:29:18AM -0400, Steve Grubb wrote:
> > On Tuesday, April 16, 2013 03:38:23 PM Richard Guy Briggs wrote:
> > > On Tue, Apr 09, 2013 at 02:39:32AM -0700, Eric W. Biederman wrote:
>
ng.
Cc: sta...@vger.kernel.org # v3.9
Cc: Eric Paris
Cc: Stephen Rothwell
Cc: "Eric W. Biederman"
Signed-off-by: Richard Guy Briggs
---
include/uapi/linux/audit.h |2 ++
kernel/auditfilter.c |2 +-
2 files changed, 3 insertions(+), 1 deletions(-)
diff --git a/include/uap
imes.
> The log strings can handle this transition as strings can
> hold up to 1024 characters.
>
> Signed-off-by: Deepa Dinamani
> Cc: Paul Moore
> Cc: Eric Paris
> Cc: linux-au...@redhat.com
> Acked-by: Paul Moore
Acked-by: Richard Guy Briggs
> ---
> incl
On 2016-06-16 16:54, Paul Moore wrote:
> On Tue, Jun 14, 2016 at 5:04 PM, Richard Guy Briggs wrote:
> > RFE: add additional fields for use in audit filter exclude rules
> > https://github.com/linux-audit/audit-kernel/issues/5
> >
> > Re-factor and combi
check to quit early if the list is empty.
Signed-off-by: Richard Guy Briggs
---
v3: pull audit_filter_user_rules() into audit_filter() and simplify
logic.
v2: combine audit_filter_user() and audit_filter_type() into
audit_filter().
---
include/linux/audit.h |2 -
kernel/audit.c|4
Reported-by: Paul Wouters
Signed-off-by: Richard Guy Briggs
---
include/uapi/linux/xfrm.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/uapi/linux/xfrm.h b/include/uapi/linux/xfrm.h
index 1433389..1fc62b2 100644
--- a/include/uapi/linux/xfrm.h
+++ b/include/uapi
On 16/09/08, Richard Guy Briggs wrote:
> Reported-by: Paul Wouters
Oops, this above should read "nohats.ca".
> Signed-off-by: Richard Guy Briggs
> ---
> include/uapi/linux/xfrm.h | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/include/u
On 2017-08-16 18:21, Paul Moore wrote:
> On Mon, Aug 14, 2017 at 1:47 AM, Richard Guy Briggs wrote:
> > Hi David,
> >
> > I wanted to respond to this thread to attempt some constructive feedback,
> > better late than never. I had a look at your fsopen/fsmount() patc
On 2017-10-12 16:33, Casey Schaufler wrote:
> On 10/12/2017 7:14 AM, Richard Guy Briggs wrote:
> > Containers are a userspace concept. The kernel knows nothing of them.
> >
> > The Linux audit system needs a way to be able to track the container
> > provenance of event
On 2017-10-17 01:10, Casey Schaufler wrote:
> On 10/16/2017 5:33 PM, Richard Guy Briggs wrote:
> > On 2017-10-12 16:33, Casey Schaufler wrote:
> >> On 10/12/2017 7:14 AM, Richard Guy Briggs wrote:
> >>> Containers are a userspace concept. The kernel knows nothing
On 2017-10-11 20:57, Richard Guy Briggs wrote:
> The audit subsystem is adding a BPRM_FCAPS record when auditing setuid
> application execution (SYSCALL execve). This is not expected as it was
> supposed to be limited to when the file system actually had capabilities
> in an extend
On 2017-10-12 15:45, Steve Grubb wrote:
> On Thursday, October 12, 2017 10:14:00 AM EDT Richard Guy Briggs wrote:
> > Containers are a userspace concept. The kernel knows nothing of them.
> >
> > The Linux audit system needs a way to be able to track the container
> &g
On 2017-10-19 19:58, Paul Moore wrote:
> On Wed, Aug 23, 2017 at 7:03 AM, Richard Guy Briggs wrote:
> > Tracefs or debugfs were causing hundreds to thousands of PATH records to
> > be associated with the init_module and finit_module SYSCALL records on a
> > few modules when t
On 15/09/04, Paul Moore wrote:
> On Friday, September 04, 2015 05:14:54 AM Richard Guy Briggs wrote:
> > There are several reports of the kernel losing contact with auditd ...
>
> Even if this doesn't completely solve the problem, I like the extra reporting
> and robustnes
moved audit_strerror() text.
Reported-by: Vipin Rathor
Reported-by:
Signed-off-by: Richard Guy Briggs
---
kernel/audit.c | 24 +++-
1 files changed, 19 insertions(+), 5 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 1c13e42..18cdfe2 100644
--- a/kernel/au
sting audit_pid other than attempting to send a message to see if
it fails. If no message to auditd has been attempted since auditd died
unnaturally or got killed, audit_pid will still indicate it is alive.
Signed-off-by: Richard Guy Briggs
---
Note: Would it be too bold to actually block the registr
On 15/09/07, Richard Guy Briggs wrote:
> Nothing prevents a new auditd starting up and replacing a valid
> audit_pid when an old auditd is still running, effectively starving out
> the old auditd since audit_pid no longer points to the old valid auditd.
>
> There isn't an easy
Eric, thanks for taking the time to review this...
> On Mon, 2015-09-07 at 12:48 -0400, Richard Guy Briggs wrote:
> > Nothing prevents a new auditd starting up and replacing a valid
> > audit_pid when an old auditd is still running, effectively starving out
> > the old audit
On 15/10/21, Joe Perches wrote:
> On Mon, 2015-10-19 at 12:10 -0400, Richard Guy Briggs wrote:
> > On 15/10/18, Scott Matheina wrote:
> > > On 10/14/2015 04:54 PM, Paul Moore wrote:
> > > > On Saturday, October 10, 2015 08:57:55 PM Scott Matheina wrote:
>
On 15/10/21, Scott Matheina wrote:
> On 10/21/2015 10:33 AM, Richard Guy Briggs wrote:
> > On 15/10/21, Joe Perches wrote:
> >> On Mon, 2015-10-19 at 12:10 -0400, Richard Guy Briggs wrote:
> >>> On 15/10/18, Scott Matheina wrote:
> >>>> On 10/14/2015 04
On 15/10/21, Scott Matheina wrote:
> On 10/21/2015 09:15 PM, Richard Guy Briggs wrote:
> > On 15/10/21, Scott Matheina wrote:
> >> On 10/21/2015 10:33 AM, Richard Guy Briggs wrote:
> >>> On 15/10/21, Joe Perches wrote:
> >>>> On Mon, 2015-10-19 at 12:1
Should auditd spawn threads, allow all members of its thread group to
use the audit_backlog_limit reserves to bypass the queue limits too.
Signed-off-by: Richard Guy Briggs
---
kernel/audit.c |2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/kernel/audit.c b/kernel
When auditd is restarted, even though the kauditd_thread is present, it
remains dormant until the next audit log message is queued.
Wake up the kauditd_thread in the kauditd_wait queue immediately when
auditd registers its availability to drain the queue.
Signed-off-by: Richard Guy Briggs
timeout of 60 seconds (audit_backlog_wait_time).
Wake up the processes caught in the audit_backlog_wait queue when auditd
is no longer present so they can be sent instead to the hold queue.
Signed-off-by: Richard Guy Briggs
---
kernel/audit.c |6 +-
1 files changed, 5 insertions(+), 1
used to check audit_cmd_mutex but another
process could have this locked on another cpu. Use rcu_read_lock() and
ACCESS_ONCE() to check audit_cmd_mutex.
Signed-off-by: Richard Guy Briggs
---
kernel/audit.c |7 +--
1 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/kernel/audi
After auditd has recovered from an overflowed queue, the first process
that doesn't use reserves to make it through the queue checks should
reset the audit backlog wait time to the configured value. After that,
there is no need to keep resetting it.
Signed-off-by: Richard Guy Briggs
---
k
If the audit_backlog_limit is changed from a limited value to an
unlimited value (zero) while the queue was overflowed, wake up the
audit_backlog_wait queue to allow those processes to continue.
Signed-off-by: Richard Guy Briggs
---
kernel/audit.c |3 ++-
1 files changed, 2 insertions(+), 1
This set of patches cleans up a number of corner cases in the management
of the audit queue.
Richard Guy Briggs (7):
audit: don't needlessly reset valid wait time
audit: include auditd's threads in audit_log_start() wait exception
audit: allow systemd to use queue reserves
audi
Treat systemd the same way as auditd, allowing it to overrun the queue to avoid
blocking.
Signed-off-by: Richard Guy Briggs
---
kernel/audit.c |2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 3917aad..384a1a1 100644
--- a/kernel
these cases (or any other unexpected ones for now), report the error and
re-schedule the thread, retrying up to 5 times.
Reported-by: Vipin Rathor
Reported-by:
Signed-off-by: Richard Guy Briggs
---
kernel/audit.c | 43 +++
1 files changed, 39 inser
g for warnings to fix.
Again, another manifestation of that bug? That blank line should be
after the declaration and before the if statement.
> As you might have guessed, this is one of my first patches. I wasn't
> sure if a patch like this would even get reviewed, and resp
application. IOW, for people with audit compiled
> in and subscribed by journald but switched off, I think that the
> records shouldn't be emitted.
>
> If you agree, I can send the two-line patch.
This sounds reasonable to me. It isn't an AVC. Steve? Paul?
> --Andy
(kmalloc + strcpy), and signal a lost record via audit_log_lost.
>
> Signed-off-by: Yi Wang
> Reviewed-by: Jiang Biao
Reviewed-by: Richard Guy Briggs
> ---
> v2: use kstrdup instead of kmalloc + strcpy, and signal a lost
> record. Thanks to Eric and Paul.
>
> kernel/aud
t;
- restrict registration to single process or force all threads and
children into same container
- RGB
but right now I
> am having to deal with half thought out patches for information leaks
> from speculative code paths, so I won't be able to give this much
> attention for a little bit.
>
> Eric
- RGB
On 2018-01-09 11:18, Simo Sorce wrote:
> On Tue, 2018-01-09 at 07:16 -0500, Richard Guy Briggs wrote:
> > Containers are a userspace concept. The kernel knows nothing of them.
> >
> > The Linux audit system needs a way to be able to track the container
> > prove
Audit link denied events for symlinks had duplicate PATH records rather
than just updating the existing PATH record. Update the symlink's PATH
record with the current dentry and inode information.
See: https://github.com/linux-audit/audit-kernel/issues/21
Signed-off-by: Richard Guy B
Audit link denied events for symlinks were missing the parent PATH
record. Add it. Since the full pathname may not be available,
reconstruct it from the path in the nameidata supplied.
See: https://github.com/linux-audit/audit-kernel/issues/21
Signed-off-by: Richard Guy Briggs
---
fs/namei.c
audit-kernel/issues/21
Signed-off-by: Richard Guy Briggs
---
fs/namei.c| 2 +-
include/linux/audit.h | 6 ++
kernel/audit.c| 17 ++---
3 files changed, 5 insertions(+), 20 deletions(-)
diff --git a/fs/namei.c b/fs/namei.c
index 9cc91fb..50d2533 100644
---
Audit link denied events emit disjointed records when audit is disabled.
No records should be emitted when audit is disabled.
See: https://github.com/linux-audit/audit-kernel/issues/21
Signed-off-by: Richard Guy Briggs
---
kernel/audit.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a
dit-kernel/issues/51
Richard Guy Briggs (4):
audit: make ANOM_LINK obey audit_enabled and audit_dummy_context
audit: link denied should not directly generate PATH record
audit: add refused symlink to audit_names
audit: add parent of refused symlink to audit_names
fs/namei.c| 5