linux/kernel/audit.c, branch v2.6.13

AUDIT: Unify auid reporting, put arch before syscall number

2005-05-23T20:35:28Z

These changes make processing of audit logs easier. Based on a patch from Steve Grubb Signed-off-by: David Woodhouse

AUDIT: Assign serial number to non-syscall messages

2005-05-21T20:08:09Z

Move audit_serial() into audit.c and use it to generate serial numbers on messages even when there is no audit context from syscall auditing. This allows us to disambiguate audit records when more than one is generated in the same millisecond. Based on a patch by Steve Grubb after he observed the problem. Signed-off-by: David Woodhouse

AUDIT: Fix inconsistent use of loginuid vs. auid, signed vs. unsigned

2005-05-20T23:22:31Z

The attached patch changes all occurrences of loginuid to auid. It also changes everything to %u that is an unsigned type. Signed-off-by: Steve Grubb Signed-off-by: David Woodhouse

AUDIT: Fix AVC_USER message passing.

2005-05-20T23:18:37Z

The original AVC_USER message wasn't consolidated with the new range of user messages. The attached patch fixes the kernel so the old messages work again. Signed-off-by: Steve Grubb Signed-off-by: David Woodhouse

AUDIT: Honour audit_backlog_limit again.

2005-05-19T13:55:56Z

The limit on the number of outstanding audit messages was inadvertently removed with the switch to queuing skbs directly for sending by a kernel thread. Put it back again. Signed-off-by: David Woodhouse

AUDIT: Send netlink messages from a separate kernel thread

2005-05-19T09:56:58Z

netlink_unicast() will attempt to reallocate and will free messages if the socket's rcvbuf limit is reached unless we give it an infinite timeout. So do that, from a kernel thread which is dedicated to spewing stuff up the netlink socket. Signed-off-by: David Woodhouse

AUDIT: Clean up logging of untrusted strings

2005-05-19T09:24:22Z

* If vsnprintf returns -1, it will mess up the sk buffer space accounting. This is fixed by not calling skb_put with bogus len values. * audit_log_hex was a loop that called audit_log_vformat with %02X for each character. This is very inefficient since conversion from unsigned character to Ascii representation is essentially masking, shifting, and byte lookups. Also, the length of the converted string is well known - it's twice the original. Fixed by rewriting the function. * audit_log_untrustedstring had no comments. This makes it hard for someone to understand what the string format will be. * audit_log_d_path was never fixed to use untrustedstring. This could mess up user space parsers. This was fixed to make a temp buffer, call d_path, and log temp buffer using untrustedstring. From: Steve Grubb Signed-off-by: David Woodhouse

AUDIT: Treat all user messages identically.

2005-05-18T09:21:07Z

It's silly to have to add explicit entries for new userspace messages as we invent them. Just treat all messages in the user range the same. Signed-off-by: David Woodhouse

AUDIT: fix max_t thinko.

2005-05-13T17:50:33Z

Der... if you use max_t it helps if you give it a type. Note to self: Always just apply the tested patches, don't try to port them by hand. You're not clever enough. Signed-off-by: David Woodhouse

AUDIT: Fix some spelling errors

2005-05-13T17:35:15Z

I'm going through the kernel code and have a patch that corrects several spelling errors in comments. From: Steve Grubb Signed-off-by: David Woodhouse