Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ https://git.shady.money/linux/atom?h=v2.6.30 2009-04-05T17:49:04Z 2009-04-05T17:49:04Z Eric Paris eparis@redhat.com 2009-03-10T22:00:14Z urn:sha1:def57543418a5f47debae28a0a9dea2effc11692 audit_log_d_path had spaces in the strings which would be emitted on the error paths. This patch simply replaces those spaces with an _ or removes the needless spaces entirely. Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 2009-04-05T17:43:36Z Miloslav Trmac mitr@redhat.com 2009-03-19T13:52:47Z urn:sha1:55ad2f8d340678397de5916b9cd960f17ebd7150 AUDIT_USER_TTY, like all other messages sent from user-space, is sent NUL-terminated. Unlike other user-space audit messages, which come only from trusted sources, AUDIT_USER_TTY messages are processed using audit_log_n_untrustedstring(). This patch modifies AUDIT_USER_TTY handling to ignore the trailing NUL and use the "quoted_string" representation of the message if possible. Signed-off-by: Miloslav Trmac <mitr@redhat.com> Cc: Eric Paris <eparis@redhat.com> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: Steve Grubb <sgrubb@redhat.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 2009-04-05T17:43:24Z Miloslav Trmac mitr@redhat.com 2009-03-19T13:48:27Z urn:sha1:b3897f567100d18e0597f638b911d23aa5e0dd23 currently audit_log_n_untrustedstring() uses audit_string_contains_control() to check if the 'string' has any control characters. If the 'string' has an embedded NULL audit_string_contains_control() will return that the data has no control characters and will then pass the string to audit_log_n_string with the total length, not the length up to the first NULL. audit_log_n_string() does a memcpy of the entire length and so the actual audit record emitted may then contain a NULL and then whatever random memory is after the NULL. Since we want to log the entire octet stream (if we can't trust the data to be a string we can't trust that a NULL isn't actually a part of it) we should just consider NULL as a control character. If the caller is certain they want to stop at the first NULL they should be using audit_log_untrustedstring. Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 2008-12-09T07:27:41Z Al Viro viro@zeniv.linux.org.uk 2008-12-06T06:05:50Z urn:sha1:48887e63d6e057543067327da6b091297f7fe645 Timestamp in audit_context is valid only if ->in_syscall is set. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 2008-12-09T07:27:37Z Eric Paris eparis@redhat.com 2008-11-05T17:47:09Z urn:sha1:a3f07114e3359fb98683069ae397220e8992a24a Currently audit=0 on the kernel command line does absolutely nothing. Audit always loads and always uses its resources such as creating the kernel netlink socket. This patch causes audit=0 to actually disable audit. Audit will use no resources and starting the userspace auditd daemon will not cause the kernel audit system to activate. Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 2008-08-01T16:15:16Z zhangxiliang zhangxiliang@cn.fujitsu.com 2008-07-31T02:11:19Z urn:sha1:20c6aaa39ab735c7ed78e4e5a214d250efae0a6e When the "status_get->mask" is "AUDIT_STATUS_RATE_LIMIT || AUDIT_STATUS_BACKLOG_LIMIT". If "audit_set_rate_limit" fails and "audit_set_backlog_limit" succeeds, the "err" value will be greater than or equal to 0. It will miss the failure of rate set. Signed-off-by: Zhang Xiliang <zhangxiliang@cn.fujitsu.com> Acked-by: Eric Paris <eparis@redhat.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 2008-08-01T16:05:35Z Vesa-Matti J Kari vmkari@cc.helsinki.fi 2008-07-22T21:06:13Z urn:sha1:1d6c9649e236caa2e93e3647256216e57172b011 Hello, According to my understanding there is an off-by-one bug in the function: audit_string_contains_control() in: kernel/audit.c Patch is included. I do not know from how many places the function is called from, but for example, SELinux Access Vector Cache tries to log untrusted filenames via call path: avc_audit() audit_log_untrustedstring() audit_log_n_untrustedstring() audit_string_contains_control() If audit_string_contains_control() detects control characters, then the string is hex-encoded. But the hex=0x7f dec=127, DEL-character, is not detected. I guess this could have at least some minor security implications, since a user can create a filename with 0x7f in it, causing logged filename to possibly look different when someone reads it on the terminal. Signed-off-by: Vesa-Matti Kari <vmkari@cc.helsinki.fi> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 2008-06-25T03:36:35Z Peng Haitao penght@cn.fujitsu.com 2008-05-20T01:13:02Z urn:sha1:d8de72473effd674a3c1fe9621821f406f5587c9 The second argument "type" is not used in audit_filter_user(), so I think that type can be removed. If I'm wrong, please tell me. Signed-off-by: Peng Haitao <penght@cn.fujitsu.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 2008-06-25T03:36:21Z Peng Haitao penght@cn.fujitsu.com 2008-05-16T02:15:04Z urn:sha1:13d5ef97f0675d789f559cfebc1df9d5e2b1879c The first argument "nlh->nlmsg_type" of audit_receive_filter() should be modified to "msg_type" in audit_receive_msg(). Signed-off-by: Peng Haitao <penght@cn.fujitsu.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 2008-05-17T07:30:22Z Andrew Morton akpm@linux-foundation.org 2008-05-14T23:11:48Z urn:sha1:fcaf1eb8685a00a99259e138e403841e984385b0 Addresses http://bugzilla.kernel.org/show_bug.cgi?id=10663 Reporter: Daniel Marjamki <danielm77@spray.se> Cc: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>