linux/kernel/audit.c, branch v4.3Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
https://git.shady.money/linux/atom?h=v4.32015-09-08T20:34:59ZMerge branch 'upstream' of git://git.infradead.org/users/pcmoore/audit2015-09-08T20:34:59ZLinus Torvaldstorvalds@linux-foundation.org2015-09-08T20:34:59Zurn:sha1:425afcff13a4bea2a3cf6f395cbc66fc158852be
Pull audit update from Paul Moore:
"This is one of the larger audit patchsets in recent history,
consisting of eight patches and almost 400 lines of changes.
The bulk of the patchset is the new "audit by executable"
functionality which allows admins to set an audit watch based on the
executable on disk. Prior to this, admins could only track an
application by PID, which has some obvious limitations.
Beyond the new functionality we also have some refcnt fixes and a few
minor cleanups"
* 'upstream' of git://git.infradead.org/users/pcmoore/audit:
fixup: audit: implement audit by executable
audit: implement audit by executable
audit: clean simple fsnotify implementation
audit: use macros for unset inode and device values
audit: make audit_del_rule() more robust
audit: fix uninitialized variable in audit_add_rule()
audit: eliminate unnecessary extra layer of watch parent references
audit: eliminate unnecessary extra layer of watch references
audit: use macros for unset inode and device values2015-08-06T18:39:02ZRichard Guy Briggsrgb@redhat.com2015-08-06T03:48:20Zurn:sha1:84cb777e67814f2e06a99ff228f743409e9617e9
Clean up a number of places were casted magic numbers are used to represent
unset inode and device numbers in preparation for the audit by executable path
patch set.
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
[PM: enclosed the _UNSET macros in parentheses for ./scripts/checkpatch]
Signed-off-by: Paul Moore <pmoore@redhat.com>
Merge branch 'upstream' of git://git.infradead.org/users/pcmoore/audit2015-06-27T20:53:16ZLinus Torvaldstorvalds@linux-foundation.org2015-06-27T20:53:16Zurn:sha1:4a10a91756ef381bced7b88cfb9232f660b92d93
Pull audit updates from Paul Moore:
"Four small audit patches for v4.2, all bug fixes. Only 10 lines of
change this time so very unremarkable, the patch subject lines pretty
much tell the whole story"
* 'upstream' of git://git.infradead.org/users/pcmoore/audit:
audit: Fix check of return value of strnlen_user()
audit: obsolete audit_context check is removed in audit_filter_rules()
audit: fix for typo in comment to function audit_log_link_denied()
lsm: rename duplicate labels in LSM_AUDIT_DATA_TASK audit message type
audit: fix for typo in comment to function audit_log_link_denied()2015-05-29T19:19:02ZShailendra Vermashailendra.capricorn@gmail.com2015-05-23T05:10:27Zurn:sha1:2201196479748b84e5526b2f81112fe2d0aaa37a
Signed-off-by: Shailendra Verma <shailendra.capricorn@gmail.com>
[PM: tweaked subject line]
Signed-off-by: Paul Moore <pmoore@redhat.com>
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs2015-04-27T00:22:07ZLinus Torvaldstorvalds@linux-foundation.org2015-04-26T22:48:49Zurn:sha1:9ec3a646fe09970f801ab15e0f1694060b9f19af
Pull fourth vfs update from Al Viro:
"d_inode() annotations from David Howells (sat in for-next since before
the beginning of merge window) + four assorted fixes"
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
RCU pathwalk breakage when running into a symlink overmounting something
fix I_DIO_WAKEUP definition
direct-io: only inc/dec inode->i_dio_count for file systems
fs/9p: fix readdir()
VFS: assorted d_backing_inode() annotations
VFS: fs/inode.c helpers: d_inode() annotations
VFS: fs/cachefiles: d_backing_inode() annotations
VFS: fs library helpers: d_inode() annotations
VFS: assorted weird filesystems: d_inode() annotations
VFS: normal filesystems (and lustre): d_inode() annotations
VFS: security/: d_inode() annotations
VFS: security/: d_backing_inode() annotations
VFS: net/: d_inode() annotations
VFS: net/unix: d_backing_inode() annotations
VFS: kernel/: d_inode() annotations
VFS: audit: d_backing_inode() annotations
VFS: Fix up some ->d_inode accesses in the chelsio driver
VFS: Cachefiles should perform fs modifications on the top layer only
VFS: AF_UNIX sockets should call mknod on the top layer only
Merge branch 'upstream' of git://git.infradead.org/users/pcmoore/audit2015-04-22T21:49:23ZLinus Torvaldstorvalds@linux-foundation.org2015-04-22T21:49:23Zurn:sha1:27cf3a16b2535a490f8cf1d29a6634f1c70f7831
Pull audit fixes from Paul Moore:
"Seven audit patches for v4.1, all bug fixes.
The largest, and perhaps most significant commit helps resolve some
memory pressure issues related to the inode cache and audit, there are
also a few small commits which help resolve some timing issues with
the audit log queue, and the rest fall into the always popular "code
clean-up" category.
In general, nothing really substantial, just a nice set of maintenance
patches"
* 'upstream' of git://git.infradead.org/users/pcmoore/audit:
audit: Remove condition which always evaluates to false
audit: reduce mmap_sem hold for mm->exe_file
audit: consolidate handling of mm->exe_file
audit: code clean up
audit: don't reset working wait time accidentally with auditd
audit: don't lose set wait time on first successful call to audit_log_start()
audit: move the tree pruning to a dedicated thread
VFS: audit: d_backing_inode() annotations2015-04-15T19:06:55ZDavid Howellsdhowells@redhat.com2015-03-17T22:26:21Zurn:sha1:3b362157b2162719145d4f3d4f534357d89b45ce
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
audit: Remove condition which always evaluates to false2015-03-13T21:32:52ZPranith Kumarbobby.prani@gmail.com2015-03-11T18:08:19Zurn:sha1:724e7bfcc566375158219c1454b4b6fc416b2c4a
After commit 3e1d0bb6224f019893d1c498cc3327559d183674 ("audit: Convert int limit
uses to u32"), by converting an int to u32, few conditions will always evaluate
to false.
These warnings were emitted during compilation:
kernel/audit.c: In function ‘audit_set_enabled’:
kernel/audit.c:347:2: warning: comparison of unsigned expression < 0 is always
false [-Wtype-limits]
if (state < AUDIT_OFF || state > AUDIT_LOCKED)
^
kernel/audit.c: In function ‘audit_receive_msg’:
kernel/audit.c:880:9: warning: comparison of unsigned expression < 0 is
always false [-Wtype-limits]
if (s.backlog_wait_time < 0 ||
The following patch removes those unnecessary conditions.
Signed-off-by: Pranith Kumar <bobby.prani@gmail.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
audit: reduce mmap_sem hold for mm->exe_file2015-02-23T21:57:00ZDavidlohr Buesodave@stgolabs.net2015-02-23T02:20:09Zurn:sha1:5b28255278dd7e594c8dde317c2498b7dcbf900d
The mm->exe_file is currently serialized with mmap_sem (shared)
in order to both safely (1) read the file and (2) audit it via
audit_log_d_path(). Good users will, on the other hand, make use
of the more standard get_mm_exe_file(), requiring only holding
the mmap_sem to read the value, and relying on reference counting
to make sure that the exe file won't dissapear underneath us.
Additionally, upon NULL return of get_mm_exe_file, we also call
audit_log_format(ab, " exe=(null)").
Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
[PM: tweaked subject line]
Signed-off-by: Paul Moore <pmoore@redhat.com>
audit: consolidate handling of mm->exe_file2015-02-23T21:55:47ZDavidlohr Buesodave@stgolabs.net2015-02-23T02:20:00Zurn:sha1:4766b199ef9e1ca6316ee4f8f9d80c2ba1ed0290
This patch adds a audit_log_d_path_exe() helper function
to share how we handle auditing of the exe_file's path.
Used by both audit and auditsc. No functionality is changed.
Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
[PM: tweaked subject line]
Signed-off-by: Paul Moore <pmoore@redhat.com>