linux/kernel/audit.c, branch v4.7

Merge branch 'stable-4.7' of git://git.infradead.org/users/pcmoore/audit

2016-06-29T22:18:47Z

Pull audit fixes from Paul Moore: "Two small patches to fix audit problems in 4.7-rcX: the first fixes a potential kref leak, the second removes some header file noise. The first is an important bug fix that really should go in before 4.7 is released, the second is not critical, but falls into the very-nice- to-have category so I'm including in the pull request. Both patches are straightforward, self-contained, and pass our testsuite without problem" * 'stable-4.7' of git://git.infradead.org/users/pcmoore/audit: audit: move audit_get_tty to reduce scope and kabi changes audit: move calcs after alloc and check when logging set loginuid

audit: move audit_get_tty to reduce scope and kabi changes

2016-06-28T19:48:48Z

The only users of audit_get_tty and audit_put_tty are internal to audit, so move it out of include/linux/audit.h to kernel.h and create a proper function rather than inlining it. This also reduces kABI changes. Suggested-by: Paul Moore Signed-off-by: Richard Guy Briggs [PM: line wrapped description] Signed-off-by: Paul Moore

Merge branch 'stable-4.7' of git://git.infradead.org/users/pcmoore/audit

2016-05-19T01:46:55Z

Pull audit updates from Paul Moore: "Four small audit patches for 4.7. Two are simple cleanups around the audit thread management code, one adds a tty field to AUDIT_LOGIN events, and the final patch makes tty_name() usable regardless of CONFIG_TTY. Nothing controversial, and it all passes our regression test" * 'stable-4.7' of git://git.infradead.org/users/pcmoore/audit: tty: provide tty_name() even without CONFIG_TTY audit: add tty field to LOGIN event audit: we don't need to __set_current_state(TASK_RUNNING) audit: cleanup prune_tree_thread

audit: add tty field to LOGIN event

2016-04-26T21:19:16Z

The tty field was missing from AUDIT_LOGIN events. Refactor code to create a new function audit_get_tty(), using it to replace the call in audit_log_task_info() and to add it to audit_log_set_loginuid(). Lock and bump the kref to protect it, adding audit_put_tty() alias to decrement it. Signed-off-by: Richard Guy Briggs Signed-off-by: Paul Moore

audit: we don't need to __set_current_state(TASK_RUNNING)

2016-04-04T20:44:02Z

Remove the calls to __set_current_state() to mark the task as running and do some related cleanup in wait_for_auditd() to limit the amount of work we do when we aren't going to reschedule the current task. Signed-off-by: Paul Moore

Merge branch 'stable-4.6' of git://git.infradead.org/users/pcmoore/audit

2016-03-20T00:52:49Z

Pull audit updates from Paul Moore: "A small set of patches for audit this time; just three in total and one is a spelling fix. The two patches with actual content are designed to help prevent new instances of auditd from displacing an existing, functioning auditd and to generate a log of the attempt. Not to worry, dead/stuck auditd instances can still be replaced by a new instance without problem. Nothing controversial, and everything passes our regression suite" * 'stable-4.6' of git://git.infradead.org/users/pcmoore/audit: audit: Fix typo in comment audit: log failed attempts to change audit_pid configuration audit: stop an old auditd being starved out by a new auditd

tty: audit: Handle tty audit enable atomically

2016-01-28T00:41:04Z

The audit_tty and audit_tty_log_passwd fields are actually bool values, so merge into single memory location to access atomically. NB: audit log operations may still occur after tty audit is disabled which is consistent with the existing functionality Signed-off-by: Peter Hurley Signed-off-by: Greg Kroah-Hartman

tty: audit: Combine push functions

2016-01-28T00:41:04Z

tty_audit_push() and tty_audit_push_current() perform identical tasks; eliminate the tty_audit_push() implementation and the tty_audit_push_current() name. Signed-off-by: Peter Hurley Signed-off-by: Greg Kroah-Hartman

audit: log failed attempts to change audit_pid configuration

2016-01-25T23:04:15Z

Failed attempts to change the audit_pid configuration are not presently logged. One case is an attempt to starve an old auditd by starting up a new auditd when the old one is still alive and active. The other case is an attempt to orphan a new auditd when an old auditd shuts down. Log both as AUDIT_CONFIG_CHANGE messages with failure result. Signed-off-by: Richard Guy Briggs Signed-off-by: Paul Moore

audit: stop an old auditd being starved out by a new auditd

2016-01-25T23:04:15Z

Nothing prevents a new auditd starting up and replacing a valid audit_pid when an old auditd is still running, effectively starving out the old auditd since audit_pid no longer points to the old valid auditd. If no message to auditd has been attempted since auditd died unnaturally or got killed, audit_pid will still indicate it is alive. There isn't an easy way to detect if an old auditd is still running on the existing audit_pid other than attempting to send a message to see if it fails. An -ECONNREFUSED almost certainly means it disappeared and can be replaced. Other errors are not so straightforward and may indicate transient problems that will resolve themselves and the old auditd will recover. Yet others will likely need manual intervention for which a new auditd will not solve the problem. Send a new message type (AUDIT_REPLACE) to the old auditd containing a u32 with the PID of the new auditd. If the audit replace message succeeds (or doesn't fail with certainty), fail to register the new auditd and return an error (-EEXIST). This is expected to make the patch preventing an old auditd orphaning a new auditd redundant. V3: Switch audit message type from 1000 to 1300 block. Signed-off-by: Richard Guy Briggs Signed-off-by: Paul Moore