linux/kernel/auditfilter.c, branch v2.6.23

[PATCH] allow audit filtering on bit & operations

2007-07-22T13:57:02Z

Right now the audit filter can match on = != > < >= blah blah blah. This allow the filter to also look at bitwise AND operations, & Signed-off-by: Eric Paris Signed-off-by: Al Viro

[PATCH] audit: fix broken class-based syscall audit

2007-07-22T13:57:02Z

The sanity check in audit_match_class() is wrong. We are able to audit 2048 syscalls but in audit_match_class() we were accidentally using sizeof(_u32) instead of number of bits in _u32 when deciding how many syscalls were valid. On ia64 in particular we were hitting syscall numbers over the (wrong) limit of 256. Fixing the audit_match_class check takes care of the problem. Signed-off-by: Klaus Weidner Signed-off-by: Al Viro

kernel/auditfilter: kill bogus uninit'd-var compiler warning

2007-07-17T20:17:59Z

Kill this warning... kernel/auditfilter.c: In function ‘audit_receive_filter’: kernel/auditfilter.c:1213: warning: ‘ndw’ may be used uninitialized in this function kernel/auditfilter.c:1213: warning: ‘ndp’ may be used uninitialized in this function ...with a simplification of the code. audit_put_nd() can accept NULL arguments, just like kfree(). It is cleaner to init two existing vars to NULL, remove the redundant test variable 'putnd_needed' branches, and call audit_put_nd() directly. As a desired side effect, the warning goes away. Signed-off-by: Jeff Garzik

audit: fix oops removing watch if audit disabled

2007-06-24T15:59:12Z

Removing a watched file will oops if audit is disabled (auditctl -e 0). To reproduce: - auditctl -e 1 - touch /tmp/foo - auditctl -w /tmp/foo - auditctl -e 0 - rm /tmp/foo (or mv) Signed-off-by: Tony Jones Cc: Al Viro Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds

audit_match_signal() and friends are used only if CONFIG_AUDITSYSCALL is set

2007-05-16T01:56:37Z

Signed-off-by: Al Viro Signed-off-by: Linus Torvalds

[PATCH] audit signal recipients

2007-05-11T09:38:25Z

When auditing syscalls that send signals, log the pid and security context for each target process. Optimize the data collection by adding a counter for signal-related rules, and avoiding allocating an aux struct unless we have more than one target process. For process groups, collect pid/context data in blocks of 16. Move the audit_signal_info() hook up in check_kill_permission() so we audit attempts where permission is denied. Signed-off-by: Amy Griffis Signed-off-by: Al Viro

[PATCH] minor update to rule add/delete messages (ver 2)

2007-02-18T02:30:09Z

I was looking at parsing some of these messages and found that I wanted what it was doing next to an op= for the parser to key on. Also missing was the list number and results. Signed-off-by: Steve Grubb Signed-off-by: Al Viro

[PATCH] audit: fix audit_filter_user_rules() initialization bug

2007-02-11T18:51:34Z

gcc emits this warning: kernel/auditfilter.c: In function 'audit_filter_user': kernel/auditfilter.c:1611: warning: 'state' is used uninitialized in this function I tend to agree with gcc - there are a couple of plausible exit paths from audit_filter_user_rules() where it does not set 'state', keeping the variable uninitialized. For example if a filter rule has an AUDIT_POSSIBLE action. Initialize to 'wont audit'. Fix whitespace damage too. Signed-off-by: Ingo Molnar Cc: Al Viro Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds

[PATCH] audit: fix kstrdup() error check

2006-12-22T16:55:49Z

kstrdup() returns NULL on error. Cc: David Woodhouse Signed-off-by: Akinobu Mita Cc: Al Viro Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds

[PATCH] kernel core: replace kmalloc+memset with kzalloc

2006-12-07T16:39:41Z

Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds