Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ https://git.shady.money/linux/atom?h=v2.6.24 2007-10-21T06:37:45Z 2007-10-21T06:37:45Z Al Viro viro@zeniv.linux.org.uk 2007-07-22T12:04:18Z urn:sha1:74c3cbe33bc077ac1159cadfea608b501e100344 New kind of audit rule predicates: "object is visible in given subtree". The part that can be sanely implemented, that is. Limitations: * if you have hardlink from outside of tree, you'd better watch it too (or just watch the object itself, obviously) * if you mount something under a watched tree, tell audit that new chunk should be added to watched subtrees * if you umount something in a watched tree and it's still mounted elsewhere, you will get matches on events happening there. New command tells audit to recalculate the trees, trimming such sources of false positives. Note that it's _not_ about path - if something mounted in several places (multiple mount, bindings, different namespaces, etc.), the match does _not_ depend on which one we are using for access. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 2007-10-18T21:37:24Z Daniel Walker dwalker@mvista.com 2007-10-18T10:06:06Z urn:sha1:9ce34218a8b63594c8958b5a4ef8cce24d511e1b Signed-off-by: Daniel Walker <dwalker@mvista.com> Cc: David Woodhouse <dwmw2@infradead.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2007-07-22T13:57:02Z Eric Paris eparis@redhat.com 2007-06-04T21:00:14Z urn:sha1:74f2345b6be1410f824cb7dd638d2c10a9709379 Right now the audit filter can match on = != > < >= blah blah blah. This allow the filter to also look at bitwise AND operations, & Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 2007-07-22T13:57:02Z Klaus Weidner klaus@atsec.com 2007-05-16T22:45:42Z urn:sha1:c926e4f432af0f61ac2b9b637fb51a4871a3fc91 The sanity check in audit_match_class() is wrong. We are able to audit 2048 syscalls but in audit_match_class() we were accidentally using sizeof(_u32) instead of number of bits in _u32 when deciding how many syscalls were valid. On ia64 in particular we were hitting syscall numbers over the (wrong) limit of 256. Fixing the audit_match_class check takes care of the problem. Signed-off-by: Klaus Weidner <klaus@atsec.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 2007-07-17T20:17:59Z Jeff Garzik jeff@garzik.org 2007-07-17T01:25:01Z urn:sha1:6f686d3d14621b90f3793b705bdf9fa624fd29ca Kill this warning... kernel/auditfilter.c: In function ‘audit_receive_filter’: kernel/auditfilter.c:1213: warning: ‘ndw’ may be used uninitialized in this function kernel/auditfilter.c:1213: warning: ‘ndp’ may be used uninitialized in this function ...with a simplification of the code. audit_put_nd() can accept NULL arguments, just like kfree(). It is cleaner to init two existing vars to NULL, remove the redundant test variable 'putnd_needed' branches, and call audit_put_nd() directly. As a desired side effect, the warning goes away. Signed-off-by: Jeff Garzik <jeff@garzik.org> 2007-06-24T15:59:12Z Tony Jones tonyj@suse.de 2007-06-24T00:16:47Z urn:sha1:7b018b2888b32284e09bba9cccb5cd2e12199feb Removing a watched file will oops if audit is disabled (auditctl -e 0). To reproduce: - auditctl -e 1 - touch /tmp/foo - auditctl -w /tmp/foo - auditctl -e 0 - rm /tmp/foo (or mv) Signed-off-by: Tony Jones <tonyj@suse.de> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: <stable@kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2007-05-16T01:56:37Z Al Viro viro@ftp.linux.org.uk 2007-05-15T19:37:10Z urn:sha1:327b9eebbf2b7ce632e93a9c1386d944af0dadf4 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2007-05-11T09:38:25Z Amy Griffis amy.griffis@hp.com 2007-03-29T22:01:04Z urn:sha1:e54dc2431d740a79a6bd013babade99d71b1714f When auditing syscalls that send signals, log the pid and security context for each target process. Optimize the data collection by adding a counter for signal-related rules, and avoiding allocating an aux struct unless we have more than one target process. For process groups, collect pid/context data in blocks of 16. Move the audit_signal_info() hook up in check_kill_permission() so we audit attempts where permission is denied. Signed-off-by: Amy Griffis <amy.griffis@hp.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 2007-02-18T02:30:09Z Steve Grubb sgrubb redhat com 2006-12-14T16:48:47Z urn:sha1:a17b4ad778e1857944f5a1df95fb7758cd5cc58d I was looking at parsing some of these messages and found that I wanted what it was doing next to an op= for the parser to key on. Also missing was the list number and results. Signed-off-by: Steve Grubb <sgrubb@redhat.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 2007-02-11T18:51:34Z Ingo Molnar mingo@elte.hu 2007-02-10T09:46:09Z urn:sha1:11f57cedcf382574a1e41d6cec2349f287fcea67 gcc emits this warning: kernel/auditfilter.c: In function 'audit_filter_user': kernel/auditfilter.c:1611: warning: 'state' is used uninitialized in this function I tend to agree with gcc - there are a couple of plausible exit paths from audit_filter_user_rules() where it does not set 'state', keeping the variable uninitialized. For example if a filter rule has an AUDIT_POSSIBLE action. Initialize to 'wont audit'. Fix whitespace damage too. Signed-off-by: Ingo Molnar <mingo@elte.hu> Cc: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>