Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ https://git.shady.money/linux/atom?h=v4.1 2015-02-12T04:07:47Z 2015-02-12T04:07:47Z Linus Torvalds torvalds@linux-foundation.org 2015-02-12T04:07:47Z urn:sha1:7184487f14eb7c2fcf8337bb16c6a63b6db1252e Pull audit fix from Paul Moore: "Just one patch from the audit tree for v3.20, and a very minor one at that. The patch simply removes an old, unused field from the audit_krule structure, a private audit-only struct. In audit related news, we did a proper overhaul of the audit pathname code and removed the nasty getname()/putname() hacks for audit, you should see those patches in Al's vfs tree if you haven't already. That's it for audit this time, let's hope for a quiet -rcX series" * 'upstream' of git://git.infradead.org/users/pcmoore/audit: audit: remove vestiges of vers_ops 2015-01-20T15:48:32Z Richard Guy Briggs rgb@redhat.com 2014-12-23T21:39:54Z urn:sha1:2fded7f44b8fcf79e274c3f0cfbd0298f95308f3 Should have been removed with commit 18900909 ("audit: remove the old depricated kernel interface"). Signed-off-by: Richard Guy Briggs <rgb@redhat.com> Signed-off-by: Paul Moore <pmoore@redhat.com> 2014-12-24T02:13:16Z Linus Torvalds torvalds@linux-foundation.org 2014-12-24T02:13:16Z urn:sha1:66b3f4f0a0fcc197a1e432c3d2134f5c6a5275b9 Pull audit fixes from Paul Moore: "Four patches to fix various problems with the audit subsystem, all are fairly small and straightforward. One patch fixes a problem where we weren't using the correct gfp allocation flags (GFP_KERNEL regardless of context, oops), one patch fixes a problem with old userspace tools (this was broken for a while), one patch fixes a problem where we weren't recording pathnames correctly, and one fixes a problem with PID based filters. In general I don't think there is anything controversial with this patchset, and it fixes some rather unfortunate bugs; the allocation flag one can be particularly scary looking for users" * 'upstream' of git://git.infradead.org/users/pcmoore/audit: audit: restore AUDIT_LOGINUID unset ABI audit: correctly record file names with different path name types audit: use supplied gfp_mask from audit_buffer in kauditd_send_multicast_skb audit: don't attempt to lookup PIDs when changing PID filtering audit rules 2014-12-23T21:40:18Z Richard Guy Briggs rgb@redhat.com 2014-12-23T18:02:04Z urn:sha1:041d7b98ffe59c59fdd639931dea7d74f9aa9a59 A regression was caused by commit 780a7654cee8: audit: Make testing for a valid loginuid explicit. (which in turn attempted to fix a regression caused by e1760bd) When audit_krule_to_data() fills in the rules to get a listing, there was a missing clause to convert back from AUDIT_LOGINUID_SET to AUDIT_LOGINUID. This broke userspace by not returning the same information that was sent and expected. The rule: auditctl -a exit,never -F auid=-1 gives: auditctl -l LIST_RULES: exit,never f24=0 syscall=all when it should give: LIST_RULES: exit,never auid=-1 (0xffffffff) syscall=all Tag it so that it is reported the same way it was set. Create a new private flags audit_krule field (pflags) to store it that won't interact with the public one from the API. Cc: stable@vger.kernel.org # v3.10-rc1+ Signed-off-by: Richard Guy Briggs <rgb@redhat.com> Signed-off-by: Paul Moore <pmoore@redhat.com> 2014-12-19T23:35:53Z Paul Moore pmoore@redhat.com 2014-12-19T23:35:53Z urn:sha1:3640dcfa4fd00cd91d88bb86250bdb496f7070c0 Commit f1dc4867 ("audit: anchor all pid references in the initial pid namespace") introduced a find_vpid() call when adding/removing audit rules with PID/PPID filters; unfortunately this is problematic as find_vpid() only works if there is a task with the associated PID alive on the system. The following commands demonstrate a simple reproducer. # auditctl -D # auditctl -l # autrace /bin/true # auditctl -l This patch resolves the problem by simply using the PID provided by the user without any additional validation, e.g. no calls to check to see if the task/PID exists. Cc: stable@vger.kernel.org # 3.15 Cc: Richard Guy Briggs <rgb@redhat.com> Signed-off-by: Paul Moore <pmoore@redhat.com> Acked-by: Eric Paris <eparis@redhat.com> Reviewed-by: Richard Guy Briggs <rgb@redhat.com> 2014-10-19T23:25:56Z Linus Torvalds torvalds@linux-foundation.org 2014-10-19T23:25:56Z urn:sha1:ab074ade9c33b3585da86d62e87bcb3e897a3f54 Pull audit updates from Eric Paris: "So this change across a whole bunch of arches really solves one basic problem. We want to audit when seccomp is killing a process. seccomp hooks in before the audit syscall entry code. audit_syscall_entry took as an argument the arch of the given syscall. Since the arch is part of what makes a syscall number meaningful it's an important part of the record, but it isn't available when seccomp shoots the syscall... For most arch's we have a better way to get the arch (syscall_get_arch) So the solution was two fold: Implement syscall_get_arch() everywhere there is audit which didn't have it. Use syscall_get_arch() in the seccomp audit code. Having syscall_get_arch() everywhere meant it was a useless flag on the stack and we could get rid of it for the typical syscall entry. The other changes inside the audit system aren't grand, fixed some records that had invalid spaces. Better locking around the task comm field. Removing some dead functions and structs. Make some things static. Really minor stuff" * git://git.infradead.org/users/eparis/audit: (31 commits) audit: rename audit_log_remove_rule to disambiguate for trees audit: cull redundancy in audit_rule_change audit: WARN if audit_rule_change called illegally audit: put rule existence check in canonical order next: openrisc: Fix build audit: get comm using lock to avoid race in string printing audit: remove open_arg() function that is never used audit: correct AUDIT_GET_FEATURE return message type audit: set nlmsg_len for multicast messages. audit: use union for audit_field values since they are mutually exclusive audit: invalid op= values for rules audit: use atomic_t to simplify audit_serial() kernel/audit.c: use ARRAY_SIZE instead of sizeof/sizeof[0] audit: reduce scope of audit_log_fcaps audit: reduce scope of audit_net_id audit: arm64: Remove the audit arch argument to audit_syscall_entry arm64: audit: Add audit hook in syscall_trace_enter/exit() audit: x86: drop arch from __audit_syscall_entry() interface sparc: implement is_32bit_task sparc: properly conditionalize use of TIF_32BIT ... 2014-10-10T19:07:58Z Richard Guy Briggs rgb@redhat.com 2014-10-03T02:05:19Z urn:sha1:e85322d21cfebeac64f58a204e9adc0bc5c1e46f Re-factor audit_rule_change() to reduce the amount of code redundancy and simplify the logic. Signed-off-by: Richard Guy Briggs <rgb@redhat.com> Signed-off-by: Eric Paris <eparis@redhat.com> 2014-10-10T19:07:42Z Eric Paris eparis@redhat.com 2014-10-10T19:05:21Z urn:sha1:739c95038e68d364b01c0fc6f8fb8e47b1c1e979 Signed-off-by: Eric Paris <eparis@redhat.com> 2014-10-10T19:03:32Z Richard Guy Briggs rgb@redhat.com 2014-10-03T02:05:18Z urn:sha1:3639f17068ed40e4e208a6e218481d49817bbd56 Use same rule existence check order as audit_make_tree(), audit_to_watch(), update_lsm_rule() for legibility. Signed-off-by: Richard Guy Briggs <rgb@redhat.com> Signed-off-by: Eric Paris <eparis@redhat.com> 2014-09-23T20:37:53Z Richard Guy Briggs rgb@redhat.com 2014-03-26T11:26:47Z urn:sha1:219ca39427bf6c46c4e1473493e33bc00635e99b Since only one of val, uid, gid and lsm* are used at any given time, combine them to reduce the size of the struct audit_field. Signed-off-by: Richard Guy Briggs <rgb@redhat.com>