linux/kernel/auditfilter.c, branch v4.14

audit: kernel generated netlink traffic should have a portid of 0

2017-05-02T14:16:05Z

We were setting the portid incorrectly in the netlink message headers, fix that to always be 0 (nlmsg_pid = 0). Signed-off-by: Paul Moore Reviewed-by: Richard Guy Briggs

audit: remove unnecessary semicolon in audit_field_valid()

2017-05-02T14:16:03Z

The excess ; after the closing parenthesis is just code-noise it has no and can be removed. Signed-off-by: Nicholas Mc Guire [PM: tweak subject line] Signed-off-by: Paul Moore

audit: add support for session ID user filter

2016-11-29T20:10:12Z

Define AUDIT_SESSIONID in the uapi and add support for specifying user filters based on the session ID. Also add the new session ID filter to the feature bitmap so userspace knows it is available. https://github.com/linux-audit/audit-kernel/issues/4 RFE: add a session ID filter to the kernel's user filter Signed-off-by: Richard Guy Briggs [PM: combine multiple patches from Richard into this one] Signed-off-by: Paul Moore

audit: fix formatting of AUDIT_CONFIG_CHANGE events

2016-11-20T20:38:00Z

The AUDIT_CONFIG_CHANGE events sometimes use a op= field. The current code logs the value of the field with quotes. This field is documented to not be encoded, so it should not have quotes. Signed-off-by: Steve Grubb Reviewed-by: Richard Guy Briggs [PM: reformatted commit description to make checkpatch.pl happy] Signed-off-by: Paul Moore

audit: add fields to exclude filter by reusing user filter

2016-06-27T15:01:00Z

RFE: add additional fields for use in audit filter exclude rules https://github.com/linux-audit/audit-kernel/issues/5 Re-factor and combine audit_filter_type() with audit_filter_user() to use audit_filter_user_rules() to enable the exclude filter to additionally filter on PID, UID, GID, AUID, LOGINUID_SET, SUBJ_*. The process of combining the similar audit_filter_user() and audit_filter_type() functions, required inverting the meaning and including the ALWAYS action of the latter. Include audit_filter_user_rules() into audit_filter(), removing unneeded logic in the process. Keep the check to quit early if the list is empty. Signed-off-by: Richard Guy Briggs [PM: checkpatch.pl fixes - whitespace damage, wrapped description] Signed-off-by: Paul Moore

audit: fix some horrible switch statement style crimes

2016-06-16T21:08:19Z

Signed-off-by: Paul Moore

audit: fixup: log on errors from filter user rules

2016-05-31T16:06:59Z

In commit 724e4fcc the intention was to pass any errors back from audit_filter_user_rules() to audit_filter_user(). Add that code. Signed-off-by: Richard Guy Briggs Signed-off-by: Paul Moore

audit: Fix typo in comment

2016-02-08T16:25:39Z

Signed-off-by: Weiyuan Signed-off-by: Paul Moore

audit: fix comment block whitespace

2015-11-04T13:23:51Z

Signed-off-by: Scott Matheina [PM: fixed subject line] Signed-off-by: Paul Moore

audit: implement audit by executable

2015-08-06T20:17:25Z

This adds the ability audit the actions of a not-yet-running process. This patch implements the ability to filter on the executable path. Instead of just hard coding the ino and dev of the executable we care about at the moment the rule is inserted into the kernel, use the new audit_fsnotify infrastructure to manage this dynamically. This means that if the filename does not yet exist but the containing directory does, or if the inode in question is unlinked and creat'd (aka updated) the rule will just continue to work. If the containing directory is moved or deleted or the filesystem is unmounted, the rule is deleted automatically. A future enhancement would be to have the rule survive across directory disruptions. This is a heavily modified version of a patch originally submitted by Eric Paris with some ideas from Peter Moody. Cc: Peter Moody Cc: Eric Paris Signed-off-by: Richard Guy Briggs [PM: minor whitespace clean to satisfy ./scripts/checkpatch] Signed-off-by: Paul Moore