linux/kernel/auditfilter.c, branch v5.1Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
https://git.shady.money/linux/atom?h=v5.12019-02-13T01:17:13Zaudit: mark expected switch fall-through2019-02-13T01:17:13ZGustavo A. R. Silvagustavo@embeddedor.com2019-02-12T20:46:00Zurn:sha1:131d34cb07957151c369366b158690057d2bce5e
In preparation to enabling -Wimplicit-fallthrough, mark switch
cases where we are expecting to fall through.
This patch fixes the following warning:
kernel/auditfilter.c: In function ‘audit_krule_to_data’:
kernel/auditfilter.c:668:7: warning: this statement may fall through [-Wimplicit-fallthrough=]
if (krule->pflags & AUDIT_LOGINUID_LEGACY && !f->val) {
^
kernel/auditfilter.c:674:3: note: here
default:
^~~~~~~
Warning level 3 was used: -Wimplicit-fallthrough=3
Notice that, in this particular case, the code comment is modified
in accordance with what GCC is expecting to find.
This patch is part of the ongoing efforts to enable
-Wimplicit-fallthrough.
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
audit: remove unused actx param from audit_rule_match2019-02-01T04:00:15ZRichard Guy Briggsrgb@redhat.com2019-01-31T16:52:11Zurn:sha1:90462a5bd30c6ed91c6758e59537d047d7878ff9
The audit_rule_match() struct audit_context *actx parameter is not used
by any in-tree consumers (selinux, apparmour, integrity, smack).
The audit context is an internal audit structure that should only be
accessed by audit accessor functions.
It was part of commit 03d37d25e0f9 ("LSM/Audit: Introduce generic
Audit LSM hooks") but appears to have never been used.
Remove it.
Please see the github issue
https://github.com/linux-audit/audit-kernel/issues/107
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
[PM: fixed the referenced commit title]
Signed-off-by: Paul Moore <paul@paul-moore.com>
audit: add syscall information to CONFIG_CHANGE records2019-01-18T22:53:29ZRichard Guy Briggsrgb@redhat.com2019-01-18T22:42:48Zurn:sha1:626abcd13d4ea2b67be3249a250046cf713f532a
Tie syscall information to all CONFIG_CHANGE calls since they are all a
result of user actions.
Exclude user records from syscall context:
Since the function audit_log_common_recv_msg() is shared by a number of
AUDIT_CONFIG_CHANGE and the entire range of AUDIT_USER_* record types,
and since the AUDIT_CONFIG_CHANGE message type has been converted to a
syscall accompanied record type, special-case the AUDIT_USER_* range of
messages so they remain standalone records.
See: https://github.com/linux-audit/audit-kernel/issues/59
See: https://github.com/linux-audit/audit-kernel/issues/50
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
[PM: fix line lengths in kernel/audit.c]
Signed-off-by: Paul Moore <paul@paul-moore.com>
audit: rename FILTER_TYPE to FILTER_EXCLUDE2018-06-19T14:39:54ZRichard Guy Briggsrgb@redhat.com2018-06-05T15:45:07Zurn:sha1:d904ac0320d3c4ff4e9d80e4294ca5dde803696f
The AUDIT_FILTER_TYPE name is vague and misleading due to not describing
where or when the filter is applied and obsolete due to its available
filter fields having been expanded.
Userspace has already renamed it from AUDIT_FILTER_TYPE to
AUDIT_FILTER_EXCLUDE without checking if it already exists. The
userspace maintainer assures that as long as it is set to the same value
it will not be a problem since the userspace code does not treat
compiler warnings as errors. If this policy changes then checks if it
already exists can be added at the same time.
See: https://github.com/linux-audit/audit-kernel/issues/89
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
audit: allow other filter list types for AUDIT_EXE2018-06-19T13:33:42ZOndrej Mosnáčekomosnace@redhat.com2018-05-30T08:45:24Zurn:sha1:29c1372d6a9b872acf479ba2744e4e7f043981c0
This patch removes the restriction of the AUDIT_EXE field to only
SYSCALL filter and teaches audit_filter to recognize this field.
This makes it possible to write rule lists such as:
auditctl -a exit,always [some general rule]
# Filter out events with executable name /bin/exe1 or /bin/exe2:
auditctl -a exclude,always -F exe=/bin/exe1
auditctl -a exclude,always -F exe=/bin/exe2
See: https://github.com/linux-audit/audit-kernel/issues/54
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
audit: use existing session info function2018-05-18T19:47:54ZRichard Guy Briggsrgb@redhat.com2018-05-18T02:01:48Zurn:sha1:5c5b8d8bebee2b4e784e67b2751934fa564b1a79
Use the existing audit_log_session_info() function rather than
hardcoding its functionality.
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
audit: allow not equal op for audit by executable2018-04-24T15:18:10ZOndrej Mosnáčekomosnace@redhat.com2018-04-09T08:00:06Zurn:sha1:23bcc480dac204c7dbdf49d96b2c918ed98223c2
Current implementation of auditing by executable name only implements
the 'equal' operator. This patch extends it to also support the 'not
equal' operator.
See: https://github.com/linux-audit/audit-kernel/issues/53
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
audit: deprecate the AUDIT_FILTER_ENTRY filter2018-02-15T19:36:29ZRichard Guy Briggsrgb@redhat.com2018-02-15T02:47:43Zurn:sha1:5260ecc2e0480cc7e184901ab4c3721d0c2765e3
The audit entry filter has been long deprecated with userspace support
finally removed in audit-v2.6.7 and plans to remove kernel support have
existed since kernel-v2.6.31.
Remove it.
Since removing the audit entry filter, test for early return before
setting up any context state.
Passes audit-testsuite.
See: https://github.com/linux-audit/audit-kernel/issues/6
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
audit: session ID should not set arch quick field pointer2018-02-14T21:34:22ZRichard Guy Briggsrgb@redhat.com2018-02-12T10:04:53Zurn:sha1:6387440e15db1c9ee58028433cd87291cae488e7
A bug was introduced in 8fae47705685fcaa75a1fe4c8c3e18300a702979
("audit: add support for session ID user filter")
See: https://github.com/linux-audit/audit-kernel/issues/4
When setting a session ID filter, the session ID filter field overwrote
the quick pointer reference to the arch field, potentially causing the
arch field to be misinterpreted.
Passes audit-testsuite.
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
audit: filter PATH records keyed on filesystem magic2017-11-10T21:08:56ZRichard Guy Briggsrgb@redhat.com2017-08-23T11:03:39Zurn:sha1:42d5e37654e4cdb9fb2e2f3ab30045fee35c42d8
Tracefs or debugfs were causing hundreds to thousands of PATH records to
be associated with the init_module and finit_module SYSCALL records on a
few modules when the following rule was in place for startup:
-a always,exit -F arch=x86_64 -S init_module -F key=mod-load
Provide a method to ignore these large number of PATH records from
overwhelming the logs if they are not of interest. Introduce a new
filter list "AUDIT_FILTER_FS", with a new field type AUDIT_FSTYPE,
which keys off the filesystem 4-octet hexadecimal magic identifier to
filter specific filesystem PATH records.
An example rule would look like:
-a never,filesystem -F fstype=0x74726163 -F key=ignore_tracefs
-a never,filesystem -F fstype=0x64626720 -F key=ignore_debugfs
Arguably the better way to address this issue is to disable tracefs and
debugfs on boot from production systems.
See: https://github.com/linux-audit/audit-kernel/issues/16
See: https://github.com/linux-audit/audit-userspace/issues/8
Test case: https://github.com/linux-audit/audit-testsuite/issues/42
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
[PM: fixed the whitespace damage in kernel/auditsc.c]
Signed-off-by: Paul Moore <paul@paul-moore.com>