[GIT PULL] Audit changes for 3.10

[Eric Paris <eparis@redhat.com>]

[-- Attachment #1: Type: text/plain, Size: 4514 bytes --]

Al used to send pull requests every couple of years but he told me to
just start pushing them to you directly.

The following changes since commit 19f949f52599ba7c3f67a5897ac6be14bfcb1200:

  Linux 3.8 (2013-02-18 15:58:34 -0800)

are available in the git repository at:

  git://git.infradead.org/users/eparis/audit.git master

for you to fetch changes up to 2a0b4be6dd655e24990da1d0811e28b9277f8b12:

  audit: fix message spacing printing auid (2013-05-08 00:02:19 -0400)

Most of the changes are in audit* files so you shouldn't much care.  Our
touching outside of core audit code is pretty straight forward.  A couple
of interface changes which hit net/.  A simple argument bug calling audit
functions in namei.c and the removal of some assembly branch prediction
code on ppc.

Looks like you are going to have 2 merge failures due to patches which
came in through akpm.

The first in kernel/audit.c is a simple resolution.  My tree is correct
deleting those 3 lines.

The second in kernel/audit.h is a little worse.  You want to take my
tree.  Remove the #ifdef CONFIG_AUDIT and #endif towards the end of the
new code.  Then you want to remove the line declaring extern int
audit_enabled;

I'm attaching my merge resolution commit as a reference.

----------------------------------------------------------------
Andrew Morton (1):
      auditsc: remove audit_set_context() altogether - fold it into its caller

Anton Blanchard (2):
      audit: Syscall rules are not applied to existing processes on non-x86
      powerpc: Remove static branch prediction in 64bit traced syscall path

Chen Gang (1):
      kernel: audit: beautify code, for extern function, better to check its parameters by itself

Dmitry Monakhov (1):
      audit: destroy long filenames correctly

Eric Paris (17):
      audit: use data= not msg= for AUDIT_USER_TTY messages
      Audit: do not print error when LSMs disabled
      audit: fix build break when AUDIT_DEBUG == 2
      audit: allow checking the type of audit message in the user filter
      audit: make validity checking generic
      audit: remove the old depricated kernel interface
      audit: stop pushing loginid, uid, sessionid as arguments
      audit: push loginuid and sessionid processing down
      audit: use a consistent audit helper to log lsm information
      helper for some session id stuff
      audit: use spin_lock_irqsave/restore in audit tty code
      audit: do not needlessly take a spinlock in copy_signal
      audit: do not needlessly take a lock in tty_audit_exit
      audit: use spin_lock in audit_receive_msg to process tty logging
      audit: fix event coverage of AUDIT_ANOM_LINK
      Revert "audit: move kaudit thread start from auditd registration to kaudit init"
      audit: fix message spacing printing auid

Eric W. Biederman (1):
      audit: Make testing for a valid loginuid explicit.

Gao feng (1):
      audit: remove duplicate export of audit_enabled

Jeff Layton (1):
      audit: vfs: fix audit_inode call in O_CREAT case of do_last

Matvejchikov Ilya (1):
      audit: improve GID/EGID comparation logic

Rakib Mullick (1):
      auditsc: Use kzalloc instead of kmalloc+memset.

Richard Guy Briggs (4):
      audit: refactor hold queue flush
      audit: flatten kauditd_thread wait queue code
      audit: move kaudit thread start from auditd registration to kaudit init
      audit: add an option to control logging of passwords with pam_tty_audit

 arch/powerpc/kernel/entry_64.S |   2 +-
 drivers/tty/tty_audit.c        | 104 +++++++++++++++--------------------
 fs/namei.c                     |   2 +-
 include/linux/audit.h          |  48 ++++++++++------
 include/linux/sched.h          |   1 +
 include/linux/tty.h            |   6 +-
 include/uapi/linux/audit.h     |   4 +-
 kernel/audit.c                 | 516 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++--------------------------------------------------------
 kernel/audit.h                 | 156 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 kernel/auditfilter.c           | 360 +++++++++++++++++++++++++++++++++++++-----------------------------------------------------------------------------------
 kernel/auditsc.c               | 421 +++++++++++++++-----------------------------------------------------------------------------------------------------------------------------
 net/socket.c                   |   6 +-
 12 files changed, 749 insertions(+), 877 deletions(-)



[-- Attachment #2: tmp.patch --]
[-- Type: text/x-patch, Size: 5801 bytes --]

commit 3f321c3c7f40eb887a4c40320dc555391382cb93
Merge: 9affd6b 82d8da0
Author: Eric Paris <eparis@redhat.com>
Date:   Tue May 7 23:09:02 2013 -0400

    Merge branch 'audit-for-3.10' into merge-test
    
    Conflicts:
    	kernel/audit.c
    	kernel/audit.h

diff --cc kernel/audit.c
index 0b084fa,f9c6506..fc94ee3
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@@ -660,17 -646,14 +646,15 @@@ static int audit_receive_msg(struct sk_
  
  	/* As soon as there's any sign of userspace auditd,
  	 * start kauditd to talk to it */
 -	if (!kauditd_task)
 +	if (!kauditd_task) {
  		kauditd_task = kthread_run(kauditd_thread, NULL, "kauditd");
 -	if (IS_ERR(kauditd_task)) {
 -		err = PTR_ERR(kauditd_task);
 -		kauditd_task = NULL;
 -		return err;
 +		if (IS_ERR(kauditd_task)) {
 +			err = PTR_ERR(kauditd_task);
 +			kauditd_task = NULL;
 +			return err;
 +		}
  	}
- 	loginuid = audit_get_loginuid(current);
- 	sessionid = audit_get_sessionid(current);
- 	security_task_getsecid(current, &sid);
+ 
  	seq  = nlh->nlmsg_seq;
  	data = nlmsg_data(nlh);
  
diff --cc kernel/audit.h
index 11468d9,45c8325..1c95131
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@@ -59,8 -65,161 +65,158 @@@ struct audit_entry 
  	struct audit_krule	rule;
  };
  
+ struct audit_cap_data {
+ 	kernel_cap_t		permitted;
+ 	kernel_cap_t		inheritable;
+ 	union {
+ 		unsigned int	fE;		/* effective bit of file cap */
+ 		kernel_cap_t	effective;	/* effective set of process */
+ 	};
+ };
+ 
+ /* When fs/namei.c:getname() is called, we store the pointer in name and
+  * we don't let putname() free it (instead we free all of the saved
+  * pointers at syscall exit time).
+  *
+  * Further, in fs/namei.c:path_lookup() we store the inode and device.
+  */
+ struct audit_names {
+ 	struct list_head	list;		/* audit_context->names_list */
+ 
+ 	struct filename		*name;
+ 	int			name_len;	/* number of chars to log */
+ 	bool			name_put;	/* call __putname()? */
+ 
+ 	unsigned long		ino;
+ 	dev_t			dev;
+ 	umode_t			mode;
+ 	kuid_t			uid;
+ 	kgid_t			gid;
+ 	dev_t			rdev;
+ 	u32			osid;
+ 	struct audit_cap_data	fcap;
+ 	unsigned int		fcap_ver;
+ 	unsigned char		type;		/* record type */
+ 	/*
+ 	 * This was an allocated audit_names and not from the array of
+ 	 * names allocated in the task audit context.  Thus this name
+ 	 * should be freed on syscall exit.
+ 	 */
+ 	bool			should_free;
+ };
+ 
+ /* The per-task audit context. */
+ struct audit_context {
+ 	int		    dummy;	/* must be the first element */
+ 	int		    in_syscall;	/* 1 if task is in a syscall */
+ 	enum audit_state    state, current_state;
+ 	unsigned int	    serial;     /* serial number for record */
+ 	int		    major;      /* syscall number */
+ 	struct timespec	    ctime;      /* time of syscall entry */
+ 	unsigned long	    argv[4];    /* syscall arguments */
+ 	long		    return_code;/* syscall return code */
+ 	u64		    prio;
+ 	int		    return_valid; /* return code is valid */
+ 	/*
+ 	 * The names_list is the list of all audit_names collected during this
+ 	 * syscall.  The first AUDIT_NAMES entries in the names_list will
+ 	 * actually be from the preallocated_names array for performance
+ 	 * reasons.  Except during allocation they should never be referenced
+ 	 * through the preallocated_names array and should only be found/used
+ 	 * by running the names_list.
+ 	 */
+ 	struct audit_names  preallocated_names[AUDIT_NAMES];
+ 	int		    name_count; /* total records in names_list */
+ 	struct list_head    names_list;	/* struct audit_names->list anchor */
+ 	char		    *filterkey;	/* key for rule that triggered record */
+ 	struct path	    pwd;
+ 	struct audit_aux_data *aux;
+ 	struct audit_aux_data *aux_pids;
+ 	struct sockaddr_storage *sockaddr;
+ 	size_t sockaddr_len;
+ 				/* Save things to print about task_struct */
+ 	pid_t		    pid, ppid;
+ 	kuid_t		    uid, euid, suid, fsuid;
+ 	kgid_t		    gid, egid, sgid, fsgid;
+ 	unsigned long	    personality;
+ 	int		    arch;
+ 
+ 	pid_t		    target_pid;
+ 	kuid_t		    target_auid;
+ 	kuid_t		    target_uid;
+ 	unsigned int	    target_sessionid;
+ 	u32		    target_sid;
+ 	char		    target_comm[TASK_COMM_LEN];
+ 
+ 	struct audit_tree_refs *trees, *first_trees;
+ 	struct list_head killed_trees;
+ 	int tree_count;
+ 
+ 	int type;
+ 	union {
+ 		struct {
+ 			int nargs;
+ 			long args[6];
+ 		} socketcall;
+ 		struct {
+ 			kuid_t			uid;
+ 			kgid_t			gid;
+ 			umode_t			mode;
+ 			u32			osid;
+ 			int			has_perm;
+ 			uid_t			perm_uid;
+ 			gid_t			perm_gid;
+ 			umode_t			perm_mode;
+ 			unsigned long		qbytes;
+ 		} ipc;
+ 		struct {
+ 			mqd_t			mqdes;
+ 			struct mq_attr		mqstat;
+ 		} mq_getsetattr;
+ 		struct {
+ 			mqd_t			mqdes;
+ 			int			sigev_signo;
+ 		} mq_notify;
+ 		struct {
+ 			mqd_t			mqdes;
+ 			size_t			msg_len;
+ 			unsigned int		msg_prio;
+ 			struct timespec		abs_timeout;
+ 		} mq_sendrecv;
+ 		struct {
+ 			int			oflag;
+ 			umode_t			mode;
+ 			struct mq_attr		attr;
+ 		} mq_open;
+ 		struct {
+ 			pid_t			pid;
+ 			struct audit_cap_data	cap;
+ 		} capset;
+ 		struct {
+ 			int			fd;
+ 			int			flags;
+ 		} mmap;
+ 	};
+ 	int fds[2];
+ 
+ #if AUDIT_DEBUG
+ 	int		    put_count;
+ 	int		    ino_count;
+ #endif
+ };
+ 
 -#ifdef CONFIG_AUDIT
 -extern int audit_enabled;
  extern int audit_ever_enabled;
  
+ extern void audit_copy_inode(struct audit_names *name,
+ 			     const struct dentry *dentry,
+ 			     const struct inode *inode);
+ extern void audit_log_cap(struct audit_buffer *ab, char *prefix,
+ 			  kernel_cap_t *cap);
+ extern void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name);
+ extern void audit_log_name(struct audit_context *context,
+ 			   struct audit_names *n, struct path *path,
+ 			   int record_num, int *call_panic);
 -#endif
+ 
  extern int audit_pid;
  
  #define AUDIT_INODE_BUCKETS	32

[-- Attachment #3: Type: text/plain, Size: 0 bytes --]