From: Richard Guy Briggs <rgb@redhat.com>
To: linux-audit@redhat.com
Cc: Richard Guy Briggs <rgb@redhat.com>
Subject: [PATCH 00/12] [V3] audit by executable name
Date: Wed, 2 Jul 2014 14:05:08 -0400
Message-ID: <cover.1404323960.git.rgb@redhat.com>
This is a part of Peter Moody's, Eric Paris' and my work to implement
audit by executable name.
The fixup! patches are intended to be autosquashed down by git in the final set
of patches to be submitted, but they have been included here to show progress.
Some are quite obvious.
Please see the accompanying userspace patch:
https://www.redhat.com/archives/linux-audit/2014-May/msg00019.html
The userspace interface is not expected to change appreciably unless something
important has been overlooked. Setting and deleting rules works as expected.
If the path does not exist at rule creation time, it will be re-evaluated every
time there is a change to the parent directory at which point the change in
device and inode will be noted.
Here's a test run:
# /usr/local/sbin/auditctl -a always,exit -F dir=/tmp -F exe=/bin/touch -F key=touch_tmp
# /usr/local/sbin/ausearch --start recent -k touch_tmp
time->Mon Jun 30 14:15:06 2014
type=CONFIG_CHANGE msg=audit(1404152106.683:149): auid=0 ses=1 subj=unconfined_u:unconfined_r:auditctl_t:s0-s0:c0.c1023 op="add rule" key="touch_tmp" list=4 res=1
# /usr/local/sbin/auditctl -l
-a always,exit -S all -F dir=/tmp -F exe=/bin/touch -F key=touch_tmp
# touch /tmp/test
# /usr/local/sbin/ausearch --start recent -k touch_tmp
time->Wed Jul 2 12:18:47 2014
type=UNKNOWN[1327] msg=audit(1404317927.319:132): proctitle=746F756368002F746D702F74657374
type=PATH msg=audit(1404317927.319:132): item=1 name="/tmp/test" inode=25997 dev=00:20 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE
type=PATH msg=audit(1404317927.319:132): item=0 name="/tmp/" inode=11144 dev=00:20 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT
type=CWD msg=audit(1404317927.319:132): cwd="/root"
type=SYSCALL msg=audit(1404317927.319:132): arch=c000003e syscall=2 success=yes exit=3 a0=7ffffa403dd5 a1=941 a2=1b6 a3=34b65b2c6c items=2 ppid=4321 pid=6436 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="touch" exe="/usr/bin/touch" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="touch_tmp"
Revision history:
v3: rationalize and rename some function names and clean up get/put and free code.
v2: misguided attempt to add in audit_exe similar to watches
https://www.redhat.com/archives/linux-audit/2014-June/msg00066.html
v1.5: eparis' switch to fsnotify
https://www.redhat.com/archives/linux-audit/2014-May/msg00046.html
https://www.redhat.com/archives/linux-audit/2014-May/msg00066.html
v1: change to path interface instead of inode
https://www.redhat.com/archives/linux-audit/2014-May/msg00017.html
v0: Peter Moody's original patches
Next step:
Get full-path notify working.
Eric Paris (3):
audit: implement audit by executable
audit: clean simple fsnotify implementation
audit: convert audit_exe to audit_fsnotify
Richard Guy Briggs (9):
fixup! audit: clean simple fsnotify implementation
fixup! audit: convert audit_exe to audit_fsnotify
fixup! audit: clean simple fsnotify implementation
audit: avoid double copying the audit_exe path string
fixup! audit: convert audit_exe to audit_fsnotify
fixup! audit: clean simple fsnotify implementation
fixup! audit: implement audit by executable
fixup! audit: clean simple fsnotify implementation
fixup! audit: clean simple fsnotify implementation
include/linux/audit.h | 1 +
include/uapi/linux/audit.h | 2 +
kernel/Makefile | 2 +-
kernel/audit.h | 39 +++++++
kernel/audit_exe.c | 46 +++++++++
kernel/audit_fsnotify.c | 237 ++++++++++++++++++++++++++++++++++++++++++++
kernel/auditfilter.c | 51 +++++++++-
kernel/auditsc.c | 16 +++
8 files changed, 391 insertions(+), 3 deletions(-)
create mode 100644 kernel/audit_exe.c
create mode 100644 kernel/audit_fsnotify.c
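Added example, not part of the patch series or the cover letter: a small parser that takes the ausearch records from the test run above, groups them by audit serial, decodes the hex PROCTITLE record and pulls out the fields a reviewer checks to confirm the exe= rule fired (key, exe, argv, created path). It handles both the old "UNKNOWN[1327]" spelling shown above and the later "PROCTITLE" record name (1327 is AUDIT_PROCTITLE).

```python
import re
from collections import defaultdict

# The records below are copied from the test run in the cover letter (serial 132).
RECORDS = """\
type=UNKNOWN[1327] msg=audit(1404317927.319:132): proctitle=746F756368002F746D702F74657374
type=PATH msg=audit(1404317927.319:132): item=1 name="/tmp/test" inode=25997 dev=00:20 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE
type=PATH msg=audit(1404317927.319:132): item=0 name="/tmp/" inode=11144 dev=00:20 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT
type=CWD msg=audit(1404317927.319:132): cwd="/root"
type=SYSCALL msg=audit(1404317927.319:132): arch=c000003e syscall=2 success=yes exit=3 a0=7ffffa403dd5 a1=941 a2=1b6 a3=34b65b2c6c items=2 ppid=4321 pid=6436 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="touch" exe="/usr/bin/touch" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="touch_tmp"
"""

# type=<record type> msg=audit(<timestamp>:<serial>): <key=value fields>
HEADER = re.compile(r'^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<rest>.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into (type, serial, {field: value}); None if not a record."""
    m = HEADER.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD.findall(m.group('rest'))}
    return m.group('type'), int(m.group('serial')), fields


def group_events(text):
    """Records that share a serial belong to one event: {serial: {type: [fields, ...]}}."""
    events = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        parsed = parse_record(line)
        if parsed:
            rtype, serial, fields = parsed
            events[serial][rtype].append(fields)
    return events


def decode_proctitle(hexstr):
    """PROCTITLE carries argv hex-encoded with NUL separators; return it as a list."""
    return [arg.decode('utf-8', 'replace') for arg in bytes.fromhex(hexstr).split(b'\0')]


def summarize(event):
    """Collect what matters for an exe= rule: which rule key fired, for which binary and argv."""
    syscall = event['SYSCALL'][0]
    proctitle = (event.get('PROCTITLE') or event.get('UNKNOWN[1327]'))[0]['proctitle']
    created = [p['name'] for p in event['PATH'] if p.get('nametype') == 'CREATE']
    return {'key': syscall.get('key'), 'exe': syscall.get('exe'),
            'success': syscall.get('success'), 'argv': decode_proctitle(proctitle),
            'created': created}
```

Note that the rule was added as exe=/bin/touch while the SYSCALL record reports exe="/usr/bin/touch": the match is on the device and inode resolved from the rule path, as the cover letter describes, not on the path string, so the two spellings of the same binary match.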