* Re: [PATCH v2] audit: removing unused variable
From: Joe Perches @ 2015-10-29 4:32 UTC (permalink / raw)
To: Saurabh Sengar; +Cc: paul, eparis, linux-audit, linux-kernel
In-Reply-To: <1446091912-6001-1-git-send-email-saurabh.truth@gmail.com>
On Thu, 2015-10-29 at 09:41 +0530, Saurabh Sengar wrote:
> variable rc is unnecessary hence removing it,
> also as the return type of function audit_log_common_recv_msg is no
> where used changing it to void.
Almost, but not quite. Keep at it.
Ideally your first attempts at kernel patching
should be done in the drivers/staging/ directory
before attempting patches outside of that path.
> diff --git a/kernel/audit.c b/kernel/audit.c
[]
> @@ -684,25 +684,24 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
> return err;
> }
>
> -static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type)
> +static void audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type)
> {
> - int rc = 0;
> uid_t uid = from_kuid(&init_user_ns, current_uid());
> pid_t pid = task_tgid_nr(current);
>
> if (!audit_enabled && msg_type != AUDIT_USER_AVC) {
> *ab = NULL;
> - return rc;
> + return ;
There's an unnecessary space before the semicolon.
This should be
return;
> }
>
> *ab = audit_log_start(NULL, GFP_KERNEL, msg_type);
> if (unlikely(!*ab))
> - return rc;
> + return ;
here too
> audit_log_format(*ab, "pid=%d uid=%u", pid, uid);
> audit_log_session_info(*ab);
> audit_log_task_context(*ab);
>
> - return rc;
> + return ;
No return statement necessary here at all
> }
>
> int is_audit_feature_set(int i)
^ permalink raw reply
* [PATCH v2] audit: removing unused variable
From: Saurabh Sengar @ 2015-10-29 4:11 UTC (permalink / raw)
To: paul, eparis, linux-audit, linux-kernel; +Cc: Saurabh Sengar
variable rc is unnecessary hence removing it,
also as the return type of function audit_log_common_recv_msg is no
where used changing it to void.
Signed-off-by: Saurabh Sengar <saurabh.truth@gmail.com>
---
kernel/audit.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 662c007..b572115 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -684,25 +684,24 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
return err;
}
-static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type)
+static void audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type)
{
- int rc = 0;
uid_t uid = from_kuid(&init_user_ns, current_uid());
pid_t pid = task_tgid_nr(current);
if (!audit_enabled && msg_type != AUDIT_USER_AVC) {
*ab = NULL;
- return rc;
+ return ;
}
*ab = audit_log_start(NULL, GFP_KERNEL, msg_type);
if (unlikely(!*ab))
- return rc;
+ return ;
audit_log_format(*ab, "pid=%d uid=%u", pid, uid);
audit_log_session_info(*ab);
audit_log_task_context(*ab);
- return rc;
+ return ;
}
int is_audit_feature_set(int i)
--
1.9.1
^ permalink raw reply related
* Re: [PATCH] audit: removing unused variable
From: Joe Perches @ 2015-10-28 22:12 UTC (permalink / raw)
To: Paul Moore; +Cc: Saurabh Sengar, eparis, linux-audit, linux-kernel
In-Reply-To: <7739343.KgmgksQykM@sifl>
On Wed, 2015-10-28 at 16:35 -0400, Paul Moore wrote:
> On Wednesday, October 28, 2015 09:40:34 AM Saurabh Sengar wrote:
> > variavle rc in not required as it is just used for unchanged for return,
> > and return is always 0 in the function.
[]
> Thanks, applied with some spelling corrections to the description.
As the return value is never actually tested,
it seems better to make it a void function,
> > diff --git a/kernel/audit.c b/kernel/audit.c
[]
> > @@ -686,23 +686,22 @@ static int audit_netlink_ok(struct sk_buff *skb, u16
> > msg_type)
> >
> > static int audit_log_common_recv_msg(struct audit_buffer **ab, u16
> > msg_type) {
> > - int rc = 0;
> > uid_t uid = from_kuid(&init_user_ns, current_uid());
> > pid_t pid = task_tgid_nr(current);
> >
> > if (!audit_enabled && msg_type != AUDIT_USER_AVC) {
> > *ab = NULL;
> > - return rc;
> > + return 0;
> > }
> >
> > *ab = audit_log_start(NULL, GFP_KERNEL, msg_type);
> > if (unlikely(!*ab))
> > - return rc;
> > + return 0;
> > audit_log_format(*ab, "pid=%d uid=%u", pid, uid);
> > audit_log_session_info(*ab);
> > audit_log_task_context(*ab);
> >
> > - return rc;
> > + return 0;
> > }
> >
> > int is_audit_feature_set(int i)
>
^ permalink raw reply
* [PATCH] audit: make audit_log_common_recv_msg() a void function
From: Paul Moore @ 2015-10-28 20:41 UTC (permalink / raw)
To: linux-audit
It always returns zero and no one is checking the return value.
Signed-off-by: Paul Moore <pmoore@redhat.com>
---
kernel/audit.c | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 0b81880..4d3cdcd 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -699,24 +699,22 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
return err;
}
-static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type)
+static void audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type)
{
uid_t uid = from_kuid(&init_user_ns, current_uid());
pid_t pid = task_tgid_nr(current);
if (!audit_enabled && msg_type != AUDIT_USER_AVC) {
*ab = NULL;
- return 0;
+ return;
}
*ab = audit_log_start(NULL, GFP_KERNEL, msg_type);
if (unlikely(!*ab))
- return 0;
+ return;
audit_log_format(*ab, "pid=%d uid=%u", pid, uid);
audit_log_session_info(*ab);
audit_log_task_context(*ab);
-
- return 0;
}
int is_audit_feature_set(int i)
^ permalink raw reply related
* Re: [PATCH] audit: removing unused variable
From: Paul Moore @ 2015-10-28 20:35 UTC (permalink / raw)
To: Saurabh Sengar; +Cc: eparis, linux-audit, linux-kernel
In-Reply-To: <1446005434-4306-1-git-send-email-saurabh.truth@gmail.com>
On Wednesday, October 28, 2015 09:40:34 AM Saurabh Sengar wrote:
> variavle rc in not required as it is just used for unchanged for return,
> and return is always 0 in the function.
>
> Signed-off-by: Saurabh Sengar <saurabh.truth@gmail.com>
> ---
> kernel/audit.c | 7 +++----
> 1 file changed, 3 insertions(+), 4 deletions(-)
Thanks, applied with some spelling corrections to the description.
> diff --git a/kernel/audit.c b/kernel/audit.c
> index 662c007..409482f 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -686,23 +686,22 @@ static int audit_netlink_ok(struct sk_buff *skb, u16
> msg_type)
>
> static int audit_log_common_recv_msg(struct audit_buffer **ab, u16
> msg_type) {
> - int rc = 0;
> uid_t uid = from_kuid(&init_user_ns, current_uid());
> pid_t pid = task_tgid_nr(current);
>
> if (!audit_enabled && msg_type != AUDIT_USER_AVC) {
> *ab = NULL;
> - return rc;
> + return 0;
> }
>
> *ab = audit_log_start(NULL, GFP_KERNEL, msg_type);
> if (unlikely(!*ab))
> - return rc;
> + return 0;
> audit_log_format(*ab, "pid=%d uid=%u", pid, uid);
> audit_log_session_info(*ab);
> audit_log_task_context(*ab);
>
> - return rc;
> + return 0;
> }
>
> int is_audit_feature_set(int i)
--
paul moore
www.paul-moore.com
^ permalink raw reply
* Re: [RFC PATCH 0/7] audit: clean up audit queue handling
From: Paul Moore @ 2015-10-28 18:58 UTC (permalink / raw)
To: Richard Guy Briggs; +Cc: v.rathor, linux-kernel, linux-audit
In-Reply-To: <20151028184318.GB1359@madcap2.tricolour.ca>
On Wednesday, October 28, 2015 02:43:18 PM Richard Guy Briggs wrote:
> On 15/10/27, Paul Moore wrote:
> > On Thursday, October 22, 2015 02:53:13 PM Richard Guy Briggs wrote:
> > > This set of patches cleans up a number of corner cases in the management
> > > of the audit queue.
> > >
> > > Richard Guy Briggs (7):
> > > audit: don't needlessly reset valid wait time
> > > audit: include auditd's threads in audit_log_start() wait exception
> > > audit: allow systemd to use queue reserves
> > > audit: wake up threads if queue switched from limited to unlimited
> > > audit: allow audit_cmd_mutex holders to use reserves
> > > audit: wake up audit_backlog_wait queue when auditd goes away.
> > > audit: wake up kauditd_thread after auditd registers
> > >
> > > kernel/audit.c | 20 +++++++++++++++-----
> > > 1 files changed, 15 insertions(+), 5 deletions(-)
> >
> > Due to the fact that these patches were posted late in the 4.3-rcX cycle,
> > I've decided not to merge these into linux-audit#next for the upcoming
> > merge window. I still need to take a closer look and properly review
> > these patches, but I wanted to let you know why I haven't acted on them
> > yet.
>
> No problem, at least it is out of my queue, as long as we have enough
> time to hit the next one. :)
Definitely. I just start getting twitchy about accepting non-trivial patches
post -rc5(ish).
--
paul moore
security @ redhat
^ permalink raw reply
* Re: [RFC PATCH 0/7] audit: clean up audit queue handling
From: Richard Guy Briggs @ 2015-10-28 18:43 UTC (permalink / raw)
To: Paul Moore; +Cc: linux-audit, linux-kernel, sgrubb, eparis, v.rathor, ctcard
In-Reply-To: <8462372.4Lu2FckRET@sifl>
On 15/10/27, Paul Moore wrote:
> On Thursday, October 22, 2015 02:53:13 PM Richard Guy Briggs wrote:
> > This set of patches cleans up a number of corner cases in the management
> > of the audit queue.
> >
> > Richard Guy Briggs (7):
> > audit: don't needlessly reset valid wait time
> > audit: include auditd's threads in audit_log_start() wait exception
> > audit: allow systemd to use queue reserves
> > audit: wake up threads if queue switched from limited to unlimited
> > audit: allow audit_cmd_mutex holders to use reserves
> > audit: wake up audit_backlog_wait queue when auditd goes away.
> > audit: wake up kauditd_thread after auditd registers
> >
> > kernel/audit.c | 20 +++++++++++++++-----
> > 1 files changed, 15 insertions(+), 5 deletions(-)
>
> Due to the fact that these patches were posted late in the 4.3-rcX cycle, I've
> decided not to merge these into linux-audit#next for the upcoming merge
> window. I still need to take a closer look and properly review these patches,
> but I wanted to let you know why I haven't acted on them yet.
No problem, at least it is out of my queue, as long as we have enough
time to hit the next one. :)
> paul moore
- RGB
--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
^ permalink raw reply
* [PATCH] audit: removing unused variable
From: Saurabh Sengar @ 2015-10-28 4:10 UTC (permalink / raw)
To: paul, eparis, linux-audit, linux-kernel; +Cc: Saurabh Sengar
variavle rc in not required as it is just used for unchanged for return,
and return is always 0 in the function.
Signed-off-by: Saurabh Sengar <saurabh.truth@gmail.com>
---
kernel/audit.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 662c007..409482f 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -686,23 +686,22 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type)
{
- int rc = 0;
uid_t uid = from_kuid(&init_user_ns, current_uid());
pid_t pid = task_tgid_nr(current);
if (!audit_enabled && msg_type != AUDIT_USER_AVC) {
*ab = NULL;
- return rc;
+ return 0;
}
*ab = audit_log_start(NULL, GFP_KERNEL, msg_type);
if (unlikely(!*ab))
- return rc;
+ return 0;
audit_log_format(*ab, "pid=%d uid=%u", pid, uid);
audit_log_session_info(*ab);
audit_log_task_context(*ab);
- return rc;
+ return 0;
}
int is_audit_feature_set(int i)
--
1.9.1
^ permalink raw reply related
* Re: [PATCH 2/2] Fixed Trivial Warnings in file: Deleted Spaces prior to tabs, and added lines. modified: kernel/auditfilter.c
From: Joe Perches @ 2015-10-27 19:54 UTC (permalink / raw)
To: Richard Guy Briggs
Cc: Scott Matheina, Paul Moore, linux-audit, trivial, linux-kernel
In-Reply-To: <20151022021500.GD5269@madcap2.tricolour.ca>
On Wed, 2015-10-21 at 22:15 -0400, Richard Guy Briggs wrote:
> On 15/10/21, Scott Matheina wrote:
> > On 10/21/2015 10:33 AM, Richard Guy Briggs wrote:
> > > On 15/10/21, Joe Perches wrote:
> > >> On Mon, 2015-10-19 at 12:10 -0400, Richard Guy Briggs wrote:
> > >>> On 15/10/18, Scott Matheina wrote:
> > >>>> On 10/14/2015 04:54 PM, Paul Moore wrote:
> > >>>>> On Saturday, October 10, 2015 08:57:55 PM Scott Matheina wrote:
> > >> []
> > >>>>>> diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
> > >> []
> > >>>>>> @@ -109,6 +109,7 @@ void audit_free_rule_rcu(struct rcu_head *head)
> > >>>>>> {
> > >>>>>> struct audit_entry *e = container_of(head, struct audit_entry, rcu);
> > >>>>>> audit_free_rule(e);
> > >>>>>> +
> > >>>>>> }
> > >>>>> Why?
> > >>>> I was following the error messages in checkpatch.pl, but the warning
> > >>>> went away after adding this line. No problem with the code.
> > >>> That sounds like a bug in checkpatch.pl, since that blank line should be
> > >>> tween the declaration and the function call.
> > >> checkpatch message asks for a blank line after the
> > >> "struct audit_entry *e = ..." declaration.
> > > Well then maybe it is a bug in his interpretation of the output of
> > > checkpatch.pl? Scott, did you re-run checkpatch.pl after adding those
> > > spaces? Did it pass?
> >
> > The error did go away.
>
> Joe, I confirm the error went away. Looks like a bug in checkpatch.pl
> to me.
It's not a bug in checkpatch.
checkpatch doesn't care if there are blank lines between declarations.
Here's the output of checkpatch for this area:
WARNING: Missing a blank line after declarations
#111: FILE: kernel/auditfilter.c:111:
+ struct audit_entry *e = container_of(head, struct audit_entry, rcu);
+ audit_free_rule(e);
That doesn't suggest putting a blank line before line 111.
It suggests putting a blank line after the declaration of e.
^ permalink raw reply
* Re: [RFC PATCH 0/7] audit: clean up audit queue handling
From: Paul Moore @ 2015-10-27 18:44 UTC (permalink / raw)
To: Richard Guy Briggs
Cc: linux-audit, linux-kernel, sgrubb, eparis, v.rathor, ctcard
In-Reply-To: <cover.1445539473.git.rgb@redhat.com>
On Thursday, October 22, 2015 02:53:13 PM Richard Guy Briggs wrote:
> This set of patches cleans up a number of corner cases in the management
> of the audit queue.
>
> Richard Guy Briggs (7):
> audit: don't needlessly reset valid wait time
> audit: include auditd's threads in audit_log_start() wait exception
> audit: allow systemd to use queue reserves
> audit: wake up threads if queue switched from limited to unlimited
> audit: allow audit_cmd_mutex holders to use reserves
> audit: wake up audit_backlog_wait queue when auditd goes away.
> audit: wake up kauditd_thread after auditd registers
>
> kernel/audit.c | 20 +++++++++++++++-----
> 1 files changed, 15 insertions(+), 5 deletions(-)
Due to the fact that these patches were posted late in the 4.3-rcX cycle, I've
decided not to merge these into linux-audit#next for the upcoming merge
window. I still need to take a closer look and properly review these patches,
but I wanted to let you know why I haven't acted on them yet.
--
paul moore
security @ redhat
^ permalink raw reply
* Re: Running auditd from Raspberry Pi (Raspbian)
From: Steve Grubb @ 2015-10-27 3:12 UTC (permalink / raw)
To: Kangkook Jee; +Cc: linux-audit
In-Reply-To: <75B9BC31-3878-4739-8F47-369C4FD5FFA5@gmail.com>
On Monday, October 26, 2015 05:18:12 PM Kangkook Jee wrote:
> This time, I built with —with-arm option and tried again. It still fails but
> with different error message.
>
>
> pi@raspberrypi ~/audit-2.4.4 $ grep arm config.status
> ac_cs_config="'--with-arm'"
> set X /bin/bash './configure' '--with-arm' $ac_configure_extra_args
> --no-create --no-recursion host='armv7l-unknown-linux-gnueabihf'
> build='armv7l-unknown-linux-gnueabihf'
> sys_lib_search_path_spec='/usr/lib/gcc/arm-linux-gnueabihf/4.9
> /usr/lib/arm-linux-gnueabihf /usr/lib /lib/arm-linux-gnueabihf /lib '
> sys_lib_dlsearch_path_spec='/lib64 /usr/lib64 /lib /usr/lib /opt/vc/lib
> /lib/arm-linux-gnueabihf /usr/lib/arm-linux-gnueabihf
> /usr/lib/arm-linux-gnueabihf/libfakeroot /usr/local/lib '
> S["target_cpu"]="armv7l"
> S["target"]="armv7l-unknown-linux-gnueabihf"
> S["host_cpu"]="armv7l"
> S["host"]="armv7l-unknown-linux-gnueabihf"
> S["build_cpu"]="armv7l"
> S["build"]="armv7l-unknown-linux-gnueabihf"
> pi@raspberrypi ~/audit-2.4.4 $ sudo src/auditctl -a exit,always -S execve
> Error sending add rule data request (Invalid argument)
If this works:
ausyscall armeb open
returns something like:
open 5
mq_open 274
openat 322
perf_event_open 364
open_by_handle_at 371
Then user space is working. Anything else would be kernel issues.
-Steve
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
^ permalink raw reply
* Re: [PATCH] Fix to:WARNING: please, no space before tabs modified: kernel/auditfilter.c
From: Scott Matheina @ 2015-10-26 23:02 UTC (permalink / raw)
To: Paul Moore; +Cc: linux-audit
In-Reply-To: <CAHC9VhRczO=dh=94+SqunfcoDfkZQ1KoGsBUK035hKkfayjU9Q@mail.gmail.com>
On 10/26/15 3:07 PM, Paul Moore wrote:
> On Sunday, October 25, 2015 09:00:49 PM Scott Matheina wrote:
>> Signed-off-by: Scott Matheina <scott@matheina.com>
>> ---
>> kernel/auditfilter.c | 14 +++++++-------
>> 1 file changed, 7 insertions(+), 7 deletions(-)
> [NOTE: Adding the linux-audit list to the CC line]
>
> Applied, but I modified the patch subject line to "audit: fix comment block
> whitespace" as the original was a bit verbose. You can check the mailing list
> archive, or the git log, to see what people typically use for patch subject
> lines.
Thanks!
>
>> diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
>> index 7714d93..b8ff9e1 100644
>> --- a/kernel/auditfilter.c
>> +++ b/kernel/auditfilter.c
>> @@ -39,13 +39,13 @@
>> * Locking model:
>> *
>> * audit_filter_mutex:
>> - * Synchronizes writes and blocking reads of audit's filterlist
>> - * data. Rcu is used to traverse the filterlist and access
>> - * contents of structs audit_entry, audit_watch and opaque
>> - * LSM rules during filtering. If modified, these structures
>> - * must be copied and replace their counterparts in the filterlist.
>> - * An audit_parent struct is not accessed during filtering, so may
>> - * be written directly provided audit_filter_mutex is held.
>> + * Synchronizes writes and blocking reads of audit's filterlist
>> + * data. Rcu is used to traverse the filterlist and access
>> + * contents of structs audit_entry, audit_watch and opaque
>> + * LSM rules during filtering. If modified, these structures
>> + * must be copied and replace their counterparts in the filterlist.
>> + * An audit_parent struct is not accessed during filtering, so may
>> + * be written directly provided audit_filter_mutex is held.
>> */
>>
>> /* Audit filter lists, defined in <linux/audit.h> */
^ permalink raw reply
* Re: Running auditd from Raspberry Pi (Raspbian)
From: Kangkook Jee @ 2015-10-26 21:18 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
In-Reply-To: <079DE06B-6E74-486D-8031-847A378DACF8@gmail.com>
[-- Attachment #1.1: Type: text/plain, Size: 2946 bytes --]
This time, I built with —with-arm option and tried again. It still fails but with different error message.
pi@raspberrypi ~/audit-2.4.4 $ grep arm config.status
ac_cs_config="'--with-arm'"
set X /bin/bash './configure' '--with-arm' $ac_configure_extra_args --no-create --no-recursion
host='armv7l-unknown-linux-gnueabihf'
build='armv7l-unknown-linux-gnueabihf'
sys_lib_search_path_spec='/usr/lib/gcc/arm-linux-gnueabihf/4.9 /usr/lib/arm-linux-gnueabihf /usr/lib /lib/arm-linux-gnueabihf /lib '
sys_lib_dlsearch_path_spec='/lib64 /usr/lib64 /lib /usr/lib /opt/vc/lib /lib/arm-linux-gnueabihf /usr/lib/arm-linux-gnueabihf /usr/lib/arm-linux-gnueabihf/libfakeroot /usr/local/lib '
S["target_cpu"]="armv7l"
S["target"]="armv7l-unknown-linux-gnueabihf"
S["host_cpu"]="armv7l"
S["host"]="armv7l-unknown-linux-gnueabihf"
S["build_cpu"]="armv7l"
S["build"]="armv7l-unknown-linux-gnueabihf"
pi@raspberrypi ~/audit-2.4.4 $ sudo src/auditctl -a exit,always -S execve
Error sending add rule data request (Invalid argument)
> On Oct 26, 2015, at 4:57 PM, Kangkook Jee <aixer77@gmail.com> wrote:
>
> I added “—with-armeb” should it be just “—with-arm” ?
>
> This following shows my configuration status.
>
> pi@raspberrypi ~/audit-2.4.4 $ grep arm config.status
> ac_cs_config="'--with-armeb'"
> set X /bin/bash './configure' '--with-armeb' $ac_configure_extra_args --no-create --no-recursion
> host='armv7l-unknown-linux-gnueabihf'
> build='armv7l-unknown-linux-gnueabihf'
> sys_lib_search_path_spec='/usr/lib/gcc/arm-linux-gnueabihf/4.9 /usr/lib/arm-linux-gnueabihf /usr/lib /lib/arm-linux-gnueabihf /lib '
> sys_lib_dlsearch_path_spec='/lib64 /usr/lib64 /lib /usr/lib /opt/vc/lib /lib/arm-linux-gnueabihf /usr/lib/arm-linux-gnueabihf /usr/lib/arm-linux-gnueabihf/libfakeroot /usr/local/lib '
> S["target_cpu"]="armv7l"
> S["target"]="armv7l-unknown-linux-gnueabihf"
> S["host_cpu"]="armv7l"
> S["host"]="armv7l-unknown-linux-gnueabihf"
> S["build_cpu"]="armv7l"
> S["build"]="armv7l-unknown-linux-gnueabihf”
>
>
>> On Oct 26, 2015, at 4:37 PM, Steve Grubb <sgrubb@redhat.com> wrote:
>>
>> On Monday, October 26, 2015 04:25:57 PM Kangkook Jee wrote:
>>> Dear Steve,
>>>
>>> I built auditctl from recent audit source and tried it again but I failed
>>> with the following errors.
>>>
>>> pi@raspberrypi ~/audit-2.4.4 $ sudo auditctl -e1 -b 102400
>>> AUDIT_STATUS: enabled=1 flag=1 pid=2022 rate_limit=0 backlog_limit=320
>>> lost=0 backlog=0 (reverse-i-search)`b': sudo auditctl -e1 -^C102400
>>> pi@raspberrypi ~/audit-2.4.4 $ sudo src/auditctl -a exit,always -F
>>> arch=armeb -S clone arch elf mapping not found
>>> pi@raspberrypi ~/audit-2.4.4 $ sudo src/auditctl -a exit,always -S clone
>>> Error detecting machine type
>>>
>>> Would you help me with this?
>>
>> Did you add --with-arm to the ./configure line? Its disabled by default.
>>
>> -Steve
>
[-- Attachment #1.2: Type: text/html, Size: 4293 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
^ permalink raw reply
* Re: Running auditd from Raspberry Pi (Raspbian)
From: Kangkook Jee @ 2015-10-26 20:57 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
In-Reply-To: <2580157.z3kgxFZchv@x2>
I added “—with-armeb” should it be just “—with-arm” ?
This following shows my configuration status.
pi@raspberrypi ~/audit-2.4.4 $ grep arm config.status
ac_cs_config="'--with-armeb'"
set X /bin/bash './configure' '--with-armeb' $ac_configure_extra_args --no-create --no-recursion
host='armv7l-unknown-linux-gnueabihf'
build='armv7l-unknown-linux-gnueabihf'
sys_lib_search_path_spec='/usr/lib/gcc/arm-linux-gnueabihf/4.9 /usr/lib/arm-linux-gnueabihf /usr/lib /lib/arm-linux-gnueabihf /lib '
sys_lib_dlsearch_path_spec='/lib64 /usr/lib64 /lib /usr/lib /opt/vc/lib /lib/arm-linux-gnueabihf /usr/lib/arm-linux-gnueabihf /usr/lib/arm-linux-gnueabihf/libfakeroot /usr/local/lib '
S["target_cpu"]="armv7l"
S["target"]="armv7l-unknown-linux-gnueabihf"
S["host_cpu"]="armv7l"
S["host"]="armv7l-unknown-linux-gnueabihf"
S["build_cpu"]="armv7l"
S["build"]="armv7l-unknown-linux-gnueabihf”
> On Oct 26, 2015, at 4:37 PM, Steve Grubb <sgrubb@redhat.com> wrote:
>
> On Monday, October 26, 2015 04:25:57 PM Kangkook Jee wrote:
>> Dear Steve,
>>
>> I built auditctl from recent audit source and tried it again but I failed
>> with the following errors.
>>
>> pi@raspberrypi ~/audit-2.4.4 $ sudo auditctl -e1 -b 102400
>> AUDIT_STATUS: enabled=1 flag=1 pid=2022 rate_limit=0 backlog_limit=320
>> lost=0 backlog=0 (reverse-i-search)`b': sudo auditctl -e1 -^C102400
>> pi@raspberrypi ~/audit-2.4.4 $ sudo src/auditctl -a exit,always -F
>> arch=armeb -S clone arch elf mapping not found
>> pi@raspberrypi ~/audit-2.4.4 $ sudo src/auditctl -a exit,always -S clone
>> Error detecting machine type
>>
>> Would you help me with this?
>
> Did you add --with-arm to the ./configure line? Its disabled by default.
>
> -Steve
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
^ permalink raw reply
* Re: Running auditd from Raspberry Pi (Raspbian)
From: Steve Grubb @ 2015-10-26 20:37 UTC (permalink / raw)
To: Kangkook Jee; +Cc: linux-audit
In-Reply-To: <7941F2ED-39A0-45E7-815D-5F46CD859579@gmail.com>
On Monday, October 26, 2015 04:25:57 PM Kangkook Jee wrote:
> Dear Steve,
>
> I built auditctl from recent audit source and tried it again but I failed
> with the following errors.
>
> pi@raspberrypi ~/audit-2.4.4 $ sudo auditctl -e1 -b 102400
> AUDIT_STATUS: enabled=1 flag=1 pid=2022 rate_limit=0 backlog_limit=320
> lost=0 backlog=0 (reverse-i-search)`b': sudo auditctl -e1 -^C102400
> pi@raspberrypi ~/audit-2.4.4 $ sudo src/auditctl -a exit,always -F
> arch=armeb -S clone arch elf mapping not found
> pi@raspberrypi ~/audit-2.4.4 $ sudo src/auditctl -a exit,always -S clone
> Error detecting machine type
>
> Would you help me with this?
Did you add --with-arm to the ./configure line? Its disabled by default.
-Steve
^ permalink raw reply
* Re: Running auditd from Raspberry Pi (Raspbian)
From: Kangkook Jee @ 2015-10-26 20:25 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
In-Reply-To: <1761781.EmJWtSeSBl@x2>
Dear Steve,
I built auditctl from recent audit source and tried it again but I failed with the following errors.
pi@raspberrypi ~/audit-2.4.4 $ sudo auditctl -e1 -b 102400
AUDIT_STATUS: enabled=1 flag=1 pid=2022 rate_limit=0 backlog_limit=320 lost=0 backlog=0
(reverse-i-search)`b': sudo auditctl -e1 -^C102400
pi@raspberrypi ~/audit-2.4.4 $ sudo src/auditctl -a exit,always -F arch=armeb -S clone
arch elf mapping not found
pi@raspberrypi ~/audit-2.4.4 $ sudo src/auditctl -a exit,always -S clone
Error detecting machine type
Would you help me with this?
Thanks a lot for your help again!
Regards, Kangkook
> On Oct 26, 2015, at 11:55 AM, Steve Grubb <sgrubb@redhat.com> wrote:
>
> On Friday, October 23, 2015 07:16:40 PM Kangkook Jee wrote:
>> Hi, all
>>
>> From my Raspberry Pi machine (running Debian Wheezy distribution), I could
>> see the kernel is built with audit enabled, and I could manage to install
>> user-space audit client with the following command.
>>
>> pi@raspberrypi ~ $ sudo apt-get install auditd
>>
>> However, when I tried to enable audit issuing the following commands it
>> doesn’t seem to run properly.
>>
>> pi@raspberrypi ~ $ sudo auditctl -l
>> No rules
>> pi@raspberrypi ~ $ sudo auditctl -a entry,always -S open
>> Error detecting machine type
>> pi@raspberrypi ~ $ sudo auditctl -a entry,always -F arch=armeb -S open
>> arch=armeb machine type not found
>>
>> Can anyone tell me whether audit support ARM based linux systems?
>
> Yes. It was added starting in 2.0.4 and was corrected several times.
>
>
>> Here’s my system information and thanks a lot for your help in advance!
>>
>> pi@raspberrypi ~ $ sudo uname -a
>> Linux raspberrypi 3.18.11-v7+ #781 SMP PREEMPT Tue Apr 21 18:07:59 BST 2015
>> armv7l GNU/Linux
>>
>> pi@raspberrypi ~ $ dpkg -l |grep audit
>> ii auditd 1:1.7.18-1.1
>> armhf User space tools for security auditing ii libaudit0
>> 1:1.7.18-1.1 armhf
>
> That one is too old. You need a newer audit package.
>
> -Steve
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
^ permalink raw reply
* Re: [PATCH] Fix to:WARNING: please, no space before tabs modified: kernel/auditfilter.c
From: Paul Moore @ 2015-10-26 20:07 UTC (permalink / raw)
To: Scott Matheina; +Cc: linux-audit
In-Reply-To: <1445824849-4089-1-git-send-email-scott@matheina.com>
On Sunday, October 25, 2015 09:00:49 PM Scott Matheina wrote:
> Signed-off-by: Scott Matheina <scott@matheina.com>
> ---
> kernel/auditfilter.c | 14 +++++++-------
> 1 file changed, 7 insertions(+), 7 deletions(-)
[NOTE: Adding the linux-audit list to the CC line]
Applied, but I modified the patch subject line to "audit: fix comment block
whitespace" as the original was a bit verbose. You can check the mailing list
archive, or the git log, to see what people typically use for patch subject
lines.
> diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
> index 7714d93..b8ff9e1 100644
> --- a/kernel/auditfilter.c
> +++ b/kernel/auditfilter.c
> @@ -39,13 +39,13 @@
> * Locking model:
> *
> * audit_filter_mutex:
> - * Synchronizes writes and blocking reads of audit's filterlist
> - * data. Rcu is used to traverse the filterlist and access
> - * contents of structs audit_entry, audit_watch and opaque
> - * LSM rules during filtering. If modified, these structures
> - * must be copied and replace their counterparts in the filterlist.
> - * An audit_parent struct is not accessed during filtering, so may
> - * be written directly provided audit_filter_mutex is held.
> + * Synchronizes writes and blocking reads of audit's filterlist
> + * data. Rcu is used to traverse the filterlist and access
> + * contents of structs audit_entry, audit_watch and opaque
> + * LSM rules during filtering. If modified, these structures
> + * must be copied and replace their counterparts in the filterlist.
> + * An audit_parent struct is not accessed during filtering, so may
> + * be written directly provided audit_filter_mutex is held.
> */
>
> /* Audit filter lists, defined in <linux/audit.h> */
--
paul moore
www.paul-moore.com
^ permalink raw reply
* Re: Running auditd from Raspberry Pi (Raspbian)
From: Kangkook Jee @ 2015-10-26 17:13 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
In-Reply-To: <1761781.EmJWtSeSBl@x2>
Thanks a lot for your support. I will try with newer version and let you know how it goes!
Regards, Kangkook
> On Oct 26, 2015, at 11:55 AM, Steve Grubb <sgrubb@redhat.com> wrote:
>
> On Friday, October 23, 2015 07:16:40 PM Kangkook Jee wrote:
>> Hi, all
>>
>> From my Raspberry Pi machine (running Debian Wheezy distribution), I could
>> see the kernel is built with audit enabled, and I could manage to install
>> user-space audit client with the following command.
>>
>> pi@raspberrypi ~ $ sudo apt-get install auditd
>>
>> However, when I tried to enable audit issuing the following commands it
>> doesn’t seem to run properly.
>>
>> pi@raspberrypi ~ $ sudo auditctl -l
>> No rules
>> pi@raspberrypi ~ $ sudo auditctl -a entry,always -S open
>> Error detecting machine type
>> pi@raspberrypi ~ $ sudo auditctl -a entry,always -F arch=armeb -S open
>> arch=armeb machine type not found
>>
>> Can anyone tell me whether audit support ARM based linux systems?
>
> Yes. It was added starting in 2.0.4 and was corrected several times.
>
>
>> Here’s my system information and thanks a lot for your help in advance!
>>
>> pi@raspberrypi ~ $ sudo uname -a
>> Linux raspberrypi 3.18.11-v7+ #781 SMP PREEMPT Tue Apr 21 18:07:59 BST 2015
>> armv7l GNU/Linux
>>
>> pi@raspberrypi ~ $ dpkg -l |grep audit
>> ii auditd 1:1.7.18-1.1
>> armhf User space tools for security auditing ii libaudit0
>> 1:1.7.18-1.1 armhf
>
> That one is too old. You need a newer audit package.
>
> -Steve
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
^ permalink raw reply
* Re: Running auditd from Raspberry Pi (Raspbian)
From: Steve Grubb @ 2015-10-26 15:55 UTC (permalink / raw)
To: linux-audit
In-Reply-To: <E4233D65-A74A-4AE0-819C-BE1863408B26@gmail.com>
On Friday, October 23, 2015 07:16:40 PM Kangkook Jee wrote:
> Hi, all
>
> From my Raspberry Pi machine (running Debian Wheezy distribution), I could
> see the kernel is built with audit enabled, and I could manage to install
> user-space audit client with the following command.
>
> pi@raspberrypi ~ $ sudo apt-get install auditd
>
> However, when I tried to enable audit issuing the following commands it
> doesn’t seem to run properly.
>
> pi@raspberrypi ~ $ sudo auditctl -l
> No rules
> pi@raspberrypi ~ $ sudo auditctl -a entry,always -S open
> Error detecting machine type
> pi@raspberrypi ~ $ sudo auditctl -a entry,always -F arch=armeb -S open
> arch=armeb machine type not found
>
> Can anyone tell me whether audit support ARM based linux systems?
Yes. It was added starting in 2.0.4 and was corrected several times.
> Here’s my system information and thanks a lot for your help in advance!
>
> pi@raspberrypi ~ $ sudo uname -a
> Linux raspberrypi 3.18.11-v7+ #781 SMP PREEMPT Tue Apr 21 18:07:59 BST 2015
> armv7l GNU/Linux
>
> pi@raspberrypi ~ $ dpkg -l |grep audit
> ii auditd 1:1.7.18-1.1
> armhf User space tools for security auditing ii libaudit0
> 1:1.7.18-1.1 armhf
That one is too old. You need a newer audit package.
-Steve
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
^ permalink raw reply
* Re: [PATCH 2/2] Fixed Trivial Warnings in file: Deleted Spaces prior to tabs, and added lines. modified: kernel/auditfilter.c
From: Scott Matheina @ 2015-10-25 23:53 UTC (permalink / raw)
To: Richard Guy Briggs
Cc: Joe Perches, Paul Moore, linux-audit, trivial, linux-kernel
In-Reply-To: <20151022021500.GD5269@madcap2.tricolour.ca>
On 10/21/2015 09:15 PM, Richard Guy Briggs wrote:
> On 15/10/21, Scott Matheina wrote:
>> On 10/21/2015 10:33 AM, Richard Guy Briggs wrote:
>>> On 15/10/21, Joe Perches wrote:
>>>> On Mon, 2015-10-19 at 12:10 -0400, Richard Guy Briggs wrote:
>>>>> On 15/10/18, Scott Matheina wrote:
>>>>>> On 10/14/2015 04:54 PM, Paul Moore wrote:
>>>>>>> On Saturday, October 10, 2015 08:57:55 PM Scott Matheina wrote:
>>>> []
>>>>>>>> diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
>>>> []
>>>>>>>> @@ -109,6 +109,7 @@ void audit_free_rule_rcu(struct rcu_head *head)
>>>>>>>> {
>>>>>>>> struct audit_entry *e = container_of(head, struct audit_entry, rcu);
>>>>>>>> audit_free_rule(e);
>>>>>>>> +
>>>>>>>> }
>>>>>>> Why?
>>>>>> I was following the error messages in checkpatch.pl, but the warning
>>>>>> went away after adding this line. No problem with the code.
>>>>> That sounds like a bug in checkpatch.pl, since that blank line should be
>>>>> tween the declaration and the function call.
>>>> checkpatch message asks for a blank line after the
>>>> "struct audit_entry *e = ..." declaration.
>>> Well then maybe it is a bug in his interpretation of the output of
>>> checkpatch.pl? Scott, did you re-run checkpatch.pl after adding those
>>> spaces? Did it pass?
>> The error did go away.
> Joe, I confirm the error went away. Looks like a bug in checkpatch.pl
> to me. I tried a number of combinations of things and it didn't
> complain about several things it should have. I did try a few other
> things to make sure it was still finding problems like brace placement
> and leading spaces, but it looks like the blank line checking code isn't
> working. This is on 4.0, so maybe it has been fixed since then. Scott,
> what kernel version are you using?
I had just cloned Linus' repo, so v4.3rc6.
>
>>>>>>>> while (*list != ~0U) {
>>>>>>>> +
>>>>>>>> unsigned n = *list++;
>>>>>>>> if (n >= AUDIT_BITMASK_SIZE * 32 - AUDIT_SYSCALL_CLASSES) {
>>>>>>>> kfree(p);
>>>>>>> Why?
>>>>>> This is the same as above. Just going through the checkpatch.pl
>>>>>> script, and looking for warnings to fix.
>>>>> Again, another manifestation of that bug? That blank line should be
>>>>> after the declaration and before the if statement.
>>>> []
>>>>> Well, I agree, you have to start somewhere... Too bad you hit a bug in
>>>>> checkpatch.pl!
>>>> Here too, not a bug in checkpatch.
>>>>
>>>> checkpatch output asks for a blank line after the
>>>> "unsigned n" declaration, not before.
>>> - RGB
> - RGB
>
> --
> Richard Guy Briggs <rbriggs@redhat.com>
> Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
> Remote, Ottawa, Canada
> Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
^ permalink raw reply
* Re: Should audit_seccomp check audit_enabled?
From: Paul Moore @ 2015-10-24 2:24 UTC (permalink / raw)
To: Andy Lutomirski, Kees Cook; +Cc: Richard Guy Briggs, linux-audit, linux-kernel
In-Reply-To: <CALCETrU6Vi3uBgULzAwNvThWZhX_onJpGs3=_FHPYk=jag87Cg@mail.gmail.com>
On October 23, 2015 5:30:45 PM Andy Lutomirski <luto@amacapital.net> wrote:
> On Fri, Oct 23, 2015 at 2:22 PM, Kees Cook <keescook@chromium.org> wrote:
>> On Fri, Oct 23, 2015 at 2:07 PM, Andy Lutomirski <luto@amacapital.net> wrote:
>>> On Oct 23, 2015 10:01 AM, "Kees Cook" <keescook@chromium.org> wrote:
>>>>
>>>> On Fri, Oct 23, 2015 at 9:19 AM, Andy Lutomirski <luto@amacapital.net> wrote:
>>>> > I would argue that, if auditing is off, audit_seccomp shouldn't do
>>>> > anything. After all, unlike e.g. selinux, seccomp is not a systemwide
>>>> > policy, and seccomp signals might be ordinary behavior that's internal
>>>> > to the seccomp-using application. IOW, for people with audit compiled
>>>> > in and subscribed by journald but switched off, I think that the
>>>> > records shouldn't be emitted.
>>>> >
>>>> > If you agree, I can send the two-line patch.
>>>>
>>>> I think signr==0 states (which I would identify as "intended
>>>> behavior") don't need to be reported under any situation, but audit
>>>> folks wanted to keep it around.
>>>
>>> Even if there is a nonzero signr, it could just be a program opting to
>>> trap and emulate one of its own syscalls.
>>
>> At present, that is a rare situation. Programs tend to be ptrace
>> managed externally. Is there anything catching SIGSYS itself?
>>
>
> I wrote one once. I also wrote a whole set of patches for libseccomp
> to make it easier that never went anywhere -- I should dust those off
> and package them into their own library.
It has been a while since we discussed those patches, but if I remember
correctly it was going to be very difficult to do it in an arch agnostic
way and that was a concern.
--
paul moore
www.paul-moore.com
^ permalink raw reply
* Running auditd from Raspberry Pi (Raspbian)
From: Kangkook Jee @ 2015-10-23 23:16 UTC (permalink / raw)
To: linux-audit
[-- Attachment #1.1: Type: text/plain, Size: 1226 bytes --]
Hi, all
From my Raspberry Pi machine (running Debian Wheezy distribution), I could see the kernel is built with audit enabled, and I could manage to install user-space audit client with the following command.
pi@raspberrypi ~ $ sudo apt-get install auditd
However, when I tried to enable audit issuing the following commands it doesn’t seem to run properly.
pi@raspberrypi ~ $ sudo auditctl -l
No rules
pi@raspberrypi ~ $ sudo auditctl -a entry,always -S open
Error detecting machine type
pi@raspberrypi ~ $ sudo auditctl -a entry,always -F arch=armeb -S open
arch=armeb machine type not found
Can anyone tell me whether audit support ARM based linux systems?
Here’s my system information and thanks a lot for your help in advance!
pi@raspberrypi ~ $ sudo uname -a
Linux raspberrypi 3.18.11-v7+ #781 SMP PREEMPT Tue Apr 21 18:07:59 BST 2015 armv7l GNU/Linux
pi@raspberrypi ~ $ dpkg -l |grep audit
ii auditd 1:1.7.18-1.1 armhf User space tools for security auditing
ii libaudit0 1:1.7.18-1.1 armhf Dynamic library for security auditing
Regards, Kangkook
[-- Attachment #1.2: Type: text/html, Size: 2668 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
^ permalink raw reply
* Re: Should audit_seccomp check audit_enabled?
From: Andy Lutomirski @ 2015-10-23 21:24 UTC (permalink / raw)
To: Kees Cook; +Cc: linux-audit, linux-kernel@vger.kernel.org, Richard Guy Briggs
In-Reply-To: <CAGXu5jK-EhKR=bTvA3CMQYf0916iyKiE0oQt7b2VByo_qr=oDw@mail.gmail.com>
On Fri, Oct 23, 2015 at 2:22 PM, Kees Cook <keescook@chromium.org> wrote:
> On Fri, Oct 23, 2015 at 2:07 PM, Andy Lutomirski <luto@amacapital.net> wrote:
>> On Oct 23, 2015 10:01 AM, "Kees Cook" <keescook@chromium.org> wrote:
>>>
>>> On Fri, Oct 23, 2015 at 9:19 AM, Andy Lutomirski <luto@amacapital.net> wrote:
>>> > I would argue that, if auditing is off, audit_seccomp shouldn't do
>>> > anything. After all, unlike e.g. selinux, seccomp is not a systemwide
>>> > policy, and seccomp signals might be ordinary behavior that's internal
>>> > to the seccomp-using application. IOW, for people with audit compiled
>>> > in and subscribed by journald but switched off, I think that the
>>> > records shouldn't be emitted.
>>> >
>>> > If you agree, I can send the two-line patch.
>>>
>>> I think signr==0 states (which I would identify as "intended
>>> behavior") don't need to be reported under any situation, but audit
>>> folks wanted to keep it around.
>>
>> Even if there is a nonzero signr, it could just be a program opting to
>> trap and emulate one of its own syscalls.
>
> At present, that is a rare situation. Programs tend to be ptrace
> managed externally. Is there anything catching SIGSYS itself?
>
I wrote one once. I also wrote a whole set of patches for libseccomp
to make it easier that never went anywhere -- I should dust those off
and package them into their own library.
--Andy
^ permalink raw reply
* Re: Should audit_seccomp check audit_enabled?
From: Kees Cook @ 2015-10-23 21:22 UTC (permalink / raw)
To: Andy Lutomirski
Cc: Richard Guy Briggs, linux-audit, linux-kernel@vger.kernel.org
In-Reply-To: <CALCETrUTKaYvQXGeKsMP-61sgFNpfpZZ6kmqBpBoUb+WxPR-KQ@mail.gmail.com>
On Fri, Oct 23, 2015 at 2:07 PM, Andy Lutomirski <luto@amacapital.net> wrote:
> On Oct 23, 2015 10:01 AM, "Kees Cook" <keescook@chromium.org> wrote:
>>
>> On Fri, Oct 23, 2015 at 9:19 AM, Andy Lutomirski <luto@amacapital.net> wrote:
>> > I would argue that, if auditing is off, audit_seccomp shouldn't do
>> > anything. After all, unlike e.g. selinux, seccomp is not a systemwide
>> > policy, and seccomp signals might be ordinary behavior that's internal
>> > to the seccomp-using application. IOW, for people with audit compiled
>> > in and subscribed by journald but switched off, I think that the
>> > records shouldn't be emitted.
>> >
>> > If you agree, I can send the two-line patch.
>>
>> I think signr==0 states (which I would identify as "intended
>> behavior") don't need to be reported under any situation, but audit
>> folks wanted to keep it around.
>
> Even if there is a nonzero signr, it could just be a program opting to
> trap and emulate one of its own syscalls.
At present, that is a rare situation. Programs tend to be ptrace
managed externally. Is there anything catching SIGSYS itself?
-Kees
--
Kees Cook
Chrome OS Security
^ permalink raw reply
* Re: Should audit_seccomp check audit_enabled?
From: Andy Lutomirski @ 2015-10-23 21:08 UTC (permalink / raw)
To: Paul Moore
Cc: Steve Grubb, Kees Cook, Richard Guy Briggs, linux-audit,
linux-kernel@vger.kernel.org
In-Reply-To: <CAHC9VhQT1dOU3keiDCwwi7UwGttCvGaKSj8nv=bpsttgvtbJjA@mail.gmail.com>
On Fri, Oct 23, 2015 at 1:58 PM, Paul Moore <paul@paul-moore.com> wrote:
> On Fri, Oct 23, 2015 at 4:51 PM, Steve Grubb <sgrubb@redhat.com> wrote:
>> On Friday, October 23, 2015 03:38:05 PM Paul Moore wrote:
>>> On Fri, Oct 23, 2015 at 1:01 PM, Kees Cook <keescook@chromium.org> wrote:
>>> > On Fri, Oct 23, 2015 at 9:19 AM, Andy Lutomirski <luto@amacapital.net>
>> wrote:
>>> >> I would argue that, if auditing is off, audit_seccomp shouldn't do
>>> >> anything. After all, unlike e.g. selinux, seccomp is not a systemwide
>>> >> policy, and seccomp signals might be ordinary behavior that's internal
>>> >> to the seccomp-using application. IOW, for people with audit compiled
>>> >> in and subscribed by journald but switched off, I think that the
>>> >> records shouldn't be emitted.
>>> >>
>>> >> If you agree, I can send the two-line patch.
>>> >
>>> > I think signr==0 states (which I would identify as "intended
>>> > behavior") don't need to be reported under any situation, but audit
>>> > folks wanted to keep it around.
>>>
>>> Wearing my libseccomp hat, I would like some logging when the seccomp
>>> filter triggers a result other than allow. I don't care if this is
>>> via audit or printk(), I just want some notification. If we go the
>>> printk route and people really don't want to see anything in their
>>> logs, I suppose we could always add a sysctl knob to turn off the
>>> message completely (we would still need to do whatever audit records
>>> are required, see below).
>>>
>>> Wearing my audit hat, I want to make sure we tick off all the right
>>> boxes for the various certifications that people care about. Steve
>>> Grubb has commented on what he needs in the past, although I'm not
>>> sure it was on-list, so I'll ask him to repeat it here.
>>
>> I went back and reviewed my notes since this came up in the current Common
>> Criteria evaluation. What we decided to do is treat syscall failures which
>> failed due to seccomp the same as syscall failures caused by dropping
>> capabilities. Both are opt-in DAC policies. That means we don't care. Do
>> whatever you like. :-)
>
> Thanks Steve.
>
> Andy, is your objection that you don't want to see any seccomp
> messages, or just seccomp audit records when audit is disabled?
>
My objection is that people who have audit compiled in but disabled at
runtime shouldn't have the overhead or the log noise from these
messages. If people want the messages, then I think they should turn
on audit (auditctl -e 1 or whatever).
--Andy
^ permalink raw reply
page: next (older) | prev (newer) | latest
- recent:[subjects (threaded)|topics (new)|topics (active)]
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox