Linux-audit Archive on lore.kernel.org
 help / color / mirror / Atom feed
* Re: [PATCH v2] audit: removing unused variable
From: Joe Perches @ 2015-10-29  4:32 UTC (permalink / raw)
  To: Saurabh Sengar; +Cc: paul, eparis, linux-audit, linux-kernel
In-Reply-To: <1446091912-6001-1-git-send-email-saurabh.truth@gmail.com>

On Thu, 2015-10-29 at 09:41 +0530, Saurabh Sengar wrote:
> variable rc is unnecessary hence removing it,
> also as the return type of function audit_log_common_recv_msg is no
> where used changing it to void.

Almost, but not quite.  Keep at it.

Ideally your first attempts at kernel patching
should be done in the drivers/staging/ directory
before attempting patches outside of that path.

> diff --git a/kernel/audit.c b/kernel/audit.c
[]
> @@ -684,25 +684,24 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
>  	return err;
>  }
>  
> -static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type)
> +static void audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type)
>  {
> -	int rc = 0;
>  	uid_t uid = from_kuid(&init_user_ns, current_uid());
>  	pid_t pid = task_tgid_nr(current);
>  
>  	if (!audit_enabled && msg_type != AUDIT_USER_AVC) {
>  		*ab = NULL;
> -		return rc;
> +		return ;

There's an unnecessary space before the semicolon.
This should be
		return;

>  	}
>  
>  	*ab = audit_log_start(NULL, GFP_KERNEL, msg_type);
>  	if (unlikely(!*ab))
> -		return rc;
> +		return ;

here too

>  	audit_log_format(*ab, "pid=%d uid=%u", pid, uid);
>  	audit_log_session_info(*ab);
>  	audit_log_task_context(*ab);
>  
> -	return rc;
> +	return ;

No return statement necessary here at all

>  }
>  
>  int is_audit_feature_set(int i)

^ permalink raw reply

* [PATCH v2] audit: removing unused variable
From: Saurabh Sengar @ 2015-10-29  4:11 UTC (permalink / raw)
  To: paul, eparis, linux-audit, linux-kernel; +Cc: Saurabh Sengar

variable rc is unnecessary hence removing it,
also as the return type of function audit_log_common_recv_msg is no
where used changing it to void.

Signed-off-by: Saurabh Sengar <saurabh.truth@gmail.com>
---
 kernel/audit.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/kernel/audit.c b/kernel/audit.c
index 662c007..b572115 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -684,25 +684,24 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
 	return err;
 }
 
-static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type)
+static void audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type)
 {
-	int rc = 0;
 	uid_t uid = from_kuid(&init_user_ns, current_uid());
 	pid_t pid = task_tgid_nr(current);
 
 	if (!audit_enabled && msg_type != AUDIT_USER_AVC) {
 		*ab = NULL;
-		return rc;
+		return ;
 	}
 
 	*ab = audit_log_start(NULL, GFP_KERNEL, msg_type);
 	if (unlikely(!*ab))
-		return rc;
+		return ;
 	audit_log_format(*ab, "pid=%d uid=%u", pid, uid);
 	audit_log_session_info(*ab);
 	audit_log_task_context(*ab);
 
-	return rc;
+	return ;
 }
 
 int is_audit_feature_set(int i)
-- 
1.9.1

^ permalink raw reply related

* Re: [PATCH] audit: removing unused variable
From: Joe Perches @ 2015-10-28 22:12 UTC (permalink / raw)
  To: Paul Moore; +Cc: Saurabh Sengar, eparis, linux-audit, linux-kernel
In-Reply-To: <7739343.KgmgksQykM@sifl>

On Wed, 2015-10-28 at 16:35 -0400, Paul Moore wrote:
> On Wednesday, October 28, 2015 09:40:34 AM Saurabh Sengar wrote:
> > variavle rc in not required as it is just used for unchanged for return,
> > and return is always 0 in the function.
[]
> Thanks, applied with some spelling corrections to the description.

As the return value is never actually tested,
it seems better to make it a void function,

> > diff --git a/kernel/audit.c b/kernel/audit.c
[]
> > @@ -686,23 +686,22 @@ static int audit_netlink_ok(struct sk_buff *skb, u16
> > msg_type)
> > 
> >  static int audit_log_common_recv_msg(struct audit_buffer **ab, u16
> > msg_type) {
> > -	int rc = 0;
> >  	uid_t uid = from_kuid(&init_user_ns, current_uid());
> >  	pid_t pid = task_tgid_nr(current);
> > 
> >  	if (!audit_enabled && msg_type != AUDIT_USER_AVC) {
> >  		*ab = NULL;
> > -		return rc;
> > +		return 0;
> >  	}
> > 
> >  	*ab = audit_log_start(NULL, GFP_KERNEL, msg_type);
> >  	if (unlikely(!*ab))
> > -		return rc;
> > +		return 0;
> >  	audit_log_format(*ab, "pid=%d uid=%u", pid, uid);
> >  	audit_log_session_info(*ab);
> >  	audit_log_task_context(*ab);
> > 
> > -	return rc;
> > +	return 0;
> >  }
> > 
> >  int is_audit_feature_set(int i)
> 

^ permalink raw reply

* [PATCH] audit: make audit_log_common_recv_msg() a void function
From: Paul Moore @ 2015-10-28 20:41 UTC (permalink / raw)
  To: linux-audit

It always returns zero and no one is checking the return value.

Signed-off-by: Paul Moore <pmoore@redhat.com>
---
 kernel/audit.c |    8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/kernel/audit.c b/kernel/audit.c
index 0b81880..4d3cdcd 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -699,24 +699,22 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
 	return err;
 }
 
-static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type)
+static void audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type)
 {
 	uid_t uid = from_kuid(&init_user_ns, current_uid());
 	pid_t pid = task_tgid_nr(current);
 
 	if (!audit_enabled && msg_type != AUDIT_USER_AVC) {
 		*ab = NULL;
-		return 0;
+		return;
 	}
 
 	*ab = audit_log_start(NULL, GFP_KERNEL, msg_type);
 	if (unlikely(!*ab))
-		return 0;
+		return;
 	audit_log_format(*ab, "pid=%d uid=%u", pid, uid);
 	audit_log_session_info(*ab);
 	audit_log_task_context(*ab);
-
-	return 0;
 }
 
 int is_audit_feature_set(int i)

^ permalink raw reply related

* Re: [PATCH] audit: removing unused variable
From: Paul Moore @ 2015-10-28 20:35 UTC (permalink / raw)
  To: Saurabh Sengar; +Cc: eparis, linux-audit, linux-kernel
In-Reply-To: <1446005434-4306-1-git-send-email-saurabh.truth@gmail.com>

On Wednesday, October 28, 2015 09:40:34 AM Saurabh Sengar wrote:
> variavle rc in not required as it is just used for unchanged for return,
> and return is always 0 in the function.
> 
> Signed-off-by: Saurabh Sengar <saurabh.truth@gmail.com>
> ---
>  kernel/audit.c | 7 +++----
>  1 file changed, 3 insertions(+), 4 deletions(-)

Thanks, applied with some spelling corrections to the description.

> diff --git a/kernel/audit.c b/kernel/audit.c
> index 662c007..409482f 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -686,23 +686,22 @@ static int audit_netlink_ok(struct sk_buff *skb, u16
> msg_type)
> 
>  static int audit_log_common_recv_msg(struct audit_buffer **ab, u16
> msg_type) {
> -	int rc = 0;
>  	uid_t uid = from_kuid(&init_user_ns, current_uid());
>  	pid_t pid = task_tgid_nr(current);
> 
>  	if (!audit_enabled && msg_type != AUDIT_USER_AVC) {
>  		*ab = NULL;
> -		return rc;
> +		return 0;
>  	}
> 
>  	*ab = audit_log_start(NULL, GFP_KERNEL, msg_type);
>  	if (unlikely(!*ab))
> -		return rc;
> +		return 0;
>  	audit_log_format(*ab, "pid=%d uid=%u", pid, uid);
>  	audit_log_session_info(*ab);
>  	audit_log_task_context(*ab);
> 
> -	return rc;
> +	return 0;
>  }
> 
>  int is_audit_feature_set(int i)

-- 
paul moore
www.paul-moore.com

^ permalink raw reply

* Re: [RFC PATCH 0/7] audit: clean up audit queue handling
From: Paul Moore @ 2015-10-28 18:58 UTC (permalink / raw)
  To: Richard Guy Briggs; +Cc: v.rathor, linux-kernel, linux-audit
In-Reply-To: <20151028184318.GB1359@madcap2.tricolour.ca>

On Wednesday, October 28, 2015 02:43:18 PM Richard Guy Briggs wrote:
> On 15/10/27, Paul Moore wrote:
> > On Thursday, October 22, 2015 02:53:13 PM Richard Guy Briggs wrote:
> > > This set of patches cleans up a number of corner cases in the management
> > > of the audit queue.
> > > 
> > > Richard Guy Briggs (7):
> > >   audit: don't needlessly reset valid wait time
> > >   audit: include auditd's threads in audit_log_start() wait exception
> > >   audit: allow systemd to use queue reserves
> > >   audit: wake up threads if queue switched from limited to unlimited
> > >   audit: allow audit_cmd_mutex holders to use reserves
> > >   audit: wake up audit_backlog_wait queue when auditd goes away.
> > >   audit: wake up kauditd_thread after auditd registers
> > >  
> > >  kernel/audit.c |   20 +++++++++++++++-----
> > >  1 files changed, 15 insertions(+), 5 deletions(-)
> > 
> > Due to the fact that these patches were posted late in the 4.3-rcX cycle,
> > I've decided not to merge these into linux-audit#next for the upcoming
> > merge window.  I still need to take a closer look and properly review
> > these patches, but I wanted to let you know why I haven't acted on them
> > yet.
> 
> No problem, at least it is out of my queue, as long as we have enough
> time to hit the next one.  :)

Definitely.  I just start getting twitchy about accepting non-trivial patches 
post -rc5(ish).

-- 
paul moore
security @ redhat

^ permalink raw reply

* Re: [RFC PATCH 0/7] audit: clean up audit queue handling
From: Richard Guy Briggs @ 2015-10-28 18:43 UTC (permalink / raw)
  To: Paul Moore; +Cc: linux-audit, linux-kernel, sgrubb, eparis, v.rathor, ctcard
In-Reply-To: <8462372.4Lu2FckRET@sifl>

On 15/10/27, Paul Moore wrote:
> On Thursday, October 22, 2015 02:53:13 PM Richard Guy Briggs wrote:
> > This set of patches cleans up a number of corner cases in the management
> > of the audit queue.
> > 
> > Richard Guy Briggs (7):
> >   audit: don't needlessly reset valid wait time
> >   audit: include auditd's threads in audit_log_start() wait exception
> >   audit: allow systemd to use queue reserves
> >   audit: wake up threads if queue switched from limited to unlimited
> >   audit: allow audit_cmd_mutex holders to use reserves
> >   audit: wake up audit_backlog_wait queue when auditd goes away.
> >   audit: wake up kauditd_thread after auditd registers
> > 
> >  kernel/audit.c |   20 +++++++++++++++-----
> >  1 files changed, 15 insertions(+), 5 deletions(-)
> 
> Due to the fact that these patches were posted late in the 4.3-rcX cycle, I've 
> decided not to merge these into linux-audit#next for the upcoming merge 
> window.  I still need to take a closer look and properly review these patches, 
> but I wanted to let you know why I haven't acted on them yet.

No problem, at least it is out of my queue, as long as we have enough
time to hit the next one.  :)

> paul moore

- RGB

--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545

^ permalink raw reply

* [PATCH] audit: removing unused variable
From: Saurabh Sengar @ 2015-10-28  4:10 UTC (permalink / raw)
  To: paul, eparis, linux-audit, linux-kernel; +Cc: Saurabh Sengar

variavle rc in not required as it is just used for unchanged for return,
and return is always 0 in the function.

Signed-off-by: Saurabh Sengar <saurabh.truth@gmail.com>
---
 kernel/audit.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/kernel/audit.c b/kernel/audit.c
index 662c007..409482f 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -686,23 +686,22 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
 
 static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type)
 {
-	int rc = 0;
 	uid_t uid = from_kuid(&init_user_ns, current_uid());
 	pid_t pid = task_tgid_nr(current);
 
 	if (!audit_enabled && msg_type != AUDIT_USER_AVC) {
 		*ab = NULL;
-		return rc;
+		return 0;
 	}
 
 	*ab = audit_log_start(NULL, GFP_KERNEL, msg_type);
 	if (unlikely(!*ab))
-		return rc;
+		return 0;
 	audit_log_format(*ab, "pid=%d uid=%u", pid, uid);
 	audit_log_session_info(*ab);
 	audit_log_task_context(*ab);
 
-	return rc;
+	return 0;
 }
 
 int is_audit_feature_set(int i)
-- 
1.9.1

^ permalink raw reply related

* Re: [PATCH 2/2] Fixed Trivial Warnings in file: Deleted Spaces prior to tabs, and added lines. modified: kernel/auditfilter.c
From: Joe Perches @ 2015-10-27 19:54 UTC (permalink / raw)
  To: Richard Guy Briggs
  Cc: Scott Matheina, Paul Moore, linux-audit, trivial, linux-kernel
In-Reply-To: <20151022021500.GD5269@madcap2.tricolour.ca>

On Wed, 2015-10-21 at 22:15 -0400, Richard Guy Briggs wrote:
> On 15/10/21, Scott Matheina wrote:
> > On 10/21/2015 10:33 AM, Richard Guy Briggs wrote:
> > > On 15/10/21, Joe Perches wrote:
> > >> On Mon, 2015-10-19 at 12:10 -0400, Richard Guy Briggs wrote:
> > >>> On 15/10/18, Scott Matheina wrote:
> > >>>> On 10/14/2015 04:54 PM, Paul Moore wrote:
> > >>>>> On Saturday, October 10, 2015 08:57:55 PM Scott Matheina wrote:
> > >> []
> > >>>>>> diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
> > >> []
> > >>>>>> @@ -109,6 +109,7 @@ void audit_free_rule_rcu(struct rcu_head *head)
> > >>>>>>  {
> > >>>>>>  	struct audit_entry *e = container_of(head, struct audit_entry, rcu);
> > >>>>>>  	audit_free_rule(e);
> > >>>>>> +
> > >>>>>>  }
> > >>>>> Why?
> > >>>> I was following the error messages in checkpatch.pl, but the warning
> > >>>> went away after adding this line. No problem with the code. 
> > >>> That sounds like a bug in checkpatch.pl, since that blank line should be
> > >>> tween the declaration and the function call.
> > >> checkpatch message asks for a blank line after the
> > >> "struct audit_entry *e = ..." declaration.
> > > Well then maybe it is a bug in his interpretation of the output of
> > > checkpatch.pl?  Scott, did you re-run checkpatch.pl after adding those
> > > spaces?  Did it pass?
> > 
> > The error did go away. 
> 
> Joe, I confirm the error went away.  Looks like a bug in checkpatch.pl
> to me.

It's not a bug in checkpatch.

checkpatch doesn't care if there are blank lines between declarations.

Here's the output of checkpatch for this area:

WARNING: Missing a blank line after declarations
#111: FILE: kernel/auditfilter.c:111:
+	struct audit_entry *e = container_of(head, struct audit_entry, rcu);
+	audit_free_rule(e);

That doesn't suggest putting a blank line before line 111.
It suggests putting a blank line after the declaration of e.

^ permalink raw reply

* Re: [RFC PATCH 0/7] audit: clean up audit queue handling
From: Paul Moore @ 2015-10-27 18:44 UTC (permalink / raw)
  To: Richard Guy Briggs
  Cc: linux-audit, linux-kernel, sgrubb, eparis, v.rathor, ctcard
In-Reply-To: <cover.1445539473.git.rgb@redhat.com>

On Thursday, October 22, 2015 02:53:13 PM Richard Guy Briggs wrote:
> This set of patches cleans up a number of corner cases in the management
> of the audit queue.
> 
> Richard Guy Briggs (7):
>   audit: don't needlessly reset valid wait time
>   audit: include auditd's threads in audit_log_start() wait exception
>   audit: allow systemd to use queue reserves
>   audit: wake up threads if queue switched from limited to unlimited
>   audit: allow audit_cmd_mutex holders to use reserves
>   audit: wake up audit_backlog_wait queue when auditd goes away.
>   audit: wake up kauditd_thread after auditd registers
> 
>  kernel/audit.c |   20 +++++++++++++++-----
>  1 files changed, 15 insertions(+), 5 deletions(-)

Due to the fact that these patches were posted late in the 4.3-rcX cycle, I've 
decided not to merge these into linux-audit#next for the upcoming merge 
window.  I still need to take a closer look and properly review these patches, 
but I wanted to let you know why I haven't acted on them yet.

-- 
paul moore
security @ redhat

^ permalink raw reply

* Re: Running auditd from  Raspberry Pi (Raspbian)
From: Steve Grubb @ 2015-10-27  3:12 UTC (permalink / raw)
  To: Kangkook Jee; +Cc: linux-audit
In-Reply-To: <75B9BC31-3878-4739-8F47-369C4FD5FFA5@gmail.com>

On Monday, October 26, 2015 05:18:12 PM Kangkook Jee wrote:
> This time, I built with —with-arm option and tried again. It still fails but
> with different error message.
> 
> 
> pi@raspberrypi ~/audit-2.4.4 $ grep arm config.status
> ac_cs_config="'--with-arm'"
>   set X /bin/bash './configure'  '--with-arm' $ac_configure_extra_args
> --no-create --no-recursion host='armv7l-unknown-linux-gnueabihf'
> build='armv7l-unknown-linux-gnueabihf'
> sys_lib_search_path_spec='/usr/lib/gcc/arm-linux-gnueabihf/4.9
> /usr/lib/arm-linux-gnueabihf /usr/lib /lib/arm-linux-gnueabihf /lib '
> sys_lib_dlsearch_path_spec='/lib64 /usr/lib64 /lib /usr/lib /opt/vc/lib
> /lib/arm-linux-gnueabihf /usr/lib/arm-linux-gnueabihf
> /usr/lib/arm-linux-gnueabihf/libfakeroot /usr/local/lib '
> S["target_cpu"]="armv7l"
> S["target"]="armv7l-unknown-linux-gnueabihf"
> S["host_cpu"]="armv7l"
> S["host"]="armv7l-unknown-linux-gnueabihf"
> S["build_cpu"]="armv7l"
> S["build"]="armv7l-unknown-linux-gnueabihf"
> pi@raspberrypi ~/audit-2.4.4 $ sudo src/auditctl -a exit,always -S execve
> Error sending add rule data request (Invalid argument)

If this works:

ausyscall armeb open

returns something like:

open               5
mq_open            274
openat             322
perf_event_open    364
open_by_handle_at  371

Then user space is working. Anything else would be kernel issues.

-Steve

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit

^ permalink raw reply

* Re: [PATCH] Fix to:WARNING: please, no space before tabs modified: kernel/auditfilter.c
From: Scott Matheina @ 2015-10-26 23:02 UTC (permalink / raw)
  To: Paul Moore; +Cc: linux-audit
In-Reply-To: <CAHC9VhRczO=dh=94+SqunfcoDfkZQ1KoGsBUK035hKkfayjU9Q@mail.gmail.com>



On 10/26/15 3:07 PM, Paul Moore wrote:
> On Sunday, October 25, 2015 09:00:49 PM Scott Matheina wrote:
>> Signed-off-by: Scott Matheina <scott@matheina.com>
>> ---
>>   kernel/auditfilter.c | 14 +++++++-------
>>   1 file changed, 7 insertions(+), 7 deletions(-)
> [NOTE: Adding the linux-audit list to the CC line]
>
> Applied, but I modified the patch subject line to "audit: fix comment block
> whitespace" as the original was a bit verbose.  You can check the mailing list
> archive, or the git log, to see what people typically use for patch subject
> lines.

Thanks!

>
>> diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
>> index 7714d93..b8ff9e1 100644
>> --- a/kernel/auditfilter.c
>> +++ b/kernel/auditfilter.c
>> @@ -39,13 +39,13 @@
>>    * Locking model:
>>    *
>>    * audit_filter_mutex:
>> - * Synchronizes writes and blocking reads of audit's filterlist
>> - * data.  Rcu is used to traverse the filterlist and access
>> - * contents of structs audit_entry, audit_watch and opaque
>> - * LSM rules during filtering.  If modified, these structures
>> - * must be copied and replace their counterparts in the filterlist.
>> - * An audit_parent struct is not accessed during filtering, so may
>> - * be written directly provided audit_filter_mutex is held.
>> + * Synchronizes writes and blocking reads of audit's filterlist
>> + * data.  Rcu is used to traverse the filterlist and access
>> + * contents of structs audit_entry, audit_watch and opaque
>> + * LSM rules during filtering.  If modified, these structures
>> + * must be copied and replace their counterparts in the filterlist.
>> + * An audit_parent struct is not accessed during filtering, so may
>> + * be written directly provided audit_filter_mutex is held.
>>    */
>>
>>   /* Audit filter lists, defined in <linux/audit.h> */

^ permalink raw reply

* Re: Running auditd from  Raspberry Pi (Raspbian)
From: Kangkook Jee @ 2015-10-26 21:18 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit
In-Reply-To: <079DE06B-6E74-486D-8031-847A378DACF8@gmail.com>


[-- Attachment #1.1: Type: text/plain, Size: 2946 bytes --]

This time, I built with —with-arm option and tried again. It still fails but with different error message.


pi@raspberrypi ~/audit-2.4.4 $ grep arm config.status
ac_cs_config="'--with-arm'"
  set X /bin/bash './configure'  '--with-arm' $ac_configure_extra_args --no-create --no-recursion
host='armv7l-unknown-linux-gnueabihf'
build='armv7l-unknown-linux-gnueabihf'
sys_lib_search_path_spec='/usr/lib/gcc/arm-linux-gnueabihf/4.9 /usr/lib/arm-linux-gnueabihf /usr/lib /lib/arm-linux-gnueabihf /lib '
sys_lib_dlsearch_path_spec='/lib64 /usr/lib64 /lib /usr/lib /opt/vc/lib /lib/arm-linux-gnueabihf /usr/lib/arm-linux-gnueabihf /usr/lib/arm-linux-gnueabihf/libfakeroot /usr/local/lib '
S["target_cpu"]="armv7l"
S["target"]="armv7l-unknown-linux-gnueabihf"
S["host_cpu"]="armv7l"
S["host"]="armv7l-unknown-linux-gnueabihf"
S["build_cpu"]="armv7l"
S["build"]="armv7l-unknown-linux-gnueabihf"
pi@raspberrypi ~/audit-2.4.4 $ sudo src/auditctl -a exit,always -S execve
Error sending add rule data request (Invalid argument)


> On Oct 26, 2015, at 4:57 PM, Kangkook Jee <aixer77@gmail.com> wrote:
> 
> I added “—with-armeb” should it be just “—with-arm” ?
> 
> This following shows my configuration status.
> 
> pi@raspberrypi ~/audit-2.4.4 $ grep arm config.status
> ac_cs_config="'--with-armeb'"
>  set X /bin/bash './configure'  '--with-armeb' $ac_configure_extra_args --no-create --no-recursion
> host='armv7l-unknown-linux-gnueabihf'
> build='armv7l-unknown-linux-gnueabihf'
> sys_lib_search_path_spec='/usr/lib/gcc/arm-linux-gnueabihf/4.9 /usr/lib/arm-linux-gnueabihf /usr/lib /lib/arm-linux-gnueabihf /lib '
> sys_lib_dlsearch_path_spec='/lib64 /usr/lib64 /lib /usr/lib /opt/vc/lib /lib/arm-linux-gnueabihf /usr/lib/arm-linux-gnueabihf /usr/lib/arm-linux-gnueabihf/libfakeroot /usr/local/lib '
> S["target_cpu"]="armv7l"
> S["target"]="armv7l-unknown-linux-gnueabihf"
> S["host_cpu"]="armv7l"
> S["host"]="armv7l-unknown-linux-gnueabihf"
> S["build_cpu"]="armv7l"
> S["build"]="armv7l-unknown-linux-gnueabihf”
> 
> 
>> On Oct 26, 2015, at 4:37 PM, Steve Grubb <sgrubb@redhat.com> wrote:
>> 
>> On Monday, October 26, 2015 04:25:57 PM Kangkook Jee wrote:
>>> Dear Steve,
>>> 
>>> I built auditctl from recent audit source and tried it again but I failed
>>> with the following errors.
>>> 
>>> pi@raspberrypi ~/audit-2.4.4 $ sudo auditctl -e1 -b 102400
>>> AUDIT_STATUS: enabled=1 flag=1 pid=2022 rate_limit=0 backlog_limit=320
>>> lost=0 backlog=0 (reverse-i-search)`b': sudo auditctl -e1 -^C102400
>>> pi@raspberrypi ~/audit-2.4.4 $ sudo src/auditctl -a exit,always -F
>>> arch=armeb -S clone arch elf mapping not found
>>> pi@raspberrypi ~/audit-2.4.4 $ sudo src/auditctl -a exit,always -S clone
>>> Error detecting machine type
>>> 
>>> Would you help me with this?
>> 
>> Did you add --with-arm to the ./configure line? Its disabled by default.
>> 
>> -Steve
> 


[-- Attachment #1.2: Type: text/html, Size: 4293 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]



^ permalink raw reply

* Re: Running auditd from  Raspberry Pi (Raspbian)
From: Kangkook Jee @ 2015-10-26 20:57 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit
In-Reply-To: <2580157.z3kgxFZchv@x2>

I added “—with-armeb” should it be just “—with-arm” ?

This following shows my configuration status.

pi@raspberrypi ~/audit-2.4.4 $ grep arm config.status
ac_cs_config="'--with-armeb'"
  set X /bin/bash './configure'  '--with-armeb' $ac_configure_extra_args --no-create --no-recursion
host='armv7l-unknown-linux-gnueabihf'
build='armv7l-unknown-linux-gnueabihf'
sys_lib_search_path_spec='/usr/lib/gcc/arm-linux-gnueabihf/4.9 /usr/lib/arm-linux-gnueabihf /usr/lib /lib/arm-linux-gnueabihf /lib '
sys_lib_dlsearch_path_spec='/lib64 /usr/lib64 /lib /usr/lib /opt/vc/lib /lib/arm-linux-gnueabihf /usr/lib/arm-linux-gnueabihf /usr/lib/arm-linux-gnueabihf/libfakeroot /usr/local/lib '
S["target_cpu"]="armv7l"
S["target"]="armv7l-unknown-linux-gnueabihf"
S["host_cpu"]="armv7l"
S["host"]="armv7l-unknown-linux-gnueabihf"
S["build_cpu"]="armv7l"
S["build"]="armv7l-unknown-linux-gnueabihf”


> On Oct 26, 2015, at 4:37 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> 
> On Monday, October 26, 2015 04:25:57 PM Kangkook Jee wrote:
>> Dear Steve,
>> 
>> I built auditctl from recent audit source and tried it again but I failed
>> with the following errors.
>> 
>> pi@raspberrypi ~/audit-2.4.4 $ sudo auditctl -e1 -b 102400
>> AUDIT_STATUS: enabled=1 flag=1 pid=2022 rate_limit=0 backlog_limit=320
>> lost=0 backlog=0 (reverse-i-search)`b': sudo auditctl -e1 -^C102400
>> pi@raspberrypi ~/audit-2.4.4 $ sudo src/auditctl -a exit,always -F
>> arch=armeb -S clone arch elf mapping not found
>> pi@raspberrypi ~/audit-2.4.4 $ sudo src/auditctl -a exit,always -S clone
>> Error detecting machine type
>> 
>> Would you help me with this?
> 
> Did you add --with-arm to the ./configure line? Its disabled by default.
> 
> -Steve


--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit

^ permalink raw reply

* Re: Running auditd from  Raspberry Pi (Raspbian)
From: Steve Grubb @ 2015-10-26 20:37 UTC (permalink / raw)
  To: Kangkook Jee; +Cc: linux-audit
In-Reply-To: <7941F2ED-39A0-45E7-815D-5F46CD859579@gmail.com>

On Monday, October 26, 2015 04:25:57 PM Kangkook Jee wrote:
> Dear Steve,
> 
> I built auditctl from recent audit source and tried it again but I failed
> with the following errors.
> 
> pi@raspberrypi ~/audit-2.4.4 $ sudo auditctl -e1 -b 102400
> AUDIT_STATUS: enabled=1 flag=1 pid=2022 rate_limit=0 backlog_limit=320
> lost=0 backlog=0 (reverse-i-search)`b': sudo auditctl -e1 -^C102400
> pi@raspberrypi ~/audit-2.4.4 $ sudo src/auditctl -a exit,always -F
> arch=armeb -S clone arch elf mapping not found
> pi@raspberrypi ~/audit-2.4.4 $ sudo src/auditctl -a exit,always -S clone
> Error detecting machine type
> 
> Would you help me with this?

Did you add --with-arm to the ./configure line? Its disabled by default.

-Steve

^ permalink raw reply

* Re: Running auditd from  Raspberry Pi (Raspbian)
From: Kangkook Jee @ 2015-10-26 20:25 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit
In-Reply-To: <1761781.EmJWtSeSBl@x2>

Dear Steve,

I built auditctl from recent audit source and tried it again but I failed with the following errors. 

pi@raspberrypi ~/audit-2.4.4 $ sudo auditctl -e1 -b 102400
AUDIT_STATUS: enabled=1 flag=1 pid=2022 rate_limit=0 backlog_limit=320 lost=0 backlog=0
(reverse-i-search)`b': sudo auditctl -e1 -^C102400
pi@raspberrypi ~/audit-2.4.4 $ sudo src/auditctl -a exit,always -F arch=armeb -S clone
arch elf mapping not found
pi@raspberrypi ~/audit-2.4.4 $ sudo src/auditctl -a exit,always -S clone
Error detecting machine type

Would you help me with this?

Thanks a lot for your help again!

Regards, Kangkook


> On Oct 26, 2015, at 11:55 AM, Steve Grubb <sgrubb@redhat.com> wrote:
> 
> On Friday, October 23, 2015 07:16:40 PM Kangkook Jee wrote:
>> Hi, all
>> 
>> From my Raspberry Pi machine (running Debian Wheezy distribution), I could
>> see the kernel is built with audit enabled, and I could manage to install
>> user-space audit client with the following command.
>> 
>> pi@raspberrypi ~ $ sudo apt-get install auditd
>> 
>> However, when I tried to enable audit issuing the following commands it
>> doesn’t seem to run properly.
>> 
>> pi@raspberrypi ~ $ sudo auditctl -l
>> No rules
>> pi@raspberrypi ~ $ sudo auditctl -a entry,always -S open
>> Error detecting machine type
>> pi@raspberrypi ~ $ sudo auditctl -a entry,always -F arch=armeb -S open
>> arch=armeb machine type not found
>> 
>> Can anyone tell me whether audit support ARM based linux systems?
> 
> Yes. It was added starting in 2.0.4 and was corrected several times.
> 
> 
>> Here’s my system information and thanks a lot for your help in advance!
>> 
>> pi@raspberrypi ~ $ sudo uname -a
>> Linux raspberrypi 3.18.11-v7+ #781 SMP PREEMPT Tue Apr 21 18:07:59 BST 2015
>> armv7l GNU/Linux
>> 
>> pi@raspberrypi ~ $ dpkg -l |grep audit
>> ii  auditd                                1:1.7.18-1.1                      
>>     armhf        User space tools for security auditing ii  libaudit0     
>>                       1:1.7.18-1.1                            armhf       
> 
> That one is too old. You need a newer audit package.
> 
> -Steve


--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit

^ permalink raw reply

* Re: [PATCH] Fix to:WARNING: please, no space before tabs modified: kernel/auditfilter.c
From: Paul Moore @ 2015-10-26 20:07 UTC (permalink / raw)
  To: Scott Matheina; +Cc: linux-audit
In-Reply-To: <1445824849-4089-1-git-send-email-scott@matheina.com>

On Sunday, October 25, 2015 09:00:49 PM Scott Matheina wrote:
> Signed-off-by: Scott Matheina <scott@matheina.com>
> ---
>  kernel/auditfilter.c | 14 +++++++-------
>  1 file changed, 7 insertions(+), 7 deletions(-)

[NOTE: Adding the linux-audit list to the CC line]

Applied, but I modified the patch subject line to "audit: fix comment block
whitespace" as the original was a bit verbose.  You can check the mailing list
archive, or the git log, to see what people typically use for patch subject
lines.

> diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
> index 7714d93..b8ff9e1 100644
> --- a/kernel/auditfilter.c
> +++ b/kernel/auditfilter.c
> @@ -39,13 +39,13 @@
>   * Locking model:
>   *
>   * audit_filter_mutex:
> - * Synchronizes writes and blocking reads of audit's filterlist
> - * data.  Rcu is used to traverse the filterlist and access
> - * contents of structs audit_entry, audit_watch and opaque
> - * LSM rules during filtering.  If modified, these structures
> - * must be copied and replace their counterparts in the filterlist.
> - * An audit_parent struct is not accessed during filtering, so may
> - * be written directly provided audit_filter_mutex is held.
> + * Synchronizes writes and blocking reads of audit's filterlist
> + * data.  Rcu is used to traverse the filterlist and access
> + * contents of structs audit_entry, audit_watch and opaque
> + * LSM rules during filtering.  If modified, these structures
> + * must be copied and replace their counterparts in the filterlist.
> + * An audit_parent struct is not accessed during filtering, so may
> + * be written directly provided audit_filter_mutex is held.
>   */
>
>  /* Audit filter lists, defined in <linux/audit.h> */

-- 
paul moore
www.paul-moore.com

^ permalink raw reply

* Re: Running auditd from  Raspberry Pi (Raspbian)
From: Kangkook Jee @ 2015-10-26 17:13 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit
In-Reply-To: <1761781.EmJWtSeSBl@x2>

Thanks a lot for your support. I will try with newer version and let you know how it goes!

Regards, Kangkook

> On Oct 26, 2015, at 11:55 AM, Steve Grubb <sgrubb@redhat.com> wrote:
> 
> On Friday, October 23, 2015 07:16:40 PM Kangkook Jee wrote:
>> Hi, all
>> 
>> From my Raspberry Pi machine (running Debian Wheezy distribution), I could
>> see the kernel is built with audit enabled, and I could manage to install
>> user-space audit client with the following command.
>> 
>> pi@raspberrypi ~ $ sudo apt-get install auditd
>> 
>> However, when I tried to enable audit issuing the following commands it
>> doesn’t seem to run properly.
>> 
>> pi@raspberrypi ~ $ sudo auditctl -l
>> No rules
>> pi@raspberrypi ~ $ sudo auditctl -a entry,always -S open
>> Error detecting machine type
>> pi@raspberrypi ~ $ sudo auditctl -a entry,always -F arch=armeb -S open
>> arch=armeb machine type not found
>> 
>> Can anyone tell me whether audit support ARM based linux systems?
> 
> Yes. It was added starting in 2.0.4 and was corrected several times.
> 
> 
>> Here’s my system information and thanks a lot for your help in advance!
>> 
>> pi@raspberrypi ~ $ sudo uname -a
>> Linux raspberrypi 3.18.11-v7+ #781 SMP PREEMPT Tue Apr 21 18:07:59 BST 2015
>> armv7l GNU/Linux
>> 
>> pi@raspberrypi ~ $ dpkg -l |grep audit
>> ii  auditd                                1:1.7.18-1.1                      
>>     armhf        User space tools for security auditing ii  libaudit0     
>>                       1:1.7.18-1.1                            armhf       
> 
> That one is too old. You need a newer audit package.
> 
> -Steve


--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit

^ permalink raw reply

* Re: Running auditd from  Raspberry Pi (Raspbian)
From: Steve Grubb @ 2015-10-26 15:55 UTC (permalink / raw)
  To: linux-audit
In-Reply-To: <E4233D65-A74A-4AE0-819C-BE1863408B26@gmail.com>

On Friday, October 23, 2015 07:16:40 PM Kangkook Jee wrote:
> Hi, all
> 
> From my Raspberry Pi machine (running Debian Wheezy distribution), I could
> see the kernel is built with audit enabled, and I could manage to install
> user-space audit client with the following command.
> 
> pi@raspberrypi ~ $ sudo apt-get install auditd
> 
> However, when I tried to enable audit issuing the following commands it
> doesn’t seem to run properly.
> 
> pi@raspberrypi ~ $ sudo auditctl -l
> No rules
> pi@raspberrypi ~ $ sudo auditctl -a entry,always -S open
> Error detecting machine type
> pi@raspberrypi ~ $ sudo auditctl -a entry,always -F arch=armeb -S open
> arch=armeb machine type not found
> 
> Can anyone tell me whether audit support ARM based linux systems?

Yes. It was added starting in 2.0.4 and was corrected several times.


> Here’s my system information and thanks a lot for your help in advance!
> 
> pi@raspberrypi ~ $ sudo uname -a
> Linux raspberrypi 3.18.11-v7+ #781 SMP PREEMPT Tue Apr 21 18:07:59 BST 2015
> armv7l GNU/Linux
> 
> pi@raspberrypi ~ $ dpkg -l |grep audit
> ii  auditd                                1:1.7.18-1.1                      
>      armhf        User space tools for security auditing ii  libaudit0     
>                        1:1.7.18-1.1                            armhf       

That one is too old. You need a newer audit package.

-Steve

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit

^ permalink raw reply

* Re: [PATCH 2/2] Fixed Trivial Warnings in file: Deleted Spaces prior to tabs, and added lines. modified: kernel/auditfilter.c
From: Scott Matheina @ 2015-10-25 23:53 UTC (permalink / raw)
  To: Richard Guy Briggs
  Cc: Joe Perches, Paul Moore, linux-audit, trivial, linux-kernel
In-Reply-To: <20151022021500.GD5269@madcap2.tricolour.ca>



On 10/21/2015 09:15 PM, Richard Guy Briggs wrote:
> On 15/10/21, Scott Matheina wrote:
>> On 10/21/2015 10:33 AM, Richard Guy Briggs wrote:
>>> On 15/10/21, Joe Perches wrote:
>>>> On Mon, 2015-10-19 at 12:10 -0400, Richard Guy Briggs wrote:
>>>>> On 15/10/18, Scott Matheina wrote:
>>>>>> On 10/14/2015 04:54 PM, Paul Moore wrote:
>>>>>>> On Saturday, October 10, 2015 08:57:55 PM Scott Matheina wrote:
>>>> []
>>>>>>>> diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
>>>> []
>>>>>>>> @@ -109,6 +109,7 @@ void audit_free_rule_rcu(struct rcu_head *head)
>>>>>>>>   {
>>>>>>>>   	struct audit_entry *e = container_of(head, struct audit_entry, rcu);
>>>>>>>>   	audit_free_rule(e);
>>>>>>>> +
>>>>>>>>   }
>>>>>>> Why?
>>>>>> I was following the error messages in checkpatch.pl, but the warning
>>>>>> went away after adding this line. No problem with the code.
>>>>> That sounds like a bug in checkpatch.pl, since that blank line should be
>>>>> tween the declaration and the function call.
>>>> checkpatch message asks for a blank line after the
>>>> "struct audit_entry *e = ..." declaration.
>>> Well then maybe it is a bug in his interpretation of the output of
>>> checkpatch.pl?  Scott, did you re-run checkpatch.pl after adding those
>>> spaces?  Did it pass?
>> The error did go away.
> Joe, I confirm the error went away.  Looks like a bug in checkpatch.pl
> to me.  I tried a number of combinations of things and it didn't
> complain about several things it should have.  I did try a few other
> things to make sure it was still finding problems like brace placement
> and leading spaces, but it looks like the blank line checking code isn't
> working.  This is on 4.0, so maybe it has been fixed since then.  Scott,
> what kernel version are you using?
I had just cloned Linus' repo, so v4.3rc6.
>
>>>>>>>>   	while (*list != ~0U) {
>>>>>>>> +
>>>>>>>>   		unsigned n = *list++;
>>>>>>>>   		if (n >= AUDIT_BITMASK_SIZE * 32 - AUDIT_SYSCALL_CLASSES) {
>>>>>>>>   			kfree(p);
>>>>>>> Why?
>>>>>> This is the same as above. Just going through the checkpatch.pl
>>>>>> script, and looking for warnings to fix.
>>>>> Again, another manifestation of that bug?  That blank line should be
>>>>> after the declaration and before the if statement.
>>>> []
>>>>> Well, I agree, you have to start somewhere...  Too bad you hit a bug in
>>>>> checkpatch.pl!
>>>> Here too, not a bug in checkpatch.
>>>>
>>>> checkpatch output asks for a blank line after the
>>>> "unsigned n" declaration, not before.
>>> - RGB
> - RGB
>
> --
> Richard Guy Briggs <rbriggs@redhat.com>
> Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
> Remote, Ottawa, Canada
> Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545

^ permalink raw reply

* Re: Should audit_seccomp check audit_enabled?
From: Paul Moore @ 2015-10-24  2:24 UTC (permalink / raw)
  To: Andy Lutomirski, Kees Cook; +Cc: Richard Guy Briggs, linux-audit, linux-kernel
In-Reply-To: <CALCETrU6Vi3uBgULzAwNvThWZhX_onJpGs3=_FHPYk=jag87Cg@mail.gmail.com>

On October 23, 2015 5:30:45 PM Andy Lutomirski <luto@amacapital.net> wrote:

> On Fri, Oct 23, 2015 at 2:22 PM, Kees Cook <keescook@chromium.org> wrote:
>> On Fri, Oct 23, 2015 at 2:07 PM, Andy Lutomirski <luto@amacapital.net> wrote:
>>> On Oct 23, 2015 10:01 AM, "Kees Cook" <keescook@chromium.org> wrote:
>>>>
>>>> On Fri, Oct 23, 2015 at 9:19 AM, Andy Lutomirski <luto@amacapital.net> wrote:
>>>> > I would argue that, if auditing is off, audit_seccomp shouldn't do
>>>> > anything.  After all, unlike e.g. selinux, seccomp is not a systemwide
>>>> > policy, and seccomp signals might be ordinary behavior that's internal
>>>> > to the seccomp-using application.  IOW, for people with audit compiled
>>>> > in and subscribed by journald but switched off, I think that the
>>>> > records shouldn't be emitted.
>>>> >
>>>> > If you agree, I can send the two-line patch.
>>>>
>>>> I think signr==0 states (which I would identify as "intended
>>>> behavior") don't need to be reported under any situation, but audit
>>>> folks wanted to keep it around.
>>>
>>> Even if there is a nonzero signr, it could just be a program opting to
>>> trap and emulate one of its own syscalls.
>>
>> At present, that is a rare situation. Programs tend to be ptrace
>> managed externally. Is there anything catching SIGSYS itself?
>>
>
> I wrote one once.  I also wrote a whole set of patches for libseccomp
> to make it easier that never went anywhere -- I should dust those off
> and package them into their own library.

It has been a while since we discussed those patches, but if I remember 
correctly it was going to be very difficult to do it in an arch agnostic 
way and that was a concern.

--
paul moore
www.paul-moore.com

^ permalink raw reply

* Running auditd from  Raspberry Pi (Raspbian)
From: Kangkook Jee @ 2015-10-23 23:16 UTC (permalink / raw)
  To: linux-audit


[-- Attachment #1.1: Type: text/plain, Size: 1226 bytes --]

Hi, all 

From my Raspberry Pi machine (running Debian Wheezy distribution), I could see the kernel is built with audit enabled, and I could manage to install user-space audit client with the following command. 

pi@raspberrypi ~ $ sudo apt-get install auditd

However, when I tried to enable audit issuing the following commands it doesn’t seem to run properly.

pi@raspberrypi ~ $ sudo auditctl -l
No rules
pi@raspberrypi ~ $ sudo auditctl -a entry,always -S open
Error detecting machine type
pi@raspberrypi ~ $ sudo auditctl -a entry,always -F arch=armeb -S open
arch=armeb machine type not found

Can anyone tell me whether audit support ARM based linux systems?
Here’s my system information and thanks a lot for your help in advance!

pi@raspberrypi ~ $ sudo uname -a
Linux raspberrypi 3.18.11-v7+ #781 SMP PREEMPT Tue Apr 21 18:07:59 BST 2015 armv7l GNU/Linux

pi@raspberrypi ~ $ dpkg -l |grep audit
ii  auditd                                1:1.7.18-1.1                            armhf        User space tools for security auditing
ii  libaudit0                             1:1.7.18-1.1                            armhf        Dynamic library for security auditing

Regards, Kangkook



[-- Attachment #1.2: Type: text/html, Size: 2668 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]



^ permalink raw reply

* Re: Should audit_seccomp check audit_enabled?
From: Andy Lutomirski @ 2015-10-23 21:24 UTC (permalink / raw)
  To: Kees Cook; +Cc: linux-audit, linux-kernel@vger.kernel.org, Richard Guy Briggs
In-Reply-To: <CAGXu5jK-EhKR=bTvA3CMQYf0916iyKiE0oQt7b2VByo_qr=oDw@mail.gmail.com>

On Fri, Oct 23, 2015 at 2:22 PM, Kees Cook <keescook@chromium.org> wrote:
> On Fri, Oct 23, 2015 at 2:07 PM, Andy Lutomirski <luto@amacapital.net> wrote:
>> On Oct 23, 2015 10:01 AM, "Kees Cook" <keescook@chromium.org> wrote:
>>>
>>> On Fri, Oct 23, 2015 at 9:19 AM, Andy Lutomirski <luto@amacapital.net> wrote:
>>> > I would argue that, if auditing is off, audit_seccomp shouldn't do
>>> > anything.  After all, unlike e.g. selinux, seccomp is not a systemwide
>>> > policy, and seccomp signals might be ordinary behavior that's internal
>>> > to the seccomp-using application.  IOW, for people with audit compiled
>>> > in and subscribed by journald but switched off, I think that the
>>> > records shouldn't be emitted.
>>> >
>>> > If you agree, I can send the two-line patch.
>>>
>>> I think signr==0 states (which I would identify as "intended
>>> behavior") don't need to be reported under any situation, but audit
>>> folks wanted to keep it around.
>>
>> Even if there is a nonzero signr, it could just be a program opting to
>> trap and emulate one of its own syscalls.
>
> At present, that is a rare situation. Programs tend to be ptrace
> managed externally. Is there anything catching SIGSYS itself?
>

I wrote one once.  I also wrote a whole set of patches for libseccomp
to make it easier that never went anywhere -- I should dust those off
and package them into their own library.

--Andy

^ permalink raw reply

* Re: Should audit_seccomp check audit_enabled?
From: Kees Cook @ 2015-10-23 21:22 UTC (permalink / raw)
  To: Andy Lutomirski
  Cc: Richard Guy Briggs, linux-audit, linux-kernel@vger.kernel.org
In-Reply-To: <CALCETrUTKaYvQXGeKsMP-61sgFNpfpZZ6kmqBpBoUb+WxPR-KQ@mail.gmail.com>

On Fri, Oct 23, 2015 at 2:07 PM, Andy Lutomirski <luto@amacapital.net> wrote:
> On Oct 23, 2015 10:01 AM, "Kees Cook" <keescook@chromium.org> wrote:
>>
>> On Fri, Oct 23, 2015 at 9:19 AM, Andy Lutomirski <luto@amacapital.net> wrote:
>> > I would argue that, if auditing is off, audit_seccomp shouldn't do
>> > anything.  After all, unlike e.g. selinux, seccomp is not a systemwide
>> > policy, and seccomp signals might be ordinary behavior that's internal
>> > to the seccomp-using application.  IOW, for people with audit compiled
>> > in and subscribed by journald but switched off, I think that the
>> > records shouldn't be emitted.
>> >
>> > If you agree, I can send the two-line patch.
>>
>> I think signr==0 states (which I would identify as "intended
>> behavior") don't need to be reported under any situation, but audit
>> folks wanted to keep it around.
>
> Even if there is a nonzero signr, it could just be a program opting to
> trap and emulate one of its own syscalls.

At present, that is a rare situation. Programs tend to be ptrace
managed externally. Is there anything catching SIGSYS itself?

-Kees

-- 
Kees Cook
Chrome OS Security

^ permalink raw reply

* Re: Should audit_seccomp check audit_enabled?
From: Andy Lutomirski @ 2015-10-23 21:08 UTC (permalink / raw)
  To: Paul Moore
  Cc: Steve Grubb, Kees Cook, Richard Guy Briggs, linux-audit,
	linux-kernel@vger.kernel.org
In-Reply-To: <CAHC9VhQT1dOU3keiDCwwi7UwGttCvGaKSj8nv=bpsttgvtbJjA@mail.gmail.com>

On Fri, Oct 23, 2015 at 1:58 PM, Paul Moore <paul@paul-moore.com> wrote:
> On Fri, Oct 23, 2015 at 4:51 PM, Steve Grubb <sgrubb@redhat.com> wrote:
>> On Friday, October 23, 2015 03:38:05 PM Paul Moore wrote:
>>> On Fri, Oct 23, 2015 at 1:01 PM, Kees Cook <keescook@chromium.org> wrote:
>>> > On Fri, Oct 23, 2015 at 9:19 AM, Andy Lutomirski <luto@amacapital.net>
>> wrote:
>>> >> I would argue that, if auditing is off, audit_seccomp shouldn't do
>>> >> anything.  After all, unlike e.g. selinux, seccomp is not a systemwide
>>> >> policy, and seccomp signals might be ordinary behavior that's internal
>>> >> to the seccomp-using application.  IOW, for people with audit compiled
>>> >> in and subscribed by journald but switched off, I think that the
>>> >> records shouldn't be emitted.
>>> >>
>>> >> If you agree, I can send the two-line patch.
>>> >
>>> > I think signr==0 states (which I would identify as "intended
>>> > behavior") don't need to be reported under any situation, but audit
>>> > folks wanted to keep it around.
>>>
>>> Wearing my libseccomp hat, I would like some logging when the seccomp
>>> filter triggers a result other than allow.  I don't care if this is
>>> via audit or printk(), I just want some notification.  If we go the
>>> printk route and people really don't want to see anything in their
>>> logs, I suppose we could always add a sysctl knob to turn off the
>>> message completely (we would still need to do whatever audit records
>>> are required, see below).
>>>
>>> Wearing my audit hat, I want to make sure we tick off all the right
>>> boxes for the various certifications that people care about.  Steve
>>> Grubb has commented on what he needs in the past, although I'm not
>>> sure it was on-list, so I'll ask him to repeat it here.
>>
>> I went back and reviewed my notes since this came up in the current Common
>> Criteria evaluation. What we decided to do is treat syscall failures which
>> failed due to seccomp the same as syscall failures caused by dropping
>> capabilities. Both are opt-in DAC policies. That means we don't care. Do
>> whatever you like. :-)
>
> Thanks Steve.
>
> Andy, is your objection that you don't want to see any seccomp
> messages, or just seccomp audit records when audit is disabled?
>

My objection is that people who have audit compiled in but disabled at
runtime shouldn't have the overhead or the log noise from these
messages.  If people want the messages, then I think they should turn
on audit (auditctl -e 1 or whatever).

--Andy

^ permalink raw reply


This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox