* audit 2.6.3 released
From: Steve Grubb @ 2016-07-05 13:15 UTC (permalink / raw)
To: linux-audit
Hello,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:
- Fix NULL poiinter deref in auparse
- Optionally add dependency to libcap-ng in audit.pc
This is another bug fix release. The NULL ptr deref in auparse is crashing
auditd. And this adds a missing library dependency in the package config file
reported by Laurent.
Please let me know if you run across any problems with this release.
-Steve
^ permalink raw reply
* Re: Missing linker flags when statically linking
From: Steve Grubb @ 2016-07-05 12:15 UTC (permalink / raw)
To: linux-audit
In-Reply-To: <270aeb86-be05-03f0-0983-10e199083f56@debian.org>
Hello,
On Monday, July 4, 2016 2:08:14 PM EDT Laurent Bigonville wrote:
> Apparently the audit.pc file is missing flags to allow libaudit to be
> statically linked (see [0]).
>
> Adding something like "Requires.private: libcap-ng" should fix the problem.
OK. Fixed. There will be a new audit package release in a little while that
has this fixed.
-Steve
^ permalink raw reply
* Missing linker flags when statically linking
From: Laurent Bigonville @ 2016-07-04 12:08 UTC (permalink / raw)
To: linux-audit
Hello,
Apparently the audit.pc file is missing flags to allow libaudit to be
statically linked (see [0]).
Adding something like "Requires.private: libcap-ng" should fix the problem.
Regards,
Laurent Bigonville
[0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=829500
^ permalink raw reply
* audit 2.6.2 released
From: Steve Grubb @ 2016-07-01 16:10 UTC (permalink / raw)
To: linux-audit
Hello,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:
- Fix ausearch segfault when using numeric uids
- In auparse move aulol structure into auparse_state_t
- Save and restore libcap-ng state when doing a capability check
- Require auparse_state_t pointer on auparse_set_escape_mode
This is another bug fix release. This fixes several bugs that have been
discovered during testing. The most important bug fixed is saving the
capability state and restoring it when testing capabilities. Not doing this
breaks the newer libvirt based programs such as gnome-boxes.
Please let me know if you run across any problems with this release.
-Steve
^ permalink raw reply
* Re: Audit, lxc containers and logged paths
From: Michele Giacomoli @ 2016-07-01 7:40 UTC (permalink / raw)
To: linux-audit
In-Reply-To: <20160630180914.GD27725@madcap2.tricolour.ca>
Got it. Thank you very much Richard
Il 30/06/2016 20:09, Richard Guy Briggs ha scritto:
> On 2016-06-30 19:27, Michele Giacomoli wrote:
>> Hello everybody,
> Hi Michele,
>
>> I need to watch folders inside unprivileged linux containers. From
>> what I know it's not possible to run audit inside a lxc guest, so I
>> set up audit inside the host to log access to dirs using absolute
>> path (e.g. /var/lib/lxc/mycontainer/rootfs/etc/) and it works, but
>> giving a look at the logs I found that both the paths of the
>> executable and the path that has been accessed are relative to the
>> container (i.e. /bin/ls and /etc/passwd), so I don't have a clue of
>> which is the container that generated the record. I could compare
>> the uid that generated it whith the uids set for the containers, but
>> it seems an ugly solution.
> General topics surrounding this sort of issue have been discussed on
> this list over the last couple of year. The way things are currently
> set up you are correct in the current way to address this problem. The
> kernel currently has no concept of containers.
>
>> Can audit be configured for logging the absolute paths, or give me a
>> hint of the container that generated the record?
> There have been some proposals to address this sort of challenge, but
> there is no consensus yet. I'm doing a presentaiton at the Linux
> Security Summit in Toronto this year in August that will touch on some
> of these issues and how we might address them. Some approaches document
> the namespaces of events and others allow audit to run in the container.
>
> (As to the follow-on reply, at this point the distribution is irrelevant
> since it isn't in the upstream kernel yet.)
>
>> Michele
> - RGB
>
> --
> Richard Guy Briggs <rgb@redhat.com>
> Kernel Security Engineering, Base Operating Systems, Red Hat
> Remote, Ottawa, Canada
> Voice: +1.647.777.2635, Internal: (81) 32635
^ permalink raw reply
* Re: Audit, lxc containers and logged paths
From: Richard Guy Briggs @ 2016-06-30 18:09 UTC (permalink / raw)
To: Michele Giacomoli; +Cc: linux-audit
In-Reply-To: <57755679.7090007@mynet.it>
On 2016-06-30 19:27, Michele Giacomoli wrote:
> Hello everybody,
Hi Michele,
> I need to watch folders inside unprivileged linux containers. From
> what I know it's not possible to run audit inside a lxc guest, so I
> set up audit inside the host to log access to dirs using absolute
> path (e.g. /var/lib/lxc/mycontainer/rootfs/etc/) and it works, but
> giving a look at the logs I found that both the paths of the
> executable and the path that has been accessed are relative to the
> container (i.e. /bin/ls and /etc/passwd), so I don't have a clue of
> which is the container that generated the record. I could compare
> the uid that generated it whith the uids set for the containers, but
> it seems an ugly solution.
General topics surrounding this sort of issue have been discussed on
this list over the last couple of year. The way things are currently
set up you are correct in the current way to address this problem. The
kernel currently has no concept of containers.
> Can audit be configured for logging the absolute paths, or give me a
> hint of the container that generated the record?
There have been some proposals to address this sort of challenge, but
there is no consensus yet. I'm doing a presentaiton at the Linux
Security Summit in Toronto this year in August that will touch on some
of these issues and how we might address them. Some approaches document
the namespaces of events and others allow audit to run in the container.
(As to the follow-on reply, at this point the distribution is irrelevant
since it isn't in the upstream kernel yet.)
> Michele
- RGB
--
Richard Guy Briggs <rgb@redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
^ permalink raw reply
* Re: Audit, lxc containers and logged paths
From: Michele Giacomoli @ 2016-06-30 17:40 UTC (permalink / raw)
To: linux-audit
In-Reply-To: <57755679.7090007@mynet.it>
Sorry, forgot to mention:
Host is Ubuntu 14.04, while guests are different Ubuntu versions
Audit is installed from Ubuntu repos (version 1:2.3.2-2ubuntu1)
Thank you
Il 30/06/2016 19:27, Michele Giacomoli ha scritto:
> Hello everybody,
>
> I need to watch folders inside unprivileged linux containers. From
> what I know it's not possible to run audit inside a lxc guest, so I
> set up audit inside the host to log access to dirs using absolute path
> (e.g. /var/lib/lxc/mycontainer/rootfs/etc/) and it works, but giving a
> look at the logs I found that both the paths of the executable and the
> path that has been accessed are relative to the container (i.e.
> /bin/ls and /etc/passwd), so I don't have a clue of which is the
> container that generated the record. I could compare the uid that
> generated it whith the uids set for the containers, but it seems an
> ugly solution.
>
> Can audit be configured for logging the absolute paths, or give me a
> hint of the container that generated the record?
>
> Best regards
> Michele
^ permalink raw reply
* Audit, lxc containers and logged paths
From: Michele Giacomoli @ 2016-06-30 17:27 UTC (permalink / raw)
To: linux-audit
Hello everybody,
I need to watch folders inside unprivileged linux containers. From what
I know it's not possible to run audit inside a lxc guest, so I set up
audit inside the host to log access to dirs using absolute path (e.g.
/var/lib/lxc/mycontainer/rootfs/etc/) and it works, but giving a look at
the logs I found that both the paths of the executable and the path that
has been accessed are relative to the container (i.e. /bin/ls and
/etc/passwd), so I don't have a clue of which is the container that
generated the record. I could compare the uid that generated it whith
the uids set for the containers, but it seems an ugly solution.
Can audit be configured for logging the absolute paths, or give me a
hint of the container that generated the record?
Best regards
Michele
^ permalink raw reply
* Re: [Y2038] [PATCH v3 00/24] Delete CURRENT_TIME_SEC and replace current_fs_time()
From: Arnd Bergmann @ 2016-06-29 19:48 UTC (permalink / raw)
To: y2038-cunTk1MwBs8s++Sfvej+rw
Cc: shaggy-DgEjT+Ai2ygdnm+yROfE0A,
jfs-discussion-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f,
trond.myklebust-7I+n7zu2hftEKMMhf/gKZA,
adrian.hunter-ral2JQCrhuEAvxtiuMwx3w, clm-b10kYP2dOMg,
adilger.kernel-m1MBpc4rdrD3fQ9qLvQP4Q, Deepa Dinamani,
tglx-hfZtesqFncYOwBW4kG4KsQ, sfrench-eUNUBHrolfbYtjvyW6yDsg,
paul-r2n+y4ga6xFZroRs9YW3xA, sage-H+wXaHxf7aLQT0dZR+AlfA,
idryomov-Re5JQEeQqe8AvxtiuMwx3w,
linux-ext4-u79uwXL29TY76Z2rM5mHXA,
cm224.lee-Sze3O3UU22JBDgjK7y7TUQ, mfasheh-IBi9RG/b67k,
john.stultz-QSEj5FYQhm4dnm+yROfE0A,
viro-RmSDqhL/yNMiFSDQTTA3OLVCufUGDwFn, dsterba-IBi9RG/b67k,
jaegeuk-DgEjT+Ai2ygdnm+yROfE0A, ceph-devel-u79uwXL29TY76Z2rM5mHXA,
jlbec-aKy9MeLSZ9dg9hUCZPvPmw, linux-nfs-u79uwXL29TY76Z2rM5mHXA,
elder-DgEjT+Ai2ygdnm+yROfE0A, tytso-3s7WtUTddSA,
dedekind1-Re5JQEeQqe8AvxtiuMwx3w, jbacik-b10kYP2dOMg,
gregkh-hQyY1W1yCW8ekmWlsbkhG0B+6BGkLq7r,
linux-kernel-u79uwXL29TY76Z2rM5mHXA,
eparis-H+wXaHxf7aLQT0dZR+AlfA,
linux-f2fs-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f,
zyan-H+wXaHxf7aLQT0dZR+AlfA, linux-audit-H+wXaHxf7aLQT0dZR+AlfA,
linux-btrfs-u79uwXL29TY76Z2rM5mHXA, jack-IBi9RG/b67k,
linux-fsdevel-u79uwXL29TY76Z2rM5mHXA,
linux-mtd-IAPFreCvJWM7uuMidbF8XUB+6BGkLq7r, torvalds
In-Reply-To: <1466890668-23400-1-git-send-email-deepa.kernel-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
On Saturday, June 25, 2016 2:37:24 PM CEST Deepa Dinamani wrote:
> The series is aimed at getting rid of CURRENT_TIME, CURRENT_TIME_SEC macros
> and replacing current_fs_time() with current_time().
> The macros are not y2038 safe. There is no plan to transition them into being
> y2038 safe.
> ktime_get_* api's can be used in their place. And, these are y2038 safe.
>
> CURRENT_TIME will be deleted after 4.8 rc1 as there is a dependency function
> time64_to_tm() for one of the CURRENT_TIME occurance.
>
> Thanks to Arnd Bergmann for all the guidance and discussions.
>
> Patches 3-5 were mostly generated using coccinelle.
>
> All filesystem timestamps use current_fs_time() for right granularity as
> mentioned in the respective commit texts of patches. This has a changed
> signature, renamed to current_time() and moved to the fs/inode.c.
>
> This series also serves as a preparatory series to transition vfs to 64 bit
> timestamps as outlined here: https://lkml.org/lkml/2016/2/12/104 .
>
> As per Linus's suggestion in https://lkml.org/lkml/2016/5/24/663 , all the
> inode timestamp changes have been squashed into a single patch. Also,
> current_time() now is used as a single generic vfs filesystem timestamp api.
> It also takes struct inode* as argument instead of struct super_block*.
> Posting all patches together in a bigger series so that the big picture is
> clear.
>
> As per the suggestion in https://lwn.net/Articles/672598/, CURRENT_TIME macro
> bug fixes are being handled in a series separate from transitioning vfs to use.
>
Everything in this version looks good to me. Please add
Reviewed-by: Arnd Bergmann <arnd-r2nGTMty4D4@public.gmane.org>
and send a pull request to Al Viro, based on the latest linux-4.7-rc release.
Arnd
^ permalink raw reply
* [GIT PULL] Audit fixes for 4.7 (#1)
From: Paul Moore @ 2016-06-29 16:58 UTC (permalink / raw)
To: Linus Torvalds; +Cc: linux-audit, linux-kernel
Hi Linus,
Two small patches to fix audit problems in 4.7-rcX; the first fixes a
potential kref leak, the second removes some header file noise. The
first is an important bug fix that really should go in before 4.7 is
released, the second is not critical, but falls into the
very-nice-to-have category so I'm including in the pull request; if
you object to the second let me know and I'll send a new request with
just the first patch.
Both patches are straightforward, self-contained, and pass our
testsuite without problem; please merge into the next v4.7-rcX
release.
Thanks,
-Paul
---
The following changes since commit 188e3c5cd2b672620291e64a21f1598fe91e40b6:
tty: provide tty_name() even without CONFIG_TTY (2016-04-27 17:12:58 -0400)
are available in the git repository at:
git://git.infradead.org/users/pcmoore/audit stable-4.7
for you to fetch changes up to 3f5be2da8565c1cce5655bb0948fcc957c6eb6c6:
audit: move audit_get_tty to reduce scope and kabi changes
(2016-06-28 15:48:48 -0400)
----------------------------------------------------------------
Richard Guy Briggs (2):
audit: move calcs after alloc and check when logging set loginuid
audit: move audit_get_tty to reduce scope and kabi changes
include/linux/audit.h | 24 ------------------------
kernel/audit.c | 17 +++++++++++++++++
kernel/audit.h | 4 ++++
kernel/auditsc.c | 8 ++++----
4 files changed, 25 insertions(+), 28 deletions(-)
--
paul moore
security @ redhat
^ permalink raw reply
* Re: Inconsistencies between shipped initscript and .service file
From: Steve Grubb @ 2016-06-29 16:29 UTC (permalink / raw)
To: linux-audit
In-Reply-To: <70d04f75-0f85-ff0e-5306-e4386fa6fc40@debian.org>
Hello,
On Wednesday, June 29, 2016 05:48:46 PM Laurent Bigonville wrote:
> I think there are inconsistencies between the behavior of the shipped
> LSB inistscript and the systemd .service.
>
> The sysconfig config file sets USE_AUGENRULES="no" and
> AUDITD_CLEAN_STOP="yes" while the .service file is actually doing the
> opposite.
>
> I guess that the sysconfig config should be modified (even if it's a
> quite minor issue)?
The idea is this, I didn't want to cause a regression on distributions. The
sysvinit scripts have been shipped forever and always expected the rule to be
in a specific place. So, its disabled so that there are no surprises. That's
because to enable it means that you got to put the rules in the rules.d
directory.
So, the thinking is that if you areswitching to systemd, there a lot different
about the system and as part of re-doing how you use the system let's just put
the rules in the right place and use augenrules by default.
Migrating between the two is not so easy. It needs to be done with intention
or you might get your rules overwritten.
-Steve
^ permalink raw reply
* Inconsistencies between shipped initscript and .service file
From: Laurent Bigonville @ 2016-06-29 15:48 UTC (permalink / raw)
To: linux-audit
Hi,
I think there are inconsistencies between the behavior of the shipped
LSB inistscript and the systemd .service.
The sysconfig config file sets USE_AUGENRULES="no" and
AUDITD_CLEAN_STOP="yes" while the .service file is actually doing the
opposite.
I guess that the sysconfig config should be modified (even if it's a
quite minor issue)?
Regards,
Laurent Bigonville
^ permalink raw reply
* audit 2.6.1 released
From: Steve Grubb @ 2016-06-29 1:39 UTC (permalink / raw)
To: linux-audit
Hello,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:
- Do capabilities check rather than uid
- Auditd fixup directory and file permissions on startup
- Add some missing config items to auditd reconfigure
- In audisp-remote add warn_once and warn_once_continue action handlers
- In audisp-remote only emit 1 warning when disk_full or error is reached.
- Aulast now searches on user name as a string for enriched events
- Ausearch now searches on user name as a string for enriched events
- Create audit-stop.rules to clean up audit subsystem on stop
- Adjust LDFLAGS for cross compiled helper utilities (Laurent Bigonville)
- Fix event formatting issue in audispd
- Fix bug causing ack to not be sent from auditd to audisp-remote
This release follows the last one quickly because its a bugfix release. The
last release had a lot of code churn and debug and testing was not 100%
complete. The biggest issue was that during the creation of the protocol 2
format handler in auditspd, some newlines got stripped from the formatting.
This caused problems for any protocol 1 events. The likely effect is audispd
plugins not working correctly.
There was also a bug in auditd due to refactoring the code to retry sending
events to the dispatcher. The effect of the bug was to zero out the ack
function when receiving remote events. This caused audisp-remote to retry
sending the event over and over because it timed out thinking the server was
have comm problems.
It was also pointed out that some people don't want audit events of any kind
going to syslog when the audit daemon was stopped. This update adds a new file,
audit-stop.rules, which gets loaded when the audit daemon stops. The current
rules disables the audit subsystem and deletes all rules.
The conversion to enriched events was not complete in 2.6. The ausearch and
aulast program needed to use the user name as a string to search for events.
audisp-remote was reworked to only emit 1 warning when disk_full or error is
reached. New config options were added to help accomplish this. There is now
warn_once and warn_once_continue options for failures. It acts like the syslog
option except it only sends one. Read the man page for more details.
It was also found that not all config options were being loaded when the audit
daemon received SIGHUP.
The audit daemon will now fix logging directory ownership and mode during
restart or config reload. This will help everyone who sets the log access group
because it will restore the config after an upgrade.
Almost every place that uid was checked for root has been updated to do a
capability check instead.
Please let me know if you run across any problems with this release.
-Steve
^ permalink raw reply
* Re: Reset the LDFLAGS when building helper executables
From: Steve Grubb @ 2016-06-28 20:44 UTC (permalink / raw)
To: linux-audit
In-Reply-To: <47dd633f-1193-aef9-39a3-b621cf77fde7@debian.org>
On Tuesday, June 28, 2016 01:10:04 AM Laurent Bigonville wrote:
> > Looking that build system, it seems that CFLAGS and CPPFLAGS for these
> > executables are overriden in lib/Makefile.am and auparse/Makefile.am
> > (with CFLAGS_FOR_BUILD and CPPFLAGS_FOR_BUILD) but the LDFLAGS are
> > left untouched.
> >
> > Shouldn't the LDFLAGS also be reset when building these executables?
>
> The attached patch fixes the FTBFS for me
Thanks. Applied in commit 1292.
-Steve
^ permalink raw reply
* Re: [PATCH] audit: move audit_get_tty to reduce scope and kabi changes
From: Paul Moore @ 2016-06-28 19:56 UTC (permalink / raw)
To: Richard Guy Briggs; +Cc: linux-audit, linux-kernel, peter
In-Reply-To: <b23cc2047de07cf25cfb8a61c652d9c1fafc1df1.1467124809.git.rgb@redhat.com>
On Tue, Jun 28, 2016 at 12:07 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
> The only users of audit_get_tty and audit_put_tty are internal to audit,
> so move it out of include/linux/audit.h to kernel.h and create a proper
> function rather than inlining it. This also reduces kABI changes.
>
> Suggested-by: Paul Moore <pmoore@redhat.com>
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> ---
> include/linux/audit.h | 24 ------------------------
> kernel/audit.c | 17 +++++++++++++++++
> kernel/audit.h | 4 ++++
> kernel/auditsc.c | 1 -
> 4 files changed, 21 insertions(+), 25 deletions(-)
With some exceptions, unless it lives under include/uapi it really
isn't a stable API issue for the kernel; all the other kABI fun is a
distribution specific value-add and not something we care about
upstream. That said, I think this is the better choice.
Further, since I'm already pushing your other patch to Linus for the
next 4.7-rc, I'm going to include this as I think it is worth fixing
now. Although if Linus balks at this patch I'm not going to fight
very hard for it, I'll just defer it to a future merge window.
> diff --git a/include/linux/audit.h b/include/linux/audit.h
> index 32cdafb..b40ed5d 100644
> --- a/include/linux/audit.h
> +++ b/include/linux/audit.h
> @@ -26,7 +26,6 @@
> #include <linux/sched.h>
> #include <linux/ptrace.h>
> #include <uapi/linux/audit.h>
> -#include <linux/tty.h>
>
> #define AUDIT_INO_UNSET ((unsigned long)-1)
> #define AUDIT_DEV_UNSET ((dev_t)-1)
> @@ -344,23 +343,6 @@ static inline unsigned int audit_get_sessionid(struct task_struct *tsk)
> return tsk->sessionid;
> }
>
> -static inline struct tty_struct *audit_get_tty(struct task_struct *tsk)
> -{
> - struct tty_struct *tty = NULL;
> - unsigned long flags;
> -
> - spin_lock_irqsave(&tsk->sighand->siglock, flags);
> - if (tsk->signal)
> - tty = tty_kref_get(tsk->signal->tty);
> - spin_unlock_irqrestore(&tsk->sighand->siglock, flags);
> - return tty;
> -}
> -
> -static inline void audit_put_tty(struct tty_struct *tty)
> -{
> - tty_kref_put(tty);
> -}
> -
> extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp);
> extern void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode);
> extern void __audit_bprm(struct linux_binprm *bprm);
> @@ -518,12 +500,6 @@ static inline unsigned int audit_get_sessionid(struct task_struct *tsk)
> {
> return -1;
> }
> -static inline struct tty_struct *audit_get_tty(struct task_struct *tsk)
> -{
> - return NULL;
> -}
> -static inline void audit_put_tty(struct tty_struct *tty)
> -{ }
> static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
> { }
> static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid,
> diff --git a/kernel/audit.c b/kernel/audit.c
> index 384374a..d597101 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -1866,6 +1866,23 @@ out_null:
> audit_log_format(ab, " exe=(null)");
> }
>
> +struct tty_struct *audit_get_tty(struct task_struct *tsk)
> +{
> + struct tty_struct *tty = NULL;
> + unsigned long flags;
> +
> + spin_lock_irqsave(&tsk->sighand->siglock, flags);
> + if (tsk->signal)
> + tty = tty_kref_get(tsk->signal->tty);
> + spin_unlock_irqrestore(&tsk->sighand->siglock, flags);
> + return tty;
> +}
> +
> +void audit_put_tty(struct tty_struct *tty)
> +{
> + tty_kref_put(tty);
> +}
> +
> void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
> {
> const struct cred *cred;
> diff --git a/kernel/audit.h b/kernel/audit.h
> index cbbe6bb..a492f4c 100644
> --- a/kernel/audit.h
> +++ b/kernel/audit.h
> @@ -23,6 +23,7 @@
> #include <linux/audit.h>
> #include <linux/skbuff.h>
> #include <uapi/linux/mqueue.h>
> +#include <linux/tty.h>
>
> /* AUDIT_NAMES is the number of slots we reserve in the audit_context
> * for saving names from getname(). If we get more names we will allocate
> @@ -262,6 +263,9 @@ extern struct audit_entry *audit_dupe_rule(struct audit_krule *old);
> extern void audit_log_d_path_exe(struct audit_buffer *ab,
> struct mm_struct *mm);
>
> +extern struct tty_struct *audit_get_tty(struct task_struct *tsk);
> +extern void audit_put_tty(struct tty_struct *tty);
> +
> /* audit watch functions */
> #ifdef CONFIG_AUDIT_WATCH
> extern void audit_put_watch(struct audit_watch *watch);
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 33dafa7..60a354e 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -63,7 +63,6 @@
> #include <asm/unistd.h>
> #include <linux/security.h>
> #include <linux/list.h>
> -#include <linux/tty.h>
> #include <linux/binfmts.h>
> #include <linux/highmem.h>
> #include <linux/syscalls.h>
> --
> 1.7.1
>
--
paul moore
security @ redhat
^ permalink raw reply
* Re: [PATCH] audit: move calcs after alloc and check when logging set loginuid
From: Paul Moore @ 2016-06-28 19:42 UTC (permalink / raw)
To: Richard Guy Briggs; +Cc: linux-audit, linux-kernel, peter, sgrubb, eparis
In-Reply-To: <fbde8aaf26896ac6f177c4d87d721fdef21346b3.1467124299.git.rgb@redhat.com>
On Tue, Jun 28, 2016 at 12:06 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
> Move the calculations of values after the allocation in case the
> allocation fails. This avoids wasting effort in the rare case that it
> fails, but more importantly saves us extra logic to release the tty ref.
>
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> ---
> kernel/auditsc.c | 7 ++++---
> 1 files changed, 4 insertions(+), 3 deletions(-)
Most importantly it keeps us from leaking a kref, which we currently
do if audit_log_start() fails.
Applied to audit#stable-4.7 and I'll be pushing this to Linus once
I've had a chance to see if your other patch is worth pushing during
the 4.7-rc cycle too.
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 71e14d8..33dafa7 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -1985,14 +1985,15 @@ static void audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid,
> if (!audit_enabled)
> return;
>
> + ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN);
> + if (!ab)
> + return;
> +
> uid = from_kuid(&init_user_ns, task_uid(current));
> oldloginuid = from_kuid(&init_user_ns, koldloginuid);
> loginuid = from_kuid(&init_user_ns, kloginuid),
> tty = audit_get_tty(current);
>
> - ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN);
> - if (!ab)
> - return;
> audit_log_format(ab, "pid=%d uid=%u", task_pid_nr(current), uid);
> audit_log_task_context(ab);
> audit_log_format(ab, " old-auid=%u auid=%u tty=%s old-ses=%u ses=%u res=%d",
> --
> 1.7.1
>
--
paul moore
security @ redhat
^ permalink raw reply
* Re: [PATCH] audit: catch errors from audit_filter_rules field checks
From: Richard Guy Briggs @ 2016-06-28 17:29 UTC (permalink / raw)
To: Paul Moore; +Cc: linux-audit, linux-kernel
In-Reply-To: <CAHC9VhSdBr8oNCSYVHm0=DD=484SYw-CAK5-92Hf9uRm4Bj2cw@mail.gmail.com>
On 2016-06-16 17:07, Paul Moore wrote:
> On Tue, Jun 14, 2016 at 5:03 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
> > In the case of an error returned from a field check in an audit filter
> > syscall rule, it is treated as a match and the rule action is honoured.
> >
> > This could cause a rule with a default of NEVER and an selinux field
> > check error to avoid logging.
> >
> > Recommend matching with an action of ALWAYS to catch malicious abuse of
> > this bug. The downside of this approach is it could DoS the audit
> > subsystem.
>
> I understand your concern about the DoS, but in reality it is no worse
> than if no audit filter rules were configured, yes?
Are you thinking of audit_filter_type which has now been merged with
audit_filter_user?
This is audit_filter_rules, which is used by syscalls with a much
broader choice of selectors.
If there are no rules set, there are no messages recorded other than
AVCs. If a rule was configured and an error occurred in one of the
SELinux checks, it would match and not report. I'd argue it should fail
safe and report.
> > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> > ---
> > kernel/auditsc.c | 4 ++++
> > 1 files changed, 4 insertions(+), 0 deletions(-)
> >
> > diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> > index 71e14d8..6123672 100644
> > --- a/kernel/auditsc.c
> > +++ b/kernel/auditsc.c
> > @@ -683,6 +683,10 @@ static int audit_filter_rules(struct task_struct *tsk,
> > }
> > if (!result)
> > return 0;
> > + if (result < 0) {
> > + *state = AUDIT_RECORD_CONTEXT;
> > + return 1;
> > + }
> > }
> >
> > if (ctx) {
>
> --
> paul moore
> www.paul-moore.com
- RGB
--
Richard Guy Briggs <rgb@redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
^ permalink raw reply
* [PATCH] audit: move audit_get_tty to reduce scope and kabi changes
From: Richard Guy Briggs @ 2016-06-28 16:07 UTC (permalink / raw)
To: linux-audit, linux-kernel; +Cc: Richard Guy Briggs, peter
The only users of audit_get_tty and audit_put_tty are internal to audit,
so move it out of include/linux/audit.h to kernel.h and create a proper
function rather than inlining it. This also reduces kABI changes.
Suggested-by: Paul Moore <pmoore@redhat.com>
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
include/linux/audit.h | 24 ------------------------
kernel/audit.c | 17 +++++++++++++++++
kernel/audit.h | 4 ++++
kernel/auditsc.c | 1 -
4 files changed, 21 insertions(+), 25 deletions(-)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 32cdafb..b40ed5d 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -26,7 +26,6 @@
#include <linux/sched.h>
#include <linux/ptrace.h>
#include <uapi/linux/audit.h>
-#include <linux/tty.h>
#define AUDIT_INO_UNSET ((unsigned long)-1)
#define AUDIT_DEV_UNSET ((dev_t)-1)
@@ -344,23 +343,6 @@ static inline unsigned int audit_get_sessionid(struct task_struct *tsk)
return tsk->sessionid;
}
-static inline struct tty_struct *audit_get_tty(struct task_struct *tsk)
-{
- struct tty_struct *tty = NULL;
- unsigned long flags;
-
- spin_lock_irqsave(&tsk->sighand->siglock, flags);
- if (tsk->signal)
- tty = tty_kref_get(tsk->signal->tty);
- spin_unlock_irqrestore(&tsk->sighand->siglock, flags);
- return tty;
-}
-
-static inline void audit_put_tty(struct tty_struct *tty)
-{
- tty_kref_put(tty);
-}
-
extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp);
extern void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode);
extern void __audit_bprm(struct linux_binprm *bprm);
@@ -518,12 +500,6 @@ static inline unsigned int audit_get_sessionid(struct task_struct *tsk)
{
return -1;
}
-static inline struct tty_struct *audit_get_tty(struct task_struct *tsk)
-{
- return NULL;
-}
-static inline void audit_put_tty(struct tty_struct *tty)
-{ }
static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
{ }
static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid,
diff --git a/kernel/audit.c b/kernel/audit.c
index 384374a..d597101 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1866,6 +1866,23 @@ out_null:
audit_log_format(ab, " exe=(null)");
}
+struct tty_struct *audit_get_tty(struct task_struct *tsk)
+{
+ struct tty_struct *tty = NULL;
+ unsigned long flags;
+
+ spin_lock_irqsave(&tsk->sighand->siglock, flags);
+ if (tsk->signal)
+ tty = tty_kref_get(tsk->signal->tty);
+ spin_unlock_irqrestore(&tsk->sighand->siglock, flags);
+ return tty;
+}
+
+void audit_put_tty(struct tty_struct *tty)
+{
+ tty_kref_put(tty);
+}
+
void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
{
const struct cred *cred;
diff --git a/kernel/audit.h b/kernel/audit.h
index cbbe6bb..a492f4c 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -23,6 +23,7 @@
#include <linux/audit.h>
#include <linux/skbuff.h>
#include <uapi/linux/mqueue.h>
+#include <linux/tty.h>
/* AUDIT_NAMES is the number of slots we reserve in the audit_context
* for saving names from getname(). If we get more names we will allocate
@@ -262,6 +263,9 @@ extern struct audit_entry *audit_dupe_rule(struct audit_krule *old);
extern void audit_log_d_path_exe(struct audit_buffer *ab,
struct mm_struct *mm);
+extern struct tty_struct *audit_get_tty(struct task_struct *tsk);
+extern void audit_put_tty(struct tty_struct *tty);
+
/* audit watch functions */
#ifdef CONFIG_AUDIT_WATCH
extern void audit_put_watch(struct audit_watch *watch);
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 33dafa7..60a354e 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -63,7 +63,6 @@
#include <asm/unistd.h>
#include <linux/security.h>
#include <linux/list.h>
-#include <linux/tty.h>
#include <linux/binfmts.h>
#include <linux/highmem.h>
#include <linux/syscalls.h>
--
1.7.1
^ permalink raw reply related
* [PATCH] audit: move calcs after alloc and check when logging set loginuid
From: Richard Guy Briggs @ 2016-06-28 16:06 UTC (permalink / raw)
To: linux-audit, linux-kernel
Cc: Richard Guy Briggs, peter, sgrubb, pmoore, eparis
Move the calculations of values after the allocation in case the
allocation fails. This avoids wasting effort in the rare case that it
fails, but more importantly saves us extra logic to release the tty ref.
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
kernel/auditsc.c | 7 ++++---
1 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 71e14d8..33dafa7 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1985,14 +1985,15 @@ static void audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid,
if (!audit_enabled)
return;
+ ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN);
+ if (!ab)
+ return;
+
uid = from_kuid(&init_user_ns, task_uid(current));
oldloginuid = from_kuid(&init_user_ns, koldloginuid);
loginuid = from_kuid(&init_user_ns, kloginuid),
tty = audit_get_tty(current);
- ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN);
- if (!ab)
- return;
audit_log_format(ab, "pid=%d uid=%u", task_pid_nr(current), uid);
audit_log_task_context(ab);
audit_log_format(ab, " old-auid=%u auid=%u tty=%s old-ses=%u ses=%u res=%d",
--
1.7.1
^ permalink raw reply related
* Re: [PATCH v2] s390: ensure that syscall arguments are properly masked on s390
From: Heiko Carstens @ 2016-06-28 4:51 UTC (permalink / raw)
To: Paul Moore; +Cc: linux-s390, linux-audit
In-Reply-To: <CAGH-KgunDc74vuRa=z4yF8x5Ccxcery8-Ya1AqxdpAjaXEBxGQ@mail.gmail.com>
On Mon, Jun 27, 2016 at 10:37:59AM -0400, Paul Moore wrote:
> On Mon, Jun 27, 2016 at 10:34 AM, Paul Moore <pmoore@redhat.com> wrote:
> > From: Paul Moore <paul@paul-moore.com>
> >
> > When executing s390 code on s390x the syscall arguments are not
> > properly masked, leading to some malformed audit records.
> >
> > Signed-off-by: Paul Moore <paul@paul-moore.com>
> > ---
> > arch/s390/kernel/ptrace.c | 10 +++++++---
> > 1 file changed, 7 insertions(+), 3 deletions(-)
>
> The only change between v2 and the original patch is the use of
> is_compat_task() instead of the #ifdef, as suggested by Heiko. Like
> before, I've added this patch to the audit#next branch; I think we
> have sorted all the feedback, but if any objections remain please let
> me know.
Thanks!
Acked-by: Heiko Carstens <heiko.carstens@de.ibm.com>
^ permalink raw reply
* Re: Reset the LDFLAGS when building helper executables
From: Laurent Bigonville @ 2016-06-27 23:10 UTC (permalink / raw)
To: linux-audit@redhat.com
In-Reply-To: <0e720589-e434-e617-61a3-8805d4324f86@debian.org>
[-- Attachment #1: Type: text/plain, Size: 1455 bytes --]
Le 27/06/16 à 22:08, Laurent Bigonville a écrit :
> Hello,
>
> When enabling the hardening flags on debian (adding bindnow and PIE) I
> get the following message:
>
> gcc -DHAVE_CONFIG_H -I. -I../../../lib -I.. -I. -I../../..
> -I../../../auparse '-DTABLE_H="actiontab.h"' -g -O2 -c -o
> gen_actiontabs_h-gen_tables.o `test -f 'gen_tables.c' || echo
> '../../../lib/'`gen_tables.c
> /bin/bash ../libtool --tag=CC --mode=link gcc
> '-DTABLE_H="actiontab.h"' -g -O2 -fPIE -pie -Wl,-z,relro -Wl,-z,now
> -Wl,--as-needed -o gen_actiontabs_h gen_actiontabs_h-gen_tables.o
> libtool: link: gcc -DTABLE_H=\"actiontab.h\" -g -O2 -fPIE -pie -Wl,-z
> -Wl,relro -Wl,-z -Wl,now -Wl,--as-needed -o gen_actiontabs_h
> gen_actiontabs_h-gen_tables.o
> /usr/bin/ld: gen_actiontabs_h-gen_tables.o: relocation R_X86_64_32
> against `.rodata.str1.1' can not be used when making a shared object;
> recompile with -fPIC
> gen_actiontabs_h-gen_tables.o: error adding symbols: Bad value
> collect2: error: ld returned 1 exit status
>
> Looking that build system, it seems that CFLAGS and CPPFLAGS for these
> executables are overriden in lib/Makefile.am and auparse/Makefile.am
> (with CFLAGS_FOR_BUILD and CPPFLAGS_FOR_BUILD) but the LDFLAGS are
> left untouched.
>
> Shouldn't the LDFLAGS also be reset when building these executables?
The attached patch fixes the FTBFS for me
>
> Regards,
>
> Laurent Bigonville
>
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: ldflags_for_build.patch --]
[-- Type: text/x-patch; name="ldflags_for_build.patch", Size: 33781 bytes --]
Index: auparse/Makefile.am
===================================================================
--- a/auparse/Makefile.am (révision 1290)
+++ b/auparse/Makefile.am (copie de travail)
@@ -84,9 +84,11 @@
$(gen_accesstabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
$(gen_accesstabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
$(gen_accesstabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+$(gen_accesstabs_h_OBJECTS): LDFLAGS=$(LDFLAGS_FOR_BUILD)
gen_accesstabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
gen_accesstabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
gen_accesstabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_accesstabs_h$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD)
accesstabs.h: gen_accesstabs_h Makefile
./gen_accesstabs_h --i2s-transtab access > $@
@@ -95,9 +97,11 @@
$(gen_captabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
$(gen_captabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
$(gen_captabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+$(gen_captabs_h_OBJECTS): LDFLAGS=$(LDFLAGS_FOR_BUILD)
gen_captabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
gen_captabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
gen_captabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_captabs_h$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD)
captabs.h: gen_captabs_h Makefile
./gen_captabs_h --i2s cap > $@
@@ -106,9 +110,11 @@
$(gen_clock_h_OBJECTS): CC=$(CC_FOR_BUILD)
$(gen_clock_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
$(gen_clock_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+$(gen_clock_h_OBJECTS): LDFLAGS=$(LDFLAGS_FOR_BUILD)
gen_clock_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
gen_clock_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
gen_clock_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_clock_h$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD)
clocktabs.h: gen_clock_h Makefile
./gen_clock_h --i2s clock > $@
@@ -118,9 +124,11 @@
$(gen_clone_flagtabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
$(gen_clone_flagtabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
$(gen_clone_flagtabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+$(gen_clone_flagtabs_h_OBJECTS): LDFLAGS=$(LDFLAGS_FOR_BUILD)
gen_clone-flagtabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
gen_clone-flagtabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
gen_clone-flagtabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_clone-flagtabs_h$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD)
clone-flagtabs.h: gen_clone-flagtabs_h Makefile
./gen_clone-flagtabs_h --i2s-transtab clone_flag > $@
@@ -129,9 +137,11 @@
$(gen_epoll_ctls_h_OBJECTS): CC=$(CC_FOR_BUILD)
$(gen_epoll_ctls_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
$(gen_epoll_ctls_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+$(gen_epoll_ctls_h_OBJECTS): LDFLAGS=$(LDFLAGS_FOR_BUILD)
gen_epoll_ctls_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
gen_epoll_ctls_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
gen_epoll_ctls_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_epoll_ctls_h$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD)
epoll_ctls.h: gen_epoll_ctls_h Makefile
./gen_epoll_ctls_h --i2s epoll_ctl > $@
@@ -140,9 +150,11 @@
$(gen_famtabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
$(gen_famtabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
$(gen_famtabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+$(gen_famtabs_h_OBJECTS): LDFLAGS=$(LDFLAGS_FOR_BUILD)
gen_famtabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
gen_famtabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
gen_famtabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_famtabs_h$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD)
famtabs.h: gen_famtabs_h Makefile
./gen_famtabs_h --i2s fam > $@
@@ -152,9 +164,11 @@
$(gen_flagtabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
$(gen_flagtabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
$(gen_flagtabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+$(gen_flagtabs_h_OBJECTS): LDFLAGS=$(LDFLAGS_FOR_BUILD)
gen_flagtabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
gen_flagtabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
gen_flagtabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_flagtabs_h$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD)
flagtabs.h: gen_flagtabs_h Makefile
./gen_flagtabs_h --i2s-transtab flag > $@
@@ -164,9 +178,11 @@
$(gen_fcntl_cmdtabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
$(gen_fcntl_cmdtabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
$(gen_fcntl_cmdtabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+$(gen_fcntl_cmdtabs_h_OBJECTS): LDFLAGS=$(LDFLAGS_FOR_BUILD)
gen_fcntl-cmdtabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
gen_fcntl-cmdtabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
gen_fcntl-cmdtabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_fcntl-cmdtabs_h$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD)
fcntl-cmdtabs.h: gen_fcntl-cmdtabs_h Makefile
./gen_fcntl-cmdtabs_h --i2s fcntl > $@
@@ -175,9 +191,11 @@
$(gen_icmptypetabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
$(gen_icmptypetabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
$(gen_icmptypetabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+$(gen_icmptypetabs_h_OBJECTS): LDFLAGS=$(LDFLAGS_FOR_BUILD)
gen_icmptypetabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
gen_icmptypetabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
gen_icmptypetabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_icmptypetabs_h$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD)
icmptypetabs.h: gen_icmptypetabs_h Makefile
./gen_icmptypetabs_h --i2s icmptype > $@
@@ -186,9 +204,11 @@
$(gen_ioctlreqtabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
$(gen_ioctlreqtabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
$(gen_ioctlreqtabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+$(gen_ioctlreqtabs_h_OBJECTS): LDFLAGS=$(LDFLAGS_FOR_BUILD)
gen_ioctlreqtabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
gen_ioctlreqtabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
gen_ioctlreqtabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_ioctlreqtabs_h$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD)
ioctlreqtabs.h: gen_ioctlreqtabs_h Makefile
./gen_ioctlreqtabs_h --i2s ioctlreq > $@
@@ -197,9 +217,11 @@
$(gen_ipctabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
$(gen_ipctabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
$(gen_ipctabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+$(gen_ipctabs_h_OBJECTS): LDFLAGS=$(LDFLAGS_FOR_BUILD)
gen_ipctabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
gen_ipctabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
gen_ipctabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_ipctabs_h$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD)
ipctabs.h: gen_ipctabs_h Makefile
./gen_ipctabs_h --i2s ipc > $@
@@ -208,9 +230,11 @@
$(gen_ipccmdtabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
$(gen_ipccmdtabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
$(gen_ipccmdtabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+$(gen_ipccmdtabs_h_OBJECTS): LDFLAGS=$(LDFLAGS_FOR_BUILD)
gen_ipccmdtabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
gen_ipccmdtabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
gen_ipccmdtabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_ipccmdtabs_h$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD)
ipccmdtabs.h: gen_ipccmdtabs_h Makefile
./gen_ipccmdtabs_h --i2s-transtab ipccmd > $@
@@ -219,9 +243,11 @@
$(gen_ipoptnametabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
$(gen_ipoptnametabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
$(gen_ipoptnametabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+$(gen_ipoptnametabs_h_OBJECTS): LDFLAGS=$(LDFLAGS_FOR_BUILD)
gen_ipoptnametabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
gen_ipoptnametabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
gen_ipoptnametabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_ipoptnametabs_h$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD)
ipoptnametabs.h: gen_ipoptnametabs_h Makefile
./gen_ipoptnametabs_h --i2s ipoptname > $@
@@ -230,9 +256,11 @@
$(gen_ip6optnametabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
$(gen_ip6optnametabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
$(gen_ip6optnametabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+$(gen_ip6optnametabs_h_OBJECTS): LDFLAGS=$(LDFLAGS_FOR_BUILD)
gen_ip6optnametabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
gen_ip6optnametabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
gen_ip6optnametabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_ip6optnametabs_h$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD)
ip6optnametabs.h: gen_ip6optnametabs_h Makefile
./gen_ip6optnametabs_h --i2s ip6optname > $@
@@ -241,9 +269,11 @@
$(gen_mmaptabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
$(gen_mmaptabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
$(gen_mmaptabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+$(gen_mmaptabs_h_OBJECTS): LDFLAGS=$(LDFLAGS_FOR_BUILD)
gen_mmaptabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
gen_mmaptabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
gen_mmaptabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_mmaptabs_h$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD)
mmaptabs.h: gen_mmaptabs_h Makefile
./gen_mmaptabs_h --i2s-transtab mmap > $@
@@ -252,9 +282,11 @@
$(gen_mounttabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
$(gen_mounttabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
$(gen_mounttabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+$(gen_mounttabs_h_OBJECTS): LDFLAGS=$(LDFLAGS_FOR_BUILD)
gen_mounttabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
gen_mounttabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
gen_mounttabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_mounttabs_h$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD)
mounttabs.h: gen_mounttabs_h Makefile
./gen_mounttabs_h --i2s-transtab mount > $@
@@ -263,9 +295,11 @@
$(gen_nfprototabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
$(gen_nfprototabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
$(gen_nfprototabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+$(gen_nfprototabs_h_OBJECTS): LDFLAGS=$(LDFLAGS_FOR_BUILD)
gen_nfprototabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
gen_nfprototabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
gen_nfprototabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_nfprototabs_h$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD)
nfprototabs.h: gen_nfprototabs_h Makefile
./gen_nfprototabs_h --i2s nfproto > $@
@@ -275,9 +309,11 @@
$(gen_open_flagtabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
$(gen_open_flagtabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
$(gen_open_flagtabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+$(gen_open_flagtabs_h_OBJECTS): LDFLAGS=$(LDFLAGS_FOR_BUILD)
gen_open-flagtabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
gen_open-flagtabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
gen_open-flagtabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_open-flagtabs_h$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD)
open-flagtabs.h: gen_open-flagtabs_h Makefile
./gen_open-flagtabs_h --i2s-transtab open_flag > $@
@@ -286,9 +322,11 @@
$(gen_persontabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
$(gen_persontabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
$(gen_persontabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+$(gen_persontabs_h_OBJECTS): LDFLAGS=$(LDFLAGS_FOR_BUILD)
gen_persontabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
gen_persontabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
gen_persontabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_persontabs_h$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD)
persontabs.h: gen_persontabs_h Makefile
./gen_persontabs_h --i2s person > $@
@@ -297,9 +335,11 @@
$(gen_ptracetabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
$(gen_ptracetabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
$(gen_ptracetabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+$(gen_ptracetabs_h_OBJECTS): LDFLAGS=$(LDFLAGS_FOR_BUILD)
gen_ptracetabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
gen_ptracetabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
gen_ptracetabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_ptracetabs_h$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD)
ptracetabs.h: gen_ptracetabs_h Makefile
./gen_ptracetabs_h --i2s ptrace > $@
@@ -308,9 +348,11 @@
$(gen_prctl_opttabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
$(gen_prctl_opttabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
$(gen_prctl_opttabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+$(gen_prctl_opttabs_h_OBJECTS): LDFLAGS=$(LDFLAGS_FOR_BUILD)
gen_prctl_opttabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
gen_prctl_opttabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
gen_prctl_opttabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_prctl_opttabs_h$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD)
prctl_opttabs.h: gen_prctl_opttabs_h Makefile
./gen_prctl_opttabs_h --i2s prctl_opt > $@
@@ -319,9 +361,11 @@
$(gen_pktoptnametabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
$(gen_pktoptnametabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
$(gen_pktoptnametabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+$(gen_pktoptnametabs_h_OBJECTS): LDFLAGS=$(LDFLAGS_FOR_BUILD)
gen_pktoptnametabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
gen_pktoptnametabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
gen_pktoptnametabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_pktoptnametabs_h$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD)
pktoptnametabs.h: gen_pktoptnametabs_h Makefile
./gen_pktoptnametabs_h --i2s pktoptname > $@
@@ -330,9 +374,11 @@
$(gen_prottabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
$(gen_prottabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
$(gen_prottabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+$(gen_prottabs_h_OBJECTS): LDFLAGS=$(LDFLAGS_FOR_BUILD)
gen_prottabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
gen_prottabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
gen_prottabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_prottabs_h$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD)
prottabs.h: gen_prottabs_h Makefile
./gen_prottabs_h --i2s-transtab prot > $@
@@ -341,9 +387,11 @@
$(gen_recvtabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
$(gen_recvtabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
$(gen_recvtabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+$(gen_recvtabs_h_OBJECTS): LDFLAGS=$(LDFLAGS_FOR_BUILD)
gen_recvtabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
gen_recvtabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
gen_recvtabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_recvtabs_h$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD)
recvtabs.h: gen_recvtabs_h Makefile
./gen_recvtabs_h --i2s-transtab recv > $@
@@ -352,9 +400,11 @@
$(gen_rlimit_h_OBJECTS): CC=$(CC_FOR_BUILD)
$(gen_rlimit_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
$(gen_rlimit_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+$(gen_rlimit_h_OBJECTS): LDFLAGS=$(LDFLAGS_FOR_BUILD)
gen_rlimit_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
gen_rlimit_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
gen_rlimit_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_rlimit_h$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD)
rlimittabs.h: gen_rlimit_h Makefile
./gen_rlimit_h --i2s rlimit > $@
@@ -363,9 +413,11 @@
$(gen_schedtabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
$(gen_schedtabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
$(gen_schedtabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+$(gen_schedtabs_h_OBJECTS): LDFLAGS=$(LDFLAGS_FOR_BUILD)
gen_schedtabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
gen_schedtabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
gen_schedtabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_schedtabs_h$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD)
schedtabs.h: gen_schedtabs_h Makefile
./gen_schedtabs_h --i2s sched > $@
@@ -374,9 +426,11 @@
$(gen_seccomptabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
$(gen_seccomptabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
$(gen_seccomptabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+$(gen_seccomptabs_h_OBJECTS): LDFLAGS=$(LDFLAGS_FOR_BUILD)
gen_seccomptabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
gen_seccomptabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
gen_seccomptabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_seccomptabs_h$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD)
seccomptabs.h: gen_seccomptabs_h Makefile
./gen_seccomptabs_h --i2s seccomp > $@
@@ -385,9 +439,11 @@
$(gen_seektabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
$(gen_seektabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
$(gen_seektabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+$(gen_seektabs_h_OBJECTS): LDFLAGS=$(LDFLAGS_FOR_BUILD)
gen_seektabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
gen_seektabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
gen_seektabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_seektabs_h$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD)
seektabs.h: gen_seektabs_h Makefile
./gen_seektabs_h --i2s seek > $@
@@ -396,9 +452,11 @@
$(gen_shm_modetabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
$(gen_shm_modetabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
$(gen_shm_modetabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+$(gen_shm_modetabs_h_OBJECTS): LDFLAGS=$(LDFLAGS_FOR_BUILD)
gen_shm_modetabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
gen_shm_modetabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
gen_shm_modetabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_shm_modetabs_h$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD)
shm_modetabs.h: gen_shm_modetabs_h Makefile
./gen_shm_modetabs_h --i2s-transtab shm_mode > $@
@@ -407,9 +465,11 @@
$(gen_signals_h_OBJECTS): CC=$(CC_FOR_BUILD)
$(gen_signals_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
$(gen_signals_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+$(gen_signals_h_OBJECTS): LDFLAGS=$(LDFLAGS_FOR_BUILD)
gen_signals_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
gen_signals_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
gen_signals_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_signals_h$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD)
signaltabs.h: gen_signals_h Makefile
./gen_signals_h --i2s signal > $@
@@ -418,9 +478,11 @@
$(gen_sockleveltabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
$(gen_sockleveltabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
$(gen_sockleveltabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+$(gen_sockleveltabs_h_OBJECTS): LDFLAGS=$(LDFLAGS_FOR_BUILD)
gen_sockleveltabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
gen_sockleveltabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
gen_sockleveltabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_sockleveltabs_h$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD)
sockleveltabs.h: gen_sockleveltabs_h Makefile
./gen_sockleveltabs_h --i2s socklevel > $@
@@ -429,9 +491,11 @@
$(gen_sockoptnametabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
$(gen_sockoptnametabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
$(gen_sockoptnametabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+$(gen_sockoptnametabs_h_OBJECTS): LDFLAGS=$(LDFLAGS_FOR_BUILD)
gen_sockoptnametabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
gen_sockoptnametabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
gen_sockoptnametabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_sockoptnametabs_h$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD)
sockoptnametabs.h: gen_sockoptnametabs_h Makefile
./gen_sockoptnametabs_h --i2s sockoptname > $@
@@ -440,9 +504,11 @@
$(gen_socktabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
$(gen_socktabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
$(gen_socktabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+$(gen_socktabs_h_OBJECTS): LDFLAGS=$(LDFLAGS_FOR_BUILD)
gen_socktabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
gen_socktabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
gen_socktabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_socktabs_h$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD)
socktabs.h: gen_socktabs_h Makefile
./gen_socktabs_h --i2s sock > $@
@@ -451,9 +517,11 @@
$(gen_socktypetabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
$(gen_socktypetabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
$(gen_socktypetabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+$(gen_socktypetabs_h_OBJECTS): LDFLAGS=$(LDFLAGS_FOR_BUILD)
gen_socktypetabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
gen_socktypetabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
gen_socktypetabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_socktypetabs_h$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD)
socktypetabs.h: gen_socktypetabs_h Makefile
./gen_socktypetabs_h --i2s sock_type > $@
@@ -462,9 +530,11 @@
$(gen_tcpoptnametabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
$(gen_tcpoptnametabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
$(gen_tcpoptnametabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+$(gen_tcpoptnametabs_h_OBJECTS): LDFLAGS=$(LDFLAGS_FOR_BUILD)
gen_tcpoptnametabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
gen_tcpoptnametabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
gen_tcpoptnametabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_tcpoptnametabs_h$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD)
tcpoptnametabs.h: gen_tcpoptnametabs_h Makefile
./gen_tcpoptnametabs_h --i2s tcpoptname > $@
@@ -473,9 +543,11 @@
$(gen_typetabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
$(gen_typetabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
$(gen_typetabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+$(gen_typetabs_h_OBJECTS): LDFLAGS=$(LDFLAGS_FOR_BUILD)
gen_typetabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
gen_typetabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
gen_typetabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_typetabs_h$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD)
typetabs.h: gen_typetabs_h Makefile
./gen_typetabs_h --s2i type > $@
@@ -484,9 +556,11 @@
$(gen_umounttabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
$(gen_umounttabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
$(gen_umounttabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+$(gen_umounttabs_h_OBJECTS): LDFLAGS=$(LDFLAGS_FOR_BUILD)
gen_umounttabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
gen_umounttabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
gen_umounttabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_umounttabs_h$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD)
umounttabs.h: gen_umounttabs_h Makefile
./gen_umounttabs_h --i2s-transtab umount > $@
@@ -495,9 +569,11 @@
$(gen_inethooktabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
$(gen_inethooktabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
$(gen_inethooktabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+$(gen_inethooktabs_h_OBJECTS): LDFLAGS=$(LDFLAGS_FOR_BUILD)
gen_inethooktabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
gen_inethooktabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
gen_inethooktabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_inethooktabs_h$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD)
inethooktabs.h: gen_inethooktabs_h Makefile
./gen_inethooktabs_h --i2s inethook > $@
@@ -506,9 +582,11 @@
$(gen_netactiontabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
$(gen_netactiontabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
$(gen_netactiontabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+$(gen_netactiontabs_h_OBJECTS): LDFLAGS=$(LDFLAGS_FOR_BUILD)
gen_netactiontabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
gen_netactiontabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
gen_netactiontabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_netactiontabs_h$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD)
netactiontabs.h: gen_netactiontabs_h Makefile
./gen_netactiontabs_h --i2s netaction > $@
Index: lib/Makefile.am
===================================================================
--- a/lib/Makefile.am (révision 1290)
+++ b/lib/Makefile.am (copie de travail)
@@ -74,9 +74,11 @@
$(gen_actiontabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
$(gen_actiontabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
$(gen_actiontabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+$(gen_actiontabs_h_OBJECTS): LDFLAGS=$(LDFLAGS_FOR_BUILD)
gen_actiontabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
gen_actiontabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
gen_actiontabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_actiontabs_h$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD)
actiontabs.h: gen_actiontabs_h Makefile
./gen_actiontabs_h --lowercase --i2s --s2i action > $@
@@ -86,9 +88,11 @@
$(gen_alpha_tables_h_OBJECTS): CC=$(CC_FOR_BUILD)
$(gen_alpha_tables_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
$(gen_alpha_tables_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+$(gen_alpha_tables_h_OBJECTS): LDFLAGS=$(LDFLAGS_FOR_BUILD)
gen_alpha_tables_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
gen_alpha_tables_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
gen_alpha_tables_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_alpha_tables_h$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD)
alpha_tables.h: gen_alpha_tables_h Makefile
./gen_alpha_tables_h --lowercase --i2s --s2i alpha_syscall > $@
endif
@@ -99,9 +103,11 @@
$(gen_arm_tables_h_OBJECTS): CC=$(CC_FOR_BUILD)
$(gen_arm_tables_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
$(gen_arm_tables_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+$(gen_arm_tables_h_OBJECTS): LDFLAGS=$(LDFLAGS_FOR_BUILD)
gen_arm_tables_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
gen_arm_tables_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
gen_arm_tables_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_arm_tables_h$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD)
arm_tables.h: gen_arm_tables_h Makefile
./gen_arm_tables_h --lowercase --i2s --s2i arm_syscall > $@
endif
@@ -112,9 +118,11 @@
$(gen_aarch64_tables_h_OBJECTS): CC=$(CC_FOR_BUILD)
$(gen_aarch64_tables_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
$(gen_aarch64_tables_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+$(gen_aarch64_tables_h_OBJECTS): LDFLAGS=$(LDFLAGS_FOR_BUILD)
gen_aarch64_tables_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
gen_aarch64_tables_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
gen_aarch64_tables_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_aarch64_tables_h$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD)
aarch64_tables.h: gen_aarch64_tables_h Makefile
./gen_aarch64_tables_h --lowercase --i2s --s2i aarch64_syscall > $@
endif
@@ -124,9 +132,11 @@
$(gen_errtabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
$(gen_errtabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
$(gen_errtabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+$(gen_errtabs_h_OBJECTS): LDFLAGS=$(LDFLAGS_FOR_BUILD)
gen_errtabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
gen_errtabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
gen_errtabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_errtabs_h$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD)
errtabs.h: gen_errtabs_h Makefile
./gen_errtabs_h --duplicate-ints --uppercase --i2s --s2i err > $@
@@ -135,9 +145,11 @@
$(gen_fieldtabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
$(gen_fieldtabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
$(gen_fieldtabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+$(gen_fieldtabs_h_OBJECTS): LDFLAGS=$(LDFLAGS_FOR_BUILD)
gen_fieldtabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
gen_fieldtabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
gen_fieldtabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_fieldtabs_h$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD)
fieldtabs.h: gen_fieldtabs_h Makefile
./gen_fieldtabs_h --duplicate-ints --lowercase --i2s --s2i field > $@
@@ -146,9 +158,11 @@
$(gen_flagtabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
$(gen_flagtabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
$(gen_flagtabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+$(gen_flagtabs_h_OBJECTS): LDFLAGS=$(LDFLAGS_FOR_BUILD)
gen_flagtabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
gen_flagtabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
gen_flagtabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_flagtabs_h$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD)
flagtabs.h: gen_flagtabs_h Makefile
./gen_flagtabs_h --lowercase --i2s --s2i flag > $@
@@ -157,9 +171,11 @@
$(gen_ftypetabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
$(gen_ftypetabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
$(gen_ftypetabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+$(gen_ftypetabs_h_OBJECTS): LDFLAGS=$(LDFLAGS_FOR_BUILD)
gen_ftypetabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
gen_ftypetabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
gen_ftypetabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_ftypetabs_h$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD)
ftypetabs.h: gen_ftypetabs_h Makefile
./gen_ftypetabs_h --lowercase --i2s --s2i ftype > $@
@@ -168,9 +184,11 @@
$(gen_i386_tables_h_OBJECTS): CC=$(CC_FOR_BUILD)
$(gen_i386_tables_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
$(gen_i386_tables_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+$(gen_i386_tables_h_OBJECTS): LDFLAGS=$(LDFLAGS_FOR_BUILD)
gen_i386_tables_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
gen_i386_tables_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
gen_i386_tables_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_i386_tables_h$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD)
i386_tables.h: gen_i386_tables_h Makefile
./gen_i386_tables_h --duplicate-ints --lowercase --i2s --s2i \
i386_syscall > $@
@@ -180,9 +198,11 @@
$(gen_ia64_tables_h_OBJECTS): CC=$(CC_FOR_BUILD)
$(gen_ia64_tables_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
$(gen_ia64_tables_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+$(gen_ia64_tables_h_OBJECTS): LDFLAGS=$(LDFLAGS_FOR_BUILD)
gen_ia64_tables_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
gen_ia64_tables_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
gen_ia64_tables_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_ia64_tables_h$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD)
ia64_tables.h: gen_ia64_tables_h Makefile
./gen_ia64_tables_h --lowercase --i2s --s2i ia64_syscall > $@
@@ -191,9 +211,11 @@
$(gen_machinetabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
$(gen_machinetabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
$(gen_machinetabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+$(gen_machinetabs_h_OBJECTS): LDFLAGS=$(LDFLAGS_FOR_BUILD)
gen_machinetabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
gen_machinetabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
gen_machinetabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_machinetabs_h$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD)
machinetabs.h: gen_machinetabs_h Makefile
./gen_machinetabs_h --duplicate-ints --lowercase --i2s --s2i machine \
> $@
@@ -203,9 +225,11 @@
$(gen_msg_typetabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
$(gen_msg_typetabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
$(gen_msg_typetabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+$(gen_msg_typetabs_h_OBJECTS): LDFLAGS=$(LDFLAGS_FOR_BUILD)
gen_msg_typetabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
gen_msg_typetabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
gen_msg_typetabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_msg_typetabs_h$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD)
msg_typetabs.h: gen_msg_typetabs_h Makefile
./gen_msg_typetabs_h --uppercase --i2s --s2i msg_type > $@
@@ -214,9 +238,11 @@
$(gen_optabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
$(gen_optabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
$(gen_optabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+$(gen_optabs_h_OBJECTS): LDFLAGS=$(LDFLAGS_FOR_BUILD)
gen_optabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
gen_optabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
gen_optabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_optabs_h$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD)
optabs.h: gen_optabs_h Makefile
./gen_optabs_h --i2s op > $@
@@ -225,9 +251,11 @@
$(gen_ppc_tables_h_OBJECTS): CC=$(CC_FOR_BUILD)
$(gen_ppc_tables_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
$(gen_ppc_tables_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+$(gen_ppc_tables_h_OBJECTS): LDFLAGS=$(LDFLAGS_FOR_BUILD)
gen_ppc_tables_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
gen_ppc_tables_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
gen_ppc_tables_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_ppc_tables_h$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD)
ppc_tables.h: gen_ppc_tables_h Makefile
./gen_ppc_tables_h --lowercase --i2s --s2i ppc_syscall > $@
@@ -236,9 +264,11 @@
$(gen_s390_tables_h_OBJECTS): CC=$(CC_FOR_BUILD)
$(gen_s390_tables_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
$(gen_s390_tables_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+$(gen_s390_tables_h_OBJECTS): LDFLAGS=$(LDFLAGS_FOR_BUILD)
gen_s390_tables_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
gen_s390_tables_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
gen_s390_tables_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_s390_tables_h$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD)
s390_tables.h: gen_s390_tables_h Makefile
./gen_s390_tables_h --lowercase --i2s --s2i s390_syscall > $@
@@ -247,9 +277,11 @@
$(gen_s390x_tables_h_OBJECTS): CC=$(CC_FOR_BUILD)
$(gen_s390x_tables_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
$(gen_s390x_tables_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+$(gen_s390x_tables_h_OBJECTS): LDFLAGS=$(LDFLAGS_FOR_BUILD)
gen_s390x_tables_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
gen_s390x_tables_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
gen_s390x_tables_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_s390x_tables_h$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD)
s390x_tables.h: gen_s390x_tables_h Makefile
./gen_s390x_tables_h --lowercase --i2s --s2i s390x_syscall > $@
@@ -258,8 +290,10 @@
$(gen_x86_64_tables_h_OBJECTS): CC=$(CC_FOR_BUILD)
$(gen_x86_64_tables_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
$(gen_x86_64_tables_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+$(gen_x86_64_tables_h_OBJECTS): LDFLAGS=$(LDFLAGS_FOR_BUILD)
gen_x86_64_tables_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
gen_x86_64_tables_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
gen_x86_64_tables_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_x86_64_tables_h$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD)
x86_64_tables.h: gen_x86_64_tables_h Makefile
./gen_x86_64_tables_h --lowercase --i2s --s2i x86_64_syscall > $@
[-- Attachment #3: Type: text/plain, Size: 0 bytes --]
^ permalink raw reply
* Re: Report Double Fetch Bug Found in Linux-4.6.1/kernel/auditsc.c
From: Paul Moore @ 2016-06-27 21:45 UTC (permalink / raw)
To: Pengfei Wang, Richard Guy Briggs
Cc: security@kernel.org, Krinke, Jens, Oleg Nesterov, Andy Lutomirski,
linux-audit, Ben Hutchings
In-Reply-To: <C7DA39EF-4929-43A2-8732-D66A701791C6@gmail.com>
On Wed, Jun 22, 2016 at 5:57 AM, Pengfei Wang <wpengfeinudt@gmail.com> wrote:
> Agreed, buffer the string at the first round and use it instead of recopying
> it a second time from user space would keep it safe, which is the easiest way I
> think. Please fix it, thanks!
FYI: I've created a new issue on GitHub to track this:
* https://github.com/linux-audit/audit-kernel/issues/18
--
paul moore
www.paul-moore.com
^ permalink raw reply
* Re: [PATCH v4] audit: add fields to exclude filter by reusing user filter
From: Richard Guy Briggs @ 2016-06-27 21:12 UTC (permalink / raw)
To: Paul Moore; +Cc: linux-audit, linux-kernel
In-Reply-To: <CAHC9VhQ1S3acaGOZJ1MXp-eZLQ0XOFjSAr1+9NYqui-cny9iAQ@mail.gmail.com>
On 2016-06-27 11:18, Paul Moore wrote:
> On Fri, Jun 24, 2016 at 4:35 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
> > RFE: add additional fields for use in audit filter exclude rules
> > https://github.com/linux-audit/audit-kernel/issues/5
> >
> > Re-factor and combine audit_filter_type() with audit_filter_user() to
> > use audit_filter_user_rules() to enable the exclude filter to
> > additionally filter on PID, UID, GID, AUID, LOGINUID_SET, SUBJ_*.
> >
> > The process of combining the similar audit_filter_user() and
> > audit_filter_type() functions, required inverting the meaning and
> > including the ALWAYS action of the latter.
> >
> > Include audit_filter_user_rules() into audit_filter(), removing unneeded
> > logic in the process.
> >
> > Keep the check to quit early if the list is empty.
> >
> > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> > ---
> > v4: rebase on 4.6-based audit/next.
> >
> > v3: pull audit_filter_user_rules() into audit_filter() and simplify
> > logic.
> >
> > v2: combine audit_filter_user() and audit_filter_type() into
> > audit_filter().
> > ---
> > include/linux/audit.h | 2 -
> > kernel/audit.c | 4 +-
> > kernel/audit.h | 2 +
> > kernel/auditfilter.c | 151 +++++++++++++++++--------------------------------
> > 4 files changed, 57 insertions(+), 102 deletions(-)
>
> Merged, thanks. Please remember to run scripts/checkpatch.pl on your
> submissions, I had to fix up a couple of whitespace damaged lines.
Oops, sorry, thanks for the touch-ups.
> > diff --git a/include/linux/audit.h b/include/linux/audit.h
> > index e38e3fc..9d4443f 100644
> > --- a/include/linux/audit.h
> > +++ b/include/linux/audit.h
> > @@ -163,8 +163,6 @@ extern void audit_log_task_info(struct audit_buffer *ab,
> > extern int audit_update_lsm_rules(void);
> >
> > /* Private API (for audit.c only) */
> > -extern int audit_filter_user(int type);
> > -extern int audit_filter_type(int type);
> > extern int audit_rule_change(int type, __u32 portid, int seq,
> > void *data, size_t datasz);
> > extern int audit_list_rules_send(struct sk_buff *request_skb, int seq);
> > diff --git a/kernel/audit.c b/kernel/audit.c
> > index 678c3f0..994588e 100644
> > --- a/kernel/audit.c
> > +++ b/kernel/audit.c
> > @@ -934,7 +934,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
> > if (!audit_enabled && msg_type != AUDIT_USER_AVC)
> > return 0;
> >
> > - err = audit_filter_user(msg_type);
> > + err = audit_filter(msg_type, AUDIT_FILTER_USER);
> > if (err == 1) { /* match or error */
> > err = 0;
> > if (msg_type == AUDIT_USER_TTY) {
> > @@ -1382,7 +1382,7 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
> > if (audit_initialized != AUDIT_INITIALIZED)
> > return NULL;
> >
> > - if (unlikely(audit_filter_type(type)))
> > + if (unlikely(!audit_filter(type, AUDIT_FILTER_TYPE)))
> > return NULL;
> >
> > if (gfp_mask & __GFP_DIRECT_RECLAIM) {
> > diff --git a/kernel/audit.h b/kernel/audit.h
> > index cbbe6bb..1879f02 100644
> > --- a/kernel/audit.h
> > +++ b/kernel/audit.h
> > @@ -327,6 +327,8 @@ extern pid_t audit_sig_pid;
> > extern kuid_t audit_sig_uid;
> > extern u32 audit_sig_sid;
> >
> > +extern int audit_filter(int msgtype, unsigned int listtype);
> > +
> > #ifdef CONFIG_AUDITSYSCALL
> > extern int __audit_signal_info(int sig, struct task_struct *t);
> > static inline int audit_signal_info(int sig, struct task_struct *t)
> > diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
> > index ff59a5e..3a67acf 100644
> > --- a/kernel/auditfilter.c
> > +++ b/kernel/auditfilter.c
> > @@ -1290,117 +1290,72 @@ int audit_compare_dname_path(const char *dname, const char *path, int parentlen)
> > return strncmp(p, dname, dlen);
> > }
> >
> > -static int audit_filter_user_rules(struct audit_krule *rule, int type,
> > - enum audit_state *state)
> > -{
> > - int i;
> > -
> > - for (i = 0; i < rule->field_count; i++) {
> > - struct audit_field *f = &rule->fields[i];
> > - pid_t pid;
> > - int result = 0;
> > - u32 sid;
> > -
> > - switch (f->type) {
> > - case AUDIT_PID:
> > - pid = task_pid_nr(current);
> > - result = audit_comparator(pid, f->op, f->val);
> > - break;
> > - case AUDIT_UID:
> > - result = audit_uid_comparator(current_uid(), f->op, f->uid);
> > - break;
> > - case AUDIT_GID:
> > - result = audit_gid_comparator(current_gid(), f->op, f->gid);
> > - break;
> > - case AUDIT_LOGINUID:
> > - result = audit_uid_comparator(audit_get_loginuid(current),
> > - f->op, f->uid);
> > - break;
> > - case AUDIT_LOGINUID_SET:
> > - result = audit_comparator(audit_loginuid_set(current),
> > - f->op, f->val);
> > - break;
> > - case AUDIT_MSGTYPE:
> > - result = audit_comparator(type, f->op, f->val);
> > - break;
> > - case AUDIT_SUBJ_USER:
> > - case AUDIT_SUBJ_ROLE:
> > - case AUDIT_SUBJ_TYPE:
> > - case AUDIT_SUBJ_SEN:
> > - case AUDIT_SUBJ_CLR:
> > - if (f->lsm_rule) {
> > - security_task_getsecid(current, &sid);
> > - result = security_audit_rule_match(sid,
> > - f->type,
> > - f->op,
> > - f->lsm_rule,
> > - NULL);
> > - }
> > - break;
> > - }
> > -
> > - if (result <= 0)
> > - return result;
> > - }
> > - switch (rule->action) {
> > - case AUDIT_NEVER:
> > - *state = AUDIT_DISABLED;
> > - break;
> > - case AUDIT_ALWAYS:
> > - *state = AUDIT_RECORD_CONTEXT;
> > - break;
> > - }
> > - return 1;
> > -}
> > -
> > -int audit_filter_user(int type)
> > -{
> > - enum audit_state state = AUDIT_DISABLED;
> > - struct audit_entry *e;
> > - int rc, ret;
> > -
> > - ret = 1; /* Audit by default */
> > -
> > - rcu_read_lock();
> > - list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) {
> > - rc = audit_filter_user_rules(&e->rule, type, &state);
> > - if (rc) {
> > - if (rc > 0 && state == AUDIT_DISABLED)
> > - ret = 0;
> > - break;
> > - }
> > - }
> > - rcu_read_unlock();
> > -
> > - return ret;
> > -}
> > -
> > -int audit_filter_type(int type)
> > +int audit_filter(int msgtype, unsigned int listtype)
> > {
> > struct audit_entry *e;
> > - int result = 0;
> > + int ret = 1; /* Audit by default */
> >
> > rcu_read_lock();
> > - if (list_empty(&audit_filter_list[AUDIT_FILTER_TYPE]))
> > + if (list_empty(&audit_filter_list[listtype]))
> > goto unlock_and_return;
> > + list_for_each_entry_rcu(e, &audit_filter_list[listtype], list) {
> > + int i, result = 0;
> >
> > - list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TYPE],
> > - list) {
> > - int i;
> > for (i = 0; i < e->rule.field_count; i++) {
> > struct audit_field *f = &e->rule.fields[i];
> > - if (f->type == AUDIT_MSGTYPE) {
> > - result = audit_comparator(type, f->op, f->val);
> > - if (!result)
> > - break;
> > + pid_t pid;
> > + u32 sid;
> > +
> > + switch (f->type) {
> > + case AUDIT_PID:
> > + pid = task_pid_nr(current);
> > + result = audit_comparator(pid, f->op, f->val);
> > + break;
> > + case AUDIT_UID:
> > + result = audit_uid_comparator(current_uid(), f->op, f->uid);
> > + break;
> > + case AUDIT_GID:
> > + result = audit_gid_comparator(current_gid(), f->op, f->gid);
> > + break;
> > + case AUDIT_LOGINUID:
> > + result = audit_uid_comparator(audit_get_loginuid(current),
> > + f->op, f->uid);
> > + break;
> > + case AUDIT_LOGINUID_SET:
> > + result = audit_comparator(audit_loginuid_set(current),
> > + f->op, f->val);
> > + break;
> > + case AUDIT_MSGTYPE:
> > + result = audit_comparator(msgtype, f->op, f->val);
> > + break;
> > + case AUDIT_SUBJ_USER:
> > + case AUDIT_SUBJ_ROLE:
> > + case AUDIT_SUBJ_TYPE:
> > + case AUDIT_SUBJ_SEN:
> > + case AUDIT_SUBJ_CLR:
> > + if (f->lsm_rule) {
> > + security_task_getsecid(current, &sid);
> > + result = security_audit_rule_match(sid,
> > + f->type, f->op, f->lsm_rule, NULL);
> > + }
> > + break;
> > + default:
> > + goto unlock_and_return;
> > }
> > + if (result < 0) /* error */
> > + goto unlock_and_return;
> > + if (!result)
> > + break;
> > + }
> > + if (result > 0) {
> > + if (e->rule.action == AUDIT_NEVER || listtype == AUDIT_FILTER_TYPE)
> > + ret = 0;
> > + break;
> > }
> > - if (result)
> > - goto unlock_and_return;
> > }
> > unlock_and_return:
> > rcu_read_unlock();
> > - return result;
> > + return ret;
> > }
> >
> > static int update_lsm_rule(struct audit_krule *r)
> > --
> > 1.7.1
>
> paul moore
- RGB
--
Richard Guy Briggs <rgb@redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
^ permalink raw reply
* Reset the LDFLAGS and building helper executables
From: Laurent Bigonville @ 2016-06-27 20:08 UTC (permalink / raw)
To: linux-audit@redhat.com
Hello,
When enabling the hardening flags on debian (adding bindnow and PIE) I
get the following message:
gcc -DHAVE_CONFIG_H -I. -I../../../lib -I.. -I. -I../../..
-I../../../auparse '-DTABLE_H="actiontab.h"' -g -O2 -c -o
gen_actiontabs_h-gen_tables.o `test -f 'gen_tables.c' || echo
'../../../lib/'`gen_tables.c
/bin/bash ../libtool --tag=CC --mode=link gcc
'-DTABLE_H="actiontab.h"' -g -O2 -fPIE -pie -Wl,-z,relro -Wl,-z,now
-Wl,--as-needed -o gen_actiontabs_h gen_actiontabs_h-gen_tables.o
libtool: link: gcc -DTABLE_H=\"actiontab.h\" -g -O2 -fPIE -pie -Wl,-z
-Wl,relro -Wl,-z -Wl,now -Wl,--as-needed -o gen_actiontabs_h
gen_actiontabs_h-gen_tables.o
/usr/bin/ld: gen_actiontabs_h-gen_tables.o: relocation R_X86_64_32
against `.rodata.str1.1' can not be used when making a shared object;
recompile with -fPIC
gen_actiontabs_h-gen_tables.o: error adding symbols: Bad value
collect2: error: ld returned 1 exit status
Looking that build system, it seems that CFLAGS and CPPFLAGS for these
executables are overriden in lib/Makefile.am and auparse/Makefile.am
(with CFLAGS_FOR_BUILD and CPPFLAGS_FOR_BUILD) but the LDFLAGS are left
untouched.
Shouldn't the LDFLAGS also be reset when building these executables?
Regards,
Laurent Bigonville
^ permalink raw reply
* Re: [PATCH] audit: catch errors from audit_filter_rules field checks
From: Paul Moore @ 2016-06-27 19:58 UTC (permalink / raw)
To: Richard Guy Briggs; +Cc: linux-audit, linux-kernel
In-Reply-To: <CAHC9VhSdBr8oNCSYVHm0=DD=484SYw-CAK5-92Hf9uRm4Bj2cw@mail.gmail.com>
On Thu, Jun 16, 2016 at 5:07 PM, Paul Moore <paul@paul-moore.com> wrote:
> On Tue, Jun 14, 2016 at 5:03 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
>> In the case of an error returned from a field check in an audit filter
>> syscall rule, it is treated as a match and the rule action is honoured.
>>
>> This could cause a rule with a default of NEVER and an selinux field
>> check error to avoid logging.
>>
>> Recommend matching with an action of ALWAYS to catch malicious abuse of
>> this bug. The downside of this approach is it could DoS the audit
>> subsystem.
>
> I understand your concern about the DoS, but in reality it is no worse
> than if no audit filter rules were configured, yes?
Just following up on this since I don't recall seeing a response ...
>> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
>> ---
>> kernel/auditsc.c | 4 ++++
>> 1 files changed, 4 insertions(+), 0 deletions(-)
>>
>> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
>> index 71e14d8..6123672 100644
>> --- a/kernel/auditsc.c
>> +++ b/kernel/auditsc.c
>> @@ -683,6 +683,10 @@ static int audit_filter_rules(struct task_struct *tsk,
>> }
>> if (!result)
>> return 0;
>> + if (result < 0) {
>> + *state = AUDIT_RECORD_CONTEXT;
>> + return 1;
>> + }
>> }
>>
>> if (ctx) {
>
> --
> paul moore
> www.paul-moore.com
--
paul moore
www.paul-moore.com
^ permalink raw reply
page: next (older) | prev (newer) | latest
- recent:[subjects (threaded)|topics (new)|topics (active)]
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox