Linux-audit Archive on lore.kernel.org
* Re: [GIT PULL] [PATCH v4 00/26] Delete CURRENT_TIME and CURRENT_TIME_SEC macros
From: Greg KH @ 2016-08-15 16:23 UTC (permalink / raw)
  To: Deepa Dinamani
  Cc: shaggy-DgEjT+Ai2ygdnm+yROfE0A,
	jfs-discussion-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f,
	trond.myklebust-7I+n7zu2hftEKMMhf/gKZA,
	adrian.hunter-ral2JQCrhuEAvxtiuMwx3w, clm-b10kYP2dOMg,
	adilger.kernel-m1MBpc4rdrD3fQ9qLvQP4Q,
	buchino-FYB4Gu1CFyUAvxtiuMwx3w, tglx-hfZtesqFncYOwBW4kG4KsQ,
	zyan-H+wXaHxf7aLQT0dZR+AlfA,
	jejb-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8,
	paul-r2n+y4ga6xFZroRs9YW3xA, linux-scsi-u79uwXL29TY76Z2rM5mHXA,
	y2038-cunTk1MwBs8s++Sfvej+rw, idryomov-Re5JQEeQqe8AvxtiuMwx3w,
	linux-ext4-u79uwXL29TY76Z2rM5mHXA,
	cm224.lee-Sze3O3UU22JBDgjK7y7TUQ, dushistov-JGs/UdohzUI,
	arnd-r2nGTMty4D4, mfasheh-IBi9RG/b67k,
	sramars-FYB4Gu1CFyUAvxtiuMwx3w,
	john.stultz-QSEj5FYQhm4dnm+yROfE0A,
	viro-RmSDqhL/yNMiFSDQTTA3OLVCufUGDwFn, dsterba-IBi9RG/b67k,
	jaegeuk-DgEjT+Ai2ygdnm+yROfE0A, ceph-devel-u79uwXL29TY76Z2rM5mHXA,
	linux-nfs-u79uwXL29TY76Z2rM5mHXA, elder-DgEjT+Ai2ygdnm+yROfE0A,
	tytso-3s7WtUTddSA, sage-H+wXaHxf7aLQT0dZR+AlfA,
	martin.petersen-QHcLZuEGTsvQT0dZR+AlfA,
	dedekind1-Re5JQEeQqe8AvxtiuMwx3w, jbacik-b10kYP2dOMg,
	hiralpat-FYB4Gu1CFyUAvxtiuMwx3w,
	linux-kernel-u79uwXL29TY76Z2rM5mHXA,
	eparis-H+wXaHxf7aLQT0dZR+AlfA,
	linux-f2fs-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f,
	sfrench-eUNUBHrolfbYtjvyW6yDsg,
	linux-audit-H+wXaHxf7aLQT0dZR+AlfA,
	ocfs2-devel-N0ozoZBvEnonbStXaT1jcA
In-Reply-To: <1471128518-24075-1-git-send-email-deepa.kernel-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>

On Sat, Aug 13, 2016 at 03:48:12PM -0700, Deepa Dinamani wrote:
> The series is aimed at getting rid of the CURRENT_TIME and CURRENT_TIME_SEC macros.
> The macros are not y2038 safe. There is no plan to transition them into being
> y2038 safe.
> The ktime_get_* APIs can be used in their place, and these are y2038 safe.

Who are you expecting to pull this huge patch series?

Why not just introduce the new api call, wait for that to be merged, and
then push the individual patches through the different subsystems?
After half of those get ignored, then provide a single set of patches
that can go through Andrew or my trees.

thanks,

greg k-h


* [PATCH v4 19/26] audit: Use timespec64 to represent audit timestamps
From: Deepa Dinamani @ 2016-08-13 22:48 UTC (permalink / raw)
  To: linux-fsdevel, linux-kernel
  Cc: tytso, Paul Moore, arnd, y2038, Eric Paris, Richard Guy Briggs,
	linux-audit, viro, tglx, torvalds
In-Reply-To: <1471128518-24075-1-git-send-email-deepa.kernel@gmail.com>

struct timespec is not y2038 safe.
Audit timestamps are recorded in string format into
an audit buffer for a given context.
These mark the entry timestamps for the syscalls.
Use the y2038 safe struct timespec64 to represent the times.
The log strings can handle this transition, as strings can
hold up to 1024 characters.

Signed-off-by: Deepa Dinamani <deepa.kernel@gmail.com>
Reviewed-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Paul Moore <paul@paul-moore.com>
Acked-by: Richard Guy Briggs <rgb@redhat.com>
Cc: Eric Paris <eparis@redhat.com>
Cc: Paul Moore <paul@paul-moore.com>
Cc: Richard Guy Briggs <rgb@redhat.com>
Cc: linux-audit@redhat.com
---
 include/linux/audit.h |  4 ++--
 kernel/audit.c        | 10 +++++-----
 kernel/audit.h        |  2 +-
 kernel/auditsc.c      |  6 +++---
 4 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/include/linux/audit.h b/include/linux/audit.h
index 9d4443f..e51782b 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -332,7 +332,7 @@ static inline void audit_ptrace(struct task_struct *t)
 				/* Private API (for audit.c only) */
 extern unsigned int audit_serial(void);
 extern int auditsc_get_stamp(struct audit_context *ctx,
-			      struct timespec *t, unsigned int *serial);
+			      struct timespec64 *t, unsigned int *serial);
 extern int audit_set_loginuid(kuid_t loginuid);
 
 static inline kuid_t audit_get_loginuid(struct task_struct *tsk)
@@ -490,7 +490,7 @@ static inline void __audit_seccomp(unsigned long syscall, long signr, int code)
 static inline void audit_seccomp(unsigned long syscall, long signr, int code)
 { }
 static inline int auditsc_get_stamp(struct audit_context *ctx,
-			      struct timespec *t, unsigned int *serial)
+			      struct timespec64 *t, unsigned int *serial)
 {
 	return 0;
 }
diff --git a/kernel/audit.c b/kernel/audit.c
index a8a91bd..b03b6c7 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1325,10 +1325,10 @@ unsigned int audit_serial(void)
 }
 
 static inline void audit_get_stamp(struct audit_context *ctx,
-				   struct timespec *t, unsigned int *serial)
+				   struct timespec64 *t, unsigned int *serial)
 {
 	if (!ctx || !auditsc_get_stamp(ctx, t, serial)) {
-		*t = CURRENT_TIME;
+		ktime_get_real_ts64(t);
 		*serial = audit_serial();
 	}
 }
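Review bot: `ktime_get_real_ts64()` samples CLOCK_REALTIME, the same wall clock `CURRENT_TIME` read, so the context-less fallback keeps its timestamp source and only widens `tv_sec`; the commit message should say explicitly that this is a pure type change with no change of clock, because audit consumers correlate these stamps with other CLOCK_REALTIME records. The fallback still draws a fresh serial from `audit_serial()`, so two records stamped within the same millisecond remain distinguishable.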
@@ -1370,7 +1370,7 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
 				     int type)
 {
 	struct audit_buffer	*ab	= NULL;
-	struct timespec		t;
+	struct timespec64	t;
 	unsigned int		uninitialized_var(serial);
 	int reserve = 5; /* Allow atomic callers to go up to five
 			    entries over the normal backlog limit */
@@ -1422,8 +1422,8 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
 
 	audit_get_stamp(ab->ctx, &t, &serial);
 
-	audit_log_format(ab, "audit(%lu.%03lu:%u): ",
-			 t.tv_sec, t.tv_nsec/1000000, serial);
+	audit_log_format(ab, "audit(%llu.%03lu:%u): ",
+			 (unsigned long long)t.tv_sec, t.tv_nsec/1000000, serial);
 	return ab;
 }
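Review bot: the `(unsigned long long)` cast with `%llu` is required rather than cosmetic: `timespec64.tv_sec` is `time64_t`, which is 64-bit on 32-bit architectures as well, where the old `%lu` would now be a type mismatch; `tv_nsec` stays `long`, so `%03lu` for the millisecond field is still correct. The rendered `audit(<sec>.<msec>:<serial>): ` prefix is byte-for-byte unchanged for current dates, so auditd and ausearch parsing is unaffected, and after 2038 the seconds field simply keeps counting past 2^31 instead of going negative.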
 
diff --git a/kernel/audit.h b/kernel/audit.h
index 431444c..55d1ca2 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -112,7 +112,7 @@ struct audit_context {
 	enum audit_state    state, current_state;
 	unsigned int	    serial;     /* serial number for record */
 	int		    major;      /* syscall number */
-	struct timespec	    ctime;      /* time of syscall entry */
+	struct timespec64   ctime;      /* time of syscall entry */
 	unsigned long	    argv[4];    /* syscall arguments */
 	long		    return_code;/* syscall return code */
 	u64		    prio;
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 5abf1dc..8dc7fe9 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1522,7 +1522,7 @@ void __audit_syscall_entry(int major, unsigned long a1, unsigned long a2,
 		return;
 
 	context->serial     = 0;
-	context->ctime      = CURRENT_TIME;
+	ktime_get_real_ts64(&context->ctime);
 	context->in_syscall = 1;
 	context->current_state  = state;
 	context->ppid       = 0;
@@ -1931,13 +1931,13 @@ EXPORT_SYMBOL_GPL(__audit_inode_child);
 /**
  * auditsc_get_stamp - get local copies of audit_context values
  * @ctx: audit_context for the task
- * @t: timespec to store time recorded in the audit_context
+ * @t: timespec64 to store time recorded in the audit_context
  * @serial: serial value that is recorded in the audit_context
  *
  * Also sets the context as auditable.
  */
 int auditsc_get_stamp(struct audit_context *ctx,
-		       struct timespec *t, unsigned int *serial)
+		       struct timespec64 *t, unsigned int *serial)
 {
 	if (!ctx->in_syscall)
 		return 0;
-- 
1.9.1

_______________________________________________
Y2038 mailing list
Y2038@lists.linaro.org
https://lists.linaro.org/mailman/listinfo/y2038
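As an added example (not part of the patch or of the kernel's own code), the `audit(<sec>.<msec>:<serial>): ` prefix that kernel/audit.c renders, mirrored in user space: a formatter matching the new `%llu` format, a parser that log-processing tooling can use to recover the seconds and serial from a record line, and a check that shows why a signed 32-bit seconds field stops working in 2038. The `stamp64` struct and the function names are assumptions made for this example; the log lines are constructed, not captured.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed user-space mirror of the kernel's struct timespec64 used in the
 * patch: 64-bit seconds, long nanoseconds. */
struct stamp64 {
	int64_t tv_sec;
	long tv_nsec;
};

/* Render the record prefix the way kernel/audit.c does after the patch:
 * "audit(<sec>.<msec>:<serial>): ", with the seconds printed through an
 * unsigned long long cast. Returns the number of bytes written, or -1
 * if buf is too small. */
int format_audit_stamp(const struct stamp64 *t, unsigned int serial,
		       char *buf, size_t len)
{
	int n = snprintf(buf, len, "audit(%llu.%03lu:%u): ",
			 (unsigned long long)t->tv_sec,
			 (unsigned long)(t->tv_nsec / 1000000), serial);

	if (n < 0 || (size_t)n >= len)
		return -1;
	return n;
}

/* Recover seconds, milliseconds and serial from a record line. Accepts
 * both the raw kernel form "audit(...)" and auditd's
 * "type=... msg=audit(...)" form. Returns 0 on success, -1 when no
 * well-formed header is present. */
int parse_audit_stamp(const char *line, uint64_t *sec, unsigned int *msec,
		      unsigned int *serial)
{
	const char *p = strstr(line, "audit(");
	unsigned long long s;
	unsigned int m, ser;
	int consumed = 0;

	if (!p)
		return -1;
	/* %n records how far a full match got; it stays 0 if the closing
	 * "):" is missing, which rejects truncated headers. */
	if (sscanf(p, "audit(%llu.%3u:%u):%n", &s, &m, &ser, &consumed) != 3 ||
	    consumed == 0)
		return -1;
	*sec = s;
	*msec = m;
	*serial = ser;
	return 0;
}

/* The hazard the patch removes: returns 1 if sec would survive a signed
 * 32-bit time_t, 0 if it would overflow (everything from
 * 2038-01-19 03:14:08 UTC onwards). */
int fits_32bit_time_t(uint64_t sec)
{
	return sec <= (uint64_t)INT32_MAX;
}

int main(void)
{
	/* Constructed sample: one second past the 32-bit rollover. */
	struct stamp64 t = { .tv_sec = (int64_t)INT32_MAX + 1,
			     .tv_nsec = 123456789 };
	char buf[64];
	uint64_t sec;
	unsigned int msec, serial;

	if (format_audit_stamp(&t, 42, buf, sizeof buf) < 0)
		return 1;
	printf("%s fits 32-bit time_t: %d\n", buf,
	       fits_32bit_time_t((uint64_t)t.tv_sec));

	/* Constructed auditd-style line, not captured from a real system. */
	if (parse_audit_stamp("type=SYSCALL msg=audit(1471128518.456:7): "
			      "arch=c000003e syscall=59",
			      &sec, &msec, &serial) == 0)
		printf("sec=%" PRIu64 " msec=%u serial=%u\n", sec, msec, serial);
	return 0;
}
```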


* [GIT PULL] [PATCH v4 00/26] Delete CURRENT_TIME and CURRENT_TIME_SEC macros
From: Deepa Dinamani @ 2016-08-13 22:48 UTC (permalink / raw)
  To: linux-fsdevel-u79uwXL29TY76Z2rM5mHXA,
	linux-kernel-u79uwXL29TY76Z2rM5mHXA
  Cc: shaggy-DgEjT+Ai2ygdnm+yROfE0A,
	jfs-discussion-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f,
	trond.myklebust-7I+n7zu2hftEKMMhf/gKZA, clm-b10kYP2dOMg,
	adilger.kernel-m1MBpc4rdrD3fQ9qLvQP4Q,
	buchino-FYB4Gu1CFyUAvxtiuMwx3w, tglx-hfZtesqFncYOwBW4kG4KsQ,
	zyan-H+wXaHxf7aLQT0dZR+AlfA,
	jejb-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8,
	paul-r2n+y4ga6xFZroRs9YW3xA, linux-scsi-u79uwXL29TY76Z2rM5mHXA,
	y2038-cunTk1MwBs8s++Sfvej+rw, idryomov-Re5JQEeQqe8AvxtiuMwx3w,
	linux-ext4-u79uwXL29TY76Z2rM5mHXA,
	cm224.lee-Sze3O3UU22JBDgjK7y7TUQ, dushistov-JGs/UdohzUI,
	arnd-r2nGTMty4D4, mfasheh-IBi9RG/b67k,
	sramars-FYB4Gu1CFyUAvxtiuMwx3w,
	john.stultz-QSEj5FYQhm4dnm+yROfE0A,
	viro-RmSDqhL/yNMiFSDQTTA3OLVCufUGDwFn, dsterba-IBi9RG/b67k,
	jaegeuk-DgEjT+Ai2ygdnm+yROfE0A, ceph-devel-u79uwXL29TY76Z2rM5mHXA,
	linux-nfs-u79uwXL29TY76Z2rM5mHXA, elder-DgEjT+Ai2ygdnm+yROfE0A,
	tytso-3s7WtUTddSA, sage-H+wXaHxf7aLQT0dZR+AlfA,
	martin.petersen-QHcLZuEGTsvQT0dZR+AlfA,
	dedekind1-Re5JQEeQqe8AvxtiuMwx3w, jbacik-b10kYP2dOMg,
	gregkh-hQyY1W1yCW8ekmWlsbkhG0B+6BGkLq7r,
	hiralpat-FYB4Gu1CFyUAvxtiuMwx3w,
	adrian.hunter-ral2JQCrhuEAvxtiuMwx3w,
	eparis-H+wXaHxf7aLQT0dZR+AlfA,
	linux-f2fs-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f,
	sfrench-eUNUBHrolfbYtjvyW6yDsg,
	linux-audit-H+wXaHxf7aLQT0dZR+AlfA,
	ocfs2-devel-N0ozoZBvEnrZJqsBc5GL+g

The series is aimed at getting rid of the CURRENT_TIME and CURRENT_TIME_SEC macros.
The macros are not y2038 safe. There is no plan to transition them into being
y2038 safe.
The ktime_get_* APIs can be used in their place, and these are y2038 safe.

Thanks to Arnd Bergmann for all the guidance and discussions.

Patches 2-4 were mostly generated using coccinelle scripts.

All filesystem timestamps use current_fs_time() for the right granularity, as
mentioned in the respective commit texts of the patches. This has a changed
signature, is renamed to current_time(), and is moved to fs/inode.c.

This series also serves as a preparatory series to transition vfs to 64 bit
timestamps as outlined here: https://lkml.org/lkml/2016/2/12/104 .

As per Linus's suggestion in https://lkml.org/lkml/2016/5/24/663 , all the
inode timestamp changes have been squashed into a single patch. Also,
current_time() is now used as the single generic vfs filesystem timestamp api.
It also takes struct inode* as its argument instead of struct super_block*.
All patches are posted together in a bigger series so that the big picture is
clear.

As per the suggestion in https://lwn.net/Articles/672598/, CURRENT_TIME macro
bug fixes are being handled in a series separate from transitioning vfs to
use 64 bit timestamps.

Changes from v3:
* Rebased to 4.8-rc1 to avoid merge conflicts.
* Added CURRENT_TIME deletion and fnic patches back as time64_to_tm() is merged.
* Rearranged a couple of instances of CURRENT_TIME.

Changes from v2:
* Fix buildbot error for uninitialized sb in inode.
* Minor fixes according to Arnd's comments.
* Leave out the fnic and deletion of CURRENT_TIME to be submitted after 4.8 rc1.

Changes from v1:
* Change current_fs_time(struct super_block *) to current_time(struct inode *).
* Note that change to add time64_to_tm() is already part of John's
  kernel tree: https://lkml.org/lkml/2016/6/17/875 .

---------------------------------------------------------------

The following changes since commit 09f0834105f7fe315ddaeb77fad15f00565c167e:

  Add linux-next specific files for 20160809 (2016-08-09 13:48:00 +1000)

are available in the git repository at:

  https://github.com/deepa-hub/vfs current_time-v4.8-rc1

for you to fetch changes up to 050e25f5112626e228b742ed219314abc409a70f:

  time: Delete CURRENT_TIME_SEC and CURRENT_TIME (2016-08-13 13:44:41 -0700)

----------------------------------------------------------------
Deepa Dinamani (26):
  vfs: Add current_time() api
  fs: proc: Delete inode time initializations in proc_alloc_inode()
  fs: Replace CURRENT_TIME with current_time() for inode timestamps
  fs: Replace CURRENT_TIME_SEC with current_time() for inode timestamps
  fs: Replace current_fs_time() with current_time()
  fs: ufs: Use ktime_get_real_ts64() for birthtime
  fs: jfs: Replace CURRENT_TIME_SEC by current_time()
  fs: ext4: Use current_time() for inode timestamps
  fs: ubifs: Replace CURRENT_TIME_SEC with current_time
  fs: btrfs: Use ktime_get_real_ts for root ctime
  fs: udf: Replace CURRENT_TIME with current_time()
  fs: cifs: Replace CURRENT_TIME by current_time()
  fs: cifs: Replace CURRENT_TIME with ktime_get_real_ts()
  fs: cifs: Replace CURRENT_TIME by get_seconds
  fs: f2fs: Use ktime_get_real_seconds for sit_info times
  drivers: staging: lustre: Replace CURRENT_TIME with current_time()
  fs: ocfs2: Use time64_t to represent orphan scan times
  fs: ocfs2: Replace CURRENT_TIME macro
  audit: Use timespec64 to represent audit timestamps
  fs: nfs: Make nfs boot time y2038 safe
  block: Replace CURRENT_TIME with ktime_get_real_ts
  libceph: Replace CURRENT_TIME with ktime_get_real_ts
  fs: ceph: Replace current_fs_time for request stamp
  fnic: Use time64_t to represent trace timestamps
  time: Delete current_fs_time() function
  time: Delete CURRENT_TIME_SEC and CURRENT_TIME

 arch/powerpc/platforms/cell/spufs/inode.c          |  2 +-
 arch/s390/hypfs/inode.c                            |  4 +--
 drivers/block/rbd.c                                |  2 +-
 drivers/char/sonypi.c                              |  2 +-
 drivers/infiniband/hw/qib/qib_fs.c                 |  2 +-
 drivers/misc/ibmasm/ibmasmfs.c                     |  2 +-
 drivers/oprofile/oprofilefs.c                      |  2 +-
 drivers/platform/x86/sony-laptop.c                 |  2 +-
 drivers/scsi/fnic/fnic_trace.c                     |  4 +--
 drivers/scsi/fnic/fnic_trace.h                     |  2 +-
 drivers/staging/lustre/lustre/llite/llite_lib.c    | 16 ++++++------
 drivers/staging/lustre/lustre/llite/namei.c        |  4 +--
 drivers/staging/lustre/lustre/mdc/mdc_reint.c      |  6 ++---
 .../lustre/lustre/obdclass/linux/linux-obdo.c      |  6 ++---
 drivers/staging/lustre/lustre/obdclass/obdo.c      |  6 ++---
 drivers/staging/lustre/lustre/osc/osc_io.c         |  2 +-
 drivers/usb/core/devio.c                           | 18 +++++++-------
 drivers/usb/gadget/function/f_fs.c                 |  8 +++---
 drivers/usb/gadget/legacy/inode.c                  |  2 +-
 fs/9p/vfs_inode.c                                  |  2 +-
 fs/adfs/inode.c                                    |  2 +-
 fs/affs/amigaffs.c                                 |  6 ++---
 fs/affs/inode.c                                    |  2 +-
 fs/attr.c                                          |  2 +-
 fs/autofs4/inode.c                                 |  2 +-
 fs/autofs4/root.c                                  |  6 ++---
 fs/bad_inode.c                                     |  2 +-
 fs/bfs/dir.c                                       | 14 +++++------
 fs/binfmt_misc.c                                   |  2 +-
 fs/btrfs/file.c                                    |  6 ++---
 fs/btrfs/inode.c                                   | 22 ++++++++--------
 fs/btrfs/ioctl.c                                   |  8 +++---
 fs/btrfs/root-tree.c                               |  3 ++-
 fs/btrfs/transaction.c                             |  4 +--
 fs/btrfs/xattr.c                                   |  2 +-
 fs/ceph/file.c                                     |  4 +--
 fs/ceph/inode.c                                    |  2 +-
 fs/ceph/mds_client.c                               |  4 ++-
 fs/ceph/xattr.c                                    |  2 +-
 fs/cifs/cifsencrypt.c                              |  4 ++-
 fs/cifs/cifssmb.c                                  | 10 ++++----
 fs/cifs/file.c                                     |  4 +--
 fs/cifs/inode.c                                    | 28 +++++++++++----------
 fs/coda/dir.c                                      |  2 +-
 fs/coda/file.c                                     |  2 +-
 fs/coda/inode.c                                    |  2 +-
 fs/configfs/inode.c                                |  6 ++---
 fs/debugfs/inode.c                                 |  2 +-
 fs/devpts/inode.c                                  |  6 ++---
 fs/efivarfs/inode.c                                |  2 +-
 fs/exofs/dir.c                                     |  6 ++---
 fs/exofs/inode.c                                   |  4 +--
 fs/exofs/namei.c                                   |  6 ++---
 fs/ext2/acl.c                                      |  2 +-
 fs/ext2/dir.c                                      |  6 ++---
 fs/ext2/ialloc.c                                   |  2 +-
 fs/ext2/inode.c                                    |  4 +--
 fs/ext2/ioctl.c                                    |  4 +--
 fs/ext2/namei.c                                    |  6 ++---
 fs/ext2/super.c                                    |  2 +-
 fs/ext2/xattr.c                                    |  2 +-
 fs/ext4/acl.c                                      |  2 +-
 fs/ext4/ext4.h                                     |  6 -----
 fs/ext4/extents.c                                  | 10 ++++----
 fs/ext4/ialloc.c                                   |  2 +-
 fs/ext4/inline.c                                   |  4 +--
 fs/ext4/inode.c                                    |  6 ++---
 fs/ext4/ioctl.c                                    |  8 +++---
 fs/ext4/namei.c                                    | 24 ++++++++++--------
 fs/ext4/super.c                                    |  2 +-
 fs/ext4/xattr.c                                    |  2 +-
 fs/f2fs/dir.c                                      |  8 +++---
 fs/f2fs/file.c                                     |  8 +++---
 fs/f2fs/inline.c                                   |  2 +-
 fs/f2fs/namei.c                                    | 12 ++++-----
 fs/f2fs/segment.c                                  |  2 +-
 fs/f2fs/segment.h                                  |  5 ++--
 fs/f2fs/xattr.c                                    |  2 +-
 fs/fat/dir.c                                       |  2 +-
 fs/fat/file.c                                      |  6 ++---
 fs/fat/inode.c                                     |  2 +-
 fs/fat/namei_msdos.c                               | 12 ++++-----
 fs/fat/namei_vfat.c                                | 10 ++++----
 fs/fuse/control.c                                  |  2 +-
 fs/fuse/dir.c                                      |  2 +-
 fs/gfs2/bmap.c                                     |  8 +++---
 fs/gfs2/dir.c                                      | 12 ++++-----
 fs/gfs2/inode.c                                    |  8 +++---
 fs/gfs2/quota.c                                    |  2 +-
 fs/gfs2/xattr.c                                    |  8 +++---
 fs/hfs/catalog.c                                   |  8 +++---
 fs/hfs/dir.c                                       |  2 +-
 fs/hfs/inode.c                                     |  2 +-
 fs/hfsplus/catalog.c                               |  8 +++---
 fs/hfsplus/dir.c                                   |  6 ++---
 fs/hfsplus/inode.c                                 |  2 +-
 fs/hfsplus/ioctl.c                                 |  2 +-
 fs/hugetlbfs/inode.c                               | 10 ++++----
 fs/inode.c                                         | 29 +++++++++++++++++++---
 fs/jffs2/acl.c                                     |  2 +-
 fs/jffs2/fs.c                                      |  2 +-
 fs/jfs/acl.c                                       |  2 +-
 fs/jfs/inode.c                                     |  2 +-
 fs/jfs/ioctl.c                                     |  2 +-
 fs/jfs/jfs_inode.c                                 |  2 +-
 fs/jfs/namei.c                                     | 24 +++++++++---------
 fs/jfs/super.c                                     |  2 +-
 fs/jfs/xattr.c                                     |  2 +-
 fs/kernfs/inode.c                                  |  2 +-
 fs/libfs.c                                         | 14 +++++------
 fs/locks.c                                         |  2 +-
 fs/logfs/dir.c                                     |  6 ++---
 fs/logfs/file.c                                    |  2 +-
 fs/logfs/inode.c                                   |  4 +--
 fs/logfs/readwrite.c                               |  4 +--
 fs/minix/bitmap.c                                  |  2 +-
 fs/minix/dir.c                                     |  6 ++---
 fs/minix/itree_common.c                            |  4 +--
 fs/minix/namei.c                                   |  4 +--
 fs/nfs/client.c                                    |  2 +-
 fs/nfs/netns.h                                     |  2 +-
 fs/nfs/nfs4proc.c                                  | 10 +++++---
 fs/nfs/nfs4xdr.c                                   |  2 +-
 fs/nfsd/blocklayout.c                              |  2 +-
 fs/nilfs2/dir.c                                    |  6 ++---
 fs/nilfs2/inode.c                                  |  4 +--
 fs/nilfs2/ioctl.c                                  |  2 +-
 fs/nilfs2/namei.c                                  |  6 ++---
 fs/nsfs.c                                          |  2 +-
 fs/ntfs/inode.c                                    |  2 +-
 fs/ntfs/mft.c                                      |  2 +-
 fs/ocfs2/acl.c                                     |  2 +-
 fs/ocfs2/alloc.c                                   |  2 +-
 fs/ocfs2/aops.c                                    |  2 +-
 fs/ocfs2/cluster/heartbeat.c                       |  2 +-
 fs/ocfs2/dir.c                                     |  4 +--
 fs/ocfs2/dlmfs/dlmfs.c                             |  4 +--
 fs/ocfs2/file.c                                    | 12 ++++-----
 fs/ocfs2/inode.c                                   |  2 +-
 fs/ocfs2/journal.c                                 |  4 +--
 fs/ocfs2/move_extents.c                            |  2 +-
 fs/ocfs2/namei.c                                   | 16 ++++++------
 fs/ocfs2/ocfs2.h                                   |  2 +-
 fs/ocfs2/refcounttree.c                            |  4 +--
 fs/ocfs2/super.c                                   |  2 +-
 fs/ocfs2/xattr.c                                   |  2 +-
 fs/omfs/dir.c                                      |  4 +--
 fs/omfs/inode.c                                    |  2 +-
 fs/openpromfs/inode.c                              |  2 +-
 fs/orangefs/file.c                                 |  2 +-
 fs/orangefs/inode.c                                |  2 +-
 fs/orangefs/namei.c                                | 10 ++++----
 fs/pipe.c                                          |  2 +-
 fs/posix_acl.c                                     |  2 +-
 fs/proc/base.c                                     |  2 +-
 fs/proc/inode.c                                    |  3 +--
 fs/proc/proc_sysctl.c                              |  2 +-
 fs/proc/self.c                                     |  2 +-
 fs/proc/thread_self.c                              |  2 +-
 fs/pstore/inode.c                                  |  2 +-
 fs/ramfs/inode.c                                   |  6 ++---
 fs/reiserfs/inode.c                                |  2 +-
 fs/reiserfs/ioctl.c                                |  4 +--
 fs/reiserfs/namei.c                                | 12 ++++-----
 fs/reiserfs/stree.c                                |  8 +++---
 fs/reiserfs/super.c                                |  2 +-
 fs/reiserfs/xattr.c                                |  6 ++---
 fs/reiserfs/xattr_acl.c                            |  2 +-
 fs/sysv/dir.c                                      |  6 ++---
 fs/sysv/ialloc.c                                   |  2 +-
 fs/sysv/itree.c                                    |  4 +--
 fs/sysv/namei.c                                    |  4 +--
 fs/tracefs/inode.c                                 |  2 +-
 fs/ubifs/dir.c                                     | 10 ++++----
 fs/ubifs/file.c                                    | 12 ++++-----
 fs/ubifs/ioctl.c                                   |  2 +-
 fs/ubifs/misc.h                                    | 10 --------
 fs/ubifs/sb.c                                      | 14 ++++++++---
 fs/ubifs/xattr.c                                   |  6 ++---
 fs/udf/ialloc.c                                    |  2 +-
 fs/udf/inode.c                                     |  4 +--
 fs/udf/namei.c                                     | 20 +++++++--------
 fs/udf/super.c                                     |  9 ++++---
 fs/ufs/dir.c                                       |  6 ++---
 fs/ufs/ialloc.c                                    |  8 +++---
 fs/ufs/inode.c                                     |  6 ++---
 fs/ufs/namei.c                                     |  6 ++---
 fs/xfs/xfs_acl.c                                   |  2 +-
 fs/xfs/xfs_inode.c                                 |  2 +-
 fs/xfs/xfs_iops.c                                  |  2 +-
 fs/xfs/xfs_trans_inode.c                           |  2 +-
 include/linux/audit.h                              |  4 +--
 include/linux/fs.h                                 |  2 +-
 include/linux/time.h                               |  3 ---
 ipc/mqueue.c                                       | 18 +++++++-------
 kernel/audit.c                                     | 10 ++++----
 kernel/audit.h                                     |  2 +-
 kernel/auditsc.c                                   |  6 ++---
 kernel/bpf/inode.c                                 |  2 +-
 kernel/time/time.c                                 | 14 -----------
 mm/shmem.c                                         | 20 +++++++--------
 net/ceph/messenger.c                               |  6 +++--
 net/ceph/osd_client.c                              |  4 +--
 net/sunrpc/rpc_pipe.c                              |  2 +-
 security/apparmor/apparmorfs.c                     |  2 +-
 security/inode.c                                   |  2 +-
 security/selinux/selinuxfs.c                       |  2 +-
 207 files changed, 540 insertions(+), 524 deletions(-)

-- 
1.9.1



* Re: [PATCH 2/2] semanage: fix modify action in node and interface
From: Stephen Smalley @ 2016-08-11 17:33 UTC (permalink / raw)
  To: Miroslav Vadkerti, selinux; +Cc: linux-audit
In-Reply-To: <1469464627-2159-2-git-send-email-mvadkert@redhat.com>

On 07/25/2016 12:37 PM, Miroslav Vadkerti wrote:
> The modify actions of security context mappings for
> interface and node actually called the add action.
> 
> Signed-off-by: Miroslav Vadkerti <mvadkert@redhat.com>

Thanks, applied.

> ---
>  policycoreutils/semanage/semanage | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/policycoreutils/semanage/semanage b/policycoreutils/semanage/semanage
> index 954411d..b199ebe 100644
> --- a/policycoreutils/semanage/semanage
> +++ b/policycoreutils/semanage/semanage
> @@ -524,7 +524,7 @@ def handleInterface(args):
>      if args.action is "add":
>          OBJECT.add(args.interface, args.range, args.type)
>      if args.action is "modify":
> -        OBJECT.add(args.interface, args.range, args.type)
> +        OBJECT.modify(args.interface, args.range, args.type)
>      if args.action is "delete":
>          OBJECT.delete(args.interface)
>      if args.action is "list":
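Review bot: the fix itself is right, but the surrounding `if args.action is "add":` / `is "modify"` tests compare string identity, not equality, and only work because CPython happens to intern short literals; on another interpreter `modify` could silently match no branch and leave the record untouched with no error. Suggest a follow-up that changes these (here and in handleNode) to `==`, e.g. `if args.action == "modify":`.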
> @@ -607,7 +607,7 @@ def handleNode(args):
>      if args.action is "add":
>          OBJECT.add(args.node, args.netmask, args.proto, args.range, args.type)
>      if args.action is "modify":
> -        OBJECT.add(args.node, args.netmask, args.proto, args.range, args.type)
> +        OBJECT.modify(args.node, args.netmask, args.proto, args.range, args.type)
>      if args.action is "delete":
>          OBJECT.delete(args.node, args.netmask, args.proto)
>      if args.action is "list":
> 


* Re: [PATCH] semanage: add auditing of changes in records
From: James Carter @ 2016-08-09 20:21 UTC (permalink / raw)
  To: Miroslav Vadkerti, selinux-+05T5uksL2qpZYMLLGbcSA
  Cc: linux-audit-H+wXaHxf7aLQT0dZR+AlfA
In-Reply-To: <1469546125-19448-1-git-send-email-mvadkert-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>

On 07/26/2016 11:15 AM, Miroslav Vadkerti wrote:
> Common Criteria requirement FMT_MSA.1 needs any configuration change
> that affects enforcement of policy to be audited. This patch adds
> auditing of changes in security context mappings for network ports,
> interfaces, nodes and file contexts.
>
> A new function log_change is introduced that audits additions,
> modifications and removals of the mappings via the USER_MAC_CONFIG_CHANGE
> audit event.
>
> The format of the audit events was discussed with the audit userspace
> maintainer.
>
> This patch resolves: https://bugzilla.redhat.com/show_bug.cgi?id=829175
>
> Signed-off-by: Miroslav Vadkerti <mvadkert-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>

Applied.

Thanks,
Jim


> ---
>  policycoreutils/semanage/seobject.py | 75 ++++++++++++++++++++++++++++++++++++
>  1 file changed, 75 insertions(+)
>
> diff --git a/policycoreutils/semanage/seobject.py b/policycoreutils/semanage/seobject.py
> index 3b0b108..7d6caa3 100644
> --- a/policycoreutils/semanage/seobject.py
> +++ b/policycoreutils/semanage/seobject.py
> @@ -82,6 +82,21 @@ file_type_str_to_option = {"all files": "a",
>                             "socket file": "s",
>                             "symbolic link": "l",
>                             "named pipe": "p"}
> +
> +proto_to_audit = {"tcp": 17,
> +                  "udp": 6,
> +                  "ipv4": 4,
> +                  "ipv6": 41}
> +
> +ftype_to_audit = {"": "any",
> +                  "b": "block",
> +                  "c": "char",
> +                  "d": "dir",
> +                  "f": "file",
> +                  "l": "symlink",
> +                  "p": "pipe",
> +                  "s": "socket"}
> +
>  try:
>      import audit
>
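Review bot: `proto_to_audit` has the IANA protocol numbers for TCP and UDP swapped (TCP is 6, UDP is 17), so every port record emitted with `proto=%s` will carry the wrong protocol number and mislead anyone correlating these USER_MAC_CONFIG_CHANGE events with other audit or network data; this should read `"tcp": 6,` and `"udp": 17,`. The `"ipv4": 4` and `"ipv6": 41` entries do match the IANA assignments.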
> @@ -90,6 +105,7 @@ try:
>          def __init__(self):
>              self.audit_fd = audit.audit_open()
>              self.log_list = []
> +            self.log_change_list = []
>
>          def log(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""):
>
> @@ -109,10 +125,17 @@ try:
>          def log_remove(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""):
>              self.log_list.append([self.audit_fd, audit.AUDIT_ROLE_REMOVE, sys.argv[0], str(msg), name, 0, sename, serole, serange, oldsename, oldserole, oldserange, "", "", ""])
>
> +        def log_change(self, msg):
> +            self.log_change_list.append([self.audit_fd, audit.AUDIT_USER_MAC_CONFIG_CHANGE, str(msg), "semanage", "", "", ""])
> +
>          def commit(self, success):
>              for l in self.log_list:
>                  audit.audit_log_semanage_message(*(l + [success]))
> +            for l in self.log_change_list:
> +                audit.audit_log_user_comm_message(*(l + [success]))
> +
>              self.log_list = []
> +            self.log_change_list = []
>  except:
>      class logger:
>
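Review bot: commit() passes the literal "semanage" as the comm argument of the new USER_MAC_CONFIG_CHANGE events, while log() and log_remove() use sys.argv[0]; pick one source for the tool name so the two event types can be correlated. The loop also ignores the return value of audit_log_user_comm_message() and then clears log_change_list unconditionally, so a failed write is dropped silently.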
> @@ -138,6 +161,9 @@ except:
>          def log_remove(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""):
>              self.log(msg, name, sename, serole, serange, oldsename, oldserole, oldserange)
>
> +        def log_change(self, msg):
> +            self.log_list.append(" %s" % msg)
> +
>          def commit(self, success):
>              if success == 1:
>                  message = "Successful: "
> @@ -155,6 +181,9 @@ class nulllogger:
>      def log_remove(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""):
>          pass
>
> +    def log_change(self, msg):
> +        pass
> +
>      def commit(self, success):
>          pass
>
> @@ -1109,6 +1138,8 @@ class portRecords(semanageRecords):
>          semanage_port_key_free(k)
>          semanage_port_free(p)
>
> +        self.mylog.log_change("resrc=port op=add lport=%s proto=%s tcontext=%s:%s:%s:%s" % (port, proto_to_audit[proto], "system_u", "object_r", type, serange))
> +
>      def add(self, port, proto, serange, type):
>          self.begin()
>          self.__add(port, proto, serange, type)
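Review bot: port, type and serange are interpolated with a plain %s here, whereas the fcontext hunks below run their free-form values through audit.audit_encode_nv_string(). Encoding tcontext= the same way keeps the field parseable regardless of what the context string contains; the same applies to the node and interface hunks.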
> @@ -1150,6 +1181,8 @@ class portRecords(semanageRecords):
>          semanage_port_key_free(k)
>          semanage_port_free(p)
>
> +        self.mylog.log_change("resrc=port op=modify lport=%s proto=%s tcontext=%s:%s:%s:%s" % (port, proto_to_audit[proto], "system_u", "object_r", setype, serange))
> +
>      def modify(self, port, proto, serange, setype):
>          self.begin()
>          self.__modify(port, proto, serange, setype)
> @@ -1168,6 +1201,7 @@ class portRecords(semanageRecords):
>              low = semanage_port_get_low(port)
>              high = semanage_port_get_high(port)
>              port_str = "%s-%s" % (low, high)
> +
>              (k, proto_d, low, high) = self.__genkey(port_str, proto_str)
>              if rc < 0:
>                  raise ValueError(_("Could not create a key for %s") % port_str)
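Review bot: this hunk only inserts a blank line after `port_str = "%s-%s" % (low, high)` and is unrelated to the audit change; drop it to keep the patch focused.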
> @@ -1177,6 +1211,11 @@ class portRecords(semanageRecords):
>                  raise ValueError(_("Could not delete the port %s") % port_str)
>              semanage_port_key_free(k)
>
> +            if low == high:
> +                port_str = low
> +
> +            self.mylog.log_change("resrc=port op=delete lport=%s proto=%s" % (port_str, proto_to_audit[proto_str]))
> +
>          self.commit()
>
>      def __delete(self, port, proto):
> @@ -1199,6 +1238,8 @@ class portRecords(semanageRecords):
>
>          semanage_port_key_free(k)
>
> +        self.mylog.log_change("resrc=port op=delete lport=%s proto=%s" % (port, proto_to_audit[proto]))
> +
>      def delete(self, port, proto):
>          self.begin()
>          self.__delete(port, proto)
> @@ -1380,6 +1421,8 @@ class nodeRecords(semanageRecords):
>          semanage_node_key_free(k)
>          semanage_node_free(node)
>
> +        self.mylog.log_change("resrc=node op=add laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, proto_to_audit[self.protocol[proto]], "system_u", "object_r", ctype, serange))
> +
>      def add(self, addr, mask, proto, serange, ctype):
>          self.begin()
>          self.__add(addr, mask, proto, serange, ctype)
> @@ -1421,6 +1464,8 @@ class nodeRecords(semanageRecords):
>          semanage_node_key_free(k)
>          semanage_node_free(node)
>
> +        self.mylog.log_change("resrc=node op=modify laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, proto_to_audit[self.protocol[proto]], "system_u", "object_r", setype, serange))
> +
>      def modify(self, addr, mask, proto, serange, setype):
>          self.begin()
>          self.__modify(addr, mask, proto, serange, setype)
> @@ -1452,6 +1497,8 @@ class nodeRecords(semanageRecords):
>
>          semanage_node_key_free(k)
>
> +        self.mylog.log_change("resrc=node op=delete laddr=%s netmask=%s proto=%s" % (addr, mask, proto_to_audit[self.protocol[proto]]))
> +
>      def delete(self, addr, mask, proto):
>          self.begin()
>          self.__delete(addr, mask, proto)
> @@ -1581,6 +1628,8 @@ class interfaceRecords(semanageRecords):
>          semanage_iface_key_free(k)
>          semanage_iface_free(iface)
>
> +        self.mylog.log_change("resrc=interface op=add netif=%s tcontext=%s:%s:%s:%s" % (interface, "system_u", "object_r", ctype, serange))
> +
>      def add(self, interface, serange, ctype):
>          self.begin()
>          self.__add(interface, serange, ctype)
> @@ -1618,6 +1667,8 @@ class interfaceRecords(semanageRecords):
>          semanage_iface_key_free(k)
>          semanage_iface_free(iface)
>
> +        self.mylog.log_change("resrc=interface op=modify netif=%s tcontext=%s:%s:%s:%s" % (interface, "system_u", "object_r", setype, serange))
> +
>      def modify(self, interface, serange, setype):
>          self.begin()
>          self.__modify(interface, serange, setype)
> @@ -1646,6 +1697,8 @@ class interfaceRecords(semanageRecords):
>
>          semanage_iface_key_free(k)
>
> +        self.mylog.log_change("resrc=interface op=delete netif=%s" % interface)
> +
>      def delete(self, interface):
>          self.begin()
>          self.__delete(interface)
> @@ -1775,6 +1828,8 @@ class fcontextRecords(semanageRecords):
>                  if i.startswith(target + "/"):
>                      raise ValueError(_("File spec %s conflicts with equivalency rule '%s %s'") % (target, i, fdict[i]))
>
> +        self.mylog.log_change("resrc=fcontext op=add-equal %s %s" % (audit.audit_encode_nv_string("sglob", target, 0), audit.audit_encode_nv_string("tglob", substitute, 0)))
> +
>          self.equiv[target] = substitute
>          self.equal_ind = True
>          self.commit()
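Review bot: audit.audit_encode_nv_string() is called unconditionally here, but `import audit` at the top of the file is wrapped in try/except with a fallback logger, so on a system without the audit Python bindings add_equal() now raises NameError instead of falling back. Either guard these calls or give the fallback path an encode helper; the same applies to every fcontext hunk below.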
> @@ -1785,6 +1840,9 @@ class fcontextRecords(semanageRecords):
>              raise ValueError(_("Equivalence class for %s does not exists") % target)
>          self.equiv[target] = substitute
>          self.equal_ind = True
> +
> +        self.mylog.log_change("resrc=fcontext op=modify-equal %s %s" % (audit.audit_encode_nv_string("sglob", target, 0), audit.audit_encode_nv_string("tglob", substitute, 0)))
> +
>          self.commit()
>
>      def createcon(self, target, seuser="system_u"):
> @@ -1879,6 +1937,11 @@ class fcontextRecords(semanageRecords):
>          semanage_fcontext_key_free(k)
>          semanage_fcontext_free(fcontext)
>
> +        if not seuser:
> +            seuser = "system_u"
> +
> +        self.mylog.log_change("resrc=fcontext op=add %s ftype=%s tcontext=%s:%s:%s:%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype], seuser, "object_r", type, serange))
> +
>      def add(self, target, type, ftype="", serange="", seuser="system_u"):
>          self.begin()
>          self.__add(target, type, ftype, serange, seuser)
> @@ -1939,6 +2002,11 @@ class fcontextRecords(semanageRecords):
>          semanage_fcontext_key_free(k)
>          semanage_fcontext_free(fcontext)
>
> +        if not seuser:
> +            seuser = "system_u"
> +
> +        self.mylog.log_change("resrc=fcontext op=modify %s ftype=%s tcontext=%s:%s:%s:%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype], seuser, "object_r", type, serange))
> +
>      def modify(self, target, setype, ftype, serange, seuser):
>          self.begin()
>          self.__modify(target, setype, ftype, serange, seuser)
> @@ -1964,6 +2032,8 @@ class fcontextRecords(semanageRecords):
>                  raise ValueError(_("Could not delete the file context %s") % target)
>              semanage_fcontext_key_free(k)
>
> +            self.mylog.log_change("resrc=fcontext op=delete %s ftype=%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype_str]))
> +
>          self.equiv = {}
>          self.equal_ind = True
>          self.commit()
> @@ -1972,6 +2042,9 @@ class fcontextRecords(semanageRecords):
>          if target in self.equiv.keys():
>              self.equiv.pop(target)
>              self.equal_ind = True
> +
> +            self.mylog.log_change("resrc=fcontext op=delete-equal %s ftype=%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype]))
> +
>              return
>
>          (rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype])
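Review bot: the delete-equal event logs ftype= from ftype_to_audit[ftype], but the add-equal and modify-equal events above carry no ftype and equivalence rules have no file type; drop ftype from this message for consistency.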
> @@ -1996,6 +2069,8 @@ class fcontextRecords(semanageRecords):
>
>          semanage_fcontext_key_free(k)
>
> +        self.mylog.log_change("resrc=fcontext op=delete %s ftype=%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype]))
> +
>      def delete(self, target, ftype):
>          self.begin()
>          self.__delete(target, ftype)
>


-- 
James Carter <jwcart2-+05T5uksL2qpZYMLLGbcSA@public.gmane.org>
National Security Agency
_______________________________________________
Selinux mailing list
Selinux-+05T5uksL2qpZYMLLGbcSA@public.gmane.org
To unsubscribe, send email to Selinux-leave-+05T5uksL2pAGbPMOrvdOA@public.gmane.org
To get help, send an email containing "help" to Selinux-request-+05T5uksL2pAGbPMOrvdOA@public.gmane.org


* Re: Question about the a[[:digit:]+]\[.*\] fields
From: Paul Moore @ 2016-08-08 13:03 UTC (permalink / raw)
  To: Mateusz Piotrowski; +Cc: linux-audit, Konrad Witaszczyk
In-Reply-To: <106CB185-F7E5-4B4A-A3ED-64F5E3392086@FreeBSD.org>

On Mon, Aug 8, 2016 at 8:01 AM, Mateusz Piotrowski <0mp@freebsd.org> wrote:
> On 07 Aug 2016, at 20:51, Paul Moore <paul@paul-moore.com> wrote:
>
>> On Mon, Aug 1, 2016 at 10:46 AM, Steve Grubb <sgrubb@redhat.com> wrote:
>>> On Monday, August 1, 2016 12:16:30 AM EDT Mateusz Piotrowski wrote:
>>>> Hello,
>>>>
>>>> According to the field dictionary[1] there are fields which names are
>>>> defined by the following regex: "a[[:digit:]+]\[.*\]".
>>>>
>>>> I was able to find examples of fields like "a4" and "a5" (see [2]) but it
>>>> doesn't fit the regex which seems to require a pair of square brackets (so
>>>> "a4" should be "a4[]" or "a4[foo]"). I couldn't find any reference in the
>>>> Linux Audit source code.
>>>
>>> I think you have to have arguments that are larger than the audit record
>>> limit and so many arguments that you have multiple execve records to contain
>>> them all.
>>
>> Sorry for the delay in responding, but yes, that is mostly correct.
>> If there is an argument that spills across the boundary of a single
>> EXECVE record, either due to an exceptionally large size, or little
>> room remaining in the existing record, an argument length field is
>> added to the record (a2_len=x) and the argument value is split and
>> indexed (a2[0]=x ... a[n]=x).
>
> Could you please correct me if I am wrong? From what I understand
> (based on kernel/auditsc.c:audit_log_single_execve_arg()[2]) a
> correct set of fields could possibly look like this:
>
>     a4_len=4 a4[0]=a a4[1]=n a4[2]=i a4[3]=a

That is correct, assuming that the a4_len and a4[0] field occur in one
record, a[1] in a second, a[2] in a third, and so on.  You should
never see aX[n] and aX[n+1] in a single record; if you do, it's a bug :)

> as long as there are no unprintable control ascii characters (otherwise
> the a4_len field's value would be 8 as every character is printed in hex).
>
> How about the "a[[:digit:]+]_len" fields (for example a4_len)?
> Are they synonymous with the len field[1]?

The len field gets used for a lot of things, but for understanding
individual argument lengths, you should pay attention to the aX_len
field (when present).

>> The relevant code in the kernel just changed over the past few weeks
>> to correct some problems, so there are some subtle differences between
>> old code and what you will find in Linus' tree at the moment, but none
>> of those changes should affect the regex you've described.
>
> I'd appreciate if you could point me to a web server where I can download
> the kernel's source code you write about. I do not deal with Linux Kernel
> source code on daily basis and search engines don't produce obvious results.

When in doubt, Google is generally very helpful, but here is a link:

 * https://www.kernel.org

-- 
paul moore
www.paul-moore.com


* Re: Question about the a[[:digit:]+]\[.*\] fields
From: Mateusz Piotrowski @ 2016-08-08 12:01 UTC (permalink / raw)
  To: Paul Moore; +Cc: linux-audit, Konrad Witaszczyk
In-Reply-To: <CAHC9VhSBzbkFrFtCqKnMiXwH8OFcqzmz3_wa6N1rcYVvL+NnHQ@mail.gmail.com>

On 07 Aug 2016, at 20:51, Paul Moore <paul@paul-moore.com> wrote:

> On Mon, Aug 1, 2016 at 10:46 AM, Steve Grubb <sgrubb@redhat.com> wrote:
>> On Monday, August 1, 2016 12:16:30 AM EDT Mateusz Piotrowski wrote:
>>> Hello,
>>> 
>>> According to the field dictionary[1] there are fields which names are
>>> defined by the following regex: "a[[:digit:]+]\[.*\]".
>>> 
>>> I was able to find examples of fields like "a4" and "a5" (see [2]) but it
>>> doesn't fit the regex which seems to require a pair of square brackets (so
>>> "a4" should be "a4[]" or "a4[foo]"). I couldn't find any reference in the
>>> Linux Audit source code.
>> 
>> I think you have to have arguments that are larger than the audit record
>> limit and so many arguments that you have multiple execve records to contain
>> them all.
> 
> Sorry for the delay in responding, but yes, that is mostly correct.
> If there is an argument that spills across the boundary of a single
> EXECVE record, either due to an exceptionally large size, or little
> room remaining in the existing record, an argument length field is
> added to the record (a2_len=x) and the argument value is split and
> indexed (a2[0]=x ... a[n]=x).

Could you please correct me if I am wrong? From what I understand 
(based on kernel/auditsc.c:audit_log_single_execve_arg()[2]) a 
correct set of fields could possibly look like this:

    a4_len=4 a4[0]=a a4[1]=n a4[2]=i a4[3]=a

as long as there are no unprintable control ascii characters (otherwise
the a4_len field's value would be 8 as every character is printed in hex).

How about the "a[[:digit:]+]_len" fields (for example a4_len)? 
Are they synonymous with the len field[1]?

> The relevant code in the kernel just changed over the past few weeks
> to correct some problems, so there are some subtle differences between
> old code and what you will find in Linus' tree at the moment, but none
> of those changes should affect the regex you've described.

I'd appreciate if you could point me to a web server where I can download 
the kernel's source code you write about. I do not deal with Linux Kernel 
source code on daily basis and search engines don't produce obvious results.

>>> My questions are:
>>> 1. Is this regex valid and up-to-date? Or is it an outdated rule which
>>> doesn't apply anymore?
> 
> It is correct if the argument spills across a single EXECVE record
> boundary, but since the index (the number between the square brackets)
> is not optional it would fail for the more common, single EXECVE
> record case.  You could also argue that the string match inside the
> square brackets should only match on a string of digits, but
> technically what is there does work.

OK, I get it. Thank you.

>>> 2. Could you suggest me where to look to see how those arguments to the
>>> execve syscall are handled?
>> 
>> Handled where? Kernel? Userspace doesn't do much with any execve argument
>> except decode it.
> 
> The kernel generates the EXECVE record in
> kernel/auditsc.c:audit_log_execve_info() and you can find a test for
> the EXECVE record in the audit-testsuite (exec_execve).
> 
> * https://github.com/linux-audit/audit-testsuite

Thanks. It clarifies a lot and will help me to advance with my GSoC project[3].

Cheers!

-m

[1]: https://github.com/linux-audit/audit-documentation/blob/master/specs/fields/field-dictionary.csv#L95
[2]: http://lxr.free-electrons.com/source/kernel/auditsc.c#L1095
[3]: https://wiki.freebsd.org/SummerOfCode2016/NonBSMtoBSMConversionTools


* Re: Question about the a[[:digit:]+]\[.*\] fields
From: Paul Moore @ 2016-08-07 18:51 UTC (permalink / raw)
  To: Konrad Witaszczyk; +Cc: linux-audit
In-Reply-To: <37697145.Sr86xZ3kit@x2>

On Mon, Aug 1, 2016 at 10:46 AM, Steve Grubb <sgrubb@redhat.com> wrote:
> On Monday, August 1, 2016 12:16:30 AM EDT Mateusz Piotrowski wrote:
>> Hello,
>>
>> According to the field dictionary[1] there are fields which names are
>> defined by the following regex: "a[[:digit:]+]\[.*\]".
>>
>> I was able to find examples of fields like "a4" and "a5" (see [2]) but it
>> doesn't fit the regex which seems to require a pair of square brackets (so
>> "a4" should be "a4[]" or "a4[foo]"). I couldn't find any reference in the
>> Linux Audit source code.
>
> I think you have to have arguments that are larger than the audit record
> limit and so many arguments that you have multiple execve records to contain
> them all.

Sorry for the delay in responding, but yes, that is mostly correct.
If there is an argument that spills across the boundary of a single
EXECVE record, either due to an exceptionally large size, or little
room remaining in the existing record, an argument length field is
added to the record (a2_len=x) and the argument value is split and
indexed (a2[0]=x ... a[n]=x).

The relevant code in the kernel just changed over the past few weeks
to correct some problems, so there are some subtle differences between
old code and what you will find in Linus' tree at the moment, but none
of those changes should affect the regex you've described.

>> My questions are:
>> 1. Is this regex valid and up-to-date? Or is it an outdated rule which
>> doesn't apply anymore?

It is correct if the argument spills across a single EXECVE record
boundary, but since the index (the number between the square brackets)
is not optional it would fail for the more common, single EXECVE
record case.  You could also argue that the string match inside the
square brackets should only match on a string of digits, but
technically what is there does work.

>> 2. Could you suggest me where to look to see how those arguments to the
>> execve syscall are handled?
>
> Handled where? Kernel? Userspace doesn't do much with any execve argument
> except decode it.

The kernel generates the EXECVE record in
kernel/auditsc.c:audit_log_execve_info() and you can find a test for
the EXECVE record in the audit-testsuite (exec_execve).

 * https://github.com/linux-audit/audit-testsuite

-- 
paul moore
www.paul-moore.com
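As an added example (not code from this thread or from the audit project), a Python parser that reassembles execve arguments split across EXECVE records the way the replies above describe: it groups records by their msg=audit(ts:serial) event id, joins aN[i] chunks in index order, checks the total against aN_len (which counts printed characters, so it is doubled for hex-encoded values), and rejects two chunks of one argument in a single record. The sample records are constructed.

```python
import re
from collections import defaultdict

# Constructed sample records (not taken from the thread). Event 42 is an execve
# whose a2 holds a newline, so the kernel hex-encodes it and doubles a2_len, and
# whose a2 and a3 both spill across record boundaries; event 43 is the common
# single-record case with no _len or [n] fields at all.
SAMPLE_EXECVE_LINES = [
    'type=EXECVE msg=audit(1470652800.123:42): argc=4 a0="printf" a1="%s" a2_len=6 a2[0]=610A',
    'type=EXECVE msg=audit(1470652800.123:42): a2[1]=62 a3_len=4 a3[0]="an"',
    'type=EXECVE msg=audit(1470652800.123:42): a3[1]="ia"',
    'type=EXECVE msg=audit(1470652801.500:43): argc=2 a0="ls" a1="-l"',
]

MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\):')
# key=value tokens: a double-quoted value is a printable string, a bare value is
# either a number (argc, aN_len) or a hex-encoded untrusted string
TOKEN_RE = re.compile(r'(\S+?)=("[^"]*"|\S*)')
# matches a4 (whole argument), a4_len (declared length) and a4[1] (chunk 1)
ARG_KEY_RE = re.compile(r'^a(\d+)(?:(_len)|\[(\d+)\])?$')


class ExecveArgError(ValueError):
    """Raised when the aN/aN_len/aN[i] fields of one event are inconsistent."""


def _new_slot():
    return {"len": None, "chunks": {}, "hex": None}


def _printed_form(raw):
    """Strip the quotes of a printable value; a bare value is hex-encoded."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1], False
    return raw, True


def parse_execve_args(lines):
    """Reassemble execve arguments from EXECVE record lines.

    Records are grouped by the "ts:serial" id in msg=audit(ts:serial), so
    chunks of one argument may be spread over several lines.
    Returns {event_id: {argnum: bytes}} with hex-encoded values decoded.
    """
    events = defaultdict(lambda: defaultdict(_new_slot))
    for line in lines:
        if "type=EXECVE " not in line:
            continue
        m = MSG_RE.search(line)
        if m is None:
            raise ExecveArgError("EXECVE record without msg=audit(...): %r" % line)
        event_id = "%s:%s" % (m.group(1), m.group(2))
        seen_in_record = set()
        for key, raw in TOKEN_RE.findall(line):
            km = ARG_KEY_RE.match(key)
            if km is None:
                continue
            argnum = int(km.group(1))
            slot = events[event_id][argnum]
            if km.group(2):  # aN_len: declared length of the printed value
                slot["len"] = int(raw)
                continue
            # a chunk; a plain aN= value is chunk 0 of a one-chunk argument
            idx = int(km.group(3)) if km.group(3) is not None else 0
            if argnum in seen_in_record:
                # the kernel ends a record after each aN[i] chunk, so two chunks
                # of one argument in the same record indicate a bug
                raise ExecveArgError("event %s: a%d has two chunks in one record"
                                     % (event_id, argnum))
            seen_in_record.add(argnum)
            text, is_hex = _printed_form(raw)
            if slot["hex"] is None:
                slot["hex"] = is_hex
            elif slot["hex"] != is_hex:
                raise ExecveArgError("event %s: a%d mixes quoted and hex chunks"
                                     % (event_id, argnum))
            if idx in slot["chunks"]:
                raise ExecveArgError("event %s: duplicate chunk a%d[%d]"
                                     % (event_id, argnum, idx))
            slot["chunks"][idx] = text

    result = {}
    for event_id, args in events.items():
        result[event_id] = {}
        for argnum, slot in args.items():
            chunks = slot["chunks"]
            if sorted(chunks) != list(range(len(chunks))):
                raise ExecveArgError("event %s: a%d is missing a chunk" % (event_id, argnum))
            printed = "".join(chunks[i] for i in range(len(chunks)))
            # aN_len counts printed characters, so it is doubled for hex values
            if slot["len"] is not None and slot["len"] != len(printed):
                raise ExecveArgError("event %s: a%d_len=%d but %d characters were logged"
                                     % (event_id, argnum, slot["len"], len(printed)))
            if slot["hex"]:
                try:
                    value = bytes.fromhex(printed)
                except ValueError:
                    value = printed.encode()  # not hex: keep the printed form
            else:
                value = printed.encode()
            result[event_id][argnum] = value
    return result


if __name__ == "__main__":
    for event_id, args in sorted(parse_execve_args(SAMPLE_EXECVE_LINES).items()):
        print(event_id, [args[i] for i in sorted(args)])
```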


* Re: [PATCH 0/5] Add support for sessionid user filters, sessionid_set and loginuid_set
From: Richard Guy Briggs @ 2016-08-02 16:30 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit
In-Reply-To: <7465676.juF99Vr4t2@x2>

On 2016-08-02 09:58, Steve Grubb wrote:
> On Tuesday, August 2, 2016 9:25:44 AM EDT Steve Grubb wrote:
> > On Tuesday, August 2, 2016 8:56:35 AM EDT Richard Guy Briggs wrote:
> > > On 2016-08-02 08:16, Steve Grubb wrote:
> > > > On Tuesday, August 2, 2016 5:38:56 AM EDT Richard Guy Briggs wrote:
> > > > > Add support for sessionid, sessionid_set (first two patches) and
> > > > > loginuid_set (and auid_set) (third patch) in user filters.  The first
> > > > > 
> > > > > two are directly related to issue "ghak4":
> > > > > https://github.com/linux-audit/audit-kernel/issues/4
> > > > > https://github.com/linux-audit/audit-kernel/wiki/RFE-Session-ID-User-Filter
> > > > > 
> > > > > The third is to support a kernel change from 3.10 and 3.19 to avoid
> > > > > using in-band values to indicate the loginuid is unset.
> > > > 
> > > > Have the above three patches been tested on old kernels?
> > > 
> > > Not yet.  How do you usually add new features to userspace to guard
> > > against missing features from old kernels?  Time to add a bit to the
> > > kernel audit status feature field?
> > 
> > Yes. Otherwise you get EINVAL which doesn't let you explain what exactly is 
> > wrong with the rule.
> 
> Before you get too far...I just looked at the support being added in the first 
> three patches. There is no code changing auditctl. Is there something missing?

I am pretty sure I looked through auditctl and in the three cases things
were simple enough that the fallthrough case was sufficient.  Now that I
think about it, to avoid the ambiguity of -EINVAL, restricting the first
to a positive value and the 2nd and 3rd to true or false would remove
that ambiguity.

> -Steve

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635


* Re: [PATCH] Ignore tags and cscope output files.
From: Steve Grubb @ 2016-08-02 15:54 UTC (permalink / raw)
  To: Richard Guy Briggs; +Cc: linux-audit
In-Reply-To: <1470126700-28455-1-git-send-email-rgb@redhat.com>

On Tuesday, August 2, 2016 4:31:40 AM EDT Richard Guy Briggs wrote:
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> ---
>  trunk/.gitignore |    2 ++
>  1 files changed, 2 insertions(+), 0 deletions(-)

Applied. Thanks.

-Steve


* Re: How can I install the latest version of Linux Audit on CentOS 6.8? (Update on CentOS 7)
From: Mateusz Piotrowski @ 2016-08-02 14:21 UTC (permalink / raw)
  To: linux-audit
In-Reply-To: <A0A484B9-D6EE-4DFB-BE27-27B40E4C503B@FreeBSD.org>

Hello,

On 18 Jul 2016, at 17:39, Mateusz Piotrowski <0mp@freebsd.org> wrote:
>> On 15 Jul 2016, at 15:17, Steve Grubb <sgrubb@redhat.com> wrote:
>> On Friday, July 15, 2016 2:52:02 PM EDT Mateusz Piotrowski wrote:
>>> Is there an easier way to get the latest Linux Audit version on my system?
>> Why wouldn't you start with the distribution tar file?
>> http://people.redhat.com/sgrubb/audit/audit-2.6.5.tar.gz
> 
> I was able to install the latest version from the tar file using the following commands. Thanks Steve!
> 
> curl -O http://people.redhat.com/sgrubb/audit/audit-2.6.5.tar.gz
> gzip -d audit-2.6.5.tar.gz
> tar xf audit-2.6.5.tar
> cd audit-2.6.5
> yum install autoconf automake libtool tcp_wrappers-devel openldap-devel
> # Python and libcap-ng didn't work for me.
> # This is why I set --with-python and --with-libcap-ng to no instead to yes.
> ./configure --sbindir=/sbin --with-python=no --with-libwrap --enable-gssapi-krb5=yes --with-libcap-ng=no
> make
> make install
> 
> My CentOS is now running auditd version 2.6.5 (according to information within /var/log/audit/audit.log).

I just wanted to send an update to this thread - I successfully installed a fully featured audit-userspace on CentOS 7 x86_64 
installed from a Minimal Install ISO.

Here's everything you need to build and install audit-userspace:

yum install libtool tcp_wrappers-devel openldap-devel python-devel libcap-ng-devel swig
./configure --sbindir=/sbin --with-python=yes --with-libwrap --enable-gssapi-krb5=yes --with-libcap-ng=yes
make
make install

Cheers!

-m


* Re: [PATCH 0/5] Add support for sessionid user filters, sessionid_set and loginuid_set
From: Steve Grubb @ 2016-08-02 13:58 UTC (permalink / raw)
  To: linux-audit; +Cc: Richard Guy Briggs
In-Reply-To: <1631071.bJV1sPFgiU@x2>

On Tuesday, August 2, 2016 9:25:44 AM EDT Steve Grubb wrote:
> On Tuesday, August 2, 2016 8:56:35 AM EDT Richard Guy Briggs wrote:
> > On 2016-08-02 08:16, Steve Grubb wrote:
> > > On Tuesday, August 2, 2016 5:38:56 AM EDT Richard Guy Briggs wrote:
> > > > Add support for sessionid, sessionid_set (first two patches) and
> > > > loginuid_set (and auid_set) (third patch) in user filters.  The first
> > > > 
> > > > two are directly related to issue "ghak4":
> > > > https://github.com/linux-audit/audit-kernel/issues/4
> > > > https://github.com/linux-audit/audit-kernel/wiki/RFE-Session-ID-User-Filter
> > > > 
> > > > The third is to support a kernel change from 3.10 and 3.19 to avoid
> > > > using in-band values to indicate the loginuid is unset.
> > > 
> > > Have the above three patches been tested on old kernels?
> > 
> > Not yet.  How do you usually add new features to userspace to guard
> > against missing features from old kernels?  Time to add a bit to the
> > kernel audit status feature field?
> 
> Yes. Otherwise you get EINVAL which doesn't let you explain what exactly is 
> wrong with the rule.

Before you get too far...I just looked at the support being added in the first 
three patches. There is no code changing auditctl. Is there something missing?

-Steve


* Re: [PATCH 0/5] Add support for sessionid user filters, sessionid_set and loginuid_set
From: Steve Grubb @ 2016-08-02 13:25 UTC (permalink / raw)
  To: Richard Guy Briggs; +Cc: linux-audit
In-Reply-To: <20160802125635.GX10734@madcap2.tricolour.ca>

On Tuesday, August 2, 2016 8:56:35 AM EDT Richard Guy Briggs wrote:
> On 2016-08-02 08:16, Steve Grubb wrote:
> > On Tuesday, August 2, 2016 5:38:56 AM EDT Richard Guy Briggs wrote:
> > > Add support for sessionid, sessionid_set (first two patches) and
> > > loginuid_set (and auid_set) (third patch) in user filters.  The first
> > > 
> > > two are directly related to issue "ghak4":
> > >         https://github.com/linux-audit/audit-kernel/issues/4
> > >         https://github.com/linux-audit/audit-kernel/wiki/RFE-Session-ID-User-Filter
> > > 
> > > The third is to support a kernel change from 3.10 and 3.19 to avoid
> > > using in-band values to indicate the loginuid is unset.
> > 
> > Have the above three patches been tested on old kernels?
> 
> Not yet.  How do you usually add new features to userspace to guard
> against missing features from old kernels?  Time to add a bit to the
> kernel audit status feature field?

Yes. Otherwise you get EINVAL which doesn't let you explain what exactly is 
wrong with the rule.

Thanks,
-Steve

> > > The last two patches are to add unset flags to sessionid and loginuid
> > > for ausearch and aureport.  These two patches are extras and not
> > > required for basic support.
> > 
> > I don't understand what the point of these last two items are. If the
> > session is not set, we have ses=4294967295 in the audit trail. That can
> > already be specified in ausearch as --session -1. I also am not sure that
> > session information makes any sense for aureport because we have aulast
> > which reports on session activity for users.
> 
> I was starting to doubt the utility of these last two patches which is
> why I tagged them optional.  Please use any bits or ideas that might be
> useful, otherwise drop them.
> 
> > -Steve
> 
> - RGB
> 
> --
> Richard Guy Briggs <rgb@redhat.com>
> Kernel Security Engineering, Base Operating Systems, Red Hat
> Remote, Ottawa, Canada
> Voice: +1.647.777.2635, Internal: (81) 32635


* Re: [PATCH 0/5] Add support for sessionid user filters, sessionid_set and loginuid_set
From: Richard Guy Briggs @ 2016-08-02 12:56 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit
In-Reply-To: <2972985.6eL3t5tKut@x2>

On 2016-08-02 08:16, Steve Grubb wrote:
> On Tuesday, August 2, 2016 5:38:56 AM EDT Richard Guy Briggs wrote:
> > Add support for sessionid, sessionid_set (first two patches) and
> > loginuid_set (and auid_set) (third patch) in user filters.  The first
> > two are directly related to issue "ghak4":
> >         https://github.com/linux-audit/audit-kernel/issues/4
> >         https://github.com/linux-audit/audit-kernel/wiki/RFE-Session-ID-User-Filter
> > 
> > The third is to support a kernel change from 3.10 and 3.19 to avoid
> > using in-band values to indicate the loginuid is unset.
> 
> Have the above three patches been tested on old kernels?

Not yet.  How do you usually add new features to userspace to guard
against missing features from old kernels?  Time to add a bit to the
kernel audit status feature field?

> > The last two patches are to add unset flags to sessionid and loginuid
> > for ausearch and aureport.  These two patches are extras and not
> > required for basic support.
> 
> I don't understand what the point of these last two items are. If the session 
> is not set, we have ses=4294967295 in the audit trail. That can already be 
> specified in ausearch as --session -1. I also am not sure that session 
> information makes any sense for aureport because we have aulast which reports 
> on session activity for users.

I was starting to doubt the utility of these last two patches which is
why I tagged them optional.  Please use any bits or ideas that might be
useful, otherwise drop them.

> -Steve

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635


* Re: [PATCH 0/5] Add support for sessionid user filters, sessionid_set and loginuid_set
From: Steve Grubb @ 2016-08-02 12:16 UTC (permalink / raw)
  To: Richard Guy Briggs; +Cc: linux-audit
In-Reply-To: <1470130741-31650-1-git-send-email-rgb@redhat.com>

On Tuesday, August 2, 2016 5:38:56 AM EDT Richard Guy Briggs wrote:
> Add support for sessionid, sessionid_set (first two patches) and
> loginuid_set (and auid_set) (third patch) in user filters.  The first
> two are directly related to issue "ghak4":
>         https://github.com/linux-audit/audit-kernel/issues/4
>         https://github.com/linux-audit/audit-kernel/wiki/RFE-Session-ID-User-Filter
> 
> The third is to support a kernel change from 3.10 and 3.19 to avoid
> using in-band values to indicate the loginuid is unset.

Have the above three patches been tested on old kernels?

> The last two patches are to add unset flags to sessionid and loginuid
> for ausearch and aureport.  These two patches are extras and not
> required for basic support.

I don't understand what the point of these last two items are. If the session 
is not set, we have ses=4294967295 in the audit trail. That can already be 
specified in ausearch as --session -1. I also am not sure that session 
information makes any sense for aureport because we have aulast which reports 
on session activity for users.

-Steve


* [PATCH V2 2/2] audit: add AUDIT_SESSIONID_SET support
From: Richard Guy Briggs @ 2016-08-02  9:42 UTC (permalink / raw)
  To: linux-audit, linux-kernel; +Cc: Richard Guy Briggs
In-Reply-To: <cover.1470129742.git.rgb@redhat.com>

Add AUDIT_SESSIONID_SET field to indicate the sessionID is set in
filters rather than depending on an in-band signal to indicate it.

https://github.com/linux-audit/audit-kernel/wiki/RFE-Session-ID-User-Filter
RFE Session ID User Filter

https://github.com/linux-audit/audit-kernel/issues/4
RFE: add a session ID filter to the kernel's user filter

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 include/linux/audit.h      |   10 ++++++++++
 include/uapi/linux/audit.h |    1 +
 kernel/auditfilter.c       |    3 +++
 kernel/auditsc.c           |    7 ++++---
 4 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/include/linux/audit.h b/include/linux/audit.h
index 9d4443f..2392442 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -552,6 +552,16 @@ static inline bool audit_loginuid_set(struct task_struct *tsk)
 	return uid_valid(audit_get_loginuid(tsk));
 }
 
+static inline bool sessionid_valid(unsigned int sessionid)
+{
+	return sessionid != (unsigned int) -1;
+}
+
+static inline bool audit_sessionid_set(struct task_struct *tsk)
+{
+	return sessionid_valid(audit_get_sessionid(tsk));
+}
+
 static inline void audit_log_string(struct audit_buffer *ab, const char *buf)
 {
 	audit_log_n_string(ab, buf, strlen(buf));
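Review bot: sessionid_valid() is a bare, unprefixed name in a header included kernel-wide, sitting next to audit_loginuid_set(); name it audit_sessionid_valid() (or fold it into audit_sessionid_set()) and replace the open-coded `(unsigned int) -1` with a named unset constant, so the meaning of the sentinel is recorded where it is defined and the AUDIT_SESSIONID check in auditfilter.c, which relies on this helper, can refer to it by name.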
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index b3140eb..a4048bc 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -253,6 +253,7 @@
 #define AUDIT_OBJ_LEV_HIGH	23
 #define AUDIT_LOGINUID_SET	24
 #define AUDIT_SESSIONID	25	/* Session ID */
+#define AUDIT_SESSIONID_SET	26	/* Session ID set or not */
 
 				/* These are ONLY useful when checking
 				 * at syscall exit time (AUDIT_AT_EXIT). */
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 1c60fcf..47eaaba 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -387,6 +387,7 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
 	case AUDIT_FILTERKEY:
 		break;
 	case AUDIT_LOGINUID_SET:
+	case AUDIT_SESSIONID_SET:
 		if ((f->val != 0) && (f->val != 1))
 			return -EINVAL;
 	/* FALL THROUGH */
@@ -478,6 +479,8 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
 				goto exit_free;
 			break;
 		case AUDIT_SESSIONID:
+			if (!sessionid_valid(f->val))
+				goto exit_free;
 		case AUDIT_ARCH:
 			entry->rule.arch_f = f;
 			break;
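Review bot: the new `if (!sessionid_valid(f->val)) goto exit_free;` still drops into `case AUDIT_ARCH: entry->rule.arch_f = f;`, so a sessionid field is recorded as the rule's architecture field; give AUDIT_SESSIONID its own `break;` (as the plain-value fields have), and if a fall-through were intended it would need a /* fall through */ comment. Rejecting the unset sentinel with -EINVAL here also means a rule written as sessionid=-1 now fails to load instead of being treated as sessionid_set=0; either say so in the commit message or remap it the way commit 041d7b98 (cited in the userspace 3/5 patch) restored the loginuid=-1 ABI.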
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 52f7a61..4df536b 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -447,7 +447,6 @@ static int audit_filter_rules(struct task_struct *tsk,
 	const struct cred *cred;
 	int i, need_sid = 1;
 	u32 sid;
-	unsigned int sessionid;
 
 	cred = rcu_dereference_check(tsk->cred, tsk == current || task_creation);
 
@@ -511,8 +510,7 @@ static int audit_filter_rules(struct task_struct *tsk,
 			result = audit_gid_comparator(cred->fsgid, f->op, f->gid);
 			break;
 		case AUDIT_SESSIONID:
-			sessionid = audit_get_sessionid(current);
-			result = audit_comparator(sessionid, f->op, f->val);
+			result = audit_comparator(audit_get_sessionid(tsk), f->op, f->val);
 			break;
 		case AUDIT_PERS:
 			result = audit_comparator(tsk->personality, f->op, f->val);
@@ -614,6 +612,9 @@ static int audit_filter_rules(struct task_struct *tsk,
 		case AUDIT_LOGINUID_SET:
 			result = audit_comparator(audit_loginuid_set(tsk), f->op, f->val);
 			break;
+		case AUDIT_SESSIONID_SET:
+			result = audit_comparator(audit_sessionid_set(tsk), f->op, f->val);
+			break;
 		case AUDIT_SUBJ_USER:
 		case AUDIT_SUBJ_ROLE:
 		case AUDIT_SUBJ_TYPE:
-- 
1.7.1


* [PATCH V2 1/2] audit: add support for session ID user filter
From: Richard Guy Briggs @ 2016-08-02  9:42 UTC (permalink / raw)
  To: linux-audit, linux-kernel; +Cc: Richard Guy Briggs
In-Reply-To: <cover.1470129742.git.rgb@redhat.com>

Define AUDIT_SESSIONID in the uapi and add support for specifying user
filters based on the session ID.

https://github.com/linux-audit/audit-kernel/issues/4
RFE: add a session ID filter to the kernel's user filter

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 include/uapi/linux/audit.h |    1 +
 kernel/auditfilter.c       |    2 ++
 kernel/auditsc.c           |    5 +++++
 3 files changed, 8 insertions(+), 0 deletions(-)

diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index d820aa9..b3140eb 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -252,6 +252,7 @@
 #define AUDIT_OBJ_LEV_LOW	22
 #define AUDIT_OBJ_LEV_HIGH	23
 #define AUDIT_LOGINUID_SET	24
+#define AUDIT_SESSIONID	25	/* Session ID */
 
 				/* These are ONLY useful when checking
 				 * at syscall exit time (AUDIT_AT_EXIT). */
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 85d9cac..1c60fcf 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -363,6 +363,7 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
 	case AUDIT_EXIT:
 	case AUDIT_SUCCESS:
 	case AUDIT_INODE:
+	case AUDIT_SESSIONID:
 		/* bit ops are only useful on syscall args */
 		if (f->op == Audit_bitmask || f->op == Audit_bittest)
 			return -EINVAL;
@@ -476,6 +477,7 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
 			if (!gid_valid(f->gid))
 				goto exit_free;
 			break;
+		case AUDIT_SESSIONID:
 		case AUDIT_ARCH:
 			entry->rule.arch_f = f;
 			break;
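Review bot: grouping `case AUDIT_SESSIONID:` with `case AUDIT_ARCH:` sets entry->rule.arch_f to the sessionid field, and arch_f is later consulted as the rule's architecture (for example when classifying the signal syscalls in audit_match_signal()), so a rule carrying a sessionid field will be misinterpreted; give AUDIT_SESSIONID its own `break;` instead of sharing the AUDIT_ARCH arm.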
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index c65af21..52f7a61 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -447,6 +447,7 @@ static int audit_filter_rules(struct task_struct *tsk,
 	const struct cred *cred;
 	int i, need_sid = 1;
 	u32 sid;
+	unsigned int sessionid;
 
 	cred = rcu_dereference_check(tsk->cred, tsk == current || task_creation);
 
@@ -509,6 +510,10 @@ static int audit_filter_rules(struct task_struct *tsk,
 		case AUDIT_FSGID:
 			result = audit_gid_comparator(cred->fsgid, f->op, f->gid);
 			break;
+		case AUDIT_SESSIONID:
+			sessionid = audit_get_sessionid(current);
+			result = audit_comparator(sessionid, f->op, f->val);
+			break;
 		case AUDIT_PERS:
 			result = audit_comparator(tsk->personality, f->op, f->val);
 			break;
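Review bot: `audit_get_sessionid(current)` reads the calling task's session id, whereas every other arm of this switch (the cred-based UID/GID comparisons above and `tsk->personality` just below) uses `tsk`, the task being filtered; use audit_get_sessionid(tsk), after which the `sessionid` local added in the previous hunk can go, since the value is used exactly once.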
-- 
1.7.1


* [PATCH V2 0/2] Add support for session ID user filtering
From: Richard Guy Briggs @ 2016-08-02  9:42 UTC (permalink / raw)
  To: linux-audit, linux-kernel; +Cc: Richard Guy Briggs

https://github.com/linux-audit/audit-kernel/wiki/RFE-Session-ID-User-Filter
RFE Session ID User Filter
 
https://github.com/linux-audit/audit-kernel/issues/4
RFE: add a session ID filter to the kernel's user filter

See also the set of userspace support patches:
	Add support for sessionid user filters, sessionid_set and loginuid_set
	https://www.redhat.com/archives/linux-audit/2016-August/msg00005.html
and the test case:
	https://github.com/rgbriggs/audit-testsuite/tree/ghak4-test-for-sessionID-user-filter

Richard Guy Briggs (2):
  audit: add support for session ID user filter
  audit: add AUDIT_SESSIONID_SET support

 include/linux/audit.h      |   10 ++++++++++
 include/uapi/linux/audit.h |    2 ++
 kernel/auditfilter.c       |    5 +++++
 kernel/auditsc.c           |    6 ++++++
 4 files changed, 23 insertions(+), 0 deletions(-)


* [PATCH 5/5] Add support for loginuid_set option for event filtering and searches.
From: Richard Guy Briggs @ 2016-08-02  9:39 UTC (permalink / raw)
  To: linux-audit; +Cc: Richard Guy Briggs
In-Reply-To: <1470130741-31650-1-git-send-email-rgb@redhat.com>

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 trunk/src/aureport-options.c |    1 +
 trunk/src/ausearch-common.h  |    1 +
 trunk/src/ausearch-options.c |   43 +++++++++++++++++++++++++++++++++++++++++-
 trunk/src/ausearch-parse.c   |   16 +++++++-------
 4 files changed, 52 insertions(+), 9 deletions(-)

diff --git a/trunk/src/aureport-options.c b/trunk/src/aureport-options.c
index b15cbb5..a0c78ea 100644
--- a/trunk/src/aureport-options.c
+++ b/trunk/src/aureport-options.c
@@ -44,6 +44,7 @@ int no_config = 0;
 /* These are for compatibility with parser */
 unsigned int event_id = -1;
 uid_t event_uid = -1, event_loginuid = -2, event_euid = -1;
+int event_loginuid_set = -1;
 const char *event_tuid = NULL, *event_teuid = NULL, *event_tauid = NULL;
 gid_t event_gid = -1, event_egid = -1;
 slist *event_node_list = NULL;
diff --git a/trunk/src/ausearch-common.h b/trunk/src/ausearch-common.h
index d60ea5f..cdb51e9 100644
--- a/trunk/src/ausearch-common.h
+++ b/trunk/src/ausearch-common.h
@@ -48,6 +48,7 @@ extern gid_t event_gid, event_egid;
 extern pid_t event_pid;
 extern int event_exact_match;
 extern uid_t event_uid, event_euid, event_loginuid;
+extern int event_loginuid_set;
 extern const char *event_tuid, *event_teuid, *event_tauid;
 slist *event_node_list;
 extern const char *event_comm;
diff --git a/trunk/src/ausearch-options.c b/trunk/src/ausearch-options.c
index f970c76..143a26f 100644
--- a/trunk/src/ausearch-options.c
+++ b/trunk/src/ausearch-options.c
@@ -50,6 +50,7 @@ success_t event_success = S_UNSET;
 int event_exact_match = 0;
 uid_t event_uid = -1, event_euid = -1, event_loginuid = -2;
 const char *event_tuid = NULL, *event_teuid = NULL, *event_tauid = NULL;
+int event_loginuid_set = -1;
 int event_syscall = -1, event_machine = -1;
 int event_ua = 0, event_ga = 0, event_se = 0;
 int just_one = 0;
@@ -84,7 +85,7 @@ struct nv_pair {
 
 enum { S_EVENT, S_COMM, S_FILENAME, S_ALL_GID, S_EFF_GID, S_GID, S_HELP,
 S_HOSTNAME, S_INTERP, S_INFILE, S_MESSAGE_TYPE, S_PID, S_SYSCALL, S_OSUCCESS,
-S_TIME_END, S_TIME_START, S_TERMINAL, S_ALL_UID, S_EFF_UID, S_UID, S_LOGINID,
+S_TIME_END, S_TIME_START, S_TERMINAL, S_ALL_UID, S_EFF_UID, S_UID, S_LOGINID, S_LOGINUID_SET,
 S_VERSION, S_EXACT_MATCH, S_EXECUTABLE, S_CONTEXT, S_SUBJECT, S_OBJECT,
 S_PPID, S_KEY, S_RAW, S_NODE, S_IN_LOGS, S_JUST_ONE, S_SESSION, S_SESSIONID_SET, S_EXIT,
 S_LINEBUFFERED, S_UUID, S_VMNAME, S_DEBUG, S_CHECKPOINT, S_ARCH };
@@ -159,6 +160,7 @@ static struct nv_pair optiontab[] = {
 	{ S_UUID, "--uuid" },
 	{ S_LOGINID, "-ul" },
 	{ S_LOGINID, "--loginuid" },
+	{ S_LOGINUID_SET, "--loginuid_set" },
 	{ S_VERSION, "-v" },
 	{ S_VERSION, "--version" },
 	{ S_VMNAME, "-vm" },
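Review bot: `--loginuid_set` uses an underscore while the multi-word long options in this table and in the usage text below use hyphens (`--uid-effective`, for example); spell it `--loginuid-set` to match ausearch's existing option style (the underscore form could be kept as an alias if symmetry with the auditctl field name matters), and add the option to the ausearch(8) man page alongside the usage string.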
@@ -221,6 +223,7 @@ static void usage(void)
 	"\t-ue,--uid-effective <effective User id>  search based on Effective\n\t\t\t\t\tuser id\n"
 	"\t-ui,--uid <User Id>\t\tsearch based on user id\n"
 	"\t-ul,--loginuid <login id>\tsearch based on the User's Login id\n"
+	"\t--loginuid_set <0/1>\tsearch based on the User's Login id set or unset\n"
 	"\t-uu,--uuid <guest UUID>\t\tsearch for events related to the virtual\n"
 	"\t\t\t\t\tmachine with the given UUID.\n"
 	"\t-v,--version\t\t\tversion\n"
@@ -1107,6 +1110,44 @@ int check_params(int count, char *vars[])
 			}
 			c++;
 			break;
+		case S_LOGINUID_SET:
+			if (!optarg) {
+				if ((c+1 < count) && vars[c+1])
+					optarg = vars[c+1];
+				else {
+					fprintf(stderr,
+						"Argument is required for %s\n",
+						vars[c]);
+					retval = -1;
+					break;
+				}
+			}
+			{
+			size_t len = strlen(optarg);
+                        if (isdigit(optarg[0])) {
+				errno = 0;
+                        	event_loginuid = strtoul(optarg,NULL,10);
+				if (errno) {
+                        		fprintf(stderr, 
+						"Error (%s) converting %s\n",
+						strerror(errno), optarg);
+                                        retval = -1;
+				}
+				if (event_loginuid_set > 1) {
+					fprintf(stderr, 
+					"Loginuid_set must be a boolean value, was %s\n",
+						optarg);
+					retval = -1;
+				}
+                        } else {
+				fprintf(stderr, 
+				"Loginuid_set must be a boolean value, was %s\n",
+					optarg);
+				retval = -1;
+                        }
+			}
+			c++;
+			break;
 		case S_UUID:
 			if (!optarg) {
 				fprintf(stderr,
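Review bot: the value goes into the wrong variable: `event_loginuid = strtoul(optarg,NULL,10);` overwrites the --loginuid search value, while `event_loginuid_set`, the variable the following `> 1` check and the ausearch-parse.c hunks test, is never assigned and stays -1, so the option silently clobbers the loginuid filter and enables nothing; assign event_loginuid_set instead. `size_t len` is unused, the block mixes space and tab indentation, and there is no ausearch-match.c hunk in this patch, so even with the assignment fixed nothing compares event_loginuid_set against the parsed auid (contrast patch 4/5, which adds the match() test for event_session_id_set).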
diff --git a/trunk/src/ausearch-parse.c b/trunk/src/ausearch-parse.c
index c45d54e..a489d25 100644
--- a/trunk/src/ausearch-parse.c
+++ b/trunk/src/ausearch-parse.c
@@ -251,7 +251,7 @@ static int parse_task_info(lnode *n, search_items *s)
 		*term = ' ';
 	}
 	// optionally get loginuid
-	if (event_loginuid != -2 || event_tauid) {
+	if (event_loginuid != -2 || event_tauid || event_loginuid_set != -1) {
 		str = strstr(term, "auid=");
 		if (str == NULL) {
 			str = strstr(term, "loginuid=");
@@ -823,7 +823,7 @@ static int parse_user(const lnode *n, search_items *s)
 		s->tuid = lookup_uid("uid", s->uid);
 	}
 	// optionally get loginuid
-	if (event_loginuid != -2 || event_tauid) {
+	if (event_loginuid != -2 || event_tauid || event_loginuid_set != -1) {
 		*term = ' ';
 		str = strstr(term, "auid=");
 		if (str == NULL) { // Try the older one
@@ -1271,7 +1271,7 @@ static int parse_login(const lnode *n, search_items *s)
 		}
 	}
 	// optionally get loginuid
-	if (event_loginuid != -2 || event_tauid) {
+	if (event_loginuid != -2 || event_tauid || event_loginuid_set != -1) {
 		str = strstr(term, "new auid=");
 		if (str == NULL) {
 			// 3.14 kernel changed it to the next line
@@ -1354,7 +1354,7 @@ static int parse_daemon1(const lnode *n, search_items *s)
 	term = mptr;
 
 	// optionally get auid
-	if (event_loginuid != -2 || event_tauid) {
+	if (event_loginuid != -2 || event_tauid || event_loginuid_set != -1) {
 		str = strstr(mptr, "auid=");
 		if (str == NULL)
 			return 1;
@@ -1613,7 +1613,7 @@ static int parse_integrity(const lnode *n, search_items *s)
 	}
 
 	// optionally get loginuid
-	if (event_loginuid != -2 || event_tauid) {
+	if (event_loginuid != -2 || event_tauid || event_loginuid_set != -1) {
 		str = strstr(n->message, "auid=");
 		if (str) {
 			ptr = str + 5;
@@ -1890,7 +1890,7 @@ static int parse_kernel_anom(const lnode *n, search_items *s)
 	char *str, *ptr, *term = n->message;
 
 	// optionally get loginuid
-	if (event_loginuid != -2 || event_tauid) {
+	if (event_loginuid != -2 || event_tauid || event_loginuid_set != -1) {
 		str = strstr(term, "auid=");
 		if (str == NULL)
 			return 1;
@@ -2078,7 +2078,7 @@ static int parse_simple_message(const lnode *n, search_items *s)
 	char *str, *ptr, *term = n->message;
 
 	// optionally get loginuid - old kernels skip auid for CONFIG_CHANGE
-	if (event_loginuid != -2 || event_tauid) {
+	if (event_loginuid != -2 || event_tauid || event_loginuid_set != -1) {
 		str = strstr(term, "auid=");
 		if (str == NULL && n->type != AUDIT_CONFIG_CHANGE)
 			return 1;
@@ -2257,7 +2257,7 @@ static int parse_tty(const lnode *n, search_items *s)
 	}
 
 	// optionally get loginuid
-	if (event_loginuid != -2 || event_tauid) {
+	if (event_loginuid != -2 || event_tauid || event_loginuid_set != -1) {
 		str = strstr(term, "auid=");
 		if (str == NULL)
 			return 5;
-- 
1.7.1


* [PATCH 4/5] Add sessionid_set option to ausearch and aureport
From: Richard Guy Briggs @ 2016-08-02  9:39 UTC (permalink / raw)
  To: linux-audit; +Cc: Richard Guy Briggs
In-Reply-To: <1470130741-31650-1-git-send-email-rgb@redhat.com>

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 trunk/src/aureport-options.c |    3 ++-
 trunk/src/ausearch-match.c   |    3 +++
 trunk/src/ausearch-options.c |   42 +++++++++++++++++++++++++++++++++++++++++-
 trunk/src/ausearch-options.h |    1 +
 trunk/src/ausearch-parse.c   |   14 +++++++-------
 5 files changed, 54 insertions(+), 9 deletions(-)

diff --git a/trunk/src/aureport-options.c b/trunk/src/aureport-options.c
index 9a0fc18..b15cbb5 100644
--- a/trunk/src/aureport-options.c
+++ b/trunk/src/aureport-options.c
@@ -59,7 +59,7 @@ const char *event_uuid = NULL;
 const char *event_vmname = NULL;
 long long event_exit = 0;
 int event_exit_is_set = 0;
-int event_ppid = -1, event_session_id = -2;
+int event_ppid = -1, event_session_id = -2, event_session_id_set = -1;
 int event_debug = 0, event_machine = -1;
 
 /* These are used by aureport */
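Review bot: `event_session_id_set` is defined here as `int` but declared `extern uint32_t` in ausearch-options.h (and defined as uint32_t in ausearch-options.c), and ausearch-parse.c, which both binaries share, picks up the uint32_t declaration, so the parser and this definition disagree on the object's type. A tri-state -1/0/1 flag wants `int` everywhere; change the ausearch declarations rather than this one.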
@@ -565,6 +565,7 @@ int check_params(int count, char *vars[])
 			else {
 				set_detail(D_DETAILED);
 				event_session_id = 1;
+				event_session_id_set = 1;
 				event_loginuid = 1;
 				event_tauid = dummy;
 				event_terminal = dummy;
diff --git a/trunk/src/ausearch-match.c b/trunk/src/ausearch-match.c
index ec8a582..bff7e24 100644
--- a/trunk/src/ausearch-match.c
+++ b/trunk/src/ausearch-match.c
@@ -112,6 +112,9 @@ int match(llist *l)
 				if ((event_session_id != -2) &&
 					(event_session_id != l->s.session_id))
 					return 0;
+				if ((event_session_id_set != -1) &&
+					(event_session_id_set != (l->s.session_id != -1)))
+					return 0;
 				if (event_exit_is_set) {
 					if (l->s.exit_is_set == 0)
 						return 0;
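Review bot: `(l->s.session_id != -1)` classifies a record as "session set" whenever the parsed value is not the 4294967295 sentinel, including the case where no ses= field was present and session_id still holds whatever the search_items initialiser gave it; unless that initial value is also -1, `--sessionid_set 0` will miss, and `--sessionid_set 1` will wrongly match, records that carry no session field at all. Either confirm the initial value or have the parser record "ses seen" explicitly. The comparison also pits a uint32_t event_session_id_set against an int boolean; it works for 0/1 but is another reason to make the flag int.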
diff --git a/trunk/src/ausearch-options.c b/trunk/src/ausearch-options.c
index 521748d..f970c76 100644
--- a/trunk/src/ausearch-options.c
+++ b/trunk/src/ausearch-options.c
@@ -54,6 +54,7 @@ int event_syscall = -1, event_machine = -1;
 int event_ua = 0, event_ga = 0, event_se = 0;
 int just_one = 0;
 uint32_t event_session_id = -2;
+uint32_t event_session_id_set = -1;
 long long event_exit = 0;
 int event_exit_is_set = 0;
 int line_buffered = 0;
@@ -85,7 +86,7 @@ enum { S_EVENT, S_COMM, S_FILENAME, S_ALL_GID, S_EFF_GID, S_GID, S_HELP,
 S_HOSTNAME, S_INTERP, S_INFILE, S_MESSAGE_TYPE, S_PID, S_SYSCALL, S_OSUCCESS,
 S_TIME_END, S_TIME_START, S_TERMINAL, S_ALL_UID, S_EFF_UID, S_UID, S_LOGINID,
 S_VERSION, S_EXACT_MATCH, S_EXECUTABLE, S_CONTEXT, S_SUBJECT, S_OBJECT,
-S_PPID, S_KEY, S_RAW, S_NODE, S_IN_LOGS, S_JUST_ONE, S_SESSION, S_EXIT,
+S_PPID, S_KEY, S_RAW, S_NODE, S_IN_LOGS, S_JUST_ONE, S_SESSION, S_SESSIONID_SET, S_EXIT,
 S_LINEBUFFERED, S_UUID, S_VMNAME, S_DEBUG, S_CHECKPOINT, S_ARCH };
 
 static struct nv_pair optiontab[] = {
@@ -137,6 +138,7 @@ static struct nv_pair optiontab[] = {
 	{ S_CONTEXT, "-se" },
 	{ S_CONTEXT, "--context" },
 	{ S_SESSION, "--session" },
+	{ S_SESSIONID_SET, "--sessionid_set" },
 	{ S_SUBJECT, "-su" },
 	{ S_SUBJECT, "--subject" },
 	{ S_OSUCCESS, "-sv" },
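Review bot: `--sessionid_set` breaks the hyphenated long-option convention ausearch already uses (`--uid-effective` in the usage text of patch 5/5) and is not the kernel field name either, which is `sessionid_set` without the leading `--session` prefix the existing option uses; `--session-set` would fit the table, with the underscore spelling as an alias if wanted, and the new option needs an ausearch(8) man page entry.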
@@ -209,6 +211,7 @@ static void usage(void)
 	"\t-sc,--syscall <SysCall name>\tsearch based on syscall name or number\n"
 	"\t-se,--context <SE Linux context> search based on either subject or\n\t\t\t\t\t object\n"
 	"\t--session <login session id>\tsearch based on login session id\n"
+	"\t--sessionid_set <0/1>\tsearch based on login session id set or unset\n"
 	"\t-su,--subject <SE Linux context> search based on context of the Subject\n"
 	"\t-sv,--success <Success Value>\tsearch based on syscall or event\n\t\t\t\t\tsuccess value\n"
 	"\t-te,--end [end date] [end time]\tending date & time for search\n"
@@ -767,6 +770,43 @@ int check_params(int count, char *vars[])
 			}
 			}
 			break;
+		case S_SESSIONID_SET:
+			if (!optarg) {
+				if ((c+1 < count) && vars[c+1])
+					optarg = vars[c+1];
+				else {
+					fprintf(stderr,
+						"Argument is required for %s\n",
+						vars[c]);
+					retval = -1;
+					break;
+				}
+			}
+			{ 
+			size_t len = strlen(optarg);
+			if (isdigit(optarg[0])) {
+				errno = 0;
+				event_session_id_set = strtoul(optarg,NULL,10);
+				if (errno) {
+					fprintf(stderr, "Error converting %s\n",
+						optarg);
+					retval = -1;
+				}
+				if (event_session_id_set > 1) {
+					fprintf(stderr, 
+					"Session id set must be a boolean value, was %s\n",
+						optarg);
+					retval = -1;
+				}
+				c++;
+                        } else {
+				fprintf(stderr, 
+				"Session id must be a boolean value, was %s\n",
+					optarg);
+				retval = -1;
+			}
+			}
+			break;
 		case S_EXIT:
 			if (!optarg) {
 				if ((c+1 < count) && vars[c+1])
diff --git a/trunk/src/ausearch-options.h b/trunk/src/ausearch-options.h
index 1372762..947f5d6 100644
--- a/trunk/src/ausearch-options.h
+++ b/trunk/src/ausearch-options.h
@@ -40,6 +40,7 @@ extern int line_buffered;
 extern int event_debug;
 extern pid_t event_ppid;
 extern uint32_t event_session_id;
+extern uint32_t event_session_id_set;
 extern ilist *event_type;
 
 /* Data type to govern output format */
diff --git a/trunk/src/ausearch-parse.c b/trunk/src/ausearch-parse.c
index 3047925..c45d54e 100644
--- a/trunk/src/ausearch-parse.c
+++ b/trunk/src/ausearch-parse.c
@@ -357,7 +357,7 @@ static int parse_task_info(lnode *n, search_items *s)
 		}
 	}
 	// ses
-	if (event_session_id != -2 ) {
+	if (event_session_id != -2 || event_session_id_set != -1) {
 		str = strstr(term, "ses=");
 		if (str) {
 			ptr = str + 4;
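Review bot: `event_session_id != -2 || event_session_id_set != -1` is now repeated in seven parse_* functions (and patch 5/5 repeats the loginuid equivalent another eight times); a static inline want_session()/want_loginuid() predicate at the top of ausearch-parse.c would keep the conditions from drifting the next time an option is added.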
@@ -845,7 +845,7 @@ static int parse_user(const lnode *n, search_items *s)
 		s->tauid = lookup_uid("auid", s->loginuid);
 	}
 	// ses
-	if (event_session_id != -2 ) {
+	if (event_session_id != -2 || event_session_id_set != -1) {
 		str = strstr(term, "ses=");
 		if (str) {
 			ptr = str + 4;
@@ -1317,7 +1317,7 @@ static int parse_login(const lnode *n, search_items *s)
 			s->success = S_SUCCESS; 
 	}
 	// ses
-	if (event_session_id != -2 ) {
+	if (event_session_id != -2 || event_session_id_set != -1) {
 		if (term == NULL)
 			term = n->message;
 		str = strstr(term, "new ses=");
@@ -1631,7 +1631,7 @@ static int parse_integrity(const lnode *n, search_items *s)
 	}
 
 	// ses
-	if (event_session_id != -2 ) {
+	if (event_session_id != -2 || event_session_id_set != -1) {
 		str = strstr(term, "ses=");
 		if (str) {
 			ptr = str + 4;
@@ -1944,7 +1944,7 @@ static int parse_kernel_anom(const lnode *n, search_items *s)
 		}
 	}
 
-	if (event_session_id != -2) {
+	if (event_session_id != -2 || event_session_id_set != -1) {
 		str = strstr(term, "ses=");
 		if (str) {
 			ptr = str + 4;
@@ -2100,7 +2100,7 @@ static int parse_simple_message(const lnode *n, search_items *s)
 	}
 
 	// ses
-	if (event_session_id != -2 ) {
+	if (event_session_id != -2 || event_session_id_set != -1) {
 		str = strstr(term, "ses=");
 		if (str) {
 			ptr = str + 4;
@@ -2277,7 +2277,7 @@ static int parse_tty(const lnode *n, search_items *s)
 	}
 
 	// ses
-	if (event_session_id != -2 ) {
+	if (event_session_id != -2 || event_session_id_set != -1) {
 		str = strstr(term, "ses=");
 		if (str) {
 			ptr = str + 4;
-- 
1.7.1


* [PATCH 3/5] Add user filter option loginuid_set from uapi macro AUDIT_LOGINUID_SET
From: Richard Guy Briggs @ 2016-08-02  9:38 UTC (permalink / raw)
  To: linux-audit; +Cc: Richard Guy Briggs
In-Reply-To: <1470130741-31650-1-git-send-email-rgb@redhat.com>

See upstream kernel commits:
	780a7654cee8d61819512385e778e4827db4bfbc (3.10.rc1)
		(audit: Make testing for a valid loginuid explicit.)
	041d7b98ffe59c59fdd639931dea7d74f9aa9a59 (3.19.rc2)
		(audit: restore AUDIT_LOGINUID unset ABI)

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 trunk/lib/fieldtab.h |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/trunk/lib/fieldtab.h b/trunk/lib/fieldtab.h
index b7b9f51..eeb951e 100644
--- a/trunk/lib/fieldtab.h
+++ b/trunk/lib/fieldtab.h
@@ -31,6 +31,8 @@ _S(AUDIT_SGID,         "sgid"         )
 _S(AUDIT_FSGID,        "fsgid"        )
 _S(AUDIT_LOGINUID,     "auid"         )
 _S(AUDIT_LOGINUID,     "loginuid"     )
+_S(AUDIT_LOGINUID_SET, "auid_set"     )
+_S(AUDIT_LOGINUID_SET, "loginuid_set" )
 _S(AUDIT_SESSIONID,    "sessionid"    )
 _S(AUDIT_SESSIONID_SET,"sessionid_set")
 _S(AUDIT_PERS,         "pers"         )
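Review bot: with `auid_set` and `loginuid_set` both mapping to AUDIT_LOGINUID_SET, the id-to-name lookup returns whichever entry comes first (`auid_set`), mirroring the existing auid/loginuid pair, which is fine; what is missing is documentation: the auditctl(8) man page's -F field list does not gain the new names, and the commit message should state the accepted value syntax (0 or 1).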
-- 
1.7.1


* [PATCH 2/5] Add sessionid_set option from kernel uapi macro AUDIT_SESSIONID_SET
From: Richard Guy Briggs @ 2016-08-02  9:38 UTC (permalink / raw)
  To: linux-audit; +Cc: Richard Guy Briggs
In-Reply-To: <1470130741-31650-1-git-send-email-rgb@redhat.com>

Add sessionid_set field option from kernel uapi macro SESSIONID_SET to
enable specifying that sessionID is set or not in user filters.

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 trunk/lib/fieldtab.h |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/trunk/lib/fieldtab.h b/trunk/lib/fieldtab.h
index 88cf8ea..b7b9f51 100644
--- a/trunk/lib/fieldtab.h
+++ b/trunk/lib/fieldtab.h
@@ -32,6 +32,7 @@ _S(AUDIT_FSGID,        "fsgid"        )
 _S(AUDIT_LOGINUID,     "auid"         )
 _S(AUDIT_LOGINUID,     "loginuid"     )
 _S(AUDIT_SESSIONID,    "sessionid"    )
+_S(AUDIT_SESSIONID_SET,"sessionid_set")
 _S(AUDIT_PERS,         "pers"         )
 _S(AUDIT_ARCH,         "arch"         )
 _S(AUDIT_MSGTYPE,      "msgtype"      )
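Review bot: AUDIT_SESSIONID_SET is referenced here but defined only in the kernel patch posted alongside; unless lib/libaudit.h already carries a guarded `#ifndef AUDIT_SESSIONID_SET` fallback as it does for other recently added uapi values, this will not compile against any released kernel's headers. The commit message also calls the macro SESSIONID_SET; it is AUDIT_SESSIONID_SET.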
-- 
1.7.1


* [PATCH 1/5] Add userspace support for session ID user filter.
From: Richard Guy Briggs @ 2016-08-02  9:38 UTC (permalink / raw)
  To: linux-audit; +Cc: Richard Guy Briggs
In-Reply-To: <1470130741-31650-1-git-send-email-rgb@redhat.com>

Add support for the session ID user filter by adding the field name
"sessionid" using the kernel defined macro value AUDIT_SESSIONID.

https://github.com/linux-audit/audit-kernel/issues/4
RFE: add a session ID filter to the kernel's user filter

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 trunk/lib/fieldtab.h |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/trunk/lib/fieldtab.h b/trunk/lib/fieldtab.h
index bf48c95..88cf8ea 100644
--- a/trunk/lib/fieldtab.h
+++ b/trunk/lib/fieldtab.h
@@ -31,6 +31,7 @@ _S(AUDIT_SGID,         "sgid"         )
 _S(AUDIT_FSGID,        "fsgid"        )
 _S(AUDIT_LOGINUID,     "auid"         )
 _S(AUDIT_LOGINUID,     "loginuid"     )
+_S(AUDIT_SESSIONID,    "sessionid"    )
 _S(AUDIT_PERS,         "pers"         )
 _S(AUDIT_ARCH,         "arch"         )
 _S(AUDIT_MSGTYPE,      "msgtype"      )
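Review bot: this builds only if AUDIT_SESSIONID (25) is visible from the kernel headers, which at the time of posting requires the matching kernel RFE patch; add a guarded `#define AUDIT_SESSIONID 25` fallback in lib/libaudit.h so the userspace tree keeps building against older headers, and document the new `-F sessionid=` field in auditctl(8). Worth stating in the commit message, too, that because the kernel side (V2 2/2) rejects the unset sentinel as a sessionid value, "unset" is expressible only through the sessionid_set field added in 2/5.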
-- 
1.7.1


* [PATCH 0/5] Add support for sessionid user filters, sessionid_set and loginuid_set
From: Richard Guy Briggs @ 2016-08-02  9:38 UTC (permalink / raw)
  To: linux-audit; +Cc: Richard Guy Briggs

Add support for sessionid, sessionid_set (first two patches) and
loginuid_set (and auid_set) (third patch) in user filters.  The first
two are directly related to issue "ghak4":
	https://github.com/linux-audit/audit-kernel/issues/4
	https://github.com/linux-audit/audit-kernel/wiki/RFE-Session-ID-User-Filter

The third is to support a kernel change from 3.10 and 3.19 to avoid
using in-band values to indicate the loginuid is unset.

The last two patches are to add unset flags to sessionid and loginuid
for ausearch and aureport.  These two patches are extras and not
required for basic support.

Richard Guy Briggs (5):
  Add userspace support for session ID user filter.
  Add sessionid_set option from kernel uapi macro AUDIT_SESSIONID_SET
  Add user filter option loginuid_set from uapi macro AUDIT_LOGINUID_SET
  Add sessionid_set option to ausearch and aureport
  Add support for loginuid_set option for event filtering and searches.

 trunk/lib/fieldtab.h         |    4 ++
 trunk/src/aureport-options.c |    4 +-
 trunk/src/ausearch-common.h  |    1 +
 trunk/src/ausearch-match.c   |    3 +
 trunk/src/ausearch-options.c |   85 +++++++++++++++++++++++++++++++++++++++++-
 trunk/src/ausearch-options.h |    1 +
 trunk/src/ausearch-parse.c   |   30 +++++++-------
 7 files changed, 110 insertions(+), 18 deletions(-)


* [PATCH] Ignore tags and cscope output files.
From: Richard Guy Briggs @ 2016-08-02  8:31 UTC (permalink / raw)
  To: linux-audit; +Cc: Richard Guy Briggs

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 trunk/.gitignore |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/trunk/.gitignore b/trunk/.gitignore
index ec0aa96..ba296d3 100644
--- a/trunk/.gitignore
+++ b/trunk/.gitignore
@@ -7,7 +7,9 @@ gen_*_h
 INSTALL
 Makefile
 Makefile.in
+tags
 TAGS
+cscope.*
 /aclocal.m4
 /autom4te.cache
 /audit*.tar.gz
-- 
1.7.1


