* Re: [PATCH] security: lsm_audit: print pid and tid
From: Richard Guy Briggs @ 2016-08-18 5:56 UTC
To: Paul Moore; +Cc: Jeff Vander Stoep, selinux, linux-audit
In-Reply-To: <CAHC9VhS=odoi8NFFGP36VAMcL_Gbbin+0pyTj-MNcsPZKit0GQ@mail.gmail.com>
On 2016-08-17 16:58, Paul Moore wrote:
> On Tue, Jul 26, 2016 at 10:54 AM, Jeff Vander Stoep <jeffv@google.com> wrote:
> > dump_common_audit_data() currently contains a field for pid, but the
> > value printed is actually the thread ID, tid. Update this value to
> > return the task group ID. Add a new field for tid. With this change
> > the values printed by audit now match the values returned by the
> > getpid() and gettid() syscalls.
> >
> > Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
> > ---
> > security/lsm_audit.c | 7 +++++--
> > 1 file changed, 5 insertions(+), 2 deletions(-)
>
> Hi Jeff,
>
> Have you tested this against the audit-testsuite[1]? We don't have an
> explicit PID test yet, but at least two of the tests do test it as a
> side effect.
>
> Steve, I don't see the thread ID listed in the field dictionary, are
> you okay with using "tid" for this?
There is some naming confusion between userspace and kernel space with
pid vs. tid vs. tgid...
> However, as far as I can see, the biggest problem with this patch is
> that it adds a field in the middle of a record which will likely cause
> the audit userspace tools to explode (or so I've been warned in the
> past). Steve, what say you about the userspace?
Adding fields in the middle isn't necessarily a problem if it doesn't
confuse the existing scanner, which can skip over fields about which it
does not care. I've carefully added fields in the middle in the past,
trying my best to group it logically with the rest of the information as
has been requested, I think: subject, action, object, result.
> [1] https://github.com/linux-audit/audit-testsuite
> [2] https://github.com/linux-audit/audit-documentation/blob/master/specs/fields/field-dictionary.csv
>
> > diff --git a/security/lsm_audit.c b/security/lsm_audit.c
> > index cccbf30..57f26c1 100644
> > --- a/security/lsm_audit.c
> > +++ b/security/lsm_audit.c
> > @@ -220,7 +220,8 @@ static void dump_common_audit_data(struct audit_buffer *ab,
> > */
> > BUILD_BUG_ON(sizeof(a->u) > sizeof(void *)*2);
> >
> > - audit_log_format(ab, " pid=%d comm=", task_pid_nr(current));
> > + audit_log_format(ab, " pid=%d tid=%d comm=", task_tgid_vnr(tsk),
> > + task_pid_vnr(tsk));
> > audit_log_untrustedstring(ab, memcpy(comm, current->comm, sizeof(comm)));
> >
> > switch (a->type) {
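Review bot: `tsk` is not in scope at this point of dump_common_audit_data(): the untouched line right below still reads `current->comm`, and the only `tsk` in this patch is the local declared inside `case LSM_AUDIT_DATA_TASK` in the next hunk, so unless the function has a function-level `tsk` not shown here this does not compile; use `task_tgid_vnr(current), task_pid_vnr(current)`. The move from `task_pid_nr()` to the `_vnr()` helpers also changes the PID namespace the numbers are reported in (the caller's instead of the initial one), which the commit message does not mention; either keep the `_nr()` variants or say so explicitly.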
> > @@ -294,10 +295,12 @@ static void dump_common_audit_data(struct audit_buffer *ab,
> > case LSM_AUDIT_DATA_TASK: {
> > struct task_struct *tsk = a->u.tsk;
> > if (tsk) {
> > - pid_t pid = task_pid_nr(tsk);
> > + pid_t pid = task_tgid_vnr(tsk);
> > if (pid) {
> > char comm[sizeof(tsk->comm)];
> > audit_log_format(ab, " opid=%d ocomm=", pid);
> > + audit_log_format(ab, " opid=%d otid=%d ocomm=",
> > + pid, task_pid_vnr(tsk));
> > audit_log_untrustedstring(ab,
> > memcpy(comm, tsk->comm, sizeof(comm)));
> > }
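Review bot: the old `audit_log_format(ab, " opid=%d ocomm=", pid);` is kept as context rather than removed, so the record now reads ` opid=N ocomm= opid=N otid=M ocomm=` followed by one comm string; that line needs a `-`. The same `_nr()` to `_vnr()` namespace change as in the first hunk applies to `task_tgid_vnr(tsk)` here.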
- RGB
--
Richard Guy Briggs <rgb@redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
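The two replies above turn on what a userspace audit scanner has to tolerate: a new `tid=` inserted between `pid=` and `comm=`, and fields it has never heard of. The Python below is an added example written for this page, not code from the audit userspace or from anyone in the thread. It parses an AVC record by field name, skips tokens that are not `key=value`, decodes the kernel's untrusted-string encoding only for fields known to carry strings (so `pid=1234` is never mistaken for hex), and falls back to tid = pid for records from kernels that predate the new field. The two records at the bottom are constructed for the example.

```python
"""Tolerant scanner for Linux audit records (added example, not audit userspace code).

A record is "type=T msg=audit(SECS.MSEC:SERIAL): " followed by key=value fields.
A scanner that keys on field names and skips what it does not know is unaffected
by a tid= (or otid=) field appearing in the middle of the record.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple

# Header written by audit_log_start(); the seconds field is read with arbitrary
# width, so a 64-bit (post-2038) value parses exactly like a 32-bit one.
HEADER_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<secs>\d+)\.(?P<msec>\d{1,3}):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
# key=value, where value is either double quoted or a run of non-blank characters.
# Tokens such as 'avc:', 'denied', '{ read }' or 'for' contain no '=' and are skipped.
FIELD_RE = re.compile(r'(?P<key>[A-Za-z0-9_-]+)=(?P<val>"[^"]*"|\S+)')
HEX_RE = re.compile(r"^(?:[0-9A-F]{2})+$")

# Fields the kernel emits through audit_log_untrustedstring(): the value is quoted,
# or, if it contained a quote, a blank or a non-printable byte, upper-case hex with
# no quotes.  Only these are ever hex-decoded; a numeric field such as pid=1234
# must not be read as the bytes 0x12 0x34.  (Assumed list, trimmed for the example.)
UNTRUSTED_STRING_FIELDS = frozenset(
    {"comm", "ocomm", "name", "exe", "cwd", "path", "proctitle", "tglob", "sglob"}
)


@dataclass
class AuditRecord:
    type: str
    timestamp: datetime
    serial: int
    fields: Dict[str, str]  # raw field values, in record order

    def string(self, key: str) -> Optional[str]:
        """Decoded value of an untrusted-string field, or the raw value otherwise."""
        raw = self.fields.get(key)
        if raw is None:
            return None
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            return raw[1:-1]
        if key in UNTRUSTED_STRING_FIELDS and HEX_RE.match(raw):
            return bytes.fromhex(raw).decode("utf-8", errors="replace")
        return raw

    def subject_ids(self) -> Tuple[int, int]:
        """(pid, tid) of the subject.  Records from kernels without the tid= field
        carry only pid= (which, as the patch notes, was really the thread id); it is
        reported for both so callers have a single code path."""
        pid = int(self.fields["pid"])
        return pid, int(self.fields.get("tid", pid))


def parse_record(line: str) -> AuditRecord:
    m = HEADER_RE.match(line.strip())
    if m is None:
        raise ValueError("not an audit record: %r" % line)
    secs, msec = int(m.group("secs")), int(m.group("msec"))
    ts = datetime.fromtimestamp(secs, tz=timezone.utc).replace(microsecond=msec * 1000)
    fields: Dict[str, str] = {}
    for f in FIELD_RE.finditer(m.group("body")):
        fields.setdefault(f.group("key"), f.group("val"))  # first occurrence wins
    return AuditRecord(m.group("type"), ts, int(m.group("serial")), fields)


# Constructed samples: the same denial with and without tid=.  name= is hex encoded
# in the first record because the file name ("file with space") contains a blank.
SAMPLE_WITH_TID = (
    "type=AVC msg=audit(1471128518.123:456): avc:  denied  { read } for  "
    'pid=1234 tid=1240 comm="worker" name=66696C652077697468207370616365 dev="sda1" ino=98765 '
    "scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0"
)
SAMPLE_WITHOUT_TID = (
    "type=AVC msg=audit(1471128518.123:457): avc:  denied  { read } for  "
    'pid=4321 comm="worker" name="passwd" dev="sda1" ino=98765 '
    "scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0"
)

if __name__ == "__main__":
    for line in (SAMPLE_WITH_TID, SAMPLE_WITHOUT_TID):
        rec = parse_record(line)
        print(rec.timestamp.isoformat(), rec.serial, rec.subject_ids(),
              rec.string("comm"), rec.string("name"))
```

The decision to hex-decode only by field type, never by shape, is the point a practitioner should take away: ausearch works the same way, and a scanner that decoded any even-length run of hex digits would silently corrupt `pid=`, `ino=` and similar numeric fields.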
* Re: [PATCH] security: lsm_audit: print pid and tid
From: Paul Moore @ 2016-08-17 20:58 UTC
To: Jeff Vander Stoep, sgrubb; +Cc: linux-audit, selinux
In-Reply-To: <1469544870-11574-1-git-send-email-jeffv@google.com>
On Tue, Jul 26, 2016 at 10:54 AM, Jeff Vander Stoep <jeffv@google.com> wrote:
> dump_common_audit_data() currently contains a field for pid, but the
> value printed is actually the thread ID, tid. Update this value to
> return the task group ID. Add a new field for tid. With this change
> the values printed by audit now match the values returned by the
> getpid() and gettid() syscalls.
>
> Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
> ---
> security/lsm_audit.c | 7 +++++--
> 1 file changed, 5 insertions(+), 2 deletions(-)
Hi Jeff,
Have you tested this against the audit-testsuite[1]? We don't have an
explicit PID test yet, but at least two of the tests do test it as a
side effect.
Steve, I don't see the thread ID listed in the field dictionary, are
you okay with using "tid" for this?
However, as far as I can see, the biggest problem with this patch is
that it adds a field in the middle of a record which will likely cause
the audit userspace tools to explode (or so I've been warned in the
past). Steve, what say you about the userspace?
[1] https://github.com/linux-audit/audit-testsuite
[2] https://github.com/linux-audit/audit-documentation/blob/master/specs/fields/field-dictionary.csv
> diff --git a/security/lsm_audit.c b/security/lsm_audit.c
> index cccbf30..57f26c1 100644
> --- a/security/lsm_audit.c
> +++ b/security/lsm_audit.c
> @@ -220,7 +220,8 @@ static void dump_common_audit_data(struct audit_buffer *ab,
> */
> BUILD_BUG_ON(sizeof(a->u) > sizeof(void *)*2);
>
> - audit_log_format(ab, " pid=%d comm=", task_pid_nr(current));
> + audit_log_format(ab, " pid=%d tid=%d comm=", task_tgid_vnr(tsk),
> + task_pid_vnr(tsk));
> audit_log_untrustedstring(ab, memcpy(comm, current->comm, sizeof(comm)));
>
> switch (a->type) {
> @@ -294,10 +295,12 @@ static void dump_common_audit_data(struct audit_buffer *ab,
> case LSM_AUDIT_DATA_TASK: {
> struct task_struct *tsk = a->u.tsk;
> if (tsk) {
> - pid_t pid = task_pid_nr(tsk);
> + pid_t pid = task_tgid_vnr(tsk);
> if (pid) {
> char comm[sizeof(tsk->comm)];
> audit_log_format(ab, " opid=%d ocomm=", pid);
> + audit_log_format(ab, " opid=%d otid=%d ocomm=",
> + pid, task_pid_vnr(tsk));
> audit_log_untrustedstring(ab,
> memcpy(comm, tsk->comm, sizeof(comm)));
> }
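Review bot: the original `audit_log_format(ab, " opid=%d ocomm=", pid);` is left in place as context instead of being removed, so with this hunk applied the record reads ` opid=N ocomm= opid=N otid=M ocomm=` followed by a single comm string; the old call needs a `-` line (the diffstat's 2 deletions confirms it was not removed). The same `_nr()` to `_vnr()` namespace change as in the first hunk applies to `task_tgid_vnr(tsk)` here.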
--
paul moore
www.paul-moore.com
* Re: [PATCH] semanage: add auditing of changes in records
From: Stephen Smalley @ 2016-08-17 18:50 UTC
To: Miroslav Vadkerti, selinux-+05T5uksL2qpZYMLLGbcSA
Cc: linux-audit-H+wXaHxf7aLQT0dZR+AlfA
In-Reply-To: <1469546125-19448-1-git-send-email-mvadkert-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
On 07/26/2016 11:15 AM, Miroslav Vadkerti wrote:
> Common Criteria requirement FMT_MSA.1 needs any configuration change
> that affects enforcement of policy to be audited. This patch adds
> auditing of changes in security context mappings for network ports,
> interfaces, nodes and file contexts.
>
> A new function log_change is introduced that audits additions,
> modifications and removals of the mappings via the USER_MAC_CONFIG_CHANGE
> audit event.
>
> The format of the audit events was discussed with the audit userspace
> maintainer.
This broke semanage fcontext -D.
#semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
#semanage fcontext -D
KeyError: all files
>
> This patch resolves: https://bugzilla.redhat.com/show_bug.cgi?id=829175
>
> Signed-off-by: Miroslav Vadkerti <mvadkert-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
> ---
> policycoreutils/semanage/seobject.py | 75 ++++++++++++++++++++++++++++++++++++
> 1 file changed, 75 insertions(+)
>
> diff --git a/policycoreutils/semanage/seobject.py b/policycoreutils/semanage/seobject.py
> index 3b0b108..7d6caa3 100644
> --- a/policycoreutils/semanage/seobject.py
> +++ b/policycoreutils/semanage/seobject.py
> @@ -82,6 +82,21 @@ file_type_str_to_option = {"all files": "a",
> "socket file": "s",
> "symbolic link": "l",
> "named pipe": "p"}
> +
> +proto_to_audit = {"tcp": 17,
> + "udp": 6,
> + "ipv4": 4,
> + "ipv6": 41}
> +
> +ftype_to_audit = {"": "any",
> + "b": "block",
> + "c": "char",
> + "d": "dir",
> + "f": "file",
> + "l": "symlink",
> + "p": "pipe",
> + "s": "socket"}
> +
> try:
> import audit
>
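Review bot: `proto_to_audit` has the TCP and UDP numbers swapped: the IANA protocol number for TCP is 6 and for UDP is 17, so every port record this patch emits carries the wrong `proto=`. The ipv4 (4) and ipv6 (41) values are the IP protocol numbers of IP-in-IP and IPv6 encapsulation, not address families, so confirm that is what the consumer of `proto=` on node records expects. `ftype_to_audit` also lacks an `"a"` key even though `file_type_str_to_option` directly above maps "all files" to "a", so a file type expressed as "a" raises KeyError in the lookups added further down; add `"a": "any"`.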
> @@ -90,6 +105,7 @@ try:
> def __init__(self):
> self.audit_fd = audit.audit_open()
> self.log_list = []
> + self.log_change_list = []
>
> def log(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""):
>
> @@ -109,10 +125,17 @@ try:
> def log_remove(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""):
> self.log_list.append([self.audit_fd, audit.AUDIT_ROLE_REMOVE, sys.argv[0], str(msg), name, 0, sename, serole, serange, oldsename, oldserole, oldserange, "", "", ""])
>
> + def log_change(self, msg):
> + self.log_change_list.append([self.audit_fd, audit.AUDIT_USER_MAC_CONFIG_CHANGE, str(msg), "semanage", "", "", ""])
> +
> def commit(self, success):
> for l in self.log_list:
> audit.audit_log_semanage_message(*(l + [success]))
> + for l in self.log_change_list:
> + audit.audit_log_user_comm_message(*(l + [success]))
> +
> self.log_list = []
> + self.log_change_list = []
> except:
> class logger:
>
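Review bot: `log_change()` passes "" for the hostname, addr and tty arguments of audit_log_user_comm_message(); libaudit documents that a NULL tty (None from Python) is looked up by the library, so with "" the record will not identify the administrator's terminal. Pass None for the three unless suppressing the lookup is intended.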
> @@ -138,6 +161,9 @@ except:
> def log_remove(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""):
> self.log(msg, name, sename, serole, serange, oldsename, oldserole, oldserange)
>
> + def log_change(self, msg):
> + self.log_list.append(" %s" % msg)
> +
> def commit(self, success):
> if success == 1:
> message = "Successful: "
> @@ -155,6 +181,9 @@ class nulllogger:
> def log_remove(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""):
> pass
>
> + def log_change(self, msg):
> + pass
> +
> def commit(self, success):
> pass
>
> @@ -1109,6 +1138,8 @@ class portRecords(semanageRecords):
> semanage_port_key_free(k)
> semanage_port_free(p)
>
> + self.mylog.log_change("resrc=port op=add lport=%s proto=%s tcontext=%s:%s:%s:%s" % (port, proto_to_audit[proto], "system_u", "object_r", type, serange))
> +
> def add(self, port, proto, serange, type):
> self.begin()
> self.__add(port, proto, serange, type)
> @@ -1150,6 +1181,8 @@ class portRecords(semanageRecords):
> semanage_port_key_free(k)
> semanage_port_free(p)
>
> + self.mylog.log_change("resrc=port op=modify lport=%s proto=%s tcontext=%s:%s:%s:%s" % (port, proto_to_audit[proto], "system_u", "object_r", setype, serange))
> +
> def modify(self, port, proto, serange, setype):
> self.begin()
> self.__modify(port, proto, serange, setype)
> @@ -1168,6 +1201,7 @@ class portRecords(semanageRecords):
> low = semanage_port_get_low(port)
> high = semanage_port_get_high(port)
> port_str = "%s-%s" % (low, high)
> +
> (k, proto_d, low, high) = self.__genkey(port_str, proto_str)
> if rc < 0:
> raise ValueError(_("Could not create a key for %s") % port_str)
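Review bot: the only change in this hunk is a stray blank line after `port_str = "%s-%s" % (low, high)`; drop it, it is whitespace churn unrelated to the auditing change.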
> @@ -1177,6 +1211,11 @@ class portRecords(semanageRecords):
> raise ValueError(_("Could not delete the port %s") % port_str)
> semanage_port_key_free(k)
>
> + if low == high:
> + port_str = low
> +
> + self.mylog.log_change("resrc=port op=delete lport=%s proto=%s" % (port_str, proto_to_audit[proto_str]))
> +
> self.commit()
>
> def __delete(self, port, proto):
> @@ -1199,6 +1238,8 @@ class portRecords(semanageRecords):
>
> semanage_port_key_free(k)
>
> + self.mylog.log_change("resrc=port op=delete lport=%s proto=%s" % (port, proto_to_audit[proto]))
> +
> def delete(self, port, proto):
> self.begin()
> self.__delete(port, proto)
> @@ -1380,6 +1421,8 @@ class nodeRecords(semanageRecords):
> semanage_node_key_free(k)
> semanage_node_free(node)
>
> + self.mylog.log_change("resrc=node op=add laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, proto_to_audit[self.protocol[proto]], "system_u", "object_r", ctype, serange))
> +
> def add(self, addr, mask, proto, serange, ctype):
> self.begin()
> self.__add(addr, mask, proto, serange, ctype)
> @@ -1421,6 +1464,8 @@ class nodeRecords(semanageRecords):
> semanage_node_key_free(k)
> semanage_node_free(node)
>
> + self.mylog.log_change("resrc=node op=modify laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, proto_to_audit[self.protocol[proto]], "system_u", "object_r", setype, serange))
> +
> def modify(self, addr, mask, proto, serange, setype):
> self.begin()
> self.__modify(addr, mask, proto, serange, setype)
> @@ -1452,6 +1497,8 @@ class nodeRecords(semanageRecords):
>
> semanage_node_key_free(k)
>
> + self.mylog.log_change("resrc=node op=delete laddr=%s netmask=%s proto=%s" % (addr, mask, proto_to_audit[self.protocol[proto]]))
> +
> def delete(self, addr, mask, proto):
> self.begin()
> self.__delete(addr, mask, proto)
> @@ -1581,6 +1628,8 @@ class interfaceRecords(semanageRecords):
> semanage_iface_key_free(k)
> semanage_iface_free(iface)
>
> + self.mylog.log_change("resrc=interface op=add netif=%s tcontext=%s:%s:%s:%s" % (interface, "system_u", "object_r", ctype, serange))
> +
> def add(self, interface, serange, ctype):
> self.begin()
> self.__add(interface, serange, ctype)
> @@ -1618,6 +1667,8 @@ class interfaceRecords(semanageRecords):
> semanage_iface_key_free(k)
> semanage_iface_free(iface)
>
> + self.mylog.log_change("resrc=interface op=modify netif=%s tcontext=%s:%s:%s:%s" % (interface, "system_u", "object_r", setype, serange))
> +
> def modify(self, interface, serange, setype):
> self.begin()
> self.__modify(interface, serange, setype)
> @@ -1646,6 +1697,8 @@ class interfaceRecords(semanageRecords):
>
> semanage_iface_key_free(k)
>
> + self.mylog.log_change("resrc=interface op=delete netif=%s" % interface)
> +
> def delete(self, interface):
> self.begin()
> self.__delete(interface)
> @@ -1775,6 +1828,8 @@ class fcontextRecords(semanageRecords):
> if i.startswith(target + "/"):
> raise ValueError(_("File spec %s conflicts with equivalency rule '%s %s'") % (target, i, fdict[i]))
>
> + self.mylog.log_change("resrc=fcontext op=add-equal %s %s" % (audit.audit_encode_nv_string("sglob", target, 0), audit.audit_encode_nv_string("tglob", substitute, 0)))
> +
> self.equiv[target] = substitute
> self.equal_ind = True
> self.commit()
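Review bot: `audit.audit_encode_nv_string()` is called here, and in every later fcontext hunk, without a guard, but `import audit` sits in a try/except above precisely because the python-audit bindings may be absent; in that case the fallback `logger` class is in use and this line raises NameError. Either move the encoding into the logger classes (with a plain `name="value"` fallback in the except branch) or guard the call.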
> @@ -1785,6 +1840,9 @@ class fcontextRecords(semanageRecords):
> raise ValueError(_("Equivalence class for %s does not exists") % target)
> self.equiv[target] = substitute
> self.equal_ind = True
> +
> + self.mylog.log_change("resrc=fcontext op=modify-equal %s %s" % (audit.audit_encode_nv_string("sglob", target, 0), audit.audit_encode_nv_string("tglob", substitute, 0)))
> +
> self.commit()
>
> def createcon(self, target, seuser="system_u"):
> @@ -1879,6 +1937,11 @@ class fcontextRecords(semanageRecords):
> semanage_fcontext_key_free(k)
> semanage_fcontext_free(fcontext)
>
> + if not seuser:
> + seuser = "system_u"
> +
> + self.mylog.log_change("resrc=fcontext op=add %s ftype=%s tcontext=%s:%s:%s:%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype], seuser, "object_r", type, serange))
> +
> def add(self, target, type, ftype="", serange="", seuser="system_u"):
> self.begin()
> self.__add(target, type, ftype, serange, seuser)
> @@ -1939,6 +2002,11 @@ class fcontextRecords(semanageRecords):
> semanage_fcontext_key_free(k)
> semanage_fcontext_free(fcontext)
>
> + if not seuser:
> + seuser = "system_u"
> +
> + self.mylog.log_change("resrc=fcontext op=modify %s ftype=%s tcontext=%s:%s:%s:%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype], seuser, "object_r", type, serange))
> +
> def modify(self, target, setype, ftype, serange, seuser):
> self.begin()
> self.__modify(target, setype, ftype, serange, seuser)
> @@ -1964,6 +2032,8 @@ class fcontextRecords(semanageRecords):
> raise ValueError(_("Could not delete the file context %s") % target)
> semanage_fcontext_key_free(k)
>
> + self.mylog.log_change("resrc=fcontext op=delete %s ftype=%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype_str]))
> +
> self.equiv = {}
> self.equal_ind = True
> self.commit()
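Review bot: `ftype_to_audit[ftype_str]` raises KeyError here, which is the `semanage fcontext -D` failure reported above: `ftype_str` is the long file type name (the keys of `file_type_str_to_option`, e.g. "all files"), while `ftype_to_audit` is keyed by the option letter. Map it through `file_type_str_to_option` first, and make sure the letter that yields ("a" for "all files") is actually present in `ftype_to_audit`.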
> @@ -1972,6 +2042,9 @@ class fcontextRecords(semanageRecords):
> if target in self.equiv.keys():
> self.equiv.pop(target)
> self.equal_ind = True
> +
> + self.mylog.log_change("resrc=fcontext op=delete-equal %s ftype=%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype]))
> +
> return
>
> (rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype])
> @@ -1996,6 +2069,8 @@ class fcontextRecords(semanageRecords):
>
> semanage_fcontext_key_free(k)
>
> + self.mylog.log_change("resrc=fcontext op=delete %s ftype=%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype]))
> +
> def delete(self, target, ftype):
> self.begin()
> self.__delete(target, ftype)
>
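As an added example for the semanage thread above (not code from policycoreutils or from the patch), the following Python builds the same `USER_MAC_CONFIG_CHANGE` messages with the two defects visible in the hunks corrected: TCP and UDP carry their IANA protocol numbers (6 and 17), and the file type lookup accepts both the option letter and the long name that produced the `KeyError: all files` above. The `encode_nv_string()` helper reproduces libaudit's `audit_encode_nv_string()` rule as assumed here (a value containing a double quote, a byte below 0x21 or above 0x7e becomes upper-case hex, otherwise it is double quoted); the long file type names are assumed from semanage's own table, and all inputs are constructed.

```python
"""Build semanage USER_MAC_CONFIG_CHANGE messages (added example, not semanage code).

Keeps the patch's field layout (resrc= op= lport=/tglob= proto=/ftype= tcontext=)
and fixes the two defects visible in the hunks: protocol numbers and the file
type lookup that made `semanage fcontext -D` fail.
"""
from typing import Optional

# IANA assigned internet protocol numbers; the patch had tcp and udp swapped.
IP_PROTO_NUMBER = {"tcp": 6, "udp": 17}

# Long file type names as semanage prints them, mapped to the -f option letter
# (assumed to match seobject's file_type_str_to_option table).
FTYPE_OPTION = {
    "all files": "a", "regular file": "f", "directory": "d", "character device": "c",
    "block device": "b", "socket file": "s", "symbolic link": "l", "named pipe": "p",
}
# Option letter (or "" for "no type given") to the audit ftype= value.  "a" is
# the key the patch's ftype_to_audit was missing.
FTYPE_AUDIT = {
    "": "any", "a": "any", "b": "block", "c": "char", "d": "dir",
    "f": "file", "l": "symlink", "p": "pipe", "s": "socket",
}


def ip_proto_number(proto: str) -> int:
    try:
        return IP_PROTO_NUMBER[proto.lower()]
    except KeyError:
        raise ValueError("unsupported protocol %r" % proto) from None


def audit_ftype(ftype: str) -> str:
    """Accept 'all files', 'a' and '' alike instead of raising KeyError."""
    letter = FTYPE_OPTION.get(ftype, ftype)
    try:
        return FTYPE_AUDIT[letter]
    except KeyError:
        raise ValueError("unknown file type %r" % ftype) from None


def encode_nv_string(name: str, value: str) -> str:
    """name=value in the style of libaudit's audit_encode_nv_string() (rule assumed
    here): a value containing a double quote, a byte below 0x21 (blank or control)
    or above 0x7e is emitted as upper-case hex without quotes; anything else is
    double quoted.  The encoding is what stops a glob with embedded blanks or
    quotes from injecting extra fields into the record."""
    data = value.encode("utf-8")
    if any(b == 0x22 or b < 0x21 or b > 0x7E for b in data):
        return "%s=%s" % (name, data.hex().upper())
    return '%s="%s"' % (name, value)


def port_change_message(op: str, port: str, proto: str,
                        tcontext: Optional[str] = None) -> str:
    """resrc=port record; add/modify carry the new context, delete does not."""
    if op not in ("add", "modify", "delete"):
        raise ValueError("unknown op %r" % op)
    msg = "resrc=port op=%s lport=%s proto=%d" % (op, port, ip_proto_number(proto))
    if op != "delete":
        if not tcontext:
            raise ValueError("%s needs a target context" % op)
        msg += " tcontext=%s" % tcontext
    return msg


def fcontext_change_message(op: str, target: str, ftype: str = "",
                            tcontext: Optional[str] = None) -> str:
    """resrc=fcontext record; the glob is the one caller supplied string that may
    contain blanks or quotes, so it is the one field that gets encoded."""
    if op not in ("add", "modify", "delete"):
        raise ValueError("unknown op %r" % op)
    parts = ["resrc=fcontext", "op=%s" % op, encode_nv_string("tglob", target),
             "ftype=%s" % audit_ftype(ftype)]
    if op != "delete":
        if not tcontext:
            raise ValueError("%s needs a target context" % op)
        parts.append("tcontext=%s" % tcontext)
    return " ".join(parts)


if __name__ == "__main__":
    ctx = "system_u:object_r:httpd_sys_content_t:s0"
    print(fcontext_change_message("add", "/web(/.*)?", "", ctx))
    print(fcontext_change_message("delete", "/web(/.*)?", "all files"))  # the -D case
    print(fcontext_change_message("add", "/srv/my site(/.*)?", "d", ctx))
    print(port_change_message("add", "8080", "tcp", "system_u:object_r:http_port_t:s0"))
```

Unknown protocols and file types raise ValueError with the offending value rather than KeyError from inside a dictionary lookup, so a future `semanage` option that is not yet mapped fails loudly at the call site instead of half way through a transaction.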
* Re: Where can I find coding style guidelines for the Linux Audit framework source code?
From: Steve Grubb @ 2016-08-17 13:23 UTC
To: linux-audit
In-Reply-To: <F5C3EECE-4B0F-472E-B1F5-BDCAA10B06C2@FreeBSD.org>
On Wednesday, August 17, 2016 3:02:36 PM EDT Mateusz Piotrowski wrote:
> I wonder if there is a document describing the preferred coding style
> of the Linux Audit framework source code.
No.
> Is it basically the style of the Linux Kernel[1]?
I have never used the kernel style. But if you look at the code, it's fairly
consistent - except that there are a whole lot of contributors over time. Not
everyone followed the style exactly. I try to correct it over time. The main
thing I hate is lines that are over 80 characters long or when a patch uses
spaces and not tabs.
> Secondly, does it make sense to submit patches which fix style only?
I don't like to have a lot of code churn just for style. I tend to fix style
either on patch submission or, if it's big or I don't have time, when I'm in
that area.
-Steve
> [1]: https://www.kernel.org/doc/Documentation/CodingStyle
* Where can I find coding style guidelines for the Linux Audit framework source code?
From: Mateusz Piotrowski @ 2016-08-17 13:02 UTC
To: linux-audit
Hello,
I wonder if there is a document describing the preferred coding style
of the Linux Audit framework source code. Is it basically the style of
the Linux Kernel[1]?
Secondly, does it make sense to submit patches which fix style only?
Cheers,
Mateusz
[1]: https://www.kernel.org/doc/Documentation/CodingStyle
* Re: [GIT PULL] [PATCH v4 00/26] Delete CURRENT_TIME and CURRENT_TIME_SEC macros
From: Greg KH @ 2016-08-16 18:53 UTC
To: Deepa Dinamani
Cc: Dave Kleikamp, jfs-discussion-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f,
Trond Myklebust, Adrian Hunter, Chris Mason, Andreas Dilger,
Brian Uchino, Thomas Gleixner, Yan, Zheng, James E.J. Bottomley,
Paul Moore, Linux SCSI List, y2038 Mailman List, Ilya Dryomov,
linux-ext4-u79uwXL29TY76Z2rM5mHXA, Changman Lee,
Evgeniy Dushistov, Arnd Bergmann, Mark Fasheh, Suma Ramars,
John Stultz, Alexander Viro, David Sterba,
Jaegeuk Kim <jaege>
In-Reply-To: <CABeXuvp027DZR0=zQPp86oGdi2B+Gh16z8_FyoY5UDUdHXAngA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
On Tue, Aug 16, 2016 at 11:18:52AM -0700, Deepa Dinamani wrote:
> Thank you for the suggestion.
>
> > Who are you expecting to pull this huge patch series?
>
> The last pull request was addressed to Al as per Arnd's suggestion.
> I'm not completely sure who it should be addressed to.
>
> > Why not just introduce the new api call, wait for that to be merged, and
> > then push the individual patches through the different subsystems?
> > After half of those get ignored, then provide a single set of patches
> > that can go through Andrew or my trees.
>
> Arnd and I tried to do this a few ways.
>
> We can try to introduce the api first like you suggest.
>
> There are a few Acks already on the patches.
> And, patches 2-5 also need to be merged through some common tree like
> yours or Andrew's as you suggest.
>
> So, if everyone is ok, I could do the following:
>
> 1. Post patches 1-5 for rc-2.
-rc2 is already released, and we aren't adding new apis this late in the
release cycle, sorry.
> 2. Post all other patches to respective maintainers after rc-2
> 3. Then after patches get ignored or merged, post remaining as a
> series for you or Andrew to pick up.
The apis need to be aimed for 4.9-rc1, it's too late for 4.8, sorry.
greg k-h
* Re: [GIT PULL] [PATCH v4 00/26] Delete CURRENT_TIME and CURRENT_TIME_SEC macros
From: Deepa Dinamani @ 2016-08-16 18:18 UTC
To: Greg KH
Cc: Dave Kleikamp, jfs-discussion-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f,
Trond Myklebust, Adrian Hunter, Chris Mason, Andreas Dilger,
Brian Uchino, Thomas Gleixner, Yan, Zheng, James E.J. Bottomley,
Paul Moore, Linux SCSI List, y2038 Mailman List, Ilya Dryomov,
linux-ext4-u79uwXL29TY76Z2rM5mHXA, Changman Lee,
Evgeniy Dushistov, Arnd Bergmann, Mark Fasheh, Suma Ramars,
John Stultz, Alexander Viro, David Sterba,
Jaegeuk Kim <jaege>
In-Reply-To: <20160815162312.GA19794-U8xfFu+wG4EAvxtiuMwx3w@public.gmane.org>
Thank you for the suggestion.
> Who are you expecting to pull this huge patch series?
The last pull request was addressed to Al as per Arnd's suggestion.
I'm not completely sure who it should be addressed to.
> Why not just introduce the new api call, wait for that to be merged, and
> then push the individual patches through the different subsystems?
> After half of those get ignored, then provide a single set of patches
> that can go through Andrew or my trees.
Arnd and I tried to do this a few ways.
We can try to introduce the api first like you suggest.
There are a few Acks already on the patches.
And, patches 2-5 also need to be merged through some common tree like
yours or Andrew's as you suggest.
So, if everyone is ok, I could do the following:
1. Post patches 1-5 for rc-2.
2. Post all other patches to respective maintainers after rc-2
3. Then after patches get ignored or merged, post remaining as a
series for you or Andrew to pick up.
-Deepa
* Re: [GIT PULL] [PATCH v4 00/26] Delete CURRENT_TIME and CURRENT_TIME_SEC macros
From: Greg KH @ 2016-08-15 16:23 UTC
To: Deepa Dinamani
Cc: shaggy-DgEjT+Ai2ygdnm+yROfE0A,
jfs-discussion-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f,
trond.myklebust-7I+n7zu2hftEKMMhf/gKZA,
adrian.hunter-ral2JQCrhuEAvxtiuMwx3w, clm-b10kYP2dOMg,
adilger.kernel-m1MBpc4rdrD3fQ9qLvQP4Q,
buchino-FYB4Gu1CFyUAvxtiuMwx3w, tglx-hfZtesqFncYOwBW4kG4KsQ,
zyan-H+wXaHxf7aLQT0dZR+AlfA,
jejb-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8,
paul-r2n+y4ga6xFZroRs9YW3xA, linux-scsi-u79uwXL29TY76Z2rM5mHXA,
y2038-cunTk1MwBs8s++Sfvej+rw, idryomov-Re5JQEeQqe8AvxtiuMwx3w,
linux-ext4-u79uwXL29TY76Z2rM5mHXA,
cm224.lee-Sze3O3UU22JBDgjK7y7TUQ, dushistov-JGs/UdohzUI,
arnd-r2nGTMty4D4, mfasheh-IBi9RG/b67k,
sramars-FYB4Gu1CFyUAvxtiuMwx3w,
john.stultz-QSEj5FYQhm4dnm+yROfE0A,
viro-RmSDqhL/yNMiFSDQTTA3OLVCufUGDwFn, dsterba-IBi9RG/b67k,
jaegeuk-DgEjT+Ai2ygdnm+yROfE0A, ceph-devel-u79uwXL29TY76Z2rM5mHXA,
linux-nfs-u79uwXL29TY76Z2rM5mHXA, elder-DgEjT+Ai2ygdnm+yROfE0A,
tytso-3s7WtUTddSA, sage-H+wXaHxf7aLQT0dZR+AlfA,
martin.petersen-QHcLZuEGTsvQT0dZR+AlfA,
dedekind1-Re5JQEeQqe8AvxtiuMwx3w, jbacik-b10kYP2dOMg,
hiralpat-FYB4Gu1CFyUAvxtiuMwx3w,
linux-kernel-u79uwXL29TY76Z2rM5mHXA,
eparis-H+wXaHxf7aLQT0dZR+AlfA,
linux-f2fs-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f,
sfrench-eUNUBHrolfbYtjvyW6yDsg,
linux-audit-H+wXaHxf7aLQT0dZR+AlfA,
ocfs2-devel-N0ozoZBvEnonbStXaT1jcA
In-Reply-To: <1471128518-24075-1-git-send-email-deepa.kernel-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
On Sat, Aug 13, 2016 at 03:48:12PM -0700, Deepa Dinamani wrote:
> The series is aimed at getting rid of CURRENT_TIME and CURRENT_TIME_SEC macros.
> The macros are not y2038 safe. There is no plan to transition them into being
> y2038 safe.
> ktime_get_* APIs can be used in their place. And, these are y2038 safe.
Who are you expecting to pull this huge patch series?
Why not just introduce the new api call, wait for that to be merged, and
then push the individual patches through the different subsystems?
After half of those get ignored, then provide a single set of patches
that can go through Andrew or my trees.
thanks,
greg k-h
* [PATCH v4 19/26] audit: Use timespec64 to represent audit timestamps
From: Deepa Dinamani @ 2016-08-13 22:48 UTC
To: linux-fsdevel, linux-kernel
Cc: tytso, Paul Moore, arnd, y2038, Eric Paris, Richard Guy Briggs,
linux-audit, viro, tglx, torvalds
In-Reply-To: <1471128518-24075-1-git-send-email-deepa.kernel@gmail.com>
struct timespec is not y2038 safe.
Audit timestamps are recorded in string format into
an audit buffer for a given context.
These mark the entry timestamps for the syscalls.
Use y2038 safe struct timespec64 to represent the times.
The log strings can handle this transition as strings can
hold up to 1024 characters.
Signed-off-by: Deepa Dinamani <deepa.kernel@gmail.com>
Reviewed-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Paul Moore <paul@paul-moore.com>
Acked-by: Richard Guy Briggs <rgb@redhat.com>
Cc: Eric Paris <eparis@redhat.com>
Cc: Paul Moore <paul@paul-moore.com>
Cc: Richard Guy Briggs <rgb@redhat.com>
Cc: linux-audit@redhat.com
---
include/linux/audit.h | 4 ++--
kernel/audit.c | 10 +++++-----
kernel/audit.h | 2 +-
kernel/auditsc.c | 6 +++---
4 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 9d4443f..e51782b 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -332,7 +332,7 @@ static inline void audit_ptrace(struct task_struct *t)
/* Private API (for audit.c only) */
extern unsigned int audit_serial(void);
extern int auditsc_get_stamp(struct audit_context *ctx,
- struct timespec *t, unsigned int *serial);
+ struct timespec64 *t, unsigned int *serial);
extern int audit_set_loginuid(kuid_t loginuid);
static inline kuid_t audit_get_loginuid(struct task_struct *tsk)
@@ -490,7 +490,7 @@ static inline void __audit_seccomp(unsigned long syscall, long signr, int code)
static inline void audit_seccomp(unsigned long syscall, long signr, int code)
{ }
static inline int auditsc_get_stamp(struct audit_context *ctx,
- struct timespec *t, unsigned int *serial)
+ struct timespec64 *t, unsigned int *serial)
{
return 0;
}
diff --git a/kernel/audit.c b/kernel/audit.c
index a8a91bd..b03b6c7 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1325,10 +1325,10 @@ unsigned int audit_serial(void)
}
static inline void audit_get_stamp(struct audit_context *ctx,
- struct timespec *t, unsigned int *serial)
+ struct timespec64 *t, unsigned int *serial)
{
if (!ctx || !auditsc_get_stamp(ctx, t, serial)) {
- *t = CURRENT_TIME;
+ ktime_get_real_ts64(t);
*serial = audit_serial();
}
}
@@ -1370,7 +1370,7 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
int type)
{
struct audit_buffer *ab = NULL;
- struct timespec t;
+ struct timespec64 t;
unsigned int uninitialized_var(serial);
int reserve = 5; /* Allow atomic callers to go up to five
entries over the normal backlog limit */
@@ -1422,8 +1422,8 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
audit_get_stamp(ab->ctx, &t, &serial);
- audit_log_format(ab, "audit(%lu.%03lu:%u): ",
- t.tv_sec, t.tv_nsec/1000000, serial);
+ audit_log_format(ab, "audit(%llu.%03lu:%u): ",
+ (unsigned long long)t.tv_sec, t.tv_nsec/1000000, serial);
return ab;
}
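Review bot: `tv_sec` of a `struct timespec64` is a signed `time64_t`, so printing it through `%llu` after an `(unsigned long long)` cast would turn any negative clock value into a 20-digit number; `%lld` with a `(long long)` cast yields the identical string for every non-negative timestamp and stays correct otherwise. Since userspace parses this `audit(SECS.MSEC:SERIAL)` prefix, it is worth stating in the commit message that the on-the-wire format is unchanged for all realistic (non-negative) values.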
diff --git a/kernel/audit.h b/kernel/audit.h
index 431444c..55d1ca2 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -112,7 +112,7 @@ struct audit_context {
enum audit_state state, current_state;
unsigned int serial; /* serial number for record */
int major; /* syscall number */
- struct timespec ctime; /* time of syscall entry */
+ struct timespec64 ctime; /* time of syscall entry */
unsigned long argv[4]; /* syscall arguments */
long return_code;/* syscall return code */
u64 prio;
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 5abf1dc..8dc7fe9 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1522,7 +1522,7 @@ void __audit_syscall_entry(int major, unsigned long a1, unsigned long a2,
return;
context->serial = 0;
- context->ctime = CURRENT_TIME;
+ ktime_get_real_ts64(&context->ctime);
context->in_syscall = 1;
context->current_state = state;
context->ppid = 0;
@@ -1931,13 +1931,13 @@ EXPORT_SYMBOL_GPL(__audit_inode_child);
/**
* auditsc_get_stamp - get local copies of audit_context values
* @ctx: audit_context for the task
- * @t: timespec to store time recorded in the audit_context
+ * @t: timespec64 to store time recorded in the audit_context
* @serial: serial value that is recorded in the audit_context
*
* Also sets the context as auditable.
*/
int auditsc_get_stamp(struct audit_context *ctx,
- struct timespec *t, unsigned int *serial)
+ struct timespec64 *t, unsigned int *serial)
{
if (!ctx->in_syscall)
return 0;
--
1.9.1
* [GIT PULL] [PATCH v4 00/26] Delete CURRENT_TIME and CURRENT_TIME_SEC macros
From: Deepa Dinamani @ 2016-08-13 22:48 UTC
To: linux-fsdevel-u79uwXL29TY76Z2rM5mHXA,
linux-kernel-u79uwXL29TY76Z2rM5mHXA
Cc: shaggy-DgEjT+Ai2ygdnm+yROfE0A,
jfs-discussion-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f,
trond.myklebust-7I+n7zu2hftEKMMhf/gKZA, clm-b10kYP2dOMg,
adilger.kernel-m1MBpc4rdrD3fQ9qLvQP4Q,
buchino-FYB4Gu1CFyUAvxtiuMwx3w, tglx-hfZtesqFncYOwBW4kG4KsQ,
zyan-H+wXaHxf7aLQT0dZR+AlfA,
jejb-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8,
paul-r2n+y4ga6xFZroRs9YW3xA, linux-scsi-u79uwXL29TY76Z2rM5mHXA,
y2038-cunTk1MwBs8s++Sfvej+rw, idryomov-Re5JQEeQqe8AvxtiuMwx3w,
linux-ext4-u79uwXL29TY76Z2rM5mHXA,
cm224.lee-Sze3O3UU22JBDgjK7y7TUQ, dushistov-JGs/UdohzUI,
arnd-r2nGTMty4D4, mfasheh-IBi9RG/b67k,
sramars-FYB4Gu1CFyUAvxtiuMwx3w,
john.stultz-QSEj5FYQhm4dnm+yROfE0A,
viro-RmSDqhL/yNMiFSDQTTA3OLVCufUGDwFn, dsterba-IBi9RG/b67k,
jaegeuk-DgEjT+Ai2ygdnm+yROfE0A, ceph-devel-u79uwXL29TY76Z2rM5mHXA,
linux-nfs-u79uwXL29TY76Z2rM5mHXA, elder-DgEjT+Ai2ygdnm+yROfE0A,
tytso-3s7WtUTddSA, sage-H+wXaHxf7aLQT0dZR+AlfA,
martin.petersen-QHcLZuEGTsvQT0dZR+AlfA,
dedekind1-Re5JQEeQqe8AvxtiuMwx3w, jbacik-b10kYP2dOMg,
gregkh-hQyY1W1yCW8ekmWlsbkhG0B+6BGkLq7r,
hiralpat-FYB4Gu1CFyUAvxtiuMwx3w,
adrian.hunter-ral2JQCrhuEAvxtiuMwx3w,
eparis-H+wXaHxf7aLQT0dZR+AlfA,
linux-f2fs-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f,
sfrench-eUNUBHrolfbYtjvyW6yDsg,
linux-audit-H+wXaHxf7aLQT0dZR+AlfA,
ocfs2-devel-N0ozoZBvEnrZJqsBc5GL+g
The series is aimed at getting rid of CURRENT_TIME and CURRENT_TIME_SEC macros.
The macros are not y2038 safe. There is no plan to transition them into being
y2038 safe.
ktime_get_* APIs can be used in their place. And, these are y2038 safe.
Thanks to Arnd Bergmann for all the guidance and discussions.
Patches 2-4 were mostly generated using coccinelle scripts.
All filesystem timestamps use current_fs_time() for the right granularity, as
mentioned in the respective commit texts of the patches. This has a changed
signature, is renamed to current_time() and moved to fs/inode.c.
This series also serves as a preparatory series to transition vfs to 64 bit
timestamps as outlined here: https://lkml.org/lkml/2016/2/12/104 .
As per Linus's suggestion in https://lkml.org/lkml/2016/5/24/663 , all the
inode timestamp changes have been squashed into a single patch. Also,
current_time() is now used as a single generic vfs filesystem timestamp API.
It also takes struct inode* as argument instead of struct super_block*.
Posting all patches together in a bigger series so that the big picture is
clear.
As per the suggestion in https://lwn.net/Articles/672598/, CURRENT_TIME macro
bug fixes are being handled in a series separate from transitioning vfs to
use 64 bit timestamps.
Changes from v3:
* Rebased to 4.8-rc1 to avoid merge conflicts.
* Added CURRENT_TIME deletion and fnic patches back as time64_to_tm() is merged.
* Rearranged a couple of instances of CURRENT_TIME.
Changes from v2:
* Fix buildbot error for uninitialized sb in inode.
* Minor fixes according to Arnd's comments.
* Leave out the fnic and deletion of CURRENT_TIME to be submitted after 4.8 rc1.
Changes from v1:
* Change current_fs_time(struct super_block *) to current_time(struct inode *)
* Note that change to add time64_to_tm() is already part of John's
kernel tree: https://lkml.org/lkml/2016/6/17/875 .
---------------------------------------------------------------
The following changes since commit 09f0834105f7fe315ddaeb77fad15f00565c167e:
Add linux-next specific files for 20160809 (2016-08-09 13:48:00 +1000)
are available in the git repository at:
https://github.com/deepa-hub/vfs current_time-v4.8-rc1
for you to fetch changes up to 050e25f5112626e228b742ed219314abc409a70f:
time: Delete CURRENT_TIME_SEC and CURRENT_TIME (2016-08-13 13:44:41 -0700)
----------------------------------------------------------------
Deepa Dinamani (26):
vfs: Add current_time() api
fs: proc: Delete inode time initializations in proc_alloc_inode()
fs: Replace CURRENT_TIME with current_time() for inode timestamps
fs: Replace CURRENT_TIME_SEC with current_time() for inode timestamps
fs: Replace current_fs_time() with current_time()
fs: ufs: Use ktime_get_real_ts64() for birthtime
fs: jfs: Replace CURRENT_TIME_SEC by current_time()
fs: ext4: Use current_time() for inode timestamps
fs: ubifs: Replace CURRENT_TIME_SEC with current_time
fs: btrfs: Use ktime_get_real_ts for root ctime
fs: udf: Replace CURRENT_TIME with current_time()
fs: cifs: Replace CURRENT_TIME by current_time()
fs: cifs: Replace CURRENT_TIME with ktime_get_real_ts()
fs: cifs: Replace CURRENT_TIME by get_seconds
fs: f2fs: Use ktime_get_real_seconds for sit_info times
drivers: staging: lustre: Replace CURRENT_TIME with current_time()
fs: ocfs2: Use time64_t to represent orphan scan times
fs: ocfs2: Replace CURRENT_TIME macro
audit: Use timespec64 to represent audit timestamps
fs: nfs: Make nfs boot time y2038 safe
block: Replace CURRENT_TIME with ktime_get_real_ts
libceph: Replace CURRENT_TIME with ktime_get_real_ts
fs: ceph: Replace current_fs_time for request stamp
fnic: Use time64_t to represent trace timestamps
time: Delete current_fs_time() function
time: Delete CURRENT_TIME_SEC and CURRENT_TIME
arch/powerpc/platforms/cell/spufs/inode.c | 2 +-
arch/s390/hypfs/inode.c | 4 +--
drivers/block/rbd.c | 2 +-
drivers/char/sonypi.c | 2 +-
drivers/infiniband/hw/qib/qib_fs.c | 2 +-
drivers/misc/ibmasm/ibmasmfs.c | 2 +-
drivers/oprofile/oprofilefs.c | 2 +-
drivers/platform/x86/sony-laptop.c | 2 +-
drivers/scsi/fnic/fnic_trace.c | 4 +--
drivers/scsi/fnic/fnic_trace.h | 2 +-
drivers/staging/lustre/lustre/llite/llite_lib.c | 16 ++++++------
drivers/staging/lustre/lustre/llite/namei.c | 4 +--
drivers/staging/lustre/lustre/mdc/mdc_reint.c | 6 ++---
.../lustre/lustre/obdclass/linux/linux-obdo.c | 6 ++---
drivers/staging/lustre/lustre/obdclass/obdo.c | 6 ++---
drivers/staging/lustre/lustre/osc/osc_io.c | 2 +-
drivers/usb/core/devio.c | 18 +++++++-------
drivers/usb/gadget/function/f_fs.c | 8 +++---
drivers/usb/gadget/legacy/inode.c | 2 +-
fs/9p/vfs_inode.c | 2 +-
fs/adfs/inode.c | 2 +-
fs/affs/amigaffs.c | 6 ++---
fs/affs/inode.c | 2 +-
fs/attr.c | 2 +-
fs/autofs4/inode.c | 2 +-
fs/autofs4/root.c | 6 ++---
fs/bad_inode.c | 2 +-
fs/bfs/dir.c | 14 +++++------
fs/binfmt_misc.c | 2 +-
fs/btrfs/file.c | 6 ++---
fs/btrfs/inode.c | 22 ++++++++--------
fs/btrfs/ioctl.c | 8 +++---
fs/btrfs/root-tree.c | 3 ++-
fs/btrfs/transaction.c | 4 +--
fs/btrfs/xattr.c | 2 +-
fs/ceph/file.c | 4 +--
fs/ceph/inode.c | 2 +-
fs/ceph/mds_client.c | 4 ++-
fs/ceph/xattr.c | 2 +-
fs/cifs/cifsencrypt.c | 4 ++-
fs/cifs/cifssmb.c | 10 ++++----
fs/cifs/file.c | 4 +--
fs/cifs/inode.c | 28 +++++++++++----------
fs/coda/dir.c | 2 +-
fs/coda/file.c | 2 +-
fs/coda/inode.c | 2 +-
fs/configfs/inode.c | 6 ++---
fs/debugfs/inode.c | 2 +-
fs/devpts/inode.c | 6 ++---
fs/efivarfs/inode.c | 2 +-
fs/exofs/dir.c | 6 ++---
fs/exofs/inode.c | 4 +--
fs/exofs/namei.c | 6 ++---
fs/ext2/acl.c | 2 +-
fs/ext2/dir.c | 6 ++---
fs/ext2/ialloc.c | 2 +-
fs/ext2/inode.c | 4 +--
fs/ext2/ioctl.c | 4 +--
fs/ext2/namei.c | 6 ++---
fs/ext2/super.c | 2 +-
fs/ext2/xattr.c | 2 +-
fs/ext4/acl.c | 2 +-
fs/ext4/ext4.h | 6 -----
fs/ext4/extents.c | 10 ++++----
fs/ext4/ialloc.c | 2 +-
fs/ext4/inline.c | 4 +--
fs/ext4/inode.c | 6 ++---
fs/ext4/ioctl.c | 8 +++---
fs/ext4/namei.c | 24 ++++++++++--------
fs/ext4/super.c | 2 +-
fs/ext4/xattr.c | 2 +-
fs/f2fs/dir.c | 8 +++---
fs/f2fs/file.c | 8 +++---
fs/f2fs/inline.c | 2 +-
fs/f2fs/namei.c | 12 ++++-----
fs/f2fs/segment.c | 2 +-
fs/f2fs/segment.h | 5 ++--
fs/f2fs/xattr.c | 2 +-
fs/fat/dir.c | 2 +-
fs/fat/file.c | 6 ++---
fs/fat/inode.c | 2 +-
fs/fat/namei_msdos.c | 12 ++++-----
fs/fat/namei_vfat.c | 10 ++++----
fs/fuse/control.c | 2 +-
fs/fuse/dir.c | 2 +-
fs/gfs2/bmap.c | 8 +++---
fs/gfs2/dir.c | 12 ++++-----
fs/gfs2/inode.c | 8 +++---
fs/gfs2/quota.c | 2 +-
fs/gfs2/xattr.c | 8 +++---
fs/hfs/catalog.c | 8 +++---
fs/hfs/dir.c | 2 +-
fs/hfs/inode.c | 2 +-
fs/hfsplus/catalog.c | 8 +++---
fs/hfsplus/dir.c | 6 ++---
fs/hfsplus/inode.c | 2 +-
fs/hfsplus/ioctl.c | 2 +-
fs/hugetlbfs/inode.c | 10 ++++----
fs/inode.c | 29 +++++++++++++++++++---
fs/jffs2/acl.c | 2 +-
fs/jffs2/fs.c | 2 +-
fs/jfs/acl.c | 2 +-
fs/jfs/inode.c | 2 +-
fs/jfs/ioctl.c | 2 +-
fs/jfs/jfs_inode.c | 2 +-
fs/jfs/namei.c | 24 +++++++++---------
fs/jfs/super.c | 2 +-
fs/jfs/xattr.c | 2 +-
fs/kernfs/inode.c | 2 +-
fs/libfs.c | 14 +++++------
fs/locks.c | 2 +-
fs/logfs/dir.c | 6 ++---
fs/logfs/file.c | 2 +-
fs/logfs/inode.c | 4 +--
fs/logfs/readwrite.c | 4 +--
fs/minix/bitmap.c | 2 +-
fs/minix/dir.c | 6 ++---
fs/minix/itree_common.c | 4 +--
fs/minix/namei.c | 4 +--
fs/nfs/client.c | 2 +-
fs/nfs/netns.h | 2 +-
fs/nfs/nfs4proc.c | 10 +++++---
fs/nfs/nfs4xdr.c | 2 +-
fs/nfsd/blocklayout.c | 2 +-
fs/nilfs2/dir.c | 6 ++---
fs/nilfs2/inode.c | 4 +--
fs/nilfs2/ioctl.c | 2 +-
fs/nilfs2/namei.c | 6 ++---
fs/nsfs.c | 2 +-
fs/ntfs/inode.c | 2 +-
fs/ntfs/mft.c | 2 +-
fs/ocfs2/acl.c | 2 +-
fs/ocfs2/alloc.c | 2 +-
fs/ocfs2/aops.c | 2 +-
fs/ocfs2/cluster/heartbeat.c | 2 +-
fs/ocfs2/dir.c | 4 +--
fs/ocfs2/dlmfs/dlmfs.c | 4 +--
fs/ocfs2/file.c | 12 ++++-----
fs/ocfs2/inode.c | 2 +-
fs/ocfs2/journal.c | 4 +--
fs/ocfs2/move_extents.c | 2 +-
fs/ocfs2/namei.c | 16 ++++++------
fs/ocfs2/ocfs2.h | 2 +-
fs/ocfs2/refcounttree.c | 4 +--
fs/ocfs2/super.c | 2 +-
fs/ocfs2/xattr.c | 2 +-
fs/omfs/dir.c | 4 +--
fs/omfs/inode.c | 2 +-
fs/openpromfs/inode.c | 2 +-
fs/orangefs/file.c | 2 +-
fs/orangefs/inode.c | 2 +-
fs/orangefs/namei.c | 10 ++++----
fs/pipe.c | 2 +-
fs/posix_acl.c | 2 +-
fs/proc/base.c | 2 +-
fs/proc/inode.c | 3 +--
fs/proc/proc_sysctl.c | 2 +-
fs/proc/self.c | 2 +-
fs/proc/thread_self.c | 2 +-
fs/pstore/inode.c | 2 +-
fs/ramfs/inode.c | 6 ++---
fs/reiserfs/inode.c | 2 +-
fs/reiserfs/ioctl.c | 4 +--
fs/reiserfs/namei.c | 12 ++++-----
fs/reiserfs/stree.c | 8 +++---
fs/reiserfs/super.c | 2 +-
fs/reiserfs/xattr.c | 6 ++---
fs/reiserfs/xattr_acl.c | 2 +-
fs/sysv/dir.c | 6 ++---
fs/sysv/ialloc.c | 2 +-
fs/sysv/itree.c | 4 +--
fs/sysv/namei.c | 4 +--
fs/tracefs/inode.c | 2 +-
fs/ubifs/dir.c | 10 ++++----
fs/ubifs/file.c | 12 ++++-----
fs/ubifs/ioctl.c | 2 +-
fs/ubifs/misc.h | 10 --------
fs/ubifs/sb.c | 14 ++++++++---
fs/ubifs/xattr.c | 6 ++---
fs/udf/ialloc.c | 2 +-
fs/udf/inode.c | 4 +--
fs/udf/namei.c | 20 +++++++--------
fs/udf/super.c | 9 ++++---
fs/ufs/dir.c | 6 ++---
fs/ufs/ialloc.c | 8 +++---
fs/ufs/inode.c | 6 ++---
fs/ufs/namei.c | 6 ++---
fs/xfs/xfs_acl.c | 2 +-
fs/xfs/xfs_inode.c | 2 +-
fs/xfs/xfs_iops.c | 2 +-
fs/xfs/xfs_trans_inode.c | 2 +-
include/linux/audit.h | 4 +--
include/linux/fs.h | 2 +-
include/linux/time.h | 3 ---
ipc/mqueue.c | 18 +++++++-------
kernel/audit.c | 10 ++++----
kernel/audit.h | 2 +-
kernel/auditsc.c | 6 ++---
kernel/bpf/inode.c | 2 +-
kernel/time/time.c | 14 -----------
mm/shmem.c | 20 +++++++--------
net/ceph/messenger.c | 6 +++--
net/ceph/osd_client.c | 4 +--
net/sunrpc/rpc_pipe.c | 2 +-
security/apparmor/apparmorfs.c | 2 +-
security/inode.c | 2 +-
security/selinux/selinuxfs.c | 2 +-
207 files changed, 540 insertions(+), 524 deletions(-)
--
1.9.1
Cc: adilger.kernel-m1MBpc4rdrD3fQ9qLvQP4Q@public.gmane.org
Cc: adrian.hunter-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org
Cc: anna.schumaker-HgOvQuBEEgTQT0dZR+AlfA@public.gmane.org
Cc: buchino-FYB4Gu1CFyUAvxtiuMwx3w@public.gmane.org
Cc: ceph-devel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Cc: clm-b10kYP2dOMg@public.gmane.org
Cc: cm224.lee-Sze3O3UU22JBDgjK7y7TUQ@public.gmane.org
Cc: dedekind1-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
Cc: dsterba-IBi9RG/b67k@public.gmane.org
Cc: dushistov-JGs/UdohzUI@public.gmane.org
Cc: elder-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org
Cc: eparis-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org
Cc: gregkh-hQyY1W1yCW8ekmWlsbkhG0B+6BGkLq7r@public.gmane.org
Cc: hiralpat-FYB4Gu1CFyUAvxtiuMwx3w@public.gmane.org
Cc: idryomov-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
Cc: jack-IBi9RG/b67k@public.gmane.org
Cc: jaegeuk-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org
Cc: jbacik-b10kYP2dOMg@public.gmane.org
Cc: jejb-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org
Cc: jfs-discussion-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org
Cc: jlbec-aKy9MeLSZ9dg9hUCZPvPmw@public.gmane.org
Cc: john.stultz-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org
Cc: linux-audit-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org
Cc: linux-btrfs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Cc: linux-ext4-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Cc: linux-f2fs-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org
Cc: linux-mtd-IAPFreCvJWM7uuMidbF8XUB+6BGkLq7r@public.gmane.org
Cc: linux-nfs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Cc: linux-scsi-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Cc: lustre-devel-aLEFhgZF4x6X6Mz3xDxJMA@public.gmane.org
Cc: martin.petersen-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org
Cc: mfasheh-IBi9RG/b67k@public.gmane.org
Cc: ocfs2-devel-N0ozoZBvEnrZJqsBc5GL+g@public.gmane.org
Cc: paul-r2n+y4ga6xFZroRs9YW3xA@public.gmane.org
Cc: sage-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org
Cc: sfrench-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org
Cc: shaggy-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org
Cc: sramars-FYB4Gu1CFyUAvxtiuMwx3w@public.gmane.org
Cc: trond.myklebust-7I+n7zu2hftEKMMhf/gKZA@public.gmane.org
Cc: zyan-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org
^ permalink raw reply
* Re: [PATCH 2/2] semanage: fix modify action in node and interface
From: Stephen Smalley @ 2016-08-11 17:33 UTC (permalink / raw)
To: Miroslav Vadkerti, selinux; +Cc: linux-audit
In-Reply-To: <1469464627-2159-2-git-send-email-mvadkert@redhat.com>
On 07/25/2016 12:37 PM, Miroslav Vadkerti wrote:
> The modify actions of security context mappings for
> interface and node actually called the add action.
>
> Signed-off-by: Miroslav Vadkerti <mvadkert@redhat.com>
Thanks, applied.
> ---
> policycoreutils/semanage/semanage | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/policycoreutils/semanage/semanage b/policycoreutils/semanage/semanage
> index 954411d..b199ebe 100644
> --- a/policycoreutils/semanage/semanage
> +++ b/policycoreutils/semanage/semanage
> @@ -524,7 +524,7 @@ def handleInterface(args):
> if args.action is "add":
> OBJECT.add(args.interface, args.range, args.type)
> if args.action is "modify":
> - OBJECT.add(args.interface, args.range, args.type)
> + OBJECT.modify(args.interface, args.range, args.type)
> if args.action is "delete":
> OBJECT.delete(args.interface)
> if args.action is "list":
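Review bot: the dispatch in the surrounding context compares strings with `is` (`if args.action is "modify":`), which is an identity test rather than equality; it only works because CPython happens to intern identifier-like literals, and newer Python versions warn about it. The change to `OBJECT.modify` is correct, but switching these comparisons to `==` (`if args.action == "modify":`) would make the branch selection reliable rather than accidental.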
> @@ -607,7 +607,7 @@ def handleNode(args):
> if args.action is "add":
> OBJECT.add(args.node, args.netmask, args.proto, args.range, args.type)
> if args.action is "modify":
> - OBJECT.add(args.node, args.netmask, args.proto, args.range, args.type)
> + OBJECT.modify(args.node, args.netmask, args.proto, args.range, args.type)
> if args.action is "delete":
> OBJECT.delete(args.node, args.netmask, args.proto)
> if args.action is "list":
>
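Review bot: correct fix, and the argument order matches what the delete branch below it passes (node, netmask, proto) plus range and type; the same `is` comparisons as in handleInterface apply here too. Nothing in the patch shows how the regression was found: a `semanage node -a` followed by `semanage node -m` on the same address exercises exactly this path and is a cheap test to add so the modify action cannot silently fall back to add again.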
* Re: [PATCH] semanage: add auditing of changes in records
From: James Carter @ 2016-08-09 20:21 UTC (permalink / raw)
To: Miroslav Vadkerti, selinux-+05T5uksL2qpZYMLLGbcSA
Cc: linux-audit-H+wXaHxf7aLQT0dZR+AlfA
In-Reply-To: <1469546125-19448-1-git-send-email-mvadkert-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
On 07/26/2016 11:15 AM, Miroslav Vadkerti wrote:
> Common Criteria requirement FMT_MSA.1 needs any configuration change
> that affects enforcement of policy to be audited. This patch adds
> auditing of changes in security context mappings for network ports,
> interfaces, nodes and file contexts.
>
> A new function log_change is introduced that audits additions,
> modifications and removals of the mappings via the USER_MAC_CONFIG_CHANGE
> audit event.
>
> The format of the audit events was discussed with the audit userspace
> maintainer.
>
> This patch resolves: https://bugzilla.redhat.com/show_bug.cgi?id=829175
>
> Signed-off-by: Miroslav Vadkerti <mvadkert-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
Applied.
Thanks,
Jim
> ---
> policycoreutils/semanage/seobject.py | 75 ++++++++++++++++++++++++++++++++++++
> 1 file changed, 75 insertions(+)
>
> diff --git a/policycoreutils/semanage/seobject.py b/policycoreutils/semanage/seobject.py
> index 3b0b108..7d6caa3 100644
> --- a/policycoreutils/semanage/seobject.py
> +++ b/policycoreutils/semanage/seobject.py
> @@ -82,6 +82,21 @@ file_type_str_to_option = {"all files": "a",
> "socket file": "s",
> "symbolic link": "l",
> "named pipe": "p"}
> +
> +proto_to_audit = {"tcp": 17,
> + "udp": 6,
> + "ipv4": 4,
> + "ipv6": 41}
> +
> +ftype_to_audit = {"": "any",
> + "b": "block",
> + "c": "char",
> + "d": "dir",
> + "f": "file",
> + "l": "symlink",
> + "p": "pipe",
> + "s": "socket"}
> +
> try:
> import audit
>
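Review bot: `proto_to_audit` has the TCP and UDP numbers swapped: the IANA protocol numbers are 6 for TCP and 17 for UDP, so `"tcp": 17, "udp": 6` makes every port record carry the wrong `proto=` value once ausearch interprets it. Swap the two values. `"ipv4": 4` is also doubtful for the node records, since 4 is the protocol number of IP-in-IP encapsulation rather than anything meaning IPv4; if the intent is to name the address family, log that in its own field instead of overloading `proto=`.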
> @@ -90,6 +105,7 @@ try:
> def __init__(self):
> self.audit_fd = audit.audit_open()
> self.log_list = []
> + self.log_change_list = []
>
> def log(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""):
>
> @@ -109,10 +125,17 @@ try:
> def log_remove(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""):
> self.log_list.append([self.audit_fd, audit.AUDIT_ROLE_REMOVE, sys.argv[0], str(msg), name, 0, sename, serole, serange, oldsename, oldserole, oldserange, "", "", ""])
>
> + def log_change(self, msg):
> + self.log_change_list.append([self.audit_fd, audit.AUDIT_USER_MAC_CONFIG_CHANGE, str(msg), "semanage", "", "", ""])
> +
> def commit(self, success):
> for l in self.log_list:
> audit.audit_log_semanage_message(*(l + [success]))
> + for l in self.log_change_list:
> + audit.audit_log_user_comm_message(*(l + [success]))
> +
> self.log_list = []
> + self.log_change_list = []
> except:
> class logger:
>
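Review bot: every `log_change` call added by this patch sits after the libsemanage calls have succeeded, so an attempt that fails at that stage (bad type, malformed range, missing mapping) never queues a record and is not audited at all; only what survives to `commit(success)` is. If failed attempts should be visible (the commit message cites FMT_MSA.1), queue the record before the semanage call and let the `success` argument that `audit_log_user_comm_message` already takes carry the outcome.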
> @@ -138,6 +161,9 @@ except:
> def log_remove(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""):
> self.log(msg, name, sename, serole, serange, oldsename, oldserole, oldserange)
>
> + def log_change(self, msg):
> + self.log_list.append(" %s" % msg)
> +
> def commit(self, success):
> if success == 1:
> message = "Successful: "
> @@ -155,6 +181,9 @@ class nulllogger:
> def log_remove(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""):
> pass
>
> + def log_change(self, msg):
> + pass
> +
> def commit(self, success):
> pass
>
> @@ -1109,6 +1138,8 @@ class portRecords(semanageRecords):
> semanage_port_key_free(k)
> semanage_port_free(p)
>
> + self.mylog.log_change("resrc=port op=add lport=%s proto=%s tcontext=%s:%s:%s:%s" % (port, proto_to_audit[proto], "system_u", "object_r", type, serange))
> +
> def add(self, port, proto, serange, type):
> self.begin()
> self.__add(port, proto, serange, type)
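Review bot: `lport=%s` is given the raw `port` argument, which for a port range is a string such as `8000-8010`; the field dictionary documents lport as a single local port number, so range entries will not interpret cleanly in ausearch/aureport. Log the low and high ends in separate fields when the argument is a range (the `deleteall` hunk below already has `low` and `high` at hand for the same record).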
> @@ -1150,6 +1181,8 @@ class portRecords(semanageRecords):
> semanage_port_key_free(k)
> semanage_port_free(p)
>
> + self.mylog.log_change("resrc=port op=modify lport=%s proto=%s tcontext=%s:%s:%s:%s" % (port, proto_to_audit[proto], "system_u", "object_r", setype, serange))
> +
> def modify(self, port, proto, serange, setype):
> self.begin()
> self.__modify(port, proto, serange, setype)
> @@ -1168,6 +1201,7 @@ class portRecords(semanageRecords):
> low = semanage_port_get_low(port)
> high = semanage_port_get_high(port)
> port_str = "%s-%s" % (low, high)
> +
> (k, proto_d, low, high) = self.__genkey(port_str, proto_str)
> if rc < 0:
> raise ValueError(_("Could not create a key for %s") % port_str)
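Review bot: this hunk only inserts a blank line after `port_str = "%s-%s" % (low, high)` and changes nothing functional; drop it so the patch stays limited to the audit logging.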
> @@ -1177,6 +1211,11 @@ class portRecords(semanageRecords):
> raise ValueError(_("Could not delete the port %s") % port_str)
> semanage_port_key_free(k)
>
> + if low == high:
> + port_str = low
> +
> + self.mylog.log_change("resrc=port op=delete lport=%s proto=%s" % (port_str, proto_to_audit[proto_str]))
> +
> self.commit()
>
> def __delete(self, port, proto):
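Review bot: `port_str` is rewritten to the integer `low` after it has already been used for the key and the error message, and the `if rc < 0:` test above it checks a value that `__genkey` does not return in this tuple, so it can never reflect the key creation. Move the single-port normalisation before `__genkey` and, while touching this loop, check the key creation result properly rather than the stale `rc`.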
> @@ -1199,6 +1238,8 @@ class portRecords(semanageRecords):
>
> semanage_port_key_free(k)
>
> + self.mylog.log_change("resrc=port op=delete lport=%s proto=%s" % (port, proto_to_audit[proto]))
> +
> def delete(self, port, proto):
> self.begin()
> self.__delete(port, proto)
> @@ -1380,6 +1421,8 @@ class nodeRecords(semanageRecords):
> semanage_node_key_free(k)
> semanage_node_free(node)
>
> + self.mylog.log_change("resrc=node op=add laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, proto_to_audit[self.protocol[proto]], "system_u", "object_r", ctype, serange))
> +
> def add(self, addr, mask, proto, serange, ctype):
> self.begin()
> self.__add(addr, mask, proto, serange, ctype)
> @@ -1421,6 +1464,8 @@ class nodeRecords(semanageRecords):
> semanage_node_key_free(k)
> semanage_node_free(node)
>
> + self.mylog.log_change("resrc=node op=modify laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, proto_to_audit[self.protocol[proto]], "system_u", "object_r", setype, serange))
> +
> def modify(self, addr, mask, proto, serange, setype):
> self.begin()
> self.__modify(addr, mask, proto, serange, setype)
> @@ -1452,6 +1497,8 @@ class nodeRecords(semanageRecords):
>
> semanage_node_key_free(k)
>
> + self.mylog.log_change("resrc=node op=delete laddr=%s netmask=%s proto=%s" % (addr, mask, proto_to_audit[self.protocol[proto]]))
> +
> def delete(self, addr, mask, proto):
> self.begin()
> self.__delete(addr, mask, proto)
> @@ -1581,6 +1628,8 @@ class interfaceRecords(semanageRecords):
> semanage_iface_key_free(k)
> semanage_iface_free(iface)
>
> + self.mylog.log_change("resrc=interface op=add netif=%s tcontext=%s:%s:%s:%s" % (interface, "system_u", "object_r", ctype, serange))
> +
> def add(self, interface, serange, ctype):
> self.begin()
> self.__add(interface, serange, ctype)
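Review bot: `netif=%s` embeds the interface name unencoded, unlike the fcontext paths later in this patch, which go through `audit_encode_nv_string`. Linux interface names may contain characters such as `=` or `"` that break the key=value parsing of the record; pass the name through the same encoder so all four resource types are handled consistently.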
> @@ -1618,6 +1667,8 @@ class interfaceRecords(semanageRecords):
> semanage_iface_key_free(k)
> semanage_iface_free(iface)
>
> + self.mylog.log_change("resrc=interface op=modify netif=%s tcontext=%s:%s:%s:%s" % (interface, "system_u", "object_r", setype, serange))
> +
> def modify(self, interface, serange, setype):
> self.begin()
> self.__modify(interface, serange, setype)
> @@ -1646,6 +1697,8 @@ class interfaceRecords(semanageRecords):
>
> semanage_iface_key_free(k)
>
> + self.mylog.log_change("resrc=interface op=delete netif=%s" % interface)
> +
> def delete(self, interface):
> self.begin()
> self.__delete(interface)
> @@ -1775,6 +1828,8 @@ class fcontextRecords(semanageRecords):
> if i.startswith(target + "/"):
> raise ValueError(_("File spec %s conflicts with equivalency rule '%s %s'") % (target, i, fdict[i]))
>
> + self.mylog.log_change("resrc=fcontext op=add-equal %s %s" % (audit.audit_encode_nv_string("sglob", target, 0), audit.audit_encode_nv_string("tglob", substitute, 0)))
> +
> self.equiv[target] = substitute
> self.equal_ind = True
> self.commit()
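Review bot: `audit.audit_encode_nv_string(...)` is called unconditionally here (and in the other fcontext hunks), but the `audit` module is imported inside a try/except at the top of the file whose except branch defines the fallback `logger`; when that import fails, `audit` is unbound and these calls raise NameError before `log_change` runs, turning a missing python-audit package into a crash of `semanage fcontext`. Either provide a local encoder in the fallback path or guard these calls on the module being available.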
> @@ -1785,6 +1840,9 @@ class fcontextRecords(semanageRecords):
> raise ValueError(_("Equivalence class for %s does not exists") % target)
> self.equiv[target] = substitute
> self.equal_ind = True
> +
> + self.mylog.log_change("resrc=fcontext op=modify-equal %s %s" % (audit.audit_encode_nv_string("sglob", target, 0), audit.audit_encode_nv_string("tglob", substitute, 0)))
> +
> self.commit()
>
> def createcon(self, target, seuser="system_u"):
> @@ -1879,6 +1937,11 @@ class fcontextRecords(semanageRecords):
> semanage_fcontext_key_free(k)
> semanage_fcontext_free(fcontext)
>
> + if not seuser:
> + seuser = "system_u"
> +
> + self.mylog.log_change("resrc=fcontext op=add %s ftype=%s tcontext=%s:%s:%s:%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype], seuser, "object_r", type, serange))
> +
> def add(self, target, type, ftype="", serange="", seuser="system_u"):
> self.begin()
> self.__add(target, type, ftype, serange, seuser)
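Review bot: the `if not seuser: seuser = "system_u"` default is applied only after the fcontext has been created with whatever `seuser` was passed in, so if an empty value reaches this function the stored context and the logged `tcontext=` can disagree. Apply the default at the top of `__add` (and `__modify`) instead; `add()` already defaults the parameter to `"system_u"`, so this also makes clear which callers can pass an empty value.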
> @@ -1939,6 +2002,11 @@ class fcontextRecords(semanageRecords):
> semanage_fcontext_key_free(k)
> semanage_fcontext_free(fcontext)
>
> + if not seuser:
> + seuser = "system_u"
> +
> + self.mylog.log_change("resrc=fcontext op=modify %s ftype=%s tcontext=%s:%s:%s:%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype], seuser, "object_r", type, serange))
> +
> def modify(self, target, setype, ftype, serange, seuser):
> self.begin()
> self.__modify(target, setype, ftype, serange, seuser)
> @@ -1964,6 +2032,8 @@ class fcontextRecords(semanageRecords):
> raise ValueError(_("Could not delete the file context %s") % target)
> semanage_fcontext_key_free(k)
>
> + self.mylog.log_change("resrc=fcontext op=delete %s ftype=%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype_str]))
> +
> self.equiv = {}
> self.equal_ind = True
> self.commit()
> @@ -1972,6 +2042,9 @@ class fcontextRecords(semanageRecords):
> if target in self.equiv.keys():
> self.equiv.pop(target)
> self.equal_ind = True
> +
> + self.mylog.log_change("resrc=fcontext op=delete-equal %s ftype=%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype]))
> +
> return
>
> (rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype])
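Review bot: the `delete-equal` record is inconsistent with `add-equal` and `modify-equal`, which log the pair as `sglob`/`tglob`: here the source glob is logged under `tglob` and an `ftype=` is added although equivalence rules carry no file type. Log it as `sglob` and drop `ftype` so the three equivalence operations can be matched up in ausearch output.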
> @@ -1996,6 +2069,8 @@ class fcontextRecords(semanageRecords):
>
> semanage_fcontext_key_free(k)
>
> + self.mylog.log_change("resrc=fcontext op=delete %s ftype=%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype]))
> +
> def delete(self, target, ftype):
> self.begin()
> self.__delete(target, ftype)
>
--
James Carter <jwcart2-+05T5uksL2qpZYMLLGbcSA@public.gmane.org>
National Security Agency
_______________________________________________
Selinux mailing list
Selinux-+05T5uksL2qpZYMLLGbcSA@public.gmane.org
To unsubscribe, send email to Selinux-leave-+05T5uksL2pAGbPMOrvdOA@public.gmane.org
To get help, send an email containing "help" to Selinux-request-+05T5uksL2pAGbPMOrvdOA@public.gmane.org
* Re: Question about the a[[:digit:]+]\[.*\] fields
From: Paul Moore @ 2016-08-08 13:03 UTC (permalink / raw)
To: Mateusz Piotrowski; +Cc: linux-audit, Konrad Witaszczyk
In-Reply-To: <106CB185-F7E5-4B4A-A3ED-64F5E3392086@FreeBSD.org>
On Mon, Aug 8, 2016 at 8:01 AM, Mateusz Piotrowski <0mp@freebsd.org> wrote:
> On 07 Aug 2016, at 20:51, Paul Moore <paul@paul-moore.com> wrote:
>
>> On Mon, Aug 1, 2016 at 10:46 AM, Steve Grubb <sgrubb@redhat.com> wrote:
>>> On Monday, August 1, 2016 12:16:30 AM EDT Mateusz Piotrowski wrote:
>>>> Hello,
>>>>
>>>> According to the field dictionary[1] there are fields which names are
>>>> defined by the following regex: "a[[:digit:]+]\[.*\]".
>>>>
>>>> I was able to find examples of fields like "a4" and "a5" (see [2]) but it
>>>> doesn't fit the regex which seems to require a pair of square brackets (so
>>>> "a4" should be "a4[]" or "a4[foo]"). I couldn't find any reference in the
>>>> Linux Audit source code.
>>>
>>> I think you have to have arguments that are larger than the audit record
>>> limit and so many arguments that you have multiple execve records to contain
>>> them all.
>>
>> Sorry for the delay in responding, but yes, that is mostly correct.
>> If there is an argument that spills across the boundary of a single
>> EXECVE record, either due to an exceptionally large size, or little
>> room remaining in the existing record, an argument length field is
>> added to the record (a2_len=x) and the argument value is split and
>> indexed (a2[0]=x ... a[n]=x).
>
> Could you please correct me if I am wrong? From what I understand
> (based on kernel/auditsc.c:audit_log_single_execve_arg()[2]) a
> correct set of fields could possibly look like this:
>
> a4_len=4 a4[0]=a a4[1]=n a4[2]=i a4[3]=a
That is correct, assuming that the a4_len and a4[0] field occur in one
record, a[1] in a second, a[2] in a third, and so on. You should
never see aX[n] and aX[n+1] in a single record; if you do, it's a bug :)
> as long as there are no unprintable control ascii characters (otherwise
> the a4_len field's value would be 8 as every character is printed in hex).
>
> How about the "a[[:digit:]+]_len" fields (for example a4_len)?
> Are they synonymous with the len field[1]?
The len field gets used for a lot of things, but for understanding
individual argument lengths, you should pay attention to the aX_len
field (when present).
>> The relevant code in the kernel just changed over the past few weeks
>> to correct some problems, so there are some subtle differences between
>> old code and what you will find in Linus' tree at the moment, but none
>> of those changes should affect the regex you've described.
>
> I'd appreciate if you could point me to a web server where I can download
> the kernel's source code you write about. I do not deal with Linux Kernel
> source code on a daily basis and search engines don't produce obvious results.
When in doubt, Google is generally very helpful, but here is a link:
* https://www.kernel.org
--
paul moore
www.paul-moore.com
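The reassembly rules Paul and Mateusz describe above, as an added example that is not code from the linux-audit project: a parser that groups EXECVE records by event id, rebuilds each argument from its aN[i] chunks, hex-decodes encoded values (the same quoted-or-hex convention that audit_encode_nv_string produces for the tglob values in the semanage patch earlier on this page), checks the pieces against aN_len and argc, and flags the case Paul calls a bug, two chunks of one argument in a single record. The record text is constructed for the example, and aN_len is taken at face value as the on-wire length with quotes excluded, as the thread describes.

```python
"""Reassemble EXECVE argv fields from Linux audit records (added example)."""
import re
from collections import defaultdict

# One key=value token. Values are either "quoted" printable text (the kernel
# hex-encodes anything that would need escaping, so there are no escapes
# inside the quotes) or a bare token: hex digits for encoded values, plain
# text for fields such as argc=5 or the msg=audit(...) stamp.
TOKEN_RE = re.compile(r'(\S+?)=("[^"]*"|\S*)')
ARG_RE = re.compile(r'^a(\d+)(?:(_len)|\[(\d+)\])?$')   # a0, a4_len, a4[2]
HEX_RE = re.compile(r'^(?:[0-9A-Fa-f]{2})+$')

# Constructed for this example, not captured from a real system.
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1470645184.931:1196): arch=c000003e syscall=59 '
    'success=yes exit=0 comm="python" exe="/usr/bin/python2.7"',
    # a4 contains a newline, so it is hex-encoded and spread over 3 records
    'type=EXECVE msg=audit(1470645184.931:1196): argc=5 a0="python" a1="-c" '
    'a2="print" a3="x" a4_len=10 a4[0]=616e',
    'type=EXECVE msg=audit(1470645184.931:1196): a4[1]=0a69',
    'type=EXECVE msg=audit(1470645184.931:1196): a4[2]=61',
    # the common case: everything fits in one record, no index or length
    'type=EXECVE msg=audit(1470645184.931:1197): argc=2 a0="ls" a1="-l"',
    # two chunks of one argument in one record: the thread calls this a bug
    'type=EXECVE msg=audit(1470645184.931:1198): argc=2 a0="echo" a1_len=4 '
    'a1[0]="an" a1[1]="ia"',
]


def decode_value(raw):
    """On-wire EXECVE value -> bytes: strip the quotes, or hex-decode."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1].encode()
    if HEX_RE.match(raw):
        return bytes.fromhex(raw)
    raise ValueError("unexpected argument encoding: %r" % raw)


def wire_len(raw):
    """Length of a value as aN_len counts it: quotes excluded, hex as printed."""
    return len(raw) - 2 if raw.startswith('"') else len(raw)


def parse_record(line):
    """Split one audit line into (type, event id, [(key, raw value), ...])."""
    fields = TOKEN_RE.findall(line)
    rtype = event = None
    for key, value in fields:
        if key == "type":
            rtype = value
        elif key == "msg":                  # msg=audit(<time>:<serial>):
            event = value.rstrip(":")
    return rtype, event, fields


def reassemble_execve(lines):
    """Rebuild argv for every EXECVE event found in `lines`.

    Returns {event: {"argv": [bytes, ...], "problems": [str, ...]}}.  A
    problem is recorded when two chunks of one argument share a record,
    when chunk indexes have gaps, when the chunks do not add up to aN_len,
    or when the rebuilt argv does not match argc.
    """
    events = defaultdict(lambda: {"chunks": defaultdict(dict), "lens": {},
                                  "argc": None, "problems": []})
    for line in lines:
        rtype, event, fields = parse_record(line)
        if rtype != "EXECVE":
            continue
        ev = events[event]
        seen_here = set()                   # arguments chunked in this record
        for key, raw in fields:
            if key == "argc":
                ev["argc"] = int(raw)
                continue
            m = ARG_RE.match(key)
            if not m:
                continue
            arg = int(m.group(1))
            if m.group(2):                  # aN_len=<on-wire length>
                ev["lens"][arg] = int(raw)
                continue
            idx = int(m.group(3)) if m.group(3) is not None else 0
            if arg in seen_here:
                ev["problems"].append("a%d split twice in one record" % arg)
            seen_here.add(arg)
            ev["chunks"][arg][idx] = raw

    result = {}
    for event, ev in events.items():
        argv = []
        for arg in sorted(ev["chunks"]):
            pieces = ev["chunks"][arg]
            if sorted(pieces) != list(range(len(pieces))):
                ev["problems"].append("a%d has missing chunks" % arg)
            ordered = [pieces[i] for i in sorted(pieces)]
            total = sum(wire_len(p) for p in ordered)
            if arg in ev["lens"] and ev["lens"][arg] != total:
                ev["problems"].append("a%d_len=%d but chunks total %d"
                                      % (arg, ev["lens"][arg], total))
            # decoded chunk by chunk, so a quoted and a hex chunk of the
            # same argument are both handled
            argv.append(b"".join(decode_value(p) for p in ordered))
        if ev["argc"] is not None and ev["argc"] != len(argv):
            ev["problems"].append("argc=%d but %d arguments seen"
                                  % (ev["argc"], len(argv)))
        result[event] = {"argv": argv, "problems": ev["problems"]}
    return result


if __name__ == "__main__":
    for event, ev in sorted(reassemble_execve(SAMPLE_RECORDS).items()):
        print(event, [a.decode("utf-8", "backslashreplace") for a in ev["argv"]],
              ev["problems"] or "ok")
```

ausearch -i performs the same interpretation for you; the value of spelling it out is the checks: the "split twice in one record" case is the one Paul flags above as a kernel bug, and the aN_len and argc comparisons catch a record that was truncated or dropped between the EXECVE lines of one event.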
* Re: Question about the a[[:digit:]+]\[.*\] fields
From: Mateusz Piotrowski @ 2016-08-08 12:01 UTC (permalink / raw)
To: Paul Moore; +Cc: linux-audit, Konrad Witaszczyk
In-Reply-To: <CAHC9VhSBzbkFrFtCqKnMiXwH8OFcqzmz3_wa6N1rcYVvL+NnHQ@mail.gmail.com>
On 07 Aug 2016, at 20:51, Paul Moore <paul@paul-moore.com> wrote:
> On Mon, Aug 1, 2016 at 10:46 AM, Steve Grubb <sgrubb@redhat.com> wrote:
>> On Monday, August 1, 2016 12:16:30 AM EDT Mateusz Piotrowski wrote:
>>> Hello,
>>>
>>> According to the field dictionary[1] there are fields which names are
>>> defined by the following regex: "a[[:digit:]+]\[.*\]".
>>>
>>> I was able to find examples of fields like "a4" and "a5" (see [2]) but it
>>> doesn't fit the regex which seems to require a pair of square brackets (so
>>> "a4" should be "a4[]" or "a4[foo]"). I couldn't find any reference in the
>>> Linux Audit source code.
>>
>> I think you have to have arguments that are larger than the audit record
>> limit and so many arguments that you have multiple execve records to contain
>> them all.
>
> Sorry for the delay in responding, but yes, that is mostly correct.
> If there is an argument that spills across the boundary of a single
> EXECVE record, either due to an exceptionally large size, or little
> room remaining in the existing record, an argument length field is
> added to the record (a2_len=x) and the argument value is split and
> indexed (a2[0]=x ... a[n]=x).
Could you please correct me if I am wrong? From what I understand
(based on kernel/auditsc.c:audit_log_single_execve_arg()[2]) a
correct set of fields could possibly look like this:
a4_len=4 a4[0]=a a4[1]=n a4[2]=i a4[3]=a
as long as there are no unprintable control ascii characters (otherwise
the a4_len field's value would be 8 as every character is printed in hex).
How about the "a[[:digit:]+]_len" fields (for example a4_len)?
Are they synonymous with the len field[1]?
> The relevant code in the kernel just changed over the past few weeks
> to correct some problems, so there are some subtle differences between
> old code and what you will find in Linus' tree at the moment, but none
> of those changes should affect the regex you've described.
I'd appreciate if you could point me to a web server where I can download
the kernel's source code you write about. I do not deal with Linux Kernel
source code on a daily basis and search engines don't produce obvious results.
>>> My questions are:
>>> 1. Is this regex valid and up-to-date? Or is it an outdated rule which
>>> doesn't apply anymore?
>
> It is correct if the argument spills across a single EXECVE record
> boundary, but since the index (the number between the square brackets)
> is not optional it would fail for the more common, single EXECVE
> record case. You could also argue that the string match inside the
> square brackets should only match on a string of digits, but
> technically what is there does work.
OK, I get it. Thank you.
>>> 2. Could you suggest me where to look to see how those arguments to the
>>> execve syscall are handled?
>>
>> Handled where? Kernel? Userspace doesn't do much with any execve argument
>> except decode it.
>
> The kernel generates the EXECVE record in
> kernel/auditsc.c:audit_log_execve_info() and you can find a test for
> for the EXECVE record in the audit-testsuite (exec_execve).
>
> * https://github.com/linux-audit/audit-testsuite
Thanks. It clarifies a lot and will help me to advance with my GSoC project[3].
Cheers!
-m
[1]: https://github.com/linux-audit/audit-documentation/blob/master/specs/fields/field-dictionary.csv#L95
[2]: http://lxr.free-electrons.com/source/kernel/auditsc.c#L1095
[3]: https://wiki.freebsd.org/SummerOfCode2016/NonBSMtoBSMConversionTools
* Re: Question about the a[[:digit:]+]\[.*\] fields
From: Paul Moore @ 2016-08-07 18:51 UTC (permalink / raw)
To: Konrad Witaszczyk; +Cc: linux-audit
In-Reply-To: <37697145.Sr86xZ3kit@x2>
On Mon, Aug 1, 2016 at 10:46 AM, Steve Grubb <sgrubb@redhat.com> wrote:
> On Monday, August 1, 2016 12:16:30 AM EDT Mateusz Piotrowski wrote:
>> Hello,
>>
>> According to the field dictionary[1] there are fields which names are
>> defined by the following regex: "a[[:digit:]+]\[.*\]".
>>
>> I was able to find examples of fields like "a4" and "a5" (see [2]) but it
>> doesn't fit the regex which seems to require a pair of square brackets (so
>> "a4" should be "a4[]" or "a4[foo]"). I couldn't find any reference in the
>> Linux Audit source code.
>
> I think you have to have arguments that are larger than the audit record
> limit and so many arguments that you have multiple execve records to contain
> them all.
Sorry for the delay in responding, but yes, that is mostly correct.
If there is an argument that spills across the boundary of a single
EXECVE record, either due to an exceptionally large size, or little
room remaining in the existing record, an argument length field is
added to the record (a2_len=x) and the argument value is split and
indexed (a2[0]=x ... a[n]=x).
The relevant code in the kernel just changed over the past few weeks
to correct some problems, so there are some subtle differences between
old code and what you will find in Linus' tree at the moment, but none
of those changes should affect the regex you've described.
>> My questions are:
>> 1. Is this regex valid and up-to-date? Or is it an outdated rule which
>> doesn't apply anymore?
It is correct if the argument spills across a single EXECVE record
boundary, but since the index (the number between the square brackets)
is not optional it would fail for the more common, single EXECVE
record case. You could also argue that the string match inside the
square brackets should only match on a string of digits, but
technically what is there does work.
>> 2. Could you suggest me where to look to see how those arguments to the
>> execve syscall are handled?
>
> Handled where? Kernel? Userspace doesn't do much with any execve argument
> except decode it.
The kernel generates the EXECVE record in
kernel/auditsc.c:audit_log_execve_info() and you can find a test for
for the EXECVE record in the audit-testsuite (exec_execve).
* https://github.com/linux-audit/audit-testsuite
--
paul moore
www.paul-moore.com
* Re: [PATCH 0/5] Add support for sessionid user filters, sessionid_set and loginuid_set
From: Richard Guy Briggs @ 2016-08-02 16:30 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
In-Reply-To: <7465676.juF99Vr4t2@x2>
On 2016-08-02 09:58, Steve Grubb wrote:
> On Tuesday, August 2, 2016 9:25:44 AM EDT Steve Grubb wrote:
> > On Tuesday, August 2, 2016 8:56:35 AM EDT Richard Guy Briggs wrote:
> > > On 2016-08-02 08:16, Steve Grubb wrote:
> > > > On Tuesday, August 2, 2016 5:38:56 AM EDT Richard Guy Briggs wrote:
> > > > > Add support for sessionid, sessionid_set (first two patches) and
> > > > > loginuid_set (and auid_set) (third patch) in user filters. The first
> > > > >
> > > > > two are directly related to issue "ghak4":
> > > > > https://github.com/linux-audit/audit-kernel/issues/4
> > > > > https://github.com/linux-audit/audit-kernel/wiki/RFE-Session-ID-User-Filter
> > > > >
> > > > > The third is to support a kernel change from 3.10 and 3.19 to avoid
> > > > > using in-band values to indicate the loginuid is unset.
> > > >
> > > > Have the above three patches been tested on old kernels?
> > >
> > > Not yet. How do you usually add new features to userspace to guard
> > > against missing features from old kernels? Time to add a bit to the
> > > kernel audit status feature field?
> >
> > Yes. Otherwise you get EINVAL which doesn't let you explain what exactly is
> > wrong with the rule.
>
> Before you get too far...I just looked at the support being added in the first
> three patches. There is no code changing auditctl. Is there something missing?
I am pretty sure I looked through auditctl and in the three cases things
were simple enough that the fallthrough case was sufficient. Now that I
think about it, to avoid the ambiguity of -EINVAL, restricting the first
to a positive value and the 2nd and 3rd to true or false would remove
that ambiguity.
> -Steve
- RGB
--
Richard Guy Briggs <rgb@redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
^ permalink raw reply
* Re: [PATCH] Ignore tags and cscope output files.
From: Steve Grubb @ 2016-08-02 15:54 UTC (permalink / raw)
To: Richard Guy Briggs; +Cc: linux-audit
In-Reply-To: <1470126700-28455-1-git-send-email-rgb@redhat.com>
On Tuesday, August 2, 2016 4:31:40 AM EDT Richard Guy Briggs wrote:
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> ---
> trunk/.gitignore | 2 ++
> 1 files changed, 2 insertions(+), 0 deletions(-)
Applied. Thanks.
-Steve
^ permalink raw reply
* Re: How can I install the latest version of Linux Audit on CentOS 6.8? (Update on CentOS 7)
From: Mateusz Piotrowski @ 2016-08-02 14:21 UTC (permalink / raw)
To: linux-audit
In-Reply-To: <A0A484B9-D6EE-4DFB-BE27-27B40E4C503B@FreeBSD.org>
Hello,
On 18 Jul 2016, at 17:39, Mateusz Piotrowski <0mp@freebsd.org> wrote:
>> On 15 Jul 2016, at 15:17, Steve Grubb <sgrubb@redhat.com> wrote:
>> On Friday, July 15, 2016 2:52:02 PM EDT Mateusz Piotrowski wrote:
>>> Is there an easier way to get the latest Linux Audit version on my system?
>> Why wouldn't you start with the distribution tar file?
>> http://people.redhat.com/sgrubb/audit/audit-2.6.5.tar.gz
>
> I was able to install the latest version from the tar file using the following commands. Thanks Steve!
>
> curl -O http://people.redhat.com/sgrubb/audit/audit-2.6.5.tar.gz
> gzip -d audit-2.6.5.tar.gz
> tar xf audit-2.6.5.tar
> cd audit-2.6.5
> yum install autoconf automake libtool tcp_wrappers-devel openldap-devel
> # Python and libcap-ng didn't work for me.
> # This is why I set --with-python and --with-libcap-ng to no instead to yes.
> ./configure --sbindir=/sbin --with-python=no --with-libwrap --enable-gssapi-krb5=yes --with-libcap-ng=no
> make
> make install
>
> My CentOS is now running auditd version 2.6.5 (according to information within /var/log/audit/audit.log).
I just wanted to send an update to this thread - I successfully installed a fully featured audit-userspace on CentOS 7 x86_64
installed from a Minimal Install ISO.
Here's everything you need to build and install audit-userspace:
yum install libtool tcp_wrappers-devel openldap-devel python-devel libcap-ng-devel swig
./configure --sbindir=/sbin --with-python=yes --with-libwrap --enable-gssapi-krb5=yes --with-libcap-ng=yes
make
make install
Cheers!
-m
^ permalink raw reply
* Re: [PATCH 0/5] Add support for sessionid user filters, sessionid_set and loginuid_set
From: Steve Grubb @ 2016-08-02 13:58 UTC (permalink / raw)
To: linux-audit; +Cc: Richard Guy Briggs
In-Reply-To: <1631071.bJV1sPFgiU@x2>
On Tuesday, August 2, 2016 9:25:44 AM EDT Steve Grubb wrote:
> On Tuesday, August 2, 2016 8:56:35 AM EDT Richard Guy Briggs wrote:
> > On 2016-08-02 08:16, Steve Grubb wrote:
> > > On Tuesday, August 2, 2016 5:38:56 AM EDT Richard Guy Briggs wrote:
> > > > Add support for sessionid, sessionid_set (first two patches) and
> > > > loginuid_set (and auid_set) (third patch) in user filters. The first
> > > >
> > > > two are directly related to issue "ghak4":
> > > > https://github.com/linux-audit/audit-kernel/issues/4
> > > > https://github.com/linux-audit/audit-kernel/wiki/RFE-Session-ID-User-Filter
> > > >
> > > > The third is to support a kernel change from 3.10 and 3.19 to avoid
> > > > using in-band values to indicate the loginuid is unset.
> > >
> > > Have the above three patches been tested on old kernels?
> >
> > Not yet. How do you usually add new features to userspace to guard
> > against missing features from old kernels? Time to add a bit to the
> > kernel audit status feature field?
>
> Yes. Otherwise you get EINVAL which doesn't let you explain what exactly is
> wrong with the rule.
Before you get too far...I just looked at the support being added in the first
three patches. There is no code changing auditctl. Is there something missing?
-Steve
^ permalink raw reply
* Re: [PATCH 0/5] Add support for sessionid user filters, sessionid_set and loginuid_set
From: Steve Grubb @ 2016-08-02 13:25 UTC (permalink / raw)
To: Richard Guy Briggs; +Cc: linux-audit
In-Reply-To: <20160802125635.GX10734@madcap2.tricolour.ca>
On Tuesday, August 2, 2016 8:56:35 AM EDT Richard Guy Briggs wrote:
> On 2016-08-02 08:16, Steve Grubb wrote:
> > On Tuesday, August 2, 2016 5:38:56 AM EDT Richard Guy Briggs wrote:
> > > Add support for sessionid, sessionid_set (first two patches) and
> > > loginuid_set (and auid_set) (third patch) in user filters. The first
> > >
> > > two are directly related to issue "ghak4":
> > > https://github.com/linux-audit/audit-kernel/issues/4
> > > https://github.com/linux-audit/audit-kernel/wiki/RFE-Session-ID-User-Filter
> > >
> > > The third is to support a kernel change from 3.10 and 3.19 to avoid
> > > using in-band values to indicate the loginuid is unset.
> >
> > Have the above three patches been tested on old kernels?
>
> Not yet. How do you usually add new features to userspace to guard
> against missing features from old kernels? Time to add a bit to the
> kernel audit status feature field?
Yes. Otherwise you get EINVAL which doesn't let you explain what exactly is
wrong with the rule.
Thanks,
-Steve
> > > The last two patches are to add unset flags to sessionid and loginuid
> > > for ausearch and aureport. These two patches are extras and not
> > > required for basic support.
> >
> > I don't understand what the point of these last two items are. If the
> > session is not set, we have ses=4294967295 in the audit trail. That can
> > already be specified in ausearch as --session -1. I also am not sure that
> > session information makes any sense for aureport because we have aulast
> > which reports on session activity for users.
>
> I was starting to doubt the utility of these last two patches which is
> why I tagged them optional. Please use any bits or ideas that might be
> useful, otherwise drop them.
>
> > -Steve
>
> - RGB
>
> --
> Richard Guy Briggs <rgb@redhat.com>
> Kernel Security Engineering, Base Operating Systems, Red Hat
> Remote, Ottawa, Canada
> Voice: +1.647.777.2635, Internal: (81) 32635
^ permalink raw reply
* Re: [PATCH 0/5] Add support for sessionid user filters, sessionid_set and loginuid_set
From: Richard Guy Briggs @ 2016-08-02 12:56 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
In-Reply-To: <2972985.6eL3t5tKut@x2>
On 2016-08-02 08:16, Steve Grubb wrote:
> On Tuesday, August 2, 2016 5:38:56 AM EDT Richard Guy Briggs wrote:
> > Add support for sessionid, sessionid_set (first two patches) and
> > loginuid_set (and auid_set) (third patch) in user filters. The first
> > two are directly related to issue "ghak4":
> > https://github.com/linux-audit/audit-kernel/issues/4
> > https://github.com/linux-audit/audit-kernel/wiki/RFE-Session-ID-User-Filter
> >
> > The third is to support a kernel change from 3.10 and 3.19 to avoid
> > using in-band values to indicate the loginuid is unset.
>
> Have the above three patches been tested on old kernels?
Not yet. How do you usually add new features to userspace to guard
against missing features from old kernels? Time to add a bit to the
kernel audit status feature field?
> > The last two patches are to add unset flags to sessionid and loginuid
> > for ausearch and aureport. These two patches are extras and not
> > required for basic support.
>
> I don't understand what the point of these last two items are. If the session
> is not set, we have ses=4294967295 in the audit trail. That can already be
> specified in ausearch as --session -1. I also am not sure that session
> information makes any sense for aureport because we have aulast which reports
> on session activity for users.
I was starting to doubt the utility of these last two patches which is
why I tagged them optional. Please use any bits or ideas that might be
useful, otherwise drop them.
> -Steve
- RGB
--
Richard Guy Briggs <rgb@redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
^ permalink raw reply
* Re: [PATCH 0/5] Add support for sessionid user filters, sessionid_set and loginuid_set
From: Steve Grubb @ 2016-08-02 12:16 UTC (permalink / raw)
To: Richard Guy Briggs; +Cc: linux-audit
In-Reply-To: <1470130741-31650-1-git-send-email-rgb@redhat.com>
On Tuesday, August 2, 2016 5:38:56 AM EDT Richard Guy Briggs wrote:
> Add support for sessionid, sessionid_set (first two patches) and
> loginuid_set (and auid_set) (third patch) in user filters. The first
> two are directly related to issue "ghak4":
> https://github.com/linux-audit/audit-kernel/issues/4
> https://github.com/linux-audit/audit-kernel/wiki/RFE-Session-ID-User-Filter
>
> The third is to support a kernel change from 3.10 and 3.19 to avoid
> using in-band values to indicate the loginuid is unset.
Have the above three patches been tested on old kernels?
> The last two patches are to add unset flags to sessionid and loginuid
> for ausearch and aureport. These two patches are extras and not
> required for basic support.
I don't understand what the point of these last two items are. If the session
is not set, we have ses=4294967295 in the audit trail. That can already be
specified in ausearch as --session -1. I also am not sure that session
information makes any sense for aureport because we have aulast which reports
on session activity for users.
-Steve
^ permalink raw reply
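To make the in-band versus explicit-flag distinction argued in this thread concrete, here is an added example, not kernel code and not part of the series, written in user-space C: a model of the validation and matching rules the two kernel patches implement (bit operators rejected for `sessionid`, the sentinel `(unsigned int)-1` rejected as a filter value, `sessionid_set` limited to 0/1), run against constructed tasks. The field and operator names are hypothetical stand-ins for AUDIT_SESSIONID, AUDIT_SESSIONID_SET and the audit_comparator() operators; the equal/not-equal restriction on the `_set` field is an assumption about the fall-through the patch shares with AUDIT_LOGINUID_SET.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not kernel code: a user-space model of the rule validation
 * and matching semantics in the two kernel patches, written to show why a
 * separate "sessionid_set" field is needed instead of filtering on the
 * in-band unset value. The enum names are hypothetical stand-ins for
 * AUDIT_SESSIONID / AUDIT_SESSIONID_SET and the audit_comparator() operators.
 */
#define SESSIONID_UNSET ((uint32_t)-1)   /* what the log shows as ses=4294967295 */

enum field { F_SESSIONID, F_SESSIONID_SET };
enum op { OP_EQUAL, OP_NOT_EQUAL, OP_LT, OP_LE, OP_GT, OP_GE, OP_BITMASK, OP_BITTEST };

struct rule {
    enum field field;
    enum op op;
    uint32_t val;
};

static bool sessionid_valid(uint32_t sid)
{
    return sid != SESSIONID_UNSET;
}

/* Same operator table as audit_comparator(): 1 if "left op right" holds. */
static int compare(uint32_t left, enum op op, uint32_t right)
{
    switch (op) {
    case OP_EQUAL:     return left == right;
    case OP_NOT_EQUAL: return left != right;
    case OP_LT:        return left < right;
    case OP_LE:        return left <= right;
    case OP_GT:        return left > right;
    case OP_GE:        return left >= right;
    case OP_BITMASK:   return (left & right) == right;
    case OP_BITTEST:   return (left & right) != 0;
    }
    return 0;
}

/*
 * Mirrors what audit_field_valid() and audit_data_to_entry() do when a rule
 * is loaded: 0 if the rule is accepted, -EINVAL if it is rejected. The
 * operator restriction on the _SET field is an assumption (see lead-in).
 */
int rule_validate(const struct rule *r)
{
    switch (r->field) {
    case F_SESSIONID:
        if (r->op == OP_BITMASK || r->op == OP_BITTEST)
            return -EINVAL;   /* bit ops are only useful on syscall args */
        if (!sessionid_valid(r->val))
            return -EINVAL;   /* the in-band "unset" sentinel is not a filter value */
        return 0;
    case F_SESSIONID_SET:
        if (r->val != 0 && r->val != 1)
            return -EINVAL;   /* a flag: only 0 or 1 make sense */
        if (r->op != OP_EQUAL && r->op != OP_NOT_EQUAL)
            return -EINVAL;   /* assumption: ordering operators are meaningless on a flag */
        return 0;
    }
    return -EINVAL;
}

/* Mirrors the two cases added to audit_filter_rules(): 1 on match, 0 otherwise. */
int rule_matches(const struct rule *r, uint32_t task_sessionid)
{
    switch (r->field) {
    case F_SESSIONID:
        return compare(task_sessionid, r->op, r->val);
    case F_SESSIONID_SET:
        return compare(sessionid_valid(task_sessionid), r->op, r->val);
    }
    return 0;
}

int main(void)
{
    /* Constructed tasks: a daemon with no session, and a logged-in user's session. */
    const uint32_t tasks[] = { SESSIONID_UNSET, 150 };
    const struct rule rules[] = {
        { F_SESSIONID,     OP_GE,    100 },             /* "session >= 100": also true for unset */
        { F_SESSIONID_SET, OP_EQUAL, 0 },               /* "no session": what the new field is for */
        { F_SESSIONID,     OP_EQUAL, SESSIONID_UNSET }, /* in-band spelling: rejected at load */
    };

    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        int err = rule_validate(&rules[i]);
        if (err) {
            printf("rule %zu: rejected (%d)\n", i, err);
            continue;
        }
        for (size_t t = 0; t < sizeof tasks / sizeof tasks[0]; t++)
            printf("rule %zu vs ses=%u: %s\n", i, (unsigned)tasks[t],
                   rule_matches(&rules[i], tasks[t]) ? "match" : "no match");
    }
    return 0;
}
```

The first rule is the trap the separate field exists to avoid: `sessionid>=100` is satisfied by the unset session as well, because 4294967295 compares greater than any real session ID, so a rule meant to catch logged-in users quietly matches every daemon too. With the flag field the intent is unambiguous and the rejected third rule gives the loader a clear reason to fail instead of silently matching nothing.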
* [PATCH V2 2/2] audit: add AUDIT_SESSIONID_SET support
From: Richard Guy Briggs @ 2016-08-02 9:42 UTC (permalink / raw)
To: linux-audit, linux-kernel; +Cc: Richard Guy Briggs
In-Reply-To: <cover.1470129742.git.rgb@redhat.com>
Add AUDIT_SESSIONID_SET field to indicate the sessionID is set in
filters rather than depending on an in-band signal to indicate it.
https://github.com/linux-audit/audit-kernel/wiki/RFE-Session-ID-User-Filter
RFE Session ID User Filter
https://github.com/linux-audit/audit-kernel/issues/4
RFE: add a session ID filter to the kernel's user filter
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
include/linux/audit.h | 10 ++++++++++
include/uapi/linux/audit.h | 1 +
kernel/auditfilter.c | 3 +++
kernel/auditsc.c | 7 ++++---
4 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 9d4443f..2392442 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -552,6 +552,16 @@ static inline bool audit_loginuid_set(struct task_struct *tsk)
return uid_valid(audit_get_loginuid(tsk));
}
+static inline bool sessionid_valid(unsigned int sessionid)
+{
+ return sessionid != (unsigned int) -1;
+}
+
+static inline bool audit_sessionid_set(struct task_struct *tsk)
+{
+ return sessionid_valid(audit_get_sessionid(tsk));
+}
+
static inline void audit_log_string(struct audit_buffer *ab, const char *buf)
{
audit_log_n_string(ab, buf, strlen(buf));
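Review bot: `sessionid_valid()` hard-codes the unset sentinel as `(unsigned int) -1`; give it a named constant in the uapi header, because the same value is rejected by `audit_data_to_entry()` in the auditfilter.c hunk below and is what the log shows as `ses=4294967295`, and three spellings of one sentinel are how they drift apart. The `audit_sessionid_set()` / `audit_loginuid_set()` pairing is otherwise the right shape.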
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index b3140eb..a4048bc 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -253,6 +253,7 @@
#define AUDIT_OBJ_LEV_HIGH 23
#define AUDIT_LOGINUID_SET 24
#define AUDIT_SESSIONID 25 /* Session ID */
+#define AUDIT_SESSIONID_SET 26 /* Session ID set or not */
/* These are ONLY useful when checking
* at syscall exit time (AUDIT_AT_EXIT). */
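Review bot: the comment on `AUDIT_SESSIONID_SET` should say that the only meaningful values are 0 and 1, since that is what `audit_field_valid()` enforces below and a reader of the uapi header has no other way to learn it; the field name also needs an entry in the userspace field dictionary next to `sessionid`.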
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 1c60fcf..47eaaba 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -387,6 +387,7 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
case AUDIT_FILTERKEY:
break;
case AUDIT_LOGINUID_SET:
+ case AUDIT_SESSIONID_SET:
if ((f->val != 0) && (f->val != 1))
return -EINVAL;
/* FALL THROUGH */
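Review bot: sharing the 0/1 check and the fall-through with AUDIT_LOGINUID_SET is the right approach, but the `/* FALL THROUGH */` now covers two cases; confirm that whatever it falls into also restricts the operator, because a rule such as `sessionid_set<1` would otherwise pass `audit_field_valid()` and behave like `sessionid_set=0` without anyone having asked for that spelling.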
@@ -478,6 +479,8 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
goto exit_free;
break;
case AUDIT_SESSIONID:
+ if (!sessionid_valid(f->val))
+ goto exit_free;
case AUDIT_ARCH:
entry->rule.arch_f = f;
break;
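Review bot: the new `goto exit_free` under `case AUDIT_SESSIONID:` sits immediately before `case AUDIT_ARCH:` with no `/* FALL THROUGH */` marker, unlike the hunk above; add one. Behaviourally, a rule of `sessionid=-1` (the in-band unset value) is now rejected with -EINVAL rather than loaded, which is the point of the series, but the commit message should say so, and auditctl should map that spelling to `sessionid_set=0` rather than pass the raw value through, otherwise users get exactly the unexplained -EINVAL Steve warned about on the userspace thread.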
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 52f7a61..4df536b 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -447,7 +447,6 @@ static int audit_filter_rules(struct task_struct *tsk,
const struct cred *cred;
int i, need_sid = 1;
u32 sid;
- unsigned int sessionid;
cred = rcu_dereference_check(tsk->cred, tsk == current || task_creation);
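Review bot: this hunk deletes the `sessionid` local that patch 1/2 adds; squash the deletion into 1/2 so the series does not introduce and then remove the same declaration.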
@@ -511,8 +510,7 @@ static int audit_filter_rules(struct task_struct *tsk,
result = audit_gid_comparator(cred->fsgid, f->op, f->gid);
break;
case AUDIT_SESSIONID:
- sessionid = audit_get_sessionid(current);
- result = audit_comparator(sessionid, f->op, f->val);
+ result = audit_comparator(audit_get_sessionid(tsk), f->op, f->val);
break;
case AUDIT_PERS:
result = audit_comparator(tsk->personality, f->op, f->val);
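Review bot: changing `audit_get_sessionid(current)` to `audit_get_sessionid(tsk)` is a correctness fix that does not belong in the `_SET` patch: `audit_filter_rules()` is evaluated for `tsk`, which is not `current` on the task-creation path (the `tsk == current || task_creation` in the `rcu_dereference_check()` above is the reminder), so 1/2 as posted compares the wrong task's session. Move this line into 1/2 so each patch is correct on its own and the series bisects cleanly.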
@@ -614,6 +612,9 @@ static int audit_filter_rules(struct task_struct *tsk,
case AUDIT_LOGINUID_SET:
result = audit_comparator(audit_loginuid_set(tsk), f->op, f->val);
break;
+ case AUDIT_SESSIONID_SET:
+ result = audit_comparator(audit_sessionid_set(tsk), f->op, f->val);
+ break;
case AUDIT_SUBJ_USER:
case AUDIT_SUBJ_ROLE:
case AUDIT_SUBJ_TYPE:
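Review bot: the series is titled as a user filter, yet the only place `AUDIT_SESSIONID_SET` is compared is `audit_filter_rules()`; confirm that rules on the AUDIT_FILTER_USER list are evaluated by this function on the tree this targets, and that the audit-testsuite case linked from the cover letter loads a `user` rule rather than a syscall rule, otherwise the field would load fine and never match. Passing the bool from `audit_sessionid_set()` into `audit_comparator()` is fine given the 0/1 validation in auditfilter.c.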
--
1.7.1
^ permalink raw reply related
* [PATCH V2 1/2] audit: add support for session ID user filter
From: Richard Guy Briggs @ 2016-08-02 9:42 UTC (permalink / raw)
To: linux-audit, linux-kernel; +Cc: Richard Guy Briggs
In-Reply-To: <cover.1470129742.git.rgb@redhat.com>
Define AUDIT_SESSIONID in the uapi and add support for specifying user
filters based on the session ID.
https://github.com/linux-audit/audit-kernel/issues/4
RFE: add a session ID filter to the kernel's user filter
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
include/uapi/linux/audit.h | 1 +
kernel/auditfilter.c | 2 ++
kernel/auditsc.c | 5 +++++
3 files changed, 8 insertions(+), 0 deletions(-)
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index d820aa9..b3140eb 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -252,6 +252,7 @@
#define AUDIT_OBJ_LEV_LOW 22
#define AUDIT_OBJ_LEV_HIGH 23
#define AUDIT_LOGINUID_SET 24
+#define AUDIT_SESSIONID 25 /* Session ID */
/* These are ONLY useful when checking
* at syscall exit time (AUDIT_AT_EXIT). */
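Review bot: 25 becomes ABI once merged, and an older kernel answers a rule carrying it with a bare -EINVAL, which is the ambiguity raised on the userspace thread; pair the new field with a feature-bitmap bit so auditctl can tell an unsupported kernel from a malformed rule before it sends the rule.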
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 85d9cac..1c60fcf 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -363,6 +363,7 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
case AUDIT_EXIT:
case AUDIT_SUCCESS:
case AUDIT_INODE:
+ case AUDIT_SESSIONID:
/* bit ops are only useful on syscall args */
if (f->op == Audit_bitmask || f->op == Audit_bittest)
return -EINVAL;
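Review bot: placing AUDIT_SESSIONID with the integer fields that reject bit ops is right, but nothing in this patch rejects `(unsigned int)-1` as the value, so `sessionid=-1` loads as an ordinary comparison against the in-band unset sentinel, the convention the series sets out to retire; reject it in this patch rather than leaving 1/2 with behaviour that 2/2 then reverses.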
@@ -476,6 +477,7 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
if (!gid_valid(f->gid))
goto exit_free;
break;
+ case AUDIT_SESSIONID:
case AUDIT_ARCH:
entry->rule.arch_f = f;
break;
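Review bot: `entry->rule.arch_f = f;` looks wrong for a session ID: `arch_f` is the rule's architecture field, consulted when syscall rules need to know which arch the rule applies to, and pointing it at a session ID field hands that code a session number as an arch. If the intent is simply that AUDIT_SESSIONID needs no special conversion, give it its own `break;` instead of sharing the AUDIT_ARCH body; if `arch_f` really is wanted here, the commit message has to explain why.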
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index c65af21..52f7a61 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -447,6 +447,7 @@ static int audit_filter_rules(struct task_struct *tsk,
const struct cred *cred;
int i, need_sid = 1;
u32 sid;
+ unsigned int sessionid;
cred = rcu_dereference_check(tsk->cred, tsk == current || task_creation);
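Review bot: the `sessionid` temporary is used once and removed again by 2/2; drop it and compare `audit_get_sessionid()` inline in the hunk below, as the neighbouring `AUDIT_FSGID` case does with `cred->fsgid`.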
@@ -509,6 +510,10 @@ static int audit_filter_rules(struct task_struct *tsk,
case AUDIT_FSGID:
result = audit_gid_comparator(cred->fsgid, f->op, f->gid);
break;
+ case AUDIT_SESSIONID:
+ sessionid = audit_get_sessionid(current);
+ result = audit_comparator(sessionid, f->op, f->val);
+ break;
case AUDIT_PERS:
result = audit_comparator(tsk->personality, f->op, f->val);
break;
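Review bot: `audit_get_sessionid(current)` should be `audit_get_sessionid(tsk)`: this function filters on behalf of `tsk`, and on the task-creation path `tsk` is not `current` (that is what the `tsk == current || task_creation` check in the hunk above allows for), so the rule would be evaluated against the parent's session; the `AUDIT_PERS` case two lines down already uses `tsk->personality`. 2/2 fixes this silently; the fix belongs here.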
--
1.7.1
^ permalink raw reply related
* [PATCH V2 0/2] Add support for session ID user filtering
From: Richard Guy Briggs @ 2016-08-02 9:42 UTC (permalink / raw)
To: linux-audit, linux-kernel; +Cc: Richard Guy Briggs
https://github.com/linux-audit/audit-kernel/wiki/RFE-Session-ID-User-Filter
RFE Session ID User Filter
https://github.com/linux-audit/audit-kernel/issues/4
RFE: add a session ID filter to the kernel's user filter
See also the set of userspace support patches:
Add support for sessionid user filters, sessionid_set and loginuid_set
https://www.redhat.com/archives/linux-audit/2016-August/msg00005.html
and the test case:
https://github.com/rgbriggs/audit-testsuite/tree/ghak4-test-for-sessionID-user-filter
Richard Guy Briggs (2):
audit: add support for session ID user filter
audit: add AUDIT_SESSIONID_SET support
include/linux/audit.h | 10 ++++++++++
include/uapi/linux/audit.h | 2 ++
kernel/auditfilter.c | 5 +++++
kernel/auditsc.c | 6 ++++++
4 files changed, 23 insertions(+), 0 deletions(-)
^ permalink raw reply