Linux-audit Archive on lore.kernel.org
* Re: [PATCH V3 0/3] Add support for session ID user filtering
From: Paul Moore @ 2016-08-18 23:53 UTC (permalink / raw)
  To: Richard Guy Briggs, sgrubb; +Cc: linux-audit, linux-kernel
In-Reply-To: <cover.1471541331.git.rgb@redhat.com>

On Thu, Aug 18, 2016 at 1:43 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
> https://github.com/linux-audit/audit-kernel/wiki/RFE-Session-ID-User-Filter
> RFE Session ID User Filter
>
> https://github.com/linux-audit/audit-kernel/issues/4
> RFE: add a session ID filter to the kernel's user filter
>
> See also the set of userspace support patches:
>         Add support for sessionid user filters, sessionid_set and loginuid_set
>         https://www.redhat.com/archives/linux-audit/2016-August/msg00005.html
>         (userspace update expected to be posted 2016-08-18)
> and the test case:
>         https://github.com/rgbriggs/audit-testsuite/tree/ghak4-test-for-sessionID-user-filter
>
> This third patch is expected to have a merge conflict with:
>         "audit: add exclude filter extension to feature bitmap"
> posted on 2016-08-18.
>
> Richard Guy Briggs (3):
>   audit: add support for session ID user filter
>   audit: add AUDIT_SESSIONID_SET support
>   audit: add sessionid filter extension to feature bitmap
>
>  include/linux/audit.h      |   10 ++++++++++
>  include/uapi/linux/audit.h |    6 +++++-
>  kernel/auditfilter.c       |    5 +++++
>  kernel/auditsc.c           |    6 ++++++
>  4 files changed, 26 insertions(+), 1 deletions(-)

These patches look fine to me; the only comment I have is that these
should probably be combined into a single patch to avoid
cherry-picking of individual pieces, e.g. skipping the feature bitmap
or AUDIT_SESSION_SET support.  I can do that when I merge the patches,
no need to resend unless you really want to ...

However, the bigger issue is coordination with the userspace patches.
I really don't like merging kernel patches until Steve OK's the
corresponding userspace patches.

-- 
paul moore
www.paul-moore.com


* [userspace PATCH v2 3/3] Check sessionID* fields available in kernel
From: Richard Guy Briggs @ 2016-08-18 18:47 UTC (permalink / raw)
  To: linux-audit; +Cc: Richard Guy Briggs
In-Reply-To: <1471546054-4536-1-git-send-email-rgb@redhat.com>

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 trunk/lib/libaudit.c |    8 ++++++--
 trunk/lib/libaudit.h |    3 +++
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/trunk/lib/libaudit.c b/trunk/lib/libaudit.c
index 5ffb720..a254a01 100644
--- a/trunk/lib/libaudit.c
+++ b/trunk/lib/libaudit.c
@@ -1647,11 +1647,13 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
 			else 
 				return -21;
 			break;
+		case AUDIT_SESSIONID_SET:
+			if ((features & AUDIT_FEATURE_BITMAP_SESSIONID_FILTER) == 0)
+				return -30;
+			/* fallthrough */
 		case AUDIT_LOGINUID_SET:
 			if(!features)
 				return -30;
-			/* fallthrough */
-		case AUDIT_SESSIONID_SET:
 			if (flags != AUDIT_FILTER_EXCLUDE &&
 			    flags != AUDIT_FILTER_USER &&
 			    flags != AUDIT_FILTER_EXIT)
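Review bot: After the reorder, AUDIT_SESSIONID_SET passes its own AUDIT_FEATURE_BITMAP_SESSIONID_FILTER test and then falls through into the AUDIT_LOGINUID_SET test `if(!features)`, which cannot fire at that point because the 0x10 bit is already known to be set. That is harmless but reads as if both checks were required; extend the `/* fallthrough */` comment to say it exists only to share the filter-list and 0/1 validation. Since this hunk just moves the label that 2/3 placed below the feature check, consider folding it into 2/3 so sessionid_set is never accepted without a kernel-support test.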
@@ -1666,6 +1668,8 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
 				return -32;
 			break;
 		case AUDIT_SESSIONID:
+			if ((features & AUDIT_FEATURE_BITMAP_SESSIONID_FILTER) == 0)
+				return -30;
 			if (flags != AUDIT_FILTER_EXCLUDE &&
 			    flags != AUDIT_FILTER_USER &&
 			    flags != AUDIT_FILTER_EXIT)
diff --git a/trunk/lib/libaudit.h b/trunk/lib/libaudit.h
index f8007c1..14bbf2d 100644
--- a/trunk/lib/libaudit.h
+++ b/trunk/lib/libaudit.h
@@ -281,6 +281,9 @@ extern "C" {
 #ifndef AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND
 #define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND	0x00000008
 #endif
+#ifndef AUDIT_FEATURE_BITMAP_SESSIONID_FILTER
+#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER   0x00000010
+#endif
 
 /* Defines for interfield comparison update */
 #ifndef AUDIT_OBJ_UID
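Review bot: The fallback `#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER   0x00000010` separates name and value with spaces while the AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND line directly above uses a tab; pick one. The value agrees with the kernel-side define in "[PATCH V3 3/3] audit: add sessionid filter extension to feature bitmap", which is worth saying in the commit message, as this commit currently has no description beyond its subject line.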
-- 
1.7.1


* [userspace PATCH v2 2/3] Add sessionid_set option from kernel uapi macro AUDIT_SESSIONID_SET
From: Richard Guy Briggs @ 2016-08-18 18:47 UTC (permalink / raw)
  To: linux-audit; +Cc: Richard Guy Briggs
In-Reply-To: <1471546054-4536-1-git-send-email-rgb@redhat.com>

Add sessionid_set field option from kernel uapi macro SESSIONID_SET to
enable specifying that sessionID is set or not in user filters.

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 trunk/lib/fieldtab.h |    1 +
 trunk/lib/libaudit.c |    2 ++
 trunk/lib/libaudit.h |    4 ++++
 3 files changed, 7 insertions(+), 0 deletions(-)

diff --git a/trunk/lib/fieldtab.h b/trunk/lib/fieldtab.h
index 84acc08..eeb951e 100644
--- a/trunk/lib/fieldtab.h
+++ b/trunk/lib/fieldtab.h
@@ -34,6 +34,7 @@ _S(AUDIT_LOGINUID,     "loginuid"     )
 _S(AUDIT_LOGINUID_SET, "auid_set"     )
 _S(AUDIT_LOGINUID_SET, "loginuid_set" )
 _S(AUDIT_SESSIONID,    "sessionid"    )
+_S(AUDIT_SESSIONID_SET,"sessionid_set")
 _S(AUDIT_PERS,         "pers"         )
 _S(AUDIT_ARCH,         "arch"         )
 _S(AUDIT_MSGTYPE,      "msgtype"      )
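Review bot: The added entry `_S(AUDIT_SESSIONID_SET,"sessionid_set")` drops the space after the comma and the padding before the closing parenthesis that every neighbouring row uses, so the table columns no longer line up. Either widen the column for all rows or accept one over-long row, but keep the `, "` separator consistent.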
diff --git a/trunk/lib/libaudit.c b/trunk/lib/libaudit.c
index 38776f4..5ffb720 100644
--- a/trunk/lib/libaudit.c
+++ b/trunk/lib/libaudit.c
@@ -1650,6 +1650,8 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
 		case AUDIT_LOGINUID_SET:
 			if(!features)
 				return -30;
+			/* fallthrough */
+		case AUDIT_SESSIONID_SET:
 			if (flags != AUDIT_FILTER_EXCLUDE &&
 			    flags != AUDIT_FILTER_USER &&
 			    flags != AUDIT_FILTER_EXIT)
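Review bot: The `case AUDIT_SESSIONID_SET:` label is placed below `if(!features) return -30;`, so in this patch sessionid_set reaches the filter-list and boolean validation with no kernel-support check at all. The AUDIT_FEATURE_BITMAP_SESSIONID_FILTER test only arrives in 3/3, which also has to move this label; squashing the two patches, or adding the label above a feature test here, keeps every commit in the series safe to build and bisect.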
diff --git a/trunk/lib/libaudit.h b/trunk/lib/libaudit.h
index 95b7a78..f8007c1 100644
--- a/trunk/lib/libaudit.h
+++ b/trunk/lib/libaudit.h
@@ -381,6 +381,10 @@ extern "C" {
 #define AUDIT_SESSIONID			25
 #endif
 
+#ifndef AUDIT_SESSIONID_SET
+#define AUDIT_SESSIONID_SET		26
+#endif
+
 /* Architectures */
 #ifndef EM_ARM
 #define EM_ARM  40
-- 
1.7.1


* [userspace PATCH v2 1/3] Add userspace support for session ID user filter.
From: Richard Guy Briggs @ 2016-08-18 18:47 UTC (permalink / raw)
  To: linux-audit; +Cc: Richard Guy Briggs
In-Reply-To: <1471546054-4536-1-git-send-email-rgb@redhat.com>

Add support for the session ID user filter by adding the field name
"sessionid" using the kernel defined macro value AUDIT_SESSIONID.

https://github.com/linux-audit/audit-kernel/issues/4
RFE: add a session ID filter to the kernel's user filter

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 trunk/lib/errormsg.h |    1 +
 trunk/lib/fieldtab.h |    1 +
 trunk/lib/libaudit.c |   11 +++++++++++
 trunk/lib/libaudit.h |    4 ++++
 4 files changed, 17 insertions(+), 0 deletions(-)

diff --git a/trunk/lib/errormsg.h b/trunk/lib/errormsg.h
index 4a897be..2c6b9fa 100644
--- a/trunk/lib/errormsg.h
+++ b/trunk/lib/errormsg.h
@@ -68,5 +68,6 @@ static const struct msg_tab err_msgtab[] = {
     { -30,    2,    "Field option not supported by kernel:" },
     { -31,    1,    "can only be used with exit, user and exclude filter lists" },
     { -32,    2,    "-F value should be boolean 0 or 1 for" },
+    { -33,    2,    "-F value should be positive number for" },
 };
 #endif
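Review bot: The new -33 text "-F value should be positive number for" does not match the check it reports on: the AUDIT_SESSIONID case added in this patch accepts any value whose first character is a digit, so 0 passes. Reword to something like "-F value should be a number for", or reject 0 in the parser if positive really is the intent.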
diff --git a/trunk/lib/fieldtab.h b/trunk/lib/fieldtab.h
index 107157d..84acc08 100644
--- a/trunk/lib/fieldtab.h
+++ b/trunk/lib/fieldtab.h
@@ -33,6 +33,7 @@ _S(AUDIT_LOGINUID,     "auid"         )
 _S(AUDIT_LOGINUID,     "loginuid"     )
 _S(AUDIT_LOGINUID_SET, "auid_set"     )
 _S(AUDIT_LOGINUID_SET, "loginuid_set" )
+_S(AUDIT_SESSIONID,    "sessionid"    )
 _S(AUDIT_PERS,         "pers"         )
 _S(AUDIT_ARCH,         "arch"         )
 _S(AUDIT_MSGTYPE,      "msgtype"      )
diff --git a/trunk/lib/libaudit.c b/trunk/lib/libaudit.c
index 5ffc38c..38776f4 100644
--- a/trunk/lib/libaudit.c
+++ b/trunk/lib/libaudit.c
@@ -1663,6 +1663,17 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
 			else
 				return -32;
 			break;
+		case AUDIT_SESSIONID:
+			if (flags != AUDIT_FILTER_EXCLUDE &&
+			    flags != AUDIT_FILTER_USER &&
+			    flags != AUDIT_FILTER_EXIT)
+				return -31;
+			if (isdigit((char)*(v)))
+				rule->values[rule->field_count] =
+					strtol(v, NULL, 0);
+			else
+				return -33;
+			break;
 		case AUDIT_DEVMAJOR...AUDIT_INODE:
 		case AUDIT_SUCCESS:
 			if (flags != AUDIT_FILTER_EXIT)
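Review bot: The AUDIT_SESSIONID value parsing validates only the first character with `isdigit((char)*(v))` and then calls `strtol(v, NULL, 0)` with no end pointer, so input such as "12abc" is silently accepted as 12 and out-of-range input is not detected. The session ID is an unsigned int on the kernel side, so parse with strtoul(), pass an endptr, require `*endptr == '\0'`, check errno for ERANGE and reject values above UINT_MAX before storing into rule->values[]. The isdigit() argument should also be cast to unsigned char rather than char.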
diff --git a/trunk/lib/libaudit.h b/trunk/lib/libaudit.h
index f77691f..95b7a78 100644
--- a/trunk/lib/libaudit.h
+++ b/trunk/lib/libaudit.h
@@ -377,6 +377,10 @@ extern "C" {
 #define AUDIT_LOGINUID_SET		24
 #endif
 
+#ifndef AUDIT_SESSIONID
+#define AUDIT_SESSIONID			25
+#endif
+
 /* Architectures */
 #ifndef EM_ARM
 #define EM_ARM  40
-- 
1.7.1


* [userspace PATCH v2 0/3] Add support for sessionid user filters, sessionid_set
From: Richard Guy Briggs @ 2016-08-18 18:47 UTC (permalink / raw)
  To: linux-audit; +Cc: Richard Guy Briggs

Add support for sessionid, sessionid_set (first two patches) and
feature bitmap detection of the kernel feature (third patch) in user
filters.  This is to implement issue "ghak4":
	https://github.com/linux-audit/audit-kernel/issues/4
	https://github.com/linux-audit/audit-kernel/wiki/RFE-Session-ID-User-Filter

This patchset should be added after loginuid_set and exclude filter
extension to avoid merge conflicts.

Richard Guy Briggs (3):
  Add userspace support for session ID user filter.
  Add sessionid_set option from kernel uapi macro AUDIT_SESSIONID_SET
  Check sessionID* fields available in kernel

 trunk/lib/errormsg.h |    1 +
 trunk/lib/fieldtab.h |    2 ++
 trunk/lib/libaudit.c |   17 +++++++++++++++++
 trunk/lib/libaudit.h |   11 +++++++++++
 4 files changed, 31 insertions(+), 0 deletions(-)


* [userspace PATCH v2 2/2] Check exclude filter cred extension fields available in kernel
From: Richard Guy Briggs @ 2016-08-18 18:33 UTC (permalink / raw)
  To: linux-audit; +Cc: Richard Guy Briggs
In-Reply-To: <1471545200-3742-1-git-send-email-rgb@redhat.com>

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 trunk/lib/errormsg.h |    2 +-
 trunk/lib/libaudit.c |   39 ++++++++++++++++++++++-----------------
 trunk/lib/libaudit.h |    3 +++
 3 files changed, 26 insertions(+), 18 deletions(-)

diff --git a/trunk/lib/errormsg.h b/trunk/lib/errormsg.h
index 84bfdb3..4a897be 100644
--- a/trunk/lib/errormsg.h
+++ b/trunk/lib/errormsg.h
@@ -47,7 +47,7 @@ static const struct msg_tab err_msgtab[] = {
     { -9,    0,    "msgtype field can only be used with exclude filter list" },
     { -10,    0,    "Failed upgrading rule" },
     { -11,    0,    "String value too long" },
-    { -12,    0,    "Only msgtype field can be used with exclude filter" },
+    { -12,    0,    "Only msgtype, uid, gid, auid*, subj* fields can be used with exclude filter" },
     { -13,    1,    "only takes = or != operators" },
     { -14,    0,    "Permission can only contain  \'rwxa\'" },
     { -15,    2,    "-F unknown errno -"},
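Review bot: The reworded -12 message lists "msgtype, uid, gid, auid*, subj*" but the switch in libaudit.c also allows AUDIT_PID on the exclude list, so pid is missing from the text. Add it so the error tells the user the full set of accepted fields.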
diff --git a/trunk/lib/libaudit.c b/trunk/lib/libaudit.c
index 798b3c8..5ffc38c 100644
--- a/trunk/lib/libaudit.c
+++ b/trunk/lib/libaudit.c
@@ -1401,23 +1401,28 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
 		return -2;
 
 	/* Exclude filter can be used only with MSGTYPE and cred fields */
-	if (flags == AUDIT_FILTER_EXCLUDE)
-		switch(field) {
-			case AUDIT_PID:
-			case AUDIT_UID:
-			case AUDIT_GID:
-			case AUDIT_LOGINUID:
-			case AUDIT_LOGINUID_SET:
-			case AUDIT_MSGTYPE:
-			case AUDIT_SUBJ_USER:
-			case AUDIT_SUBJ_ROLE:
-			case AUDIT_SUBJ_TYPE:
-			case AUDIT_SUBJ_SEN:
-			case AUDIT_SUBJ_CLR:
-				break;
-			default:
-				return -12;
-		}
+	if (flags == AUDIT_FILTER_EXCLUDE) {
+		if ((features & AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND) == 0) {
+			if (field != AUDIT_MSGTYPE)
+				return -30;
+		} else
+			switch(field) {
+				case AUDIT_PID:
+				case AUDIT_UID:
+				case AUDIT_GID:
+				case AUDIT_LOGINUID:
+				case AUDIT_LOGINUID_SET:
+				case AUDIT_MSGTYPE:
+				case AUDIT_SUBJ_USER:
+				case AUDIT_SUBJ_ROLE:
+				case AUDIT_SUBJ_TYPE:
+				case AUDIT_SUBJ_SEN:
+				case AUDIT_SUBJ_CLR:
+					break;
+				default:
+					return -12;
+			}
+	}
 
 	rule->fields[rule->field_count] = field;
 	rule->fieldflags[rule->field_count] = op;
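Review bot: In the branch taken when AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND is not set, every field other than msgtype returns -30 ("Field option not supported by kernel"), including fields that the `switch` in the else branch would reject with -12 on any kernel. Run the switch first and return -30 only for fields that pass it, so the message tells the user whether a newer kernel would actually help. The `else` arm should also be braced to match the braced `if` arm.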
diff --git a/trunk/lib/libaudit.h b/trunk/lib/libaudit.h
index 0852bcc..f77691f 100644
--- a/trunk/lib/libaudit.h
+++ b/trunk/lib/libaudit.h
@@ -278,6 +278,9 @@ extern "C" {
 #ifndef AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH
 #define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH    0x00000004
 #endif
+#ifndef AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND
+#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND	0x00000008
+#endif
 
 /* Defines for interfield comparison update */
 #ifndef AUDIT_OBJ_UID
-- 
1.7.1


* [userspace PATCH v2 1/2] exclude filter: add support for user filter fields
From: Richard Guy Briggs @ 2016-08-18 18:33 UTC (permalink / raw)
  To: linux-audit; +Cc: Richard Guy Briggs
In-Reply-To: <1471545200-3742-1-git-send-email-rgb@redhat.com>

RFE: add additional fields for use in audit filter exclude rules
https://github.com/linux-audit/audit-kernel/issues/5

Enable the exclude filter to additionally filter on PID, UID, GID, AUID,
LOGINUID_SET, SUBJ_*.

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 trunk/docs/auditctl.8 |    2 +-
 trunk/lib/errormsg.h  |    2 +-
 trunk/lib/libaudit.c  |   24 ++++++++++++++++++++----
 3 files changed, 22 insertions(+), 6 deletions(-)

diff --git a/trunk/docs/auditctl.8 b/trunk/docs/auditctl.8
index ceb6c40..540ff70 100644
--- a/trunk/docs/auditctl.8
+++ b/trunk/docs/auditctl.8
@@ -76,7 +76,7 @@ Add a rule to the syscall exit list. This list is used upon exit from a system c
 Add a rule to the user message filter list. This list is used by the kernel to filter events originating in user space before relaying them to the audit daemon. It should be noted that the only fields that are valid are: uid, auid, gid, pid, subj_user, subj_role, subj_type, subj_sen, subj_clr, and msgtype. All other fields will be treated as non-matching. It should be understood that any event originating from user space from a process that has CAP_AUDIT_WRITE will be recorded into the audit trail. This means that the most likely use for this filter is with rules that have an action of never since nothing has to be done to allow events to be recorded.
 .TP
 .B exclude
-Add a rule to the event type exclusion filter list. This list is used to filter events that you do not want to see. For example, if you do not want to see any avc messages, you would using this list to record that. The message type that you do not wish to see is given with the msgtype field. 
+Add a rule to the event type exclusion filter list. This list is used to filter events that you do not want to see. For example, if you do not want to see any avc messages, you would using this list to record that.  Events can be excluded by process ID, user ID, group ID, login user ID, login user ID set, message type or subject context.
 .RE
 
 The following describes the valid \fIactions\fP for the rule:
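Review bot: The rewritten `exclude` paragraph keeps the broken sentence "you would using this list to record that" and adds a double space before "Events can be excluded"; since the line is being touched anyway, fix it to "you would use this list". The new sentence also names the fields descriptively ("login user ID set", "subject context") where the user-list paragraph above gives the literal -F names (uid, auid, gid, pid, subj_user, ...); listing the literal names here would let readers copy them into rules.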
diff --git a/trunk/lib/errormsg.h b/trunk/lib/errormsg.h
index c678315..84bfdb3 100644
--- a/trunk/lib/errormsg.h
+++ b/trunk/lib/errormsg.h
@@ -66,7 +66,7 @@ static const struct msg_tab err_msgtab[] = {
     { -28,    2,    "Too many fields in rule:" },
     { -29,    1,    "only takes = operator" },
     { -30,    2,    "Field option not supported by kernel:" },
-    { -31,    1,    "can only be used with exit and user filter lists" },
+    { -31,    1,    "can only be used with exit, user and exclude filter lists" },
     { -32,    2,    "-F value should be boolean 0 or 1 for" },
 };
 #endif
diff --git a/trunk/lib/libaudit.c b/trunk/lib/libaudit.c
index 236f8bc..798b3c8 100644
--- a/trunk/lib/libaudit.c
+++ b/trunk/lib/libaudit.c
@@ -1400,9 +1400,24 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
 	if ((field = audit_name_to_field(f)) < 0) 
 		return -2;
 
-	/* Exclude filter can be used only with MSGTYPE field */
-	if (flags == AUDIT_FILTER_EXCLUDE && field != AUDIT_MSGTYPE)
-		return -12; 
+	/* Exclude filter can be used only with MSGTYPE and cred fields */
+	if (flags == AUDIT_FILTER_EXCLUDE)
+		switch(field) {
+			case AUDIT_PID:
+			case AUDIT_UID:
+			case AUDIT_GID:
+			case AUDIT_LOGINUID:
+			case AUDIT_LOGINUID_SET:
+			case AUDIT_MSGTYPE:
+			case AUDIT_SUBJ_USER:
+			case AUDIT_SUBJ_ROLE:
+			case AUDIT_SUBJ_TYPE:
+			case AUDIT_SUBJ_SEN:
+			case AUDIT_SUBJ_CLR:
+				break;
+			default:
+				return -12;
+		}
 
 	rule->fields[rule->field_count] = field;
 	rule->fieldflags[rule->field_count] = op;
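Review bot: The new switch accepts pid, uid, gid, loginuid, loginuid_set and the subj_* fields on the exclude list without testing whether the running kernel supports them there; that test only appears in 2/2. Either squash the feature check into this patch or reorder the series so the bitmap test lands first. The multi-line `switch` hanging off `if (flags == AUDIT_FILTER_EXCLUDE)` should also get braces.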
@@ -1630,7 +1645,8 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
 		case AUDIT_LOGINUID_SET:
 			if(!features)
 				return -30;
-			if (flags != AUDIT_FILTER_USER &&
+			if (flags != AUDIT_FILTER_EXCLUDE &&
+			    flags != AUDIT_FILTER_USER &&
 			    flags != AUDIT_FILTER_EXIT)
 				return -31;
 			if (isdigit((char)*(v))) {
-- 
1.7.1


* [userspace PATCH v2 0/2] add support for more fields to the exclude filter
From: Richard Guy Briggs @ 2016-08-18 18:33 UTC (permalink / raw)
  To: linux-audit; +Cc: Richard Guy Briggs

Add userspace support for the exclude filter extension of subject
credentials, including detection of the feature in the kernel.

This set should be added after loginuid_set support and before sessionID
user filter support to avoid merge conflicts.

Richard Guy Briggs (2):
  exclude filter: add support for user filter fields
  Check exclude filter cred extension fields available in kernel

 trunk/docs/auditctl.8 |    2 +-
 trunk/lib/errormsg.h  |    4 ++--
 trunk/lib/libaudit.c  |   29 +++++++++++++++++++++++++----
 trunk/lib/libaudit.h  |    3 +++
 4 files changed, 31 insertions(+), 7 deletions(-)


* [userspace PATCH v2 2/2] Add user filter option loginuid_set from uapi macro AUDIT_LOGINUID_SET
From: Richard Guy Briggs @ 2016-08-18 18:18 UTC (permalink / raw)
  To: linux-audit; +Cc: Richard Guy Briggs
In-Reply-To: <1471544337-3108-1-git-send-email-rgb@redhat.com>

Add macro if not in headers, check for version or feature bitmap.
Check for user or exit list use, check for boolean.

See upstream kernel commits:
	780a7654cee8d61819512385e778e4827db4bfbc
	041d7b98ffe59c59fdd639931dea7d74f9aa9a59

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 trunk/lib/errormsg.h |    2 ++
 trunk/lib/fieldtab.h |    2 ++
 trunk/lib/libaudit.c |   15 +++++++++++++++
 trunk/lib/libaudit.h |    6 ++++++
 4 files changed, 25 insertions(+), 0 deletions(-)

diff --git a/trunk/lib/errormsg.h b/trunk/lib/errormsg.h
index a4602d5..c678315 100644
--- a/trunk/lib/errormsg.h
+++ b/trunk/lib/errormsg.h
@@ -66,5 +66,7 @@ static const struct msg_tab err_msgtab[] = {
     { -28,    2,    "Too many fields in rule:" },
     { -29,    1,    "only takes = operator" },
     { -30,    2,    "Field option not supported by kernel:" },
+    { -31,    1,    "can only be used with exit and user filter lists" },
+    { -32,    2,    "-F value should be boolean 0 or 1 for" },
 };
 #endif
diff --git a/trunk/lib/fieldtab.h b/trunk/lib/fieldtab.h
index bf48c95..107157d 100644
--- a/trunk/lib/fieldtab.h
+++ b/trunk/lib/fieldtab.h
@@ -31,6 +31,8 @@ _S(AUDIT_SGID,         "sgid"         )
 _S(AUDIT_FSGID,        "fsgid"        )
 _S(AUDIT_LOGINUID,     "auid"         )
 _S(AUDIT_LOGINUID,     "loginuid"     )
+_S(AUDIT_LOGINUID_SET, "auid_set"     )
+_S(AUDIT_LOGINUID_SET, "loginuid_set" )
 _S(AUDIT_PERS,         "pers"         )
 _S(AUDIT_ARCH,         "arch"         )
 _S(AUDIT_MSGTYPE,      "msgtype"      )
diff --git a/trunk/lib/libaudit.c b/trunk/lib/libaudit.c
index 566b89e..236f8bc 100644
--- a/trunk/lib/libaudit.c
+++ b/trunk/lib/libaudit.c
@@ -1627,6 +1627,21 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
 			else 
 				return -21;
 			break;
+		case AUDIT_LOGINUID_SET:
+			if(!features)
+				return -30;
+			if (flags != AUDIT_FILTER_USER &&
+			    flags != AUDIT_FILTER_EXIT)
+				return -31;
+			if (isdigit((char)*(v))) {
+				rule->values[rule->field_count] =
+					strtol(v, NULL, 0);
+				if (rule->values[rule->field_count] > 1)
+					return -32;
+			}
+			else
+				return -32;
+			break;
 		case AUDIT_DEVMAJOR...AUDIT_INODE:
 		case AUDIT_SUCCESS:
 			if (flags != AUDIT_FILTER_EXIT)
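Review bot: In the new AUDIT_LOGINUID_SET case, `if(!features)` only tests that the feature bitmap is non-zero, not a bit tied to loginuid_set, so it acts as a proxy for kernel age; add a one-line comment saying that, otherwise it looks like a forgotten mask. The value parsing checks just the first character with isdigit() and calls `strtol(v, NULL, 0)` without an end pointer, so "1abc" is accepted as 1; pass an endptr and reject trailing characters before the `> 1` test.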
diff --git a/trunk/lib/libaudit.h b/trunk/lib/libaudit.h
index 9640f17..0852bcc 100644
--- a/trunk/lib/libaudit.h
+++ b/trunk/lib/libaudit.h
@@ -369,6 +369,12 @@ extern "C" {
 #define AUDIT_COMPARE_SGID_TO_FSGID    25
 #endif
 
+/* Rule fields */
+#ifndef AUDIT_LOGINUID_SET
+#define AUDIT_LOGINUID_SET		24
+#endif
+
+/* Architectures */
 #ifndef EM_ARM
 #define EM_ARM  40
 #endif
-- 
1.7.1


* [userspace PATCH v2 1/2] get feature list only once
From: Richard Guy Briggs @ 2016-08-18 18:18 UTC (permalink / raw)
  To: linux-audit; +Cc: Richard Guy Briggs
In-Reply-To: <1471544337-3108-1-git-send-email-rgb@redhat.com>

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 trunk/lib/libaudit.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/trunk/lib/libaudit.c b/trunk/lib/libaudit.c
index 70b8ea8..566b89e 100644
--- a/trunk/lib/libaudit.c
+++ b/trunk/lib/libaudit.c
@@ -1345,6 +1345,7 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
 	int        vlen;
 	int        offset;
 	struct audit_rule_data *rule = *rulep;
+	uint32_t features = audit_get_features();
 
 	if (f == NULL)
 		return -1;
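Review bot: The initializer `uint32_t features = audit_get_features();` sits above the `if (f == NULL) return -1;` check, so the query now runs on every call to audit_rule_fieldpair_data(), including calls that fail immediately and calls for fields that never consult the bitmap; before this change it ran only for AUDIT_EXE. "Only once" in the subject is therefore once per call, not once per process. If audit_get_features() does not cache its result, assign `features` after the argument checks or cache it in a static, and say which in the commit message, which currently has no body.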
@@ -1508,7 +1509,6 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
 		case AUDIT_FILTERKEY:
 		case AUDIT_EXE:
 			if (field == AUDIT_EXE) {
-				uint32_t features = audit_get_features();
 				if ((features & AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH) == 0)
 					return -30;
 				if (op != AUDIT_EQUAL)
-- 
1.7.1


* [userspace PATCH v2 0/2] Add support for loginuid_set
From: Richard Guy Briggs @ 2016-08-18 18:18 UTC (permalink / raw)
  To: linux-audit; +Cc: Richard Guy Briggs

loginuid_set support should have been added to userspace when it was
added to the kernel around v3.10.  Add it before we do similar for
sessionID and sessionID_set.

There will be a number of users of features_bitmap within the same
function (exclude filter extension, sessionID filter), so refactor
audit_rule_fieldpair_data() to put audit_get_features earlier in the
function.

Richard Guy Briggs (2):
  get feature list only once
  Add user filter option loginuid_set from uapi macro
    AUDIT_LOGINUID_SET

 trunk/lib/errormsg.h |    2 ++
 trunk/lib/fieldtab.h |    2 ++
 trunk/lib/libaudit.c |   17 ++++++++++++++++-
 trunk/lib/libaudit.h |    6 ++++++
 4 files changed, 26 insertions(+), 1 deletions(-)


* [PATCH V3 3/3] audit: add sessionid filter extension to feature bitmap
From: Richard Guy Briggs @ 2016-08-18 17:43 UTC (permalink / raw)
  To: linux-audit, linux-kernel; +Cc: Richard Guy Briggs
In-Reply-To: <cover.1471541331.git.rgb@redhat.com>

Add to the audit feature bitmap to indicate availability of the
extension of the exclude and user filters to include sessionID.

RFE: add a session ID filter to the kernel's user filter
https://github.com/linux-audit/audit-kernel/issues/4

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 include/uapi/linux/audit.h |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index a4048bc..d4a9589 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -329,9 +329,11 @@ enum {
 #define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT	0x00000001
 #define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME	0x00000002
 #define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH	0x00000004
+#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER	0x00000010
 #define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT | \
 				  AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \
-				  AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH)
+				  AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH | \
+				  AUDIT_FEATURE_BITMAP_SESSIONID_FILTER)
 
 /* deprecated: AUDIT_VERSION_* */
 #define AUDIT_VERSION_LATEST 		AUDIT_FEATURE_BITMAP_ALL
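Review bot: AUDIT_FEATURE_BITMAP_SESSIONID_FILTER takes 0x00000010 and leaves 0x00000008 unassigned in this tree; the gap is only explained by the separate "audit: add exclude filter extension to feature bitmap" patch, which edits the same AUDIT_FEATURE_BITMAP_ALL continuation lines. Rebase this patch on top of that one, or at least note the reserved bit in a comment, so the conflict the cover letter expects cannot be resolved with one of the two bits dropped from AUDIT_FEATURE_BITMAP_ALL.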
-- 
1.7.1


* [PATCH V3 2/3] audit: add AUDIT_SESSIONID_SET support
From: Richard Guy Briggs @ 2016-08-18 17:43 UTC (permalink / raw)
  To: linux-audit, linux-kernel; +Cc: Richard Guy Briggs
In-Reply-To: <cover.1471541331.git.rgb@redhat.com>

Add AUDIT_SESSIONID_SET field to indicate the sessionID is set in
filters rather than depending on an in-band signal to indicate it.

https://github.com/linux-audit/audit-kernel/wiki/RFE-Session-ID-User-Filter
RFE Session ID User Filter

https://github.com/linux-audit/audit-kernel/issues/4
RFE: add a session ID filter to the kernel's user filter

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 include/linux/audit.h      |   10 ++++++++++
 include/uapi/linux/audit.h |    1 +
 kernel/auditfilter.c       |    3 +++
 kernel/auditsc.c           |    7 ++++---
 4 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/include/linux/audit.h b/include/linux/audit.h
index 9d4443f..2392442 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -552,6 +552,16 @@ static inline bool audit_loginuid_set(struct task_struct *tsk)
 	return uid_valid(audit_get_loginuid(tsk));
 }
 
+static inline bool sessionid_valid(unsigned int sessionid)
+{
+	return sessionid != (unsigned int) -1;
+}
+
+static inline bool audit_sessionid_set(struct task_struct *tsk)
+{
+	return sessionid_valid(audit_get_sessionid(tsk));
+}
+
 static inline void audit_log_string(struct audit_buffer *ab, const char *buf)
 {
 	audit_log_n_string(ab, buf, strlen(buf));
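Review bot: sessionid_valid() compares against a bare `(unsigned int) -1`; give the unset sentinel a named constant so the filter code and whatever assigns session IDs share one definition. The helper name also lacks the audit_ prefix that audit_loginuid_set() and audit_sessionid_set() carry, which matters for a static inline in a header as widely included as include/linux/audit.h.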
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index b3140eb..a4048bc 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -253,6 +253,7 @@
 #define AUDIT_OBJ_LEV_HIGH	23
 #define AUDIT_LOGINUID_SET	24
 #define AUDIT_SESSIONID	25	/* Session ID */
+#define AUDIT_SESSIONID_SET	26	/* Session ID set or not */
 
 				/* These are ONLY useful when checking
 				 * at syscall exit time (AUDIT_AT_EXIT). */
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 1c60fcf..47eaaba 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -387,6 +387,7 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
 	case AUDIT_FILTERKEY:
 		break;
 	case AUDIT_LOGINUID_SET:
+	case AUDIT_SESSIONID_SET:
 		if ((f->val != 0) && (f->val != 1))
 			return -EINVAL;
 	/* FALL THROUGH */
@@ -478,6 +479,8 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
 				goto exit_free;
 			break;
 		case AUDIT_SESSIONID:
+			if (!sessionid_valid(f->val))
+				goto exit_free;
 		case AUDIT_ARCH:
 			entry->rule.arch_f = f;
 			break;
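Review bot: After the new `if (!sessionid_valid(f->val)) goto exit_free;`, `case AUDIT_SESSIONID:` has no `break` and runs into `case AUDIT_ARCH:`, so `entry->rule.arch_f = f;` records the session ID field as the rule's arch field. Add a `break;` after the validity check; if the fallthrough were intentional it would need a comment like the FALL THROUGH marker used in audit_field_valid().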
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 52f7a61..4df536b 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -447,7 +447,6 @@ static int audit_filter_rules(struct task_struct *tsk,
 	const struct cred *cred;
 	int i, need_sid = 1;
 	u32 sid;
-	unsigned int sessionid;
 
 	cred = rcu_dereference_check(tsk->cred, tsk == current || task_creation);
 
@@ -511,8 +510,7 @@ static int audit_filter_rules(struct task_struct *tsk,
 			result = audit_gid_comparator(cred->fsgid, f->op, f->gid);
 			break;
 		case AUDIT_SESSIONID:
-			sessionid = audit_get_sessionid(current);
-			result = audit_comparator(sessionid, f->op, f->val);
+			result = audit_comparator(audit_get_sessionid(tsk), f->op, f->val);
 			break;
 		case AUDIT_PERS:
 			result = audit_comparator(tsk->personality, f->op, f->val);
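Review bot: Replacing `audit_get_sessionid(current)` with `audit_get_sessionid(tsk)` corrects code that 1/3 of this same series introduced, and the commit message for this patch (AUDIT_SESSIONID_SET support) does not mention it. Fold this hunk and the removal of the local `sessionid` variable into 1/3 so that patch is correct on its own.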
@@ -614,6 +612,9 @@ static int audit_filter_rules(struct task_struct *tsk,
 		case AUDIT_LOGINUID_SET:
 			result = audit_comparator(audit_loginuid_set(tsk), f->op, f->val);
 			break;
+		case AUDIT_SESSIONID_SET:
+			result = audit_comparator(audit_sessionid_set(tsk), f->op, f->val);
+			break;
 		case AUDIT_SUBJ_USER:
 		case AUDIT_SUBJ_ROLE:
 		case AUDIT_SUBJ_TYPE:
-- 
1.7.1


* [PATCH V3 1/3] audit: add support for session ID user filter
From: Richard Guy Briggs @ 2016-08-18 17:43 UTC (permalink / raw)
  To: linux-audit, linux-kernel; +Cc: Richard Guy Briggs
In-Reply-To: <cover.1471541331.git.rgb@redhat.com>

Define AUDIT_SESSIONID in the uapi and add support for specifying user
filters based on the session ID.

https://github.com/linux-audit/audit-kernel/issues/4
RFE: add a session ID filter to the kernel's user filter

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 include/uapi/linux/audit.h |    1 +
 kernel/auditfilter.c       |    2 ++
 kernel/auditsc.c           |    5 +++++
 3 files changed, 8 insertions(+), 0 deletions(-)

diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index d820aa9..b3140eb 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -252,6 +252,7 @@
 #define AUDIT_OBJ_LEV_LOW	22
 #define AUDIT_OBJ_LEV_HIGH	23
 #define AUDIT_LOGINUID_SET	24
+#define AUDIT_SESSIONID	25	/* Session ID */
 
 				/* These are ONLY useful when checking
 				 * at syscall exit time (AUDIT_AT_EXIT). */
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 85d9cac..1c60fcf 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -363,6 +363,7 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
 	case AUDIT_EXIT:
 	case AUDIT_SUCCESS:
 	case AUDIT_INODE:
+	case AUDIT_SESSIONID:
 		/* bit ops are only useful on syscall args */
 		if (f->op == Audit_bitmask || f->op == Audit_bittest)
 			return -EINVAL;
@@ -476,6 +477,7 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
 			if (!gid_valid(f->gid))
 				goto exit_free;
 			break;
+		case AUDIT_SESSIONID:
 		case AUDIT_ARCH:
 			entry->rule.arch_f = f;
 			break;
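Review bot: The new `case AUDIT_SESSIONID:` label is stacked directly on `case AUDIT_ARCH:`, so a session ID field executes `entry->rule.arch_f = f;` and is stored as the rule's arch field. If the field needs no per-field setup in audit_data_to_entry(), drop the label here; otherwise give it its own body ending in `break;`.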
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index c65af21..52f7a61 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -447,6 +447,7 @@ static int audit_filter_rules(struct task_struct *tsk,
 	const struct cred *cred;
 	int i, need_sid = 1;
 	u32 sid;
+	unsigned int sessionid;
 
 	cred = rcu_dereference_check(tsk->cred, tsk == current || task_creation);
 
@@ -509,6 +510,10 @@ static int audit_filter_rules(struct task_struct *tsk,
 		case AUDIT_FSGID:
 			result = audit_gid_comparator(cred->fsgid, f->op, f->gid);
 			break;
+		case AUDIT_SESSIONID:
+			sessionid = audit_get_sessionid(current);
+			result = audit_comparator(sessionid, f->op, f->val);
+			break;
 		case AUDIT_PERS:
 			result = audit_comparator(tsk->personality, f->op, f->val);
 			break;
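Review bot: `audit_get_sessionid(current)` reads the session ID of the calling task, while the neighbouring cases filter on `tsk` (for example `tsk->personality`) and the `rcu_dereference_check()` at the top of the function allows `tsk != current` when `task_creation` is set. Use `audit_get_sessionid(tsk)` so the rule is evaluated against the task being filtered; the local `sessionid` variable added in the previous hunk then becomes unnecessary.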
-- 
1.7.1


* [PATCH V3 0/3] Add support for session ID user filtering
From: Richard Guy Briggs @ 2016-08-18 17:43 UTC (permalink / raw)
  To: linux-audit, linux-kernel; +Cc: Richard Guy Briggs

https://github.com/linux-audit/audit-kernel/wiki/RFE-Session-ID-User-Filter
RFE Session ID User Filter
 
https://github.com/linux-audit/audit-kernel/issues/4
RFE: add a session ID filter to the kernel's user filter

See also the set of userspace support patches:
	Add support for sessionid user filters, sessionid_set and loginuid_set
	https://www.redhat.com/archives/linux-audit/2016-August/msg00005.html
	(userspace update expected to be posted 2016-08-18)
and the test case:
	https://github.com/rgbriggs/audit-testsuite/tree/ghak4-test-for-sessionID-user-filter

This third patch is expected to have a merge conflict with:
	"audit: add exclude filter extension to feature bitmap"
posted on 2016-08-18.

Richard Guy Briggs (3):
  audit: add support for session ID user filter
  audit: add AUDIT_SESSIONID_SET support
  audit: add sessionid filter extension to feature bitmap

 include/linux/audit.h      |   10 ++++++++++
 include/uapi/linux/audit.h |    6 +++++-
 kernel/auditfilter.c       |    5 +++++
 kernel/auditsc.c           |    6 ++++++
 4 files changed, 26 insertions(+), 1 deletions(-)


* [PATCH] audit: add exclude filter extension to feature bitmap
From: Richard Guy Briggs @ 2016-08-18 16:05 UTC (permalink / raw)
  To: linux-audit, linux-kernel; +Cc: Richard Guy Briggs

Add to the audit feature bitmap to indicate availability of the
extension of the exclude filter to include PID, UID, AUID, GID, SUBJ_*.

RFE: add additional fields for use in audit filter exclude rules
https://github.com/linux-audit/audit-kernel/issues/5

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 include/uapi/linux/audit.h |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index d820aa9..76c5e7e 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -327,9 +327,11 @@ enum {
 #define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT	0x00000001
 #define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME	0x00000002
 #define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH	0x00000004
+#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND	0x00000008
 #define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT | \
 				  AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \
-				  AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH)
+				  AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH | \
+				  AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND)
 
 /* deprecated: AUDIT_VERSION_* */
 #define AUDIT_VERSION_LATEST 		AUDIT_FEATURE_BITMAP_ALL
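
Review bot: the new AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND define has no
comment saying which exclude-filter fields it advertises; the commit
message lists PID, UID, AUID, GID and SUBJ_*, and that list belongs
next to the define, since the bit exists to indicate availability of
exactly those fields. Bit 0x00000008 is also the next free value, and
the sessionid series posted the same day already expects a conflict
with this patch, so whichever lands second needs a different bit and a
rebased AUDIT_FEATURE_BITMAP_ALL.
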
-- 
1.7.1


* Re: [PATCH] security: lsm_audit: print pid and tid
From: Paul Moore @ 2016-08-18 12:55 UTC (permalink / raw)
  To: Richard Guy Briggs; +Cc: Jeff Vander Stoep, selinux, linux-audit
In-Reply-To: <20160818055627.GH1304@madcap2.tricolour.ca>

On Thu, Aug 18, 2016 at 1:56 AM, Richard Guy Briggs <rgb@redhat.com> wrote:
> On 2016-08-17 16:58, Paul Moore wrote:
>> However, as far as I can see, the biggest problem with this patch is
>> that it adds a field in the middle of a record which will likely cause
>> the audit userspace tools to explode (or so I've been warned in the
>> past).  Steve, what say you about the userspace?
>
> Adding fields in the middle isn't necessarily a problem if it doesn't
> confuse the existing scanner, which can skip over fields about which it
> does not care.  I've carefully added fields in the middle in the past,
> trying my best to group it logically with the rest of the information as
> has been requested, I think: subject, action, object, result.

I've ranted about this before so I won't do it again here, but
ultimately the problem is that the guidance for userspace
applications/libraries has been that you can expect certain fields in
specific locations.

-- 
paul moore
www.paul-moore.com
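
The field-position concern in this exchange, as an added example that is not part of the original messages or of the audit userspace code: a positional reader breaks when tid= is inserted between pid= and comm=, while a reader that looks fields up by name does not. The records are constructed samples, the function names are hypothetical, and the decoder assumes the audit_log_untrustedstring() behaviour of emitting either a quoted string or an unquoted hex string.

```python
import re

# Constructed sample records (not from a real log): one event formatted
# without and with the tid= field this thread discusses.
OLD_RECORD = ('avc:  denied  { read } for  pid=4242 comm="worker" '
              'name="data" dev="sda1" ino=17')
NEW_RECORD = ('avc:  denied  { read } for  pid=4200 tid=4242 comm="worker" '
              'name="data" dev="sda1" ino=17')
# Here comm contains a space, so it is hex-encoded instead of quoted.
HEX_RECORD = ('avc:  denied  { read } for  pid=4200 tid=4242 '
              'comm=6D7920776F726B6572 name="data" dev="sda1" ino=17')

# Fields on this page that are written with audit_log_untrustedstring().
UNTRUSTED_FIELDS = {"comm", "ocomm"}

# key=value, where the value is a quoted string or a run of non-blanks
# (possibly empty).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')
HEX_RE = re.compile(r'[0-9A-Fa-f]+')


def decode_untrusted(raw):
    """Decode a value that is either "quoted" or hex-encoded."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if len(raw) % 2 == 0 and HEX_RE.fullmatch(raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw


def parse_positional(record):
    """Fragile reader: expects pid= then comm= right after 'for'."""
    tokens = record.split(" for ", 1)[1].split()
    pid_tok, comm_tok = tokens[0], tokens[1]
    if not pid_tok.startswith("pid=") or not comm_tok.startswith("comm="):
        raise ValueError("unexpected layout: %s %s" % (pid_tok, comm_tok))
    return {"pid": pid_tok[4:], "comm": decode_untrusted(comm_tok[5:])}


def parse_by_name(record):
    """Order-independent reader: collects every key=value pair by name."""
    fields = {}
    for key, raw in FIELD_RE.findall(record):
        if key in fields:
            continue  # keep the first occurrence of a repeated key
        if key in UNTRUSTED_FIELDS:
            # Only these fields may be hex; a numeric field such as
            # pid=4200 must not be run through the hex decoder.
            fields[key] = decode_untrusted(raw)
        else:
            fields[key] = raw.strip('"')
    return fields


if __name__ == "__main__":
    print(parse_positional(OLD_RECORD))
    try:
        parse_positional(NEW_RECORD)
    except ValueError as exc:
        print("positional reader failed:", exc)
    print(parse_by_name(NEW_RECORD))
    print(parse_by_name(HEX_RECORD)["comm"])
```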


* Re: [PATCH] security: lsm_audit: print pid and tid
From: Richard Guy Briggs @ 2016-08-18  5:56 UTC (permalink / raw)
  To: Paul Moore; +Cc: Jeff Vander Stoep, selinux, linux-audit
In-Reply-To: <CAHC9VhS=odoi8NFFGP36VAMcL_Gbbin+0pyTj-MNcsPZKit0GQ@mail.gmail.com>

On 2016-08-17 16:58, Paul Moore wrote:
> On Tue, Jul 26, 2016 at 10:54 AM, Jeff Vander Stoep <jeffv@google.com> wrote:
> > dump_common_audit_data() currently contains a field for pid, but the
> > value printed is actually the thread ID, tid. Update this value to
> > return the task group ID. Add a new field for tid. With this change
> > the values printed by audit now match the values returned by the
> > getpid() and gettid() syscalls.
> >
> > Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
> > ---
> >  security/lsm_audit.c | 7 +++++--
> >  1 file changed, 5 insertions(+), 2 deletions(-)
> 
> Hi Jeff,
> 
> Have you tested this against the audit-testsuite[1]?  We don't have an
> explicit PID test yet, but at least two of the tests do test it as a
> side effect.
> 
> Steve, I don't see the thread ID listed in the field dictionary, are
> you okay with using "tid" for this?

There is some naming confusion between userspace and kernel space with
pid vs. tid vs. tgid...

> However, as far as I can see, the biggest problem with this patch is
> that it adds a field in the middle of a record which will likely cause
> the audit userspace tools to explode (or so I've been warned in the
> past).  Steve, what say you about the userspace?

Adding fields in the middle isn't necessarily a problem if it doesn't
confuse the existing scanner, which can skip over fields about which it
does not care.  I've carefully added fields in the middle in the past,
trying my best to group it logically with the rest of the information as
has been requested, I think: subject, action, object, result.

> [1] https://github.com/linux-audit/audit-testsuite
> [2] https://github.com/linux-audit/audit-documentation/blob/master/specs/fields/field-dictionary.csv
> 
> > diff --git a/security/lsm_audit.c b/security/lsm_audit.c
> > index cccbf30..57f26c1 100644
> > --- a/security/lsm_audit.c
> > +++ b/security/lsm_audit.c
> > @@ -220,7 +220,8 @@ static void dump_common_audit_data(struct audit_buffer *ab,
> >          */
> >         BUILD_BUG_ON(sizeof(a->u) > sizeof(void *)*2);
> >
> > -       audit_log_format(ab, " pid=%d comm=", task_pid_nr(current));
> > +       audit_log_format(ab, " pid=%d tid=%d comm=", task_tgid_vnr(tsk),
> > +                       task_pid_vnr(tsk));
> >         audit_log_untrustedstring(ab, memcpy(comm, current->comm, sizeof(comm)));
> >
> >         switch (a->type) {
> > @@ -294,10 +295,12 @@ static void dump_common_audit_data(struct audit_buffer *ab,
> >         case LSM_AUDIT_DATA_TASK: {
> >                 struct task_struct *tsk = a->u.tsk;
> >                 if (tsk) {
> > -                       pid_t pid = task_pid_nr(tsk);
> > +                       pid_t pid = task_tgid_vnr(tsk);
> >                         if (pid) {
> >                                 char comm[sizeof(tsk->comm)];
> >                                 audit_log_format(ab, " opid=%d ocomm=", pid);
> > +                               audit_log_format(ab, " opid=%d otid=%d ocomm=",
> > +                                               pid, task_pid_vnr(tsk));
> >                                 audit_log_untrustedstring(ab,
> >                                     memcpy(comm, tsk->comm, sizeof(comm)));
> >                         }
> 
> -- 
> paul moore
> www.paul-moore.com
> 

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635


* Re: [PATCH] security: lsm_audit: print pid and tid
From: Paul Moore @ 2016-08-17 20:58 UTC (permalink / raw)
  To: Jeff Vander Stoep, sgrubb; +Cc: linux-audit, selinux
In-Reply-To: <1469544870-11574-1-git-send-email-jeffv@google.com>

On Tue, Jul 26, 2016 at 10:54 AM, Jeff Vander Stoep <jeffv@google.com> wrote:
> dump_common_audit_data() currently contains a field for pid, but the
> value printed is actually the thread ID, tid. Update this value to
> return the task group ID. Add a new field for tid. With this change
> the values printed by audit now match the values returned by the
> getpid() and gettid() syscalls.
>
> Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
> ---
>  security/lsm_audit.c | 7 +++++--
>  1 file changed, 5 insertions(+), 2 deletions(-)

Hi Jeff,

Have you tested this against the audit-testsuite[1]?  We don't have an
explicit PID test yet, but at least two of the tests do test it as a
side effect.

Steve, I don't see the thread ID listed in the field dictionary, are
you okay with using "tid" for this?

However, as far as I can see, the biggest problem with this patch is
that it adds a field in the middle of a record which will likely cause
the audit userspace tools to explode (or so I've been warned in the
past).  Steve, what say you about the userspace?

[1] https://github.com/linux-audit/audit-testsuite
[2] https://github.com/linux-audit/audit-documentation/blob/master/specs/fields/field-dictionary.csv

> diff --git a/security/lsm_audit.c b/security/lsm_audit.c
> index cccbf30..57f26c1 100644
> --- a/security/lsm_audit.c
> +++ b/security/lsm_audit.c
> @@ -220,7 +220,8 @@ static void dump_common_audit_data(struct audit_buffer *ab,
>          */
>         BUILD_BUG_ON(sizeof(a->u) > sizeof(void *)*2);
>
> -       audit_log_format(ab, " pid=%d comm=", task_pid_nr(current));
> +       audit_log_format(ab, " pid=%d tid=%d comm=", task_tgid_vnr(tsk),
> +                       task_pid_vnr(tsk));
>         audit_log_untrustedstring(ab, memcpy(comm, current->comm, sizeof(comm)));
>
>         switch (a->type) {
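
Review bot: the new audit_log_format() call passes tsk, but the line it
replaces and the comm= line directly below it use current, and the only
declaration of tsk visible in this patch is the one scoped inside the
LSM_AUDIT_DATA_TASK case in the next hunk. Unless tsk is declared at
function scope outside the context shown, this needs to be current (or
a local initialised from it). The move from task_pid_nr() to the _vnr()
helpers also changes the logged value from the ID in the initial PID
namespace to the ID as seen from the caller's PID namespace, which is
worth stating in the commit message.
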
> @@ -294,10 +295,12 @@ static void dump_common_audit_data(struct audit_buffer *ab,
>         case LSM_AUDIT_DATA_TASK: {
>                 struct task_struct *tsk = a->u.tsk;
>                 if (tsk) {
> -                       pid_t pid = task_pid_nr(tsk);
> +                       pid_t pid = task_tgid_vnr(tsk);
>                         if (pid) {
>                                 char comm[sizeof(tsk->comm)];
>                                 audit_log_format(ab, " opid=%d ocomm=", pid);
> +                               audit_log_format(ab, " opid=%d otid=%d ocomm=",
> +                                               pid, task_pid_vnr(tsk));
>                                 audit_log_untrustedstring(ab,
>                                     memcpy(comm, tsk->comm, sizeof(comm)));
>                         }
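
Review bot: in the LSM_AUDIT_DATA_TASK case the existing
audit_log_format(ab, " opid=%d ocomm=", pid) line is kept as context
and the new " opid=%d otid=%d ocomm=" call is added right after it, so
the record would carry opid= and ocomm= twice, the first ocomm= with no
value. The old call should be removed rather than left alongside the
new one.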

-- 
paul moore
www.paul-moore.com


* Re: [PATCH] semanage: add auditing of changes in records
From: Stephen Smalley @ 2016-08-17 18:50 UTC (permalink / raw)
  To: Miroslav Vadkerti, selinux-+05T5uksL2qpZYMLLGbcSA
  Cc: linux-audit-H+wXaHxf7aLQT0dZR+AlfA
In-Reply-To: <1469546125-19448-1-git-send-email-mvadkert-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>

On 07/26/2016 11:15 AM, Miroslav Vadkerti wrote:
> Common Criteria requirement FMT_MSA.1 needs any configuration change
> that affects enforcement of policy to be audited. This patch adds
> auditing of changes in security context mappings for network ports,
> interfaces, nodes and file contexts.
> 
> A new function log_change is introduced that audits additions,
> modification and removal of the mappings via the USER_MAC_CONFIG_CHANGE
> audit event.
> 
> The format of the audit events was discussed with the audit userspace
> maintainer.

This broke semanage fcontext -D.

#semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
#semanage fcontext -D
KeyError: all files


> 
> This patch resolves: https://bugzilla.redhat.com/show_bug.cgi?id=829175
> 
> Signed-off-by: Miroslav Vadkerti <mvadkert-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
> ---
>  policycoreutils/semanage/seobject.py | 75 ++++++++++++++++++++++++++++++++++++
>  1 file changed, 75 insertions(+)
> 
> diff --git a/policycoreutils/semanage/seobject.py b/policycoreutils/semanage/seobject.py
> index 3b0b108..7d6caa3 100644
> --- a/policycoreutils/semanage/seobject.py
> +++ b/policycoreutils/semanage/seobject.py
> @@ -82,6 +82,21 @@ file_type_str_to_option = {"all files": "a",
>                             "socket file": "s",
>                             "symbolic link": "l",
>                             "named pipe": "p"}
> +
> +proto_to_audit = {"tcp": 17,
> +                  "udp": 6,
> +                  "ipv4": 4,
> +                  "ipv6": 41}
> +
> +ftype_to_audit = {"": "any",
> +                  "b": "block",
> +                  "c": "char",
> +                  "d": "dir",
> +                  "f": "file",
> +                  "l": "symlink",
> +                  "p": "pipe",
> +                  "s": "socket"}
> +
>  try:
>      import audit
>  
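
Review bot: the tcp and udp values in proto_to_audit are swapped: the
IP protocol number for TCP is 6 and for UDP is 17, so as written port
records would be logged with the wrong proto= value. ftype_to_audit
also has a key for "" but none for "a", while file_type_str_to_option
just above maps "all files" to "a", so a lookup with either that option
letter or the long name raises KeyError; covering both spellings, or
looking up with a fallback, would keep the audit path from aborting the
operation.
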
> @@ -90,6 +105,7 @@ try:
>          def __init__(self):
>              self.audit_fd = audit.audit_open()
>              self.log_list = []
> +            self.log_change_list = []
>  
>          def log(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""):
>  
> @@ -109,10 +125,17 @@ try:
>          def log_remove(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""):
>              self.log_list.append([self.audit_fd, audit.AUDIT_ROLE_REMOVE, sys.argv[0], str(msg), name, 0, sename, serole, serange, oldsename, oldserole, oldserange, "", "", ""])
>  
> +        def log_change(self, msg):
> +            self.log_change_list.append([self.audit_fd, audit.AUDIT_USER_MAC_CONFIG_CHANGE, str(msg), "semanage", "", "", ""])
> +
>          def commit(self, success):
>              for l in self.log_list:
>                  audit.audit_log_semanage_message(*(l + [success]))
> +            for l in self.log_change_list:
> +                audit.audit_log_user_comm_message(*(l + [success]))
> +
>              self.log_list = []
> +            self.log_change_list = []
>  except:
>      class logger:
>  
> @@ -138,6 +161,9 @@ except:
>          def log_remove(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""):
>              self.log(msg, name, sename, serole, serange, oldsename, oldserole, oldserange)
>  
> +        def log_change(self, msg):
> +            self.log_list.append(" %s" % msg)
> +
>          def commit(self, success):
>              if success == 1:
>                  message = "Successful: "
> @@ -155,6 +181,9 @@ class nulllogger:
>      def log_remove(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""):
>          pass
>  
> +    def log_change(self, msg):
> +        pass
> +
>      def commit(self, success):
>          pass
>  
> @@ -1109,6 +1138,8 @@ class portRecords(semanageRecords):
>          semanage_port_key_free(k)
>          semanage_port_free(p)
>  
> +        self.mylog.log_change("resrc=port op=add lport=%s proto=%s tcontext=%s:%s:%s:%s" % (port, proto_to_audit[proto], "system_u", "object_r", type, serange))
> +
>      def add(self, port, proto, serange, type):
>          self.begin()
>          self.__add(port, proto, serange, type)
> @@ -1150,6 +1181,8 @@ class portRecords(semanageRecords):
>          semanage_port_key_free(k)
>          semanage_port_free(p)
>  
> +        self.mylog.log_change("resrc=port op=modify lport=%s proto=%s tcontext=%s:%s:%s:%s" % (port, proto_to_audit[proto], "system_u", "object_r", setype, serange))
> +
>      def modify(self, port, proto, serange, setype):
>          self.begin()
>          self.__modify(port, proto, serange, setype)
> @@ -1168,6 +1201,7 @@ class portRecords(semanageRecords):
>              low = semanage_port_get_low(port)
>              high = semanage_port_get_high(port)
>              port_str = "%s-%s" % (low, high)
> +
>              (k, proto_d, low, high) = self.__genkey(port_str, proto_str)
>              if rc < 0:
>                  raise ValueError(_("Could not create a key for %s") % port_str)
> @@ -1177,6 +1211,11 @@ class portRecords(semanageRecords):
>                  raise ValueError(_("Could not delete the port %s") % port_str)
>              semanage_port_key_free(k)
>  
> +            if low == high:
> +                port_str = low
> +
> +            self.mylog.log_change("resrc=port op=delete lport=%s proto=%s" % (port_str, proto_to_audit[proto_str]))
> +
>          self.commit()
>  
>      def __delete(self, port, proto):
> @@ -1199,6 +1238,8 @@ class portRecords(semanageRecords):
>  
>          semanage_port_key_free(k)
>  
> +        self.mylog.log_change("resrc=port op=delete lport=%s proto=%s" % (port, proto_to_audit[proto]))
> +
>      def delete(self, port, proto):
>          self.begin()
>          self.__delete(port, proto)
> @@ -1380,6 +1421,8 @@ class nodeRecords(semanageRecords):
>          semanage_node_key_free(k)
>          semanage_node_free(node)
>  
> +        self.mylog.log_change("resrc=node op=add laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, proto_to_audit[self.protocol[proto]], "system_u", "object_r", ctype, serange))
> +
>      def add(self, addr, mask, proto, serange, ctype):
>          self.begin()
>          self.__add(addr, mask, proto, serange, ctype)
> @@ -1421,6 +1464,8 @@ class nodeRecords(semanageRecords):
>          semanage_node_key_free(k)
>          semanage_node_free(node)
>  
> +        self.mylog.log_change("resrc=node op=modify laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, proto_to_audit[self.protocol[proto]], "system_u", "object_r", setype, serange))
> +
>      def modify(self, addr, mask, proto, serange, setype):
>          self.begin()
>          self.__modify(addr, mask, proto, serange, setype)
> @@ -1452,6 +1497,8 @@ class nodeRecords(semanageRecords):
>  
>          semanage_node_key_free(k)
>  
> +        self.mylog.log_change("resrc=node op=delete laddr=%s netmask=%s proto=%s" % (addr, mask, proto_to_audit[self.protocol[proto]]))
> +
>      def delete(self, addr, mask, proto):
>          self.begin()
>          self.__delete(addr, mask, proto)
> @@ -1581,6 +1628,8 @@ class interfaceRecords(semanageRecords):
>          semanage_iface_key_free(k)
>          semanage_iface_free(iface)
>  
> +        self.mylog.log_change("resrc=interface op=add netif=%s tcontext=%s:%s:%s:%s" % (interface, "system_u", "object_r", ctype, serange))
> +
>      def add(self, interface, serange, ctype):
>          self.begin()
>          self.__add(interface, serange, ctype)
> @@ -1618,6 +1667,8 @@ class interfaceRecords(semanageRecords):
>          semanage_iface_key_free(k)
>          semanage_iface_free(iface)
>  
> +        self.mylog.log_change("resrc=interface op=modify netif=%s tcontext=%s:%s:%s:%s" % (interface, "system_u", "object_r", setype, serange))
> +
>      def modify(self, interface, serange, setype):
>          self.begin()
>          self.__modify(interface, serange, setype)
> @@ -1646,6 +1697,8 @@ class interfaceRecords(semanageRecords):
>  
>          semanage_iface_key_free(k)
>  
> +        self.mylog.log_change("resrc=interface op=delete netif=%s" % interface)
> +
>      def delete(self, interface):
>          self.begin()
>          self.__delete(interface)
> @@ -1775,6 +1828,8 @@ class fcontextRecords(semanageRecords):
>                  if i.startswith(target + "/"):
>                      raise ValueError(_("File spec %s conflicts with equivalency rule '%s %s'") % (target, i, fdict[i]))
>  
> +        self.mylog.log_change("resrc=fcontext op=add-equal %s %s" % (audit.audit_encode_nv_string("sglob", target, 0), audit.audit_encode_nv_string("tglob", substitute, 0)))
> +
>          self.equiv[target] = substitute
>          self.equal_ind = True
>          self.commit()
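
Review bot: this log_change() call invokes
audit.audit_encode_nv_string() directly from fcontextRecords, outside
the logger class, but the top of the file wraps "import audit" in
try/except and falls back to a logger that does not need the module.
Where the import failed, the name audit is undefined here and the
equivalence add stops with NameError before self.equiv is updated. The
encoding should sit behind the logger classes so the fallback logger
and nulllogger paths keep working; the same applies to the other
fcontext hunks below.
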
> @@ -1785,6 +1840,9 @@ class fcontextRecords(semanageRecords):
>              raise ValueError(_("Equivalence class for %s does not exists") % target)
>          self.equiv[target] = substitute
>          self.equal_ind = True
> +
> +        self.mylog.log_change("resrc=fcontext op=modify-equal %s %s" % (audit.audit_encode_nv_string("sglob", target, 0), audit.audit_encode_nv_string("tglob", substitute, 0)))
> +
>          self.commit()
>  
>      def createcon(self, target, seuser="system_u"):
> @@ -1879,6 +1937,11 @@ class fcontextRecords(semanageRecords):
>          semanage_fcontext_key_free(k)
>          semanage_fcontext_free(fcontext)
>  
> +        if not seuser:
> +            seuser = "system_u"
> +
> +        self.mylog.log_change("resrc=fcontext op=add %s ftype=%s tcontext=%s:%s:%s:%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype], seuser, "object_r", type, serange))
> +
>      def add(self, target, type, ftype="", serange="", seuser="system_u"):
>          self.begin()
>          self.__add(target, type, ftype, serange, seuser)
> @@ -1939,6 +2002,11 @@ class fcontextRecords(semanageRecords):
>          semanage_fcontext_key_free(k)
>          semanage_fcontext_free(fcontext)
>  
> +        if not seuser:
> +            seuser = "system_u"
> +
> +        self.mylog.log_change("resrc=fcontext op=modify %s ftype=%s tcontext=%s:%s:%s:%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype], seuser, "object_r", type, serange))
> +
>      def modify(self, target, setype, ftype, serange, seuser):
>          self.begin()
>          self.__modify(target, setype, ftype, serange, seuser)
> @@ -1964,6 +2032,8 @@ class fcontextRecords(semanageRecords):
>                  raise ValueError(_("Could not delete the file context %s") % target)
>              semanage_fcontext_key_free(k)
>  
> +            self.mylog.log_change("resrc=fcontext op=delete %s ftype=%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype_str]))
> +
>          self.equiv = {}
>          self.equal_ind = True
>          self.commit()
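
Review bot: in the delete-all loop the lookup is
ftype_to_audit[ftype_str], but ftype_to_audit is keyed by the short
values ("", "b", "c", ...), not by the long names; if ftype_str holds a
name such as "all files" this raises KeyError, which matches the
"KeyError: all files" failure reported for semanage fcontext -D at the
top of this reply. Translate the name to its short form before the
lookup, or look it up with a default, so that building the audit
message cannot abort the deletion before self.commit().
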
> @@ -1972,6 +2042,9 @@ class fcontextRecords(semanageRecords):
>          if target in self.equiv.keys():
>              self.equiv.pop(target)
>              self.equal_ind = True
> +
> +            self.mylog.log_change("resrc=fcontext op=delete-equal %s ftype=%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype]))
> +
>              return
>  
>          (rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype])
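
Review bot: the delete-equal message encodes target as tglob and adds
ftype=, whereas add-equal and modify-equal log target as sglob and the
substitute as tglob, with no ftype. The same path therefore shows up
under different field names depending on the operation, and
ftype_to_audit[ftype] can raise KeyError on an equivalence rule, which
has no file type of its own. Log sglob= for target here and drop ftype=
from this message.
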
> @@ -1996,6 +2069,8 @@ class fcontextRecords(semanageRecords):
>  
>          semanage_fcontext_key_free(k)
>  
> +        self.mylog.log_change("resrc=fcontext op=delete %s ftype=%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype]))
> +
>      def delete(self, target, ftype):
>          self.begin()
>          self.__delete(target, ftype)
> 



* Re: Where can I find coding style guidelines for the Linux Audit framework source code?
From: Steve Grubb @ 2016-08-17 13:23 UTC (permalink / raw)
  To: linux-audit
In-Reply-To: <F5C3EECE-4B0F-472E-B1F5-BDCAA10B06C2@FreeBSD.org>

On Wednesday, August 17, 2016 3:02:36 PM EDT Mateusz Piotrowski wrote:
> I wonder if there is a document describing the preferred coding style
> of the Linux Audit framework source code.

No.

> Is it basically the style of the Linux Kernel[1]?

I have never used the kernel style. But if you look at the code, it's fairly
consistent - except that there are a whole lot of contributors over time. Not 
everyone followed the style exactly. I try to correct it over time. The main 
thing I hate is lines that are over 80 characters long or when a patch uses 
spaces and not tabs.


> Secondly, does it make sense to submit patches which fix style only?

I don't like to have a lot of code churn just for style. I tend to fix style 
either on patch submission. Or if it's big or I don't have time, I fix it when
I'm in that area.

 -Steve

 
> [1]: https://www.kernel.org/doc/Documentation/CodingStyle
> 


* Where can I find coding style guidelines for the Linux Audit framework source code?
From: Mateusz Piotrowski @ 2016-08-17 13:02 UTC (permalink / raw)
  To: linux-audit

Hello,

I wonder if there is a document describing the preferred coding style 
of the Linux Audit framework source code. Is it basically the style of
the Linux Kernel[1]?

Secondly, does it make sense to submit patches which fix style only?

Cheers,

Mateusz

[1]: https://www.kernel.org/doc/Documentation/CodingStyle


* Re: [GIT PULL] [PATCH v4 00/26] Delete CURRENT_TIME and CURRENT_TIME_SEC macros
From: Greg KH @ 2016-08-16 18:53 UTC (permalink / raw)
  To: Deepa Dinamani
  Cc: Dave Kleikamp, jfs-discussion-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f,
	Trond Myklebust, Adrian Hunter, Chris Mason, Andreas Dilger,
	Brian Uchino, Thomas Gleixner, Yan, Zheng, James E.J. Bottomley,
	Paul Moore, Linux SCSI List, y2038 Mailman List, Ilya Dryomov,
	linux-ext4-u79uwXL29TY76Z2rM5mHXA, Changman Lee,
	Evgeniy Dushistov, Arnd Bergmann, Mark Fasheh, Suma Ramars,
	John Stultz, Alexander Viro, David Sterba,
	Jaegeuk Kim <jaege>
In-Reply-To: <CABeXuvp027DZR0=zQPp86oGdi2B+Gh16z8_FyoY5UDUdHXAngA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>

On Tue, Aug 16, 2016 at 11:18:52AM -0700, Deepa Dinamani wrote:
> Thank you for the suggestion.
> 
> > Who are you expecting to pull this huge patch series?
> 
> The last pull request was addressed to Al as per Arnd's suggestion.
> I'm not completely sure who should it be addressed to.
> 
> > Why not just introduce the new api call, wait for that to be merged, and
> > then push the individual patches through the different subsystems?
> > After half of those get ignored, then provide a single set of patches
> > that can go through Andrew or my trees.
> 
> Arnd and I tried to do this a few ways.
> 
> We can try to introduce the api first like you suggest.
> 
> There are a few Acks already on the patches.
> And, patches 2-5 also need to be merged through some common tree like
> yours or Andrew's as you suggest.
> 
> So, if everyone is ok, I could do the following:
> 
> 1. Post patches 1-5 for rc-2.

-rc2 is already released, and we aren't adding new apis this late in the
release cycle, sorry.

> 2. Post all other patches to respective maintainers after rc-2
> 3. Then after patches get ignored or merged, post remaining as a
> series for you or Andrew to pick up.

The apis need to be aimed for 4.9-rc1, it's too late for 4.8, sorry.

greg k-h


* Re: [GIT PULL] [PATCH v4 00/26] Delete CURRENT_TIME and CURRENT_TIME_SEC macros
From: Deepa Dinamani @ 2016-08-16 18:18 UTC (permalink / raw)
  To: Greg KH
  Cc: Dave Kleikamp, jfs-discussion-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f,
	Trond Myklebust, Adrian Hunter, Chris Mason, Andreas Dilger,
	Brian Uchino, Thomas Gleixner, Yan, Zheng, James E.J. Bottomley,
	Paul Moore, Linux SCSI List, y2038 Mailman List, Ilya Dryomov,
	linux-ext4-u79uwXL29TY76Z2rM5mHXA, Changman Lee,
	Evgeniy Dushistov, Arnd Bergmann, Mark Fasheh, Suma Ramars,
	John Stultz, Alexander Viro, David Sterba,
	Jaegeuk Kim <jaege>
In-Reply-To: <20160815162312.GA19794-U8xfFu+wG4EAvxtiuMwx3w@public.gmane.org>

Thank you for the suggestion.

> Who are you expecting to pull this huge patch series?

The last pull request was addressed to Al as per Arnd's suggestion.
I'm not completely sure who should it be addressed to.

> Why not just introduce the new api call, wait for that to be merged, and
> then push the individual patches through the different subsystems?
> After half of those get ignored, then provide a single set of patches
> that can go through Andrew or my trees.

Arnd and I tried to do this a few ways.

We can try to introduce the api first like you suggest.

There are a few Acks already on the patches.
And, patches 2-5 also need to be merged through some common tree like
yours or Andrew's as you suggest.

So, if everyone is ok, I could do the following:

1. Post patches 1-5 for rc-2.
2. Post all other patches to respective maintainers after rc-2
3. Then after patches get ignored or merged, post remaining as a
series for you or Andrew to pick up.

-Deepa


* Re: [GIT PULL] [PATCH v4 00/26] Delete CURRENT_TIME and CURRENT_TIME_SEC macros
From: Greg KH @ 2016-08-15 16:23 UTC (permalink / raw)
  To: Deepa Dinamani
  Cc: shaggy-DgEjT+Ai2ygdnm+yROfE0A,
	jfs-discussion-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f,
	trond.myklebust-7I+n7zu2hftEKMMhf/gKZA,
	adrian.hunter-ral2JQCrhuEAvxtiuMwx3w, clm-b10kYP2dOMg,
	adilger.kernel-m1MBpc4rdrD3fQ9qLvQP4Q,
	buchino-FYB4Gu1CFyUAvxtiuMwx3w, tglx-hfZtesqFncYOwBW4kG4KsQ,
	zyan-H+wXaHxf7aLQT0dZR+AlfA,
	jejb-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8,
	paul-r2n+y4ga6xFZroRs9YW3xA, linux-scsi-u79uwXL29TY76Z2rM5mHXA,
	y2038-cunTk1MwBs8s++Sfvej+rw, idryomov-Re5JQEeQqe8AvxtiuMwx3w,
	linux-ext4-u79uwXL29TY76Z2rM5mHXA,
	cm224.lee-Sze3O3UU22JBDgjK7y7TUQ, dushistov-JGs/UdohzUI,
	arnd-r2nGTMty4D4, mfasheh-IBi9RG/b67k,
	sramars-FYB4Gu1CFyUAvxtiuMwx3w,
	john.stultz-QSEj5FYQhm4dnm+yROfE0A,
	viro-RmSDqhL/yNMiFSDQTTA3OLVCufUGDwFn, dsterba-IBi9RG/b67k,
	jaegeuk-DgEjT+Ai2ygdnm+yROfE0A, ceph-devel-u79uwXL29TY76Z2rM5mHXA,
	linux-nfs-u79uwXL29TY76Z2rM5mHXA, elder-DgEjT+Ai2ygdnm+yROfE0A,
	tytso-3s7WtUTddSA, sage-H+wXaHxf7aLQT0dZR+AlfA,
	martin.petersen-QHcLZuEGTsvQT0dZR+AlfA,
	dedekind1-Re5JQEeQqe8AvxtiuMwx3w, jbacik-b10kYP2dOMg,
	hiralpat-FYB4Gu1CFyUAvxtiuMwx3w,
	linux-kernel-u79uwXL29TY76Z2rM5mHXA,
	eparis-H+wXaHxf7aLQT0dZR+AlfA,
	linux-f2fs-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f,
	sfrench-eUNUBHrolfbYtjvyW6yDsg,
	linux-audit-H+wXaHxf7aLQT0dZR+AlfA,
	ocfs2-devel-N0ozoZBvEnonbStXaT1jcA
In-Reply-To: <1471128518-24075-1-git-send-email-deepa.kernel-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>

On Sat, Aug 13, 2016 at 03:48:12PM -0700, Deepa Dinamani wrote:
> The series is aimed at getting rid of CURRENT_TIME and CURRENT_TIME_SEC macros.
> The macros are not y2038 safe. There is no plan to transition them into being
> y2038 safe.
> ktime_get_* api's can be used in their place. And, these are y2038 safe.

Who are you expecting to pull this huge patch series?

Why not just introduce the new api call, wait for that to be merged, and
then push the individual patches through the different subsystems?
After half of those get ignored, then provide a single set of patches
that can go through Andrew or my trees.

thanks,

greg k-h


