Dispatcher - single line output (perl)
by Leigh Purdie
There have been a few requests on this list for a
single-line-per-event output format.
>From what I understand, supporting this feature in the kernel is a
little challenging due to the potential memory/cache requirements -
having to save off the 'pieces' of an event from initiation to exit,
could be quite expensive when we're talking in-kernel resources.
Hence, we're left with an audit output that could:
* Have an arbitrary number of lines per unique event,
* Be chronologically distributed in some cases (event lines may be
spread over several seconds),
* Be out of sequence (numerically - two lines from event A, might be
followed by 1 line from event B, then another line from event A,
followed by the rest of event B).
* Have multiple 'items' with the same name (eg: source/dest UID's for
a CHMOD have the same 'name/key', though they are on different lines).
(Please let me know if these assumptions are incorrect!)
However, the dispatcher infrastructure offers the potential to
implement this sort of functionality in user-space.
As such, I've been playing with some perl that should translate
SYSCALL events to something that should be reasonably parse-able by
follow-on processing applications that expect events in a single-line
form (eg: logwatch, a SQL-based data injector, Snare or Snare Server).
Here's a sample line. Note that events are in header/data format (tab
delimited between components, comma delimited within a component).
rhel4 LinuxKAudit event,11,20060509 06:36:25
user,0(root),0(root),0(root),0(root) process,25068,id
path,/usr/bin/id return,0,yes a0,9f96ba8 a1,9f96b28
a2,9f84b40 a3,9f96b28 arch,40000003 auid,4294967295
exe,/usr/bin/id fsgid,0 fsuid,0 items,2 sgid,0 suid,0
The program works roughly as follows:
while read line
break line up into key/value pairs
pop the key/value data into an associative array (with a key of the
event number)
if we have an items=x key/value pair saved off for this event
number, and we have 'x' PATH-related lines now, then we must have a
complete event. Push it out.
ALSO push out any events that we haven't had any new lines for, for
more than 15 seconds.
..
We also getpwname/getgrname (with an internal cache to avoid recursive
audit events), and an internal simple realpath() to turn
/path/to/blah/../../to/somewhere into /path/to/somewhere.
The raw perl is attached. Does anyone have any comments, or
suggestions? (I don't care about structure at this point - it's early
days yet - I'm sure perl aficionados could do the entire program in a
single line).
In particular, comments would be welcome on how to absolutely,
programatically determine when an 'event' is complete, and it is safe
to push out our final 'line'.
Regards,
Leigh.
18 years, 4 months
audit 1.2.4 released
by Steve Grubb
Hi,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit It will also be in rawhide
tomorrow. The Changelog is:
- Add support for the new filter key
- Update syscall tables for 2.6.17
- Add audit failure query function
- Switch out gethostbyname call with getaddrinfo
- Add audit by obj capability for 2.6.18 kernel
- Ausearch & aureport now fail if no args to -te
- New auditd.conf option to choose blocking/non-blocking dispatcher
communication
- Ausearch improved search by label
Please let me know if there are any problems with this release.
-Steve
18 years, 5 months
Logging failed open() calls on /var/log/audit/audit.log
by Robert Giles
Howdy folks - I'm running audit-1.2.2 with the latest audit-current git
tree (lspp.b20)...
The filesystem auditing seems to be working fine for all files *except*
the audit.log file.
For example, I do this:
auditctl -w /etc/shadow
auditctl -w /var/log/audit/audit.log
The audit daemon generates audit events for both successful and failed
open() calls to /etc/shadow, but only records *successful* accesses to
/var/log/audit/audit.log.
So if I attempt to access /etc/shadow as a regular user, a "success=no"
audit event is generated to indicate read failure - but if a regular user
attempts to read /var/log/audit/audit.log, nothing happens (no audit event
whatsoever is created).
*Successful* reads of /var/log/audit/audit.log (ie: as super-user) do
indeed generate the appropriate audit event in audit.log ("success=yes").
Is this the way the audit daemon is supposed to work? (some kind of race
condition if the audit daemon fully audits its own audit trail?)
(this question may seem unusual, but we're trying to audit "unsuccessful
attempts to access security-relevant objects"... the audit trail itself
constitutes a "security-relevant object").
Thanks again!
-----------------------------------------------------------
Robert Giles Group System Administrator
SPD/ARL:UT (512) 835-3077 � Fax (512) 490-4244
18 years, 6 months
[PATCH] Updated audit failure query functionality
by Lisa Smith
This is an updated patch for the audit failure query
functionality. The patch has been completely rewritten
to match the programming style and algorithms used in
auditd-config.c.
This patch introduces a new query function,
get_auditfail_action(enum auditfail_t *failmode), which
can be called to determine what action should be taken by
a service after audit_open() fails. The function will
read the tunable "failure_action" from the new
/etc/libaudit.conf file to determine what action should be
taken.
This patch provides easy expansion of the /etc/libaudit.conf
file to introduce new libaudit tunables if the need arises
in the future.
The audit_open() man page will be updated to reference this
query function, and a new man page will also be created for
get_auditfail_action().
Lisa
-------------------
libaudit.c | 246 +++++++++++++++++++++++++++++++++++++++++++++++++++++
libaudit.h | 11 ++
2 files changed, 257 insertions(+)
diff -burN orig/libaudit.c src/libaudit.c
--- orig/libaudit.c 2006-05-25 17:39:52.000000000 -0400
+++ src/libaudit.c 2006-06-26 15:00:56.000000000 -0400
@@ -42,13 +42,56 @@
#include "libaudit.h"
#include "private.h"
+/* Local prototypes */
+struct nv_pair
+{
+ const char *name;
+ const char *value;
+};
+
+struct kw_pair
+{
+ const char *name;
+ int (*parser)(const char *, int);
+};
+
+struct nv_list
+{
+ const char *name;
+ int option;
+};
+
+struct libaudit_conf
+{
+ auditfail_t failure_action;
+};
int audit_archadded = 0;
int audit_syscalladded = 0;
unsigned int audit_elf = 0U;
+static struct libaudit_conf config;
+static int load_libaudit_config();
+static char *get_line(FILE *f, char *buf);
+static int nv_split(char *buf, struct nv_pair *nv);
+static const struct kw_pair *kw_lookup(const char *val);
+static int audit_failure_parser(const char *val, int line);
static int name_to_uid(const char *name, uid_t *uid);
static int name_to_gid(const char *name, gid_t *gid);
+static const struct kw_pair keywords[] =
+{
+ {"failure_action", audit_failure_parser },
+ { NULL, NULL }
+};
+
+static const struct nv_list failure_actions[] =
+{
+ {"ignore", FA_IGNORE },
+ {"log", FA_LOG },
+ {"terminate", FA_TERMINATE },
+ { NULL, 0 }
+};
+
int audit_request_status(int fd)
{
@@ -68,6 +111,209 @@
return rc;
}
+/*
+ * Set everything to its default value
+*/
+static void clear_config()
+{
+ config.failure_action = FA_IGNORE;
+}
+
+static int load_libaudit_config()
+{
+ int fd, rc, lineno = 1;
+ struct stat st;
+ FILE *f;
+ char buf[128];
+
+ clear_config();
+
+ /* open the file */
+ rc = open(CONFIG_FILE, O_NOFOLLOW|O_RDONLY);
+ if (rc < 0) {
+ if (errno != ENOENT) {
+ audit_msg(LOG_ERR, "Error opening config file (%s)",
+ strerror(errno));
+ return 1;
+ }
+ audit_msg(LOG_WARNING,
+ "Config file %s doesn't exist, skipping", CONFIG_FILE);
+ return 0;
+ }
+ fd = rc;
+
+ /* check the file's permissions: owned by root, not world writable,
+ * not symlink.
+ */
+ audit_msg(LOG_DEBUG, "Config file %s opened for parsing",
+ CONFIG_FILE);
+ if (fstat(fd, &st) < 0) {
+ audit_msg(LOG_ERR, "Error fstat'ing config file (%s)",
+ strerror(errno));
+ return 1;
+ }
+ if (st.st_uid != 0) {
+ audit_msg(LOG_ERR, "Error - %s isn't owned by root",
+ CONFIG_FILE);
+ return 1;
+ }
+ if ((st.st_mode & S_IWOTH) == S_IWOTH) {
+ audit_msg(LOG_ERR, "Error - %s is world writable",
+ CONFIG_FILE);
+ return 1;
+ }
+ if (!S_ISREG(st.st_mode)) {
+ audit_msg(LOG_ERR, "Error - %s is not a regular file",
+ CONFIG_FILE);
+ return 1;
+ }
+
+ /* it's ok, read line by line */
+ f = fdopen(fd, "r");
+ if (f == NULL) {
+ audit_msg(LOG_ERR, "Error - fdopen failed (%s)",
+ strerror(errno));
+ return 1;
+ }
+
+ while (get_line(f, buf)) {
+ // convert line into name-value pair
+ const struct kw_pair *kw;
+ struct nv_pair nv;
+ rc = nv_split(buf, &nv);
+ switch (rc) {
+ case 0: // fine
+ break;
+ case 1: // not the right number of tokens.
+ audit_msg(LOG_ERR,
+ "Wrong number of arguments for line %d in %s",
+ lineno, CONFIG_FILE);
+ break;
+ case 2: // no '=' sign
+ audit_msg(LOG_ERR,
+ "Missing equal sign for line %d in %s",
+ lineno, CONFIG_FILE);
+ break;
+ default: // something else went wrong...
+ audit_msg(LOG_ERR,
+ "Unknown error for line %d in %s",
+ lineno, CONFIG_FILE);
+ break;
+ }
+ if (nv.name == NULL) {
+ lineno++;
+ continue;
+ }
+
+ /* identify keyword or error */
+ kw = kw_lookup(nv.name);
+ if (kw->name == NULL) {
+ audit_msg(LOG_ERR,
+ "Unknown keyword \"%s\" in line %d of %s",
+ nv.name, lineno, CONFIG_FILE);
+ fclose(f);
+ return 1;
+ }
+
+ /* dispatch to keyword's local parser */
+ rc = kw->parser(nv.value, lineno);
+ if (rc != 0) {
+ fclose(f);
+ return 1; // local parser puts message out
+ }
+
+ lineno++;
+ }
+
+ fclose(f);
+ return 0;
+}
+
+int get_auditfail_action(auditfail_t *failmode)
+{
+ if (load_libaudit_config())
+ *failmode = config.failure_action;
+ return 1;
+
+ *failmode = config.failure_action;
+ return 0;
+}
+
+
+static char *get_line(FILE *f, char *buf)
+{
+ if (fgets_unlocked(buf, 128, f)) {
+ /* remove newline */
+ char *ptr = strchr(buf, 0x0a);
+ if (ptr)
+ *ptr = 0;
+ return buf;
+ }
+ return NULL;
+}
+
+static int nv_split(char *buf, struct nv_pair *nv)
+{
+ /* Get the name part */
+ char *ptr;
+
+ nv->name = NULL;
+ nv->value = NULL;
+ ptr = strtok(buf, " ");
+ if (ptr == NULL)
+ return 0; /* If there's nothing, go to next line */
+ if (ptr[0] == '#')
+ return 0; /* If there's a comment, go to next line */
+ nv->name = ptr;
+
+ /* Check for a '=' */
+ ptr = strtok(NULL, " ");
+ if (ptr == NULL)
+ return 1;
+ if (strcmp(ptr, "=") != 0)
+ return 2;
+
+ /* get the value */
+ ptr = strtok(NULL, " ");
+ if (ptr == NULL)
+ return 1;
+ nv->value = ptr;
+
+ /* Make sure there's nothing else */
+ ptr = strtok(NULL, " ");
+ if (ptr)
+ return 1;
+
+ /* Everything is OK */
+ return 0;
+}
+
+static const struct kw_pair *kw_lookup(const char *val)
+{
+ int i = 0;
+ while (keywords[i].name != NULL) {
+ if (strcasecmp(keywords[i].name, val) == 0)
+ break;
+ i++;
+ }
+ return &keywords[i];
+}
+
+static int audit_failure_parser(const char *val, int line)
+{
+ int i;
+
+ audit_msg(LOG_DEBUG, "audit_failure_parser called with: %s", val);
+ for (i=0; failure_actions[i].name != NULL; i++) {
+ if (strcasecmp(val, failure_actions[i].name) == 0) {
+ config.failure_action = failure_actions[i].option;
+ return 0;
+ }
+ }
+ audit_msg(LOG_ERR, "Option %s not found - line %d", val, line);
+ return 1;
+}
+
int audit_set_enabled(int fd, uint32_t enabled)
{
int rc;
diff -burN orig/libaudit.h src/libaudit.h
--- orig/libaudit.h 2006-05-25 17:38:21.000000000 -0400
+++ src/libaudit.h 2006-06-26 14:58:53.000000000 -0400
@@ -248,6 +248,16 @@
MACH_ALPHA
} machine_t;
+/* These are the valid audit failure tunable enum values */
+typedef enum {
+ FA_IGNORE=0,
+ FA_LOG,
+ FA_TERMINATE
+} auditfail_t;
+
+/* #defines for the audit failure query */
+#define CONFIG_FILE "/etc/libaudit.conf"
+
/*
* audit_rule_data supports filter rules with both integer and string
* fields. It corresponds with AUDIT_ADD_RULE, AUDIT_DEL_RULE and
@@ -362,6 +372,7 @@
/* AUDIT_GET */
extern int audit_request_status(int fd);
extern int audit_is_enabled(int fd);
+extern int get_auditfail_action(auditfail_t *failmode);
/* AUDIT_SET */
typedef enum { WAIT_NO, WAIT_YES } rep_wait_t;
18 years, 6 months
[PATCH] audit tools: add filterkey support
by Amy Griffis
Hi Steve,
Here is the userspace patch I used to test the kernel filterkey patch.
Hope this helps,
Amy
---
lib/fieldtab.h | 1 +
lib/libaudit.c | 13 +++++++------
lib/libaudit.h | 4 ++++
src/auditctl.c | 5 +++++
4 files changed, 17 insertions(+), 6 deletions(-)
acece4c427812119ec1aac24fe5e8b58902985a9
diff --git a/lib/fieldtab.h b/lib/fieldtab.h
index a6f3121..a74754f 100644
--- a/lib/fieldtab.h
+++ b/lib/fieldtab.h
@@ -53,3 +53,4 @@ _S(AUDIT_ARG1, "a1" )
_S(AUDIT_ARG2, "a2" )
_S(AUDIT_ARG3, "a3" )
+_S(AUDIT_FILTERKEY, "filterkey")
diff --git a/lib/libaudit.c b/lib/libaudit.c
index b61df6c..48022df 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -827,6 +827,7 @@ int audit_rule_fieldpair(struct audit_ru
case AUDIT_SE_SEN:
case AUDIT_SE_CLR:
case AUDIT_WATCH:
+ case AUDIT_FILTERKEY:
return -10;
case AUDIT_DEVMAJOR...AUDIT_SUCCESS:
if (flags == AUDIT_FILTER_ENTRY)
@@ -946,17 +947,17 @@ int audit_rule_fieldpair_data(struct aud
else
return -8;
break;
+ case AUDIT_WATCH:
+ /* Watch is invalid on anything but exit */
+ if (flags != AUDIT_FILTER_EXIT)
+ return -7;
+ /* fallthrough */
case AUDIT_SE_USER:
case AUDIT_SE_ROLE:
case AUDIT_SE_TYPE:
case AUDIT_SE_SEN:
case AUDIT_SE_CLR:
- case AUDIT_WATCH:
- /* Watch is invalid on anything but exit */
- if ((flags != AUDIT_FILTER_EXIT) &&
- (field == AUDIT_WATCH))
- return -7;
-
+ case AUDIT_FILTERKEY:
rule->values[rule->field_count] = strlen(v);
offset = rule->buflen;
rule->buflen += strlen(v);
diff --git a/lib/libaudit.h b/lib/libaudit.h
index 8aab24e..c9e2ea4 100644
--- a/lib/libaudit.h
+++ b/lib/libaudit.h
@@ -214,6 +214,10 @@ extern "C" {
#define AUDIT_WATCH 105 /* This is a field in syscall rule */
#endif
+#ifndef AUDIT_FILTERKEY
+#define AUDIT_FILTERKEY 210
+#endif
+
/* This is new list defines from audit.h */
#ifndef AUDIT_FILTER_USER
#define AUDIT_FILTER_USER 0x00 /* Apply rule to user-generated messages */
diff --git a/src/auditctl.c b/src/auditctl.c
index 045a38d..168253f 100644
--- a/src/auditctl.c
+++ b/src/auditctl.c
@@ -967,6 +967,11 @@ static int audit_print_reply(struct audi
rep->ruledata->values[i],
&rep->ruledata->buf[boffset]);
boffset += rep->ruledata->values[i];
+ } else if (field == AUDIT_FILTERKEY) {
+ printf(" filterkey=%.*s",
+ rep->ruledata->values[i],
+ &rep->ruledata->buf[boffset]);
+ boffset += rep->ruledata->values[i];
} else {
printf(" %s%s%d", name,
audit_operator_to_symbol(op),
--
1.2.GIT
18 years, 6 months
Updating audit
by Steve
I would like to update audit so that I can use the new "rule filterkey"
feature. Can someone give me some direction in how to do this?
I am currently using:
Fedora Core 5
2.6.16-1.2212.2.8_FC6.lspp.34 kernel
audit-1.2.3-1
Thank you,
Steve
18 years, 6 months
Audit Wiki?
by Jonathan Abbey
Hi, all. We've been working on plotting a strategy for near-term
implementation of a NISPOM PL1 compliant installation here, and we're
hoping to move away from using Snare on a hand-hacked Linux kernel to
a more firm Linux 2.6 Audit basis.
One tool that I've found to be extremely valuable as I've tried to
plot out the issues involved has been an internal MediaWiki site that
we're running. I've sketched out summary documentation on the nature
and state of Linux 2.6 Audit, as well as how its design intersects
with SELinux and the role of polished user-fronting tools like Snare
in an Audit world.
This has been great, but our internal Wiki can only provide so much
value when there's perhaps two authors and a half-dozen audience
members for this content.
Is there any Wiki set up to support the 2.6 Audit work? Preferably
something that could be used for design documentation as well as
hands-on advice in implementing Audit against popular distributions.
I'd love to be able to document design issues for associated open
source tools like Snare on such a site, as well.
From what I can tell, the only web site set up to support Audit is
Steve Grubb's audit page at redhat.com.
Am I missing something?
If not, what would people think about establishing such a Wiki? I
could probably (read: haven't yet asked boss) set up such a Wiki on
our public-facing PHP server, but it might be better to host it
someplace more official.
Heck, it'd be great to just put some Audit-related pages on a general
kernel development wiki, but I don't know whether that exists, either.
Any suggestions?
Jon
--
-------------------------------------------------------------------------------
Jonathan Abbey jonabbey(a)arlut.utexas.edu
Applied Research Laboratories The University of Texas at Austin
GPG Key: 71767586 at keyserver pgp.mit.edu, http://www.ganymeta.org/workkey.gpg
18 years, 6 months
File watches supported in Audit 1.1.5 on Fedora Core 5?
by Jonathan Abbey
Hi, folks. I'm working on getting Audit working on Fedora Core 5,
using the latest assembly of RPMS from Fedora:
audit-libs-1.1.5-1
audit-libs-devel-1.1.5-1
audit-libs-python-1.1.5-1
audit-1.1.5-1
and I'm having quite a few problems with it. It appears that,
contrary to the man pages in the audit RPM, file watches are not
supported.
Likewise, many of the example rules in /usr/share/doc/audit-1.1.5/sample.rules,
such as
# Auditing failed opens
-a entry,always -S open -F success!=0
seem to be out of step with the actual rules supported by
/sbin/auditctl and/or the kernel. (I get the sensible 'Field success
cannot be checked at syscall entry' message).
Now, I understand from the Audit System FAQ at
http://people.redhat.com/sgrubb/audit/
that file watches in the kernel are being refactored to use inotify,
so I presume that explains why auditctl tells me that 'File system
watches not supported' when I run 'auditctl -L', and why it gives me a
vaguer complaint when I actually try to run 'auditctl -w'.
My questions are these:
Would the latest FC5 kernels support inotify-based file watches with a
more recent version of the Audit user tools?
Is there any up-to-date documentation that would serve me better than
that in the /usr/share/doc/audit-1.1.5 directory on FC5? I don't see
any on Steve Grubb's Audit page.
Thanks,
Jon
--
-------------------------------------------------------------------------------
Jonathan Abbey jonabbey(a)arlut.utexas.edu
Applied Research Laboratories The University of Texas at Austin
GPG Key: 71767586 at keyserver pgp.mit.edu, http://www.ganymeta.org/workkey.gpg
18 years, 6 months
File watching
by Steve
I have audit set to monitor all system calls for a file. I see some
system calls for it, but I think some may be missing... If I create the
file using vi, I only see an open followed by a stat64. Shouldn't there
be a write of some type? stat and open can't write to a file, can they?
Thanks,
Steve
18 years, 6 months
+ task-watchers-register-audit-task-watcher.patch added to -mm tree
by akpm@osdl.org
The patch titled
Task watchers: register audit task watcher
has been added to the -mm tree. Its filename is
task-watchers-register-audit-task-watcher.patch
See http://www.zip.com.au/~akpm/linux/patches/stuff/added-to-mm.txt to find
out what to do about this
------------------------------------------------------
Subject: Task watchers: register audit task watcher
From: Matt Helsley <matthltc(a)us.ibm.com>
Adapt audit to use task watchers.
Signed-off-by: Matt Helsley <matthltc(a)us.ibm.com>
Cc: David Woodhouse <dwmw2(a)infradead.org>
Cc: <linux-audit(a)redhat.com>
Signed-off-by: Andrew Morton <akpm(a)osdl.org>
---
kernel/audit.c | 25 ++++++++++++++++++++++++-
kernel/exit.c | 3 ---
kernel/fork.c | 7 +------
3 files changed, 25 insertions(+), 10 deletions(-)
diff -puN kernel/audit.c~task-watchers-register-audit-task-watcher kernel/audit.c
--- a/kernel/audit.c~task-watchers-register-audit-task-watcher
+++ a/kernel/audit.c
@@ -48,6 +48,7 @@
#include <linux/module.h>
#include <linux/err.h>
#include <linux/kthread.h>
+#include <linux/notifier.h>
#include <linux/audit.h>
@@ -66,6 +67,26 @@ static int audit_initialized;
/* No syscall auditing will take place unless audit_enabled != 0. */
int audit_enabled;
+static int audit_task(struct notifier_block *nb, unsigned long val, void *t)
+{
+ struct task_struct *tsk = t;
+
+ switch(get_watch_event(val)) {
+ case WATCH_TASK_INIT:
+ /* Hack: -EFOO sets NOTIFY_STOP_MASK */
+ return audit_alloc(tsk);
+ case WATCH_TASK_FREE:
+ if (unlikely(tsk->audit_context))
+ audit_free(tsk);
+ default:
+ return NOTIFY_DONE;
+ }
+}
+
+static struct notifier_block __read_mostly audit_watch_tasks_nb = {
+ .notifier_call = audit_task,
+};
+
/* Default state when kernel boots without any parameters. */
static int audit_default;
@@ -709,8 +730,10 @@ static int __init audit_enable(char *str
printk(KERN_INFO "audit: %s%s\n",
audit_default ? "enabled" : "disabled",
audit_initialized ? "" : " (after initialization)");
- if (audit_initialized)
+ if (audit_initialized) {
audit_enabled = audit_default;
+ register_task_watcher(&audit_watch_tasks_nb);
+ }
return 1;
}
diff -puN kernel/exit.c~task-watchers-register-audit-task-watcher kernel/exit.c
--- a/kernel/exit.c~task-watchers-register-audit-task-watcher
+++ a/kernel/exit.c
@@ -37,7 +37,6 @@
#include <linux/futex.h>
#include <linux/compat.h>
#include <linux/pipe_fs_i.h>
-#include <linux/audit.h> /* for audit_free() */
#include <linux/resource.h>
#include <linux/notifier.h>
@@ -908,8 +907,6 @@ fastcall NORET_TYPE void do_exit(long co
if (unlikely(tsk->compat_robust_list))
compat_exit_robust_list(tsk);
#endif
- if (unlikely(tsk->audit_context))
- audit_free(tsk);
tsk->exit_code = code;
taskstats_exit_send(tsk, tidstats, tgidstats);
taskstats_exit_free(tidstats, tgidstats);
diff -puN kernel/fork.c~task-watchers-register-audit-task-watcher kernel/fork.c
--- a/kernel/fork.c~task-watchers-register-audit-task-watcher
+++ a/kernel/fork.c
@@ -40,7 +40,6 @@
#include <linux/rcupdate.h>
#include <linux/ptrace.h>
#include <linux/mount.h>
-#include <linux/audit.h>
#include <linux/profile.h>
#include <linux/rmap.h>
#include <linux/acct.h>
@@ -1067,11 +1066,9 @@ static task_t *copy_process(unsigned lon
if ((retval = security_task_alloc(p)))
goto bad_fork_cleanup_policy;
- if ((retval = audit_alloc(p)))
- goto bad_fork_cleanup_security;
/* copy all the process information */
if ((retval = copy_semundo(clone_flags, p)))
- goto bad_fork_cleanup_audit;
+ goto bad_fork_cleanup_security;
if ((retval = copy_files(clone_flags, p)))
goto bad_fork_cleanup_semundo;
if ((retval = copy_fs(clone_flags, p)))
@@ -1249,8 +1246,6 @@ bad_fork_cleanup_files:
exit_files(p); /* blocking */
bad_fork_cleanup_semundo:
exit_sem(p);
-bad_fork_cleanup_audit:
- audit_free(p);
bad_fork_cleanup_security:
security_task_free(p);
notify_result = notify_watchers(WATCH_TASK_FREE, p);
_
Patches currently in -mm which might be from matthltc(a)us.ibm.com are
process-events-header-cleanup.patch
process-events-license-change.patch
remove-unecessary-null-check-in-kernel-acctc.patch
mark-profile-notifier-blocks-__read_mostly.patch
task-watchers-task-watchers.patch
task-watchers-task-watchers-tidy.patch
task-watchers-register-process-events-task-watcher.patch
task-watchers-refactor-process-events.patch
task-watchers-make-process-events-configurable-as.patch
task-watchers-allow-task-watchers-to-block.patch
task-watchers-register-audit-task-watcher.patch
task-watchers-register-per-task-delay-accounting.patch
task-watchers-register-profile-as-a-task-watcher.patch
task-watchers-add-support-for-per-task-watchers.patch
task-watchers-register-semundo-task-watcher.patch
task-watchers-register-per-task-semundo-watcher.patch
ipc-replace-kmalloc-and-memset-in-get_undo_list-with-kzalloc.patch
18 years, 6 months