[PATCH] audit: use audit_log_task_info in audit_core_dumps and __audit_seccomp
by Eric Paris
We have a helper function which writes out all of the interesting
identity information about tasks, audit_log_task_info(). We then have a
second helper, audit_log_task(), which is only used by audit_core_dumps()
and __audit_seccomp(). It is lightweight and only outputs some of the
information about the task. There does not appear to be a rationale for
its existence except that audit_core_dumps() originally did it this way. At
the time audit_log_task_info() did not exist. When __audit_seccomp came
along audit_core_dumps() was split into this helper and reused. But
there was a better helper in audit.c.
This does reorder the records for audit_core_dumps() and
__audit_seccomp(). The new record order is below. The number in () is
the order in the old record. Entries without a () do not exist in the
old record.
audit_log_task_info:
ppid pid (6) auid (1) uid (2) gid (3) euid
suid fsuid egid sgid fsgid tty
ses (4) comm (7) exe (8) subj (5)
audit_log_task:
auid uid gid ses subj pid comm exe
It seems that reusing the task info pattern throughout records should
allow for faster simpler more streamlined userspace records parsing, but
changing order like this might be a deal breaker.
Signed-off-by: Eric Paris <eparis(a)redhat.com>
---
kernel/auditsc.c | 32 ++------------------------------
1 file changed, 2 insertions(+), 30 deletions(-)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 62500fe..9434e3b 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2352,34 +2352,6 @@ void __audit_mmap_fd(int fd, int flags)
context->type = AUDIT_MMAP;
}
-static void audit_log_task(struct audit_buffer *ab)
-{
- kuid_t auid, uid;
- kgid_t gid;
- unsigned int sessionid;
- struct mm_struct *mm = current->mm;
-
- auid = audit_get_loginuid(current);
- sessionid = audit_get_sessionid(current);
- current_uid_gid(&uid, &gid);
-
- audit_log_format(ab, "auid=%u uid=%u gid=%u ses=%u",
- from_kuid(&init_user_ns, auid),
- from_kuid(&init_user_ns, uid),
- from_kgid(&init_user_ns, gid),
- sessionid);
- audit_log_task_context(ab);
- audit_log_format(ab, " pid=%d comm=", current->pid);
- audit_log_untrustedstring(ab, current->comm);
- if (mm) {
- down_read(&mm->mmap_sem);
- if (mm->exe_file)
- audit_log_d_path(ab, " exe=", &mm->exe_file->f_path);
- up_read(&mm->mmap_sem);
- } else
- audit_log_format(ab, " exe=(null)");
-}
-
/**
* audit_core_dumps - record information about processes that end abnormally
* @signr: signal value
@@ -2400,7 +2372,7 @@ void audit_core_dumps(long signr)
ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
if (unlikely(!ab))
return;
- audit_log_task(ab);
+ audit_log_task_info(ab, current);
audit_log_format(ab, " sig=%ld", signr);
audit_log_end(ab);
}
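Review bot: The record layout change is larger than the commit message states, because the replaced helper emitted its first field as `auid=%u` with no leading space (see the removed L47), while audit_log_task_info is expected to supply its own leading separator — elsewhere on this list it is called directly after a bare `op=%s` field, and its format string is not in this hunk. If it does begin with a space, ANOM_ABEND and SECCOMP records will now start with a blank before `ppid=`, which userspace parsers keyed on the first field will notice in addition to the reordering. Please confirm the leading character and either trim it here or state it explicitly in the message alongside the field-order table. The same applies to the __audit_seccomp hunk ending at L84.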
@@ -2412,7 +2384,7 @@ void __audit_seccomp(unsigned long syscall, long signr, int code)
ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_SECCOMP);
if (unlikely(!ab))
return;
- audit_log_task(ab);
+ audit_log_task_info(ab, current);
audit_log_format(ab, " sig=%ld", signr);
audit_log_format(ab, " syscall=%ld", syscall);
audit_log_format(ab, " compat=%d", is_compat_task());
--
1.8.4.2
[RFC][PATCH 1/3] mm: Create utility function for accessing a tasks commandline value
by William Roberts
Introduce get_cmdline() for retrieving a process's proc/self/cmdline
value.
Signed-off-by: William Roberts <wroberts(a)tresys.com>
---
include/linux/mm.h | 1 +
mm/util.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 49 insertions(+)
diff --git a/include/linux/mm.h b/include/linux/mm.h
index 3552717..01e7970 100644
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -1134,6 +1134,7 @@ void account_page_writeback(struct page *page);
int set_page_dirty(struct page *page);
int set_page_dirty_lock(struct page *page);
int clear_page_dirty_for_io(struct page *page);
+int get_cmdline(struct task_struct *task, char *buffer, int buflen);
/* Is the vma a continuation of the stack vma above it? */
static inline int vma_growsdown(struct vm_area_struct *vma, unsigned long addr)
diff --git a/mm/util.c b/mm/util.c
index f7bc209..5285ff0 100644
--- a/mm/util.c
+++ b/mm/util.c
@@ -410,6 +410,54 @@ unsigned long vm_commit_limit(void)
* sysctl_overcommit_ratio / 100) + total_swap_pages;
}
+/**
+ * get_cmdline() - copy the cmdline value to a buffer.
+ * @task: the task whose cmdline value to copy.
+ * @buffer: the buffer to copy to.
+ * @buflen: the length of the buffer. Larger cmdline values are truncated
+ * to this length.
+ * Returns the size of the cmdline field copied. Note that the copy does
+ * not guarantee an ending NULL byte.
+ */
+int get_cmdline(struct task_struct *task, char *buffer, int buflen)
+{
+ int res = 0;
+ unsigned int len;
+ struct mm_struct *mm = get_task_mm(task);
+ if (!mm)
+ goto out;
+ if (!mm->arg_end)
+ goto out_mm; /* Shh! No looking before we're done */
+
+ len = mm->arg_end - mm->arg_start;
+
+ if (len > buflen)
+ len = buflen;
+
+ res = access_process_vm(task, mm->arg_start, buffer, len, 0);
+
+ /*
+ * If the nul at the end of args has been overwritten, then
+ * assume application is using setproctitle(3).
+ */
+ if (res > 0 && buffer[res-1] != '\0' && len < buflen) {
+ len = strnlen(buffer, res);
+ if (len < res) {
+ res = len;
+ } else {
+ len = mm->env_end - mm->env_start;
+ if (len > buflen - res)
+ len = buflen - res;
+ res += access_process_vm(task, mm->env_start,
+ buffer+res, len, 0);
+ res = strnlen(buffer, res);
+ }
+ }
+out_mm:
+ mmput(mm);
+out:
+ return res;
+}
/* Tracepoints definitions. */
EXPORT_TRACEPOINT_SYMBOL(kmalloc);
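Review bot: The clamp `if (len > buflen) len = buflen;` compares an unsigned `len` against a signed `buflen`, so a negative `buflen` is promoted to a large unsigned value, the clamp never fires and access_process_vm() is asked to copy the full argument range into a buffer the caller declared as having no room; the later `len < res` and `buflen - res` comparisons have the same signed/unsigned mix. A guard right after the `mm->arg_end` check, `if (buflen <= 0) goto out_mm;`, closes the hole, and declaring `len` as `int` (or `buflen` as `unsigned int`) would let -Wsign-compare stay quiet. The kernel-doc could also say NUL rather than NULL for the missing terminator, since callers must not treat the result as a C string. The identical v2 hunk ending at L244 carries the same issue.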
--
1.7.9.5
[RFC][PATCH v2 1/3] mm: Create utility function for accessing a tasks commandline value
by William Roberts
Introduce get_cmdline() for retrieving a process's proc/self/cmdline
value.
Signed-off-by: William Roberts <wroberts(a)tresys.com>
---
include/linux/mm.h | 1 +
mm/util.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 49 insertions(+)
diff --git a/include/linux/mm.h b/include/linux/mm.h
index 3552717..01e7970 100644
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -1134,6 +1134,7 @@ void account_page_writeback(struct page *page);
int set_page_dirty(struct page *page);
int set_page_dirty_lock(struct page *page);
int clear_page_dirty_for_io(struct page *page);
+int get_cmdline(struct task_struct *task, char *buffer, int buflen);
/* Is the vma a continuation of the stack vma above it? */
static inline int vma_growsdown(struct vm_area_struct *vma, unsigned long addr)
diff --git a/mm/util.c b/mm/util.c
index f7bc209..5285ff0 100644
--- a/mm/util.c
+++ b/mm/util.c
@@ -410,6 +410,54 @@ unsigned long vm_commit_limit(void)
* sysctl_overcommit_ratio / 100) + total_swap_pages;
}
+/**
+ * get_cmdline() - copy the cmdline value to a buffer.
+ * @task: the task whose cmdline value to copy.
+ * @buffer: the buffer to copy to.
+ * @buflen: the length of the buffer. Larger cmdline values are truncated
+ * to this length.
+ * Returns the size of the cmdline field copied. Note that the copy does
+ * not guarantee an ending NULL byte.
+ */
+int get_cmdline(struct task_struct *task, char *buffer, int buflen)
+{
+ int res = 0;
+ unsigned int len;
+ struct mm_struct *mm = get_task_mm(task);
+ if (!mm)
+ goto out;
+ if (!mm->arg_end)
+ goto out_mm; /* Shh! No looking before we're done */
+
+ len = mm->arg_end - mm->arg_start;
+
+ if (len > buflen)
+ len = buflen;
+
+ res = access_process_vm(task, mm->arg_start, buffer, len, 0);
+
+ /*
+ * If the nul at the end of args has been overwritten, then
+ * assume application is using setproctitle(3).
+ */
+ if (res > 0 && buffer[res-1] != '\0' && len < buflen) {
+ len = strnlen(buffer, res);
+ if (len < res) {
+ res = len;
+ } else {
+ len = mm->env_end - mm->env_start;
+ if (len > buflen - res)
+ len = buflen - res;
+ res += access_process_vm(task, mm->env_start,
+ buffer+res, len, 0);
+ res = strnlen(buffer, res);
+ }
+ }
+out_mm:
+ mmput(mm);
+out:
+ return res;
+}
/* Tracepoints definitions. */
EXPORT_TRACEPOINT_SYMBOL(kmalloc);
--
1.7.9.5
[PATCH][RFC] audit: log namespace inode numbers
by Richard Guy Briggs
Log the namespace details of a task.
---
Does anyone have comments on this patch?
I'm looking for guidance on which types of messages should have namespace
information included. I've included too many, I suspect.
I also wonder if displaying these inode numbers in hexadecimal makes more sense
than decimal, since they are all based around 0xF0000000. These are all with
reference to the proc filesystem, so a device number should not be necessary to
qualify them.
include/linux/audit.h | 1 +
kernel/audit.c | 29 +++++++++++++++++++++++++++++
kernel/audit_watch.c | 1 +
kernel/auditfilter.c | 1 +
kernel/auditsc.c | 5 +++++
5 files changed, 37 insertions(+), 0 deletions(-)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 6976219..75fa602 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -92,6 +92,7 @@ extern int audit_classify_arch(int arch);
struct filename;
extern void audit_log_session_info(struct audit_buffer *ab);
+extern void audit_log_namespace_info(struct audit_buffer *ab, struct task_struct *tsk);
#ifdef CONFIG_AUDITSYSCALL
/* These are defined in auditsc.c */
diff --git a/kernel/audit.c b/kernel/audit.c
index dc03a30..b4c39a9 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -62,7 +62,15 @@
#endif
#include <linux/freezer.h>
#include <linux/tty.h>
+#include <linux/nsproxy.h>
+#include <linux/utsname.h>
+#include <linux/ipc_namespace.h>
+#include "../fs/mount.h"
+#include <linux/mount.h>
+#include <linux/mnt_namespace.h>
#include <linux/pid_namespace.h>
+#include <net/net_namespace.h>
+#include <linux/user_namespace.h>
#include <net/netns/generic.h>
#include "audit.h"
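Review bot: `#include "../fs/mount.h"` reaches into a private fs/ header from kernel/audit.c solely to dereference `mnt_ns->proc_inum`, which ties the audit core to the VFS's internal struct layout. A small accessor exported from fs/namespace.c (or a generic helper that returns a namespace's proc inode number) would keep the layering intact and drop this include along with `<linux/mnt_namespace.h>`.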
@@ -292,6 +300,7 @@ static int audit_log_config_change(char *function_name, int new, int old,
return rc;
audit_log_format(ab, "%s=%d old=%d", function_name, new, old);
audit_log_session_info(ab);
+ audit_log_namespace_info(ab, current);
rc = audit_log_task_context(ab);
if (rc)
allow_changes = 0; /* Something weird, deny request */
@@ -657,6 +666,7 @@ static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type)
return rc;
audit_log_format(*ab, "pid=%d uid=%u", task_tgid_vnr(current), uid);
audit_log_session_info(*ab);
+ audit_log_namespace_info(*ab, current);
audit_log_task_context(*ab);
return rc;
@@ -689,6 +699,7 @@ static void audit_log_feature_change(int which, u32 old_feature, u32 new_feature
return;
ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_FEATURE_CHANGE);
+ audit_log_namespace_info(ab, current);
audit_log_format(ab, "feature=%s old=%d new=%d old_lock=%d new_lock=%d res=%d",
audit_feature_names[which], !!old_feature, !!new_feature,
!!old_lock, !!new_lock, res);
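Review bot: The new call is placed before the `feature=` format, so the record becomes ` pidns=… netns=<n>feature=…` — the last namespace field runs straight into `feature=` with no separator, and the record starts with a blank. Move `audit_log_namespace_info(ab, current);` to after the `audit_log_format(ab, "feature=%s …")` call so its leading space acts as the separator, matching how the other call sites in this patch append it. Note also that this line is now the first consumer of `ab` after audit_log_start() with no NULL check; presumably audit_log_format() tolerates a NULL buffer as the existing code already relies on, but worth confirming.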
@@ -1621,6 +1632,23 @@ void audit_log_session_info(struct audit_buffer *ab)
audit_log_format(ab, " auid=%u ses=%u", auid, sessionid);
}
+void audit_log_namespace_info(struct audit_buffer *ab, struct task_struct *tsk)
+{
+ struct nsproxy *nsproxy;
+
+ rcu_read_lock();
+ audit_log_format(ab, " pidns=%x", task_active_pid_ns(tsk)->proc_inum);
+ nsproxy = task_nsproxy(tsk);
+ if (nsproxy != NULL) {
+ audit_log_format(ab, " usrns=%x", nsproxy->net_ns->user_ns->proc_inum);
+ audit_log_format(ab, " utsns=%x", nsproxy->uts_ns->proc_inum);
+ audit_log_format(ab, " ipcns=%x", nsproxy->ipc_ns->proc_inum);
+ audit_log_format(ab, " mntns=%x", nsproxy->mnt_ns->proc_inum);
+ audit_log_format(ab, " netns=%x", nsproxy->net_ns->proc_inum);
+ }
+ rcu_read_unlock();
+}
+
void audit_log_key(struct audit_buffer *ab, char *key)
{
audit_log_format(ab, " key=");
@@ -1890,6 +1918,7 @@ void audit_log_link_denied(const char *operation, struct path *link)
goto out;
audit_log_format(ab, "op=%s", operation);
audit_log_task_info(ab, current);
+ audit_log_namespace_info(ab, current);
audit_log_format(ab, " res=0");
audit_log_end(ab);
diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
index 22831c4..2382a3e 100644
--- a/kernel/audit_watch.c
+++ b/kernel/audit_watch.c
@@ -245,6 +245,7 @@ static void audit_watch_log_rule_change(struct audit_krule *r, struct audit_watc
audit_log_format(ab, "auid=%u ses=%u op=",
from_kuid(&init_user_ns, audit_get_loginuid(current)),
audit_get_sessionid(current));
+ audit_log_namespace_info(ab, current);
audit_log_string(ab, op);
audit_log_format(ab, " path=");
audit_log_untrustedstring(ab, w->path);
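Review bot: The call lands between the `op=` key and its value, because the preceding format string ends in `op=` and the value is only written by the following audit_log_string(ab, op); the record therefore reads `op= pidns=… netns=<n><op>`, with the op string glued to the last inode number. Split the format so the namespace fields precede the key, as the auditfilter hunk in this patch already does: `audit_log_format(ab, "auid=%u ses=%u", …);` then `audit_log_namespace_info(ab, current);` then `audit_log_format(ab, " op=");` before `audit_log_string(ab, op);`.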
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 14a78cc..9c4b004 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -1014,6 +1014,7 @@ static void audit_log_rule_change(char *action, struct audit_krule *rule, int re
if (!ab)
return;
audit_log_format(ab, "auid=%u ses=%u" ,loginuid, sessionid);
+ audit_log_namespace_info(ab, current);
audit_log_task_context(ab);
audit_log_format(ab, " op=");
audit_log_string(ab, action);
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 10176cd..3c73a3b 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -974,6 +974,7 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid,
from_kuid(&init_user_ns, auid),
from_kuid(&init_user_ns, uid), sessionid);
+ audit_log_namespace_info(ab, current);
if (sid) {
if (security_secid_to_secctx(sid, &ctx, &len)) {
audit_log_format(ab, " obj=(none)");
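Review bot: This record describes another process — its fields are `opid=`, `oauid=`, `ouid=`, `oses=` — yet the namespace fields appended here are resolved for `current`, so a reader will attribute current's namespaces to `opid`. Either omit the call in audit_log_pid_context(), or resolve the namespaces of the task behind `pid` and give the fields a matching `o` prefix so the two processes' attributes are not mixed in one record; the function's head and tail are outside the hunk, so whether the other task_struct is still at hand here cannot be seen.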
@@ -1302,6 +1303,7 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
context->name_count);
audit_log_task_info(ab, tsk);
+ audit_log_namespace_info(ab, current);
audit_log_key(ab, context->filterkey);
audit_log_end(ab);
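Review bot: The line above logs task info for `tsk`, but the new call logs namespaces for `current`; if audit_log_exit() is ever reached with `tsk != current` the record mixes two tasks' attributes. Use the same subject as the neighbouring call: `audit_log_namespace_info(ab, tsk);`.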
@@ -1987,6 +1989,7 @@ static void audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid,
current->pid, uid,
oldloginuid, loginuid, oldsessionid, sessionid,
!rc);
+ audit_log_namespace_info(ab, current);
audit_log_end(ab);
}
@@ -2400,6 +2403,7 @@ void audit_core_dumps(long signr)
if (unlikely(!ab))
return;
audit_log_task(ab);
+ audit_log_namespace_info(ab, current);
audit_log_format(ab, " sig=%ld", signr);
audit_log_end(ab);
}
@@ -2412,6 +2416,7 @@ void __audit_seccomp(unsigned long syscall, long signr, int code)
if (unlikely(!ab))
return;
audit_log_task(ab);
+ audit_log_namespace_info(ab, current);
audit_log_format(ab, " sig=%ld", signr);
audit_log_format(ab, " syscall=%ld", syscall);
audit_log_format(ab, " compat=%d", is_compat_task());
--
1.7.1
Setting loginuid for a process starting at boot
by Maupertuis Philippe
Hi,
I want to monitor a process which starts at boot.
I would like to assign it a specific loginuid for that purpose.
What is the best way to do that ?
Regards
Philippe
________________________________
Ce message et les pièces jointes sont confidentiels et réservés à l'usage exclusif de ses destinataires. Il peut également être protégé par le secret professionnel. Si vous recevez ce message par erreur, merci d'en avertir immédiatement l'expéditeur et de le détruire. L'intégrité du message ne pouvant être assurée sur Internet, la responsabilité de Worldline ne pourra être recherchée quant au contenu de ce message. Bien que les meilleurs efforts soient faits pour maintenir cette transmission exempte de tout virus, l'expéditeur ne donne aucune garantie à cet égard et sa responsabilité ne saurait être recherchée pour tout dommage résultant d'un virus transmis.
This e-mail and the documents attached are confidential and intended solely for the addressee; it may also be privileged. If you receive this e-mail in error, please notify the sender immediately and destroy it. As its integrity cannot be secured on the Internet, the Worldline liability cannot be triggered for the message content. Although the sender endeavours to maintain a computer virus-free network, the sender does not warrant that this transmission is virus-free and will not be liable for any damages resulting from any virus transmitted.
Clear kernel audit buffer?
by Aaron Lewis
Hi,
I'm doing a stress test on auditd, so I add a rule to monitor "open"
syscall, then I use a c program to generate massive amount of logs.
The program finished and exited.
But I generated too much, if I kill auditd and start it again, I can
still see a lot of type=SYSCALL logs. (But not CWD or PATH)
Can I clear the existing buffer?
--
Best Regards,
Aaron Lewis - PGP: 0xDFE6C29E ( http://keyserver.veridis.com )
Finger Print: 9482 448F C7C3 896C 1DFE 7DD3 2492 A7D0 DFE6 C29E
[PATCH 1/2] audit: rework AUDIT_TTY_SET to only grab spin_lock once
by Eric Paris
We can simplify the AUDIT_TTY_SET code to only grab the spin_lock one
time. We need to determine if the new values are valid and if so, set
the new values at the same time we grab the old ones. While we are
here get rid of 'res' and just use err.
Signed-off-by: Eric Paris <eparis(a)redhat.com>
---
kernel/audit.c | 28 +++++++++++++---------------
1 file changed, 13 insertions(+), 15 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index f45966e..5f7d2d9 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -999,19 +999,24 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
struct audit_tty_status s, old;
struct task_struct *tsk = current;
struct audit_buffer *ab;
- int res = 0;
+
+ memset(&s, 0, sizeof(s));
+ /* guard against past and future API changes */
+ memcpy(&s, data, min_t(size_t, sizeof(s), nlmsg_len(nlh)));
+ /* check if new data is valid */
+ if ((s.enabled != 0 && s.enabled != 1) ||
+ (s.log_passwd != 0 && s.log_passwd != 1))
+ err = -EINVAL;
spin_lock(&tsk->sighand->siglock);
old.enabled = tsk->signal->audit_tty;
old.log_passwd = tsk->signal->audit_tty_log_passwd;
+ if (!err) {
+ tsk->signal->audit_tty = s.enabled;
+ tsk->signal->audit_tty_log_passwd = s.log_passwd;
+ }
spin_unlock(&tsk->sighand->siglock);
- memset(&s, 0, sizeof(s));
- /* guard against past and future API changes */
- memcpy(&s, data, min_t(size_t, sizeof(s), nlmsg_len(nlh)));
- if ((s.enabled == 0 || s.enabled == 1) &&
- (s.log_passwd == 0 || s.log_passwd == 1))
- res = 1;
audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE);
audit_log_format(ab, " op=tty_set"
" old-enabled=%d old-log_passwd=%d"
@@ -1019,15 +1024,8 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
" res=%d",
old.enabled, old.log_passwd,
s.enabled, s.log_passwd,
- res);
+ !err);
audit_log_end(ab);
- if (res) {
- spin_lock(&tsk->sighand->siglock);
- tsk->signal->audit_tty = s.enabled;
- tsk->signal->audit_tty_log_passwd = s.log_passwd;
- spin_unlock(&tsk->sighand->siglock);
- } else
- return -EINVAL;
break;
}
default:
--
1.8.4.2
[PATCH] audit: wait_for_auditd rework for readability
by Eric Paris
We had some craziness with signed to unsigned long casting which appears
wholly unnecessary. Just use signed long. Even though 2 values of the
math equation are unsigned longs the result is expected to be a signed
long. So why keep casting the result to signed long? Just make it
signed long and use it.
We also remove the needless "timeout" variable. We already have the
stack "sleep_time" variable. Just use that...
Signed-off-by: Eric Paris <eparis(a)redhat.com>
---
kernel/audit.c | 16 +++++++---------
1 file changed, 7 insertions(+), 9 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 3c2ce3c..9d433b3 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1289,21 +1289,20 @@ static inline void audit_get_stamp(struct audit_context *ctx,
/*
* Wait for auditd to drain the queue a little
*/
-static unsigned long wait_for_auditd(unsigned long sleep_time)
+static long wait_for_auditd(long sleep_time)
{
- unsigned long timeout = sleep_time;
DECLARE_WAITQUEUE(wait, current);
set_current_state(TASK_UNINTERRUPTIBLE);
add_wait_queue_exclusive(&audit_backlog_wait, &wait);
if (audit_backlog_limit &&
skb_queue_len(&audit_skb_queue) > audit_backlog_limit)
- timeout = schedule_timeout(sleep_time);
+ sleep_time = schedule_timeout(sleep_time);
__set_current_state(TASK_RUNNING);
remove_wait_queue(&audit_backlog_wait, &wait);
- return timeout;
+ return sleep_time;
}
/**
@@ -1347,13 +1346,12 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
while (audit_backlog_limit
&& skb_queue_len(&audit_skb_queue) > audit_backlog_limit + reserve) {
if (gfp_mask & __GFP_WAIT && audit_backlog_wait_time) {
- unsigned long sleep_time;
+ long sleep_time;
- sleep_time = timeout_start + audit_backlog_wait_time -
- jiffies;
- if ((long)sleep_time > 0) {
+ sleep_time = timeout_start + audit_backlog_wait_time - jiffies;
+ if (sleep_time > 0) {
sleep_time = wait_for_auditd(sleep_time);
- if ((long)sleep_time > 0)
+ if (sleep_time > 0)
continue;
}
}
--
1.8.4.2
[PATCH 1/2] audit: use define's for audit version
by Eric Paris
Give names to the audit versions. Just something for a userspace
programmer to know what the version provides.
Signed-off-by: Eric Paris <eparis(a)redhat.com>
---
include/uapi/linux/audit.h | 5 +++++
kernel/audit.c | 2 +-
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 14afb0d..3e1fbe9 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -320,6 +320,11 @@ enum {
#define AUDIT_STATUS_RATE_LIMIT 0x0008
#define AUDIT_STATUS_BACKLOG_LIMIT 0x0010
#define AUDIT_STATUS_BACKLOG_WAIT_TIME 0x0020
+
+#define AUDIT_VERSION_BACKLOG_LIMIT 1
+#define AUDIT_VERSION_BACKLOG_WAIT_TIME 2
+#define AUDIT_VERSION_LATEST AUDIT_VERSION_BACKLOG_WAIT_TIME
+
/* Failure-to-log actions */
#define AUDIT_FAIL_SILENT 0
#define AUDIT_FAIL_PRINTK 1
diff --git a/kernel/audit.c b/kernel/audit.c
index 9d433b3..fe2e305 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -800,7 +800,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
s.backlog_limit = audit_backlog_limit;
s.lost = atomic_read(&audit_lost);
s.backlog = skb_queue_len(&audit_skb_queue);
- s.version = 2;
+ s.version = AUDIT_VERSION_LATEST;
s.backlog_wait_time = audit_backlog_wait_time;
audit_send_reply(NETLINK_CB(skb).portid, seq, AUDIT_GET, 0, 0,
&s, sizeof(s));
--
1.8.4.2
[PATCH] audit: documentation of audit= kernel parameter
by Eric Paris
Further documentation of the 3 possible kernel values of the audit
command line option.
Signed-off-by: Eric Paris <eparis(a)redhat.com>
---
Documentation/kernel-parameters.txt | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
index ab86766..5867442 100644
--- a/Documentation/kernel-parameters.txt
+++ b/Documentation/kernel-parameters.txt
@@ -465,6 +465,14 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
audit= [KNL] Enable the audit sub-system
Format: { "0" | "1" } (0 = disabled, 1 = enabled)
+ 0 - kernel audit is disabled and can not be enabled
+ until the next reboot
+ unset - kernel audit is partially enabled and will
+ be fully enabled by the userspace auditd
+ 1 - kernel audit is partially enabled just like 'unset'
+ only at most audit_backlog_limit messages will be
+ retained in RAM and forwarded to userspace auditd
+ when it being.
Default: unset
audit_backlog_limit= [KNL] Set the audit queue size limit.
--
1.8.4.2