audit_status in kernel
by Steve Grubb
Hello,
I was looking at a new kernel and see that the audit_status structure has
changed. The first member of the structure is a bit mask that tells what all is
in the structure. So, if we add this:
__u32 version; /* audit api version number */
__u32 backlog_wait_time;/* message queue wait timeout */
};
Then we need to have a define for those two:
#define AUDIT_STATUS_BACKLOG_LIMIT 0x0010
+#define AUDIT_STATTUS_VERSION 0x0020
-#define AUDIT_STATUS_BACKLOG_WAIT_TIME 0x0020
+#define AUDIT_STATUS_BACKLOG_WAIT_TIME 0x0040
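Review bot: the first added line spells the macro AUDIT_STATTUS_VERSION (double T), which breaks the AUDIT_STATUS_ prefix used by the neighbouring defines; it should read AUDIT_STATUS_VERSION. The last two lines also move AUDIT_STATUS_BACKLOG_WAIT_TIME from 0x0020 to 0x0040, so any code already built against 0x0020 would be setting the version bit instead; if the old value has shipped anywhere, giving the version field the new bit 0x0040 avoids renumbering an existing one.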
IOW, each entry in the structure is supposed to have a mask value.
-Steve
10 years, 9 months
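The one-bit-per-field rule from the message above, as an added C example (not code from the kernel or from the message's author). The names demo_status, demo_bits, demo_bits_valid and demo_apply are hypothetical, the bit values 0x0010/0x0020/0x0040 are the ones proposed in the message, and the "shared" table is a constructed bad case showing what happens when two fields answer to the same bit.

```c
#include <stdint.h>
#include <stdio.h>

/* Illustrative local type; field names follow the message, layout is assumed. */
struct demo_status {
    uint32_t mask;              /* bit set => the matching field is valid */
    uint32_t backlog_limit;
    uint32_t version;
    uint32_t backlog_wait_time;
};

/* One mask bit per field, passed in so two assignments can be compared. */
struct demo_bits { uint32_t backlog_limit, version, backlog_wait_time; };

/* Values from the message's proposed defines. */
static const struct demo_bits proposed = { 0x0010, 0x0020, 0x0040 };
/* Constructed bad case: version and backlog_wait_time share 0x0020. */
static const struct demo_bits shared = { 0x0010, 0x0020, 0x0020 };

/* Each field needs exactly one bit, and no two fields may share one. */
int demo_bits_valid(const struct demo_bits *b)
{
    const uint32_t v[3] = { b->backlog_limit, b->version, b->backlog_wait_time };
    uint32_t seen = 0;
    for (int i = 0; i < 3; i++) {
        if (v[i] == 0 || (v[i] & (v[i] - 1)) || (seen & v[i]))
            return 0;
        seen |= v[i];
    }
    return 1;
}

/* Receiver: update only the fields the sender flagged in req->mask. */
void demo_apply(struct demo_status *cur, const struct demo_status *req,
                const struct demo_bits *b)
{
    if (req->mask & b->backlog_limit)
        cur->backlog_limit = req->backlog_limit;
    if (req->mask & b->version)
        cur->version = req->version;
    if (req->mask & b->backlog_wait_time)
        cur->backlog_wait_time = req->backlog_wait_time;
}

int main(void)
{
    struct demo_status cur = { 0, 64, 1, 6000 };   /* constructed values */
    struct demo_status req = { 0x0020, 0, 2, 0 };  /* sender sets version only */
    demo_apply(&cur, &req, &shared);
    printf("valid=%d wait_time=%u\n", demo_bits_valid(&shared),
           (unsigned)cur.backlog_wait_time);
    return 0;
}
```

With the shared table, a request that only meant to set the version also overwrites backlog_wait_time with the zero left in the unset field.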
[PATCH 0/6][RFC] audit: standardize and simplify syscall_get_arch()
by Richard Guy Briggs
Each arch that supports audit requires syscall_get_arch() to be able to log
and identify architecture-dependent syscall numbers. The information is used
in at least two different subsystems, so standardize it in the same call across
all arches.
Use the standardized syscall_get_arch() locally to add the arch to the
AUDIT_SECCOMP record to identify which syscall was issued.
Since all the callers of syscall_get_arch() presently pass "current" and none
of the arch-specific syscall_get_arch() implementations use the regs parameter,
call syscall_get_arch() locally where it is needed and drop passing around
arch, current and regs in __audit_syscall_entry() and audit_syscall_entry().
Compiles and runs on i686, x86_64, ppc, ppc64, s390, s390x, manually tested in
an x86_64 VM. aarch64 will be added soon.
Richard Guy Briggs (6):
syscall: define syscall_get_arch() for each audit-supported arch
audit: add arch field to seccomp event log
audit: __audit_syscall_entry: ignore arch arg and call
syscall_get_arch() directly
audit: drop arch from audit_syscall_entry() interface
audit: drop args from syscall_get_arch() interface
audit: drop arch from __audit_syscall_entry() interface
arch/arm/include/asm/syscall.h | 5 ++---
arch/arm/kernel/ptrace.c | 2 +-
arch/ia64/include/asm/syscall.h | 6 ++++++
arch/ia64/kernel/ptrace.c | 2 +-
arch/microblaze/include/asm/syscall.h | 5 +++++
arch/microblaze/kernel/ptrace.c | 2 +-
arch/mips/include/asm/syscall.h | 6 +++---
arch/mips/kernel/ptrace.c | 3 +--
arch/openrisc/include/asm/syscall.h | 5 +++++
arch/openrisc/kernel/ptrace.c | 2 +-
arch/parisc/include/asm/syscall.h | 11 +++++++++++
arch/parisc/kernel/ptrace.c | 5 ++---
arch/powerpc/include/asm/syscall.h | 12 ++++++++++++
arch/powerpc/kernel/ptrace.c | 6 ++----
arch/s390/include/asm/syscall.h | 7 +++----
arch/s390/kernel/ptrace.c | 4 +---
arch/sh/include/asm/syscall.h | 16 ++++++++++++++++
arch/sh/kernel/ptrace_32.c | 13 +------------
arch/sh/kernel/ptrace_64.c | 16 +---------------
arch/sparc/include/asm/syscall.h | 7 +++++++
arch/sparc/kernel/ptrace_64.c | 5 +----
arch/um/kernel/ptrace.c | 3 +--
arch/x86/ia32/ia32entry.S | 12 ++++++------
arch/x86/include/asm/syscall.h | 10 ++++------
arch/x86/kernel/entry_32.S | 11 +++++------
arch/x86/kernel/entry_64.S | 11 +++++------
arch/x86/kernel/ptrace.c | 6 ++----
arch/xtensa/kernel/ptrace.c | 2 +-
include/asm-generic/syscall.h | 6 ++----
include/linux/audit.h | 9 ++++-----
include/uapi/linux/audit.h | 1 +
kernel/auditsc.c | 6 ++++--
kernel/seccomp.c | 4 ++--
33 files changed, 120 insertions(+), 101 deletions(-)
10 years, 9 months
[PATCH] audit: don't generate loginuid log when audit disabled
by Richard Guy Briggs
From: Gao feng <gaofeng(a)cn.fujitsu.com>
If audit is disabled, we shouldn't generate loginuid audit
log.
Cc: stable(a)vger.kernel.org # v3.13-rc1
Acked-by: Eric Paris <eparis(a)redhat.com>
Signed-off-by: Gao feng <gaofeng(a)cn.fujitsu.com>
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
Signed-off-by: Eric Paris <eparis(a)redhat.com>
---
Already upstream in 3.14-rc1. This fixes a bug introduced by:
da0a6104 audit: loginuid functions coding style
kernel/auditsc.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index df1e685..9ab02fa 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1971,6 +1971,9 @@ static void audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid,
struct audit_buffer *ab;
uid_t uid, ologinuid, nloginuid;
+ if (!audit_enabled)
+ return;
+
uid = from_kuid(&init_user_ns, task_uid(current));
ologinuid = from_kuid(&init_user_ns, koldloginuid);
nloginuid = from_kuid(&init_user_ns, kloginuid),
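Review bot: the last context line, "nloginuid = from_kuid(&init_user_ns, kloginuid),", ends in a comma rather than a semicolon, so it is joined to whatever statement follows by the comma operator; this patch does not touch it, but a follow-up should change it to ";". The added "if (!audit_enabled)" early return sits before the from_kuid() conversions, which is the right place for it. The "introduced by da0a6104" reference currently sits below the "---" line, where it is dropped when the patch is applied; moving it into the commit message would keep it in the changelog.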
--
1.7.1
10 years, 9 months