[RFC PATCH 0/7] audit: clean up audit queue handling
by Richard Guy Briggs
This set of patches cleans up a number of corner cases in the management
of the audit queue.
Richard Guy Briggs (7):
audit: don't needlessly reset valid wait time
audit: include auditd's threads in audit_log_start() wait exception
audit: allow systemd to use queue reserves
audit: wake up threads if queue switched from limited to unlimited
audit: allow audit_cmd_mutex holders to use reserves
audit: wake up audit_backlog_wait queue when auditd goes away.
audit: wake up kauditd_thread after auditd registers
kernel/audit.c | 20 +++++++++++++++-----
1 files changed, 15 insertions(+), 5 deletions(-)
8 years, 4 months
seccomp and audit_enabled
by Tony Jones
Hi.
What is the expected handling of AUDIT_SECCOMP if audit_enabled == 0? Opera browser makes use of a sandbox, and if audit_enabled == 0 (and no auditd is running) there are a lot of messages dumped to the klog. The fix to __audit_seccomp() is trivial, similar to c2412d91c, and I can send a patch; I'm just not sure if seccomp is somehow special?
Thanks
Tony
8 years, 11 months
[RFC PATCH v3 0/5] kdbus LSM/SELinux hooks
by Paul Moore
No real functional improvements since the v2 patchset earlier this
week, the main update is rebasing on GregKH's current kdbus tree
which is now 4.3-rc4 based and as a result brings the LSM stacking
changes and SELinux ioctl/xperm additions.
---
Paul Moore (5):
kdbus: add creator credentials to the endpoints
lsm: introduce hooks for kdbus
lsm: add support for auditing kdbus service names
selinux: introduce kdbus names into the policy
selinux: introduce kdbus access controls
include/linux/lsm_audit.h | 2
include/linux/lsm_hooks.h | 63 ++++++++++++++
include/linux/security.h | 71 ++++++++++++++++
ipc/kdbus/bus.c | 13 +--
ipc/kdbus/connection.c | 73 +++++++++++------
ipc/kdbus/endpoint.c | 14 +--
ipc/kdbus/endpoint.h | 3 -
ipc/kdbus/fs.c | 10 ++
ipc/kdbus/message.c | 19 +++-
ipc/kdbus/metadata.c | 6 -
ipc/kdbus/node.c | 11 +--
ipc/kdbus/node.h | 5 +
security/lsm_audit.c | 4 +
security/security.c | 62 ++++++++++++++
security/selinux/hooks.c | 153 +++++++++++++++++++++++++++++++++++
security/selinux/include/classmap.h | 4 +
security/selinux/include/security.h | 5 +
security/selinux/ss/policydb.c | 88 ++++++++++++++++----
security/selinux/ss/policydb.h | 3 -
security/selinux/ss/services.c | 38 +++++++++
20 files changed, 561 insertions(+), 86 deletions(-)
9 years
[PATCH] audit: removing unused variable
by Saurabh Sengar
variable rc is not required as it is just used unchanged for return,
and return is always 0 in the function.
Signed-off-by: Saurabh Sengar <saurabh.truth(a)gmail.com>
---
kernel/audit.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 662c007..409482f 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -686,23 +686,22 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type)
{
- int rc = 0;
uid_t uid = from_kuid(&init_user_ns, current_uid());
pid_t pid = task_tgid_nr(current);
if (!audit_enabled && msg_type != AUDIT_USER_AVC) {
*ab = NULL;
- return rc;
+ return 0;
}
*ab = audit_log_start(NULL, GFP_KERNEL, msg_type);
if (unlikely(!*ab))
- return rc;
+ return 0;
audit_log_format(*ab, "pid=%d uid=%u", pid, uid);
audit_log_session_info(*ab);
audit_log_task_context(*ab);
- return rc;
+ return 0;
}
int is_audit_feature_set(int i)
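Review bot: `rc` is gone but the function still returns an `int` that is `0` on every path, so the return value carries no information and the `static int` at the top of the hunk no longer earns its type; make it `static void audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type)`, turn the two early exits into bare `return;`, and drop the final `return 0;` before the closing brace, which is redundant in a void function. Any caller that assigns the result would have to be updated in the same patch, since this hunk changes only the definition.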
--
1.9.1
9 years
[PATCH v3] audit: removing unused variable
by Saurabh Sengar
variable rc is unnecessary, hence removing it;
also, as the return type of function audit_log_common_recv_msg is
nowhere used, changing it to void.
Signed-off-by: Saurabh Sengar <saurabh.truth(a)gmail.com>
---
kernel/audit.c | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 662c007..a89b2b1 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -684,25 +684,22 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
return err;
}
-static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type)
+static void audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type)
{
- int rc = 0;
uid_t uid = from_kuid(&init_user_ns, current_uid());
pid_t pid = task_tgid_nr(current);
if (!audit_enabled && msg_type != AUDIT_USER_AVC) {
*ab = NULL;
- return rc;
+ return;
}
*ab = audit_log_start(NULL, GFP_KERNEL, msg_type);
if (unlikely(!*ab))
- return rc;
+ return;
audit_log_format(*ab, "pid=%d uid=%u", pid, uid);
audit_log_session_info(*ab);
audit_log_task_context(*ab);
-
- return rc;
}
int is_audit_feature_set(int i)
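Review bot: the subject line still says "removing unused variable", but the substantive change in this hunk is the signature going from `static int` to `static void`; retitle the patch to say that (something like "audit: make audit_log_common_recv_msg() a void function") and note in the log which callers were checked, because the hunk touches only the definition and any call site that still assigns the result would fail to compile. The body itself is the right shape: both early exits become bare `return;` and the trailing `return rc;` is dropped with nothing left after it.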
--
1.9.1
9 years
[PATCH v2] audit: removing unused variable
by Saurabh Sengar
variable rc is unnecessary, hence removing it;
also, as the return type of function audit_log_common_recv_msg is
nowhere used, changing it to void.
Signed-off-by: Saurabh Sengar <saurabh.truth(a)gmail.com>
---
kernel/audit.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 662c007..b572115 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -684,25 +684,24 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
return err;
}
-static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type)
+static void audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type)
{
- int rc = 0;
uid_t uid = from_kuid(&init_user_ns, current_uid());
pid_t pid = task_tgid_nr(current);
if (!audit_enabled && msg_type != AUDIT_USER_AVC) {
*ab = NULL;
- return rc;
+ return ;
}
*ab = audit_log_start(NULL, GFP_KERNEL, msg_type);
if (unlikely(!*ab))
- return rc;
+ return ;
audit_log_format(*ab, "pid=%d uid=%u", pid, uid);
audit_log_session_info(*ab);
audit_log_task_context(*ab);
- return rc;
+ return ;
}
int is_audit_feature_set(int i)
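Review bot: the three added `return ;` lines have a space before the semicolon, which checkpatch flags (use `return;`), and the last one, sitting immediately before the closing brace of a function that now returns void, is redundant and should be deleted rather than rewritten; only the two early returns inside the `if` bodies are needed.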
--
1.9.1
9 years
[PATCH] audit: make audit_log_common_recv_msg() a void function
by Paul Moore
It always returns zero and no one is checking the return value.
Signed-off-by: Paul Moore <pmoore(a)redhat.com>
---
kernel/audit.c | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 0b81880..4d3cdcd 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -699,24 +699,22 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
return err;
}
-static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type)
+static void audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type)
{
uid_t uid = from_kuid(&init_user_ns, current_uid());
pid_t pid = task_tgid_nr(current);
if (!audit_enabled && msg_type != AUDIT_USER_AVC) {
*ab = NULL;
- return 0;
+ return;
}
*ab = audit_log_start(NULL, GFP_KERNEL, msg_type);
if (unlikely(!*ab))
- return 0;
+ return;
audit_log_format(*ab, "pid=%d uid=%u", pid, uid);
audit_log_session_info(*ab);
audit_log_task_context(*ab);
-
- return 0;
}
int is_audit_feature_set(int i)
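Review bot: with the return value gone, `*ab == NULL` is the only signal a caller has that nothing was logged, and the hunk leaves it NULL on both early-return paths (the explicit `*ab = NULL;` when audit is disabled, and a NULL from `audit_log_start()` after it), so every call site must test `*ab` before using it; since the hunk changes only the definition and the log says no caller checked the old return value, it would be worth stating that the callers were also checked for that NULL test.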
9 years
[PATCH 2/2] Fixed Trivial Warnings in file: Deleted Spaces prior to tabs, and added lines. modified: kernel/auditfilter.c
by Scott Matheina
Signed-off-by: Scott Matheina <scott(a)matheina.com>
---
kernel/auditfilter.c | 17 ++++++++++-------
1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 7714d93..774f9ad 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -39,13 +39,13 @@
* Locking model:
*
* audit_filter_mutex:
- * Synchronizes writes and blocking reads of audit's filterlist
- * data. Rcu is used to traverse the filterlist and access
- * contents of structs audit_entry, audit_watch and opaque
- * LSM rules during filtering. If modified, these structures
- * must be copied and replace their counterparts in the filterlist.
- * An audit_parent struct is not accessed during filtering, so may
- * be written directly provided audit_filter_mutex is held.
+ * Synchronizes writes and blocking reads of audit's filterlist
+ * data. Rcu is used to traverse the filterlist and access
+ * contents of structs audit_entry, audit_watch and opaque
+ * LSM rules during filtering. If modified, these structures
+ * must be copied and replace their counterparts in the filterlist.
+ * An audit_parent struct is not accessed during filtering, so may
+ * be written directly provided audit_filter_mutex is held.
*/
/* Audit filter lists, defined in <linux/audit.h> */
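Review bot: this hunk is a whitespace-only change to the locking comment (spaces before tabs replaced), which renders identically on both sides here; that is fine for a cleanup, but the subject line should say so in the usual kernel form, e.g. "audit: fix whitespace in auditfilter.c locking comment", rather than the current free-form title with the file name appended.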
@@ -109,6 +109,7 @@ void audit_free_rule_rcu(struct rcu_head *head)
{
struct audit_entry *e = container_of(head, struct audit_entry, rcu);
audit_free_rule(e);
+
}
/* Initialize an audit filterlist entry. */
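Review bot: the blank line added after `audit_free_rule(e);`, directly before the closing brace of audit_free_rule_rcu(), is itself a checkpatch warning ("Blank lines aren't necessary before a close brace"), so this hunk trades one trivial warning for another; drop the added line.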
@@ -176,9 +177,11 @@ static __u32 *classes[AUDIT_SYSCALL_CLASSES];
int __init audit_register_class(int class, unsigned *list)
{
__u32 *p = kcalloc(AUDIT_BITMASK_SIZE, sizeof(__u32), GFP_KERNEL);
+
if (!p)
return -ENOMEM;
while (*list != ~0U) {
+
unsigned n = *list++;
if (n >= AUDIT_BITMASK_SIZE * 32 - AUDIT_SYSCALL_CLASSES) {
kfree(p);
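Review bot: the blank line added after the `__u32 *p = kcalloc(...)` declaration is the one checkpatch asks for (blank line after declarations), but the second one, added right after `while (*list != ~0U) {`, is a blank line after an open brace, which checkpatch warns about as well; keep the first and remove the second.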
--
1.9.1
9 years
Running auditd from Raspberry Pi (Raspbian)
by Kangkook Jee
Hi, all
From my Raspberry Pi machine (running the Debian Wheezy distribution), I could see that the kernel is built with audit enabled, and I managed to install the user-space audit client with the following command.
pi@raspberrypi ~ $ sudo apt-get install auditd
However, when I tried to enable audit issuing the following commands it doesn’t seem to run properly.
pi@raspberrypi ~ $ sudo auditctl -l
No rules
pi@raspberrypi ~ $ sudo auditctl -a entry,always -S open
Error detecting machine type
pi@raspberrypi ~ $ sudo auditctl -a entry,always -F arch=armeb -S open
arch=armeb machine type not found
Can anyone tell me whether audit supports ARM-based Linux systems?
Here's my system information, and thanks a lot in advance for your help!
pi@raspberrypi ~ $ sudo uname -a
Linux raspberrypi 3.18.11-v7+ #781 SMP PREEMPT Tue Apr 21 18:07:59 BST 2015 armv7l GNU/Linux
pi@raspberrypi ~ $ dpkg -l |grep audit
ii auditd 1:1.7.18-1.1 armhf User space tools for security auditing
ii libaudit0 1:1.7.18-1.1 armhf Dynamic library for security auditing
Regards, Kangkook
9 years