Re: linux-next: manual merge of the audit tree with Linus' tree
by Paul Moore
On Tuesday, October 06, 2015 01:55:01 PM Stephen Rothwell wrote:
> Hi Paul,
>
> Today's linux-next merge of the audit tree got a conflict in:
>
> include/linux/lsm_audit.h
>
> between commit:
>
> 671a2781ff01 ("security: add ioctl specific auditing to lsm_audit")
>
> from Linus' tree and commit:
>
> 43cfd5e38587 ("audit: constify parts of common_audit_data and
> lsm_network_audit")
>
> from the audit tree.
>
> I fixed it up (see below) and can carry the fix as necessary (no action
> is required).
Thanks, that patch looks correct, although I'm going to drop the patch causing
this problem for the time being as there are some oddities with the build
warning that you posted which aren't immediately obvious to me. Something
weird is causing it to work in audit#next but throw a warning when applied on
top of Linus' current ... I'll reapply the patch once I've resolved the issue.
--
paul moore
www.paul-moore.com
10 years
auditd.conf: flush set to DATA or SYNC does nothing on many kernels?
by Cat
Hello all,
I believe auditd's flush configuration can only be set to INCREMENTAL to
guarantee some form of log durability, while DATA or SYNC do nothing. Is
this is a known bug or did I misinterpret auditd.conf's man page?
In audit-event.c: in open_audit_log():
fcntl(F_SETFL, O_SYNC) is called on the already open log's file descriptor,
but O_SYNC (and O_DSYNC) are ignored by F_SETFL
You can check this in the kernel at
fs/fcntl.c:
#define SETFL_MASK (O_APPEND | O_NONBLOCK | O_NDELAY | O_DIRECT | O_NOATIME)
The fcntl() man page also indicates this expected behavior.
I checked both the kernel and audit source for CentOS 6.7 and Ubuntu
14.04.03 and I believe I've reproduced the problem on both distributions.
Thanks,
Cat
10 years
Two small errors in ausearch-parse.c
by Emily Ratliff
While testing usage of some tools, I stumbled across two small errors in
ausearch-parse.c. I have attached two patches
end-fix.patch fixes the segfaults which can be found by running
ausearch -m USER_AUTH,USER_ACCT --success no --if end-986-dump.log
and
ausearch -m USER_AUTH,USER_ACCT --success no --if error-ausearch.log
term-segfault.patch fixes the errors that can be found by running
aureport -if corrupt-log-for-aureport.log
and
ausearch -m USER_AUTH,USER_ACCT --success no --if
corrupt-log-for-ausearch.log
The erroneous log files were produced using zzuf. The corrupted log files
are also attached. It is unlikely that a user will encounter corrupted
audit log files in the wild, so these bugs aren't serious, but they are
easy to fix.
Emily
10 years
[PATCH] audit: constify parts of common_audit_data and lsm_network_audit
by Paul Moore
For the most part audit should never munge with any of the data in
these LSM common structs so constify as much as we can; this patch
handles some easy fields that don't require any real code changes.
Signed-off-by: Paul Moore <pmoore(a)redhat.com>
---
include/linux/lsm_audit.h | 8 ++++----
security/lsm_audit.c | 4 ++--
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h
index 1cc89e9..6c4c7ac 100644
--- a/include/linux/lsm_audit.h
+++ b/include/linux/lsm_audit.h
@@ -24,7 +24,7 @@
struct lsm_network_audit {
int netif;
- struct sock *sk;
+ const struct sock *sk;
u16 family;
__be16 dport;
__be16 sport;
@@ -55,7 +55,7 @@ struct common_audit_data {
#define LSM_AUDIT_DATA_DENTRY 10
union {
struct path path;
- struct dentry *dentry;
+ const struct dentry *dentry;
struct inode *inode;
struct lsm_network_audit *net;
int cap;
@@ -64,10 +64,10 @@ struct common_audit_data {
#ifdef CONFIG_KEYS
struct {
key_serial_t key;
- char *key_desc;
+ const char *key_desc;
} key_struct;
#endif
- char *kmod_name;
+ const char *kmod_name;
} u;
/* this union contains LSM specific data */
union {
diff --git a/security/lsm_audit.c b/security/lsm_audit.c
index 07fc997..bd61075 100644
--- a/security/lsm_audit.c
+++ b/security/lsm_audit.c
@@ -185,7 +185,7 @@ int ipv6_skb_to_auditdata(struct sk_buff *skb,
static inline void print_ipv6_addr(struct audit_buffer *ab,
- struct in6_addr *addr, __be16 port,
+ const struct in6_addr *addr, __be16 port,
char *name1, char *name2)
{
if (!ipv6_addr_any(addr))
@@ -288,7 +288,7 @@ static void dump_common_audit_data(struct audit_buffer *ab,
break;
case LSM_AUDIT_DATA_NET:
if (a->u.net->sk) {
- struct sock *sk = a->u.net->sk;
+ const struct sock *sk = a->u.net->sk;
struct unix_sock *u;
int len = 0;
char *p = NULL;
10 years
auditing kdbus service names
by Paul Moore
Hello all,
I'm currently working on a set of LSM hooks for the new kdbus IPC mechanism
and one of the things that I believe we will need to add is a new audit field
for the kdbus service name (very similar to the old fashioned dbus service
name). I was thinking "kdbus_svc" for the field name, any objections?
--
paul moore
security @ redhat
10 years
