[PATCH] audit: always enable syscall auditing when supported and audit is enabled
by Paul Moore
To the best of our knowledge, everyone who enables audit at compile
time also enables syscall auditing; this patch simplifies the Kconfig
menus by removing the option to disable syscall auditing when audit
is selected and the target arch supports it.
Signed-off-by: Paul Moore <pmoore(a)redhat.com>
---
init/Kconfig | 11 +++--------
1 file changed, 3 insertions(+), 8 deletions(-)
diff --git a/init/Kconfig b/init/Kconfig
index c24b6f7..d4663b1 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -299,20 +299,15 @@ config AUDIT
help
Enable auditing infrastructure that can be used with another
kernel subsystem, such as SELinux (which requires this for
- logging of avc messages output). Does not do system-call
- auditing without CONFIG_AUDITSYSCALL.
+ logging of avc messages output). System call auditing is included
+ on architectures which support it.
config HAVE_ARCH_AUDITSYSCALL
bool
config AUDITSYSCALL
- bool "Enable system-call auditing support"
+ def_bool y
depends on AUDIT && HAVE_ARCH_AUDITSYSCALL
- default y if SECURITY_SELINUX
- help
- Enable low-overhead system-call auditing infrastructure that
- can be used independently or with another kernel subsystem,
- such as SELinux.
config AUDIT_WATCH
def_bool y
5 years, 10 months
[PATCH] audit: add feature audit_lost reset
by Richard Guy Briggs
Add a method to reset the audit_lost value.
An AUDIT_SET message with the AUDIT_STATUS_LOST flag set by itself
will return a positive value repesenting the current audit_lost value
and reset the counter to zero. If AUDIT_STATUS_LOST is not the
only flag set, the reset command will be ignored. The value sent with
the command is ignored.
An AUDIT_LOST_RESET message will be queued to the listening audit
daemon. The message will be similar to a CONFIG_CHANGE message with the
fields "lost=0" and "old=" containing the value of audit_lost at reset
ending with a successful result code.
See: https://github.com/linux-audit/audit-kernel/issues/3
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
v3: Switch, from returing a message to the initiating process, to
queueing the message for the audit log.
v2: Switch from AUDIT_GET to AUDIT_SET, adding a +ve return code and
sending a dedicated AUDIT_LOST_RESET message.
---
include/uapi/linux/audit.h | 2 ++
kernel/audit.c | 16 +++++++++++++++-
2 files changed, 17 insertions(+), 1 deletions(-)
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 208df7b..6d38bff 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -70,6 +70,7 @@
#define AUDIT_TTY_SET 1017 /* Set TTY auditing status */
#define AUDIT_SET_FEATURE 1018 /* Turn an audit feature on or off */
#define AUDIT_GET_FEATURE 1019 /* Get which features are enabled */
+#define AUDIT_LOST_RESET 1020 /* Reset the audit_lost value */
#define AUDIT_FIRST_USER_MSG 1100 /* Userspace messages mostly uninteresting to kernel */
#define AUDIT_USER_AVC 1107 /* We filter this differently */
@@ -325,6 +326,7 @@ enum {
#define AUDIT_STATUS_RATE_LIMIT 0x0008
#define AUDIT_STATUS_BACKLOG_LIMIT 0x0010
#define AUDIT_STATUS_BACKLOG_WAIT_TIME 0x0020
+#define AUDIT_STATUS_LOST 0x0040
#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001
#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
diff --git a/kernel/audit.c b/kernel/audit.c
index f1ca116..441e8c0 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -122,7 +122,7 @@
3) suppressed due to audit_rate_limit
4) suppressed due to audit_backlog_limit
*/
-static atomic_t audit_lost = ATOMIC_INIT(0);
+static atomic_t audit_lost = ATOMIC_INIT(0);
/* The netlink socket. */
static struct sock *audit_sock;
@@ -920,6 +920,20 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
if (err < 0)
return err;
}
+ if (s.mask == AUDIT_STATUS_LOST) {
+ struct audit_buffer *ab;
+ u32 lost = atomic_xchg(&audit_lost, 0);
+
+ ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOST_RESET);
+ if (unlikely(!ab))
+ return lost;
+ audit_log_format(ab, "lost=0 old=%u", lost);
+ audit_log_session_info(ab);
+ audit_log_task_context(ab);
+ audit_log_format(ab, " res=1");
+ audit_log_end(ab);
+ return lost;
+ }
break;
}
case AUDIT_GET_FEATURE:
--
1.7.1
7 years, 11 months
Re: [PATCH 05/22] audit: Fix sleep in atomic
by Paul Moore
On Thu, Dec 22, 2016 at 4:15 AM, Jan Kara <jack(a)suse.cz> wrote:
> Audit tree code was happily adding new notification marks while holding
> spinlocks. Since fsnotify_add_mark() acquires group->mark_mutex this can
> lead to sleeping while holding a spinlock, deadlocks due to lock
> inversion, and probably other fun. Fix the problem by acquiring
> group->mark_mutex earlier.
>
> CC: Paul Moore <paul(a)paul-moore.com>
> Signed-off-by: Jan Kara <jack(a)suse.cz>
> ---
> kernel/audit_tree.c | 13 +++++++++++--
> 1 file changed, 11 insertions(+), 2 deletions(-)
[SIDE NOTE: this patch explains your comments and my earlier concern
about the locked/unlocked variants of fsnotify_add_mark() in
untag_chunk()]
Ouch. Thanks for catching this ... what is your goal with these
patches, are you targeting this as a fix during the v4.10-rcX cycle?
If not, any objections if I pull this patch into the audit tree and
send this to Linus during the v4.10-rcX cycle (assuming it passes
testing, yadda yadda)?
> diff --git a/kernel/audit_tree.c b/kernel/audit_tree.c
> index f3130eb0a4bd..156b6a93f4fc 100644
> --- a/kernel/audit_tree.c
> +++ b/kernel/audit_tree.c
> @@ -231,6 +231,7 @@ static void untag_chunk(struct node *p)
> if (size)
> new = alloc_chunk(size);
>
> + mutex_lock(&entry->group->mark_mutex);
> spin_lock(&entry->lock);
> if (chunk->dead || !entry->inode) {
> spin_unlock(&entry->lock);
> @@ -258,7 +259,8 @@ static void untag_chunk(struct node *p)
> if (!new)
> goto Fallback;
>
> - if (fsnotify_add_mark(&new->mark, entry->group, entry->inode, NULL, 1)) {
> + if (fsnotify_add_mark_locked(&new->mark, entry->group, entry->inode,
> + NULL, 1)) {
> fsnotify_put_mark(&new->mark);
> goto Fallback;
> }
> @@ -309,6 +311,7 @@ static void untag_chunk(struct node *p)
> spin_unlock(&hash_lock);
> spin_unlock(&entry->lock);
> out:
> + mutex_unlock(&entry->group->mark_mutex);
> fsnotify_put_mark(entry);
> spin_lock(&hash_lock);
> }
> @@ -385,17 +388,21 @@ static int tag_chunk(struct inode *inode, struct audit_tree *tree)
>
> chunk_entry = &chunk->mark;
>
> + mutex_lock(&old_entry->group->mark_mutex);
> spin_lock(&old_entry->lock);
> if (!old_entry->inode) {
> /* old_entry is being shot, lets just lie */
> spin_unlock(&old_entry->lock);
> + mutex_unlock(&old_entry->group->mark_mutex);
> fsnotify_put_mark(old_entry);
> free_chunk(chunk);
> return -ENOENT;
> }
>
> - if (fsnotify_add_mark(chunk_entry, old_entry->group, old_entry->inode, NULL, 1)) {
> + if (fsnotify_add_mark_locked(chunk_entry, old_entry->group,
> + old_entry->inode, NULL, 1)) {
> spin_unlock(&old_entry->lock);
> + mutex_unlock(&old_entry->group->mark_mutex);
> fsnotify_put_mark(chunk_entry);
> fsnotify_put_mark(old_entry);
> return -ENOSPC;
> @@ -411,6 +418,7 @@ static int tag_chunk(struct inode *inode, struct audit_tree *tree)
> chunk->dead = 1;
> spin_unlock(&chunk_entry->lock);
> spin_unlock(&old_entry->lock);
> + mutex_unlock(&old_entry->group->mark_mutex);
>
> fsnotify_destroy_mark(chunk_entry, audit_tree_group);
>
> @@ -443,6 +451,7 @@ static int tag_chunk(struct inode *inode, struct audit_tree *tree)
> spin_unlock(&hash_lock);
> spin_unlock(&chunk_entry->lock);
> spin_unlock(&old_entry->lock);
> + mutex_unlock(&old_entry->group->mark_mutex);
> fsnotify_destroy_mark(old_entry, audit_tree_group);
> fsnotify_put_mark(chunk_entry); /* drop initial reference */
> fsnotify_put_mark(old_entry); /* pair to fsnotify_find mark_entry */
> --
> 2.10.2
>
--
paul moore
www.paul-moore.com
7 years, 11 months
Re: [PATCH 06/22] audit: Abstract hash key handling
by Paul Moore
On Thu, Dec 22, 2016 at 4:15 AM, Jan Kara <jack(a)suse.cz> wrote:
> Audit tree currently uses inode pointer as a key into the hash table.
> Getting that from notification mark will be somewhat more difficult with
> coming fsnotify changes and there's no reason we really have to use the
> inode pointer. So abstract getting of hash key from the audit chunk and
> inode so that we can switch to a different key easily later.
>
> CC: Paul Moore <paul(a)paul-moore.com>
> Signed-off-by: Jan Kara <jack(a)suse.cz>
> ---
> kernel/audit_tree.c | 39 ++++++++++++++++++++++++++++-----------
> 1 file changed, 28 insertions(+), 11 deletions(-)
I have no objections with this patch in particular, but in patch 8,
are you certain that inode_to_key() and chunk_to_key() will continue
to return the same key value?
> diff --git a/kernel/audit_tree.c b/kernel/audit_tree.c
> index 156b6a93f4fc..f0859828de09 100644
> --- a/kernel/audit_tree.c
> +++ b/kernel/audit_tree.c
> @@ -163,33 +163,48 @@ enum {HASH_SIZE = 128};
> static struct list_head chunk_hash_heads[HASH_SIZE];
> static __cacheline_aligned_in_smp DEFINE_SPINLOCK(hash_lock);
>
> -static inline struct list_head *chunk_hash(const struct inode *inode)
> +/* Function to return search key in our hash from inode. */
> +static unsigned long inode_to_key(const struct inode *inode)
> {
> - unsigned long n = (unsigned long)inode / L1_CACHE_BYTES;
> + return (unsigned long)inode;
> +}
> +
> +/*
> + * Function to return search key in our hash from chunk. Key 0 is special and
> + * should never be present in the hash.
> + */
> +static unsigned long chunk_to_key(struct audit_chunk *chunk)
> +{
> + return (unsigned long)chunk->mark.inode;
> +}
> +
> +static inline struct list_head *chunk_hash(unsigned long key)
> +{
> + unsigned long n = key / L1_CACHE_BYTES;
> return chunk_hash_heads + n % HASH_SIZE;
> }
>
> /* hash_lock & entry->lock is held by caller */
> static void insert_hash(struct audit_chunk *chunk)
> {
> - struct fsnotify_mark *entry = &chunk->mark;
> + unsigned long key = chunk_to_key(chunk);
> struct list_head *list;
>
> - if (!entry->inode)
> + if (!key)
> return;
> - list = chunk_hash(entry->inode);
> + list = chunk_hash(key);
> list_add_rcu(&chunk->hash, list);
> }
>
> /* called under rcu_read_lock */
> struct audit_chunk *audit_tree_lookup(const struct inode *inode)
> {
> - struct list_head *list = chunk_hash(inode);
> + unsigned long key = inode_to_key(inode);
> + struct list_head *list = chunk_hash(key);
> struct audit_chunk *p;
>
> list_for_each_entry_rcu(p, list, hash) {
> - /* mark.inode may have gone NULL, but who cares? */
> - if (p->mark.inode == inode) {
> + if (chunk_to_key(p) == key) {
> atomic_long_inc(&p->refs);
> return p;
> }
> @@ -585,7 +600,8 @@ int audit_remove_tree_rule(struct audit_krule *rule)
>
> static int compare_root(struct vfsmount *mnt, void *arg)
> {
> - return d_backing_inode(mnt->mnt_root) == arg;
> + return inode_to_key(d_backing_inode(mnt->mnt_root)) ==
> + (unsigned long)arg;
> }
>
> void audit_trim_trees(void)
> @@ -620,9 +636,10 @@ void audit_trim_trees(void)
> list_for_each_entry(node, &tree->chunks, list) {
> struct audit_chunk *chunk = find_chunk(node);
> /* this could be NULL if the watch is dying else where... */
> - struct inode *inode = chunk->mark.inode;
> node->index |= 1U<<31;
> - if (iterate_mounts(compare_root, inode, root_mnt))
> + if (iterate_mounts(compare_root,
> + (void *)chunk_to_key(chunk),
> + root_mnt))
> node->index &= ~(1U<<31);
> }
> spin_unlock(&hash_lock);
> --
> 2.10.2
>
--
paul moore
www.paul-moore.com
7 years, 11 months
Re: [PATCH 04/22] fsnotify: Remove fsnotify_duplicate_mark()
by Paul Moore
On Thu, Dec 22, 2016 at 4:15 AM, Jan Kara <jack(a)suse.cz> wrote:
> There are only two calls sites of fsnotify_duplicate_mark(). Those are
> in kernel/audit_tree.c and both are bogus. Vfsmount pointer is unused
> for audit tree, inode pointer and group gets set in
> fsnotify_add_mark_locked() later anyway, mask and free_mark are already
> set in alloc_chunk(). In fact, calling fsnotify_duplicate_mark() is
> actively harmful because following fsnotify_add_mark_locked() will leak
> group reference by overwriting the group pointer. So just remove the two
> calls to fsnotify_duplicate_mark() and the function.
>
> Signed-off-by: Jan Kara <jack(a)suse.cz>
> ---
> fs/notify/mark.c | 12 ------------
> include/linux/fsnotify_backend.h | 2 --
> kernel/audit_tree.c | 6 ++----
> 3 files changed, 2 insertions(+), 18 deletions(-)
At first glance this looks reasonable, although you keep mentioning
"fsnotify_add_mark_locked" above when untag_chunk() is calling
"fsnotify_add_mark"; I just wanted to make sure you hadn't intended to
take the mutex in the audit code instead of relying on the locking in
fsnotify_add_mark().
> diff --git a/fs/notify/mark.c b/fs/notify/mark.c
> index d3fea0bd89e2..6043306e8e21 100644
> --- a/fs/notify/mark.c
> +++ b/fs/notify/mark.c
> @@ -510,18 +510,6 @@ void fsnotify_detach_group_marks(struct fsnotify_group *group)
> }
> }
>
> -void fsnotify_duplicate_mark(struct fsnotify_mark *new, struct fsnotify_mark *old)
> -{
> - assert_spin_locked(&old->lock);
> - new->inode = old->inode;
> - new->mnt = old->mnt;
> - if (old->group)
> - fsnotify_get_group(old->group);
> - new->group = old->group;
> - new->mask = old->mask;
> - new->free_mark = old->free_mark;
> -}
> -
> /*
> * Nothing fancy, just initialize lists and locks and counters.
> */
> diff --git a/include/linux/fsnotify_backend.h b/include/linux/fsnotify_backend.h
> index 0cf34d6cc253..487246546ebe 100644
> --- a/include/linux/fsnotify_backend.h
> +++ b/include/linux/fsnotify_backend.h
> @@ -323,8 +323,6 @@ extern void fsnotify_init_mark(struct fsnotify_mark *mark, void (*free_mark)(str
> extern struct fsnotify_mark *fsnotify_find_inode_mark(struct fsnotify_group *group, struct inode *inode);
> /* find (and take a reference) to a mark associated with group and vfsmount */
> extern struct fsnotify_mark *fsnotify_find_vfsmount_mark(struct fsnotify_group *group, struct vfsmount *mnt);
> -/* copy the values from old into new */
> -extern void fsnotify_duplicate_mark(struct fsnotify_mark *new, struct fsnotify_mark *old);
> /* set the ignored_mask of a mark */
> extern void fsnotify_set_mark_ignored_mask_locked(struct fsnotify_mark *mark, __u32 mask);
> /* set the mask of a mark (might pin the object into memory */
> diff --git a/kernel/audit_tree.c b/kernel/audit_tree.c
> index 8b1dde96a0fa..f3130eb0a4bd 100644
> --- a/kernel/audit_tree.c
> +++ b/kernel/audit_tree.c
> @@ -258,8 +258,7 @@ static void untag_chunk(struct node *p)
> if (!new)
> goto Fallback;
>
> - fsnotify_duplicate_mark(&new->mark, entry);
> - if (fsnotify_add_mark(&new->mark, new->mark.group, new->mark.inode, NULL, 1)) {
> + if (fsnotify_add_mark(&new->mark, entry->group, entry->inode, NULL, 1)) {
> fsnotify_put_mark(&new->mark);
> goto Fallback;
> }
> @@ -395,8 +394,7 @@ static int tag_chunk(struct inode *inode, struct audit_tree *tree)
> return -ENOENT;
> }
>
> - fsnotify_duplicate_mark(chunk_entry, old_entry);
> - if (fsnotify_add_mark(chunk_entry, chunk_entry->group, chunk_entry->inode, NULL, 1)) {
> + if (fsnotify_add_mark(chunk_entry, old_entry->group, old_entry->inode, NULL, 1)) {
> spin_unlock(&old_entry->lock);
> fsnotify_put_mark(chunk_entry);
> fsnotify_put_mark(old_entry);
> --
> 2.10.2
>
--
paul moore
www.paul-moore.com
8 years
Re: [PATCH 0/22] fsnotify: Avoid SRCU stalls with fanotify permission events
by Paul Moore
On Thu, Dec 22, 2016 at 4:15 AM, Jan Kara <jack(a)suse.cz> wrote:
> Hello,
>
> currently, fanotify waits for response to a permission even from userspace
> process while holding fsnotify_mark_srcu lock. That has a consequence that
> when userspace process takes long to respond or does not respond at all,
> fsnotify_mark_srcu period cannot ever complete blocking reclaim of any
> notification marks and also blocking any process that did synchronize_srcu()
> on fsnotify_mark_srcu. Effectively, this eventually blocks anybody interacting
> with the notification subsystem. Miklos has some real world reports of this
> happening. Although this in principle a problem of broken userspace
> application (which futhermore has to have CAP_SYS_ADMIN in init_user_ns, so
> it is not a security problem), it is still nasty that a simple error can
> block the kernel like this.
>
> This patch set solves this problem ...
>
> Patches have survived testing with inotify/fanotify tests in LTP. I didn't test
> audit - Paul can you give these patches some testing? Since some of the
> changes are really non-trivial, I'd welcome if someone reviewed the patch set.
I'm going to take a look at the audit related patches right now,
expect some feedback shortly.
In the meantime, if you wanted to play a bit with some simple audit
regression tests, check out the testsuite below:
* https://github.com/linux-audit/audit-testsuite
... it is still rather simplistic, but the tests in tests/file_* and
tests/exec_name should do some basic exercises of the audit code that
leverages fsnotify. If nothing else, it should give you some ideas
about how you might stress this a bit more with audit.
--
paul moore
www.paul-moore.com
8 years
Re: [PATCH 1/2] selinux: log errors when loading new policy
by Stephen Smalley
On Sat, 2016-12-17 at 20:48 +0000, Gary Tierney wrote:
> Adds error and warning messages to the codepaths which can fail when
> loading a new policy. If a policy fails to load, an error message
> will
> be printed to dmesg with a description of what failed. Previously if
> there was an error during policy loading there would be no indication
> that it failed.
>
> Signed-off-by: Gary Tierney <gary.tierney(a)gmx.com>
> ---
> security/selinux/selinuxfs.c | 26 +++++++++++++++++++++-----
> 1 file changed, 21 insertions(+), 5 deletions(-)
>
> diff --git a/security/selinux/selinuxfs.c
> b/security/selinux/selinuxfs.c
> index 0aac402..2139cc7 100644
> --- a/security/selinux/selinuxfs.c
> +++ b/security/selinux/selinuxfs.c
> @@ -522,20 +522,32 @@ static ssize_t sel_write_load(struct file
> *file, const char __user *buf,
> goto out;
>
> length = security_load_policy(data, count);
> - if (length)
> + if (length) {
> + pr_err("SELinux: %s: failed to load policy\n",
> + __func__);
Not sure about your usage of pr_err() vs pr_warn();
security_load_policy() may simply fail due to invalid policy from
userspace, not a kernel-internal error per se.
I would tend to omit the function name; I don't think it is especially
helpful.
There was an earlier discussion about augmenting the audit logging from
this function, so this might overlap with that. I don't know where
that stands.
> goto out;
> + }
>
> length = sel_make_bools();
> - if (length)
> + if (length) {
> + pr_warn("SELinux: %s: failed to load policy
> booleans\n",
> + __func__);
> goto out1;
> + }
>
> length = sel_make_classes();
> - if (length)
> + if (length) {
> + pr_warn("SELinux: %s: failed to load policy
> classes\n",
> + __func__);
> goto out1;
> + }
>
> length = sel_make_policycap();
> - if (length)
> + if (length) {
> + pr_warn("SELinux: %s: failed to load policy
> capabilities\n",
> + __func__);
> goto out1;
> + }
>
> length = count;
>
> @@ -1299,9 +1311,13 @@ static int sel_make_bools(void)
>
> isec = (struct inode_security_struct *)inode-
> >i_security;
> ret = security_genfs_sid("selinuxfs", page,
> SECCLASS_FILE, &sid);
> - if (ret)
> + if (ret) {
> + pr_warn_ratelimited("SELinux: %s: failed to
> lookup sid for %s\n",
> + __func__, page);
> goto out;
>
> + }
> +
> isec->sid = sid;
> isec->initialized = LABEL_INITIALIZED;
> inode->i_fop = &sel_bool_ops;
8 years
[PATCH v2] audit: add feature audit_lost reset
by Richard Guy Briggs
Add a method to reset the audit_lost value.
An AUDIT_SET message with the AUDIT_STATUS_LOST flag set by itself
will return a positive value repesenting the current audit_lost value
and reset the counter to zero. If AUDIT_STATUS_LOST is not the
only flag set, the reset command will be ignored. The value sent with
the command is ignored.
An AUDIT_LOST_RESET message will be sent to the listening audit daemon.
The data field will contain a u32 with the positive value of the
audit_lost value when it was reset.
See: https://github.com/linux-audit/audit-kernel/issues/3
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
include/uapi/linux/audit.h | 2 ++
kernel/audit.c | 8 +++++++-
2 files changed, 9 insertions(+), 1 deletions(-)
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 208df7b..6d38bff 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -70,6 +70,7 @@
#define AUDIT_TTY_SET 1017 /* Set TTY auditing status */
#define AUDIT_SET_FEATURE 1018 /* Turn an audit feature on or off */
#define AUDIT_GET_FEATURE 1019 /* Get which features are enabled */
+#define AUDIT_LOST_RESET 1020 /* Reset the audit_lost value */
#define AUDIT_FIRST_USER_MSG 1100 /* Userspace messages mostly uninteresting to kernel */
#define AUDIT_USER_AVC 1107 /* We filter this differently */
@@ -325,6 +326,7 @@ enum {
#define AUDIT_STATUS_RATE_LIMIT 0x0008
#define AUDIT_STATUS_BACKLOG_LIMIT 0x0010
#define AUDIT_STATUS_BACKLOG_WAIT_TIME 0x0020
+#define AUDIT_STATUS_LOST 0x0040
#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001
#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
diff --git a/kernel/audit.c b/kernel/audit.c
index f1ca116..19cfee0 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -122,7 +122,7 @@
3) suppressed due to audit_rate_limit
4) suppressed due to audit_backlog_limit
*/
-static atomic_t audit_lost = ATOMIC_INIT(0);
+static atomic_t audit_lost = ATOMIC_INIT(0);
/* The netlink socket. */
static struct sock *audit_sock;
@@ -920,6 +920,12 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
if (err < 0)
return err;
}
+ if (s.mask == AUDIT_STATUS_LOST) {
+ u32 lost = atomic_xchg(&audit_lost, 0);
+
+ audit_send_reply(skb, seq, AUDIT_LOST_RESET, 0, 0, &lost, sizeof(lost));
+ return lost;
+ }
break;
}
case AUDIT_GET_FEATURE:
--
1.7.1
8 years
audit 2.7 released
by Steve Grubb
Hello,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:
- Remove config file permission checks in auparse
- Audisp-remote should detect normal socket close and mark remote_ended
- Allow auditctl to list rules if no capabilities but root euid
- In libaudit, use the last word of the syscall bit mask
- In auditd, write_logs option was not correctly handled (#1382397)
- In libaudit, allow filtering on new exclude filter fields (Richard Guy Briggs)
- In auditd, fix looping when checking active connections
- In auparse, the auparse_state_t pointer to keep escape_mode information
- In libaudit, add support for rules using sessionid (Richard Guy Briggs)
- Remove entry filter support
- Add auparse_destroy_ext function
- Improve ENRICHED logging format performance in auditd
- Fix regex rule file matching in augenrules (#1396792)
- Add numeric field/record accessors to auparse
- Fix auditd freeing in middle of reply buffer when nolog is used
- Switch auparse uid/gid cache to lru to limit growth
- Prevent ausearch from clobbering type field on loginuid search
- Add audit_get_session function to libaudit
- Add session and uid to most audit events
- Add auparse_classify code interface for subj, obj, action, results
The main goal of this update is to land the auparse_classify interface to
auparse. This will unlock many new capabilities in subsequent releases of the
2.7 series. If you are a programmer and do stuff with R or machine learning,
let me know. This is aimed squarely at transforming data into knowledge.
Aside from that, this fixes remote logging, and logging with the nolog and
write_logs = no option, it allows audit rules on the new exclude filter fields
and rules that use sessionid.
The entry filter support has been dropped. It was deprecated a couple years
ago. There are performance enhancements and correctness fixes.
Please let me know if you run across any problems with this release.
-Steve
8 years
