[PATCH] audit: mark expected switch fall-through
by Gustavo A. R. Silva
In preparation to enabling -Wimplicit-fallthrough, mark switch
cases where we are expecting to fall through.
This patch fixes the following warning:
kernel/auditfilter.c: In function ‘audit_krule_to_data’:
kernel/auditfilter.c:668:7: warning: this statement may fall through [-Wimplicit-fallthrough=]
if (krule->pflags & AUDIT_LOGINUID_LEGACY && !f->val) {
^
kernel/auditfilter.c:674:3: note: here
default:
^~~~~~~
Warning level 3 was used: -Wimplicit-fallthrough=3
Notice that, in this particular case, the code comment is modified
in accordance with what GCC is expecting to find.
This patch is part of the ongoing efforts to enable
-Wimplicit-fallthrough.
Signed-off-by: Gustavo A. R. Silva <gustavo(a)embeddedor.com>
---
kernel/auditfilter.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index add360b46b38..63f8b3f26fab 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -670,7 +670,7 @@ static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule)
data->values[i] = AUDIT_UID_UNSET;
break;
}
- /* fallthrough if set */
+ /* fall through - if set */
default:
data->values[i] = f->val;
}
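Review bot: the reworded comment above `default:` still says only "if set" without naming what is set. The guard quoted in the commit message is `krule->pflags & AUDIT_LOGINUID_LEGACY && !f->val`, so the text after the dash could spell the condition out (for example "fall through - if f->val is set") while keeping the "fall through -" prefix the commit message says GCC expects.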
--
2.20.1
4 years, 7 months
[PATCH ghak90 V6 00/10] audit: implement container identifier
by Richard Guy Briggs
Implement kernel audit container identifier.
This patchset is a fifth based on the proposal document (V3)
posted:
https://www.redhat.com/archives/linux-audit/2018-January/msg00014.html
The first patch was the last patch from ghak81 that was absorbed into
this patchset since its primary justification is the rest of this
patchset.
The second patch implements the proc fs write to set the audit container
identifier of a process, emitting an AUDIT_CONTAINER_OP record to
announce the registration of that audit container identifier on that
process. This patch requires userspace support for record acceptance
and proper type display.
The third implements reading the audit container identifier from the
proc filesystem for debugging. This patch wasn't planned for upstream
inclusion but is starting to become more likely.
The fourth implements the auxiliary record AUDIT_CONTAINER_ID if an audit
container identifier is associated with an event. This patch requires
userspace support for proper type display.
The 5th adds audit daemon signalling provenance through audit_sig_info2.
The 6th creates a local audit context to be able to bind a standalone
record with a locally created auxiliary record.
The 7th patch adds audit container identifier records to the user
standalone records.
The 8th adds audit container identifier filtering to the exit,
exclude and user lists. This patch adds the AUDIT_CONTID field and
requires auditctl userspace support for the --contid option.
The 9th adds network namespace audit container identifier labelling
based on member tasks' audit container identifier labels.
The 10th adds audit container identifier support to standalone netfilter
records that don't have a task context and lists each container to which
that net namespace belongs.
Example: Set an audit container identifier of 123456 to the "sleep" task:
sleep 2&
child=$!
echo 123456 > /proc/$child/audit_containerid; echo $?
ausearch -ts recent -m container_op
echo child:$child contid:$( cat /proc/$child/audit_containerid)
This should produce a record such as:
type=CONTAINER_OP msg=audit(2018-06-06 12:39:29.636:26949) : op=set opid=2209 contid=123456 old-contid=18446744073709551615 pid=628 auid=root uid=root tty=ttyS0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 comm=bash exe=/usr/bin/bash res=yes
Example: Set a filter on an audit container identifier 123459 on /tmp/tmpcontainerid:
contid=123459
key=tmpcontainerid
auditctl -a exit,always -F dir=/tmp -F perm=wa -F contid=$contid -F key=$key
perl -e "sleep 1; open(my \$tmpfile, '>', \"/tmp/$key\"); close(\$tmpfile);" &
child=$!
echo $contid > /proc/$child/audit_containerid
sleep 2
ausearch -i -ts recent -k $key
auditctl -d exit,always -F dir=/tmp -F perm=wa -F contid=$contid -F key=$key
rm -f /tmp/$key
This should produce an event such as:
type=CONTAINER_ID msg=audit(2018-06-06 12:46:31.707:26953) : contid=123459
type=PROCTITLE msg=audit(2018-06-06 12:46:31.707:26953) : proctitle=perl -e sleep 1; open(my $tmpfile, '>', "/tmp/tmpcontainerid"); close($tmpfile);
type=PATH msg=audit(2018-06-06 12:46:31.707:26953) : item=1 name=/tmp/tmpcontainerid inode=25656 dev=00:26 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(2018-06-06 12:46:31.707:26953) : item=0 name=/tmp/ inode=8985 dev=00:26 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(2018-06-06 12:46:31.707:26953) : cwd=/root
type=SYSCALL msg=audit(2018-06-06 12:46:31.707:26953) : arch=x86_64 syscall=openat success=yes exit=3 a0=0xffffffffffffff9c a1=0x5621f2b81900 a2=O_WRONLY|O_CREAT|O_TRUNC a3=0x1b6 items=2 ppid=628 pid=2232 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=ttyS0 ses=1 comm=perl exe=/usr/bin/perl subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=tmpcontainerid
Example: Test multiple containers on one netns:
sleep 5 &
child1=$!
containerid1=123451
echo $containerid1 > /proc/$child1/audit_containerid
sleep 5 &
child2=$!
containerid2=123452
echo $containerid2 > /proc/$child2/audit_containerid
iptables -I INPUT -i lo -p icmp --icmp-type echo-request -j AUDIT --type accept
iptables -I INPUT -t mangle -i lo -p icmp --icmp-type echo-request -j MARK --set-mark 0x12345555
sleep 1;
bash -c "ping -q -c 1 127.0.0.1 >/dev/null 2>&1"
sleep 1;
ausearch -i -m NETFILTER_PKT -ts boot|grep mark=0x12345555
ausearch -i -m NETFILTER_PKT -ts boot|grep contid=|grep $containerid1|grep $containerid2
This should produce an event such as:
type=NETFILTER_PKT msg=audit(03/15/2019 14:16:13.369:244) : mark=0x12345555 saddr=127.0.0.1 daddr=127.0.0.1 proto=icmp
type=CONTAINER_ID msg=audit(03/15/2019 14:16:13.369:244) : contid=123452,123451
Includes the last patch of https://github.com/linux-audit/audit-kernel/issues/81
Please see the github audit kernel issue for the main feature:
https://github.com/linux-audit/audit-kernel/issues/90
and the kernel filter code:
https://github.com/linux-audit/audit-kernel/issues/91
and the network support:
https://github.com/linux-audit/audit-kernel/issues/92
Please see the github audit userspace issue for supporting record types:
https://github.com/linux-audit/audit-userspace/issues/51
and filter code:
https://github.com/linux-audit/audit-userspace/issues/40
Please see the github audit testsuite issue for the test case:
https://github.com/linux-audit/audit-testsuite/issues/64
Please see the github audit wiki for the feature overview:
https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID
Changelog:
v6
- change TMPBUFLEN from 11 to 21 to cover the decimal value of contid
u64 (nhorman)
- fix bug overwriting ctx in struct audit_sig_info, move cid above
ctx[0] (nhorman)
- fix bug skipping remaining fields and not advancing bufp when copying
out contid in audit_krule_to_data (omosnacec)
- add acks, tidy commit descriptions, other formatting fixes (checkpatch
wrong on audit_log_lost)
- cast ull for u64 prints
- target_cid tracking was moved from the ptrace/signal patch to
container_op
- target ptrace and signal records were moved from the ptrace/signal
patch to container_id
- auditd signaller tracking was moved to a new AUDIT_SIGNAL_INFO2
request and record
- ditch unnecessary list_empty() checks
- check for null net and aunet in audit_netns_contid_add()
- swap CONTAINER_OP contid/old-contid order to ease parsing
v5
- address loginuid and sessionid syscall scope in ghak104
- address audit_context in CONFIG_AUDIT vs CONFIG_AUDITSYSCALL in ghak105
- remove tty patch, addressed in ghak106
- rebase on audit/next v5.0-rc1
w/ghak59/ghak104/ghak103/ghak100/ghak107/ghak105/ghak106/ghak105sup
- update CONTAINER_ID to CONTAINER_OP in patch description
- move audit_context in audit_task_info to CONFIG_AUDITSYSCALL
- move audit_alloc() and audit_free() out of CONFIG_AUDITSYSCALL and into
CONFIG_AUDIT and create audit_{alloc,free}_syscall
- use plain kmem_cache_alloc() rather than kmem_cache_zalloc() in audit_alloc()
- fix audit_get_contid() declaration type error
- move audit_set_contid() from auditsc.c to audit.c
- audit_log_contid() returns void
- audit_log_contid() handed contid rather than tsk
- switch from AUDIT_CONTAINER to AUDIT_CONTAINER_ID for aux record
- move audit_log_contid(tsk/contid) & audit_contid_set(tsk)/audit_contid_valid(contid)
- switch from tsk to current
- audit_alloc_local() calls audit_log_lost() on failure to allocate a context
- add AUDIT_USER* non-syscall contid record
- cosmetic cleanup double parens, goto out on err
- ditch audit_get_ns_contid_list_lock(), fix aunet lock race
- switch from all-cpu read spinlock to rcu, keep spinlock for write
- update audit_alloc_local() to use ktime_get_coarse_real_ts64()
- add nft_log support
- add call from do_exit() in audit_free() to remove contid from netns
- relegate AUDIT_CONTAINER ref= field (was op=) to debug patch
v4
- preface set with ghak81:"collect audit task parameters"
- add shallyn and sgrubb acks
- rename feature bitmap macro
- rename cid_valid() to audit_contid_valid()
- rename AUDIT_CONTAINER_ID to AUDIT_CONTAINER_OP
- delete audit_get_contid_list() from headers
- move work into inner if, delete "found"
- change netns contid list function names
- move exports for audit_log_contid audit_alloc_local audit_free_context to non-syscall patch
- list contids CSV
- pass in gfp flags to audit_alloc_local() (fix audit_alloc_context callers)
- use "local" in lieu of abusing in_syscall for auditsc_get_stamp()
- read_lock(&tasklist_lock) around children and thread check
- task_lock(tsk) should be taken before first check of tsk->audit
- add spin lock to contid list in aunet
- restrict /proc read to CAP_AUDIT_CONTROL
- remove set again prohibition and inherited flag
- delete contidion spelling fix from patchset, send to netdev/linux-wireless
v3
- switched from containerid in task_struct to audit_task_info (depends on ghak81)
- drop INVALID_CID in favour of only AUDIT_CID_UNSET
- check for !audit_task_info, throw -ENOPROTOOPT on set
- changed -EPERM to -EEXIST for parent check
- return AUDIT_CID_UNSET if !audit_enabled
- squash child/thread check patch into AUDIT_CONTAINER_ID patch
- changed -EPERM to -EBUSY for child check
- separate child and thread checks, use -EALREADY for latter
- move addition of op= from ptrace/signal patch to AUDIT_CONTAINER patch
- fix && to || bashism in ptrace/signal patch
- uninline and export function for audit_free_context()
- drop CONFIG_CHANGE, FEATURE_CHANGE, ANOM_ABEND, ANOM_SECCOMP patches
- move audit_enabled check (xt_AUDIT)
- switched from containerid list in struct net to net_generic's struct audit_net
- move containerid list iteration into audit (xt_AUDIT)
- create function to move namespace switch into audit
- switched /proc/PID/ entry from containerid to audit_containerid
- call kzalloc with GFP_ATOMIC on in_atomic() in audit_alloc_context()
- call kzalloc with GFP_ATOMIC on in_atomic() in audit_log_container_info()
- use xt_net(par) instead of sock_net(skb->sk) to get net
- switched record and field names: initial CONTAINER_ID, aux CONTAINER, field CONTID
- allow to set own contid
- open code audit_set_containerid
- add contid inherited flag
- ccontainerid and pcontainerid eliminated due to inherited flag
- change name of container list functions
- rename containerid to contid
- convert initial container record to syscall aux
- fix spelling mistake of contidion in net/rfkill/core.c to avoid contid name collision
v2
- add check for children and threads
- add network namespace container identifier list
- add NETFILTER_PKT audit container identifier logging
- patch description and documentation clean-up and example
- reap unused ppid
Richard Guy Briggs (10):
audit: collect audit task parameters
audit: add container id
audit: read container ID of a process
audit: log container info of syscalls
audit: add contid support for signalling the audit daemon
audit: add support for non-syscall auxiliary records
audit: add containerid support for user records
audit: add containerid filtering
audit: add support for containerid to network namespaces
audit: NETFILTER_PKT: record each container ID associated with a netNS
fs/proc/base.c | 57 +++++++-
include/linux/audit.h | 113 +++++++++++++--
include/linux/sched.h | 7 +-
include/uapi/linux/audit.h | 9 +-
init/init_task.c | 3 +-
init/main.c | 2 +
kernel/audit.c | 325 ++++++++++++++++++++++++++++++++++++++++++--
kernel/audit.h | 9 ++
kernel/auditfilter.c | 47 +++++++
kernel/auditsc.c | 90 ++++++++----
kernel/fork.c | 1 -
kernel/nsproxy.c | 4 +
net/netfilter/nft_log.c | 11 +-
net/netfilter/xt_AUDIT.c | 11 +-
security/selinux/nlmsgtab.c | 1 +
15 files changed, 627 insertions(+), 63 deletions(-)
--
1.8.3.1
5 years, 5 months
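The record layout shown in the posting's examples, as an added Python example that is not part of the original posting or of the audit project's code: it groups `ausearch -i` style records by event and reads container identifiers only from CONTAINER_ID and CONTAINER_OP records, so a command line that happens to contain "contid=" is not mistaken for a label. The function names and the final PROCTITLE sample line are constructed for this example.

```python
import re

# old-contid in the CONTAINER_OP sample above: all-ones u64, meaning "not set".
CONTID_UNSET = 18446744073709551615

# Accepts "msg=audit(stamp:serial) : body" (ausearch -i) and "msg=audit(...): body".
HEADER = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<stamp>[^)]*):(?P<serial>\d+)\)\s*:\s*(?P<body>.*)$"
)

# Records shortened from the sample output quoted in the posting; the final
# PROCTITLE line is constructed to show free text that merely contains "contid=".
SAMPLE = """\
type=CONTAINER_OP msg=audit(2018-06-06 12:39:29.636:26949) : op=set opid=2209 contid=123456 old-contid=18446744073709551615 pid=628 auid=root uid=root comm=bash exe=/usr/bin/bash res=yes
type=CONTAINER_ID msg=audit(2018-06-06 12:46:31.707:26953) : contid=123459
type=SYSCALL msg=audit(2018-06-06 12:46:31.707:26953) : arch=x86_64 syscall=openat success=yes exit=3 items=2 ppid=628 pid=2232 comm=perl exe=/usr/bin/perl key=tmpcontainerid
type=NETFILTER_PKT msg=audit(03/15/2019 14:16:13.369:244) : mark=0x12345555 saddr=127.0.0.1 daddr=127.0.0.1 proto=icmp
type=CONTAINER_ID msg=audit(03/15/2019 14:16:13.369:244) : contid=123452,123451
type=PROCTITLE msg=audit(2018-06-06 12:50:00.000:26960) : proctitle=sh -c echo contid=999
"""


def field(body, name):
    """Return the value of name=... in a record body, or None.

    The lookbehind keeps "contid" from matching inside "old-contid".
    """
    m = re.search(r"(?<![\w-])" + re.escape(name) + r"=(\S+)", body)
    return m.group(1) if m else None


def to_contid(text):
    """Convert a decimal contid string to int; unset or malformed gives None."""
    if text is None or not text.isdigit():
        return None
    value = int(text)
    return None if value == CONTID_UNSET else value


def correlate(log_text):
    """Group records by event id (timestamp, serial) and attach container data.

    contids:     identifiers listed by the event's CONTAINER_ID record(s),
                 which may be a comma-separated list for netns events.
    assignments: label changes announced by CONTAINER_OP records; these name
                 the target task (opid), not the task that made the change.
    """
    events = {}
    for line in log_text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # not an audit record line
        eid = (m["stamp"], int(m["serial"]))
        ev = events.setdefault(
            eid, {"types": [], "contids": (), "assignments": [], "key": None}
        )
        rtype, body = m["type"], m["body"]
        ev["types"].append(rtype)
        if rtype == "CONTAINER_ID":
            ids = (field(body, "contid") or "").split(",")
            found = {int(i) for i in ids if i.isdigit()}
            ev["contids"] = tuple(sorted(set(ev["contids"]) | found))
        elif rtype == "CONTAINER_OP":
            opid = field(body, "opid")
            ev["assignments"].append({
                "op": field(body, "op"),
                "opid": int(opid) if opid and opid.isdigit() else None,
                "old": to_contid(field(body, "old-contid")),
                "new": to_contid(field(body, "contid")),
            })
        elif rtype == "SYSCALL":
            ev["key"] = field(body, "key")
        # Other record types are never searched for contid=.
    return events


def events_in_container(events, contid):
    """Return the sorted ids of events whose CONTAINER_ID record lists contid."""
    return sorted(eid for eid, ev in events.items() if contid in ev["contids"])


if __name__ == "__main__":
    for eid, ev in correlate(SAMPLE).items():
        print(eid, ev["types"], ev["contids"], ev["assignments"], ev["key"])
```
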
Alpha and IA64 processors
by Steve Grubb
Hello,
Are there any objections to dropping support for the Alpha and IA64
processors in the master branch of audit user space? I would like to reduce
the maintenance burden and if no one is using these, I'll delete them on May
24.
Thanks,
-Steve
5 years, 7 months
[PATCH ghak90 V6] fixup! audit: add containerid filtering
by Richard Guy Briggs
Remove the BUG() call since we will never have an invalid op value as
audit_data_to_entry()/audit_to_op() ensure that the op value is a
known good value.
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
kernel/auditfilter.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 407b5bb3b4c6..385a114a1254 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -1244,7 +1244,6 @@ int audit_comparator64(u64 left, u32 op, u64 right)
case Audit_bittest:
return ((left & right) == right);
default:
- BUG();
return 0;
}
}
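Review bot: with `BUG();` gone, the `default:` arm of audit_comparator64() is a bare `return 0;` with nothing in the code saying why it cannot be reached. A one-line comment in that arm naming audit_data_to_entry()/audit_to_op() as the place the op is validated would keep the reasoning from the commit message next to the code.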
--
1.8.3.1
5 years, 7 months
[PATCH ghau93 v1] add support to filter on sockaddr family
by Richard Guy Briggs
Provide a method to filter on network address family.
This adds support for the kernel filter for sockaddr family,
AUDIT_SADDR_FAM, adding the command line option "saddr_fam" to auditctl.
See: https://github.com/linux-audit/audit-kernel/issues/64
See: https://github.com/linux-audit/audit-userspace/issues/93
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
lib/errormsg.h | 2 ++
lib/fieldtab.h | 1 +
lib/libaudit.c | 6 ++++++
lib/libaudit.h | 3 +++
4 files changed, 12 insertions(+)
diff --git a/lib/errormsg.h b/lib/errormsg.h
index fd8c4a4b1311..fc03b2475034 100644
--- a/lib/errormsg.h
+++ b/lib/errormsg.h
@@ -70,6 +70,7 @@ struct msg_tab {
#define EAU_FIELDUNAVAIL 34
#define EAU_FILTERNOSUPPORT 35
#define EAU_FSTYPEUNKNOWN 36
+#define EAU_FIELDVALTOOBIG 37
static const struct msg_tab err_msgtab[] = {
{ -EAU_OPMISSING, 2, "-F missing operation for" },
{ -EAU_FIELDUNKNOWN, 2, "-F unknown field:" },
@@ -107,5 +108,6 @@ static const struct msg_tab err_msgtab[] = {
{ -EAU_FIELDUNAVAIL, 1, "field is not valid for the filter" },
{ -EAU_FILTERNOSUPPORT, 1, "filter is not supported by the kernel" },
{ -EAU_FSTYPEUNKNOWN, 2, "file system type is unknown for field:" },
+ { -EAU_FIELDVALTOOBIG, 2, "value is too large for field:" },
};
#endif
diff --git a/lib/fieldtab.h b/lib/fieldtab.h
index c425d5b86049..b597cafb2df8 100644
--- a/lib/fieldtab.h
+++ b/lib/fieldtab.h
@@ -69,3 +69,4 @@ _S(AUDIT_ARG3, "a3" )
_S(AUDIT_FILTERKEY, "key" )
_S(AUDIT_EXE, "exe" )
+_S(AUDIT_SADDR_FAM, "saddr_fam" )
diff --git a/lib/libaudit.c b/lib/libaudit.c
index 2af017a0e520..2e4b148edde9 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -40,6 +40,7 @@
#include <limits.h> /* for PATH_MAX */
#include <sys/stat.h>
#include <sys/types.h>
+#include <sys/socket.h> /* AF_MAX */
#ifdef HAVE_LIBCAP_NG
#include <cap-ng.h>
#endif
@@ -1742,6 +1743,11 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
else if (strcmp(v, "unset") == 0)
rule->values[rule->field_count] = 4294967295;
break;
+ case AUDIT_SADDR_FAM:
+ rule->values[rule->field_count] = strtoul(v, NULL, 0);
+ if (rule->values[rule->field_count] >= AF_MAX)
+ return -EAU_FIELDVALTOOBIG;
+ break;
case AUDIT_DEVMAJOR...AUDIT_INODE:
case AUDIT_SUCCESS:
if (flags != AUDIT_FILTER_EXIT)
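Review bot: in the new `case AUDIT_SADDR_FAM:` arm, `strtoul(v, NULL, 0)` is called with a NULL end pointer, so a non-numeric or partly numeric value is not rejected: text with no leading digits parses as 0 and passes the `>= AF_MAX` check. The range check also runs on the value after it has been stored in `rule->values[]` rather than on the `unsigned long` that strtoul() returned. Suggest parsing into a local with an end pointer and `errno` check, rejecting input that has no digits or trailing characters, and range-checking the local before assigning it.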
diff --git a/lib/libaudit.h b/lib/libaudit.h
index 77e4142beea2..89fe4839a69b 100644
--- a/lib/libaudit.h
+++ b/lib/libaudit.h
@@ -356,6 +356,9 @@ extern "C" {
#ifndef AUDIT_EXE
#define AUDIT_EXE 112
#endif
+#ifndef AUDIT_SADDR_FAM
+#define AUDIT_SADDR_FAM 113
+#endif
#ifndef AUDIT_SESSIONID
#define AUDIT_SESSIONID 25
--
1.8.3.1
5 years, 7 months
[PATCH] audit: remove the BUG() calls in the audit rule comparison functions
by Paul Moore
The audit_data_to_entry() function ensures that the operator is valid
so we can get rid of these BUG() calls. We keep the "return 0" just
so the system behaves in a sane-ish manner should something go
horribly wrong.
Signed-off-by: Paul Moore <paul(a)paul-moore.com>
---
kernel/auditfilter.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index e69d136eeaf6..1a21b6aa50d1 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -1220,7 +1220,6 @@ int audit_comparator(u32 left, u32 op, u32 right)
case Audit_bittest:
return ((left & right) == right);
default:
- BUG();
return 0;
}
}
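Review bot: in audit_comparator() the `default:` arm now returns 0 silently, which for a filter comparison means "no match", so a rule carrying an unexpected op would simply never fire. Since the commit message keeps `return 0` for the case where "something go[es] horribly wrong", consider a one-time warning or at least a comment in that arm so the condition is visible rather than silent.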
@@ -1243,7 +1242,6 @@ int audit_uid_comparator(kuid_t left, u32 op, kuid_t right)
case Audit_bitmask:
case Audit_bittest:
default:
- BUG();
return 0;
}
}
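Review bot: in audit_uid_comparator() the explicit `case Audit_bitmask:` and `case Audit_bittest:` labels fall into `default:` and, with `BUG();` removed, now just return 0. A short comment stating that these two operators are not supported for uid comparisons would explain why they are listed at all; the audit_gid_comparator() hunk has the same shape and would benefit from the same comment.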
@@ -1266,7 +1264,6 @@ int audit_gid_comparator(kgid_t left, u32 op, kgid_t right)
case Audit_bitmask:
case Audit_bittest:
default:
- BUG();
return 0;
}
}
5 years, 7 months
Missing login records - Audit functionality in different kernel versions
by Róbert Nagy
Hello all,
I tested Audit on a Debian 7 (kernel version 3.2.0-5-amd64), but in the audit.log I get no USER_AUTH, USER_ACCT, CRED_ACQ, USER_START and USER_LOGIN record types at all, only USER_LOGIN types.
As I understand these records should be there without any rules set.
https://www.redhat.com/archives/linux-audit/2017-July/msg00046.html
On another server with kernel version 4.9 it works properly. Is there a possibility that this Audit functionality is not implemented in kernel version 3.2, or is this just a configuration issue on my side?
We have too many Debian 3.x production servers to consider kernel upgrade being an option.
If it's a kernel issue, could you please recommend any workaround? Currently I am thinking of parsing the auth.log.
Many thanks,
Robert
auditd.conf:
log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
priority_boost = 4
flush = INCREMENTAL
freq = 20
num_logs = 4
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
##name = mydomain
max_log_file = 5
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
##tcp_listen_port =
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key
5 years, 7 months
Segmentation fault in aureport's safe_print_string()
by Zephyr Pellerin
While running `aureport -tm', I received a segmentation fault. I won't be
able to attach the core dump, but I've tried to include rudimentary information
about the crash.
- Backtrace
#0 0x00007ff3d7bbf8a1 in __strlen_avx2 () from /lib64/libc.so.6
#1 0x000055b44a62f304 in safe_print_string ()
#2 0x000055b44a62dbd6 in print_per_event_item ()
#3 0x000055b44a62c709 in per_event_processing ()
#4 0x000055b44a62184c in process_log_fd ()
#5 0x000055b44a621c78 in process_logs ()
#6 0x000055b44a621597 in main ()
- Base registers
rax 0xd 13
rbx 0x0 0
rcx 0x0 0
rdx 0x0 0
rsi 0x0 0
rdi 0x0 0
rbp 0x0 0x0
rsp 0x7ffff261b748 0x7ffff261b748
r8 0x7ff3d7be37f7 140685273348087
r9 0x7ff3d7bdd0a0 140685273321632
r10 0x0 0
r11 0x7ff3d7bdd120 140685273321760
r12 0x0 0
r13 0x7ffff261b910 140737259878672
r14 0x7ffff261b8e0 140737259878624
r15 0x55b44c570a10 94232863246864
rip 0x7ff3d7bbf8a1 0x7ff3d7bbf8a1 <__strlen_avx2+17>
eflags 0x10283 [ CF SF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
- AVX registers
- (gdb) x/128x $rsp
5 years, 7 months
Linux (RHEL 7.6 with OSP 14) Bugs
by Amer Hwitat
Dears,
I have the following Bugs that crashed my VM, I reported it to RH, they
didn't answer, and banned my developer account, the Bug is when you disable
the network on RHEL with OSP 14 installed all in one, it crashes the
system, I had a 12GB RAM, with 8 CPUs on the VM, and I found out that this
crash report pissed off someone in RH, because they called me, and said
what do you want from me!!, what I need is a Simple reply, is this a bug or
not.
here is the problem:
[root@localhost network-scripts]# systemctl status network -l
● network.service - LSB: Bring up/down networking
Loaded: loaded (/etc/rc.d/init.d/network; bad; vendor preset: disabled)
Active: failed (Result: exit-code) since Sat 2019-01-19 03:47:01 EST;
21s ago
Docs: man:systemd-sysv-generator(8)
Process: 86319 ExecStop=/etc/rc.d/init.d/network stop (code=exited,
status=0/SUCCESS)
Process: 86591 ExecStart=/etc/rc.d/init.d/network start (code=exited,
status=1/FAILURE)
Tasks: 0
Jan 19 03:47:01 localhost.localdomain dhclient[86963]: Please report for
this software via the Red Hat Bugzilla site:
Jan 19 03:47:01 localhost.localdomain dhclient[86963]:
http://bugzilla.redhat.com
Jan 19 03:47:01 localhost.localdomain dhclient[86963]: ution.
Jan 19 03:47:01 localhost.localdomain dhclient[86963]: exiting.
Jan 19 03:47:01 localhost.localdomain network[86591]: failed.
Jan 19 03:47:01 localhost.localdomain network[86591]: [FAILED]
Jan 19 03:47:01 localhost.localdomain systemd[1]: network.service: control
process exited, code=exited status=1
Jan 19 03:47:01 localhost.localdomain systemd[1]: Failed to start LSB:
Bring up/down networking.
Jan 19 03:47:01 localhost.localdomain systemd[1]: Unit network.service
entered failed state.
Jan 19 03:47:01 localhost.localdomain systemd[1]: network.service failed.
[root@localhost network-scripts]#
[root@localhost log]#
Message from syslogd@localhost at Jan 23 02:23:31 ...
kernel:NMI watchdog: BUG: soft lockup - CPU#3 stuck for 22s!
[ovsdb-server:10088]
[root@amer network-scripts]#
Message from syslogd@amer at Jan 27 12:46:38 ...
kernel:NMI watchdog: BUG: soft lockup - CPU#0 stuck for 22s!
[nova-api:102738]
Message from syslogd@amer at Jan 27 19:26:19 ...
kernel:NMI watchdog: BUG: soft lockup - CPU#5 stuck for 26s! [swapper/5:0]
Message from syslogd@amer at Jan 27 19:26:19 ...
kernel:NMI watchdog: BUG: soft lockup - CPU#1 stuck for 27s!
[dmeventd:71548]
Message from syslogd@amer at Jan 27 19:27:30 ...
kernel:NMI watchdog: BUG: soft lockup - CPU#5 stuck for 22s!
[6_scheduler:64928]
Message from syslogd@amer at Jan 27 19:31:25 ...
kernel:NMI watchdog: BUG: soft lockup - CPU#5 stuck for 22s!
[ksoftirqd/5:34]
Message from syslogd@amer at Jan 27 19:32:42 ...
kernel:NMI watchdog: BUG: soft lockup - CPU#3 stuck for 33s!
[swift-object-up:11358]
Message from syslogd@amer at Jan 27 19:33:55 ...
kernel:NMI watchdog: BUG: soft lockup - CPU#3 stuck for 24s!
[dmeventd:71548]
Message from syslogd@amer at Jan 27 19:34:25 ...
kernel:NMI watchdog: BUG: soft lockup - CPU#2 stuck for 65s!
[kworker/2:0:59993]
Message from syslogd@amer at Jan 27 19:37:50 ...
kernel:NMI watchdog: BUG: soft lockup - CPU#2 stuck for 24s!
[kworker/u256:3:8447]
Message from syslogd@amer at Jan 27 19:37:50 ...
kernel:NMI watchdog: BUG: soft lockup - CPU#5 stuck for 22s!
[ksoftirqd/5:34]
Message from syslogd@amer at Jan 27 19:37:51 ...
kernel:NMI watchdog: BUG: soft lockup - CPU#0 stuck for 21s!
[systemd:11968]
The CPU has been disabled by the guest operating system. Power off or reset
the virtual machine.
snapshots attached
[image: Red Hat Enterprise Linux 7 64-bit (2)-2019-01-28-03-57-27.png]
[image: Red Hat Enterprise Linux 7 64-bit (2)-2019-01-28-04-26-41.png]
[image: working solution.JPG]
the last snapshot is from a successful installation of OSP 14 that
specifically says that Kernel is not compatible with Firmware (Bios).
I didn't test on Debian flavors but I think it's the same, the problem is
with RabbitMQ heart beats, when the server is disconnected it times out
causing this problem of kernel loop.
Thanks and Best regards
Amer
5 years, 7 months
[PATCH ghak114 V1] audit: enforce op for string fields
by Richard Guy Briggs
The field operator is ignored on several string fields. WATCH, DIR,
PERM and FILETYPE field operators are completely ignored and meaningless
since the op is not referenced in audit_filter_rules(). Range and
bitwise operators are already addressed in ghak73.
Honour the operator for WATCH, DIR, PERM, FILETYPE fields as is done in
the EXE field.
Please see github issue
https://github.com/linux-audit/audit-kernel/issues/114
---
kernel/auditsc.c | 18 +++++++++++++++---
1 file changed, 15 insertions(+), 3 deletions(-)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 30aa07b0115f..087137d341a2 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -601,12 +601,20 @@ static int audit_filter_rules(struct task_struct *tsk,
}
break;
case AUDIT_WATCH:
- if (name)
- result = audit_watch_compare(rule->watch, name->ino, name->dev);
+ if (name) {
+ result = audit_watch_compare(rule->watch,
+ name->ino,
+ name->dev);
+ if (f->op == Audit_not_equal)
+ result = !result;
+ }
break;
case AUDIT_DIR:
- if (ctx)
+ if (ctx) {
result = match_tree_refs(ctx, rule->tree);
+ if (f->op == Audit_not_equal)
+ result = !result;
+ }
break;
case AUDIT_LOGINUID:
result = audit_uid_comparator(audit_get_loginuid(tsk),
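Review bot: in the AUDIT_WATCH and AUDIT_DIR arms the `if (f->op == Audit_not_equal)` inversion sits inside the `if (name)` / `if (ctx)` block, so when `name` or `ctx` is NULL a not-equal rule keeps whatever `result` held on entry, while the PERM and FILETYPE arms later in this patch invert unconditionally. If a `!=` rule is meant to match when there is nothing to compare against, move the inversion outside the guard; if not, a brief comment stating that choice would avoid the question.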
@@ -684,9 +692,13 @@ static int audit_filter_rules(struct task_struct *tsk,
break;
case AUDIT_PERM:
result = audit_match_perm(ctx, f->val);
+ if (f->op == Audit_not_equal)
+ result = !result;
break;
case AUDIT_FILETYPE:
result = audit_match_filetype(ctx, f->val);
+ if (f->op == Audit_not_equal)
+ result = !result;
break;
case AUDIT_FIELD_COMPARE:
result = audit_field_compare(tsk, cred, f, ctx, name);
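Review bot: the pair `if (f->op == Audit_not_equal)` / `result = !result;` added under AUDIT_PERM and AUDIT_FILETYPE is now repeated four times across this patch, and every operator other than Audit_not_equal is still treated as equality. A small helper taking `f->op` and the raw match result would keep the four sites consistent, and a comment noting that range and bitwise operators are rejected elsewhere (the commit message points to ghak73) would make the two-way handling clearly intentional.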
--
1.8.3.1
5 years, 7 months