[PATCH v4 0/3] audit: add support for openat2
by Richard Guy Briggs
The openat2(2) syscall was added in v5.6. Add support for openat2 to the
audit syscall classifier and for recording openat2 parameters that cannot
be captured in the syscall parameters of the SYSCALL record.
Supporting userspace code can be found in
https://github.com/rgbriggs/audit-userspace/tree/ghau-openat2
A supporting test case can be found in
https://github.com/linux-audit/audit-testsuite/pull/103
Changelog:
v4:
- change filename include/linux/auditscm.h to auditsc_classmacros.h to avoid socket association
v3:
- re-add commit descriptions that somehow got dropped
- add new file to MAINTAINERS
v2:
- add include/linux/auditscm.h for audit syscall class macros due to syscall redefinition warnings:
arch/x86/ia32/audit.c:3:
./include/linux/audit.h:12,
./include/linux/sched.h:22,
./include/linux/seccomp.h:21,
./arch/x86/include/asm/seccomp.h:5,
./arch/x86/include/asm/unistd.h:20,
./arch/x86/include/generated/uapi/asm/unistd_64.h:4: warning: "__NR_read" redefined #define __NR_read 0
...
./arch/x86/include/generated/uapi/asm/unistd_64.h:338: warning: "__NR_rseq" redefined #define __NR_rseq 334
previous:
arch/x86/ia32/audit.c:2:
./arch/x86/include/generated/uapi/asm/unistd_32.h:7: note: this is the location of the previous definition #define __NR_read 3
...
./arch/x86/include/generated/uapi/asm/unistd_32.h:386: note: this is the location of the previous definition #define __NR_rseq 386
Richard Guy Briggs (3):
audit: replace magic audit syscall class numbers with macros
audit: add support for the openat2 syscall
audit: add OPENAT2 record to list how
MAINTAINERS | 1 +
arch/alpha/kernel/audit.c | 10 ++++++----
arch/ia64/kernel/audit.c | 10 ++++++----
arch/parisc/kernel/audit.c | 10 ++++++----
arch/parisc/kernel/compat_audit.c | 11 ++++++----
arch/powerpc/kernel/audit.c | 12 ++++++-----
arch/powerpc/kernel/compat_audit.c | 13 +++++++-----
arch/s390/kernel/audit.c | 12 ++++++-----
arch/s390/kernel/compat_audit.c | 13 +++++++-----
arch/sparc/kernel/audit.c | 12 ++++++-----
arch/sparc/kernel/compat_audit.c | 13 +++++++-----
arch/x86/ia32/audit.c | 13 +++++++-----
arch/x86/kernel/audit_64.c | 10 ++++++----
fs/open.c | 2 ++
include/linux/audit.h | 11 ++++++++++
include/linux/auditsc_classmacros.h | 24 ++++++++++++++++++++++
include/uapi/linux/audit.h | 1 +
kernel/audit.h | 2 ++
kernel/auditsc.c | 31 +++++++++++++++++++++++------
lib/audit.c | 14 ++++++++-----
lib/compat_audit.c | 15 +++++++++-----
21 files changed, 169 insertions(+), 71 deletions(-)
create mode 100644 include/linux/auditsc_classmacros.h
--
2.27.0
2 years, 8 months
Re: Maximum Value for q_depth
by Amjad Gabbar
Got it. Makes sense to me. Thanks for the explanation Steve.
One last thing though based on the discussion we had, if the kernel is able
to offload events even during bursts, wouldn’t setting q_depth
=backlog_limit be enough?
The reason being: if there were an overflow on the kernel side, a different
message would be printed in the logs, but because these are all dispatch errors,
I assume the kernel is able to handle the burst, which is the reasoning behind
increasing q_depth to backlog_limit.
Thanks
Amjad
On Wed, Dec 8, 2021 at 4:38 PM Steve Grubb <sgrubb(a)redhat.com> wrote:
> On Wednesday, December 8, 2021 4:54:18 PM EST Amjad Gabbar wrote:
> > 1. The version of auditd is 1:2.8.4-3 and the plugins are af_unix.conf and
> > syslog.conf for audisp. The q_depth is currently set to 80 and I think it
> > calls for an increase but not sure if there is a way to figure out what the
> > proper number would be?
>
> There is no good calculation that I can give you. It depends on the average
> rate of incoming events and the rate that they can be offloaded to the plugins
> + some margin in case there is a burst. Looking at the 2.8.5 code, the
> default is 250.
>
> https://github.com/linux-audit/audit-userspace/blob/2.8_maintenance/init.d/audispd.conf
>
> So, you should at least set it that high. Maybe a bit higher.
>
> > 2. Another thing I would like to follow up on is the difference between
> > q_depth and backlog_limit. My assumption was if there is any drop due to a
> > burst of events it would be addressed by the backlog limit. Just would like
> > some clarification on this and how this is an event dispatcher issue?
>
> The backlog limit is inside the kernel. This is the buffer that holds events
> that are waiting for the audit daemon to offload them. Once the audit daemon
> has them, it sends them to the dispatcher, which also buffers events because
> not all plugins are able to receive the events as soon as they arrive at the
> dispatcher.
>
> So, for brief bursts, the kernel backlog will handle the load. But once they
> are pulled out of the kernel, the q_depth controls how much to hold waiting
> for plugins. If this number needs to increase much, then the plugins are
> having problems. The syslog plugin should be fine. I'd look more at the
> af_unix plugin. The client that attaches to it needs to unload events
> quickly. I'd investigate the af_unix client to see if it's the problem.
>
> Cheers,
> -Steve
2 years, 9 months
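The two-stage picture in Steve's reply (kernel backlog bounded by backlog_limit, auditd pulling events out, a dispatcher queue bounded by q_depth, plugins draining it) can be checked with a small queueing model. The model below is an added example, not code from auditd, the kernel, or anyone on the list; the tick rates, arrival patterns and limits (80, 250, 300, 2000, 8192) are chosen for illustration and are not daemon defaults apart from the 80 and 250 mentioned in the thread. It counts losses separately for the kernel side and the dispatcher side, which is the distinction Amjad draws between a kernel overflow message and dispatch errors.

```python
"""Constructed two-stage model of the audit event path (added illustration).

  producer -> kernel backlog (bounded by backlog_limit)
           -> auditd pulls a batch per tick
           -> dispatcher queue (bounded by q_depth)
           -> slowest plugin drains the queue per tick

Events arriving at a full stage are counted as lost at that stage.
"""
from dataclasses import dataclass


@dataclass
class PipelineStats:
    kernel_lost: int = 0    # dropped because the kernel backlog was full
    dispatch_lost: int = 0  # dropped because the dispatcher queue was full
    delivered: int = 0      # consumed by the plugin
    max_backlog: int = 0    # peak kernel backlog occupancy
    max_queue: int = 0      # peak dispatcher queue occupancy


def simulate(arrivals, backlog_limit, q_depth, auditd_rate, plugin_rate):
    """Run one tick per entry of `arrivals` (events generated in that tick).

    auditd_rate: events auditd can pull from the kernel per tick (assumed).
    plugin_rate: events the slowest plugin accepts per tick (assumed).
    """
    backlog = queue = 0
    st = PipelineStats()
    for n in arrivals:
        # Kernel side: accept up to backlog_limit, drop the rest.
        accepted = min(n, backlog_limit - backlog)
        st.kernel_lost += n - accepted
        backlog += accepted
        st.max_backlog = max(st.max_backlog, backlog)

        # auditd pulls a batch out of the kernel and hands it to the
        # dispatcher, which holds at most q_depth events; the rest is a
        # dispatch error.
        pulled = min(backlog, auditd_rate)
        backlog -= pulled
        queued = min(pulled, q_depth - queue)
        st.dispatch_lost += pulled - queued
        queue += queued
        st.max_queue = max(st.max_queue, queue)

        # The plugin drains what it can this tick.
        consumed = min(queue, plugin_rate)
        queue -= consumed
        st.delivered += consumed
    return st


def run_burst(q_depth):
    """Short burst; the plugin keeps up on average, so q_depth decides the loss."""
    return simulate([600] + [0] * 9, backlog_limit=8192, q_depth=q_depth,
                    auditd_rate=300, plugin_rate=300)


def run_sustained(q_depth):
    """Sustained 100 events/tick against a plugin that only takes 50/tick."""
    return simulate([100] * 20, backlog_limit=8192, q_depth=q_depth,
                    auditd_rate=100, plugin_rate=50)


def run_kernel_overflow():
    """Burst larger than backlog_limit: the loss is on the kernel side."""
    return simulate([20000] + [0] * 5, backlog_limit=8192, q_depth=300,
                    auditd_rate=300, plugin_rate=300)


if __name__ == "__main__":
    for d in (80, 300):
        print(f"burst     q_depth={d:5d}: {run_burst(d)}")
    for d in (80, 250, 2000):
        print(f"sustained q_depth={d:5d}: {run_sustained(d)}")
    print(f"kernel overflow: {run_kernel_overflow()}")
```

In the burst run, raising q_depth from 80 to 300 removes the dispatch errors entirely. In the sustained run, raising it from 80 to 250 to 2000 only moves the loss later: the number of events delivered stays at 1000 for all three, because the plugin's drain rate is the bottleneck, which is the situation Steve describes when q_depth "needs to increase much". The kernel-overflow run shows that a burst exceeding backlog_limit is lost before auditd ever sees it, so it cannot be addressed by q_depth.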
[PATCH v2 0/7] pid: Introduce helper task_is_in_root_ns()
by Leo Yan
The kernel uses open code in several places to check whether a process is in
the root PID namespace.
As suggested by Suzuki, this patch set creates a helper function
task_is_in_init_pid_ns() to replace that open code.
This patch set has been applied on the mainline kernel and built for an
Arm64 kernel with all relevant modules enabled.
Changes from v1:
* Renamed helper function from task_is_in_root_ns() to
task_is_in_init_pid_ns(). (Leon Romanovsky)
* Improved the patches' commit logs to read more neatly.
Leo Yan (7):
pid: Introduce helper task_is_in_init_pid_ns()
coresight: etm3x: Use task_is_in_init_pid_ns()
coresight: etm4x: Use task_is_in_init_pid_ns()
connector/cn_proc: Use task_is_in_init_pid_ns()
coda: Use task_is_in_init_pid_ns()
audit: Use task_is_in_init_pid_ns()
taskstats: Use task_is_in_init_pid_ns()
drivers/connector/cn_proc.c | 2 +-
drivers/hwtracing/coresight/coresight-etm3x-sysfs.c | 8 ++++----
drivers/hwtracing/coresight/coresight-etm4x-sysfs.c | 8 ++++----
fs/coda/inode.c | 2 +-
fs/coda/psdev.c | 2 +-
include/linux/pid_namespace.h | 5 +++++
kernel/audit.c | 2 +-
kernel/taskstats.c | 2 +-
8 files changed, 18 insertions(+), 13 deletions(-)
--
2.25.1
2 years, 9 months
[RFC PATCH v1] audit: log AUDIT_TIME_* records only from rules
by Richard Guy Briggs
AUDIT_TIME_* events are generated when there are syscall rules present that are
not related to time keeping. This will produce noisy log entries that could
flood the logs and hide events we really care about.
Rather than immediately produce the AUDIT_TIME_* records, store the data and
log it at syscall exit time respecting the filter rules.
Please see https://bugzilla.redhat.com/show_bug.cgi?id=1991919
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
Note: This is a quick and dirty proof-of-concept. If this approach of
storing the values in the audit_context for later filtering is
acceptable I'll clean up the patch (re-name functions) and re-submit.
kernel/audit.h | 6 ++++++
kernel/auditsc.c | 29 +++++++++++++++++++++++++----
2 files changed, 31 insertions(+), 4 deletions(-)
diff --git a/kernel/audit.h b/kernel/audit.h
index 3b64a97f6091..25d63731b0e0 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -196,6 +196,12 @@ struct audit_context {
struct {
char *name;
} module;
+ struct {
+ struct audit_ntp_data data;
+ } ntp;
+ struct {
+ struct timespec64 injoffset;
+ } tk;
};
int fds[2];
struct audit_proctitle proctitle;
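Review bot: the two new union members each wrap a single field (`struct { struct audit_ntp_data data; } ntp;` and `struct { struct timespec64 injoffset; } tk;`), which follows the existing `module` pattern, but nothing in the hunk records that `context->type` is what selects the live member; a short comment on the union saying that `tk` is valid only for AUDIT_TIME_INJOFFSET and `ntp` only for AUDIT_TIME_ADJNTPVAL would help the next reader, since the two share storage with each other and with the existing members.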
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 6efb0bb909d0..8983790ad86a 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1210,11 +1210,18 @@ static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name)
from_kuid(&init_user_ns, name->fcap.rootid));
}
+void __audit_ntp_log_(const struct audit_ntp_data *ad);
+
static void show_special(struct audit_context *context, int *call_panic)
{
struct audit_buffer *ab;
int i;
+ if (context->type == AUDIT_TIME_ADJNTPVAL) {
+ __audit_ntp_log_(&context->ntp.data);
+ return;
+ }
+
ab = audit_log_start(context, GFP_KERNEL, context->type);
if (!ab)
return;
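Review bot: the forward declaration `void __audit_ntp_log_(const struct audit_ntp_data *ad);` dropped into the middle of auditsc.c declares a non-static function that is used only in this file; either move the definition above show_special() and make it `static`, or put the prototype in kernel/audit.h next to the other context helpers. The early `return` for AUDIT_TIME_ADJNTPVAL is fine as written only because the callee does its own audit_log_start()/audit_log_end() through audit_log(); worth a one-line comment so nobody later adds code after the `switch` expecting it to run for this type.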
@@ -1324,6 +1331,11 @@ static void show_special(struct audit_context *context, int *call_panic)
audit_log_format(ab, "(null)");
break;
+ case AUDIT_TIME_INJOFFSET:
+ audit_log_format(ab, "sec=%lli nsec=%li",
+ (long long)context->tk.injoffset.tv_sec,
+ context->tk.injoffset.tv_nsec);
+ break;
}
audit_log_end(ab);
}
@@ -2571,9 +2583,18 @@ void __audit_fanotify(unsigned int response)
void __audit_tk_injoffset(struct timespec64 offset)
{
- audit_log(audit_context(), GFP_KERNEL, AUDIT_TIME_INJOFFSET,
- "sec=%lli nsec=%li",
- (long long)offset.tv_sec, offset.tv_nsec);
+ struct audit_context *context = audit_context();
+
+ context->type = AUDIT_TIME_INJOFFSET;
+ memcpy(&context->tk.injoffset, &offset, sizeof(offset));
+}
+
+void __audit_ntp_log(const struct audit_ntp_data *ad)
+{
+ struct audit_context *context = audit_context();
+
+ context->type = AUDIT_TIME_ADJNTPVAL;
+ memcpy(&context->ntp.data, ad, sizeof(*ad));
}
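Review bot: both setters assign `context->type` and the union member unconditionally, so when one syscall triggers both records (adjtimex with ADJ_SETOFFSET calls audit_tk_injoffset() and then audit_ntp_log() in the same call) the AUDIT_TIME_ADJNTPVAL write overwrites the pending AUDIT_TIME_INJOFFSET and that record is never emitted; the same clobbering applies to any other `type` already pending in the union for that syscall. Either keep both payloads outside the union with their own "pending" flags and emit each at exit, or at least check `context->type` before overwriting. Minor: `memcpy(&context->tk.injoffset, &offset, sizeof(offset))` and `memcpy(&context->ntp.data, ad, sizeof(*ad))` are plain struct copies and read better as `context->tk.injoffset = offset;` and `context->ntp.data = *ad;`.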
static void audit_log_ntp_val(const struct audit_ntp_data *ad,
@@ -2588,7 +2609,7 @@ static void audit_log_ntp_val(const struct audit_ntp_data *ad,
"op=%s old=%lli new=%lli", op, val->oldval, val->newval);
}
-void __audit_ntp_log(const struct audit_ntp_data *ad)
+void __audit_ntp_log_(const struct audit_ntp_data *ad)
{
audit_log_ntp_val(ad, "offset", AUDIT_NTP_OFFSET);
audit_log_ntp_val(ad, "freq", AUDIT_NTP_FREQ);
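Review bot: renaming the real logger to `__audit_ntp_log_` leaves a public-looking symbol whose only caller is via the ad hoc forward declaration earlier in this file; once the approach is settled (the cover note already promises a rename), make this function `static` with a descriptive name such as one ending in `_emit`, and keep `__audit_ntp_log()` as the name include/linux/audit.h already declares so the header prototype needs no change.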
--
2.27.0
2 years, 9 months
[PATCH -next 0/1] audit: ignore userspace log when backlog limit exceeded and backlog_wait_time is 0
by luhuaxin
The audit backlog overflow is an actual problem in our system. We set
the backlog_wait_time to 0 to improve OS performance. Therefore,
under the impact of a large number of audit logs produced by sudo, the
backlog in the buffer will greatly exceed backlog_limit.
When the backlog exceeds the backlog_limit and backlog_wait_time is set
to 0, the process will only sleep for a very short time (jiffies). The
backlog may still exceed backlog_limit in extreme cases.
The more reasonable way to fix this problem is:
1. If backlog_wait_time is set to zero, ignore the log;
2. If backlog_wait_time is set to non-zero, let the process sleep for
backlog_wait_time.
The above log limit logic is also the same as that in the existing
audit_log_start function.
This may not be a perfect solution; further discussion may be
necessary.
luhuaxin (1):
audit: ignore userspace log when backlog limit exceeded and
backlog_wait_time is 0
kernel/audit.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
--
2.23.0
2 years, 10 months
Re: [PATCH 1/1] Smack:- Fix the issue of wrong info printed in ptrace error logs
by Casey Schaufler
On 12/20/2021 2:13 AM, Vishal Goel wrote:
> Currently the tracer process info is printed in the object field in the
> smack error log for the ptrace check, which is wrong.
> The object process should print the tracee process info.
> Tracee info is not printed in the smack error logs,
> so it is not possible to debug ptrace smack issues.
>
> Now changes have been done to print both tracer and tracee
> process info in smack error logs for ptrace scenarios.
>
> Old logs:-
> [ 378.098330] audit: type=1400 audit(1637212273.300:2): lsm=SMACK fn=smack_ptrace_access_check action=denied subject="Tracer_lbl" object="Tracee_lbl" requested= pid=9397 comm="tst_pt" opid=9397 ocomm="tst_pt"
> [ 520.261605] audit: type=1400 audit(1637212415.464:3): lsm=SMACK fn=smack_ptrace_traceme action=denied subject="Tracer_lbl" object="Tracee_lbl" requested= pid=12685 comm="tst_pt_me" opid=12563 ocomm="bash"
> [ 1445.259319] audit: type=1400 audit(1637213340.460:5): lsm=SMACK fn=smack_bprm_set_creds action=denied subject="Tracer_lbl" object="Tracee_lbl" requested= pid=1778 comm="tst_bprm" opid=1776 ocomm="tst_bprm"
>
> New logs:-
> [ 378.098330] audit: type=1400 audit(1637212273.300:2): lsm=SMACK fn=smack_ptrace_access_check action=denied subject="Tracer_lbl" object="Tracee_lbl" requested= tracer-pid=5189 tracer-comm="tst_pt" pid=5189 comm="tst_pt" tracee-pid=962 tracee-comm="test_tracee"
> [ 520.261605] audit: type=1400 audit(1637212415.464:3): lsm=SMACK fn=smack_ptrace_traceme action=denied subject="Tracer_lbl" object="Tracee_lbl" requested= tracer-pid=6161 tracer-comm="bash" pid=6310 comm="tst_pt_me" tracee-pid=6310 tracee-comm="tst_pt_me"
> [ 1445.259319] audit: type=1400 audit(1637213340.460:5): lsm=SMACK fn=smack_bprm_set_creds action=denied subject="Tracer_lbl" object="Tracee_lbl" requested= tracer-pid=6435 tracer-comm="tst_bprm" pid=6436 comm="tst_bprm" tracee-pid=6436 tracee-comm="tst_bprm"
>
> Signed-off-by: Vishal Goel <vishal.goel(a)samsung.com>
Added linux-audit to the CC list.
> ---
> include/linux/lsm_audit.h | 1 +
> security/lsm_audit.c | 15 +++++++++++++++
> security/smack/smack.h | 19 +++++++++++++++++++
> security/smack/smack_access.c | 16 ++++++++++++++++
> security/smack/smack_lsm.c | 33 ++++++++++++++++++++++-----------
> 5 files changed, 73 insertions(+), 11 deletions(-)
>
> diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h
> index 17d02eda9..6d752ea16 100644
> --- a/include/linux/lsm_audit.h
> +++ b/include/linux/lsm_audit.h
> @@ -76,6 +76,7 @@ struct common_audit_data {
> #define LSM_AUDIT_DATA_IBENDPORT 14
> #define LSM_AUDIT_DATA_LOCKDOWN 15
> #define LSM_AUDIT_DATA_NOTIFICATION 16
> +#define LSM_AUDIT_DATA_PTRACE 17
> union {
> struct path path;
> struct dentry *dentry;
> diff --git a/security/lsm_audit.c b/security/lsm_audit.c
> index 1897cbf6f..069e0282c 100644
> --- a/security/lsm_audit.c
> +++ b/security/lsm_audit.c
> @@ -318,6 +318,21 @@ static void dump_common_audit_data(struct audit_buffer *ab,
> }
> break;
> }
> + case LSM_AUDIT_DATA_PTRACE: {
> + struct task_struct *tsk = a->u.tsk;
> + if (tsk) {
> + pid_t pid = task_tgid_nr(tsk);
> +
> + if (pid) {
> + char comm[sizeof(tsk->comm)];
> +
> + audit_log_format(ab, " tracee-pid=%d tracee-comm=", pid);
> + audit_log_untrustedstring(ab,
> + memcpy(comm, tsk->comm, sizeof(comm)));
> + }
> + }
> + break;
> + }
> case LSM_AUDIT_DATA_NET:
> if (a->u.net->sk) {
> const struct sock *sk = a->u.net->sk;
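Review bot: the new LSM_AUDIT_DATA_PTRACE case is a copy of the existing LSM_AUDIT_DATA_TASK body with only the key names changed (`tracee-pid=`/`tracee-comm=` instead of `pid=`/`comm=`); factor the pid/comm dump into a small static helper taking the key prefix and the task so the two cases (and the third copy in smack_access.c) share one implementation. Also, because the tracer is kept in Smack-private data and printed from smack_log_callback(), this generic case can only ever show the tracee; if LSM_AUDIT_DATA_PTRACE is meant to be usable by other LSMs, a dedicated union member holding both tracer and tracee would keep the record shape the same regardless of which LSM produced it.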
> diff --git a/security/smack/smack.h b/security/smack/smack.h
> index 99c342259..901228205 100644
> --- a/security/smack/smack.h
> +++ b/security/smack/smack.h
> @@ -266,6 +266,7 @@ struct smack_audit_data {
> char *object;
> char *request;
> int result;
> + struct task_struct *tracer_tsk;
> };
>
> /*
> @@ -497,6 +498,16 @@ static inline void smk_ad_setfield_u_net_sk(struct smk_audit_info *a,
> {
> a->a.u.net->sk = sk;
> }
> +static inline void smk_ad_setfield_u_tracer(struct smk_audit_info *a,
> + struct task_struct *t)
> +{
> + a->a.smack_audit_data->tracer_tsk = t;
> +}
> +static inline void smk_ad_setfield_u_tracee(struct smk_audit_info *a,
> + struct task_struct *t)
> +{
> + a->a.u.tsk = t;
> +}
>
> #else /* no AUDIT */
>
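Review bot: smk_ad_setfield_u_tracee() writes `a->a.u.tsk`, the same slot smk_ad_setfield_u_tsk() already fills, while smk_ad_setfield_u_tracer() goes to Smack-private `tracer_tsk`; the asymmetric names suggest two distinct fields, so either make the tracee setter a thin wrapper around smk_ad_setfield_u_tsk() or add a comment saying the tracee is deliberately placed where the generic LSM_AUDIT_DATA_PTRACE case in lsm_audit.c reads it.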
> @@ -524,6 +535,14 @@ static inline void smk_ad_setfield_u_net_sk(struct smk_audit_info *a,
> struct sock *sk)
> {
> }
> +static inline void smk_ad_setfield_u_tracer(struct smk_audit_info *a,
> + struct task_struct *t)
> +{
> +}
> +static inline void smk_ad_setfield_u_tracee(struct smk_audit_info *a,
> + struct task_struct *t)
> +{
> +}
> #endif
>
> #endif /* _SECURITY_SMACK_H */
> diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c
> index d2186e275..f39e3ac92 100644
> --- a/security/smack/smack_access.c
> +++ b/security/smack/smack_access.c
> @@ -323,6 +323,22 @@ static void smack_log_callback(struct audit_buffer *ab, void *a)
> audit_log_format(ab, " labels_differ");
> else
> audit_log_format(ab, " requested=%s", sad->request);
> +
> + if (ad->type == LSM_AUDIT_DATA_PTRACE) {
> + struct task_struct *tsk = sad->tracer_tsk;
> +
> + if (tsk) {
> + pid_t pid = task_tgid_nr(tsk);
> +
> + if (pid) {
> + char comm[sizeof(tsk->comm)];
> +
> + audit_log_format(ab, " tracer-pid=%d tracer-comm=", pid);
> + audit_log_untrustedstring(ab,
> + memcpy(comm, tsk->comm, sizeof(comm)));
> + }
> + }
> + }
> }
>
> /**
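Review bot: this block is the third copy of the "task_tgid_nr(), copy comm, audit_log_untrustedstring()" sequence (the other two are the TASK and PTRACE cases in lsm_audit.c); exporting one helper from lsm_audit.c that takes the key prefix would remove the duplication and keep the escaping rules in one place. The `if (tsk)` guard matters here because the bprm path sets `tracer_tsk` before checking `tracer != NULL`; a comment noting that a NULL tracer is expected would stop someone from "simplifying" the check away.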
> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
> index efd35b07c..47e8a9461 100644
> --- a/security/smack/smack_lsm.c
> +++ b/security/smack/smack_lsm.c
> @@ -416,20 +416,13 @@ static inline unsigned int smk_ptrace_mode(unsigned int mode)
> */
> static int smk_ptrace_rule_check(struct task_struct *tracer,
> struct smack_known *tracee_known,
> - unsigned int mode, const char *func)
> + unsigned int mode, struct smk_audit_info *saip)
> {
> int rc;
> - struct smk_audit_info ad, *saip = NULL;
> struct task_smack *tsp;
> struct smack_known *tracer_known;
> const struct cred *tracercred;
>
> - if ((mode & PTRACE_MODE_NOAUDIT) == 0) {
> - smk_ad_init(&ad, func, LSM_AUDIT_DATA_TASK);
> - smk_ad_setfield_u_tsk(&ad, tracer);
> - saip = &ad;
> - }
> -
> rcu_read_lock();
> tracercred = __task_cred(tracer);
> tsp = smack_cred(tracercred);
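Review bot: with the PTRACE_MODE_NOAUDIT check removed from smk_ptrace_rule_check(), every caller now owns that decision; smack_ptrace_access_check() keeps it, whereas smack_ptrace_traceme() and the bprm path build the audit info unconditionally, which matches the old behaviour only because they pass PTRACE_MODE_ATTACH without the NOAUDIT bit. State that contract in a comment on the new `saip` parameter (NULL means "do not audit"), and check the kernel-doc block whose closing `*/` is the first context line of this hunk: if it still describes `@func`, it needs to describe `@saip` instead.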
> @@ -480,10 +473,17 @@ static int smk_ptrace_rule_check(struct task_struct *tracer,
> static int smack_ptrace_access_check(struct task_struct *ctp, unsigned int mode)
> {
> struct smack_known *skp;
> + struct smk_audit_info ad, *saip = NULL;
>
> skp = smk_of_task_struct_obj(ctp);
> + if ((mode & PTRACE_MODE_NOAUDIT) == 0) {
> + smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PTRACE);
> + smk_ad_setfield_u_tracer(&ad, current);
> + smk_ad_setfield_u_tracee(&ad, ctp);
> + saip = &ad;
> + }
>
> - return smk_ptrace_rule_check(current, skp, mode, __func__);
> + return smk_ptrace_rule_check(current, skp, mode, saip);
> }
>
> /**
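Review bot: the common header emitted by dump_common_audit_data() already prints `pid=`/`comm=` for current, which in this hook is the tracer, so in the sample access_check log `tracer-pid=5189 tracer-comm="tst_pt"` repeats `pid=5189 comm="tst_pt"`, while in the traceme sample `pid=6310` is the tracee; the commit message should say explicitly that `pid=` keeps meaning "current" and that `tracer-pid`/`tracee-pid` are the role-specific fields, so log consumers do not infer roles from `pid=`.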
> @@ -498,10 +498,15 @@ static int smack_ptrace_traceme(struct task_struct *ptp)
> {
> int rc;
> struct smack_known *skp;
> + struct smk_audit_info ad, *saip = NULL;
>
> skp = smk_of_task(smack_cred(current_cred()));
> + smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PTRACE);
> + smk_ad_setfield_u_tracer(&ad, ptp);
> + smk_ad_setfield_u_tracee(&ad, current);
> + saip = &ad;
>
> - rc = smk_ptrace_rule_check(ptp, skp, PTRACE_MODE_ATTACH, __func__);
> + rc = smk_ptrace_rule_check(ptp, skp, PTRACE_MODE_ATTACH, saip);
> return rc;
> }
>
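Review bot: `struct smk_audit_info ad, *saip = NULL;` followed by an unconditional `saip = &ad;` is needless here; declare `ad` alone and pass `&ad` to smk_ptrace_rule_check(). The NULL-initialised pointer only makes sense in smack_ptrace_access_check(), where the assignment is conditional on PTRACE_MODE_NOAUDIT.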
> @@ -897,15 +902,21 @@ static int smack_bprm_creds_for_exec(struct linux_binprm *bprm)
>
> if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
> struct task_struct *tracer;
> + struct smk_audit_info ad, *saip = NULL;
> rc = 0;
>
> + smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PTRACE);
> + smk_ad_setfield_u_tracee(&ad, current);
> + saip = &ad;
> +
> rcu_read_lock();
> tracer = ptrace_parent(current);
> + smk_ad_setfield_u_tracer(&ad, tracer);
> if (likely(tracer != NULL))
> rc = smk_ptrace_rule_check(tracer,
> isp->smk_task,
> PTRACE_MODE_ATTACH,
> - __func__);
> + saip);
> rcu_read_unlock();
>
> if (rc != 0)
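Review bot: `smk_ad_setfield_u_tracer(&ad, tracer);` runs before the `if (likely(tracer != NULL))` check, so the audit info can carry a NULL tracer; smack_log_callback() tolerates that via its `if (tsk)` guard, but moving the setfield inside the NULL-checked branch makes the intent obvious and keeps the callback's guard from being the only thing preventing a NULL dereference. The same `*saip = NULL` then `saip = &ad` pattern as in traceme can be dropped here too.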
2 years, 10 months
[PATCH -next, v3 1/2] audit: use struct_size() helper in audit_[send|make]_reply()
by Xiu Jianfeng
Make use of struct_size() helper instead of an open-coded calculation.
Link: https://github.com/KSPP/linux/issues/160
Signed-off-by: Xiu Jianfeng <xiujianfeng(a)huawei.com>
---
kernel/audit.c | 2 +-
kernel/auditfilter.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index f33028578c60..7778eca34837 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1459,7 +1459,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
security_release_secctx(ctx, len);
}
audit_send_reply(skb, seq, AUDIT_SIGNAL_INFO, 0, 0,
- sig_data, sizeof(*sig_data) + len);
+ sig_data, struct_size(sig_data, ctx, len));
kfree(sig_data);
break;
case AUDIT_TTY_GET: {
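Review bot: `struct_size(sig_data, ctx, len)` equals the old `sizeof(*sig_data) + len` only while `ctx` is a one-byte-element flexible (or zero-length) array, so the commit message should name that precondition; it should also mention the one behavioural difference, namely that struct_size() saturates to SIZE_MAX on overflow where the old addition wrapped, which is the point of the helper and worth recording for the next reader of the blame output.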
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 19352820b274..42d99896e7a6 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -1092,7 +1092,7 @@ static void audit_list_rules(int seq, struct sk_buff_head *q)
break;
skb = audit_make_reply(seq, AUDIT_LIST_RULES, 0, 1,
data,
- sizeof(*data) + data->buflen);
+ struct_size(data, buf, data->buflen));
if (skb)
skb_queue_tail(q, skb);
kfree(data);
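Review bot: `struct_size(data, buf, data->buflen)` relies on `audit_rule_data.buf` being a flexible or zero-length array; patch 2/2 of this series is what converts it from `char buf[0]` to `char buf[]`, so the two patches should land together (or 2/2 first) and the cover text should say they depend on each other rather than presenting 2/2 as an independent cleanup.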
--
2.17.1
2 years, 10 months
[PATCH] audit: correct the AUDIT_DM_CTRL and AUDIT_DM_EVENT numbering
by Paul Moore
Due to a conflict with the audit and SELinux trees the device mapper
audit record types need to be renumbered before landing in Linus'
tree.
Link: https://lore.kernel.org/lkml/CAHC9VhTLmzDQPqsj+vyBNua1X13UK_tTcixKZ7WWYEq...
Fixes: c1d7fa96e74b ("dm: introduce audit event module for device mapper")
Signed-off-by: Paul Moore <paul(a)paul-moore.com>
---
include/uapi/linux/audit.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 6650ab6def2a..809e4c2041b3 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -118,8 +118,8 @@
#define AUDIT_TIME_ADJNTPVAL 1333 /* NTP value adjustment */
#define AUDIT_BPF 1334 /* BPF subsystem */
#define AUDIT_EVENT_LISTENER 1335 /* Task joined multicast read socket */
-#define AUDIT_DM_CTRL 1336 /* Device Mapper target control */
-#define AUDIT_DM_EVENT 1337 /* Device Mapper events */
+#define AUDIT_DM_CTRL 1338 /* Device Mapper target control */
+#define AUDIT_DM_EVENT 1339 /* Device Mapper events */
#define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
#define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
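Review bot: after this change the values 1336 and 1337 have no definition in the visible range of the uapi header; a comment marking them as taken by the conflicting audit/SELinux record types the commit message refers to (or as reserved) would stop a future patch from reusing them, and since this is uapi the audit-userspace type tables need the same renumbering before the numbers ship in a release.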
2 years, 10 months
[GIT PULL] Audit fixes for v5.16 (#1)
by Paul Moore
Hi Linus,
A single patch to fix a problem where the audit queue could grow
unbounded when the audit daemon is forcibly stopped. Please merge for
v5.16-rcX.
Thanks,
-Paul
--
The following changes since commit d9516f346e8b8e9c7dd37976a06a5bde1a871d6f:
audit: return early if the filter rule has a lower priority
(2021-10-18 18:34:37 -0400)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git
tags/audit-pr-20211216
for you to fetch changes up to f4b3ee3c85551d2d343a3ba159304066523f730f:
audit: improve robustness of the audit queue handling
(2021-12-15 13:16:39 -0500)
----------------------------------------------------------------
audit/stable-5.16 PR 20211216
----------------------------------------------------------------
Paul Moore (1):
audit: improve robustness of the audit queue handling
kernel/audit.c | 21 ++++++++++-----------
1 file changed, 10 insertions(+), 11 deletions(-)
--
paul moore
www.paul-moore.com
2 years, 10 months
Fwd: [PATCH -next, v3 2/2] audit: replace zero-length array with flexible-array member
by Paul Moore
Forwarding this to the linux-audit mailing list.
---------- Forwarded message ---------
From: Xiu Jianfeng <xiujianfeng(a)huawei.com>
Date: Wed, Dec 15, 2021 at 9:08 PM
Subject: [PATCH -next, v3 2/2] audit: replace zero-length array with
flexible-array member
To: <paul(a)paul-moore.com>, <eparis(a)redhat.com>,
<keescook(a)chromium.org>, <gustavoars(a)kernel.org>
Cc: <linux-kernel(a)vger.kernel.org>, <linux-hardening(a)vger.kernel.org>
Zero-length arrays are deprecated and should be replaced with
flexible-array members.
Link: https://github.com/KSPP/linux/issues/78
Signed-off-by: Xiu Jianfeng <xiujianfeng(a)huawei.com>
---
include/uapi/linux/audit.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 9176a095fefc..8eda133ca4c1 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -514,7 +514,7 @@ struct audit_rule_data {
__u32 values[AUDIT_MAX_FIELDS];
__u32 fieldflags[AUDIT_MAX_FIELDS];
__u32 buflen; /* total length of string fields */
- char buf[0]; /* string fields buffer */
+ char buf[]; /* string fields buffer */
};
#endif /* _UAPI_LINUX_AUDIT_H_ */
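Review bot: because this is a uapi header, the commit message should state that `sizeof(struct audit_rule_data)` and the offset of `buf` are unchanged (a zero-length array already occupies no storage), so the ABI seen by audit-userspace is unaffected; the only observable effect is that C code can no longer embed `struct audit_rule_data` inside another struct or array, which a flexible array member forbids, and that is the restriction worth calling out.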
--
2.17.1
2 years, 10 months