LSM stacking in next for 6.1?
by Casey Schaufler
I would like very much to get v38 or v39 of the LSM stacking for Apparmor
patch set in the LSM next branch for 6.1. The audit changes have polished
up nicely and I believe that all comments on the integrity code have been
addressed. The interface_lsm mechanism has been beaten to a frothy peak.
There are serious binder changes, but I think they address issues beyond
the needs of stacking. Changes outside these areas are pretty well limited
to LSM interface improvements.
[PATCH v4 0/4] fanotify: Allow user space to pass back additional audit info
by Richard Guy Briggs
The Fanotify API can be used for access control by requesting permission
event notification. The user space tooling that uses it may have a
complicated policy that inherently contains additional context for the
decision. If this information were available in the audit trail, policy
writers could close the loop on debugging policy. Also, if this additional
information were available, it would enable the creation of tools that
can suggest changes to the policy similar to how audit2allow can help
refine labeled security.
This patchset defines a new flag (FAN_INFO) and new extensions that
define additional information that is appended after the response
structure returned from user space on a permission event. The appended
information is organized with headers containing a type and size that
can be delegated to interested subsystems. One new information type is
defined for audit rule number.
A newer kernel will work with an older userspace and an older kernel
will behave as expected and reject a newer userspace, leaving it up to
the newer userspace to test appropriately and adapt as necessary.
The audit function was updated to log the additional information in the
AUDIT_FANOTIFY record. The following is an example of the new record
format:
type=FANOTIFY msg=audit(1600385147.372:590): resp=2 fan_type=1 fan_info=3F
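As an added illustration (not code from the patch set), the following shows how user space would assemble the extended response described above and the checks a receiving kernel has to make before trusting the appended info. Struct layouts follow the cover letter (a header with type/pad/len, an audit-rule extension with hdr/rule); the FAN_INFO and FAN_RESPONSE_INFO_AUDIT_RULE values are assumptions, not taken from the patches.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define FAN_ALLOW 0x01u            /* existing uapi response values */
#define FAN_DENY  0x02u
#define FAN_AUDIT 0x10u
#define FAN_INFO  0x20u            /* assumed value for the new flag */
#define FAN_RESPONSE_INFO_AUDIT_RULE 1u  /* assumed value for the new info type */

struct fanotify_response {         /* unchanged uapi struct */
	int32_t  fd;
	uint32_t response;
};

struct fanotify_response_info_header {  /* type/pad/len per the cover letter */
	uint8_t  type;
	uint8_t  pad;
	uint16_t len;                  /* bytes in this extension, header included */
};

struct fanotify_response_info_audit_rule {  /* hdr/rule per the cover letter */
	struct fanotify_response_info_header hdr;
	uint32_t rule;                 /* audit rule number behind the decision */
};

/* User space side: base response followed by one audit-rule extension.
 * Returns the byte count to hand to write(2), or 0 if buf is too small. */
size_t build_response(uint8_t *buf, size_t cap, int fd, uint32_t decision, uint32_t rule)
{
	struct fanotify_response rsp = { .fd = fd, .response = decision | FAN_AUDIT | FAN_INFO };
	struct fanotify_response_info_audit_rule ext = {
		.hdr = { .type = FAN_RESPONSE_INFO_AUDIT_RULE, .pad = 0, .len = sizeof(ext) },
		.rule = rule,
	};

	if (cap < sizeof(rsp) + sizeof(ext))
		return 0;
	memcpy(buf, &rsp, sizeof(rsp));
	memcpy(buf + sizeof(rsp), &ext, sizeof(ext));
	return sizeof(rsp) + sizeof(ext);
}

/* Kernel-side style validation of what user space wrote back.  Returns 1 when
 * an audit rule number was recovered into *rule, 0 for a valid legacy response
 * without info, and a negative code for anything that must be rejected. */
int parse_response(const uint8_t *buf, size_t len, uint32_t *rule)
{
	struct fanotify_response rsp;
	size_t off = sizeof(rsp);
	int found = 0;

	if (len < sizeof(rsp))
		return -1;             /* shorter than the base struct */
	memcpy(&rsp, buf, sizeof(rsp));

	uint32_t decision = rsp.response & (FAN_ALLOW | FAN_DENY);
	if (decision != FAN_ALLOW && decision != FAN_DENY)
		return -2;             /* neither or both: also catches response == 0 */
	if (rsp.response & ~(FAN_ALLOW | FAN_DENY | FAN_AUDIT | FAN_INFO))
		return -3;             /* unknown flag bits (what an old kernel sees in FAN_INFO) */
	if (!(rsp.response & FAN_INFO))
		return len == sizeof(rsp) ? 0 : -4;  /* legacy response: no trailing bytes */
	if (len == sizeof(rsp))
		return -5;             /* FAN_INFO promised extensions but none follow */

	while (off < len) {
		struct fanotify_response_info_header hdr;
		if (len - off < sizeof(hdr))
			return -6;         /* truncated header */
		memcpy(&hdr, buf + off, sizeof(hdr));
		if (hdr.len < sizeof(hdr) || hdr.len > len - off)
			return -7;         /* length field disagrees with the buffer */

		switch (hdr.type) {
		case FAN_RESPONSE_INFO_AUDIT_RULE: {
			struct fanotify_response_info_audit_rule ext;
			if (hdr.len != sizeof(ext))
				return -8;
			memcpy(&ext, buf + off, sizeof(ext));
			*rule = ext.rule;
			found = 1;
			break;
		}
		default:
			return -9;         /* unknown extension type: reject, do not skip */
		}
		off += hdr.len;
	}
	return found;
}
```

The -3 path is the behaviour the cover letter relies on for an older kernel meeting a newer user space: FAN_INFO is just an unknown bit to it, so the whole response is refused and the tool can fall back.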
changelog:
v1:
- first version by Steve Grubb <sgrubb(a)redhat.com>
Link: https://lore.kernel.org/r/2042449.irdbgypaU6@x2
v2:
- enhancements suggested by Jan Kara <jack(a)suse.cz>
- 1/3 change %d to %u in pr_debug
- 2/3 change response from __u32 to __u16
- mod struct fanotify_response and fanotify_perm_event add extra_info_type, extra_info_buf
- extra_info_buf size max FANOTIFY_MAX_RESPONSE_EXTRA_LEN, add struct fanotify_response_audit_rule
- extend debug statements
- remove unneeded macros
- [internal] change interface to finish_permission_event() and process_access_response()
- 3/3 update format of extra information
- [internal] change interface to audit_fanotify()
- change ctx_type= to fan_type=
Link: https://lore.kernel.org/r/cover.1651174324.git.rgb@redhat.com
v3:
- 1/3 switch {,__}audit_fanotify() from uint to u32
- 2/3 re-add fanotify_get_response switch case FAN_DENY: to avoid unnecessary churn
- add FAN_EXTRA flag to indicate more info and break with old kernel
- change response from u16 to u32 to avoid endian issues
- change extra_info_buf to union
- move low-cost fd check earlier
- change FAN_RESPONSE_INFO_AUDIT_NONE to FAN_RESPONSE_INFO_NONE
- switch to u32 for internal and __u32 for uapi
Link: https://lore.kernel.org/r/cover.1652724390.git.rgb@redhat.com
v4:
- scrap FAN_INVALID_RESPONSE_MASK in favour of original to catch invalid response == 0
- introduce FANOTIFY_RESPONSE_* macros
- uapi: remove union
- keep original struct fanotify_response, add fan_info infra starting with audit reason
- uapi add struct fanotify_response_info_header{type/pad/len} and struct fanotify_response_info_audit_rule{hdr/rule}
- rename fan_ctx= to fan_info=, FAN_EXTRA to FAN_INFO
- change event struct from type/buf to len/buf
- enable multiple info extensions in one message
- hex encode fan_info in __audit_fanotify()
- record type FANOTIFY extended to "type=FANOTIFY msg=audit(1659730979.839:284): resp=1 fan_type=0 fan_info=3F"
Link: https://lore.kernel.org/r/cover.1659981772.git.rgb@redhat.com
Richard Guy Briggs (4):
fanotify: Ensure consistent variable type for response
fanotify: define struct members to hold response decision context
fanotify,audit: Allow audit to use the full permission event response
fanotify,audit: deliver fan_info as a hex-encoded string
fs/notify/fanotify/fanotify.c | 13 +++-
fs/notify/fanotify/fanotify.h | 4 +-
fs/notify/fanotify/fanotify_user.c | 106 ++++++++++++++++++++++-------
include/linux/audit.h | 9 +--
include/linux/fanotify.h | 5 ++
include/uapi/linux/fanotify.h | 27 +++++++-
kernel/auditsc.c | 45 +++++++++++-
7 files changed, 174 insertions(+), 35 deletions(-)
--
2.27.0
[RFC PATCH 2/2] fs/xattr: wire up syscalls
by Christian Göttsche
Enable the newly added extended attribute related syscalls.
Signed-off-by: Christian Göttsche <cgzones(a)googlemail.com>
---
TODO:
- deprecate traditional syscalls (setxattr, ...)?
- resolve possible conflicts with proposed readfile syscall
---
arch/alpha/kernel/syscalls/syscall.tbl | 4 ++++
arch/arm/tools/syscall.tbl | 4 ++++
arch/arm64/include/asm/unistd.h | 2 +-
arch/arm64/include/asm/unistd32.h | 8 ++++++++
arch/ia64/kernel/syscalls/syscall.tbl | 4 ++++
arch/m68k/kernel/syscalls/syscall.tbl | 4 ++++
arch/microblaze/kernel/syscalls/syscall.tbl | 4 ++++
arch/mips/kernel/syscalls/syscall_n32.tbl | 4 ++++
arch/mips/kernel/syscalls/syscall_n64.tbl | 4 ++++
arch/mips/kernel/syscalls/syscall_o32.tbl | 4 ++++
arch/parisc/kernel/syscalls/syscall.tbl | 4 ++++
arch/powerpc/kernel/syscalls/syscall.tbl | 4 ++++
arch/s390/kernel/syscalls/syscall.tbl | 4 ++++
arch/sh/kernel/syscalls/syscall.tbl | 4 ++++
arch/sparc/kernel/syscalls/syscall.tbl | 4 ++++
arch/x86/entry/syscalls/syscall_32.tbl | 4 ++++
arch/x86/entry/syscalls/syscall_64.tbl | 4 ++++
arch/xtensa/kernel/syscalls/syscall.tbl | 4 ++++
include/asm-generic/audit_change_attr.h | 6 ++++++
include/linux/syscalls.h | 8 ++++++++
include/uapi/asm-generic/unistd.h | 12 +++++++++++-
21 files changed, 98 insertions(+), 2 deletions(-)
diff --git a/arch/alpha/kernel/syscalls/syscall.tbl b/arch/alpha/kernel/syscalls/syscall.tbl
index 3515bc4f16a4..826a8a36da81 100644
--- a/arch/alpha/kernel/syscalls/syscall.tbl
+++ b/arch/alpha/kernel/syscalls/syscall.tbl
@@ -490,3 +490,7 @@
558 common process_mrelease sys_process_mrelease
559 common futex_waitv sys_futex_waitv
560 common set_mempolicy_home_node sys_ni_syscall
+561 common setxattrat sys_setxattrat
+562 common getxattrat sys_getxattrat
+563 common listxattrat sys_listxattrat
+564 common removexattrat sys_removexattrat
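Review bot: alpha numbers the new calls 561-564 while every other table in this patch uses 451-454; that offset is expected for alpha, but it also means a collision or skipped number here would not show up as a mismatch against asm-generic the way it would on the other architectures, so double-check these four are the next free slots in alpha's table.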
diff --git a/arch/arm/tools/syscall.tbl b/arch/arm/tools/syscall.tbl
index ac964612d8b0..f0e9d9d487f0 100644
--- a/arch/arm/tools/syscall.tbl
+++ b/arch/arm/tools/syscall.tbl
@@ -464,3 +464,7 @@
448 common process_mrelease sys_process_mrelease
449 common futex_waitv sys_futex_waitv
450 common set_mempolicy_home_node sys_set_mempolicy_home_node
+451 common setxattrat sys_setxattrat
+452 common getxattrat sys_getxattrat
+453 common listxattrat sys_listxattrat
+454 common removexattrat sys_removexattrat
diff --git a/arch/arm64/include/asm/unistd.h b/arch/arm64/include/asm/unistd.h
index 037feba03a51..63a8a9c4abc1 100644
--- a/arch/arm64/include/asm/unistd.h
+++ b/arch/arm64/include/asm/unistd.h
@@ -39,7 +39,7 @@
#define __ARM_NR_compat_set_tls (__ARM_NR_COMPAT_BASE + 5)
#define __ARM_NR_COMPAT_END (__ARM_NR_COMPAT_BASE + 0x800)
-#define __NR_compat_syscalls 451
+#define __NR_compat_syscalls 455
#endif
#define __ARCH_WANT_SYS_CLONE
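Review bot: the bump of __NR_compat_syscalls from 451 to 455 has to equal the highest compat number added in unistd32.h (454) plus one, which it does; since the two live in different files, anyone rebasing this over other pending syscall additions should re-check them as a pair.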
diff --git a/arch/arm64/include/asm/unistd32.h b/arch/arm64/include/asm/unistd32.h
index 604a2053d006..cd6ac63376d1 100644
--- a/arch/arm64/include/asm/unistd32.h
+++ b/arch/arm64/include/asm/unistd32.h
@@ -907,6 +907,14 @@ __SYSCALL(__NR_process_mrelease, sys_process_mrelease)
__SYSCALL(__NR_futex_waitv, sys_futex_waitv)
#define __NR_set_mempolicy_home_node 450
__SYSCALL(__NR_set_mempolicy_home_node, sys_set_mempolicy_home_node)
+#define __NR_setxattrat 451
+__SYSCALL(__NR_setxattrat, sys_setxattrat)
+#define __NR_getxattrat 452
+__SYSCALL(__NR_getxattrat, sys_getxattrat)
+#define __NR_listxattrat 453
+__SYSCALL(__NR_listxattrat, sys_listxattrat)
+#define __NR_removexattrat 454
+__SYSCALL(__NR_removexattrat, sys_removexattrat)
/*
* Please add new compat syscalls above this comment and update
diff --git a/arch/ia64/kernel/syscalls/syscall.tbl b/arch/ia64/kernel/syscalls/syscall.tbl
index 78b1d03e86e1..6e942a935a27 100644
--- a/arch/ia64/kernel/syscalls/syscall.tbl
+++ b/arch/ia64/kernel/syscalls/syscall.tbl
@@ -371,3 +371,7 @@
448 common process_mrelease sys_process_mrelease
449 common futex_waitv sys_futex_waitv
450 common set_mempolicy_home_node sys_set_mempolicy_home_node
+451 common setxattrat sys_setxattrat
+452 common getxattrat sys_getxattrat
+453 common listxattrat sys_listxattrat
+454 common removexattrat sys_removexattrat
diff --git a/arch/m68k/kernel/syscalls/syscall.tbl b/arch/m68k/kernel/syscalls/syscall.tbl
index b1f3940bc298..0847efdee734 100644
--- a/arch/m68k/kernel/syscalls/syscall.tbl
+++ b/arch/m68k/kernel/syscalls/syscall.tbl
@@ -450,3 +450,7 @@
448 common process_mrelease sys_process_mrelease
449 common futex_waitv sys_futex_waitv
450 common set_mempolicy_home_node sys_set_mempolicy_home_node
+451 common setxattrat sys_setxattrat
+452 common getxattrat sys_getxattrat
+453 common listxattrat sys_listxattrat
+454 common removexattrat sys_removexattrat
diff --git a/arch/microblaze/kernel/syscalls/syscall.tbl b/arch/microblaze/kernel/syscalls/syscall.tbl
index 820145e47350..7f619bbc718d 100644
--- a/arch/microblaze/kernel/syscalls/syscall.tbl
+++ b/arch/microblaze/kernel/syscalls/syscall.tbl
@@ -456,3 +456,7 @@
448 common process_mrelease sys_process_mrelease
449 common futex_waitv sys_futex_waitv
450 common set_mempolicy_home_node sys_set_mempolicy_home_node
+451 common setxattrat sys_setxattrat
+452 common getxattrat sys_getxattrat
+453 common listxattrat sys_listxattrat
+454 common removexattrat sys_removexattrat
diff --git a/arch/mips/kernel/syscalls/syscall_n32.tbl b/arch/mips/kernel/syscalls/syscall_n32.tbl
index 253ff994ed2e..5e4206c0aede 100644
--- a/arch/mips/kernel/syscalls/syscall_n32.tbl
+++ b/arch/mips/kernel/syscalls/syscall_n32.tbl
@@ -389,3 +389,7 @@
448 n32 process_mrelease sys_process_mrelease
449 n32 futex_waitv sys_futex_waitv
450 n32 set_mempolicy_home_node sys_set_mempolicy_home_node
+451 n32 setxattrat sys_setxattrat
+452 n32 getxattrat sys_getxattrat
+453 n32 listxattrat sys_listxattrat
+454 n32 removexattrat sys_removexattrat
diff --git a/arch/mips/kernel/syscalls/syscall_n64.tbl b/arch/mips/kernel/syscalls/syscall_n64.tbl
index 3f1886ad9d80..df0f053e76cd 100644
--- a/arch/mips/kernel/syscalls/syscall_n64.tbl
+++ b/arch/mips/kernel/syscalls/syscall_n64.tbl
@@ -365,3 +365,7 @@
448 n64 process_mrelease sys_process_mrelease
449 n64 futex_waitv sys_futex_waitv
450 common set_mempolicy_home_node sys_set_mempolicy_home_node
+451 n64 setxattrat sys_setxattrat
+452 n64 getxattrat sys_getxattrat
+453 n64 listxattrat sys_listxattrat
+454 n64 removexattrat sys_removexattrat
diff --git a/arch/mips/kernel/syscalls/syscall_o32.tbl b/arch/mips/kernel/syscalls/syscall_o32.tbl
index 8f243e35a7b2..09ec31ad475f 100644
--- a/arch/mips/kernel/syscalls/syscall_o32.tbl
+++ b/arch/mips/kernel/syscalls/syscall_o32.tbl
@@ -438,3 +438,7 @@
448 o32 process_mrelease sys_process_mrelease
449 o32 futex_waitv sys_futex_waitv
450 o32 set_mempolicy_home_node sys_set_mempolicy_home_node
+451 o32 setxattrat sys_setxattrat
+452 o32 getxattrat sys_getxattrat
+453 o32 listxattrat sys_listxattrat
+454 o32 removexattrat sys_removexattrat
diff --git a/arch/parisc/kernel/syscalls/syscall.tbl b/arch/parisc/kernel/syscalls/syscall.tbl
index 8a99c998da9b..fe3f4f41aee6 100644
--- a/arch/parisc/kernel/syscalls/syscall.tbl
+++ b/arch/parisc/kernel/syscalls/syscall.tbl
@@ -448,3 +448,7 @@
448 common process_mrelease sys_process_mrelease
449 common futex_waitv sys_futex_waitv
450 common set_mempolicy_home_node sys_set_mempolicy_home_node
+451 common setxattrat sys_setxattrat
+452 common getxattrat sys_getxattrat
+453 common listxattrat sys_listxattrat
+454 common removexattrat sys_removexattrat
diff --git a/arch/powerpc/kernel/syscalls/syscall.tbl b/arch/powerpc/kernel/syscalls/syscall.tbl
index 2600b4237292..bee27f650397 100644
--- a/arch/powerpc/kernel/syscalls/syscall.tbl
+++ b/arch/powerpc/kernel/syscalls/syscall.tbl
@@ -530,3 +530,7 @@
448 common process_mrelease sys_process_mrelease
449 common futex_waitv sys_futex_waitv
450 nospu set_mempolicy_home_node sys_set_mempolicy_home_node
+451 common setxattrat sys_setxattrat
+452 common getxattrat sys_getxattrat
+453 common listxattrat sys_listxattrat
+454 common removexattrat sys_removexattrat
diff --git a/arch/s390/kernel/syscalls/syscall.tbl b/arch/s390/kernel/syscalls/syscall.tbl
index 799147658dee..d1fbad4b7864 100644
--- a/arch/s390/kernel/syscalls/syscall.tbl
+++ b/arch/s390/kernel/syscalls/syscall.tbl
@@ -453,3 +453,7 @@
448 common process_mrelease sys_process_mrelease sys_process_mrelease
449 common futex_waitv sys_futex_waitv sys_futex_waitv
450 common set_mempolicy_home_node sys_set_mempolicy_home_node sys_set_mempolicy_home_node
+451 common setxattrat sys_setxattrat sys_setxattrat
+452 common getxattrat sys_getxattrat sys_getxattrat
+453 common listxattrat sys_listxattrat sys_listxattrat
+454 common removexattrat sys_removexattrat sys_removexattrat
diff --git a/arch/sh/kernel/syscalls/syscall.tbl b/arch/sh/kernel/syscalls/syscall.tbl
index 2de85c977f54..d4daa8afe45c 100644
--- a/arch/sh/kernel/syscalls/syscall.tbl
+++ b/arch/sh/kernel/syscalls/syscall.tbl
@@ -453,3 +453,7 @@
448 common process_mrelease sys_process_mrelease
449 common futex_waitv sys_futex_waitv
450 common set_mempolicy_home_node sys_set_mempolicy_home_node
+451 common setxattrat sys_setxattrat
+452 common getxattrat sys_getxattrat
+453 common listxattrat sys_listxattrat
+454 common removexattrat sys_removexattrat
diff --git a/arch/sparc/kernel/syscalls/syscall.tbl b/arch/sparc/kernel/syscalls/syscall.tbl
index 4398cc6fb68d..510d5175f80a 100644
--- a/arch/sparc/kernel/syscalls/syscall.tbl
+++ b/arch/sparc/kernel/syscalls/syscall.tbl
@@ -496,3 +496,7 @@
448 common process_mrelease sys_process_mrelease
449 common futex_waitv sys_futex_waitv
450 common set_mempolicy_home_node sys_set_mempolicy_home_node
+451 common setxattrat sys_setxattrat
+452 common getxattrat sys_getxattrat
+453 common listxattrat sys_listxattrat
+454 common removexattrat sys_removexattrat
diff --git a/arch/x86/entry/syscalls/syscall_32.tbl b/arch/x86/entry/syscalls/syscall_32.tbl
index 320480a8db4f..8488cc157fe0 100644
--- a/arch/x86/entry/syscalls/syscall_32.tbl
+++ b/arch/x86/entry/syscalls/syscall_32.tbl
@@ -455,3 +455,7 @@
448 i386 process_mrelease sys_process_mrelease
449 i386 futex_waitv sys_futex_waitv
450 i386 set_mempolicy_home_node sys_set_mempolicy_home_node
+451 i386 setxattrat sys_setxattrat
+452 i386 getxattrat sys_getxattrat
+453 i386 listxattrat sys_listxattrat
+454 i386 removexattrat sys_removexattrat
diff --git a/arch/x86/entry/syscalls/syscall_64.tbl b/arch/x86/entry/syscalls/syscall_64.tbl
index c84d12608cd2..f45d723d5a30 100644
--- a/arch/x86/entry/syscalls/syscall_64.tbl
+++ b/arch/x86/entry/syscalls/syscall_64.tbl
@@ -372,6 +372,10 @@
448 common process_mrelease sys_process_mrelease
449 common futex_waitv sys_futex_waitv
450 common set_mempolicy_home_node sys_set_mempolicy_home_node
+451 common setxattrat sys_setxattrat
+452 common getxattrat sys_getxattrat
+453 common listxattrat sys_listxattrat
+454 common removexattrat sys_removexattrat
#
# Due to a historical design error, certain syscalls are numbered differently
diff --git a/arch/xtensa/kernel/syscalls/syscall.tbl b/arch/xtensa/kernel/syscalls/syscall.tbl
index 52c94ab5c205..dbafe441a83f 100644
--- a/arch/xtensa/kernel/syscalls/syscall.tbl
+++ b/arch/xtensa/kernel/syscalls/syscall.tbl
@@ -421,3 +421,7 @@
448 common process_mrelease sys_process_mrelease
449 common futex_waitv sys_futex_waitv
450 common set_mempolicy_home_node sys_set_mempolicy_home_node
+451 common setxattrat sys_setxattrat
+452 common getxattrat sys_getxattrat
+453 common listxattrat sys_listxattrat
+454 common removexattrat sys_removexattrat
diff --git a/include/asm-generic/audit_change_attr.h b/include/asm-generic/audit_change_attr.h
index 331670807cf0..cc840537885f 100644
--- a/include/asm-generic/audit_change_attr.h
+++ b/include/asm-generic/audit_change_attr.h
@@ -11,9 +11,15 @@ __NR_lchown,
__NR_fchown,
#endif
__NR_setxattr,
+#ifdef __NR_setxattrat
+__NR_setxattrat,
+#endif
__NR_lsetxattr,
__NR_fsetxattr,
__NR_removexattr,
+#ifdef __NR_removexattrat
+__NR_removexattrat,
+#endif
__NR_lremovexattr,
__NR_fremovexattr,
#ifdef __NR_fchownat
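Review bot: only setxattrat and removexattrat join the attribute-change class, which matches the existing list (the get/list variants do not modify anything), and the #ifdef guards follow the __NR_fchownat pattern directly below so architectures that have not wired the calls yet still build; good as is.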
diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h
index a34b0f9a9972..090b9b5229a0 100644
--- a/include/linux/syscalls.h
+++ b/include/linux/syscalls.h
@@ -348,23 +348,31 @@ asmlinkage long sys_io_uring_register(unsigned int fd, unsigned int op,
/* fs/xattr.c */
asmlinkage long sys_setxattr(const char __user *path, const char __user *name,
const void __user *value, size_t size, int flags);
+asmlinkage long sys_setxattrat(int dfd, const char __user *path, const char __user *name,
+ const void __user *value, size_t size, int flags);
asmlinkage long sys_lsetxattr(const char __user *path, const char __user *name,
const void __user *value, size_t size, int flags);
asmlinkage long sys_fsetxattr(int fd, const char __user *name,
const void __user *value, size_t size, int flags);
asmlinkage long sys_getxattr(const char __user *path, const char __user *name,
void __user *value, size_t size);
+asmlinkage long sys_getxattrat(int dfd, const char __user *path, const char __user *name,
+ void __user *value, size_t size, int flags);
asmlinkage long sys_lgetxattr(const char __user *path, const char __user *name,
void __user *value, size_t size);
asmlinkage long sys_fgetxattr(int fd, const char __user *name,
void __user *value, size_t size);
asmlinkage long sys_listxattr(const char __user *path, char __user *list,
size_t size);
+asmlinkage long sys_listxattrat(int dfd, const char __user *path, char __user *list,
+ size_t size, int flags);
asmlinkage long sys_llistxattr(const char __user *path, char __user *list,
size_t size);
asmlinkage long sys_flistxattr(int fd, char __user *list, size_t size);
asmlinkage long sys_removexattr(const char __user *path,
const char __user *name);
+asmlinkage long sys_removexattrat(int dfd, const char __user *path,
+ const char __user *name, int flags);
asmlinkage long sys_lremovexattr(const char __user *path,
const char __user *name);
asmlinkage long sys_fremovexattr(int fd, const char __user *name);
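Review bot: sys_setxattrat keeps a single `int flags` even though setxattr already uses `flags` for XATTR_CREATE/XATTR_REPLACE, while the other *at calls use their trailing flags argument for AT_* lookup flags such as AT_SYMLINK_NOFOLLOW. Either the two flag spaces share one word, which the prototype and the uapi header should say explicitly, or setxattrat needs a separate at_flags parameter; compare sys_getxattrat and sys_listxattrat, whose new `int flags` presumably means AT_* flags only.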
diff --git a/include/uapi/asm-generic/unistd.h b/include/uapi/asm-generic/unistd.h
index 45fa180cc56a..4fcc71612b7a 100644
--- a/include/uapi/asm-generic/unistd.h
+++ b/include/uapi/asm-generic/unistd.h
@@ -886,8 +886,18 @@ __SYSCALL(__NR_futex_waitv, sys_futex_waitv)
#define __NR_set_mempolicy_home_node 450
__SYSCALL(__NR_set_mempolicy_home_node, sys_set_mempolicy_home_node)
+/* fs/xattr.c */
+#define __NR_setxattrat 451
+__SYSCALL(__NR_setxattrat, sys_setxattrat)
+#define __NR_getxattrat 452
+__SYSCALL(__NR_getxattrat, sys_getxattrat)
+#define __NR_listxattrat 453
+__SYSCALL(__NR_listxattrat, sys_listxattrat)
+#define __NR_removexattrat 454
+__SYSCALL(__NR_removexattrat, sys_removexattrat)
+
#undef __NR_syscalls
-#define __NR_syscalls 451
+#define __NR_syscalls 455
/*
* 32 bit systems traditionally used different
--
2.37.2
[PATCH] audit: remove obvious unnecessary header files
by wuchi
With the code having been updated, some header files are unnecessary. Remove
the obvious ones.
Signed-off-by: wuchi <wuchi.zero(a)gmail.com>
---
kernel/audit.c | 3 ---
kernel/audit_fsnotify.c | 5 -----
kernel/audit_watch.c | 4 ----
kernel/auditfilter.c | 2 --
kernel/auditsc.c | 11 +----------
5 files changed, 1 insertion(+), 24 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index a75978ae38ad..f2caa710524f 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -35,13 +35,10 @@
#include <linux/init.h>
#include <linux/types.h>
#include <linux/atomic.h>
-#include <linux/mm.h>
-#include <linux/export.h>
#include <linux/slab.h>
#include <linux/err.h>
#include <linux/kthread.h>
#include <linux/kernel.h>
-#include <linux/syscalls.h>
#include <linux/spinlock.h>
#include <linux/rcupdate.h>
#include <linux/mutex.h>
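Review bot: the commit message does not say how the list was derived (a tool like include-what-you-use, or simply building after each removal). Dropping a header that is still reached transitively compiles today but breaks the moment the transitive path changes, so please state the method and confirm the result with allyesconfig builds on more than one architecture; <linux/syscalls.h> going from audit.c is the kind of removal that tends to surface only that way.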
diff --git a/kernel/audit_fsnotify.c b/kernel/audit_fsnotify.c
index c565fbf66ac8..1b7b1cb7033d 100644
--- a/kernel/audit_fsnotify.c
+++ b/kernel/audit_fsnotify.c
@@ -8,15 +8,10 @@
#include <linux/kernel.h>
#include <linux/audit.h>
-#include <linux/kthread.h>
-#include <linux/mutex.h>
#include <linux/fs.h>
#include <linux/fsnotify_backend.h>
#include <linux/namei.h>
-#include <linux/netlink.h>
-#include <linux/sched.h>
#include <linux/slab.h>
-#include <linux/security.h>
#include "audit.h"
/*
diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
index 65075f1e4ac8..68d1fa42426d 100644
--- a/kernel/audit_watch.c
+++ b/kernel/audit_watch.c
@@ -9,16 +9,12 @@
#include <linux/file.h>
#include <linux/kernel.h>
#include <linux/audit.h>
-#include <linux/kthread.h>
#include <linux/mutex.h>
#include <linux/fs.h>
#include <linux/fsnotify_backend.h>
#include <linux/namei.h>
-#include <linux/netlink.h>
#include <linux/refcount.h>
-#include <linux/sched.h>
#include <linux/slab.h>
-#include <linux/security.h>
#include "audit.h"
/*
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 42d99896e7a6..7287c14dfb97 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -12,8 +12,6 @@
#include <linux/audit.h>
#include <linux/kthread.h>
#include <linux/mutex.h>
-#include <linux/fs.h>
-#include <linux/namei.h>
#include <linux/netlink.h>
#include <linux/sched.h>
#include <linux/slab.h>
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 9f8c05228d6d..57734fea51fb 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -33,27 +33,19 @@
#include <linux/init.h>
#include <asm/types.h>
-#include <linux/atomic.h>
#include <linux/fs.h>
#include <linux/namei.h>
#include <linux/mm.h>
#include <linux/export.h>
#include <linux/slab.h>
-#include <linux/mount.h>
#include <linux/socket.h>
-#include <linux/mqueue.h>
#include <linux/audit.h>
#include <linux/personality.h>
#include <linux/time.h>
-#include <linux/netlink.h>
-#include <linux/compiler.h>
#include <asm/unistd.h>
#include <linux/security.h>
#include <linux/list.h>
#include <linux/binfmts.h>
-#include <linux/highmem.h>
-#include <linux/syscalls.h>
-#include <asm/syscall.h>
#include <linux/capability.h>
#include <linux/fs_struct.h>
#include <linux/compat.h>
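Review bot: removing <asm/syscall.h> here looks wrong, or at least unproven: auditsc.c calls syscall_get_arch() in __audit_syscall_entry(), and that header is where the arch-specific declaration lives, so the build now depends on it arriving through some other include. Keep this one unless the message shows it was checked across architectures, since what is transitively available differs per arch.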
@@ -61,8 +53,7 @@
#include <linux/string.h>
#include <linux/uaccess.h>
#include <linux/fsnotify_backend.h>
-#include <uapi/linux/limits.h>
-#include <uapi/linux/netfilter/nf_tables.h>
+#include <linux/limits.h>
#include <uapi/linux/openat2.h> // struct open_how
#include "audit.h"
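Review bot: swapping <uapi/linux/limits.h> for <linux/limits.h> is the right fix for in-tree code, but the removal of <uapi/linux/netfilter/nf_tables.h> alongside it is a correctness question rather than tidying: if the nft config logging in auditsc.c still references anything from that header, compilation now relies on a transitive include. A sentence in the message confirming it was found unused would settle it.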
--
2.20.1
[PATCH] audit: use time_after to compare time
by wuchi
Using the time_{*} macros to compare time is better.
Signed-off-by: wuchi <wuchi.zero(a)gmail.com>
---
kernel/audit.c | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index a75978ae38ad..9bc0b0301198 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -321,7 +321,6 @@ static inline int audit_rate_check(void)
static DEFINE_SPINLOCK(lock);
unsigned long flags;
unsigned long now;
- unsigned long elapsed;
int retval = 0;
if (!audit_rate_limit) return 1;
@@ -330,9 +329,8 @@ static inline int audit_rate_check(void)
if (++messages < audit_rate_limit) {
retval = 1;
} else {
- now = jiffies;
- elapsed = now - last_check;
- if (elapsed > HZ) {
+ now = jiffies;
+ if (time_after(now, last_check + HZ)) {
last_check = now;
messages = 0;
retval = 1;
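Review bot: time_after(now, last_check + HZ) is the same strict "more than HZ elapsed" test as the old `elapsed > HZ`, with the gain that jiffies wraparound is handled by the macro's signed difference. The `now = jiffies;` line is removed and re-added unchanged, so that part of the hunk is whitespace only; dropping it would keep the diff to the two lines that matter.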
@@ -366,7 +364,7 @@ void audit_log_lost(const char *message)
if (!print) {
spin_lock_irqsave(&lock, flags);
now = jiffies;
- if (now - last_msg > HZ) {
+ if (time_after(now, last_msg + HZ)) {
print = 1;
last_msg = now;
}
--
2.20.1
audit-3.0.9 released
by Steve Grubb
Hello,
I've just released a new version of the audit daemon. It can be
downloaded from http://people.redhat.com/sgrubb/audit. It will also be
in rawhide soon. The ChangeLog is:
- In auditd, release the async flush lock on stop
- Don't allow auditd to log directly into /var/log when log_group is non-zero
- Cleanup krb5 memory leaks on error paths
- Update auditd.cron to use auditctl --signal
- In auparse, if too many fields, realloc array bigger (Paul Wolneykien)
- In auparse, special case kernel module name interpretation
- If overflow_action is ignore, don't treat as an error
The main driver for this release is to update the kerberos code. It could
leak memory on certain error conditions. Also added in this release is
support for records with more than 36 fields. Auditing execve calls would be
the only way that it might have fallen short. Now the field array is realloced
bigger on demand. And one last item is that the kernel module name was not
being interpreted correctly. Due to the field name being the same as a file
path, it was being processed like a path instead of an escaped name.
SHA256: fd9570444df1573a274ca8ba23590082298a083cfc0618138957f590e845bc78
Please let me know if you run across any problems with this release.
-Steve
[GIT PULL] Audit fixes for v6.0 (#2)
by Paul Moore
Linus,
Another small audit patch, this time to fix a bug where the return
codes were not properly set before the audit filters were run,
potentially resulting in missed audit records. Please merge for v6.0.
Thanks,
-Paul
--
The following changes since commit ad982c3be4e60c7d39c03f782733503cbd88fd2a:
audit: fix potential double free on error path from
fsnotify_add_inode_mark (2022-08-22 18:50:06 -0400)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git
tags/audit-pr-20220826
for you to fetch changes up to d4fefa4801a1c2f9c0c7a48fbb0fdf384e89a4ab:
audit: move audit_return_fixup before the filters
(2022-08-25 17:25:08 -0400)
----------------------------------------------------------------
audit/stable-6.0 PR 20220826
----------------------------------------------------------------
Richard Guy Briggs (1):
audit: move audit_return_fixup before the filters
kernel/auditsc.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--
paul-moore.com
[PATCH ghak138 v2 0/4] issues from moving beyond syscalls
by Richard Guy Briggs
The primary motivation was to solve the mystery of the missing syscall
events filed in ghak138. This is addressed by the audit_return_fixup()
patch and is most likely a stable candidate.
The others were a number of not so critical issues observed in the
process of examining the bisected patch to see what caused it.
changelog v2:
- split into 4 patches
- flesh out proctitle move justification
- add issue reference in return_fixup move patch
- remove explicit Cc:
Richard Guy Briggs (4):
audit: audit_context pid unused, context enum comment fix
audit: explicitly check audit_context->context enum value
audit: free audit_proctitle only on task exit
audit: move audit_return_fixup before the filters
kernel/audit.h | 2 +-
kernel/auditsc.c | 12 ++++++------
2 files changed, 7 insertions(+), 7 deletions(-)
--
2.27.0
[PATCH] tests/io_uring: ensure that the io_uring::enter_ring_fd is imported
by Paul Moore
The liburing library added a new field to the io_uring struct in
commit b02125e164ea ("Add preliminary support for using a registered ring fd"),
first seen in liburing v2.2.
Signed-off-by: Paul Moore <paul(a)paul-moore.com>
---
tests/io_uring/iouring.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/tests/io_uring/iouring.c b/tests/io_uring/iouring.c
index 5d83146..af814f6 100644
--- a/tests/io_uring/iouring.c
+++ b/tests/io_uring/iouring.c
@@ -233,6 +233,7 @@ int uring_import(int fd, struct io_uring *ring, struct io_uring_params *params)
ring->flags = params->flags;
ring->features = params->features;
ring->ring_fd = fd;
+ ring->enter_ring_fd = fd;
ring->sq.ring_sz = params->sq_off.array +
params->sq_entries * sizeof(unsigned);
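Review bot: the commit message says enter_ring_fd first appears in liburing v2.2, so this assignment stops the test compiling against anything older. Either guard the line with a build-time check for the liburing version, or state in the message that the test suite now requires liburing >= 2.2 so the dependency bump is deliberate rather than accidental.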
[PATCH ghak138] audit: move audit_return_fixup before the filters
by Richard Guy Briggs
The success and return_code are needed by the filters. Move
audit_return_fixup() before the filters.
The pid member of struct audit_context is never used. Remove it.
The audit_reset_context() comment about unconditionally resetting
"ctx->state" should read "ctx->context".
The proctitle is intentionally stored between syscalls. Only free it in
audit_free_context().
Be explicit in checking the struct audit_context "context" member enum
value rather than assuming the order of context enum values.
Cc: stable(a)vger.kernel.org
Fixes: 12c5e81d3fd0 ("audit: prepare audit_context for use in calling contexts beyond syscalls")
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
kernel/audit.h | 2 +-
kernel/auditsc.c | 12 ++++++------
2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/kernel/audit.h b/kernel/audit.h
index 58b66543b4d5..d6eb7b59c791 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -133,7 +133,7 @@ struct audit_context {
struct sockaddr_storage *sockaddr;
size_t sockaddr_len;
/* Save things to print about task_struct */
- pid_t pid, ppid;
+ pid_t ppid;
kuid_t uid, euid, suid, fsuid;
kgid_t gid, egid, sgid, fsgid;
unsigned long personality;
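Review bot: this patch carries Cc: stable and a Fixes: tag, yet the message lists five separate changes and this first hunk (dropping the unused pid member) is pure cleanup with no bearing on the missing-records bug. Stable backports are easier to review and less likely to conflict if the audit_return_fixup() move ships on its own and the pid removal, comment fix, proctitle lifetime change and enum comparison go as separate patches.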
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 9226746dcf0a..9f8c05228d6d 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -965,7 +965,7 @@ static void audit_reset_context(struct audit_context *ctx)
if (!ctx)
return;
- /* if ctx is non-null, reset the "ctx->state" regardless */
+ /* if ctx is non-null, reset the "ctx->context" regardless */
ctx->context = AUDIT_CTX_UNUSED;
if (ctx->dummy)
return;
@@ -1002,7 +1002,7 @@ static void audit_reset_context(struct audit_context *ctx)
kfree(ctx->sockaddr);
ctx->sockaddr = NULL;
ctx->sockaddr_len = 0;
- ctx->pid = ctx->ppid = 0;
+ ctx->ppid = 0;
ctx->uid = ctx->euid = ctx->suid = ctx->fsuid = KUIDT_INIT(0);
ctx->gid = ctx->egid = ctx->sgid = ctx->fsgid = KGIDT_INIT(0);
ctx->personality = 0;
@@ -1016,7 +1016,6 @@ static void audit_reset_context(struct audit_context *ctx)
WARN_ON(!list_empty(&ctx->killed_trees));
audit_free_module(ctx);
ctx->fds[0] = -1;
- audit_proctitle_free(ctx);
ctx->type = 0; /* reset last for audit_free_*() */
}
@@ -1077,6 +1076,7 @@ static inline void audit_free_context(struct audit_context *context)
{
/* resetting is extra work, but it is likely just noise */
audit_reset_context(context);
+ audit_proctitle_free(context);
free_tree_refs(context);
kfree(context->filterkey);
kfree(context);
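Review bot: with audit_proctitle_free() moved out of audit_reset_context() and into audit_free_context(), every caller that resets a context between syscalls now keeps the proctitle string, which the message says is the intent. That holds only if audit_free_context() is the sole teardown path for a context; any other place that reset and then discarded a context would now leak the string, so the message should say that was checked.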
@@ -1940,6 +1940,7 @@ void __audit_uring_exit(int success, long code)
goto out;
}
+ audit_return_fixup(ctx, success, code);
if (ctx->context == AUDIT_CTX_SYSCALL) {
/*
* NOTE: See the note in __audit_uring_entry() about the case
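Review bot: placing audit_return_fixup() before the `ctx->context == AUDIT_CTX_SYSCALL` branch means the filters run inside that branch now see success and the return code, which is the fix. The matching removal of the old post-filter call sits in the next hunk, so the two hunks have to travel together; a backport that picks only one would either run the fixup twice or drop it entirely.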
@@ -1981,7 +1982,6 @@ void __audit_uring_exit(int success, long code)
audit_filter_inodes(current, ctx);
if (ctx->current_state != AUDIT_STATE_RECORD)
goto out;
- audit_return_fixup(ctx, success, code);
audit_log_exit();
out:
@@ -2065,13 +2065,13 @@ void __audit_syscall_exit(int success, long return_code)
if (!list_empty(&context->killed_trees))
audit_kill_trees(context);
+ audit_return_fixup(context, success, return_code);
/* run through both filters to ensure we set the filterkey properly */
audit_filter_syscall(current, context);
audit_filter_inodes(current, context);
- if (context->current_state < AUDIT_STATE_RECORD)
+ if (context->current_state != AUDIT_STATE_RECORD)
goto out;
- audit_return_fixup(context, success, return_code);
audit_log_exit();
out:
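Review bot: changing `current_state < AUDIT_STATE_RECORD` to `!= AUDIT_STATE_RECORD` only changes behaviour if current_state can ever exceed AUDIT_STATE_RECORD; the message frames it as removing a dependency on enum ordering, which is fine, but it is unrelated to the return-code fix this hunk otherwise carries for stable and would be clearer as its own patch. The audit_return_fixup() move itself is correct here: both filters now run with success/return_code populated, and the old call after the `goto out` check is gone.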
--
2.27.0