[PATCH] audit: always enable syscall auditing when supported and audit is enabled
by Paul Moore
To the best of our knowledge, everyone who enables audit at compile
time also enables syscall auditing; this patch simplifies the Kconfig
menus by removing the option to disable syscall auditing when audit
is selected and the target arch supports it.
Signed-off-by: Paul Moore <pmoore(a)redhat.com>
---
init/Kconfig | 11 +++--------
1 file changed, 3 insertions(+), 8 deletions(-)
diff --git a/init/Kconfig b/init/Kconfig
index c24b6f7..d4663b1 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -299,20 +299,15 @@ config AUDIT
help
Enable auditing infrastructure that can be used with another
kernel subsystem, such as SELinux (which requires this for
- logging of avc messages output). Does not do system-call
- auditing without CONFIG_AUDITSYSCALL.
+ logging of avc messages output). System call auditing is included
+ on architectures which support it.
config HAVE_ARCH_AUDITSYSCALL
bool
config AUDITSYSCALL
- bool "Enable system-call auditing support"
+ def_bool y
depends on AUDIT && HAVE_ARCH_AUDITSYSCALL
- default y if SECURITY_SELINUX
- help
- Enable low-overhead system-call auditing infrastructure that
- can be used independently or with another kernel subsystem,
- such as SELinux.
config AUDIT_WATCH
def_bool y
5 years, 9 months
[RFC PATCH 0/3] simplify struct audit_krule reveals bug
by Richard Guy Briggs
In the process of trying to track down a potential bug altering the
registered arch for a syscall rule, a simplification of struct
audit_krule that removes a seemingly unnecessary member has revealed a
surprising NULL pointer dereference.
The struct audit_field *arch_f member should not be necessary since it
is the first field present if it is present at all, and is only
necessary for syscall rules, so iterating over the fields to find it is
simple and only happens when adding or deleting a rule. Shrinking the
struct audit_krule seemed to be a good idea, but appears to have openned
a can of worms. The first patch triggered this OOPS:
BUG: unable to handle kernel NULL pointer dereference at 0000000000000009
IP: audit_match_signal+0x42/0x120
PGD 0 P4D 0
Oops: 0000 [#1] SMP PTI
Modules linked in: sunrpc 8139too i2c_piix4 pcspkr virtio_balloon 8139cp i2c_core mii sch_fq_codel floppy serio_raw ata_generic pata_acpi
CPU: 1 PID: 325 Comm: auditctl Not tainted 4.15.0-bz1462178-arch-changed+ #636
Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
RIP: 0010:audit_match_signal+0x42/0x120
RSP: 0018:ffffc900003dfc08 EFLAGS: 00010202
RAX: 0000000000000003 RBX: ffff880036588000 RCX: 0000000000000003
RDX: ffff88003c7f02e0 RSI: ffff88003c7f02a0 RDI: ffff880036588000
RBP: ffff88003671de00 R08: 0000000000000001 R09: 0000000000000000
R10: ffff880036a0b190 R11: 0000000000000000 R12: 0000000000000000
R13: ffff880036588178 R14: ffff880036588000 R15: ffffffff8247f880
FS: 00007fa53c6d9740(0000) GS:ffff88003e400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000009 CR3: 00000000347ba000 CR4: 00000000000006e0
Call Trace:
audit_rule_change+0xb32/0xce0
audit_receive_msg+0x163/0x1090
? netlink_deliver_tap+0x90/0x350
? kvm_sched_clock_read+0x5/0x10
? sched_clock+0x5/0x10
audit_receive+0x4d/0xa0
netlink_unicast+0x195/0x250
netlink_sendmsg+0x2fe/0x3f0
sock_sendmsg+0x32/0x60
SYSC_sendto+0xda/0x140
? syscall_trace_enter+0x2dc/0x400
? return_from_SYSCALL_64+0x10/0x75
do_syscall_64+0x83/0x360
entry_SYSCALL64_slow_path+0x25/0x25
RIP: 0033:0x7fa53bbb1607
RSP: 002b:00007fff33f48c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 0000000000000444 RCX: 00007fa53bbb1607
RDX: 0000000000000444 RSI: 00007fff33f48cb0 RDI: 0000000000000003
RBP: 0000000000000431 R08: 00007fff33f48c9c R09: 000000000000000c
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000003
R13: 00007fff33f48cb0 R14: 00007fff33f48c9c R15: 00000000000003f3
Code: 01 00 00 83 3e 0b 0f 84 ef 00 00 00 31 c0 eb 0f 48 63 d0 48 c1 e2 05 48 01 f2 83 3a 0b 74 7d 83 c0 01 39 c8 75 ea 4d 85 c0 74 79 <41> 8b 78 08 e8 25 ff ed ff 85 c0 74 31 83 f8 01 75 58 48 8b 0d
RIP: audit_match_signal+0x42/0x120 RSP: ffffc900003dfc08
CR2: 0000000000000009
The second patch surprisingly fixes the OOPS.
Adding debug output, the OOPS is consistently happenning in the 7th STIG rule
that includes an arch parameter, but the value that causes the OOPS
dereferences, copies and prints out fine:
-a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F key=time-change
ams_: i=0 f=00000000e5612893 type=11 op=0 val=40000003 key="time-change"
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change
ams_: i=0 f=00000000cf222aca type=11 op=0 val=c000003e key="time-change"
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
ams_: i=0 f=00000000ad39bfc6 type=11 op=0 val=40000003 key="time-change"
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
ams_: i=0 f=00000000c9f83209 type=11 op=0 val=c000003e key="time-change"
-a always,exit -F arch=b32 -S sethostname,setdomainname -F key=system-locale
ams_: i=0 f=000000005a19d216 type=11 op=0 val=40000003 key="system-locale"
-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=system-locale
ams_: i=0 f=000000003280e47a type=11 op=0 val=c000003e key="system-locale"
OOPS
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
ams_: i=0 f=000000008368170a type=11 op=0 val=40000003 key="perm_mod"
I'd let sleeping dogs lie, but I haven't tracked down the source of the
original rule that changes arch between addition and listing (nor reproduced it
yet since I don't have access to that HW arch), and it seems to reveal
potentially another bug.
Help! Any observations or hints?
Richard Guy Briggs (3):
audit: remove arch_f pointer from struct audit_krule
fixup! audit: remove arch_f pointer from struct audit_krule
debug! audit: remove arch_f pointer from struct audit_krule
include/linux/audit.h | 1 -
kernel/auditfilter.c | 18 +++++++++++++-----
2 files changed, 13 insertions(+), 6 deletions(-)
--
1.8.3.1
5 years, 11 months
unlimit retries for remote plugin restart
by Levin Stanislav
Hello All!
I have a question.
Let's assume we have client's audit service and audit gatherer placed on
a remote host.
Using au-remote plugin client sends logs to remote.
Let's stop (do not start then) remote's audit service and restart
client's one.
After that overcome max_restarts limit (e.g. default 10) from
/etc/audisp/audispd.conf by audit's events.
Then start remote's audit service and trigger any audit event on client.
But audisp-remote process is dead ("plugin /sbin/audisp-remote has
exceeded max_restarts").
How can i solve this issue without client's audit service
restart? Is it possible by any settings/configs?
Any help would be appreciated.
Thank you in advance.
6 years, 4 months
[RFC PATCH ghak88 V1] audit: tie ANOM_ABEND records to syscall
by Richard Guy Briggs
Since core dump events are triggered by user activity, tie the
ANOM_ABEND record to the syscall record to collect all records from the
same event.
See: https://github.com/linux-audit/audit-kernel/issues/88
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
kernel/auditsc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index fefb9e2..5f0bd5e 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2461,7 +2461,7 @@ void audit_core_dumps(long signr)
if (signr == SIGQUIT) /* don't care for those */
return;
- ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
+ ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_ANOM_ABEND);
if (unlikely(!ab))
return;
audit_log_task(ab);
--
1.8.3.1
6 years, 4 months
[RFC PATCH ghak87 V1] audit: tie SECCOMP records to syscall
by Richard Guy Briggs
Since seccomp events are triggered by user activity, tie the SECCOMP
record to the syscall record to collect all records from the same event.
See: https://github.com/linux-audit/audit-kernel/issues/87
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
kernel/auditsc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index ceb1c45..fefb9e2 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2485,7 +2485,7 @@ void audit_seccomp(unsigned long syscall, long signr, int code)
{
struct audit_buffer *ab;
- ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_SECCOMP);
+ ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_SECCOMP);
if (unlikely(!ab))
return;
audit_log_task(ab);
--
1.8.3.1
6 years, 4 months
[RFC PATCH 0/2] Extend AUDIT_EXE and AUDIT_DIR to more filter types
by Ondrej Mosnacek
This patch set extends the previous AUDIT_EXE patch by also doing a similar
thing with the AUDIT_DIR field.
I am sending it as RFC since this change requires passing audit_context to
audit_filter and I'm not sure if I should also pass it when doing the
AUDIT_FILTER_USER filtering. The call site does not have the ctx variable,
although I suppose it could be extracted from the current task somehow, but I'm
not sure if it even makes sense to use it in that place. I am not enabling
AUDIT_DIR for AUDIT_FILTER_USER in this patch, but if it makes sense I will do
that in the final patch.
Paul/Richard, please advise. See the FIXME in the second patch for the
problematic location.
Ondrej Mosnacek (2):
audit: allow other filter list types for AUDIT_EXE
[WIP] audit: allow other filter list types for AUDIT_DIR
kernel/audit.c | 5 +++--
kernel/audit.h | 32 +++++++++++++++++++++++++++++++-
kernel/audit_tree.c | 4 +++-
kernel/auditfilter.c | 13 ++++++++++---
kernel/auditsc.c | 28 ----------------------------
5 files changed, 47 insertions(+), 35 deletions(-)
--
2.17.0
6 years, 4 months
[RFC PATCH ghak86 V1] audit: use audit_enabled as a boolean where convenient
by Richard Guy Briggs
Most uses of audit_enabled don't care about the distinction between
AUDIT_ON and AUDIT_LOCKED, so using audit_enabled as a boolean makes
more sense and is easier to read. Most uses of audit_enabled treat it as
a boolean, so switch the remaining AUDIT_OFF usage to simply use
audit_enabled as a boolean where applicable.
See: https://github.com/linux-audit/audit-kernel/issues/86
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
drivers/tty/tty_audit.c | 2 +-
include/net/xfrm.h | 2 +-
kernel/audit.c | 8 ++++----
net/netfilter/xt_AUDIT.c | 2 +-
net/netlabel/netlabel_user.c | 2 +-
5 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/drivers/tty/tty_audit.c b/drivers/tty/tty_audit.c
index e30aa6b..1e48051 100644
--- a/drivers/tty/tty_audit.c
+++ b/drivers/tty/tty_audit.c
@@ -92,7 +92,7 @@ static void tty_audit_buf_push(struct tty_audit_buf *buf)
{
if (buf->valid == 0)
return;
- if (audit_enabled == 0) {
+ if (!audit_enabled) {
buf->valid = 0;
return;
}
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index 7f2e31a..380542b 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -734,7 +734,7 @@ static inline struct audit_buffer *xfrm_audit_start(const char *op)
{
struct audit_buffer *audit_buf = NULL;
- if (audit_enabled == 0)
+ if (!audit_enabled)
return NULL;
audit_buf = audit_log_start(audit_context(), GFP_ATOMIC,
AUDIT_MAC_IPSEC_EVENT);
diff --git a/kernel/audit.c b/kernel/audit.c
index e7478cb..3a18e59 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -424,7 +424,7 @@ static int audit_do_config_change(char *function_name, u32 *to_change, u32 new)
else
allow_changes = 1;
- if (audit_enabled != AUDIT_OFF) {
+ if (audit_enabled) {
rc = audit_log_config_change(function_name, new, old, allow_changes);
if (rc)
allow_changes = 0;
@@ -1097,7 +1097,7 @@ static void audit_log_feature_change(int which, u32 old_feature, u32 new_feature
{
struct audit_buffer *ab;
- if (audit_enabled == AUDIT_OFF)
+ if (!audit_enabled)
return;
ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_FEATURE_CHANGE);
if (!ab)
@@ -1270,7 +1270,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
err = auditd_set(req_pid,
NETLINK_CB(skb).portid,
sock_net(NETLINK_CB(skb).sk));
- if (audit_enabled != AUDIT_OFF)
+ if (audit_enabled)
audit_log_config_change("audit_pid",
new_pid,
auditd_pid,
@@ -1281,7 +1281,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
/* try to process any backlog */
wake_up_interruptible(&kauditd_wait);
} else {
- if (audit_enabled != AUDIT_OFF)
+ if (audit_enabled)
audit_log_config_change("audit_pid",
new_pid,
auditd_pid, 1);
diff --git a/net/netfilter/xt_AUDIT.c b/net/netfilter/xt_AUDIT.c
index f368ee6..3921553 100644
--- a/net/netfilter/xt_AUDIT.c
+++ b/net/netfilter/xt_AUDIT.c
@@ -72,7 +72,7 @@ static bool audit_ip6(struct audit_buffer *ab, struct sk_buff *skb)
struct audit_buffer *ab;
int fam = -1;
- if (audit_enabled == 0)
+ if (!audit_enabled)
goto errout;
ab = audit_log_start(NULL, GFP_ATOMIC, AUDIT_NETFILTER_PKT);
if (ab == NULL)
diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c
index 2f328af..e68fa9d 100644
--- a/net/netlabel/netlabel_user.c
+++ b/net/netlabel/netlabel_user.c
@@ -101,7 +101,7 @@ struct audit_buffer *netlbl_audit_start_common(int type,
char *secctx;
u32 secctx_len;
- if (audit_enabled == 0)
+ if (!audit_enabled)
return NULL;
audit_buf = audit_log_start(audit_context(), GFP_ATOMIC, type);
--
1.8.3.1
6 years, 5 months
[RFC PATCH ghak32 V2 00/13] audit: implement container id
by Richard Guy Briggs
Implement audit kernel container ID.
This patchset is a second RFC based on the proposal document (V3)
posted:
https://www.redhat.com/archives/linux-audit/2018-January/msg00014.html
The first patch implements the proc fs write to set the audit container
ID of a process, emitting an AUDIT_CONTAINER record to announce the
registration of that container ID on that process. This patch requires
userspace support for record acceptance and proper type display.
The second checks for children or co-threads and refuses to set the
container ID if either are present. (This policy could be changed to
set both with the same container ID provided they meet the rest of the
requirements.)
The third implements the auxiliary record AUDIT_CONTAINER_INFO if a
container ID is identifiable with an event. This patch requires
userspace support for proper type display.
The fourth adds container ID filtering to the exit, exclude and user
lists. This patch requires auditctil userspace support for the
--containerid option.
The 5th adds signal and ptrace support.
The 6th creates a local audit context to be able to bind a standalone
record with a locally created auxiliary record.
The 7th, 8th, 9th, 10th patches add container ID records to standalone
records. Some of these may end up being syscall auxiliary records and
won't need this specific support since they'll be supported via
syscalls.
The 11th adds network namespace container ID labelling based on member
tasks' container ID labels.
The 12th adds container ID support to standalone netfilter records that
don't have a task context and lists each container to which that net
namespace belongs.
The 13th implements reading the container ID from the proc filesystem
for debugging. This patch isn't planned for upstream inclusion.
Feedback please!
Example: Set a container ID of 123456 to the "sleep" task:
sleep 2&
child=$!
echo 123456 > /proc/$child/containerid; echo $?
ausearch -ts recent -m container
echo child:$child contid:$( cat /proc/$child/containerid)
This should produce a record such as:
type=CONTAINER msg=audit(1521122590.315:222): op=set pid=689 uid=0 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 auid=0 tty=pts0 ses=3 opid=707 old-contid=18446744073709551615 contid=123456 res=1
Example: Set a filter on a container ID 123459 on /tmp/tmpcontainerid:
containerid=123459
key=tmpcontainerid
auditctl -a exit,always -F dir=/tmp -F perm=wa -F containerid=$containerid -F key=$key
perl -e "sleep 1; open(my \$tmpfile, '>', \"/tmp/$key\"); close(\$tmpfile);" &
child=$!
echo $containerid > /proc/$child/containerid
sleep 2
ausearch -i -ts recent -k $key
auditctl -d exit,always -F dir=/tmp -F perm=wa -F containerid=$containerid -F key=$key
rm -f /tmp/$key
This should produce an event such as:
type=CONTAINER_INFO msg=audit(1521122591.614:227): op=task contid=123459
type=PROCTITLE msg=audit(1521122591.614:227): proctitle=7065726C002D6500736C65657020313B206F70656E286D792024746D7066696C652C20273E272C20222F746D702F746D70636F6E7461696E6572696422293B20636C6F73652824746D7066696C65293B
type=PATH msg=audit(1521122591.614:227): item=1 name="/tmp/tmpcontainerid" inode=18427 dev=00:26 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1521122591.614:227): item=0 name="/tmp/" inode=13513 dev=00:26 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1521122591.614:227): cwd="/root"
type=SYSCALL msg=audit(1521122591.614:227): arch=c000003e syscall=257 success=yes exit=3 a0=ffffffffffffff9c a1=55db90a28900 a2=241 a3=1b6 items=2 ppid=689 pid=724 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="perl" exe="/usr/bin/perl" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="tmpcontainerid"
See:
https://github.com/linux-audit/audit-kernel/issues/32
https://github.com/linux-audit/audit-userspace/issues/40
https://github.com/linux-audit/audit-testsuite/issues/64
Richard Guy Briggs (13):
audit: add container id
audit: check children and threading before allowing containerid
audit: log container info of syscalls
audit: add containerid filtering
audit: add containerid support for ptrace and signals
audit: add support for non-syscall auxiliary records
audit: add container aux record to watch/tree/mark
audit: add containerid support for tty_audit
audit: add containerid support for config/feature/user records
audit: add containerid support for seccomp and anom_abend records
audit: add support for containerid to network namespaces
audit: NETFILTER_PKT: record each container ID associated with a netNS
debug audit: read container ID of a process
drivers/tty/tty_audit.c | 5 +-
fs/proc/base.c | 53 ++++++++++++++++
include/linux/audit.h | 43 +++++++++++++
include/linux/init_task.h | 4 +-
include/linux/sched.h | 1 +
include/net/net_namespace.h | 12 ++++
include/uapi/linux/audit.h | 8 ++-
kernel/audit.c | 75 ++++++++++++++++++++---
kernel/audit.h | 3 +
kernel/audit_fsnotify.c | 5 +-
kernel/audit_tree.c | 5 +-
kernel/audit_watch.c | 33 +++++-----
kernel/auditfilter.c | 52 +++++++++++++++-
kernel/auditsc.c | 145 ++++++++++++++++++++++++++++++++++++++++++--
kernel/nsproxy.c | 6 ++
net/core/net_namespace.c | 45 ++++++++++++++
net/netfilter/xt_AUDIT.c | 15 ++++-
17 files changed, 473 insertions(+), 37 deletions(-)
--
1.8.3.1
6 years, 5 months
[PATCH ghak82 v2] audit: Fix extended comparison of GID/EGID
by Ondrej Mosnacek
The audit_filter_rules() function in auditsc.c used the in_[e]group_p()
functions to check GID/EGID match, but these functions use the current
task's credentials, while the comparison should use the credentials of
the task given to audit_filter_rules() as a parameter (tsk).
Note that we can use group_search(cred->group_info, ...) as a
replacement for both in_group_p and in_egroup_p as these functions only
compare the parameter to cred->fsgid/egid and then call group_search.
In fact, the usage of in_group_p was even more incorrect: it compares to
cred->fsgid (which is usually equal to cred->egid) and not cred->gid.
GitHub issue:
https://github.com/linux-audit/audit-kernel/issues/82
Fixes: 37eebe39c973 ("audit: improve GID/EGID comparation logic")
Signed-off-by: Ondrej Mosnacek <omosnace(a)redhat.com>
---
kernel/auditsc.c | 26 ++++++++++++--------------
1 file changed, 12 insertions(+), 14 deletions(-)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index ceb1c4596c51..3a324ca2fd20 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -492,23 +492,21 @@ static int audit_filter_rules(struct task_struct *tsk,
break;
case AUDIT_GID:
result = audit_gid_comparator(cred->gid, f->op, f->gid);
- if (f->op == Audit_equal) {
- if (!result)
- result = in_group_p(f->gid);
- } else if (f->op == Audit_not_equal) {
- if (result)
- result = !in_group_p(f->gid);
- }
+ if (f->op == Audit_equal)
+ result = result ||
+ groups_search(cred->group_info, f->gid);
+ else if (f->op == Audit_not_equal)
+ result = result &&
+ !groups_search(cred->group_info, f->gid);
break;
case AUDIT_EGID:
result = audit_gid_comparator(cred->egid, f->op, f->gid);
- if (f->op == Audit_equal) {
- if (!result)
- result = in_egroup_p(f->gid);
- } else if (f->op == Audit_not_equal) {
- if (result)
- result = !in_egroup_p(f->gid);
- }
+ if (f->op == Audit_equal)
+ result = result ||
+ groups_search(cred->group_info, f->gid);
+ else if (f->op == Audit_not_equal)
+ result = result &&
+ !groups_search(cred->group_info, f->gid);
break;
case AUDIT_SGID:
result = audit_gid_comparator(cred->sgid, f->op, f->gid);
--
2.17.0
6 years, 5 months