[ANNOUNCE][CFP] Linux Security Summit 2021
by James Morris
==============================================================================
ANNOUNCEMENT AND CALL FOR PARTICIPATION
LINUX SECURITY SUMMIT 2021
27-29 September
Dublin, Ireland
==============================================================================
DESCRIPTION
Linux Security Summit (LSS) is a technical forum for collaboration between
Linux developers, researchers, and end-users. Its primary aim is to foster
community efforts in analyzing and solving Linux security challenges.
The program committee currently seeks proposals for:
* Refereed Presentations:
45 minutes in length.
* Panel Discussion Topics:
45 minutes in length.
* Short Topics:
30 minutes in total, including at least 10 minutes discussion.
* Tutorials
90 minutes in length.
Tutorial sessions should be focused on advanced Linux security defense
topics within areas such as the kernel, compiler, and security-related
libraries. Priority will be given to tutorials created for this conference,
and those where the presenter is a leading subject matter expert on the topic.
Topic areas include, but are not limited to:
* Kernel self-protection
* Access control
* Cryptography and key management
* Integrity policy and enforcement
* Hardware Security
* IoT and embedded security
* Virtualization and containers
* System-specific system hardening
* Case studies
* Security tools
* Security UX
* Emerging technologies, threats & techniques
Proposals should be submitted via:
https://events.linuxfoundation.org/linux-security-summit-europe/program/cfp/
** Note that for 2021, the North American and European events are combined into
a single event planned for Dublin, Ireland. **
DATES
* CFP close: June 27
* CFP notifications: July 20
* Schedule announced: July 22
* Event: September 27-29
WHO SHOULD ATTEND
We're seeking a diverse range of attendees and welcome participation by
people involved in Linux security development, operations, and research.
LSS is a unique global event that provides the opportunity to present and
discuss your work or research with key Linux security community members and
maintainers. It's also useful for those who wish to keep up with the latest
in Linux security development and to provide input to the development
process.
WEB SITE
https://events.linuxfoundation.org/linux-security-summit-europe/
TWITTER
For event updates and announcements, follow:
https://twitter.com/LinuxSecSummit
#linuxsecuritysummit
PROGRAM COMMITTEE
The program committee for LSS 2021 is:
* James Morris, Microsoft
* Serge Hallyn, Cisco
* Paul Moore, Cisco
* Stephen Smalley, NSA
* Elena Reshetova, Intel
* John Johansen, Canonical
* Kees Cook, Google
* Casey Schaufler, Intel
* Mimi Zohar, IBM
* David A. Wheeler, Institute for Defense Analyses
The program committee may be contacted as a group via email:
lss-pc () lists.linuxfoundation.org
3 years, 1 month
[PATCH v2 1/3] arm64: ptrace: Add is_syscall_success to handle compat
by He Zhe
The general version of is_syscall_success does not handle the 32-bit
compatible case, which would cause a 32-bit negative return code to be
recognized as a positive number later and seen as a "success".
Since syscall_get_return_value is defined in syscall.h, implementing
is_syscall_success in ptrace.h would introduce build failure due to
recursive inclusion of some basic headers like mutex.h. Let's put the
implementation to ptrace.c
Signed-off-by: He Zhe <zhe.he(a)windriver.com>
---
v1 to v2: Call syscall_get_return_value to reduce code duplication
arch/arm64/include/asm/ptrace.h | 3 +++
arch/arm64/kernel/ptrace.c | 5 +++++
2 files changed, 8 insertions(+)
diff --git a/arch/arm64/include/asm/ptrace.h b/arch/arm64/include/asm/ptrace.h
index e58bca832dff..3c415e9e5d85 100644
--- a/arch/arm64/include/asm/ptrace.h
+++ b/arch/arm64/include/asm/ptrace.h
@@ -328,6 +328,9 @@ static inline void regs_set_return_value(struct pt_regs *regs, unsigned long rc)
regs->regs[0] = rc;
}
+extern inline int is_syscall_success(struct pt_regs *regs);
+#define is_syscall_success(regs) is_syscall_success(regs)
+
/**
* regs_get_kernel_argument() - get Nth function argument in kernel
* @regs: pt_regs of that context
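Review bot: `extern inline int is_syscall_success(struct pt_regs *regs);` declares the function `extern inline` in the header with no body, while the only definition sits in ptrace.c, so no file that includes this header can actually inline it. A plain prototype, `int is_syscall_success(struct pt_regs *regs);`, states the same interface without depending on how the compiler treats a body-less `extern inline`.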
diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
index 170f42fd6101..2c84255e1e41 100644
--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -1909,3 +1909,8 @@ int valid_user_regs(struct user_pt_regs *regs, struct task_struct *task)
else
return valid_native_regs(regs);
}
+
+inline int is_syscall_success(struct pt_regs *regs)
+{
+ return !IS_ERR_VALUE(syscall_get_return_value(current, regs));
+}
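Review bot: in `return !IS_ERR_VALUE(syscall_get_return_value(current, regs));` the compat handling that the subject line promises is not visible anywhere in the function; it rests entirely on syscall_get_return_value() doing the sign extension for compat tasks. A one-line comment saying so would keep a later reader from "simplifying" this back to a direct register read, and the `inline` keyword on this out-of-line definition can be dropped since callers in other files only see the prototype.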
--
2.17.1
3 years, 5 months
[PATCH v3 0/3] audit: add support for openat2
by Richard Guy Briggs
The openat2(2) syscall was added in v5.6. Add support for openat2 to the
audit syscall classifier and for recording openat2 parameters that cannot
be captured in the syscall parameters of the SYSCALL record.
Supporting userspace code can be found in
https://github.com/rgbriggs/audit-userspace/tree/ghau-openat2
Supporting test case can be found in
https://github.com/linux-audit/audit-testsuite/pull/103
Changelog:
v3:
- re-add commit descriptions that somehow got dropped
- add new file to MAINTAINERS
v2:
- add include/linux/auditscm.h for audit syscall class macros due to syscall redefinition warnings:
arch/x86/ia32/audit.c:3:
./include/linux/audit.h:12,
./include/linux/sched.h:22,
./include/linux/seccomp.h:21,
./arch/x86/include/asm/seccomp.h:5,
./arch/x86/include/asm/unistd.h:20,
./arch/x86/include/generated/uapi/asm/unistd_64.h:4: warning: "__NR_read" redefined #define __NR_read 0
...
./arch/x86/include/generated/uapi/asm/unistd_64.h:338: warning: "__NR_rseq" redefined #define __NR_rseq 334
previous:
arch/x86/ia32/audit.c:2:
./arch/x86/include/generated/uapi/asm/unistd_32.h:7: note: this is the location of the previous definition #define __NR_read 3
...
./arch/x86/include/generated/uapi/asm/unistd_32.h:386: note: this is the location of the previous definition #define __NR_rseq 386
Richard Guy Briggs (3):
audit: replace magic audit syscall class numbers with macros
audit: add support for the openat2 syscall
audit: add OPENAT2 record to list how
MAINTAINERS | 1 +
arch/alpha/kernel/audit.c | 10 ++++++----
arch/ia64/kernel/audit.c | 10 ++++++----
arch/parisc/kernel/audit.c | 10 ++++++----
arch/parisc/kernel/compat_audit.c | 11 +++++++----
arch/powerpc/kernel/audit.c | 12 +++++++-----
arch/powerpc/kernel/compat_audit.c | 13 ++++++++-----
arch/s390/kernel/audit.c | 12 +++++++-----
arch/s390/kernel/compat_audit.c | 13 ++++++++-----
arch/sparc/kernel/audit.c | 12 +++++++-----
arch/sparc/kernel/compat_audit.c | 13 ++++++++-----
arch/x86/ia32/audit.c | 13 ++++++++-----
arch/x86/kernel/audit_64.c | 10 ++++++----
fs/open.c | 2 ++
include/linux/audit.h | 11 +++++++++++
include/linux/auditscm.h | 24 +++++++++++++++++++++++
include/uapi/linux/audit.h | 1 +
kernel/audit.h | 2 ++
kernel/auditsc.c | 31 ++++++++++++++++++++++++------
lib/audit.c | 14 +++++++++-----
lib/compat_audit.c | 15 ++++++++++-----
21 files changed, 169 insertions(+), 71 deletions(-)
create mode 100644 include/linux/auditscm.h
--
2.27.0
3 years, 5 months
[PATCH v2 0/3] audit: add support for openat2
by Richard Guy Briggs
The openat2(2) syscall was added in v5.6. Add support for openat2 to the
audit syscall classifier and for recording openat2 parameters that cannot
be captured in the syscall parameters of the SYSCALL record.
Supporting userspace code can be found in
https://github.com/rgbriggs/audit-userspace/tree/ghau-openat2
Supporting test case can be found in
https://github.com/linux-audit/audit-testsuite/pull/103
Richard Guy Briggs (3):
audit: replace magic audit syscall class numbers with macros
audit: add support for the openat2 syscall
audit: add OPENAT2 record to list how
arch/alpha/kernel/audit.c | 10 ++++++----
arch/ia64/kernel/audit.c | 10 ++++++----
arch/parisc/kernel/audit.c | 10 ++++++----
arch/parisc/kernel/compat_audit.c | 11 +++++++----
arch/powerpc/kernel/audit.c | 12 +++++++-----
arch/powerpc/kernel/compat_audit.c | 13 ++++++++-----
arch/s390/kernel/audit.c | 12 +++++++-----
arch/s390/kernel/compat_audit.c | 13 ++++++++-----
arch/sparc/kernel/audit.c | 12 +++++++-----
arch/sparc/kernel/compat_audit.c | 13 ++++++++-----
arch/x86/ia32/audit.c | 13 ++++++++-----
arch/x86/kernel/audit_64.c | 10 ++++++----
fs/open.c | 2 ++
include/linux/audit.h | 11 +++++++++++
include/linux/auditscm.h | 24 +++++++++++++++++++++++
include/uapi/linux/audit.h | 1 +
kernel/audit.h | 2 ++
kernel/auditsc.c | 31 ++++++++++++++++++++++++------
lib/audit.c | 14 +++++++++-----
lib/compat_audit.c | 15 ++++++++++-----
20 files changed, 168 insertions(+), 71 deletions(-)
create mode 100644 include/linux/auditscm.h
--
2.27.0
3 years, 6 months
Problems with linux audit system in nested VM
by punnal baloch
Hi,
I am trying to run the Linux audit system in a nested Virtual machine on
the google cloud engine. The problem I am facing is that the Linux Audit
System suspends after showing the following error after a few minutes when
I view the auditd status.
جنوری 29 16:53:42 fuzzer-VirtualBox auditd[294]: Audit daemon has no space
left on logging partition
جنوری 29 16:53:42 fuzzer-VirtualBox auditd[294]: Audit daemon is suspending
logging due to no space left on logging partition.
I checked using the df -h command and found out that there was around 6GB
of free space on the logging partition so I did not understand why this
error is occuring. Can you provide me a solution? Could this be because of
nested virtualization?
Please find attached my audit.rules and auditd.conf files.
Regards,
Punnal
3 years, 6 months
[GIT PULL] Audit patches for v5.13
by Paul Moore
Hi Linus
Another small pull request for audit, most of the patches are
documentation updates with only two real code changes: one to fix a
compiler warning for a dummy function/macro, and one to clean up some
code since we removed the AUDIT_FILTER_ENTRY ages ago (v4.17).
All the patches have been tested using audit-testsuite and as of about
thirty minutes ago the tag applied cleanly to your tree, please merge
for v5.13.
Thanks,
-Paul
--
The following changes since commit a38fd8748464831584a19438cbb3082b5a2dab15:
Linux 5.12-rc2 (2021-03-05 17:33:41 -0800)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git
tags/audit-pr-20210426
for you to fetch changes up to b75d8f38bcc9599af42635530c00268c71911f11:
audit: drop /proc/PID/loginuid documentation Format field
(2021-04-01 18:32:24-0400)
----------------------------------------------------------------
audit/stable-5.13 PR 20210426
----------------------------------------------------------------
Arnd Bergmann (1):
audit: avoid -Wempty-body warning
Richard Guy Briggs (5):
audit: further cleanup of AUDIT_FILTER_ENTRY deprecation
MAINTAINERS: update audit files
audit: document /proc/PID/loginuid
audit: document /proc/PID/sessionid
audit: drop /proc/PID/loginuid documentation Format field
Documentation/ABI/stable/procfs-audit_loginuid | 27 ++++++++++++++++++++++++
MAINTAINERS | 2 ++
kernel/audit.h | 12 ++++++------
kernel/auditsc.c | 11 ++++-------
4 files changed, 39 insertions(+), 13 deletions(-)
create mode 100644 Documentation/ABI/stable/procfs-audit_loginuid
--
paul moore
www.paul-moore.com
3 years, 6 months
[PATCH 0/2] audit: add support for openat2
by Richard Guy Briggs
The openat2(2) syscall was added in v5.6. Add support for openat2 to the
audit syscall classifier and for recording openat2 parameters that cannot
be captured in the syscall parameters of the SYSCALL record.
Supporting userspace code can be found in
https://github.com/rgbriggs/audit-userspace/tree/ghau-openat2
Supporting test case can be found in
https://github.com/linux-audit/audit-testsuite/pull/103
Richard Guy Briggs (2):
audit: add support for the openat2 syscall
audit: add OPENAT2 record to list how
arch/alpha/kernel/audit.c | 2 ++
arch/ia64/kernel/audit.c | 2 ++
arch/parisc/kernel/audit.c | 2 ++
arch/parisc/kernel/compat_audit.c | 2 ++
arch/powerpc/kernel/audit.c | 2 ++
arch/powerpc/kernel/compat_audit.c | 2 ++
arch/s390/kernel/audit.c | 2 ++
arch/s390/kernel/compat_audit.c | 2 ++
arch/sparc/kernel/audit.c | 2 ++
arch/sparc/kernel/compat_audit.c | 2 ++
arch/x86/ia32/audit.c | 2 ++
arch/x86/kernel/audit_64.c | 2 ++
fs/open.c | 2 ++
include/linux/audit.h | 10 ++++++++++
include/uapi/linux/audit.h | 1 +
kernel/audit.h | 2 ++
kernel/auditsc.c | 19 +++++++++++++++++++
lib/audit.c | 4 ++++
lib/compat_audit.c | 4 ++++
19 files changed, 66 insertions(+)
--
2.27.0
3 years, 6 months
[PATCH 1/3] arm64: ptrace: Add is_syscall_success to handle compat
by He Zhe
The general version of is_syscall_success does not handle the 32-bit
compatible case, which would cause a 32-bit negative return code to be
recognized as a positive number later and seen as a "success".
Since is_compat_thread is defined in compat.h, implementing
is_syscall_success in ptrace.h would introduce build failure due to
recursive inclusion of some basic headers like mutex.h. We put the
implementation to ptrace.c
Signed-off-by: He Zhe <zhe.he(a)windriver.com>
---
arch/arm64/include/asm/ptrace.h | 3 +++
arch/arm64/kernel/ptrace.c | 10 ++++++++++
2 files changed, 13 insertions(+)
diff --git a/arch/arm64/include/asm/ptrace.h b/arch/arm64/include/asm/ptrace.h
index e58bca832dff..3c415e9e5d85 100644
--- a/arch/arm64/include/asm/ptrace.h
+++ b/arch/arm64/include/asm/ptrace.h
@@ -328,6 +328,9 @@ static inline void regs_set_return_value(struct pt_regs *regs, unsigned long rc)
regs->regs[0] = rc;
}
+extern inline int is_syscall_success(struct pt_regs *regs);
+#define is_syscall_success(regs) is_syscall_success(regs)
+
/**
* regs_get_kernel_argument() - get Nth function argument in kernel
* @regs: pt_regs of that context
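Review bot: `#define is_syscall_success(regs) is_syscall_success(regs)` defines a macro that expands to its own name, which reads as a no-op unless the reader already knows it is there so that the general version mentioned in the commit message is not used. A short comment above the define stating that purpose would save the next reader a search through the generic ptrace header.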
diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
index 170f42fd6101..3266201f8c60 100644
--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -1909,3 +1909,13 @@ int valid_user_regs(struct user_pt_regs *regs, struct task_struct *task)
else
return valid_native_regs(regs);
}
+
+inline int is_syscall_success(struct pt_regs *regs)
+{
+ unsigned long val = regs->regs[0];
+
+ if (is_compat_thread(task_thread_info(current)))
+ val = sign_extend64(val, 31);
+
+ return !IS_ERR_VALUE(val);
+}
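Review bot: `is_compat_thread(task_thread_info(current))` decides whether to sign-extend from the running task, while the value being tested comes from the `regs` argument, so the result is only correct when `regs` belongs to `current`. Either state that requirement in a comment above the function or make the compat decision from `regs` itself, so that a caller passing another task's registers does not silently get the wrong answer.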
--
2.17.1
3 years, 6 months
Re: [PATCH 085/190] Revert "audit: fix a memory leak bug"
by Richard Guy Briggs
On 2021-04-21 13:14, Paul Moore wrote:
> On Wed, Apr 21, 2021 at 1:03 PM Richard Guy Briggs <rgb(a)redhat.com> wrote:
> > On 2021-04-21 12:18, Paul Moore wrote:
> > > On Wed, Apr 21, 2021 at 9:04 AM Greg Kroah-Hartman
> > > <gregkh(a)linuxfoundation.org> wrote:
> > > >
> > > > This reverts commit 70c4cf17e445264453bc5323db3e50aa0ac9e81f.
> > > >
> > > > Commits from @umn.edu addresses have been found to be submitted in "bad
> > > > faith" to try to test the kernel community's ability to review "known
> > > > malicious" changes. The result of these submissions can be found in a
> > > > paper published at the 42nd IEEE Symposium on Security and Privacy
> > > > entitled, "Open Source Insecurity: Stealthily Introducing
> > > > Vulnerabilities via Hypocrite Commits" written by Qiushi Wu (University
> > > > of Minnesota) and Kangjie Lu (University of Minnesota).
> > > >
> > > > Because of this, all submissions from this group must be reverted from
> > > > the kernel tree and will need to be re-reviewed again to determine if
> > > > they actually are a valid fix. Until that work is complete, remove this
> > > > change to ensure that no problems are being introduced into the
> > > > codebase.
> > > >
> > > > Cc: Wenwen Wang <wang6495(a)umn.edu>
> > > > Cc: Richard Guy Briggs <rgb(a)redhat.com>
> > > > Cc: Paul Moore <paul(a)paul-moore.com>
> > > > Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
> > > > ---
> > > > kernel/auditfilter.c | 12 +++++-------
> > > > 1 file changed, 5 insertions(+), 7 deletions(-)
> > >
> > > NACK on this revert. I've looked at the original patch again this
> > > morning, and the original patch still looks correct and doesn't appear
> > > to introduce any new faults to the best of my understanding.
> >
> > Agreed. Though on review, a much simpler fix to my original patch that
> > caused this problem requiring this fix
> > e85322d21cfebeac64f58a204e9adc0bc5c1e46f rgb 2014-10-02 ("audit: cull redundancy in audit_rule_change")
> > would have been the two-liner in the error path similar to the pattern
> > in audit_data_to_entry() error path:
> >
> > if (entry->rule.tree)
> > audit_put_tree(entry->rule.tree); /* that's the temporary one */
>
> Given the situation this morning I think it is best to limit
> discussion on this thread to just the safety of the patches in
> question and the necessity of the reverts Greg is proposing here. If
> you have suggestions about how to clean-up or otherwise improve the
> code relating to these patches I think it is better to have that
> discussion in the appropriate subsystem list/forum/etc (as one would
> do normally).
My original patch wasn't exploitable anyways since both cases that call
audit_rule_change() from audit_receive_msg() were covered, there was no
fallthrough, and for extra precaution there was a BUG_ON() added.
I'd say it was harmless, essentially a revert of my redundancy cull
patch. This seems to be the consensus about many of the patches in this
set.
Wenwen's address bounces, almost certainly because they moved to
cs.uga.edu in between April and July 2019.
> paul moore
- RGB
--
Richard Guy Briggs <rgb(a)redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
3 years, 6 months
[PATCH 1/2] audit: Add syscall return code handling for compat task
by He Zhe
When a 32-bit userspace application is running on a 64-bit kernel, the 32-bit
syscall return code would be changed from u32 to u64 in regs_return_value
and then changed to s64. Hence the negative return code recorded by audit
would end up being a big positive number like below.
type=SYSCALL msg=audit(1611110715.887:582): arch=40000028 syscall=322
success=yes exit=4294967283
This patch forces the u32->s32->s64 for compat tasks.
Signed-off-by: He Zhe <zhe.he(a)windriver.com>
---
include/linux/audit.h | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 82b7c1116a85..32cb853f3029 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -334,7 +334,9 @@ static inline void audit_syscall_exit(void *pt_regs)
{
if (unlikely(audit_context())) {
int success = is_syscall_success(pt_regs);
- long return_code = regs_return_value(pt_regs);
+ long return_code = is_compat_task() ?
+ (s64)(s32)regs_return_value(pt_regs) :
+ regs_return_value(pt_regs);
__audit_syscall_exit(success, return_code);
}
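Review bot: the new `(s64)(s32)regs_return_value(pt_regs)` corrects only `return_code`; the `success` value on the line above is still taken from `is_syscall_success(pt_regs)`, which this hunk does not touch, so a compat task can still be logged with `success=yes` next to a now-negative `exit=`. Either derive `success` from the sign-extended value here or say in the commit message which companion change fixes is_syscall_success() for compat tasks, so the two fields of the SYSCALL record cannot disagree.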
--
2.17.1
3 years, 6 months
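The sign-extension problem that He Zhe's patch descriptions above explain (a compat task's negative return code read as a large positive "success"), as an added example that is not code from the patches or the kernel tree: a userspace C model of the two conversions plus a fix-up for audit records already written by an unpatched kernel. The function names are hypothetical; `is_err_value()` mirrors the kernel's IS_ERR_VALUE() bound of 4095, and the `arch=` test assumes the __AUDIT_ARCH_64BIT flag (0x80000000) marks 64-bit ABIs.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ERRNO 4095               /* bound used by the kernel's IS_ERR_VALUE() */
#define AUDIT_ARCH_64BIT 0x80000000u /* __AUDIT_ARCH_64BIT flag in the arch= field */

/* Userspace model of IS_ERR_VALUE(): true for the top 4095 values of 64 bits. */
int is_err_value(uint64_t v) { return v >= (uint64_t)-MAX_ERRNO; }

/* Unpatched path from the commit message: the 32-bit result is zero-extended. */
int64_t ret_zero_extended(uint32_t w0) { return (int64_t)(uint64_t)w0; }

/* Patched path: u32 -> s32 -> s64, so a negative errno stays negative. */
int64_t ret_sign_extended(uint32_t w0) { return (int64_t)(int32_t)w0; }

/* Read "key<number>" from an audit record (base 16 for arch=, 10 for exit=). */
static int field_u64(const char *rec, const char *key, int base, uint64_t *out)
{
    const char *p = strstr(rec, key);
    char *end;
    if (!p)
        return -1;
    p += strlen(key);
    *out = strtoull(p, &end, base);
    return end == p ? -1 : 0;
}

/* Log-side fix-up for records from an unpatched kernel: on a 32-bit arch, an
 * exit value in the last 4095 values below 2^32 is really a negative errno.
 * Returns 0 and stores the corrected exit code, or -1 if a field is missing. */
int normalize_exit(const char *rec, int64_t *exit_code)
{
    uint64_t arch, raw;
    if (field_u64(rec, "arch=", 16, &arch) || field_u64(rec, " exit=", 10, &raw))
        return -1;
    *exit_code = (int64_t)raw;
    if (!(arch & AUDIT_ARCH_64BIT) && raw <= UINT32_MAX &&
        is_err_value((uint64_t)ret_sign_extended((uint32_t)raw)))
        *exit_code = ret_sign_extended((uint32_t)raw);
    return 0;
}

int main(void)
{
    /* The SYSCALL record quoted in the commit message, joined onto one line. */
    const char *rec = "type=SYSCALL msg=audit(1611110715.887:582): arch=40000028 "
                      "syscall=322 success=yes exit=4294967283";
    int64_t code;
    if (normalize_exit(rec, &code) == 0)
        printf("corrected exit=%lld is_error=%d\n", (long long)code, is_err_value((uint64_t)code));
    return 0;
}
```

When post-processing logs from affected kernels, treat `success=yes` on such a record as unreliable too, since it was computed from the same un-extended value.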