- 24 Jul, 2008 1 commit
-
-
Adrian Bunk authored
Trying to compile the v850 port brings many compile errors, one of them exists since at least kernel 2.6.19. There also seems to be no one willing to bring this port back into a usable state. This patch therefore removes the v850 port. If anyone ever decides to revive the v850 port the code will still be available from older kernels, and it wouldn't be impossible for the port to reenter the kernel if it would become actively maintained again.
Signed-off-by: Adrian Bunk <bunk@kernel.org>
Acked-by: Greg Ungerer <gerg@uclinux.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-
- 24 Jun, 2008 1 commit
-
-
Peng Haitao authored
The second argument "type" is not used in audit_filter_user(), so I think that type can be removed. If I'm wrong, please tell me.
Signed-off-by: Peng Haitao <penght@cn.fujitsu.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-
- 28 Apr, 2008 4 commits
-
-
Al Viro authored
Argument is S_IF... | <index>, where index is normally 0 or 1. Triggers if chosen element of ctx->names[] is present and the mode of object in question matches the upper bits of argument. I.e. for things like "is the argument of that chmod a directory", etc.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-
Eric Paris authored
Key lengths were arbitrarily limited to 32 characters. If userspace is going to start using the single kernel key field as multiple virtual key fields (example key=key1,key2,key3,key4) we should give them enough room to work.
Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-
Eric Paris authored
This patch standardized the string auditing interfaces. No userspace changes will be visible and this is all just cleanup and consistency work. We have the following string audit interfaces to use:
void audit_log_n_hex(struct audit_buffer *ab, const unsigned char *buf, size_t len);
void audit_log_n_string(struct audit_buffer *ab, const char *buf, size_t n);
void audit_log_string(struct audit_buffer *ab, const char *buf);
void audit_log_n_untrustedstring(struct audit_buffer *ab, const char *string, size_t n);
void audit_log_untrustedstring(struct audit_buffer *ab, const char *string);
This may be the first step to possibly fixing some of the issues that people have with the string output from the kernel audit system. But we still don't have an agreed upon solution to that problem.
Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-
Eric Paris authored
Previously I added sessionid output to all audit messages where it was available but we still didn't know the sessionid of the sender of netlink messages. This patch adds that information to netlink messages so we can audit who sent netlink messages.
Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-
- 18 Apr, 2008 2 commits
-
-
Ahmed S. Darwish authored
Rename the se_str and se_rule audit fields elements to lsm_str and lsm_rule to avoid confusion.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Ahmed S. Darwish <darwish.07@gmail.com>
Acked-by: James Morris <jmorris@namei.org>
-
Ahmed S. Darwish authored
Setup the new Audit LSM hooks for SELinux. Remove the now redundant exported SELinux Audit interface.
Audit: Export 'audit_krule' and 'audit_field' to the public since their internals are needed by the implementation of the new LSM hook 'audit_rule_known'.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Ahmed S. Darwish <darwish.07@gmail.com>
Acked-by: James Morris <jmorris@namei.org>
-
- 15 Feb, 2008 1 commit
-
-
Jan Blunck authored
audit_log_d_path() is a d_path() wrapper that is used by the audit code. To use a struct path in audit_log_d_path() I need to embed it into struct avc_audit_data.
[akpm@linux-foundation.org: coding-style fixes]
Signed-off-by: Jan Blunck <jblunck@suse.de>
Acked-by: Christoph Hellwig <hch@infradead.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: "J. Bruce Fields" <bfields@fieldses.org>
Cc: Neil Brown <neilb@suse.de>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Cc: James Morris <jmorris@namei.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-
- 01 Feb, 2008 5 commits
-
-
Eric Paris authored
execve arguments can be quite large. There is no limit on the number of arguments and a 4G limit on the size of an argument. This patch prints those arguments in bite sized pieces. A userspace size limitation of 8k was discovered so this keeps messages around 7.5k. Single arguments larger than 7.5k in length are split into multiple records and can be identified as aX[Y]=
Signed-off-by: Eric Paris <eparis@redhat.com>
-
Eric Paris authored
This patch adds an end of event record type. It will be sent by the kernel as the last record when a multi-record event is triggered. This will aid realtime analysis programs since they will now reliably know they have the last record to complete an event. The audit daemon filters this and will not write it to disk.
Signed-off-by: Steve Grubb <sgrubb redhat com>
Signed-off-by: Eric Paris <eparis@redhat.com>
-
Eric Paris authored
In order to correlate audit records to an individual login add a session id. This is incremented every time a user logs in and is included in almost all messages which currently output the auid. The field is labeled ses= or oses=
Signed-off-by: Eric Paris <eparis@redhat.com>
-
Al Viro authored
Keeping loginuid in audit_context is racy and results in messier code. Taken to task_struct, out of the way of ->audit_context changes.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-
Al Viro authored
all callers pass something->audit_context
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-
- 29 Jan, 2008 1 commit
-
-
Paul Moore authored
This patch adds auditing support to the NetLabel static labeling mechanism.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
-
- 21 Oct, 2007 2 commits
-
-
Al Viro authored
New kind of audit rule predicates: "object is visible in given subtree". The part that can be sanely implemented, that is. Limitations:
* if you have hardlink from outside of tree, you'd better watch it too (or just watch the object itself, obviously)
* if you mount something under a watched tree, tell audit that new chunk should be added to watched subtrees
* if you umount something in a watched tree and it's still mounted elsewhere, you will get matches on events happening there. New command tells audit to recalculate the trees, trimming such sources of false positives.
Note that it's _not_ about path - if something mounted in several places (multiple mount, bindings, different namespaces, etc.), the match does _not_ depend on which one we are using for access.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-
Al Viro authored
makes caller simpler *and* allows to scan ancestors
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-
- 10 Oct, 2007 1 commit
-
-
Joy Latten authored
This patch modifies the current ipsec audit layer by breaking it up into purpose driven audit calls. So far, the only audit calls made are when add/delete an SA/policy. It had been discussed to give each key manager its own calls to do this, but I found there to be much redundancy since they did the exact same things, except for how they got auid and sid, so I combined them. The below audit calls can be made by any key manager. Hopefully, this is ok.
Signed-off-by: Joy Latten <latten@austin.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 24 Aug, 2007 1 commit
-
-
Miloslav Trmac authored
Renumber AUDIT_TTY_[GS]ET to avoid a conflict with netlink message types already used in the wild.
Signed-off-by: Miloslav Trmac <mitr@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-
- 22 Jul, 2007 2 commits
-
-
Al Viro authored
Selinux folks had been complaining about the lack of AVC_PATH records when audit is disabled. I must admit my stupidity - I assumed that avc_audit() really couldn't use audit_log_d_path() because of deadlocks (== could be called with dcache_lock or vfsmount_lock held). Shouldn't have made that assumption - it never gets called that way. It _is_ called under spinlocks, but not those. Since audit_log_d_path() uses ab->gfp_mask for allocations, kmalloc() in there is not a problem. IOW, the simple fix is sufficient: let's rip AUDIT_AVC_PATH out and simply generate pathname as part of main record. It's trivial to do.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Acked-by: James Morris <jmorris@namei.org>
-
Eric Paris authored
Right now the audit filter can match on = != > < >= blah blah blah. This allows the filter to also look at bitwise AND operations, &
Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-
- 16 Jul, 2007 1 commit
-
-
Miloslav Trmac authored
Add TTY input auditing, used to audit system administrator's actions. This is required by various security standards such as DCID 6/3 and PCI to provide non-repudiation of administrator's actions and to allow a review of past actions if the administrator seems to overstep their duties or if the system becomes misconfigured for unknown reasons. These requirements do not make it necessary to audit TTY output as well.
Compared to a user-space keylogger, this approach records TTY input using the audit subsystem, correlated with other audit events, and it is completely transparent to the user-space application (e.g. the console ioctls still work). TTY input auditing works on a higher level than auditing all system calls within the session, which would produce an overwhelming amount of mostly useless audit events.
Add an "audit_tty" attribute, inherited across fork(). Data read from TTYs by process with the attribute is sent to the audit subsystem by the kernel. The audit netlink interface is extended to allow modifying the audit_tty attribute, and to allow sending explanatory audit events from user-space (for example, a shell might send an event containing the final command, after the interactive command-line editing and history expansion is performed, which might be difficult to decipher from the TTY input alone).
Because the "audit_tty" attribute is inherited across fork(), it would be set e.g. for sshd restarted within an audited session. To prevent this, the audit_tty attribute is cleared when a process with no open TTY file descriptors (e.g. after daemon startup) opens a TTY.
See https://www.redhat.com/archives/linux-audit/2007-June/msg00000.html for a more detailed rationale document for an older version of this patch.
[akpm@linux-foundation.org: build fix]
Signed-off-by: Miloslav Trmac <mitr@redhat.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: Paul Fulghum <paulkf@microgate.com>
Cc: Casey Schaufler <casey@schaufler-ca.com>
Cc: Steve Grubb <sgrubb@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-
- 11 May, 2007 5 commits
-
-
Steve Grubb authored
Hi, I have been working on some code that detects abnormal events based on audit system events. One kind of event that we currently have no visibility for is when a program terminates due to segfault - which should never happen on a production machine. And if it did, you'd want to investigate it. Attached is a patch that collects these events and sends them into the audit system.
Signed-off-by: Steve Grubb <sgrubb@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-
Amy Griffis authored
Handle the edge cases for POSIX message queue auditing. Collect inode info when opening an existing mq, and for send/receive operations. Remove audit_inode_update() as it has really evolved into the equivalent of audit_inode().
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-
Amy Griffis authored
When auditing syscalls that send signals, log the pid and security context for each target process. Optimize the data collection by adding a counter for signal-related rules, and avoiding allocating an aux struct unless we have more than one target process. For process groups, collect pid/context data in blocks of 16. Move the audit_signal_info() hook up in check_kill_permission() so we audit attempts where permission is denied.
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-
Amy Griffis authored
Add a syscall class for sending signals.
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-
Al Viro authored
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-
- 06 Mar, 2007 1 commit
-
-
Jeff Dike authored
Include linux/types.h here because we need a definition of __u32. This file appears not to be exported verbatim by libc, so I think this doesn't have any userspace consequences.
Signed-off-by: Jeff Dike <jdike@linux.intel.com>
Cc: Paolo 'Blaisorblade' Giarrusso <blaisorblade@yahoo.it>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-
- 17 Feb, 2007 1 commit
-
-
Al Viro authored
Provide an audit record of the descriptor pair returned by pipe() and socketpair(). Rewritten from the original posted to linux-audit by John D. Ramsdell <ramsdell@mitre.org>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-
- 06 Dec, 2006 1 commit
-
-
Joy Latten authored
An audit message occurs when an ipsec SA or ipsec policy is created/deleted.
Signed-off-by: Joy Latten <latten@austin.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 04 Oct, 2006 1 commit
-
-
Steve Grubb authored
Hi, This patch adds a new type for 3rd party module use and cleans up a deprecated message type.
Signed-off-by: Steve Grubb <sgrubb@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-
- 29 Sep, 2006 1 commit
-
-
Paul Moore authored
Fix some issues Steve Grubb had with the way NetLabel was using the audit subsystem. This should make NetLabel more consistent with other kernel generated audit messages specifying configuration changes.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Acked-by: Steve Grubb <sgrubb@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 28 Sep, 2006 1 commit
-
-
Paul Moore authored
This patch adds audit support to NetLabel, including six new audit message types shown below.
#define AUDIT_MAC_UNLBL_ACCEPT 1406
#define AUDIT_MAC_UNLBL_DENY 1407
#define AUDIT_MAC_CIPSOV4_ADD 1408
#define AUDIT_MAC_CIPSOV4_DEL 1409
#define AUDIT_MAC_MAP_ADD 1410
#define AUDIT_MAC_MAP_DEL 1411
Signed-off-by: Paul Moore <paul.moore@hp.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 11 Sep, 2006 2 commits
-
-
Al Viro authored
add support for AUDIT_PERM predicate
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-
Al Viro authored
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-
- 03 Aug, 2006 5 commits
-
-
Al Viro authored
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-
Al Viro authored
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-
Al Viro authored
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-
Amy Griffis authored
When an object is created via a symlink into an audited directory, audit misses the event due to not having collected the inode data for the directory. Modify __audit_inode_child() to copy the parent inode data if a parent wasn't found in audit_names[].
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-
Amy Griffis authored
When the specified path is an existing file or when it is a symlink, audit collects the wrong inode number, which causes it to miss the open() event. Adding a second hook to the open() path fixes this. Also add audit_copy_inode() to consolidate some code.
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-