1. 08 May, 2013 2 commits
    • Jeff Layton's avatar
      audit: vfs: fix audit_inode call in O_CREAT case of do_last · 33e2208a
      Jeff Layton authored
      Jiri reported a regression in auditing of open(..., O_CREAT) syscalls.
      In older kernels, creating a file with open(..., O_CREAT) created
      audit_name records that looked like this:
      
      type=PATH msg=audit(1360255720.628:64): item=1 name="/abc/foo" inode=138810 dev=fd:00 mode=0100640 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:default_t:s0
      type=PATH msg=audit(1360255720.628:64): item=0 name="/abc/" inode=138635 dev=fd:00 mode=040750 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:default_t:s0
      
      ...in recent kernels though, they look like this:
      
      type=PATH msg=audit(1360255402.886:12574): item=2 name=(null) inode=264599 dev=fd:00 mode=0100640 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:default_t:s0
      type=PATH msg=audit(1360255402.886:12574): item=1 name=(null) inode=264598 dev=fd:00 mode=040750 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:default_t:s0
      type=PATH msg=audit(1360255402.886:12574): item=0 name="/abc/foo" inode=264598 dev=fd:00 mode=040750 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:default_t:s0
      
      Richard bisected to determine that the problems started with commit
      bfcec708, but the log messages have changed with some later
      audit-related patches.
      
      The problem is that this audit_inode call is passing in the parent of
      the dentry being opened, but audit_inode is being called with the parent
      flag false. This causes later audit_inode and audit_inode_child calls to
      match the wrong entry in the audit_names list.
      
      This patch simply sets the flag to properly indicate that this inode
      represents the parent. With this, the audit_names entries are back to
      looking like they did before.
      
      Cc: <stable@vger.kernel.org> # v3.7+
      Reported-by: default avatarJiri Jaburek <jjaburek@redhat.com>
      Signed-off-by: default avatarJeff Layton <jlayton@redhat.com>
      Test By: Richard Guy Briggs <rbriggs@redhat.com>
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      33e2208a
    • Eric W. Biederman's avatar
      audit: Make testing for a valid loginuid explicit. · 780a7654
      Eric W. Biederman authored
      audit rule additions containing "-F auid!=4294967295" were failing
      with EINVAL because of a regression caused by e1760bd5.
      
      Apparently some userland audit rule sets want to know if loginuid uid
      has been set and are using a test for auid != 4294967295 to determine
      that.
      
      In practice that is a horrible way to ask if a value has been set,
      because it relies on subtle implementation details and will break
      every time the uid implementation in the kernel changes.
      
      So add a clean way to test if the audit loginuid has been set, and
      silently convert the old idiom to the cleaner and more comprehensible
      new idiom.
      
      Cc: <stable@vger.kernel.org> # 3.7
      Reported-By: default avatarRichard Guy Briggs <rgb@redhat.com>
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      Tested-by: default avatarRichard Guy Briggs <rgb@redhat.com>
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      780a7654
  2. 30 Apr, 2013 12 commits
  3. 16 Apr, 2013 2 commits
  4. 12 Apr, 2013 1 commit
  5. 11 Apr, 2013 2 commits
    • Eric Paris's avatar
      Audit: do not print error when LSMs disabled · ad395abe
      Eric Paris authored
      RHBZ: 785936
      
      If the audit system collects a record about one process sending a signal
      to another process it includes in that collection the 'secid' or 'an int
      used to represet an LSM label.'  If there is no LSM enabled it will
      collect a 0.  The problem is that when we attempt to print that record
      we ask the LSM to convert the secid back to a string.  Since there is no
      LSM it returns EOPNOTSUPP.
      
      Most code in the audit system checks if the secid is 0 and does not
      print LSM info in that case.  The signal information code however forgot
      that check.  Thus users will see a message in syslog indicating that
      converting the sid to string failed.  Add the right check.
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      ad395abe
    • Eric Paris's avatar
      audit: use data= not msg= for AUDIT_USER_TTY messages · f7616102
      Eric Paris authored
      Userspace parsing libraries assume that msg= is only for userspace audit
      records, not for user tty records.  Make this consistent with the other
      tty records.
      Reported-by: default avatarSteve Grubb <sgrubb@redhat.com>
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      f7616102
  6. 10 Apr, 2013 6 commits
  7. 08 Apr, 2013 4 commits
  8. 18 Feb, 2013 3 commits
  9. 15 Feb, 2013 8 commits