linux-stable.git/include/linux/audit.h, branch linux-2.6.25.y Linux kernel stable tree d_path: Use struct path in struct avc_audit_data 2008-02-15T05:17:08+00:00 Jan Blunck jblunck@suse.de 2008-02-15T03:38:33+00:00 44707fdf5938ad269ea5d6c5744d82f6a7328746 audit_log_d_path() is a d_path() wrapper that is used by the audit code. To use a struct path in audit_log_d_path() I need to embed it into struct avc_audit_data. [akpm@linux-foundation.org: coding-style fixes] Signed-off-by: Jan Blunck <jblunck@suse.de> Acked-by: Christoph Hellwig <hch@infradead.org> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: "J. Bruce Fields" <bfields@fieldses.org> Cc: Neil Brown <neilb@suse.de> Cc: Stephen Smalley <sds@tycho.nsa.gov> Cc: James Morris <jmorris@namei.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 
audit_log_d_path() is a d_path() wrapper that is used by the audit code.  To
use a struct path in audit_log_d_path() I need to embed it into struct
avc_audit_data.

[akpm@linux-foundation.org: coding-style fixes]
Signed-off-by: Jan Blunck <jblunck@suse.de>
Acked-by: Christoph Hellwig <hch@infradead.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: "J. Bruce Fields" <bfields@fieldses.org>
Cc: Neil Brown <neilb@suse.de>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Cc: James Morris <jmorris@namei.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[AUDIT] break large execve argument logging into smaller messages 2008-02-01T19:23:55+00:00 Eric Paris eparis@redhat.com 2008-01-07T19:31:58+00:00 de6bbd1d30e5912620d25dd15e3f180ac7f9fcef execve arguments can be quite large. There is no limit on the number of arguments and a 4G limit on the size of an argument. this patch prints those aruguments in bite sized pieces. a userspace size limitation of 8k was discovered so this keeps messages around 7.5k single arguments larger than 7.5k in length are split into multiple records and can be identified as aX[Y]= Signed-off-by: Eric Paris <eparis@redhat.com> 
execve arguments can be quite large.  There is no limit on the number of
arguments and a 4G limit on the size of an argument.

this patch prints those aruguments in bite sized pieces.  a userspace size
limitation of 8k was discovered so this keeps messages around 7.5k

single arguments larger than 7.5k in length are split into multiple records
and can be identified as aX[Y]=

Signed-off-by: Eric Paris <eparis@redhat.com>
[AUDIT] Add End of Event record 2008-02-01T19:07:19+00:00 Eric Paris eparis@redhat.com 2008-01-07T18:49:15+00:00 c0641f28dcbecb6dc34a4fd003a9947fcd080696 This patch adds an end of event record type. It will be sent by the kernel as the last record when a multi-record event is triggered. This will aid realtime analysis programs since they will now reliably know they have the last record to complete an event. The audit daemon filters this and will not write it to disk. Signed-off-by: Steve Grubb <sgrubb redhat com> Signed-off-by: Eric Paris <eparis@redhat.com> 
This patch adds an end of event record type. It will be sent by the kernel as
the last record when a multi-record event is triggered. This will aid realtime
analysis programs since they will now reliably know they have the last record
to complete an event. The audit daemon filters this and will not write it to
disk.

Signed-off-by: Steve Grubb <sgrubb redhat com>
Signed-off-by: Eric Paris <eparis@redhat.com>
[AUDIT] add session id to audit messages 2008-02-01T19:06:51+00:00 Eric Paris eparis@redhat.com 2008-01-08T15:06:53+00:00 4746ec5b01ed07205a91e4f7ed9de9d70f371407 In order to correlate audit records to an individual login add a session id. This is incremented every time a user logs in and is included in almost all messages which currently output the auid. The field is labeled ses= or oses= Signed-off-by: Eric Paris <eparis@redhat.com> 
In order to correlate audit records to an individual login add a session
id.  This is incremented every time a user logs in and is included in
almost all messages which currently output the auid.  The field is
labeled ses=  or oses=

Signed-off-by: Eric Paris <eparis@redhat.com>
[PATCH] get rid of loginuid races 2008-02-01T19:05:28+00:00 Al Viro viro@zeniv.linux.org.uk 2008-01-10T09:53:18+00:00 bfef93a5d1fb5654fe2025276c55e202d10b5255 Keeping loginuid in audit_context is racy and results in messier code. Taken to task_struct, out of the way of ->audit_context changes. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 
Keeping loginuid in audit_context is racy and results in messier
code.  Taken to task_struct, out of the way of ->audit_context
changes.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[PATCH] switch audit_get_loginuid() to task_struct * 2008-02-01T19:04:59+00:00 Al Viro viro@zeniv.linux.org.uk 2008-01-10T09:20:52+00:00 0c11b9428f619ab377c92eff2f160a834a6585dd all callers pass something->audit_context Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 
all callers pass something->audit_context

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
NetLabel: Add auditing to the static labeling mechanism 2008-01-29T21:17:29+00:00 Paul Moore paul.moore@hp.com 2008-01-29T13:44:23+00:00 13541b3adad2dc2f56761c5193c2b88db3597f0e This patch adds auditing support to the NetLabel static labeling mechanism. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org> 
This patch adds auditing support to the NetLabel static labeling mechanism.

Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
[PATCH] audit: watching subtrees 2007-10-21T06:37:45+00:00 Al Viro viro@zeniv.linux.org.uk 2007-07-22T12:04:18+00:00 74c3cbe33bc077ac1159cadfea608b501e100344 New kind of audit rule predicates: "object is visible in given subtree". The part that can be sanely implemented, that is. Limitations: * if you have hardlink from outside of tree, you'd better watch it too (or just watch the object itself, obviously) * if you mount something under a watched tree, tell audit that new chunk should be added to watched subtrees * if you umount something in a watched tree and it's still mounted elsewhere, you will get matches on events happening there. New command tells audit to recalculate the trees, trimming such sources of false positives. Note that it's _not_ about path - if something mounted in several places (multiple mount, bindings, different namespaces, etc.), the match does _not_ depend on which one we are using for access. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 
New kind of audit rule predicates: "object is visible in given subtree".
The part that can be sanely implemented, that is.  Limitations:
	* if you have hardlink from outside of tree, you'd better watch
it too (or just watch the object itself, obviously)
	* if you mount something under a watched tree, tell audit
that new chunk should be added to watched subtrees
	* if you umount something in a watched tree and it's still mounted
elsewhere, you will get matches on events happening there.  New command
tells audit to recalculate the trees, trimming such sources of false
positives.

Note that it's _not_ about path - if something mounted in several places
(multiple mount, bindings, different namespaces, etc.), the match does
_not_ depend on which one we are using for access.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[PATCH] pass dentry to audit_inode()/audit_inode_child() 2007-10-21T06:37:18+00:00 Al Viro viro@zeniv.linux.org.uk 2007-06-07T16:19:32+00:00 5a190ae69766da9a34bf31200c5cea4c0667cf94 makes caller simpler *and* allows to scan ancestors Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 
makes caller simpler *and* allows to scan ancestors

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[XFRM]: xfrm audit calls 2007-10-10T23:49:02+00:00 Joy Latten latten@austin.ibm.com 2007-09-17T18:51:22+00:00 ab5f5e8b144e4c804ef3aa1ce08a9ca9f01187ce This patch modifies the current ipsec audit layer by breaking it up into purpose driven audit calls. So far, the only audit calls made are when add/delete an SA/policy. It had been discussed to give each key manager it's own calls to do this, but I found there to be much redundnacy since they did the exact same things, except for how they got auid and sid, so I combined them. The below audit calls can be made by any key manager. Hopefully, this is ok. Signed-off-by: Joy Latten <latten@austin.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net> 
This patch modifies the current ipsec audit layer
by breaking it up into purpose driven audit calls.

So far, the only audit calls made are when add/delete
an SA/policy. It had been discussed to give each
key manager it's own calls to do this, but I found
there to be much redundnacy since they did the exact
same things, except for how they got auid and sid, so I
combined them. The below audit calls can be made by any
key manager. Hopefully, this is ok.

Signed-off-by: Joy Latten <latten@austin.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>