linux-stable.git/kernel/auditsc.c, branch linux-2.6.18.y Linux kernel stable tree [PATCH] audit: AUDIT_PERM support 2006-09-11T17:32:30+00:00 Al Viro viro@zeniv.linux.org.uk 2006-08-31T23:26:40+00:00 55669bfa141b488be865341ed12e188967d11308 add support for AUDIT_PERM predicate Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 
add support for AUDIT_PERM predicate

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[PATCH] take filling ->pid, etc. out of audit_get_context() 2006-08-03T14:59:51+00:00 Al Viro viro@zeniv.linux.org.uk 2006-07-16T10:43:48+00:00 3f2792ffbd88dc1cd41d226674cc428914981e98 move that stuff downstream and into the only branch where it'll be used. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 
move that stuff downstream and into the only branch where it'll be
used.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[PATCH] don't bother with aux entires for dummy context 2006-08-03T14:59:42+00:00 Al Viro viro@zeniv.linux.org.uk 2006-07-16T10:38:45+00:00 5ac3a9c26c1cc4861d9cdd8b293fecbfcdc81afe Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[PATCH] mark context of syscall entered with no rules as dummy 2006-08-03T14:59:26+00:00 Al Viro viro@zeniv.linux.org.uk 2006-08-03T14:59:26+00:00 d51374adf5f2f88155a072d3d801104e3c0c3d7f Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[PATCH] introduce audit rules counter 2006-08-03T14:55:18+00:00 Al Viro viro@zeniv.linux.org.uk 2006-07-10T12:29:24+00:00 471a5c7c839114cc8b55876203aeb2817c33e3c5 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[PATCH] fix missed create event for directory audit 2006-08-03T14:50:30+00:00 Amy Griffis amy.griffis@hp.com 2006-07-13T17:16:39+00:00 73d3ec5abad3f1730ac8530899d2c14d92f3ad63 When an object is created via a symlink into an audited directory, audit misses the event due to not having collected the inode data for the directory. Modify __audit_inode_child() to copy the parent inode data if a parent wasn't found in audit_names[]. Signed-off-by: Amy Griffis <amy.griffis@hp.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 
When an object is created via a symlink into an audited directory, audit misses
the event due to not having collected the inode data for the directory.  Modify
__audit_inode_child() to copy the parent inode data if a parent wasn't found in
audit_names[].

Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[PATCH] fix faulty inode data collection for open() with O_CREAT 2006-08-03T14:50:21+00:00 Amy Griffis amy.griffis@hp.com 2006-07-13T17:16:02+00:00 3e2efce067cec0099f99ae59f28feda99b02b498 When the specified path is an existing file or when it is a symlink, audit collects the wrong inode number, which causes it to miss the open() event. Adding a second hook to the open() path fixes this. Also add audit_copy_inode() to consolidate some code. Signed-off-by: Amy Griffis <amy.griffis@hp.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 
When the specified path is an existing file or when it is a symlink, audit
collects the wrong inode number, which causes it to miss the open() event.
Adding a second hook to the open() path fixes this.

Also add audit_copy_inode() to consolidate some code.

Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[PATCH] audit: support for object context filters 2006-07-01T09:44:19+00:00 Darrel Goeddel dgoeddel@trustedcs.com 2006-06-29T21:57:08+00:00 6e5a2d1d32596850a0ebf7fb3e54c0d69901dabd This patch introduces object audit filters based on the elements of the SELinux context. Signed-off-by: Darrel Goeddel <dgoeddel@trustedcs.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> kernel/auditfilter.c | 25 +++++++++++++++++++++++++ kernel/auditsc.c | 40 ++++++++++++++++++++++++++++++++++++++++ security/selinux/ss/services.c | 18 +++++++++++++++++- 3 files changed, 82 insertions(+), 1 deletion(-) Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 
This patch introduces object audit filters based on the elements
of the SELinux context.

Signed-off-by: Darrel Goeddel <dgoeddel@trustedcs.com>
Acked-by:  Stephen Smalley <sds@tycho.nsa.gov>

 kernel/auditfilter.c           |   25 +++++++++++++++++++++++++
 kernel/auditsc.c               |   40 ++++++++++++++++++++++++++++++++++++++++
 security/selinux/ss/services.c |   18 +++++++++++++++++-
 3 files changed, 82 insertions(+), 1 deletion(-)
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[PATCH] audit: rename AUDIT_SE_* constants 2006-07-01T09:44:08+00:00 Darrel Goeddel dgoeddel@trustedcs.com 2006-06-29T21:56:39+00:00 3a6b9f85c641a3b89420b0c8150ed377526a1fe1 This patch renames some audit constant definitions and adds additional definitions used by the following patch. The renaming avoids ambiguity with respect to the new definitions. Signed-off-by: Darrel Goeddel <dgoeddel@trustedcs.com> include/linux/audit.h | 15 ++++++++---- kernel/auditfilter.c | 50 ++++++++++++++++++++--------------------- kernel/auditsc.c | 10 ++++---- security/selinux/ss/services.c | 32 +++++++++++++------------- 4 files changed, 56 insertions(+), 51 deletions(-) Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 
This patch renames some audit constant definitions and adds
additional definitions used by the following patch.  The renaming
avoids ambiguity with respect to the new definitions.

Signed-off-by: Darrel Goeddel <dgoeddel@trustedcs.com>

 include/linux/audit.h          |   15 ++++++++----
 kernel/auditfilter.c           |   50 ++++++++++++++++++++---------------------
 kernel/auditsc.c               |   10 ++++----
 security/selinux/ss/services.c |   32 +++++++++++++-------------
 4 files changed, 56 insertions(+), 51 deletions(-)
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[PATCH] add rule filterkey 2006-07-01T09:43:06+00:00 Amy Griffis amy.griffis@hp.com 2006-06-14T22:45:21+00:00 5adc8a6adc91c4c85a64c75a70a619fffc924817 Add support for a rule key, which can be used to tie audit records to audit rules. This is useful when a watched file is accessed through a link or symlink, as well as for general audit log analysis. Because this patch uses a string key instead of an integer key, there is a bit of extra overhead to do the kstrdup() when a rule fires. However, we're also allocating memory for the audit record buffer, so it's probably not that significant. I went ahead with a string key because it seems more user-friendly. Note that the user must ensure that filterkeys are unique. The kernel only checks for duplicate rules. Signed-off-by: Amy Griffis <amy.griffis@hpd.com> 
Add support for a rule key, which can be used to tie audit records to audit
rules.  This is useful when a watched file is accessed through a link or
symlink, as well as for general audit log analysis.

Because this patch uses a string key instead of an integer key, there is a bit
of extra overhead to do the kstrdup() when a rule fires.  However, we're also
allocating memory for the audit record buffer, so it's probably not that
significant.  I went ahead with a string key because it seems more
user-friendly.

Note that the user must ensure that filterkeys are unique.  The kernel only
checks for duplicate rules.

Signed-off-by: Amy Griffis <amy.griffis@hpd.com>