linux.git/kernel/audit.h, branch nocache-cleanup Linux kernel source tree audit: fix comment misindentation in audit.h 2025-10-22T23:28:06+00:00 Ricardo Robaina rrobaina@redhat.com 2025-10-08T14:27:19+00:00 4f7b54e17eddac93c78151ffc80b8437ab11c90b Minor comment misindentation adjustment. Signed-off-by: Ricardo Robaina <rrobaina@redhat.com> Signed-off-by: Paul Moore <paul@paul-moore.com> 
Minor comment misindentation adjustment.

Signed-off-by: Ricardo Robaina <rrobaina@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
audit: create audit_stamp structure 2025-08-30T14:15:28+00:00 Casey Schaufler casey@schaufler-ca.com 2025-08-16T17:28:56+00:00 0a561e3904a92492fee8e02a9f69276e939fd990 Replace the timestamp and serial number pair used in audit records with a structure containing the two elements. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> [PM: subj tweak] Signed-off-by: Paul Moore <paul@paul-moore.com> 
Replace the timestamp and serial number pair used in audit records
with a structure containing the two elements.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
[PM: subj tweak]
Signed-off-by: Paul Moore <paul@paul-moore.com>
audit,module: restore audit logging in load failure case 2025-06-16T21:00:06+00:00 Richard Guy Briggs rgb@redhat.com 2025-06-13T19:58:00+00:00 ae1ae11fb277f1335d6bcd4935ba0ea985af3c32 The move of the module sanity check to earlier skipped the audit logging call in the case of failure and to a place where the previously used context is unavailable. Add an audit logging call for the module loading failure case and get the module name when possible. Link: https://issues.redhat.com/browse/RHEL-52839 Fixes: 02da2cbab452 ("module: move check_modinfo() early to early_mod_check()") Signed-off-by: Richard Guy Briggs <rgb@redhat.com> Reviewed-by: Petr Pavlu <petr.pavlu@suse.com> Signed-off-by: Paul Moore <paul@paul-moore.com> 
The move of the module sanity check to earlier skipped the audit logging
call in the case of failure and to a place where the previously used
context is unavailable.

Add an audit logging call for the module loading failure case and get
the module name when possible.

Link: https://issues.redhat.com/browse/RHEL-52839
Fixes: 02da2cbab452 ("module: move check_modinfo() early to early_mod_check()")
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Reviewed-by: Petr Pavlu <petr.pavlu@suse.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
audit: change context data from secid to lsm_prop 2024-10-11T18:34:16+00:00 Casey Schaufler casey@schaufler-ca.com 2024-10-09T17:32:19+00:00 13d826e564e2ccae9df0caac8a3deb40dc4c8fda Change the LSM data stored in the audit transactions from a secid to an LSM prop. This is done in struct audit_context and struct audit_aux_data_pids. Several cases of scaffolding can be removed. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> [PM: subj line tweak] Signed-off-by: Paul Moore <paul@paul-moore.com> 
Change the LSM data stored in the audit transactions from a secid
to an LSM prop. This is done in struct audit_context and struct
audit_aux_data_pids. Several cases of scaffolding can be removed.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
[PM: subj line tweak]
Signed-off-by: Paul Moore <paul@paul-moore.com>
audit: use an lsm_prop in audit_names 2024-10-11T18:34:15+00:00 Casey Schaufler casey@schaufler-ca.com 2024-10-09T17:32:17+00:00 e0a8dcbd53b646d8535acd9fec95540275231b13 Replace the osid field in the audit_names structure with a lsm_prop structure. This accommodates the use of an lsm_prop in security_audit_rule_match() and security_inode_getsecid(). Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> [PM: subj line tweak] Signed-off-by: Paul Moore <paul@paul-moore.com> 
Replace the osid field in the audit_names structure with a
lsm_prop structure. This accommodates the use of an lsm_prop in
security_audit_rule_match() and security_inode_getsecid().

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
[PM: subj line tweak]
Signed-off-by: Paul Moore <paul@paul-moore.com>
audit: maintain an lsm_prop in audit_context 2024-10-11T18:34:13+00:00 Casey Schaufler casey@schaufler-ca.com 2024-10-09T17:32:12+00:00 7183abccd8ac2c486363e267b5d84032818eb725 Replace the secid value stored in struct audit_context with a struct lsm_prop. Change the code that uses this value to accommodate the change. security_audit_rule_match() expects a lsm_prop, so existing scaffolding can be removed. A call to security_secid_to_secctx() is changed to security_lsmprop_to_secctx(). The call to security_ipc_getsecid() is scaffolded. A new function lsmprop_is_set() is introduced to identify whether an lsm_prop contains a non-zero value. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> [PM: subject line tweak, fix lsmprop_is_set() typo] Signed-off-by: Paul Moore <paul@paul-moore.com> 
Replace the secid value stored in struct audit_context with a struct
lsm_prop. Change the code that uses this value to accommodate the
change. security_audit_rule_match() expects a lsm_prop, so existing
scaffolding can be removed. A call to security_secid_to_secctx()
is changed to security_lsmprop_to_secctx().  The call to
security_ipc_getsecid() is scaffolded.

A new function lsmprop_is_set() is introduced to identify whether
an lsm_prop contains a non-zero value.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
[PM: subject line tweak, fix lsmprop_is_set() typo]
Signed-off-by: Paul Moore <paul@paul-moore.com>
audit: correct audit_filter_inodes() definition 2023-07-21T16:17:25+00:00 Xiu Jianfeng xiujianfeng@huawei.com 2023-07-21T11:21:01+00:00 bf98354280bff22bc9e57c698d485c9e1c0b04f3 After changes in commit 0590b9335a1c ("fixing audit rule ordering mess, part 1"), audit_filter_inodes() returns void, so if CONFIG_AUDITSYSCALL not defined, it should be do {} while(0). Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: Paul Moore <paul@paul-moore.com> 
After changes in commit 0590b9335a1c ("fixing audit rule ordering mess,
part 1"), audit_filter_inodes() returns void, so if CONFIG_AUDITSYSCALL
not defined, it should be do {} while(0).

Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
audit: avoid missing-prototype warnings 2023-05-17T15:34:55+00:00 Arnd Bergmann arnd@arndb.de 2023-05-17T13:10:52+00:00 e455ca40dbcf2cd50d1e59bf4b2752b300bcdad4 Building with 'make W=1' reveals two function definitions without a previous prototype in the audit code: lib/compat_audit.c:32:5: error: no previous prototype for 'audit_classify_compat_syscall' [-Werror=missing-prototypes] kernel/audit.c:1813:14: error: no previous prototype for 'audit_serial' [-Werror=missing-prototypes] The first one needs a declaration from linux/audit.h but cannot include that header without causing conflicting (compat) syscall number definitions, so move the it into linux/audit_arch.h. The second one is declared conditionally based on CONFIG_AUDITSYSCALL but needed as a local function even when that option is disabled, so move the declaration out of the #ifdef block. Signed-off-by: Arnd Bergmann <arnd@arndb.de> Signed-off-by: Paul Moore <paul@paul-moore.com> 
Building with 'make W=1' reveals two function definitions without
a previous prototype in the audit code:

lib/compat_audit.c:32:5: error: no previous prototype for 'audit_classify_compat_syscall' [-Werror=missing-prototypes]
kernel/audit.c:1813:14: error: no previous prototype for 'audit_serial' [-Werror=missing-prototypes]

The first one needs a declaration from linux/audit.h but cannot
include that header without causing conflicting (compat) syscall number
definitions, so move the it into linux/audit_arch.h.

The second one is declared conditionally based on CONFIG_AUDITSYSCALL
but needed as a local function even when that option is disabled, so
move the declaration out of the #ifdef block.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Paul Moore <paul@paul-moore.com>
audit: remove selinux_audit_rule_update() declaration 2022-09-07T15:30:15+00:00 Xiu Jianfeng xiujianfeng@huawei.com 2022-09-06T13:25:08+00:00 934f70d9d498a7fffd611edf48356698f1d72e91 selinux_audit_rule_update() has been renamed to audit_update_lsm_rules() since commit d7a96f3a1ae2 ("Audit: internally use the new LSM audit hooks"), so remove it. Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: Paul Moore <paul@paul-moore.com> 
selinux_audit_rule_update() has been renamed to audit_update_lsm_rules()
since commit d7a96f3a1ae2 ("Audit: internally use the new LSM audit
hooks"), so remove it.

Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
audit: audit_context pid unused, context enum comment fix 2022-08-26T21:06:00+00:00 Richard Guy Briggs rgb@redhat.com 2022-08-25T19:32:37+00:00 e84d9f5214cb854fcd584aa78b5634794604d306 The pid member of struct audit_context is never used. Remove it. The audit_reset_context() comment about unconditionally resetting "ctx->state" should read "ctx->context". Signed-off-by: Richard Guy Briggs <rgb@redhat.com> Signed-off-by: Paul Moore <paul@paul-moore.com> 
The pid member of struct audit_context is never used.  Remove it.

The audit_reset_context() comment about unconditionally resetting
"ctx->state" should read "ctx->context".

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>