Linux Kernel https://git.stealer.net/cgit.cgi/user/sven/linux.git/atom?h=v3.0.85 2011-01-19T22:51:37Z 2011-01-19T22:51:37Z Patrick McHardy kaber@trash.net 2011-01-19T22:51:37Z urn:sha1:14f0290ba44de6ed435fea24bba26e7868421c66 2011-01-16T17:12:59Z Thomas Graf tgraf@infradead.org 2011-01-16T17:12:59Z urn:sha1:fbabf31e4d482149b5e2704eb0287cf9117bdcf3 The setsockopt() syscall to replace tables is already recorded in the audit logs. This patch stores additional information such as table name and netfilter protocol. Cc: Patrick McHardy <kaber@trash.net> Cc: Eric Paris <eparis@parisplace.org> Cc: Al Viro <viro@ZenIV.linux.org.uk> Signed-off-by: Thomas Graf <tgraf@redhat.com> Signed-off-by: Patrick McHardy <kaber@trash.net> 2011-01-16T17:10:28Z Thomas Graf tgraf@infradead.org 2011-01-16T17:10:28Z urn:sha1:43f393caec0362abe03c72799d3f342af3973070 This patch adds a new netfilter target which creates audit records for packets traversing a certain chain. It can be used to record packets which are rejected administraively as follows: -N AUDIT_DROP -A AUDIT_DROP -j AUDIT --type DROP -A AUDIT_DROP -j DROP a rule which would typically drop or reject a packet would then invoke the new chain to record packets before dropping them. -j AUDIT_DROP The module is protocol independant and works for iptables, ip6tables and ebtables. The following information is logged: - netfilter hook - packet length - incomming/outgoing interface - MAC src/dst/proto for ethernet packets - src/dst/protocol address for IPv4/IPv6 - src/dst port for TCP/UDP/UDPLITE - icmp type/code Cc: Patrick McHardy <kaber@trash.net> Cc: Eric Paris <eparis@parisplace.org> Cc: Al Viro <viro@ZenIV.linux.org.uk> Signed-off-by: Thomas Graf <tgraf@redhat.com> Signed-off-by: Patrick McHardy <kaber@trash.net> 2011-01-10T16:51:44Z Alexey Dobriyan adobriyan@gmail.com 2011-01-10T06:17:10Z urn:sha1:37721e1b0cf98cb65895f234d8c500d270546529 Remove path.h from sched.h and other files. Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2010-10-30T12:45:43Z Al Viro viro@zeniv.linux.org.uk 2010-10-30T06:54:44Z urn:sha1:120a795da07c9a02221ca23464c28a7c6ad7de1d Normal syscall audit doesn't catch 5th argument of syscall. It also doesn't catch the contents of userland structures pointed to be syscall argument, so for both old and new mmap(2) ABI it doesn't record the descriptor we are mapping. For old one it also misses flags. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 2010-08-07T16:23:12Z Andi Kleen andi@firstfloor.org 2010-06-21T09:02:48Z urn:sha1:1676effca4cd2a6b32e6e8e0ecaa91522dfda6fa No real bugs I believe, just some dead code, and some shut up code. Signed-off-by: Andi Kleen <ak@linux.intel.com> Cc: Eric Paris <eparis@redhat.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Jens Axboe <jaxboe@fusionio.com> 2010-02-08T19:38:36Z Al Viro viro@zeniv.linux.org.uk 2009-12-25T10:07:33Z urn:sha1:cccc6bba3f771ef29b33e4f79e70ebc3dba245b0 it's always equal to ->d_name.name of the second argument Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 2009-06-24T04:00:52Z Eric Paris eparis@redhat.com 2009-06-11T18:31:37Z urn:sha1:9d9609851003ebed15957f0f2ce18492739ee124 A number of places in the audit system we send an op= followed by a string that includes spaces. Somehow this works but it's just wrong. This patch moves all of those that I could find to be quoted. Example: Change From: type=CONFIG_CHANGE msg=audit(1244666690.117:31): auid=0 ses=1 subj=unconfined_u:unconfined_r:auditctl_t:s0-s0:c0.c1023 op=remove rule key="number2" list=4 res=0 Change To: type=CONFIG_CHANGE msg=audit(1244666690.117:31): auid=0 ses=1 subj=unconfined_u:unconfined_r:auditctl_t:s0-s0:c0.c1023 op="remove rule" key="number2" list=4 res=0 Signed-off-by: Eric Paris <eparis@redhat.com> 2009-02-11T22:40:14Z Mimi Zohar zohar@linux.vnet.ibm.com 2009-02-11T16:12:28Z urn:sha1:523979adfa0b79d4e3aa053220c37a9233294206 Based on discussions on linux-audit, as per Steve Grubb's request http://lkml.org/lkml/2009/2/6/269, the following changes were made: - forced audit result to be either 0 or 1. - made template names const - Added new stand-alone message type: AUDIT_INTEGRITY_RULE Signed-off-by: Mimi Zohar <zohar@us.ibm.com> Acked-by: Steve Grubb <sgrubb@redhat.com> Signed-off-by: James Morris <jmorris@namei.org> 2009-02-06T00:01:45Z James Morris jmorris@namei.org 2009-02-06T00:01:45Z urn:sha1:cb5629b10d64a8006622ce3a52bc887d91057d69 Conflicts: fs/namei.c Manually merged per: diff --cc fs/namei.c index 734f2b5,bbc15c2..0000000 --- a/fs/namei.c +++ b/fs/namei.c @@@ -860,9 -848,8 +849,10 @@@ static int __link_path_walk(const char nd->flags |= LOOKUP_CONTINUE; err = exec_permission_lite(inode); if (err == -EAGAIN) - err = vfs_permission(nd, MAY_EXEC); + err = inode_permission(nd->path.dentry->d_inode, + MAY_EXEC); + if (!err) + err = ima_path_check(&nd->path, MAY_EXEC); if (err) break; @@@ -1525,14 -1506,9 +1509,14 @@@ int may_open(struct path *path, int acc flag &= ~O_TRUNC; } - error = vfs_permission(nd, acc_mode); + error = inode_permission(inode, acc_mode); if (error) return error; + - error = ima_path_check(&nd->path, ++ error = ima_path_check(path, + acc_mode & (MAY_READ | MAY_WRITE | MAY_EXEC)); + if (error) + return error; /* * An append-only file must be opened in append mode for writing. */ Signed-off-by: James Morris <jmorris@namei.org>