user/sven/linux.git/include/linux/audit.h, branch v3.4.67

audit: Syscall rules are not applied to existing processes on non-x86

2013-05-19T17:54:39Z

commit cdee3904b4ce7c03d1013ed6dd704b43ae7fc2e9 upstream. Commit b05d8447e782 (audit: inline audit_syscall_entry to reduce burden on archs) changed audit_syscall_entry to check for a dummy context before calling __audit_syscall_entry. Unfortunately the dummy context state is maintained in __audit_syscall_entry so once set it never gets cleared, even if the audit rules change. As a result, if there are no auditing rules when a process starts then it will never be subject to any rules added later. x86 doesn't see this because it has an assembly fast path that calls directly into __audit_syscall_entry. I noticed this issue when working on audit performance optimisations. I wrote a set of simple test cases available at: http://ozlabs.org/~anton/junkcode/audit_tests.tar.gz 02_new_rule.py fails without the patch and passes with it. The test case clears all rules, starts a process, adds a rule then verifies the process produces a syscall audit record. Signed-off-by: Anton Blanchard Signed-off-by: Eric Paris Signed-off-by: Greg Kroah-Hartman

constify path argument of audit_log_d_path()

2012-03-21T01:29:40Z

Signed-off-by: Al Viro

audit: comparison on interprocess fields

2012-01-17T21:17:03Z

This allows audit to specify rules in which we compare two fields of a process. Such as is the running process uid != to the running process euid? Signed-off-by: Peter Moody Signed-off-by: Eric Paris

audit: implement all object interfield comparisons

2012-01-17T21:17:02Z

This completes the matrix of interfield comparisons between uid/gid information for the current task and the uid/gid information for inodes. aka I can audit based on differences between the euid of the process and the uid of fs objects. Signed-off-by: Peter Moody Signed-off-by: Eric Paris

audit: allow interfield comparison between gid and ogid

2012-01-17T21:17:02Z

Allow audit rules to compare the gid of the running task to the gid of the inode in question. Signed-off-by: Eric Paris

audit: allow interfield comparison in audit rules

2012-01-17T21:17:01Z

We wish to be able to audit when a uid=500 task accesses a file which is uid=0. Or vice versa. This patch introduces a new audit filter type AUDIT_FIELD_COMPARE which takes as an 'enum' which indicates which fields should be compared. At this point we only define the task->uid vs inode->uid, but other comparisons can be added. Signed-off-by: Eric Paris

audit: remove task argument to audit_set_loginuid

2012-01-17T21:17:00Z

The function always deals with current. Don't expose an option pretending one can use it for something. You can't. Signed-off-by: Eric Paris

audit: allow audit matching on inode gid

2012-01-17T21:16:59Z

Much like the ability to filter audit on the uid of an inode collected, we should be able to filter on the gid of the inode. Signed-off-by: Eric Paris

audit: allow matching on obj_uid

2012-01-17T21:16:59Z

Allow syscall exit filter matching based on the uid of the owner of an inode used in a syscall. aka: auditctl -a always,exit -S open -F obj_uid=0 -F perm=wa Signed-off-by: Eric Paris

audit: remove audit_finish_fork as it can't be called

2012-01-17T21:16:59Z

Audit entry,always rules are not allowed and are automatically changed in exit,always rules in userspace. The kernel refuses to load such rules. Thus a task in the middle of a syscall (and thus in audit_finish_fork()) can only be in one of two states: AUDIT_BUILD_CONTEXT or AUDIT_DISABLED. Since the current task cannot be in AUDIT_RECORD_CONTEXT we aren't every going to actually use the code in audit_finish_fork() since it will return without doing anything. Thus drop the code. Signed-off-by: Eric Paris