Linux Kernel https://git.stealer.net/cgit.cgi/user/sven/linux.git/atom?h=v4.19.197 2020-06-22T07:05:13Z 2020-06-22T07:05:13Z Paul Moore paul@paul-moore.com 2020-04-21T13:10:56Z urn:sha1:4fe5dcafc74d9729e5f11f2d418c394eadbe0035 [ Upstream commit 3054d06719079388a543de6adb812638675ad8f5 ] If audit_list_rules_send() fails when trying to create a new thread to send the rules it also fails to cleanup properly, leaking a reference to a net structure. This patch fixes the error patch and renames audit_send_list() to audit_send_list_thread() to better match its cousin, audit_send_reply_thread(). Reported-by: teroincn@gmail.com Reviewed-by: Richard Guy Briggs <rgb@redhat.com> Signed-off-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Sasha Levin <sashal@kernel.org> 2020-06-22T07:05:13Z Paul Moore paul@paul-moore.com 2020-04-20T14:09:29Z urn:sha1:6d2f2b4218ad6af229ccefb517193094b88939ca [ Upstream commit a48b284b403a4a073d8beb72d2bb33e54df67fb6 ] If audit_send_reply() fails when trying to create a new thread to send the reply it also fails to cleanup properly, leaking a reference to a net structure. This patch fixes the error path and makes a handful of other cleanups that came up while fixing the code. Reported-by: teroincn@gmail.com Reviewed-by: Richard Guy Briggs <rgb@redhat.com> Signed-off-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Sasha Levin <sashal@kernel.org> 2020-04-29T14:31:31Z Paul Moore paul@paul-moore.com 2020-04-20T20:24:34Z urn:sha1:64c0c4832465cbef373b9f876511e1a4590c544d commit 763dafc520add02a1f4639b500c509acc0ea8e5b upstream. Commit 756125289285 ("audit: always check the netlink payload length in audit_receive_msg()") fixed a number of missing message length checks, but forgot to check the length of userspace generated audit records. The good news is that you need CAP_AUDIT_WRITE to submit userspace audit records, which is generally only given to trusted processes, so the impact should be limited. Cc: stable@vger.kernel.org Fixes: 756125289285 ("audit: always check the netlink payload length in audit_receive_msg()") Reported-by: syzbot+49e69b4d71a420ceda3e@syzkaller.appspotmail.com Signed-off-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2020-03-05T15:42:23Z Paul Moore paul@paul-moore.com 2020-02-24T21:38:57Z urn:sha1:9d2fdc4c7efd90860378bdc18bd5f7c199c8d645 [ Upstream commit 756125289285f6e55a03861bf4b6257aa3d19a93 ] This patch ensures that we always check the netlink payload length in audit_receive_msg() before we take any action on the payload itself. Cc: stable@vger.kernel.org Reported-by: syzbot+399c44bf1f43b8747403@syzkaller.appspotmail.com Reported-by: syzbot+e4b12d8d202701f08b6d@syzkaller.appspotmail.com Signed-off-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Sasha Levin <sashal@kernel.org> 2018-07-17T18:45:08Z Paul Moore paul@paul-moore.com 2018-07-17T18:45:08Z urn:sha1:290e44b7dd116cc61cf37b7ca0be13313bb11e37 Commit c72051d5778a ("audit: use ktime_get_coarse_ts64() for time access") converted audit's use of current_kernel_time64() to the new ktime_get_coarse_ts64() function. Unfortunately this resulted in incorrect timestamps, e.g. events stamped with the year 1969 despite it being 2018. This patch corrects this by using ktime_get_coarse_real_ts64() just like the current_kernel_time64() wrapper. Fixes: c72051d5778a ("audit: use ktime_get_coarse_ts64() for time access") Reviewed-by: Arnd Bergmann <arnd@arndb.de> Signed-off-by: Paul Moore <paul@paul-moore.com> 2018-07-03T14:12:54Z Arnd Bergmann arnd@arndb.de 2018-06-18T14:58:24Z urn:sha1:c72051d5778a9c0e5df31d6553a6fa3507b3685c The API got renamed for consistency with the other time accessors, this changes the audit caller as well. Signed-off-by: Arnd Bergmann <arnd@arndb.de> Reviewed-by: Richard Guy Briggs <rgb@redhat.com> Signed-off-by: Paul Moore <paul@paul-moore.com> 2018-06-19T14:43:55Z Richard Guy Briggs rgb@redhat.com 2018-06-05T23:20:39Z urn:sha1:f7859590d97614815b35a755c8213dfb8f2766bd Remove comparison of audit_enabled to magic numbers outside of audit. Related: https://github.com/linux-audit/audit-kernel/issues/86 Signed-off-by: Richard Guy Briggs <rgb@redhat.com> Signed-off-by: Paul Moore <paul@paul-moore.com> 2018-06-19T14:39:54Z Richard Guy Briggs rgb@redhat.com 2018-06-05T15:45:07Z urn:sha1:d904ac0320d3c4ff4e9d80e4294ca5dde803696f The AUDIT_FILTER_TYPE name is vague and misleading due to not describing where or when the filter is applied and obsolete due to its available filter fields having been expanded. Userspace has already renamed it from AUDIT_FILTER_TYPE to AUDIT_FILTER_EXCLUDE without checking if it already exists. The userspace maintainer assures that as long as it is set to the same value it will not be a problem since the userspace code does not treat compiler warnings as errors. If this policy changes then checks if it already exists can be added at the same time. See: https://github.com/linux-audit/audit-kernel/issues/89 Signed-off-by: Richard Guy Briggs <rgb@redhat.com> Signed-off-by: Paul Moore <paul@paul-moore.com> 2018-05-14T21:24:18Z Richard Guy Briggs rgb@redhat.com 2018-05-13T01:58:20Z urn:sha1:cdfb6b341f0f2409aba24b84f3b4b2bba50be5c5 Recognizing that the audit context is an internal audit value, use an access function to retrieve the audit context pointer for the task rather than reaching directly into the task struct to get it. Signed-off-by: Richard Guy Briggs <rgb@redhat.com> [PM: merge fuzz in auditsc.c and selinuxfs.c, checkpatch.pl fixes] Signed-off-by: Paul Moore <paul@paul-moore.com> 2018-04-20T18:57:30Z Richard Guy Briggs rgb@redhat.com 2018-04-11T12:46:52Z urn:sha1:d96f92f4aae1132482ce0a584c4bc3ce32c796ea Tie syscall information to FEATURE_CHANGE calls since it is a result of user action. See: https://github.com/linux-audit/audit-kernel/issues/80 Signed-off-by: Richard Guy Briggs <rgb@redhat.com> [PM: 80-char fixes] Signed-off-by: Paul Moore <paul@paul-moore.com>