user/sven/linux.git/kernel/audit_watch.c, branch v4.9.10 Linux Kernel https://git.stealer.net/cgit.cgi/user/sven/linux.git/atom?h=v4.9.10 2016-09-01T22:55:56Z Merge branch 'stable-4.8' of git://git.infradead.org/users/pcmoore/audit 2016-09-01T22:55:56Z Linus Torvalds torvalds@linux-foundation.org 2016-09-01T22:55:56Z urn:sha1:511a8cdb650544b7efd1bbccf7967d3153aee5f6 Pull audit fixes from Paul Moore: "Two small patches to fix some bugs with the audit-by-executable functionality we introduced back in v4.3 (both patches are marked for the stable folks)" * 'stable-4.8' of git://git.infradead.org/users/pcmoore/audit: audit: fix exe_file access in audit_exe_compare mm: introduce get_task_exe_file audit: fix exe_file access in audit_exe_compare 2016-08-31T20:16:35Z Mateusz Guzik mguzik@redhat.com 2016-08-23T14:20:39Z urn:sha1:5efc244346f9f338765da3d592f7947b0afdc4b5 Prior to the change the function would blindly deference mm, exe_file and exe_file->f_inode, each of which could have been NULL or freed. Use get_task_exe_file to safely obtain stable exe_file. Signed-off-by: Mateusz Guzik <mguzik@redhat.com> Acked-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru> Acked-by: Richard Guy Briggs <rgb@redhat.com> Cc: <stable@vger.kernel.org> # 4.3.x Signed-off-by: Paul Moore <paul@paul-moore.com> don't bother with ->d_inode->i_sb - it's always equal to ->d_sb 2016-04-10T21:11:51Z Al Viro viro@zeniv.linux.org.uk 2016-04-10T05:33:30Z urn:sha1:fc64005c93090c052637f63578d810b037abb1a1 ... and neither can ever be NULL Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Merge branch 'stable-4.6' of git://git.infradead.org/users/pcmoore/audit 2016-03-20T00:52:49Z Linus Torvalds torvalds@linux-foundation.org 2016-03-20T00:52:49Z urn:sha1:51b3eae8dbe5e6fa9657b21388ad6642d6934952 Pull audit updates from Paul Moore: "A small set of patches for audit this time; just three in total and one is a spelling fix. The two patches with actual content are designed to help prevent new instances of auditd from displacing an existing, functioning auditd and to generate a log of the attempt. Not to worry, dead/stuck auditd instances can still be replaced by a new instance without problem. Nothing controversial, and everything passes our regression suite" * 'stable-4.6' of git://git.infradead.org/users/pcmoore/audit: audit: Fix typo in comment audit: log failed attempts to change audit_pid configuration audit: stop an old auditd being starved out by a new auditd audit: Fix typo in comment 2016-02-08T16:25:39Z Wei Yuan weiyuan.wei@huawei.com 2016-02-06T07:39:47Z urn:sha1:fd97646b05957348e01be3d9de5c3d979b25c819 Signed-off-by: Weiyuan <weiyuan.wei@huawei.com> Signed-off-by: Paul Moore <paul@paul-moore.com> wrappers for ->i_mutex access 2016-01-22T23:04:28Z Al Viro viro@zeniv.linux.org.uk 2016-01-22T20:40:57Z urn:sha1:5955102c9984fa081b2d570cfac75c97eecf8f3b parallel to mutex_{lock,unlock,trylock,is_locked,lock_nested}, inode_foo(inode) being mutex_foo(&inode->i_mutex). Please, use those for access to ->i_mutex; over the coming cycle ->i_mutex will become rwsem, with ->lookup() done with it held only shared. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Merge branch 'upstream' of git://git.infradead.org/users/pcmoore/audit 2015-09-08T20:34:59Z Linus Torvalds torvalds@linux-foundation.org 2015-09-08T20:34:59Z urn:sha1:425afcff13a4bea2a3cf6f395cbc66fc158852be Pull audit update from Paul Moore: "This is one of the larger audit patchsets in recent history, consisting of eight patches and almost 400 lines of changes. The bulk of the patchset is the new "audit by executable" functionality which allows admins to set an audit watch based on the executable on disk. Prior to this, admins could only track an application by PID, which has some obvious limitations. Beyond the new functionality we also have some refcnt fixes and a few minor cleanups" * 'upstream' of git://git.infradead.org/users/pcmoore/audit: fixup: audit: implement audit by executable audit: implement audit by executable audit: clean simple fsnotify implementation audit: use macros for unset inode and device values audit: make audit_del_rule() more robust audit: fix uninitialized variable in audit_add_rule() audit: eliminate unnecessary extra layer of watch parent references audit: eliminate unnecessary extra layer of watch references fixup: audit: implement audit by executable 2015-08-13T02:04:07Z Richard Guy Briggs rgb@redhat.com 2015-08-08T14:20:25Z urn:sha1:15ce414b82b07acb99afda6e4d9bd14f317b6011 The Intel build-bot detected a sparse warning with with a patch I posted a couple of days ago that was accepted in the audit/next tree: Subject: [linux-next:master 6689/6751] kernel/audit_watch.c:543:36: sparse: dereference of noderef expression Date: Friday, August 07, 2015, 06:57:55 PM From: kbuild test robot <fengguang.wu@intel.com> tree: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master head: e6455bc5b91f41f842f30465c9193320f0568707 commit: 2e3a8aeb63e5335d4f837d453787c71bcb479796 [6689/6751] Merge remote- tracking branch 'audit/next' sparse warnings: (new ones prefixed by >>) >> kernel/audit_watch.c:543:36: sparse: dereference of noderef expression kernel/audit_watch.c:544:28: sparse: dereference of noderef expression 34d99af5 Richard Guy Briggs 2015-08-05 541 int audit_exe_compare(struct task_struct *tsk, struct audit_fsnotify_mark *mark) 34d99af5 Richard Guy Briggs 2015-08-05 542 { 34d99af5 Richard Guy Briggs 2015-08-05 @543 unsigned long ino = tsk->mm- >exe_file->f_inode->i_ino; 34d99af5 Richard Guy Briggs 2015-08-05 544 dev_t dev = tsk->mm->exe_file- >f_inode->i_sb->s_dev; :::::: The code at line 543 was first introduced by commit :::::: 34d99af52ad40bd498ba66970579a5bc1fb1a3bc audit: implement audit by executable tsk->mm->exe_file requires RCU access. The warning was reproduceable by adding "C=1 CF=-D__CHECK_ENDIAN__" to the build command, and verified eliminated with this patch. Signed-off-by: Richard Guy Briggs <rgb@redhat.com> Signed-off-by: Paul Moore <pmoore@redhat.com> audit: implement audit by executable 2015-08-06T20:17:25Z Richard Guy Briggs rgb@redhat.com 2015-08-05T20:29:37Z urn:sha1:34d99af52ad40bd498ba66970579a5bc1fb1a3bc This adds the ability audit the actions of a not-yet-running process. This patch implements the ability to filter on the executable path. Instead of just hard coding the ino and dev of the executable we care about at the moment the rule is inserted into the kernel, use the new audit_fsnotify infrastructure to manage this dynamically. This means that if the filename does not yet exist but the containing directory does, or if the inode in question is unlinked and creat'd (aka updated) the rule will just continue to work. If the containing directory is moved or deleted or the filesystem is unmounted, the rule is deleted automatically. A future enhancement would be to have the rule survive across directory disruptions. This is a heavily modified version of a patch originally submitted by Eric Paris with some ideas from Peter Moody. Cc: Peter Moody <peter@hda3.com> Cc: Eric Paris <eparis@redhat.com> Signed-off-by: Richard Guy Briggs <rgb@redhat.com> [PM: minor whitespace clean to satisfy ./scripts/checkpatch] Signed-off-by: Paul Moore <pmoore@redhat.com> audit: use macros for unset inode and device values 2015-08-06T18:39:02Z Richard Guy Briggs rgb@redhat.com 2015-08-06T03:48:20Z urn:sha1:84cb777e67814f2e06a99ff228f743409e9617e9 Clean up a number of places were casted magic numbers are used to represent unset inode and device numbers in preparation for the audit by executable path patch set. Signed-off-by: Richard Guy Briggs <rgb@redhat.com> [PM: enclosed the _UNSET macros in parentheses for ./scripts/checkpatch] Signed-off-by: Paul Moore <pmoore@redhat.com>