user/sven/linux.git/kernel/audit_watch.c, branch v5.4.121

audit: CONFIG_CHANGE don't log internal bookkeeping as an event

2020-10-01T11:17:32Z

[ Upstream commit 70b3eeed49e8190d97139806f6fbaf8964306cdb ] Common Criteria calls out for any action that modifies the audit trail to be recorded. That usually is interpreted to mean insertion or removal of rules. It is not required to log modification of the inode information since the watch is still in effect. Additionally, if the rule is a never rule and the underlying file is one they do not want events for, they get an event for this bookkeeping update against their wishes. Since no device/inode info is logged at insertion and no device/inode information is logged on update, there is nothing meaningful being communicated to the admin by the CONFIG_CHANGE updated_rules event. One can assume that the rule was not "modified" because it is still watching the intended target. If the device or inode cannot be resolved, then audit_panic is called which is sufficient. The correct resolution is to drop logging config_update events since the watch is still in effect but just on another unknown inode. Signed-off-by: Steve Grubb Signed-off-by: Paul Moore Signed-off-by: Sasha Levin

audit_get_nd(): don't unlock parent too early

2019-11-10T16:56:55Z

if the child has been negative and just went positive under us, we want coherent d_is_positive() and ->d_inode. Don't unlock the parent until we'd done that work... Signed-off-by: Al Viro

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156

2019-05-30T18:26:35Z

Based on 1 normalized pattern(s): this program is free software you can redistribute it and or modify it under the terms of the gnu general public license as published by the free software foundation either version 2 of the license or at your option any later version this program is distributed in the hope that it will be useful but without any warranty without even the implied warranty of merchantability or fitness for a particular purpose see the gnu general public license for more details you should have received a copy of the gnu general public license along with this program if not write to the free software foundation inc 59 temple place suite 330 boston ma 02111 1307 usa extracted by the scancode license scanner the SPDX license identifier GPL-2.0-or-later has been chosen to replace the boilerplate/reference in 1334 file(s). Signed-off-by: Thomas Gleixner Reviewed-by: Allison Randal Reviewed-by: Richard Fontana Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190527070033.113240726@linutronix.de Signed-off-by: Greg Kroah-Hartman

audit_compare_dname_path(): switch to const struct qstr *

2019-04-29T00:33:43Z

Signed-off-by: Al Viro

audit_update_watch(): switch to const struct qstr *

2019-04-26T18:09:49Z

Signed-off-by: Al Viro

fsnotify: switch send_to_group() and ->handle_event to const struct qstr *

2019-04-26T17:51:03Z

note that conditions surrounding accesses to dname in audit_watch_handle_event() and audit_mark_handle_event() guarantee that dname won't have been NULL. Signed-off-by: Al Viro

audit: add syscall information to CONFIG_CHANGE records

2019-01-18T22:53:29Z

Tie syscall information to all CONFIG_CHANGE calls since they are all a result of user actions. Exclude user records from syscall context: Since the function audit_log_common_recv_msg() is shared by a number of AUDIT_CONFIG_CHANGE and the entire range of AUDIT_USER_* record types, and since the AUDIT_CONFIG_CHANGE message type has been converted to a syscall accompanied record type, special-case the AUDIT_USER_* range of messages so they remain standalone records. See: https://github.com/linux-audit/audit-kernel/issues/59 See: https://github.com/linux-audit/audit-kernel/issues/50 Signed-off-by: Richard Guy Briggs [PM: fix line lengths in kernel/audit.c] Signed-off-by: Paul Moore

audit: minimize our use of audit_log_format()

2018-11-26T23:40:00Z

There are some cases where we are making multiple audit_log_format() calls in a row, for no apparent reason. Squash these down to a single audit_log_format() call whenever possible. Acked-by: Richard Guy Briggs Signed-off-by: Paul Moore

audit: use session_info helper

2018-11-19T17:31:42Z

There are still a couple of places (mark and watch config changes) that open code auid and ses fields in sequence in records instead of using the audit_log_session_info() helper. Use the helper. Adjust the helper to accommodate being the first fields. Passes audit-testsuite. Signed-off-by: Richard Guy Briggs [PM: fixed misspellings in the description] Signed-off-by: Paul Moore

audit: fix use-after-free in audit_add_watch

2018-07-18T15:43:36Z

audit_add_watch stores locally krule->watch without taking a reference on watch. Then, it calls audit_add_to_parent, and uses the watch stored locally. Unfortunately, it is possible that audit_add_to_parent updates krule->watch. When it happens, it also drops a reference of watch which could free the watch. How to reproduce (with KASAN enabled): auditctl -w /etc/passwd -F success=0 -k test_passwd auditctl -w /etc/passwd -F success=1 -k test_passwd2 The second call to auditctl triggers the use-after-free, because audit_to_parent updates krule->watch to use a previous existing watch and drops the reference to the newly created watch. To fix the issue, we grab a reference of watch and we release it at the end of the function. Signed-off-by: Ronny Chevalier Reviewed-by: Richard Guy Briggs Signed-off-by: Paul Moore