user/sven/linux.git/kernel/auditsc.c, branch v3.4.39 Linux Kernel https://git.stealer.net/cgit.cgi/user/sven/linux.git/atom?h=v3.4.39 2012-01-23T16:44:53Z kernel-doc: fix new warnings in auditsc.c 2012-01-23T16:44:53Z Randy Dunlap rdunlap@xenotime.net 2012-01-21T19:02:24Z urn:sha1:42ae610c1a820ddecb80943d4ccfc936f7772535 Fix new kernel-doc warnings in auditsc.c: Warning(kernel/auditsc.c:1875): No description found for parameter 'success' Warning(kernel/auditsc.c:1875): No description found for parameter 'return_code' Warning(kernel/auditsc.c:1875): Excess function parameter 'pt_regs' description in '__audit_syscall_exit' Signed-off-by: Randy Dunlap <rdunlap@xenotime.net> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: Eric Paris <eparis@redhat.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> audit: no leading space in audit_log_d_path prefix 2012-01-17T21:17:04Z Kees Cook keescook@chromium.org 2012-01-06T22:07:10Z urn:sha1:c158a35c8a681cf68d36f22f058f9f5466386c71 audit_log_d_path() injects an additional space before the prefix, which serves no purpose and doesn't mix well with other audit_log*() functions that do not sneak extra characters into the log. Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Eric Paris <eparis@redhat.com> audit: fix signedness bug in audit_log_execve_info() 2012-01-17T21:17:03Z Xi Wang xi.wang@gmail.com 2011-12-20T23:39:41Z urn:sha1:5afb8a3f96573f7ea018abb768f5b6ebe1a6c1a4 In the loop, a size_t "len" is used to hold the return value of audit_log_single_execve_arg(), which returns -1 on error. In that case the error handling (len <= 0) will be bypassed since "len" is unsigned, and the loop continues with (p += len) being wrapped. Change the type of "len" to signed int to fix the error handling. size_t len; ... for (...) { len = audit_log_single_execve_arg(...); if (len <= 0) break; p += len; } Signed-off-by: Xi Wang <xi.wang@gmail.com> Signed-off-by: Eric Paris <eparis@redhat.com> audit: comparison on interprocess fields 2012-01-17T21:17:03Z Peter Moody pmoody@google.com 2012-01-04T20:24:31Z urn:sha1:10d68360871657204885371cdf2594412675d2f9 This allows audit to specify rules in which we compare two fields of a process. Such as is the running process uid != to the running process euid? Signed-off-by: Peter Moody <pmoody@google.com> Signed-off-by: Eric Paris <eparis@redhat.com> audit: implement all object interfield comparisons 2012-01-17T21:17:02Z Peter Moody pmoody@google.com 2011-12-14T00:17:51Z urn:sha1:4a6633ed08af5ba67790b4d1adcdeb8ceb55677e This completes the matrix of interfield comparisons between uid/gid information for the current task and the uid/gid information for inodes. aka I can audit based on differences between the euid of the process and the uid of fs objects. Signed-off-by: Peter Moody <pmoody@google.com> Signed-off-by: Eric Paris <eparis@redhat.com> audit: allow interfield comparison between gid and ogid 2012-01-17T21:17:02Z Eric Paris eparis@redhat.com 2012-01-03T19:23:08Z urn:sha1:c9fe685f7a17a0ee8bf3fbe51e40b1c8b8e65896 Allow audit rules to compare the gid of the running task to the gid of the inode in question. Signed-off-by: Eric Paris <eparis@redhat.com> audit: complex interfield comparison helper 2012-01-17T21:17:02Z Eric Paris eparis@redhat.com 2012-01-03T19:23:08Z urn:sha1:b34b039324bf081554ee8678f9b8c5d937e5206c Rather than code the same loop over and over implement a helper function which uses some pointer magic to make it generic enough to be used numerous places as we implement more audit interfield comparisons Signed-off-by: Eric Paris <eparis@redhat.com> audit: allow interfield comparison in audit rules 2012-01-17T21:17:01Z Eric Paris eparis@redhat.com 2012-01-03T19:23:08Z urn:sha1:02d86a568c6d2d335256864451ac8ce781bc5652 We wish to be able to audit when a uid=500 task accesses a file which is uid=0. Or vice versa. This patch introduces a new audit filter type AUDIT_FIELD_COMPARE which takes as an 'enum' which indicates which fields should be compared. At this point we only define the task->uid vs inode->uid, but other comparisons can be added. Signed-off-by: Eric Paris <eparis@redhat.com> audit: do not call audit_getname on error 2012-01-17T21:17:01Z Eric Paris eparis@redhat.com 2012-01-03T19:23:08Z urn:sha1:4043cde8ecf7f7d880eb1133c201a3d392fd68c3 Just a code cleanup really. We don't need to make a function call just for it to return on error. This also makes the VFS function even easier to follow and removes a conditional on a hot path. Signed-off-by: Eric Paris <eparis@redhat.com> audit: only allow tasks to set their loginuid if it is -1 2012-01-17T21:17:00Z Eric Paris eparis@redhat.com 2012-01-03T19:23:08Z urn:sha1:633b45454503489209b0d9a45f9e3cd1b852c614 At the moment we allow tasks to set their loginuid if they have CAP_AUDIT_CONTROL. In reality we want tasks to set the loginuid when they log in and it be impossible to ever reset. We had to make it mutable even after it was once set (with the CAP) because on update and admin might have to restart sshd. Now sshd would get his loginuid and the next user which logged in using ssh would not be able to set his loginuid. Systemd has changed how userspace works and allowed us to make the kernel work the way it should. With systemd users (even admins) are not supposed to restart services directly. The system will restart the service for them. Thus since systemd is going to loginuid==-1, sshd would get -1, and sshd would be allowed to set a new loginuid without special permissions. If an admin in this system were to manually start an sshd he is inserting himself into the system chain of trust and thus, logically, it's his loginuid that should be used! Since we have old systems I make this a Kconfig option. Signed-off-by: Eric Paris <eparis@redhat.com>