1. 31 May, 2019 1 commit
    • audit: fix a memory leak bug · b5785152
      Wenwen Wang authored
      [ Upstream commit 70c4cf17e445264453bc5323db3e50aa0ac9e81f ]
      In audit_rule_change(), audit_data_to_entry() is firstly invoked to
      translate the payload data to the kernel's rule representation. In
      audit_data_to_entry(), depending on the audit field type, an audit tree may
      be created in audit_make_tree(), which eventually invokes kmalloc() to
      allocate the tree.  Since this tree is a temporary tree, it will be then
      freed in the following execution, e.g., audit_add_rule() if the message
      type is AUDIT_ADD_RULE or audit_del_rule() if the message type is
      AUDIT_DEL_RULE. However, if the message type is neither AUDIT_ADD_RULE nor
      AUDIT_DEL_RULE, i.e., the default case of the switch statement, this
      temporary tree is not freed.
      To fix this issue, only allocate the tree when the type is AUDIT_ADD_RULE
      or AUDIT_DEL_RULE.
      Signed-off-by: Wenwen Wang <wang6495@umn.edu>
      Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
      Signed-off-by: Paul Moore <paul@paul-moore.com>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
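The allocate-then-dispatch pattern the commit describes, as an added user-space model (not kernel code): the names, the counting allocator and the numeric message types are constructed here so the two control flows can be compared, with `rule_change_before` building the temporary tree unconditionally and `rule_change_after` building it only under the two cases that consume it.

```c
/* Added example: models the control flow described in the commit message.
 * Not the kernel's code; audit_make_tree_model(), add_rule_model() and the
 * message-type values are constructed stand-ins. */
#include <stdlib.h>
#include <string.h>

/* Message types from the commit text; the numeric values are placeholders. */
enum { AUDIT_ADD_RULE = 1011, AUDIT_DEL_RULE = 1012 };

static int live_allocations;  /* outstanding allocations, the leak counter */

struct audit_tree { char pathname[64]; };

/* Stand-in for audit_make_tree(): one heap allocation per temporary tree. */
static struct audit_tree *audit_make_tree_model(const char *path)
{
    struct audit_tree *t = malloc(sizeof *t);
    if (!t)
        return NULL;
    strncpy(t->pathname, path, sizeof t->pathname - 1);
    t->pathname[sizeof t->pathname - 1] = '\0';
    live_allocations++;
    return t;
}

static void audit_put_tree_model(struct audit_tree *t)
{
    if (t) {
        live_allocations--;
        free(t);
    }
}

/* Stand-ins for audit_add_rule()/audit_del_rule(): both consume the tree. */
static int add_rule_model(struct audit_tree *t) { audit_put_tree_model(t); return 0; }
static int del_rule_model(struct audit_tree *t) { audit_put_tree_model(t); return 0; }

/* Before the fix: the tree is allocated first, then the type is dispatched.
 * The default branch returns without ever freeing it. */
static int rule_change_before(int type, const char *path)
{
    struct audit_tree *tree = audit_make_tree_model(path);
    if (!tree)
        return -1;
    switch (type) {
    case AUDIT_ADD_RULE: return add_rule_model(tree);
    case AUDIT_DEL_RULE: return del_rule_model(tree);
    default:             return -22;  /* -EINVAL, tree leaked */
    }
}

/* After the fix: allocate only for the two types that will consume the tree. */
static int rule_change_after(int type, const char *path)
{
    struct audit_tree *tree;
    switch (type) {
    case AUDIT_ADD_RULE:
    case AUDIT_DEL_RULE:
        tree = audit_make_tree_model(path);
        if (!tree)
            return -1;
        return type == AUDIT_ADD_RULE ? add_rule_model(tree) : del_rule_model(tree);
    default:
        return -22;  /* nothing allocated, nothing to leak */
    }
}

/* Drive one variant with valid and invalid message types and report how many
 * allocations are still live afterwards (0 means no leak). */
static int leaked_after(int (*fn)(int, const char *))
{
    int types[] = { AUDIT_ADD_RULE, AUDIT_DEL_RULE, 9999, 9999 };
    size_t i;
    live_allocations = 0;
    for (i = 0; i < sizeof types / sizeof types[0]; i++)
        fn(types[i], "/etc");
    return live_allocations;
}

int main(void)
{
    /* Two unknown message types leak two trees in the old flow, none in the new. */
    return leaked_after(rule_change_before) == 2 && leaked_after(rule_change_after) == 0 ? 0 : 1;
}
```

The counter is the check a reviewer would reach for when a function returns early after taking ownership of something: every exit path from the switch must either hand the allocation to a consumer or release it.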
  2. 03 Aug, 2018 1 commit
  3. 02 May, 2017 2 commits
  4. 29 Nov, 2016 1 commit
  5. 20 Nov, 2016 1 commit
  6. 27 Jun, 2016 1 commit
  7. 16 Jun, 2016 1 commit
  8. 31 May, 2016 1 commit
  9. 08 Feb, 2016 1 commit
  10. 04 Nov, 2015 1 commit
  11. 06 Aug, 2015 2 commits
    • audit: implement audit by executable · 34d99af5
      Richard Guy Briggs authored
      This adds the ability to audit the actions of a not-yet-running process.
      This patch implements the ability to filter on the executable path.  Instead of
      just hard coding the ino and dev of the executable we care about at the moment
      the rule is inserted into the kernel, use the new audit_fsnotify
      infrastructure to manage this dynamically.  This means that if the filename
      does not yet exist but the containing directory does, or if the inode in
      question is unlinked and creat'd (aka updated) the rule will just continue to
      work.  If the containing directory is moved or deleted or the filesystem is
      unmounted, the rule is deleted automatically.  A future enhancement would be to
      have the rule survive across directory disruptions.
      This is a heavily modified version of a patch originally submitted by Eric
      Paris with some ideas from Peter Moody.
      Cc: Peter Moody <peter@hda3.com>
      Cc: Eric Paris <eparis@redhat.com>
      Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
      [PM: minor whitespace clean to satisfy ./scripts/checkpatch]
      Signed-off-by: Paul Moore <pmoore@redhat.com>
    • audit: clean simple fsnotify implementation · 7f492942
      Richard Guy Briggs authored
      This is to be used to audit by executable path rules, but audit watches should
      be able to share this code eventually.
      At the moment the audit watch code is a lot more complex.  That code only
      creates one fsnotify watch per parent directory.  That 'audit_parent' in
      turn has a list of 'audit_watches' which contain the name, ino, dev of
      the specific object we care about.  This just creates one fsnotify watch
      per object we care about.  So if you watch 100 inodes in /etc this code
      will create 100 fsnotify watches on /etc.  The audit_watch code will
      instead create 1 fsnotify watch on /etc (the audit_parent) and then 100
      individual watches chained from that fsnotify mark.
      We should be able to convert the audit_watch code to do one fsnotify
      mark per watch and simplify things/remove a whole lot of code.  After
      that conversion we should be able to convert the audit_fsnotify code to
      support that hierarchy if the optimization is necessary.
      Move the access to the entry for audit_match_signal() to the beginning of
      the audit_del_rule() function in case the entry found is the same one passed
      in.  This will enable it to be used by audit_autoremove_mark_rule(),
      kill_rules() and audit_remove_parent_watches().
      This is a heavily modified and merged version of two patches originally
      submitted by Eric Paris.
      Cc: Peter Moody <peter@hda3.com>
      Cc: Eric Paris <eparis@redhat.com>
      Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
      [PM: added a space after a declaration to keep ./scripts/checkpatch happy]
      Signed-off-by: Paul Moore <pmoore@redhat.com>
  12. 05 Aug, 2015 2 commits
  13. 04 Aug, 2015 1 commit
  14. 20 Jan, 2015 1 commit
  15. 23 Dec, 2014 1 commit
    • audit: restore AUDIT_LOGINUID unset ABI · 041d7b98
      Richard Guy Briggs authored
      A regression was caused by commit 780a7654:
      	 audit: Make testing for a valid loginuid explicit.
      (which in turn attempted to fix a regression caused by e1760bd5)
      When audit_krule_to_data() fills in the rules to get a listing, there was a
      missing clause to convert back from AUDIT_LOGINUID_SET to AUDIT_LOGINUID.
      This broke userspace by not returning the same information that was sent and
      The rule:
      	auditctl -a exit,never -F auid=-1
      	auditctl -l
      		LIST_RULES: exit,never f24=0 syscall=all
      when it should give:
      		LIST_RULES: exit,never auid=-1 (0xffffffff) syscall=all
      Tag it so that it is reported the same way it was set.  Create a new
      private flags audit_krule field (pflags) to store it that won't interact with
      the public one from the API.
      Cc: stable@vger.kernel.org # v3.10-rc1+
      Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
      Signed-off-by: Paul Moore <pmoore@redhat.com>
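The round trip the commit restores, as an added model in user space (not the kernel's code): `auid=-1` arrives as `AUDIT_LOGINUID` with value `0xffffffff`, is stored internally as `AUDIT_LOGINUID_SET` with value 0 (the `f24=0` in the listing above), and must be converted back on listing. The field-type numbers, the `PFLAG_LOGINUID_LEGACY` bit and every function name are constructed here; `pflags` is the private flags field the commit introduces.

```c
/* Added example: models the loginuid ABI round trip described in the commit.
 * Not kernel code; PFLAG_LOGINUID_LEGACY and the *_model functions are
 * constructed stand-ins. */
#include <stdint.h>
#include <stdio.h>

/* Field types: 24 is the f24 shown in the listing; 9 is used for AUDIT_LOGINUID here. */
enum { AUDIT_LOGINUID = 9, AUDIT_LOGINUID_SET = 24 };
#define PFLAG_LOGINUID_LEGACY 0x1U   /* constructed name; lives in pflags only */
#define INVALID_UID 0xffffffffU      /* auid=-1 as an unsigned 32-bit value */

struct krule_field { uint32_t type; uint32_t val; };
struct krule_model {
    struct krule_field f;
    uint32_t flags;    /* public flags, part of the userspace API */
    uint32_t pflags;   /* private flags, never sent back to userspace */
};

/* user -> kernel: "auid=-1" means the loginuid is unset, so store it as
 * LOGINUID_SET=0 and tag the rule so the listing can undo the rewrite. */
static int data_to_entry_model(uint32_t type, uint32_t val, struct krule_model *k)
{
    k->flags = 0;
    k->pflags = 0;
    if (type == AUDIT_LOGINUID && val == INVALID_UID) {
        k->f.type = AUDIT_LOGINUID_SET;
        k->f.val = 0;
        k->pflags |= PFLAG_LOGINUID_LEGACY;
    } else {
        k->f.type = type;
        k->f.val = val;
    }
    return 0;
}

/* kernel -> user listing before the fix: the internal field leaks out as f24=0. */
static struct krule_field krule_to_data_before(const struct krule_model *k)
{
    return k->f;
}

/* After the fix: the private tag restores the field exactly as the user sent it.
 * A rule that really was set as LOGINUID_SET=0 carries no tag and is untouched. */
static struct krule_field krule_to_data_after(const struct krule_model *k)
{
    struct krule_field out = k->f;
    if (out.type == AUDIT_LOGINUID_SET && (k->pflags & PFLAG_LOGINUID_LEGACY)) {
        out.type = AUDIT_LOGINUID;
        out.val = INVALID_UID;
    }
    return out;
}

/* 1 if what the listing reports equals what was set, else 0. */
static int roundtrip_ok(uint32_t type, uint32_t val,
                        struct krule_field (*list)(const struct krule_model *))
{
    struct krule_model k;
    struct krule_field out;
    data_to_entry_model(type, val, &k);
    out = list(&k);
    return out.type == type && out.val == val;
}

/* Render a field the way the auditctl -l output in the commit shows it. */
static void print_listing(struct krule_field f)
{
    if (f.type == AUDIT_LOGINUID)
        printf("auid=%d (0x%x)\n", (int)f.val, f.val);
    else
        printf("f%u=%u\n", f.type, f.val);
}

int main(void)
{
    struct krule_model k;
    data_to_entry_model(AUDIT_LOGINUID, INVALID_UID, &k);
    print_listing(krule_to_data_before(&k));  /* f24=0 */
    print_listing(krule_to_data_after(&k));   /* auid=-1 (0xffffffff) */
    return 0;
}
```

Keeping the tag in `pflags` rather than in the public `flags` word is the point of the second paragraph of the commit: the public flags are echoed back to userspace, so a marker placed there would itself change the listing.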
  16. 19 Dec, 2014 1 commit
    • audit: don't attempt to lookup PIDs when changing PID filtering audit rules · 3640dcfa
      Paul Moore authored
      Commit f1dc4867 ("audit: anchor all pid references in the initial pid
      namespace") introduced a find_vpid() call when adding/removing audit
      rules with PID/PPID filters; unfortunately this is problematic as
      find_vpid() only works if there is a task with the associated PID
      alive on the system.  The following commands demonstrate a simple
      	# auditctl -D
      	# auditctl -l
      	# autrace /bin/true
      	# auditctl -l
      This patch resolves the problem by simply using the PID provided by
      the user without any additional validation, e.g. no calls to check to
      see if the task/PID exists.
      Cc: stable@vger.kernel.org # 3.15
      Cc: Richard Guy Briggs <rgb@redhat.com>
      Signed-off-by: Paul Moore <pmoore@redhat.com>
      Acked-by: Eric Paris <eparis@redhat.com>
      Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
  17. 10 Oct, 2014 3 commits
  18. 23 Sep, 2014 2 commits
  19. 07 Aug, 2014 1 commit
  20. 02 Apr, 2014 1 commit
  21. 20 Mar, 2014 3 commits
  22. 08 Mar, 2014 1 commit
  23. 07 Mar, 2014 1 commit
  24. 01 Mar, 2014 1 commit
  25. 28 Feb, 2014 1 commit
  26. 14 Jan, 2014 5 commits
  27. 05 Nov, 2013 2 commits
    • audit: do not reject all AUDIT_INODE filter types · 78122037
      Eric Paris authored
      commit ab61d38e tried to merge the
      invalid filter checking into a single function.  However AUDIT_INODE
      filters were not verified in the new generic checker.  Thus such rules
      were being denied even though they were perfectly valid.
      $ auditctl -a exit,always -F arch=b64 -S open -F key=/foo -F inode=6955 -F devmajor=9 -F devminor=1
      Error sending add rule data request (Invalid argument)
      Signed-off-by: Eric Paris <eparis@redhat.com>
      Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
      Signed-off-by: Eric Paris <eparis@redhat.com>
    • audit: change decimal constant to macro for invalid uid · 42f74461
      Richard Guy Briggs authored
      SFR reported this 2013-05-15:
      > After merging the final tree, today's linux-next build (i386 defconfig)
      > produced this warning:
      > kernel/auditfilter.c: In function 'audit_data_to_entry':
      > kernel/auditfilter.c:426:3: warning: this decimal constant is unsigned only
      > in ISO C90 [enabled by default]
      > Introduced by commit 780a7654 ("audit: Make testing for a valid
      > loginuid explicit") from Linus' tree.
      Replace this decimal constant in the code with a macro to make it more readable
      (add to the unsigned cast to quiet the warning).
      Cc: Stephen Rothwell <sfr@canb.auug.org.au>
      Cc: "Eric W. Biederman" <ebiederm@xmission.com>
      Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
      Signed-off-by: Eric Paris <eparis@redhat.com>