An error occurred fetching the project authors.
- 16 Dec, 2017 1 commit
-
-
Paul Moore authored
[ Upstream commit 173743dd ] Prior to this patch we enabled audit in audit_init(), which is too late for PID 1 as the standard initcalls are run after the PID 1 task is forked. This means that we never allocate an audit_context (see audit_alloc()) for PID 1 and therefore miss a lot of audit events generated by PID 1. This patch enables audit as early as possible to help ensure that when PID 1 is forked it can allocate an audit_context if required. Reviewed-by:
Richard Guy Briggs <rgb@redhat.com> Signed-off-by:
Paul Moore <paul@paul-moore.com> Signed-off-by:
Sasha Levin <alexander.levin@verizon.com> Signed-off-by:
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
- 30 Aug, 2016 1 commit
-
-
Paul Moore authored
Unfortunately we record PIDs in audit records using a variety of methods despite the correct way being the use of task_tgid_nr(). This patch converts all of these callers, except for the case of AUDIT_SET in audit_receive_msg() (see the comment in the code). Reported-by:
Jeff Vander Stoep <jeffv@google.com> Signed-off-by:
Paul Moore <paul@paul-moore.com>
-
- 28 Jun, 2016 1 commit
-
-
Richard Guy Briggs authored
The only users of audit_get_tty and audit_put_tty are internal to audit, so move it out of include/linux/audit.h to kernel.h and create a proper function rather than inlining it. This also reduces kABI changes. Suggested-by:
Paul Moore <pmoore@redhat.com> Signed-off-by:
Richard Guy Briggs <rgb@redhat.com> [PM: line wrapped description] Signed-off-by:
Paul Moore <paul@paul-moore.com>
-
- 27 Jun, 2016 1 commit
-
-
Richard Guy Briggs authored
RFE: add additional fields for use in audit filter exclude rules https://github.com/linux-audit/audit-kernel/issues/5 Re-factor and combine audit_filter_type() with audit_filter_user() to use audit_filter_user_rules() to enable the exclude filter to additionally filter on PID, UID, GID, AUID, LOGINUID_SET, SUBJ_*. The process of combining the similar audit_filter_user() and audit_filter_type() functions, required inverting the meaning and including the ALWAYS action of the latter. Include audit_filter_user_rules() into audit_filter(), removing unneeded logic in the process. Keep the check to quit early if the list is empty. Signed-off-by:
Richard Guy Briggs <rgb@redhat.com> [PM: checkpatch.pl fixes - whitespace damage, wrapped description] Signed-off-by:
Paul Moore <paul@paul-moore.com>
-
- 26 Apr, 2016 1 commit
-
-
Richard Guy Briggs authored
The tty field was missing from AUDIT_LOGIN events. Refactor code to create a new function audit_get_tty(), using it to replace the call in audit_log_task_info() and to add it to audit_log_set_loginuid(). Lock and bump the kref to protect it, adding audit_put_tty() alias to decrement it. Signed-off-by:
Richard Guy Briggs <rgb@redhat.com> Signed-off-by:
Paul Moore <paul@paul-moore.com>
-
- 04 Apr, 2016 1 commit
-
-
Paul Moore authored
Remove the calls to __set_current_state() to mark the task as running and do some related cleanup in wait_for_auditd() to limit the amount of work we do when we aren't going to reschedule the current task. Signed-off-by:
Paul Moore <paul@paul-moore.com>
-
- 28 Jan, 2016 2 commits
-
-
Peter Hurley authored
The audit_tty and audit_tty_log_passwd fields are actually bool values, so merge into single memory location to access atomically. NB: audit log operations may still occur after tty audit is disabled which is consistent with the existing functionality Signed-off-by:
Peter Hurley <peter@hurleysoftware.com> Signed-off-by:
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
Peter Hurley authored
tty_audit_push() and tty_audit_push_current() perform identical tasks; eliminate the tty_audit_push() implementation and the tty_audit_push_current() name. Signed-off-by:
Peter Hurley <peter@hurleysoftware.com> Signed-off-by:
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
- 25 Jan, 2016 2 commits
-
-
Richard Guy Briggs authored
Failed attempts to change the audit_pid configuration are not presently logged. One case is an attempt to starve an old auditd by starting up a new auditd when the old one is still alive and active. The other case is an attempt to orphan a new auditd when an old auditd shuts down. Log both as AUDIT_CONFIG_CHANGE messages with failure result. Signed-off-by:
Richard Guy Briggs <rgb@redhat.com> Signed-off-by:
Paul Moore <pmoore@redhat.com>
-
Richard Guy Briggs authored
Nothing prevents a new auditd starting up and replacing a valid audit_pid when an old auditd is still running, effectively starving out the old auditd since audit_pid no longer points to the old valid auditd. If no message to auditd has been attempted since auditd died unnaturally or got killed, audit_pid will still indicate it is alive. There isn't an easy way to detect if an old auditd is still running on the existing audit_pid other than attempting to send a message to see if it fails. An -ECONNREFUSED almost certainly means it disappeared and can be replaced. Other errors are not so straightforward and may indicate transient problems that will resolve themselves and the old auditd will recover. Yet others will likely need manual intervention for which a new auditd will not solve the problem. Send a new message type (AUDIT_REPLACE) to the old auditd containing a u32 with the PID of the new auditd. If the audit replace message succeeds (or doesn't fail with certainty), fail to register the new auditd and return an error (-EEXIST). This is expected to make the patch preventing an old auditd orphaning a new auditd redundant. V3: Switch audit message type from 1000 to 1300 block. Signed-off-by:
Richard Guy Briggs <rgb@redhat.com> Signed-off-by:
Paul Moore <pmoore@redhat.com>
-
- 13 Jan, 2016 5 commits
-
-
Markus Elfring authored
The functions consume_skb() and kfree_skb() test whether their argument is NULL and then return immediately. Thus the tests around their calls are not needed. This issue was detected by using the Coccinelle software. Signed-off-by:
Markus Elfring <elfring@users.sourceforge.net> [PM: tweak patch prefix] Signed-off-by:
Paul Moore <pmoore@redhat.com>
-
Richard Guy Briggs authored
If the audit_backlog_limit is changed from a limited value to an unlimited value (zero) while the queue was overflowed, wake up the audit_backlog_wait queue to allow those processes to continue. Signed-off-by:
Richard Guy Briggs <rgb@redhat.com> Signed-off-by:
Paul Moore <pmoore@redhat.com>
-
Richard Guy Briggs authored
Should auditd spawn threads, allow all members of its thread group to use the audit_backlog_limit reserves to bypass the queue limits too. Signed-off-by:
Richard Guy Briggs <rgb@redhat.com> [PM: minor upstream merge tweaks] Signed-off-by:
Paul Moore <pmoore@redhat.com>
-
Paul Moore authored
It seems much more obvious and readable to simply use "0". Signed-off-by:
Paul Moore <pmoore@redhat.com>
-
Richard Guy Briggs authored
After auditd has recovered from an overflowed queue, the first process that doesn't use reserves to make it through the queue checks should reset the audit backlog wait time to the configured value. After that, there is no need to keep resetting it. Signed-off-by:
Richard Guy Briggs <rgb@redhat.com> Signed-off-by:
Paul Moore <pmoore@redhat.com>
-
- 24 Dec, 2015 1 commit
-
-
Andreas Gruenbacher authored
Make the inode argument of the inode_getsecid hook non-const so that we can use it to revalidate invalid security labels. Signed-off-by:
Andreas Gruenbacher <agruenba@redhat.com> Acked-by:
Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by:
Paul Moore <pmoore@redhat.com>
-
- 07 Nov, 2015 1 commit
-
-
Mel Gorman authored
mm, page_alloc: distinguish between being unable to sleep, unwilling to sleep and avoiding waking kswapd __GFP_WAIT has been used to identify atomic context in callers that hold spinlocks or are in interrupts. They are expected to be high priority and have access one of two watermarks lower than "min" which can be referred to as the "atomic reserve". __GFP_HIGH users get access to the first lower watermark and can be called the "high priority reserve". Over time, callers had a requirement to not block when fallback options were available. Some have abused __GFP_WAIT leading to a situation where an optimisitic allocation with a fallback option can access atomic reserves. This patch uses __GFP_ATOMIC to identify callers that are truely atomic, cannot sleep and have no alternative. High priority users continue to use __GFP_HIGH. __GFP_DIRECT_RECLAIM identifies callers that can sleep and are willing to enter direct reclaim. __GFP_KSWAPD_RECLAIM to identify callers that want to wake kswapd for background reclaim. __GFP_WAIT is redefined as a caller that is willing to enter direct reclaim and wake kswapd for background reclaim. This patch then converts a number of sites o __GFP_ATOMIC is used by callers that are high priority and have memory pools for those requests. GFP_ATOMIC uses this flag. o Callers that have a limited mempool to guarantee forward progress clear __GFP_DIRECT_RECLAIM but keep __GFP_KSWAPD_RECLAIM. bio allocations fall into this category where kswapd will still be woken but atomic reserves are not used as there is a one-entry mempool to guarantee progress. o Callers that are checking if they are non-blocking should use the helper gfpflags_allow_blocking() where possible. This is because checking for __GFP_WAIT as was done historically now can trigger false positives. Some exceptions like dm-crypt.c exist where the code intent is clearer if __GFP_DIRECT_RECLAIM is used instead of the helper due to flag manipulations. o Callers that built their own GFP flags instead of starting with GFP_KERNEL and friends now also need to specify __GFP_KSWAPD_RECLAIM. The first key hazard to watch out for is callers that removed __GFP_WAIT and was depending on access to atomic reserves for inconspicuous reasons. In some cases it may be appropriate for them to use __GFP_HIGH. The second key hazard is callers that assembled their own combination of GFP flags instead of starting with something like GFP_KERNEL. They may now wish to specify __GFP_KSWAPD_RECLAIM. It's almost certainly harmless if it's missed in most cases as other activity will wake kswapd. Signed-off-by:
Mel Gorman <mgorman@techsingularity.net> Acked-by:
Vlastimil Babka <vbabka@suse.cz> Acked-by:
Michal Hocko <mhocko@suse.com> Acked-by:
Johannes Weiner <hannes@cmpxchg.org> Cc: Christoph Lameter <cl@linux.com> Cc: David Rientjes <rientjes@google.com> Cc: Vitaly Wool <vitalywool@gmail.com> Cc: Rik van Riel <riel@redhat.com> Signed-off-by:
Andrew Morton <akpm@linux-foundation.org> Signed-off-by:
Linus Torvalds <torvalds@linux-foundation.org>
-
- 04 Nov, 2015 4 commits
-
-
Paul Moore authored
It always returns zero and no one is checking the return value. Signed-off-by:
Paul Moore <pmoore@redhat.com>
-
Saurabh Sengar authored
Variable rc in not required as it is just used for unchanged for return, and return is always 0 in the function. Signed-off-by:
Saurabh Sengar <saurabh.truth@gmail.com> [PM: fixed spelling errors in description] Signed-off-by:
Paul Moore <pmoore@redhat.com>
-
Yaowei Bai authored
This patch makes audit_string_contains_control return bool to improve readability due to this particular function only using either one or zero as its return value. Signed-off-by:
Yaowei Bai <bywxiaobai@163.com> [PM: tweaked subject line] Signed-off-by:
Paul Moore <pmoore@redhat.com>
-
Richard Guy Briggs authored
There are several reports of the kernel losing contact with auditd when it is, in fact, still running. When this happens, kernel syslogs show: "audit: *NO* daemon at audit_pid=<pid>" although auditd is still running, and is apparently happy, listening on the netlink socket. The pid in the "*NO* daemon" message matches the pid of the running auditd process. Restarting auditd solves this. The problem appears to happen randomly, and doesn't seem to be strongly correlated to the rate of audit events being logged. The problem happens fairly regularly (every few days), but not yet reproduced to order. On production kernels, BUG_ON() is a no-op, so any error will trigger this. Commit 34eab0a7 ("audit: prevent an older auditd shutdown from orphaning a newer auditd startup") eliminates one possible cause. This isn't the case here, since the PID in the error message and the PID of the running auditd match. The primary expected cause of error here is -ECONNREFUSED when the audit daemon goes away, when netlink_getsockbyportid() can't find the auditd portid entry in the netlink audit table (or there is no receive function). If -EPERM is returned, that situation isn't likely to be resolved in a timely fashion without administrator intervention. In both cases, reset the audit_pid. This does not rule out a race condition. SELinux is expected to return zero since this isn't an INET or INET6 socket. Other LSMs may have other return codes. Log the error code for better diagnosis in the future. In the case of -ENOMEM, the situation could be temporary, based on local or general availability of buffers. -EAGAIN should never happen since the netlink audit (kernel) socket is set to MAX_SCHEDULE_TIMEOUT. -ERESTARTSYS and -EINTR are not expected since this kernel thread is not expected to receive signals. In these cases (or any other unexpected ones for now), report the error and re-schedule the thread, retrying up to 5 times. v2: Removed BUG_ON(). Moved comma in pr_*() statements. Removed audit_strerror() text. Reported-by:
Vipin Rathor <v.rathor@gmail.com> Reported-by: <ctcard@hotmail.com> Signed-off-by:
Richard Guy Briggs <rgb@redhat.com> [PM: applied rgb's fixup patch to correct audit_log_lost() format issues] Signed-off-by:
Paul Moore <pmoore@redhat.com>
-
- 06 Aug, 2015 1 commit
-
-
Richard Guy Briggs authored
Clean up a number of places were casted magic numbers are used to represent unset inode and device numbers in preparation for the audit by executable path patch set. Signed-off-by:
Richard Guy Briggs <rgb@redhat.com> [PM: enclosed the _UNSET macros in parentheses for ./scripts/checkpatch] Signed-off-by:
Paul Moore <pmoore@redhat.com>
-
- 29 May, 2015 1 commit
-
-
Shailendra Verma authored
Signed-off-by:
Shailendra Verma <shailendra.capricorn@gmail.com> [PM: tweaked subject line] Signed-off-by:
Paul Moore <pmoore@redhat.com>
-
- 15 Apr, 2015 1 commit
-
-
David Howells authored
Signed-off-by:
David Howells <dhowells@redhat.com> Signed-off-by:
Al Viro <viro@zeniv.linux.org.uk>
-
- 13 Mar, 2015 1 commit
-
-
Pranith Kumar authored
After commit 3e1d0bb6 ("audit: Convert int limit uses to u32"), by converting an int to u32, few conditions will always evaluate to false. These warnings were emitted during compilation: kernel/audit.c: In function ‘audit_set_enabled’: kernel/audit.c:347:2: warning: comparison of unsigned expression < 0 is always false [-Wtype-limits] if (state < AUDIT_OFF || state > AUDIT_LOCKED) ^ kernel/audit.c: In function ‘audit_receive_msg’: kernel/audit.c:880:9: warning: comparison of unsigned expression < 0 is always false [-Wtype-limits] if (s.backlog_wait_time < 0 || The following patch removes those unnecessary conditions. Signed-off-by:
Pranith Kumar <bobby.prani@gmail.com> Signed-off-by:
Paul Moore <pmoore@redhat.com>
-
- 23 Feb, 2015 5 commits
-
-
Davidlohr Bueso authored
The mm->exe_file is currently serialized with mmap_sem (shared) in order to both safely (1) read the file and (2) audit it via audit_log_d_path(). Good users will, on the other hand, make use of the more standard get_mm_exe_file(), requiring only holding the mmap_sem to read the value, and relying on reference counting to make sure that the exe file won't dissapear underneath us. Additionally, upon NULL return of get_mm_exe_file, we also call audit_log_format(ab, " exe=(null)"). Signed-off-by:
Davidlohr Bueso <dbueso@suse.de> [PM: tweaked subject line] Signed-off-by:
Paul Moore <pmoore@redhat.com>
-
Davidlohr Bueso authored
This patch adds a audit_log_d_path_exe() helper function to share how we handle auditing of the exe_file's path. Used by both audit and auditsc. No functionality is changed. Signed-off-by:
Davidlohr Bueso <dbueso@suse.de> [PM: tweaked subject line] Signed-off-by:
Paul Moore <pmoore@redhat.com>
-
Ameen Ali authored
Fixed a coding style issue (unnecessary parentheses , unnecessary braces) Signed-off-by:
Ameen-Ali <Ameenali023@gmail.com> [PM: tweaked subject line] Signed-off-by:
Paul Moore <pmoore@redhat.com>
-
Richard Guy Briggs authored
During a queue overflow condition while we are waiting for auditd to drain the queue to make room for regular messages, we don't want a successful auditd that has bypassed the queue check to reset the backlog wait time. Signed-off-by:
Richard Guy Briggs <rgb@redhat.com> Signed-off-by:
Paul Moore <pmoore@redhat.com>
-
Richard Guy Briggs authored
Copy the set wait time to a working value to avoid losing the set value if the queue overflows. Signed-off-by:
Richard Guy Briggs <rgb@redhat.com> Signed-off-by:
Paul Moore <pmoore@redhat.com>
-
- 27 Dec, 2014 1 commit
-
-
Johannes Berg authored
Netlink families can exist in multiple namespaces, and for the most part multicast subscriptions are per network namespace. Thus it only makes sense to have bind/unbind notifications per network namespace. To achieve this, pass the network namespace of a given client socket to the bind/unbind functions. Also do this in generic netlink, and there also make sure that any bind for multicast groups that only exist in init_net is rejected. This isn't really a problem if it is accepted since a client in a different namespace will never receive any notifications from such a group, but it can confuse the family if not rejected (it's also possible to silently (without telling the family) accept it, but it would also have to be ignored on unbind so families that take any kind of action on bind/unbind won't do unnecessary work for invalid clients like that. Signed-off-by:
Johannes Berg <johannes.berg@intel.com> Signed-off-by:
David S. Miller <davem@davemloft.net>
-
- 19 Dec, 2014 1 commit
-
-
Richard Guy Briggs authored
Eric Paris explains: Since kauditd_send_multicast_skb() gets called in audit_log_end(), which can come from any context (aka even a sleeping context) GFP_KERNEL can't be used. Since the audit_buffer knows what context it should use, pass that down and use that. See: https://lkml.org/lkml/2014/12/16/542 BUG: sleeping function called from invalid context at mm/slab.c:2849 in_atomic(): 1, irqs_disabled(): 0, pid: 885, name: sulogin 2 locks held by sulogin/885: #0: (&sig->cred_guard_mutex){+.+.+.}, at: [<ffffffff91152e30>] prepare_bprm_creds+0x28/0x8b #1: (tty_files_lock){+.+.+.}, at: [<ffffffff9123e787>] selinux_bprm_committing_creds+0x55/0x22b CPU: 1 PID: 885 Comm: sulogin Not tainted 3.18.0-next-20141216 #30 Hardware name: Dell Inc. Latitude E6530/07Y85M, BIOS A15 06/20/2014 ffff880223744f10 ffff88022410f9b8 ffffffff916ba529 0000000000000375 ffff880223744f10 ffff88022410f9e8 ffffffff91063185 0000000000000006 0000000000000000 0000000000000000 0000000000000000 ffff88022410fa38 Call Trace: [<ffffffff916ba529>] dump_stack+0x50/0xa8 [<ffffffff91063185>] ___might_sleep+0x1b6/0x1be [<ffffffff910632a6>] __might_sleep+0x119/0x128 [<ffffffff91140720>] cache_alloc_debugcheck_before.isra.45+0x1d/0x1f [<ffffffff91141d81>] kmem_cache_alloc+0x43/0x1c9 [<ffffffff914e148d>] __alloc_skb+0x42/0x1a3 [<ffffffff914e2b62>] skb_copy+0x3e/0xa3 [<ffffffff910c263e>] audit_log_end+0x83/0x100 [<ffffffff9123b8d3>] ? avc_audit_pre_callback+0x103/0x103 [<ffffffff91252a73>] common_lsm_audit+0x441/0x450 [<ffffffff9123c163>] slow_avc_audit+0x63/0x67 [<ffffffff9123c42c>] avc_has_perm+0xca/0xe3 [<ffffffff9123dc2d>] inode_has_perm+0x5a/0x65 [<ffffffff9123e7ca>] selinux_bprm_committing_creds+0x98/0x22b [<ffffffff91239e64>] security_bprm_committing_creds+0xe/0x10 [<ffffffff911515e6>] install_exec_creds+0xe/0x79 [<ffffffff911974cf>] load_elf_binary+0xe36/0x10d7 [<ffffffff9115198e>] search_binary_handler+0x81/0x18c [<ffffffff91153376>] do_execveat_common.isra.31+0x4e3/0x7b7 [<ffffffff91153669>] do_execve+0x1f/0x21 [<ffffffff91153967>] SyS_execve+0x25/0x29 [<ffffffff916c61a9>] stub_execve+0x69/0xa0 Cc: stable@vger.kernel.org #v3.16-rc1 Reported-by:
Valdis Kletnieks <Valdis.Kletnieks@vt.edu> Signed-off-by:
Richard Guy Briggs <rgb@redhat.com> Tested-by:
Valdis Kletnieks <Valdis.Kletnieks@vt.edu> Signed-off-by:
Paul Moore <pmoore@redhat.com>
-
- 17 Nov, 2014 1 commit
-
-
Richard Guy Briggs authored
The version field defined in the audit status structure was found to have limitations in terms of its expressibility of features supported. This is distict from the get/set features call to be able to command those features that are present. Converting this field from a version number to a feature bitmap will allow distributions to selectively backport and support certain features and will allow upstream to be able to deprecate features in the future. It will allow userspace clients to first query the kernel for which features are actually present and supported. Currently, EINVAL is returned rather than EOPNOTSUP, which isn't helpful in determining if there was an error in the command, or if it simply isn't supported yet. Past features are not represented by this bitmap, but their use may be converted to EOPNOTSUP if needed in the future. Since "version" is too generic to convert with a #define, use a union in the struct status, introducing the member "feature_bitmap" unionized with "version". Convert existing AUDIT_VERSION_* macros over to AUDIT_FEATURE_BITMAP* counterparts, leaving the former for backwards compatibility. Signed-off-by:
Richard Guy Briggs <rgb@redhat.com> [PM: minor whitespace tweaks] Signed-off-by:
Paul Moore <pmoore@redhat.com>
-
- 04 Nov, 2014 1 commit
-
-
Peter Zijlstra authored
The kauditd_thread wait loop is a bit iffy; it has a number of problems: - calls try_to_freeze() before schedule(); you typically want the thread to re-evaluate the sleep condition when unfreezing, also freeze_task() issues a wakeup. - it unconditionally does the {add,remove}_wait_queue(), even when the sleep condition is false. Use wait_event_freezable() that does the right thing. Reported-by:
Mike Galbraith <umgwanakikbuti@gmail.com> Signed-off-by:
Peter Zijlstra (Intel) <peterz@infradead.org> Cc: Eric Paris <eparis@redhat.com> Cc: oleg@redhat.com Cc: Eric Paris <eparis@redhat.com> Cc: Linus Torvalds <torvalds@linux-foundation.org> Link: http://lkml.kernel.org/r/20141002102251.GA6324@worktop.programming.kicks-ass.netSigned-off-by:
Ingo Molnar <mingo@kernel.org>
-
- 30 Oct, 2014 1 commit
-
-
Richard Guy Briggs authored
Add a space between subj= and feature= fields to make them parsable. Signed-off-by:
Richard Guy Briggs <rgb@redhat.com> Cc: stable@vger.kernel.org Signed-off-by:
Paul Moore <pmoore@redhat.com>
-
- 23 Sep, 2014 5 commits
-
-
Richard Guy Briggs authored
When task->comm is passed directly to audit_log_untrustedstring() without getting a copy or using the task_lock, there is a race that could happen that would output a NULL (\0) in the output string that would effectively truncate the rest of the report text after the comm= field in the audit, losing fields. Use get_task_comm() to get a copy while acquiring the task_lock to prevent this and to prevent the result from being a mixture of old and new values of comm. Signed-off-by:
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by:
Richard Guy Briggs <rgb@redhat.com>
-
Richard Guy Briggs authored
When an AUDIT_GET_FEATURE message is sent from userspace to the kernel, it should reply with a message tagged as an AUDIT_GET_FEATURE type with a struct audit_feature. The current reply is a message tagged as an AUDIT_GET type with a struct audit_feature. This appears to have been a cut-and-paste-eo in commit b0fed402. Reported-by:
Steve Grubb <sgrubb@redhat.com> Signed-off-by:
Richard Guy Briggs <rgb@redhat.com>
-
Richard Guy Briggs authored
Report: Looking at your example code in http://people.redhat.com/rbriggs/audit-multicast-listen/audit-multicast-listen.c, it seems that nlmsg_len field in the received messages is supposed to contain the length of the header + payload, but it is always set to the size of the header only, i.e. 16. The example program works, because the printf format specifies the minimum width, not "precision", so it simply prints out the payload until the first zero byte. This isn't too much of a problem, but precludes the use of recvmmsg, iiuc? (gdb) p *(struct nlmsghdr*)nlh $14 = {nlmsg_len = 16, nlmsg_type = 1100, nlmsg_flags = 0, nlmsg_seq = 0, nlmsg_pid = 9910} The only time nlmsg_len would have been updated was at audit_buffer_alloc() inside audit_log_start() and never updated after. It should arguably be done in audit_log_vformat(), but would be more efficient in audit_log_end(). Reported-by:
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> Signed-off-by:
Richard Guy Briggs <rgb@redhat.com>
-
Richard Guy Briggs authored
Since there is already a primitive to do this operation in the atomic_t, use it to simplify audit_serial(). Signed-off-by:
Richard Guy Briggs <rgb@redhat.com>
-
Fabian Frederick authored
Use kernel.h definition. Cc: Eric Paris <eparis@redhat.com> Cc: Andrew Morton <akpm@linux-foundation.org> Signed-off-by:
Fabian Frederick <fabf@skynet.be> Signed-off-by:
Richard Guy Briggs <rgb@redhat.com>
-