1. 05 Apr, 2009 9 commits
    • Eric Paris's avatar
      Audit: remove spaces from audit_log_d_path · def57543
      Eric Paris authored
      audit_log_d_path had spaces in the strings which would be emitted on the
      error paths.  This patch simply replaces those spaces with an _ or removes
      the needless spaces entirely.
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      def57543
    • Eric Paris's avatar
      audit: audit_set_auditable defined but not used · 679173b7
      Eric Paris authored
      after 0590b933 audit_set_auditable() is now only
      used by the audit tree code.  If CONFIG_AUDIT_TREE is unset it will be defined
      but unused.  This patch simply moves the function inside a CONFIG_AUDIT_TREE
      block.
      
      cc1: warnings being treated as errors
      /home/acme_unencrypted/git/linux-2.6-tip/kernel/auditsc.c:745: error: ‘audit_set_auditable’ defined but not used
      make[2]: *** [kernel/auditsc.o] Error 1
      make[1]: *** [kernel] Error 2
      make[1]: *** Waiting for unfinished jobs....
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      679173b7
    • Eric Paris's avatar
      audit: incorrect ref counting in audit tree tag_chunk · 318b6d3d
      Eric Paris authored
      tag_chunk has bad exit paths in which the inotify ref counting is wrong.
      At the top of the function we found &old_watch using  inotify_find_watch().
      inotify_find_watch takes a reference to the watch.  This is never dropped
      on an error path.
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      318b6d3d
    • Paul Moore's avatar
      audit: Fix possible return value truncation in audit_get_context() · 6d208da8
      Paul Moore authored
      The audit subsystem treats syscall return codes as type long, unfortunately
      the audit_get_context() function mistakenly converts the return code to an
      int type in the parameters which could cause problems on systems where the
      sizeof(int) != sizeof(long).
      Signed-off-by: default avatarPaul Moore <paul.moore@hp.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      6d208da8
    • Miloslav Trmac's avatar
      audit: ignore terminating NUL in AUDIT_USER_TTY messages · 55ad2f8d
      Miloslav Trmac authored
      AUDIT_USER_TTY, like all other messages sent from user-space, is sent
      NUL-terminated.  Unlike other user-space audit messages, which come only
      from trusted sources, AUDIT_USER_TTY messages are processed using
      audit_log_n_untrustedstring().
      
      This patch modifies AUDIT_USER_TTY handling to ignore the trailing NUL
      and use the "quoted_string" representation of the message if possible.
      Signed-off-by: default avatarMiloslav Trmac <mitr@redhat.com>
      Cc: Eric Paris <eparis@redhat.com>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Steve Grubb <sgrubb@redhat.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      55ad2f8d
    • Miloslav Trmac's avatar
      Audit: fix handling of 'strings' with NULL characters · b3897f56
      Miloslav Trmac authored
      currently audit_log_n_untrustedstring() uses audit_string_contains_control()
      to check if the 'string' has any control characters.  If the 'string' has an
      embedded NULL audit_string_contains_control() will return that the data has
      no control characters and will then pass the string to audit_log_n_string
      with the total length, not the length up to the first NULL.
      audit_log_n_string() does a memcpy of the entire length and so the actual
      audit record emitted may then contain a NULL and then whatever random memory
      is after the NULL.
      
      Since we want to log the entire octet stream (if we can't trust the data
      to be a string we can't trust that a NULL isn't actually a part of it)
      we should just consider NULL as a control character.  If the caller is
      certain they want to stop at the first NULL they should be using
      audit_log_untrustedstring.
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      b3897f56
    • Zhenwen Xu's avatar
      make the e->rule.xxx shorter in kernel auditfilter.c · c28bb7da
      Zhenwen Xu authored
      make the e->rule.xxx shorter in kernel/auditfilter.c
      --
      ---------------------------------
      Zhenwen Xu - Open and Free
      Home Page:	http://zhwen.org
      My Studio:	http://dim4.cn
      
      >From 99692dc640b278f1cb1a15646ce42f22e89c0f77 Mon Sep 17 00:00:00 2001
      From: Zhenwen Xu <Helight.Xu@gmail.com>
      Date: Thu, 12 Mar 2009 22:04:59 +0800
      Subject: [PATCH] make the e->rule.xxx shorter in kernel/auditfilter.c
      Signed-off-by: default avatarZhenwen Xu <Helight.Xu@gmail.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      c28bb7da
    • Randy Dunlap's avatar
      auditsc: fix kernel-doc notation · 6b962559
      Randy Dunlap authored
      Fix auditsc kernel-doc notation:
      
      Warning(linux-2.6.28-git7//kernel/auditsc.c:2156): No description found for parameter 'attr'
      Warning(linux-2.6.28-git7//kernel/auditsc.c:2156): Excess function parameter 'u_attr' description in '__audit_mq_open'
      Warning(linux-2.6.28-git7//kernel/auditsc.c:2204): No description found for parameter 'notification'
      Warning(linux-2.6.28-git7//kernel/auditsc.c:2204): Excess function parameter 'u_notification' description in '__audit_mq_notify'
      Signed-off-by: default avatarRandy Dunlap <randy.dunlap@oracle.com>
      cc:	Al Viro <viro@zeniv.linux.org.uk>
      cc:	Eric Paris <eparis@redhat.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      6b962559
    • Jiri Pirko's avatar
      audit: EXECVE record - removed bogus newline · ca96a895
      Jiri Pirko authored
      (updated)
      Added hunk that changes the comment, the rest is the same.
      
      EXECVE records contain a newline after every argument. auditd converts
      "\n" to " " so you cannot see newlines even in raw logs, but they're
      there nevertheless. If you're not using auditd, you need to work round
      them. These '\n' chars are can be easily replaced by spaces when
      creating record in kernel. Note there is no need for trailing '\n' in
      an audit record.
      
      record before this patch:
      "type=EXECVE msg=audit(1231421801.566:31): argc=4 a0=\"./test\"\na1=\"a\"\na2=\"b\"\na3=\"c\"\n"
      
      record after this patch:
      "type=EXECVE msg=audit(1231421801.566:31): argc=4 a0=\"./test\" a1=\"a\" a2=\"b\" a3=\"c\""
      Signed-off-by: default avatarJiri Pirko <jpirko@redhat.com>
      Acked-by: default avatarEric Paris <eparis@redhat.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      ca96a895
  2. 04 Apr, 2009 6 commits
  3. 03 Apr, 2009 25 commits