1. 28 Apr, 2008 7 commits
    • Eric Paris's avatar
      Audit: MAINTAINERS update · 0ef1970d
      Eric Paris authored
      Change maintainers to include me and al viro
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      0ef1970d
    • Eric Paris's avatar
      Audit: increase the maximum length of the key field · a42da93c
      Eric Paris authored
      Key lengths were arbitrarily limited to 32 characters.  If userspace is going
      to start using the single kernel key field as multiple virtual key fields
      (example key=key1,key2,key3,key4) we should give them enough room to work.
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      a42da93c
    • Eric Paris's avatar
      Audit: standardize string audit interfaces · b556f8ad
      Eric Paris authored
      This patch standardized the string auditing interfaces.  No userspace
      changes will be visible and this is all just cleanup and consistancy
      work.  We have the following string audit interfaces to use:
      
      void audit_log_n_hex(struct audit_buffer *ab, const unsigned char *buf, size_t len);
      
      void audit_log_n_string(struct audit_buffer *ab, const char *buf, size_t n);
      void audit_log_string(struct audit_buffer *ab, const char *buf);
      
      void audit_log_n_untrustedstring(struct audit_buffer *ab, const char *string, size_t n);
      void audit_log_untrustedstring(struct audit_buffer *ab, const char *string);
      
      This may be the first step to possibly fixing some of the issues that
      people have with the string output from the kernel audit system.  But we
      still don't have an agreed upon solution to that problem.
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      b556f8ad
    • Eric Paris's avatar
      Audit: stop deadlock from signals under load · f09ac9db
      Eric Paris authored
      A deadlock is possible between kauditd and auditd under load if auditd
      receives a signal.  When auditd receives a signal it sends a netlink
      message to the kernel asking for information about the sender of the
      signal.  In that same context the audit system will attempt to send a
      netlink message back to the userspace auditd.  If kauditd has already
      filled the socket buffer (see netlink_attachskb()) auditd will now put
      itself to sleep waiting for room to send the message.  Since auditd is
      responsible for draining that socket we have a deadlock.  The fix, since
      the response from the kernel does not need to be synchronous is to send
      the signal information back to auditd in a separate thread.  And thus
      auditd can continue to drain the audit queue normally.
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      f09ac9db
    • Eric Paris's avatar
      Audit: save audit_backlog_limit audit messages in case auditd comes back · f3d357b0
      Eric Paris authored
      This patch causes the kernel audit subsystem to store up to
      audit_backlog_limit messages for use by auditd if it ever appears
      sometime in the future in userspace.  This is useful to collect audit
      messages during bootup and even when auditd is stopped.  This is NOT a
      reliable mechanism, it does not ever call audit_panic, nor should it.
      audit_log_lost()/audit_panic() are called during the normal delivery
      mechanism.  The messages are still sent to printk/syslog as usual and if
      too many messages appear to be queued they will be silently discarded.
      
      I liked doing it by default, but this patch only uses the queue in
      question if it was booted with audit=1 or if the kernel was built
      enabling audit by default.
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      f3d357b0
    • Eric Paris's avatar
      Audit: collect sessionid in netlink messages · 2532386f
      Eric Paris authored
      Previously I added sessionid output to all audit messages where it was
      available but we still didn't know the sessionid of the sender of
      netlink messages.  This patch adds that information to netlink messages
      so we can audit who sent netlink messages.
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      2532386f
    • Eric Paris's avatar
      Audit: end printk with newline · 436c405c
      Eric Paris authored
      A couple of audit printk statements did not have a newline.
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      436c405c
  2. 27 Apr, 2008 33 commits