Commit 18e6756a authored by Linus Torvalds
* 'audit.b32' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit-current:
  [PATCH] message types updated
  [PATCH] name_count array overrun
  [PATCH] PPID filtering fix
  [PATCH] arch filter lists with < or > should not be accepted
parents a0a00cbf c8e649ba
+2 −1
@@ -75,7 +75,7 @@
#define AUDIT_DAEMON_CONFIG     1203    /* Daemon config change */

#define AUDIT_SYSCALL		1300	/* Syscall event */
#define AUDIT_FS_WATCH		1301	/* Filesystem watch event */
/* #define AUDIT_FS_WATCH	1301	 * Deprecated */
#define AUDIT_PATH		1302	/* Filename path information */
#define AUDIT_IPC		1303	/* IPC record */
#define AUDIT_SOCKETCALL	1304	/* sys_socketcall arguments */
@@ -88,6 +88,7 @@
#define AUDIT_MQ_SENDRECV	1313	/* POSIX MQ send/receive record type */
#define AUDIT_MQ_NOTIFY		1314	/* POSIX MQ notify record type */
#define AUDIT_MQ_GETSETATTR	1315	/* POSIX MQ get/set attribute record type */
#define AUDIT_KERNEL_OTHER	1316	/* For use by 3rd party modules */

#define AUDIT_AVC		1400	/* SE Linux avc denial or grant */
#define AUDIT_SELINUX_ERR	1401	/* Internal SE Linux Errors */
+8 −1
@@ -411,7 +411,6 @@ static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule)
		case AUDIT_FSGID:
		case AUDIT_LOGINUID:
		case AUDIT_PERS:
		case AUDIT_ARCH:
		case AUDIT_MSGTYPE:
		case AUDIT_PPID:
		case AUDIT_DEVMAJOR:
@@ -423,6 +422,14 @@ static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule)
		case AUDIT_ARG2:
		case AUDIT_ARG3:
			break;
		/* arch is only allowed to be = or != */
		case AUDIT_ARCH:
			if ((f->op != AUDIT_NOT_EQUAL) && (f->op != AUDIT_EQUAL)
					&& (f->op != AUDIT_NEGATE) && (f->op)) {
				err = -EINVAL;
				goto exit_free;
			}
			break;
		case AUDIT_PERM:
			if (f->val & ~15)
				goto exit_free;
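Review bot: The comment above the new `case AUDIT_ARCH:` says only = and != are allowed, but the condition also lets through `AUDIT_NEGATE` and an `op` of zero, and nothing in the hunk says why. Presumably those are the legacy rule encodings that are translated to `AUDIT_NOT_EQUAL`/`AUDIT_EQUAL` elsewhere in audit_rule_to_entry, which starts and ends outside the hunk; if so the comment should say it, e.g. `/* arch is only allowed to be = or !=; op == 0 and AUDIT_NEGATE are the legacy forms of those */`. The neighbouring `AUDIT_PERM` case jumps to `exit_free` without assigning `err` while the new case assigns `-EINVAL` first; whether `err` already holds that value at this point is not visible here, so the two rejection paths should be made to agree so that a refused rule always reports an error to the caller.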
+24 −4
@@ -278,8 +278,11 @@ static int audit_filter_rules(struct task_struct *tsk,
			result = audit_comparator(tsk->pid, f->op, f->val);
			break;
		case AUDIT_PPID:
			if (ctx)
			if (ctx) {
				if (!ctx->ppid)
					ctx->ppid = sys_getppid();
				result = audit_comparator(ctx->ppid, f->op, f->val);
			}
			break;
		case AUDIT_UID:
			result = audit_comparator(tsk->uid, f->op, f->val);
@@ -795,7 +798,8 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts

	/* tsk == current */
	context->pid = tsk->pid;
	context->ppid = sys_getppid();	/* sic.  tsk == current in all cases */
	if (!context->ppid)
		context->ppid = sys_getppid();
	context->uid = tsk->uid;
	context->gid = tsk->gid;
	context->euid = tsk->euid;
@@ -1137,6 +1141,7 @@ void audit_syscall_entry(int arch, int major,
	context->ctime      = CURRENT_TIME;
	context->in_syscall = 1;
	context->auditable  = !!(state == AUDIT_RECORD_CONTEXT);
	context->ppid       = 0;
}

/**
@@ -1352,7 +1357,13 @@ void __audit_inode_child(const char *dname, const struct inode *inode,
		}

update_context:
	idx = context->name_count++;
	idx = context->name_count;
	if (context->name_count == AUDIT_NAMES) {
		printk(KERN_DEBUG "name_count maxed and losing %s\n",
			found_name ?: "(null)");
		return;
	}
	context->name_count++;
#if AUDIT_DEBUG
	context->ino_count++;
#endif
@@ -1370,7 +1381,16 @@ update_context:
	/* A parent was not found in audit_names, so copy the inode data for the
	 * provided parent. */
	if (!found_name) {
		idx = context->name_count++;
		idx = context->name_count;
		if (context->name_count == AUDIT_NAMES) {
			printk(KERN_DEBUG
				"name_count maxed and losing parent inode data: dev=%02x:%02x, inode=%lu",
				MAJOR(parent->i_sb->s_dev),
				MINOR(parent->i_sb->s_dev),
				parent->i_ino);
			return;
		}
		context->name_count++;
#if AUDIT_DEBUG
		context->ino_count++;
#endif