Commit 425afcff authored by Linus Torvalds's avatar Linus Torvalds
Browse files

Merge branch 'upstream' of git://git.infradead.org/users/pcmoore/audit 

Pull audit update from Paul Moore:
 "This is one of the larger audit patchsets in recent history,
  consisting of eight patches and almost 400 lines of changes.

  The bulk of the patchset is the new "audit by executable"
  functionality which allows admins to set an audit watch based on the
  executable on disk.  Prior to this, admins could only track an
  application by PID, which has some obvious limitations.

  Beyond the new functionality we also have some refcnt fixes and a few
  minor cleanups"

* 'upstream' of git://git.infradead.org/users/pcmoore/audit:
  fixup: audit: implement audit by executable
  audit: implement audit by executable
  audit: clean simple fsnotify implementation
  audit: use macros for unset inode and device values
  audit: make audit_del_rule() more robust
  audit: fix uninitialized variable in audit_add_rule()
  audit: eliminate unnecessary extra layer of watch parent references
  audit: eliminate unnecessary extra layer of watch references
parents b793c005 15ce414b

include/linux/audit.h

+4 −0
Original line number Diff line number Diff line
@@ -27,6 +27,9 @@ 
#include <linux/ptrace.h>

#include <uapi/linux/audit.h>



#define AUDIT_INO_UNSET ((unsigned long)-1)

#define AUDIT_DEV_UNSET ((dev_t)-1)



struct audit_sig_info {

	uid_t		uid;

	pid_t		pid;
@@ -59,6 +62,7 @@ struct audit_krule { 
	struct audit_field	*inode_f; /* quick access to an inode field */

	struct audit_watch	*watch;	/* associated watch */

	struct audit_tree	*tree;	/* associated watched tree */

	struct audit_fsnotify_mark	*exe;

	struct list_head	rlist;	/* entry in audit_{watch,tree}.rules list */

	struct list_head	list;	/* for AUDIT_LIST* purposes only */

	u64			prio;

include/uapi/linux/audit.h

+4 −1
Original line number Diff line number Diff line
@@ -266,6 +266,7 @@ 
#define AUDIT_OBJ_UID	109

#define AUDIT_OBJ_GID	110

#define AUDIT_FIELD_COMPARE	111

#define AUDIT_EXE	112



#define AUDIT_ARG0      200

#define AUDIT_ARG1      (AUDIT_ARG0+1)
@@ -324,8 +325,10 @@ enum { 


#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT	0x00000001

#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME	0x00000002

#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH	0x00000004

#define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT | \

				  AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME)

				  AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \

				  AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH)



/* deprecated: AUDIT_VERSION_* */

#define AUDIT_VERSION_LATEST 		AUDIT_FEATURE_BITMAP_ALL

kernel/Makefile

+1 −1
Original line number Diff line number Diff line
@@ -64,7 +64,7 @@ obj-$(CONFIG_SMP) += stop_machine.o 
obj-$(CONFIG_KPROBES_SANITY_TEST) += test_kprobes.o

obj-$(CONFIG_AUDIT) += audit.o auditfilter.o

obj-$(CONFIG_AUDITSYSCALL) += auditsc.o

obj-$(CONFIG_AUDIT_WATCH) += audit_watch.o

obj-$(CONFIG_AUDIT_WATCH) += audit_watch.o audit_fsnotify.o

obj-$(CONFIG_AUDIT_TREE) += audit_tree.o

obj-$(CONFIG_GCOV_KERNEL) += gcov/

obj-$(CONFIG_KPROBES) += kprobes.o

kernel/audit.c

+1 −1
Original line number Diff line number Diff line
@@ -1761,7 +1761,7 @@ void audit_log_name(struct audit_context *context, struct audit_names *n, 
	} else

		audit_log_format(ab, " name=(null)");



	if (n->ino != (unsigned long)-1)

	if (n->ino != AUDIT_INO_UNSET)

		audit_log_format(ab, " inode=%lu"

				 " dev=%02x:%02x mode=%#ho"

				 " ouid=%u ogid=%u rdev=%02x:%02x",

kernel/audit.h

+18 −0
Original line number Diff line number Diff line
@@ -50,6 +50,7 @@ enum audit_state { 


/* Rule lists */

struct audit_watch;

struct audit_fsnotify_mark;

struct audit_tree;

struct audit_chunk;
@@ -252,6 +253,7 @@ struct audit_net { 
extern int selinux_audit_rule_update(void);



extern struct mutex audit_filter_mutex;

extern int audit_del_rule(struct audit_entry *);

extern void audit_free_rule_rcu(struct rcu_head *);

extern struct list_head audit_filter_list[];
@@ -269,6 +271,15 @@ extern int audit_add_watch(struct audit_krule *krule, struct list_head **list); 
extern void audit_remove_watch_rule(struct audit_krule *krule);

extern char *audit_watch_path(struct audit_watch *watch);

extern int audit_watch_compare(struct audit_watch *watch, unsigned long ino, dev_t dev);



extern struct audit_fsnotify_mark *audit_alloc_mark(struct audit_krule *krule, char *pathname, int len);

extern char *audit_mark_path(struct audit_fsnotify_mark *mark);

extern void audit_remove_mark(struct audit_fsnotify_mark *audit_mark);

extern void audit_remove_mark_rule(struct audit_krule *krule);

extern int audit_mark_compare(struct audit_fsnotify_mark *mark, unsigned long ino, dev_t dev);

extern int audit_dupe_exe(struct audit_krule *new, struct audit_krule *old);

extern int audit_exe_compare(struct task_struct *tsk, struct audit_fsnotify_mark *mark);



#else

#define audit_put_watch(w) {}

#define audit_get_watch(w) {}
@@ -278,6 +289,13 @@ extern int audit_watch_compare(struct audit_watch *watch, unsigned long ino, dev 
#define audit_watch_path(w) ""

#define audit_watch_compare(w, i, d) 0



#define audit_alloc_mark(k, p, l) (ERR_PTR(-EINVAL))

#define audit_mark_path(m) ""

#define audit_remove_mark(m)

#define audit_remove_mark_rule(k)

#define audit_mark_compare(m, i, d) 0

#define audit_exe_compare(t, m) (-EINVAL)

#define audit_dupe_exe(n, o) (-EINVAL)

#endif /* CONFIG_AUDIT_WATCH */



#ifdef CONFIG_AUDIT_TREE

CRA Git | Maintained and supported by SUSTech CRA and CCSE