linux-toradex.git/include/linux/audit.h, branch v3.6.4 Linux kernel for Apalis and Colibri modules fs: add link restriction audit reporting 2012-07-29T17:43:08+00:00 Kees Cook keescook@chromium.org 2012-07-26T00:29:08+00:00 a51d9eaa41866ab6b4b6ecad7b621f8b66ece0dc Adds audit messages for unexpected link restriction violations so that system owners will have some sort of potentially actionable information about misbehaving processes. Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 
Adds audit messages for unexpected link restriction violations so that
system owners will have some sort of potentially actionable information
about misbehaving processes.

Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
seccomp: remove duplicated failure logging 2012-04-14T01:13:20+00:00 Kees Cook keescook@chromium.org 2012-04-12T21:47:58+00:00 3dc1c1b2d2ed7507ce8a379814ad75745ff97ebe This consolidates the seccomp filter error logging path and adds more details to the audit log. Signed-off-by: Will Drewry <wad@chromium.org> Signed-off-by: Kees Cook <keescook@chromium.org> Acked-by: Eric Paris <eparis@redhat.com> v18: make compat= permanent in the record v15: added a return code to the audit_seccomp path by wad@chromium.org (suggested by eparis@redhat.com) v*: original by keescook@chromium.org Signed-off-by: James Morris <james.l.morris@oracle.com> 
This consolidates the seccomp filter error logging path and adds more
details to the audit log.

Signed-off-by: Will Drewry <wad@chromium.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Eric Paris <eparis@redhat.com>

v18: make compat= permanent in the record
v15: added a return code to the audit_seccomp path by wad@chromium.org
     (suggested by eparis@redhat.com)
v*: original by keescook@chromium.org
Signed-off-by: James Morris <james.l.morris@oracle.com>
constify path argument of audit_log_d_path() 2012-03-21T01:29:40+00:00 Al Viro viro@zeniv.linux.org.uk 2012-03-15T01:48:20+00:00 66b3fad3f4c535c92b6a1184d535a97d6aa5d82a Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
audit: comparison on interprocess fields 2012-01-17T21:17:03+00:00 Peter Moody pmoody@google.com 2012-01-04T20:24:31+00:00 10d68360871657204885371cdf2594412675d2f9 This allows audit to specify rules in which we compare two fields of a process. Such as is the running process uid != to the running process euid? Signed-off-by: Peter Moody <pmoody@google.com> Signed-off-by: Eric Paris <eparis@redhat.com> 
This allows audit to specify rules in which we compare two fields of a
process.  Such as is the running process uid != to the running process
euid?

Signed-off-by: Peter Moody <pmoody@google.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
audit: implement all object interfield comparisons 2012-01-17T21:17:02+00:00 Peter Moody pmoody@google.com 2011-12-14T00:17:51+00:00 4a6633ed08af5ba67790b4d1adcdeb8ceb55677e This completes the matrix of interfield comparisons between uid/gid information for the current task and the uid/gid information for inodes. aka I can audit based on differences between the euid of the process and the uid of fs objects. Signed-off-by: Peter Moody <pmoody@google.com> Signed-off-by: Eric Paris <eparis@redhat.com> 
This completes the matrix of interfield comparisons between uid/gid
information for the current task and the uid/gid information for inodes.
aka I can audit based on differences between the euid of the process and
the uid of fs objects.

Signed-off-by: Peter Moody <pmoody@google.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
audit: allow interfield comparison between gid and ogid 2012-01-17T21:17:02+00:00 Eric Paris eparis@redhat.com 2012-01-03T19:23:08+00:00 c9fe685f7a17a0ee8bf3fbe51e40b1c8b8e65896 Allow audit rules to compare the gid of the running task to the gid of the inode in question. Signed-off-by: Eric Paris <eparis@redhat.com> 
Allow audit rules to compare the gid of the running task to the gid of the
inode in question.

Signed-off-by: Eric Paris <eparis@redhat.com>
audit: allow interfield comparison in audit rules 2012-01-17T21:17:01+00:00 Eric Paris eparis@redhat.com 2012-01-03T19:23:08+00:00 02d86a568c6d2d335256864451ac8ce781bc5652 We wish to be able to audit when a uid=500 task accesses a file which is uid=0. Or vice versa. This patch introduces a new audit filter type AUDIT_FIELD_COMPARE which takes as an 'enum' which indicates which fields should be compared. At this point we only define the task->uid vs inode->uid, but other comparisons can be added. Signed-off-by: Eric Paris <eparis@redhat.com> 
We wish to be able to audit when a uid=500 task accesses a file which is
uid=0.  Or vice versa.  This patch introduces a new audit filter type
AUDIT_FIELD_COMPARE which takes as an 'enum' which indicates which fields
should be compared.  At this point we only define the task->uid vs
inode->uid, but other comparisons can be added.

Signed-off-by: Eric Paris <eparis@redhat.com>
audit: remove task argument to audit_set_loginuid 2012-01-17T21:17:00+00:00 Eric Paris eparis@redhat.com 2012-01-03T19:23:08+00:00 0a300be6d5be8f66cd96609334710c268d0bfdce The function always deals with current. Don't expose an option pretending one can use it for something. You can't. Signed-off-by: Eric Paris <eparis@redhat.com> 
The function always deals with current.  Don't expose an option
pretending one can use it for something.  You can't.

Signed-off-by: Eric Paris <eparis@redhat.com>
audit: allow audit matching on inode gid 2012-01-17T21:16:59+00:00 Eric Paris eparis@redhat.com 2012-01-03T19:23:07+00:00 54d3218b31aee5bc9c859ae60fbde933d922448b Much like the ability to filter audit on the uid of an inode collected, we should be able to filter on the gid of the inode. Signed-off-by: Eric Paris <eparis@redhat.com> 
Much like the ability to filter audit on the uid of an inode collected, we
should be able to filter on the gid of the inode.

Signed-off-by: Eric Paris <eparis@redhat.com>
audit: allow matching on obj_uid 2012-01-17T21:16:59+00:00 Eric Paris eparis@redhat.com 2012-01-03T19:23:07+00:00 efaffd6e4417860c67576ac760dd6e8bbd15f006 Allow syscall exit filter matching based on the uid of the owner of an inode used in a syscall. aka: auditctl -a always,exit -S open -F obj_uid=0 -F perm=wa Signed-off-by: Eric Paris <eparis@redhat.com> 
Allow syscall exit filter matching based on the uid of the owner of an
inode used in a syscall.  aka:

auditctl -a always,exit -S open -F obj_uid=0 -F perm=wa

Signed-off-by: Eric Paris <eparis@redhat.com>