1. 26 Sep, 2018 1 commit
  2. 18 May, 2018 2 commits
  3. 14 May, 2018 1 commit
  4. 15 Aug, 2017 2 commits
    • Jan Kara's avatar
      audit: Receive unmount event · b5fed474
      Jan Kara authored
      Although audit_watch_handle_event() can handle FS_UNMOUNT event, it is
      not part of AUDIT_FS_WATCH mask and thus such event never gets to
      audit_watch_handle_event(). Thus fsnotify marks are deleted by fsnotify
      subsystem on unmount without audit being notified about that which leads
      to a strange state of existing audit rules with dead fsnotify marks.
      
      Add FS_UNMOUNT to the mask of events to be received so that audit can
      clean up its state accordingly.
      Signed-off-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
      b5fed474
    • Jan Kara's avatar
      audit: Fix use after free in audit_remove_watch_rule() · d76036ab
      Jan Kara authored
      audit_remove_watch_rule() drops watch's reference to parent but then
      continues to work with it. That is not safe as parent can get freed once
      we drop our reference. The following is a trivial reproducer:
      
      mount -o loop image /mnt
      touch /mnt/file
      auditctl -w /mnt/file -p wax
      umount /mnt
      auditctl -D
      <crash in fsnotify_destroy_mark()>
      
      Grab our own reference in audit_remove_watch_rule() earlier to make sure
      mark does not get freed under us.
      
      CC: stable@vger.kernel.org
      Reported-by: default avatarTony Jones <tonyj@suse.de>
      Signed-off-by: default avatarJan Kara <jack@suse.cz>
      Tested-by: default avatarTony Jones <tonyj@suse.de>
      Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
      d76036ab
  5. 02 May, 2017 2 commits
  6. 10 Apr, 2017 4 commits
  7. 05 Dec, 2016 1 commit
  8. 04 Dec, 2016 1 commit
  9. 20 Nov, 2016 1 commit
  10. 31 Aug, 2016 1 commit
  11. 10 Apr, 2016 1 commit
  12. 08 Feb, 2016 1 commit
  13. 22 Jan, 2016 1 commit
    • Al Viro's avatar
      wrappers for ->i_mutex access · 5955102c
      Al Viro authored
      parallel to mutex_{lock,unlock,trylock,is_locked,lock_nested},
      inode_foo(inode) being mutex_foo(&inode->i_mutex).
      
      Please, use those for access to ->i_mutex; over the coming cycle
      ->i_mutex will become rwsem, with ->lookup() done with it held
      only shared.
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      5955102c
  14. 13 Aug, 2015 1 commit
    • Richard Guy Briggs's avatar
      fixup: audit: implement audit by executable · 15ce414b
      Richard Guy Briggs authored
      The Intel build-bot detected a sparse warning with with a patch I posted a
      couple of days ago that was accepted in the audit/next tree:
      
      Subject: [linux-next:master 6689/6751] kernel/audit_watch.c:543:36: sparse: dereference of noderef expression
      Date: Friday, August 07, 2015, 06:57:55 PM
      From: kbuild test robot <fengguang.wu@intel.com>
      tree:   git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
      head:   e6455bc5b91f41f842f30465c9193320f0568707
      commit: 2e3a8aeb63e5335d4f837d453787c71bcb479796 [6689/6751] Merge remote- tracking branch 'audit/next'
      sparse warnings: (new ones prefixed by >>)
      >> kernel/audit_watch.c:543:36: sparse: dereference of noderef expression
         kernel/audit_watch.c:544:28: sparse: dereference of noderef expression
      
      34d99af5 Richard Guy Briggs 2015-08-05  541  int audit_exe_compare(struct task_struct *tsk, struct audit_fsnotify_mark *mark)
      34d99af5 Richard Guy Briggs 2015-08-05  542  {
      34d99af5 Richard Guy Briggs 2015-08-05 @543     unsigned long ino = tsk->mm- >exe_file->f_inode->i_ino;
      34d99af5 Richard Guy Briggs 2015-08-05  544     dev_t dev = tsk->mm->exe_file- >f_inode->i_sb->s_dev;
      
      :::::: The code at line 543 was first introduced by commit
      :::::: 34d99af5 audit: implement audit by executable
      
      tsk->mm->exe_file requires RCU access.  The warning was reproduceable by adding
      "C=1 CF=-D__CHECK_ENDIAN__" to the build command, and verified eliminated with
      this patch.
      Signed-off-by: default avatarRichard Guy Briggs <rgb@redhat.com>
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
      15ce414b
  15. 06 Aug, 2015 2 commits
    • Richard Guy Briggs's avatar
      audit: implement audit by executable · 34d99af5
      Richard Guy Briggs authored
      This adds the ability audit the actions of a not-yet-running process.
      
      This patch implements the ability to filter on the executable path.  Instead of
      just hard coding the ino and dev of the executable we care about at the moment
      the rule is inserted into the kernel, use the new audit_fsnotify
      infrastructure to manage this dynamically.  This means that if the filename
      does not yet exist but the containing directory does, or if the inode in
      question is unlinked and creat'd (aka updated) the rule will just continue to
      work.  If the containing directory is moved or deleted or the filesystem is
      unmounted, the rule is deleted automatically.  A future enhancement would be to
      have the rule survive across directory disruptions.
      
      This is a heavily modified version of a patch originally submitted by Eric
      Paris with some ideas from Peter Moody.
      
      Cc: Peter Moody <peter@hda3.com>
      Cc: Eric Paris <eparis@redhat.com>
      Signed-off-by: default avatarRichard Guy Briggs <rgb@redhat.com>
      [PM: minor whitespace clean to satisfy ./scripts/checkpatch]
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
      34d99af5
    • Richard Guy Briggs's avatar
      audit: use macros for unset inode and device values · 84cb777e
      Richard Guy Briggs authored
      Clean up a number of places were casted magic numbers are used to represent
      unset inode and device numbers in preparation for the audit by executable path
      patch set.
      Signed-off-by: default avatarRichard Guy Briggs <rgb@redhat.com>
      [PM: enclosed the _UNSET macros in parentheses for ./scripts/checkpatch]
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
      84cb777e
  16. 04 Aug, 2015 2 commits
    • Richard Guy Briggs's avatar
      audit: eliminate unnecessary extra layer of watch parent references · aa7c043d
      Richard Guy Briggs authored
      The audit watch parent count was imbalanced, adding an unnecessary layer of
      watch parent references.  Decrement the additional parent reference when a
      watch is reused, already having a reference to the parent.
      
      audit_find_parent() gets a reference to the parent, if the parent is
      already known.  This additional parental reference is not needed if the
      watch is subsequently found by audit_add_to_parent(), and consumed if
      the watch does not already exist, so we need to put the parent if the
      watch is found, and do nothing if this new watch is added to the parent.
      
      If the parent wasn't already known, it is created with a refcount of 1
      and added to the audit_watch_group, then incremented by one to be
      subsequently consumed by the newly created watch in
      audit_add_to_parent().
      
      The rule points to the watch, not to the parent, so the rule's refcount
      gets bumped, not the parent's.
      
      See LKML, 2015-07-16
      Signed-off-by: default avatarRichard Guy Briggs <rgb@redhat.com>
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
      aa7c043d
    • Richard Guy Briggs's avatar
      audit: eliminate unnecessary extra layer of watch references · f8259b26
      Richard Guy Briggs authored
      The audit watch count was imbalanced, adding an unnecessary layer of watch
      references.  Only add the second reference when it is added to a parent.
      Signed-off-by: default avatarRichard Guy Briggs <rgb@redhat.com>
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
      f8259b26
  17. 15 Apr, 2015 1 commit
  18. 23 Sep, 2014 1 commit
    • Burn Alting's avatar
      audit: invalid op= values for rules · e7df61f4
      Burn Alting authored
      Various audit events dealing with adding, removing and updating rules result in
      invalid values set for the op keys which result in embedded spaces in op=
      values.
      
      The invalid values are
              op="add rule"       set in kernel/auditfilter.c
              op="remove rule"    set in kernel/auditfilter.c
              op="remove rule"    set in kernel/audit_tree.c
              op="updated rules"  set in kernel/audit_watch.c
              op="remove rule"    set in kernel/audit_watch.c
      
      Replace the space in the above values with an underscore character ('_').
      Coded-by: default avatarBurn Alting <burn@swtf.dyndns.org>
      Signed-off-by: default avatarRichard Guy Briggs <rgb@redhat.com>
      e7df61f4
  19. 18 Feb, 2014 1 commit
    • Jan Kara's avatar
      inotify: Fix reporting of cookies for inotify events · 45a22f4c
      Jan Kara authored
      My rework of handling of notification events (namely commit 7053aee2
      "fsnotify: do not share events between notification groups") broke
      sending of cookies with inotify events. We didn't propagate the value
      passed to fsnotify() properly and passed 4 uninitialized bytes to
      userspace instead (so it is also an information leak). Sadly I didn't
      notice this during my testing because inotify cookies aren't used very
      much and LTP inotify tests ignore them.
      
      Fix the problem by passing the cookie value properly.
      
      Fixes: 7053aee2Reported-by: default avatarVegard Nossum <vegard.nossum@oracle.com>
      Signed-off-by: default avatarJan Kara <jack@suse.cz>
      45a22f4c
  20. 22 Jan, 2014 3 commits
    • Jan Kara's avatar
      fsnotify: remove pointless NULL initializers · 56b27cf6
      Jan Kara authored
      We usually rely on the fact that struct members not specified in the
      initializer are set to NULL.  So do that with fsnotify function pointers
      as well.
      Signed-off-by: default avatarJan Kara <jack@suse.cz>
      Reviewed-by: default avatarChristoph Hellwig <hch@lst.de>
      Cc: Eric Paris <eparis@parisplace.org>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      56b27cf6
    • Jan Kara's avatar
      fsnotify: remove .should_send_event callback · 83c4c4b0
      Jan Kara authored
      After removing event structure creation from the generic layer there is
      no reason for separate .should_send_event and .handle_event callbacks.
      So just remove the first one.
      Signed-off-by: default avatarJan Kara <jack@suse.cz>
      Reviewed-by: default avatarChristoph Hellwig <hch@lst.de>
      Cc: Eric Paris <eparis@parisplace.org>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      83c4c4b0
    • Jan Kara's avatar
      fsnotify: do not share events between notification groups · 7053aee2
      Jan Kara authored
      Currently fsnotify framework creates one event structure for each
      notification event and links this event into all interested notification
      groups.  This is done so that we save memory when several notification
      groups are interested in the event.  However the need for event
      structure shared between inotify & fanotify bloats the event structure
      so the result is often higher memory consumption.
      
      Another problem is that fsnotify framework keeps path references with
      outstanding events so that fanotify can return open file descriptors
      with its events.  This has the undesirable effect that filesystem cannot
      be unmounted while there are outstanding events - a regression for
      inotify compared to a situation before it was converted to fsnotify
      framework.  For fanotify this problem is hard to avoid and users of
      fanotify should kind of expect this behavior when they ask for file
      descriptors from notified files.
      
      This patch changes fsnotify and its users to create separate event
      structure for each group.  This allows for much simpler code (~400 lines
      removed by this patch) and also smaller event structures.  For example
      on 64-bit system original struct fsnotify_event consumes 120 bytes, plus
      additional space for file name, additional 24 bytes for second and each
      subsequent group linking the event, and additional 32 bytes for each
      inotify group for private data.  After the conversion inotify event
      consumes 48 bytes plus space for file name which is considerably less
      memory unless file names are long and there are several groups
      interested in the events (both of which are uncommon).  Fanotify event
      fits in 56 bytes after the conversion (fanotify doesn't care about file
      names so its events don't have to have it allocated).  A win unless
      there are four or more fanotify groups interested in the event.
      
      The conversion also solves the problem with unmount when only inotify is
      used as we don't have to grab path references for inotify events.
      
      [hughd@google.com: fanotify: fix corruption preventing startup]
      Signed-off-by: default avatarJan Kara <jack@suse.cz>
      Reviewed-by: default avatarChristoph Hellwig <hch@lst.de>
      Cc: Eric Paris <eparis@parisplace.org>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarHugh Dickins <hughd@google.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      7053aee2
  21. 11 Jan, 2013 1 commit
  22. 11 Dec, 2012 1 commit
  23. 12 Oct, 2012 2 commits
  24. 18 Sep, 2012 1 commit
    • Eric W. Biederman's avatar
      userns: Convert the audit loginuid to be a kuid · e1760bd5
      Eric W. Biederman authored
      Always store audit loginuids in type kuid_t.
      
      Print loginuids by converting them into uids in the appropriate user
      namespace, and then printing the resulting uid.
      
      Modify audit_get_loginuid to return a kuid_t.
      
      Modify audit_set_loginuid to take a kuid_t.
      
      Modify /proc/<pid>/loginuid on read to convert the loginuid into the
      user namespace of the opener of the file.
      
      Modify /proc/<pid>/loginud on write to convert the loginuid
      rom the user namespace of the opener of the file.
      
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Eric Paris <eparis@redhat.com>
      Cc: Paul Moore <paul@paul-moore.com> ?
      Cc: David Miller <davem@davemloft.net>
      Signed-off-by: default avatarEric W. Biederman <ebiederm@xmission.com>
      e1760bd5
  25. 14 Jul, 2012 1 commit
    • Al Viro's avatar
      get rid of kern_path_parent() · 79714f72
      Al Viro authored
      all callers want the same thing, actually - a kinda-sorta analog of
      kern_path_create().  I.e. they want parent vfsmount/dentry (with
      ->i_mutex held, to make sure the child dentry is still their child)
      + the child dentry.
      
      Signed-off-by Al Viro <viro@zeniv.linux.org.uk>
      79714f72
  26. 14 Mar, 2011 2 commits
  27. 30 Oct, 2010 1 commit
  28. 12 Aug, 2010 1 commit