)]}' { "log": [ { "commit": "13541b3adad2dc2f56761c5193c2b88db3597f0e", "tree": "ef5dfff5135ecb91ccb379d351c9bc5f491e080a", "parents": [ "8cc44579d1bd77ba3a32f2cb76fd9669c229c5fd" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Tue Jan 29 08:44:23 2008 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jan 30 08:17:29 2008 +1100" }, "message": "NetLabel: Add auditing to the static labeling mechanism\n\nThis patch adds auditing support to the NetLabel static labeling mechanism.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "74c3cbe33bc077ac1159cadfea608b501e100344", "tree": "4c4023caa4e15d19780255fa5880df3d36eb292c", "parents": [ "455434d450a358ac5bcf3fc58f8913d13c544622" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Sun Jul 22 08:04:18 2007 -0400" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Sun Oct 21 02:37:45 2007 -0400" }, "message": "[PATCH] audit: watching subtrees\n\nNew kind of audit rule predicates: \"object is visible in given subtree\".\nThe part that can be sanely implemented, that is. Limitations:\n\t* if you have hardlink from outside of tree, you\u0027d better watch\nit too (or just watch the object itself, obviously)\n\t* if you mount something under a watched tree, tell audit\nthat new chunk should be added to watched subtrees\n\t* if you umount something in a watched tree and it\u0027s still mounted\nelsewhere, you will get matches on events happening there. New command\ntells audit to recalculate the trees, trimming such sources of false\npositives.\n\nNote that it\u0027s _not_ about path - if something mounted in several places\n(multiple mount, bindings, different namespaces, etc.), the match does\n_not_ depend on which one we are using for access.\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "5a190ae69766da9a34bf31200c5cea4c0667cf94", "tree": "340c500fe42518abe6d1159a00619b1bd02f07fc", "parents": [ "cfa76f024f7c9e65169425804e5b32e71f66d0ee" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Thu Jun 07 12:19:32 2007 -0400" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Sun Oct 21 02:37:18 2007 -0400" }, "message": "[PATCH] pass dentry to audit_inode()/audit_inode_child()\n\nmakes caller simpler *and* allows to scan ancestors\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "ab5f5e8b144e4c804ef3aa1ce08a9ca9f01187ce", "tree": "bf3915a618b29f507d882e9c665ed9d07e7c0765", "parents": [ "d2e9117c7aa9544d910634e17e3519fd67155229" ], "author": { "name": "Joy Latten", "email": "latten@austin.ibm.com", "time": "Mon Sep 17 11:51:22 2007 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Wed Oct 10 16:49:02 2007 -0700" }, "message": "[XFRM]: xfrm audit calls\n\nThis patch modifies the current ipsec audit layer\nby breaking it up into purpose driven audit calls.\n\nSo far, the only audit calls made are when add/delete\nan SA/policy. It had been discussed to give each\nkey manager it\u0027s own calls to do this, but I found\nthere to be much redundnacy since they did the exact\nsame things, except for how they got auid and sid, so I\ncombined them. The below audit calls can be made by any\nkey manager. Hopefully, this is ok.\n\nSigned-off-by: Joy Latten \u003clatten@austin.ibm.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "6dc2c1b7798ef645213afc82f6d5eac3d61bc18b", "tree": "1f6edacc42a38d836556d7bba52f2321e0397d89", "parents": [ "1ff6f3dbfb366b464869d3558406e498cb3e1159" ], "author": { "name": "Miloslav Trmac", "email": "mitr@redhat.com", "time": "Thu Aug 23 10:19:53 2007 +0100" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Thu Aug 23 21:37:45 2007 -0700" }, "message": "Renumber AUDIT_TTY_[GS]ET\n\nRenumber AUDIT_TTY_[GS]ET to avoid a conflict with netlink message types\nalready used in the wild.\n\nSigned-off-by: Miloslav Trmac \u003cmitr@redhat.com\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "4259fa01a2d2aa3e589b34ba7624080232d9c1ff", "tree": "3aa83d784c4db22f3b62e4d963757497555c5e5c", "parents": [ "74f2345b6be1410f824cb7dd638d2c10a9709379" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Thu Jun 07 11:13:31 2007 -0400" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Sun Jul 22 09:57:02 2007 -0400" }, "message": "[PATCH] get rid of AVC_PATH postponed treatment\n\n Selinux folks had been complaining about the lack of AVC_PATH\nrecords when audit is disabled. I must admit my stupidity - I assumed\nthat avc_audit() really couldn\u0027t use audit_log_d_path() because of\ndeadlocks (\u003d\u003d could be called with dcache_lock or vfsmount_lock held).\nShouldn\u0027t have made that assumption - it never gets called that way.\nIt _is_ called under spinlocks, but not those.\n\n Since audit_log_d_path() uses ab-\u003egfp_mask for allocations,\nkmalloc() in there is not a problem. IOW, the simple fix is sufficient:\nlet\u0027s rip AUDIT_AVC_PATH out and simply generate pathname as part of main\nrecord. It\u0027s trivial to do.\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "74f2345b6be1410f824cb7dd638d2c10a9709379", "tree": "a9cbdb517eb01b04de3e641d87ef42ad186e91e3", "parents": [ "c926e4f432af0f61ac2b9b637fb51a4871a3fc91" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Jun 04 17:00:14 2007 -0400" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Sun Jul 22 09:57:02 2007 -0400" }, "message": "[PATCH] allow audit filtering on bit \u0026 operations\n\nRight now the audit filter can match on \u003d !\u003d \u003e \u003c \u003e\u003d blah blah blah.\nThis allow the filter to also look at bitwise AND operations, \u0026\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "522ed7767e800cff6c650ec64b0ee0677303119c", "tree": "f65ecb29f2cf885018d3557f840de3ef4be6ec64", "parents": [ "4f27c00bf80f122513d3a5be16ed851573164534" ], "author": { "name": "Miloslav Trmac", "email": "mitr@redhat.com", "time": "Sun Jul 15 23:40:56 2007 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Mon Jul 16 09:05:47 2007 -0700" }, "message": "Audit: add TTY input auditing\n\nAdd TTY input auditing, used to audit system administrator\u0027s actions. This is\nrequired by various security standards such as DCID 6/3 and PCI to provide\nnon-repudiation of administrator\u0027s actions and to allow a review of past\nactions if the administrator seems to overstep their duties or if the system\nbecomes misconfigured for unknown reasons. These requirements do not make it\nnecessary to audit TTY output as well.\n\nCompared to an user-space keylogger, this approach records TTY input using the\naudit subsystem, correlated with other audit events, and it is completely\ntransparent to the user-space application (e.g. the console ioctls still\nwork).\n\nTTY input auditing works on a higher level than auditing all system calls\nwithin the session, which would produce an overwhelming amount of mostly\nuseless audit events.\n\nAdd an \"audit_tty\" attribute, inherited across fork (). Data read from TTYs\nby process with the attribute is sent to the audit subsystem by the kernel.\nThe audit netlink interface is extended to allow modifying the audit_tty\nattribute, and to allow sending explanatory audit events from user-space (for\nexample, a shell might send an event containing the final command, after the\ninteractive command-line editing and history expansion is performed, which\nmight be difficult to decipher from the TTY input alone).\n\nBecause the \"audit_tty\" attribute is inherited across fork (), it would be set\ne.g. for sshd restarted within an audited session. To prevent this, the\naudit_tty attribute is cleared when a process with no open TTY file\ndescriptors (e.g. after daemon startup) opens a TTY.\n\nSee https://www.redhat.com/archives/linux-audit/2007-June/msg00000.html for a\nmore detailed rationale document for an older version of this patch.\n\n[akpm@linux-foundation.org: build fix]\nSigned-off-by: Miloslav Trmac \u003cmitr@redhat.com\u003e\nCc: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nCc: Alan Cox \u003calan@lxorguk.ukuu.org.uk\u003e\nCc: Paul Fulghum \u003cpaulkf@microgate.com\u003e\nCc: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\nCc: Steve Grubb \u003csgrubb@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "0a4ff8c2598b72f2fa9d50aae9e1809e684dbf41", "tree": "309f2b2b5874692302862534cd9052a1d96018ba", "parents": [ "5712e88f2b0f626a4857c24128810bbf8ce09537" ], "author": { "name": "Steve Grubb", "email": "sgrubb@redhat.com", "time": "Thu Apr 19 10:28:21 2007 -0400" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Fri May 11 05:38:26 2007 -0400" }, "message": "[PATCH] Abnormal End of Processes\n\nHi,\n\nI have been working on some code that detects abnormal events based on audit\nsystem events. One kind of event that we currently have no visibility for is\nwhen a program terminates due to segfault - which should never happen on a\nproduction machine. And if it did, you\u0027d want to investigate it. Attached is a\npatch that collects these events and sends them into the audit system.\n\nSigned-off-by: Steve Grubb \u003csgrubb@redhat.com\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "4fc03b9beb2314f3adb9e72b7935a80c577954d1", "tree": "81e04534c582923fcdc8212497d1487ddae412a8", "parents": [ "510f4006e7a82b37b53c17bbe64ec20f3a59302b" ], "author": { "name": "Amy Griffis", "email": "amy.griffis@hp.com", "time": "Tue Feb 13 14:15:01 2007 -0500" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Fri May 11 05:38:26 2007 -0400" }, "message": "[PATCH] complete message queue auditing\n\nHandle the edge cases for POSIX message queue auditing. Collect inode\ninfo when opening an existing mq, and for send/receive operations. Remove\naudit_inode_update() as it has really evolved into the equivalent of\naudit_inode().\n\nSigned-off-by: Amy Griffis \u003camy.griffis@hp.com\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "e54dc2431d740a79a6bd013babade99d71b1714f", "tree": "16b0990d5c16946239a17b332f54b5918fb03305", "parents": [ "7f13da40e36c84d0d046b7adbd060af7d3717250" ], "author": { "name": "Amy Griffis", "email": "amy.griffis@hp.com", "time": "Thu Mar 29 18:01:04 2007 -0400" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Fri May 11 05:38:25 2007 -0400" }, "message": "[PATCH] audit signal recipients\n\nWhen auditing syscalls that send signals, log the pid and security\ncontext for each target process. Optimize the data collection by\nadding a counter for signal-related rules, and avoiding allocating an\naux struct unless we have more than one target process. For process\ngroups, collect pid/context data in blocks of 16. Move the\naudit_signal_info() hook up in check_kill_permission() so we audit\nattempts where permission is denied.\n\nSigned-off-by: Amy Griffis \u003camy.griffis@hp.com\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "7f13da40e36c84d0d046b7adbd060af7d3717250", "tree": "3cf0c58f674be94a7237734367ee5c04a5f223bc", "parents": [ "a5cb013da773a67ee48d1c19e96436c22a73a7eb" ], "author": { "name": "Amy Griffis", "email": "amy.griffis@hp.com", "time": "Thu Mar 29 18:00:37 2007 -0400" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Fri May 11 05:38:25 2007 -0400" }, "message": "[PATCH] add SIGNAL syscall class (v3)\n\nAdd a syscall class for sending signals.\n\nSigned-off-by: Amy Griffis \u003camy.griffis@hp.com\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "a5cb013da773a67ee48d1c19e96436c22a73a7eb", "tree": "8832d105c4742674423bd50352b8a4805c44fecc", "parents": [ "129a84de2347002f09721cda3155ccfd19fade40" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Tue Mar 20 13:58:35 2007 -0400" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Fri May 11 05:38:25 2007 -0400" }, "message": "[PATCH] auditing ptrace\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "3b46e650165f691a30ddede1a79d2df02f3459d7", "tree": "90cc53677412986b28d31001faa5e5a980cba7fe", "parents": [ "f991633de626a5f16069d00e26b45142e037ce24" ], "author": { "name": "Jeff Dike", "email": "jdike@addtoit.com", "time": "Tue Mar 06 01:42:17 2007 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Tue Mar 06 09:30:25 2007 -0800" }, "message": "[PATCH] linux/audit.h needs linux/types.h\n\nInclude linux/types.h here because we need a definition of __u32. This file\nappears not be exported verbatim by libc, so I think this doesn\u0027t have any\nuserspace consequences.\n\nSigned-off-by: Jeff Dike \u003cjdike@linux.intel.com\u003e\nCc: Paolo \u0027Blaisorblade\u0027 Giarrusso \u003cblaisorblade@yahoo.it\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "db3495099d3d52854b13874905af6e40a91f4721", "tree": "5a832081d70dd9dabda3498baf40b7d6ced47f24", "parents": [ "6a01b07fae482f9b34491b317056c89d3b96ca2e" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Wed Feb 07 01:48:00 2007 -0500" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Sat Feb 17 21:30:15 2007 -0500" }, "message": "[PATCH] AUDIT_FD_PAIR\n\nProvide an audit record of the descriptor pair returned by pipe() and\nsocketpair(). Rewritten from the original posted to linux-audit by\nJohn D. Ramsdell \u003cramsdell@mitre.org\u003e\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "161a09e737f0761ca064ee6a907313402f7a54b6", "tree": "80fdf6dc5de73d810ef0ec811299a5ec3c5ce23e", "parents": [ "95b99a670df31ca5271f503f378e5cac3aee8f5e" ], "author": { "name": "Joy Latten", "email": "latten@austin.ibm.com", "time": "Mon Nov 27 13:11:54 2006 -0600" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Wed Dec 06 20:14:22 2006 -0800" }, "message": "audit: Add auditing to ipsec\n\nAn audit message occurs when an ipsec SA\nor ipsec policy is created/deleted.\n\nSigned-off-by: Joy Latten \u003clatten@austin.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "c8e649ba908954447e9a095677f6a6c8e50a37b2", "tree": "7a02cf7ed8222e9f62b3a53f9eba8d13354e268f", "parents": [ "ac9910ce017ff5f86f3a25e969b2c4f5d6ac438f" ], "author": { "name": "Steve Grubb", "email": "sgrubb@redhat.com", "time": "Fri Sep 29 11:56:49 2006 -0400" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Wed Oct 04 08:31:24 2006 -0400" }, "message": "[PATCH] message types updated\n\nHi,\n\nThis patch adds a new type for 3rd party module use and cleans up a deprecated\nmessage type.\n\nSigned-off-by: Steve Grubb \u003csgrubb@redhat.com\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "95d4e6be25a68cd9fbe8c0d356b585504d8db1c7", "tree": "2133c970e6786bdf82004ace225b6bca19b9ddba", "parents": [ "d6c641026dec68acfb4b0baa98aad960e963ed97" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Fri Sep 29 17:05:05 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Fri Sep 29 17:05:05 2006 -0700" }, "message": "[NetLabel]: audit fixups due to delayed feedback\n\nFix some issues Steve Grubb had with the way NetLabel was using the audit\nsubsystem. This should make NetLabel more consistent with other kernel\ngenerated audit messages specifying configuration changes.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: Steve Grubb \u003csgrubb@redhat.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "32f50cdee666333168b5203c7864bede159f789e", "tree": "c4989cc2521551714f656d60f6b895232ffdeda6", "parents": [ "8ea333eb5da3e3219f570220c56bca09f6f4d25a" ], "author": { "name": "Paul Moore", "email": "paul.moore@hp.com", "time": "Thu Sep 28 14:51:47 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Thu Sep 28 18:03:09 2006 -0700" }, "message": "[NetLabel]: add audit support for configuration changes\n\nThis patch adds audit support to NetLabel, including six new audit message\ntypes shown below.\n\n #define AUDIT_MAC_UNLBL_ACCEPT 1406\n #define AUDIT_MAC_UNLBL_DENY 1407\n #define AUDIT_MAC_CIPSOV4_ADD 1408\n #define AUDIT_MAC_CIPSOV4_DEL 1409\n #define AUDIT_MAC_MAP_ADD 1410\n #define AUDIT_MAC_MAP_DEL 1411\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "55669bfa141b488be865341ed12e188967d11308", "tree": "efeec37a93f46c48937eb849c083da9a42ed3709", "parents": [ "dc104fb3231f11e95b5a0f09ae3ab27a8fd5b2e8" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Thu Aug 31 19:26:40 2006 -0400" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Mon Sep 11 13:32:30 2006 -0400" }, "message": "[PATCH] audit: AUDIT_PERM support\n\nadd support for AUDIT_PERM predicate\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "dc104fb3231f11e95b5a0f09ae3ab27a8fd5b2e8", "tree": "2db993a72a4eac79841f531e2961576bf9fb56d7", "parents": [ "c08037997d4ae3e9a679fbdb46ed47c957916e14" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Thu Aug 31 19:05:56 2006 -0400" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Mon Sep 11 13:32:27 2006 -0400" }, "message": "[PATCH] audit: more syscall classes added\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "5ac3a9c26c1cc4861d9cdd8b293fecbfcdc81afe", "tree": "6ca960fade3253ac358f3614e6a07361fc90d09e", "parents": [ "d51374adf5f2f88155a072d3d801104e3c0c3d7f" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Sun Jul 16 06:38:45 2006 -0400" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Thu Aug 03 10:59:42 2006 -0400" }, "message": "[PATCH] don\u0027t bother with aux entires for dummy context\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "d51374adf5f2f88155a072d3d801104e3c0c3d7f", "tree": "2b87e74cdb43fca5635cc25fb5a419cbb686ce00", "parents": [ "471a5c7c839114cc8b55876203aeb2817c33e3c5" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Thu Aug 03 10:59:26 2006 -0400" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Thu Aug 03 10:59:26 2006 -0400" }, "message": "[PATCH] mark context of syscall entered with no rules as dummy\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "471a5c7c839114cc8b55876203aeb2817c33e3c5", "tree": "a034011f4efe66adcdca6e21efc2e05b0c0d3e34", "parents": [ "5422e01ac16df7398b2bad1eccad0ae3be4dee32" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Mon Jul 10 08:29:24 2006 -0400" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Thu Aug 03 10:55:18 2006 -0400" }, "message": "[PATCH] introduce audit rules counter\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "73d3ec5abad3f1730ac8530899d2c14d92f3ad63", "tree": "c2829a1e36ca155eecc7d4b8648fe9755247bec5", "parents": [ "3e2efce067cec0099f99ae59f28feda99b02b498" ], "author": { "name": "Amy Griffis", "email": "amy.griffis@hp.com", "time": "Thu Jul 13 13:16:39 2006 -0400" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Thu Aug 03 10:50:30 2006 -0400" }, "message": "[PATCH] fix missed create event for directory audit\n\nWhen an object is created via a symlink into an audited directory, audit misses\nthe event due to not having collected the inode data for the directory. Modify\n__audit_inode_child() to copy the parent inode data if a parent wasn\u0027t found in\naudit_names[].\n\nSigned-off-by: Amy Griffis \u003camy.griffis@hp.com\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "3e2efce067cec0099f99ae59f28feda99b02b498", "tree": "94577cb6cb7f223319bb89a805b2d6945d42632e", "parents": [ "46f5960fdbf359f0c75989854bbaebc1de7a1eb4" ], "author": { "name": "Amy Griffis", "email": "amy.griffis@hp.com", "time": "Thu Jul 13 13:16:02 2006 -0400" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Thu Aug 03 10:50:21 2006 -0400" }, "message": "[PATCH] fix faulty inode data collection for open() with O_CREAT\n\nWhen the specified path is an existing file or when it is a symlink, audit\ncollects the wrong inode number, which causes it to miss the open() event.\nAdding a second hook to the open() path fixes this.\n\nAlso add audit_copy_inode() to consolidate some code.\n\nSigned-off-by: Amy Griffis \u003camy.griffis@hp.com\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "b915543b46a2aa599fdd2169e51bcfd88812a12b", "tree": "8025e6654829d4c245b5b6b6f47a84543ebffb7b", "parents": [ "6e5a2d1d32596850a0ebf7fb3e54c0d69901dabd" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Sat Jul 01 03:56:16 2006 -0400" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Sat Jul 01 07:44:10 2006 -0400" }, "message": "[PATCH] audit syscall classes\n\nAllow to tie upper bits of syscall bitmap in audit rules to kernel-defined\nsets of syscalls. Infrastructure, a couple of classes (with 32bit counterparts\nfor biarch targets) and actual tie-in on i386, amd64 and ia64.\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "3a6b9f85c641a3b89420b0c8150ed377526a1fe1", "tree": "e44e64edf0620d3f6da443c57540b09882231459", "parents": [ "5adc8a6adc91c4c85a64c75a70a619fffc924817" ], "author": { "name": "Darrel Goeddel", "email": "dgoeddel@trustedcs.com", "time": "Thu Jun 29 16:56:39 2006 -0500" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Sat Jul 01 05:44:08 2006 -0400" }, "message": "[PATCH] audit: rename AUDIT_SE_* constants\n\nThis patch renames some audit constant definitions and adds\nadditional definitions used by the following patch. The renaming\navoids ambiguity with respect to the new definitions.\n\nSigned-off-by: Darrel Goeddel \u003cdgoeddel@trustedcs.com\u003e\n\n include/linux/audit.h | 15 ++++++++----\n kernel/auditfilter.c | 50 ++++++++++++++++++++---------------------\n kernel/auditsc.c | 10 ++++----\n security/selinux/ss/services.c | 32 +++++++++++++-------------\n 4 files changed, 56 insertions(+), 51 deletions(-)\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "5adc8a6adc91c4c85a64c75a70a619fffc924817", "tree": "ace9af6bbc3cf711f43cfd88e834baeb6989ca3f", "parents": [ "9262e9149f346a5443300f8c451b8e7631e81a42" ], "author": { "name": "Amy Griffis", "email": "amy.griffis@hp.com", "time": "Wed Jun 14 18:45:21 2006 -0400" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Sat Jul 01 05:43:06 2006 -0400" }, "message": "[PATCH] add rule filterkey\n\nAdd support for a rule key, which can be used to tie audit records to audit\nrules. This is useful when a watched file is accessed through a link or\nsymlink, as well as for general audit log analysis.\n\nBecause this patch uses a string key instead of an integer key, there is a bit\nof extra overhead to do the kstrdup() when a rule fires. However, we\u0027re also\nallocating memory for the audit record buffer, so it\u0027s probably not that\nsignificant. I went ahead with a string key because it seems more\nuser-friendly.\n\nNote that the user must ensure that filterkeys are unique. The kernel only\nchecks for duplicate rules.\n\nSigned-off-by: Amy Griffis \u003camy.griffis@hpd.com\u003e\n" }, { "commit": "d9eaec9e295a84a80b663996d0489fcff3a1dca9", "tree": "85cfc09bb5f0eb42d3be7dfbddaad31353307796", "parents": [ "cee4cca740d209bcb4b9857baa2253d5ba4e3fbe", "41757106b9ca7867dafb2404d618f947b4786fd7" ], "author": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Tue Jun 20 15:37:56 2006 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Tue Jun 20 15:37:56 2006 -0700" }, "message": "Merge branch \u0027audit.b21\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit-current\n\n* \u0027audit.b21\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit-current: (25 commits)\n [PATCH] make set_loginuid obey audit_enabled\n [PATCH] log more info for directory entry change events\n [PATCH] fix AUDIT_FILTER_PREPEND handling\n [PATCH] validate rule fields\u0027 types\n [PATCH] audit: path-based rules\n [PATCH] Audit of POSIX Message Queue Syscalls v.2\n [PATCH] fix se_sen audit filter\n [PATCH] deprecate AUDIT_POSSBILE\n [PATCH] inline more audit helpers\n [PATCH] proc_loginuid_write() uses simple_strtoul() on non-terminated array\n [PATCH] update of IPC audit record cleanup\n [PATCH] minor audit updates\n [PATCH] fix audit_krule_to_{rule,data} return values\n [PATCH] add filtering by ppid\n [PATCH] log ppid\n [PATCH] collect sid of those who send signals to auditd\n [PATCH] execve argument logging\n [PATCH] fix deadlocks in AUDIT_LIST/AUDIT_LIST_RULES\n [PATCH] audit_panic() is audit-internal\n [PATCH] inotify (5/5): update kernel documentation\n ...\n\nManual fixup of conflict in unclude/linux/inotify.h\n" }, { "commit": "9c937dcc71021f2dbf78f904f03d962dd9bcc130", "tree": "6ab53c1cf1235515307d521cecc4f76afa34e137", "parents": [ "6a2bceec0ea7fdc47aef9a3f2f771c201eaabe5d" ], "author": { "name": "Amy Griffis", "email": "amy.griffis@hp.com", "time": "Thu Jun 08 23:19:31 2006 -0400" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Tue Jun 20 05:25:28 2006 -0400" }, "message": "[PATCH] log more info for directory entry change events\n\nWhen an audit event involves changes to a directory entry, include\na PATH record for the directory itself. A few other notable changes:\n\n - fixed audit_inode_child() hooks in fsnotify_move()\n - removed unused flags arg from audit_inode()\n - added audit log routines for logging a portion of a string\n\nHere\u0027s some sample output.\n\nbefore patch:\ntype\u003dSYSCALL msg\u003daudit(1149821605.320:26): arch\u003d40000003 syscall\u003d39 success\u003dyes exit\u003d0 a0\u003dbf8d3c7c a1\u003d1ff a2\u003d804e1b8 a3\u003dbf8d3c7c items\u003d1 ppid\u003d739 pid\u003d800 auid\u003d0 uid\u003d0 gid\u003d0 euid\u003d0 suid\u003d0 fsuid\u003d0 egid\u003d0 sgid\u003d0 fsgid\u003d0 tty\u003dttyS0 comm\u003d\"mkdir\" exe\u003d\"/bin/mkdir\" subj\u003droot:system_r:unconfined_t:s0-s0:c0.c255\ntype\u003dCWD msg\u003daudit(1149821605.320:26): cwd\u003d\"/root\"\ntype\u003dPATH msg\u003daudit(1149821605.320:26): item\u003d0 name\u003d\"foo\" parent\u003d164068 inode\u003d164010 dev\u003d03:00 mode\u003d040755 ouid\u003d0 ogid\u003d0 rdev\u003d00:00 obj\u003droot:object_r:user_home_t:s0\n\nafter patch:\ntype\u003dSYSCALL msg\u003daudit(1149822032.332:24): arch\u003d40000003 syscall\u003d39 success\u003dyes exit\u003d0 a0\u003dbfdd9c7c a1\u003d1ff a2\u003d804e1b8 a3\u003dbfdd9c7c items\u003d2 ppid\u003d714 pid\u003d777 auid\u003d0 uid\u003d0 gid\u003d0 euid\u003d0 suid\u003d0 fsuid\u003d0 egid\u003d0 sgid\u003d0 fsgid\u003d0 tty\u003dttyS0 comm\u003d\"mkdir\" exe\u003d\"/bin/mkdir\" subj\u003droot:system_r:unconfined_t:s0-s0:c0.c255\ntype\u003dCWD msg\u003daudit(1149822032.332:24): cwd\u003d\"/root\"\ntype\u003dPATH msg\u003daudit(1149822032.332:24): item\u003d0 name\u003d\"/root\" inode\u003d164068 dev\u003d03:00 mode\u003d040750 ouid\u003d0 ogid\u003d0 rdev\u003d00:00 obj\u003droot:object_r:user_home_dir_t:s0\ntype\u003dPATH msg\u003daudit(1149822032.332:24): item\u003d1 name\u003d\"foo\" inode\u003d164010 dev\u003d03:00 mode\u003d040755 ouid\u003d0 ogid\u003d0 rdev\u003d00:00 obj\u003droot:object_r:user_home_t:s0\n\nSigned-off-by: Amy Griffis \u003camy.griffis@hp.com\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "f368c07d7214a7c41dfceb76c8db473b850f0229", "tree": "e3f1e2d1a6ffbe61bf99ece51b906654728db4c9", "parents": [ "20ca73bc792be9625af184cbec36e1372611d1c3" ], "author": { "name": "Amy Griffis", "email": "amy.griffis@hp.com", "time": "Fri Apr 07 16:55:56 2006 -0400" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Tue Jun 20 05:25:27 2006 -0400" }, "message": "[PATCH] audit: path-based rules\n\nIn this implementation, audit registers inotify watches on the parent\ndirectories of paths specified in audit rules. When audit\u0027s inotify\nevent handler is called, it updates any affected rules based on the\nfilesystem event. If the parent directory is renamed, removed, or its\nfilesystem is unmounted, audit removes all rules referencing that\ninotify watch.\n\nTo keep things simple, this implementation limits location-based\nauditing to the directory entries in an existing directory. Given\na path-based rule for /foo/bar/passwd, the following table applies:\n\n passwd modified -- audit event logged\n passwd replaced -- audit event logged, rules list updated\n bar renamed -- rule removed\n foo renamed -- untracked, meaning that the rule now applies to\n\t\t the new location\n\nAudit users typically want to have many rules referencing filesystem\nobjects, which can significantly impact filtering performance. This\npatch also adds an inode-number-based rule hash to mitigate this\nsituation.\n\nThe patch is relative to the audit git tree:\nhttp://kernel.org/git/?p\u003dlinux/kernel/git/viro/audit-current.git;a\u003dsummary\nand uses the inotify kernel API:\nhttp://lkml.org/lkml/2006/6/1/145\n\nSigned-off-by: Amy Griffis \u003camy.griffis@hp.com\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "20ca73bc792be9625af184cbec36e1372611d1c3", "tree": "98a1232ad3c9baa14676b2b48fab79a3df4a20b0", "parents": [ "8ba8e0fbe6321961f6ba04e2fd7215b37d935c83" ], "author": { "name": "George C. Wilson", "email": "ltcgcw@us.ibm.com", "time": "Wed May 24 16:09:55 2006 -0500" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Tue Jun 20 05:25:26 2006 -0400" }, "message": "[PATCH] Audit of POSIX Message Queue Syscalls v.2\n\nThis patch adds audit support to POSIX message queues. It applies cleanly to\nthe lspp.b15 branch of Al Viro\u0027s git tree. There are new auxiliary data\nstructures, and collection and emission routines in kernel/auditsc.c. New hooks\nin ipc/mqueue.c collect arguments from the syscalls.\n\nI tested the patch by building the examples from the POSIX MQ library tarball.\nBuild them -lrt, not against the old MQ library in the tarball. Here\u0027s the URL:\nhttp://www.geocities.com/wronski12/posix_ipc/libmqueue-4.41.tar.gz\nDo auditctl -a exit,always -S for mq_open, mq_timedsend, mq_timedreceive,\nmq_notify, mq_getsetattr. mq_unlink has no new hooks. Please see the\ncorresponding userspace patch to get correct output from auditd for the new\nrecord types.\n\n[fixes folded]\n\nSigned-off-by: George Wilson \u003cltcgcw@us.ibm.com\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "d8945bb51a2bb6623cfa36b9ff63594f46d513aa", "tree": "b369c9b853e90790a04baa70ee66a2ef9e15fd18", "parents": [ "e0182909297da8d38a5d473ae7bee3d0324632a1" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Thu May 18 16:01:30 2006 -0400" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Tue Jun 20 05:25:25 2006 -0400" }, "message": "[PATCH] inline more audit helpers\n\npull checks for -\u003eaudit_context into inlined wrappers\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "ac03221a4fdda9bfdabf99bcd129847f20fc1d80", "tree": "9b65ede238b03007bfe5e25f46efca68ec0994e0", "parents": [ "5d136a010de3bc16fe595987feb9ef8868f064c2" ], "author": { "name": "Linda Knippers", "email": "linda.knippers@hp.com", "time": "Tue May 16 22:03:48 2006 -0400" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Tue Jun 20 05:25:24 2006 -0400" }, "message": "[PATCH] update of IPC audit record cleanup\n\nThe following patch addresses most of the issues with the IPC_SET_PERM\nrecords as described in:\nhttps://www.redhat.com/archives/linux-audit/2006-May/msg00010.html\nand addresses the comments I received on the record field names.\n\nTo summarize, I made the following changes:\n\n1. Changed sys_msgctl() and semctl_down() so that an IPC_SET_PERM\n record is emitted in the failure case as well as the success case.\n This matches the behavior in sys_shmctl(). I could simplify the\n code in sys_msgctl() and semctl_down() slightly but it would mean\n that in some error cases we could get an IPC_SET_PERM record\n without an IPC record and that seemed odd.\n\n2. No change to the IPC record type, given no feedback on the backward\n compatibility question.\n\n3. Removed the qbytes field from the IPC record. It wasn\u0027t being\n set and when audit_ipc_obj() is called from ipcperms(), the\n information isn\u0027t available. If we want the information in the IPC\n record, more extensive changes will be necessary. Since it only\n applies to message queues and it isn\u0027t really permission related, it\n doesn\u0027t seem worth it.\n\n4. Removed the obj field from the IPC_SET_PERM record. This means that\n the kern_ipc_perm argument is no longer needed.\n\n5. Removed the spaces and renamed the IPC_SET_PERM field names. Replaced iuid and\n igid fields with ouid and ogid in the IPC record.\n\nI tested this with the lspp.22 kernel on an x86_64 box. I believe it\napplies cleanly on the latest kernel.\n\n-- ljk\n\nSigned-off-by: Linda Knippers \u003clinda.knippers@hp.com\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "3c66251e573219a0532a5a07381b2f60a412d9eb", "tree": "b047b25d28ae1abe6bb81daba886e44e0a82094f", "parents": [ "f46038ff7d23ae092d61b366332c05aab8227b48" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Sat May 06 08:26:27 2006 -0400" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Tue Jun 20 05:25:22 2006 -0400" }, "message": "[PATCH] add filtering by ppid\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "e1396065e0489f98b35021b97907ab4edbfb24e1", "tree": "a276ea0a2ece9132d435adf1a1f82d0ada1ae938", "parents": [ "473ae30bc7b1dda5c5791c773f95e9424ddfead9" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Thu May 25 10:19:47 2006 -0400" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Tue Jun 20 05:25:21 2006 -0400" }, "message": "[PATCH] collect sid of those who send signals to auditd\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "473ae30bc7b1dda5c5791c773f95e9424ddfead9", "tree": "541f6f20b9131fcfb650ca491e291d3c6b148a1b", "parents": [ "9044e6bca5a4a575d3c068dfccb5651a2d6a13bc" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Wed Apr 26 14:04:08 2006 -0400" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Tue Jun 20 05:25:21 2006 -0400" }, "message": "[PATCH] execve argument logging\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "bc0f3b8ebba611291fdaa2864dbffd2d29336c64", "tree": "08418bb535747731348609b5ca2ddbbd8fa0f510", "parents": [ "0edce197db00094d04c7fb147903add814c9db67" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Mon May 22 01:36:34 2006 -0400" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Tue Jun 20 05:25:20 2006 -0400" }, "message": "[PATCH] audit_panic() is audit-internal\n\n... no need to provide a stub; note that extern is already gone from\ninclude/linux/audit.h\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "5047f09b56d0bc3c21aec9cb16de60283da645c6", "tree": "09a07554b933c3bb912ce3bfc0ea7c7e1f16041c", "parents": [ "c0f1fe00c3923135b2c2f443448585482da8a53e", "5528e568a760442e0ec8fd2dea1f0791875a066b" ], "author": { "name": "David Woodhouse", "email": "dwmw2@infradead.org", "time": "Sat May 06 19:59:18 2006 +0100" }, "committer": { "name": "David Woodhouse", "email": "dwmw2@infradead.org", "time": "Sat May 06 19:59:18 2006 +0100" }, "message": "Merge git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux-2.6\n\nSigned-off-by: David Woodhouse \u003cdwmw2@infradead.org\u003e\n" }, { "commit": "073115d6b29c7910feaa08241c6484637f5ca958", "tree": "5fd32da9f54b3c12b65d3c0142fb9bdf87dc01c3", "parents": [ "ce29b682e228c70cdc91a1b2935c5adb2087bab8" ], "author": { "name": "Steve Grubb", "email": "sgrubb@redhat.com", "time": "Sun Apr 02 17:07:33 2006 -0400" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Mon May 01 06:10:04 2006 -0400" }, "message": "[PATCH] Rework of IPC auditing\n\n1) The audit_ipc_perms() function has been split into two different\nfunctions:\n - audit_ipc_obj()\n - audit_ipc_set_perm()\n\nThere\u0027s a key shift here... The audit_ipc_obj() collects the uid, gid,\nmode, and SElinux context label of the current ipc object. This\naudit_ipc_obj() hook is now found in several places. Most notably, it\nis hooked in ipcperms(), which is called in various places around the\nipc code permforming a MAC check. Additionally there are several places\nwhere *checkid() is used to validate that an operation is being\nperformed on a valid object while not necessarily having a nearby\nipcperms() call. In these locations, audit_ipc_obj() is called to\nensure that the information is captured by the audit system.\n\nThe audit_set_new_perm() function is called any time the permissions on\nthe ipc object changes. In this case, the NEW permissions are recorded\n(and note that an audit_ipc_obj() call exists just a few lines before\neach instance).\n\n2) Support for an AUDIT_IPC_SET_PERM audit message type. This allows\nfor separate auxiliary audit records for normal operations on an IPC\nobject and permissions changes. Note that the same struct\naudit_aux_data_ipcctl is used and populated, however there are separate\naudit_log_format statements based on the type of the message. Finally,\nthe AUDIT_IPC block of code in audit_free_aux() was extended to handle\naux messages of this new type. No more mem leaks I hope ;-)\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "ce29b682e228c70cdc91a1b2935c5adb2087bab8", "tree": "39e3e5b345748bec1c2d21962407689cdb1b7dab", "parents": [ "e7c3497013a7e5496ce3d5fd3c73b5cf5af7a56e" ], "author": { "name": "Steve Grubb", "email": "sgrubb@redhat.com", "time": "Sat Apr 01 18:29:34 2006 -0500" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Mon May 01 06:10:01 2006 -0400" }, "message": "[PATCH] More user space subject labels\n\nHi,\n\nThe patch below builds upon the patch sent earlier and adds subject label to\nall audit events generated via the netlink interface. It also cleans up a few\nother minor things.\n\nSigned-off-by: Steve Grubb \u003csgrubb@redhat.com\u003e\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "376bd9cb357ec945ac893feaeb63af7370a6e70b", "tree": "7e2848792982dfe30e19a600a41fa5cb49ee6e6e", "parents": [ "97e94c453073a2aba4bb5e0825ddc5e923debf11" ], "author": { "name": "Darrel Goeddel", "email": "dgoeddel@trustedcs.com", "time": "Fri Feb 24 15:44:05 2006 -0600" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Mon May 01 06:06:24 2006 -0400" }, "message": "[PATCH] support for context based audit filtering\n\nThe following patch provides selinux interfaces that will allow the audit\nsystem to perform filtering based on the process context (user, role, type,\nsensitivity, and clearance). These interfaces will allow the selinux\nmodule to perform efficient matches based on lower level selinux constructs,\nrather than relying on context retrievals and string comparisons within\nthe audit module. It also allows for dominance checks on the mls portion\nof the contexts that are impossible with only string comparisons.\n\nSigned-off-by: Darrel Goeddel \u003cdgoeddel@trustedcs.com\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "5411be59db80333039386f3b1ccfe5eb9023a916", "tree": "77873af4b7557768c3c48b56e7ae4508be4a70a5", "parents": [ "e495149b173d8e133e1f6f2eb86fd97be7e92010" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Wed Mar 29 20:23:36 2006 -0500" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Mon May 01 06:06:18 2006 -0400" }, "message": "[PATCH] drop task argument of audit_syscall_{entry,exit}\n\n... it\u0027s always current, and that\u0027s a good thing - allows simpler locking.\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "f001e47f83db18a9f202f25c0255b4d11ebe468b", "tree": "0d459fdb2dce2d21f5739619210bcd4b679a49f2", "parents": [ "62c4f0a2d5a188f73a94f2cb8ea0dba3e7cf0a7f" ], "author": { "name": "David Woodhouse", "email": "dwmw2@infradead.org", "time": "Thu Apr 27 00:11:01 2006 +0100" }, "committer": { "name": "David Woodhouse", "email": "dwmw2@infradead.org", "time": "Thu Apr 27 00:11:01 2006 +0100" }, "message": "Sanitise linux/audit.h for userspace consumption, split elf-em.h from elf.h\n\nDon\u0027t include \u003clinux/sched.h\u003e outside __KERNEL__, and split the EM_xxx\ndefinitions out of elf.h into elf-em.h so that audit.h can include just\nthat and not pollute the namespace any further than it needs to.\n\nSigned-off-by: David Woodhouse \u003cdwmw2@infradead.org\u003e\n" }, { "commit": "5bdb98868062c1b14025883049551af343233187", "tree": "1f15c49cf4c9535bb3897d5fedbe78b3a7651410", "parents": [ "a6c043a887a9db32a545539426ddfc8cc2c28f8f" ], "author": { "name": "Steve Grubb", "email": "sgrubb@redhat.com", "time": "Sat Dec 03 08:39:35 2005 -0500" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Mon Mar 20 14:08:55 2006 -0500" }, "message": "[PATCH] promiscuous mode\n\nHi,\n\nWhen a network interface goes into promiscuous mode, its an important security\nissue. The attached patch is intended to capture that action and send an\nevent to the audit system.\n\nThe patch carves out a new block of numbers for kernel detected anomalies.\nThese are events that may indicate suspicious activity. Other examples of\npotential kernel anomalies would be: exceeding disk quota, rlimit violations,\nchanges to syscall entry table.\n\nSigned-off-by: Steve Grubb \u003csgrubb@redhat.com\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "5d3301088f7e412992d9e61cc3604cbdff3090ff", "tree": "6dbcea6a4707474393b640f8aaa588b2aa90309e", "parents": [ "93315ed6dd12dacfc941f9eb8ca0293aadf99793" ], "author": { "name": "Steve Grubb", "email": "viro@zeniv.linux.org.uk", "time": "Mon Jan 09 09:48:17 2006 -0500" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Mon Mar 20 14:08:55 2006 -0500" }, "message": "[PATCH] add/remove rule update\n\nHi,\n\nThe following patch adds a little more information to the add/remove rule message emitted\nby the kernel.\n\nSigned-off-by: Steve Grubb \u003csgrubb@redhat.com\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "93315ed6dd12dacfc941f9eb8ca0293aadf99793", "tree": "4fc070c92a1de21d3befe4ce48c733c65d044bb3", "parents": [ "af601e4623d0303bfafa54ec728b7ae8493a8e1b" ], "author": { "name": "Amy Griffis", "email": "amy.griffis@hp.com", "time": "Tue Feb 07 12:05:27 2006 -0500" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Mon Mar 20 14:08:54 2006 -0500" }, "message": "[PATCH] audit string fields interface + consumer\n\nUpdated patch to dynamically allocate audit rule fields in kernel\u0027s\ninternal representation. Added unlikely() calls for testing memory\nallocation result.\n\nAmy Griffis wrote: [Wed Jan 11 2006, 02:02:31PM EST]\n\u003e Modify audit\u0027s kernel-userspace interface to allow the specification\n\u003e of string fields in audit rules.\n\u003e\n\u003e Signed-off-by: Amy Griffis \u003camy.griffis@hp.com\u003e\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n(cherry picked from 5ffc4a863f92351b720fe3e9c5cd647accff9e03 commit)\n" }, { "commit": "af601e4623d0303bfafa54ec728b7ae8493a8e1b", "tree": "5f79d5ae42eeccfc1ffaf8e82a1999e4d3af793e", "parents": [ "d884596f44ef5a0bcd8a66405dc04902aeaa6fc7" ], "author": { "name": "Steve Grubb", "email": "sgrubb@redhat.com", "time": "Wed Jan 04 14:08:39 2006 +0000" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Mon Mar 20 14:08:54 2006 -0500" }, "message": "[PATCH] SE Linux audit events\n\nAttached is a patch that hardwires important SE Linux events to the audit\nsystem. Please Apply.\n\nSigned-off-by: Steve Grubb \u003csgrubb@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: David Woodhouse \u003cdwmw2@infradead.org\u003e\n" }, { "commit": "fe7752bab26a9ac0651b695ad4f55659761f68f7", "tree": "b2e516a52232c978fc824b226418d8a28460b8a8", "parents": [ "ee436dc46a762f430e37952d375a23d87735f73f" ], "author": { "name": "David Woodhouse", "email": "dwmw2@infradead.org", "time": "Thu Dec 15 18:33:52 2005 +0000" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Mon Mar 20 14:08:54 2006 -0500" }, "message": "[PATCH] Fix audit record filtering with !CONFIG_AUDITSYSCALL\n\nThis fixes the per-user and per-message-type filtering when syscall\nauditing isn\u0027t enabled.\n\n[AV: folded followup fix from the same author]\n\nSigned-off-by: David Woodhouse \u003cdwmw2@infradead.org\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "8c8570fb8feef2bc166bee75a85748b25cda22d9", "tree": "ed783d405ea9d5f3d3ccc57fb56c7b7cb2cdfb82", "parents": [ "c8edc80c8b8c397c53f4f659a05b9ea6208029bf" ], "author": { "name": "Dustin Kirkland", "email": "dustin.kirkland@us.ibm.com", "time": "Thu Nov 03 17:15:16 2005 +0000" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Mon Mar 20 14:08:54 2006 -0500" }, "message": "[PATCH] Capture selinux subject/object context information.\n\nThis patch extends existing audit records with subject/object context\ninformation. Audit records associated with filesystem inodes, ipc, and\ntasks now contain SELinux label information in the field \"subj\" if the\nitem is performing the action, or in \"obj\" if the item is the receiver\nof an action.\n\nThese labels are collected via hooks in SELinux and appended to the\nappropriate record in the audit code.\n\nThis additional information is required for Common Criteria Labeled\nSecurity Protection Profile (LSPP).\n\n[AV: fixed kmalloc flags use]\n[folded leak fixes]\n[folded cleanup from akpm (kfree(NULL)]\n[folded audit_inode_context() leak fix]\n[folded akpm\u0027s fix for audit_ipc_perm() definition in case of !CONFIG_AUDIT]\n\nSigned-off-by: Dustin Kirkland \u003cdustin.kirkland@us.ibm.com\u003e\nSigned-off-by: David Woodhouse \u003cdwmw2@infradead.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "c8edc80c8b8c397c53f4f659a05b9ea6208029bf", "tree": "0b09c0ff9ea28038b711d7368100302a1cc69b6d", "parents": [ "73241ccca0f7786933f1d31b3d86f2456549953a" ], "author": { "name": "Dustin Kirkland", "email": "dustin.kirkland@us.ibm.com", "time": "Thu Nov 03 16:12:36 2005 +0000" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Mon Mar 20 14:08:54 2006 -0500" }, "message": "[PATCH] Exclude messages by message type\n\n - Add a new, 5th filter called \"exclude\".\n - And add a new field AUDIT_MSGTYPE.\n - Define a new function audit_filter_exclude() that takes a message type\n as input and examines all rules in the filter. It returns \u00271\u0027 if the\n message is to be excluded, and \u00270\u0027 otherwise.\n - Call the audit_filter_exclude() function near the top of\n audit_log_start() just after asserting audit_initialized. If the\n message type is not to be audited, return NULL very early, before\n doing a lot of work.\n[combined with followup fix for bug in original patch, Nov 4, same author]\n[combined with later renaming AUDIT_FILTER_EXCLUDE-\u003eAUDIT_FILTER_TYPE\nand audit_filter_exclude() -\u003e audit_filter_type()]\n\nSigned-off-by: Dustin Kirkland \u003cdustin.kirkland@us.ibm.com\u003e\nSigned-off-by: David Woodhouse \u003cdwmw2@infradead.org\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "73241ccca0f7786933f1d31b3d86f2456549953a", "tree": "daa7efabfb7aa2f511a467606786820949e8763e", "parents": [ "f38aa94224c5517a40ba56d453779f70d3229803" ], "author": { "name": "Amy Griffis", "email": "amy.griffis@hp.com", "time": "Thu Nov 03 16:00:25 2005 +0000" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Mon Mar 20 14:08:53 2006 -0500" }, "message": "[PATCH] Collect more inode information during syscall processing.\n\nThis patch augments the collection of inode info during syscall\nprocessing. It represents part of the functionality that was provided\nby the auditfs patch included in RHEL4.\n\nSpecifically, it:\n\n- Collects information for target inodes created or removed during\n syscalls. Previous code only collects information for the target\n inode\u0027s parent.\n\n- Adds the audit_inode() hook to syscalls that operate on a file\n descriptor (e.g. fchown), enabling audit to do inode filtering for\n these calls.\n\n- Modifies filtering code to check audit context for either an inode #\n or a parent inode # matching a given rule.\n\n- Modifies logging to provide inode # for both parent and child.\n\n- Protect debug info from NULL audit_names.name.\n\n[AV: folded a later typo fix from the same author]\n\nSigned-off-by: Amy Griffis \u003camy.griffis@hp.com\u003e\nSigned-off-by: David Woodhouse \u003cdwmw2@infradead.org\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "90d526c074ae5db484388da56c399acf892b6c17", "tree": "edeb7c47d9144f3995846c5fc25db8e49ef12f5d", "parents": [ "b63862f46547487388e582e8ac9083830d34f058" ], "author": { "name": "Steve Grubb", "email": "sgrubb@redhat.com", "time": "Thu Nov 03 15:48:08 2005 +0000" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Mon Mar 20 14:08:53 2006 -0500" }, "message": "[PATCH] Define new range of userspace messages.\n\nThe attached patch updates various items for the new user space\nmessages. Please apply.\n\nSigned-off-by: Steve Grubb \u003csgrubb@redhat.com\u003e\nSigned-off-by: David Woodhouse \u003cdwmw2@infradead.org\u003e\n" }, { "commit": "b63862f46547487388e582e8ac9083830d34f058", "tree": "5aa0173c02535fdd9dfe302e9c8a8a225091ed56", "parents": [ "b0dd25a8263dde3c30b0d7d72a8bd92d7ba0e3f5" ], "author": { "name": "Dustin Kirkland", "email": "dustin.kirkland@us.ibm.com", "time": "Thu Nov 03 15:41:46 2005 +0000" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Mon Mar 20 14:08:53 2006 -0500" }, "message": "[PATCH] Filter rule comparators\n\nCurrently, audit only supports the \"\u003d\" and \"!\u003d\" operators in the -F\nfilter rules.\n\nThis patch reworks the support for \"\u003d\" and \"!\u003d\", and adds support\nfor \"\u003e\", \"\u003e\u003d\", \"\u003c\", and \"\u003c\u003d\".\n\nThis turned out to be a pretty clean, and simply process. I ended up\nusing the high order bits of the \"field\", as suggested by Steve and Amy.\nThis allowed for no changes whatsoever to the netlink communications.\nSee the documentation within the patch in the include/linux/audit.h\narea, where there is a table that explains the reasoning of the bitmask\nassignments clearly.\n\nThe patch adds a new function, audit_comparator(left, op, right).\nThis function will perform the specified comparison (op, which defaults\nto \"\u003d\u003d\" for backward compatibility) between two values (left and right).\nIf the negate bit is on, it will negate whatever that result was. This\nvalue is returned.\n\nSigned-off-by: Dustin Kirkland \u003cdustin.kirkland@us.ibm.com\u003e\nSigned-off-by: David Woodhouse \u003cdwmw2@infradead.org\u003e\n" }, { "commit": "9796fdd829da626374458e8706daedcc0e432ddd", "tree": "a0b4af7f45267cdcdfb677c2167906c6ef981b76", "parents": [ "55016f10e31bb15b85d8c500f979dfdceb37d548" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Fri Oct 21 03:22:03 2005 -0400" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Fri Oct 28 08:16:49 2005 -0700" }, "message": "[PATCH] gfp_t: kernel/*\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "30beab1491f0b96b2f23d3fb68af01fd921a16d8", "tree": "c580bdc0846269fbb10feeda901ecec1a48ee2ef", "parents": [ "21af6c4f2aa5f63138871b4ddd77d7ebf2588c9d", "c32511e2718618f0b53479eb36e07439aa363a74" ], "author": { "name": "David Woodhouse", "email": "dwmw2@shinybook.infradead.org", "time": "Wed Jul 13 15:25:59 2005 +0100" }, "committer": { "name": "David Woodhouse", "email": "dwmw2@shinybook.infradead.org", "time": "Wed Jul 13 15:25:59 2005 +0100" }, "message": "Merge with /shiny/git/linux-2.6/.git\n" }, { "commit": "f7ceba360cce9af3fbc4e5a5b1bd40b570b7021c", "tree": "1d138496048bbf5851cd60dee7acb912cffc6971", "parents": [ "8d8a64796fdee4e20355c6c12c9cc630a2e7494d" ], "author": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Sun Jul 10 19:29:45 2005 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Sun Jul 10 19:29:45 2005 -0700" }, "message": "[SPARC64]: Add syscall auditing support.\n\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "7b430437c0de81681ecfa8efa8f55823df733529", "tree": "c91b2dcb370b561c448d9005ef0ec41426ff7ef3", "parents": [ "13774024da8ebdf17212c0f5a83f5b0681a649eb" ], "author": { "name": "David Woodhouse", "email": "dwmw2@shinybook.infradead.org", "time": "Sat Jul 02 13:50:40 2005 +0100" }, "committer": { "name": "David Woodhouse", "email": "dwmw2@shinybook.infradead.org", "time": "Sat Jul 02 13:50:40 2005 +0100" }, "message": "AUDIT: Fix definition of audit_log() if audit not enabled\n\naudit_log() also takes an extra argument, although it\u0027s a vararg \nfunction so the compiler didn\u0027t really notice.\n\nSigned-off-by: David Woodhouse \u003cdwmw2@infradead.org\u003e\n" }, { "commit": "13774024da8ebdf17212c0f5a83f5b0681a649eb", "tree": "22a847f6c112b2dc24181082c31000a515bcf00e", "parents": [ "d2f6409584e2c62ffad81690562330ff3bf4a458" ], "author": { "name": "Badari Pulavarty", "email": "pbadari@yahoo.com", "time": "Sat Jul 02 13:49:07 2005 +0100" }, "committer": { "name": "David Woodhouse", "email": "dwmw2@shinybook.infradead.org", "time": "Sat Jul 02 13:49:07 2005 +0100" }, "message": "AUDIT: Fix definition of audit_log_start() if audit not enabled\n\naudit_log_start() seems to take 3 arguments, but its defined to take \nonly 2 when AUDIT is turned off.\n\nsecurity/selinux/avc.c:553:75: macro \"audit_log_start\" passed 3 arguments, but takes just 2\n\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: David Woodhouse \u003cdwmw2@infradead.org\u003e\n" }, { "commit": "5bb289b5a0becb53ac3e1d60815ff8b779296b73", "tree": "0db75422d66eec857e0c05cd4cf4d014e7c0e264", "parents": [ "993e2d4106e94dae6e8cfbeb32073bd12cdee203" ], "author": { "name": "David Woodhouse", "email": "dwmw2@shinybook.infradead.org", "time": "Fri Jun 24 14:14:05 2005 +0100" }, "committer": { "name": "David Woodhouse", "email": "dwmw2@shinybook.infradead.org", "time": "Fri Jun 24 14:14:05 2005 +0100" }, "message": "AUDIT: Clean up user message filtering\n\nDon\u0027t look up the task by its pid and then use the syscall filtering\nhelper. Just implement our own filter helper which operates solely on\nthe information in the netlink_skb_parms. \n\nSigned-off-by: David Woodhouse \u003cdwmw2@infradead.org\u003e\n" }, { "commit": "9ad9ad385be27fcc7c16d290d972c6173e780a61", "tree": "bbca700c2d88ba421a6c9c348de367eaf4de0e2c", "parents": [ "177bbc733a1d9c935bc3d6efd776a6699b29b1ca" ], "author": { "name": "David Woodhouse", "email": "dwmw2@shinybook.infradead.org", "time": "Wed Jun 22 15:04:33 2005 +0100" }, "committer": { "name": "David Woodhouse", "email": "dwmw2@shinybook.infradead.org", "time": "Wed Jun 22 15:04:33 2005 +0100" }, "message": "AUDIT: Wait for backlog to clear when generating messages.\n\nAdd a gfp_mask to audit_log_start() and audit_log(), to reduce the\namount of GFP_ATOMIC allocation -- most of it doesn\u0027t need to be \nGFP_ATOMIC. Also if the mask includes __GFP_WAIT, then wait up to\n60 seconds for the auditd backlog to clear instead of immediately \nabandoning the message. \n\nThe timeout should probably be made configurable, but for now it\u0027ll \nsuffice that it only happens if auditd is actually running.\n\nSigned-off-by: David Woodhouse \u003cdwmw2@infradead.org\u003e\n" }, { "commit": "4a4cd633b575609b741a1de7837223a2d9e1c34c", "tree": "f4c3a6beb6a587598193053240f3e3f82885f1e3", "parents": [ "f6a789d19858a951e7ff9e297a44b377c21b6c33" ], "author": { "name": "David Woodhouse", "email": "dwmw2@shinybook.infradead.org", "time": "Wed Jun 22 14:56:47 2005 +0100" }, "committer": { "name": "David Woodhouse", "email": "dwmw2@shinybook.infradead.org", "time": "Wed Jun 22 14:56:47 2005 +0100" }, "message": "AUDIT: Optimise the audit-disabled case for discarding user messages\n\nAlso exempt USER_AVC message from being discarded to preserve \nexisting behaviour for SE Linux.\n\nSigned-off-by: David Woodhouse \u003cdwmw2@infradead.org\u003e\n" }, { "commit": "f6a789d19858a951e7ff9e297a44b377c21b6c33", "tree": "5e54f1460bc048706ad6df8c5cb5bf748f067f13", "parents": [ "ae7b961b1c943367dfe179411f120d7bf8eaba89" ], "author": { "name": "David Woodhouse", "email": "dwmw2@shinybook.infradead.org", "time": "Tue Jun 21 16:22:01 2005 +0100" }, "committer": { "name": "David Woodhouse", "email": "dwmw2@shinybook.infradead.org", "time": "Tue Jun 21 16:22:01 2005 +0100" }, "message": "AUDIT: Spawn kernel thread to list filter rules.\n\nIf we have enough rules to fill the netlink buffer space, it\u0027ll \ndeadlock because auditctl isn\u0027t ever actually going to read from the \nsocket until we return, and we aren\u0027t going to return until it \nreads... so we spawn a kernel thread to spew out the list and then\nexit.\n\nSigned-off-by: David Woodhouse \u003cdwmw2@infradead.org\u003e\n" }, { "commit": "ae7b961b1c943367dfe179411f120d7bf8eaba89", "tree": "d40171c26b22295e45ad7b67923442bfb513752a", "parents": [ "f7056d64ae101d910f965a2e39831f635ef7891b" ], "author": { "name": "David Woodhouse", "email": "dwmw2@shinybook.infradead.org", "time": "Mon Jun 20 16:11:05 2005 +0100" }, "committer": { "name": "David Woodhouse", "email": "dwmw2@shinybook.infradead.org", "time": "Mon Jun 20 16:11:05 2005 +0100" }, "message": "AUDIT: Report lookup flags with path/inode records.\n\nWhen LOOKUP_PARENT is used, the inode which results is not the inode\nfound at the pathname. Report the flags so that this doesn\u0027t generate\nmisleading audit records.\n\nSigned-off-by: David Woodhouse \u003cdwmw2@infradead.org\u003e\n" }, { "commit": "0f45aa18e65cf3d768082d7d86054a0d2a20bb18", "tree": "6e94dfcd813061f5a710b5621e1b2f5a01a95533", "parents": [ "0107b3cf3225aed6ddde4fa8dbcd4ed643b34f4d" ], "author": { "name": "David Woodhouse", "email": "dwmw2@shinybook.infradead.org", "time": "Sun Jun 19 19:35:50 2005 +0100" }, "committer": { "name": "David Woodhouse", "email": "dwmw2@shinybook.infradead.org", "time": "Sun Jun 19 19:35:50 2005 +0100" }, "message": "AUDIT: Allow filtering of user messages\n\nTurn the field from a bitmask to an enumeration and add a list to allow \nfiltering of messages generated by userspace. We also define a list for \nfile system watches in anticipation of that feature.\n\nSigned-off-by: David Woodhouse \u003cdwmw2@infradead.org\u003e\n" }, { "commit": "8f37d47c9bf74cb48692691086b482e315d07f40", "tree": "b7d35bbd8e78d124455f3abbc9c50134bc9cee0a", "parents": [ "7551ced334ce6eb2a7a765309871e619f645add1" ], "author": { "name": "David Woodhouse", "email": "dwmw2@shinybook.infradead.org", "time": "Fri May 27 12:17:28 2005 +0100" }, "committer": { "name": "David Woodhouse", "email": "dwmw2@shinybook.infradead.org", "time": "Fri May 27 12:17:28 2005 +0100" }, "message": "AUDIT: Record working directory when syscall arguments are pathnames\n\nSigned-off-by: David Woodhouse \u003cdwmw2@infradead.org\u003e\n" }, { "commit": "bfb4496e7239c9132d732a65cdcf3d6a7431ad1a", "tree": "72a2068a1008a66db09ad6eebfdeb490f1a33308", "parents": [ "7b5d781ce1f19fb7382d3d3fb7af48e429bed12d" ], "author": { "name": "David Woodhouse", "email": "dwmw2@shinybook.infradead.org", "time": "Sat May 21 21:08:09 2005 +0100" }, "committer": { "name": "David Woodhouse", "email": "dwmw2@shinybook.infradead.org", "time": "Sat May 21 21:08:09 2005 +0100" }, "message": "AUDIT: Assign serial number to non-syscall messages\n\nMove audit_serial() into audit.c and use it to generate serial numbers \non messages even when there is no audit context from syscall auditing. \nThis allows us to disambiguate audit records when more than one is \ngenerated in the same millisecond.\n\nBased on a patch by Steve Grubb after he observed the problem.\n\nSigned-off-by: David Woodhouse \u003cdwmw2@infradead.org\u003e\n\n" }, { "commit": "011161051bbc25f7f8b7df059dbd934c534443f0", "tree": "f1ca3727e4130cacad86dfdae65e7533fcb67784", "parents": [ "fb19b4c6aa024837a0071f07baa07dbf49d07151" ], "author": { "name": "Stephen Smalley", "email": "sds@tycho.nsa.gov", "time": "Sat May 21 00:15:52 2005 +0100" }, "committer": { "name": "David Woodhouse", "email": "dwmw2@shinybook.infradead.org", "time": "Sat May 21 00:15:52 2005 +0100" }, "message": "AUDIT: Avoid sleeping function in SElinux AVC audit.\n\nThis patch changes the SELinux AVC to defer logging of paths to the audit\nframework upon syscall exit, by saving a reference to the (dentry,vfsmount)\npair in an auxiliary audit item on the current audit context for processing\nby audit_log_exit.\n\nSigned-off-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: David Woodhouse \u003cdwmw2@infradead.org\u003e\n" }, { "commit": "209aba03243ee42a22f8df8d08aa9963f62aec64", "tree": "e45ee43e7af31f847377e8bb3a0a61581732b653", "parents": [ "3ec3b2fba526ead2fa3f3d7c91924f39a0733749" ], "author": { "name": "David Woodhouse", "email": "dwmw2@shinybook.infradead.org", "time": "Wed May 18 10:21:07 2005 +0100" }, "committer": { "name": "David Woodhouse", "email": "dwmw2@shinybook.infradead.org", "time": "Wed May 18 10:21:07 2005 +0100" }, "message": "AUDIT: Treat all user messages identically.\n\nIt\u0027s silly to have to add explicit entries for new userspace messages\nas we invent them. Just treat all messages in the user range the same.\n\nSigned-off-by: David Woodhouse \u003cdwmw2@infradead.org\u003e\n" }, { "commit": "3ec3b2fba526ead2fa3f3d7c91924f39a0733749", "tree": "12b9b3de4e0d5bb3c977ea3ef534ba4f7e556cb9", "parents": [ "69887ac1dcb79dfc773dabac2dd081fa6d6e2573" ], "author": { "name": "David Woodhouse", "email": "dwmw2@shinybook.infradead.org", "time": "Tue May 17 12:08:48 2005 +0100" }, "committer": { "name": "David Woodhouse", "email": "dwmw2@shinybook.infradead.org", "time": "Tue May 17 12:08:48 2005 +0100" }, "message": "AUDIT: Capture sys_socketcall arguments and sockaddrs \n\nSigned-off-by: David Woodhouse \u003cdwmw2@infradead.org\u003e\n" }, { "commit": "23f32d18aa589e228c5a9e12e0d0c67c9b5bcdce", "tree": "fa8e1156035b871d446cdf9706898b761d6455e0", "parents": [ "c04049939f88b29e235d2da217bce6e8ead44f32" ], "author": { "name": "Steve Grubb", "email": "sgrubb@redhat.com", "time": "Fri May 13 18:35:15 2005 +0100" }, "committer": { "name": "David Woodhouse", "email": "dwmw2@shinybook.infradead.org", "time": "Fri May 13 18:35:15 2005 +0100" }, "message": "AUDIT: Fix some spelling errors\n\nI\u0027m going through the kernel code and have a patch that corrects \nseveral spelling errors in comments.\n\nFrom: Steve Grubb \u003csgrubb@redhat.com\u003e\nSigned-off-by: David Woodhouse \u003cdwmw2@infradead.org\u003e\n" }, { "commit": "c04049939f88b29e235d2da217bce6e8ead44f32", "tree": "9bf3ab72b9939c529e7c96f8768bc8b7e1d768c9", "parents": [ "9ea74f0655412d0fbd12bf9adb6c14c8fe707a42" ], "author": { "name": "Steve Grubb", "email": "sgrubb@redhat.com", "time": "Fri May 13 18:17:42 2005 +0100" }, "committer": { "name": "David Woodhouse", "email": "dwmw2@shinybook.infradead.org", "time": "Fri May 13 18:17:42 2005 +0100" }, "message": "AUDIT: Add message types to audit records\n\nThis patch adds more messages types to the audit subsystem so that audit \nanalysis is quicker, intuitive, and more useful.\n\nSigned-off-by: Steve Grubb \u003csgrubb@redhat.com\u003e\n---\nI forgot one type in the big patch. I need to add one for user space \noriginating SE Linux avc messages. This is used by dbus and nscd.\n\n-Steve\n---\nUpdated to 2.6.12-rc4-mm1.\n-dwmw2\n\nSigned-off-by: David Woodhouse \u003cdwmw2@infradead.org\u003e\n" }, { "commit": "c1b773d87eadc3972d697444127e89a7291769a2", "tree": "edfce2e842c3b6be70f3b90584507aab9fb3de8f", "parents": [ "197c69c6afd2deb7eec44040ff533d90d26c6161" ], "author": { "name": "Chris Wright", "email": "chrisw@osdl.org", "time": "Wed May 11 10:55:10 2005 +0100" }, "committer": { "name": "David Woodhouse", "email": "dwmw2@shinybook.infradead.org", "time": "Wed May 11 10:55:10 2005 +0100" }, "message": "Add audit_log_type\n\nAdd audit_log_type to allow callers to specify type and pid when logging.\nConvert audit_log to wrapper around audit_log_type. Could have\nconverted all audit_log callers directly, but common case is default\nof type AUDIT_KERNEL and pid 0. Update audit_log_start to take type\nand pid values when creating a new audit_buffer. Move sequences that\ndid audit_log_start, audit_log_format, audit_set_type, audit_log_end,\nto simply call audit_log_type directly. This obsoletes audit_set_type\nand audit_set_pid, so remove them.\n\nSigned-off-by: Chris Wright \u003cchrisw@osdl.org\u003e\nSigned-off-by: David Woodhouse \u003cdwmw2@infradead.org\u003e\n" }, { "commit": "197c69c6afd2deb7eec44040ff533d90d26c6161", "tree": "a44d7170fe20d6119eff6e656d39be623ed6131a", "parents": [ "804a6a49d874841a98ebea3247ad2e672812ad6a" ], "author": { "name": "Chris Wright", "email": "chrisw@osdl.org", "time": "Wed May 11 10:54:05 2005 +0100" }, "committer": { "name": "David Woodhouse", "email": "dwmw2@shinybook.infradead.org", "time": "Wed May 11 10:54:05 2005 +0100" }, "message": "Move ifdef CONFIG_AUDITSYSCALL to header\n\nRemove code conditionally dependent on CONFIG_AUDITSYSCALL from audit.c.\nMove these dependencies to audit.h with the rest.\n\nSigned-off-by: Chris Wright \u003cchrisw@osdl.org\u003e\nSigned-off-by: David Woodhouse \u003cdwmw2@infradead.org\u003e\n" }, { "commit": "c2f0c7c356dc9ae15419f00c725a2fcc58eeff58", "tree": "2b765b791115e0e85b45bc98800fd2650b23155b", "parents": [ "2512809255d018744fe6c2f5e996c83769846c07" ], "author": { "name": "Steve Grubb", "email": "sgrubb@redhat.com", "time": "Fri May 06 12:38:39 2005 +0100" }, "committer": { "name": "David Woodhouse", "email": "dwmw2@shinybook.infradead.org", "time": "Fri May 06 12:38:39 2005 +0100" }, "message": "The attached patch addresses the problem with getting the audit daemon \nshutdown credential information. It creates a new message type \nAUDIT_TERM_INFO, which is used by the audit daemon to query who issued the \nshutdown. \n\nIt requires the placement of a hook function that gathers the information. The \nhook is after the DAC \u0026 MAC checks and before the function returns. Racing \nthreads could overwrite the uid \u0026 pid - but they would have to be root and \nhave policy that allows signalling the audit daemon. That should be a \nmanageable risk.\n\nThe userspace component will be released later in audit 0.7.2. When it \nreceives the TERM signal, it queries the kernel for shutdown information. \nWhen it receives it, it writes the message and exits. The message looks \nlike this:\n\ntype\u003dDAEMON msg\u003dauditd(1114551182.000) auditd normal halt, sending pid\u003d2650 \nuid\u003d525, auditd pid\u003d1685\n\nSigned-off-by: Steve Grubb \u003csgrubb@redhat.com\u003e\nSigned-off-by: David Woodhouse \u003cdwmw2@infradead.org\u003e\n" }, { "commit": "456be6cd90dbbb9b0ea01d56932d56d110d51cf7", "tree": "27f0d001610f686d11ff460cb6c848a599c8ca4f", "parents": [ "37509e749dc2072e667db806ef24b9e897f61b8a" ], "author": { "name": "Steve Grubb", "email": "sgrubb@redhat.com", "time": "Fri Apr 29 17:30:07 2005 +0100" }, "committer": { "name": "", "email": "dwmw2@shinybook.infradead.org", "time": "Fri Apr 29 17:30:07 2005 +0100" }, "message": "[AUDIT] LOGIN message credentials\n\nAttached is a new patch that solves the issue of getting valid credentials \ninto the LOGIN message. The current code was assuming that the audit context \nhad already been copied. This is not always the case for LOGIN messages.\n\nTo solve the problem, the patch passes the task struct to the function that \nemits the message where it can get valid credentials.\n\nSigned-off-by: Steve Grubb \u003csgrubb@redhat.com\u003e\nSigned-off-by: David Woodhouse \u003cdwmw2@infradead.org\u003e\n" }, { "commit": "c94c257c88c517f251da273a15c654224c7b6e21", "tree": "992dd50f6bb13a70b04450cdfe0dbfb3c7b17ef5", "parents": [ "85c8721ff3bc96b702427a440616079e8daf8a2f" ], "author": { "name": "Serge Hallyn", "email": "serue@us.ibm.com", "time": "Fri Apr 29 16:27:17 2005 +0100" }, "committer": { "name": "", "email": "dwmw2@shinybook.infradead.org", "time": "Fri Apr 29 16:27:17 2005 +0100" }, "message": "Add audit uid to netlink credentials\n\nMost audit control messages are sent over netlink.In order to properly\nlog the identity of the sender of audit control messages, we would like\nto add the loginuid to the netlink_creds structure, as per the attached\npatch.\n\nSigned-off-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: David Woodhouse \u003cdwmw2@infradead.org\u003e\n" }, { "commit": "85c8721ff3bc96b702427a440616079e8daf8a2f", "tree": "1232ac4ebbd6d2453ee4d4a104003273ced20440", "parents": [ "67eb81e1686f44bcf8f005b296213fd2c21b4719" ], "author": { "name": "", "email": "dwmw2@shinybook.infradead.org", "time": "Fri Apr 29 16:23:29 2005 +0100" }, "committer": { "name": "", "email": "dwmw2@shinybook.infradead.org", "time": "Fri Apr 29 16:23:29 2005 +0100" }, "message": "audit: update pointer to userspace tools, remove emacs mode tags\n" }, { "commit": "d812ddbb89e323d054a7d073466225966c8350c8", "tree": "469e3e7bb7d1ca450059fc1b45660b8bc6452dc7", "parents": [ "2fd6f58ba6efc82ea2c9c2630f7ff5ed9eeaf34a" ], "author": { "name": "Steve Grubb", "email": "sgrubb@redhat.com", "time": "Fri Apr 29 16:09:52 2005 +0100" }, "committer": { "name": "", "email": "dwmw2@shinybook.infradead.org", "time": "Fri Apr 29 16:09:52 2005 +0100" }, "message": "[AUDIT] Fix signedness of \u0027serial\u0027 in various routines.\n\nAttached is a patch that corrects a signed/unsigned warning. I also noticed\nthat we needlessly init serial to 0. That only needs to occur if the kernel\nwas compiled without the audit system.\n\n-Steve Grubb\n\nSigned-off-by: David Woodhouse \u003cdwmw2@infradead.org\u003e\n" }, { "commit": "2fd6f58ba6efc82ea2c9c2630f7ff5ed9eeaf34a", "tree": "87cf236a78ad242ae01f1b71c289131e6d1c0662", "parents": [ "ea3834d9fb348fb1144ad3affea22df933eaf62e" ], "author": { "name": "", "email": "dwmw2@shinybook.infradead.org", "time": "Fri Apr 29 16:08:28 2005 +0100" }, "committer": { "name": "", "email": "dwmw2@shinybook.infradead.org", "time": "Fri Apr 29 16:08:28 2005 +0100" }, "message": "[AUDIT] Don\u0027t allow ptrace to fool auditing, log arch of audited syscalls.\n\nWe were calling ptrace_notify() after auditing the syscall and arguments,\nbut the debugger could have _changed_ them before the syscall was actually\ninvoked. Reorder the calls to fix that.\n\nWhile we\u0027re touching ever call to audit_syscall_entry(), we also make it\ntake an extra argument: the architecture of the syscall which was made,\nbecause some architectures allow more than one type of syscall.\n\nAlso add an explicit success/failure flag to audit_syscall_exit(), for\nthe benefit of architectures which return that in a condition register\nrather than only returning a single register.\n\nChange type of syscall return value to \u0027long\u0027 not \u0027int\u0027.\n\nSigned-off-by: David Woodhouse \u003cdwmw2@infradead.org\u003e\n" }, { "commit": "83c7d09173fdb6b06b109e65895392db3e49ac9c", "tree": "3f48367a4d1413e221a5367bcd0cf8df7322c368", "parents": [ "c60c390620e0abb60d4ae8c43583714bda27763f" ], "author": { "name": "", "email": "dwmw2@shinybook.infradead.org", "time": "Fri Apr 29 15:54:44 2005 +0100" }, "committer": { "name": "", "email": "dwmw2@shinybook.infradead.org", "time": "Fri Apr 29 15:54:44 2005 +0100" }, "message": "AUDIT: Avoid log pollution by untrusted strings.\n\nWe log strings from userspace, such as arguments to open(). These could\nbe formatted to contain \\n followed by fake audit log entries. Provide\na function for logging such strings, which gives a hex dump when the\nstring contains anything but basic printable ASCII characters. Use it\nfor logging filenames.\n\nSigned-off-by: David Woodhouse \u003cdwmw2@infradead.org\u003e\n" }, { "commit": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "tree": "0bba044c4ce775e45a88a51686b5d9f90697ea9d", "parents": [], "author": { "name": "Linus Torvalds", "email": "torvalds@ppc970.osdl.org", "time": "Sat Apr 16 15:20:36 2005 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@ppc970.osdl.org", "time": "Sat Apr 16 15:20:36 2005 -0700" }, "message": "Linux-2.6.12-rc2\n\nInitial git repository build. I\u0027m not bothering with the full history,\neven though we have it. We can create a separate \"historical\" git\narchive of that later if we want to, and in the meantime it\u0027s about\n3.2GB when imported into git - space that would just make the early\ngit days unnecessarily complicated, when we don\u0027t have a lot of good\ninfrastructure for it.\n\nLet it rip!\n" } ] }