From 5504a69a4219170ad00fe5eebc57672a357813ad Mon Sep 17 00:00:00 2001
From: Richard Guy Briggs
Date: Thu, 11 Mar 2021 11:38:05 -0500
Subject: audit: further cleanup of AUDIT_FILTER_ENTRY deprecation

Remove the list parameter from the function call since the exit filter list is the only remaining list used by this function. This cleans up commit 5260ecc2e048 ("audit: deprecate the AUDIT_FILTER_ENTRY filter")

Signed-off-by: Richard Guy Briggs
Signed-off-by: Paul Moore
---
 kernel/auditsc.c | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 47fb48f42c93..8bb9ac84d2fb 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -805,8 +805,7 @@ static int audit_in_mask(const struct audit_krule *rule, unsigned long val)
 * (i.e., the state is AUDIT_SETUP_CONTEXT or AUDIT_BUILD_CONTEXT).
 */
 static void audit_filter_syscall(struct task_struct *tsk,
- struct audit_context *ctx,
- struct list_head *list)
+ struct audit_context *ctx)
 {
 struct audit_entry *e;
 enum audit_state state;
@@ -815,7 +814,7 @@ static void audit_filter_syscall(struct task_struct *tsk,
 return;
 
 rcu_read_lock();
- list_for_each_entry_rcu(e, list, list) {
+ list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_EXIT], list) {
 if (audit_in_mask(&e->rule, ctx->major) &&
 audit_filter_rules(tsk, &e->rule, ctx, NULL,
 &state, false)) {
@@ -1627,8 +1626,7 @@ void __audit_free(struct task_struct *tsk)
 context->return_valid = AUDITSC_INVALID;
 context->return_code = 0;
 
- audit_filter_syscall(tsk, context,
- &audit_filter_list[AUDIT_FILTER_EXIT]);
+ audit_filter_syscall(tsk, context);
 audit_filter_inodes(tsk, context);
 if (context->current_state == AUDIT_RECORD_CONTEXT)
 audit_log_exit();
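Review bot: The header comment that closes with the ` */` at the top of this hunk is where audit_filter_syscall should now say which list it walks, because with the `list` parameter removed the call sites in __audit_free and __audit_syscall_exit no longer show that only exit rules are evaluated; add a line such as ` * Only audit_filter_list[AUDIT_FILTER_EXIT] is consulted now that the entry filter is deprecated.` before the ` */`. Only the last sentence of that comment is visible inside the hunk, so whether its earlier lines still describe a caller-supplied list cannot be verified here. The body of audit_filter_syscall continues past the end of the hunk.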
@@ -1735,8 +1733,7 @@ void __audit_syscall_exit(int success, long return_code)
 else
 context->return_code = return_code;
 
- audit_filter_syscall(current, context,
- &audit_filter_list[AUDIT_FILTER_EXIT]);
+ audit_filter_syscall(current, context);
 audit_filter_inodes(current, context);
 if (context->current_state == AUDIT_RECORD_CONTEXT)
 audit_log_exit();
-- cgit v1.2.3

From c43223755075acb6e3aa9c7ee89eeabdcf5ccda8 Mon Sep 17 00:00:00 2001
From: Richard Guy Briggs
Date: Wed, 17 Mar 2021 21:48:59 -0400
Subject: MAINTAINERS: update audit files

Add files maintaned by the audit subsystem. Files from arch/*/*/*audit*.[ch] and arch/x86/include/asm/audit.h were not added due to concern of the list not holding up over time. There exist already exceptions that caused the need for this specificity.

Signed-off-by: Richard Guy Briggs
Signed-off-by: Paul Moore
---
 MAINTAINERS | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/MAINTAINERS b/MAINTAINERS
index d92f85ca831d..1249655459d3 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -2979,9 +2979,11 @@ L: linux-audit@redhat.com (moderated for non-subscribers)
 S: Supported
 W: https://github.com/linux-audit
 T: git git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git
+F: include/asm-generic/audit_*.h
 F: include/linux/audit.h
 F: include/uapi/linux/audit.h
 F: kernel/audit*
+F: lib/*audit.c
 
 AUXILIARY DISPLAY DRIVERS
 M: Miguel Ojeda
-- cgit v1.2.3

From 1dd34cfcfd070c12ebe146078b64deaa83cf5b2e Mon Sep 17 00:00:00 2001
From: Richard Guy Briggs
Date: Thu, 18 Mar 2021 15:19:10 -0400
Subject: audit: document /proc/PID/loginuid

Describe the /proc/PID/loginuid interface in Documentation/ABI/stable that was added 2005-02-01 by commit 1e2d1492e178 ("[PATCH] audit: handle loginuid through proc")

Signed-off-by: Richard Guy Briggs
Signed-off-by: Paul Moore
---
 Documentation/ABI/stable/procfs-audit_loginuid | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 Documentation/ABI/stable/procfs-audit_loginuid
diff --git a/Documentation/ABI/stable/procfs-audit_loginuid b/Documentation/ABI/stable/procfs-audit_loginuid
new file mode 100644
index 000000000000..e7c100b9ab18
--- /dev/null
+++ b/Documentation/ABI/stable/procfs-audit_loginuid
@@ -0,0 +1,15 @@
+What: Audit Login UID
+Date: 2005-02-01
+KernelVersion: 2.6.11-rc2 1e2d1492e178 ("[PATCH] audit: handle loginuid through proc")
+Contact: linux-audit@redhat.com
+Format: %u
+Users: audit and login applications
+Description:
+ The /proc/$pid/loginuid pseudofile is written to set and
+ read to get the audit login UID of process $pid. If it is
+ unset, permissions are not needed to set it. The accessor must
+ have CAP_AUDIT_CONTROL in the initial user namespace to write
+ it if it has been set. It cannot be written again if
+ AUDIT_FEATURE_LOGINUID_IMMUTABLE is enabled. It cannot be
+ unset if AUDIT_FEATURE_ONLY_UNSET_LOGINUID is enabled.
+
-- cgit v1.2.3

From 7c585c9dffa5cd5155cdd0e41c52b403d13626d8 Mon Sep 17 00:00:00 2001
From: Richard Guy Briggs
Date: Thu, 18 Mar 2021 15:19:11 -0400
Subject: audit: document /proc/PID/sessionid

Describe the /proc/PID/loginuid interface in Documentation/ABI/stable that was added 2008-03-13 in commit 1e0bd7550ea9 ("[PATCH] export sessionid alongside the loginuid in procfs")

Signed-off-by: Richard Guy Briggs
Signed-off-by: Paul Moore
---
 Documentation/ABI/stable/procfs-audit_loginuid | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/Documentation/ABI/stable/procfs-audit_loginuid b/Documentation/ABI/stable/procfs-audit_loginuid
index e7c100b9ab18..9d55a3ff4b34 100644
--- a/Documentation/ABI/stable/procfs-audit_loginuid
+++ b/Documentation/ABI/stable/procfs-audit_loginuid
@@ -13,3 +13,15 @@ Description:
 AUDIT_FEATURE_LOGINUID_IMMUTABLE is enabled. It cannot be
 unset if AUDIT_FEATURE_ONLY_UNSET_LOGINUID is enabled.
 
+
+What: Audit Login Session ID
+Date: 2008-03-13
+KernelVersion: 2.6.25-rc7 1e0bd7550ea9 ("[PATCH] export sessionid alongside the loginuid in procfs")
+Contact: linux-audit@redhat.com
+Format: %u
+Users: audit and login applications
+Description:
+ The /proc/$pid/sessionid pseudofile is read to get the
+ audit login session ID of process $pid. It is set
+ automatically, serially assigned with each new login.
+
-- cgit v1.2.3

From d4ceb1d6e732b11d7226ff6d51adf2418bb1f60f Mon Sep 17 00:00:00 2001
From: Arnd Bergmann
Date: Mon, 22 Mar 2021 17:27:45 +0100
Subject: audit: avoid -Wempty-body warning

gcc warns about an empty statement when audit_remove_mark is defined to nothing:

kernel/auditfilter.c: In function 'audit_data_to_entry':
kernel/auditfilter.c:609:51: error: suggest braces around empty body in an 'if' statement [-Werror=empty-body]
609 | audit_remove_mark(entry->rule.exe); /* that's the template one */
| ^

Change the macros to use the usual "do { } while (0)" instead, and change a few more that were (void)0, for consistency.

Signed-off-by: Arnd Bergmann
Acked-by: Richard Guy Briggs
Signed-off-by: Paul Moore
---
 kernel/audit.h | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/kernel/audit.h b/kernel/audit.h
index 3b9c0945225a..1522e100fd17 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -292,8 +292,8 @@ extern void audit_filter_inodes(struct task_struct *tsk,
 extern struct list_head *audit_killed_trees(void);
 #else /* CONFIG_AUDITSYSCALL */
 #define auditsc_get_stamp(c, t, s) 0
-#define audit_put_watch(w) {}
-#define audit_get_watch(w) {}
+#define audit_put_watch(w) do { } while (0)
+#define audit_get_watch(w) do { } while (0)
 #define audit_to_watch(k, p, l, o) (-EINVAL)
 #define audit_add_watch(k, l) (-EINVAL)
 #define audit_remove_watch_rule(k) BUG()
@@ -302,8 +302,8 @@ extern struct list_head *audit_killed_trees(void);
 
 #define audit_alloc_mark(k, p, l) (ERR_PTR(-EINVAL))
 #define audit_mark_path(m) ""
-#define audit_remove_mark(m)
-#define audit_remove_mark_rule(k)
+#define audit_remove_mark(m) do { } while (0)
+#define audit_remove_mark_rule(k) do { } while (0)
 #define audit_mark_compare(m, i, d) 0
 #define audit_exe_compare(t, m) (-EINVAL)
 #define audit_dupe_exe(n, o) (-EINVAL)
@@ -311,8 +311,8 @@ extern struct list_head *audit_killed_trees(void);
 #define audit_remove_tree_rule(rule) BUG()
 #define audit_add_tree_rule(rule) -EINVAL
 #define audit_make_tree(rule, str, op) -EINVAL
-#define audit_trim_trees() (void)0
-#define audit_put_tree(tree) (void)0
+#define audit_trim_trees() do { } while (0)
+#define audit_put_tree(tree) do { } while (0)
 #define audit_tag_tree(old, new) -EINVAL
 #define audit_tree_path(rule) "" /* never called */
 #define audit_kill_trees(context) BUG()
-- cgit v1.2.3

From b75d8f38bcc9599af42635530c00268c71911f11 Mon Sep 17 00:00:00 2001
From: Richard Guy Briggs
Date: Thu, 1 Apr 2021 15:10:27 -0400
Subject: audit: drop /proc/PID/loginuid documentation Format field

Drop the "Format:" field from the /proc/PID/loginuid documentation and integrate the information into the Description field since it is not recognized by the "./scripts/get_abi.pl validate" command which causes a warning. Documentation/ABI/README describes the valid fields.

Reported-by: Mauro Carvalho Chehab
Signed-off-by: Richard Guy Briggs
Signed-off-by: Paul Moore
---
 Documentation/ABI/stable/procfs-audit_loginuid | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/Documentation/ABI/stable/procfs-audit_loginuid b/Documentation/ABI/stable/procfs-audit_loginuid
index 9d55a3ff4b34..cda405178391 100644
--- a/Documentation/ABI/stable/procfs-audit_loginuid
+++ b/Documentation/ABI/stable/procfs-audit_loginuid
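Review bot: The expression stubs left as context around the changed lines of the `@@ -311` hunk, `#define audit_add_tree_rule(rule) -EINVAL`, `#define audit_make_tree(rule, str, op) -EINVAL` and `#define audit_tag_tree(old, new) -EINVAL`, still expand to a bare `-EINVAL`, whereas the equivalent stubs in the two hunks above (`audit_to_watch`, `audit_add_watch`, `audit_exe_compare`, `audit_dupe_exe`) are written `(-EINVAL)`. Since this commit's stated aim is to make the !CONFIG_AUDITSYSCALL stubs consistent, wrapping those three as `(-EINVAL)` would fit in the same change and is what checkpatch asks for on macro bodies. This is a style point only; nothing in the hunk shows a use where the missing parentheses change the result.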
@@ -2,26 +2,26 @@ What: Audit Login UID
 Date: 2005-02-01
 KernelVersion: 2.6.11-rc2 1e2d1492e178 ("[PATCH] audit: handle loginuid through proc")
 Contact: linux-audit@redhat.com
-Format: %u
 Users: audit and login applications
 Description:
 The /proc/$pid/loginuid pseudofile is written to set and
- read to get the audit login UID of process $pid. If it is
- unset, permissions are not needed to set it. The accessor must
- have CAP_AUDIT_CONTROL in the initial user namespace to write
- it if it has been set. It cannot be written again if
- AUDIT_FEATURE_LOGINUID_IMMUTABLE is enabled. It cannot be
- unset if AUDIT_FEATURE_ONLY_UNSET_LOGINUID is enabled.
-
+ read to get the audit login UID of process $pid as a
+ decimal unsigned int (%u, u32). If it is unset,
+ permissions are not needed to set it. The accessor must
+ have CAP_AUDIT_CONTROL in the initial user namespace to
+ write it if it has been set. It cannot be written again
+ if AUDIT_FEATURE_LOGINUID_IMMUTABLE is enabled. It
+ cannot be unset if AUDIT_FEATURE_ONLY_UNSET_LOGINUID is
+ enabled.
 
 What: Audit Login Session ID
 Date: 2008-03-13
 KernelVersion: 2.6.25-rc7 1e0bd7550ea9 ("[PATCH] export sessionid alongside the loginuid in procfs")
 Contact: linux-audit@redhat.com
-Format: %u
 Users: audit and login applications
 Description:
 The /proc/$pid/sessionid pseudofile is read to get the
- audit login session ID of process $pid. It is set
- automatically, serially assigned with each new login.
+ audit login session ID of process $pid as a decimal
+ unsigned int (%u, u32). It is set automatically,
+ serially assigned with each new login.
 
-- cgit v1.2.3