GIT 7ecd950421da7f773d87a5fc704dc2e8c7183505 git+ssh://master.kernel.org/pub/scm/linux/kernel/git/viro/audit-current.git#mm.b43

commit
Author: Klaus Heinrich Kiwi
Date:   Wed Jan 23 22:57:45 2008 -0500

    [AUDIT] Add uid, gid fields to ANOM_PROMISCUOUS message

    Changes the ANOM_PROMISCUOUS message to include uid and gid fields,
    making it consistent with other AUDIT_ANOM_ messages and in the format
    the userspace is expecting.

    Signed-off-by: Klaus Heinrich Kiwi
    Acked-by: Eric Paris

commit bd03ee1591bd0e917d92511a3bf11279b64fe57c
Author: Eric Paris
Date:   Wed Jan 23 22:55:05 2008 -0500

    [AUDIT] ratelimit printk messages audit

    some printk messages from the audit system can become excessive. This
    patch ratelimits those messages. It was found that messages, such as
    the audit backlog lost printk message could flood the logs to the point
    that a machine could take an nmi watchdog hit or otherwise become
    unresponsive.

    Signed-off-by: Eric Paris

commit 775ef9707973a2b3650c382f317ee2982dbb52f9
Author: Richard Knutsson
Date:   Thu Jan 10 11:02:40 2008 -0800

    [patch 2/2] audit: complement va_copy with va_end()

    Complement va_copy() with va_end().

    Signed-off-by: Richard Knutsson
    Cc: Al Viro
    Signed-off-by: Andrew Morton

commit 2a70c723c7891d6c5a6e4432ce0bfa6be94011be
Author: Andrew Morton
Date:   Thu Jan 10 11:02:39 2008 -0800

    [patch 1/2] kernel/audit.c: warning fix

    kernel/audit.c: In function 'audit_log_start':
    kernel/audit.c:1133: warning: 'serial' may be used uninitialized in this function

    Cc: Al Viro
    Signed-off-by: Andrew Morton

commit 622012b262a466f551ffcec21ea7f17573dae358
Author: Eric Paris
Date:   Tue Jan 8 17:38:31 2008 -0500

    [AUDIT] create context if auditing was ever enabled

    Disabling audit at runtime by auditctl doesn't mean that we can
    stop allocating contexts for new processes; we don't want to miss them
    when that sucker is reenabled.

    (based on work from Al Viro in the RHEL kernel series)
    Signed-off-by: Eric Paris

commit 53cda8c9b651c1bbc680640547029fc77ee28750
Author: Eric Paris
Date:   Mon Jan 7 18:14:19 2008 -0500

    [AUDIT] clean up audit_receive_msg()

    generally clean up audit_receive_msg() don't free random memory if
    selinux_sid_to_string fails for some reason. Move generic auditing to a
    helper function

    Signed-off-by: Eric Paris

commit 547fef925111b83f59cf33d181d5b1b868a3e747
Author: Eric Paris
Date:   Mon Jan 7 17:09:31 2008 -0500

    [AUDIT] make audit=0 really stop audit messages

    Some audit messages (namely configuration changes) are still emitted even if
    the audit subsystem has been explicitly disabled. This patch turns those
    messages off as well.

    Signed-off-by: Eric Paris

commit c76b6618358aee4103215b4e9f3bba73cda278f2
Author: Eric Paris
Date:   Mon Jan 7 14:31:58 2008 -0500

    [AUDIT] break large execve argument logging into smaller messages

    execve arguments can be quite large. There is no limit on the number of
    arguments and a 4G limit on the size of an argument.

    this patch prints those arguments in bite sized pieces. a userspace size
    limitation of 8k was discovered so this keeps messages around 7.5k

    single arguments larger than 7.5k in length are split into multiple records
    and can be identified as aX[Y]=

    Signed-off-by: Eric Paris

commit e5ea95588f73012b04d30c8e946df0ebabdb9191
Author: Eric Paris
Date:   Mon Jan 7 14:19:15 2008 -0500

    [AUDIT] include audit type in audit message when using printk

    Currently audit drops the audit type when an audit message goes through
    printk instead of the audit daemon. This is a minor annoyance in
    that the audit type is no longer part of the message and the information
    the audit type conveys needs to be carried in, or derived from the
    message data.

    The attached patch includes the type number as part of the printk.
    Admittedly it isn't the type name that the audit daemon provides but I
    think this is better than dropping the type completely.

    Signed-off-by: John Johansen
    Signed-off-by: Eric Paris

commit 3c95e97eb0a69c2410ee2d441a7b97dfd69a0202
Author: Eric Paris
Date:   Mon Jan 7 14:01:18 2008 -0500

    [AUDIT] do not panic on exclude messages in audit_log_pid_context()

    If we fail to get an ab in audit_log_pid_context this may be due to an exclude
    rule rather than a memory allocation failure. If it was due to a memory
    allocation failure we would have already panicked and no need to do it again.

    Signed-off-by: Eric Paris

commit b3c294e7404c402a82b0772587c71cbb8d3adc00
Author: Eric Paris
Date:   Mon Jan 7 13:49:15 2008 -0500

    [AUDIT] Add End of Event record

    This patch adds an end of event record type. It will be sent by the kernel as
    the last record when a multi-record event is triggered. This will aid realtime
    analysis programs since they will now reliably know they have the last record
    to complete an event. The audit daemon filters this and will not write it to
    disk.

    Signed-off-by: Steve Grubb
    Signed-off-by: Eric Paris

commit a2184b1279b1d445fdc0e9577e6728f5fcac4953
Author: Eric Paris
Date:   Tue Jan 8 10:06:53 2008 -0500

    [AUDIT] add session id to audit messages

    In order to correlate audit records to an individual login add a session
    id. This is incremented every time a user logs in and is included in
    almost all messages which currently output the auid. The field is
    labeled ses= or oses=

    Signed-off-by: Eric Paris

commit 898558211ddde37272d0bb1a0dc8d3239333430b
Author: Eric Paris
Date:   Mon Jan 7 13:40:17 2008 -0500

    [AUDIT] collect uid, loginuid, and comm in OBJ_PID records

    Add uid, loginuid, and comm collection to OBJ_PID records. This just
    gives users a little more information about the task that received a
    signal. pid is rather meaningless after the fact, and even though comm
    isn't great we can't collect exe reasonably on this code path for
    performance reasons.
    Signed-off-by: Eric Paris

commit 95481a6ced01bea7033855655800a65bda327a4a
Author: Eric Paris
Date:   Mon Jan 7 13:34:51 2008 -0500

    [AUDIT] return EINTR not ERESTART*

    The syscall exit code will change ERESTART* kernel internal return codes
    to EINTR if it does not restart the syscall. Since we collect the audit
    info before that point we should fix those in the audit log as well.

    Signed-off-by: Eric Paris

commit 55ca862946b3eeb311423be8d48389ac11a07c10
Author: Al Viro
Date:   Thu Jan 10 04:53:18 2008 -0500

    [PATCH] get rid of loginuid races

    Keeping loginuid in audit_context is racy and results in messier
    code. Taken to task_struct, out of the way of ->audit_context
    changes.

    Signed-off-by: Al Viro

commit 4ec057cacad4fdbd593dab67b2afa0620f5abf89
Author: Al Viro
Date:   Thu Jan 10 04:20:52 2008 -0500

    [PATCH] switch audit_get_loginuid() to task_struct *

    all callers pass something->audit_context

    Signed-off-by: Al Viro

 kernel/audit.c  |   12 ++++++++++++
 kernel/sysctl.c |    3 +++
 2 files changed, 15 insertions(+), 0 deletions(-)

diff --git a/kernel/audit.c b/kernel/audit.c index c8555b1..4cbdb0e 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -301,13 +301,25 @@ static int audit_do_config_change(char *function_name, int *to_change, } static int audit_set_rate_limit(int limit, uid_t loginuid, u32 sid) +<<<<<<< HEAD:kernel/audit.c +======= { return audit_do_config_change("audit_rate_limit", &audit_rate_limit, limit, loginuid, sid); } static int audit_set_backlog_limit(int limit, uid_t loginuid, u32 sid) +>>>>>>> FETCH_HEAD:kernel/audit.c { +<<<<<<< HEAD:kernel/audit.c + return audit_do_config_change("audit_rate_limit", &audit_rate_limit, + limit, loginuid, sid); +} + +static int audit_set_backlog_limit(int limit, uid_t loginuid, u32 sid) +{ +======= +>>>>>>> FETCH_HEAD:kernel/audit.c return audit_do_config_change("audit_backlog_limit", &audit_backlog_limit, limit, loginuid, sid); } diff --git a/kernel/sysctl.c b/kernel/sysctl.c index 7cb1ac3..79978c2 100644 --- a/kernel/sysctl.c 
+++ b/kernel/sysctl.c @@ -81,7 +81,10 @@ extern int percpu_pagelist_fraction; extern int compat_log; extern int maps_protect; extern int sysctl_stat_interval; +<<<<<<< HEAD:kernel/sysctl.c extern int latencytop_enabled; +======= +>>>>>>> FETCH_HEAD:kernel/sysctl.c /* Constants used for minimum and maximum */ #ifdef CONFIG_DETECT_SOFTLOCKUP
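Review bot: unresolved merge conflict markers are added as source lines in the kernel/audit.c hunk (@@ -301,13 +301,25 @@): "+<<<<<<< HEAD:kernel/audit.c", "+=======" and "+>>>>>>> FETCH_HEAD:kernel/audit.c" each appear twice, around audit_set_rate_limit() and audit_set_backlog_limit(), so kernel/audit.c will not compile with this applied. Both sides of the conflict carry the same audit_do_config_change("audit_rate_limit", ...) body and the same audit_set_backlog_limit() signature, so the resolution should keep one copy and drop the markers, which leaves this hunk empty. All 12 added lines in this file are markers or duplicated text, so none of the changes described in the commit log above is present in the diff; the patch should be regenerated after the conflict is resolved.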
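Review bot: the kernel/sysctl.c hunk (@@ -81,7 +81,10 @@) adds only conflict markers, "+<<<<<<< HEAD:kernel/sysctl.c" before the existing "extern int latencytop_enabled;" line and "+=======" / "+>>>>>>> FETCH_HEAD:kernel/sysctl.c" after it, which breaks the build of kernel/sysctl.c. The FETCH_HEAD side of the conflict is empty, meaning the fetched tree has no latencytop_enabled declaration at this point; keep the HEAD line, drop the three markers, and this hunk disappears from the patch entirely.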