From: Casey Schaufler <casey@schaufler-ca.com>
To: casey.schaufler@intel.com, jmorris@namei.org,
linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Cc: casey@schaufler-ca.com, linux-audit@redhat.com,
keescook@chromium.org, john.johansen@canonical.com,
penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com,
sds@tycho.nsa.gov, linux-kernel@vger.kernel.org
Subject: [PATCH v28 23/25] Audit: Add record for multiple object LSM attributes
Date: Wed, 21 Jul 2021 17:47:56 -0700 [thread overview]
Message-ID: <20210722004758.12371-24-casey@schaufler-ca.com> (raw)
In-Reply-To: <20210722004758.12371-1-casey@schaufler-ca.com>
Create a new audit record type to contain the object information
when there are multiple security modules that may require such data.
This record is linked with the same timestamp and serial number.
An example of the MAC_OBJ_CONTEXTS (1421) record is:
type=UNKNOWN[1421]
msg=audit(1601152467.009:1050):
obj_selinux="unconfined_u:object_r:user_home_t:s0"
Not all security modules that can provide object information
do so in all cases. It is possible that a security module won't
apply an object attribute in all cases.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Cc: linux-audit@redhat.com
To: Paul Moore <paul@paul-moore.com>
---
include/linux/audit.h | 7 ++++
include/uapi/linux/audit.h | 1 +
kernel/audit.c | 54 ++++++++++++++++++++++++++++
kernel/audit.h | 4 +--
kernel/auditsc.c | 73 +++++++-------------------------------
5 files changed, 76 insertions(+), 63 deletions(-)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 85eb87f6f92d..6bf0c86fcbc9 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -187,6 +187,8 @@ extern void audit_log_path_denied(int type,
extern void audit_log_lost(const char *message);
extern int audit_log_task_context(struct audit_buffer *ab);
+extern int audit_log_object_context(struct audit_buffer *ab,
+ struct lsmblob *blob);
extern void audit_log_task_info(struct audit_buffer *ab);
extern int audit_update_lsm_rules(void);
@@ -250,6 +252,11 @@ static inline int audit_log_task_context(struct audit_buffer *ab)
{
return 0;
}
+static inline int audit_log_object_context(struct audit_buffer *ab,
+ struct lsmblob *blob)
+{
+ return 0;
+}
static inline void audit_log_task_info(struct audit_buffer *ab)
{ }
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 4432a8bed8e0..4efed1abcd54 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -140,6 +140,7 @@
#define AUDIT_MAC_CALIPSO_ADD 1418 /* NetLabel: add CALIPSO DOI entry */
#define AUDIT_MAC_CALIPSO_DEL 1419 /* NetLabel: del CALIPSO DOI entry */
#define AUDIT_MAC_TASK_CONTEXTS 1420 /* Multiple LSM contexts */
+#define AUDIT_MAC_OBJ_CONTEXTS 1421 /* Multiple LSM object contexts */
#define AUDIT_FIRST_KERN_ANOM_MSG 1700
#define AUDIT_LAST_KERN_ANOM_MSG 1799
diff --git a/kernel/audit.c b/kernel/audit.c
index cba63789a164..c500b303e39f 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -2204,6 +2204,60 @@ int audit_log_task_context(struct audit_buffer *ab)
}
EXPORT_SYMBOL(audit_log_task_context);
+int audit_log_object_context(struct audit_buffer *ab,
+ struct lsmblob *blob)
+{
+ int i;
+ int error;
+ bool sep = false;
+ struct lsmcontext lsmdata;
+ struct audit_buffer *lsmab = NULL;
+ struct audit_context *context = NULL;
+
+ /*
+ * If there is more than one security module that has a
+ * object "context" it's necessary to put the object data
+ * into a separate record to maintain compatibility.
+ */
+ if (lsm_multiple_contexts()) {
+ audit_log_format(ab, " obj=?");
+ context = ab->ctx;
+ if (context)
+ lsmab = audit_log_start(context, GFP_KERNEL,
+ AUDIT_MAC_OBJ_CONTEXTS);
+ WARN_ONCE(!context, "Context not set for object\n");
+ }
+
+ for (i = 0; i < LSMBLOB_ENTRIES; i++) {
+ if (blob->secid[i] == 0)
+ continue;
+ error = security_secid_to_secctx(blob, &lsmdata, i);
+ if (error && error != -EINVAL) {
+ audit_panic("error in audit_log_object_context");
+ return error;
+ }
+
+ if (context) {
+ audit_log_format(lsmab, "%sobj_%s=\"%s\"",
+ sep ? " " : "",
+ lsm_slot_to_name(i),
+ lsmdata.context);
+ sep = true;
+ } else
+ audit_log_format(ab, " obj=%s", lsmdata.context);
+
+ security_release_secctx(&lsmdata);
+ if (!context)
+ break;
+ }
+
+ if (context)
+ audit_log_end(lsmab);
+
+ return 0;
+}
+EXPORT_SYMBOL(audit_log_object_context);
+
void audit_log_d_path_exe(struct audit_buffer *ab,
struct mm_struct *mm)
{
diff --git a/kernel/audit.h b/kernel/audit.h
index ddc1a69edc79..d62f3cb09278 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -78,7 +78,7 @@ struct audit_names {
kuid_t uid;
kgid_t gid;
dev_t rdev;
- u32 osid;
+ struct lsmblob oblob;
struct audit_cap_data fcap;
unsigned int fcap_ver;
unsigned char type; /* record type */
@@ -153,7 +153,7 @@ struct audit_context {
kuid_t uid;
kgid_t gid;
umode_t mode;
- u32 osid;
+ struct lsmblob oblob;
int has_perm;
uid_t perm_uid;
gid_t perm_gid;
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 01fdcbf468c0..5261a69a050a 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -691,14 +691,6 @@ static int audit_filter_rules(struct task_struct *tsk,
if (f->lsm_isset) {
/* Find files that match */
if (name) {
- /*
- * lsmblob_init sets all values in the
- * lsmblob to sid. This is temporary
- * until name->osid is converted to a
- * lsmblob, which happens later in
- * this patch set.
- */
- lsmblob_init(&blob, name->osid);
result = security_audit_rule_match(
&blob,
f->type,
@@ -706,7 +698,6 @@ static int audit_filter_rules(struct task_struct *tsk,
f->lsm_rules);
} else if (ctx) {
list_for_each_entry(n, &ctx->names_list, list) {
- lsmblob_init(&blob, name->osid);
if (security_audit_rule_match(
&blob,
f->type,
@@ -720,8 +711,7 @@ static int audit_filter_rules(struct task_struct *tsk,
/* Find ipc objects that match */
if (!ctx || ctx->type != AUDIT_IPC)
break;
- lsmblob_init(&blob, ctx->ipc.osid);
- if (security_audit_rule_match(&blob,
+ if (security_audit_rule_match(&ctx->ipc.oblob,
f->type, f->op,
f->lsm_rules))
++result;
@@ -1031,7 +1021,6 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
struct lsmblob *blob, char *comm)
{
struct audit_buffer *ab;
- struct lsmcontext lsmctx;
int rc = 0;
ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID);
@@ -1041,15 +1030,8 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid,
from_kuid(&init_user_ns, auid),
from_kuid(&init_user_ns, uid), sessionid);
- if (lsmblob_is_set(blob)) {
- if (security_secid_to_secctx(blob, &lsmctx, LSMBLOB_FIRST)) {
- audit_log_format(ab, " obj=(none)");
- rc = 1;
- } else {
- audit_log_format(ab, " obj=%s", lsmctx.context);
- security_release_secctx(&lsmctx);
- }
- }
+ if (lsmblob_is_set(blob))
+ rc = audit_log_object_context(ab, blob);
audit_log_format(ab, " ocomm=");
audit_log_untrustedstring(ab, comm);
audit_log_end(ab);
@@ -1277,26 +1259,15 @@ static void show_special(struct audit_context *context, int *call_panic)
context->socketcall.args[i]);
break; }
case AUDIT_IPC: {
- u32 osid = context->ipc.osid;
+ struct lsmblob *oblob = &context->ipc.oblob;
audit_log_format(ab, "ouid=%u ogid=%u mode=%#ho",
from_kuid(&init_user_ns, context->ipc.uid),
from_kgid(&init_user_ns, context->ipc.gid),
context->ipc.mode);
- if (osid) {
- struct lsmcontext lsmcxt;
- struct lsmblob blob;
-
- lsmblob_init(&blob, osid);
- if (security_secid_to_secctx(&blob, &lsmcxt,
- LSMBLOB_FIRST)) {
- audit_log_format(ab, " osid=%u", osid);
- *call_panic = 1;
- } else {
- audit_log_format(ab, " obj=%s", lsmcxt.context);
- security_release_secctx(&lsmcxt);
- }
- }
+ if (lsmblob_is_set(oblob) &&
+ audit_log_object_context(ab, oblob))
+ *call_panic = 1;
if (context->ipc.has_perm) {
audit_log_end(ab);
ab = audit_log_start(context, GFP_KERNEL,
@@ -1441,20 +1412,9 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n,
from_kgid(&init_user_ns, n->gid),
MAJOR(n->rdev),
MINOR(n->rdev));
- if (n->osid != 0) {
- struct lsmblob blob;
- struct lsmcontext lsmctx;
-
- lsmblob_init(&blob, n->osid);
- if (security_secid_to_secctx(&blob, &lsmctx, LSMBLOB_FIRST)) {
- audit_log_format(ab, " osid=%u", n->osid);
- if (call_panic)
- *call_panic = 2;
- } else {
- audit_log_format(ab, " obj=%s", lsmctx.context);
- security_release_secctx(&lsmctx);
- }
- }
+ if (lsmblob_is_set(&n->oblob) &&
+ audit_log_object_context(ab, &n->oblob) && call_panic)
+ *call_panic = 2;
/* log the audit_names record type */
switch (n->type) {
@@ -2001,17 +1961,13 @@ static void audit_copy_inode(struct audit_names *name,
const struct dentry *dentry,
struct inode *inode, unsigned int flags)
{
- struct lsmblob blob;
-
name->ino = inode->i_ino;
name->dev = inode->i_sb->s_dev;
name->mode = inode->i_mode;
name->uid = inode->i_uid;
name->gid = inode->i_gid;
name->rdev = inode->i_rdev;
- security_inode_getsecid(inode, &blob);
- /* scaffolding until osid is updated */
- name->osid = blob.secid[0];
+ security_inode_getsecid(inode, &name->oblob);
if (flags & AUDIT_INODE_NOEVAL) {
name->fcap_ver = -1;
return;
@@ -2358,17 +2314,12 @@ void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat)
void __audit_ipc_obj(struct kern_ipc_perm *ipcp)
{
struct audit_context *context = audit_context();
- struct lsmblob blob;
context->ipc.uid = ipcp->uid;
context->ipc.gid = ipcp->gid;
context->ipc.mode = ipcp->mode;
context->ipc.has_perm = 0;
- security_ipc_getsecid(ipcp, &blob);
- /* context->ipc.osid will be changed to a lsmblob later in
- * the patch series. This will allow auditing of all the object
- * labels associated with the ipc object. */
- context->ipc.osid = lsmblob_value(&blob);
+ security_ipc_getsecid(ipcp, &context->ipc.oblob);
context->type = AUDIT_IPC;
}
--
2.31.1
WARNING: multiple messages have this Message-ID (diff)
From: Casey Schaufler <casey@schaufler-ca.com>
To: casey.schaufler@intel.com, jmorris@namei.org,
linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Cc: john.johansen@canonical.com, linux-kernel@vger.kernel.org,
linux-audit@redhat.com, sds@tycho.nsa.gov
Subject: [PATCH v28 23/25] Audit: Add record for multiple object LSM attributes
Date: Wed, 21 Jul 2021 17:47:56 -0700 [thread overview]
Message-ID: <20210722004758.12371-24-casey@schaufler-ca.com> (raw)
In-Reply-To: <20210722004758.12371-1-casey@schaufler-ca.com>
Create a new audit record type to contain the object information
when there are multiple security modules that may require such data.
This record is linked with the same timestamp and serial number.
An example of the MAC_OBJ_CONTEXTS (1421) record is:
type=UNKNOWN[1421]
msg=audit(1601152467.009:1050):
obj_selinux="unconfined_u:object_r:user_home_t:s0"
Not all security modules that can provide object information
do so in all cases. It is possible that a security module won't
apply an object attribute in all cases.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Cc: linux-audit@redhat.com
To: Paul Moore <paul@paul-moore.com>
---
include/linux/audit.h | 7 ++++
include/uapi/linux/audit.h | 1 +
kernel/audit.c | 54 ++++++++++++++++++++++++++++
kernel/audit.h | 4 +--
kernel/auditsc.c | 73 +++++++-------------------------------
5 files changed, 76 insertions(+), 63 deletions(-)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 85eb87f6f92d..6bf0c86fcbc9 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -187,6 +187,8 @@ extern void audit_log_path_denied(int type,
extern void audit_log_lost(const char *message);
extern int audit_log_task_context(struct audit_buffer *ab);
+extern int audit_log_object_context(struct audit_buffer *ab,
+ struct lsmblob *blob);
extern void audit_log_task_info(struct audit_buffer *ab);
extern int audit_update_lsm_rules(void);
@@ -250,6 +252,11 @@ static inline int audit_log_task_context(struct audit_buffer *ab)
{
return 0;
}
+static inline int audit_log_object_context(struct audit_buffer *ab,
+ struct lsmblob *blob)
+{
+ return 0;
+}
static inline void audit_log_task_info(struct audit_buffer *ab)
{ }
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 4432a8bed8e0..4efed1abcd54 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -140,6 +140,7 @@
#define AUDIT_MAC_CALIPSO_ADD 1418 /* NetLabel: add CALIPSO DOI entry */
#define AUDIT_MAC_CALIPSO_DEL 1419 /* NetLabel: del CALIPSO DOI entry */
#define AUDIT_MAC_TASK_CONTEXTS 1420 /* Multiple LSM contexts */
+#define AUDIT_MAC_OBJ_CONTEXTS 1421 /* Multiple LSM object contexts */
#define AUDIT_FIRST_KERN_ANOM_MSG 1700
#define AUDIT_LAST_KERN_ANOM_MSG 1799
diff --git a/kernel/audit.c b/kernel/audit.c
index cba63789a164..c500b303e39f 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -2204,6 +2204,60 @@ int audit_log_task_context(struct audit_buffer *ab)
}
EXPORT_SYMBOL(audit_log_task_context);
+int audit_log_object_context(struct audit_buffer *ab,
+ struct lsmblob *blob)
+{
+ int i;
+ int error;
+ bool sep = false;
+ struct lsmcontext lsmdata;
+ struct audit_buffer *lsmab = NULL;
+ struct audit_context *context = NULL;
+
+ /*
+ * If there is more than one security module that has a
+ * object "context" it's necessary to put the object data
+ * into a separate record to maintain compatibility.
+ */
+ if (lsm_multiple_contexts()) {
+ audit_log_format(ab, " obj=?");
+ context = ab->ctx;
+ if (context)
+ lsmab = audit_log_start(context, GFP_KERNEL,
+ AUDIT_MAC_OBJ_CONTEXTS);
+ WARN_ONCE(!context, "Context not set for object\n");
+ }
+
+ for (i = 0; i < LSMBLOB_ENTRIES; i++) {
+ if (blob->secid[i] == 0)
+ continue;
+ error = security_secid_to_secctx(blob, &lsmdata, i);
+ if (error && error != -EINVAL) {
+ audit_panic("error in audit_log_object_context");
+ return error;
+ }
+
+ if (context) {
+ audit_log_format(lsmab, "%sobj_%s=\"%s\"",
+ sep ? " " : "",
+ lsm_slot_to_name(i),
+ lsmdata.context);
+ sep = true;
+ } else
+ audit_log_format(ab, " obj=%s", lsmdata.context);
+
+ security_release_secctx(&lsmdata);
+ if (!context)
+ break;
+ }
+
+ if (context)
+ audit_log_end(lsmab);
+
+ return 0;
+}
+EXPORT_SYMBOL(audit_log_object_context);
+
void audit_log_d_path_exe(struct audit_buffer *ab,
struct mm_struct *mm)
{
diff --git a/kernel/audit.h b/kernel/audit.h
index ddc1a69edc79..d62f3cb09278 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -78,7 +78,7 @@ struct audit_names {
kuid_t uid;
kgid_t gid;
dev_t rdev;
- u32 osid;
+ struct lsmblob oblob;
struct audit_cap_data fcap;
unsigned int fcap_ver;
unsigned char type; /* record type */
@@ -153,7 +153,7 @@ struct audit_context {
kuid_t uid;
kgid_t gid;
umode_t mode;
- u32 osid;
+ struct lsmblob oblob;
int has_perm;
uid_t perm_uid;
gid_t perm_gid;
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 01fdcbf468c0..5261a69a050a 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -691,14 +691,6 @@ static int audit_filter_rules(struct task_struct *tsk,
if (f->lsm_isset) {
/* Find files that match */
if (name) {
- /*
- * lsmblob_init sets all values in the
- * lsmblob to sid. This is temporary
- * until name->osid is converted to a
- * lsmblob, which happens later in
- * this patch set.
- */
- lsmblob_init(&blob, name->osid);
result = security_audit_rule_match(
&blob,
f->type,
@@ -706,7 +698,6 @@ static int audit_filter_rules(struct task_struct *tsk,
f->lsm_rules);
} else if (ctx) {
list_for_each_entry(n, &ctx->names_list, list) {
- lsmblob_init(&blob, name->osid);
if (security_audit_rule_match(
&blob,
f->type,
@@ -720,8 +711,7 @@ static int audit_filter_rules(struct task_struct *tsk,
/* Find ipc objects that match */
if (!ctx || ctx->type != AUDIT_IPC)
break;
- lsmblob_init(&blob, ctx->ipc.osid);
- if (security_audit_rule_match(&blob,
+ if (security_audit_rule_match(&ctx->ipc.oblob,
f->type, f->op,
f->lsm_rules))
++result;
@@ -1031,7 +1021,6 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
struct lsmblob *blob, char *comm)
{
struct audit_buffer *ab;
- struct lsmcontext lsmctx;
int rc = 0;
ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID);
@@ -1041,15 +1030,8 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid,
from_kuid(&init_user_ns, auid),
from_kuid(&init_user_ns, uid), sessionid);
- if (lsmblob_is_set(blob)) {
- if (security_secid_to_secctx(blob, &lsmctx, LSMBLOB_FIRST)) {
- audit_log_format(ab, " obj=(none)");
- rc = 1;
- } else {
- audit_log_format(ab, " obj=%s", lsmctx.context);
- security_release_secctx(&lsmctx);
- }
- }
+ if (lsmblob_is_set(blob))
+ rc = audit_log_object_context(ab, blob);
audit_log_format(ab, " ocomm=");
audit_log_untrustedstring(ab, comm);
audit_log_end(ab);
@@ -1277,26 +1259,15 @@ static void show_special(struct audit_context *context, int *call_panic)
context->socketcall.args[i]);
break; }
case AUDIT_IPC: {
- u32 osid = context->ipc.osid;
+ struct lsmblob *oblob = &context->ipc.oblob;
audit_log_format(ab, "ouid=%u ogid=%u mode=%#ho",
from_kuid(&init_user_ns, context->ipc.uid),
from_kgid(&init_user_ns, context->ipc.gid),
context->ipc.mode);
- if (osid) {
- struct lsmcontext lsmcxt;
- struct lsmblob blob;
-
- lsmblob_init(&blob, osid);
- if (security_secid_to_secctx(&blob, &lsmcxt,
- LSMBLOB_FIRST)) {
- audit_log_format(ab, " osid=%u", osid);
- *call_panic = 1;
- } else {
- audit_log_format(ab, " obj=%s", lsmcxt.context);
- security_release_secctx(&lsmcxt);
- }
- }
+ if (lsmblob_is_set(oblob) &&
+ audit_log_object_context(ab, oblob))
+ *call_panic = 1;
if (context->ipc.has_perm) {
audit_log_end(ab);
ab = audit_log_start(context, GFP_KERNEL,
@@ -1441,20 +1412,9 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n,
from_kgid(&init_user_ns, n->gid),
MAJOR(n->rdev),
MINOR(n->rdev));
- if (n->osid != 0) {
- struct lsmblob blob;
- struct lsmcontext lsmctx;
-
- lsmblob_init(&blob, n->osid);
- if (security_secid_to_secctx(&blob, &lsmctx, LSMBLOB_FIRST)) {
- audit_log_format(ab, " osid=%u", n->osid);
- if (call_panic)
- *call_panic = 2;
- } else {
- audit_log_format(ab, " obj=%s", lsmctx.context);
- security_release_secctx(&lsmctx);
- }
- }
+ if (lsmblob_is_set(&n->oblob) &&
+ audit_log_object_context(ab, &n->oblob) && call_panic)
+ *call_panic = 2;
/* log the audit_names record type */
switch (n->type) {
@@ -2001,17 +1961,13 @@ static void audit_copy_inode(struct audit_names *name,
const struct dentry *dentry,
struct inode *inode, unsigned int flags)
{
- struct lsmblob blob;
-
name->ino = inode->i_ino;
name->dev = inode->i_sb->s_dev;
name->mode = inode->i_mode;
name->uid = inode->i_uid;
name->gid = inode->i_gid;
name->rdev = inode->i_rdev;
- security_inode_getsecid(inode, &blob);
- /* scaffolding until osid is updated */
- name->osid = blob.secid[0];
+ security_inode_getsecid(inode, &name->oblob);
if (flags & AUDIT_INODE_NOEVAL) {
name->fcap_ver = -1;
return;
@@ -2358,17 +2314,12 @@ void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat)
void __audit_ipc_obj(struct kern_ipc_perm *ipcp)
{
struct audit_context *context = audit_context();
- struct lsmblob blob;
context->ipc.uid = ipcp->uid;
context->ipc.gid = ipcp->gid;
context->ipc.mode = ipcp->mode;
context->ipc.has_perm = 0;
- security_ipc_getsecid(ipcp, &blob);
- /* context->ipc.osid will be changed to a lsmblob later in
- * the patch series. This will allow auditing of all the object
- * labels associated with the ipc object. */
- context->ipc.osid = lsmblob_value(&blob);
+ security_ipc_getsecid(ipcp, &context->ipc.oblob);
context->type = AUDIT_IPC;
}
--
2.31.1
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
next prev parent reply other threads:[~2021-07-22 1:13 UTC|newest]
Thread overview: 94+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20210722004758.12371-1-casey.ref@schaufler-ca.com>
2021-07-22 0:47 ` [PATCH v28 00/25] LSM: Module stacking for AppArmor Casey Schaufler
2021-07-22 0:47 ` Casey Schaufler
2021-07-22 0:47 ` [PATCH v28 01/25] LSM: Infrastructure management of the sock security Casey Schaufler
2021-07-22 0:47 ` Casey Schaufler
2021-07-22 0:47 ` [PATCH v28 02/25] LSM: Add the lsmblob data structure Casey Schaufler
2021-07-22 0:47 ` Casey Schaufler
2021-07-22 0:47 ` [PATCH v28 03/25] LSM: provide lsm name and id slot mappings Casey Schaufler
2021-07-22 0:47 ` Casey Schaufler
2021-07-22 0:47 ` [PATCH v28 04/25] IMA: avoid label collisions with stacked LSMs Casey Schaufler
2021-07-22 0:47 ` Casey Schaufler
2021-07-22 0:47 ` [PATCH v28 05/25] LSM: Use lsmblob in security_audit_rule_match Casey Schaufler
2021-07-22 0:47 ` Casey Schaufler
2021-07-22 0:47 ` [PATCH v28 06/25] LSM: Use lsmblob in security_kernel_act_as Casey Schaufler
2021-07-22 0:47 ` Casey Schaufler
2021-07-22 0:47 ` [PATCH v28 07/25] LSM: Use lsmblob in security_secctx_to_secid Casey Schaufler
2021-07-22 0:47 ` Casey Schaufler
2021-07-22 0:47 ` [PATCH v28 08/25] LSM: Use lsmblob in security_secid_to_secctx Casey Schaufler
2021-07-22 0:47 ` Casey Schaufler
2021-07-22 0:47 ` [PATCH v28 09/25] LSM: Use lsmblob in security_ipc_getsecid Casey Schaufler
2021-07-22 0:47 ` Casey Schaufler
2021-07-22 0:47 ` [PATCH v28 10/25] LSM: Use lsmblob in security_task_getsecid Casey Schaufler
2021-07-22 0:47 ` Casey Schaufler
2021-07-22 0:47 ` [PATCH v28 11/25] LSM: Use lsmblob in security_inode_getsecid Casey Schaufler
2021-07-22 0:47 ` Casey Schaufler
2021-07-22 0:47 ` [PATCH v28 12/25] LSM: Use lsmblob in security_cred_getsecid Casey Schaufler
2021-07-22 0:47 ` Casey Schaufler
2021-07-23 23:56 ` kernel test robot
2021-07-23 23:56 ` kernel test robot
2021-07-23 23:56 ` kernel test robot
2021-07-22 0:47 ` [PATCH v28 13/25] IMA: Change internal interfaces to use lsmblobs Casey Schaufler
2021-07-22 0:47 ` Casey Schaufler
2021-07-22 0:47 ` [PATCH v28 14/25] LSM: Specify which LSM to display Casey Schaufler
2021-07-22 0:47 ` Casey Schaufler
2021-07-22 0:47 ` [PATCH v28 15/25] LSM: Ensure the correct LSM context releaser Casey Schaufler
2021-07-22 0:47 ` Casey Schaufler
2021-07-22 0:47 ` [PATCH v28 16/25] LSM: Use lsmcontext in security_secid_to_secctx Casey Schaufler
2021-07-22 0:47 ` Casey Schaufler
2021-07-22 0:47 ` [PATCH v28 17/25] LSM: Use lsmcontext in security_inode_getsecctx Casey Schaufler
2021-07-22 0:47 ` Casey Schaufler
2021-07-22 0:47 ` [PATCH v28 18/25] LSM: security_secid_to_secctx in netlink netfilter Casey Schaufler
2021-07-22 0:47 ` Casey Schaufler
2021-07-22 0:47 ` [PATCH v28 19/25] NET: Store LSM netlabel data in a lsmblob Casey Schaufler
2021-07-22 0:47 ` Casey Schaufler
2021-07-22 0:47 ` [PATCH v28 20/25] LSM: Verify LSM display sanity in binder Casey Schaufler
2021-07-22 0:47 ` Casey Schaufler
2021-07-22 0:47 ` [PATCH v28 21/25] audit: support non-syscall auxiliary records Casey Schaufler
2021-07-22 0:47 ` Casey Schaufler
2021-07-22 17:02 ` kernel test robot
2021-07-22 17:02 ` kernel test robot
2021-07-22 17:02 ` kernel test robot
2021-07-22 0:47 ` [PATCH v28 22/25] Audit: Add record for multiple process LSM attributes Casey Schaufler
2021-07-22 0:47 ` Casey Schaufler
2021-07-22 4:08 ` kernel test robot
2021-07-22 4:08 ` kernel test robot
2021-08-12 20:59 ` Paul Moore
2021-08-12 20:59 ` Paul Moore
2021-08-12 22:38 ` Casey Schaufler
2021-08-12 22:38 ` Casey Schaufler
2021-08-13 15:31 ` Paul Moore
2021-08-13 15:31 ` Paul Moore
2021-08-13 18:48 ` Casey Schaufler
2021-08-13 18:48 ` Casey Schaufler
2021-08-13 20:43 ` Paul Moore
2021-08-13 20:43 ` Paul Moore
2021-08-13 21:47 ` Casey Schaufler
2021-08-13 21:47 ` Casey Schaufler
2021-08-16 18:57 ` Paul Moore
2021-08-16 18:57 ` Paul Moore
2021-08-18 21:59 ` Casey Schaufler
2021-08-18 21:59 ` Casey Schaufler
2021-08-19 0:47 ` Paul Moore
2021-08-19 0:47 ` Paul Moore
2021-08-19 0:56 ` Casey Schaufler
2021-08-19 0:56 ` Casey Schaufler
2021-08-19 22:41 ` Casey Schaufler
2021-08-19 22:41 ` Casey Schaufler
2021-08-20 19:06 ` Paul Moore
2021-08-20 19:06 ` Paul Moore
2021-08-20 19:17 ` Casey Schaufler
2021-08-20 19:17 ` Casey Schaufler
2021-08-20 23:48 ` Casey Schaufler
2021-08-20 23:48 ` Casey Schaufler
2021-08-24 14:45 ` Paul Moore
2021-08-24 14:45 ` Paul Moore
2021-08-24 15:20 ` Casey Schaufler
2021-08-24 15:20 ` Casey Schaufler
2021-08-24 16:14 ` Paul Moore
2021-08-24 16:14 ` Paul Moore
2021-07-22 0:47 ` Casey Schaufler [this message]
2021-07-22 0:47 ` [PATCH v28 23/25] Audit: Add record for multiple object " Casey Schaufler
2021-07-22 0:47 ` [PATCH v28 24/25] LSM: Add /proc attr entry for full LSM context Casey Schaufler
2021-07-22 0:47 ` Casey Schaufler
2021-07-22 0:47 ` [PATCH v28 25/25] AppArmor: Remove the exclusive flag Casey Schaufler
2021-07-22 0:47 ` Casey Schaufler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210722004758.12371-24-casey@schaufler-ca.com \
--to=casey@schaufler-ca.com \
--cc=casey.schaufler@intel.com \
--cc=jmorris@namei.org \
--cc=john.johansen@canonical.com \
--cc=keescook@chromium.org \
--cc=linux-audit@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=penguin-kernel@i-love.sakura.ne.jp \
--cc=sds@tycho.nsa.gov \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.