rpms/kernel/devel linux-2.6-audit-pending.patch, NONE, 1.1.2.1 kernel-2.6.spec, 1.2139.2.1, 1.2139.2.2
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Mon Apr 24 22:24:12 UTC 2006
Author: sgrubb
Update of /cvs/dist/rpms/kernel/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv8015
Modified Files:
Tag: private-lspp-18-branch
kernel-2.6.spec
Added Files:
Tag: private-lspp-18-branch
linux-2.6-audit-pending.patch
Log Message:
Add watches to lspp kernel
linux-2.6-audit-pending.patch:
fs/Kconfig | 24 -
fs/Makefile | 1
fs/exec.c | 6
fs/inotify.c | 966 ++++++++++++-----------------------------------
fs/inotify_user.c | 708 ++++++++++++++++++++++++++++++++++
include/linux/audit.h | 7
include/linux/fsnotify.h | 29 -
include/linux/inotify.h | 85 +++-
include/linux/sched.h | 2
init/Kconfig | 3
kernel/audit.c | 27 -
kernel/audit.h | 22 -
kernel/auditfilter.c | 673 ++++++++++++++++++++++++++++++--
kernel/auditsc.c | 116 ++++-
kernel/sysctl.c | 4
kernel/user.c | 2
16 files changed, 1867 insertions(+), 808 deletions(-)
--- NEW FILE linux-2.6-audit-pending.patch ---
diff --git a/fs/Kconfig b/fs/Kconfig
index 2524629..74b957c 100644
--- a/fs/Kconfig
+++ b/fs/Kconfig
@@ -393,18 +393,30 @@ config INOTIFY
bool "Inotify file change notification support"
default y
---help---
- Say Y here to enable inotify support and the associated system
- calls. Inotify is a file change notification system and a
- replacement for dnotify. Inotify fixes numerous shortcomings in
- dnotify and introduces several new features. It allows monitoring
- of both files and directories via a single open fd. Other features
- include multiple file events, one-shot support, and unmount
+ Say Y here to enable inotify support. Inotify is a file change
+ notification system and a replacement for dnotify. Inotify fixes
+ numerous shortcomings in dnotify and introduces several new features
+ including multiple file events, one-shot support, and unmount
notification.
For more information, see Documentation/filesystems/inotify.txt
If unsure, say Y.
+config INOTIFY_USER
+ bool "Inotify support for userspace"
+ depends on INOTIFY
+ default y
+ ---help---
+ Say Y here to enable inotify support for userspace, including the
+ associated system calls. Inotify allows monitoring of both files and
+ directories via a single open fd. Events are read from the file
+ descriptor, which is also select()- and poll()-able.
+
+ For more information, see Documentation/filesystems/inotify.txt
+
+ If unsure, say Y.
+
config QUOTA
bool "Quota support"
help
diff --git a/fs/Makefile b/fs/Makefile
index 83bf478..6d7b4be 100644
--- a/fs/Makefile
+++ b/fs/Makefile
@@ -13,6 +13,7 @@ obj-y := open.o read_write.o file_table.
ioprio.o pnode.o drop_caches.o splice.o sync.o
obj-$(CONFIG_INOTIFY) += inotify.o
+obj-$(CONFIG_INOTIFY_USER) += inotify_user.o
obj-$(CONFIG_EPOLL) += eventpoll.o
obj-$(CONFIG_COMPAT) += compat.o compat_ioctl.o
diff --git a/fs/exec.c b/fs/exec.c
index 4121bb5..9260a16 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -49,6 +49,7 @@
#include <linux/rmap.h>
#include <linux/acct.h>
#include <linux/cn_proc.h>
+#include <linux/audit.h>
#include <asm/uaccess.h>
#include <asm/mmu_context.h>
@@ -1085,6 +1086,11 @@ int search_binary_handler(struct linux_b
/* kernel module loader fixup */
/* so we don't try to load run modprobe in kernel space. */
set_fs(USER_DS);
+
+ retval = audit_bprm(bprm);
+ if (retval)
+ return retval;
+
retval = -ENOENT;
for (try=0; try<2; try++) {
read_lock(&binfmt_lock);
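Review bot: audit_bprm() is called unconditionally on entry to search_binary_handler, so if this function is re-entered for the same bprm by a binfmt handler that rewrites argv and recurses (interpreter-style handlers do that), one AUDIT_EXECVE aux record is appended per entry; confirm that is intended or guard it with a flag on the audit context. The `if (retval) return retval;` also turns an allocation failure inside audit_bprm into a failed exec, which is presumably the fail-closed behaviour wanted for auditing but deserves a comment at the call: `/* record argv before any handler consumes it; an audit failure aborts the exec */`. search_binary_handler begins and ends outside this hunk.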
diff --git a/fs/inotify.c b/fs/inotify.c
index 1f50302..a97f861 100644
--- a/fs/inotify.c
+++ b/fs/inotify.c
@@ -20,35 +20,17 @@
#include <linux/module.h>
#include <linux/kernel.h>
-#include <linux/sched.h>
#include <linux/spinlock.h>
#include <linux/idr.h>
#include <linux/slab.h>
#include <linux/fs.h>
-#include <linux/file.h>
-#include <linux/mount.h>
-#include <linux/namei.h>
-#include <linux/poll.h>
#include <linux/init.h>
#include <linux/list.h>
#include <linux/writeback.h>
#include <linux/inotify.h>
-#include <linux/syscalls.h>
-
-#include <asm/ioctls.h>
static atomic_t inotify_cookie;
-static kmem_cache_t *watch_cachep __read_mostly;
-static kmem_cache_t *event_cachep __read_mostly;
-
-static struct vfsmount *inotify_mnt __read_mostly;
-
-/* these are configurable via /proc/sys/fs/inotify/ */
-int inotify_max_user_instances __read_mostly;
-int inotify_max_user_watches __read_mostly;
-int inotify_max_queued_events __read_mostly;
-
/*
* Lock ordering:
*
@@ -56,128 +38,62 @@ int inotify_max_queued_events __read_mos
* iprune_mutex (synchronize shrink_icache_memory())
* inode_lock (protects the super_block->s_inodes list)
* inode->inotify_mutex (protects inode->inotify_watches and watches->i_list)
- * inotify_dev->mutex (protects inotify_device and watches->d_list)
+ * inotify_handle->mutex (protects inotify_handle and watches->h_list)
+ *
+ * The inode->inotify_mutex and inotify_handle->mutex and held during execution
+ * of a caller's event callback. Thus, the caller must not hold any locks
+ * taking during callback processing while calling any of the published inotify
+ * routines, i.e.
+ * inotify_init
+ * inotify_destroy
+ * inotify_find_watch
+ * inotify_find_update_watch
+ * inotify_add_watch
+ * inotify_rm_wd
+ * inotify_rm_watch
*/
/*
- * Lifetimes of the three main data structures--inotify_device, inode, and
+ * Lifetimes of the three main data structures--inotify_handle, inode, and
* inotify_watch--are managed by reference count.
*
- * inotify_device: Lifetime is from inotify_init() until release. Additional
- * references can bump the count via get_inotify_dev() and drop the count via
- * put_inotify_dev().
- *
- * inotify_watch: Lifetime is from create_watch() to destory_watch().
- * Additional references can bump the count via get_inotify_watch() and drop
- * the count via put_inotify_watch().
+ * inotify_handle: Lifetime is from inotify_init() to inotify_destroy().
+ * Additional references can bump the count via get_inotify_handle() and drop
+ * the count via put_inotify_handle().
+ *
+ * inotify_watch: Lifetime is from inotify_add_watch() to
+ * remove_watch_no_event(). Additional references can bump the count via
+ * get_inotify_watch() and drop the count via put_inotify_watch().
*
* inode: Pinned so long as the inode is associated with a watch, from
- * create_watch() to put_inotify_watch().
+ * inotify_add_watch() to the final put_inotify_watch().
*/
/*
- * struct inotify_device - represents an inotify instance
+ * struct inotify_handle - represents an inotify instance
*
* This structure is protected by the mutex 'mutex'.
*/
-struct inotify_device {
- wait_queue_head_t wq; /* wait queue for i/o */
+struct inotify_handle {
struct idr idr; /* idr mapping wd -> watch */
struct mutex mutex; /* protects this bad boy */
- struct list_head events; /* list of queued events */
struct list_head watches; /* list of watches */
atomic_t count; /* reference count */
- struct user_struct *user; /* user who opened this dev */
- unsigned int queue_size; /* size of the queue (bytes) */
- unsigned int event_count; /* number of pending events */
- unsigned int max_events; /* maximum number of events */
u32 last_wd; /* the last wd allocated */
+ void (*callback)(struct inotify_watch *, u32, u32, u32, const char *,
+ struct inode *); /* event callback */
};
-/*
- * struct inotify_kernel_event - An inotify event, originating from a watch and
- * queued for user-space. A list of these is attached to each instance of the
- * device. In read(), this list is walked and all events that can fit in the
- * buffer are returned.
- *
- * Protected by dev->mutex of the device in which we are queued.
- */
-struct inotify_kernel_event {
- struct inotify_event event; /* the user-space event */
- struct list_head list; /* entry in inotify_device's list */
- char *name; /* filename, if any */
-};
-
[...3156 lines suppressed...]
#include <linux/tty.h>
#include <linux/selinux.h>
+#include <linux/binfmts.h>
#include "audit.h"
@@ -110,6 +111,13 @@ struct audit_aux_data_ipcctl {
u32 osid;
};
+struct audit_aux_data_execve {
+ struct audit_aux_data d;
+ int argc;
+ int envc;
+ char mem[0];
+};
+
struct audit_aux_data_socketcall {
struct audit_aux_data d;
int nargs;
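Review bot: `struct audit_aux_data_execve` says nothing about what `mem` holds, and nothing records how many bytes were copied into it, so the consumer in audit_log_exit has to trust `argc` alone. From the audit_bprm hunk further down, `mem` receives the bytes from `bprm->p` to the end of the argument pages, which the logging loop walks as `argc` NUL-terminated strings (the `envc` strings presumably follow — confirm against the copy_strings layout, not in view). Suggested comment on the array: `/* argc then envc NUL-terminated strings, copied from the exec arg pages by audit_bprm() */`, plus a `size_t len; /* bytes valid in mem */` member so the walk in audit_log_exit can stop at the end of the buffer instead of relying on counts alone.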
@@ -160,6 +168,27 @@ struct audit_context {
#endif
};
+/* Determine if any context name data matches a rule's watch data */
+static inline int audit_match_watch(struct audit_context *ctx,
+ struct audit_watch *watch)
+{
+ int i;
+
+ if (!ctx)
+ return 0;
+
+ if (watch->ino == (unsigned long)-1)
+ return 0;
+
+ for (i = 0; i < ctx->name_count; i++) {
+ if (ctx->names[i].dev == watch->dev &&
+ (ctx->names[i].ino == watch->ino ||
+ ctx->names[i].pino == watch->ino))
+ return 1;
+ }
+
+ return 0;
+}
/* Compare a task_struct with an audit_rule. Return 1 on match, 0
* otherwise. */
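Review bot: The two early returns in audit_match_watch are uncommented: `watch->ino == (unsigned long)-1` reads as a "watch not yet bound to an inode" sentinel and the `pino` comparison extends the match to names whose parent directory is the watched inode, but neither is stated and the header comment only says "matches". Suggested comments: `/* ino of -1: the watched path does not exist yet, nothing can match it */` before the sentinel check and `/* match the watched inode itself, or a name under it (pino) */` on the loop. `watch` is dereferenced unconditionally, which is fine only if every AUDIT_WATCH rule reaching audit_filter_rules (the case added at L270–L272) has `rule->watch` set — the rule-building code that must guarantee this is not in view. `watch->ino`/`watch->dev` are read here without any visible locking; if they can be updated when the watched path appears or disappears, a comment naming what serialises that read would help.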
@@ -254,6 +283,9 @@ static int audit_filter_rules(struct tas
}
}
break;
+ case AUDIT_WATCH:
+ result = audit_match_watch(ctx, rule->watch);
+ break;
case AUDIT_LOGINUID:
result = 0;
if (ctx)
@@ -667,6 +699,16 @@ static void audit_log_exit(struct audit_
kfree(ctx);
}
break; }
+ case AUDIT_EXECVE: {
+ struct audit_aux_data_execve *axi = (void *)aux;
+ int i;
+ char *p;
+ for (i = 0, p = axi->mem; i < axi->argc; i++) {
+ audit_log_format(ab, "a%d=", i);
+ p = audit_log_untrustedstring(ab, p);
+ audit_log_format(ab, "\n");
+ }
+ break; }
case AUDIT_SOCKETCALL: {
int i;
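Review bot: The walk over `axi->mem` is bounded only by `argc`; `audit_log_untrustedstring` is handed `p` alone, so every string must be NUL-terminated inside the bytes audit_bprm copied. That holds when `bprm->argc` matches the strings copy_strings placed in the argument pages (not visible here), but the record keeps no byte count to check against, and a count/contents mismatch would walk past the kmalloc'd buffer. Storing the copied size in the aux struct (hunk at L227–L239) and stopping when `p` reaches the end makes the loop self-bounding: `if (p >= axi->mem + axi->len) break;` as the first statement of the loop. Separately, each argument is followed by `"\n"` inside the record body; audit records are otherwise space-separated key=value fields, so confirm the userspace parser expects an embedded newline here.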
@@ -1061,37 +1103,20 @@ void __audit_inode_child(const char *dna
return;
/* determine matching parent */
- if (dname)
- for (idx = 0; idx < context->name_count; idx++)
- if (context->names[idx].pino == pino) {
- const char *n;
- const char *name = context->names[idx].name;
- int dlen = strlen(dname);
- int nlen = name ? strlen(name) : 0;
-
- if (nlen < dlen)
- continue;
-
- /* disregard trailing slashes */
- n = name + nlen - 1;
- while ((*n == '/') && (n > name))
- n--;
-
- /* find last path component */
- n = n - dlen + 1;
- if (n < name)
- continue;
- else if (n > name) {
- if (*--n != '/')
- continue;
- else
- n++;
- }
+ if (!dname)
+ goto no_match;
+ for (idx = 0; idx < context->name_count; idx++)
+ if (context->names[idx].pino == pino) {
+ const char *name = context->names[idx].name;
- if (strncmp(n, dname, dlen) == 0)
- goto update_context;
- }
+ if (!name)
+ continue;
+ if (audit_compare_dname_path(dname, name) == 0)
+ goto update_context;
+ }
+
+no_match:
/* catch-all in case match not found */
idx = context->name_count++;
context->names[idx].name = NULL;
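Review bot: The new `goto no_match` exists only to skip the loop when `dname` is NULL, where the old code simply did not enter it; keeping `if (dname)` around the loop avoids the label and leaves the catch-all fallthrough as it was: `if (dname) for (idx = 0; idx < context->name_count; idx++)`. The helper's contract is only implied by `== 0` leading to `update_context`; a comment such as `/* audit_compare_dname_path() returns 0 when dname is the final component of name */` (presumably what the removed inline code did) would save the reader a trip to auditfilter.c, which is not in view. __audit_inode_child starts and ends outside this hunk.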
@@ -1231,6 +1256,39 @@ int audit_ipc_set_perm(unsigned long qby
return 0;
}
+int audit_bprm(struct linux_binprm *bprm)
+{
+ struct audit_aux_data_execve *ax;
+ struct audit_context *context = current->audit_context;
+ unsigned long p, next;
+ void *to;
+
+ if (likely(!audit_enabled || !context))
+ return 0;
+
+ ax = kmalloc(sizeof(*ax) + PAGE_SIZE * MAX_ARG_PAGES - bprm->p,
+ GFP_KERNEL);
+ if (!ax)
+ return -ENOMEM;
+
+ ax->argc = bprm->argc;
+ ax->envc = bprm->envc;
+ for (p = bprm->p, to = ax->mem; p < MAX_ARG_PAGES*PAGE_SIZE; p = next) {
+ struct page *page = bprm->page[p / PAGE_SIZE];
+ void *kaddr = kmap(page);
+ next = (p + PAGE_SIZE) & ~(PAGE_SIZE - 1);
+ memcpy(to, kaddr + (p & (PAGE_SIZE - 1)), next - p);
+ to += next - p;
+ kunmap(page);
+ }
+
+ ax->d.type = AUDIT_EXECVE;
+ ax->d.next = context->aux;
+ context->aux = (void *)ax;
+ return 0;
+}
+
+
/**
* audit_socketcall - record audit data for sys_socketcall
* @nargs: number of args
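Review bot: audit_bprm allocates `sizeof(*ax) + PAGE_SIZE * MAX_ARG_PAGES - bprm->p` with kmalloc(GFP_KERNEL), i.e. the whole remaining argument area including the environment, although only the first `argc` strings are ever logged (`envc` is stored but not printed anywhere on this page). Whatever MAX_ARG_PAGES and PAGE_SIZE are on a given architecture, that is a potentially large contiguous allocation per exec, and when it fails the caller in fs/exec.c (hunk at L94–L105) turns the -ENOMEM into a failed exec for every audited task; copying only the argv bytes, or using vmalloc for the buffer, would narrow that. The function has no header comment; suggested: `/* audit_bprm - snapshot argv/envp of an execve into an AUDIT_EXECVE aux record; returns 0 or -ENOMEM */`. Recording the copied size alongside argc, e.g. `ax->len = PAGE_SIZE * MAX_ARG_PAGES - bprm->p;` with a matching member in the struct hunk at L227–L239, would also let audit_log_exit bound its string walk.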
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index e82726f..0d656e6 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -150,7 +150,7 @@ extern ctl_table random_table[];
#ifdef CONFIG_UNIX98_PTYS
extern ctl_table pty_table[];
#endif
-#ifdef CONFIG_INOTIFY
+#ifdef CONFIG_INOTIFY_USER
extern ctl_table inotify_table[];
#endif
@@ -1028,7 +1028,7 @@ static ctl_table fs_table[] = {
.mode = 0644,
.proc_handler = &proc_doulongvec_minmax,
},
-#ifdef CONFIG_INOTIFY
+#ifdef CONFIG_INOTIFY_USER
{
.ctl_name = FS_INOTIFY,
.procname = "inotify",
diff --git a/kernel/user.c b/kernel/user.c
index 2116642..4b1eb74 100644
--- a/kernel/user.c
+++ b/kernel/user.c
@@ -140,7 +140,7 @@ struct user_struct * alloc_uid(uid_t uid
atomic_set(&new->processes, 0);
atomic_set(&new->files, 0);
atomic_set(&new->sigpending, 0);
-#ifdef CONFIG_INOTIFY
+#ifdef CONFIG_INOTIFY_USER
atomic_set(&new->inotify_watches, 0);
atomic_set(&new->inotify_devs, 0);
#endif
Index: kernel-2.6.spec
===================================================================
RCS file: /cvs/dist/rpms/kernel/devel/kernel-2.6.spec,v
retrieving revision 1.2139.2.1
retrieving revision 1.2139.2.2
diff -u -r1.2139.2.1 -r1.2139.2.2
--- kernel-2.6.spec 19 Apr 2006 21:11:47 -0000 1.2139.2.1
+++ kernel-2.6.spec 24 Apr 2006 22:24:10 -0000 1.2139.2.2
@@ -25,7 +25,7 @@
%define sublevel 16
%define kversion 2.6.%{sublevel}
%define rpmversion 2.6.%{sublevel}
-%define rhbsys .lspp.18
+%define rhbsys .lspp.19
%define release %(R="$Revision$"; RR="${R##: }"; echo ${RR%%?})_FC6%{rhbsys}
%define signmodules 0
%define make_target bzImage
@@ -388,7 +388,7 @@
# Audit & lspp patches
Patch20100: linux-2.6-audit-git.patch
-Patch20101: linux-2.6-execve.patch
+Patch20101: linux-2.6-audit-pending.patch
# END OF PATCH DEFINITIONS