
audit: backport from upstream v5.13-rc1 to v5.16-rc6

Backport selected trivial fixes, cleanups, and enhancements from upstream from
kernel version 5.13-rc1 up to kernel version 5.16-rc6. This will help make
Audit functionality more stable, bring useful enhancements/fixes into RHEL-8.6,
and ease future backports.

List of upstream commits (in apply order):

audit-pr-20210830 covered by audit-pr-20211019

audit-pr-20211019 on v5.14-rc1 for v5.15-rc7/1
d97e99386ad0 [bugfix] audit: add header protection to kernel/audit.h
6e3ee990c904 [bugfix] (tag: audit/stable-5.15) audit: fix possible null-pointer dereference in audit_filter_rules

selinux-pr-20211101 on v5.15 for v5.16-rc1 consult Jeff Moyer jmoyer@redhat.com and Ondrej Mosnacek omosnace@redhat.com
cdab10bf3285 Merge tag 'selinux-pr-20211101' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux
12c5e81d3fd0 [cleanup] {paul@paul-moore.com} audit: prepare audit_context for use in calling contexts beyond syscalls
5bd2182d58e9 [feature] {paul@paul-moore.com} audit,io_uring,io-wq: add some basic audit support to io_uring
67daf270cebc [feature] {paul@paul-moore.com} audit: add filtering for io_uring records

audit-pr-20211101 on v5.15-rc1 for v5.16-rc1
57d4374be94a [bugfix] audit: rename struct node to struct audit_node to prevent future name collisions
d680c6b49c5e [cleanup] audit: Convert to SPDX identifier
8e71168e2cc7 [bugfix] lsm_audit: avoid overloading the "key" audit field
42f355ef59a2 [cleanup] audit: replace magic audit syscall class numbers with macros
1c30e3af8a79 [feature] audit: add support for the openat2 syscall
571e5c0efcb2 [feature] audit: add OPENAT2 record to list "how" info
d9516f346e8b [bugfix] audit: return early if the filter rule has a lower priority

fsnotify: on 5.14-rc4 for 5.15-rc1, consult Miklos Szeredi mszeredi@redhat.com
3513431926f9 Merge tag 'fsnotify_for_v5.15-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs
2021-08-11 e43de7f0862b [cleanup] {amir73il@gmail.com} fsnotify: optimize the case of no marks of any type
2021-08-11 ec44610fe2b8 [cleanup] {amir73il@gmail.com} fsnotify: count all objects with attached connectors
2021-08-11 11fa333b58ba [cleanup] {amir73il@gmail.com} fsnotify: count s_fsnotify_inode_refs for attached connectors
2021-08-11 09ddbe69c992 [cleanup] {amir73il@gmail.com} fsnotify: replace igrab() with ihold() on attach connector

fsnotify: on 5.14 for v5.15-rc1 fixes: ec44610fe2b8 ("fsnotify: count all objects with attached connectors")
2022-01-18 [bugfix] 14d0c9e2 {amir73il@gmail.com} fsnotify: fix sb_connectors leak

fsnotify: on 5.15-rc5 for 5.16-rc1, consult Miklos Szeredi mszeredi@redhat.com
2acda7549e70 Merge tag 'fsnotify_for_v5.16-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs
2021-10-25 [bugfix] 9baf93d68bcc {amir73il@gmail.com} fsnotify: pass data_type to fsnotify_name()
2021-10-25 [bugfix] fd5a3ff49a19 {amir73il@gmail.com} fsnotify: pass dentry instead of inode data
2021-10-25 [bugfix] dabe729dddca {amir73il@gmail.com} fsnotify: clarify contract for create event hooks

dm: on 5.15-rc5 for 5.16-rc1 audit logging feature enhancement, consult Mike Snitzer snitzer@redhat.com
dropped, already present in mr 291
c183e1707aba Merge tag 'for-5.16/dm-changes' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm
2021-09-04 [feature] 2cc1ae487828 {michael.weiss@aisec.fraunhofer.de} dm: introduce audit event module for device mapper
2021-09-04 [feature] 82bb85998cc9 {michael.weiss@aisec.fraunhofer.de} dm integrity: log audit events for dm-integrity target
2021-09-04 [feature] 58d0f180bd91 {michael.weiss@aisec.fraunhofer.de} dm crypt: log aead integrity violations to audit subsystem

audit-pr-20211216 on v5.15-rc1 for v5.16-rc6
f4b3ee3c8555 [bugfix] (tag: audit/stable-5.16) audit: improve robustness of the audit queue handling

audit-pr-20220110 on v5.16-rc1 for v5.17-rc1
bc6e60a4fc1d [cleanup] audit: use struct_size() helper in kmalloc()
8f110f530635 [bugfix] audit: ensure userspace is penalized the same as the kernel when under pressure
30561b51cc8d [cleanup] audit: use struct_size() helper in audit_[send|make]_reply()
ed98ea2128b6 [cleanup] (audit/next) audit: replace zero-length array with flexible-array member

audit-pr-20220131 in v5.17-rc3
f26d04331360 [bugfix] ("audit: improve audit queue handling when "audit=1" on cmdline")
Fixes: 5b52330b ("audit: fix auditd/kernel connection state tracking")
Fixes: f4b3ee3c85551 ("audit: improve robustness of the audit queue handling")

audit-pr-20220209 in v5.17-rc4
7a82f89de92a [bugfix] ("audit: don't deref the syscall args when checking the openat2 open_how::flags")
Fixes: 1c30e3af8a79 ("audit: add support for the openat2 syscall")

audit-pr-20220321 on v5.17-rc1 in v5.18-rc1
272ceeaea355 [bugfix] ("audit: log AUDIT_TIME_* records only from rules")
Fixes: 7e8eda73 ("ntp: Audit NTP parameters adjustment")
Fixes: 2d87a067 ("timekeeping: Audit clock adjustments")

audit-pr-20220616 stable-5.19 on v5.19-rc2 for v5.19-rc3? git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git
ef79c396c664 ("audit: free module name")
Fixes: 12c5e81d3fd0 ("audit: prepare audit_context for use in calling contexts beyond syscalls")

patchset changelog:

v2
  • add 4 patches fsnotify dependencies
  • remove 3 patches dm audit/integrity/crypt
  • update upstream status on last 5

v3
  • add queue handling bugfix from v5.17-rc3
  • add openat2 syscall arg deref bugfix from v5.17-rc4

v4
  • correct bz ref in patches 13-15

v5
  • backport AUDIT_TIME_* logging fix

v6
  • backport audit kern module memleak fix

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2035124
Signed-off-by: Richard Guy Briggs rgb@redhat.com

6b527e0b (Richard Guy Briggs)
audit: log AUDIT_TIME_* records only from rules

14ab2f0c (Richard Guy Briggs)
audit: don't deref the syscall args when checking the openat2 open_how::flags

f359f51d (Richard Guy Briggs)
audit: improve audit queue handling when "audit=1" on cmdline

61d757c1 (Richard Guy Briggs)
audit: replace zero-length array with flexible-array member

34590e28 (Richard Guy Briggs)
audit: use struct_size() helper in audit_[send|make]_reply()

77f9c131 (Richard Guy Briggs)
audit: ensure userspace is penalized the same as the kernel when under pressure

cf719269 (Richard Guy Briggs)
audit: use struct_size() helper in kmalloc()

35ee3e96 (Richard Guy Briggs)
audit: improve robustness of the audit queue handling

63b29b28 (Richard Guy Briggs)
fsnotify: clarify contract for create event hooks

aeaa6ac4 (Richard Guy Briggs)
fsnotify: pass dentry instead of inode data

e8ed7f37 (Richard Guy Briggs)
fsnotify: pass data_type to fsnotify_name()

14d0c9e2 (Richard Guy Briggs)
fsnotify: fix sb_connectors leak

dd9b5a0e (Richard Guy Briggs)
fsnotify: optimize the case of no marks of any type

479eb993 (Richard Guy Briggs)
fsnotify: count all objects with attached connectors

33fcd29f (Richard Guy Briggs)
fsnotify: count s_fsnotify_inode_refs for attached connectors

3bae03d8 (Richard Guy Briggs)
fsnotify: replace igrab() with ihold() on attach connector

d0c6b8b1 (Richard Guy Briggs)
audit: return early if the filter rule has a lower priority

886687e3 (Richard Guy Briggs)
audit: add OPENAT2 record to list "how" info

7ed95623 (Richard Guy Briggs)
audit: add support for the openat2 syscall

6313e79a (Richard Guy Briggs)
audit: replace magic audit syscall class numbers with macros

d33c9bd0 (Richard Guy Briggs)
lsm_audit: avoid overloading the "key" audit field

57a5a9ea (Richard Guy Briggs)
audit: Convert to SPDX identifier

22e69213 (Richard Guy Briggs)
audit: rename struct node to struct audit_node to prevent future name collisions

cdcbacc4 (Richard Guy Briggs)
audit: add filtering for io_uring records

d10f41ef (Richard Guy Briggs)
audit,io_uring,io-wq: add some basic audit support to io_uring

143f5b34 (Richard Guy Briggs)
audit: prepare audit_context for use in calling contexts beyond syscalls

ae5e1b66 (Richard Guy Briggs)
audit: fix possible null-pointer dereference in audit_filter_rules

bef2df24 (Richard Guy Briggs)
audit: add header protection to kernel/audit.h

MAINTAINERS | 1 +
arch/alpha/kernel/audit.c | 10 +-
arch/ia64/kernel/audit.c | 10 +-
arch/parisc/kernel/audit.c | 10 +-
arch/parisc/kernel/compat_audit.c | 11 +-
arch/powerpc/kernel/audit.c | 12 +-
arch/powerpc/kernel/compat_audit.c | 13 +-
arch/s390/kernel/audit.c | 12 +-
arch/s390/kernel/compat_audit.c | 13 +-
arch/sparc/kernel/audit.c | 12 +-
arch/sparc/kernel/compat_audit.c | 13 +-
arch/x86/ia32/audit.c | 13 +-
arch/x86/kernel/audit_64.c | 10 +-
drivers/md/Kconfig | 10 +
drivers/md/Makefile | 4 +
drivers/md/dm-audit.c | 84 ++++++
drivers/md/dm-audit.h | 66 +++++
drivers/md/dm-crypt.c | 22 +-
drivers/md/dm-integrity.c | 25 +-
fs/io-wq.c | 4 +
fs/io_uring.c | 55 +++-
fs/open.c | 2 +
include/linux/audit.h | 37 +++
include/linux/audit_arch.h | 24 ++
include/linux/fsnotify.h | 52 ++--
include/linux/fsnotify_backend.h | 16 ++
include/uapi/linux/audit.h | 9 +-
kernel/audit.c | 43 ++-
kernel/audit.h | 14 +-
kernel/audit_fsnotify.c | 3 +-
kernel/audit_tree.c | 25 +-
kernel/audit_watch.c | 6 +-
kernel/auditfilter.c | 19 +-
kernel/auditsc.c | 519 ++++++++++++++++++++++++++++---------
lib/audit.c | 14 +-
lib/compat_audit.c | 15 +-
security/lsm_audit.c | 2 +-
37 files changed, 954 insertions(+), 256 deletions(-)

Edited by Richard Guy Briggs
