[RFC,ghak21,2/4] audit: link denied should not directly generate PATH record
diff mbox

Message ID f48d5d1f1e429e2dee817ae723f9a02a67ed1f3b.1518603831.git.rgb@redhat.com
State New
Headers show

Commit Message

Richard Guy Briggs Feb. 14, 2018, 4:18 p.m. UTC
Audit link denied events generate duplicate PATH records which disagree
in different ways from symlink and hardlink denials.
audit_log_link_denied() should not directly generate PATH records.

See: https://github.com/linux-audit/audit-kernel/issues/21
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 kernel/audit.c | 14 +-------------
 1 file changed, 1 insertion(+), 13 deletions(-)

Comments

Paul Moore March 9, 2018, 12:26 a.m. UTC | #1
On Wed, Feb 14, 2018 at 11:18 AM, Richard Guy Briggs <rgb@redhat.com> wrote:
> Audit link denied events generate duplicate PATH records which disagree
> in different ways from symlink and hardlink denials.
> audit_log_link_denied() should not directly generate PATH records.
>
> See: https://github.com/linux-audit/audit-kernel/issues/21
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> ---
>  kernel/audit.c | 14 +-------------
>  1 file changed, 1 insertion(+), 13 deletions(-)

Merged, thanks.

> diff --git a/kernel/audit.c b/kernel/audit.c
> index 4c3fd24..683b249 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -2259,31 +2259,19 @@ void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
>  void audit_log_link_denied(const char *operation, const struct path *link)
>  {
>         struct audit_buffer *ab;
> -       struct audit_names *name;
>
>         if (!audit_enabled || audit_dummy_context())
>                 return;
>
> -       name = kzalloc(sizeof(*name), GFP_NOFS);
> -       if (!name)
> -               return;
> -
>         /* Generate AUDIT_ANOM_LINK with subject, operation, outcome. */
>         ab = audit_log_start(current->audit_context, GFP_KERNEL,
>                              AUDIT_ANOM_LINK);
>         if (!ab)
> -               goto out;
> +               return;
>         audit_log_format(ab, "op=%s", operation);
>         audit_log_task_info(ab, current);
>         audit_log_format(ab, " res=0");
>         audit_log_end(ab);
> -
> -       /* Generate AUDIT_PATH record with object. */
> -       name->type = AUDIT_TYPE_NORMAL;
> -       audit_copy_inode(name, link->dentry, d_backing_inode(link->dentry));
> -       audit_log_name(current->audit_context, name, link, 0, NULL);
> -out:
> -       kfree(name);
>  }
>
>  /**
> --
> 1.8.3.1
>
Richard Guy Briggs March 12, 2018, 8:01 a.m. UTC | #2
On 2018-03-08 19:26, Paul Moore wrote:
> On Wed, Feb 14, 2018 at 11:18 AM, Richard Guy Briggs <rgb@redhat.com> wrote:
> > Audit link denied events generate duplicate PATH records which disagree
> > in different ways from symlink and hardlink denials.
> > audit_log_link_denied() should not directly generate PATH records.
> >
> > See: https://github.com/linux-audit/audit-kernel/issues/21
> > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> > ---
> >  kernel/audit.c | 14 +-------------
> >  1 file changed, 1 insertion(+), 13 deletions(-)
> 
> Merged, thanks.

Self-NACK.  Please un-merge this RFC v1 version and merge instead the v2
patch since it removes the now-unnecessary struct path * parameter from
audit_log_link_denied().

> > diff --git a/kernel/audit.c b/kernel/audit.c
> > index 4c3fd24..683b249 100644
> > --- a/kernel/audit.c
> > +++ b/kernel/audit.c
> > @@ -2259,31 +2259,19 @@ void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
> >  void audit_log_link_denied(const char *operation, const struct path *link)
> >  {
> >         struct audit_buffer *ab;
> > -       struct audit_names *name;
> >
> >         if (!audit_enabled || audit_dummy_context())
> >                 return;
> >
> > -       name = kzalloc(sizeof(*name), GFP_NOFS);
> > -       if (!name)
> > -               return;
> > -
> >         /* Generate AUDIT_ANOM_LINK with subject, operation, outcome. */
> >         ab = audit_log_start(current->audit_context, GFP_KERNEL,
> >                              AUDIT_ANOM_LINK);
> >         if (!ab)
> > -               goto out;
> > +               return;
> >         audit_log_format(ab, "op=%s", operation);
> >         audit_log_task_info(ab, current);
> >         audit_log_format(ab, " res=0");
> >         audit_log_end(ab);
> > -
> > -       /* Generate AUDIT_PATH record with object. */
> > -       name->type = AUDIT_TYPE_NORMAL;
> > -       audit_copy_inode(name, link->dentry, d_backing_inode(link->dentry));
> > -       audit_log_name(current->audit_context, name, link, 0, NULL);
> > -out:
> > -       kfree(name);
> >  }
> >
> >  /**
> > --
> > 1.8.3.1
> >
> 
> 
> 
> -- 
> paul moore
> www.paul-moore.com

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit

Patch
diff mbox

diff --git a/kernel/audit.c b/kernel/audit.c
index 4c3fd24..683b249 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -2259,31 +2259,19 @@  void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
 void audit_log_link_denied(const char *operation, const struct path *link)
 {
 	struct audit_buffer *ab;
-	struct audit_names *name;
 
 	if (!audit_enabled || audit_dummy_context())
 		return;
 
-	name = kzalloc(sizeof(*name), GFP_NOFS);
-	if (!name)
-		return;
-
 	/* Generate AUDIT_ANOM_LINK with subject, operation, outcome. */
 	ab = audit_log_start(current->audit_context, GFP_KERNEL,
 			     AUDIT_ANOM_LINK);
 	if (!ab)
-		goto out;
+		return;
 	audit_log_format(ab, "op=%s", operation);
 	audit_log_task_info(ab, current);
 	audit_log_format(ab, " res=0");
 	audit_log_end(ab);
-
-	/* Generate AUDIT_PATH record with object. */
-	name->type = AUDIT_TYPE_NORMAL;
-	audit_copy_inode(name, link->dentry, d_backing_inode(link->dentry));
-	audit_log_name(current->audit_context, name, link, 0, NULL);
-out:
-	kfree(name);
 }
 
 /**