| Message ID | 087489b21e50bcda65c6af3e038394d5bfe09e00.1553626080.git.rgb@redhat.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | [ghak109,V2] audit: link integrity evm_write_xattrs record to syscall event | expand |
Hi Richard, Paul, On Tue, 2019-03-26 at 14:49 -0400, Richard Guy Briggs wrote: > In commit fa516b66a1bf ("EVM: Allow runtime modification of the set of > verified xattrs"), the call to audit_log_start() is missing a context to > link it to an audit event. Since this event is in user context, add > the process' syscall context to the record. > > In addition, the orphaned keyword "locked" appears in the record. > Normalize this by changing it to logging the locking string "." as any > other user input in the "xattr=" field. > > Please see the github issue > https://github.com/linux-audit/audit-kernel/issues/109 > > Signed-off-by: Richard Guy Briggs <rgb@redhat.com> Acked-by: Mimi Zohar <zohar@linux.ibm.com> Paul, were you planning on upstreaming this patch? Mimi
On Tue, Mar 26, 2019 at 4:40 PM Mimi Zohar <zohar@linux.ibm.com> wrote: > > Hi Richard, Paul, > > On Tue, 2019-03-26 at 14:49 -0400, Richard Guy Briggs wrote: > > In commit fa516b66a1bf ("EVM: Allow runtime modification of the set of > > verified xattrs"), the call to audit_log_start() is missing a context to > > link it to an audit event. Since this event is in user context, add > > the process' syscall context to the record. > > > > In addition, the orphaned keyword "locked" appears in the record. > > Normalize this by changing it to logging the locking string "." as any > > other user input in the "xattr=" field. > > > > Please see the github issue > > https://github.com/linux-audit/audit-kernel/issues/109 > > > > Signed-off-by: Richard Guy Briggs <rgb@redhat.com> > > Acked-by: Mimi Zohar <zohar@linux.ibm.com> > > Paul, were you planning on upstreaming this patch? Yep, unless you would rather do it? If you pull it into the IMA tree, please add my ACK; otherwise let me know and I'll merge it into audit/next. Acked-by: Paul Moore <paul@paul-moore.com>
On Tue, 2019-03-26 at 19:58 -0400, Paul Moore wrote: > On Tue, Mar 26, 2019 at 4:40 PM Mimi Zohar <zohar@linux.ibm.com> wrote: > > > > Hi Richard, Paul, > > > > On Tue, 2019-03-26 at 14:49 -0400, Richard Guy Briggs wrote: > > > In commit fa516b66a1bf ("EVM: Allow runtime modification of the set of > > > verified xattrs"), the call to audit_log_start() is missing a context to > > > link it to an audit event. Since this event is in user context, add > > > the process' syscall context to the record. > > > > > > In addition, the orphaned keyword "locked" appears in the record. > > > Normalize this by changing it to logging the locking string "." as any > > > other user input in the "xattr=" field. > > > > > > Please see the github issue > > > https://github.com/linux-audit/audit-kernel/issues/109 > > > > > > Signed-off-by: Richard Guy Briggs <rgb@redhat.com> > > > > Acked-by: Mimi Zohar <zohar@linux.ibm.com> > > > > Paul, were you planning on upstreaming this patch? > > Yep, unless you would rather do it? No, that's fine. Thanks! Mimi
On Wed, Mar 27, 2019 at 11:05 AM Mimi Zohar <zohar@linux.ibm.com> wrote: > On Tue, 2019-03-26 at 19:58 -0400, Paul Moore wrote: > > On Tue, Mar 26, 2019 at 4:40 PM Mimi Zohar <zohar@linux.ibm.com> wrote: > > > > > > Hi Richard, Paul, > > > > > > On Tue, 2019-03-26 at 14:49 -0400, Richard Guy Briggs wrote: > > > > In commit fa516b66a1bf ("EVM: Allow runtime modification of the set of > > > > verified xattrs"), the call to audit_log_start() is missing a context to > > > > link it to an audit event. Since this event is in user context, add > > > > the process' syscall context to the record. > > > > > > > > In addition, the orphaned keyword "locked" appears in the record. > > > > Normalize this by changing it to logging the locking string "." as any > > > > other user input in the "xattr=" field. > > > > > > > > Please see the github issue > > > > https://github.com/linux-audit/audit-kernel/issues/109 > > > > > > > > Signed-off-by: Richard Guy Briggs <rgb@redhat.com> > > > > > > Acked-by: Mimi Zohar <zohar@linux.ibm.com> > > > > > > Paul, were you planning on upstreaming this patch? > > > > Yep, unless you would rather do it? > > No, that's fine. Thanks! Merged into audit/next, thanks all.
diff --git a/security/integrity/evm/evm_secfs.c b/security/integrity/evm/evm_secfs.c index 015aea8fdf1e..3f7cbb238923 100644 --- a/security/integrity/evm/evm_secfs.c +++ b/security/integrity/evm/evm_secfs.c @@ -192,7 +192,8 @@ static ssize_t evm_write_xattrs(struct file *file, const char __user *buf, if (count > XATTR_NAME_MAX) return -E2BIG; - ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_INTEGRITY_EVM_XATTR); + ab = audit_log_start(audit_context(), GFP_KERNEL, + AUDIT_INTEGRITY_EVM_XATTR); if (!ab) return -ENOMEM; @@ -214,6 +215,9 @@ static ssize_t evm_write_xattrs(struct file *file, const char __user *buf, if (len && xattr->name[len-1] == '\n') xattr->name[len-1] = '\0'; + audit_log_format(ab, "xattr="); + audit_log_untrustedstring(ab, xattr->name); + if (strcmp(xattr->name, ".") == 0) { evm_xattrs_locked = 1; newattrs.ia_mode = S_IFREG | 0440; @@ -222,15 +226,11 @@ static ssize_t evm_write_xattrs(struct file *file, const char __user *buf, inode_lock(inode); err = simple_setattr(evm_xattrs, &newattrs); inode_unlock(inode); - audit_log_format(ab, "locked"); if (!err) err = count; goto out; } - audit_log_format(ab, "xattr="); - audit_log_untrustedstring(ab, xattr->name); - if (strncmp(xattr->name, XATTR_SECURITY_PREFIX, XATTR_SECURITY_PREFIX_LEN) != 0) { err = -EINVAL;
In commit fa516b66a1bf ("EVM: Allow runtime modification of the set of verified xattrs"), the call to audit_log_start() is missing a context to link it to an audit event. Since this event is in user context, add the process' syscall context to the record. In addition, the orphaned keyword "locked" appears in the record. Normalize this by changing it to logging the locking string "." as any other user input in the "xattr=" field. Please see the github issue https://github.com/linux-audit/audit-kernel/issues/109 Signed-off-by: Richard Guy Briggs <rgb@redhat.com> --- Changelog: v2 - switch from "(locked)" to printing the "." verbatim, untrusted. security/integrity/evm/evm_secfs.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-)