Discussion:
[PATCH ghak21 V4 2/2] audit: add refused symlink to audit_names
Richard Guy Briggs
2018-03-21 08:42:21 UTC
Permalink
Audit link denied events for symlinks had duplicate PATH records rather
than just updating the existing PATH record. Update the symlink's PATH
record with the current dentry and inode information.

See: https://github.com/linux-audit/audit-kernel/issues/21
Signed-off-by: Richard Guy Briggs <***@redhat.com>
---
fs/namei.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/fs/namei.c b/fs/namei.c
index e3682bb..5f8e8e2 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -945,6 +945,7 @@ static inline int may_follow_link(struct nameidata *nd)
if (nd->flags & LOOKUP_RCU)
return -ECHILD;

+ audit_inode(nd->name, nd->stack[0].link.dentry, 0);
audit_log_link_denied("follow_link");
return -EACCES;
}
--
1.8.3.1
Richard Guy Briggs
2018-03-21 08:42:20 UTC
Permalink
In commit 45b578fe4c3cade6f4ca1fc934ce199afd857edc
("audit: link denied should not directly generate PATH record")
the need for the struct path *link parameter was removed.
Remove the now useless struct path argument.

Signed-off-by: Richard Guy Briggs <***@redhat.com>
---
fs/namei.c | 4 ++--
include/linux/audit.h | 6 ++----
kernel/audit.c | 3 +--
3 files changed, 5 insertions(+), 8 deletions(-)

diff --git a/fs/namei.c b/fs/namei.c
index 9cc91fb..e3682bb 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -945,7 +945,7 @@ static inline int may_follow_link(struct nameidata *nd)
if (nd->flags & LOOKUP_RCU)
return -ECHILD;

- audit_log_link_denied("follow_link", &nd->stack[0].link);
+ audit_log_link_denied("follow_link");
return -EACCES;
}

@@ -1011,7 +1011,7 @@ static int may_linkat(struct path *link)
if (safe_hardlink_source(inode) || inode_owner_or_capable(inode))
return 0;

- audit_log_link_denied("linkat", link);
+ audit_log_link_denied("linkat");
return -EPERM;
}

diff --git a/include/linux/audit.h b/include/linux/audit.h
index af410d9..75d5b03 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -146,8 +146,7 @@ extern void audit_log_d_path(struct audit_buffer *ab,
const struct path *path);
extern void audit_log_key(struct audit_buffer *ab,
char *key);
-extern void audit_log_link_denied(const char *operation,
- const struct path *link);
+extern void audit_log_link_denied(const char *operation);
extern void audit_log_lost(const char *message);

extern int audit_log_task_context(struct audit_buffer *ab);
@@ -194,8 +193,7 @@ static inline void audit_log_d_path(struct audit_buffer *ab,
{ }
static inline void audit_log_key(struct audit_buffer *ab, char *key)
{ }
-static inline void audit_log_link_denied(const char *string,
- const struct path *link)
+static inline void audit_log_link_denied(const char *string)
{ }
static inline int audit_log_task_context(struct audit_buffer *ab)
{
diff --git a/kernel/audit.c b/kernel/audit.c
index 3f2f143..e8bf8d7 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -2308,9 +2308,8 @@ void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
/**
* audit_log_link_denied - report a link restriction denial
* @operation: specific link operation
- * @link: the path that triggered the restriction
*/
-void audit_log_link_denied(const char *operation, const struct path *link)
+void audit_log_link_denied(const char *operation)
{
struct audit_buffer *ab;
--
1.8.3.1
Paul Moore
2018-03-21 15:21:46 UTC
Permalink
Post by Richard Guy Briggs
In commit 45b578fe4c3cade6f4ca1fc934ce199afd857edc
("audit: link denied should not directly generate PATH record")
the need for the struct path *link parameter was removed.
Remove the now useless struct path argument.
---
fs/namei.c | 4 ++--
include/linux/audit.h | 6 ++----
kernel/audit.c | 3 +--
3 files changed, 5 insertions(+), 8 deletions(-)
Fourth times the charm ... merged.
Post by Richard Guy Briggs
diff --git a/fs/namei.c b/fs/namei.c
index 9cc91fb..e3682bb 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -945,7 +945,7 @@ static inline int may_follow_link(struct nameidata *nd)
if (nd->flags & LOOKUP_RCU)
return -ECHILD;
- audit_log_link_denied("follow_link", &nd->stack[0].link);
+ audit_log_link_denied("follow_link");
return -EACCES;
}
@@ -1011,7 +1011,7 @@ static int may_linkat(struct path *link)
if (safe_hardlink_source(inode) || inode_owner_or_capable(inode))
return 0;
- audit_log_link_denied("linkat", link);
+ audit_log_link_denied("linkat");
return -EPERM;
}
diff --git a/include/linux/audit.h b/include/linux/audit.h
index af410d9..75d5b03 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -146,8 +146,7 @@ extern void audit_log_d_path(struct audit_buffer *ab,
const struct path *path);
extern void audit_log_key(struct audit_buffer *ab,
char *key);
-extern void audit_log_link_denied(const char *operation,
- const struct path *link);
+extern void audit_log_link_denied(const char *operation);
extern void audit_log_lost(const char *message);
extern int audit_log_task_context(struct audit_buffer *ab);
@@ -194,8 +193,7 @@ static inline void audit_log_d_path(struct audit_buffer *ab,
{ }
static inline void audit_log_key(struct audit_buffer *ab, char *key)
{ }
-static inline void audit_log_link_denied(const char *string,
- const struct path *link)
+static inline void audit_log_link_denied(const char *string)
{ }
static inline int audit_log_task_context(struct audit_buffer *ab)
{
diff --git a/kernel/audit.c b/kernel/audit.c
index 3f2f143..e8bf8d7 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -2308,9 +2308,8 @@ void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
/**
* audit_log_link_denied - report a link restriction denial
*/
-void audit_log_link_denied(const char *operation, const struct path *link)
+void audit_log_link_denied(const char *operation)
{
struct audit_buffer *ab;
--
1.8.3.1
--
paul moore
www.paul-moore.com
Kees Cook
2018-04-16 17:55:13 UTC
Permalink
Post by Richard Guy Briggs
In commit 45b578fe4c3cade6f4ca1fc934ce199afd857edc
("audit: link denied should not directly generate PATH record")
the need for the struct path *link parameter was removed.
Remove the now useless struct path argument.
---
fs/namei.c | 4 ++--
include/linux/audit.h | 6 ++----
kernel/audit.c | 3 +--
3 files changed, 5 insertions(+), 8 deletions(-)
diff --git a/fs/namei.c b/fs/namei.c
index 9cc91fb..e3682bb 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -945,7 +945,7 @@ static inline int may_follow_link(struct nameidata *nd)
if (nd->flags & LOOKUP_RCU)
return -ECHILD;
- audit_log_link_denied("follow_link", &nd->stack[0].link);
+ audit_log_link_denied("follow_link");
return -EACCES;
}
@@ -1011,7 +1011,7 @@ static int may_linkat(struct path *link)
if (safe_hardlink_source(inode) || inode_owner_or_capable(inode))
return 0;
- audit_log_link_denied("linkat", link);
+ audit_log_link_denied("linkat");
return -EPERM;
}
This removed the "link" details in both cases, and then commit
ea841bafda3f ("audit: add refused symlink to audit_names") added back
Post by Richard Guy Briggs
diff --git a/fs/namei.c b/fs/namei.c
index e3682bb72cb5..5f8e8e2732e1 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -945,6 +945,7 @@ static inline int may_follow_link(struct nameidata *nd)
if (nd->flags & LOOKUP_RCU)
return -ECHILD;
+ audit_inode(nd->name, nd->stack[0].link.dentry, 0);
audit_log_link_denied("follow_link");
return -EACCES;
}
Why remove it in the first place, and why add it back open-coded in
only one place?

-Kees
--
Kees Cook
Pixel Security
Richard Guy Briggs
2018-04-16 17:55:04 UTC
Permalink
Post by Kees Cook
Post by Richard Guy Briggs
In commit 45b578fe4c3cade6f4ca1fc934ce199afd857edc
("audit: link denied should not directly generate PATH record")
the need for the struct path *link parameter was removed.
Remove the now useless struct path argument.
---
fs/namei.c | 4 ++--
include/linux/audit.h | 6 ++----
kernel/audit.c | 3 +--
3 files changed, 5 insertions(+), 8 deletions(-)
diff --git a/fs/namei.c b/fs/namei.c
index 9cc91fb..e3682bb 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -945,7 +945,7 @@ static inline int may_follow_link(struct nameidata *nd)
if (nd->flags & LOOKUP_RCU)
return -ECHILD;
- audit_log_link_denied("follow_link", &nd->stack[0].link);
+ audit_log_link_denied("follow_link");
return -EACCES;
}
@@ -1011,7 +1011,7 @@ static int may_linkat(struct path *link)
if (safe_hardlink_source(inode) || inode_owner_or_capable(inode))
return 0;
- audit_log_link_denied("linkat", link);
+ audit_log_link_denied("linkat");
return -EPERM;
}
This removed the "link" details in both cases, and then commit
ea841bafda3f ("audit: add refused symlink to audit_names") added back
Post by Richard Guy Briggs
diff --git a/fs/namei.c b/fs/namei.c
index e3682bb72cb5..5f8e8e2732e1 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -945,6 +945,7 @@ static inline int may_follow_link(struct nameidata *nd)
if (nd->flags & LOOKUP_RCU)
return -ECHILD;
+ audit_inode(nd->name, nd->stack[0].link.dentry, 0);
audit_log_link_denied("follow_link");
return -EACCES;
}
Why remove it in the first place, and why add it back open-coded in
only one place?
In both cases, the extra PATH record didn't make sense with the SYSCALL
record "items=" field and conflicted with another PATH record's "item="
field.

All the necessary details were already available in the hardlink case
via two PATH records associated with the SYSCALL record.

There were two conflicting PATH records in the symlink case, one of them
incomplete, so it made more sense to make the existing one complete.
Post by Kees Cook
-Kees
- RGB

--
Richard Guy Briggs <***@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

Paul Moore
2018-03-21 15:49:02 UTC
Permalink
Post by Richard Guy Briggs
Audit link denied events for symlinks had duplicate PATH records rather
than just updating the existing PATH record. Update the symlink's PATH
record with the current dentry and inode information.
See: https://github.com/linux-audit/audit-kernel/issues/21
---
fs/namei.c | 1 +
1 file changed, 1 insertion(+)
Merged. Thanks for the audit log examples.
Post by Richard Guy Briggs
diff --git a/fs/namei.c b/fs/namei.c
index e3682bb..5f8e8e2 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -945,6 +945,7 @@ static inline int may_follow_link(struct nameidata *nd)
if (nd->flags & LOOKUP_RCU)
return -ECHILD;
+ audit_inode(nd->name, nd->stack[0].link.dentry, 0);
audit_log_link_denied("follow_link");
return -EACCES;
}
--
1.8.3.1
--
paul moore
www.paul-moore.com
Loading...