Re: [PATCH ghak21 V2 2/4] audit: link denied should not directly generate PATH record
On 2018-03-13 02:22, kbuild test robot wrote: > Hi Richard, > > Thank you for the patch! Yet something to improve: > > [auto build test ERROR on linus/master] > [also build test ERROR on v4.16-rc5 next-20180309] > [if your patch is applied to the wrong git tree, please drop us a note to > help improve the system] My fault. It was applied to a stale tree: git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git A self-NACKed patch wasn't removed from the upstream tree as hoped. A new patch is already in the works. > url: > https://github.com/0day-ci/linux/commits/Richard-Guy-Briggs/audit-address-ANOM_LINK-excess-records/20180313-015527 > Note: the > linux-review/Richard-Guy-Briggs/audit-address-ANOM_LINK-excess-records/20180313-015527 > HEAD 12e8c56bcd359f7d20d4ae011674d37bc832bc4c builds fine. > It only hurts bisectibility. - RGB -- Richard Guy Briggs Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635 -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: [PATCH ghak21 V2 2/4] audit: link denied should not directly generate PATH record
Hi Richard, Thank you for the patch! Yet something to improve: [auto build test ERROR on linus/master] [also build test ERROR on v4.16-rc5 next-20180309] [if your patch is applied to the wrong git tree, please drop us a note to help improve the system] url: https://github.com/0day-ci/linux/commits/Richard-Guy-Briggs/audit-address-ANOM_LINK-excess-records/20180313-015527 config: i386-tinyconfig (attached as .config) compiler: gcc-7 (Debian 7.3.0-1) 7.3.0 reproduce: # save the attached .config to linux build tree make ARCH=i386 Note: the linux-review/Richard-Guy-Briggs/audit-address-ANOM_LINK-excess-records/20180313-015527 HEAD 12e8c56bcd359f7d20d4ae011674d37bc832bc4c builds fine. It only hurts bisectibility. All errors (new ones prefixed by >>): fs/namei.c: In function 'may_follow_link': >> fs/namei.c:929:2: error: too many arguments to function >> 'audit_log_link_denied' audit_log_link_denied("follow_link", &nd->stack[0].link); ^ In file included from include/linux/fsnotify.h:16:0, from fs/namei.c:25: include/linux/audit.h:196:20: note: declared here static inline void audit_log_link_denied(const char *string) ^ vim +/audit_log_link_denied +929 fs/namei.c 800179c9b Kees Cook 2012-07-25 886 800179c9b Kees Cook 2012-07-25 887 /** 800179c9b Kees Cook 2012-07-25 888 * may_follow_link - Check symlink following for unsafe situations 55852635a Randy Dunlap 2012-08-18 889 * @nd: nameidata pathwalk data 800179c9b Kees Cook 2012-07-25 890 * 800179c9b Kees Cook 2012-07-25 891 * In the case of the sysctl_protected_symlinks sysctl being enabled, 800179c9b Kees Cook 2012-07-25 892 * CAP_DAC_OVERRIDE needs to be specifically ignored if the symlink is 800179c9b Kees Cook 2012-07-25 893 * in a sticky world-writable directory. This is to protect privileged 800179c9b Kees Cook 2012-07-25 894 * processes from failing races against path names that may change out 800179c9b Kees Cook 2012-07-25 895 * from under them by way of other users creating malicious symlinks. 800179c9b Kees Cook 2012-07-25 896 * It will permit symlinks to be followed only when outside a sticky 800179c9b Kees Cook 2012-07-25 897 * world-writable directory, or when the uid of the symlink and follower 800179c9b Kees Cook 2012-07-25 898 * match, or when the directory owner matches the symlink's owner. 800179c9b Kees Cook 2012-07-25 899 * 800179c9b Kees Cook 2012-07-25 900 * Returns 0 if following the symlink is allowed, -ve on error. 800179c9b Kees Cook 2012-07-25 901 */ fec2fa24e Al Viro 2015-05-06 902 static inline int may_follow_link(struct nameidata *nd) 800179c9b Kees Cook 2012-07-25 903 { 800179c9b Kees Cook 2012-07-25 904 const struct inode *inode; 800179c9b Kees Cook 2012-07-25 905 const struct inode *parent; 2d7f9e2ad Seth Forshee 2016-04-26 906 kuid_t puid; 800179c9b Kees Cook 2012-07-25 907 800179c9b Kees Cook 2012-07-25 908 if (!sysctl_protected_symlinks) 800179c9b Kees Cook 2012-07-25 909 return 0; 800179c9b Kees Cook 2012-07-25 910 800179c9b Kees Cook 2012-07-25 911 /* Allowed if owner and follower match. */ fceef393a Al Viro 2015-12-29 912 inode = nd->link_inode; 81abe27b1 Eric W. Biederman 2012-08-03 913 if (uid_eq(current_cred()->fsuid, inode->i_uid)) 800179c9b Kees Cook 2012-07-25 914 return 0; 800179c9b Kees Cook 2012-07-25 915 800179c9b Kees Cook 2012-07-25 916 /* Allowed if parent directory not sticky and world-writable. */ aa65fa35b Al Viro 2015-08-04 917 parent = nd->inode; 800179c9b Kees Cook 2012-07-25 918 if ((parent->i_mode & (S_ISVTX|S_IWOTH)) != (S_ISVTX|S_IWOTH)) 800179c9b Kees Cook 2012-07-25 919 return 0; 800179c9b Kees Cook 2012-07-25 920 800179c9b Kees Cook 2012-07-25 921 /* Allowed if parent directory and link owner match. */ 2d7f9e2ad Seth Forshee 2016-04-26 922 puid = parent->i_uid; 2d7f9e2ad Seth Forshee 2016-04-26 923 if (uid_valid(puid) && uid_eq(puid, inode->i_uid)) 800179c9b Kees Cook 2012-07-25 924 return 0; 800179c9b Kees Cook 2012-07-25 925 31956502d Al Viro 2015-05-07 926 if (nd->flags & LOOKUP_RCU) 31956502d Al Viro 2015-05-07 927 return -ECHILD; 31956502d Al Viro 2015-05-07 928 1cf2665b5 Al Viro 2015-05-06 @929 audit_log_link_denied("follow_link", &nd->stack[0].link); 800179c9b Kees Cook 2012-07-25 930 return -EACCES; 800179c9b Kees Cook 2012-07-25 931 } 800179c9b Kees Cook 2012
Re: [PATCH ghak21 V2 2/4] audit: link denied should not directly generate PATH record
On Mon, Mar 12, 2018 at 11:30 AM, Richard Guy Briggs wrote: > On 2018-03-12 11:05, Paul Moore wrote: >> On Mon, Mar 12, 2018 at 2:31 AM, Richard Guy Briggs wrote: >> > Audit link denied events generate duplicate PATH records which disagree >> > in different ways from symlink and hardlink denials. >> > audit_log_link_denied() should not directly generate PATH records. >> > While we're at it, remove the now useless struct path argument. >> > >> > See: https://github.com/linux-audit/audit-kernel/issues/21 >> > Signed-off-by: Richard Guy Briggs >> > --- >> > fs/namei.c| 2 +- >> > include/linux/audit.h | 6 ++ >> > kernel/audit.c| 17 ++--- >> > 3 files changed, 5 insertions(+), 20 deletions(-) >> >> I have no objection to the v2 change of removing the link parameter, >> but this patch can not be merged as-is because the v1 patch has >> already been merged into audit/next (as stated on the mailing list). > > Yes, I self-NACKed that patch. > > https://www.redhat.com/archives/linux-audit/2018-March/msg00070.html > > Is it not possible to drop it, or would you have to do a revert to avoid > a rebase? Yes, it is possible to drop a patch from the audit/next patch stack, but dropping patches is considered *very* bad form and not something I want to do without a Very Good Reason. While the v2 patch is the "right" patch, the v1 patch is not dangerous, so I would rather you just build on top of what is currently in audit/next. -- paul moore www.paul-moore.com -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: [PATCH ghak21 V2 2/4] audit: link denied should not directly generate PATH record
On 2018-03-12 11:05, Paul Moore wrote: > On Mon, Mar 12, 2018 at 2:31 AM, Richard Guy Briggs wrote: > > Audit link denied events generate duplicate PATH records which disagree > > in different ways from symlink and hardlink denials. > > audit_log_link_denied() should not directly generate PATH records. > > While we're at it, remove the now useless struct path argument. > > > > See: https://github.com/linux-audit/audit-kernel/issues/21 > > Signed-off-by: Richard Guy Briggs > > --- > > fs/namei.c| 2 +- > > include/linux/audit.h | 6 ++ > > kernel/audit.c| 17 ++--- > > 3 files changed, 5 insertions(+), 20 deletions(-) > > I have no objection to the v2 change of removing the link parameter, > but this patch can not be merged as-is because the v1 patch has > already been merged into audit/next (as stated on the mailing list). Yes, I self-NACKed that patch. https://www.redhat.com/archives/linux-audit/2018-March/msg00070.html Is it not possible to drop it, or would you have to do a revert to avoid a rebase? > You need to respin this patch against audit/next and redo the > subject/description to indicate that you are just removing the unused > link parameter in this updated patch. So the way I had it in my devel tree rather than squashing it... > > diff --git a/fs/namei.c b/fs/namei.c > > index 9cc91fb..50d2533 100644 > > --- a/fs/namei.c > > +++ b/fs/namei.c > > @@ -1011,7 +1011,7 @@ static int may_linkat(struct path *link) > > if (safe_hardlink_source(inode) || inode_owner_or_capable(inode)) > > return 0; > > > > - audit_log_link_denied("linkat", link); > > + audit_log_link_denied("linkat"); > > return -EPERM; > > } > > > > diff --git a/include/linux/audit.h b/include/linux/audit.h > > index af410d9..75d5b03 100644 > > --- a/include/linux/audit.h > > +++ b/include/linux/audit.h > > @@ -146,8 +146,7 @@ extern void audit_log_d_path(struct > > audit_buffer *ab, > > const struct path *path); > > extern voidaudit_log_key(struct audit_buffer *ab, > > char *key); > > -extern voidaudit_log_link_denied(const char *operation, > > - const struct path *link); > > +extern voidaudit_log_link_denied(const char *operation); > > extern voidaudit_log_lost(const char *message); > > > > extern int audit_log_task_context(struct audit_buffer *ab); > > @@ -194,8 +193,7 @@ static inline void audit_log_d_path(struct audit_buffer > > *ab, > > { } > > static inline void audit_log_key(struct audit_buffer *ab, char *key) > > { } > > -static inline void audit_log_link_denied(const char *string, > > -const struct path *link) > > +static inline void audit_log_link_denied(const char *string) > > { } > > static inline int audit_log_task_context(struct audit_buffer *ab) > > { > > diff --git a/kernel/audit.c b/kernel/audit.c > > index 7026d69..e54deaf 100644 > > --- a/kernel/audit.c > > +++ b/kernel/audit.c > > @@ -2301,36 +2301,23 @@ void audit_log_task_info(struct audit_buffer *ab, > > struct task_struct *tsk) > > /** > > * audit_log_link_denied - report a link restriction denial > > * @operation: specific link operation > > - * @link: the path that triggered the restriction > > */ > > -void audit_log_link_denied(const char *operation, const struct path *link) > > +void audit_log_link_denied(const char *operation) > > { > > struct audit_buffer *ab; > > - struct audit_names *name; > > > > if (!audit_enabled || audit_dummy_context()) > > return; > > > > - name = kzalloc(sizeof(*name), GFP_NOFS); > > - if (!name) > > - return; > > - > > /* Generate AUDIT_ANOM_LINK with subject, operation, outcome. */ > > ab = audit_log_start(current->audit_context, GFP_KERNEL, > > AUDIT_ANOM_LINK); > > if (!ab) > > - goto out; > > + return; > > audit_log_format(ab, "op=%s", operation); > > audit_log_task_info(ab, current); > > audit_log_format(ab, " res=0"); > > audit_log_end(ab); > > - > > - /* Generate AUDIT_PATH record with object. */ > > - name->type = AUDIT_TYPE_NORMAL; > > - audit_copy_inode(name, link->dentry, d_backing_inode(link->dentry)); > > - audit_log_name(current->audit_context, name, link, 0, NULL); > > -out: > > - kfree(name); > > } > > > > /** > > -- > > 1.8.3.1 > > > > > > -- > paul moore > www.paul-moore.com > > -- > Linux-audit mailing list > Linux-audit@redhat.com > https://www.redhat.com/mailman/listinfo/linux-audit - RGB -- Richard Guy Briggs Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647
Re: [PATCH ghak21 V2 2/4] audit: link denied should not directly generate PATH record
On Mon, Mar 12, 2018 at 2:31 AM, Richard Guy Briggs wrote: > Audit link denied events generate duplicate PATH records which disagree > in different ways from symlink and hardlink denials. > audit_log_link_denied() should not directly generate PATH records. > While we're at it, remove the now useless struct path argument. > > See: https://github.com/linux-audit/audit-kernel/issues/21 > Signed-off-by: Richard Guy Briggs > --- > fs/namei.c| 2 +- > include/linux/audit.h | 6 ++ > kernel/audit.c| 17 ++--- > 3 files changed, 5 insertions(+), 20 deletions(-) I have no objection to the v2 change of removing the link parameter, but this patch can not be merged as-is because the v1 patch has already been merged into audit/next (as stated on the mailing list). You need to respin this patch against audit/next and redo the subject/description to indicate that you are just removing the unused link parameter in this updated patch. > diff --git a/fs/namei.c b/fs/namei.c > index 9cc91fb..50d2533 100644 > --- a/fs/namei.c > +++ b/fs/namei.c > @@ -1011,7 +1011,7 @@ static int may_linkat(struct path *link) > if (safe_hardlink_source(inode) || inode_owner_or_capable(inode)) > return 0; > > - audit_log_link_denied("linkat", link); > + audit_log_link_denied("linkat"); > return -EPERM; > } > > diff --git a/include/linux/audit.h b/include/linux/audit.h > index af410d9..75d5b03 100644 > --- a/include/linux/audit.h > +++ b/include/linux/audit.h > @@ -146,8 +146,7 @@ extern void audit_log_d_path(struct > audit_buffer *ab, > const struct path *path); > extern voidaudit_log_key(struct audit_buffer *ab, > char *key); > -extern voidaudit_log_link_denied(const char *operation, > - const struct path *link); > +extern voidaudit_log_link_denied(const char *operation); > extern voidaudit_log_lost(const char *message); > > extern int audit_log_task_context(struct audit_buffer *ab); > @@ -194,8 +193,7 @@ static inline void audit_log_d_path(struct audit_buffer > *ab, > { } > static inline void audit_log_key(struct audit_buffer *ab, char *key) > { } > -static inline void audit_log_link_denied(const char *string, > -const struct path *link) > +static inline void audit_log_link_denied(const char *string) > { } > static inline int audit_log_task_context(struct audit_buffer *ab) > { > diff --git a/kernel/audit.c b/kernel/audit.c > index 7026d69..e54deaf 100644 > --- a/kernel/audit.c > +++ b/kernel/audit.c > @@ -2301,36 +2301,23 @@ void audit_log_task_info(struct audit_buffer *ab, > struct task_struct *tsk) > /** > * audit_log_link_denied - report a link restriction denial > * @operation: specific link operation > - * @link: the path that triggered the restriction > */ > -void audit_log_link_denied(const char *operation, const struct path *link) > +void audit_log_link_denied(const char *operation) > { > struct audit_buffer *ab; > - struct audit_names *name; > > if (!audit_enabled || audit_dummy_context()) > return; > > - name = kzalloc(sizeof(*name), GFP_NOFS); > - if (!name) > - return; > - > /* Generate AUDIT_ANOM_LINK with subject, operation, outcome. */ > ab = audit_log_start(current->audit_context, GFP_KERNEL, > AUDIT_ANOM_LINK); > if (!ab) > - goto out; > + return; > audit_log_format(ab, "op=%s", operation); > audit_log_task_info(ab, current); > audit_log_format(ab, " res=0"); > audit_log_end(ab); > - > - /* Generate AUDIT_PATH record with object. */ > - name->type = AUDIT_TYPE_NORMAL; > - audit_copy_inode(name, link->dentry, d_backing_inode(link->dentry)); > - audit_log_name(current->audit_context, name, link, 0, NULL); > -out: > - kfree(name); > } > > /** > -- > 1.8.3.1 > -- paul moore www.paul-moore.com -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
[PATCH ghak21 V2 2/4] audit: link denied should not directly generate PATH record
Audit link denied events generate duplicate PATH records which disagree in different ways from symlink and hardlink denials. audit_log_link_denied() should not directly generate PATH records. While we're at it, remove the now useless struct path argument. See: https://github.com/linux-audit/audit-kernel/issues/21 Signed-off-by: Richard Guy Briggs --- fs/namei.c| 2 +- include/linux/audit.h | 6 ++ kernel/audit.c| 17 ++--- 3 files changed, 5 insertions(+), 20 deletions(-) diff --git a/fs/namei.c b/fs/namei.c index 9cc91fb..50d2533 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -1011,7 +1011,7 @@ static int may_linkat(struct path *link) if (safe_hardlink_source(inode) || inode_owner_or_capable(inode)) return 0; - audit_log_link_denied("linkat", link); + audit_log_link_denied("linkat"); return -EPERM; } diff --git a/include/linux/audit.h b/include/linux/audit.h index af410d9..75d5b03 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -146,8 +146,7 @@ extern void audit_log_d_path(struct audit_buffer *ab, const struct path *path); extern voidaudit_log_key(struct audit_buffer *ab, char *key); -extern voidaudit_log_link_denied(const char *operation, - const struct path *link); +extern voidaudit_log_link_denied(const char *operation); extern voidaudit_log_lost(const char *message); extern int audit_log_task_context(struct audit_buffer *ab); @@ -194,8 +193,7 @@ static inline void audit_log_d_path(struct audit_buffer *ab, { } static inline void audit_log_key(struct audit_buffer *ab, char *key) { } -static inline void audit_log_link_denied(const char *string, -const struct path *link) +static inline void audit_log_link_denied(const char *string) { } static inline int audit_log_task_context(struct audit_buffer *ab) { diff --git a/kernel/audit.c b/kernel/audit.c index 7026d69..e54deaf 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -2301,36 +2301,23 @@ void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk) /** * audit_log_link_denied - report a link restriction denial * @operation: specific link operation - * @link: the path that triggered the restriction */ -void audit_log_link_denied(const char *operation, const struct path *link) +void audit_log_link_denied(const char *operation) { struct audit_buffer *ab; - struct audit_names *name; if (!audit_enabled || audit_dummy_context()) return; - name = kzalloc(sizeof(*name), GFP_NOFS); - if (!name) - return; - /* Generate AUDIT_ANOM_LINK with subject, operation, outcome. */ ab = audit_log_start(current->audit_context, GFP_KERNEL, AUDIT_ANOM_LINK); if (!ab) - goto out; + return; audit_log_format(ab, "op=%s", operation); audit_log_task_info(ab, current); audit_log_format(ab, " res=0"); audit_log_end(ab); - - /* Generate AUDIT_PATH record with object. */ - name->type = AUDIT_TYPE_NORMAL; - audit_copy_inode(name, link->dentry, d_backing_inode(link->dentry)); - audit_log_name(current->audit_context, name, link, 0, NULL); -out: - kfree(name); } /** -- 1.8.3.1 -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit