Re: [RFC PATCH ghak21 2/4] audit: link denied should not directly generate PATH record
On 2018-03-08 19:26, Paul Moore wrote: > On Wed, Feb 14, 2018 at 11:18 AM, Richard Guy Briggs wrote: > > Audit link denied events generate duplicate PATH records which disagree > > in different ways from symlink and hardlink denials. > > audit_log_link_denied() should not directly generate PATH records. > > > > See: https://github.com/linux-audit/audit-kernel/issues/21 > > Signed-off-by: Richard Guy Briggs > > --- > > kernel/audit.c | 14 +- > > 1 file changed, 1 insertion(+), 13 deletions(-) > > Merged, thanks. Self-NACK. Please un-merge this RFC v1 version and merge instead the v2 patch since it removes the now-unnecessary struct path * parameter from audit_log_link_denied(). > > diff --git a/kernel/audit.c b/kernel/audit.c > > index 4c3fd24..683b249 100644 > > --- a/kernel/audit.c > > +++ b/kernel/audit.c > > @@ -2259,31 +2259,19 @@ void audit_log_task_info(struct audit_buffer *ab, > > struct task_struct *tsk) > > void audit_log_link_denied(const char *operation, const struct path *link) > > { > > struct audit_buffer *ab; > > - struct audit_names *name; > > > > if (!audit_enabled || audit_dummy_context()) > > return; > > > > - name = kzalloc(sizeof(*name), GFP_NOFS); > > - if (!name) > > - return; > > - > > /* Generate AUDIT_ANOM_LINK with subject, operation, outcome. */ > > ab = audit_log_start(current->audit_context, GFP_KERNEL, > > AUDIT_ANOM_LINK); > > if (!ab) > > - goto out; > > + return; > > audit_log_format(ab, "op=%s", operation); > > audit_log_task_info(ab, current); > > audit_log_format(ab, " res=0"); > > audit_log_end(ab); > > - > > - /* Generate AUDIT_PATH record with object. */ > > - name->type = AUDIT_TYPE_NORMAL; > > - audit_copy_inode(name, link->dentry, d_backing_inode(link->dentry)); > > - audit_log_name(current->audit_context, name, link, 0, NULL); > > -out: > > - kfree(name); > > } > > > > /** > > -- > > 1.8.3.1 > > > > > > -- > paul moore > www.paul-moore.com - RGB -- Richard Guy Briggs Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635 -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: [RFC PATCH ghak21 2/4] audit: link denied should not directly generate PATH record
On Wed, Feb 14, 2018 at 11:18 AM, Richard Guy Briggs wrote: > Audit link denied events generate duplicate PATH records which disagree > in different ways from symlink and hardlink denials. > audit_log_link_denied() should not directly generate PATH records. > > See: https://github.com/linux-audit/audit-kernel/issues/21 > Signed-off-by: Richard Guy Briggs > --- > kernel/audit.c | 14 +- > 1 file changed, 1 insertion(+), 13 deletions(-) Merged, thanks. > diff --git a/kernel/audit.c b/kernel/audit.c > index 4c3fd24..683b249 100644 > --- a/kernel/audit.c > +++ b/kernel/audit.c > @@ -2259,31 +2259,19 @@ void audit_log_task_info(struct audit_buffer *ab, > struct task_struct *tsk) > void audit_log_link_denied(const char *operation, const struct path *link) > { > struct audit_buffer *ab; > - struct audit_names *name; > > if (!audit_enabled || audit_dummy_context()) > return; > > - name = kzalloc(sizeof(*name), GFP_NOFS); > - if (!name) > - return; > - > /* Generate AUDIT_ANOM_LINK with subject, operation, outcome. */ > ab = audit_log_start(current->audit_context, GFP_KERNEL, > AUDIT_ANOM_LINK); > if (!ab) > - goto out; > + return; > audit_log_format(ab, "op=%s", operation); > audit_log_task_info(ab, current); > audit_log_format(ab, " res=0"); > audit_log_end(ab); > - > - /* Generate AUDIT_PATH record with object. */ > - name->type = AUDIT_TYPE_NORMAL; > - audit_copy_inode(name, link->dentry, d_backing_inode(link->dentry)); > - audit_log_name(current->audit_context, name, link, 0, NULL); > -out: > - kfree(name); > } > > /** > -- > 1.8.3.1 > -- paul moore www.paul-moore.com -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
[RFC PATCH ghak21 2/4] audit: link denied should not directly generate PATH record
Audit link denied events generate duplicate PATH records which disagree in different ways from symlink and hardlink denials. audit_log_link_denied() should not directly generate PATH records. See: https://github.com/linux-audit/audit-kernel/issues/21 Signed-off-by: Richard Guy Briggs --- kernel/audit.c | 14 +- 1 file changed, 1 insertion(+), 13 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index 4c3fd24..683b249 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -2259,31 +2259,19 @@ void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk) void audit_log_link_denied(const char *operation, const struct path *link) { struct audit_buffer *ab; - struct audit_names *name; if (!audit_enabled || audit_dummy_context()) return; - name = kzalloc(sizeof(*name), GFP_NOFS); - if (!name) - return; - /* Generate AUDIT_ANOM_LINK with subject, operation, outcome. */ ab = audit_log_start(current->audit_context, GFP_KERNEL, AUDIT_ANOM_LINK); if (!ab) - goto out; + return; audit_log_format(ab, "op=%s", operation); audit_log_task_info(ab, current); audit_log_format(ab, " res=0"); audit_log_end(ab); - - /* Generate AUDIT_PATH record with object. */ - name->type = AUDIT_TYPE_NORMAL; - audit_copy_inode(name, link->dentry, d_backing_inode(link->dentry)); - audit_log_name(current->audit_context, name, link, 0, NULL); -out: - kfree(name); } /** -- 1.8.3.1 -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit