Re: [RFC PATCH ghak21 4/4] audit: add parent of refused symlink to audit_names

2018-03-08 Thread Paul Moore
On Wed, Feb 14, 2018 at 11:18 AM, Richard Guy Briggs wrote: > Audit link denied events for symlinks were missing the parent PATH > record. Add it. Since the full pathname may not be available, > reconstruct it from the path in the nameidata supplied. > > See: https://github.com/linux-audit/audit

Re: [RFC PATCH ghak21 3/4] audit: add refused symlink to audit_names

2018-03-08 Thread Paul Moore
On Thu, Mar 8, 2018 at 7:30 PM, Paul Moore wrote: > On Wed, Feb 14, 2018 at 11:18 AM, Richard Guy Briggs wrote: >> Audit link denied events for symlinks had duplicate PATH records rather >> than just updating the existing PATH record. Update the symlink's PATH >> record with the current dentry a

Re: [RFC PATCH ghak21 3/4] audit: add refused symlink to audit_names

2018-03-08 Thread Paul Moore
On Wed, Feb 14, 2018 at 11:18 AM, Richard Guy Briggs wrote: > Audit link denied events for symlinks had duplicate PATH records rather > than just updating the existing PATH record. Update the symlink's PATH > record with the current dentry and inode information. > > See: https://github.com/linux-

Re: [RFC PATCH ghak21 2/4] audit: link denied should not directly generate PATH record

2018-03-08 Thread Paul Moore
On Wed, Feb 14, 2018 at 11:18 AM, Richard Guy Briggs wrote: > Audit link denied events generate duplicate PATH records which disagree > in different ways from symlink and hardlink denials. > audit_log_link_denied() should not directly generate PATH records. > > See: https://github.com/linux-audit/

Re: [RFC PATCH ghak21 1/4] audit: make ANOM_LINK obey audit_enabled and audit_dummy_context

2018-03-08 Thread Paul Moore
On Thu, Feb 15, 2018 at 5:51 PM, Paul Moore wrote: > On Thu, Feb 15, 2018 at 1:16 AM, Kees Cook wrote: >> On Wed, Feb 14, 2018 at 6:33 PM, Richard Guy Briggs wrote: >>> On 2018-02-14 09:51, Kees Cook wrote: On Wed, Feb 14, 2018 at 8:18 AM, Richard Guy Briggs wrote: > Audit link

Re: [PATCH] audit: add containerid support for IMA-audit

2018-03-08 Thread Mimi Zohar
On Thu, 2018-03-08 at 06:21 -0500, Richard Guy Briggs wrote: > On 2018-03-05 09:24, Mimi Zohar wrote: > > On Mon, 2018-03-05 at 08:50 -0500, Richard Guy Briggs wrote: > > > On 2018-03-05 08:43, Mimi Zohar wrote: > > > > Hi Richard, > > > > > > > > This patch has been compiled, but not runtime test

Re: [PATCH] audit: set TIF_AUDIT_SYSCALL only if audit filter has been populated

2018-03-08 Thread Richard Guy Briggs
On 2018-03-08 06:30, Andy Lutomirski wrote: > > > > On Mar 8, 2018, at 1:12 AM, Richard Guy Briggs wrote: > > > >> On 2018-03-07 18:43, Paul Moore wrote: > >>> On Wed, Mar 7, 2018 at 6:41 PM, Paul Moore wrote: > On Wed, Mar 7, 2018 at 11:48 AM, Jiri Kosina wrote: > > On Wed, 7 Mar 20

Re: [PATCH] audit: set TIF_AUDIT_SYSCALL only if audit filter has been populated

2018-03-08 Thread Andy Lutomirski
On Wed, Mar 7, 2018 at 11:41 PM, Paul Moore wrote: > On Wed, Mar 7, 2018 at 11:48 AM, Jiri Kosina wrote: >> On Wed, 7 Mar 2018, Andy Lutomirski wrote: >>> Wow, this was a long time ago. >> >> Oh yeah; but it now resurfaced on our side, as we are of course receiving >> a lot of requests with respe

Re: [PATCH] audit: set TIF_AUDIT_SYSCALL only if audit filter has been populated

2018-03-08 Thread Andy Lutomirski
> On Mar 8, 2018, at 1:12 AM, Richard Guy Briggs wrote: > >> On 2018-03-07 18:43, Paul Moore wrote: >>> On Wed, Mar 7, 2018 at 6:41 PM, Paul Moore wrote: On Wed, Mar 7, 2018 at 11:48 AM, Jiri Kosina wrote: > On Wed, 7 Mar 2018, Andy Lutomirski wrote: > Wow, this was a long time a

Re: [RFC PATCH ghak21 0/4] audit: address ANOM_LINK excess records

2018-03-08 Thread Richard Guy Briggs
On 2018-02-14 22:46, Richard Guy Briggs wrote: > On 2018-02-14 11:49, Steve Grubb wrote: > > On Wednesday, February 14, 2018 11:18:20 AM EST Richard Guy Briggs wrote: > > > Audit link denied events were being unexpectedly produced in a disjoint > > > way when audit was disabled, and when they were

Re: [PATCH] audit: add containerid support for IMA-audit

2018-03-08 Thread Richard Guy Briggs
On 2018-03-05 09:24, Mimi Zohar wrote: > On Mon, 2018-03-05 at 08:50 -0500, Richard Guy Briggs wrote: > > On 2018-03-05 08:43, Mimi Zohar wrote: > > > Hi Richard, > > > > > > This patch has been compiled, but not runtime tested. > > > > Ok, great, thank you. I assume you are offering this patch

Re: [PATCH] audit: set TIF_AUDIT_SYSCALL only if audit filter has been populated

2018-03-08 Thread Richard Guy Briggs
On 2018-03-07 18:43, Paul Moore wrote: > On Wed, Mar 7, 2018 at 6:41 PM, Paul Moore wrote: > > On Wed, Mar 7, 2018 at 11:48 AM, Jiri Kosina wrote: > >> On Wed, 7 Mar 2018, Andy Lutomirski wrote: > >>> Wow, this was a long time ago. > >> > >> Oh yeah; but it now resurfaced on our side, as we are o