When task->comm is passed directly to audit_log_untrustedstring() without
getting a copy or using the task_lock, there is a race that could happen that
would output a NULL (\0) in the output string that would effectively truncate
the rest of the report text after the comm= field in the audit, losing fields.
Use get_task_comm() to get a copy while acquiring the task_lock to prevent
this and to prevent the result from being a mixture of old and new values of
comm.
Signed-off-by: Richard Guy Briggs <[email protected]>
---
security/integrity/integrity_audit.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/security/integrity/integrity_audit.c b/security/integrity/integrity_audit.c
index 85253b5..11706a2 100644
--- a/security/integrity/integrity_audit.c
+++ b/security/integrity/integrity_audit.c
@@ -33,6 +33,7 @@ void integrity_audit_msg(int audit_msgno, struct inode *inode,
const char *cause, int result, int audit_info)
{
struct audit_buffer *ab;
+ char comm[sizeof(current->comm)];
if (!integrity_audit_info && audit_info == 1) /* Skip info messages */
return;
@@ -49,7 +50,7 @@ void integrity_audit_msg(int audit_msgno, struct inode *inode,
audit_log_format(ab, " cause=");
audit_log_string(ab, cause);
audit_log_format(ab, " comm=");
- audit_log_untrustedstring(ab, current->comm);
+ audit_log_untrustedstring(ab, get_task_comm(comm, current));
if (fname) {
audit_log_format(ab, " name=");
audit_log_untrustedstring(ab, fname);
--
1.7.1
On Wed, 2014-04-02 at 12:19 -0400, Richard Guy Briggs wrote:
> When task->comm is passed directly to audit_log_untrustedstring() without
> getting a copy or using the task_lock, there is a race that could happen that
> would output a NULL (\0) in the output string that would effectively truncate
> the rest of the report text after the comm= field in the audit, losing fields.
>
> Use get_task_comm() to get a copy while acquiring the task_lock to prevent
> this and to prevent the result from being a mixture of old and new values of
> comm.
>
> Signed-off-by: Richard Guy Briggs <[email protected]>
> ---
> security/integrity/integrity_audit.c | 3 ++-
> 1 files changed, 2 insertions(+), 1 deletions(-)
>
> diff --git a/security/integrity/integrity_audit.c b/security/integrity/integrity_audit.c
> index 85253b5..11706a2 100644
> --- a/security/integrity/integrity_audit.c
> +++ b/security/integrity/integrity_audit.c
> @@ -33,6 +33,7 @@ void integrity_audit_msg(int audit_msgno, struct inode *inode,
> const char *cause, int result, int audit_info)
> {
> struct audit_buffer *ab;
> + char comm[sizeof(current->comm)];
>
> if (!integrity_audit_info && audit_info == 1) /* Skip info messages */
> return;
> @@ -49,7 +50,7 @@ void integrity_audit_msg(int audit_msgno, struct inode *inode,
> audit_log_format(ab, " cause=");
> audit_log_string(ab, cause);
> audit_log_format(ab, " comm=");
> - audit_log_untrustedstring(ab, current->comm);
> + audit_log_untrustedstring(ab, get_task_comm(comm, current));
> if (fname) {
> audit_log_format(ab, " name=");
> audit_log_untrustedstring(ab, fname);
This change is already being upstreamed as commit 73a6b44 "Integrity:
Pass commname via get_task_comm()".
thanks,
Mimi
Hello Mimi,
On Wednesday, April 02, 2014 01:39:47 PM Mimi Zohar wrote:
> This change is already being upstreamed as commit 73a6b44 "Integrity:
> Pass commname via get_task_comm()".
While I was looking at Richard's patch, I noticed a few places where cause and
op are logged and the string isn't tied together with a _ or -. These are in
ima/ima_appraise.c line 383, and ima/ima_policy.c lines 333, 657, and 683. Are
these fixed upstream? Or should a patch be made?
Thanks,
-Steve
On Wed, 2014-04-02 at 14:00 -0400, Steve Grubb wrote:
> Hello Mimi,
>
> On Wednesday, April 02, 2014 01:39:47 PM Mimi Zohar wrote:
> > This change is already being upstreamed as commit 73a6b44 "Integrity:
> > Pass commname via get_task_comm()".
>
> While I was looking at Richard's patch, I noticed a few places where cause and
> op are logged and the string isn't tied together with a _ or -. These are in
> ima/ima_appraise.c line 383, and ima/ima_policy.c lines 333, 657, and 683. Are
> these fixed upstream? Or should a patch be made?
Nothing has changed in terms of 'cause' and 'op'. I would suggest
making the changes in integrity_audit.c: integrity_audit_msg().
thanks,
Mimi
On Wed, 2014-04-02 at 14:12 -0400, Mimi Zohar wrote:
> On Wed, 2014-04-02 at 14:00 -0400, Steve Grubb wrote:
> > Hello Mimi,
> >
> > On Wednesday, April 02, 2014 01:39:47 PM Mimi Zohar wrote:
> > > This change is already being upstreamed as commit 73a6b44 "Integrity:
> > > Pass commname via get_task_comm()".
> >
> > While I was looking at Richard's patch, I noticed a few places where cause and
> > op are logged and the string isn't tied together with a _ or -. These are in
> > ima/ima_appraise.c line 383, and ima/ima_policy.c lines 333, 657, and 683. Are
> > these fixed upstream? Or should a patch be made?
>
> Nothing has changed in terms of 'cause' and 'op'. I would suggest
> making the changes in integrity_audit.c: integrity_audit_msg().
The question is actually, do you know of anyone who is expecting the
space, instead of a more 'audit standard' - or _ ? If not, we'll change
it. If so, we'll discuss more :)
-Eric
On Wed, 2014-04-02 at 14:18 -0400, Eric Paris wrote:
> On Wed, 2014-04-02 at 14:12 -0400, Mimi Zohar wrote:
> > On Wed, 2014-04-02 at 14:00 -0400, Steve Grubb wrote:
> > > Hello Mimi,
> > >
> > > On Wednesday, April 02, 2014 01:39:47 PM Mimi Zohar wrote:
> > > > This change is already being upstreamed as commit 73a6b44 "Integrity:
> > > > Pass commname via get_task_comm()".
> > >
> > > While I was looking at Richard's patch, I noticed a few places where cause and
> > > op are logged and the string isn't tied together with a _ or -. These are in
> > > ima/ima_appraise.c line 383, and ima/ima_policy.c lines 333, 657, and 683. Are
> > > these fixed upstream? Or should a patch be made?
> >
> > Nothing has changed in terms of 'cause' and 'op'. I would suggest
> > making the changes in integrity_audit.c: integrity_audit_msg().
>
> The question is actually, do you know of anyone who is expecting the
> space, instead of a more 'audit standard' - or _ ? If not, we'll change
> it. If so, we'll discuss more :)
CC'ing linux-ima-user as well.
Mimi
On 14/04/02, Mimi Zohar wrote:
> On Wed, 2014-04-02 at 12:19 -0400, Richard Guy Briggs wrote:
> > When task->comm is passed directly to audit_log_untrustedstring() without
> > getting a copy or using the task_lock, there is a race that could happen that
> > would output a NULL (\0) in the output string that would effectively truncate
> > the rest of the report text after the comm= field in the audit, losing fields.
> >
> > Use get_task_comm() to get a copy while acquiring the task_lock to prevent
> > this and to prevent the result from being a mixture of old and new values of
> > comm.
> >
> > Signed-off-by: Richard Guy Briggs <[email protected]>
> > ---
> > security/integrity/integrity_audit.c | 3 ++-
> > 1 files changed, 2 insertions(+), 1 deletions(-)
> >
> > diff --git a/security/integrity/integrity_audit.c b/security/integrity/integrity_audit.c
> > index 85253b5..11706a2 100644
> > --- a/security/integrity/integrity_audit.c
> > +++ b/security/integrity/integrity_audit.c
> > @@ -33,6 +33,7 @@ void integrity_audit_msg(int audit_msgno, struct inode *inode,
> > const char *cause, int result, int audit_info)
> > {
> > struct audit_buffer *ab;
> > + char comm[sizeof(current->comm)];
> >
> > if (!integrity_audit_info && audit_info == 1) /* Skip info messages */
> > return;
> > @@ -49,7 +50,7 @@ void integrity_audit_msg(int audit_msgno, struct inode *inode,
> > audit_log_format(ab, " cause=");
> > audit_log_string(ab, cause);
> > audit_log_format(ab, " comm=");
> > - audit_log_untrustedstring(ab, current->comm);
> > + audit_log_untrustedstring(ab, get_task_comm(comm, current));
> > if (fname) {
> > audit_log_format(ab, " name=");
> > audit_log_untrustedstring(ab, fname);
>
> This change is already being upstreamed as commit 73a6b44 "Integrity:
> Pass commname via get_task_comm()".
Excellent. Missed that. Thanks.
> thanks,
>
> Mimi
- RGB
--
Richard Guy Briggs <[email protected]>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
On 14/04/02, Mimi Zohar wrote:
> On Wed, 2014-04-02 at 14:18 -0400, Eric Paris wrote:
> > On Wed, 2014-04-02 at 14:12 -0400, Mimi Zohar wrote:
> > > On Wed, 2014-04-02 at 14:00 -0400, Steve Grubb wrote:
> > > > Hello Mimi,
> > > >
> > > > On Wednesday, April 02, 2014 01:39:47 PM Mimi Zohar wrote:
> > > > > This change is already being upstreamed as commit 73a6b44 "Integrity:
> > > > > Pass commname via get_task_comm()".
> > > >
> > > > While I was looking at Richard's patch, I noticed a few places where cause and
> > > > op are logged and the string isn't tied together with a _ or -. These are in
> > > > ima/ima_appraise.c line 383, and ima/ima_policy.c lines 333, 657, and 683. Are
> > > > these fixed upstream? Or should a patch be made?
> > >
> > > Nothing has changed in terms of 'cause' and 'op'. I would suggest
> > > making the changes in integrity_audit.c: integrity_audit_msg().
That function could massage incoming text fields and convert spaces to
hyphens or underscores, but I'd assume the right place to do it would be
in the original text. If you suggest the former, it could just be done
in audit_log_string(), but then grepping the source for error messages
would not be nearly as useful. Is this what you were suggesting?
> > The question is actually, do you know of anyone who is expecting the
> > space, instead of a more 'audit standard' - or _ ? If not, we'll change
> > it. If so, we'll discuss more :)
>
> CC'ing linux-ima-user as well.
Thanks.
> Mimi
- RGB
--
Richard Guy Briggs <[email protected]>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
On 14/04/02, Richard Guy Briggs wrote:
> On 14/04/02, Mimi Zohar wrote:
> > On Wed, 2014-04-02 at 14:18 -0400, Eric Paris wrote:
> > > On Wed, 2014-04-02 at 14:12 -0400, Mimi Zohar wrote:
> > > > On Wed, 2014-04-02 at 14:00 -0400, Steve Grubb wrote:
> > > > > Hello Mimi,
> > > > >
> > > > > On Wednesday, April 02, 2014 01:39:47 PM Mimi Zohar wrote:
> > > > > > This change is already being upstreamed as commit 73a6b44 "Integrity:
> > > > > > Pass commname via get_task_comm()".
> > > > >
> > > > > While I was looking at Richard's patch, I noticed a few places where cause and
> > > > > op are logged and the string isn't tied together with a _ or -. These are in
> > > > > ima/ima_appraise.c line 383, and ima/ima_policy.c lines 333, 657, and 683. Are
> > > > > these fixed upstream? Or should a patch be made?
> > > >
> > > > Nothing has changed in terms of 'cause' and 'op'. I would suggest
> > > > making the changes in integrity_audit.c: integrity_audit_msg().
>
> That function could massage incoming text fields and convert spaces to
> hyphens or underscores, but I'd assume the right place to do it would be
> in the original text. If you suggest the former, it could just be done
> in audit_log_string(), but then grepping the source for error messages
> would not be nearly as useful. Is this what you were suggesting?
>
> > > The question is actually, do you know of anyone who is expecting the
> > > space, instead of a more 'audit standard' - or _ ? If not, we'll change
> > > it. If so, we'll discuss more :)
> >
> > CC'ing linux-ima-user as well.
>
> Thanks.
Was there any response from linux-ima-user?
> > Mimi
>
> - RGB
- RGB
--
Richard Guy Briggs <[email protected]>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
On 14 June 2014 03:02, Richard Guy Briggs <[email protected]> wrote:
> On 14/04/02, Richard Guy Briggs wrote:
>> On 14/04/02, Mimi Zohar wrote:
>> > On Wed, 2014-04-02 at 14:18 -0400, Eric Paris wrote:
>> > > On Wed, 2014-04-02 at 14:12 -0400, Mimi Zohar wrote:
>> > > > On Wed, 2014-04-02 at 14:00 -0400, Steve Grubb wrote:
>> > > > > Hello Mimi,
>> > > > >
>> > > > > On Wednesday, April 02, 2014 01:39:47 PM Mimi Zohar wrote:
>> > > > > > This change is already being upstreamed as commit 73a6b44 "Integrity:
>> > > > > > Pass commname via get_task_comm()".
>> > > > >
>> > > > > While I was looking at Richard's patch, I noticed a few places where cause and
>> > > > > op are logged and the string isn't tied together with a _ or -. These are in
>> > > > > ima/ima_appraise.c line 383, and ima/ima_policy.c lines 333, 657, and 683. Are
>> > > > > these fixed upstream? Or should a patch be made?
>> > > >
>> > > > Nothing has changed in terms of 'cause' and 'op'. I would suggest
>> > > > making the changes in integrity_audit.c: integrity_audit_msg().
>>
>> That function could massage incoming text fields and convert spaces to
>> hyphens or underscores, but I'd assume the right place to do it would be
>> in the original text. If you suggest the former, it could just be done
>> in audit_log_string(), but then grepping the source for error messages
>> would not be nearly as useful. Is this what you were suggesting?
>>
>> > > The question is actually, do you know of anyone who is expecting the
>> > > space, instead of a more 'audit standard' - or _ ? If not, we'll change
>> > > it. If so, we'll discuss more :)
>> >
>> > CC'ing linux-ima-user as well.
>>
>> Thanks.
>
> Was there any response from linux-ima-user?
>
>> > Mimi
>>
>> - RGB
>
Hi,
I will find this patch and have a look.
Thanks,
Dmitry
> - RGB
>
> --
> Richard Guy Briggs <[email protected]>
> Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
> Remote, Ottawa, Canada
> Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
>
> ------------------------------------------------------------------------------
> HPCC Systems Open Source Big Data Platform from LexisNexis Risk Solutions
> Find What Matters Most in Your Big Data with HPCC Systems
> Open Source. Fast. Scalable. Simple. Ideal for Dirty Data.
> Leverages Graph Analysis for Fast Processing & Easy Data Exploration
> http://p.sf.net/sfu/hpccsystems
> _______________________________________________
> Linux-ima-user mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/linux-ima-user
--
Thanks,
Dmitry
On Sat, 2014-06-14 at 12:43 +0300, Dmitry Kasatkin wrote:
> On 14 June 2014 03:02, Richard Guy Briggs <[email protected]> wrote:
> > On 14/04/02, Richard Guy Briggs wrote:
> >> On 14/04/02, Mimi Zohar wrote:
> >> > On Wed, 2014-04-02 at 14:18 -0400, Eric Paris wrote:
> >> > > On Wed, 2014-04-02 at 14:12 -0400, Mimi Zohar wrote:
> >> > > > On Wed, 2014-04-02 at 14:00 -0400, Steve Grubb wrote:
> >> > > > > Hello Mimi,
> >> > > > >
> >> > > > > On Wednesday, April 02, 2014 01:39:47 PM Mimi Zohar wrote:
> >> > > > > > This change is already being upstreamed as commit 73a6b44 "Integrity:
> >> > > > > > Pass commname via get_task_comm()".
> >> > > > >
> >> > > > > While I was looking at Richard's patch, I noticed a few places where cause and
> >> > > > > op are logged and the string isn't tied together with a _ or -. These are in
> >> > > > > ima/ima_appraise.c line 383, and ima/ima_policy.c lines 333, 657, and 683. Are
> >> > > > > these fixed upstream? Or should a patch be made?
> >> > > >
> >> > > > Nothing has changed in terms of 'cause' and 'op'. I would suggest
> >> > > > making the changes in integrity_audit.c: integrity_audit_msg().
> >>
> >> That function could massage incoming text fields and convert spaces to
> >> hyphens or underscores, but I'd assume the right place to do it would be
> >> in the original text. If you suggest the former, it could just be done
> >> in audit_log_string(), but then grepping the source for error messages
> >> would not be nearly as useful. Is this what you were suggesting?
> >>
> >> > > The question is actually, do you know of anyone who is expecting the
> >> > > space, instead of a more 'audit standard' - or _ ? If not, we'll change
> >> > > it. If so, we'll discuss more :)
> >> >
> >> > CC'ing linux-ima-user as well.
> >>
> >> Thanks.
> >
> > Was there any response from linux-ima-user?
> >
> >> > Mimi
> >>
> >> - RGB
> >
>
> Hi,
>
> I will find this patch and have a look.
As nobody has responded, I would assume it is safe to change.
Mimi
On 14/06/14, Mimi Zohar wrote:
> On Sat, 2014-06-14 at 12:43 +0300, Dmitry Kasatkin wrote:
> > On 14 June 2014 03:02, Richard Guy Briggs <[email protected]> wrote:
> > > On 14/04/02, Richard Guy Briggs wrote:
> > >> On 14/04/02, Mimi Zohar wrote:
> > >> > On Wed, 2014-04-02 at 14:18 -0400, Eric Paris wrote:
> > >> > > On Wed, 2014-04-02 at 14:12 -0400, Mimi Zohar wrote:
> > >> > > > On Wed, 2014-04-02 at 14:00 -0400, Steve Grubb wrote:
> > >> > > > > Hello Mimi,
> > >> > > > >
> > >> > > > > On Wednesday, April 02, 2014 01:39:47 PM Mimi Zohar wrote:
> > >> > > > > > This change is already being upstreamed as commit 73a6b44 "Integrity:
> > >> > > > > > Pass commname via get_task_comm()".
> > >> > > > >
> > >> > > > > While I was looking at Richard's patch, I noticed a few places where cause and
> > >> > > > > op are logged and the string isn't tied together with a _ or -. These are in
> > >> > > > > ima/ima_appraise.c line 383, and ima/ima_policy.c lines 333, 657, and 683. Are
> > >> > > > > these fixed upstream? Or should a patch be made?
> > >> > > >
> > >> > > > Nothing has changed in terms of 'cause' and 'op'. I would suggest
> > >> > > > making the changes in integrity_audit.c: integrity_audit_msg().
> > >>
> > >> That function could massage incoming text fields and convert spaces to
> > >> hyphens or underscores, but I'd assume the right place to do it would be
> > >> in the original text. If you suggest the former, it could just be done
> > >> in audit_log_string(), but then grepping the source for error messages
> > >> would not be nearly as useful. Is this what you were suggesting?
> > >>
> > >> > > The question is actually, do you know of anyone who is expecting the
> > >> > > space, instead of a more 'audit standard' - or _ ? If not, we'll change
> > >> > > it. If so, we'll discuss more :)
> > >> >
> > >> > CC'ing linux-ima-user as well.
> > >>
> > >> Thanks.
> > >
> > > Was there any response from linux-ima-user?
> > >
> > >> > Mimi
> > >>
> > >> - RGB
> > >
> >
> > Hi,
> >
> > I will find this patch and have a look.
>
> As nobody has responded, I would assume it is safe to change.
Thanks! :)
> Mimi
- RGB
--
Richard Guy Briggs <[email protected]>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545