From: Richard Guy Briggs <rgb@redhat.com>
To: Linux-Audit Mailing List, LKML
Cc: Eric Paris, Paul Moore, Steve Grubb, Kees Cook, Richard Guy Briggs
Subject: [RFC PATCH ghak21 0/4] audit: address ANOM_LINK excess records
Date: Wed, 14 Feb 2018 11:18:20 -0500
Sender: linux-kernel-owner@vger.kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org

Audit link denied events were being unexpectedly produced in a disjoint way when audit was disabled, and when they were expected, there were duplicate PATH records. This patchset addresses both issues for symlinks and hardlinks.

This was introduced with
  commit b24a30a7305418ff138ff51776fc555ec57c011a ("audit: fix event coverage of AUDIT_ANOM_LINK")
  commit a51d9eaa41866ab6b4b6ecad7b621f8b66ece0dc ("fs: add link restriction audit reporting")

Here are the resulting events:

symlink:
type=PROCTITLE msg=audit(02/14/2018 04:40:21.635:238) : proctitle=cat my-passwd
type=PATH msg=audit(02/14/2018 04:40:21.635:238) : item=1 name=/tmp/my-passwd inode=17618 dev=00:27 mode=link,777 ouid=rgb ogid=rgb rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(02/14/2018 04:40:21.635:238) : item=0 name=/tmp inode=13446 dev=00:27 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(02/14/2018 04:40:21.635:238) : cwd=/tmp
type=SYSCALL msg=audit(02/14/2018 04:40:21.635:238) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x7ffc6c1acdda a2=O_RDONLY a3=0x0 items=2 ppid=549 pid=606 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=ttyS0 ses=1 comm=cat exe=/usr/bin/cat subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=ANOM_LINK msg=audit(02/14/2018 04:40:21.635:238) : op=follow_link ppid=549 pid=606 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=ttyS0 ses=1 comm=cat exe=/usr/bin/cat subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=no
----
hardlink:
type=PROCTITLE msg=audit(02/14/2018 04:40:25.373:239) : proctitle=ln test test-ln
type=PATH msg=audit(02/14/2018 04:40:25.373:239) : item=1 name=/tmp inode=13446 dev=00:27 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(02/14/2018 04:40:25.373:239) : item=0 name=test inode=17619 dev=00:27 mode=file,700 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(02/14/2018 04:40:25.373:239) : cwd=/tmp
type=SYSCALL msg=audit(02/14/2018 04:40:25.373:239) : arch=x86_64 syscall=linkat success=no exit=EPERM(Operation not permitted) a0=0xffffff9c a1=0x7fffe6c3f628 a2=0xffffff9c a3=0x7fffe6c3f62d items=2 ppid=578 pid=607 auid=rgb uid=rgb gid=rgb euid=rgb suid=rgb fsuid=rgb egid=rgb sgid=rgb fsgid=rgb tty=pts0 ses=3 comm=ln exe=/usr/bin/ln subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=ANOM_LINK msg=audit(02/14/2018 04:40:25.373:239) : op=linkat ppid=578 pid=607 auid=rgb uid=rgb gid=rgb euid=rgb suid=rgb fsuid=rgb egid=rgb sgid=rgb fsgid=rgb tty=pts0 ses=3 comm=ln exe=/usr/bin/ln subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=no

The remaining problem is how to address this when syscall logging is disabled since it needs a parent path record and/or a CWD record to complete it. It could also use a proctitle record too. In fact, it looks like we need a way to have multiple auxiliary records to support an arbitrary record.

Comments please.

See: https://github.com/linux-audit/audit-kernel/issues/21
See also: https://github.com/linux-audit/audit-kernel/issues/51

Richard Guy Briggs (4):
  audit: make ANOM_LINK obey audit_enabled and audit_dummy_context
  audit: link denied should not directly generate PATH record
  audit: add refused symlink to audit_names
  audit: add parent of refused symlink to audit_names

 fs/namei.c     | 10 ++++++++++
 kernel/audit.c | 13 ++-----------
 2 files changed, 12 insertions(+), 11 deletions(-)

-- 
1.8.3.1
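Added example, not part of this posting or of the kernel patches it announces: a small checker that reads audit records in the `ausearch -i` layout shown above, groups them into events by the serial inside `msg=audit(...:SERIAL)`, and flags the two symptoms the cover letter describes, an ANOM_LINK record that arrives "disjoint" (no SYSCALL, CWD or PATH record in the same event) and duplicate PATH records (two records with the same `item=` index). The sample log embeds trimmed copies of the two events above plus two constructed events (serials 240 and 241) that exhibit the defects; the record shapes for those two are assumptions for illustration, not captured output.

```python
import re
from collections import defaultdict

# Header of one interpreted audit record:
#   type=TYPE msg=audit(MM/DD/YYYY HH:MM:SS.mmm:SERIAL) : field=value ...
# The non-greedy stamp also accepts the raw epoch form audit(1518625679.397:238).
HEADER_RE = re.compile(
    r"^type=(?P<type>\w+)\s+msg=audit\((?P<stamp>.+?):(?P<serial>\d+)\)\s*:\s*(?P<rest>.*)$"
)
# key=value pairs; values are either quoted or run to the next whitespace.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')


def parse_record(line):
    """Parse one record; return None for lines that are not audit records."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    return {
        "type": m.group("type"),
        "serial": int(m.group("serial")),
        "fields": dict(FIELD_RE.findall(m.group("rest"))),
    }


def group_events(lines):
    """Collect records sharing a serial into one event, preserving input order."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            events[rec["serial"]].append(rec)
    return dict(events)


def check_event(records):
    """Return the findings for one event (a list of records with the same serial)."""
    findings = []
    types = {r["type"] for r in records}
    if "ANOM_LINK" in types:
        # With syscall auditing off, the link-denied record stands alone.
        if "SYSCALL" not in types:
            findings.append("ANOM_LINK without SYSCALL record (disjoint event)")
        # The cover letter notes the record needs a parent PATH and/or CWD to be complete.
        if "CWD" not in types and "PATH" not in types:
            findings.append("ANOM_LINK without CWD/PATH context")
    seen = {}
    for r in records:
        if r["type"] != "PATH":
            continue
        item, name = r["fields"].get("item"), r["fields"].get("name")
        if item in seen:
            findings.append(f"duplicate PATH item={item} ({seen[item]} / {name})")
        else:
            seen[item] = name
    return findings


def audit_findings(lines):
    """Map each event serial to its list of findings (empty list = clean event)."""
    return {serial: check_event(recs) for serial, recs in group_events(lines).items()}


# Constructed sample log: 238/239 are trimmed from the posting above and should be clean;
# 240 (ANOM_LINK alone) and 241 (repeated PATH item=0) are assumed shapes of the defects.
SAMPLE_LOG = [
    "type=PROCTITLE msg=audit(02/14/2018 04:40:21.635:238) : proctitle=cat my-passwd",
    "type=PATH msg=audit(02/14/2018 04:40:21.635:238) : item=1 name=/tmp/my-passwd mode=link,777 nametype=NORMAL",
    "type=PATH msg=audit(02/14/2018 04:40:21.635:238) : item=0 name=/tmp mode=dir,sticky,777 nametype=PARENT",
    "type=CWD msg=audit(02/14/2018 04:40:21.635:238) : cwd=/tmp",
    "type=SYSCALL msg=audit(02/14/2018 04:40:21.635:238) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) items=2 pid=606 comm=cat exe=/usr/bin/cat key=(null)",
    "type=ANOM_LINK msg=audit(02/14/2018 04:40:21.635:238) : op=follow_link pid=606 comm=cat exe=/usr/bin/cat res=no",
    "type=PROCTITLE msg=audit(02/14/2018 04:40:25.373:239) : proctitle=ln test test-ln",
    "type=PATH msg=audit(02/14/2018 04:40:25.373:239) : item=1 name=/tmp mode=dir,sticky,777 nametype=PARENT",
    "type=PATH msg=audit(02/14/2018 04:40:25.373:239) : item=0 name=test mode=file,700 nametype=NORMAL",
    "type=CWD msg=audit(02/14/2018 04:40:25.373:239) : cwd=/tmp",
    "type=SYSCALL msg=audit(02/14/2018 04:40:25.373:239) : arch=x86_64 syscall=linkat success=no exit=EPERM(Operation not permitted) items=2 pid=607 comm=ln exe=/usr/bin/ln key=(null)",
    "type=ANOM_LINK msg=audit(02/14/2018 04:40:25.373:239) : op=linkat pid=607 comm=ln exe=/usr/bin/ln res=no",
    "type=ANOM_LINK msg=audit(02/14/2018 04:41:00.100:240) : op=follow_link pid=610 comm=cat exe=/usr/bin/cat res=no",
    "type=SYSCALL msg=audit(02/14/2018 04:41:05.200:241) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) items=2 pid=611 comm=cat exe=/usr/bin/cat key=(null)",
    "type=PATH msg=audit(02/14/2018 04:41:05.200:241) : item=0 name=/tmp/my-passwd mode=link,777 nametype=NORMAL",
    "type=PATH msg=audit(02/14/2018 04:41:05.200:241) : item=0 name=/tmp/my-passwd mode=link,777 nametype=NORMAL",
    "type=ANOM_LINK msg=audit(02/14/2018 04:41:05.200:241) : op=follow_link pid=611 comm=cat exe=/usr/bin/cat res=no",
]

if __name__ == "__main__":
    for serial, findings in audit_findings(SAMPLE_LOG).items():
        print(serial, "OK" if not findings else "; ".join(findings))
```

On a real system, feed it `ausearch -i -m ANOM_LINK,SYSCALL,PATH,CWD,PROCTITLE` output; the same serial is what ties the auxiliary records to the ANOM_LINK record, and an event whose serial carries only the ANOM_LINK record is exactly the disjoint case the patchset makes obey `audit_enabled` and `audit_dummy_context`.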