From: Richard Guy Briggs
To: Linux-Audit Mailing List, LKML
Cc: Eric Paris, Paul Moore, Steve Grubb, Kees Cook, Richard Guy Briggs
Subject: [RFC PATCH ghak21 4/4] audit: add parent of refused symlink to audit_names
Date: Wed, 14 Feb 2018 11:18:24 -0500
Message-Id: <1c5184985e422774329484153b0147c2861e91a7.1518603831.git.rgb@redhat.com>

Audit link denied events for symlinks were missing the parent PATH record. Add it. Since the full pathname may not be available, reconstruct it from the path in the nameidata supplied.

See: https://github.com/linux-audit/audit-kernel/issues/21

Signed-off-by: Richard Guy Briggs

--- fs/namei.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/fs/namei.c b/fs/namei.c index 0edf133..bf1c046b 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -923,6 +923,7 @@ static inline int may_follow_link(struct nameidata *nd) const struct inode *inode; const struct inode *parent; kuid_t puid; + char *pathname; if (!sysctl_protected_symlinks) return 0; 
@@ -945,6 +946,14 @@ static inline int may_follow_link(struct nameidata *nd) if (nd->flags & LOOKUP_RCU) return -ECHILD; + pathname = kmalloc(PATH_MAX + 1, GFP_KERNEL); + if (!pathname) + return -ENOMEM; + audit_inode(getname_kernel(d_absolute_path(&nd->stack[0].link, pathname, + PATH_MAX + 1)), + nd->stack[0].link.dentry, 0); + audit_inode(nd->name, nd->stack[0].link.dentry->d_parent, LOOKUP_PARENT); + audit_inode(nd->name, nd->stack[0].link.dentry, 0); audit_log_link_denied("follow_link", &nd->stack[0].link); return -EACCES; -- 1.8.3.1
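
Review bot: In the second hunk (`@@ -945,6 +946,14 @@`), the `pathname` buffer from `kmalloc(PATH_MAX + 1, GFP_KERNEL)` is never freed before `return -EACCES`, and the `struct filename` returned by `getname_kernel()` is never released with `putname()`, so each refused symlink follow leaks both; add the matching `kfree(pathname)` and `putname()` after the `audit_inode()` calls. The result of `d_absolute_path()` is passed straight into `getname_kernel()` and that result straight into `audit_inode()`, but both can return an ERR_PTR, so each needs an `IS_ERR()` check before use. The new `return -ENOMEM` also exits before `audit_log_link_denied("follow_link", ...)`, which means an allocation failure suppresses the denial record and changes the caller-visible error from -EACCES; it would be safer to skip only the extra PATH records in that case and still log the denial and return -EACCES. Finally, `nd->stack[0].link.dentry` is handed to `audit_inode()` twice, once with the reconstructed name and once with `nd->name`; please say in the commit message or a comment which of the two PATH records is intended, or drop the duplicate.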