From: Kees Cook
Date: Wed, 14 Feb 2018 22:16:52 -0800
Subject: Re: [RFC PATCH ghak21 1/4] audit: make ANOM_LINK obey audit_enabled and audit_dummy_context
To: Richard Guy Briggs
Cc: Linux-Audit Mailing List, LKML, Eric Paris, Paul Moore, Steve Grubb

On Wed, Feb 14, 2018 at 6:33 PM, Richard Guy Briggs wrote:
> On 2018-02-14 09:51, Kees Cook wrote:
>> On Wed, Feb 14, 2018 at 8:18 AM, Richard Guy Briggs wrote:
>> > Audit link denied events emit disjointed records when audit is disabled.
>> > No records should be emitted when audit is disabled.
>> >
>> > See: https://github.com/linux-audit/audit-kernel/issues/21
>> > Signed-off-by: Richard Guy Briggs
>> > ---
>> > kernel/audit.c | 3 +++
>> > 1 file changed, 3 insertions(+)
>> >
>> > diff --git a/kernel/audit.c b/kernel/audit.c >> > index 227db99..4c3fd24 100644 >> > --- a/kernel/audit.c >> > +++ b/kernel/audit.c
>> > @@ -2261,6 +2261,9 @@ void audit_log_link_denied(const char *operation, const struct path *link) >> > struct audit_buffer *ab; >> > struct audit_names *name; >> > >> > + if (!audit_enabled || audit_dummy_context()) >> > + return; >> > + >> > name = kzalloc(sizeof(*name), GFP_NOFS); >> > if (!name) >> > return;
>>
>> Doesn't this mean errors here would be silent if audit isn't enabled?
>> I don't that; sysadmins should see this notification regardless of the
>> audit state...
>
> This is a user error and not a system error, so I would think if system
> auditing is disabled, they don't care about this kind of error.

It could indicate an attack attempt...

-Kees

>
> Steve?
>
>> -Kees
>
> - RGB
>
> --
> Richard Guy Briggs
> Sr. S/W Engineer, Kernel Security, Base Operating Systems
> Remote, Ottawa, Red Hat Canada
> IRC: rgb, SunRaycer
> Voice: +1.647.777.2635, Internal: (81) 32635

--
Kees Cook
Pixel Security
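
Review bot: The early return added at the top of audit_log_link_denied(), `if (!audit_enabled || audit_dummy_context()) return;`, drops the link-denied event with no trace and no comment explaining why, and the commit message justifies only the audit-disabled case, not the audit_dummy_context() one. Add a comment above the check stating that suppression is intentional for both conditions, and say in the commit message why a task with a dummy context should also produce no record. If the denial is meant to stay visible to administrators when audit is off, as the reply in this thread argues, that notification needs a path that does not depend on this function, since nothing below the check runs once it returns.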