From: Paul Moore
Date: Thu, 15 Feb 2018 17:51:34 -0500
Subject: Re: [RFC PATCH ghak21 1/4] audit: make ANOM_LINK obey audit_enabled and audit_dummy_context
To: Kees Cook
Cc: Richard Guy Briggs, Linux-Audit Mailing List, LKML, Eric Paris, Steve Grubb
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Feb 15, 2018 at 1:16 AM, Kees Cook wrote:
> On Wed, Feb 14, 2018 at 6:33 PM, Richard Guy Briggs wrote:
>> On 2018-02-14 09:51, Kees Cook wrote:
>>> On Wed, Feb 14, 2018 at 8:18 AM, Richard Guy Briggs wrote:
>>> > Audit link denied events emit disjointed records when audit is disabled.
>>> > No records should be emitted when audit is disabled.
>>> >
>>> > See: https://github.com/linux-audit/audit-kernel/issues/21
>>> > Signed-off-by: Richard Guy Briggs
>>> > ---
>>> > kernel/audit.c | 3 +++
>>> > 1 file changed, 3 insertions(+)
>>> >
>>> > diff --git a/kernel/audit.c b/kernel/audit.c
>>> > index 227db99..4c3fd24 100644
>>> > --- a/kernel/audit.c
>>> > +++ b/kernel/audit.c
>>> > @@ -2261,6 +2261,9 @@ void audit_log_link_denied(const char *operation, const struct path *link)
>>> > struct audit_buffer *ab;
>>> > struct audit_names *name;
>>> >
>>> > + if (!audit_enabled || audit_dummy_context())
>>> > + return;
>>> > +
>>> > name = kzalloc(sizeof(*name), GFP_NOFS);
>>> > if (!name)
>>> > return;
>>>
>>> Doesn't this mean errors here would be silent if audit isn't enabled?
>>> I don't that; sysadmins should see this notification regardless of the
>>> audit state...
>>
>> This is a user error and not a system error, so I would think if system
>> auditing is disabled, they don't care about this kind of error.
>
> It could indicate an attack attempt...

We get beat up by several folks when we emit audit records with audit
disabled, and they have a very valid point. I'm not arguing that the
information isn't useful, I'm arguing that if you are interested in
the sort of information that audit provides you should enable audit.
:)

--
paul moore
www.paul-moore.com
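
Review bot: the new early return at the top of audit_log_link_denied() also triggers on audit_dummy_context(), but the commit message body only justifies the audit-disabled case ("No records should be emitted when audit is disabled"). A sentence in the changelog, or a short comment above the check, should say why a dummy context drops the record as well. Because the return sits before the kzalloc() and any logging, a link denial leaves no trace at all from this function in either case, which is the concern raised in the reply; the changelog should state that this silence is intended so the behaviour change is on record.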