Received: by 10.223.185.116 with SMTP id b49csp991439wrg;
        Fri, 16 Feb 2018 10:25:38 -0800 (PST)
X-Google-Smtp-Source: AH8x224mlGKQnO86zmlGZIgdRqgG2Xay5gf8Z+OOBbyoiA5L+Tp16QLlKKo3yvijByoOeMUbOe0J
X-Received: by 10.101.89.74 with SMTP id g10mr5818930pgu.415.1518805537909;
        Fri, 16 Feb 2018 10:25:37 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1518805537; cv=none;
        d=google.com; s=arc-20160816;
        b=QijehGLDz29O0/0yEaU5ibXMr6Z0EmS05XYqD7A7ZYvQSHJV+UU04KU9b86N6TlE1j
         Lo6Qu4iPCtvXk3d4LVDINpSXwp4IDGamhx1ehXX4BFWEZJu+Mzu8EEjrOEN4ES65FCxJ
         zSqbZhjysFwCdTFPK8+VBPSC8HBo5Ty67tl9Wq0BKMzhmYZAWrcr9An6mgntTf6zV1R8
         2xgceC0mbiQqmxKQPESX+hpNfJlnwxiKYCsoSROZC8Aas38EprudTczOL1Kv4IDxjlLk
         XixdRddq2l0P1X1OsBfDumNzE++ppfrtys8C5cnEvFy+Nxg9A88poJkAkNoVPs2tJATJ
         8XcA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature
         :arc-authentication-results;
        bh=KofsPYuxfQWxYqhiRa40MLJQq9V3hRQL8LxQB3wKT3U=;
        b=Tbe1+9a1UfrXh0zxC5ebjt8xZf3ZPTx0KtKZbfcXKbFBMl8G+y3LPLMAf9WG9Xzp7+
         hUWI2g3LfIcEqAaH77q7pPRql66NtG+W6sw5SVyJ2XKaSBUVYhvKq/hbvIgV63L5rkOS
         AfLk/ggqFOsNW+9nnML6iNiTM7vnxCzGtSMkBgvaSMPGBMEPQhJW1EBTjgd+Y8gYTqEa
         8Wcw2QZHDEGqMIZX3GpaxRTr4HGL8WmLiDo1ZjrF1XEEsJN6vFeTb5lc2IDn13BqWHoE
         MS6blQVoPnNBTayztcpuAnL0uaOyT0GhY1LWw9GT+0lmV+JAyUyEVkmmUSvLGW1l9d3q
         1Cvg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=UEbN+U6o;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id e92-v6si20776plb.82.2018.02.16.10.25.22;
        Fri, 16 Feb 2018 10:25:37 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=UEbN+U6o;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1165164AbeBOXeh (ORCPT <rfc822;kkdevenda@gmail.com> + 99 others);
        Thu, 15 Feb 2018 18:34:37 -0500
Received: from mail-lf0-f68.google.com ([209.85.215.68]:41089 "EHLO
        mail-lf0-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1163785AbeBOXef (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 15 Feb 2018 18:34:35 -0500
Received: by mail-lf0-f68.google.com with SMTP id f136so1834302lff.8
        for <linux-kernel@vger.kernel.org>; Thu, 15 Feb 2018 15:34:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=paul-moore-com.20150623.gappssmtp.com; s=20150623;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc;
        bh=KofsPYuxfQWxYqhiRa40MLJQq9V3hRQL8LxQB3wKT3U=;
        b=UEbN+U6oLwly720cXaTJwWytZAf4Gfu+dvroKl0LpwznMrvPSkEuMCcfk5ZO7vc10D
         oj1MB+iAEQRlVKkS30FYpGiP9DYvJYPr/YE16rJiSv3uPdgVZmELfAdsD5WanIEPs917
         JNYwsXEsTFJuzGwiny8V5/ZKwUSLCvOHITQbqo/Wk1d8TI0TKqUv9OSrbmfvPfDfMG/M
         nXhw24m4/xot6pPFtEoyDJD0fl9rDpnF0jZj1OvOVjd72i9kylhiTcLRzVI3/7CBymuk
         HTsoZo4CuqsCWSNBLTRf5h9ZjbrUn6m4me2gU6dcRcF5wkaNeLEaMSVh5otm9DGQBAo8
         s83A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc;
        bh=KofsPYuxfQWxYqhiRa40MLJQq9V3hRQL8LxQB3wKT3U=;
        b=HEnyVS+5BqG2s+Vdf8UAN3T6FPzQyTMdr3q0g03dOqAR+qINT1PAw7qX7OJ1nMNTLh
         YQHhj2e55k0moGW7+excrv6Lwn2vCjIMA3sDflZHF9MTAyMVry2Z6aU8+oh1ChkVFos8
         qny3ke3AA+HxapaNpCxlshR+nKibe1F+v/4+/pqQy1DZKhiEj8HmvT5gpUfPTAKkXct7
         1Bdxgvcx5E/8/yJ7Jq/SabaPHZvNWrN5nhoD7PbihgASotFp9wZkBUJxg8CeL7q16/RP
         qDXYfYXnBeyfhPcFxucoSwLFJ8JhIWCB8FkNB7FOHHxqi70GfgAV2WXEZA/8hKkBcj8F
         hV/Q==
X-Gm-Message-State: APf1xPBf0ksb/KMtL09EzK4gN9zb1Qw6xEpQ378imPXgaCVurfI5BLw/
        BJgAWH5K8w+K6LP2wS9PJyJ7HMAYEZQc9i54Ueff
X-Received: by 10.46.67.26 with SMTP id q26mr2300621lja.131.1518737673994;
 Thu, 15 Feb 2018 15:34:33 -0800 (PST)
MIME-Version: 1.0
Received: by 10.25.216.145 with HTTP; Thu, 15 Feb 2018 15:34:33 -0800 (PST)
X-Originating-IP: [108.20.156.165]
In-Reply-To: <1c5184985e422774329484153b0147c2861e91a7.1518603831.git.rgb@redhat.com>
References: <cover.1518603831.git.rgb@redhat.com> <1c5184985e422774329484153b0147c2861e91a7.1518603831.git.rgb@redhat.com>
From:   Paul Moore <paul@paul-moore.com>
Date:   Thu, 15 Feb 2018 18:34:33 -0500
Message-ID: <CAHC9VhR3u0n9ZSLHYcf0aJR=X=PLkSFPnYffz+=5v669QyasHg@mail.gmail.com>
Subject: Re: [RFC PATCH ghak21 4/4] audit: add parent of refused symlink to audit_names
To:     Richard Guy Briggs <rgb@redhat.com>
Cc:     Linux-Audit Mailing List <linux-audit@redhat.com>,
        LKML <linux-kernel@vger.kernel.org>,
        Eric Paris <eparis@redhat.com>,
        Steve Grubb <sgrubb@redhat.com>,
        Kees Cook <keescook@chromium.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Feb 14, 2018 at 11:18 AM, Richard Guy Briggs <rgb@redhat.com> wrote:
> Audit link denied events for symlinks were missing the parent PATH
> record.  Add it.  Since the full pathname may not be available,
> reconstruct it from the path in the nameidata supplied.
>
> See: https://github.com/linux-audit/audit-kernel/issues/21
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> ---
>  fs/namei.c | 9 +++++++++
>  1 file changed, 9 insertions(+)
>
> diff --git a/fs/namei.c b/fs/namei.c
> index 0edf133..bf1c046b 100644
> --- a/fs/namei.c
> +++ b/fs/namei.c
> @@ -923,6 +923,7 @@ static inline int may_follow_link(struct nameidata *nd)
>         const struct inode *inode;
>         const struct inode *parent;
>         kuid_t puid;
> +       char *pathname;
>
>         if (!sysctl_protected_symlinks)
>                 return 0;
> @@ -945,6 +946,14 @@ static inline int may_follow_link(struct nameidata *nd)
>         if (nd->flags & LOOKUP_RCU)
>                 return -ECHILD;
>
> +       pathname = kmalloc(PATH_MAX + 1, GFP_KERNEL);
> +       if (!pathname)
> +               return -ENOMEM;
> +       audit_inode(getname_kernel(d_absolute_path(&nd->stack[0].link, pathname,
> +                                                  PATH_MAX + 1)),
> +                   nd->stack[0].link.dentry, 0);

Hmm, it's been a while since I've looked at the audit vfs/inode code,
but isn't the audit_inode() call directly above effectively a
duplicate of the audit_inode(nd->name, nd->stack[0].link.dentry, 0)
call you added in patch 3/4?

> +       audit_inode(nd->name, nd->stack[0].link.dentry->d_parent, LOOKUP_PARENT);
> +
>         audit_inode(nd->name, nd->stack[0].link.dentry, 0);
>         audit_log_link_denied("follow_link", &nd->stack[0].link);
>         return -EACCES;
> --
> 1.8.3.1

-- 
paul moore
www.paul-moore.com