In-Reply-To: <1c5184985e422774329484153b0147c2861e91a7.1518603831.git.rgb@redhat.com>
From: Paul Moore
Date: Thu, 15 Feb 2018 18:34:33 -0500
Subject: Re: [RFC PATCH ghak21 4/4] audit: add parent of refused symlink to audit_names
To: Richard Guy Briggs
Cc: Linux-Audit Mailing List, LKML, Eric Paris, Steve Grubb, Kees Cook

On Wed, Feb 14, 2018 at 11:18 AM, Richard Guy Briggs wrote:
> Audit link denied events for symlinks were missing the parent PATH
> record. Add it. Since the full pathname may not be available,
> reconstruct it from the path in the nameidata supplied.
>
> See: https://github.com/linux-audit/audit-kernel/issues/21
> Signed-off-by: Richard Guy Briggs
> --- > fs/namei.c | 9 +++++++++ > 1 file changed, 9 insertions(+) > > diff --git a/fs/namei.c b/fs/namei.c > index 0edf133..bf1c046b 100644 > --- a/fs/namei.c > +++ b/fs/namei.c > @@ -923,6 +923,7 @@ static inline int may_follow_link(struct nameidata *nd) > const struct inode *inode; > const struct inode *parent; > kuid_t puid; > + char *pathname; > > if (!sysctl_protected_symlinks) > return 0; 
> @@ -945,6 +946,14 @@ static inline int may_follow_link(struct nameidata *nd) > if (nd->flags & LOOKUP_RCU) > return -ECHILD; > > + pathname = kmalloc(PATH_MAX + 1, GFP_KERNEL); > + if (!pathname) > + return -ENOMEM; > + audit_inode(getname_kernel(d_absolute_path(&nd->stack[0].link, pathname, > + PATH_MAX + 1)), > + nd->stack[0].link.dentry, 0);

Hmm, it's been a while since I've looked at the audit vfs/inode code, but isn't the audit_inode() call directly above effectively a duplicate of the audit_inode(nd->name, nd->stack[0].link.dentry, 0) call you added in patch 3/4?

> + audit_inode(nd->name, nd->stack[0].link.dentry->d_parent, LOOKUP_PARENT); > + > audit_inode(nd->name, nd->stack[0].link.dentry, 0); > audit_log_link_denied("follow_link", &nd->stack[0].link); > return -EACCES; > -- > 1.8.3.1

-- 
paul moore
www.paul-moore.com
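
Review bot: the buffer from kmalloc(PATH_MAX + 1, GFP_KERNEL) in the second hunk (@@ -945,6 +946,14 @@) is never freed: the visible lines run straight on to return -EACCES with no kfree(pathname), so each refused symlink follow leaks the buffer. The same statement passes the result of d_absolute_path() directly into getname_kernel(), and that result directly into audit_inode(), with no IS_ERR() check at either step, and the struct filename returned by getname_kernel() is never released with putname(). Suggest holding both results in locals, checking each for an error pointer before use, and calling putname() and kfree(pathname) before the return. The early return -ENOMEM also replaces the -EACCES denial and skips audit_log_link_denied(), so an allocation failure would suppress the audit record for the refused link; falling through to the existing audit and -EACCES path without the extra PATH record would keep the denial logged.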