Received: by 10.223.185.116 with SMTP id b49csp1046158wrg; Fri, 16 Feb 2018 11:25:01 -0800 (PST) X-Google-Smtp-Source: AH8x226Akdsf1+23XESXxf1Y4bGujgqwOVTj07SHjmB/RfmTbv4zfH/hxXIsS/g7OiZV1H5ekZas X-Received: by 10.101.78.1 with SMTP id r1mr6022660pgt.322.1518809101303; Fri, 16 Feb 2018 11:25:01 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1518809101; cv=none; d=google.com; s=arc-20160816; b=VatlVsRK5hLQvOmBmlm+ykYzzhNTXLPLTFVN0nsEE+63ennDCMP7+NjcdOAzl/CywR 4HObytkPUq0exiFIyqm+H4ZswfYHw+h/6Smq6MrGEv1YCRBaeiwfeI8Hhw21y53lWm7c ai2wMxVCTZKtHy3zD/v/7rY5OY5DpQXN0RPGYFQqN59zvRcuSSD+l/tUMREtgZf5KA// 7rmQpXAAG1ycfLzoZdxLz81nyj215/IiA/h+0fWwmFGPvOFHebZ1jWMOgBPG0Oi9+aRp hVZovSiqUMO20KZ3uceBqf4XlMtUBC83caxjZHE1NMGg9ZQ2cdc0QWOjlqh2IU5o5VKd 9oog== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature :arc-authentication-results; bh=53yHgR8d9GZnQ7ZdRrFd70BwtKDNizG08jQGnXe5BTQ=; b=QfVcHE/civcMSUvrtePklUZ4GNA70a0z5EVWR2/RoG/EKT2MRcBgurnFE9CrHhKuug Eknvdi0ermNAMeGx4BXxRX3ItK78KmzAxi8yjO/CmsRe+aEuS3mc1JePjgU6zwlUcEXJ i64lL2ULttVRHy0f4uiHDg9FDaRGhBz8Sy18WeEI5c6SQPeeBtzeo2lXD/eccRpoVAbG cCzsGBwdj5B1nuRYM4KsAsXFqPQHfK2spZJG2XZk/mjAU9p7frep8Wn3m3VczghBrG1/ Mh6sb/xHmxUZ+aCAb99MoiJ8nRmdfB4OtgXwVT7sc/2RhaHJWrGGiO2zEI/+zfmR/4/I 6+qQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=ST90r4iH; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id k9-v6si641120plt.293.2018.02.16.11.24.47; Fri, 16 Feb 2018 11:25:01 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=ST90r4iH; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752803AbeBPS4d (ORCPT + 99 others); Fri, 16 Feb 2018 13:56:33 -0500 Received: from mail-lf0-f67.google.com ([209.85.215.67]:39870 "EHLO mail-lf0-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750907AbeBPS4a (ORCPT ); Fri, 16 Feb 2018 13:56:30 -0500 Received: by mail-lf0-f67.google.com with SMTP id h78so5354456lfg.6 for ; Fri, 16 Feb 2018 10:56:29 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=53yHgR8d9GZnQ7ZdRrFd70BwtKDNizG08jQGnXe5BTQ=; b=ST90r4iHMgJe7lZDc3eS45yyaCMbpsIgAoqzWgZQTAg8Zv4IiLRWm7tf+khQPh9OO2 BJzTdsIt8F9aB1h7gysoQGqfY0YkO1hs9spzV9c2NsK3m6KhOSWgfRO3J/qOpNS4sfij b9IuFYSB0bsqpgiWmjxH8ytnpbQUmAqDckdmiTTxyTorxHoqWni6QaAH7lcFzxRrbzIK s12rN0RoI9/6w3JrzqokW4zqSj9mwz1WP2nGmsVI3Ws4AKrfw/P5V2UInCK5/JzxGZ+g AH7RB6fEHRenlkFlG3o/d+zKuysfYmrW0B+jAUJud+p0QZTmkiF3Mg6svu5W8GkR+Per QxKQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=53yHgR8d9GZnQ7ZdRrFd70BwtKDNizG08jQGnXe5BTQ=; b=DUltXdBTdveK85TZK6XxWJls5lyUqkEOlzR9/h3Ej7Bcgkc+D+KFKBZCx1VdGKxr4Z MJ7ZruTrHkNRDGOpVa7m0dA3jQJDhfovdnNjoFJ1xKI7Q//QOmeEgY9OzSg0BRUGLnes MhXwDr6HfiNGQTz2Mxe1c4ExVNbSWQA9L7eD/YxhLx2R41vvDLc9BgxfFXuPuyt/Wmp6 MXdqSF99wgtZdZ+6ZrarVu4aHxVlgaI/+HGGV+3DpFQ6IUoK0sLEJjYum/Ii5E3nWzB2 zAfTVglcCeeGAMpZq5hhr50BAa15eQFqebnYkwF+aZUtLM8q5TDoeuot1Tw9U+epWxaw qs7g== X-Gm-Message-State: APf1xPCVyMso8NLBWJSG2czskLGhfdYAoHs752GvaAoVKorY3Phmdyct T7jrnwMavAV8LKeXYoZb/KgRQMEqixhfgCUR7WmW X-Received: by 10.25.204.78 with SMTP id c75mr4837909lfg.39.1518807388937; Fri, 16 Feb 2018 10:56:28 -0800 (PST) MIME-Version: 1.0 Received: by 10.25.216.145 with HTTP; Fri, 16 Feb 2018 10:56:28 -0800 (PST) X-Originating-IP: [70.88.214.193] In-Reply-To: <20180216025922.fmqxidvwk7qpq6gv@madcap2.tricolour.ca> References: <1c5184985e422774329484153b0147c2861e91a7.1518603831.git.rgb@redhat.com> <20180216025922.fmqxidvwk7qpq6gv@madcap2.tricolour.ca> From: Paul Moore Date: Fri, 16 Feb 2018 13:56:28 -0500 Message-ID: Subject: Re: [RFC PATCH ghak21 4/4] audit: add parent of refused symlink to audit_names To: Richard Guy Briggs Cc: Linux-Audit Mailing List , LKML Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Feb 15, 2018 at 9:59 PM, Richard Guy Briggs wrote: > On 2018-02-15 18:34, Paul Moore wrote: >> On Wed, Feb 14, 2018 at 11:18 AM, Richard Guy Briggs wrote: >> > Audit link denied events for symlinks were missing the parent PATH >> > record. Add it. Since the full pathname may not be available, >> > reconstruct it from the path in the nameidata supplied. >> > >> > See: https://github.com/linux-audit/audit-kernel/issues/21 >> > Signed-off-by: Richard Guy Briggs >> > --- >> > fs/namei.c | 9 +++++++++ >> > 1 file changed, 9 insertions(+) >> > >> > diff --git a/fs/namei.c b/fs/namei.c >> > index 0edf133..bf1c046b 100644 >> > --- a/fs/namei.c >> > +++ b/fs/namei.c >> > @@ -923,6 +923,7 @@ static inline int may_follow_link(struct nameidata *nd) >> > const struct inode *inode; >> > const struct inode *parent; >> > kuid_t puid; >> > + char *pathname; >> > >> > if (!sysctl_protected_symlinks) >> > return 0; >> > @@ -945,6 +946,14 @@ static inline int may_follow_link(struct nameidata *nd) >> > if (nd->flags & LOOKUP_RCU) >> > return -ECHILD; >> > >> > + pathname = kmalloc(PATH_MAX + 1, GFP_KERNEL); >> > + if (!pathname) >> > + return -ENOMEM; >> > + audit_inode(getname_kernel(d_absolute_path(&nd->stack[0].link, pathname, >> > + PATH_MAX + 1)), >> > + nd->stack[0].link.dentry, 0); >> >> Hmm, it's been a while since I've looked at the audit vfs/inode code, >> but isn't the audit_inode() call directly above effectively a >> duplicate of the audit_inode(nd->name, nd->stack[0].link.dentry, 0) >> call you added in patch 3/4? > > It gets the full pathname string of the link, then converts it to a > struct filename*, and then below, we feed it that struct filename* with > the parent's dentry and the LOOKUP_PARENT flag to drop the last part of > the pathname and set the filetype to PARENT. I think that last bit is what I was forgetting, thanks. > I didn't try, it, but I expect if I feed it parent's dentry above, I'd > get only the parent pathname and when I feed it to audit_inode() below > it would again drop the last part of the pathname when the LOOKUP_PARENT > flag is included, or not label it as a filetype PARENT if we don't > include the flag to get the full parent pathname. > >> > + audit_inode(nd->name, nd->stack[0].link.dentry->d_parent, LOOKUP_PARENT); >> > + >> > audit_inode(nd->name, nd->stack[0].link.dentry, 0); >> > audit_log_link_denied("follow_link", &nd->stack[0].link); >> > return -EACCES; >> > -- >> > 1.8.3.1 -- paul moore www.paul-moore.com