From: Paul Moore
Date: Thu, 8 Mar 2018 19:23:33 -0500
Subject: Re: [RFC PATCH ghak21 1/4] audit: make ANOM_LINK obey audit_enabled and audit_dummy_context
To: Richard Guy Briggs
Cc: Linux-Audit Mailing List, LKML, Eric Paris, Steve Grubb, Kees Cook
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Feb 15, 2018 at 5:51 PM, Paul Moore wrote:
> On Thu, Feb 15, 2018 at 1:16 AM, Kees Cook wrote:
>> On Wed, Feb 14, 2018 at 6:33 PM, Richard Guy Briggs wrote:
>>> On 2018-02-14 09:51, Kees Cook wrote:
>>>> On Wed, Feb 14, 2018 at 8:18 AM, Richard Guy Briggs wrote:
>>>> > Audit link denied events emit disjointed records when audit is disabled.
>>>> > No records should be emitted when audit is disabled.
>>>> >
>>>> > See: https://github.com/linux-audit/audit-kernel/issues/21
>>>> > Signed-off-by: Richard Guy Briggs
>>>> > --- >>>> > kernel/audit.c | 3 +++ >>>> > 1 file changed, 3 insertions(+) >>>> > >>>> > diff --git a/kernel/audit.c b/kernel/audit.c >>>> > index 227db99..4c3fd24 100644 >>>> > --- a/kernel/audit.c >>>> > +++ b/kernel/audit.c
>>>> > @@ -2261,6 +2261,9 @@ void audit_log_link_denied(const char *operation, const struct path *link) >>>> > struct audit_buffer *ab; >>>> > struct audit_names *name; >>>> > >>>> > + if (!audit_enabled || audit_dummy_context()) >>>> > + return; >>>> > + >>>> > name = kzalloc(sizeof(*name), GFP_NOFS); >>>> > if (!name) >>>> > return;
>>>>
>>>> Doesn't this mean errors here would be silent if audit isn't enabled?
>>>> I don't that; sysadmins should see this notification regardless of the
>>>> audit state...
>>>
>>> This is a user error and not a system error, so I would think if system
>>> auditing is disabled, they don't care about this kind of error.
>>
>> It could indicate an attack attempt...
>
> We get beat up by several folks when we emit audit records with audit
> disabled, and they have a very valid point.
>
> I'm not arguing that the information isn't useful, I'm arguing that if
> you are interested in the sort of information that audit provides you
> should enable audit. :)

FYI, merged into audit/next.

--
paul moore
www.paul-moore.com
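
Review bot: the early return added at the top of audit_log_link_denied() tests two conditions, but the commit message only justifies one of them ("No records should be emitted when audit is disabled"). Please explain, in the changelog or in a comment above `if (!audit_enabled || audit_dummy_context())`, why a dummy context should also suppress the record, because that half of the condition drops the link-denied event even while audit is enabled, which is the case the replies worry about when they mention losing a possible attack indicator. Placing the check before the kzalloc() is right, since nothing needs freeing on that path.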