Received: by 10.223.185.116 with SMTP id b49csp233407wrg;
        Thu, 8 Mar 2018 16:24:47 -0800 (PST)
X-Google-Smtp-Source: AG47ELvRmVDerA3yViWpH1S3gyXu4XwdQi2O7ZMCuIhRUoyagY4+7q1aiVWF8z+/lknhCUbzivS9
X-Received: by 2002:a17:902:4601:: with SMTP id o1-v6mr25627554pld.210.1520555087824;
        Thu, 08 Mar 2018 16:24:47 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1520555087; cv=none;
        d=google.com; s=arc-20160816;
        b=qg5wz3mnqnswDo1XOUmr5xwW2TQdHYm/npYL/kCiEoAFLmvjLq/Un88bgQ7wCBhWzA
         aVLxsq+5yHXIy93vwtL9DcnWlIqYctLXtaY2aZD/LfGYDVGBa3m8F04OzpEpOgXL44uu
         jqEgDLkU9YfZouooj+6lOjShhBvoeUVLMQqRo0PCLo8cxdrAYUC9+oFFPAbS6d9GkeYT
         /YGy9+Phczo1iAgU8HdjcH7Ldop+ZUcj4wZ6AgF0NXOX4p+bIHBnbyVLQj/eJYFc1COM
         hJFS+h/wGvJ9ZY+J8mb/XPSqzMosnOCPrM6gzfsZqlzBwVVRRsnaVilJcpqk63hAoH1F
         rMbA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature
         :arc-authentication-results;
        bh=ug6qjczQKBxJbnz5ot8SoHoRo+b6G7r8HnAOi8/U2OY=;
        b=tJgWC8Ux25Zg842Z9I3GWH9ukXhCyYW1u0WT0ATGAFY00jjqM9IKp+NgIniVz7OIRy
         p5ylBjZL2Au3aGk//zs3vxvpHp4bvCAi2FvjnwnG3fv6n5x00NxAJnx4M2GmKysl0iyg
         ffR57fWFb/Fzuj1Y89rp6+7Id5lTsPaJEhc2SfEzGaFDcn67vnDNLJotk2QigYdS6ZGD
         jus+VYmcTrY4HnBA+Js1NwP6+73aMUU5trJjnVHI3usf/9cOX3r5hP0LStRSz7gmI6Lm
         Hb5R21yJbKjq2HyLAdkj0EMRBo4KtAWD2gCZDkcbSTAE3NZ6BNfhoVeqGSYD56dQI1WP
         XIwQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=SnGJtYDz;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id e92-v6si15578166plb.82.2018.03.08.16.24.32;
        Thu, 08 Mar 2018 16:24:47 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=SnGJtYDz;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751167AbeCIAXi (ORCPT <rfc822;arandomawesomegeek@gmail.com>
        + 99 others); Thu, 8 Mar 2018 19:23:38 -0500
Received: from mail-lf0-f67.google.com ([209.85.215.67]:33286 "EHLO
        mail-lf0-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1750859AbeCIAXh (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 8 Mar 2018 19:23:37 -0500
Received: by mail-lf0-f67.google.com with SMTP id o145-v6so10913673lff.0
        for <linux-kernel@vger.kernel.org>; Thu, 08 Mar 2018 16:23:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=paul-moore-com.20150623.gappssmtp.com; s=20150623;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc;
        bh=ug6qjczQKBxJbnz5ot8SoHoRo+b6G7r8HnAOi8/U2OY=;
        b=SnGJtYDzNVtDXMSCM5RGH3BtHeUAKCuQa7FZa3rSmvBGmBvHzOhauY/BbuEL1DDog5
         nK4oKuGap7+fZUcuXieoNEKHcffm9wHG2XdCn4boL28VMSU0Zg1/mJtmDMY1w3cLN/B+
         BUnvXrzHt9PJu25ilESyCCntQ3r5N7ZxQ2rJBATidJgKbB+G+8j+MxEUHV+0oBUdtImM
         LJI0MKT4MrNeaRsnFWb1z07f7BGZAZPp6te0tyrdYjKQt5pL/VctCAu1KwkCROmfgYVu
         gNWTxk8ZQbI4mwF94njy3EfV4chYiOwI9QkAqOst0L8FDYEAKZ3t/A54jgujY3D6mUgs
         fLZQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc;
        bh=ug6qjczQKBxJbnz5ot8SoHoRo+b6G7r8HnAOi8/U2OY=;
        b=M9TeH9JH7+tTdppftT7NA3x4l1pFF57H2AX5LlFctMg3sCImSDx9lbyoV2VndLhWQi
         yfXJ1y81jYFwN3U1SUxVPRXzhpgk9c5cOGzyeYXo0AX0Pk4nxboutNQYOYjDINYVrydA
         QM8g5kPDQdMpGkXdlLBuVEW1CZ2lhWfvFQoMFwoDT2PJvk895xZk+x059muyE9BJHUaY
         F1ho2ppm1CakHDQQzQMlIJnN8f9eBmpdgZ1i9+TKl3991+dU0q7vdmSVf5fAd3GtHCcL
         pxztE20mCTrrd/EjENWSB3eIXLrqrWvovF47v3ZMQRG9y3gS51dTEdgbZBiNXO3yAhZr
         tEJg==
X-Gm-Message-State: AElRT7GkEqWeLkJK1Yn1qqTzd2exm4xNQG/QAHLc9klFAmRME3i108KD
        cqUPN/41gzI2KZVSKKbe8Vw3nDpSO+blLP0fFwGd
X-Received: by 10.25.193.78 with SMTP id r75mr19081068lff.124.1520555014472;
 Thu, 08 Mar 2018 16:23:34 -0800 (PST)
MIME-Version: 1.0
Received: by 10.25.216.167 with HTTP; Thu, 8 Mar 2018 16:23:33 -0800 (PST)
X-Originating-IP: [108.20.156.165]
In-Reply-To: <CAHC9VhRiS9rb44m7dTDWU_p4Bo=SM_kSF9bvJw39Wee20zei6w@mail.gmail.com>
References: <cover.1518603831.git.rgb@redhat.com> <3a9542b261d93bc4eaecfaf359affbba152cf965.1518603831.git.rgb@redhat.com>
 <CAGXu5jKtEv-W3R-uakY9S9=OFmjY3ZqxQJFa3YxGd4RWyUEGgQ@mail.gmail.com>
 <20180215023327.tt2s2pbcrblz5a7u@madcap2.tricolour.ca> <CAGXu5jLTEa7sPxOnrWj8SNi-crEPQpTBXtdqdfppOE_vf9GriQ@mail.gmail.com>
 <CAHC9VhRiS9rb44m7dTDWU_p4Bo=SM_kSF9bvJw39Wee20zei6w@mail.gmail.com>
From:   Paul Moore <paul@paul-moore.com>
Date:   Thu, 8 Mar 2018 19:23:33 -0500
Message-ID: <CAHC9VhR5=qXw0qogQrk+7z7mZgiBOZG64gxSZ6cyRY8exZqvDw@mail.gmail.com>
Subject: Re: [RFC PATCH ghak21 1/4] audit: make ANOM_LINK obey audit_enabled
 and audit_dummy_context
To:     Richard Guy Briggs <rgb@redhat.com>
Cc:     Linux-Audit Mailing List <linux-audit@redhat.com>,
        LKML <linux-kernel@vger.kernel.org>,
        Eric Paris <eparis@redhat.com>,
        Steve Grubb <sgrubb@redhat.com>,
        Kees Cook <keescook@chromium.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Feb 15, 2018 at 5:51 PM, Paul Moore <paul@paul-moore.com> wrote:
> On Thu, Feb 15, 2018 at 1:16 AM, Kees Cook <keescook@chromium.org> wrote:
>> On Wed, Feb 14, 2018 at 6:33 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
>>> On 2018-02-14 09:51, Kees Cook wrote:
>>>> On Wed, Feb 14, 2018 at 8:18 AM, Richard Guy Briggs <rgb@redhat.com> wrote:
>>>> > Audit link denied events emit disjointed records when audit is disabled.
>>>> > No records should be emitted when audit is disabled.
>>>> >
>>>> > See: https://github.com/linux-audit/audit-kernel/issues/21
>>>> > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
>>>> > ---
>>>> >  kernel/audit.c | 3 +++
>>>> >  1 file changed, 3 insertions(+)
>>>> >
>>>> > diff --git a/kernel/audit.c b/kernel/audit.c
>>>> > index 227db99..4c3fd24 100644
>>>> > --- a/kernel/audit.c
>>>> > +++ b/kernel/audit.c
>>>> > @@ -2261,6 +2261,9 @@ void audit_log_link_denied(const char *operation, const struct path *link)
>>>> >         struct audit_buffer *ab;
>>>> >         struct audit_names *name;
>>>> >
>>>> > +       if (!audit_enabled || audit_dummy_context())
>>>> > +               return;
>>>> > +
>>>> >         name = kzalloc(sizeof(*name), GFP_NOFS);
>>>> >         if (!name)
>>>> >                 return;
>>>>
>>>> Doesn't this means errors here would be silent if audit isn't enabled?
>>>> I don't that; sysadmins should see this notification regardless of the
>>>> audit state...
>>>
>>> This is a user error and not a system error, so I would think if system
>>> auditing is disabled, they don't care about this kind of error.
>>
>> It could indicate an attack attempt...
>
> We get beat up by several folks when we emit audit records with audit
> disabled, and they have a very valid point.
>
> I'm not arguing that the information isn't useful, I'm arguing that if
> you are interested in the sort of information that audit provides you
> should enable audit.  :)

FYI, merged into audit/next.

-- 
paul moore
www.paul-moore.com