From: Richard Guy Briggs
To: Linux-Audit Mailing List, LKML
Cc: Eric Paris, Paul Moore, Steve Grubb, Kees Cook, Richard Guy Briggs
Subject: [PATCH ghak21 V2 4/4] audit: add parent of refused symlink to audit_names
Date: Mon, 12 Mar 2018 02:31:20 -0400

Audit link denied events for symlinks were missing the parent PATH record. Add it. Since the full pathname may not be available, reconstruct it from the path in the nameidata supplied.

See: https://github.com/linux-audit/audit-kernel/issues/21

Signed-off-by: Richard Guy Briggs
---
 fs/namei.c            |  2 +-
 include/linux/audit.h |  3 +++
 kernel/audit.c        | 31 +++++++++++++++++++++++++++++++
 3 files changed, 35 insertions(+), 1 deletion(-)

diff --git a/fs/namei.c b/fs/namei.c index 00f5041..2f39617 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -946,7 +946,7 @@ static inline int may_follow_link(struct nameidata *nd) return -ECHILD; audit_inode(nd->name, nd->stack[0].link.dentry, 0); - audit_log_link_denied("follow_link", &nd->stack[0].link); + audit_log_symlink_denied(&nd->stack[0].link); return -EACCES; } diff --git a/include/linux/audit.h b/include/linux/audit.h index 75d5b03..b5808e9 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h
@@ -147,6 +147,7 @@ extern void audit_log_d_path(struct audit_buffer *ab, extern void audit_log_key(struct audit_buffer *ab, char *key); extern void audit_log_link_denied(const char *operation); +extern void audit_log_symlink_denied(const struct path *link); extern void audit_log_lost(const char *message); extern int audit_log_task_context(struct audit_buffer *ab); @@ -195,6 +196,8 @@ static inline void audit_log_key(struct audit_buffer *ab, char *key) { } static inline void audit_log_link_denied(const char *string) { } +static inline void audit_log_symlink_denied(const struct path *link) +{ } static inline int audit_log_task_context(struct audit_buffer *ab) { return 0; diff --git a/kernel/audit.c b/kernel/audit.c index e54deaf..4acf374 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -73,6 +73,7 @@ #include #include #include +#include /* for LOOKUP_PARENT */ #include "audit.h" @@ -2320,6 +2321,36 @@ void audit_log_link_denied(const char *operation) audit_log_end(ab); } +/* + * audit_log_symlink_denied - report a symlink restriction denial + * @link: the path that triggered the restriction + */ +void audit_log_symlink_denied(const struct path *link) +{ + char *pathname; + struct filename *filename; + + if (audit_dummy_context()) + return; + + pathname = kmalloc(PATH_MAX + 1, GFP_KERNEL); + if (!pathname) { + audit_panic("memory allocation error while reporting symlink denied"); + return; + } + filename = getname_kernel(d_absolute_path(link, pathname, PATH_MAX + 1)); + if (IS_ERR(filename)) { + audit_panic("error getting pathname while reporting symlink denied"); + goto out; + } + audit_inode(filename, link->dentry->d_parent, LOOKUP_PARENT); + audit_log_link_denied("follow_link"); + putname(filename); +out: + kfree(pathname); + return; +} + /** * audit_log_end - end one audit record * @ab: the audit_buffer -- 1.8.3.1
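Review bot: in the fs/namei.c hunk, the removed line still passes two arguments, `audit_log_link_denied("follow_link", &nd->stack[0].link);`, while the unchanged context of include/linux/audit.h in this same patch declares `extern void audit_log_link_denied(const char *operation);` with one. If the one-argument form comes from an earlier patch in this series, that patch should have converted this caller as well, otherwise the tree does not build between patches; please confirm the base this was generated against. Two further points on the same hunk: the new call sits after the `return -ECHILD;` bail-out, which matters because the replacement helper allocates with GFP_KERNEL and walks the dentry tree, so a short comment at the call site would keep a future reorder from moving it above that check; and the existing `audit_inode(nd->name, nd->stack[0].link.dentry, 0);` records the link under the name the caller supplied while the parent record built inside the helper is derived from d_absolute_path(), so the two PATH records for one denial are named from different sources (possibly relative versus absolute), which the commit message should say explicitly.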
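Review bot: the new `extern void audit_log_symlink_denied(const struct path *link);` in the first include/linux/audit.h hunk gives no hint that the function may sleep, unlike its neighbour audit_log_link_denied() which only takes a string; since the implementation in this patch does a GFP_KERNEL allocation and calls d_absolute_path() and getname_kernel(), a one-line comment here (or a "may sleep" line in the function's kernel-doc) would stop someone calling it from the RCU-walk path.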
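Review bot: in the second kernel/audit.c hunk, the return value of d_absolute_path() is handed straight to getname_kernel() without an IS_ERR() check. d_absolute_path() returns an ERR_PTR, not NULL, when the buffer is too small or when the path is not reachable from the root of its namespace, and getname_kernel() will dereference that pointer. Split the call and check it first, along the lines of `p = d_absolute_path(link, pathname, PATH_MAX);` then `if (IS_ERR(p)) goto out;` before `filename = getname_kernel(p);`. Smaller points in the same function: PATH_MAX already counts the terminating NUL, so `kmalloc(PATH_MAX + 1, GFP_KERNEL)` can be `kmalloc(PATH_MAX, GFP_KERNEL)`, or better `__getname()`/`__putname()`, which is the usual way to get a path buffer; `link->dentry->d_parent` is read as a raw pointer, which can change under a concurrent rename, so prefer `dget_parent()` and `dput()` around the audit_inode() call; the `return;` immediately before the closing brace is redundant; and the comment block above the function opens with `/*` rather than the `/**` that the adjacent audit_log_end() kernel-doc uses, so it will not be picked up as kernel-doc even though it is written in that format.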