From: Richard Guy Briggs
To: Linux-Audit Mailing List, LKML
Cc: Eric Paris, Paul Moore, Steve Grubb, Kees Cook, Richard Guy Briggs
Subject: [PATCH ghak21 V2 0/4] audit: address ANOM_LINK excess records
Date: Mon, 12 Mar 2018 02:31:16 -0400
X-Mailing-List: linux-kernel@vger.kernel.org

Audit link denied events were being unexpectedly produced in a disjoint way
when audit was disabled, and when they were expected, there were duplicate
PATH records.  This patchset addresses both issues for symlinks and
hardlinks.

This was introduced with
commit b24a30a7305418ff138ff51776fc555ec57c011a ("audit: fix event coverage of AUDIT_ANOM_LINK")
commit a51d9eaa41866ab6b4b6ecad7b621f8b66ece0dc ("fs: add link restriction audit reporting")

Here are the resulting events:

symlink:

type=PROCTITLE msg=audit(03/12/2018 02:21:49.578:310) : proctitle=ls ./my-passwd
type=PATH msg=audit(03/12/2018 02:21:49.578:310) : item=1 name=/tmp/ inode=13529 dev=00:27 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(03/12/2018 02:21:49.578:310) : item=0 name=./my-passwd inode=17090 dev=00:27 mode=link,777 ouid=rgb ogid=rgb rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(03/12/2018 02:21:49.578:310) : cwd=/tmp
type=SYSCALL msg=audit(03/12/2018 02:21:49.578:310) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x7ffd79950dda a1=0x563f658a03c8 a2=0x563f658a03c8 a3=0x79950d00 items=2 ppid=552 pid=629 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=ttyS0 ses=1 comm=ls exe=/usr/bin/ls subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=ANOM_LINK msg=audit(03/12/2018 02:21:49.578:310) : op=follow_link ppid=552 pid=629 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=ttyS0 ses=1 comm=ls exe=/usr/bin/ls subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=no

----

hardlink:

type=PROCTITLE msg=audit(03/12/2018 02:24:39.813:314) : proctitle=ln test test-ln
type=PATH msg=audit(03/12/2018 02:24:39.813:314) : item=1 name=/tmp inode=13529 dev=00:27 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(03/12/2018 02:24:39.813:314) : item=0 name=test inode=18112 dev=00:27 mode=file,700 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(03/12/2018 02:24:39.813:314) : cwd=/tmp
type=SYSCALL msg=audit(03/12/2018 02:24:39.813:314) : arch=x86_64 syscall=linkat success=no exit=EPERM(Operation not permitted) a0=0xffffff9c a1=0x7ffccba77629 a2=0xffffff9c a3=0x7ffccba7762e items=2 ppid=605 pid=638 auid=rgb uid=rgb gid=rgb euid=rgb suid=rgb fsuid=rgb egid=rgb sgid=rgb fsgid=rgb tty=pts0 ses=4 comm=ln exe=/usr/bin/ln subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=ANOM_LINK msg=audit(03/12/2018 02:24:39.813:314) : op=linkat ppid=605 pid=638 auid=rgb uid=rgb gid=rgb euid=rgb suid=rgb fsuid=rgb egid=rgb sgid=rgb fsgid=rgb tty=pts0 ses=4 comm=ln exe=/usr/bin/ln subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=no

See: https://github.com/linux-audit/audit-kernel/issues/21
See also: https://github.com/linux-audit/audit-kernel/issues/51

Richard Guy Briggs (4):
  audit: make ANOM_LINK obey audit_enabled and audit_dummy_context
  audit: link denied should not directly generate PATH record
  audit: add refused symlink to audit_names
  audit: add parent of refused symlink to audit_names

 fs/namei.c            |  5 +++--
 include/linux/audit.h |  9 +++++----
 kernel/audit.c        | 43 ++++++++++++++++++++++++++++++++-----------
 3 files changed, 40 insertions(+), 17 deletions(-)

-- 
1.8.3.1
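The cover letter describes the shape a link-denied event should have after the series: one SYSCALL record, one CWD record, PATH records with distinct item numbers, and a single ANOM_LINK record with op=follow_link or op=linkat. The following is an added example, not code from the patchset or from the audit user-space tools: it groups ausearch -i style records by event serial and checks every ANOM_LINK event against that shape, flagging the duplicate-PATH symptom the series fixes. The sample records are constructed for this example (serial 310 is modelled on the symlink event above with the SELinux and cap_* fields dropped; serial 312 is hand-made to show two PATH records both claiming item=0), and the key=value splitter is deliberately simplified: a value ends at the next whitespace, so exit=EACCES(Permission denied) is truncated, which does not affect the fields the check relies on.

```python
"""Group ``ausearch -i`` style audit records into events and check each
link-denied (ANOM_LINK) event for the shape the series aims at. Added
example; not code from the patchset or from audit user space."""
import re
from collections import defaultdict

# "type=T msg=audit(TIMESTAMP:SERIAL) : body" prefix of an interpreted record.
RECORD_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>[^)]+):(?P<serial>\d+)\) : (?P<body>.*)$"
)
# Simplified splitter: a value runs to the next whitespace. The fields used
# below (item, name, nametype, items, op, res, comm, uid) never contain spaces.
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample (assumption, not captured from a real host). Serial 310
# mirrors the cover letter's symlink event; serial 312 is hand-made to show
# the pre-series symptom of two PATH records both claiming item=0.
SAMPLE = """\
type=PROCTITLE msg=audit(03/12/2018 02:21:49.578:310) : proctitle=ls ./my-passwd
type=PATH msg=audit(03/12/2018 02:21:49.578:310) : item=1 name=/tmp/ inode=13529 dev=00:27 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 nametype=PARENT
type=PATH msg=audit(03/12/2018 02:21:49.578:310) : item=0 name=./my-passwd inode=17090 dev=00:27 mode=link,777 ouid=rgb ogid=rgb rdev=00:00 nametype=NORMAL
type=CWD msg=audit(03/12/2018 02:21:49.578:310) : cwd=/tmp
type=SYSCALL msg=audit(03/12/2018 02:21:49.578:310) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) items=2 ppid=552 pid=629 auid=root uid=root comm=ls exe=/usr/bin/ls key=(null)
type=ANOM_LINK msg=audit(03/12/2018 02:21:49.578:310) : op=follow_link ppid=552 pid=629 auid=root uid=root comm=ls exe=/usr/bin/ls res=no
type=PATH msg=audit(03/12/2018 02:30:00.001:312) : item=0 name=./my-passwd inode=17090 dev=00:27 mode=link,777 ouid=rgb ogid=rgb rdev=00:00 nametype=NORMAL
type=PATH msg=audit(03/12/2018 02:30:00.001:312) : item=0 name=./my-passwd inode=17090 dev=00:27 mode=link,777 ouid=rgb ogid=rgb rdev=00:00 nametype=NORMAL
type=CWD msg=audit(03/12/2018 02:30:00.001:312) : cwd=/tmp
type=SYSCALL msg=audit(03/12/2018 02:30:00.001:312) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) items=2 ppid=552 pid=640 auid=rgb uid=rgb comm=cat exe=/usr/bin/cat key=(null)
type=ANOM_LINK msg=audit(03/12/2018 02:30:00.001:312) : op=follow_link ppid=552 pid=640 auid=rgb uid=rgb comm=cat exe=/usr/bin/cat res=no
"""


def parse_record(line):
    """Return (serial, record type, fields) for one record, or None."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    return int(m.group("serial")), m.group("type"), dict(FIELD_RE.findall(m.group("body")))


def group_events(text):
    """Map event serial -> list of (type, fields), in file order."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            serial, rtype, fields = rec
            events[serial].append((rtype, fields))
    return dict(events)


def check_anom_link_event(records):
    """Return a list of problems for one event; empty means well-formed.
    Events without an ANOM_LINK record are not link denials and pass."""
    by_type = defaultdict(list)
    for rtype, fields in records:
        by_type[rtype].append(fields)
    problems = []
    if not by_type["ANOM_LINK"]:
        return problems
    if len(by_type["SYSCALL"]) != 1:
        problems.append(f"expected one SYSCALL record, got {len(by_type['SYSCALL'])}")
    if len(by_type["CWD"]) != 1:
        problems.append(f"expected one CWD record, got {len(by_type['CWD'])}")
    items = [p.get("item") for p in by_type["PATH"]]
    dupes = sorted({i for i in items if items.count(i) > 1})
    if dupes:
        problems.append(f"duplicate PATH item numbers: {', '.join(dupes)}")
    for sc in by_type["SYSCALL"]:
        if sc.get("items") is not None and int(sc["items"]) != len(items):
            problems.append(f"SYSCALL items={sc['items']} but {len(items)} PATH records")
    for a in by_type["ANOM_LINK"]:
        if a.get("op") not in ("follow_link", "linkat"):
            problems.append(f"unexpected op={a.get('op')}")
        if a.get("res") != "no":
            problems.append(f"unexpected res={a.get('res')}")
    return problems


def link_denials(text):
    """Summarise each ANOM_LINK event: who was denied, which names, any problems."""
    out = []
    for serial, records in sorted(group_events(text).items()):
        anom = [f for t, f in records if t == "ANOM_LINK"]
        if not anom:
            continue
        names = [f["name"] for t, f in records if t == "PATH" and f.get("nametype") == "NORMAL"]
        out.append({"serial": serial, "op": anom[0].get("op"), "comm": anom[0].get("comm"),
                    "uid": anom[0].get("uid"), "names": names,
                    "problems": check_anom_link_event(records)})
    return out


if __name__ == "__main__":
    for ev in link_denials(SAMPLE):
        state = "OK" if not ev["problems"] else "; ".join(ev["problems"])
        print(f"{ev['serial']}: {ev['op']} by {ev['comm']} (uid={ev['uid']}) on {ev['names']} -> {state}")
```

To run this against a live box, feed it the output of `ausearch -i -m ANOM_LINK` instead of SAMPLE; events that were emitted while audit was disabled or that still carry duplicate PATH records show up in the problems list.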