From: Paul Moore
Date: Mon, 12 Mar 2018 11:45:22 -0400
Subject: Re: [PATCH ghak21 V2 4/4] audit: add parent of refused symlink to audit_names
To: Richard Guy Briggs
Cc: Linux-Audit Mailing List, LKML, Eric Paris, Steve Grubb, Kees Cook
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Mar 12, 2018 at 2:31 AM, Richard Guy Briggs wrote:
> Audit link denied events for symlinks were missing the parent PATH
> record. Add it. Since the full pathname may not be available,
> reconstruct it from the path in the nameidata supplied.
>
> See: https://github.com/linux-audit/audit-kernel/issues/21
> Signed-off-by: Richard Guy Briggs
> ---
> fs/namei.c | 2 +-
> include/linux/audit.h | 3 +++
> kernel/audit.c | 31 +++++++++++++++++++++++++++++++
> 3 files changed, 35 insertions(+), 1 deletion(-)

See my comment in patch 3/4; it should really be folded into this patch. Additional comment inline below ...

> diff --git a/kernel/audit.c b/kernel/audit.c > index e54deaf..4acf374 100644 > --- a/kernel/audit.c > +++ b/kernel/audit.c > @@ -73,6 +73,7 @@ > #include > #include > #include > +#include /* for LOOKUP_PARENT */ > > #include "audit.h" 
> > @@ -2320,6 +2321,36 @@ void audit_log_link_denied(const char *operation) > audit_log_end(ab); > } > > +/* > + * audit_log_symlink_denied - report a symlink restriction denial > + * @link: the path that triggered the restriction > + */ > +void audit_log_symlink_denied(const struct path *link) > +{ > + char *pathname; > + struct filename *filename; > + > + if (audit_dummy_context()) > + return; > + > + pathname = kmalloc(PATH_MAX + 1, GFP_KERNEL); > + if (!pathname) { > + audit_panic("memory allocation error while reporting symlink denied"); > + return; > + } > + filename = getname_kernel(d_absolute_path(link, pathname, PATH_MAX + 1)); > + if (IS_ERR(filename)) { > + audit_panic("error getting pathname while reporting symlink denied"); > + goto out; > + } > + audit_inode(filename, link->dentry->d_parent, LOOKUP_PARENT);

Since we are already checking audit_dummy_context() above we don't need to check it again in audit_inode(), you should just call __audit_inode() directly. As a reminder, make sure you convert LOOKUP_PARENT to AUDIT_INODE_PARENT.

> + audit_log_link_denied("follow_link"); > + putname(filename); > +out: > + kfree(pathname); > + return; > +}

--
paul moore
www.paul-moore.com
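
Review bot: The return value of d_absolute_path() is never checked in audit_log_symlink_denied(); the line "filename = getname_kernel(d_absolute_path(link, pathname, PATH_MAX + 1));" passes it straight to getname_kernel(). d_absolute_path() returns an ERR_PTR on failure (for example when the path does not fit the buffer or is not reachable), and getname_kernel() would then treat that error pointer as a string. Suggest storing the result in a local, testing it with IS_ERR(), and taking the "out:" path before getname_kernel() is called, so the existing IS_ERR(filename) check only has to cover getname_kernel() itself. The trailing "return;" after kfree(pathname) is also redundant in a void function and can be dropped.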