From: Paul Moore
Date: Mon, 12 Mar 2018 11:49:56 -0400
Subject: Re: [PATCH ghak21 V2 0/4] audit: address ANOM_LINK excess records
To: Steve Grubb, Richard Guy Briggs
Cc: Linux-Audit Mailing List, LKML, Eric Paris, Kees Cook
In-Reply-To: <20180312161735.3447ad56@ivy-bridge>
References: <20180312161735.3447ad56@ivy-bridge>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Mar 12, 2018 at 11:17 AM, Steve Grubb wrote:
> On Mon, 12 Mar 2018 02:31:16 -0400
> Richard Guy Briggs wrote:
>
>> Audit link denied events were being unexpectedly produced in a
>> disjoint way when audit was disabled, and when they were expected,
>> there were duplicate PATH records. This patchset addresses both
>> issues for symlinks and hardlinks.
>>
>> This was introduced with
>> commit b24a30a7305418ff138ff51776fc555ec57c011a
>> ("audit: fix event coverage of AUDIT_ANOM_LINK")
>> commit a51d9eaa41866ab6b4b6ecad7b621f8b66ece0dc
>> ("fs: add link restriction audit reporting")
>>
>> Here are the resulting events:
>>
>> symlink:
>> type=PROCTITLE msg=audit(03/12/2018 02:21:49.578:310) : proctitle=ls ./my-passwd
>> type=PATH msg=audit(03/12/2018 02:21:49.578:310) : item=1 name=/tmp/ inode=13529 dev=00:27 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
>> type=PATH msg=audit(03/12/2018 02:21:49.578:310) : item=0 name=./my-passwd inode=17090 dev=00:27 mode=link,777 ouid=rgb ogid=rgb rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
>> type=CWD msg=audit(03/12/2018 02:21:49.578:310) : cwd=/tmp
>> type=SYSCALL msg=audit(03/12/2018 02:21:49.578:310) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x7ffd79950dda a1=0x563f658a03c8 a2=0x563f658a03c8 a3=0x79950d00 items=2 ppid=552 pid=629 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=ttyS0 ses=1 comm=ls exe=/usr/bin/ls subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
>> type=ANOM_LINK msg=audit(03/12/2018 02:21:49.578:310) : op=follow_link ppid=552 pid=629 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=ttyS0 ses=1 comm=ls exe=/usr/bin/ls
>
> So, if we now only emit the ANOM_LINK event when audit is enabled, we
> should get rid of all the duplicate information in that record. The
> SYSCALL record has all that information.

As discussed previously, I'm not going to merge any patches which remove
fields from existing records.

-- 
paul moore
www.paul-moore.com
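The records quoted in the cover letter are `ausearch -i` style output: one record per line, `type=` and `msg=audit(timestamp:serial)` followed by key=value fields, with every record of one event sharing the same serial. As an added example that is not part of this thread or of the kernel audit code, the following Python script parses records of that shape, groups them by serial, and reports the two conditions the cover letter describes (an ANOM_LINK record that arrives with no SYSCALL record for its event, and duplicate PATH records for the same item number), plus, for Steve's observation, which ANOM_LINK fields merely repeat values already carried by the SYSCALL record. Event 310 in the sample is the symlink event quoted above; events 311 and 312 are constructed for this example and are not from the thread.

```python
import re
from collections import defaultdict

# Constructed sample log. Serial 310 is the event quoted in the thread.
# Serial 311 (an ANOM_LINK with no SYSCALL record) and serial 312 (two PATH
# records for item=0) are made up here to exercise the two checks below.
SAMPLE_LOG = """\
type=PROCTITLE msg=audit(03/12/2018 02:21:49.578:310) : proctitle=ls ./my-passwd
type=PATH msg=audit(03/12/2018 02:21:49.578:310) : item=1 name=/tmp/ inode=13529 dev=00:27 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(03/12/2018 02:21:49.578:310) : item=0 name=./my-passwd inode=17090 dev=00:27 mode=link,777 ouid=rgb ogid=rgb rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(03/12/2018 02:21:49.578:310) : cwd=/tmp
type=SYSCALL msg=audit(03/12/2018 02:21:49.578:310) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x7ffd79950dda a1=0x563f658a03c8 a2=0x563f658a03c8 a3=0x79950d00 items=2 ppid=552 pid=629 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=ttyS0 ses=1 comm=ls exe=/usr/bin/ls subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=ANOM_LINK msg=audit(03/12/2018 02:21:49.578:310) : op=follow_link ppid=552 pid=629 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=ttyS0 ses=1 comm=ls exe=/usr/bin/ls
type=ANOM_LINK msg=audit(03/12/2018 02:22:10.001:311) : op=follow_link ppid=552 pid=640 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=ttyS0 ses=1 comm=cat exe=/usr/bin/cat
type=PATH msg=audit(03/12/2018 02:22:30.002:312) : item=0 name=./my-passwd inode=17090 dev=00:27 mode=link,777 ouid=rgb ogid=rgb rdev=00:00 nametype=NORMAL
type=PATH msg=audit(03/12/2018 02:22:30.002:312) : item=0 name=./my-passwd inode=17090 dev=00:27 mode=link,777 ouid=rgb ogid=rgb rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(03/12/2018 02:22:30.002:312) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) items=1 ppid=552 pid=641 auid=root uid=root comm=ls exe=/usr/bin/ls
type=ANOM_LINK msg=audit(03/12/2018 02:22:30.002:312) : op=follow_link ppid=552 pid=641 auid=root uid=root comm=ls exe=/usr/bin/ls
"""

# Record header: type, the "timestamp:serial" inside msg=audit(...), and the rest.
HEADER_RE = re.compile(r"^type=(\w+) msg=audit\(([^)]+)\) : (.*)$")
# key=value fields; a value may contain one parenthesised group with spaces,
# e.g. exit=EACCES(Permission denied) or key=(null).
FIELD_RE = re.compile(r"(\w+)=((?:\([^)]*\)|[^\s(])*)")


def parse_records(text):
    """Parse ausearch -i style lines into dicts: type, time, serial, fields."""
    records = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue  # skip separators and anything that is not a record
        rtype, stamp, body = m.groups()
        ts, serial = stamp.rsplit(":", 1)
        if body.startswith("proctitle="):
            # proctitle is the whole command line, spaces included
            fields = {"proctitle": body[len("proctitle="):]}
        else:
            fields = dict(FIELD_RE.findall(body))
        records.append({"type": rtype, "time": ts, "serial": int(serial),
                        "fields": fields})
    return records


def group_events(records):
    """Group records by serial; every record of one event shares the serial."""
    events = defaultdict(list)
    for r in records:
        events[r["serial"]].append(r)
    return dict(events)


def duplicate_path_items(event):
    """Item numbers that occur in more than one PATH record of the event."""
    counts = defaultdict(int)
    for r in event:
        if r["type"] == "PATH":
            counts[r["fields"].get("item")] += 1
    return sorted(int(i) for i, n in counts.items() if n > 1)


def redundant_anom_link_fields(event):
    """ANOM_LINK fields whose value is identical in the event's SYSCALL record."""
    syscall = next((r for r in event if r["type"] == "SYSCALL"), None)
    anom = next((r for r in event if r["type"] == "ANOM_LINK"), None)
    if syscall is None or anom is None:
        return []
    return sorted(k for k, v in anom["fields"].items()
                  if syscall["fields"].get(k) == v)


def summarize(text):
    """Per-serial report of the conditions discussed in the thread."""
    report = {}
    for serial, ev in group_events(parse_records(text)).items():
        types = [r["type"] for r in ev]
        has_anom = "ANOM_LINK" in types
        report[serial] = {
            "types": types,
            "has_anom_link": has_anom,
            # an ANOM_LINK with no SYSCALL record is the "disjoint" case
            "orphan_anom_link": has_anom and "SYSCALL" not in types,
            "dup_path_items": duplicate_path_items(ev),
            "redundant_fields": redundant_anom_link_fields(ev),
        }
    return report


if __name__ == "__main__":
    for serial, info in summarize(SAMPLE_LOG).items():
        print(serial, info)
```

Run over the sample, event 310 shows no orphan and no duplicate PATH items but fifteen ANOM_LINK fields that repeat the SYSCALL record (everything except `op`), event 311 is reported as an orphan ANOM_LINK, and event 312 is reported for its duplicated `item=0`. The same parser works on real `ausearch -i` output for an audit log, so the two checks can be run against a system before and after applying the series to confirm the behaviour change.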