Received: by 10.213.65.68 with SMTP id h4csp129548imn;
        Mon, 12 Mar 2018 08:51:15 -0700 (PDT)
X-Google-Smtp-Source: AG47ELtiw9InEOshV5+aBJquyEWxNagrB/U5FntTg0S0+0Tx3NqM+uysBzZLBNTIb8qXcyEHcZkE
X-Received: by 10.99.182.76 with SMTP id v12mr6902718pgt.158.1520869875308;
        Mon, 12 Mar 2018 08:51:15 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1520869875; cv=none;
        d=google.com; s=arc-20160816;
        b=HwvUXKVWgEPj74Du3UD3KvlwHJOaOR/e0bny0U5ZpZNToDEoyRO+QLBentygB+rJUt
         OAofxgSOmS0weW8Z5hdbyG7tco/KqojjhgI6VZrLKJz/0srVFb0oN6zF60tmCOcnCL0Q
         EGl2ifg1jEH6tZGzTueD0MI8lImdECW6XvY+C1Z6zwa3tWdonMtuhHy6da9uXBVBvAsr
         3+Kjrs/ObOvRZ40RooHAGfvkaYZTNXERtp/rxFOYT3vq3m5sYUrRRc/1BaV1FPGwP+6+
         FKp9qvHcK26rMtbEm5KTEPpdIgnaoDz6hINksn/U04e2TmjBKf+HZ3nGeEY541ypovJT
         ld5Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature
         :arc-authentication-results;
        bh=Pe7GeSHBmRQrsuUupm8AtjG1Z2OsYEp1iPyplb2OGjs=;
        b=d0upa3Uy59QWUKvJdu/5Eda+nNhjXX3+FJ67OCV/8WMQ+KDRVG163kX90CHnDJS7/P
         c7Dz9ZApFBjbguvCkb/cUYzNeO23Nl8+ZJ/4N1JF9jSorqFI7/loUjmabK5yBvw0xRSy
         ummNbK/xervsU/AeaRimMrHwejgRnQcXCMkRpwFfxvgAbIA9oLEhnQwn4/0bZBO96l3M
         5tWWI4Am9JQPQ9WPKF2Fe10JO0jg173eyDcu3xgbYA33UE3KyCXBy1R2GuZW8wWykUaE
         GWvwmUC6TNa4hJfR1kkduVaSeCXfmu/k1D1MGlp1uMYj98ANKXyB584tIcKSz5A3JtMe
         9lHw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=TT0l6sMu;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id f89-v6si6062160plb.687.2018.03.12.08.50.59;
        Mon, 12 Mar 2018 08:51:15 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=TT0l6sMu;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S932637AbeCLPt7 (ORCPT <rfc822;zoe.song.ucas@gmail.com>
        + 99 others); Mon, 12 Mar 2018 11:49:59 -0400
Received: from mail-lf0-f68.google.com ([209.85.215.68]:44265 "EHLO
        mail-lf0-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S932326AbeCLPt6 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 12 Mar 2018 11:49:58 -0400
Received: by mail-lf0-f68.google.com with SMTP id v9-v6so23968712lfa.11
        for <linux-kernel@vger.kernel.org>; Mon, 12 Mar 2018 08:49:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=paul-moore-com.20150623.gappssmtp.com; s=20150623;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc;
        bh=Pe7GeSHBmRQrsuUupm8AtjG1Z2OsYEp1iPyplb2OGjs=;
        b=TT0l6sMumbvTSX7rR3eVsX7QKSXbyytLf9Y6Fz88dK1ulNbr/ENhFj6nw3svwOrte9
         4azDIrU3YwHqlJ8bOxOlmnH7pRwUxgRpEJYgdG+iw6rDaSUFNPMX74/VrvYCXAYE/JM+
         ge6YB/TwoRQ3Xs0IV9slOLBAZ/9duniu2IYv/OSkdA/8z/1j1Ddz2bvjfV1MfSRWxK2B
         HGcboq9Vka2Q7VUBsOMnITIWNCPJly9CdqmS/tGCfoiioTJ09vB/uaZXJKF/Hsl6VY4B
         TQ3pSYth3xlatBxRf9FuDgv0dGZG3J5FnSROqXsR94rA/sprl4IecoV7ICFuftoLaTcQ
         +VHA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc;
        bh=Pe7GeSHBmRQrsuUupm8AtjG1Z2OsYEp1iPyplb2OGjs=;
        b=meEhgQwErvagUOMyxGmdBPCgs10ecF9ba/gw9ZCRwd3bqht14Ok1VxpHhv+EhQcDWN
         pu/Y8X6ObslGa0L54j7mMSpRzju1X9gwYXEsr+btRo4beZn5KslLczcgdeR0xsyvZ1C1
         9EqFWdJyUJuQyJXqcNDcq63hdohwrjXJjkTunl6bf2Qfzx5v7PoZi/KH/8G7nbuex5P1
         PFmYB+VK2s28UofeAyiM6+vZkCbohJZRmO5WiBLHiZm4NaKY5tVvLpJyRL2tIKm0KA90
         gwwNUtCqSXmgbRCmBw5m2zHmWJeAcijfPkQOWqlwhs9Km/IVYip86JZx17IkX4HCFfR/
         xs+A==
X-Gm-Message-State: AElRT7E57nZTZ1TtiYRDfd9u0iLTpzM7iFrmrUROPiavz/5PG53hjIzq
        kGND3fkqmr5+VpqQ2Bduk9oG/2jNnYeADspiEom5
X-Received: by 10.46.36.16 with SMTP id k16mr5255955ljk.14.1520869796985; Mon,
 12 Mar 2018 08:49:56 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a19:d8a7:0:0:0:0:0 with HTTP; Mon, 12 Mar 2018 08:49:56
 -0700 (PDT)
X-Originating-IP: [108.20.156.165]
In-Reply-To: <20180312161735.3447ad56@ivy-bridge>
References: <cover.1520835596.git.rgb@redhat.com> <20180312161735.3447ad56@ivy-bridge>
From:   Paul Moore <paul@paul-moore.com>
Date:   Mon, 12 Mar 2018 11:49:56 -0400
Message-ID: <CAHC9VhSx7C=6OxEpe7ss+LmngsLp0947kXWXOjug7fnxD5GUOw@mail.gmail.com>
Subject: Re: [PATCH ghak21 V2 0/4] audit: address ANOM_LINK excess records
To:     Steve Grubb <sgrubb@redhat.com>,
        Richard Guy Briggs <rgb@redhat.com>
Cc:     Linux-Audit Mailing List <linux-audit@redhat.com>,
        LKML <linux-kernel@vger.kernel.org>,
        Eric Paris <eparis@redhat.com>,
        Kees Cook <keescook@chromium.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Mar 12, 2018 at 11:17 AM, Steve Grubb <sgrubb@redhat.com> wrote:
> On Mon, 12 Mar 2018 02:31:16 -0400
> Richard Guy Briggs <rgb@redhat.com> wrote:
>
>> Audit link denied events were being unexpectedly produced in a
>> disjoint way when audit was disabled, and when they were expected,
>> there were duplicate PATH records.  This patchset addresses both
>> issues for symlinks and hardlinks.
>>
>> This was introduced with
>>       commit b24a30a7305418ff138ff51776fc555ec57c011a
>>       ("audit: fix event coverage of AUDIT_ANOM_LINK")
>>       commit a51d9eaa41866ab6b4b6ecad7b621f8b66ece0dc
>>       ("fs: add link restriction audit reporting")
>>
>> Here are the resulting events:
>>
>> symlink:
>> type=PROCTITLE msg=audit(03/12/2018 02:21:49.578:310) :
>> proctitle=ls ./my-passwd type=PATH msg=audit(03/12/2018
>> 02:21:49.578:310) : item=1 name=/tmp/ inode=13529 dev=00:27
>> mode=dir,sticky,777 ouid=root ogid=root rdev=00:00
>> obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none
>> cap_fi=none cap_fe=0 cap_fver=0 type=PATH msg=audit(03/12/2018
>> 02:21:49.578:310) : item=0 name=./my-passwd inode=17090 dev=00:27
>> mode=link,777 ouid=rgb ogid=rgb rdev=00:00
>> obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none
>> cap_fi=none cap_fe=0 cap_fver=0 type=CWD msg=audit(03/12/2018
>> 02:21:49.578:310) : cwd=/tmp type=SYSCALL msg=audit(03/12/2018
>> 02:21:49.578:310) : arch=x86_64 syscall=stat success=no
>> exit=EACCES(Permission denied) a0=0x7ffd79950dda a1=0x563f658a03c8
>> a2=0x563f658a03c8 a3=0x79950d00 items=2 ppid=552 pid=629 auid=root
>> uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
>> fsgid=root tty=ttyS0 ses=1 comm=ls exe=/usr/bin/ls
>> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
>> type=ANOM_LINK msg=audit(03/12/2018 02:21:49.578:310) :
>> op=follow_link ppid=552 pid=629 auid=root uid=root gid=root euid=root
>> suid=root fsuid=root egid=root sgid=root fsgid=root tty=ttyS0 ses=1
>> comm=ls exe=/usr/bin/ls
>
> So, if we now only emit the ANOM_LINK event when audit is enabled, we
> should get rid of all the duplicate information in that record. The
> SYSCALL record has all that information.

As discussed previously, I'm not going to merge any patches which
remove fields from existing records.

-- 
paul moore
www.paul-moore.com