From: Paul Moore
Date: Tue, 13 Mar 2018 16:24:48 -0400
Subject: Re: [PATCH ghak21 V2 3/4] audit: add refused symlink to audit_names
To: Richard Guy Briggs
Cc: Steve Grubb, Linux-Audit Mailing List, LKML
In-Reply-To: <20180313105251.p7pc472xyklm7ssr@madcap2.tricolour.ca>
References: <20180312152614.qvcxng3biug46lms@madcap2.tricolour.ca> <20180312155256.4j7uglv7jiyppozm@madcap2.tricolour.ca> <20180313093517.28c99b48@ivy-bridge> <20180313101108.s6o7jec57rsxpsmc@madcap2.tricolour.ca> <20180313113815.187da185@ivy-bridge> <20180313105251.p7pc472xyklm7ssr@madcap2.tricolour.ca>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Mar 13, 2018 at 6:52 AM, Richard Guy Briggs wrote:
> On 2018-03-13 11:38, Steve Grubb wrote:
>> On Tue, 13 Mar 2018 06:11:08 -0400
>> Richard Guy Briggs wrote:
>>
>> > On 2018-03-13 09:35, Steve Grubb wrote:
>> > > On Mon, 12 Mar 2018 11:52:56 -0400
>> > > Richard Guy Briggs wrote:
>> > >
>> > > > On 2018-03-12 11:53, Paul Moore wrote:
>> > > > > On Mon, Mar 12, 2018 at 11:26 AM, Richard Guy Briggs
>> > > > > wrote:
>> > > > > > On 2018-03-12 11:12, Paul Moore wrote:
>> > > > > >> On Mon, Mar 12, 2018 at 2:31 AM, Richard Guy Briggs
>> > > > > >> wrote:
>> > > > > >> > Audit link denied events for symlinks had duplicate PATH
>> > > > > >> > records rather than just updating the existing PATH record.
>> > > > > >> > Update the symlink's PATH record with the current dentry
>> > > > > >> > and inode information.
>> > > > > >> >
>> > > > > >> > See: https://github.com/linux-audit/audit-kernel/issues/21
>> > > > > >> > Signed-off-by: Richard Guy Briggs
>> > > > > >> > ---
>> > > > > >> >  fs/namei.c | 1 +
>> > > > > >> >  1 file changed, 1 insertion(+)
>> > > > > >>
>> > > > > >> Why didn't you include this in patch 4/4 like I asked during
>> > > > > >> the previous review?
>> > > > > >
>> > > > > > Please see the last comment of:
>> > > > > > https://www.redhat.com/archives/linux-audit/2018-March/msg00070.html
>> > > > >
>> > > > > Yes, I just saw that ... I hadn't seen your replies on the v1
>> > > > > patches until I had finished reviewing v2. I just replied to
>> > > > > that mail in the v1 thread, but basically you need to figure
>> > > > > out what is necessary here and let us know. If I have to
>> > > > > figure it out it likely isn't going to get done with enough
>> > > > > soak time prior to the upcoming merge window.
>> > > >
>> > > > Steve? I was hoping you could chime in here.
>> > >
>> > > If the CWD record will always be the same as the PARENT record,
>> > > then we do not need the parent record. Duplicate information is
>> > > bad. Like all the duplicate SYSCALL information.
>> >
>> > The CWD record could be different from the PARENT record, since I
>> > could have SYMLINK=/tmp/test/symlink, CWD=/tmp, PARENT=/tmp/test.
>> > Does the parent record even matter since it might not be a directory
>> > operation like creat, unlink or rename?
>>
>> There's 2 issues. One is creating the path if what we have is relative.
>> In this situation CWD should be enough. But if the question is whether
>> the PARENT directory should be included... what if the PARENT
>> permissions do not allow the successful name resolution? In that case
>> we might only get a PARENT record, no? In that case we would need it.
>
> I think in the case of symlink creation, the normal file create code path
> would be in effect, and would properly log parent and symlink source
> file paths (if a rule to log it was in effect), which is not something
> that would trigger a symlink link denied error. Symlink link denied
> happens only when trying to actually follow the link before
> resolving the target path of a read/write/exec of the symlink target.
>
> If the parent permissions of the link's target don't allow successful
> name resolution then the symlink link denied condition isn't met, but
> rather any other rule that applies to the target path.

I'm guessing you are in the process of tracking all this down, but if
not, let's get to a point where we can answer this definitively and
not guess :)

-- 
paul moore
www.paul-moore.com
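The CWD/PARENT/PATH question debated above, as an added example that is not part of this message, the patch series or the kernel's audit code: a small Python log consumer over a constructed audit event (record layout, field values and the use of the PATH record's nametype field are assumptions for illustration) that rebuilds each PATH item's absolute name from the CWD record, checks whether the PARENT item is really just the CWD again, and flags PATH items that repeat a dev/inode, which is the duplicate-record symptom the patch addresses.

```python
import os
import shlex
from collections import defaultdict

# Constructed sample event (not from the patch or a real system), laid out
# as the thread describes it: CWD=/tmp, PARENT=/tmp/test and the symlink
# /tmp/test/symlink.  Item 2 repeats item 1's dev/inode, mimicking the
# duplicate PATH record the patch removes.
SAMPLE_EVENT = """\
type=CWD msg=audit(1520972688.123:4567): cwd="/tmp"
type=PATH msg=audit(1520972688.123:4567): item=0 name="test/" inode=1234 dev=fd:01 mode=040755 nametype=PARENT
type=PATH msg=audit(1520972688.123:4567): item=1 name="test/symlink" inode=1235 dev=fd:01 mode=0120777 nametype=NORMAL
type=PATH msg=audit(1520972688.123:4567): item=2 name="test/symlink" inode=1235 dev=fd:01 mode=0120777 nametype=NORMAL
"""

def parse_event(text):
    """One dict of key=value fields per record; shlex strips the quotes."""
    records = []
    for line in filter(str.strip, text.splitlines()):
        records.append(dict(tok.partition("=")[::2] for tok in shlex.split(line)))
    return records

def resolve_path_records(records):
    """{item: absolute path} for each PATH record.  Relative names are joined
    onto the event's CWD record, which is how a consumer rebuilds the path
    (Steve's first issue); absolute names pass through os.path.join as-is."""
    cwd = next(r["cwd"] for r in records if r["type"] == "CWD")
    return {int(r["item"]): os.path.normpath(os.path.join(cwd, r["name"]))
            for r in records if r["type"] == "PATH"}

def parent_differs_from_cwd(records):
    """True when a PARENT item is not the CWD itself, i.e. dropping PARENT
    as "duplicate information" would lose the directory actually resolved."""
    cwd = next(r["cwd"] for r in records if r["type"] == "CWD")
    paths = resolve_path_records(records)
    parents = [paths[int(r["item"])] for r in records
               if r["type"] == "PATH" and r.get("nametype") == "PARENT"]
    return any(p != os.path.normpath(cwd) for p in parents)

def duplicate_path_items(records):
    """Items naming the same (dev, inode); more than one per object is the
    symptom the patch is fixing and is worth flagging in a consumer."""
    by_object = defaultdict(list)
    for r in records:
        if r["type"] == "PATH":
            by_object[(r["dev"], r["inode"])].append(int(r["item"]))
    return {k: v for k, v in by_object.items() if len(v) > 1}
```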