Received: by 10.213.65.68 with SMTP id h4csp570333imn;
        Tue, 13 Mar 2018 13:25:59 -0700 (PDT)
X-Google-Smtp-Source: AG47ELvFu9BsnxVlPZeJm9olw/0Se32n3blrdfQLP9SKwHjajz1RvdpJ5MV/vBV+/0aodF7KJ8AH
X-Received: by 2002:a17:902:2e04:: with SMTP id q4-v6mr1728450plb.22.1520972759435;
        Tue, 13 Mar 2018 13:25:59 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1520972759; cv=none;
        d=google.com; s=arc-20160816;
        b=sPJQn3QOym50Www8qXJ6ycTJvO2ZCn+1G9+h2lwlw2FfBWrBXp3OpCByJNp4d0pJfw
         4hvH4b7jn2/EVJtDO5E75REtv1o7QnNGZWfvarCBGmcRIBM8nAOfqLC4OgmORbcoMLkW
         aZZVMoiCyGOklbVrGEb2+UIE068t7/NEDX5GBp2qBdPD3IZqYGgB/BMFD+L1ibe14SNI
         b14TvZ+6ln4EPDlMlNrGw9bgeO/BOtX8myYpM9vhlh3buCJp4IC80odxOXVlmKRYXuQf
         HNEBJH1pHxShzDZu+FsHn27DODRGDeTm2fe1N6VXcCYjYeJqF0OLxMAmvTv8Pg2Real3
         m1Vw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature
         :arc-authentication-results;
        bh=89mKRpXkCL3wguqQLrTstaeyraUmprqYhLTstv9gFOY=;
        b=CkH+pyqMB/biWRCfmsAcMfrSwtOQqj3zBDotRejv4sGUqyuSBFLf34C4Og1VXFXMC8
         9J6OyywGyeAXIy+hxg5D1YLZdLQyPlbGVLltUgvzl4N3HJrMfbBZscM+yDVLcKt9EghP
         GKf3WmYSmG7ZIkaS9AK5IPo8Tm1QcgLvsU8FIDi9j0fFwURmJiQ7fxM00G3kpSgKFCSi
         rtLKP7imJgpWN3cep51o+QSsR4FZfF8EWipaapyfTICrwcAX610C+hPOSwznPorPb+8Q
         ocgn/iXcV6FtkYK0//v0rh5naxTEI3r0dhuS7TtRysHAOO05R/y7Q9jWAas6gCf8gVOJ
         btZw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=T3RYhmfg;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id x10si725221pfj.54.2018.03.13.13.25.45;
        Tue, 13 Mar 2018 13:25:59 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=T3RYhmfg;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752778AbeCMUYw (ORCPT <rfc822;utfcpqpk@gmail.com> + 99 others);
        Tue, 13 Mar 2018 16:24:52 -0400
Received: from mail-lf0-f68.google.com ([209.85.215.68]:37731 "EHLO
        mail-lf0-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1752196AbeCMUYv (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 13 Mar 2018 16:24:51 -0400
Received: by mail-lf0-f68.google.com with SMTP id y19-v6so1390606lfd.4
        for <linux-kernel@vger.kernel.org>; Tue, 13 Mar 2018 13:24:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=paul-moore-com.20150623.gappssmtp.com; s=20150623;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc;
        bh=89mKRpXkCL3wguqQLrTstaeyraUmprqYhLTstv9gFOY=;
        b=T3RYhmfg5gRF6FJOGolRNs67Jnn8gOIAaOmcsjJke57hWl1RwV2Orn7ycx6HbIpX6g
         BmgOgoXGyVZCRKhdhvOXI+rErrB5TcJGGx4VoIhNy2i+Qw499SP6DvfW+yLAfxtOZqOo
         lv4sFN2U7rEblubIkBJ2ANtleqFa/a48asLTJR5fUCC7uDvOQvgYhKmtSojx5qg47Ojl
         9ovH+61UNanFm+gg3nnpfl9CZZajdlUdLHDXaHgTjmceHJVpLnsjiGuT39qqO2o6Wk93
         qFYy7meV6wWYZMVzl4VLTVgkm6xkPFy1fOKWt+BMPaRdznWkB1hSt3CnsAEXHjTviDkV
         yXLg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc;
        bh=89mKRpXkCL3wguqQLrTstaeyraUmprqYhLTstv9gFOY=;
        b=oUdlKNtw/N69kRuDpPo2phIWEniYXXyb0XRWmiDaPjhlFwyIb2CxUxmC7rvUtqJzlh
         WujGoYeBVFDxhLojgeuLBswqKEWW8m3Kui5wys0jnguZTt1Di6KpJWKZFNZ7CmGqc6Y7
         49wDjh4xFTocBhQLwLhLQY31R8xXXVH9x3JFpnUiuNox9YL+Xs5Fqy59kDT+hqEj+9Bo
         jLXNq0/bmVO7WuUcIkVuKFeR0DaYcwsBdH2hsvS5qarK9vJklkrbtC/hEnSclp0Ri7W2
         2/XPwp+zWlGGIALZF9DOLmi9KDqKpo03jGzKvFsLiEJCZWLTQrTMKm7eSS0r/Vtd/fql
         AKdA==
X-Gm-Message-State: AElRT7EFjgleGbT+Q8LKA3eQ0gTcPWdtbOR9mcbMtGxSnvr7HFc9eGZr
        E0d6uCRaiMNJIMzHvpWld176h0r+9V5N0TYGL7dN
X-Received: by 10.46.124.11 with SMTP id x11mr1421691ljc.72.1520972689378;
 Tue, 13 Mar 2018 13:24:49 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a19:984c:0:0:0:0:0 with HTTP; Tue, 13 Mar 2018 13:24:48
 -0700 (PDT)
X-Originating-IP: [108.20.156.165]
In-Reply-To: <20180313105251.p7pc472xyklm7ssr@madcap2.tricolour.ca>
References: <cover.1520835596.git.rgb@redhat.com> <ce98e9600a8d7d0169067ae9f3e3a5ae2fb1f54a.1520835596.git.rgb@redhat.com>
 <CAHC9VhRh094wMJkiBY+iStfwMEotHMrOCWUSW23gva_ccknuqg@mail.gmail.com>
 <20180312152614.qvcxng3biug46lms@madcap2.tricolour.ca> <CAHC9VhR-2tQAsDHDNto7GWkSrCLWGuURexxsxDxECfY9KoVvww@mail.gmail.com>
 <20180312155256.4j7uglv7jiyppozm@madcap2.tricolour.ca> <20180313093517.28c99b48@ivy-bridge>
 <20180313101108.s6o7jec57rsxpsmc@madcap2.tricolour.ca> <20180313113815.187da185@ivy-bridge>
 <20180313105251.p7pc472xyklm7ssr@madcap2.tricolour.ca>
From:   Paul Moore <paul@paul-moore.com>
Date:   Tue, 13 Mar 2018 16:24:48 -0400
Message-ID: <CAHC9VhQ+JwGd3FOU_oZVgQRt=MAcyeDxDiZv8GWtXF3bYLp+dQ@mail.gmail.com>
Subject: Re: [PATCH ghak21 V2 3/4] audit: add refused symlink to audit_names
To:     Richard Guy Briggs <rgb@redhat.com>
Cc:     Steve Grubb <sgrubb@redhat.com>,
        Linux-Audit Mailing List <linux-audit@redhat.com>,
        LKML <linux-kernel@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Mar 13, 2018 at 6:52 AM, Richard Guy Briggs <rgb@redhat.com> wrote:
> On 2018-03-13 11:38, Steve Grubb wrote:
>> On Tue, 13 Mar 2018 06:11:08 -0400
>> Richard Guy Briggs <rgb@redhat.com> wrote:
>>
>> > On 2018-03-13 09:35, Steve Grubb wrote:
>> > > On Mon, 12 Mar 2018 11:52:56 -0400
>> > > Richard Guy Briggs <rgb@redhat.com> wrote:
>> > >
>> > > > On 2018-03-12 11:53, Paul Moore wrote:
>> > > > > On Mon, Mar 12, 2018 at 11:26 AM, Richard Guy Briggs
>> > > > > <rgb@redhat.com> wrote:
>> > > > > > On 2018-03-12 11:12, Paul Moore wrote:
>> > > > > >> On Mon, Mar 12, 2018 at 2:31 AM, Richard Guy Briggs
>> > > > > >> <rgb@redhat.com> wrote:
>> > > > > >> > Audit link denied events for symlinks had duplicate PATH
>> > > > > >> > records rather than just updating the existing PATH record.
>> > > > > >> > Update the symlink's PATH record with the current dentry
>> > > > > >> > and inode information.
>> > > > > >> >
>> > > > > >> > See: https://github.com/linux-audit/audit-kernel/issues/21
>> > > > > >> > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
>> > > > > >> > ---
>> > > > > >> >  fs/namei.c | 1 +
>> > > > > >> >  1 file changed, 1 insertion(+)
>> > > > > >>
>> > > > > >> Why didn't you include this in patch 4/4 like I asked during
>> > > > > >> the previous review?
>> > > > > >
>> > > > > > Please see the last comment of:
>> > > > > > https://www.redhat.com/archives/linux-audit/2018-March/msg00070.html
>> > > > >
>> > > > > Yes, I just saw that ... I hadn't seen your replies on the v1
>> > > > > patches until I had finished reviewing v2.  I just replied to
>> > > > > that mail in the v1 thread, but basically you need to figure
>> > > > > out what is necessary here and let us know.  If I have to
>> > > > > figure it out it likely isn't going to get done with enough
>> > > > > soak time prior to the upcoming merge window.
>> > > >
>> > > > Steve?  I was hoping you could chime in here.
>> > >
>> > > If the CWD record will always be the same as the PARENT record,
>> > > then we do not need the parent record. Duplicate information is
>> > > bad. Like all the duplicate SYSCALL information.
>> >
>> > The CWD record could be different from the PARENT record, since I
>> > could have SYMLINK=/tmp/test/symlink, CWD=/tmp, PARENT=/tmp/test.
>> > Does the parent record even matter since it might not be a directory
>> > operation like creat, unlink or rename?
>>
>> There's 2 issues. One is creating the path if what we have is relative.
>> In this situation CWD should be enough. But if the question is whether
>> the PARENT directory should be included...what if the PARENT
>> permissions do not allow the successful name resolution? In that case
>> we might only get a PARENT record no? In that case we would need it.
>
> I think in the case of symlink creation, normal file create code path
> would be in effect, and would properly log parent and symlink source
> file paths (if a rule to log it was in effect) which is not something
> that would trigger a symlink link denied error.  Symlink link denied
> happens only when trying to actually follow the link before
> resolving the target path of a read/write/exec of the symlink target.
>
> If the parent permissions of the link's target don't allow successful
> name resolution then the symlink link denied condition isn't met, but
> rather any other rule that applies to the target path.

I'm guessing you are in the process of tracking all this down, but if
not, lets get to a point where we can answer this definitively and not
guess :)

-- 
paul moore
www.paul-moore.com