From: Richard Guy Briggs
To: linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, Linux-Audit Mailing List, LKML
Cc: Paul Moore, sgrubb@redhat.com, omosnace@redhat.com, eparis@parisplace.org, serge@hallyn.com, zohar@linux.ibm.com, mjg59@google.com, Richard Guy Briggs
Subject: [PATCH ghak109 V1] audit: link integrity evm_write_xattrs record to syscall event
Date: Sat, 16 Mar 2019 08:10:08 -0400
Message-Id: <81d0122d14c4fbb3a2ad33d25fdf2dd001c7dcc7.1552737854.git.rgb@redhat.com>

In commit fa516b66a1bf ("EVM: Allow runtime modification of the set of verified xattrs"), the call to audit_log_start() is missing a context to link it to an audit event. Since this event is in user context, add the process' syscall context to the record.

In addition, the orphaned keyword "locked" appears in the record. Normalize this by changing it to "xattr=(locked)".

Please see the github issue https://github.com/linux-audit/audit-kernel/issues/109

Signed-off-by: Richard Guy Briggs
---
 security/integrity/evm/evm_secfs.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/security/integrity/evm/evm_secfs.c b/security/integrity/evm/evm_secfs.c index 015aea8fdf1e..4171d174e9da 100644 --- a/security/integrity/evm/evm_secfs.c +++ b/security/integrity/evm/evm_secfs.c @@ -192,7 +192,8 @@ static ssize_t evm_write_xattrs(struct file *file, const char __user *buf, if (count > XATTR_NAME_MAX) return -E2BIG; - ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_INTEGRITY_EVM_XATTR); + ab = audit_log_start(audit_context(), GFP_KERNEL, + AUDIT_INTEGRITY_EVM_XATTR); if (!ab) return -ENOMEM;
@@ -222,7 +223,7 @@ static ssize_t evm_write_xattrs(struct file *file, const char __user *buf, inode_lock(inode); err = simple_setattr(evm_xattrs, &newattrs); inode_unlock(inode); - audit_log_format(ab, "locked"); + audit_log_format(ab, "xattr=(locked)"); if (!err) err = count; goto out; -- 1.8.3.1
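
Review bot: In the first hunk (@@ -192,7 +192,8 @@), the unchanged `if (!ab) return -ENOMEM;` right after the modified call treats every NULL return from audit_log_start() as an allocation failure, but audit_log_start() also returns NULL when auditing is not enabled or the record type is excluded by a filter. With that check in place a write to the EVM xattr list fails with -ENOMEM on a system that simply has audit turned off. Since this patch already touches the call, consider making the write proceed when no audit buffer is available and only skipping the logging, or at least note in the commit message that the behaviour is left unchanged on purpose.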
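
Review bot: In the second hunk (@@ -222,7 +223,7 @@), `audit_log_format(ab, "xattr=(locked)");` is emitted after simple_setattr() returns but before `err` is examined, so the record carries the locked marker even when the setattr failed. Please confirm that the code at the `out` label, which is not visible in this hunk, appends a result field derived from `err`, so that a failed lock attempt can be told apart from a successful one. The parenthesised value is also a sentinel placed in a field that otherwise carries an xattr name, so it would help to document that convention for userspace parsers, for example in the commit message or the audit field dictionary.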