From: Richard Guy Briggs
To: linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, Linux-Audit Mailing List, LKML
Cc: Paul Moore, sgrubb@redhat.com, omosnace@redhat.com, eparis@parisplace.org, serge@hallyn.com, zohar@linux.ibm.com, mjg59@google.com, Richard Guy Briggs
Subject: [PATCH ghak109 V2] audit: link integrity evm_write_xattrs record to syscall event
Date: Tue, 26 Mar 2019 14:49:20 -0400
Message-Id: <087489b21e50bcda65c6af3e038394d5bfe09e00.1553626080.git.rgb@redhat.com>
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org

In commit fa516b66a1bf ("EVM: Allow runtime modification of the set of verified xattrs"), the call to audit_log_start() is missing a context to link it to an audit event. Since this event is in user context, add the process' syscall context to the record.

In addition, the orphaned keyword "locked" appears in the record. Normalize this by changing it to logging the locking string "." as any other user input in the "xattr=" field.

Please see the github issue
https://github.com/linux-audit/audit-kernel/issues/109

Signed-off-by: Richard Guy Briggs
---
Changelog:
v2
- switch from "(locked)" to printing the "." verbatim, untrusted.

 security/integrity/evm/evm_secfs.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/security/integrity/evm/evm_secfs.c b/security/integrity/evm/evm_secfs.c
index 015aea8fdf1e..3f7cbb238923 100644
--- a/security/integrity/evm/evm_secfs.c
+++ b/security/integrity/evm/evm_secfs.c
@@ -192,7 +192,8 @@ static ssize_t evm_write_xattrs(struct file *file, const char __user *buf, if (count > XATTR_NAME_MAX) return -E2BIG; - ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_INTEGRITY_EVM_XATTR); + ab = audit_log_start(audit_context(), GFP_KERNEL, + AUDIT_INTEGRITY_EVM_XATTR); if (!ab) return -ENOMEM; @@ -214,6 +215,9 @@ static ssize_t evm_write_xattrs(struct file *file, const char __user *buf, if (len && xattr->name[len-1] == '\n') xattr->name[len-1] = '\0'; + audit_log_format(ab, "xattr="); + audit_log_untrustedstring(ab, xattr->name); + if (strcmp(xattr->name, ".") == 0) { evm_xattrs_locked = 1; newattrs.ia_mode = S_IFREG | 0440; @@ -222,15 +226,11 @@ static ssize_t evm_write_xattrs(struct file *file, const char __user *buf, inode_lock(inode); err = simple_setattr(evm_xattrs, &newattrs); inode_unlock(inode); - audit_log_format(ab, "locked"); if (!err) err = count; goto out; } - audit_log_format(ab, "xattr="); - audit_log_untrustedstring(ab, xattr->name); - if (strncmp(xattr->name, XATTR_SECURITY_PREFIX, XATTR_SECURITY_PREFIX_LEN) != 0) { err = -EINVAL; -- 1.8.3.1
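Review bot: in the first hunk (@@ -192,7 +192,8 @@), the retained `if (!ab) return -ENOMEM;` directly under the new `audit_log_start(audit_context(), GFP_KERNEL, AUDIT_INTEGRITY_EVM_XATTR);` call treats every NULL as an allocation failure, but audit_log_start() also returns NULL when the record type is excluded by an audit filter rule, and on a kernel built without CONFIG_AUDIT it is an inline stub that always returns NULL, so in those configurations every write to evm_xattrs fails with -ENOMEM; since this hunk is already reworking the call, consider making the failure conditional, e.g. `if (!ab && IS_ENABLED(CONFIG_AUDIT)) return -ENOMEM;`. Note also that the `if (count > XATTR_NAME_MAX) return -E2BIG;` context line above it bails out before any record is started, so an oversized name leaves no INTEGRITY_EVM_XATTR record of the attempt.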
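Review bot: in the second hunk (@@ -214,6 +215,9 @@), hoisting `audit_log_format(ab, "xattr=");` and `audit_log_untrustedstring(ab, xattr->name);` above the `strcmp(xattr->name, ".")` check means a lock request is now reported as xattr="." and the bare `locked` keyword disappears from the record; that is what the commit message intends, but it is a user-visible change to the record format, so a short comment at the new lines saying that "." in xattr= denotes the lock request, and a matching update to the audit field documentation so userspace tooling stops matching on `locked`, would help.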
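As an added illustration of the point the commit message makes (records started with the syscall's audit context share that syscall's serial number, while a record started with a NULL context gets its own serial and has no SYSCALL record beside it), here is a small correlator in Python. It is example code written for this page, not part of the patch, the kernel or the audit userspace; the log lines in it are constructed, not captured. It assumes the userspace type name INTEGRITY_EVM_XATTR for AUDIT_INTEGRITY_EVM_XATTR and the usual `type=... msg=audit(ts:serial):` record shape, and it undoes the uppercase-hex encoding that audit_log_untrustedstring() applies to names containing '"', control or non-ASCII bytes.

```python
"""Correlate INTEGRITY_EVM_XATTR audit records with the SYSCALL record of the
write that produced them.  Added example for this page; not kernel or
audit-userspace code.  The log lines below are constructed, not captured."""
import re
from collections import OrderedDict

# type=<TYPE> msg=audit(<ts>:<serial>): <key=value ...>
RECORD_RE = re.compile(
    r'^type=(?P<type>\w+)\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*'
    r'(?P<body>.*)$')
# key=value, where value is either "quoted text" or a bare token
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# audit_log_untrustedstring() emits uppercase hex (no quotes) when the
# string contains '"', a control character or a byte above 0x7e
HEX_RE = re.compile(r'^(?:[0-9A-F]{2})+$')
# fields the kernel writes with audit_log_untrustedstring(); only these may
# be hex-encoded (numeric fields such as exit=18 must not be hex-decoded)
UNTRUSTED_FIELDS = {'xattr', 'comm', 'exe', 'name', 'cwd', 'proctitle'}


def decode_value(key, raw):
    """Return the field's text: strip quotes, or undo the hex encoding."""
    if raw.startswith('"') and raw.endswith('"') and len(raw) >= 2:
        return raw[1:-1]
    if key in UNTRUSTED_FIELDS and HEX_RE.match(raw):
        return bytes.fromhex(raw).decode('latin-1')
    return raw


def parse_record(line):
    """Parse one record line into its type, serial and a dict of fields."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    fields = {k: decode_value(k, v) for k, v in FIELD_RE.findall(m.group('body'))}
    return {'type': m.group('type'), 'ts': m.group('ts'),
            'serial': int(m.group('serial')), 'fields': fields}


def group_events(lines):
    """Group records by serial: every record logged with the syscall's audit
    context shares the serial of that syscall's SYSCALL record."""
    events = OrderedDict()
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            events.setdefault(rec['serial'], []).append(rec)
    return events


def evm_xattr_changes(lines):
    """One entry per INTEGRITY_EVM_XATTR record: the name written, whether it
    was the "." lock request and, if a SYSCALL record shares the serial, who
    performed the write.  linked=False is what a record started with a NULL
    audit context (the pre-patch call) looks like: nothing to attribute it to."""
    result = []
    for serial, recs in group_events(lines).items():
        syscall = next((r for r in recs if r['type'] == 'SYSCALL'), None)
        for rec in recs:
            if rec['type'] != 'INTEGRITY_EVM_XATTR':
                continue
            name = rec['fields'].get('xattr')
            entry = {'serial': serial, 'xattr': name, 'locked': name == '.',
                     'linked': syscall is not None}
            if syscall is not None:
                for k in ('auid', 'uid', 'pid', 'comm', 'exe', 'success'):
                    entry[k] = syscall['fields'].get(k)
            result.append(entry)
    return result


# Constructed sample: serial 200 is a write of "security.apparmor\n" with its
# SYSCALL record; 201 is an orphaned record whose name ("user.a b", which has a
# space) came out hex-encoded and has no SYSCALL record; 202 is the "." lock.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1553626335.101:200): arch=c000003e syscall=1 success=yes exit=18 a0=3 a1=55d1c0 a2=12 a3=0 items=0 ppid=4100 pid=4242 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" key=(null)
type=INTEGRITY_EVM_XATTR msg=audit(1553626335.101:200): xattr="security.apparmor"
type=INTEGRITY_EVM_XATTR msg=audit(1553626335.150:201): xattr=757365722E612062
type=SYSCALL msg=audit(1553626335.200:202): arch=c000003e syscall=1 success=yes exit=2 a0=3 a1=55d1c0 a2=2 a3=0 items=0 ppid=4100 pid=4242 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" key=(null)
type=INTEGRITY_EVM_XATTR msg=audit(1553626335.200:202): xattr="."
"""

if __name__ == '__main__':
    for e in evm_xattr_changes(SAMPLE_LOG.splitlines()):
        who = (f"auid={e['auid']} pid={e['pid']} comm={e['comm']}"
               if e['linked'] else 'UNATTRIBUTED (no SYSCALL record)')
        what = 'locked the list' if e['locked'] else f"added {e['xattr']!r}"
        print(f"serial {e['serial']}: {what} by {who}")
```

Run against the constructed sample, serial 201 comes out unattributed: that is the shape of the record the original `audit_log_start(NULL, ...)` call produced, and it is exactly what the patch's `audit_context()` argument fixes, since with it the SYSCALL record (auid, pid, comm, exe) lands under the same serial as the xattr= record.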