Received: by 2002:a25:ca44:0:0:0:0:0 with SMTP id a65csp27681ybg;
        Mon, 27 Jul 2020 14:34:05 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJxB/vmYSsw5/1SEGjvQ64i8CXi5KN9kyZlQ+8TH9QNuHmUiHOXmKpqdoLVf6MT/VGDJuef2
X-Received: by 2002:a17:906:6d56:: with SMTP id a22mr14715778ejt.440.1595885645529;
        Mon, 27 Jul 2020 14:34:05 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1595885645; cv=none;
        d=google.com; s=arc-20160816;
        b=FVDUWpync/oN/EhPrfBZ2YYFCfzdaDSYsa75MPXQTjvuzNIdupv8qNCL2NpuzH+kXY
         RJIIQC8ssbrko46XOqCvEwxVJAhLjRVAUfo3CFT0/RlzbmY1dY/fBopJvdrCTCeQK6Ok
         otBYTNyEdwPI+KiNJL2ZA6I9h2YMr4VcRiW4YWC5J6tyr9RtZzXomfwuX80MiISbMmyk
         CbMFWjqRaELESfJxAfXdI7utoSjByTaNBBmLlHiJb8L5qSaAjA7UvKyV0LAn7WNOZows
         zTUuhCqSNiWzCddq85MnyWxJWxkbli8eQk2uN4xUy+GAa85XkrQnU1w3VF/Ui3fdX563
         lxCQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:message-id:date:subject:cc:to:from
         :dkim-signature;
        bh=xRQavoTxy6WU9VHdh3GgKlMshVx0eklnqw7rYScM/Kk=;
        b=S62taY4q5a5O+RTqJtbB6ZQEfUwzX5XDkqSkDwlOsKueng+d8v6DxXQPizOU2aCfvg
         R/k0ukR5h95AXVZAOU69x23NHAknwT+Yu1S+v54jA5qSXkweZHWsmty45PmeS8H1nRnn
         ILP9YnM8IW99S/htXOP5Jhh9m7ewlIUZEy1BlcUAp2nblC1/DeNJqPGX9MbT3s+mkkCP
         2EzVVRAvAobzyfW+RCMFoKthNWaHh8ZK52EFfo+VuF/z3CuzcG7ByKjN/a1fmIPcVhb4
         IWC0W+juZpGgVna7f51ycXpd+nYW4mXStx3EwDYuANjia0qwE2Bju0hCoKASiuMNbkVw
         UcJA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=Flsp2quf;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id t3si6318577edw.327.2020.07.27.14.33.43;
        Mon, 27 Jul 2020 14:34:05 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=Flsp2quf;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726738AbgG0Vaj (ORCPT <rfc822;wxiaokuan@gmail.com> + 99 others);
        Mon, 27 Jul 2020 17:30:39 -0400
Received: from us-smtp-2.mimecast.com ([207.211.31.81]:23918 "EHLO
        us-smtp-delivery-1.mimecast.com" rhost-flags-OK-OK-OK-FAIL)
        by vger.kernel.org with ESMTP id S1726183AbgG0Vaj (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 27 Jul 2020 17:30:39 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
        s=mimecast20190719; t=1595885438;
        h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
         to:to:cc:cc; bh=xRQavoTxy6WU9VHdh3GgKlMshVx0eklnqw7rYScM/Kk=;
        b=Flsp2qufDNZifSDdKbYse81JUJj3yik7u9hOeQvq2khpcpOuBX6y7FFogN7nM1qvt9ud5k
        tD+wHb7Q6E4zs3503nkCjrFnZgAU9OJNujV41NS/cICPYt83OCMgJsy+gnaTnp7STssDBp
        nO7oNjWLH059ndByNnzKmYCINyVPTHM=
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com
 [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id
 us-mta-395-TgKhn0k2MF-dUgH99Yy8Qw-1; Mon, 27 Jul 2020 17:30:34 -0400
X-MC-Unique: TgKhn0k2MF-dUgH99Yy8Qw-1
Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.phx2.redhat.com [10.5.11.22])
        (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
        (No client certificate requested)
        by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 8B71B1932490;
        Mon, 27 Jul 2020 21:30:33 +0000 (UTC)
Received: from madcap2.tricolour.ca (unknown [10.10.110.3])
        by smtp.corp.redhat.com (Postfix) with ESMTP id CFBAC10013C4;
        Mon, 27 Jul 2020 21:30:25 +0000 (UTC)
From:   Richard Guy Briggs <rgb@redhat.com>
To:     Linux-Audit Mailing List <linux-audit@redhat.com>,
        LKML <linux-kernel@vger.kernel.org>,
        Linux Security Module list 
        <linux-security-module@vger.kernel.org>
Cc:     Paul Moore <paul@paul-moore.com>, eparis@parisplace.org,
        Richard Guy Briggs <rgb@redhat.com>
Subject: [PATCH V3fix ghak120] audit: initialize context values in case of mandatory events
Date:   Mon, 27 Jul 2020 17:29:59 -0400
Message-Id: <e3e9c9da9115fd233c5a7895dbb4a698a365b1b0.1595884394.git.rgb@redhat.com>
X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Issue ghak120 enabled syscall records to accompany required records when
no rules are present to trigger the storage of syscall context.  A
reported issue showed that the cwd was not always initialized.  That
issue was already resolved, but a review of all other records that could
be triggered at the time of a syscall record revealed other potential
values that could be missing or misleading.  Initialize them.

The fds array is reset to -1 after the first syscall to indicate it
isn't valid any more, but was never set to -1 when the context was
allocated to indicate it wasn't yet valid.

The audit_inode* functions can be called without going through
getname_flags() or getname_kernel() that sets audit_names and cwd, so
set the cwd if it has not already been done so due to audit_names being
valid.

The LSM dump_common_audit_data() LSM_AUDIT_DATA_NET:AF_UNIX case was
missed with the ghak96 patch, so add that case here.

Please see issue https://github.com/linux-audit/audit-kernel/issues/120
Please see issue https://github.com/linux-audit/audit-kernel/issues/96
Passes audit-testsuite.

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 kernel/auditsc.c     | 3 +++
 security/lsm_audit.c | 1 +
 2 files changed, 4 insertions(+)

diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 6884b50069d1..2f97618e6a34 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -929,6 +929,7 @@ static inline struct audit_context *audit_alloc_context(enum audit_state state)
 	context->prio = state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0;
 	INIT_LIST_HEAD(&context->killed_trees);
 	INIT_LIST_HEAD(&context->names_list);
+	context->fds[0] = -1;
 	return context;
 }
 
@@ -2076,6 +2077,7 @@ void __audit_inode(struct filename *name, const struct dentry *dentry,
 	}
 	handle_path(dentry);
 	audit_copy_inode(n, dentry, inode, flags & AUDIT_INODE_NOEVAL);
+	_audit_getcwd(context);
 }
 
 void __audit_file(const struct file *file)
@@ -2194,6 +2196,7 @@ void __audit_inode_child(struct inode *parent,
 		audit_copy_inode(found_child, dentry, inode, 0);
 	else
 		found_child->ino = AUDIT_INO_UNSET;
+	_audit_getcwd(context);
 }
 EXPORT_SYMBOL_GPL(__audit_inode_child);
 
diff --git a/security/lsm_audit.c b/security/lsm_audit.c
index 53d0d183db8f..e93077612246 100644
--- a/security/lsm_audit.c
+++ b/security/lsm_audit.c
@@ -369,6 +369,7 @@ static void dump_common_audit_data(struct audit_buffer *ab,
 					audit_log_untrustedstring(ab, p);
 				else
 					audit_log_n_hex(ab, p, len);
+				audit_getcwd();
 				break;
 			}
 		}
-- 
1.8.3.1