From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Steve Grubb, Paul Moore, Sasha Levin, linux-audit@redhat.com
Subject: [PATCH AUTOSEL 5.4 120/330] audit: CONFIG_CHANGE don't log internal bookkeeping as an event
Date: Thu, 17 Sep 2020 21:57:40 -0400
Message-Id: <20200918020110.2063155-120-sashal@kernel.org>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20200918020110.2063155-1-sashal@kernel.org>
References: <20200918020110.2063155-1-sashal@kernel.org>
MIME-Version: 1.0
X-stable: review
X-Patchwork-Hint: Ignore
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Steve Grubb

[ Upstream commit 70b3eeed49e8190d97139806f6fbaf8964306cdb ]

Common Criteria calls out for any action that modifies the audit trail to be recorded. That usually is interpreted to mean insertion or removal of rules. It is not required to log modification of the inode information since the watch is still in effect. Additionally, if the rule is a never rule and the underlying file is one they do not want events for, they get an event for this bookkeeping update against their wishes.

Since no device/inode info is logged at insertion and no device/inode information is logged on update, there is nothing meaningful being communicated to the admin by the CONFIG_CHANGE updated_rules event. One can assume that the rule was not "modified" because it is still watching the intended target. If the device or inode cannot be resolved, then audit_panic is called which is sufficient.

The correct resolution is to drop logging config_update events since the watch is still in effect but just on another unknown inode.

Signed-off-by: Steve Grubb
Signed-off-by: Paul Moore
Signed-off-by: Sasha Levin
--- kernel/audit_watch.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c index 4508d5e0cf696..8a8fd732ff6d0 100644 --- a/kernel/audit_watch.c +++ b/kernel/audit_watch.c 
@@ -302,8 +302,6 @@ static void audit_update_watch(struct audit_parent *parent, if (oentry->rule.exe) audit_remove_mark(oentry->rule.exe); - audit_watch_log_rule_change(r, owatch, "updated_rules"); - call_rcu(&oentry->rcu, audit_free_rule_rcu); } -- 2.25.1
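
Review bot: The deleted call audit_watch_log_rule_change(r, owatch, "updated_rules") in audit_update_watch() changes what a stable 5.4 kernel writes to the audit log, and the commit message does not state that as a user-visible change. Log consumers that match on the CONFIG_CHANGE updated_rules record will stop seeing it without any error, so a line saying so would help people reviewing the backport. The message also calls these "config_update events" while the string actually removed is "updated_rules"; using one name throughout would make the change easier to search for. The hunk does not show whether r and owatch are still referenced elsewhere in the loop after this deletion, which is worth confirming so the backport does not introduce an unused-variable warning.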