Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp3699159pxk; Tue, 29 Sep 2020 04:09:09 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwPf/B01VX4yjG68I5ngs5iYDcqOnYnme9CAvLcC7FSMkGC+0brV6U1NEEKLfeuwVa8OG7z X-Received: by 2002:a05:6402:142c:: with SMTP id c12mr2717083edx.41.1601377749361; Tue, 29 Sep 2020 04:09:09 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1601377749; cv=none; d=google.com; s=arc-20160816; b=BtENJ+aug+FkHsPyZmJlKu7Odqpq3znIRQZGVDvhSv7rw8FCN1OcPD0rbY3mp+wpDI Eb9zUvACAgJ+3G12GxbTxMM5v7s1nxjFb6E9Bykp10FtcZsAfCNRoaGfBG0rNn3ZBLQ/ dYSH3gs9KtLg+4U6/irqIWY74j2CvwHMiwDJ4+efYsq4tIsVFpE4Tlz6EORCKDiojCLo TDDG2oQgLHklPebJk+wvjg9W+5PlU9DEvAA+29e5tmhTT5mPG8Pm/c66gjjD+pEDDulT JxZPNBSSMYI0IzTX1TU91Pje1TXybpSTn994F3u8JNTqcJxlaheo4eVaAGFh0UrPCDtI 5bXw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=MvmN4L116Xd/EGevqMsNOOBfySB0KWelAvet3nkPcbM=; b=QPfJYOM6WuURLj0HgFWHqxO6FWXTZyQ3SfwiUNxb/zxgc8zUZU9X1bmCYE3BxHzyMC QrW+Znss62CvXwmQLnL6BbNTqBCY1Ee1w3spYyR6aq25sYSrxUEm3ESXVdGyYZ+aPZXo Mhc8srRR4ZHdQ2jaaym6eB21M6QjRlZBaFhKmsWOdtl2UWOF6n25W78IZsNZoreELhHv AyE1lup+jb0/xakPmxhWcMY4JR1iuWcocnHSPi6PFIsdDyFTVsOcmBRP+AjFxBGZfIaF QJuPeuXh2HqeDoqfTzPzpIwYb/Yd9gcz0wZuWLB2/5aSphKoYU+UFTRET0T0B0EZVm9M cXFQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=L2H3KSGY; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id o11si2501424ejx.754.2020.09.29.04.08.46; Tue, 29 Sep 2020 04:09:09 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=L2H3KSGY; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728823AbgI2LGg (ORCPT + 99 others); Tue, 29 Sep 2020 07:06:36 -0400 Received: from mail.kernel.org ([198.145.29.99]:41614 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728706AbgI2LFQ (ORCPT ); Tue, 29 Sep 2020 07:05:16 -0400 Received: from localhost (83-86-74-64.cable.dynamic.v4.ziggo.nl [83.86.74.64]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 37E6421924; Tue, 29 Sep 2020 11:05:15 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1601377515; bh=87+WqOweEGv6JEXprGAxQOqHXrbLFDAJA78HEXX6/N0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=L2H3KSGY8xX3oOsRhBZeLq8VccUJn5D3ZxL5jRXGHTa7P9HAJTE87T/y5nYBTZc+p r4iB7HZ0QYQHwUNxmf9Ut7jE6vUMzXyvXZHbvAw4yZXOXlHRmXFwvKjFnpxXlXNKOs Z9/hLJ8x43hOPQeigmrA4pwI6qPtDO6aDpzbmVDM= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Steve Grubb , Paul Moore , Sasha Levin Subject: [PATCH 4.4 33/85] audit: CONFIG_CHANGE dont log internal bookkeeping as an event Date: Tue, 29 Sep 2020 13:00:00 +0200 Message-Id: <20200929105929.883679131@linuxfoundation.org> X-Mailer: git-send-email 2.28.0 In-Reply-To: <20200929105928.198942536@linuxfoundation.org> References: <20200929105928.198942536@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Steve Grubb [ Upstream commit 70b3eeed49e8190d97139806f6fbaf8964306cdb ] Common Criteria calls out for any action that modifies the audit trail to be recorded. That usually is interpreted to mean insertion or removal of rules. It is not required to log modification of the inode information since the watch is still in effect. Additionally, if the rule is a never rule and the underlying file is one they do not want events for, they get an event for this bookkeeping update against their wishes. Since no device/inode info is logged at insertion and no device/inode information is logged on update, there is nothing meaningful being communicated to the admin by the CONFIG_CHANGE updated_rules event. One can assume that the rule was not "modified" because it is still watching the intended target. If the device or inode cannot be resolved, then audit_panic is called which is sufficient. The correct resolution is to drop logging config_update events since the watch is still in effect but just on another unknown inode. Signed-off-by: Steve Grubb Signed-off-by: Paul Moore Signed-off-by: Sasha Levin --- kernel/audit_watch.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c index f45a9a5d3e47a..af453f3c2b3dd 100644 --- a/kernel/audit_watch.c +++ b/kernel/audit_watch.c @@ -316,8 +316,6 @@ static void audit_update_watch(struct audit_parent *parent, if (oentry->rule.exe) audit_remove_mark(oentry->rule.exe); - audit_watch_log_rule_change(r, owatch, "updated_rules"); - call_rcu(&oentry->rcu, audit_free_rule_rcu); } -- 2.25.1