[PATCH] integrity: get comm using lock to avoid race in string printing

[PATCH] integrity: get comm using lock to avoid race in string printing

[Richard Guy Briggs]

When task->comm is passed directly to audit_log_untrustedstring() without
getting a copy or using the task_lock, there is a race that could happen that
would output a NULL (\0) in the output string that would effectively truncate
the rest of the report text after the comm= field in the audit, losing fields.

Use get_task_comm() to get a copy while acquiring the task_lock to prevent
this and to prevent the result from being a mixture of old and new values of
comm.

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 security/integrity/integrity_audit.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/security/integrity/integrity_audit.c b/security/integrity/integrity_audit.c
index 85253b5..11706a2 100644
--- a/security/integrity/integrity_audit.c
+++ b/security/integrity/integrity_audit.c
@@ -33,6 +33,7 @@ void integrity_audit_msg(int audit_msgno, struct inode *inode,
 			 const char *cause, int result, int audit_info)
 {
 	struct audit_buffer *ab;
+	char comm[sizeof(current->comm)];
 
 	if (!integrity_audit_info && audit_info == 1)	/* Skip info messages */
 		return;
@@ -49,7 +50,7 @@ void integrity_audit_msg(int audit_msgno, struct inode *inode,
 	audit_log_format(ab, " cause=");
 	audit_log_string(ab, cause);
 	audit_log_format(ab, " comm=");
-	audit_log_untrustedstring(ab, current->comm);
+	audit_log_untrustedstring(ab, get_task_comm(comm, current));
 	if (fname) {
 		audit_log_format(ab, " name=");
 		audit_log_untrustedstring(ab, fname);
-- 
1.7.1

[PATCH] integrity: get comm using lock to avoid race in string printing

[Richard Guy Briggs]

When task->comm is passed directly to audit_log_untrustedstring() without
getting a copy or using the task_lock, there is a race that could happen that
would output a NULL (\0) in the output string that would effectively truncate
the rest of the report text after the comm= field in the audit, losing fields.

Use get_task_comm() to get a copy while acquiring the task_lock to prevent
this and to prevent the result from being a mixture of old and new values of
comm.

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 security/integrity/integrity_audit.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/security/integrity/integrity_audit.c b/security/integrity/integrity_audit.c
index 85253b5..11706a2 100644
--- a/security/integrity/integrity_audit.c
+++ b/security/integrity/integrity_audit.c
@@ -33,6 +33,7 @@ void integrity_audit_msg(int audit_msgno, struct inode *inode,
 			 const char *cause, int result, int audit_info)
 {
 	struct audit_buffer *ab;
+	char comm[sizeof(current->comm)];
 
 	if (!integrity_audit_info && audit_info == 1)	/* Skip info messages */
 		return;
@@ -49,7 +50,7 @@ void integrity_audit_msg(int audit_msgno, struct inode *inode,
 	audit_log_format(ab, " cause=");
 	audit_log_string(ab, cause);
 	audit_log_format(ab, " comm=");
-	audit_log_untrustedstring(ab, current->comm);
+	audit_log_untrustedstring(ab, get_task_comm(comm, current));
 	if (fname) {
 		audit_log_format(ab, " name=");
 		audit_log_untrustedstring(ab, fname);
-- 
1.7.1

Re: [PATCH] integrity: get comm using lock to avoid race in string printing

[Mimi Zohar]

On Wed, 2014-04-02 at 12:19 -0400, Richard Guy Briggs wrote: 
> When task->comm is passed directly to audit_log_untrustedstring() without
> getting a copy or using the task_lock, there is a race that could happen that
> would output a NULL (\0) in the output string that would effectively truncate
> the rest of the report text after the comm= field in the audit, losing fields.
> 
> Use get_task_comm() to get a copy while acquiring the task_lock to prevent
> this and to prevent the result from being a mixture of old and new values of
> comm.
> 
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> ---
>  security/integrity/integrity_audit.c |    3 ++-
>  1 files changed, 2 insertions(+), 1 deletions(-)
> 
> diff --git a/security/integrity/integrity_audit.c b/security/integrity/integrity_audit.c
> index 85253b5..11706a2 100644
> --- a/security/integrity/integrity_audit.c
> +++ b/security/integrity/integrity_audit.c
> @@ -33,6 +33,7 @@ void integrity_audit_msg(int audit_msgno, struct inode *inode,
>  			 const char *cause, int result, int audit_info)
>  {
>  	struct audit_buffer *ab;
> +	char comm[sizeof(current->comm)];
> 
>  	if (!integrity_audit_info && audit_info == 1)	/* Skip info messages */
>  		return;
> @@ -49,7 +50,7 @@ void integrity_audit_msg(int audit_msgno, struct inode *inode,
>  	audit_log_format(ab, " cause=");
>  	audit_log_string(ab, cause);
>  	audit_log_format(ab, " comm=");
> -	audit_log_untrustedstring(ab, current->comm);
> +	audit_log_untrustedstring(ab, get_task_comm(comm, current));
>  	if (fname) {
>  		audit_log_format(ab, " name=");
>  		audit_log_untrustedstring(ab, fname);

This change is already being upstreamed as commit 73a6b44 "Integrity:
Pass commname via get_task_comm()".

thanks,

Mimi

Re: [PATCH] integrity: get comm using lock to avoid race in string printing

[Steve Grubb]

Hello Mimi,

On Wednesday, April 02, 2014 01:39:47 PM Mimi Zohar wrote:
> This change is already being upstreamed as commit 73a6b44 "Integrity:
> Pass commname via get_task_comm()".

While I was looking at Richard's patch, I noticed a few places where cause and 
op are logged and the string isn't tied together with a _ or -. These are in 
ima/ima_appraise.c line 383, and ima/ima_policy.c lines 333, 657, and 683. Are 
these fixed upstream? Or should a patch be made?

Thanks,
-Steve

Re: [PATCH] integrity: get comm using lock to avoid race in string printing

[Steve Grubb]

Hello Mimi,

On Wednesday, April 02, 2014 01:39:47 PM Mimi Zohar wrote:
> This change is already being upstreamed as commit 73a6b44 "Integrity:
> Pass commname via get_task_comm()".

While I was looking at Richard's patch, I noticed a few places where cause and 
op are logged and the string isn't tied together with a _ or -. These are in 
ima/ima_appraise.c line 383, and ima/ima_policy.c lines 333, 657, and 683. Are 
these fixed upstream? Or should a patch be made?

Thanks,
-Steve

Re: [PATCH] integrity: get comm using lock to avoid race in string printing

[Mimi Zohar]

On Wed, 2014-04-02 at 14:00 -0400, Steve Grubb wrote: 
> Hello Mimi,
> 
> On Wednesday, April 02, 2014 01:39:47 PM Mimi Zohar wrote:
> > This change is already being upstreamed as commit 73a6b44 "Integrity:
> > Pass commname via get_task_comm()".
> 
> While I was looking at Richard's patch, I noticed a few places where cause and 
> op are logged and the string isn't tied together with a _ or -. These are in 
> ima/ima_appraise.c line 383, and ima/ima_policy.c lines 333, 657, and 683. Are 
> these fixed upstream? Or should a patch be made?

Nothing has changed in terms of 'cause' and 'op'.  I would suggest
making the changes in integrity_audit.c: integrity_audit_msg().

thanks,

Mimi

Re: [PATCH] integrity: get comm using lock to avoid race in string printing

[Mimi Zohar]

On Wed, 2014-04-02 at 14:00 -0400, Steve Grubb wrote: 
> Hello Mimi,
> 
> On Wednesday, April 02, 2014 01:39:47 PM Mimi Zohar wrote:
> > This change is already being upstreamed as commit 73a6b44 "Integrity:
> > Pass commname via get_task_comm()".
> 
> While I was looking at Richard's patch, I noticed a few places where cause and 
> op are logged and the string isn't tied together with a _ or -. These are in 
> ima/ima_appraise.c line 383, and ima/ima_policy.c lines 333, 657, and 683. Are 
> these fixed upstream? Or should a patch be made?

Nothing has changed in terms of 'cause' and 'op'.  I would suggest
making the changes in integrity_audit.c: integrity_audit_msg().

thanks,

Mimi

Re: [PATCH] integrity: get comm using lock to avoid race in string printing

[Eric Paris]

On Wed, 2014-04-02 at 14:12 -0400, Mimi Zohar wrote:
> On Wed, 2014-04-02 at 14:00 -0400, Steve Grubb wrote: 
> > Hello Mimi,
> > 
> > On Wednesday, April 02, 2014 01:39:47 PM Mimi Zohar wrote:
> > > This change is already being upstreamed as commit 73a6b44 "Integrity:
> > > Pass commname via get_task_comm()".
> > 
> > While I was looking at Richard's patch, I noticed a few places where cause and 
> > op are logged and the string isn't tied together with a _ or -. These are in 
> > ima/ima_appraise.c line 383, and ima/ima_policy.c lines 333, 657, and 683. Are 
> > these fixed upstream? Or should a patch be made?
> 
> Nothing has changed in terms of 'cause' and 'op'.  I would suggest
> making the changes in integrity_audit.c: integrity_audit_msg().

The question is actually, do you know of anyone who is expecting the
space, instead of a more 'audit standard' - or _ ?  If not, we'll change
it.  If so, we'll discuss more   :)

-Eric

Re: [PATCH] integrity: get comm using lock to avoid race in string printing

[Eric Paris]

On Wed, 2014-04-02 at 14:12 -0400, Mimi Zohar wrote:
> On Wed, 2014-04-02 at 14:00 -0400, Steve Grubb wrote: 
> > Hello Mimi,
> > 
> > On Wednesday, April 02, 2014 01:39:47 PM Mimi Zohar wrote:
> > > This change is already being upstreamed as commit 73a6b44 "Integrity:
> > > Pass commname via get_task_comm()".
> > 
> > While I was looking at Richard's patch, I noticed a few places where cause and 
> > op are logged and the string isn't tied together with a _ or -. These are in 
> > ima/ima_appraise.c line 383, and ima/ima_policy.c lines 333, 657, and 683. Are 
> > these fixed upstream? Or should a patch be made?
> 
> Nothing has changed in terms of 'cause' and 'op'.  I would suggest
> making the changes in integrity_audit.c: integrity_audit_msg().

The question is actually, do you know of anyone who is expecting the
space, instead of a more 'audit standard' - or _ ?  If not, we'll change
it.  If so, we'll discuss more   :)

-Eric

Re: [PATCH] integrity: get comm using lock to avoid race in string printing

[Mimi Zohar]

On Wed, 2014-04-02 at 14:18 -0400, Eric Paris wrote: 
> On Wed, 2014-04-02 at 14:12 -0400, Mimi Zohar wrote:
> > On Wed, 2014-04-02 at 14:00 -0400, Steve Grubb wrote: 
> > > Hello Mimi,
> > > 
> > > On Wednesday, April 02, 2014 01:39:47 PM Mimi Zohar wrote:
> > > > This change is already being upstreamed as commit 73a6b44 "Integrity:
> > > > Pass commname via get_task_comm()".
> > > 
> > > While I was looking at Richard's patch, I noticed a few places where cause and 
> > > op are logged and the string isn't tied together with a _ or -. These are in 
> > > ima/ima_appraise.c line 383, and ima/ima_policy.c lines 333, 657, and 683. Are 
> > > these fixed upstream? Or should a patch be made?
> > 
> > Nothing has changed in terms of 'cause' and 'op'.  I would suggest
> > making the changes in integrity_audit.c: integrity_audit_msg().
> 
> The question is actually, do you know of anyone who is expecting the
> space, instead of a more 'audit standard' - or _ ?  If not, we'll change
> it.  If so, we'll discuss more   :)

CC'ing linux-ima-user as well.

Mimi

Re: [PATCH] integrity: get comm using lock to avoid race in string printing

[Mimi Zohar]

On Wed, 2014-04-02 at 14:18 -0400, Eric Paris wrote: 
> On Wed, 2014-04-02 at 14:12 -0400, Mimi Zohar wrote:
> > On Wed, 2014-04-02 at 14:00 -0400, Steve Grubb wrote: 
> > > Hello Mimi,
> > > 
> > > On Wednesday, April 02, 2014 01:39:47 PM Mimi Zohar wrote:
> > > > This change is already being upstreamed as commit 73a6b44 "Integrity:
> > > > Pass commname via get_task_comm()".
> > > 
> > > While I was looking at Richard's patch, I noticed a few places where cause and 
> > > op are logged and the string isn't tied together with a _ or -. These are in 
> > > ima/ima_appraise.c line 383, and ima/ima_policy.c lines 333, 657, and 683. Are 
> > > these fixed upstream? Or should a patch be made?
> > 
> > Nothing has changed in terms of 'cause' and 'op'.  I would suggest
> > making the changes in integrity_audit.c: integrity_audit_msg().
> 
> The question is actually, do you know of anyone who is expecting the
> space, instead of a more 'audit standard' - or _ ?  If not, we'll change
> it.  If so, we'll discuss more   :)

CC'ing linux-ima-user as well.

Mimi

oraphaned keywords in audit log text [was: Re: [PATCH] integrity: get comm using lock to avoid race in string] printing

[Richard Guy Briggs]

On 14/04/02, Mimi Zohar wrote:
> On Wed, 2014-04-02 at 14:18 -0400, Eric Paris wrote: 
> > On Wed, 2014-04-02 at 14:12 -0400, Mimi Zohar wrote:
> > > On Wed, 2014-04-02 at 14:00 -0400, Steve Grubb wrote: 
> > > > Hello Mimi,
> > > > 
> > > > On Wednesday, April 02, 2014 01:39:47 PM Mimi Zohar wrote:
> > > > > This change is already being upstreamed as commit 73a6b44 "Integrity:
> > > > > Pass commname via get_task_comm()".
> > > > 
> > > > While I was looking at Richard's patch, I noticed a few places where cause and 
> > > > op are logged and the string isn't tied together with a _ or -. These are in 
> > > > ima/ima_appraise.c line 383, and ima/ima_policy.c lines 333, 657, and 683. Are 
> > > > these fixed upstream? Or should a patch be made?
> > > 
> > > Nothing has changed in terms of 'cause' and 'op'.  I would suggest
> > > making the changes in integrity_audit.c: integrity_audit_msg().

That function could massage incoming text fields and convert spaces to
hyphens or underscores, but I'd assume the right place to do it would be
in the original text.  If you suggest the former, it could just be done
in audit_log_string(), but then grepping the source for error messages
would not be nearly as useful.  Is this what you were suggesting?

> > The question is actually, do you know of anyone who is expecting the
> > space, instead of a more 'audit standard' - or _ ?  If not, we'll change
> > it.  If so, we'll discuss more   :)
> 
> CC'ing linux-ima-user as well.

Thanks.

> Mimi

- RGB

--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545

Re: oraphaned keywords in audit log text [was: Re: [PATCH] integrity: get comm using lock to avoid race in string] printing

[Richard Guy Briggs]

On 14/04/02, Richard Guy Briggs wrote:
> On 14/04/02, Mimi Zohar wrote:
> > On Wed, 2014-04-02 at 14:18 -0400, Eric Paris wrote: 
> > > On Wed, 2014-04-02 at 14:12 -0400, Mimi Zohar wrote:
> > > > On Wed, 2014-04-02 at 14:00 -0400, Steve Grubb wrote: 
> > > > > Hello Mimi,
> > > > > 
> > > > > On Wednesday, April 02, 2014 01:39:47 PM Mimi Zohar wrote:
> > > > > > This change is already being upstreamed as commit 73a6b44 "Integrity:
> > > > > > Pass commname via get_task_comm()".
> > > > > 
> > > > > While I was looking at Richard's patch, I noticed a few places where cause and 
> > > > > op are logged and the string isn't tied together with a _ or -. These are in 
> > > > > ima/ima_appraise.c line 383, and ima/ima_policy.c lines 333, 657, and 683. Are 
> > > > > these fixed upstream? Or should a patch be made?
> > > > 
> > > > Nothing has changed in terms of 'cause' and 'op'.  I would suggest
> > > > making the changes in integrity_audit.c: integrity_audit_msg().
> 
> That function could massage incoming text fields and convert spaces to
> hyphens or underscores, but I'd assume the right place to do it would be
> in the original text.  If you suggest the former, it could just be done
> in audit_log_string(), but then grepping the source for error messages
> would not be nearly as useful.  Is this what you were suggesting?
> 
> > > The question is actually, do you know of anyone who is expecting the
> > > space, instead of a more 'audit standard' - or _ ?  If not, we'll change
> > > it.  If so, we'll discuss more   :)
> > 
> > CC'ing linux-ima-user as well.
> 
> Thanks.

Was there any response from linux-ima-user?

> > Mimi
> 
> - RGB

- RGB

--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545

Re: [Linux-ima-user] oraphaned keywords in audit log text [was: Re: [PATCH] integrity: get comm using lock to avoid race in string] printing

[Dmitry Kasatkin]

On 14 June 2014 03:02, Richard Guy Briggs <rgb@redhat.com> wrote:
> On 14/04/02, Richard Guy Briggs wrote:
>> On 14/04/02, Mimi Zohar wrote:
>> > On Wed, 2014-04-02 at 14:18 -0400, Eric Paris wrote:
>> > > On Wed, 2014-04-02 at 14:12 -0400, Mimi Zohar wrote:
>> > > > On Wed, 2014-04-02 at 14:00 -0400, Steve Grubb wrote:
>> > > > > Hello Mimi,
>> > > > >
>> > > > > On Wednesday, April 02, 2014 01:39:47 PM Mimi Zohar wrote:
>> > > > > > This change is already being upstreamed as commit 73a6b44 "Integrity:
>> > > > > > Pass commname via get_task_comm()".
>> > > > >
>> > > > > While I was looking at Richard's patch, I noticed a few places where cause and
>> > > > > op are logged and the string isn't tied together with a _ or -. These are in
>> > > > > ima/ima_appraise.c line 383, and ima/ima_policy.c lines 333, 657, and 683. Are
>> > > > > these fixed upstream? Or should a patch be made?
>> > > >
>> > > > Nothing has changed in terms of 'cause' and 'op'.  I would suggest
>> > > > making the changes in integrity_audit.c: integrity_audit_msg().
>>
>> That function could massage incoming text fields and convert spaces to
>> hyphens or underscores, but I'd assume the right place to do it would be
>> in the original text.  If you suggest the former, it could just be done
>> in audit_log_string(), but then grepping the source for error messages
>> would not be nearly as useful.  Is this what you were suggesting?
>>
>> > > The question is actually, do you know of anyone who is expecting the
>> > > space, instead of a more 'audit standard' - or _ ?  If not, we'll change
>> > > it.  If so, we'll discuss more   :)
>> >
>> > CC'ing linux-ima-user as well.
>>
>> Thanks.
>
> Was there any response from linux-ima-user?
>
>> > Mimi
>>
>> - RGB
>

Hi,

I will find this patch and have a look.

Thanks,

Dmitry

> - RGB
>
> --
> Richard Guy Briggs <rbriggs@redhat.com>
> Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
> Remote, Ottawa, Canada
> Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
>
> ------------------------------------------------------------------------------
> HPCC Systems Open Source Big Data Platform from LexisNexis Risk Solutions
> Find What Matters Most in Your Big Data with HPCC Systems
> Open Source. Fast. Scalable. Simple. Ideal for Dirty Data.
> Leverages Graph Analysis for Fast Processing & Easy Data Exploration
> http://p.sf.net/sfu/hpccsystems
> _______________________________________________
> Linux-ima-user mailing list
> Linux-ima-user@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/linux-ima-user



-- 
Thanks,
Dmitry

Re: [Linux-ima-user] oraphaned keywords in audit log text [was: Re: [PATCH] integrity: get comm using lock to avoid race in string] printing

[Mimi Zohar]

On Sat, 2014-06-14 at 12:43 +0300, Dmitry Kasatkin wrote: 
> On 14 June 2014 03:02, Richard Guy Briggs <rgb@redhat.com> wrote:
> > On 14/04/02, Richard Guy Briggs wrote:
> >> On 14/04/02, Mimi Zohar wrote:
> >> > On Wed, 2014-04-02 at 14:18 -0400, Eric Paris wrote:
> >> > > On Wed, 2014-04-02 at 14:12 -0400, Mimi Zohar wrote:
> >> > > > On Wed, 2014-04-02 at 14:00 -0400, Steve Grubb wrote:
> >> > > > > Hello Mimi,
> >> > > > >
> >> > > > > On Wednesday, April 02, 2014 01:39:47 PM Mimi Zohar wrote:
> >> > > > > > This change is already being upstreamed as commit 73a6b44 "Integrity:
> >> > > > > > Pass commname via get_task_comm()".
> >> > > > >
> >> > > > > While I was looking at Richard's patch, I noticed a few places where cause and
> >> > > > > op are logged and the string isn't tied together with a _ or -. These are in
> >> > > > > ima/ima_appraise.c line 383, and ima/ima_policy.c lines 333, 657, and 683. Are
> >> > > > > these fixed upstream? Or should a patch be made?
> >> > > >
> >> > > > Nothing has changed in terms of 'cause' and 'op'.  I would suggest
> >> > > > making the changes in integrity_audit.c: integrity_audit_msg().
> >>
> >> That function could massage incoming text fields and convert spaces to
> >> hyphens or underscores, but I'd assume the right place to do it would be
> >> in the original text.  If you suggest the former, it could just be done
> >> in audit_log_string(), but then grepping the source for error messages
> >> would not be nearly as useful.  Is this what you were suggesting?
> >>
> >> > > The question is actually, do you know of anyone who is expecting the
> >> > > space, instead of a more 'audit standard' - or _ ?  If not, we'll change
> >> > > it.  If so, we'll discuss more   :)
> >> >
> >> > CC'ing linux-ima-user as well.
> >>
> >> Thanks.
> >
> > Was there any response from linux-ima-user?
> >
> >> > Mimi
> >>
> >> - RGB
> >
> 
> Hi,
> 
> I will find this patch and have a look.

As nobody has responded, I would assume it is safe to change.

Mimi

Re: [Linux-ima-user] oraphaned keywords in audit log text [was: Re: [PATCH] integrity: get comm using lock to avoid race in string] printing

[Richard Guy Briggs]

On 14/06/14, Mimi Zohar wrote:
> On Sat, 2014-06-14 at 12:43 +0300, Dmitry Kasatkin wrote: 
> > On 14 June 2014 03:02, Richard Guy Briggs <rgb@redhat.com> wrote:
> > > On 14/04/02, Richard Guy Briggs wrote:
> > >> On 14/04/02, Mimi Zohar wrote:
> > >> > On Wed, 2014-04-02 at 14:18 -0400, Eric Paris wrote:
> > >> > > On Wed, 2014-04-02 at 14:12 -0400, Mimi Zohar wrote:
> > >> > > > On Wed, 2014-04-02 at 14:00 -0400, Steve Grubb wrote:
> > >> > > > > Hello Mimi,
> > >> > > > >
> > >> > > > > On Wednesday, April 02, 2014 01:39:47 PM Mimi Zohar wrote:
> > >> > > > > > This change is already being upstreamed as commit 73a6b44 "Integrity:
> > >> > > > > > Pass commname via get_task_comm()".
> > >> > > > >
> > >> > > > > While I was looking at Richard's patch, I noticed a few places where cause and
> > >> > > > > op are logged and the string isn't tied together with a _ or -. These are in
> > >> > > > > ima/ima_appraise.c line 383, and ima/ima_policy.c lines 333, 657, and 683. Are
> > >> > > > > these fixed upstream? Or should a patch be made?
> > >> > > >
> > >> > > > Nothing has changed in terms of 'cause' and 'op'.  I would suggest
> > >> > > > making the changes in integrity_audit.c: integrity_audit_msg().
> > >>
> > >> That function could massage incoming text fields and convert spaces to
> > >> hyphens or underscores, but I'd assume the right place to do it would be
> > >> in the original text.  If you suggest the former, it could just be done
> > >> in audit_log_string(), but then grepping the source for error messages
> > >> would not be nearly as useful.  Is this what you were suggesting?
> > >>
> > >> > > The question is actually, do you know of anyone who is expecting the
> > >> > > space, instead of a more 'audit standard' - or _ ?  If not, we'll change
> > >> > > it.  If so, we'll discuss more   :)
> > >> >
> > >> > CC'ing linux-ima-user as well.
> > >>
> > >> Thanks.
> > >
> > > Was there any response from linux-ima-user?
> > >
> > >> > Mimi
> > >>
> > >> - RGB
> > >
> > 
> > Hi,
> > 
> > I will find this patch and have a look.
> 
> As nobody has responded, I would assume it is safe to change.

Thanks!  :)

> Mimi

- RGB

--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545

Re: [PATCH] integrity: get comm using lock to avoid race in string printing

[Richard Guy Briggs]

On 14/04/02, Mimi Zohar wrote:
> On Wed, 2014-04-02 at 12:19 -0400, Richard Guy Briggs wrote: 
> > When task->comm is passed directly to audit_log_untrustedstring() without
> > getting a copy or using the task_lock, there is a race that could happen that
> > would output a NULL (\0) in the output string that would effectively truncate
> > the rest of the report text after the comm= field in the audit, losing fields.
> > 
> > Use get_task_comm() to get a copy while acquiring the task_lock to prevent
> > this and to prevent the result from being a mixture of old and new values of
> > comm.
> > 
> > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> > ---
> >  security/integrity/integrity_audit.c |    3 ++-
> >  1 files changed, 2 insertions(+), 1 deletions(-)
> > 
> > diff --git a/security/integrity/integrity_audit.c b/security/integrity/integrity_audit.c
> > index 85253b5..11706a2 100644
> > --- a/security/integrity/integrity_audit.c
> > +++ b/security/integrity/integrity_audit.c
> > @@ -33,6 +33,7 @@ void integrity_audit_msg(int audit_msgno, struct inode *inode,
> >  			 const char *cause, int result, int audit_info)
> >  {
> >  	struct audit_buffer *ab;
> > +	char comm[sizeof(current->comm)];
> > 
> >  	if (!integrity_audit_info && audit_info == 1)	/* Skip info messages */
> >  		return;
> > @@ -49,7 +50,7 @@ void integrity_audit_msg(int audit_msgno, struct inode *inode,
> >  	audit_log_format(ab, " cause=");
> >  	audit_log_string(ab, cause);
> >  	audit_log_format(ab, " comm=");
> > -	audit_log_untrustedstring(ab, current->comm);
> > +	audit_log_untrustedstring(ab, get_task_comm(comm, current));
> >  	if (fname) {
> >  		audit_log_format(ab, " name=");
> >  		audit_log_untrustedstring(ab, fname);
> 
> This change is already being upstreamed as commit 73a6b44 "Integrity:
> Pass commname via get_task_comm()".

Excellent.  Missed that.  Thanks.

> thanks,
> 
> Mimi

- RGB

--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545