From mboxrd@z Thu Jan 1 00:00:00 1970
From: Mimi Zohar
Subject: Re: [PATCH ghak109 V2] audit: link integrity evm_write_xattrs record to syscall event
Date: Wed, 27 Mar 2019 11:04:08 -0400
Message-ID: <1553699048.4154.1.camel@linux.ibm.com>
References: <087489b21e50bcda65c6af3e038394d5bfe09e00.1553626080.git.rgb@redhat.com> <1553632830.4233.3.camel@linux.ibm.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Return-path:
In-Reply-To:
Sender: linux-kernel-owner@vger.kernel.org
To: Paul Moore
Cc: Richard Guy Briggs, linux-integrity@vger.kernel.org,
 linux-security-module@vger.kernel.org, Linux-Audit Mailing List, LKML,
 sgrubb@redhat.com, omosnace@redhat.com, Eric Paris, Serge Hallyn,
 mjg59@google.com
List-Id: linux-audit@redhat.com

On Tue, 2019-03-26 at 19:58 -0400, Paul Moore wrote:
> On Tue, Mar 26, 2019 at 4:40 PM Mimi Zohar wrote:
> >
> > Hi Richard, Paul,
> >
> > On Tue, 2019-03-26 at 14:49 -0400, Richard Guy Briggs wrote:
> > > In commit fa516b66a1bf ("EVM: Allow runtime modification of the set of
> > > verified xattrs"), the call to audit_log_start() is missing a context to
> > > link it to an audit event. Since this event is in user context, add
> > > the process' syscall context to the record.
> > >
> > > In addition, the orphaned keyword "locked" appears in the record.
> > > Normalize this by changing it to logging the locking string "." as any
> > > other user input in the "xattr=" field.
> > >
> > > Please see the github issue
> > > https://github.com/linux-audit/audit-kernel/issues/109
> > >
> > > Signed-off-by: Richard Guy Briggs
> >
> > Acked-by: Mimi Zohar
> >
> > Paul, were you planning on upstreaming this patch?
>
> Yep, unless you would rather do it?

No, that's fine. Thanks!

Mimi