From: Vladis Dronov <vdronov@redhat.com>
To: Casey Schaufler <casey@schaufler-ca.com>,
Richard Guy Briggs <rgb@redhat.com>
Cc: James Morris <jmorris@namei.org>,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org, linux-audit@redhat.com,
"Serge E . Hallyn" <serge@hallyn.com>
Subject: Re: [PATCH ghak96] audit: set cwd in audit context for file-related LSM audit records
Date: Thu, 2 Apr 2020 12:31:21 -0400 (EDT) [thread overview]
Message-ID: <1800109401.20260657.1585845081366.JavaMail.zimbra@redhat.com> (raw)
In-Reply-To: <2d7174b1-115f-b86f-8054-a5caef4b69ff@schaufler-ca.com>
Hello, Casey, all,
----- Original Message -----
> From: "Casey Schaufler" <casey@schaufler-ca.com>
> Subject: Re: [PATCH ghak96] audit: set cwd in audit context for file-related LSM audit records
>
> On 4/2/2020 7:13 AM, Vladis Dronov wrote:
> > Set a current working directory in an audit context for the following
> > record
> > types in dump_common_audit_data(): LSM_AUDIT_DATA_PATH,
> > LSM_AUDIT_DATA_FILE,
> > LSM_AUDIT_DATA_IOCTL_OP, LSM_AUDIT_DATA_DENTRY, LSM_AUDIT_DATA_INODE so a
> > separate CWD record is emitted later.
> >
> > Link: https://github.com/linux-audit/audit-kernel/issues/96
>
> I don't have a problem with the patch, but it sure would be nice
> if you explained why these events "could use a CWD record".
(adding Richard Guy Briggs <rgb@redhat.com> which I should have been done earlier)
I would agree, adding "cwd=" field in the LSM record itself is simpler to me.
Unfortunately, all I can say for now is "The intent was a separate CWD record,
that is already defined" requirement from the ghak#96 issue.
Richard, could you, please, clarify since you've posted this requirement in
the ghak#96's description?
> > Signed-off-by: Vladis Dronov <vdronov@redhat.com>
> > ---
> > out-of-commit-message-note:
> >
> > Hello,
> > Honestly, I'm not sure about "if (!context->in_syscall)" check in
> > __audit_getcwd(). It was copied from __audit_getname() and I do
> > not quite understand why it is there and if __audit_getcwd() needs
> > it. If you have an idea on this, could you please, tell?
> >
> > include/linux/audit.h | 9 ++++++++-
> > kernel/auditsc.c | 17 +++++++++++++++++
> > security/lsm_audit.c | 5 +++++
> > 3 files changed, 30 insertions(+), 1 deletion(-)
> >
> > diff --git a/include/linux/audit.h b/include/linux/audit.h
> > index f9ceae57ca8d..b4306abc5891 100644
> > --- a/include/linux/audit.h
> > +++ b/include/linux/audit.h
> > @@ -268,7 +268,7 @@ extern void __audit_syscall_entry(int major, unsigned
> > long a0, unsigned long a1,
> > extern void __audit_syscall_exit(int ret_success, long ret_value);
> > extern struct filename *__audit_reusename(const __user char *uptr);
> > extern void __audit_getname(struct filename *name);
> > -
> > +extern void __audit_getcwd(void);
> > extern void __audit_inode(struct filename *name, const struct dentry
> > *dentry,
> > unsigned int flags);
> > extern void __audit_file(const struct file *);
> > @@ -327,6 +327,11 @@ static inline void audit_getname(struct filename
> > *name)
> > if (unlikely(!audit_dummy_context()))
> > __audit_getname(name);
> > }
> > +static inline void audit_getcwd(void)
> > +{
> > + if (unlikely(!audit_dummy_context()))
> > + __audit_getcwd();
> > +}
> > static inline void audit_inode(struct filename *name,
> > const struct dentry *dentry,
> > unsigned int aflags) {
> > @@ -545,6 +550,8 @@ static inline struct filename *audit_reusename(const
> > __user char *name)
> > }
> > static inline void audit_getname(struct filename *name)
> > { }
> > +static inline void audit_getcwd(void)
> > +{ }
> > static inline void __audit_inode(struct filename *name,
> > const struct dentry *dentry,
> > unsigned int flags)
> > diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> > index 814406a35db1..16316032ef9f 100644
> > --- a/kernel/auditsc.c
> > +++ b/kernel/auditsc.c
> > @@ -1890,6 +1890,23 @@ void __audit_getname(struct filename *name)
> > get_fs_pwd(current->fs, &context->pwd);
> > }
> >
> > +/**
> > + * __audit_getcwd - set a current working directory
> > + *
> > + * Set a current working directory of an audited process for this context.
> > + * Called from security/lsm_audit.c:dump_common_audit_data().
> > + */
> > +void __audit_getcwd(void)
> > +{
> > + struct audit_context *context = audit_context();
> > +
> > + if (!context->in_syscall)
> > + return;
> > +
> > + if (!context->pwd.dentry)
> > + get_fs_pwd(current->fs, &context->pwd);
> > +}
> > +
> > static inline int audit_copy_fcaps(struct audit_names *name,
> > const struct dentry *dentry)
> > {
> > diff --git a/security/lsm_audit.c b/security/lsm_audit.c
> > index 2d2bf49016f4..7c555621c2bd 100644
> > --- a/security/lsm_audit.c
> > +++ b/security/lsm_audit.c
> > @@ -241,6 +241,7 @@ static void dump_common_audit_data(struct audit_buffer
> > *ab,
> > audit_log_untrustedstring(ab, inode->i_sb->s_id);
> > audit_log_format(ab, " ino=%lu", inode->i_ino);
> > }
> > + audit_getcwd();
> > break;
> > }
> > case LSM_AUDIT_DATA_FILE: {
> > @@ -254,6 +255,7 @@ static void dump_common_audit_data(struct audit_buffer
> > *ab,
> > audit_log_untrustedstring(ab, inode->i_sb->s_id);
> > audit_log_format(ab, " ino=%lu", inode->i_ino);
> > }
> > + audit_getcwd();
> > break;
> > }
> > case LSM_AUDIT_DATA_IOCTL_OP: {
> > @@ -269,6 +271,7 @@ static void dump_common_audit_data(struct audit_buffer
> > *ab,
> > }
> >
> > audit_log_format(ab, " ioctlcmd=0x%hx", a->u.op->cmd);
> > + audit_getcwd();
> > break;
> > }
> > case LSM_AUDIT_DATA_DENTRY: {
> > @@ -283,6 +286,7 @@ static void dump_common_audit_data(struct audit_buffer
> > *ab,
> > audit_log_untrustedstring(ab, inode->i_sb->s_id);
> > audit_log_format(ab, " ino=%lu", inode->i_ino);
> > }
> > + audit_getcwd();
> > break;
> > }
> > case LSM_AUDIT_DATA_INODE: {
> > @@ -300,6 +304,7 @@ static void dump_common_audit_data(struct audit_buffer
> > *ab,
> > audit_log_format(ab, " dev=");
> > audit_log_untrustedstring(ab, inode->i_sb->s_id);
> > audit_log_format(ab, " ino=%lu", inode->i_ino);
> > + audit_getcwd();
> > break;
> > }
> > case LSM_AUDIT_DATA_TASK: {
Best regards,
Vladis Dronov | Red Hat, Inc. | The Core Kernel | Senior Software Engineer
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
WARNING: multiple messages have this Message-ID (diff)
From: Vladis Dronov <vdronov@redhat.com>
To: Casey Schaufler <casey@schaufler-ca.com>,
Richard Guy Briggs <rgb@redhat.com>
Cc: Paul Moore <paul@paul-moore.com>, Eric Paris <eparis@redhat.com>,
linux-audit@redhat.com, James Morris <jmorris@namei.org>,
"Serge E . Hallyn" <serge@hallyn.com>,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH ghak96] audit: set cwd in audit context for file-related LSM audit records
Date: Thu, 2 Apr 2020 12:31:21 -0400 (EDT) [thread overview]
Message-ID: <1800109401.20260657.1585845081366.JavaMail.zimbra@redhat.com> (raw)
In-Reply-To: <2d7174b1-115f-b86f-8054-a5caef4b69ff@schaufler-ca.com>
Hello, Casey, all,
----- Original Message -----
> From: "Casey Schaufler" <casey@schaufler-ca.com>
> Subject: Re: [PATCH ghak96] audit: set cwd in audit context for file-related LSM audit records
>
> On 4/2/2020 7:13 AM, Vladis Dronov wrote:
> > Set a current working directory in an audit context for the following
> > record
> > types in dump_common_audit_data(): LSM_AUDIT_DATA_PATH,
> > LSM_AUDIT_DATA_FILE,
> > LSM_AUDIT_DATA_IOCTL_OP, LSM_AUDIT_DATA_DENTRY, LSM_AUDIT_DATA_INODE so a
> > separate CWD record is emitted later.
> >
> > Link: https://github.com/linux-audit/audit-kernel/issues/96
>
> I don't have a problem with the patch, but it sure would be nice
> if you explained why these events "could use a CWD record".
(adding Richard Guy Briggs <rgb@redhat.com> which I should have been done earlier)
I would agree, adding "cwd=" field in the LSM record itself is simpler to me.
Unfortunately, all I can say for now is "The intent was a separate CWD record,
that is already defined" requirement from the ghak#96 issue.
Richard, could you, please, clarify since you've posted this requirement in
the ghak#96's description?
> > Signed-off-by: Vladis Dronov <vdronov@redhat.com>
> > ---
> > out-of-commit-message-note:
> >
> > Hello,
> > Honestly, I'm not sure about "if (!context->in_syscall)" check in
> > __audit_getcwd(). It was copied from __audit_getname() and I do
> > not quite understand why it is there and if __audit_getcwd() needs
> > it. If you have an idea on this, could you please, tell?
> >
> > include/linux/audit.h | 9 ++++++++-
> > kernel/auditsc.c | 17 +++++++++++++++++
> > security/lsm_audit.c | 5 +++++
> > 3 files changed, 30 insertions(+), 1 deletion(-)
> >
> > diff --git a/include/linux/audit.h b/include/linux/audit.h
> > index f9ceae57ca8d..b4306abc5891 100644
> > --- a/include/linux/audit.h
> > +++ b/include/linux/audit.h
> > @@ -268,7 +268,7 @@ extern void __audit_syscall_entry(int major, unsigned
> > long a0, unsigned long a1,
> > extern void __audit_syscall_exit(int ret_success, long ret_value);
> > extern struct filename *__audit_reusename(const __user char *uptr);
> > extern void __audit_getname(struct filename *name);
> > -
> > +extern void __audit_getcwd(void);
> > extern void __audit_inode(struct filename *name, const struct dentry
> > *dentry,
> > unsigned int flags);
> > extern void __audit_file(const struct file *);
> > @@ -327,6 +327,11 @@ static inline void audit_getname(struct filename
> > *name)
> > if (unlikely(!audit_dummy_context()))
> > __audit_getname(name);
> > }
> > +static inline void audit_getcwd(void)
> > +{
> > + if (unlikely(!audit_dummy_context()))
> > + __audit_getcwd();
> > +}
> > static inline void audit_inode(struct filename *name,
> > const struct dentry *dentry,
> > unsigned int aflags) {
> > @@ -545,6 +550,8 @@ static inline struct filename *audit_reusename(const
> > __user char *name)
> > }
> > static inline void audit_getname(struct filename *name)
> > { }
> > +static inline void audit_getcwd(void)
> > +{ }
> > static inline void __audit_inode(struct filename *name,
> > const struct dentry *dentry,
> > unsigned int flags)
> > diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> > index 814406a35db1..16316032ef9f 100644
> > --- a/kernel/auditsc.c
> > +++ b/kernel/auditsc.c
> > @@ -1890,6 +1890,23 @@ void __audit_getname(struct filename *name)
> > get_fs_pwd(current->fs, &context->pwd);
> > }
> >
> > +/**
> > + * __audit_getcwd - set a current working directory
> > + *
> > + * Set a current working directory of an audited process for this context.
> > + * Called from security/lsm_audit.c:dump_common_audit_data().
> > + */
> > +void __audit_getcwd(void)
> > +{
> > + struct audit_context *context = audit_context();
> > +
> > + if (!context->in_syscall)
> > + return;
> > +
> > + if (!context->pwd.dentry)
> > + get_fs_pwd(current->fs, &context->pwd);
> > +}
> > +
> > static inline int audit_copy_fcaps(struct audit_names *name,
> > const struct dentry *dentry)
> > {
> > diff --git a/security/lsm_audit.c b/security/lsm_audit.c
> > index 2d2bf49016f4..7c555621c2bd 100644
> > --- a/security/lsm_audit.c
> > +++ b/security/lsm_audit.c
> > @@ -241,6 +241,7 @@ static void dump_common_audit_data(struct audit_buffer
> > *ab,
> > audit_log_untrustedstring(ab, inode->i_sb->s_id);
> > audit_log_format(ab, " ino=%lu", inode->i_ino);
> > }
> > + audit_getcwd();
> > break;
> > }
> > case LSM_AUDIT_DATA_FILE: {
> > @@ -254,6 +255,7 @@ static void dump_common_audit_data(struct audit_buffer
> > *ab,
> > audit_log_untrustedstring(ab, inode->i_sb->s_id);
> > audit_log_format(ab, " ino=%lu", inode->i_ino);
> > }
> > + audit_getcwd();
> > break;
> > }
> > case LSM_AUDIT_DATA_IOCTL_OP: {
> > @@ -269,6 +271,7 @@ static void dump_common_audit_data(struct audit_buffer
> > *ab,
> > }
> >
> > audit_log_format(ab, " ioctlcmd=0x%hx", a->u.op->cmd);
> > + audit_getcwd();
> > break;
> > }
> > case LSM_AUDIT_DATA_DENTRY: {
> > @@ -283,6 +286,7 @@ static void dump_common_audit_data(struct audit_buffer
> > *ab,
> > audit_log_untrustedstring(ab, inode->i_sb->s_id);
> > audit_log_format(ab, " ino=%lu", inode->i_ino);
> > }
> > + audit_getcwd();
> > break;
> > }
> > case LSM_AUDIT_DATA_INODE: {
> > @@ -300,6 +304,7 @@ static void dump_common_audit_data(struct audit_buffer
> > *ab,
> > audit_log_format(ab, " dev=");
> > audit_log_untrustedstring(ab, inode->i_sb->s_id);
> > audit_log_format(ab, " ino=%lu", inode->i_ino);
> > + audit_getcwd();
> > break;
> > }
> > case LSM_AUDIT_DATA_TASK: {
Best regards,
Vladis Dronov | Red Hat, Inc. | The Core Kernel | Senior Software Engineer
next prev parent reply other threads:[~2020-04-02 16:31 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-04-02 14:13 [PATCH ghak96] audit: set cwd in audit context for file-related LSM audit records Vladis Dronov
2020-04-02 14:13 ` Vladis Dronov
2020-04-02 15:38 ` Casey Schaufler
2020-04-02 15:38 ` Casey Schaufler
2020-04-02 16:31 ` Vladis Dronov [this message]
2020-04-02 16:31 ` Vladis Dronov
2020-04-09 21:50 ` Richard Guy Briggs
2020-04-09 21:50 ` Richard Guy Briggs
2020-04-17 22:21 ` Paul Moore
2020-04-17 22:21 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1800109401.20260657.1585845081366.JavaMail.zimbra@redhat.com \
--to=vdronov@redhat.com \
--cc=casey@schaufler-ca.com \
--cc=jmorris@namei.org \
--cc=linux-audit@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=rgb@redhat.com \
--cc=serge@hallyn.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.