From: Richard Guy Briggs <rgb@redhat.com>
To: Linux-Audit Mailing List <linux-audit@redhat.com>,
LKML <linux-kernel@vger.kernel.org>
Cc: Eric Paris <eparis@redhat.com>, Paul Moore <paul@paul-moore.com>,
Steve Grubb <sgrubb@redhat.com>,
Kees Cook <keescook@chromium.org>,
Richard Guy Briggs <rgb@redhat.com>
Subject: [RFC PATCH ghak21 0/4] audit: address ANOM_LINK excess records
Date: Wed, 14 Feb 2018 11:18:20 -0500
Message-ID: <cover.1518603831.git.rgb@redhat.com>
Audit link denied events were being unexpectedly produced in a disjoint
way when audit was disabled, and when they were expected, there were
duplicate PATH records. This patchset addresses both issues for
symlinks and hardlinks.
This was introduced with
commit b24a30a7305418ff138ff51776fc555ec57c011a
("audit: fix event coverage of AUDIT_ANOM_LINK")
commit a51d9eaa41866ab6b4b6ecad7b621f8b66ece0dc
("fs: add link restriction audit reporting")
Here are the resulting events:
symlink:
type=PROCTITLE msg=audit(02/14/2018 04:40:21.635:238) : proctitle=cat my-passwd
type=PATH msg=audit(02/14/2018 04:40:21.635:238) : item=1 name=/tmp/my-passwd inode=17618 dev=00:27 mode=link,777 ouid=rgb ogid=rgb rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(02/14/2018 04:40:21.635:238) : item=0 name=/tmp inode=13446 dev=00:27 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(02/14/2018 04:40:21.635:238) : cwd=/tmp
type=SYSCALL msg=audit(02/14/2018 04:40:21.635:238) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x7ffc6c1acdda a2=O_RDONLY a3=0x0 items=2 ppid=549 pid=606 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=ttyS0 ses=1 comm=cat exe=/usr/bin/cat subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=ANOM_LINK msg=audit(02/14/2018 04:40:21.635:238) : op=follow_link ppid=549 pid=606 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=ttyS0 ses=1 comm=cat exe=/usr/bin/cat subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=no
----
hardlink:
type=PROCTITLE msg=audit(02/14/2018 04:40:25.373:239) : proctitle=ln test test-ln
type=PATH msg=audit(02/14/2018 04:40:25.373:239) : item=1 name=/tmp inode=13446 dev=00:27 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(02/14/2018 04:40:25.373:239) : item=0 name=test inode=17619 dev=00:27 mode=file,700 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(02/14/2018 04:40:25.373:239) : cwd=/tmp
type=SYSCALL msg=audit(02/14/2018 04:40:25.373:239) : arch=x86_64 syscall=linkat success=no exit=EPERM(Operation not permitted) a0=0xffffff9c a1=0x7fffe6c3f628 a2=0xffffff9c a3=0x7fffe6c3f62d items=2 ppid=578 pid=607 auid=rgb uid=rgb gid=rgb euid=rgb suid=rgb fsuid=rgb egid=rgb sgid=rgb fsgid=rgb tty=pts0 ses=3 comm=ln exe=/usr/bin/ln subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=ANOM_LINK msg=audit(02/14/2018 04:40:25.373:239) : op=linkat ppid=578 pid=607 auid=rgb uid=rgb gid=rgb euid=rgb suid=rgb fsuid=rgb egid=rgb sgid=rgb fsgid=rgb tty=pts0 ses=3 comm=ln exe=/usr/bin/ln subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=no
The remaining problem is how to address this when syscall logging is
disabled since it needs a parent path record and/or a CWD record to
complete it. It could also use a proctitle record too. In fact, it
looks like we need a way to have multiple auxiliary records to support
an arbitrary record. Comments please.
See: https://github.com/linux-audit/audit-kernel/issues/21
See also: https://github.com/linux-audit/audit-kernel/issues/51
Richard Guy Briggs (4):
audit: make ANOM_LINK obey audit_enabled and audit_dummy_context
audit: link denied should not directly generate PATH record
audit: add refused symlink to audit_names
audit: add parent of refused symlink to audit_names
fs/namei.c | 10 ++++++++++
kernel/audit.c | 13 ++-----------
2 files changed, 12 insertions(+), 11 deletions(-)
--
1.8.3.1
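As an added example (not part of the cover letter or of the audit-kernel project), a small Python checker that groups ausearch-style records by event serial and flags the two symptoms the cover letter describes: an ANOM_LINK record with no accompanying SYSCALL/CWD/PATH context, and repeated PATH records inside one event. The sample records are constructed; serial 238 is trimmed from the symlink event shown above, serials 240 and 241 are made up.

```python
import re
from collections import defaultdict

# Header of an ausearch-style record: "type=T msg=audit(timestamp:serial) : fields..."
_HDR = re.compile(r"^type=(\S+) msg=audit\((.*?):(\d+)\) : (.*)$")
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_records(lines):
    """Group records by event serial; each record is (type, {field: value})."""
    events = defaultdict(list)
    for line in lines:
        m = _HDR.match(line.strip())
        if not m:
            continue
        rtype, _ts, serial, body = m.groups()
        events[int(serial)].append((rtype, dict(_KV.findall(body))))
    return events

def check_link_denied(events):
    """Flag ANOM_LINK events with no syscall context or with duplicate PATH records."""
    findings = []
    for serial, recs in sorted(events.items()):
        types = [t for t, _ in recs]
        if "ANOM_LINK" not in types:
            continue
        if "SYSCALL" not in types:
            findings.append((serial, "ANOM_LINK without SYSCALL/CWD/PATH context"))
        names = [f.get("name") for t, f in recs if t == "PATH"]
        for n in sorted({n for n in names if names.count(n) > 1}):
            findings.append((serial, f"duplicate PATH record for {n}"))
    return findings

# Constructed sample: serial 238 is trimmed from the cover letter's symlink event;
# 240 (lone ANOM_LINK) and 241 (repeated PATH) are made up to show the two defects.
SAMPLE = """\
type=PROCTITLE msg=audit(02/14/2018 04:40:21.635:238) : proctitle=cat my-passwd
type=PATH msg=audit(02/14/2018 04:40:21.635:238) : item=1 name=/tmp/my-passwd nametype=NORMAL
type=PATH msg=audit(02/14/2018 04:40:21.635:238) : item=0 name=/tmp nametype=PARENT
type=CWD msg=audit(02/14/2018 04:40:21.635:238) : cwd=/tmp
type=SYSCALL msg=audit(02/14/2018 04:40:21.635:238) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) comm=cat
type=ANOM_LINK msg=audit(02/14/2018 04:40:21.635:238) : op=follow_link pid=606 comm=cat res=no
type=ANOM_LINK msg=audit(02/14/2018 04:41:02.100:240) : op=follow_link pid=611 comm=cat res=no
type=PATH msg=audit(02/14/2018 04:41:09.512:241) : item=1 name=/tmp/my-passwd nametype=NORMAL
type=PATH msg=audit(02/14/2018 04:41:09.512:241) : item=1 name=/tmp/my-passwd nametype=NORMAL
type=SYSCALL msg=audit(02/14/2018 04:41:09.512:241) : arch=x86_64 syscall=openat success=no comm=cat
type=ANOM_LINK msg=audit(02/14/2018 04:41:09.512:241) : op=follow_link pid=612 comm=cat res=no
"""

if __name__ == "__main__":
    for serial, msg in check_link_denied(parse_records(SAMPLE.splitlines())):
        print(f"event {serial}: {msg}")
```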