From: Steve Grubb <sgrubb@redhat.com>
To: Ondrej Mosnacek <omosnace@redhat.com>
Cc: Richard Guy Briggs <rgb@redhat.com>,
Linux-Audit Mailing List <linux-audit@redhat.com>
Subject: Re: [PATCH ghak95] audit: Do not log full CWD path on empty relative paths
Date: Fri, 24 Aug 2018 10:28:37 -0400 [thread overview]
Message-ID: <1756482.jLK7dZV42z@x2> (raw)
In-Reply-To: <CAFqZXNuoVTkxE_0zCLFU3uJz4YHmtNVx=D_4POSPLWORs4g6Pg@mail.gmail.com>
On Friday, August 24, 2018 8:59:10 AM EDT Ondrej Mosnacek wrote:
> On Thu, Aug 2, 2018 at 1:45 PM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> > When a relative path has just a single component and we want to emit a
> > nametype=PARENT record, the current implementation just reports the full
> > CWD path (which is alrady available in the audit context).
> >
> > This is wrong for three reasons:
> > 1. Wasting log space for redundant data (CWD path is already in the CWD
> >
> > record).
> >
> > 2. Inconsistency with other PATH records (if a relative PARENT directory
> >
> > path contains at least one component, only the verbatim relative path
> > is logged).
> >
> > 3. In some syscalls (e.g. openat(2)) the relative path may not even be
> >
> > relative to the CWD, but to another directory specified as a file
> > descriptor. In that case the logged path is simply plain wrong.
> >
> > This patch modifies this behavior to simply report "." in the
> > aforementioned case, which is equivalent to an "empty" directory path
> > and can be concatenated with the actual base directory path (CWD or
> > dirfd from openat(2)-like syscall) once support for its logging is added
> > later. In the meantime, defaulting to CWD as base directory on relative
> > paths (as already done by the userspace tools) will be enough to achieve
> > results equivalent to the current behavior.
>
> I tested this patch a little bit with the libauparse library (it has
> some functions for normalizing paths extracted from the records) and
> it seems to behave as intended. The userspace functions seem to take a
> rather crude approach and I think they won't always properly normalize
> some paths, but that is a separate issue and this patch at least
> definitely doesn't make it worse.
Be sure to test with directory names that have spaces in them as well as file
names with spaces in them.
-Steve
> > See: https://github.com/linux-audit/audit-kernel/issues/95
> >
> > Fixes: 9c937dcc7102 ("[PATCH] log more info for directory entry change
> > events") Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> > ---
> >
> > kernel/audit.c | 9 ++++-----
> > 1 file changed, 4 insertions(+), 5 deletions(-)
> >
> > diff --git a/kernel/audit.c b/kernel/audit.c
> > index 2a8058764aa6..4f18bd48eb4b 100644
> > --- a/kernel/audit.c
> > +++ b/kernel/audit.c
> > @@ -2127,28 +2127,27 @@ void audit_log_name(struct audit_context
> > *context, struct audit_names *n,>
> > audit_log_format(ab, "item=%d", record_num);
> >
> > + audit_log_format(ab, " name=");
> >
> > if (path)
> >
> > - audit_log_d_path(ab, " name=", path);
> > + audit_log_d_path(ab, NULL, path);
> >
> > else if (n->name) {
> >
> > switch (n->name_len) {
> >
> > case AUDIT_NAME_FULL:
> > /* log the full path */
> >
> > - audit_log_format(ab, " name=");
> >
> > audit_log_untrustedstring(ab, n->name->name);
> > break;
> >
> > case 0:
> > /* name was specified as a relative path and the
> >
> > * directory component is the cwd */
> >
> > - audit_log_d_path(ab, " name=", &context->pwd);
> > + audit_log_untrustedstring(ab, ".");
> >
> > break;
> >
> > default:
> > /* log the name's directory component */
> >
> > - audit_log_format(ab, " name=");
> >
> > audit_log_n_untrustedstring(ab, n->name->name,
> >
> > n->name_len);
> >
> > }
> >
> > } else
> >
> > - audit_log_format(ab, " name=(null)");
> > + audit_log_format(ab, "(null)");
> >
> > if (n->ino != AUDIT_INO_UNSET)
> >
> > audit_log_format(ab, " inode=%lu"
> >
> > --
> > 2.17.1
>
> --
> Ondrej Mosnacek <omosnace at redhat dot com>
> Associate Software Engineer, Security Technologies
> Red Hat, Inc.
prev parent reply other threads:[~2018-08-24 14:28 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-08-02 11:44 [PATCH ghak95] audit: Do not log full CWD path on empty relative paths Ondrej Mosnacek
2018-08-02 13:29 ` Richard Guy Briggs
2018-08-02 22:24 ` Paul Moore
2018-08-03 7:08 ` Ondrej Mosnacek
2018-08-24 14:09 ` Paul Moore
2018-08-27 13:00 ` Ondrej Mosnacek
2018-09-13 13:57 ` Ondrej Mosnacek
2018-09-13 14:13 ` Paul Moore
2018-09-19 1:35 ` Paul Moore
2018-09-19 11:01 ` Ondrej Mosnacek
2018-09-19 15:44 ` Paul Moore
2018-10-31 8:54 ` Ondrej Mosnacek
2018-11-05 23:30 ` Paul Moore
2018-11-06 8:08 ` Ondrej Mosnacek
2018-11-06 20:19 ` Paul Moore
2018-11-13 15:25 ` Ondrej Mosnacek
2018-11-13 16:30 ` Paul Moore
2018-12-01 16:50 ` Steve Grubb
2018-12-04 0:17 ` Paul Moore
2018-12-04 8:07 ` Ondrej Mosnacek
2018-12-04 22:19 ` Paul Moore
2018-08-03 0:03 ` Paul Moore
2018-08-24 15:00 ` Paul Moore
2018-08-24 15:14 ` Steve Grubb
2018-08-27 12:42 ` Ondrej Mosnacek
2018-08-24 12:59 ` Ondrej Mosnacek
2018-08-24 14:28 ` Steve Grubb [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1756482.jLK7dZV42z@x2 \
--to=sgrubb@redhat.com \
--cc=linux-audit@redhat.com \
--cc=omosnace@redhat.com \
--cc=rgb@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox