From: Steve Grubb
To: linux-audit@redhat.com
Subject: open_by_handle_at and CVE-2020-35501
Date: Thu, 25 Feb 2021 17:14:38 -0500
Message-ID: <7230785.EvYhyI6sBW@x2>
Organization: Red Hat
List-Id: Linux Audit Discussion
Hello,

There was an announcement on the oss-security mail list a week ago:

https://seclists.org/oss-sec/2021/q1/155

regarding auditing of the open_by_handle_at system call. They are using a rule like this:

-a always,exit -F path=/path/to/file -F perm=wr

and expecting that we have an audit record when opened using the name_to_handle_at/open_by_handle_at syscall pair.

I ran a study of my system by adding audit rules for each of the syscalls. What I found was that name_to_handle_at seems to be used by systemd and it only passes a relative file name. This makes the audit event next to useless. And interestingly I have no events for open_by_handle_at in spite of systemd preparing to use it. So, I don't have any idea what the audit event would look like. In any event, they are asking what upstream audit is going to do about this?

In looking into open_by_handle_at, I found that it was used in an exploit against Docker some time ago where it was possible to brute-force the handle. Of course you need CAP_DAC_READ_SEARCH to call it.

https://www.programmersought.com/article/54607139735/

I think we should do something, not sure what. Simply adding the syscall to the open perms machinery will get an event, but probably nothing usable. You could at least see who is doing it and with what program. In the meantime, people can use the syscall rules to audit for any occurrence. I think the default rules do include it.

Cheers,
-Steve

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
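The message above suggests syscall rules as the stopgap, since a path watch never fires for the handle-based open. The following is an added example, not code from Steve's post or from the audit project: a small triage script that pulls the SYSCALL records produced by keyed rules for name_to_handle_at and open_by_handle_at out of an audit log, reports who issued them (comm, exe, auid), and for open_by_handle_at decodes the open flags in a2 to tell a read from a write. It assumes x86_64 (arch=c000003e, syscall numbers 303 and 304) and a rule key named "file_handle"; the log lines are constructed, not captured from a real system.

```python
import re

# Assumed rules behind these records (auditctl syntax, key name is our choice):
#   -a always,exit -F arch=b64 -S name_to_handle_at -k file_handle
#   -a always,exit -F arch=b64 -S open_by_handle_at -k file_handle
SYSCALL_NAMES = {303: "name_to_handle_at", 304: "open_by_handle_at"}  # x86_64 only

# open(2) flag bits on x86_64; open_by_handle_at(mount_fd, handle, flags) puts flags in a2.
O_ACCMODE, O_WRONLY, O_RDWR, O_CREAT, O_TRUNC = 0x3, 0x1, 0x2, 0x40, 0x200


def parse_record(line):
    """Split one key=value audit record into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def triage(line):
    """Summarise a SYSCALL record for the handle syscall pair; None for anything else."""
    rec = parse_record(line)
    if rec.get("type") != "SYSCALL" or rec.get("arch") != "c000003e":
        return None
    name = SYSCALL_NAMES.get(int(rec["syscall"]))
    if name is None:
        return None
    out = {"syscall": name, "comm": rec.get("comm"), "exe": rec.get("exe"),
           "auid": rec.get("auid"), "uid": rec.get("uid"), "key": rec.get("key")}
    if name == "open_by_handle_at":
        flags = int(rec["a2"], 16)            # audit logs a0..a3 as bare hex
        out["mount_fd"] = int(rec["a0"], 16)
        out["write"] = ((flags & O_ACCMODE) in (O_WRONLY, O_RDWR)
                        or bool(flags & (O_CREAT | O_TRUNC)))
    return out


def handle_events(lines):
    """Return the triaged handle-syscall events from an iterable of audit log lines."""
    return [t for t in map(triage, lines) if t is not None]


# Constructed sample log (not a real capture); "handletool" is a made-up program name.
SAMPLE = [
    'type=SYSCALL msg=audit(1614291278.100:200): arch=c000003e syscall=303 success=yes exit=0 a0=ffffff9c a1=5581d0c0 a2=7ffd1234 a3=7ffd1240 items=1 ppid=1 pid=612 auid=4294967295 uid=0 gid=0 comm="systemd" exe="/usr/lib/systemd/systemd" key="file_handle"',
    'type=PATH msg=audit(1614291278.100:200): item=0 name="." inode=2 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL',
    'type=SYSCALL msg=audit(1614291278.200:201): arch=c000003e syscall=304 success=yes exit=4 a0=3 a1=5581d0c0 a2=80001 a3=0 items=0 ppid=900 pid=901 auid=1000 uid=0 gid=0 comm="handletool" exe="/usr/local/bin/handletool" key="file_handle"',
    'type=SYSCALL msg=audit(1614291278.300:202): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=5581d0c0 a2=0 a3=0 items=1 ppid=1 pid=700 auid=1000 uid=1000 gid=1000 comm="cat" exe="/usr/bin/cat" key=(null)',
]

if __name__ == "__main__":
    for ev in handle_events(SAMPLE):
        print(ev)
```

The PATH record that follows the name_to_handle_at call is where the relative name Steve mentions shows up; the script leaves it aside and keys on the SYSCALL record, which is the part that still tells you the program and login uid.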