From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-10.1 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY, SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id E226BC2BBC7 for ; Sat, 11 Apr 2020 23:08:28 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id AC27221927 for ; Sat, 11 Apr 2020 23:08:28 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1586646508; bh=6ujQpcxIGithtYCTLKGJdniW/4CHxY9NdvXu1hLNzmU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=OGiO0r3NKfRLEl0m0NPdOl9YRBOc1cfvje38U/UifAQcXxTq9ujZTRfUY2W9fJkXj j6L1l9nySv6sSYEHx2jWp7GN4gG74/T4ypAQ6Nlz2947ugJc2N0+CEhLjC389QJWsw VcOEk1M2btdVjXOAV2NFZb4IjVhXRQ0G6lWZnc2E= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726832AbgDKXI1 (ORCPT ); Sat, 11 Apr 2020 19:08:27 -0400 Received: from mail.kernel.org ([198.145.29.99]:44836 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728877AbgDKXIO (ORCPT ); Sat, 11 Apr 2020 19:08:14 -0400 Received: from sasha-vm.mshome.net (c-73-47-72-35.hsd1.nh.comcast.net [73.47.72.35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 163DF20787; Sat, 11 Apr 2020 23:08:13 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1586646494; bh=6ujQpcxIGithtYCTLKGJdniW/4CHxY9NdvXu1hLNzmU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=XkSfLtQm4EJ3UrEhxjS01KvuOX9Vm7xrIShz8fw8Tg2zYqSQNT36hbbuvekGaHO2A SVrWH3gWhFH6cFI6FcX1CnMt1UlpWxYaXHszDc/+lc0rRg+CuB4QaycB0gF3MklvrJ bi4QCF43QDwI0XccFXed52eKn1j8tPQb0xj1VgDM= From: Sasha Levin To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Steve Grubb , Paul Moore , Sasha Levin , linux-audit@redhat.com Subject: [PATCH AUTOSEL 5.5 057/121] audit: CONFIG_CHANGE don't log internal bookkeeping as an event Date: Sat, 11 Apr 2020 19:06:02 -0400 Message-Id: <20200411230706.23855-57-sashal@kernel.org> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20200411230706.23855-1-sashal@kernel.org> References: <20200411230706.23855-1-sashal@kernel.org> MIME-Version: 1.0 X-stable: review X-Patchwork-Hint: Ignore Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Steve Grubb [ Upstream commit 70b3eeed49e8190d97139806f6fbaf8964306cdb ] Common Criteria calls out for any action that modifies the audit trail to be recorded. That usually is interpreted to mean insertion or removal of rules. It is not required to log modification of the inode information since the watch is still in effect. Additionally, if the rule is a never rule and the underlying file is one they do not want events for, they get an event for this bookkeeping update against their wishes. Since no device/inode info is logged at insertion and no device/inode information is logged on update, there is nothing meaningful being communicated to the admin by the CONFIG_CHANGE updated_rules event. One can assume that the rule was not "modified" because it is still watching the intended target. If the device or inode cannot be resolved, then audit_panic is called which is sufficient. The correct resolution is to drop logging config_update events since the watch is still in effect but just on another unknown inode. Signed-off-by: Steve Grubb Signed-off-by: Paul Moore Signed-off-by: Sasha Levin --- kernel/audit_watch.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c index 4508d5e0cf696..8a8fd732ff6d0 100644 --- a/kernel/audit_watch.c +++ b/kernel/audit_watch.c @@ -302,8 +302,6 @@ static void audit_update_watch(struct audit_parent *parent, if (oentry->rule.exe) audit_remove_mark(oentry->rule.exe); - audit_watch_log_rule_change(r, owatch, "updated_rules"); - call_rcu(&oentry->rcu, audit_free_rule_rcu); } -- 2.20.1