subject:"\[PATCH ghak21 V2 0\/4\] audit\: address ANOM

Re: [PATCH ghak21 V2 0/4] audit: address ANOM_LINK excess records

2018-03-12 Thread Paul Moore

On Mon, Mar 12, 2018 at 11:17 AM, Steve Grubb  wrote:
> On Mon, 12 Mar 2018 02:31:16 -0400
> Richard Guy Briggs  wrote:
>
>> Audit link denied events were being unexpectedly produced in a
>> disjoint way when audit was disabled, and when they were expected,
>> there were duplicate PATH records.  This patchset addresses both
>> issues for symlinks and hardlinks.
>>
>> This was introduced with
>>   commit b24a30a7305418ff138ff51776fc555ec57c011a
>>   ("audit: fix event coverage of AUDIT_ANOM_LINK")
>>   commit a51d9eaa41866ab6b4b6ecad7b621f8b66ece0dc
>>   ("fs: add link restriction audit reporting")
>>
>> Here are the resulting events:
>>
>> symlink:
>> type=PROCTITLE msg=audit(03/12/2018 02:21:49.578:310) :
>> proctitle=ls ./my-passwd type=PATH msg=audit(03/12/2018
>> 02:21:49.578:310) : item=1 name=/tmp/ inode=13529 dev=00:27
>> mode=dir,sticky,777 ouid=root ogid=root rdev=00:00
>> obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none
>> cap_fi=none cap_fe=0 cap_fver=0 type=PATH msg=audit(03/12/2018
>> 02:21:49.578:310) : item=0 name=./my-passwd inode=17090 dev=00:27
>> mode=link,777 ouid=rgb ogid=rgb rdev=00:00
>> obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none
>> cap_fi=none cap_fe=0 cap_fver=0 type=CWD msg=audit(03/12/2018
>> 02:21:49.578:310) : cwd=/tmp type=SYSCALL msg=audit(03/12/2018
>> 02:21:49.578:310) : arch=x86_64 syscall=stat success=no
>> exit=EACCES(Permission denied) a0=0x7ffd79950dda a1=0x563f658a03c8
>> a2=0x563f658a03c8 a3=0x79950d00 items=2 ppid=552 pid=629 auid=root
>> uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
>> fsgid=root tty=ttyS0 ses=1 comm=ls exe=/usr/bin/ls
>> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
>> type=ANOM_LINK msg=audit(03/12/2018 02:21:49.578:310) :
>> op=follow_link ppid=552 pid=629 auid=root uid=root gid=root euid=root
>> suid=root fsuid=root egid=root sgid=root fsgid=root tty=ttyS0 ses=1
>> comm=ls exe=/usr/bin/ls
>
> So, if we now only emit the ANOM_LINK event when audit is enabled, we
> should get rid of all the duplicate information in that record. The
> SYSCALL record has all that information.

As discussed previously, I'm not going to merge any patches which
remove fields from existing records.

-- 
paul moore
www.paul-moore.com

Re: [PATCH ghak21 V2 0/4] audit: address ANOM_LINK excess records

2018-03-12 Thread Paul Moore

On Mon, Mar 12, 2018 at 11:17 AM, Steve Grubb  wrote:
> On Mon, 12 Mar 2018 02:31:16 -0400
> Richard Guy Briggs  wrote:
>
>> Audit link denied events were being unexpectedly produced in a
>> disjoint way when audit was disabled, and when they were expected,
>> there were duplicate PATH records.  This patchset addresses both
>> issues for symlinks and hardlinks.
>>
>> This was introduced with
>>   commit b24a30a7305418ff138ff51776fc555ec57c011a
>>   ("audit: fix event coverage of AUDIT_ANOM_LINK")
>>   commit a51d9eaa41866ab6b4b6ecad7b621f8b66ece0dc
>>   ("fs: add link restriction audit reporting")
>>
>> Here are the resulting events:
>>
>> symlink:
>> type=PROCTITLE msg=audit(03/12/2018 02:21:49.578:310) :
>> proctitle=ls ./my-passwd type=PATH msg=audit(03/12/2018
>> 02:21:49.578:310) : item=1 name=/tmp/ inode=13529 dev=00:27
>> mode=dir,sticky,777 ouid=root ogid=root rdev=00:00
>> obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none
>> cap_fi=none cap_fe=0 cap_fver=0 type=PATH msg=audit(03/12/2018
>> 02:21:49.578:310) : item=0 name=./my-passwd inode=17090 dev=00:27
>> mode=link,777 ouid=rgb ogid=rgb rdev=00:00
>> obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none
>> cap_fi=none cap_fe=0 cap_fver=0 type=CWD msg=audit(03/12/2018
>> 02:21:49.578:310) : cwd=/tmp type=SYSCALL msg=audit(03/12/2018
>> 02:21:49.578:310) : arch=x86_64 syscall=stat success=no
>> exit=EACCES(Permission denied) a0=0x7ffd79950dda a1=0x563f658a03c8
>> a2=0x563f658a03c8 a3=0x79950d00 items=2 ppid=552 pid=629 auid=root
>> uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
>> fsgid=root tty=ttyS0 ses=1 comm=ls exe=/usr/bin/ls
>> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
>> type=ANOM_LINK msg=audit(03/12/2018 02:21:49.578:310) :
>> op=follow_link ppid=552 pid=629 auid=root uid=root gid=root euid=root
>> suid=root fsuid=root egid=root sgid=root fsgid=root tty=ttyS0 ses=1
>> comm=ls exe=/usr/bin/ls
>
> So, if we now only emit the ANOM_LINK event when audit is enabled, we
> should get rid of all the duplicate information in that record. The
> SYSCALL record has all that information.

As discussed previously, I'm not going to merge any patches which
remove fields from existing records.

-- 
paul moore
www.paul-moore.com

Re: [PATCH ghak21 V2 0/4] audit: address ANOM_LINK excess records

2018-03-12 Thread Steve Grubb

On Mon, 12 Mar 2018 02:31:16 -0400
Richard Guy Briggs  wrote:

> Audit link denied events were being unexpectedly produced in a
> disjoint way when audit was disabled, and when they were expected,
> there were duplicate PATH records.  This patchset addresses both
> issues for symlinks and hardlinks.
> 
> This was introduced with
>   commit b24a30a7305418ff138ff51776fc555ec57c011a
>   ("audit: fix event coverage of AUDIT_ANOM_LINK")
>   commit a51d9eaa41866ab6b4b6ecad7b621f8b66ece0dc
>   ("fs: add link restriction audit reporting")
> 
> Here are the resulting events:
> 
> symlink:
> type=PROCTITLE msg=audit(03/12/2018 02:21:49.578:310) :
> proctitle=ls ./my-passwd type=PATH msg=audit(03/12/2018
> 02:21:49.578:310) : item=1 name=/tmp/ inode=13529 dev=00:27
> mode=dir,sticky,777 ouid=root ogid=root rdev=00:00
> obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none
> cap_fi=none cap_fe=0 cap_fver=0 type=PATH msg=audit(03/12/2018
> 02:21:49.578:310) : item=0 name=./my-passwd inode=17090 dev=00:27
> mode=link,777 ouid=rgb ogid=rgb rdev=00:00
> obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none
> cap_fi=none cap_fe=0 cap_fver=0 type=CWD msg=audit(03/12/2018
> 02:21:49.578:310) : cwd=/tmp type=SYSCALL msg=audit(03/12/2018
> 02:21:49.578:310) : arch=x86_64 syscall=stat success=no
> exit=EACCES(Permission denied) a0=0x7ffd79950dda a1=0x563f658a03c8
> a2=0x563f658a03c8 a3=0x79950d00 items=2 ppid=552 pid=629 auid=root
> uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
> fsgid=root tty=ttyS0 ses=1 comm=ls exe=/usr/bin/ls
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> type=ANOM_LINK msg=audit(03/12/2018 02:21:49.578:310) :
> op=follow_link ppid=552 pid=629 auid=root uid=root gid=root euid=root
> suid=root fsuid=root egid=root sgid=root fsgid=root tty=ttyS0 ses=1
> comm=ls exe=/usr/bin/ls

So, if we now only emit the ANOM_LINK event when audit is enabled, we
should get rid of all the duplicate information in that record. The
SYSCALL record has all that information.

-Steve

> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=no
>  hardlink: type=PROCTITLE msg=audit(03/12/2018
> 02:24:39.813:314) : proctitle=ln test test-ln type=PATH
> msg=audit(03/12/2018 02:24:39.813:314) : item=1 name=/tmp inode=13529
> dev=00:27 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00
> obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none
> cap_fi=none cap_fe=0 cap_fver=0 type=PATH msg=audit(03/12/2018
> 02:24:39.813:314) : item=0 name=test inode=18112 dev=00:27
> mode=file,700 ouid=root ogid=root rdev=00:00
> obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none
> cap_fi=none cap_fe=0 cap_fver=0 type=CWD msg=audit(03/12/2018
> 02:24:39.813:314) : cwd=/tmp type=SYSCALL msg=audit(03/12/2018
> 02:24:39.813:314) : arch=x86_64 syscall=linkat success=no
> exit=EPERM(Operation not permitted) a0=0xff9c a1=0x7ffccba77629
> a2=0xff9c a3=0x7ffccba7762e items=2 ppid=605 pid=638 auid=rgb
> uid=rgb gid=rgb euid=rgb suid=rgb fsuid=rgb egid=rgb sgid=rgb
> fsgid=rgb tty=pts0 ses=4 comm=ln exe=/usr/bin/ln
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> type=ANOM_LINK msg=audit(03/12/2018 02:24:39.813:314) : op=linkat
> ppid=605 pid=638 auid=rgb uid=rgb gid=rgb euid=rgb suid=rgb fsuid=rgb
> egid=rgb sgid=rgb fsgid=rgb tty=pts0 ses=4 comm=ln exe=/usr/bin/ln
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=no 
> 
> See: https://github.com/linux-audit/audit-kernel/issues/21
> See also: https://github.com/linux-audit/audit-kernel/issues/51
> 
> Richard Guy Briggs (4):
>   audit: make ANOM_LINK obey audit_enabled and audit_dummy_context
>   audit: link denied should not directly generate PATH record
>   audit: add refused symlink to audit_names
>   audit: add parent of refused symlink to audit_names
> 
>  fs/namei.c|  5 +++--
>  include/linux/audit.h |  9 +
>  kernel/audit.c| 43
> --- 3 files changed, 40
> insertions(+), 17 deletions(-)
>

Re: [PATCH ghak21 V2 0/4] audit: address ANOM_LINK excess records

2018-03-12 Thread Steve Grubb

On Mon, 12 Mar 2018 02:31:16 -0400
Richard Guy Briggs  wrote:

> Audit link denied events were being unexpectedly produced in a
> disjoint way when audit was disabled, and when they were expected,
> there were duplicate PATH records.  This patchset addresses both
> issues for symlinks and hardlinks.
> 
> This was introduced with
>   commit b24a30a7305418ff138ff51776fc555ec57c011a
>   ("audit: fix event coverage of AUDIT_ANOM_LINK")
>   commit a51d9eaa41866ab6b4b6ecad7b621f8b66ece0dc
>   ("fs: add link restriction audit reporting")
> 
> Here are the resulting events:
> 
> symlink:
> type=PROCTITLE msg=audit(03/12/2018 02:21:49.578:310) :
> proctitle=ls ./my-passwd type=PATH msg=audit(03/12/2018
> 02:21:49.578:310) : item=1 name=/tmp/ inode=13529 dev=00:27
> mode=dir,sticky,777 ouid=root ogid=root rdev=00:00
> obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none
> cap_fi=none cap_fe=0 cap_fver=0 type=PATH msg=audit(03/12/2018
> 02:21:49.578:310) : item=0 name=./my-passwd inode=17090 dev=00:27
> mode=link,777 ouid=rgb ogid=rgb rdev=00:00
> obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none
> cap_fi=none cap_fe=0 cap_fver=0 type=CWD msg=audit(03/12/2018
> 02:21:49.578:310) : cwd=/tmp type=SYSCALL msg=audit(03/12/2018
> 02:21:49.578:310) : arch=x86_64 syscall=stat success=no
> exit=EACCES(Permission denied) a0=0x7ffd79950dda a1=0x563f658a03c8
> a2=0x563f658a03c8 a3=0x79950d00 items=2 ppid=552 pid=629 auid=root
> uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
> fsgid=root tty=ttyS0 ses=1 comm=ls exe=/usr/bin/ls
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> type=ANOM_LINK msg=audit(03/12/2018 02:21:49.578:310) :
> op=follow_link ppid=552 pid=629 auid=root uid=root gid=root euid=root
> suid=root fsuid=root egid=root sgid=root fsgid=root tty=ttyS0 ses=1
> comm=ls exe=/usr/bin/ls

So, if we now only emit the ANOM_LINK event when audit is enabled, we
should get rid of all the duplicate information in that record. The
SYSCALL record has all that information.

-Steve

> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=no
>  hardlink: type=PROCTITLE msg=audit(03/12/2018
> 02:24:39.813:314) : proctitle=ln test test-ln type=PATH
> msg=audit(03/12/2018 02:24:39.813:314) : item=1 name=/tmp inode=13529
> dev=00:27 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00
> obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none
> cap_fi=none cap_fe=0 cap_fver=0 type=PATH msg=audit(03/12/2018
> 02:24:39.813:314) : item=0 name=test inode=18112 dev=00:27
> mode=file,700 ouid=root ogid=root rdev=00:00
> obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none
> cap_fi=none cap_fe=0 cap_fver=0 type=CWD msg=audit(03/12/2018
> 02:24:39.813:314) : cwd=/tmp type=SYSCALL msg=audit(03/12/2018
> 02:24:39.813:314) : arch=x86_64 syscall=linkat success=no
> exit=EPERM(Operation not permitted) a0=0xff9c a1=0x7ffccba77629
> a2=0xff9c a3=0x7ffccba7762e items=2 ppid=605 pid=638 auid=rgb
> uid=rgb gid=rgb euid=rgb suid=rgb fsuid=rgb egid=rgb sgid=rgb
> fsgid=rgb tty=pts0 ses=4 comm=ln exe=/usr/bin/ln
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> type=ANOM_LINK msg=audit(03/12/2018 02:24:39.813:314) : op=linkat
> ppid=605 pid=638 auid=rgb uid=rgb gid=rgb euid=rgb suid=rgb fsuid=rgb
> egid=rgb sgid=rgb fsgid=rgb tty=pts0 ses=4 comm=ln exe=/usr/bin/ln
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=no 
> 
> See: https://github.com/linux-audit/audit-kernel/issues/21
> See also: https://github.com/linux-audit/audit-kernel/issues/51
> 
> Richard Guy Briggs (4):
>   audit: make ANOM_LINK obey audit_enabled and audit_dummy_context
>   audit: link denied should not directly generate PATH record
>   audit: add refused symlink to audit_names
>   audit: add parent of refused symlink to audit_names
> 
>  fs/namei.c|  5 +++--
>  include/linux/audit.h |  9 +
>  kernel/audit.c| 43
> --- 3 files changed, 40
> insertions(+), 17 deletions(-)
>

Re: [PATCH ghak21 V2 0/4] audit: address ANOM_LINK excess records

2018-03-12 Thread Richard Guy Briggs

On 2018-03-12 02:31, Richard Guy Briggs wrote:
> Audit link denied events were being unexpectedly produced in a disjoint
> way when audit was disabled, and when they were expected, there were
> duplicate PATH records.  This patchset addresses both issues for
> symlinks and hardlinks.
> 
> This was introduced with
>   commit b24a30a7305418ff138ff51776fc555ec57c011a
>   ("audit: fix event coverage of AUDIT_ANOM_LINK")
>   commit a51d9eaa41866ab6b4b6ecad7b621f8b66ece0dc
>   ("fs: add link restriction audit reporting")
> 
> Here are the resulting events:
> 
> symlink:
> type=PROCTITLE msg=audit(03/12/2018 02:21:49.578:310) : proctitle=ls 
> ./my-passwd 
> type=PATH msg=audit(03/12/2018 02:21:49.578:310) : item=1 name=/tmp/ 
> inode=13529 dev=00:27 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 
> obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none 
> cap_fe=0 cap_fver=0 
> type=PATH msg=audit(03/12/2018 02:21:49.578:310) : item=0 name=./my-passwd 
> inode=17090 dev=00:27 mode=link,777 ouid=rgb ogid=rgb rdev=00:00 
> obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none 
> cap_fi=none cap_fe=0 cap_fver=0 
> type=CWD msg=audit(03/12/2018 02:21:49.578:310) : cwd=/tmp 
> type=SYSCALL msg=audit(03/12/2018 02:21:49.578:310) : arch=x86_64 
> syscall=stat success=no exit=EACCES(Permission denied) a0=0x7ffd79950dda 
> a1=0x563f658a03c8 a2=0x563f658a03c8 a3=0x79950d00 items=2 ppid=552 pid=629 
> auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root 
> sgid=root fsgid=root tty=ttyS0 ses=1 comm=ls exe=/usr/bin/ls 
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
> type=ANOM_LINK msg=audit(03/12/2018 02:21:49.578:310) : op=follow_link 
> ppid=552 pid=629 auid=root uid=root gid=root euid=root suid=root fsuid=root 
> egid=root sgid=root fsgid=root tty=ttyS0 ses=1 comm=ls exe=/usr/bin/ls 
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=no 
> 
> hardlink:
> type=PROCTITLE msg=audit(03/12/2018 02:24:39.813:314) : proctitle=ln test 
> test-ln 
> type=PATH msg=audit(03/12/2018 02:24:39.813:314) : item=1 name=/tmp 
> inode=13529 dev=00:27 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 
> obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none 
> cap_fe=0 cap_fver=0 
> type=PATH msg=audit(03/12/2018 02:24:39.813:314) : item=0 name=test 
> inode=18112 dev=00:27 mode=file,700 ouid=root ogid=root rdev=00:00 
> obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none 
> cap_fi=none cap_fe=0 cap_fver=0 
> type=CWD msg=audit(03/12/2018 02:24:39.813:314) : cwd=/tmp 
> type=SYSCALL msg=audit(03/12/2018 02:24:39.813:314) : arch=x86_64 
> syscall=linkat success=no exit=EPERM(Operation not permitted) a0=0xff9c 
> a1=0x7ffccba77629 a2=0xff9c a3=0x7ffccba7762e items=2 ppid=605 pid=638 
> auid=rgb uid=rgb gid=rgb euid=rgb suid=rgb fsuid=rgb egid=rgb sgid=rgb 
> fsgid=rgb tty=pts0 ses=4 comm=ln exe=/usr/bin/ln 
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
> type=ANOM_LINK msg=audit(03/12/2018 02:24:39.813:314) : op=linkat ppid=605 
> pid=638 auid=rgb uid=rgb gid=rgb euid=rgb suid=rgb fsuid=rgb egid=rgb 
> sgid=rgb fsgid=rgb tty=pts0 ses=4 comm=ln exe=/usr/bin/ln 
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=no 
> 
> See: https://github.com/linux-audit/audit-kernel/issues/21
> See also: https://github.com/linux-audit/audit-kernel/issues/51
> 
> Richard Guy Briggs (4):
>   audit: make ANOM_LINK obey audit_enabled and audit_dummy_context
>   audit: link denied should not directly generate PATH record
>   audit: add refused symlink to audit_names
>   audit: add parent of refused symlink to audit_names
> 
>  fs/namei.c|  5 +++--
>  include/linux/audit.h |  9 +
>  kernel/audit.c| 43 ---
>  3 files changed, 40 insertions(+), 17 deletions(-)
> 
> -- 

Changelog:
v2:
- remove now supperfluous struct path * parameter from audit_log_link_denied()
- refactor audit_log_symlink_denied() to properly free memory (pathname, 
filename)

> 1.8.3.1
> 

- RGB

--
Richard Guy Briggs 
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

Re: [PATCH ghak21 V2 0/4] audit: address ANOM_LINK excess records

2018-03-12 Thread Richard Guy Briggs

On 2018-03-12 02:31, Richard Guy Briggs wrote:
> Audit link denied events were being unexpectedly produced in a disjoint
> way when audit was disabled, and when they were expected, there were
> duplicate PATH records.  This patchset addresses both issues for
> symlinks and hardlinks.
> 
> This was introduced with
>   commit b24a30a7305418ff138ff51776fc555ec57c011a
>   ("audit: fix event coverage of AUDIT_ANOM_LINK")
>   commit a51d9eaa41866ab6b4b6ecad7b621f8b66ece0dc
>   ("fs: add link restriction audit reporting")
> 
> Here are the resulting events:
> 
> symlink:
> type=PROCTITLE msg=audit(03/12/2018 02:21:49.578:310) : proctitle=ls 
> ./my-passwd 
> type=PATH msg=audit(03/12/2018 02:21:49.578:310) : item=1 name=/tmp/ 
> inode=13529 dev=00:27 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 
> obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none 
> cap_fe=0 cap_fver=0 
> type=PATH msg=audit(03/12/2018 02:21:49.578:310) : item=0 name=./my-passwd 
> inode=17090 dev=00:27 mode=link,777 ouid=rgb ogid=rgb rdev=00:00 
> obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none 
> cap_fi=none cap_fe=0 cap_fver=0 
> type=CWD msg=audit(03/12/2018 02:21:49.578:310) : cwd=/tmp 
> type=SYSCALL msg=audit(03/12/2018 02:21:49.578:310) : arch=x86_64 
> syscall=stat success=no exit=EACCES(Permission denied) a0=0x7ffd79950dda 
> a1=0x563f658a03c8 a2=0x563f658a03c8 a3=0x79950d00 items=2 ppid=552 pid=629 
> auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root 
> sgid=root fsgid=root tty=ttyS0 ses=1 comm=ls exe=/usr/bin/ls 
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
> type=ANOM_LINK msg=audit(03/12/2018 02:21:49.578:310) : op=follow_link 
> ppid=552 pid=629 auid=root uid=root gid=root euid=root suid=root fsuid=root 
> egid=root sgid=root fsgid=root tty=ttyS0 ses=1 comm=ls exe=/usr/bin/ls 
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=no 
> 
> hardlink:
> type=PROCTITLE msg=audit(03/12/2018 02:24:39.813:314) : proctitle=ln test 
> test-ln 
> type=PATH msg=audit(03/12/2018 02:24:39.813:314) : item=1 name=/tmp 
> inode=13529 dev=00:27 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 
> obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none 
> cap_fe=0 cap_fver=0 
> type=PATH msg=audit(03/12/2018 02:24:39.813:314) : item=0 name=test 
> inode=18112 dev=00:27 mode=file,700 ouid=root ogid=root rdev=00:00 
> obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none 
> cap_fi=none cap_fe=0 cap_fver=0 
> type=CWD msg=audit(03/12/2018 02:24:39.813:314) : cwd=/tmp 
> type=SYSCALL msg=audit(03/12/2018 02:24:39.813:314) : arch=x86_64 
> syscall=linkat success=no exit=EPERM(Operation not permitted) a0=0xff9c 
> a1=0x7ffccba77629 a2=0xff9c a3=0x7ffccba7762e items=2 ppid=605 pid=638 
> auid=rgb uid=rgb gid=rgb euid=rgb suid=rgb fsuid=rgb egid=rgb sgid=rgb 
> fsgid=rgb tty=pts0 ses=4 comm=ln exe=/usr/bin/ln 
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
> type=ANOM_LINK msg=audit(03/12/2018 02:24:39.813:314) : op=linkat ppid=605 
> pid=638 auid=rgb uid=rgb gid=rgb euid=rgb suid=rgb fsuid=rgb egid=rgb 
> sgid=rgb fsgid=rgb tty=pts0 ses=4 comm=ln exe=/usr/bin/ln 
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=no 
> 
> See: https://github.com/linux-audit/audit-kernel/issues/21
> See also: https://github.com/linux-audit/audit-kernel/issues/51
> 
> Richard Guy Briggs (4):
>   audit: make ANOM_LINK obey audit_enabled and audit_dummy_context
>   audit: link denied should not directly generate PATH record
>   audit: add refused symlink to audit_names
>   audit: add parent of refused symlink to audit_names
> 
>  fs/namei.c|  5 +++--
>  include/linux/audit.h |  9 +
>  kernel/audit.c| 43 ---
>  3 files changed, 40 insertions(+), 17 deletions(-)
> 
> -- 

Changelog:
v2:
- remove now supperfluous struct path * parameter from audit_log_link_denied()
- refactor audit_log_symlink_denied() to properly free memory (pathname, 
filename)

> 1.8.3.1
> 

- RGB

--
Richard Guy Briggs 
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

[PATCH ghak21 V2 0/4] audit: address ANOM_LINK excess records

2018-03-12 Thread Richard Guy Briggs

Audit link denied events were being unexpectedly produced in a disjoint
way when audit was disabled, and when they were expected, there were
duplicate PATH records.  This patchset addresses both issues for
symlinks and hardlinks.

This was introduced with
commit b24a30a7305418ff138ff51776fc555ec57c011a
("audit: fix event coverage of AUDIT_ANOM_LINK")
commit a51d9eaa41866ab6b4b6ecad7b621f8b66ece0dc
("fs: add link restriction audit reporting")

Here are the resulting events:

symlink:
type=PROCTITLE msg=audit(03/12/2018 02:21:49.578:310) : proctitle=ls 
./my-passwd 
type=PATH msg=audit(03/12/2018 02:21:49.578:310) : item=1 name=/tmp/ 
inode=13529 dev=00:27 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 
obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 
cap_fver=0 
type=PATH msg=audit(03/12/2018 02:21:49.578:310) : item=0 name=./my-passwd 
inode=17090 dev=00:27 mode=link,777 ouid=rgb ogid=rgb rdev=00:00 
obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none 
cap_fe=0 cap_fver=0 
type=CWD msg=audit(03/12/2018 02:21:49.578:310) : cwd=/tmp 
type=SYSCALL msg=audit(03/12/2018 02:21:49.578:310) : arch=x86_64 syscall=stat 
success=no exit=EACCES(Permission denied) a0=0x7ffd79950dda a1=0x563f658a03c8 
a2=0x563f658a03c8 a3=0x79950d00 items=2 ppid=552 pid=629 auid=root uid=root 
gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root 
tty=ttyS0 ses=1 comm=ls exe=/usr/bin/ls 
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=ANOM_LINK msg=audit(03/12/2018 02:21:49.578:310) : op=follow_link ppid=552 
pid=629 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root 
sgid=root fsgid=root tty=ttyS0 ses=1 comm=ls exe=/usr/bin/ls 
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=no 

hardlink:
type=PROCTITLE msg=audit(03/12/2018 02:24:39.813:314) : proctitle=ln test 
test-ln 
type=PATH msg=audit(03/12/2018 02:24:39.813:314) : item=1 name=/tmp inode=13529 
dev=00:27 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 
obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 
cap_fver=0 
type=PATH msg=audit(03/12/2018 02:24:39.813:314) : item=0 name=test inode=18112 
dev=00:27 mode=file,700 ouid=root ogid=root rdev=00:00 
obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none 
cap_fe=0 cap_fver=0 
type=CWD msg=audit(03/12/2018 02:24:39.813:314) : cwd=/tmp 
type=SYSCALL msg=audit(03/12/2018 02:24:39.813:314) : arch=x86_64 
syscall=linkat success=no exit=EPERM(Operation not permitted) a0=0xff9c 
a1=0x7ffccba77629 a2=0xff9c a3=0x7ffccba7762e items=2 ppid=605 pid=638 
auid=rgb uid=rgb gid=rgb euid=rgb suid=rgb fsuid=rgb egid=rgb sgid=rgb 
fsgid=rgb tty=pts0 ses=4 comm=ln exe=/usr/bin/ln 
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=ANOM_LINK msg=audit(03/12/2018 02:24:39.813:314) : op=linkat ppid=605 
pid=638 auid=rgb uid=rgb gid=rgb euid=rgb suid=rgb fsuid=rgb egid=rgb sgid=rgb 
fsgid=rgb tty=pts0 ses=4 comm=ln exe=/usr/bin/ln 
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=no 

See: https://github.com/linux-audit/audit-kernel/issues/21
See also: https://github.com/linux-audit/audit-kernel/issues/51

Richard Guy Briggs (4):
  audit: make ANOM_LINK obey audit_enabled and audit_dummy_context
  audit: link denied should not directly generate PATH record
  audit: add refused symlink to audit_names
  audit: add parent of refused symlink to audit_names

 fs/namei.c|  5 +++--
 include/linux/audit.h |  9 +
 kernel/audit.c| 43 ---
 3 files changed, 40 insertions(+), 17 deletions(-)

-- 
1.8.3.1

[PATCH ghak21 V2 0/4] audit: address ANOM_LINK excess records

2018-03-12 Thread Richard Guy Briggs

Audit link denied events were being unexpectedly produced in a disjoint
way when audit was disabled, and when they were expected, there were
duplicate PATH records.  This patchset addresses both issues for
symlinks and hardlinks.

This was introduced with
commit b24a30a7305418ff138ff51776fc555ec57c011a
("audit: fix event coverage of AUDIT_ANOM_LINK")
commit a51d9eaa41866ab6b4b6ecad7b621f8b66ece0dc
("fs: add link restriction audit reporting")

Here are the resulting events:

symlink:
type=PROCTITLE msg=audit(03/12/2018 02:21:49.578:310) : proctitle=ls 
./my-passwd 
type=PATH msg=audit(03/12/2018 02:21:49.578:310) : item=1 name=/tmp/ 
inode=13529 dev=00:27 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 
obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 
cap_fver=0 
type=PATH msg=audit(03/12/2018 02:21:49.578:310) : item=0 name=./my-passwd 
inode=17090 dev=00:27 mode=link,777 ouid=rgb ogid=rgb rdev=00:00 
obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none 
cap_fe=0 cap_fver=0 
type=CWD msg=audit(03/12/2018 02:21:49.578:310) : cwd=/tmp 
type=SYSCALL msg=audit(03/12/2018 02:21:49.578:310) : arch=x86_64 syscall=stat 
success=no exit=EACCES(Permission denied) a0=0x7ffd79950dda a1=0x563f658a03c8 
a2=0x563f658a03c8 a3=0x79950d00 items=2 ppid=552 pid=629 auid=root uid=root 
gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root 
tty=ttyS0 ses=1 comm=ls exe=/usr/bin/ls 
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=ANOM_LINK msg=audit(03/12/2018 02:21:49.578:310) : op=follow_link ppid=552 
pid=629 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root 
sgid=root fsgid=root tty=ttyS0 ses=1 comm=ls exe=/usr/bin/ls 
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=no 

hardlink:
type=PROCTITLE msg=audit(03/12/2018 02:24:39.813:314) : proctitle=ln test 
test-ln 
type=PATH msg=audit(03/12/2018 02:24:39.813:314) : item=1 name=/tmp inode=13529 
dev=00:27 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 
obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 
cap_fver=0 
type=PATH msg=audit(03/12/2018 02:24:39.813:314) : item=0 name=test inode=18112 
dev=00:27 mode=file,700 ouid=root ogid=root rdev=00:00 
obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none 
cap_fe=0 cap_fver=0 
type=CWD msg=audit(03/12/2018 02:24:39.813:314) : cwd=/tmp 
type=SYSCALL msg=audit(03/12/2018 02:24:39.813:314) : arch=x86_64 
syscall=linkat success=no exit=EPERM(Operation not permitted) a0=0xff9c 
a1=0x7ffccba77629 a2=0xff9c a3=0x7ffccba7762e items=2 ppid=605 pid=638 
auid=rgb uid=rgb gid=rgb euid=rgb suid=rgb fsuid=rgb egid=rgb sgid=rgb 
fsgid=rgb tty=pts0 ses=4 comm=ln exe=/usr/bin/ln 
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=ANOM_LINK msg=audit(03/12/2018 02:24:39.813:314) : op=linkat ppid=605 
pid=638 auid=rgb uid=rgb gid=rgb euid=rgb suid=rgb fsuid=rgb egid=rgb sgid=rgb 
fsgid=rgb tty=pts0 ses=4 comm=ln exe=/usr/bin/ln 
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=no 

See: https://github.com/linux-audit/audit-kernel/issues/21
See also: https://github.com/linux-audit/audit-kernel/issues/51

Richard Guy Briggs (4):
  audit: make ANOM_LINK obey audit_enabled and audit_dummy_context
  audit: link denied should not directly generate PATH record
  audit: add refused symlink to audit_names
  audit: add parent of refused symlink to audit_names

 fs/namei.c|  5 +++--
 include/linux/audit.h |  9 +
 kernel/audit.c| 43 ---
 3 files changed, 40 insertions(+), 17 deletions(-)

-- 
1.8.3.1

Re: [PATCH ghak21 V2 0/4] audit: address ANOM_LINK excess records

Re: [PATCH ghak21 V2 0/4] audit: address ANOM_LINK excess records

Re: [PATCH ghak21 V2 0/4] audit: address ANOM_LINK excess records

Re: [PATCH ghak21 V2 0/4] audit: address ANOM_LINK excess records

Re: [PATCH ghak21 V2 0/4] audit: address ANOM_LINK excess records

Re: [PATCH ghak21 V2 0/4] audit: address ANOM_LINK excess records

[PATCH ghak21 V2 0/4] audit: address ANOM_LINK excess records

[PATCH ghak21 V2 0/4] audit: address ANOM_LINK excess records

8 matches

Site Navigation

Mail list logo

Footer information