From: Steve Grubb <sgrubb@redhat.com>
To: Ondrej Mosnacek <omosnace@redhat.com>
Cc: Richard Guy Briggs <rgb@redhat.com>,
Linux-Audit Mailing List <linux-audit@redhat.com>
Subject: Re: [PATCH ghak95] audit: Do not log full CWD path on empty relative paths
Date: Fri, 24 Aug 2018 10:28:37 -0400 [thread overview]
Message-ID: <1756482.jLK7dZV42z@x2> (raw)
In-Reply-To: <CAFqZXNuoVTkxE_0zCLFU3uJz4YHmtNVx=D_4POSPLWORs4g6Pg@mail.gmail.com>
On Friday, August 24, 2018 8:59:10 AM EDT Ondrej Mosnacek wrote:
> On Thu, Aug 2, 2018 at 1:45 PM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> > When a relative path has just a single component and we want to emit a
> > nametype=PARENT record, the current implementation just reports the full
> > CWD path (which is alrady available in the audit context).
> >
> > This is wrong for three reasons:
> > 1. Wasting log space for redundant data (CWD path is already in the CWD
> >
> > record).
> >
> > 2. Inconsistency with other PATH records (if a relative PARENT directory
> >
> > path contains at least one component, only the verbatim relative path
> > is logged).
> >
> > 3. In some syscalls (e.g. openat(2)) the relative path may not even be
> >
> > relative to the CWD, but to another directory specified as a file
> > descriptor. In that case the logged path is simply plain wrong.
> >
> > This patch modifies this behavior to simply report "." in the
> > aforementioned case, which is equivalent to an "empty" directory path
> > and can be concatenated with the actual base directory path (CWD or
> > dirfd from openat(2)-like syscall) once support for its logging is added
> > later. In the meantime, defaulting to CWD as base directory on relative
> > paths (as already done by the userspace tools) will be enough to achieve
> > results equivalent to the current behavior.
>
> I tested this patch a little bit with the libauparse library (it has
> some functions for normalizing paths extracted from the records) and
> it seems to behave as intended. The userspace functions seem to take a
> rather crude approach and I think they won't always properly normalize
> some paths, but that is a separate issue and this patch at least
> definitely doesn't make it worse.
Be sure to test with directory names that have spaces in them as well as file
names with spaces in them.
-Steve
> > See: https://github.com/linux-audit/audit-kernel/issues/95
> >
> > Fixes: 9c937dcc7102 ("[PATCH] log more info for directory entry change
> > events") Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> > ---
> >
> > kernel/audit.c | 9 ++++-----
> > 1 file changed, 4 insertions(+), 5 deletions(-)
> >
> > diff --git a/kernel/audit.c b/kernel/audit.c
> > index 2a8058764aa6..4f18bd48eb4b 100644
> > --- a/kernel/audit.c
> > +++ b/kernel/audit.c
> > @@ -2127,28 +2127,27 @@ void audit_log_name(struct audit_context
> > *context, struct audit_names *n,>
> > audit_log_format(ab, "item=%d", record_num);
> >
> > + audit_log_format(ab, " name=");
> >
> > if (path)
> >
> > - audit_log_d_path(ab, " name=", path);
> > + audit_log_d_path(ab, NULL, path);
> >
> > else if (n->name) {
> >
> > switch (n->name_len) {
> >
> > case AUDIT_NAME_FULL:
> > /* log the full path */
> >
> > - audit_log_format(ab, " name=");
> >
> > audit_log_untrustedstring(ab, n->name->name);
> > break;
> >
> > case 0:
> > /* name was specified as a relative path and the
> >
> > * directory component is the cwd */
> >
> > - audit_log_d_path(ab, " name=", &context->pwd);
> > + audit_log_untrustedstring(ab, ".");
> >
> > break;
> >
> > default:
> > /* log the name's directory component */
> >
> > - audit_log_format(ab, " name=");
> >
> > audit_log_n_untrustedstring(ab, n->name->name,
> >
> > n->name_len);
> >
> > }
> >
> > } else
> >
> > - audit_log_format(ab, " name=(null)");
> > + audit_log_format(ab, "(null)");
> >
> > if (n->ino != AUDIT_INO_UNSET)
> >
> > audit_log_format(ab, " inode=%lu"
> >
> > --
> > 2.17.1
>
> --
> Ondrej Mosnacek <omosnace at redhat dot com>
> Associate Software Engineer, Security Technologies
> Red Hat, Inc.
prev parent reply other threads:[~2018-08-24 14:28 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-08-02 11:44 [PATCH ghak95] audit: Do not log full CWD path on empty relative paths Ondrej Mosnacek
2018-08-02 13:29 ` Richard Guy Briggs
2018-08-02 22:24 ` Paul Moore
2018-08-03 7:08 ` Ondrej Mosnacek
2018-08-24 14:09 ` Paul Moore
2018-08-27 13:00 ` Ondrej Mosnacek
2018-09-13 13:57 ` Ondrej Mosnacek
2018-09-13 14:13 ` Paul Moore
2018-09-19 1:35 ` Paul Moore
2018-09-19 11:01 ` Ondrej Mosnacek
2018-09-19 15:44 ` Paul Moore
2018-10-31 8:54 ` Ondrej Mosnacek
2018-11-05 23:30 ` Paul Moore
2018-11-06 8:08 ` Ondrej Mosnacek
2018-11-06 20:19 ` Paul Moore
2018-11-13 15:25 ` Ondrej Mosnacek
2018-11-13 16:30 ` Paul Moore
2018-12-01 16:50 ` Steve Grubb
2018-12-04 0:17 ` Paul Moore
2018-12-04 8:07 ` Ondrej Mosnacek
2018-12-04 22:19 ` Paul Moore
2018-08-03 0:03 ` Paul Moore
2018-08-24 15:00 ` Paul Moore
2018-08-24 15:14 ` Steve Grubb
2018-08-27 12:42 ` Ondrej Mosnacek
2018-08-24 12:59 ` Ondrej Mosnacek
2018-08-24 14:28 ` Steve Grubb [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1756482.jLK7dZV42z@x2 \
--to=sgrubb@redhat.com \
--cc=linux-audit@redhat.com \
--cc=omosnace@redhat.com \
--cc=rgb@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.