From: Tyler Hicks
Subject: Re: [PATCH] audit: printk USER_AVC messages when audit isn't enabled
Date: Fri, 16 Aug 2013 12:05:58 -0700
Message-ID: <20130816190558.GB3592@boyd>
References: <1374800575-32320-1-git-send-email-tyhicks@canonical.com>
In-Reply-To: <1374800575-32320-1-git-send-email-tyhicks@canonical.com>
To: Al Viro, Eric Paris
Cc: linux-audit@redhat.com

On 2013-07-25 18:02:55, Tyler Hicks wrote:
> When the audit=1 kernel parameter is absent and auditd is not running,
> AUDIT_USER_AVC messages are being silently discarded.
>
> AUDIT_USER_AVC messages should be sent to userspace using printk(), as
> mentioned in the commit message of
> 4a4cd633b575609b741a1de7837223a2d9e1c34c ("AUDIT: Optimise the
> audit-disabled case for discarding user messages").
>
> When audit_enabled is 0, audit_receive_msg() discards all user messages
> except for AUDIT_USER_AVC messages. However, audit_log_common_recv_msg()
> refuses to allocate an audit_buffer if audit_enabled is 0. The fix is to
> special case AUDIT_USER_AVC messages in both functions.
>
> Signed-off-by: Tyler Hicks
> Cc: Al Viro
> Cc: Eric Paris
> Cc: linux-audit@redhat.com
> ---

Hello Al and Eric - I wanted to bring this patch back to your attention
so it doesn't get forgotten. This is a fairly nasty bug in distros that
leave auditd as optional but still build packages against libaudit.

Thanks!

Tyler

>
> It looks like commit 50397bd1e471391d27f64efad9271459c913de87 ("[AUDIT] clean
> up audit_receive_msg()") introduced this bug, so I think that this patch should
> also get the tag:
>
> Cc: # v2.6.25+
>
> Al and Eric, I'll leave that up to you two.
>
>
> Here's my test matrix showing where messages end up as a result of a call to
> libaudit's audit_log_user_avc_message():
>
>                 | unpatched      patched
> ----------------+--------------------------------
> w/o audit=1 &   | *dropped*      syslog
> w/o auditd      |
>                 |
> w/ audit=1 &    | syslog         syslog
> w/o auditd      |
>                 |
> w/o audit=1 &   | audit.log      audit.log
> w/ auditd       |
>                 |
> w/ audit=1 &    | audit.log      audit.log
> w/ auditd       |
>
> Thanks!
>
>  kernel/audit.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/kernel/audit.c b/kernel/audit.c > index 91e53d0..f4f2773 100644 > --- a/kernel/audit.c > +++ b/kernel/audit.c 
> @@ -613,7 +613,7 @@ static int audit_log_common_recv_msg(struct audit_buf= fer **ab, u16 msg_type) > int rc =3D 0; > uid_t uid =3D from_kuid(&init_user_ns, current_uid()); > =20 > - if (!audit_enabled) { > + if (!audit_enabled && msg_type !=3D AUDIT_USER_AVC) { > *ab =3D NULL; > return rc; > }
> --
> 1.8.3.2
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
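
Review bot: the changed test in audit_log_common_recv_msg(), `if (!audit_enabled && msg_type != AUDIT_USER_AVC)`, is the only change in the patch (the diffstat shows 1 insertion and 1 deletion), yet the commit message says AUDIT_USER_AVC is special-cased "in both functions". Please reword the message to say that audit_receive_msg() already lets AUDIT_USER_AVC through and that only the audit_buffer allocation check needed the same exception. The new condition also has no comment; a one-line note above it saying that these records must still get an audit_buffer when audit_enabled is 0, so they can be sent out through printk(), would explain why a single message type bypasses the check and flag that it has to stay in step with the filter in audit_receive_msg().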