From: Richard Guy Briggs <rgb@redhat.com>
To: Tyler Hicks <tyhicks@canonical.com>
Cc: linux-audit@redhat.com, Al Viro <viro@zeniv.linux.org.uk>
Subject: Re: [PATCH] audit: printk USER_AVC messages when audit isn't enabled
Date: Tue, 20 Aug 2013 10:45:48 -0400
Message-ID: <20130820144548.GN11242@madcap2.tricolour.ca>
In-Reply-To: <1374800575-32320-1-git-send-email-tyhicks@canonical.com>

On Thu, Jul 25, 2013 at 06:02:55PM -0700, Tyler Hicks wrote:
> When the audit=1 kernel parameter is absent and auditd is not running,
> AUDIT_USER_AVC messages are being silently discarded.
> 
> AUDIT_USER_AVC messages should be sent to userspace using printk(), as
> mentioned in the commit message of
> 4a4cd633b575609b741a1de7837223a2d9e1c34c ("AUDIT: Optimise the
> audit-disabled case for discarding user messages").
> 
> When audit_enabled is 0, audit_receive_msg() discards all user messages
> except for AUDIT_USER_AVC messages. However, audit_log_common_recv_msg()
> refuses to allocate an audit_buffer if audit_enabled is 0. The fix is to
> special case AUDIT_USER_AVC messages in both functions.
> 
> Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
> Cc: Al Viro <viro@zeniv.linux.org.uk>
> Cc: Eric Paris <eparis@redhat.com>
> Cc: linux-audit@redhat.com
> ---
> 
> It looks like commit 50397bd1e471391d27f64efad9271459c913de87 ("[AUDIT] clean
> up audit_receive_msg()") introduced this bug, so I think that this patch should
> also get the tag:
> 
>   Cc: <stable@kernel.org> # v2.6.25+
> 
> Al and Eric, I'll leave that up to you two.

Hi Tyler,

This patch looks entirely reasonable to me.

Acked-by: Richard Guy Briggs <rbriggs@redhat.com>

> Here's my test matrix showing where messages end up as a result of a call to
> libaudit's audit_log_user_avc_message():
> 
> 		|	unpatched	patched
> ----------------+--------------------------------
> w/o audit=1 &	|	*dropped*	syslog
> w/o auditd	|
> 		|
> w/ audit=1 &	|	syslog		syslog
> w/o auditd	|
> 		|
> w/o audit=1 &	|	audit.log	audit.log
> w/ auditd	|
> 		|
> w/ audit=1 &	|	audit.log	audit.log
> w/ auditd	|
> 
> Thanks!
> 
>  kernel/audit.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/kernel/audit.c b/kernel/audit.c
> index 91e53d0..f4f2773 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -613,7 +613,7 @@ static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type)
>  	int rc = 0;
>  	uid_t uid = from_kuid(&init_user_ns, current_uid());
>  
> -	if (!audit_enabled) {
> +	if (!audit_enabled && msg_type != AUDIT_USER_AVC) {
>  		*ab = NULL;
>  		return rc;
>  	}
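Review bot: the changed condition `if (!audit_enabled && msg_type != AUDIT_USER_AVC)` in audit_log_common_recv_msg() has no comment saying why AUDIT_USER_AVC is exempt from the audit-disabled early return, and per the commit message the same exemption already exists in audit_receive_msg(), so the rule now lives in two places. The note under the commit message traces the bug to an earlier cleanup of audit_receive_msg(); a one-line comment above this check naming the printk() fallback for USER_AVC, or a small shared predicate used by both functions, would make it harder for a later cleanup to reintroduce the silent drop.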
> -- 
> 1.8.3.2
> 
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit

- RGB

--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer
Kernel Security
AMER ENG Base Operating Systems
Remote, Ottawa, Canada
Voice: +1.647.777.2635
Internal: (81) 32635
Alt: +1.613.693.0684x3545
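
The two checks described in the quoted commit message, as an added example that is not part of the original thread and is not kernel code: a simplified userspace model that reproduces the test matrix for AUDIT_USER_AVC. The names `struct sys`, `receive_ok`, `buffer_ok` and `route` are hypothetical, and the model assumes that audit_enabled is nonzero whenever auditd is running, which is what the auditd rows of the matrix imply.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Message type values from <linux/audit.h>. */
#define AUDIT_USER     1005
#define AUDIT_USER_AVC 1107

/* Simplified userspace model of the two checks; not kernel code. */
struct sys { bool boot_audit1; bool auditd; };

/* Assumption: audit_enabled is nonzero with audit=1 or once auditd runs,
 * which is what the auditd rows of the test matrix imply. */
static bool audit_enabled(struct sys s) { return s.boot_audit1 || s.auditd; }

/* Check 1: audit_receive_msg() keeps only USER_AVC when audit is disabled. */
static bool receive_ok(struct sys s, int type)
{
    return audit_enabled(s) || type == AUDIT_USER_AVC;
}

/* Check 2: audit_log_common_recv_msg(), before and after the hunk. */
static bool buffer_ok(struct sys s, int type, bool patched)
{
    if (patched)
        return audit_enabled(s) || type == AUDIT_USER_AVC;
    return audit_enabled(s);   /* unpatched: *ab = NULL, nothing is logged */
}

/* Where a user message ends up: "dropped", "syslog" (printk) or "audit.log". */
const char *route(struct sys s, int type, bool patched)
{
    if (!receive_ok(s, type) || !buffer_ok(s, type, patched))
        return "dropped";
    return s.auditd ? "audit.log" : "syslog";
}

int main(void)
{
    for (int i = 0; i < 4; i++) {
        struct sys s = { .boot_audit1 = i & 1, .auditd = i & 2 };
        printf("audit=1:%d auditd:%d  unpatched=%-9s patched=%s\n",
               s.boot_audit1, s.auditd,
               route(s, AUDIT_USER_AVC, false), route(s, AUDIT_USER_AVC, true));
    }
    return 0;
}
```

Other user message types, such as AUDIT_USER, are still discarded at the first check when audit is disabled, with or without the patch.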

Thread overview: 5+ messages
2013-07-26  1:02 [PATCH] audit: printk USER_AVC messages when audit isn't enabled Tyler Hicks
2013-08-16 19:05 ` Tyler Hicks
2013-08-19 23:59   ` Kees Cook
2014-01-22 17:39     ` Richard Guy Briggs
2013-08-20 14:45 ` Richard Guy Briggs [this message]
