* [PATCH] Fix formatting of AUDIT_CONFIG_CHANGE events
@ 2016-11-16 21:14 Steve Grubb
  2016-11-17  6:40 ` Richard Guy Briggs
  2016-11-20 20:42 ` Paul Moore
  0 siblings, 2 replies; 3+ messages in thread
From: Steve Grubb @ 2016-11-16 21:14 UTC (permalink / raw)
  To: linux-audit

The AUDIT_CONFIG_CHANGE events sometimes use an op= field. The current code
logs the value of the field with quotes. This field is documented as not
encoded, so it should not have quotes.

Signed-off-by: Steve Grubb <sgrubb@redhat.com>

---

diff -urp vanilla-4.9-rc5.orig/kernel/auditfilter.c vanilla-4.9-rc5/kernel/auditfilter.c
--- vanilla-4.9-rc5.orig/kernel/auditfilter.c	2016-10-02 19:24:33.000000000 -0400
+++ vanilla-4.9-rc5/kernel/auditfilter.c	2016-11-16 16:00:30.608728324 -0500
@@ -1074,8 +1074,7 @@ static void audit_log_rule_change(char *
 		return;
 	audit_log_format(ab, "auid=%u ses=%u" ,loginuid, sessionid);
 	audit_log_task_context(ab);
-	audit_log_format(ab, " op=");
-	audit_log_string(ab, action);
+	audit_log_format(ab, " op=%s", action);
 	audit_log_key(ab, rule->filterkey);
 	audit_log_format(ab, " list=%d res=%d", rule->listnr, res);
 	audit_log_end(ab);
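Review bot: With the quotes gone, nothing in audit_log_rule_change() delimits the `op=` value any more, so the record stays parseable only if every caller passes `action` as a fixed token with no spaces, `=` or quotes, and that contract is not written down anywhere in the hunk. I would add a comment above the changed line, e.g. `/* action is logged unencoded: callers must pass a constant token without whitespace */`, so a later caller does not hand it a string that splits into extra fields for log consumers. The same applies to `op` in the audit_fsnotify.c and audit_watch.c hunks. The function's signature and its callers are outside the hunk, so whether `action` could also be declared `const char *` has to be checked there.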
diff -urp vanilla-4.9-rc5.orig/kernel/audit_fsnotify.c vanilla-4.9-rc5/kernel/audit_fsnotify.c
--- vanilla-4.9-rc5.orig/kernel/audit_fsnotify.c	2016-10-02 19:24:33.000000000 -0400
+++ vanilla-4.9-rc5/kernel/audit_fsnotify.c	2016-11-16 16:02:41.516728544 -0500
@@ -130,10 +130,9 @@ static void audit_mark_log_rule_change(s
 	ab = audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE);
 	if (unlikely(!ab))
 		return;
-	audit_log_format(ab, "auid=%u ses=%u op=",
+	audit_log_format(ab, "auid=%u ses=%u op=%s",
 			 from_kuid(&init_user_ns, audit_get_loginuid(current)),
-			 audit_get_sessionid(current));
-	audit_log_string(ab, op);
+			 audit_get_sessionid(current), op);
 	audit_log_format(ab, " path=");
 	audit_log_untrustedstring(ab, audit_mark->path);
 	audit_log_key(ab, rule->filterkey);
diff -urp vanilla-4.9-rc5.orig/kernel/audit_tree.c vanilla-4.9-rc5/kernel/audit_tree.c
--- vanilla-4.9-rc5.orig/kernel/audit_tree.c	2016-10-02 19:24:33.000000000 -0400
+++ vanilla-4.9-rc5/kernel/audit_tree.c	2016-11-16 16:03:26.414728619 -0500
@@ -458,8 +458,7 @@ static void audit_tree_log_remove_rule(s
 	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
 	if (unlikely(!ab))
 		return;
-	audit_log_format(ab, "op=");
-	audit_log_string(ab, "remove_rule");
+	audit_log_format(ab, "op=remove_rule");
 	audit_log_format(ab, " dir=");
 	audit_log_untrustedstring(ab, rule->tree->pathname);
 	audit_log_key(ab, rule->filterkey);
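Review bot: Once `op=remove_rule` is a literal inside the format string, the following `audit_log_format(ab, " dir=");` is a second call that only appends another literal; the two can be one call, `audit_log_format(ab, "op=remove_rule dir=");`, leaving `audit_log_untrustedstring()` to encode the pathname as it does now. The same merge looks possible for the ` path=` literal in the audit_fsnotify.c and audit_watch.c hunks. The body of audit_tree_log_remove_rule() starts and ends outside the hunk.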
diff -urp vanilla-4.9-rc5.orig/kernel/audit_watch.c vanilla-4.9-rc5/kernel/audit_watch.c
--- vanilla-4.9-rc5.orig/kernel/audit_watch.c	2016-10-02 19:24:33.000000000 -0400
+++ vanilla-4.9-rc5/kernel/audit_watch.c	2016-11-16 16:04:18.287728706 -0500
@@ -242,10 +242,9 @@ static void audit_watch_log_rule_change(
 		ab = audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE);
 		if (unlikely(!ab))
 			return;
-		audit_log_format(ab, "auid=%u ses=%u op=",
+		audit_log_format(ab, "auid=%u ses=%u op=%s",
 				 from_kuid(&init_user_ns, audit_get_loginuid(current)),
-				 audit_get_sessionid(current));
-		audit_log_string(ab, op);
+				 audit_get_sessionid(current), op);
 		audit_log_format(ab, " path=");
 		audit_log_untrustedstring(ab, w->path);
 		audit_log_key(ab, r->filterkey);


* Re: [PATCH] Fix formatting of AUDIT_CONFIG_CHANGE events
  2016-11-16 21:14 [PATCH] Fix formatting of AUDIT_CONFIG_CHANGE events Steve Grubb
@ 2016-11-17  6:40 ` Richard Guy Briggs
  2016-11-20 20:42 ` Paul Moore
  1 sibling, 0 replies; 3+ messages in thread
From: Richard Guy Briggs @ 2016-11-17  6:40 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit

On 2016-11-16 16:14, Steve Grubb wrote:
> The AUDIT_CONFIG_CHANGE events sometimes use a op= field. The current code
> logs the value of the field with quotes. This field is documented to not be
> encoded, so it should not have quotes.

There were a number of callers that had spaces in their "op" or "action"
strings which I've addressed with several upstream patches, so this is
the right direction to go.  All the callers for the instances listed
below are fine.

> Signed-off-by: Steve Grubb <sgrubb@redhat.com>

Reviewed-by: Richard Guy Briggs <rgb@redhat.com>

> ---
> 
> diff -urp vanilla-4.9-rc5.orig/kernel/auditfilter.c vanilla-4.9-rc5/kernel/auditfilter.c
> --- vanilla-4.9-rc5.orig/kernel/auditfilter.c	2016-10-02 19:24:33.000000000 -0400
> +++ vanilla-4.9-rc5/kernel/auditfilter.c	2016-11-16 16:00:30.608728324 -0500
> @@ -1074,8 +1074,7 @@ static void audit_log_rule_change(char *
>  		return;
>  	audit_log_format(ab, "auid=%u ses=%u" ,loginuid, sessionid);
>  	audit_log_task_context(ab);
> -	audit_log_format(ab, " op=");
> -	audit_log_string(ab, action);
> +	audit_log_format(ab, " op=%s", action);
>  	audit_log_key(ab, rule->filterkey);
>  	audit_log_format(ab, " list=%d res=%d", rule->listnr, res);
>  	audit_log_end(ab);
> diff -urp vanilla-4.9-rc5.orig/kernel/audit_fsnotify.c vanilla-4.9-rc5/kernel/audit_fsnotify.c
> --- vanilla-4.9-rc5.orig/kernel/audit_fsnotify.c	2016-10-02 19:24:33.000000000 -0400
> +++ vanilla-4.9-rc5/kernel/audit_fsnotify.c	2016-11-16 16:02:41.516728544 -0500
> @@ -130,10 +130,9 @@ static void audit_mark_log_rule_change(s
>  	ab = audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE);
>  	if (unlikely(!ab))
>  		return;
> -	audit_log_format(ab, "auid=%u ses=%u op=",
> +	audit_log_format(ab, "auid=%u ses=%u op=%s",
>  			 from_kuid(&init_user_ns, audit_get_loginuid(current)),
> -			 audit_get_sessionid(current));
> -	audit_log_string(ab, op);
> +			 audit_get_sessionid(current), op);
>  	audit_log_format(ab, " path=");
>  	audit_log_untrustedstring(ab, audit_mark->path);
>  	audit_log_key(ab, rule->filterkey);
> diff -urp vanilla-4.9-rc5.orig/kernel/audit_tree.c vanilla-4.9-rc5/kernel/audit_tree.c
> --- vanilla-4.9-rc5.orig/kernel/audit_tree.c	2016-10-02 19:24:33.000000000 -0400
> +++ vanilla-4.9-rc5/kernel/audit_tree.c	2016-11-16 16:03:26.414728619 -0500
> @@ -458,8 +458,7 @@ static void audit_tree_log_remove_rule(s
>  	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
>  	if (unlikely(!ab))
>  		return;
> -	audit_log_format(ab, "op=");
> -	audit_log_string(ab, "remove_rule");
> +	audit_log_format(ab, "op=remove_rule");
>  	audit_log_format(ab, " dir=");
>  	audit_log_untrustedstring(ab, rule->tree->pathname);
>  	audit_log_key(ab, rule->filterkey);
> diff -urp vanilla-4.9-rc5.orig/kernel/audit_watch.c vanilla-4.9-rc5/kernel/audit_watch.c
> --- vanilla-4.9-rc5.orig/kernel/audit_watch.c	2016-10-02 19:24:33.000000000 -0400
> +++ vanilla-4.9-rc5/kernel/audit_watch.c	2016-11-16 16:04:18.287728706 -0500
> @@ -242,10 +242,9 @@ static void audit_watch_log_rule_change(
>  		ab = audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE);
>  		if (unlikely(!ab))
>  			return;
> -		audit_log_format(ab, "auid=%u ses=%u op=",
> +		audit_log_format(ab, "auid=%u ses=%u op=%s",
>  				 from_kuid(&init_user_ns, audit_get_loginuid(current)),
> -				 audit_get_sessionid(current));
> -		audit_log_string(ab, op);
> +				 audit_get_sessionid(current), op);
>  		audit_log_format(ab, " path=");
>  		audit_log_untrustedstring(ab, w->path);
>  		audit_log_key(ab, r->filterkey);
> 
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635


* Re: [PATCH] Fix formatting of AUDIT_CONFIG_CHANGE events
  2016-11-16 21:14 [PATCH] Fix formatting of AUDIT_CONFIG_CHANGE events Steve Grubb
  2016-11-17  6:40 ` Richard Guy Briggs
@ 2016-11-20 20:42 ` Paul Moore
  1 sibling, 0 replies; 3+ messages in thread
From: Paul Moore @ 2016-11-20 20:42 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit

On Wed, Nov 16, 2016 at 4:14 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> The AUDIT_CONFIG_CHANGE events sometimes use a op= field. The current code
> logs the value of the field with quotes. This field is documented to not be
> encoded, so it should not have quotes.
>
> Signed-off-by: Steve Grubb <sgrubb@redhat.com>

Looks good to me, merged.

-- 
paul moore
www.paul-moore.com

