From: Paul Moore <paul@paul-moore.com>
To: Richard Guy Briggs <rgb@redhat.com>
Cc: Linux-Audit Mailing List <linux-audit@redhat.com>,
	LKML <linux-kernel@vger.kernel.org>,
	Linux Security Module list 
	<linux-security-module@vger.kernel.org>,
	Eric Paris <eparis@parisplace.org>,
	john.johansen@canonical.com
Subject: Re: [PATCH ghak96 v3] audit: issue CWD record to accompany LSM_AUDIT_DATA_* records
Date: Wed, 8 Jul 2020 19:06:18 -0400
Message-ID: <CAHC9VhT59qkGZar0wUkNK7uVsKvHVQL4-P-gmw+99F8eTKkz-w@mail.gmail.com>
In-Reply-To: <878ac79163e31142963f1cd4f743599c35b6754a.1593691408.git.rgb@redhat.com>

On Fri, Jul 3, 2020 at 12:56 PM Richard Guy Briggs <rgb@redhat.com> wrote:
>
> The LSM_AUDIT_DATA_* records for PATH, FILE, IOCTL_OP, DENTRY and INODE
> are incomplete without the task context of the AUDIT Current Working
> Directory record.  Add it.
>
> This record addition can't use audit_dummy_context to determine whether
> or not to store the record information since the LSM_AUDIT_DATA_*
> records are initiated by various LSMs independent of any audit rules.
> context->in_syscall is used to determine if it was called in user
> context like audit_getname.
>
> Please see the upstream issue
> https://github.com/linux-audit/audit-kernel/issues/96
>
> Adapted from Vladis Dronov's v2 patch.
>
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> ---
> Passes audit-testsuite.
>
> Changelog:
> v3
> - adapt and refactor __audit_getname, don't key on dummy
>
> v2
> 2020-04-02 vdronov https://www.redhat.com/archives/linux-audit/2020-April/msg00004.html
> - convert to standalone CWD record
>
> v1:
> 2020-03-24 vdronov https://github.com/nefigtut/audit-kernel/commit/df0b55b7ab84e1c9faa588b08e547e604bf25c87
> - add cwd= field to LSM record
>
>  include/linux/audit.h |  9 ++++++++-
>  kernel/auditsc.c      | 17 +++++++++++++++--
>  security/lsm_audit.c  |  5 +++++
>  3 files changed, 28 insertions(+), 3 deletions(-)

Merged into audit/next, thanks.

-- 
paul moore
www.paul-moore.com
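
For anyone consuming audit logs, the practical effect of the change discussed above is that an LSM-generated AVC event can carry a CWD record under the same event ID. The following is an added example, not code from the patch or from anyone in this thread: it groups records by event ID, attaches the task's cwd to each AVC event, and lists AVC events that arrived without one. The log lines are constructed samples and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample records (not captured from a real system). Records that
# share the timestamp:serial inside msg=audit(...) belong to one event.
SAMPLE_LOG = """\
type=AVC msg=audit(1594249578.101:901): avc:  denied  { read } for  pid=4100 comm="cat" name="shadow" dev="dm-0" ino=131 tclass=file permissive=0
type=CWD msg=audit(1594249578.101:901): cwd="/etc"
type=AVC msg=audit(1594249579.250:902): avc:  denied  { open } for  pid=4101 comm="sh" path="/srv/data/report" dev="dm-0" ino=977 tclass=file permissive=0
type=CWD msg=audit(1594249579.250:902): cwd=2F7372762F6D7920646972
type=AVC msg=audit(1594249580.007:903): avc:  denied  { getattr } for  pid=4102 comm="ls" name="keys" dev="dm-0" ino=55 tclass=dir permissive=0
"""

EVENT_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+:\d+)\): ?(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode(value):
    """Audit quotes safe strings and hex-encodes ones with spaces or control bytes."""
    if value.startswith('"'):
        return value.strip('"')
    if len(value) % 2 == 0 and re.fullmatch(r"[0-9A-F]+", value):
        return bytes.fromhex(value).decode("utf-8", "replace")
    return value

def correlate(log_text):
    """Return {event_id: {"object": ..., "cwd": ... or None}} for each AVC event."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        rtype, event_id, body = m.groups()
        fields = dict(FIELD_RE.findall(body))
        if rtype == "AVC":
            obj = fields.get("path") or fields.get("name")
            events[event_id]["object"] = decode(obj) if obj else None
        elif rtype == "CWD" and "cwd" in fields:
            events[event_id]["cwd"] = decode(fields["cwd"])
    return {eid: {"object": e["object"], "cwd": e.get("cwd")}
            for eid, e in events.items() if "object" in e}

def missing_cwd(log_text):
    """Event IDs whose AVC record has no CWD record in the same event."""
    return sorted(eid for eid, e in correlate(log_text).items() if e["cwd"] is None)
```

The cwd is reported as task context only; a `name=` value is a single path component and is not joined to the cwd here.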
