[PATCH ghak21 V4 0/2] audit: address ANOM_LINK excess records

[PATCH ghak21 V4 0/2] audit: address ANOM_LINK excess records

[Richard Guy Briggs]

This V4 is a supplement to patches 1 and 2 of v1 already merged.

Audit link denied events were being unexpectedly produced in a disjoint
way when audit was disabled, and when they were expected, there were
duplicate PATH records.  This patchset addresses both issues for
symlinks and hardlinks.

This was introduced with
	commit b24a30a7305418ff138ff51776fc555ec57c011a
	("audit: fix event coverage of AUDIT_ANOM_LINK")
	commit a51d9eaa41866ab6b4b6ecad7b621f8b66ece0dc
	("fs: add link restriction audit reporting")

Here are the original events for symlink and hardlink for each of
CWD!=PARENT and CWD=PARENT on 4.15.7-300.fc27.x86_64:
----
type=PROCTITLE msg=audit(2018-03-21 04:15:45.353:285) : proctitle=ls /tmp/my-passwd 
type=PATH msg=audit(2018-03-21 04:15:45.353:285) : item=0 name=/tmp/my-passwd nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(2018-03-21 04:15:45.353:285) : cwd=/root 
type=SYSCALL msg=audit(2018-03-21 04:15:45.353:285) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x7ffddb7c4de7 a1=0x557b4bb5f3c0 a2=0x557b4bb5f3c0 a3=0xdb7c4d00 items=1 ppid=621 pid=676 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=ttyS0 ses=1 comm=ls exe=/usr/bin/ls subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=PATH msg=audit(2018-03-21 04:15:45.353:285) : item=0 name=/tmp/my-passwd inode=20618 dev=00:29 mode=link,777 ouid=rgb ogid=rgb rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=ANOM_LINK msg=audit(2018-03-21 04:15:45.353:285) : op=follow_link ppid=621 pid=676 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=ttyS0 ses=1 comm=ls exe=/usr/bin/ls subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=no 
----
type=PROCTITLE msg=audit(2018-03-21 04:15:45.356:286) : proctitle=ls my-passwd 
type=PATH msg=audit(2018-03-21 04:15:45.356:286) : item=0 name=my-passwd nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(2018-03-21 04:15:45.356:286) : cwd=/tmp 
type=SYSCALL msg=audit(2018-03-21 04:15:45.356:286) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x7ffe24d26de0 a1=0x55de0254b3c0 a2=0x55de0254b3c0 a3=0x24d26d00 items=1 ppid=621 pid=677 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=ttyS0 ses=1 comm=ls exe=/usr/bin/ls subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=PATH msg=audit(2018-03-21 04:15:45.356:286) : item=0 name=/tmp/my-passwd inode=20618 dev=00:29 mode=link,777 ouid=rgb ogid=rgb rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=ANOM_LINK msg=audit(2018-03-21 04:15:45.356:286) : op=follow_link ppid=621 pid=677 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=ttyS0 ses=1 comm=ls exe=/usr/bin/ls subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=no 
----
type=PROCTITLE msg=audit(2018-03-21 04:15:56.688:287) : proctitle=ln /tmp/test /tmp/test-ln 
type=PATH msg=audit(2018-03-21 04:15:56.688:287) : item=1 name=/tmp/ inode=15168 dev=00:29 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=PATH msg=audit(2018-03-21 04:15:56.688:287) : item=0 name=/tmp/test inode=20018 dev=00:29 mode=file,700 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(2018-03-21 04:15:56.688:287) : cwd=/home/rgb 
type=SYSCALL msg=audit(2018-03-21 04:15:56.688:287) : arch=x86_64 syscall=linkat success=no exit=EPERM(Operation not permitted) a0=0xffffff9c a1=0x7fff7f3ac62e a2=0xffffff9c a3=0x7fff7f3ac638 items=2 ppid=650 pid=680 auid=rgb uid=rgb gid=rgb euid=rgb suid=rgb fsuid=rgb egid=rgb sgid=rgb fsgid=rgb tty=pts0 ses=3 comm=ln exe=/usr/bin/ln subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=PATH msg=audit(2018-03-21 04:15:56.688:287) : item=0 name=/tmp/test inode=20018 dev=00:29 mode=file,700 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=ANOM_LINK msg=audit(2018-03-21 04:15:56.688:287) : op=linkat ppid=650 pid=680 auid=rgb uid=rgb gid=rgb euid=rgb suid=rgb fsuid=rgb egid=rgb sgid=rgb fsgid=rgb tty=pts0 ses=3 comm=ln exe=/usr/bin/ln subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=no 
----
type=PROCTITLE msg=audit(2018-03-21 04:15:56.691:288) : proctitle=ln test test-ln 
type=PATH msg=audit(2018-03-21 04:15:56.691:288) : item=1 name=/tmp inode=15168 dev=00:29 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=PATH msg=audit(2018-03-21 04:15:56.691:288) : item=0 name=test inode=20018 dev=00:29 mode=file,700 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=no ne cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(2018-03-21 04:15:56.691:288) : cwd=/tmp 
type=SYSCALL msg=audit(2018-03-21 04:15:56.691:288) : arch=x86_64 syscall=linkat success=no exit=EPERM(Operation not permitted) a0=0xffffff9c a1=0x7ffd01e3e62c a2=0xffffff9c a3=0x7ffd01e3e631 items=2 ppid=650 pid=681 auid=rgb uid=rgb gid=rgb euid=rgb suid=rgb fsuid=rgb egid=rgb sgid=rgb fsgid=rgb tty=pts0 ses=3 comm=ln exe=/usr/bin/ln subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=PATH msg=audit(2018-03-21 04:15:56.691:288) : item=0 name=/tmp/test inode=20018 dev=00:29 mode=file,700 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=ANOM_LINK msg=audit(2018-03-21 04:15:56.691:288) : op=linkat ppid=650 pid=681 auid=rgb uid=rgb gid=rgb euid=rgb suid=rgb fsuid=rgb egid=rgb sgid=rgb fsgid=rgb tty=pts0 ses=3 comm=ln exe=/usr/bin/ln subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=no 
----

Here are the resulting events for symlink and hardlink for each of CWD!=PARENT
and CWD=PARENT based on audit/next 11dd266:
----
type=PROCTITLE msg=audit(2018-03-21 04:29:41.556:315) : proctitle=ls --color=auto /tmp/my-passwd 
type=PATH msg=audit(2018-03-21 04:29:41.556:315) : item=0 name=/tmp/my-passwd inode=19641 dev=00:26 mode=link,777 ouid=rgb ogid=rgb rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(2018-03-21 04:29:41.556:315) : cwd=/root 
type=SYSCALL msg=audit(2018-03-21 04:29:41.556:315) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x7ffd4585565a a1=0x5649fb468fd0 a2=0x5649fb468fd0 a3=0x45855600 items=1 ppid=694 pid=714 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=6 comm=ls exe=/usr/bin/ls subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=ANOM_LINK msg=audit(2018-03-21 04:29:41.556:315) : op=follow_link ppid=694 pid=714 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=6 comm=ls exe=/usr/bin/ls subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=no 
----
type=PROCTITLE msg=audit(2018-03-21 04:29:41.562:316) : proctitle=ls --color=auto my-passwd 
type=PATH msg=audit(2018-03-21 04:29:41.562:316) : item=0 name=my-passwd inode=19641 dev=00:26 mode=link,777 ouid=rgb ogid=rgb rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(2018-03-21 04:29:41.562:316) : cwd=/tmp 
type=SYSCALL msg=audit(2018-03-21 04:29:41.562:316) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x7fff7fe3c653 a1=0x55d9f875dfd0 a2=0x55d9f875dfd0 a3=0x7fe3c600 items=1 ppid=694 pid=715 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=6 comm=ls exe=/usr/bin/ls subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=ANOM_LINK msg=audit(2018-03-21 04:29:41.562:316) : op=follow_link ppid=694 pid=715 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=6 comm=ls exe=/usr/bin/ls subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=no 
----
type=PROCTITLE msg=audit(2018-03-21 04:29:54.709:317) : proctitle=ln /tmp/test /tmp/test-ln 
type=PATH msg=audit(2018-03-21 04:29:54.709:317) : item=1 name=/tmp/ inode=13038 dev=00:26 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=PATH msg=audit(2018-03-21 04:29:54.709:317) : item=0 name=/tmp/test inode=18720 dev=00:26 mode=file,700 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(2018-03-21 04:29:54.709:317) : cwd=/home/rgb 
type=SYSCALL msg=audit(2018-03-21 04:29:54.709:317) : arch=x86_64 syscall=linkat success=no exit=EPERM(Operation not permitted) a0=0xffffff9c a1=0x7ffc468b2dbb a2=0xffffff9c a3=0x7ffc468b2dc5 items=2 ppid=661 pid=718 auid=rgb uid=rgb gid=rgb euid=rgb suid=rgb fsuid=rgb egid=rgb sgid=rgb fsgid=rgb tty=ttyS0 ses=5 comm=ln exe=/usr/bin/ln subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=ANOM_LINK msg=audit(2018-03-21 04:29:54.709:317) : op=linkat ppid=661 pid=718 auid=rgb uid=rgb gid=rgb euid=rgb suid=rgb fsuid=rgb egid=rgb sgid=rgb fsgid=rgb tty=ttyS0 ses=5 comm=ln exe=/usr/bin/ln subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=no 
----
type=PROCTITLE msg=audit(2018-03-21 04:29:54.714:318) : proctitle=ln test test-ln 
type=PATH msg=audit(2018-03-21 04:29:54.714:318) : item=1 name=/tmp inode=13038 dev=00:26 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=PATH msg=audit(2018-03-21 04:29:54.714:318) : item=0 name=test inode=18720 dev=00:26 mode=file,700 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(2018-03-21 04:29:54.714:318) : cwd=/tmp 
type=SYSCALL msg=audit(2018-03-21 04:29:54.714:318) : arch=x86_64 syscall=linkat success=no exit=EPERM(Operation not permitted) a0=0xffffff9c a1=0x7ffc06b99db9 a2=0xffffff9c a3=0x7ffc06b99dbe items=2 ppid=661 pid=719 auid=rgb uid=rgb gid=rgb euid=rgb suid=rgb fsuid=rgb egid=rgb sgid=rgb fsgid=rgb tty=ttyS0 ses=5 comm=ln exe=/usr/bin/ln subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=ANOM_LINK msg=audit(2018-03-21 04:29:54.714:318) : op=linkat ppid=661 pid=719 auid=rgb uid=rgb gid=rgb euid=rgb suid=rgb fsuid=rgb egid=rgb sgid=rgb fsgid=rgb tty=ttyS0 ses=5 comm=ln exe=/usr/bin/ln subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=no 
----

See: https://github.com/linux-audit/audit-kernel/issues/21
See also: https://github.com/linux-audit/audit-kernel/issues/51

Changelog:
v4:
- fix call from may_follow_link() to audit_log_link_denied() param count
v3:
- rebase on previously accepted 1/4 and 2/4 patches and drop them
- drop parent record audit_log_symlink_denied()
v2:
- remove now supperfluous struct path * parameter from audit_log_link_denied()
- refactor audit_log_symlink_denied() to properly free memory (pathname, filename)

Richard Guy Briggs (2):
  audit: remove path param from link denied function
  audit: add refused symlink to audit_names

 fs/namei.c            | 5 +++--
 include/linux/audit.h | 6 ++----
 kernel/audit.c        | 3 +--
 3 files changed, 6 insertions(+), 8 deletions(-)

-- 
1.8.3.1

[PATCH ghak21 V4 0/2] audit: address ANOM_LINK excess records

[Richard Guy Briggs]

This V4 is a supplement to patches 1 and 2 of v1 already merged.

Audit link denied events were being unexpectedly produced in a disjoint
way when audit was disabled, and when they were expected, there were
duplicate PATH records.  This patchset addresses both issues for
symlinks and hardlinks.

This was introduced with
	commit b24a30a7305418ff138ff51776fc555ec57c011a
	("audit: fix event coverage of AUDIT_ANOM_LINK")
	commit a51d9eaa41866ab6b4b6ecad7b621f8b66ece0dc
	("fs: add link restriction audit reporting")

Here are the original events for symlink and hardlink for each of
CWD!=PARENT and CWD=PARENT on 4.15.7-300.fc27.x86_64:
----
type=PROCTITLE msg=audit(2018-03-21 04:15:45.353:285) : proctitle=ls /tmp/my-passwd 
type=PATH msg=audit(2018-03-21 04:15:45.353:285) : item=0 name=/tmp/my-passwd nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(2018-03-21 04:15:45.353:285) : cwd=/root 
type=SYSCALL msg=audit(2018-03-21 04:15:45.353:285) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x7ffddb7c4de7 a1=0x557b4bb5f3c0 a2=0x557b4bb5f3c0 a3=0xdb7c4d00 items=1 ppid=621 pid=676 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=ttyS0 ses=1 comm=ls exe=/usr/bin/ls subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=PATH msg=audit(2018-03-21 04:15:45.353:285) : item=0 name=/tmp/my-passwd inode=20618 dev=00:29 mode=link,777 ouid=rgb ogid=rgb rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=ANOM_LINK msg=audit(2018-03-21 04:15:45.353:285) : op=follow_link ppid=621 pid=676 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=ttyS0 ses=1 comm=ls exe=/usr/bin/ls subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=no 
----
type=PROCTITLE msg=audit(2018-03-21 04:15:45.356:286) : proctitle=ls my-passwd 
type=PATH msg=audit(2018-03-21 04:15:45.356:286) : item=0 name=my-passwd nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(2018-03-21 04:15:45.356:286) : cwd=/tmp 
type=SYSCALL msg=audit(2018-03-21 04:15:45.356:286) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x7ffe24d26de0 a1=0x55de0254b3c0 a2=0x55de0254b3c0 a3=0x24d26d00 items=1 ppid=621 pid=677 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=ttyS0 ses=1 comm=ls exe=/usr/bin/ls subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=PATH msg=audit(2018-03-21 04:15:45.356:286) : item=0 name=/tmp/my-passwd inode=20618 dev=00:29 mode=link,777 ouid=rgb ogid=rgb rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=ANOM_LINK msg=audit(2018-03-21 04:15:45.356:286) : op=follow_link ppid=621 pid=677 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=ttyS0 ses=1 comm=ls exe=/usr/bin/ls subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=no 
----
type=PROCTITLE msg=audit(2018-03-21 04:15:56.688:287) : proctitle=ln /tmp/test /tmp/test-ln 
type=PATH msg=audit(2018-03-21 04:15:56.688:287) : item=1 name=/tmp/ inode=15168 dev=00:29 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=PATH msg=audit(2018-03-21 04:15:56.688:287) : item=0 name=/tmp/test inode=20018 dev=00:29 mode=file,700 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(2018-03-21 04:15:56.688:287) : cwd=/home/rgb 
type=SYSCALL msg=audit(2018-03-21 04:15:56.688:287) : arch=x86_64 syscall=linkat success=no exit=EPERM(Operation not permitted) a0=0xffffff9c a1=0x7fff7f3ac62e a2=0xffffff9c a3=0x7fff7f3ac638 items=2 ppid=650 pid=680 auid=rgb uid=rgb gid=rgb euid=rgb suid=rgb fsuid=rgb egid=rgb sgid=rgb fsgid=rgb tty=pts0 ses=3 comm=ln exe=/usr/bin/ln subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=PATH msg=audit(2018-03-21 04:15:56.688:287) : item=0 name=/tmp/test inode=20018 dev=00:29 mode=file,700 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=ANOM_LINK msg=audit(2018-03-21 04:15:56.688:287) : op=linkat ppid=650 pid=680 auid=rgb uid=rgb gid=rgb euid=rgb suid=rgb fsuid=rgb egid=rgb sgid=rgb fsgid=rgb tty=pts0 ses=3 comm=ln exe=/usr/bin/ln subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=no 
----
type=PROCTITLE msg=audit(2018-03-21 04:15:56.691:288) : proctitle=ln test test-ln 
type=PATH msg=audit(2018-03-21 04:15:56.691:288) : item=1 name=/tmp inode=15168 dev=00:29 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=PATH msg=audit(2018-03-21 04:15:56.691:288) : item=0 name=test inode=20018 dev=00:29 mode=file,700 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=no ne cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(2018-03-21 04:15:56.691:288) : cwd=/tmp 
type=SYSCALL msg=audit(2018-03-21 04:15:56.691:288) : arch=x86_64 syscall=linkat success=no exit=EPERM(Operation not permitted) a0=0xffffff9c a1=0x7ffd01e3e62c a2=0xffffff9c a3=0x7ffd01e3e631 items=2 ppid=650 pid=681 auid=rgb uid=rgb gid=rgb euid=rgb suid=rgb fsuid=rgb egid=rgb sgid=rgb fsgid=rgb tty=pts0 ses=3 comm=ln exe=/usr/bin/ln subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=PATH msg=audit(2018-03-21 04:15:56.691:288) : item=0 name=/tmp/test inode=20018 dev=00:29 mode=file,700 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=ANOM_LINK msg=audit(2018-03-21 04:15:56.691:288) : op=linkat ppid=650 pid=681 auid=rgb uid=rgb gid=rgb euid=rgb suid=rgb fsuid=rgb egid=rgb sgid=rgb fsgid=rgb tty=pts0 ses=3 comm=ln exe=/usr/bin/ln subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=no 
----

Here are the resulting events for symlink and hardlink for each of CWD!=PARENT
and CWD=PARENT based on audit/next 11dd266:
----
type=PROCTITLE msg=audit(2018-03-21 04:29:41.556:315) : proctitle=ls --color=auto /tmp/my-passwd 
type=PATH msg=audit(2018-03-21 04:29:41.556:315) : item=0 name=/tmp/my-passwd inode=19641 dev=00:26 mode=link,777 ouid=rgb ogid=rgb rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(2018-03-21 04:29:41.556:315) : cwd=/root 
type=SYSCALL msg=audit(2018-03-21 04:29:41.556:315) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x7ffd4585565a a1=0x5649fb468fd0 a2=0x5649fb468fd0 a3=0x45855600 items=1 ppid=694 pid=714 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=6 comm=ls exe=/usr/bin/ls subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=ANOM_LINK msg=audit(2018-03-21 04:29:41.556:315) : op=follow_link ppid=694 pid=714 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=6 comm=ls exe=/usr/bin/ls subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=no 
----
type=PROCTITLE msg=audit(2018-03-21 04:29:41.562:316) : proctitle=ls --color=auto my-passwd 
type=PATH msg=audit(2018-03-21 04:29:41.562:316) : item=0 name=my-passwd inode=19641 dev=00:26 mode=link,777 ouid=rgb ogid=rgb rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(2018-03-21 04:29:41.562:316) : cwd=/tmp 
type=SYSCALL msg=audit(2018-03-21 04:29:41.562:316) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x7fff7fe3c653 a1=0x55d9f875dfd0 a2=0x55d9f875dfd0 a3=0x7fe3c600 items=1 ppid=694 pid=715 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=6 comm=ls exe=/usr/bin/ls subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=ANOM_LINK msg=audit(2018-03-21 04:29:41.562:316) : op=follow_link ppid=694 pid=715 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=6 comm=ls exe=/usr/bin/ls subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=no 
----
type=PROCTITLE msg=audit(2018-03-21 04:29:54.709:317) : proctitle=ln /tmp/test /tmp/test-ln 
type=PATH msg=audit(2018-03-21 04:29:54.709:317) : item=1 name=/tmp/ inode=13038 dev=00:26 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=PATH msg=audit(2018-03-21 04:29:54.709:317) : item=0 name=/tmp/test inode=18720 dev=00:26 mode=file,700 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(2018-03-21 04:29:54.709:317) : cwd=/home/rgb 
type=SYSCALL msg=audit(2018-03-21 04:29:54.709:317) : arch=x86_64 syscall=linkat success=no exit=EPERM(Operation not permitted) a0=0xffffff9c a1=0x7ffc468b2dbb a2=0xffffff9c a3=0x7ffc468b2dc5 items=2 ppid=661 pid=718 auid=rgb uid=rgb gid=rgb euid=rgb suid=rgb fsuid=rgb egid=rgb sgid=rgb fsgid=rgb tty=ttyS0 ses=5 comm=ln exe=/usr/bin/ln subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=ANOM_LINK msg=audit(2018-03-21 04:29:54.709:317) : op=linkat ppid=661 pid=718 auid=rgb uid=rgb gid=rgb euid=rgb suid=rgb fsuid=rgb egid=rgb sgid=rgb fsgid=rgb tty=ttyS0 ses=5 comm=ln exe=/usr/bin/ln subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=no 
----
type=PROCTITLE msg=audit(2018-03-21 04:29:54.714:318) : proctitle=ln test test-ln 
type=PATH msg=audit(2018-03-21 04:29:54.714:318) : item=1 name=/tmp inode=13038 dev=00:26 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=PATH msg=audit(2018-03-21 04:29:54.714:318) : item=0 name=test inode=18720 dev=00:26 mode=file,700 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(2018-03-21 04:29:54.714:318) : cwd=/tmp 
type=SYSCALL msg=audit(2018-03-21 04:29:54.714:318) : arch=x86_64 syscall=linkat success=no exit=EPERM(Operation not permitted) a0=0xffffff9c a1=0x7ffc06b99db9 a2=0xffffff9c a3=0x7ffc06b99dbe items=2 ppid=661 pid=719 auid=rgb uid=rgb gid=rgb euid=rgb suid=rgb fsuid=rgb egid=rgb sgid=rgb fsgid=rgb tty=ttyS0 ses=5 comm=ln exe=/usr/bin/ln subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=ANOM_LINK msg=audit(2018-03-21 04:29:54.714:318) : op=linkat ppid=661 pid=719 auid=rgb uid=rgb gid=rgb euid=rgb suid=rgb fsuid=rgb egid=rgb sgid=rgb fsgid=rgb tty=ttyS0 ses=5 comm=ln exe=/usr/bin/ln subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=no 
----

See: https://github.com/linux-audit/audit-kernel/issues/21
See also: https://github.com/linux-audit/audit-kernel/issues/51

Changelog:
v4:
- fix call from may_follow_link() to audit_log_link_denied() param count
v3:
- rebase on previously accepted 1/4 and 2/4 patches and drop them
- drop parent record audit_log_symlink_denied()
v2:
- remove now supperfluous struct path * parameter from audit_log_link_denied()
- refactor audit_log_symlink_denied() to properly free memory (pathname, filename)

Richard Guy Briggs (2):
  audit: remove path param from link denied function
  audit: add refused symlink to audit_names

 fs/namei.c            | 5 +++--
 include/linux/audit.h | 6 ++----
 kernel/audit.c        | 3 +--
 3 files changed, 6 insertions(+), 8 deletions(-)

-- 
1.8.3.1

[PATCH ghak21 V4 1/2] audit: remove path param from link denied function

[Richard Guy Briggs]

In commit 45b578fe4c3cade6f4ca1fc934ce199afd857edc
("audit: link denied should not directly generate PATH record")
the need for the struct path *link parameter was removed.
Remove the now useless struct path argument.

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 fs/namei.c            | 4 ++--
 include/linux/audit.h | 6 ++----
 kernel/audit.c        | 3 +--
 3 files changed, 5 insertions(+), 8 deletions(-)

diff --git a/fs/namei.c b/fs/namei.c
index 9cc91fb..e3682bb 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -945,7 +945,7 @@ static inline int may_follow_link(struct nameidata *nd)
 	if (nd->flags & LOOKUP_RCU)
 		return -ECHILD;
 
-	audit_log_link_denied("follow_link", &nd->stack[0].link);
+	audit_log_link_denied("follow_link");
 	return -EACCES;
 }
 
@@ -1011,7 +1011,7 @@ static int may_linkat(struct path *link)
 	if (safe_hardlink_source(inode) || inode_owner_or_capable(inode))
 		return 0;
 
-	audit_log_link_denied("linkat", link);
+	audit_log_link_denied("linkat");
 	return -EPERM;
 }
 
diff --git a/include/linux/audit.h b/include/linux/audit.h
index af410d9..75d5b03 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -146,8 +146,7 @@ extern void		    audit_log_d_path(struct audit_buffer *ab,
 					     const struct path *path);
 extern void		    audit_log_key(struct audit_buffer *ab,
 					  char *key);
-extern void		    audit_log_link_denied(const char *operation,
-						  const struct path *link);
+extern void		    audit_log_link_denied(const char *operation);
 extern void		    audit_log_lost(const char *message);
 
 extern int audit_log_task_context(struct audit_buffer *ab);
@@ -194,8 +193,7 @@ static inline void audit_log_d_path(struct audit_buffer *ab,
 { }
 static inline void audit_log_key(struct audit_buffer *ab, char *key)
 { }
-static inline void audit_log_link_denied(const char *string,
-					 const struct path *link)
+static inline void audit_log_link_denied(const char *string)
 { }
 static inline int audit_log_task_context(struct audit_buffer *ab)
 {
diff --git a/kernel/audit.c b/kernel/audit.c
index 3f2f143..e8bf8d7 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -2308,9 +2308,8 @@ void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
 /**
  * audit_log_link_denied - report a link restriction denial
  * @operation: specific link operation
- * @link: the path that triggered the restriction
  */
-void audit_log_link_denied(const char *operation, const struct path *link)
+void audit_log_link_denied(const char *operation)
 {
 	struct audit_buffer *ab;
 
-- 
1.8.3.1

[PATCH ghak21 V4 1/2] audit: remove path param from link denied function

[Richard Guy Briggs]

In commit 45b578fe4c3cade6f4ca1fc934ce199afd857edc
("audit: link denied should not directly generate PATH record")
the need for the struct path *link parameter was removed.
Remove the now useless struct path argument.

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 fs/namei.c            | 4 ++--
 include/linux/audit.h | 6 ++----
 kernel/audit.c        | 3 +--
 3 files changed, 5 insertions(+), 8 deletions(-)

diff --git a/fs/namei.c b/fs/namei.c
index 9cc91fb..e3682bb 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -945,7 +945,7 @@ static inline int may_follow_link(struct nameidata *nd)
 	if (nd->flags & LOOKUP_RCU)
 		return -ECHILD;
 
-	audit_log_link_denied("follow_link", &nd->stack[0].link);
+	audit_log_link_denied("follow_link");
 	return -EACCES;
 }
 
@@ -1011,7 +1011,7 @@ static int may_linkat(struct path *link)
 	if (safe_hardlink_source(inode) || inode_owner_or_capable(inode))
 		return 0;
 
-	audit_log_link_denied("linkat", link);
+	audit_log_link_denied("linkat");
 	return -EPERM;
 }
 
diff --git a/include/linux/audit.h b/include/linux/audit.h
index af410d9..75d5b03 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -146,8 +146,7 @@ extern void		    audit_log_d_path(struct audit_buffer *ab,
 					     const struct path *path);
 extern void		    audit_log_key(struct audit_buffer *ab,
 					  char *key);
-extern void		    audit_log_link_denied(const char *operation,
-						  const struct path *link);
+extern void		    audit_log_link_denied(const char *operation);
 extern void		    audit_log_lost(const char *message);
 
 extern int audit_log_task_context(struct audit_buffer *ab);
@@ -194,8 +193,7 @@ static inline void audit_log_d_path(struct audit_buffer *ab,
 { }
 static inline void audit_log_key(struct audit_buffer *ab, char *key)
 { }
-static inline void audit_log_link_denied(const char *string,
-					 const struct path *link)
+static inline void audit_log_link_denied(const char *string)
 { }
 static inline int audit_log_task_context(struct audit_buffer *ab)
 {
diff --git a/kernel/audit.c b/kernel/audit.c
index 3f2f143..e8bf8d7 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -2308,9 +2308,8 @@ void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
 /**
  * audit_log_link_denied - report a link restriction denial
  * @operation: specific link operation
- * @link: the path that triggered the restriction
  */
-void audit_log_link_denied(const char *operation, const struct path *link)
+void audit_log_link_denied(const char *operation)
 {
 	struct audit_buffer *ab;
 
-- 
1.8.3.1

[PATCH ghak21 V4 2/2] audit: add refused symlink to audit_names

[Richard Guy Briggs]

Audit link denied events for symlinks had duplicate PATH records rather
than just updating the existing PATH record.  Update the symlink's PATH
record with the current dentry and inode information.

See: https://github.com/linux-audit/audit-kernel/issues/21
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 fs/namei.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/fs/namei.c b/fs/namei.c
index e3682bb..5f8e8e2 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -945,6 +945,7 @@ static inline int may_follow_link(struct nameidata *nd)
 	if (nd->flags & LOOKUP_RCU)
 		return -ECHILD;
 
+	audit_inode(nd->name, nd->stack[0].link.dentry, 0);
 	audit_log_link_denied("follow_link");
 	return -EACCES;
 }
-- 
1.8.3.1

[PATCH ghak21 V4 2/2] audit: add refused symlink to audit_names

[Richard Guy Briggs]

Audit link denied events for symlinks had duplicate PATH records rather
than just updating the existing PATH record.  Update the symlink's PATH
record with the current dentry and inode information.

See: https://github.com/linux-audit/audit-kernel/issues/21
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 fs/namei.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/fs/namei.c b/fs/namei.c
index e3682bb..5f8e8e2 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -945,6 +945,7 @@ static inline int may_follow_link(struct nameidata *nd)
 	if (nd->flags & LOOKUP_RCU)
 		return -ECHILD;
 
+	audit_inode(nd->name, nd->stack[0].link.dentry, 0);
 	audit_log_link_denied("follow_link");
 	return -EACCES;
 }
-- 
1.8.3.1

Re: [PATCH ghak21 V4 1/2] audit: remove path param from link denied function

[Paul Moore]

On Wed, Mar 21, 2018 at 4:42 AM, Richard Guy Briggs <rgb@redhat.com> wrote:
> In commit 45b578fe4c3cade6f4ca1fc934ce199afd857edc
> ("audit: link denied should not directly generate PATH record")
> the need for the struct path *link parameter was removed.
> Remove the now useless struct path argument.
>
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> ---
>  fs/namei.c            | 4 ++--
>  include/linux/audit.h | 6 ++----
>  kernel/audit.c        | 3 +--
>  3 files changed, 5 insertions(+), 8 deletions(-)

Fourth times the charm ... merged.

> diff --git a/fs/namei.c b/fs/namei.c
> index 9cc91fb..e3682bb 100644
> --- a/fs/namei.c
> +++ b/fs/namei.c
> @@ -945,7 +945,7 @@ static inline int may_follow_link(struct nameidata *nd)
>         if (nd->flags & LOOKUP_RCU)
>                 return -ECHILD;
>
> -       audit_log_link_denied("follow_link", &nd->stack[0].link);
> +       audit_log_link_denied("follow_link");
>         return -EACCES;
>  }
>
> @@ -1011,7 +1011,7 @@ static int may_linkat(struct path *link)
>         if (safe_hardlink_source(inode) || inode_owner_or_capable(inode))
>                 return 0;
>
> -       audit_log_link_denied("linkat", link);
> +       audit_log_link_denied("linkat");
>         return -EPERM;
>  }
>
> diff --git a/include/linux/audit.h b/include/linux/audit.h
> index af410d9..75d5b03 100644
> --- a/include/linux/audit.h
> +++ b/include/linux/audit.h
> @@ -146,8 +146,7 @@ extern void             audit_log_d_path(struct audit_buffer *ab,
>                                              const struct path *path);
>  extern void                audit_log_key(struct audit_buffer *ab,
>                                           char *key);
> -extern void                audit_log_link_denied(const char *operation,
> -                                                 const struct path *link);
> +extern void                audit_log_link_denied(const char *operation);
>  extern void                audit_log_lost(const char *message);
>
>  extern int audit_log_task_context(struct audit_buffer *ab);
> @@ -194,8 +193,7 @@ static inline void audit_log_d_path(struct audit_buffer *ab,
>  { }
>  static inline void audit_log_key(struct audit_buffer *ab, char *key)
>  { }
> -static inline void audit_log_link_denied(const char *string,
> -                                        const struct path *link)
> +static inline void audit_log_link_denied(const char *string)
>  { }
>  static inline int audit_log_task_context(struct audit_buffer *ab)
>  {
> diff --git a/kernel/audit.c b/kernel/audit.c
> index 3f2f143..e8bf8d7 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -2308,9 +2308,8 @@ void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
>  /**
>   * audit_log_link_denied - report a link restriction denial
>   * @operation: specific link operation
> - * @link: the path that triggered the restriction
>   */
> -void audit_log_link_denied(const char *operation, const struct path *link)
> +void audit_log_link_denied(const char *operation)
>  {
>         struct audit_buffer *ab;
>
> --
> 1.8.3.1
>



-- 
paul moore
www.paul-moore.com

Re: [PATCH ghak21 V4 2/2] audit: add refused symlink to audit_names

[Paul Moore]

On Wed, Mar 21, 2018 at 4:42 AM, Richard Guy Briggs <rgb@redhat.com> wrote:
> Audit link denied events for symlinks had duplicate PATH records rather
> than just updating the existing PATH record.  Update the symlink's PATH
> record with the current dentry and inode information.
>
> See: https://github.com/linux-audit/audit-kernel/issues/21
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> ---
>  fs/namei.c | 1 +
>  1 file changed, 1 insertion(+)

Merged.  Thanks for the audit log examples.

> diff --git a/fs/namei.c b/fs/namei.c
> index e3682bb..5f8e8e2 100644
> --- a/fs/namei.c
> +++ b/fs/namei.c
> @@ -945,6 +945,7 @@ static inline int may_follow_link(struct nameidata *nd)
>         if (nd->flags & LOOKUP_RCU)
>                 return -ECHILD;
>
> +       audit_inode(nd->name, nd->stack[0].link.dentry, 0);
>         audit_log_link_denied("follow_link");
>         return -EACCES;
>  }
> --
> 1.8.3.1

-- 
paul moore
www.paul-moore.com

Re: [PATCH ghak21 V4 1/2] audit: remove path param from link denied function

[Richard Guy Briggs]

On 2018-04-16 10:55, Kees Cook wrote:
> On Wed, Mar 21, 2018 at 1:42 AM, Richard Guy Briggs <rgb@redhat.com> wrote:
> > In commit 45b578fe4c3cade6f4ca1fc934ce199afd857edc
> > ("audit: link denied should not directly generate PATH record")
> > the need for the struct path *link parameter was removed.
> > Remove the now useless struct path argument.
> >
> > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> > ---
> >  fs/namei.c            | 4 ++--
> >  include/linux/audit.h | 6 ++----
> >  kernel/audit.c        | 3 +--
> >  3 files changed, 5 insertions(+), 8 deletions(-)
> >
> > diff --git a/fs/namei.c b/fs/namei.c
> > index 9cc91fb..e3682bb 100644
> > --- a/fs/namei.c
> > +++ b/fs/namei.c
> > @@ -945,7 +945,7 @@ static inline int may_follow_link(struct nameidata *nd)
> >         if (nd->flags & LOOKUP_RCU)
> >                 return -ECHILD;
> >
> > -       audit_log_link_denied("follow_link", &nd->stack[0].link);
> > +       audit_log_link_denied("follow_link");
> >         return -EACCES;
> >  }
> >
> > @@ -1011,7 +1011,7 @@ static int may_linkat(struct path *link)
> >         if (safe_hardlink_source(inode) || inode_owner_or_capable(inode))
> >                 return 0;
> >
> > -       audit_log_link_denied("linkat", link);
> > +       audit_log_link_denied("linkat");
> >         return -EPERM;
> >  }
> 
> This removed the "link" details in both cases, and then commit
> ea841bafda3f ("audit: add refused symlink to audit_names") added back
> one of them:
> 
> > diff --git a/fs/namei.c b/fs/namei.c
> > index e3682bb72cb5..5f8e8e2732e1 100644
> > --- a/fs/namei.c
> > +++ b/fs/namei.c
> > @@ -945,6 +945,7 @@ static inline int may_follow_link(struct nameidata *nd)
> >         if (nd->flags & LOOKUP_RCU)
> >                 return -ECHILD;
> >
> > +       audit_inode(nd->name, nd->stack[0].link.dentry, 0);
> >         audit_log_link_denied("follow_link");
> >         return -EACCES;
> >  }
> 
> Why remove it in the first place, and why add it back open-coded in
> only one place?

In both cases, the extra PATH record didn't make sense with the SYSCALL
record "items=" field and conflicted with another PATH record's "item="
field.

All the necessary details were already available in the hardlink case
via two PATH records associated with the SYSCALL record.

There were two conflicting PATH records in the symlink case, one of them
incomplete, so it made more sense to make the existing one complete.

> -Kees

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

Re: [PATCH ghak21 V4 1/2] audit: remove path param from link denied function

[Kees Cook]

On Wed, Mar 21, 2018 at 1:42 AM, Richard Guy Briggs <rgb@redhat.com> wrote:
> In commit 45b578fe4c3cade6f4ca1fc934ce199afd857edc
> ("audit: link denied should not directly generate PATH record")
> the need for the struct path *link parameter was removed.
> Remove the now useless struct path argument.
>
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> ---
>  fs/namei.c            | 4 ++--
>  include/linux/audit.h | 6 ++----
>  kernel/audit.c        | 3 +--
>  3 files changed, 5 insertions(+), 8 deletions(-)
>
> diff --git a/fs/namei.c b/fs/namei.c
> index 9cc91fb..e3682bb 100644
> --- a/fs/namei.c
> +++ b/fs/namei.c
> @@ -945,7 +945,7 @@ static inline int may_follow_link(struct nameidata *nd)
>         if (nd->flags & LOOKUP_RCU)
>                 return -ECHILD;
>
> -       audit_log_link_denied("follow_link", &nd->stack[0].link);
> +       audit_log_link_denied("follow_link");
>         return -EACCES;
>  }
>
> @@ -1011,7 +1011,7 @@ static int may_linkat(struct path *link)
>         if (safe_hardlink_source(inode) || inode_owner_or_capable(inode))
>                 return 0;
>
> -       audit_log_link_denied("linkat", link);
> +       audit_log_link_denied("linkat");
>         return -EPERM;
>  }

This removed the "link" details in both cases, and then commit
ea841bafda3f ("audit: add refused symlink to audit_names") added back
one of them:

> diff --git a/fs/namei.c b/fs/namei.c
> index e3682bb72cb5..5f8e8e2732e1 100644
> --- a/fs/namei.c
> +++ b/fs/namei.c
> @@ -945,6 +945,7 @@ static inline int may_follow_link(struct nameidata *nd)
>         if (nd->flags & LOOKUP_RCU)
>                 return -ECHILD;
>
> +       audit_inode(nd->name, nd->stack[0].link.dentry, 0);
>         audit_log_link_denied("follow_link");
>         return -EACCES;
>  }

Why remove it in the first place, and why add it back open-coded in
only one place?

-Kees

-- 
Kees Cook
Pixel Security