linux-audit.redhat.com archive mirror
From: Steve Grubb <sgrubb@redhat.com>
To: Paul Moore <paul@paul-moore.com>
Cc: linux-audit@redhat.com
Subject: Re: open_by_handle_at and CVE-2020-35501
Date: Tue, 02 Mar 2021 10:10:55 -0500
Message-ID: <4648666.31r3eYUQgx@x2>
In-Reply-To: <CAHC9VhSAywkDkTPi=Hii0G2rb=gsji0-W3EC55GwcBns_toXEw@mail.gmail.com>

Hello Paul,

On Thursday, February 25, 2021 5:28:11 PM EST Paul Moore wrote:
> On Thu, Feb 25, 2021 at 5:15 PM Steve Grubb <sgrubb@redhat.com> wrote:
> > Hello,
> > 
> > There was an announcement on the oss-security mail list a week ago:
> > 
> > https://seclists.org/oss-sec/2021/q1/155
> > 
> > regarding auditing of the open_by_handle_at system call ...
> 
> The *at() syscalls are a known issue with respect to audit; we have a
> few open GH issues related to the topic, the oldest appears to be the
> one below:
>
> * https://github.com/linux-audit/audit-kernel/issues/9
 
Yes, that is true. But this is a bit different because at least those *at 
functions get triggered by -F perm=xrwa. Should one or both of the syscalls 
be added to the filter? And name_to_handle_at() appears to be yet another 
kernel system call whose arg4 has something that is security relevant.

So, it looks like there are probably 3 work items: 1) add syscall(s) to the 
perm filter, 2) add an auxiliary record to grab the arg4 flags variable, 3) add 
to the list of functions that have *at path resolution issues.

-Steve


> > ... In any event, they are asking what upstream audit is going to do
> > about this?
> I recognize it sounds a bit trite here, but "patches are always
> welcome".  Basically someone needs to have the time and motivation to
> look into this and put forth some patches that we can discuss and
> iterate over.  The problem is that historically audit has attracted
> very few kernel developers outside the occasional development push by
> a distro preparing an OS release for a certification effort.  I was
> just lamenting this fact on a private mail thread with some other
> kernel developers a couple of weeks ago ...




--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
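
Added example, not part of the original message and not code from the audit project: a small Python check over an audit rules file, following the point in the message that `-F perm=` rules are triggered by the other *at functions but not by these two syscalls. It lists the perm-filtered rules and reports which of `open_by_handle_at` and `name_to_handle_at` have no explicit `-S` rule; the sample rules and the function names `parse_rule` and `check_rules` are constructed for illustration.

```python
import shlex

HANDLE_SYSCALLS = {"open_by_handle_at", "name_to_handle_at"}

# Constructed sample rules for illustration (not taken from the thread).
SAMPLE_RULES = """\
# file watch; -p is the watch form of a perm filter
-w /etc/shadow -p rwa -k shadow
-a always,exit -F arch=b64 -F path=/etc/sudoers -F perm=wa -k sudoers
-a always,exit -F arch=b64 -S openat,open_by_handle_at -k by-handle
"""


def parse_rule(line):
    """Return (uses_perm_filter, syscalls named with -S) for one rule line."""
    toks = shlex.split(line, comments=True)
    uses_perm, syscalls = False, set()
    for tok, arg in zip(toks, toks[1:] + [""]):
        if tok == "-p" or (tok == "-F" and arg.startswith("perm=")):
            uses_perm = True
        elif tok == "-S":
            syscalls.update(name for name in arg.split(",") if name)
    return uses_perm, syscalls


def check_rules(text):
    """Report perm-filtered rules and handle syscalls lacking an explicit rule."""
    perm_rules, explicit = [], set()
    for line in text.splitlines():
        uses_perm, syscalls = parse_rule(line)
        if uses_perm:
            # Assumption drawn from the thread: the perm filter is not
            # triggered by these syscalls, so -S on such a rule is not counted.
            perm_rules.append(line.strip())
        else:
            explicit |= syscalls & HANDLE_SYSCALLS
    missing = sorted(HANDLE_SYSCALLS - explicit) if perm_rules else []
    return {"perm_rules": perm_rules, "missing": missing}


if __name__ == "__main__":
    report = check_rules(SAMPLE_RULES)
    for rule in report["perm_rules"]:
        print("perm-filtered:", rule)
    for name in report["missing"]:
        print("no explicit -S rule for", name)
```

An explicit `-S` rule only records that the call was made; the auxiliary record for the arg4 flags and the *at path resolution issue listed as work items 2 and 3 in the message are outside what this check looks at.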


Thread overview: 3+ messages
2021-02-25 22:14 open_by_handle_at and CVE-2020-35501 Steve Grubb
2021-02-25 22:28 ` Paul Moore
2021-03-02 15:10   ` Steve Grubb [this message]
