From: Steve Grubb <sgrubb@redhat.com>
To: Paul Moore <paul@paul-moore.com>
Cc: linux-audit@redhat.com
Subject: Re: open_by_handle_at and CVE-2020-35501
Date: Tue, 02 Mar 2021 10:10:55 -0500
Message-ID: <4648666.31r3eYUQgx@x2>
In-Reply-To: <CAHC9VhSAywkDkTPi=Hii0G2rb=gsji0-W3EC55GwcBns_toXEw@mail.gmail.com>

Hello Paul,

On Thursday, February 25, 2021 5:28:11 PM EST Paul Moore wrote:
> On Thu, Feb 25, 2021 at 5:15 PM Steve Grubb <sgrubb@redhat.com> wrote:
> > Hello,
> >
> > There was an announcement on the oss-security mail list a week ago:
> >
> > https://seclists.org/oss-sec/2021/q1/155
> >
> > regarding auditing of the open_by_handle_at system call ...
>
> The *at() syscalls are a known issue with respect to audit; we have a
> few open GH issues related to the topic, the oldest appears to be the
> one below:
>
> * https://github.com/linux-audit/audit-kernel/issues/9

Yes, that is true. But this is a bit different because at least those *at
functions get triggered by -F perm=xrwa. Should one or both of the syscalls
be added to the filter? And name_to_handle_at() appears to be yet another
kernel system call whose arg4 has something that is security relevant.

So, it looks like there are probably 3 work items: 1) add syscall(s) to the
perm filter, 2) add an auxiliary record to grab the arg4 flags variable, 3) add
to the list of functions that have *at path resolution issues.

-Steve

> > ... In any event, they are asking what upstream audit is going to do
> > about this?
> I recognize it sounds a bit trite here, but "patches are always
> welcome". Basically someone needs to have the time and motivation to
> look into this and put forth some patches that we can discuss and
> iterate over. The problem is that historically audit has attracted
> very few kernel developers outside the occasional development push by
> a distro preparing an OS release for a certification effort. I was
> just lamenting this fact on a private mail thread with some other
> kernel developers a couple of weeks ago ...
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
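
Work item 1 in the message above concerns rule sets that rely on `-F perm=` (or `-w ... -p`), which the thread says does not trigger on the handle syscalls. The following is an added example, not part of the thread or of the audit project's code: a small checker that flags such a rule set when it has no explicit `-S` rule for `open_by_handle_at` or `name_to_handle_at`. The sample rules, the function names, and the use of an explicit `-S` rule as a stopgap are assumptions.

```python
import shlex

# Syscalls the thread wants added to the perm filter (work item 1).
HANDLE_SYSCALLS = {"open_by_handle_at", "name_to_handle_at"}

# Constructed sample rule set in audit.rules syntax (not from the thread).
SAMPLE_RULES = """\
# file watch, relies on the perm filter
-w /etc/shadow -p rwa -k shadow
# the same kind of watch in syscall-rule form
-a always,exit -F arch=b64 -F path=/etc/sudoers -F perm=xrwa -k sudoers
# explicit syscall rule, no perm filter
-a always,exit -F arch=b64 -S open_by_handle_at -k by-handle
"""


def parse_rule(line):
    """Return (uses_perm_filter, syscalls) for one audit.rules line."""
    tokens = shlex.split(line, comments=True)
    uses_perm, syscalls = False, set()
    # Each option is followed by its value, so adjacent pairs are enough.
    for opt, val in zip(tokens, tokens[1:]):
        if opt == "-p" or (opt == "-F" and val.startswith("perm=")):
            uses_perm = True
        elif opt == "-S":
            syscalls.update(val.split(","))
    return uses_perm, syscalls


def missing_handle_rules(rules_text):
    """List HANDLE_SYSCALLS lacking an explicit rule in a perm-based rule set."""
    relies_on_perm, covered = False, set()
    for line in rules_text.splitlines():
        uses_perm, syscalls = parse_rule(line)
        if uses_perm:
            # Assumption: a perm filter on the same rule would still exclude
            # these syscalls, so -S together with perm= does not count.
            relies_on_perm = True
        else:
            covered |= syscalls & HANDLE_SYSCALLS
    return sorted(HANDLE_SYSCALLS - covered) if relies_on_perm else []


if __name__ == "__main__":
    for name in missing_handle_rules(SAMPLE_RULES):
        print(f"no explicit -S rule for {name}")
```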