* result logged in integrity audit message
From: Lakshmi Ramasubramanian @ 2020-06-06 3:13 UTC
To: Mimi Zohar; +Cc: linux-integrity, linux-audit

Hi Mimi,

In integrity audit message function the inverse of "result" is being
logged for "res=". Please see below. Is this intentional?

void integrity_audit_msg(int audit_msgno, struct inode *inode,
			 const unsigned char *fname, const char *op,
			 const char *cause, int result, int audit_info)
{
	...
	audit_log_format(ab, " res=%d", !result);
}

The callers of this function are passing an error code (-ENOMEM,
-EINVAL, etc.) in the "result" parameter. But that error code is lost -
instead "res" is set to 0.

For example,

audit: type=1804 audit(1591411737.631:3): pid=1 uid=0 auid=4294967295
ses=4294967295 subj=kernel op=ima_alloc_key_entry cause=ENOMEM
comm="swapper/0" name=".builtin_trusted_keys" res=0

thanks,
-lakshmi

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
* Re: result logged in integrity audit message
From: Mimi Zohar @ 2020-06-07 1:51 UTC
To: Lakshmi Ramasubramanian; +Cc: linux-integrity, linux-audit

Hi Lakshmi,

On Fri, 2020-06-05 at 20:13 -0700, Lakshmi Ramasubramanian wrote:
> Hi Mimi,
>
> In integrity audit message function the inverse of "result" is being
> logged for "res=". Please see below. Is this intentional?
>
> void integrity_audit_msg(int audit_msgno, struct inode *inode,
> const unsigned char *fname, const char *op,
> const char *cause, int result, int audit_info)
> {
>
> ...
> audit_log_format(ab, " res=%d", !result);
> }
>
> The callers of this function are passing an error code (-ENOMEM,
> -EINVAL, etc.) in the "result" parameter. But that error code is lost -
> instead "res" is set to 0.
>
> For example,
>
> audit: type=1804 audit(1591411737.631:3): pid=1 uid=0 auid=4294967295
> ses=4294967295 subj=kernel op=ima_alloc_key_entry cause=ENOMEM
> comm="swapper/0" name=".builtin_trusted_keys" res=0

The commit message provides an explanation. Look at b0d5de4d5880 ("IMA: fix
audit res field to indicate 1 for success and 0 for failure").

Mimi
* Re: result logged in integrity audit message
From: Lakshmi Ramasubramanian @ 2020-06-07 5:36 UTC
To: Mimi Zohar; +Cc: linux-integrity, linux-audit
On 6/6/20 6:51 PM, Mimi Zohar wrote:
> Hi Lakshmi,
>
> The commit message provides an explanation. Look at b0d5de4d5880 ("IMA: fix
> audit res field to indicate 1 for success and 0 for failure").

Thanks for the info Mimi.

If this function logs the "result" parameter as passed by the caller,
the audit message could be very helpful when triaging failures.

But I guess changing this now would cause regression in components that
expect only 0 or 1 in the "res" field in an audit message.

thanks,
-lakshmi
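
Added example, not part of the thread and not kernel or audit project code: a small Python parser showing how a log consumer can read "res=" as the 1-for-success / 0-for-failure flag named in the commit title cited above, and take the error detail from "cause=" instead. The function names and the second sample record are constructed for illustration.

```python
import errno
import re

# key=value pairs; a value is either double-quoted or runs to the next space
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
_STAMP = re.compile(r'audit\((\d+\.\d+):(\d+)\)')

def kernel_res(result):
    """Mirror of the quoted `!result`: 0 (success) -> 1, any error code -> 0."""
    return int(not result)

def parse_record(line):
    """Split one audit record into a dict of its key=value fields."""
    fields = {k: v.strip('"') for k, v in _FIELD.findall(line)}
    m = _STAMP.search(line)
    if m:
        fields["time"], fields["serial"] = m.group(1), m.group(2)
    return fields

def failures(lines):
    """Return (op, name, cause, errno_or_None) for every record with res=0."""
    out = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("res") != "0":
            continue  # res=1 means the operation succeeded
        cause = rec.get("cause", "")
        # cause= is free text; map it to a number only if it is an errno name
        known = cause in errno.errorcode.values()
        code = getattr(errno, cause) if known else None
        out.append((rec.get("op"), rec.get("name"), cause, code))
    return out

SAMPLE = [
    # record from the thread, rejoined onto one line
    'audit: type=1804 audit(1591411737.631:3): pid=1 uid=0 auid=4294967295 '
    'ses=4294967295 subj=kernel op=ima_alloc_key_entry cause=ENOMEM '
    'comm="swapper/0" name=".builtin_trusted_keys" res=0',
    # constructed success record, for contrast
    'audit: type=1804 audit(1591411740.002:4): pid=1 uid=0 auid=4294967295 '
    'ses=4294967295 subj=kernel op=example_op cause=example '
    'comm="swapper/0" name="example" res=1',
]

if __name__ == "__main__":
    for row in failures(SAMPLE):
        print(row)
```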