Linux-audit Archive on lore.kernel.org
 help / color / Atom feed
* result logged in integrity audit message
@ 2020-06-06  3:13 Lakshmi Ramasubramanian
  2020-06-07  1:51 ` Mimi Zohar
  0 siblings, 1 reply; 3+ messages in thread
From: Lakshmi Ramasubramanian @ 2020-06-06  3:13 UTC (permalink / raw)
  To: Mimi Zohar; +Cc: linux-integrity, linux-audit

Hi Mimi,

In integrity audit message function the inverse of "result" is being 
logged for "res=". Please see below. Is this intentional?

void integrity_audit_msg(int audit_msgno, struct inode *inode,
			 const unsigned char *fname, const char *op,
			 const char *cause, int result, int audit_info)
{

  ...
  audit_log_format(ab, " res=%d", !result);
}

The callers of this function are passing an error code (-ENOMEM, 
-EINVAL, etc.) in the "result" parameter. But that error code is lost - 
instead "res" is set to 0.

For example,

audit: type=1804 audit(1591411737.631:3): pid=1 uid=0 auid=4294967295 
ses=4294967295 subj=kernel op=ima_alloc_key_entry cause=ENOMEM 
comm="swapper/0" name=".builtin_trusted_keys" res=0

thanks,
  -lakshmi

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit


^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: result logged in integrity audit message
  2020-06-06  3:13 result logged in integrity audit message Lakshmi Ramasubramanian
@ 2020-06-07  1:51 ` Mimi Zohar
  2020-06-07  5:36   ` Lakshmi Ramasubramanian
  0 siblings, 1 reply; 3+ messages in thread
From: Mimi Zohar @ 2020-06-07  1:51 UTC (permalink / raw)
  To: Lakshmi Ramasubramanian; +Cc: linux-integrity, linux-audit

Hi Lakshmi,

On Fri, 2020-06-05 at 20:13 -0700, Lakshmi Ramasubramanian wrote:
> Hi Mimi,
> 
> In integrity audit message function the inverse of "result" is being 
> logged for "res=". Please see below. Is this intentional?
> 
> void integrity_audit_msg(int audit_msgno, struct inode *inode,
> 			 const unsigned char *fname, const char *op,
> 			 const char *cause, int result, int audit_info)
> {
> 
>   ...
>   audit_log_format(ab, " res=%d", !result);
> }
> 
> The callers of this function are passing an error code (-ENOMEM, 
> -EINVAL, etc.) in the "result" parameter. But that error code is lost - 
> instead "res" is set to 0.
> 
> For example,
> 
> audit: type=1804 audit(1591411737.631:3): pid=1 uid=0 auid=4294967295 
> ses=4294967295 subj=kernel op=ima_alloc_key_entry cause=ENOMEM 
> comm="swapper/0" name=".builtin_trusted_keys" res=0

The commit message provides an explanation.  Look at b0d5de4d5880 ("IMA: fix
audit res field to indicate 1 for success and 0 for failure").

Mimi


--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: result logged in integrity audit message
  2020-06-07  1:51 ` Mimi Zohar
@ 2020-06-07  5:36   ` Lakshmi Ramasubramanian
  0 siblings, 0 replies; 3+ messages in thread
From: Lakshmi Ramasubramanian @ 2020-06-07  5:36 UTC (permalink / raw)
  To: Mimi Zohar; +Cc: linux-integrity, linux-audit

On 6/6/20 6:51 PM, Mimi Zohar wrote:

> Hi Lakshmi,
> 
> The commit message provides an explanation.  Look at b0d5de4d5880 ("IMA: fix
> audit res field to indicate 1 for success and 0 for failure").

Thanks for the info Mimi.

If this function logs the "result" parameter as passed by the caller, 
the audit message could be very helpful when triaging failures.
But I guess changing this now would cause regression in components that 
expect only 0 or 1 in the "res" field in an audit message.

thanks,
  -lakshmi


--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, back to index

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-06-06  3:13 result logged in integrity audit message Lakshmi Ramasubramanian
2020-06-07  1:51 ` Mimi Zohar
2020-06-07  5:36   ` Lakshmi Ramasubramanian

Linux-audit Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-audit/0 linux-audit/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-audit linux-audit/ https://lore.kernel.org/linux-audit \
		linux-audit@redhat.com
	public-inbox-index linux-audit

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/com.redhat.linux-audit


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git