linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH ghak109 V2] audit: link integrity evm_write_xattrs record to syscall event
@ 2019-03-26 18:49 Richard Guy Briggs
  2019-03-26 20:40 ` Mimi Zohar
  0 siblings, 1 reply; 5+ messages in thread
From: Richard Guy Briggs @ 2019-03-26 18:49 UTC (permalink / raw)
  To: linux-integrity, linux-security-module, Linux-Audit Mailing List, LKML
  Cc: Paul Moore, sgrubb, omosnace, eparis, serge, zohar, mjg59,
	Richard Guy Briggs

In commit fa516b66a1bf ("EVM: Allow runtime modification of the set of
verified xattrs"), the call to audit_log_start() is missing a context to
link it to an audit event. Since this event is in user context, add
the process' syscall context to the record.

In addition, the orphaned keyword "locked" appears in the record.
Normalize this by changing it to logging the locking string "." as any
other user input in the "xattr=" field.

Please see the github issue
https://github.com/linux-audit/audit-kernel/issues/109

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
Changelog:
v2
- switch from "(locked)" to printing the "." verbatim, untrusted.

 security/integrity/evm/evm_secfs.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/security/integrity/evm/evm_secfs.c b/security/integrity/evm/evm_secfs.c
index 015aea8fdf1e..3f7cbb238923 100644
--- a/security/integrity/evm/evm_secfs.c
+++ b/security/integrity/evm/evm_secfs.c
@@ -192,7 +192,8 @@ static ssize_t evm_write_xattrs(struct file *file, const char __user *buf,
 	if (count > XATTR_NAME_MAX)
 		return -E2BIG;
 
-	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_INTEGRITY_EVM_XATTR);
+	ab = audit_log_start(audit_context(), GFP_KERNEL,
+			     AUDIT_INTEGRITY_EVM_XATTR);
 	if (!ab)
 		return -ENOMEM;
 
@@ -214,6 +215,9 @@ static ssize_t evm_write_xattrs(struct file *file, const char __user *buf,
 	if (len && xattr->name[len-1] == '\n')
 		xattr->name[len-1] = '\0';
 
+	audit_log_format(ab, "xattr=");
+	audit_log_untrustedstring(ab, xattr->name);
+
 	if (strcmp(xattr->name, ".") == 0) {
 		evm_xattrs_locked = 1;
 		newattrs.ia_mode = S_IFREG | 0440;
@@ -222,15 +226,11 @@ static ssize_t evm_write_xattrs(struct file *file, const char __user *buf,
 		inode_lock(inode);
 		err = simple_setattr(evm_xattrs, &newattrs);
 		inode_unlock(inode);
-		audit_log_format(ab, "locked");
 		if (!err)
 			err = count;
 		goto out;
 	}
 
-	audit_log_format(ab, "xattr=");
-	audit_log_untrustedstring(ab, xattr->name);
-
 	if (strncmp(xattr->name, XATTR_SECURITY_PREFIX,
 		    XATTR_SECURITY_PREFIX_LEN) != 0) {
 		err = -EINVAL;
-- 
1.8.3.1


^ permalink raw reply related	[flat|nested] 5+ messages in thread
* Re: [PATCH ghak109 V2] audit: link integrity evm_write_xattrs record to syscall event
  2019-03-26 18:49 [PATCH ghak109 V2] audit: link integrity evm_write_xattrs record to syscall event Richard Guy Briggs
@ 2019-03-26 20:40 ` Mimi Zohar
  2019-03-26 23:58   ` Paul Moore
  0 siblings, 1 reply; 5+ messages in thread
From: Mimi Zohar @ 2019-03-26 20:40 UTC (permalink / raw)
  To: Richard Guy Briggs, linux-integrity, linux-security-module,
	Linux-Audit Mailing List, LKML
  Cc: Paul Moore, sgrubb, omosnace, eparis, serge, mjg59

Hi Richard, Paul,

On Tue, 2019-03-26 at 14:49 -0400, Richard Guy Briggs wrote:
> In commit fa516b66a1bf ("EVM: Allow runtime modification of the set of
> verified xattrs"), the call to audit_log_start() is missing a context to
> link it to an audit event. Since this event is in user context, add
> the process' syscall context to the record.
> 
> In addition, the orphaned keyword "locked" appears in the record.
> Normalize this by changing it to logging the locking string "." as any
> other user input in the "xattr=" field.
> 
> Please see the github issue
> https://github.com/linux-audit/audit-kernel/issues/109
> 
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>

Acked-by: Mimi Zohar <zohar@linux.ibm.com>

Paul, were you planning on upstreaming this patch?

Mimi


^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [PATCH ghak109 V2] audit: link integrity evm_write_xattrs record to syscall event
  2019-03-26 20:40 ` Mimi Zohar
@ 2019-03-26 23:58   ` Paul Moore
  2019-03-27 15:04     ` Mimi Zohar
  0 siblings, 1 reply; 5+ messages in thread
From: Paul Moore @ 2019-03-26 23:58 UTC (permalink / raw)
  To: Mimi Zohar
  Cc: Richard Guy Briggs, linux-integrity, linux-security-module,
	Linux-Audit Mailing List, LKML, sgrubb, omosnace, Eric Paris,
	Serge Hallyn, mjg59

On Tue, Mar 26, 2019 at 4:40 PM Mimi Zohar <zohar@linux.ibm.com> wrote:
>
> Hi Richard, Paul,
>
> On Tue, 2019-03-26 at 14:49 -0400, Richard Guy Briggs wrote:
> > In commit fa516b66a1bf ("EVM: Allow runtime modification of the set of
> > verified xattrs"), the call to audit_log_start() is missing a context to
> > link it to an audit event. Since this event is in user context, add
> > the process' syscall context to the record.
> >
> > In addition, the orphaned keyword "locked" appears in the record.
> > Normalize this by changing it to logging the locking string "." as any
> > other user input in the "xattr=" field.
> >
> > Please see the github issue
> > https://github.com/linux-audit/audit-kernel/issues/109
> >
> > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
>
> Acked-by: Mimi Zohar <zohar@linux.ibm.com>
>
> Paul, were you planning on upstreaming this patch?

Yep, unless you would rather do it?  If you pull it into the IMA tree,
please add my ACK; otherwise let me know and I'll merge it into
audit/next.

Acked-by: Paul Moore <paul@paul-moore.com>

-- 
paul moore
www.paul-moore.com

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [PATCH ghak109 V2] audit: link integrity evm_write_xattrs record to syscall event
  2019-03-26 23:58   ` Paul Moore
@ 2019-03-27 15:04     ` Mimi Zohar
  2019-03-27 22:14       ` Paul Moore
  0 siblings, 1 reply; 5+ messages in thread
From: Mimi Zohar @ 2019-03-27 15:04 UTC (permalink / raw)
  To: Paul Moore
  Cc: Richard Guy Briggs, linux-integrity, linux-security-module,
	Linux-Audit Mailing List, LKML, sgrubb, omosnace, Eric Paris,
	Serge Hallyn, mjg59

On Tue, 2019-03-26 at 19:58 -0400, Paul Moore wrote:
> On Tue, Mar 26, 2019 at 4:40 PM Mimi Zohar <zohar@linux.ibm.com> wrote:
> >
> > Hi Richard, Paul,
> >
> > On Tue, 2019-03-26 at 14:49 -0400, Richard Guy Briggs wrote:
> > > In commit fa516b66a1bf ("EVM: Allow runtime modification of the set of
> > > verified xattrs"), the call to audit_log_start() is missing a context to
> > > link it to an audit event. Since this event is in user context, add
> > > the process' syscall context to the record.
> > >
> > > In addition, the orphaned keyword "locked" appears in the record.
> > > Normalize this by changing it to logging the locking string "." as any
> > > other user input in the "xattr=" field.
> > >
> > > Please see the github issue
> > > https://github.com/linux-audit/audit-kernel/issues/109
> > >
> > > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> >
> > Acked-by: Mimi Zohar <zohar@linux.ibm.com>
> >
> > Paul, were you planning on upstreaming this patch?
> 
> Yep, unless you would rather do it?

No, that's fine. Thanks!

Mimi


^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [PATCH ghak109 V2] audit: link integrity evm_write_xattrs record to syscall event
  2019-03-27 15:04     ` Mimi Zohar
@ 2019-03-27 22:14       ` Paul Moore
  0 siblings, 0 replies; 5+ messages in thread
From: Paul Moore @ 2019-03-27 22:14 UTC (permalink / raw)
  To: Mimi Zohar, Richard Guy Briggs
  Cc: linux-integrity, linux-security-module, Linux-Audit Mailing List,
	LKML, sgrubb, omosnace, Eric Paris, Serge Hallyn, mjg59

On Wed, Mar 27, 2019 at 11:05 AM Mimi Zohar <zohar@linux.ibm.com> wrote:
> On Tue, 2019-03-26 at 19:58 -0400, Paul Moore wrote:
> > On Tue, Mar 26, 2019 at 4:40 PM Mimi Zohar <zohar@linux.ibm.com> wrote:
> > >
> > > Hi Richard, Paul,
> > >
> > > On Tue, 2019-03-26 at 14:49 -0400, Richard Guy Briggs wrote:
> > > > In commit fa516b66a1bf ("EVM: Allow runtime modification of the set of
> > > > verified xattrs"), the call to audit_log_start() is missing a context to
> > > > link it to an audit event. Since this event is in user context, add
> > > > the process' syscall context to the record.
> > > >
> > > > In addition, the orphaned keyword "locked" appears in the record.
> > > > Normalize this by changing it to logging the locking string "." as any
> > > > other user input in the "xattr=" field.
> > > >
> > > > Please see the github issue
> > > > https://github.com/linux-audit/audit-kernel/issues/109
> > > >
> > > > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> > >
> > > Acked-by: Mimi Zohar <zohar@linux.ibm.com>
> > >
> > > Paul, were you planning on upstreaming this patch?
> >
> > Yep, unless you would rather do it?
>
> No, that's fine. Thanks!

Merged into audit/next, thanks all.

-- 
paul moore
www.paul-moore.com

^ permalink raw reply	[flat|nested] 5+ messages in thread
end of thread, other threads:[~2019-03-27 22:14 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-03-26 18:49 [PATCH ghak109 V2] audit: link integrity evm_write_xattrs record to syscall event Richard Guy Briggs
2019-03-26 20:40 ` Mimi Zohar
2019-03-26 23:58   ` Paul Moore
2019-03-27 15:04     ` Mimi Zohar
2019-03-27 22:14       ` Paul Moore

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).