From: Richard Guy Briggs <rgb@redhat.com>
To: linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org,
Linux-Audit Mailing List <linux-audit@redhat.com>,
LKML <linux-kernel@vger.kernel.org>
Cc: Paul Moore <paul@paul-moore.com>,
sgrubb@redhat.com, omosnace@redhat.com, eparis@parisplace.org,
serge@hallyn.com, zohar@linux.ibm.com, mjg59@google.com,
Richard Guy Briggs <rgb@redhat.com>
Subject: [PATCH ghak109 V1] audit: link integrity evm_write_xattrs record to syscall event
Date: Sat, 16 Mar 2019 08:10:08 -0400 [thread overview]
Message-ID: <81d0122d14c4fbb3a2ad33d25fdf2dd001c7dcc7.1552737854.git.rgb@redhat.com> (raw)
In commit fa516b66a1bf ("EVM: Allow runtime modification of the set of
verified xattrs"), the call to audit_log_start() is missing a context to
link it to an audit event. Since this event is in user context, add
the process' syscall context to the record.
In addition, the orphaned keyword "locked" appears in the record.
Normalize this by changing it to "xattr=(locked)".
Please see the github issue
https://github.com/linux-audit/audit-kernel/issues/109
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
security/integrity/evm/evm_secfs.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/security/integrity/evm/evm_secfs.c b/security/integrity/evm/evm_secfs.c
index 015aea8fdf1e..4171d174e9da 100644
--- a/security/integrity/evm/evm_secfs.c
+++ b/security/integrity/evm/evm_secfs.c
@@ -192,7 +192,8 @@ static ssize_t evm_write_xattrs(struct file *file, const char __user *buf,
if (count > XATTR_NAME_MAX)
return -E2BIG;
- ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_INTEGRITY_EVM_XATTR);
+ ab = audit_log_start(audit_context(), GFP_KERNEL,
+ AUDIT_INTEGRITY_EVM_XATTR);
if (!ab)
return -ENOMEM;
@@ -222,7 +223,7 @@ static ssize_t evm_write_xattrs(struct file *file, const char __user *buf,
inode_lock(inode);
err = simple_setattr(evm_xattrs, &newattrs);
inode_unlock(inode);
- audit_log_format(ab, "locked");
+ audit_log_format(ab, "xattr=(locked)");
if (!err)
err = count;
goto out;
--
1.8.3.1
next reply other threads:[~2019-03-16 12:10 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-16 12:10 Richard Guy Briggs [this message]
2019-03-20 23:48 ` [PATCH ghak109 V1] audit: link integrity evm_write_xattrs record to syscall event Paul Moore
2019-03-21 0:50 ` Richard Guy Briggs
2019-03-21 1:03 ` Paul Moore
2019-03-26 15:11 ` Mimi Zohar
2019-03-26 15:22 ` Steve Grubb
2019-03-26 15:29 ` Mimi Zohar
2019-03-26 16:14 ` Richard Guy Briggs
2019-03-26 17:42 ` Richard Guy Briggs
2019-03-26 17:55 ` Matthew Garrett
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=81d0122d14c4fbb3a2ad33d25fdf2dd001c7dcc7.1552737854.git.rgb@redhat.com \
--to=rgb@redhat.com \
--cc=eparis@parisplace.org \
--cc=linux-audit@redhat.com \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mjg59@google.com \
--cc=omosnace@redhat.com \
--cc=paul@paul-moore.com \
--cc=serge@hallyn.com \
--cc=sgrubb@redhat.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).