Re: [PATCH] audit: Report suspicious O_CREAT usage
On Wed, Sep 25, 2019 at 5:02 PM Kees Cook <keescook(a)chromium.org> wrote:
This renames the very specific audit_log_link_denied() to
audit_log_path_denied() and adds the AUDIT_* type as an argument. This
allows for the creation of the new AUDIT_ANOM_CREAT that can be used to
report the fifo/regular file creation restrictions that were introduced
in commit 30aba6656f61 ("namei: allow restricted O_CREAT of FIFOs and
regular files"). Without this change, discovering that the restriction
is enabled can be very challenging:
https://lore.kernel.org/lkml/CA+jJMxvkqjXHy3DnV5MVhFTL2RUhg0WQ-XVFW3ngDQO...
Reported-by: Jérémie Galarneau <jeremie.galarneau(a)efficios.com>
Signed-off-by: Kees Cook <keescook(a)chromium.org>
---
This is not a complete fix because reporting was broken in commit
15564ff0a16e ("audit: make ANOM_LINK obey audit_enabled and
audit_dummy_context")
which specifically goes against the intention of these records: they
should _always_ be reported. If auditing isn't enabled, they should be
ratelimited.
Instead of using audit, should this just go back to using
pr_ratelimited()?
I'm going to ignore the rename and other aspects of this patch for the
moment so we can focus on the topic of if/when/how these records
should be emitted by the kernel.
Unfortunately, people tend to get very upset if audit emits *any*
records when they haven't explicitly enabled audit, the significance
of the record doesn't seem to matter, which is why you see patches
like 15564ff0a16e ("audit: make ANOM_LINK obey audit_enabled and
audit_dummy_context"). We could consider converting some records to
printk()s, rate-limited or not, but we need to balance this with the
various security certifications which audit was created to satisfy.
In some cases a printk() isn't sufficient.
Steve is probably the only one who really keeps track of the various
auditing requirements of the different security certifications; what
say you Steve on this issue with ANOM_CREAT records?
--
paul moore
www.paul-moore.com