Hi Richard,
Thank you for the patch! Yet something to improve:
[auto build test ERROR on linus/master]
[also build test ERROR on v4.16-rc5 next-20180309]
[if your patch is applied to the wrong git tree, please drop us a note to help improve the
system]
url:
https://github.com/0day-ci/linux/commits/Richard-Guy-Briggs/audit-address...
config: i386-tinyconfig (attached as .config)
compiler: gcc-7 (Debian 7.3.0-1) 7.3.0
reproduce:
# save the attached .config to linux build tree
make ARCH=i386
Note: the
linux-review/Richard-Guy-Briggs/audit-address-ANOM_LINK-excess-records/20180313-015527
HEAD 12e8c56bcd359f7d20d4ae011674d37bc832bc4c builds fine.
It only hurts bisectibility.
All errors (new ones prefixed by >>):
fs/namei.c: In function 'may_follow_link':
> fs/namei.c:929:2: error: too many arguments to function
'audit_log_link_denied'
audit_log_link_denied("follow_link",
&nd->stack[0].link);
^~~~~~~~~~~~~~~~~~~~~
In file included from include/linux/fsnotify.h:16:0,
from fs/namei.c:25:
include/linux/audit.h:196:20: note: declared here
static inline void audit_log_link_denied(const char *string)
^~~~~~~~~~~~~~~~~~~~~
vim +/audit_log_link_denied +929 fs/namei.c
800179c9b Kees Cook 2012-07-25 886
800179c9b Kees Cook 2012-07-25 887 /**
800179c9b Kees Cook 2012-07-25 888 * may_follow_link - Check symlink following
for unsafe situations
55852635a Randy Dunlap 2012-08-18 889 * @nd: nameidata pathwalk data
800179c9b Kees Cook 2012-07-25 890 *
800179c9b Kees Cook 2012-07-25 891 * In the case of the
sysctl_protected_symlinks sysctl being enabled,
800179c9b Kees Cook 2012-07-25 892 * CAP_DAC_OVERRIDE needs to be specifically
ignored if the symlink is
800179c9b Kees Cook 2012-07-25 893 * in a sticky world-writable directory. This
is to protect privileged
800179c9b Kees Cook 2012-07-25 894 * processes from failing races against path
names that may change out
800179c9b Kees Cook 2012-07-25 895 * from under them by way of other users
creating malicious symlinks.
800179c9b Kees Cook 2012-07-25 896 * It will permit symlinks to be followed
only when outside a sticky
800179c9b Kees Cook 2012-07-25 897 * world-writable directory, or when the uid
of the symlink and follower
800179c9b Kees Cook 2012-07-25 898 * match, or when the directory owner matches
the symlink's owner.
800179c9b Kees Cook 2012-07-25 899 *
800179c9b Kees Cook 2012-07-25 900 * Returns 0 if following the symlink is
allowed, -ve on error.
800179c9b Kees Cook 2012-07-25 901 */
fec2fa24e Al Viro 2015-05-06 902 static inline int may_follow_link(struct
nameidata *nd)
800179c9b Kees Cook 2012-07-25 903 {
800179c9b Kees Cook 2012-07-25 904 const struct inode *inode;
800179c9b Kees Cook 2012-07-25 905 const struct inode *parent;
2d7f9e2ad Seth Forshee 2016-04-26 906 kuid_t puid;
800179c9b Kees Cook 2012-07-25 907
800179c9b Kees Cook 2012-07-25 908 if (!sysctl_protected_symlinks)
800179c9b Kees Cook 2012-07-25 909 return 0;
800179c9b Kees Cook 2012-07-25 910
800179c9b Kees Cook 2012-07-25 911 /* Allowed if owner and follower match. */
fceef393a Al Viro 2015-12-29 912 inode = nd->link_inode;
81abe27b1 Eric W. Biederman 2012-08-03 913 if (uid_eq(current_cred()->fsuid,
inode->i_uid))
800179c9b Kees Cook 2012-07-25 914 return 0;
800179c9b Kees Cook 2012-07-25 915
800179c9b Kees Cook 2012-07-25 916 /* Allowed if parent directory not sticky
and world-writable. */
aa65fa35b Al Viro 2015-08-04 917 parent = nd->inode;
800179c9b Kees Cook 2012-07-25 918 if ((parent->i_mode &
(S_ISVTX|S_IWOTH)) != (S_ISVTX|S_IWOTH))
800179c9b Kees Cook 2012-07-25 919 return 0;
800179c9b Kees Cook 2012-07-25 920
800179c9b Kees Cook 2012-07-25 921 /* Allowed if parent directory and link
owner match. */
2d7f9e2ad Seth Forshee 2016-04-26 922 puid = parent->i_uid;
2d7f9e2ad Seth Forshee 2016-04-26 923 if (uid_valid(puid) && uid_eq(puid,
inode->i_uid))
800179c9b Kees Cook 2012-07-25 924 return 0;
800179c9b Kees Cook 2012-07-25 925
31956502d Al Viro 2015-05-07 926 if (nd->flags & LOOKUP_RCU)
31956502d Al Viro 2015-05-07 927 return -ECHILD;
31956502d Al Viro 2015-05-07 928
1cf2665b5 Al Viro 2015-05-06 @929
audit_log_link_denied("follow_link", &nd->stack[0].link);
800179c9b Kees Cook 2012-07-25 930 return -EACCES;
800179c9b Kees Cook 2012-07-25 931 }
800179c9b Kees Cook 2012-07-25 932
:::::: The code at line 929 was first introduced by commit
:::::: 1cf2665b5bdfc63185fb4a416bff54b14ad30c79 namei: kill nd->link
:::::: TO: Al Viro <viro(a)zeniv.linux.org.uk>
:::::: CC: Al Viro <viro(a)zeniv.linux.org.uk>
---
0-DAY kernel test infrastructure Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all Intel Corporation