On 2018-03-08 19:26, Paul Moore wrote:
On Wed, Feb 14, 2018 at 11:18 AM, Richard Guy Briggs
<rgb(a)redhat.com> wrote:
> Audit link denied events generate duplicate PATH records which disagree
> in different ways from symlink and hardlink denials.
> audit_log_link_denied() should not directly generate PATH records.
>
> See:
https://github.com/linux-audit/audit-kernel/issues/21
> Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
> ---
> kernel/audit.c | 14 +-------------
> 1 file changed, 1 insertion(+), 13 deletions(-)
Merged, thanks.
Self-NACK. Please un-merge this RFC v1 version and merge instead the v2
patch since it removes the now-unnecessary struct path * parameter from
audit_log_link_denied().
> diff --git a/kernel/audit.c b/kernel/audit.c
> index 4c3fd24..683b249 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -2259,31 +2259,19 @@ void audit_log_task_info(struct audit_buffer *ab, struct
task_struct *tsk)
> void audit_log_link_denied(const char *operation, const struct path *link)
> {
> struct audit_buffer *ab;
> - struct audit_names *name;
>
> if (!audit_enabled || audit_dummy_context())
> return;
>
> - name = kzalloc(sizeof(*name), GFP_NOFS);
> - if (!name)
> - return;
> -
> /* Generate AUDIT_ANOM_LINK with subject, operation, outcome. */
> ab = audit_log_start(current->audit_context, GFP_KERNEL,
> AUDIT_ANOM_LINK);
> if (!ab)
> - goto out;
> + return;
> audit_log_format(ab, "op=%s", operation);
> audit_log_task_info(ab, current);
> audit_log_format(ab, " res=0");
> audit_log_end(ab);
> -
> - /* Generate AUDIT_PATH record with object. */
> - name->type = AUDIT_TYPE_NORMAL;
> - audit_copy_inode(name, link->dentry, d_backing_inode(link->dentry));
> - audit_log_name(current->audit_context, name, link, 0, NULL);
> -out:
> - kfree(name);
> }
>
> /**
> --
> 1.8.3.1
>
--
paul moore
www.paul-moore.com
- RGB
--
Richard Guy Briggs <rgb(a)redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635