3:14 p.m.
The AUDIT_CONFIG_CHANGE events sometimes use a op= field. The current code
logs the value of the field with quotes. This field is documented to not be
encoded, so it should not have quotes.
Signed-off-by: Steve Grubb <sgrubb(a)redhat.com>
---
diff -urp vanilla-4.9-rc5.orig/kernel/auditfilter.c vanilla-4.9-rc5/kernel/auditfilter.c
--- vanilla-4.9-rc5.orig/kernel/auditfilter.c 2016-10-02 19:24:33.000000000 -0400
+++ vanilla-4.9-rc5/kernel/auditfilter.c 2016-11-16 16:00:30.608728324 -0500
@@ -1074,8 +1074,7 @@ static void audit_log_rule_change(char *
return;
audit_log_format(ab, "auid=%u ses=%u" ,loginuid, sessionid);
audit_log_task_context(ab);
- audit_log_format(ab, " op=");
- audit_log_string(ab, action);
+ audit_log_format(ab, " op=%s", action);
audit_log_key(ab, rule->filterkey);
audit_log_format(ab, " list=%d res=%d", rule->listnr, res);
audit_log_end(ab);
diff -urp vanilla-4.9-rc5.orig/kernel/audit_fsnotify.c
vanilla-4.9-rc5/kernel/audit_fsnotify.c
--- vanilla-4.9-rc5.orig/kernel/audit_fsnotify.c 2016-10-02 19:24:33.000000000 -0400
+++ vanilla-4.9-rc5/kernel/audit_fsnotify.c 2016-11-16 16:02:41.516728544 -0500
@@ -130,10 +130,9 @@ static void audit_mark_log_rule_change(s
ab = audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE);
if (unlikely(!ab))
return;
- audit_log_format(ab, "auid=%u ses=%u op=",
+ audit_log_format(ab, "auid=%u ses=%u op=%s",
from_kuid(&init_user_ns, audit_get_loginuid(current)),
- audit_get_sessionid(current));
- audit_log_string(ab, op);
+ audit_get_sessionid(current), op);
audit_log_format(ab, " path=");
audit_log_untrustedstring(ab, audit_mark->path);
audit_log_key(ab, rule->filterkey);
diff -urp vanilla-4.9-rc5.orig/kernel/audit_tree.c vanilla-4.9-rc5/kernel/audit_tree.c
--- vanilla-4.9-rc5.orig/kernel/audit_tree.c 2016-10-02 19:24:33.000000000 -0400
+++ vanilla-4.9-rc5/kernel/audit_tree.c 2016-11-16 16:03:26.414728619 -0500
@@ -458,8 +458,7 @@ static void audit_tree_log_remove_rule(s
ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
if (unlikely(!ab))
return;
- audit_log_format(ab, "op=");
- audit_log_string(ab, "remove_rule");
+ audit_log_format(ab, "op=remove_rule");
audit_log_format(ab, " dir=");
audit_log_untrustedstring(ab, rule->tree->pathname);
audit_log_key(ab, rule->filterkey);
diff -urp vanilla-4.9-rc5.orig/kernel/audit_watch.c vanilla-4.9-rc5/kernel/audit_watch.c
--- vanilla-4.9-rc5.orig/kernel/audit_watch.c 2016-10-02 19:24:33.000000000 -0400
+++ vanilla-4.9-rc5/kernel/audit_watch.c 2016-11-16 16:04:18.287728706 -0500
@@ -242,10 +242,9 @@ static void audit_watch_log_rule_change(
ab = audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE);
if (unlikely(!ab))
return;
- audit_log_format(ab, "auid=%u ses=%u op=",
+ audit_log_format(ab, "auid=%u ses=%u op=%s",
from_kuid(&init_user_ns, audit_get_loginuid(current)),
- audit_get_sessionid(current));
- audit_log_string(ab, op);
+ audit_get_sessionid(current), op);
audit_log_format(ab, " path=");
audit_log_untrustedstring(ab, w->path);
audit_log_key(ab, r->filterkey);
12:40 a.m.
On 2016-11-16 16:14, Steve Grubb wrote:
The AUDIT_CONFIG_CHANGE events sometimes use a op= field. The current
code
logs the value of the field with quotes. This field is documented to not be
encoded, so it should not have quotes.
There were a number of callers that had spaces in their "op" or
"action"
strings which I've addressed with several upstream patches, so this is
the right direction to go. All the callers for the instances listed
below are fine.
Signed-off-by: Steve Grubb <sgrubb(a)redhat.com>
Reviewed-by: Richard Guy Briggs <rgb(a)redhat.com>
---
diff -urp vanilla-4.9-rc5.orig/kernel/auditfilter.c vanilla-4.9-rc5/kernel/auditfilter.c
--- vanilla-4.9-rc5.orig/kernel/auditfilter.c 2016-10-02 19:24:33.000000000 -0400
+++ vanilla-4.9-rc5/kernel/auditfilter.c 2016-11-16 16:00:30.608728324 -0500
@@ -1074,8 +1074,7 @@ static void audit_log_rule_change(char *
return;
audit_log_format(ab, "auid=%u ses=%u" ,loginuid, sessionid);
audit_log_task_context(ab);
- audit_log_format(ab, " op=");
- audit_log_string(ab, action);
+ audit_log_format(ab, " op=%s", action);
audit_log_key(ab, rule->filterkey);
audit_log_format(ab, " list=%d res=%d", rule->listnr, res);
audit_log_end(ab);
diff -urp vanilla-4.9-rc5.orig/kernel/audit_fsnotify.c
vanilla-4.9-rc5/kernel/audit_fsnotify.c
--- vanilla-4.9-rc5.orig/kernel/audit_fsnotify.c 2016-10-02 19:24:33.000000000 -0400
+++ vanilla-4.9-rc5/kernel/audit_fsnotify.c 2016-11-16 16:02:41.516728544 -0500
@@ -130,10 +130,9 @@ static void audit_mark_log_rule_change(s
ab = audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE);
if (unlikely(!ab))
return;
- audit_log_format(ab, "auid=%u ses=%u op=",
+ audit_log_format(ab, "auid=%u ses=%u op=%s",
from_kuid(&init_user_ns, audit_get_loginuid(current)),
- audit_get_sessionid(current));
- audit_log_string(ab, op);
+ audit_get_sessionid(current), op);
audit_log_format(ab, " path=");
audit_log_untrustedstring(ab, audit_mark->path);
audit_log_key(ab, rule->filterkey);
diff -urp vanilla-4.9-rc5.orig/kernel/audit_tree.c vanilla-4.9-rc5/kernel/audit_tree.c
--- vanilla-4.9-rc5.orig/kernel/audit_tree.c 2016-10-02 19:24:33.000000000 -0400
+++ vanilla-4.9-rc5/kernel/audit_tree.c 2016-11-16 16:03:26.414728619 -0500
@@ -458,8 +458,7 @@ static void audit_tree_log_remove_rule(s
ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
if (unlikely(!ab))
return;
- audit_log_format(ab, "op=");
- audit_log_string(ab, "remove_rule");
+ audit_log_format(ab, "op=remove_rule");
audit_log_format(ab, " dir=");
audit_log_untrustedstring(ab, rule->tree->pathname);
audit_log_key(ab, rule->filterkey);
diff -urp vanilla-4.9-rc5.orig/kernel/audit_watch.c vanilla-4.9-rc5/kernel/audit_watch.c
--- vanilla-4.9-rc5.orig/kernel/audit_watch.c 2016-10-02 19:24:33.000000000 -0400
+++ vanilla-4.9-rc5/kernel/audit_watch.c 2016-11-16 16:04:18.287728706 -0500
@@ -242,10 +242,9 @@ static void audit_watch_log_rule_change(
ab = audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE);
if (unlikely(!ab))
return;
- audit_log_format(ab, "auid=%u ses=%u op=",
+ audit_log_format(ab, "auid=%u ses=%u op=%s",
from_kuid(&init_user_ns, audit_get_loginuid(current)),
- audit_get_sessionid(current));
- audit_log_string(ab, op);
+ audit_get_sessionid(current), op);
audit_log_format(ab, " path=");
audit_log_untrustedstring(ab, w->path);
audit_log_key(ab, r->filterkey);
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
- RGB
--
Richard Guy Briggs <rgb(a)redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
2:42 p.m.
On Wed, Nov 16, 2016 at 4:14 PM, Steve Grubb <sgrubb(a)redhat.com> wrote:
The AUDIT_CONFIG_CHANGE events sometimes use a op= field. The current
code
logs the value of the field with quotes. This field is documented to not be
encoded, so it should not have quotes.
Signed-off-by: Steve Grubb <sgrubb(a)redhat.com>
Looks good to me, merged.
--
paul moore
www.paul-moore.com
2999
days inactive
3003
days old
linux-audit@lists.linux-audit.osci.io
2 comments
3 participants
participants (3)
-
Paul Moore -
Richard Guy Briggs -
Steve Grubb