Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CAHC9VhTwyNsW5xVNsb+jXhgoLL86daZL1cWG9d+DVB0dQJAgMQ@mail.gmail.com>
Date: Wed, 2 Oct 2019 17:12:01 -0400
From: Paul Moore <paul@...l-moore.com>
To: Kees Cook <keescook@...omium.org>
Cc: linux-kernel@...r.kernel.org, 
	Jérémie Galarneau <jeremie.galarneau@...icios.com>, 
	s.mesoraca16@...il.com, viro@...iv.linux.org.uk, dan.carpenter@...cle.com, 
	akpm@...ux-foundation.org, Mathieu Desnoyers <mathieu.desnoyers@...icios.com>, 
	kernel-hardening@...ts.openwall.com, linux-audit@...hat.com, 
	Linus Torvalds <torvalds@...ux-foundation.org>
Subject: Re: [PATCH v2] audit: Report suspicious O_CREAT usage

On Tue, Oct 1, 2019 at 12:48 PM Kees Cook <keescook@...omium.org> wrote:
>
> This renames the very specific audit_log_link_denied() to
> audit_log_path_denied() and adds the AUDIT_* type as an argument. This
> allows for the creation of the new AUDIT_ANOM_CREAT that can be used to
> report the fifo/regular file creation restrictions that were introduced
> in commit 30aba6656f61 ("namei: allow restricted O_CREAT of FIFOs and
> regular files"). Additionally further clarifies the existing
> "operations" strings.
>
> Signed-off-by: Kees Cook <keescook@...omium.org>
> ---
> v2:
>  - fix build failure typo in CONFIG_AUDIT=n case
>  - improve operations naming (paul)
> ---
>  fs/namei.c                 |  8 ++++++--
>  include/linux/audit.h      |  5 +++--
>  include/uapi/linux/audit.h |  1 +
>  kernel/audit.c             | 11 ++++++-----
>  4 files changed, 16 insertions(+), 9 deletions(-)

Thanks for the update, but I think we need another respin, see below.

> diff --git a/fs/namei.c b/fs/namei.c
> index 671c3c1a3425..2d5d245ae723 100644
> --- a/fs/namei.c
> +++ b/fs/namei.c
> @@ -925,7 +925,7 @@ static inline int may_follow_link(struct nameidata *nd)
>                 return -ECHILD;
>
>         audit_inode(nd->name, nd->stack[0].link.dentry, 0);
> -       audit_log_link_denied("follow_link");
> +       audit_log_path_denied(AUDIT_ANOM_LINK, "sticky_follow_link");

Maybe I should have been more clear in the last patch thread, but my
suggested name change was only for the new records you are adding; we
don't want to change the operation/op names for existing records.  In
the above change, "follow_link" should stay "follow_link".

> @@ -993,7 +993,7 @@ static int may_linkat(struct path *link)
>         if (safe_hardlink_source(inode) || inode_owner_or_capable(inode))
>                 return 0;
>
> -       audit_log_link_denied("linkat");
> +       audit_log_path_denied(AUDIT_ANOM_LINK, "unowned_linkat");

See above, this should stay as "linkat".

> @@ -1031,6 +1031,10 @@ static int may_create_in_sticky(struct dentry * const dir,
>             (dir->d_inode->i_mode & 0020 &&
>              ((sysctl_protected_fifos >= 2 && S_ISFIFO(inode->i_mode)) ||
>               (sysctl_protected_regular >= 2 && S_ISREG(inode->i_mode))))) {
> +               const char *operation = S_ISFIFO(inode->i_mode) ?
> +                                       "sticky_create_fifo" :
> +                                       "sticky_create_regular";
> +               audit_log_path_denied(AUDIT_ANOM_CREAT, operation);

This is a new record, so this is fine.  Thanks for changing this.

-- 
paul moore
www.paul-moore.com

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.