Linux bug report submitted

Burn Alting burn at swtf.dyndns.org
Fri Apr 4 05:00:38 UTC 2014


All,

I finally submitted a bug report to the Linux kernel with respect to
invalid audit 'op' values.

The bug is listed as https://bugzilla.kernel.org/show_bug.cgi?id=73511
and is described as ...

        Various audit events dealing with adding, removing and updating
        rules result in invalid values set for the op keys which result
        in embedded spaces in op= values.
        The invalid values are
        op="add rule"       set in kernel/auditfilter.c
        op="remove rule"    set in kernel/auditfilter.c
        op="remove rule"    set in kernel/audit_tree.c
        op="updated rules"  set in kernel/audit_watch.c
        op="remove rule"    set in kernel/audit_watch.c
        
        The attached patch replaces the space in the above values with
        an underscore character ('_').
        
A patch was also provided.

One assumes the similar issues (cause keys having values with embedded
spaces) pointed out by Steve in the ima code in
https://www.redhat.com/archives/linux-audit/2014-April/msg00014.html
will also get fixed.

For those interested, I have attached the patch.

Rgds
-------------- next part --------------
diff -Npru linux/kernel/auditfilter.c linux_burn/kernel/auditfilter.c
--- linux/kernel/auditfilter.c	2014-04-04 10:34:25.378979727 +1100
+++ linux_burn/kernel/auditfilter.c	2014-04-04 10:42:24.782022509 +1100
@@ -1045,7 +1045,7 @@ int audit_rule_change(int type, __u32 po
 			return PTR_ERR(entry);
 
 		err = audit_add_rule(entry);
-		audit_log_rule_change("add rule", &entry->rule, !err);
+		audit_log_rule_change("add_rule", &entry->rule, !err);
 		if (err)
 			audit_free_rule(entry);
 		break;
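Review bot: the new "add_rule" literal in audit_rule_change() changes text that userspace consumers see in the op= field, so any search or parser that matches the old "add rule" string will stop matching after this change. The attachment starts straight at the diff with no changelog text or Signed-off-by line; please add both, and list the old and new value for each of the five call sites so log consumers can update their matches.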
@@ -1055,7 +1055,7 @@ int audit_rule_change(int type, __u32 po
 			return PTR_ERR(entry);
 
 		err = audit_del_rule(entry);
-		audit_log_rule_change("remove rule", &entry->rule, !err);
+		audit_log_rule_change("remove_rule", &entry->rule, !err);
 		audit_free_rule(entry);
 		break;
 	default:
diff -Npru linux/kernel/audit_tree.c linux_burn/kernel/audit_tree.c
--- linux/kernel/audit_tree.c	2014-04-04 10:34:25.378979727 +1100
+++ linux_burn/kernel/audit_tree.c	2014-04-04 10:42:47.462777736 +1100
@@ -457,7 +457,7 @@ static void audit_log_remove_rule(struct
 	if (unlikely(!ab))
 		return;
 	audit_log_format(ab, "op=");
-	audit_log_string(ab, "remove rule");
+	audit_log_string(ab, "remove_rule");
 	audit_log_format(ab, " dir=");
 	audit_log_untrustedstring(ab, rule->tree->pathname);
 	audit_log_key(ab, rule->filterkey);
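Review bot: in audit_log_remove_rule(), once the literal has no embedded space, the separate audit_log_string() call is no longer needed to keep the value together as one token. The three calls could be folded into a single audit_log_format(ab, "op=remove_rule dir="). That would also drop the quotes the bug description shows around the value, so the changelog should say whether op is meant to stay quoted.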
diff -Npru linux/kernel/audit_watch.c linux_burn/kernel/audit_watch.c
--- linux/kernel/audit_watch.c	2014-04-04 10:34:25.378979727 +1100
+++ linux_burn/kernel/audit_watch.c	2014-04-04 10:43:24.475304414 +1100
@@ -314,7 +314,7 @@ static void audit_update_watch(struct au
 					     &nentry->rule.list);
 			}
 
-			audit_watch_log_rule_change(r, owatch, "updated rules");
+			audit_watch_log_rule_change(r, owatch, "updated_rules");
 
 			call_rcu(&oentry->rcu, audit_free_rule_rcu);
 		}
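Review bot: "updated_rules" in audit_update_watch() keeps the past tense and plural of the old string, while the other values in this patch are "add_rule" and "remove_rule". Since the op strings are being changed anyway, consider "update_rule" here so the set is consistent, or state in the changelog why this one differs.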
@@ -342,7 +342,7 @@ static void audit_remove_parent_watches(
 	list_for_each_entry_safe(w, nextw, &parent->watches, wlist) {
 		list_for_each_entry_safe(r, nextr, &w->rules, rlist) {
 			e = container_of(r, struct audit_entry, rule);
-			audit_watch_log_rule_change(r, w, "remove rule");
+			audit_watch_log_rule_change(r, w, "remove_rule");
 			list_del(&r->rlist);
 			list_del(&r->list);
 			list_del_rcu(&e->list);
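Review bot: the "remove_rule" literal passed in audit_remove_parent_watches() is the third copy of this string in the patch, after kernel/auditfilter.c and kernel/audit_tree.c. A shared definition in a common audit header would keep the three call sites from drifting apart again.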

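Why the embedded space matters to log consumers, as an added example that is not part of the original post or the kernel patch: a whitespace-only key=value splitter truncates the old op values, and a collector that receives records from both patched and unpatched kernels has to normalise them. The sample records are constructed, the function names are hypothetical, and the patched value is assumed to still be quoted.

```python
import shlex

# Old op values named in the bug report, mapped to the patched spellings.
OP_RENAMES = {
    "add rule": "add_rule",
    "remove rule": "remove_rule",
    "updated rules": "updated_rules",
}

def naive_fields(record):
    """Split on whitespace only, as a simple key=value consumer would."""
    fields, stray = {}, []
    for token in record.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
        else:
            stray.append(token)  # fragment of a value that contained a space
    return fields, stray

def quoted_fields(record):
    """Quote-aware split: keeps op="add rule" together as one field."""
    fields = {}
    for token in shlex.split(record):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields

def normalized_op(record):
    """Return op in the patched spelling, whichever kernel wrote the record."""
    op = quoted_fields(record).get("op")
    return OP_RENAMES.get(op, op)

# Constructed sample records (not captured from a real system).
OLD = ('type=CONFIG_CHANGE msg=audit(1396587638.123:42): auid=1000 ses=1 '
       'op="add rule" key="watch-etc" list=4 res=1')
NEW = ('type=CONFIG_CHANGE msg=audit(1396587638.123:43): auid=1000 ses=1 '
       'op="add_rule" key="watch-etc" list=4 res=1')

if __name__ == "__main__":
    print(naive_fields(OLD))   # op is cut to '"add', 'rule"' is left stray
    print(normalized_op(OLD), normalized_op(NEW))
```
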
