audit: invalid op= values for rules [was: Re: Linux bug report submitted]
Richard Guy Briggs
rgb at redhat.com
Fri Apr 4 15:59:24 UTC 2014
On 14/04/04, Burn Alting wrote:
> All,
>
> I finally submitted a bug report to the Linux kernel with respect to
> invalid audit 'op' values.
>
> The bug is listed as https://bugzilla.kernel.org/show_bug.cgi?id=73511
> and is described as ...
>
> Various audit events dealing with adding, removing and updating
> rules result in invalid values set for the op keys which result
> in embedded spaces in op= values.
> The invalid values are
> op="add rule" set in kernel/auditfilter.c
> op="remove rule" set in kernel/auditfilter.c
> op="remove rule" set in kernel/audit_tree.c
> op="updated rules" set in kernel/audit_watch.c
> op="remove rule" set in kernel/audit_watch.c
>
> The attached patch replaces the space in the above values with
> an underscore character ('_').
>
> A patch was also provided.
>
> One assumes the similar issues (cause keys having values with embedded
> spaces) pointed out by Steve in the ima code in
> https://www.redhat.com/archives/linux-audit/2014-April/msg00014.html
> will also get fixed.
Yes, I have a patch for that.
> For those interested, I have attached the patch.
Thanks Burn! I'll add these to my tree and watch for issues raised by
log consumers.
> Rgds
> diff -Npru linux/kernel/auditfilter.c linux_burn/kernel/auditfilter.c
> --- linux/kernel/auditfilter.c 2014-04-04 10:34:25.378979727 +1100
> +++ linux_burn/kernel/auditfilter.c 2014-04-04 10:42:24.782022509 +1100
> @@ -1045,7 +1045,7 @@ int audit_rule_change(int type, __u32 po
> return PTR_ERR(entry);
>
> err = audit_add_rule(entry);
> - audit_log_rule_change("add rule", &entry->rule, !err);
> + audit_log_rule_change("add_rule", &entry->rule, !err);
> if (err)
> audit_free_rule(entry);
> break;
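Review bot: the literal passed to audit_log_rule_change() here is a user-visible log format change, so the commit message should say so and cite the bugzilla ID from the cover text (73511); any consumer matching on op="add rule" stops matching once `audit_log_rule_change("add_rule", &entry->rule, !err);` lands. Nothing in the hunk itself needs changing.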
> @@ -1055,7 +1055,7 @@ int audit_rule_change(int type, __u32 po
> return PTR_ERR(entry);
>
> err = audit_del_rule(entry);
> - audit_log_rule_change("remove rule", &entry->rule, !err);
> + audit_log_rule_change("remove_rule", &entry->rule, !err);
> audit_free_rule(entry);
> break;
> default:
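Review bot: "remove_rule" is now a bare string literal at three call sites (this hunk, audit_log_remove_rule() in audit_tree.c and audit_remove_parent_watches() in audit_watch.c). Consider one shared definition in the internal audit header and pass that to audit_log_rule_change() and the other two callers, so the three spellings cannot drift apart on the next rename.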
> diff -Npru linux/kernel/audit_tree.c linux_burn/kernel/audit_tree.c
> --- linux/kernel/audit_tree.c 2014-04-04 10:34:25.378979727 +1100
> +++ linux_burn/kernel/audit_tree.c 2014-04-04 10:42:47.462777736 +1100
> @@ -457,7 +457,7 @@ static void audit_log_remove_rule(struct
> if (unlikely(!ab))
> return;
> audit_log_format(ab, "op=");
> - audit_log_string(ab, "remove rule");
> + audit_log_string(ab, "remove_rule");
> audit_log_format(ab, " dir=");
> audit_log_untrustedstring(ab, rule->tree->pathname);
> audit_log_key(ab, rule->filterkey);
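Review bot: the value is still emitted through audit_log_string() after `audit_log_format(ab, "op=");`, so the quoting behaviour that produced op="remove rule" in the bug report is unchanged and consumers will see op="remove_rule", not a bare op=remove_rule. That is fine for a minimal fix, but the commit message should state which form consumers should expect.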
> diff -Npru linux/kernel/audit_watch.c linux_burn/kernel/audit_watch.c
> --- linux/kernel/audit_watch.c 2014-04-04 10:34:25.378979727 +1100
> +++ linux_burn/kernel/audit_watch.c 2014-04-04 10:43:24.475304414 +1100
> @@ -314,7 +314,7 @@ static void audit_update_watch(struct au
> &nentry->rule.list);
> }
>
> - audit_watch_log_rule_change(r, owatch, "updated rules");
> + audit_watch_log_rule_change(r, owatch, "updated_rules");
>
> call_rcu(&oentry->rcu, audit_free_rule_rcu);
> }
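Review bot: `audit_watch_log_rule_change(r, owatch, "updated_rules");` leaves the op vocabulary as add_rule / remove_rule / updated_rules, mixing tense and number. Since this patch is already a user-visible change to the value, either normalise it to "update_rule" here or say in the commit message that only the space was replaced and the wording was deliberately left alone.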
> @@ -342,7 +342,7 @@ static void audit_remove_parent_watches(
> list_for_each_entry_safe(w, nextw, &parent->watches, wlist) {
> list_for_each_entry_safe(r, nextr, &w->rules, rlist) {
> e = container_of(r, struct audit_entry, rule);
> - audit_watch_log_rule_change(r, w, "remove rule");
> + audit_watch_log_rule_change(r, w, "remove_rule");
> list_del(&r->rlist);
> list_del(&r->list);
> list_del_rcu(&e->list);
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
- RGB
--
Richard Guy Briggs <rbriggs at redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
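The thread above is about op= values that carry an embedded space, which the bug report says trips up log consumers. The following Python is an added example for this page, not code from the kernel, from audit-userspace or from either poster, showing why: it parses constructed CONFIG_CHANGE-style records (the field layout is an assumption modelled on such records, not real log lines) first with a whitespace split, which cuts op="add rule" in half, and then with a quote-aware parser. It also includes a small scanner that reports which fields of a record still contain a space, which is the check a practitioner would run over an audit.log to see whether their kernel is affected.

```python
"""Parse Linux audit records as key=value fields and show why a value with an
embedded space (op="add rule") trips up a whitespace-splitting consumer.

Added example for this thread; not code from the kernel, audit-userspace or
the patch author. The sample records below are constructed by hand, modelled
on CONFIG_CHANGE records, and are not real log lines from the page."""
import re

# Constructed CONFIG_CHANGE-style records (assumption: the field layout is
# modelled on such records, not copied from a real system). The first and
# third carry the pre-patch op= values with embedded spaces; the second
# carries the post-patch underscore form.
SAMPLE_RECORDS = [
    'type=CONFIG_CHANGE msg=audit(1396627164.123:42): auid=1000 ses=1 op="add rule" key=(null) list=4 res=1',
    'type=CONFIG_CHANGE msg=audit(1396627164.456:43): auid=1000 ses=1 op=add_rule key=(null) list=4 res=1',
    'type=CONFIG_CHANGE msg=audit(1396627164.789:44): auid=1000 ses=1 op="updated rules" path="/etc/hosts" key="hosts-watch" list=4 res=1',
]

# One key=value field: a key, then either a double-quoted value (backslash
# escapes allowed inside) or a run of non-whitespace characters.
_FIELD_RE = re.compile(
    r'(?P<key>[A-Za-z_][A-Za-z0-9_]*)=(?P<val>"(?:[^"\\]|\\.)*"|\S*)'
)


def naive_parse(record: str) -> dict:
    """Split on whitespace, then on the first '='.

    This is the shortcut many ad-hoc log consumers take. A quoted value with
    a space is cut in half: op="add rule" yields op -> '"add' and the
    dangling 'rule"' token, having no '=', is silently discarded."""
    fields = {}
    for token in record.split():
        if "=" in token:
            key, _, val = token.partition("=")
            fields[key] = val
    return fields


def quoted_parse(record: str) -> dict:
    """Quote-aware parse: a double-quoted value may contain spaces, and the
    surrounding quotes are stripped from the returned value."""
    fields = {}
    for m in _FIELD_RE.finditer(record):
        val = m.group("val")
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        fields[m.group("key")] = val
    return fields


def op_values(records, parser):
    """Return the op= value the given parser extracts from each record."""
    return [parser(r).get("op") for r in records]


def fields_with_embedded_space(record: str) -> list:
    """Keys whose (quote-aware) value contains a space: the defect class the
    bug report describes. Run over an audit.log to see whether a kernel still
    emits such values."""
    return [k for k, v in quoted_parse(record).items() if " " in v]


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print("naive  op:", naive_parse(rec).get("op"))
        print("quoted op:", quoted_parse(rec).get("op"))
        print("fields with a space:", fields_with_embedded_space(rec))
```

The scanner is the interesting part for an operator: feed it each line of /var/log/audit/audit.log and any non-empty result names a field a whitespace-splitting consumer will misread, whether it is one of the five op= sites in the patch or something else.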