audit: invalid op= values for rules [was: Re: Linux bug report submitted]

Richard Guy Briggs rgb at redhat.com
Fri Apr 4 15:59:24 UTC 2014


On 14/04/04, Burn Alting wrote:
> All,
> 
> I finally submitted a bug report to the Linux kernel with respect to
> invalid audit 'op' values.
> 
> The bug is listed as https://bugzilla.kernel.org/show_bug.cgi?id=73511
> and is described as ...
> 
>         Various audit events dealing with adding, removing and updating
>         rules result in invalid values set for the op keys which result
>         in embedded spaces in op= values.
>         The invalid values are
>         op="add rule"       set in kernel/auditfilter.c
>         op="remove rule"    set in kernel/auditfilter.c
>         op="remove rule"    set in kernel/audit_tree.c
>         op="updated rules"  set in kernel/audit_watch.c
>         op="remove rule"    set in kernel/audit_watch.c
>         
>         The attached patch replaces the space in the above values with
>         an underscore character ('_').
>         
> A patch was also provided.
> 
> One assumes the similar issues (cause keys having values with embedded
> spaces) pointed out by Steve in the ima code in
> https://www.redhat.com/archives/linux-audit/2014-April/msg00014.html
> will also get fixed.

Yes, I have a patch for that.

> For those interested, I have attached the patch.

Thanks Burn!  I'll add these to my tree and watch for issues raised by
log consumers.

> Rgds

> diff -Npru linux/kernel/auditfilter.c linux_burn/kernel/auditfilter.c
> --- linux/kernel/auditfilter.c	2014-04-04 10:34:25.378979727 +1100
> +++ linux_burn/kernel/auditfilter.c	2014-04-04 10:42:24.782022509 +1100
> @@ -1045,7 +1045,7 @@ int audit_rule_change(int type, __u32 po
>  			return PTR_ERR(entry);
>  
>  		err = audit_add_rule(entry);
> -		audit_log_rule_change("add rule", &entry->rule, !err);
> +		audit_log_rule_change("add_rule", &entry->rule, !err);
>  		if (err)
>  			audit_free_rule(entry);
>  		break;
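Review bot: the new string is user-visible log output, and consumers that already match the literal `op="add rule"` will stop matching once this lands, so the change needs a commit description that says so; as posted, the patch is a plain `diff -Npru` with no description and no Signed-off-by line, and the bug-report text quoted above (the list of the five old values and the underscore replacement) is exactly what that description should carry.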
> @@ -1055,7 +1055,7 @@ int audit_rule_change(int type, __u32 po
>  			return PTR_ERR(entry);
>  
>  		err = audit_del_rule(entry);
> -		audit_log_rule_change("remove rule", &entry->rule, !err);
> +		audit_log_rule_change("remove_rule", &entry->rule, !err);
>  		audit_free_rule(entry);
>  		break;
>  	default:
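Review bot: this hunk fixes the two call sites inside audit_rule_change only; since audit_log_rule_change takes the op string from its caller, any other caller of it outside this function that still passes a value with a space would leave the bug half-fixed, so the submission should state that the remaining callers were checked (a grep for audit_log_rule_change would settle it).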
> diff -Npru linux/kernel/audit_tree.c linux_burn/kernel/audit_tree.c
> --- linux/kernel/audit_tree.c	2014-04-04 10:34:25.378979727 +1100
> +++ linux_burn/kernel/audit_tree.c	2014-04-04 10:42:47.462777736 +1100
> @@ -457,7 +457,7 @@ static void audit_log_remove_rule(struct
>  	if (unlikely(!ab))
>  		return;
>  	audit_log_format(ab, "op=");
> -	audit_log_string(ab, "remove rule");
> +	audit_log_string(ab, "remove_rule");
>  	audit_log_format(ab, " dir=");
>  	audit_log_untrustedstring(ab, rule->tree->pathname);
>  	audit_log_key(ab, rule->filterkey);
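Review bot: the value here goes through audit_log_string, which is why the bug report shows it already double-quoted as `op="remove rule"`; the point of the underscore is therefore that consumers tokenize on whitespace without honouring the quotes, and that rationale belongs in the commit message so a later reader does not conclude the quoting already made the space safe and revert it.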
> diff -Npru linux/kernel/audit_watch.c linux_burn/kernel/audit_watch.c
> --- linux/kernel/audit_watch.c	2014-04-04 10:34:25.378979727 +1100
> +++ linux_burn/kernel/audit_watch.c	2014-04-04 10:43:24.475304414 +1100
> @@ -314,7 +314,7 @@ static void audit_update_watch(struct au
>  					     &nentry->rule.list);
>  			}
>  
> -			audit_watch_log_rule_change(r, owatch, "updated rules");
> +			audit_watch_log_rule_change(r, owatch, "updated_rules");
>  
>  			call_rcu(&oentry->rcu, audit_free_rule_rcu);
>  		}
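Review bot: `"updated_rules"` is plural and past tense while every other value in this patch is an imperative singular (`add_rule`, `remove_rule`); unless a consumer is known to depend on the existing spelling, `"update_rule"` would keep the op= vocabulary uniform, and if the plural is kept on purpose the reason should be stated.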
> @@ -342,7 +342,7 @@ static void audit_remove_parent_watches(
>  	list_for_each_entry_safe(w, nextw, &parent->watches, wlist) {
>  		list_for_each_entry_safe(r, nextr, &w->rules, rlist) {
>  			e = container_of(r, struct audit_entry, rule);
> -			audit_watch_log_rule_change(r, w, "remove rule");
> +			audit_watch_log_rule_change(r, w, "remove_rule");
>  			list_del(&r->rlist);
>  			list_del(&r->list);
>  			list_del_rcu(&e->list);
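Review bot: with this hunk the literal `"remove_rule"` is now spelled out in three files (auditfilter.c, audit_tree.c, audit_watch.c) through three different formatters; a single definition in kernel/audit.h used by all three call sites would keep the value from drifting the next time one of them is edited, which is the kind of inconsistency this patch is fixing.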

> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit


- RGB

--
Richard Guy Briggs <rbriggs at redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
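An added example, not part of this message, the bug report, or the kernel patch, showing the log-consumer side of the problem the thread is about. The two records below are constructed (the timestamps, serial numbers and field layout are illustrative, modelled on a CONFIG_CHANGE event). A tokenizer that splits a record on whitespace silently truncates `op="add rule"` to `add` and drops the rest, while a quote-aware tokenizer keeps the value whole; after the underscore change both consumers agree. The function names are the example's own.

```python
"""Tokenize Linux audit records into key=value fields.

Added example: demonstrates why an embedded space in an op= value breaks
consumers that split on whitespace, and how the underscore form removes
the ambiguity. Sample records are constructed, not captured.
"""
import re

# Constructed samples: the first carries the pre-patch value with a space,
# the second the post-patch underscore form.
RECORD_BEFORE = ('type=CONFIG_CHANGE msg=audit(1396626000.123:45): '
                 'auid=1000 ses=2 op="add rule" key=(null) list=4 res=1')
RECORD_AFTER = ('type=CONFIG_CHANGE msg=audit(1396626000.123:46): '
                'auid=1000 ses=2 op="add_rule" key=(null) list=4 res=1')


def naive_fields(record):
    """Whitespace-split consumer: every token with '=' becomes a field.

    A quoted value containing a space is cut at the space; the remainder
    ('rule"') has no '=' and is silently discarded.
    """
    fields = {}
    for tok in record.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value.strip('"')
    return fields


# A value is either a double-quoted string (spaces and escaped quotes allowed)
# or a run of non-whitespace characters.
_FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


def quoted_fields(record):
    """Quote-aware consumer: a quoted value is kept intact, quotes removed."""
    fields = {}
    for match in _FIELD_RE.finditer(record):
        key, value = match.group(1), match.group(2)
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def op_has_embedded_space(record):
    """True when the record's op= value contains whitespace (the reported bug)."""
    return any(ch.isspace() for ch in quoted_fields(record).get("op", ""))


def consumers_agree(record):
    """True when naive and quote-aware parsing yield the same op= value."""
    return naive_fields(record).get("op") == quoted_fields(record).get("op")


if __name__ == "__main__":
    for rec in (RECORD_BEFORE, RECORD_AFTER):
        print(naive_fields(rec)["op"], "|", quoted_fields(rec)["op"],
              "| space:", op_has_embedded_space(rec),
              "| agree:", consumers_agree(rec))
```

Run as a script it prints the two parsings side by side; the pre-patch record is the one where the naive consumer returns `add` and the two parsers disagree, which is the kind of consumer breakage the reply above says it will watch for.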



