[RFC PATCH ghak59 V1 3/6] audit: exclude user records from syscall context
Richard Guy Briggs
rgb at redhat.com
Mon Jul 23 16:40:35 UTC 2018
On 2018-07-12 17:46, Richard Guy Briggs wrote:
> On 2018-06-28 18:11, Paul Moore wrote:
> > On Thu, Jun 14, 2018 at 4:23 PM Richard Guy Briggs <rgb at redhat.com> wrote:
> > > Since the function audit_log_common_recv_msg() is shared by a number of
> > > AUDIT_CONFIG_CHANGE and the entire range of AUDIT_USER_* record types,
> > > and since the AUDIT_CONFIG_CHANGE message type has been converted to a
> > > syscall accompanied record type, special-case the AUDIT_USER_* range of
> > > messages so they remain standalone records.
> > >
> > > See: https://github.com/linux-audit/audit-kernel/issues/59
> > > Signed-off-by: Richard Guy Briggs <rgb at redhat.com>
> > > ---
> > > kernel/audit.c | 12 +++++++++---
> > > 1 file changed, 9 insertions(+), 3 deletions(-)
> >
> > I think this is fine, but see my previous comment about combining 2/6
> > and 3/6 as a safety measure.
>
> This one I left as a seperate patch for discussion. We'd previously
> talked about connecting all possible records with syscall records if
> they exist, but this one I'm unsure about, since we don't really care
> what userspace process is issuing this message. It is just the message
> content itself that is important. Or is it? Are we concerned about
> CAP_AUDIT_WRITE holders/abusers and want as much info about them as we
> can get in case they go rogue or pear-shaped?
I'm waiting on re-spinning this patchset because of this open question.
Is connecting AUDIT_USER* records desirable or a liability?
> > > diff --git a/kernel/audit.c b/kernel/audit.c
> > > index e469234..c8c2efc 100644
> > > --- a/kernel/audit.c
> > > +++ b/kernel/audit.c
> > > @@ -1057,7 +1057,8 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
> > > return err;
> > > }
> > >
> > > -static void audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type)
> > > +static void __audit_log_common_recv_msg(struct audit_context *context,
> > > + struct audit_buffer **ab, u16 msg_type)
> > > {
> > > uid_t uid = from_kuid(&init_user_ns, current_uid());
> > > pid_t pid = task_tgid_nr(current);
> > > @@ -1067,7 +1068,7 @@ static void audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type)
> > > return;
> > > }
> > >
> > > - *ab = audit_log_start(audit_context(), GFP_KERNEL, msg_type);
> > > + *ab = audit_log_start(context, GFP_KERNEL, msg_type);
> > > if (unlikely(!*ab))
> > > return;
> > > audit_log_format(*ab, "pid=%d uid=%u", pid, uid);
> > > @@ -1075,6 +1076,11 @@ static void audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type)
> > > audit_log_task_context(*ab);
> > > }
> > >
> > > +static inline void audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type)
> > > +{
> > > + __audit_log_common_recv_msg(audit_context(), ab, msg_type);
> > > +}
> > > +
> > > int is_audit_feature_set(int i)
> > > {
> > > return af.features & AUDIT_FEATURE_TO_MASK(i);
> > > @@ -1341,7 +1347,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
> > > if (err)
> > > break;
> > > }
> > > - audit_log_common_recv_msg(&ab, msg_type);
> > > + __audit_log_common_recv_msg(NULL, &ab, msg_type);
> > > if (msg_type != AUDIT_USER_TTY)
> > > audit_log_format(ab, " msg='%.*s'",
> > > AUDIT_MESSAGE_TEXT_MAX,
> > > --
> > > 1.8.3.1
> > >
> >
> >
> > --
> > paul moore
> > www.paul-moore.com
> >
> > --
> > Linux-audit mailing list
> > Linux-audit at redhat.com
> > https://www.redhat.com/mailman/listinfo/linux-audit
>
> - RGB
>
> --
> Richard Guy Briggs <rgb at redhat.com>
> Sr. S/W Engineer, Kernel Security, Base Operating Systems
> Remote, Ottawa, Red Hat Canada
> IRC: rgb, SunRaycer
> Voice: +1.647.777.2635, Internal: (81) 32635
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
- RGB
--
Richard Guy Briggs <rgb at redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
More information about the Linux-audit
mailing list