Date: Thu, 26 Sep 2019 11:31:32 -0400 From: Paul Moore <paul@...l-moore.com> To: Kees Cook <keescook@...omium.org>, sgrubb@...hat.com Cc: linux-kernel@...r.kernel.org, Jérémie Galarneau <jeremie.galarneau@...icios.com>, s.mesoraca16@...il.com, viro@...iv.linux.org.uk, dan.carpenter@...cle.com, akpm@...ux-foundation.org, Mathieu Desnoyers <mathieu.desnoyers@...icios.com>, kernel-hardening@...ts.openwall.com, linux-audit@...hat.com, Linus Torvalds <torvalds@...ux-foundation.org> Subject: Re: [PATCH] audit: Report suspicious O_CREAT usage On Wed, Sep 25, 2019 at 5:02 PM Kees Cook <keescook@...omium.org> wrote: > > This renames the very specific audit_log_link_denied() to > audit_log_path_denied() and adds the AUDIT_* type as an argument. This > allows for the creation of the new AUDIT_ANOM_CREAT that can be used to > report the fifo/regular file creation restrictions that were introduced > in commit 30aba6656f61 ("namei: allow restricted O_CREAT of FIFOs and > regular files"). Without this change, discovering that the restriction > is enabled can be very challenging: > https://lore.kernel.org/lkml/CA+jJMxvkqjXHy3DnV5MVhFTL2RUhg0WQ-XVFW3ngDQOdkFq0PA@mail.gmail.com > > Reported-by: Jérémie Galarneau <jeremie.galarneau@...icios.com> > Signed-off-by: Kees Cook <keescook@...omium.org> > --- > This is not a complete fix because reporting was broken in commit > 15564ff0a16e ("audit: make ANOM_LINK obey audit_enabled and > audit_dummy_context") > which specifically goes against the intention of these records: they > should _always_ be reported. If auditing isn't enabled, they should be > ratelimited. > > Instead of using audit, should this just go back to using > pr_ratelimited()? I'm going to ignore the rename and other aspects of this patch for the moment so we can focus on the topic of if/when/how these records should be emitted by the kernel. Unfortunately, people tend to get very upset if audit emits *any* records when they haven't explicitly enabled audit, the significance of the record doesn't seem to matter, which is why you see patches like 15564ff0a16e ("audit: make ANOM_LINK obey audit_enabled and audit_dummy_context"). We could consider converting some records to printk()s, rate-limited or not, but we need to balance this with the various security certifications which audit was created to satisfy. In some cases a printk() isn't sufficient. Steve is probably the only one who really keeps track of the various auditing requirements of the different security certifications; what say you Steve on this issue with ANOM_CREAT records? -- paul moore www.paul-moore.com
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.