Date: Mon, 2 Dec 2013 15:09:01 -0500 From: Jeff Layton <jlayton@...hat.com> To: Greg Kroah-Hartman <gregkh@...uxfoundation.org> Cc: linux-kernel@...r.kernel.org, stable@...r.kernel.org, Eric Paris <eparis@...hat.com>, Richard Guy Briggs <rgb@...hat.com> Subject: Re: [PATCH 3.10 086/173] audit: log the audit_names record type On Mon, 2 Dec 2013 11:11:09 -0800 Greg Kroah-Hartman <gregkh@...uxfoundation.org> wrote: > 3.10-stable review patch. If anyone has any objections, please let me know. > > ------------------ > > From: Jeff Layton <jlayton@...hat.com> > > commit d3aea84a4ace5ff9ce7fb7714cee07bebef681c2 upstream. > > ...to make it clear what the intent behind each record's operation was. > > In many cases you can infer this, based on the context of the syscall > and the result. In other cases it's not so obvious. For instance, in > the case where you have a file being renamed over another, you'll have > two different records with the same filename but different inode info. > By logging this information we can clearly tell which one was created > and which was deleted. > > This fixes what was broken in commit bfcec708. > Commit 79f6530c should also be backported to stable v3.7+. > > Signed-off-by: Jeff Layton <jlayton@...hat.com> > Signed-off-by: Eric Paris <eparis@...hat.com> > Signed-off-by: Richard Guy Briggs <rgb@...hat.com> > Signed-off-by: Eric Paris <eparis@...hat.com> > Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org> > > --- > kernel/audit.c | 20 ++++++++++++++++++++ > 1 file changed, 20 insertions(+) > > --- a/kernel/audit.c > +++ b/kernel/audit.c 
> @@ -1537,6 +1537,26 @@ void audit_log_name(struct audit_context > } > } > > + /* log the audit_names record type */ > + audit_log_format(ab, " nametype="); > + switch(n->type) { > + case AUDIT_TYPE_NORMAL: > + audit_log_format(ab, "NORMAL"); > + break; > + case AUDIT_TYPE_PARENT: > + audit_log_format(ab, "PARENT"); > + break; > + case AUDIT_TYPE_CHILD_DELETE: > + audit_log_format(ab, "DELETE"); > + break; > + case AUDIT_TYPE_CHILD_CREATE: > + audit_log_format(ab, "CREATE"); > + break; > + default: > + audit_log_format(ab, "UNKNOWN"); > + break; > + } > + > audit_log_fcaps(ab, n); > audit_log_end(ab); > } > > I'm not sure this is really suitable or needed for stable. It's unlikely to hurt anything, but it doesn't really fix a problem per-se. It just adds a little extra info to the audit records. Ditto for the 3.12 version of this patch... -- Jeff Layton <jlayton@...hat.com> -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
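Review bot: `switch(n->type)` in the added block lacks the space after the keyword that kernel coding style asks for, so it should read `switch (n->type)`. The five separate `audit_log_format()` calls that each emit a constant string could also be collapsed: let the switch select a `const char *` and emit it with a single `audit_log_format(ab, " nametype=%s", ...)` call, which keeps the key and its value together. Because the new ` nametype=` field is written ahead of the `audit_log_fcaps(ab, n)` output rather than at the end of the record, the commit message should say that the record layout changes, so that anyone parsing these records by field position rather than by key can check their parser.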