| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 2 Dec 2013 15:09:01 -0500
From: Jeff Layton <jlayton@...hat.com>
To: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc: linux-kernel@...r.kernel.org, stable@...r.kernel.org,
Eric Paris <eparis@...hat.com>,
Richard Guy Briggs <rgb@...hat.com>
Subject: Re: [PATCH 3.10 086/173] audit: log the audit_names record type
On Mon, 2 Dec 2013 11:11:09 -0800
Greg Kroah-Hartman <gregkh@...uxfoundation.org> wrote:
> 3.10-stable review patch. If anyone has any objections, please let me know.
>
> ------------------
>
> From: Jeff Layton <jlayton@...hat.com>
>
> commit d3aea84a4ace5ff9ce7fb7714cee07bebef681c2 upstream.
>
> ...to make it clear what the intent behind each record's operation was.
>
> In many cases you can infer this, based on the context of the syscall
> and the result. In other cases it's not so obvious. For instance, in
> the case where you have a file being renamed over another, you'll have
> two different records with the same filename but different inode info.
> By logging this information we can clearly tell which one was created
> and which was deleted.
>
> This fixes what was broken in commit bfcec708.
> Commit 79f6530c should also be backported to stable v3.7+.
>
> Signed-off-by: Jeff Layton <jlayton@...hat.com>
> Signed-off-by: Eric Paris <eparis@...hat.com>
> Signed-off-by: Richard Guy Briggs <rgb@...hat.com>
> Signed-off-by: Eric Paris <eparis@...hat.com>
> Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
>
> ---
> kernel/audit.c | 20 ++++++++++++++++++++
> 1 file changed, 20 insertions(+)
>
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -1537,6 +1537,26 @@ void audit_log_name(struct audit_context
> }
> }
>
> + /* log the audit_names record type */
> + audit_log_format(ab, " nametype=");
> + switch(n->type) {
> + case AUDIT_TYPE_NORMAL:
> + audit_log_format(ab, "NORMAL");
> + break;
> + case AUDIT_TYPE_PARENT:
> + audit_log_format(ab, "PARENT");
> + break;
> + case AUDIT_TYPE_CHILD_DELETE:
> + audit_log_format(ab, "DELETE");
> + break;
> + case AUDIT_TYPE_CHILD_CREATE:
> + audit_log_format(ab, "CREATE");
> + break;
> + default:
> + audit_log_format(ab, "UNKNOWN");
> + break;
> + }
> +
> audit_log_fcaps(ab, n);
> audit_log_end(ab);
> }
>
>
I'm not sure this is really suitable or needed for stable. It's
unlikely to hurt anything, but it doesn't really fix a problem per-se.
It just adds a little extra info to the audit records.
Ditto for the 3.12 version of this patch...
--
Jeff Layton <jlayton@...hat.com>
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists