[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAHC9VhRNmWw1__-haD1ZEekADTho3EJyXQMd6ETpOv4c8Qn9nw@mail.gmail.com>
Date: Thu, 26 Sep 2019 11:31:32 -0400
From: Paul Moore <paul@...l-moore.com>
To: Kees Cook <keescook@...omium.org>, sgrubb@...hat.com
Cc: linux-kernel@...r.kernel.org,
Jérémie Galarneau
<jeremie.galarneau@...icios.com>, s.mesoraca16@...il.com,
viro@...iv.linux.org.uk, dan.carpenter@...cle.com,
akpm@...ux-foundation.org,
Mathieu Desnoyers <mathieu.desnoyers@...icios.com>,
kernel-hardening@...ts.openwall.com, linux-audit@...hat.com,
Linus Torvalds <torvalds@...ux-foundation.org>
Subject: Re: [PATCH] audit: Report suspicious O_CREAT usage
On Wed, Sep 25, 2019 at 5:02 PM Kees Cook <keescook@...omium.org> wrote:
>
> This renames the very specific audit_log_link_denied() to
> audit_log_path_denied() and adds the AUDIT_* type as an argument. This
> allows for the creation of the new AUDIT_ANOM_CREAT that can be used to
> report the fifo/regular file creation restrictions that were introduced
> in commit 30aba6656f61 ("namei: allow restricted O_CREAT of FIFOs and
> regular files"). Without this change, discovering that the restriction
> is enabled can be very challenging:
> https://lore.kernel.org/lkml/CA+jJMxvkqjXHy3DnV5MVhFTL2RUhg0WQ-XVFW3ngDQOdkFq0PA@mail.gmail.com
>
> Reported-by: Jérémie Galarneau <jeremie.galarneau@...icios.com>
> Signed-off-by: Kees Cook <keescook@...omium.org>
> ---
> This is not a complete fix because reporting was broken in commit
> 15564ff0a16e ("audit: make ANOM_LINK obey audit_enabled and
> audit_dummy_context")
> which specifically goes against the intention of these records: they
> should _always_ be reported. If auditing isn't enabled, they should be
> ratelimited.
>
> Instead of using audit, should this just go back to using
> pr_ratelimited()?
I'm going to ignore the rename and other aspects of this patch for the
moment so we can focus on the topic of if/when/how these records
should be emitted by the kernel.
Unfortunately, people tend to get very upset if audit emits *any*
records when they haven't explicitly enabled audit, the significance
of the record doesn't seem to matter, which is why you see patches
like 15564ff0a16e ("audit: make ANOM_LINK obey audit_enabled and
audit_dummy_context"). We could consider converting some records to
printk()s, rate-limited or not, but we need to balance this with the
various security certifications which audit was created to satisfy.
In some cases a printk() isn't sufficient.
Steve is probably the only one who really keeps track of the various
auditing requirements of the different security certifications; what
say you Steve on this issue with ANOM_CREAT records?
--
paul moore
www.paul-moore.com
Powered by blists - more mailing lists