| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <41911815.FMGa2a4QOz@x2>
Date: Tue, 16 Jun 2020 11:43:26 -0400
From: Steve Grubb <sgrubb@...hat.com>
To: Paul Moore <paul@...l-moore.com>
Cc: Lakshmi Ramasubramanian <nramas@...ux.microsoft.com>,
zohar@...ux.ibm.com, rgb@...hat.com,
linux-integrity@...r.kernel.org, linux-audit@...hat.com,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2 1/2] integrity: Add result field in audit message
On Monday, June 15, 2020 6:51:22 PM EDT Paul Moore wrote:
> On Fri, Jun 12, 2020 at 10:26 PM Lakshmi Ramasubramanian
>
> <nramas@...ux.microsoft.com> wrote:
> > Result code is not included in the audit messages logged by
> > the integrity subsystem. Add "result" field in the audit messages
> > logged by the integrity subsystem and set the value to the result code
> > passed to integrity_audit_msg() in the "result" parameter.
> >
> > Sample audit message:
> >
> > [ 6.284329] audit: type=1804 audit(1591756723.627:2): pid=1 uid=0
> > auid=4294967295 ses=4294967295 subj=kernel op=add_boot_aggregate
> > cause=alloc_entry comm="swapper/0" name="boot_aggregate" res=0
> > result=-12
> >
> > [ 8.085456] audit: type=1802 audit(1592005947.297:9): pid=1 uid=0
> > auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
> > op=policy_update cause=completed comm="systemd" res=1 result=0
> >
> > Signed-off-by: Lakshmi Ramasubramanian <nramas@...ux.microsoft.com>
> > Suggested-by: Steve Grubb <sgrubb@...hat.com>
> > ---
> >
> > security/integrity/integrity_audit.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
>
> If we can't use "res=" to carry more than 0/1 then this seems reasonable.
Paul,
But we can't do this. The field name dictionary says this is used to convey
success/fail. It is hard coded in the field interpretation table to look for
0/1 and interpret that. Interpeting this field will now produce an error
message. And "result" is a searchable field.
As I suggested a few emails back, let's just use errno or something not
already taken in the dictionary. NACK.
-Steve
> Acked-by: Paul Moore <paul@...l-moore.com>
>
> > diff --git a/security/integrity/integrity_audit.c
> > b/security/integrity/integrity_audit.c index 5109173839cc..84002d3d5a95
> > 100644
> > --- a/security/integrity/integrity_audit.c
> > +++ b/security/integrity/integrity_audit.c
> > @@ -53,6 +53,6 @@ void integrity_audit_msg(int audit_msgno, struct inode
> > *inode,>
> > audit_log_untrustedstring(ab, inode->i_sb->s_id);
> > audit_log_format(ab, " ino=%lu", inode->i_ino);
> >
> > }
> >
> > - audit_log_format(ab, " res=%d", !result);
> > + audit_log_format(ab, " res=%d result=%d", !result, result);
> >
> > audit_log_end(ab);
> >
> > }
> >
> > --
> > 2.27.0
Powered by blists - more mailing lists