| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAHC9VhQBN1H9b2aTa-OHzowXeR4Y3DzRnF=do5Q5SWDTsbu4cw@mail.gmail.com> Date: Sun, 11 Aug 2024 17:52:26 -0400 From: Paul Moore <paul@...l-moore.com> To: Jeff Layton <jlayton@...nel.org> Cc: Jan Kara <jack@...e.cz>, Christian Brauner <brauner@...nel.org>, Alexander Viro <viro@...iv.linux.org.uk>, Andrew Morton <akpm@...ux-foundation.org>, Mateusz Guzik <mjguzik@...il.com>, Josef Bacik <josef@...icpanda.com>, linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org, audit@...r.kernel.org Subject: Re: [PATCH v2] fs: try an opportunistic lookup for O_CREAT opens too On Fri, Aug 9, 2024 at 10:21 AM Jeff Layton <jlayton@...nel.org> wrote: > On Thu, 2024-08-08 at 21:22 -0400, Paul Moore wrote: > > On Thu, Aug 8, 2024 at 8:33 PM Jeff Layton <jlayton@...nel.org> > > wrote: ... > > > The question here is about the case where O_CREAT is set, but the > > > file > > > already exists. Nothing is being created in that case, so do we > > > need to > > > emit an audit record for the parent? > > > > As long as the full path information is present in the existing > > file's > > audit record it should be okay. > > O_CREAT is ignored when the dentry already exists, so doing the same > thing that we do when O_CREAT isn't set seems reasonable. > > We do call this in do_open, which would apply in this case: > > if (!(file->f_mode & FMODE_CREATED)) > audit_inode(nd->name, nd->path.dentry, 0); > > That should have the necessary path info. If that's the case, then I > think Christian's cleanup series on top of mine should be OK. I think > that the only thing that would be missing is the AUDIT_INODE_PARENT > record for the directory in the case where the dentry already exists, > which should be superfluous. > > ISTR that Red Hat has a pretty extensive testsuite for audit. We might > want to get them to run their tests on Christian's changes to be sure > there are no surprises, if they are amenable. I believe you are thinking of the audit-test project, which started as a community effort to develop a test suite suitable for the popular Common Criteria protection profiles of the time (of which auditing was an important requirement). Unfortunately, after a couple rounds of certifications I couldn't get the various companies involved to continue to maintain the public test suite anymore, so everyone went their own way with private forks. I have no idea if the community project still works, but someone at IBM/RH should have a recent~ish version that either runs on a modern system or is close to it. FWIW, the dead/dormant community project can be found at the link below (yes, that is a sf.net link): https://sourceforge.net/projects/audit-test It's been a while since I've been at RH, so I'm not sure if my test/QA contacts are still there, but if you don't have a contact at IBM/RH Jeff let me know and I can try to reach out. -- paul-moore.com
Powered by blists - more mailing lists