From patchwork Sat Mar 16 12:10:08 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Richard Guy Briggs X-Patchwork-Id: 10855837 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id DA0C41575 for ; Sat, 16 Mar 2019 12:11:01 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id AECA12A515 for ; Sat, 16 Mar 2019 12:11:01 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 9E2EA2A527; Sat, 16 Mar 2019 12:11:01 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 4472A2A515 for ; Sat, 16 Mar 2019 12:11:01 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726376AbfCPMK6 (ORCPT ); Sat, 16 Mar 2019 08:10:58 -0400 Received: from mx1.redhat.com ([209.132.183.28]:59274 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726310AbfCPMK6 (ORCPT ); Sat, 16 Mar 2019 08:10:58 -0400 Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 8FACFC049D67; Sat, 16 Mar 2019 12:10:57 +0000 (UTC) Received: from madcap2.tricolour.ca (ovpn-112-22.phx2.redhat.com [10.3.112.22]) by smtp.corp.redhat.com (Postfix) with ESMTP id 8B8255D6B3; Sat, 16 Mar 2019 12:10:50 +0000 (UTC) From: Richard Guy Briggs To: linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, Linux-Audit Mailing List , LKML Cc: Paul Moore , sgrubb@redhat.com, omosnace@redhat.com, eparis@parisplace.org, serge@hallyn.com, zohar@linux.ibm.com, mjg59@google.com, Richard Guy Briggs Subject: [PATCH ghak109 V1] audit: link integrity evm_write_xattrs record to syscall event Date: Sat, 16 Mar 2019 08:10:08 -0400 Message-Id: <81d0122d14c4fbb3a2ad33d25fdf2dd001c7dcc7.1552737854.git.rgb@redhat.com> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.31]); Sat, 16 Mar 2019 12:10:57 +0000 (UTC) Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP In commit fa516b66a1bf ("EVM: Allow runtime modification of the set of verified xattrs"), the call to audit_log_start() is missing a context to link it to an audit event. Since this event is in user context, add the process' syscall context to the record. In addition, the orphaned keyword "locked" appears in the record. Normalize this by changing it to "xattr=(locked)". Please see the github issue https://github.com/linux-audit/audit-kernel/issues/109 Signed-off-by: Richard Guy Briggs --- security/integrity/evm/evm_secfs.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/security/integrity/evm/evm_secfs.c b/security/integrity/evm/evm_secfs.c index 015aea8fdf1e..4171d174e9da 100644 --- a/security/integrity/evm/evm_secfs.c +++ b/security/integrity/evm/evm_secfs.c @@ -192,7 +192,8 @@ static ssize_t evm_write_xattrs(struct file *file, const char __user *buf, if (count > XATTR_NAME_MAX) return -E2BIG; - ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_INTEGRITY_EVM_XATTR); + ab = audit_log_start(audit_context(), GFP_KERNEL, + AUDIT_INTEGRITY_EVM_XATTR); if (!ab) return -ENOMEM; @@ -222,7 +223,7 @@ static ssize_t evm_write_xattrs(struct file *file, const char __user *buf, inode_lock(inode); err = simple_setattr(evm_xattrs, &newattrs); inode_unlock(inode); - audit_log_format(ab, "locked"); + audit_log_format(ab, "xattr=(locked)"); if (!err) err = count; goto out;