Re: [PATCH] audit: printk USER_AVC messages when audit isn't enabled

From: Kees Cook
Date: Mon Aug 19 2013 - 19:59:40 EST

Next message: Christian Daudt: "Re: [PATCH 1/2] ARM: dts: align sdio numbers to HW definition"
Previous message: Benjamin Herrenschmidt: "Re: [PATCH] vfio-pci: PCI hot reset interface"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, Aug 16, 2013 at 12:05 PM, Tyler Hicks <tyhicks@xxxxxxxxxxxxx> wrote:
> On 2013-07-25 18:02:55, Tyler Hicks wrote:
>> When the audit=1 kernel parameter is absent and auditd is not running,
>> AUDIT_USER_AVC messages are being silently discarded.
>>
>> AUDIT_USER_AVC messages should be sent to userspace using printk(), as
>> mentioned in the commit message of
>> 4a4cd633b575609b741a1de7837223a2d9e1c34c ("AUDIT: Optimise the
>> audit-disabled case for discarding user messages").
>>
>> When audit_enabled is 0, audit_receive_msg() discards all user messages
>> except for AUDIT_USER_AVC messages. However, audit_log_common_recv_msg()
>> refuses to allocate an audit_buffer if audit_enabled is 0. The fix is to
>> special case AUDIT_USER_AVC messages in both functions.
>>
>> Signed-off-by: Tyler Hicks <tyhicks@xxxxxxxxxxxxx>
>> Cc: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
>> Cc: Eric Paris <eparis@xxxxxxxxxx>
>> Cc: linux-audit@xxxxxxxxxx
>> ---
>
> Hello Al and Eric - I wanted to bring this patch back to your attention
> so it doesn't get forgotten. This is a fairly nasty bug in distros that
> leave auditd as optional but still build packages against libaudit.

I haven't seen a lot of movement in the audit tree lately, but Andrew
has helped push other fixes like this in the past. This fix seems
entirely reasonable to me. :) Andrew, can you pick this up?

Acked-by: Kees Cook <keescook@xxxxxxxxxxxx>

>
> Thanks!
>
> Tyler
>
>>
>> It looks like commit 50397bd1e471391d27f64efad9271459c913de87 ("[AUDIT] clean
>> up audit_receive_msg()") introduced this bug, so I think that this patch should
>> also get the tag:
>>
>> Cc: <stable@xxxxxxxxxx> # v2.6.25+

Yeah, this seems like a good idea too.

Thanks,

-Kees

>>
>> Al and Eric, I'll leave that up to you two.
>>
>>
>> Here's my test matrix showing where messages end up as a result of a call to
>> libaudit's audit_log_user_avc_message():
>>
>> | unpatched patched
>> ----------------+--------------------------------
>> w/o audit=1 & | *dropped* syslog
>> w/o auditd |
>> |
>> w/ audit=1 & | syslog syslog
>> w/o auditd |
>> |
>> w/o audit=1 & | audit.log audit.log
>> w/ auditd |
>> |
>> w/ audit=1 & | audit.log audit.log
>> w/ auditd |
>>
>> Thanks!
>>
>> kernel/audit.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/kernel/audit.c b/kernel/audit.c
>> index 91e53d0..f4f2773 100644
>> --- a/kernel/audit.c
>> +++ b/kernel/audit.c
>> @@ -613,7 +613,7 @@ static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type)
>> int rc = 0;
>> uid_t uid = from_kuid(&init_user_ns, current_uid());
>>
>> - if (!audit_enabled) {
>> + if (!audit_enabled && msg_type != AUDIT_USER_AVC) {
>> *ab = NULL;
>> return rc;
>> }
>> --
>> 1.8.3.2
>>
>> --
>> Linux-audit mailing list
>> Linux-audit@xxxxxxxxxx
>> https://www.redhat.com/mailman/listinfo/linux-audit
>
> --
> Linux-audit mailing list
> Linux-audit@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/linux-audit

--
Kees Cook
Chrome OS Security
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Christian Daudt: "Re: [PATCH 1/2] ARM: dts: align sdio numbers to HW definition"
Previous message: Benjamin Herrenschmidt: "Re: [PATCH] vfio-pci: PCI hot reset interface"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]