From patchwork Tue Sep 29 10:59:32 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 290765 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-13.5 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_PATCH, MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE, SPF_PASS, URIBL_BLOCKED, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9CD06C4727C for ; Tue, 29 Sep 2020 12:40:04 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 4F21D2076A for ; Tue, 29 Sep 2020 12:40:04 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1601383204; bh=1A9kQmECskEl4gPJ+6UrYq13lluTiE+z2WhigvhzBpM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=xNcjC0NC0T0MlaBYuJMFNgV2cyAbS9MHo6PO8iIY80AmbSOXhM0dpiEvT1qICFRgY Nypsl2rnAsSk5aPsB2Zb3Ef5jWIFkHywlnBSuPNbAXhh9QT++7ct9CyXmn+wUjh9aw DJcVTxwar0N5i6C0UYgjFuKRCaqWMVviTREnWBvA= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729121AbgI2MkB (ORCPT ); Tue, 29 Sep 2020 08:40:01 -0400 Received: from mail.kernel.org ([198.145.29.99]:32838 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729578AbgI2LQT (ORCPT ); Tue, 29 Sep 2020 07:16:19 -0400 Received: from localhost (83-86-74-64.cable.dynamic.v4.ziggo.nl [83.86.74.64]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 5BE3F206DB; Tue, 29 Sep 2020 11:16:18 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1601378179; bh=1A9kQmECskEl4gPJ+6UrYq13lluTiE+z2WhigvhzBpM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=0zetuUP2pFURImGIABe9RjRK120Cia/SnhIibU08BiES/UdZkbAA3KX4QYMEBg3EL 4RKrvFYwZ/nTaqFXrsGES8Z4wIR6UWXwRSLAVObUdnZK47tVPgt/Pvllp9zqA78IBh ofbkeLZpAH6L1MoLRIDC7oGDpGQFuO310+ddlatM= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Steve Grubb , Paul Moore , Sasha Levin Subject: [PATCH 4.14 060/166] audit: CONFIG_CHANGE dont log internal bookkeeping as an event Date: Tue, 29 Sep 2020 12:59:32 +0200 Message-Id: <20200929105938.216049161@linuxfoundation.org> X-Mailer: git-send-email 2.28.0 In-Reply-To: <20200929105935.184737111@linuxfoundation.org> References: <20200929105935.184737111@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Steve Grubb [ Upstream commit 70b3eeed49e8190d97139806f6fbaf8964306cdb ] Common Criteria calls out for any action that modifies the audit trail to be recorded. That usually is interpreted to mean insertion or removal of rules. It is not required to log modification of the inode information since the watch is still in effect. Additionally, if the rule is a never rule and the underlying file is one they do not want events for, they get an event for this bookkeeping update against their wishes. Since no device/inode info is logged at insertion and no device/inode information is logged on update, there is nothing meaningful being communicated to the admin by the CONFIG_CHANGE updated_rules event. One can assume that the rule was not "modified" because it is still watching the intended target. If the device or inode cannot be resolved, then audit_panic is called which is sufficient. The correct resolution is to drop logging config_update events since the watch is still in effect but just on another unknown inode. Signed-off-by: Steve Grubb Signed-off-by: Paul Moore Signed-off-by: Sasha Levin --- kernel/audit_watch.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c index 35f1d706bd5b4..ac87820cc0825 100644 --- a/kernel/audit_watch.c +++ b/kernel/audit_watch.c @@ -316,8 +316,6 @@ static void audit_update_watch(struct audit_parent *parent, if (oentry->rule.exe) audit_remove_mark(oentry->rule.exe); - audit_watch_log_rule_change(r, owatch, "updated_rules"); - call_rcu(&oentry->rcu, audit_free_rule_rcu); }