[PATCH] Fix formatting of AUDIT_CONFIG_CHANGE events

Richard Guy Briggs rgb at redhat.com
Thu Nov 17 06:40:19 UTC 2016


On 2016-11-16 16:14, Steve Grubb wrote:
> The AUDIT_CONFIG_CHANGE events sometimes use an op= field. The current code
> logs the value of the field with quotes. This field is documented to not be
> encoded, so it should not have quotes.

There were a number of callers that had spaces in their "op" or "action"
strings which I've addressed with several upstream patches, so this is
the right direction to go.  All the callers for the instances listed
below are fine.

> Signed-off-by: Steve Grubb <sgrubb at redhat.com>

Reviewed-by: Richard Guy Briggs <rgb at redhat.com>

> ---
> 
> diff -urp vanilla-4.9-rc5.orig/kernel/auditfilter.c vanilla-4.9-rc5/kernel/auditfilter.c
> --- vanilla-4.9-rc5.orig/kernel/auditfilter.c	2016-10-02 19:24:33.000000000 -0400
> +++ vanilla-4.9-rc5/kernel/auditfilter.c	2016-11-16 16:00:30.608728324 -0500
> @@ -1074,8 +1074,7 @@ static void audit_log_rule_change(char *
>  		return;
>  	audit_log_format(ab, "auid=%u ses=%u" ,loginuid, sessionid);
>  	audit_log_task_context(ab);
> -	audit_log_format(ab, " op=");
> -	audit_log_string(ab, action);
> +	audit_log_format(ab, " op=%s", action);
>  	audit_log_key(ab, rule->filterkey);
>  	audit_log_format(ab, " list=%d res=%d", rule->listnr, res);
>  	audit_log_end(ab);
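Review bot: The new `%s` in audit_log_rule_change prints `action` unencoded, so any value containing a space, a double quote or a non-printable byte would yield an `op=` field that audit log parsers cannot split at the field boundary; the same applies to `op` in the audit_fsnotify.c and audit_watch.c hunks. The patch relies on every caller passing a fixed, space-free token, as the review reply states, but nothing in the hunk records that requirement for future callers. A short comment above the call, `/* op= is documented as unencoded: callers must pass a fixed token with no spaces, quotes or control characters */`, would keep the contract visible at the place where a non-conforming value would break the record. audit_log_rule_change's signature and the preceding lines are outside the hunk.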
> diff -urp vanilla-4.9-rc5.orig/kernel/audit_fsnotify.c vanilla-4.9-rc5/kernel/audit_fsnotify.c
> --- vanilla-4.9-rc5.orig/kernel/audit_fsnotify.c	2016-10-02 19:24:33.000000000 -0400
> +++ vanilla-4.9-rc5/kernel/audit_fsnotify.c	2016-11-16 16:02:41.516728544 -0500
> @@ -130,10 +130,9 @@ static void audit_mark_log_rule_change(s
>  	ab = audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE);
>  	if (unlikely(!ab))
>  		return;
> -	audit_log_format(ab, "auid=%u ses=%u op=",
> +	audit_log_format(ab, "auid=%u ses=%u op=%s",
>  			 from_kuid(&init_user_ns, audit_get_loginuid(current)),
> -			 audit_get_sessionid(current));
> -	audit_log_string(ab, op);
> +			 audit_get_sessionid(current), op);
>  	audit_log_format(ab, " path=");
>  	audit_log_untrustedstring(ab, audit_mark->path);
>  	audit_log_key(ab, rule->filterkey);
> diff -urp vanilla-4.9-rc5.orig/kernel/audit_tree.c vanilla-4.9-rc5/kernel/audit_tree.c
> --- vanilla-4.9-rc5.orig/kernel/audit_tree.c	2016-10-02 19:24:33.000000000 -0400
> +++ vanilla-4.9-rc5/kernel/audit_tree.c	2016-11-16 16:03:26.414728619 -0500
> @@ -458,8 +458,7 @@ static void audit_tree_log_remove_rule(s
>  	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
>  	if (unlikely(!ab))
>  		return;
> -	audit_log_format(ab, "op=");
> -	audit_log_string(ab, "remove_rule");
> +	audit_log_format(ab, "op=remove_rule");
>  	audit_log_format(ab, " dir=");
>  	audit_log_untrustedstring(ab, rule->tree->pathname);
>  	audit_log_key(ab, rule->filterkey);
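Review bot: The new `audit_log_format(ab, "op=remove_rule");` is immediately followed by `audit_log_format(ab, " dir=");`, both constant format strings with no arguments, so they can be folded into one call, `audit_log_format(ab, "op=remove_rule dir=");`. This is a style point only; the emitted record is the same either way. audit_tree_log_remove_rule starts outside the hunk.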
> diff -urp vanilla-4.9-rc5.orig/kernel/audit_watch.c vanilla-4.9-rc5/kernel/audit_watch.c
> --- vanilla-4.9-rc5.orig/kernel/audit_watch.c	2016-10-02 19:24:33.000000000 -0400
> +++ vanilla-4.9-rc5/kernel/audit_watch.c	2016-11-16 16:04:18.287728706 -0500
> @@ -242,10 +242,9 @@ static void audit_watch_log_rule_change(
>  		ab = audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE);
>  		if (unlikely(!ab))
>  			return;
> -		audit_log_format(ab, "auid=%u ses=%u op=",
> +		audit_log_format(ab, "auid=%u ses=%u op=%s",
>  				 from_kuid(&init_user_ns, audit_get_loginuid(current)),
> -				 audit_get_sessionid(current));
> -		audit_log_string(ab, op);
> +				 audit_get_sessionid(current), op);
>  		audit_log_format(ab, " path=");
>  		audit_log_untrustedstring(ab, w->path);
>  		audit_log_key(ab, r->filterkey);
> 
> --

- RGB

--
Richard Guy Briggs <rgb at redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635



