On Wed, Sep 25, 2019 at 5:02 PM Kees Cook <keescook@xxxxxxxxxxxx> wrote: > > This renames the very specific audit_log_link_denied() to > audit_log_path_denied() and adds the AUDIT_* type as an argument. This > allows for the creation of the new AUDIT_ANOM_CREAT that can be used to > report the fifo/regular file creation restrictions that were introduced > in commit 30aba6656f61 ("namei: allow restricted O_CREAT of FIFOs and > regular files"). Without this change, discovering that the restriction > is enabled can be very challenging: > https://lore.kernel.org/lkml/CA+jJMxvkqjXHy3DnV5MVhFTL2RUhg0WQ-XVFW3ngDQOdkFq0PA@xxxxxxxxxxxxxx > > Reported-by: Jérémie Galarneau <jeremie.galarneau@xxxxxxxxxxxx> > Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx> > --- > This is not a complete fix because reporting was broken in commit > 15564ff0a16e ("audit: make ANOM_LINK obey audit_enabled and > audit_dummy_context") > which specifically goes against the intention of these records: they > should _always_ be reported. If auditing isn't enabled, they should be > ratelimited. > > Instead of using audit, should this just go back to using > pr_ratelimited()? I'm going to ignore the rename and other aspects of this patch for the moment so we can focus on the topic of if/when/how these records should be emitted by the kernel. Unfortunately, people tend to get very upset if audit emits *any* records when they haven't explicitly enabled audit, the significance of the record doesn't seem to matter, which is why you see patches like 15564ff0a16e ("audit: make ANOM_LINK obey audit_enabled and audit_dummy_context"). We could consider converting some records to printk()s, rate-limited or not, but we need to balance this with the various security certifications which audit was created to satisfy. In some cases a printk() isn't sufficient. Steve is probably the only one who really keeps track of the various auditing requirements of the different security certifications; what say you Steve on this issue with ANOM_CREAT records? -- paul moore www.paul-moore.com