The following commit has been merged in the master branch: commit 674d85eb2d7dc6ef436f46f770f7ab3f1b9c6669 Merge: 645c248d6fc4350562766fefd8ba1d7defe4b5e7 1320a4052ea11eb2879eb7361da15a106a780972 Author: Linus Torvalds torvalds@linux-foundation.org Date: Tue Mar 31 15:04:17 2020 -0700

Merge tag 'audit-pr-20200330' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit

Pull audit updates from Paul Moore: "We've got two audit patches for the v5.7 merge window with a stellar 14 lines changed between the two patches. The patch descriptions are far more lengthy than the patches themselves, which is a very good thing for patches this size IMHO. The patches pass our test suites and a quick summary is below:

- Stop logging inode information when updating an audit file watch.

Since we are not changing the inode, or the fact that we are watching the associated file, the inode information is just noise that we can do without.

- Fix a problem where mandatory audit records were missing their accompanying audit records (e.g. SYSCALL records were missing).

The missing records often meant that we didn't have the necessary context to understand what was going on when the event occurred"

* tag 'audit-pr-20200330' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit: audit: trigger accompanying records when no rules present audit: CONFIG_CHANGE don't log internal bookkeeping as an event

diff --combined kernel/audit.c index 9ddfe2aa6671,b96331e1976d..b69c8b460341 --- a/kernel/audit.c +++ b/kernel/audit.c @@@ -1101,11 -1101,13 +1101,11 @@@ static void audit_log_feature_change(in audit_log_end(ab); }

-static int audit_set_feature(struct sk_buff *skb) +static int audit_set_feature(struct audit_features *uaf) { - struct audit_features *uaf; int i;

BUILD_BUG_ON(AUDIT_LAST_FEATURE + 1 > ARRAY_SIZE(audit_feature_names)); - uaf = nlmsg_data(nlmsg_hdr(skb));

/* if there is ever a version 2 we should handle that here */

@@@ -1173,7 -1175,6 +1173,7 @@@ static int audit_receive_msg(struct sk_ { u32 seq; void *data; + int data_len; int err; struct audit_buffer *ab; u16 msg_type = nlh->nlmsg_type; @@@ -1187,7 -1188,6 +1187,7 @@@

seq = nlh->nlmsg_seq; data = nlmsg_data(nlh); + data_len = nlmsg_len(nlh);

switch (msg_type) { case AUDIT_GET: { @@@ -1211,7 -1211,7 +1211,7 @@@ struct audit_status s; memset(&s, 0, sizeof(s)); /* guard against past and future API changes */ - memcpy(&s, data, min_t(size_t, sizeof(s), nlmsg_len(nlh))); + memcpy(&s, data, min_t(size_t, sizeof(s), data_len)); if (s.mask & AUDIT_STATUS_ENABLED) { err = audit_set_enabled(s.enabled); if (err < 0) @@@ -1315,9 -1315,7 +1315,9 @@@ return err; break; case AUDIT_SET_FEATURE: - err = audit_set_feature(skb); + if (data_len < sizeof(struct audit_features)) + return -EINVAL; + err = audit_set_feature(data); if (err) return err; break; @@@ -1329,8 -1327,6 +1329,8 @@@

err = audit_filter(msg_type, AUDIT_FILTER_USER); if (err == 1) { /* match or error */ + char *str = data; + err = 0; if (msg_type == AUDIT_USER_TTY) { err = tty_audit_push(); @@@ -1338,24 -1334,26 +1338,24 @@@ break; } audit_log_user_recv_msg(&ab, msg_type); - if (msg_type != AUDIT_USER_TTY) + if (msg_type != AUDIT_USER_TTY) { + /* ensure NULL termination */ + str[data_len - 1] = '\0'; audit_log_format(ab, " msg='%.*s'", AUDIT_MESSAGE_TEXT_MAX, - (char *)data); - else { - int size; - + str); + } else { audit_log_format(ab, " data="); - size = nlmsg_len(nlh); - if (size > 0 && - ((unsigned char *)data)[size - 1] == '\0') - size--; - audit_log_n_untrustedstring(ab, data, size); + if (data_len > 0 && str[data_len - 1] == '\0') + data_len--; + audit_log_n_untrustedstring(ab, str, data_len); } audit_log_end(ab); } break; case AUDIT_ADD_RULE: case AUDIT_DEL_RULE: - if (nlmsg_len(nlh) < sizeof(struct audit_rule_data)) + if (data_len < sizeof(struct audit_rule_data)) return -EINVAL; if (audit_enabled == AUDIT_LOCKED) { audit_log_common_recv_msg(audit_context(), &ab, @@@ -1367,7 -1365,7 +1367,7 @@@ audit_log_end(ab); return -EPERM; } - err = audit_rule_change(msg_type, seq, data, nlmsg_len(nlh)); + err = audit_rule_change(msg_type, seq, data, data_len); break; case AUDIT_LIST_RULES: err = audit_list_rules_send(skb, seq); @@@ -1382,7 -1380,7 +1382,7 @@@ case AUDIT_MAKE_EQUIV: { void *bufp = data; u32 sizes[2]; - size_t msglen = nlmsg_len(nlh); + size_t msglen = data_len; char *old, *new;

err = -EINVAL; @@@ -1458,7 -1456,7 +1458,7 @@@

memset(&s, 0, sizeof(s)); /* guard against past and future API changes */ - memcpy(&s, data, min_t(size_t, sizeof(s), nlmsg_len(nlh))); + memcpy(&s, data, min_t(size_t, sizeof(s), data_len)); /* check if new data is valid */ if ((s.enabled != 0 && s.enabled != 1) || (s.log_passwd != 0 && s.log_passwd != 1)) @@@ -1800,6 -1798,7 +1800,7 @@@ struct audit_buffer *audit_log_start(st }

audit_get_stamp(ab->ctx, &t, &serial); + audit_clear_dummy(ab->ctx); audit_log_format(ab, "audit(%llu.%03lu:%u): ", (unsigned long long)t.tv_sec, t.tv_nsec/1000000, serial);