Bug 174707

Summary: audit is missing fs object identity info when removing some xattrs
Product: Red Hat Enterprise Linux 4
Component: kernel
Version: 4.0
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Keywords: Security
Reporter: Amy Griffis <amy.griffis>
Assignee: Alexander Viro <aviro>
QA Contact: Brian Brock <bbrock>
CC: andriusb, jbaron, kweidner, linda.knippers, security-response-team, sgrubb
Fixed In Version: RHBA-2007-0791
Doc Type: Bug Fix
Last Closed: 2007-11-15 16:13:12 UTC
Bug Depends On: 245197
Bug Blocks: 175213, 176155, 201088, 245198

Description Amy Griffis 2005-12-01 16:28:14 UTC

Description of problem:
When removing the "trusted.md5sum" xattr, audit does not produce FS_WATCH records for a watched file.  Since audit does not produce PATH records for fremovexattr, this results in no filesystem object identity information for this syscall.

Version-Release number of selected component (if applicable):
kernel-2.6.9-22.0.1.EL.audit.1 (rhel4 u2 kernel + 173500  fix)

How reproducible:
Always

Steps to Reproduce:
1. enable syscall auditing
2. auditctl -a entry,always -S fremovexattr
3. auditctl -w /tmp/foo -k TMP_FOO
4. fd = open("/tmp/foo", O_RDWR, 0);
5. fsetxattr(fd, "trusted.md5sum", "0", sizeof("0"), XATTR_CREATE)
6. fremovexattr(fd, "trusted.md5sum");

Actual Results:  Audit log from x86_64 architecture:

type=SYSCALL msg=audit(1133453735.714:3811): arch=c000003e syscall=2 success=yes exit=3 a0=7fbffffc86 a1=2 a2=0 a3=7fbffff901 items=1 pid=6958 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="t_fremovexattr" exe="/home/eal/t_fremovexattr"
type=FS_WATCH msg=audit(1133453735.714:3811): watch_inode=213048 watch="foo" filterkey=TMP_FOO perm=0 perm_mask=6
type=FS_INODE msg=audit(1133453735.714:3811): inode=213048 inode_uid=0 inode_gid=0 inode_dev=fd:00 inode_rdev=00:00
type=CWD msg=audit(1133453735.714:3811):  cwd="/home/eal"
type=PATH msg=audit(1133453735.714:3811): name="/tmp/foo" flags=101  inode=213048 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00

type=SYSCALL msg=audit(1133453735.714:3812): arch=c000003e syscall=190 success=yes exit=0 a0=3 a1=4008f2 a2=4008f0 a3=2 items=0 pid=6958 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="t_fremovexattr" exe="/home/eal/t_fremovexattr"
type=FS_WATCH msg=audit(1133453735.714:3812): watch_inode=213048 watch="foo" filterkey=TMP_FOO perm=0 perm_mask=2
type=FS_INODE msg=audit(1133453735.714:3812): inode=213048 inode_uid=0 inode_gid=0 inode_dev=fd:00 inode_rdev=00:00

type=SYSCALL msg=audit(1133453735.714:3813): arch=c000003e syscall=199 success=yes exit=0 a0=3 a1=4008f2 a2=4008f0 a3=7fbffff901 items=0 pid=6958 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="t_fremovexattr" exe="/home/eal/t_fremovexattr"

Expected Results:  The same operation using the xattr "user.mime_type" with value "text/plain" produces the following records for fremovexattr:

type=SYSCALL msg=audit(1133454070.709:3823): arch=c000003e syscall=199 success=yes exit=0 a0=3 a1=4008fb a2=4008f0 a3=7fbffff901 items=0 pid=7018 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="t_fremovexattr" exe="/home/eal/t_fremovexattr"
type=FS_WATCH msg=audit(1133454070.709:3823): watch_inode=213048 watch="foo" filterkey=TMP_FOO perm=0 perm_mask=2
type=FS_INODE msg=audit(1133454070.709:3823): inode=213048 inode_uid=0 inode_gid=0 inode_dev=fd:00 inode_rdev=00:00

Additional info:

Comment 1 Andrius Benokraitis 2005-12-07 16:46:02 UTC
Hi Amy, did you have a patch proposed for this, or is this just a notification
of the bug? How severe is this as well? Thanks!

Comment 2 Linda Knippers 2005-12-07 18:46:35 UTC
Hi Andrius, 
We don't have a proposed patch, it's just a bug notification.
While it is a problem that ought to be fixed at some point, it
isn't critical for our purposes right now.

Comment 4 Daniel Riek 2006-11-21 19:56:16 UTC
Not planned for 4.5. Moving to 4.6

Comment 5 RHEL Program Management 2007-05-09 11:04:01 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 7 RHEL Program Management 2007-06-11 22:41:51 UTC
This request was evaluated by Red Hat Kernel Team for inclusion in a Red
Hat Enterprise Linux maintenance release, and has moved to bugzilla 
status POST.

Comment 8 Jason Baron 2007-06-19 14:06:06 UTC
committed in stream U6 build 55.9. A test kernel with this patch is available
from http://people.redhat.com/~jbaron/rhel4/


Comment 13 errata-xmlrpc 2007-11-15 16:13:12 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0791.html