linux-audit / audit-kernel

GitHub mirror of the Linux Kernel's audit repository
https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git

BUG: PATH record contains (null) for file descriptor operation #140

Open cgzones opened 1 year ago

cgzones commented 1 year ago

System: Debian sid
Kernel: Linux hostname 5.19.0-1-amd64 #1 SMP PREEMPT_DYNAMIC Debian 5.19.6-1 (2022-09-01) x86_64 GNU/Linux
Auditd: 3.0.9

Triggering an SELinux denial on a file descriptor operation (e.g. fchmod(2)) creates an audit record path field with a name of (null). Since the path of the file descriptor is exported by reading the symlink target of /proc/<PID>/fd/<FD>, the audit subsystem should be able to provide it.

```
time->Fri Sep  9 17:09:59 2022
type=PROCTITLE msg=audit(1662736199.136:580): proctitle=2F7573722F6C6F63616C2F62696E2F74657374002F6574632F706173737764
type=PATH msg=audit(1662736199.136:580): item=0 name=(null) inode=917101 dev=fe:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:conf_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1662736199.136:580): cwd="/home/christian"
type=SYSCALL msg=audit(1662736199.136:580): arch=c000003e syscall=91 success=no exit=-13 a0=3 a1=1a0 a2=0 a3=70495e20e660 items=1 ppid=2340 pid=91666 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts6 ses=3 comm="test" exe="/usr/local/bin/test" subj=xuser_u:xuser_r:xuser_t:s0 key=(null)
type=AVC msg=audit(1662736199.136:580): avc:  denied  { setattr } for  pid=91666 comm="test" name="passwd" dev="dm-1" ino=917101 scontext=xuser_u:xuser_r:xuser_t:s0 tcontext=system_u:object_r:conf_t:s0 tclass=file permissive=0

type=PROCTITLE msg=audit(09/09/22 17:09:59.136:580) : proctitle=/usr/local/bin/test /etc/passwd
type=PATH msg=audit(09/09/22 17:09:59.136:580) : item=0 name=(null) inode=917101 dev=fe:01 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:conf_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(09/09/22 17:09:59.136:580) : cwd=/home/christian
type=SYSCALL msg=audit(09/09/22 17:09:59.136:580) : arch=x86_64 syscall=fchmod success=no exit=EACCES(Permission denied) a0=0x3 a1=0640 a2=0x0 a3=0x70495e20e660 items=1 ppid=2340 pid=91666 auid=christian uid=christian gid=christian euid=christian suid=christian fsuid=christian egid=christian sgid=christian fsgid=christian tty=pts6 ses=3 comm=test exe=/usr/local/bin/test subj=xuser_u:xuser_r:xuser_t:s0 key=(null)
type=AVC msg=audit(09/09/22 17:09:59.136:580) : avc:  denied  { setattr } for  pid=91666 comm=test name=passwd dev="dm-1" ino=917101 scontext=xuser_u:xuser_r:xuser_t:s0 tcontext=system_u:object_r:conf_t:s0 tclass=file permissive=0
```
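As an added reproducer for the trigger described in the report (this is not the reporter's `test` binary and not code from the audit-kernel repository), the following C program opens the file named on the command line, resolves the descriptor back to a path through /proc/self/fd/<fd> the way the report says user space can, and then calls fchmod(2) on the descriptor with mode 0640, which is the a1 value in the SYSCALL record above. The source file name and build command are assumptions. Whether the fchmod is denied depends on the SELinux policy and the domain the program runs in, not on the code; run it on an enforcing host as a domain that lacks setattr on the target to reproduce the AVC and the accompanying name=(null) PATH record.

```c
/* Added example, not code from the issue reporter or the audit-kernel
 * project.  Opens a file, resolves the descriptor back to a path through
 * /proc/self/fd/<fd>, then issues the descriptor-based fchmod(2) from the
 * report.  Build (assumed file name): cc -Wall -O2 -o fdpath fdpath.c
 * Run:   ./fdpath /etc/passwd
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Resolve the path behind an open descriptor the way user space does:
 * readlink(2) on /proc/self/fd/<fd>.  Returns 0 and fills buf on success,
 * or a negative errno.  The result is the kernel's view of the open file:
 * a file unlinked after open(2) comes back as "<path> (deleted)", and a
 * path that was relative at open(2) time comes back absolute. */
int resolve_fd_path(int fd, char *buf, size_t len)
{
    char link[64];
    ssize_t n;

    if (buf == NULL || len < 2)
        return -EINVAL;
    snprintf(link, sizeof(link), "/proc/self/fd/%d", fd);
    n = readlink(link, buf, len - 1);
    if (n < 0)
        return -errno;
    buf[n] = '\0';          /* readlink(2) does not NUL-terminate */
    return 0;
}

/* open(2) the file and change its mode through the descriptor rather than
 * through the path.  Returns 0 on success, otherwise the positive errno
 * from open(2) or fchmod(2); the SELinux setattr denial in the report
 * surfaces here as EACCES. */
int fchmod_via_fd(const char *path, mode_t mode)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    int rc = 0;

    if (fd < 0)
        return errno;
    if (fchmod(fd, mode) < 0)
        rc = errno;
    close(fd);
    return rc;
}

int main(int argc, char **argv)
{
    char resolved[PATH_MAX];
    int fd, rc;

    if (argc != 2) {
        fprintf(stderr, "usage: %s <file>\n", argv[0]);
        return 2;
    }

    fd = open(argv[1], O_RDONLY | O_CLOEXEC);
    if (fd < 0) {
        perror("open");
        return 1;
    }
    rc = resolve_fd_path(fd, resolved, sizeof(resolved));
    if (rc == 0)
        printf("fd %d -> %s\n", fd, resolved);
    else
        printf("fd %d -> readlink failed: %s\n", fd, strerror(-rc));
    close(fd);

    /* 0640 is the a1 value in the SYSCALL record of the report. */
    rc = fchmod_via_fd(argv[1], 0640);
    printf("fchmod(%s, 0640): %s\n", argv[1], rc ? strerror(rc) : "ok");
    return rc ? 1 : 0;
}
```

For triage while the PATH record still carries name=(null): the inode=917101 dev=fe:01 pair it does record identifies the file on the mounted filesystem, and the AVC record in the same event (serial 580 above) carries name=passwd and ino=917101, so the two records can be joined on the serial to recover the file name.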
freedom1b2830 commented 1 year ago

In the latest Arch Linux (last used a month ago) I observed this bug.

hqh2010 commented 1 year ago

@cgzones https://github.com/linux-audit/audit-kernel/pulls