[PATCH v2 1/4] ima: Call audit_log_string() rather than logging it untrusted

From: Stefan Berger
Date: Thu May 31 2018 - 10:26:30 EST

Next message: John Garry: "Re: [PATCH 1/8] scsi: libsas: delete dead code in scsi_transport_sas.c"
Previous message: Stefan Berger: "[PATCH v2 3/4] ima: Do not audit if CONFIG_INTEGRITY_AUDIT is not set"
In reply to: Stefan Berger: "[PATCH v2 3/4] ima: Do not audit if CONFIG_INTEGRITY_AUDIT is not set"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The parameters passed to this logging function are all provided by
a privileged user and therefore we can call audit_log_string()
rather than audit_log_untrustedstring().

Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx>
Suggested-by: Steve Grubb <sgrubb@xxxxxxxxxx>
Acked-by: Paul Moore <paul@xxxxxxxxxxxxxx>
---
security/integrity/ima/ima_policy.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 8bbc18eb07eb..1d00db19d167 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -634,7 +634,7 @@ static void ima_log_string_op(struct audit_buffer *ab, char *key, char *value,
audit_log_format(ab, "%s<", key);
else
audit_log_format(ab, "%s=", key);
- audit_log_untrustedstring(ab, value);
+ audit_log_string(ab, value);
audit_log_format(ab, " ");
}
static void ima_log_string(struct audit_buffer *ab, char *key, char *value)
--
2.13.6

Next message: John Garry: "Re: [PATCH 1/8] scsi: libsas: delete dead code in scsi_transport_sas.c"
Previous message: Stefan Berger: "[PATCH v2 3/4] ima: Do not audit if CONFIG_INTEGRITY_AUDIT is not set"
In reply to: Stefan Berger: "[PATCH v2 3/4] ima: Do not audit if CONFIG_INTEGRITY_AUDIT is not set"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]