Commit 4b8a311b authored by Eric Paris's avatar Eric Paris Committed by Al Viro

[PATCH] arch filter lists with < or > should not be accepted

Currently the kernel audit system represents arch's as numbers and will
gladly accept comparisons between archs using >, <, >=, <= when the only
thing that makes sense is = or !=.  I'm told that the next revision of
auditctl will do this checking but this will provide enforcement in the
kernel even for old userspace.  A simple command to show the issue would
be to run

auditctl -d entry,always -F arch>i686 -S chmod

with this patch the kernel will reject this with -EINVAL

Please comment/ack/nak as soon as possible.

-Eric

 kernel/auditfilter.c |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
parent 78b656b8
...@@ -411,7 +411,6 @@ static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule) ...@@ -411,7 +411,6 @@ static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule)
case AUDIT_FSGID: case AUDIT_FSGID:
case AUDIT_LOGINUID: case AUDIT_LOGINUID:
case AUDIT_PERS: case AUDIT_PERS:
case AUDIT_ARCH:
case AUDIT_MSGTYPE: case AUDIT_MSGTYPE:
case AUDIT_PPID: case AUDIT_PPID:
case AUDIT_DEVMAJOR: case AUDIT_DEVMAJOR:
...@@ -423,6 +422,14 @@ static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule) ...@@ -423,6 +422,14 @@ static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule)
case AUDIT_ARG2: case AUDIT_ARG2:
case AUDIT_ARG3: case AUDIT_ARG3:
break; break;
/* arch is only allowed to be = or != */
case AUDIT_ARCH:
if ((f->op != AUDIT_NOT_EQUAL) && (f->op != AUDIT_EQUAL)
&& (f->op != AUDIT_NEGATE) && (f->op)) {
err = -EINVAL;
goto exit_free;
}
break;
case AUDIT_PERM: case AUDIT_PERM:
if (f->val & ~15) if (f->val & ~15)
goto exit_free; goto exit_free;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment