From: Eric Paris <eparis@redhat.com>
To: Paul Moore <pmoore@redhat.com>
Cc: rgb@redhat.com, linux-audit@redhat.com
Subject: Re: [PATCH] audit: don't attempt to lookup PIDs when changing PID filtering audit rules
Date: Mon, 15 Dec 2014 12:29:52 -0500
Message-ID: <1418664592.3145.3.camel@redhat.com>
In-Reply-To: <20141215171414.30169.46068.stgit@localhost>

Let's say I am in the non-init pid namespace.

I run auditctl -a exit,always -S all -F pid=1

Is the audit system going to show records for what I think is pid=1 or
what the initial pid namespace thinks is pid=1 ?

Which is correct? (hint, it's impossible to know pids above my
namespace, or even to know what pid the process in question thinks it
is, since it could be below my namespace)

I won't pretend this is easy to solve.

Steve et al.  What do you think of maybe having pid= rules automatically
removed when the pid goes away?  I can't think of another way to handle
this (although the perf hit might be so stupidly high....)

On Mon, 2014-12-15 at 12:14 -0500, Paul Moore wrote:
> Commit f1dc4867 ("audit: anchor all pid references in the initial pid
> namespace") introduced a find_vpid() call when adding/removing audit
> rules with PID/PPID filters; unfortunately this is problematic as
> find_vpid() only works if there is a task with the associated PID
> alive on the system.  The following commands demonstrate a simple
> reproducer.
> 
> 	# auditctl -D
> 	# auditctl -l
> 	# autrace /bin/true
> 	# auditctl -l
> 
> This patch resolves the problem by simply using the PID provided by
> the user without any additional validation, e.g. no calls to check to
> see if the task/PID exists.
> 
> Cc: stable@vger.kernel.org # 3.15
> Cc: Richard Guy Briggs <rgb@redhat.com>
> Signed-off-by: Paul Moore <pmoore@redhat.com>
> ---
>  kernel/auditfilter.c |   13 -------------
>  1 file changed, 13 deletions(-)
> 
> diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
> index 8e9bc9c..b2e63ba 100644
> --- a/kernel/auditfilter.c
> +++ b/kernel/auditfilter.c
> @@ -433,19 +433,6 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
>  			f->val = 0;
>  		}
>  
> -		if ((f->type == AUDIT_PID) || (f->type == AUDIT_PPID)) {
> -			struct pid *pid;
> -			rcu_read_lock();
> -			pid = find_vpid(f->val);
> -			if (!pid) {
> -				rcu_read_unlock();
> -				err = -ESRCH;
> -				goto exit_free;
> -			}
> -			f->val = pid_nr(pid);
> -			rcu_read_unlock();
> -		}
> -
>  		err = audit_field_valid(entry, f);
>  		if (err)
>  			goto exit_free;
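Review bot: removing this block drops the `f->val = pid_nr(pid);` translation along with the existence check, so the value stored in the rule is now the number the caller supplied, interpreted in the initial pid namespace, rather than the caller's own view of that PID. Since the find_vpid() call being removed came from the commit cited above as anchoring pid references in the initial pid namespace, the commit message should state explicitly that rule filters no longer get that anchoring and that a rule added from a child pid namespace will match the init-namespace PID number. Dropping the `err = -ESRCH; goto exit_free;` path also means a rule naming a PID with no live task is now accepted; that is the intended fix for the autrace reproducer, but it is a behaviour change for AUDIT_PID/AUDIT_PPID filters and is worth recording as the new contract.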
> 
