public inbox for linux-audit@redhat.com
 help / color / mirror / Atom feed
* [PATCH] arch filter lists with < or > should not be accepted
@ 2006-09-28 21:46 Eric Paris
  2006-09-29 12:46 ` Alexander Viro
  0 siblings, 1 reply; 2+ messages in thread
From: Eric Paris @ 2006-09-28 21:46 UTC (permalink / raw)
  To: linux-audit; +Cc: David Woodhouse

Currently the kernel audit system represents arch's as numbers and will
gladly accept comparisons between archs using >, <, >=, <= when the only
thing that makes sense is = or !=.  I'm told that the next revision of
auditctl will do this checking but this will provide enforcement in the
kernel even for old userspace.  A simple command to show the issue would
be to run

auditctl -d entry,always -F arch>i686 -S chmod

with this patch the kernel will reject this with -EINVAL

Please comment/ack/nak as soon as possible.

-Eric

 kernel/auditfilter.c |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- linux-2.6.18.i686/kernel/auditfilter.c.audit.arch	2006-09-28 16:44:11.000000000 -0400
+++ linux-2.6.18.i686/kernel/auditfilter.c	2006-09-28 17:38:34.000000000 -0400
@@ -411,7 +411,6 @@ static struct audit_entry *audit_rule_to
 		case AUDIT_FSGID:
 		case AUDIT_LOGINUID:
 		case AUDIT_PERS:
-		case AUDIT_ARCH:
 		case AUDIT_MSGTYPE:
 		case AUDIT_PPID:
 		case AUDIT_DEVMAJOR:
@@ -423,6 +422,14 @@ static struct audit_entry *audit_rule_to
 		case AUDIT_ARG2:
 		case AUDIT_ARG3:
 			break;
+		/* arch is only allowed to be = or != */
+		case AUDIT_ARCH:
+			if ((f->op != AUDIT_NOT_EQUAL) && (f->op != AUDIT_EQUAL) 
+					&& (f->op != AUDIT_NEGATE) && (f->op)) {
+				err = -EINVAL;
+				goto exit_free;
+			}
+			break;
 		case AUDIT_PERM:
 			if (f->val & ~15)
 				goto exit_free;

^ permalink raw reply	[flat|nested] 2+ messages in thread
* Re: [PATCH] arch filter lists with < or > should not be accepted
  2006-09-28 21:46 [PATCH] arch filter lists with < or > should not be accepted Eric Paris
@ 2006-09-29 12:46 ` Alexander Viro
  0 siblings, 0 replies; 2+ messages in thread
From: Alexander Viro @ 2006-09-29 12:46 UTC (permalink / raw)
  To: Eric Paris; +Cc: linux-audit, David Woodhouse

On Thu, Sep 28, 2006 at 05:46:21PM -0400, Eric Paris wrote:
> Currently the kernel audit system represents arch's as numbers and will
> gladly accept comparisons between archs using >, <, >=, <= when the only
> thing that makes sense is = or !=.  I'm told that the next revision of
> auditctl will do this checking but this will provide enforcement in the
> kernel even for old userspace.  A simple command to show the issue would
> be to run
> 
> auditctl -d entry,always -F arch>i686 -S chmod
> 
> with this patch the kernel will reject this with -EINVAL
> 
> Please comment/ack/nak as soon as possible.

ACK

^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2006-09-29 12:46 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2006-09-28 21:46 [PATCH] arch filter lists with < or > should not be accepted Eric Paris
2006-09-29 12:46 ` Alexander Viro

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox