From: Ben Hutchings <ben@decadent.org.uk>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: akpm@linux-foundation.org, "Richard Guy Briggs" <rgb@redhat.com>,
"Eric W. Biederman" <ebiederm@xmission.com>
Subject: [PATCH 3.2 57/94] audit: convert PPIDs to the inital PID namespace.
Date: Mon, 28 Apr 2014 02:11:22 +0100 [thread overview]
Message-ID: <lsq.1398647482.952226570@decadent.org.uk> (raw)
In-Reply-To: <lsq.1398647481.453080089@decadent.org.uk>
3.2.58-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Richard Guy Briggs <rgb@redhat.com>
commit c92cdeb45eea38515e82187f48c2e4f435fb4e25 upstream.
sys_getppid() returns the parent pid of the current process in its own pid
namespace. Since audit filters are based in the init pid namespace, a process
could avoid a filter or trigger an unintended one by being in an alternate pid
namespace or log meaningless information.
Switch to task_ppid_nr() for PPIDs to anchor all audit filters in the
init_pid_ns.
(informed by ebiederman's 6c621b7e)
Cc: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
[bwh: Backported to 3.2: sys_getppid() is used by audit_exit() but not
audit_log_task_info()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -473,7 +473,7 @@ static int audit_filter_rules(struct tas
case AUDIT_PPID:
if (ctx) {
if (!ctx->ppid)
- ctx->ppid = sys_getppid();
+ ctx->ppid = task_ppid_nr(tsk);
result = audit_comparator(ctx->ppid, f->op, f->val);
}
break;
@@ -1335,7 +1335,7 @@ static void audit_log_exit(struct audit_
/* tsk == current */
context->pid = tsk->pid;
if (!context->ppid)
- context->ppid = sys_getppid();
+ context->ppid = task_ppid_nr(tsk);
cred = current_cred();
context->uid = cred->uid;
context->gid = cred->gid;
next prev parent reply other threads:[~2014-04-28 1:11 UTC|newest]
Thread overview: 98+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-04-28 1:11 [PATCH 3.2 00/94] 3.2.58-rc1 review Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 16/94] sparc: PCI: Fix incorrect address calculation of PCI Bridge windows on Simba-bridges Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 06/94] ipv6: Avoid unnecessary temporary addresses being generated Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 04/94] vlan: Set correct source MAC address with TX VLAN offload enabled Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 10/94] xen-netback: remove pointless clause from if statement Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 01/94] net: sctp: fix skb leakage in COOKIE ECHO path of chunk->auth_chunk Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 25/94] ARM: 7954/1: mm: remove remaining domain support from ARMv6 Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 09/94] vhost: validate vhost_get_vq_desc return value Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 14/94] isdnloop: several buffer overflows Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 24/94] ARM: mm: introduce present, faulting entries for PAGE_NONE Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 17/94] Revert "sparc64: Fix __copy_{to,from}_user_inatomic defines." Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 21/94] drm/i915: inverted brightness quirk for Acer Aspire 4736Z Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 20/94] ipv6: don't set DST_NOCOUNT for remotely added routes Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 11/94] ipv6: some ipv6 statistic counters failed to disable bh Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 05/94] net: socket: error on a negative msg_namelen Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 12/94] netlink: don't compare the nul-termination in nla_strcmp Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 23/94] w1: fix w1_send_slave dropping a slave id Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 26/94] matroxfb: restore the registers M_ACCESS and M_PITCH Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 19/94] sparc64: don't treat 64-bit syscall return codes as 32-bit Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 03/94] net: unix: non blocking recvmsg() should not return -EINTR Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 27/94] framebuffer: fix cfb_copyarea Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 13/94] isdnloop: Validate NUL-terminated strings from user Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 02/94] bridge: multicast: add sanity check for query source addresses Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 08/94] vhost: fix total length when packets are too short Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 22/94] drm/i915: quirk invert brightness for Acer Aspire 5336 Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 07/94] ipv6: ip6_append_data_mtu do not handle the mtu of the second fragment properly Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 15/94] rds: prevent dereference of a NULL device in rds_iw_laddr_check Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 18/94] sparc32: fix build failure for arch_jump_label_transform Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 69/94] ALSA: hda - Enable beep for ASUS 1015E Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 51/94] mfd: Include all drivers in subsystem menu Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 63/94] nfsd: Add fh_{want,drop}_write() Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 31/94] hvc: ensure hvc_init is only ever called once in hvc_console.c Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 55/94] mfd: 88pm860x: Fix possible NULL pointer dereference on i2c_new_dummy error Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 77/94] ocfs2: dlm: fix recovery hung Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 41/94] jffs2: remove from wait queue after schedule() Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 35/94] [media] uvcvideo: Do not use usb_set_interface on bulk EP Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 48/94] ath9k: fix ready time of the multicast buffer queue Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 56/94] pid: get pid_t ppid of task in init_pid_ns Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 58/94] Btrfs: fix deadlock with nested trans handles Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 67/94] nfsd4: fix setclientid encode size Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 39/94] staging:serqt_usb2: Fix sparse warning restricted __le16 degrades to integer Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 88/94] drivers: hv: additional switch to use mb() instead of smp_mb() Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 78/94] ocfs2: do not put bh when buffer_uptodate failed Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 60/94] x86, hyperv: Bypass the timer_irq_works() check Ben Hutchings
2014-04-28 1:11 ` Ben Hutchings [this message]
2014-04-28 1:11 ` [PATCH 3.2 40/94] Btrfs: skip submitting barrier for missing device Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 66/94] dm thin: fix dangling bio in process_deferred_bios error path Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 87/94] target/tcm_fc: Fix use-after-free of ft_tpg Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 92/94] powernow-k6: correctly initialize default parameters Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 30/94] tgafb: fix data copying Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 68/94] MIPS: Hibernate: Flush TLB entries in swsusp_arch_resume() Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 72/94] reiserfs: fix race in readdir Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 62/94] nfsd4: session needs room for following op to error out Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 46/94] virtio_balloon: don't softlockup on huge balloon changes Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 90/94] selinux: correctly label /proc inodes in use before the policy is loaded Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 33/94] [media] media: gspca: sn9c20x: add ID for Genius Look 1320 V2 Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 80/94] mm: try_to_unmap_cluster() should lock_page() before mlocking Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 81/94] mm: hugetlb: fix softlockup when a large number of hugepages are freed Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 36/94] usb: gadget: atmel_usba: fix crashed during stopping when DEBUG is enabled Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 54/94] mfd: max8925: Fix possible NULL pointer dereference on i2c_new_dummy error Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 45/94] iwlwifi: dvm: take mutex when sending SYNC BT config command Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 53/94] mfd: max8998: Fix possible NULL pointer dereference on i2c_new_dummy error Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 49/94] IB/ipath: Fix potential buffer overrun in sending diag packet routine Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 94/94] Revert "alpha: fix broken network checksum" Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 79/94] iscsi-target: Fix ERL=2 ASYNC_EVENT connection pointer bug Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 71/94] IB/ehca: Returns an error on ib_copy_to_udata() failure Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 91/94] powernow-k6: disable cache when changing frequency Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 50/94] IB/nes: Return an error on ib_copy_from_udata() failure instead of NULL Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 85/94] b43: Fix machine check error due to improper access of B43_MMIO_PSM_PHY_HDR Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 75/94] sh: fix format string bug in stack tracer Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 61/94] nfsd4: buffer-length check for SUPPATTR_EXCLCREAT Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 86/94] x86-64, modify_ldt: Ban 16-bit segments on 64-bit kernels Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 93/94] powernow-k6: reorder frequencies Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 47/94] ext4: fix partial cluster handling for bigalloc file systems Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 29/94] mach64: fix cursor when character width is not a multiple of 8 pixels Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 37/94] blktrace: fix accounting of partially completed requests Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 73/94] drm/vmwgfx: correct fb_fix_screeninfo.line_length Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 74/94] drm/radeon: call drm_edid_to_eld when we update the edid Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 70/94] IB/mthca: Return an error on ib_copy_to_udata() failure Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 38/94] rtlwifi: rtl8192se: Fix too long disable of IRQs Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 84/94] lib/percpu_counter.c: fix bad percpu counter state during suspend Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 59/94] gpio: mxs: Allow for recursive enable_irq_wake() call Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 76/94] ocfs2: dlm: fix lock migration crash Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 82/94] wait: fix reparent_leader() vs EXIT_DEAD->EXIT_ZOMBIE race Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 89/94] Char: ipmi_bt_sm, fix infinite loop Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 42/94] jffs2: avoid soft-lockup in jffs2_reserve_space_gc() Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 32/94] usb: dwc3: fix wrong bit mask in dwc3_event_devt Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 83/94] ALSA: ice1712: Fix boundary checks in PCM pointer ops Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 64/94] nfsd: notify_change needs elevated write count Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 28/94] mach64: use unaligned access Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 52/94] mfd: max8997: Fix possible NULL pointer dereference on i2c_new_dummy error Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 34/94] tty: Set correct tty name in 'active' sysfs attribute Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 65/94] drm/i915/tv: fix gen4 composite s-video tv-out Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 43/94] jffs2: Fix segmentation fault found in stress test Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 44/94] jffs2: Fix crash due to truncation of csize Ben Hutchings
2014-04-28 15:05 ` [PATCH 3.2 00/94] 3.2.58-rc1 review Ben Hutchings
2014-04-29 4:01 ` Guenter Roeck
2014-04-30 12:21 ` Ben Hutchings
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=lsq.1398647482.952226570@decadent.org.uk \
--to=ben@decadent.org.uk \
--cc=akpm@linux-foundation.org \
--cc=ebiederm@xmission.com \
--cc=linux-kernel@vger.kernel.org \
--cc=rgb@redhat.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox