[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAHC9VhSdBr8oNCSYVHm0=DD=484SYw-CAK5-92Hf9uRm4Bj2cw@mail.gmail.com>
Date: Thu, 16 Jun 2016 17:07:37 -0400
From: Paul Moore <paul@...l-moore.com>
To: Richard Guy Briggs <rgb@...hat.com>
Cc: linux-audit@...hat.com, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] audit: catch errors from audit_filter_rules field checks
On Tue, Jun 14, 2016 at 5:03 PM, Richard Guy Briggs <rgb@...hat.com> wrote:
> In the case of an error returned from a field check in an audit filter
> syscall rule, it is treated as a match and the rule action is honoured.
>
> This could cause a rule with a default of NEVER and an selinux field
> check error to avoid logging.
>
> Recommend matching with an action of ALWAYS to catch malicious abuse of
> this bug. The downside of this approach is it could DoS the audit
> subsystem.
I understand your concern about the DoS, but in reality it is no worse
than if no audit filter rules were configured, yes?
> Signed-off-by: Richard Guy Briggs <rgb@...hat.com>
> ---
> kernel/auditsc.c | 4 ++++
> 1 files changed, 4 insertions(+), 0 deletions(-)
>
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 71e14d8..6123672 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -683,6 +683,10 @@ static int audit_filter_rules(struct task_struct *tsk,
> }
> if (!result)
> return 0;
> + if (result < 0) {
> + *state = AUDIT_RECORD_CONTEXT;
> + return 1;
> + }
> }
>
> if (ctx) {
--
paul moore
www.paul-moore.com
Powered by blists - more mailing lists