| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 27 Jun 2016 15:58:21 -0400
From: Paul Moore <paul@...l-moore.com>
To: Richard Guy Briggs <rgb@...hat.com>
Cc: linux-audit@...hat.com, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] audit: catch errors from audit_filter_rules field checks
On Thu, Jun 16, 2016 at 5:07 PM, Paul Moore <paul@...l-moore.com> wrote:
> On Tue, Jun 14, 2016 at 5:03 PM, Richard Guy Briggs <rgb@...hat.com> wrote:
>> In the case of an error returned from a field check in an audit filter
>> syscall rule, it is treated as a match and the rule action is honoured.
>>
>> This could cause a rule with a default of NEVER and an selinux field
>> check error to avoid logging.
>>
>> Recommend matching with an action of ALWAYS to catch malicious abuse of
>> this bug. The downside of this approach is it could DoS the audit
>> subsystem.
>
> I understand your concern about the DoS, but in reality it is no worse
> than if no audit filter rules were configured, yes?
Just following up on this since I don't recall seeing a response ...
>> Signed-off-by: Richard Guy Briggs <rgb@...hat.com>
>> ---
>> kernel/auditsc.c | 4 ++++
>> 1 files changed, 4 insertions(+), 0 deletions(-)
>>
>> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
>> index 71e14d8..6123672 100644
>> --- a/kernel/auditsc.c
>> +++ b/kernel/auditsc.c
>> @@ -683,6 +683,10 @@ static int audit_filter_rules(struct task_struct *tsk,
>> }
>> if (!result)
>> return 0;
>> + if (result < 0) {
>> + *state = AUDIT_RECORD_CONTEXT;
>> + return 1;
>> + }
>> }
>>
>> if (ctx) {
>
> --
> paul moore
> www.paul-moore.com
--
paul moore
www.paul-moore.com
Powered by blists - more mailing lists