lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <a11cbe691ee1b3ecfad1615ef5b6dd6ef2c4e2cc.1488337428.git.rgb@redhat.com>
Date:   Tue, 28 Feb 2017 22:29:09 -0500
From:   Richard Guy Briggs <rgb@...hat.com>
To:     linux-kernel@...r.kernel.org, linux-audit@...hat.com
Cc:     Richard Guy Briggs <rgb@...hat.com>,
        Steven Rostedt <rostedt@...dmis.org>,
        Ingo Molnar <mingo@...hat.com>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        Al Viro <viro@...iv.linux.org.uk>,
        Eric Paris <eparis@...hat.com>, Paul Moore <pmoore@...hat.com>,
        Steve Grubb <sgrubb@...hat.com>
Subject: [PATCH ALT2] audit: don't create PATH records for anonymous parents and their children

Tracefs or debugfs were causing hundreds to thousands of null PATH records to
be associated with the init_module and finit_module SYSCALL records on a few
modules when the following rule was in place for startup:
        -a always,exit -F arch=x86_64 -S init_module -F key=mod-load

Don't create those records when the parent is not found in
that task context's audit names_list.

See https://github.com/linux-audit/audit-kernel/issues/8
Test case: https://github.com/linux-audit/audit-testsuite/issues/42

Signed-off-by: Richard Guy Briggs <rgb@...hat.com>
---
 kernel/auditsc.c |   20 +++++++-------------
 1 files changed, 7 insertions(+), 13 deletions(-)

diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 4db32e8..83eb3bc 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1889,6 +1889,10 @@ void __audit_inode_child(struct inode *parent,
 		}
 	}
 
+	if (!found_parent)
+		/* Don't track if parent is "anonymous" */
+		return;
+
 	/* is there a matching child entry? */
 	list_for_each_entry(n, &context->names_list, list) {
 		/* can only match entries that have a name */
@@ -1908,14 +1912,6 @@ void __audit_inode_child(struct inode *parent,
 		}
 	}
 
-	if (!found_parent) {
-		/* create a new, "anonymous" parent record */
-		n = audit_alloc_name(context, AUDIT_TYPE_PARENT);
-		if (!n)
-			return;
-		audit_copy_inode(n, NULL, parent);
-	}
-
 	if (!found_child) {
 		found_child = audit_alloc_name(context, type);
 		if (!found_child)
@@ -1924,11 +1920,9 @@ void __audit_inode_child(struct inode *parent,
 		/* Re-use the name belonging to the slot for a matching parent
 		 * directory. All names for this context are relinquished in
 		 * audit_free_names() */
-		if (found_parent) {
-			found_child->name = found_parent->name;
-			found_child->name_len = AUDIT_NAME_FULL;
-			found_child->name->refcnt++;
-		}
+		found_child->name = found_parent->name;
+		found_child->name_len = AUDIT_NAME_FULL;
+		found_child->name->refcnt++;
 	}
 
 	if (inode)
-- 
1.7.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ