lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAHC9VhRWq-iW4kKkhKLiORSVtDXyeWNLyGX1wcmT4LwuoDiDgw@mail.gmail.com>
Date:   Thu, 8 Feb 2018 18:58:56 -0500
From:   Paul Moore <paul@...l-moore.com>
To:     Richard Guy Briggs <rgb@...hat.com>
Cc:     linux-audit@...hat.com, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] audit: deprecate the AUDIT_FILTER_ENTRY filter

On Wed, Feb 7, 2018 at 6:24 AM, Richard Guy Briggs <rgb@...hat.com> wrote:
> The audit entry filter has been long deprecated with userspace support
> finally removed in audit-v2.6.7 and plans to remove kernel support have
> existed since kernel-v2.6.31.
> Remove it.
>
> Passes audit-testsuite.
>
> See: https://github.com/linux-audit/audit-kernel/issues/6
> Signed-off-by: Richard Guy Briggs <rgb@...hat.com>
> ---
>  kernel/auditfilter.c | 4 ++--
>  kernel/auditsc.c     | 3 ++-
>  2 files changed, 4 insertions(+), 3 deletions(-)
>
> diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
> index 4a1758a..1bbf5de 100644
> --- a/kernel/auditfilter.c
> +++ b/kernel/auditfilter.c
> @@ -258,8 +258,8 @@ static inline struct audit_entry *audit_to_entry_common(struct audit_rule_data *
>                 goto exit_err;
>  #ifdef CONFIG_AUDITSYSCALL
>         case AUDIT_FILTER_ENTRY:
> -               if (rule->action == AUDIT_ALWAYS)
> -                       goto exit_err;
> +               pr_err("AUDIT_FILTER_ENTRY is deprecated\n");
> +               goto exit_err;
>         case AUDIT_FILTER_EXIT:
>         case AUDIT_FILTER_TASK:
>  #endif
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index e80459f..9348302 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -1530,7 +1530,8 @@ void __audit_syscall_entry(int major, unsigned long a1, unsigned long a2,
>         context->dummy = !audit_n_rules;
>         if (!context->dummy && state == AUDIT_BUILD_CONTEXT) {
>                 context->prio = 0;
> -               state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_ENTRY]);
> +               if (auditd_test_task(tsk))
> +                       return;

Since we are removing the call to audit_filter_syscall() entirely -
which would appear to be the right thing - I wonder if it would be a
good idea to move the auditd_test_task() check earlier in the function
(fail early).  I'm thinking up where we check audit_enabled, before we
start populating context.

>         }
>         if (state == AUDIT_DISABLED)
>                 return;
> --
> 1.8.3.1
>
> --
> Linux-audit mailing list
> Linux-audit@...hat.com
> https://www.redhat.com/mailman/listinfo/linux-audit

-- 
paul moore
www.paul-moore.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ