lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Fri, 9 Feb 2018 04:21:39 -0500
From:   Richard Guy Briggs <rgb@...hat.com>
To:     Paul Moore <paul@...l-moore.com>
Cc:     linux-audit@...hat.com, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] audit: deprecate the AUDIT_FILTER_ENTRY filter

On 2018-02-08 18:58, Paul Moore wrote:
> On Wed, Feb 7, 2018 at 6:24 AM, Richard Guy Briggs <rgb@...hat.com> wrote:
> > The audit entry filter has been long deprecated with userspace support
> > finally removed in audit-v2.6.7 and plans to remove kernel support have
> > existed since kernel-v2.6.31.
> > Remove it.
> >
> > Passes audit-testsuite.
> >
> > See: https://github.com/linux-audit/audit-kernel/issues/6
> > Signed-off-by: Richard Guy Briggs <rgb@...hat.com>
> > ---
> >  kernel/auditfilter.c | 4 ++--
> >  kernel/auditsc.c     | 3 ++-
> >  2 files changed, 4 insertions(+), 3 deletions(-)
> >
> > diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
> > index 4a1758a..1bbf5de 100644
> > --- a/kernel/auditfilter.c
> > +++ b/kernel/auditfilter.c
> > @@ -258,8 +258,8 @@ static inline struct audit_entry *audit_to_entry_common(struct audit_rule_data *
> >                 goto exit_err;
> >  #ifdef CONFIG_AUDITSYSCALL
> >         case AUDIT_FILTER_ENTRY:
> > -               if (rule->action == AUDIT_ALWAYS)
> > -                       goto exit_err;
> > +               pr_err("AUDIT_FILTER_ENTRY is deprecated\n");
> > +               goto exit_err;
> >         case AUDIT_FILTER_EXIT:
> >         case AUDIT_FILTER_TASK:
> >  #endif
> > diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> > index e80459f..9348302 100644
> > --- a/kernel/auditsc.c
> > +++ b/kernel/auditsc.c
> > @@ -1530,7 +1530,8 @@ void __audit_syscall_entry(int major, unsigned long a1, unsigned long a2,
> >         context->dummy = !audit_n_rules;
> >         if (!context->dummy && state == AUDIT_BUILD_CONTEXT) {
> >                 context->prio = 0;
> > -               state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_ENTRY]);
> > +               if (auditd_test_task(tsk))
> > +                       return;
> 
> Since we are removing the call to audit_filter_syscall() entirely -
> which would appear to be the right thing - I wonder if it would be a
> good idea to move the auditd_test_task() check earlier in the function
> (fail early).  I'm thinking up where we check audit_enabled, before we
> start populating context.

Ok, agreed, along some other minor code shuffles.

> >         }
> >         if (state == AUDIT_DISABLED)
> >                 return;
> > --
> 
> paul moore

- RGB

--
Richard Guy Briggs <rgb@...hat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ