Merge branch 'audit.b32' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit-current
* 'audit.b32' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit-current: [PATCH] message types updated [PATCH] name_count array overrun [PATCH] PPID filtering fix [PATCH] arch filter lists with < or > should not be accepted
commit
18e6756a6b
|
@ -75,7 +75,7 @@
|
|||
#define AUDIT_DAEMON_CONFIG 1203 /* Daemon config change */
|
||||
|
||||
#define AUDIT_SYSCALL 1300 /* Syscall event */
|
||||
#define AUDIT_FS_WATCH 1301 /* Filesystem watch event */
|
||||
/* #define AUDIT_FS_WATCH 1301 * Deprecated */
|
||||
#define AUDIT_PATH 1302 /* Filename path information */
|
||||
#define AUDIT_IPC 1303 /* IPC record */
|
||||
#define AUDIT_SOCKETCALL 1304 /* sys_socketcall arguments */
|
||||
|
@ -88,6 +88,7 @@
|
|||
#define AUDIT_MQ_SENDRECV 1313 /* POSIX MQ send/receive record type */
|
||||
#define AUDIT_MQ_NOTIFY 1314 /* POSIX MQ notify record type */
|
||||
#define AUDIT_MQ_GETSETATTR 1315 /* POSIX MQ get/set attribute record type */
|
||||
#define AUDIT_KERNEL_OTHER 1316 /* For use by 3rd party modules */
|
||||
|
||||
#define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
|
||||
#define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
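Review bot: Commenting out `AUDIT_FS_WATCH` drops the name but leaves nothing that says 1301 must not be handed to a new record type. Logs from kernels that still emitted it would presumably be misread by parsers and detection rules if the number were ever reused. The replacement line `/* #define AUDIT_FS_WATCH 1301 * Deprecated */` is also hard to read because of the stray `*` in the middle. I would write `/* 1301 was AUDIT_FS_WATCH (deprecated); number stays reserved, do not reuse */` instead.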
|
||||
|
|
|
@ -411,7 +411,6 @@ static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule)
|
|||
case AUDIT_FSGID:
|
||||
case AUDIT_LOGINUID:
|
||||
case AUDIT_PERS:
|
||||
case AUDIT_ARCH:
|
||||
case AUDIT_MSGTYPE:
|
||||
case AUDIT_PPID:
|
||||
case AUDIT_DEVMAJOR:
|
||||
|
@ -423,6 +422,14 @@ static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule)
|
|||
case AUDIT_ARG2:
|
||||
case AUDIT_ARG3:
|
||||
break;
|
||||
/* arch is only allowed to be = or != */
|
||||
case AUDIT_ARCH:
|
||||
if ((f->op != AUDIT_NOT_EQUAL) && (f->op != AUDIT_EQUAL)
|
||||
&& (f->op != AUDIT_NEGATE) && (f->op)) {
|
||||
err = -EINVAL;
|
||||
goto exit_free;
|
||||
}
|
||||
break;
|
||||
case AUDIT_PERM:
|
||||
if (f->val & ~15)
|
||||
goto exit_free;
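Review bot: The comment `/* arch is only allowed to be = or != */` does not match the test under it, which also lets `AUDIT_NEGATE` and an op of zero through. If those two are accepted on purpose for old-format rules, say so in the comment, e.g. `/* arch: only = or != (legacy AUDIT_NEGATE and "no operator" are also accepted) */`. Otherwise drop them from the condition so the code enforces what the comment states. audit_rule_to_entry starts and ends outside this hunk, so it cannot be seen here whether `err` already holds -EINVAL on the neighbouring `goto exit_free` paths such as `AUDIT_PERM`.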
|
||||
|
|
|
@ -278,8 +278,11 @@ static int audit_filter_rules(struct task_struct *tsk,
|
|||
result = audit_comparator(tsk->pid, f->op, f->val);
|
||||
break;
|
||||
case AUDIT_PPID:
|
||||
if (ctx)
|
||||
if (ctx) {
|
||||
if (!ctx->ppid)
|
||||
ctx->ppid = sys_getppid();
|
||||
result = audit_comparator(ctx->ppid, f->op, f->val);
|
||||
}
|
||||
break;
|
||||
case AUDIT_UID:
|
||||
result = audit_comparator(tsk->uid, f->op, f->val);
|
||||
|
@ -795,7 +798,8 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
|
|||
|
||||
/* tsk == current */
|
||||
context->pid = tsk->pid;
|
||||
context->ppid = sys_getppid(); /* sic. tsk == current in all cases */
|
||||
if (!context->ppid)
|
||||
context->ppid = sys_getppid();
|
||||
context->uid = tsk->uid;
|
||||
context->gid = tsk->gid;
|
||||
context->euid = tsk->euid;
|
||||
|
@ -1137,6 +1141,7 @@ void audit_syscall_entry(int arch, int major,
|
|||
context->ctime = CURRENT_TIME;
|
||||
context->in_syscall = 1;
|
||||
context->auditable = !!(state == AUDIT_RECORD_CONTEXT);
|
||||
context->ppid = 0;
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -1352,7 +1357,13 @@ void __audit_inode_child(const char *dname, const struct inode *inode,
|
|||
}
|
||||
|
||||
update_context:
|
||||
idx = context->name_count++;
|
||||
idx = context->name_count;
|
||||
if (context->name_count == AUDIT_NAMES) {
|
||||
printk(KERN_DEBUG "name_count maxed and losing %s\n",
|
||||
found_name ?: "(null)");
|
||||
return;
|
||||
}
|
||||
context->name_count++;
|
||||
#if AUDIT_DEBUG
|
||||
context->ino_count++;
|
||||
#endif
|
||||
|
@ -1370,7 +1381,16 @@ update_context:
|
|||
/* A parent was not found in audit_names, so copy the inode data for the
|
||||
* provided parent. */
|
||||
if (!found_name) {
|
||||
idx = context->name_count++;
|
||||
idx = context->name_count;
|
||||
if (context->name_count == AUDIT_NAMES) {
|
||||
printk(KERN_DEBUG
|
||||
"name_count maxed and losing parent inode data: dev=%02x:%02x, inode=%lu",
|
||||
MAJOR(parent->i_sb->s_dev),
|
||||
MINOR(parent->i_sb->s_dev),
|
||||
parent->i_ino);
|
||||
return;
|
||||
}
|
||||
context->name_count++;
|
||||
#if AUDIT_DEBUG
|
||||
context->ino_count++;
|
||||
#endif
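Review bot: The new bound test `if (context->name_count == AUDIT_NAMES)` in both update_context hunks stops the overrun only when the counter lands exactly on the limit. `if (context->name_count >= AUDIT_NAMES)` would also hold if some other path ever pushed the count past it. The second `printk` format string, `"name_count maxed and losing parent inode data: dev=%02x:%02x, inode=%lu"`, lacks the trailing `\n` that the first message has. Both messages are logged at `KERN_DEBUG`, so on a typical system the audit record loses its path or parent inode data without anyone being told; a level operators actually see, with a short comment on why dropping is acceptable, would help. __audit_inode_child begins and ends outside these hunks.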
|
||||
|
|