[PATCH] arch filter lists with < or > should not be accepted
Currently the kernel audit system represents arch's as numbers and will gladly accept comparisons between archs using >, <, >=, <= when the only thing that makes sense is = or !=. I'm told that the next revision of auditctl will do this checking but this will provide enforcement in the kernel even for old userspace. A simple command to show the issue would be to run auditctl -d entry,always -F arch>i686 -S chmod with this patch the kernel will reject this with -EINVAL Please comment/ack/nak as soon as possible. -Eric kernel/auditfilter.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
This commit is contained in:
Eric Paris
Al Viro
parent
78b656b8bf
commit
4b8a311bb1
|
|
@ -411,7 +411,6 @@ static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule)
|
|||
case AUDIT_FSGID:
|
||||
case AUDIT_LOGINUID:
|
||||
case AUDIT_PERS:
|
||||
case AUDIT_ARCH:
|
||||
case AUDIT_MSGTYPE:
|
||||
case AUDIT_PPID:
|
||||
case AUDIT_DEVMAJOR:
|
||||
|
|
@ -423,6 +422,14 @@ static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule)
|
|||
case AUDIT_ARG2:
|
||||
case AUDIT_ARG3:
|
||||
break;
|
||||
/* arch is only allowed to be = or != */
|
||||
case AUDIT_ARCH:
|
||||
if ((f->op != AUDIT_NOT_EQUAL) && (f->op != AUDIT_EQUAL)
|
||||
&& (f->op != AUDIT_NEGATE) && (f->op)) {
|
||||
err = -EINVAL;
|
||||
goto exit_free;
|
||||
}
|
||||
break;
|
||||
case AUDIT_PERM:
|
||||
if (f->val & ~15)
|
||||
goto exit_free;
|
||||
|
|
|
|||
Reference in New Issue