Re: 3.6-rc4 audit_log_d_path oops.

From: Kees Cook
Date: Thu Sep 06 2012 - 13:50:20 EST


On Thu, Sep 6, 2012 at 9:45 AM, Dave Jones <davej@xxxxxxxxxx> wrote:
> On Thu, Sep 06, 2012 at 09:32:49AM -0700, Kees Cook wrote:
> > > I just realised, the funny thing about this is that the machine running that test
> > > had selinux/audit disabled. And yet here we are, screwing around with audit buffers.
> >
> > The intent was to have this message show up in dmesg even if auditd
> > wasn't running, and even if the specific process wasn't being
> > explicitly audited.
> >
> > > Should there be a test on audit_enable=0 in audit_log_link_denied() ?
> > >
> > > I'm now curious how much more of the audit code is getting run through similar lack of tests
> >
> > What is the condition in which audit_log_start fails?
>
> in the case of that oops, given I had booted with audit=0, I suspect it was hitting the first check...
>
> 1157 if (audit_initialized != AUDIT_INITIALIZED)
> 1158 return NULL;

Ah-ha, okay. Yeah, I'm fine with the fix you had. If _start fails, just return.

-Kees

--
Kees Cook
Chrome OS Security
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/