Re: [PATCH] audit: catch errors from audit_filter_rules field checks

From: Paul Moore
Date: Mon Jun 27 2016 - 15:58:37 EST


On Thu, Jun 16, 2016 at 5:07 PM, Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
> On Tue, Jun 14, 2016 at 5:03 PM, Richard Guy Briggs <rgb@xxxxxxxxxx> wrote:
>> In the case of an error returned from a field check in an audit filter
>> syscall rule, it is treated as a match and the rule action is honoured.
>>
>> This could cause a rule with a default of NEVER and an selinux field
>> check error to avoid logging.
>>
>> Recommend matching with an action of ALWAYS to catch malicious abuse of
>> this bug. The downside of this approach is it could DoS the audit
>> subsystem.
>
> I understand your concern about the DoS, but in reality it is no worse
> than if no audit filter rules were configured, yes?

Just following up on this since I don't recall seeing a response ...

>> Signed-off-by: Richard Guy Briggs <rgb@xxxxxxxxxx>
>> ---
>> kernel/auditsc.c | 4 ++++
>> 1 files changed, 4 insertions(+), 0 deletions(-)
>>
>> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
>> index 71e14d8..6123672 100644
>> --- a/kernel/auditsc.c
>> +++ b/kernel/auditsc.c
>> @@ -683,6 +683,10 @@ static int audit_filter_rules(struct task_struct *tsk,
>> }
>> if (!result)
>> return 0;
>> + if (result < 0) {
>> + *state = AUDIT_RECORD_CONTEXT;
>> + return 1;
>> + }
>> }
>>
>> if (ctx) {
>
> --
> paul moore
> www.paul-moore.com



--
paul moore
www.paul-moore.com