Re: [PATCH ghak90 V8 14/16] audit: check contid depth and add limit config param
From: Paul Moore
Date: Wed Jan 22 2020 - 16:29:41 EST
On Tue, Dec 31, 2019 at 2:51 PM Richard Guy Briggs <rgb@xxxxxxxxxx> wrote:
>
> Clamp the depth of audit container identifier nesting to limit the
> netlink and disk bandwidth used and to prevent losing information from
> record text size overflow in the contid field.
>
> Add a configuration parameter AUDIT_STATUS_CONTID_DEPTH_LIMIT (0x80) to
> set the audit container identifier depth limit. This can be used to
> prevent overflow of the contid field in CONTAINER_OP and CONTAINER_ID
> messages, losing information, and to limit bandwidth used by these
> messages.
>
> Signed-off-by: Richard Guy Briggs <rgb@xxxxxxxxxx>
> ---
> include/uapi/linux/audit.h | 2 ++
> kernel/audit.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++
> kernel/audit.h | 2 ++
> 3 files changed, 50 insertions(+)
Since setting an audit container ID, and hence acting as an
orchestrator and creating a new nested level of audit container IDs,
is a privileged operation I think we can equate this to the infamous
"shooting oneself in the foot" problem. Let's leave this limitation
out of the patchset for now, if it becomes a problem in the future we
can consider restricting the nesting depth.
--
paul moore
www.paul-moore.com