[PATCH 2/2] audit signal recipients (v2)

Eric Paris eparis at redhat.com
Tue Feb 27 20:41:42 UTC 2007 

On Fri, 2007-02-23 at 17:51 -0500, Amy Griffis wrote:

> diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
> index 3749193..b90d121 100644
> --- a/kernel/auditfilter.c
> +++ b/kernel/auditfilter.c
> @@ -1171,7 +1171,7 @@ static inline int audit_add_rule(struct audit_entry *entry,
>  	struct nameidata *ndp, *ndw;
>  	int h, err, putnd_needed = 0;
>  #ifdef CONFIG_AUDITSYSCALL
> -	int dont_count = 0;
> +	int i, dont_count = 0;
>  
>  	/* If either of these, don't count towards total */
>  	if (entry->rule.listnr == AUDIT_FILTER_USER ||
> @@ -1221,6 +1221,11 @@ static inline int audit_add_rule(struct audit_entry *entry,
>  #ifdef CONFIG_AUDITSYSCALL
>  	if (!dont_count)
>  		audit_n_rules++;
> +
> +	for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
> +		if ((entry->rule.mask[i] & classes[AUDIT_CLASS_SIGNAL][i]) ||
> +		    (entry->rule.mask[i] & classes[AUDIT_CLASS_SIGNAL_32][i]))
> +			audit_signals++;
>  #endif
>  	mutex_unlock(&audit_filter_mutex);
>  
> @@ -1247,7 +1252,7 @@ static inline int audit_del_rule(struct audit_entry *entry,
>  	LIST_HEAD(inotify_list);
>  	int h, ret = 0;
>  #ifdef CONFIG_AUDITSYSCALL
> -	int dont_count = 0;
> +	int i, dont_count = 0;
>  
>  	/* If either of these, don't count towards total */
>  	if (entry->rule.listnr == AUDIT_FILTER_USER ||
> @@ -1294,6 +1299,11 @@ static inline int audit_del_rule(struct audit_entry *entry,
>  #ifdef CONFIG_AUDITSYSCALL
>  	if (!dont_count)
>  		audit_n_rules--;
> +
> +	for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
> +		if ((entry->rule.mask[i] & classes[AUDIT_CLASS_SIGNAL][i]) ||
> +		    (entry->rule.mask[i] & classes[AUDIT_CLASS_SIGNAL_32][i]))
> +			audit_signals--;
>  #endif
>  	mutex_unlock(&audit_filter_mutex);

Since AUDIT_CLASS_SIGNAL_32 is not defined on i686 (see patch 1/2 the
patch to lib/audit.c which i686 uses) the second part of this or
statement is referencing way beyond the end of the classes array.  I'm
investigating the right way to decide what we should be comparing
against across all arches, but maybe you will find it first.

-Eric

More information about the Linux-audit mailing list