audit-ptrace patch (untested)

Stephen Smalley sds at tycho.nsa.gov
Tue Mar 6 14:46:14 UTC 2007


On Mon, 2007-03-05 at 09:50 -0500, Alexander Viro wrote:
> That one is on top of security_getprocattr() patch.  See bz#228384...
> 
<snip>
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 89875b2..c8465ea 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
<snip>
> @@ -1874,6 +1887,13 @@ int audit_sockaddr(int len, void *a)
>  	return 0;
>  }
>  
> +void __audit_ptrace(struct task_struct *t)
> +{
> +	struct audit_context *context = current->audit_context;
> +	context->target_pid = t->pid;
> +	security_getprocattr(t, "current", &context->obj_ctx);
> +}
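Review bot: the return value of security_getprocattr() is discarded in __audit_ptrace(), so if the fetch fails (for example the permission denial described below when current != t) context->obj_ctx is left in whatever state the hook leaves it, and the audit record will be built from an unset or stale pointer; check the return and leave context->obj_ctx NULL (or record the failure) when it is non-zero. In the same function, current->audit_context is dereferenced without a NULL check; unless the caller not shown in this hunk guarantees an audit context exists, a task without one will oops on the context->target_pid store.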

This will trigger a permission check in selinux_getprocattr, because
current != t.  So the audit system could be prevented from fetching the
context in this way based on the current task's permissions.  As with
the prior patch, I'd suggest using security_task_getsecid() and
security_secid_to_secctx() [or their selinux-specific equivalents,
selinux_get_task_sid and selinux_sid_to_string, already in use by audit]
instead for such internal access to security contexts.

-- 
Stephen Smalley
National Security Agency
