[PATCH] audit: don't attempt to lookup PIDs when changing PID filtering audit rules
Richard Guy Briggs
rgb at redhat.com
Mon Dec 15 18:50:57 UTC 2014
On 14/12/15, Eric Paris wrote:
> Lets say I and in the non-init pid namespace.
>
> I run audictl -a exit,always -S all -F pid=1
That's easy (for now). Line 675 of kernel/audit.c in audit_netlink_ok()
called from audit_receive_msg() will prevent that with:
if ((task_active_pid_ns(current) != &init_pid_ns))
return -EPERM;
> Is the audit system going to show records for what I think is pid=1 or
> what the initial pid namespace thinks is pid=1 ?
Longer term this will need to be solved if we want to run
commands requiring CAP_AUDIT_CONTROL in a container.
I've still got outstanding patches to store PIDs as struct pid rather
than pid_t, so this was part of the motivation to start that in this
code.
> Which is correct? (hint, it's impossible to know pids above my
> namespace, or even to know what pid the process in question thinks it
> is, since it could be below my namespace)
>
> I won't pretend this is easy to solve.
At the moment, this patch will solve this problem. It is also arguably
more necessary on AUDIT_ADD_RULE than for AUDIT_DEL_RULE.
> Steve et al. What do you think of maybe having pid= rules automatically
> removed when the pid goes away? I can't think of another way to handle
> this (although the perf hit might be so stupidly high....)
That makes sense, as the same is done for paths that vanish.
> On Mon, 2014-12-15 at 12:14 -0500, Paul Moore wrote:
> > Commit f1dc4867 ("audit: anchor all pid references in the initial pid
> > namespace") introduced a find_vpid() call when adding/removing audit
> > rules with PID/PPID filters; unfortunately this is problematic as
> > find_vpid() only works if there is a task with the associated PID
> > alive on the system. The following commands demonstrate a simple
> > reproducer.
> >
> > # auditctl -D
> > # auditctl -l
> > # autrace /bin/true
> > # auditctl -l
> >
> > This patch resolves the problem by simply using the PID provided by
> > the user without any additional validation, e.g. no calls to check to
> > see if the task/PID exists.
> >
> > Cc: stable at vger.kernel.org # 3.15
> > Cc: Richard Guy Briggs <rgb at redhat.com>
> > Signed-off-by: Paul Moore <pmoore at redhat.com>
> > ---
> > kernel/auditfilter.c | 13 -------------
> > 1 file changed, 13 deletions(-)
> >
> > diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
> > index 8e9bc9c..b2e63ba 100644
> > --- a/kernel/auditfilter.c
> > +++ b/kernel/auditfilter.c
> > @@ -433,19 +433,6 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
> > f->val = 0;
> > }
> >
> > - if ((f->type == AUDIT_PID) || (f->type == AUDIT_PPID)) {
> > - struct pid *pid;
> > - rcu_read_lock();
> > - pid = find_vpid(f->val);
> > - if (!pid) {
> > - rcu_read_unlock();
> > - err = -ESRCH;
> > - goto exit_free;
> > - }
> > - f->val = pid_nr(pid);
> > - rcu_read_unlock();
> > - }
> > -
> > err = audit_field_valid(entry, f);
> > if (err)
> > goto exit_free;
> >
> > --
> > Linux-audit mailing list
> > Linux-audit at redhat.com
> > https://www.redhat.com/mailman/listinfo/linux-audit
>
>
- RGB
--
Richard Guy Briggs <rbriggs at redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
More information about the Linux-audit
mailing list