[PATCH ghak82 v2] audit: Fix extended comparison of GID/EGID
by Ondrej Mosnacek
The audit_filter_rules() function in auditsc.c used the in_[e]group_p()
functions to check GID/EGID match, but these functions use the current
task's credentials, while the comparison should use the credentials of
the task given to audit_filter_rules() as a parameter (tsk).
Note that we can use groups_search(cred->group_info, ...) as a
replacement for both in_group_p and in_egroup_p as these functions only
compare the parameter to cred->fsgid/egid and then call groups_search.
In fact, the usage of in_group_p was even more incorrect: it compares to
cred->fsgid (which is usually equal to cred->egid) and not cred->gid.
GitHub issue:
https://github.com/linux-audit/audit-kernel/issues/82
Fixes: 37eebe39c973 ("audit: improve GID/EGID comparation logic")
Signed-off-by: Ondrej Mosnacek <omosnace(a)redhat.com>
---
kernel/auditsc.c | 26 ++++++++++++--------------
1 file changed, 12 insertions(+), 14 deletions(-)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index ceb1c4596c51..3a324ca2fd20 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -492,23 +492,21 @@ static int audit_filter_rules(struct task_struct *tsk,
break;
case AUDIT_GID:
result = audit_gid_comparator(cred->gid, f->op, f->gid);
- if (f->op == Audit_equal) {
- if (!result)
- result = in_group_p(f->gid);
- } else if (f->op == Audit_not_equal) {
- if (result)
- result = !in_group_p(f->gid);
- }
+ if (f->op == Audit_equal)
+ result = result ||
+ groups_search(cred->group_info, f->gid);
+ else if (f->op == Audit_not_equal)
+ result = result &&
+ !groups_search(cred->group_info, f->gid);
break;
case AUDIT_EGID:
result = audit_gid_comparator(cred->egid, f->op, f->gid);
- if (f->op == Audit_equal) {
- if (!result)
- result = in_egroup_p(f->gid);
- } else if (f->op == Audit_not_equal) {
- if (result)
- result = !in_egroup_p(f->gid);
- }
+ if (f->op == Audit_equal)
+ result = result ||
+ groups_search(cred->group_info, f->gid);
+ else if (f->op == Audit_not_equal)
+ result = result &&
+ !groups_search(cred->group_info, f->gid);
break;
case AUDIT_SGID:
result = audit_gid_comparator(cred->sgid, f->op, f->gid);
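Review bot: the Audit_equal/Audit_not_equal supplementary-group handling is now duplicated verbatim in the AUDIT_GID and AUDIT_EGID arms (`result = result || groups_search(cred->group_info, f->gid);` and its `result && !groups_search(...)` counterpart); a small static helper taking the primary kgid_t and `cred->group_info` would keep the two arms from drifting apart again, which is exactly how the in_group_p/in_egroup_p mix-up crept in. Two things worth a comment in the code: the hunk relies on `cred` being the credentials of `tsk` rather than of current, which is the whole point of the fix but is not visible in this context, and for every operator other than Audit_equal/Audit_not_equal (Audit_lt, Audit_bitmask, etc.) supplementary groups are still ignored and only the primary gid/egid is compared, as before the patch.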
--
2.17.0
6 years, 6 months
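To make the credential confusion described in the commit message concrete, here is a userspace model written for this page (it is not kernel code and not part of the patch): struct cred, groups_search(), in_group_p() and audit_gid_comparator() are simplified stand-ins for their kernel namesakes, the two filter functions transcribe the pre- and post-patch AUDIT_GID arm, and all credentials and group lists are constructed test data. It shows both problems the message names: the old code consulting current's groups instead of the audited task's, and in_group_p() matching on fsgid rather than gid.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum audit_op { Audit_equal, Audit_not_equal };

/* Constructed stand-in for the kernel's struct cred plus its group_info. */
struct cred {
	unsigned gid, egid, fsgid;   /* primary real, effective, filesystem GIDs */
	const unsigned *groups;      /* supplementary groups (group_info) */
	size_t ngroups;
};

/* Model of groups_search(): is gid among this cred's supplementary groups? */
static bool groups_search(const struct cred *c, unsigned gid)
{
	for (size_t i = 0; i < c->ngroups; i++)
		if (c->groups[i] == gid)
			return true;
	return false;
}

/* The task executing the filter. in_group_p() only ever looks here. */
static const struct cred *current_cred;

/* Model of in_group_p(): compares against current's fsgid, then its groups. */
static bool in_group_p(unsigned gid)
{
	return gid == current_cred->fsgid || groups_search(current_cred, gid);
}

static int audit_gid_comparator(unsigned left, enum audit_op op, unsigned right)
{
	switch (op) {
	case Audit_equal:     return left == right;
	case Audit_not_equal: return left != right;
	}
	return 0;
}

/* Pre-patch AUDIT_GID arm: falls back to in_group_p(), i.e. current's creds. */
static int filter_gid_old(const struct cred *tsk_cred, enum audit_op op, unsigned rule_gid)
{
	int result = audit_gid_comparator(tsk_cred->gid, op, rule_gid);

	if (op == Audit_equal) {
		if (!result)
			result = in_group_p(rule_gid);
	} else if (op == Audit_not_equal) {
		if (result)
			result = !in_group_p(rule_gid);
	}
	return result;
}

/* Post-patch AUDIT_GID arm: searches the audited task's own group_info. */
static int filter_gid_new(const struct cred *tsk_cred, enum audit_op op, unsigned rule_gid)
{
	int result = audit_gid_comparator(tsk_cred->gid, op, rule_gid);

	if (op == Audit_equal)
		result = result || groups_search(tsk_cred, rule_gid);
	else if (op == Audit_not_equal)
		result = result && !groups_search(tsk_cred, rule_gid);
	return result;
}

/* Constructed scenario 1: rule "gid=1000". The audited task (tsk) is not in
 * group 1000 in any way; the task running the filter (current) is. */
static const unsigned cur_groups[] = { 1000 };
static const struct cred cur = { .gid = 0, .egid = 0, .fsgid = 0,
				 .groups = cur_groups, .ngroups = 1 };
static const unsigned tsk_groups[] = { 2000 };
static const struct cred tsk = { .gid = 3000, .egid = 3000, .fsgid = 3000,
				 .groups = tsk_groups, .ngroups = 1 };

/* Constructed scenario 2: current == tsk, but fsgid is 1000 while the real
 * gid is 3000 and 1000 is not a supplementary group. */
static const struct cred fs_tsk = { .gid = 3000, .egid = 3000, .fsgid = 1000,
				    .groups = NULL, .ngroups = 0 };

int old_matches_wrong_task(void)   { current_cred = &cur;    return filter_gid_old(&tsk, Audit_equal, 1000); }
int new_uses_audited_task(void)    { current_cred = &cur;    return filter_gid_new(&tsk, Audit_equal, 1000); }
int old_leaks_fsgid(void)          { current_cred = &fs_tsk; return filter_gid_old(&fs_tsk, Audit_equal, 1000); }
int new_ignores_fsgid(void)        { current_cred = &fs_tsk; return filter_gid_new(&fs_tsk, Audit_equal, 1000); }
int old_not_equal_wrong_task(void) { current_cred = &cur;    return filter_gid_old(&tsk, Audit_not_equal, 1000); }
int new_not_equal(void)            { current_cred = &cur;    return filter_gid_new(&tsk, Audit_not_equal, 1000); }

int main(void)
{
	printf("gid=1000, tsk not in 1000, current in 1000:  old=%d new=%d\n",
	       old_matches_wrong_task(), new_uses_audited_task());
	printf("gid=1000 reachable only via fsgid:           old=%d new=%d\n",
	       old_leaks_fsgid(), new_ignores_fsgid());
	printf("gid!=1000, tsk not in 1000, current in 1000: old=%d new=%d\n",
	       old_not_equal_wrong_task(), new_not_equal());
	return 0;
}
```

In the first scenario the old arm reports a match (and, for `!=`, a non-match) purely because the task that happens to be running the filter is in group 1000; the new arm answers from the audited task's own group list. In the second, the old arm matches a rule on gid through the filesystem GID, which the rule never asked about.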
[PATCH 0/8] IMA: work on audit records produced by IMA
by Stefan Berger
This series of patches cleans up some usages of the audit
subsystem's API by IMA and extends the audit subsystem's API
with API calls for adding new fields to the audit_buffer. Besides
that we extend the existing audit records created while parsing
IMA policy rules with fields that are common for audit records
produced by IMA. Besides that we introduce a new record type
that IMA creates while parsing policy rules.
Stefan
Stefan Berger (8):
ima: Call audit_log_string() rather than logging it untrusted
ima: Use audit_log_format() rather than audit_log_string()
audit: Implement audit_log_tty()
audit: Allow others to call audit_log_d_path_exe()
integrity: Add exe= and tty= before res= to integrity audits
integrity: Factor out common part of integrity_audit_msg()
ima: Do not audit if CONFIG_INTEGRITY_AUDIT is not set
ima: Differentiate auditing policy rules from "audit" actions
include/linux/audit.h | 10 ++++++++++
include/uapi/linux/audit.h | 3 ++-
kernel/audit.c | 8 ++++++++
security/integrity/ima/Kconfig | 1 +
security/integrity/ima/ima_policy.c | 12 ++++++++----
security/integrity/integrity.h | 26 ++++++++++++++++++++++++++
security/integrity/integrity_audit.c | 32 +++++++++++++++++++-------------
7 files changed, 74 insertions(+), 18 deletions(-)
--
2.13.6
6 years, 6 months
[RFC PATCH ghak89 V1] audit: rename FILTER_TYPE to FILTER_EXCL
by Richard Guy Briggs
The AUDIT_FILTER_TYPE name is vague and misleading due to not describing
where or when the filter is applied and obsolete due to its available
filter fields having been expanded.
Userspace has already renamed it from AUDIT_FILTER_TYPE to
AUDIT_FILTER_EXCLUDE without checking if it already exists. In order to
not cause userspace compile problems from duplicate definitions and to
more accurately and inclusively rename it in the kernel, while providing
a migration path for userspace, rename it to AUDIT_FILTER_EXCL.
See: https://github.com/linux-audit/audit-kernel/issues/89
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
include/uapi/linux/audit.h | 3 ++-
kernel/audit.c | 2 +-
kernel/auditfilter.c | 10 +++++-----
3 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 04f9bd2..45dd7ef 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -156,8 +156,9 @@
#define AUDIT_FILTER_ENTRY 0x02 /* Apply rule at syscall entry */
#define AUDIT_FILTER_WATCH 0x03 /* Apply rule to file system watches */
#define AUDIT_FILTER_EXIT 0x04 /* Apply rule at syscall exit */
-#define AUDIT_FILTER_TYPE 0x05 /* Apply rule at audit_log_start */
+#define AUDIT_FILTER_EXCL 0x05 /* Apply rule at audit_log_start */
#define AUDIT_FILTER_FS 0x06 /* Apply rule at __audit_inode_child */
+#define AUDIT_FILTER_TYPE AUDIT_FILTER_EXCL /* obsolete misleading naming */
#define AUDIT_NR_FILTERS 7
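Review bot: the compatibility alias `#define AUDIT_FILTER_TYPE AUDIT_FILTER_EXCL` is inserted between AUDIT_FILTER_FS and AUDIT_NR_FILTERS, which breaks the ascending numeric order of the list and makes it read like an extra list; move it directly under AUDIT_FILTER_EXCL or into a separate deprecated block, and have the comment say it is kept for userspace source compatibility (the stated migration path) rather than only "obsolete misleading naming". AUDIT_NR_FILTERS correctly stays 7, since no new list value is introduced.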
diff --git a/kernel/audit.c b/kernel/audit.c
index 3a18e59..089cede 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1754,7 +1754,7 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
if (audit_initialized != AUDIT_INITIALIZED)
return NULL;
- if (unlikely(!audit_filter(type, AUDIT_FILTER_TYPE)))
+ if (unlikely(!audit_filter(type, AUDIT_FILTER_EXCL)))
return NULL;
/* NOTE: don't ever fail/sleep on these two conditions:
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index eaa3201..f17a42f5 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -264,7 +264,7 @@ static inline struct audit_entry *audit_to_entry_common(struct audit_rule_data *
case AUDIT_FILTER_TASK:
#endif
case AUDIT_FILTER_USER:
- case AUDIT_FILTER_TYPE:
+ case AUDIT_FILTER_EXCL:
case AUDIT_FILTER_FS:
;
}
@@ -337,7 +337,7 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
{
switch(f->type) {
case AUDIT_MSGTYPE:
- if (entry->rule.listnr != AUDIT_FILTER_TYPE &&
+ if (entry->rule.listnr != AUDIT_FILTER_EXCL &&
entry->rule.listnr != AUDIT_FILTER_USER)
return -EINVAL;
break;
@@ -931,7 +931,7 @@ static inline int audit_add_rule(struct audit_entry *entry)
/* If any of these, don't count towards total */
switch(entry->rule.listnr) {
case AUDIT_FILTER_USER:
- case AUDIT_FILTER_TYPE:
+ case AUDIT_FILTER_EXCL:
case AUDIT_FILTER_FS:
dont_count = 1;
}
@@ -1013,7 +1013,7 @@ int audit_del_rule(struct audit_entry *entry)
/* If any of these, don't count towards total */
switch(entry->rule.listnr) {
case AUDIT_FILTER_USER:
- case AUDIT_FILTER_TYPE:
+ case AUDIT_FILTER_EXCL:
case AUDIT_FILTER_FS:
dont_count = 1;
}
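Review bot: audit_add_rule() and audit_del_rule() carry the same three-case "don't count towards total" switch, and this patch has to touch both copies; a shared static helper (e.g. one returning true for AUDIT_FILTER_USER, AUDIT_FILTER_EXCL and AUDIT_FILTER_FS) would make the rename a single-site change and prevent the two lists from diverging the next time a list is added or renamed. This is pre-existing duplication, so it could equally be a follow-up.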
@@ -1369,7 +1369,7 @@ int audit_filter(int msgtype, unsigned int listtype)
break;
}
if (result > 0) {
- if (e->rule.action == AUDIT_NEVER || listtype == AUDIT_FILTER_TYPE)
+ if (e->rule.action == AUDIT_NEVER || listtype == AUDIT_FILTER_EXCL)
ret = 0;
break;
}
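Review bot: `listtype == AUDIT_FILTER_EXCL` forcing `ret = 0` means that on the exclude list any matching rule suppresses the record regardless of `e->rule.action`, whereas on the other lists only AUDIT_NEVER does; since the rename is meant to make the list's purpose self-describing, a one-line comment here stating that the action field is ignored for the exclude list would complete the picture for the next reader.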
--
1.8.3.1
6 years, 6 months