On Tue, Dec 31, 2019 at 2:51 PM Richard Guy Briggs <rgb(a)redhat.com> wrote:
> Clamp the depth of audit container identifier nesting to limit the
> netlink and disk bandwidth used and to prevent losing information from
> record text size overflow in the contid field.
>
> Add a configuration parameter AUDIT_STATUS_CONTID_DEPTH_LIMIT (0x80) to
> set the audit container identifier depth limit. This can be used to
> prevent overflow of the contid field in CONTAINER_OP and CONTAINER_ID
> messages, losing information, and to limit bandwidth used by these
> messages.
>
> Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
> ---
> include/uapi/linux/audit.h | 2 ++
> kernel/audit.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++
> kernel/audit.h | 2 ++
> 3 files changed, 50 insertions(+)
Since setting an audit container ID, and hence acting as an
orchestrator and creating a new nested level of audit container IDs,
is a privileged operation, I think we can equate this to the infamous
"shooting oneself in the foot" problem. Let's leave this limitation
out of the patchset for now; if it becomes a problem in the future we
can consider restricting the nesting depth.
--
paul moore
www.paul-moore.com