Re: [PATCH] audit: don't attempt to lookup PIDs when changing PID filtering audit rules

Commit f1dc4867 ("audit: anchor all pid references in the initial pid namespace") introduced a find_vpid() call when adding/removing audit rules with PID/PPID filters; unfortunately this is problematic as find_vpid() only works if there is a task with the associated PID alive on the system. The following commands demonstrate a simple reproducer. # auditctl -D # auditctl -l # autrace /bin/true # auditctl -l This patch resolves the problem by simply using the PID provided by the user without any additional validation, e.g. no calls to check to see if the task/PID exists. Cc: stable(a)vger.kernel.org # 3.15 Cc: Richard Guy Briggs <rgb(a)redhat.com&gt; Signed-off-by: Paul Moore <pmoore(a)redhat.com&gt; --- kernel/auditfilter.c | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index 8e9bc9c..b2e63ba 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -433,19 +433,6 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, f->val = 0; } - if ((f->type == AUDIT_PID) || (f->type == AUDIT_PPID)) { - struct pid *pid; - rcu_read_lock(); - pid = find_vpid(f->val); - if (!pid) { - rcu_read_unlock(); - err = -ESRCH; - goto exit_free; - } - f->val = pid_nr(pid); - rcu_read_unlock(); - } - err = audit_field_valid(entry, f); if (err) goto exit_free; -- Linux-audit mailing list Linux-audit(a)redhat.com https://www.redhat.com/mailman/listinfo/linux-audit