Re: [PATCH] audit: catch errors from audit_filter_rules field checks
On Tue, Jun 14, 2016 at 5:03 PM, Richard Guy Briggs <rgb(a)redhat.com> wrote:
In the case of an error returned from a field check in an audit
filter
syscall rule, it is treated as a match and the rule action is honoured.
This could cause a rule with a default of NEVER and an selinux field
check error to avoid logging.
Recommend matching with an action of ALWAYS to catch malicious abuse of
this bug. The downside of this approach is it could DoS the audit
subsystem.
I understand your concern about the DoS, but in reality it is no worse
than if no audit filter rules were configured, yes?
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
kernel/auditsc.c | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 71e14d8..6123672 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -683,6 +683,10 @@ static int audit_filter_rules(struct task_struct *tsk,
}
if (!result)
return 0;
+ if (result < 0) {
+ *state = AUDIT_RECORD_CONTEXT;
+ return 1;
+ }
}
if (ctx) {
--
paul moore
www.paul-moore.com