On Thu, Jun 16, 2016 at 5:07 PM, Paul Moore <paul(a)paul-moore.com> wrote:
On Tue, Jun 14, 2016 at 5:03 PM, Richard Guy Briggs
<rgb(a)redhat.com> wrote:
> In the case of an error returned from a field check in an audit filter
> syscall rule, it is treated as a match and the rule action is honoured.
>
> This could cause a rule with a default of NEVER and an selinux field
> check error to avoid logging.
>
> Recommend matching with an action of ALWAYS to catch malicious abuse of
> this bug. The downside of this approach is it could DoS the audit
> subsystem.
I understand your concern about the DoS, but in reality it is no worse
than if no audit filter rules were configured, yes?
Just following up on this since I don't recall seeing a response ...
> Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
> ---
> kernel/auditsc.c | 4 ++++
> 1 files changed, 4 insertions(+), 0 deletions(-)
>
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 71e14d8..6123672 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -683,6 +683,10 @@ static int audit_filter_rules(struct task_struct *tsk,
> }
> if (!result)
> return 0;
> + if (result < 0) {
> + *state = AUDIT_RECORD_CONTEXT;
> + return 1;
> + }
> }
>
> if (ctx) {
--
paul moore
www.paul-moore.com
--
paul moore
www.paul-moore.com