On Tue, Apr 30, 2019 at 1:01 PM Richard Guy Briggs <rgb(a)redhat.com> wrote:
> On 2019-04-27 10:09, Paul Moore wrote:
> > On Fri, Apr 26, 2019 at 1:00 PM Richard Guy Briggs <rgb(a)redhat.com> wrote:
...
> > Beyond that, looking at the patch below it seems like there is an
> > obvious omission regarding validating the address families; some
> > updates to audit_field_valid() to verify that the specified address
> > family is greater than AF_UNSPEC and less than AF_MAX would be good to
> > have.
>
> I thought of that and as you can see had added it to the userspace code
> that accompanies it. There isn't really any harm to allow it to go
> outside those address family limits if someone really wants to do that.

I see it as a usability issue. In general terms, we shouldn't allow
admins to add a nonsense filter rule to the kernel, and we shouldn't
rely on the userspace to catch everything.
--
paul moore
www.paul-moore.com