diff options
author | Eric Paris <eparis@redhat.com> | 2006-09-28 17:46:21 -0400 |
---|---|---|
committer | Al Viro <viro@zeniv.linux.org.uk> | 2006-10-04 08:31:16 -0400 |
commit | 4b8a311bb161a3bd2ab44311f42c526b6dc76270 (patch) | |
tree | a2a269d8292ebcb8020c6748dad340bf74566979 | |
parent | 78b656b8bf933101b42409b4492734b23427bfc3 (diff) |
[PATCH] arch filter lists with < or > should not be accepted
Currently the kernel audit system represents arch's as numbers and will
gladly accept comparisons between archs using >, <, >=, <= when the only
thing that makes sense is = or !=. I'm told that the next revision of
auditctl will do this checking but this will provide enforcement in the
kernel even for old userspace. A simple command to show the issue would
be to run
auditctl -d entry,always -F arch>i686 -S chmod
with this patch the kernel will reject this with -EINVAL
Please comment/ack/nak as soon as possible.
-Eric
kernel/auditfilter.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-rw-r--r-- | kernel/auditfilter.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index 1a58a81fb09..4f40d923af8 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -411,7 +411,6 @@ static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule) case AUDIT_FSGID: case AUDIT_LOGINUID: case AUDIT_PERS: - case AUDIT_ARCH: case AUDIT_MSGTYPE: case AUDIT_PPID: case AUDIT_DEVMAJOR: @@ -423,6 +422,14 @@ static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule) case AUDIT_ARG2: case AUDIT_ARG3: break; + /* arch is only allowed to be = or != */ + case AUDIT_ARCH: + if ((f->op != AUDIT_NOT_EQUAL) && (f->op != AUDIT_EQUAL) + && (f->op != AUDIT_NEGATE) && (f->op)) { + err = -EINVAL; + goto exit_free; + } + break; case AUDIT_PERM: if (f->val & ~15) goto exit_free; |