Commit 3640dcfa authored Dec 19, 2014 by Paul Moore

audit: don't attempt to lookup PIDs when changing PID filtering audit rules



Commit f1dc4867 ("audit: anchor all pid references in the initial pid
namespace") introduced a find_vpid() call when adding/removing audit
rules with PID/PPID filters; unfortunately this is problematic as
find_vpid() only works if there is a task with the associated PID
alive on the system.  The following commands demonstrate a simple
reproducer.

	# auditctl -D
	# auditctl -l
	# autrace /bin/true
	# auditctl -l

This patch resolves the problem by simply using the PID provided by
the user without any additional validation, e.g. no calls to check to
see if the task/PID exists.

Cc: stable@vger.kernel.org # 3.15
Cc: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
Acked-by: Eric Paris <eparis@redhat.com>
Reviewed-by: Richard Guy Briggs <rgb@redhat.com>

parent 0f7e94ee

kernel/auditfilter.c

+0 −13

Original line number	Diff line number	Diff line
		@@ -444,19 +444,6 @@ static struct audit_entry audit_data_to_entry(struct audit_rule_data data,
		f->val = 0;
		}

		if ((f->type == AUDIT_PID) \|\| (f->type == AUDIT_PPID)) {
		struct pid *pid;
		rcu_read_lock();
		pid = find_vpid(f->val);
		if (!pid) {
		rcu_read_unlock();
		err = -ESRCH;
		goto exit_free;
		}
		f->val = pid_nr(pid);
		rcu_read_unlock();
		}

		err = audit_field_valid(entry, f);
		if (err)
		goto exit_free;

Admin message