Commit af85d177 authored Jun 05, 2018 by Ondrej Mosnáček Committed by Paul Moore Jun 19, 2018

audit: Fix extended comparison of GID/EGID

The audit_filter_rules() function in auditsc.c used the in_[e]group_p()
functions to check GID/EGID match, but these functions use the current
task's credentials, while the comparison should use the credentials of
the task given to audit_filter_rules() as a parameter (tsk).

Note that we can use group_search(cred->group_info, ...) as a
replacement for both in_group_p and in_egroup_p as these functions only
compare the parameter to cred->fsgid/egid and then call group_search.

In fact, the usage of in_group_p was even more incorrect: it compares to
cred->fsgid (which is usually equal to cred->egid) and not cred->gid.

GitHub issue:
https://github.com/linux-audit/audit-kernel/issues/82



Fixes: 37eebe39 ("audit: improve GID/EGID comparation logic")
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>

parent d87de4a8

kernel/auditsc.c

+4 −4

Original line number	Diff line number	Diff line
		@@ -494,20 +494,20 @@ static int audit_filter_rules(struct task_struct *tsk,
		result = audit_gid_comparator(cred->gid, f->op, f->gid);
		if (f->op == Audit_equal) {
		if (!result)
		result = in_group_p(f->gid);
		result = groups_search(cred->group_info, f->gid);
		} else if (f->op == Audit_not_equal) {
		if (result)
		result = !in_group_p(f->gid);
		result = !groups_search(cred->group_info, f->gid);
		}
		break;
		case AUDIT_EGID:
		result = audit_gid_comparator(cred->egid, f->op, f->gid);
		if (f->op == Audit_equal) {
		if (!result)
		result = in_egroup_p(f->gid);
		result = groups_search(cred->group_info, f->gid);
		} else if (f->op == Audit_not_equal) {
		if (result)
		result = !in_egroup_p(f->gid);
		result = !groups_search(cred->group_info, f->gid);
		}
		break;
		case AUDIT_SGID:

Admin message