audit: Use current instead of NETLINK_CREDS() in audit_filter
Get caller process uid and gid and pid values from the current task instead of the NETLINK_CB. This is simpler than passing NETLINK_CREDS from audit_receive_msg to audit_filter_user_rules and avoids the chance of being hit by the occasional bugs in netlink uid/gid credential passing. This is a safe change because all netlink requests are processed in the task of the sending process. Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: Eric Paris <eparis@redhat.com> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
parent
34e36d8ecb
commit
02276bda4a
@ -700,7 +700,7 @@ extern void audit_log_secctx(struct audit_buffer *ab, u32 secid);
|
|||||||
extern int audit_update_lsm_rules(void);
|
extern int audit_update_lsm_rules(void);
|
||||||
|
|
||||||
/* Private API (for audit.c only) */
|
/* Private API (for audit.c only) */
|
||||||
extern int audit_filter_user(struct netlink_skb_parms *cb);
|
extern int audit_filter_user(void);
|
||||||
extern int audit_filter_type(int type);
|
extern int audit_filter_type(int type);
|
||||||
extern int audit_receive_filter(int type, int pid, int uid, int seq,
|
extern int audit_receive_filter(int type, int pid, int uid, int seq,
|
||||||
void *data, size_t datasz, uid_t loginuid,
|
void *data, size_t datasz, uid_t loginuid,
|
||||||
|
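Review bot: The new prototype `extern int audit_filter_user(void);` no longer says where the filter gets the subject's pid/uid/gid from, and the safety argument in the commit message (every netlink request is handled in the sender's task) is exactly the contract a future caller needs to know. A one-line comment on the declaration would pin it: `/* Matches AUDIT_FILTER_USER rules against the credentials of current; call only from the task that sent the netlink request. */`. The same contract applies to the `audit_filter_user_rules()` hunk further down, where `current` is actually read.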
@ -744,7 +744,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
|
|||||||
if (!audit_enabled && msg_type != AUDIT_USER_AVC)
|
if (!audit_enabled && msg_type != AUDIT_USER_AVC)
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
err = audit_filter_user(&NETLINK_CB(skb));
|
err = audit_filter_user();
|
||||||
if (err == 1) {
|
if (err == 1) {
|
||||||
err = 0;
|
err = 0;
|
||||||
if (msg_type == AUDIT_USER_TTY) {
|
if (msg_type == AUDIT_USER_TTY) {
|
||||||
|
@ -1236,8 +1236,7 @@ int audit_compare_dname_path(const char *dname, const char *path,
|
|||||||
return strncmp(p, dname, dlen);
|
return strncmp(p, dname, dlen);
|
||||||
}
|
}
|
||||||
|
|
||||||
static int audit_filter_user_rules(struct netlink_skb_parms *cb,
|
static int audit_filter_user_rules(struct audit_krule *rule,
|
||||||
struct audit_krule *rule,
|
|
||||||
enum audit_state *state)
|
enum audit_state *state)
|
||||||
{
|
{
|
||||||
int i;
|
int i;
|
||||||
@ -1249,13 +1248,13 @@ static int audit_filter_user_rules(struct netlink_skb_parms *cb,
|
|||||||
|
|
||||||
switch (f->type) {
|
switch (f->type) {
|
||||||
case AUDIT_PID:
|
case AUDIT_PID:
|
||||||
result = audit_comparator(cb->creds.pid, f->op, f->val);
|
result = audit_comparator(task_pid_vnr(current), f->op, f->val);
|
||||||
break;
|
break;
|
||||||
case AUDIT_UID:
|
case AUDIT_UID:
|
||||||
result = audit_comparator(cb->creds.uid, f->op, f->val);
|
result = audit_comparator(current_uid(), f->op, f->val);
|
||||||
break;
|
break;
|
||||||
case AUDIT_GID:
|
case AUDIT_GID:
|
||||||
result = audit_comparator(cb->creds.gid, f->op, f->val);
|
result = audit_comparator(current_gid(), f->op, f->val);
|
||||||
break;
|
break;
|
||||||
case AUDIT_LOGINUID:
|
case AUDIT_LOGINUID:
|
||||||
result = audit_comparator(audit_get_loginuid(current),
|
result = audit_comparator(audit_get_loginuid(current),
|
||||||
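Review bot: On the AUDIT_PID line, `task_pid_vnr(current)` yields the id of the calling thread, whereas the `cb->creds.pid` it replaces is (as far as I can tell from how netlink SCM credentials are populated) the thread-group id, so an AUDIT_PID user-filter rule that matched a multithreaded process's pid may stop matching messages sent from its non-leader threads. If the intent is to keep the old matching, `result = audit_comparator(task_tgid_vnr(current), f->op, f->val);` preserves it; if the per-thread id is intended, that behaviour change deserves a sentence in the commit message. The AUDIT_UID/AUDIT_GID lines switch to the task's current real uid/gid, which is consistent with the adjacent AUDIT_LOGINUID case already reading `current`. The enclosing switch and function continue outside the hunk.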
@ -1287,7 +1286,7 @@ static int audit_filter_user_rules(struct netlink_skb_parms *cb,
|
|||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
int audit_filter_user(struct netlink_skb_parms *cb)
|
int audit_filter_user(void)
|
||||||
{
|
{
|
||||||
enum audit_state state = AUDIT_DISABLED;
|
enum audit_state state = AUDIT_DISABLED;
|
||||||
struct audit_entry *e;
|
struct audit_entry *e;
|
||||||
@ -1295,7 +1294,7 @@ int audit_filter_user(struct netlink_skb_parms *cb)
|
|||||||
|
|
||||||
rcu_read_lock();
|
rcu_read_lock();
|
||||||
list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) {
|
list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) {
|
||||||
if (audit_filter_user_rules(cb, &e->rule, &state)) {
|
if (audit_filter_user_rules(&e->rule, &state)) {
|
||||||
if (state == AUDIT_DISABLED)
|
if (state == AUDIT_DISABLED)
|
||||||
ret = 0;
|
ret = 0;
|
||||||
break;
|
break;
|
||||||
|