diff options
| author | <dwmw2@shinybook.infradead.org> | 2005-04-29 10:54:44 -0400 |
|---|---|---|
| committer | <dwmw2@shinybook.infradead.org> | 2005-04-29 10:54:44 -0400 |
| commit | 83c7d09173fdb6b06b109e65895392db3e49ac9c (patch) | |
| tree | 3f48367a4d1413e221a5367bcd0cf8df7322c368 | |
| parent | c60c390620e0abb60d4ae8c43583714bda27763f (diff) | |
AUDIT: Avoid log pollution by untrusted strings.
We log strings from userspace, such as arguments to open(). These could
be formatted to contain \n followed by fake audit log entries. Provide
a function for logging such strings, which gives a hex dump when the
string contains anything but basic printable ASCII characters. Use it
for logging filenames.
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
| -rw-r--r-- | include/linux/audit.h | 8 | ||||
| -rw-r--r-- | kernel/audit.c | 23 | ||||
| -rw-r--r-- | kernel/auditsc.c | 7 |
3 files changed, 34 insertions, 4 deletions
diff --git a/include/linux/audit.h b/include/linux/audit.h index 3628f7cfb178..9b77992c4888 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h | |||
| @@ -174,11 +174,15 @@ extern void audit_log_format(struct audit_buffer *ab, | |||
| 174 | const char *fmt, ...) | 174 | const char *fmt, ...) |
| 175 | __attribute__((format(printf,2,3))); | 175 | __attribute__((format(printf,2,3))); |
| 176 | extern void audit_log_end(struct audit_buffer *ab); | 176 | extern void audit_log_end(struct audit_buffer *ab); |
| 177 | extern void audit_log_hex(struct audit_buffer *ab, | ||
| 178 | const unsigned char *buf, | ||
| 179 | size_t len); | ||
| 180 | extern void audit_log_untrustedstring(struct audit_buffer *ab, | ||
| 181 | const char *string); | ||
| 177 | extern void audit_log_d_path(struct audit_buffer *ab, | 182 | extern void audit_log_d_path(struct audit_buffer *ab, |
| 178 | const char *prefix, | 183 | const char *prefix, |
| 179 | struct dentry *dentry, | 184 | struct dentry *dentry, |
| 180 | struct vfsmount *vfsmnt); | 185 | struct vfsmount *vfsmnt); |
| 181 | |||
| 182 | /* Private API (for auditsc.c only) */ | 186 | /* Private API (for auditsc.c only) */ |
| 183 | extern void audit_send_reply(int pid, int seq, int type, | 187 | extern void audit_send_reply(int pid, int seq, int type, |
| 184 | int done, int multi, | 188 | int done, int multi, |
| @@ -190,6 +194,8 @@ extern void audit_log_lost(const char *message); | |||
| 190 | #define audit_log_vformat(b,f,a) do { ; } while (0) | 194 | #define audit_log_vformat(b,f,a) do { ; } while (0) |
| 191 | #define audit_log_format(b,f,...) do { ; } while (0) | 195 | #define audit_log_format(b,f,...) do { ; } while (0) |
| 192 | #define audit_log_end(b) do { ; } while (0) | 196 | #define audit_log_end(b) do { ; } while (0) |
| 197 | #define audit_log_hex(a,b,l) do { ; } while (0) | ||
| 198 | #define audit_log_untrustedstring(a,s) do { ; } while (0) | ||
| 193 | #define audit_log_d_path(b,p,d,v) do { ; } while (0) | 199 | #define audit_log_d_path(b,p,d,v) do { ; } while (0) |
| 194 | #endif | 200 | #endif |
| 195 | #endif | 201 | #endif |
diff --git a/kernel/audit.c b/kernel/audit.c index 0f84dd7af2c8..dca7b99615d2 100644 --- a/kernel/audit.c +++ b/kernel/audit.c | |||
| @@ -720,6 +720,29 @@ void audit_log_format(struct audit_buffer *ab, const char *fmt, ...) | |||
| 720 | va_end(args); | 720 | va_end(args); |
| 721 | } | 721 | } |
| 722 | 722 | ||
| 723 | void audit_log_hex(struct audit_buffer *ab, const unsigned char *buf, size_t len) | ||
| 724 | { | ||
| 725 | int i; | ||
| 726 | |||
| 727 | for (i=0; i<len; i++) | ||
| 728 | audit_log_format(ab, "%02x", buf[i]); | ||
| 729 | } | ||
| 730 | |||
| 731 | void audit_log_untrustedstring(struct audit_buffer *ab, const char *string) | ||
| 732 | { | ||
| 733 | const char *p = string; | ||
| 734 | |||
| 735 | while (*p) { | ||
| 736 | if (*p == '"' || *p == ' ' || *p < 0x20 || *p > 0x7f) { | ||
| 737 | audit_log_hex(ab, string, strlen(string)); | ||
| 738 | return; | ||
| 739 | } | ||
| 740 | p++; | ||
| 741 | } | ||
| 742 | audit_log_format(ab, "\"%s\"", string); | ||
| 743 | } | ||
| 744 | |||
| 745 | |||
| 723 | /* This is a helper-function to print the d_path without using a static | 746 | /* This is a helper-function to print the d_path without using a static |
| 724 | * buffer or allocating another buffer in addition to the one in | 747 | * buffer or allocating another buffer in addition to the one in |
| 725 | * audit_buffer. */ | 748 | * audit_buffer. */ |
diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 6f1931381bc9..00e87ffff13b 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c | |||
| @@ -696,9 +696,10 @@ static void audit_log_exit(struct audit_context *context) | |||
| 696 | if (!ab) | 696 | if (!ab) |
| 697 | continue; /* audit_panic has been called */ | 697 | continue; /* audit_panic has been called */ |
| 698 | audit_log_format(ab, "item=%d", i); | 698 | audit_log_format(ab, "item=%d", i); |
| 699 | if (context->names[i].name) | 699 | if (context->names[i].name) { |
| 700 | audit_log_format(ab, " name=%s", | 700 | audit_log_format(ab, " name="); |
| 701 | context->names[i].name); | 701 | audit_log_untrustedstring(ab, context->names[i].name); |
| 702 | } | ||
| 702 | if (context->names[i].ino != (unsigned long)-1) | 703 | if (context->names[i].ino != (unsigned long)-1) |
| 703 | audit_log_format(ab, " inode=%lu dev=%02x:%02x mode=%#o" | 704 | audit_log_format(ab, " inode=%lu dev=%02x:%02x mode=%#o" |
| 704 | " uid=%d gid=%d rdev=%02x:%02x", | 705 | " uid=%d gid=%d rdev=%02x:%02x", |