[PATCH] arch filter lists with < or > should not be accepted

Currently the kernel audit system represents arch's as numbers and will
gladly accept comparisons between archs using >, <, >=, <= when the only
thing that makes sense is = or !=.  I'm told that the next revision of
auditctl will do this checking but this will provide enforcement in the
kernel even for old userspace.  A simple command to show the issue would
be to run

auditctl -d entry,always -F arch>i686 -S chmod

with this patch the kernel will reject this with -EINVAL

Please comment/ack/nak as soon as possible.

-Eric

 kernel/auditfilter.c |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

1 files changed, 8 insertions, 1 deletions

diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 1a58a81fb09d..4f40d923af8e 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -411,7 +411,6 @@ static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule)
                 case AUDIT_FSGID:
                 case AUDIT_LOGINUID:
                 case AUDIT_PERS:
-                case AUDIT_ARCH:
                 case AUDIT_MSGTYPE:
                 case AUDIT_PPID:
                 case AUDIT_DEVMAJOR:
@@ -423,6 +422,14 @@ static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule)
                 case AUDIT_ARG2:
                 case AUDIT_ARG3:
                         break;
+                /* arch is only allowed to be = or != */
+                case AUDIT_ARCH:
+                        if ((f->op != AUDIT_NOT_EQUAL) && (f->op != AUDIT_EQUAL)
+                                        && (f->op != AUDIT_NEGATE) && (f->op)) {
+                                err = -EINVAL;
+                                goto exit_free;
+                        }
+                        break;
                 case AUDIT_PERM:
                         if (f->val & ~15)
                                 goto exit_free;