diff options
author | Eric W. Biederman <ebiederm@xmission.com> | 2012-09-11 02:10:16 -0400 |
---|---|---|
committer | Eric W. Biederman <ebiederm@xmission.com> | 2012-09-17 21:03:31 -0400 |
commit | 02276bda4a2bf094fcde89fb5db4d9e86347ebf4 (patch) | |
tree | 7f06da4dd9757c353133b9c512334daf96cfec1e /kernel | |
parent | 34e36d8ecbd958bc15f8e63deade1227de337eb1 (diff) |
audit: Use current instead of NETLINK_CREDS() in audit_filter
Get caller process uid and gid and pid values from the current task
instead of the NETLINK_CB. This is simpler than passing NETLINK_CREDS
from from audit_receive_msg to audit_filter_user_rules and avoid the
chance of being hit by the occassional bugs in netlink uid/gid
credential passing. This is a safe changes because all netlink
requests are processed in the task of the sending process.
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Eric Paris <eparis@redhat.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Diffstat (limited to 'kernel')
-rw-r--r-- | kernel/audit.c | 2 | ||||
-rw-r--r-- | kernel/auditfilter.c | 13 |
2 files changed, 7 insertions, 8 deletions
diff --git a/kernel/audit.c b/kernel/audit.c index 7b7268e3073b..fecb1507b485 100644 --- a/kernel/audit.c +++ b/kernel/audit.c | |||
@@ -744,7 +744,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) | |||
744 | if (!audit_enabled && msg_type != AUDIT_USER_AVC) | 744 | if (!audit_enabled && msg_type != AUDIT_USER_AVC) |
745 | return 0; | 745 | return 0; |
746 | 746 | ||
747 | err = audit_filter_user(&NETLINK_CB(skb)); | 747 | err = audit_filter_user(); |
748 | if (err == 1) { | 748 | if (err == 1) { |
749 | err = 0; | 749 | err = 0; |
750 | if (msg_type == AUDIT_USER_TTY) { | 750 | if (msg_type == AUDIT_USER_TTY) { |
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index a6c3f1abd206..b754f43bc56c 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c | |||
@@ -1236,8 +1236,7 @@ int audit_compare_dname_path(const char *dname, const char *path, | |||
1236 | return strncmp(p, dname, dlen); | 1236 | return strncmp(p, dname, dlen); |
1237 | } | 1237 | } |
1238 | 1238 | ||
1239 | static int audit_filter_user_rules(struct netlink_skb_parms *cb, | 1239 | static int audit_filter_user_rules(struct audit_krule *rule, |
1240 | struct audit_krule *rule, | ||
1241 | enum audit_state *state) | 1240 | enum audit_state *state) |
1242 | { | 1241 | { |
1243 | int i; | 1242 | int i; |
@@ -1249,13 +1248,13 @@ static int audit_filter_user_rules(struct netlink_skb_parms *cb, | |||
1249 | 1248 | ||
1250 | switch (f->type) { | 1249 | switch (f->type) { |
1251 | case AUDIT_PID: | 1250 | case AUDIT_PID: |
1252 | result = audit_comparator(cb->creds.pid, f->op, f->val); | 1251 | result = audit_comparator(task_pid_vnr(current), f->op, f->val); |
1253 | break; | 1252 | break; |
1254 | case AUDIT_UID: | 1253 | case AUDIT_UID: |
1255 | result = audit_comparator(cb->creds.uid, f->op, f->val); | 1254 | result = audit_comparator(current_uid(), f->op, f->val); |
1256 | break; | 1255 | break; |
1257 | case AUDIT_GID: | 1256 | case AUDIT_GID: |
1258 | result = audit_comparator(cb->creds.gid, f->op, f->val); | 1257 | result = audit_comparator(current_gid(), f->op, f->val); |
1259 | break; | 1258 | break; |
1260 | case AUDIT_LOGINUID: | 1259 | case AUDIT_LOGINUID: |
1261 | result = audit_comparator(audit_get_loginuid(current), | 1260 | result = audit_comparator(audit_get_loginuid(current), |
@@ -1287,7 +1286,7 @@ static int audit_filter_user_rules(struct netlink_skb_parms *cb, | |||
1287 | return 1; | 1286 | return 1; |
1288 | } | 1287 | } |
1289 | 1288 | ||
1290 | int audit_filter_user(struct netlink_skb_parms *cb) | 1289 | int audit_filter_user(void) |
1291 | { | 1290 | { |
1292 | enum audit_state state = AUDIT_DISABLED; | 1291 | enum audit_state state = AUDIT_DISABLED; |
1293 | struct audit_entry *e; | 1292 | struct audit_entry *e; |
@@ -1295,7 +1294,7 @@ int audit_filter_user(struct netlink_skb_parms *cb) | |||
1295 | 1294 | ||
1296 | rcu_read_lock(); | 1295 | rcu_read_lock(); |
1297 | list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) { | 1296 | list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) { |
1298 | if (audit_filter_user_rules(cb, &e->rule, &state)) { | 1297 | if (audit_filter_user_rules(&e->rule, &state)) { |
1299 | if (state == AUDIT_DISABLED) | 1298 | if (state == AUDIT_DISABLED) |
1300 | ret = 0; | 1299 | ret = 0; |
1301 | break; | 1300 | break; |