diff options
| author | Stephen Smalley <sds@tycho.nsa.gov> | 2005-05-24 16:28:28 -0400 |
|---|---|---|
| committer | David Woodhouse <dwmw2@shinybook.infradead.org> | 2005-05-24 16:28:28 -0400 |
| commit | 37ca5389b863e5ffba6fb7c22331bf57dbf7764a (patch) | |
| tree | 4869477a27fbd8ad91b0ce42f0b2e4b6817e5105 /security/selinux | |
| parent | 99e45eeac867d51ff3395dcf3d7aedf5ac2812c8 (diff) | |
AUDIT: Fix remaining cases of direct logging of untrusted strings by avc_audit
Per Steve Grubb's observation that there are some remaining cases where
avc_audit() directly logs untrusted strings without escaping them, here
is a patch that changes avc_audit() to use audit_log_untrustedstring()
or audit_log_hex() as appropriate. Note that d_name.name is nul-
terminated by d_alloc(), and that sun_path is nul-terminated by
unix_mkname(), so it is not necessary for the AVC to create nul-
terminated copies or to alter audit_log_untrustedstring to take a length
argument. In the case of an abstract name, we use audit_log_hex() with
an explicit length.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Diffstat (limited to 'security/selinux')
| -rw-r--r-- | security/selinux/avc.c | 22 |
1 files changed, 9 insertions, 13 deletions
diff --git a/security/selinux/avc.c b/security/selinux/avc.c index 914d0d294fff..451502467a9b 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c | |||
| @@ -575,16 +575,16 @@ void avc_audit(u32 ssid, u32 tsid, | |||
| 575 | struct dentry *dentry = a->u.fs.dentry; | 575 | struct dentry *dentry = a->u.fs.dentry; |
| 576 | if (a->u.fs.mnt) | 576 | if (a->u.fs.mnt) |
| 577 | audit_avc_path(dentry, a->u.fs.mnt); | 577 | audit_avc_path(dentry, a->u.fs.mnt); |
| 578 | audit_log_format(ab, " name=%s", | 578 | audit_log_format(ab, " name="); |
| 579 | dentry->d_name.name); | 579 | audit_log_untrustedstring(ab, dentry->d_name.name); |
| 580 | inode = dentry->d_inode; | 580 | inode = dentry->d_inode; |
| 581 | } else if (a->u.fs.inode) { | 581 | } else if (a->u.fs.inode) { |
| 582 | struct dentry *dentry; | 582 | struct dentry *dentry; |
| 583 | inode = a->u.fs.inode; | 583 | inode = a->u.fs.inode; |
| 584 | dentry = d_find_alias(inode); | 584 | dentry = d_find_alias(inode); |
| 585 | if (dentry) { | 585 | if (dentry) { |
| 586 | audit_log_format(ab, " name=%s", | 586 | audit_log_format(ab, " name="); |
| 587 | dentry->d_name.name); | 587 | audit_log_untrustedstring(ab, dentry->d_name.name); |
| 588 | dput(dentry); | 588 | dput(dentry); |
| 589 | } | 589 | } |
| 590 | } | 590 | } |
| @@ -628,23 +628,19 @@ void avc_audit(u32 ssid, u32 tsid, | |||
| 628 | u = unix_sk(sk); | 628 | u = unix_sk(sk); |
| 629 | if (u->dentry) { | 629 | if (u->dentry) { |
| 630 | audit_avc_path(u->dentry, u->mnt); | 630 | audit_avc_path(u->dentry, u->mnt); |
| 631 | audit_log_format(ab, " name=%s", | 631 | audit_log_format(ab, " name="); |
| 632 | u->dentry->d_name.name); | 632 | audit_log_untrustedstring(ab, u->dentry->d_name.name); |
| 633 | |||
| 634 | break; | 633 | break; |
| 635 | } | 634 | } |
| 636 | if (!u->addr) | 635 | if (!u->addr) |
| 637 | break; | 636 | break; |
| 638 | len = u->addr->len-sizeof(short); | 637 | len = u->addr->len-sizeof(short); |
| 639 | p = &u->addr->name->sun_path[0]; | 638 | p = &u->addr->name->sun_path[0]; |
| 639 | audit_log_format(ab, " path="); | ||
| 640 | if (*p) | 640 | if (*p) |
| 641 | audit_log_format(ab, | 641 | audit_log_untrustedstring(ab, p); |
| 642 | "path=%*.*s", len, | ||
| 643 | len, p); | ||
| 644 | else | 642 | else |
| 645 | audit_log_format(ab, | 643 | audit_log_hex(ab, p, len); |
| 646 | "path=@%*.*s", len-1, | ||
| 647 | len-1, p+1); | ||
| 648 | break; | 644 | break; |
| 649 | } | 645 | } |
| 650 | } | 646 | } |