linux-audit / audit-kernel

GitHub mirror of the Linux Kernel's audit repository
https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git

Q: add incorrect rules to the rule table #166

Closed LidiYuan closed 1 month ago

LidiYuan commented 1 month ago

security/selinux/ss/services.c:

int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
{
    struct selinux_audit_rule *tmprule;
    struct role_datum *roledatum;
    struct type_datum *typedatum;
    struct user_datum *userdatum;
    struct selinux_audit_rule **rule = (struct selinux_audit_rule **)vrule;
    int rc = 0;

    *rule = NULL;

    if (!ss_initialized)
    {
        return -EOPNOTSUPP;
    }

    switch (field)
    {
    case AUDIT_SUBJ_USER:
    case AUDIT_SUBJ_ROLE:
    case AUDIT_SUBJ_TYPE:
    case AUDIT_OBJ_USER:
    case AUDIT_OBJ_ROLE:
    case AUDIT_OBJ_TYPE:
        /* only 'equals' and 'not equals' fit user, role, and type */
        if (op != Audit_equal && op != Audit_not_equal)
            return -EINVAL;         /*!!!!!!!!!!!!!!!!*/

}

kernel/auditfilter.c:

static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, size_t datasz)
{

        case AUDIT_SUBJ_USER:
        case AUDIT_SUBJ_ROLE:
        case AUDIT_SUBJ_TYPE:
        case AUDIT_SUBJ_SEN:
        case AUDIT_SUBJ_CLR:
        case AUDIT_OBJ_USER:
        case AUDIT_OBJ_ROLE:
        case AUDIT_OBJ_TYPE:
        case AUDIT_OBJ_LEV_LOW:
        case AUDIT_OBJ_LEV_HIGH:
            str = audit_unpack_string(&bufp, &remain, f->val);
            if (IS_ERR(str))
                goto exit_free;
            entry->rule.buflen += f->val;

            err = security_audit_rule_init(f->type, f->op, str, (void **)&f->lsm_rule);
            /* Keep currently invalid fields around in case they
             * become valid after a policy reload. */
            if (err == -EINVAL) /*!!!!!!!!!!!!!!!!!!!!!!!!!!!!*/
            {
                printk(KERN_WARNING "audit rule for LSM " "\'%s\' is invalid\n", str);
                err = 0;
            }

}

Due to the operator mismatch, an error is returned by selinux_audit_rule_init(). But when we call security_audit_rule_init() in audit_data_to_entry() and find that the return value is -EINVAL, it does not prevent the rule from being added? Can this erroneous rule also be added successfully?

pcmoore commented 1 month ago

This should not cause a problem, see the selinux_audit_rule_match() function in "security/selinux/ss/services.c". If you do see a problem with this (improper auditing, kernel panic, etc.) please let us know.
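To make the two halves of the thread concrete, here is an added user-space model of the path being discussed. It is example code written for this page, not kernel code and not part of the audit or SELinux trees: model_rule_init() stands in for selinux_audit_rule_init() (unsupported operator gives -EINVAL and leaves the rule pointer NULL), model_data_to_entry() stands in for the -EINVAL handling quoted above from audit_data_to_entry() (warn, keep the field, clear the error), and model_field_matches() stands in for the filter side, which this model assumes skips a field whose lsm_rule is NULL so that such a field never matches. All model_/MODEL_ identifiers, the operator enum and the sample type string are constructed for the example.

```c
/*
 * Added example, not kernel code: a user-space model of how an audit rule
 * whose LSM field fails to parse is kept in the rule table but never
 * matches. Every model_/MODEL_ name is an assumption of this example.
 */
#include <stdio.h>
#include <string.h>

#define MODEL_EINVAL 22

enum model_op {
    MODEL_OP_EQUAL,
    MODEL_OP_NOT_EQUAL,
    MODEL_OP_LESS_THAN   /* constructed: not meaningful for user/role/type fields */
};

/* Stand-in for the compiled per-field SELinux rule. */
struct model_lsm_rule {
    char value[64];
};

/* Stand-in for one field of an audit rule. */
struct model_field {
    enum model_op op;
    struct model_lsm_rule *lsm_rule;  /* NULL when init failed */
};

/* Like selinux_audit_rule_init(): only equals / not-equals are valid for
 * user, role and type fields. Anything else returns -EINVAL and leaves
 * *vrule NULL. `storage` replaces the kernel's allocation. */
int model_rule_init(enum model_op op, const char *rulestr,
                    struct model_lsm_rule **vrule,
                    struct model_lsm_rule *storage)
{
    *vrule = NULL;
    if (op != MODEL_OP_EQUAL && op != MODEL_OP_NOT_EQUAL)
        return -MODEL_EINVAL;

    strncpy(storage->value, rulestr, sizeof(storage->value) - 1);
    storage->value[sizeof(storage->value) - 1] = '\0';
    *vrule = storage;
    return 0;
}

/* Like the LSM branch of audit_data_to_entry(): -EINVAL is downgraded to a
 * warning and the field is kept with lsm_rule == NULL. Returns 0 (rule
 * kept) in both the valid and the invalid case. */
int model_data_to_entry(struct model_field *f, enum model_op op,
                        const char *rulestr, struct model_lsm_rule *storage)
{
    int err;

    f->op = op;
    err = model_rule_init(op, rulestr, &f->lsm_rule, storage);
    if (err == -MODEL_EINVAL) {
        printf("audit rule for LSM '%s' is invalid\n", rulestr);
        err = 0;
    }
    return err;
}

/* Filter side (assumed behaviour): a field without a compiled LSM rule is
 * never consulted, so it cannot match. Otherwise compare the subject's value. */
int model_field_matches(const struct model_field *f, const char *subject_value)
{
    int equal;

    if (!f->lsm_rule)
        return 0;
    equal = strcmp(f->lsm_rule->value, subject_value) == 0;
    return f->op == MODEL_OP_EQUAL ? equal : !equal;
}

/* Scenario from the issue: a type field with an unsupported operator.
 * Returns the match result for a subject whose type equals the rule string. */
int model_invalid_op_result(void)
{
    struct model_field f;
    struct model_lsm_rule storage;

    if (model_data_to_entry(&f, MODEL_OP_LESS_THAN, "unconfined_t", &storage) != 0)
        return -1;   /* rule rejected outright: not what the quoted code does */
    if (f.lsm_rule != NULL)
        return -2;   /* init must have left the rule pointer NULL */
    return model_field_matches(&f, "unconfined_t");   /* 0: never matches */
}

/* Control case: the same rule with a valid operator does match the subject. */
int model_valid_op_result(void)
{
    struct model_field f;
    struct model_lsm_rule storage;

    if (model_data_to_entry(&f, MODEL_OP_EQUAL, "unconfined_t", &storage) != 0)
        return -1;
    return model_field_matches(&f, "unconfined_t");   /* 1 */
}

int main(void)
{
    printf("invalid operator: match=%d\n", model_invalid_op_result());
    printf("valid operator:   match=%d\n", model_valid_op_result());
    return 0;
}
```

Build with `cc -Wall -o model model.c && ./model`. The invalid-operator rule is accepted into the table (the load returns 0 and only prints the warning), but because its lsm_rule pointer is NULL the field can never match, so it neither filters events nor triggers anything: it is inert until a policy reload makes it valid. That is the property the reply points the reader to verify in selinux_audit_rule_match().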