linux-audit / audit-kernel

GitHub mirror of the Linux Kernel's audit repository
https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git

BUG: inconsistent usage of current/tsk in audit_filter_rules #82

Closed WOnder93 closed 6 years ago

WOnder93 commented 6 years ago

The function audit_filter_rules accepts a struct task_struct *tsk parameter, which can be different from current (representing the currently executing task). However, in some places current is used instead of tsk.

s/current/tsk/:

        case AUDIT_SESSIONID:
            sessionid = audit_get_sessionid(current);
            result = audit_comparator(sessionid, f->op, f->val);
            break;

These two comparisons call the in_group_p/in_egroup_p functions which implicitly use the current variable:

        case AUDIT_GID:
            result = audit_gid_comparator(cred->gid, f->op, f->gid);
            if (f->op == Audit_equal) {
                if (!result)
                    result = in_group_p(f->gid);
            } else if (f->op == Audit_not_equal) {
                if (result)
                    result = !in_group_p(f->gid);
            }
            break;
        case AUDIT_EGID:
            result = audit_gid_comparator(cred->egid, f->op, f->gid);
            if (f->op == Audit_equal) {
                if (!result)
                    result = in_egroup_p(f->gid);
            } else if (f->op == Audit_not_equal) {
                if (result)
                    result = !in_egroup_p(f->gid);
            }
            break;

They should be replaced by functions that use the struct cred data from tsk. Since the kernel currently doesn't provide a function that would accept a user-provided struct cred *, they either need to be added to include/linux/cred.h and kernel/groups.c or open coded in the audit code (it's just a few lines of code... still it is probably better to add them globally).

Original ML discussion: https://www.redhat.com/archives/linux-audit/2018-May/msg00084.html

Quick link to in_group_p implementation: https://elixir.bootlin.com/linux/v4.17-rc5/source/kernel/groups.c#L219

WOnder93 commented 6 years ago

I submitted patches for this issue here:

https://www.redhat.com/archives/linux-audit/2018-May/msg00095.html
https://www.redhat.com/archives/linux-audit/2018-May/msg00096.html

In the end I just replaced the in_[e]group_p functions with search_groups calls as this is the only part of the in_[e]group_p implementations that wasn't already covered by the main comparison. For more details please see the related discussion in the mailing list.
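The following is a constructed user-space model, added here and not part of the issue, the kernel, or the submitted patches, of the defect described in the report and of the fix summarised in the comment above: the rule is evaluated for `tsk`, but `in_group_p()` silently consults `current`, so the supplementary-group check can answer for the wrong task. It keeps the kernel's shape (a sorted supplementary-group list searched by binary search, an `in_group_p()` that reads `current`, a fixed path that searches `tsk`'s own groups), but the structs, the task and gid values, and every name other than `in_group_p`/`groups_search` are assumptions for illustration; the real `in_group_p()` also compares against fsgid, which this model simplifies to gid.

```c
/* Constructed model of the audit_filter_rules() bug: the rule is evaluated
 * for `tsk`, but group membership is looked up for `current`. Not kernel code. */
#include <stdio.h>

typedef unsigned int kgid;          /* stand-in for kgid_t */

/* Minimal stand-in for struct cred / struct group_info. Supplementary
 * groups are kept sorted, as the kernel does, so a binary search works. */
struct cred {
    kgid gid;                 /* primary gid */
    int ngroups;
    const kgid *groups;       /* sorted supplementary groups */
};

struct task {
    const char *comm;
    const struct cred *cred;
};

/* Models the kernel's `current` macro: whichever task is running when the
 * filter happens to be evaluated. */
static const struct task *current;

void set_current(const struct task *tsk) { current = tsk; }

/* Binary search over the sorted supplementary list, the same shape as
 * groups_search() in kernel/groups.c. Takes an explicit cred, so it can be
 * pointed at any task's credentials. */
int groups_search(const struct cred *cred, kgid grp)
{
    int left = 0, right = cred->ngroups;
    while (left < right) {
        int mid = (left + right) / 2;
        if (grp > cred->groups[mid])
            left = mid + 1;
        else if (grp < cred->groups[mid])
            right = mid;
        else
            return 1;
    }
    return 0;
}

/* Simplified in_group_p(): it only ever looks at `current`, never at a
 * caller-supplied task. That is the hidden dependency the issue points out. */
int in_group_p(kgid grp)
{
    return current->cred->gid == grp || groups_search(current->cred, grp);
}

/* Before: AUDIT_GID with Audit_equal as in the issue. The primary gid comes
 * from tsk, but the supplementary lookup implicitly uses current. */
int audit_gid_equal_buggy(const struct task *tsk, kgid want)
{
    int result = (tsk->cred->gid == want);
    if (!result)
        result = in_group_p(want);
    return result;
}

/* After: every lookup goes through tsk's own credentials. */
int audit_gid_equal_fixed(const struct task *tsk, kgid want)
{
    int result = (tsk->cred->gid == want);
    if (!result)
        result = groups_search(tsk->cred, want);
    return result;
}

/* Constructed scenario: the audited task is not in gid 27, but the task that
 * happens to be `current` is. A rule such as "-F gid=27" must not match the
 * audited task. */
static const kgid audited_groups[] = { 1000 };
static const struct cred audited_cred = { 1000, 1, audited_groups };
static const struct task audited = { "audited", &audited_cred };

static const kgid other_groups[] = { 4, 27, 1001 };
static const struct cred other_cred = { 1001, 3, other_groups };
static const struct task other = { "other", &other_cred };

/* Returns 1 if the chosen filter variant claims the audited task is in gid 27. */
int demo_matches(int use_fixed)
{
    set_current(&other);    /* a different task is running at evaluation time */
    return use_fixed ? audit_gid_equal_fixed(&audited, 27)
                     : audit_gid_equal_buggy(&audited, 27);
}

int main(void)
{
    printf("buggy: gid=27 matches audited task? %d\n", demo_matches(0)); /* 1: false positive */
    printf("fixed: gid=27 matches audited task? %d\n", demo_matches(1)); /* 0 */
    return 0;
}
```

The buggy variant reports a match only because the group list of the wrong task was searched; with `current == audited` both variants agree, which is why the defect is easy to miss in testing where the audited task is also the one running the filter.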

WOnder93 commented 6 years ago

Fixed upstream in 5b71388663c0920848c0ee7de946970a2692b76d and af85d1772e31fed34165a1b3decef340cf4080c0.