* Question about audit_filter_rules
@ 2018-05-16 6:57 Ondrej Mosnacek
2018-05-16 8:43 ` Ondrej Mosnacek
2018-05-16 11:37 ` Richard Guy Briggs
0 siblings, 2 replies; 5+ messages in thread
From: Ondrej Mosnacek @ 2018-05-16 6:57 UTC (permalink / raw)
To: Linux-Audit Mailing List; +Cc: Richard Guy Briggs
Hi,
I noticed this suspicious line in the definition of the
audit_filter_rules function in auditsc.c:
[...]
case AUDIT_SESSIONID:
sessionid = audit_get_sessionid(current); // <--- HERE
result = audit_comparator(sessionid, f->op, f->val);
break;
[...]
Here, the sessionid is retrieved from the current task pointer, while
all the other code in this function compares against the tsk task
pointer. It seems that it is not always guaranteed that tsk ==
current, so my question is: Is it intentional for some reason or
should it be tsk instead of current?
Thanks,
--
Ondrej Mosnacek <omosnace at redhat dot com>
Associate Software Engineer, Security Technologies
Red Hat, Inc.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Question about audit_filter_rules
2018-05-16 6:57 Question about audit_filter_rules Ondrej Mosnacek
@ 2018-05-16 8:43 ` Ondrej Mosnacek
2018-05-16 11:46 ` Richard Guy Briggs
2018-05-16 11:37 ` Richard Guy Briggs
1 sibling, 1 reply; 5+ messages in thread
From: Ondrej Mosnacek @ 2018-05-16 8:43 UTC (permalink / raw)
To: Linux-Audit Mailing List; +Cc: Richard Guy Briggs
I found more inconsistencies:
[...]
case AUDIT_GID:
result = audit_gid_comparator(cred->gid, f->op, f->gid);
if (f->op == Audit_equal) {
if (!result)
result = in_group_p(f->gid);
} else if (f->op == Audit_not_equal) {
if (result)
result = !in_group_p(f->gid);
}
break;
case AUDIT_EGID:
result = audit_gid_comparator(cred->egid, f->op, f->gid);
if (f->op == Audit_equal) {
if (!result)
result = in_egroup_p(f->gid);
} else if (f->op == Audit_not_equal) {
if (result)
result = !in_egroup_p(f->gid);
}
break;
[...]
The in_[e]group_p functions match the current task's group list.
Unfortunately there don't seem to be functions in the kernel that
would do the same for arbitrary struct cred pointers, we may need to
add these to fix this.
See the definition of in_group_p for reference:
https://elixir.bootlin.com/linux/latest/source/kernel/groups.c#L219
2018-05-16 8:57 GMT+02:00 Ondrej Mosnacek <omosnace@redhat.com>:
> Hi,
>
> I noticed this suspicious line in the definition of the
> audit_filter_rules function in auditsc.c:
>
> [...]
> case AUDIT_SESSIONID:
> sessionid = audit_get_sessionid(current); // <--- HERE
> result = audit_comparator(sessionid, f->op, f->val);
> break;
> [...]
>
> Here, the sessionid is retrieved from the current task pointer, while
> all the other code in this function compares against the tsk task
> pointer. It seems that it is not always guaranteed that tsk ==
> current, so my question is: Is it intentional for some reason or
> should it be tsk instead of current?
>
> Thanks,
> --
> Ondrej Mosnacek <omosnace at redhat dot com>
> Associate Software Engineer, Security Technologies
> Red Hat, Inc.
--
Ondrej Mosnacek <omosnace at redhat dot com>
Associate Software Engineer, Security Technologies
Red Hat, Inc.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Question about audit_filter_rules
2018-05-16 6:57 Question about audit_filter_rules Ondrej Mosnacek
2018-05-16 8:43 ` Ondrej Mosnacek
@ 2018-05-16 11:37 ` Richard Guy Briggs
1 sibling, 0 replies; 5+ messages in thread
From: Richard Guy Briggs @ 2018-05-16 11:37 UTC (permalink / raw)
To: Ondrej Mosnacek; +Cc: Linux-Audit Mailing List
On 2018-05-16 08:57, Ondrej Mosnacek wrote:
> Hi,
>
> I noticed this suspicious line in the definition of the
> audit_filter_rules function in auditsc.c:
>
> [...]
> case AUDIT_SESSIONID:
> sessionid = audit_get_sessionid(current); // <--- HERE
> result = audit_comparator(sessionid, f->op, f->val);
> break;
> [...]
>
> Here, the sessionid is retrieved from the current task pointer, while
> all the other code in this function compares against the tsk task
> pointer. It seems that it is not always guaranteed that tsk ==
> current, so my question is: Is it intentional for some reason or
> should it be tsk instead of current?
I'd agree you've found a bug. I can trace it to my 2016-11-20
commit 8fae47705685fcaa75a1fe4c8c3e18300a702979
("audit: add support for session ID user filter")
It appears it should in fact be tsk rather than current.
> Ondrej Mosnacek <omosnace at redhat dot com>
- RGB
--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Question about audit_filter_rules
2018-05-16 8:43 ` Ondrej Mosnacek
@ 2018-05-16 11:46 ` Richard Guy Briggs
2018-05-16 12:27 ` Ondrej Mosnacek
0 siblings, 1 reply; 5+ messages in thread
From: Richard Guy Briggs @ 2018-05-16 11:46 UTC (permalink / raw)
To: Ondrej Mosnacek; +Cc: Linux-Audit Mailing List
On 2018-05-16 10:43, Ondrej Mosnacek wrote:
> I found more inconsistencies:
> [...]
> case AUDIT_GID:
> result = audit_gid_comparator(cred->gid, f->op, f->gid);
> if (f->op == Audit_equal) {
> if (!result)
> result = in_group_p(f->gid);
> } else if (f->op == Audit_not_equal) {
> if (result)
> result = !in_group_p(f->gid);
> }
> break;
> case AUDIT_EGID:
> result = audit_gid_comparator(cred->egid, f->op, f->gid);
> if (f->op == Audit_equal) {
> if (!result)
> result = in_egroup_p(f->gid);
> } else if (f->op == Audit_not_equal) {
> if (result)
> result = !in_egroup_p(f->gid);
> }
> break;
> [...]
>
> The in_[e]group_p functions match the current task's group list.
> Unfortunately there don't seem to be functions in the kernel that
> would do the same for arbitrary struct cred pointers, we may need to
> add these to fix this.
>
> See the definition of in_group_p for reference:
> https://elixir.bootlin.com/linux/latest/source/kernel/groups.c#L219
Interesting. Nice catch. I'll need to look at these and the previous
one again. File github audit kernel issues...
> 2018-05-16 8:57 GMT+02:00 Ondrej Mosnacek <omosnace@redhat.com>:
> > Hi,
> >
> > I noticed this suspicious line in the definition of the
> > audit_filter_rules function in auditsc.c:
> >
> > [...]
> > case AUDIT_SESSIONID:
> > sessionid = audit_get_sessionid(current); // <--- HERE
> > result = audit_comparator(sessionid, f->op, f->val);
> > break;
> > [...]
> >
> > Here, the sessionid is retrieved from the current task pointer, while
> > all the other code in this function compares against the tsk task
> > pointer. It seems that it is not always guaranteed that tsk ==
> > current, so my question is: Is it intentional for some reason or
> > should it be tsk instead of current?
> >
> > Ondrej Mosnacek <omosnace at redhat dot com>
>
> Ondrej Mosnacek <omosnace at redhat dot com>
- RGB
--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Question about audit_filter_rules
2018-05-16 11:46 ` Richard Guy Briggs
@ 2018-05-16 12:27 ` Ondrej Mosnacek
0 siblings, 0 replies; 5+ messages in thread
From: Ondrej Mosnacek @ 2018-05-16 12:27 UTC (permalink / raw)
To: Richard Guy Briggs; +Cc: Linux-Audit Mailing List
2018-05-16 13:46 GMT+02:00 Richard Guy Briggs <rgb@redhat.com>:
> On 2018-05-16 10:43, Ondrej Mosnacek wrote:
>> I found more inconsistencies:
>> [...]
>> case AUDIT_GID:
>> result = audit_gid_comparator(cred->gid, f->op, f->gid);
>> if (f->op == Audit_equal) {
>> if (!result)
>> result = in_group_p(f->gid);
>> } else if (f->op == Audit_not_equal) {
>> if (result)
>> result = !in_group_p(f->gid);
>> }
>> break;
>> case AUDIT_EGID:
>> result = audit_gid_comparator(cred->egid, f->op, f->gid);
>> if (f->op == Audit_equal) {
>> if (!result)
>> result = in_egroup_p(f->gid);
>> } else if (f->op == Audit_not_equal) {
>> if (result)
>> result = !in_egroup_p(f->gid);
>> }
>> break;
>> [...]
>>
>> The in_[e]group_p functions match the current task's group list.
>> Unfortunately there don't seem to be functions in the kernel that
>> would do the same for arbitrary struct cred pointers, we may need to
>> add these to fix this.
>>
>> See the definition of in_group_p for reference:
>> https://elixir.bootlin.com/linux/latest/source/kernel/groups.c#L219
>
> Interesting. Nice catch. I'll need to look at these and the previous
> one again. File github audit kernel issues...
Done, created at:
https://github.com/linux-audit/audit-kernel/issues/82
>> 2018-05-16 8:57 GMT+02:00 Ondrej Mosnacek <omosnace@redhat.com>:
>> > Hi,
>> >
>> > I noticed this suspicious line in the definition of the
>> > audit_filter_rules function in auditsc.c:
>> >
>> > [...]
>> > case AUDIT_SESSIONID:
>> > sessionid = audit_get_sessionid(current); // <--- HERE
>> > result = audit_comparator(sessionid, f->op, f->val);
>> > break;
>> > [...]
>> >
>> > Here, the sessionid is retrieved from the current task pointer, while
>> > all the other code in this function compares against the tsk task
>> > pointer. It seems that it is not always guaranteed that tsk ==
>> > current, so my question is: Is it intentional for some reason or
>> > should it be tsk instead of current?
>> >
>> > Ondrej Mosnacek <omosnace at redhat dot com>
>>
>> Ondrej Mosnacek <omosnace at redhat dot com>
>
> - RGB
>
> --
> Richard Guy Briggs <rgb@redhat.com>
> Sr. S/W Engineer, Kernel Security, Base Operating Systems
> Remote, Ottawa, Red Hat Canada
> IRC: rgb, SunRaycer
> Voice: +1.647.777.2635, Internal: (81) 32635
--
Ondrej Mosnacek <omosnace at redhat dot com>
Associate Software Engineer, Security Technologies
Red Hat, Inc.
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2018-05-16 12:28 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-05-16 6:57 Question about audit_filter_rules Ondrej Mosnacek
2018-05-16 8:43 ` Ondrej Mosnacek
2018-05-16 11:46 ` Richard Guy Briggs
2018-05-16 12:27 ` Ondrej Mosnacek
2018-05-16 11:37 ` Richard Guy Briggs
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.