From: Paul Moore
Subject: Re: [PATCH ghak90 V8 14/16] audit: check contid depth and add limit config param
Date: Wed, 22 Jan 2020 16:29:22 -0500
In-Reply-To: <28cf3e16f8440bcb852767d3ae13e1a56c19569c.1577736799.git.rgb@redhat.com>
To: Richard Guy Briggs
Cc: containers@lists.linux-foundation.org, linux-api@vger.kernel.org, Linux-Audit Mailing List, linux-fsdevel@vger.kernel.org, LKML, netdev@vger.kernel.org, netfilter-devel@vger.kernel.org, sgrubb@redhat.com, omosnace@redhat.com, dhowells@redhat.com, simo@redhat.com, Eric Paris, Serge Hallyn, ebiederm@xmission.com, nhorman@tuxdriver.com, Dan Walsh, mpatel@redhat.com

On Tue, Dec 31, 2019 at 2:51 PM Richard Guy Briggs wrote:
>
> Clamp the depth of audit container identifier nesting to limit the
> netlink and disk bandwidth used and to prevent losing information from
> record text size overflow in the contid field.
>
> Add a configuration parameter AUDIT_STATUS_CONTID_DEPTH_LIMIT (0x80) to
> set the audit container identifier depth limit. This can be used to
> prevent overflow of the contid field in CONTAINER_OP and CONTAINER_ID
> messages, losing information, and to limit bandwidth used by these
> messages.
>
> Signed-off-by: Richard Guy Briggs
> ---
> include/uapi/linux/audit.h | 2 ++
> kernel/audit.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++
> kernel/audit.h | 2 ++
> 3 files changed, 50 insertions(+)

Since setting an audit container ID, and hence acting as an orchestrator and creating a new nested level of audit container IDs, is a privileged operation, I think we can equate this to the infamous "shooting oneself in the foot" problem.
Let's leave this limitation out of the patchset for now; if it becomes a problem in the future we can consider restricting the nesting depth.