Merge branch 'audit.b32' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit...

* 'audit.b32' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit-current:
  [PATCH] message types updated
  [PATCH] name_count array overrun
  [PATCH] PPID filtering fix
  [PATCH] arch filter lists with < or > should not be accepted

diff --git a/include/linux/audit.h b/include/linux/audit.h
index c3aa097..b2ca666 100644 (file)
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -75,7 +75,7 @@
 #define AUDIT_DAEMON_CONFIG     1203    /* Daemon config change */
 
 #define AUDIT_SYSCALL          1300    /* Syscall event */
-#define AUDIT_FS_WATCH         1301    /* Filesystem watch event */
+/* #define AUDIT_FS_WATCH      1301     * Deprecated */
 #define AUDIT_PATH             1302    /* Filename path information */
 #define AUDIT_IPC              1303    /* IPC record */
 #define AUDIT_SOCKETCALL       1304    /* sys_socketcall arguments */
@@ -88,6 +88,7 @@
 #define AUDIT_MQ_SENDRECV      1313    /* POSIX MQ send/receive record type */
 #define AUDIT_MQ_NOTIFY                1314    /* POSIX MQ notify record type */
 #define AUDIT_MQ_GETSETATTR    1315    /* POSIX MQ get/set attribute record type */
+#define AUDIT_KERNEL_OTHER     1316    /* For use by 3rd party modules */
 
 #define AUDIT_AVC              1400    /* SE Linux avc denial or grant */
 #define AUDIT_SELINUX_ERR      1401    /* Internal SE Linux Errors */

diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 1a58a81..4f40d92 100644 (file)
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -411,7 +411,6 @@ static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule)
                case AUDIT_FSGID:
                case AUDIT_LOGINUID:
                case AUDIT_PERS:
-               case AUDIT_ARCH:
                case AUDIT_MSGTYPE:
                case AUDIT_PPID:
                case AUDIT_DEVMAJOR:
@@ -423,6 +422,14 @@ static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule)
                case AUDIT_ARG2:
                case AUDIT_ARG3:
                        break;
+               /* arch is only allowed to be = or != */
+               case AUDIT_ARCH:
+                       if ((f->op != AUDIT_NOT_EQUAL) && (f->op != AUDIT_EQUAL)
+                                       && (f->op != AUDIT_NEGATE) && (f->op)) {
+                               err = -EINVAL;
+                               goto exit_free;
+                       }
+                       break;
                case AUDIT_PERM:
                        if (f->val & ~15)
                                goto exit_free;

diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 1051476..42f2f11 100644 (file)
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -278,8 +278,11 @@ static int audit_filter_rules(struct task_struct *tsk,
                        result = audit_comparator(tsk->pid, f->op, f->val);
                        break;
                case AUDIT_PPID:
-                       if (ctx)
+                       if (ctx) {
+                               if (!ctx->ppid)
+                                       ctx->ppid = sys_getppid();
                                result = audit_comparator(ctx->ppid, f->op, f->val);
+                       }
                        break;
                case AUDIT_UID:
                        result = audit_comparator(tsk->uid, f->op, f->val);
@@ -795,7 +798,8 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
 
        /* tsk == current */
        context->pid = tsk->pid;
-       context->ppid = sys_getppid();  /* sic.  tsk == current in all cases */
+       if (!context->ppid)
+               context->ppid = sys_getppid();
        context->uid = tsk->uid;
        context->gid = tsk->gid;
        context->euid = tsk->euid;
@@ -1137,6 +1141,7 @@ void audit_syscall_entry(int arch, int major,
        context->ctime      = CURRENT_TIME;
        context->in_syscall = 1;
        context->auditable  = !!(state == AUDIT_RECORD_CONTEXT);
+       context->ppid       = 0;
 }
 
 /**
@@ -1352,7 +1357,13 @@ void __audit_inode_child(const char *dname, const struct inode *inode,
                }
 
 update_context:
-       idx = context->name_count++;
+       idx = context->name_count;
+       if (context->name_count == AUDIT_NAMES) {
+               printk(KERN_DEBUG "name_count maxed and losing %s\n",
+                       found_name ?: "(null)");
+               return;
+       }
+       context->name_count++;
 #if AUDIT_DEBUG
        context->ino_count++;
 #endif
@@ -1370,7 +1381,16 @@ update_context:
        /* A parent was not found in audit_names, so copy the inode data for the
         * provided parent. */
        if (!found_name) {
-               idx = context->name_count++;
+               idx = context->name_count;
+               if (context->name_count == AUDIT_NAMES) {
+                       printk(KERN_DEBUG
+                               "name_count maxed and losing parent inode data: dev=%02x:%02x, inode=%lu",
+                               MAJOR(parent->i_sb->s_dev),
+                               MINOR(parent->i_sb->s_dev),
+                               parent->i_ino);
+                       return;
+               }
+               context->name_count++;
 #if AUDIT_DEBUG
                context->ino_count++;
 #endif