audit: convert PPIDs to the inital PID namespace.

sys_getppid() returns the parent pid of the current process in its own pid namespace. Since audit filters are based in the init pid namespace, a process could avoid a filter or trigger an unintended one by being in an alternate pid namespace or log meaningless information. Switch to task_ppid_nr() for PPIDs to anchor all audit filters in the init_pid_ns. (informed by ebiederman's 6c621b7e) Cc: stable@vger.kernel.org Cc: Eric W. Biederman <ebiederm@xmission.com> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>

audit: convert PPIDs to the inital PID namespace.
sys_getppid() returns the parent pid of the current process in its own pid namespace. Since audit filters are based in the init pid namespace, a process could avoid a filter or trigger an unintended one by being in an alternate pid namespace or log meaningless information. Switch to task_ppid_nr() for PPIDs to anchor all audit filters in the init_pid_ns. (informed by ebiederman's 6c621b7e) Cc: stable@vger.kernel.org Cc: Eric W. Biederman <ebiederm@xmission.com> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Richard Guy Briggs · Eric Paris · Eric Lee · Eric Lee · Eric Lee · Eric Lee
1 parent ad36d28293
Showing 2 changed files with 3 additions and 3 deletions Side-by-side Diff
kernel/audit.c
kernel/auditsc.c
@@ -1819,10 +1819,10 @@
 	spin_unlock_irq(&tsk->sighand->siglock);
  
 	audit_log_format(ab,
-			 " ppid=%ld pid=%d auid=%u uid=%u gid=%u"
+			 " ppid=%d pid=%d auid=%u uid=%u gid=%u"
 			 " euid=%u suid=%u fsuid=%u"
 			 " egid=%u sgid=%u fsgid=%u tty=%s ses=%u",
-			 sys_getppid(),
+			 task_ppid_nr(tsk),
 			 tsk->pid,
 			 from_kuid(&init_user_ns, audit_get_loginuid(tsk)),
 			 from_kuid(&init_user_ns, cred->uid),
@@ -465,7 +465,7 @@
 		case AUDIT_PPID:
 			if (ctx) {
 				if (!ctx->ppid)
-					ctx->ppid = sys_getppid();
+					ctx->ppid = task_ppid_nr(tsk);
 				result = audit_comparator(ctx->ppid, f->op, f->val);
 			}
 			break;
...	...	@@ -1819,10 +1819,10 @@
1819	1819	spin_unlock_irq(&tsk->sighand->siglock);
1820	1820
1821	1821	audit_log_format(ab,
1822		- " ppid=%ld pid=%d auid=%u uid=%u gid=%u"
	1822	+ " ppid=%d pid=%d auid=%u uid=%u gid=%u"
1823	1823	" euid=%u suid=%u fsuid=%u"
1824	1824	" egid=%u sgid=%u fsgid=%u tty=%s ses=%u",
1825		- sys_getppid(),
	1825	+ task_ppid_nr(tsk),
1826	1826	tsk->pid,
1827	1827	from_kuid(&init_user_ns, audit_get_loginuid(tsk)),
1828	1828	from_kuid(&init_user_ns, cred->uid),
...	...	@@ -465,7 +465,7 @@
465	465	case AUDIT_PPID:
466	466	if (ctx) {
467	467	if (!ctx->ppid)
468		- ctx->ppid = sys_getppid();
	468	+ ctx->ppid = task_ppid_nr(tsk);
469	469	result = audit_comparator(ctx->ppid, f->op, f->val);
470	470	}
471	471	break;