Commit dbe0ca090fcc181319d56c27b90a9946647650a9
Committed by
Greg Kroah-Hartman
1 parent
1110f3504d
audit: don't attempt to lookup PIDs when changing PID filtering audit rules
commit 3640dcfa4fd00cd91d88bb86250bdb496f7070c0 upstream.

Commit f1dc4867 ("audit: anchor all pid references in the initial pid namespace") introduced a find_vpid() call when adding/removing audit rules with PID/PPID filters; unfortunately this is problematic as find_vpid() only works if there is a task with the associated PID alive on the system. The following commands demonstrate a simple reproducer.

	# auditctl -D
	# auditctl -l
	# autrace /bin/true
	# auditctl -l

This patch resolves the problem by simply using the PID provided by the user without any additional validation, e.g. no calls to check to see if the task/PID exists.

Cc: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
Acked-by: Eric Paris <eparis@redhat.com>
Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Showing 1 changed file with 0 additions and 13 deletions
kernel/auditfilter.c
... | ... | @@ -444,19 +444,6 @@ |
444 | 444 | f->val = 0; |
445 | 445 | } |
446 | 446 | |
447 | - if ((f->type == AUDIT_PID) || (f->type == AUDIT_PPID)) { | |
448 | - struct pid *pid; | |
449 | - rcu_read_lock(); | |
450 | - pid = find_vpid(f->val); | |
451 | - if (!pid) { | |
452 | - rcu_read_unlock(); | |
453 | - err = -ESRCH; | |
454 | - goto exit_free; | |
455 | - } | |
456 | - f->val = pid_nr(pid); | |
457 | - rcu_read_unlock(); | |
458 | - } | |
459 | - | |
460 | 447 | err = audit_field_valid(entry, f); |
461 | 448 | if (err) |
462 | 449 | goto exit_free; |
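Review bot: The block removed at old lines 447-458 did two things, and the changelog only accounts for one of them: besides the existence check that returned -ESRCH, it rewrote the field with `f->val = pid_nr(pid);` after resolving it through find_vpid(). find_vpid() looks the number up in the caller's PID namespace and pid_nr() yields the initial-namespace number, so with this change an AUDIT_PID or AUDIT_PPID value supplied from a non-initial PID namespace is stored untranslated and goes straight to audit_field_valid(entry, f). Please state in the commit message which namespace the stored value is now assumed to be in, and consider a short comment at this spot saying that PID/PPID values are deliberately taken as given, so the missing lookup is not reintroduced later as a "fix".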