audit: don't attempt to lookup PIDs when changing PID filtering audit rules

commit 3640dcfa4fd00cd91d88bb86250bdb496f7070c0 upstream. Commit f1dc4867 ("audit: anchor all pid references in the initial pid namespace") introduced a find_vpid() call when adding/removing audit rules with PID/PPID filters; unfortunately this is problematic as find_vpid() only works if there is a task with the associated PID alive on the system. The following commands demonstrate a simple reproducer. # auditctl -D # auditctl -l # autrace /bin/true # auditctl -l This patch resolves the problem by simply using the PID provided by the user without any additional validation, e.g. no calls to check to see if the task/PID exists. Cc: Richard Guy Briggs <rgb@redhat.com> Signed-off-by: Paul Moore <pmoore@redhat.com> Acked-by: Eric Paris <eparis@redhat.com> Reviewed-by: Richard Guy Briggs <rgb@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

audit: don't attempt to lookup PIDs when changing PID filtering audit rules
commit 3640dcfa4fd00cd91d88bb86250bdb496f7070c0 upstream. Commit f1dc4867 ("audit: anchor all pid references in the initial pid namespace") introduced a find_vpid() call when adding/removing audit rules with PID/PPID filters; unfortunately this is problematic as find_vpid() only works if there is a task with the associated PID alive on the system. The following commands demonstrate a simple reproducer. # auditctl -D # auditctl -l # autrace /bin/true # auditctl -l This patch resolves the problem by simply using the PID provided by the user without any additional validation, e.g. no calls to check to see if the task/PID exists. Cc: Richard Guy Briggs <rgb@redhat.com> Signed-off-by: Paul Moore <pmoore@redhat.com> Acked-by: Eric Paris <eparis@redhat.com> Reviewed-by: Richard Guy Briggs <rgb@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Paul Moore · Greg Kroah-Hartman
1 parent 1110f3504d
Showing 1 changed file with 0 additions and 13 deletions Side-by-side Diff
kernel/auditfilter.c
@@ -444,19 +444,6 @@
 			f->val = 0;
 		}
  
-		if ((f->type == AUDIT_PID) || (f->type == AUDIT_PPID)) {
-			struct pid *pid;
-			rcu_read_lock();
-			pid = find_vpid(f->val);
-			if (!pid) {
-				rcu_read_unlock();
-				err = -ESRCH;
-				goto exit_free;
-			}
-			f->val = pid_nr(pid);
-			rcu_read_unlock();
-		}
-
 		err = audit_field_valid(entry, f);
 		if (err)
 			goto exit_free;
...	...	@@ -444,19 +444,6 @@
444	444	f->val = 0;
445	445	}
446	446
447		- if ((f->type == AUDIT_PID) \|\| (f->type == AUDIT_PPID)) {
448		- struct pid *pid;
449		- rcu_read_lock();
450		- pid = find_vpid(f->val);
451		- if (!pid) {
452		- rcu_read_unlock();
453		- err = -ESRCH;
454		- goto exit_free;
455		- }
456		- f->val = pid_nr(pid);
457		- rcu_read_unlock();
458		- }
459		-
460	447	err = audit_field_valid(entry, f);
461	448	if (err)
462	449	goto exit_free;