On Tue, Dec 31, 2019 at 2:51 PM Richard Guy Briggs <[email protected]> wrote:
>
> Clamp the depth of audit container identifier nesting to limit the
> netlink and disk bandwidth used and to prevent losing information from
> record text size overflow in the contid field.
>
> Add a configuration parameter AUDIT_STATUS_CONTID_DEPTH_LIMIT (0x80) to
> set the audit container identifier depth limit.  This can be used to
> prevent overflow of the contid field in CONTAINER_OP and CONTAINER_ID
> messages, losing information, and to limit bandwidth used by these
> messages.
>
> Signed-off-by: Richard Guy Briggs <[email protected]>
> ---
>  include/uapi/linux/audit.h |  2 ++
>  kernel/audit.c             | 46 ++++++++++++++++++++++++++++++++++++++++++++++
>  kernel/audit.h             |  2 ++
>  3 files changed, 50 insertions(+)

Since setting an audit container ID, and hence acting as an
orchestrator and creating a new nested level of audit container IDs,
is a privileged operation, I think we can equate this to the infamous
"shooting oneself in the foot" problem.  Let's leave this limitation
out of the patchset for now; if it becomes a problem in the future we
can consider restricting the nesting depth.

--
paul moore
www.paul-moore.com


--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
