Hello,
On Saturday, October 16, 2021 3:23:51 AM EDT Gaosheng Cui wrote:
> It is not necessary for audit_filter_rules() functions to check
> audit fileds of the rule with a lower priority, and if we did,
> there might be some unintended effects, such as the ctx->ppid
> may be changed unexpectedly, so return early if the rule has
> a lower priority.
>
> Signed-off-by: Gaosheng Cui <[email protected]>
> ---
> kernel/auditsc.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 42d4a4320526..b517947bfa48 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -470,6 +470,9 @@ static int audit_filter_rules(struct task_struct *tsk,
> u32 sid;
> unsigned int sessionid;
>
> + if (ctx && rule->prio <= ctx->prio)
> + return 0;
> +
Just wondering something... If the first thing we do is to decide to return,
should we have called the function in the first place? I wonder if this test
should be used to break out of the rule iteration loops so that we don't keep
calling only to return ?
-Steve
> cred = rcu_dereference_check(tsk->cred, tsk == current ||
task_creation);
>
> for (i = 0; i < rule->field_count; i++) {
> @@ -737,8 +740,6 @@ static int audit_filter_rules(struct task_struct *tsk,
> }
>
> if (ctx) {
> - if (rule->prio <= ctx->prio)
> - return 0;
> if (rule->filterkey) {
> kfree(ctx->filterkey);
> ctx->filterkey = kstrdup(rule->filterkey, GFP_ATOMIC);
--
Linux-audit mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/linux-audit
