On Thu, Jun 16, 2016 at 5:07 PM, Paul Moore <[email protected]> wrote: > On Tue, Jun 14, 2016 at 5:03 PM, Richard Guy Briggs <[email protected]> wrote: >> In the case of an error returned from a field check in an audit filter >> syscall rule, it is treated as a match and the rule action is honoured. >> >> This could cause a rule with a default of NEVER and an selinux field >> check error to avoid logging. >> >> Recommend matching with an action of ALWAYS to catch malicious abuse of >> this bug. The downside of this approach is it could DoS the audit >> subsystem. > > I understand your concern about the DoS, but in reality it is no worse > than if no audit filter rules were configured, yes?
Just following up on this since I don't recall seeing a response ... >> Signed-off-by: Richard Guy Briggs <[email protected]> >> --- >> kernel/auditsc.c | 4 ++++ >> 1 files changed, 4 insertions(+), 0 deletions(-) >> >> diff --git a/kernel/auditsc.c b/kernel/auditsc.c >> index 71e14d8..6123672 100644 >> --- a/kernel/auditsc.c >> +++ b/kernel/auditsc.c >> @@ -683,6 +683,10 @@ static int audit_filter_rules(struct task_struct *tsk, >> } >> if (!result) >> return 0; >> + if (result < 0) { >> + *state = AUDIT_RECORD_CONTEXT; >> + return 1; >> + } >> } >> >> if (ctx) { > > -- > paul moore > www.paul-moore.com -- paul moore www.paul-moore.com
