On 14/03/08, Tetsuo Handa wrote:
> Richard Guy Briggs wrote:
> > > > >   Likewise, audit_log_untrustedstring(ab, current->comm) is racy.
> > > > >   If task->comm was "Hello Linux" until audit_string_contains_control() in
> > > > >   audit_log_n_untrustedstring() returns false, and becomes "Penguin" before
> > > > >   memcpy() in audit_log_n_string() is called, memcpy() will emit "Penguin\0nux"
> > > > >   into the audit log, which results in loss of information (e.g. SELinux
> > > > >   context) due to the unexpected '\0' byte.
> > > > 
> > > > I expect the audit people don't like this? Also, how do audit and the
> > > > LSM crap things interact? I thought they were both different piles of
> > > > ignorable goo?
> > > 
> > > I think the audit people do not like loss of information. Some of LSM modules
> > > are using audit subsystem for recording security related events. An example is
> > > shown later.
> > 
> > This is true, however since comm is untrusted because it can be modified
> > by the user audit doesn't trust it anyways, so who cares?
> 
> Excuse me, but did you understand this side effect correctly?

<snip>

> ), you can see that fields after comm= (e.g. exe= subj= key= ) are missing.

Ok, from your description and example I had clearly not fully understood
the problem.

> ---------- An audit log with race ----------
> type=SYSCALL msg=audit(1394281498.566:63): arch=40000003 syscall=11 success=yes exit=0 a0=858c9c8 a1=85a6620 a2=858e4a0 a3=85a6620 items=2 ppid=1747 pid=2662 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="truncated
> type=EXECVE msg=audit(1394281498.566:63): argc=1 a0="/tmp/printable-comm"
> type=CWD msg=audit(1394281498.566:63):  cwd="/root"
> type=PATH msg=audit(1394281498.566:63): item=0 name="/tmp/printable-comm" inode=1970955 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL
> type=PATH msg=audit(1394281498.566:63): item=1 name=(null) inode=2360187 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL
> ---------- An audit log with race ----------
> 
> Even if you don't trust the comm= field, it is annoying for me that fields
> after comm= are missing in the audit log.

More than annoying, that isn't acceptable.

- RGB

--
Richard Guy Briggs <rbri...@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/
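The race described in the thread, as an added userspace model rather than kernel code or anything posted by the participants: the "racy" path reads task->comm three times (strlen, the control-character check, memcpy), and a rename hook standing in for the concurrent exec/prctl(PR_SET_NAME) writer fires between check and copy. The "snapshot" path copies comm once into a local buffer first, which is the get_task_comm()-under-task_lock() shape of the fix. The record is then read back as a C string, the way auditd/ausearch consume it, so the embedded '\0' makes every field after comm= vanish. The pid, exe and subj values are constructed for illustration; the control-character predicate mirrors the kernel's audit_string_contains_control(), and because a space already fails that predicate the start name is "HelloLinux" rather than the thread's "Hello Linux".

```c
/* Added example, not kernel code: models the check-then-copy race in
 * audit_log_untrustedstring() and the record truncation it causes. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define TASK_COMM_LEN 16            /* same limit as the kernel's task->comm */
#define RECORD_LEN 256

struct task { char comm[TASK_COMM_LEN]; };     /* stand-in for task_struct */

/* Stand-in for the concurrent writer (exec, prctl(PR_SET_NAME)), fired at
 * a chosen point inside the logging path to force the interleaving. */
typedef void (*race_hook_t)(struct task *t);

/* Same predicate as the kernel's audit_string_contains_control(). */
static bool contains_control(const char *s, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '"' || c < 0x21 || c > 0x7e) return true;
    }
    return false;
}

/* Like audit_log_n_string(): copies exactly len bytes and never looks for
 * '\0' again, so a NUL inside s lands inside the record. */
static size_t append_quoted(char *rec, size_t pos, const char *key,
                            const char *s, size_t len)
{
    if (pos + strlen(key) + len + 4 >= RECORD_LEN) return pos;
    pos += (size_t)snprintf(rec + pos, RECORD_LEN - pos, "%s=\"", key);
    memcpy(rec + pos, s, len);
    pos += len;
    rec[pos++] = '"';
    rec[pos] = '\0';
    return pos;
}

/* Like audit_log_n_hex(): the escaped form, emitted without quotes. */
static size_t append_hex(char *rec, size_t pos, const char *key,
                         const char *s, size_t len)
{
    pos += (size_t)snprintf(rec + pos, RECORD_LEN - pos, "%s=", key);
    for (size_t i = 0; i < len && pos + 3 < RECORD_LEN; i++)
        pos += (size_t)snprintf(rec + pos, RECORD_LEN - pos, "%02X",
                                (unsigned char)s[i]);
    return pos;
}

/* Racy path: strlen(), the check and memcpy() each read task->comm afresh. */
static size_t log_comm_racy(char *rec, size_t pos, struct task *t,
                            race_hook_t hook)
{
    size_t len = strlen(t->comm);
    if (contains_control(t->comm, len))
        return append_hex(rec, pos, "comm", t->comm, len);
    if (hook) hook(t);                  /* comm is rewritten right here */
    return append_quoted(rec, pos, "comm", t->comm, len);
}

/* Fixed path: one consistent snapshot (the kernel's get_task_comm() takes
 * it under task_lock()), then check and copy only the snapshot. */
static size_t log_comm_snapshot(char *rec, size_t pos, struct task *t,
                                race_hook_t hook)
{
    char buf[TASK_COMM_LEN];
    memcpy(buf, t->comm, TASK_COMM_LEN);
    buf[TASK_COMM_LEN - 1] = '\0';
    size_t len = strlen(buf);
    if (hook) hook(t);                  /* same interleaving, now harmless */
    if (contains_control(buf, len))
        return append_hex(rec, pos, "comm", buf, len);
    return append_quoted(rec, pos, "comm", buf, len);
}

/* Build "pid= comm= exe= subj=" (constructed values) and return it as a C
 * string, which is how userspace (auditd, ausearch, printf %s) reads it. */
static const char *emit_record(char *rec, struct task *t, race_hook_t hook,
        size_t (*log_comm)(char *, size_t, struct task *, race_hook_t))
{
    size_t pos = (size_t)snprintf(rec, RECORD_LEN, "pid=2662 ");
    pos = log_comm(rec, pos, t, hook);
    snprintf(rec + pos, RECORD_LEN - pos,
             " exe=\"/tmp/printable-comm\" subj=system_u:system_r:init_t:s0");
    return rec;
}

/* Constructed writer: strlcpy()-style like __set_task_comm(), it writes
 * "Penguin\0" and leaves the tail of the old name in place. */
static void rename_to_penguin(struct task *t)
{
    memcpy(t->comm, "Penguin", sizeof "Penguin");
}

static char racy_rec[RECORD_LEN], safe_rec[RECORD_LEN];

const char *demo_racy(void)         /* consumer sees: pid=2662 comm="Penguin */
{
    struct task t = { "HelloLinux" };  /* no space: a space already forces hex */
    return emit_record(racy_rec, &t, rename_to_penguin, log_comm_racy);
}

const char *demo_snapshot(void)     /* consumer sees the whole record */
{
    struct task t = { "HelloLinux" };
    return emit_record(safe_rec, &t, rename_to_penguin, log_comm_snapshot);
}
```

Compile with `cc -Wall race.c` and call demo_racy() and demo_snapshot() from a main of your own; printing each with `%s` reproduces the thread's `comm="truncated` shape for the racy path and the full record for the snapshot path. The bytes after the NUL are still in racy_rec, which is why this is a loss of information on the consumer side rather than a buffer problem in the kernel.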
