On Thu, May 29, 2014 at 9:25 AM, Steve Grubb wrote:
> On Thursday, May 29, 2014 09:04:10 AM Andy Lutomirski wrote:
>> On Thu, May 29, 2014 at 6:05 AM, Steve Grubb wrote:
>> > On Wednesday, May 28, 2014 07:40:57 PM Andy Lutomirski wrote:
>> >> >> - It assumes that syscall numbers are between 0 an
On Thursday, May 29, 2014 09:04:10 AM Andy Lutomirski wrote:
> On Thu, May 29, 2014 at 6:05 AM, Steve Grubb wrote:
> > On Wednesday, May 28, 2014 07:40:57 PM Andy Lutomirski wrote:
> >> >> - It assumes that syscall numbers are between 0 and 2048.
> >> >>
> >> > There could well be a bug here. No
On Thu, May 29, 2014 at 6:05 AM, Steve Grubb wrote:
> On Wednesday, May 28, 2014 07:40:57 PM Andy Lutomirski wrote:
>> >> - It assumes that syscall numbers are between 0 and 2048.
>> >>
>> > There could well be a bug here. Not questioning that. Although that
>> > would be patch 1/2
>>
>> Even w
On 2014-05-28 15:33:06, Tony Jones wrote:
> This patch came from our L3 department. AppArmor LSM is logging using the
> common_lsm_audit() call but the audit userspace parsing code expects to
> see an SELinux tclass field. This patch
> doesn't address the lack of support for AppArmor in "aur
On 2014-05-29 11:01:38, Steve Grubb wrote:
> On Thursday, May 29, 2014 10:31:52 AM Tyler Hicks wrote:
> > On 2014-05-28 15:33:06, Tony Jones wrote:
> > > This patch came from our L3 department. AppArmor LSM is logging using the
> > > common_lsm_audit() call but the audit userspace parsing code exp
On Thursday, May 29, 2014 10:31:52 AM Tyler Hicks wrote:
> On 2014-05-28 15:33:06, Tony Jones wrote:
> > This patch came from our L3 department. AppArmor LSM is logging using the
> > common_lsm_audit() call but the audit userspace parsing code expects to
> > see an SELinux tclass field. This patch
On Wednesday, May 28, 2014 07:40:57 PM Andy Lutomirski wrote:
> >> - It assumes that syscall numbers are between 0 and 2048.
> >>
> > There could well be a bug here. Not questioning that. Although that
> > would be patch 1/2
>
> Even with patch 1, it still doesn't handle large syscall numbers -
On Wednesday, May 28, 2014 10:43:57 PM Eric Paris wrote:
> On Wed, 2014-05-28 at 19:27 -0700, Andy Lutomirski wrote:
> > On Wed, May 28, 2014 at 7:23 PM, Eric Paris wrote:
> > > On Wed, 2014-05-28 at 18:44 -0700, Andy Lutomirski wrote:
> > >> Fixes an easy DoS and possible information disclosure.
Fixes an easy DoS and possible information disclosure.
This does nothing about the broken state of x32 auditing.
Cc: sta...@vger.kernel.org
Signed-off-by: Andy Lutomirski
---
kernel/auditsc.c | 27 ++-
1 file changed, 18 insertions(+), 9 deletions(-)
diff --git a/kernel
On Wed, May 28, 2014 at 7:09 PM, Eric Paris wrote:
> NAK
>
> On Wed, 2014-05-28 at 18:44 -0700, Andy Lutomirski wrote:
>> Here are some issues with the code:
>> - It thinks that syscalls have four arguments.
>
> Not true at all. It records the registers that would hold the first 4
> entries on s
On Wed, 2014-05-28 at 19:27 -0700, Andy Lutomirski wrote:
> On Wed, May 28, 2014 at 7:23 PM, Eric Paris wrote:
> > On Wed, 2014-05-28 at 18:44 -0700, Andy Lutomirski wrote:
> >> Fixes an easy DoS and possible information disclosure.
> >>
> >> This does nothing about the broken state of x32 auditin
On Wed, May 28, 2014 at 7:43 PM, Eric Paris wrote:
> On Wed, 2014-05-28 at 19:27 -0700, Andy Lutomirski wrote:
>> On Wed, May 28, 2014 at 7:23 PM, Eric Paris wrote:
>> > On Wed, 2014-05-28 at 18:44 -0700, Andy Lutomirski wrote:
>> >> Fixes an easy DoS and possible information disclosure.
>> >>
>>
CONFIG_AUDITSYSCALL is awful. Patch 2 enumerates some reasons.
Patch 1 fixes a nasty DoS and possible information leak. It should
be applied and backported.
Patch 2 is optional. I leave it to other people's judgment.
Andy Lutomirski (2):
auditsc: audit_krule mask accesses need bounds checki
On Wed, May 28, 2014 at 7:23 PM, Eric Paris wrote:
> On Wed, 2014-05-28 at 18:44 -0700, Andy Lutomirski wrote:
>> Fixes an easy DoS and possible information disclosure.
>>
>> This does nothing about the broken state of x32 auditing.
>>
>> Cc: sta...@vger.kernel.org
>> Signed-off-by: Andy Lutomirsk
Here are some issues with the code:
- It thinks that syscalls have four arguments.
- It's a performance disaster.
- It assumes that syscall numbers are between 0 and 2048.
- It's unclear whether it's supposed to be reliable.
- It's broken on things like x32.
- It can't support ARM OABI.
- It
On Wed, May 28, 2014 at 7:54 PM, Eric Paris wrote:
> On Wed, 2014-05-28 at 19:40 -0700, Andy Lutomirski wrote:
>> On Wed, May 28, 2014 at 7:09 PM, Eric Paris wrote:
>> > NAK
>> >
>> > On Wed, 2014-05-28 at 18:44 -0700, Andy Lutomirski wrote:
>> >> Here are some issues with the code:
>> >> - It t
On 2014-05-28 15:33:06, Tony Jones wrote:
> This patch came from our L3 department. AppArmor LSM is logging using the
> common_lsm_audit() call but the audit userspace parsing code expects to
> see an SELinux tclass field. This patch
> doesn't address the lack of support for AppArmor in "aur