| From c92cdeb45eea38515e82187f48c2e4f435fb4e25 Mon Sep 17 00:00:00 2001 |
| From: Richard Guy Briggs <rgb@redhat.com> |
| Date: Tue, 10 Dec 2013 22:10:41 -0500 |
| Subject: audit: convert PPIDs to the inital PID namespace. |
| |
| From: Richard Guy Briggs <rgb@redhat.com> |
| |
| commit c92cdeb45eea38515e82187f48c2e4f435fb4e25 upstream. |
| |
| sys_getppid() returns the parent pid of the current process in its own pid |
| namespace. Since audit filters are based in the init pid namespace, a process |
| could avoid a filter or trigger an unintended one by being in an alternate pid |
| namespace or log meaningless information. |
| |
| Switch to task_ppid_nr() for PPIDs to anchor all audit filters in the |
| init_pid_ns. |
| |
| (informed by ebiederman's 6c621b7e) |
| Cc: Eric W. Biederman <ebiederm@xmission.com> |
| Signed-off-by: Richard Guy Briggs <rgb@redhat.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| kernel/audit.c | 4 ++-- |
| kernel/auditsc.c | 2 +- |
| 2 files changed, 3 insertions(+), 3 deletions(-) |
| |
| --- a/kernel/audit.c |
| +++ b/kernel/audit.c |
| @@ -1829,10 +1829,10 @@ void audit_log_task_info(struct audit_bu |
| spin_unlock_irq(&tsk->sighand->siglock); |
| |
| audit_log_format(ab, |
| - " ppid=%ld pid=%d auid=%u uid=%u gid=%u" |
| + " ppid=%d pid=%d auid=%u uid=%u gid=%u" |
| " euid=%u suid=%u fsuid=%u" |
| " egid=%u sgid=%u fsgid=%u tty=%s ses=%u", |
| - sys_getppid(), |
| + task_ppid_nr(tsk), |
| tsk->pid, |
| from_kuid(&init_user_ns, audit_get_loginuid(tsk)), |
| from_kuid(&init_user_ns, cred->uid), |
| --- a/kernel/auditsc.c |
| +++ b/kernel/auditsc.c |
| @@ -459,7 +459,7 @@ static int audit_filter_rules(struct tas |
| case AUDIT_PPID: |
| if (ctx) { |
| if (!ctx->ppid) |
| - ctx->ppid = sys_getppid(); |
| + ctx->ppid = task_ppid_nr(tsk); |
| result = audit_comparator(ctx->ppid, f->op, f->val); |
| } |
| break; |