[ARCHIVE DEBUG 06/13] audit_debug: don't let systemd change config

Richard Guy Briggs rgb at redhat.com
Thu Oct 22 19:28:36 UTC 2015


On 15/10/22, Steve Grubb wrote:
> On Thursday, October 22, 2015 02:58:52 PM Richard Guy Briggs wrote:
> > Debug the possibility of systemd changing the audit config causing
> > shutdown delays by blocking all such requests.
> 
> I don't understand what you are saying here. As long as something 
> has CAP_AUDIT_CONTROL, it can make changes. But we have to record what made 
> the changes in the logs.

I grouped all the message types that make changes first so that if it
was init or systemd attempting such a change, it would be denied with
-EPERM.  Systemd should only have CAP_AUDIT_READ.  If it isn't process 1
(init or systemd) it will just fall through this list of message types as
it did before.  This was done for debug testing only.  This isn't
intended to be accepted upstream.

Does this help?  Perhaps I should have been more explicit that even if
systemd somehow was configured with CAP_AUDIT_CONTROL, it would be
denied.

> -Steve
> 
> > Signed-off-by: Richard Guy Briggs <rgb at redhat.com>
> > ---
> >  kernel/audit.c |   14 ++++++++------
> >  1 files changed, 8 insertions(+), 6 deletions(-)
> > 
> > diff --git a/kernel/audit.c b/kernel/audit.c
> > index 30b3b08..93a466b 100644
> > --- a/kernel/audit.c
> > +++ b/kernel/audit.c
> > @@ -680,18 +680,20 @@ static int audit_netlink_ok(struct sk_buff *skb, u16
> > msg_type) case AUDIT_ADD:
> >  	case AUDIT_DEL:
> >  		return -EOPNOTSUPP;
> > -	case AUDIT_GET:
> >  	case AUDIT_SET:
> > -	case AUDIT_GET_FEATURE:
> >  	case AUDIT_SET_FEATURE:
> > -	case AUDIT_LIST_RULES:
> >  	case AUDIT_ADD_RULE:
> >  	case AUDIT_DEL_RULE:
> > -	case AUDIT_SIGNAL_INFO:
> > -	case AUDIT_TTY_GET:
> > -	case AUDIT_TTY_SET:
> >  	case AUDIT_TRIM:
> >  	case AUDIT_MAKE_EQUIV:
> > +	case AUDIT_TTY_SET:
> > +		if (current->tgid == 1)
> > +			return -EPERM;
> > +	case AUDIT_GET:
> > +	case AUDIT_GET_FEATURE:
> > +	case AUDIT_LIST_RULES:
> > +	case AUDIT_SIGNAL_INFO:
> > +	case AUDIT_TTY_GET:
> >  		/* Only support auditd and auditctl in initial pid namespace
> >  		 * for now. */
> >  		if ((task_active_pid_ns(current) != &init_pid_ns))
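Review bot: the new `if (current->tgid == 1) return -EPERM;` placed under `case AUDIT_TTY_SET:` falls through silently into the `AUDIT_GET` group when the tgid check does not match; add an explicit `/* fall through */` comment after the `return -EPERM;` so the intent is visible to readers and to fall-through warnings, and since the cover text says this is debug-only and not for upstream, a comment to that effect next to the pid-1 check would keep anyone reading the diff in isolation from mistaking it for a real access-control change. Note also that this check runs before the existing `task_active_pid_ns(current) != &init_pid_ns` test, so it is evaluated for every caller regardless of namespace.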
> 
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit

- RGB

--
Richard Guy Briggs <rbriggs at redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545