[PATCH ghak64 V1] audit: add saddr_fam filter field
Paul Moore
paul at paul-moore.com
Tue Apr 30 17:37:41 UTC 2019
On Tue, Apr 30, 2019 at 1:01 PM Richard Guy Briggs <rgb at redhat.com> wrote:
> On 2019-04-27 10:09, Paul Moore wrote:
> > On Fri, Apr 26, 2019 at 1:00 PM Richard Guy Briggs <rgb at redhat.com> wrote:
...
> > Beyond that, looking at the patch below it seems like there is an
> > obvious omission regarding validating the address families; some
> > updates to audit_field_valid() to verify that the specified address
> > family is greater than AF_UNSPEC and less than AF_MAX would be good to
> > have.
>
> I thought of that and as you can see had added it to the userspace code
> that accompanies it. There isn't really any harm to allow it to go
> outside those address family limits if someone really wants to do that.

I see it as a usability issue. In general terms, we shouldn't allow
admins to add a nonsense filter rule to the kernel, and we shouldn't
rely on the userspace to catch everything.
--
paul moore
www.paul-moore.com
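
The point argued above, as an added example that is not part of the original message or of the kernel patch: a small C model in which a validating userspace tool and an unvalidated client each submit a saddr_fam value, with the in-kernel range check (AF_UNSPEC < value < AF_MAX) switched off and on. All `demo_*` names and `DEMO_SADDR_FAM` are hypothetical stand-ins, not kernel identifiers.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h> /* AF_UNSPEC, AF_INET, AF_MAX */

#define DEMO_SADDR_FAM 1u /* constructed id, not the real AUDIT_* constant */

/* Hypothetical model of one filter field; not the kernel's own structure. */
struct demo_field { uint32_t type; uint32_t val; };

/* Range check proposed in the review: AF_UNSPEC < val < AF_MAX. */
static int demo_field_valid(const struct demo_field *f)
{
    if (f->type != DEMO_SADDR_FAM)
        return -EINVAL; /* unknown field type in this model */
    if (f->val <= (uint32_t)AF_UNSPEC || f->val >= (uint32_t)AF_MAX)
        return -EINVAL;
    return 0;
}

/* Modeled kernel entry point; kernel_checks toggles in-kernel validation. */
static int demo_kernel_add_rule(const struct demo_field *f, int kernel_checks)
{
    return kernel_checks ? demo_field_valid(f) : 0; /* 0 = rule installed */
}

/* Well-behaved userspace tool: validates before sending. */
static int demo_tool_add_rule(uint32_t fam, int kernel_checks)
{
    struct demo_field f = { DEMO_SADDR_FAM, fam };
    int rc = demo_field_valid(&f);
    return rc ? rc : demo_kernel_add_rule(&f, kernel_checks);
}

/* Any other client of the same interface: sends the rule unchecked. */
static int demo_raw_add_rule(uint32_t fam, int kernel_checks)
{
    struct demo_field f = { DEMO_SADDR_FAM, fam };
    return demo_kernel_add_rule(&f, kernel_checks);
}

int main(void)
{
    uint32_t bogus = (uint32_t)AF_MAX + 5; /* constructed nonsense family */
    printf("tool, no kernel check: %d\n", demo_tool_add_rule(bogus, 0));
    printf("raw,  no kernel check: %d\n", demo_raw_add_rule(bogus, 0));
    printf("raw,  kernel check:    %d\n", demo_raw_add_rule(bogus, 1));
    return 0;
}
```

Without the kernel-side check, the out-of-range rule is installed whenever the client is not the validating tool; with it, both paths get `-EINVAL`.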