[RFC PATCH ghak73 V1] audit: re-structure audit field valid checks

Richard Guy Briggs rgb at redhat.com
Tue May 7 11:59:51 UTC 2019 

On 2019-05-07 11:23, Ondrej Mosnacek wrote:
> On Mon, May 6, 2019 at 4:48 PM Richard Guy Briggs <rgb at redhat.com> wrote:
> > Multiple checks were being done in one switch case statement that
> > started to cause some redundancies and awkward exceptions.  Separate the
> > valid field and op check from the select valid values checks.
> >
> > Enforce the elimination of meaningless bitwise and greater/lessthan
> > checks on string fields and other fields with unrelated scalar values.
> >
> > Please see the github issue
> > https://github.com/linux-audit/audit-kernel/issues/73
> >
> > Signed-off-by: Richard Guy Briggs <rgb at redhat.com>
> > ---
> > Passes audit-testsuite on f30.
> > Note: This does not necessarily completely resolve ghak73, but enables
> > ghak64.
> >
> >  kernel/auditfilter.c | 42 +++++++++++++++++++++++++++---------------
> >  1 file changed, 27 insertions(+), 15 deletions(-)
> >
> > diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
> > index 1bc6410413e6..17cfccd9ee27 100644
> > --- a/kernel/auditfilter.c
> > +++ b/kernel/auditfilter.c
> > @@ -358,9 +358,16 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
> >                 }
> >         }
> >
> > +       /* Check for valid field type and op */
> >         switch(f->type) {
> > -       default:
> > -               return -EINVAL;
> > +       case AUDIT_ARG0:
> > +       case AUDIT_ARG1:
> > +       case AUDIT_ARG2:
> > +       case AUDIT_ARG3:
> > +       case AUDIT_PERS: /* <uapi/linux/personality.h> */
> > +       case AUDIT_DEVMINOR:
> > +               /* all ops are valid */
> > +               break;
> >         case AUDIT_UID:
> >         case AUDIT_EUID:
> >         case AUDIT_SUID:
> > @@ -373,11 +380,9 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
> >         case AUDIT_FSGID:
> >         case AUDIT_OBJ_GID:
> >         case AUDIT_PID:
> > -       case AUDIT_PERS:
> >         case AUDIT_MSGTYPE:
> >         case AUDIT_PPID:
> >         case AUDIT_DEVMAJOR:
> > -       case AUDIT_DEVMINOR:
> 
> The fact that AUDIT_DEVMAJOR and AUDIT_DEVMINOR support different set
> of operators irks me a bit, but I understand the motivation (minor
> numbers are allocated in a more "ordered" fashion than major numbers),
> so I'm neutral about it.

Agreed it felt a bit weird, but figured the ordered nature could justify
it.

> >         case AUDIT_EXIT:
> >         case AUDIT_SUCCESS:
> >         case AUDIT_INODE:
> > @@ -386,10 +391,6 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
> >                 if (f->op == Audit_bitmask || f->op == Audit_bittest)
> >                         return -EINVAL;
> >                 break;
> > -       case AUDIT_ARG0:
> > -       case AUDIT_ARG1:
> > -       case AUDIT_ARG2:
> > -       case AUDIT_ARG3:
> >         case AUDIT_SUBJ_USER:
> >         case AUDIT_SUBJ_ROLE:
> >         case AUDIT_SUBJ_TYPE:
> > @@ -403,16 +404,28 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
> >         case AUDIT_WATCH:
> >         case AUDIT_DIR:
> >         case AUDIT_FILTERKEY:
> > -               break;
> >         case AUDIT_LOGINUID_SET:
> > -               if ((f->val != 0) && (f->val != 1))
> > -                       return -EINVAL;
> > -       /* FALL THROUGH */
> >         case AUDIT_ARCH:
> >         case AUDIT_FSTYPE:
> > +       case AUDIT_PERM:
> > +       case AUDIT_FILETYPE:
> 
> Looking at [1], it seems that f->op is actually ignored for AUDIT_PERM
> and AUDIT_FILETYPE... This is probably out of scope for this patch,
> but maybe AUDIT_PERM should be fixed to properly support bitmask
> operators (and the allowed ops should be only bitmask, bittest, equal,
> and not_equal) and AUDIT_FILETYPE to distinguish between the equal and
> not_equal operator. (Maybe you have already filed an issue for this,
> I'm losing track of all the ghaks :)

Good catch.  WATCH, DIR and EXE also fall into this same issue.  Is it
worth addressing audit_watch_perm(), audit_watch_filetype(),
audit_watch_compare(), audit_tree_refs() in the same manner as
audit_exe_compare() has been addressed?

> Other than that the patch looks good to me.
> 
> [1] https://elixir.bootlin.com/linux/v5.1/source/kernel/auditsc.c#L685
> 
> > +       case AUDIT_FIELD_COMPARE:
> > +       case AUDIT_EXE:
> > +               /* only equal and not equal valid ops */
> >                 if (f->op != Audit_not_equal && f->op != Audit_equal)
> >                         return -EINVAL;
> >                 break;
> > +       default:
> > +               /* field not recognized */
> > +               return -EINVAL;
> > +       }
> > +
> > +       /* Check for select valid field values */
> > +       switch(f->type) {
> > +       case AUDIT_LOGINUID_SET:
> > +               if ((f->val != 0) && (f->val != 1))
> > +                       return -EINVAL;
> > +               break;
> >         case AUDIT_PERM:
> >                 if (f->val & ~15)
> >                         return -EINVAL;
> > @@ -425,11 +438,10 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
> >                 if (f->val > AUDIT_MAX_FIELD_COMPARE)
> >                         return -EINVAL;
> >                 break;
> > -       case AUDIT_EXE:
> > -               if (f->op != Audit_not_equal && f->op != Audit_equal)
> > -                       return -EINVAL;
> > +       default:
> >                 break;
> >         }
> > +
> >         return 0;
> >  }
> >
> > --
> > 1.8.3.1
> 
> -- 
> Ondrej Mosnacek <omosnace at redhat dot com>
> Software Engineer, Security Technologies
> Red Hat, Inc.

- RGB

--
Richard Guy Briggs <rgb at redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

More information about the Linux-audit mailing list