audit: Use current instead of NETLINK_CREDS() in audit_filter
Eric W. Biederman [Tue, 11 Sep 2012 06:10:16 +0000 (23:10 -0700)]
Get caller process uid and gid and pid values from the current task
instead of the NETLINK_CB.  This is simpler than passing NETLINK_CREDS
from from audit_receive_msg to audit_filter_user_rules and avoid the
chance of being hit by the occassional bugs in netlink uid/gid
credential passing.  This is a safe changes because all netlink
requests are processed in the task of the sending process.

Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Eric Paris <eparis@redhat.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>

include/linux/audit.h
kernel/audit.c
kernel/auditfilter.c

index 36abf2a..9c9af0e 100644 (file)
@@ -700,7 +700,7 @@ extern void                     audit_log_secctx(struct audit_buffer *ab, u32 secid);
 extern int                 audit_update_lsm_rules(void);
 
                                /* Private API (for audit.c only) */
-extern int audit_filter_user(struct netlink_skb_parms *cb);
+extern int audit_filter_user(void);
 extern int audit_filter_type(int type);
 extern int  audit_receive_filter(int type, int pid, int uid, int seq,
                                void *data, size_t datasz, uid_t loginuid,
index 7b7268e..fecb150 100644 (file)
@@ -744,7 +744,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
                if (!audit_enabled && msg_type != AUDIT_USER_AVC)
                        return 0;
 
-               err = audit_filter_user(&NETLINK_CB(skb));
+               err = audit_filter_user();
                if (err == 1) {
                        err = 0;
                        if (msg_type == AUDIT_USER_TTY) {
index a6c3f1a..b754f43 100644 (file)
@@ -1236,8 +1236,7 @@ int audit_compare_dname_path(const char *dname, const char *path,
        return strncmp(p, dname, dlen);
 }
 
-static int audit_filter_user_rules(struct netlink_skb_parms *cb,
-                                  struct audit_krule *rule,
+static int audit_filter_user_rules(struct audit_krule *rule,
                                   enum audit_state *state)
 {
        int i;
@@ -1249,13 +1248,13 @@ static int audit_filter_user_rules(struct netlink_skb_parms *cb,
 
                switch (f->type) {
                case AUDIT_PID:
-                       result = audit_comparator(cb->creds.pid, f->op, f->val);
+                       result = audit_comparator(task_pid_vnr(current), f->op, f->val);
                        break;
                case AUDIT_UID:
-                       result = audit_comparator(cb->creds.uid, f->op, f->val);
+                       result = audit_comparator(current_uid(), f->op, f->val);
                        break;
                case AUDIT_GID:
-                       result = audit_comparator(cb->creds.gid, f->op, f->val);
+                       result = audit_comparator(current_gid(), f->op, f->val);
                        break;
                case AUDIT_LOGINUID:
                        result = audit_comparator(audit_get_loginuid(current),
@@ -1287,7 +1286,7 @@ static int audit_filter_user_rules(struct netlink_skb_parms *cb,
        return 1;
 }
 
-int audit_filter_user(struct netlink_skb_parms *cb)
+int audit_filter_user(void)
 {
        enum audit_state state = AUDIT_DISABLED;
        struct audit_entry *e;
@@ -1295,7 +1294,7 @@ int audit_filter_user(struct netlink_skb_parms *cb)
 
        rcu_read_lock();
        list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) {
-               if (audit_filter_user_rules(cb, &e->rule, &state)) {
+               if (audit_filter_user_rules(&e->rule, &state)) {
                        if (state == AUDIT_DISABLED)
                                ret = 0;
                        break;