Re: [PATCH ghak90 V8 14/16] audit: check contid depth and add limit config param

From: Paul Moore
Date: Wed Jan 22 2020 - 16:29:41 EST


On Tue, Dec 31, 2019 at 2:51 PM Richard Guy Briggs <rgb@xxxxxxxxxx> wrote:
>
> Clamp the depth of audit container identifier nesting to limit the
> netlink and disk bandwidth used and to prevent losing information from
> record text size overflow in the contid field.
>
> Add a configuration parameter AUDIT_STATUS_CONTID_DEPTH_LIMIT (0x80) to
> set the audit container identifier depth limit. This can be used to
> prevent overflow of the contid field in CONTAINER_OP and CONTAINER_ID
> messages, losing information, and to limit bandwidth used by these
> messages.
>
> Signed-off-by: Richard Guy Briggs <rgb@xxxxxxxxxx>
> ---
> include/uapi/linux/audit.h | 2 ++
> kernel/audit.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++
> kernel/audit.h | 2 ++
> 3 files changed, 50 insertions(+)

Since setting an audit container ID, and hence acting as an
orchestrator and creating a new nested level of audit container IDs,
is a privileged operation, I think we can equate this to the infamous
"shooting oneself in the foot" problem. Let's leave this limitation
out of the patchset for now; if it becomes a problem in the future we
can consider restricting the nesting depth.

--
paul moore
www.paul-moore.com