Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 638a0fd2 authored by Eric W. Biederman's avatar Eric W. Biederman Committed by Eric Paris
Browse files

audit: Use struct net not pid_t to remember the network namespce to reply in 



While reading through 3.14-rc1 I found a pretty siginficant mishandling
of network namespaces in the recent audit changes.

In struct audit_netlink_list and audit_reply add a reference to the
network namespace of the caller and remove the userspace pid of the
caller.  This cleanly remembers the callers network namespace, and
removes a huge class of races and nasty failure modes that can occur
when attempting to relook up the callers network namespace from a pid_t
(including the caller's network namespace changing, pid wraparound, and
the pid simply not being present).

Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
Acked-by: default avatarRichard Guy Briggs <rgb@redhat.com>
Signed-off-by: default avatarEric Paris <eparis@redhat.com>
parent 3f1c8250

kernel/audit.c

+6 −4
Original line number Diff line number Diff line
@@ -182,7 +182,7 @@ struct audit_buffer { 


struct audit_reply {

	__u32 portid;

	pid_t pid;

	struct net *net;

	struct sk_buff *skb;

};
@@ -500,7 +500,7 @@ int audit_send_list(void *_dest) 
{

	struct audit_netlink_list *dest = _dest;

	struct sk_buff *skb;

	struct net *net = get_net_ns_by_pid(dest->pid);

	struct net *net = dest->net;

	struct audit_net *aunet = net_generic(net, audit_net_id);



	/* wait for parent to finish and send an ACK */
@@ -510,6 +510,7 @@ int audit_send_list(void *_dest) 
	while ((skb = __skb_dequeue(&dest->q)) != NULL)

		netlink_unicast(aunet->nlsk, skb, dest->portid, 0);



	put_net(net);

	kfree(dest);



	return 0;
@@ -543,7 +544,7 @@ struct sk_buff *audit_make_reply(__u32 portid, int seq, int type, int done, 
static int audit_send_reply_thread(void *arg)

{

	struct audit_reply *reply = (struct audit_reply *)arg;

	struct net *net = get_net_ns_by_pid(reply->pid);

	struct net *net = reply->net;

	struct audit_net *aunet = net_generic(net, audit_net_id);



	mutex_lock(&audit_cmd_mutex);
@@ -552,6 +553,7 @@ static int audit_send_reply_thread(void *arg) 
	/* Ignore failure. It'll only happen if the sender goes away,

	   because our timeout is set to infinite. */

	netlink_unicast(aunet->nlsk , reply->skb, reply->portid, 0);

	put_net(net);

	kfree(reply);

	return 0;

}
@@ -583,8 +585,8 @@ static void audit_send_reply(__u32 portid, int seq, int type, int done, 
	if (!skb)

		goto out;



	reply->net = get_net(current->nsproxy->net_ns);

	reply->portid = portid;

	reply->pid = task_pid_vnr(current);

	reply->skb = skb;



	tsk = kthread_run(audit_send_reply_thread, reply, "audit_send_reply");

kernel/audit.h

+1 −1
Original line number Diff line number Diff line
@@ -253,7 +253,7 @@ extern void audit_panic(const char *message); 


struct audit_netlink_list {

	__u32 portid;

	pid_t pid;

	struct net *net;

	struct sk_buff_head q;

};

kernel/auditfilter.c

+2 −1
Original line number Diff line number Diff line
@@ -31,6 +31,7 @@ 
#include <linux/sched.h>

#include <linux/slab.h>

#include <linux/security.h>

#include <net/net_namespace.h>

#include "audit.h"



/*
@@ -1085,8 +1086,8 @@ int audit_list_rules_send(__u32 portid, int seq) 
	dest = kmalloc(sizeof(struct audit_netlink_list), GFP_KERNEL);

	if (!dest)

		return -ENOMEM;

	dest->net = get_net(current->nsproxy->net_ns);

	dest->portid = portid;

	dest->pid = task_pid_vnr(current);

	skb_queue_head_init(&dest->q);



	mutex_lock(&audit_filter_mutex);