AUDIT: Avoid log pollution by untrusted strings.
We log strings from userspace, such as arguments to open(). These could be formatted to contain \n followed by fake audit log entries. Provide a function for logging such strings, which gives a hex dump when the string contains anything but basic printable ASCII characters. Use it for logging filenames. Signed-off-by: David Woodhouse <dwmw2@infradead.org>
parent
c60c390620
commit
83c7d09173
3 changed files with 34 additions and 4 deletions
|
@ -174,11 +174,15 @@ extern void audit_log_format(struct audit_buffer *ab,
|
|||
const char *fmt, ...)
|
||||
__attribute__((format(printf,2,3)));
|
||||
extern void audit_log_end(struct audit_buffer *ab);
|
||||
extern void audit_log_hex(struct audit_buffer *ab,
|
||||
const unsigned char *buf,
|
||||
size_t len);
|
||||
extern void audit_log_untrustedstring(struct audit_buffer *ab,
|
||||
const char *string);
|
||||
extern void audit_log_d_path(struct audit_buffer *ab,
|
||||
const char *prefix,
|
||||
struct dentry *dentry,
|
||||
struct vfsmount *vfsmnt);
|
||||
|
||||
/* Private API (for auditsc.c only) */
|
||||
extern void audit_send_reply(int pid, int seq, int type,
|
||||
int done, int multi,
|
||||
|
@ -190,6 +194,8 @@ extern void audit_log_lost(const char *message);
|
|||
#define audit_log_vformat(b,f,a) do { ; } while (0)
|
||||
#define audit_log_format(b,f,...) do { ; } while (0)
|
||||
#define audit_log_end(b) do { ; } while (0)
|
||||
#define audit_log_hex(a,b,l) do { ; } while (0)
|
||||
#define audit_log_untrustedstring(a,s) do { ; } while (0)
|
||||
#define audit_log_d_path(b,p,d,v) do { ; } while (0)
|
||||
#endif
|
||||
#endif
|
||||
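Review bot: The two new prototypes carry no comment stating their output contract, which anyone parsing the audit log needs to know. From the implementation in this commit, audit_log_untrustedstring takes a NUL-terminated string and emits it either inside double quotes or as bare hex digits with no quotes. I would add above the declarations `/* Logs string in double quotes if it holds only printable ASCII with no space or quote; otherwise logs its bytes as unquoted hex. */`. Separately, the stub `audit_log_hex(a,b,l)` names the buffer argument `a` where the neighbouring stubs use `b`, which is harmless but inconsistent.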
|
|
|
@ -720,6 +720,29 @@ void audit_log_format(struct audit_buffer *ab, const char *fmt, ...)
|
|||
va_end(args);
|
||||
}
|
||||
|
||||
void audit_log_hex(struct audit_buffer *ab, const unsigned char *buf, size_t len)
|
||||
{
|
||||
int i;
|
||||
|
||||
for (i=0; i<len; i++)
|
||||
audit_log_format(ab, "%02x", buf[i]);
|
||||
}
|
||||
|
||||
void audit_log_untrustedstring(struct audit_buffer *ab, const char *string)
|
||||
{
|
||||
const char *p = string;
|
||||
|
||||
while (*p) {
|
||||
if (*p == '"' || *p == ' ' || *p < 0x20 || *p > 0x7f) {
|
||||
audit_log_hex(ab, string, strlen(string));
|
||||
return;
|
||||
}
|
||||
p++;
|
||||
}
|
||||
audit_log_format(ab, "\"%s\"", string);
|
||||
}
|
||||
|
||||
|
||||
/* This is a helper-function to print the d_path without using a static
|
||||
* buffer or allocating another buffer in addition to the one in
|
||||
* audit_buffer. */
|
||||
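Review bot: The filter in audit_log_untrustedstring lets DEL (0x7f) through as if it were printable, because the upper bound is written `*p > 0x7f`. The commit message promises a hex dump for anything but basic printable ASCII, so the condition should read `if (*p == '"' || *p == ' ' || *p < 0x20 || *p > 0x7e) {`. The test also depends on whether plain `char` is signed: bytes at or above 0x80 are caught by `*p < 0x20` on signed-char targets and by the upper bound on unsigned-char ones. Scanning through a `const unsigned char *` would make that intent explicit and match the parameter type of audit_log_hex, which is currently handed a `const char *`. In audit_log_hex, `int i` is compared with `size_t len`; declaring `size_t i` avoids the mixed-sign comparison.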
|
|
|
@ -696,9 +696,10 @@ static void audit_log_exit(struct audit_context *context)
|
|||
if (!ab)
|
||||
continue; /* audit_panic has been called */
|
||||
audit_log_format(ab, "item=%d", i);
|
||||
if (context->names[i].name)
|
||||
audit_log_format(ab, " name=%s",
|
||||
context->names[i].name);
|
||||
if (context->names[i].name) {
|
||||
audit_log_format(ab, " name=");
|
||||
audit_log_untrustedstring(ab, context->names[i].name);
|
||||
}
|
||||
if (context->names[i].ino != (unsigned long)-1)
|
||||
audit_log_format(ab, " inode=%lu dev=%02x:%02x mode=%#o"
|
||||
" uid=%d gid=%d rdev=%02x:%02x",
|
||||
|
|