@@ -2667,6 +2667,22 @@ int audit_signal_info(int sig, struct task_struct *t)
return audit_signal_info_syscall(t);
}
+static int audit_contid_depth(struct audit_cont *cont)
+{
+ struct audit_cont *parent;
+ int depth = 1;
+
+ if (!cont)
+ return 0;
+
+ parent = cont->parent;
+ while (parent) {
+ depth++;
+ parent = parent->parent;
+ }
+ return depth;
+}
+
struct audit_cont *audit_cont(struct task_struct *tsk)
{
if (!tsk->audit || !tsk->audit->cont)
@@ -2785,6 +2801,11 @@ int audit_set_contid(struct task_struct *task, u64 contid)
rc = -ENOSPC;
goto conterror;
}
+ /* Set max contid depth */
+ if (audit_contid_depth(audit_cont(current->real_parent)) >= AUDIT_CONTID_DEPTH) {
+ rc = -EMLINK;
+ goto conterror;
+ }
if (!newcont) {
newcont = kmalloc(sizeof(struct audit_cont), GFP_ATOMIC);
if (newcont) {
@@ -231,6 +231,8 @@ struct audit_contid_status {
u64 id;
};
+#define AUDIT_CONTID_DEPTH 5
+
/* Indicates that audit should log the full pathname. */
#define AUDIT_NAME_FULL -1
Set an arbitrary limit on the depth of audit container identifier nesting to limit abuse. Signed-off-by: Richard Guy Briggs <rgb@redhat.com> --- kernel/audit.c | 21 +++++++++++++++++++++ kernel/audit.h | 2 ++ 2 files changed, 23 insertions(+)