Set an arbitrary limit on the depth of audit container identifier nesting to limit abuse. Signed-off-by: Richard Guy Briggs <rgb@xxxxxxxxxx> --- kernel/audit.c | 21 +++++++++++++++++++++ kernel/audit.h | 2 ++ 2 files changed, 23 insertions(+) diff --git a/kernel/audit.c b/kernel/audit.c index 848fd1c8c579..a70c9184e5d9 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -2667,6 +2667,22 @@ int audit_signal_info(int sig, struct task_struct *t) return audit_signal_info_syscall(t); } +static int audit_contid_depth(struct audit_cont *cont) +{ + struct audit_cont *parent; + int depth = 1; + + if (!cont) + return 0; + + parent = cont->parent; + while (parent) { + depth++; + parent = parent->parent; + } + return depth; +} + struct audit_cont *audit_cont(struct task_struct *tsk) { if (!tsk->audit || !tsk->audit->cont) @@ -2785,6 +2801,11 @@ int audit_set_contid(struct task_struct *task, u64 contid) rc = -ENOSPC; goto conterror; } + /* Set max contid depth */ + if (audit_contid_depth(audit_cont(current->real_parent)) >= AUDIT_CONTID_DEPTH) { + rc = -EMLINK; + goto conterror; + } if (!newcont) { newcont = kmalloc(sizeof(struct audit_cont), GFP_ATOMIC); if (newcont) { diff --git a/kernel/audit.h b/kernel/audit.h index 89b7de323c13..cb25341c1a0f 100644 --- a/kernel/audit.h +++ b/kernel/audit.h @@ -231,6 +231,8 @@ struct audit_contid_status { u64 id; }; +#define AUDIT_CONTID_DEPTH 5 + /* Indicates that audit should log the full pathname. */ #define AUDIT_NAME_FULL -1 -- 1.8.3.1 _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linuxfoundation.org/mailman/listinfo/containers