
kernel-2.6.18-238.el5.src.rpm

Date: Fri, 29 Sep 2006 11:38:08 -0400
From: Eric Paris <eparis@redhat.com>
Subject: [RHEL5 PATCH] Disallow meaningless arch audit filters, BZ 206427

This is BZ 206427

Since the kernel represents archs as numbers in the audit system it does
not complain when using > or < to compare them.  An example would be it
will gladly determine if i686 > x86_64.  Since such comparisons don't
make any sense the following patch will limit arch rules to use = or !=
and will return -EINVAL for any rule which attempts to use > or <

This patch has been sent upstream and I expect it to make 2.6.19.  A
simple test case is to use the following command

auditctl -a entry,always -F 'arch>i686' -S chmod

on the unpatched kernel this will be taken just fine, with this patch
this filter will be rejected.

-Eric

--- linux-2.6.18.i686/kernel/auditfilter.c.audit.arch	2006-09-28 16:44:11.000000000 -0400
+++ linux-2.6.18.i686/kernel/auditfilter.c	2006-09-28 17:38:34.000000000 -0400
@@ -411,7 +411,6 @@ static struct audit_entry *audit_rule_to
 		case AUDIT_FSGID:
 		case AUDIT_LOGINUID:
 		case AUDIT_PERS:
-		case AUDIT_ARCH:
 		case AUDIT_MSGTYPE:
 		case AUDIT_PPID:
 		case AUDIT_DEVMAJOR:
@@ -423,6 +422,14 @@ static struct audit_entry *audit_rule_to
 		case AUDIT_ARG2:
 		case AUDIT_ARG3:
 			break;
+		/* arch is only allowed to be = or != */
+		case AUDIT_ARCH:
+			if ((f->op != AUDIT_NOT_EQUAL) && (f->op != AUDIT_EQUAL) 
+					&& (f->op != AUDIT_NEGATE) && (f->op)) {
+				err = -EINVAL;
+				goto exit_free;
+			}
+			break;
 		case AUDIT_PERM:
 			if (f->val & ~15)
 				goto exit_free;
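Review bot: The comment on the new `case AUDIT_ARCH:` says only = or != is allowed, but the condition also accepts `AUDIT_NEGATE` and a zero `f->op`, so the accepted set is wider than documented. If those two are the legacy encodings of != and = (presumably normalised later in the function, which this hunk does not show), the comment should say so, e.g. `/* arch: only = and != make sense; AUDIT_NEGATE and op == 0 are the legacy forms of those */`. Both hunks touch only the function the hunk header abbreviates as `audit_rule_to`; it is worth confirming that the other rule-parsing path (`audit_data_to_entry`, not shown in this patch) also rejects ordered comparisons on AUDIT_ARCH, since otherwise the same meaningless filter could still be loaded and leave the audit policy matching something other than what the administrator intended. The switch and its enclosing function start and end outside the hunk.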