From: Alexander Viro <aviro@redhat.com>
To: linux-audit@redhat.com
Subject: [PATCH] collect sid of those who send {HUP,TERM,USR1} to auditd
Date: Sat, 6 May 2006 08:45:02 -0400 [thread overview]
Message-ID: <20060506124502.GZ29125@devserv.devel.redhat.com> (raw)
Add USR1 to the set we are logging, log sid of sender, make audit_signal_info()
inlined.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
---
include/linux/audit.h | 3 +--
kernel/audit.c | 2 ++
kernel/audit.h | 11 +++++++++++
kernel/auditsc.c | 21 +++++++++++----------
kernel/signal.c | 2 +-
5 files changed, 26 insertions(+), 13 deletions(-)
b0e74dd9e54eb5f81751f5cd832d1c9d1c703775
diff --git a/include/linux/audit.h b/include/linux/audit.h
index c60e96d..103ed6d 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -278,6 +278,7 @@ struct audit_rule { /* for AUDIT_LIST,
struct audit_sig_info {
uid_t uid;
pid_t pid;
+ __u32 sid;
};
struct audit_buffer;
@@ -328,7 +329,6 @@ extern int audit_bprm(struct linux_binpr
extern int audit_socketcall(int nargs, unsigned long *args);
extern int audit_sockaddr(int len, void *addr);
extern int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt);
-extern void audit_signal_info(int sig, struct task_struct *t);
extern int audit_set_macxattr(const char *name);
#else
#define audit_alloc(t) ({ 0; })
@@ -349,7 +349,6 @@ extern int audit_set_macxattr(const char
#define audit_socketcall(n,a) ({ 0; })
#define audit_sockaddr(len, addr) ({ 0; })
#define audit_avc_path(dentry, mnt) ({ 0; })
-#define audit_signal_info(s,t) do { ; } while (0)
#define audit_set_macxattr(n) do { ; } while (0)
#endif
diff --git a/kernel/audit.c b/kernel/audit.c
index 35d5db1..11aa301 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -89,6 +89,7 @@ static int audit_backlog_wait_overflow =
/* The identity of the user shutting down the audit system. */
uid_t audit_sig_uid = -1;
pid_t audit_sig_pid = -1;
+u32 audit_sig_sid = 0;
/* Records can be lost in several ways:
0) [suppressed in audit_alloc]
@@ -614,6 +615,7 @@ static int audit_receive_msg(struct sk_b
case AUDIT_SIGNAL_INFO:
sig_data.uid = audit_sig_uid;
sig_data.pid = audit_sig_pid;
+ sig_data.sid = audit_sig_sid;
audit_send_reply(NETLINK_CB(skb).pid, seq, AUDIT_SIGNAL_INFO,
0, 0, &sig_data, sizeof(sig_data));
break;
diff --git a/kernel/audit.h b/kernel/audit.h
index 8948fc1..52cb1e3 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -101,3 +101,14 @@ struct audit_netlink_list {
int audit_send_list(void *);
extern int selinux_audit_rule_update(void);
+
+#ifdef CONFIG_AUDITSYSCALL
+extern void __audit_signal_info(int sig, struct task_struct *t);
+static inline void audit_signal_info(int sig, struct task_struct *t)
+{
+ if (unlikely(audit_pid && t->tgid == audit_pid))
+ __audit_signal_info(sig, t);
+}
+#else
+#define audit_signal_info(s,t)
+#endif
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 114f921..4ca913d 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1376,19 +1376,20 @@ int audit_avc_path(struct dentry *dentry
* If the audit subsystem is being terminated, record the task (pid)
* and uid that is doing that.
*/
-void audit_signal_info(int sig, struct task_struct *t)
+void __audit_signal_info(int sig, struct task_struct *t)
{
extern pid_t audit_sig_pid;
extern uid_t audit_sig_uid;
+ extern u32 audit_sig_sid;
- if (unlikely(audit_pid && t->tgid == audit_pid)) {
- if (sig == SIGTERM || sig == SIGHUP) {
- struct audit_context *ctx = current->audit_context;
- audit_sig_pid = current->pid;
- if (ctx)
- audit_sig_uid = ctx->loginuid;
- else
- audit_sig_uid = current->uid;
- }
+ if (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1) {
+ struct task_struct *tsk = current;
+ struct audit_context *ctx = tsk->audit_context;
+ audit_sig_pid = tsk->pid;
+ if (ctx)
+ audit_sig_uid = ctx->loginuid;
+ else
+ audit_sig_uid = tsk->uid;
+ selinux_get_task_sid(tsk, &audit_sig_sid);
}
}
diff --git a/kernel/signal.c b/kernel/signal.c
index e5f8aea..1b3c921 100644
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -23,12 +23,12 @@
#include <linux/syscalls.h>
#include <linux/ptrace.h>
#include <linux/signal.h>
-#include <linux/audit.h>
#include <linux/capability.h>
#include <asm/param.h>
#include <asm/uaccess.h>
#include <asm/unistd.h>
#include <asm/siginfo.h>
+#include "audit.h" /* audit_signal_info() */
/*
* SLAB caches for signal bits.
--
0.99.9.GIT
next reply other threads:[~2006-05-06 12:45 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-05-06 12:45 Alexander Viro [this message]
2006-05-08 20:16 ` [PATCH] collect sid of those who send {HUP, TERM, USR1} to auditd Amy Griffis
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20060506124502.GZ29125@devserv.devel.redhat.com \
--to=aviro@redhat.com \
--cc=linux-audit@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.