From: Amy Griffis <amy.griffis@hp.com>
To: linux-audit@redhat.com
Subject: Re: [PATCH] collect sid of those who send {HUP, TERM, USR1} to auditd
Date: Mon, 8 May 2006 16:16:58 -0400 [thread overview]
Message-ID: <20060508201658.GA25968@zk3.dec.com> (raw)
In-Reply-To: <20060506124502.GZ29125@devserv.devel.redhat.com>
On Sat, May 06, 2006 at 08:45:02AM -0400, Alexander Viro wrote:
> Add USR1 to the set we are logging, log sid of sender, make audit_signal_info()
> inlined.
>
> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
>
> ---
>
> include/linux/audit.h | 3 +--
> kernel/audit.c | 2 ++
> kernel/audit.h | 11 +++++++++++
> kernel/auditsc.c | 21 +++++++++++----------
> kernel/signal.c | 2 +-
> 5 files changed, 26 insertions(+), 13 deletions(-)
>
> b0e74dd9e54eb5f81751f5cd832d1c9d1c703775
> diff --git a/include/linux/audit.h b/include/linux/audit.h
> index c60e96d..103ed6d 100644
> --- a/include/linux/audit.h
> +++ b/include/linux/audit.h
> @@ -278,6 +278,7 @@ struct audit_rule { /* for AUDIT_LIST,
> struct audit_sig_info {
> uid_t uid;
> pid_t pid;
> + __u32 sid;
> };
>
> struct audit_buffer;
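Review bot: The new `__u32 sid` member changes the size of `struct audit_sig_info`, which the kernel/audit.c hunk sends to userspace verbatim via `audit_send_reply(..., &sig_data, sizeof(sig_data))`, so this is a wire-format extension and nothing in the header says so. Consumers built against the two-field layout will presumably keep working only because the field is appended at the end; that rule should be written down where the next person will add a field. Suggest `__u32 sid; /* appended: AUDIT_SIGNAL_INFO payload, keep new fields last */`.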
> @@ -328,7 +329,6 @@ extern int audit_bprm(struct linux_binpr
> extern int audit_socketcall(int nargs, unsigned long *args);
> extern int audit_sockaddr(int len, void *addr);
> extern int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt);
> -extern void audit_signal_info(int sig, struct task_struct *t);
> extern int audit_set_macxattr(const char *name);
> #else
> #define audit_alloc(t) ({ 0; })
> @@ -349,7 +349,6 @@ extern int audit_set_macxattr(const char
> #define audit_socketcall(n,a) ({ 0; })
> #define audit_sockaddr(len, addr) ({ 0; })
> #define audit_avc_path(dentry, mnt) ({ 0; })
> -#define audit_signal_info(s,t) do { ; } while (0)
> #define audit_set_macxattr(n) do { ; } while (0)
> #endif
>
> diff --git a/kernel/audit.c b/kernel/audit.c
> index 35d5db1..11aa301 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -89,6 +89,7 @@ static int audit_backlog_wait_overflow =
> /* The identity of the user shutting down the audit system. */
> uid_t audit_sig_uid = -1;
> pid_t audit_sig_pid = -1;
> +u32 audit_sig_sid = 0;
>
> /* Records can be lost in several ways:
> 0) [suppressed in audit_alloc]
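Review bot: The comment above these globals still reads "The identity of the user shutting down the audit system", but the new `audit_sig_sid` adds a SELinux sid to that identity and the kernel/auditsc.c hunk now records senders of SIGUSR1 as well, so the comment no longer describes what is stored. Suggest `/* Identity (loginuid or uid, pid, SELinux sid) of the last task that sent SIGTERM, SIGHUP or SIGUSR1 to auditd. */`. Note also that `audit_sig_uid` and `audit_sig_pid` start at -1 as a not-yet-signalled sentinel while `audit_sig_sid` starts at 0; if 0 can also be a legitimate sid value, a reader cannot distinguish "never signalled" from a real 0, and a comment stating which reading applies would help.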
> @@ -614,6 +615,7 @@ static int audit_receive_msg(struct sk_b
> case AUDIT_SIGNAL_INFO:
> sig_data.uid = audit_sig_uid;
> sig_data.pid = audit_sig_pid;
> + sig_data.sid = audit_sig_sid;
> audit_send_reply(NETLINK_CB(skb).pid, seq, AUDIT_SIGNAL_INFO,
> 0, 0, &sig_data, sizeof(sig_data));
> break;
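Review bot: The three assignments into `sig_data` read `audit_sig_uid`, `audit_sig_pid` and the new `audit_sig_sid` one at a time with no lock, while `__audit_signal_info` in the kernel/auditsc.c hunk writes them one at a time from the signal-sending task, so a signal landing between two of these reads can produce a reply whose pid, uid and sid belong to different senders. The pre-existing pid/uid pair had the same exposure; adding a third field widens the window without addressing it. If consumers rely on the triple being consistent, writer and reader should share a lock or the writer should fill a local struct and publish it in one step; if best-effort is acceptable, record that with `/* best-effort snapshot: fields may be torn if a signal races this read */` above the first assignment. The enclosing `switch` and `audit_receive_msg` continue outside the hunk.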
Shouldn't you translate the sid to its string representation before
sending to userspace?
> diff --git a/kernel/audit.h b/kernel/audit.h
> index 8948fc1..52cb1e3 100644
> --- a/kernel/audit.h
> +++ b/kernel/audit.h
> @@ -101,3 +101,14 @@ struct audit_netlink_list {
> int audit_send_list(void *);
>
> extern int selinux_audit_rule_update(void);
> +
> +#ifdef CONFIG_AUDITSYSCALL
> +extern void __audit_signal_info(int sig, struct task_struct *t);
> +static inline void audit_signal_info(int sig, struct task_struct *t)
> +{
> + if (unlikely(audit_pid && t->tgid == audit_pid))
> + __audit_signal_info(sig, t);
> +}
> +#else
> +#define audit_signal_info(s,t)
> +#endif
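Review bot: The `#else` branch defines `audit_signal_info(s,t)` as an empty expansion, whereas the definition this patch removes from include/linux/audit.h (and the neighbouring `audit_set_macxattr` stub) uses the statement form `do { ; } while (0)`; keeping the same form here, `#define audit_signal_info(s,t) do { ; } while (0)`, is consistent with the rest of the file and avoids a bare `;` after preprocessing. The inline wrapper also moves the `audit_pid && t->tgid == audit_pid` gate out of the implementation, so `__audit_signal_info` now records unconditionally when reached; a comment on its declaration, `/* call only via audit_signal_info(): caller must check audit_pid && t->tgid == audit_pid */`, would make that contract visible to the next caller. The inline further relies on `audit_pid` being declared earlier in kernel/audit.h, which this hunk does not show.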
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 114f921..4ca913d 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -1376,19 +1376,20 @@ int audit_avc_path(struct dentry *dentry
> * If the audit subsystem is being terminated, record the task (pid)
> * and uid that is doing that.
> */
> -void audit_signal_info(int sig, struct task_struct *t)
> +void __audit_signal_info(int sig, struct task_struct *t)
> {
> extern pid_t audit_sig_pid;
> extern uid_t audit_sig_uid;
> + extern u32 audit_sig_sid;
>
> - if (unlikely(audit_pid && t->tgid == audit_pid)) {
> - if (sig == SIGTERM || sig == SIGHUP) {
> - struct audit_context *ctx = current->audit_context;
> - audit_sig_pid = current->pid;
> - if (ctx)
> - audit_sig_uid = ctx->loginuid;
> - else
> - audit_sig_uid = current->uid;
> - }
> + if (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1) {
> + struct task_struct *tsk = current;
> + struct audit_context *ctx = tsk->audit_context;
> + audit_sig_pid = tsk->pid;
> + if (ctx)
> + audit_sig_uid = ctx->loginuid;
> + else
> + audit_sig_uid = tsk->uid;
> + selinux_get_task_sid(tsk, &audit_sig_sid);
> }
> }
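Review bot: The header comment at the top of the hunk still says the function records pid and uid "if the audit subsystem is being terminated", but the new body also fires for SIGUSR1 and additionally stores the sender's SELinux sid, so the comment should be rewritten to say that it records the pid, loginuid (or uid when there is no audit context) and SELinux sid of the task sending SIGTERM, SIGHUP or SIGUSR1 to auditd, and that the caller is expected to have already checked that the target is auditd. The `extern` declarations of `audit_sig_pid`, `audit_sig_uid` and the new `audit_sig_sid` inside the function body would be better placed in kernel/audit.h, which this patch already extends and which kernel/audit.c could then include to keep definition and declaration in one place. The unsynchronised writes here are the counterpart of the torn-read concern raised at the kernel/audit.c AUDIT_SIGNAL_INFO hunk.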
> diff --git a/kernel/signal.c b/kernel/signal.c
> index e5f8aea..1b3c921 100644
> --- a/kernel/signal.c
> +++ b/kernel/signal.c
> @@ -23,12 +23,12 @@
> #include <linux/syscalls.h>
> #include <linux/ptrace.h>
> #include <linux/signal.h>
> -#include <linux/audit.h>
> #include <linux/capability.h>
> #include <asm/param.h>
> #include <asm/uaccess.h>
> #include <asm/unistd.h>
> #include <asm/siginfo.h>
> +#include "audit.h" /* audit_signal_info() */
>
> /*
> * SLAB caches for signal bits.
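Review bot: Replacing `<linux/audit.h>` with the kernel-private `"audit.h"` makes kernel/signal.c depend on an audit-internal header, and whether anything else in signal.c still needs the public `<linux/audit.h>` declarations depends on kernel/audit.h pulling that header in, which this hunk does not show. If kernel/audit.h does not include it, keep both includes rather than dropping the public one. Consider also extending the trailing comment to `/* audit_signal_info(): inline gate on audit_pid, kernel-internal header */` so the unusual cross-directory include is explained where it sits.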
> --
> 0.99.9.GIT
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
>