From mboxrd@z Thu Jan 1 00:00:00 1970 From: Steve Grubb Subject: Re: [PATCH 1/1] audit: log binding and unbinding to netlink multicast Date: Mon, 16 Oct 2017 18:28:50 -0400 Message-ID: <2996118.lXGmUDsRlS@x2> References: <1586072.oZ6YSgVNJI@x2> <18408080.ZMkQbuXcMZ@x2> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <18408080.ZMkQbuXcMZ@x2> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: linux-audit@redhat.com List-Id: linux-audit@redhat.com On Monday, October 16, 2017 6:06:47 PM EDT Steve Grubb wrote: > > > +/* Log information about who is connecting to the audit multicast > > > socket > > > */ +static void audit_log_multicast_bind(int group, const char *op, int > > > err) +{ > > > + const struct cred *cred; > > > + struct tty_struct *tty; > > > + char comm[sizeof(current->comm)]; > > > + struct audit_buffer *ab; > > > + > > > + ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_EVENT_LISTENER); > > > > It really seems like this should be associated with the current task, > > e.g. "audit_log_start(current->audit_context, ...)". After all, the > > whole point of this record is to capture information about the subject > > who is binding to the multicast socket. > > OK, easy enough. But wouldn't that make it an auxiliary record (if there happens to be a syscall record) instead of a standalone event? The intention is that this event is standalone just like AUDIT_SECCOMP or AUDIT_LOGIN. Associating with the current task is done by using current in formatting the message as seen below. (e.g. task_pid_nr(current), audit_get_sessionid(current)) I think it's correct as is. 
-Steve > > + if (!ab) > > + return; > > + > > + cred = current_cred(); > > + tty = audit_get_tty(current); > > + > > + audit_log_format(ab, "pid=%u uid=%u auid=%u tty=%s ses=%u", > > + task_pid_nr(current), > > + from_kuid(&init_user_ns, cred->uid), > > + from_kuid(&init_user_ns, > > audit_get_loginuid(current)), + tty ? tty_name(tty) > > : "(none)", > > + audit_get_sessionid(current)); > > + audit_put_tty(tty); > > + audit_log_task_context(ab); /* subj= */ > > + audit_log_format(ab, " comm="); > > + audit_log_untrustedstring(ab, get_task_comm(comm, current)); > > + audit_log_d_path_exe(ab, current->mm); /* exe= */
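Review bot: none of the three parameters of `audit_log_multicast_bind(int group, const char *op, int err)` appears in the record built in this hunk; the visible lines end at `audit_log_d_path_exe(ab, current->mm); /* exe= */` without logging the group, the operation or the error and without an `audit_log_end(ab)`, so the rest of the function (cut off here) must append those as fields, for example `op=%s` with the group number and a `res=` derived from `err` (field names are a suggestion, not taken from the patch), and then close the buffer, otherwise the event records who bound but not which multicast group, whether it was a bind or unbind, or whether it succeeded. On the `audit_log_start(NULL, GFP_KERNEL, AUDIT_EVENT_LISTENER)` line that the thread is debating: passing NULL rather than `current->audit_context` is exactly what makes this a standalone record with its own serial number instead of an auxiliary record attached to a syscall event, and since the subject fields are filled from `current` anyway, the choice is defensible, but it is non-obvious enough that the commit message and a one-line comment at the call should state that standalone behaviour is intended, so the NULL is not read as an oversight as it was in this review.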