From: Peter Hurley <peter@hurleysoftware.com>
To: Richard Guy Briggs <rgb@redhat.com>,
linux-audit@redhat.com, linux-kernel@vger.kernel.org
Cc: sgrubb@redhat.com, pmoore@redhat.com, eparis@redhat.com
Subject: Re: [PATCH] audit: add tty field to LOGIN event
Date: Wed, 13 Apr 2016 17:31:16 -0700 [thread overview]
Message-ID: <570EE4D4.4080903@hurleysoftware.com> (raw)
In-Reply-To: <4587fd4a69c5d41f9596c0644ce22dc38db47d04.1460589810.git.rgb@redhat.com>
Hi Richard,
On 04/13/2016 04:25 PM, Richard Guy Briggs wrote:
> The tty field was missing from AUDIT_LOGIN events.
>
> Refactor code to create a new function audit_get_tty(), using it to
> replace the call in audit_log_task_info() and to add it to
> audit_log_set_loginuid().
>
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> ---
> include/linux/audit.h | 18 ++++++++++++++++++
> kernel/audit.c | 11 +----------
> kernel/auditsc.c | 5 +++--
> 3 files changed, 22 insertions(+), 12 deletions(-)
>
> diff --git a/include/linux/audit.h b/include/linux/audit.h
> index b40ed5d..20c6649 100644
> --- a/include/linux/audit.h
> +++ b/include/linux/audit.h
> @@ -26,6 +26,7 @@
> #include <linux/sched.h>
> #include <linux/ptrace.h>
> #include <uapi/linux/audit.h>
> +#include <linux/tty.h>
>
> #define AUDIT_INO_UNSET ((unsigned long)-1)
> #define AUDIT_DEV_UNSET ((dev_t)-1)
> @@ -343,6 +344,19 @@ static inline unsigned int audit_get_sessionid(struct task_struct *tsk)
> return tsk->sessionid;
> }
>
> +static inline char *audit_get_tty(struct task_struct *tsk)
> +{
> + char *tty;
> +
> + spin_lock_irq(&tsk->sighand->siglock);
> + if (tsk->signal && tsk->signal->tty && tsk->signal->tty->name)
> + tty = tsk->signal->tty->name;
> + else
> + tty = "(none)";
> + spin_unlock_irq(&tsk->sighand->siglock);
This is unsafe because the tty could be immediately torn down after the
siglock is dropped, and return a dangling ptr.
> + return tty;
> +}
> +
> extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp);
> extern void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode);
> extern void __audit_bprm(struct linux_binprm *bprm);
> @@ -500,6 +514,10 @@ static inline unsigned int audit_get_sessionid(struct task_struct *tsk)
> {
> return -1;
> }
> +static inline char *audit_get_tty(struct task_struct *tsk)
> +{
> + return "(invalid)";
> +}
> static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
> { }
> static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid,
> diff --git a/kernel/audit.c b/kernel/audit.c
> index 3a3e5de..fae11df 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -64,7 +64,6 @@
> #include <linux/security.h>
> #endif
> #include <linux/freezer.h>
> -#include <linux/tty.h>
> #include <linux/pid_namespace.h>
> #include <net/netns/generic.h>
>
> @@ -1873,7 +1872,6 @@ void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
> {
> const struct cred *cred;
> char comm[sizeof(tsk->comm)];
> - char *tty;
struct tty_struct *tty;
>
> if (!ab)
> return;
> @@ -1881,13 +1879,6 @@ void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
> /* tsk == current */
> cred = current_cred();
>
> - spin_lock_irq(&tsk->sighand->siglock);
> - if (tsk->signal && tsk->signal->tty && tsk->signal->tty->name)
> - tty = tsk->signal->tty->name;
> - else
> - tty = "(none)";
> - spin_unlock_irq(&tsk->sighand->siglock);
tty = get_current_tty();
> -
> audit_log_format(ab,
> " ppid=%d pid=%d auid=%u uid=%u gid=%u"
> " euid=%u suid=%u fsuid=%u"
> @@ -1903,7 +1894,7 @@ void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
> from_kgid(&init_user_ns, cred->egid),
> from_kgid(&init_user_ns, cred->sgid),
> from_kgid(&init_user_ns, cred->fsgid),
> - tty, audit_get_sessionid(tsk));
> + audit_get_tty(tsk), audit_get_sessionid(tsk));
tty_name(tty), ....);
^^^^^^^^^^
returns "NULL tty" if tty == NULL
tty_kref_put(tty);
>
> audit_log_format(ab, " comm=");
> audit_log_untrustedstring(ab, get_task_comm(comm, tsk));
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 195ffae..a0467fb 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -1993,8 +1993,9 @@ static void audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid,
> return;
> audit_log_format(ab, "pid=%d uid=%u", task_pid_nr(current), uid);
> audit_log_task_context(ab);
> - audit_log_format(ab, " old-auid=%u auid=%u old-ses=%u ses=%u res=%d",
> - oldloginuid, loginuid, oldsessionid, sessionid, !rc);
tty = get_current_tty();
> + audit_log_format(ab, " old-auid=%u auid=%u tty=%s old-ses=%u ses=%u res=%d",
> + oldloginuid, loginuid, audit_get_tty(current),
......., tty_name(tty),
> + oldsessionid, sessionid, !rc);
tty_kref_put(tty);
Regards,
Peter Hurley
> audit_log_end(ab);
> }
>
>
next prev parent reply other threads:[~2016-04-14 0:31 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-04-13 23:25 [PATCH] audit: add tty field to LOGIN event Richard Guy Briggs
2016-04-13 23:25 ` Richard Guy Briggs
2016-04-14 0:31 ` Peter Hurley [this message]
2016-04-18 18:27 ` Richard Guy Briggs
2016-04-18 18:27 ` Richard Guy Briggs
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=570EE4D4.4080903@hurleysoftware.com \
--to=peter@hurleysoftware.com \
--cc=eparis@redhat.com \
--cc=linux-audit@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=pmoore@redhat.com \
--cc=rgb@redhat.com \
--cc=sgrubb@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.