From: Tyler Hicks <tyhicks@canonical.com>
To: Paul Moore <paul@paul-moore.com>, Eric Paris <eparis@redhat.com>,
Kees Cook <keescook@chromium.org>,
Andy Lutomirski <luto@amacapital.net>,
Will Drewry <wad@chromium.org>
Cc: linux-audit@redhat.com, linux-kernel@vger.kernel.org
Subject: [PATCH 1/2] seccomp: Allow for auditing functionality specific to return actions
Date: Mon, 2 Jan 2017 16:53:09 +0000 [thread overview]
Message-ID: <1483375990-14948-2-git-send-email-tyhicks@canonical.com> (raw)
In-Reply-To: <1483375990-14948-1-git-send-email-tyhicks@canonical.com>
This patch introduces the concept of auditing formats that are specific
to the action specified in a filter's return value. Initially, only
SECCOMP_RET_KILL has an auditing message that differs from other return
actions because it specifies the signal that is to be sent.
This patch causes a small functional change in that "sig=0" is not
printed when auditing seccomp actions other than SECCOMP_RET_KILL.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
---
include/linux/audit.h | 39 +++++++++++++++++++++++++++++++++------
kernel/auditsc.c | 19 +++++++++++++++----
kernel/seccomp.c | 6 +++---
3 files changed, 51 insertions(+), 13 deletions(-)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index f51fca8d..8c588c3 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -85,6 +85,11 @@ struct audit_field {
u32 op;
};
+struct audit_seccomp_info {
+ int code;
+ long signr;
+};
+
extern int is_audit_feature_set(int which);
extern int __init audit_register_class(int class, unsigned *list);
@@ -243,7 +248,8 @@ extern void __audit_file(const struct file *);
extern void __audit_inode_child(struct inode *parent,
const struct dentry *dentry,
const unsigned char type);
-extern void __audit_seccomp(unsigned long syscall, long signr, int code);
+extern void __audit_seccomp(unsigned long syscall,
+ struct audit_seccomp_info *info);
extern void __audit_ptrace(struct task_struct *t);
static inline bool audit_dummy_context(void)
@@ -313,14 +319,31 @@ static inline void audit_inode_child(struct inode *parent,
}
void audit_core_dumps(long signr);
-static inline void audit_seccomp(unsigned long syscall, long signr, int code)
+static inline void audit_seccomp_signal(unsigned long syscall, long signr,
+ int code)
{
if (!audit_enabled)
return;
/* Force a record to be reported if a signal was delivered. */
- if (signr || unlikely(!audit_dummy_context()))
- __audit_seccomp(syscall, signr, code);
+ if (signr || unlikely(!audit_dummy_context())) {
+ struct audit_seccomp_info info = { .code = code,
+ .signr = signr };
+
+ __audit_seccomp(syscall, &info);
+ }
+}
+
+static inline void audit_seccomp_common(unsigned long syscall, int code)
+{
+ if (!audit_enabled)
+ return;
+
+ if (code || unlikely(!audit_dummy_context())) {
+ struct audit_seccomp_info info = { .code = code };
+
+ __audit_seccomp(syscall, &info);
+ }
}
static inline void audit_ptrace(struct task_struct *t)
@@ -485,9 +508,13 @@ static inline void audit_inode_child(struct inode *parent,
{ }
static inline void audit_core_dumps(long signr)
{ }
-static inline void __audit_seccomp(unsigned long syscall, long signr, int code)
+static inline void __audit_seccomp(unsigned long syscall,
+ struct audit_seccomp_info *info);
+{ }
+static inline void audit_seccomp_signal(unsigned long syscall, long signr,
+ int code)
{ }
-static inline void audit_seccomp(unsigned long syscall, long signr, int code)
+static inline void audit_seccomp_common(unsigned long syscall, int code)
{ }
static inline int auditsc_get_stamp(struct audit_context *ctx,
struct timespec *t, unsigned int *serial)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index cf1fa43..b3472f2 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -74,6 +74,7 @@
#include <linux/string.h>
#include <linux/uaccess.h>
#include <uapi/linux/limits.h>
+#include <uapi/linux/seccomp.h>
#include "audit.h"
@@ -2415,7 +2416,7 @@ void audit_core_dumps(long signr)
audit_log_end(ab);
}
-void __audit_seccomp(unsigned long syscall, long signr, int code)
+void __audit_seccomp(unsigned long syscall, struct audit_seccomp_info *info)
{
struct audit_buffer *ab;
@@ -2423,9 +2424,19 @@ void __audit_seccomp(unsigned long syscall, long signr, int code)
if (unlikely(!ab))
return;
audit_log_task(ab);
- audit_log_format(ab, " sig=%ld arch=%x syscall=%ld compat=%d ip=0x%lx code=0x%x",
- signr, syscall_get_arch(), syscall,
- in_compat_syscall(), KSTK_EIP(current), code);
+
+ switch (info->code) {
+ case SECCOMP_RET_KILL:
+ audit_log_format(ab, " sig=%ld", info->signr);
+ break;
+ default:
+ break;
+ }
+
+ audit_log_format(ab,
+ " arch=%x syscall=%ld compat=%d ip=0x%lx code=0x%x",
+ syscall_get_arch(), syscall, in_compat_syscall(),
+ KSTK_EIP(current), info->code);
audit_log_end(ab);
}
diff --git a/kernel/seccomp.c b/kernel/seccomp.c
index f7ce79a..54c01b6 100644
--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -532,7 +532,7 @@ static void __secure_computing_strict(int this_syscall)
#ifdef SECCOMP_DEBUG
dump_stack();
#endif
- audit_seccomp(this_syscall, SIGKILL, SECCOMP_RET_KILL);
+ audit_seccomp_signal(this_syscall, SIGKILL, SECCOMP_RET_KILL);
do_exit(SIGKILL);
}
@@ -635,14 +635,14 @@ static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd,
case SECCOMP_RET_KILL:
default:
- audit_seccomp(this_syscall, SIGSYS, action);
+ audit_seccomp_signal(this_syscall, SIGSYS, action);
do_exit(SIGSYS);
}
unreachable();
skip:
- audit_seccomp(this_syscall, 0, action);
+ audit_seccomp_common(this_syscall, action);
return -1;
}
#else
--
2.7.4
next prev parent reply other threads:[~2017-01-02 16:53 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-01-02 16:53 [PATCH 0/2] Begin auditing SECCOMP_RET_ERRNO return actions Tyler Hicks
2017-01-02 16:53 ` Tyler Hicks [this message]
2017-01-02 16:53 ` [PATCH 2/2] seccomp: Audit SECCOMP_RET_ERRNO actions with errno values Tyler Hicks
2017-01-02 17:20 ` Steve Grubb
2017-01-02 17:42 ` Tyler Hicks
2017-01-02 18:49 ` Steve Grubb
2017-01-02 22:55 ` Paul Moore
2017-01-02 22:47 ` [PATCH 0/2] Begin auditing SECCOMP_RET_ERRNO return actions Paul Moore
2017-01-03 5:56 ` Andy Lutomirski
2017-01-03 19:31 ` Paul Moore
2017-01-03 13:31 ` Tyler Hicks
2017-01-03 19:42 ` Paul Moore
2017-01-03 20:44 ` Kees Cook
2017-01-03 20:53 ` Steve Grubb
2017-01-03 20:54 ` Paul Moore
2017-01-03 21:03 ` Kees Cook
2017-01-03 21:13 ` Paul Moore
2017-01-03 21:21 ` Kees Cook
2017-01-03 21:31 ` Paul Moore
2017-01-03 21:44 ` Kees Cook
2017-01-04 1:58 ` Tyler Hicks
2017-01-04 4:43 ` Richard Guy Briggs
2017-01-04 6:31 ` Kees Cook
2017-01-04 2:04 ` Tyler Hicks
2017-01-03 5:57 ` Andy Lutomirski
2017-01-03 13:53 ` Tyler Hicks
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1483375990-14948-2-git-send-email-tyhicks@canonical.com \
--to=tyhicks@canonical.com \
--cc=eparis@redhat.com \
--cc=keescook@chromium.org \
--cc=linux-audit@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=paul@paul-moore.com \
--cc=wad@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox