Re: [PATCH] security: lsm_audit: print pid and tid

Linux-audit Archive on lore.kernel.org
 help / color / mirror / Atom feed

From: Steve Grubb <sgrubb@redhat.com>
To: Paul Moore <paul@paul-moore.com>
Cc: Jeff Vander Stoep <jeffv@google.com>,
	linux-audit@redhat.com, selinux@tycho.nsa.gov
Subject: Re: [PATCH] security: lsm_audit: print pid and tid
Date: Tue, 30 Aug 2016 11:03:53 -0400	[thread overview]
Message-ID: <1761452.xxMEsoZRlS@x2> (raw)
In-Reply-To: <CAHC9VhS=odoi8NFFGP36VAMcL_Gbbin+0pyTj-MNcsPZKit0GQ@mail.gmail.com>

On Wednesday, August 17, 2016 4:58:02 PM EDT Paul Moore wrote:
> On Tue, Jul 26, 2016 at 10:54 AM, Jeff Vander Stoep <jeffv@google.com> wrote:
> > dump_common_audit_data() currently contains a field for pid, but the
> > value printed is actually the thread ID, tid. Update this value to
> > return the task group ID. Add a new field for tid. With this change
> > the values printed by audit now match the values returned by the
> > getpid() and gettid() syscalls.
> > 
> > Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
> > ---
> > 
> >  security/lsm_audit.c | 7 +++++--
> >  1 file changed, 5 insertions(+), 2 deletions(-)
> 
> Hi Jeff,
> 
> Have you tested this against the audit-testsuite[1]?  We don't have an
> explicit PID test yet, but at least two of the tests do test it as a
> side effect.
> 
> Steve, I don't see the thread ID listed in the field dictionary, are
> you okay with using "tid" for this?

Yes. Can someone add both?

> However, as far as I can see, the biggest problem with this patch is
> that it adds a field in the middle of a record which will likely cause
> the audit userspace tools to explode (or so I've been warned in the
> past).  Steve, what say you about the userspace?

This is OK. After picking out pid, search utiliies scan for comm. They will 
just skip over the new field. If fields that we normally search change order, 
then we have a problem.

So, ACK on my end.

-Steve

> [1] https://github.com/linux-audit/audit-testsuite
> [2]
> https://github.com/linux-audit/audit-documentation/blob/master/specs/fields
> /field-dictionary.csv
> > diff --git a/security/lsm_audit.c b/security/lsm_audit.c
> > index cccbf30..57f26c1 100644
> > --- a/security/lsm_audit.c
> > +++ b/security/lsm_audit.c
> > @@ -220,7 +220,8 @@ static void dump_common_audit_data(struct audit_buffer
> > *ab,> 
> >          */
> >         
> >         BUILD_BUG_ON(sizeof(a->u) > sizeof(void *)*2);
> > 
> > -       audit_log_format(ab, " pid=%d comm=", task_pid_nr(current));
> > +       audit_log_format(ab, " pid=%d tid=%d comm=", task_tgid_vnr(tsk),
> > +                       task_pid_vnr(tsk));
> > 
> >         audit_log_untrustedstring(ab, memcpy(comm, current->comm,
> >         sizeof(comm)));
> >         
> >         switch (a->type) {
> > 
> > @@ -294,10 +295,12 @@ static void dump_common_audit_data(struct
> > audit_buffer *ab,> 
> >         case LSM_AUDIT_DATA_TASK: {
> >         
> >                 struct task_struct *tsk = a->u.tsk;
> >                 if (tsk) {
> > 
> > -                       pid_t pid = task_pid_nr(tsk);
> > +                       pid_t pid = task_tgid_vnr(tsk);
> > 
> >                         if (pid) {
> >                         
> >                                 char comm[sizeof(tsk->comm)];
> >                                 audit_log_format(ab, " opid=%d ocomm=",
> >                                 pid);
> > 
> > +                               audit_log_format(ab, " opid=%d otid=%d
> > ocomm=", +                                               pid,
> > task_pid_vnr(tsk));> 
> >                                 audit_log_untrustedstring(ab,
> >                                 
> >                                     memcpy(comm, tsk->comm,
> >                                     sizeof(comm)));
> >                         
> >                         }

next prev parent reply	other threads:[~2016-08-30 15:03 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-07-26 14:54 [PATCH] security: lsm_audit: print pid and tid Jeff Vander Stoep
2016-08-17 20:58 ` Paul Moore
2016-08-18  5:56   ` Richard Guy Briggs
2016-08-18 12:55     ` Paul Moore
2016-08-29 22:42   ` Paul Moore
2016-08-30 15:03   ` Steve Grubb [this message]
2016-08-30 20:18     ` Paul Moore
     [not found] ` <1469544870-11574-1-git-send-email-jeffv-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
2016-08-30 20:56   ` Paul Moore

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1761452.xxMEsoZRlS@x2 \
    --to=sgrubb@redhat.com \
    --cc=jeffv@google.com \
    --cc=linux-audit@redhat.com \
    --cc=paul@paul-moore.com \
    --cc=selinux@tycho.nsa.gov \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox