[PATCH 1/1] Added exe field to audit core dump signal log

[PATCH 1/1] Added exe field to audit core dump signal log

[Paul Davies C]

Currently when the coredump signals are logged by the audit system , the
actual path to the executable is not logged. Without details of exe , the
system admin may not have an exact idea on what program failed.

This patch changes the audit_log_task() so that the path to the exe is also
logged.

Signed-off-by: Paul Davies C <pauldaviesc@gmail.com>
---
 kernel/auditsc.c |    7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 9845cb3..988de72 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2353,6 +2353,7 @@ static void audit_log_task(struct audit_buffer *ab)
 	kuid_t auid, uid;
 	kgid_t gid;
 	unsigned int sessionid;
+	struct mm_struct *mm = current->mm;
 
 	auid = audit_get_loginuid(current);
 	sessionid = audit_get_sessionid(current);
@@ -2366,6 +2367,12 @@ static void audit_log_task(struct audit_buffer *ab)
 	audit_log_task_context(ab);
 	audit_log_format(ab, " pid=%d comm=", current->pid);
 	audit_log_untrustedstring(ab, current->comm);
+	if (mm) {
+		down_read(&mm->mmap_sem);
+		if (mm->exe_file)
+			audit_log_d_path(ab, " exe=", &mm->exe_file->f_path);
+		up_read(&mm->mmap_sem);
+	}
 }
 
 static void audit_log_abend(struct audit_buffer *ab, char *reason, long signr)
-- 
1.7.9.5

Re: [PATCH 1/1] Added exe field to audit core dump signal log

[Richard Guy Briggs]

On Thu, Nov 14, 2013 at 08:56:57AM +0530, Paul Davies C wrote:
> Currently when the coredump signals are logged by the audit system , the
> actual path to the executable is not logged. Without details of exe , the
> system admin may not have an exact idea on what program failed.
> 
> This patch changes the audit_log_task() so that the path to the exe is also
> logged.

Out of curiosity, on which platform are you observing this?  This sounds
related to Bill Roberts' recent cmdline patches.

I also wonder how reliable this is, or whether it could have been 
changed from under us by deletion or rename after invocation.

This BZ sounds related:
	https://bugzilla.redhat.com/show_bug.cgi?id=837856
	https://bugzilla.redhat.com/show_bug.cgi?id=831684

> Signed-off-by: Paul Davies C <pauldaviesc@gmail.com>
> ---
>  kernel/auditsc.c |    7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 9845cb3..988de72 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -2353,6 +2353,7 @@ static void audit_log_task(struct audit_buffer *ab)
>  	kuid_t auid, uid;
>  	kgid_t gid;
>  	unsigned int sessionid;
> +	struct mm_struct *mm = current->mm;
>  
>  	auid = audit_get_loginuid(current);
>  	sessionid = audit_get_sessionid(current);
> @@ -2366,6 +2367,12 @@ static void audit_log_task(struct audit_buffer *ab)
>  	audit_log_task_context(ab);
>  	audit_log_format(ab, " pid=%d comm=", current->pid);
>  	audit_log_untrustedstring(ab, current->comm);
> +	if (mm) {
> +		down_read(&mm->mmap_sem);
> +		if (mm->exe_file)
> +			audit_log_d_path(ab, " exe=", &mm->exe_file->f_path);
> +		up_read(&mm->mmap_sem);
> +	}
>  }
>  
>  static void audit_log_abend(struct audit_buffer *ab, char *reason, long signr)
> -- 
> 1.7.9.5

- RGB

--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545

Re: [PATCH 1/1] Added exe field to audit core dump signal log

[William Roberts]

On Wed, Nov 20, 2013 at 1:47 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
> On Thu, Nov 14, 2013 at 08:56:57AM +0530, Paul Davies C wrote:
>> Currently when the coredump signals are logged by the audit system , the
>> actual path to the executable is not logged. Without details of exe , the
>> system admin may not have an exact idea on what program failed.
>>
>> This patch changes the audit_log_task() so that the path to the exe is also
>> logged.
>
> Out of curiosity, on which platform are you observing this?  This sounds
> related to Bill Roberts' recent cmdline patches.

I don't think this is related, looks to me like he want the exe file that
started it. Where as I want some abstract field that was set by the VM
at application invocation.

>
> I also wonder how reliable this is, or whether it could have been
> changed from under us by deletion or rename after invocation.

I don't think paths can ever be trusted 100%... I'm thinking chroots and
namespaces might alter what the path is.

>
> This BZ sounds related:
>         https://bugzilla.redhat.com/show_bug.cgi?id=837856
>         https://bugzilla.redhat.com/show_bug.cgi?id=831684
>
>> Signed-off-by: Paul Davies C <pauldaviesc@gmail.com>
>> ---
>>  kernel/auditsc.c |    7 +++++++
>>  1 file changed, 7 insertions(+)
>>
>> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
>> index 9845cb3..988de72 100644
>> --- a/kernel/auditsc.c
>> +++ b/kernel/auditsc.c
>> @@ -2353,6 +2353,7 @@ static void audit_log_task(struct audit_buffer *ab)
>>       kuid_t auid, uid;
>>       kgid_t gid;
>>       unsigned int sessionid;
>> +     struct mm_struct *mm = current->mm;
Why wouldn't we use:
get_task_mm(current)
>>
>>       auid = audit_get_loginuid(current);
>>       sessionid = audit_get_sessionid(current);
>> @@ -2366,6 +2367,12 @@ static void audit_log_task(struct audit_buffer *ab)
>>       audit_log_task_context(ab);
>>       audit_log_format(ab, " pid=%d comm=", current->pid);
>>       audit_log_untrustedstring(ab, current->comm);
>> +     if (mm) {

if using get_task_mm() drop below

>> +             down_read(&mm->mmap_sem);
>> +             if (mm->exe_file)
>> +                     audit_log_d_path(ab, " exe=", &mm->exe_file->f_path);

if using get_task_mm() change below to mmput(mm);

>> +             up_read(&mm->mmap_sem);
>> +     }
>>  }
>>
>>  static void audit_log_abend(struct audit_buffer *ab, char *reason, long signr)
>> --
>> 1.7.9.5
>
> - RGB
>
> --
> Richard Guy Briggs <rbriggs@redhat.com>
> Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
> Remote, Ottawa, Canada
> Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit



-- 
Respectfully,

William C Roberts

Re: [PATCH 1/1] Added exe field to audit core dump signal log

[William Roberts]

On Wed, Nov 20, 2013 at 2:03 PM, William Roberts
<bill.c.roberts@gmail.com> wrote:
> On Wed, Nov 20, 2013 at 1:47 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
>> On Thu, Nov 14, 2013 at 08:56:57AM +0530, Paul Davies C wrote:
>>> Currently when the coredump signals are logged by the audit system , the
>>> actual path to the executable is not logged. Without details of exe , the
>>> system admin may not have an exact idea on what program failed.
>>>
>>> This patch changes the audit_log_task() so that the path to the exe is also
>>> logged.
>>
>> Out of curiosity, on which platform are you observing this?  This sounds
>> related to Bill Roberts' recent cmdline patches.
>
> I don't think this is related, looks to me like he want the exe file that
> started it. Where as I want some abstract field that was set by the VM
> at application invocation.
>
>>
>> I also wonder how reliable this is, or whether it could have been
>> changed from under us by deletion or rename after invocation.
>
> I don't think paths can ever be trusted 100%... I'm thinking chroots and
> namespaces might alter what the path is.
>
>>
>> This BZ sounds related:
>>         https://bugzilla.redhat.com/show_bug.cgi?id=837856
>>         https://bugzilla.redhat.com/show_bug.cgi?id=831684
>>
>>> Signed-off-by: Paul Davies C <pauldaviesc@gmail.com>
>>> ---
>>>  kernel/auditsc.c |    7 +++++++
>>>  1 file changed, 7 insertions(+)
>>>
>>> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
>>> index 9845cb3..988de72 100644
>>> --- a/kernel/auditsc.c
>>> +++ b/kernel/auditsc.c
>>> @@ -2353,6 +2353,7 @@ static void audit_log_task(struct audit_buffer *ab)
>>>       kuid_t auid, uid;
>>>       kgid_t gid;
>>>       unsigned int sessionid;
>>> +     struct mm_struct *mm = current->mm;
> Why wouldn't we use:
> get_task_mm(current)
>>>
>>>       auid = audit_get_loginuid(current);
>>>       sessionid = audit_get_sessionid(current);
>>> @@ -2366,6 +2367,12 @@ static void audit_log_task(struct audit_buffer *ab)
>>>       audit_log_task_context(ab);
>>>       audit_log_format(ab, " pid=%d comm=", current->pid);
>>>       audit_log_untrustedstring(ab, current->comm);
>>> +     if (mm) {
>
> if using get_task_mm() drop below
>
>>> +             down_read(&mm->mmap_sem);
>>> +             if (mm->exe_file)
>>> +                     audit_log_d_path(ab, " exe=", &mm->exe_file->f_path);
>
> if using get_task_mm() change below to mmput(mm);
>
>>> +             up_read(&mm->mmap_sem);
>>> +     }
>>>  }
>>>

<snip>
One other thing that I know Steve Grubb is picky on, is the field
still needs to be there even if mm is null. We can't have
disappearing fields. On error conditions, I've been doing
<fieldname>=(null) on my patches.

Re: [PATCH 1/1] Added exe field to audit core dump signal log

[Richard Guy Briggs]

On Wed, Nov 20, 2013 at 02:03:01PM -0800, William Roberts wrote:
> On Wed, Nov 20, 2013 at 1:47 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
> > On Thu, Nov 14, 2013 at 08:56:57AM +0530, Paul Davies C wrote:
> >> Currently when the coredump signals are logged by the audit system , the
> >> actual path to the executable is not logged. Without details of exe , the
> >> system admin may not have an exact idea on what program failed.
> >>
> >> This patch changes the audit_log_task() so that the path to the exe is also
> >> logged.
> >
> > Out of curiosity, on which platform are you observing this?  This sounds
> > related to Bill Roberts' recent cmdline patches.
> 
> I don't think this is related, looks to me like he want the exe file that
> started it. Where as I want some abstract field that was set by the VM
> at application invocation.

I pulled the trigger on send a bit too fast...

I see now where that code came from...  It was copied from
audit_log_task_info().

> >> Signed-off-by: Paul Davies C <pauldaviesc@gmail.com>
> >> +     struct mm_struct *mm = current->mm;
> Why wouldn't we use:
> get_task_mm(current)

That may be a bit heavy for this usage since we are in the current
context.

> >>       auid = audit_get_loginuid(current);
> >>       sessionid = audit_get_sessionid(current);
> >> @@ -2366,6 +2367,12 @@ static void audit_log_task(struct audit_buffer *ab)
> >>       audit_log_task_context(ab);
> >>       audit_log_format(ab, " pid=%d comm=", current->pid);
> >>       audit_log_untrustedstring(ab, current->comm);
> >> +     if (mm) {
> 
> if using get_task_mm() drop below
> 
> >> +             down_read(&mm->mmap_sem);
> >> +             if (mm->exe_file)
> >> +                     audit_log_d_path(ab, " exe=", &mm->exe_file->f_path);
> 
> if using get_task_mm() change below to mmput(mm);
> 
> >> +             up_read(&mm->mmap_sem);
> >> +     }
> >
> > - RGB
> 
> William C Roberts

- RGB

--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545

Re: [PATCH 1/1] Added exe field to audit core dump signal log

[Richard Guy Briggs]

On Wed, Nov 20, 2013 at 02:07:58PM -0800, William Roberts wrote:
> On Wed, Nov 20, 2013 at 2:03 PM, William Roberts
> <bill.c.roberts@gmail.com> wrote:
> > On Wed, Nov 20, 2013 at 1:47 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
> >> On Thu, Nov 14, 2013 at 08:56:57AM +0530, Paul Davies C wrote:
> >>> +     if (mm) {
> >>> +             down_read(&mm->mmap_sem);
> >>> +             if (mm->exe_file)
> >>> +                     audit_log_d_path(ab, " exe=", &mm->exe_file->f_path);
> >>> +             up_read(&mm->mmap_sem);
> >>> +     }
> 
> <snip>
> One other thing that I know Steve Grubb is picky on, is the field
> still needs to be there even if mm is null. We can't have
> disappearing fields. On error conditions, I've been doing
> <fieldname>=(null) on my patches.

Agreed.

- RGB

--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545

Re: [PATCH 1/1] Added exe field to audit core dump signal log

[Steve Grubb]

Hello Paul Moore,

Looks like this patch never got picked up. I think we should apply it.

-Steve

On Thursday, November 14, 2013 08:56:57 AM Paul Davies C wrote:
> Currently when the coredump signals are logged by the audit system , the
> actual path to the executable is not logged. Without details of exe , the
> system admin may not have an exact idea on what program failed.
> 
> This patch changes the audit_log_task() so that the path to the exe is also
> logged.
> 
> Signed-off-by: Paul Davies C <pauldaviesc@gmail.com>
> ---
>  kernel/auditsc.c |    7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 9845cb3..988de72 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -2353,6 +2353,7 @@ static void audit_log_task(struct audit_buffer *ab)
>  	kuid_t auid, uid;
>  	kgid_t gid;
>  	unsigned int sessionid;
> +	struct mm_struct *mm = current->mm;
> 
>  	auid = audit_get_loginuid(current);
>  	sessionid = audit_get_sessionid(current);
> @@ -2366,6 +2367,12 @@ static void audit_log_task(struct audit_buffer *ab)
>  	audit_log_task_context(ab);
>  	audit_log_format(ab, " pid=%d comm=", current->pid);
>  	audit_log_untrustedstring(ab, current->comm);
> +	if (mm) {
> +		down_read(&mm->mmap_sem);
> +		if (mm->exe_file)
> +			audit_log_d_path(ab, " exe=", &mm->exe_file->f_path);
> +		up_read(&mm->mmap_sem);
> +	}
>  }
> 
>  static void audit_log_abend(struct audit_buffer *ab, char *reason, long
> signr)

Re: [PATCH 1/1] Added exe field to audit core dump signal log

[Paul Moore]

On Wednesday, July 08, 2015 04:28:06 PM Steve Grubb wrote:
> Hello Paul Moore,
> 
> Looks like this patch never got picked up. I think we should apply it.

Thanks for finding this; did you run into this problem?

Since this was posted back in 2013 it would be nice if someone could do a 
quick sanity test to show that 1) the problem still exists on current kernels 
and 2) the patch below fixes it.  You get extra credit if you show your work.

The reproducer should be trivial; I'm just dealing with some other issues 
these next few days.

> On Thursday, November 14, 2013 08:56:57 AM Paul Davies C wrote:
> > Currently when the coredump signals are logged by the audit system , the
> > actual path to the executable is not logged. Without details of exe , the
> > system admin may not have an exact idea on what program failed.
> > 
> > This patch changes the audit_log_task() so that the path to the exe is
> > also
> > logged.
> > 
> > Signed-off-by: Paul Davies C <pauldaviesc@gmail.com>
> > ---
> > 
> >  kernel/auditsc.c |    7 +++++++
> >  1 file changed, 7 insertions(+)
> > 
> > diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> > index 9845cb3..988de72 100644
> > --- a/kernel/auditsc.c
> > +++ b/kernel/auditsc.c
> > @@ -2353,6 +2353,7 @@ static void audit_log_task(struct audit_buffer *ab)
> > 
> >  	kuid_t auid, uid;
> >  	kgid_t gid;
> >  	unsigned int sessionid;
> > 
> > +	struct mm_struct *mm = current->mm;
> > 
> >  	auid = audit_get_loginuid(current);
> >  	sessionid = audit_get_sessionid(current);
> > 
> > @@ -2366,6 +2367,12 @@ static void audit_log_task(struct audit_buffer *ab)
> > 
> >  	audit_log_task_context(ab);
> >  	audit_log_format(ab, " pid=%d comm=", current->pid);
> >  	audit_log_untrustedstring(ab, current->comm);
> > 
> > +	if (mm) {
> > +		down_read(&mm->mmap_sem);
> > +		if (mm->exe_file)
> > +			audit_log_d_path(ab, " exe=", &mm->exe_file->f_path);
> > +		up_read(&mm->mmap_sem);
> > +	}
> > 
> >  }
> >  
> >  static void audit_log_abend(struct audit_buffer *ab, char *reason, long
> > 
> > signr)

-- 
paul moore
security @ redhat

Re: [PATCH 1/1] Added exe field to audit core dump signal log

[Steve Grubb]

On Wednesday, July 08, 2015 04:50:27 PM Paul Moore wrote:
> On Wednesday, July 08, 2015 04:28:06 PM Steve Grubb wrote:
> > Hello Paul Moore,
> > 
> > Looks like this patch never got picked up. I think we should apply it.
> 
> Thanks for finding this; did you run into this problem?

I was going through old email trying to clear my backlog and saw this
one marked for follow up at some point.


> Since this was posted back in 2013 it would be nice if someone could do a
> quick sanity test to show that 1) the problem still exists on current
> kernels and

This is the function in question:

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/kernel/auditsc.c?id=refs/tags/v4.2-rc1#n2357

Actually, I missed the call to audit_log_d_path_exe() because I was looking
for exe= in the logging string ...so its already fixed.

Sorry for the noise.  :-)

-Steve

> 2) the patch below fixes it.  You get extra credit if you show
> your work.
>
> The reproducer should be trivial; I'm just dealing with some other issues
> these next few days.
> 
> > On Thursday, November 14, 2013 08:56:57 AM Paul Davies C wrote:
> > > Currently when the coredump signals are logged by the audit system , the
> > > actual path to the executable is not logged. Without details of exe ,
> > > the
> > > system admin may not have an exact idea on what program failed.
> > > 
> > > This patch changes the audit_log_task() so that the path to the exe is
> > > also
> > > logged.
> > > 
> > > Signed-off-by: Paul Davies C <pauldaviesc@gmail.com>
> > > ---
> > > 
> > >  kernel/auditsc.c |    7 +++++++
> > >  1 file changed, 7 insertions(+)
> > > 
> > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> > > index 9845cb3..988de72 100644
> > > --- a/kernel/auditsc.c
> > > +++ b/kernel/auditsc.c
> > > @@ -2353,6 +2353,7 @@ static void audit_log_task(struct audit_buffer
> > > *ab)
> > > 
> > >  	kuid_t auid, uid;
> > >  	kgid_t gid;
> > >  	unsigned int sessionid;
> > > 
> > > +	struct mm_struct *mm = current->mm;
> > > 
> > >  	auid = audit_get_loginuid(current);
> > >  	sessionid = audit_get_sessionid(current);
> > > 
> > > @@ -2366,6 +2367,12 @@ static void audit_log_task(struct audit_buffer
> > > *ab)
> > > 
> > >  	audit_log_task_context(ab);
> > >  	audit_log_format(ab, " pid=%d comm=", current->pid);
> > >  	audit_log_untrustedstring(ab, current->comm);
> > > 
> > > +	if (mm) {
> > > +		down_read(&mm->mmap_sem);
> > > +		if (mm->exe_file)
> > > +			audit_log_d_path(ab, " exe=", &mm->exe_file->f_path);
> > > +		up_read(&mm->mmap_sem);
> > > +	}
> > > 
> > >  }
> > >  
> > >  static void audit_log_abend(struct audit_buffer *ab, char *reason, long
> > > 
> > > signr)