From mboxrd@z Thu Jan 1 00:00:00 1970 From: Amy Griffis Subject: Re: [PATCH] collect sid of those who send {HUP, TERM, USR1} to auditd Date: Mon, 8 May 2006 16:16:58 -0400 Message-ID: <20060508201658.GA25968@zk3.dec.com> References: <20060506124502.GZ29125@devserv.devel.redhat.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Return-path: Received: from mx1.redhat.com (mx1.redhat.com [172.16.48.31]) by int-mx1.corp.redhat.com (8.12.11.20060308/8.12.11) with ESMTP id k48KH81d005770 for ; Mon, 8 May 2006 16:17:08 -0400 Received: from tayrelbas03.tay.hp.com (tayrelbas03.tay.hp.com [161.114.80.246]) by mx1.redhat.com (8.12.11.20060308/8.12.11) with ESMTP id k48KH45N016963 for ; Mon, 8 May 2006 16:17:04 -0400 Received: from tayrelint01.nz-tay.cpqcorp.net (tayrelint01.nz-tay.cpqcorp.net [16.47.5.6]) by tayrelbas03.tay.hp.com (Postfix) with ESMTP id F1D8F341C3 for ; Mon, 8 May 2006 16:16:58 -0400 (EDT) Received: from dill.zko.hp.com (dill.zko.hp.com [16.116.96.242]) by tayrelint01.nz-tay.cpqcorp.net (Postfix) with ESMTP id D3AAF34028 for ; Mon, 8 May 2006 16:16:58 -0400 (EDT) Content-Disposition: inline In-Reply-To: <20060506124502.GZ29125@devserv.devel.redhat.com> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: linux-audit@redhat.com List-Id: linux-audit@redhat.com On Sat, May 06, 2006 at 08:45:02AM -0400, Alexander Viro wrote: > Add USR1 to the set we are logging, log sid of sender, make audit_signal_info() > inlined. > > Signed-off-by: Al Viro > > --- > > include/linux/audit.h | 3 +-- > kernel/audit.c | 2 ++ > kernel/audit.h | 11 +++++++++++ > kernel/auditsc.c | 21 +++++++++++---------- > kernel/signal.c | 2 +- > 5 files changed, 26 insertions(+), 13 deletions(-) > > b0e74dd9e54eb5f81751f5cd832d1c9d1c703775 > diff --git a/include/linux/audit.h b/include/linux/audit.h > index c60e96d..103ed6d 100644 > --- a/include/linux/audit.h 
> +++ b/include/linux/audit.h > @@ -278,6 +278,7 @@ struct audit_rule { /* for AUDIT_LIST, > struct audit_sig_info { > uid_t uid; > pid_t pid; > + __u32 sid; > }; > > struct audit_buffer; > @@ -328,7 +329,6 @@ extern int audit_bprm(struct linux_binpr > extern int audit_socketcall(int nargs, unsigned long *args); > extern int audit_sockaddr(int len, void *addr); > extern int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt); > -extern void audit_signal_info(int sig, struct task_struct *t); > extern int audit_set_macxattr(const char *name); > #else > #define audit_alloc(t) ({ 0; }) > @@ -349,7 +349,6 @@ extern int audit_set_macxattr(const char > #define audit_socketcall(n,a) ({ 0; }) > #define audit_sockaddr(len, addr) ({ 0; }) > #define audit_avc_path(dentry, mnt) ({ 0; }) > -#define audit_signal_info(s,t) do { ; } while (0) > #define audit_set_macxattr(n) do { ; } while (0) > #endif > > diff --git a/kernel/audit.c b/kernel/audit.c > index 35d5db1..11aa301 100644 > --- a/kernel/audit.c > +++ b/kernel/audit.c > @@ -89,6 +89,7 @@ static int audit_backlog_wait_overflow = > /* The identity of the user shutting down the audit system. */ > uid_t audit_sig_uid = -1; > pid_t audit_sig_pid = -1; > +u32 audit_sig_sid = 0; > > /* Records can be lost in several ways: > 0) [suppressed in audit_alloc] > @@ -614,6 +615,7 @@ static int audit_receive_msg(struct sk_b > case AUDIT_SIGNAL_INFO: > sig_data.uid = audit_sig_uid; > sig_data.pid = audit_sig_pid; > + sig_data.sid = audit_sig_sid; > audit_send_reply(NETLINK_CB(skb).pid, seq, AUDIT_SIGNAL_INFO, > 0, 0, &sig_data, sizeof(sig_data)); > break; Shouldn't you translate the sid to its string representation before sending to userspace? > diff --git a/kernel/audit.h b/kernel/audit.h > index 8948fc1..52cb1e3 100644 > --- a/kernel/audit.h > +++ b/kernel/audit.h 
> @@ -101,3 +101,14 @@ struct audit_netlink_list { > int audit_send_list(void *); > > extern int selinux_audit_rule_update(void); > + > +#ifdef CONFIG_AUDITSYSCALL > +extern void __audit_signal_info(int sig, struct task_struct *t); > +static inline void audit_signal_info(int sig, struct task_struct *t) > +{ > + if (unlikely(audit_pid && t->tgid == audit_pid)) > + __audit_signal_info(sig, t); > +} > +#else > +#define audit_signal_info(s,t) > +#endif > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > index 114f921..4ca913d 100644 > --- a/kernel/auditsc.c > +++ b/kernel/auditsc.c > @@ -1376,19 +1376,20 @@ int audit_avc_path(struct dentry *dentry > * If the audit subsystem is being terminated, record the task (pid) > * and uid that is doing that. > */ > -void audit_signal_info(int sig, struct task_struct *t) > +void __audit_signal_info(int sig, struct task_struct *t) > { > extern pid_t audit_sig_pid; > extern uid_t audit_sig_uid; > + extern u32 audit_sig_sid; > > - if (unlikely(audit_pid && t->tgid == audit_pid)) { > - if (sig == SIGTERM || sig == SIGHUP) { > - struct audit_context *ctx = current->audit_context; > - audit_sig_pid = current->pid; > - if (ctx) > - audit_sig_uid = ctx->loginuid; > - else > - audit_sig_uid = current->uid; > - } > + if (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1) { > + struct task_struct *tsk = current; > + struct audit_context *ctx = tsk->audit_context; > + audit_sig_pid = tsk->pid; > + if (ctx) > + audit_sig_uid = ctx->loginuid; > + else > + audit_sig_uid = tsk->uid; > + selinux_get_task_sid(tsk, &audit_sig_sid); > } > } > diff --git a/kernel/signal.c b/kernel/signal.c > index e5f8aea..1b3c921 100644 > --- a/kernel/signal.c > +++ b/kernel/signal.c 
> @@ -23,12 +23,12 @@ > #include > #include > #include > -#include > #include > #include > #include > #include > #include > +#include "audit.h" /* audit_signal_info() */ > > /* > * SLAB caches for signal bits. > -- > 0.99.9.GIT > > -- > Linux-audit mailing list > Linux-audit@redhat.com > https://www.redhat.com/mailman/listinfo/linux-audit >
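Review bot: in the include/linux/audit.h hunk at struct audit_sig_info, the new `__u32 sid;` member grows a structure that the kernel/audit.c hunk copies to userspace with `sizeof(sig_data)`, so the AUDIT_SIGNAL_INFO reply changes length for every existing reader. The changelog should state this, and say what a reader built against the two-field layout is expected to do with the longer payload. A one-line comment on the field saying what the value identifies would also help, since `uid` and `pid` are self-explanatory to userspace and `sid` is not.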
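Review bot: in the kernel/audit.h hunk, the `#else` stub `#define audit_signal_info(s,t)` expands to nothing, whereas the stub removed from include/linux/audit.h was `do { ; } while (0)`. Keep the do/while form, or use an empty static inline, so that the call remains a real statement when CONFIG_AUDITSYSCALL is off. The new inline also tests `audit_pid`, and nothing in this hunk shows it being declared in kernel/audit.h; since kernel/signal.c now includes this header, check that it is declared before the inline.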
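Review bot: in the kernel/auditsc.c hunk, `audit_sig_pid`, `audit_sig_uid` and `audit_sig_sid` are written by three separate statements with no serialisation visible here, and audit_receive_msg() reads them the same way, so with SIGUSR1 now widening the set of recorded signals a reply can pair one sender's pid with another sender's sid. Either take a lock around the update and the read, or note in the comment why a mixed record is acceptable. The comment above the function still reads "If the audit subsystem is being terminated, record the task (pid) and uid", which no longer covers SIGUSR1 or the sid, and the added `extern u32 audit_sig_sid;` inside the function body belongs in kernel/audit.h, which this patch already touches.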