From mboxrd@z Thu Jan 1 00:00:00 1970 From: Alexander Viro Subject: audit-ptrace patch (untested) Date: Mon, 5 Mar 2007 09:50:25 -0500 Message-ID: <20070305145025.GC19390@devserv.devel.redhat.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Return-path: Received: from devserv.devel.redhat.com (devserv.devel.redhat.com [172.16.58.1]) by int-mx1.corp.redhat.com (8.13.1/8.13.1) with ESMTP id l25EoUWw005907 for ; Mon, 5 Mar 2007 09:50:30 -0500 Received: from devserv.devel.redhat.com (localhost.localdomain [127.0.0.1]) by devserv.devel.redhat.com (8.12.11.20060308/8.12.11) with ESMTP id l25EoUDW007538 for ; Mon, 5 Mar 2007 09:50:30 -0500 Received: (from aviro@localhost) by devserv.devel.redhat.com (8.12.11.20060308/8.12.11/Submit) id l25EoUGR007530 for linux-audit@redhat.com; Mon, 5 Mar 2007 09:50:30 -0500 Content-Disposition: inline List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: linux-audit@redhat.com List-Id: linux-audit@redhat.com That one is on top of security_getprocattr() patch. See bz#228384... diff --git a/include/linux/audit.h b/include/linux/audit.h index 229fa01..cce8b6c 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -90,6 +90,7 @@ #define AUDIT_MQ_GETSETATTR 1315 /* POSIX MQ get/set attribute record type */ #define AUDIT_KERNEL_OTHER 1316 /* For use by 3rd party modules */ #define AUDIT_FD_PAIR 1317 /* audit record for pipe/socketpair */ +#define AUDIT_OBJ_PID 1318 /* ptrace target */ #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */ #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */ 
@@ -351,6 +352,8 @@ extern void __audit_inode(const char *name, const struct inode *inode); extern void __audit_inode_child(const char *dname, const struct inode *inode, const struct inode *parent); extern void __audit_inode_update(const struct inode *inode); +extern void __audit_ptrace(struct task_struct *t); + static inline int audit_dummy_context(void) { void *p = current->audit_context; @@ -376,6 +379,12 @@ static inline void audit_inode_update(const struct inode *inode) { __audit_inode_update(inode); } +static inline void audit_ptrace(struct task_struct *t) +{ + if (unlikely(!audit_dummy_context())) + __audit_ptrace(t); +} + /* Private API (for audit.c only) */ extern unsigned int audit_serial(void); extern void auditsc_get_stamp(struct audit_context *ctx, @@ -476,6 +485,7 @@ extern int audit_n_rules; #define audit_mq_timedreceive(d,l,p,t) ({ 0; }) #define audit_mq_notify(d,n) ({ 0; }) #define audit_mq_getsetattr(d,s) ({ 0; }) +#define audit_ptrace(t) ((void)0) #define audit_n_rules 0 #endif diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 89875b2..c8465ea 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -209,6 +209,9 @@ struct audit_context { unsigned long personality; int arch; + pid_t target_pid; + char * obj_ctx; + #if AUDIT_DEBUG int put_count; int ino_count; @@ -729,6 +732,7 @@ static inline void audit_free_context(struct audit_context *context) audit_free_names(context); audit_free_aux(context); kfree(context->filterkey); + kfree(context->obj_ctx); kfree(context); context = previous; } while (context); @@ -967,6 +971,13 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts audit_log_end(ab); } + if (context->obj_ctx) { + ab =audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID); + audit_log_format(ab, "opid=%d obj=%s", + context->target_pid, context->obj_ctx); + audit_log_end(ab); + } + if (context->pwd && context->pwdmnt) { ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD); if (ab) { 
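Review bot: The new `char * obj_ctx;` member added to struct audit_context puts a space between the `*` and the name, unlike the other pointer declarations visible in this patch (`char *obj_ctx;` is the kernel form), and neither new field says what it holds. I would write them as `pid_t target_pid; /* pid of the ptrace target recorded by __audit_ptrace() */` and `char *obj_ctx; /* target's security context string, heap-allocated, freed with kfree() */`. The struct definition starts and ends outside this hunk.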
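Review bot: The new AUDIT_OBJ_PID record in audit_log_exit() is emitted only when `context->obj_ctx` is non-NULL, so on a kernel whose LSM supplies no "current" attribute (where security_getprocattr() presumably fails and leaves obj_ctx NULL) the target pid that __audit_ptrace() stored is never logged at all. Gate the record on `context->target_pid` and make the obj= field optional, as below; this only works together with zeroing target_pid in the context-recycling path of audit_syscall_exit() (the hunk there clears obj_ctx but not target_pid), otherwise a stale pid would be reported on later syscalls. While here, the call uses audit_log_start()'s result without the `if (ab)` guard that the AUDIT_CWD block immediately after it applies, and `ab =audit_log_start` is missing a space; the audit helpers may tolerate a NULL buffer, but matching the neighbouring pattern keeps the function uniform. audit_log_exit() starts and ends outside this hunk.
```c
	if (context->target_pid) {
		ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID);
		if (ab) {
			audit_log_format(ab, "opid=%d", context->target_pid);
			if (context->obj_ctx)
				audit_log_format(ab, " obj=%s", context->obj_ctx);
			audit_log_end(ab);
		}
	}
	/* … unchanged: AUDIT_CWD record … */
```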
@@ -1187,6 +1198,8 @@ void audit_syscall_exit(int valid, long return_code) } else { audit_free_names(context); audit_free_aux(context); + kfree(context->obj_ctx); + context->obj_ctx = NULL; kfree(context->filterkey); context->filterkey = NULL; tsk->audit_context = context; @@ -1874,6 +1887,13 @@ int audit_sockaddr(int len, void *a) return 0; } +void __audit_ptrace(struct task_struct *t) +{ + struct audit_context *context = current->audit_context; + context->target_pid = t->pid; + security_getprocattr(t, "current", &context->obj_ctx); +} + /** * audit_avc_path - record the granting or denial of permissions * @dentry: dentry to record diff --git a/kernel/ptrace.c b/kernel/ptrace.c index 4d50e06..ad7949a 100644 --- a/kernel/ptrace.c +++ b/kernel/ptrace.c @@ -18,6 +18,7 @@ #include #include #include +#include #include #include @@ -161,6 +162,8 @@ int ptrace_attach(struct task_struct *task) { int retval; + audit_ptrace(task); + retval = -EPERM; if (task->pid <= 1) goto out;
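Review bot: When audit_syscall_exit() recycles the context (`tsk->audit_context = context;`), the hunk frees and clears `obj_ctx` but leaves `target_pid` holding the pid from the previous ptrace call. Today that is masked because the AUDIT_OBJ_PID record is gated on obj_ctx, but any change to that gating would report a stale target on every later syscall of the process, so the two fields should be reset together: add `context->target_pid = 0;` next to the obj_ctx reset. audit_syscall_exit() starts and ends outside this hunk.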
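Review bot: `__audit_ptrace()` ignores the return value of security_getprocattr() and writes into `context->obj_ctx` unconditionally, so a context string already stored there (should the hook ever run twice within one syscall) is leaked, and on failure obj_ctx keeps whatever the hook left in it. I would free and clear the old value first, `kfree(context->obj_ctx); context->obj_ctx = NULL;`, and keep the new one only on success, `if (security_getprocattr(t, "current", &context->obj_ctx) < 0) context->obj_ctx = NULL;`. Separately, security_getprocattr() is the hook behind /proc/PID/attr reads; if the implementation still applies the LSM's getattr permission check to a foreign task (the SELinux hook does for procfs), auditing an attach will itself trigger an access check and possibly an AVC denial against the target, which a hook that only reads the task's context would avoid. Whether the reworked hook referenced in the preamble (bz#228384) behaves that way is not visible here.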
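Review bot: `audit_ptrace(task)` is placed at the very top of ptrace_attach(), ahead of the `task->pid <= 1` rejection and the permission checks that follow, so the target is recorded for refused and self-attach attempts as well as successful ones; that looks intentional but nothing says so. A one-line comment would stop the next reader from "fixing" it: `/* record the target before any check below so refused attaches are audited too */`. The function continues past the end of the hunk.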