From: Eric Paris <eparis@redhat.com>
To: linux-audit@redhat.com
Cc: viro@zeniv.linux.org.uk
Subject: [PATCH 05/26] seccomp: audit abnormal end to a process due to seccomp
Date: Thu, 17 Nov 2011 17:03:07 -0500 [thread overview]
Message-ID: <20111117220307.23481.21729.stgit@paris.rdu.redhat.com> (raw)
In-Reply-To: <20111117220244.23481.96785.stgit@paris.rdu.redhat.com>
The audit system likes to collect information about processes that end
abnormally (SIGSEGV) as this may me useful intrusion detection information.
This patch adds audit support to collect information when seccomp forces a
task to exit because of misbehavior in a similar way.
Signed-off-by: Eric Paris <eparis@redhat.com>
---
include/linux/audit.h | 8 ++++++++
kernel/auditsc.c | 50 ++++++++++++++++++++++++++++---------------------
kernel/seccomp.c | 2 ++
3 files changed, 39 insertions(+), 21 deletions(-)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 2f81c6f..24851b5 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -430,6 +430,7 @@ extern void audit_putname(const char *name);
extern void __audit_inode(const char *name, const struct dentry *dentry);
extern void __audit_inode_child(const struct dentry *dentry,
const struct inode *parent);
+extern void __audit_seccomp(unsigned long syscall);
extern void __audit_ptrace(struct task_struct *t);
static inline int audit_dummy_context(void)
@@ -453,6 +454,12 @@ static inline void audit_inode_child(const struct dentry *dentry,
}
void audit_core_dumps(long signr);
+static inline void audit_seccomp(unsigned long syscall)
+{
+ if (unlikely(!audit_dummy_context()))
+ __audit_seccomp(syscall);
+}
+
static inline void audit_ptrace(struct task_struct *t)
{
if (unlikely(!audit_dummy_context()))
@@ -558,6 +565,7 @@ extern int audit_signals;
#define audit_inode(n,d) do { (void)(d); } while (0)
#define audit_inode_child(i,p) do { ; } while (0)
#define audit_core_dumps(i) do { ; } while (0)
+#define audit_seccomp(i) do { ; } while (0)
#define auditsc_get_stamp(c,t,s) (0)
#define audit_get_loginuid(t) (-1)
#define audit_get_sessionid(t) (-1)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 1a0604e..a0785cf 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2529,6 +2529,25 @@ void __audit_mmap_fd(int fd, int flags)
context->type = AUDIT_MMAP;
}
+static void audit_log_abend(struct audit_buffer *ab, char *reason, long signr)
+{
+ uid_t auid, uid;
+ gid_t gid;
+ unsigned int sessionid;
+
+ auid = audit_get_loginuid(current);
+ sessionid = audit_get_sessionid(current);
+ current_uid_gid(&uid, &gid);
+
+ audit_log_format(ab, "auid=%u uid=%u gid=%u ses=%u",
+ auid, uid, gid, sessionid);
+ audit_log_task_context(ab);
+ audit_log_format(ab, " pid=%d comm=", current->pid);
+ audit_log_untrustedstring(ab, current->comm);
+ audit_log_format(ab, " reason=");
+ audit_log_string(ab, reason);
+ audit_log_format(ab, " sig=%ld", signr);
+}
/**
* audit_core_dumps - record information about processes that end abnormally
* @signr: signal value
@@ -2539,10 +2558,6 @@ void __audit_mmap_fd(int fd, int flags)
void audit_core_dumps(long signr)
{
struct audit_buffer *ab;
- u32 sid;
- uid_t auid = audit_get_loginuid(current), uid;
- gid_t gid;
- unsigned int sessionid = audit_get_sessionid(current);
if (!audit_enabled)
return;
@@ -2551,24 +2566,17 @@ void audit_core_dumps(long signr)
return;
ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
- current_uid_gid(&uid, &gid);
- audit_log_format(ab, "auid=%u uid=%u gid=%u ses=%u",
- auid, uid, gid, sessionid);
- security_task_getsecid(current, &sid);
- if (sid) {
- char *ctx = NULL;
- u32 len;
+ audit_log_abend(ab, "memory violation", signr);
+ audit_log_end(ab);
+}
- if (security_secid_to_secctx(sid, &ctx, &len))
- audit_log_format(ab, " ssid=%u", sid);
- else {
- audit_log_format(ab, " subj=%s", ctx);
- security_release_secctx(ctx, len);
- }
- }
- audit_log_format(ab, " pid=%d comm=", current->pid);
- audit_log_untrustedstring(ab, current->comm);
- audit_log_format(ab, " sig=%ld", signr);
+void __audit_seccomp(unsigned long syscall)
+{
+ struct audit_buffer *ab;
+
+ ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
+ audit_log_abend(ab, "seccomp", SIGKILL);
+ audit_log_format(ab, " syscall=%ld", syscall);
audit_log_end(ab);
}
diff --git a/kernel/seccomp.c b/kernel/seccomp.c
index 57d4b13..e8d76c5 100644
--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -6,6 +6,7 @@
* This defines a simple but solid secure-computing mode.
*/
+#include <linux/audit.h>
#include <linux/seccomp.h>
#include <linux/sched.h>
#include <linux/compat.h>
@@ -54,6 +55,7 @@ void __secure_computing(int this_syscall)
#ifdef SECCOMP_DEBUG
dump_stack();
#endif
+ audit_seccomp(this_syscall);
do_exit(SIGKILL);
}
next prev parent reply other threads:[~2011-11-17 22:03 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-11-17 22:02 [PATCH 01/26] audit: make filetype matching consistent with other filters Eric Paris
2011-11-17 22:02 ` [PATCH 02/26] audit: dynamically allocate audit_names when not enough space is in the names array Eric Paris
2011-11-17 22:02 ` [PATCH 03/26] audit: drop the meaningless and format breaking word 'user' Eric Paris
2011-11-17 22:03 ` [PATCH 04/26] audit: check current inode and containing object when filtering on major and minor Eric Paris
2011-11-17 22:03 ` Eric Paris [this message]
2011-11-17 22:03 ` [PATCH 06/26] Audit: push audit success and retcode into arch ptrace.h Eric Paris
2011-11-17 22:03 ` [PATCH 07/26] audit: ia32entry.S sign extend error codes when calling 64 bit code Eric Paris
2011-11-17 22:03 ` [PATCH 08/26] audit: inline audit_syscall_entry to reduce burdon on archs Eric Paris
2011-11-17 22:03 ` [PATCH 09/26] audit: remove AUDIT_SETUP_CONTEXT as it isn't used Eric Paris
2011-11-17 22:03 ` [PATCH 10/26] audit: drop some potentially inadvisable likely notations Eric Paris
2011-11-17 22:03 ` [PATCH 11/26] audit: inline checks for not needing to collect aux records Eric Paris
2011-11-17 22:03 ` [PATCH 12/26] audit: drop audit_set_macxattr as it doesn't do anything Eric Paris
2011-11-17 22:03 ` [PATCH 13/26] audit: inline audit_free to simplify the look of generic code Eric Paris
2011-11-17 22:04 ` [PATCH 14/26] audit: reject entry,always rules Eric Paris
2011-11-17 22:04 ` [PATCH 15/26] audit: remove audit_finish_fork as it can't be called Eric Paris
2011-11-17 22:04 ` [PATCH 16/26] audit: allow matching on obj_uid Eric Paris
2011-11-17 22:04 ` [PATCH 17/26] audit: allow audit matching on inode gid Eric Paris
2011-11-17 22:04 ` [PATCH 18/26] audit: allow interfield comparison in audit rules Eric Paris
2011-11-17 22:04 ` [PATCH 19/26] audit: complex interfield comparison helper Eric Paris
2011-11-17 22:04 ` [PATCH 20/26] audit: allow interfield comparison between gid and ogid Eric Paris
2011-11-17 22:04 ` [PATCH 21/26] audit: remove task argument to audit_set_loginuid Eric Paris
2011-11-17 22:04 ` [PATCH 22/26] audit: only allow tasks to set their loginuid if it is -1 Eric Paris
2011-11-17 22:04 ` [PATCH 23/26] audit: do not call audit_getname on error Eric Paris
2011-11-17 22:04 ` [PATCH 24/26] Kernel: Audit Support For The ARM Platform Eric Paris
2011-11-17 22:05 ` [PATCH 25/26] audit: fix mark refcounting Eric Paris
2011-11-17 22:05 ` [PATCH 26/26] audit: collect path information when possible Eric Paris
2011-11-17 22:47 ` Al Viro
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20111117220307.23481.21729.stgit@paris.rdu.redhat.com \
--to=eparis@redhat.com \
--cc=linux-audit@redhat.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox