From: Paul Moore <pmoore@redhat.com>
To: Steve Grubb <sgrubb@redhat.com>, Paul Davies C <pauldaviesc@gmail.com>
Cc: rgb@redhat.com, linux-audit@redhat.com
Subject: Re: [PATCH 1/1] Added exe field to audit core dump signal log
Date: Wed, 08 Jul 2015 16:50:27 -0400 [thread overview]
Message-ID: <2278998.3uTL9r8SHj@sifl> (raw)
In-Reply-To: <9329673.DzdnucMbcf@x2>
On Wednesday, July 08, 2015 04:28:06 PM Steve Grubb wrote:
> Hello Paul Moore,
>
> Looks like this patch never got picked up. I think we should apply it.
Thanks for finding this; did you run into this problem?
Since this was posted back in 2013 it would be nice if someone could do a
quick sanity test to show that 1) the problem still exists on current kernels
and 2) the patch below fixes it. You get extra credit if you show your work.
The reproducer should be trivial; I'm just dealing with some other issues
these next few days.
> On Thursday, November 14, 2013 08:56:57 AM Paul Davies C wrote:
> > Currently when the coredump signals are logged by the audit system , the
> > actual path to the executable is not logged. Without details of exe , the
> > system admin may not have an exact idea on what program failed.
> >
> > This patch changes the audit_log_task() so that the path to the exe is
> > also
> > logged.
> >
> > Signed-off-by: Paul Davies C <pauldaviesc@gmail.com>
> > ---
> >
> > kernel/auditsc.c | 7 +++++++
> > 1 file changed, 7 insertions(+)
> >
> > diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> > index 9845cb3..988de72 100644
> > --- a/kernel/auditsc.c
> > +++ b/kernel/auditsc.c
> > @@ -2353,6 +2353,7 @@ static void audit_log_task(struct audit_buffer *ab)
> >
> > kuid_t auid, uid;
> > kgid_t gid;
> > unsigned int sessionid;
> >
> > + struct mm_struct *mm = current->mm;
> >
> > auid = audit_get_loginuid(current);
> > sessionid = audit_get_sessionid(current);
> >
> > @@ -2366,6 +2367,12 @@ static void audit_log_task(struct audit_buffer *ab)
> >
> > audit_log_task_context(ab);
> > audit_log_format(ab, " pid=%d comm=", current->pid);
> > audit_log_untrustedstring(ab, current->comm);
> >
> > + if (mm) {
> > + down_read(&mm->mmap_sem);
> > + if (mm->exe_file)
> > + audit_log_d_path(ab, " exe=", &mm->exe_file->f_path);
> > + up_read(&mm->mmap_sem);
> > + }
> >
> > }
> >
> > static void audit_log_abend(struct audit_buffer *ab, char *reason, long
> >
> > signr)
--
paul moore
security @ redhat
next prev parent reply other threads:[~2015-07-08 20:50 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-11-14 3:26 [PATCH 1/1] Added exe field to audit core dump signal log Paul Davies C
2013-11-20 21:47 ` Richard Guy Briggs
2013-11-20 22:03 ` William Roberts
2013-11-20 22:07 ` William Roberts
2013-11-20 22:30 ` Richard Guy Briggs
2013-11-20 22:29 ` Richard Guy Briggs
2015-07-08 20:28 ` Steve Grubb
2015-07-08 20:50 ` Paul Moore [this message]
2015-07-08 20:58 ` Steve Grubb
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2278998.3uTL9r8SHj@sifl \
--to=pmoore@redhat.com \
--cc=linux-audit@redhat.com \
--cc=pauldaviesc@gmail.com \
--cc=rgb@redhat.com \
--cc=sgrubb@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox