Re: [PATCH ghak111 V1] audit: deliver siginfo regarless of syscall

From: Richard Guy Briggs
Date: Tue Apr 09 2019 - 10:03:13 EST


On 2019-04-09 08:01, Steve Grubb wrote:
> On Mon, 8 Apr 2019 23:52:29 -0400 Richard Guy Briggs <rgb@xxxxxxxxxx> wrote:
> > When a process signals the audit daemon (shutdown, rotate, resume,
> > reconfig) but syscall auditing is not enabled, we still want to know
> > the identity of the process sending the signal to the audit daemon.
>
> Why? If syscall auditing is disabled, then there is no requirement to
> provide anything. What is the real problem that you are seeing?

Shutdown messages with -1 in them rather than the real values.

> -Steve
>
> > Move audit_signal_info() out of syscall auditing to general auditing
> > but create a new function audit_signal_info_syscall() to take care of
> > the syscall dependent parts for when syscall auditing is enabled.
> >
> > Please see the github kernel audit issue
> > https://github.com/linux-audit/audit-kernel/issues/111
> >
> > Signed-off-by: Richard Guy Briggs <rgb@xxxxxxxxxx>
> > ---
> > include/linux/audit.h | 6 ++++++
> > kernel/audit.c | 27 +++++++++++++++++++++++++++
> > kernel/audit.h | 4 ++--
> > kernel/auditsc.c | 19 +++----------------
> > kernel/signal.c | 2 +-
> > 5 files changed, 39 insertions(+), 19 deletions(-)
> >
> > diff --git a/include/linux/audit.h b/include/linux/audit.h
> > index 1e69d9fe16da..4a22fc3f824f 100644
> > --- a/include/linux/audit.h
> > +++ b/include/linux/audit.h
> > @@ -173,6 +173,9 @@ static inline unsigned int
> > audit_get_sessionid(struct task_struct *tsk) }
> >
> > extern u32 audit_enabled;
> > +
> > +extern int audit_signal_info(int sig, struct task_struct *t);
> > +
> > #else /* CONFIG_AUDIT */
> > static inline __printf(4, 5)
> > void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type,
> > @@ -226,6 +229,9 @@ static inline unsigned int
> > audit_get_sessionid(struct task_struct *tsk) }
> >
> > #define audit_enabled AUDIT_OFF
> > +
> > +#define audit_signal_info(s, t) AUDIT_OFF
> > +
> > #endif /* CONFIG_AUDIT */
> >
> > #ifdef CONFIG_AUDIT_COMPAT_GENERIC
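Review bot: The !CONFIG_AUDIT stub at `+#define audit_signal_info(s, t) AUDIT_OFF` is a function-like macro in a branch whose other stubs are `static inline` functions (see `static inline __printf(4, 5) void audit_log(...)` a few lines above), so it neither type-checks its arguments nor evaluates them, and a caller whose `sig`/`t` were used only in this call would get unused-variable warnings under !CONFIG_AUDIT. AUDIT_OFF is also the `audit_enabled` state value (`#define audit_enabled AUDIT_OFF` just above), not a return code, which reads oddly where the caller tests the result for a non-zero error. Suggest `static inline int audit_signal_info(int sig, struct task_struct *t) { return 0; }` in place of the macro, matching the stub style of this branch.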
> > diff --git a/kernel/audit.c b/kernel/audit.c
> > index b96bf69183f4..67399ff72d43 100644
> > --- a/kernel/audit.c
> > +++ b/kernel/audit.c
> > @@ -2274,6 +2274,33 @@ int audit_set_loginuid(kuid_t loginuid)
> > }
> >
> > /**
> > + * audit_signal_info - record signal info for shutting down audit
> > subsystem
> > + * @sig: signal value
> > + * @t: task being signaled
> > + *
> > + * If the audit subsystem is being terminated, record the task (pid)
> > + * and uid that is doing that.
> > + */
> > +int audit_signal_info(int sig, struct task_struct *t)
> > +{
> > + kuid_t uid = current_uid(), auid;
> > +
> > + if (auditd_test_task(t) &&
> > + (sig == SIGTERM || sig == SIGHUP ||
> > + sig == SIGUSR1 || sig == SIGUSR2)) {
> > + audit_sig_pid = task_tgid_nr(current);
> > + auid = audit_get_loginuid(current);
> > + if (uid_valid(auid))
> > + audit_sig_uid = auid;
> > + else
> > + audit_sig_uid = uid;
> > + security_task_getsecid(current, &audit_sig_sid);
> > + }
> > +
> > + return audit_signal_info_syscall(t);
> > +}
> > +
> > +/**
> > * audit_log_end - end one audit record
> > * @ab: the audit_buffer
> > *
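Review bot: The kerneldoc for the new `audit_signal_info()` describes only termination, but the function is now reached from the signal delivery path for every signal independent of syscall auditing, and its SIGTERM/SIGHUP/SIGUSR1/SIGUSR2 filter corresponds to the auditd control signals the commit message lists (shutdown, rotate, resume, reconfig); suggest stating both in the comment, e.g. `* Called on every signal delivery; when the target is auditd and the signal is one of its control signals, record the sender's pid, (login)uid and security id for AUDIT_SIGNAL_INFO, then hand off to the syscall-auditing part.` (keep the AUDIT_SIGNAL_INFO mention only if that is indeed the reader of these fields). With the only writer of `audit_sig_pid`, `audit_sig_uid` and `audit_sig_sid` now in kernel/audit.c, check whether their definitions can become `static` and the declarations that exposed them to kernel/auditsc.c can be dropped; their definitions are not in this hunk. Minor: `uid` is read only in the else branch, so `kuid_t uid = current_uid(), auid;` could be folded into the block as `audit_sig_uid = uid_valid(auid) ? auid : current_uid();`.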
> > diff --git a/kernel/audit.h b/kernel/audit.h
> > index 958d5b8fc1b3..18a8ae812e9f 100644
> > --- a/kernel/audit.h
> > +++ b/kernel/audit.h
> > @@ -299,7 +299,7 @@ extern bool audit_tree_match(struct audit_chunk
> > *chunk, extern void audit_put_tree(struct audit_tree *tree);
> > extern void audit_kill_trees(struct audit_context *context);
> >
> > -extern int audit_signal_info(int sig, struct task_struct *t);
> > +extern int audit_signal_info_syscall(struct task_struct *t);
> > extern void audit_filter_inodes(struct task_struct *tsk,
> > struct audit_context *ctx);
> > extern struct list_head *audit_killed_trees(void);
> > @@ -330,7 +330,7 @@ extern void audit_filter_inodes(struct
> > task_struct *tsk, #define audit_tree_path(rule) "" /* never
> > called */ #define audit_kill_trees(context) BUG()
> >
> > -#define audit_signal_info(s, t) AUDIT_DISABLED
> > +#define audit_signal_info_syscall(t) AUDIT_OFF
> > #define audit_filter_inodes(t, c) AUDIT_DISABLED
> > #endif /* CONFIG_AUDITSYSCALL */
> >
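Review bot: The replacement `+#define audit_signal_info_syscall(t) AUDIT_OFF` is inconsistent with its neighbour `#define audit_filter_inodes(t, c) AUDIT_DISABLED` in the same !CONFIG_AUDITSYSCALL block and with the `AUDIT_DISABLED` value the removed line used; AUDIT_OFF is the `audit_enabled` state (`#define audit_enabled AUDIT_OFF` in include/linux/audit.h), not a return value for a stubbed call. Both presumably evaluate to 0 today, but mixing the two names makes the stub's meaning depend on that coincidence. Keep `AUDIT_DISABLED` here to match the adjacent stub, or spell the return value as a literal `0` in both. The !CONFIG_AUDIT stub added in include/linux/audit.h has the same issue.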
> > diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> > index 98a98e6dca05..dbd43d84c347 100644
> > --- a/kernel/auditsc.c
> > +++ b/kernel/auditsc.c
> > @@ -2370,30 +2370,17 @@ void __audit_ptrace(struct task_struct *t)
> > }
> >
> > /**
> > - * audit_signal_info - record signal info for shutting down audit
> > subsystem
> > - * @sig: signal value
> > + * audit_signal_info_syscall - record signal info for syscalls
> > * @t: task being signaled
> > *
> > * If the audit subsystem is being terminated, record the task (pid)
> > * and uid that is doing that.
> > */
> > -int audit_signal_info(int sig, struct task_struct *t)
> > +int audit_signal_info_syscall(struct task_struct *t)
> > {
> > struct audit_aux_data_pids *axp;
> > struct audit_context *ctx = audit_context();
> > - kuid_t uid = current_uid(), auid, t_uid = task_uid(t);
> > -
> > - if (auditd_test_task(t) &&
> > - (sig == SIGTERM || sig == SIGHUP ||
> > - sig == SIGUSR1 || sig == SIGUSR2)) {
> > - audit_sig_pid = task_tgid_nr(current);
> > - auid = audit_get_loginuid(current);
> > - if (uid_valid(auid))
> > - audit_sig_uid = auid;
> > - else
> > - audit_sig_uid = uid;
> > - security_task_getsecid(current, &audit_sig_sid);
> > - }
> > + kuid_t t_uid = task_uid(t);
> >
> > if (!audit_signals || audit_dummy_context())
> > return 0;
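Review bot: The kerneldoc above `audit_signal_info_syscall()` still reads "If the audit subsystem is being terminated, record the task (pid) and uid that is doing that", but that auditd-termination logic is exactly what this hunk removes from the body; what remains (the `audit_signals`/`audit_dummy_context()` gate, `struct audit_aux_data_pids *axp` and `t_uid = task_uid(t)`) presumably records the signalled task in the current syscall context's aux data instead. Suggest replacing the description with `* When syscall auditing is active for the current context, record the signalled task (pid, uid, ...) in the syscall record's aux data; does nothing otherwise.`, adjusted to whatever the rest of the body actually stores. The function body continues past the end of this hunk.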
> > diff --git a/kernel/signal.c b/kernel/signal.c
> > index b7953934aa99..73db5dfa797d 100644
> > --- a/kernel/signal.c
> > +++ b/kernel/signal.c
> > @@ -43,6 +43,7 @@
> > #include <linux/compiler.h>
> > #include <linux/posix-timers.h>
> > #include <linux/livepatch.h>
> > +#include <linux/audit.h> /* audit_signal_info() */
> >
> > #define CREATE_TRACE_POINTS
> > #include <trace/events/signal.h>
> > @@ -52,7 +53,6 @@
> > #include <asm/unistd.h>
> > #include <asm/siginfo.h>
> > #include <asm/cacheflush.h>
> > -#include "audit.h" /* audit_signal_info() */
> >
> > /*
> > * SLAB caches for signal bits.
>

- RGB

--
Richard Guy Briggs <rgb@xxxxxxxxxx>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635