Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit e139606

Browse files
author
Al Viro
committed
[PATCH] collect sid of those who send signals to auditd
Signed-off-by: Al Viro <[email protected]>
1 parent 473ae30 commit e139606

5 files changed

Lines changed: 45 additions & 25 deletions

File tree

include/linux/audit.h

Lines changed: 1 addition & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -278,6 +278,7 @@ struct audit_rule { /* for AUDIT_LIST, AUDIT_ADD, and AUDIT_DEL */
278278
struct audit_sig_info {
279279
uid_t uid;
280280
pid_t pid;
281+
char ctx[0];
281282
};
282283

283284
struct audit_buffer;
@@ -328,7 +329,6 @@ extern int audit_bprm(struct linux_binprm *bprm);
328329
extern int audit_socketcall(int nargs, unsigned long *args);
329330
extern int audit_sockaddr(int len, void *addr);
330331
extern int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt);
331-
extern void audit_signal_info(int sig, struct task_struct *t);
332332
extern int audit_set_macxattr(const char *name);
333333
#else
334334
#define audit_alloc(t) ({ 0; })
@@ -349,7 +349,6 @@ extern int audit_set_macxattr(const char *name);
349349
#define audit_socketcall(n,a) ({ 0; })
350350
#define audit_sockaddr(len, addr) ({ 0; })
351351
#define audit_avc_path(dentry, mnt) ({ 0; })
352-
#define audit_signal_info(s,t) do { ; } while (0)
353352
#define audit_set_macxattr(n) do { ; } while (0)
354353
#endif
355354

kernel/audit.c

Lines changed: 20 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -89,6 +89,7 @@ static int audit_backlog_wait_overflow = 0;
8989
/* The identity of the user shutting down the audit system. */
9090
uid_t audit_sig_uid = -1;
9191
pid_t audit_sig_pid = -1;
92+
u32 audit_sig_sid = 0;
9293

9394
/* Records can be lost in several ways:
9495
0) [suppressed in audit_alloc]
@@ -479,7 +480,9 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
479480
struct audit_buffer *ab;
480481
u16 msg_type = nlh->nlmsg_type;
481482
uid_t loginuid; /* loginuid of sender */
482-
struct audit_sig_info sig_data;
483+
struct audit_sig_info *sig_data;
484+
char *ctx;
485+
u32 len;
483486

484487
err = audit_netlink_ok(NETLINK_CB(skb).eff_cap, msg_type);
485488
if (err)
@@ -531,12 +534,9 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
531534
if (status_get->mask & AUDIT_STATUS_PID) {
532535
int old = audit_pid;
533536
if (sid) {
534-
char *ctx = NULL;
535-
u32 len;
536-
int rc;
537-
if ((rc = selinux_ctxid_to_string(
537+
if ((err = selinux_ctxid_to_string(
538538
sid, &ctx, &len)))
539-
return rc;
539+
return err;
540540
else
541541
audit_log(NULL, GFP_KERNEL,
542542
AUDIT_CONFIG_CHANGE,
@@ -572,8 +572,6 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
572572
"user pid=%d uid=%u auid=%u",
573573
pid, uid, loginuid);
574574
if (sid) {
575-
char *ctx = NULL;
576-
u32 len;
577575
if (selinux_ctxid_to_string(
578576
sid, &ctx, &len)) {
579577
audit_log_format(ab,
@@ -612,10 +610,21 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
612610
loginuid, sid);
613611
break;
614612
case AUDIT_SIGNAL_INFO:
615-
sig_data.uid = audit_sig_uid;
616-
sig_data.pid = audit_sig_pid;
613+
err = selinux_ctxid_to_string(audit_sig_sid, &ctx, &len);
614+
if (err)
615+
return err;
616+
sig_data = kmalloc(sizeof(*sig_data) + len, GFP_KERNEL);
617+
if (!sig_data) {
618+
kfree(ctx);
619+
return -ENOMEM;
620+
}
621+
sig_data->uid = audit_sig_uid;
622+
sig_data->pid = audit_sig_pid;
623+
memcpy(sig_data->ctx, ctx, len);
624+
kfree(ctx);
617625
audit_send_reply(NETLINK_CB(skb).pid, seq, AUDIT_SIGNAL_INFO,
618-
0, 0, &sig_data, sizeof(sig_data));
626+
0, 0, sig_data, sizeof(*sig_data) + len);
627+
kfree(sig_data);
619628
break;
620629
default:
621630
err = -EINVAL;

kernel/audit.h

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -101,3 +101,14 @@ struct audit_netlink_list {
101101
int audit_send_list(void *);
102102

103103
extern int selinux_audit_rule_update(void);
104+
105+
#ifdef CONFIG_AUDITSYSCALL
106+
extern void __audit_signal_info(int sig, struct task_struct *t);
107+
static inline void audit_signal_info(int sig, struct task_struct *t)
108+
{
109+
if (unlikely(audit_pid && t->tgid == audit_pid))
110+
__audit_signal_info(sig, t);
111+
}
112+
#else
113+
#define audit_signal_info(s,t)
114+
#endif

kernel/auditsc.c

Lines changed: 12 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -1376,19 +1376,20 @@ int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt)
13761376
* If the audit subsystem is being terminated, record the task (pid)
13771377
* and uid that is doing that.
13781378
*/
1379-
void audit_signal_info(int sig, struct task_struct *t)
1379+
void __audit_signal_info(int sig, struct task_struct *t)
13801380
{
13811381
extern pid_t audit_sig_pid;
13821382
extern uid_t audit_sig_uid;
1383-
1384-
if (unlikely(audit_pid && t->tgid == audit_pid)) {
1385-
if (sig == SIGTERM || sig == SIGHUP) {
1386-
struct audit_context *ctx = current->audit_context;
1387-
audit_sig_pid = current->pid;
1388-
if (ctx)
1389-
audit_sig_uid = ctx->loginuid;
1390-
else
1391-
audit_sig_uid = current->uid;
1392-
}
1383+
extern u32 audit_sig_sid;
1384+
1385+
if (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1) {
1386+
struct task_struct *tsk = current;
1387+
struct audit_context *ctx = tsk->audit_context;
1388+
audit_sig_pid = tsk->pid;
1389+
if (ctx)
1390+
audit_sig_uid = ctx->loginuid;
1391+
else
1392+
audit_sig_uid = tsk->uid;
1393+
selinux_get_task_sid(tsk, &audit_sig_sid);
13931394
}
13941395
}

kernel/signal.c

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -23,12 +23,12 @@
2323
#include <linux/syscalls.h>
2424
#include <linux/ptrace.h>
2525
#include <linux/signal.h>
26-
#include <linux/audit.h>
2726
#include <linux/capability.h>
2827
#include <asm/param.h>
2928
#include <asm/uaccess.h>
3029
#include <asm/unistd.h>
3130
#include <asm/siginfo.h>
31+
#include "audit.h" /* audit_signal_info() */
3232

3333
/*
3434
* SLAB caches for signal bits.

0 commit comments

Comments
 (0)