Commit 7b9205bd authored by Kees Cook's avatar Kees Cook Committed by Linus Torvalds
Browse files

audit: create explicit AUDIT_SECCOMP event type 



The seccomp path was using AUDIT_ANOM_ABEND from when seccomp mode 1
could only kill a process.  While we still want to make sure an audit
record is forced on a kill, this should use a separate record type since
seccomp mode 2 introduces other behaviors.

In the case of "handled" behaviors (process wasn't killed), only emit a
record if the process is under inspection.  This change also fixes
userspace examination of seccomp audit events, since it was considered
malformed due to missing fields of the AUDIT_ANOM_ABEND event type.

Signed-off-by: default avatarKees Cook <keescook@chromium.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Eric Paris <eparis@redhat.com>
Cc: Jeff Layton <jlayton@redhat.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Julien Tinnes <jln@google.com>
Acked-by: default avatarWill Drewry <wad@chromium.org>
Acked-by: default avatarSteve Grubb <sgrubb@redhat.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent 56ca9d98

include/linux/audit.h

+2 −1
Original line number Diff line number Diff line
@@ -157,7 +157,8 @@ void audit_core_dumps(long signr); 


static inline void audit_seccomp(unsigned long syscall, long signr, int code)

{

	if (unlikely(!audit_dummy_context()))

	/* Force a record to be reported if a signal was delivered. */

	if (signr || unlikely(!audit_dummy_context()))

		__audit_seccomp(syscall, signr, code);

}

include/uapi/linux/audit.h

+1 −0
Original line number Diff line number Diff line
@@ -106,6 +106,7 @@ 
#define AUDIT_MMAP		1323	/* Record showing descriptor and flags in mmap */

#define AUDIT_NETFILTER_PKT	1324	/* Packets traversing netfilter chains */

#define AUDIT_NETFILTER_CFG	1325	/* Netfilter chain modifications */

#define AUDIT_SECCOMP		1326	/* Secure Computing event */



#define AUDIT_AVC		1400	/* SE Linux avc denial or grant */

#define AUDIT_SELINUX_ERR	1401	/* Internal SE Linux Errors */

kernel/auditsc.c

+11 −3
Original line number Diff line number Diff line
@@ -2675,7 +2675,7 @@ void __audit_mmap_fd(int fd, int flags) 
	context->type = AUDIT_MMAP;

}



static void audit_log_abend(struct audit_buffer *ab, char *reason, long signr)

static void audit_log_task(struct audit_buffer *ab)

{

	kuid_t auid, uid;

	kgid_t gid;
@@ -2693,6 +2693,11 @@ static void audit_log_abend(struct audit_buffer *ab, char *reason, long signr) 
	audit_log_task_context(ab);

	audit_log_format(ab, " pid=%d comm=", current->pid);

	audit_log_untrustedstring(ab, current->comm);

}



static void audit_log_abend(struct audit_buffer *ab, char *reason, long signr)

{

	audit_log_task(ab);

	audit_log_format(ab, " reason=");

	audit_log_string(ab, reason);

	audit_log_format(ab, " sig=%ld", signr);
@@ -2723,8 +2728,11 @@ void __audit_seccomp(unsigned long syscall, long signr, int code) 
{

	struct audit_buffer *ab;



	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);

	audit_log_abend(ab, "seccomp", signr);

	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_SECCOMP);

	if (unlikely(!ab))

		return;

	audit_log_task(ab);

	audit_log_format(ab, " sig=%ld", signr);

	audit_log_format(ab, " syscall=%ld", syscall);

	audit_log_format(ab, " compat=%d", is_compat_task());

	audit_log_format(ab, " ip=0x%lx", KSTK_EIP(current));

CRA Git | Maintained and supported by SUSTech CRA and CCSE