Commit b48345aa authored by Richard Guy Briggs's avatar Richard Guy Briggs Committed by Paul Moore
Browse files

audit: deliver signal_info regarless of syscall 

When a process signals the audit daemon (shutdown, rotate, resume,
reconfig) but syscall auditing is not enabled, we still want to know the
identity of the process sending the signal to the audit daemon.

Move audit_signal_info() out of syscall auditing to general auditing but
create a new function audit_signal_info_syscall() to take care of the
syscall dependent parts for when syscall auditing is enabled.

Please see the github kernel audit issue
https://github.com/linux-audit/audit-kernel/issues/111



Signed-off-by: default avatarRichard Guy Briggs <rgb@redhat.com>
Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
parent a188339c

include/linux/audit.h

+9 −0
Original line number Diff line number Diff line
@@ -196,6 +196,9 @@ static inline unsigned int audit_get_sessionid(struct task_struct *tsk) 
}



extern u32 audit_enabled;



extern int audit_signal_info(int sig, struct task_struct *t);



#else /* CONFIG_AUDIT */

static inline __printf(4, 5)

void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type,
@@ -249,6 +252,12 @@ static inline unsigned int audit_get_sessionid(struct task_struct *tsk) 
}



#define audit_enabled AUDIT_OFF



static inline int audit_signal_info(int sig, struct task_struct *t)

{

	return 0;

}



#endif /* CONFIG_AUDIT */



#ifdef CONFIG_AUDIT_COMPAT_GENERIC

kernel/audit.c

+27 −0
Original line number Diff line number Diff line
@@ -2273,6 +2273,33 @@ out: 
	return rc;

}



/**

 * audit_signal_info - record signal info for shutting down audit subsystem

 * @sig: signal value

 * @t: task being signaled

 *

 * If the audit subsystem is being terminated, record the task (pid)

 * and uid that is doing that.

 */

int audit_signal_info(int sig, struct task_struct *t)

{

	kuid_t uid = current_uid(), auid;



	if (auditd_test_task(t) &&

	    (sig == SIGTERM || sig == SIGHUP ||

	     sig == SIGUSR1 || sig == SIGUSR2)) {

		audit_sig_pid = task_tgid_nr(current);

		auid = audit_get_loginuid(current);

		if (uid_valid(auid))

			audit_sig_uid = auid;

		else

			audit_sig_uid = uid;

		security_task_getsecid(current, &audit_sig_sid);

	}



	return audit_signal_info_syscall(t);

}



/**

 * audit_log_end - end one audit record

 * @ab: the audit_buffer

kernel/audit.h

+6 −2
Original line number Diff line number Diff line
@@ -299,7 +299,7 @@ extern const char *audit_tree_path(struct audit_tree *tree); 
extern void audit_put_tree(struct audit_tree *tree);

extern void audit_kill_trees(struct audit_context *context);



extern int audit_signal_info(int sig, struct task_struct *t);

extern int audit_signal_info_syscall(struct task_struct *t);

extern void audit_filter_inodes(struct task_struct *tsk,

				struct audit_context *ctx);

extern struct list_head *audit_killed_trees(void);
@@ -330,7 +330,11 @@ extern struct list_head *audit_killed_trees(void); 
#define audit_tree_path(rule) ""	/* never called */

#define audit_kill_trees(context) BUG()



#define audit_signal_info(s, t) AUDIT_DISABLED

static inline int audit_signal_info_syscall(struct task_struct *t)

{

	return 0;

}



#define audit_filter_inodes(t, c) AUDIT_DISABLED

#endif /* CONFIG_AUDITSYSCALL */

kernel/auditsc.c

+3 −16
Original line number Diff line number Diff line
@@ -2360,30 +2360,17 @@ void __audit_ptrace(struct task_struct *t) 
}



/**

 * audit_signal_info - record signal info for shutting down audit subsystem

 * @sig: signal value

 * audit_signal_info_syscall - record signal info for syscalls

 * @t: task being signaled

 *

 * If the audit subsystem is being terminated, record the task (pid)

 * and uid that is doing that.

 */

int audit_signal_info(int sig, struct task_struct *t)

int audit_signal_info_syscall(struct task_struct *t)

{

	struct audit_aux_data_pids *axp;

	struct audit_context *ctx = audit_context();

	kuid_t uid = current_uid(), auid, t_uid = task_uid(t);



	if (auditd_test_task(t) &&

	    (sig == SIGTERM || sig == SIGHUP ||

	     sig == SIGUSR1 || sig == SIGUSR2)) {

		audit_sig_pid = task_tgid_nr(current);

		auid = audit_get_loginuid(current);

		if (uid_valid(auid))

			audit_sig_uid = auid;

		else

			audit_sig_uid = uid;

		security_task_getsecid(current, &audit_sig_sid);

	}

	kuid_t t_uid = task_uid(t);



	if (!audit_signals || audit_dummy_context())

		return 0;

kernel/signal.c

+1 −1
Original line number Diff line number Diff line
@@ -44,6 +44,7 @@ 
#include <linux/posix-timers.h>

#include <linux/livepatch.h>

#include <linux/cgroup.h>

#include <linux/audit.h>



#define CREATE_TRACE_POINTS

#include <trace/events/signal.h>
@@ -53,7 +54,6 @@ 
#include <asm/unistd.h>

#include <asm/siginfo.h>

#include <asm/cacheflush.h>

#include "audit.h"	/* audit_signal_info() */



/*

 * SLAB caches for signal bits.

CRA Git | Maintained and supported by SUSTech CRA and CCSE