[PATCH] Reporting file descriptors created by pipe and socketpair

John D. Ramsdell ramsdell at mitre.org
Tue Sep 12 16:07:13 UTC 2006 

The polgen tools suggest SELinux policy by analyzing dynamic traces of
a running set of related programs.  It derives information flow by
tracking file descriptors used by a set of programs, and notes which
processes performs reads and writes.  We would very much like to get
our raw data from autrace, however, the current traces it generates
lacks some crucial information.  The record for the pipe and
socketpair system call does not include the file descriptors created
upon success.  Enclosed is a patch by Mark Workman that remedies this
problem. 

John

Signed-off-by: John D. Ramsdell <ramsdell at mitre.org>
*** a/kernel/auditsc.c	2006-03-20 00:53:29.000000000 -0500
--- b/kernel/auditsc.c	2006-06-26 08:21:56.000000000 -0400
***************
*** 820,825 ****
--- 820,846 ----
  		audit_log_format(ab, " success=%s exit=%ld", 
  				 (context->return_valid==AUDITSC_SUCCESS)?"yes":"no",
  				 context->return_code);
+ 
+         printk(KERN_INFO "%s  auditing what?\n", __FUNCTION__);
+ 
+ 	switch (context->major) {
+ 		case __NR_socketcall:
+ 			if (context->argv[0] == SYS_SOCKETPAIR)
+ 				audit_log_format(ab, " descriptor pair=%d,%d",
+ 						current->audit_pids[0],
+ 						current->audit_pids[1]);
+ 			break;
+ 
+ 		case __NR_pipe:
+ 			audit_log_format(ab, " descriptor pair=%d,%d",
+ 					current->audit_pids[0],
+ 					current->audit_pids[1]);
+ 			break;
+ 
+ 		default: break;
+ 	}
+ 
+ 
  	audit_log_format(ab,
  		  " a0=%lx a1=%lx a2=%lx a3=%lx items=%d"
  		  " pid=%d auid=%u uid=%u gid=%u"
*** a/fs/pipe.c	2006-03-20 00:53:29.000000000 -0500
--- b/fs/pipe.c	2006-06-26 10:10:15.000000000 -0400
***************
*** 779,786 ****
  
  	fd_install(i, f1);
  	fd_install(j, f2);
! 	fd[0] = i;
! 	fd[1] = j;
  	return 0;
  
  close_f12_inode_i_j:
--- 779,786 ----
  
  	fd_install(i, f1);
  	fd_install(j, f2);
! 	current->audit_pids[0] = fd[0] = i;
! 	current->audit_pids[1] = fd[1] = j;
  	return 0;
  
  close_f12_inode_i_j:
*** a/include/linux/sched.h	2006-03-20 00:53:29.000000000 -0500
--- b/include/linux/sched.h	2006-06-26 08:19:23.000000000 -0400
***************
*** 819,824 ****
--- 819,825 ----
  	void *security;
  	struct audit_context *audit_context;
  	seccomp_t seccomp;
+ 	int audit_pids [3];
  
  /* Thread group tracking */
     	u32 parent_exec_id;
*** a/net/socket.c	2006-03-20 00:53:29.000000000 -0500
--- b/net/socket.c	2006-06-26 12:35:23.000000000 -0400
***************
*** 1256,1263 ****
  	err = put_user(fd1, &usockvec[0]); 
  	if (!err)
  		err = put_user(fd2, &usockvec[1]);
! 	if (!err)
  		return 0;
  
  	sys_close(fd2);
  	sys_close(fd1);
--- 1256,1266 ----
  	err = put_user(fd1, &usockvec[0]); 
  	if (!err)
  		err = put_user(fd2, &usockvec[1]);
! 	if (!err) {
! 		current->audit_pids[0] = fd1;
! 		current->audit_pids[1] = fd2;
  		return 0;
+ 	}
  
  	sys_close(fd2);
  	sys_close(fd1);

More information about the Linux-audit mailing list