audit-ptrace patch (untested)

Alexander Viro aviro at redhat.com
Mon Mar 5 14:50:25 UTC 2007


This one goes on top of the security_getprocattr() patch.  See bz#228384...

diff --git a/include/linux/audit.h b/include/linux/audit.h
index 229fa01..cce8b6c 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -90,6 +90,7 @@
 #define AUDIT_MQ_GETSETATTR	1315	/* POSIX MQ get/set attribute record type */
 #define AUDIT_KERNEL_OTHER	1316	/* For use by 3rd party modules */
 #define AUDIT_FD_PAIR		1317    /* audit record for pipe/socketpair */
+#define AUDIT_OBJ_PID	1318	/* ptrace target */
 
 #define AUDIT_AVC		1400	/* SE Linux avc denial or grant */
 #define AUDIT_SELINUX_ERR	1401	/* Internal SE Linux Errors */
@@ -351,6 +352,8 @@ extern void __audit_inode(const char *name, const struct inode *inode);
 extern void __audit_inode_child(const char *dname, const struct inode *inode,
 				const struct inode *parent);
 extern void __audit_inode_update(const struct inode *inode);
+extern void __audit_ptrace(struct task_struct *t);
+
 static inline int audit_dummy_context(void)
 {
 	void *p = current->audit_context;
@@ -376,6 +379,12 @@ static inline void audit_inode_update(const struct inode *inode) {
 		__audit_inode_update(inode);
 }
 
+static inline void audit_ptrace(struct task_struct *t)
+{
+	if (unlikely(!audit_dummy_context()))
+		__audit_ptrace(t);
+}
+
 				/* Private API (for audit.c only) */
 extern unsigned int audit_serial(void);
 extern void auditsc_get_stamp(struct audit_context *ctx,
@@ -476,6 +485,7 @@ extern int audit_n_rules;
 #define audit_mq_timedreceive(d,l,p,t) ({ 0; })
 #define audit_mq_notify(d,n) ({ 0; })
 #define audit_mq_getsetattr(d,s) ({ 0; })
+#define audit_ptrace(t) ((void)0)
 #define audit_n_rules 0
 #endif
 
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 89875b2..c8465ea 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -209,6 +209,9 @@ struct audit_context {
 	unsigned long	    personality;
 	int		    arch;
 
+	pid_t		    target_pid;
+	char *		    obj_ctx;
+
 #if AUDIT_DEBUG
 	int		    put_count;
 	int		    ino_count;
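Review bot: The two new audit_context fields carry no comment, although they are only meaningful as a pair: the record that audit_log_exit emits is gated on obj_ctx and prints target_pid next to it, and obj_ctx is heap memory that audit_free_context and audit_syscall_exit release with kfree(). A comment on the pair such as `/* ptrace target: its pid and LSM security context; obj_ctx is owned by this context and kfree'd with it */` would tell a reader where the string comes from and who frees it. struct audit_context starts and ends outside this hunk.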
@@ -729,6 +732,7 @@ static inline void audit_free_context(struct audit_context *context)
 		audit_free_names(context);
 		audit_free_aux(context);
 		kfree(context->filterkey);
+		kfree(context->obj_ctx);
 		kfree(context);
 		context  = previous;
 	} while (context);
@@ -967,6 +971,13 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
 		audit_log_end(ab);
 	}
 
+	if (context->obj_ctx) {
+		ab =audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID);
+		audit_log_format(ab, "opid=%d obj=%s",
+				 context->target_pid, context->obj_ctx);
+		audit_log_end(ab);
+	}
+
 	if (context->pwd && context->pwdmnt) {
 		ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD);
 		if (ab) {
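Review bot: The audit_log_start() result on `ab =audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID);` is passed straight to audit_log_format()/audit_log_end() without the `if (ab)` guard that the AUDIT_CWD block immediately below uses, and the whole record is gated on obj_ctx, so an attach on a kernel whose LSM returns no context (target_pid set, obj_ctx still NULL) produces no AUDIT_OBJ_PID record at all. Keying the record on target_pid and making the obj= field optional keeps the attach visible in the non-LSM case and matches the neighbouring style; that in turn presumably needs target_pid cleared next to obj_ctx in audit_syscall_exit so a stale pid is not replayed on the next audited syscall. audit_log_exit starts and ends outside this hunk.

```c
	/* … unchanged: preceding record blocks … */
	if (context->target_pid) {
		ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID);
		if (ab) {
			audit_log_format(ab, "opid=%d", context->target_pid);
			if (context->obj_ctx)
				audit_log_format(ab, " obj=%s",
						 context->obj_ctx);
			audit_log_end(ab);
		}
	}
	/* … unchanged: AUDIT_CWD block and the rest of audit_log_exit … */
```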
@@ -1187,6 +1198,8 @@ void audit_syscall_exit(int valid, long return_code)
 	} else {
 		audit_free_names(context);
 		audit_free_aux(context);
+		kfree(context->obj_ctx);
+		context->obj_ctx = NULL;
 		kfree(context->filterkey);
 		context->filterkey = NULL;
 		tsk->audit_context = context;
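Review bot: obj_ctx is freed and reset here, but the target_pid that __audit_ptrace wrote keeps its value into the next syscall on the reused context; the two fields only mean something together, so `context->target_pid = 0;` beside `context->obj_ctx = NULL;` keeps a previous attach's pid out of any later record, in particular if the AUDIT_OBJ_PID record is ever keyed on target_pid rather than on obj_ctx. audit_syscall_exit continues outside the hunk.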
@@ -1874,6 +1887,13 @@ int audit_sockaddr(int len, void *a)
 	return 0;
 }
 
+void __audit_ptrace(struct task_struct *t)
+{
+	struct audit_context *context = current->audit_context;
+	context->target_pid = t->pid;
+	security_getprocattr(t, "current", &context->obj_ctx);
+}
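Review bot: The return value of `security_getprocattr(t, "current", &context->obj_ctx);` is dropped, and on failure the out pointer is not written, so obj_ctx silently keeps whatever it held (presumably NULL after the reset in audit_syscall_exit) and the caller cannot distinguish a missing context from an LSM error; `if (security_getprocattr(t, "current", &context->obj_ctx) < 0) context->obj_ctx = NULL;` makes the outcome explicit. The function also lacks the kerneldoc header that its neighbour audit_avc_path carries just below: a `/** __audit_ptrace - record the target of a ptrace attach` block with `@t: task being attached to` and one line stating that obj_ctx is allocated by the LSM and released by audit_free_context/audit_syscall_exit would document the ownership.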
+
 /**
  * audit_avc_path - record the granting or denial of permissions
  * @dentry: dentry to record
diff --git a/kernel/ptrace.c b/kernel/ptrace.c
index 4d50e06..ad7949a 100644
--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
@@ -18,6 +18,7 @@
 #include <linux/ptrace.h>
 #include <linux/security.h>
 #include <linux/signal.h>
+#include <linux/audit.h>
 
 #include <asm/pgtable.h>
 #include <asm/uaccess.h>
@@ -161,6 +162,8 @@ int ptrace_attach(struct task_struct *task)
 {
 	int retval;
 
+	audit_ptrace(task);
+
 	retval = -EPERM;
 	if (task->pid <= 1)
 		goto out;
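Review bot: `audit_ptrace(task);` runs before the `task->pid <= 1` check and, from its position at the top of ptrace_attach, before whatever permission checks follow, so the record describes an attempted attach rather than a successful one; that is sensible for an audit trail, since the syscall exit record carries the result, but nothing in the hunk says so. A one-line comment above the call, `/* record the target before any check so refused attaches are audited too */`, would stop a later reader from moving the call below the checks. ptrace_attach continues outside the hunk.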



