[PATCH 1/1] Added exe field to audit core dump signal log
Paul Moore
pmoore at redhat.com
Wed Jul 8 20:50:27 UTC 2015
On Wednesday, July 08, 2015 04:28:06 PM Steve Grubb wrote:
> Hello Paul Moore,
>
> Looks like this patch never got picked up. I think we should apply it.
Thanks for finding this; did you run into this problem?
Since this was posted back in 2013 it would be nice if someone could do a
quick sanity test to show that 1) the problem still exists on current kernels
and 2) the patch below fixes it. You get extra credit if you show your work.
The reproducer should be trivial; I'm just dealing with some other issues
these next few days.
> On Thursday, November 14, 2013 08:56:57 AM Paul Davies C wrote:
> > Currently when the coredump signals are logged by the audit system , the
> > actual path to the executable is not logged. Without details of exe , the
> > system admin may not have an exact idea on what program failed.
> >
> > This patch changes the audit_log_task() so that the path to the exe is
> > also
> > logged.
> >
> > Signed-off-by: Paul Davies C <pauldaviesc at gmail.com>
> > ---
> >
> > kernel/auditsc.c | 7 +++++++
> > 1 file changed, 7 insertions(+)
> >
> > diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> > index 9845cb3..988de72 100644
> > --- a/kernel/auditsc.c
> > +++ b/kernel/auditsc.c
> > @@ -2353,6 +2353,7 @@ static void audit_log_task(struct audit_buffer *ab)
> >
> > kuid_t auid, uid;
> > kgid_t gid;
> > unsigned int sessionid;
> >
> > + struct mm_struct *mm = current->mm;
> >
> > auid = audit_get_loginuid(current);
> > sessionid = audit_get_sessionid(current);
> >
> > @@ -2366,6 +2367,12 @@ static void audit_log_task(struct audit_buffer *ab)
> >
> > audit_log_task_context(ab);
> > audit_log_format(ab, " pid=%d comm=", current->pid);
> > audit_log_untrustedstring(ab, current->comm);
> >
> > + if (mm) {
> > + down_read(&mm->mmap_sem);
> > + if (mm->exe_file)
> > + audit_log_d_path(ab, " exe=", &mm->exe_file->f_path);
> > + up_read(&mm->mmap_sem);
> > + }
> >
> > }
> >
> > static void audit_log_abend(struct audit_buffer *ab, char *reason, long
> >
> > signr)
--
paul moore
security @ redhat
More information about the Linux-audit
mailing list