[PATCH 1/1] Added exe field to audit core dump signal log

Steve Grubb sgrubb at redhat.com
Wed Jul 8 20:58:57 UTC 2015 

On Wednesday, July 08, 2015 04:50:27 PM Paul Moore wrote:
> On Wednesday, July 08, 2015 04:28:06 PM Steve Grubb wrote:
> > Hello Paul Moore,
> > 
> > Looks like this patch never got picked up. I think we should apply it.
> 
> Thanks for finding this; did you run into this problem?

I was going through old email trying to clear my backlog and saw this
one marked for follow up at some point.


> Since this was posted back in 2013 it would be nice if someone could do a
> quick sanity test to show that 1) the problem still exists on current
> kernels and

This is the function in question:

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/kernel/auditsc.c?id=refs/tags/v4.2-rc1#n2357

Actually, I missed the call to audit_log_d_path_exe() because I was looking
for exe= in the logging string ...so its already fixed.

Sorry for the noise.  :-)

-Steve

> 2) the patch below fixes it.  You get extra credit if you show
> your work.
>
> The reproducer should be trivial; I'm just dealing with some other issues
> these next few days.
> 
> > On Thursday, November 14, 2013 08:56:57 AM Paul Davies C wrote:
> > > Currently when the coredump signals are logged by the audit system , the
> > > actual path to the executable is not logged. Without details of exe ,
> > > the
> > > system admin may not have an exact idea on what program failed.
> > > 
> > > This patch changes the audit_log_task() so that the path to the exe is
> > > also
> > > logged.
> > > 
> > > Signed-off-by: Paul Davies C <pauldaviesc at gmail.com>
> > > ---
> > > 
> > >  kernel/auditsc.c |    7 +++++++
> > >  1 file changed, 7 insertions(+)
> > > 
> > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> > > index 9845cb3..988de72 100644
> > > --- a/kernel/auditsc.c
> > > +++ b/kernel/auditsc.c
> > > @@ -2353,6 +2353,7 @@ static void audit_log_task(struct audit_buffer
> > > *ab)
> > > 
> > >  	kuid_t auid, uid;
> > >  	kgid_t gid;
> > >  	unsigned int sessionid;
> > > 
> > > +	struct mm_struct *mm = current->mm;
> > > 
> > >  	auid = audit_get_loginuid(current);
> > >  	sessionid = audit_get_sessionid(current);
> > > 
> > > @@ -2366,6 +2367,12 @@ static void audit_log_task(struct audit_buffer
> > > *ab)
> > > 
> > >  	audit_log_task_context(ab);
> > >  	audit_log_format(ab, " pid=%d comm=", current->pid);
> > >  	audit_log_untrustedstring(ab, current->comm);
> > > 
> > > +	if (mm) {
> > > +		down_read(&mm->mmap_sem);
> > > +		if (mm->exe_file)
> > > +			audit_log_d_path(ab, " exe=", &mm->exe_file->f_path);
> > > +		up_read(&mm->mmap_sem);
> > > +	}
> > > 
> > >  }
> > >  
> > >  static void audit_log_abend(struct audit_buffer *ab, char *reason, long
> > > 
> > > signr)

More information about the Linux-audit mailing list