[PATCH] security: lsm_audit: print pid and tid
Richard Guy Briggs
rgb at redhat.com
Thu Aug 18 05:56:27 UTC 2016
On 2016-08-17 16:58, Paul Moore wrote:
> On Tue, Jul 26, 2016 at 10:54 AM, Jeff Vander Stoep <jeffv at google.com> wrote:
> > dump_common_audit_data() currently contains a field for pid, but the
> > value printed is actually the thread ID, tid. Update this value to
> > return the task group ID. Add a new field for tid. With this change
> > the values printed by audit now match the values returned by the
> > getpid() and gettid() syscalls.
> >
> > Signed-off-by: Jeff Vander Stoep <jeffv at google.com>
> > ---
> > security/lsm_audit.c | 7 +++++--
> > 1 file changed, 5 insertions(+), 2 deletions(-)
>
> Hi Jeff,
>
> Have you tested this against the audit-testsuite[1]? We don't have an
> explicit PID test yet, but at least two of the tests do test it as a
> side effect.
>
> Steve, I don't see the thread ID listed in the field dictionary, are
> you okay with using "tid" for this?
There is some naming confusion between userspace and kernel space with
pid vs. tid vs. tgid...
> However, as far as I can see, the biggest problem with this patch is
> that it adds a field in the middle of a record which will likely cause
> the audit userspace tools to explode (or so I've been warned in the
> past). Steve, what say you about the userspace?
Adding fields in the middle isn't necessarily a problem if it doesn't
confuse the existing scanner, which can skip over fields about which it
does not care. I've carefully added fields in the middle in the past,
trying my best to group it logically with the rest of the information as
has been requested, I think: subject, action, object, result.
> [1] https://github.com/linux-audit/audit-testsuite
> [2] https://github.com/linux-audit/audit-documentation/blob/master/specs/fields/field-dictionary.csv
>
> > diff --git a/security/lsm_audit.c b/security/lsm_audit.c
> > index cccbf30..57f26c1 100644
> > --- a/security/lsm_audit.c
> > +++ b/security/lsm_audit.c
> > @@ -220,7 +220,8 @@ static void dump_common_audit_data(struct audit_buffer *ab,
> > */
> > BUILD_BUG_ON(sizeof(a->u) > sizeof(void *)*2);
> >
> > - audit_log_format(ab, " pid=%d comm=", task_pid_nr(current));
> > + audit_log_format(ab, " pid=%d tid=%d comm=", task_tgid_vnr(tsk),
> > + task_pid_vnr(tsk));
> > audit_log_untrustedstring(ab, memcpy(comm, current->comm, sizeof(comm)));
> >
> > switch (a->type) {
> > @@ -294,10 +295,12 @@ static void dump_common_audit_data(struct audit_buffer *ab,
> > case LSM_AUDIT_DATA_TASK: {
> > struct task_struct *tsk = a->u.tsk;
> > if (tsk) {
> > - pid_t pid = task_pid_nr(tsk);
> > + pid_t pid = task_tgid_vnr(tsk);
> > if (pid) {
> > char comm[sizeof(tsk->comm)];
> > audit_log_format(ab, " opid=%d ocomm=", pid);
> > + audit_log_format(ab, " opid=%d otid=%d ocomm=",
> > + pid, task_pid_vnr(tsk));
> > audit_log_untrustedstring(ab,
> > memcpy(comm, tsk->comm, sizeof(comm)));
> > }
>
> --
> paul moore
> www.paul-moore.com
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
- RGB
--
Richard Guy Briggs <rgb at redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
More information about the Linux-audit
mailing list