[PATCH 1/1] audit: log binding and unbinding to netlink multicast

Richard Guy Briggs rgb at redhat.com
Mon Oct 16 23:04:14 UTC 2017 

On 2017-10-16 22:28, Steve Grubb wrote:
> On Monday, October 16, 2017 6:06:47 PM EDT Steve Grubb wrote:
> > > > +/* Log information about who is connecting to the audit multicast
> > > > socket
> > > > */ +static void audit_log_multicast_bind(int group, const char *op, int
> > > > err) +{
> > > > +       const struct cred *cred;
> > > > +       struct tty_struct *tty;
> > > > +       char comm[sizeof(current->comm)];
> > > > +       struct audit_buffer *ab;
> > > > +
> > > > +       ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_EVENT_LISTENER);
> > > 
> > > It really seems like this should be associated with the current task,
> > > e.g. "audit_log_start(current->audit_context, ...)".  After all, the
> > > whole point of this record is to capture information about the subject
> > > who is binding to the multicast socket.
> > 
> > OK, easy enough.
> 
> But wouldn't that make it an auxiliary record (if there happens to be a 
> syscall record) instead of a standalone event? The intention is that this 
> event is standalone just like AUDIT_SECCOMP or AUDIT_LOGIN. Associating with 
> the current task is done by using current in formatting the message as seen 
> below. (e.g.  task_pid_nr(current), audit_get_sessionid(current))
> 
> I think it's correct as is.

Yes, this would associate this record with the tentatively generated
SYSCALL record for this task.

To use the AUDIT_TASK record idea, a local audit context would need to
be created and used for the AUDIT_CONFIG_CHANGE and AUDIT_TASK records
only.

> -Steve
> 
> > > +       if (!ab)
> > > +               return;
> > > +
> > > +       cred = current_cred();
> > > +       tty = audit_get_tty(current);
> > > +
> > > +       audit_log_format(ab, "pid=%u uid=%u auid=%u tty=%s ses=%u",
> > > +                       task_pid_nr(current),
> > > +                       from_kuid(&init_user_ns, cred->uid),
> > > +                       from_kuid(&init_user_ns,
> > > audit_get_loginuid(current)), +                       tty ? tty_name(tty)
> > > : "(none)",
> > > +                       audit_get_sessionid(current));
> > > +       audit_put_tty(tty);
> > > +       audit_log_task_context(ab); /* subj= */
> > > +       audit_log_format(ab, " comm=");
> > > +       audit_log_untrustedstring(ab, get_task_comm(comm, current));
> > > +       audit_log_d_path_exe(ab, current->mm); /* exe= */
> 
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit

- RGB

--
Richard Guy Briggs <rgb at redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

More information about the Linux-audit mailing list