[PATCH ghak111 V1] audit: deliver siginfo regardless of syscall

Richard Guy Briggs rgb at redhat.com
Tue Apr 9 14:02:59 UTC 2019


On 2019-04-09 08:01, Steve Grubb wrote:
> On Mon,  8 Apr 2019 23:52:29 -0400 Richard Guy Briggs <rgb at redhat.com> wrote:
> > When a process signals the audit daemon (shutdown, rotate, resume,
> > reconfig) but syscall auditing is not enabled, we still want to know
> > the identity of the process sending the signal to the audit daemon.
> 
> Why? If syscall auditing is disabled, then there is no requirement to
> provide anything. What is the real problem that you are seeing?

Shutdown messages with -1 in them rather than the real values.

> -Steve
> 
> > Move audit_signal_info() out of syscall auditing to general auditing
> > but create a new function audit_signal_info_syscall() to take care of
> > the syscall dependent parts for when syscall auditing is enabled.
> > 
> > Please see the github kernel audit issue
> > https://github.com/linux-audit/audit-kernel/issues/111
> > 
> > Signed-off-by: Richard Guy Briggs <rgb at redhat.com>
> > ---
> >  include/linux/audit.h |  6 ++++++
> >  kernel/audit.c        | 27 +++++++++++++++++++++++++++
> >  kernel/audit.h        |  4 ++--
> >  kernel/auditsc.c      | 19 +++----------------
> >  kernel/signal.c       |  2 +-
> >  5 files changed, 39 insertions(+), 19 deletions(-)
> > 
> > diff --git a/include/linux/audit.h b/include/linux/audit.h
> > index 1e69d9fe16da..4a22fc3f824f 100644
> > --- a/include/linux/audit.h
> > +++ b/include/linux/audit.h
> > @@ -173,6 +173,9 @@ static inline unsigned int
> > audit_get_sessionid(struct task_struct *tsk) }
> >  
> >  extern u32 audit_enabled;
> > +
> > +extern int audit_signal_info(int sig, struct task_struct *t);
> > +
> >  #else /* CONFIG_AUDIT */
> >  static inline __printf(4, 5)
> >  void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type,
> > @@ -226,6 +229,9 @@ static inline unsigned int
> > audit_get_sessionid(struct task_struct *tsk) }
> >  
> >  #define audit_enabled AUDIT_OFF
> > +
> > +#define audit_signal_info(s, t) AUDIT_OFF
> > +
> >  #endif /* CONFIG_AUDIT */
> >  
> >  #ifdef CONFIG_AUDIT_COMPAT_GENERIC
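Review bot: The !CONFIG_AUDIT stub `#define audit_signal_info(s, t) AUDIT_OFF` reuses the audit_enabled state constant (the hunk shows it as `#define audit_enabled AUDIT_OFF` two lines above) as the return value of a function whose real implementation returns a status code, the CONFIG_AUDITSYSCALL path in the auditsc.c hunk ending in `return 0;`. Even if the two happen to be numerically equal, the stub is clearer as `#define audit_signal_info(s, t) 0`, which states what the caller in signal.c presumably tests for. Being a macro, the stub evaluates neither argument, which is fine only if callers use `sig` and the task elsewhere; the call site is not in this patch.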
> > diff --git a/kernel/audit.c b/kernel/audit.c
> > index b96bf69183f4..67399ff72d43 100644
> > --- a/kernel/audit.c
> > +++ b/kernel/audit.c
> > @@ -2274,6 +2274,33 @@ int audit_set_loginuid(kuid_t loginuid)
> >  }
> >  
> >  /**
> > + * audit_signal_info - record signal info for shutting down audit
> > subsystem
> > + * @sig: signal value
> > + * @t: task being signaled
> > + *
> > + * If the audit subsystem is being terminated, record the task (pid)
> > + * and uid that is doing that.
> > + */
> > +int audit_signal_info(int sig, struct task_struct *t)
> > +{
> > +	kuid_t uid = current_uid(), auid;
> > +
> > +	if (auditd_test_task(t) &&
> > +	    (sig == SIGTERM || sig == SIGHUP ||
> > +	     sig == SIGUSR1 || sig == SIGUSR2)) {
> > +		audit_sig_pid = task_tgid_nr(current);
> > +		auid = audit_get_loginuid(current);
> > +		if (uid_valid(auid))
> > +			audit_sig_uid = auid;
> > +		else
> > +			audit_sig_uid = uid;
> > +		security_task_getsecid(current, &audit_sig_sid);
> > +	}
> > +
> > +	return audit_signal_info_syscall(t);
> > +}
> > +
> > +/**
> >   * audit_log_end - end one audit record
> >   * @ab: the audit_buffer
> >   *
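Review bot: The kerneldoc on the new audit_signal_info() still says it records signal info "for shutting down audit subsystem", but the condition it guards also matches SIGHUP, SIGUSR1 and SIGUSR2, which the commit description maps to rotate, resume and reconfig, so the comment should cover the whole set, e.g. `* audit_signal_info - record the sender of a control signal (shutdown, rotate, resume, reconfig) to the audit daemon`. Nothing in the hunk serializes the three stores to audit_sig_pid, audit_sig_uid and audit_sig_sid, so a reader of those globals (not shown here) running concurrently could pair the pid of one sender with the uid of another; this is carried over verbatim from auditsc.c rather than introduced, but now that the function runs on the signal path for every CONFIG_AUDIT kernel a one-line comment acknowledging the unsynchronised update would help the next reader. The check also never consults audit_enabled; if recording the sender even while auditing is switched off is intended, say so in the comment rather than leaving it implicit.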
> > diff --git a/kernel/audit.h b/kernel/audit.h
> > index 958d5b8fc1b3..18a8ae812e9f 100644
> > --- a/kernel/audit.h
> > +++ b/kernel/audit.h
> > @@ -299,7 +299,7 @@ extern bool audit_tree_match(struct audit_chunk
> > *chunk, extern void audit_put_tree(struct audit_tree *tree);
> >  extern void audit_kill_trees(struct audit_context *context);
> >  
> > -extern int audit_signal_info(int sig, struct task_struct *t);
> > +extern int audit_signal_info_syscall(struct task_struct *t);
> >  extern void audit_filter_inodes(struct task_struct *tsk,
> >  				struct audit_context *ctx);
> >  extern struct list_head *audit_killed_trees(void);
> > @@ -330,7 +330,7 @@ extern void audit_filter_inodes(struct
> > task_struct *tsk, #define audit_tree_path(rule) ""	/* never
> > called */ #define audit_kill_trees(context) BUG()
> >  
> > -#define audit_signal_info(s, t) AUDIT_DISABLED
> > +#define audit_signal_info_syscall(t) AUDIT_OFF
> >  #define audit_filter_inodes(t, c) AUDIT_DISABLED
> >  #endif /* CONFIG_AUDITSYSCALL */
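Review bot: The new `#define audit_signal_info_syscall(t) AUDIT_OFF` sits directly above `#define audit_filter_inodes(t, c) AUDIT_DISABLED` and replaces a stub that also used AUDIT_DISABLED, so the two adjacent !CONFIG_AUDITSYSCALL stubs now spell the same "do nothing, report success" result with different constants. Unless the switch is deliberate, `#define audit_signal_info_syscall(t) AUDIT_DISABLED` (or a plain `0`, since audit_signal_info() returns this value as its status) keeps them consistent; whether the two constants have the same numeric value is not visible in the patch, and the audit.c hunk relies on it.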
> >  
> > diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> > index 98a98e6dca05..dbd43d84c347 100644
> > --- a/kernel/auditsc.c
> > +++ b/kernel/auditsc.c
> > @@ -2370,30 +2370,17 @@ void __audit_ptrace(struct task_struct *t)
> >  }
> >  
> >  /**
> > - * audit_signal_info - record signal info for shutting down audit
> > subsystem
> > - * @sig: signal value
> > + * audit_signal_info_syscall - record signal info for syscalls
> >   * @t: task being signaled
> >   *
> >   * If the audit subsystem is being terminated, record the task (pid)
> >   * and uid that is doing that.
> >   */
> > -int audit_signal_info(int sig, struct task_struct *t)
> > +int audit_signal_info_syscall(struct task_struct *t)
> >  {
> >  	struct audit_aux_data_pids *axp;
> >  	struct audit_context *ctx = audit_context();
> > -	kuid_t uid = current_uid(), auid, t_uid = task_uid(t);
> > -
> > -	if (auditd_test_task(t) &&
> > -	    (sig == SIGTERM || sig == SIGHUP ||
> > -	     sig == SIGUSR1 || sig == SIGUSR2)) {
> > -		audit_sig_pid = task_tgid_nr(current);
> > -		auid = audit_get_loginuid(current);
> > -		if (uid_valid(auid))
> > -			audit_sig_uid = auid;
> > -		else
> > -			audit_sig_uid = uid;
> > -		security_task_getsecid(current, &audit_sig_sid);
> > -	}
> > +	kuid_t t_uid = task_uid(t);
> >  
> >  	if (!audit_signals || audit_dummy_context())
> >  		return 0;
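Review bot: The kerneldoc kept on audit_signal_info_syscall() ("If the audit subsystem is being terminated, record the task (pid) and uid that is doing that.") now describes exactly the code this hunk moves out of it, so it is wrong for the function that remains. What remains declares a `struct audit_aux_data_pids` and returns early unless audit_signals is set and the current context is not a dummy, so a description along the lines of `* Attach the pid/uid of the signaled task @t to the current syscall's audit context (no-op without syscall auditing).` fits better, to be confirmed against the rest of the body. The body of audit_signal_info_syscall() continues past the end of the hunk.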
> > diff --git a/kernel/signal.c b/kernel/signal.c
> > index b7953934aa99..73db5dfa797d 100644
> > --- a/kernel/signal.c
> > +++ b/kernel/signal.c
> > @@ -43,6 +43,7 @@
> >  #include <linux/compiler.h>
> >  #include <linux/posix-timers.h>
> >  #include <linux/livepatch.h>
> > +#include <linux/audit.h>	/* audit_signal_info() */
> >  
> >  #define CREATE_TRACE_POINTS
> >  #include <trace/events/signal.h>
> > @@ -52,7 +53,6 @@
> >  #include <asm/unistd.h>
> >  #include <asm/siginfo.h>
> >  #include <asm/cacheflush.h>
> > -#include "audit.h"	/* audit_signal_info() */
> >  
> >  /*
> >   * SLAB caches for signal bits.
> 

- RGB

--
Richard Guy Briggs <rgb at redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635



