[PATCH v3] audit: log AUDIT_TIME_* records only from rules
by Richard Guy Briggs
AUDIT_TIME_* events are generated when there are syscall rules present that are
not related to time keeping. This will produce noisy log entries that could
flood the logs and hide events we really care about.
Rather than immediately produce the AUDIT_TIME_* records, store the data in the
context and log it at syscall exit time respecting the filter rules.
Please see https://bugzilla.redhat.com/show_bug.cgi?id=1991919
Fixes: 7e8eda734d30 ("ntp: Audit NTP parameters adjustment")
Fixes: 2d87a0674bd6 ("timekeeping: Audit clock adjustments")
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
Changelog:
v2:
- rename __audit_ntp_log_ to audit_log_ntp
- pre-check ntp before storing
- move tk out of the context union and move ntp logging to the bottom of audit_show_special()
- restructure logging of ntp to use ab and allocate more only if more
- add Fixes lines
v3
- move tk into union
- rename audit_log_ntp() to audit_log_time() and add tk
- key off both AUDIT_TIME_* but favour NTP
kernel/audit.h | 4 +++
kernel/auditsc.c | 86 +++++++++++++++++++++++++++++++++++++-----------
2 files changed, 70 insertions(+), 20 deletions(-)
diff --git a/kernel/audit.h b/kernel/audit.h
index c4498090a5bd..58b66543b4d5 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -201,6 +201,10 @@ struct audit_context {
struct {
char *name;
} module;
+ struct {
+ struct audit_ntp_data ntp_data;
+ struct timespec64 tk_injoffset;
+ } time;
};
int fds[2];
struct audit_proctitle proctitle;
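Review bot: The new `time` member shares the context union with the other per-type members, and the stores in the auditsc.c hunk (`__audit_tk_injoffset()` and `__audit_ntp_log()`) write into it without checking which member `context->type` currently names, so if either is reached while a different union member is live (not visible here) that member is silently overwritten. A comment on the member would record the invariant: `/* valid only while type is AUDIT_TIME_ADJNTPVAL or AUDIT_TIME_INJOFFSET */`. It may also help to note that `audit_log_time()` emits `tk_injoffset` whenever it is non-zero under either type, since the two sub-members are read together.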
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index b517947bfa48..9c6c55a81fdb 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1331,6 +1331,55 @@ static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name)
from_kuid(&init_user_ns, name->fcap.rootid));
}
+void audit_log_time(struct audit_context *context, struct audit_buffer **ab)
+{
+ const struct audit_ntp_data *ntp = &context->time.ntp_data;
+ const struct timespec64 *tk = &context->time.tk_injoffset;
+ const char *ntp_name[] = {
+ "offset",
+ "freq",
+ "status",
+ "tai",
+ "tick",
+ "adjust",
+ };
+ int type, first = 1;
+
+ if (context->type == AUDIT_TIME_INJOFFSET)
+ goto tk;
+
+ /* use up allocated ab from show_special before new one */
+ for (type = 0; type < AUDIT_NTP_NVALS; type++) {
+ if (ntp->vals[type].newval != ntp->vals[type].oldval) {
+ if (first) {
+ first = 0;
+ } else {
+ audit_log_end(*ab);
+ *ab = audit_log_start(context, GFP_KERNEL,
+ AUDIT_TIME_ADJNTPVAL);
+ if (!*ab)
+ return;
+ }
+ audit_log_format(*ab, "op=%s old=%lli new=%lli",
+ ntp_name[type], ntp->vals[type].oldval,
+ ntp->vals[type].newval);
+ }
+ }
+
+tk:
+ if (tk->tv_sec != 0 || tk->tv_nsec != 0) {
+ if (!first) {
+ audit_log_end(*ab);
+ *ab = audit_log_start(context, GFP_KERNEL,
+ AUDIT_TIME_INJOFFSET);
+ if (!*ab)
+ return;
+ }
+ audit_log_format(*ab, "sec=%lli nsec=%li",
+ (long long)tk->tv_sec, tk->tv_nsec);
+ }
+}
+
static void show_special(struct audit_context *context, int *call_panic)
{
struct audit_buffer *ab;
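Review bot: `audit_log_time()` is defined with external linkage but the audit.h hunk adds no prototype, so the symbol is global without a declaration (-Wmissing-prototypes) although its only caller is `show_special()` in this file; make it `static void audit_log_time(struct audit_context *context, struct audit_buffer **ab)`. `ntp_name[]` is rebuilt on the stack on every call and its order must match `enum audit_ntp_type`, so declare it `static const char *const ntp_name[] = { ... };` with `/* indexed by enum audit_ntp_type; keep in sync */`. The function also lacks a header comment; it should say that it consumes the buffer passed in `*ab` for the first record, starts a fresh buffer for each further record, and leaves `*ab` NULL on allocation failure, which the caller's `audit_log_end()` must tolerate. One edge worth confirming: if `context->type` is AUDIT_TIME_ADJNTPVAL but no stored value differs, `first` stays set and the injoffset is written into the ADJNTPVAL-typed buffer; `__audit_ntp_log()` only sets that type when a value changed, so this presumably cannot happen today.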
@@ -1445,6 +1494,10 @@ static void show_special(struct audit_context *context, int *call_panic)
audit_log_format(ab, "(null)");
break;
+ case AUDIT_TIME_ADJNTPVAL:
+ case AUDIT_TIME_INJOFFSET:
+ audit_log_time(context, &ab);
+ break;
}
audit_log_end(ab);
}
@@ -2840,31 +2893,24 @@ void __audit_fanotify(unsigned int response)
void __audit_tk_injoffset(struct timespec64 offset)
{
- audit_log(audit_context(), GFP_KERNEL, AUDIT_TIME_INJOFFSET,
- "sec=%lli nsec=%li",
- (long long)offset.tv_sec, offset.tv_nsec);
-}
-
-static void audit_log_ntp_val(const struct audit_ntp_data *ad,
- const char *op, enum audit_ntp_type type)
-{
- const struct audit_ntp_val *val = &ad->vals[type];
-
- if (val->newval == val->oldval)
- return;
+ struct audit_context *context = audit_context();
- audit_log(audit_context(), GFP_KERNEL, AUDIT_TIME_ADJNTPVAL,
- "op=%s old=%lli new=%lli", op, val->oldval, val->newval);
+ if (!context->type)
+ context->type = AUDIT_TIME_INJOFFSET;
+ memcpy(&context->time.tk_injoffset, &offset, sizeof(offset));
}
void __audit_ntp_log(const struct audit_ntp_data *ad)
{
- audit_log_ntp_val(ad, "offset", AUDIT_NTP_OFFSET);
- audit_log_ntp_val(ad, "freq", AUDIT_NTP_FREQ);
- audit_log_ntp_val(ad, "status", AUDIT_NTP_STATUS);
- audit_log_ntp_val(ad, "tai", AUDIT_NTP_TAI);
- audit_log_ntp_val(ad, "tick", AUDIT_NTP_TICK);
- audit_log_ntp_val(ad, "adjust", AUDIT_NTP_ADJUST);
+ struct audit_context *context = audit_context();
+ int type;
+
+ for (type = 0; type < AUDIT_NTP_NVALS; type++)
+ if (ad->vals[type].newval != ad->vals[type].oldval) {
+ context->type = AUDIT_TIME_ADJNTPVAL;
+ memcpy(&context->time.ntp_data, ad, sizeof(*ad));
+ break;
+ }
}
void __audit_log_nfcfg(const char *name, u8 af, unsigned int nentries,
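Review bot: `memcpy(&context->time.tk_injoffset, &offset, sizeof(offset))` copies a by-value struct that can simply be assigned, `context->time.tk_injoffset = offset;`, which also keeps the compiler's type check. The precedence rule is implicit: `__audit_tk_injoffset()` sets the type only when none is set, while `__audit_ntp_log()` always sets AUDIT_TIME_ADJNTPVAL, so a comment such as `/* ADJNTPVAL wins; audit_log_time() emits the injoffset too */` would record the v3 "favour NTP" decision in the code rather than only in the changelog. In `__audit_ntp_log()` the `for` body is a multi-line `if`, and kernel style asks for braces around a loop body that is more than a single simple statement.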
--
2.27.0
[GIT PULL] Audit fixes for v5.17 (#2)
by Paul Moore
Linus,
Another audit fix for v5.17-rcX, this time a single rather small but
important patch that fixes an oops/page-fault caused by improperly
accessing userspace memory. Please merge for the next -rcX release.
Thanks,
-Paul
--
The following changes since commit f26d04331360d42dbd6b58448bd98e4edbfbe1c5:
audit: improve audit queue handling when "audit=1" on cmdline
(2022-01-25 13:22:51 -0500)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git
tags/audit-pr-20220209
for you to fetch changes up to 7a82f89de92aac5a244d3735b2bd162c1147620c:
audit: don't deref the syscall args when checking the openat2
open_how::flags (2022-02-09 16:04:26 -0500)
----------------------------------------------------------------
audit/stable-5.17 PR 20220209
----------------------------------------------------------------
Paul Moore (1):
audit: don't deref the syscall args when checking the openat2
open_how::flags
kernel/auditsc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--
paul-moore.com
[PATCH] audit: don't deref the syscall args when checking the openat2 open_how::flags
by Paul Moore
As reported by Jeff, dereferencing the openat2 syscall argument in
audit_match_perm() to obtain the open_how::flags can result in an
oops/page-fault. This patch fixes this by using the open_how struct
that we store in the audit_context with audit_openat2_how().
Cc: stable(a)vger.kernel.org
Fixes: 1c30e3af8a79 ("audit: add support for the openat2 syscall")
Reported-by: Jeff Mahoney <jeffm(a)suse.com>
Signed-off-by: Paul Moore <paul(a)paul-moore.com>
---
kernel/auditsc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index fce5d43a933f..a83928cbdcb7 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -185,7 +185,7 @@ static int audit_match_perm(struct audit_context *ctx, int mask)
case AUDITSC_EXECVE:
return mask & AUDIT_PERM_EXEC;
case AUDITSC_OPENAT2:
- return mask & ACC_MODE((u32)((struct open_how *)ctx->argv[2])->flags);
+ return mask & ACC_MODE((u32)ctx->openat2.flags);
default:
return 0;
}
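Review bot: The new line relies on `ctx->openat2` having been filled in by `audit_openat2_how()` before `audit_match_perm()` runs for an AUDITSC_OPENAT2 context; nothing in the hunk states that ordering, so a short comment on the case would help: `/* open_how is copied into ctx->openat2 by audit_openat2_how(); never deref argv here */`. The `(u32)` narrowing of `open_how::flags` is carried over from the old line and, as before, discards the upper bits before ACC_MODE(); presumably intentional since only the access-mode bits matter, but worth confirming. audit_match_perm() starts and ends outside the hunk.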
[PATCH v1] audit: fix illegal pointer dereference for openat2
by Richard Guy Briggs
The user pointer was being illegally dereferenced directly to get the
open_how flags data in audit_match_perm. Use the previously saved flags
data elsewhere in the context instead.
Coverage is provided by the audit-testsuite syscalls_file test case.
Cc: stable(a)vger.kernel.org
Link: https://lore.kernel.org/r/c96031b4-b76d-d82c-e232-1cccbbf71946@suse.com
Fixes: 1c30e3af8a79 ("audit: add support for the openat2 syscall")
Reported-by: Jeff Mahoney <jeffm(a)suse.com>
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
kernel/auditsc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index fce5d43a933f..81ab510a7be4 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -185,7 +185,7 @@ static int audit_match_perm(struct audit_context *ctx, int mask)
case AUDITSC_EXECVE:
return mask & AUDIT_PERM_EXEC;
case AUDITSC_OPENAT2:
- return mask & ACC_MODE((u32)((struct open_how *)ctx->argv[2])->flags);
+ return mask & ACC_MODE((u32)(ctx->openat2.flags));
default:
return 0;
}
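Review bot: The parentheses around `ctx->openat2.flags` are redundant inside the cast; `ACC_MODE((u32)ctx->openat2.flags)` reads the same, and this is otherwise the same one-line fix as Paul Moore's patch in this thread. As there, a comment on the case noting that `ctx->openat2` is populated by `audit_openat2_how()` and that `argv[2]` is a user pointer that must not be dereferenced here would keep the bug from recurring. audit_match_perm() starts and ends outside the hunk.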
--
2.27.0
[PATCH v4 0/3] audit: add support for openat2
by Richard Guy Briggs
The openat2(2) syscall was added in v5.6. Add support for openat2 to the
audit syscall classifier and for recording openat2 parameters that cannot
be captured in the syscall parameters of the SYSCALL record.
Supporting userspace code can be found in
https://github.com/rgbriggs/audit-userspace/tree/ghau-openat2
Supporting test case can be found in
https://github.com/linux-audit/audit-testsuite/pull/103
Changelog:
v4:
- change filename include/linux/auditscm.h to auditsc_classmacros.h to avoid socket association
v3:
- re-add commit descriptions that somehow got dropped
- add new file to MAINTAINERS
v2:
- add include/linux/auditscm.h for audit syscall class macros due to syscall redefinition warnings:
arch/x86/ia32/audit.c:3:
./include/linux/audit.h:12,
./include/linux/sched.h:22,
./include/linux/seccomp.h:21,
./arch/x86/include/asm/seccomp.h:5,
./arch/x86/include/asm/unistd.h:20,
./arch/x86/include/generated/uapi/asm/unistd_64.h:4: warning: "__NR_read" redefined #define __NR_read 0
...
./arch/x86/include/generated/uapi/asm/unistd_64.h:338: warning: "__NR_rseq" redefined #define __NR_rseq 334
previous:
arch/x86/ia32/audit.c:2:
./arch/x86/include/generated/uapi/asm/unistd_32.h:7: note: this is the location of the previous definition #define __NR_read 3
...
./arch/x86/include/generated/uapi/asm/unistd_32.h:386: note: this is the location of the previous definition #define __NR_rseq 386
Richard Guy Briggs (3):
audit: replace magic audit syscall class numbers with macros
audit: add support for the openat2 syscall
audit: add OPENAT2 record to list how
MAINTAINERS | 1 +
arch/alpha/kernel/audit.c | 10 ++++++----
arch/ia64/kernel/audit.c | 10 ++++++----
arch/parisc/kernel/audit.c | 10 ++++++----
arch/parisc/kernel/compat_audit.c | 11 ++++++----
arch/powerpc/kernel/audit.c | 12 ++++++-----
arch/powerpc/kernel/compat_audit.c | 13 +++++++-----
arch/s390/kernel/audit.c | 12 ++++++-----
arch/s390/kernel/compat_audit.c | 13 +++++++-----
arch/sparc/kernel/audit.c | 12 ++++++-----
arch/sparc/kernel/compat_audit.c | 13 +++++++-----
arch/x86/ia32/audit.c | 13 +++++++-----
arch/x86/kernel/audit_64.c | 10 ++++++----
fs/open.c | 2 ++
include/linux/audit.h | 11 ++++++++++
include/linux/auditsc_classmacros.h | 24 ++++++++++++++++++++++
include/uapi/linux/audit.h | 1 +
kernel/audit.h | 2 ++
kernel/auditsc.c | 31 +++++++++++++++++++++++------
lib/audit.c | 14 ++++++++-----
lib/compat_audit.c | 15 +++++++++-----
21 files changed, 169 insertions(+), 71 deletions(-)
create mode 100644 include/linux/auditsc_classmacros.h
--
2.27.0
[PATCH v4 0/5] pid: Use helper task_is_in_root_ns()
by Leo Yan
The helper task_is_in_root_ns() has been merged into the mainline kernel
(thanks Jakub Kicinski for merging the patches [1]).
On the other hand, 5 patches were left out of the patch series v2 [2];
this patch series resends these 5 patches so that sub-module
maintainers can pick them up without worrying about dependency
issues.
This patch series can be cleanly applied on the mainline kernel with
latest commit dcb85f85fa6f ("gcc-plugins/stackleak: Use noinstr in favor
of notrace").
[1] https://lore.kernel.org/lkml/20220126050427.605628-1-leo.yan@linaro.org/
[2] https://lore.kernel.org/lkml/20211208083320.472503-1-leo.yan@linaro.org/
Changes from v2:
* Added review and ack tags.
* Dropped two merged patches and resend the left 5 patches.
Changes from v1:
* Renamed helper function from task_is_in_root_ns() to
task_is_in_init_pid_ns(). (Leon Romanovsky)
* Improved patches' commit logs for more neat.
Leo Yan (5):
coresight: etm3x: Use task_is_in_init_pid_ns()
coresight: etm4x: Use task_is_in_init_pid_ns()
coda: Use task_is_in_init_pid_ns()
audit: Use task_is_in_init_pid_ns()
taskstats: Use task_is_in_init_pid_ns()
drivers/hwtracing/coresight/coresight-etm3x-sysfs.c | 8 ++++----
drivers/hwtracing/coresight/coresight-etm4x-sysfs.c | 8 ++++----
fs/coda/inode.c | 2 +-
fs/coda/psdev.c | 2 +-
kernel/audit.c | 2 +-
kernel/taskstats.c | 2 +-
6 files changed, 12 insertions(+), 12 deletions(-)
--
2.25.1
Re: [PATCH 1/1] Smack:- Fix the issue of wrong info printed in ptrace error logs
by Casey Schaufler
On 12/20/2021 2:13 AM, Vishal Goel wrote:
> Currently tracer process info is printed in object field in
> smack error log for ptrace check which is wrong.
> Object process should print the tracee process info.
> Tracee info is not printed in the smack error logs.
> So it is not possible to debug the ptrace smack issues.
>
> Now changes have been made to print both tracer and tracee
> process info in smack error logs for ptrace scenarios.
>
> Old logs:-
> [ 378.098330] audit: type=1400 audit(1637212273.300:2): lsm=SMACK fn=smack_ptrace_access_check action=denied subject="Tracer_lbl" object="Tracee_lbl" requested= pid=9397 comm="tst_pt" opid=9397 ocomm="tst_pt"
> [ 520.261605] audit: type=1400 audit(1637212415.464:3): lsm=SMACK fn=smack_ptrace_traceme action=denied subject="Tracer_lbl" object="Tracee_lbl" requested= pid=12685 comm="tst_pt_me" opid=12563 ocomm="bash"
> [ 1445.259319] audit: type=1400 audit(1637213340.460:5): lsm=SMACK fn=smack_bprm_set_creds action=denied subject="Tracer_lbl" object="Tracee_lbl" requested= pid=1778 comm="tst_bprm" opid=1776 ocomm="tst_bprm"
>
> New logs:-
> [ 378.098330] audit: type=1400 audit(1637212273.300:2): lsm=SMACK fn=smack_ptrace_access_check action=denied subject="Tracer_lbl" object="Tracee_lbl" requested= tracer-pid=5189 tracer-comm="tst_pt" pid=5189 comm="tst_pt" tracee-pid=962 tracee-comm="test_tracee"
> [ 520.261605] audit: type=1400 audit(1637212415.464:3): lsm=SMACK fn=smack_ptrace_traceme action=denied subject="Tracer_lbl" object="Tracee_lbl" requested= tracer-pid=6161 tracer-comm="bash" pid=6310 comm="tst_pt_me" tracee-pid=6310 tracee-comm="tst_pt_me"
> [ 1445.259319] audit: type=1400 audit(1637213340.460:5): lsm=SMACK fn=smack_bprm_set_creds action=denied subject="Tracer_lbl" object="Tracee_lbl" requested= tracer-pid=6435 tracer-comm="tst_bprm" pid=6436 comm="tst_bprm" tracee-pid=6436 tracee-comm="tst_bprm"
>
> Signed-off-by: Vishal Goel <vishal.goel(a)samsung.com>
Does anyone from the audit side object to my taking this
in the Smack tree?
> ---
> include/linux/lsm_audit.h | 1 +
> security/lsm_audit.c | 15 +++++++++++++++
> security/smack/smack.h | 19 +++++++++++++++++++
> security/smack/smack_access.c | 16 ++++++++++++++++
> security/smack/smack_lsm.c | 33 ++++++++++++++++++++++-----------
> 5 files changed, 73 insertions(+), 11 deletions(-)
>
> diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h
> index 17d02eda9..6d752ea16 100644
> --- a/include/linux/lsm_audit.h
> +++ b/include/linux/lsm_audit.h
> @@ -76,6 +76,7 @@ struct common_audit_data {
> #define LSM_AUDIT_DATA_IBENDPORT 14
> #define LSM_AUDIT_DATA_LOCKDOWN 15
> #define LSM_AUDIT_DATA_NOTIFICATION 16
> +#define LSM_AUDIT_DATA_PTRACE 17
> union {
> struct path path;
> struct dentry *dentry;
> diff --git a/security/lsm_audit.c b/security/lsm_audit.c
> index 1897cbf6f..069e0282c 100644
> --- a/security/lsm_audit.c
> +++ b/security/lsm_audit.c
> @@ -318,6 +318,21 @@ static void dump_common_audit_data(struct audit_buffer *ab,
> }
> break;
> }
> + case LSM_AUDIT_DATA_PTRACE: {
> + struct task_struct *tsk = a->u.tsk;
> + if (tsk) {
> + pid_t pid = task_tgid_nr(tsk);
> +
> + if (pid) {
> + char comm[sizeof(tsk->comm)];
> +
> + audit_log_format(ab, " tracee-pid=%d tracee-comm=", pid);
> + audit_log_untrustedstring(ab,
> + memcpy(comm, tsk->comm, sizeof(comm)));
> + }
> + }
> + break;
> + }
> case LSM_AUDIT_DATA_NET:
> if (a->u.net->sk) {
> const struct sock *sk = a->u.net->sk;
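Review bot: The new LSM_AUDIT_DATA_PTRACE case has no blank line after `struct task_struct *tsk = a->u.tsk;` (checkpatch flags this), and the same `if (tsk) { pid_t pid = task_tgid_nr(tsk); ... audit_log_untrustedstring(ab, memcpy(comm, tsk->comm, sizeof(comm))); }` block reappears in the smack_access.c hunk for the tracer, differing only in the ` tracee-pid=` / ` tracer-pid=` prefix; a small shared helper taking the prefix would avoid two copies to keep in sync. Copying `tsk->comm` with a bare memcpy appears to mirror the existing task case in this file, so it is consistent, but a comment saying why a zero tgid is skipped by `if (pid)` would help the reader, since the record then carries no tracee field at all.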
> diff --git a/security/smack/smack.h b/security/smack/smack.h
> index 99c342259..901228205 100644
> --- a/security/smack/smack.h
> +++ b/security/smack/smack.h
> @@ -266,6 +266,7 @@ struct smack_audit_data {
> char *object;
> char *request;
> int result;
> + struct task_struct *tracer_tsk;
> };
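Review bot: `tracer_tsk` is stored as a bare `struct task_struct *` with no reference taken, which is fine only because `smack_audit_data` lives on the caller's stack for the duration of the check; a comment such as `/* borrowed, valid only while the access check runs */` would make that lifetime explicit. The same holds for the tracee pointer placed in `a->a.u.tsk` by the helper added further down in this file.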
>
> /*
> @@ -497,6 +498,16 @@ static inline void smk_ad_setfield_u_net_sk(struct smk_audit_info *a,
> {
> a->a.u.net->sk = sk;
> }
> +static inline void smk_ad_setfield_u_tracer(struct smk_audit_info *a,
> + struct task_struct *t)
> +{
> + a->a.smack_audit_data->tracer_tsk = t;
> +}
> +static inline void smk_ad_setfield_u_tracee(struct smk_audit_info *a,
> + struct task_struct *t)
> +{
> + a->a.u.tsk = t;
> +}
>
> #else /* no AUDIT */
>
> @@ -524,6 +535,14 @@ static inline void smk_ad_setfield_u_net_sk(struct smk_audit_info *a,
> struct sock *sk)
> {
> }
> +static inline void smk_ad_setfield_u_tracer(struct smk_audit_info *a,
> + struct task_struct *t)
> +{
> +}
> +static inline void smk_ad_setfield_u_tracee(struct smk_audit_info *a,
> + struct task_struct *t)
> +{
> +}
> #endif
>
> #endif /* _SECURITY_SMACK_H */
> diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c
> index d2186e275..f39e3ac92 100644
> --- a/security/smack/smack_access.c
> +++ b/security/smack/smack_access.c
> @@ -323,6 +323,22 @@ static void smack_log_callback(struct audit_buffer *ab, void *a)
> audit_log_format(ab, " labels_differ");
> else
> audit_log_format(ab, " requested=%s", sad->request);
> +
> + if (ad->type == LSM_AUDIT_DATA_PTRACE) {
> + struct task_struct *tsk = sad->tracer_tsk;
> +
> + if (tsk) {
> + pid_t pid = task_tgid_nr(tsk);
> +
> + if (pid) {
> + char comm[sizeof(tsk->comm)];
> +
> + audit_log_format(ab, " tracer-pid=%d tracer-comm=", pid);
> + audit_log_untrustedstring(ab,
> + memcpy(comm, tsk->comm, sizeof(comm)));
> + }
> + }
> + }
> }
>
> /**
> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
> index efd35b07c..47e8a9461 100644
> --- a/security/smack/smack_lsm.c
> +++ b/security/smack/smack_lsm.c
> @@ -416,20 +416,13 @@ static inline unsigned int smk_ptrace_mode(unsigned int mode)
> */
> static int smk_ptrace_rule_check(struct task_struct *tracer,
> struct smack_known *tracee_known,
> - unsigned int mode, const char *func)
> + unsigned int mode, struct smk_audit_info *saip)
> {
> int rc;
> - struct smk_audit_info ad, *saip = NULL;
> struct task_smack *tsp;
> struct smack_known *tracer_known;
> const struct cred *tracercred;
>
> - if ((mode & PTRACE_MODE_NOAUDIT) == 0) {
> - smk_ad_init(&ad, func, LSM_AUDIT_DATA_TASK);
> - smk_ad_setfield_u_tsk(&ad, tracer);
> - saip = &ad;
> - }
> -
> rcu_read_lock();
> tracercred = __task_cred(tracer);
> tsp = smack_cred(tracercred);
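Review bot: The `func` parameter is replaced by `saip`, but the kernel-doc block whose `*/` closes just above the signature is not touched by the hunk, so it presumably still describes `@func`; it should describe `@saip` instead, including that NULL suppresses auditing. smk_ptrace_rule_check() continues outside the hunk, where `saip` is used.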
> @@ -480,10 +473,17 @@ static int smk_ptrace_rule_check(struct task_struct *tracer,
> static int smack_ptrace_access_check(struct task_struct *ctp, unsigned int mode)
> {
> struct smack_known *skp;
> + struct smk_audit_info ad, *saip = NULL;
>
> skp = smk_of_task_struct_obj(ctp);
> + if ((mode & PTRACE_MODE_NOAUDIT) == 0) {
> + smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PTRACE);
> + smk_ad_setfield_u_tracer(&ad, current);
> + smk_ad_setfield_u_tracee(&ad, ctp);
> + saip = &ad;
> + }
>
> - return smk_ptrace_rule_check(current, skp, mode, __func__);
> + return smk_ptrace_rule_check(current, skp, mode, saip);
> }
>
> /**
> @@ -498,10 +498,15 @@ static int smack_ptrace_traceme(struct task_struct *ptp)
> {
> int rc;
> struct smack_known *skp;
> + struct smk_audit_info ad, *saip = NULL;
>
> skp = smk_of_task(smack_cred(current_cred()));
> + smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PTRACE);
> + smk_ad_setfield_u_tracer(&ad, ptp);
> + smk_ad_setfield_u_tracee(&ad, current);
> + saip = &ad;
>
> - rc = smk_ptrace_rule_check(ptp, skp, PTRACE_MODE_ATTACH, __func__);
> + rc = smk_ptrace_rule_check(ptp, skp, PTRACE_MODE_ATTACH, saip);
> return rc;
> }
>
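Review bot: `saip` is initialised to NULL and then unconditionally set to `&ad` a few lines later, so the pointer adds nothing; `struct smk_audit_info ad;` with `rc = smk_ptrace_rule_check(ptp, skp, PTRACE_MODE_ATTACH, &ad);` says the same thing, and the smack_bprm_creds_for_exec hunk has the identical pattern. Unlike smack_ptrace_access_check(), this path no longer has a PTRACE_MODE_NOAUDIT guard; with a fixed PTRACE_MODE_ATTACH that is equivalent to the old behaviour, but a one-line comment saying so would save the next reader the check.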
> @@ -897,15 +902,21 @@ static int smack_bprm_creds_for_exec(struct linux_binprm *bprm)
>
> if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
> struct task_struct *tracer;
> + struct smk_audit_info ad, *saip = NULL;
> rc = 0;
>
> + smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PTRACE);
> + smk_ad_setfield_u_tracee(&ad, current);
> + saip = &ad;
> +
> rcu_read_lock();
> tracer = ptrace_parent(current);
> + smk_ad_setfield_u_tracer(&ad, tracer);
> if (likely(tracer != NULL))
> rc = smk_ptrace_rule_check(tracer,
> isp->smk_task,
> PTRACE_MODE_ATTACH,
> - __func__);
> + saip);
> rcu_read_unlock();
>
> if (rc != 0)
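Review bot: `struct smk_audit_info ad, *saip = NULL;` is followed directly by `rc = 0;` with no blank line after the declarations (checkpatch warns). `smk_ad_setfield_u_tracer(&ad, tracer)` runs before the `likely(tracer != NULL)` check, so a NULL tracer is stored; that is tolerated by the `if (tsk)` test in smack_log_callback(), but placing the call after the NULL check would make the intent clearer than relying on the callback. smack_bprm_creds_for_exec() starts and ends outside the hunk.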
[GIT PULL] Audit fixes for v5.17 (#1)
by Paul Moore
Linus,
A single audit patch to fix problems relating to audit queuing and
system responsiveness when "audit=1" is specified on the kernel
command line and the audit daemon is SIGSTOP'd for an extended period
of time. Please merge for v5.17-rcX.
Thanks,
-Paul
--
The following changes since commit e783362eb54cd99b2cac8b3a9aeac942e6f6ac07:
Linux 5.17-rc1 (2022-01-23 10:12:53 +0200)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git
tags/audit-pr-20220131
for you to fetch changes up to f26d04331360d42dbd6b58448bd98e4edbfbe1c5:
audit: improve audit queue handling when "audit=1" on cmdline
(2022-01-25 13:22:51 -0500)
----------------------------------------------------------------
audit/stable-5.17 PR 20220131
----------------------------------------------------------------
Paul Moore (1):
audit: improve audit queue handling when "audit=1" on cmdline
kernel/audit.c | 62 +++++++++++++++++++++++++++++++++++++---------------
1 file changed, 43 insertions(+), 19 deletions(-)
--
paul-moore.com