[PATCH 1/2] audit: add call argument to socketcall auditing
by Sven Schnelle
socketcall auditing misses the call argument:
type=SOCKETCALL msg=audit: nargs=3 a0=10 a1=3 a2=c
which renders socketcall auditing (almost) useless, because the multiplexed
socket operation (socket, bind, connect, ...) cannot be told apart. Add the
call argument so the actual socket operation can be decoded from the
audit log:
type=SOCKETCALL msg=audit: call=1 nargs=3 a0=10 a1=3 a2=c
Signed-off-by: Sven Schnelle <svens(a)linux.ibm.com>
---
include/linux/audit.h | 10 +++++-----
kernel/audit.h | 1 +
kernel/auditsc.c | 6 ++++--
net/compat.c | 2 +-
net/socket.c | 2 +-
5 files changed, 12 insertions(+), 9 deletions(-)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index d06134ac6245..7d2256f999ab 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -405,7 +405,7 @@ static inline void audit_ptrace(struct task_struct *t)
extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp);
extern void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode);
extern void __audit_bprm(struct linux_binprm *bprm);
-extern int __audit_socketcall(int nargs, unsigned long *args);
+extern int __audit_socketcall(int call, int nargs, unsigned long *args);
extern int __audit_sockaddr(int len, void *addr);
extern void __audit_fd_pair(int fd1, int fd2);
extern void __audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr);
@@ -445,14 +445,14 @@ static inline void audit_bprm(struct linux_binprm *bprm)
if (unlikely(!audit_dummy_context()))
__audit_bprm(bprm);
}
-static inline int audit_socketcall(int nargs, unsigned long *args)
+static inline int audit_socketcall(int call, int nargs, unsigned long *args)
{
if (unlikely(!audit_dummy_context()))
- return __audit_socketcall(nargs, args);
+ return __audit_socketcall(call, nargs, args);
return 0;
}
-static inline int audit_socketcall_compat(int nargs, u32 *args)
+static inline int audit_socketcall_compat(int call, int nargs, u32 *args)
{
unsigned long a[AUDITSC_ARGS];
int i;
@@ -462,7 +462,7 @@ static inline int audit_socketcall_compat(int nargs, u32 *args)
for (i = 0; i < nargs; i++)
a[i] = (unsigned long)args[i];
- return __audit_socketcall(nargs, a);
+ return __audit_socketcall(call, nargs, a);
}
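Review bot: The copy loop `a[i] = (unsigned long)args[i];` writes into the fixed-size `a[AUDITSC_ARGS]` array before `__audit_socketcall()` gets to reject `nargs > AUDITSC_ARGS`, so the bounds check runs after the write rather than before it. The only caller visible here derives `len` from a per-call table in net/compat.c, so in practice `nargs` presumably never exceeds AUDITSC_ARGS, but the inline helper itself does not guarantee it; a guard `if (nargs <= 0 || nargs > AUDITSC_ARGS) return -EINVAL;` ahead of the loop would make the helper safe regardless of caller. The start of audit_socketcall_compat is outside this hunk.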
static inline int audit_sockaddr(int len, void *addr)
diff --git a/kernel/audit.h b/kernel/audit.h
index 58b66543b4d5..34e53b6f0ebb 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -153,6 +153,7 @@ struct audit_context {
int type;
union {
struct {
+ int call;
int nargs;
long args[6];
} socketcall;
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index ea2ee1181921..c856893041c9 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1399,8 +1399,9 @@ static void show_special(struct audit_context *context, int *call_panic)
switch (context->type) {
case AUDIT_SOCKETCALL: {
int nargs = context->socketcall.nargs;
+ int call = context->socketcall.call;
- audit_log_format(ab, "nargs=%d", nargs);
+ audit_log_format(ab, "call=%d nargs=%d", call, nargs);
for (i = 0; i < nargs; i++)
audit_log_format(ab, " a%d=%lx", i,
context->socketcall.args[i]);
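Review bot: The new `call=%d` field is emitted ahead of `nargs=` in `audit_log_format(ab, "call=%d nargs=%d", call, nargs);`, which shifts the position of every pre-existing field in a record format userspace already consumes. Audit record layout is generally treated as a userspace-visible ABI and new fields are conventionally appended after the existing ones, so consider keeping `audit_log_format(ab, "nargs=%d", nargs);` as before and adding `audit_log_format(ab, " call=%d", call);` after the `a%d=` loop. Whether ausearch and other parsers tolerate the reordering should be confirmed with the audit-userspace maintainers. The show_special switch continues outside this hunk.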
@@ -2684,13 +2685,14 @@ void __audit_bprm(struct linux_binprm *bprm)
* @args: args array
*
*/
-int __audit_socketcall(int nargs, unsigned long *args)
+int __audit_socketcall(int call, int nargs, unsigned long *args)
{
struct audit_context *context = audit_context();
if (nargs <= 0 || nargs > AUDITSC_ARGS || !args)
return -EINVAL;
context->type = AUDIT_SOCKETCALL;
+ context->socketcall.call = call;
context->socketcall.nargs = nargs;
memcpy(context->socketcall.args, args, nargs * sizeof(unsigned long));
return 0;
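Review bot: The kerneldoc block above `__audit_socketcall()` (its ` * @args: args array` line is visible as context) is not updated for the new first parameter, so `scripts/kernel-doc` will warn that `call` is undocumented. Add a line such as ` * @call: socketcall multiplexer number (SYS_SOCKET, SYS_BIND, ...)` alongside the existing `@nargs`/`@args` entries. The function stores `call` without range-checking it; the two callers in this series appear to validate `call` against their per-call size tables before reaching here, but that check is outside the hunk and would be worth stating in the kerneldoc. The comment block begins outside this hunk.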
diff --git a/net/compat.c b/net/compat.c
index 210fc3b4d0d8..0df955019ecc 100644
--- a/net/compat.c
+++ b/net/compat.c
@@ -437,7 +437,7 @@ COMPAT_SYSCALL_DEFINE2(socketcall, int, call, u32 __user *, args)
if (copy_from_user(a, args, len))
return -EFAULT;
- ret = audit_socketcall_compat(len / sizeof(a[0]), a);
+ ret = audit_socketcall_compat(call, len / sizeof(a[0]), a);
if (ret)
return ret;
diff --git a/net/socket.c b/net/socket.c
index 6887840682bb..ff71f28c96f7 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -2921,7 +2921,7 @@ SYSCALL_DEFINE2(socketcall, int, call, unsigned long __user *, args)
if (copy_from_user(a, args, len))
return -EFAULT;
- err = audit_socketcall(nargs[call] / sizeof(unsigned long), a);
+ err = audit_socketcall(call, nargs[call] / sizeof(unsigned long), a);
if (err)
return err;
--
2.32.0