Re: [PATCH 1/1] audit: log binding and unbinding to netlink multicast

On Monday, October 16, 2017 6:06:47 PM EDT Steve Grubb wrote: > > > +/* Log information about who is connecting to the audit multicast > > > socket > > > */ +static void audit_log_multicast_bind(int group, const char *op, int > > > err) +{ > > > + const struct cred *cred; > > > + struct tty_struct *tty; > > > + char comm[sizeof(current->comm)]; > > > + struct audit_buffer *ab; > > > + > > > + ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_EVENT_LISTENER); > > > > It really seems like this should be associated with the current task, > > e.g. "audit_log_start(current->audit_context, ...)". After all, the > > whole point of this record is to capture information about the subject > > who is binding to the multicast socket. > > OK, easy enough. But wouldn't that make it an auxiliary record (if there happens to be a syscall record) instead of a standalone event? The intention is that this event is standalone just like AUDIT_SECCOMP or AUDIT_LOGIN. Associating with the current task is done by using current in formatting the message as seen below. (e.g. task_pid_nr(current), audit_get_sessionid(current)) I think it's correct as is.

-Steve > > + if (!ab) > > + return; > > + > > + cred = current_cred(); > > + tty = audit_get_tty(current); > > + > > + audit_log_format(ab, "pid=%u uid=%u auid=%u tty=%s ses=%u", > > + task_pid_nr(current), > > + from_kuid(&init_user_ns, cred->uid), > > + from_kuid(&init_user_ns, > > audit_get_loginuid(current)), + tty ? tty_name(tty) > > : "(none)", > > + audit_get_sessionid(current)); > > + audit_put_tty(tty); > > + audit_log_task_context(ab); /* subj= */ > > + audit_log_format(ab, " comm="); > > + audit_log_untrustedstring(ab, get_task_comm(comm, current)); > > + audit_log_d_path_exe(ab, current->mm); /* exe= */ -- Linux-audit mailing list Linux-audit(a)redhat.com https://www.redhat.com/mailman/listinfo/linux-audit