Re: OBJ_PID records

On Fri, Sep 28, 2007 at 09:39:57AM -0400, Steve Grubb wrote: OK, I think I see what's going on: a) we are too cautious about audit_signals; need to exclude rules that have AUDIT_DEV{MAJOR,MINOR}, AUDIT_INODE, AUDIT_WATCH, AUDIT_PERM. None of those will trigger on signal-sending syscall b) more important, we should not touch async signals - basically, when kernel decides to send SIGIO/SIGURG we obviously should not screw with current->audit_context. Note that we already have that check, right in the caller of audit_signal_info() (that is, when we decide if current-based permissions checks apply). So we simply need to move audit_signal_info() a bit down - after we'd decided that it's not an async signal and before the permission checks. Patch below does just that. diff -urN linux-2.6.22.x86_64/kernel/signal.c foo/kernel/signal.c --- linux-2.6.22.x86_64/kernel/signal.c 2007-10-01 13:18:10.000000000 -0400 +++ foo/kernel/signal.c 2007-10-01 14:45:35.000000000 -0400 @@ -532,18 +532,18 @@ if (!valid_signal(sig)) return error; - error = audit_signal_info(sig, t); /* Let audit system see the signal */ - if (error) - return error; - - error = -EPERM; - if ((info == SEND_SIG_NOINFO || (!is_si_special(info) && SI_FROMUSER(info))) - && ((sig != SIGCONT) || - (process_session(current) != process_session(t))) - && (current->euid ^ t->suid) && (current->euid ^ t->uid) - && (current->uid ^ t->suid) && (current->uid ^ t->uid) - && !capable(CAP_KILL)) + if (info == SEND_SIG_NOINFO || (!is_si_special(info) && SI_FROMUSER(info))) { + error = audit_signal_info(sig, t); /* Let audit system see the signal */ + if (error) + return error; + error = -EPERM; + if (((sig != SIGCONT) || + (process_session(current) != process_session(t))) + && (current->euid ^ t->suid) && (current->euid ^ t->uid) + && (current->uid ^ t->suid) && (current->uid ^ t->uid) + && !capable(CAP_KILL)) return error; + } return security_task_kill(t, info, sig, 0); }