audit-ptrace patch (untested)

That one is on top of security_getprocattr() patch. See bz#228384... diff --git a/include/linux/audit.h b/include/linux/audit.h index 229fa01..cce8b6c 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -90,6 +90,7 @@ #define AUDIT_MQ_GETSETATTR 1315 /* POSIX MQ get/set attribute record type */ #define AUDIT_KERNEL_OTHER 1316 /* For use by 3rd party modules */ #define AUDIT_FD_PAIR 1317 /* audit record for pipe/socketpair */ +#define AUDIT_OBJ_PID 1318 /* ptrace target */ #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */ #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */ @@ -351,6 +352,8 @@ extern void __audit_inode(const char *name, const struct inode *inode); extern void __audit_inode_child(const char *dname, const struct inode *inode, const struct inode *parent); extern void __audit_inode_update(const struct inode *inode); +extern void __audit_ptrace(struct task_struct *t); + static inline int audit_dummy_context(void) { void *p = current->audit_context; @@ -376,6 +379,12 @@ static inline void audit_inode_update(const struct inode *inode) { __audit_inode_update(inode); } +static inline void audit_ptrace(struct task_struct *t) +{ + if (unlikely(!audit_dummy_context())) + __audit_ptrace(t); +} + /* Private API (for audit.c only) */ extern unsigned int audit_serial(void); extern void auditsc_get_stamp(struct audit_context *ctx, @@ -476,6 +485,7 @@ extern int audit_n_rules; #define audit_mq_timedreceive(d,l,p,t) ({ 0; }) #define audit_mq_notify(d,n) ({ 0; }) #define audit_mq_getsetattr(d,s) ({ 0; }) +#define audit_ptrace(t) ((void)0) #define audit_n_rules 0 #endif diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 89875b2..c8465ea 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -209,6 +209,9 @@ struct audit_context { unsigned long personality; int arch; + pid_t target_pid; + char * obj_ctx; + #if AUDIT_DEBUG int put_count; int ino_count; @@ -729,6 +732,7 @@ static inline void audit_free_context(struct audit_context *context) audit_free_names(context); audit_free_aux(context); kfree(context->filterkey); + kfree(context->obj_ctx); kfree(context); context = previous; } while (context); @@ -967,6 +971,13 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts audit_log_end(ab); } + if (context->obj_ctx) { + ab =audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID); + audit_log_format(ab, "opid=%d obj=%s", + context->target_pid, context->obj_ctx); + audit_log_end(ab); + } + if (context->pwd && context->pwdmnt) { ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD); if (ab) { @@ -1187,6 +1198,8 @@ void audit_syscall_exit(int valid, long return_code) } else { audit_free_names(context); audit_free_aux(context); + kfree(context->obj_ctx); + context->obj_ctx = NULL; kfree(context->filterkey); context->filterkey = NULL; tsk->audit_context = context; @@ -1874,6 +1887,13 @@ int audit_sockaddr(int len, void *a) return 0; } +void __audit_ptrace(struct task_struct *t) +{ + struct audit_context *context = current->audit_context; + context->target_pid = t->pid; + security_getprocattr(t, "current", &context->obj_ctx); +} + /** * audit_avc_path - record the granting or denial of permissions * @dentry: dentry to record diff --git a/kernel/ptrace.c b/kernel/ptrace.c index 4d50e06..ad7949a 100644 --- a/kernel/ptrace.c +++ b/kernel/ptrace.c @@ -18,6 +18,7 @@ #include <linux/ptrace.h> #include <linux/security.h> #include <linux/signal.h> +#include <linux/audit.h> #include <asm/pgtable.h> #include <asm/uaccess.h> @@ -161,6 +162,8 @@ int ptrace_attach(struct task_struct *task) { int retval; + audit_ptrace(task); + retval = -EPERM; if (task->pid <= 1) goto out;