[PATCH 1/2] audit: log binding and unbinding to netlink multicast socket
The audit subsystem could use a function that logs the commonly needed
fields for a typical audit event. This logs less that audit_log_task_info
and reduces the need to hand code individual fields.
Signed-off-by: Steve Grubb <sgrubb(a)redhat.com>
---
include/linux/audit.h | 5 +++++
kernel/audit.c | 35 +++++++++++++++++++++++++++++++++++
2 files changed, 40 insertions(+)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index c2e7e3a..2620847 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -484,6 +484,8 @@ static inline void audit_log_secctx(struct audit_buffer *ab, u32
secid)
extern int audit_log_task_context(struct audit_buffer *ab);
extern void audit_log_task_info(struct audit_buffer *ab,
struct task_struct *tsk);
+extern void audit_log_task_simple(struct audit_buffer *ab,
+ struct task_struct *tsk);
extern int audit_update_lsm_rules(void);
@@ -540,6 +542,9 @@ static inline int audit_log_task_context(struct audit_buffer *ab)
static inline void audit_log_task_info(struct audit_buffer *ab,
struct task_struct *tsk)
{ }
+static inline void audit_log_task_simple(struct audit_buffer *ab,
+ struct task_struct *tsk)
+{ }
#define audit_enabled 0
#endif /* CONFIG_AUDIT */
static inline void audit_log_string(struct audit_buffer *ab, const char *buf)
diff --git a/kernel/audit.c b/kernel/audit.c
index 1c13e42..29fb38b 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1100,6 +1100,41 @@ static void audit_receive(struct sk_buff *skb)
mutex_unlock(&audit_cmd_mutex);
}
+/* This function logs the essential information needed to understand
+ * what or who is causing the event */
+void audit_log_task_simple(struct audit_buffer *ab, struct task_struct *tsk)
+{
+ const struct cred *cred;
+ char comm[sizeof(tsk->comm)];
+ char *tty;
+
+ if (!ab)
+ return;
+
+ /* tsk == current */
+ cred = current_cred();
+
+ spin_lock_irq(&tsk->sighand->siglock);
+ if (tsk->signal && tsk->signal->tty &&
tsk->signal->tty->name)
+ tty = tsk->signal->tty->name;
+ else
+ tty = "(none)";
+ spin_unlock_irq(&tsk->sighand->siglock);
+
+ audit_log_format(ab, "pid=%u uid=%u auid=%u tty=%s ses=%u",
+ task_pid_nr(tsk),
+ from_kuid(&init_user_ns, cred->uid),
+ from_kuid(&init_user_ns, audit_get_loginuid(tsk)),
+ tty, audit_get_sessionid(tsk));
+
+ audit_log_task_context(ab); /* subj= */
+ audit_log_format(ab, " comm=");
+ audit_log_untrustedstring(ab, get_task_comm(comm, tsk));
+
+ audit_log_d_path_exe(ab, tsk->mm); /* exe= */
+}
+EXPORT_SYMBOL(audit_log_task_simple);
+
/* Run custom bind function on netlink socket group connect or bind requests. */
static int audit_bind(struct net *net, int group)
{
--
2.4.3