6:49 p.m.
Hello,
This is a quicky patch to add security label info to user messages,
please take a look over it and let me know if there are objections.
Thanks.
-tim
diff --git a/kernel/audit.c b/kernel/audit.c
index d95efd6..576078b 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -54,6 +54,7 @@
#include <net/sock.h>
#include <linux/skbuff.h>
#include <linux/netlink.h>
+#include <linux/sched.h>
/* No auditing will take place until audit_initialized != 0.
* (Initialization happens after skb_init is called.) */
@@ -136,6 +137,8 @@ struct audit_buffer {
gfp_t gfp_mask;
};
+extern void audit_log_task_context(struct task_struct *tsk, struct audit_buffer *ab);
+
static void audit_set_pid(struct audit_buffer *ab, pid_t pid)
{
struct nlmsghdr *nlh = (struct nlmsghdr *)ab->skb->data;
@@ -391,6 +394,7 @@ static int audit_receive_msg(struct sk_b
u16 msg_type = nlh->nlmsg_type;
uid_t loginuid; /* loginuid of sender */
struct audit_sig_info sig_data;
+ struct task_struct *tsk;
err = audit_netlink_ok(NETLINK_CB(skb).eff_cap, msg_type);
if (err)
@@ -464,6 +468,13 @@ static int audit_receive_msg(struct sk_b
"user pid=%d uid=%u auid=%u msg='%.1024s'",
pid, uid, loginuid, (char *)data);
audit_set_pid(ab, pid);
+ read_lock(&tasklist_lock);
+ tsk = find_task_by_pid(pid);
+ if (tsk)
+ get_task_struct(tsk);
+ read_unlock(&tasklist_lock);
+ audit_log_task_context(tsk, ab);
+ put_task_struct(tsk);
audit_log_end(ab);
}
}
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 8f0a61c..689bac3 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -503,12 +503,12 @@ static inline void audit_free_context(st
printk(KERN_ERR "audit: freed %d contexts\n", count);
}
-static void audit_log_task_context(struct audit_buffer *ab)
+void audit_log_task_context(struct task_struct *tsk, struct audit_buffer *ab)
{
char *ctx = NULL;
ssize_t len = 0;
- len = security_getprocattr(current, "current", NULL, 0);
+ len = security_getprocattr(tsk, "current", NULL, 0);
if (len < 0) {
if (len != -EINVAL)
goto error_path;
@@ -519,7 +519,7 @@ static void audit_log_task_context(struc
if (!ctx)
goto error_path;
- len = security_getprocattr(current, "current", ctx, len);
+ len = security_getprocattr(tsk, "current", ctx, len);
if (len < 0 )
goto error_path;
@@ -559,7 +559,7 @@ static void audit_log_task_info(struct a
vma = vma->vm_next;
}
up_read(&mm->mmap_sem);
- audit_log_task_context(ab);
+ audit_log_task_context(current, ab);
}
static void audit_log_exit(struct audit_context *context, gfp_t gfp_mask)
6:46 a.m.
On Friday 13 January 2006 19:49, Timothy R. Chavez wrote:
@@ -464,6 +468,13 @@ static int audit_receive_msg(struct sk_b
"user pid=%d uid=%u
auid=%u msg='%.1024s'", pid, uid, loginuid, (char *)data);
audit_set_pid(ab, pid);
+ read_lock(&tasklist_lock);
+ tsk = find_task_by_pid(pid);
Looks good except...netlink is an async protocol. The pid that sent the
netlink packet may have been replaced by another process with the same pid by
the time we receive the packet. Seems like we need to collect and use the sid
at send time just like we do the loginuid.
-Steve
9:44 a.m.
On Sat, 2006-01-14 at 07:46 -0500, Steve Grubb wrote:
On Friday 13 January 2006 19:49, Timothy R. Chavez wrote:
> @@ -464,6 +468,13 @@ static int audit_receive_msg(struct sk_b
> "user pid=%d uid=%u
> auid=%u msg='%.1024s'", pid, uid, loginuid, (char *)data);
> audit_set_pid(ab, pid);
> + read_lock(&tasklist_lock);
> + tsk = find_task_by_pid(pid);
Looks good except...netlink is an async protocol. The pid that sent the
netlink packet may have been replaced by another process with the same pid by
the time we receive the packet. Seems like we need to collect and use the sid
at send time just like we do the loginuid.
-Steve
Aye, good point. Hmmmmm....
-tim
6926
days inactive
6928
days old
linux-audit@lists.linux-audit.osci.io
2 comments
2 participants
participants (2)
-
Steve Grubb -
Timothy R. Chavez