From: Sven Schnelle <svens@linux.ibm.com>
To: Paul Moore <paul@paul-moore.com>, Eric Paris <eparis@redhat.com>
Cc: linux-audit@redhat.com, linux-kernel@vger.kernel.org
Subject: [PATCH 1/2] audit: add call argument to socketcall auditing
Date: Tue, 3 May 2022 11:02:11 +0200 [thread overview]
Message-ID: <20220503090212.1322050-1-svens@linux.ibm.com> (raw)
socketcall auditing misses the call argument:
type=SOCKETCALL msg=audit: nargs=3 a0=10 a1=3 a2=c
which renders socketcall auditing (almost) useless. Add the call
argument so it is possible to decode the actual syscall from the
audit log:
type=SOCKETCALL msg=audit: call=1 nargs=3 a0=10 a1=3 a2=c
Signed-off-by: Sven Schnelle <svens@linux.ibm.com>
---
include/linux/audit.h | 10 +++++-----
kernel/audit.h | 1 +
kernel/auditsc.c | 6 ++++--
net/compat.c | 2 +-
net/socket.c | 2 +-
5 files changed, 12 insertions(+), 9 deletions(-)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index d06134ac6245..7d2256f999ab 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -405,7 +405,7 @@ static inline void audit_ptrace(struct task_struct *t)
extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp);
extern void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode);
extern void __audit_bprm(struct linux_binprm *bprm);
-extern int __audit_socketcall(int nargs, unsigned long *args);
+extern int __audit_socketcall(int call, int nargs, unsigned long *args);
extern int __audit_sockaddr(int len, void *addr);
extern void __audit_fd_pair(int fd1, int fd2);
extern void __audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr);
@@ -445,14 +445,14 @@ static inline void audit_bprm(struct linux_binprm *bprm)
if (unlikely(!audit_dummy_context()))
__audit_bprm(bprm);
}
-static inline int audit_socketcall(int nargs, unsigned long *args)
+static inline int audit_socketcall(int call, int nargs, unsigned long *args)
{
if (unlikely(!audit_dummy_context()))
- return __audit_socketcall(nargs, args);
+ return __audit_socketcall(call, nargs, args);
return 0;
}
-static inline int audit_socketcall_compat(int nargs, u32 *args)
+static inline int audit_socketcall_compat(int call, int nargs, u32 *args)
{
unsigned long a[AUDITSC_ARGS];
int i;
@@ -462,7 +462,7 @@ static inline int audit_socketcall_compat(int nargs, u32 *args)
for (i = 0; i < nargs; i++)
a[i] = (unsigned long)args[i];
- return __audit_socketcall(nargs, a);
+ return __audit_socketcall(call, nargs, a);
}
static inline int audit_sockaddr(int len, void *addr)
diff --git a/kernel/audit.h b/kernel/audit.h
index 58b66543b4d5..34e53b6f0ebb 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -153,6 +153,7 @@ struct audit_context {
int type;
union {
struct {
+ int call;
int nargs;
long args[6];
} socketcall;
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index ea2ee1181921..c856893041c9 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1399,8 +1399,9 @@ static void show_special(struct audit_context *context, int *call_panic)
switch (context->type) {
case AUDIT_SOCKETCALL: {
int nargs = context->socketcall.nargs;
+ int call = context->socketcall.call;
- audit_log_format(ab, "nargs=%d", nargs);
+ audit_log_format(ab, "call=%d nargs=%d", call, nargs);
for (i = 0; i < nargs; i++)
audit_log_format(ab, " a%d=%lx", i,
context->socketcall.args[i]);
@@ -2684,13 +2685,14 @@ void __audit_bprm(struct linux_binprm *bprm)
* @args: args array
*
*/
-int __audit_socketcall(int nargs, unsigned long *args)
+int __audit_socketcall(int call, int nargs, unsigned long *args)
{
struct audit_context *context = audit_context();
if (nargs <= 0 || nargs > AUDITSC_ARGS || !args)
return -EINVAL;
context->type = AUDIT_SOCKETCALL;
+ context->socketcall.call = call;
context->socketcall.nargs = nargs;
memcpy(context->socketcall.args, args, nargs * sizeof(unsigned long));
return 0;
diff --git a/net/compat.c b/net/compat.c
index 210fc3b4d0d8..0df955019ecc 100644
--- a/net/compat.c
+++ b/net/compat.c
@@ -437,7 +437,7 @@ COMPAT_SYSCALL_DEFINE2(socketcall, int, call, u32 __user *, args)
if (copy_from_user(a, args, len))
return -EFAULT;
- ret = audit_socketcall_compat(len / sizeof(a[0]), a);
+ ret = audit_socketcall_compat(call, len / sizeof(a[0]), a);
if (ret)
return ret;
diff --git a/net/socket.c b/net/socket.c
index 6887840682bb..ff71f28c96f7 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -2921,7 +2921,7 @@ SYSCALL_DEFINE2(socketcall, int, call, unsigned long __user *, args)
if (copy_from_user(a, args, len))
return -EFAULT;
- err = audit_socketcall(nargs[call] / sizeof(unsigned long), a);
+ err = audit_socketcall(call, nargs[call] / sizeof(unsigned long), a);
if (err)
return err;
--
2.32.0
WARNING: multiple messages have this Message-ID (diff)
From: Sven Schnelle <svens@linux.ibm.com>
To: Paul Moore <paul@paul-moore.com>, Eric Paris <eparis@redhat.com>
Cc: linux-audit@redhat.com, linux-kernel@vger.kernel.org
Subject: [PATCH 1/2] audit: add call argument to socketcall auditing
Date: Tue, 3 May 2022 11:02:11 +0200 [thread overview]
Message-ID: <20220503090212.1322050-1-svens@linux.ibm.com> (raw)
socketcall auditing misses the call argument:
type=SOCKETCALL msg=audit: nargs=3 a0=10 a1=3 a2=c
which renders socketcall auditing (almost) useless. Add the call
argument so it is possible to decode the actual syscall from the
audit log:
type=SOCKETCALL msg=audit: call=1 nargs=3 a0=10 a1=3 a2=c
Signed-off-by: Sven Schnelle <svens@linux.ibm.com>
---
include/linux/audit.h | 10 +++++-----
kernel/audit.h | 1 +
kernel/auditsc.c | 6 ++++--
net/compat.c | 2 +-
net/socket.c | 2 +-
5 files changed, 12 insertions(+), 9 deletions(-)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index d06134ac6245..7d2256f999ab 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -405,7 +405,7 @@ static inline void audit_ptrace(struct task_struct *t)
extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp);
extern void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode);
extern void __audit_bprm(struct linux_binprm *bprm);
-extern int __audit_socketcall(int nargs, unsigned long *args);
+extern int __audit_socketcall(int call, int nargs, unsigned long *args);
extern int __audit_sockaddr(int len, void *addr);
extern void __audit_fd_pair(int fd1, int fd2);
extern void __audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr);
@@ -445,14 +445,14 @@ static inline void audit_bprm(struct linux_binprm *bprm)
if (unlikely(!audit_dummy_context()))
__audit_bprm(bprm);
}
-static inline int audit_socketcall(int nargs, unsigned long *args)
+static inline int audit_socketcall(int call, int nargs, unsigned long *args)
{
if (unlikely(!audit_dummy_context()))
- return __audit_socketcall(nargs, args);
+ return __audit_socketcall(call, nargs, args);
return 0;
}
-static inline int audit_socketcall_compat(int nargs, u32 *args)
+static inline int audit_socketcall_compat(int call, int nargs, u32 *args)
{
unsigned long a[AUDITSC_ARGS];
int i;
@@ -462,7 +462,7 @@ static inline int audit_socketcall_compat(int nargs, u32 *args)
for (i = 0; i < nargs; i++)
a[i] = (unsigned long)args[i];
- return __audit_socketcall(nargs, a);
+ return __audit_socketcall(call, nargs, a);
}
static inline int audit_sockaddr(int len, void *addr)
diff --git a/kernel/audit.h b/kernel/audit.h
index 58b66543b4d5..34e53b6f0ebb 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -153,6 +153,7 @@ struct audit_context {
int type;
union {
struct {
+ int call;
int nargs;
long args[6];
} socketcall;
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index ea2ee1181921..c856893041c9 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1399,8 +1399,9 @@ static void show_special(struct audit_context *context, int *call_panic)
switch (context->type) {
case AUDIT_SOCKETCALL: {
int nargs = context->socketcall.nargs;
+ int call = context->socketcall.call;
- audit_log_format(ab, "nargs=%d", nargs);
+ audit_log_format(ab, "call=%d nargs=%d", call, nargs);
for (i = 0; i < nargs; i++)
audit_log_format(ab, " a%d=%lx", i,
context->socketcall.args[i]);
@@ -2684,13 +2685,14 @@ void __audit_bprm(struct linux_binprm *bprm)
* @args: args array
*
*/
-int __audit_socketcall(int nargs, unsigned long *args)
+int __audit_socketcall(int call, int nargs, unsigned long *args)
{
struct audit_context *context = audit_context();
if (nargs <= 0 || nargs > AUDITSC_ARGS || !args)
return -EINVAL;
context->type = AUDIT_SOCKETCALL;
+ context->socketcall.call = call;
context->socketcall.nargs = nargs;
memcpy(context->socketcall.args, args, nargs * sizeof(unsigned long));
return 0;
diff --git a/net/compat.c b/net/compat.c
index 210fc3b4d0d8..0df955019ecc 100644
--- a/net/compat.c
+++ b/net/compat.c
@@ -437,7 +437,7 @@ COMPAT_SYSCALL_DEFINE2(socketcall, int, call, u32 __user *, args)
if (copy_from_user(a, args, len))
return -EFAULT;
- ret = audit_socketcall_compat(len / sizeof(a[0]), a);
+ ret = audit_socketcall_compat(call, len / sizeof(a[0]), a);
if (ret)
return ret;
diff --git a/net/socket.c b/net/socket.c
index 6887840682bb..ff71f28c96f7 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -2921,7 +2921,7 @@ SYSCALL_DEFINE2(socketcall, int, call, unsigned long __user *, args)
if (copy_from_user(a, args, len))
return -EFAULT;
- err = audit_socketcall(nargs[call] / sizeof(unsigned long), a);
+ err = audit_socketcall(call, nargs[call] / sizeof(unsigned long), a);
if (err)
return err;
--
2.32.0
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
next reply other threads:[~2022-05-03 9:02 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-05-03 9:02 Sven Schnelle [this message]
2022-05-03 9:02 ` [PATCH 1/2] audit: add call argument to socketcall auditing Sven Schnelle
2022-05-03 9:02 ` [PATCH 2/2] audit: add filterkey to special audit messages Sven Schnelle
2022-05-03 9:02 ` Sven Schnelle
2022-05-03 16:57 ` Paul Moore
2022-05-03 16:57 ` Paul Moore
2022-05-04 5:22 ` Sven Schnelle
2022-05-04 5:22 ` Sven Schnelle
2022-05-03 13:32 ` [PATCH 1/2] audit: add call argument to socketcall auditing kernel test robot
2022-05-03 13:32 ` kernel test robot
2022-05-03 13:32 ` kernel test robot
2022-05-03 13:32 ` kernel test robot
2022-05-03 14:04 ` kernel test robot
2022-05-03 14:04 ` kernel test robot
2022-05-03 16:07 ` Paul Moore
2022-05-03 16:07 ` Paul Moore
2022-05-03 17:16 ` Steve Grubb
2022-05-03 17:16 ` Steve Grubb
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220503090212.1322050-1-svens@linux.ibm.com \
--to=svens@linux.ibm.com \
--cc=eparis@redhat.com \
--cc=linux-audit@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=paul@paul-moore.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.