From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1756517AbdABQyM (ORCPT ); Mon, 2 Jan 2017 11:54:12 -0500 Received: from youngberry.canonical.com ([91.189.89.112]:52528 "EHLO youngberry.canonical.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1756502AbdABQyL (ORCPT ); Mon, 2 Jan 2017 11:54:11 -0500 From: Tyler Hicks To: Paul Moore , Eric Paris , Kees Cook , Andy Lutomirski , Will Drewry Cc: linux-audit@redhat.com, linux-kernel@vger.kernel.org Subject: [PATCH 1/2] seccomp: Allow for auditing functionality specific to return actions Date: Mon, 2 Jan 2017 16:53:09 +0000 Message-Id: <1483375990-14948-2-git-send-email-tyhicks@canonical.com> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1483375990-14948-1-git-send-email-tyhicks@canonical.com> References: <1483375990-14948-1-git-send-email-tyhicks@canonical.com> Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org This patch introduces the concept of auditing formats that are specific to the action specified in a filter's return value. Initially, only SECCOMP_RET_KILL has an auditing message that differs from other return actions because it specifies the signal that is to be sent. This patch causes a small functional change in that "sig=0" is not printed when auditing seccomp actions other than SECCOMP_RET_KILL. Signed-off-by: Tyler Hicks --- include/linux/audit.h | 39 +++++++++++++++++++++++++++++++++------ kernel/auditsc.c | 19 +++++++++++++++---- kernel/seccomp.c | 6 +++--- 3 files changed, 51 insertions(+), 13 deletions(-) diff --git a/include/linux/audit.h b/include/linux/audit.h index f51fca8d..8c588c3 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -85,6 +85,11 @@ struct audit_field { u32 op; }; +struct audit_seccomp_info { + int code; + long signr; +}; + extern int is_audit_feature_set(int which); extern int __init audit_register_class(int class, unsigned *list); @@ -243,7 +248,8 @@ extern void __audit_file(const struct file *); extern void __audit_inode_child(struct inode *parent, const struct dentry *dentry, const unsigned char type); -extern void __audit_seccomp(unsigned long syscall, long signr, int code); +extern void __audit_seccomp(unsigned long syscall, + struct audit_seccomp_info *info); extern void __audit_ptrace(struct task_struct *t); static inline bool audit_dummy_context(void) @@ -313,14 +319,31 @@ static inline void audit_inode_child(struct inode *parent, } void audit_core_dumps(long signr); -static inline void audit_seccomp(unsigned long syscall, long signr, int code) +static inline void audit_seccomp_signal(unsigned long syscall, long signr, + int code) { if (!audit_enabled) return; /* Force a record to be reported if a signal was delivered. */ - if (signr || unlikely(!audit_dummy_context())) - __audit_seccomp(syscall, signr, code); + if (signr || unlikely(!audit_dummy_context())) { + struct audit_seccomp_info info = { .code = code, + .signr = signr }; + + __audit_seccomp(syscall, &info); + } +} + +static inline void audit_seccomp_common(unsigned long syscall, int code) +{ + if (!audit_enabled) + return; + + if (code || unlikely(!audit_dummy_context())) { + struct audit_seccomp_info info = { .code = code }; + + __audit_seccomp(syscall, &info); + } } static inline void audit_ptrace(struct task_struct *t) @@ -485,9 +508,13 @@ static inline void audit_inode_child(struct inode *parent, { } static inline void audit_core_dumps(long signr) { } -static inline void __audit_seccomp(unsigned long syscall, long signr, int code) +static inline void __audit_seccomp(unsigned long syscall, + struct audit_seccomp_info *info); +{ } +static inline void audit_seccomp_signal(unsigned long syscall, long signr, + int code) { } -static inline void audit_seccomp(unsigned long syscall, long signr, int code) +static inline void audit_seccomp_common(unsigned long syscall, int code) { } static inline int auditsc_get_stamp(struct audit_context *ctx, struct timespec *t, unsigned int *serial) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index cf1fa43..b3472f2 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -74,6 +74,7 @@ #include #include #include +#include #include "audit.h" @@ -2415,7 +2416,7 @@ void audit_core_dumps(long signr) audit_log_end(ab); } -void __audit_seccomp(unsigned long syscall, long signr, int code) +void __audit_seccomp(unsigned long syscall, struct audit_seccomp_info *info) { struct audit_buffer *ab; @@ -2423,9 +2424,19 @@ void __audit_seccomp(unsigned long syscall, long signr, int code) if (unlikely(!ab)) return; audit_log_task(ab); - audit_log_format(ab, " sig=%ld arch=%x syscall=%ld compat=%d ip=0x%lx code=0x%x", - signr, syscall_get_arch(), syscall, - in_compat_syscall(), KSTK_EIP(current), code); + + switch (info->code) { + case SECCOMP_RET_KILL: + audit_log_format(ab, " sig=%ld", info->signr); + break; + default: + break; + } + + audit_log_format(ab, + " arch=%x syscall=%ld compat=%d ip=0x%lx code=0x%x", + syscall_get_arch(), syscall, in_compat_syscall(), + KSTK_EIP(current), info->code); audit_log_end(ab); } diff --git a/kernel/seccomp.c b/kernel/seccomp.c index f7ce79a..54c01b6 100644 --- a/kernel/seccomp.c +++ b/kernel/seccomp.c @@ -532,7 +532,7 @@ static void __secure_computing_strict(int this_syscall) #ifdef SECCOMP_DEBUG dump_stack(); #endif - audit_seccomp(this_syscall, SIGKILL, SECCOMP_RET_KILL); + audit_seccomp_signal(this_syscall, SIGKILL, SECCOMP_RET_KILL); do_exit(SIGKILL); } @@ -635,14 +635,14 @@ static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd, case SECCOMP_RET_KILL: default: - audit_seccomp(this_syscall, SIGSYS, action); + audit_seccomp_signal(this_syscall, SIGSYS, action); do_exit(SIGSYS); } unreachable(); skip: - audit_seccomp(this_syscall, 0, action); + audit_seccomp_common(this_syscall, action); return -1; } #else -- 2.7.4