From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: Tyler Hicks <tyhicks@canonical.com>,
Paul Moore <paul@paul-moore.com>, Eric Paris <eparis@redhat.com>,
Kees Cook <keescook@chromium.org>,
Andy Lutomirski <luto@amacapital.net>,
Will Drewry <wad@chromium.org>,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH 2/2] seccomp: Audit SECCOMP_RET_ERRNO actions with errno values
Date: Mon, 02 Jan 2017 12:20:53 -0500 [thread overview]
Message-ID: <5284369.V7krsaxZyN@x2> (raw)
In-Reply-To: <1483375990-14948-3-git-send-email-tyhicks@canonical.com>
On Monday, January 2, 2017 4:53:10 PM EST Tyler Hicks wrote:
> Generate audit records for SECCOMP_RET_ERRNO actions, which were
> previously not audited.
>
> Additionally, include the errno value that will be set in the audit
> message.
>
> Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
> ---
> include/linux/audit.h | 19 ++++++++++++++++++-
> kernel/auditsc.c | 3 +++
> kernel/seccomp.c | 4 +++-
> 3 files changed, 24 insertions(+), 2 deletions(-)
>
> diff --git a/include/linux/audit.h b/include/linux/audit.h
> index 8c588c3..6815812 100644
> --- a/include/linux/audit.h
> +++ b/include/linux/audit.h
> @@ -87,7 +87,10 @@ struct audit_field {
>
> struct audit_seccomp_info {
> int code;
> - long signr;
> + union {
> + int errno;
> + long signr;
> + };
> };
>
> extern int is_audit_feature_set(int which);
> @@ -319,6 +322,20 @@ static inline void audit_inode_child(struct inode
> *parent, }
> void audit_core_dumps(long signr);
>
> +static inline void audit_seccomp_errno(unsigned long syscall, int errno,
> + int code)
> +{
> + if (!audit_enabled)
> + return;
> +
> + if (errno || unlikely(!audit_dummy_context())) {
> + struct audit_seccomp_info info = { .code = code,
> + .errno = errno };
> +
> + __audit_seccomp(syscall, &info);
> + }
> +}
> +
> static inline void audit_seccomp_signal(unsigned long syscall, long signr,
> int code)
> {
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index b3472f2..db5fc9d 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -2426,6 +2426,9 @@ void __audit_seccomp(unsigned long syscall, struct
> audit_seccomp_info *info) audit_log_task(ab);
>
> switch (info->code) {
> + case SECCOMP_RET_ERRNO:
> + audit_log_format(ab, " errno=%d", info->errno);
> + break;
"exit" is the field name that syscalls use to return errno to user space. I'd
rather not see another field created that maps to the same thing. You can check
the translation with the auformat utility:
http://people.redhat.com/sgrubb/files/auformat.tar.gz
$ ausearch --start today --just-one -m syscall -sv no --raw | ./auformat "%EXIT\n"
Also, I am working to normalize all the records. That mean every event record
of the same type has the same fields, in the same order, with the same
representation. I would think "exit" could be added to the current record after
syscall so that its ordered similarly to a syscall record.
-Steve
> case SECCOMP_RET_KILL:
> audit_log_format(ab, " sig=%ld", info->signr);
> break;
> diff --git a/kernel/seccomp.c b/kernel/seccomp.c
> index 54c01b6..e99c566 100644
> --- a/kernel/seccomp.c
> +++ b/kernel/seccomp.c
> @@ -576,9 +576,11 @@ static int __seccomp_filter(int this_syscall, const
> struct seccomp_data *sd, /* Set low-order bits as an errno, capped at
> MAX_ERRNO. */
> if (data > MAX_ERRNO)
> data = MAX_ERRNO;
> +
> + audit_seccomp_errno(this_syscall, data, action);
> syscall_set_return_value(current, task_pt_regs(current),
> -data, 0);
> - goto skip;
> + return -1;
>
> case SECCOMP_RET_TRAP:
> /* Show the handler the original registers. */
next prev parent reply other threads:[~2017-01-02 17:21 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-01-02 16:53 [PATCH 0/2] Begin auditing SECCOMP_RET_ERRNO return actions Tyler Hicks
2017-01-02 16:53 ` [PATCH 1/2] seccomp: Allow for auditing functionality specific to " Tyler Hicks
2017-01-02 16:53 ` [PATCH 2/2] seccomp: Audit SECCOMP_RET_ERRNO actions with errno values Tyler Hicks
2017-01-02 17:20 ` Steve Grubb [this message]
2017-01-02 17:42 ` Tyler Hicks
2017-01-02 18:49 ` Steve Grubb
2017-01-02 22:55 ` Paul Moore
2017-01-02 22:47 ` [PATCH 0/2] Begin auditing SECCOMP_RET_ERRNO return actions Paul Moore
2017-01-03 5:56 ` Andy Lutomirski
2017-01-03 19:31 ` Paul Moore
2017-01-03 13:31 ` Tyler Hicks
2017-01-03 19:42 ` Paul Moore
2017-01-03 20:44 ` Kees Cook
2017-01-03 20:53 ` Steve Grubb
2017-01-03 20:54 ` Paul Moore
2017-01-03 21:03 ` Kees Cook
2017-01-03 21:13 ` Paul Moore
2017-01-03 21:21 ` Kees Cook
2017-01-03 21:31 ` Paul Moore
2017-01-03 21:44 ` Kees Cook
2017-01-04 1:58 ` Tyler Hicks
2017-01-04 4:43 ` Richard Guy Briggs
2017-01-04 6:31 ` Kees Cook
2017-01-04 2:04 ` Tyler Hicks
2017-01-03 5:57 ` Andy Lutomirski
2017-01-03 13:53 ` Tyler Hicks
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5284369.V7krsaxZyN@x2 \
--to=sgrubb@redhat.com \
--cc=eparis@redhat.com \
--cc=keescook@chromium.org \
--cc=linux-audit@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=paul@paul-moore.com \
--cc=tyhicks@canonical.com \
--cc=wad@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).