diff options
| author | Kees Cook <keescook@chromium.org> | 2012-04-12 17:47:58 -0400 |
|---|---|---|
| committer | James Morris <james.l.morris@oracle.com> | 2012-04-13 21:13:20 -0400 |
| commit | 3dc1c1b2d2ed7507ce8a379814ad75745ff97ebe (patch) | |
| tree | 68ca991b7a3d2fc7623f6d86ba5827d6638974fd | |
| parent | e2cfabdfd075648216f99c2c03821cf3f47c1727 (diff) | |
seccomp: remove duplicated failure logging
This consolidates the seccomp filter error logging path and adds more
details to the audit log.
Signed-off-by: Will Drewry <wad@chromium.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Eric Paris <eparis@redhat.com>
v18: make compat= permanent in the record
v15: added a return code to the audit_seccomp path by wad@chromium.org
(suggested by eparis@redhat.com)
v*: original by keescook@chromium.org
Signed-off-by: James Morris <james.l.morris@oracle.com>
| -rw-r--r-- | include/linux/audit.h | 8 | ||||
| -rw-r--r-- | kernel/auditsc.c | 8 | ||||
| -rw-r--r-- | kernel/seccomp.c | 15 |
3 files changed, 11 insertions, 20 deletions
diff --git a/include/linux/audit.h b/include/linux/audit.h index ed3ef1972496..22f292a917a3 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h | |||
| @@ -463,7 +463,7 @@ extern void audit_putname(const char *name); | |||
| 463 | extern void __audit_inode(const char *name, const struct dentry *dentry); | 463 | extern void __audit_inode(const char *name, const struct dentry *dentry); |
| 464 | extern void __audit_inode_child(const struct dentry *dentry, | 464 | extern void __audit_inode_child(const struct dentry *dentry, |
| 465 | const struct inode *parent); | 465 | const struct inode *parent); |
| 466 | extern void __audit_seccomp(unsigned long syscall); | 466 | extern void __audit_seccomp(unsigned long syscall, long signr, int code); |
| 467 | extern void __audit_ptrace(struct task_struct *t); | 467 | extern void __audit_ptrace(struct task_struct *t); |
| 468 | 468 | ||
| 469 | static inline int audit_dummy_context(void) | 469 | static inline int audit_dummy_context(void) |
| @@ -508,10 +508,10 @@ static inline void audit_inode_child(const struct dentry *dentry, | |||
| 508 | } | 508 | } |
| 509 | void audit_core_dumps(long signr); | 509 | void audit_core_dumps(long signr); |
| 510 | 510 | ||
| 511 | static inline void audit_seccomp(unsigned long syscall) | 511 | static inline void audit_seccomp(unsigned long syscall, long signr, int code) |
| 512 | { | 512 | { |
| 513 | if (unlikely(!audit_dummy_context())) | 513 | if (unlikely(!audit_dummy_context())) |
| 514 | __audit_seccomp(syscall); | 514 | __audit_seccomp(syscall, signr, code); |
| 515 | } | 515 | } |
| 516 | 516 | ||
| 517 | static inline void audit_ptrace(struct task_struct *t) | 517 | static inline void audit_ptrace(struct task_struct *t) |
| @@ -634,7 +634,7 @@ extern int audit_signals; | |||
| 634 | #define audit_inode(n,d) do { (void)(d); } while (0) | 634 | #define audit_inode(n,d) do { (void)(d); } while (0) |
| 635 | #define audit_inode_child(i,p) do { ; } while (0) | 635 | #define audit_inode_child(i,p) do { ; } while (0) |
| 636 | #define audit_core_dumps(i) do { ; } while (0) | 636 | #define audit_core_dumps(i) do { ; } while (0) |
| 637 | #define audit_seccomp(i) do { ; } while (0) | 637 | #define audit_seccomp(i,s,c) do { ; } while (0) |
| 638 | #define auditsc_get_stamp(c,t,s) (0) | 638 | #define auditsc_get_stamp(c,t,s) (0) |
| 639 | #define audit_get_loginuid(t) (-1) | 639 | #define audit_get_loginuid(t) (-1) |
| 640 | #define audit_get_sessionid(t) (-1) | 640 | #define audit_get_sessionid(t) (-1) |
diff --git a/kernel/auditsc.c b/kernel/auditsc.c index af1de0f34eae..4b96415527b8 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c | |||
| @@ -67,6 +67,7 @@ | |||
| 67 | #include <linux/syscalls.h> | 67 | #include <linux/syscalls.h> |
| 68 | #include <linux/capability.h> | 68 | #include <linux/capability.h> |
| 69 | #include <linux/fs_struct.h> | 69 | #include <linux/fs_struct.h> |
| 70 | #include <linux/compat.h> | ||
| 70 | 71 | ||
| 71 | #include "audit.h" | 72 | #include "audit.h" |
| 72 | 73 | ||
| @@ -2710,13 +2711,16 @@ void audit_core_dumps(long signr) | |||
| 2710 | audit_log_end(ab); | 2711 | audit_log_end(ab); |
| 2711 | } | 2712 | } |
| 2712 | 2713 | ||
| 2713 | void __audit_seccomp(unsigned long syscall) | 2714 | void __audit_seccomp(unsigned long syscall, long signr, int code) |
| 2714 | { | 2715 | { |
| 2715 | struct audit_buffer *ab; | 2716 | struct audit_buffer *ab; |
| 2716 | 2717 | ||
| 2717 | ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND); | 2718 | ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND); |
| 2718 | audit_log_abend(ab, "seccomp", SIGKILL); | 2719 | audit_log_abend(ab, "seccomp", signr); |
| 2719 | audit_log_format(ab, " syscall=%ld", syscall); | 2720 | audit_log_format(ab, " syscall=%ld", syscall); |
| 2721 | audit_log_format(ab, " compat=%d", is_compat_task()); | ||
| 2722 | audit_log_format(ab, " ip=0x%lx", KSTK_EIP(current)); | ||
| 2723 | audit_log_format(ab, " code=0x%x", code); | ||
| 2720 | audit_log_end(ab); | 2724 | audit_log_end(ab); |
| 2721 | } | 2725 | } |
| 2722 | 2726 | ||
diff --git a/kernel/seccomp.c b/kernel/seccomp.c index 0aeec1960f91..0f7c709a523e 100644 --- a/kernel/seccomp.c +++ b/kernel/seccomp.c | |||
| @@ -60,18 +60,6 @@ struct seccomp_filter { | |||
| 60 | /* Limit any path through the tree to 256KB worth of instructions. */ | 60 | /* Limit any path through the tree to 256KB worth of instructions. */ |
| 61 | #define MAX_INSNS_PER_PATH ((1 << 18) / sizeof(struct sock_filter)) | 61 | #define MAX_INSNS_PER_PATH ((1 << 18) / sizeof(struct sock_filter)) |
| 62 | 62 | ||
| 63 | static void seccomp_filter_log_failure(int syscall) | ||
| 64 | { | ||
| 65 | int compat = 0; | ||
| 66 | #ifdef CONFIG_COMPAT | ||
| 67 | compat = is_compat_task(); | ||
| 68 | #endif | ||
| 69 | pr_info("%s[%d]: %ssystem call %d blocked at 0x%lx\n", | ||
| 70 | current->comm, task_pid_nr(current), | ||
| 71 | (compat ? "compat " : ""), | ||
| 72 | syscall, KSTK_EIP(current)); | ||
| 73 | } | ||
| 74 | |||
| 75 | /** | 63 | /** |
| 76 | * get_u32 - returns a u32 offset into data | 64 | * get_u32 - returns a u32 offset into data |
| 77 | * @data: a unsigned 64 bit value | 65 | * @data: a unsigned 64 bit value |
| @@ -381,7 +369,6 @@ void __secure_computing(int this_syscall) | |||
| 381 | case SECCOMP_MODE_FILTER: | 369 | case SECCOMP_MODE_FILTER: |
| 382 | if (seccomp_run_filters(this_syscall) == SECCOMP_RET_ALLOW) | 370 | if (seccomp_run_filters(this_syscall) == SECCOMP_RET_ALLOW) |
| 383 | return; | 371 | return; |
| 384 | seccomp_filter_log_failure(this_syscall); | ||
| 385 | exit_sig = SIGSYS; | 372 | exit_sig = SIGSYS; |
| 386 | break; | 373 | break; |
| 387 | #endif | 374 | #endif |
| @@ -392,7 +379,7 @@ void __secure_computing(int this_syscall) | |||
| 392 | #ifdef SECCOMP_DEBUG | 379 | #ifdef SECCOMP_DEBUG |
| 393 | dump_stack(); | 380 | dump_stack(); |
| 394 | #endif | 381 | #endif |
| 395 | audit_seccomp(this_syscall); | 382 | audit_seccomp(this_syscall, exit_code, SECCOMP_RET_KILL); |
| 396 | do_exit(exit_sig); | 383 | do_exit(exit_sig); |
| 397 | } | 384 | } |
| 398 | 385 | ||