diff options
| author | Kees Cook <keescook@chromium.org> | 2013-01-11 17:32:05 -0500 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2013-01-11 17:54:55 -0500 |
| commit | 7b9205bd775afc4439ed86d617f9042ee9e76a71 (patch) | |
| tree | cfb91447f15301d7daccc73bda12a63fde6a229d /include | |
| parent | 56ca9d98772c68368c929ab41d42108319a38da2 (diff) | |
audit: create explicit AUDIT_SECCOMP event type
The seccomp path was using AUDIT_ANOM_ABEND from when seccomp mode 1
could only kill a process. While we still want to make sure an audit
record is forced on a kill, this should use a separate record type since
seccomp mode 2 introduces other behaviors.
In the case of "handled" behaviors (process wasn't killed), only emit a
record if the process is under inspection. This change also fixes
userspace examination of seccomp audit events, since it was considered
malformed due to missing fields of the AUDIT_ANOM_ABEND event type.
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Eric Paris <eparis@redhat.com>
Cc: Jeff Layton <jlayton@redhat.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Julien Tinnes <jln@google.com>
Acked-by: Will Drewry <wad@chromium.org>
Acked-by: Steve Grubb <sgrubb@redhat.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'include')
| -rw-r--r-- | include/linux/audit.h | 3 | ||||
| -rw-r--r-- | include/uapi/linux/audit.h | 1 |
2 files changed, 3 insertions, 1 deletions
diff --git a/include/linux/audit.h b/include/linux/audit.h index bce729afbcf9..9d5104d7aba9 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h | |||
| @@ -157,7 +157,8 @@ void audit_core_dumps(long signr); | |||
| 157 | 157 | ||
| 158 | static inline void audit_seccomp(unsigned long syscall, long signr, int code) | 158 | static inline void audit_seccomp(unsigned long syscall, long signr, int code) |
| 159 | { | 159 | { |
| 160 | if (unlikely(!audit_dummy_context())) | 160 | /* Force a record to be reported if a signal was delivered. */ |
| 161 | if (signr || unlikely(!audit_dummy_context())) | ||
| 161 | __audit_seccomp(syscall, signr, code); | 162 | __audit_seccomp(syscall, signr, code); |
| 162 | } | 163 | } |
| 163 | 164 | ||
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h index 76352ac45f24..09a2d94ab113 100644 --- a/include/uapi/linux/audit.h +++ b/include/uapi/linux/audit.h | |||
| @@ -106,6 +106,7 @@ | |||
| 106 | #define AUDIT_MMAP 1323 /* Record showing descriptor and flags in mmap */ | 106 | #define AUDIT_MMAP 1323 /* Record showing descriptor and flags in mmap */ |
| 107 | #define AUDIT_NETFILTER_PKT 1324 /* Packets traversing netfilter chains */ | 107 | #define AUDIT_NETFILTER_PKT 1324 /* Packets traversing netfilter chains */ |
| 108 | #define AUDIT_NETFILTER_CFG 1325 /* Netfilter chain modifications */ | 108 | #define AUDIT_NETFILTER_CFG 1325 /* Netfilter chain modifications */ |
| 109 | #define AUDIT_SECCOMP 1326 /* Secure Computing event */ | ||
| 109 | 110 | ||
| 110 | #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */ | 111 | #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */ |
| 111 | #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */ | 112 | #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */ |