diff options
| author | Amy Griffis <amy.griffis@hp.com> | 2007-03-29 18:01:04 -0400 |
|---|---|---|
| committer | Al Viro <viro@zeniv.linux.org.uk> | 2007-05-11 05:38:25 -0400 |
| commit | e54dc2431d740a79a6bd013babade99d71b1714f (patch) | |
| tree | 16b0990d5c16946239a17b332f54b5918fb03305 /kernel/auditfilter.c | |
| parent | 7f13da40e36c84d0d046b7adbd060af7d3717250 (diff) | |
[PATCH] audit signal recipients
When auditing syscalls that send signals, log the pid and security
context for each target process. Optimize the data collection by
adding a counter for signal-related rules, and avoiding allocating an
aux struct unless we have more than one target process. For process
groups, collect pid/context data in blocks of 16. Move the
audit_signal_info() hook up in check_kill_permission() so we audit
attempts where permission is denied.
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Diffstat (limited to 'kernel/auditfilter.c')
| -rw-r--r-- | kernel/auditfilter.c | 48 |
1 files changed, 47 insertions, 1 deletions
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index 3749193aed8c..6c61263ff96d 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c | |||
| @@ -311,6 +311,43 @@ int audit_match_class(int class, unsigned syscall) | |||
| 311 | return classes[class][AUDIT_WORD(syscall)] & AUDIT_BIT(syscall); | 311 | return classes[class][AUDIT_WORD(syscall)] & AUDIT_BIT(syscall); |
| 312 | } | 312 | } |
| 313 | 313 | ||
| 314 | static inline int audit_match_class_bits(int class, u32 *mask) | ||
| 315 | { | ||
| 316 | int i; | ||
| 317 | |||
| 318 | if (classes[class]) { | ||
| 319 | for (i = 0; i < AUDIT_BITMASK_SIZE; i++) | ||
| 320 | if (mask[i] & classes[class][i]) | ||
| 321 | return 0; | ||
| 322 | } | ||
| 323 | return 1; | ||
| 324 | } | ||
| 325 | |||
| 326 | static int audit_match_signal(struct audit_entry *entry) | ||
| 327 | { | ||
| 328 | struct audit_field *arch = entry->rule.arch_f; | ||
| 329 | |||
| 330 | if (!arch) { | ||
| 331 | /* When arch is unspecified, we must check both masks on biarch | ||
| 332 | * as syscall number alone is ambiguous. */ | ||
| 333 | return (audit_match_class_bits(AUDIT_CLASS_SIGNAL, | ||
| 334 | entry->rule.mask) && | ||
| 335 | audit_match_class_bits(AUDIT_CLASS_SIGNAL_32, | ||
| 336 | entry->rule.mask)); | ||
| 337 | } | ||
| 338 | |||
| 339 | switch(audit_classify_arch(arch->val)) { | ||
| 340 | case 0: /* native */ | ||
| 341 | return (audit_match_class_bits(AUDIT_CLASS_SIGNAL, | ||
| 342 | entry->rule.mask)); | ||
| 343 | case 1: /* 32bit on biarch */ | ||
| 344 | return (audit_match_class_bits(AUDIT_CLASS_SIGNAL_32, | ||
| 345 | entry->rule.mask)); | ||
| 346 | default: | ||
| 347 | return 1; | ||
| 348 | } | ||
| 349 | } | ||
| 350 | |||
| 314 | /* Common user-space to kernel rule translation. */ | 351 | /* Common user-space to kernel rule translation. */ |
| 315 | static inline struct audit_entry *audit_to_entry_common(struct audit_rule *rule) | 352 | static inline struct audit_entry *audit_to_entry_common(struct audit_rule *rule) |
| 316 | { | 353 | { |
| @@ -429,6 +466,7 @@ static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule) | |||
| 429 | err = -EINVAL; | 466 | err = -EINVAL; |
| 430 | goto exit_free; | 467 | goto exit_free; |
| 431 | } | 468 | } |
| 469 | entry->rule.arch_f = f; | ||
| 432 | break; | 470 | break; |
| 433 | case AUDIT_PERM: | 471 | case AUDIT_PERM: |
| 434 | if (f->val & ~15) | 472 | if (f->val & ~15) |
| @@ -519,7 +557,6 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, | |||
| 519 | case AUDIT_FSGID: | 557 | case AUDIT_FSGID: |
| 520 | case AUDIT_LOGINUID: | 558 | case AUDIT_LOGINUID: |
| 521 | case AUDIT_PERS: | 559 | case AUDIT_PERS: |
| 522 | case AUDIT_ARCH: | ||
| 523 | case AUDIT_MSGTYPE: | 560 | case AUDIT_MSGTYPE: |
| 524 | case AUDIT_PPID: | 561 | case AUDIT_PPID: |
| 525 | case AUDIT_DEVMAJOR: | 562 | case AUDIT_DEVMAJOR: |
| @@ -531,6 +568,9 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, | |||
| 531 | case AUDIT_ARG2: | 568 | case AUDIT_ARG2: |
| 532 | case AUDIT_ARG3: | 569 | case AUDIT_ARG3: |
| 533 | break; | 570 | break; |
| 571 | case AUDIT_ARCH: | ||
| 572 | entry->rule.arch_f = f; | ||
| 573 | break; | ||
| 534 | case AUDIT_SUBJ_USER: | 574 | case AUDIT_SUBJ_USER: |
| 535 | case AUDIT_SUBJ_ROLE: | 575 | case AUDIT_SUBJ_ROLE: |
| 536 | case AUDIT_SUBJ_TYPE: | 576 | case AUDIT_SUBJ_TYPE: |
| @@ -1221,6 +1261,9 @@ static inline int audit_add_rule(struct audit_entry *entry, | |||
| 1221 | #ifdef CONFIG_AUDITSYSCALL | 1261 | #ifdef CONFIG_AUDITSYSCALL |
| 1222 | if (!dont_count) | 1262 | if (!dont_count) |
| 1223 | audit_n_rules++; | 1263 | audit_n_rules++; |
| 1264 | |||
| 1265 | if (!audit_match_signal(entry)) | ||
| 1266 | audit_signals++; | ||
| 1224 | #endif | 1267 | #endif |
| 1225 | mutex_unlock(&audit_filter_mutex); | 1268 | mutex_unlock(&audit_filter_mutex); |
| 1226 | 1269 | ||
| @@ -1294,6 +1337,9 @@ static inline int audit_del_rule(struct audit_entry *entry, | |||
| 1294 | #ifdef CONFIG_AUDITSYSCALL | 1337 | #ifdef CONFIG_AUDITSYSCALL |
| 1295 | if (!dont_count) | 1338 | if (!dont_count) |
| 1296 | audit_n_rules--; | 1339 | audit_n_rules--; |
| 1340 | |||
| 1341 | if (!audit_match_signal(entry)) | ||
| 1342 | audit_signals--; | ||
| 1297 | #endif | 1343 | #endif |
| 1298 | mutex_unlock(&audit_filter_mutex); | 1344 | mutex_unlock(&audit_filter_mutex); |
| 1299 | 1345 | ||