seccomp: audit abnormal end to a process due to seccomp

The audit system likes to collect information about processes that end abnormally (SIGSEGV) as this may me useful intrusion detection information. This patch adds audit support to collect information when seccomp forces a task to exit because of misbehavior in a similar way. Signed-off-by: Eric Paris <eparis@redhat.com>
author: Eric Paris <eparis@redhat.com> 2012-01-03 14:23:05 -0500
committer: Al Viro <viro@zeniv.linux.org.uk> 2012-01-17 16:16:55 -0500
commit: 85e7bac33b8d5edafc4e219c7dfdb3d48e0b4e31 (patch)
tree: 6a1f178de829d2219a65a8563e12f2c8029d4b13 /kernel
parent: 16c174bd95cb07c9d0ad3fcd8c70f9cea7214c9d (diff)
2 files changed, 31 insertions, 21 deletions
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 7c495147c3d9..e9bcb93800d8 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2529,6 +2529,25 @@ void __audit_mmap_fd(int fd, int flags)
        context->type = AUDIT_MMAP;
 }
+static void audit_log_abend(struct audit_buffer *ab, char *reason, long signr)
+{
+        uid_t auid, uid;
+        gid_t gid;
+        unsigned int sessionid;
+        auid = audit_get_loginuid(current);
+        sessionid = audit_get_sessionid(current);
+        current_uid_gid(&uid, &gid);
+        audit_log_format(ab, "auid=%u uid=%u gid=%u ses=%u",
+                         auid, uid, gid, sessionid);
+        audit_log_task_context(ab);
+        audit_log_format(ab, " pid=%d comm=", current->pid);
+        audit_log_untrustedstring(ab, current->comm);
+        audit_log_format(ab, " reason=");
+        audit_log_string(ab, reason);
+        audit_log_format(ab, " sig=%ld", signr);
+}
 /**
 * audit_core_dumps - record information about processes that end abnormally
 * @signr: signal value
@@ -2539,10 +2558,6 @@ void __audit_mmap_fd(int fd, int flags)
 void audit_core_dumps(long signr)
 {
        struct audit_buffer *ab;
-        u32 sid;
-        uid_t auid = audit_get_loginuid(current), uid;
-        gid_t gid;
-        unsigned int sessionid = audit_get_sessionid(current);
        if (!audit_enabled)
                return;
@@ -2551,24 +2566,17 @@ void audit_core_dumps(long signr)
                return;
        ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
-        current_uid_gid(&uid, &gid);
+        audit_log_abend(ab, "memory violation", signr);
-        audit_log_format(ab, "auid=%u uid=%u gid=%u ses=%u",
+        audit_log_end(ab);
-                         auid, uid, gid, sessionid);
+}
-        security_task_getsecid(current, &sid);
-        if (sid) {
-                char *ctx = NULL;
-                u32 len;
-                if (security_secid_to_secctx(sid, &ctx, &len))
+void __audit_seccomp(unsigned long syscall)
-                        audit_log_format(ab, " ssid=%u", sid);
+{
-                else {
+        struct audit_buffer *ab;
-                        audit_log_format(ab, " subj=%s", ctx);
-                        security_release_secctx(ctx, len);
+        ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
-                }
+        audit_log_abend(ab, "seccomp", SIGKILL);
-        }
+        audit_log_format(ab, " syscall=%ld", syscall);
-        audit_log_format(ab, " pid=%d comm=", current->pid);
-        audit_log_untrustedstring(ab, current->comm);
-        audit_log_format(ab, " sig=%ld", signr);
        audit_log_end(ab);
 }
diff --git a/kernel/seccomp.c b/kernel/seccomp.c
index 57d4b13b631d..e8d76c5895ea 100644
--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -6,6 +6,7 @@
 * This defines a simple but solid secure-computing mode.
 */
+#include <linux/audit.h>
 #include <linux/seccomp.h>
 #include <linux/sched.h>
 #include <linux/compat.h>
@@ -54,6 +55,7 @@ void __secure_computing(int this_syscall)
 #ifdef SECCOMP_DEBUG
        dump_stack();
 #endif
+        audit_seccomp(this_syscall);
        do_exit(SIGKILL);
 }
author	Eric Paris <eparis@redhat.com>	2012-01-03 14:23:05 -0500
committer	Al Viro <viro@zeniv.linux.org.uk>	2012-01-17 16:16:55 -0500
commit	85e7bac33b8d5edafc4e219c7dfdb3d48e0b4e31 (patch)
tree	6a1f178de829d2219a65a8563e12f2c8029d4b13 /kernel
parent	16c174bd95cb07c9d0ad3fcd8c70f9cea7214c9d (diff)

diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 7c495147c3d9..e9bcb93800d8 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c
@@ -2529,6 +2529,25 @@ void __audit_mmap_fd(int fd, int flags)
2529	context->type = AUDIT_MMAP;	2529	context->type = AUDIT_MMAP;
2530	}	2530	}
2531		2531
		2532	static void audit_log_abend(struct audit_buffer ab, char reason, long signr)
		2533	{
		2534	uid_t auid, uid;
		2535	gid_t gid;
		2536	unsigned int sessionid;
		2537
		2538	auid = audit_get_loginuid(current);
		2539	sessionid = audit_get_sessionid(current);
		2540	current_uid_gid(&uid, &gid);
		2541
		2542	audit_log_format(ab, "auid=%u uid=%u gid=%u ses=%u",
		2543	auid, uid, gid, sessionid);
		2544	audit_log_task_context(ab);
		2545	audit_log_format(ab, " pid=%d comm=", current->pid);
		2546	audit_log_untrustedstring(ab, current->comm);
		2547	audit_log_format(ab, " reason=");
		2548	audit_log_string(ab, reason);
		2549	audit_log_format(ab, " sig=%ld", signr);
		2550	}
2532	/**	2551	/**
2533	* audit_core_dumps - record information about processes that end abnormally	2552	* audit_core_dumps - record information about processes that end abnormally
2534	* @signr: signal value	2553	* @signr: signal value
@@ -2539,10 +2558,6 @@ void __audit_mmap_fd(int fd, int flags)
2539	void audit_core_dumps(long signr)	2558	void audit_core_dumps(long signr)
2540	{	2559	{
2541	struct audit_buffer *ab;	2560	struct audit_buffer *ab;
2542	u32 sid;
2543	uid_t auid = audit_get_loginuid(current), uid;
2544	gid_t gid;
2545	unsigned int sessionid = audit_get_sessionid(current);
2546		2561
2547	if (!audit_enabled)	2562	if (!audit_enabled)
2548	return;	2563	return;
@@ -2551,24 +2566,17 @@ void audit_core_dumps(long signr)
2551	return;	2566	return;
2552		2567
2553	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);	2568	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
2554	current_uid_gid(&uid, &gid);	2569	audit_log_abend(ab, "memory violation", signr);
2555	audit_log_format(ab, "auid=%u uid=%u gid=%u ses=%u",	2570	audit_log_end(ab);
2556	auid, uid, gid, sessionid);	2571	}
2557	security_task_getsecid(current, &sid);
2558	if (sid) {
2559	char *ctx = NULL;
2560	u32 len;
2561		2572
2562	if (security_secid_to_secctx(sid, &ctx, &len))	2573	void __audit_seccomp(unsigned long syscall)
2563	audit_log_format(ab, " ssid=%u", sid);	2574	{
2564	else {	2575	struct audit_buffer *ab;
2565	audit_log_format(ab, " subj=%s", ctx);	2576
2566	security_release_secctx(ctx, len);	2577	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
2567	}	2578	audit_log_abend(ab, "seccomp", SIGKILL);
2568	}	2579	audit_log_format(ab, " syscall=%ld", syscall);
2569	audit_log_format(ab, " pid=%d comm=", current->pid);
2570	audit_log_untrustedstring(ab, current->comm);
2571	audit_log_format(ab, " sig=%ld", signr);
2572	audit_log_end(ab);	2580	audit_log_end(ab);
2573	}	2581	}
2574		2582


diff --git a/kernel/seccomp.c b/kernel/seccomp.c index 57d4b13b631d..e8d76c5895ea 100644 --- a/kernel/seccomp.c +++ b/kernel/seccomp.c
@@ -6,6 +6,7 @@
6	* This defines a simple but solid secure-computing mode.	6	* This defines a simple but solid secure-computing mode.
7	*/	7	*/
8		8
		9	#include <linux/audit.h>
9	#include <linux/seccomp.h>	10	#include <linux/seccomp.h>
10	#include <linux/sched.h>	11	#include <linux/sched.h>
11	#include <linux/compat.h>	12	#include <linux/compat.h>
@@ -54,6 +55,7 @@ void __secure_computing(int this_syscall)
54	#ifdef SECCOMP_DEBUG	55	#ifdef SECCOMP_DEBUG
55	dump_stack();	56	dump_stack();
56	#endif	57	#endif
		58	audit_seccomp(this_syscall);
57	do_exit(SIGKILL);	59	do_exit(SIGKILL);
58	}	60	}
59		61