aboutsummaryrefslogtreecommitdiffstats
path: root/kernel
diff options
context:
space:
mode:
Diffstat (limited to 'kernel')
-rw-r--r--kernel/audit.h13
-rw-r--r--kernel/auditfilter.c48
-rw-r--r--kernel/auditsc.c311
-rw-r--r--kernel/ptrace.c3
-rw-r--r--kernel/signal.c10
5 files changed, 290 insertions, 95 deletions
diff --git a/kernel/audit.h b/kernel/audit.h
index a3370232a390..815d6f5c04ee 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -83,6 +83,7 @@ struct audit_krule {
83 u32 field_count; 83 u32 field_count;
84 char *filterkey; /* ties events to rules */ 84 char *filterkey; /* ties events to rules */
85 struct audit_field *fields; 85 struct audit_field *fields;
86 struct audit_field *arch_f; /* quick access to arch field */
86 struct audit_field *inode_f; /* quick access to an inode field */ 87 struct audit_field *inode_f; /* quick access to an inode field */
87 struct audit_watch *watch; /* associated watch */ 88 struct audit_watch *watch; /* associated watch */
88 struct list_head rlist; /* entry in audit_watch.rules list */ 89 struct list_head rlist; /* entry in audit_watch.rules list */
@@ -131,17 +132,19 @@ extern void audit_handle_ievent(struct inotify_watch *, u32, u32, u32,
131extern int selinux_audit_rule_update(void); 132extern int selinux_audit_rule_update(void);
132 133
133#ifdef CONFIG_AUDITSYSCALL 134#ifdef CONFIG_AUDITSYSCALL
134extern void __audit_signal_info(int sig, struct task_struct *t); 135extern int __audit_signal_info(int sig, struct task_struct *t);
135static inline void audit_signal_info(int sig, struct task_struct *t) 136static inline int audit_signal_info(int sig, struct task_struct *t)
136{ 137{
137 if (unlikely(audit_pid && t->tgid == audit_pid)) 138 if (unlikely((audit_pid && t->tgid == audit_pid) ||
138 __audit_signal_info(sig, t); 139 (audit_signals && !audit_dummy_context())))
140 return __audit_signal_info(sig, t);
141 return 0;
139} 142}
140extern enum audit_state audit_filter_inodes(struct task_struct *, 143extern enum audit_state audit_filter_inodes(struct task_struct *,
141 struct audit_context *); 144 struct audit_context *);
142extern void audit_set_auditable(struct audit_context *); 145extern void audit_set_auditable(struct audit_context *);
143#else 146#else
144#define audit_signal_info(s,t) 147#define audit_signal_info(s,t) AUDIT_DISABLED
145#define audit_filter_inodes(t,c) AUDIT_DISABLED 148#define audit_filter_inodes(t,c) AUDIT_DISABLED
146#define audit_set_auditable(c) 149#define audit_set_auditable(c)
147#endif 150#endif
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 3749193aed8c..6c61263ff96d 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -311,6 +311,43 @@ int audit_match_class(int class, unsigned syscall)
311 return classes[class][AUDIT_WORD(syscall)] & AUDIT_BIT(syscall); 311 return classes[class][AUDIT_WORD(syscall)] & AUDIT_BIT(syscall);
312} 312}
313 313
314static inline int audit_match_class_bits(int class, u32 *mask)
315{
316 int i;
317
318 if (classes[class]) {
319 for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
320 if (mask[i] & classes[class][i])
321 return 0;
322 }
323 return 1;
324}
325
326static int audit_match_signal(struct audit_entry *entry)
327{
328 struct audit_field *arch = entry->rule.arch_f;
329
330 if (!arch) {
331 /* When arch is unspecified, we must check both masks on biarch
332 * as syscall number alone is ambiguous. */
333 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL,
334 entry->rule.mask) &&
335 audit_match_class_bits(AUDIT_CLASS_SIGNAL_32,
336 entry->rule.mask));
337 }
338
339 switch(audit_classify_arch(arch->val)) {
340 case 0: /* native */
341 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL,
342 entry->rule.mask));
343 case 1: /* 32bit on biarch */
344 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL_32,
345 entry->rule.mask));
346 default:
347 return 1;
348 }
349}
350
314/* Common user-space to kernel rule translation. */ 351/* Common user-space to kernel rule translation. */
315static inline struct audit_entry *audit_to_entry_common(struct audit_rule *rule) 352static inline struct audit_entry *audit_to_entry_common(struct audit_rule *rule)
316{ 353{
@@ -429,6 +466,7 @@ static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule)
429 err = -EINVAL; 466 err = -EINVAL;
430 goto exit_free; 467 goto exit_free;
431 } 468 }
469 entry->rule.arch_f = f;
432 break; 470 break;
433 case AUDIT_PERM: 471 case AUDIT_PERM:
434 if (f->val & ~15) 472 if (f->val & ~15)
@@ -519,7 +557,6 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
519 case AUDIT_FSGID: 557 case AUDIT_FSGID:
520 case AUDIT_LOGINUID: 558 case AUDIT_LOGINUID:
521 case AUDIT_PERS: 559 case AUDIT_PERS:
522 case AUDIT_ARCH:
523 case AUDIT_MSGTYPE: 560 case AUDIT_MSGTYPE:
524 case AUDIT_PPID: 561 case AUDIT_PPID:
525 case AUDIT_DEVMAJOR: 562 case AUDIT_DEVMAJOR:
@@ -531,6 +568,9 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
531 case AUDIT_ARG2: 568 case AUDIT_ARG2:
532 case AUDIT_ARG3: 569 case AUDIT_ARG3:
533 break; 570 break;
571 case AUDIT_ARCH:
572 entry->rule.arch_f = f;
573 break;
534 case AUDIT_SUBJ_USER: 574 case AUDIT_SUBJ_USER:
535 case AUDIT_SUBJ_ROLE: 575 case AUDIT_SUBJ_ROLE:
536 case AUDIT_SUBJ_TYPE: 576 case AUDIT_SUBJ_TYPE:
@@ -1221,6 +1261,9 @@ static inline int audit_add_rule(struct audit_entry *entry,
1221#ifdef CONFIG_AUDITSYSCALL 1261#ifdef CONFIG_AUDITSYSCALL
1222 if (!dont_count) 1262 if (!dont_count)
1223 audit_n_rules++; 1263 audit_n_rules++;
1264
1265 if (!audit_match_signal(entry))
1266 audit_signals++;
1224#endif 1267#endif
1225 mutex_unlock(&audit_filter_mutex); 1268 mutex_unlock(&audit_filter_mutex);
1226 1269
@@ -1294,6 +1337,9 @@ static inline int audit_del_rule(struct audit_entry *entry,
1294#ifdef CONFIG_AUDITSYSCALL 1337#ifdef CONFIG_AUDITSYSCALL
1295 if (!dont_count) 1338 if (!dont_count)
1296 audit_n_rules--; 1339 audit_n_rules--;
1340
1341 if (!audit_match_signal(entry))
1342 audit_signals--;
1297#endif 1343#endif
1298 mutex_unlock(&audit_filter_mutex); 1344 mutex_unlock(&audit_filter_mutex);
1299 1345
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 628c7ac590a0..e36481ed61b4 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -78,17 +78,15 @@ extern int audit_enabled;
78 * for saving names from getname(). */ 78 * for saving names from getname(). */
79#define AUDIT_NAMES 20 79#define AUDIT_NAMES 20
80 80
81/* AUDIT_NAMES_RESERVED is the number of slots we reserve in the
82 * audit_context from being used for nameless inodes from
83 * path_lookup. */
84#define AUDIT_NAMES_RESERVED 7
85
86/* Indicates that audit should log the full pathname. */ 81/* Indicates that audit should log the full pathname. */
87#define AUDIT_NAME_FULL -1 82#define AUDIT_NAME_FULL -1
88 83
89/* number of audit rules */ 84/* number of audit rules */
90int audit_n_rules; 85int audit_n_rules;
91 86
87/* determines whether we collect data for signals sent */
88int audit_signals;
89
92/* When fs/namei.c:getname() is called, we store the pointer in name and 90/* When fs/namei.c:getname() is called, we store the pointer in name and
93 * we don't let putname() free it (instead we free all of the saved 91 * we don't let putname() free it (instead we free all of the saved
94 * pointers at syscall exit time). 92 * pointers at syscall exit time).
@@ -114,6 +112,9 @@ struct audit_aux_data {
114 112
115#define AUDIT_AUX_IPCPERM 0 113#define AUDIT_AUX_IPCPERM 0
116 114
115/* Number of target pids per aux struct. */
116#define AUDIT_AUX_PIDS 16
117
117struct audit_aux_data_mq_open { 118struct audit_aux_data_mq_open {
118 struct audit_aux_data d; 119 struct audit_aux_data d;
119 int oflag; 120 int oflag;
@@ -181,6 +182,13 @@ struct audit_aux_data_path {
181 struct vfsmount *mnt; 182 struct vfsmount *mnt;
182}; 183};
183 184
185struct audit_aux_data_pids {
186 struct audit_aux_data d;
187 pid_t target_pid[AUDIT_AUX_PIDS];
188 u32 target_sid[AUDIT_AUX_PIDS];
189 int pid_count;
190};
191
184/* The per-task audit context. */ 192/* The per-task audit context. */
185struct audit_context { 193struct audit_context {
186 int dummy; /* must be the first element */ 194 int dummy; /* must be the first element */
@@ -201,6 +209,7 @@ struct audit_context {
201 struct vfsmount * pwdmnt; 209 struct vfsmount * pwdmnt;
202 struct audit_context *previous; /* For nested syscalls */ 210 struct audit_context *previous; /* For nested syscalls */
203 struct audit_aux_data *aux; 211 struct audit_aux_data *aux;
212 struct audit_aux_data *aux_pids;
204 213
205 /* Save things to print about task_struct */ 214 /* Save things to print about task_struct */
206 pid_t pid, ppid; 215 pid_t pid, ppid;
@@ -209,6 +218,9 @@ struct audit_context {
209 unsigned long personality; 218 unsigned long personality;
210 int arch; 219 int arch;
211 220
221 pid_t target_pid;
222 u32 target_sid;
223
212#if AUDIT_DEBUG 224#if AUDIT_DEBUG
213 int put_count; 225 int put_count;
214 int ino_count; 226 int ino_count;
@@ -654,6 +666,10 @@ static inline void audit_free_aux(struct audit_context *context)
654 context->aux = aux->next; 666 context->aux = aux->next;
655 kfree(aux); 667 kfree(aux);
656 } 668 }
669 while ((aux = context->aux_pids)) {
670 context->aux_pids = aux->next;
671 kfree(aux);
672 }
657} 673}
658 674
659static inline void audit_zero_context(struct audit_context *context, 675static inline void audit_zero_context(struct audit_context *context,
@@ -795,6 +811,29 @@ static void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk
795 audit_log_task_context(ab); 811 audit_log_task_context(ab);
796} 812}
797 813
814static int audit_log_pid_context(struct audit_context *context, pid_t pid,
815 u32 sid)
816{
817 struct audit_buffer *ab;
818 char *s = NULL;
819 u32 len;
820 int rc = 0;
821
822 ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID);
823 if (!ab)
824 return 1;
825
826 if (selinux_sid_to_string(sid, &s, &len)) {
827 audit_log_format(ab, "opid=%d obj=(none)", pid);
828 rc = 1;
829 } else
830 audit_log_format(ab, "opid=%d obj=%s", pid, s);
831 audit_log_end(ab);
832 kfree(s);
833
834 return rc;
835}
836
798static void audit_log_exit(struct audit_context *context, struct task_struct *tsk) 837static void audit_log_exit(struct audit_context *context, struct task_struct *tsk)
799{ 838{
800 int i, call_panic = 0; 839 int i, call_panic = 0;
@@ -973,6 +1012,21 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
973 audit_log_end(ab); 1012 audit_log_end(ab);
974 } 1013 }
975 1014
1015 for (aux = context->aux_pids; aux; aux = aux->next) {
1016 struct audit_aux_data_pids *axs = (void *)aux;
1017 int i;
1018
1019 for (i = 0; i < axs->pid_count; i++)
1020 if (audit_log_pid_context(context, axs->target_pid[i],
1021 axs->target_sid[i]))
1022 call_panic = 1;
1023 }
1024
1025 if (context->target_pid &&
1026 audit_log_pid_context(context, context->target_pid,
1027 context->target_sid))
1028 call_panic = 1;
1029
976 if (context->pwd && context->pwdmnt) { 1030 if (context->pwd && context->pwdmnt) {
977 ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD); 1031 ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD);
978 if (ab) { 1032 if (ab) {
@@ -1193,6 +1247,10 @@ void audit_syscall_exit(int valid, long return_code)
1193 } else { 1247 } else {
1194 audit_free_names(context); 1248 audit_free_names(context);
1195 audit_free_aux(context); 1249 audit_free_aux(context);
1250 context->aux = NULL;
1251 context->aux_pids = NULL;
1252 context->target_pid = 0;
1253 context->target_sid = 0;
1196 kfree(context->filterkey); 1254 kfree(context->filterkey);
1197 context->filterkey = NULL; 1255 context->filterkey = NULL;
1198 tsk->audit_context = context; 1256 tsk->audit_context = context;
@@ -1226,6 +1284,7 @@ void __audit_getname(const char *name)
1226 context->names[context->name_count].name_len = AUDIT_NAME_FULL; 1284 context->names[context->name_count].name_len = AUDIT_NAME_FULL;
1227 context->names[context->name_count].name_put = 1; 1285 context->names[context->name_count].name_put = 1;
1228 context->names[context->name_count].ino = (unsigned long)-1; 1286 context->names[context->name_count].ino = (unsigned long)-1;
1287 context->names[context->name_count].osid = 0;
1229 ++context->name_count; 1288 ++context->name_count;
1230 if (!context->pwd) { 1289 if (!context->pwd) {
1231 read_lock(&current->fs->lock); 1290 read_lock(&current->fs->lock);
@@ -1279,6 +1338,28 @@ void audit_putname(const char *name)
1279#endif 1338#endif
1280} 1339}
1281 1340
1341static int audit_inc_name_count(struct audit_context *context,
1342 const struct inode *inode)
1343{
1344 if (context->name_count >= AUDIT_NAMES) {
1345 if (inode)
1346 printk(KERN_DEBUG "name_count maxed, losing inode data: "
1347 "dev=%02x:%02x, inode=%lu",
1348 MAJOR(inode->i_sb->s_dev),
1349 MINOR(inode->i_sb->s_dev),
1350 inode->i_ino);
1351
1352 else
1353 printk(KERN_DEBUG "name_count maxed, losing inode data");
1354 return 1;
1355 }
1356 context->name_count++;
1357#if AUDIT_DEBUG
1358 context->ino_count++;
1359#endif
1360 return 0;
1361}
1362
1282/* Copy inode data into an audit_names. */ 1363/* Copy inode data into an audit_names. */
1283static void audit_copy_inode(struct audit_names *name, const struct inode *inode) 1364static void audit_copy_inode(struct audit_names *name, const struct inode *inode)
1284{ 1365{
@@ -1316,13 +1397,10 @@ void __audit_inode(const char *name, const struct inode *inode)
1316 else { 1397 else {
1317 /* FIXME: how much do we care about inodes that have no 1398 /* FIXME: how much do we care about inodes that have no
1318 * associated name? */ 1399 * associated name? */
1319 if (context->name_count >= AUDIT_NAMES - AUDIT_NAMES_RESERVED) 1400 if (audit_inc_name_count(context, inode))
1320 return; 1401 return;
1321 idx = context->name_count++; 1402 idx = context->name_count - 1;
1322 context->names[idx].name = NULL; 1403 context->names[idx].name = NULL;
1323#if AUDIT_DEBUG
1324 ++context->ino_count;
1325#endif
1326 } 1404 }
1327 audit_copy_inode(&context->names[idx], inode); 1405 audit_copy_inode(&context->names[idx], inode);
1328} 1406}
@@ -1346,7 +1424,7 @@ void __audit_inode_child(const char *dname, const struct inode *inode,
1346{ 1424{
1347 int idx; 1425 int idx;
1348 struct audit_context *context = current->audit_context; 1426 struct audit_context *context = current->audit_context;
1349 const char *found_name = NULL; 1427 const char *found_parent = NULL, *found_child = NULL;
1350 int dirlen = 0; 1428 int dirlen = 0;
1351 1429
1352 if (!context->in_syscall) 1430 if (!context->in_syscall)
@@ -1354,88 +1432,73 @@ void __audit_inode_child(const char *dname, const struct inode *inode,
1354 1432
1355 /* determine matching parent */ 1433 /* determine matching parent */
1356 if (!dname) 1434 if (!dname)
1357 goto update_context; 1435 goto add_names;
1358 for (idx = 0; idx < context->name_count; idx++)
1359 if (context->names[idx].ino == parent->i_ino) {
1360 const char *name = context->names[idx].name;
1361 1436
1362 if (!name) 1437 /* parent is more likely, look for it first */
1363 continue; 1438 for (idx = 0; idx < context->name_count; idx++) {
1439 struct audit_names *n = &context->names[idx];
1364 1440
1365 if (audit_compare_dname_path(dname, name, &dirlen) == 0) { 1441 if (!n->name)
1366 context->names[idx].name_len = dirlen; 1442 continue;
1367 found_name = name; 1443
1368 break; 1444 if (n->ino == parent->i_ino &&
1369 } 1445 !audit_compare_dname_path(dname, n->name, &dirlen)) {
1446 n->name_len = dirlen; /* update parent data in place */
1447 found_parent = n->name;
1448 goto add_names;
1370 } 1449 }
1450 }
1371 1451
1372update_context: 1452 /* no matching parent, look for matching child */
1373 idx = context->name_count; 1453 for (idx = 0; idx < context->name_count; idx++) {
1374 if (context->name_count == AUDIT_NAMES) { 1454 struct audit_names *n = &context->names[idx];
1375 printk(KERN_DEBUG "name_count maxed and losing %s\n", 1455
1376 found_name ?: "(null)"); 1456 if (!n->name)
1377 return; 1457 continue;
1458
1459 /* strcmp() is the more likely scenario */
1460 if (!strcmp(dname, n->name) ||
1461 !audit_compare_dname_path(dname, n->name, &dirlen)) {
1462 if (inode)
1463 audit_copy_inode(n, inode);
1464 else
1465 n->ino = (unsigned long)-1;
1466 found_child = n->name;
1467 goto add_names;
1468 }
1378 } 1469 }
1379 context->name_count++; 1470
1380#if AUDIT_DEBUG 1471add_names:
1381 context->ino_count++; 1472 if (!found_parent) {
1382#endif 1473 if (audit_inc_name_count(context, parent))
1383 /* Re-use the name belonging to the slot for a matching parent directory.
1384 * All names for this context are relinquished in audit_free_names() */
1385 context->names[idx].name = found_name;
1386 context->names[idx].name_len = AUDIT_NAME_FULL;
1387 context->names[idx].name_put = 0; /* don't call __putname() */
1388
1389 if (!inode)
1390 context->names[idx].ino = (unsigned long)-1;
1391 else
1392 audit_copy_inode(&context->names[idx], inode);
1393
1394 /* A parent was not found in audit_names, so copy the inode data for the
1395 * provided parent. */
1396 if (!found_name) {
1397 idx = context->name_count;
1398 if (context->name_count == AUDIT_NAMES) {
1399 printk(KERN_DEBUG
1400 "name_count maxed and losing parent inode data: dev=%02x:%02x, inode=%lu",
1401 MAJOR(parent->i_sb->s_dev),
1402 MINOR(parent->i_sb->s_dev),
1403 parent->i_ino);
1404 return; 1474 return;
1405 } 1475 idx = context->name_count - 1;
1406 context->name_count++; 1476 context->names[idx].name = NULL;
1407#if AUDIT_DEBUG
1408 context->ino_count++;
1409#endif
1410 audit_copy_inode(&context->names[idx], parent); 1477 audit_copy_inode(&context->names[idx], parent);
1411 } 1478 }
1412}
1413 1479
1414/** 1480 if (!found_child) {
1415 * audit_inode_update - update inode info for last collected name 1481 if (audit_inc_name_count(context, inode))
1416 * @inode: inode being audited 1482 return;
1417 * 1483 idx = context->name_count - 1;
1418 * When open() is called on an existing object with the O_CREAT flag, the inode
1419 * data audit initially collects is incorrect. This additional hook ensures
1420 * audit has the inode data for the actual object to be opened.
1421 */
1422void __audit_inode_update(const struct inode *inode)
1423{
1424 struct audit_context *context = current->audit_context;
1425 int idx;
1426 1484
1427 if (!context->in_syscall || !inode) 1485 /* Re-use the name belonging to the slot for a matching parent
1428 return; 1486 * directory. All names for this context are relinquished in
1487 * audit_free_names() */
1488 if (found_parent) {
1489 context->names[idx].name = found_parent;
1490 context->names[idx].name_len = AUDIT_NAME_FULL;
1491 /* don't call __putname() */
1492 context->names[idx].name_put = 0;
1493 } else {
1494 context->names[idx].name = NULL;
1495 }
1429 1496
1430 if (context->name_count == 0) { 1497 if (inode)
1431 context->name_count++; 1498 audit_copy_inode(&context->names[idx], inode);
1432#if AUDIT_DEBUG 1499 else
1433 context->ino_count++; 1500 context->names[idx].ino = (unsigned long)-1;
1434#endif
1435 } 1501 }
1436 idx = context->name_count - 1;
1437
1438 audit_copy_inode(&context->names[idx], inode);
1439} 1502}
1440 1503
1441/** 1504/**
@@ -1880,6 +1943,14 @@ int audit_sockaddr(int len, void *a)
1880 return 0; 1943 return 0;
1881} 1944}
1882 1945
1946void __audit_ptrace(struct task_struct *t)
1947{
1948 struct audit_context *context = current->audit_context;
1949
1950 context->target_pid = t->pid;
1951 selinux_get_task_sid(t, &context->target_sid);
1952}
1953
1883/** 1954/**
1884 * audit_avc_path - record the granting or denial of permissions 1955 * audit_avc_path - record the granting or denial of permissions
1885 * @dentry: dentry to record 1956 * @dentry: dentry to record
@@ -1918,15 +1989,17 @@ int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt)
1918 * If the audit subsystem is being terminated, record the task (pid) 1989 * If the audit subsystem is being terminated, record the task (pid)
1919 * and uid that is doing that. 1990 * and uid that is doing that.
1920 */ 1991 */
1921void __audit_signal_info(int sig, struct task_struct *t) 1992int __audit_signal_info(int sig, struct task_struct *t)
1922{ 1993{
1994 struct audit_aux_data_pids *axp;
1995 struct task_struct *tsk = current;
1996 struct audit_context *ctx = tsk->audit_context;
1923 extern pid_t audit_sig_pid; 1997 extern pid_t audit_sig_pid;
1924 extern uid_t audit_sig_uid; 1998 extern uid_t audit_sig_uid;
1925 extern u32 audit_sig_sid; 1999 extern u32 audit_sig_sid;
1926 2000
1927 if (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1) { 2001 if (audit_pid && t->tgid == audit_pid &&
1928 struct task_struct *tsk = current; 2002 (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1)) {
1929 struct audit_context *ctx = tsk->audit_context;
1930 audit_sig_pid = tsk->pid; 2003 audit_sig_pid = tsk->pid;
1931 if (ctx) 2004 if (ctx)
1932 audit_sig_uid = ctx->loginuid; 2005 audit_sig_uid = ctx->loginuid;
@@ -1934,4 +2007,72 @@ void __audit_signal_info(int sig, struct task_struct *t)
1934 audit_sig_uid = tsk->uid; 2007 audit_sig_uid = tsk->uid;
1935 selinux_get_task_sid(tsk, &audit_sig_sid); 2008 selinux_get_task_sid(tsk, &audit_sig_sid);
1936 } 2009 }
2010
2011 if (!audit_signals) /* audit_context checked in wrapper */
2012 return 0;
2013
2014 /* optimize the common case by putting first signal recipient directly
2015 * in audit_context */
2016 if (!ctx->target_pid) {
2017 ctx->target_pid = t->tgid;
2018 selinux_get_task_sid(t, &ctx->target_sid);
2019 return 0;
2020 }
2021
2022 axp = (void *)ctx->aux_pids;
2023 if (!axp || axp->pid_count == AUDIT_AUX_PIDS) {
2024 axp = kzalloc(sizeof(*axp), GFP_ATOMIC);
2025 if (!axp)
2026 return -ENOMEM;
2027
2028 axp->d.type = AUDIT_OBJ_PID;
2029 axp->d.next = ctx->aux_pids;
2030 ctx->aux_pids = (void *)axp;
2031 }
2032 BUG_ON(axp->pid_count > AUDIT_AUX_PIDS);
2033
2034 axp->target_pid[axp->pid_count] = t->tgid;
2035 selinux_get_task_sid(t, &axp->target_sid[axp->pid_count]);
2036 axp->pid_count++;
2037
2038 return 0;
2039}
2040
2041/**
2042 * audit_core_dumps - record information about processes that end abnormally
2043 * @sig: signal value
2044 *
2045 * If a process ends with a core dump, something fishy is going on and we
2046 * should record the event for investigation.
2047 */
2048void audit_core_dumps(long signr)
2049{
2050 struct audit_buffer *ab;
2051 u32 sid;
2052
2053 if (!audit_enabled)
2054 return;
2055
2056 if (signr == SIGQUIT) /* don't care for those */
2057 return;
2058
2059 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
2060 audit_log_format(ab, "auid=%u uid=%u gid=%u",
2061 audit_get_loginuid(current->audit_context),
2062 current->uid, current->gid);
2063 selinux_get_task_sid(current, &sid);
2064 if (sid) {
2065 char *ctx = NULL;
2066 u32 len;
2067
2068 if (selinux_sid_to_string(sid, &ctx, &len))
2069 audit_log_format(ab, " ssid=%u", sid);
2070 else
2071 audit_log_format(ab, " subj=%s", ctx);
2072 kfree(ctx);
2073 }
2074 audit_log_format(ab, " pid=%d comm=", current->pid);
2075 audit_log_untrustedstring(ab, current->comm);
2076 audit_log_format(ab, " sig=%ld", signr);
2077 audit_log_end(ab);
1937} 2078}
diff --git a/kernel/ptrace.c b/kernel/ptrace.c
index 4d50e06fd745..ad7949a589dd 100644
--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
@@ -18,6 +18,7 @@
18#include <linux/ptrace.h> 18#include <linux/ptrace.h>
19#include <linux/security.h> 19#include <linux/security.h>
20#include <linux/signal.h> 20#include <linux/signal.h>
21#include <linux/audit.h>
21 22
22#include <asm/pgtable.h> 23#include <asm/pgtable.h>
23#include <asm/uaccess.h> 24#include <asm/uaccess.h>
@@ -161,6 +162,8 @@ int ptrace_attach(struct task_struct *task)
161{ 162{
162 int retval; 163 int retval;
163 164
165 audit_ptrace(task);
166
164 retval = -EPERM; 167 retval = -EPERM;
165 if (task->pid <= 1) 168 if (task->pid <= 1)
166 goto out; 169 goto out;
diff --git a/kernel/signal.c b/kernel/signal.c
index 34b7d6abce8f..364fc95bf97c 100644
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -497,6 +497,11 @@ static int check_kill_permission(int sig, struct siginfo *info,
497 int error = -EINVAL; 497 int error = -EINVAL;
498 if (!valid_signal(sig)) 498 if (!valid_signal(sig))
499 return error; 499 return error;
500
501 error = audit_signal_info(sig, t); /* Let audit system see the signal */
502 if (error)
503 return error;
504
500 error = -EPERM; 505 error = -EPERM;
501 if ((info == SEND_SIG_NOINFO || (!is_si_special(info) && SI_FROMUSER(info))) 506 if ((info == SEND_SIG_NOINFO || (!is_si_special(info) && SI_FROMUSER(info)))
502 && ((sig != SIGCONT) || 507 && ((sig != SIGCONT) ||
@@ -506,10 +511,7 @@ static int check_kill_permission(int sig, struct siginfo *info,
506 && !capable(CAP_KILL)) 511 && !capable(CAP_KILL))
507 return error; 512 return error;
508 513
509 error = security_task_kill(t, info, sig, 0); 514 return security_task_kill(t, info, sig, 0);
510 if (!error)
511 audit_signal_info(sig, t); /* Let audit system see the signal */
512 return error;
513} 515}
514 516
515/* forward decl */ 517/* forward decl */