Commit 85e7bac3 authored by Eric Paris's avatar Eric Paris Committed by Al Viro

seccomp: audit abnormal end to a process due to seccomp

The audit system likes to collect information about processes that end
abnormally (SIGSEGV) as this may be useful intrusion detection information.
This patch adds audit support to collect information when seccomp forces a
task to exit because of misbehavior in a similar way.
Signed-off-by: default avatarEric Paris <eparis@redhat.com>
parent 16c174bd
...@@ -430,6 +430,7 @@ extern void audit_putname(const char *name); ...@@ -430,6 +430,7 @@ extern void audit_putname(const char *name);
extern void __audit_inode(const char *name, const struct dentry *dentry); extern void __audit_inode(const char *name, const struct dentry *dentry);
extern void __audit_inode_child(const struct dentry *dentry, extern void __audit_inode_child(const struct dentry *dentry,
const struct inode *parent); const struct inode *parent);
extern void __audit_seccomp(unsigned long syscall);
extern void __audit_ptrace(struct task_struct *t); extern void __audit_ptrace(struct task_struct *t);
static inline int audit_dummy_context(void) static inline int audit_dummy_context(void)
...@@ -453,6 +454,12 @@ static inline void audit_inode_child(const struct dentry *dentry, ...@@ -453,6 +454,12 @@ static inline void audit_inode_child(const struct dentry *dentry,
} }
void audit_core_dumps(long signr); void audit_core_dumps(long signr);
static inline void audit_seccomp(unsigned long syscall)
{
if (unlikely(!audit_dummy_context()))
__audit_seccomp(syscall);
}
static inline void audit_ptrace(struct task_struct *t) static inline void audit_ptrace(struct task_struct *t)
{ {
if (unlikely(!audit_dummy_context())) if (unlikely(!audit_dummy_context()))
...@@ -558,6 +565,7 @@ extern int audit_signals; ...@@ -558,6 +565,7 @@ extern int audit_signals;
#define audit_inode(n,d) do { (void)(d); } while (0) #define audit_inode(n,d) do { (void)(d); } while (0)
#define audit_inode_child(i,p) do { ; } while (0) #define audit_inode_child(i,p) do { ; } while (0)
#define audit_core_dumps(i) do { ; } while (0) #define audit_core_dumps(i) do { ; } while (0)
#define audit_seccomp(i) do { ; } while (0)
#define auditsc_get_stamp(c,t,s) (0) #define auditsc_get_stamp(c,t,s) (0)
#define audit_get_loginuid(t) (-1) #define audit_get_loginuid(t) (-1)
#define audit_get_sessionid(t) (-1) #define audit_get_sessionid(t) (-1)
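Review bot: The new inline `audit_seccomp` (the `static inline void audit_seccomp(unsigned long syscall)` lines) emits the record only when `!audit_dummy_context()`, whereas `audit_core_dumps`, declared on the line above it and defined in the auditsc.c hunk, is gated on `audit_enabled` (plus whatever the elided lines of its body check); a seccomp kill of a task that has no audit context therefore produces no AUDIT_ANOM_ABEND record even though a core dump of the same task would. If that asymmetry is intended it deserves a comment such as `/* unlike audit_core_dumps(), only recorded for tasks with a live audit context */`; otherwise consider gating on `audit_enabled` like the core-dump path so the two abnormal-end records fire under the same conditions. In the stub section, `#define audit_seccomp(i) do { ; } while (0)` silently discards its argument, while the neighbouring `audit_inode(n,d)` stub uses `(void)(d)` to keep the argument referenced; `#define audit_seccomp(i) do { (void)(i); } while (0)` would be consistent with it.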
...@@ -2529,6 +2529,25 @@ void __audit_mmap_fd(int fd, int flags) ...@@ -2529,6 +2529,25 @@ void __audit_mmap_fd(int fd, int flags)
context->type = AUDIT_MMAP; context->type = AUDIT_MMAP;
} }
static void audit_log_abend(struct audit_buffer *ab, char *reason, long signr)
{
uid_t auid, uid;
gid_t gid;
unsigned int sessionid;
auid = audit_get_loginuid(current);
sessionid = audit_get_sessionid(current);
current_uid_gid(&uid, &gid);
audit_log_format(ab, "auid=%u uid=%u gid=%u ses=%u",
auid, uid, gid, sessionid);
audit_log_task_context(ab);
audit_log_format(ab, " pid=%d comm=", current->pid);
audit_log_untrustedstring(ab, current->comm);
audit_log_format(ab, " reason=");
audit_log_string(ab, reason);
audit_log_format(ab, " sig=%ld", signr);
}
/** /**
* audit_core_dumps - record information about processes that end abnormally * audit_core_dumps - record information about processes that end abnormally
* @signr: signal value * @signr: signal value
...@@ -2539,10 +2558,6 @@ void __audit_mmap_fd(int fd, int flags) ...@@ -2539,10 +2558,6 @@ void __audit_mmap_fd(int fd, int flags)
void audit_core_dumps(long signr) void audit_core_dumps(long signr)
{ {
struct audit_buffer *ab; struct audit_buffer *ab;
u32 sid;
uid_t auid = audit_get_loginuid(current), uid;
gid_t gid;
unsigned int sessionid = audit_get_sessionid(current);
if (!audit_enabled) if (!audit_enabled)
return; return;
...@@ -2551,24 +2566,17 @@ void audit_core_dumps(long signr) ...@@ -2551,24 +2566,17 @@ void audit_core_dumps(long signr)
return; return;
ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND); ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
current_uid_gid(&uid, &gid); audit_log_abend(ab, "memory violation", signr);
audit_log_format(ab, "auid=%u uid=%u gid=%u ses=%u", audit_log_end(ab);
auid, uid, gid, sessionid); }
security_task_getsecid(current, &sid);
if (sid) {
char *ctx = NULL;
u32 len;
if (security_secid_to_secctx(sid, &ctx, &len)) void __audit_seccomp(unsigned long syscall)
audit_log_format(ab, " ssid=%u", sid); {
else { struct audit_buffer *ab;
audit_log_format(ab, " subj=%s", ctx);
security_release_secctx(ctx, len); ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
} audit_log_abend(ab, "seccomp", SIGKILL);
} audit_log_format(ab, " syscall=%ld", syscall);
audit_log_format(ab, " pid=%d comm=", current->pid);
audit_log_untrustedstring(ab, current->comm);
audit_log_format(ab, " sig=%ld", signr);
audit_log_end(ab); audit_log_end(ab);
} }
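Review bot: `__audit_seccomp` formats its `unsigned long syscall` parameter with `audit_log_format(ab, " syscall=%ld", syscall);`, a signed conversion for an unsigned argument; `" syscall=%lu"` matches the declared type, keeps -Wformat quiet, and avoids a large unsigned number being printed as a negative one. Unlike `audit_core_dumps` directly above it, `__audit_seccomp` has no `if (!audit_enabled) return;` before `audit_log_start`, so it relies entirely on the header-side `audit_dummy_context()` gate; if that is deliberate, a one-line comment saying so would spare the next reader the comparison. In the `audit_log_abend` hunk, `reason` is only ever handed to `audit_log_string` and both callers pass string literals, so `static void audit_log_abend(struct audit_buffer *ab, const char *reason, long signr)` is the more honest signature. That helper also lacks a kernel-doc block in the style of the one on `audit_core_dumps`; it should describe `@ab`, `@reason` and `@signr`, and note that neither caller checks the return of `audit_log_start` (as the pre-existing code also did not), which presumably means the `audit_log_*` helpers tolerate a NULL buffer — worth stating explicitly since the helper is now shared.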
...@@ -6,6 +6,7 @@ ...@@ -6,6 +6,7 @@
* This defines a simple but solid secure-computing mode. * This defines a simple but solid secure-computing mode.
*/ */
#include <linux/audit.h>
#include <linux/seccomp.h> #include <linux/seccomp.h>
#include <linux/sched.h> #include <linux/sched.h>
#include <linux/compat.h> #include <linux/compat.h>
...@@ -54,6 +55,7 @@ void __secure_computing(int this_syscall) ...@@ -54,6 +55,7 @@ void __secure_computing(int this_syscall)
#ifdef SECCOMP_DEBUG #ifdef SECCOMP_DEBUG
dump_stack(); dump_stack();
#endif #endif
audit_seccomp(this_syscall);
do_exit(SIGKILL); do_exit(SIGKILL);
} }
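Review bot: The signal recorded by the new `audit_seccomp(this_syscall);` call is not taken from this site: `__audit_seccomp` hard-codes `SIGKILL` in its `audit_log_abend` call (auditsc.c hunk) while the kill itself is the `do_exit(SIGKILL);` on the following line, so the record and the actual termination can silently diverge if either is changed. Passing the signal through the helper would make the record self-describing; short of an interface change, a comment `/* __audit_seccomp() records SIGKILL; keep in step with do_exit() below */` at least ties the two together. Per the hunk header `this_syscall` is an `int` that is converted to the helper's `unsigned long` parameter, so any negative number reaching this path would be recorded as a large unsigned value — probably acceptable, but worth knowing when reading the resulting records. The enclosing `__secure_computing` body begins outside the hunk.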