Date: Tue, 9 Apr 2019 08:01:38 +0200
From: Steve Grubb
To: Richard Guy Briggs
Cc: LKML, Linux-Audit Mailing List, Paul Moore, omosnace@redhat.com, eparis@parisplace.org, ebiederm@xmission.com, oleg@redhat.com
Subject: Re: [PATCH ghak111 V1] audit: deliver siginfo regarless of syscall
Message-ID: <20190409080138.745d18a1@ivy-bridge>
Organization: Red Hat
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, 8 Apr 2019 23:52:29 -0400 Richard Guy Briggs wrote:

> When a process signals the audit daemon (shutdown, rotate, resume,
> reconfig) but syscall auditing is not enabled, we still want to know
> the identity of the process sending the signal to the audit daemon.

Why? If syscall auditing is disabled, then there is no requirement to provide anything. What is the real problem that you are seeing?

Thanks,
-Steve

> Move audit_signal_info() out of syscall auditing to general auditing
> but create a new function audit_signal_info_syscall() to take care of
> the syscall dependent parts for when syscall auditing is enabled.
>
> Please see the github kernel audit issue
> https://github.com/linux-audit/audit-kernel/issues/111
>
> Signed-off-by: Richard Guy Briggs
> --- > include/linux/audit.h | 6 ++++++ > kernel/audit.c | 27 +++++++++++++++++++++++++++ > kernel/audit.h | 4 ++-- > kernel/auditsc.c | 19 +++---------------- > kernel/signal.c | 2 +- > 5 files changed, 39 insertions(+), 19 deletions(-) > > diff --git a/include/linux/audit.h b/include/linux/audit.h > index 1e69d9fe16da..4a22fc3f824f 100644 > --- a/include/linux/audit.h > +++ b/include/linux/audit.h 
> @@ -173,6 +173,9 @@ static inline unsigned int > audit_get_sessionid(struct task_struct *tsk) } > > extern u32 audit_enabled; > + > +extern int audit_signal_info(int sig, struct task_struct *t); > + > #else /* CONFIG_AUDIT */ > static inline __printf(4, 5) > void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, > @@ -226,6 +229,9 @@ static inline unsigned int > audit_get_sessionid(struct task_struct *tsk) } > > #define audit_enabled AUDIT_OFF > + > +#define audit_signal_info(s, t) AUDIT_OFF > + > #endif /* CONFIG_AUDIT */ > > #ifdef CONFIG_AUDIT_COMPAT_GENERIC > diff --git a/kernel/audit.c b/kernel/audit.c > index b96bf69183f4..67399ff72d43 100644 > --- a/kernel/audit.c > +++ b/kernel/audit.c > @@ -2274,6 +2274,33 @@ int audit_set_loginuid(kuid_t loginuid) > } > > /** > + * audit_signal_info - record signal info for shutting down audit > subsystem > + * @sig: signal value > + * @t: task being signaled > + * > + * If the audit subsystem is being terminated, record the task (pid) > + * and uid that is doing that. > + */ > +int audit_signal_info(int sig, struct task_struct *t) > +{ > + kuid_t uid = current_uid(), auid; > + > + if (auditd_test_task(t) && > + (sig == SIGTERM || sig == SIGHUP || > + sig == SIGUSR1 || sig == SIGUSR2)) { > + audit_sig_pid = task_tgid_nr(current); > + auid = audit_get_loginuid(current); > + if (uid_valid(auid)) > + audit_sig_uid = auid; > + else > + audit_sig_uid = uid; > + security_task_getsecid(current, &audit_sig_sid); > + } > + > + return audit_signal_info_syscall(t); > +} > + > +/** > * audit_log_end - end one audit record > * @ab: the audit_buffer > * > diff --git a/kernel/audit.h b/kernel/audit.h > index 958d5b8fc1b3..18a8ae812e9f 100644 > --- a/kernel/audit.h > +++ b/kernel/audit.h 
> @@ -299,7 +299,7 @@ extern bool audit_tree_match(struct audit_chunk > *chunk, extern void audit_put_tree(struct audit_tree *tree); > extern void audit_kill_trees(struct audit_context *context); > > -extern int audit_signal_info(int sig, struct task_struct *t); > +extern int audit_signal_info_syscall(struct task_struct *t); > extern void audit_filter_inodes(struct task_struct *tsk, > struct audit_context *ctx); > extern struct list_head *audit_killed_trees(void); > @@ -330,7 +330,7 @@ extern void audit_filter_inodes(struct > task_struct *tsk, #define audit_tree_path(rule) "" /* never > called */ #define audit_kill_trees(context) BUG() > > -#define audit_signal_info(s, t) AUDIT_DISABLED > +#define audit_signal_info_syscall(t) AUDIT_OFF > #define audit_filter_inodes(t, c) AUDIT_DISABLED > #endif /* CONFIG_AUDITSYSCALL */ > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > index 98a98e6dca05..dbd43d84c347 100644 > --- a/kernel/auditsc.c > +++ b/kernel/auditsc.c 
> @@ -2370,30 +2370,17 @@ void __audit_ptrace(struct task_struct *t) > } > > /** > - * audit_signal_info - record signal info for shutting down audit > subsystem > - * @sig: signal value > + * audit_signal_info_syscall - record signal info for syscalls > * @t: task being signaled > * > * If the audit subsystem is being terminated, record the task (pid) > * and uid that is doing that. > */ > -int audit_signal_info(int sig, struct task_struct *t) > +int audit_signal_info_syscall(struct task_struct *t) > { > struct audit_aux_data_pids *axp; > struct audit_context *ctx = audit_context(); > - kuid_t uid = current_uid(), auid, t_uid = task_uid(t); > - > - if (auditd_test_task(t) && > - (sig == SIGTERM || sig == SIGHUP || > - sig == SIGUSR1 || sig == SIGUSR2)) { > - audit_sig_pid = task_tgid_nr(current); > - auid = audit_get_loginuid(current); > - if (uid_valid(auid)) > - audit_sig_uid = auid; > - else > - audit_sig_uid = uid; > - security_task_getsecid(current, &audit_sig_sid); > - } > + kuid_t t_uid = task_uid(t); > > if (!audit_signals || audit_dummy_context()) > return 0; > diff --git a/kernel/signal.c b/kernel/signal.c > index b7953934aa99..73db5dfa797d 100644 > --- a/kernel/signal.c > +++ b/kernel/signal.c > @@ -43,6 +43,7 @@ > #include > #include > #include > +#include /* audit_signal_info() */ > > #define CREATE_TRACE_POINTS > #include > @@ -52,7 +53,6 @@ > #include > #include > #include > -#include "audit.h" /* audit_signal_info() */ > > /* > * SLAB caches for signal bits.
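
Review bot: in the !CONFIG_AUDIT branch of include/linux/audit.h, `#define audit_signal_info(s, t) AUDIT_OFF` stands in for a function whose prototype returns int, but AUDIT_OFF is the audit_enabled state defined just above it, not a return code, and the macro drops both arguments without any type checking. A static inline stub with the same signature that returns 0 would match the CONFIG_AUDIT prototype and keep the call in kernel/signal.c checked when audit is compiled out.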
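
Review bot: the kerneldoc added above audit_signal_info() in kernel/audit.c still says the sender is recorded "if the audit subsystem is being terminated", while the condition below it also matches SIGHUP, SIGUSR1 and SIGUSR2, and the return value is undocumented even though it is now whatever audit_signal_info_syscall(t) returns. Suggest rewording the description to cover every signal listed in the condition and adding a Return: line so the caller in kernel/signal.c knows what a non-zero result means.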
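
Review bot: in the !CONFIG_AUDITSYSCALL stubs of kernel/audit.h, the new `audit_signal_info_syscall(t)` stub evaluates to AUDIT_OFF where the stub it replaces evaluated to AUDIT_DISABLED, and the neighbouring `audit_filter_inodes(t, c)` stub still uses AUDIT_DISABLED. The changelog does not mention the switch; since audit_signal_info() in kernel/audit.c returns this value directly, either keep AUDIT_DISABLED for consistency with the rest of the block or state in the commit message why the constant changes.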
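
Review bot: the kerneldoc for audit_signal_info_syscall() in kernel/auditsc.c keeps the unchanged context lines "If the audit subsystem is being terminated, record the task (pid) and uid that is doing that", which describe exactly the block this hunk removes. Please update the comment body to describe what the function still does for the syscall context after the `!audit_signals || audit_dummy_context()` check, so the two kerneldoc blocks do not both claim the auditd-sender bookkeeping.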