Date: Tue, 9 Apr 2019 10:02:59 -0400
From: Richard Guy Briggs
To: Steve Grubb
Cc: LKML, Linux-Audit Mailing List, Paul Moore, omosnace@redhat.com, eparis@parisplace.org, ebiederm@xmission.com, oleg@redhat.com
Subject: Re: [PATCH ghak111 V1] audit: deliver siginfo regardless of syscall
Message-ID: <20190409140259.n4t6rxb24eu3uzvp@madcap2.tricolour.ca>
References: <20190409080138.745d18a1@ivy-bridge>
In-Reply-To: <20190409080138.745d18a1@ivy-bridge>
X-Mailing-List: linux-kernel@vger.kernel.org

On 2019-04-09 08:01, Steve Grubb wrote:
> On Mon, 8 Apr 2019 23:52:29 -0400 Richard Guy Briggs wrote:
> > When a process signals the audit daemon (shutdown, rotate, resume,
> > reconfig) but syscall auditing is not enabled, we still want to know
> > the identity of the process sending the signal to the audit daemon.
>
> Why? If syscall auditing is disabled, then there is no requirement to
> provide anything. What is the real problem that you are seeing?

Shutdown messages with -1 in them rather than the real values.

> -Steve
>
> > Move audit_signal_info() out of syscall auditing to general auditing
> > but create a new function audit_signal_info_syscall() to take care of
> > the syscall dependent parts for when syscall auditing is enabled.
> >
> > Please see the github kernel audit issue
> > https://github.com/linux-audit/audit-kernel/issues/111
> >
> > Signed-off-by: Richard Guy Briggs
> > ---
> >  include/linux/audit.h |  6 ++++++
> >  kernel/audit.c        | 27 +++++++++++++++++++++++++++
> >  kernel/audit.h        |  4 ++--
> >  kernel/auditsc.c      | 19 +++---------------
> >  kernel/signal.c       |  2 +-
> >  5 files changed, 39 insertions(+), 19 deletions(-)
> > > > diff --git a/include/linux/audit.h b/include/linux/audit.h > > index 1e69d9fe16da..4a22fc3f824f 100644 > > --- a/include/linux/audit.h > > +++ b/include/linux/audit.h > > @@ -173,6 +173,9 @@ static inline unsigned int > > audit_get_sessionid(struct task_struct *tsk) } > > > > extern u32 audit_enabled; > > + > > +extern int audit_signal_info(int sig, struct task_struct *t); > > + > > #else /* CONFIG_AUDIT */ > > static inline __printf(4, 5) > > void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, > > @@ -226,6 +229,9 @@ static inline unsigned int > > audit_get_sessionid(struct task_struct *tsk) } > > > > #define audit_enabled AUDIT_OFF > > + > > +#define audit_signal_info(s, t) AUDIT_OFF > > + > > #endif /* CONFIG_AUDIT */ > > > > #ifdef CONFIG_AUDIT_COMPAT_GENERIC > > diff --git a/kernel/audit.c b/kernel/audit.c > > index b96bf69183f4..67399ff72d43 100644 > > --- a/kernel/audit.c > > +++ b/kernel/audit.c > > @@ -2274,6 +2274,33 @@ int audit_set_loginuid(kuid_t loginuid) > > } > > > > /** > > + * audit_signal_info - record signal info for shutting down audit > > subsystem > > + * @sig: signal value > > + * @t: task being signaled > > + * > > + * If the audit subsystem is being terminated, record the task (pid) > > + * and uid that is doing that. > > + */ > > +int audit_signal_info(int sig, struct task_struct *t) > > +{ > > + kuid_t uid = current_uid(), auid; > > + > > + if (auditd_test_task(t) && > > + (sig == SIGTERM || sig == SIGHUP || > > + sig == SIGUSR1 || sig == SIGUSR2)) { > > + audit_sig_pid = task_tgid_nr(current); > > + auid = audit_get_loginuid(current); > > + if (uid_valid(auid)) > > + audit_sig_uid = auid; > > + else > > + audit_sig_uid = uid; > > + security_task_getsecid(current, &audit_sig_sid); > > + } > > + > > + return audit_signal_info_syscall(t); > > +} > > + > > +/** > > * audit_log_end - end one audit record > > * @ab: the audit_buffer > > * 
> > diff --git a/kernel/audit.h b/kernel/audit.h > > index 958d5b8fc1b3..18a8ae812e9f 100644 > > --- a/kernel/audit.h > > +++ b/kernel/audit.h > > @@ -299,7 +299,7 @@ extern bool audit_tree_match(struct audit_chunk > > *chunk, extern void audit_put_tree(struct audit_tree *tree); > > extern void audit_kill_trees(struct audit_context *context); > > > > -extern int audit_signal_info(int sig, struct task_struct *t); > > +extern int audit_signal_info_syscall(struct task_struct *t); > > extern void audit_filter_inodes(struct task_struct *tsk, > > struct audit_context *ctx); > > extern struct list_head *audit_killed_trees(void); > > @@ -330,7 +330,7 @@ extern void audit_filter_inodes(struct > > task_struct *tsk, #define audit_tree_path(rule) "" /* never > > called */ #define audit_kill_trees(context) BUG() > > > > -#define audit_signal_info(s, t) AUDIT_DISABLED > > +#define audit_signal_info_syscall(t) AUDIT_OFF > > #define audit_filter_inodes(t, c) AUDIT_DISABLED > > #endif /* CONFIG_AUDITSYSCALL */ > > > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > > index 98a98e6dca05..dbd43d84c347 100644 > > --- a/kernel/auditsc.c > > +++ b/kernel/auditsc.c 
> > @@ -2370,30 +2370,17 @@ void __audit_ptrace(struct task_struct *t) > > } > > > > /** > > - * audit_signal_info - record signal info for shutting down audit > > subsystem > > - * @sig: signal value > > + * audit_signal_info_syscall - record signal info for syscalls > > * @t: task being signaled > > * > > * If the audit subsystem is being terminated, record the task (pid) > > * and uid that is doing that. > > */ > > -int audit_signal_info(int sig, struct task_struct *t) > > +int audit_signal_info_syscall(struct task_struct *t) > > { > > struct audit_aux_data_pids *axp; > > struct audit_context *ctx = audit_context(); > > - kuid_t uid = current_uid(), auid, t_uid = task_uid(t); > > - > > - if (auditd_test_task(t) && > > - (sig == SIGTERM || sig == SIGHUP || > > - sig == SIGUSR1 || sig == SIGUSR2)) { > > - audit_sig_pid = task_tgid_nr(current); > > - auid = audit_get_loginuid(current); > > - if (uid_valid(auid)) > > - audit_sig_uid = auid; > > - else > > - audit_sig_uid = uid; > > - security_task_getsecid(current, &audit_sig_sid); > > - } > > + kuid_t t_uid = task_uid(t); > > > > if (!audit_signals || audit_dummy_context()) > > return 0; > > diff --git a/kernel/signal.c b/kernel/signal.c > > index b7953934aa99..73db5dfa797d 100644 > > --- a/kernel/signal.c > > +++ b/kernel/signal.c > > @@ -43,6 +43,7 @@ > > #include > > #include > > #include > > +#include /* audit_signal_info() */ > > > > #define CREATE_TRACE_POINTS > > #include > > @@ -52,7 +53,6 @@ > > #include > > #include > > #include > > -#include "audit.h" /* audit_signal_info() */ > > > > /* > > * SLAB caches for signal bits. > - RGB -- Richard Guy Briggs Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635
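Review bot: in the kernel/audit.h hunk the !CONFIG_AUDITSYSCALL stub changes its constant along with its name: `-#define audit_signal_info(s, t) AUDIT_DISABLED` becomes `+#define audit_signal_info_syscall(t) AUDIT_OFF`, while the neighbouring `#define audit_filter_inodes(t, c) AUDIT_DISABLED` in the same block keeps the audit-state constant. The rename does not require the constant to change; keep AUDIT_DISABLED here so the stubs in this block stay consistent (AUDIT_OFF is the audit_enabled value used by the CONFIG_AUDIT=n stubs in include/linux/audit.h), or state in the commit message why this stub should now mirror the CONFIG_AUDIT=n one.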
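Review bot: the new audit_signal_info() in the kernel/audit.c hunk ends with `return audit_signal_info_syscall(t);` on every call, yet its kernel-doc only describes the auditd shutdown bookkeeping; add a sentence saying that the syscall-side record (the part left in kernel/auditsc.c) is still produced from here, since that is what signal.c now relies on. The motivation Steve asked for, given only in the reply above (shutdown records carrying -1 instead of the real pid/uid when syscall auditing is off), also belongs in the commit message, which currently just says "we still want to know the identity".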
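Review bot: in the kernel/auditsc.c hunk the kernel-doc of the renamed audit_signal_info_syscall() keeps the lines `* If the audit subsystem is being terminated, record the task (pid)` / `* and uid that is doing that.`, but that is exactly the bookkeeping this hunk removes (the auditd_test_task()/audit_sig_* block now lives in kernel/audit.c). Rewrite those two lines to describe what remains below, the aux-pids path using `axp` and `t_uid`, so the comment matches the function that is left.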