From: Paul Moore
Date: Thu, 18 Apr 2019 10:59:39 -0400
Subject: Re: [PATCH ghak111 V1] audit: deliver siginfo regarless of syscall
To: Richard Guy Briggs
Cc: LKML, Linux-Audit Mailing List, sgrubb@redhat.com, omosnace@redhat.com, Eric Paris, ebiederm@xmission.com, oleg@redhat.com
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Apr 8, 2019 at 11:53 PM Richard Guy Briggs wrote:
>
> When a process signals the audit daemon (shutdown, rotate, resume,
> reconfig) but syscall auditing is not enabled, we still want to know the
> identity of the process sending the signal to the audit daemon.
>
> Move audit_signal_info() out of syscall auditing to general auditing but
> create a new function audit_signal_info_syscall() to take care of the
> syscall dependent parts for when syscall auditing is enabled.
>
> Please see the github kernel audit issue
> https://github.com/linux-audit/audit-kernel/issues/111
>
> Signed-off-by: Richard Guy Briggs
> ---
>  include/linux/audit.h |  6 ++++++
>  kernel/audit.c        | 27 +++++++++++++++++++++++++++
>  kernel/audit.h        |  4 ++--
>  kernel/auditsc.c      | 19 +++----------------
>  kernel/signal.c       |  2 +-
>  5 files changed, 39 insertions(+), 19 deletions(-)

...

> diff --git a/include/linux/audit.h b/include/linux/audit.h
> index 1e69d9fe16da..4a22fc3f824f 100644
> --- a/include/linux/audit.h > +++ b/include/linux/audit.h > @@ -226,6 +229,9 @@ static inline unsigned int audit_get_sessionid(struct task_struct *tsk) > } > > #define audit_enabled AUDIT_OFF > + > +#define audit_signal_info(s, t) AUDIT_OFF > + Should this be AUDIT_DISABLED to preserve the current value/behavior? Technically they should both have a value of zero right now, but since the AUDIT_DISABLED value isn't explicit it seems safer to go with AUDIT_DISABLED. > diff --git a/kernel/audit.h b/kernel/audit.h > index 958d5b8fc1b3..18a8ae812e9f 100644 > --- a/kernel/audit.h > +++ b/kernel/audit.h > @@ -299,7 +299,7 @@ extern bool audit_tree_match(struct audit_chunk *chunk, > extern void audit_put_tree(struct audit_tree *tree); > extern void audit_kill_trees(struct audit_context *context); > > -extern int audit_signal_info(int sig, struct task_struct *t); > +extern int audit_signal_info_syscall(struct task_struct *t); > extern void audit_filter_inodes(struct task_struct *tsk, > struct audit_context *ctx); > extern struct list_head *audit_killed_trees(void); > @@ -330,7 +330,7 @@ extern void audit_filter_inodes(struct task_struct *tsk, > #define audit_tree_path(rule) "" /* never called */ > #define audit_kill_trees(context) BUG() > > -#define audit_signal_info(s, t) AUDIT_DISABLED > +#define audit_signal_info_syscall(t) AUDIT_OFF Similar as above. -- paul moore www.paul-moore.com
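
Review bot: In the include/linux/audit.h hunk (@@ -226,6 +229,9), the new stub `#define audit_signal_info(s, t) AUDIT_OFF` is a function-like macro that discards both arguments, so in the stub configuration the call gets no type checking and a caller variable used only in that call can trigger an unused-variable warning. The hunk context shows this header already uses static inline stubs (audit_get_sessionid()); a static inline audit_signal_info(int sig, struct task_struct *t) returning 0 would match that style and make the result an explicit integer status instead of the AUDIT_OFF enabled-state constant.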
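
Review bot: In the first kernel/audit.h hunk (@@ -299,7 +299,7), the new prototype `extern int audit_signal_info_syscall(struct task_struct *t);` drops the `sig` argument with no comment, and the kernel/audit.c side that now handles whatever depended on `sig` is not in the quoted part of the patch. A short comment on the declaration stating that this is the syscall-only half, meant to be called from audit_signal_info(), and what the int return means would keep a later caller from using it directly.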
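
Review bot: In the second kernel/audit.h hunk (@@ -330,7 +330,7), the stub line changes two things at once: the macro name and its value, from `AUDIT_DISABLED` to `AUDIT_OFF`. The commit message only describes moving and splitting the function, so the constant change is unexplained; keep `AUDIT_DISABLED` so the hunk is a pure rename, or have the stub return a literal 0 and mention that in the changelog.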