Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp710594yba;
        Thu, 18 Apr 2019 08:19:50 -0700 (PDT)
X-Google-Smtp-Source: APXvYqw8nHonFBfipG8auV8lV67f99N5Cl6FFTP7SPQcjoJcVVg5f+THIab6ndXyXieRURaRzQKv
X-Received: by 2002:a17:902:778b:: with SMTP id o11mr6815701pll.333.1555600789943;
        Thu, 18 Apr 2019 08:19:49 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1555600789; cv=none;
        d=google.com; s=arc-20160816;
        b=TqU+Njs1eHidpxf7Scz3T8SVOMJd6b2KcuMStPqWgxb2JLYBWeDypd6Tv1Ii5W0/p+
         I396msdHg0V5K8vpHPJL3n4pLTquYsl66xCBZoU2nHqNklVZv5zwhSPn4YGdyo2iNGBb
         UemgaANnAT4lk11T2KI1+sPCASws9WXYUujF2sgBw01AmE5kqLlqe52LJngBQ/0vahlc
         rjnMUlzHRxUmivnptw4DChLh68GHDr48HfBQk9DjCBaEQihvn/vPyzubD43l5mbZt6BY
         mOvGsSVnczpWvXlRSAb6FyNYe+NLTB3q6vKyYcFfSb7rBHvNNEzTbzmAbbU0IFtX/Baa
         6FaA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date;
        bh=bXnvoHr+JIoUvghqzAOTZOJHJWdJAdHRNP2anwgtkBg=;
        b=02WtqnrVFukO4K5XyjA9xSeew05kFKcW1Kyk5MnNVtnXEKZuF67Syvse01K7L7W3ge
         v8oO33HcUyfKQmvZPlFxz9oWo0igPYOCwp+Q8iuVabpsvP1f5ocFS0qglWaIFGsDJoCT
         vQYVKGFF7NJ4QzBmRH3I/qvYJzM9desQAH/orjskvnSpgM/tteT07hRrHHOPG9rL/lb9
         UxST4BAa0iZAZwUn7sDCgc1gkZ8/6CC+tNjeSitvuhOAGXdvKqgWpMwOAQD9/zPq4fZ6
         FjR4ooM1ReJqlLIq4TYoMagDLFldI+6E430uF6fh7gnj7FwVwiTugoq/V/8KEPCJ/bAV
         ivEw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id g3si2293707plp.369.2019.04.18.08.19.33;
        Thu, 18 Apr 2019 08:19:49 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2389449AbfDRPQy (ORCPT <rfc822;lxz1983@gmail.com> + 99 others);
        Thu, 18 Apr 2019 11:16:54 -0400
Received: from mx1.redhat.com ([209.132.183.28]:44236 "EHLO mx1.redhat.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1731317AbfDRPQy (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 18 Apr 2019 11:16:54 -0400
Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12])
        (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
        (No client certificate requested)
        by mx1.redhat.com (Postfix) with ESMTPS id ED1FC2C977B;
        Thu, 18 Apr 2019 15:16:53 +0000 (UTC)
Received: from madcap2.tricolour.ca (ovpn-112-16.phx2.redhat.com [10.3.112.16])
        by smtp.corp.redhat.com (Postfix) with ESMTPS id 30A9E60C66;
        Thu, 18 Apr 2019 15:16:44 +0000 (UTC)
Date:   Thu, 18 Apr 2019 11:16:42 -0400
From:   Richard Guy Briggs <rgb@redhat.com>
To:     Paul Moore <paul@paul-moore.com>
Cc:     LKML <linux-kernel@vger.kernel.org>,
        Linux-Audit Mailing List <linux-audit@redhat.com>,
        sgrubb@redhat.com, omosnace@redhat.com,
        Eric Paris <eparis@parisplace.org>, ebiederm@xmission.com,
        oleg@redhat.com
Subject: Re: [PATCH ghak111 V1] audit: deliver siginfo regarless of syscall
Message-ID: <20190418151642.nb5mgrxfw55hqecs@madcap2.tricolour.ca>
References: <c7b092894ac6d611f8c5083e712da41e6685f94a.1554781852.git.rgb@redhat.com>
 <CAHC9VhSCRrbFYy3KnSAt4GhADCfTXW-_uSm8focUk-i7_FPjrA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAHC9VhSCRrbFYy3KnSAt4GhADCfTXW-_uSm8focUk-i7_FPjrA@mail.gmail.com>
User-Agent: NeoMutt/20180716
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.29]); Thu, 18 Apr 2019 15:16:54 +0000 (UTC)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 2019-04-18 10:59, Paul Moore wrote:
> On Mon, Apr 8, 2019 at 11:53 PM Richard Guy Briggs <rgb@redhat.com> wrote:
> > When a process signals the audit daemon (shutdown, rotate, resume,
> > reconfig) but syscall auditing is not enabled, we still want to know the
> > identity of the process sending the signal to the audit daemon.
> >
> > Move audit_signal_info() out of syscall auditing to general auditing but
> > create a new function audit_signal_info_syscall() to take care of the
> > syscall dependent parts for when syscall auditing is enabled.
> >
> > Please see the github kernel audit issue
> > https://github.com/linux-audit/audit-kernel/issues/111
> >
> > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> > ---
> >  include/linux/audit.h |  6 ++++++
> >  kernel/audit.c        | 27 +++++++++++++++++++++++++++
> >  kernel/audit.h        |  4 ++--
> >  kernel/auditsc.c      | 19 +++----------------
> >  kernel/signal.c       |  2 +-
> >  5 files changed, 39 insertions(+), 19 deletions(-)
> 
> ...
> 
> > diff --git a/include/linux/audit.h b/include/linux/audit.h
> > index 1e69d9fe16da..4a22fc3f824f 100644
> > --- a/include/linux/audit.h
> > +++ b/include/linux/audit.h
> > @@ -226,6 +229,9 @@ static inline unsigned int audit_get_sessionid(struct task_struct *tsk)
> >  }
> >
> >  #define audit_enabled AUDIT_OFF
> > +
> > +#define audit_signal_info(s, t) AUDIT_OFF
> > +
> 
> Should this be AUDIT_DISABLED to preserve the current value/behavior?
> Technically they should both have a value of zero right now, but since
> the AUDIT_DISABLED value isn't explicit it seems safer to go with
> AUDIT_DISABLED.

I did that first, but that symbol was not available when one or both of
CONFIG_AUDITSYSCALL or CONFIG_AUDIT was off, so I had to change it to
AUDIT_OFF.  I followed the logic to confirm that is what was intended by
the original code.

When auidit is off, we want to just return zero so it gets skipped
rather than throwing an error.

> > diff --git a/kernel/audit.h b/kernel/audit.h
> > index 958d5b8fc1b3..18a8ae812e9f 100644
> > --- a/kernel/audit.h
> > +++ b/kernel/audit.h
> > @@ -299,7 +299,7 @@ extern bool audit_tree_match(struct audit_chunk *chunk,
> >  extern void audit_put_tree(struct audit_tree *tree);
> >  extern void audit_kill_trees(struct audit_context *context);
> >
> > -extern int audit_signal_info(int sig, struct task_struct *t);
> > +extern int audit_signal_info_syscall(struct task_struct *t);
> >  extern void audit_filter_inodes(struct task_struct *tsk,
> >                                 struct audit_context *ctx);
> >  extern struct list_head *audit_killed_trees(void);
> > @@ -330,7 +330,7 @@ extern void audit_filter_inodes(struct task_struct *tsk,
> >  #define audit_tree_path(rule) ""       /* never called */
> >  #define audit_kill_trees(context) BUG()
> >
> > -#define audit_signal_info(s, t) AUDIT_DISABLED
> > +#define audit_signal_info_syscall(t) AUDIT_OFF
> 
> Similar as above.
> 
> -- 
> paul moore
> www.paul-moore.com

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635