Date: Thu, 18 Apr 2019 11:16:42 -0400
From: Richard Guy Briggs
To: Paul Moore
Cc: LKML, Linux-Audit Mailing List, sgrubb@redhat.com, omosnace@redhat.com, Eric Paris, ebiederm@xmission.com, oleg@redhat.com
Subject: Re: [PATCH ghak111 V1] audit: deliver siginfo regarless of syscall
Message-ID: <20190418151642.nb5mgrxfw55hqecs@madcap2.tricolour.ca>

On 2019-04-18 10:59, Paul Moore wrote:
> On Mon, Apr 8, 2019 at 11:53 PM Richard Guy Briggs wrote:
> > When a process signals the audit daemon (shutdown, rotate, resume,
> > reconfig) but syscall auditing is not enabled, we still want to know the
> > identity of the process sending the signal to the audit daemon.
> >
> > Move audit_signal_info() out of syscall auditing to general auditing but
> > create a new function audit_signal_info_syscall() to take care of the
> > syscall dependent parts for when syscall auditing is enabled.
> >
> > Please see the github kernel audit issue
> > https://github.com/linux-audit/audit-kernel/issues/111
> >
> > Signed-off-by: Richard Guy Briggs
> > ---
> > include/linux/audit.h | 6 ++++++
> > kernel/audit.c | 27 +++++++++++++++++++++++++++
> > kernel/audit.h | 4 ++--
> > kernel/auditsc.c | 19 +++----------------
> > kernel/signal.c | 2 +-
> > 5 files changed, 39 insertions(+), 19 deletions(-)
>
> ...
>
> > diff --git a/include/linux/audit.h b/include/linux/audit.h
> > index 1e69d9fe16da..4a22fc3f824f 100644
> > --- a/include/linux/audit.h
> > +++ b/include/linux/audit.h
> > @@ -226,6 +229,9 @@ static inline unsigned int audit_get_sessionid(struct task_struct *tsk)
> > }
> >
> > #define audit_enabled AUDIT_OFF
> > +
> > +#define audit_signal_info(s, t) AUDIT_OFF
> > +
>
> Should this be AUDIT_DISABLED to preserve the current value/behavior?
> Technically they should both have a value of zero right now, but since
> the AUDIT_DISABLED value isn't explicit it seems safer to go with
> AUDIT_DISABLED.

I did that first, but that symbol was not available when one or both of
CONFIG_AUDITSYSCALL or CONFIG_AUDIT was off, so I had to change it to
AUDIT_OFF. I followed the logic to confirm that is what was intended by
the original code. When audit is off, we want to just return zero so it
gets skipped rather than throwing an error.

> > diff --git a/kernel/audit.h b/kernel/audit.h
> > index 958d5b8fc1b3..18a8ae812e9f 100644
> > --- a/kernel/audit.h
> > +++ b/kernel/audit.h
> > @@ -299,7 +299,7 @@ extern bool audit_tree_match(struct audit_chunk *chunk,
> > extern void audit_put_tree(struct audit_tree *tree);
> > extern void audit_kill_trees(struct audit_context *context);
> >
> > -extern int audit_signal_info(int sig, struct task_struct *t);
> > +extern int audit_signal_info_syscall(struct task_struct *t);
> > extern void audit_filter_inodes(struct task_struct *tsk,
> > struct audit_context *ctx);
> > extern struct list_head *audit_killed_trees(void);
> > @@ -330,7 +330,7 @@ extern void audit_filter_inodes(struct task_struct *tsk,
> > #define audit_tree_path(rule) "" /* never called */
> > #define audit_kill_trees(context) BUG()
> >
> > -#define audit_signal_info(s, t) AUDIT_DISABLED
> > +#define audit_signal_info_syscall(t) AUDIT_OFF
>
> Similar as above.
>
> --
> paul moore
> www.paul-moore.com

- RGB

--
Richard Guy Briggs
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
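
Review bot: in the include/linux/audit.h stub block (@@ -226,6 +229,9 @@), "#define audit_signal_info(s, t) AUDIT_OFF" uses an audit-enable state constant as a function return value, so the caller only gets "zero, carry on" for as long as AUDIT_OFF stays numerically zero. A static inline stub taking (int sig, struct task_struct *t) and returning 0 would state the intent directly, keep argument type checking in builds without audit, and make the AUDIT_OFF versus AUDIT_DISABLED question raised in this thread moot.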
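
Review bot: the prototype at @@ -299,7 +299,7 @@ in kernel/audit.h drops the "int sig" parameter when audit_signal_info() becomes audit_signal_info_syscall(struct task_struct *t), and nothing in the quoted hunks documents which signals the new function expects to be called for or what its return value means. A short comment above the declaration, or kernel-doc on the definition, stating the caller's obligations would keep the split between the general and the syscall-dependent halves from being misused later.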
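
Review bot: at @@ -330,7 +330,7 @@ in kernel/audit.h the stub value changes from AUDIT_DISABLED to AUDIT_OFF on the same line that renames the macro, a second change the commit message does not mention. The removed line used AUDIT_DISABLED in this header, so either keep it here or say in the commit message why AUDIT_OFF is needed in this stub as well; a plain 0 would avoid depending on the value of either constant.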