lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <2424177.54a8UTzN38@x2>
Date:	Mon, 26 Nov 2012 09:14:03 -0500
From:	Steve Grubb <sgrubb@...hat.com>
To:	Kees Cook <keescook@...omium.org>
Cc:	linux-kernel@...r.kernel.org, Al Viro <viro@...iv.linux.org.uk>,
	Eric Paris <eparis@...hat.com>,
	Jeff Layton <jlayton@...hat.com>,
	"Eric W. Biederman" <ebiederm@...ssion.com>,
	Julien Tinnes <jln@...gle.com>, Will Drewry <wad@...gle.com>,
	linux-audit@...hat.com
Subject: Re: [PATCH] audit: create explicit AUDIT_SECCOMP event type

On Monday, November 19, 2012 01:56:53 PM Kees Cook wrote:
> The seccomp path was using AUDIT_ANOM_ABEND from when seccomp mode 1
> could only kill a process. While we still want to make sure an audit
> record is forced on a kill, this should use a separate record type since
> seccomp mode 2 introduces other behaviors. In the case of "handled"
> behaviors (process wasn't killed), only emit a record if the process is
> under inspection.

Under the old record type, we know that the process is being terminated. 
Therefore the meaning of the action is known as its implicit in the record 
type. With this new type, we need to record what behavior is being enforced on 
the process. I don't see where that is being recorded.

Could we add that?

Thanks,
-Steve


> Cc: Julien Tinnes <jln@...gle.com>
> Cc: Will Drewry <wad@...gle.com>
> Signed-off-by: Kees Cook <keescook@...omium.org>
> ---
>  include/linux/audit.h      |    3 ++-
>  include/uapi/linux/audit.h |    1 +
>  kernel/auditsc.c           |   14 +++++++++++---
>  3 files changed, 14 insertions(+), 4 deletions(-)
> 
> diff --git a/include/linux/audit.h b/include/linux/audit.h
> index bce729a..9d5104d 100644
> --- a/include/linux/audit.h
> +++ b/include/linux/audit.h
> @@ -157,7 +157,8 @@ void audit_core_dumps(long signr);
> 
>  static inline void audit_seccomp(unsigned long syscall, long signr, int
> code) {
> -	if (unlikely(!audit_dummy_context()))
> +	/* Force a record to be reported if a signal was delivered. */
> +	if (signr || unlikely(!audit_dummy_context()))
>  		__audit_seccomp(syscall, signr, code);
>  }
> 
> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> index 76352ac..09a2d94 100644
> --- a/include/uapi/linux/audit.h
> +++ b/include/uapi/linux/audit.h
> @@ -106,6 +106,7 @@
>  #define AUDIT_MMAP		1323	/* Record showing descriptor and flags in 
mmap */
>  #define AUDIT_NETFILTER_PKT	1324	/* Packets traversing netfilter chains 
*/
>  #define AUDIT_NETFILTER_CFG	1325	/* Netfilter chain modifications */
> +#define AUDIT_SECCOMP		1326	/* Secure Computing event */
> 
>  #define AUDIT_AVC		1400	/* SE Linux avc denial or grant */
>  #define AUDIT_SELINUX_ERR	1401	/* Internal SE Linux Errors */
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 2f186ed..157e989 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -2735,7 +2735,7 @@ void __audit_mmap_fd(int fd, int flags)
>  	context->type = AUDIT_MMAP;
>  }
> 
> -static void audit_log_abend(struct audit_buffer *ab, char *reason, long
> signr) +static void audit_log_task(struct audit_buffer *ab)
>  {
>  	kuid_t auid, uid;
>  	kgid_t gid;
> @@ -2753,6 +2753,11 @@ static void audit_log_abend(struct audit_buffer *ab,
> char *reason, long signr) audit_log_task_context(ab);
>  	audit_log_format(ab, " pid=%d comm=", current->pid);
>  	audit_log_untrustedstring(ab, current->comm);
> +}
> +
> +static void audit_log_abend(struct audit_buffer *ab, char *reason, long
> signr) +{
> +	audit_log_task(ab);
>  	audit_log_format(ab, " reason=");
>  	audit_log_string(ab, reason);
>  	audit_log_format(ab, " sig=%ld", signr);
> @@ -2783,8 +2788,11 @@ void __audit_seccomp(unsigned long syscall, long
> signr, int code) {
>  	struct audit_buffer *ab;
> 
> -	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
> -	audit_log_abend(ab, "seccomp", signr);
> +	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_SECCOMP);
> +	if (unlikely(!ab))
> +		return;
> +	audit_log_task(ab);
> +	audit_log_format(ab, " sig=%ld", signr);
>  	audit_log_format(ab, " syscall=%ld", syscall);
>  	audit_log_format(ab, " compat=%d", is_compat_task());
>  	audit_log_format(ab, " ip=0x%lx", KSTK_EIP(current));
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ