
seccomp: remove duplicated failure logging

This consolidates the seccomp filter error logging path and adds more
details to the audit log.

Signed-off-by: Will Drewry <wad@chromium.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Eric Paris <eparis@redhat.com>

v18: make compat= permanent in the record
v15: added a return code to the audit_seccomp path by wad@chromium.org
(suggested by eparis@redhat.com)
v*: original by keescook@chromium.org
Signed-off-by: James Morris <james.l.morris@oracle.com>

authored by

Kees Cook and committed by
James Morris
3dc1c1b2 e2cfabdf

+11 -20
+4 -4
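--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -463,7 +463,7 @@
 extern void __audit_inode(const char *name, const struct dentry *dentry);
 extern void __audit_inode_child(const struct dentry *dentry,
 const struct inode *parent);
-extern void __audit_seccomp(unsigned long syscall);
+extern void __audit_seccomp(unsigned long syscall, long signr, int code);
 extern void __audit_ptrace(struct task_struct *t);
 
 static inline int audit_dummy_context(void)
@@ -508,10 +508,10 @@
 }
 void audit_core_dumps(long signr);
 
-static inline void audit_seccomp(unsigned long syscall)
+static inline void audit_seccomp(unsigned long syscall, long signr, int code)
 {
 if (unlikely(!audit_dummy_context()))
-__audit_seccomp(syscall);
+__audit_seccomp(syscall, signr, code);
 }
 
 static inline void audit_ptrace(struct task_struct *t)
@@ -634,7 +634,7 @@
 #define audit_inode(n,d) do { (void)(d); } while (0)
 #define audit_inode_child(i,p) do { ; } while (0)
 #define audit_core_dumps(i) do { ; } while (0)
-#define audit_seccomp(i) do { ; } while (0)
+#define audit_seccomp(i,s,c) do { ; } while (0)
 #define auditsc_get_stamp(c,t,s) (0)
 #define audit_get_loginuid(t) (-1)
 #define audit_get_sessionid(t) (-1)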
+6 -2
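--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -67,6 +67,7 @@
 #include <linux/syscalls.h>
 #include <linux/capability.h>
 #include <linux/fs_struct.h>
+#include <linux/compat.h>
 
 #include "audit.h"
 
@@ -2711,13 +2710,16 @@
 audit_log_end(ab);
 }
 
-void __audit_seccomp(unsigned long syscall)
+void __audit_seccomp(unsigned long syscall, long signr, int code)
 {
 struct audit_buffer *ab;
 
 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
-audit_log_abend(ab, "seccomp", SIGKILL);
+audit_log_abend(ab, "seccomp", signr);
 audit_log_format(ab, " syscall=%ld", syscall);
+audit_log_format(ab, " compat=%d", is_compat_task());
+audit_log_format(ab, " ip=0x%lx", KSTK_EIP(current));
+audit_log_format(ab, " code=0x%x", code);
 audit_log_end(ab);
 }
 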
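Review bot: `__audit_seccomp` now calls `is_compat_task()` unconditionally, whereas the helper it replaces in kernel/seccomp.c wrapped that call in `#ifdef CONFIG_COMPAT`; this relies on the newly included `<linux/compat.h>` supplying a stub for !CONFIG_COMPAT builds, which is worth confirming for every architecture seccomp filtering can be enabled on. The function also gains two parameters without a kerneldoc comment; a header such as `/** __audit_seccomp - record a seccomp-triggered abnormal end of @current; @syscall: blocked syscall number, @signr: signal the task dies with, @code: the SECCOMP_RET_* action that triggered it */` would document the contract at the definition. `audit_log_start()` can return NULL and `ab` is not checked before use, but that predates this change and the audit_log_* callees are presumably NULL-tolerant.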
+1 -14
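--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -60,18 +60,6 @@
 /* Limit any path through the tree to 256KB worth of instructions. */
 #define MAX_INSNS_PER_PATH ((1 << 18) / sizeof(struct sock_filter))
 
-static void seccomp_filter_log_failure(int syscall)
-{
-int compat = 0;
-#ifdef CONFIG_COMPAT
-compat = is_compat_task();
-#endif
-pr_info("%s[%d]: %ssystem call %d blocked at 0x%lx\n",
-current->comm, task_pid_nr(current),
-(compat ? "compat " : ""),
-syscall, KSTK_EIP(current));
-}
-
 /**
 * get_u32 - returns a u32 offset into data
 * @data: a unsigned 64 bit value
@@ -369,7 +381,6 @@
 case SECCOMP_MODE_FILTER:
 if (seccomp_run_filters(this_syscall) == SECCOMP_RET_ALLOW)
 return;
-seccomp_filter_log_failure(this_syscall);
 exit_sig = SIGSYS;
 break;
 #endif
@@ -379,7 +392,7 @@
 #ifdef SECCOMP_DEBUG
 dump_stack();
 #endif
-audit_seccomp(this_syscall);
+audit_seccomp(this_syscall, exit_code, SECCOMP_RET_KILL);
 do_exit(exit_sig);
 }
 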
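Review bot: The signal written into the audit record comes from `exit_code`, while the task is terminated with `exit_sig` on the very next line and `exit_sig` is what the filter path sets to SIGSYS; `exit_code` is not assigned in any visible hunk, so unless it mirrors `exit_sig` the record's signr field will not match the signal actually delivered. If the two are meant to be the same value, passing it directly, `audit_seccomp(this_syscall, exit_sig, SECCOMP_RET_KILL);`, removes the ambiguity. Dropping `seccomp_filter_log_failure()` also means a filter-blocked syscall is no longer reported through the kernel log at all; with CONFIG_AUDITSYSCALL the inline wrapper only emits the record when the task has a non-dummy audit context, so systems without audit enabled lose that visibility, which is worth stating in the commit message if intended. The enclosing __secure_computing() starts outside the hunk.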