
seccomp: audit abnormal end to a process due to seccomp

The audit system likes to collect information about processes that end
abnormally (SIGSEGV) as this may be useful intrusion detection information.
This patch adds audit support to collect information when seccomp forces a
task to exit because of misbehavior in a similar way.

Signed-off-by: Eric Paris <eparis@redhat.com>

authored by

Eric Paris and committed by
Al Viro
85e7bac3 16c174bd

+39 -21
+8
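--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -430,7 +430,8 @@
 extern void __audit_inode(const char *name, const struct dentry *dentry);
 extern void __audit_inode_child(const struct dentry *dentry,
 const struct inode *parent);
+extern void __audit_seccomp(unsigned long syscall);
 extern void __audit_ptrace(struct task_struct *t);
 
 static inline int audit_dummy_context(void)
@@ -453,6 +452,12 @@
 __audit_inode_child(dentry, parent);
 }
 void audit_core_dumps(long signr);
+
+static inline void audit_seccomp(unsigned long syscall)
+{
+if (unlikely(!audit_dummy_context()))
+__audit_seccomp(syscall);
+}
 
 static inline void audit_ptrace(struct task_struct *t)
 {
@@ -565,6 +558,7 @@
 #define audit_inode(n,d) do { (void)(d); } while (0)
 #define audit_inode_child(i,p) do { ; } while (0)
 #define audit_core_dumps(i) do { ; } while (0)
+#define audit_seccomp(i) do { ; } while (0)
 #define auditsc_get_stamp(c,t,s) (0)
 #define audit_get_loginuid(t) (-1)
 #define audit_get_sessionid(t) (-1)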
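Review bot: The new `audit_seccomp()` inline only calls `__audit_seccomp()` when `audit_dummy_context()` is false, whereas `audit_core_dumps()` in kernel/auditsc.c (same commit) appears to record every abend once `audit_enabled` is set; if `audit_dummy_context()` is true for tasks that have no audit context, as its name suggests, such a task killed by seccomp produces no ANOM_ABEND record at all, which is a coverage gap for anyone relying on these records for detection. If the asymmetry is intentional it should be stated next to the wrapper, e.g. `/* recorded only for tasks with a live audit context; core dumps are logged whenever auditing is enabled */`. Otherwise `__audit_seccomp()` should gate on `audit_enabled` the way `audit_core_dumps()` does rather than on the per-task context.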
+29 -21
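--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2529,6 +2529,25 @@
 context->type = AUDIT_MMAP;
 }
 
+static void audit_log_abend(struct audit_buffer *ab, char *reason, long signr)
+{
+uid_t auid, uid;
+gid_t gid;
+unsigned int sessionid;
+
+auid = audit_get_loginuid(current);
+sessionid = audit_get_sessionid(current);
+current_uid_gid(&uid, &gid);
+
+audit_log_format(ab, "auid=%u uid=%u gid=%u ses=%u",
+auid, uid, gid, sessionid);
+audit_log_task_context(ab);
+audit_log_format(ab, " pid=%d comm=", current->pid);
+audit_log_untrustedstring(ab, current->comm);
+audit_log_format(ab, " reason=");
+audit_log_string(ab, reason);
+audit_log_format(ab, " sig=%ld", signr);
+}
 /**
 * audit_core_dumps - record information about processes that end abnormally
 * @signr: signal value
@@ -2558,10 +2539,6 @@
 void audit_core_dumps(long signr)
 {
 struct audit_buffer *ab;
-u32 sid;
-uid_t auid = audit_get_loginuid(current), uid;
-gid_t gid;
-unsigned int sessionid = audit_get_sessionid(current);
 
 if (!audit_enabled)
 return;
@@ -2566,24 +2551,17 @@
 return;
 
 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
-current_uid_gid(&uid, &gid);
-audit_log_format(ab, "auid=%u uid=%u gid=%u ses=%u",
-auid, uid, gid, sessionid);
-security_task_getsecid(current, &sid);
-if (sid) {
-char *ctx = NULL;
-u32 len;
+audit_log_abend(ab, "memory violation", signr);
+audit_log_end(ab);
+}
 
-if (security_secid_to_secctx(sid, &ctx, &len))
-audit_log_format(ab, " ssid=%u", sid);
-else {
-audit_log_format(ab, " subj=%s", ctx);
-security_release_secctx(ctx, len);
-}
-}
-audit_log_format(ab, " pid=%d comm=", current->pid);
-audit_log_untrustedstring(ab, current->comm);
-audit_log_format(ab, " sig=%ld", signr);
+void __audit_seccomp(unsigned long syscall)
+{
+struct audit_buffer *ab;
+
+ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
+audit_log_abend(ab, "seccomp", SIGKILL);
+audit_log_format(ab, " syscall=%ld", syscall);
 audit_log_end(ab);
 }
 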
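Review bot: In `__audit_seccomp()` the `syscall` parameter is `unsigned long` but is printed with `%ld`; it should be `audit_log_format(ab, " syscall=%lu", syscall);` so the conversion matches the argument type and -Wformat stays quiet. The `reason` parameter of `audit_log_abend()` is only ever passed string literals and only read, so its type should be `const char *reason`. Neither `audit_log_abend()` nor `__audit_seccomp()` has a kernel-doc header while the adjacent `audit_core_dumps()` does; a short comment on `__audit_seccomp()` stating that it emits an AUDIT_ANOM_ABEND record with reason=seccomp, sig=SIGKILL and the attempted syscall number would keep the file consistent. Note also that `__audit_seccomp()` does not check `audit_enabled` the way `audit_core_dumps()` does (visible in the second hunk), so it relies entirely on the `audit_seccomp()` wrapper in include/linux/audit.h to gate the call.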
+2
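--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -6,6 +6,7 @@
 * This defines a simple but solid secure-computing mode.
 */
 
+#include <linux/audit.h>
 #include <linux/seccomp.h>
 #include <linux/sched.h>
 #include <linux/compat.h>
@@ -55,6 +54,7 @@
 #ifdef SECCOMP_DEBUG
 dump_stack();
 #endif
+audit_seccomp(this_syscall);
 do_exit(SIGKILL);
 }
 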
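Review bot: The record produced for this kill carries only the raw `this_syscall` number; since this file also includes `<linux/compat.h>` it presumably handles compat (32-bit) tasks, whose syscall numbers come from a different table, so a consumer of the ANOM_ABEND record cannot tell which ABI `syscall=N` refers to. Consider recording whether the task is a compat task (or the syscall ABI/arch) alongside the number, or at least documenting the ambiguity at the call site, e.g. `/* syscall number is ABI-relative; see __audit_seccomp() */`. The enclosing function starts outside this hunk.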