Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

[PATCH] auditing ptrace

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

Al Viro a5cb013d 129a84de

+42
+10
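--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -91,6 +91,7 @@
 #define AUDIT_MQ_GETSETATTR 1315 /* POSIX MQ get/set attribute record type */
 #define AUDIT_KERNEL_OTHER 1316 /* For use by 3rd party modules */
 #define AUDIT_FD_PAIR 1317 /* audit record for pipe/socketpair */
+#define AUDIT_OBJ_PID 1318 /* ptrace target */
 
 #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
 #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
@@ -352,6 +353,8 @@
 extern void __audit_inode_child(const char *dname, const struct inode *inode,
 const struct inode *parent);
 extern void __audit_inode_update(const struct inode *inode);
+extern void __audit_ptrace(struct task_struct *t);
+
 static inline int audit_dummy_context(void)
 {
 void *p = current->audit_context;
@@ -375,6 +378,12 @@
 static inline void audit_inode_update(const struct inode *inode) {
 if (unlikely(!audit_dummy_context()))
 __audit_inode_update(inode);
+}
+
+static inline void audit_ptrace(struct task_struct *t)
+{
+if (unlikely(!audit_dummy_context()))
+__audit_ptrace(t);
 }
 
 /* Private API (for audit.c only) */
@@ -477,6 +486,7 @@
 #define audit_mq_timedreceive(d,l,p,t) ({ 0; })
 #define audit_mq_notify(d,n) ({ 0; })
 #define audit_mq_getsetattr(d,s) ({ 0; })
+#define audit_ptrace(t) ((void)0)
 #define audit_n_rules 0
 #endif
 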
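Review bot: The comment on the new record type, `/* ptrace target */`, does not say what the record carries, and this header is the first place people writing log parsers and detection rules look. Going by the auditsc.c section of this commit, the record has an `opid=` field and an `obj=` field holding the target's SELinux context, so I would write `#define AUDIT_OBJ_PID 1318 /* ptrace target: opid=, obj= */`. The new `audit_ptrace()` inline could also take a one-line comment saying that it is a no-op whenever `audit_dummy_context()` is true.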
+29
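--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -209,6 +209,9 @@
 unsigned long personality;
 int arch;
 
+pid_t target_pid;
+u32 target_sid;
+
 #if AUDIT_DEBUG
 int put_count;
 int ino_count;
@@ -973,6 +976,23 @@
 audit_log_end(ab);
 }
 
+if (context->target_pid) {
+ab =audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID);
+if (ab) {
+char *s = NULL, *t;
+u32 len;
+if (selinux_sid_to_string(context->target_sid,
+&s, &len))
+t = "(none)";
+else
+t = s;
+audit_log_format(ab, "opid=%d obj=%s",
+context->target_pid, t);
+audit_log_end(ab);
+kfree(s);
+}
+}
+
 if (context->pwd && context->pwdmnt) {
 ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD);
 if (ab) {
@@ -1193,6 +1213,7 @@
 } else {
 audit_free_names(context);
 audit_free_aux(context);
+context->target_pid = 0;
 kfree(context->filterkey);
 context->filterkey = NULL;
 tsk->audit_context = context;
@@ -1878,6 +1899,14 @@
 ax->d.next = context->aux;
 context->aux = (void *)ax;
 return 0;
+}
+
+void __audit_ptrace(struct task_struct *t)
+{
+struct audit_context *context = current->audit_context;
+
+context->target_pid = t->pid;
+selinux_get_task_sid(t, &context->target_sid);
 }
 
 /**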
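Review bot: `__audit_ptrace()` dereferences `current->audit_context` with no NULL check, so it is safe only when reached through the `audit_ptrace()` inline in audit.h, which tests `audit_dummy_context()` first. The function also has no kernel-doc block, although the next definition in the file opens with `/**`. I would add a kernel-doc comment naming the parameter, saying that it stores the target's pid and SELinux SID in the caller's audit context for the AUDIT_OBJ_PID record, and stating that callers must use the wrapper. In the record-emitting hunk `context->target_pid` doubles as the "record present" flag and only the reuse branch shown clears it; whether a newly allocated context starts zeroed is outside the hunks and worth confirming. Minor style: `ab =audit_log_start(` is missing a space after `=`.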
+3
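--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
@@ -18,6 +18,7 @@
 #include <linux/ptrace.h>
 #include <linux/security.h>
 #include <linux/signal.h>
+#include <linux/audit.h>
 
 #include <asm/pgtable.h>
 #include <asm/uaccess.h>
@@ -160,6 +161,8 @@
 int ptrace_attach(struct task_struct *task)
 {
 int retval;
+
+audit_ptrace(task);
 
 retval = -EPERM;
 if (task->pid <= 1)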
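Review bot: `audit_ptrace(task)` sits at the very top of `ptrace_attach()`, ahead of the `retval = -EPERM` checks that follow in the hunk, so the target is recorded for refused attaches as well as successful ones. That is what an audit trail needs, but nothing in the code says it is deliberate, and a later cleanup that moves the call below the checks would silently drop denied attempts from the log. I would add a comment above the call: `/* record the target before any permission check so refused attaches are audited too */`. Only the `ptrace_attach()` path is visible here, so whether other ways of establishing a trace relationship (for example PTRACE_TRACEME) need the same hook cannot be judged from this hunk. The body of `ptrace_attach()` continues outside the hunk.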