Add uid, loginuid, and comm collection to OBJ_PID records. This just
gives users a little more information about the task that received a
signal. pid is rather meaningless after the fact, and even though comm
isn't great we can't collect exe reasonably on this code path for
performance reasons.
Signed-off-by: Eric Paris <[EMAIL PROTECTED]>
---
changes since -v2
- change ordering to put auid before uid
- add 'o' to everything in the record
- use uid_t not pid_t (types are hard)
type=OBJ_PID msg=audit(12/12/2007 17:06:05.328:17) : opid=2223 oauid=0
ouid=root obj=root:system_r:unconfined_t:s0-s0:c0.c1023 ocomm="tmp"
type=OBJ_PID msg=audit(12/12/2007 17:06:05.328:17) : opid=2222 oauid=0
ouid=root obj=root:system_r:unconfined_t:s0-s0:c0.c1023 ocomm="tmp"
type=SYSCALL msg=audit(12/12/2007 17:06:05.328:17) : arch=x86_64 syscall=kill
success=yes exit=0 a0=fffff752 a1=9 a2=0 a3=0 items=0 ppid=2191 pid=2221
auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
fsgid=root tty=pts0 comm=tmp exe=/tmp/tmp
subj=root:system_r:unconfined_t:s0-s0:c0.c1023 key=(null)
----
type=OBJ_PID msg=audit(12/12/2007 17:07:16.389:38) : opid=2291 oauid=0
ouid=test obj=root:system_r:httpd_t:s0-s0:c0.c1023 ocomm="bash"
type=SYSCALL msg=audit(12/12/2007 17:07:16.389:38) : arch=x86_64 syscall=kill
success=yes exit=0 a0=8f3 a1=f a2=0 a3=0 items=0 ppid=2186 pid=2191 auid=root
uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root
tty=pts0 comm=bash exe=/bin/bash subj=root:system_r:unconfined_t:s0-s0:c0.c1023
key=(null)
kernel/auditsc.c | 32 +++++++++++++++++++++++++++-----
1 files changed, 27 insertions(+), 5 deletions(-)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index bce9ecd..6d53e75 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -176,7 +176,10 @@ struct audit_aux_data_fd_pair {
struct audit_aux_data_pids {
struct audit_aux_data d;
pid_t target_pid[AUDIT_AUX_PIDS];
+ uid_t target_auid[AUDIT_AUX_PIDS];
+ uid_t target_uid[AUDIT_AUX_PIDS];
u32 target_sid[AUDIT_AUX_PIDS];
+ char target_comm[AUDIT_AUX_PIDS][TASK_COMM_LEN];
int pid_count;
};
@@ -215,7 +218,10 @@ struct audit_context {
int arch;
pid_t target_pid;
+ uid_t target_auid;
+ uid_t target_uid;
u32 target_sid;
+ char target_comm[TASK_COMM_LEN];
struct audit_tree_refs *trees, *first_trees;
int tree_count;
@@ -922,7 +928,7 @@ static void audit_log_task_info(struct audit_buffer *ab,
struct task_struct *tsk
}
static int audit_log_pid_context(struct audit_context *context, pid_t pid,
- u32 sid)
+ uid_t auid, uid_t uid, u32 sid, char *comm)
{
struct audit_buffer *ab;
char *s = NULL;
@@ -933,11 +939,14 @@ static int audit_log_pid_context(struct audit_context
*context, pid_t pid,
if (!ab)
return 1;
+ audit_log_format(ab, "opid=%d oauid=%d ouid=%d", pid, auid, uid);
if (selinux_sid_to_string(sid, &s, &len)) {
- audit_log_format(ab, "opid=%d obj=(none)", pid);
+ audit_log_format(ab, " obj=(none)");
rc = 1;
} else
- audit_log_format(ab, "opid=%d obj=%s", pid, s);
+ audit_log_format(ab, " obj=%s", s);
+ audit_log_format(ab, " ocomm=");
+ audit_log_untrustedstring(ab, comm);
audit_log_end(ab);
kfree(s);
@@ -1168,13 +1177,17 @@ static void audit_log_exit(struct audit_context
*context, struct task_struct *ts
for (i = 0; i < axs->pid_count; i++)
if (audit_log_pid_context(context, axs->target_pid[i],
- axs->target_sid[i]))
+ axs->target_auid[i],
+ axs->target_uid[i],
+ axs->target_sid[i],
+ axs->target_comm[i]))
call_panic = 1;
}
if (context->target_pid &&
audit_log_pid_context(context, context->target_pid,
- context->target_sid))
+ context->target_auid, context->target_uid,
+ context->target_sid, context->target_comm))
call_panic = 1;
if (context->pwd && context->pwdmnt) {
@@ -2193,7 +2206,10 @@ void __audit_ptrace(struct task_struct *t)
struct audit_context *context = current->audit_context;
context->target_pid = t->pid;
+ context->target_auid = audit_get_loginuid(t->audit_context);
+ context->target_uid = t->uid;
selinux_get_task_sid(t, &context->target_sid);
+ memcpy(context->target_comm, t->comm, TASK_COMM_LEN);
}
/**
@@ -2230,7 +2246,10 @@ int __audit_signal_info(int sig, struct task_struct *t)
* in audit_context */
if (!ctx->target_pid) {
ctx->target_pid = t->tgid;
+ ctx->target_auid = audit_get_loginuid(t->audit_context);
+ ctx->target_uid = t->uid;
selinux_get_task_sid(t, &ctx->target_sid);
+ memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN);
return 0;
}
@@ -2247,7 +2266,10 @@ int __audit_signal_info(int sig, struct task_struct *t)
BUG_ON(axp->pid_count >= AUDIT_AUX_PIDS);
axp->target_pid[axp->pid_count] = t->tgid;
+ axp->target_auid[axp->pid_count] = audit_get_loginuid(t->audit_context);
+ axp->target_uid[axp->pid_count] = t->uid;
selinux_get_task_sid(t, &axp->target_sid[axp->pid_count]);
+ memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN);
axp->pid_count++;
return 0;
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
