Re: [PATCH 1/1] Added exe field to audit core dump signal log

Wed, 20 Nov 2013 13:50:12 -0800 

On Thu, Nov 14, 2013 at 08:56:57AM +0530, Paul Davies C wrote:
> Currently when the coredump signals are logged by the audit system , the
> actual path to the executable is not logged. Without details of exe , the
> system admin may not have an exact idea on what program failed.
> 
> This patch changes the audit_log_task() so that the path to the exe is also
> logged.

Out of curiosity, on which platform are you observing this?  This sounds
related to Bill Roberts' recent cmdline patches.

I also wonder how reliable this is, or whether it could have been 
changed from under us by deletion or rename after invocation.

This BZ sounds related:
        https://bugzilla.redhat.com/show_bug.cgi?id=837856
        https://bugzilla.redhat.com/show_bug.cgi?id=831684

> Signed-off-by: Paul Davies C <[email protected]>
> ---
>  kernel/auditsc.c |    7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 9845cb3..988de72 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -2353,6 +2353,7 @@ static void audit_log_task(struct audit_buffer *ab)
>       kuid_t auid, uid;
>       kgid_t gid;
>       unsigned int sessionid;
> +     struct mm_struct *mm = current->mm;
>  
>       auid = audit_get_loginuid(current);
>       sessionid = audit_get_sessionid(current);
> @@ -2366,6 +2367,12 @@ static void audit_log_task(struct audit_buffer *ab)
>       audit_log_task_context(ab);
>       audit_log_format(ab, " pid=%d comm=", current->pid);
>       audit_log_untrustedstring(ab, current->comm);
> +     if (mm) {
> +             down_read(&mm->mmap_sem);
> +             if (mm->exe_file)
> +                     audit_log_d_path(ab, " exe=", &mm->exe_file->f_path);
> +             up_read(&mm->mmap_sem);
> +     }
>  }
>  
>  static void audit_log_abend(struct audit_buffer *ab, char *reason, long 
> signr)
> -- 
> 1.7.9.5

- RGB

--
Richard Guy Briggs <[email protected]>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red 
Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit

Reply via email to