Currently when the coredump signals are logged by the audit system , the actual path to the executable is not logged. Without details of exe , the system admin may not have an exact idea on what program failed.
This patch changes the audit_log_task() so that the path to the exe is also logged. Signed-off-by: Paul Davies C <[email protected]> --- kernel/auditsc.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 9845cb3..53ecc02 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -2353,6 +2353,7 @@ static void audit_log_task(struct audit_buffer *ab) kuid_t auid, uid; kgid_t gid; unsigned int sessionid; + struct mm_struct *mm = current->mm; auid = audit_get_loginuid(current); sessionid = audit_get_sessionid(current); @@ -2366,6 +2367,13 @@ static void audit_log_task(struct audit_buffer *ab) audit_log_task_context(ab); audit_log_format(ab, " pid=%d comm=", current->pid); audit_log_untrustedstring(ab, current->comm); + if (mm) { + down_read(&mm->mmap_sem); + if (mm->exe_file) + audit_log_d_path(ab, " exe=", &mm->exe_file->f_path); + up_read(&mm->mmap_sem); + } else + audit_log_format(ab, " exe=(null)"); } static void audit_log_abend(struct audit_buffer *ab, char *reason, long signr) -- 1.7.9.5 -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
