On 2019-04-09 08:01, Steve Grubb wrote:
> On Mon, 8 Apr 2019 23:52:29 -0400
> Richard Guy Briggs <[email protected]> wrote:
>
> > When a process signals the audit daemon (shutdown, rotate, resume,
> > reconfig) but syscall auditing is not enabled, we still want to know
> > the identity of the process sending the signal to the audit daemon.
>
> Why? If syscall auditing is disabled, then there is no requirement to
> provide anything. What is the real problem that you are seeing?

Shutdown messages with -1 in them rather than the real values. > -Steve > > > Move audit_signal_info() out of syscall auditing to general auditing > > but create a new function audit_signal_info_syscall() to take care of > > the syscall dependent parts for when syscall auditing is enabled. > > > > Please see the github kernel audit issue > > https://github.com/linux-audit/audit-kernel/issues/111 > > > > Signed-off-by: Richard Guy Briggs <[email protected]> > > --- > > include/linux/audit.h | 6 ++++++ > > kernel/audit.c | 27 +++++++++++++++++++++++++++ > > kernel/audit.h | 4 ++-- > > kernel/auditsc.c | 19 +++---------------- > > kernel/signal.c | 2 +- > > 5 files changed, 39 insertions(+), 19 deletions(-) > > > > diff --git a/include/linux/audit.h b/include/linux/audit.h > > index 1e69d9fe16da..4a22fc3f824f 100644 > > --- a/include/linux/audit.h > > +++ b/include/linux/audit.h > > @@ -173,6 +173,9 @@ static inline unsigned int > > audit_get_sessionid(struct task_struct *tsk) } > > > > extern u32 audit_enabled; > > + > > +extern int audit_signal_info(int sig, struct task_struct *t); > > + > > #else /* CONFIG_AUDIT */ > > static inline __printf(4, 5) > > void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, > > @@ -226,6 +229,9 @@ static inline unsigned int > > audit_get_sessionid(struct task_struct *tsk) } > > > > #define audit_enabled AUDIT_OFF > > + > > +#define audit_signal_info(s, t) AUDIT_OFF > > + > > #endif /* CONFIG_AUDIT */ > > > > #ifdef CONFIG_AUDIT_COMPAT_GENERIC > > diff --git a/kernel/audit.c b/kernel/audit.c > > index b96bf69183f4..67399ff72d43 100644 > > --- a/kernel/audit.c > > +++ b/kernel/audit.c 
> > @@ -2274,6 +2274,33 @@ int audit_set_loginuid(kuid_t loginuid) > > } > > > > /** > > + * audit_signal_info - record signal info for shutting down audit > > subsystem > > + * @sig: signal value > > + * @t: task being signaled > > + * > > + * If the audit subsystem is being terminated, record the task (pid) > > + * and uid that is doing that. > > + */ > > +int audit_signal_info(int sig, struct task_struct *t) > > +{ > > + kuid_t uid = current_uid(), auid; > > + > > + if (auditd_test_task(t) && > > + (sig == SIGTERM || sig == SIGHUP || > > + sig == SIGUSR1 || sig == SIGUSR2)) { > > + audit_sig_pid = task_tgid_nr(current); > > + auid = audit_get_loginuid(current); > > + if (uid_valid(auid)) > > + audit_sig_uid = auid; > > + else > > + audit_sig_uid = uid; > > + security_task_getsecid(current, &audit_sig_sid); > > + } > > + > > + return audit_signal_info_syscall(t); > > +} > > + > > +/** > > * audit_log_end - end one audit record > > * @ab: the audit_buffer > > * > > diff --git a/kernel/audit.h b/kernel/audit.h > > index 958d5b8fc1b3..18a8ae812e9f 100644 > > --- a/kernel/audit.h > > +++ b/kernel/audit.h > > @@ -299,7 +299,7 @@ extern bool audit_tree_match(struct audit_chunk > > *chunk, extern void audit_put_tree(struct audit_tree *tree); > > extern void audit_kill_trees(struct audit_context *context); > > > > -extern int audit_signal_info(int sig, struct task_struct *t); > > +extern int audit_signal_info_syscall(struct task_struct *t); > > extern void audit_filter_inodes(struct task_struct *tsk, > > struct audit_context *ctx); > > extern struct list_head *audit_killed_trees(void); > > @@ -330,7 +330,7 @@ extern void audit_filter_inodes(struct > > task_struct *tsk, #define audit_tree_path(rule) "" /* never > > called */ #define audit_kill_trees(context) BUG() > > > > -#define audit_signal_info(s, t) AUDIT_DISABLED > > +#define audit_signal_info_syscall(t) AUDIT_OFF > > #define audit_filter_inodes(t, c) AUDIT_DISABLED > > #endif /* CONFIG_AUDITSYSCALL */ 
> > > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > > index 98a98e6dca05..dbd43d84c347 100644 > > --- a/kernel/auditsc.c > > +++ b/kernel/auditsc.c > > @@ -2370,30 +2370,17 @@ void __audit_ptrace(struct task_struct *t) > > } > > > > /** > > - * audit_signal_info - record signal info for shutting down audit > > subsystem > > - * @sig: signal value > > + * audit_signal_info_syscall - record signal info for syscalls > > * @t: task being signaled > > * > > * If the audit subsystem is being terminated, record the task (pid) > > * and uid that is doing that. > > */ > > -int audit_signal_info(int sig, struct task_struct *t) > > +int audit_signal_info_syscall(struct task_struct *t) > > { > > struct audit_aux_data_pids *axp; > > struct audit_context *ctx = audit_context(); > > - kuid_t uid = current_uid(), auid, t_uid = task_uid(t); > > - > > - if (auditd_test_task(t) && > > - (sig == SIGTERM || sig == SIGHUP || > > - sig == SIGUSR1 || sig == SIGUSR2)) { > > - audit_sig_pid = task_tgid_nr(current); > > - auid = audit_get_loginuid(current); > > - if (uid_valid(auid)) > > - audit_sig_uid = auid; > > - else > > - audit_sig_uid = uid; > > - security_task_getsecid(current, &audit_sig_sid); > > - } > > + kuid_t t_uid = task_uid(t); > > > > if (!audit_signals || audit_dummy_context()) > > return 0; > > diff --git a/kernel/signal.c b/kernel/signal.c > > index b7953934aa99..73db5dfa797d 100644 > > --- a/kernel/signal.c > > +++ b/kernel/signal.c > > @@ -43,6 +43,7 @@ > > #include <linux/compiler.h> > > #include <linux/posix-timers.h> > > #include <linux/livepatch.h> > > +#include <linux/audit.h> /* audit_signal_info() */ > > > > #define CREATE_TRACE_POINTS > > #include <trace/events/signal.h> 
> > @@ -52,7 +53,6 @@ > > #include <asm/unistd.h> > > #include <asm/siginfo.h> > > #include <asm/cacheflush.h> > > -#include "audit.h" /* audit_signal_info() */ > > > > /* > > * SLAB caches for signal bits. > - RGB -- Richard Guy Briggs <[email protected]> Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635 -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
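Review bot: the no-op stubs return an audit_enabled state constant from functions declared as returning int, in the !CONFIG_AUDIT branch of include/linux/audit.h (`#define audit_signal_info(s, t) AUDIT_OFF`) and the !CONFIG_AUDITSYSCALL branch of kernel/audit.h (`#define audit_signal_info_syscall(t) AUDIT_OFF`). The real functions return a status that audit_signal_info() passes straight through with `return audit_signal_info_syscall(t);`, so a static inline returning 0 would say what is meant and keep type checking on the arguments. The kernel/audit.h stub also changes from the AUDIT_DISABLED it replaces, and which the neighbouring audit_filter_inodes() stub still uses, without the commit message saying why.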
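Review bot: the kernel-doc body left on audit_signal_info_syscall() in the kernel/auditsc.c hunk is stale. It still reads "If the audit subsystem is being terminated, record the task (pid) and uid that is doing that", but the block that set audit_sig_pid, audit_sig_uid and audit_sig_sid is removed from this function and now lives in kernel/audit.c. Only the summary line was updated; the description should cover what remains here, starting from the `if (!audit_signals || audit_dummy_context())` check.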
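Review bot: the kernel-doc for the new audit_signal_info() in the kernel/audit.c hunk has no description of the return value, which now comes entirely from `return audit_signal_info_syscall(t);` and becomes a constant when CONFIG_AUDITSYSCALL is off. A "Return:" line would make that contract visible to the caller in kernel/signal.c. The commit message would also be clearer if it named the symptom given in the reply above, shutdown messages carrying -1 instead of the real values, since that is what the move out of syscall auditing fixes.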
