Hi,

Have these patches been picked up? I haven't seen any activity in the Audit tree for 11 months: http://git.kernel.org/?p=linux/kernel/git/viro/audit.git;a=summary
Are audit changes happening through another tree? Thanks! -Kees On Tue, Dec 18, 2012 at 12:22 PM, <[email protected]> wrote: > From: Kees Cook <[email protected]> > Subject: audit: create explicit AUDIT_SECCOMP event type > > The seccomp path was using AUDIT_ANOM_ABEND from when seccomp mode 1 could > only kill a process. While we still want to make sure an audit record is > forced on a kill, this should use a separate record type since seccomp > mode 2 introduces other behaviors. > > In the case of "handled" behaviors (process wasn't killed), only emit a > record if the process is under inspection. This change also fixes > userspace examination of seccomp audit events, since it was considered > malformed due to missing fields of the AUDIT_ANOM_ABEND event type. > > Signed-off-by: Kees Cook <[email protected]> > Cc: Al Viro <[email protected]> > Cc: Eric Paris <[email protected]> > Cc: Jeff Layton <[email protected]> > Cc: "Eric W. Biederman" <[email protected]> > Cc: Julien Tinnes <[email protected]> > Acked-by: Will Drewry <[email protected]> > Acked-by: Steve Grubb <[email protected]> > Cc: Andrea Arcangeli <[email protected]> > Cc: <[email protected]> > Signed-off-by: Andrew Morton <[email protected]> > --- > > include/linux/audit.h | 3 ++- > include/uapi/linux/audit.h | 1 + > kernel/auditsc.c | 14 +++++++++++--- > 3 files changed, 14 insertions(+), 4 deletions(-) > > diff -puN > include/linux/audit.h~audit-create-explicit-audit_seccomp-event-type > include/linux/audit.h > --- a/include/linux/audit.h~audit-create-explicit-audit_seccomp-event-type > +++ a/include/linux/audit.h 
> @@ -157,7 +157,8 @@ void audit_core_dumps(long signr); > > static inline void audit_seccomp(unsigned long syscall, long signr, int code) > { > - if (unlikely(!audit_dummy_context())) > + /* Force a record to be reported if a signal was delivered. */ > + if (signr || unlikely(!audit_dummy_context())) > __audit_seccomp(syscall, signr, code); > } > > diff -puN > include/uapi/linux/audit.h~audit-create-explicit-audit_seccomp-event-type > include/uapi/linux/audit.h > --- > a/include/uapi/linux/audit.h~audit-create-explicit-audit_seccomp-event-type > +++ a/include/uapi/linux/audit.h > @@ -106,6 +106,7 @@ > #define AUDIT_MMAP 1323 /* Record showing descriptor and > flags in mmap */ > #define AUDIT_NETFILTER_PKT 1324 /* Packets traversing netfilter > chains */ > #define AUDIT_NETFILTER_CFG 1325 /* Netfilter chain modifications */ > +#define AUDIT_SECCOMP 1326 /* Secure Computing event */ > > #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */ > #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */ > diff -puN kernel/auditsc.c~audit-create-explicit-audit_seccomp-event-type > kernel/auditsc.c > --- a/kernel/auditsc.c~audit-create-explicit-audit_seccomp-event-type > +++ a/kernel/auditsc.c > @@ -2675,7 +2675,7 @@ void __audit_mmap_fd(int fd, int flags) > context->type = AUDIT_MMAP; > } > > -static void audit_log_abend(struct audit_buffer *ab, char *reason, long > signr) > +static void audit_log_task(struct audit_buffer *ab) > { > kuid_t auid, uid; > kgid_t gid; > @@ -2693,6 +2693,11 @@ static void audit_log_abend(struct audit > audit_log_task_context(ab); > audit_log_format(ab, " pid=%d comm=", current->pid); > audit_log_untrustedstring(ab, current->comm); > +} > + > +static void audit_log_abend(struct audit_buffer *ab, char *reason, long > signr) > +{ > + audit_log_task(ab); > audit_log_format(ab, " reason="); > audit_log_string(ab, reason); > audit_log_format(ab, " sig=%ld", signr); 
> @@ -2723,8 +2728,11 @@ void __audit_seccomp(unsigned long sysca > { > struct audit_buffer *ab; > > - ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND); > - audit_log_abend(ab, "seccomp", signr); > + ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_SECCOMP); > + if (unlikely(!ab)) > + return; > + audit_log_task(ab); > + audit_log_format(ab, " sig=%ld", signr); > audit_log_format(ab, " syscall=%ld", syscall); > audit_log_format(ab, " compat=%d", is_compat_task()); > audit_log_format(ab, " ip=0x%lx", KSTK_EIP(current)); > _ -- Kees Cook Chrome OS Security -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html
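Review bot: in the include/linux/audit.h hunk the new comment "/* Force a record to be reported if a signal was delivered. */" slightly misdescribes `signr`, which is the signal seccomp is about to send rather than one already delivered; "if a signal is being sent" would match the path. More importantly, the short-circuit in `if (signr || unlikely(!audit_dummy_context()))` means __audit_seccomp() is now entered for a killed task that has no audit context at all, so the callee must never dereference current->audit_context; the auditsc.c hunks satisfy that, since audit_log_task() only reads fields of `current`, but it is worth stating in the commit message as a constraint on future edits.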
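Review bot: the `#define AUDIT_SECCOMP 1326 /* Secure Computing event */` addition in include/uapi/linux/audit.h is a userspace ABI change with no description of the record's field layout anywhere in the patch; given that the stated motivation is that userspace rejected the old AUDIT_ANOM_ABEND-typed record as malformed, the commit message (or the header comment) should list the fields the new record carries (the audit_log_task() task fields followed by sig=, syscall=, compat=, ip=) so the audit userspace can add a matching parser instead of inferring it. Placing the value in the 13xx block next to AUDIT_NETFILTER_CFG is consistent with the neighbouring syscall-related record types.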
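Review bot: splitting audit_log_abend() into audit_log_task() plus the reason=/sig= tail in the first kernel/auditsc.c hunk is behaviour-preserving for the remaining AUDIT_ANOM_ABEND caller, so no objection to the refactor itself; a small style point while the line is being touched is that the re-added signature `static void audit_log_abend(struct audit_buffer *ab, char *reason, long signr)` keeps `char *reason` even though the argument is only handed to audit_log_string(), so `const char *reason` would be the more accurate type.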
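Review bot: the `if (unlikely(!ab)) return;` added after audit_log_start() in __audit_seccomp() is the load-bearing part of the second kernel/auditsc.c hunk and deserves a sentence in the commit message: with the header now calling this function whenever signr is non-zero, audit_log_start() can return NULL (audit disabled, or no buffer available) on a path that previously was only reached with an active context, so the early return is a correctness fix rather than tidying. Also worth noting for userspace is that the record no longer carries the " reason=seccomp" field that audit_log_abend() emitted, so any rule or parser keyed on reason= instead of the record type must move to AUDIT_SECCOMP; and because the hunk is cut off after the ip= line, the visible context does not show whether the `code` argument passed in from audit_seccomp() is logged, which the commit message should confirm.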
