[2/2] seccomp: forcing auditing of kill condition

Submitter	Tim Gardner
Date	Nov. 19, 2012, 6:52 p.m.
Message ID	<1353351139-26868-2-git-send-email-tim.gardner@canonical.com>
Download	mbox \| patch
Permalink	/patch/200131/
State	New
Headers	show Return-Path: <kernel-team-bounces@lists.ubuntu.com> From: Tim Gardner <tim.gardner@canonical.com> To: kernel-team@lists.ubuntu.com Subject: [PATCH 2/2] seccomp: forcing auditing of kill condition Date: Mon, 19 Nov 2012 11:52:19 -0700 Message-Id: <1353351139-26868-2-git-send-email-tim.gardner@canonical.com> In-Reply-To: <1353351139-26868-1-git-send-email-tim.gardner@canonical.com> References: <1353351139-26868-1-git-send-email-tim.gardner@canonical.com> Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: kernel-team-bounces@lists.ubuntu.com Errors-To: kernel-team-bounces@lists.ubuntu.com

Comments

Tim Gardner - Nov. 19, 2012, 6:52 p.m.

From: Kees Cook <kees@ubuntu.com>

BugLink: http://bugs.launchpad.net/bugs/1079469

Instead of auditing all seccomp actions, only force the reporting of
those that kill a process. All others should be checked for an existing
audit context on the process. (This improves the adjustment that
commit 426ae7eee59e3de2a4c14ccfc30df0a7d64709fe was attempting.)

Signed-off-by: Kees Cook <kees@ubuntu.com>
Acked-by: Herton Krzesinski <herton.krzesinski@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
---
 kernel/seccomp.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Patch

diff --git a/kernel/seccomp.c b/kernel/seccomp.c
index ee376be..9002cfa 100644
--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -443,7 +443,7 @@  int __secure_computing(int this_syscall)
 #ifdef SECCOMP_DEBUG
 	dump_stack();
 #endif
-	audit_seccomp(this_syscall, exit_sig, ret);
+	__audit_seccomp(this_syscall, exit_sig, ret);
 	do_exit(exit_sig);
 #ifdef CONFIG_SECCOMP_FILTER
 skip:

Patchwork [2/2] seccomp: forcing auditing of kill condition

Comments

Patch