[3.5.y.z,extended,stable] Patch "audit: create explicit AUDIT_SECCOMP event type" has been added to staging queue

Message ID 1358916258-24242-1-git-send-email-herton.krzesinski@canonical.com
State New
Headers show

Commit Message

Herton Ronaldo Krzesinski Jan. 23, 2013, 4:44 a.m.
This is a note to let you know that I have just added a patch titled

    audit: create explicit AUDIT_SECCOMP event type

to the linux-3.5.y-queue branch of the 3.5.y.z extended stable tree 
which can be found at:


If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.5.y.z tree, see



From 9387df46cd87ab973c85fa4f8d198d6a2e877b99 Mon Sep 17 00:00:00 2001
From: Kees Cook <keescook@chromium.org>
Date: Fri, 11 Jan 2013 14:32:05 -0800
Subject: [PATCH] audit: create explicit AUDIT_SECCOMP event type

commit 7b9205bd775afc4439ed86d617f9042ee9e76a71 upstream.

The seccomp path was using AUDIT_ANOM_ABEND from when seccomp mode 1
could only kill a process.  While we still want to make sure an audit
record is forced on a kill, this should use a separate record type since
seccomp mode 2 introduces other behaviors.

In the case of "handled" behaviors (process wasn't killed), only emit a
record if the process is under inspection.  This change also fixes
userspace examination of seccomp audit events, since it was considered
malformed due to missing fields of the AUDIT_ANOM_ABEND event type.

Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Eric Paris <eparis@redhat.com>
Cc: Jeff Layton <jlayton@redhat.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Julien Tinnes <jln@google.com>
Acked-by: Will Drewry <wad@chromium.org>
Acked-by: Steve Grubb <sgrubb@redhat.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[ herton: adjust context, include/uapi/linux/audit.h -> include/linux/audit.h ]
Signed-off-by: Herton Ronaldo Krzesinski <herton.krzesinski@canonical.com>
 include/linux/audit.h |    4 +++-
 kernel/auditsc.c      |   14 +++++++++++---
 2 files changed, 14 insertions(+), 4 deletions(-)



diff --git a/include/linux/audit.h b/include/linux/audit.h
index 22f292a..eaa7c9f 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -106,6 +106,7 @@ 
 #define AUDIT_MMAP		1323	/* Record showing descriptor and flags in mmap */
 #define AUDIT_NETFILTER_PKT	1324	/* Packets traversing netfilter chains */
 #define AUDIT_NETFILTER_CFG	1325	/* Netfilter chain modifications */
+#define AUDIT_SECCOMP		1326	/* Secure Computing event */

 #define AUDIT_AVC		1400	/* SE Linux avc denial or grant */
 #define AUDIT_SELINUX_ERR	1401	/* Internal SE Linux Errors */
@@ -510,7 +511,8 @@  void audit_core_dumps(long signr);

 static inline void audit_seccomp(unsigned long syscall, long signr, int code)
-	if (unlikely(!audit_dummy_context()))
+	/* Force a record to be reported if a signal was delivered. */
+	if (signr || unlikely(!audit_dummy_context()))
 		__audit_seccomp(syscall, signr, code);

diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 4b96415..a0ecca4 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2670,7 +2670,7 @@  void __audit_mmap_fd(int fd, int flags)
 	context->type = AUDIT_MMAP;

-static void audit_log_abend(struct audit_buffer *ab, char *reason, long signr)
+static void audit_log_task(struct audit_buffer *ab)
 	uid_t auid, uid;
 	gid_t gid;
@@ -2685,6 +2685,11 @@  static void audit_log_abend(struct audit_buffer *ab, char *reason, long signr)
 	audit_log_format(ab, " pid=%d comm=", current->pid);
 	audit_log_untrustedstring(ab, current->comm);
+static void audit_log_abend(struct audit_buffer *ab, char *reason, long signr)
+	audit_log_task(ab);
 	audit_log_format(ab, " reason=");
 	audit_log_string(ab, reason);
 	audit_log_format(ab, " sig=%ld", signr);
@@ -2715,8 +2720,11 @@  void __audit_seccomp(unsigned long syscall, long signr, int code)
 	struct audit_buffer *ab;

-	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
-	audit_log_abend(ab, "seccomp", signr);
+	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_SECCOMP);
+	if (unlikely(!ab))
+		return;
+	audit_log_task(ab);
+	audit_log_format(ab, " sig=%ld", signr);
 	audit_log_format(ab, " syscall=%ld", syscall);
 	audit_log_format(ab, " compat=%d", is_compat_task());
 	audit_log_format(ab, " ip=0x%lx", KSTK_EIP(current));