|
Message-Id: <1330559620-23543-13-git-send-email-wad@chromium.org> Date: Wed, 29 Feb 2012 17:53:40 -0600 From: Will Drewry <wad@...omium.org> To: linux-kernel@...r.kernel.org Cc: linux-arch@...r.kernel.org, linux-doc@...r.kernel.org, kernel-hardening@...ts.openwall.com, netdev@...r.kernel.org, x86@...nel.org, arnd@...db.de, davem@...emloft.net, hpa@...or.com, mingo@...hat.com, oleg@...hat.com, peterz@...radead.org, rdunlap@...otime.net, mcgrathr@...omium.org, tglx@...utronix.de, luto@....edu, eparis@...hat.com, serge.hallyn@...onical.com, djm@...drot.org, scarybeasts@...il.com, indan@....nu, pmoore@...hat.com, akpm@...ux-foundation.org, corbet@....net, eric.dumazet@...il.com, markus@...omium.org, coreyb@...ux.vnet.ibm.com, keescook@...omium.org Subject: [PATCH v12 13/13] seccomp: remove duplicated failure logging From: Kees Cook <keescook@...omium.org> This consolidates the seccomp filter error logging path and adds more details to the audit log. Acked-by: Will Drewry <wad@...omium.org> Signed-off-by: Kees Cook <keescook@...omium.org> --- include/linux/audit.h | 8 ++++---- kernel/auditsc.c | 9 +++++++-- kernel/seccomp.c | 15 +-------------- 3 files changed, 12 insertions(+), 20 deletions(-) diff --git a/include/linux/audit.h b/include/linux/audit.h index 9ff7a2c..5aac29b 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -463,7 +463,7 @@ extern void audit_putname(const char *name); extern void __audit_inode(const char *name, const struct dentry *dentry); extern void __audit_inode_child(const struct dentry *dentry, const struct inode *parent); -extern void __audit_seccomp(unsigned long syscall); +extern void __audit_seccomp(unsigned long syscall, long signr); extern void __audit_ptrace(struct task_struct *t); static inline int audit_dummy_context(void) @@ -508,10 +508,10 @@ static inline void audit_inode_child(const struct dentry *dentry, } void audit_core_dumps(long signr); -static inline void audit_seccomp(unsigned long syscall) +static inline void audit_seccomp(unsigned long syscall, long signr) { if (unlikely(!audit_dummy_context())) - __audit_seccomp(syscall); + __audit_seccomp(syscall, signr); } static inline void audit_ptrace(struct task_struct *t) @@ -634,7 +634,7 @@ extern int audit_signals; #define audit_inode(n,d) do { (void)(d); } while (0) #define audit_inode_child(i,p) do { ; } while (0) #define audit_core_dumps(i) do { ; } while (0) -#define audit_seccomp(i) do { ; } while (0) +#define audit_seccomp(i, s) do { ; } while (0) #define auditsc_get_stamp(c,t,s) (0) #define audit_get_loginuid(t) (-1) #define audit_get_sessionid(t) (-1) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index af1de0f..74652fe 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -67,6 +67,7 @@ #include <linux/syscalls.h> #include <linux/capability.h> #include <linux/fs_struct.h> +#include <linux/compat.h> #include "audit.h" @@ -2710,13 +2711,17 @@ void audit_core_dumps(long signr) audit_log_end(ab); } -void __audit_seccomp(unsigned long syscall) +void __audit_seccomp(unsigned long syscall, long signr) { struct audit_buffer *ab; ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND); - audit_log_abend(ab, "seccomp", SIGKILL); + audit_log_abend(ab, "seccomp", signr); audit_log_format(ab, " syscall=%ld", syscall); +#ifdef CONFIG_COMPAT + audit_log_format(ab, " compat=%d", is_compat_task()); +#endif + audit_log_format(ab, " ip=0x%lx", KSTK_EIP(current)); audit_log_end(ab); } diff --git a/kernel/seccomp.c b/kernel/seccomp.c index 1064327..78ecd6f 100644 --- a/kernel/seccomp.c +++ b/kernel/seccomp.c @@ -60,18 +60,6 @@ struct seccomp_filter { /* Limit any path through the tree to 5 megabytes worth of instructions. */ #define MAX_INSNS_PER_PATH ((5 << 20) / sizeof(struct sock_filter)) -static void seccomp_filter_log_failure(int syscall) -{ - int compat = 0; -#ifdef CONFIG_COMPAT - compat = is_compat_task(); -#endif - pr_info("%s[%d]: %ssystem call %d blocked at 0x%lx\n", - current->comm, task_pid_nr(current), - (compat ? "compat " : ""), - syscall, KSTK_EIP(current)); -} - /** * get_u32 - returns a u32 offset into data * @data: a unsigned 64 bit value @@ -370,7 +358,6 @@ int __secure_computing_int(int this_syscall) default: break; } - seccomp_filter_log_failure(this_syscall); exit_code = SIGSYS; break; } @@ -382,7 +369,7 @@ int __secure_computing_int(int this_syscall) #ifdef SECCOMP_DEBUG dump_stack(); #endif - audit_seccomp(this_syscall); + audit_seccomp(this_syscall, exit_code); do_exit(exit_code); return -1; /* never reached */ } -- 1.7.5.4
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.