seccomp: remove duplicated failure logging
This consolidates the seccomp filter error logging path and adds more details to the audit log. Signed-off-by: Will Drewry <wad@chromium.org> Signed-off-by: Kees Cook <keescook@chromium.org> Acked-by: Eric Paris <eparis@redhat.com> v18: make compat= permanent in the record v15: added a return code to the audit_seccomp path by wad@chromium.org (suggested by eparis@redhat.com) v*: original by keescook@chromium.org Signed-off-by: James Morris <james.l.morris@oracle.com>
This commit is contained in:
parent
e2cfabdfd0
commit
3dc1c1b2d2
3 changed files with 11 additions and 20 deletions
|
@ -463,7 +463,7 @@ extern void audit_putname(const char *name);
|
|||
extern void __audit_inode(const char *name, const struct dentry *dentry);
|
||||
extern void __audit_inode_child(const struct dentry *dentry,
|
||||
const struct inode *parent);
|
||||
extern void __audit_seccomp(unsigned long syscall);
|
||||
extern void __audit_seccomp(unsigned long syscall, long signr, int code);
|
||||
extern void __audit_ptrace(struct task_struct *t);
|
||||
|
||||
static inline int audit_dummy_context(void)
|
||||
|
@ -508,10 +508,10 @@ static inline void audit_inode_child(const struct dentry *dentry,
|
|||
}
|
||||
void audit_core_dumps(long signr);
|
||||
|
||||
static inline void audit_seccomp(unsigned long syscall)
|
||||
static inline void audit_seccomp(unsigned long syscall, long signr, int code)
|
||||
{
|
||||
if (unlikely(!audit_dummy_context()))
|
||||
__audit_seccomp(syscall);
|
||||
__audit_seccomp(syscall, signr, code);
|
||||
}
|
||||
|
||||
static inline void audit_ptrace(struct task_struct *t)
|
||||
|
@ -634,7 +634,7 @@ extern int audit_signals;
|
|||
#define audit_inode(n,d) do { (void)(d); } while (0)
|
||||
#define audit_inode_child(i,p) do { ; } while (0)
|
||||
#define audit_core_dumps(i) do { ; } while (0)
|
||||
#define audit_seccomp(i) do { ; } while (0)
|
||||
#define audit_seccomp(i,s,c) do { ; } while (0)
|
||||
#define auditsc_get_stamp(c,t,s) (0)
|
||||
#define audit_get_loginuid(t) (-1)
|
||||
#define audit_get_sessionid(t) (-1)
|
||||
|
|
|
@ -67,6 +67,7 @@
|
|||
#include <linux/syscalls.h>
|
||||
#include <linux/capability.h>
|
||||
#include <linux/fs_struct.h>
|
||||
#include <linux/compat.h>
|
||||
|
||||
#include "audit.h"
|
||||
|
||||
|
@ -2710,13 +2711,16 @@ void audit_core_dumps(long signr)
|
|||
audit_log_end(ab);
|
||||
}
|
||||
|
||||
void __audit_seccomp(unsigned long syscall)
|
||||
void __audit_seccomp(unsigned long syscall, long signr, int code)
|
||||
{
|
||||
struct audit_buffer *ab;
|
||||
|
||||
ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
|
||||
audit_log_abend(ab, "seccomp", SIGKILL);
|
||||
audit_log_abend(ab, "seccomp", signr);
|
||||
audit_log_format(ab, " syscall=%ld", syscall);
|
||||
audit_log_format(ab, " compat=%d", is_compat_task());
|
||||
audit_log_format(ab, " ip=0x%lx", KSTK_EIP(current));
|
||||
audit_log_format(ab, " code=0x%x", code);
|
||||
audit_log_end(ab);
|
||||
}
|
||||
|
||||
|
|
|
@ -60,18 +60,6 @@ struct seccomp_filter {
|
|||
/* Limit any path through the tree to 256KB worth of instructions. */
|
||||
#define MAX_INSNS_PER_PATH ((1 << 18) / sizeof(struct sock_filter))
|
||||
|
||||
static void seccomp_filter_log_failure(int syscall)
|
||||
{
|
||||
int compat = 0;
|
||||
#ifdef CONFIG_COMPAT
|
||||
compat = is_compat_task();
|
||||
#endif
|
||||
pr_info("%s[%d]: %ssystem call %d blocked at 0x%lx\n",
|
||||
current->comm, task_pid_nr(current),
|
||||
(compat ? "compat " : ""),
|
||||
syscall, KSTK_EIP(current));
|
||||
}
|
||||
|
||||
/**
|
||||
* get_u32 - returns a u32 offset into data
|
||||
* @data: a unsigned 64 bit value
|
||||
|
@ -381,7 +369,6 @@ void __secure_computing(int this_syscall)
|
|||
case SECCOMP_MODE_FILTER:
|
||||
if (seccomp_run_filters(this_syscall) == SECCOMP_RET_ALLOW)
|
||||
return;
|
||||
seccomp_filter_log_failure(this_syscall);
|
||||
exit_sig = SIGSYS;
|
||||
break;
|
||||
#endif
|
||||
|
@ -392,7 +379,7 @@ void __secure_computing(int this_syscall)
|
|||
#ifdef SECCOMP_DEBUG
|
||||
dump_stack();
|
||||
#endif
|
||||
audit_seccomp(this_syscall);
|
||||
audit_seccomp(this_syscall, exit_code, SECCOMP_RET_KILL);
|
||||
do_exit(exit_sig);
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in a new issue