diff options
author | Richard Guy Briggs <rgb@redhat.com> | 2019-05-10 12:21:49 -0400 |
---|---|---|
committer | Paul Moore <paul@paul-moore.com> | 2019-05-21 22:18:25 -0400 |
commit | b48345aafb203803ccda4488cb5409b1ed435c0a (patch) | |
tree | 025ceffb2d6792a15b495c64d9de565c5baf2c9d /kernel/audit.c | |
parent | a188339ca5a396acc588e5851ed7e19f66b0ebd9 (diff) | |
download | linux-b48345aafb203803ccda4488cb5409b1ed435c0a.tar.bz2 |
audit: deliver signal_info regarless of syscall
When a process signals the audit daemon (shutdown, rotate, resume,
reconfig) but syscall auditing is not enabled, we still want to know the
identity of the process sending the signal to the audit daemon.
Move audit_signal_info() out of syscall auditing to general auditing but
create a new function audit_signal_info_syscall() to take care of the
syscall dependent parts for when syscall auditing is enabled.
Please see the github kernel audit issue
https://github.com/linux-audit/audit-kernel/issues/111
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'kernel/audit.c')
-rw-r--r-- | kernel/audit.c | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/kernel/audit.c b/kernel/audit.c index b96bf69183f4..67399ff72d43 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -2274,6 +2274,33 @@ out: } /** + * audit_signal_info - record signal info for shutting down audit subsystem + * @sig: signal value + * @t: task being signaled + * + * If the audit subsystem is being terminated, record the task (pid) + * and uid that is doing that. + */ +int audit_signal_info(int sig, struct task_struct *t) +{ + kuid_t uid = current_uid(), auid; + + if (auditd_test_task(t) && + (sig == SIGTERM || sig == SIGHUP || + sig == SIGUSR1 || sig == SIGUSR2)) { + audit_sig_pid = task_tgid_nr(current); + auid = audit_get_loginuid(current); + if (uid_valid(auid)) + audit_sig_uid = auid; + else + audit_sig_uid = uid; + security_task_getsecid(current, &audit_sig_sid); + } + + return audit_signal_info_syscall(t); +} + +/** * audit_log_end - end one audit record * @ab: the audit_buffer * |