diff options
author | Linus Torvalds <torvalds@linux-foundation.org> | 2019-07-08 18:55:42 -0700 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2019-07-08 18:55:42 -0700 |
commit | 61fc5771f5e729a2ce235af42f69c8506725e84a (patch) | |
tree | e0871c1921ab43d8a46c541791927f4459ba9a84 /kernel/audit.c | |
parent | 884922591e2b58fd7f1018701f957446d1ffac4d (diff) | |
parent | 839d05e413856bd686a33b59294d4e8238169320 (diff) | |
download | linux-61fc5771f5e729a2ce235af42f69c8506725e84a.tar.bz2 |
Merge tag 'audit-pr-20190702' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit
Pull audit updates from Paul Moore:
"This pull request is a bit early, but with some vacation time coming
up I wanted to send this out now just in case the remote Internet Gods
decide not to smile on me once the merge window opens. The patchset
for v5.3 is pretty minor this time, the highlights include:
- When the audit daemon is sent a signal, ensure we deliver
information about the sender even when syscall auditing is not
enabled/supported.
- Add the ability to filter audit records based on network address
family.
- Tighten the audit field filtering restrictions on string based
fields.
- Cleanup the audit field filtering verification code.
- Remove a few BUG() calls from the audit code"
* tag 'audit-pr-20190702' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit:
audit: remove the BUG() calls in the audit rule comparison functions
audit: enforce op for string fields
audit: add saddr_fam filter field
audit: re-structure audit field valid checks
audit: deliver signal_info regarless of syscall
Diffstat (limited to 'kernel/audit.c')
-rw-r--r-- | kernel/audit.c | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/kernel/audit.c b/kernel/audit.c index 486c968214d9..da8dc0db5bd3 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -2261,6 +2261,33 @@ out: } /** + * audit_signal_info - record signal info for shutting down audit subsystem + * @sig: signal value + * @t: task being signaled + * + * If the audit subsystem is being terminated, record the task (pid) + * and uid that is doing that. + */ +int audit_signal_info(int sig, struct task_struct *t) +{ + kuid_t uid = current_uid(), auid; + + if (auditd_test_task(t) && + (sig == SIGTERM || sig == SIGHUP || + sig == SIGUSR1 || sig == SIGUSR2)) { + audit_sig_pid = task_tgid_nr(current); + auid = audit_get_loginuid(current); + if (uid_valid(auid)) + audit_sig_uid = auid; + else + audit_sig_uid = uid; + security_task_getsecid(current, &audit_sig_sid); + } + + return audit_signal_info_syscall(t); +} + +/** * audit_log_end - end one audit record * @ab: the audit_buffer * |