openkylin
/
linux
mirror of https://gitee.com/openkylin/linux.git
9
0
Fork 0
Code Issues Projects Releases Wiki Activity

apparmor: audit unknown signal numbers 

Allow apparmor to audit the number of a signal that it does not
provide a mapping for and is currently being reported only as
unknown.

Signed-off-by: John Johansen <john.johansen@canonical.com>
This commit is contained in:
John Johansen 2018-02-01 12:32:02 +01:00
parent 3dc6b1ce68
commit 3acfd5f54c
3 changed files with 12 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
security/apparmor/include/audit.h
View File

@ -130,7 +130,10 @@ struct apparmor_audit_data {
int rlim; int rlim;
unsigned long max; unsigned long max;
} rlim; } rlim;
int signal; struct {
int signal;
int unmappedsig;
};
}; };
}; };
struct { struct {

1
security/apparmor/include/sig_names.h
View File

@ -3,6 +3,7 @@
#define SIGUNKNOWN 0 #define SIGUNKNOWN 0
#define MAXMAPPED_SIG 35 #define MAXMAPPED_SIG 35
#define MAXMAPPED_SIGNAME (MAXMAPPED_SIG + 1) #define MAXMAPPED_SIGNAME (MAXMAPPED_SIG + 1)
#define SIGRT_BASE 128
/* provide a mapping of arch signal to internal signal # for mediation /* provide a mapping of arch signal to internal signal # for mediation
* those that are always an alias SIGCLD for SIGCLHD and SIGPOLL for SIGIO * those that are always an alias SIGCLD for SIGCLHD and SIGPOLL for SIGIO

10
security/apparmor/ipc.c
View File

@ -138,7 +138,7 @@ static inline int map_signal_num(int sig)
if (sig > SIGRTMAX) if (sig > SIGRTMAX)
return SIGUNKNOWN; return SIGUNKNOWN;
else if (sig >= SIGRTMIN) else if (sig >= SIGRTMIN)
return sig - SIGRTMIN + 128; /* rt sigs mapped to 128 */ return sig - SIGRTMIN + SIGRT_BASE;
else if (sig < MAXMAPPED_SIG) else if (sig < MAXMAPPED_SIG)
return sig_map[sig]; return sig_map[sig];
return SIGUNKNOWN; return SIGUNKNOWN;
@ -174,11 +174,14 @@ static void audit_signal_cb(struct audit_buffer *ab, void *va)
audit_signal_mask(ab, aad(sa)->denied); audit_signal_mask(ab, aad(sa)->denied);
} }
} }
if (aad(sa)->signal < MAXMAPPED_SIGNAME) if (aad(sa)->signal == SIGUNKNOWN)
audit_log_format(ab, "signal=unknown(%d)",
aad(sa)->unmappedsig);
else if (aad(sa)->signal < MAXMAPPED_SIGNAME)
audit_log_format(ab, " signal=%s", sig_names[aad(sa)->signal]); audit_log_format(ab, " signal=%s", sig_names[aad(sa)->signal]);
else else
audit_log_format(ab, " signal=rtmin+%d", audit_log_format(ab, " signal=rtmin+%d",
aad(sa)->signal - 128); aad(sa)->signal - SIGRT_BASE);
audit_log_format(ab, " peer="); audit_log_format(ab, " peer=");
aa_label_xaudit(ab, labels_ns(aad(sa)->label), aad(sa)->peer, aa_label_xaudit(ab, labels_ns(aad(sa)->label), aad(sa)->peer,
FLAGS_NONE, GFP_ATOMIC); FLAGS_NONE, GFP_ATOMIC);
@ -211,6 +214,7 @@ int aa_may_signal(struct aa_label *sender, struct aa_label *target, int sig)
DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, OP_SIGNAL); DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, OP_SIGNAL);
aad(&sa)->signal = map_signal_num(sig); aad(&sa)->signal = map_signal_num(sig);
aad(&sa)->unmappedsig = sig;
return xcheck_labels(sender, target, profile, return xcheck_labels(sender, target, profile,
profile_signal_perm(profile, target, MAY_WRITE, &sa), profile_signal_perm(profile, target, MAY_WRITE, &sa),
profile_signal_perm(profile, sender, MAY_READ, &sa)); profile_signal_perm(profile, sender, MAY_READ, &sa));