audit: Simplify and correct audit_log_capset
- Always report the current process as capset now always only works on the current process. This prevents reporting 0 or a random pid in a random pid namespace. - Don't bother to pass the pid as is available. Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> (cherry picked from commit bcc85f0af31af123e32858069eb2ad8f39f90e67) (cherry picked from commit f911cac4556a7a23e0b3ea850233d13b32328692) Signed-off-by: Richard Guy Briggs <rgb@redhat.com> [eparis: fix build error when audit disabled] Signed-off-by: Eric Paris <eparis@redhat.com>
This commit is contained in:
Eric W. Biederman
Eric Paris
parent
fc582aef7d
commit
ca24a23ebc
|
|
@ -220,7 +220,7 @@ extern void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat);
|
|||
extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm,
|
||||
const struct cred *new,
|
||||
const struct cred *old);
|
||||
extern void __audit_log_capset(pid_t pid, const struct cred *new, const struct cred *old);
|
||||
extern void __audit_log_capset(const struct cred *new, const struct cred *old);
|
||||
extern void __audit_mmap_fd(int fd, int flags);
|
||||
|
||||
static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
|
||||
|
|
@ -285,11 +285,11 @@ static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm,
|
|||
return 0;
|
||||
}
|
||||
|
||||
static inline void audit_log_capset(pid_t pid, const struct cred *new,
|
||||
static inline void audit_log_capset(const struct cred *new,
|
||||
const struct cred *old)
|
||||
{
|
||||
if (unlikely(!audit_dummy_context()))
|
||||
__audit_log_capset(pid, new, old);
|
||||
__audit_log_capset(new, old);
|
||||
}
|
||||
|
||||
static inline void audit_mmap_fd(int fd, int flags)
|
||||
|
|
@ -397,8 +397,8 @@ static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm,
|
|||
{
|
||||
return 0;
|
||||
}
|
||||
static inline void audit_log_capset(pid_t pid, const struct cred *new,
|
||||
const struct cred *old)
|
||||
static inline void audit_log_capset(const struct cred *new,
|
||||
const struct cred *old)
|
||||
{ }
|
||||
static inline void audit_mmap_fd(int fd, int flags)
|
||||
{ }
|
||||
|
|
|
|||
|
|
@ -2321,18 +2321,16 @@ int __audit_log_bprm_fcaps(struct linux_binprm *bprm,
|
|||
|
||||
/**
|
||||
* __audit_log_capset - store information about the arguments to the capset syscall
|
||||
* @pid: target pid of the capset call
|
||||
* @new: the new credentials
|
||||
* @old: the old (current) credentials
|
||||
*
|
||||
* Record the aguments userspace sent to sys_capset for later printing by the
|
||||
* audit system if applicable
|
||||
*/
|
||||
void __audit_log_capset(pid_t pid,
|
||||
const struct cred *new, const struct cred *old)
|
||||
void __audit_log_capset(const struct cred *new, const struct cred *old)
|
||||
{
|
||||
struct audit_context *context = current->audit_context;
|
||||
context->capset.pid = pid;
|
||||
context->capset.pid = task_pid_nr(current);
|
||||
context->capset.cap.effective = new->cap_effective;
|
||||
context->capset.cap.inheritable = new->cap_effective;
|
||||
context->capset.cap.permitted = new->cap_permitted;
|
||||
|
|
|
|||
|
|
@ -277,7 +277,7 @@ SYSCALL_DEFINE2(capset, cap_user_header_t, header, const cap_user_data_t, data)
|
|||
if (ret < 0)
|
||||
goto error;
|
||||
|
||||
audit_log_capset(pid, new, current_cred());
|
||||
audit_log_capset(new, current_cred());
|
||||
|
||||
return commit_creds(new);
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue