author | John Johansen <john.johansen@canonical.com> | 2018-02-01 12:32:02 +0100 |
---|---|---|
committer | John Johansen <john.johansen@canonical.com> | 2018-02-09 11:30:01 -0800 |
commit | 3acfd5f54ca16c15c36ac2f218357f2707b7edb8 (patch) | |
tree | d64067798fbe0d4ff3fa839e48ce6fae3bfe84c3 | |
parent | 3dc6b1ce6861ebf40b68ab4b752a05584a1f99bf (diff) | |
download | op-kernel-dev-3acfd5f54ca16c15c36ac2f218357f2707b7edb8.zip op-kernel-dev-3acfd5f54ca16c15c36ac2f218357f2707b7edb8.tar.gz |
apparmor: audit unknown signal numbers
Allow apparmor to audit the number of a signal that it does not
provide a mapping for and is currently being reported only as
unknown.
Signed-off-by: John Johansen <john.johansen@canonical.com>
-rw-r--r-- | security/apparmor/include/audit.h | 5 | ||||
-rw-r--r-- | security/apparmor/include/sig_names.h | 1 | ||||
-rw-r--r-- | security/apparmor/ipc.c | 10 |
3 files changed, 12 insertions, 4 deletions
diff --git a/security/apparmor/include/audit.h b/security/apparmor/include/audit.h
index 2ebc00a..41ad2c9 100644
--- a/security/apparmor/include/audit.h
+++ b/security/apparmor/include/audit.h
@@ -130,7 +130,10 @@ struct apparmor_audit_data {
 int rlim;
 unsigned long max;
 } rlim;
- int signal;
+ struct {
+ int signal;
+ int unmappedsig;
+ };
 };
 };
 struct {
diff --git a/security/apparmor/include/sig_names.h b/security/apparmor/include/sig_names.h
index 5ca47c5..cbf7a99 100644
--- a/security/apparmor/include/sig_names.h
+++ b/security/apparmor/include/sig_names.h
@@ -3,6 +3,7 @@
 #define SIGUNKNOWN 0
 #define MAXMAPPED_SIG 35
 #define MAXMAPPED_SIGNAME (MAXMAPPED_SIG + 1)
+#define SIGRT_BASE 128
 
 /* provide a mapping of arch signal to internal signal # for mediation
  * those that are always an alias SIGCLD for SIGCLHD and SIGPOLL for SIGIO
diff --git a/security/apparmor/ipc.c b/security/apparmor/ipc.c
index 754f2ff..d7b137d 100644
--- a/security/apparmor/ipc.c
+++ b/security/apparmor/ipc.c
@@ -138,7 +138,7 @@ static inline int map_signal_num(int sig)
 if (sig > SIGRTMAX)
 return SIGUNKNOWN;
 else if (sig >= SIGRTMIN)
- return sig - SIGRTMIN + 128; /* rt sigs mapped to 128 */
+ return sig - SIGRTMIN + SIGRT_BASE;
 else if (sig < MAXMAPPED_SIG)
 return sig_map[sig];
 return SIGUNKNOWN;
@@ -174,11 +174,14 @@ static void audit_signal_cb(struct audit_buffer *ab, void *va)
 audit_signal_mask(ab, aad(sa)->denied);
 }
 }
- if (aad(sa)->signal < MAXMAPPED_SIGNAME)
+ if (aad(sa)->signal == SIGUNKNOWN)
+ audit_log_format(ab, "signal=unknown(%d)",
+ aad(sa)->unmappedsig);
+ else if (aad(sa)->signal < MAXMAPPED_SIGNAME)
 audit_log_format(ab, " signal=%s", sig_names[aad(sa)->signal]);
 else
 audit_log_format(ab, " signal=rtmin+%d",
- aad(sa)->signal - 128);
+ aad(sa)->signal - SIGRT_BASE);
 audit_log_format(ab, " peer=");
 aa_label_xaudit(ab, labels_ns(aad(sa)->label), aad(sa)->peer,
 FLAGS_NONE, GFP_ATOMIC);
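Review bot: The new `unmappedsig` member in audit.h is added without a comment, so a reader of the struct cannot tell that it carries the raw, architecture-level signal number and that only the SIGUNKNOWN case of audit_signal_cb reports it; the sibling `rlim` sub-struct next to it at least has self-describing field names. I would annotate it as `int unmappedsig;	/* raw signal number, logged when signal == SIGUNKNOWN */`. The anonymous struct is placed inside what appears to be a union of per-operation data, which relies on unnamed struct members being accepted by the kernel's compiler configuration; presumably the surrounding code already does this, but it is worth confirming. struct apparmor_audit_data starts and ends outside the hunk.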
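Review bot: `SIGRT_BASE` is introduced in sig_names.h with no comment, and the only explanation of the value — the `/* rt sigs mapped to 128 */` remark that this same commit removes from map_signal_num in ipc.c — disappears with it, so nothing in the header now says why real-time signals start at 128 or that the offset is taken from SIGRTMIN. I would keep the rationale next to the definition: `#define SIGRT_BASE 128	/* rt signals map to SIGRT_BASE + (sig - SIGRTMIN) */`. That also documents the invariant audit_signal_cb depends on when it prints `rtmin+%d` from `signal - SIGRT_BASE`.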
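Review bot: In the map_signal_num hunk the `else if (sig < MAXMAPPED_SIG)` branch indexes `sig_map[sig]` with no lower bound, and the two preceding checks only bound `sig` from above, so a negative value would read before the start of the table. Presumably the signal-delivery paths that reach aa_may_signal have already rejected invalid signal numbers, but that precondition is stated nowhere in the hunk. I would either record it, `/* assumes sig >= 0; callers validate the signal number first */`, or make the guard explicit, `else if (sig >= 0 && sig < MAXMAPPED_SIG)`. The function's opening lines are outside the hunk.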
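Review bot: The new format string `"signal=unknown(%d)"` in audit_signal_cb lacks the leading space that every other field emitted by this callback carries (`" signal=%s"`, `" signal=rtmin+%d"`, `" peer="`), so in the unknown case the field is glued to whatever was written before it and key=value audit parsers will not split it off cleanly. The fix is the one-line change `audit_log_format(ab, " signal=unknown(%d)",`. audit_signal_cb's opening and closing lines are outside the hunk.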
@@ -211,6 +214,7 @@ int aa_may_signal(struct aa_label *sender, struct aa_label *target, int sig)
 DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, OP_SIGNAL);
 
 aad(&sa)->signal = map_signal_num(sig);
+ aad(&sa)->unmappedsig = sig;
 return xcheck_labels(sender, target, profile,
 profile_signal_perm(profile, target, MAY_WRITE, &sa),
 profile_signal_perm(profile, sender, MAY_READ, &sa));