From 3acfd5f54ca16c15c36ac2f218357f2707b7edb8 Mon Sep 17 00:00:00 2001
From: John Johansen
Date: Thu, 1 Feb 2018 12:32:02 +0100
Subject: apparmor: audit unknown signal numbers

Allow apparmor to audit the number of a signal that it does not provide a mapping for and is currently being reported only as unknown.

Signed-off-by: John Johansen
---
 security/apparmor/include/audit.h | 5 ++++-
 security/apparmor/include/sig_names.h | 1 +
 security/apparmor/ipc.c | 10 +++++++---
 3 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/security/apparmor/include/audit.h b/security/apparmor/include/audit.h
index 2ebc00a..41ad2c9 100644
--- a/security/apparmor/include/audit.h
+++ b/security/apparmor/include/audit.h
@@ -130,7 +130,10 @@ struct apparmor_audit_data {
 int rlim;
 unsigned long max;
 } rlim;
- int signal;
+ struct {
+ int signal;
+ int unmappedsig;
+ };
 };
 };
 struct {
diff --git a/security/apparmor/include/sig_names.h b/security/apparmor/include/sig_names.h
index 5ca47c5..cbf7a99 100644
--- a/security/apparmor/include/sig_names.h
+++ b/security/apparmor/include/sig_names.h
@@ -3,6 +3,7 @@
 #define SIGUNKNOWN 0
 #define MAXMAPPED_SIG 35
 #define MAXMAPPED_SIGNAME (MAXMAPPED_SIG + 1)
+#define SIGRT_BASE 128

 /* provide a mapping of arch signal to internal signal # for mediation
 * those that are always an alias SIGCLD for SIGCLHD and SIGPOLL for SIGIO
diff --git a/security/apparmor/ipc.c b/security/apparmor/ipc.c
index 754f2ff..d7b137d 100644
--- a/security/apparmor/ipc.c
+++ b/security/apparmor/ipc.c
@@ -138,7 +138,7 @@ static inline int map_signal_num(int sig)
 if (sig > SIGRTMAX)
 return SIGUNKNOWN;
 else if (sig >= SIGRTMIN)
- return sig - SIGRTMIN + 128; /* rt sigs mapped to 128 */
+ return sig - SIGRTMIN + SIGRT_BASE;
 else if (sig < MAXMAPPED_SIG)
 return sig_map[sig];
 return SIGUNKNOWN;
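Review bot: The new `unmappedsig` member in the audit.h hunk is undocumented, and nothing in the struct says how it relates to `signal` or when it holds a meaningful value. The ipc.c hunks of this same patch set `signal` from map_signal_num() and `unmappedsig` from the raw argument, and only read `unmappedsig` when `signal == SIGUNKNOWN`, so a short comment on each field would spare the next reader that cross-reference: `int signal; /* internal number from map_signal_num() */` and `int unmappedsig; /* raw arch signal number, reported when signal == SIGUNKNOWN */`. The enclosing struct apparmor_audit_data begins and ends outside the hunk.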
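Review bot: `#define SIGRT_BASE 128` in the sig_names.h hunk carries no comment, while the ipc.c hunk in the same patch removes the only explanation of that value (`/* rt sigs mapped to 128 */`), so the rationale disappears from the tree. The value is also load-bearing for audit_signal_cb(), which tells mapped names from rt signals with a plain `< MAXMAPPED_SIGNAME` comparison, so SIGRT_BASE must stay at or above MAXMAPPED_SIGNAME. Suggest `#define SIGRT_BASE 128 /* rt signals map to SIGRT_BASE + (sig - SIGRTMIN); must be >= MAXMAPPED_SIGNAME */`.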
@@ -174,11 +174,14 @@ static void audit_signal_cb(struct audit_buffer *ab, void *va)
 audit_signal_mask(ab, aad(sa)->denied);
 }
 }
- if (aad(sa)->signal < MAXMAPPED_SIGNAME)
+ if (aad(sa)->signal == SIGUNKNOWN)
+ audit_log_format(ab, "signal=unknown(%d)",
+ aad(sa)->unmappedsig);
+ else if (aad(sa)->signal < MAXMAPPED_SIGNAME)
 audit_log_format(ab, " signal=%s", sig_names[aad(sa)->signal]);
 else
 audit_log_format(ab, " signal=rtmin+%d",
- aad(sa)->signal - SIGRT_BASE);
+ aad(sa)->signal - SIGRT_BASE);
 audit_log_format(ab, " peer=");
 aa_label_xaudit(ab, labels_ns(aad(sa)->label), aad(sa)->peer,
 FLAGS_NONE, GFP_ATOMIC);
@@ -211,6 +214,7 @@ int aa_may_signal(struct aa_label *sender, struct aa_label *target, int sig)
 DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, OP_SIGNAL);

 aad(&sa)->signal = map_signal_num(sig);
+ aad(&sa)->unmappedsig = sig;
 return xcheck_labels(sender, target, profile,
 profile_signal_perm(profile, target, MAY_WRITE, &sa),
 profile_signal_perm(profile, sender, MAY_READ, &sa));
--
cgit v1.1
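Review bot: The new format string `"signal=unknown(%d)"` lacks the leading space that both sibling strings `" signal=%s"` and `" signal=rtmin+%d"` carry, so for an unmapped signal the field is written directly onto whatever audit_log_format() emitted before it (for example the denied_mask output just above), which breaks key=value splitting for anything consuming the audit record. Change the added line to `audit_log_format(ab, " signal=unknown(%d)",`. audit_signal_cb() begins before this hunk.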