authorJohn Johansen <john.johansen@canonical.com>2018-02-01 14:32:02 +0300
committerJohn Johansen <john.johansen@canonical.com>2018-02-09 22:30:01 +0300
commit3acfd5f54ca16c15c36ac2f218357f2707b7edb8 (patch)
treed64067798fbe0d4ff3fa839e48ce6fae3bfe84c3
parent3dc6b1ce6861ebf40b68ab4b752a05584a1f99bf (diff)
apparmor: audit unknown signal numbers
Allow apparmor to audit the number of a signal for which it does not provide a mapping and which is currently reported only as unknown. Signed-off-by: John Johansen <john.johansen@canonical.com>
-rw-r--r--security/apparmor/include/audit.h5
-rw-r--r--security/apparmor/include/sig_names.h1
-rw-r--r--security/apparmor/ipc.c10
3 files changed, 12 insertions, 4 deletions
diff --git a/security/apparmor/include/audit.h b/security/apparmor/include/audit.h
index 2ebc00a579fd..41ad2c947bf4 100644
--- a/security/apparmor/include/audit.h
+++ b/security/apparmor/include/audit.h
@@ -130,7 +130,10 @@ struct apparmor_audit_data {
int rlim;
unsigned long max;
} rlim;
- int signal;
+ struct {
+ int signal;
+ int unmappedsig;
+ };
};
};
struct {
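Review bot: The new `unmappedsig` member is added without a comment, so a reader of audit.h has no way to tell how it relates to `signal` or when it is valid. From the ipc.c hunks in this commit it holds the raw signal number passed to aa_may_signal and is only read by audit_signal_cb when `signal == SIGUNKNOWN`; placing both in one anonymous struct ties them together but does not say that. Suggest `int unmappedsig;	/* raw signal number, logged when signal == SIGUNKNOWN */` on the added line. The enclosing `struct apparmor_audit_data` starts before this hunk and continues past it.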
diff --git a/security/apparmor/include/sig_names.h b/security/apparmor/include/sig_names.h
index 5ca47c50dfa7..cbf7a997ed84 100644
--- a/security/apparmor/include/sig_names.h
+++ b/security/apparmor/include/sig_names.h
@@ -3,6 +3,7 @@
#define SIGUNKNOWN 0
#define MAXMAPPED_SIG 35
#define MAXMAPPED_SIGNAME (MAXMAPPED_SIG + 1)
+#define SIGRT_BASE 128
/* provide a mapping of arch signal to internal signal # for mediation
* those that are always an alias SIGCLD for SIGCLHD and SIGPOLL for SIGIO
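Review bot: `SIGRT_BASE` is introduced without a comment, although the hunks in ipc.c rely on two properties of it: realtime signals are mapped to `SIGRT_BASE + (sig - SIGRTMIN)`, and the value must stay at or above `MAXMAPPED_SIGNAME` so that audit_signal_cb's `< MAXMAPPED_SIGNAME` test can separate named signals from realtime ones. Neither constraint is visible from the bare `128`. Suggest `#define SIGRT_BASE 128	/* rt signals map to SIGRT_BASE + (sig - SIGRTMIN); must be >= MAXMAPPED_SIGNAME */`, or a `BUILD_BUG_ON` at the point of use if the header's style prefers.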
diff --git a/security/apparmor/ipc.c b/security/apparmor/ipc.c
index 754f2ff8d355..d7b137d4eb74 100644
--- a/security/apparmor/ipc.c
+++ b/security/apparmor/ipc.c
@@ -138,7 +138,7 @@ static inline int map_signal_num(int sig)
if (sig > SIGRTMAX)
return SIGUNKNOWN;
else if (sig >= SIGRTMIN)
- return sig - SIGRTMIN + 128; /* rt sigs mapped to 128 */
+ return sig - SIGRTMIN + SIGRT_BASE;
else if (sig < MAXMAPPED_SIG)
return sig_map[sig];
return SIGUNKNOWN;
@@ -174,11 +174,14 @@ static void audit_signal_cb(struct audit_buffer *ab, void *va)
audit_signal_mask(ab, aad(sa)->denied);
}
}
- if (aad(sa)->signal < MAXMAPPED_SIGNAME)
+ if (aad(sa)->signal == SIGUNKNOWN)
+ audit_log_format(ab, "signal=unknown(%d)",
+ aad(sa)->unmappedsig);
+ else if (aad(sa)->signal < MAXMAPPED_SIGNAME)
audit_log_format(ab, " signal=%s", sig_names[aad(sa)->signal]);
else
audit_log_format(ab, " signal=rtmin+%d",
- aad(sa)->signal - 128);
+ aad(sa)->signal - SIGRT_BASE);
audit_log_format(ab, " peer=");
aa_label_xaudit(ab, labels_ns(aad(sa)->label), aad(sa)->peer,
FLAGS_NONE, GFP_ATOMIC);
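Review bot: The new format string `"signal=unknown(%d)"` at the added audit_log_format call lacks the leading space that the sibling strings `" signal=%s"` and `" signal=rtmin+%d"` carry, so for an unmapped signal the `signal=` key is fused onto whatever the buffer last emitted (the denied-mask output from audit_signal_mask when that branch ran, or earlier text from before this hunk). Audit consumers tokenize records as whitespace-separated key=value pairs, so the merged field is misparsed or dropped, which is exactly the case this commit sets out to make visible. Change the line to `audit_log_format(ab, " signal=unknown(%d)",`. audit_signal_cb begins before this hunk.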
@@ -211,6 +214,7 @@ int aa_may_signal(struct aa_label *sender, struct aa_label *target, int sig)
DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, OP_SIGNAL);
aad(&sa)->signal = map_signal_num(sig);
+ aad(&sa)->unmappedsig = sig;
return xcheck_labels(sender, target, profile,
profile_signal_perm(profile, target, MAY_WRITE, &sa),
profile_signal_perm(profile, sender, MAY_READ, &sa));