Commit 3acfd5f5 authored by John Johansen's avatar John Johansen

apparmor: audit unknown signal numbers

Allow apparmor to audit the number of a signal that it does not
provide a mapping for and is currently being reported only as
unknown.
Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
parent 3dc6b1ce
...@@ -130,7 +130,10 @@ struct apparmor_audit_data { ...@@ -130,7 +130,10 @@ struct apparmor_audit_data {
int rlim; int rlim;
unsigned long max; unsigned long max;
} rlim; } rlim;
struct {
int signal; int signal;
int unmappedsig;
};
}; };
}; };
struct { struct {
......
...@@ -3,6 +3,7 @@ ...@@ -3,6 +3,7 @@
#define SIGUNKNOWN 0 #define SIGUNKNOWN 0
#define MAXMAPPED_SIG 35 #define MAXMAPPED_SIG 35
#define MAXMAPPED_SIGNAME (MAXMAPPED_SIG + 1) #define MAXMAPPED_SIGNAME (MAXMAPPED_SIG + 1)
#define SIGRT_BASE 128
/* provide a mapping of arch signal to internal signal # for mediation /* provide a mapping of arch signal to internal signal # for mediation
* those that are always an alias SIGCLD for SIGCLHD and SIGPOLL for SIGIO * those that are always an alias SIGCLD for SIGCLHD and SIGPOLL for SIGIO
......
...@@ -138,7 +138,7 @@ static inline int map_signal_num(int sig) ...@@ -138,7 +138,7 @@ static inline int map_signal_num(int sig)
if (sig > SIGRTMAX) if (sig > SIGRTMAX)
return SIGUNKNOWN; return SIGUNKNOWN;
else if (sig >= SIGRTMIN) else if (sig >= SIGRTMIN)
return sig - SIGRTMIN + 128; /* rt sigs mapped to 128 */ return sig - SIGRTMIN + SIGRT_BASE;
else if (sig < MAXMAPPED_SIG) else if (sig < MAXMAPPED_SIG)
return sig_map[sig]; return sig_map[sig];
return SIGUNKNOWN; return SIGUNKNOWN;
...@@ -174,11 +174,14 @@ static void audit_signal_cb(struct audit_buffer *ab, void *va) ...@@ -174,11 +174,14 @@ static void audit_signal_cb(struct audit_buffer *ab, void *va)
audit_signal_mask(ab, aad(sa)->denied); audit_signal_mask(ab, aad(sa)->denied);
} }
} }
if (aad(sa)->signal < MAXMAPPED_SIGNAME) if (aad(sa)->signal == SIGUNKNOWN)
audit_log_format(ab, "signal=unknown(%d)",
aad(sa)->unmappedsig);
else if (aad(sa)->signal < MAXMAPPED_SIGNAME)
audit_log_format(ab, " signal=%s", sig_names[aad(sa)->signal]); audit_log_format(ab, " signal=%s", sig_names[aad(sa)->signal]);
else else
audit_log_format(ab, " signal=rtmin+%d", audit_log_format(ab, " signal=rtmin+%d",
aad(sa)->signal - 128); aad(sa)->signal - SIGRT_BASE);
audit_log_format(ab, " peer="); audit_log_format(ab, " peer=");
aa_label_xaudit(ab, labels_ns(aad(sa)->label), aad(sa)->peer, aa_label_xaudit(ab, labels_ns(aad(sa)->label), aad(sa)->peer,
FLAGS_NONE, GFP_ATOMIC); FLAGS_NONE, GFP_ATOMIC);
...@@ -211,6 +214,7 @@ int aa_may_signal(struct aa_label *sender, struct aa_label *target, int sig) ...@@ -211,6 +214,7 @@ int aa_may_signal(struct aa_label *sender, struct aa_label *target, int sig)
DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, OP_SIGNAL); DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, OP_SIGNAL);
aad(&sa)->signal = map_signal_num(sig); aad(&sa)->signal = map_signal_num(sig);
aad(&sa)->unmappedsig = sig;
return xcheck_labels(sender, target, profile, return xcheck_labels(sender, target, profile,
profile_signal_perm(profile, target, MAY_WRITE, &sa), profile_signal_perm(profile, target, MAY_WRITE, &sa),
profile_signal_perm(profile, sender, MAY_READ, &sa)); profile_signal_perm(profile, sender, MAY_READ, &sa));
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment