Generate audit records for SECCOMP_RET_ERRNO actions, which were previously not audited.
Additionally, include the errno value that will be set in the audit message. Signed-off-by: Tyler Hicks <tyhi...@canonical.com> --- include/linux/audit.h | 19 ++++++++++++++++++- kernel/auditsc.c | 3 +++ kernel/seccomp.c | 4 +++- 3 files changed, 24 insertions(+), 2 deletions(-) diff --git a/include/linux/audit.h b/include/linux/audit.h index 8c588c3..6815812 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -87,7 +87,10 @@ struct audit_field { struct audit_seccomp_info { int code; - long signr; + union { + int errno; + long signr; + }; }; extern int is_audit_feature_set(int which); @@ -319,6 +322,20 @@ static inline void audit_inode_child(struct inode *parent, } void audit_core_dumps(long signr); +static inline void audit_seccomp_errno(unsigned long syscall, int errno, + int code) +{ + if (!audit_enabled) + return; + + if (errno || unlikely(!audit_dummy_context())) { + struct audit_seccomp_info info = { .code = code, + .errno = errno }; + + __audit_seccomp(syscall, &info); + } +} + static inline void audit_seccomp_signal(unsigned long syscall, long signr, int code) { diff --git a/kernel/auditsc.c b/kernel/auditsc.c index b3472f2..db5fc9d 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -2426,6 +2426,9 @@ void __audit_seccomp(unsigned long syscall, struct audit_seccomp_info *info) audit_log_task(ab); switch (info->code) { + case SECCOMP_RET_ERRNO: + audit_log_format(ab, " errno=%d", info->errno); + break; case SECCOMP_RET_KILL: audit_log_format(ab, " sig=%ld", info->signr); break; diff --git a/kernel/seccomp.c b/kernel/seccomp.c index 54c01b6..e99c566 100644 --- a/kernel/seccomp.c +++ b/kernel/seccomp.c @@ -576,9 +576,11 @@ static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd, /* Set low-order bits as an errno, capped at MAX_ERRNO. */ if (data > MAX_ERRNO) data = MAX_ERRNO; + + audit_seccomp_errno(this_syscall, data, action); syscall_set_return_value(current, task_pt_regs(current), -data, 0); - goto skip; + return -1; case SECCOMP_RET_TRAP: /* Show the handler the original registers. */ -- 2.7.4 -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit