socketcall auditing misses the call argument:

type=SOCKETCALL msg=audit: nargs=3 a0=10 a1=3 a2=c

which renders socketcall auditing (almost) useless: the record shows the
argument values but not which socket operation they belong to. Add the
call argument so that the socket operation actually invoked can be
decoded from the audit log:

type=SOCKETCALL msg=audit: call=1 nargs=3 a0=10 a1=3 a2=c

Signed-off-by: Sven Schnelle <[email protected]>
---
 include/linux/audit.h | 10 +++++-----
 kernel/audit.h        |  1 +
 kernel/auditsc.c      |  6 ++++--
 net/compat.c          |  2 +-
 net/socket.c          |  2 +-
 5 files changed, 12 insertions(+), 9 deletions(-)

diff --git a/include/linux/audit.h b/include/linux/audit.h
index d06134ac6245..7d2256f999ab 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -405,7 +405,7 @@ static inline void audit_ptrace(struct task_struct *t)
 extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp);
 extern void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, 
umode_t mode);
 extern void __audit_bprm(struct linux_binprm *bprm);
-extern int __audit_socketcall(int nargs, unsigned long *args);
+extern int __audit_socketcall(int call, int nargs, unsigned long *args);
 extern int __audit_sockaddr(int len, void *addr);
 extern void __audit_fd_pair(int fd1, int fd2);
 extern void __audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr);
@@ -445,14 +445,14 @@ static inline void audit_bprm(struct linux_binprm *bprm)
        if (unlikely(!audit_dummy_context()))
                __audit_bprm(bprm);
 }
-static inline int audit_socketcall(int nargs, unsigned long *args)
+static inline int audit_socketcall(int call, int nargs, unsigned long *args)
 {
        if (unlikely(!audit_dummy_context()))
-               return __audit_socketcall(nargs, args);
+               return __audit_socketcall(call, nargs, args);
        return 0;
 }
 
-static inline int audit_socketcall_compat(int nargs, u32 *args)
+static inline int audit_socketcall_compat(int call, int nargs, u32 *args)
 {
        unsigned long a[AUDITSC_ARGS];
        int i;
@@ -462,7 +462,7 @@ static inline int audit_socketcall_compat(int nargs, u32 
*args)
 
        for (i = 0; i < nargs; i++)
                a[i] = (unsigned long)args[i];
-       return __audit_socketcall(nargs, a);
+       return __audit_socketcall(call, nargs, a);
 }
 
 static inline int audit_sockaddr(int len, void *addr)
diff --git a/kernel/audit.h b/kernel/audit.h
index 58b66543b4d5..34e53b6f0ebb 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -153,6 +153,7 @@ struct audit_context {
        int type;
        union {
                struct {
+                       int call;
                        int nargs;
                        long args[6];
                } socketcall;
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index ea2ee1181921..c856893041c9 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1399,8 +1399,9 @@ static void show_special(struct audit_context *context, 
int *call_panic)
        switch (context->type) {
        case AUDIT_SOCKETCALL: {
                int nargs = context->socketcall.nargs;
+               int call = context->socketcall.call;
 
-               audit_log_format(ab, "nargs=%d", nargs);
+               audit_log_format(ab, "call=%d nargs=%d", call, nargs);
                for (i = 0; i < nargs; i++)
                        audit_log_format(ab, " a%d=%lx", i,
                                context->socketcall.args[i]);
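Review bot: The `call=%d` emitted in show_special introduces a new audit field name, and audit userspace (ausearch/auparse) interprets record fields by name, so `call` needs a matching entry in the userspace field dictionary before `ausearch -i` can render it as a socketcall operation rather than a bare integer; it is also worth confirming the name does not clash with an existing field. Separately, on native builds the SYSCALL record for the same event already appears to carry the socketcall() function number in its a0 field, so the commit message would be stronger if it said why correlating with that record is not sufficient (e.g. for compat callers). show_special continues beyond the hunk.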
@@ -2684,13 +2685,14 @@ void __audit_bprm(struct linux_binprm *bprm)
  * @args: args array
  *
  */
-int __audit_socketcall(int nargs, unsigned long *args)
+int __audit_socketcall(int call, int nargs, unsigned long *args)
 {
        struct audit_context *context = audit_context();
 
        if (nargs <= 0 || nargs > AUDITSC_ARGS || !args)
                return -EINVAL;
        context->type = AUDIT_SOCKETCALL;
+       context->socketcall.call = call;
        context->socketcall.nargs = nargs;
        memcpy(context->socketcall.args, args, nargs * sizeof(unsigned long));
        return 0;
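Review bot: The kernel-doc block above __audit_socketcall gets no entry for the new parameter; its visible tail lists only `@args: args array`, so `@call` should be documented next to it, e.g. ` * @call: socketcall() function number (SYS_SOCKET, SYS_BIND, ...)`, otherwise kernel-doc under `make W=1` will warn about the undocumented argument. The value is stored without any range check, which is acceptable only because every caller is expected to have validated `call` against its dispatch table before reaching here (the socketcall entry points appear to do so, outside these hunks); a one-line comment stating that expectation would keep a future caller from logging an unvalidated number. Both the comment block and the function's closing brace lie outside the hunk.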
diff --git a/net/compat.c b/net/compat.c
index 210fc3b4d0d8..0df955019ecc 100644
--- a/net/compat.c
+++ b/net/compat.c
@@ -437,7 +437,7 @@ COMPAT_SYSCALL_DEFINE2(socketcall, int, call, u32 __user *, 
args)
        if (copy_from_user(a, args, len))
                return -EFAULT;
 
-       ret = audit_socketcall_compat(len / sizeof(a[0]), a);
+       ret = audit_socketcall_compat(call, len / sizeof(a[0]), a);
        if (ret)
                return ret;
 
diff --git a/net/socket.c b/net/socket.c
index 6887840682bb..ff71f28c96f7 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -2921,7 +2921,7 @@ SYSCALL_DEFINE2(socketcall, int, call, unsigned long 
__user *, args)
        if (copy_from_user(a, args, len))
                return -EFAULT;
 
-       err = audit_socketcall(nargs[call] / sizeof(unsigned long), a);
+       err = audit_socketcall(call, nargs[call] / sizeof(unsigned long), a);
        if (err)
                return err;
 
-- 
2.32.0
