From: Vegard Nossum <vegard.nos...@oracle.com>

Signed-off-by: Vegard Nossum <vegard.nos...@oracle.com>
---
 include/uapi/linux/audit.h |    1 +
 security/exploit.c         |   16 ++++++++++++++++
 2 files changed, 17 insertions(+)

diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 75cef3f..65811d4 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -131,6 +131,7 @@
 #define AUDIT_ANOM_PROMISCUOUS      1700 /* Device changed promiscuous mode */
 #define AUDIT_ANOM_ABEND            1701 /* Process ended abnormally */
 #define AUDIT_ANOM_LINK                    1702 /* Suspicious use of file 
links */
+#define AUDIT_ANOM_EXPLOIT          1703 /* Known exploit attempt */
 #define AUDIT_INTEGRITY_DATA       1800 /* Data integrity verification */
 #define AUDIT_INTEGRITY_METADATA    1801 /* Metadata integrity verification */
 #define AUDIT_INTEGRITY_STATUS     1802 /* Integrity enable status */
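Review bot: The comment on the new AUDIT_ANOM_EXPLOIT define says "Known exploit attempt", while the record this number identifies (per the security/exploit.c hunk of the same patch) is emitted for a "possible" attempt; `/* Possible exploit attempt (see security/exploit.c) */` would keep the header and the log message in agreement about what the record means. Since this is a uapi message type, userspace audit tooling presumably also needs the matching name-table entry before the record shows up by name rather than as a bare 1703 — if so, a sentence in the commit message saying the userspace change is pending would help reviewers.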
diff --git a/security/exploit.c b/security/exploit.c
index a732613..3d8ee5b 100644
--- a/security/exploit.c
+++ b/security/exploit.c
@@ -1,3 +1,4 @@
+#include <linux/audit.h>
 #include <linux/cred.h>
 #include <linux/exploit.h>
 #include <linux/printk.h>
@@ -19,9 +20,24 @@ void _exploit(const char *id)
        pid_t pid = task_pid_nr(task);
        uid_t uid = from_kuid(&init_user_ns, current_uid());
        char comm[sizeof(task->comm)];
+#ifdef CONFIG_AUDIT
+       struct audit_buffer *ab;
+#endif
 
        get_task_comm(comm, task);
 
+#ifdef CONFIG_AUDIT
+       ab = audit_log_start(NULL, GFP_ATOMIC, AUDIT_ANOM_EXPLOIT);
+       if (ab) {
+               audit_log_format(ab, "exploit id=%s pid=%u uid=%u auid=%u 
ses=%u comm=",
+                       id, pid, uid,
+                       from_kuid(&init_user_ns, audit_get_loginuid(task)),
+                       audit_get_sessionid(task));
+               audit_log_untrustedstring(ab, comm);
+               audit_log_end(ab);
+       }
+#endif
+
        pr_warn_ratelimited("warning: possible %s exploit attempt by pid=%u 
uid=%u comm=%s\n",
                id, pid, uid, comm);
 }
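Review bot: The new audit record hand-formats the subject fields, where the existing ANOM records are built with `audit_log_task_info(ab, task)`, which emits the standard pid/auid/uid/ses/comm fields in the conventional order and already passes comm through the untrusted-string path; if that helper fits here, the body of the `if (ab)` block reduces to `audit_log_format(ab, "exploit id=%s", id); audit_log_task_info(ab, task); audit_log_end(ab);`. The two `#ifdef CONFIG_AUDIT` pairs look unnecessary as well: linux/audit.h supplies no-op stubs (audit_log_start returning NULL, the log calls as empty macros) when audit is compiled out, and audit_get_loginuid/audit_get_sessionid have stubs without CONFIG_AUDITSYSCALL — confirm against the base tree, since a CONFIG_AUDIT=y, CONFIG_AUDITSYSCALL=n build is the case the ifdefs do not cover. Unlike the pr_warn_ratelimited below it, the audit record is written on every call; if per-attempt auditing is the intent, a one-line comment such as `/* not rate-limited: every attempt must be auditable */` would save the next reader the question, and if not, the audit path should be gated by the same limiter. _exploit's signature and the start of its body are outside the hunk.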
-- 
1.7.10.4
