From 3acfd5f54ca16c15c36ac2f218357f2707b7edb8 Mon Sep 17 00:00:00 2001
From: John Johansen
Date: Thu, 1 Feb 2018 12:32:02 +0100
Subject: apparmor: audit unknown signal numbers
Allow apparmor to audit the number of a signal that it does not provide a mapping for and is currently being reported only as unknown.
Signed-off-by: John Johansen
---
security/apparmor/ipc.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
(limited to 'security/apparmor/ipc.c')
diff --git a/security/apparmor/ipc.c b/security/apparmor/ipc.c
index 754f2ff8d355..d7b137d4eb74 100644
--- a/security/apparmor/ipc.c
+++ b/security/apparmor/ipc.c
@@ -138,7 +138,7 @@ static inline int map_signal_num(int sig)
 if (sig > SIGRTMAX)
 return SIGUNKNOWN;
 else if (sig >= SIGRTMIN)
- return sig - SIGRTMIN + 128; /* rt sigs mapped to 128 */
+ return sig - SIGRTMIN + SIGRT_BASE;
 else if (sig < MAXMAPPED_SIG)
 return sig_map[sig];
 return SIGUNKNOWN;
@@ -174,11 +174,14 @@ static void audit_signal_cb(struct audit_buffer *ab, void *va)
 audit_signal_mask(ab, aad(sa)->denied);
 }
 }
- if (aad(sa)->signal < MAXMAPPED_SIGNAME)
+ if (aad(sa)->signal == SIGUNKNOWN)
+ audit_log_format(ab, "signal=unknown(%d)",
+ aad(sa)->unmappedsig);
+ else if (aad(sa)->signal < MAXMAPPED_SIGNAME)
 audit_log_format(ab, " signal=%s", sig_names[aad(sa)->signal]);
 else
 audit_log_format(ab, " signal=rtmin+%d",
- aad(sa)->signal - 128);
+ aad(sa)->signal - SIGRT_BASE);
 audit_log_format(ab, " peer=");
 aa_label_xaudit(ab, labels_ns(aad(sa)->label), aad(sa)->peer,
 FLAGS_NONE, GFP_ATOMIC);
@@ -211,6 +214,7 @@ int aa_may_signal(struct aa_label *sender, struct aa_label *target, int sig)
 DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, OP_SIGNAL);

 aad(&sa)->signal = map_signal_num(sig);
+ aad(&sa)->unmappedsig = sig;
 return xcheck_labels(sender, target, profile,
 profile_signal_perm(profile, target, MAY_WRITE, &sa),
 profile_signal_perm(profile, sender, MAY_READ, &sa));
-- cgit v1.2.3
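Review bot: In map_signal_num, the `else if (sig < MAXMAPPED_SIG)` branch still indexes `sig_map[sig]` with no lower bound, so a negative `sig` would read before the table rather than fall through to SIGUNKNOWN. Nothing in this hunk shows callers rejecting negative values, so this may already be guaranteed elsewhere. If it is not, `else if (sig >= 0 && sig < MAXMAPPED_SIG)` makes the function safe on its own and lets the new unknown(%d) audit path report such values. The opening of the function body and the definition of SIGRT_BASE are outside this hunk.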
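Review bot: The new format string `"signal=unknown(%d)"` in audit_signal_cb has no leading space, while the other two branches emit `" signal=%s"` and `" signal=rtmin+%d"`, so the field is written directly against whatever precedes it in the record. Audit consumers that split records on whitespace into key=value pairs would likely miss or mis-parse the signal field in exactly the case this commit is meant to make visible. Suggested change: `audit_log_format(ab, " signal=unknown(%d)",`. The start of audit_signal_cb is outside the hunk.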
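Review bot: `aad(&sa)->unmappedsig = sig;` in aa_may_signal is stored for every signal check, but in the visible code it is read only in the SIGUNKNOWN branch of audit_signal_cb, and nothing at the assignment says so. A short comment would help, for example `/* raw signal number, reported by audit only when the mapping is SIGUNKNOWN */`. The declaration of the unmappedsig field is not part of this view, so its type and any comment there could not be checked.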