[PATCH] Fixed reason field in audit signal logging
Eric Paris
eparis at redhat.com
Thu Nov 7 14:43:24 UTC 2013
On Thu, 2013-11-07 at 19:09 +0530, Paul Davies C wrote:
> The audit system logs the signals that lead to abnormal end of a process.
> However, as of now, it always states the reason for failure of a process as
> "memory violation" regardless of the signal delivered. This is due to the
> audit_core_dumps() function passing the reason for failure blindly to
> audit_log_abend() as "memory violation".
>
> This patch changes the audit_core_dumps() function so as to pass on the right
> reason to audit_log_abend() based on the signal received.
>
> Signed-off-by: Paul Davies C
Acked-by: Eric Paris <eparis at redhat.com>
But we really should wait for an Ack and thoughts from Steve Grubb....
> ---
> kernel/auditsc.c | 31 ++++++++++++++++++++++++++++++-
> 1 file changed, 30 insertions(+), 1 deletion(-)
>
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 9845cb3..3cafd13 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -2395,7 +2395,36 @@ void audit_core_dumps(long signr)
> ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
> if (unlikely(!ab))
> return;
> - audit_log_abend(ab, "memory violation", signr);
> +
> + /*Identify the reason for failure based on signal delivered.*/
> + switch (signr) {
> + case SIGABRT:
> + audit_log_abend(ab, "received abort", signr);
> + break;
> + case SIGBUS:
> + audit_log_abend(ab, "invalid pointer dereference", signr);
> + break;
> + case SIGFPE:
> + audit_log_abend(ab, "invalid floating point instruction", signr);
> + break;
> + case SIGILL:
> + audit_log_abend(ab, "illegal instruction", signr);
> + break;
> + case SIGSEGV:
> + audit_log_abend(ab, "memory violation", signr);
> + break;
> + case SIGTRAP:
> + audit_log_abend(ab, "bad instruction / debugger generated signal", signr);
> + break;
> + case SIGXCPU:
> + audit_log_abend(ab, "cpu time violation", signr);
> + break;
> + case SIGXFSZ:
> + audit_log_abend(ab, "file size violation", signr);
> + break;
> + default:
> + audit_log_abend(ab, "not defined", signr);
> + }
> audit_log_end(ab);
> }
>
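Review bot: the reason strings in the SIGBUS and SIGFPE cases are narrower than what those signals cover, so the audit record can still misstate the cause. SIGBUS is also raised for misaligned access and for touching a mapped file past its end, and SIGFPE is also raised for integer divide-by-zero, so "invalid pointer dereference" and "invalid floating point instruction" would be better as something like "bus error" and "arithmetic exception". Separately, every case repeats the audit_log_abend() call. Setting a local `const char *reason` in the switch and calling `audit_log_abend(ab, reason, signr);` once after it would make the function shorter and keep the SIGTRAP line under 80 columns. The default case has no break, and the comment needs spaces inside its delimiters (`/* Identify ... */`). Since this changes the reason text emitted in AUDIT_ANOM_ABEND records, the commit message should say that consumers matching on "memory violation" will now see other values.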