[PATCH 1/1] Added exe field to audit core dump signal log

Richard Guy Briggs rgb at redhat.com
Wed Nov 20 22:29:28 UTC 2013 

On Wed, Nov 20, 2013 at 02:03:01PM -0800, William Roberts wrote:
> On Wed, Nov 20, 2013 at 1:47 PM, Richard Guy Briggs <rgb at redhat.com> wrote:
> > On Thu, Nov 14, 2013 at 08:56:57AM +0530, Paul Davies C wrote:
> >> Currently when the coredump signals are logged by the audit system , the
> >> actual path to the executable is not logged. Without details of exe , the
> >> system admin may not have an exact idea on what program failed.
> >>
> >> This patch changes the audit_log_task() so that the path to the exe is also
> >> logged.
> >
> > Out of curiosity, on which platform are you observing this?  This sounds
> > related to Bill Roberts' recent cmdline patches.
> 
> I don't think this is related, looks to me like he want the exe file that
> started it. Where as I want some abstract field that was set by the VM
> at application invocation.

I pulled the trigger on send a bit too fast...

I see now where that code came from...  It was copied from
audit_log_task_info().

> >> Signed-off-by: Paul Davies C <pauldaviesc at gmail.com>
> >> +     struct mm_struct *mm = current->mm;
> Why wouldn't we use:
> get_task_mm(current)

That may be a bit heavy for this usage since we are in the current
context.

> >>       auid = audit_get_loginuid(current);
> >>       sessionid = audit_get_sessionid(current);
> >> @@ -2366,6 +2367,12 @@ static void audit_log_task(struct audit_buffer *ab)
> >>       audit_log_task_context(ab);
> >>       audit_log_format(ab, " pid=%d comm=", current->pid);
> >>       audit_log_untrustedstring(ab, current->comm);
> >> +     if (mm) {
> 
> if using get_task_mm() drop below
> 
> >> +             down_read(&mm->mmap_sem);
> >> +             if (mm->exe_file)
> >> +                     audit_log_d_path(ab, " exe=", &mm->exe_file->f_path);
> 
> if using get_task_mm() change below to mmput(mm);
> 
> >> +             up_read(&mm->mmap_sem);
> >> +     }
> >
> > - RGB
> 
> William C Roberts

- RGB

--
Richard Guy Briggs <rbriggs at redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545

More information about the Linux-audit mailing list