apparmor: audit unknown signal numbers
authorJohn Johansen <john.johansen@canonical.com>
Thu, 1 Feb 2018 11:32:02 +0000 (12:32 +0100)
committerSeth Forshee <seth.forshee@canonical.com>
Thu, 12 Apr 2018 15:35:30 +0000 (10:35 -0500)
BugLink: http://bugs.launchpad.net/bugs/1763427
Allow apparmor to audit the number of a signal for which it does not
provide a mapping and which is currently reported only as
unknown.

Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 3acfd5f54ca16c15c36ac2f218357f2707b7edb8
 git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor)
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
security/apparmor/include/audit.h
security/apparmor/include/sig_names.h
security/apparmor/ipc.c

index d7ecae4cf59b99efc1ff29da2cf11f1c4c0d67e8..54789cd4188ab69f1b75f42c2900c02660868db6 100644 (file)
@@ -126,7 +126,6 @@ struct apparmor_audit_data {
                                        const char *target;
                                        kuid_t ouid;
                                } fs;
-                               int signal;
                                struct {
                                        int type, protocol;
                                        struct sock *peer_sk;
@@ -137,6 +136,10 @@ struct apparmor_audit_data {
                                        int rlim;
                                        unsigned long max;
                                } rlim;
+                               struct {
+                                       int signal;
+                                       int unmappedsig;
+                               };
                        };
                };
                struct {
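Review bot: The new anonymous struct at the end of the union carries no comment, so a reader cannot tell how `signal` and `unmappedsig` relate or why both are kept. Since both are set together in aa_may_signal and `unmappedsig` is only logged when `signal == SIGUNKNOWN`, I would document that on the members, e.g. `int signal;        /* internal (mapped) signal number, SIGUNKNOWN if none */` and `int unmappedsig;   /* raw signal number, logged when signal == SIGUNKNOWN */`. The enclosing struct apparmor_audit_data starts and ends outside the hunk.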
index 5ca47c50dfa73430f3263d2bf6746b956046fe3e..cbf7a997ed8412797282be480a15339ee431d997 100644 (file)
@@ -3,6 +3,7 @@
 #define SIGUNKNOWN 0
 #define MAXMAPPED_SIG 35
 #define MAXMAPPED_SIGNAME (MAXMAPPED_SIG + 1)
+#define SIGRT_BASE 128
 
 /* provide a mapping of arch signal to internal signal # for mediation
  * those that are always an alias SIGCLD for SIGCLHD and SIGPOLL for SIGIO
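Review bot: The new `SIGRT_BASE` define has no comment, while the only explanation of the value (`/* rt sigs mapped to 128 */`) is removed from map_signal_num in the security/apparmor/ipc.c hunk of this commit, so the meaning of 128 is now documented nowhere. I would move that explanation onto the define, e.g. `#define SIGRT_BASE 128	/* internal number of SIGRTMIN; rt sigs are SIGRT_BASE + (sig - SIGRTMIN) */`. It may also be worth noting next to it that the value must stay above MAXMAPPED_SIGNAME, since audit_signal_cb relies on `signal < MAXMAPPED_SIGNAME` to tell mapped names from rt signals.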
index 754f2ff8d3550ed3b9d0570607b2cfb76b613772..d7b137d4eb740a52404d67cb702b183fb63ddafe 100644 (file)
@@ -138,7 +138,7 @@ static inline int map_signal_num(int sig)
        if (sig > SIGRTMAX)
                return SIGUNKNOWN;
        else if (sig >= SIGRTMIN)
-               return sig - SIGRTMIN + 128;    /* rt sigs mapped to 128 */
+               return sig - SIGRTMIN + SIGRT_BASE;
        else if (sig < MAXMAPPED_SIG)
                return sig_map[sig];
        return SIGUNKNOWN;
@@ -174,11 +174,14 @@ static void audit_signal_cb(struct audit_buffer *ab, void *va)
                        audit_signal_mask(ab, aad(sa)->denied);
                }
        }
-       if (aad(sa)->signal < MAXMAPPED_SIGNAME)
+       if (aad(sa)->signal == SIGUNKNOWN)
+               audit_log_format(ab, "signal=unknown(%d)",
+                                aad(sa)->unmappedsig);
+       else if (aad(sa)->signal < MAXMAPPED_SIGNAME)
                audit_log_format(ab, " signal=%s", sig_names[aad(sa)->signal]);
        else
                audit_log_format(ab, " signal=rtmin+%d",
-                                aad(sa)->signal - 128);
+                                aad(sa)->signal - SIGRT_BASE);
        audit_log_format(ab, " peer=");
        aa_label_xaudit(ab, labels_ns(aad(sa)->label), aad(sa)->peer,
                        FLAGS_NONE, GFP_ATOMIC);
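Review bot: The new format string `"signal=unknown(%d)"` is missing the leading space that the two sibling branches (`" signal=%s"` and `" signal=rtmin+%d"`) carry, so for an unmapped signal the field is emitted directly after whatever audit_signal_mask or the preceding code wrote, with no separator. Audit records are parsed as space-delimited key=value fields, so a fused field is likely to break userspace tooling for exactly the case this commit adds. The fix is one character: `audit_log_format(ab, " signal=unknown(%d)",`. audit_signal_cb's body begins and ends outside the hunk.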
@@ -211,6 +214,7 @@ int aa_may_signal(struct aa_label *sender, struct aa_label *target, int sig)
        DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, OP_SIGNAL);
 
        aad(&sa)->signal = map_signal_num(sig);
+       aad(&sa)->unmappedsig = sig;
        return xcheck_labels(sender, target, profile,
                        profile_signal_perm(profile, target, MAY_WRITE, &sa),
                        profile_signal_perm(profile, sender, MAY_READ, &sa));