Google Git
Sign in
googlers / maze / linux / 9410d228a4cf434305306746bb799fb7acdd8648^! / .
commit9410d228a4cf434305306746bb799fb7acdd8648[log] [tgz]
authorRichard Guy Briggs <rgb@redhat.com>Wed Oct 30 18:05:24 2013 -0400
committerEric Paris <eparis@redhat.com>Tue Nov 05 11:15:03 2013 -0500
tree93dc6f756af3c2557f2e1377bad52582fdd9fe19
parentd9cfea91e97d5d19f9d69beaa844f5fe56a6adc6 [diff]
audit: call audit_bprm() only once to add AUDIT_EXECVE information

Move the audit_bprm() call from search_binary_handler() to exec_binprm().  This
allows us to get rid of the mm member of struct audit_aux_data_execve since
bprm->mm will equal current->mm.

This also mitigates the issue that ->argc could be modified by the
load_binary() call in search_binary_handler().

audit_bprm() was being called to add an AUDIT_EXECVE record to the audit
context every time search_binary_handler() was recursively called.  Only one
reference is necessary.

Reported-by: Oleg Nesterov <onestero@redhat.com>
Cc: Eric Paris <eparis@redhat.com>
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
---
This patch is against 3.11, but was developed on Oleg's post-3.11 patches that
introduce exec_binprm().

diff --git a/fs/exec.c b/fs/exec.c
index fd774c7..c5c24f2 100644
--- a/fs/exec.c
+++ b/fs/exec.c

@@ -1383,10 +1383,6 @@
 	if (retval)
 		return retval;
 
-	retval = audit_bprm(bprm);
-	if (retval)
-		return retval;
-
 	/* Need to fetch pid before load_binary changes it */
 	old_pid = current->pid;
 	rcu_read_lock();
@@ -1408,6 +1404,7 @@
 			bprm->recursion_depth = depth;
 			if (retval >= 0) {
 				if (depth == 0) {
+					audit_bprm(bprm);
 					trace_sched_process_exec(current, old_pid, bprm);
 					ptrace_event(PTRACE_EVENT_EXEC, old_vpid);
 				}

diff --git a/include/linux/audit.h b/include/linux/audit.h
index 08b38bf..a406419 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h

@@ -238,11 +238,10 @@
 	if (unlikely(!audit_dummy_context()))
 		__audit_ipc_set_perm(qbytes, uid, gid, mode);
 }
-static inline int audit_bprm(struct linux_binprm *bprm)
+static inline void audit_bprm(struct linux_binprm *bprm)
 {
 	if (unlikely(!audit_dummy_context()))
 		__audit_bprm(bprm);
-	return 0;
 }
 static inline int audit_socketcall(int nargs, unsigned long *args)
 {
@@ -369,10 +368,8 @@
 static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid,
 					gid_t gid, umode_t mode)
 { }
-static inline int audit_bprm(struct linux_binprm *bprm)
-{
-	return 0;
-}
+static inline void audit_bprm(struct linux_binprm *bprm)
+{ }
 static inline int audit_socketcall(int nargs, unsigned long *args)
 {
 	return 0;

diff --git a/kernel/audit.h b/kernel/audit.h
index e7b94ab..b779642 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h

@@ -199,7 +199,6 @@
 		} mmap;
 		struct {
 			int			argc;
-			struct mm_struct	*mm;
 		} execve;
 	};
 	int fds[2];

diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 425a893..dfc5d67 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c

@@ -1145,9 +1145,6 @@
 	const char __user *p;
 	char *buf;
 
-	if (context->execve.mm != current->mm)
-		return; /* execve failed, no additional info */
-
 	p = (const char __user *)current->mm->arg_start;
 
 	audit_log_format(*ab, "argc=%d", context->execve.argc);
@@ -2144,7 +2141,6 @@
 
 	context->type = AUDIT_EXECVE;
 	context->execve.argc = bprm->argc;
-	context->execve.mm = bprm->mm;
 }