UBUNTU: SAUCE: SECCOMP: seccomp: remove duplicated failure logging

This consolidates the seccomp filter error logging path and adds more
details to the audit log.

v15: added a return code to the audit_seccomp path by wad@chromium.org
     (suggested by eparis@redhat.com)
v*: original by keescook@chromium.org

Signed-off-by: Will Drewry <wad@chromium.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Kees Cook <kees@ubuntu.com>

diff --git a/include/linux/audit.h b/include/linux/audit.h
index 24851b5..ab40f49 100644 (file)
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -430,7 +430,7 @@ extern void audit_putname(const char *name);
 extern void __audit_inode(const char *name, const struct dentry *dentry);
 extern void __audit_inode_child(const struct dentry *dentry,
                                const struct inode *parent);
-extern void __audit_seccomp(unsigned long syscall);
+extern void __audit_seccomp(unsigned long syscall, long signr, int code);
 extern void __audit_ptrace(struct task_struct *t);
 
 static inline int audit_dummy_context(void)
@@ -454,10 +454,10 @@ static inline void audit_inode_child(const struct dentry *dentry,
 }
 void audit_core_dumps(long signr);
 
-static inline void audit_seccomp(unsigned long syscall)
+static inline void audit_seccomp(unsigned long syscall, long signr, int code)
 {
        if (unlikely(!audit_dummy_context()))
-               __audit_seccomp(syscall);
+               __audit_seccomp(syscall, signr, code);
 }
 
 static inline void audit_ptrace(struct task_struct *t)
@@ -565,7 +565,7 @@ extern int audit_signals;
 #define audit_inode(n,d) do { (void)(d); } while (0)
 #define audit_inode_child(i,p) do { ; } while (0)
 #define audit_core_dumps(i) do { ; } while (0)
-#define audit_seccomp(i) do { ; } while (0)
+#define audit_seccomp(i,s,c) do { ; } while (0)
 #define auditsc_get_stamp(c,t,s) (0)
 #define audit_get_loginuid(t) (-1)
 #define audit_get_sessionid(t) (-1)

diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 0e2d6a9..ea19c31 100644 (file)
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -67,6 +67,7 @@
 #include <linux/syscalls.h>
 #include <linux/capability.h>
 #include <linux/fs_struct.h>
+#include <linux/compat.h>
 
 #include "audit.h"
 
@@ -2540,13 +2541,18 @@ void audit_core_dumps(long signr)
        audit_log_end(ab);
 }
 
-void __audit_seccomp(unsigned long syscall)
+void __audit_seccomp(unsigned long syscall, long signr, int code)
 {
        struct audit_buffer *ab;
 
        ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
-       audit_log_abend(ab, "seccomp", SIGKILL);
+       audit_log_abend(ab, "seccomp", signr);
        audit_log_format(ab, " syscall=%ld", syscall);
+#ifdef CONFIG_COMPAT
+       audit_log_format(ab, " compat=%d", is_compat_task());
+#endif
+       audit_log_format(ab, " ip=0x%lx", KSTK_EIP(current));
+       audit_log_format(ab, " code=0x%x", code);
        audit_log_end(ab);
 }
 

diff --git a/kernel/seccomp.c b/kernel/seccomp.c
index 5fc3381..7d933d3 100644 (file)
--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -62,18 +62,6 @@ struct seccomp_filter {
 /* Limit any path through the tree to 256KB worth of instructions. */
 #define MAX_INSNS_PER_PATH ((1 << 18) / sizeof(struct sock_filter))
 
-static void seccomp_filter_log_failure(int syscall)
-{
-       int compat = 0;
-#ifdef CONFIG_COMPAT
-       compat = is_compat_task();
-#endif
-       pr_info("%s[%d]: %ssystem call %d blocked at 0x%lx\n",
-               current->comm, task_pid_nr(current),
-               (compat ? "compat " : ""),
-               syscall, KSTK_EIP(current));
-}
-
 /**
  * get_u32 - returns a u32 offset into data
  * @data: a unsigned 64 bit value
@@ -378,7 +366,6 @@ void __secure_computing(int this_syscall)
        case SECCOMP_MODE_FILTER:
                if (seccomp_run_filters(this_syscall) == SECCOMP_RET_ALLOW)
                        return;
-               seccomp_filter_log_failure(this_syscall);
                exit_sig = SIGSYS;
                break;
 #endif
@@ -389,7 +376,7 @@ void __secure_computing(int this_syscall)
 #ifdef SECCOMP_DEBUG
        dump_stack();
 #endif
-       audit_seccomp(this_syscall);
+       audit_seccomp(this_syscall, exit_code, SECCOMP_RET_KILL);
        do_exit(exit_sig);
 }