• Kees Cook's avatar
    audit: create explicit AUDIT_SECCOMP event type · 7b9205bd
    Kees Cook authored
    The seccomp path was using AUDIT_ANOM_ABEND from when seccomp mode 1
    could only kill a process.  While we still want to make sure an audit
    record is forced on a kill, this should use a separate record type since
    seccomp mode 2 introduces other behaviors.
    
    In the case of "handled" behaviors (process wasn't killed), only emit a
    record if the process is under inspection.  This change also fixes
    userspace examination of seccomp audit events, since it was considered
    malformed due to missing fields of the AUDIT_ANOM_ABEND event type.
    Signed-off-by: default avatarKees Cook <keescook@chromium.org>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: Eric Paris <eparis@redhat.com>
    Cc: Jeff Layton <jlayton@redhat.com>
    Cc: "Eric W. Biederman" <ebiederm@xmission.com>
    Cc: Julien Tinnes <jln@google.com>
    Acked-by: default avatarWill Drewry <wad@chromium.org>
    Acked-by: default avatarSteve Grubb <sgrubb@redhat.com>
    Cc: Andrea Arcangeli <aarcange@redhat.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    7b9205bd
auditsc.c 71.9 KB