Djam/kernel-6.1
1
0
Fork 0
mirror of https://abf.rosa.ru/djam/kernel-6.1.git synced 2025-02-24 15:52:54 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

AltHa: add logging of allowed interpreters

Browse source 
kernel.altha.rstrscript.debug_log=1 now allows to log interpreters
which were allowed to run and log the path to them which was seen by the kernel.

It should easify debugging issues like https://bugzilla.altlinux.org/show_bug.cgi?id=38225
where it is not clear why a binary was allowed to run.
This commit is contained in:
Mikhail Novosyolov 2020-03-17 00:31:54 +03:00
parent 5f08ed1263
commit 2854a5a0a7
2 changed files with 60 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

58
0003-AltHa-add-logging-of-allowed-interpreters.patch Normal file
View file

@ -0,0 +1,58 @@
From 5bc4b7346adbce6ed9e38b0fb564d4125fa6608b Mon Sep 17 00:00:00 2001
From: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
Date: Tue, 17 Mar 2020 00:20:39 +0300
Subject: [PATCH] AltHa: add logging of allowed interpreters
kernel.altha.rstrscript.debug_log=1 now allows to log interpreters
which were allowed to run and log the path to them which was seen by the kernel.
It should easify debugging issues like https://bugzilla.altlinux.org/show_bug.cgi?id=38225
where it is not clear why a binary was allowed to run.
---
security/altha/altha_lsm.c | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/security/altha/altha_lsm.c b/security/altha/altha_lsm.c
index 7d1cc8f8a1a7..9513d6009f95 100644
--- a/security/altha/altha_lsm.c
+++ b/security/altha/altha_lsm.c
@@ -34,6 +34,7 @@ static bool altha_enabled = 0;
/* sysctl flags */
static int nosuid_enabled;
static int rstrscript_enabled;
+static int debug_log_enabled;
static int olock_enabled;
/* Boot parameter handing */
@@ -171,6 +172,13 @@ static struct ctl_table rstrscript_sysctl_table[] = {
.mode = 0644,
.proc_handler = &proc_dointvec_minmax,
},
+ {
+ .procname = "debug_log",
+ .data = &debug_log_enabled,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = &proc_dointvec_minmax,
+ },
{
.procname = "interpreters",
.data = proc_interpreters,
@@ -248,7 +256,13 @@ static int altha_bprm_set_creds(struct linux_binprm *bprm)
bprm->filename, cur_uid);
up_read(&interpreters_sem);
return -EPERM;
- }
+ } else {
+ if (debug_log_enabled) {
+ pr_notice_ratelimited
+ ("AltHa/RestrScript: file %s is allowed to run by f_path %s\n",
+ bprm->filename, bprm->file->f_path);
+ }
+ }
}
up_read(&interpreters_sem);
}
--
2.20.1

3
kernel.spec
View file

@ -11,7 +11,7 @@
%define sublevel 25
# Release number. Increase this before a rebuild.
%define rpmrel 7
%define rpmrel 8
%define fullrpmrel %{rpmrel}
%define rpmtag %{disttag}
@ -215,6 +215,7 @@ Patch109: fs-aufs.patch
# TODO: known problem: https://bugzilla.altlinux.org/show_bug.cgi?id=38225
Patch201: 0001-AltHa-LSM-module.patch
Patch202: 0002-Documentation-for-AltHa-LSM.patch
Patch203: 0003-AltHa-add-logging-of-allowed-interpreters.patch
# Other patches
Patch301: objtool-sync-check.sh-set-the-exit-code-explicitly.patch