From 2854a5a0a7484ec0d12e3fdb834945eadc49a8be Mon Sep 17 00:00:00 2001
From: Mikhail Novosyolov
Date: Tue, 17 Mar 2020 00:31:54 +0300
Subject: [PATCH] AltHa: add logging of allowed interpreters

kernel.altha.rstrscript.debug_log=1 now allows to log interpreters
which were allowed to run and log the path to them which was seen by the kernel.

It should easify debugging issues like https://bugzilla.altlinux.org/show_bug.cgi?id=38225
where it is not clear why a binary was allowed to run.
---
...-add-logging-of-allowed-interpreters.patch | 58 +++++++++++++++++++
kernel.spec | 3 +-
2 files changed, 60 insertions(+), 1 deletion(-)
create mode 100644 0003-AltHa-add-logging-of-allowed-interpreters.patch

diff --git a/0003-AltHa-add-logging-of-allowed-interpreters.patch b/0003-AltHa-add-logging-of-allowed-interpreters.patch
new file mode 100644
index 0000000..18ead19
--- /dev/null
+++ b/0003-AltHa-add-logging-of-allowed-interpreters.patch
@@ -0,0 +1,58 @@
+From 5bc4b7346adbce6ed9e38b0fb564d4125fa6608b Mon Sep 17 00:00:00 2001
+From: Mikhail Novosyolov
+Date: Tue, 17 Mar 2020 00:20:39 +0300
+Subject: [PATCH] AltHa: add logging of allowed interpreters
+
+kernel.altha.rstrscript.debug_log=1 now allows to log interpreters
+which were allowed to run and log the path to them which was seen by the kernel.
+
+It should easify debugging issues like https://bugzilla.altlinux.org/show_bug.cgi?id=38225
+where it is not clear why a binary was allowed to run.
+---
+ security/altha/altha_lsm.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/security/altha/altha_lsm.c b/security/altha/altha_lsm.c
+index 7d1cc8f8a1a7..9513d6009f95 100644
+--- a/security/altha/altha_lsm.c
++++ b/security/altha/altha_lsm.c
+@@ -34,6 +34,7 @@ static bool altha_enabled = 0;
+ /* sysctl flags */
+ static int nosuid_enabled;
+ static int rstrscript_enabled;
++static int debug_log_enabled;
+ static int olock_enabled;
+ 
+ /* Boot parameter handing */
+@@ -171,6 +172,13 @@ static struct ctl_table rstrscript_sysctl_table[] = {
+ .mode = 0644,
+ .proc_handler = &proc_dointvec_minmax,
+ },
++ {
++ .procname = "debug_log",
++ .data = &debug_log_enabled,
++ .maxlen = sizeof(int),
++ .mode = 0644,
++ .proc_handler = &proc_dointvec_minmax,
++ },
+ {
+ .procname = "interpreters",
+ .data = proc_interpreters,
+@@ -248,7 +256,13 @@ static int altha_bprm_set_creds(struct linux_binprm *bprm)
+ bprm->filename, cur_uid);
+ up_read(&interpreters_sem);
+ return -EPERM;
+- }
++ } else {
++ if (debug_log_enabled) {
++ pr_notice_ratelimited
++ ("AltHa/RestrScript: file %s is allowed to run by f_path %s\n",
++ bprm->filename, bprm->file->f_path);
++ }
++ }
+ }
+ up_read(&interpreters_sem);
+ }
+--
+2.20.1
+
diff --git a/kernel.spec b/kernel.spec
index 6c4bbe3..77d985a 100644
--- a/kernel.spec
+++ b/kernel.spec
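Review bot: The new pr_notice_ratelimited call at the end of the hunk passes `bprm->file->f_path`, which is a `struct path` by value, to a `%s` conversion, so the format engine will treat the first word of that struct as a `char *` and dump whatever it points to (or fault on it) instead of printing a path; the compiler's format check should already warn about this. printk has a dedicated extension for exactly this case: `%pD` takes a `struct file *` and prints its full path, so the two lines should read `("AltHa/RestrScript: file %s is allowed to run by f_path %pD\n", bprm->filename, bprm->file);` (if the base kernel predates `%pD`, fall back to `d_path()` into a stack buffer). The `debug_log` ctl_table entry mirrors its neighbours and uses proc_dointvec_minmax without `extra1`/`extra2`, so it accepts any int rather than just 0/1; that is harmless for a boolean checked with `if (debug_log_enabled)`, but a short comment saying so would save the next reader a look. altha_bprm_set_creds begins before this hunk, so the loop the added `else` branch sits in is not visible here.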
@@ -11,7 +11,7 @@ %define sublevel 25
# Release number. Increase this before a rebuild.
-%define rpmrel 7
+%define rpmrel 8
%define fullrpmrel %{rpmrel}
%define rpmtag %{disttag}
@@ -215,6 +215,7 @@ Patch109: fs-aufs.patch
# TODO: known problem: https://bugzilla.altlinux.org/show_bug.cgi?id=38225
Patch201: 0001-AltHa-LSM-module.patch
Patch202: 0002-Documentation-for-AltHa-LSM.patch
+Patch203: 0003-AltHa-add-logging-of-allowed-interpreters.patch
# Other patches
Patch301: objtool-sync-check.sh-set-the-exit-code-explicitly.patch