From 5bc4b7346adbce6ed9e38b0fb564d4125fa6608b Mon Sep 17 00:00:00 2001
From: Mikhail Novosyolov
Date: Tue, 17 Mar 2020 00:20:39 +0300
Subject: [PATCH] AltHa: add logging of allowed interpreters
kernel.altha.rstrscript.debug_log=1 now allows to log interpreters which were allowed to run and log the path to them which was seen by the kernel. It should easify debugging issues like https://bugzilla.altlinux.org/show_bug.cgi?id=38225 where it is not clear why a binary was allowed to run.
---
 security/altha/altha_lsm.c | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/security/altha/altha_lsm.c b/security/altha/altha_lsm.c
index 7d1cc8f8a1a7..9513d6009f95 100644
--- a/security/altha/altha_lsm.c
+++ b/security/altha/altha_lsm.c
@@ -34,6 +34,7 @@ static bool altha_enabled = 0;
 /* sysctl flags */
 static int nosuid_enabled;
 static int rstrscript_enabled;
+static int debug_log_enabled;
 static int olock_enabled;
 
 /* Boot parameter handing */
@@ -171,6 +172,13 @@ static struct ctl_table rstrscript_sysctl_table[] = {
 .mode = 0644,
 .proc_handler = &proc_dointvec_minmax,
 },
+ {
+ .procname = "debug_log",
+ .data = &debug_log_enabled,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = &proc_dointvec_minmax,
+ },
 {
 .procname = "interpreters",
 .data = proc_interpreters,
@@ -248,7 +256,13 @@ static int altha_bprm_set_creds(struct linux_binprm *bprm)
 bprm->filename, cur_uid);
 up_read(&interpreters_sem);
 return -EPERM;
- }
+ } else {
+ if (debug_log_enabled) {
+ pr_notice_ratelimited
+ ("AltHa/RestrScript: file %s is allowed to run by f_path %s\n",
+ bprm->filename, bprm->file->f_path);
+ }
+ }
 }
 up_read(&interpreters_sem);
 }
-- 
2.20.1
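Review bot: The new `debug_log` entry in `rstrscript_sysctl_table` sets `.proc_handler = &proc_dointvec_minmax` but no `.extra1`/`.extra2`, so no bounds are enforced and any integer, negative or large, is accepted for a flag that is only ever tested for zero/non-zero. If the neighbouring entries pin their range to 0..1, this one should do the same, e.g. `.extra1 = SYSCTL_ZERO,` and `.extra2 = SYSCTL_ONE,` (or whichever min/max pointers the file already uses for its other flags); otherwise plain `proc_dointvec` states the intent more honestly. The table's other entries lie outside the hunk, so I cannot confirm which convention they follow.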
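Review bot: `bprm->file->f_path` is a `struct path` value, not a `char *`, yet it is passed for the `%s` conversion in the new `pr_notice_ratelimited` call; the formatter will reinterpret the struct's bytes as a string pointer, which at best prints garbage and at worst oopses on every exec of an allowed interpreter once `debug_log` is on. `-Wformat` should already report the mismatch, since `pr_notice_ratelimited` is printf-checked, so the build warning is worth treating as an error here. The kernel's vsprintf has a specifier for exactly this: `"AltHa/RestrScript: file %s is allowed to run by f_path %pD4\n", bprm->filename, bprm->file` prints the last components of the file's path, and `file_path()` into a page-sized buffer gives the full path if that is what the bug report needs. Style-wise the `else { if (debug_log_enabled) {` nesting can be flattened to `} else if (debug_log_enabled) {`. `altha_bprm_set_creds` begins before the hunk and, judging by the remaining braces, continues past it.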