kernel-6.6/0003-AltHa-add-logging-of-allowed-interpreters.patch
Mikhail Novosyolov 2854a5a0a7 AltHa: add logging of allowed interpreters
kernel.altha.rstrscript.debug_log=1 now allows to log interpreters
which were allowed to run and log the path to them which was seen by the kernel.

It should ease debugging issues like https://bugzilla.altlinux.org/show_bug.cgi?id=38225
where it is not clear why a binary was allowed to run.
2020-03-17 00:31:54 +03:00


From 5bc4b7346adbce6ed9e38b0fb564d4125fa6608b Mon Sep 17 00:00:00 2001
From: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
Date: Tue, 17 Mar 2020 00:20:39 +0300
Subject: [PATCH] AltHa: add logging of allowed interpreters
kernel.altha.rstrscript.debug_log=1 now allows to log interpreters
which were allowed to run and log the path to them which was seen by the kernel.
It should easify debugging issues like https://bugzilla.altlinux.org/show_bug.cgi?id=38225
where it is not clear why a binary was allowed to run.
---
security/altha/altha_lsm.c | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/security/altha/altha_lsm.c b/security/altha/altha_lsm.c
index 7d1cc8f8a1a7..9513d6009f95 100644
--- a/security/altha/altha_lsm.c
+++ b/security/altha/altha_lsm.c
@@ -34,6 +34,7 @@ static bool altha_enabled = 0;
/* sysctl flags */
static int nosuid_enabled;
static int rstrscript_enabled;
+static int debug_log_enabled;
static int olock_enabled;
/* Boot parameter handing */
@@ -171,6 +172,13 @@ static struct ctl_table rstrscript_sysctl_table[] = {
.mode = 0644,
.proc_handler = &proc_dointvec_minmax,
},
+ {
+ .procname = "debug_log",
+ .data = &debug_log_enabled,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = &proc_dointvec_minmax,
+ },
{
.procname = "interpreters",
.data = proc_interpreters,
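Review bot: The new `debug_log` entry names `proc_dointvec_minmax` as its handler but sets no `.extra1`/`.extra2`, so no range is enforced and the sysctl accepts any int, not just 0/1; the consumer only tests `debug_log_enabled` for non-zero, so this works, but a reader of the table expects `_minmax` to mean bounded. If a boolean flag is intended, add `.extra1 = SYSCTL_ZERO, .extra2 = SYSCTL_ONE,` after `.proc_handler` (where the target tree provides those constants), or switch the handler to plain `proc_dointvec` so the entry says what it does. The preceding entry visible at the top of the hunk appears to end right after `.proc_handler` too, so this may be deliberate consistency with the rest of `rstrscript_sysctl_table`, whose start and end lie outside the hunk. Mode 0644 keeps the knob root-writable and world-readable, which is consistent with the other entries shown.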
@@ -248,7 +256,13 @@ static int altha_bprm_set_creds(struct linux_binprm *bprm)
bprm->filename, cur_uid);
up_read(&interpreters_sem);
return -EPERM;
- }
+ } else {
+ if (debug_log_enabled) {
+ pr_notice_ratelimited
+ ("AltHa/RestrScript: file %s is allowed to run by f_path %s\n",
+ bprm->filename, bprm->file->f_path);
+ }
+ }
}
up_read(&interpreters_sem);
}
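Review bot: `bprm->file->f_path` on the new `pr_notice_ratelimited` line is a `struct path`, not a string, yet it is passed for the `%s` conversion, so the format argument does not match the format string and the logged "f_path" will not be the path the kernel resolved. printk provides `%pD` for a `struct file *`, so the call should read `("AltHa/RestrScript: file %s is allowed to run by f_path %pD\n", bprm->filename, bprm->file);`, which prints the file's resolved path and is what the commit message says it wants to show. The `if` whose `else` branch is added here, and `altha_bprm_set_creds` itself, begin outside the hunk, so the condition that makes this the "allowed" case is not visible. Since `bprm->filename` is caller-supplied and only ever consumed as a `%s` argument, and the flag defaults to 0 and the message is ratelimited, the added line is opt-in diagnostic output rather than a format-string or log-flooding concern.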
--
2.20.1