diff options
Diffstat (limited to 'kernel/seccomp.c')
| -rw-r--r-- | kernel/seccomp.c | 58 |
1 files changed, 49 insertions, 9 deletions
diff --git a/kernel/seccomp.c b/kernel/seccomp.c index b36ac1e0cd0e..f5630d1a88fe 100644 --- a/kernel/seccomp.c +++ b/kernel/seccomp.c @@ -1219,11 +1219,10 @@ static int read_actions_logged(struct ctl_table *ro_table, void __user *buffer, } static int write_actions_logged(struct ctl_table *ro_table, void __user *buffer, - size_t *lenp, loff_t *ppos) + size_t *lenp, loff_t *ppos, u32 *actions_logged) { char names[sizeof(seccomp_actions_avail)]; struct ctl_table table; - u32 actions_logged; int ret; if (!capable(CAP_SYS_ADMIN)) @@ -1238,24 +1237,65 @@ static int write_actions_logged(struct ctl_table *ro_table, void __user *buffer, if (ret) return ret; - if (!seccomp_actions_logged_from_names(&actions_logged, table.data)) + if (!seccomp_actions_logged_from_names(actions_logged, table.data)) return -EINVAL; - if (actions_logged & SECCOMP_LOG_ALLOW) + if (*actions_logged & SECCOMP_LOG_ALLOW) return -EINVAL; - seccomp_actions_logged = actions_logged; + seccomp_actions_logged = *actions_logged; return 0; } +static void audit_actions_logged(u32 actions_logged, u32 old_actions_logged, + int ret) +{ + char names[sizeof(seccomp_actions_avail)]; + char old_names[sizeof(seccomp_actions_avail)]; + const char *new = names; + const char *old = old_names; + + if (!audit_enabled) + return; + + memset(names, 0, sizeof(names)); + memset(old_names, 0, sizeof(old_names)); + + if (ret) + new = "?"; + else if (!actions_logged) + new = "(none)"; + else if (!seccomp_names_from_actions_logged(names, sizeof(names), + actions_logged, ",")) + new = "?"; + + if (!old_actions_logged) + old = "(none)"; + else if (!seccomp_names_from_actions_logged(old_names, + sizeof(old_names), + old_actions_logged, ",")) + old = "?"; + + return audit_seccomp_actions_logged(new, old, !ret); +} + static int seccomp_actions_logged_handler(struct ctl_table *ro_table, int write, void __user *buffer, size_t *lenp, loff_t *ppos) { - if (write) - return write_actions_logged(ro_table, buffer, lenp, ppos); - else - return read_actions_logged(ro_table, buffer, lenp, ppos); + int ret; + + if (write) { + u32 actions_logged = 0; + u32 old_actions_logged = seccomp_actions_logged; + + ret = write_actions_logged(ro_table, buffer, lenp, ppos, + &actions_logged); + audit_actions_logged(actions_logged, old_actions_logged, ret); + } else + ret = read_actions_logged(ro_table, buffer, lenp, ppos); + + return ret; } static struct ctl_path seccomp_sysctl_path[] = { |