Linux Kernel Architecture

Chapter 19: Auditing


If this is the case, copy_process (i.e., originating from the fork system call) is the place where
audit_alloc is called to allocate a new instance of struct audit_context. Figure 19-7 shows the code
flow diagram for audit_context.


[Figure 19-7 (code flow diagram): audit_alloc -> audit_filter_task -> filter result AUDIT_DISABLED? finish without allocation -> audit_alloc_context -> preserve login ID -> set TIF_SYSCALL_AUDIT]
Figure 19-7: Code flow diagram for audit_context.

First, audit_filter_task determines if system call auditing needs to be activated for the present task.
If the audit system is disabled completely, not even this needs to take place, so audit_alloc is left
immediately. The function applies the registered filters of type AUDIT_FILTER_TASK. If the verdict is
AUDIT_DISABLED, audit_alloc can return immediately without allocating an instance of audit_context
because no system call auditing is required (the rest of the audit code can check this easily; the
audit_context element of task_struct remains a NULL pointer in this case).


If system call auditing is desired, audit_alloc_context allocates a new instance of audit_context. The
routine prepares the instance with state set to the state given by the filter operation.


Finally, the kernel preserves the login UID of the currently running task (this is necessary to create audit
trails where the login UID is preserved over forks), as follows:


kernel/auditsc.c
int audit_alloc(struct task_struct *tsk)
{
        ...
        /* Preserve login uid */
        context->loginuid = -1;
        if (current->audit_context)
                context->loginuid = current->audit_context->loginuid;

        tsk->audit_context = context;
        set_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT);
        return 0;
}

Additionally, the TIF_SYSCALL_AUDIT flag is set in the instance of task_struct that belongs to the
process. This is necessary for the low-level interrupt processing code to call the auditing functions at
interrupt entry and exit; otherwise, this step will be skipped for performance reasons.


Note that the call to audit_alloc originates from processing fork system calls, so the decision about
whether system call auditing needs to be enabled or not is made whenever a process creates a duplicate
of itself. This ensures that the check is performed for every task in the system.
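The following user-space model is an added illustration of the audit_alloc path described above; it is neither the book's nor the kernel's code. The structures, the single AUDIT_FILTER_TASK rule (tasks named "noaudit" get the AUDIT_DISABLED verdict), the task names and the login UID 1000 are all constructed for the example; it traces one fork chain to show which descendants end up with a context, the TIF_SYSCALL_AUDIT flag, and an inherited or unset login UID.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>
enum audit_state { AUDIT_DISABLED, AUDIT_BUILD_CONTEXT };
#define AUDIT_UID_UNSET ((unsigned int)-1)  /* the snippet's loginuid = -1 */
#define TIF_SYSCALL_AUDIT (1u << 0)         /* modelled as one bit in flags */
struct audit_context { enum audit_state state; unsigned int loginuid; };
struct task_struct { const char *comm; unsigned int flags;
                     struct audit_context *audit_context; };

/* Stand-in for audit_filter_task(): a single constructed AUDIT_FILTER_TASK
 * rule whose verdict disables auditing for tasks named "noaudit". */
static enum audit_state audit_filter_task(const struct task_struct *tsk)
{
    return !strcmp(tsk->comm, "noaudit") ? AUDIT_DISABLED : AUDIT_BUILD_CONTEXT;
}
/* Models audit_alloc(): cur is the forking task (current), tsk the freshly
 * copied child that copy_process() is setting up. */
int audit_alloc(const struct task_struct *cur, struct task_struct *tsk)
{
    enum audit_state state = audit_filter_task(tsk);
    struct audit_context *context;
    if (state == AUDIT_DISABLED)        /* no syscall auditing: stays NULL */
        return 0;
    if (!(context = calloc(1, sizeof(*context))))
        return -ENOMEM;
    context->state = state;
    /* Preserve login uid: inherited only when the parent has a context */
    context->loginuid = AUDIT_UID_UNSET;
    if (cur->audit_context)
        context->loginuid = cur->audit_context->loginuid;
    tsk->audit_context = context;
    tsk->flags |= TIF_SYSCALL_AUDIT;
    return 0;
}
/* Constructed fork chain login (loginuid 1000) -> sh -> noaudit -> child.
 * Returns whether the task at depth d (0..3) carries TIF_SYSCALL_AUDIT and
 * stores its loginuid (AUDIT_UID_UNSET if it has no context) in *uid. */
int chain_probe(int d, unsigned int *uid)
{
    static struct audit_context login_ctx = { AUDIT_BUILD_CONTEXT, 1000 };
    struct task_struct t[4] = { { "login", TIF_SYSCALL_AUDIT, &login_ctx },
        { "sh", 0, NULL }, { "noaudit", 0, NULL }, { "child", 0, NULL } };
    for (int i = 1; i < 4; i++) audit_alloc(&t[i - 1], &t[i]);
    *uid = t[d].audit_context ? t[d].audit_context->loginuid : AUDIT_UID_UNSET;
    for (int i = 1; i < 4; i++) free(t[i].audit_context);
    return (t[d].flags & TIF_SYSCALL_AUDIT) != 0;
}
unsigned int chain_loginuid(int d) { unsigned int u; chain_probe(d, &u); return u; }
```

Under this model the task filtered out at fork time keeps a NULL audit_context, and its own children are audited again but start with an unset login UID, which is why the text stresses that the decision is taken on every fork.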
