audit: Simplify and correct audit_log_capset

- Always report the current process as capset now always only works on
  the current process.  This prevents reporting 0 or a random pid in
  a random pid namespace.

- Don't bother to pass the pid as is available.

Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
(cherry picked from commit bcc85f0af31af123e32858069eb2ad8f39f90e67)
(cherry picked from commit f911cac4556a7a23e0b3ea850233d13b32328692)

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
[eparis: fix build error when audit disabled]
Signed-off-by: Eric Paris <eparis@redhat.com>

diff --git a/include/linux/audit.h b/include/linux/audit.h
index a40641954c296c3042c0e34f5c1ff170aee5cfa5..c9a66c6f13073bf48038c7b597804014a1f9610b 100644 (file)
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -220,7 +220,7 @@ extern void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat);
 extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm,
                                  const struct cred *new,
                                  const struct cred *old);
-extern void __audit_log_capset(pid_t pid, const struct cred *new, const struct cred *old);
+extern void __audit_log_capset(const struct cred *new, const struct cred *old);
 extern void __audit_mmap_fd(int fd, int flags);
 
 static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
@@ -285,11 +285,11 @@ static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm,
        return 0;
 }
 
-static inline void audit_log_capset(pid_t pid, const struct cred *new,
+static inline void audit_log_capset(const struct cred *new,
                                   const struct cred *old)
 {
        if (unlikely(!audit_dummy_context()))
-               __audit_log_capset(pid, new, old);
+               __audit_log_capset(new, old);
 }
 
 static inline void audit_mmap_fd(int fd, int flags)
@@ -397,8 +397,8 @@ static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm,
 {
        return 0;
 }
-static inline void audit_log_capset(pid_t pid, const struct cred *new,
-                                  const struct cred *old)
+static inline void audit_log_capset(const struct cred *new,
+                                   const struct cred *old)
 { }
 static inline void audit_mmap_fd(int fd, int flags)
 { }

diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 90594c9f755213232e5282899c8547cd5c61c823..df1e685809e1363218c09ccf5b87191d6f1ef976 100644 (file)
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2321,18 +2321,16 @@ int __audit_log_bprm_fcaps(struct linux_binprm *bprm,
 
 /**
  * __audit_log_capset - store information about the arguments to the capset syscall
- * @pid: target pid of the capset call
  * @new: the new credentials
  * @old: the old (current) credentials
  *
  * Record the aguments userspace sent to sys_capset for later printing by the
  * audit system if applicable
  */
-void __audit_log_capset(pid_t pid,
-                      const struct cred *new, const struct cred *old)
+void __audit_log_capset(const struct cred *new, const struct cred *old)
 {
        struct audit_context *context = current->audit_context;
-       context->capset.pid = pid;
+       context->capset.pid = task_pid_nr(current);
        context->capset.cap.effective   = new->cap_effective;
        context->capset.cap.inheritable = new->cap_effective;
        context->capset.cap.permitted   = new->cap_permitted;

diff --git a/kernel/capability.c b/kernel/capability.c
index 4e66bf9275b03edf3c62e0e350afc5248f2b00b8..34019c57888d4d093956b81963b557abd95103e9 100644 (file)
--- a/kernel/capability.c
+++ b/kernel/capability.c
@@ -277,7 +277,7 @@ SYSCALL_DEFINE2(capset, cap_user_header_t, header, const cap_user_data_t, data)
        if (ret < 0)
                goto error;
 
-       audit_log_capset(pid, new, current_cred());
+       audit_log_capset(new, current_cred());
 
        return commit_creds(new);