summaryrefslogtreecommitdiffstats
path: root/kernel/auditsc.c
diff options
context:
space:
mode:
authorLinus Torvalds <torvalds@linux-foundation.org>2019-03-07 15:20:11 -0500
committerLinus Torvalds <torvalds@linux-foundation.org>2019-03-07 15:20:11 -0500
commitbe37f21a08ce65c7632c7f45e1755a4b07f278a0 (patch)
tree5f61b71e21dd809ea558ad195d06b7ebd4fb49c5 /kernel/auditsc.c
parent3ac96c30ccfa802501dd2f4941e4508ea54b0b8a (diff)
parent131d34cb07957151c369366b158690057d2bce5e (diff)
Merge tag 'audit-pr-20190305' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit
Pull audit updates from Paul Moore: "A lucky 13 audit patches for v5.1. Despite the rather large diffstat, most of the changes are from two bug fix patches that move code from one Kconfig option to another. Beyond that bit of churn, the remaining changes are largely cleanups and bug-fixes as we slowly march towards container auditing. It isn't all boring though, we do have a couple of new things: file capabilities v3 support, and expanded support for filtering on filesystems to solve problems with remote filesystems. All changes pass the audit-testsuite. Please merge for v5.1" * tag 'audit-pr-20190305' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit: audit: mark expected switch fall-through audit: hide auditsc_get_stamp and audit_serial prototypes audit: join tty records to their syscall audit: remove audit_context when CONFIG_ AUDIT and not AUDITSYSCALL audit: remove unused actx param from audit_rule_match audit: ignore fcaps on umount audit: clean up AUDITSYSCALL prototypes and stubs audit: more filter PATH records keyed on filesystem magic audit: add support for fcaps v3 audit: move loginuid and sessionid from CONFIG_AUDITSYSCALL to CONFIG_AUDIT audit: add syscall information to CONFIG_CHANGE records audit: hand taken context to audit_kill_trees for syscall logging audit: give a clue what CONFIG_CHANGE op was involved
Diffstat (limited to 'kernel/auditsc.c')
-rw-r--r--kernel/auditsc.c320
1 files changed, 210 insertions, 110 deletions
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 6593a5207fb0..d1eab1d4a930 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -631,9 +631,8 @@ static int audit_filter_rules(struct task_struct *tsk,
631 need_sid = 0; 631 need_sid = 0;
632 } 632 }
633 result = security_audit_rule_match(sid, f->type, 633 result = security_audit_rule_match(sid, f->type,
634 f->op, 634 f->op,
635 f->lsm_rule, 635 f->lsm_rule);
636 ctx);
637 } 636 }
638 break; 637 break;
639 case AUDIT_OBJ_USER: 638 case AUDIT_OBJ_USER:
@@ -647,13 +646,17 @@ static int audit_filter_rules(struct task_struct *tsk,
647 /* Find files that match */ 646 /* Find files that match */
648 if (name) { 647 if (name) {
649 result = security_audit_rule_match( 648 result = security_audit_rule_match(
650 name->osid, f->type, f->op, 649 name->osid,
651 f->lsm_rule, ctx); 650 f->type,
651 f->op,
652 f->lsm_rule);
652 } else if (ctx) { 653 } else if (ctx) {
653 list_for_each_entry(n, &ctx->names_list, list) { 654 list_for_each_entry(n, &ctx->names_list, list) {
654 if (security_audit_rule_match(n->osid, f->type, 655 if (security_audit_rule_match(
655 f->op, f->lsm_rule, 656 n->osid,
656 ctx)) { 657 f->type,
658 f->op,
659 f->lsm_rule)) {
657 ++result; 660 ++result;
658 break; 661 break;
659 } 662 }
@@ -664,7 +667,7 @@ static int audit_filter_rules(struct task_struct *tsk,
664 break; 667 break;
665 if (security_audit_rule_match(ctx->ipc.osid, 668 if (security_audit_rule_match(ctx->ipc.osid,
666 f->type, f->op, 669 f->type, f->op,
667 f->lsm_rule, ctx)) 670 f->lsm_rule))
668 ++result; 671 ++result;
669 } 672 }
670 break; 673 break;
@@ -1136,6 +1139,32 @@ out:
1136 kfree(buf_head); 1139 kfree(buf_head);
1137} 1140}
1138 1141
1142void audit_log_cap(struct audit_buffer *ab, char *prefix, kernel_cap_t *cap)
1143{
1144 int i;
1145
1146 if (cap_isclear(*cap)) {
1147 audit_log_format(ab, " %s=0", prefix);
1148 return;
1149 }
1150 audit_log_format(ab, " %s=", prefix);
1151 CAP_FOR_EACH_U32(i)
1152 audit_log_format(ab, "%08x", cap->cap[CAP_LAST_U32 - i]);
1153}
1154
1155static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name)
1156{
1157 if (name->fcap_ver == -1) {
1158 audit_log_format(ab, " cap_fe=? cap_fver=? cap_fp=? cap_fi=?");
1159 return;
1160 }
1161 audit_log_cap(ab, "cap_fp", &name->fcap.permitted);
1162 audit_log_cap(ab, "cap_fi", &name->fcap.inheritable);
1163 audit_log_format(ab, " cap_fe=%d cap_fver=%x cap_frootid=%d",
1164 name->fcap.fE, name->fcap_ver,
1165 from_kuid(&init_user_ns, name->fcap.rootid));
1166}
1167
1139static void show_special(struct audit_context *context, int *call_panic) 1168static void show_special(struct audit_context *context, int *call_panic)
1140{ 1169{
1141 struct audit_buffer *ab; 1170 struct audit_buffer *ab;
@@ -1258,6 +1287,97 @@ static inline int audit_proctitle_rtrim(char *proctitle, int len)
1258 return len; 1287 return len;
1259} 1288}
1260 1289
1290/*
1291 * audit_log_name - produce AUDIT_PATH record from struct audit_names
1292 * @context: audit_context for the task
1293 * @n: audit_names structure with reportable details
1294 * @path: optional path to report instead of audit_names->name
1295 * @record_num: record number to report when handling a list of names
1296 * @call_panic: optional pointer to int that will be updated if secid fails
1297 */
1298static void audit_log_name(struct audit_context *context, struct audit_names *n,
1299 const struct path *path, int record_num, int *call_panic)
1300{
1301 struct audit_buffer *ab;
1302
1303 ab = audit_log_start(context, GFP_KERNEL, AUDIT_PATH);
1304 if (!ab)
1305 return;
1306
1307 audit_log_format(ab, "item=%d", record_num);
1308
1309 if (path)
1310 audit_log_d_path(ab, " name=", path);
1311 else if (n->name) {
1312 switch (n->name_len) {
1313 case AUDIT_NAME_FULL:
1314 /* log the full path */
1315 audit_log_format(ab, " name=");
1316 audit_log_untrustedstring(ab, n->name->name);
1317 break;
1318 case 0:
1319 /* name was specified as a relative path and the
1320 * directory component is the cwd
1321 */
1322 audit_log_d_path(ab, " name=", &context->pwd);
1323 break;
1324 default:
1325 /* log the name's directory component */
1326 audit_log_format(ab, " name=");
1327 audit_log_n_untrustedstring(ab, n->name->name,
1328 n->name_len);
1329 }
1330 } else
1331 audit_log_format(ab, " name=(null)");
1332
1333 if (n->ino != AUDIT_INO_UNSET)
1334 audit_log_format(ab, " inode=%lu dev=%02x:%02x mode=%#ho ouid=%u ogid=%u rdev=%02x:%02x",
1335 n->ino,
1336 MAJOR(n->dev),
1337 MINOR(n->dev),
1338 n->mode,
1339 from_kuid(&init_user_ns, n->uid),
1340 from_kgid(&init_user_ns, n->gid),
1341 MAJOR(n->rdev),
1342 MINOR(n->rdev));
1343 if (n->osid != 0) {
1344 char *ctx = NULL;
1345 u32 len;
1346
1347 if (security_secid_to_secctx(
1348 n->osid, &ctx, &len)) {
1349 audit_log_format(ab, " osid=%u", n->osid);
1350 if (call_panic)
1351 *call_panic = 2;
1352 } else {
1353 audit_log_format(ab, " obj=%s", ctx);
1354 security_release_secctx(ctx, len);
1355 }
1356 }
1357
1358 /* log the audit_names record type */
1359 switch (n->type) {
1360 case AUDIT_TYPE_NORMAL:
1361 audit_log_format(ab, " nametype=NORMAL");
1362 break;
1363 case AUDIT_TYPE_PARENT:
1364 audit_log_format(ab, " nametype=PARENT");
1365 break;
1366 case AUDIT_TYPE_CHILD_DELETE:
1367 audit_log_format(ab, " nametype=DELETE");
1368 break;
1369 case AUDIT_TYPE_CHILD_CREATE:
1370 audit_log_format(ab, " nametype=CREATE");
1371 break;
1372 default:
1373 audit_log_format(ab, " nametype=UNKNOWN");
1374 break;
1375 }
1376
1377 audit_log_fcaps(ab, n);
1378 audit_log_end(ab);
1379}
1380
1261static void audit_log_proctitle(void) 1381static void audit_log_proctitle(void)
1262{ 1382{
1263 int res; 1383 int res;
@@ -1358,6 +1478,9 @@ static void audit_log_exit(void)
1358 audit_log_cap(ab, "pi", &axs->new_pcap.inheritable); 1478 audit_log_cap(ab, "pi", &axs->new_pcap.inheritable);
1359 audit_log_cap(ab, "pe", &axs->new_pcap.effective); 1479 audit_log_cap(ab, "pe", &axs->new_pcap.effective);
1360 audit_log_cap(ab, "pa", &axs->new_pcap.ambient); 1480 audit_log_cap(ab, "pa", &axs->new_pcap.ambient);
1481 audit_log_format(ab, " frootid=%d",
1482 from_kuid(&init_user_ns,
1483 axs->fcap.rootid));
1361 break; } 1484 break; }
1362 1485
1363 } 1486 }
@@ -1444,6 +1567,9 @@ void __audit_free(struct task_struct *tsk)
1444 if (!context) 1567 if (!context)
1445 return; 1568 return;
1446 1569
1570 if (!list_empty(&context->killed_trees))
1571 audit_kill_trees(context);
1572
1447 /* We are called either by do_exit() or the fork() error handling code; 1573 /* We are called either by do_exit() or the fork() error handling code;
1448 * in the former case tsk == current and in the latter tsk is a 1574 * in the former case tsk == current and in the latter tsk is a
1449 * random task_struct that doesn't doesn't have any meaningful data we 1575 * random task_struct that doesn't doesn't have any meaningful data we
@@ -1460,9 +1586,6 @@ void __audit_free(struct task_struct *tsk)
1460 audit_log_exit(); 1586 audit_log_exit();
1461 } 1587 }
1462 1588
1463 if (!list_empty(&context->killed_trees))
1464 audit_kill_trees(&context->killed_trees);
1465
1466 audit_set_context(tsk, NULL); 1589 audit_set_context(tsk, NULL);
1467 audit_free_context(context); 1590 audit_free_context(context);
1468} 1591}
@@ -1537,6 +1660,9 @@ void __audit_syscall_exit(int success, long return_code)
1537 if (!context) 1660 if (!context)
1538 return; 1661 return;
1539 1662
1663 if (!list_empty(&context->killed_trees))
1664 audit_kill_trees(context);
1665
1540 if (!context->dummy && context->in_syscall) { 1666 if (!context->dummy && context->in_syscall) {
1541 if (success) 1667 if (success)
1542 context->return_valid = AUDITSC_SUCCESS; 1668 context->return_valid = AUDITSC_SUCCESS;
@@ -1571,9 +1697,6 @@ void __audit_syscall_exit(int success, long return_code)
1571 context->in_syscall = 0; 1697 context->in_syscall = 0;
1572 context->prio = context->state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0; 1698 context->prio = context->state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0;
1573 1699
1574 if (!list_empty(&context->killed_trees))
1575 audit_kill_trees(&context->killed_trees);
1576
1577 audit_free_names(context); 1700 audit_free_names(context);
1578 unroll_tree_refs(context, NULL, 0); 1701 unroll_tree_refs(context, NULL, 0);
1579 audit_free_aux(context); 1702 audit_free_aux(context);
@@ -1750,6 +1873,47 @@ void __audit_getname(struct filename *name)
1750 get_fs_pwd(current->fs, &context->pwd); 1873 get_fs_pwd(current->fs, &context->pwd);
1751} 1874}
1752 1875
1876static inline int audit_copy_fcaps(struct audit_names *name,
1877 const struct dentry *dentry)
1878{
1879 struct cpu_vfs_cap_data caps;
1880 int rc;
1881
1882 if (!dentry)
1883 return 0;
1884
1885 rc = get_vfs_caps_from_disk(dentry, &caps);
1886 if (rc)
1887 return rc;
1888
1889 name->fcap.permitted = caps.permitted;
1890 name->fcap.inheritable = caps.inheritable;
1891 name->fcap.fE = !!(caps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE);
1892 name->fcap.rootid = caps.rootid;
1893 name->fcap_ver = (caps.magic_etc & VFS_CAP_REVISION_MASK) >>
1894 VFS_CAP_REVISION_SHIFT;
1895
1896 return 0;
1897}
1898
1899/* Copy inode data into an audit_names. */
1900void audit_copy_inode(struct audit_names *name, const struct dentry *dentry,
1901 struct inode *inode, unsigned int flags)
1902{
1903 name->ino = inode->i_ino;
1904 name->dev = inode->i_sb->s_dev;
1905 name->mode = inode->i_mode;
1906 name->uid = inode->i_uid;
1907 name->gid = inode->i_gid;
1908 name->rdev = inode->i_rdev;
1909 security_inode_getsecid(inode, &name->osid);
1910 if (flags & AUDIT_INODE_NOEVAL) {
1911 name->fcap_ver = -1;
1912 return;
1913 }
1914 audit_copy_fcaps(name, dentry);
1915}
1916
1753/** 1917/**
1754 * __audit_inode - store the inode and device from a lookup 1918 * __audit_inode - store the inode and device from a lookup
1755 * @name: name being audited 1919 * @name: name being audited
@@ -1763,10 +1927,31 @@ void __audit_inode(struct filename *name, const struct dentry *dentry,
1763 struct inode *inode = d_backing_inode(dentry); 1927 struct inode *inode = d_backing_inode(dentry);
1764 struct audit_names *n; 1928 struct audit_names *n;
1765 bool parent = flags & AUDIT_INODE_PARENT; 1929 bool parent = flags & AUDIT_INODE_PARENT;
1930 struct audit_entry *e;
1931 struct list_head *list = &audit_filter_list[AUDIT_FILTER_FS];
1932 int i;
1766 1933
1767 if (!context->in_syscall) 1934 if (!context->in_syscall)
1768 return; 1935 return;
1769 1936
1937 rcu_read_lock();
1938 if (!list_empty(list)) {
1939 list_for_each_entry_rcu(e, list, list) {
1940 for (i = 0; i < e->rule.field_count; i++) {
1941 struct audit_field *f = &e->rule.fields[i];
1942
1943 if (f->type == AUDIT_FSTYPE
1944 && audit_comparator(inode->i_sb->s_magic,
1945 f->op, f->val)
1946 && e->rule.action == AUDIT_NEVER) {
1947 rcu_read_unlock();
1948 return;
1949 }
1950 }
1951 }
1952 }
1953 rcu_read_unlock();
1954
1770 if (!name) 1955 if (!name)
1771 goto out_alloc; 1956 goto out_alloc;
1772 1957
@@ -1832,7 +2017,7 @@ out:
1832 n->type = AUDIT_TYPE_NORMAL; 2017 n->type = AUDIT_TYPE_NORMAL;
1833 } 2018 }
1834 handle_path(dentry); 2019 handle_path(dentry);
1835 audit_copy_inode(n, dentry, inode); 2020 audit_copy_inode(n, dentry, inode, flags & AUDIT_INODE_NOEVAL);
1836} 2021}
1837 2022
1838void __audit_file(const struct file *file) 2023void __audit_file(const struct file *file)
@@ -1875,14 +2060,12 @@ void __audit_inode_child(struct inode *parent,
1875 for (i = 0; i < e->rule.field_count; i++) { 2060 for (i = 0; i < e->rule.field_count; i++) {
1876 struct audit_field *f = &e->rule.fields[i]; 2061 struct audit_field *f = &e->rule.fields[i];
1877 2062
1878 if (f->type == AUDIT_FSTYPE) { 2063 if (f->type == AUDIT_FSTYPE
1879 if (audit_comparator(parent->i_sb->s_magic, 2064 && audit_comparator(parent->i_sb->s_magic,
1880 f->op, f->val)) { 2065 f->op, f->val)
1881 if (e->rule.action == AUDIT_NEVER) { 2066 && e->rule.action == AUDIT_NEVER) {
1882 rcu_read_unlock(); 2067 rcu_read_unlock();
1883 return; 2068 return;
1884 }
1885 }
1886 } 2069 }
1887 } 2070 }
1888 } 2071 }
@@ -1933,7 +2116,7 @@ void __audit_inode_child(struct inode *parent,
1933 n = audit_alloc_name(context, AUDIT_TYPE_PARENT); 2116 n = audit_alloc_name(context, AUDIT_TYPE_PARENT);
1934 if (!n) 2117 if (!n)
1935 return; 2118 return;
1936 audit_copy_inode(n, NULL, parent); 2119 audit_copy_inode(n, NULL, parent, 0);
1937 } 2120 }
1938 2121
1939 if (!found_child) { 2122 if (!found_child) {
@@ -1952,7 +2135,7 @@ void __audit_inode_child(struct inode *parent,
1952 } 2135 }
1953 2136
1954 if (inode) 2137 if (inode)
1955 audit_copy_inode(found_child, dentry, inode); 2138 audit_copy_inode(found_child, dentry, inode, 0);
1956 else 2139 else
1957 found_child->ino = AUDIT_INO_UNSET; 2140 found_child->ino = AUDIT_INO_UNSET;
1958} 2141}
@@ -1983,90 +2166,6 @@ int auditsc_get_stamp(struct audit_context *ctx,
1983 return 1; 2166 return 1;
1984} 2167}
1985 2168
1986/* global counter which is incremented every time something logs in */
1987static atomic_t session_id = ATOMIC_INIT(0);
1988
1989static int audit_set_loginuid_perm(kuid_t loginuid)
1990{
1991 /* if we are unset, we don't need privs */
1992 if (!audit_loginuid_set(current))
1993 return 0;
1994 /* if AUDIT_FEATURE_LOGINUID_IMMUTABLE means never ever allow a change*/
1995 if (is_audit_feature_set(AUDIT_FEATURE_LOGINUID_IMMUTABLE))
1996 return -EPERM;
1997 /* it is set, you need permission */
1998 if (!capable(CAP_AUDIT_CONTROL))
1999 return -EPERM;
2000 /* reject if this is not an unset and we don't allow that */
2001 if (is_audit_feature_set(AUDIT_FEATURE_ONLY_UNSET_LOGINUID) && uid_valid(loginuid))
2002 return -EPERM;
2003 return 0;
2004}
2005
2006static void audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid,
2007 unsigned int oldsessionid, unsigned int sessionid,
2008 int rc)
2009{
2010 struct audit_buffer *ab;
2011 uid_t uid, oldloginuid, loginuid;
2012 struct tty_struct *tty;
2013
2014 if (!audit_enabled)
2015 return;
2016
2017 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN);
2018 if (!ab)
2019 return;
2020
2021 uid = from_kuid(&init_user_ns, task_uid(current));
2022 oldloginuid = from_kuid(&init_user_ns, koldloginuid);
2023 loginuid = from_kuid(&init_user_ns, kloginuid),
2024 tty = audit_get_tty();
2025
2026 audit_log_format(ab, "pid=%d uid=%u", task_tgid_nr(current), uid);
2027 audit_log_task_context(ab);
2028 audit_log_format(ab, " old-auid=%u auid=%u tty=%s old-ses=%u ses=%u res=%d",
2029 oldloginuid, loginuid, tty ? tty_name(tty) : "(none)",
2030 oldsessionid, sessionid, !rc);
2031 audit_put_tty(tty);
2032 audit_log_end(ab);
2033}
2034
2035/**
2036 * audit_set_loginuid - set current task's audit_context loginuid
2037 * @loginuid: loginuid value
2038 *
2039 * Returns 0.
2040 *
2041 * Called (set) from fs/proc/base.c::proc_loginuid_write().
2042 */
2043int audit_set_loginuid(kuid_t loginuid)
2044{
2045 unsigned int oldsessionid, sessionid = AUDIT_SID_UNSET;
2046 kuid_t oldloginuid;
2047 int rc;
2048
2049 oldloginuid = audit_get_loginuid(current);
2050 oldsessionid = audit_get_sessionid(current);
2051
2052 rc = audit_set_loginuid_perm(loginuid);
2053 if (rc)
2054 goto out;
2055
2056 /* are we setting or clearing? */
2057 if (uid_valid(loginuid)) {
2058 sessionid = (unsigned int)atomic_inc_return(&session_id);
2059 if (unlikely(sessionid == AUDIT_SID_UNSET))
2060 sessionid = (unsigned int)atomic_inc_return(&session_id);
2061 }
2062
2063 current->sessionid = sessionid;
2064 current->loginuid = loginuid;
2065out:
2066 audit_log_set_loginuid(oldloginuid, loginuid, oldsessionid, sessionid, rc);
2067 return rc;
2068}
2069
2070/** 2169/**
2071 * __audit_mq_open - record audit data for a POSIX MQ open 2170 * __audit_mq_open - record audit data for a POSIX MQ open
2072 * @oflag: open flag 2171 * @oflag: open flag
@@ -2355,6 +2454,7 @@ int __audit_log_bprm_fcaps(struct linux_binprm *bprm,
2355 ax->fcap.permitted = vcaps.permitted; 2454 ax->fcap.permitted = vcaps.permitted;
2356 ax->fcap.inheritable = vcaps.inheritable; 2455 ax->fcap.inheritable = vcaps.inheritable;
2357 ax->fcap.fE = !!(vcaps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE); 2456 ax->fcap.fE = !!(vcaps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE);
2457 ax->fcap.rootid = vcaps.rootid;
2358 ax->fcap_ver = (vcaps.magic_etc & VFS_CAP_REVISION_MASK) >> VFS_CAP_REVISION_SHIFT; 2458 ax->fcap_ver = (vcaps.magic_etc & VFS_CAP_REVISION_MASK) >> VFS_CAP_REVISION_SHIFT;
2359 2459
2360 ax->old_pcap.permitted = old->cap_permitted; 2460 ax->old_pcap.permitted = old->cap_permitted;
generated by cgit v1.2.2 (git 2.25.0) at 2025-09-10 17:17:18 -0400