author | David Vrabel <david.vrabel@citrix.com> | 2014-04-07 08:52:12 -0400 |
---|---|---|
committer | David Vrabel <david.vrabel@citrix.com> | 2014-04-07 08:52:12 -0400 |
commit | 2c5cb2770392fb9c5d8518688c8bc61986d70dc6 (patch) | |
tree | b19210e709de6ee0d22b67ef605a569500cf1a18 /kernel/audit.c | |
parent | cd979883b9ede90643e019f33cb317933eb867b4 (diff) | |
parent | 683b6c6f82a60fabf47012581c2cfbf1b037ab95 (diff) |
Merge commit '683b6c6f82a60fabf47012581c2cfbf1b037ab95' into stable/for-linus-3.15
This merge of the irq-core-for-linus branch broke the ARM build when
Xen is enabled.
Conflicts:
drivers/xen/events/events_base.c
Diffstat (limited to 'kernel/audit.c')
-rw-r--r-- | kernel/audit.c | 43 |
1 files changed, 27 insertions, 16 deletions
diff --git a/kernel/audit.c b/kernel/audit.c index 34c5a2310fbf..95a20f3f52f1 100644 --- a/kernel/audit.c +++ b/kernel/audit.c | |||
@@ -182,7 +182,7 @@ struct audit_buffer { | |||
182 | 182 | ||
183 | struct audit_reply { | 183 | struct audit_reply { |
184 | __u32 portid; | 184 | __u32 portid; |
185 | pid_t pid; | 185 | struct net *net; |
186 | struct sk_buff *skb; | 186 | struct sk_buff *skb; |
187 | }; | 187 | }; |
188 | 188 | ||
@@ -500,7 +500,7 @@ int audit_send_list(void *_dest) | |||
500 | { | 500 | { |
501 | struct audit_netlink_list *dest = _dest; | 501 | struct audit_netlink_list *dest = _dest; |
502 | struct sk_buff *skb; | 502 | struct sk_buff *skb; |
503 | struct net *net = get_net_ns_by_pid(dest->pid); | 503 | struct net *net = dest->net; |
504 | struct audit_net *aunet = net_generic(net, audit_net_id); | 504 | struct audit_net *aunet = net_generic(net, audit_net_id); |
505 | 505 | ||
506 | /* wait for parent to finish and send an ACK */ | 506 | /* wait for parent to finish and send an ACK */ |
@@ -510,6 +510,7 @@ int audit_send_list(void *_dest) | |||
510 | while ((skb = __skb_dequeue(&dest->q)) != NULL) | 510 | while ((skb = __skb_dequeue(&dest->q)) != NULL) |
511 | netlink_unicast(aunet->nlsk, skb, dest->portid, 0); | 511 | netlink_unicast(aunet->nlsk, skb, dest->portid, 0); |
512 | 512 | ||
513 | put_net(net); | ||
513 | kfree(dest); | 514 | kfree(dest); |
514 | 515 | ||
515 | return 0; | 516 | return 0; |
@@ -543,7 +544,7 @@ out_kfree_skb: | |||
543 | static int audit_send_reply_thread(void *arg) | 544 | static int audit_send_reply_thread(void *arg) |
544 | { | 545 | { |
545 | struct audit_reply *reply = (struct audit_reply *)arg; | 546 | struct audit_reply *reply = (struct audit_reply *)arg; |
546 | struct net *net = get_net_ns_by_pid(reply->pid); | 547 | struct net *net = reply->net; |
547 | struct audit_net *aunet = net_generic(net, audit_net_id); | 548 | struct audit_net *aunet = net_generic(net, audit_net_id); |
548 | 549 | ||
549 | mutex_lock(&audit_cmd_mutex); | 550 | mutex_lock(&audit_cmd_mutex); |
@@ -552,12 +553,13 @@ static int audit_send_reply_thread(void *arg) | |||
552 | /* Ignore failure. It'll only happen if the sender goes away, | 553 | /* Ignore failure. It'll only happen if the sender goes away, |
553 | because our timeout is set to infinite. */ | 554 | because our timeout is set to infinite. */ |
554 | netlink_unicast(aunet->nlsk , reply->skb, reply->portid, 0); | 555 | netlink_unicast(aunet->nlsk , reply->skb, reply->portid, 0); |
556 | put_net(net); | ||
555 | kfree(reply); | 557 | kfree(reply); |
556 | return 0; | 558 | return 0; |
557 | } | 559 | } |
558 | /** | 560 | /** |
559 | * audit_send_reply - send an audit reply message via netlink | 561 | * audit_send_reply - send an audit reply message via netlink |
560 | * @portid: netlink port to which to send reply | 562 | * @request_skb: skb of request we are replying to (used to target the reply) |
561 | * @seq: sequence number | 563 | * @seq: sequence number |
562 | * @type: audit message type | 564 | * @type: audit message type |
563 | * @done: done (last) flag | 565 | * @done: done (last) flag |
@@ -568,9 +570,11 @@ static int audit_send_reply_thread(void *arg) | |||
568 | * Allocates an skb, builds the netlink message, and sends it to the port id. | 570 | * Allocates an skb, builds the netlink message, and sends it to the port id. |
569 | * No failure notifications. | 571 | * No failure notifications. |
570 | */ | 572 | */ |
571 | static void audit_send_reply(__u32 portid, int seq, int type, int done, | 573 | static void audit_send_reply(struct sk_buff *request_skb, int seq, int type, int done, |
572 | int multi, const void *payload, int size) | 574 | int multi, const void *payload, int size) |
573 | { | 575 | { |
576 | u32 portid = NETLINK_CB(request_skb).portid; | ||
577 | struct net *net = sock_net(NETLINK_CB(request_skb).sk); | ||
574 | struct sk_buff *skb; | 578 | struct sk_buff *skb; |
575 | struct task_struct *tsk; | 579 | struct task_struct *tsk; |
576 | struct audit_reply *reply = kmalloc(sizeof(struct audit_reply), | 580 | struct audit_reply *reply = kmalloc(sizeof(struct audit_reply), |
@@ -583,8 +587,8 @@ static void audit_send_reply(__u32 portid, int seq, int type, int done, | |||
583 | if (!skb) | 587 | if (!skb) |
584 | goto out; | 588 | goto out; |
585 | 589 | ||
590 | reply->net = get_net(net); | ||
586 | reply->portid = portid; | 591 | reply->portid = portid; |
587 | reply->pid = task_pid_vnr(current); | ||
588 | reply->skb = skb; | 592 | reply->skb = skb; |
589 | 593 | ||
590 | tsk = kthread_run(audit_send_reply_thread, reply, "audit_send_reply"); | 594 | tsk = kthread_run(audit_send_reply_thread, reply, "audit_send_reply"); |
@@ -604,9 +608,19 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type) | |||
604 | int err = 0; | 608 | int err = 0; |
605 | 609 | ||
606 | /* Only support the initial namespaces for now. */ | 610 | /* Only support the initial namespaces for now. */ |
611 | /* | ||
612 | * We return ECONNREFUSED because it tricks userspace into thinking | ||
613 | * that audit was not configured into the kernel. Lots of users | ||
614 | * configure their PAM stack (because that's what the distro does) | ||
615 | * to reject login if unable to send messages to audit. If we return | ||
616 | * ECONNREFUSED the PAM stack thinks the kernel does not have audit | ||
617 | * configured in and will let login proceed. If we return EPERM | ||
618 | * userspace will reject all logins. This should be removed when we | ||
619 | * support non init namespaces!! | ||
620 | */ | ||
607 | if ((current_user_ns() != &init_user_ns) || | 621 | if ((current_user_ns() != &init_user_ns) || |
608 | (task_active_pid_ns(current) != &init_pid_ns)) | 622 | (task_active_pid_ns(current) != &init_pid_ns)) |
609 | return -EPERM; | 623 | return -ECONNREFUSED; |
610 | 624 | ||
611 | switch (msg_type) { | 625 | switch (msg_type) { |
612 | case AUDIT_LIST: | 626 | case AUDIT_LIST: |
@@ -673,8 +687,7 @@ static int audit_get_feature(struct sk_buff *skb) | |||
673 | 687 | ||
674 | seq = nlmsg_hdr(skb)->nlmsg_seq; | 688 | seq = nlmsg_hdr(skb)->nlmsg_seq; |
675 | 689 | ||
676 | audit_send_reply(NETLINK_CB(skb).portid, seq, AUDIT_GET, 0, 0, | 690 | audit_send_reply(skb, seq, AUDIT_GET, 0, 0, &af, sizeof(af)); |
677 | &af, sizeof(af)); | ||
678 | 691 | ||
679 | return 0; | 692 | return 0; |
680 | } | 693 | } |
@@ -794,8 +807,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) | |||
794 | s.backlog = skb_queue_len(&audit_skb_queue); | 807 | s.backlog = skb_queue_len(&audit_skb_queue); |
795 | s.version = AUDIT_VERSION_LATEST; | 808 | s.version = AUDIT_VERSION_LATEST; |
796 | s.backlog_wait_time = audit_backlog_wait_time; | 809 | s.backlog_wait_time = audit_backlog_wait_time; |
797 | audit_send_reply(NETLINK_CB(skb).portid, seq, AUDIT_GET, 0, 0, | 810 | audit_send_reply(skb, seq, AUDIT_GET, 0, 0, &s, sizeof(s)); |
798 | &s, sizeof(s)); | ||
799 | break; | 811 | break; |
800 | } | 812 | } |
801 | case AUDIT_SET: { | 813 | case AUDIT_SET: { |
@@ -905,7 +917,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) | |||
905 | seq, data, nlmsg_len(nlh)); | 917 | seq, data, nlmsg_len(nlh)); |
906 | break; | 918 | break; |
907 | case AUDIT_LIST_RULES: | 919 | case AUDIT_LIST_RULES: |
908 | err = audit_list_rules_send(NETLINK_CB(skb).portid, seq); | 920 | err = audit_list_rules_send(skb, seq); |
909 | break; | 921 | break; |
910 | case AUDIT_TRIM: | 922 | case AUDIT_TRIM: |
911 | audit_trim_trees(); | 923 | audit_trim_trees(); |
@@ -970,8 +982,8 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) | |||
970 | memcpy(sig_data->ctx, ctx, len); | 982 | memcpy(sig_data->ctx, ctx, len); |
971 | security_release_secctx(ctx, len); | 983 | security_release_secctx(ctx, len); |
972 | } | 984 | } |
973 | audit_send_reply(NETLINK_CB(skb).portid, seq, AUDIT_SIGNAL_INFO, | 985 | audit_send_reply(skb, seq, AUDIT_SIGNAL_INFO, 0, 0, |
974 | 0, 0, sig_data, sizeof(*sig_data) + len); | 986 | sig_data, sizeof(*sig_data) + len); |
975 | kfree(sig_data); | 987 | kfree(sig_data); |
976 | break; | 988 | break; |
977 | case AUDIT_TTY_GET: { | 989 | case AUDIT_TTY_GET: { |
@@ -983,8 +995,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) | |||
983 | s.log_passwd = tsk->signal->audit_tty_log_passwd; | 995 | s.log_passwd = tsk->signal->audit_tty_log_passwd; |
984 | spin_unlock(&tsk->sighand->siglock); | 996 | spin_unlock(&tsk->sighand->siglock); |
985 | 997 | ||
986 | audit_send_reply(NETLINK_CB(skb).portid, seq, | 998 | audit_send_reply(skb, seq, AUDIT_TTY_GET, 0, 0, &s, sizeof(s)); |
987 | AUDIT_TTY_GET, 0, 0, &s, sizeof(s)); | ||
988 | break; | 999 | break; |
989 | } | 1000 | } |
990 | case AUDIT_TTY_SET: { | 1001 | case AUDIT_TTY_SET: { |
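Review bot: The reference taken by `reply->net = get_net(net);` at new line 590 of audit_send_reply is released only inside audit_send_reply_thread (new line 556), and the kthread_run failure path after new line 594 lies outside the hunk; if that path is still just `kfree_skb(skb); out: kfree(reply);`, a failed thread creation leaks a reference to the requester's network namespace and pins it for the life of the system. Dropping the reference there, e.g. `put_net(reply->net);` immediately before `kfree_skb(skb);`, closes the gap. Because the namespace reference now outlives the request and is handed to a separate thread, a comment on the new `net` member of struct audit_reply such as `/* get_net() ref taken by audit_send_reply(); released by audit_send_reply_thread() */` would make the ownership transfer explicit. The same handoff pattern is consumed in audit_send_list (new lines 503 and 513) via dest->net, whose producer is presumably audit_list_rules_send and is not part of this diff, so the matching get_net() there cannot be checked here.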