aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--kernel/auditsc.c332
1 files changed, 164 insertions, 168 deletions
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index aa3feec4df14..c65af21a12d6 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -73,6 +73,7 @@
73#include <linux/compat.h> 73#include <linux/compat.h>
74#include <linux/ctype.h> 74#include <linux/ctype.h>
75#include <linux/string.h> 75#include <linux/string.h>
76#include <linux/uaccess.h>
76#include <uapi/linux/limits.h> 77#include <uapi/linux/limits.h>
77 78
78#include "audit.h" 79#include "audit.h"
@@ -82,7 +83,8 @@
82#define AUDITSC_SUCCESS 1 83#define AUDITSC_SUCCESS 1
83#define AUDITSC_FAILURE 2 84#define AUDITSC_FAILURE 2
84 85
85/* no execve audit message should be longer than this (userspace limits) */ 86/* no execve audit message should be longer than this (userspace limits),
87 * see the note near the top of audit_log_execve_info() about this value */
86#define MAX_EXECVE_AUDIT_LEN 7500 88#define MAX_EXECVE_AUDIT_LEN 7500
87 89
88/* max length to print of cmdline/proctitle value during audit */ 90/* max length to print of cmdline/proctitle value during audit */
@@ -992,184 +994,178 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
992 return rc; 994 return rc;
993} 995}
994 996
995/* 997static void audit_log_execve_info(struct audit_context *context,
996 * to_send and len_sent accounting are very loose estimates. We aren't 998 struct audit_buffer **ab)
997 * really worried about a hard cap to MAX_EXECVE_AUDIT_LEN so much as being
998 * within about 500 bytes (next page boundary)
999 *
1000 * why snprintf? an int is up to 12 digits long. if we just assumed when
1001 * logging that a[%d]= was going to be 16 characters long we would be wasting
1002 * space in every audit message. In one 7500 byte message we can log up to
1003 * about 1000 min size arguments. That comes down to about 50% waste of space
1004 * if we didn't do the snprintf to find out how long arg_num_len was.
1005 */
1006static int audit_log_single_execve_arg(struct audit_context *context,
1007 struct audit_buffer **ab,
1008 int arg_num,
1009 size_t *len_sent,
1010 const char __user *p,
1011 char *buf)
1012{ 999{
1013 char arg_num_len_buf[12]; 1000 long len_max;
1014 const char __user *tmp_p = p; 1001 long len_rem;
1015 /* how many digits are in arg_num? 5 is the length of ' a=""' */ 1002 long len_full;
1016 size_t arg_num_len = snprintf(arg_num_len_buf, 12, "%d", arg_num) + 5; 1003 long len_buf;
1017 size_t len, len_left, to_send; 1004 long len_abuf;
1018 size_t max_execve_audit_len = MAX_EXECVE_AUDIT_LEN; 1005 long len_tmp;
1019 unsigned int i, has_cntl = 0, too_long = 0; 1006 bool require_data;
1020 int ret; 1007 bool encode;
1021 1008 unsigned int iter;
1022 /* strnlen_user includes the null we don't want to send */ 1009 unsigned int arg;
1023 len_left = len = strnlen_user(p, MAX_ARG_STRLEN) - 1; 1010 char *buf_head;
1024 1011 char *buf;
1025 /* 1012 const char __user *p = (const char __user *)current->mm->arg_start;
1026 * We just created this mm, if we can't find the strings 1013
1027 * we just copied into it something is _very_ wrong. Similar 1014 /* NOTE: this buffer needs to be large enough to hold all the non-arg
1028 * for strings that are too long, we should not have created 1015 * data we put in the audit record for this argument (see the
1029 * any. 1016 * code below) ... at this point in time 96 is plenty */
1030 */ 1017 char abuf[96];
1031 if (WARN_ON_ONCE(len < 0 || len > MAX_ARG_STRLEN - 1)) { 1018
1032 send_sig(SIGKILL, current, 0); 1019 /* NOTE: we set MAX_EXECVE_AUDIT_LEN to a rather arbitrary limit, the
1033 return -1; 1020 * current value of 7500 is not as important as the fact that it
1021 * is less than 8k, a setting of 7500 gives us plenty of wiggle
1022 * room if we go over a little bit in the logging below */
1023 WARN_ON_ONCE(MAX_EXECVE_AUDIT_LEN > 7500);
1024 len_max = MAX_EXECVE_AUDIT_LEN;
1025
1026 /* scratch buffer to hold the userspace args */
1027 buf_head = kmalloc(MAX_EXECVE_AUDIT_LEN + 1, GFP_KERNEL);
1028 if (!buf_head) {
1029 audit_panic("out of memory for argv string");
1030 return;
1034 } 1031 }
1032 buf = buf_head;
1035 1033
1036 /* walk the whole argument looking for non-ascii chars */ 1034 audit_log_format(*ab, "argc=%d", context->execve.argc);
1035
1036 len_rem = len_max;
1037 len_buf = 0;
1038 len_full = 0;
1039 require_data = true;
1040 encode = false;
1041 iter = 0;
1042 arg = 0;
1037 do { 1043 do {
1038 if (len_left > MAX_EXECVE_AUDIT_LEN) 1044 /* NOTE: we don't ever want to trust this value for anything
1039 to_send = MAX_EXECVE_AUDIT_LEN; 1045 * serious, but the audit record format insists we
1040 else 1046 * provide an argument length for really long arguments,
1041 to_send = len_left; 1047 * e.g. > MAX_EXECVE_AUDIT_LEN, so we have no choice but
1042 ret = copy_from_user(buf, tmp_p, to_send); 1048 * to use strncpy_from_user() to obtain this value for
1043 /* 1049 * recording in the log, although we don't use it
1044 * There is no reason for this copy to be short. We just 1050 * anywhere here to avoid a double-fetch problem */
1045 * copied them here, and the mm hasn't been exposed to user- 1051 if (len_full == 0)
1046 * space yet. 1052 len_full = strnlen_user(p, MAX_ARG_STRLEN) - 1;
1047 */ 1053
1048 if (ret) { 1054 /* read more data from userspace */
1049 WARN_ON(1); 1055 if (require_data) {
1050 send_sig(SIGKILL, current, 0); 1056 /* can we make more room in the buffer? */
1051 return -1; 1057 if (buf != buf_head) {
1052 } 1058 memmove(buf_head, buf, len_buf);
1053 buf[to_send] = '\0'; 1059 buf = buf_head;
1054 has_cntl = audit_string_contains_control(buf, to_send); 1060 }
1055 if (has_cntl) { 1061
1056 /* 1062 /* fetch as much as we can of the argument */
1057 * hex messages get logged as 2 bytes, so we can only 1063 len_tmp = strncpy_from_user(&buf_head[len_buf], p,
1058 * send half as much in each message 1064 len_max - len_buf);
1059 */ 1065 if (len_tmp == -EFAULT) {
1060 max_execve_audit_len = MAX_EXECVE_AUDIT_LEN / 2; 1066 /* unable to copy from userspace */
1061 break; 1067 send_sig(SIGKILL, current, 0);
1062 } 1068 goto out;
1063 len_left -= to_send; 1069 } else if (len_tmp == (len_max - len_buf)) {
1064 tmp_p += to_send; 1070 /* buffer is not large enough */
1065 } while (len_left > 0); 1071 require_data = true;
1066 1072 /* NOTE: if we are going to span multiple
1067 len_left = len; 1073 * buffers force the encoding so we stand
1068 1074 * a chance at a sane len_full value and
1069 if (len > max_execve_audit_len) 1075 * consistent record encoding */
1070 too_long = 1; 1076 encode = true;
1071 1077 len_full = len_full * 2;
1072 /* rewalk the argument actually logging the message */ 1078 p += len_tmp;
1073 for (i = 0; len_left > 0; i++) { 1079 } else {
1074 int room_left; 1080 require_data = false;
1075 1081 if (!encode)
1076 if (len_left > max_execve_audit_len) 1082 encode = audit_string_contains_control(
1077 to_send = max_execve_audit_len; 1083 buf, len_tmp);
1078 else 1084 /* try to use a trusted value for len_full */
1079 to_send = len_left; 1085 if (len_full < len_max)
1080 1086 len_full = (encode ?
1081 /* do we have space left to send this argument in this ab? */ 1087 len_tmp * 2 : len_tmp);
1082 room_left = MAX_EXECVE_AUDIT_LEN - arg_num_len - *len_sent; 1088 p += len_tmp + 1;
1083 if (has_cntl) 1089 }
1084 room_left -= (to_send * 2); 1090 len_buf += len_tmp;
1085 else 1091 buf_head[len_buf] = '\0';
1086 room_left -= to_send;
1087 if (room_left < 0) {
1088 *len_sent = 0;
1089 audit_log_end(*ab);
1090 *ab = audit_log_start(context, GFP_KERNEL, AUDIT_EXECVE);
1091 if (!*ab)
1092 return 0;
1093 }
1094 1092
1095 /* 1093 /* length of the buffer in the audit record? */
1096 * first record needs to say how long the original string was 1094 len_abuf = (encode ? len_buf * 2 : len_buf + 2);
1097 * so we can be sure nothing was lost.
1098 */
1099 if ((i == 0) && (too_long))
1100 audit_log_format(*ab, " a%d_len=%zu", arg_num,
1101 has_cntl ? 2*len : len);
1102
1103 /*
1104 * normally arguments are small enough to fit and we already
1105 * filled buf above when we checked for control characters
1106 * so don't bother with another copy_from_user
1107 */
1108 if (len >= max_execve_audit_len)
1109 ret = copy_from_user(buf, p, to_send);
1110 else
1111 ret = 0;
1112 if (ret) {
1113 WARN_ON(1);
1114 send_sig(SIGKILL, current, 0);
1115 return -1;
1116 } 1095 }
1117 buf[to_send] = '\0';
1118
1119 /* actually log it */
1120 audit_log_format(*ab, " a%d", arg_num);
1121 if (too_long)
1122 audit_log_format(*ab, "[%d]", i);
1123 audit_log_format(*ab, "=");
1124 if (has_cntl)
1125 audit_log_n_hex(*ab, buf, to_send);
1126 else
1127 audit_log_string(*ab, buf);
1128
1129 p += to_send;
1130 len_left -= to_send;
1131 *len_sent += arg_num_len;
1132 if (has_cntl)
1133 *len_sent += to_send * 2;
1134 else
1135 *len_sent += to_send;
1136 }
1137 /* include the null we didn't log */
1138 return len + 1;
1139}
1140 1096
1141static void audit_log_execve_info(struct audit_context *context, 1097 /* write as much as we can to the audit log */
1142 struct audit_buffer **ab) 1098 if (len_buf > 0) {
1143{ 1099 /* NOTE: some magic numbers here - basically if we
1144 int i, len; 1100 * can't fit a reasonable amount of data into the
1145 size_t len_sent = 0; 1101 * existing audit buffer, flush it and start with
1146 const char __user *p; 1102 * a new buffer */
1147 char *buf; 1103 if ((sizeof(abuf) + 8) > len_rem) {
1104 len_rem = len_max;
1105 audit_log_end(*ab);
1106 *ab = audit_log_start(context,
1107 GFP_KERNEL, AUDIT_EXECVE);
1108 if (!*ab)
1109 goto out;
1110 }
1148 1111
1149 p = (const char __user *)current->mm->arg_start; 1112 /* create the non-arg portion of the arg record */
1113 len_tmp = 0;
1114 if (require_data || (iter > 0) ||
1115 ((len_abuf + sizeof(abuf)) > len_rem)) {
1116 if (iter == 0) {
1117 len_tmp += snprintf(&abuf[len_tmp],
1118 sizeof(abuf) - len_tmp,
1119 " a%d_len=%lu",
1120 arg, len_full);
1121 }
1122 len_tmp += snprintf(&abuf[len_tmp],
1123 sizeof(abuf) - len_tmp,
1124 " a%d[%d]=", arg, iter++);
1125 } else
1126 len_tmp += snprintf(&abuf[len_tmp],
1127 sizeof(abuf) - len_tmp,
1128 " a%d=", arg);
1129 WARN_ON(len_tmp >= sizeof(abuf));
1130 abuf[sizeof(abuf) - 1] = '\0';
1131
1132 /* log the arg in the audit record */
1133 audit_log_format(*ab, "%s", abuf);
1134 len_rem -= len_tmp;
1135 len_tmp = len_buf;
1136 if (encode) {
1137 if (len_abuf > len_rem)
1138 len_tmp = len_rem / 2; /* encoding */
1139 audit_log_n_hex(*ab, buf, len_tmp);
1140 len_rem -= len_tmp * 2;
1141 len_abuf -= len_tmp * 2;
1142 } else {
1143 if (len_abuf > len_rem)
1144 len_tmp = len_rem - 2; /* quotes */
1145 audit_log_n_string(*ab, buf, len_tmp);
1146 len_rem -= len_tmp + 2;
1147 /* don't subtract the "2" because we still need
1148 * to add quotes to the remaining string */
1149 len_abuf -= len_tmp;
1150 }
1151 len_buf -= len_tmp;
1152 buf += len_tmp;
1153 }
1150 1154
1151 audit_log_format(*ab, "argc=%d", context->execve.argc); 1155 /* ready to move to the next argument? */
1156 if ((len_buf == 0) && !require_data) {
1157 arg++;
1158 iter = 0;
1159 len_full = 0;
1160 require_data = true;
1161 encode = false;
1162 }
1163 } while (arg < context->execve.argc);
1152 1164
1153 /* 1165 /* NOTE: the caller handles the final audit_log_end() call */
1154 * we need some kernel buffer to hold the userspace args. Just
1155 * allocate one big one rather than allocating one of the right size
1156 * for every single argument inside audit_log_single_execve_arg()
1157 * should be <8k allocation so should be pretty safe.
1158 */
1159 buf = kmalloc(MAX_EXECVE_AUDIT_LEN + 1, GFP_KERNEL);
1160 if (!buf) {
1161 audit_panic("out of memory for argv string");
1162 return;
1163 }
1164 1166
1165 for (i = 0; i < context->execve.argc; i++) { 1167out:
1166 len = audit_log_single_execve_arg(context, ab, i, 1168 kfree(buf_head);
1167 &len_sent, p, buf);
1168 if (len <= 0)
1169 break;
1170 p += len;
1171 }
1172 kfree(buf);
1173} 1169}
1174 1170
1175static void show_special(struct audit_context *context, int *call_panic) 1171static void show_special(struct audit_context *context, int *call_panic)
generated by cgit v1.2.2 (git 2.25.0) at 2025-04-25 13:43:01 -0400