7 files changed, 96 insertions, 20 deletions

diff --git a/include/linux/audit.h b/include/linux/audit.h
index f51fca8d0b6f..504e784b7ffa 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -360,6 +360,7 @@ extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm,
                                   const struct cred *old);
 extern void __audit_log_capset(const struct cred *new, const struct cred *old);
 extern void __audit_mmap_fd(int fd, int flags);
+extern void __audit_log_kern_module(char *name);
 
 static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
 {
@@ -387,6 +388,20 @@ static inline int audit_socketcall(int nargs, unsigned long *args)
                 return __audit_socketcall(nargs, args);
         return 0;
 }
+
+static inline int audit_socketcall_compat(int nargs, u32 *args)
+{
+        unsigned long a[AUDITSC_ARGS];
+        int i;
+
+        if (audit_dummy_context())
+                return 0;
+
+        for (i = 0; i < nargs; i++)
+                a[i] = (unsigned long)args[i];
+        return __audit_socketcall(nargs, a);
+}
+
 static inline int audit_sockaddr(int len, void *addr)
 {
         if (unlikely(!audit_dummy_context()))
@@ -436,6 +451,12 @@ static inline void audit_mmap_fd(int fd, int flags)
                 __audit_mmap_fd(fd, flags);
 }
 
+static inline void audit_log_kern_module(char *name)
+{
+        if (!audit_dummy_context())
+                __audit_log_kern_module(name);
+}
+
 extern int audit_n_rules;
 extern int audit_signals;
 #else /* CONFIG_AUDITSYSCALL */
@@ -513,6 +534,12 @@ static inline int audit_socketcall(int nargs, unsigned long *args)
 {
         return 0;
 }
+
+static inline int audit_socketcall_compat(int nargs, u32 *args)
+{
+        return 0;
+}
+
 static inline void audit_fd_pair(int fd1, int fd2)
 { }
 static inline int audit_sockaddr(int len, void *addr)
@@ -541,6 +568,11 @@ static inline void audit_log_capset(const struct cred *new,
 { }
 static inline void audit_mmap_fd(int fd, int flags)
 { }
+
+static inline void audit_log_kern_module(char *name)
+{
+}
+
 static inline void audit_ptrace(struct task_struct *t)
 { }
 #define audit_n_rules 0
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 1c107cb1c83f..0714a66f0e0c 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -111,6 +111,7 @@
 #define AUDIT_PROCTITLE         1327    /* Proctitle emit event */
 #define AUDIT_FEATURE_CHANGE    1328    /* audit log listing feature changes */
 #define AUDIT_REPLACE           1329    /* Replace auditd if this packet unanswerd */
+#define AUDIT_KERN_MODULE       1330    /* Kernel Module events */
 
 #define AUDIT_AVC               1400    /* SE Linux avc denial or grant */
 #define AUDIT_SELINUX_ERR       1401    /* Internal SE Linux Errors */
@@ -326,17 +327,21 @@ enum {
 #define AUDIT_STATUS_RATE_LIMIT         0x0008
 #define AUDIT_STATUS_BACKLOG_LIMIT      0x0010
 #define AUDIT_STATUS_BACKLOG_WAIT_TIME  0x0020
+#define AUDIT_STATUS_LOST               0x0040
 
 #define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT      0x00000001
 #define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME  0x00000002
 #define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH    0x00000004
 #define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND     0x00000008
 #define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER   0x00000010
+#define AUDIT_FEATURE_BITMAP_LOST_RESET         0x00000020
+
 #define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT | \
                                   AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \
                                   AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH | \
                                   AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND | \
-                                  AUDIT_FEATURE_BITMAP_SESSIONID_FILTER)
+                                  AUDIT_FEATURE_BITMAP_SESSIONID_FILTER | \
+                                  AUDIT_FEATURE_BITMAP_LOST_RESET)
 
 /* deprecated: AUDIT_VERSION_* */
 #define AUDIT_VERSION_LATEST            AUDIT_FEATURE_BITMAP_ALL
diff --git a/kernel/audit.c b/kernel/audit.c
index 6e399bb69d7c..e794544f5e63 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -121,7 +121,7 @@ u32		audit_sig_sid = 0;
    3) suppressed due to audit_rate_limit
    4) suppressed due to audit_backlog_limit
 */
-static atomic_t    audit_lost = ATOMIC_INIT(0);
+static atomic_t audit_lost = ATOMIC_INIT(0);
 
 /* The netlink socket. */
 static struct sock *audit_sock;
@@ -1058,6 +1058,12 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
                         if (err < 0)
                                 return err;
                 }
+                if (s.mask == AUDIT_STATUS_LOST) {
+                        u32 lost = atomic_xchg(&audit_lost, 0);
+
+                        audit_log_config_change("lost", 0, lost, 1);
+                        return lost;
+                }
                 break;
         }
         case AUDIT_GET_FEATURE:
@@ -1349,7 +1355,9 @@ static int __init audit_init(void)
                 panic("audit: failed to start the kauditd thread (%d)\n", err);
         }
 
-        audit_log(NULL, GFP_KERNEL, AUDIT_KERNEL, "initialized");
+        audit_log(NULL, GFP_KERNEL, AUDIT_KERNEL,
+                "state=initialized audit_enabled=%u res=1",
+                 audit_enabled);
 
         return 0;
 }
diff --git a/kernel/audit.h b/kernel/audit.h
index 960d49c9db5e..ca579880303a 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -199,6 +199,9 @@ struct audit_context {
                 struct {
                         int                     argc;
                 } execve;
+                struct {
+                        char                    *name;
+                } module;
         };
         int fds[2];
         struct audit_proctitle proctitle;
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index cf1fa43512c1..d6a8de5f8fa3 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1221,7 +1221,7 @@ static void show_special(struct audit_context *context, int *call_panic)
                                 context->ipc.perm_mode);
                 }
                 break; }
-        case AUDIT_MQ_OPEN: {
+        case AUDIT_MQ_OPEN:
                 audit_log_format(ab,
                         "oflag=0x%x mode=%#ho mq_flags=0x%lx mq_maxmsg=%ld "
                         "mq_msgsize=%ld mq_curmsgs=%ld",
@@ -1230,8 +1230,8 @@ static void show_special(struct audit_context *context, int *call_panic)
                         context->mq_open.attr.mq_maxmsg,
                         context->mq_open.attr.mq_msgsize,
                         context->mq_open.attr.mq_curmsgs);
-                break; }
-        case AUDIT_MQ_SENDRECV: {
+                break;
+        case AUDIT_MQ_SENDRECV:
                 audit_log_format(ab,
                         "mqdes=%d msg_len=%zd msg_prio=%u "
                         "abs_timeout_sec=%ld abs_timeout_nsec=%ld",
@@ -1240,12 +1240,12 @@ static void show_special(struct audit_context *context, int *call_panic)
                         context->mq_sendrecv.msg_prio,
                         context->mq_sendrecv.abs_timeout.tv_sec,
                         context->mq_sendrecv.abs_timeout.tv_nsec);
-                break; }
-        case AUDIT_MQ_NOTIFY: {
+                break;
+        case AUDIT_MQ_NOTIFY:
                 audit_log_format(ab, "mqdes=%d sigev_signo=%d",
                                 context->mq_notify.mqdes,
                                 context->mq_notify.sigev_signo);
-                break; }
+                break;
         case AUDIT_MQ_GETSETATTR: {
                 struct mq_attr *attr = &context->mq_getsetattr.mqstat;
                 audit_log_format(ab,
@@ -1255,19 +1255,24 @@ static void show_special(struct audit_context *context, int *call_panic)
                         attr->mq_flags, attr->mq_maxmsg,
                         attr->mq_msgsize, attr->mq_curmsgs);
                 break; }
-        case AUDIT_CAPSET: {
+        case AUDIT_CAPSET:
                 audit_log_format(ab, "pid=%d", context->capset.pid);
                 audit_log_cap(ab, "cap_pi", &context->capset.cap.inheritable);
                 audit_log_cap(ab, "cap_pp", &context->capset.cap.permitted);
                 audit_log_cap(ab, "cap_pe", &context->capset.cap.effective);
-                break; }
-        case AUDIT_MMAP: {
+                break;
+        case AUDIT_MMAP:
                 audit_log_format(ab, "fd=%d flags=0x%x", context->mmap.fd,
                                  context->mmap.flags);
-                break; }
-        case AUDIT_EXECVE: {
+                break;
+        case AUDIT_EXECVE:
                 audit_log_execve_info(context, &ab);
-                break; }
+                break;
+        case AUDIT_KERN_MODULE:
+                audit_log_format(ab, "name=");
+                audit_log_untrustedstring(ab, context->module.name);
+                kfree(context->module.name);
+                break;
         }
         audit_log_end(ab);
 }
@@ -2368,6 +2373,15 @@ void __audit_mmap_fd(int fd, int flags)
         context->type = AUDIT_MMAP;
 }
 
+void __audit_log_kern_module(char *name)
+{
+        struct audit_context *context = current->audit_context;
+
+        context->module.name = kmalloc(strlen(name) + 1, GFP_KERNEL);
+        strcpy(context->module.name, name);
+        context->type = AUDIT_KERN_MODULE;
+}
+
 static void audit_log_task(struct audit_buffer *ab)
 {
         kuid_t auid, uid;
@@ -2411,7 +2425,7 @@ void audit_core_dumps(long signr)
         if (unlikely(!ab))
                 return;
         audit_log_task(ab);
-        audit_log_format(ab, " sig=%ld", signr);
+        audit_log_format(ab, " sig=%ld res=1", signr);
         audit_log_end(ab);
 }
 
diff --git a/kernel/module.c b/kernel/module.c
index 3d8f126208e3..e2eec4b47143 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -61,6 +61,7 @@
 #include <linux/pfn.h>
 #include <linux/bsearch.h>
 #include <linux/dynamic_debug.h>
+#include <linux/audit.h>
 #include <uapi/linux/module.h>
 #include "module-internal.h"
 
@@ -3608,6 +3609,8 @@ static int load_module(struct load_info *info, const char __user *uargs,
                 goto free_copy;
         }
 
+        audit_log_kern_module(mod->name);
+
         /* Reserve our place in the list. */
         err = add_unformed_module(mod);
         if (err)
@@ -3696,7 +3699,7 @@ static int load_module(struct load_info *info, const char __user *uargs,
                        mod->name, after_dashes);
         }
 
-        /* Link in to syfs. */
+        /* Link in to sysfs. */
         err = mod_sysfs_setup(mod, info, mod->kp, mod->num_kp);
         if (err < 0)
                 goto coming_cleanup;
diff --git a/net/compat.c b/net/compat.c
index 96c544b05b15..d69f539ca0bc 100644
--- a/net/compat.c
+++ b/net/compat.c
@@ -22,6 +22,7 @@
 #include <linux/filter.h>
 #include <linux/compat.h>
 #include <linux/security.h>
+#include <linux/audit.h>
 #include <linux/export.h>
 
 #include <net/scm.h>
@@ -781,14 +782,24 @@ COMPAT_SYSCALL_DEFINE5(recvmmsg, int, fd, struct compat_mmsghdr __user *, mmsg,
 
 COMPAT_SYSCALL_DEFINE2(socketcall, int, call, u32 __user *, args)
 {
-        int ret;
-        u32 a[6];
+        u32 a[AUDITSC_ARGS];
+        unsigned int len;
         u32 a0, a1;
+        int ret;
 
         if (call < SYS_SOCKET || call > SYS_SENDMMSG)
                 return -EINVAL;
-        if (copy_from_user(a, args, nas[call]))
+        len = nas[call];
+        if (len > sizeof(a))
+                return -EINVAL;
+
+        if (copy_from_user(a, args, len))
                 return -EFAULT;
+
+        ret = audit_socketcall_compat(len / sizeof(a[0]), a);
+        if (ret)
+                return ret;
+
         a0 = a[0];
         a1 = a[1];