aboutsummaryrefslogtreecommitdiffstats
path: root/kernel/audit.c
diff options
context:
space:
mode:
Diffstat (limited to 'kernel/audit.c')
-rw-r--r--kernel/audit.c43
1 files changed, 27 insertions, 16 deletions
diff --git a/kernel/audit.c b/kernel/audit.c
index 34c5a2310fbf..95a20f3f52f1 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -182,7 +182,7 @@ struct audit_buffer {
182 182
183struct audit_reply { 183struct audit_reply {
184 __u32 portid; 184 __u32 portid;
185 pid_t pid; 185 struct net *net;
186 struct sk_buff *skb; 186 struct sk_buff *skb;
187}; 187};
188 188
@@ -500,7 +500,7 @@ int audit_send_list(void *_dest)
500{ 500{
501 struct audit_netlink_list *dest = _dest; 501 struct audit_netlink_list *dest = _dest;
502 struct sk_buff *skb; 502 struct sk_buff *skb;
503 struct net *net = get_net_ns_by_pid(dest->pid); 503 struct net *net = dest->net;
504 struct audit_net *aunet = net_generic(net, audit_net_id); 504 struct audit_net *aunet = net_generic(net, audit_net_id);
505 505
506 /* wait for parent to finish and send an ACK */ 506 /* wait for parent to finish and send an ACK */
@@ -510,6 +510,7 @@ int audit_send_list(void *_dest)
510 while ((skb = __skb_dequeue(&dest->q)) != NULL) 510 while ((skb = __skb_dequeue(&dest->q)) != NULL)
511 netlink_unicast(aunet->nlsk, skb, dest->portid, 0); 511 netlink_unicast(aunet->nlsk, skb, dest->portid, 0);
512 512
513 put_net(net);
513 kfree(dest); 514 kfree(dest);
514 515
515 return 0; 516 return 0;
@@ -543,7 +544,7 @@ out_kfree_skb:
543static int audit_send_reply_thread(void *arg) 544static int audit_send_reply_thread(void *arg)
544{ 545{
545 struct audit_reply *reply = (struct audit_reply *)arg; 546 struct audit_reply *reply = (struct audit_reply *)arg;
546 struct net *net = get_net_ns_by_pid(reply->pid); 547 struct net *net = reply->net;
547 struct audit_net *aunet = net_generic(net, audit_net_id); 548 struct audit_net *aunet = net_generic(net, audit_net_id);
548 549
549 mutex_lock(&audit_cmd_mutex); 550 mutex_lock(&audit_cmd_mutex);
@@ -552,12 +553,13 @@ static int audit_send_reply_thread(void *arg)
552 /* Ignore failure. It'll only happen if the sender goes away, 553 /* Ignore failure. It'll only happen if the sender goes away,
553 because our timeout is set to infinite. */ 554 because our timeout is set to infinite. */
554 netlink_unicast(aunet->nlsk , reply->skb, reply->portid, 0); 555 netlink_unicast(aunet->nlsk , reply->skb, reply->portid, 0);
556 put_net(net);
555 kfree(reply); 557 kfree(reply);
556 return 0; 558 return 0;
557} 559}
558/** 560/**
559 * audit_send_reply - send an audit reply message via netlink 561 * audit_send_reply - send an audit reply message via netlink
560 * @portid: netlink port to which to send reply 562 * @request_skb: skb of request we are replying to (used to target the reply)
561 * @seq: sequence number 563 * @seq: sequence number
562 * @type: audit message type 564 * @type: audit message type
563 * @done: done (last) flag 565 * @done: done (last) flag
@@ -568,9 +570,11 @@ static int audit_send_reply_thread(void *arg)
568 * Allocates an skb, builds the netlink message, and sends it to the port id. 570 * Allocates an skb, builds the netlink message, and sends it to the port id.
569 * No failure notifications. 571 * No failure notifications.
570 */ 572 */
571static void audit_send_reply(__u32 portid, int seq, int type, int done, 573static void audit_send_reply(struct sk_buff *request_skb, int seq, int type, int done,
572 int multi, const void *payload, int size) 574 int multi, const void *payload, int size)
573{ 575{
576 u32 portid = NETLINK_CB(request_skb).portid;
577 struct net *net = sock_net(NETLINK_CB(request_skb).sk);
574 struct sk_buff *skb; 578 struct sk_buff *skb;
575 struct task_struct *tsk; 579 struct task_struct *tsk;
576 struct audit_reply *reply = kmalloc(sizeof(struct audit_reply), 580 struct audit_reply *reply = kmalloc(sizeof(struct audit_reply),
@@ -583,8 +587,8 @@ static void audit_send_reply(__u32 portid, int seq, int type, int done,
583 if (!skb) 587 if (!skb)
584 goto out; 588 goto out;
585 589
590 reply->net = get_net(net);
586 reply->portid = portid; 591 reply->portid = portid;
587 reply->pid = task_pid_vnr(current);
588 reply->skb = skb; 592 reply->skb = skb;
589 593
590 tsk = kthread_run(audit_send_reply_thread, reply, "audit_send_reply"); 594 tsk = kthread_run(audit_send_reply_thread, reply, "audit_send_reply");
@@ -604,9 +608,19 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
604 int err = 0; 608 int err = 0;
605 609
606 /* Only support the initial namespaces for now. */ 610 /* Only support the initial namespaces for now. */
611 /*
612 * We return ECONNREFUSED because it tricks userspace into thinking
613 * that audit was not configured into the kernel. Lots of users
614 * configure their PAM stack (because that's what the distro does)
615 * to reject login if unable to send messages to audit. If we return
616 * ECONNREFUSED the PAM stack thinks the kernel does not have audit
617 * configured in and will let login proceed. If we return EPERM
618 * userspace will reject all logins. This should be removed when we
619 * support non init namespaces!!
620 */
607 if ((current_user_ns() != &init_user_ns) || 621 if ((current_user_ns() != &init_user_ns) ||
608 (task_active_pid_ns(current) != &init_pid_ns)) 622 (task_active_pid_ns(current) != &init_pid_ns))
609 return -EPERM; 623 return -ECONNREFUSED;
610 624
611 switch (msg_type) { 625 switch (msg_type) {
612 case AUDIT_LIST: 626 case AUDIT_LIST:
@@ -673,8 +687,7 @@ static int audit_get_feature(struct sk_buff *skb)
673 687
674 seq = nlmsg_hdr(skb)->nlmsg_seq; 688 seq = nlmsg_hdr(skb)->nlmsg_seq;
675 689
676 audit_send_reply(NETLINK_CB(skb).portid, seq, AUDIT_GET, 0, 0, 690 audit_send_reply(skb, seq, AUDIT_GET, 0, 0, &af, sizeof(af));
677 &af, sizeof(af));
678 691
679 return 0; 692 return 0;
680} 693}
@@ -794,8 +807,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
794 s.backlog = skb_queue_len(&audit_skb_queue); 807 s.backlog = skb_queue_len(&audit_skb_queue);
795 s.version = AUDIT_VERSION_LATEST; 808 s.version = AUDIT_VERSION_LATEST;
796 s.backlog_wait_time = audit_backlog_wait_time; 809 s.backlog_wait_time = audit_backlog_wait_time;
797 audit_send_reply(NETLINK_CB(skb).portid, seq, AUDIT_GET, 0, 0, 810 audit_send_reply(skb, seq, AUDIT_GET, 0, 0, &s, sizeof(s));
798 &s, sizeof(s));
799 break; 811 break;
800 } 812 }
801 case AUDIT_SET: { 813 case AUDIT_SET: {
@@ -905,7 +917,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
905 seq, data, nlmsg_len(nlh)); 917 seq, data, nlmsg_len(nlh));
906 break; 918 break;
907 case AUDIT_LIST_RULES: 919 case AUDIT_LIST_RULES:
908 err = audit_list_rules_send(NETLINK_CB(skb).portid, seq); 920 err = audit_list_rules_send(skb, seq);
909 break; 921 break;
910 case AUDIT_TRIM: 922 case AUDIT_TRIM:
911 audit_trim_trees(); 923 audit_trim_trees();
@@ -970,8 +982,8 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
970 memcpy(sig_data->ctx, ctx, len); 982 memcpy(sig_data->ctx, ctx, len);
971 security_release_secctx(ctx, len); 983 security_release_secctx(ctx, len);
972 } 984 }
973 audit_send_reply(NETLINK_CB(skb).portid, seq, AUDIT_SIGNAL_INFO, 985 audit_send_reply(skb, seq, AUDIT_SIGNAL_INFO, 0, 0,
974 0, 0, sig_data, sizeof(*sig_data) + len); 986 sig_data, sizeof(*sig_data) + len);
975 kfree(sig_data); 987 kfree(sig_data);
976 break; 988 break;
977 case AUDIT_TTY_GET: { 989 case AUDIT_TTY_GET: {
@@ -983,8 +995,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
983 s.log_passwd = tsk->signal->audit_tty_log_passwd; 995 s.log_passwd = tsk->signal->audit_tty_log_passwd;
984 spin_unlock(&tsk->sighand->siglock); 996 spin_unlock(&tsk->sighand->siglock);
985 997
986 audit_send_reply(NETLINK_CB(skb).portid, seq, 998 audit_send_reply(skb, seq, AUDIT_TTY_GET, 0, 0, &s, sizeof(s));
987 AUDIT_TTY_GET, 0, 0, &s, sizeof(s));
988 break; 999 break;
989 } 1000 }
990 case AUDIT_TTY_SET: { 1001 case AUDIT_TTY_SET: {
generated by cgit v1.2.2 (git 2.25.0) at 2025-10-01 17:20:58 -0400