1 files changed, 72 insertions, 43 deletions
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index d1eab1d4a930..5371b59bde36 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -771,15 +771,13 @@ static enum audit_state audit_filter_syscall(struct task_struct *tsk,
                return AUDIT_DISABLED;
        rcu_read_lock();
-        if (!list_empty(list)) {
+        list_for_each_entry_rcu(e, list, list) {
-                list_for_each_entry_rcu(e, list, list) {
+                if (audit_in_mask(&e->rule, ctx->major) &&
-                        if (audit_in_mask(&e->rule, ctx->major) &&
+                    audit_filter_rules(tsk, &e->rule, ctx, NULL,
-                            audit_filter_rules(tsk, &e->rule, ctx, NULL,
+                                       &state, false)) {
-                                               &state, false)) {
+                        rcu_read_unlock();
-                                rcu_read_unlock();
+                        ctx->current_state = state;
-                                ctx->current_state = state;
+                        return state;
-                                return state;
-                        }
                }
        }
        rcu_read_unlock();
@@ -798,9 +796,6 @@ static int audit_filter_inode_name(struct task_struct *tsk,
        struct audit_entry *e;
        enum audit_state state;
-        if (list_empty(list))
-                return 0;
        list_for_each_entry_rcu(e, list, list) {
                if (audit_in_mask(&e->rule, ctx->major) &&
                    audit_filter_rules(tsk, &e->rule, ctx, n, &state, false)) {
@@ -808,7 +803,6 @@ static int audit_filter_inode_name(struct task_struct *tsk,
                        return 1;
                }
        }
        return 0;
 }
@@ -840,6 +834,13 @@ static inline void audit_proctitle_free(struct audit_context *context)
        context->proctitle.len = 0;
 }
+static inline void audit_free_module(struct audit_context *context)
+{
+        if (context->type == AUDIT_KERN_MODULE) {
+                kfree(context->module.name);
+                context->module.name = NULL;
+        }
+}
 static inline void audit_free_names(struct audit_context *context)
 {
        struct audit_names *n, *next;
@@ -923,6 +924,7 @@ int audit_alloc(struct task_struct *tsk)
 static inline void audit_free_context(struct audit_context *context)
 {
+        audit_free_module(context);
        audit_free_names(context);
        unroll_tree_refs(context, NULL, 0);
        free_tree_refs(context);
@@ -1139,7 +1141,8 @@ out:
        kfree(buf_head);
 }
-void audit_log_cap(struct audit_buffer *ab, char *prefix, kernel_cap_t *cap)
+static void audit_log_cap(struct audit_buffer *ab, char *prefix,
+                          kernel_cap_t *cap)
 {
        int i;
@@ -1266,7 +1269,6 @@ static void show_special(struct audit_context *context, int *call_panic)
                audit_log_format(ab, "name=");
                if (context->module.name) {
                        audit_log_untrustedstring(ab, context->module.name);
-                        kfree(context->module.name);
                } else
                        audit_log_format(ab, "(null)");
@@ -1628,7 +1630,7 @@ void __audit_syscall_entry(int major, unsigned long a1, unsigned long a2,
                        return;
        }
-        context->arch       = syscall_get_arch();
+        context->arch       = syscall_get_arch(current);
        context->major      = major;
        context->argv[0]    = a1;
        context->argv[1]    = a2;
@@ -1697,6 +1699,7 @@ void __audit_syscall_exit(int success, long return_code)
        context->in_syscall = 0;
        context->prio = context->state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0;
+        audit_free_module(context);
        audit_free_names(context);
        unroll_tree_refs(context, NULL, 0);
        audit_free_aux(context);
@@ -1897,8 +1900,9 @@ static inline int audit_copy_fcaps(struct audit_names *name,
 }
 /* Copy inode data into an audit_names. */
-void audit_copy_inode(struct audit_names *name, const struct dentry *dentry,
+static void audit_copy_inode(struct audit_names *name,
-                      struct inode *inode, unsigned int flags)
+                             const struct dentry *dentry,
+                             struct inode *inode, unsigned int flags)
 {
        name->ino   = inode->i_ino;
        name->dev   = inode->i_sb->s_dev;
@@ -1935,18 +1939,16 @@ void __audit_inode(struct filename *name, const struct dentry *dentry,
                return;
        rcu_read_lock();
-        if (!list_empty(list)) {
+        list_for_each_entry_rcu(e, list, list) {
-                list_for_each_entry_rcu(e, list, list) {
+                for (i = 0; i < e->rule.field_count; i++) {
-                        for (i = 0; i < e->rule.field_count; i++) {
+                        struct audit_field *f = &e->rule.fields[i];
-                                struct audit_field *f = &e->rule.fields[i];
+                        if (f->type == AUDIT_FSTYPE
-                                if (f->type == AUDIT_FSTYPE
+                            && audit_comparator(inode->i_sb->s_magic,
-                                    && audit_comparator(inode->i_sb->s_magic,
+                                                f->op, f->val)
-                                                        f->op, f->val)
+                            && e->rule.action == AUDIT_NEVER) {
-                                    && e->rule.action == AUDIT_NEVER) {
+                                rcu_read_unlock();
-                                        rcu_read_unlock();
+                                return;
-                                        return;
-                                }
                        }
                }
        }
@@ -2055,18 +2057,16 @@ void __audit_inode_child(struct inode *parent,
                return;
        rcu_read_lock();
-        if (!list_empty(list)) {
+        list_for_each_entry_rcu(e, list, list) {
-                list_for_each_entry_rcu(e, list, list) {
+                for (i = 0; i < e->rule.field_count; i++) {
-                        for (i = 0; i < e->rule.field_count; i++) {
+                        struct audit_field *f = &e->rule.fields[i];
-                                struct audit_field *f = &e->rule.fields[i];
+                        if (f->type == AUDIT_FSTYPE
-                                if (f->type == AUDIT_FSTYPE
+                            && audit_comparator(parent->i_sb->s_magic,
-                                    && audit_comparator(parent->i_sb->s_magic,
+                                                f->op, f->val)
-                                                        f->op, f->val)
+                            && e->rule.action == AUDIT_NEVER) {
-                                    && e->rule.action == AUDIT_NEVER) {
+                                rcu_read_unlock();
-                                        rcu_read_unlock();
+                                return;
-                                        return;
-                                }
                        }
                }
        }
@@ -2512,6 +2512,35 @@ void __audit_fanotify(unsigned int response)
                AUDIT_FANOTIFY, "resp=%u", response);
 }
+void __audit_tk_injoffset(struct timespec64 offset)
+{
+        audit_log(audit_context(), GFP_KERNEL, AUDIT_TIME_INJOFFSET,
+                  "sec=%lli nsec=%li",
+                  (long long)offset.tv_sec, offset.tv_nsec);
+}
+static void audit_log_ntp_val(const struct audit_ntp_data *ad,
+                              const char *op, enum audit_ntp_type type)
+{
+        const struct audit_ntp_val *val = &ad->vals[type];
+        if (val->newval == val->oldval)
+                return;
+        audit_log(audit_context(), GFP_KERNEL, AUDIT_TIME_ADJNTPVAL,
+                  "op=%s old=%lli new=%lli", op, val->oldval, val->newval);
+}
+void __audit_ntp_log(const struct audit_ntp_data *ad)
+{
+        audit_log_ntp_val(ad, "offset", AUDIT_NTP_OFFSET);
+        audit_log_ntp_val(ad, "freq",   AUDIT_NTP_FREQ);
+        audit_log_ntp_val(ad, "status", AUDIT_NTP_STATUS);
+        audit_log_ntp_val(ad, "tai",    AUDIT_NTP_TAI);
+        audit_log_ntp_val(ad, "tick",   AUDIT_NTP_TICK);
+        audit_log_ntp_val(ad, "adjust", AUDIT_NTP_ADJUST);
+}
 static void audit_log_task(struct audit_buffer *ab)
 {
        kuid_t auid, uid;
@@ -2580,7 +2609,7 @@ void audit_seccomp(unsigned long syscall, long signr, int code)
                return;
        audit_log_task(ab);
        audit_log_format(ab, " sig=%ld arch=%x syscall=%ld compat=%d ip=0x%lx code=0x%x",
-                         signr, syscall_get_arch(), syscall,
+                         signr, syscall_get_arch(current), syscall,
                         in_compat_syscall(), KSTK_EIP(current), code);
        audit_log_end(ab);
 }

diff --git a/kernel/auditsc.c b/kernel/auditsc.c index d1eab1d4a930..5371b59bde36 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c
@@ -771,15 +771,13 @@ static enum audit_state audit_filter_syscall(struct task_struct *tsk,
771	return AUDIT_DISABLED;	771	return AUDIT_DISABLED;
772		772
773	rcu_read_lock();	773	rcu_read_lock();
774	if (!list_empty(list)) {	774	list_for_each_entry_rcu(e, list, list) {
775	list_for_each_entry_rcu(e, list, list) {	775	if (audit_in_mask(&e->rule, ctx->major) &&
776	if (audit_in_mask(&e->rule, ctx->major) &&	776	audit_filter_rules(tsk, &e->rule, ctx, NULL,
777	audit_filter_rules(tsk, &e->rule, ctx, NULL,	777	&state, false)) {
778	&state, false)) {	778	rcu_read_unlock();
779	rcu_read_unlock();	779	ctx->current_state = state;
780	ctx->current_state = state;	780	return state;
781	return state;
782	}
783	}	781	}
784	}	782	}
785	rcu_read_unlock();	783	rcu_read_unlock();
@@ -798,9 +796,6 @@ static int audit_filter_inode_name(struct task_struct *tsk,
798	struct audit_entry *e;	796	struct audit_entry *e;
799	enum audit_state state;	797	enum audit_state state;
800		798
801	if (list_empty(list))
802	return 0;
803
804	list_for_each_entry_rcu(e, list, list) {	799	list_for_each_entry_rcu(e, list, list) {
805	if (audit_in_mask(&e->rule, ctx->major) &&	800	if (audit_in_mask(&e->rule, ctx->major) &&
806	audit_filter_rules(tsk, &e->rule, ctx, n, &state, false)) {	801	audit_filter_rules(tsk, &e->rule, ctx, n, &state, false)) {
@@ -808,7 +803,6 @@ static int audit_filter_inode_name(struct task_struct *tsk,
808	return 1;	803	return 1;
809	}	804	}
810	}	805	}
811
812	return 0;	806	return 0;
813	}	807	}
814		808
@@ -840,6 +834,13 @@ static inline void audit_proctitle_free(struct audit_context *context)
840	context->proctitle.len = 0;	834	context->proctitle.len = 0;
841	}	835	}
842		836
		837	static inline void audit_free_module(struct audit_context *context)
		838	{
		839	if (context->type == AUDIT_KERN_MODULE) {
		840	kfree(context->module.name);
		841	context->module.name = NULL;
		842	}
		843	}
843	static inline void audit_free_names(struct audit_context *context)	844	static inline void audit_free_names(struct audit_context *context)
844	{	845	{
845	struct audit_names n, next;	846	struct audit_names n, next;
@@ -923,6 +924,7 @@ int audit_alloc(struct task_struct *tsk)
923		924
924	static inline void audit_free_context(struct audit_context *context)	925	static inline void audit_free_context(struct audit_context *context)
925	{	926	{
		927	audit_free_module(context);
926	audit_free_names(context);	928	audit_free_names(context);
927	unroll_tree_refs(context, NULL, 0);	929	unroll_tree_refs(context, NULL, 0);
928	free_tree_refs(context);	930	free_tree_refs(context);
@@ -1139,7 +1141,8 @@ out:
1139	kfree(buf_head);	1141	kfree(buf_head);
1140	}	1142	}
1141		1143
1142	void audit_log_cap(struct audit_buffer ab, char prefix, kernel_cap_t *cap)	1144	static void audit_log_cap(struct audit_buffer ab, char prefix,
		1145	kernel_cap_t *cap)
1143	{	1146	{
1144	int i;	1147	int i;
1145		1148
@@ -1266,7 +1269,6 @@ static void show_special(struct audit_context context, int call_panic)
1266	audit_log_format(ab, "name=");	1269	audit_log_format(ab, "name=");
1267	if (context->module.name) {	1270	if (context->module.name) {
1268	audit_log_untrustedstring(ab, context->module.name);	1271	audit_log_untrustedstring(ab, context->module.name);
1269	kfree(context->module.name);
1270	} else	1272	} else
1271	audit_log_format(ab, "(null)");	1273	audit_log_format(ab, "(null)");
1272		1274
@@ -1628,7 +1630,7 @@ void __audit_syscall_entry(int major, unsigned long a1, unsigned long a2,
1628	return;	1630	return;
1629	}	1631	}
1630		1632
1631	context->arch = syscall_get_arch();	1633	context->arch = syscall_get_arch(current);
1632	context->major = major;	1634	context->major = major;
1633	context->argv[0] = a1;	1635	context->argv[0] = a1;
1634	context->argv[1] = a2;	1636	context->argv[1] = a2;
@@ -1697,6 +1699,7 @@ void __audit_syscall_exit(int success, long return_code)
1697	context->in_syscall = 0;	1699	context->in_syscall = 0;
1698	context->prio = context->state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0;	1700	context->prio = context->state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0;
1699		1701
		1702	audit_free_module(context);
1700	audit_free_names(context);	1703	audit_free_names(context);
1701	unroll_tree_refs(context, NULL, 0);	1704	unroll_tree_refs(context, NULL, 0);
1702	audit_free_aux(context);	1705	audit_free_aux(context);
@@ -1897,8 +1900,9 @@ static inline int audit_copy_fcaps(struct audit_names *name,
1897	}	1900	}
1898		1901
1899	/* Copy inode data into an audit_names. */	1902	/* Copy inode data into an audit_names. */
1900	void audit_copy_inode(struct audit_names name, const struct dentry dentry,	1903	static void audit_copy_inode(struct audit_names *name,
1901	struct inode *inode, unsigned int flags)	1904	const struct dentry *dentry,
		1905	struct inode *inode, unsigned int flags)
1902	{	1906	{
1903	name->ino = inode->i_ino;	1907	name->ino = inode->i_ino;
1904	name->dev = inode->i_sb->s_dev;	1908	name->dev = inode->i_sb->s_dev;
@@ -1935,18 +1939,16 @@ void __audit_inode(struct filename name, const struct dentry dentry,
1935	return;	1939	return;
1936		1940
1937	rcu_read_lock();	1941	rcu_read_lock();
1938	if (!list_empty(list)) {	1942	list_for_each_entry_rcu(e, list, list) {
1939	list_for_each_entry_rcu(e, list, list) {	1943	for (i = 0; i < e->rule.field_count; i++) {
1940	for (i = 0; i < e->rule.field_count; i++) {	1944	struct audit_field *f = &e->rule.fields[i];
1941	struct audit_field *f = &e->rule.fields[i];	1945
1942		1946	if (f->type == AUDIT_FSTYPE
1943	if (f->type == AUDIT_FSTYPE	1947	&& audit_comparator(inode->i_sb->s_magic,
1944	&& audit_comparator(inode->i_sb->s_magic,	1948	f->op, f->val)
1945	f->op, f->val)	1949	&& e->rule.action == AUDIT_NEVER) {
1946	&& e->rule.action == AUDIT_NEVER) {	1950	rcu_read_unlock();
1947	rcu_read_unlock();	1951	return;
1948	return;
1949	}
1950	}	1952	}
1951	}	1953	}
1952	}	1954	}
@@ -2055,18 +2057,16 @@ void __audit_inode_child(struct inode *parent,
2055	return;	2057	return;
2056		2058
2057	rcu_read_lock();	2059	rcu_read_lock();
2058	if (!list_empty(list)) {	2060	list_for_each_entry_rcu(e, list, list) {
2059	list_for_each_entry_rcu(e, list, list) {	2061	for (i = 0; i < e->rule.field_count; i++) {
2060	for (i = 0; i < e->rule.field_count; i++) {	2062	struct audit_field *f = &e->rule.fields[i];
2061	struct audit_field *f = &e->rule.fields[i];	2063
2062		2064	if (f->type == AUDIT_FSTYPE
2063	if (f->type == AUDIT_FSTYPE	2065	&& audit_comparator(parent->i_sb->s_magic,
2064	&& audit_comparator(parent->i_sb->s_magic,	2066	f->op, f->val)
2065	f->op, f->val)	2067	&& e->rule.action == AUDIT_NEVER) {
2066	&& e->rule.action == AUDIT_NEVER) {	2068	rcu_read_unlock();
2067	rcu_read_unlock();	2069	return;
2068	return;
2069	}
2070	}	2070	}
2071	}	2071	}
2072	}	2072	}
@@ -2512,6 +2512,35 @@ void __audit_fanotify(unsigned int response)
2512	AUDIT_FANOTIFY, "resp=%u", response);	2512	AUDIT_FANOTIFY, "resp=%u", response);
2513	}	2513	}
2514		2514
		2515	void __audit_tk_injoffset(struct timespec64 offset)
		2516	{
		2517	audit_log(audit_context(), GFP_KERNEL, AUDIT_TIME_INJOFFSET,
		2518	"sec=%lli nsec=%li",
		2519	(long long)offset.tv_sec, offset.tv_nsec);
		2520	}
		2521
		2522	static void audit_log_ntp_val(const struct audit_ntp_data *ad,
		2523	const char *op, enum audit_ntp_type type)
		2524	{
		2525	const struct audit_ntp_val *val = &ad->vals[type];
		2526
		2527	if (val->newval == val->oldval)
		2528	return;
		2529
		2530	audit_log(audit_context(), GFP_KERNEL, AUDIT_TIME_ADJNTPVAL,
		2531	"op=%s old=%lli new=%lli", op, val->oldval, val->newval);
		2532	}
		2533
		2534	void __audit_ntp_log(const struct audit_ntp_data *ad)
		2535	{
		2536	audit_log_ntp_val(ad, "offset", AUDIT_NTP_OFFSET);
		2537	audit_log_ntp_val(ad, "freq", AUDIT_NTP_FREQ);
		2538	audit_log_ntp_val(ad, "status", AUDIT_NTP_STATUS);
		2539	audit_log_ntp_val(ad, "tai", AUDIT_NTP_TAI);
		2540	audit_log_ntp_val(ad, "tick", AUDIT_NTP_TICK);
		2541	audit_log_ntp_val(ad, "adjust", AUDIT_NTP_ADJUST);
		2542	}
		2543
2515	static void audit_log_task(struct audit_buffer *ab)	2544	static void audit_log_task(struct audit_buffer *ab)
2516	{	2545	{
2517	kuid_t auid, uid;	2546	kuid_t auid, uid;
@@ -2580,7 +2609,7 @@ void audit_seccomp(unsigned long syscall, long signr, int code)
2580	return;	2609	return;
2581	audit_log_task(ab);	2610	audit_log_task(ab);
2582	audit_log_format(ab, " sig=%ld arch=%x syscall=%ld compat=%d ip=0x%lx code=0x%x",	2611	audit_log_format(ab, " sig=%ld arch=%x syscall=%ld compat=%d ip=0x%lx code=0x%x",
2583	signr, syscall_get_arch(), syscall,	2612	signr, syscall_get_arch(current), syscall,
2584	in_compat_syscall(), KSTK_EIP(current), code);	2613	in_compat_syscall(), KSTK_EIP(current), code);
2585	audit_log_end(ab);	2614	audit_log_end(ab);
2586	}	2615	}