authorEric Paris <eparis@redhat.com>2013-04-19 13:23:09 -0400
committerEric Paris <eparis@redhat.com>2013-04-30 15:31:28 -0400
commitdc9eb698f441889f2d7926b1cc6f1e14f0787f00 (patch)
treeacdd37f268633b38b370fe0725f57ccd0d4fcadc
parent18900909163758baf2152c9102b1a0953f7f1c30 (diff)
audit: stop pushing loginid, uid, sessionid as arguments
We always use current. Stop pulling this when the skb comes in and pushing it around as arguments. Just get it at the end when you need it. Signed-off-by: Eric Paris <eparis@redhat.com>
-rw-r--r--drivers/tty/tty_audit.c4
-rw-r--r--include/linux/audit.h3
-rw-r--r--include/linux/tty.h6
-rw-r--r--kernel/audit.c100
-rw-r--r--kernel/auditfilter.c22
5 files changed, 52 insertions, 83 deletions
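--- a/drivers/tty/tty_audit.c
+++ b/drivers/tty/tty_audit.c
@@ -202,10 +202,12 @@ void tty_audit_tiocsti(struct tty_struct *tty, char ch)
  * reference to the tty audit buffer if available.
  * Flush the buffer or return an appropriate error code.
  */
-int tty_audit_push_task(struct task_struct *tsk, kuid_t loginuid, u32 sessionid)
+int tty_audit_push_task(struct task_struct *tsk)
 {
 	struct tty_audit_buf *buf = ERR_PTR(-EPERM);
 	unsigned long flags;
+	kuid_t loginuid = audit_get_loginuid(tsk);
+	u32 sessionid = audit_get_sessionid(tsk);
 
 	if (!lock_task_sighand(tsk, &flags))
 		return -ESRCH;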
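Review bot: The kerneldoc block above tty_audit_push_task begins outside the hunk, so it is not visible whether its @loginuid and @sessionid entries were dropped together with the parameters; the comparable comment for audit_receive_filter in kernel/auditfilter.c still lists the removed parameters in this same commit, so it is worth checking here as well. The two new locals are read from tsk before lock_task_sighand() is taken, which is equivalent to the old caller-supplied values as long as the only caller passes current, as kernel/audit.c does in this commit. A comment such as `/* tsk is always current for the only caller; revisit if that changes */` next to the new declarations would record that assumption for future callers.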
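--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -441,8 +441,7 @@ extern int audit_update_lsm_rules(void);
 extern int audit_filter_user(int type);
 extern int audit_filter_type(int type);
 extern int audit_receive_filter(int type, int pid, int seq,
-				void *data, size_t datasz, kuid_t loginuid,
-				u32 sessionid, u32 sid);
+				void *data, size_t datasz);
 extern int audit_enabled;
 #else /* CONFIG_AUDIT */
 static inline __printf(4, 5)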
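--- a/include/linux/tty.h
+++ b/include/linux/tty.h
@@ -517,8 +517,7 @@ extern void tty_audit_exit(void);
 extern void tty_audit_fork(struct signal_struct *sig);
 extern void tty_audit_tiocsti(struct tty_struct *tty, char ch);
 extern void tty_audit_push(struct tty_struct *tty);
-extern int tty_audit_push_task(struct task_struct *tsk,
-			       kuid_t loginuid, u32 sessionid);
+extern int tty_audit_push_task(struct task_struct *tsk);
 #else
 static inline void tty_audit_add_data(struct tty_struct *tty,
 		unsigned char *data, size_t size, unsigned icanon)
@@ -536,8 +535,7 @@ static inline void tty_audit_fork(struct signal_struct *sig)
 static inline void tty_audit_push(struct tty_struct *tty)
 {
 }
-static inline int tty_audit_push_task(struct task_struct *tsk,
-				      kuid_t loginuid, u32 sessionid)
+static inline int tty_audit_push_task(struct task_struct *tsk)
 {
 	return 0;
 }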
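--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -265,17 +265,22 @@ void audit_log_lost(const char *message)
 }
 
 static int audit_log_config_change(char *function_name, int new, int old,
-				   kuid_t loginuid, u32 sessionid, u32 sid,
 				   int allow_changes)
 {
 	struct audit_buffer *ab;
 	int rc = 0;
+	u32 sessionid = audit_get_sessionid(current);
+	uid_t auid = from_kuid(&init_user_ns, audit_get_loginuid(current));
+	u32 sid;
+
 
 	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
 	if (unlikely(!ab))
 		return rc;
 	audit_log_format(ab, "%s=%d old=%d auid=%u ses=%u", function_name, new,
-			 old, from_kuid(&init_user_ns, loginuid), sessionid);
+			 old, auid, sessionid);
+
+	security_task_getsecid(current, &sid);
 	if (sid) {
 		char *ctx = NULL;
 		u32 len;
@@ -294,9 +299,7 @@ static int audit_log_config_change(char *function_name, int new, int old,
 	return rc;
 }
 
-static int audit_do_config_change(char *function_name, int *to_change,
-				  int new, kuid_t loginuid, u32 sessionid,
-				  u32 sid)
+static int audit_do_config_change(char *function_name, int *to_change, int new)
 {
 	int allow_changes, rc = 0, old = *to_change;
 
@@ -307,8 +310,7 @@ static int audit_do_config_change(char *function_name, int *to_change,
 		allow_changes = 1;
 
 	if (audit_enabled != AUDIT_OFF) {
-		rc = audit_log_config_change(function_name, new, old, loginuid,
-					     sessionid, sid, allow_changes);
+		rc = audit_log_config_change(function_name, new, old, allow_changes);
 		if (rc)
 			allow_changes = 0;
 	}
@@ -322,44 +324,37 @@ static int audit_do_config_change(char *function_name, int *to_change,
 	return rc;
 }
 
-static int audit_set_rate_limit(int limit, kuid_t loginuid, u32 sessionid,
-				u32 sid)
+static int audit_set_rate_limit(int limit)
 {
-	return audit_do_config_change("audit_rate_limit", &audit_rate_limit,
-				      limit, loginuid, sessionid, sid);
+	return audit_do_config_change("audit_rate_limit", &audit_rate_limit, limit);
 }
 
-static int audit_set_backlog_limit(int limit, kuid_t loginuid, u32 sessionid,
-				   u32 sid)
+static int audit_set_backlog_limit(int limit)
 {
-	return audit_do_config_change("audit_backlog_limit", &audit_backlog_limit,
-				      limit, loginuid, sessionid, sid);
+	return audit_do_config_change("audit_backlog_limit", &audit_backlog_limit, limit);
 }
 
-static int audit_set_enabled(int state, kuid_t loginuid, u32 sessionid, u32 sid)
+static int audit_set_enabled(int state)
 {
 	int rc;
 	if (state < AUDIT_OFF || state > AUDIT_LOCKED)
 		return -EINVAL;
 
-	rc = audit_do_config_change("audit_enabled", &audit_enabled, state,
-				    loginuid, sessionid, sid);
-
+	rc = audit_do_config_change("audit_enabled", &audit_enabled, state);
 	if (!rc)
 		audit_ever_enabled |= !!state;
 
 	return rc;
 }
 
-static int audit_set_failure(int state, kuid_t loginuid, u32 sessionid, u32 sid)
+static int audit_set_failure(int state)
 {
 	if (state != AUDIT_FAIL_SILENT
 	    && state != AUDIT_FAIL_PRINTK
 	    && state != AUDIT_FAIL_PANIC)
 		return -EINVAL;
 
-	return audit_do_config_change("audit_failure", &audit_failure, state,
-				      loginuid, sessionid, sid);
+	return audit_do_config_change("audit_failure", &audit_failure, state);
 }
 
 /*
@@ -627,12 +622,15 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
 	return err;
 }
 
-static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type,
-				     kuid_t auid, u32 ses, u32 sid)
+static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type)
 {
 	int rc = 0;
 	char *ctx = NULL;
 	u32 len;
+	u32 sessionid = audit_get_sessionid(current);
+	uid_t uid = from_kuid(&init_user_ns, current_uid());
+	uid_t auid = from_kuid(&init_user_ns, audit_get_loginuid(current));
+	u32 sid;
 
 	if (!audit_enabled) {
 		*ab = NULL;
@@ -643,9 +641,8 @@ static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type,
 	if (unlikely(!*ab))
 		return rc;
 	audit_log_format(*ab, "pid=%d uid=%u auid=%u ses=%u",
-			 task_tgid_vnr(current),
-			 from_kuid(&init_user_ns, current_uid()),
-			 from_kuid(&init_user_ns, auid), ses);
+			 task_tgid_vnr(current), uid, auid, sessionid);
+	security_task_getsecid(current, &sid);
 	if (sid) {
 		rc = security_secid_to_secctx(sid, &ctx, &len);
 		if (rc)
@@ -661,14 +658,12 @@ static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type,
 
 static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
 {
-	u32 seq, sid;
+	u32 seq;
 	void *data;
 	struct audit_status *status_get, status_set;
 	int err;
 	struct audit_buffer *ab;
 	u16 msg_type = nlh->nlmsg_type;
-	kuid_t loginuid; /* loginuid of sender */
-	u32 sessionid;
 	struct audit_sig_info *sig_data;
 	char *ctx = NULL;
 	u32 len;
@@ -677,9 +672,6 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
 	if (err)
 		return err;
 
-	loginuid = audit_get_loginuid(current);
-	sessionid = audit_get_sessionid(current);
-	security_task_getsecid(current, &sid);
 	seq = nlh->nlmsg_seq;
 	data = nlmsg_data(nlh);
 
@@ -700,14 +692,12 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
 			return -EINVAL;
 		status_get = (struct audit_status *)data;
 		if (status_get->mask & AUDIT_STATUS_ENABLED) {
-			err = audit_set_enabled(status_get->enabled,
-						loginuid, sessionid, sid);
+			err = audit_set_enabled(status_get->enabled);
 			if (err < 0)
 				return err;
 		}
 		if (status_get->mask & AUDIT_STATUS_FAILURE) {
-			err = audit_set_failure(status_get->failure,
-						loginuid, sessionid, sid);
+			err = audit_set_failure(status_get->failure);
 			if (err < 0)
 				return err;
 		}
@@ -715,22 +705,17 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
 			int new_pid = status_get->pid;
 
 			if (audit_enabled != AUDIT_OFF)
-				audit_log_config_change("audit_pid", new_pid,
-							audit_pid, loginuid,
-							sessionid, sid, 1);
-
+				audit_log_config_change("audit_pid", new_pid, audit_pid, 1);
 			audit_pid = new_pid;
 			audit_nlk_portid = NETLINK_CB(skb).portid;
 		}
 		if (status_get->mask & AUDIT_STATUS_RATE_LIMIT) {
-			err = audit_set_rate_limit(status_get->rate_limit,
-						   loginuid, sessionid, sid);
+			err = audit_set_rate_limit(status_get->rate_limit);
 			if (err < 0)
 				return err;
 		}
 		if (status_get->mask & AUDIT_STATUS_BACKLOG_LIMIT)
-			err = audit_set_backlog_limit(status_get->backlog_limit,
-						      loginuid, sessionid, sid);
+			err = audit_set_backlog_limit(status_get->backlog_limit);
 		break;
 	case AUDIT_USER:
 	case AUDIT_FIRST_USER_MSG ... AUDIT_LAST_USER_MSG:
@@ -742,14 +727,11 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
 		if (err == 1) {
 			err = 0;
 			if (msg_type == AUDIT_USER_TTY) {
-				err = tty_audit_push_task(current, loginuid,
-							  sessionid);
+				err = tty_audit_push_task(current);
 				if (err)
 					break;
 			}
-			audit_log_common_recv_msg(&ab, msg_type,
-						  loginuid, sessionid, sid);
-
+			audit_log_common_recv_msg(&ab, msg_type);
 			if (msg_type != AUDIT_USER_TTY)
 				audit_log_format(ab, " msg='%.1024s'",
 						 (char *)data);
@@ -772,26 +754,19 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
 		if (nlmsg_len(nlh) < sizeof(struct audit_rule_data))
 			return -EINVAL;
 		if (audit_enabled == AUDIT_LOCKED) {
-			audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE,
-						  loginuid, sessionid, sid);
-
-			audit_log_format(ab, " audit_enabled=%d res=0",
-					 audit_enabled);
+			audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE);
+			audit_log_format(ab, " audit_enabled=%d res=0", audit_enabled);
 			audit_log_end(ab);
 			return -EPERM;
 		}
 		/* fallthrough */
 	case AUDIT_LIST_RULES:
 		err = audit_receive_filter(msg_type, NETLINK_CB(skb).portid,
-					   seq, data, nlmsg_len(nlh),
-					   loginuid, sessionid, sid);
+					   seq, data, nlmsg_len(nlh));
 		break;
 	case AUDIT_TRIM:
 		audit_trim_trees();
-
-		audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE,
-					  loginuid, sessionid, sid);
-
+		audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE);
 		audit_log_format(ab, " op=trim res=1");
 		audit_log_end(ab);
 		break;
@@ -821,8 +796,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
 		/* OK, here comes... */
 		err = audit_tag_tree(old, new);
 
-		audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE,
-					  loginuid, sessionid, sid);
+		audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE);
 
 		audit_log_format(ab, " op=make_equiv old=");
 		audit_log_untrustedstring(ab, old);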
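Review bot: audit_log_common_recv_msg and audit_log_config_change now take every identity field of the record (uid, auid, ses, sid) from current, and nothing in their signatures ties the record to the netlink sender any more; that is correct only while both are called synchronously from the receive path, so a comment on each stating the precondition, e.g. `/* Attributes the record to current; must be called in the sending task's context. */`, would keep a future caller from logging the wrong identity. As a minor point, audit_log_config_change ends up with two consecutive blank lines after the new `u32 sid;` declaration (new lines 275-276), one of which should go. The `u32 sid;` locals are assigned by security_task_getsecid() before the `if (sid)` test in each function, so there is no uninitialized read, but the assignment now sits several lines below the declaration and a reader may look for an initializer; declaring `u32 sid = 0;` would make that obvious.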
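--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -980,11 +980,12 @@ static void audit_list_rules(int pid, int seq, struct sk_buff_head *q)
 }
 
 /* Log rule additions and removals */
-static void audit_log_rule_change(kuid_t loginuid, u32 sessionid, u32 sid,
-				  char *action, struct audit_krule *rule,
-				  int res)
+static void audit_log_rule_change(char *action, struct audit_krule *rule, int res)
 {
 	struct audit_buffer *ab;
+	uid_t loginuid = from_kuid(&init_user_ns, audit_get_loginuid(current));
+	u32 sessionid = audit_get_sessionid(current);
+	u32 sid;
 
 	if (!audit_enabled)
 		return;
@@ -992,8 +993,8 @@ static void audit_log_rule_change(kuid_t loginuid, u32 sessionid, u32 sid,
 	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
 	if (!ab)
 		return;
-	audit_log_format(ab, "auid=%u ses=%u",
-			 from_kuid(&init_user_ns, loginuid), sessionid);
+	audit_log_format(ab, "auid=%u ses=%u" ,loginuid, sessionid);
+	security_task_getsecid(current, &sid);
 	if (sid) {
 		char *ctx = NULL;
 		u32 len;
@@ -1022,8 +1023,7 @@ static void audit_log_rule_change(kuid_t loginuid, u32 sessionid, u32 sid,
  * @sessionid: sessionid for netlink audit message
  * @sid: SE Linux Security ID of sender
  */
-int audit_receive_filter(int type, int pid, int seq, void *data,
-			 size_t datasz, kuid_t loginuid, u32 sessionid, u32 sid)
+int audit_receive_filter(int type, int pid, int seq, void *data, size_t datasz)
 {
 	struct task_struct *tsk;
 	struct audit_netlink_list *dest;
@@ -1061,9 +1061,7 @@ int audit_receive_filter(int type, int pid, int seq, void *data,
 			return PTR_ERR(entry);
 
 		err = audit_add_rule(entry);
-		audit_log_rule_change(loginuid, sessionid, sid, "add rule",
-				      &entry->rule, !err);
-
+		audit_log_rule_change("add rule", &entry->rule, !err);
 		if (err)
 			audit_free_rule(entry);
 		break;
@@ -1073,9 +1071,7 @@ int audit_receive_filter(int type, int pid, int seq, void *data,
 			return PTR_ERR(entry);
 
 		err = audit_del_rule(entry);
-		audit_log_rule_change(loginuid, sessionid, sid, "remove rule",
-				      &entry->rule, !err);
-
+		audit_log_rule_change("remove rule", &entry->rule, !err);
 		audit_free_rule(entry);
 		break;
 	default: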
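Review bot: The kerneldoc for audit_receive_filter still carries `@sessionid: sessionid for netlink audit message` and `@sid: SE Linux Security ID of sender` (new lines 1023-1024) after both parameters were removed from the signature, and the @loginuid entry that presumably sits just above the hunk is in the same situation; those lines should be deleted so the comment matches the prototype. In audit_log_rule_change the new format call has a misplaced comma: `audit_log_format(ab, "auid=%u ses=%u" ,loginuid, sessionid);` should read `audit_log_format(ab, "auid=%u ses=%u", loginuid, sessionid);`. The converted uid is named loginuid here but auid in the equivalent code in kernel/audit.c; using auid in both places would match the record's key and make the two files easier to read side by side.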