diff options
author | Al Viro <viro@zeniv.linux.org.uk> | 2009-01-04 14:52:57 -0500 |
---|---|---|
committer | Al Viro <viro@zeniv.linux.org.uk> | 2009-01-04 15:14:41 -0500 |
commit | 57f71a0af4244d9ba3c0bce74b1d2e66e8d520bd (patch) | |
tree | c089a97949fc1d459e137b18739c04e9217913d1 | |
parent | 157cf649a735a2f7e8dba0ed08e6e38b6c30d886 (diff) |
sanitize audit_log_capset()
* no allocations
* return void
* don't duplicate checked for dummy context
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-rw-r--r-- | include/linux/audit.h | 9 | ||||
-rw-r--r-- | kernel/auditsc.c | 44 | ||||
-rw-r--r-- | kernel/capability.c | 4 |
3 files changed, 21 insertions, 36 deletions
diff --git a/include/linux/audit.h b/include/linux/audit.h index bd59cd1e3219..7ddcb6a29eb1 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h | |||
@@ -457,7 +457,7 @@ extern void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat); | |||
457 | extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm, | 457 | extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm, |
458 | const struct cred *new, | 458 | const struct cred *new, |
459 | const struct cred *old); | 459 | const struct cred *old); |
460 | extern int __audit_log_capset(pid_t pid, const struct cred *new, const struct cred *old); | 460 | extern void __audit_log_capset(pid_t pid, const struct cred *new, const struct cred *old); |
461 | 461 | ||
462 | static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp) | 462 | static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp) |
463 | { | 463 | { |
@@ -504,12 +504,11 @@ static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm, | |||
504 | return 0; | 504 | return 0; |
505 | } | 505 | } |
506 | 506 | ||
507 | static inline int audit_log_capset(pid_t pid, const struct cred *new, | 507 | static inline void audit_log_capset(pid_t pid, const struct cred *new, |
508 | const struct cred *old) | 508 | const struct cred *old) |
509 | { | 509 | { |
510 | if (unlikely(!audit_dummy_context())) | 510 | if (unlikely(!audit_dummy_context())) |
511 | return __audit_log_capset(pid, new, old); | 511 | __audit_log_capset(pid, new, old); |
512 | return 0; | ||
513 | } | 512 | } |
514 | 513 | ||
515 | extern int audit_n_rules; | 514 | extern int audit_n_rules; |
@@ -544,7 +543,7 @@ extern int audit_signals; | |||
544 | #define audit_mq_notify(d,n) ((void)0) | 543 | #define audit_mq_notify(d,n) ((void)0) |
545 | #define audit_mq_getsetattr(d,s) ((void)0) | 544 | #define audit_mq_getsetattr(d,s) ((void)0) |
546 | #define audit_log_bprm_fcaps(b, ncr, ocr) ({ 0; }) | 545 | #define audit_log_bprm_fcaps(b, ncr, ocr) ({ 0; }) |
547 | #define audit_log_capset(pid, ncr, ocr) ({ 0; }) | 546 | #define audit_log_capset(pid, ncr, ocr) ((void)0) |
548 | #define audit_ptrace(t) ((void)0) | 547 | #define audit_ptrace(t) ((void)0) |
549 | #define audit_n_rules 0 | 548 | #define audit_n_rules 0 |
550 | #define audit_signals 0 | 549 | #define audit_signals 0 |
diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 327e65d50674..c76a58215f54 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c | |||
@@ -235,6 +235,10 @@ struct audit_context { | |||
235 | mode_t mode; | 235 | mode_t mode; |
236 | struct mq_attr attr; | 236 | struct mq_attr attr; |
237 | } mq_open; | 237 | } mq_open; |
238 | struct { | ||
239 | pid_t pid; | ||
240 | struct audit_cap_data cap; | ||
241 | } capset; | ||
238 | }; | 242 | }; |
239 | int fds[2]; | 243 | int fds[2]; |
240 | 244 | ||
@@ -1291,6 +1295,12 @@ static void show_special(struct audit_context *context, int *call_panic) | |||
1291 | attr->mq_flags, attr->mq_maxmsg, | 1295 | attr->mq_flags, attr->mq_maxmsg, |
1292 | attr->mq_msgsize, attr->mq_curmsgs); | 1296 | attr->mq_msgsize, attr->mq_curmsgs); |
1293 | break; } | 1297 | break; } |
1298 | case AUDIT_CAPSET: { | ||
1299 | audit_log_format(ab, "pid=%d", context->capset.pid); | ||
1300 | audit_log_cap(ab, "cap_pi", &context->capset.cap.inheritable); | ||
1301 | audit_log_cap(ab, "cap_pp", &context->capset.cap.permitted); | ||
1302 | audit_log_cap(ab, "cap_pe", &context->capset.cap.effective); | ||
1303 | break; } | ||
1294 | } | 1304 | } |
1295 | audit_log_end(ab); | 1305 | audit_log_end(ab); |
1296 | } | 1306 | } |
@@ -1392,14 +1402,6 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts | |||
1392 | audit_log_cap(ab, "new_pe", &axs->new_pcap.effective); | 1402 | audit_log_cap(ab, "new_pe", &axs->new_pcap.effective); |
1393 | break; } | 1403 | break; } |
1394 | 1404 | ||
1395 | case AUDIT_CAPSET: { | ||
1396 | struct audit_aux_data_capset *axs = (void *)aux; | ||
1397 | audit_log_format(ab, "pid=%d", axs->pid); | ||
1398 | audit_log_cap(ab, "cap_pi", &axs->cap.inheritable); | ||
1399 | audit_log_cap(ab, "cap_pp", &axs->cap.permitted); | ||
1400 | audit_log_cap(ab, "cap_pe", &axs->cap.effective); | ||
1401 | break; } | ||
1402 | |||
1403 | } | 1405 | } |
1404 | audit_log_end(ab); | 1406 | audit_log_end(ab); |
1405 | } | 1407 | } |
@@ -2456,29 +2458,15 @@ int __audit_log_bprm_fcaps(struct linux_binprm *bprm, | |||
2456 | * Record the aguments userspace sent to sys_capset for later printing by the | 2458 | * Record the aguments userspace sent to sys_capset for later printing by the |
2457 | * audit system if applicable | 2459 | * audit system if applicable |
2458 | */ | 2460 | */ |
2459 | int __audit_log_capset(pid_t pid, | 2461 | void __audit_log_capset(pid_t pid, |
2460 | const struct cred *new, const struct cred *old) | 2462 | const struct cred *new, const struct cred *old) |
2461 | { | 2463 | { |
2462 | struct audit_aux_data_capset *ax; | ||
2463 | struct audit_context *context = current->audit_context; | 2464 | struct audit_context *context = current->audit_context; |
2464 | 2465 | context->capset.pid = pid; | |
2465 | if (likely(!audit_enabled || !context || context->dummy)) | 2466 | context->capset.cap.effective = new->cap_effective; |
2466 | return 0; | 2467 | context->capset.cap.inheritable = new->cap_effective; |
2467 | 2468 | context->capset.cap.permitted = new->cap_permitted; | |
2468 | ax = kmalloc(sizeof(*ax), GFP_KERNEL); | 2469 | context->type = AUDIT_CAPSET; |
2469 | if (!ax) | ||
2470 | return -ENOMEM; | ||
2471 | |||
2472 | ax->d.type = AUDIT_CAPSET; | ||
2473 | ax->d.next = context->aux; | ||
2474 | context->aux = (void *)ax; | ||
2475 | |||
2476 | ax->pid = pid; | ||
2477 | ax->cap.effective = new->cap_effective; | ||
2478 | ax->cap.inheritable = new->cap_effective; | ||
2479 | ax->cap.permitted = new->cap_permitted; | ||
2480 | |||
2481 | return 0; | ||
2482 | } | 2470 | } |
2483 | 2471 | ||
2484 | /** | 2472 | /** |
diff --git a/kernel/capability.c b/kernel/capability.c index 36b4b4daebec..c598d9d5be4f 100644 --- a/kernel/capability.c +++ b/kernel/capability.c | |||
@@ -280,9 +280,7 @@ asmlinkage long sys_capset(cap_user_header_t header, const cap_user_data_t data) | |||
280 | if (ret < 0) | 280 | if (ret < 0) |
281 | goto error; | 281 | goto error; |
282 | 282 | ||
283 | ret = audit_log_capset(pid, new, current_cred()); | 283 | audit_log_capset(pid, new, current_cred()); |
284 | if (ret < 0) | ||
285 | return ret; | ||
286 | 284 | ||
287 | return commit_creds(new); | 285 | return commit_creds(new); |
288 | 286 | ||