aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAl Viro <viro@zeniv.linux.org.uk>2009-01-04 14:52:57 -0500
committerAl Viro <viro@zeniv.linux.org.uk>2009-01-04 15:14:41 -0500
commit57f71a0af4244d9ba3c0bce74b1d2e66e8d520bd (patch)
treec089a97949fc1d459e137b18739c04e9217913d1
parent157cf649a735a2f7e8dba0ed08e6e38b6c30d886 (diff)
sanitize audit_log_capset()
* no allocations * return void * don't duplicate checked for dummy context Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-rw-r--r--include/linux/audit.h9
-rw-r--r--kernel/auditsc.c44
-rw-r--r--kernel/capability.c4
3 files changed, 21 insertions, 36 deletions
diff --git a/include/linux/audit.h b/include/linux/audit.h
index bd59cd1e3219..7ddcb6a29eb1 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -457,7 +457,7 @@ extern void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat);
457extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm, 457extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm,
458 const struct cred *new, 458 const struct cred *new,
459 const struct cred *old); 459 const struct cred *old);
460extern int __audit_log_capset(pid_t pid, const struct cred *new, const struct cred *old); 460extern void __audit_log_capset(pid_t pid, const struct cred *new, const struct cred *old);
461 461
462static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp) 462static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
463{ 463{
@@ -504,12 +504,11 @@ static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm,
504 return 0; 504 return 0;
505} 505}
506 506
507static inline int audit_log_capset(pid_t pid, const struct cred *new, 507static inline void audit_log_capset(pid_t pid, const struct cred *new,
508 const struct cred *old) 508 const struct cred *old)
509{ 509{
510 if (unlikely(!audit_dummy_context())) 510 if (unlikely(!audit_dummy_context()))
511 return __audit_log_capset(pid, new, old); 511 __audit_log_capset(pid, new, old);
512 return 0;
513} 512}
514 513
515extern int audit_n_rules; 514extern int audit_n_rules;
@@ -544,7 +543,7 @@ extern int audit_signals;
544#define audit_mq_notify(d,n) ((void)0) 543#define audit_mq_notify(d,n) ((void)0)
545#define audit_mq_getsetattr(d,s) ((void)0) 544#define audit_mq_getsetattr(d,s) ((void)0)
546#define audit_log_bprm_fcaps(b, ncr, ocr) ({ 0; }) 545#define audit_log_bprm_fcaps(b, ncr, ocr) ({ 0; })
547#define audit_log_capset(pid, ncr, ocr) ({ 0; }) 546#define audit_log_capset(pid, ncr, ocr) ((void)0)
548#define audit_ptrace(t) ((void)0) 547#define audit_ptrace(t) ((void)0)
549#define audit_n_rules 0 548#define audit_n_rules 0
550#define audit_signals 0 549#define audit_signals 0
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 327e65d50674..c76a58215f54 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -235,6 +235,10 @@ struct audit_context {
235 mode_t mode; 235 mode_t mode;
236 struct mq_attr attr; 236 struct mq_attr attr;
237 } mq_open; 237 } mq_open;
238 struct {
239 pid_t pid;
240 struct audit_cap_data cap;
241 } capset;
238 }; 242 };
239 int fds[2]; 243 int fds[2];
240 244
@@ -1291,6 +1295,12 @@ static void show_special(struct audit_context *context, int *call_panic)
1291 attr->mq_flags, attr->mq_maxmsg, 1295 attr->mq_flags, attr->mq_maxmsg,
1292 attr->mq_msgsize, attr->mq_curmsgs); 1296 attr->mq_msgsize, attr->mq_curmsgs);
1293 break; } 1297 break; }
1298 case AUDIT_CAPSET: {
1299 audit_log_format(ab, "pid=%d", context->capset.pid);
1300 audit_log_cap(ab, "cap_pi", &context->capset.cap.inheritable);
1301 audit_log_cap(ab, "cap_pp", &context->capset.cap.permitted);
1302 audit_log_cap(ab, "cap_pe", &context->capset.cap.effective);
1303 break; }
1294 } 1304 }
1295 audit_log_end(ab); 1305 audit_log_end(ab);
1296} 1306}
@@ -1392,14 +1402,6 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
1392 audit_log_cap(ab, "new_pe", &axs->new_pcap.effective); 1402 audit_log_cap(ab, "new_pe", &axs->new_pcap.effective);
1393 break; } 1403 break; }
1394 1404
1395 case AUDIT_CAPSET: {
1396 struct audit_aux_data_capset *axs = (void *)aux;
1397 audit_log_format(ab, "pid=%d", axs->pid);
1398 audit_log_cap(ab, "cap_pi", &axs->cap.inheritable);
1399 audit_log_cap(ab, "cap_pp", &axs->cap.permitted);
1400 audit_log_cap(ab, "cap_pe", &axs->cap.effective);
1401 break; }
1402
1403 } 1405 }
1404 audit_log_end(ab); 1406 audit_log_end(ab);
1405 } 1407 }
@@ -2456,29 +2458,15 @@ int __audit_log_bprm_fcaps(struct linux_binprm *bprm,
2456 * Record the aguments userspace sent to sys_capset for later printing by the 2458 * Record the aguments userspace sent to sys_capset for later printing by the
2457 * audit system if applicable 2459 * audit system if applicable
2458 */ 2460 */
2459int __audit_log_capset(pid_t pid, 2461void __audit_log_capset(pid_t pid,
2460 const struct cred *new, const struct cred *old) 2462 const struct cred *new, const struct cred *old)
2461{ 2463{
2462 struct audit_aux_data_capset *ax;
2463 struct audit_context *context = current->audit_context; 2464 struct audit_context *context = current->audit_context;
2464 2465 context->capset.pid = pid;
2465 if (likely(!audit_enabled || !context || context->dummy)) 2466 context->capset.cap.effective = new->cap_effective;
2466 return 0; 2467 context->capset.cap.inheritable = new->cap_effective;
2467 2468 context->capset.cap.permitted = new->cap_permitted;
2468 ax = kmalloc(sizeof(*ax), GFP_KERNEL); 2469 context->type = AUDIT_CAPSET;
2469 if (!ax)
2470 return -ENOMEM;
2471
2472 ax->d.type = AUDIT_CAPSET;
2473 ax->d.next = context->aux;
2474 context->aux = (void *)ax;
2475
2476 ax->pid = pid;
2477 ax->cap.effective = new->cap_effective;
2478 ax->cap.inheritable = new->cap_effective;
2479 ax->cap.permitted = new->cap_permitted;
2480
2481 return 0;
2482} 2470}
2483 2471
2484/** 2472/**
diff --git a/kernel/capability.c b/kernel/capability.c
index 36b4b4daebec..c598d9d5be4f 100644
--- a/kernel/capability.c
+++ b/kernel/capability.c
@@ -280,9 +280,7 @@ asmlinkage long sys_capset(cap_user_header_t header, const cap_user_data_t data)
280 if (ret < 0) 280 if (ret < 0)
281 goto error; 281 goto error;
282 282
283 ret = audit_log_capset(pid, new, current_cred()); 283 audit_log_capset(pid, new, current_cred());
284 if (ret < 0)
285 return ret;
286 284
287 return commit_creds(new); 285 return commit_creds(new);
288 286