diff options
author | Al Viro <viro@zeniv.linux.org.uk> | 2006-04-26 14:04:08 -0400 |
---|---|---|
committer | Al Viro <viro@zeniv.linux.org.uk> | 2006-06-20 05:25:21 -0400 |
commit | 473ae30bc7b1dda5c5791c773f95e9424ddfead9 (patch) | |
tree | 541f6f20b9131fcfb650ca491e291d3c6b148a1b | |
parent | 9044e6bca5a4a575d3c068dfccb5651a2d6a13bc (diff) |
[PATCH] execve argument logging
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-rw-r--r-- | fs/exec.c | 6 | ||||
-rw-r--r-- | include/linux/audit.h | 6 | ||||
-rw-r--r-- | kernel/audit.c | 8 | ||||
-rw-r--r-- | kernel/auditsc.c | 51 |
4 files changed, 67 insertions, 4 deletions
@@ -49,6 +49,7 @@ | |||
49 | #include <linux/rmap.h> | 49 | #include <linux/rmap.h> |
50 | #include <linux/acct.h> | 50 | #include <linux/acct.h> |
51 | #include <linux/cn_proc.h> | 51 | #include <linux/cn_proc.h> |
52 | #include <linux/audit.h> | ||
52 | 53 | ||
53 | #include <asm/uaccess.h> | 54 | #include <asm/uaccess.h> |
54 | #include <asm/mmu_context.h> | 55 | #include <asm/mmu_context.h> |
@@ -1085,6 +1086,11 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs) | |||
1085 | /* kernel module loader fixup */ | 1086 | /* kernel module loader fixup */ |
1086 | /* so we don't try to load run modprobe in kernel space. */ | 1087 | /* so we don't try to load run modprobe in kernel space. */ |
1087 | set_fs(USER_DS); | 1088 | set_fs(USER_DS); |
1089 | |||
1090 | retval = audit_bprm(bprm); | ||
1091 | if (retval) | ||
1092 | return retval; | ||
1093 | |||
1088 | retval = -ENOENT; | 1094 | retval = -ENOENT; |
1089 | for (try=0; try<2; try++) { | 1095 | for (try=0; try<2; try++) { |
1090 | read_lock(&binfmt_lock); | 1096 | read_lock(&binfmt_lock); |
diff --git a/include/linux/audit.h b/include/linux/audit.h index e65399bf2710..1a221b65f7b7 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h | |||
@@ -83,6 +83,7 @@ | |||
83 | #define AUDIT_CONFIG_CHANGE 1305 /* Audit system configuration change */ | 83 | #define AUDIT_CONFIG_CHANGE 1305 /* Audit system configuration change */ |
84 | #define AUDIT_SOCKADDR 1306 /* sockaddr copied as syscall arg */ | 84 | #define AUDIT_SOCKADDR 1306 /* sockaddr copied as syscall arg */ |
85 | #define AUDIT_CWD 1307 /* Current working directory */ | 85 | #define AUDIT_CWD 1307 /* Current working directory */ |
86 | #define AUDIT_EXECVE 1309 /* execve arguments */ | ||
86 | #define AUDIT_IPC_SET_PERM 1311 /* IPC new permissions record type */ | 87 | #define AUDIT_IPC_SET_PERM 1311 /* IPC new permissions record type */ |
87 | 88 | ||
88 | #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */ | 89 | #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */ |
@@ -283,6 +284,7 @@ struct audit_buffer; | |||
283 | struct audit_context; | 284 | struct audit_context; |
284 | struct inode; | 285 | struct inode; |
285 | struct netlink_skb_parms; | 286 | struct netlink_skb_parms; |
287 | struct linux_binprm; | ||
286 | 288 | ||
287 | #define AUDITSC_INVALID 0 | 289 | #define AUDITSC_INVALID 0 |
288 | #define AUDITSC_SUCCESS 1 | 290 | #define AUDITSC_SUCCESS 1 |
@@ -322,6 +324,7 @@ extern int audit_set_loginuid(struct task_struct *task, uid_t loginuid); | |||
322 | extern uid_t audit_get_loginuid(struct audit_context *ctx); | 324 | extern uid_t audit_get_loginuid(struct audit_context *ctx); |
323 | extern int audit_ipc_obj(struct kern_ipc_perm *ipcp); | 325 | extern int audit_ipc_obj(struct kern_ipc_perm *ipcp); |
324 | extern int audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode, struct kern_ipc_perm *ipcp); | 326 | extern int audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode, struct kern_ipc_perm *ipcp); |
327 | extern int audit_bprm(struct linux_binprm *bprm); | ||
325 | extern int audit_socketcall(int nargs, unsigned long *args); | 328 | extern int audit_socketcall(int nargs, unsigned long *args); |
326 | extern int audit_sockaddr(int len, void *addr); | 329 | extern int audit_sockaddr(int len, void *addr); |
327 | extern int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt); | 330 | extern int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt); |
@@ -342,6 +345,7 @@ extern int audit_set_macxattr(const char *name); | |||
342 | #define audit_get_loginuid(c) ({ -1; }) | 345 | #define audit_get_loginuid(c) ({ -1; }) |
343 | #define audit_ipc_obj(i) ({ 0; }) | 346 | #define audit_ipc_obj(i) ({ 0; }) |
344 | #define audit_ipc_set_perm(q,u,g,m,i) ({ 0; }) | 347 | #define audit_ipc_set_perm(q,u,g,m,i) ({ 0; }) |
348 | #define audit_bprm(p) ({ 0; }) | ||
345 | #define audit_socketcall(n,a) ({ 0; }) | 349 | #define audit_socketcall(n,a) ({ 0; }) |
346 | #define audit_sockaddr(len, addr) ({ 0; }) | 350 | #define audit_sockaddr(len, addr) ({ 0; }) |
347 | #define audit_avc_path(dentry, mnt) ({ 0; }) | 351 | #define audit_avc_path(dentry, mnt) ({ 0; }) |
@@ -364,7 +368,7 @@ extern void audit_log_end(struct audit_buffer *ab); | |||
364 | extern void audit_log_hex(struct audit_buffer *ab, | 368 | extern void audit_log_hex(struct audit_buffer *ab, |
365 | const unsigned char *buf, | 369 | const unsigned char *buf, |
366 | size_t len); | 370 | size_t len); |
367 | extern void audit_log_untrustedstring(struct audit_buffer *ab, | 371 | extern const char * audit_log_untrustedstring(struct audit_buffer *ab, |
368 | const char *string); | 372 | const char *string); |
369 | extern void audit_log_d_path(struct audit_buffer *ab, | 373 | extern void audit_log_d_path(struct audit_buffer *ab, |
370 | const char *prefix, | 374 | const char *prefix, |
diff --git a/kernel/audit.c b/kernel/audit.c index bf74bf02aa4b..d09f131b111a 100644 --- a/kernel/audit.c +++ b/kernel/audit.c | |||
@@ -1026,18 +1026,20 @@ void audit_log_hex(struct audit_buffer *ab, const unsigned char *buf, | |||
1026 | * or a space. Unescaped strings will start and end with a double quote mark. | 1026 | * or a space. Unescaped strings will start and end with a double quote mark. |
1027 | * Strings that are escaped are printed in hex (2 digits per char). | 1027 | * Strings that are escaped are printed in hex (2 digits per char). |
1028 | */ | 1028 | */ |
1029 | void audit_log_untrustedstring(struct audit_buffer *ab, const char *string) | 1029 | const char *audit_log_untrustedstring(struct audit_buffer *ab, const char *string) |
1030 | { | 1030 | { |
1031 | const unsigned char *p = string; | 1031 | const unsigned char *p = string; |
1032 | size_t len = strlen(string); | ||
1032 | 1033 | ||
1033 | while (*p) { | 1034 | while (*p) { |
1034 | if (*p == '"' || *p < 0x21 || *p > 0x7f) { | 1035 | if (*p == '"' || *p < 0x21 || *p > 0x7f) { |
1035 | audit_log_hex(ab, string, strlen(string)); | 1036 | audit_log_hex(ab, string, len); |
1036 | return; | 1037 | return string + len + 1; |
1037 | } | 1038 | } |
1038 | p++; | 1039 | p++; |
1039 | } | 1040 | } |
1040 | audit_log_format(ab, "\"%s\"", string); | 1041 | audit_log_format(ab, "\"%s\"", string); |
1042 | return p + 1; | ||
1041 | } | 1043 | } |
1042 | 1044 | ||
1043 | /* This is a helper-function to print the escaped d_path */ | 1045 | /* This is a helper-function to print the escaped d_path */ |
diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 1c03a4ed1b27..114f921979ec 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c | |||
@@ -59,6 +59,7 @@ | |||
59 | #include <linux/list.h> | 59 | #include <linux/list.h> |
60 | #include <linux/tty.h> | 60 | #include <linux/tty.h> |
61 | #include <linux/selinux.h> | 61 | #include <linux/selinux.h> |
62 | #include <linux/binfmts.h> | ||
62 | 63 | ||
63 | #include "audit.h" | 64 | #include "audit.h" |
64 | 65 | ||
@@ -110,6 +111,13 @@ struct audit_aux_data_ipcctl { | |||
110 | u32 osid; | 111 | u32 osid; |
111 | }; | 112 | }; |
112 | 113 | ||
114 | struct audit_aux_data_execve { | ||
115 | struct audit_aux_data d; | ||
116 | int argc; | ||
117 | int envc; | ||
118 | char mem[0]; | ||
119 | }; | ||
120 | |||
113 | struct audit_aux_data_socketcall { | 121 | struct audit_aux_data_socketcall { |
114 | struct audit_aux_data d; | 122 | struct audit_aux_data d; |
115 | int nargs; | 123 | int nargs; |
@@ -667,6 +675,16 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts | |||
667 | kfree(ctx); | 675 | kfree(ctx); |
668 | } | 676 | } |
669 | break; } | 677 | break; } |
678 | case AUDIT_EXECVE: { | ||
679 | struct audit_aux_data_execve *axi = (void *)aux; | ||
680 | int i; | ||
681 | const char *p; | ||
682 | for (i = 0, p = axi->mem; i < axi->argc; i++) { | ||
683 | audit_log_format(ab, "a%d=", i); | ||
684 | p = audit_log_untrustedstring(ab, p); | ||
685 | audit_log_format(ab, "\n"); | ||
686 | } | ||
687 | break; } | ||
670 | 688 | ||
671 | case AUDIT_SOCKETCALL: { | 689 | case AUDIT_SOCKETCALL: { |
672 | int i; | 690 | int i; |
@@ -1231,6 +1249,39 @@ int audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode, | |||
1231 | return 0; | 1249 | return 0; |
1232 | } | 1250 | } |
1233 | 1251 | ||
1252 | int audit_bprm(struct linux_binprm *bprm) | ||
1253 | { | ||
1254 | struct audit_aux_data_execve *ax; | ||
1255 | struct audit_context *context = current->audit_context; | ||
1256 | unsigned long p, next; | ||
1257 | void *to; | ||
1258 | |||
1259 | if (likely(!audit_enabled || !context)) | ||
1260 | return 0; | ||
1261 | |||
1262 | ax = kmalloc(sizeof(*ax) + PAGE_SIZE * MAX_ARG_PAGES - bprm->p, | ||
1263 | GFP_KERNEL); | ||
1264 | if (!ax) | ||
1265 | return -ENOMEM; | ||
1266 | |||
1267 | ax->argc = bprm->argc; | ||
1268 | ax->envc = bprm->envc; | ||
1269 | for (p = bprm->p, to = ax->mem; p < MAX_ARG_PAGES*PAGE_SIZE; p = next) { | ||
1270 | struct page *page = bprm->page[p / PAGE_SIZE]; | ||
1271 | void *kaddr = kmap(page); | ||
1272 | next = (p + PAGE_SIZE) & ~(PAGE_SIZE - 1); | ||
1273 | memcpy(to, kaddr + (p & (PAGE_SIZE - 1)), next - p); | ||
1274 | to += next - p; | ||
1275 | kunmap(page); | ||
1276 | } | ||
1277 | |||
1278 | ax->d.type = AUDIT_EXECVE; | ||
1279 | ax->d.next = context->aux; | ||
1280 | context->aux = (void *)ax; | ||
1281 | return 0; | ||
1282 | } | ||
1283 | |||
1284 | |||
1234 | /** | 1285 | /** |
1235 | * audit_socketcall - record audit data for sys_socketcall | 1286 | * audit_socketcall - record audit data for sys_socketcall |
1236 | * @nargs: number of args | 1287 | * @nargs: number of args |