diff options
author | James Morris <jmorris@namei.org> | 2008-12-24 19:40:09 -0500 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2008-12-24 19:40:09 -0500 |
commit | cbacc2c7f066a1e01b33b0e27ae5efbf534bc2db (patch) | |
tree | 90d1093131d2a3543a8b3b1f3364e7c6f4081a93 /kernel/auditsc.c | |
parent | 4a6908a3a050aacc9c3a2f36b276b46c0629ad91 (diff) | |
parent | 74192246910ff4fb95309ba1a683215644beeb62 (diff) |
Merge branch 'next' into for-linus
Diffstat (limited to 'kernel/auditsc.c')
-rw-r--r-- | kernel/auditsc.c | 255 |
1 files changed, 226 insertions, 29 deletions
diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 2a3f0afc4d2a..4819f3711973 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c | |||
@@ -65,6 +65,7 @@ | |||
65 | #include <linux/highmem.h> | 65 | #include <linux/highmem.h> |
66 | #include <linux/syscalls.h> | 66 | #include <linux/syscalls.h> |
67 | #include <linux/inotify.h> | 67 | #include <linux/inotify.h> |
68 | #include <linux/capability.h> | ||
68 | 69 | ||
69 | #include "audit.h" | 70 | #include "audit.h" |
70 | 71 | ||
@@ -84,6 +85,15 @@ int audit_n_rules; | |||
84 | /* determines whether we collect data for signals sent */ | 85 | /* determines whether we collect data for signals sent */ |
85 | int audit_signals; | 86 | int audit_signals; |
86 | 87 | ||
88 | struct audit_cap_data { | ||
89 | kernel_cap_t permitted; | ||
90 | kernel_cap_t inheritable; | ||
91 | union { | ||
92 | unsigned int fE; /* effective bit of a file capability */ | ||
93 | kernel_cap_t effective; /* effective set of a process */ | ||
94 | }; | ||
95 | }; | ||
96 | |||
87 | /* When fs/namei.c:getname() is called, we store the pointer in name and | 97 | /* When fs/namei.c:getname() is called, we store the pointer in name and |
88 | * we don't let putname() free it (instead we free all of the saved | 98 | * we don't let putname() free it (instead we free all of the saved |
89 | * pointers at syscall exit time). | 99 | * pointers at syscall exit time). |
@@ -100,6 +110,8 @@ struct audit_names { | |||
100 | gid_t gid; | 110 | gid_t gid; |
101 | dev_t rdev; | 111 | dev_t rdev; |
102 | u32 osid; | 112 | u32 osid; |
113 | struct audit_cap_data fcap; | ||
114 | unsigned int fcap_ver; | ||
103 | }; | 115 | }; |
104 | 116 | ||
105 | struct audit_aux_data { | 117 | struct audit_aux_data { |
@@ -184,6 +196,20 @@ struct audit_aux_data_pids { | |||
184 | int pid_count; | 196 | int pid_count; |
185 | }; | 197 | }; |
186 | 198 | ||
199 | struct audit_aux_data_bprm_fcaps { | ||
200 | struct audit_aux_data d; | ||
201 | struct audit_cap_data fcap; | ||
202 | unsigned int fcap_ver; | ||
203 | struct audit_cap_data old_pcap; | ||
204 | struct audit_cap_data new_pcap; | ||
205 | }; | ||
206 | |||
207 | struct audit_aux_data_capset { | ||
208 | struct audit_aux_data d; | ||
209 | pid_t pid; | ||
210 | struct audit_cap_data cap; | ||
211 | }; | ||
212 | |||
187 | struct audit_tree_refs { | 213 | struct audit_tree_refs { |
188 | struct audit_tree_refs *next; | 214 | struct audit_tree_refs *next; |
189 | struct audit_chunk *c[31]; | 215 | struct audit_chunk *c[31]; |
@@ -421,6 +447,7 @@ static int audit_filter_rules(struct task_struct *tsk, | |||
421 | struct audit_names *name, | 447 | struct audit_names *name, |
422 | enum audit_state *state) | 448 | enum audit_state *state) |
423 | { | 449 | { |
450 | const struct cred *cred = get_task_cred(tsk); | ||
424 | int i, j, need_sid = 1; | 451 | int i, j, need_sid = 1; |
425 | u32 sid; | 452 | u32 sid; |
426 | 453 | ||
@@ -440,28 +467,28 @@ static int audit_filter_rules(struct task_struct *tsk, | |||
440 | } | 467 | } |
441 | break; | 468 | break; |
442 | case AUDIT_UID: | 469 | case AUDIT_UID: |
443 | result = audit_comparator(tsk->uid, f->op, f->val); | 470 | result = audit_comparator(cred->uid, f->op, f->val); |
444 | break; | 471 | break; |
445 | case AUDIT_EUID: | 472 | case AUDIT_EUID: |
446 | result = audit_comparator(tsk->euid, f->op, f->val); | 473 | result = audit_comparator(cred->euid, f->op, f->val); |
447 | break; | 474 | break; |
448 | case AUDIT_SUID: | 475 | case AUDIT_SUID: |
449 | result = audit_comparator(tsk->suid, f->op, f->val); | 476 | result = audit_comparator(cred->suid, f->op, f->val); |
450 | break; | 477 | break; |
451 | case AUDIT_FSUID: | 478 | case AUDIT_FSUID: |
452 | result = audit_comparator(tsk->fsuid, f->op, f->val); | 479 | result = audit_comparator(cred->fsuid, f->op, f->val); |
453 | break; | 480 | break; |
454 | case AUDIT_GID: | 481 | case AUDIT_GID: |
455 | result = audit_comparator(tsk->gid, f->op, f->val); | 482 | result = audit_comparator(cred->gid, f->op, f->val); |
456 | break; | 483 | break; |
457 | case AUDIT_EGID: | 484 | case AUDIT_EGID: |
458 | result = audit_comparator(tsk->egid, f->op, f->val); | 485 | result = audit_comparator(cred->egid, f->op, f->val); |
459 | break; | 486 | break; |
460 | case AUDIT_SGID: | 487 | case AUDIT_SGID: |
461 | result = audit_comparator(tsk->sgid, f->op, f->val); | 488 | result = audit_comparator(cred->sgid, f->op, f->val); |
462 | break; | 489 | break; |
463 | case AUDIT_FSGID: | 490 | case AUDIT_FSGID: |
464 | result = audit_comparator(tsk->fsgid, f->op, f->val); | 491 | result = audit_comparator(cred->fsgid, f->op, f->val); |
465 | break; | 492 | break; |
466 | case AUDIT_PERS: | 493 | case AUDIT_PERS: |
467 | result = audit_comparator(tsk->personality, f->op, f->val); | 494 | result = audit_comparator(tsk->personality, f->op, f->val); |
@@ -615,8 +642,10 @@ static int audit_filter_rules(struct task_struct *tsk, | |||
615 | break; | 642 | break; |
616 | } | 643 | } |
617 | 644 | ||
618 | if (!result) | 645 | if (!result) { |
646 | put_cred(cred); | ||
619 | return 0; | 647 | return 0; |
648 | } | ||
620 | } | 649 | } |
621 | if (rule->filterkey && ctx) | 650 | if (rule->filterkey && ctx) |
622 | ctx->filterkey = kstrdup(rule->filterkey, GFP_ATOMIC); | 651 | ctx->filterkey = kstrdup(rule->filterkey, GFP_ATOMIC); |
@@ -624,6 +653,7 @@ static int audit_filter_rules(struct task_struct *tsk, | |||
624 | case AUDIT_NEVER: *state = AUDIT_DISABLED; break; | 653 | case AUDIT_NEVER: *state = AUDIT_DISABLED; break; |
625 | case AUDIT_ALWAYS: *state = AUDIT_RECORD_CONTEXT; break; | 654 | case AUDIT_ALWAYS: *state = AUDIT_RECORD_CONTEXT; break; |
626 | } | 655 | } |
656 | put_cred(cred); | ||
627 | return 1; | 657 | return 1; |
628 | } | 658 | } |
629 | 659 | ||
@@ -1171,8 +1201,38 @@ static void audit_log_execve_info(struct audit_context *context, | |||
1171 | kfree(buf); | 1201 | kfree(buf); |
1172 | } | 1202 | } |
1173 | 1203 | ||
1204 | static void audit_log_cap(struct audit_buffer *ab, char *prefix, kernel_cap_t *cap) | ||
1205 | { | ||
1206 | int i; | ||
1207 | |||
1208 | audit_log_format(ab, " %s=", prefix); | ||
1209 | CAP_FOR_EACH_U32(i) { | ||
1210 | audit_log_format(ab, "%08x", cap->cap[(_KERNEL_CAPABILITY_U32S-1) - i]); | ||
1211 | } | ||
1212 | } | ||
1213 | |||
1214 | static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name) | ||
1215 | { | ||
1216 | kernel_cap_t *perm = &name->fcap.permitted; | ||
1217 | kernel_cap_t *inh = &name->fcap.inheritable; | ||
1218 | int log = 0; | ||
1219 | |||
1220 | if (!cap_isclear(*perm)) { | ||
1221 | audit_log_cap(ab, "cap_fp", perm); | ||
1222 | log = 1; | ||
1223 | } | ||
1224 | if (!cap_isclear(*inh)) { | ||
1225 | audit_log_cap(ab, "cap_fi", inh); | ||
1226 | log = 1; | ||
1227 | } | ||
1228 | |||
1229 | if (log) | ||
1230 | audit_log_format(ab, " cap_fe=%d cap_fver=%x", name->fcap.fE, name->fcap_ver); | ||
1231 | } | ||
1232 | |||
1174 | static void audit_log_exit(struct audit_context *context, struct task_struct *tsk) | 1233 | static void audit_log_exit(struct audit_context *context, struct task_struct *tsk) |
1175 | { | 1234 | { |
1235 | const struct cred *cred; | ||
1176 | int i, call_panic = 0; | 1236 | int i, call_panic = 0; |
1177 | struct audit_buffer *ab; | 1237 | struct audit_buffer *ab; |
1178 | struct audit_aux_data *aux; | 1238 | struct audit_aux_data *aux; |
@@ -1182,14 +1242,15 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts | |||
1182 | context->pid = tsk->pid; | 1242 | context->pid = tsk->pid; |
1183 | if (!context->ppid) | 1243 | if (!context->ppid) |
1184 | context->ppid = sys_getppid(); | 1244 | context->ppid = sys_getppid(); |
1185 | context->uid = tsk->uid; | 1245 | cred = current_cred(); |
1186 | context->gid = tsk->gid; | 1246 | context->uid = cred->uid; |
1187 | context->euid = tsk->euid; | 1247 | context->gid = cred->gid; |
1188 | context->suid = tsk->suid; | 1248 | context->euid = cred->euid; |
1189 | context->fsuid = tsk->fsuid; | 1249 | context->suid = cred->suid; |
1190 | context->egid = tsk->egid; | 1250 | context->fsuid = cred->fsuid; |
1191 | context->sgid = tsk->sgid; | 1251 | context->egid = cred->egid; |
1192 | context->fsgid = tsk->fsgid; | 1252 | context->sgid = cred->sgid; |
1253 | context->fsgid = cred->fsgid; | ||
1193 | context->personality = tsk->personality; | 1254 | context->personality = tsk->personality; |
1194 | 1255 | ||
1195 | ab = audit_log_start(context, GFP_KERNEL, AUDIT_SYSCALL); | 1256 | ab = audit_log_start(context, GFP_KERNEL, AUDIT_SYSCALL); |
@@ -1334,6 +1395,28 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts | |||
1334 | audit_log_format(ab, "fd0=%d fd1=%d", axs->fd[0], axs->fd[1]); | 1395 | audit_log_format(ab, "fd0=%d fd1=%d", axs->fd[0], axs->fd[1]); |
1335 | break; } | 1396 | break; } |
1336 | 1397 | ||
1398 | case AUDIT_BPRM_FCAPS: { | ||
1399 | struct audit_aux_data_bprm_fcaps *axs = (void *)aux; | ||
1400 | audit_log_format(ab, "fver=%x", axs->fcap_ver); | ||
1401 | audit_log_cap(ab, "fp", &axs->fcap.permitted); | ||
1402 | audit_log_cap(ab, "fi", &axs->fcap.inheritable); | ||
1403 | audit_log_format(ab, " fe=%d", axs->fcap.fE); | ||
1404 | audit_log_cap(ab, "old_pp", &axs->old_pcap.permitted); | ||
1405 | audit_log_cap(ab, "old_pi", &axs->old_pcap.inheritable); | ||
1406 | audit_log_cap(ab, "old_pe", &axs->old_pcap.effective); | ||
1407 | audit_log_cap(ab, "new_pp", &axs->new_pcap.permitted); | ||
1408 | audit_log_cap(ab, "new_pi", &axs->new_pcap.inheritable); | ||
1409 | audit_log_cap(ab, "new_pe", &axs->new_pcap.effective); | ||
1410 | break; } | ||
1411 | |||
1412 | case AUDIT_CAPSET: { | ||
1413 | struct audit_aux_data_capset *axs = (void *)aux; | ||
1414 | audit_log_format(ab, "pid=%d", axs->pid); | ||
1415 | audit_log_cap(ab, "cap_pi", &axs->cap.inheritable); | ||
1416 | audit_log_cap(ab, "cap_pp", &axs->cap.permitted); | ||
1417 | audit_log_cap(ab, "cap_pe", &axs->cap.effective); | ||
1418 | break; } | ||
1419 | |||
1337 | } | 1420 | } |
1338 | audit_log_end(ab); | 1421 | audit_log_end(ab); |
1339 | } | 1422 | } |
@@ -1421,6 +1504,8 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts | |||
1421 | } | 1504 | } |
1422 | } | 1505 | } |
1423 | 1506 | ||
1507 | audit_log_fcaps(ab, n); | ||
1508 | |||
1424 | audit_log_end(ab); | 1509 | audit_log_end(ab); |
1425 | } | 1510 | } |
1426 | 1511 | ||
@@ -1802,8 +1887,36 @@ static int audit_inc_name_count(struct audit_context *context, | |||
1802 | return 0; | 1887 | return 0; |
1803 | } | 1888 | } |
1804 | 1889 | ||
1890 | |||
1891 | static inline int audit_copy_fcaps(struct audit_names *name, const struct dentry *dentry) | ||
1892 | { | ||
1893 | struct cpu_vfs_cap_data caps; | ||
1894 | int rc; | ||
1895 | |||
1896 | memset(&name->fcap.permitted, 0, sizeof(kernel_cap_t)); | ||
1897 | memset(&name->fcap.inheritable, 0, sizeof(kernel_cap_t)); | ||
1898 | name->fcap.fE = 0; | ||
1899 | name->fcap_ver = 0; | ||
1900 | |||
1901 | if (!dentry) | ||
1902 | return 0; | ||
1903 | |||
1904 | rc = get_vfs_caps_from_disk(dentry, &caps); | ||
1905 | if (rc) | ||
1906 | return rc; | ||
1907 | |||
1908 | name->fcap.permitted = caps.permitted; | ||
1909 | name->fcap.inheritable = caps.inheritable; | ||
1910 | name->fcap.fE = !!(caps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE); | ||
1911 | name->fcap_ver = (caps.magic_etc & VFS_CAP_REVISION_MASK) >> VFS_CAP_REVISION_SHIFT; | ||
1912 | |||
1913 | return 0; | ||
1914 | } | ||
1915 | |||
1916 | |||
1805 | /* Copy inode data into an audit_names. */ | 1917 | /* Copy inode data into an audit_names. */ |
1806 | static void audit_copy_inode(struct audit_names *name, const struct inode *inode) | 1918 | static void audit_copy_inode(struct audit_names *name, const struct dentry *dentry, |
1919 | const struct inode *inode) | ||
1807 | { | 1920 | { |
1808 | name->ino = inode->i_ino; | 1921 | name->ino = inode->i_ino; |
1809 | name->dev = inode->i_sb->s_dev; | 1922 | name->dev = inode->i_sb->s_dev; |
@@ -1812,6 +1925,7 @@ static void audit_copy_inode(struct audit_names *name, const struct inode *inode | |||
1812 | name->gid = inode->i_gid; | 1925 | name->gid = inode->i_gid; |
1813 | name->rdev = inode->i_rdev; | 1926 | name->rdev = inode->i_rdev; |
1814 | security_inode_getsecid(inode, &name->osid); | 1927 | security_inode_getsecid(inode, &name->osid); |
1928 | audit_copy_fcaps(name, dentry); | ||
1815 | } | 1929 | } |
1816 | 1930 | ||
1817 | /** | 1931 | /** |
@@ -1846,7 +1960,7 @@ void __audit_inode(const char *name, const struct dentry *dentry) | |||
1846 | context->names[idx].name = NULL; | 1960 | context->names[idx].name = NULL; |
1847 | } | 1961 | } |
1848 | handle_path(dentry); | 1962 | handle_path(dentry); |
1849 | audit_copy_inode(&context->names[idx], inode); | 1963 | audit_copy_inode(&context->names[idx], dentry, inode); |
1850 | } | 1964 | } |
1851 | 1965 | ||
1852 | /** | 1966 | /** |
@@ -1907,7 +2021,7 @@ void __audit_inode_child(const char *dname, const struct dentry *dentry, | |||
1907 | if (!strcmp(dname, n->name) || | 2021 | if (!strcmp(dname, n->name) || |
1908 | !audit_compare_dname_path(dname, n->name, &dirlen)) { | 2022 | !audit_compare_dname_path(dname, n->name, &dirlen)) { |
1909 | if (inode) | 2023 | if (inode) |
1910 | audit_copy_inode(n, inode); | 2024 | audit_copy_inode(n, NULL, inode); |
1911 | else | 2025 | else |
1912 | n->ino = (unsigned long)-1; | 2026 | n->ino = (unsigned long)-1; |
1913 | found_child = n->name; | 2027 | found_child = n->name; |
@@ -1921,7 +2035,7 @@ add_names: | |||
1921 | return; | 2035 | return; |
1922 | idx = context->name_count - 1; | 2036 | idx = context->name_count - 1; |
1923 | context->names[idx].name = NULL; | 2037 | context->names[idx].name = NULL; |
1924 | audit_copy_inode(&context->names[idx], parent); | 2038 | audit_copy_inode(&context->names[idx], NULL, parent); |
1925 | } | 2039 | } |
1926 | 2040 | ||
1927 | if (!found_child) { | 2041 | if (!found_child) { |
@@ -1942,7 +2056,7 @@ add_names: | |||
1942 | } | 2056 | } |
1943 | 2057 | ||
1944 | if (inode) | 2058 | if (inode) |
1945 | audit_copy_inode(&context->names[idx], inode); | 2059 | audit_copy_inode(&context->names[idx], NULL, inode); |
1946 | else | 2060 | else |
1947 | context->names[idx].ino = (unsigned long)-1; | 2061 | context->names[idx].ino = (unsigned long)-1; |
1948 | } | 2062 | } |
@@ -1996,7 +2110,7 @@ int audit_set_loginuid(struct task_struct *task, uid_t loginuid) | |||
1996 | audit_log_format(ab, "login pid=%d uid=%u " | 2110 | audit_log_format(ab, "login pid=%d uid=%u " |
1997 | "old auid=%u new auid=%u" | 2111 | "old auid=%u new auid=%u" |
1998 | " old ses=%u new ses=%u", | 2112 | " old ses=%u new ses=%u", |
1999 | task->pid, task->uid, | 2113 | task->pid, task_uid(task), |
2000 | task->loginuid, loginuid, | 2114 | task->loginuid, loginuid, |
2001 | task->sessionid, sessionid); | 2115 | task->sessionid, sessionid); |
2002 | audit_log_end(ab); | 2116 | audit_log_end(ab); |
@@ -2379,7 +2493,7 @@ void __audit_ptrace(struct task_struct *t) | |||
2379 | 2493 | ||
2380 | context->target_pid = t->pid; | 2494 | context->target_pid = t->pid; |
2381 | context->target_auid = audit_get_loginuid(t); | 2495 | context->target_auid = audit_get_loginuid(t); |
2382 | context->target_uid = t->uid; | 2496 | context->target_uid = task_uid(t); |
2383 | context->target_sessionid = audit_get_sessionid(t); | 2497 | context->target_sessionid = audit_get_sessionid(t); |
2384 | security_task_getsecid(t, &context->target_sid); | 2498 | security_task_getsecid(t, &context->target_sid); |
2385 | memcpy(context->target_comm, t->comm, TASK_COMM_LEN); | 2499 | memcpy(context->target_comm, t->comm, TASK_COMM_LEN); |
@@ -2398,6 +2512,7 @@ int __audit_signal_info(int sig, struct task_struct *t) | |||
2398 | struct audit_aux_data_pids *axp; | 2512 | struct audit_aux_data_pids *axp; |
2399 | struct task_struct *tsk = current; | 2513 | struct task_struct *tsk = current; |
2400 | struct audit_context *ctx = tsk->audit_context; | 2514 | struct audit_context *ctx = tsk->audit_context; |
2515 | uid_t uid = current_uid(), t_uid = task_uid(t); | ||
2401 | 2516 | ||
2402 | if (audit_pid && t->tgid == audit_pid) { | 2517 | if (audit_pid && t->tgid == audit_pid) { |
2403 | if (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1 || sig == SIGUSR2) { | 2518 | if (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1 || sig == SIGUSR2) { |
@@ -2405,7 +2520,7 @@ int __audit_signal_info(int sig, struct task_struct *t) | |||
2405 | if (tsk->loginuid != -1) | 2520 | if (tsk->loginuid != -1) |
2406 | audit_sig_uid = tsk->loginuid; | 2521 | audit_sig_uid = tsk->loginuid; |
2407 | else | 2522 | else |
2408 | audit_sig_uid = tsk->uid; | 2523 | audit_sig_uid = uid; |
2409 | security_task_getsecid(tsk, &audit_sig_sid); | 2524 | security_task_getsecid(tsk, &audit_sig_sid); |
2410 | } | 2525 | } |
2411 | if (!audit_signals || audit_dummy_context()) | 2526 | if (!audit_signals || audit_dummy_context()) |
@@ -2417,7 +2532,7 @@ int __audit_signal_info(int sig, struct task_struct *t) | |||
2417 | if (!ctx->target_pid) { | 2532 | if (!ctx->target_pid) { |
2418 | ctx->target_pid = t->tgid; | 2533 | ctx->target_pid = t->tgid; |
2419 | ctx->target_auid = audit_get_loginuid(t); | 2534 | ctx->target_auid = audit_get_loginuid(t); |
2420 | ctx->target_uid = t->uid; | 2535 | ctx->target_uid = t_uid; |
2421 | ctx->target_sessionid = audit_get_sessionid(t); | 2536 | ctx->target_sessionid = audit_get_sessionid(t); |
2422 | security_task_getsecid(t, &ctx->target_sid); | 2537 | security_task_getsecid(t, &ctx->target_sid); |
2423 | memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN); | 2538 | memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN); |
@@ -2438,7 +2553,7 @@ int __audit_signal_info(int sig, struct task_struct *t) | |||
2438 | 2553 | ||
2439 | axp->target_pid[axp->pid_count] = t->tgid; | 2554 | axp->target_pid[axp->pid_count] = t->tgid; |
2440 | axp->target_auid[axp->pid_count] = audit_get_loginuid(t); | 2555 | axp->target_auid[axp->pid_count] = audit_get_loginuid(t); |
2441 | axp->target_uid[axp->pid_count] = t->uid; | 2556 | axp->target_uid[axp->pid_count] = t_uid; |
2442 | axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t); | 2557 | axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t); |
2443 | security_task_getsecid(t, &axp->target_sid[axp->pid_count]); | 2558 | security_task_getsecid(t, &axp->target_sid[axp->pid_count]); |
2444 | memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN); | 2559 | memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN); |
@@ -2448,6 +2563,86 @@ int __audit_signal_info(int sig, struct task_struct *t) | |||
2448 | } | 2563 | } |
2449 | 2564 | ||
2450 | /** | 2565 | /** |
2566 | * __audit_log_bprm_fcaps - store information about a loading bprm and relevant fcaps | ||
2567 | * @bprm: pointer to the bprm being processed | ||
2568 | * @new: the proposed new credentials | ||
2569 | * @old: the old credentials | ||
2570 | * | ||
2571 | * Simply check if the proc already has the caps given by the file and if not | ||
2572 | * store the priv escalation info for later auditing at the end of the syscall | ||
2573 | * | ||
2574 | * -Eric | ||
2575 | */ | ||
2576 | int __audit_log_bprm_fcaps(struct linux_binprm *bprm, | ||
2577 | const struct cred *new, const struct cred *old) | ||
2578 | { | ||
2579 | struct audit_aux_data_bprm_fcaps *ax; | ||
2580 | struct audit_context *context = current->audit_context; | ||
2581 | struct cpu_vfs_cap_data vcaps; | ||
2582 | struct dentry *dentry; | ||
2583 | |||
2584 | ax = kmalloc(sizeof(*ax), GFP_KERNEL); | ||
2585 | if (!ax) | ||
2586 | return -ENOMEM; | ||
2587 | |||
2588 | ax->d.type = AUDIT_BPRM_FCAPS; | ||
2589 | ax->d.next = context->aux; | ||
2590 | context->aux = (void *)ax; | ||
2591 | |||
2592 | dentry = dget(bprm->file->f_dentry); | ||
2593 | get_vfs_caps_from_disk(dentry, &vcaps); | ||
2594 | dput(dentry); | ||
2595 | |||
2596 | ax->fcap.permitted = vcaps.permitted; | ||
2597 | ax->fcap.inheritable = vcaps.inheritable; | ||
2598 | ax->fcap.fE = !!(vcaps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE); | ||
2599 | ax->fcap_ver = (vcaps.magic_etc & VFS_CAP_REVISION_MASK) >> VFS_CAP_REVISION_SHIFT; | ||
2600 | |||
2601 | ax->old_pcap.permitted = old->cap_permitted; | ||
2602 | ax->old_pcap.inheritable = old->cap_inheritable; | ||
2603 | ax->old_pcap.effective = old->cap_effective; | ||
2604 | |||
2605 | ax->new_pcap.permitted = new->cap_permitted; | ||
2606 | ax->new_pcap.inheritable = new->cap_inheritable; | ||
2607 | ax->new_pcap.effective = new->cap_effective; | ||
2608 | return 0; | ||
2609 | } | ||
2610 | |||
2611 | /** | ||
2612 | * __audit_log_capset - store information about the arguments to the capset syscall | ||
2613 | * @pid: target pid of the capset call | ||
2614 | * @new: the new credentials | ||
2615 | * @old: the old (current) credentials | ||
2616 | * | ||
2617 | * Record the aguments userspace sent to sys_capset for later printing by the | ||
2618 | * audit system if applicable | ||
2619 | */ | ||
2620 | int __audit_log_capset(pid_t pid, | ||
2621 | const struct cred *new, const struct cred *old) | ||
2622 | { | ||
2623 | struct audit_aux_data_capset *ax; | ||
2624 | struct audit_context *context = current->audit_context; | ||
2625 | |||
2626 | if (likely(!audit_enabled || !context || context->dummy)) | ||
2627 | return 0; | ||
2628 | |||
2629 | ax = kmalloc(sizeof(*ax), GFP_KERNEL); | ||
2630 | if (!ax) | ||
2631 | return -ENOMEM; | ||
2632 | |||
2633 | ax->d.type = AUDIT_CAPSET; | ||
2634 | ax->d.next = context->aux; | ||
2635 | context->aux = (void *)ax; | ||
2636 | |||
2637 | ax->pid = pid; | ||
2638 | ax->cap.effective = new->cap_effective; | ||
2639 | ax->cap.inheritable = new->cap_effective; | ||
2640 | ax->cap.permitted = new->cap_permitted; | ||
2641 | |||
2642 | return 0; | ||
2643 | } | ||
2644 | |||
2645 | /** | ||
2451 | * audit_core_dumps - record information about processes that end abnormally | 2646 | * audit_core_dumps - record information about processes that end abnormally |
2452 | * @signr: signal value | 2647 | * @signr: signal value |
2453 | * | 2648 | * |
@@ -2458,7 +2653,8 @@ void audit_core_dumps(long signr) | |||
2458 | { | 2653 | { |
2459 | struct audit_buffer *ab; | 2654 | struct audit_buffer *ab; |
2460 | u32 sid; | 2655 | u32 sid; |
2461 | uid_t auid = audit_get_loginuid(current); | 2656 | uid_t auid = audit_get_loginuid(current), uid; |
2657 | gid_t gid; | ||
2462 | unsigned int sessionid = audit_get_sessionid(current); | 2658 | unsigned int sessionid = audit_get_sessionid(current); |
2463 | 2659 | ||
2464 | if (!audit_enabled) | 2660 | if (!audit_enabled) |
@@ -2468,8 +2664,9 @@ void audit_core_dumps(long signr) | |||
2468 | return; | 2664 | return; |
2469 | 2665 | ||
2470 | ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND); | 2666 | ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND); |
2667 | current_uid_gid(&uid, &gid); | ||
2471 | audit_log_format(ab, "auid=%u uid=%u gid=%u ses=%u", | 2668 | audit_log_format(ab, "auid=%u uid=%u gid=%u ses=%u", |
2472 | auid, current->uid, current->gid, sessionid); | 2669 | auid, uid, gid, sessionid); |
2473 | security_task_getsecid(current, &sid); | 2670 | security_task_getsecid(current, &sid); |
2474 | if (sid) { | 2671 | if (sid) { |
2475 | char *ctx = NULL; | 2672 | char *ctx = NULL; |