audit: fix event coverage of AUDIT_ANOM_LINK

The userspace audit tools didn't like the existing formatting of the AUDIT_ANOM_LINK event. It needed to be expanded to emit an AUDIT_PATH event as well, so this implements the change. The bulk of the patch is moving code out of auditsc.c into audit.c and audit.h for general use. It expands audit_log_name to include an optional "struct path" argument for the simple case of just needing to report a pathname. This also makes audit_log_task_info available when syscall auditing is not enabled, since it is needed in either case for process details. Signed-off-by: Kees Cook <keescook@chromium.org> Reported-by: Steve Grubb <sgrubb@redhat.com>
author: Eric Paris <eparis@redhat.com> 2013-04-30 15:30:32 -0400
committer: Eric Paris <eparis@redhat.com> 2013-04-30 15:31:28 -0400
commit: b24a30a7305418ff138ff51776fc555ec57c011a (patch)
tree: 2c64cff75b758c3fb407118ab473167fb5bec3fa /kernel/auditsc.c
parent: 7173c54e3a9deb491a586e7e107375109ee48bcb (diff)
1 files changed, 1 insertions, 352 deletions
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 17e9a260a545..add3086bdb02 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -76,11 +76,6 @@
 #define AUDITSC_SUCCESS 1
 #define AUDITSC_FAILURE 2
-/* AUDIT_NAMES is the number of slots we reserve in the audit_context
- * for saving names from getname().  If we get more names we will allocate
- * a name dynamically and also add those to the list anchored by names_list. */
-#define AUDIT_NAMES     5
 /* no execve audit message should be longer than this (userspace limits) */
 #define MAX_EXECVE_AUDIT_LEN 7500
@@ -90,44 +85,6 @@ int audit_n_rules;
 /* determines whether we collect data for signals sent */
 int audit_signals;
-struct audit_cap_data {
-        kernel_cap_t            permitted;
-        kernel_cap_t            inheritable;
-        union {
-                unsigned int    fE;             /* effective bit of a file capability */
-                kernel_cap_t    effective;      /* effective set of a process */
-        };
-};
-/* When fs/namei.c:getname() is called, we store the pointer in name and
- * we don't let putname() free it (instead we free all of the saved
- * pointers at syscall exit time).
- *
- * Further, in fs/namei.c:path_lookup() we store the inode and device.
- */
-struct audit_names {
-        struct list_head        list;           /* audit_context->names_list */
-        struct filename *name;
-        unsigned long           ino;
-        dev_t                   dev;
-        umode_t                 mode;
-        kuid_t                  uid;
-        kgid_t                  gid;
-        dev_t                   rdev;
-        u32                     osid;
-        struct audit_cap_data    fcap;
-        unsigned int            fcap_ver;
-        int                     name_len;       /* number of name's characters to log */
-        unsigned char           type;           /* record type */
-        bool                    name_put;       /* call __putname() for this name */
-        /*
-         * This was an allocated audit_names and not from the array of
-         * names allocated in the task audit context.  Thus this name
-         * should be freed on syscall exit
-         */
-        bool                    should_free;
-};
 struct audit_aux_data {
        struct audit_aux_data   *next;
        int                     type;
@@ -175,106 +132,6 @@ struct audit_tree_refs {
        struct audit_chunk *c[31];
 };
-/* The per-task audit context. */
-struct audit_context {
-        int                 dummy;      /* must be the first element */
-        int                 in_syscall; /* 1 if task is in a syscall */
-        enum audit_state    state, current_state;
-        unsigned int        serial;     /* serial number for record */
-        int                 major;      /* syscall number */
-        struct timespec     ctime;      /* time of syscall entry */
-        unsigned long       argv[4];    /* syscall arguments */
-        long                return_code;/* syscall return code */
-        u64                 prio;
-        int                 return_valid; /* return code is valid */
-        /*
-         * The names_list is the list of all audit_names collected during this
-         * syscall.  The first AUDIT_NAMES entries in the names_list will
-         * actually be from the preallocated_names array for performance
-         * reasons.  Except during allocation they should never be referenced
-         * through the preallocated_names array and should only be found/used
-         * by running the names_list.
-         */
-        struct audit_names  preallocated_names[AUDIT_NAMES];
-        int                 name_count; /* total records in names_list */
-        struct list_head    names_list; /* anchor for struct audit_names->list */
-        char *              filterkey;  /* key for rule that triggered record */
-        struct path         pwd;
-        struct audit_aux_data *aux;
-        struct audit_aux_data *aux_pids;
-        struct sockaddr_storage *sockaddr;
-        size_t sockaddr_len;
-                                /* Save things to print about task_struct */
-        pid_t               pid, ppid;
-        kuid_t              uid, euid, suid, fsuid;
-        kgid_t              gid, egid, sgid, fsgid;
-        unsigned long       personality;
-        int                 arch;
-        pid_t               target_pid;
-        kuid_t              target_auid;
-        kuid_t              target_uid;
-        unsigned int        target_sessionid;
-        u32                 target_sid;
-        char                target_comm[TASK_COMM_LEN];
-        struct audit_tree_refs *trees, *first_trees;
-        struct list_head killed_trees;
-        int tree_count;
-        int type;
-        union {
-                struct {
-                        int nargs;
-                        long args[AUDITSC_ARGS];
-                } socketcall;
-                struct {
-                        kuid_t                  uid;
-                        kgid_t                  gid;
-                        umode_t                 mode;
-                        u32                     osid;
-                        int                     has_perm;
-                        uid_t                   perm_uid;
-                        gid_t                   perm_gid;
-                        umode_t                 perm_mode;
-                        unsigned long           qbytes;
-                } ipc;
-                struct {
-                        mqd_t                   mqdes;
-                        struct mq_attr          mqstat;
-                } mq_getsetattr;
-                struct {
-                        mqd_t                   mqdes;
-                        int                     sigev_signo;
-                } mq_notify;
-                struct {
-                        mqd_t                   mqdes;
-                        size_t                  msg_len;
-                        unsigned int            msg_prio;
-                        struct timespec         abs_timeout;
-                } mq_sendrecv;
-                struct {
-                        int                     oflag;
-                        umode_t                 mode;
-                        struct mq_attr          attr;
-                } mq_open;
-                struct {
-                        pid_t                   pid;
-                        struct audit_cap_data   cap;
-                } capset;
-                struct {
-                        int                     fd;
-                        int                     flags;
-                } mmap;
-        };
-        int fds[2];
-#if AUDIT_DEBUG
-        int                 put_count;
-        int                 ino_count;
-#endif
-};
 static inline int open_arg(int flags, int mask)
 {
        int n = ACC_MODE(flags);
@@ -1109,88 +966,6 @@ static inline void audit_free_context(struct audit_context *context)
        kfree(context);
 }
-int audit_log_task_context(struct audit_buffer *ab)
-{
-        char *ctx = NULL;
-        unsigned len;
-        int error;
-        u32 sid;
-        security_task_getsecid(current, &sid);
-        if (!sid)
-                return 0;
-        error = security_secid_to_secctx(sid, &ctx, &len);
-        if (error) {
-                if (error != -EINVAL)
-                        goto error_path;
-                return 0;
-        }
-        audit_log_format(ab, " subj=%s", ctx);
-        security_release_secctx(ctx, len);
-        return 0;
-error_path:
-        audit_panic("error in audit_log_task_context");
-        return error;
-}
-EXPORT_SYMBOL(audit_log_task_context);
-void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
-{
-        const struct cred *cred;
-        char name[sizeof(tsk->comm)];
-        struct mm_struct *mm = tsk->mm;
-        char *tty;
-        if (!ab)
-                return;
-        /* tsk == current */
-        cred = current_cred();
-        spin_lock_irq(&tsk->sighand->siglock);
-        if (tsk->signal && tsk->signal->tty)
-                tty = tsk->signal->tty->name;
-        else
-                tty = "(none)";
-        spin_unlock_irq(&tsk->sighand->siglock);
-        audit_log_format(ab,
-                         " ppid=%ld pid=%d auid=%u uid=%u gid=%u"
-                         " euid=%u suid=%u fsuid=%u"
-                         " egid=%u sgid=%u fsgid=%u ses=%u tty=%s",
-                         sys_getppid(),
-                         tsk->pid,
-                         from_kuid(&init_user_ns, tsk->loginuid),
-                         from_kuid(&init_user_ns, cred->uid),
-                         from_kgid(&init_user_ns, cred->gid),
-                         from_kuid(&init_user_ns, cred->euid),
-                         from_kuid(&init_user_ns, cred->suid),
-                         from_kuid(&init_user_ns, cred->fsuid),
-                         from_kgid(&init_user_ns, cred->egid),
-                         from_kgid(&init_user_ns, cred->sgid),
-                         from_kgid(&init_user_ns, cred->fsgid),
-                         tsk->sessionid, tty);
-        get_task_comm(name, tsk);
-        audit_log_format(ab, " comm=");
-        audit_log_untrustedstring(ab, name);
-        if (mm) {
-                down_read(&mm->mmap_sem);
-                if (mm->exe_file)
-                        audit_log_d_path(ab, " exe=", &mm->exe_file->f_path);
-                up_read(&mm->mmap_sem);
-        }
-        audit_log_task_context(ab);
-}
-EXPORT_SYMBOL(audit_log_task_info);
 static int audit_log_pid_context(struct audit_context *context, pid_t pid,
                                 kuid_t auid, kuid_t uid, unsigned int sessionid,
                                 u32 sid, char *comm)
@@ -1408,35 +1183,6 @@ static void audit_log_execve_info(struct audit_context *context,
        kfree(buf);
 }
-static void audit_log_cap(struct audit_buffer *ab, char *prefix, kernel_cap_t *cap)
-{
-        int i;
-        audit_log_format(ab, " %s=", prefix);
-        CAP_FOR_EACH_U32(i) {
-                audit_log_format(ab, "%08x", cap->cap[(_KERNEL_CAPABILITY_U32S-1) - i]);
-        }
-}
-static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name)
-{
-        kernel_cap_t *perm = &name->fcap.permitted;
-        kernel_cap_t *inh = &name->fcap.inheritable;
-        int log = 0;
-        if (!cap_isclear(*perm)) {
-                audit_log_cap(ab, "cap_fp", perm);
-                log = 1;
-        }
-        if (!cap_isclear(*inh)) {
-                audit_log_cap(ab, "cap_fi", inh);
-                log = 1;
-        }
-        if (log)
-                audit_log_format(ab, " cap_fe=%d cap_fver=%x", name->fcap.fE, name->fcap_ver);
-}
 static void show_special(struct audit_context *context, int *call_panic)
 {
        struct audit_buffer *ab;
@@ -1534,68 +1280,6 @@ static void show_special(struct audit_context *context, int *call_panic)
        audit_log_end(ab);
 }
-static void audit_log_name(struct audit_context *context, struct audit_names *n,
-                           int record_num, int *call_panic)
-{
-        struct audit_buffer *ab;
-        ab = audit_log_start(context, GFP_KERNEL, AUDIT_PATH);
-        if (!ab)
-                return; /* audit_panic has been called */
-        audit_log_format(ab, "item=%d", record_num);
-        if (n->name) {
-                switch (n->name_len) {
-                case AUDIT_NAME_FULL:
-                        /* log the full path */
-                        audit_log_format(ab, " name=");
-                        audit_log_untrustedstring(ab, n->name->name);
-                        break;
-                case 0:
-                        /* name was specified as a relative path and the
-                         * directory component is the cwd */
-                        audit_log_d_path(ab, " name=", &context->pwd);
-                        break;
-                default:
-                        /* log the name's directory component */
-                        audit_log_format(ab, " name=");
-                        audit_log_n_untrustedstring(ab, n->name->name,
-                                                    n->name_len);
-                }
-        } else
-                audit_log_format(ab, " name=(null)");
-        if (n->ino != (unsigned long)-1) {
-                audit_log_format(ab, " inode=%lu"
-                                 " dev=%02x:%02x mode=%#ho"
-                                 " ouid=%u ogid=%u rdev=%02x:%02x",
-                                 n->ino,
-                                 MAJOR(n->dev),
-                                 MINOR(n->dev),
-                                 n->mode,
-                                 from_kuid(&init_user_ns, n->uid),
-                                 from_kgid(&init_user_ns, n->gid),
-                                 MAJOR(n->rdev),
-                                 MINOR(n->rdev));
-        }
-        if (n->osid != 0) {
-                char *ctx = NULL;
-                u32 len;
-                if (security_secid_to_secctx(
-                        n->osid, &ctx, &len)) {
-                        audit_log_format(ab, " osid=%u", n->osid);
-                        *call_panic = 2;
-                } else {
-                        audit_log_format(ab, " obj=%s", ctx);
-                        security_release_secctx(ctx, len);
-                }
-        }
-        audit_log_fcaps(ab, n);
-        audit_log_end(ab);
-}
 static void audit_log_exit(struct audit_context *context, struct task_struct *tsk)
 {
        int i, call_panic = 0;
@@ -1713,7 +1397,7 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
        i = 0;
        list_for_each_entry(n, &context->names_list, list)
-                audit_log_name(context, n, i++, &call_panic);
+                audit_log_name(context, n, NULL, i++, &call_panic);
        /* Send end of event record to help user space know we are finished */
        ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE);
@@ -2078,41 +1762,6 @@ void audit_putname(struct filename *name)
 #endif
 }
-static inline int audit_copy_fcaps(struct audit_names *name, const struct dentry *dentry)
-{
-        struct cpu_vfs_cap_data caps;
-        int rc;
-        if (!dentry)
-                return 0;
-        rc = get_vfs_caps_from_disk(dentry, &caps);
-        if (rc)
-                return rc;
-        name->fcap.permitted = caps.permitted;
-        name->fcap.inheritable = caps.inheritable;
-        name->fcap.fE = !!(caps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE);
-        name->fcap_ver = (caps.magic_etc & VFS_CAP_REVISION_MASK) >> VFS_CAP_REVISION_SHIFT;
-        return 0;
-}
-/* Copy inode data into an audit_names. */
-static void audit_copy_inode(struct audit_names *name, const struct dentry *dentry,
-                             const struct inode *inode)
-{
-        name->ino   = inode->i_ino;
-        name->dev   = inode->i_sb->s_dev;
-        name->mode  = inode->i_mode;
-        name->uid   = inode->i_uid;
-        name->gid   = inode->i_gid;
-        name->rdev  = inode->i_rdev;
-        security_inode_getsecid(inode, &name->osid);
-        audit_copy_fcaps(name, dentry);
-}
 /**
 * __audit_inode - store the inode and device from a lookup
 * @name: name being audited
author	Eric Paris <eparis@redhat.com>	2013-04-30 15:30:32 -0400
committer	Eric Paris <eparis@redhat.com>	2013-04-30 15:31:28 -0400
commit	b24a30a7305418ff138ff51776fc555ec57c011a (patch)
tree	2c64cff75b758c3fb407118ab473167fb5bec3fa /kernel/auditsc.c
parent	7173c54e3a9deb491a586e7e107375109ee48bcb (diff)

diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 17e9a260a545..add3086bdb02 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c
@@ -76,11 +76,6 @@
76	#define AUDITSC_SUCCESS 1	76	#define AUDITSC_SUCCESS 1
77	#define AUDITSC_FAILURE 2	77	#define AUDITSC_FAILURE 2
78		78
79	/* AUDIT_NAMES is the number of slots we reserve in the audit_context
80	* for saving names from getname(). If we get more names we will allocate
81	* a name dynamically and also add those to the list anchored by names_list. */
82	#define AUDIT_NAMES 5
83
84	/* no execve audit message should be longer than this (userspace limits) */	79	/* no execve audit message should be longer than this (userspace limits) */
85	#define MAX_EXECVE_AUDIT_LEN 7500	80	#define MAX_EXECVE_AUDIT_LEN 7500
86		81
@@ -90,44 +85,6 @@ int audit_n_rules;
90	/* determines whether we collect data for signals sent */	85	/* determines whether we collect data for signals sent */
91	int audit_signals;	86	int audit_signals;
92		87
93	struct audit_cap_data {
94	kernel_cap_t permitted;
95	kernel_cap_t inheritable;
96	union {
97	unsigned int fE; /* effective bit of a file capability */
98	kernel_cap_t effective; /* effective set of a process */
99	};
100	};
101
102	/* When fs/namei.c:getname() is called, we store the pointer in name and
103	* we don't let putname() free it (instead we free all of the saved
104	* pointers at syscall exit time).
105	*
106	* Further, in fs/namei.c:path_lookup() we store the inode and device.
107	*/
108	struct audit_names {
109	struct list_head list; /* audit_context->names_list */
110	struct filename *name;
111	unsigned long ino;
112	dev_t dev;
113	umode_t mode;
114	kuid_t uid;
115	kgid_t gid;
116	dev_t rdev;
117	u32 osid;
118	struct audit_cap_data fcap;
119	unsigned int fcap_ver;
120	int name_len; /* number of name's characters to log */
121	unsigned char type; /* record type */
122	bool name_put; /* call __putname() for this name */
123	/*
124	* This was an allocated audit_names and not from the array of
125	* names allocated in the task audit context. Thus this name
126	* should be freed on syscall exit
127	*/
128	bool should_free;
129	};
130
131	struct audit_aux_data {	88	struct audit_aux_data {
132	struct audit_aux_data *next;	89	struct audit_aux_data *next;
133	int type;	90	int type;
@@ -175,106 +132,6 @@ struct audit_tree_refs {
175	struct audit_chunk *c[31];	132	struct audit_chunk *c[31];
176	};	133	};
177		134
178	/* The per-task audit context. */
179	struct audit_context {
180	int dummy; /* must be the first element */
181	int in_syscall; /* 1 if task is in a syscall */
182	enum audit_state state, current_state;
183	unsigned int serial; /* serial number for record */
184	int major; /* syscall number */
185	struct timespec ctime; /* time of syscall entry */
186	unsigned long argv[4]; /* syscall arguments */
187	long return_code;/* syscall return code */
188	u64 prio;
189	int return_valid; /* return code is valid */
190	/*
191	* The names_list is the list of all audit_names collected during this
192	* syscall. The first AUDIT_NAMES entries in the names_list will
193	* actually be from the preallocated_names array for performance
194	* reasons. Except during allocation they should never be referenced
195	* through the preallocated_names array and should only be found/used
196	* by running the names_list.
197	*/
198	struct audit_names preallocated_names[AUDIT_NAMES];
199	int name_count; /* total records in names_list */
200	struct list_head names_list; /* anchor for struct audit_names->list */
201	char * filterkey; /* key for rule that triggered record */
202	struct path pwd;
203	struct audit_aux_data *aux;
204	struct audit_aux_data *aux_pids;
205	struct sockaddr_storage *sockaddr;
206	size_t sockaddr_len;
207	/* Save things to print about task_struct */
208	pid_t pid, ppid;
209	kuid_t uid, euid, suid, fsuid;
210	kgid_t gid, egid, sgid, fsgid;
211	unsigned long personality;
212	int arch;
213
214	pid_t target_pid;
215	kuid_t target_auid;
216	kuid_t target_uid;
217	unsigned int target_sessionid;
218	u32 target_sid;
219	char target_comm[TASK_COMM_LEN];
220
221	struct audit_tree_refs trees, first_trees;
222	struct list_head killed_trees;
223	int tree_count;
224
225	int type;
226	union {
227	struct {
228	int nargs;
229	long args[AUDITSC_ARGS];
230	} socketcall;
231	struct {
232	kuid_t uid;
233	kgid_t gid;
234	umode_t mode;
235	u32 osid;
236	int has_perm;
237	uid_t perm_uid;
238	gid_t perm_gid;
239	umode_t perm_mode;
240	unsigned long qbytes;
241	} ipc;
242	struct {
243	mqd_t mqdes;
244	struct mq_attr mqstat;
245	} mq_getsetattr;
246	struct {
247	mqd_t mqdes;
248	int sigev_signo;
249	} mq_notify;
250	struct {
251	mqd_t mqdes;
252	size_t msg_len;
253	unsigned int msg_prio;
254	struct timespec abs_timeout;
255	} mq_sendrecv;
256	struct {
257	int oflag;
258	umode_t mode;
259	struct mq_attr attr;
260	} mq_open;
261	struct {
262	pid_t pid;
263	struct audit_cap_data cap;
264	} capset;
265	struct {
266	int fd;
267	int flags;
268	} mmap;
269	};
270	int fds[2];
271
272	#if AUDIT_DEBUG
273	int put_count;
274	int ino_count;
275	#endif
276	};
277
278	static inline int open_arg(int flags, int mask)	135	static inline int open_arg(int flags, int mask)
279	{	136	{
280	int n = ACC_MODE(flags);	137	int n = ACC_MODE(flags);
@@ -1109,88 +966,6 @@ static inline void audit_free_context(struct audit_context *context)
1109	kfree(context);	966	kfree(context);
1110	}	967	}
1111		968
1112	int audit_log_task_context(struct audit_buffer *ab)
1113	{
1114	char *ctx = NULL;
1115	unsigned len;
1116	int error;
1117	u32 sid;
1118
1119	security_task_getsecid(current, &sid);
1120	if (!sid)
1121	return 0;
1122
1123	error = security_secid_to_secctx(sid, &ctx, &len);
1124	if (error) {
1125	if (error != -EINVAL)
1126	goto error_path;
1127	return 0;
1128	}
1129
1130	audit_log_format(ab, " subj=%s", ctx);
1131	security_release_secctx(ctx, len);
1132	return 0;
1133
1134	error_path:
1135	audit_panic("error in audit_log_task_context");
1136	return error;
1137	}
1138
1139	EXPORT_SYMBOL(audit_log_task_context);
1140
1141	void audit_log_task_info(struct audit_buffer ab, struct task_struct tsk)
1142	{
1143	const struct cred *cred;
1144	char name[sizeof(tsk->comm)];
1145	struct mm_struct *mm = tsk->mm;
1146	char *tty;
1147
1148	if (!ab)
1149	return;
1150
1151	/* tsk == current */
1152	cred = current_cred();
1153
1154	spin_lock_irq(&tsk->sighand->siglock);
1155	if (tsk->signal && tsk->signal->tty)
1156	tty = tsk->signal->tty->name;
1157	else
1158	tty = "(none)";
1159	spin_unlock_irq(&tsk->sighand->siglock);
1160
1161
1162	audit_log_format(ab,
1163	" ppid=%ld pid=%d auid=%u uid=%u gid=%u"
1164	" euid=%u suid=%u fsuid=%u"
1165	" egid=%u sgid=%u fsgid=%u ses=%u tty=%s",
1166	sys_getppid(),
1167	tsk->pid,
1168	from_kuid(&init_user_ns, tsk->loginuid),
1169	from_kuid(&init_user_ns, cred->uid),
1170	from_kgid(&init_user_ns, cred->gid),
1171	from_kuid(&init_user_ns, cred->euid),
1172	from_kuid(&init_user_ns, cred->suid),
1173	from_kuid(&init_user_ns, cred->fsuid),
1174	from_kgid(&init_user_ns, cred->egid),
1175	from_kgid(&init_user_ns, cred->sgid),
1176	from_kgid(&init_user_ns, cred->fsgid),
1177	tsk->sessionid, tty);
1178
1179	get_task_comm(name, tsk);
1180	audit_log_format(ab, " comm=");
1181	audit_log_untrustedstring(ab, name);
1182
1183	if (mm) {
1184	down_read(&mm->mmap_sem);
1185	if (mm->exe_file)
1186	audit_log_d_path(ab, " exe=", &mm->exe_file->f_path);
1187	up_read(&mm->mmap_sem);
1188	}
1189	audit_log_task_context(ab);
1190	}
1191
1192	EXPORT_SYMBOL(audit_log_task_info);
1193
1194	static int audit_log_pid_context(struct audit_context *context, pid_t pid,	969	static int audit_log_pid_context(struct audit_context *context, pid_t pid,
1195	kuid_t auid, kuid_t uid, unsigned int sessionid,	970	kuid_t auid, kuid_t uid, unsigned int sessionid,
1196	u32 sid, char *comm)	971	u32 sid, char *comm)
@@ -1408,35 +1183,6 @@ static void audit_log_execve_info(struct audit_context *context,
1408	kfree(buf);	1183	kfree(buf);
1409	}	1184	}
1410		1185
1411	static void audit_log_cap(struct audit_buffer ab, char prefix, kernel_cap_t *cap)
1412	{
1413	int i;
1414
1415	audit_log_format(ab, " %s=", prefix);
1416	CAP_FOR_EACH_U32(i) {
1417	audit_log_format(ab, "%08x", cap->cap[(_KERNEL_CAPABILITY_U32S-1) - i]);
1418	}
1419	}
1420
1421	static void audit_log_fcaps(struct audit_buffer ab, struct audit_names name)
1422	{
1423	kernel_cap_t *perm = &name->fcap.permitted;
1424	kernel_cap_t *inh = &name->fcap.inheritable;
1425	int log = 0;
1426
1427	if (!cap_isclear(*perm)) {
1428	audit_log_cap(ab, "cap_fp", perm);
1429	log = 1;
1430	}
1431	if (!cap_isclear(*inh)) {
1432	audit_log_cap(ab, "cap_fi", inh);
1433	log = 1;
1434	}
1435
1436	if (log)
1437	audit_log_format(ab, " cap_fe=%d cap_fver=%x", name->fcap.fE, name->fcap_ver);
1438	}
1439
1440	static void show_special(struct audit_context context, int call_panic)	1186	static void show_special(struct audit_context context, int call_panic)
1441	{	1187	{
1442	struct audit_buffer *ab;	1188	struct audit_buffer *ab;
@@ -1534,68 +1280,6 @@ static void show_special(struct audit_context context, int call_panic)
1534	audit_log_end(ab);	1280	audit_log_end(ab);
1535	}	1281	}
1536		1282
1537	static void audit_log_name(struct audit_context context, struct audit_names n,
1538	int record_num, int *call_panic)
1539	{
1540	struct audit_buffer *ab;
1541	ab = audit_log_start(context, GFP_KERNEL, AUDIT_PATH);
1542	if (!ab)
1543	return; /* audit_panic has been called */
1544
1545	audit_log_format(ab, "item=%d", record_num);
1546
1547	if (n->name) {
1548	switch (n->name_len) {
1549	case AUDIT_NAME_FULL:
1550	/* log the full path */
1551	audit_log_format(ab, " name=");
1552	audit_log_untrustedstring(ab, n->name->name);
1553	break;
1554	case 0:
1555	/* name was specified as a relative path and the
1556	* directory component is the cwd */
1557	audit_log_d_path(ab, " name=", &context->pwd);
1558	break;
1559	default:
1560	/* log the name's directory component */
1561	audit_log_format(ab, " name=");
1562	audit_log_n_untrustedstring(ab, n->name->name,
1563	n->name_len);
1564	}
1565	} else
1566	audit_log_format(ab, " name=(null)");
1567
1568	if (n->ino != (unsigned long)-1) {
1569	audit_log_format(ab, " inode=%lu"
1570	" dev=%02x:%02x mode=%#ho"
1571	" ouid=%u ogid=%u rdev=%02x:%02x",
1572	n->ino,
1573	MAJOR(n->dev),
1574	MINOR(n->dev),
1575	n->mode,
1576	from_kuid(&init_user_ns, n->uid),
1577	from_kgid(&init_user_ns, n->gid),
1578	MAJOR(n->rdev),
1579	MINOR(n->rdev));
1580	}
1581	if (n->osid != 0) {
1582	char *ctx = NULL;
1583	u32 len;
1584	if (security_secid_to_secctx(
1585	n->osid, &ctx, &len)) {
1586	audit_log_format(ab, " osid=%u", n->osid);
1587	*call_panic = 2;
1588	} else {
1589	audit_log_format(ab, " obj=%s", ctx);
1590	security_release_secctx(ctx, len);
1591	}
1592	}
1593
1594	audit_log_fcaps(ab, n);
1595
1596	audit_log_end(ab);
1597	}
1598
1599	static void audit_log_exit(struct audit_context context, struct task_struct tsk)	1283	static void audit_log_exit(struct audit_context context, struct task_struct tsk)
1600	{	1284	{
1601	int i, call_panic = 0;	1285	int i, call_panic = 0;
@@ -1713,7 +1397,7 @@ static void audit_log_exit(struct audit_context context, struct task_struct ts
1713		1397
1714	i = 0;	1398	i = 0;
1715	list_for_each_entry(n, &context->names_list, list)	1399	list_for_each_entry(n, &context->names_list, list)
1716	audit_log_name(context, n, i++, &call_panic);	1400	audit_log_name(context, n, NULL, i++, &call_panic);
1717		1401
1718	/* Send end of event record to help user space know we are finished */	1402	/* Send end of event record to help user space know we are finished */
1719	ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE);	1403	ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE);
@@ -2078,41 +1762,6 @@ void audit_putname(struct filename *name)
2078	#endif	1762	#endif
2079	}	1763	}
2080		1764
2081	static inline int audit_copy_fcaps(struct audit_names name, const struct dentry dentry)
2082	{
2083	struct cpu_vfs_cap_data caps;
2084	int rc;
2085
2086	if (!dentry)
2087	return 0;
2088
2089	rc = get_vfs_caps_from_disk(dentry, &caps);
2090	if (rc)
2091	return rc;
2092
2093	name->fcap.permitted = caps.permitted;
2094	name->fcap.inheritable = caps.inheritable;
2095	name->fcap.fE = !!(caps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE);
2096	name->fcap_ver = (caps.magic_etc & VFS_CAP_REVISION_MASK) >> VFS_CAP_REVISION_SHIFT;
2097
2098	return 0;
2099	}
2100
2101
2102	/* Copy inode data into an audit_names. */
2103	static void audit_copy_inode(struct audit_names name, const struct dentry dentry,
2104	const struct inode *inode)
2105	{
2106	name->ino = inode->i_ino;
2107	name->dev = inode->i_sb->s_dev;
2108	name->mode = inode->i_mode;
2109	name->uid = inode->i_uid;
2110	name->gid = inode->i_gid;
2111	name->rdev = inode->i_rdev;
2112	security_inode_getsecid(inode, &name->osid);
2113	audit_copy_fcaps(name, dentry);
2114	}
2115
2116	/**	1765	/**
2117	* __audit_inode - store the inode and device from a lookup	1766	* __audit_inode - store the inode and device from a lookup
2118	* @name: name being audited	1767	* @name: name being audited