aboutsummaryrefslogtreecommitdiffstats
path: root/kernel/auditsc.c
diff options
context:
space:
mode:
authorEric W. Biederman <ebiederm@xmission.com>2012-09-11 01:39:43 -0400
committerEric W. Biederman <ebiederm@xmission.com>2012-09-17 21:08:54 -0400
commite1760bd5ffae8cb98cffb030ee8e631eba28f3d8 (patch)
tree4694a60b407c418bf7de4b97355dc3bd0e6c6559 /kernel/auditsc.c
parentca57ec0f00c3f139c41bf6b0a5b9bcc95bbb2ad7 (diff)
userns: Convert the audit loginuid to be a kuid
Always store audit loginuids in type kuid_t. Print loginuids by converting them into uids in the appropriate user namespace, and then printing the resulting uid. Modify audit_get_loginuid to return a kuid_t. Modify audit_set_loginuid to take a kuid_t. Modify /proc/<pid>/loginuid on read to convert the loginuid into the user namespace of the opener of the file. Modify /proc/<pid>/loginud on write to convert the loginuid rom the user namespace of the opener of the file. Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: Eric Paris <eparis@redhat.com> Cc: Paul Moore <paul@paul-moore.com> ? Cc: David Miller <davem@davemloft.net> Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Diffstat (limited to 'kernel/auditsc.c')
-rw-r--r--kernel/auditsc.c20
1 files changed, 11 insertions, 9 deletions
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 0b5b8a232b55..26fdfc092e35 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -149,7 +149,7 @@ struct audit_aux_data_execve {
149struct audit_aux_data_pids { 149struct audit_aux_data_pids {
150 struct audit_aux_data d; 150 struct audit_aux_data d;
151 pid_t target_pid[AUDIT_AUX_PIDS]; 151 pid_t target_pid[AUDIT_AUX_PIDS];
152 uid_t target_auid[AUDIT_AUX_PIDS]; 152 kuid_t target_auid[AUDIT_AUX_PIDS];
153 uid_t target_uid[AUDIT_AUX_PIDS]; 153 uid_t target_uid[AUDIT_AUX_PIDS];
154 unsigned int target_sessionid[AUDIT_AUX_PIDS]; 154 unsigned int target_sessionid[AUDIT_AUX_PIDS];
155 u32 target_sid[AUDIT_AUX_PIDS]; 155 u32 target_sid[AUDIT_AUX_PIDS];
@@ -214,7 +214,7 @@ struct audit_context {
214 int arch; 214 int arch;
215 215
216 pid_t target_pid; 216 pid_t target_pid;
217 uid_t target_auid; 217 kuid_t target_auid;
218 uid_t target_uid; 218 uid_t target_uid;
219 unsigned int target_sessionid; 219 unsigned int target_sessionid;
220 u32 target_sid; 220 u32 target_sid;
@@ -1176,7 +1176,7 @@ static void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk
1176} 1176}
1177 1177
1178static int audit_log_pid_context(struct audit_context *context, pid_t pid, 1178static int audit_log_pid_context(struct audit_context *context, pid_t pid,
1179 uid_t auid, uid_t uid, unsigned int sessionid, 1179 kuid_t auid, uid_t uid, unsigned int sessionid,
1180 u32 sid, char *comm) 1180 u32 sid, char *comm)
1181{ 1181{
1182 struct audit_buffer *ab; 1182 struct audit_buffer *ab;
@@ -1188,7 +1188,8 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
1188 if (!ab) 1188 if (!ab)
1189 return rc; 1189 return rc;
1190 1190
1191 audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid, auid, 1191 audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid,
1192 from_kuid(&init_user_ns, auid),
1192 uid, sessionid); 1193 uid, sessionid);
1193 if (security_secid_to_secctx(sid, &ctx, &len)) { 1194 if (security_secid_to_secctx(sid, &ctx, &len)) {
1194 audit_log_format(ab, " obj=(none)"); 1195 audit_log_format(ab, " obj=(none)");
@@ -1630,7 +1631,7 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
1630 context->name_count, 1631 context->name_count,
1631 context->ppid, 1632 context->ppid,
1632 context->pid, 1633 context->pid,
1633 tsk->loginuid, 1634 from_kuid(&init_user_ns, tsk->loginuid),
1634 context->uid, 1635 context->uid,
1635 context->gid, 1636 context->gid,
1636 context->euid, context->suid, context->fsuid, 1637 context->euid, context->suid, context->fsuid,
@@ -2291,14 +2292,14 @@ static atomic_t session_id = ATOMIC_INIT(0);
2291 * 2292 *
2292 * Called (set) from fs/proc/base.c::proc_loginuid_write(). 2293 * Called (set) from fs/proc/base.c::proc_loginuid_write().
2293 */ 2294 */
2294int audit_set_loginuid(uid_t loginuid) 2295int audit_set_loginuid(kuid_t loginuid)
2295{ 2296{
2296 struct task_struct *task = current; 2297 struct task_struct *task = current;
2297 struct audit_context *context = task->audit_context; 2298 struct audit_context *context = task->audit_context;
2298 unsigned int sessionid; 2299 unsigned int sessionid;
2299 2300
2300#ifdef CONFIG_AUDIT_LOGINUID_IMMUTABLE 2301#ifdef CONFIG_AUDIT_LOGINUID_IMMUTABLE
2301 if (task->loginuid != -1) 2302 if (uid_valid(task->loginuid))
2302 return -EPERM; 2303 return -EPERM;
2303#else /* CONFIG_AUDIT_LOGINUID_IMMUTABLE */ 2304#else /* CONFIG_AUDIT_LOGINUID_IMMUTABLE */
2304 if (!capable(CAP_AUDIT_CONTROL)) 2305 if (!capable(CAP_AUDIT_CONTROL))
@@ -2315,7 +2316,8 @@ int audit_set_loginuid(uid_t loginuid)
2315 "old auid=%u new auid=%u" 2316 "old auid=%u new auid=%u"
2316 " old ses=%u new ses=%u", 2317 " old ses=%u new ses=%u",
2317 task->pid, task_uid(task), 2318 task->pid, task_uid(task),
2318 task->loginuid, loginuid, 2319 from_kuid(&init_user_ns, task->loginuid),
2320 from_kuid(&init_user_ns, loginuid),
2319 task->sessionid, sessionid); 2321 task->sessionid, sessionid);
2320 audit_log_end(ab); 2322 audit_log_end(ab);
2321 } 2323 }
@@ -2543,7 +2545,7 @@ int __audit_signal_info(int sig, struct task_struct *t)
2543 if (audit_pid && t->tgid == audit_pid) { 2545 if (audit_pid && t->tgid == audit_pid) {
2544 if (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1 || sig == SIGUSR2) { 2546 if (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1 || sig == SIGUSR2) {
2545 audit_sig_pid = tsk->pid; 2547 audit_sig_pid = tsk->pid;
2546 if (tsk->loginuid != -1) 2548 if (uid_valid(tsk->loginuid))
2547 audit_sig_uid = tsk->loginuid; 2549 audit_sig_uid = tsk->loginuid;
2548 else 2550 else
2549 audit_sig_uid = uid; 2551 audit_sig_uid = uid;
generated by cgit v1.2.2 (git 2.25.0) at 2024-11-23 16:53:38 -0500