aboutsummaryrefslogtreecommitdiffstats
path: root/kernel/auditsc.c
diff options
context:
space:
mode:
authorLinus Torvalds <torvalds@g5.osdl.org>2006-03-25 12:24:53 -0500
committerLinus Torvalds <torvalds@g5.osdl.org>2006-03-25 12:24:53 -0500
commit1b9a3917366028cc451a98dd22e3bcd537d4e5c1 (patch)
treed911058720e0a9aeeaf9f407ccdc6fbf4047f47d /kernel/auditsc.c
parent3661f00e2097676847deb01add1a0918044bd816 (diff)
parent71e1c784b24a026a490b3de01541fc5ee14ebc09 (diff)
Merge branch 'audit.b3' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit-current
* 'audit.b3' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit-current: (22 commits) [PATCH] fix audit_init failure path [PATCH] EXPORT_SYMBOL patch for audit_log, audit_log_start, audit_log_end and audit_format [PATCH] sem2mutex: audit_netlink_sem [PATCH] simplify audit_free() locking [PATCH] Fix audit operators [PATCH] promiscuous mode [PATCH] Add tty to syscall audit records [PATCH] add/remove rule update [PATCH] audit string fields interface + consumer [PATCH] SE Linux audit events [PATCH] Minor cosmetic cleanups to the code moved into auditfilter.c [PATCH] Fix audit record filtering with !CONFIG_AUDITSYSCALL [PATCH] Fix IA64 success/failure indication in syscall auditing. [PATCH] Miscellaneous bug and warning fixes [PATCH] Capture selinux subject/object context information. [PATCH] Exclude messages by message type [PATCH] Collect more inode information during syscall processing. [PATCH] Pass dentry, not just name, in fsnotify creation hooks. [PATCH] Define new range of userspace messages. [PATCH] Filter rule comparators ... Fixed trivial conflict in security/selinux/hooks.c
Diffstat (limited to 'kernel/auditsc.c')
-rw-r--r--kernel/auditsc.c834
1 files changed, 434 insertions, 400 deletions
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index c4394abcd5e6..7f160df21a23 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2,6 +2,8 @@
2 * Handles all system-call specific auditing features. 2 * Handles all system-call specific auditing features.
3 * 3 *
4 * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina. 4 * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina.
5 * Copyright 2005 Hewlett-Packard Development Company, L.P.
6 * Copyright (C) 2005 IBM Corporation
5 * All Rights Reserved. 7 * All Rights Reserved.
6 * 8 *
7 * This program is free software; you can redistribute it and/or modify 9 * This program is free software; you can redistribute it and/or modify
@@ -27,11 +29,22 @@
27 * this file -- see entry.S) is based on a GPL'd patch written by 29 * this file -- see entry.S) is based on a GPL'd patch written by
28 * okir@suse.de and Copyright 2003 SuSE Linux AG. 30 * okir@suse.de and Copyright 2003 SuSE Linux AG.
29 * 31 *
32 * The support of additional filter rules compares (>, <, >=, <=) was
33 * added by Dustin Kirkland <dustin.kirkland@us.ibm.com>, 2005.
34 *
35 * Modified by Amy Griffis <amy.griffis@hp.com> to collect additional
36 * filesystem information.
37 *
38 * Subject and object context labeling support added by <danjones@us.ibm.com>
39 * and <dustin.kirkland@us.ibm.com> for LSPP certification compliance.
30 */ 40 */
31 41
32#include <linux/init.h> 42#include <linux/init.h>
33#include <asm/types.h> 43#include <asm/types.h>
34#include <asm/atomic.h> 44#include <asm/atomic.h>
45#include <asm/types.h>
46#include <linux/fs.h>
47#include <linux/namei.h>
35#include <linux/mm.h> 48#include <linux/mm.h>
36#include <linux/module.h> 49#include <linux/module.h>
37#include <linux/mount.h> 50#include <linux/mount.h>
@@ -39,16 +52,16 @@
39#include <linux/audit.h> 52#include <linux/audit.h>
40#include <linux/personality.h> 53#include <linux/personality.h>
41#include <linux/time.h> 54#include <linux/time.h>
42#include <linux/kthread.h>
43#include <linux/netlink.h> 55#include <linux/netlink.h>
44#include <linux/compiler.h> 56#include <linux/compiler.h>
45#include <asm/unistd.h> 57#include <asm/unistd.h>
58#include <linux/security.h>
59#include <linux/list.h>
60#include <linux/tty.h>
61
62#include "audit.h"
46 63
47/* 0 = no checking 64extern struct list_head audit_filter_list[];
48 1 = put_count checking
49 2 = verbose put_count checking
50*/
51#define AUDIT_DEBUG 0
52 65
53/* No syscall auditing will take place unless audit_enabled != 0. */ 66/* No syscall auditing will take place unless audit_enabled != 0. */
54extern int audit_enabled; 67extern int audit_enabled;
@@ -62,29 +75,6 @@ extern int audit_enabled;
62 * path_lookup. */ 75 * path_lookup. */
63#define AUDIT_NAMES_RESERVED 7 76#define AUDIT_NAMES_RESERVED 7
64 77
65/* At task start time, the audit_state is set in the audit_context using
66 a per-task filter. At syscall entry, the audit_state is augmented by
67 the syscall filter. */
68enum audit_state {
69 AUDIT_DISABLED, /* Do not create per-task audit_context.
70 * No syscall-specific audit records can
71 * be generated. */
72 AUDIT_SETUP_CONTEXT, /* Create the per-task audit_context,
73 * but don't necessarily fill it in at
74 * syscall entry time (i.e., filter
75 * instead). */
76 AUDIT_BUILD_CONTEXT, /* Create the per-task audit_context,
77 * and always fill it in at syscall
78 * entry time. This makes a full
79 * syscall record available if some
80 * other part of the kernel decides it
81 * should be recorded. */
82 AUDIT_RECORD_CONTEXT /* Create the per-task audit_context,
83 * always fill it in at syscall entry
84 * time, and always write out the audit
85 * record at syscall exit time. */
86};
87
88/* When fs/namei.c:getname() is called, we store the pointer in name and 78/* When fs/namei.c:getname() is called, we store the pointer in name and
89 * we don't let putname() free it (instead we free all of the saved 79 * we don't let putname() free it (instead we free all of the saved
90 * pointers at syscall exit time). 80 * pointers at syscall exit time).
@@ -93,12 +83,13 @@ enum audit_state {
93struct audit_names { 83struct audit_names {
94 const char *name; 84 const char *name;
95 unsigned long ino; 85 unsigned long ino;
86 unsigned long pino;
96 dev_t dev; 87 dev_t dev;
97 umode_t mode; 88 umode_t mode;
98 uid_t uid; 89 uid_t uid;
99 gid_t gid; 90 gid_t gid;
100 dev_t rdev; 91 dev_t rdev;
101 unsigned flags; 92 char *ctx;
102}; 93};
103 94
104struct audit_aux_data { 95struct audit_aux_data {
@@ -115,6 +106,7 @@ struct audit_aux_data_ipcctl {
115 uid_t uid; 106 uid_t uid;
116 gid_t gid; 107 gid_t gid;
117 mode_t mode; 108 mode_t mode;
109 char *ctx;
118}; 110};
119 111
120struct audit_aux_data_socketcall { 112struct audit_aux_data_socketcall {
@@ -167,290 +159,72 @@ struct audit_context {
167#endif 159#endif
168}; 160};
169 161
170 /* Public API */
171/* There are three lists of rules -- one to search at task creation
172 * time, one to search at syscall entry time, and another to search at
173 * syscall exit time. */
174static struct list_head audit_filter_list[AUDIT_NR_FILTERS] = {
175 LIST_HEAD_INIT(audit_filter_list[0]),
176 LIST_HEAD_INIT(audit_filter_list[1]),
177 LIST_HEAD_INIT(audit_filter_list[2]),
178 LIST_HEAD_INIT(audit_filter_list[3]),
179 LIST_HEAD_INIT(audit_filter_list[4]),
180#if AUDIT_NR_FILTERS != 5
181#error Fix audit_filter_list initialiser
182#endif
183};
184
185struct audit_entry {
186 struct list_head list;
187 struct rcu_head rcu;
188 struct audit_rule rule;
189};
190
191extern int audit_pid;
192
193/* Copy rule from user-space to kernel-space. Called from
194 * audit_add_rule during AUDIT_ADD. */
195static inline int audit_copy_rule(struct audit_rule *d, struct audit_rule *s)
196{
197 int i;
198
199 if (s->action != AUDIT_NEVER
200 && s->action != AUDIT_POSSIBLE
201 && s->action != AUDIT_ALWAYS)
202 return -1;
203 if (s->field_count < 0 || s->field_count > AUDIT_MAX_FIELDS)
204 return -1;
205 if ((s->flags & ~AUDIT_FILTER_PREPEND) >= AUDIT_NR_FILTERS)
206 return -1;
207
208 d->flags = s->flags;
209 d->action = s->action;
210 d->field_count = s->field_count;
211 for (i = 0; i < d->field_count; i++) {
212 d->fields[i] = s->fields[i];
213 d->values[i] = s->values[i];
214 }
215 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) d->mask[i] = s->mask[i];
216 return 0;
217}
218
219/* Check to see if two rules are identical. It is called from
220 * audit_add_rule during AUDIT_ADD and
221 * audit_del_rule during AUDIT_DEL. */
222static inline int audit_compare_rule(struct audit_rule *a, struct audit_rule *b)
223{
224 int i;
225
226 if (a->flags != b->flags)
227 return 1;
228
229 if (a->action != b->action)
230 return 1;
231
232 if (a->field_count != b->field_count)
233 return 1;
234
235 for (i = 0; i < a->field_count; i++) {
236 if (a->fields[i] != b->fields[i]
237 || a->values[i] != b->values[i])
238 return 1;
239 }
240
241 for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
242 if (a->mask[i] != b->mask[i])
243 return 1;
244
245 return 0;
246}
247
248/* Note that audit_add_rule and audit_del_rule are called via
249 * audit_receive() in audit.c, and are protected by
250 * audit_netlink_sem. */
251static inline int audit_add_rule(struct audit_rule *rule,
252 struct list_head *list)
253{
254 struct audit_entry *entry;
255
256 /* Do not use the _rcu iterator here, since this is the only
257 * addition routine. */
258 list_for_each_entry(entry, list, list) {
259 if (!audit_compare_rule(rule, &entry->rule)) {
260 return -EEXIST;
261 }
262 }
263
264 if (!(entry = kmalloc(sizeof(*entry), GFP_KERNEL)))
265 return -ENOMEM;
266 if (audit_copy_rule(&entry->rule, rule)) {
267 kfree(entry);
268 return -EINVAL;
269 }
270
271 if (entry->rule.flags & AUDIT_FILTER_PREPEND) {
272 entry->rule.flags &= ~AUDIT_FILTER_PREPEND;
273 list_add_rcu(&entry->list, list);
274 } else {
275 list_add_tail_rcu(&entry->list, list);
276 }
277
278 return 0;
279}
280
281static inline void audit_free_rule(struct rcu_head *head)
282{
283 struct audit_entry *e = container_of(head, struct audit_entry, rcu);
284 kfree(e);
285}
286
287/* Note that audit_add_rule and audit_del_rule are called via
288 * audit_receive() in audit.c, and are protected by
289 * audit_netlink_sem. */
290static inline int audit_del_rule(struct audit_rule *rule,
291 struct list_head *list)
292{
293 struct audit_entry *e;
294
295 /* Do not use the _rcu iterator here, since this is the only
296 * deletion routine. */
297 list_for_each_entry(e, list, list) {
298 if (!audit_compare_rule(rule, &e->rule)) {
299 list_del_rcu(&e->list);
300 call_rcu(&e->rcu, audit_free_rule);
301 return 0;
302 }
303 }
304 return -ENOENT; /* No matching rule */
305}
306
307static int audit_list_rules(void *_dest)
308{
309 int pid, seq;
310 int *dest = _dest;
311 struct audit_entry *entry;
312 int i;
313
314 pid = dest[0];
315 seq = dest[1];
316 kfree(dest);
317
318 down(&audit_netlink_sem);
319
320 /* The *_rcu iterators not needed here because we are
321 always called with audit_netlink_sem held. */
322 for (i=0; i<AUDIT_NR_FILTERS; i++) {
323 list_for_each_entry(entry, &audit_filter_list[i], list)
324 audit_send_reply(pid, seq, AUDIT_LIST, 0, 1,
325 &entry->rule, sizeof(entry->rule));
326 }
327 audit_send_reply(pid, seq, AUDIT_LIST, 1, 1, NULL, 0);
328
329 up(&audit_netlink_sem);
330 return 0;
331}
332
333int audit_receive_filter(int type, int pid, int uid, int seq, void *data,
334 uid_t loginuid)
335{
336 struct task_struct *tsk;
337 int *dest;
338 int err = 0;
339 unsigned listnr;
340
341 switch (type) {
342 case AUDIT_LIST:
343 /* We can't just spew out the rules here because we might fill
344 * the available socket buffer space and deadlock waiting for
345 * auditctl to read from it... which isn't ever going to
346 * happen if we're actually running in the context of auditctl
347 * trying to _send_ the stuff */
348
349 dest = kmalloc(2 * sizeof(int), GFP_KERNEL);
350 if (!dest)
351 return -ENOMEM;
352 dest[0] = pid;
353 dest[1] = seq;
354
355 tsk = kthread_run(audit_list_rules, dest, "audit_list_rules");
356 if (IS_ERR(tsk)) {
357 kfree(dest);
358 err = PTR_ERR(tsk);
359 }
360 break;
361 case AUDIT_ADD:
362 listnr =((struct audit_rule *)data)->flags & ~AUDIT_FILTER_PREPEND;
363 if (listnr >= AUDIT_NR_FILTERS)
364 return -EINVAL;
365
366 err = audit_add_rule(data, &audit_filter_list[listnr]);
367 if (!err)
368 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
369 "auid=%u added an audit rule\n", loginuid);
370 break;
371 case AUDIT_DEL:
372 listnr =((struct audit_rule *)data)->flags & ~AUDIT_FILTER_PREPEND;
373 if (listnr >= AUDIT_NR_FILTERS)
374 return -EINVAL;
375
376 err = audit_del_rule(data, &audit_filter_list[listnr]);
377 if (!err)
378 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
379 "auid=%u removed an audit rule\n", loginuid);
380 break;
381 default:
382 return -EINVAL;
383 }
384
385 return err;
386}
387 162
388/* Compare a task_struct with an audit_rule. Return 1 on match, 0 163/* Compare a task_struct with an audit_rule. Return 1 on match, 0
389 * otherwise. */ 164 * otherwise. */
390static int audit_filter_rules(struct task_struct *tsk, 165static int audit_filter_rules(struct task_struct *tsk,
391 struct audit_rule *rule, 166 struct audit_krule *rule,
392 struct audit_context *ctx, 167 struct audit_context *ctx,
393 enum audit_state *state) 168 enum audit_state *state)
394{ 169{
395 int i, j; 170 int i, j;
396 171
397 for (i = 0; i < rule->field_count; i++) { 172 for (i = 0; i < rule->field_count; i++) {
398 u32 field = rule->fields[i] & ~AUDIT_NEGATE; 173 struct audit_field *f = &rule->fields[i];
399 u32 value = rule->values[i];
400 int result = 0; 174 int result = 0;
401 175
402 switch (field) { 176 switch (f->type) {
403 case AUDIT_PID: 177 case AUDIT_PID:
404 result = (tsk->pid == value); 178 result = audit_comparator(tsk->pid, f->op, f->val);
405 break; 179 break;
406 case AUDIT_UID: 180 case AUDIT_UID:
407 result = (tsk->uid == value); 181 result = audit_comparator(tsk->uid, f->op, f->val);
408 break; 182 break;
409 case AUDIT_EUID: 183 case AUDIT_EUID:
410 result = (tsk->euid == value); 184 result = audit_comparator(tsk->euid, f->op, f->val);
411 break; 185 break;
412 case AUDIT_SUID: 186 case AUDIT_SUID:
413 result = (tsk->suid == value); 187 result = audit_comparator(tsk->suid, f->op, f->val);
414 break; 188 break;
415 case AUDIT_FSUID: 189 case AUDIT_FSUID:
416 result = (tsk->fsuid == value); 190 result = audit_comparator(tsk->fsuid, f->op, f->val);
417 break; 191 break;
418 case AUDIT_GID: 192 case AUDIT_GID:
419 result = (tsk->gid == value); 193 result = audit_comparator(tsk->gid, f->op, f->val);
420 break; 194 break;
421 case AUDIT_EGID: 195 case AUDIT_EGID:
422 result = (tsk->egid == value); 196 result = audit_comparator(tsk->egid, f->op, f->val);
423 break; 197 break;
424 case AUDIT_SGID: 198 case AUDIT_SGID:
425 result = (tsk->sgid == value); 199 result = audit_comparator(tsk->sgid, f->op, f->val);
426 break; 200 break;
427 case AUDIT_FSGID: 201 case AUDIT_FSGID:
428 result = (tsk->fsgid == value); 202 result = audit_comparator(tsk->fsgid, f->op, f->val);
429 break; 203 break;
430 case AUDIT_PERS: 204 case AUDIT_PERS:
431 result = (tsk->personality == value); 205 result = audit_comparator(tsk->personality, f->op, f->val);
432 break; 206 break;
433 case AUDIT_ARCH: 207 case AUDIT_ARCH:
434 if (ctx) 208 if (ctx)
435 result = (ctx->arch == value); 209 result = audit_comparator(ctx->arch, f->op, f->val);
436 break; 210 break;
437 211
438 case AUDIT_EXIT: 212 case AUDIT_EXIT:
439 if (ctx && ctx->return_valid) 213 if (ctx && ctx->return_valid)
440 result = (ctx->return_code == value); 214 result = audit_comparator(ctx->return_code, f->op, f->val);
441 break; 215 break;
442 case AUDIT_SUCCESS: 216 case AUDIT_SUCCESS:
443 if (ctx && ctx->return_valid) { 217 if (ctx && ctx->return_valid) {
444 if (value) 218 if (f->val)
445 result = (ctx->return_valid == AUDITSC_SUCCESS); 219 result = audit_comparator(ctx->return_valid, f->op, AUDITSC_SUCCESS);
446 else 220 else
447 result = (ctx->return_valid == AUDITSC_FAILURE); 221 result = audit_comparator(ctx->return_valid, f->op, AUDITSC_FAILURE);
448 } 222 }
449 break; 223 break;
450 case AUDIT_DEVMAJOR: 224 case AUDIT_DEVMAJOR:
451 if (ctx) { 225 if (ctx) {
452 for (j = 0; j < ctx->name_count; j++) { 226 for (j = 0; j < ctx->name_count; j++) {
453 if (MAJOR(ctx->names[j].dev)==value) { 227 if (audit_comparator(MAJOR(ctx->names[j].dev), f->op, f->val)) {
454 ++result; 228 ++result;
455 break; 229 break;
456 } 230 }
@@ -460,7 +234,7 @@ static int audit_filter_rules(struct task_struct *tsk,
460 case AUDIT_DEVMINOR: 234 case AUDIT_DEVMINOR:
461 if (ctx) { 235 if (ctx) {
462 for (j = 0; j < ctx->name_count; j++) { 236 for (j = 0; j < ctx->name_count; j++) {
463 if (MINOR(ctx->names[j].dev)==value) { 237 if (audit_comparator(MINOR(ctx->names[j].dev), f->op, f->val)) {
464 ++result; 238 ++result;
465 break; 239 break;
466 } 240 }
@@ -470,7 +244,8 @@ static int audit_filter_rules(struct task_struct *tsk,
470 case AUDIT_INODE: 244 case AUDIT_INODE:
471 if (ctx) { 245 if (ctx) {
472 for (j = 0; j < ctx->name_count; j++) { 246 for (j = 0; j < ctx->name_count; j++) {
473 if (ctx->names[j].ino == value) { 247 if (audit_comparator(ctx->names[j].ino, f->op, f->val) ||
248 audit_comparator(ctx->names[j].pino, f->op, f->val)) {
474 ++result; 249 ++result;
475 break; 250 break;
476 } 251 }
@@ -480,19 +255,17 @@ static int audit_filter_rules(struct task_struct *tsk,
480 case AUDIT_LOGINUID: 255 case AUDIT_LOGINUID:
481 result = 0; 256 result = 0;
482 if (ctx) 257 if (ctx)
483 result = (ctx->loginuid == value); 258 result = audit_comparator(ctx->loginuid, f->op, f->val);
484 break; 259 break;
485 case AUDIT_ARG0: 260 case AUDIT_ARG0:
486 case AUDIT_ARG1: 261 case AUDIT_ARG1:
487 case AUDIT_ARG2: 262 case AUDIT_ARG2:
488 case AUDIT_ARG3: 263 case AUDIT_ARG3:
489 if (ctx) 264 if (ctx)
490 result = (ctx->argv[field-AUDIT_ARG0]==value); 265 result = audit_comparator(ctx->argv[f->type-AUDIT_ARG0], f->op, f->val);
491 break; 266 break;
492 } 267 }
493 268
494 if (rule->fields[i] & AUDIT_NEGATE)
495 result = !result;
496 if (!result) 269 if (!result)
497 return 0; 270 return 0;
498 } 271 }
@@ -527,7 +300,7 @@ static enum audit_state audit_filter_task(struct task_struct *tsk)
527/* At syscall entry and exit time, this filter is called if the 300/* At syscall entry and exit time, this filter is called if the
528 * audit_state is not low enough that auditing cannot take place, but is 301 * audit_state is not low enough that auditing cannot take place, but is
529 * also not high enough that we already know we have to write an audit 302 * also not high enough that we already know we have to write an audit
530 * record (i.e., the state is AUDIT_SETUP_CONTEXT or AUDIT_BUILD_CONTEXT). 303 * record (i.e., the state is AUDIT_SETUP_CONTEXT or AUDIT_BUILD_CONTEXT).
531 */ 304 */
532static enum audit_state audit_filter_syscall(struct task_struct *tsk, 305static enum audit_state audit_filter_syscall(struct task_struct *tsk,
533 struct audit_context *ctx, 306 struct audit_context *ctx,
@@ -541,77 +314,19 @@ static enum audit_state audit_filter_syscall(struct task_struct *tsk,
541 314
542 rcu_read_lock(); 315 rcu_read_lock();
543 if (!list_empty(list)) { 316 if (!list_empty(list)) {
544 int word = AUDIT_WORD(ctx->major); 317 int word = AUDIT_WORD(ctx->major);
545 int bit = AUDIT_BIT(ctx->major); 318 int bit = AUDIT_BIT(ctx->major);
546 319
547 list_for_each_entry_rcu(e, list, list) { 320 list_for_each_entry_rcu(e, list, list) {
548 if ((e->rule.mask[word] & bit) == bit 321 if ((e->rule.mask[word] & bit) == bit
549 && audit_filter_rules(tsk, &e->rule, ctx, &state)) { 322 && audit_filter_rules(tsk, &e->rule, ctx, &state)) {
550 rcu_read_unlock(); 323 rcu_read_unlock();
551 return state; 324 return state;
552 } 325 }
553 }
554 }
555 rcu_read_unlock();
556 return AUDIT_BUILD_CONTEXT;
557}
558
559static int audit_filter_user_rules(struct netlink_skb_parms *cb,
560 struct audit_rule *rule,
561 enum audit_state *state)
562{
563 int i;
564
565 for (i = 0; i < rule->field_count; i++) {
566 u32 field = rule->fields[i] & ~AUDIT_NEGATE;
567 u32 value = rule->values[i];
568 int result = 0;
569
570 switch (field) {
571 case AUDIT_PID:
572 result = (cb->creds.pid == value);
573 break;
574 case AUDIT_UID:
575 result = (cb->creds.uid == value);
576 break;
577 case AUDIT_GID:
578 result = (cb->creds.gid == value);
579 break;
580 case AUDIT_LOGINUID:
581 result = (cb->loginuid == value);
582 break;
583 }
584
585 if (rule->fields[i] & AUDIT_NEGATE)
586 result = !result;
587 if (!result)
588 return 0;
589 }
590 switch (rule->action) {
591 case AUDIT_NEVER: *state = AUDIT_DISABLED; break;
592 case AUDIT_POSSIBLE: *state = AUDIT_BUILD_CONTEXT; break;
593 case AUDIT_ALWAYS: *state = AUDIT_RECORD_CONTEXT; break;
594 }
595 return 1;
596}
597
598int audit_filter_user(struct netlink_skb_parms *cb, int type)
599{
600 struct audit_entry *e;
601 enum audit_state state;
602 int ret = 1;
603
604 rcu_read_lock();
605 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) {
606 if (audit_filter_user_rules(cb, &e->rule, &state)) {
607 if (state == AUDIT_DISABLED)
608 ret = 0;
609 break;
610 } 326 }
611 } 327 }
612 rcu_read_unlock(); 328 rcu_read_unlock();
613 329 return AUDIT_BUILD_CONTEXT;
614 return ret; /* Audit by default */
615} 330}
616 331
617/* This should be called with task_lock() held. */ 332/* This should be called with task_lock() held. */
@@ -654,17 +369,18 @@ static inline void audit_free_names(struct audit_context *context)
654#if AUDIT_DEBUG == 2 369#if AUDIT_DEBUG == 2
655 if (context->auditable 370 if (context->auditable
656 ||context->put_count + context->ino_count != context->name_count) { 371 ||context->put_count + context->ino_count != context->name_count) {
657 printk(KERN_ERR "audit.c:%d(:%d): major=%d in_syscall=%d" 372 printk(KERN_ERR "%s:%d(:%d): major=%d in_syscall=%d"
658 " name_count=%d put_count=%d" 373 " name_count=%d put_count=%d"
659 " ino_count=%d [NOT freeing]\n", 374 " ino_count=%d [NOT freeing]\n",
660 __LINE__, 375 __FILE__, __LINE__,
661 context->serial, context->major, context->in_syscall, 376 context->serial, context->major, context->in_syscall,
662 context->name_count, context->put_count, 377 context->name_count, context->put_count,
663 context->ino_count); 378 context->ino_count);
664 for (i = 0; i < context->name_count; i++) 379 for (i = 0; i < context->name_count; i++) {
665 printk(KERN_ERR "names[%d] = %p = %s\n", i, 380 printk(KERN_ERR "names[%d] = %p = %s\n", i,
666 context->names[i].name, 381 context->names[i].name,
667 context->names[i].name); 382 context->names[i].name ?: "(null)");
383 }
668 dump_stack(); 384 dump_stack();
669 return; 385 return;
670 } 386 }
@@ -674,9 +390,13 @@ static inline void audit_free_names(struct audit_context *context)
674 context->ino_count = 0; 390 context->ino_count = 0;
675#endif 391#endif
676 392
677 for (i = 0; i < context->name_count; i++) 393 for (i = 0; i < context->name_count; i++) {
394 char *p = context->names[i].ctx;
395 context->names[i].ctx = NULL;
396 kfree(p);
678 if (context->names[i].name) 397 if (context->names[i].name)
679 __putname(context->names[i].name); 398 __putname(context->names[i].name);
399 }
680 context->name_count = 0; 400 context->name_count = 0;
681 if (context->pwd) 401 if (context->pwd)
682 dput(context->pwd); 402 dput(context->pwd);
@@ -696,6 +416,12 @@ static inline void audit_free_aux(struct audit_context *context)
696 dput(axi->dentry); 416 dput(axi->dentry);
697 mntput(axi->mnt); 417 mntput(axi->mnt);
698 } 418 }
419 if ( aux->type == AUDIT_IPC ) {
420 struct audit_aux_data_ipcctl *axi = (void *)aux;
421 if (axi->ctx)
422 kfree(axi->ctx);
423 }
424
699 context->aux = aux->next; 425 context->aux = aux->next;
700 kfree(aux); 426 kfree(aux);
701 } 427 }
@@ -721,10 +447,15 @@ static inline struct audit_context *audit_alloc_context(enum audit_state state)
721 return context; 447 return context;
722} 448}
723 449
724/* Filter on the task information and allocate a per-task audit context 450/**
451 * audit_alloc - allocate an audit context block for a task
452 * @tsk: task
453 *
454 * Filter on the task information and allocate a per-task audit context
725 * if necessary. Doing so turns on system call auditing for the 455 * if necessary. Doing so turns on system call auditing for the
726 * specified task. This is called from copy_process, so no lock is 456 * specified task. This is called from copy_process, so no lock is
727 * needed. */ 457 * needed.
458 */
728int audit_alloc(struct task_struct *tsk) 459int audit_alloc(struct task_struct *tsk)
729{ 460{
730 struct audit_context *context; 461 struct audit_context *context;
@@ -775,7 +506,37 @@ static inline void audit_free_context(struct audit_context *context)
775 printk(KERN_ERR "audit: freed %d contexts\n", count); 506 printk(KERN_ERR "audit: freed %d contexts\n", count);
776} 507}
777 508
778static void audit_log_task_info(struct audit_buffer *ab) 509static void audit_log_task_context(struct audit_buffer *ab, gfp_t gfp_mask)
510{
511 char *ctx = NULL;
512 ssize_t len = 0;
513
514 len = security_getprocattr(current, "current", NULL, 0);
515 if (len < 0) {
516 if (len != -EINVAL)
517 goto error_path;
518 return;
519 }
520
521 ctx = kmalloc(len, gfp_mask);
522 if (!ctx)
523 goto error_path;
524
525 len = security_getprocattr(current, "current", ctx, len);
526 if (len < 0 )
527 goto error_path;
528
529 audit_log_format(ab, " subj=%s", ctx);
530 return;
531
532error_path:
533 if (ctx)
534 kfree(ctx);
535 audit_panic("error in audit_log_task_context");
536 return;
537}
538
539static void audit_log_task_info(struct audit_buffer *ab, gfp_t gfp_mask)
779{ 540{
780 char name[sizeof(current->comm)]; 541 char name[sizeof(current->comm)];
781 struct mm_struct *mm = current->mm; 542 struct mm_struct *mm = current->mm;
@@ -788,6 +549,10 @@ static void audit_log_task_info(struct audit_buffer *ab)
788 if (!mm) 549 if (!mm)
789 return; 550 return;
790 551
552 /*
553 * this is brittle; all callers that pass GFP_ATOMIC will have
554 * NULL current->mm and we won't get here.
555 */
791 down_read(&mm->mmap_sem); 556 down_read(&mm->mmap_sem);
792 vma = mm->mmap; 557 vma = mm->mmap;
793 while (vma) { 558 while (vma) {
@@ -801,6 +566,7 @@ static void audit_log_task_info(struct audit_buffer *ab)
801 vma = vma->vm_next; 566 vma = vma->vm_next;
802 } 567 }
803 up_read(&mm->mmap_sem); 568 up_read(&mm->mmap_sem);
569 audit_log_task_context(ab, gfp_mask);
804} 570}
805 571
806static void audit_log_exit(struct audit_context *context, gfp_t gfp_mask) 572static void audit_log_exit(struct audit_context *context, gfp_t gfp_mask)
@@ -808,6 +574,7 @@ static void audit_log_exit(struct audit_context *context, gfp_t gfp_mask)
808 int i; 574 int i;
809 struct audit_buffer *ab; 575 struct audit_buffer *ab;
810 struct audit_aux_data *aux; 576 struct audit_aux_data *aux;
577 const char *tty;
811 578
812 ab = audit_log_start(context, gfp_mask, AUDIT_SYSCALL); 579 ab = audit_log_start(context, gfp_mask, AUDIT_SYSCALL);
813 if (!ab) 580 if (!ab)
@@ -820,11 +587,15 @@ static void audit_log_exit(struct audit_context *context, gfp_t gfp_mask)
820 audit_log_format(ab, " success=%s exit=%ld", 587 audit_log_format(ab, " success=%s exit=%ld",
821 (context->return_valid==AUDITSC_SUCCESS)?"yes":"no", 588 (context->return_valid==AUDITSC_SUCCESS)?"yes":"no",
822 context->return_code); 589 context->return_code);
590 if (current->signal->tty && current->signal->tty->name)
591 tty = current->signal->tty->name;
592 else
593 tty = "(none)";
823 audit_log_format(ab, 594 audit_log_format(ab,
824 " a0=%lx a1=%lx a2=%lx a3=%lx items=%d" 595 " a0=%lx a1=%lx a2=%lx a3=%lx items=%d"
825 " pid=%d auid=%u uid=%u gid=%u" 596 " pid=%d auid=%u uid=%u gid=%u"
826 " euid=%u suid=%u fsuid=%u" 597 " euid=%u suid=%u fsuid=%u"
827 " egid=%u sgid=%u fsgid=%u", 598 " egid=%u sgid=%u fsgid=%u tty=%s",
828 context->argv[0], 599 context->argv[0],
829 context->argv[1], 600 context->argv[1],
830 context->argv[2], 601 context->argv[2],
@@ -835,8 +606,8 @@ static void audit_log_exit(struct audit_context *context, gfp_t gfp_mask)
835 context->uid, 606 context->uid,
836 context->gid, 607 context->gid,
837 context->euid, context->suid, context->fsuid, 608 context->euid, context->suid, context->fsuid,
838 context->egid, context->sgid, context->fsgid); 609 context->egid, context->sgid, context->fsgid, tty);
839 audit_log_task_info(ab); 610 audit_log_task_info(ab, gfp_mask);
840 audit_log_end(ab); 611 audit_log_end(ab);
841 612
842 for (aux = context->aux; aux; aux = aux->next) { 613 for (aux = context->aux; aux; aux = aux->next) {
@@ -849,8 +620,8 @@ static void audit_log_exit(struct audit_context *context, gfp_t gfp_mask)
849 case AUDIT_IPC: { 620 case AUDIT_IPC: {
850 struct audit_aux_data_ipcctl *axi = (void *)aux; 621 struct audit_aux_data_ipcctl *axi = (void *)aux;
851 audit_log_format(ab, 622 audit_log_format(ab,
852 " qbytes=%lx iuid=%u igid=%u mode=%x", 623 " qbytes=%lx iuid=%u igid=%u mode=%x obj=%s",
853 axi->qbytes, axi->uid, axi->gid, axi->mode); 624 axi->qbytes, axi->uid, axi->gid, axi->mode, axi->ctx);
854 break; } 625 break; }
855 626
856 case AUDIT_SOCKETCALL: { 627 case AUDIT_SOCKETCALL: {
@@ -885,42 +656,62 @@ static void audit_log_exit(struct audit_context *context, gfp_t gfp_mask)
885 } 656 }
886 } 657 }
887 for (i = 0; i < context->name_count; i++) { 658 for (i = 0; i < context->name_count; i++) {
659 unsigned long ino = context->names[i].ino;
660 unsigned long pino = context->names[i].pino;
661
888 ab = audit_log_start(context, gfp_mask, AUDIT_PATH); 662 ab = audit_log_start(context, gfp_mask, AUDIT_PATH);
889 if (!ab) 663 if (!ab)
890 continue; /* audit_panic has been called */ 664 continue; /* audit_panic has been called */
891 665
892 audit_log_format(ab, "item=%d", i); 666 audit_log_format(ab, "item=%d", i);
893 if (context->names[i].name) { 667
894 audit_log_format(ab, " name="); 668 audit_log_format(ab, " name=");
669 if (context->names[i].name)
895 audit_log_untrustedstring(ab, context->names[i].name); 670 audit_log_untrustedstring(ab, context->names[i].name);
896 } 671 else
897 audit_log_format(ab, " flags=%x\n", context->names[i].flags); 672 audit_log_format(ab, "(null)");
898 673
899 if (context->names[i].ino != (unsigned long)-1) 674 if (pino != (unsigned long)-1)
900 audit_log_format(ab, " inode=%lu dev=%02x:%02x mode=%#o" 675 audit_log_format(ab, " parent=%lu", pino);
901 " ouid=%u ogid=%u rdev=%02x:%02x", 676 if (ino != (unsigned long)-1)
902 context->names[i].ino, 677 audit_log_format(ab, " inode=%lu", ino);
903 MAJOR(context->names[i].dev), 678 if ((pino != (unsigned long)-1) || (ino != (unsigned long)-1))
904 MINOR(context->names[i].dev), 679 audit_log_format(ab, " dev=%02x:%02x mode=%#o"
905 context->names[i].mode, 680 " ouid=%u ogid=%u rdev=%02x:%02x",
906 context->names[i].uid, 681 MAJOR(context->names[i].dev),
907 context->names[i].gid, 682 MINOR(context->names[i].dev),
908 MAJOR(context->names[i].rdev), 683 context->names[i].mode,
684 context->names[i].uid,
685 context->names[i].gid,
686 MAJOR(context->names[i].rdev),
909 MINOR(context->names[i].rdev)); 687 MINOR(context->names[i].rdev));
688 if (context->names[i].ctx) {
689 audit_log_format(ab, " obj=%s",
690 context->names[i].ctx);
691 }
692
910 audit_log_end(ab); 693 audit_log_end(ab);
911 } 694 }
912} 695}
913 696
914/* Free a per-task audit context. Called from copy_process and 697/**
915 * __put_task_struct. */ 698 * audit_free - free a per-task audit context
699 * @tsk: task whose audit context block to free
700 *
701 * Called from copy_process and __put_task_struct.
702 */
916void audit_free(struct task_struct *tsk) 703void audit_free(struct task_struct *tsk)
917{ 704{
918 struct audit_context *context; 705 struct audit_context *context;
919 706
920 task_lock(tsk); 707 /*
708 * No need to lock the task - when we execute audit_free()
709 * then the task has no external references anymore, and
710 * we are tearing it down. (The locking also confuses
711 * DEBUG_LOCKDEP - this freeing may occur in softirq
712 * contexts as well, via RCU.)
713 */
921 context = audit_get_context(tsk, 0, 0); 714 context = audit_get_context(tsk, 0, 0);
922 task_unlock(tsk);
923
924 if (likely(!context)) 715 if (likely(!context))
925 return; 716 return;
926 717
@@ -934,13 +725,24 @@ void audit_free(struct task_struct *tsk)
934 audit_free_context(context); 725 audit_free_context(context);
935} 726}
936 727
937/* Fill in audit context at syscall entry. This only happens if the 728/**
729 * audit_syscall_entry - fill in an audit record at syscall entry
730 * @tsk: task being audited
731 * @arch: architecture type
732 * @major: major syscall type (function)
733 * @a1: additional syscall register 1
734 * @a2: additional syscall register 2
735 * @a3: additional syscall register 3
736 * @a4: additional syscall register 4
737 *
738 * Fill in audit context at syscall entry. This only happens if the
938 * audit context was created when the task was created and the state or 739 * audit context was created when the task was created and the state or
939 * filters demand the audit context be built. If the state from the 740 * filters demand the audit context be built. If the state from the
940 * per-task filter or from the per-syscall filter is AUDIT_RECORD_CONTEXT, 741 * per-task filter or from the per-syscall filter is AUDIT_RECORD_CONTEXT,
941 * then the record will be written at syscall exit time (otherwise, it 742 * then the record will be written at syscall exit time (otherwise, it
942 * will only be written if another part of the kernel requests that it 743 * will only be written if another part of the kernel requests that it
943 * be written). */ 744 * be written).
745 */
944void audit_syscall_entry(struct task_struct *tsk, int arch, int major, 746void audit_syscall_entry(struct task_struct *tsk, int arch, int major,
945 unsigned long a1, unsigned long a2, 747 unsigned long a1, unsigned long a2,
946 unsigned long a3, unsigned long a4) 748 unsigned long a3, unsigned long a4)
@@ -950,7 +752,8 @@ void audit_syscall_entry(struct task_struct *tsk, int arch, int major,
950 752
951 BUG_ON(!context); 753 BUG_ON(!context);
952 754
953 /* This happens only on certain architectures that make system 755 /*
756 * This happens only on certain architectures that make system
954 * calls in kernel_thread via the entry.S interface, instead of 757 * calls in kernel_thread via the entry.S interface, instead of
955 * with direct calls. (If you are porting to a new 758 * with direct calls. (If you are porting to a new
956 * architecture, hitting this condition can indicate that you 759 * architecture, hitting this condition can indicate that you
@@ -966,11 +769,6 @@ void audit_syscall_entry(struct task_struct *tsk, int arch, int major,
966 if (context->in_syscall) { 769 if (context->in_syscall) {
967 struct audit_context *newctx; 770 struct audit_context *newctx;
968 771
969#if defined(__NR_vm86) && defined(__NR_vm86old)
970 /* vm86 mode should only be entered once */
971 if (major == __NR_vm86 || major == __NR_vm86old)
972 return;
973#endif
974#if AUDIT_DEBUG 772#if AUDIT_DEBUG
975 printk(KERN_ERR 773 printk(KERN_ERR
976 "audit(:%d) pid=%d in syscall=%d;" 774 "audit(:%d) pid=%d in syscall=%d;"
@@ -1014,11 +812,18 @@ void audit_syscall_entry(struct task_struct *tsk, int arch, int major,
1014 context->auditable = !!(state == AUDIT_RECORD_CONTEXT); 812 context->auditable = !!(state == AUDIT_RECORD_CONTEXT);
1015} 813}
1016 814
1017/* Tear down after system call. If the audit context has been marked as 815/**
816 * audit_syscall_exit - deallocate audit context after a system call
817 * @tsk: task being audited
818 * @valid: success/failure flag
819 * @return_code: syscall return value
820 *
821 * Tear down after system call. If the audit context has been marked as
1018 * auditable (either because of the AUDIT_RECORD_CONTEXT state from 822 * auditable (either because of the AUDIT_RECORD_CONTEXT state from
1019 * filtering, or because some other part of the kernel write an audit 823 * filtering, or because some other part of the kernel write an audit
1020 * message), then write out the syscall information. In call cases, 824 * message), then write out the syscall information. In call cases,
1021 * free the names stored from getname(). */ 825 * free the names stored from getname().
826 */
1022void audit_syscall_exit(struct task_struct *tsk, int valid, long return_code) 827void audit_syscall_exit(struct task_struct *tsk, int valid, long return_code)
1023{ 828{
1024 struct audit_context *context; 829 struct audit_context *context;
@@ -1053,7 +858,13 @@ void audit_syscall_exit(struct task_struct *tsk, int valid, long return_code)
1053 put_task_struct(tsk); 858 put_task_struct(tsk);
1054} 859}
1055 860
1056/* Add a name to the list. Called from fs/namei.c:getname(). */ 861/**
862 * audit_getname - add a name to the list
863 * @name: name to add
864 *
865 * Add a name to the list of audit names for this context.
866 * Called from fs/namei.c:getname().
867 */
1057void audit_getname(const char *name) 868void audit_getname(const char *name)
1058{ 869{
1059 struct audit_context *context = current->audit_context; 870 struct audit_context *context = current->audit_context;
@@ -1082,10 +893,13 @@ void audit_getname(const char *name)
1082 893
1083} 894}
1084 895
1085/* Intercept a putname request. Called from 896/* audit_putname - intercept a putname request
1086 * include/linux/fs.h:putname(). If we have stored the name from 897 * @name: name to intercept and delay for putname
1087 * getname in the audit context, then we delay the putname until syscall 898 *
1088 * exit. */ 899 * If we have stored the name from getname in the audit context,
900 * then we delay the putname until syscall exit.
901 * Called from include/linux/fs.h:putname().
902 */
1089void audit_putname(const char *name) 903void audit_putname(const char *name)
1090{ 904{
1091 struct audit_context *context = current->audit_context; 905 struct audit_context *context = current->audit_context;
@@ -1100,7 +914,7 @@ void audit_putname(const char *name)
1100 for (i = 0; i < context->name_count; i++) 914 for (i = 0; i < context->name_count; i++)
1101 printk(KERN_ERR "name[%d] = %p = %s\n", i, 915 printk(KERN_ERR "name[%d] = %p = %s\n", i,
1102 context->names[i].name, 916 context->names[i].name,
1103 context->names[i].name); 917 context->names[i].name ?: "(null)");
1104 } 918 }
1105#endif 919#endif
1106 __putname(name); 920 __putname(name);
@@ -1122,9 +936,52 @@ void audit_putname(const char *name)
1122#endif 936#endif
1123} 937}
1124 938
1125/* Store the inode and device from a lookup. Called from 939void audit_inode_context(int idx, const struct inode *inode)
1126 * fs/namei.c:path_lookup(). */ 940{
1127void audit_inode(const char *name, const struct inode *inode, unsigned flags) 941 struct audit_context *context = current->audit_context;
942 const char *suffix = security_inode_xattr_getsuffix();
943 char *ctx = NULL;
944 int len = 0;
945
946 if (!suffix)
947 goto ret;
948
949 len = security_inode_getsecurity(inode, suffix, NULL, 0, 0);
950 if (len == -EOPNOTSUPP)
951 goto ret;
952 if (len < 0)
953 goto error_path;
954
955 ctx = kmalloc(len, GFP_KERNEL);
956 if (!ctx)
957 goto error_path;
958
959 len = security_inode_getsecurity(inode, suffix, ctx, len, 0);
960 if (len < 0)
961 goto error_path;
962
963 kfree(context->names[idx].ctx);
964 context->names[idx].ctx = ctx;
965 goto ret;
966
967error_path:
968 if (ctx)
969 kfree(ctx);
970 audit_panic("error in audit_inode_context");
971ret:
972 return;
973}
974
975
976/**
977 * audit_inode - store the inode and device from a lookup
978 * @name: name being audited
979 * @inode: inode being audited
980 * @flags: lookup flags (as used in path_lookup())
981 *
982 * Called from fs/namei.c:path_lookup().
983 */
984void __audit_inode(const char *name, const struct inode *inode, unsigned flags)
1128{ 985{
1129 int idx; 986 int idx;
1130 struct audit_context *context = current->audit_context; 987 struct audit_context *context = current->audit_context;
@@ -1150,15 +1007,105 @@ void audit_inode(const char *name, const struct inode *inode, unsigned flags)
1150 ++context->ino_count; 1007 ++context->ino_count;
1151#endif 1008#endif
1152 } 1009 }
1153 context->names[idx].flags = flags;
1154 context->names[idx].ino = inode->i_ino;
1155 context->names[idx].dev = inode->i_sb->s_dev; 1010 context->names[idx].dev = inode->i_sb->s_dev;
1156 context->names[idx].mode = inode->i_mode; 1011 context->names[idx].mode = inode->i_mode;
1157 context->names[idx].uid = inode->i_uid; 1012 context->names[idx].uid = inode->i_uid;
1158 context->names[idx].gid = inode->i_gid; 1013 context->names[idx].gid = inode->i_gid;
1159 context->names[idx].rdev = inode->i_rdev; 1014 context->names[idx].rdev = inode->i_rdev;
1015 audit_inode_context(idx, inode);
1016 if ((flags & LOOKUP_PARENT) && (strcmp(name, "/") != 0) &&
1017 (strcmp(name, ".") != 0)) {
1018 context->names[idx].ino = (unsigned long)-1;
1019 context->names[idx].pino = inode->i_ino;
1020 } else {
1021 context->names[idx].ino = inode->i_ino;
1022 context->names[idx].pino = (unsigned long)-1;
1023 }
1024}
1025
1026/**
1027 * audit_inode_child - collect inode info for created/removed objects
1028 * @dname: inode's dentry name
1029 * @inode: inode being audited
1030 * @pino: inode number of dentry parent
1031 *
1032 * For syscalls that create or remove filesystem objects, audit_inode
1033 * can only collect information for the filesystem object's parent.
1034 * This call updates the audit context with the child's information.
1035 * Syscalls that create a new filesystem object must be hooked after
1036 * the object is created. Syscalls that remove a filesystem object
1037 * must be hooked prior, in order to capture the target inode during
1038 * unsuccessful attempts.
1039 */
1040void __audit_inode_child(const char *dname, const struct inode *inode,
1041 unsigned long pino)
1042{
1043 int idx;
1044 struct audit_context *context = current->audit_context;
1045
1046 if (!context->in_syscall)
1047 return;
1048
1049 /* determine matching parent */
1050 if (dname)
1051 for (idx = 0; idx < context->name_count; idx++)
1052 if (context->names[idx].pino == pino) {
1053 const char *n;
1054 const char *name = context->names[idx].name;
1055 int dlen = strlen(dname);
1056 int nlen = name ? strlen(name) : 0;
1057
1058 if (nlen < dlen)
1059 continue;
1060
1061 /* disregard trailing slashes */
1062 n = name + nlen - 1;
1063 while ((*n == '/') && (n > name))
1064 n--;
1065
1066 /* find last path component */
1067 n = n - dlen + 1;
1068 if (n < name)
1069 continue;
1070 else if (n > name) {
1071 if (*--n != '/')
1072 continue;
1073 else
1074 n++;
1075 }
1076
1077 if (strncmp(n, dname, dlen) == 0)
1078 goto update_context;
1079 }
1080
1081 /* catch-all in case match not found */
1082 idx = context->name_count++;
1083 context->names[idx].name = NULL;
1084 context->names[idx].pino = pino;
1085#if AUDIT_DEBUG
1086 context->ino_count++;
1087#endif
1088
1089update_context:
1090 if (inode) {
1091 context->names[idx].ino = inode->i_ino;
1092 context->names[idx].dev = inode->i_sb->s_dev;
1093 context->names[idx].mode = inode->i_mode;
1094 context->names[idx].uid = inode->i_uid;
1095 context->names[idx].gid = inode->i_gid;
1096 context->names[idx].rdev = inode->i_rdev;
1097 audit_inode_context(idx, inode);
1098 }
1160} 1099}
1161 1100
1101/**
1102 * auditsc_get_stamp - get local copies of audit_context values
1103 * @ctx: audit_context for the task
1104 * @t: timespec to store time recorded in the audit_context
1105 * @serial: serial value that is recorded in the audit_context
1106 *
1107 * Also sets the context as auditable.
1108 */
1162void auditsc_get_stamp(struct audit_context *ctx, 1109void auditsc_get_stamp(struct audit_context *ctx,
1163 struct timespec *t, unsigned int *serial) 1110 struct timespec *t, unsigned int *serial)
1164{ 1111{
@@ -1170,6 +1117,15 @@ void auditsc_get_stamp(struct audit_context *ctx,
1170 ctx->auditable = 1; 1117 ctx->auditable = 1;
1171} 1118}
1172 1119
1120/**
1121 * audit_set_loginuid - set a task's audit_context loginuid
1122 * @task: task whose audit context is being modified
1123 * @loginuid: loginuid value
1124 *
1125 * Returns 0.
1126 *
1127 * Called (set) from fs/proc/base.c::proc_loginuid_write().
1128 */
1173int audit_set_loginuid(struct task_struct *task, uid_t loginuid) 1129int audit_set_loginuid(struct task_struct *task, uid_t loginuid)
1174{ 1130{
1175 if (task->audit_context) { 1131 if (task->audit_context) {
@@ -1188,12 +1144,59 @@ int audit_set_loginuid(struct task_struct *task, uid_t loginuid)
1188 return 0; 1144 return 0;
1189} 1145}
1190 1146
1147/**
1148 * audit_get_loginuid - get the loginuid for an audit_context
1149 * @ctx: the audit_context
1150 *
1151 * Returns the context's loginuid or -1 if @ctx is NULL.
1152 */
1191uid_t audit_get_loginuid(struct audit_context *ctx) 1153uid_t audit_get_loginuid(struct audit_context *ctx)
1192{ 1154{
1193 return ctx ? ctx->loginuid : -1; 1155 return ctx ? ctx->loginuid : -1;
1194} 1156}
1195 1157
1196int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode) 1158static char *audit_ipc_context(struct kern_ipc_perm *ipcp)
1159{
1160 struct audit_context *context = current->audit_context;
1161 char *ctx = NULL;
1162 int len = 0;
1163
1164 if (likely(!context))
1165 return NULL;
1166
1167 len = security_ipc_getsecurity(ipcp, NULL, 0);
1168 if (len == -EOPNOTSUPP)
1169 goto ret;
1170 if (len < 0)
1171 goto error_path;
1172
1173 ctx = kmalloc(len, GFP_ATOMIC);
1174 if (!ctx)
1175 goto error_path;
1176
1177 len = security_ipc_getsecurity(ipcp, ctx, len);
1178 if (len < 0)
1179 goto error_path;
1180
1181 return ctx;
1182
1183error_path:
1184 kfree(ctx);
1185 audit_panic("error in audit_ipc_context");
1186ret:
1187 return NULL;
1188}
1189
1190/**
1191 * audit_ipc_perms - record audit data for ipc
1192 * @qbytes: msgq bytes
1193 * @uid: msgq user id
1194 * @gid: msgq group id
1195 * @mode: msgq mode (permissions)
1196 *
1197 * Returns 0 for success or NULL context or < 0 on error.
1198 */
1199int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode, struct kern_ipc_perm *ipcp)
1197{ 1200{
1198 struct audit_aux_data_ipcctl *ax; 1201 struct audit_aux_data_ipcctl *ax;
1199 struct audit_context *context = current->audit_context; 1202 struct audit_context *context = current->audit_context;
@@ -1201,7 +1204,7 @@ int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode)
1201 if (likely(!context)) 1204 if (likely(!context))
1202 return 0; 1205 return 0;
1203 1206
1204 ax = kmalloc(sizeof(*ax), GFP_KERNEL); 1207 ax = kmalloc(sizeof(*ax), GFP_ATOMIC);
1205 if (!ax) 1208 if (!ax)
1206 return -ENOMEM; 1209 return -ENOMEM;
1207 1210
@@ -1209,6 +1212,7 @@ int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode)
1209 ax->uid = uid; 1212 ax->uid = uid;
1210 ax->gid = gid; 1213 ax->gid = gid;
1211 ax->mode = mode; 1214 ax->mode = mode;
1215 ax->ctx = audit_ipc_context(ipcp);
1212 1216
1213 ax->d.type = AUDIT_IPC; 1217 ax->d.type = AUDIT_IPC;
1214 ax->d.next = context->aux; 1218 ax->d.next = context->aux;
@@ -1216,6 +1220,13 @@ int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode)
1216 return 0; 1220 return 0;
1217} 1221}
1218 1222
1223/**
1224 * audit_socketcall - record audit data for sys_socketcall
1225 * @nargs: number of args
1226 * @args: args array
1227 *
1228 * Returns 0 for success or NULL context or < 0 on error.
1229 */
1219int audit_socketcall(int nargs, unsigned long *args) 1230int audit_socketcall(int nargs, unsigned long *args)
1220{ 1231{
1221 struct audit_aux_data_socketcall *ax; 1232 struct audit_aux_data_socketcall *ax;
@@ -1237,6 +1248,13 @@ int audit_socketcall(int nargs, unsigned long *args)
1237 return 0; 1248 return 0;
1238} 1249}
1239 1250
1251/**
1252 * audit_sockaddr - record audit data for sys_bind, sys_connect, sys_sendto
1253 * @len: data length in user space
1254 * @a: data address in kernel space
1255 *
1256 * Returns 0 for success or NULL context or < 0 on error.
1257 */
1240int audit_sockaddr(int len, void *a) 1258int audit_sockaddr(int len, void *a)
1241{ 1259{
1242 struct audit_aux_data_sockaddr *ax; 1260 struct audit_aux_data_sockaddr *ax;
@@ -1258,6 +1276,15 @@ int audit_sockaddr(int len, void *a)
1258 return 0; 1276 return 0;
1259} 1277}
1260 1278
1279/**
1280 * audit_avc_path - record the granting or denial of permissions
1281 * @dentry: dentry to record
1282 * @mnt: mnt to record
1283 *
1284 * Returns 0 for success or NULL context or < 0 on error.
1285 *
1286 * Called from security/selinux/avc.c::avc_audit()
1287 */
1261int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt) 1288int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt)
1262{ 1289{
1263 struct audit_aux_data_path *ax; 1290 struct audit_aux_data_path *ax;
@@ -1279,6 +1306,14 @@ int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt)
1279 return 0; 1306 return 0;
1280} 1307}
1281 1308
1309/**
1310 * audit_signal_info - record signal info for shutting down audit subsystem
1311 * @sig: signal value
1312 * @t: task being signaled
1313 *
1314 * If the audit subsystem is being terminated, record the task (pid)
1315 * and uid that is doing that.
1316 */
1282void audit_signal_info(int sig, struct task_struct *t) 1317void audit_signal_info(int sig, struct task_struct *t)
1283{ 1318{
1284 extern pid_t audit_sig_pid; 1319 extern pid_t audit_sig_pid;
@@ -1295,4 +1330,3 @@ void audit_signal_info(int sig, struct task_struct *t)
1295 } 1330 }
1296 } 1331 }
1297} 1332}
1298
generated by cgit v1.2.2 (git 2.25.0) at 2024-11-23 13:25:37 -0500