aboutsummaryrefslogtreecommitdiffstats
path: root/kernel/auditsc.c
diff options
context:
space:
mode:
authorLinus Torvalds <torvalds@linux-foundation.org>2008-02-01 16:37:03 -0500
committerLinus Torvalds <torvalds@linux-foundation.org>2008-02-01 16:37:03 -0500
commitdd5f5fed6c9458a7aa81eeef3732cc3a9891cfdf (patch)
tree06b81942dc218763889efe65faf08aeb23e71f03 /kernel/auditsc.c
parent3e01dfce1387f8bec41018f0d7b42fd88ad4163f (diff)
parent7759db82774802885f96c250b36c3dfe317e62ff (diff)
Merge branch 'audit.b46' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit-current
* 'audit.b46' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit-current: [AUDIT] Add uid, gid fields to ANOM_PROMISCUOUS message [AUDIT] ratelimit printk messages audit [patch 2/2] audit: complement va_copy with va_end() [patch 1/2] kernel/audit.c: warning fix [AUDIT] create context if auditing was ever enabled [AUDIT] clean up audit_receive_msg() [AUDIT] make audit=0 really stop audit messages [AUDIT] break large execve argument logging into smaller messages [AUDIT] include audit type in audit message when using printk [AUDIT] do not panic on exclude messages in audit_log_pid_context() [AUDIT] Add End of Event record [AUDIT] add session id to audit messages [AUDIT] collect uid, loginuid, and comm in OBJ_PID records [AUDIT] return EINTR not ERESTART* [PATCH] get rid of loginuid races [PATCH] switch audit_get_loginuid() to task_struct *
Diffstat (limited to 'kernel/auditsc.c')
-rw-r--r--kernel/auditsc.c349
1 files changed, 256 insertions, 93 deletions
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index bce9ecdb7712..1c06ecf38d7b 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -70,6 +70,7 @@
70#include "audit.h" 70#include "audit.h"
71 71
72extern struct list_head audit_filter_list[]; 72extern struct list_head audit_filter_list[];
73extern int audit_ever_enabled;
73 74
74/* AUDIT_NAMES is the number of slots we reserve in the audit_context 75/* AUDIT_NAMES is the number of slots we reserve in the audit_context
75 * for saving names from getname(). */ 76 * for saving names from getname(). */
@@ -78,6 +79,9 @@ extern struct list_head audit_filter_list[];
78/* Indicates that audit should log the full pathname. */ 79/* Indicates that audit should log the full pathname. */
79#define AUDIT_NAME_FULL -1 80#define AUDIT_NAME_FULL -1
80 81
82/* no execve audit message should be longer than this (userspace limits) */
83#define MAX_EXECVE_AUDIT_LEN 7500
84
81/* number of audit rules */ 85/* number of audit rules */
82int audit_n_rules; 86int audit_n_rules;
83 87
@@ -176,7 +180,11 @@ struct audit_aux_data_fd_pair {
176struct audit_aux_data_pids { 180struct audit_aux_data_pids {
177 struct audit_aux_data d; 181 struct audit_aux_data d;
178 pid_t target_pid[AUDIT_AUX_PIDS]; 182 pid_t target_pid[AUDIT_AUX_PIDS];
183 uid_t target_auid[AUDIT_AUX_PIDS];
184 uid_t target_uid[AUDIT_AUX_PIDS];
185 unsigned int target_sessionid[AUDIT_AUX_PIDS];
179 u32 target_sid[AUDIT_AUX_PIDS]; 186 u32 target_sid[AUDIT_AUX_PIDS];
187 char target_comm[AUDIT_AUX_PIDS][TASK_COMM_LEN];
180 int pid_count; 188 int pid_count;
181}; 189};
182 190
@@ -192,7 +200,6 @@ struct audit_context {
192 enum audit_state state; 200 enum audit_state state;
193 unsigned int serial; /* serial number for record */ 201 unsigned int serial; /* serial number for record */
194 struct timespec ctime; /* time of syscall entry */ 202 struct timespec ctime; /* time of syscall entry */
195 uid_t loginuid; /* login uid (identity) */
196 int major; /* syscall number */ 203 int major; /* syscall number */
197 unsigned long argv[4]; /* syscall arguments */ 204 unsigned long argv[4]; /* syscall arguments */
198 int return_valid; /* return code is valid */ 205 int return_valid; /* return code is valid */
@@ -215,7 +222,11 @@ struct audit_context {
215 int arch; 222 int arch;
216 223
217 pid_t target_pid; 224 pid_t target_pid;
225 uid_t target_auid;
226 uid_t target_uid;
227 unsigned int target_sessionid;
218 u32 target_sid; 228 u32 target_sid;
229 char target_comm[TASK_COMM_LEN];
219 230
220 struct audit_tree_refs *trees, *first_trees; 231 struct audit_tree_refs *trees, *first_trees;
221 int tree_count; 232 int tree_count;
@@ -506,7 +517,7 @@ static int audit_filter_rules(struct task_struct *tsk,
506 case AUDIT_LOGINUID: 517 case AUDIT_LOGINUID:
507 result = 0; 518 result = 0;
508 if (ctx) 519 if (ctx)
509 result = audit_comparator(ctx->loginuid, f->op, f->val); 520 result = audit_comparator(tsk->loginuid, f->op, f->val);
510 break; 521 break;
511 case AUDIT_SUBJ_USER: 522 case AUDIT_SUBJ_USER:
512 case AUDIT_SUBJ_ROLE: 523 case AUDIT_SUBJ_ROLE:
@@ -702,7 +713,24 @@ static inline struct audit_context *audit_get_context(struct task_struct *tsk,
702 if (likely(!context)) 713 if (likely(!context))
703 return NULL; 714 return NULL;
704 context->return_valid = return_valid; 715 context->return_valid = return_valid;
705 context->return_code = return_code; 716
717 /*
718 * we need to fix up the return code in the audit logs if the actual
719 * return codes are later going to be fixed up by the arch specific
720 * signal handlers
721 *
722 * This is actually a test for:
723 * (rc == ERESTARTSYS ) || (rc == ERESTARTNOINTR) ||
724 * (rc == ERESTARTNOHAND) || (rc == ERESTART_RESTARTBLOCK)
725 *
726 * but is faster than a bunch of ||
727 */
728 if (unlikely(return_code <= -ERESTARTSYS) &&
729 (return_code >= -ERESTART_RESTARTBLOCK) &&
730 (return_code != -ENOIOCTLCMD))
731 context->return_code = -EINTR;
732 else
733 context->return_code = return_code;
706 734
707 if (context->in_syscall && !context->dummy && !context->auditable) { 735 if (context->in_syscall && !context->dummy && !context->auditable) {
708 enum audit_state state; 736 enum audit_state state;
@@ -783,11 +811,8 @@ static inline void audit_free_aux(struct audit_context *context)
783static inline void audit_zero_context(struct audit_context *context, 811static inline void audit_zero_context(struct audit_context *context,
784 enum audit_state state) 812 enum audit_state state)
785{ 813{
786 uid_t loginuid = context->loginuid;
787
788 memset(context, 0, sizeof(*context)); 814 memset(context, 0, sizeof(*context));
789 context->state = state; 815 context->state = state;
790 context->loginuid = loginuid;
791} 816}
792 817
793static inline struct audit_context *audit_alloc_context(enum audit_state state) 818static inline struct audit_context *audit_alloc_context(enum audit_state state)
@@ -814,7 +839,7 @@ int audit_alloc(struct task_struct *tsk)
814 struct audit_context *context; 839 struct audit_context *context;
815 enum audit_state state; 840 enum audit_state state;
816 841
817 if (likely(!audit_enabled)) 842 if (likely(!audit_ever_enabled))
818 return 0; /* Return if not auditing. */ 843 return 0; /* Return if not auditing. */
819 844
820 state = audit_filter_task(tsk); 845 state = audit_filter_task(tsk);
@@ -826,11 +851,6 @@ int audit_alloc(struct task_struct *tsk)
826 return -ENOMEM; 851 return -ENOMEM;
827 } 852 }
828 853
829 /* Preserve login uid */
830 context->loginuid = -1;
831 if (current->audit_context)
832 context->loginuid = current->audit_context->loginuid;
833
834 tsk->audit_context = context; 854 tsk->audit_context = context;
835 set_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT); 855 set_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT);
836 return 0; 856 return 0;
@@ -922,7 +942,8 @@ static void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk
922} 942}
923 943
924static int audit_log_pid_context(struct audit_context *context, pid_t pid, 944static int audit_log_pid_context(struct audit_context *context, pid_t pid,
925 u32 sid) 945 uid_t auid, uid_t uid, unsigned int sessionid,
946 u32 sid, char *comm)
926{ 947{
927 struct audit_buffer *ab; 948 struct audit_buffer *ab;
928 char *s = NULL; 949 char *s = NULL;
@@ -931,68 +952,204 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
931 952
932 ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID); 953 ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID);
933 if (!ab) 954 if (!ab)
934 return 1; 955 return rc;
935 956
957 audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid, auid,
958 uid, sessionid);
936 if (selinux_sid_to_string(sid, &s, &len)) { 959 if (selinux_sid_to_string(sid, &s, &len)) {
937 audit_log_format(ab, "opid=%d obj=(none)", pid); 960 audit_log_format(ab, " obj=(none)");
938 rc = 1; 961 rc = 1;
939 } else 962 } else
940 audit_log_format(ab, "opid=%d obj=%s", pid, s); 963 audit_log_format(ab, " obj=%s", s);
964 audit_log_format(ab, " ocomm=");
965 audit_log_untrustedstring(ab, comm);
941 audit_log_end(ab); 966 audit_log_end(ab);
942 kfree(s); 967 kfree(s);
943 968
944 return rc; 969 return rc;
945} 970}
946 971
947static void audit_log_execve_info(struct audit_buffer *ab, 972/*
948 struct audit_aux_data_execve *axi) 973 * to_send and len_sent accounting are very loose estimates. We aren't
974 * really worried about a hard cap to MAX_EXECVE_AUDIT_LEN so much as being
975 * within about 500 bytes (next page boundry)
976 *
977 * why snprintf? an int is up to 12 digits long. if we just assumed when
978 * logging that a[%d]= was going to be 16 characters long we would be wasting
979 * space in every audit message. In one 7500 byte message we can log up to
980 * about 1000 min size arguments. That comes down to about 50% waste of space
981 * if we didn't do the snprintf to find out how long arg_num_len was.
982 */
983static int audit_log_single_execve_arg(struct audit_context *context,
984 struct audit_buffer **ab,
985 int arg_num,
986 size_t *len_sent,
987 const char __user *p,
988 char *buf)
949{ 989{
950 int i; 990 char arg_num_len_buf[12];
951 long len, ret; 991 const char __user *tmp_p = p;
952 const char __user *p; 992 /* how many digits are in arg_num? 3 is the length of a=\n */
953 char *buf; 993 size_t arg_num_len = snprintf(arg_num_len_buf, 12, "%d", arg_num) + 3;
994 size_t len, len_left, to_send;
995 size_t max_execve_audit_len = MAX_EXECVE_AUDIT_LEN;
996 unsigned int i, has_cntl = 0, too_long = 0;
997 int ret;
998
999 /* strnlen_user includes the null we don't want to send */
1000 len_left = len = strnlen_user(p, MAX_ARG_STRLEN) - 1;
954 1001
955 if (axi->mm != current->mm) 1002 /*
956 return; /* execve failed, no additional info */ 1003 * We just created this mm, if we can't find the strings
957 1004 * we just copied into it something is _very_ wrong. Similar
958 p = (const char __user *)axi->mm->arg_start; 1005 * for strings that are too long, we should not have created
1006 * any.
1007 */
1008 if (unlikely((len = -1) || len > MAX_ARG_STRLEN - 1)) {
1009 WARN_ON(1);
1010 send_sig(SIGKILL, current, 0);
1011 }
959 1012
960 for (i = 0; i < axi->argc; i++, p += len) { 1013 /* walk the whole argument looking for non-ascii chars */
961 len = strnlen_user(p, MAX_ARG_STRLEN); 1014 do {
1015 if (len_left > MAX_EXECVE_AUDIT_LEN)
1016 to_send = MAX_EXECVE_AUDIT_LEN;
1017 else
1018 to_send = len_left;
1019 ret = copy_from_user(buf, tmp_p, to_send);
962 /* 1020 /*
963 * We just created this mm, if we can't find the strings 1021 * There is no reason for this copy to be short. We just
964 * we just copied into it something is _very_ wrong. Similar 1022 * copied them here, and the mm hasn't been exposed to user-
965 * for strings that are too long, we should not have created 1023 * space yet.
966 * any.
967 */ 1024 */
968 if (!len || len > MAX_ARG_STRLEN) { 1025 if (ret) {
969 WARN_ON(1); 1026 WARN_ON(1);
970 send_sig(SIGKILL, current, 0); 1027 send_sig(SIGKILL, current, 0);
971 } 1028 }
972 1029 buf[to_send] = '\0';
973 buf = kmalloc(len, GFP_KERNEL); 1030 has_cntl = audit_string_contains_control(buf, to_send);
974 if (!buf) { 1031 if (has_cntl) {
975 audit_panic("out of memory for argv string\n"); 1032 /*
1033 * hex messages get logged as 2 bytes, so we can only
1034 * send half as much in each message
1035 */
1036 max_execve_audit_len = MAX_EXECVE_AUDIT_LEN / 2;
976 break; 1037 break;
977 } 1038 }
1039 len_left -= to_send;
1040 tmp_p += to_send;
1041 } while (len_left > 0);
1042
1043 len_left = len;
1044
1045 if (len > max_execve_audit_len)
1046 too_long = 1;
1047
1048 /* rewalk the argument actually logging the message */
1049 for (i = 0; len_left > 0; i++) {
1050 int room_left;
1051
1052 if (len_left > max_execve_audit_len)
1053 to_send = max_execve_audit_len;
1054 else
1055 to_send = len_left;
1056
1057 /* do we have space left to send this argument in this ab? */
1058 room_left = MAX_EXECVE_AUDIT_LEN - arg_num_len - *len_sent;
1059 if (has_cntl)
1060 room_left -= (to_send * 2);
1061 else
1062 room_left -= to_send;
1063 if (room_left < 0) {
1064 *len_sent = 0;
1065 audit_log_end(*ab);
1066 *ab = audit_log_start(context, GFP_KERNEL, AUDIT_EXECVE);
1067 if (!*ab)
1068 return 0;
1069 }
978 1070
979 ret = copy_from_user(buf, p, len);
980 /* 1071 /*
981 * There is no reason for this copy to be short. We just 1072 * first record needs to say how long the original string was
982 * copied them here, and the mm hasn't been exposed to user- 1073 * so we can be sure nothing was lost.
983 * space yet. 1074 */
1075 if ((i == 0) && (too_long))
1076 audit_log_format(*ab, "a%d_len=%ld ", arg_num,
1077 has_cntl ? 2*len : len);
1078
1079 /*
1080 * normally arguments are small enough to fit and we already
1081 * filled buf above when we checked for control characters
1082 * so don't bother with another copy_from_user
984 */ 1083 */
1084 if (len >= max_execve_audit_len)
1085 ret = copy_from_user(buf, p, to_send);
1086 else
1087 ret = 0;
985 if (ret) { 1088 if (ret) {
986 WARN_ON(1); 1089 WARN_ON(1);
987 send_sig(SIGKILL, current, 0); 1090 send_sig(SIGKILL, current, 0);
988 } 1091 }
1092 buf[to_send] = '\0';
1093
1094 /* actually log it */
1095 audit_log_format(*ab, "a%d", arg_num);
1096 if (too_long)
1097 audit_log_format(*ab, "[%d]", i);
1098 audit_log_format(*ab, "=");
1099 if (has_cntl)
1100 audit_log_hex(*ab, buf, to_send);
1101 else
1102 audit_log_format(*ab, "\"%s\"", buf);
1103 audit_log_format(*ab, "\n");
1104
1105 p += to_send;
1106 len_left -= to_send;
1107 *len_sent += arg_num_len;
1108 if (has_cntl)
1109 *len_sent += to_send * 2;
1110 else
1111 *len_sent += to_send;
1112 }
1113 /* include the null we didn't log */
1114 return len + 1;
1115}
989 1116
990 audit_log_format(ab, "a%d=", i); 1117static void audit_log_execve_info(struct audit_context *context,
991 audit_log_untrustedstring(ab, buf); 1118 struct audit_buffer **ab,
992 audit_log_format(ab, "\n"); 1119 struct audit_aux_data_execve *axi)
1120{
1121 int i;
1122 size_t len, len_sent = 0;
1123 const char __user *p;
1124 char *buf;
1125
1126 if (axi->mm != current->mm)
1127 return; /* execve failed, no additional info */
1128
1129 p = (const char __user *)axi->mm->arg_start;
1130
1131 audit_log_format(*ab, "argc=%d ", axi->argc);
1132
1133 /*
1134 * we need some kernel buffer to hold the userspace args. Just
1135 * allocate one big one rather than allocating one of the right size
1136 * for every single argument inside audit_log_single_execve_arg()
1137 * should be <8k allocation so should be pretty safe.
1138 */
1139 buf = kmalloc(MAX_EXECVE_AUDIT_LEN + 1, GFP_KERNEL);
1140 if (!buf) {
1141 audit_panic("out of memory for argv string\n");
1142 return;
1143 }
993 1144
994 kfree(buf); 1145 for (i = 0; i < axi->argc; i++) {
1146 len = audit_log_single_execve_arg(context, ab, i,
1147 &len_sent, p, buf);
1148 if (len <= 0)
1149 break;
1150 p += len;
995 } 1151 }
1152 kfree(buf);
996} 1153}
997 1154
998static void audit_log_exit(struct audit_context *context, struct task_struct *tsk) 1155static void audit_log_exit(struct audit_context *context, struct task_struct *tsk)
@@ -1039,7 +1196,7 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
1039 " a0=%lx a1=%lx a2=%lx a3=%lx items=%d" 1196 " a0=%lx a1=%lx a2=%lx a3=%lx items=%d"
1040 " ppid=%d pid=%d auid=%u uid=%u gid=%u" 1197 " ppid=%d pid=%d auid=%u uid=%u gid=%u"
1041 " euid=%u suid=%u fsuid=%u" 1198 " euid=%u suid=%u fsuid=%u"
1042 " egid=%u sgid=%u fsgid=%u tty=%s", 1199 " egid=%u sgid=%u fsgid=%u tty=%s ses=%u",
1043 context->argv[0], 1200 context->argv[0],
1044 context->argv[1], 1201 context->argv[1],
1045 context->argv[2], 1202 context->argv[2],
@@ -1047,11 +1204,12 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
1047 context->name_count, 1204 context->name_count,
1048 context->ppid, 1205 context->ppid,
1049 context->pid, 1206 context->pid,
1050 context->loginuid, 1207 tsk->loginuid,
1051 context->uid, 1208 context->uid,
1052 context->gid, 1209 context->gid,
1053 context->euid, context->suid, context->fsuid, 1210 context->euid, context->suid, context->fsuid,
1054 context->egid, context->sgid, context->fsgid, tty); 1211 context->egid, context->sgid, context->fsgid, tty,
1212 tsk->sessionid);
1055 1213
1056 mutex_unlock(&tty_mutex); 1214 mutex_unlock(&tty_mutex);
1057 1215
@@ -1135,7 +1293,7 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
1135 1293
1136 case AUDIT_EXECVE: { 1294 case AUDIT_EXECVE: {
1137 struct audit_aux_data_execve *axi = (void *)aux; 1295 struct audit_aux_data_execve *axi = (void *)aux;
1138 audit_log_execve_info(ab, axi); 1296 audit_log_execve_info(context, &ab, axi);
1139 break; } 1297 break; }
1140 1298
1141 case AUDIT_SOCKETCALL: { 1299 case AUDIT_SOCKETCALL: {
@@ -1168,13 +1326,19 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
1168 1326
1169 for (i = 0; i < axs->pid_count; i++) 1327 for (i = 0; i < axs->pid_count; i++)
1170 if (audit_log_pid_context(context, axs->target_pid[i], 1328 if (audit_log_pid_context(context, axs->target_pid[i],
1171 axs->target_sid[i])) 1329 axs->target_auid[i],
1330 axs->target_uid[i],
1331 axs->target_sessionid[i],
1332 axs->target_sid[i],
1333 axs->target_comm[i]))
1172 call_panic = 1; 1334 call_panic = 1;
1173 } 1335 }
1174 1336
1175 if (context->target_pid && 1337 if (context->target_pid &&
1176 audit_log_pid_context(context, context->target_pid, 1338 audit_log_pid_context(context, context->target_pid,
1177 context->target_sid)) 1339 context->target_auid, context->target_uid,
1340 context->target_sessionid,
1341 context->target_sid, context->target_comm))
1178 call_panic = 1; 1342 call_panic = 1;
1179 1343
1180 if (context->pwd && context->pwdmnt) { 1344 if (context->pwd && context->pwdmnt) {
@@ -1242,6 +1406,11 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
1242 1406
1243 audit_log_end(ab); 1407 audit_log_end(ab);
1244 } 1408 }
1409
1410 /* Send end of event record to help user space know we are finished */
1411 ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE);
1412 if (ab)
1413 audit_log_end(ab);
1245 if (call_panic) 1414 if (call_panic)
1246 audit_panic("error converting sid to string"); 1415 audit_panic("error converting sid to string");
1247} 1416}
@@ -1766,6 +1935,9 @@ void auditsc_get_stamp(struct audit_context *ctx,
1766 ctx->auditable = 1; 1935 ctx->auditable = 1;
1767} 1936}
1768 1937
1938/* global counter which is incremented every time something logs in */
1939static atomic_t session_id = ATOMIC_INIT(0);
1940
1769/** 1941/**
1770 * audit_set_loginuid - set a task's audit_context loginuid 1942 * audit_set_loginuid - set a task's audit_context loginuid
1771 * @task: task whose audit context is being modified 1943 * @task: task whose audit context is being modified
@@ -1777,41 +1949,29 @@ void auditsc_get_stamp(struct audit_context *ctx,
1777 */ 1949 */
1778int audit_set_loginuid(struct task_struct *task, uid_t loginuid) 1950int audit_set_loginuid(struct task_struct *task, uid_t loginuid)
1779{ 1951{
1952 unsigned int sessionid = atomic_inc_return(&session_id);
1780 struct audit_context *context = task->audit_context; 1953 struct audit_context *context = task->audit_context;
1781 1954
1782 if (context) { 1955 if (context && context->in_syscall) {
1783 /* Only log if audit is enabled */ 1956 struct audit_buffer *ab;
1784 if (context->in_syscall) { 1957
1785 struct audit_buffer *ab; 1958 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN);
1786 1959 if (ab) {
1787 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN); 1960 audit_log_format(ab, "login pid=%d uid=%u "
1788 if (ab) { 1961 "old auid=%u new auid=%u"
1789 audit_log_format(ab, "login pid=%d uid=%u " 1962 " old ses=%u new ses=%u",
1790 "old auid=%u new auid=%u", 1963 task->pid, task->uid,
1791 task->pid, task->uid, 1964 task->loginuid, loginuid,
1792 context->loginuid, loginuid); 1965 task->sessionid, sessionid);
1793 audit_log_end(ab); 1966 audit_log_end(ab);
1794 }
1795 } 1967 }
1796 context->loginuid = loginuid;
1797 } 1968 }
1969 task->sessionid = sessionid;
1970 task->loginuid = loginuid;
1798 return 0; 1971 return 0;
1799} 1972}
1800 1973
1801/** 1974/**
1802 * audit_get_loginuid - get the loginuid for an audit_context
1803 * @ctx: the audit_context
1804 *
1805 * Returns the context's loginuid or -1 if @ctx is NULL.
1806 */
1807uid_t audit_get_loginuid(struct audit_context *ctx)
1808{
1809 return ctx ? ctx->loginuid : -1;
1810}
1811
1812EXPORT_SYMBOL(audit_get_loginuid);
1813
1814/**
1815 * __audit_mq_open - record audit data for a POSIX MQ open 1975 * __audit_mq_open - record audit data for a POSIX MQ open
1816 * @oflag: open flag 1976 * @oflag: open flag
1817 * @mode: mode bits 1977 * @mode: mode bits
@@ -2070,8 +2230,6 @@ int __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode
2070 return 0; 2230 return 0;
2071} 2231}
2072 2232
2073int audit_argv_kb = 32;
2074
2075int audit_bprm(struct linux_binprm *bprm) 2233int audit_bprm(struct linux_binprm *bprm)
2076{ 2234{
2077 struct audit_aux_data_execve *ax; 2235 struct audit_aux_data_execve *ax;
@@ -2080,14 +2238,6 @@ int audit_bprm(struct linux_binprm *bprm)
2080 if (likely(!audit_enabled || !context || context->dummy)) 2238 if (likely(!audit_enabled || !context || context->dummy))
2081 return 0; 2239 return 0;
2082 2240
2083 /*
2084 * Even though the stack code doesn't limit the arg+env size any more,
2085 * the audit code requires that _all_ arguments be logged in a single
2086 * netlink skb. Hence cap it :-(
2087 */
2088 if (bprm->argv_len > (audit_argv_kb << 10))
2089 return -E2BIG;
2090
2091 ax = kmalloc(sizeof(*ax), GFP_KERNEL); 2241 ax = kmalloc(sizeof(*ax), GFP_KERNEL);
2092 if (!ax) 2242 if (!ax)
2093 return -ENOMEM; 2243 return -ENOMEM;
@@ -2193,7 +2343,11 @@ void __audit_ptrace(struct task_struct *t)
2193 struct audit_context *context = current->audit_context; 2343 struct audit_context *context = current->audit_context;
2194 2344
2195 context->target_pid = t->pid; 2345 context->target_pid = t->pid;
2346 context->target_auid = audit_get_loginuid(t);
2347 context->target_uid = t->uid;
2348 context->target_sessionid = audit_get_sessionid(t);
2196 selinux_get_task_sid(t, &context->target_sid); 2349 selinux_get_task_sid(t, &context->target_sid);
2350 memcpy(context->target_comm, t->comm, TASK_COMM_LEN);
2197} 2351}
2198 2352
2199/** 2353/**
@@ -2216,8 +2370,8 @@ int __audit_signal_info(int sig, struct task_struct *t)
2216 if (audit_pid && t->tgid == audit_pid) { 2370 if (audit_pid && t->tgid == audit_pid) {
2217 if (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1) { 2371 if (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1) {
2218 audit_sig_pid = tsk->pid; 2372 audit_sig_pid = tsk->pid;
2219 if (ctx) 2373 if (tsk->loginuid != -1)
2220 audit_sig_uid = ctx->loginuid; 2374 audit_sig_uid = tsk->loginuid;
2221 else 2375 else
2222 audit_sig_uid = tsk->uid; 2376 audit_sig_uid = tsk->uid;
2223 selinux_get_task_sid(tsk, &audit_sig_sid); 2377 selinux_get_task_sid(tsk, &audit_sig_sid);
@@ -2230,7 +2384,11 @@ int __audit_signal_info(int sig, struct task_struct *t)
2230 * in audit_context */ 2384 * in audit_context */
2231 if (!ctx->target_pid) { 2385 if (!ctx->target_pid) {
2232 ctx->target_pid = t->tgid; 2386 ctx->target_pid = t->tgid;
2387 ctx->target_auid = audit_get_loginuid(t);
2388 ctx->target_uid = t->uid;
2389 ctx->target_sessionid = audit_get_sessionid(t);
2233 selinux_get_task_sid(t, &ctx->target_sid); 2390 selinux_get_task_sid(t, &ctx->target_sid);
2391 memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN);
2234 return 0; 2392 return 0;
2235 } 2393 }
2236 2394
@@ -2247,7 +2405,11 @@ int __audit_signal_info(int sig, struct task_struct *t)
2247 BUG_ON(axp->pid_count >= AUDIT_AUX_PIDS); 2405 BUG_ON(axp->pid_count >= AUDIT_AUX_PIDS);
2248 2406
2249 axp->target_pid[axp->pid_count] = t->tgid; 2407 axp->target_pid[axp->pid_count] = t->tgid;
2408 axp->target_auid[axp->pid_count] = audit_get_loginuid(t);
2409 axp->target_uid[axp->pid_count] = t->uid;
2410 axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t);
2250 selinux_get_task_sid(t, &axp->target_sid[axp->pid_count]); 2411 selinux_get_task_sid(t, &axp->target_sid[axp->pid_count]);
2412 memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN);
2251 axp->pid_count++; 2413 axp->pid_count++;
2252 2414
2253 return 0; 2415 return 0;
@@ -2264,6 +2426,8 @@ void audit_core_dumps(long signr)
2264{ 2426{
2265 struct audit_buffer *ab; 2427 struct audit_buffer *ab;
2266 u32 sid; 2428 u32 sid;
2429 uid_t auid = audit_get_loginuid(current);
2430 unsigned int sessionid = audit_get_sessionid(current);
2267 2431
2268 if (!audit_enabled) 2432 if (!audit_enabled)
2269 return; 2433 return;
@@ -2272,9 +2436,8 @@ void audit_core_dumps(long signr)
2272 return; 2436 return;
2273 2437
2274 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND); 2438 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
2275 audit_log_format(ab, "auid=%u uid=%u gid=%u", 2439 audit_log_format(ab, "auid=%u uid=%u gid=%u ses=%u",
2276 audit_get_loginuid(current->audit_context), 2440 auid, current->uid, current->gid, sessionid);
2277 current->uid, current->gid);
2278 selinux_get_task_sid(current, &sid); 2441 selinux_get_task_sid(current, &sid);
2279 if (sid) { 2442 if (sid) {
2280 char *ctx = NULL; 2443 char *ctx = NULL;
generated by cgit v1.2.2 (git 2.25.0) at 2024-10-09 23:30:04 -0400