[PATCH] execve argument logging

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

2 files changed, 56 insertions, 3 deletions

diff --git a/kernel/audit.c b/kernel/audit.c
index bf74bf02aa4b..d09f131b111a 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1026,18 +1026,20 @@ void audit_log_hex(struct audit_buffer *ab, const unsigned char *buf,
  * or a space. Unescaped strings will start and end with a double quote mark.
  * Strings that are escaped are printed in hex (2 digits per char).
  */
-void audit_log_untrustedstring(struct audit_buffer *ab, const char *string)
+const char *audit_log_untrustedstring(struct audit_buffer *ab, const char *string)
 {
         const unsigned char *p = string;
+        size_t len = strlen(string);
 
         while (*p) {
                 if (*p == '"' || *p < 0x21 || *p > 0x7f) {
-                        audit_log_hex(ab, string, strlen(string));
-                        return;
+                        audit_log_hex(ab, string, len);
+                        return string + len + 1;
                 }
                 p++;
         }
         audit_log_format(ab, "\"%s\"", string);
+        return p + 1;
 }
 
 /* This is a helper-function to print the escaped d_path */
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 1c03a4ed1b27..114f921979ec 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -59,6 +59,7 @@
 #include <linux/list.h>
 #include <linux/tty.h>
 #include <linux/selinux.h>
+#include <linux/binfmts.h>
 
 #include "audit.h"
 
@@ -110,6 +111,13 @@ struct audit_aux_data_ipcctl {
         u32                     osid;
 };
 
+struct audit_aux_data_execve {
+        struct audit_aux_data   d;
+        int argc;
+        int envc;
+        char mem[0];
+};
+
 struct audit_aux_data_socketcall {
         struct audit_aux_data   d;
         int                     nargs;
@@ -667,6 +675,16 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
                                 kfree(ctx);
                         }
                         break; }
+                case AUDIT_EXECVE: {
+                        struct audit_aux_data_execve *axi = (void *)aux;
+                        int i;
+                        const char *p;
+                        for (i = 0, p = axi->mem; i < axi->argc; i++) {
+                                audit_log_format(ab, "a%d=", i);
+                                p = audit_log_untrustedstring(ab, p);
+                                audit_log_format(ab, "\n");
+                        }
+                        break; }
 
                 case AUDIT_SOCKETCALL: {
                         int i;
@@ -1231,6 +1249,39 @@ int audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode,
         return 0;
 }
 
+int audit_bprm(struct linux_binprm *bprm)
+{
+        struct audit_aux_data_execve *ax;
+        struct audit_context *context = current->audit_context;
+        unsigned long p, next;
+        void *to;
+
+        if (likely(!audit_enabled || !context))
+                return 0;
+
+        ax = kmalloc(sizeof(*ax) + PAGE_SIZE * MAX_ARG_PAGES - bprm->p,
+                                GFP_KERNEL);
+        if (!ax)
+                return -ENOMEM;
+
+        ax->argc = bprm->argc;
+        ax->envc = bprm->envc;
+        for (p = bprm->p, to = ax->mem; p < MAX_ARG_PAGES*PAGE_SIZE; p = next) {
+                struct page *page = bprm->page[p / PAGE_SIZE];
+                void *kaddr = kmap(page);
+                next = (p + PAGE_SIZE) & ~(PAGE_SIZE - 1);
+                memcpy(to, kaddr + (p & (PAGE_SIZE - 1)), next - p);
+                to += next - p;
+                kunmap(page);
+        }
+
+        ax->d.type = AUDIT_EXECVE;
+        ax->d.next = context->aux;
+        context->aux = (void *)ax;
+        return 0;
+}
+
+
 /**
  * audit_socketcall - record audit data for sys_socketcall
  * @nargs: number of args