aboutsummaryrefslogtreecommitdiffstats
path: root/kernel
diff options
context:
space:
mode:
authorLinus Torvalds <torvalds@g5.osdl.org>2006-03-25 12:24:53 -0500
committerLinus Torvalds <torvalds@g5.osdl.org>2006-03-25 12:24:53 -0500
commit1b9a3917366028cc451a98dd22e3bcd537d4e5c1 (patch)
treed911058720e0a9aeeaf9f407ccdc6fbf4047f47d /kernel
parent3661f00e2097676847deb01add1a0918044bd816 (diff)
parent71e1c784b24a026a490b3de01541fc5ee14ebc09 (diff)
Merge branch 'audit.b3' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit-current
* 'audit.b3' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit-current: (22 commits) [PATCH] fix audit_init failure path [PATCH] EXPORT_SYMBOL patch for audit_log, audit_log_start, audit_log_end and audit_format [PATCH] sem2mutex: audit_netlink_sem [PATCH] simplify audit_free() locking [PATCH] Fix audit operators [PATCH] promiscuous mode [PATCH] Add tty to syscall audit records [PATCH] add/remove rule update [PATCH] audit string fields interface + consumer [PATCH] SE Linux audit events [PATCH] Minor cosmetic cleanups to the code moved into auditfilter.c [PATCH] Fix audit record filtering with !CONFIG_AUDITSYSCALL [PATCH] Fix IA64 success/failure indication in syscall auditing. [PATCH] Miscellaneous bug and warning fixes [PATCH] Capture selinux subject/object context information. [PATCH] Exclude messages by message type [PATCH] Collect more inode information during syscall processing. [PATCH] Pass dentry, not just name, in fsnotify creation hooks. [PATCH] Define new range of userspace messages. [PATCH] Filter rule comparators ... Fixed trivial conflict in security/selinux/hooks.c
Diffstat (limited to 'kernel')
-rw-r--r--kernel/Makefile2
-rw-r--r--kernel/audit.c175
-rw-r--r--kernel/audit.h88
-rw-r--r--kernel/auditfilter.c630
-rw-r--r--kernel/auditsc.c834
5 files changed, 1293 insertions, 436 deletions
diff --git a/kernel/Makefile b/kernel/Makefile
index aebd7a78984e..ff1c11dc12cf 100644
--- a/kernel/Makefile
+++ b/kernel/Makefile
@@ -26,7 +26,7 @@ obj-$(CONFIG_COMPAT) += compat.o
26obj-$(CONFIG_CPUSETS) += cpuset.o 26obj-$(CONFIG_CPUSETS) += cpuset.o
27obj-$(CONFIG_IKCONFIG) += configs.o 27obj-$(CONFIG_IKCONFIG) += configs.o
28obj-$(CONFIG_STOP_MACHINE) += stop_machine.o 28obj-$(CONFIG_STOP_MACHINE) += stop_machine.o
29obj-$(CONFIG_AUDIT) += audit.o 29obj-$(CONFIG_AUDIT) += audit.o auditfilter.o
30obj-$(CONFIG_AUDITSYSCALL) += auditsc.o 30obj-$(CONFIG_AUDITSYSCALL) += auditsc.o
31obj-$(CONFIG_KPROBES) += kprobes.o 31obj-$(CONFIG_KPROBES) += kprobes.o
32obj-$(CONFIG_SYSFS) += ksysfs.o 32obj-$(CONFIG_SYSFS) += ksysfs.o
diff --git a/kernel/audit.c b/kernel/audit.c
index 0a813d2883e5..04fe2e301b61 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -52,6 +52,7 @@
52#include <linux/audit.h> 52#include <linux/audit.h>
53 53
54#include <net/sock.h> 54#include <net/sock.h>
55#include <net/netlink.h>
55#include <linux/skbuff.h> 56#include <linux/skbuff.h>
56#include <linux/netlink.h> 57#include <linux/netlink.h>
57 58
@@ -72,7 +73,7 @@ static int audit_failure = AUDIT_FAIL_PRINTK;
72 * contains the (non-zero) pid. */ 73 * contains the (non-zero) pid. */
73int audit_pid; 74int audit_pid;
74 75
75/* If audit_limit is non-zero, limit the rate of sending audit records 76/* If audit_rate_limit is non-zero, limit the rate of sending audit records
76 * to that number per second. This prevents DoS attacks, but results in 77 * to that number per second. This prevents DoS attacks, but results in
77 * audit records being dropped. */ 78 * audit records being dropped. */
78static int audit_rate_limit; 79static int audit_rate_limit;
@@ -102,7 +103,7 @@ static struct sock *audit_sock;
102 * than AUDIT_MAXFREE are in use, the audit buffer is freed instead of 103 * than AUDIT_MAXFREE are in use, the audit buffer is freed instead of
103 * being placed on the freelist). */ 104 * being placed on the freelist). */
104static DEFINE_SPINLOCK(audit_freelist_lock); 105static DEFINE_SPINLOCK(audit_freelist_lock);
105static int audit_freelist_count = 0; 106static int audit_freelist_count;
106static LIST_HEAD(audit_freelist); 107static LIST_HEAD(audit_freelist);
107 108
108static struct sk_buff_head audit_skb_queue; 109static struct sk_buff_head audit_skb_queue;
@@ -113,7 +114,7 @@ static DECLARE_WAIT_QUEUE_HEAD(audit_backlog_wait);
113/* The netlink socket is only to be read by 1 CPU, which lets us assume 114/* The netlink socket is only to be read by 1 CPU, which lets us assume
114 * that list additions and deletions never happen simultaneously in 115 * that list additions and deletions never happen simultaneously in
115 * auditsc.c */ 116 * auditsc.c */
116DECLARE_MUTEX(audit_netlink_sem); 117DEFINE_MUTEX(audit_netlink_mutex);
117 118
118/* AUDIT_BUFSIZ is the size of the temporary buffer used for formatting 119/* AUDIT_BUFSIZ is the size of the temporary buffer used for formatting
119 * audit records. Since printk uses a 1024 byte buffer, this buffer 120 * audit records. Since printk uses a 1024 byte buffer, this buffer
@@ -142,7 +143,7 @@ static void audit_set_pid(struct audit_buffer *ab, pid_t pid)
142 nlh->nlmsg_pid = pid; 143 nlh->nlmsg_pid = pid;
143} 144}
144 145
145static void audit_panic(const char *message) 146void audit_panic(const char *message)
146{ 147{
147 switch (audit_failure) 148 switch (audit_failure)
148 { 149 {
@@ -186,8 +187,14 @@ static inline int audit_rate_check(void)
186 return retval; 187 return retval;
187} 188}
188 189
189/* Emit at least 1 message per second, even if audit_rate_check is 190/**
190 * throttling. */ 191 * audit_log_lost - conditionally log lost audit message event
192 * @message: the message stating reason for lost audit message
193 *
194 * Emit at least 1 message per second, even if audit_rate_check is
195 * throttling.
196 * Always increment the lost messages counter.
197*/
191void audit_log_lost(const char *message) 198void audit_log_lost(const char *message)
192{ 199{
193 static unsigned long last_msg = 0; 200 static unsigned long last_msg = 0;
@@ -218,7 +225,6 @@ void audit_log_lost(const char *message)
218 audit_backlog_limit); 225 audit_backlog_limit);
219 audit_panic(message); 226 audit_panic(message);
220 } 227 }
221
222} 228}
223 229
224static int audit_set_rate_limit(int limit, uid_t loginuid) 230static int audit_set_rate_limit(int limit, uid_t loginuid)
@@ -300,8 +306,22 @@ static int kauditd_thread(void *dummy)
300 remove_wait_queue(&kauditd_wait, &wait); 306 remove_wait_queue(&kauditd_wait, &wait);
301 } 307 }
302 } 308 }
309 return 0;
303} 310}
304 311
312/**
313 * audit_send_reply - send an audit reply message via netlink
314 * @pid: process id to send reply to
315 * @seq: sequence number
316 * @type: audit message type
317 * @done: done (last) flag
318 * @multi: multi-part message flag
319 * @payload: payload data
320 * @size: payload size
321 *
322 * Allocates an skb, builds the netlink message, and sends it to the pid.
323 * No failure notifications.
324 */
305void audit_send_reply(int pid, int seq, int type, int done, int multi, 325void audit_send_reply(int pid, int seq, int type, int done, int multi,
306 void *payload, int size) 326 void *payload, int size)
307{ 327{
@@ -342,15 +362,19 @@ static int audit_netlink_ok(kernel_cap_t eff_cap, u16 msg_type)
342 switch (msg_type) { 362 switch (msg_type) {
343 case AUDIT_GET: 363 case AUDIT_GET:
344 case AUDIT_LIST: 364 case AUDIT_LIST:
365 case AUDIT_LIST_RULES:
345 case AUDIT_SET: 366 case AUDIT_SET:
346 case AUDIT_ADD: 367 case AUDIT_ADD:
368 case AUDIT_ADD_RULE:
347 case AUDIT_DEL: 369 case AUDIT_DEL:
370 case AUDIT_DEL_RULE:
348 case AUDIT_SIGNAL_INFO: 371 case AUDIT_SIGNAL_INFO:
349 if (!cap_raised(eff_cap, CAP_AUDIT_CONTROL)) 372 if (!cap_raised(eff_cap, CAP_AUDIT_CONTROL))
350 err = -EPERM; 373 err = -EPERM;
351 break; 374 break;
352 case AUDIT_USER: 375 case AUDIT_USER:
353 case AUDIT_FIRST_USER_MSG...AUDIT_LAST_USER_MSG: 376 case AUDIT_FIRST_USER_MSG...AUDIT_LAST_USER_MSG:
377 case AUDIT_FIRST_USER_MSG2...AUDIT_LAST_USER_MSG2:
354 if (!cap_raised(eff_cap, CAP_AUDIT_WRITE)) 378 if (!cap_raised(eff_cap, CAP_AUDIT_WRITE))
355 err = -EPERM; 379 err = -EPERM;
356 break; 380 break;
@@ -376,7 +400,8 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
376 if (err) 400 if (err)
377 return err; 401 return err;
378 402
379 /* As soon as there's any sign of userspace auditd, start kauditd to talk to it */ 403 /* As soon as there's any sign of userspace auditd,
404 * start kauditd to talk to it */
380 if (!kauditd_task) 405 if (!kauditd_task)
381 kauditd_task = kthread_run(kauditd_thread, NULL, "kauditd"); 406 kauditd_task = kthread_run(kauditd_thread, NULL, "kauditd");
382 if (IS_ERR(kauditd_task)) { 407 if (IS_ERR(kauditd_task)) {
@@ -430,6 +455,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
430 break; 455 break;
431 case AUDIT_USER: 456 case AUDIT_USER:
432 case AUDIT_FIRST_USER_MSG...AUDIT_LAST_USER_MSG: 457 case AUDIT_FIRST_USER_MSG...AUDIT_LAST_USER_MSG:
458 case AUDIT_FIRST_USER_MSG2...AUDIT_LAST_USER_MSG2:
433 if (!audit_enabled && msg_type != AUDIT_USER_AVC) 459 if (!audit_enabled && msg_type != AUDIT_USER_AVC)
434 return 0; 460 return 0;
435 461
@@ -448,12 +474,23 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
448 break; 474 break;
449 case AUDIT_ADD: 475 case AUDIT_ADD:
450 case AUDIT_DEL: 476 case AUDIT_DEL:
451 if (nlh->nlmsg_len < sizeof(struct audit_rule)) 477 if (nlmsg_len(nlh) < sizeof(struct audit_rule))
452 return -EINVAL; 478 return -EINVAL;
453 /* fallthrough */ 479 /* fallthrough */
454 case AUDIT_LIST: 480 case AUDIT_LIST:
455 err = audit_receive_filter(nlh->nlmsg_type, NETLINK_CB(skb).pid, 481 err = audit_receive_filter(nlh->nlmsg_type, NETLINK_CB(skb).pid,
456 uid, seq, data, loginuid); 482 uid, seq, data, nlmsg_len(nlh),
483 loginuid);
484 break;
485 case AUDIT_ADD_RULE:
486 case AUDIT_DEL_RULE:
487 if (nlmsg_len(nlh) < sizeof(struct audit_rule_data))
488 return -EINVAL;
489 /* fallthrough */
490 case AUDIT_LIST_RULES:
491 err = audit_receive_filter(nlh->nlmsg_type, NETLINK_CB(skb).pid,
492 uid, seq, data, nlmsg_len(nlh),
493 loginuid);
457 break; 494 break;
458 case AUDIT_SIGNAL_INFO: 495 case AUDIT_SIGNAL_INFO:
459 sig_data.uid = audit_sig_uid; 496 sig_data.uid = audit_sig_uid;
@@ -469,9 +506,11 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
469 return err < 0 ? err : 0; 506 return err < 0 ? err : 0;
470} 507}
471 508
472/* Get message from skb (based on rtnetlink_rcv_skb). Each message is 509/*
510 * Get message from skb (based on rtnetlink_rcv_skb). Each message is
473 * processed by audit_receive_msg. Malformed skbs with wrong length are 511 * processed by audit_receive_msg. Malformed skbs with wrong length are
474 * discarded silently. */ 512 * discarded silently.
513 */
475static void audit_receive_skb(struct sk_buff *skb) 514static void audit_receive_skb(struct sk_buff *skb)
476{ 515{
477 int err; 516 int err;
@@ -499,14 +538,14 @@ static void audit_receive(struct sock *sk, int length)
499 struct sk_buff *skb; 538 struct sk_buff *skb;
500 unsigned int qlen; 539 unsigned int qlen;
501 540
502 down(&audit_netlink_sem); 541 mutex_lock(&audit_netlink_mutex);
503 542
504 for (qlen = skb_queue_len(&sk->sk_receive_queue); qlen; qlen--) { 543 for (qlen = skb_queue_len(&sk->sk_receive_queue); qlen; qlen--) {
505 skb = skb_dequeue(&sk->sk_receive_queue); 544 skb = skb_dequeue(&sk->sk_receive_queue);
506 audit_receive_skb(skb); 545 audit_receive_skb(skb);
507 kfree_skb(skb); 546 kfree_skb(skb);
508 } 547 }
509 up(&audit_netlink_sem); 548 mutex_unlock(&audit_netlink_mutex);
510} 549}
511 550
512 551
@@ -519,8 +558,9 @@ static int __init audit_init(void)
519 THIS_MODULE); 558 THIS_MODULE);
520 if (!audit_sock) 559 if (!audit_sock)
521 audit_panic("cannot initialize netlink socket"); 560 audit_panic("cannot initialize netlink socket");
561 else
562 audit_sock->sk_sndtimeo = MAX_SCHEDULE_TIMEOUT;
522 563
523 audit_sock->sk_sndtimeo = MAX_SCHEDULE_TIMEOUT;
524 skb_queue_head_init(&audit_skb_queue); 564 skb_queue_head_init(&audit_skb_queue);
525 audit_initialized = 1; 565 audit_initialized = 1;
526 audit_enabled = audit_default; 566 audit_enabled = audit_default;
@@ -600,7 +640,10 @@ err:
600 return NULL; 640 return NULL;
601} 641}
602 642
603/* Compute a serial number for the audit record. Audit records are 643/**
644 * audit_serial - compute a serial number for the audit record
645 *
646 * Compute a serial number for the audit record. Audit records are
604 * written to user-space as soon as they are generated, so a complete 647 * written to user-space as soon as they are generated, so a complete
605 * audit record may be written in several pieces. The timestamp of the 648 * audit record may be written in several pieces. The timestamp of the
606 * record and this serial number are used by the user-space tools to 649 * record and this serial number are used by the user-space tools to
@@ -612,8 +655,8 @@ err:
612 * audit context (for those records that have a context), and emit them 655 * audit context (for those records that have a context), and emit them
613 * all at syscall exit. However, this could delay the reporting of 656 * all at syscall exit. However, this could delay the reporting of
614 * significant errors until syscall exit (or never, if the system 657 * significant errors until syscall exit (or never, if the system
615 * halts). */ 658 * halts).
616 659 */
617unsigned int audit_serial(void) 660unsigned int audit_serial(void)
618{ 661{
619 static spinlock_t serial_lock = SPIN_LOCK_UNLOCKED; 662 static spinlock_t serial_lock = SPIN_LOCK_UNLOCKED;
@@ -649,6 +692,21 @@ static inline void audit_get_stamp(struct audit_context *ctx,
649 * will be written at syscall exit. If there is no associated task, tsk 692 * will be written at syscall exit. If there is no associated task, tsk
650 * should be NULL. */ 693 * should be NULL. */
651 694
695/**
696 * audit_log_start - obtain an audit buffer
697 * @ctx: audit_context (may be NULL)
698 * @gfp_mask: type of allocation
699 * @type: audit message type
700 *
701 * Returns audit_buffer pointer on success or NULL on error.
702 *
703 * Obtain an audit buffer. This routine does locking to obtain the
704 * audit buffer, but then no locking is required for calls to
705 * audit_log_*format. If the task (ctx) is a task that is currently in a
706 * syscall, then the syscall is marked as auditable and an audit record
707 * will be written at syscall exit. If there is no associated task, then
708 * task context (ctx) should be NULL.
709 */
652struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, 710struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
653 int type) 711 int type)
654{ 712{
@@ -661,6 +719,9 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
661 if (!audit_initialized) 719 if (!audit_initialized)
662 return NULL; 720 return NULL;
663 721
722 if (unlikely(audit_filter_type(type)))
723 return NULL;
724
664 if (gfp_mask & __GFP_WAIT) 725 if (gfp_mask & __GFP_WAIT)
665 reserve = 0; 726 reserve = 0;
666 else 727 else
@@ -713,6 +774,7 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
713/** 774/**
714 * audit_expand - expand skb in the audit buffer 775 * audit_expand - expand skb in the audit buffer
715 * @ab: audit_buffer 776 * @ab: audit_buffer
777 * @extra: space to add at tail of the skb
716 * 778 *
717 * Returns 0 (no space) on failed expansion, or available space if 779 * Returns 0 (no space) on failed expansion, or available space if
718 * successful. 780 * successful.
@@ -729,10 +791,12 @@ static inline int audit_expand(struct audit_buffer *ab, int extra)
729 return skb_tailroom(skb); 791 return skb_tailroom(skb);
730} 792}
731 793
732/* Format an audit message into the audit buffer. If there isn't enough 794/*
795 * Format an audit message into the audit buffer. If there isn't enough
733 * room in the audit buffer, more room will be allocated and vsnprint 796 * room in the audit buffer, more room will be allocated and vsnprint
734 * will be called a second time. Currently, we assume that a printk 797 * will be called a second time. Currently, we assume that a printk
735 * can't format message larger than 1024 bytes, so we don't either. */ 798 * can't format message larger than 1024 bytes, so we don't either.
799 */
736static void audit_log_vformat(struct audit_buffer *ab, const char *fmt, 800static void audit_log_vformat(struct audit_buffer *ab, const char *fmt,
737 va_list args) 801 va_list args)
738{ 802{
@@ -757,7 +821,8 @@ static void audit_log_vformat(struct audit_buffer *ab, const char *fmt,
757 /* The printk buffer is 1024 bytes long, so if we get 821 /* The printk buffer is 1024 bytes long, so if we get
758 * here and AUDIT_BUFSIZ is at least 1024, then we can 822 * here and AUDIT_BUFSIZ is at least 1024, then we can
759 * log everything that printk could have logged. */ 823 * log everything that printk could have logged. */
760 avail = audit_expand(ab, max_t(unsigned, AUDIT_BUFSIZ, 1+len-avail)); 824 avail = audit_expand(ab,
825 max_t(unsigned, AUDIT_BUFSIZ, 1+len-avail));
761 if (!avail) 826 if (!avail)
762 goto out; 827 goto out;
763 len = vsnprintf(skb->tail, avail, fmt, args2); 828 len = vsnprintf(skb->tail, avail, fmt, args2);
@@ -768,8 +833,14 @@ out:
768 return; 833 return;
769} 834}
770 835
771/* Format a message into the audit buffer. All the work is done in 836/**
772 * audit_log_vformat. */ 837 * audit_log_format - format a message into the audit buffer.
838 * @ab: audit_buffer
839 * @fmt: format string
840 * @...: optional parameters matching @fmt string
841 *
842 * All the work is done in audit_log_vformat.
843 */
773void audit_log_format(struct audit_buffer *ab, const char *fmt, ...) 844void audit_log_format(struct audit_buffer *ab, const char *fmt, ...)
774{ 845{
775 va_list args; 846 va_list args;
@@ -781,9 +852,18 @@ void audit_log_format(struct audit_buffer *ab, const char *fmt, ...)
781 va_end(args); 852 va_end(args);
782} 853}
783 854
784/* This function will take the passed buf and convert it into a string of 855/**
785 * ascii hex digits. The new string is placed onto the skb. */ 856 * audit_log_hex - convert a buffer to hex and append it to the audit skb
786void audit_log_hex(struct audit_buffer *ab, const unsigned char *buf, 857 * @ab: the audit_buffer
858 * @buf: buffer to convert to hex
859 * @len: length of @buf to be converted
860 *
861 * No return value; failure to expand is silently ignored.
862 *
863 * This function will take the passed buf and convert it into a string of
864 * ascii hex digits. The new string is placed onto the skb.
865 */
866void audit_log_hex(struct audit_buffer *ab, const unsigned char *buf,
787 size_t len) 867 size_t len)
788{ 868{
789 int i, avail, new_len; 869 int i, avail, new_len;
@@ -812,10 +892,16 @@ void audit_log_hex(struct audit_buffer *ab, const unsigned char *buf,
812 skb_put(skb, len << 1); /* new string is twice the old string */ 892 skb_put(skb, len << 1); /* new string is twice the old string */
813} 893}
814 894
815/* This code will escape a string that is passed to it if the string 895/**
816 * contains a control character, unprintable character, double quote mark, 896 * audit_log_unstrustedstring - log a string that may contain random characters
897 * @ab: audit_buffer
898 * @string: string to be logged
899 *
900 * This code will escape a string that is passed to it if the string
901 * contains a control character, unprintable character, double quote mark,
817 * or a space. Unescaped strings will start and end with a double quote mark. 902 * or a space. Unescaped strings will start and end with a double quote mark.
818 * Strings that are escaped are printed in hex (2 digits per char). */ 903 * Strings that are escaped are printed in hex (2 digits per char).
904 */
819void audit_log_untrustedstring(struct audit_buffer *ab, const char *string) 905void audit_log_untrustedstring(struct audit_buffer *ab, const char *string)
820{ 906{
821 const unsigned char *p = string; 907 const unsigned char *p = string;
@@ -854,10 +940,15 @@ void audit_log_d_path(struct audit_buffer *ab, const char *prefix,
854 kfree(path); 940 kfree(path);
855} 941}
856 942
857/* The netlink_* functions cannot be called inside an irq context, so 943/**
858 * the audit buffer is places on a queue and a tasklet is scheduled to 944 * audit_log_end - end one audit record
945 * @ab: the audit_buffer
946 *
947 * The netlink_* functions cannot be called inside an irq context, so
948 * the audit buffer is placed on a queue and a tasklet is scheduled to
859 * remove them from the queue outside the irq context. May be called in 949 * remove them from the queue outside the irq context. May be called in
860 * any context. */ 950 * any context.
951 */
861void audit_log_end(struct audit_buffer *ab) 952void audit_log_end(struct audit_buffer *ab)
862{ 953{
863 if (!ab) 954 if (!ab)
@@ -878,9 +969,18 @@ void audit_log_end(struct audit_buffer *ab)
878 audit_buffer_free(ab); 969 audit_buffer_free(ab);
879} 970}
880 971
881/* Log an audit record. This is a convenience function that calls 972/**
882 * audit_log_start, audit_log_vformat, and audit_log_end. It may be 973 * audit_log - Log an audit record
883 * called in any context. */ 974 * @ctx: audit context
975 * @gfp_mask: type of allocation
976 * @type: audit message type
977 * @fmt: format string to use
978 * @...: variable parameters matching the format string
979 *
980 * This is a convenience function that calls audit_log_start,
981 * audit_log_vformat, and audit_log_end. It may be called
982 * in any context.
983 */
884void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, 984void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type,
885 const char *fmt, ...) 985 const char *fmt, ...)
886{ 986{
@@ -895,3 +995,8 @@ void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type,
895 audit_log_end(ab); 995 audit_log_end(ab);
896 } 996 }
897} 997}
998
999EXPORT_SYMBOL(audit_log_start);
1000EXPORT_SYMBOL(audit_log_end);
1001EXPORT_SYMBOL(audit_log_format);
1002EXPORT_SYMBOL(audit_log);
diff --git a/kernel/audit.h b/kernel/audit.h
new file mode 100644
index 000000000000..bc5392076e2b
--- /dev/null
+++ b/kernel/audit.h
@@ -0,0 +1,88 @@
1/* audit -- definition of audit_context structure and supporting types
2 *
3 * Copyright 2003-2004 Red Hat, Inc.
4 * Copyright 2005 Hewlett-Packard Development Company, L.P.
5 * Copyright 2005 IBM Corporation
6 *
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 2 of the License, or
10 * (at your option) any later version.
11 *
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
20 */
21
22#include <linux/mutex.h>
23#include <linux/fs.h>
24#include <linux/audit.h>
25
26/* 0 = no checking
27 1 = put_count checking
28 2 = verbose put_count checking
29*/
30#define AUDIT_DEBUG 0
31
32/* At task start time, the audit_state is set in the audit_context using
33 a per-task filter. At syscall entry, the audit_state is augmented by
34 the syscall filter. */
35enum audit_state {
36 AUDIT_DISABLED, /* Do not create per-task audit_context.
37 * No syscall-specific audit records can
38 * be generated. */
39 AUDIT_SETUP_CONTEXT, /* Create the per-task audit_context,
40 * but don't necessarily fill it in at
41 * syscall entry time (i.e., filter
42 * instead). */
43 AUDIT_BUILD_CONTEXT, /* Create the per-task audit_context,
44 * and always fill it in at syscall
45 * entry time. This makes a full
46 * syscall record available if some
47 * other part of the kernel decides it
48 * should be recorded. */
49 AUDIT_RECORD_CONTEXT /* Create the per-task audit_context,
50 * always fill it in at syscall entry
51 * time, and always write out the audit
52 * record at syscall exit time. */
53};
54
55/* Rule lists */
56struct audit_field {
57 u32 type;
58 u32 val;
59 u32 op;
60};
61
62struct audit_krule {
63 int vers_ops;
64 u32 flags;
65 u32 listnr;
66 u32 action;
67 u32 mask[AUDIT_BITMASK_SIZE];
68 u32 buflen; /* for data alloc on list rules */
69 u32 field_count;
70 struct audit_field *fields;
71};
72
73struct audit_entry {
74 struct list_head list;
75 struct rcu_head rcu;
76 struct audit_krule rule;
77};
78
79
80extern int audit_pid;
81extern int audit_comparator(const u32 left, const u32 op, const u32 right);
82
83extern void audit_send_reply(int pid, int seq, int type,
84 int done, int multi,
85 void *payload, int size);
86extern void audit_log_lost(const char *message);
87extern void audit_panic(const char *message);
88extern struct mutex audit_netlink_mutex;
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
new file mode 100644
index 000000000000..d3a8539f3a83
--- /dev/null
+++ b/kernel/auditfilter.c
@@ -0,0 +1,630 @@
1/* auditfilter.c -- filtering of audit events
2 *
3 * Copyright 2003-2004 Red Hat, Inc.
4 * Copyright 2005 Hewlett-Packard Development Company, L.P.
5 * Copyright 2005 IBM Corporation
6 *
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 2 of the License, or
10 * (at your option) any later version.
11 *
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
20 */
21
22#include <linux/kernel.h>
23#include <linux/audit.h>
24#include <linux/kthread.h>
25#include <linux/netlink.h>
26#include "audit.h"
27
28/* There are three lists of rules -- one to search at task creation
29 * time, one to search at syscall entry time, and another to search at
30 * syscall exit time. */
31struct list_head audit_filter_list[AUDIT_NR_FILTERS] = {
32 LIST_HEAD_INIT(audit_filter_list[0]),
33 LIST_HEAD_INIT(audit_filter_list[1]),
34 LIST_HEAD_INIT(audit_filter_list[2]),
35 LIST_HEAD_INIT(audit_filter_list[3]),
36 LIST_HEAD_INIT(audit_filter_list[4]),
37 LIST_HEAD_INIT(audit_filter_list[5]),
38#if AUDIT_NR_FILTERS != 6
39#error Fix audit_filter_list initialiser
40#endif
41};
42
43static inline void audit_free_rule(struct audit_entry *e)
44{
45 kfree(e->rule.fields);
46 kfree(e);
47}
48
49static inline void audit_free_rule_rcu(struct rcu_head *head)
50{
51 struct audit_entry *e = container_of(head, struct audit_entry, rcu);
52 audit_free_rule(e);
53}
54
55/* Unpack a filter field's string representation from user-space
56 * buffer. */
57static __attribute__((unused)) char *audit_unpack_string(void **bufp, size_t *remain, size_t len)
58{
59 char *str;
60
61 if (!*bufp || (len == 0) || (len > *remain))
62 return ERR_PTR(-EINVAL);
63
64 /* Of the currently implemented string fields, PATH_MAX
65 * defines the longest valid length.
66 */
67 if (len > PATH_MAX)
68 return ERR_PTR(-ENAMETOOLONG);
69
70 str = kmalloc(len + 1, GFP_KERNEL);
71 if (unlikely(!str))
72 return ERR_PTR(-ENOMEM);
73
74 memcpy(str, *bufp, len);
75 str[len] = 0;
76 *bufp += len;
77 *remain -= len;
78
79 return str;
80}
81
82/* Common user-space to kernel rule translation. */
83static inline struct audit_entry *audit_to_entry_common(struct audit_rule *rule)
84{
85 unsigned listnr;
86 struct audit_entry *entry;
87 struct audit_field *fields;
88 int i, err;
89
90 err = -EINVAL;
91 listnr = rule->flags & ~AUDIT_FILTER_PREPEND;
92 switch(listnr) {
93 default:
94 goto exit_err;
95 case AUDIT_FILTER_USER:
96 case AUDIT_FILTER_TYPE:
97#ifdef CONFIG_AUDITSYSCALL
98 case AUDIT_FILTER_ENTRY:
99 case AUDIT_FILTER_EXIT:
100 case AUDIT_FILTER_TASK:
101#endif
102 ;
103 }
104 if (rule->action != AUDIT_NEVER && rule->action != AUDIT_POSSIBLE &&
105 rule->action != AUDIT_ALWAYS)
106 goto exit_err;
107 if (rule->field_count > AUDIT_MAX_FIELDS)
108 goto exit_err;
109
110 err = -ENOMEM;
111 entry = kmalloc(sizeof(*entry), GFP_KERNEL);
112 if (unlikely(!entry))
113 goto exit_err;
114 fields = kmalloc(sizeof(*fields) * rule->field_count, GFP_KERNEL);
115 if (unlikely(!fields)) {
116 kfree(entry);
117 goto exit_err;
118 }
119
120 memset(&entry->rule, 0, sizeof(struct audit_krule));
121 memset(fields, 0, sizeof(struct audit_field));
122
123 entry->rule.flags = rule->flags & AUDIT_FILTER_PREPEND;
124 entry->rule.listnr = listnr;
125 entry->rule.action = rule->action;
126 entry->rule.field_count = rule->field_count;
127 entry->rule.fields = fields;
128
129 for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
130 entry->rule.mask[i] = rule->mask[i];
131
132 return entry;
133
134exit_err:
135 return ERR_PTR(err);
136}
137
138/* Translate struct audit_rule to kernel's rule respresentation.
139 * Exists for backward compatibility with userspace. */
140static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule)
141{
142 struct audit_entry *entry;
143 int err = 0;
144 int i;
145
146 entry = audit_to_entry_common(rule);
147 if (IS_ERR(entry))
148 goto exit_nofree;
149
150 for (i = 0; i < rule->field_count; i++) {
151 struct audit_field *f = &entry->rule.fields[i];
152
153 if (rule->fields[i] & AUDIT_UNUSED_BITS) {
154 err = -EINVAL;
155 goto exit_free;
156 }
157
158 f->op = rule->fields[i] & (AUDIT_NEGATE|AUDIT_OPERATORS);
159 f->type = rule->fields[i] & ~(AUDIT_NEGATE|AUDIT_OPERATORS);
160 f->val = rule->values[i];
161
162 entry->rule.vers_ops = (f->op & AUDIT_OPERATORS) ? 2 : 1;
163
164 /* Support for legacy operators where
165 * AUDIT_NEGATE bit signifies != and otherwise assumes == */
166 if (f->op & AUDIT_NEGATE)
167 f->op = AUDIT_NOT_EQUAL;
168 else if (!f->op)
169 f->op = AUDIT_EQUAL;
170 else if (f->op == AUDIT_OPERATORS) {
171 err = -EINVAL;
172 goto exit_free;
173 }
174 }
175
176exit_nofree:
177 return entry;
178
179exit_free:
180 audit_free_rule(entry);
181 return ERR_PTR(err);
182}
183
184/* Translate struct audit_rule_data to kernel's rule respresentation. */
185static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
186 size_t datasz)
187{
188 int err = 0;
189 struct audit_entry *entry;
190 void *bufp;
191 /* size_t remain = datasz - sizeof(struct audit_rule_data); */
192 int i;
193
194 entry = audit_to_entry_common((struct audit_rule *)data);
195 if (IS_ERR(entry))
196 goto exit_nofree;
197
198 bufp = data->buf;
199 entry->rule.vers_ops = 2;
200 for (i = 0; i < data->field_count; i++) {
201 struct audit_field *f = &entry->rule.fields[i];
202
203 err = -EINVAL;
204 if (!(data->fieldflags[i] & AUDIT_OPERATORS) ||
205 data->fieldflags[i] & ~AUDIT_OPERATORS)
206 goto exit_free;
207
208 f->op = data->fieldflags[i] & AUDIT_OPERATORS;
209 f->type = data->fields[i];
210 switch(f->type) {
211 /* call type-specific conversion routines here */
212 default:
213 f->val = data->values[i];
214 }
215 }
216
217exit_nofree:
218 return entry;
219
220exit_free:
221 audit_free_rule(entry);
222 return ERR_PTR(err);
223}
224
225/* Pack a filter field's string representation into data block. */
226static inline size_t audit_pack_string(void **bufp, char *str)
227{
228 size_t len = strlen(str);
229
230 memcpy(*bufp, str, len);
231 *bufp += len;
232
233 return len;
234}
235
236/* Translate kernel rule respresentation to struct audit_rule.
237 * Exists for backward compatibility with userspace. */
238static struct audit_rule *audit_krule_to_rule(struct audit_krule *krule)
239{
240 struct audit_rule *rule;
241 int i;
242
243 rule = kmalloc(sizeof(*rule), GFP_KERNEL);
244 if (unlikely(!rule))
245 return ERR_PTR(-ENOMEM);
246 memset(rule, 0, sizeof(*rule));
247
248 rule->flags = krule->flags | krule->listnr;
249 rule->action = krule->action;
250 rule->field_count = krule->field_count;
251 for (i = 0; i < rule->field_count; i++) {
252 rule->values[i] = krule->fields[i].val;
253 rule->fields[i] = krule->fields[i].type;
254
255 if (krule->vers_ops == 1) {
256 if (krule->fields[i].op & AUDIT_NOT_EQUAL)
257 rule->fields[i] |= AUDIT_NEGATE;
258 } else {
259 rule->fields[i] |= krule->fields[i].op;
260 }
261 }
262 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) rule->mask[i] = krule->mask[i];
263
264 return rule;
265}
266
267/* Translate kernel rule respresentation to struct audit_rule_data. */
268static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule)
269{
270 struct audit_rule_data *data;
271 void *bufp;
272 int i;
273
274 data = kmalloc(sizeof(*data) + krule->buflen, GFP_KERNEL);
275 if (unlikely(!data))
276 return ERR_PTR(-ENOMEM);
277 memset(data, 0, sizeof(*data));
278
279 data->flags = krule->flags | krule->listnr;
280 data->action = krule->action;
281 data->field_count = krule->field_count;
282 bufp = data->buf;
283 for (i = 0; i < data->field_count; i++) {
284 struct audit_field *f = &krule->fields[i];
285
286 data->fields[i] = f->type;
287 data->fieldflags[i] = f->op;
288 switch(f->type) {
289 /* call type-specific conversion routines here */
290 default:
291 data->values[i] = f->val;
292 }
293 }
294 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) data->mask[i] = krule->mask[i];
295
296 return data;
297}
298
299/* Compare two rules in kernel format. Considered success if rules
300 * don't match. */
301static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b)
302{
303 int i;
304
305 if (a->flags != b->flags ||
306 a->listnr != b->listnr ||
307 a->action != b->action ||
308 a->field_count != b->field_count)
309 return 1;
310
311 for (i = 0; i < a->field_count; i++) {
312 if (a->fields[i].type != b->fields[i].type ||
313 a->fields[i].op != b->fields[i].op)
314 return 1;
315
316 switch(a->fields[i].type) {
317 /* call type-specific comparison routines here */
318 default:
319 if (a->fields[i].val != b->fields[i].val)
320 return 1;
321 }
322 }
323
324 for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
325 if (a->mask[i] != b->mask[i])
326 return 1;
327
328 return 0;
329}
330
331/* Add rule to given filterlist if not a duplicate. Protected by
332 * audit_netlink_mutex. */
333static inline int audit_add_rule(struct audit_entry *entry,
334 struct list_head *list)
335{
336 struct audit_entry *e;
337
338 /* Do not use the _rcu iterator here, since this is the only
339 * addition routine. */
340 list_for_each_entry(e, list, list) {
341 if (!audit_compare_rule(&entry->rule, &e->rule))
342 return -EEXIST;
343 }
344
345 if (entry->rule.flags & AUDIT_FILTER_PREPEND) {
346 list_add_rcu(&entry->list, list);
347 } else {
348 list_add_tail_rcu(&entry->list, list);
349 }
350
351 return 0;
352}
353
354/* Remove an existing rule from filterlist. Protected by
355 * audit_netlink_mutex. */
356static inline int audit_del_rule(struct audit_entry *entry,
357 struct list_head *list)
358{
359 struct audit_entry *e;
360
361 /* Do not use the _rcu iterator here, since this is the only
362 * deletion routine. */
363 list_for_each_entry(e, list, list) {
364 if (!audit_compare_rule(&entry->rule, &e->rule)) {
365 list_del_rcu(&e->list);
366 call_rcu(&e->rcu, audit_free_rule_rcu);
367 return 0;
368 }
369 }
370 return -ENOENT; /* No matching rule */
371}
372
373/* List rules using struct audit_rule. Exists for backward
374 * compatibility with userspace. */
375static int audit_list(void *_dest)
376{
377 int pid, seq;
378 int *dest = _dest;
379 struct audit_entry *entry;
380 int i;
381
382 pid = dest[0];
383 seq = dest[1];
384 kfree(dest);
385
386 mutex_lock(&audit_netlink_mutex);
387
388 /* The *_rcu iterators not needed here because we are
389 always called with audit_netlink_mutex held. */
390 for (i=0; i<AUDIT_NR_FILTERS; i++) {
391 list_for_each_entry(entry, &audit_filter_list[i], list) {
392 struct audit_rule *rule;
393
394 rule = audit_krule_to_rule(&entry->rule);
395 if (unlikely(!rule))
396 break;
397 audit_send_reply(pid, seq, AUDIT_LIST, 0, 1,
398 rule, sizeof(*rule));
399 kfree(rule);
400 }
401 }
402 audit_send_reply(pid, seq, AUDIT_LIST, 1, 1, NULL, 0);
403
404 mutex_unlock(&audit_netlink_mutex);
405 return 0;
406}
407
408/* List rules using struct audit_rule_data. */
409static int audit_list_rules(void *_dest)
410{
411 int pid, seq;
412 int *dest = _dest;
413 struct audit_entry *e;
414 int i;
415
416 pid = dest[0];
417 seq = dest[1];
418 kfree(dest);
419
420 mutex_lock(&audit_netlink_mutex);
421
422 /* The *_rcu iterators not needed here because we are
423 always called with audit_netlink_mutex held. */
424 for (i=0; i<AUDIT_NR_FILTERS; i++) {
425 list_for_each_entry(e, &audit_filter_list[i], list) {
426 struct audit_rule_data *data;
427
428 data = audit_krule_to_data(&e->rule);
429 if (unlikely(!data))
430 break;
431 audit_send_reply(pid, seq, AUDIT_LIST_RULES, 0, 1,
432 data, sizeof(*data));
433 kfree(data);
434 }
435 }
436 audit_send_reply(pid, seq, AUDIT_LIST_RULES, 1, 1, NULL, 0);
437
438 mutex_unlock(&audit_netlink_mutex);
439 return 0;
440}
441
442/**
443 * audit_receive_filter - apply all rules to the specified message type
444 * @type: audit message type
445 * @pid: target pid for netlink audit messages
446 * @uid: target uid for netlink audit messages
447 * @seq: netlink audit message sequence (serial) number
448 * @data: payload data
449 * @datasz: size of payload data
450 * @loginuid: loginuid of sender
451 */
452int audit_receive_filter(int type, int pid, int uid, int seq, void *data,
453 size_t datasz, uid_t loginuid)
454{
455 struct task_struct *tsk;
456 int *dest;
457 int err = 0;
458 struct audit_entry *entry;
459
460 switch (type) {
461 case AUDIT_LIST:
462 case AUDIT_LIST_RULES:
463 /* We can't just spew out the rules here because we might fill
464 * the available socket buffer space and deadlock waiting for
465 * auditctl to read from it... which isn't ever going to
466 * happen if we're actually running in the context of auditctl
467 * trying to _send_ the stuff */
468
469 dest = kmalloc(2 * sizeof(int), GFP_KERNEL);
470 if (!dest)
471 return -ENOMEM;
472 dest[0] = pid;
473 dest[1] = seq;
474
475 if (type == AUDIT_LIST)
476 tsk = kthread_run(audit_list, dest, "audit_list");
477 else
478 tsk = kthread_run(audit_list_rules, dest,
479 "audit_list_rules");
480 if (IS_ERR(tsk)) {
481 kfree(dest);
482 err = PTR_ERR(tsk);
483 }
484 break;
485 case AUDIT_ADD:
486 case AUDIT_ADD_RULE:
487 if (type == AUDIT_ADD)
488 entry = audit_rule_to_entry(data);
489 else
490 entry = audit_data_to_entry(data, datasz);
491 if (IS_ERR(entry))
492 return PTR_ERR(entry);
493
494 err = audit_add_rule(entry,
495 &audit_filter_list[entry->rule.listnr]);
496 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
497 "auid=%u add rule to list=%d res=%d\n",
498 loginuid, entry->rule.listnr, !err);
499
500 if (err)
501 audit_free_rule(entry);
502 break;
503 case AUDIT_DEL:
504 case AUDIT_DEL_RULE:
505 if (type == AUDIT_DEL)
506 entry = audit_rule_to_entry(data);
507 else
508 entry = audit_data_to_entry(data, datasz);
509 if (IS_ERR(entry))
510 return PTR_ERR(entry);
511
512 err = audit_del_rule(entry,
513 &audit_filter_list[entry->rule.listnr]);
514 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
515 "auid=%u remove rule from list=%d res=%d\n",
516 loginuid, entry->rule.listnr, !err);
517
518 audit_free_rule(entry);
519 break;
520 default:
521 return -EINVAL;
522 }
523
524 return err;
525}
526
527int audit_comparator(const u32 left, const u32 op, const u32 right)
528{
529 switch (op) {
530 case AUDIT_EQUAL:
531 return (left == right);
532 case AUDIT_NOT_EQUAL:
533 return (left != right);
534 case AUDIT_LESS_THAN:
535 return (left < right);
536 case AUDIT_LESS_THAN_OR_EQUAL:
537 return (left <= right);
538 case AUDIT_GREATER_THAN:
539 return (left > right);
540 case AUDIT_GREATER_THAN_OR_EQUAL:
541 return (left >= right);
542 }
543 BUG();
544 return 0;
545}
546
547
548
549static int audit_filter_user_rules(struct netlink_skb_parms *cb,
550 struct audit_krule *rule,
551 enum audit_state *state)
552{
553 int i;
554
555 for (i = 0; i < rule->field_count; i++) {
556 struct audit_field *f = &rule->fields[i];
557 int result = 0;
558
559 switch (f->type) {
560 case AUDIT_PID:
561 result = audit_comparator(cb->creds.pid, f->op, f->val);
562 break;
563 case AUDIT_UID:
564 result = audit_comparator(cb->creds.uid, f->op, f->val);
565 break;
566 case AUDIT_GID:
567 result = audit_comparator(cb->creds.gid, f->op, f->val);
568 break;
569 case AUDIT_LOGINUID:
570 result = audit_comparator(cb->loginuid, f->op, f->val);
571 break;
572 }
573
574 if (!result)
575 return 0;
576 }
577 switch (rule->action) {
578 case AUDIT_NEVER: *state = AUDIT_DISABLED; break;
579 case AUDIT_POSSIBLE: *state = AUDIT_BUILD_CONTEXT; break;
580 case AUDIT_ALWAYS: *state = AUDIT_RECORD_CONTEXT; break;
581 }
582 return 1;
583}
584
585int audit_filter_user(struct netlink_skb_parms *cb, int type)
586{
587 struct audit_entry *e;
588 enum audit_state state;
589 int ret = 1;
590
591 rcu_read_lock();
592 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) {
593 if (audit_filter_user_rules(cb, &e->rule, &state)) {
594 if (state == AUDIT_DISABLED)
595 ret = 0;
596 break;
597 }
598 }
599 rcu_read_unlock();
600
601 return ret; /* Audit by default */
602}
603
604int audit_filter_type(int type)
605{
606 struct audit_entry *e;
607 int result = 0;
608
609 rcu_read_lock();
610 if (list_empty(&audit_filter_list[AUDIT_FILTER_TYPE]))
611 goto unlock_and_return;
612
613 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TYPE],
614 list) {
615 int i;
616 for (i = 0; i < e->rule.field_count; i++) {
617 struct audit_field *f = &e->rule.fields[i];
618 if (f->type == AUDIT_MSGTYPE) {
619 result = audit_comparator(type, f->op, f->val);
620 if (!result)
621 break;
622 }
623 }
624 if (result)
625 goto unlock_and_return;
626 }
627unlock_and_return:
628 rcu_read_unlock();
629 return result;
630}
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index c4394abcd5e6..7f160df21a23 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2,6 +2,8 @@
2 * Handles all system-call specific auditing features. 2 * Handles all system-call specific auditing features.
3 * 3 *
4 * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina. 4 * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina.
5 * Copyright 2005 Hewlett-Packard Development Company, L.P.
6 * Copyright (C) 2005 IBM Corporation
5 * All Rights Reserved. 7 * All Rights Reserved.
6 * 8 *
7 * This program is free software; you can redistribute it and/or modify 9 * This program is free software; you can redistribute it and/or modify
@@ -27,11 +29,22 @@
27 * this file -- see entry.S) is based on a GPL'd patch written by 29 * this file -- see entry.S) is based on a GPL'd patch written by
28 * okir@suse.de and Copyright 2003 SuSE Linux AG. 30 * okir@suse.de and Copyright 2003 SuSE Linux AG.
29 * 31 *
32 * The support of additional filter rules compares (>, <, >=, <=) was
33 * added by Dustin Kirkland <dustin.kirkland@us.ibm.com>, 2005.
34 *
35 * Modified by Amy Griffis <amy.griffis@hp.com> to collect additional
36 * filesystem information.
37 *
38 * Subject and object context labeling support added by <danjones@us.ibm.com>
39 * and <dustin.kirkland@us.ibm.com> for LSPP certification compliance.
30 */ 40 */
31 41
32#include <linux/init.h> 42#include <linux/init.h>
33#include <asm/types.h> 43#include <asm/types.h>
34#include <asm/atomic.h> 44#include <asm/atomic.h>
45#include <asm/types.h>
46#include <linux/fs.h>
47#include <linux/namei.h>
35#include <linux/mm.h> 48#include <linux/mm.h>
36#include <linux/module.h> 49#include <linux/module.h>
37#include <linux/mount.h> 50#include <linux/mount.h>
@@ -39,16 +52,16 @@
39#include <linux/audit.h> 52#include <linux/audit.h>
40#include <linux/personality.h> 53#include <linux/personality.h>
41#include <linux/time.h> 54#include <linux/time.h>
42#include <linux/kthread.h>
43#include <linux/netlink.h> 55#include <linux/netlink.h>
44#include <linux/compiler.h> 56#include <linux/compiler.h>
45#include <asm/unistd.h> 57#include <asm/unistd.h>
58#include <linux/security.h>
59#include <linux/list.h>
60#include <linux/tty.h>
61
62#include "audit.h"
46 63
47/* 0 = no checking 64extern struct list_head audit_filter_list[];
48 1 = put_count checking
49 2 = verbose put_count checking
50*/
51#define AUDIT_DEBUG 0
52 65
53/* No syscall auditing will take place unless audit_enabled != 0. */ 66/* No syscall auditing will take place unless audit_enabled != 0. */
54extern int audit_enabled; 67extern int audit_enabled;
@@ -62,29 +75,6 @@ extern int audit_enabled;
62 * path_lookup. */ 75 * path_lookup. */
63#define AUDIT_NAMES_RESERVED 7 76#define AUDIT_NAMES_RESERVED 7
64 77
65/* At task start time, the audit_state is set in the audit_context using
66 a per-task filter. At syscall entry, the audit_state is augmented by
67 the syscall filter. */
68enum audit_state {
69 AUDIT_DISABLED, /* Do not create per-task audit_context.
70 * No syscall-specific audit records can
71 * be generated. */
72 AUDIT_SETUP_CONTEXT, /* Create the per-task audit_context,
73 * but don't necessarily fill it in at
74 * syscall entry time (i.e., filter
75 * instead). */
76 AUDIT_BUILD_CONTEXT, /* Create the per-task audit_context,
77 * and always fill it in at syscall
78 * entry time. This makes a full
79 * syscall record available if some
80 * other part of the kernel decides it
81 * should be recorded. */
82 AUDIT_RECORD_CONTEXT /* Create the per-task audit_context,
83 * always fill it in at syscall entry
84 * time, and always write out the audit
85 * record at syscall exit time. */
86};
87
88/* When fs/namei.c:getname() is called, we store the pointer in name and 78/* When fs/namei.c:getname() is called, we store the pointer in name and
89 * we don't let putname() free it (instead we free all of the saved 79 * we don't let putname() free it (instead we free all of the saved
90 * pointers at syscall exit time). 80 * pointers at syscall exit time).
@@ -93,12 +83,13 @@ enum audit_state {
93struct audit_names { 83struct audit_names {
94 const char *name; 84 const char *name;
95 unsigned long ino; 85 unsigned long ino;
86 unsigned long pino;
96 dev_t dev; 87 dev_t dev;
97 umode_t mode; 88 umode_t mode;
98 uid_t uid; 89 uid_t uid;
99 gid_t gid; 90 gid_t gid;
100 dev_t rdev; 91 dev_t rdev;
101 unsigned flags; 92 char *ctx;
102}; 93};
103 94
104struct audit_aux_data { 95struct audit_aux_data {
@@ -115,6 +106,7 @@ struct audit_aux_data_ipcctl {
115 uid_t uid; 106 uid_t uid;
116 gid_t gid; 107 gid_t gid;
117 mode_t mode; 108 mode_t mode;
109 char *ctx;
118}; 110};
119 111
120struct audit_aux_data_socketcall { 112struct audit_aux_data_socketcall {
@@ -167,290 +159,72 @@ struct audit_context {
167#endif 159#endif
168}; 160};
169 161
170 /* Public API */
171/* There are three lists of rules -- one to search at task creation
172 * time, one to search at syscall entry time, and another to search at
173 * syscall exit time. */
174static struct list_head audit_filter_list[AUDIT_NR_FILTERS] = {
175 LIST_HEAD_INIT(audit_filter_list[0]),
176 LIST_HEAD_INIT(audit_filter_list[1]),
177 LIST_HEAD_INIT(audit_filter_list[2]),
178 LIST_HEAD_INIT(audit_filter_list[3]),
179 LIST_HEAD_INIT(audit_filter_list[4]),
180#if AUDIT_NR_FILTERS != 5
181#error Fix audit_filter_list initialiser
182#endif
183};
184
185struct audit_entry {
186 struct list_head list;
187 struct rcu_head rcu;
188 struct audit_rule rule;
189};
190
191extern int audit_pid;
192
193/* Copy rule from user-space to kernel-space. Called from
194 * audit_add_rule during AUDIT_ADD. */
195static inline int audit_copy_rule(struct audit_rule *d, struct audit_rule *s)
196{
197 int i;
198
199 if (s->action != AUDIT_NEVER
200 && s->action != AUDIT_POSSIBLE
201 && s->action != AUDIT_ALWAYS)
202 return -1;
203 if (s->field_count < 0 || s->field_count > AUDIT_MAX_FIELDS)
204 return -1;
205 if ((s->flags & ~AUDIT_FILTER_PREPEND) >= AUDIT_NR_FILTERS)
206 return -1;
207
208 d->flags = s->flags;
209 d->action = s->action;
210 d->field_count = s->field_count;
211 for (i = 0; i < d->field_count; i++) {
212 d->fields[i] = s->fields[i];
213 d->values[i] = s->values[i];
214 }
215 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) d->mask[i] = s->mask[i];
216 return 0;
217}
218
219/* Check to see if two rules are identical. It is called from
220 * audit_add_rule during AUDIT_ADD and
221 * audit_del_rule during AUDIT_DEL. */
222static inline int audit_compare_rule(struct audit_rule *a, struct audit_rule *b)
223{
224 int i;
225
226 if (a->flags != b->flags)
227 return 1;
228
229 if (a->action != b->action)
230 return 1;
231
232 if (a->field_count != b->field_count)
233 return 1;
234
235 for (i = 0; i < a->field_count; i++) {
236 if (a->fields[i] != b->fields[i]
237 || a->values[i] != b->values[i])
238 return 1;
239 }
240
241 for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
242 if (a->mask[i] != b->mask[i])
243 return 1;
244
245 return 0;
246}
247
248/* Note that audit_add_rule and audit_del_rule are called via
249 * audit_receive() in audit.c, and are protected by
250 * audit_netlink_sem. */
251static inline int audit_add_rule(struct audit_rule *rule,
252 struct list_head *list)
253{
254 struct audit_entry *entry;
255
256 /* Do not use the _rcu iterator here, since this is the only
257 * addition routine. */
258 list_for_each_entry(entry, list, list) {
259 if (!audit_compare_rule(rule, &entry->rule)) {
260 return -EEXIST;
261 }
262 }
263
264 if (!(entry = kmalloc(sizeof(*entry), GFP_KERNEL)))
265 return -ENOMEM;
266 if (audit_copy_rule(&entry->rule, rule)) {
267 kfree(entry);
268 return -EINVAL;
269 }
270
271 if (entry->rule.flags & AUDIT_FILTER_PREPEND) {
272 entry->rule.flags &= ~AUDIT_FILTER_PREPEND;
273 list_add_rcu(&entry->list, list);
274 } else {
275 list_add_tail_rcu(&entry->list, list);
276 }
277
278 return 0;
279}
280
281static inline void audit_free_rule(struct rcu_head *head)
282{
283 struct audit_entry *e = container_of(head, struct audit_entry, rcu);
284 kfree(e);
285}
286
287/* Note that audit_add_rule and audit_del_rule are called via
288 * audit_receive() in audit.c, and are protected by
289 * audit_netlink_sem. */
290static inline int audit_del_rule(struct audit_rule *rule,
291 struct list_head *list)
292{
293 struct audit_entry *e;
294
295 /* Do not use the _rcu iterator here, since this is the only
296 * deletion routine. */
297 list_for_each_entry(e, list, list) {
298 if (!audit_compare_rule(rule, &e->rule)) {
299 list_del_rcu(&e->list);
300 call_rcu(&e->rcu, audit_free_rule);
301 return 0;
302 }
303 }
304 return -ENOENT; /* No matching rule */
305}
306
307static int audit_list_rules(void *_dest)
308{
309 int pid, seq;
310 int *dest = _dest;
311 struct audit_entry *entry;
312 int i;
313
314 pid = dest[0];
315 seq = dest[1];
316 kfree(dest);
317
318 down(&audit_netlink_sem);
319
320 /* The *_rcu iterators not needed here because we are
321 always called with audit_netlink_sem held. */
322 for (i=0; i<AUDIT_NR_FILTERS; i++) {
323 list_for_each_entry(entry, &audit_filter_list[i], list)
324 audit_send_reply(pid, seq, AUDIT_LIST, 0, 1,
325 &entry->rule, sizeof(entry->rule));
326 }
327 audit_send_reply(pid, seq, AUDIT_LIST, 1, 1, NULL, 0);
328
329 up(&audit_netlink_sem);
330 return 0;
331}
332
333int audit_receive_filter(int type, int pid, int uid, int seq, void *data,
334 uid_t loginuid)
335{
336 struct task_struct *tsk;
337 int *dest;
338 int err = 0;
339 unsigned listnr;
340
341 switch (type) {
342 case AUDIT_LIST:
343 /* We can't just spew out the rules here because we might fill
344 * the available socket buffer space and deadlock waiting for
345 * auditctl to read from it... which isn't ever going to
346 * happen if we're actually running in the context of auditctl
347 * trying to _send_ the stuff */
348
349 dest = kmalloc(2 * sizeof(int), GFP_KERNEL);
350 if (!dest)
351 return -ENOMEM;
352 dest[0] = pid;
353 dest[1] = seq;
354
355 tsk = kthread_run(audit_list_rules, dest, "audit_list_rules");
356 if (IS_ERR(tsk)) {
357 kfree(dest);
358 err = PTR_ERR(tsk);
359 }
360 break;
361 case AUDIT_ADD:
362 listnr =((struct audit_rule *)data)->flags & ~AUDIT_FILTER_PREPEND;
363 if (listnr >= AUDIT_NR_FILTERS)
364 return -EINVAL;
365
366 err = audit_add_rule(data, &audit_filter_list[listnr]);
367 if (!err)
368 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
369 "auid=%u added an audit rule\n", loginuid);
370 break;
371 case AUDIT_DEL:
372 listnr =((struct audit_rule *)data)->flags & ~AUDIT_FILTER_PREPEND;
373 if (listnr >= AUDIT_NR_FILTERS)
374 return -EINVAL;
375
376 err = audit_del_rule(data, &audit_filter_list[listnr]);
377 if (!err)
378 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
379 "auid=%u removed an audit rule\n", loginuid);
380 break;
381 default:
382 return -EINVAL;
383 }
384
385 return err;
386}
387 162
388/* Compare a task_struct with an audit_rule. Return 1 on match, 0 163/* Compare a task_struct with an audit_rule. Return 1 on match, 0
389 * otherwise. */ 164 * otherwise. */
390static int audit_filter_rules(struct task_struct *tsk, 165static int audit_filter_rules(struct task_struct *tsk,
391 struct audit_rule *rule, 166 struct audit_krule *rule,
392 struct audit_context *ctx, 167 struct audit_context *ctx,
393 enum audit_state *state) 168 enum audit_state *state)
394{ 169{
395 int i, j; 170 int i, j;
396 171
397 for (i = 0; i < rule->field_count; i++) { 172 for (i = 0; i < rule->field_count; i++) {
398 u32 field = rule->fields[i] & ~AUDIT_NEGATE; 173 struct audit_field *f = &rule->fields[i];
399 u32 value = rule->values[i];
400 int result = 0; 174 int result = 0;
401 175
402 switch (field) { 176 switch (f->type) {
403 case AUDIT_PID: 177 case AUDIT_PID:
404 result = (tsk->pid == value); 178 result = audit_comparator(tsk->pid, f->op, f->val);
405 break; 179 break;
406 case AUDIT_UID: 180 case AUDIT_UID:
407 result = (tsk->uid == value); 181 result = audit_comparator(tsk->uid, f->op, f->val);
408 break; 182 break;
409 case AUDIT_EUID: 183 case AUDIT_EUID:
410 result = (tsk->euid == value); 184 result = audit_comparator(tsk->euid, f->op, f->val);
411 break; 185 break;
412 case AUDIT_SUID: 186 case AUDIT_SUID:
413 result = (tsk->suid == value); 187 result = audit_comparator(tsk->suid, f->op, f->val);
414 break; 188 break;
415 case AUDIT_FSUID: 189 case AUDIT_FSUID:
416 result = (tsk->fsuid == value); 190 result = audit_comparator(tsk->fsuid, f->op, f->val);
417 break; 191 break;
418 case AUDIT_GID: 192 case AUDIT_GID:
419 result = (tsk->gid == value); 193 result = audit_comparator(tsk->gid, f->op, f->val);
420 break; 194 break;
421 case AUDIT_EGID: 195 case AUDIT_EGID:
422 result = (tsk->egid == value); 196 result = audit_comparator(tsk->egid, f->op, f->val);
423 break; 197 break;
424 case AUDIT_SGID: 198 case AUDIT_SGID:
425 result = (tsk->sgid == value); 199 result = audit_comparator(tsk->sgid, f->op, f->val);
426 break; 200 break;
427 case AUDIT_FSGID: 201 case AUDIT_FSGID:
428 result = (tsk->fsgid == value); 202 result = audit_comparator(tsk->fsgid, f->op, f->val);
429 break; 203 break;
430 case AUDIT_PERS: 204 case AUDIT_PERS:
431 result = (tsk->personality == value); 205 result = audit_comparator(tsk->personality, f->op, f->val);
432 break; 206 break;
433 case AUDIT_ARCH: 207 case AUDIT_ARCH:
434 if (ctx) 208 if (ctx)
435 result = (ctx->arch == value); 209 result = audit_comparator(ctx->arch, f->op, f->val);
436 break; 210 break;
437 211
438 case AUDIT_EXIT: 212 case AUDIT_EXIT:
439 if (ctx && ctx->return_valid) 213 if (ctx && ctx->return_valid)
440 result = (ctx->return_code == value); 214 result = audit_comparator(ctx->return_code, f->op, f->val);
441 break; 215 break;
442 case AUDIT_SUCCESS: 216 case AUDIT_SUCCESS:
443 if (ctx && ctx->return_valid) { 217 if (ctx && ctx->return_valid) {
444 if (value) 218 if (f->val)
445 result = (ctx->return_valid == AUDITSC_SUCCESS); 219 result = audit_comparator(ctx->return_valid, f->op, AUDITSC_SUCCESS);
446 else 220 else
447 result = (ctx->return_valid == AUDITSC_FAILURE); 221 result = audit_comparator(ctx->return_valid, f->op, AUDITSC_FAILURE);
448 } 222 }
449 break; 223 break;
450 case AUDIT_DEVMAJOR: 224 case AUDIT_DEVMAJOR:
451 if (ctx) { 225 if (ctx) {
452 for (j = 0; j < ctx->name_count; j++) { 226 for (j = 0; j < ctx->name_count; j++) {
453 if (MAJOR(ctx->names[j].dev)==value) { 227 if (audit_comparator(MAJOR(ctx->names[j].dev), f->op, f->val)) {
454 ++result; 228 ++result;
455 break; 229 break;
456 } 230 }
@@ -460,7 +234,7 @@ static int audit_filter_rules(struct task_struct *tsk,
460 case AUDIT_DEVMINOR: 234 case AUDIT_DEVMINOR:
461 if (ctx) { 235 if (ctx) {
462 for (j = 0; j < ctx->name_count; j++) { 236 for (j = 0; j < ctx->name_count; j++) {
463 if (MINOR(ctx->names[j].dev)==value) { 237 if (audit_comparator(MINOR(ctx->names[j].dev), f->op, f->val)) {
464 ++result; 238 ++result;
465 break; 239 break;
466 } 240 }
@@ -470,7 +244,8 @@ static int audit_filter_rules(struct task_struct *tsk,
470 case AUDIT_INODE: 244 case AUDIT_INODE:
471 if (ctx) { 245 if (ctx) {
472 for (j = 0; j < ctx->name_count; j++) { 246 for (j = 0; j < ctx->name_count; j++) {
473 if (ctx->names[j].ino == value) { 247 if (audit_comparator(ctx->names[j].ino, f->op, f->val) ||
248 audit_comparator(ctx->names[j].pino, f->op, f->val)) {
474 ++result; 249 ++result;
475 break; 250 break;
476 } 251 }
@@ -480,19 +255,17 @@ static int audit_filter_rules(struct task_struct *tsk,
480 case AUDIT_LOGINUID: 255 case AUDIT_LOGINUID:
481 result = 0; 256 result = 0;
482 if (ctx) 257 if (ctx)
483 result = (ctx->loginuid == value); 258 result = audit_comparator(ctx->loginuid, f->op, f->val);
484 break; 259 break;
485 case AUDIT_ARG0: 260 case AUDIT_ARG0:
486 case AUDIT_ARG1: 261 case AUDIT_ARG1:
487 case AUDIT_ARG2: 262 case AUDIT_ARG2:
488 case AUDIT_ARG3: 263 case AUDIT_ARG3:
489 if (ctx) 264 if (ctx)
490 result = (ctx->argv[field-AUDIT_ARG0]==value); 265 result = audit_comparator(ctx->argv[f->type-AUDIT_ARG0], f->op, f->val);
491 break; 266 break;
492 } 267 }
493 268
494 if (rule->fields[i] & AUDIT_NEGATE)
495 result = !result;
496 if (!result) 269 if (!result)
497 return 0; 270 return 0;
498 } 271 }
@@ -527,7 +300,7 @@ static enum audit_state audit_filter_task(struct task_struct *tsk)
527/* At syscall entry and exit time, this filter is called if the 300/* At syscall entry and exit time, this filter is called if the
528 * audit_state is not low enough that auditing cannot take place, but is 301 * audit_state is not low enough that auditing cannot take place, but is
529 * also not high enough that we already know we have to write an audit 302 * also not high enough that we already know we have to write an audit
530 * record (i.e., the state is AUDIT_SETUP_CONTEXT or AUDIT_BUILD_CONTEXT). 303 * record (i.e., the state is AUDIT_SETUP_CONTEXT or AUDIT_BUILD_CONTEXT).
531 */ 304 */
532static enum audit_state audit_filter_syscall(struct task_struct *tsk, 305static enum audit_state audit_filter_syscall(struct task_struct *tsk,
533 struct audit_context *ctx, 306 struct audit_context *ctx,
@@ -541,77 +314,19 @@ static enum audit_state audit_filter_syscall(struct task_struct *tsk,
541 314
542 rcu_read_lock(); 315 rcu_read_lock();
543 if (!list_empty(list)) { 316 if (!list_empty(list)) {
544 int word = AUDIT_WORD(ctx->major); 317 int word = AUDIT_WORD(ctx->major);
545 int bit = AUDIT_BIT(ctx->major); 318 int bit = AUDIT_BIT(ctx->major);
546 319
547 list_for_each_entry_rcu(e, list, list) { 320 list_for_each_entry_rcu(e, list, list) {
548 if ((e->rule.mask[word] & bit) == bit 321 if ((e->rule.mask[word] & bit) == bit
549 && audit_filter_rules(tsk, &e->rule, ctx, &state)) { 322 && audit_filter_rules(tsk, &e->rule, ctx, &state)) {
550 rcu_read_unlock(); 323 rcu_read_unlock();
551 return state; 324 return state;
552 } 325 }
553 }
554 }
555 rcu_read_unlock();
556 return AUDIT_BUILD_CONTEXT;
557}
558
559static int audit_filter_user_rules(struct netlink_skb_parms *cb,
560 struct audit_rule *rule,
561 enum audit_state *state)
562{
563 int i;
564
565 for (i = 0; i < rule->field_count; i++) {
566 u32 field = rule->fields[i] & ~AUDIT_NEGATE;
567 u32 value = rule->values[i];
568 int result = 0;
569
570 switch (field) {
571 case AUDIT_PID:
572 result = (cb->creds.pid == value);
573 break;
574 case AUDIT_UID:
575 result = (cb->creds.uid == value);
576 break;
577 case AUDIT_GID:
578 result = (cb->creds.gid == value);
579 break;
580 case AUDIT_LOGINUID:
581 result = (cb->loginuid == value);
582 break;
583 }
584
585 if (rule->fields[i] & AUDIT_NEGATE)
586 result = !result;
587 if (!result)
588 return 0;
589 }
590 switch (rule->action) {
591 case AUDIT_NEVER: *state = AUDIT_DISABLED; break;
592 case AUDIT_POSSIBLE: *state = AUDIT_BUILD_CONTEXT; break;
593 case AUDIT_ALWAYS: *state = AUDIT_RECORD_CONTEXT; break;
594 }
595 return 1;
596}
597
598int audit_filter_user(struct netlink_skb_parms *cb, int type)
599{
600 struct audit_entry *e;
601 enum audit_state state;
602 int ret = 1;
603
604 rcu_read_lock();
605 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) {
606 if (audit_filter_user_rules(cb, &e->rule, &state)) {
607 if (state == AUDIT_DISABLED)
608 ret = 0;
609 break;
610 } 326 }
611 } 327 }
612 rcu_read_unlock(); 328 rcu_read_unlock();
613 329 return AUDIT_BUILD_CONTEXT;
614 return ret; /* Audit by default */
615} 330}
616 331
617/* This should be called with task_lock() held. */ 332/* This should be called with task_lock() held. */
@@ -654,17 +369,18 @@ static inline void audit_free_names(struct audit_context *context)
654#if AUDIT_DEBUG == 2 369#if AUDIT_DEBUG == 2
655 if (context->auditable 370 if (context->auditable
656 ||context->put_count + context->ino_count != context->name_count) { 371 ||context->put_count + context->ino_count != context->name_count) {
657 printk(KERN_ERR "audit.c:%d(:%d): major=%d in_syscall=%d" 372 printk(KERN_ERR "%s:%d(:%d): major=%d in_syscall=%d"
658 " name_count=%d put_count=%d" 373 " name_count=%d put_count=%d"
659 " ino_count=%d [NOT freeing]\n", 374 " ino_count=%d [NOT freeing]\n",
660 __LINE__, 375 __FILE__, __LINE__,
661 context->serial, context->major, context->in_syscall, 376 context->serial, context->major, context->in_syscall,
662 context->name_count, context->put_count, 377 context->name_count, context->put_count,
663 context->ino_count); 378 context->ino_count);
664 for (i = 0; i < context->name_count; i++) 379 for (i = 0; i < context->name_count; i++) {
665 printk(KERN_ERR "names[%d] = %p = %s\n", i, 380 printk(KERN_ERR "names[%d] = %p = %s\n", i,
666 context->names[i].name, 381 context->names[i].name,
667 context->names[i].name); 382 context->names[i].name ?: "(null)");
383 }
668 dump_stack(); 384 dump_stack();
669 return; 385 return;
670 } 386 }
@@ -674,9 +390,13 @@ static inline void audit_free_names(struct audit_context *context)
674 context->ino_count = 0; 390 context->ino_count = 0;
675#endif 391#endif
676 392
677 for (i = 0; i < context->name_count; i++) 393 for (i = 0; i < context->name_count; i++) {
394 char *p = context->names[i].ctx;
395 context->names[i].ctx = NULL;
396 kfree(p);
678 if (context->names[i].name) 397 if (context->names[i].name)
679 __putname(context->names[i].name); 398 __putname(context->names[i].name);
399 }
680 context->name_count = 0; 400 context->name_count = 0;
681 if (context->pwd) 401 if (context->pwd)
682 dput(context->pwd); 402 dput(context->pwd);
@@ -696,6 +416,12 @@ static inline void audit_free_aux(struct audit_context *context)
696 dput(axi->dentry); 416 dput(axi->dentry);
697 mntput(axi->mnt); 417 mntput(axi->mnt);
698 } 418 }
419 if ( aux->type == AUDIT_IPC ) {
420 struct audit_aux_data_ipcctl *axi = (void *)aux;
421 if (axi->ctx)
422 kfree(axi->ctx);
423 }
424
699 context->aux = aux->next; 425 context->aux = aux->next;
700 kfree(aux); 426 kfree(aux);
701 } 427 }
@@ -721,10 +447,15 @@ static inline struct audit_context *audit_alloc_context(enum audit_state state)
721 return context; 447 return context;
722} 448}
723 449
724/* Filter on the task information and allocate a per-task audit context 450/**
451 * audit_alloc - allocate an audit context block for a task
452 * @tsk: task
453 *
454 * Filter on the task information and allocate a per-task audit context
725 * if necessary. Doing so turns on system call auditing for the 455 * if necessary. Doing so turns on system call auditing for the
726 * specified task. This is called from copy_process, so no lock is 456 * specified task. This is called from copy_process, so no lock is
727 * needed. */ 457 * needed.
458 */
728int audit_alloc(struct task_struct *tsk) 459int audit_alloc(struct task_struct *tsk)
729{ 460{
730 struct audit_context *context; 461 struct audit_context *context;
@@ -775,7 +506,37 @@ static inline void audit_free_context(struct audit_context *context)
775 printk(KERN_ERR "audit: freed %d contexts\n", count); 506 printk(KERN_ERR "audit: freed %d contexts\n", count);
776} 507}
777 508
778static void audit_log_task_info(struct audit_buffer *ab) 509static void audit_log_task_context(struct audit_buffer *ab, gfp_t gfp_mask)
510{
511 char *ctx = NULL;
512 ssize_t len = 0;
513
514 len = security_getprocattr(current, "current", NULL, 0);
515 if (len < 0) {
516 if (len != -EINVAL)
517 goto error_path;
518 return;
519 }
520
521 ctx = kmalloc(len, gfp_mask);
522 if (!ctx)
523 goto error_path;
524
525 len = security_getprocattr(current, "current", ctx, len);
526 if (len < 0 )
527 goto error_path;
528
529 audit_log_format(ab, " subj=%s", ctx);
530 return;
531
532error_path:
533 if (ctx)
534 kfree(ctx);
535 audit_panic("error in audit_log_task_context");
536 return;
537}
538
539static void audit_log_task_info(struct audit_buffer *ab, gfp_t gfp_mask)
779{ 540{
780 char name[sizeof(current->comm)]; 541 char name[sizeof(current->comm)];
781 struct mm_struct *mm = current->mm; 542 struct mm_struct *mm = current->mm;
@@ -788,6 +549,10 @@ static void audit_log_task_info(struct audit_buffer *ab)
788 if (!mm) 549 if (!mm)
789 return; 550 return;
790 551
552 /*
553 * this is brittle; all callers that pass GFP_ATOMIC will have
554 * NULL current->mm and we won't get here.
555 */
791 down_read(&mm->mmap_sem); 556 down_read(&mm->mmap_sem);
792 vma = mm->mmap; 557 vma = mm->mmap;
793 while (vma) { 558 while (vma) {
@@ -801,6 +566,7 @@ static void audit_log_task_info(struct audit_buffer *ab)
801 vma = vma->vm_next; 566 vma = vma->vm_next;
802 } 567 }
803 up_read(&mm->mmap_sem); 568 up_read(&mm->mmap_sem);
569 audit_log_task_context(ab, gfp_mask);
804} 570}
805 571
806static void audit_log_exit(struct audit_context *context, gfp_t gfp_mask) 572static void audit_log_exit(struct audit_context *context, gfp_t gfp_mask)
@@ -808,6 +574,7 @@ static void audit_log_exit(struct audit_context *context, gfp_t gfp_mask)
808 int i; 574 int i;
809 struct audit_buffer *ab; 575 struct audit_buffer *ab;
810 struct audit_aux_data *aux; 576 struct audit_aux_data *aux;
577 const char *tty;
811 578
812 ab = audit_log_start(context, gfp_mask, AUDIT_SYSCALL); 579 ab = audit_log_start(context, gfp_mask, AUDIT_SYSCALL);
813 if (!ab) 580 if (!ab)
@@ -820,11 +587,15 @@ static void audit_log_exit(struct audit_context *context, gfp_t gfp_mask)
820 audit_log_format(ab, " success=%s exit=%ld", 587 audit_log_format(ab, " success=%s exit=%ld",
821 (context->return_valid==AUDITSC_SUCCESS)?"yes":"no", 588 (context->return_valid==AUDITSC_SUCCESS)?"yes":"no",
822 context->return_code); 589 context->return_code);
590 if (current->signal->tty && current->signal->tty->name)
591 tty = current->signal->tty->name;
592 else
593 tty = "(none)";
823 audit_log_format(ab, 594 audit_log_format(ab,
824 " a0=%lx a1=%lx a2=%lx a3=%lx items=%d" 595 " a0=%lx a1=%lx a2=%lx a3=%lx items=%d"
825 " pid=%d auid=%u uid=%u gid=%u" 596 " pid=%d auid=%u uid=%u gid=%u"
826 " euid=%u suid=%u fsuid=%u" 597 " euid=%u suid=%u fsuid=%u"
827 " egid=%u sgid=%u fsgid=%u", 598 " egid=%u sgid=%u fsgid=%u tty=%s",
828 context->argv[0], 599 context->argv[0],
829 context->argv[1], 600 context->argv[1],
830 context->argv[2], 601 context->argv[2],
@@ -835,8 +606,8 @@ static void audit_log_exit(struct audit_context *context, gfp_t gfp_mask)
835 context->uid, 606 context->uid,
836 context->gid, 607 context->gid,
837 context->euid, context->suid, context->fsuid, 608 context->euid, context->suid, context->fsuid,
838 context->egid, context->sgid, context->fsgid); 609 context->egid, context->sgid, context->fsgid, tty);
839 audit_log_task_info(ab); 610 audit_log_task_info(ab, gfp_mask);
840 audit_log_end(ab); 611 audit_log_end(ab);
841 612
842 for (aux = context->aux; aux; aux = aux->next) { 613 for (aux = context->aux; aux; aux = aux->next) {
@@ -849,8 +620,8 @@ static void audit_log_exit(struct audit_context *context, gfp_t gfp_mask)
849 case AUDIT_IPC: { 620 case AUDIT_IPC: {
850 struct audit_aux_data_ipcctl *axi = (void *)aux; 621 struct audit_aux_data_ipcctl *axi = (void *)aux;
851 audit_log_format(ab, 622 audit_log_format(ab,
852 " qbytes=%lx iuid=%u igid=%u mode=%x", 623 " qbytes=%lx iuid=%u igid=%u mode=%x obj=%s",
853 axi->qbytes, axi->uid, axi->gid, axi->mode); 624 axi->qbytes, axi->uid, axi->gid, axi->mode, axi->ctx);
854 break; } 625 break; }
855 626
856 case AUDIT_SOCKETCALL: { 627 case AUDIT_SOCKETCALL: {
@@ -885,42 +656,62 @@ static void audit_log_exit(struct audit_context *context, gfp_t gfp_mask)
885 } 656 }
886 } 657 }
887 for (i = 0; i < context->name_count; i++) { 658 for (i = 0; i < context->name_count; i++) {
659 unsigned long ino = context->names[i].ino;
660 unsigned long pino = context->names[i].pino;
661
888 ab = audit_log_start(context, gfp_mask, AUDIT_PATH); 662 ab = audit_log_start(context, gfp_mask, AUDIT_PATH);
889 if (!ab) 663 if (!ab)
890 continue; /* audit_panic has been called */ 664 continue; /* audit_panic has been called */
891 665
892 audit_log_format(ab, "item=%d", i); 666 audit_log_format(ab, "item=%d", i);
893 if (context->names[i].name) { 667
894 audit_log_format(ab, " name="); 668 audit_log_format(ab, " name=");
669 if (context->names[i].name)
895 audit_log_untrustedstring(ab, context->names[i].name); 670 audit_log_untrustedstring(ab, context->names[i].name);
896 } 671 else
897 audit_log_format(ab, " flags=%x\n", context->names[i].flags); 672 audit_log_format(ab, "(null)");
898 673
899 if (context->names[i].ino != (unsigned long)-1) 674 if (pino != (unsigned long)-1)
900 audit_log_format(ab, " inode=%lu dev=%02x:%02x mode=%#o" 675 audit_log_format(ab, " parent=%lu", pino);
901 " ouid=%u ogid=%u rdev=%02x:%02x", 676 if (ino != (unsigned long)-1)
902 context->names[i].ino, 677 audit_log_format(ab, " inode=%lu", ino);
903 MAJOR(context->names[i].dev), 678 if ((pino != (unsigned long)-1) || (ino != (unsigned long)-1))
904 MINOR(context->names[i].dev), 679 audit_log_format(ab, " dev=%02x:%02x mode=%#o"
905 context->names[i].mode, 680 " ouid=%u ogid=%u rdev=%02x:%02x",
906 context->names[i].uid, 681 MAJOR(context->names[i].dev),
907 context->names[i].gid, 682 MINOR(context->names[i].dev),
908 MAJOR(context->names[i].rdev), 683 context->names[i].mode,
684 context->names[i].uid,
685 context->names[i].gid,
686 MAJOR(context->names[i].rdev),
909 MINOR(context->names[i].rdev)); 687 MINOR(context->names[i].rdev));
688 if (context->names[i].ctx) {
689 audit_log_format(ab, " obj=%s",
690 context->names[i].ctx);
691 }
692
910 audit_log_end(ab); 693 audit_log_end(ab);
911 } 694 }
912} 695}
913 696
914/* Free a per-task audit context. Called from copy_process and 697/**
915 * __put_task_struct. */ 698 * audit_free - free a per-task audit context
699 * @tsk: task whose audit context block to free
700 *
701 * Called from copy_process and __put_task_struct.
702 */
916void audit_free(struct task_struct *tsk) 703void audit_free(struct task_struct *tsk)
917{ 704{
918 struct audit_context *context; 705 struct audit_context *context;
919 706
920 task_lock(tsk); 707 /*
708 * No need to lock the task - when we execute audit_free()
709 * then the task has no external references anymore, and
710 * we are tearing it down. (The locking also confuses
711 * DEBUG_LOCKDEP - this freeing may occur in softirq
712 * contexts as well, via RCU.)
713 */
921 context = audit_get_context(tsk, 0, 0); 714 context = audit_get_context(tsk, 0, 0);
922 task_unlock(tsk);
923
924 if (likely(!context)) 715 if (likely(!context))
925 return; 716 return;
926 717
@@ -934,13 +725,24 @@ void audit_free(struct task_struct *tsk)
934 audit_free_context(context); 725 audit_free_context(context);
935} 726}
936 727
937/* Fill in audit context at syscall entry. This only happens if the 728/**
729 * audit_syscall_entry - fill in an audit record at syscall entry
730 * @tsk: task being audited
731 * @arch: architecture type
732 * @major: major syscall type (function)
733 * @a1: additional syscall register 1
734 * @a2: additional syscall register 2
735 * @a3: additional syscall register 3
736 * @a4: additional syscall register 4
737 *
738 * Fill in audit context at syscall entry. This only happens if the
938 * audit context was created when the task was created and the state or 739 * audit context was created when the task was created and the state or
939 * filters demand the audit context be built. If the state from the 740 * filters demand the audit context be built. If the state from the
940 * per-task filter or from the per-syscall filter is AUDIT_RECORD_CONTEXT, 741 * per-task filter or from the per-syscall filter is AUDIT_RECORD_CONTEXT,
941 * then the record will be written at syscall exit time (otherwise, it 742 * then the record will be written at syscall exit time (otherwise, it
942 * will only be written if another part of the kernel requests that it 743 * will only be written if another part of the kernel requests that it
943 * be written). */ 744 * be written).
745 */
944void audit_syscall_entry(struct task_struct *tsk, int arch, int major, 746void audit_syscall_entry(struct task_struct *tsk, int arch, int major,
945 unsigned long a1, unsigned long a2, 747 unsigned long a1, unsigned long a2,
946 unsigned long a3, unsigned long a4) 748 unsigned long a3, unsigned long a4)
@@ -950,7 +752,8 @@ void audit_syscall_entry(struct task_struct *tsk, int arch, int major,
950 752
951 BUG_ON(!context); 753 BUG_ON(!context);
952 754
953 /* This happens only on certain architectures that make system 755 /*
756 * This happens only on certain architectures that make system
954 * calls in kernel_thread via the entry.S interface, instead of 757 * calls in kernel_thread via the entry.S interface, instead of
955 * with direct calls. (If you are porting to a new 758 * with direct calls. (If you are porting to a new
956 * architecture, hitting this condition can indicate that you 759 * architecture, hitting this condition can indicate that you
@@ -966,11 +769,6 @@ void audit_syscall_entry(struct task_struct *tsk, int arch, int major,
966 if (context->in_syscall) { 769 if (context->in_syscall) {
967 struct audit_context *newctx; 770 struct audit_context *newctx;
968 771
969#if defined(__NR_vm86) && defined(__NR_vm86old)
970 /* vm86 mode should only be entered once */
971 if (major == __NR_vm86 || major == __NR_vm86old)
972 return;
973#endif
974#if AUDIT_DEBUG 772#if AUDIT_DEBUG
975 printk(KERN_ERR 773 printk(KERN_ERR
976 "audit(:%d) pid=%d in syscall=%d;" 774 "audit(:%d) pid=%d in syscall=%d;"
@@ -1014,11 +812,18 @@ void audit_syscall_entry(struct task_struct *tsk, int arch, int major,
1014 context->auditable = !!(state == AUDIT_RECORD_CONTEXT); 812 context->auditable = !!(state == AUDIT_RECORD_CONTEXT);
1015} 813}
1016 814
1017/* Tear down after system call. If the audit context has been marked as 815/**
816 * audit_syscall_exit - deallocate audit context after a system call
817 * @tsk: task being audited
818 * @valid: success/failure flag
819 * @return_code: syscall return value
820 *
821 * Tear down after system call. If the audit context has been marked as
1018 * auditable (either because of the AUDIT_RECORD_CONTEXT state from 822 * auditable (either because of the AUDIT_RECORD_CONTEXT state from
1019 * filtering, or because some other part of the kernel write an audit 823 * filtering, or because some other part of the kernel write an audit
1020 * message), then write out the syscall information. In call cases, 824 * message), then write out the syscall information. In call cases,
1021 * free the names stored from getname(). */ 825 * free the names stored from getname().
826 */
1022void audit_syscall_exit(struct task_struct *tsk, int valid, long return_code) 827void audit_syscall_exit(struct task_struct *tsk, int valid, long return_code)
1023{ 828{
1024 struct audit_context *context; 829 struct audit_context *context;
@@ -1053,7 +858,13 @@ void audit_syscall_exit(struct task_struct *tsk, int valid, long return_code)
1053 put_task_struct(tsk); 858 put_task_struct(tsk);
1054} 859}
1055 860
1056/* Add a name to the list. Called from fs/namei.c:getname(). */ 861/**
862 * audit_getname - add a name to the list
863 * @name: name to add
864 *
865 * Add a name to the list of audit names for this context.
866 * Called from fs/namei.c:getname().
867 */
1057void audit_getname(const char *name) 868void audit_getname(const char *name)
1058{ 869{
1059 struct audit_context *context = current->audit_context; 870 struct audit_context *context = current->audit_context;
@@ -1082,10 +893,13 @@ void audit_getname(const char *name)
1082 893
1083} 894}
1084 895
1085/* Intercept a putname request. Called from 896/* audit_putname - intercept a putname request
1086 * include/linux/fs.h:putname(). If we have stored the name from 897 * @name: name to intercept and delay for putname
1087 * getname in the audit context, then we delay the putname until syscall 898 *
1088 * exit. */ 899 * If we have stored the name from getname in the audit context,
900 * then we delay the putname until syscall exit.
901 * Called from include/linux/fs.h:putname().
902 */
1089void audit_putname(const char *name) 903void audit_putname(const char *name)
1090{ 904{
1091 struct audit_context *context = current->audit_context; 905 struct audit_context *context = current->audit_context;
@@ -1100,7 +914,7 @@ void audit_putname(const char *name)
1100 for (i = 0; i < context->name_count; i++) 914 for (i = 0; i < context->name_count; i++)
1101 printk(KERN_ERR "name[%d] = %p = %s\n", i, 915 printk(KERN_ERR "name[%d] = %p = %s\n", i,
1102 context->names[i].name, 916 context->names[i].name,
1103 context->names[i].name); 917 context->names[i].name ?: "(null)");
1104 } 918 }
1105#endif 919#endif
1106 __putname(name); 920 __putname(name);
@@ -1122,9 +936,52 @@ void audit_putname(const char *name)
1122#endif 936#endif
1123} 937}
1124 938
1125/* Store the inode and device from a lookup. Called from 939void audit_inode_context(int idx, const struct inode *inode)
1126 * fs/namei.c:path_lookup(). */ 940{
1127void audit_inode(const char *name, const struct inode *inode, unsigned flags) 941 struct audit_context *context = current->audit_context;
942 const char *suffix = security_inode_xattr_getsuffix();
943 char *ctx = NULL;
944 int len = 0;
945
946 if (!suffix)
947 goto ret;
948
949 len = security_inode_getsecurity(inode, suffix, NULL, 0, 0);
950 if (len == -EOPNOTSUPP)
951 goto ret;
952 if (len < 0)
953 goto error_path;
954
955 ctx = kmalloc(len, GFP_KERNEL);
956 if (!ctx)
957 goto error_path;
958
959 len = security_inode_getsecurity(inode, suffix, ctx, len, 0);
960 if (len < 0)
961 goto error_path;
962
963 kfree(context->names[idx].ctx);
964 context->names[idx].ctx = ctx;
965 goto ret;
966
967error_path:
968 if (ctx)
969 kfree(ctx);
970 audit_panic("error in audit_inode_context");
971ret:
972 return;
973}
974
975
976/**
977 * audit_inode - store the inode and device from a lookup
978 * @name: name being audited
979 * @inode: inode being audited
980 * @flags: lookup flags (as used in path_lookup())
981 *
982 * Called from fs/namei.c:path_lookup().
983 */
984void __audit_inode(const char *name, const struct inode *inode, unsigned flags)
1128{ 985{
1129 int idx; 986 int idx;
1130 struct audit_context *context = current->audit_context; 987 struct audit_context *context = current->audit_context;
@@ -1150,15 +1007,105 @@ void audit_inode(const char *name, const struct inode *inode, unsigned flags)
1150 ++context->ino_count; 1007 ++context->ino_count;
1151#endif 1008#endif
1152 } 1009 }
1153 context->names[idx].flags = flags;
1154 context->names[idx].ino = inode->i_ino;
1155 context->names[idx].dev = inode->i_sb->s_dev; 1010 context->names[idx].dev = inode->i_sb->s_dev;
1156 context->names[idx].mode = inode->i_mode; 1011 context->names[idx].mode = inode->i_mode;
1157 context->names[idx].uid = inode->i_uid; 1012 context->names[idx].uid = inode->i_uid;
1158 context->names[idx].gid = inode->i_gid; 1013 context->names[idx].gid = inode->i_gid;
1159 context->names[idx].rdev = inode->i_rdev; 1014 context->names[idx].rdev = inode->i_rdev;
1015 audit_inode_context(idx, inode);
1016 if ((flags & LOOKUP_PARENT) && (strcmp(name, "/") != 0) &&
1017 (strcmp(name, ".") != 0)) {
1018 context->names[idx].ino = (unsigned long)-1;
1019 context->names[idx].pino = inode->i_ino;
1020 } else {
1021 context->names[idx].ino = inode->i_ino;
1022 context->names[idx].pino = (unsigned long)-1;
1023 }
1024}
1025
1026/**
1027 * audit_inode_child - collect inode info for created/removed objects
1028 * @dname: inode's dentry name
1029 * @inode: inode being audited
1030 * @pino: inode number of dentry parent
1031 *
1032 * For syscalls that create or remove filesystem objects, audit_inode
1033 * can only collect information for the filesystem object's parent.
1034 * This call updates the audit context with the child's information.
1035 * Syscalls that create a new filesystem object must be hooked after
1036 * the object is created. Syscalls that remove a filesystem object
1037 * must be hooked prior, in order to capture the target inode during
1038 * unsuccessful attempts.
1039 */
1040void __audit_inode_child(const char *dname, const struct inode *inode,
1041 unsigned long pino)
1042{
1043 int idx;
1044 struct audit_context *context = current->audit_context;
1045
1046 if (!context->in_syscall)
1047 return;
1048
1049 /* determine matching parent */
1050 if (dname)
1051 for (idx = 0; idx < context->name_count; idx++)
1052 if (context->names[idx].pino == pino) {
1053 const char *n;
1054 const char *name = context->names[idx].name;
1055 int dlen = strlen(dname);
1056 int nlen = name ? strlen(name) : 0;
1057
1058 if (nlen < dlen)
1059 continue;
1060
1061 /* disregard trailing slashes */
1062 n = name + nlen - 1;
1063 while ((*n == '/') && (n > name))
1064 n--;
1065
1066 /* find last path component */
1067 n = n - dlen + 1;
1068 if (n < name)
1069 continue;
1070 else if (n > name) {
1071 if (*--n != '/')
1072 continue;
1073 else
1074 n++;
1075 }
1076
1077 if (strncmp(n, dname, dlen) == 0)
1078 goto update_context;
1079 }
1080
1081 /* catch-all in case match not found */
1082 idx = context->name_count++;
1083 context->names[idx].name = NULL;
1084 context->names[idx].pino = pino;
1085#if AUDIT_DEBUG
1086 context->ino_count++;
1087#endif
1088
1089update_context:
1090 if (inode) {
1091 context->names[idx].ino = inode->i_ino;
1092 context->names[idx].dev = inode->i_sb->s_dev;
1093 context->names[idx].mode = inode->i_mode;
1094 context->names[idx].uid = inode->i_uid;
1095 context->names[idx].gid = inode->i_gid;
1096 context->names[idx].rdev = inode->i_rdev;
1097 audit_inode_context(idx, inode);
1098 }
1160} 1099}
1161 1100
1101/**
1102 * auditsc_get_stamp - get local copies of audit_context values
1103 * @ctx: audit_context for the task
1104 * @t: timespec to store time recorded in the audit_context
1105 * @serial: serial value that is recorded in the audit_context
1106 *
1107 * Also sets the context as auditable.
1108 */
1162void auditsc_get_stamp(struct audit_context *ctx, 1109void auditsc_get_stamp(struct audit_context *ctx,
1163 struct timespec *t, unsigned int *serial) 1110 struct timespec *t, unsigned int *serial)
1164{ 1111{
@@ -1170,6 +1117,15 @@ void auditsc_get_stamp(struct audit_context *ctx,
1170 ctx->auditable = 1; 1117 ctx->auditable = 1;
1171} 1118}
1172 1119
1120/**
1121 * audit_set_loginuid - set a task's audit_context loginuid
1122 * @task: task whose audit context is being modified
1123 * @loginuid: loginuid value
1124 *
1125 * Returns 0.
1126 *
1127 * Called (set) from fs/proc/base.c::proc_loginuid_write().
1128 */
1173int audit_set_loginuid(struct task_struct *task, uid_t loginuid) 1129int audit_set_loginuid(struct task_struct *task, uid_t loginuid)
1174{ 1130{
1175 if (task->audit_context) { 1131 if (task->audit_context) {
@@ -1188,12 +1144,59 @@ int audit_set_loginuid(struct task_struct *task, uid_t loginuid)
1188 return 0; 1144 return 0;
1189} 1145}
1190 1146
1147/**
1148 * audit_get_loginuid - get the loginuid for an audit_context
1149 * @ctx: the audit_context
1150 *
1151 * Returns the context's loginuid or -1 if @ctx is NULL.
1152 */
1191uid_t audit_get_loginuid(struct audit_context *ctx) 1153uid_t audit_get_loginuid(struct audit_context *ctx)
1192{ 1154{
1193 return ctx ? ctx->loginuid : -1; 1155 return ctx ? ctx->loginuid : -1;
1194} 1156}
1195 1157
1196int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode) 1158static char *audit_ipc_context(struct kern_ipc_perm *ipcp)
1159{
1160 struct audit_context *context = current->audit_context;
1161 char *ctx = NULL;
1162 int len = 0;
1163
1164 if (likely(!context))
1165 return NULL;
1166
1167 len = security_ipc_getsecurity(ipcp, NULL, 0);
1168 if (len == -EOPNOTSUPP)
1169 goto ret;
1170 if (len < 0)
1171 goto error_path;
1172
1173 ctx = kmalloc(len, GFP_ATOMIC);
1174 if (!ctx)
1175 goto error_path;
1176
1177 len = security_ipc_getsecurity(ipcp, ctx, len);
1178 if (len < 0)
1179 goto error_path;
1180
1181 return ctx;
1182
1183error_path:
1184 kfree(ctx);
1185 audit_panic("error in audit_ipc_context");
1186ret:
1187 return NULL;
1188}
1189
1190/**
1191 * audit_ipc_perms - record audit data for ipc
1192 * @qbytes: msgq bytes
1193 * @uid: msgq user id
1194 * @gid: msgq group id
1195 * @mode: msgq mode (permissions)
1196 *
1197 * Returns 0 for success or NULL context or < 0 on error.
1198 */
1199int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode, struct kern_ipc_perm *ipcp)
1197{ 1200{
1198 struct audit_aux_data_ipcctl *ax; 1201 struct audit_aux_data_ipcctl *ax;
1199 struct audit_context *context = current->audit_context; 1202 struct audit_context *context = current->audit_context;
@@ -1201,7 +1204,7 @@ int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode)
1201 if (likely(!context)) 1204 if (likely(!context))
1202 return 0; 1205 return 0;
1203 1206
1204 ax = kmalloc(sizeof(*ax), GFP_KERNEL); 1207 ax = kmalloc(sizeof(*ax), GFP_ATOMIC);
1205 if (!ax) 1208 if (!ax)
1206 return -ENOMEM; 1209 return -ENOMEM;
1207 1210
@@ -1209,6 +1212,7 @@ int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode)
1209 ax->uid = uid; 1212 ax->uid = uid;
1210 ax->gid = gid; 1213 ax->gid = gid;
1211 ax->mode = mode; 1214 ax->mode = mode;
1215 ax->ctx = audit_ipc_context(ipcp);
1212 1216
1213 ax->d.type = AUDIT_IPC; 1217 ax->d.type = AUDIT_IPC;
1214 ax->d.next = context->aux; 1218 ax->d.next = context->aux;
@@ -1216,6 +1220,13 @@ int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode)
1216 return 0; 1220 return 0;
1217} 1221}
1218 1222
1223/**
1224 * audit_socketcall - record audit data for sys_socketcall
1225 * @nargs: number of args
1226 * @args: args array
1227 *
1228 * Returns 0 for success or NULL context or < 0 on error.
1229 */
1219int audit_socketcall(int nargs, unsigned long *args) 1230int audit_socketcall(int nargs, unsigned long *args)
1220{ 1231{
1221 struct audit_aux_data_socketcall *ax; 1232 struct audit_aux_data_socketcall *ax;
@@ -1237,6 +1248,13 @@ int audit_socketcall(int nargs, unsigned long *args)
1237 return 0; 1248 return 0;
1238} 1249}
1239 1250
1251/**
1252 * audit_sockaddr - record audit data for sys_bind, sys_connect, sys_sendto
1253 * @len: data length in user space
1254 * @a: data address in kernel space
1255 *
1256 * Returns 0 for success or NULL context or < 0 on error.
1257 */
1240int audit_sockaddr(int len, void *a) 1258int audit_sockaddr(int len, void *a)
1241{ 1259{
1242 struct audit_aux_data_sockaddr *ax; 1260 struct audit_aux_data_sockaddr *ax;
@@ -1258,6 +1276,15 @@ int audit_sockaddr(int len, void *a)
1258 return 0; 1276 return 0;
1259} 1277}
1260 1278
1279/**
1280 * audit_avc_path - record the granting or denial of permissions
1281 * @dentry: dentry to record
1282 * @mnt: mnt to record
1283 *
1284 * Returns 0 for success or NULL context or < 0 on error.
1285 *
1286 * Called from security/selinux/avc.c::avc_audit()
1287 */
1261int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt) 1288int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt)
1262{ 1289{
1263 struct audit_aux_data_path *ax; 1290 struct audit_aux_data_path *ax;
@@ -1279,6 +1306,14 @@ int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt)
1279 return 0; 1306 return 0;
1280} 1307}
1281 1308
1309/**
1310 * audit_signal_info - record signal info for shutting down audit subsystem
1311 * @sig: signal value
1312 * @t: task being signaled
1313 *
1314 * If the audit subsystem is being terminated, record the task (pid)
1315 * and uid that is doing that.
1316 */
1282void audit_signal_info(int sig, struct task_struct *t) 1317void audit_signal_info(int sig, struct task_struct *t)
1283{ 1318{
1284 extern pid_t audit_sig_pid; 1319 extern pid_t audit_sig_pid;
@@ -1295,4 +1330,3 @@ void audit_signal_info(int sig, struct task_struct *t)
1295 } 1330 }
1296 } 1331 }
1297} 1332}
1298
generated by cgit v1.2.2 (git 2.25.0) at 2024-11-12 00:24:09 -0500