diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2014-04-12 15:38:53 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2014-04-12 15:38:53 -0400 |
| commit | 0b747172dce6e0905ab173afbaffebb7a11d89bd (patch) | |
| tree | cef4092aa49bd44d4759b58762bfa221dac45f57 /kernel | |
| parent | b7e70ca9c7d7f049bba8047d7ab49966fd5e9e9d (diff) | |
| parent | 312103d64d0fcadb332899a2c84b357ddb18f4e3 (diff) | |
Merge git://git.infradead.org/users/eparis/audit
Pull audit updates from Eric Paris.
* git://git.infradead.org/users/eparis/audit: (28 commits)
AUDIT: make audit_is_compat depend on CONFIG_AUDIT_COMPAT_GENERIC
audit: renumber AUDIT_FEATURE_CHANGE into the 1300 range
audit: do not cast audit_rule_data pointers pointlesly
AUDIT: Allow login in non-init namespaces
audit: define audit_is_compat in kernel internal header
kernel: Use RCU_INIT_POINTER(x, NULL) in audit.c
sched: declare pid_alive as inline
audit: use uapi/linux/audit.h for AUDIT_ARCH declarations
syscall_get_arch: remove useless function arguments
audit: remove stray newline from audit_log_execve_info() audit_panic() call
audit: remove stray newlines from audit_log_lost messages
audit: include subject in login records
audit: remove superfluous new- prefix in AUDIT_LOGIN messages
audit: allow user processes to log from another PID namespace
audit: anchor all pid references in the initial pid namespace
audit: convert PPIDs to the inital PID namespace.
pid: get pid_t ppid of task in init_pid_ns
audit: rename the misleading audit_get_context() to audit_take_context()
audit: Add generic compat syscall support
audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL
...
Diffstat (limited to 'kernel')
| -rw-r--r-- | kernel/audit.c | 27 | ||||
| -rw-r--r-- | kernel/audit.h | 6 | ||||
| -rw-r--r-- | kernel/auditfilter.c | 33 | ||||
| -rw-r--r-- | kernel/auditsc.c | 133 | ||||
| -rw-r--r-- | kernel/seccomp.c | 4 |
5 files changed, 149 insertions, 54 deletions
diff --git a/kernel/audit.c b/kernel/audit.c index 95a20f3f52f1..7c2893602d06 100644 --- a/kernel/audit.c +++ b/kernel/audit.c | |||
| @@ -182,7 +182,7 @@ struct audit_buffer { | |||
| 182 | 182 | ||
| 183 | struct audit_reply { | 183 | struct audit_reply { |
| 184 | __u32 portid; | 184 | __u32 portid; |
| 185 | struct net *net; | 185 | struct net *net; |
| 186 | struct sk_buff *skb; | 186 | struct sk_buff *skb; |
| 187 | }; | 187 | }; |
| 188 | 188 | ||
| @@ -396,7 +396,7 @@ static void audit_printk_skb(struct sk_buff *skb) | |||
| 396 | if (printk_ratelimit()) | 396 | if (printk_ratelimit()) |
| 397 | pr_notice("type=%d %s\n", nlh->nlmsg_type, data); | 397 | pr_notice("type=%d %s\n", nlh->nlmsg_type, data); |
| 398 | else | 398 | else |
| 399 | audit_log_lost("printk limit exceeded\n"); | 399 | audit_log_lost("printk limit exceeded"); |
| 400 | } | 400 | } |
| 401 | 401 | ||
| 402 | audit_hold_skb(skb); | 402 | audit_hold_skb(skb); |
| @@ -412,7 +412,7 @@ static void kauditd_send_skb(struct sk_buff *skb) | |||
| 412 | BUG_ON(err != -ECONNREFUSED); /* Shouldn't happen */ | 412 | BUG_ON(err != -ECONNREFUSED); /* Shouldn't happen */ |
| 413 | if (audit_pid) { | 413 | if (audit_pid) { |
| 414 | pr_err("*NO* daemon at audit_pid=%d\n", audit_pid); | 414 | pr_err("*NO* daemon at audit_pid=%d\n", audit_pid); |
| 415 | audit_log_lost("auditd disappeared\n"); | 415 | audit_log_lost("auditd disappeared"); |
| 416 | audit_pid = 0; | 416 | audit_pid = 0; |
| 417 | audit_sock = NULL; | 417 | audit_sock = NULL; |
| 418 | } | 418 | } |
| @@ -607,7 +607,7 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type) | |||
| 607 | { | 607 | { |
| 608 | int err = 0; | 608 | int err = 0; |
| 609 | 609 | ||
| 610 | /* Only support the initial namespaces for now. */ | 610 | /* Only support initial user namespace for now. */ |
| 611 | /* | 611 | /* |
| 612 | * We return ECONNREFUSED because it tricks userspace into thinking | 612 | * We return ECONNREFUSED because it tricks userspace into thinking |
| 613 | * that audit was not configured into the kernel. Lots of users | 613 | * that audit was not configured into the kernel. Lots of users |
| @@ -618,8 +618,7 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type) | |||
| 618 | * userspace will reject all logins. This should be removed when we | 618 | * userspace will reject all logins. This should be removed when we |
| 619 | * support non init namespaces!! | 619 | * support non init namespaces!! |
| 620 | */ | 620 | */ |
| 621 | if ((current_user_ns() != &init_user_ns) || | 621 | if (current_user_ns() != &init_user_ns) |
| 622 | (task_active_pid_ns(current) != &init_pid_ns)) | ||
| 623 | return -ECONNREFUSED; | 622 | return -ECONNREFUSED; |
| 624 | 623 | ||
| 625 | switch (msg_type) { | 624 | switch (msg_type) { |
| @@ -639,6 +638,11 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type) | |||
| 639 | case AUDIT_TTY_SET: | 638 | case AUDIT_TTY_SET: |
| 640 | case AUDIT_TRIM: | 639 | case AUDIT_TRIM: |
| 641 | case AUDIT_MAKE_EQUIV: | 640 | case AUDIT_MAKE_EQUIV: |
| 641 | /* Only support auditd and auditctl in initial pid namespace | ||
| 642 | * for now. */ | ||
| 643 | if ((task_active_pid_ns(current) != &init_pid_ns)) | ||
| 644 | return -EPERM; | ||
| 645 | |||
| 642 | if (!capable(CAP_AUDIT_CONTROL)) | 646 | if (!capable(CAP_AUDIT_CONTROL)) |
| 643 | err = -EPERM; | 647 | err = -EPERM; |
| 644 | break; | 648 | break; |
| @@ -659,6 +663,7 @@ static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type) | |||
| 659 | { | 663 | { |
| 660 | int rc = 0; | 664 | int rc = 0; |
| 661 | uid_t uid = from_kuid(&init_user_ns, current_uid()); | 665 | uid_t uid = from_kuid(&init_user_ns, current_uid()); |
| 666 | pid_t pid = task_tgid_nr(current); | ||
| 662 | 667 | ||
| 663 | if (!audit_enabled && msg_type != AUDIT_USER_AVC) { | 668 | if (!audit_enabled && msg_type != AUDIT_USER_AVC) { |
| 664 | *ab = NULL; | 669 | *ab = NULL; |
| @@ -668,7 +673,7 @@ static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type) | |||
| 668 | *ab = audit_log_start(NULL, GFP_KERNEL, msg_type); | 673 | *ab = audit_log_start(NULL, GFP_KERNEL, msg_type); |
| 669 | if (unlikely(!*ab)) | 674 | if (unlikely(!*ab)) |
| 670 | return rc; | 675 | return rc; |
| 671 | audit_log_format(*ab, "pid=%d uid=%u", task_tgid_vnr(current), uid); | 676 | audit_log_format(*ab, "pid=%d uid=%u", pid, uid); |
| 672 | audit_log_session_info(*ab); | 677 | audit_log_session_info(*ab); |
| 673 | audit_log_task_context(*ab); | 678 | audit_log_task_context(*ab); |
| 674 | 679 | ||
| @@ -1097,7 +1102,7 @@ static void __net_exit audit_net_exit(struct net *net) | |||
| 1097 | audit_sock = NULL; | 1102 | audit_sock = NULL; |
| 1098 | } | 1103 | } |
| 1099 | 1104 | ||
| 1100 | rcu_assign_pointer(aunet->nlsk, NULL); | 1105 | RCU_INIT_POINTER(aunet->nlsk, NULL); |
| 1101 | synchronize_net(); | 1106 | synchronize_net(); |
| 1102 | netlink_kernel_release(sock); | 1107 | netlink_kernel_release(sock); |
| 1103 | } | 1108 | } |
| @@ -1829,11 +1834,11 @@ void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk) | |||
| 1829 | spin_unlock_irq(&tsk->sighand->siglock); | 1834 | spin_unlock_irq(&tsk->sighand->siglock); |
| 1830 | 1835 | ||
| 1831 | audit_log_format(ab, | 1836 | audit_log_format(ab, |
| 1832 | " ppid=%ld pid=%d auid=%u uid=%u gid=%u" | 1837 | " ppid=%d pid=%d auid=%u uid=%u gid=%u" |
| 1833 | " euid=%u suid=%u fsuid=%u" | 1838 | " euid=%u suid=%u fsuid=%u" |
| 1834 | " egid=%u sgid=%u fsgid=%u tty=%s ses=%u", | 1839 | " egid=%u sgid=%u fsgid=%u tty=%s ses=%u", |
| 1835 | sys_getppid(), | 1840 | task_ppid_nr(tsk), |
| 1836 | tsk->pid, | 1841 | task_pid_nr(tsk), |
| 1837 | from_kuid(&init_user_ns, audit_get_loginuid(tsk)), | 1842 | from_kuid(&init_user_ns, audit_get_loginuid(tsk)), |
| 1838 | from_kuid(&init_user_ns, cred->uid), | 1843 | from_kuid(&init_user_ns, cred->uid), |
| 1839 | from_kgid(&init_user_ns, cred->gid), | 1844 | from_kgid(&init_user_ns, cred->gid), |
diff --git a/kernel/audit.h b/kernel/audit.h index 8df132214606..7bb65730c890 100644 --- a/kernel/audit.h +++ b/kernel/audit.h | |||
| @@ -106,6 +106,11 @@ struct audit_names { | |||
| 106 | bool should_free; | 106 | bool should_free; |
| 107 | }; | 107 | }; |
| 108 | 108 | ||
| 109 | struct audit_proctitle { | ||
| 110 | int len; /* length of the cmdline field. */ | ||
| 111 | char *value; /* the cmdline field */ | ||
| 112 | }; | ||
| 113 | |||
| 109 | /* The per-task audit context. */ | 114 | /* The per-task audit context. */ |
| 110 | struct audit_context { | 115 | struct audit_context { |
| 111 | int dummy; /* must be the first element */ | 116 | int dummy; /* must be the first element */ |
| @@ -202,6 +207,7 @@ struct audit_context { | |||
| 202 | } execve; | 207 | } execve; |
| 203 | }; | 208 | }; |
| 204 | int fds[2]; | 209 | int fds[2]; |
| 210 | struct audit_proctitle proctitle; | ||
| 205 | 211 | ||
| 206 | #if AUDIT_DEBUG | 212 | #if AUDIT_DEBUG |
| 207 | int put_count; | 213 | int put_count; |
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index 92062fd6cc8c..8e9bc9c3dbb7 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c | |||
| @@ -19,6 +19,8 @@ | |||
| 19 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA | 19 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA |
| 20 | */ | 20 | */ |
| 21 | 21 | ||
| 22 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt | ||
| 23 | |||
| 22 | #include <linux/kernel.h> | 24 | #include <linux/kernel.h> |
| 23 | #include <linux/audit.h> | 25 | #include <linux/audit.h> |
| 24 | #include <linux/kthread.h> | 26 | #include <linux/kthread.h> |
| @@ -226,7 +228,7 @@ static int audit_match_signal(struct audit_entry *entry) | |||
| 226 | #endif | 228 | #endif |
| 227 | 229 | ||
| 228 | /* Common user-space to kernel rule translation. */ | 230 | /* Common user-space to kernel rule translation. */ |
| 229 | static inline struct audit_entry *audit_to_entry_common(struct audit_rule *rule) | 231 | static inline struct audit_entry *audit_to_entry_common(struct audit_rule_data *rule) |
| 230 | { | 232 | { |
| 231 | unsigned listnr; | 233 | unsigned listnr; |
| 232 | struct audit_entry *entry; | 234 | struct audit_entry *entry; |
| @@ -249,7 +251,7 @@ static inline struct audit_entry *audit_to_entry_common(struct audit_rule *rule) | |||
| 249 | ; | 251 | ; |
| 250 | } | 252 | } |
| 251 | if (unlikely(rule->action == AUDIT_POSSIBLE)) { | 253 | if (unlikely(rule->action == AUDIT_POSSIBLE)) { |
| 252 | printk(KERN_ERR "AUDIT_POSSIBLE is deprecated\n"); | 254 | pr_err("AUDIT_POSSIBLE is deprecated\n"); |
| 253 | goto exit_err; | 255 | goto exit_err; |
| 254 | } | 256 | } |
| 255 | if (rule->action != AUDIT_NEVER && rule->action != AUDIT_ALWAYS) | 257 | if (rule->action != AUDIT_NEVER && rule->action != AUDIT_ALWAYS) |
| @@ -403,7 +405,7 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, | |||
