Merge branch 'upstream-fixes' into upstream

author: Jeff Garzik <jeff@garzik.org> 2006-09-12 11:42:45 -0400
committer: Jeff Garzik <jeff@garzik.org> 2006-09-12 11:42:45 -0400
commit: 8083e1656211eb1487329923d592ee061d08d7b3 (patch)
tree: 92a44787484996b82365fab21f2dec960ab4f2d3 /kernel
parent: 6b12a3d35ff6cb09f8b777ab258ea1e32c680d62 (diff)
parent: 1802ca745280b916cda4090e459741b8c9b3e8d0 (diff)
4 files changed, 90 insertions, 5 deletions
diff --git a/kernel/audit.c b/kernel/audit.c
index 0a36091ed712..963fd15c9621 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1028,6 +1028,9 @@ void audit_log_hex(struct audit_buffer *ab, const unsigned char *buf,
        struct sk_buff *skb;
        static const unsigned char *hex = "0123456789ABCDEF";
+        if (!ab)
+                return;
        BUG_ON(!ab->skb);
        skb = ab->skb;
        avail = skb_tailroom(skb);
@@ -1060,6 +1063,9 @@ static void audit_log_n_string(struct audit_buffer *ab, size_t slen,
        unsigned char *ptr;
        struct sk_buff *skb;
+        if (!ab)
+                return;
        BUG_ON(!ab->skb);
        skb = ab->skb;
        avail = skb_tailroom(skb);
diff --git a/kernel/audit.h b/kernel/audit.h
index 6aa33b848cf2..a3370232a390 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -104,6 +104,7 @@ static inline int audit_hash_ino(u32 ino)
        return (ino & (AUDIT_INODE_BUCKETS-1));
 }
+extern int audit_match_class(int class, unsigned syscall);
 extern int audit_comparator(const u32 left, const u32 op, const u32 right);
 extern int audit_compare_dname_path(const char *dname, const char *path,
                                    int *dirlen);
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 6a9a5c5a4e7d..a44879b0c72f 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -302,6 +302,15 @@ int __init audit_register_class(int class, unsigned *list)
        return 0;
 }
+int audit_match_class(int class, unsigned syscall)
+{
+        if (unlikely(syscall >= AUDIT_BITMASK_SIZE * sizeof(__u32)))
+                return 0;
+        if (unlikely(class >= AUDIT_SYSCALL_CLASSES || !classes[class]))
+                return 0;
+        return classes[class][AUDIT_WORD(syscall)] & AUDIT_BIT(syscall);
+}
 /* Common user-space to kernel rule translation. */
 static inline struct audit_entry *audit_to_entry_common(struct audit_rule *rule)
 {
@@ -404,6 +413,7 @@ static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule)
                case AUDIT_PERS:
                case AUDIT_ARCH:
                case AUDIT_MSGTYPE:
+                case AUDIT_PPID:
                case AUDIT_DEVMAJOR:
                case AUDIT_DEVMINOR:
                case AUDIT_EXIT:
@@ -413,6 +423,10 @@ static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule)
                case AUDIT_ARG2:
                case AUDIT_ARG3:
                        break;
+                case AUDIT_PERM:
+                        if (f->val & ~15)
+                                goto exit_free;
+                        break;
                case AUDIT_INODE:
                        err = audit_to_inode(&entry->rule, f);
                        if (err)
@@ -567,6 +581,10 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
                        entry->rule.buflen += f->val;
                        entry->rule.filterkey = str;
                        break;
+                case AUDIT_PERM:
+                        if (f->val & ~15)
+                                goto exit_free;
+                        break;
                default:
                        goto exit_free;
                }
@@ -913,7 +931,7 @@ static void audit_update_watch(struct audit_parent *parent,
                }
                ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
-                audit_log_format(ab, "audit updated rules specifying watch=");
+                audit_log_format(ab, "audit updated rules specifying path=");
                audit_log_untrustedstring(ab, owatch->path);
                audit_log_format(ab, " with dev=%u ino=%lu\n", dev, ino);
                audit_log_end(ab);
@@ -936,19 +954,28 @@ static void audit_remove_parent_watches(struct audit_parent *parent)
        struct audit_watch *w, *nextw;
        struct audit_krule *r, *nextr;
        struct audit_entry *e;
+        struct audit_buffer *ab;
        mutex_lock(&audit_filter_mutex);
        parent->flags |= AUDIT_PARENT_INVALID;
        list_for_each_entry_safe(w, nextw, &parent->watches, wlist) {
                list_for_each_entry_safe(r, nextr, &w->rules, rlist) {
                        e = container_of(r, struct audit_entry, rule);
+                        ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
+                        audit_log_format(ab, "audit implicitly removed rule path=");
+                        audit_log_untrustedstring(ab, w->path);
+                        if (r->filterkey) {
+                                audit_log_format(ab, " key=");
+                                audit_log_untrustedstring(ab, r->filterkey);
+                        } else
+                                audit_log_format(ab, " key=(null)");
+                        audit_log_format(ab, " list=%d", r->listnr);
+                        audit_log_end(ab);
                        list_del(&r->rlist);
                        list_del_rcu(&e->list);
                        call_rcu(&e->rcu, audit_free_rule_rcu);
-                        audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
-                                 "audit implicitly removed rule from list=%d\n",
-                                  AUDIT_FILTER_EXIT);
                }
                audit_remove_watch(w);
        }
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index efc1b74bebf3..1bd8827a0102 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -209,6 +209,54 @@ struct audit_context {
 #endif
 };
+#define ACC_MODE(x) ("\004\002\006\006"[(x)&O_ACCMODE])
+static inline int open_arg(int flags, int mask)
+{
+        int n = ACC_MODE(flags);
+        if (flags & (O_TRUNC | O_CREAT))
+                n |= AUDIT_PERM_WRITE;
+        return n & mask;
+}
+static int audit_match_perm(struct audit_context *ctx, int mask)
+{
+        unsigned n = ctx->major;
+        switch (audit_classify_syscall(ctx->arch, n)) {
+        case 0: /* native */
+                if ((mask & AUDIT_PERM_WRITE) &&
+                     audit_match_class(AUDIT_CLASS_WRITE, n))
+                        return 1;
+                if ((mask & AUDIT_PERM_READ) &&
+                     audit_match_class(AUDIT_CLASS_READ, n))
+                        return 1;
+                if ((mask & AUDIT_PERM_ATTR) &&
+                     audit_match_class(AUDIT_CLASS_CHATTR, n))
+                        return 1;
+                return 0;
+        case 1: /* 32bit on biarch */
+                if ((mask & AUDIT_PERM_WRITE) &&
+                     audit_match_class(AUDIT_CLASS_WRITE_32, n))
+                        return 1;
+                if ((mask & AUDIT_PERM_READ) &&
+                     audit_match_class(AUDIT_CLASS_READ_32, n))
+                        return 1;
+                if ((mask & AUDIT_PERM_ATTR) &&
+                     audit_match_class(AUDIT_CLASS_CHATTR_32, n))
+                        return 1;
+                return 0;
+        case 2: /* open */
+                return mask & ACC_MODE(ctx->argv[1]);
+        case 3: /* openat */
+                return mask & ACC_MODE(ctx->argv[2]);
+        case 4: /* socketcall */
+                return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND);
+        case 5: /* execve */
+                return mask & AUDIT_PERM_EXEC;
+        default:
+                return 0;
+        }
+}
 /* Determine if any context name data matches a rule's watch data */
 /* Compare a task_struct with an audit_rule.  Return 1 on match, 0
 * otherwise. */
@@ -397,6 +445,9 @@ static int audit_filter_rules(struct task_struct *tsk,
                        /* ignore this field for filtering */
                        result = 1;
                        break;
+                case AUDIT_PERM:
+                        result = audit_match_perm(ctx, f->val);
+                        break;
                }
                if (!result)
author	Jeff Garzik <jeff@garzik.org>	2006-09-12 11:42:45 -0400
committer	Jeff Garzik <jeff@garzik.org>	2006-09-12 11:42:45 -0400
commit	8083e1656211eb1487329923d592ee061d08d7b3 (patch)
tree	92a44787484996b82365fab21f2dec960ab4f2d3 /kernel
parent	6b12a3d35ff6cb09f8b777ab258ea1e32c680d62 (diff)
parent	1802ca745280b916cda4090e459741b8c9b3e8d0 (diff)

diff --git a/kernel/audit.c b/kernel/audit.c index 0a36091ed712..963fd15c9621 100644 --- a/kernel/audit.c +++ b/kernel/audit.c
@@ -1028,6 +1028,9 @@ void audit_log_hex(struct audit_buffer ab, const unsigned char buf,
1028	struct sk_buff *skb;	1028	struct sk_buff *skb;
1029	static const unsigned char *hex = "0123456789ABCDEF";	1029	static const unsigned char *hex = "0123456789ABCDEF";
1030		1030
		1031	if (!ab)
		1032	return;
		1033
1031	BUG_ON(!ab->skb);	1034	BUG_ON(!ab->skb);
1032	skb = ab->skb;	1035	skb = ab->skb;
1033	avail = skb_tailroom(skb);	1036	avail = skb_tailroom(skb);
@@ -1060,6 +1063,9 @@ static void audit_log_n_string(struct audit_buffer *ab, size_t slen,
1060	unsigned char *ptr;	1063	unsigned char *ptr;
1061	struct sk_buff *skb;	1064	struct sk_buff *skb;
1062		1065
		1066	if (!ab)
		1067	return;
		1068
1063	BUG_ON(!ab->skb);	1069	BUG_ON(!ab->skb);
1064	skb = ab->skb;	1070	skb = ab->skb;
1065	avail = skb_tailroom(skb);	1071	avail = skb_tailroom(skb);


diff --git a/kernel/audit.h b/kernel/audit.h index 6aa33b848cf2..a3370232a390 100644 --- a/kernel/audit.h +++ b/kernel/audit.h
@@ -104,6 +104,7 @@ static inline int audit_hash_ino(u32 ino)
104	return (ino & (AUDIT_INODE_BUCKETS-1));	104	return (ino & (AUDIT_INODE_BUCKETS-1));
105	}	105	}
106		106
		107	extern int audit_match_class(int class, unsigned syscall);
107	extern int audit_comparator(const u32 left, const u32 op, const u32 right);	108	extern int audit_comparator(const u32 left, const u32 op, const u32 right);
108	extern int audit_compare_dname_path(const char dname, const char path,	109	extern int audit_compare_dname_path(const char dname, const char path,
109	int *dirlen);	110	int *dirlen);


diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index 6a9a5c5a4e7d..a44879b0c72f 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c
@@ -302,6 +302,15 @@ int __init audit_register_class(int class, unsigned *list)
302	return 0;	302	return 0;
303	}	303	}
304		304
		305	int audit_match_class(int class, unsigned syscall)
		306	{
		307	if (unlikely(syscall >= AUDIT_BITMASK_SIZE * sizeof(__u32)))
		308	return 0;
		309	if (unlikely(class >= AUDIT_SYSCALL_CLASSES \|\| !classes[class]))
		310	return 0;
		311	return classes[class][AUDIT_WORD(syscall)] & AUDIT_BIT(syscall);
		312	}
		313
305	/* Common user-space to kernel rule translation. */	314	/* Common user-space to kernel rule translation. */
306	static inline struct audit_entry audit_to_entry_common(struct audit_rule rule)	315	static inline struct audit_entry audit_to_entry_common(struct audit_rule rule)
307	{	316	{
@@ -404,6 +413,7 @@ static struct audit_entry audit_rule_to_entry(struct audit_rule rule)
404	case AUDIT_PERS:	413	case AUDIT_PERS:
405	case AUDIT_ARCH:	414	case AUDIT_ARCH:
406	case AUDIT_MSGTYPE:	415	case AUDIT_MSGTYPE:
		416	case AUDIT_PPID:
407	case AUDIT_DEVMAJOR:	417	case AUDIT_DEVMAJOR:
408	case AUDIT_DEVMINOR:	418	case AUDIT_DEVMINOR:
409	case AUDIT_EXIT:	419	case AUDIT_EXIT:
@@ -413,6 +423,10 @@ static struct audit_entry audit_rule_to_entry(struct audit_rule rule)
413	case AUDIT_ARG2:	423	case AUDIT_ARG2:
414	case AUDIT_ARG3:	424	case AUDIT_ARG3:
415	break;	425	break;
		426	case AUDIT_PERM:
		427	if (f->val & ~15)
		428	goto exit_free;
		429	break;
416	case AUDIT_INODE:	430	case AUDIT_INODE:
417	err = audit_to_inode(&entry->rule, f);	431	err = audit_to_inode(&entry->rule, f);
418	if (err)	432	if (err)
@@ -567,6 +581,10 @@ static struct audit_entry audit_data_to_entry(struct audit_rule_data data,
567	entry->rule.buflen += f->val;	581	entry->rule.buflen += f->val;
568	entry->rule.filterkey = str;	582	entry->rule.filterkey = str;
569	break;	583	break;
		584	case AUDIT_PERM:
		585	if (f->val & ~15)
		586	goto exit_free;
		587	break;
570	default:	588	default:
571	goto exit_free;	589	goto exit_free;
572	}	590	}
@@ -913,7 +931,7 @@ static void audit_update_watch(struct audit_parent *parent,
913	}	931	}
914		932
915	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);	933	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
916	audit_log_format(ab, "audit updated rules specifying watch=");	934	audit_log_format(ab, "audit updated rules specifying path=");
917	audit_log_untrustedstring(ab, owatch->path);	935	audit_log_untrustedstring(ab, owatch->path);
918	audit_log_format(ab, " with dev=%u ino=%lu\n", dev, ino);	936	audit_log_format(ab, " with dev=%u ino=%lu\n", dev, ino);
919	audit_log_end(ab);	937	audit_log_end(ab);
@@ -936,19 +954,28 @@ static void audit_remove_parent_watches(struct audit_parent *parent)
936	struct audit_watch w, nextw;	954	struct audit_watch w, nextw;
937	struct audit_krule r, nextr;	955	struct audit_krule r, nextr;
938	struct audit_entry *e;	956	struct audit_entry *e;
		957	struct audit_buffer *ab;
939		958
940	mutex_lock(&audit_filter_mutex);	959	mutex_lock(&audit_filter_mutex);
941	parent->flags \|= AUDIT_PARENT_INVALID;	960	parent->flags \|= AUDIT_PARENT_INVALID;
942	list_for_each_entry_safe(w, nextw, &parent->watches, wlist) {	961	list_for_each_entry_safe(w, nextw, &parent->watches, wlist) {
943	list_for_each_entry_safe(r, nextr, &w->rules, rlist) {	962	list_for_each_entry_safe(r, nextr, &w->rules, rlist) {
944	e = container_of(r, struct audit_entry, rule);	963	e = container_of(r, struct audit_entry, rule);
		964
		965	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
		966	audit_log_format(ab, "audit implicitly removed rule path=");
		967	audit_log_untrustedstring(ab, w->path);
		968	if (r->filterkey) {
		969	audit_log_format(ab, " key=");
		970	audit_log_untrustedstring(ab, r->filterkey);
		971	} else
		972	audit_log_format(ab, " key=(null)");
		973	audit_log_format(ab, " list=%d", r->listnr);
		974	audit_log_end(ab);
		975
945	list_del(&r->rlist);	976	list_del(&r->rlist);
946	list_del_rcu(&e->list);	977	list_del_rcu(&e->list);
947	call_rcu(&e->rcu, audit_free_rule_rcu);	978	call_rcu(&e->rcu, audit_free_rule_rcu);
948
949	audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
950	"audit implicitly removed rule from list=%d\n",
951	AUDIT_FILTER_EXIT);
952	}	979	}
953	audit_remove_watch(w);	980	audit_remove_watch(w);
954	}	981	}


diff --git a/kernel/auditsc.c b/kernel/auditsc.c index efc1b74bebf3..1bd8827a0102 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c
@@ -209,6 +209,54 @@ struct audit_context {
209	#endif	209	#endif
210	};	210	};
211		211
		212	#define ACC_MODE(x) ("\004\002\006\006"[(x)&O_ACCMODE])
		213	static inline int open_arg(int flags, int mask)
		214	{
		215	int n = ACC_MODE(flags);
		216	if (flags & (O_TRUNC \| O_CREAT))
		217	n \|= AUDIT_PERM_WRITE;
		218	return n & mask;
		219	}
		220
		221	static int audit_match_perm(struct audit_context *ctx, int mask)
		222	{
		223	unsigned n = ctx->major;
		224	switch (audit_classify_syscall(ctx->arch, n)) {
		225	case 0: /* native */
		226	if ((mask & AUDIT_PERM_WRITE) &&
		227	audit_match_class(AUDIT_CLASS_WRITE, n))
		228	return 1;
		229	if ((mask & AUDIT_PERM_READ) &&
		230	audit_match_class(AUDIT_CLASS_READ, n))
		231	return 1;
		232	if ((mask & AUDIT_PERM_ATTR) &&
		233	audit_match_class(AUDIT_CLASS_CHATTR, n))
		234	return 1;
		235	return 0;
		236	case 1: /* 32bit on biarch */
		237	if ((mask & AUDIT_PERM_WRITE) &&
		238	audit_match_class(AUDIT_CLASS_WRITE_32, n))
		239	return 1;
		240	if ((mask & AUDIT_PERM_READ) &&
		241	audit_match_class(AUDIT_CLASS_READ_32, n))
		242	return 1;
		243	if ((mask & AUDIT_PERM_ATTR) &&
		244	audit_match_class(AUDIT_CLASS_CHATTR_32, n))
		245	return 1;
		246	return 0;
		247	case 2: /* open */
		248	return mask & ACC_MODE(ctx->argv[1]);
		249	case 3: /* openat */
		250	return mask & ACC_MODE(ctx->argv[2]);
		251	case 4: /* socketcall */
		252	return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND);
		253	case 5: /* execve */
		254	return mask & AUDIT_PERM_EXEC;
		255	default:
		256	return 0;
		257	}
		258	}
		259
212	/* Determine if any context name data matches a rule's watch data */	260	/* Determine if any context name data matches a rule's watch data */
213	/* Compare a task_struct with an audit_rule. Return 1 on match, 0	261	/* Compare a task_struct with an audit_rule. Return 1 on match, 0
214	* otherwise. */	262	* otherwise. */
@@ -397,6 +445,9 @@ static int audit_filter_rules(struct task_struct *tsk,
397	/* ignore this field for filtering */	445	/* ignore this field for filtering */
398	result = 1;	446	result = 1;
399	break;	447	break;
		448	case AUDIT_PERM:
		449	result = audit_match_perm(ctx, f->val);
		450	break;
400	}	451	}
401		452
402	if (!result)	453	if (!result)