-rw-r--r-- | kernel/audit.c | 134 | ||||
-rw-r--r-- | kernel/auditsc.c | 150 |
2 files changed, 238 insertions, 46 deletions
diff --git a/kernel/audit.c b/kernel/audit.c index 0a813d2883e5..973ca5a9e0d6 100644 --- a/kernel/audit.c +++ b/kernel/audit.c | |||
@@ -72,7 +72,7 @@ static int audit_failure = AUDIT_FAIL_PRINTK; | |||
72 | * contains the (non-zero) pid. */ | 72 | * contains the (non-zero) pid. */ |
73 | int audit_pid; | 73 | int audit_pid; |
74 | 74 | ||
75 | /* If audit_limit is non-zero, limit the rate of sending audit records | 75 | /* If audit_rate_limit is non-zero, limit the rate of sending audit records |
76 | * to that number per second. This prevents DoS attacks, but results in | 76 | * to that number per second. This prevents DoS attacks, but results in |
77 | * audit records being dropped. */ | 77 | * audit records being dropped. */ |
78 | static int audit_rate_limit; | 78 | static int audit_rate_limit; |
@@ -102,7 +102,7 @@ static struct sock *audit_sock; | |||
102 | * than AUDIT_MAXFREE are in use, the audit buffer is freed instead of | 102 | * than AUDIT_MAXFREE are in use, the audit buffer is freed instead of |
103 | * being placed on the freelist). */ | 103 | * being placed on the freelist). */ |
104 | static DEFINE_SPINLOCK(audit_freelist_lock); | 104 | static DEFINE_SPINLOCK(audit_freelist_lock); |
105 | static int audit_freelist_count = 0; | 105 | static int audit_freelist_count; |
106 | static LIST_HEAD(audit_freelist); | 106 | static LIST_HEAD(audit_freelist); |
107 | 107 | ||
108 | static struct sk_buff_head audit_skb_queue; | 108 | static struct sk_buff_head audit_skb_queue; |
@@ -186,8 +186,14 @@ static inline int audit_rate_check(void) | |||
186 | return retval; | 186 | return retval; |
187 | } | 187 | } |
188 | 188 | ||
189 | /* Emit at least 1 message per second, even if audit_rate_check is | 189 | /** |
190 | * throttling. */ | 190 | * audit_log_lost - conditionally log lost audit message event |
191 | * @message: the message stating reason for lost audit message | ||
192 | * | ||
193 | * Emit at least 1 message per second, even if audit_rate_check is | ||
194 | * throttling. | ||
195 | * Always increment the lost messages counter. | ||
196 | */ | ||
191 | void audit_log_lost(const char *message) | 197 | void audit_log_lost(const char *message) |
192 | { | 198 | { |
193 | static unsigned long last_msg = 0; | 199 | static unsigned long last_msg = 0; |
@@ -218,7 +224,6 @@ void audit_log_lost(const char *message) | |||
218 | audit_backlog_limit); | 224 | audit_backlog_limit); |
219 | audit_panic(message); | 225 | audit_panic(message); |
220 | } | 226 | } |
221 | |||
222 | } | 227 | } |
223 | 228 | ||
224 | static int audit_set_rate_limit(int limit, uid_t loginuid) | 229 | static int audit_set_rate_limit(int limit, uid_t loginuid) |
@@ -302,6 +307,19 @@ static int kauditd_thread(void *dummy) | |||
302 | } | 307 | } |
303 | } | 308 | } |
304 | 309 | ||
310 | /** | ||
311 | * audit_send_reply - send an audit reply message via netlink | ||
312 | * @pid: process id to send reply to | ||
313 | * @seq: sequence number | ||
314 | * @type: audit message type | ||
315 | * @done: done (last) flag | ||
316 | * @multi: multi-part message flag | ||
317 | * @payload: payload data | ||
318 | * @size: payload size | ||
319 | * | ||
320 | * Allocates an skb, builds the netlink message, and sends it to the pid. | ||
321 | * No failure notifications. | ||
322 | */ | ||
305 | void audit_send_reply(int pid, int seq, int type, int done, int multi, | 323 | void audit_send_reply(int pid, int seq, int type, int done, int multi, |
306 | void *payload, int size) | 324 | void *payload, int size) |
307 | { | 325 | { |
@@ -376,7 +394,8 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) | |||
376 | if (err) | 394 | if (err) |
377 | return err; | 395 | return err; |
378 | 396 | ||
379 | /* As soon as there's any sign of userspace auditd, start kauditd to talk to it */ | 397 | /* As soon as there's any sign of userspace auditd, |
398 | * start kauditd to talk to it */ | ||
380 | if (!kauditd_task) | 399 | if (!kauditd_task) |
381 | kauditd_task = kthread_run(kauditd_thread, NULL, "kauditd"); | 400 | kauditd_task = kthread_run(kauditd_thread, NULL, "kauditd"); |
382 | if (IS_ERR(kauditd_task)) { | 401 | if (IS_ERR(kauditd_task)) { |
@@ -469,9 +488,11 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) | |||
469 | return err < 0 ? err : 0; | 488 | return err < 0 ? err : 0; |
470 | } | 489 | } |
471 | 490 | ||
472 | /* Get message from skb (based on rtnetlink_rcv_skb). Each message is | 491 | /* |
492 | * Get message from skb (based on rtnetlink_rcv_skb). Each message is | ||
473 | * processed by audit_receive_msg. Malformed skbs with wrong length are | 493 | * processed by audit_receive_msg. Malformed skbs with wrong length are |
474 | * discarded silently. */ | 494 | * discarded silently. |
495 | */ | ||
475 | static void audit_receive_skb(struct sk_buff *skb) | 496 | static void audit_receive_skb(struct sk_buff *skb) |
476 | { | 497 | { |
477 | int err; | 498 | int err; |
@@ -600,7 +621,10 @@ err: | |||
600 | return NULL; | 621 | return NULL; |
601 | } | 622 | } |
602 | 623 | ||
603 | /* Compute a serial number for the audit record. Audit records are | 624 | /** |
625 | * audit_serial - compute a serial number for the audit record | ||
626 | * | ||
627 | * Compute a serial number for the audit record. Audit records are | ||
604 | * written to user-space as soon as they are generated, so a complete | 628 | * written to user-space as soon as they are generated, so a complete |
605 | * audit record may be written in several pieces. The timestamp of the | 629 | * audit record may be written in several pieces. The timestamp of the |
606 | * record and this serial number are used by the user-space tools to | 630 | * record and this serial number are used by the user-space tools to |
@@ -612,8 +636,8 @@ err: | |||
612 | * audit context (for those records that have a context), and emit them | 636 | * audit context (for those records that have a context), and emit them |
613 | * all at syscall exit. However, this could delay the reporting of | 637 | * all at syscall exit. However, this could delay the reporting of |
614 | * significant errors until syscall exit (or never, if the system | 638 | * significant errors until syscall exit (or never, if the system |
615 | * halts). */ | 639 | * halts). |
616 | 640 | */ | |
617 | unsigned int audit_serial(void) | 641 | unsigned int audit_serial(void) |
618 | { | 642 | { |
619 | static spinlock_t serial_lock = SPIN_LOCK_UNLOCKED; | 643 | static spinlock_t serial_lock = SPIN_LOCK_UNLOCKED; |
@@ -649,6 +673,21 @@ static inline void audit_get_stamp(struct audit_context *ctx, | |||
649 | * will be written at syscall exit. If there is no associated task, tsk | 673 | * will be written at syscall exit. If there is no associated task, tsk |
650 | * should be NULL. */ | 674 | * should be NULL. */ |
651 | 675 | ||
676 | /** | ||
677 | * audit_log_start - obtain an audit buffer | ||
678 | * @ctx: audit_context (may be NULL) | ||
679 | * @gfp_mask: type of allocation | ||
680 | * @type: audit message type | ||
681 | * | ||
682 | * Returns audit_buffer pointer on success or NULL on error. | ||
683 | * | ||
684 | * Obtain an audit buffer. This routine does locking to obtain the | ||
685 | * audit buffer, but then no locking is required for calls to | ||
686 | * audit_log_*format. If the task (ctx) is a task that is currently in a | ||
687 | * syscall, then the syscall is marked as auditable and an audit record | ||
688 | * will be written at syscall exit. If there is no associated task, then | ||
689 | * task context (ctx) should be NULL. | ||
690 | */ | ||
652 | struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, | 691 | struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, |
653 | int type) | 692 | int type) |
654 | { | 693 | { |
@@ -713,6 +752,7 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, | |||
713 | /** | 752 | /** |
714 | * audit_expand - expand skb in the audit buffer | 753 | * audit_expand - expand skb in the audit buffer |
715 | * @ab: audit_buffer | 754 | * @ab: audit_buffer |
755 | * @extra: space to add at tail of the skb | ||
716 | * | 756 | * |
717 | * Returns 0 (no space) on failed expansion, or available space if | 757 | * Returns 0 (no space) on failed expansion, or available space if |
718 | * successful. | 758 | * successful. |
@@ -729,10 +769,12 @@ static inline int audit_expand(struct audit_buffer *ab, int extra) | |||
729 | return skb_tailroom(skb); | 769 | return skb_tailroom(skb); |
730 | } | 770 | } |
731 | 771 | ||
732 | /* Format an audit message into the audit buffer. If there isn't enough | 772 | /* |
773 | * Format an audit message into the audit buffer. If there isn't enough | ||
733 | * room in the audit buffer, more room will be allocated and vsnprint | 774 | * room in the audit buffer, more room will be allocated and vsnprint |
734 | * will be called a second time. Currently, we assume that a printk | 775 | * will be called a second time. Currently, we assume that a printk |
735 | * can't format message larger than 1024 bytes, so we don't either. */ | 776 | * can't format message larger than 1024 bytes, so we don't either. |
777 | */ | ||
736 | static void audit_log_vformat(struct audit_buffer *ab, const char *fmt, | 778 | static void audit_log_vformat(struct audit_buffer *ab, const char *fmt, |
737 | va_list args) | 779 | va_list args) |
738 | { | 780 | { |
@@ -757,7 +799,8 @@ static void audit_log_vformat(struct audit_buffer *ab, const char *fmt, | |||
757 | /* The printk buffer is 1024 bytes long, so if we get | 799 | /* The printk buffer is 1024 bytes long, so if we get |
758 | * here and AUDIT_BUFSIZ is at least 1024, then we can | 800 | * here and AUDIT_BUFSIZ is at least 1024, then we can |
759 | * log everything that printk could have logged. */ | 801 | * log everything that printk could have logged. */ |
760 | avail = audit_expand(ab, max_t(unsigned, AUDIT_BUFSIZ, 1+len-avail)); | 802 | avail = audit_expand(ab, |
803 | max_t(unsigned, AUDIT_BUFSIZ, 1+len-avail)); | ||
761 | if (!avail) | 804 | if (!avail) |
762 | goto out; | 805 | goto out; |
763 | len = vsnprintf(skb->tail, avail, fmt, args2); | 806 | len = vsnprintf(skb->tail, avail, fmt, args2); |
@@ -768,8 +811,14 @@ out: | |||
768 | return; | 811 | return; |
769 | } | 812 | } |
770 | 813 | ||
771 | /* Format a message into the audit buffer. All the work is done in | 814 | /** |
772 | * audit_log_vformat. */ | 815 | * audit_log_format - format a message into the audit buffer. |
816 | * @ab: audit_buffer | ||
817 | * @fmt: format string | ||
818 | * @...: optional parameters matching @fmt string | ||
819 | * | ||
820 | * All the work is done in audit_log_vformat. | ||
821 | */ | ||
773 | void audit_log_format(struct audit_buffer *ab, const char *fmt, ...) | 822 | void audit_log_format(struct audit_buffer *ab, const char *fmt, ...) |
774 | { | 823 | { |
775 | va_list args; | 824 | va_list args; |
@@ -781,9 +830,18 @@ void audit_log_format(struct audit_buffer *ab, const char *fmt, ...) | |||
781 | va_end(args); | 830 | va_end(args); |
782 | } | 831 | } |
783 | 832 | ||
784 | /* This function will take the passed buf and convert it into a string of | 833 | /** |
785 | * ascii hex digits. The new string is placed onto the skb. */ | 834 | * audit_log_hex - convert a buffer to hex and append it to the audit skb |
786 | void audit_log_hex(struct audit_buffer *ab, const unsigned char *buf, | 835 | * @ab: the audit_buffer |
836 | * @buf: buffer to convert to hex | ||
837 | * @len: length of @buf to be converted | ||
838 | * | ||
839 | * No return value; failure to expand is silently ignored. | ||
840 | * | ||
841 | * This function will take the passed buf and convert it into a string of | ||
842 | * ascii hex digits. The new string is placed onto the skb. | ||
843 | */ | ||
844 | void audit_log_hex(struct audit_buffer *ab, const unsigned char *buf, | ||
787 | size_t len) | 845 | size_t len) |
788 | { | 846 | { |
789 | int i, avail, new_len; | 847 | int i, avail, new_len; |
@@ -812,10 +870,16 @@ void audit_log_hex(struct audit_buffer *ab, const unsigned char *buf, | |||
812 | skb_put(skb, len << 1); /* new string is twice the old string */ | 870 | skb_put(skb, len << 1); /* new string is twice the old string */ |
813 | } | 871 | } |
814 | 872 | ||
815 | /* This code will escape a string that is passed to it if the string | 873 | /** |
816 | * contains a control character, unprintable character, double quote mark, | 874 | * audit_log_unstrustedstring - log a string that may contain random characters |
875 | * @ab: audit_buffer | ||
876 | * @string: string to be logged | ||
877 | * | ||
878 | * This code will escape a string that is passed to it if the string | ||
879 | * contains a control character, unprintable character, double quote mark, | ||
817 | * or a space. Unescaped strings will start and end with a double quote mark. | 880 | * or a space. Unescaped strings will start and end with a double quote mark. |
818 | * Strings that are escaped are printed in hex (2 digits per char). */ | 881 | * Strings that are escaped are printed in hex (2 digits per char). |
882 | */ | ||
819 | void audit_log_untrustedstring(struct audit_buffer *ab, const char *string) | 883 | void audit_log_untrustedstring(struct audit_buffer *ab, const char *string) |
820 | { | 884 | { |
821 | const unsigned char *p = string; | 885 | const unsigned char *p = string; |
@@ -854,10 +918,15 @@ void audit_log_d_path(struct audit_buffer *ab, const char *prefix, | |||
854 | kfree(path); | 918 | kfree(path); |
855 | } | 919 | } |
856 | 920 | ||
857 | /* The netlink_* functions cannot be called inside an irq context, so | 921 | /** |
858 | * the audit buffer is places on a queue and a tasklet is scheduled to | 922 | * audit_log_end - end one audit record |
923 | * @ab: the audit_buffer | ||
924 | * | ||
925 | * The netlink_* functions cannot be called inside an irq context, so | ||
926 | * the audit buffer is placed on a queue and a tasklet is scheduled to | ||
859 | * remove them from the queue outside the irq context. May be called in | 927 | * remove them from the queue outside the irq context. May be called in |
860 | * any context. */ | 928 | * any context. |
929 | */ | ||
861 | void audit_log_end(struct audit_buffer *ab) | 930 | void audit_log_end(struct audit_buffer *ab) |
862 | { | 931 | { |
863 | if (!ab) | 932 | if (!ab) |
@@ -878,9 +947,18 @@ void audit_log_end(struct audit_buffer *ab) | |||
878 | audit_buffer_free(ab); | 947 | audit_buffer_free(ab); |
879 | } | 948 | } |
880 | 949 | ||
881 | /* Log an audit record. This is a convenience function that calls | 950 | /** |
882 | * audit_log_start, audit_log_vformat, and audit_log_end. It may be | 951 | * audit_log - Log an audit record |
883 | * called in any context. */ | 952 | * @ctx: audit context |
953 | * @gfp_mask: type of allocation | ||
954 | * @type: audit message type | ||
955 | * @fmt: format string to use | ||
956 | * @...: variable parameters matching the format string | ||
957 | * | ||
958 | * This is a convenience function that calls audit_log_start, | ||
959 | * audit_log_vformat, and audit_log_end. It may be called | ||
960 | * in any context. | ||
961 | */ | ||
884 | void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, | 962 | void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, |
885 | const char *fmt, ...) | 963 | const char *fmt, ...) |
886 | { | 964 | { |
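Review bot: The kernel-doc block added for audit_log_untrustedstring names the function `audit_log_unstrustedstring` (the line `* audit_log_unstrustedstring - log a string that may contain random characters`), which does not match the definition a few lines below, so kernel-doc will not attach the comment to the function and the misspelling will surface in generated docs; it should read `* audit_log_untrustedstring - log a string that may contain random characters`. A smaller inconsistency: the change drops the redundant `= 0` from `static int audit_freelist_count;` but leaves `static unsigned long last_msg = 0;` in audit_log_lost, which could be normalised the same way. The new audit_log_hex header says failure to expand is silently ignored; since the expansion path is not visible in this section, a sentence stating what the caller then gets (presumably a record missing the hex data) would help readers who depend on the dump being complete — confirm against the body before wording it.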
diff --git a/kernel/auditsc.c b/kernel/auditsc.c index cfaa4a277f08..51a4f58a4d81 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c | |||
@@ -330,6 +330,15 @@ static int audit_list_rules(void *_dest) | |||
330 | return 0; | 330 | return 0; |
331 | } | 331 | } |
332 | 332 | ||
333 | /** | ||
334 | * audit_receive_filter - apply all rules to the specified message type | ||
335 | * @type: audit message type | ||
336 | * @pid: target pid for netlink audit messages | ||
337 | * @uid: target uid for netlink audit messages | ||
338 | * @seq: netlink audit message sequence (serial) number | ||
339 | * @data: payload data | ||
340 | * @loginuid: loginuid of sender | ||
341 | */ | ||
333 | int audit_receive_filter(int type, int pid, int uid, int seq, void *data, | 342 | int audit_receive_filter(int type, int pid, int uid, int seq, void *data, |
334 | uid_t loginuid) | 343 | uid_t loginuid) |
335 | { | 344 | { |
@@ -527,7 +536,7 @@ static enum audit_state audit_filter_task(struct task_struct *tsk) | |||
527 | /* At syscall entry and exit time, this filter is called if the | 536 | /* At syscall entry and exit time, this filter is called if the |
528 | * audit_state is not low enough that auditing cannot take place, but is | 537 | * audit_state is not low enough that auditing cannot take place, but is |
529 | * also not high enough that we already know we have to write an audit | 538 | * also not high enough that we already know we have to write an audit |
530 | * record (i.e., the state is AUDIT_SETUP_CONTEXT or AUDIT_BUILD_CONTEXT). | 539 | * record (i.e., the state is AUDIT_SETUP_CONTEXT or AUDIT_BUILD_CONTEXT). |
531 | */ | 540 | */ |
532 | static enum audit_state audit_filter_syscall(struct task_struct *tsk, | 541 | static enum audit_state audit_filter_syscall(struct task_struct *tsk, |
533 | struct audit_context *ctx, | 542 | struct audit_context *ctx, |
@@ -721,10 +730,15 @@ static inline struct audit_context *audit_alloc_context(enum audit_state state) | |||
721 | return context; | 730 | return context; |
722 | } | 731 | } |
723 | 732 | ||
724 | /* Filter on the task information and allocate a per-task audit context | 733 | /** |
734 | * audit_alloc - allocate an audit context block for a task | ||
735 | * @tsk: task | ||
736 | * | ||
737 | * Filter on the task information and allocate a per-task audit context | ||
725 | * if necessary. Doing so turns on system call auditing for the | 738 | * if necessary. Doing so turns on system call auditing for the |
726 | * specified task. This is called from copy_process, so no lock is | 739 | * specified task. This is called from copy_process, so no lock is |
727 | * needed. */ | 740 | * needed. |
741 | */ | ||
728 | int audit_alloc(struct task_struct *tsk) | 742 | int audit_alloc(struct task_struct *tsk) |
729 | { | 743 | { |
730 | struct audit_context *context; | 744 | struct audit_context *context; |
@@ -911,8 +925,12 @@ static void audit_log_exit(struct audit_context *context, gfp_t gfp_mask) | |||
911 | } | 925 | } |
912 | } | 926 | } |
913 | 927 | ||
914 | /* Free a per-task audit context. Called from copy_process and | 928 | /** |
915 | * __put_task_struct. */ | 929 | * audit_free - free a per-task audit context |
930 | * @tsk: task whose audit context block to free | ||
931 | * | ||
932 | * Called from copy_process and __put_task_struct. | ||
933 | */ | ||
916 | void audit_free(struct task_struct *tsk) | 934 | void audit_free(struct task_struct *tsk) |
917 | { | 935 | { |
918 | struct audit_context *context; | 936 | struct audit_context *context; |
@@ -934,13 +952,24 @@ void audit_free(struct task_struct *tsk) | |||
934 | audit_free_context(context); | 952 | audit_free_context(context); |
935 | } | 953 | } |
936 | 954 | ||
937 | /* Fill in audit context at syscall entry. This only happens if the | 955 | /** |
956 | * audit_syscall_entry - fill in an audit record at syscall entry | ||
957 | * @tsk: task being audited | ||
958 | * @arch: architecture type | ||
959 | * @major: major syscall type (function) | ||
960 | * @a1: additional syscall register 1 | ||
961 | * @a2: additional syscall register 2 | ||
962 | * @a3: additional syscall register 3 | ||
963 | * @a4: additional syscall register 4 | ||
964 | * | ||
965 | * Fill in audit context at syscall entry. This only happens if the | ||
938 | * audit context was created when the task was created and the state or | 966 | * audit context was created when the task was created and the state or |
939 | * filters demand the audit context be built. If the state from the | 967 | * filters demand the audit context be built. If the state from the |
940 | * per-task filter or from the per-syscall filter is AUDIT_RECORD_CONTEXT, | 968 | * per-task filter or from the per-syscall filter is AUDIT_RECORD_CONTEXT, |
941 | * then the record will be written at syscall exit time (otherwise, it | 969 | * then the record will be written at syscall exit time (otherwise, it |
942 | * will only be written if another part of the kernel requests that it | 970 | * will only be written if another part of the kernel requests that it |
943 | * be written). */ | 971 | * be written). |
972 | */ | ||
944 | void audit_syscall_entry(struct task_struct *tsk, int arch, int major, | 973 | void audit_syscall_entry(struct task_struct *tsk, int arch, int major, |
945 | unsigned long a1, unsigned long a2, | 974 | unsigned long a1, unsigned long a2, |
946 | unsigned long a3, unsigned long a4) | 975 | unsigned long a3, unsigned long a4) |
@@ -950,7 +979,8 @@ void audit_syscall_entry(struct task_struct *tsk, int arch, int major, | |||
950 | 979 | ||
951 | BUG_ON(!context); | 980 | BUG_ON(!context); |
952 | 981 | ||
953 | /* This happens only on certain architectures that make system | 982 | /* |
983 | * This happens only on certain architectures that make system | ||
954 | * calls in kernel_thread via the entry.S interface, instead of | 984 | * calls in kernel_thread via the entry.S interface, instead of |
955 | * with direct calls. (If you are porting to a new | 985 | * with direct calls. (If you are porting to a new |
956 | * architecture, hitting this condition can indicate that you | 986 | * architecture, hitting this condition can indicate that you |
@@ -1009,11 +1039,18 @@ void audit_syscall_entry(struct task_struct *tsk, int arch, int major, | |||
1009 | context->auditable = !!(state == AUDIT_RECORD_CONTEXT); | 1039 | context->auditable = !!(state == AUDIT_RECORD_CONTEXT); |
1010 | } | 1040 | } |
1011 | 1041 | ||
1012 | /* Tear down after system call. If the audit context has been marked as | 1042 | /** |
1043 | * audit_syscall_exit - deallocate audit context after a system call | ||
1044 | * @tsk: task being audited | ||
1045 | * @valid: success/failure flag | ||
1046 | * @return_code: syscall return value | ||
1047 | * | ||
1048 | * Tear down after system call. If the audit context has been marked as | ||
1013 | * auditable (either because of the AUDIT_RECORD_CONTEXT state from | 1049 | * auditable (either because of the AUDIT_RECORD_CONTEXT state from |
1014 | * filtering, or because some other part of the kernel write an audit | 1050 | * filtering, or because some other part of the kernel write an audit |
1015 | * message), then write out the syscall information. In call cases, | 1051 | * message), then write out the syscall information. In call cases, |
1016 | * free the names stored from getname(). */ | 1052 | * free the names stored from getname(). |
1053 | */ | ||
1017 | void audit_syscall_exit(struct task_struct *tsk, int valid, long return_code) | 1054 | void audit_syscall_exit(struct task_struct *tsk, int valid, long return_code) |
1018 | { | 1055 | { |
1019 | struct audit_context *context; | 1056 | struct audit_context *context; |
@@ -1048,7 +1085,13 @@ void audit_syscall_exit(struct task_struct *tsk, int valid, long return_code) | |||
1048 | put_task_struct(tsk); | 1085 | put_task_struct(tsk); |
1049 | } | 1086 | } |
1050 | 1087 | ||
1051 | /* Add a name to the list. Called from fs/namei.c:getname(). */ | 1088 | /** |
1089 | * audit_getname - add a name to the list | ||
1090 | * @name: name to add | ||
1091 | * | ||
1092 | * Add a name to the list of audit names for this context. | ||
1093 | * Called from fs/namei.c:getname(). | ||
1094 | */ | ||
1052 | void audit_getname(const char *name) | 1095 | void audit_getname(const char *name) |
1053 | { | 1096 | { |
1054 | struct audit_context *context = current->audit_context; | 1097 | struct audit_context *context = current->audit_context; |
@@ -1077,10 +1120,13 @@ void audit_getname(const char *name) | |||
1077 | 1120 | ||
1078 | } | 1121 | } |
1079 | 1122 | ||
1080 | /* Intercept a putname request. Called from | 1123 | /* audit_putname - intercept a putname request |
1081 | * include/linux/fs.h:putname(). If we have stored the name from | 1124 | * @name: name to intercept and delay for putname |
1082 | * getname in the audit context, then we delay the putname until syscall | 1125 | * |
1083 | * exit. */ | 1126 | * If we have stored the name from getname in the audit context, |
1127 | * then we delay the putname until syscall exit. | ||
1128 | * Called from include/linux/fs.h:putname(). | ||
1129 | */ | ||
1084 | void audit_putname(const char *name) | 1130 | void audit_putname(const char *name) |
1085 | { | 1131 | { |
1086 | struct audit_context *context = current->audit_context; | 1132 | struct audit_context *context = current->audit_context; |
@@ -1117,8 +1163,14 @@ void audit_putname(const char *name) | |||
1117 | #endif | 1163 | #endif |
1118 | } | 1164 | } |
1119 | 1165 | ||
1120 | /* Store the inode and device from a lookup. Called from | 1166 | /** |
1121 | * fs/namei.c:path_lookup(). */ | 1167 | * audit_inode - store the inode and device from a lookup |
1168 | * @name: name being audited | ||
1169 | * @inode: inode being audited | ||
1170 | * @flags: lookup flags (as used in path_lookup()) | ||
1171 | * | ||
1172 | * Called from fs/namei.c:path_lookup(). | ||
1173 | */ | ||
1122 | void audit_inode(const char *name, const struct inode *inode, unsigned flags) | 1174 | void audit_inode(const char *name, const struct inode *inode, unsigned flags) |
1123 | { | 1175 | { |
1124 | int idx; | 1176 | int idx; |
@@ -1154,6 +1206,14 @@ void audit_inode(const char *name, const struct inode *inode, unsigned flags) | |||
1154 | context->names[idx].rdev = inode->i_rdev; | 1206 | context->names[idx].rdev = inode->i_rdev; |
1155 | } | 1207 | } |
1156 | 1208 | ||
1209 | /** | ||
1210 | * auditsc_get_stamp - get local copies of audit_context values | ||
1211 | * @ctx: audit_context for the task | ||
1212 | * @t: timespec to store time recorded in the audit_context | ||
1213 | * @serial: serial value that is recorded in the audit_context | ||
1214 | * | ||
1215 | * Also sets the context as auditable. | ||
1216 | */ | ||
1157 | void auditsc_get_stamp(struct audit_context *ctx, | 1217 | void auditsc_get_stamp(struct audit_context *ctx, |
1158 | struct timespec *t, unsigned int *serial) | 1218 | struct timespec *t, unsigned int *serial) |
1159 | { | 1219 | { |
@@ -1165,6 +1225,15 @@ void auditsc_get_stamp(struct audit_context *ctx, | |||
1165 | ctx->auditable = 1; | 1225 | ctx->auditable = 1; |
1166 | } | 1226 | } |
1167 | 1227 | ||
1228 | /** | ||
1229 | * audit_set_loginuid - set a task's audit_context loginuid | ||
1230 | * @task: task whose audit context is being modified | ||
1231 | * @loginuid: loginuid value | ||
1232 | * | ||
1233 | * Returns 0. | ||
1234 | * | ||
1235 | * Called (set) from fs/proc/base.c::proc_loginuid_write(). | ||
1236 | */ | ||
1168 | int audit_set_loginuid(struct task_struct *task, uid_t loginuid) | 1237 | int audit_set_loginuid(struct task_struct *task, uid_t loginuid) |
1169 | { | 1238 | { |
1170 | if (task->audit_context) { | 1239 | if (task->audit_context) { |
@@ -1183,11 +1252,26 @@ int audit_set_loginuid(struct task_struct *task, uid_t loginuid) | |||
1183 | return 0; | 1252 | return 0; |
1184 | } | 1253 | } |
1185 | 1254 | ||
1255 | /** | ||
1256 | * audit_get_loginuid - get the loginuid for an audit_context | ||
1257 | * @ctx: the audit_context | ||
1258 | * | ||
1259 | * Returns the context's loginuid or -1 if @ctx is NULL. | ||
1260 | */ | ||
1186 | uid_t audit_get_loginuid(struct audit_context *ctx) | 1261 | uid_t audit_get_loginuid(struct audit_context *ctx) |
1187 | { | 1262 | { |
1188 | return ctx ? ctx->loginuid : -1; | 1263 | return ctx ? ctx->loginuid : -1; |
1189 | } | 1264 | } |
1190 | 1265 | ||
1266 | /** | ||
1267 | * audit_ipc_perms - record audit data for ipc | ||
1268 | * @qbytes: msgq bytes | ||
1269 | * @uid: msgq user id | ||
1270 | * @gid: msgq group id | ||
1271 | * @mode: msgq mode (permissions) | ||
1272 | * | ||
1273 | * Returns 0 for success or NULL context or < 0 on error. | ||
1274 | */ | ||
1191 | int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode) | 1275 | int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode) |
1192 | { | 1276 | { |
1193 | struct audit_aux_data_ipcctl *ax; | 1277 | struct audit_aux_data_ipcctl *ax; |
@@ -1211,6 +1295,13 @@ int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode) | |||
1211 | return 0; | 1295 | return 0; |
1212 | } | 1296 | } |
1213 | 1297 | ||
1298 | /** | ||
1299 | * audit_socketcall - record audit data for sys_socketcall | ||
1300 | * @nargs: number of args | ||
1301 | * @args: args array | ||
1302 | * | ||
1303 | * Returns 0 for success or NULL context or < 0 on error. | ||
1304 | */ | ||
1214 | int audit_socketcall(int nargs, unsigned long *args) | 1305 | int audit_socketcall(int nargs, unsigned long *args) |
1215 | { | 1306 | { |
1216 | struct audit_aux_data_socketcall *ax; | 1307 | struct audit_aux_data_socketcall *ax; |
@@ -1232,6 +1323,13 @@ int audit_socketcall(int nargs, unsigned long *args) | |||
1232 | return 0; | 1323 | return 0; |
1233 | } | 1324 | } |
1234 | 1325 | ||
1326 | /** | ||
1327 | * audit_sockaddr - record audit data for sys_bind, sys_connect, sys_sendto | ||
1328 | * @len: data length in user space | ||
1329 | * @a: data address in kernel space | ||
1330 | * | ||
1331 | * Returns 0 for success or NULL context or < 0 on error. | ||
1332 | */ | ||
1235 | int audit_sockaddr(int len, void *a) | 1333 | int audit_sockaddr(int len, void *a) |
1236 | { | 1334 | { |
1237 | struct audit_aux_data_sockaddr *ax; | 1335 | struct audit_aux_data_sockaddr *ax; |
@@ -1253,6 +1351,15 @@ int audit_sockaddr(int len, void *a) | |||
1253 | return 0; | 1351 | return 0; |
1254 | } | 1352 | } |
1255 | 1353 | ||
1354 | /** | ||
1355 | * audit_avc_path - record the granting or denial of permissions | ||
1356 | * @dentry: dentry to record | ||
1357 | * @mnt: mnt to record | ||
1358 | * | ||
1359 | * Returns 0 for success or NULL context or < 0 on error. | ||
1360 | * | ||
1361 | * Called from security/selinux/avc.c::avc_audit() | ||
1362 | */ | ||
1256 | int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt) | 1363 | int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt) |
1257 | { | 1364 | { |
1258 | struct audit_aux_data_path *ax; | 1365 | struct audit_aux_data_path *ax; |
@@ -1274,6 +1381,14 @@ int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt) | |||
1274 | return 0; | 1381 | return 0; |
1275 | } | 1382 | } |
1276 | 1383 | ||
1384 | /** | ||
1385 | * audit_signal_info - record signal info for shutting down audit subsystem | ||
1386 | * @sig: signal value | ||
1387 | * @t: task being signaled | ||
1388 | * | ||
1389 | * If the audit subsystem is being terminated, record the task (pid) | ||
1390 | * and uid that is doing that. | ||
1391 | */ | ||
1277 | void audit_signal_info(int sig, struct task_struct *t) | 1392 | void audit_signal_info(int sig, struct task_struct *t) |
1278 | { | 1393 | { |
1279 | extern pid_t audit_sig_pid; | 1394 | extern pid_t audit_sig_pid; |
@@ -1290,4 +1405,3 @@ void audit_signal_info(int sig, struct task_struct *t) | |||
1290 | } | 1405 | } |
1291 | } | 1406 | } |
1292 | } | 1407 | } |
1293 | |||
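Review bot: The new header for audit_putname opens with `/*` instead of `/**` (the line `/* audit_putname - intercept a putname request`), so unlike every other block this commit adds it is not recognised as kernel-doc and its @name line will be skipped by the docs tooling; change the opener to `/**`. The audit_syscall_exit description carried into the new block still contains `some other part of the kernel write an audit` and `In call cases,` where "wrote" and "In all cases" are meant. The audit_get_loginuid doc says it returns -1 for a NULL context, but the return type is uid_t, so the value is really `(uid_t)-1`; saying so explicitly avoids callers comparing the result against a signed -1.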