diff options
-rw-r--r-- | MAINTAINERS | 5 | ||||
-rw-r--r-- | arch/ppc64/kernel/asm-offsets.c | 1 | ||||
-rw-r--r-- | arch/ppc64/kernel/entry.S | 18 | ||||
-rw-r--r-- | fs/namei.c | 2 | ||||
-rw-r--r-- | include/linux/audit.h | 36 | ||||
-rw-r--r-- | kernel/audit.c | 128 | ||||
-rw-r--r-- | kernel/auditsc.c | 327 | ||||
-rw-r--r-- | security/selinux/avc.c | 4 | ||||
-rw-r--r-- | security/selinux/hooks.c | 2 | ||||
-rw-r--r-- | security/selinux/ss/services.c | 4 |
10 files changed, 356 insertions, 171 deletions
diff --git a/MAINTAINERS b/MAINTAINERS index a67bf7d315d7..d1e0eb46d201 100644 --- a/MAINTAINERS +++ b/MAINTAINERS | |||
@@ -370,7 +370,10 @@ W: http://atmelwlandriver.sourceforge.net/ | |||
370 | S: Maintained | 370 | S: Maintained |
371 | 371 | ||
372 | AUDIT SUBSYSTEM | 372 | AUDIT SUBSYSTEM |
373 | L: linux-audit@redhat.com (subscribers-only) | 373 | P: David Woodhouse |
374 | M: dwmw2@infradead.org | ||
375 | L: linux-audit@redhat.com | ||
376 | W: http://people.redhat.com/sgrubb/audit/ | ||
374 | S: Maintained | 377 | S: Maintained |
375 | 378 | ||
376 | AX.25 NETWORK LAYER | 379 | AX.25 NETWORK LAYER |
diff --git a/arch/ppc64/kernel/asm-offsets.c b/arch/ppc64/kernel/asm-offsets.c index 17e35d0fed09..1ff4fa05a973 100644 --- a/arch/ppc64/kernel/asm-offsets.c +++ b/arch/ppc64/kernel/asm-offsets.c | |||
@@ -68,6 +68,7 @@ int main(void) | |||
68 | DEFINE(THREAD_USED_VR, offsetof(struct thread_struct, used_vr)); | 68 | DEFINE(THREAD_USED_VR, offsetof(struct thread_struct, used_vr)); |
69 | #endif /* CONFIG_ALTIVEC */ | 69 | #endif /* CONFIG_ALTIVEC */ |
70 | DEFINE(MM, offsetof(struct task_struct, mm)); | 70 | DEFINE(MM, offsetof(struct task_struct, mm)); |
71 | DEFINE(AUDITCONTEXT, offsetof(struct task_struct, audit_context)); | ||
71 | 72 | ||
72 | DEFINE(DCACHEL1LINESIZE, offsetof(struct ppc64_caches, dline_size)); | 73 | DEFINE(DCACHEL1LINESIZE, offsetof(struct ppc64_caches, dline_size)); |
73 | DEFINE(DCACHEL1LOGLINESIZE, offsetof(struct ppc64_caches, log_dline_size)); | 74 | DEFINE(DCACHEL1LOGLINESIZE, offsetof(struct ppc64_caches, log_dline_size)); |
diff --git a/arch/ppc64/kernel/entry.S b/arch/ppc64/kernel/entry.S index d133a49cdf89..e8c0bbf4d000 100644 --- a/arch/ppc64/kernel/entry.S +++ b/arch/ppc64/kernel/entry.S | |||
@@ -276,12 +276,22 @@ _GLOBAL(ppc64_rt_sigsuspend) | |||
276 | _GLOBAL(ppc32_rt_sigsuspend) | 276 | _GLOBAL(ppc32_rt_sigsuspend) |
277 | bl .save_nvgprs | 277 | bl .save_nvgprs |
278 | bl .sys32_rt_sigsuspend | 278 | bl .sys32_rt_sigsuspend |
279 | /* If sigsuspend() returns zero, we are going into a signal handler */ | ||
280 | 70: cmpdi 0,r3,0 | 279 | 70: cmpdi 0,r3,0 |
281 | beq .ret_from_except | 280 | /* If it returned an error, we need to return via syscall_exit to set |
282 | /* If it returned -EINTR, we need to return via syscall_exit to set | ||
283 | the SO bit in cr0 and potentially stop for ptrace. */ | 281 | the SO bit in cr0 and potentially stop for ptrace. */ |
284 | b syscall_exit | 282 | bne syscall_exit |
283 | /* If sigsuspend() returns zero, we are going into a signal handler. We | ||
284 | may need to call audit_syscall_exit() to mark the exit from sigsuspend() */ | ||
285 | #ifdef CONFIG_AUDIT | ||
286 | ld r3,PACACURRENT(r13) | ||
287 | ld r4,AUDITCONTEXT(r3) | ||
288 | cmpdi 0,r4,0 | ||
289 | beq .ret_from_except /* No audit_context: Leave immediately. */ | ||
290 | li r4, 2 /* AUDITSC_FAILURE */ | ||
291 | li r5,-4 /* It's always -EINTR */ | ||
292 | bl .audit_syscall_exit | ||
293 | #endif | ||
294 | b .ret_from_except | ||
285 | 295 | ||
286 | _GLOBAL(ppc_fork) | 296 | _GLOBAL(ppc_fork) |
287 | bl .save_nvgprs | 297 | bl .save_nvgprs |
diff --git a/fs/namei.c b/fs/namei.c index 21d85f1ac839..043d587216b5 100644 --- a/fs/namei.c +++ b/fs/namei.c | |||
@@ -1048,7 +1048,7 @@ int fastcall path_lookup(const char *name, unsigned int flags, struct nameidata | |||
1048 | out: | 1048 | out: |
1049 | if (unlikely(current->audit_context | 1049 | if (unlikely(current->audit_context |
1050 | && nd && nd->dentry && nd->dentry->d_inode)) | 1050 | && nd && nd->dentry && nd->dentry->d_inode)) |
1051 | audit_inode(name, nd->dentry->d_inode); | 1051 | audit_inode(name, nd->dentry->d_inode, flags); |
1052 | return retval; | 1052 | return retval; |
1053 | } | 1053 | } |
1054 | 1054 | ||
diff --git a/include/linux/audit.h b/include/linux/audit.h index 68aba0c02e49..b2a2509bd7ea 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h | |||
@@ -51,7 +51,8 @@ | |||
51 | #define AUDIT_WATCH_LIST 1009 /* List all file/dir watches */ | 51 | #define AUDIT_WATCH_LIST 1009 /* List all file/dir watches */ |
52 | #define AUDIT_SIGNAL_INFO 1010 /* Get info about sender of signal to auditd */ | 52 | #define AUDIT_SIGNAL_INFO 1010 /* Get info about sender of signal to auditd */ |
53 | 53 | ||
54 | #define AUDIT_FIRST_USER_MSG 1100 /* Userspace messages uninteresting to kernel */ | 54 | #define AUDIT_FIRST_USER_MSG 1100 /* Userspace messages mostly uninteresting to kernel */ |
55 | #define AUDIT_USER_AVC 1107 /* We filter this differently */ | ||
55 | #define AUDIT_LAST_USER_MSG 1199 | 56 | #define AUDIT_LAST_USER_MSG 1199 |
56 | 57 | ||
57 | #define AUDIT_DAEMON_START 1200 /* Daemon startup record */ | 58 | #define AUDIT_DAEMON_START 1200 /* Daemon startup record */ |
@@ -75,10 +76,15 @@ | |||
75 | #define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */ | 76 | #define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */ |
76 | 77 | ||
77 | /* Rule flags */ | 78 | /* Rule flags */ |
78 | #define AUDIT_PER_TASK 0x01 /* Apply rule at task creation (not syscall) */ | 79 | #define AUDIT_FILTER_USER 0x00 /* Apply rule to user-generated messages */ |
79 | #define AUDIT_AT_ENTRY 0x02 /* Apply rule at syscall entry */ | 80 | #define AUDIT_FILTER_TASK 0x01 /* Apply rule at task creation (not syscall) */ |
80 | #define AUDIT_AT_EXIT 0x04 /* Apply rule at syscall exit */ | 81 | #define AUDIT_FILTER_ENTRY 0x02 /* Apply rule at syscall entry */ |
81 | #define AUDIT_PREPEND 0x10 /* Prepend to front of list */ | 82 | #define AUDIT_FILTER_WATCH 0x03 /* Apply rule to file system watches */ |
83 | #define AUDIT_FILTER_EXIT 0x04 /* Apply rule at syscall exit */ | ||
84 | |||
85 | #define AUDIT_NR_FILTERS 5 | ||
86 | |||
87 | #define AUDIT_FILTER_PREPEND 0x10 /* Prepend to front of list */ | ||
82 | 88 | ||
83 | /* Rule actions */ | 89 | /* Rule actions */ |
84 | #define AUDIT_NEVER 0 /* Do not build context if rule matches */ | 90 | #define AUDIT_NEVER 0 /* Do not build context if rule matches */ |
@@ -199,6 +205,7 @@ struct audit_sig_info { | |||
199 | struct audit_buffer; | 205 | struct audit_buffer; |
200 | struct audit_context; | 206 | struct audit_context; |
201 | struct inode; | 207 | struct inode; |
208 | struct netlink_skb_parms; | ||
202 | 209 | ||
203 | #define AUDITSC_INVALID 0 | 210 | #define AUDITSC_INVALID 0 |
204 | #define AUDITSC_SUCCESS 1 | 211 | #define AUDITSC_SUCCESS 1 |
@@ -215,7 +222,7 @@ extern void audit_syscall_entry(struct task_struct *task, int arch, | |||
215 | extern void audit_syscall_exit(struct task_struct *task, int failed, long return_code); | 222 | extern void audit_syscall_exit(struct task_struct *task, int failed, long return_code); |
216 | extern void audit_getname(const char *name); | 223 | extern void audit_getname(const char *name); |
217 | extern void audit_putname(const char *name); | 224 | extern void audit_putname(const char *name); |
218 | extern void audit_inode(const char *name, const struct inode *inode); | 225 | extern void audit_inode(const char *name, const struct inode *inode, unsigned flags); |
219 | 226 | ||
220 | /* Private API (for audit.c only) */ | 227 | /* Private API (for audit.c only) */ |
221 | extern int audit_receive_filter(int type, int pid, int uid, int seq, | 228 | extern int audit_receive_filter(int type, int pid, int uid, int seq, |
@@ -230,6 +237,7 @@ extern int audit_socketcall(int nargs, unsigned long *args); | |||
230 | extern int audit_sockaddr(int len, void *addr); | 237 | extern int audit_sockaddr(int len, void *addr); |
231 | extern int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt); | 238 | extern int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt); |
232 | extern void audit_signal_info(int sig, struct task_struct *t); | 239 | extern void audit_signal_info(int sig, struct task_struct *t); |
240 | extern int audit_filter_user(struct netlink_skb_parms *cb, int type); | ||
233 | #else | 241 | #else |
234 | #define audit_alloc(t) ({ 0; }) | 242 | #define audit_alloc(t) ({ 0; }) |
235 | #define audit_free(t) do { ; } while (0) | 243 | #define audit_free(t) do { ; } while (0) |
@@ -237,7 +245,7 @@ extern void audit_signal_info(int sig, struct task_struct *t); | |||
237 | #define audit_syscall_exit(t,f,r) do { ; } while (0) | 245 | #define audit_syscall_exit(t,f,r) do { ; } while (0) |
238 | #define audit_getname(n) do { ; } while (0) | 246 | #define audit_getname(n) do { ; } while (0) |
239 | #define audit_putname(n) do { ; } while (0) | 247 | #define audit_putname(n) do { ; } while (0) |
240 | #define audit_inode(n,i) do { ; } while (0) | 248 | #define audit_inode(n,i,f) do { ; } while (0) |
241 | #define audit_receive_filter(t,p,u,s,d,l) ({ -EOPNOTSUPP; }) | 249 | #define audit_receive_filter(t,p,u,s,d,l) ({ -EOPNOTSUPP; }) |
242 | #define auditsc_get_stamp(c,t,s) do { BUG(); } while (0) | 250 | #define auditsc_get_stamp(c,t,s) do { BUG(); } while (0) |
243 | #define audit_get_loginuid(c) ({ -1; }) | 251 | #define audit_get_loginuid(c) ({ -1; }) |
@@ -246,16 +254,17 @@ extern void audit_signal_info(int sig, struct task_struct *t); | |||
246 | #define audit_sockaddr(len, addr) ({ 0; }) | 254 | #define audit_sockaddr(len, addr) ({ 0; }) |
247 | #define audit_avc_path(dentry, mnt) ({ 0; }) | 255 | #define audit_avc_path(dentry, mnt) ({ 0; }) |
248 | #define audit_signal_info(s,t) do { ; } while (0) | 256 | #define audit_signal_info(s,t) do { ; } while (0) |
257 | #define audit_filter_user(cb,t) ({ 1; }) | ||
249 | #endif | 258 | #endif |
250 | 259 | ||
251 | #ifdef CONFIG_AUDIT | 260 | #ifdef CONFIG_AUDIT |
252 | /* These are defined in audit.c */ | 261 | /* These are defined in audit.c */ |
253 | /* Public API */ | 262 | /* Public API */ |
254 | extern void audit_log(struct audit_context *ctx, int type, | 263 | extern void audit_log(struct audit_context *ctx, int gfp_mask, |
255 | const char *fmt, ...) | 264 | int type, const char *fmt, ...) |
256 | __attribute__((format(printf,3,4))); | 265 | __attribute__((format(printf,4,5))); |
257 | 266 | ||
258 | extern struct audit_buffer *audit_log_start(struct audit_context *ctx,int type); | 267 | extern struct audit_buffer *audit_log_start(struct audit_context *ctx, int gfp_mask, int type); |
259 | extern void audit_log_format(struct audit_buffer *ab, | 268 | extern void audit_log_format(struct audit_buffer *ab, |
260 | const char *fmt, ...) | 269 | const char *fmt, ...) |
261 | __attribute__((format(printf,2,3))); | 270 | __attribute__((format(printf,2,3))); |
@@ -274,9 +283,10 @@ extern void audit_send_reply(int pid, int seq, int type, | |||
274 | int done, int multi, | 283 | int done, int multi, |
275 | void *payload, int size); | 284 | void *payload, int size); |
276 | extern void audit_log_lost(const char *message); | 285 | extern void audit_log_lost(const char *message); |
286 | extern struct semaphore audit_netlink_sem; | ||
277 | #else | 287 | #else |
278 | #define audit_log(c,t,f,...) do { ; } while (0) | 288 | #define audit_log(c,g,t,f,...) do { ; } while (0) |
279 | #define audit_log_start(c,t) ({ NULL; }) | 289 | #define audit_log_start(c,g,t) ({ NULL; }) |
280 | #define audit_log_vformat(b,f,a) do { ; } while (0) | 290 | #define audit_log_vformat(b,f,a) do { ; } while (0) |
281 | #define audit_log_format(b,f,...) do { ; } while (0) | 291 | #define audit_log_format(b,f,...) do { ; } while (0) |
282 | #define audit_log_end(b) do { ; } while (0) | 292 | #define audit_log_end(b) do { ; } while (0) |
diff --git a/kernel/audit.c b/kernel/audit.c index 7f0699790d46..83096b67510a 100644 --- a/kernel/audit.c +++ b/kernel/audit.c | |||
@@ -79,6 +79,8 @@ static int audit_rate_limit; | |||
79 | 79 | ||
80 | /* Number of outstanding audit_buffers allowed. */ | 80 | /* Number of outstanding audit_buffers allowed. */ |
81 | static int audit_backlog_limit = 64; | 81 | static int audit_backlog_limit = 64; |
82 | static int audit_backlog_wait_time = 60 * HZ; | ||
83 | static int audit_backlog_wait_overflow = 0; | ||
82 | 84 | ||
83 | /* The identity of the user shutting down the audit system. */ | 85 | /* The identity of the user shutting down the audit system. */ |
84 | uid_t audit_sig_uid = -1; | 86 | uid_t audit_sig_uid = -1; |
@@ -106,18 +108,12 @@ static LIST_HEAD(audit_freelist); | |||
106 | static struct sk_buff_head audit_skb_queue; | 108 | static struct sk_buff_head audit_skb_queue; |
107 | static struct task_struct *kauditd_task; | 109 | static struct task_struct *kauditd_task; |
108 | static DECLARE_WAIT_QUEUE_HEAD(kauditd_wait); | 110 | static DECLARE_WAIT_QUEUE_HEAD(kauditd_wait); |
109 | 111 | static DECLARE_WAIT_QUEUE_HEAD(audit_backlog_wait); | |
110 | /* There are three lists of rules -- one to search at task creation | ||
111 | * time, one to search at syscall entry time, and another to search at | ||
112 | * syscall exit time. */ | ||
113 | static LIST_HEAD(audit_tsklist); | ||
114 | static LIST_HEAD(audit_entlist); | ||
115 | static LIST_HEAD(audit_extlist); | ||
116 | 112 | ||
117 | /* The netlink socket is only to be read by 1 CPU, which lets us assume | 113 | /* The netlink socket is only to be read by 1 CPU, which lets us assume |
118 | * that list additions and deletions never happen simultaneously in | 114 | * that list additions and deletions never happen simultaneously in |
119 | * auditsc.c */ | 115 | * auditsc.c */ |
120 | static DECLARE_MUTEX(audit_netlink_sem); | 116 | DECLARE_MUTEX(audit_netlink_sem); |
121 | 117 | ||
122 | /* AUDIT_BUFSIZ is the size of the temporary buffer used for formatting | 118 | /* AUDIT_BUFSIZ is the size of the temporary buffer used for formatting |
123 | * audit records. Since printk uses a 1024 byte buffer, this buffer | 119 | * audit records. Since printk uses a 1024 byte buffer, this buffer |
@@ -137,6 +133,7 @@ struct audit_buffer { | |||
137 | struct list_head list; | 133 | struct list_head list; |
138 | struct sk_buff *skb; /* formatted skb ready to send */ | 134 | struct sk_buff *skb; /* formatted skb ready to send */ |
139 | struct audit_context *ctx; /* NULL or associated context */ | 135 | struct audit_context *ctx; /* NULL or associated context */ |
136 | int gfp_mask; | ||
140 | }; | 137 | }; |
141 | 138 | ||
142 | static void audit_set_pid(struct audit_buffer *ab, pid_t pid) | 139 | static void audit_set_pid(struct audit_buffer *ab, pid_t pid) |
@@ -145,11 +142,6 @@ static void audit_set_pid(struct audit_buffer *ab, pid_t pid) | |||
145 | nlh->nlmsg_pid = pid; | 142 | nlh->nlmsg_pid = pid; |
146 | } | 143 | } |
147 | 144 | ||
148 | struct audit_entry { | ||
149 | struct list_head list; | ||
150 | struct audit_rule rule; | ||
151 | }; | ||
152 | |||
153 | static void audit_panic(const char *message) | 145 | static void audit_panic(const char *message) |
154 | { | 146 | { |
155 | switch (audit_failure) | 147 | switch (audit_failure) |
@@ -233,7 +225,7 @@ static int audit_set_rate_limit(int limit, uid_t loginuid) | |||
233 | { | 225 | { |
234 | int old = audit_rate_limit; | 226 | int old = audit_rate_limit; |
235 | audit_rate_limit = limit; | 227 | audit_rate_limit = limit; |
236 | audit_log(NULL, AUDIT_CONFIG_CHANGE, | 228 | audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, |
237 | "audit_rate_limit=%d old=%d by auid=%u", | 229 | "audit_rate_limit=%d old=%d by auid=%u", |
238 | audit_rate_limit, old, loginuid); | 230 | audit_rate_limit, old, loginuid); |
239 | return old; | 231 | return old; |
@@ -243,7 +235,7 @@ static int audit_set_backlog_limit(int limit, uid_t loginuid) | |||
243 | { | 235 | { |
244 | int old = audit_backlog_limit; | 236 | int old = audit_backlog_limit; |
245 | audit_backlog_limit = limit; | 237 | audit_backlog_limit = limit; |
246 | audit_log(NULL, AUDIT_CONFIG_CHANGE, | 238 | audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, |
247 | "audit_backlog_limit=%d old=%d by auid=%u", | 239 | "audit_backlog_limit=%d old=%d by auid=%u", |
248 | audit_backlog_limit, old, loginuid); | 240 | audit_backlog_limit, old, loginuid); |
249 | return old; | 241 | return old; |
@@ -255,7 +247,7 @@ static int audit_set_enabled(int state, uid_t loginuid) | |||
255 | if (state != 0 && state != 1) | 247 | if (state != 0 && state != 1) |
256 | return -EINVAL; | 248 | return -EINVAL; |
257 | audit_enabled = state; | 249 | audit_enabled = state; |
258 | audit_log(NULL, AUDIT_CONFIG_CHANGE, | 250 | audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, |
259 | "audit_enabled=%d old=%d by auid=%u", | 251 | "audit_enabled=%d old=%d by auid=%u", |
260 | audit_enabled, old, loginuid); | 252 | audit_enabled, old, loginuid); |
261 | return old; | 253 | return old; |
@@ -269,7 +261,7 @@ static int audit_set_failure(int state, uid_t loginuid) | |||
269 | && state != AUDIT_FAIL_PANIC) | 261 | && state != AUDIT_FAIL_PANIC) |
270 | return -EINVAL; | 262 | return -EINVAL; |
271 | audit_failure = state; | 263 | audit_failure = state; |
272 | audit_log(NULL, AUDIT_CONFIG_CHANGE, | 264 | audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, |
273 | "audit_failure=%d old=%d by auid=%u", | 265 | "audit_failure=%d old=%d by auid=%u", |
274 | audit_failure, old, loginuid); | 266 | audit_failure, old, loginuid); |
275 | return old; | 267 | return old; |
@@ -281,6 +273,7 @@ int kauditd_thread(void *dummy) | |||
281 | 273 | ||
282 | while (1) { | 274 | while (1) { |
283 | skb = skb_dequeue(&audit_skb_queue); | 275 | skb = skb_dequeue(&audit_skb_queue); |
276 | wake_up(&audit_backlog_wait); | ||
284 | if (skb) { | 277 | if (skb) { |
285 | if (audit_pid) { | 278 | if (audit_pid) { |
286 | int err = netlink_unicast(audit_sock, skb, audit_pid, 0); | 279 | int err = netlink_unicast(audit_sock, skb, audit_pid, 0); |
@@ -290,7 +283,7 @@ int kauditd_thread(void *dummy) | |||
290 | audit_pid = 0; | 283 | audit_pid = 0; |
291 | } | 284 | } |
292 | } else { | 285 | } else { |
293 | printk(KERN_ERR "%s\n", skb->data + NLMSG_SPACE(0)); | 286 | printk(KERN_NOTICE "%s\n", skb->data + NLMSG_SPACE(0)); |
294 | kfree_skb(skb); | 287 | kfree_skb(skb); |
295 | } | 288 | } |
296 | } else { | 289 | } else { |
@@ -423,7 +416,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) | |||
423 | if (status_get->mask & AUDIT_STATUS_PID) { | 416 | if (status_get->mask & AUDIT_STATUS_PID) { |
424 | int old = audit_pid; | 417 | int old = audit_pid; |
425 | audit_pid = status_get->pid; | 418 | audit_pid = status_get->pid; |
426 | audit_log(NULL, AUDIT_CONFIG_CHANGE, | 419 | audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, |
427 | "audit_pid=%d old=%d by auid=%u", | 420 | "audit_pid=%d old=%d by auid=%u", |
428 | audit_pid, old, loginuid); | 421 | audit_pid, old, loginuid); |
429 | } | 422 | } |
@@ -435,15 +428,21 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) | |||
435 | break; | 428 | break; |
436 | case AUDIT_USER: | 429 | case AUDIT_USER: |
437 | case AUDIT_FIRST_USER_MSG...AUDIT_LAST_USER_MSG: | 430 | case AUDIT_FIRST_USER_MSG...AUDIT_LAST_USER_MSG: |
438 | ab = audit_log_start(NULL, msg_type); | 431 | if (!audit_enabled && msg_type != AUDIT_USER_AVC) |
439 | if (!ab) | 432 | return 0; |
440 | break; /* audit_panic has been called */ | 433 | |
441 | audit_log_format(ab, | 434 | err = audit_filter_user(&NETLINK_CB(skb), msg_type); |
442 | "user pid=%d uid=%u auid=%u" | 435 | if (err == 1) { |
443 | " msg='%.1024s'", | 436 | err = 0; |
444 | pid, uid, loginuid, (char *)data); | 437 | ab = audit_log_start(NULL, GFP_KERNEL, msg_type); |
445 | audit_set_pid(ab, pid); | 438 | if (ab) { |
446 | audit_log_end(ab); | 439 | audit_log_format(ab, |
440 | "user pid=%d uid=%u auid=%u msg='%.1024s'", | ||
441 | pid, uid, loginuid, (char *)data); | ||
442 | audit_set_pid(ab, pid); | ||
443 | audit_log_end(ab); | ||
444 | } | ||
445 | } | ||
447 | break; | 446 | break; |
448 | case AUDIT_ADD: | 447 | case AUDIT_ADD: |
449 | case AUDIT_DEL: | 448 | case AUDIT_DEL: |
@@ -523,7 +522,7 @@ static int __init audit_init(void) | |||
523 | skb_queue_head_init(&audit_skb_queue); | 522 | skb_queue_head_init(&audit_skb_queue); |
524 | audit_initialized = 1; | 523 | audit_initialized = 1; |
525 | audit_enabled = audit_default; | 524 | audit_enabled = audit_default; |
526 | audit_log(NULL, AUDIT_KERNEL, "initialized"); | 525 | audit_log(NULL, GFP_KERNEL, AUDIT_KERNEL, "initialized"); |
527 | return 0; | 526 | return 0; |
528 | } | 527 | } |
529 | __initcall(audit_init); | 528 | __initcall(audit_init); |
@@ -561,7 +560,7 @@ static void audit_buffer_free(struct audit_buffer *ab) | |||
561 | } | 560 | } |
562 | 561 | ||
563 | static struct audit_buffer * audit_buffer_alloc(struct audit_context *ctx, | 562 | static struct audit_buffer * audit_buffer_alloc(struct audit_context *ctx, |
564 | int gfp_mask, int type) | 563 | unsigned int __nocast gfp_mask, int type) |
565 | { | 564 | { |
566 | unsigned long flags; | 565 | unsigned long flags; |
567 | struct audit_buffer *ab = NULL; | 566 | struct audit_buffer *ab = NULL; |
@@ -587,6 +586,7 @@ static struct audit_buffer * audit_buffer_alloc(struct audit_context *ctx, | |||
587 | goto err; | 586 | goto err; |
588 | 587 | ||
589 | ab->ctx = ctx; | 588 | ab->ctx = ctx; |
589 | ab->gfp_mask = gfp_mask; | ||
590 | nlh = (struct nlmsghdr *)skb_put(ab->skb, NLMSG_SPACE(0)); | 590 | nlh = (struct nlmsghdr *)skb_put(ab->skb, NLMSG_SPACE(0)); |
591 | nlh->nlmsg_type = type; | 591 | nlh->nlmsg_type = type; |
592 | nlh->nlmsg_flags = 0; | 592 | nlh->nlmsg_flags = 0; |
@@ -606,26 +606,27 @@ err: | |||
606 | * (timestamp,serial) tuple is unique for each syscall and is live from | 606 | * (timestamp,serial) tuple is unique for each syscall and is live from |
607 | * syscall entry to syscall exit. | 607 | * syscall entry to syscall exit. |
608 | * | 608 | * |
609 | * Atomic values are only guaranteed to be 24-bit, so we count down. | ||
610 | * | ||
611 | * NOTE: Another possibility is to store the formatted records off the | 609 | * NOTE: Another possibility is to store the formatted records off the |
612 | * audit context (for those records that have a context), and emit them | 610 | * audit context (for those records that have a context), and emit them |
613 | * all at syscall exit. However, this could delay the reporting of | 611 | * all at syscall exit. However, this could delay the reporting of |
614 | * significant errors until syscall exit (or never, if the system | 612 | * significant errors until syscall exit (or never, if the system |
615 | * halts). */ | 613 | * halts). */ |
614 | |||
616 | unsigned int audit_serial(void) | 615 | unsigned int audit_serial(void) |
617 | { | 616 | { |
618 | static atomic_t serial = ATOMIC_INIT(0xffffff); | 617 | static spinlock_t serial_lock = SPIN_LOCK_UNLOCKED; |
619 | unsigned int a, b; | 618 | static unsigned int serial = 0; |
619 | |||
620 | unsigned long flags; | ||
621 | unsigned int ret; | ||
620 | 622 | ||
623 | spin_lock_irqsave(&serial_lock, flags); | ||
621 | do { | 624 | do { |
622 | a = atomic_read(&serial); | 625 | ret = ++serial; |
623 | if (atomic_dec_and_test(&serial)) | 626 | } while (unlikely(!ret)); |
624 | atomic_set(&serial, 0xffffff); | 627 | spin_unlock_irqrestore(&serial_lock, flags); |
625 | b = atomic_read(&serial); | ||
626 | } while (b != a - 1); | ||
627 | 628 | ||
628 | return 0xffffff - b; | 629 | return ret; |
629 | } | 630 | } |
630 | 631 | ||
631 | static inline void audit_get_stamp(struct audit_context *ctx, | 632 | static inline void audit_get_stamp(struct audit_context *ctx, |
@@ -645,17 +646,43 @@ static inline void audit_get_stamp(struct audit_context *ctx, | |||
645 | * syscall, then the syscall is marked as auditable and an audit record | 646 | * syscall, then the syscall is marked as auditable and an audit record |
646 | * will be written at syscall exit. If there is no associated task, tsk | 647 | * will be written at syscall exit. If there is no associated task, tsk |
647 | * should be NULL. */ | 648 | * should be NULL. */ |
648 | struct audit_buffer *audit_log_start(struct audit_context *ctx, int type) | 649 | |
650 | struct audit_buffer *audit_log_start(struct audit_context *ctx, int gfp_mask, | ||
651 | int type) | ||
649 | { | 652 | { |
650 | struct audit_buffer *ab = NULL; | 653 | struct audit_buffer *ab = NULL; |
651 | struct timespec t; | 654 | struct timespec t; |
652 | unsigned int serial; | 655 | unsigned int serial; |
656 | int reserve; | ||
657 | unsigned long timeout_start = jiffies; | ||
653 | 658 | ||
654 | if (!audit_initialized) | 659 | if (!audit_initialized) |
655 | return NULL; | 660 | return NULL; |
656 | 661 | ||
657 | if (audit_backlog_limit | 662 | if (gfp_mask & __GFP_WAIT) |
658 | && skb_queue_len(&audit_skb_queue) > audit_backlog_limit) { | 663 | reserve = 0; |
664 | else | ||
665 | reserve = 5; /* Allow atomic callers to go up to five | ||
666 | entries over the normal backlog limit */ | ||
667 | |||
668 | while (audit_backlog_limit | ||
669 | && skb_queue_len(&audit_skb_queue) > audit_backlog_limit + reserve) { | ||
670 | if (gfp_mask & __GFP_WAIT && audit_backlog_wait_time | ||
671 | && time_before(jiffies, timeout_start + audit_backlog_wait_time)) { | ||
672 | |||
673 | /* Wait for auditd to drain the queue a little */ | ||
674 | DECLARE_WAITQUEUE(wait, current); | ||
675 | set_current_state(TASK_INTERRUPTIBLE); | ||
676 | add_wait_queue(&audit_backlog_wait, &wait); | ||
677 | |||
678 | if (audit_backlog_limit && | ||
679 | skb_queue_len(&audit_skb_queue) > audit_backlog_limit) | ||
680 | schedule_timeout(timeout_start + audit_backlog_wait_time - jiffies); | ||
681 | |||
682 | __set_current_state(TASK_RUNNING); | ||
683 | remove_wait_queue(&audit_backlog_wait, &wait); | ||
684 | continue; | ||
685 | } | ||
659 | if (audit_rate_check()) | 686 | if (audit_rate_check()) |
660 | printk(KERN_WARNING | 687 | printk(KERN_WARNING |
661 | "audit: audit_backlog=%d > " | 688 | "audit: audit_backlog=%d > " |
@@ -663,10 +690,12 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, int type) | |||
663 | skb_queue_len(&audit_skb_queue), | 690 | skb_queue_len(&audit_skb_queue), |
664 | audit_backlog_limit); | 691 | audit_backlog_limit); |
665 | audit_log_lost("backlog limit exceeded"); | 692 | audit_log_lost("backlog limit exceeded"); |
693 | audit_backlog_wait_time = audit_backlog_wait_overflow; | ||
694 | wake_up(&audit_backlog_wait); | ||
666 | return NULL; | 695 | return NULL; |
667 | } | 696 | } |
668 | 697 | ||
669 | ab = audit_buffer_alloc(ctx, GFP_ATOMIC, type); | 698 | ab = audit_buffer_alloc(ctx, gfp_mask, type); |
670 | if (!ab) { | 699 | if (!ab) { |
671 | audit_log_lost("out of memory in audit_log_start"); | 700 | audit_log_lost("out of memory in audit_log_start"); |
672 | return NULL; | 701 | return NULL; |
@@ -690,7 +719,7 @@ static inline int audit_expand(struct audit_buffer *ab, int extra) | |||
690 | { | 719 | { |
691 | struct sk_buff *skb = ab->skb; | 720 | struct sk_buff *skb = ab->skb; |
692 | int ret = pskb_expand_head(skb, skb_headroom(skb), extra, | 721 | int ret = pskb_expand_head(skb, skb_headroom(skb), extra, |
693 | GFP_ATOMIC); | 722 | ab->gfp_mask); |
694 | if (ret < 0) { | 723 | if (ret < 0) { |
695 | audit_log_lost("out of memory in audit_expand"); | 724 | audit_log_lost("out of memory in audit_expand"); |
696 | return 0; | 725 | return 0; |
@@ -809,7 +838,7 @@ void audit_log_d_path(struct audit_buffer *ab, const char *prefix, | |||
809 | audit_log_format(ab, " %s", prefix); | 838 | audit_log_format(ab, " %s", prefix); |
810 | 839 | ||
811 | /* We will allow 11 spaces for ' (deleted)' to be appended */ | 840 | /* We will allow 11 spaces for ' (deleted)' to be appended */ |
812 | path = kmalloc(PATH_MAX+11, GFP_KERNEL); | 841 | path = kmalloc(PATH_MAX+11, ab->gfp_mask); |
813 | if (!path) { | 842 | if (!path) { |
814 | audit_log_format(ab, "<no memory>"); | 843 | audit_log_format(ab, "<no memory>"); |
815 | return; | 844 | return; |
@@ -841,7 +870,7 @@ void audit_log_end(struct audit_buffer *ab) | |||
841 | ab->skb = NULL; | 870 | ab->skb = NULL; |
842 | wake_up_interruptible(&kauditd_wait); | 871 | wake_up_interruptible(&kauditd_wait); |
843 | } else { | 872 | } else { |
844 | printk("%s\n", ab->skb->data + NLMSG_SPACE(0)); | 873 | printk(KERN_NOTICE "%s\n", ab->skb->data + NLMSG_SPACE(0)); |
845 | } | 874 | } |
846 | } | 875 | } |
847 | audit_buffer_free(ab); | 876 | audit_buffer_free(ab); |
@@ -850,12 +879,13 @@ void audit_log_end(struct audit_buffer *ab) | |||
850 | /* Log an audit record. This is a convenience function that calls | 879 | /* Log an audit record. This is a convenience function that calls |
851 | * audit_log_start, audit_log_vformat, and audit_log_end. It may be | 880 | * audit_log_start, audit_log_vformat, and audit_log_end. It may be |
852 | * called in any context. */ | 881 | * called in any context. */ |
853 | void audit_log(struct audit_context *ctx, int type, const char *fmt, ...) | 882 | void audit_log(struct audit_context *ctx, int gfp_mask, int type, |
883 | const char *fmt, ...) | ||
854 | { | 884 | { |
855 | struct audit_buffer *ab; | 885 | struct audit_buffer *ab; |
856 | va_list args; | 886 | va_list args; |
857 | 887 | ||
858 | ab = audit_log_start(ctx, type); | 888 | ab = audit_log_start(ctx, gfp_mask, type); |
859 | if (ab) { | 889 | if (ab) { |
860 | va_start(args, fmt); | 890 | va_start(args, fmt); |
861 | audit_log_vformat(ab, fmt, args); | 891 | audit_log_vformat(ab, fmt, args); |
diff --git a/kernel/auditsc.c b/kernel/auditsc.c index e75f84e1a1a0..88696f639aab 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c | |||
@@ -39,6 +39,9 @@ | |||
39 | #include <linux/audit.h> | 39 | #include <linux/audit.h> |
40 | #include <linux/personality.h> | 40 | #include <linux/personality.h> |
41 | #include <linux/time.h> | 41 | #include <linux/time.h> |
42 | #include <linux/kthread.h> | ||
43 | #include <linux/netlink.h> | ||
44 | #include <linux/compiler.h> | ||
42 | #include <asm/unistd.h> | 45 | #include <asm/unistd.h> |
43 | 46 | ||
44 | /* 0 = no checking | 47 | /* 0 = no checking |
@@ -95,6 +98,7 @@ struct audit_names { | |||
95 | uid_t uid; | 98 | uid_t uid; |
96 | gid_t gid; | 99 | gid_t gid; |
97 | dev_t rdev; | 100 | dev_t rdev; |
101 | unsigned flags; | ||
98 | }; | 102 | }; |
99 | 103 | ||
100 | struct audit_aux_data { | 104 | struct audit_aux_data { |
@@ -167,9 +171,16 @@ struct audit_context { | |||
167 | /* There are three lists of rules -- one to search at task creation | 171 | /* There are three lists of rules -- one to search at task creation |
168 | * time, one to search at syscall entry time, and another to search at | 172 | * time, one to search at syscall entry time, and another to search at |
169 | * syscall exit time. */ | 173 | * syscall exit time. */ |
170 | static LIST_HEAD(audit_tsklist); | 174 | static struct list_head audit_filter_list[AUDIT_NR_FILTERS] = { |
171 | static LIST_HEAD(audit_entlist); | 175 | LIST_HEAD_INIT(audit_filter_list[0]), |
172 | static LIST_HEAD(audit_extlist); | 176 | LIST_HEAD_INIT(audit_filter_list[1]), |
177 | LIST_HEAD_INIT(audit_filter_list[2]), | ||
178 | LIST_HEAD_INIT(audit_filter_list[3]), | ||
179 | LIST_HEAD_INIT(audit_filter_list[4]), | ||
180 | #if AUDIT_NR_FILTERS != 5 | ||
181 | #error Fix audit_filter_list initialiser | ||
182 | #endif | ||
183 | }; | ||
173 | 184 | ||
174 | struct audit_entry { | 185 | struct audit_entry { |
175 | struct list_head list; | 186 | struct list_head list; |
@@ -179,9 +190,36 @@ struct audit_entry { | |||
179 | 190 | ||
180 | extern int audit_pid; | 191 | extern int audit_pid; |
181 | 192 | ||
193 | /* Copy rule from user-space to kernel-space. Called from | ||
194 | * audit_add_rule during AUDIT_ADD. */ | ||
195 | static inline int audit_copy_rule(struct audit_rule *d, struct audit_rule *s) | ||
196 | { | ||
197 | int i; | ||
198 | |||
199 | if (s->action != AUDIT_NEVER | ||
200 | && s->action != AUDIT_POSSIBLE | ||
201 | && s->action != AUDIT_ALWAYS) | ||
202 | return -1; | ||
203 | if (s->field_count < 0 || s->field_count > AUDIT_MAX_FIELDS) | ||
204 | return -1; | ||
205 | if ((s->flags & ~AUDIT_FILTER_PREPEND) >= AUDIT_NR_FILTERS) | ||
206 | return -1; | ||
207 | |||
208 | d->flags = s->flags; | ||
209 | d->action = s->action; | ||
210 | d->field_count = s->field_count; | ||
211 | for (i = 0; i < d->field_count; i++) { | ||
212 | d->fields[i] = s->fields[i]; | ||
213 | d->values[i] = s->values[i]; | ||
214 | } | ||
215 | for (i = 0; i < AUDIT_BITMASK_SIZE; i++) d->mask[i] = s->mask[i]; | ||
216 | return 0; | ||
217 | } | ||
218 | |||
182 | /* Check to see if two rules are identical. It is called from | 219 | /* Check to see if two rules are identical. It is called from |
220 | * audit_add_rule during AUDIT_ADD and | ||
183 | * audit_del_rule during AUDIT_DEL. */ | 221 | * audit_del_rule during AUDIT_DEL. */ |
184 | static int audit_compare_rule(struct audit_rule *a, struct audit_rule *b) | 222 | static inline int audit_compare_rule(struct audit_rule *a, struct audit_rule *b) |
185 | { | 223 | { |
186 | int i; | 224 | int i; |
187 | 225 | ||
@@ -210,19 +248,37 @@ static int audit_compare_rule(struct audit_rule *a, struct audit_rule *b) | |||
210 | /* Note that audit_add_rule and audit_del_rule are called via | 248 | /* Note that audit_add_rule and audit_del_rule are called via |
211 | * audit_receive() in audit.c, and are protected by | 249 | * audit_receive() in audit.c, and are protected by |
212 | * audit_netlink_sem. */ | 250 | * audit_netlink_sem. */ |
213 | static inline int audit_add_rule(struct audit_entry *entry, | 251 | static inline int audit_add_rule(struct audit_rule *rule, |
214 | struct list_head *list) | 252 | struct list_head *list) |
215 | { | 253 | { |
216 | if (entry->rule.flags & AUDIT_PREPEND) { | 254 | struct audit_entry *entry; |
217 | entry->rule.flags &= ~AUDIT_PREPEND; | 255 | |
256 | /* Do not use the _rcu iterator here, since this is the only | ||
257 | * addition routine. */ | ||
258 | list_for_each_entry(entry, list, list) { | ||
259 | if (!audit_compare_rule(rule, &entry->rule)) { | ||
260 | return -EEXIST; | ||
261 | } | ||
262 | } | ||
263 | |||
264 | if (!(entry = kmalloc(sizeof(*entry), GFP_KERNEL))) | ||
265 | return -ENOMEM; | ||
266 | if (audit_copy_rule(&entry->rule, rule)) { | ||
267 | kfree(entry); | ||
268 | return -EINVAL; | ||
269 | } | ||
270 | |||
271 | if (entry->rule.flags & AUDIT_FILTER_PREPEND) { | ||
272 | entry->rule.flags &= ~AUDIT_FILTER_PREPEND; | ||
218 | list_add_rcu(&entry->list, list); | 273 | list_add_rcu(&entry->list, list); |
219 | } else { | 274 | } else { |
220 | list_add_tail_rcu(&entry->list, list); | 275 | list_add_tail_rcu(&entry->list, list); |
221 | } | 276 | } |
277 | |||
222 | return 0; | 278 | return 0; |
223 | } | 279 | } |
224 | 280 | ||
225 | static void audit_free_rule(struct rcu_head *head) | 281 | static inline void audit_free_rule(struct rcu_head *head) |
226 | { | 282 | { |
227 | struct audit_entry *e = container_of(head, struct audit_entry, rcu); | 283 | struct audit_entry *e = container_of(head, struct audit_entry, rcu); |
228 | kfree(e); | 284 | kfree(e); |
@@ -245,82 +301,82 @@ static inline int audit_del_rule(struct audit_rule *rule, | |||
245 | return 0; | 301 | return 0; |
246 | } | 302 | } |
247 | } | 303 | } |
248 | return -EFAULT; /* No matching rule */ | 304 | return -ENOENT; /* No matching rule */ |
249 | } | 305 | } |
250 | 306 | ||
251 | /* Copy rule from user-space to kernel-space. Called during | 307 | static int audit_list_rules(void *_dest) |
252 | * AUDIT_ADD. */ | ||
253 | static int audit_copy_rule(struct audit_rule *d, struct audit_rule *s) | ||
254 | { | 308 | { |
309 | int pid, seq; | ||
310 | int *dest = _dest; | ||
311 | struct audit_entry *entry; | ||
255 | int i; | 312 | int i; |
256 | 313 | ||
257 | if (s->action != AUDIT_NEVER | 314 | pid = dest[0]; |
258 | && s->action != AUDIT_POSSIBLE | 315 | seq = dest[1]; |
259 | && s->action != AUDIT_ALWAYS) | 316 | kfree(dest); |
260 | return -1; | ||
261 | if (s->field_count < 0 || s->field_count > AUDIT_MAX_FIELDS) | ||
262 | return -1; | ||
263 | 317 | ||
264 | d->flags = s->flags; | 318 | down(&audit_netlink_sem); |
265 | d->action = s->action; | 319 | |
266 | d->field_count = s->field_count; | 320 | /* The *_rcu iterators not needed here because we are |
267 | for (i = 0; i < d->field_count; i++) { | 321 | always called with audit_netlink_sem held. */ |
268 | d->fields[i] = s->fields[i]; | 322 | for (i=0; i<AUDIT_NR_FILTERS; i++) { |
269 | d->values[i] = s->values[i]; | 323 | list_for_each_entry(entry, &audit_filter_list[i], list) |
324 | audit_send_reply(pid, seq, AUDIT_LIST, 0, 1, | ||
325 | &entry->rule, sizeof(entry->rule)); | ||
270 | } | 326 | } |
271 | for (i = 0; i < AUDIT_BITMASK_SIZE; i++) d->mask[i] = s->mask[i]; | 327 | audit_send_reply(pid, seq, AUDIT_LIST, 1, 1, NULL, 0); |
328 | |||
329 | up(&audit_netlink_sem); | ||
272 | return 0; | 330 | return 0; |
273 | } | 331 | } |
274 | 332 | ||
275 | int audit_receive_filter(int type, int pid, int uid, int seq, void *data, | 333 | int audit_receive_filter(int type, int pid, int uid, int seq, void *data, |
276 | uid_t loginuid) | 334 | uid_t loginuid) |
277 | { | 335 | { |
278 | u32 flags; | 336 | struct task_struct *tsk; |
279 | struct audit_entry *entry; | 337 | int *dest; |
280 | int err = 0; | 338 | int err = 0; |
339 | unsigned listnr; | ||
281 | 340 | ||
282 | switch (type) { | 341 | switch (type) { |
283 | case AUDIT_LIST: | 342 | case AUDIT_LIST: |
284 | /* The *_rcu iterators not needed here because we are | 343 | /* We can't just spew out the rules here because we might fill |
285 | always called with audit_netlink_sem held. */ | 344 | * the available socket buffer space and deadlock waiting for |
286 | list_for_each_entry(entry, &audit_tsklist, list) | 345 | * auditctl to read from it... which isn't ever going to |
287 | audit_send_reply(pid, seq, AUDIT_LIST, 0, 1, | 346 | * happen if we're actually running in the context of auditctl |
288 | &entry->rule, sizeof(entry->rule)); | 347 | * trying to _send_ the stuff */ |
289 | list_for_each_entry(entry, &audit_entlist, list) | 348 | |
290 | audit_send_reply(pid, seq, AUDIT_LIST, 0, 1, | 349 | dest = kmalloc(2 * sizeof(int), GFP_KERNEL); |
291 | &entry->rule, sizeof(entry->rule)); | 350 | if (!dest) |
292 | list_for_each_entry(entry, &audit_extlist, list) | 351 | return -ENOMEM; |
293 | audit_send_reply(pid, seq, AUDIT_LIST, 0, 1, | 352 | dest[0] = pid; |
294 | &entry->rule, sizeof(entry->rule)); | 353 | dest[1] = seq; |
295 | audit_send_reply(pid, seq, AUDIT_LIST, 1, 1, NULL, 0); | 354 | |
355 | tsk = kthread_run(audit_list_rules, dest, "audit_list_rules"); | ||
356 | if (IS_ERR(tsk)) { | ||
357 | kfree(dest); | ||
358 | err = PTR_ERR(tsk); | ||
359 | } | ||
296 | break; | 360 | break; |
297 | case AUDIT_ADD: | 361 | case AUDIT_ADD: |
298 | if (!(entry = kmalloc(sizeof(*entry), GFP_KERNEL))) | 362 | listnr =((struct audit_rule *)data)->flags & ~AUDIT_FILTER_PREPEND; |
299 | return -ENOMEM; | 363 | if (listnr >= AUDIT_NR_FILTERS) |
300 | if (audit_copy_rule(&entry->rule, data)) { | ||
301 | kfree(entry); | ||
302 | return -EINVAL; | 364 | return -EINVAL; |
303 | } | 365 | |
304 | flags = entry->rule.flags; | 366 | err = audit_add_rule(data, &audit_filter_list[listnr]); |
305 | if (!err && (flags & AUDIT_PER_TASK)) | 367 | if (!err) |
306 | err = audit_add_rule(entry, &audit_tsklist); | 368 | audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, |
307 | if (!err && (flags & AUDIT_AT_ENTRY)) | 369 | "auid=%u added an audit rule\n", loginuid); |
308 | err = audit_add_rule(entry, &audit_entlist); | ||
309 | if (!err && (flags & AUDIT_AT_EXIT)) | ||
310 | err = audit_add_rule(entry, &audit_extlist); | ||
311 | audit_log(NULL, AUDIT_CONFIG_CHANGE, | ||
312 | "auid=%u added an audit rule\n", loginuid); | ||
313 | break; | 370 | break; |
314 | case AUDIT_DEL: | 371 | case AUDIT_DEL: |
315 | flags =((struct audit_rule *)data)->flags; | 372 | listnr =((struct audit_rule *)data)->flags & ~AUDIT_FILTER_PREPEND; |
316 | if (!err && (flags & AUDIT_PER_TASK)) | 373 | if (listnr >= AUDIT_NR_FILTERS) |
317 | err = audit_del_rule(data, &audit_tsklist); | 374 | return -EINVAL; |
318 | if (!err && (flags & AUDIT_AT_ENTRY)) | 375 | |
319 | err = audit_del_rule(data, &audit_entlist); | 376 | err = audit_del_rule(data, &audit_filter_list[listnr]); |
320 | if (!err && (flags & AUDIT_AT_EXIT)) | 377 | if (!err) |
321 | err = audit_del_rule(data, &audit_extlist); | 378 | audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, |
322 | audit_log(NULL, AUDIT_CONFIG_CHANGE, | 379 | "auid=%u removed an audit rule\n", loginuid); |
323 | "auid=%u removed an audit rule\n", loginuid); | ||
324 | break; | 380 | break; |
325 | default: | 381 | default: |
326 | return -EINVAL; | 382 | return -EINVAL; |
@@ -384,8 +440,12 @@ static int audit_filter_rules(struct task_struct *tsk, | |||
384 | result = (ctx->return_code == value); | 440 | result = (ctx->return_code == value); |
385 | break; | 441 | break; |
386 | case AUDIT_SUCCESS: | 442 | case AUDIT_SUCCESS: |
387 | if (ctx && ctx->return_valid) | 443 | if (ctx && ctx->return_valid) { |
388 | result = (ctx->return_valid == AUDITSC_SUCCESS); | 444 | if (value) |
445 | result = (ctx->return_valid == AUDITSC_SUCCESS); | ||
446 | else | ||
447 | result = (ctx->return_valid == AUDITSC_FAILURE); | ||
448 | } | ||
389 | break; | 449 | break; |
390 | case AUDIT_DEVMAJOR: | 450 | case AUDIT_DEVMAJOR: |
391 | if (ctx) { | 451 | if (ctx) { |
@@ -454,7 +514,7 @@ static enum audit_state audit_filter_task(struct task_struct *tsk) | |||
454 | enum audit_state state; | 514 | enum audit_state state; |
455 | 515 | ||
456 | rcu_read_lock(); | 516 | rcu_read_lock(); |
457 | list_for_each_entry_rcu(e, &audit_tsklist, list) { | 517 | list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TASK], list) { |
458 | if (audit_filter_rules(tsk, &e->rule, NULL, &state)) { | 518 | if (audit_filter_rules(tsk, &e->rule, NULL, &state)) { |
459 | rcu_read_unlock(); | 519 | rcu_read_unlock(); |
460 | return state; | 520 | return state; |
@@ -474,20 +534,84 @@ static enum audit_state audit_filter_syscall(struct task_struct *tsk, | |||
474 | struct list_head *list) | 534 | struct list_head *list) |
475 | { | 535 | { |
476 | struct audit_entry *e; | 536 | struct audit_entry *e; |
537 | enum audit_state state; | ||
538 | |||
539 | if (audit_pid && tsk->tgid == audit_pid) | ||
540 | return AUDIT_DISABLED; | ||
541 | |||
542 | rcu_read_lock(); | ||
543 | if (!list_empty(list)) { | ||
544 | int word = AUDIT_WORD(ctx->major); | ||
545 | int bit = AUDIT_BIT(ctx->major); | ||
546 | |||
547 | list_for_each_entry_rcu(e, list, list) { | ||
548 | if ((e->rule.mask[word] & bit) == bit | ||
549 | && audit_filter_rules(tsk, &e->rule, ctx, &state)) { | ||
550 | rcu_read_unlock(); | ||
551 | return state; | ||
552 | } | ||
553 | } | ||
554 | } | ||
555 | rcu_read_unlock(); | ||
556 | return AUDIT_BUILD_CONTEXT; | ||
557 | } | ||
558 | |||
559 | static int audit_filter_user_rules(struct netlink_skb_parms *cb, | ||
560 | struct audit_rule *rule, | ||
561 | enum audit_state *state) | ||
562 | { | ||
563 | int i; | ||
564 | |||
565 | for (i = 0; i < rule->field_count; i++) { | ||
566 | u32 field = rule->fields[i] & ~AUDIT_NEGATE; | ||
567 | u32 value = rule->values[i]; | ||
568 | int result = 0; | ||
569 | |||
570 | switch (field) { | ||
571 | case AUDIT_PID: | ||
572 | result = (cb->creds.pid == value); | ||
573 | break; | ||
574 | case AUDIT_UID: | ||
575 | result = (cb->creds.uid == value); | ||
576 | break; | ||
577 | case AUDIT_GID: | ||
578 | result = (cb->creds.gid == value); | ||
579 | break; | ||
580 | case AUDIT_LOGINUID: | ||
581 | result = (cb->loginuid == value); | ||
582 | break; | ||
583 | } | ||
584 | |||
585 | if (rule->fields[i] & AUDIT_NEGATE) | ||
586 | result = !result; | ||
587 | if (!result) | ||
588 | return 0; | ||
589 | } | ||
590 | switch (rule->action) { | ||
591 | case AUDIT_NEVER: *state = AUDIT_DISABLED; break; | ||
592 | case AUDIT_POSSIBLE: *state = AUDIT_BUILD_CONTEXT; break; | ||
593 | case AUDIT_ALWAYS: *state = AUDIT_RECORD_CONTEXT; break; | ||
594 | } | ||
595 | return 1; | ||
596 | } | ||
597 | |||
598 | int audit_filter_user(struct netlink_skb_parms *cb, int type) | ||
599 | { | ||
600 | struct audit_entry *e; | ||
477 | enum audit_state state; | 601 | enum audit_state state; |
478 | int word = AUDIT_WORD(ctx->major); | 602 | int ret = 1; |
479 | int bit = AUDIT_BIT(ctx->major); | ||
480 | 603 | ||
481 | rcu_read_lock(); | 604 | rcu_read_lock(); |
482 | list_for_each_entry_rcu(e, list, list) { | 605 | list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) { |
483 | if ((e->rule.mask[word] & bit) == bit | 606 | if (audit_filter_user_rules(cb, &e->rule, &state)) { |
484 | && audit_filter_rules(tsk, &e->rule, ctx, &state)) { | 607 | if (state == AUDIT_DISABLED) |
485 | rcu_read_unlock(); | 608 | ret = 0; |
486 | return state; | 609 | break; |
487 | } | 610 | } |
488 | } | 611 | } |
489 | rcu_read_unlock(); | 612 | rcu_read_unlock(); |
490 | return AUDIT_BUILD_CONTEXT; | 613 | |
614 | return ret; /* Audit by default */ | ||
491 | } | 615 | } |
492 | 616 | ||
493 | /* This should be called with task_lock() held. */ | 617 | /* This should be called with task_lock() held. */ |
@@ -504,7 +628,7 @@ static inline struct audit_context *audit_get_context(struct task_struct *tsk, | |||
504 | 628 | ||
505 | if (context->in_syscall && !context->auditable) { | 629 | if (context->in_syscall && !context->auditable) { |
506 | enum audit_state state; | 630 | enum audit_state state; |
507 | state = audit_filter_syscall(tsk, context, &audit_extlist); | 631 | state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_EXIT]); |
508 | if (state == AUDIT_RECORD_CONTEXT) | 632 | if (state == AUDIT_RECORD_CONTEXT) |
509 | context->auditable = 1; | 633 | context->auditable = 1; |
510 | } | 634 | } |
@@ -679,13 +803,13 @@ static void audit_log_task_info(struct audit_buffer *ab) | |||
679 | up_read(&mm->mmap_sem); | 803 | up_read(&mm->mmap_sem); |
680 | } | 804 | } |
681 | 805 | ||
682 | static void audit_log_exit(struct audit_context *context) | 806 | static void audit_log_exit(struct audit_context *context, unsigned int gfp_mask) |
683 | { | 807 | { |
684 | int i; | 808 | int i; |
685 | struct audit_buffer *ab; | 809 | struct audit_buffer *ab; |
686 | struct audit_aux_data *aux; | 810 | struct audit_aux_data *aux; |
687 | 811 | ||
688 | ab = audit_log_start(context, AUDIT_SYSCALL); | 812 | ab = audit_log_start(context, gfp_mask, AUDIT_SYSCALL); |
689 | if (!ab) | 813 | if (!ab) |
690 | return; /* audit_panic has been called */ | 814 | return; /* audit_panic has been called */ |
691 | audit_log_format(ab, "arch=%x syscall=%d", | 815 | audit_log_format(ab, "arch=%x syscall=%d", |
@@ -717,7 +841,7 @@ static void audit_log_exit(struct audit_context *context) | |||
717 | 841 | ||
718 | for (aux = context->aux; aux; aux = aux->next) { | 842 | for (aux = context->aux; aux; aux = aux->next) { |
719 | 843 | ||
720 | ab = audit_log_start(context, aux->type); | 844 | ab = audit_log_start(context, GFP_KERNEL, aux->type); |
721 | if (!ab) | 845 | if (!ab) |
722 | continue; /* audit_panic has been called */ | 846 | continue; /* audit_panic has been called */ |
723 | 847 | ||
@@ -754,14 +878,14 @@ static void audit_log_exit(struct audit_context *context) | |||
754 | } | 878 | } |
755 | 879 | ||
756 | if (context->pwd && context->pwdmnt) { | 880 | if (context->pwd && context->pwdmnt) { |
757 | ab = audit_log_start(context, AUDIT_CWD); | 881 | ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD); |
758 | if (ab) { | 882 | if (ab) { |
759 | audit_log_d_path(ab, "cwd=", context->pwd, context->pwdmnt); | 883 | audit_log_d_path(ab, "cwd=", context->pwd, context->pwdmnt); |
760 | audit_log_end(ab); | 884 | audit_log_end(ab); |
761 | } | 885 | } |
762 | } | 886 | } |
763 | for (i = 0; i < context->name_count; i++) { | 887 | for (i = 0; i < context->name_count; i++) { |
764 | ab = audit_log_start(context, AUDIT_PATH); | 888 | ab = audit_log_start(context, GFP_KERNEL, AUDIT_PATH); |
765 | if (!ab) | 889 | if (!ab) |
766 | continue; /* audit_panic has been called */ | 890 | continue; /* audit_panic has been called */ |
767 | 891 | ||
@@ -770,6 +894,8 @@ static void audit_log_exit(struct audit_context *context) | |||
770 | audit_log_format(ab, " name="); | 894 | audit_log_format(ab, " name="); |
771 | audit_log_untrustedstring(ab, context->names[i].name); | 895 | audit_log_untrustedstring(ab, context->names[i].name); |
772 | } | 896 | } |
897 | audit_log_format(ab, " flags=%x\n", context->names[i].flags); | ||
898 | |||
773 | if (context->names[i].ino != (unsigned long)-1) | 899 | if (context->names[i].ino != (unsigned long)-1) |
774 | audit_log_format(ab, " inode=%lu dev=%02x:%02x mode=%#o" | 900 | audit_log_format(ab, " inode=%lu dev=%02x:%02x mode=%#o" |
775 | " ouid=%u ogid=%u rdev=%02x:%02x", | 901 | " ouid=%u ogid=%u rdev=%02x:%02x", |
@@ -799,9 +925,11 @@ void audit_free(struct task_struct *tsk) | |||
799 | return; | 925 | return; |
800 | 926 | ||
801 | /* Check for system calls that do not go through the exit | 927 | /* Check for system calls that do not go through the exit |
802 | * function (e.g., exit_group), then free context block. */ | 928 | * function (e.g., exit_group), then free context block. |
803 | if (context->in_syscall && context->auditable && context->pid != audit_pid) | 929 | * We use GFP_ATOMIC here because we might be doing this |
804 | audit_log_exit(context); | 930 | * in the context of the idle thread */ |
931 | if (context->in_syscall && context->auditable) | ||
932 | audit_log_exit(context, GFP_ATOMIC); | ||
805 | 933 | ||
806 | audit_free_context(context); | 934 | audit_free_context(context); |
807 | } | 935 | } |
@@ -876,11 +1004,11 @@ void audit_syscall_entry(struct task_struct *tsk, int arch, int major, | |||
876 | 1004 | ||
877 | state = context->state; | 1005 | state = context->state; |
878 | if (state == AUDIT_SETUP_CONTEXT || state == AUDIT_BUILD_CONTEXT) | 1006 | if (state == AUDIT_SETUP_CONTEXT || state == AUDIT_BUILD_CONTEXT) |
879 | state = audit_filter_syscall(tsk, context, &audit_entlist); | 1007 | state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_ENTRY]); |
880 | if (likely(state == AUDIT_DISABLED)) | 1008 | if (likely(state == AUDIT_DISABLED)) |
881 | return; | 1009 | return; |
882 | 1010 | ||
883 | context->serial = audit_serial(); | 1011 | context->serial = 0; |
884 | context->ctime = CURRENT_TIME; | 1012 | context->ctime = CURRENT_TIME; |
885 | context->in_syscall = 1; | 1013 | context->in_syscall = 1; |
886 | context->auditable = !!(state == AUDIT_RECORD_CONTEXT); | 1014 | context->auditable = !!(state == AUDIT_RECORD_CONTEXT); |
@@ -903,10 +1031,10 @@ void audit_syscall_exit(struct task_struct *tsk, int valid, long return_code) | |||
903 | /* Not having a context here is ok, since the parent may have | 1031 | /* Not having a context here is ok, since the parent may have |
904 | * called __put_task_struct. */ | 1032 | * called __put_task_struct. */ |
905 | if (likely(!context)) | 1033 | if (likely(!context)) |
906 | return; | 1034 | goto out; |
907 | 1035 | ||
908 | if (context->in_syscall && context->auditable && context->pid != audit_pid) | 1036 | if (context->in_syscall && context->auditable) |
909 | audit_log_exit(context); | 1037 | audit_log_exit(context, GFP_KERNEL); |
910 | 1038 | ||
911 | context->in_syscall = 0; | 1039 | context->in_syscall = 0; |
912 | context->auditable = 0; | 1040 | context->auditable = 0; |
@@ -919,9 +1047,9 @@ void audit_syscall_exit(struct task_struct *tsk, int valid, long return_code) | |||
919 | } else { | 1047 | } else { |
920 | audit_free_names(context); | 1048 | audit_free_names(context); |
921 | audit_free_aux(context); | 1049 | audit_free_aux(context); |
922 | audit_zero_context(context, context->state); | ||
923 | tsk->audit_context = context; | 1050 | tsk->audit_context = context; |
924 | } | 1051 | } |
1052 | out: | ||
925 | put_task_struct(tsk); | 1053 | put_task_struct(tsk); |
926 | } | 1054 | } |
927 | 1055 | ||
@@ -996,7 +1124,7 @@ void audit_putname(const char *name) | |||
996 | 1124 | ||
997 | /* Store the inode and device from a lookup. Called from | 1125 | /* Store the inode and device from a lookup. Called from |
998 | * fs/namei.c:path_lookup(). */ | 1126 | * fs/namei.c:path_lookup(). */ |
999 | void audit_inode(const char *name, const struct inode *inode) | 1127 | void audit_inode(const char *name, const struct inode *inode, unsigned flags) |
1000 | { | 1128 | { |
1001 | int idx; | 1129 | int idx; |
1002 | struct audit_context *context = current->audit_context; | 1130 | struct audit_context *context = current->audit_context; |
@@ -1022,17 +1150,20 @@ void audit_inode(const char *name, const struct inode *inode) | |||
1022 | ++context->ino_count; | 1150 | ++context->ino_count; |
1023 | #endif | 1151 | #endif |
1024 | } | 1152 | } |
1025 | context->names[idx].ino = inode->i_ino; | 1153 | context->names[idx].flags = flags; |
1026 | context->names[idx].dev = inode->i_sb->s_dev; | 1154 | context->names[idx].ino = inode->i_ino; |
1027 | context->names[idx].mode = inode->i_mode; | 1155 | context->names[idx].dev = inode->i_sb->s_dev; |
1028 | context->names[idx].uid = inode->i_uid; | 1156 | context->names[idx].mode = inode->i_mode; |
1029 | context->names[idx].gid = inode->i_gid; | 1157 | context->names[idx].uid = inode->i_uid; |
1030 | context->names[idx].rdev = inode->i_rdev; | 1158 | context->names[idx].gid = inode->i_gid; |
1159 | context->names[idx].rdev = inode->i_rdev; | ||
1031 | } | 1160 | } |
1032 | 1161 | ||
1033 | void auditsc_get_stamp(struct audit_context *ctx, | 1162 | void auditsc_get_stamp(struct audit_context *ctx, |
1034 | struct timespec *t, unsigned int *serial) | 1163 | struct timespec *t, unsigned int *serial) |
1035 | { | 1164 | { |
1165 | if (!ctx->serial) | ||
1166 | ctx->serial = audit_serial(); | ||
1036 | t->tv_sec = ctx->ctime.tv_sec; | 1167 | t->tv_sec = ctx->ctime.tv_sec; |
1037 | t->tv_nsec = ctx->ctime.tv_nsec; | 1168 | t->tv_nsec = ctx->ctime.tv_nsec; |
1038 | *serial = ctx->serial; | 1169 | *serial = ctx->serial; |
@@ -1044,7 +1175,7 @@ int audit_set_loginuid(struct task_struct *task, uid_t loginuid) | |||
1044 | if (task->audit_context) { | 1175 | if (task->audit_context) { |
1045 | struct audit_buffer *ab; | 1176 | struct audit_buffer *ab; |
1046 | 1177 | ||
1047 | ab = audit_log_start(NULL, AUDIT_LOGIN); | 1178 | ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN); |
1048 | if (ab) { | 1179 | if (ab) { |
1049 | audit_log_format(ab, "login pid=%d uid=%u " | 1180 | audit_log_format(ab, "login pid=%d uid=%u " |
1050 | "old auid=%u new auid=%u", | 1181 | "old auid=%u new auid=%u", |
@@ -1153,7 +1284,7 @@ void audit_signal_info(int sig, struct task_struct *t) | |||
1153 | extern pid_t audit_sig_pid; | 1284 | extern pid_t audit_sig_pid; |
1154 | extern uid_t audit_sig_uid; | 1285 | extern uid_t audit_sig_uid; |
1155 | 1286 | ||
1156 | if (unlikely(audit_pid && t->pid == audit_pid)) { | 1287 | if (unlikely(audit_pid && t->tgid == audit_pid)) { |
1157 | if (sig == SIGTERM || sig == SIGHUP) { | 1288 | if (sig == SIGTERM || sig == SIGHUP) { |
1158 | struct audit_context *ctx = current->audit_context; | 1289 | struct audit_context *ctx = current->audit_context; |
1159 | audit_sig_pid = current->pid; | 1290 | audit_sig_pid = current->pid; |
diff --git a/security/selinux/avc.c b/security/selinux/avc.c index cf6020f85403..12e4fb72bf0f 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c | |||
@@ -242,7 +242,7 @@ void __init avc_init(void) | |||
242 | avc_node_cachep = kmem_cache_create("avc_node", sizeof(struct avc_node), | 242 | avc_node_cachep = kmem_cache_create("avc_node", sizeof(struct avc_node), |
243 | 0, SLAB_PANIC, NULL, NULL); | 243 | 0, SLAB_PANIC, NULL, NULL); |
244 | 244 | ||
245 | audit_log(current->audit_context, AUDIT_KERNEL, "AVC INITIALIZED\n"); | 245 | audit_log(current->audit_context, GFP_KERNEL, AUDIT_KERNEL, "AVC INITIALIZED\n"); |
246 | } | 246 | } |
247 | 247 | ||
248 | int avc_get_hash_stats(char *page) | 248 | int avc_get_hash_stats(char *page) |
@@ -550,7 +550,7 @@ void avc_audit(u32 ssid, u32 tsid, | |||
550 | return; | 550 | return; |
551 | } | 551 | } |
552 | 552 | ||
553 | ab = audit_log_start(current->audit_context, AUDIT_AVC); | 553 | ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_AVC); |
554 | if (!ab) | 554 | if (!ab) |
555 | return; /* audit_panic has been called */ | 555 | return; /* audit_panic has been called */ |
556 | audit_log_format(ab, "avc: %s ", denied ? "denied" : "granted"); | 556 | audit_log_format(ab, "avc: %s ", denied ? "denied" : "granted"); |
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index f40c8221ec1b..6e4937fe062b 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
@@ -3389,7 +3389,7 @@ static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb) | |||
3389 | err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm); | 3389 | err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm); |
3390 | if (err) { | 3390 | if (err) { |
3391 | if (err == -EINVAL) { | 3391 | if (err == -EINVAL) { |
3392 | audit_log(current->audit_context, AUDIT_SELINUX_ERR, | 3392 | audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR, |
3393 | "SELinux: unrecognized netlink message" | 3393 | "SELinux: unrecognized netlink message" |
3394 | " type=%hu for sclass=%hu\n", | 3394 | " type=%hu for sclass=%hu\n", |
3395 | nlh->nlmsg_type, isec->sclass); | 3395 | nlh->nlmsg_type, isec->sclass); |
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 92b89dc99bcd..aecdded55e74 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c | |||
@@ -381,7 +381,7 @@ static int security_validtrans_handle_fail(struct context *ocontext, | |||
381 | goto out; | 381 | goto out; |
382 | if (context_struct_to_string(tcontext, &t, &tlen) < 0) | 382 | if (context_struct_to_string(tcontext, &t, &tlen) < 0) |
383 | goto out; | 383 | goto out; |
384 | audit_log(current->audit_context, AUDIT_SELINUX_ERR, | 384 | audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR, |
385 | "security_validate_transition: denied for" | 385 | "security_validate_transition: denied for" |
386 | " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s", | 386 | " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s", |
387 | o, n, t, policydb.p_class_val_to_name[tclass-1]); | 387 | o, n, t, policydb.p_class_val_to_name[tclass-1]); |
@@ -787,7 +787,7 @@ static int compute_sid_handle_invalid_context( | |||
787 | goto out; | 787 | goto out; |
788 | if (context_struct_to_string(newcontext, &n, &nlen) < 0) | 788 | if (context_struct_to_string(newcontext, &n, &nlen) < 0) |
789 | goto out; | 789 | goto out; |
790 | audit_log(current->audit_context, AUDIT_SELINUX_ERR, | 790 | audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR, |
791 | "security_compute_sid: invalid context %s" | 791 | "security_compute_sid: invalid context %s" |
792 | " for scontext=%s" | 792 | " for scontext=%s" |
793 | " tcontext=%s" | 793 | " tcontext=%s" |