aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--arch/ia64/ia32/audit.c5
-rw-r--r--arch/ia64/kernel/audit.c17
-rw-r--r--arch/powerpc/kernel/audit.c17
-rw-r--r--arch/powerpc/kernel/compat_audit.c5
-rw-r--r--arch/s390/kernel/audit.c17
-rw-r--r--arch/s390/kernel/compat_audit.c5
-rw-r--r--arch/sparc64/kernel/audit.c17
-rw-r--r--arch/sparc64/kernel/compat_audit.c5
-rw-r--r--arch/x86_64/ia32/audit.c5
-rw-r--r--arch/x86_64/kernel/audit.c17
-rw-r--r--fs/exec.c2
-rw-r--r--fs/namei.c2
-rw-r--r--fs/xattr.c2
-rw-r--r--include/asm-generic/audit_signal.h3
-rw-r--r--include/linux/audit.h21
-rw-r--r--ipc/mqueue.c4
-rw-r--r--kernel/audit.h13
-rw-r--r--kernel/auditfilter.c48
-rw-r--r--kernel/auditsc.c311
-rw-r--r--kernel/ptrace.c3
-rw-r--r--kernel/signal.c10
-rw-r--r--lib/audit.c11
22 files changed, 439 insertions, 101 deletions
diff --git a/arch/ia64/ia32/audit.c b/arch/ia64/ia32/audit.c
index 92d7d0c8d93f..8850fe40ea34 100644
--- a/arch/ia64/ia32/audit.c
+++ b/arch/ia64/ia32/audit.c
@@ -20,6 +20,11 @@ unsigned ia32_read_class[] = {
20~0U 20~0U
21}; 21};
22 22
23unsigned ia32_signal_class[] = {
24#include <asm-generic/audit_signal.h>
25~0U
26};
27
23int ia32_classify_syscall(unsigned syscall) 28int ia32_classify_syscall(unsigned syscall)
24{ 29{
25 switch(syscall) { 30 switch(syscall) {
diff --git a/arch/ia64/kernel/audit.c b/arch/ia64/kernel/audit.c
index 04682555a28c..f3802ae89b10 100644
--- a/arch/ia64/kernel/audit.c
+++ b/arch/ia64/kernel/audit.c
@@ -23,6 +23,20 @@ static unsigned chattr_class[] = {
23~0U 23~0U
24}; 24};
25 25
26static unsigned signal_class[] = {
27#include <asm-generic/audit_signal.h>
28~0U
29};
30
31int audit_classify_arch(int arch)
32{
33#ifdef CONFIG_IA32_SUPPORT
34 if (arch == AUDIT_ARCH_I386)
35 return 1;
36#endif
37 return 0;
38}
39
26int audit_classify_syscall(int abi, unsigned syscall) 40int audit_classify_syscall(int abi, unsigned syscall)
27{ 41{
28#ifdef CONFIG_IA32_SUPPORT 42#ifdef CONFIG_IA32_SUPPORT
@@ -49,15 +63,18 @@ static int __init audit_classes_init(void)
49 extern __u32 ia32_write_class[]; 63 extern __u32 ia32_write_class[];
50 extern __u32 ia32_read_class[]; 64 extern __u32 ia32_read_class[];
51 extern __u32 ia32_chattr_class[]; 65 extern __u32 ia32_chattr_class[];
66 extern __u32 ia32_signal_class[];
52 audit_register_class(AUDIT_CLASS_WRITE_32, ia32_write_class); 67 audit_register_class(AUDIT_CLASS_WRITE_32, ia32_write_class);
53 audit_register_class(AUDIT_CLASS_READ_32, ia32_read_class); 68 audit_register_class(AUDIT_CLASS_READ_32, ia32_read_class);
54 audit_register_class(AUDIT_CLASS_DIR_WRITE_32, ia32_dir_class); 69 audit_register_class(AUDIT_CLASS_DIR_WRITE_32, ia32_dir_class);
55 audit_register_class(AUDIT_CLASS_CHATTR_32, ia32_chattr_class); 70 audit_register_class(AUDIT_CLASS_CHATTR_32, ia32_chattr_class);
71 audit_register_class(AUDIT_CLASS_SIGNAL_32, ia32_signal_class);
56#endif 72#endif
57 audit_register_class(AUDIT_CLASS_WRITE, write_class); 73 audit_register_class(AUDIT_CLASS_WRITE, write_class);
58 audit_register_class(AUDIT_CLASS_READ, read_class); 74 audit_register_class(AUDIT_CLASS_READ, read_class);
59 audit_register_class(AUDIT_CLASS_DIR_WRITE, dir_class); 75 audit_register_class(AUDIT_CLASS_DIR_WRITE, dir_class);
60 audit_register_class(AUDIT_CLASS_CHATTR, chattr_class); 76 audit_register_class(AUDIT_CLASS_CHATTR, chattr_class);
77 audit_register_class(AUDIT_CLASS_SIGNAL, signal_class);
61 return 0; 78 return 0;
62} 79}
63 80
diff --git a/arch/powerpc/kernel/audit.c b/arch/powerpc/kernel/audit.c
index 7fe5e6300e9a..a4dab7cab348 100644
--- a/arch/powerpc/kernel/audit.c
+++ b/arch/powerpc/kernel/audit.c
@@ -23,6 +23,20 @@ static unsigned chattr_class[] = {
23~0U 23~0U
24}; 24};
25 25
26static unsigned signal_class[] = {
27#include <asm-generic/audit_signal.h>
28~0U
29};
30
31int audit_classify_arch(int arch)
32{
33#ifdef CONFIG_PPC64
34 if (arch == AUDIT_ARCH_PPC)
35 return 1;
36#endif
37 return 0;
38}
39
26int audit_classify_syscall(int abi, unsigned syscall) 40int audit_classify_syscall(int abi, unsigned syscall)
27{ 41{
28#ifdef CONFIG_PPC64 42#ifdef CONFIG_PPC64
@@ -51,15 +65,18 @@ static int __init audit_classes_init(void)
51 extern __u32 ppc32_write_class[]; 65 extern __u32 ppc32_write_class[];
52 extern __u32 ppc32_read_class[]; 66 extern __u32 ppc32_read_class[];
53 extern __u32 ppc32_chattr_class[]; 67 extern __u32 ppc32_chattr_class[];
68 extern __u32 ppc32_signal_class[];
54 audit_register_class(AUDIT_CLASS_WRITE_32, ppc32_write_class); 69 audit_register_class(AUDIT_CLASS_WRITE_32, ppc32_write_class);
55 audit_register_class(AUDIT_CLASS_READ_32, ppc32_read_class); 70 audit_register_class(AUDIT_CLASS_READ_32, ppc32_read_class);
56 audit_register_class(AUDIT_CLASS_DIR_WRITE_32, ppc32_dir_class); 71 audit_register_class(AUDIT_CLASS_DIR_WRITE_32, ppc32_dir_class);
57 audit_register_class(AUDIT_CLASS_CHATTR_32, ppc32_chattr_class); 72 audit_register_class(AUDIT_CLASS_CHATTR_32, ppc32_chattr_class);
73 audit_register_class(AUDIT_CLASS_SIGNAL_32, ppc32_signal_class);
58#endif 74#endif
59 audit_register_class(AUDIT_CLASS_WRITE, write_class); 75 audit_register_class(AUDIT_CLASS_WRITE, write_class);
60 audit_register_class(AUDIT_CLASS_READ, read_class); 76 audit_register_class(AUDIT_CLASS_READ, read_class);
61 audit_register_class(AUDIT_CLASS_DIR_WRITE, dir_class); 77 audit_register_class(AUDIT_CLASS_DIR_WRITE, dir_class);
62 audit_register_class(AUDIT_CLASS_CHATTR, chattr_class); 78 audit_register_class(AUDIT_CLASS_CHATTR, chattr_class);
79 audit_register_class(AUDIT_CLASS_SIGNAL, signal_class);
63 return 0; 80 return 0;
64} 81}
65 82
diff --git a/arch/powerpc/kernel/compat_audit.c b/arch/powerpc/kernel/compat_audit.c
index 640d4bb29321..108ff14e2122 100644
--- a/arch/powerpc/kernel/compat_audit.c
+++ b/arch/powerpc/kernel/compat_audit.c
@@ -21,6 +21,11 @@ unsigned ppc32_read_class[] = {
21~0U 21~0U
22}; 22};
23 23
24unsigned ppc32_signal_class[] = {
25#include <asm-generic/audit_signal.h>
26~0U
27};
28
24int ppc32_classify_syscall(unsigned syscall) 29int ppc32_classify_syscall(unsigned syscall)
25{ 30{
26 switch(syscall) { 31 switch(syscall) {
diff --git a/arch/s390/kernel/audit.c b/arch/s390/kernel/audit.c
index 0741d9193390..d1c76fe10f29 100644
--- a/arch/s390/kernel/audit.c
+++ b/arch/s390/kernel/audit.c
@@ -23,6 +23,20 @@ static unsigned chattr_class[] = {
23~0U 23~0U
24}; 24};
25 25
26static unsigned signal_class[] = {
27#include <asm-generic/audit_signal.h>
28~0U
29};
30
31int audit_classify_arch(int arch)
32{
33#ifdef CONFIG_COMPAT
34 if (arch == AUDIT_ARCH_S390)
35 return 1;
36#endif
37 return 0;
38}
39
26int audit_classify_syscall(int abi, unsigned syscall) 40int audit_classify_syscall(int abi, unsigned syscall)
27{ 41{
28#ifdef CONFIG_COMPAT 42#ifdef CONFIG_COMPAT
@@ -51,15 +65,18 @@ static int __init audit_classes_init(void)
51 extern __u32 s390_write_class[]; 65 extern __u32 s390_write_class[];
52 extern __u32 s390_read_class[]; 66 extern __u32 s390_read_class[];
53 extern __u32 s390_chattr_class[]; 67 extern __u32 s390_chattr_class[];
68 extern __u32 s390_signal_class[];
54 audit_register_class(AUDIT_CLASS_WRITE_32, s390_write_class); 69 audit_register_class(AUDIT_CLASS_WRITE_32, s390_write_class);
55 audit_register_class(AUDIT_CLASS_READ_32, s390_read_class); 70 audit_register_class(AUDIT_CLASS_READ_32, s390_read_class);
56 audit_register_class(AUDIT_CLASS_DIR_WRITE_32, s390_dir_class); 71 audit_register_class(AUDIT_CLASS_DIR_WRITE_32, s390_dir_class);
57 audit_register_class(AUDIT_CLASS_CHATTR_32, s390_chattr_class); 72 audit_register_class(AUDIT_CLASS_CHATTR_32, s390_chattr_class);
73 audit_register_class(AUDIT_CLASS_SIGNAL_32, s390_signal_class);
58#endif 74#endif
59 audit_register_class(AUDIT_CLASS_WRITE, write_class); 75 audit_register_class(AUDIT_CLASS_WRITE, write_class);
60 audit_register_class(AUDIT_CLASS_READ, read_class); 76 audit_register_class(AUDIT_CLASS_READ, read_class);
61 audit_register_class(AUDIT_CLASS_DIR_WRITE, dir_class); 77 audit_register_class(AUDIT_CLASS_DIR_WRITE, dir_class);
62 audit_register_class(AUDIT_CLASS_CHATTR, chattr_class); 78 audit_register_class(AUDIT_CLASS_CHATTR, chattr_class);
79 audit_register_class(AUDIT_CLASS_SIGNAL, signal_class);
63 return 0; 80 return 0;
64} 81}
65 82
diff --git a/arch/s390/kernel/compat_audit.c b/arch/s390/kernel/compat_audit.c
index 16d9436bfa91..0569f5126e49 100644
--- a/arch/s390/kernel/compat_audit.c
+++ b/arch/s390/kernel/compat_audit.c
@@ -21,6 +21,11 @@ unsigned s390_read_class[] = {
21~0U 21~0U
22}; 22};
23 23
24unsigned s390_signal_class[] = {
25#include <asm-generic/audit_signal.h>
26~0U
27};
28
24int s390_classify_syscall(unsigned syscall) 29int s390_classify_syscall(unsigned syscall)
25{ 30{
26 switch(syscall) { 31 switch(syscall) {
diff --git a/arch/sparc64/kernel/audit.c b/arch/sparc64/kernel/audit.c
index aef19cc27072..24d7f4b4178a 100644
--- a/arch/sparc64/kernel/audit.c
+++ b/arch/sparc64/kernel/audit.c
@@ -23,6 +23,20 @@ static unsigned chattr_class[] = {
23~0U 23~0U
24}; 24};
25 25
26static unsigned signal_class[] = {
27#include <asm-generic/audit_signal.h>
28~0U
29};
30
31int audit_classify_arch(int arch)
32{
33#ifdef CONFIG_SPARC32_COMPAT
34 if (arch == AUDIT_ARCH_SPARC)
35 return 1;
36#endif
37 return 0;
38}
39
26int audit_classify_syscall(int abi, unsigned syscall) 40int audit_classify_syscall(int abi, unsigned syscall)
27{ 41{
28#ifdef CONFIG_SPARC32_COMPAT 42#ifdef CONFIG_SPARC32_COMPAT
@@ -51,15 +65,18 @@ static int __init audit_classes_init(void)
51 extern __u32 sparc32_write_class[]; 65 extern __u32 sparc32_write_class[];
52 extern __u32 sparc32_read_class[]; 66 extern __u32 sparc32_read_class[];
53 extern __u32 sparc32_chattr_class[]; 67 extern __u32 sparc32_chattr_class[];
68 extern __u32 sparc32_signal_class[];
54 audit_register_class(AUDIT_CLASS_WRITE_32, sparc32_write_class); 69 audit_register_class(AUDIT_CLASS_WRITE_32, sparc32_write_class);
55 audit_register_class(AUDIT_CLASS_READ_32, sparc32_read_class); 70 audit_register_class(AUDIT_CLASS_READ_32, sparc32_read_class);
56 audit_register_class(AUDIT_CLASS_DIR_WRITE_32, sparc32_dir_class); 71 audit_register_class(AUDIT_CLASS_DIR_WRITE_32, sparc32_dir_class);
57 audit_register_class(AUDIT_CLASS_CHATTR_32, sparc32_chattr_class); 72 audit_register_class(AUDIT_CLASS_CHATTR_32, sparc32_chattr_class);
73 audit_register_class(AUDIT_CLASS_SIGNAL_32, sparc32_signal_class);
58#endif 74#endif
59 audit_register_class(AUDIT_CLASS_WRITE, write_class); 75 audit_register_class(AUDIT_CLASS_WRITE, write_class);
60 audit_register_class(AUDIT_CLASS_READ, read_class); 76 audit_register_class(AUDIT_CLASS_READ, read_class);
61 audit_register_class(AUDIT_CLASS_DIR_WRITE, dir_class); 77 audit_register_class(AUDIT_CLASS_DIR_WRITE, dir_class);
62 audit_register_class(AUDIT_CLASS_CHATTR, chattr_class); 78 audit_register_class(AUDIT_CLASS_CHATTR, chattr_class);
79 audit_register_class(AUDIT_CLASS_SIGNAL, signal_class);
63 return 0; 80 return 0;
64} 81}
65 82
diff --git a/arch/sparc64/kernel/compat_audit.c b/arch/sparc64/kernel/compat_audit.c
index cca96c91b780..c1979482aa92 100644
--- a/arch/sparc64/kernel/compat_audit.c
+++ b/arch/sparc64/kernel/compat_audit.c
@@ -20,6 +20,11 @@ unsigned sparc32_read_class[] = {
20~0U 20~0U
21}; 21};
22 22
23unsigned sparc32_signal_class[] = {
24#include <asm-generic/audit_signal.h>
25~0U
26};
27
23int sparc32_classify_syscall(unsigned syscall) 28int sparc32_classify_syscall(unsigned syscall)
24{ 29{
25 switch(syscall) { 30 switch(syscall) {
diff --git a/arch/x86_64/ia32/audit.c b/arch/x86_64/ia32/audit.c
index 92d7d0c8d93f..8850fe40ea34 100644
--- a/arch/x86_64/ia32/audit.c
+++ b/arch/x86_64/ia32/audit.c
@@ -20,6 +20,11 @@ unsigned ia32_read_class[] = {
20~0U 20~0U
21}; 21};
22 22
23unsigned ia32_signal_class[] = {
24#include <asm-generic/audit_signal.h>
25~0U
26};
27
23int ia32_classify_syscall(unsigned syscall) 28int ia32_classify_syscall(unsigned syscall)
24{ 29{
25 switch(syscall) { 30 switch(syscall) {
diff --git a/arch/x86_64/kernel/audit.c b/arch/x86_64/kernel/audit.c
index 21f33387bef3..06d3e5a14d9d 100644
--- a/arch/x86_64/kernel/audit.c
+++ b/arch/x86_64/kernel/audit.c
@@ -23,6 +23,20 @@ static unsigned chattr_class[] = {
23~0U 23~0U
24}; 24};
25 25
26static unsigned signal_class[] = {
27#include <asm-generic/audit_signal.h>
28~0U
29};
30
31int audit_classify_arch(int arch)
32{
33#ifdef CONFIG_IA32_EMULATION
34 if (arch == AUDIT_ARCH_I386)
35 return 1;
36#endif
37 return 0;
38}
39
26int audit_classify_syscall(int abi, unsigned syscall) 40int audit_classify_syscall(int abi, unsigned syscall)
27{ 41{
28#ifdef CONFIG_IA32_EMULATION 42#ifdef CONFIG_IA32_EMULATION
@@ -49,15 +63,18 @@ static int __init audit_classes_init(void)
49 extern __u32 ia32_write_class[]; 63 extern __u32 ia32_write_class[];
50 extern __u32 ia32_read_class[]; 64 extern __u32 ia32_read_class[];
51 extern __u32 ia32_chattr_class[]; 65 extern __u32 ia32_chattr_class[];
66 extern __u32 ia32_signal_class[];
52 audit_register_class(AUDIT_CLASS_WRITE_32, ia32_write_class); 67 audit_register_class(AUDIT_CLASS_WRITE_32, ia32_write_class);
53 audit_register_class(AUDIT_CLASS_READ_32, ia32_read_class); 68 audit_register_class(AUDIT_CLASS_READ_32, ia32_read_class);
54 audit_register_class(AUDIT_CLASS_DIR_WRITE_32, ia32_dir_class); 69 audit_register_class(AUDIT_CLASS_DIR_WRITE_32, ia32_dir_class);
55 audit_register_class(AUDIT_CLASS_CHATTR_32, ia32_chattr_class); 70 audit_register_class(AUDIT_CLASS_CHATTR_32, ia32_chattr_class);
71 audit_register_class(AUDIT_CLASS_SIGNAL_32, ia32_signal_class);
56#endif 72#endif
57 audit_register_class(AUDIT_CLASS_WRITE, write_class); 73 audit_register_class(AUDIT_CLASS_WRITE, write_class);
58 audit_register_class(AUDIT_CLASS_READ, read_class); 74 audit_register_class(AUDIT_CLASS_READ, read_class);
59 audit_register_class(AUDIT_CLASS_DIR_WRITE, dir_class); 75 audit_register_class(AUDIT_CLASS_DIR_WRITE, dir_class);
60 audit_register_class(AUDIT_CLASS_CHATTR, chattr_class); 76 audit_register_class(AUDIT_CLASS_CHATTR, chattr_class);
77 audit_register_class(AUDIT_CLASS_SIGNAL, signal_class);
61 return 0; 78 return 0;
62} 79}
63 80
diff --git a/fs/exec.c b/fs/exec.c
index 955a8eb66d70..70fa36554c14 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1495,6 +1495,8 @@ int do_coredump(long signr, int exit_code, struct pt_regs * regs)
1495 int flag = 0; 1495 int flag = 0;
1496 int ispipe = 0; 1496 int ispipe = 0;
1497 1497
1498 audit_core_dumps(signr);
1499
1498 binfmt = current->binfmt; 1500 binfmt = current->binfmt;
1499 if (!binfmt || !binfmt->core_dump) 1501 if (!binfmt || !binfmt->core_dump)
1500 goto fail; 1502 goto fail;
diff --git a/fs/namei.c b/fs/namei.c
index b3780e3fc88e..5e2d98d10c5d 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -1719,7 +1719,7 @@ do_last:
1719 * It already exists. 1719 * It already exists.
1720 */ 1720 */
1721 mutex_unlock(&dir->d_inode->i_mutex); 1721 mutex_unlock(&dir->d_inode->i_mutex);
1722 audit_inode_update(path.dentry->d_inode); 1722 audit_inode(pathname, path.dentry->d_inode);
1723 1723
1724 error = -EEXIST; 1724 error = -EEXIST;
1725 if (flag & O_EXCL) 1725 if (flag & O_EXCL)
diff --git a/fs/xattr.c b/fs/xattr.c
index 9f4568b55b0f..4523aca79659 100644
--- a/fs/xattr.c
+++ b/fs/xattr.c
@@ -350,6 +350,7 @@ sys_fgetxattr(int fd, char __user *name, void __user *value, size_t size)
350 f = fget(fd); 350 f = fget(fd);
351 if (!f) 351 if (!f)
352 return error; 352 return error;
353 audit_inode(NULL, f->f_path.dentry->d_inode);
353 error = getxattr(f->f_path.dentry, name, value, size); 354 error = getxattr(f->f_path.dentry, name, value, size);
354 fput(f); 355 fput(f);
355 return error; 356 return error;
@@ -422,6 +423,7 @@ sys_flistxattr(int fd, char __user *list, size_t size)
422 f = fget(fd); 423 f = fget(fd);
423 if (!f) 424 if (!f)
424 return error; 425 return error;
426 audit_inode(NULL, f->f_path.dentry->d_inode);
425 error = listxattr(f->f_path.dentry, list, size); 427 error = listxattr(f->f_path.dentry, list, size);
426 fput(f); 428 fput(f);
427 return error; 429 return error;
diff --git a/include/asm-generic/audit_signal.h b/include/asm-generic/audit_signal.h
new file mode 100644
index 000000000000..6feab7f18a53
--- /dev/null
+++ b/include/asm-generic/audit_signal.h
@@ -0,0 +1,3 @@
1__NR_kill,
2__NR_tgkill,
3__NR_tkill,
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 773e30df11ee..fccc6e50298a 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -91,6 +91,7 @@
91#define AUDIT_MQ_GETSETATTR 1315 /* POSIX MQ get/set attribute record type */ 91#define AUDIT_MQ_GETSETATTR 1315 /* POSIX MQ get/set attribute record type */
92#define AUDIT_KERNEL_OTHER 1316 /* For use by 3rd party modules */ 92#define AUDIT_KERNEL_OTHER 1316 /* For use by 3rd party modules */
93#define AUDIT_FD_PAIR 1317 /* audit record for pipe/socketpair */ 93#define AUDIT_FD_PAIR 1317 /* audit record for pipe/socketpair */
94#define AUDIT_OBJ_PID 1318 /* ptrace target */
94 95
95#define AUDIT_AVC 1400 /* SE Linux avc denial or grant */ 96#define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
96#define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */ 97#define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
@@ -111,6 +112,7 @@
111#define AUDIT_FIRST_KERN_ANOM_MSG 1700 112#define AUDIT_FIRST_KERN_ANOM_MSG 1700
112#define AUDIT_LAST_KERN_ANOM_MSG 1799 113#define AUDIT_LAST_KERN_ANOM_MSG 1799
113#define AUDIT_ANOM_PROMISCUOUS 1700 /* Device changed promiscuous mode */ 114#define AUDIT_ANOM_PROMISCUOUS 1700 /* Device changed promiscuous mode */
115#define AUDIT_ANOM_ABEND 1701 /* Process ended abnormally */
114 116
115#define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */ 117#define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */
116 118
@@ -148,6 +150,8 @@
148#define AUDIT_CLASS_READ_32 5 150#define AUDIT_CLASS_READ_32 5
149#define AUDIT_CLASS_WRITE 6 151#define AUDIT_CLASS_WRITE 6
150#define AUDIT_CLASS_WRITE_32 7 152#define AUDIT_CLASS_WRITE_32 7
153#define AUDIT_CLASS_SIGNAL 8
154#define AUDIT_CLASS_SIGNAL_32 9
151 155
152/* This bitmask is used to validate user input. It represents all bits that 156/* This bitmask is used to validate user input. It represents all bits that
153 * are currently used in an audit field constant understood by the kernel. 157 * are currently used in an audit field constant understood by the kernel.
@@ -337,6 +341,7 @@ struct mqstat;
337#define AUDITSC_RESULT(x) ( ((long)(x))<0?AUDITSC_FAILURE:AUDITSC_SUCCESS ) 341#define AUDITSC_RESULT(x) ( ((long)(x))<0?AUDITSC_FAILURE:AUDITSC_SUCCESS )
338extern int __init audit_register_class(int class, unsigned *list); 342extern int __init audit_register_class(int class, unsigned *list);
339extern int audit_classify_syscall(int abi, unsigned syscall); 343extern int audit_classify_syscall(int abi, unsigned syscall);
344extern int audit_classify_arch(int arch);
340#ifdef CONFIG_AUDITSYSCALL 345#ifdef CONFIG_AUDITSYSCALL
341/* These are defined in auditsc.c */ 346/* These are defined in auditsc.c */
342 /* Public API */ 347 /* Public API */
@@ -351,7 +356,8 @@ extern void audit_putname(const char *name);
351extern void __audit_inode(const char *name, const struct inode *inode); 356extern void __audit_inode(const char *name, const struct inode *inode);
352extern void __audit_inode_child(const char *dname, const struct inode *inode, 357extern void __audit_inode_child(const char *dname, const struct inode *inode,
353 const struct inode *parent); 358 const struct inode *parent);
354extern void __audit_inode_update(const struct inode *inode); 359extern void __audit_ptrace(struct task_struct *t);
360
355static inline int audit_dummy_context(void) 361static inline int audit_dummy_context(void)
356{ 362{
357 void *p = current->audit_context; 363 void *p = current->audit_context;
@@ -372,9 +378,12 @@ static inline void audit_inode_child(const char *dname,
372 if (unlikely(!audit_dummy_context())) 378 if (unlikely(!audit_dummy_context()))
373 __audit_inode_child(dname, inode, parent); 379 __audit_inode_child(dname, inode, parent);
374} 380}
375static inline void audit_inode_update(const struct inode *inode) { 381void audit_core_dumps(long signr);
382
383static inline void audit_ptrace(struct task_struct *t)
384{
376 if (unlikely(!audit_dummy_context())) 385 if (unlikely(!audit_dummy_context()))
377 __audit_inode_update(inode); 386 __audit_ptrace(t);
378} 387}
379 388
380 /* Private API (for audit.c only) */ 389 /* Private API (for audit.c only) */
@@ -447,6 +456,7 @@ static inline int audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat)
447 return 0; 456 return 0;
448} 457}
449extern int audit_n_rules; 458extern int audit_n_rules;
459extern int audit_signals;
450#else 460#else
451#define audit_alloc(t) ({ 0; }) 461#define audit_alloc(t) ({ 0; })
452#define audit_free(t) do { ; } while (0) 462#define audit_free(t) do { ; } while (0)
@@ -457,10 +467,9 @@ extern int audit_n_rules;
457#define audit_putname(n) do { ; } while (0) 467#define audit_putname(n) do { ; } while (0)
458#define __audit_inode(n,i) do { ; } while (0) 468#define __audit_inode(n,i) do { ; } while (0)
459#define __audit_inode_child(d,i,p) do { ; } while (0) 469#define __audit_inode_child(d,i,p) do { ; } while (0)
460#define __audit_inode_update(i) do { ; } while (0)
461#define audit_inode(n,i) do { ; } while (0) 470#define audit_inode(n,i) do { ; } while (0)
462#define audit_inode_child(d,i,p) do { ; } while (0) 471#define audit_inode_child(d,i,p) do { ; } while (0)
463#define audit_inode_update(i) do { ; } while (0) 472#define audit_core_dumps(i) do { ; } while (0)
464#define auditsc_get_stamp(c,t,s) do { BUG(); } while (0) 473#define auditsc_get_stamp(c,t,s) do { BUG(); } while (0)
465#define audit_get_loginuid(c) ({ -1; }) 474#define audit_get_loginuid(c) ({ -1; })
466#define audit_log_task_context(b) do { ; } while (0) 475#define audit_log_task_context(b) do { ; } while (0)
@@ -477,7 +486,9 @@ extern int audit_n_rules;
477#define audit_mq_timedreceive(d,l,p,t) ({ 0; }) 486#define audit_mq_timedreceive(d,l,p,t) ({ 0; })
478#define audit_mq_notify(d,n) ({ 0; }) 487#define audit_mq_notify(d,n) ({ 0; })
479#define audit_mq_getsetattr(d,s) ({ 0; }) 488#define audit_mq_getsetattr(d,s) ({ 0; })
489#define audit_ptrace(t) ((void)0)
480#define audit_n_rules 0 490#define audit_n_rules 0
491#define audit_signals 0
481#endif 492#endif
482 493
483#ifdef CONFIG_AUDIT 494#ifdef CONFIG_AUDIT
diff --git a/ipc/mqueue.c b/ipc/mqueue.c
index d17821d3f483..fab5707cb5f7 100644
--- a/ipc/mqueue.c
+++ b/ipc/mqueue.c
@@ -681,6 +681,7 @@ asmlinkage long sys_mq_open(const char __user *u_name, int oflag, mode_t mode,
681 681
682 if (oflag & O_CREAT) { 682 if (oflag & O_CREAT) {
683 if (dentry->d_inode) { /* entry already exists */ 683 if (dentry->d_inode) { /* entry already exists */
684 audit_inode(name, dentry->d_inode);
684 error = -EEXIST; 685 error = -EEXIST;
685 if (oflag & O_EXCL) 686 if (oflag & O_EXCL)
686 goto out; 687 goto out;
@@ -693,6 +694,7 @@ asmlinkage long sys_mq_open(const char __user *u_name, int oflag, mode_t mode,
693 error = -ENOENT; 694 error = -ENOENT;
694 if (!dentry->d_inode) 695 if (!dentry->d_inode)
695 goto out; 696 goto out;
697 audit_inode(name, dentry->d_inode);
696 filp = do_open(dentry, oflag); 698 filp = do_open(dentry, oflag);
697 } 699 }
698 700
@@ -840,6 +842,7 @@ asmlinkage long sys_mq_timedsend(mqd_t mqdes, const char __user *u_msg_ptr,
840 if (unlikely(filp->f_op != &mqueue_file_operations)) 842 if (unlikely(filp->f_op != &mqueue_file_operations))
841 goto out_fput; 843 goto out_fput;
842 info = MQUEUE_I(inode); 844 info = MQUEUE_I(inode);
845 audit_inode(NULL, inode);
843 846
844 if (unlikely(!(filp->f_mode & FMODE_WRITE))) 847 if (unlikely(!(filp->f_mode & FMODE_WRITE)))
845 goto out_fput; 848 goto out_fput;
@@ -923,6 +926,7 @@ asmlinkage ssize_t sys_mq_timedreceive(mqd_t mqdes, char __user *u_msg_ptr,
923 if (unlikely(filp->f_op != &mqueue_file_operations)) 926 if (unlikely(filp->f_op != &mqueue_file_operations))
924 goto out_fput; 927 goto out_fput;
925 info = MQUEUE_I(inode); 928 info = MQUEUE_I(inode);
929 audit_inode(NULL, inode);
926 930
927 if (unlikely(!(filp->f_mode & FMODE_READ))) 931 if (unlikely(!(filp->f_mode & FMODE_READ)))
928 goto out_fput; 932 goto out_fput;
diff --git a/kernel/audit.h b/kernel/audit.h
index a3370232a390..815d6f5c04ee 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -83,6 +83,7 @@ struct audit_krule {
83 u32 field_count; 83 u32 field_count;
84 char *filterkey; /* ties events to rules */ 84 char *filterkey; /* ties events to rules */
85 struct audit_field *fields; 85 struct audit_field *fields;
86 struct audit_field *arch_f; /* quick access to arch field */
86 struct audit_field *inode_f; /* quick access to an inode field */ 87 struct audit_field *inode_f; /* quick access to an inode field */
87 struct audit_watch *watch; /* associated watch */ 88 struct audit_watch *watch; /* associated watch */
88 struct list_head rlist; /* entry in audit_watch.rules list */ 89 struct list_head rlist; /* entry in audit_watch.rules list */
@@ -131,17 +132,19 @@ extern void audit_handle_ievent(struct inotify_watch *, u32, u32, u32,
131extern int selinux_audit_rule_update(void); 132extern int selinux_audit_rule_update(void);
132 133
133#ifdef CONFIG_AUDITSYSCALL 134#ifdef CONFIG_AUDITSYSCALL
134extern void __audit_signal_info(int sig, struct task_struct *t); 135extern int __audit_signal_info(int sig, struct task_struct *t);
135static inline void audit_signal_info(int sig, struct task_struct *t) 136static inline int audit_signal_info(int sig, struct task_struct *t)
136{ 137{
137 if (unlikely(audit_pid && t->tgid == audit_pid)) 138 if (unlikely((audit_pid && t->tgid == audit_pid) ||
138 __audit_signal_info(sig, t); 139 (audit_signals && !audit_dummy_context())))
140 return __audit_signal_info(sig, t);
141 return 0;
139} 142}
140extern enum audit_state audit_filter_inodes(struct task_struct *, 143extern enum audit_state audit_filter_inodes(struct task_struct *,
141 struct audit_context *); 144 struct audit_context *);
142extern void audit_set_auditable(struct audit_context *); 145extern void audit_set_auditable(struct audit_context *);
143#else 146#else
144#define audit_signal_info(s,t) 147#define audit_signal_info(s,t) AUDIT_DISABLED
145#define audit_filter_inodes(t,c) AUDIT_DISABLED 148#define audit_filter_inodes(t,c) AUDIT_DISABLED
146#define audit_set_auditable(c) 149#define audit_set_auditable(c)
147#endif 150#endif
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 3749193aed8c..6c61263ff96d 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -311,6 +311,43 @@ int audit_match_class(int class, unsigned syscall)
311 return classes[class][AUDIT_WORD(syscall)] & AUDIT_BIT(syscall); 311 return classes[class][AUDIT_WORD(syscall)] & AUDIT_BIT(syscall);
312} 312}
313 313
314static inline int audit_match_class_bits(int class, u32 *mask)
315{
316 int i;
317
318 if (classes[class]) {
319 for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
320 if (mask[i] & classes[class][i])
321 return 0;
322 }
323 return 1;
324}
325
326static int audit_match_signal(struct audit_entry *entry)
327{
328 struct audit_field *arch = entry->rule.arch_f;
329
330 if (!arch) {
331 /* When arch is unspecified, we must check both masks on biarch
332 * as syscall number alone is ambiguous. */
333 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL,
334 entry->rule.mask) &&
335 audit_match_class_bits(AUDIT_CLASS_SIGNAL_32,
336 entry->rule.mask));
337 }
338
339 switch(audit_classify_arch(arch->val)) {
340 case 0: /* native */
341 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL,
342 entry->rule.mask));
343 case 1: /* 32bit on biarch */
344 return (audit_match_class_bits(AUDIT_CLASS_SIGNAL_32,
345 entry->rule.mask));
346 default:
347 return 1;
348 }
349}
350
314/* Common user-space to kernel rule translation. */ 351/* Common user-space to kernel rule translation. */
315static inline struct audit_entry *audit_to_entry_common(struct audit_rule *rule) 352static inline struct audit_entry *audit_to_entry_common(struct audit_rule *rule)
316{ 353{
@@ -429,6 +466,7 @@ static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule)
429 err = -EINVAL; 466 err = -EINVAL;
430 goto exit_free; 467 goto exit_free;
431 } 468 }
469 entry->rule.arch_f = f;
432 break; 470 break;
433 case AUDIT_PERM: 471 case AUDIT_PERM:
434 if (f->val & ~15) 472 if (f->val & ~15)
@@ -519,7 +557,6 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
519 case AUDIT_FSGID: 557 case AUDIT_FSGID:
520 case AUDIT_LOGINUID: 558 case AUDIT_LOGINUID:
521 case AUDIT_PERS: 559 case AUDIT_PERS:
522 case AUDIT_ARCH:
523 case AUDIT_MSGTYPE: 560 case AUDIT_MSGTYPE:
524 case AUDIT_PPID: 561 case AUDIT_PPID:
525 case AUDIT_DEVMAJOR: 562 case AUDIT_DEVMAJOR:
@@ -531,6 +568,9 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
531 case AUDIT_ARG2: 568 case AUDIT_ARG2:
532 case AUDIT_ARG3: 569 case AUDIT_ARG3:
533 break; 570 break;
571 case AUDIT_ARCH:
572 entry->rule.arch_f = f;
573 break;
534 case AUDIT_SUBJ_USER: 574 case AUDIT_SUBJ_USER:
535 case AUDIT_SUBJ_ROLE: 575 case AUDIT_SUBJ_ROLE:
536 case AUDIT_SUBJ_TYPE: 576 case AUDIT_SUBJ_TYPE:
@@ -1221,6 +1261,9 @@ static inline int audit_add_rule(struct audit_entry *entry,
1221#ifdef CONFIG_AUDITSYSCALL 1261#ifdef CONFIG_AUDITSYSCALL
1222 if (!dont_count) 1262 if (!dont_count)
1223 audit_n_rules++; 1263 audit_n_rules++;
1264
1265 if (!audit_match_signal(entry))
1266 audit_signals++;
1224#endif 1267#endif
1225 mutex_unlock(&audit_filter_mutex); 1268 mutex_unlock(&audit_filter_mutex);
1226 1269
@@ -1294,6 +1337,9 @@ static inline int audit_del_rule(struct audit_entry *entry,
1294#ifdef CONFIG_AUDITSYSCALL 1337#ifdef CONFIG_AUDITSYSCALL
1295 if (!dont_count) 1338 if (!dont_count)
1296 audit_n_rules--; 1339 audit_n_rules--;
1340
1341 if (!audit_match_signal(entry))
1342 audit_signals--;
1297#endif 1343#endif
1298 mutex_unlock(&audit_filter_mutex); 1344 mutex_unlock(&audit_filter_mutex);
1299 1345
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 628c7ac590a0..e36481ed61b4 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -78,17 +78,15 @@ extern int audit_enabled;
78 * for saving names from getname(). */ 78 * for saving names from getname(). */
79#define AUDIT_NAMES 20 79#define AUDIT_NAMES 20
80 80
81/* AUDIT_NAMES_RESERVED is the number of slots we reserve in the
82 * audit_context from being used for nameless inodes from
83 * path_lookup. */
84#define AUDIT_NAMES_RESERVED 7
85
86/* Indicates that audit should log the full pathname. */ 81/* Indicates that audit should log the full pathname. */
87#define AUDIT_NAME_FULL -1 82#define AUDIT_NAME_FULL -1
88 83
89/* number of audit rules */ 84/* number of audit rules */
90int audit_n_rules; 85int audit_n_rules;
91 86
87/* determines whether we collect data for signals sent */
88int audit_signals;
89
92/* When fs/namei.c:getname() is called, we store the pointer in name and 90/* When fs/namei.c:getname() is called, we store the pointer in name and
93 * we don't let putname() free it (instead we free all of the saved 91 * we don't let putname() free it (instead we free all of the saved
94 * pointers at syscall exit time). 92 * pointers at syscall exit time).
@@ -114,6 +112,9 @@ struct audit_aux_data {
114 112
115#define AUDIT_AUX_IPCPERM 0 113#define AUDIT_AUX_IPCPERM 0
116 114
115/* Number of target pids per aux struct. */
116#define AUDIT_AUX_PIDS 16
117
117struct audit_aux_data_mq_open { 118struct audit_aux_data_mq_open {
118 struct audit_aux_data d; 119 struct audit_aux_data d;
119 int oflag; 120 int oflag;
@@ -181,6 +182,13 @@ struct audit_aux_data_path {
181 struct vfsmount *mnt; 182 struct vfsmount *mnt;
182}; 183};
183 184
185struct audit_aux_data_pids {
186 struct audit_aux_data d;
187 pid_t target_pid[AUDIT_AUX_PIDS];
188 u32 target_sid[AUDIT_AUX_PIDS];
189 int pid_count;
190};
191
184/* The per-task audit context. */ 192/* The per-task audit context. */
185struct audit_context { 193struct audit_context {
186 int dummy; /* must be the first element */ 194 int dummy; /* must be the first element */
@@ -201,6 +209,7 @@ struct audit_context {
201 struct vfsmount * pwdmnt; 209 struct vfsmount * pwdmnt;
202 struct audit_context *previous; /* For nested syscalls */ 210 struct audit_context *previous; /* For nested syscalls */
203 struct audit_aux_data *aux; 211 struct audit_aux_data *aux;
212 struct audit_aux_data *aux_pids;
204 213
205 /* Save things to print about task_struct */ 214 /* Save things to print about task_struct */
206 pid_t pid, ppid; 215 pid_t pid, ppid;
@@ -209,6 +218,9 @@ struct audit_context {
209 unsigned long personality; 218 unsigned long personality;
210 int arch; 219 int arch;
211 220
221 pid_t target_pid;
222 u32 target_sid;
223
212#if AUDIT_DEBUG 224#if AUDIT_DEBUG
213 int put_count; 225 int put_count;
214 int ino_count; 226 int ino_count;
@@ -654,6 +666,10 @@ static inline void audit_free_aux(struct audit_context *context)
654 context->aux = aux->next; 666 context->aux = aux->next;
655 kfree(aux); 667 kfree(aux);
656 } 668 }
669 while ((aux = context->aux_pids)) {
670 context->aux_pids = aux->next;
671 kfree(aux);
672 }
657} 673}
658 674
659static inline void audit_zero_context(struct audit_context *context, 675static inline void audit_zero_context(struct audit_context *context,
@@ -795,6 +811,29 @@ static void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk
795 audit_log_task_context(ab); 811 audit_log_task_context(ab);
796} 812}
797 813
814static int audit_log_pid_context(struct audit_context *context, pid_t pid,
815 u32 sid)
816{
817 struct audit_buffer *ab;
818 char *s = NULL;
819 u32 len;
820 int rc = 0;
821
822 ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID);
823 if (!ab)
824 return 1;
825
826 if (selinux_sid_to_string(sid, &s, &len)) {
827 audit_log_format(ab, "opid=%d obj=(none)", pid);
828 rc = 1;
829 } else
830 audit_log_format(ab, "opid=%d obj=%s", pid, s);
831 audit_log_end(ab);
832 kfree(s);
833
834 return rc;
835}
836
798static void audit_log_exit(struct audit_context *context, struct task_struct *tsk) 837static void audit_log_exit(struct audit_context *context, struct task_struct *tsk)
799{ 838{
800 int i, call_panic = 0; 839 int i, call_panic = 0;
@@ -973,6 +1012,21 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
973 audit_log_end(ab); 1012 audit_log_end(ab);
974 } 1013 }
975 1014
1015 for (aux = context->aux_pids; aux; aux = aux->next) {
1016 struct audit_aux_data_pids *axs = (void *)aux;
1017 int i;
1018
1019 for (i = 0; i < axs->pid_count; i++)
1020 if (audit_log_pid_context(context, axs->target_pid[i],
1021 axs->target_sid[i]))
1022 call_panic = 1;
1023 }
1024
1025 if (context->target_pid &&
1026 audit_log_pid_context(context, context->target_pid,
1027 context->target_sid))
1028 call_panic = 1;
1029
976 if (context->pwd && context->pwdmnt) { 1030 if (context->pwd && context->pwdmnt) {
977 ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD); 1031 ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD);
978 if (ab) { 1032 if (ab) {
@@ -1193,6 +1247,10 @@ void audit_syscall_exit(int valid, long return_code)
1193 } else { 1247 } else {
1194 audit_free_names(context); 1248 audit_free_names(context);
1195 audit_free_aux(context); 1249 audit_free_aux(context);
1250 context->aux = NULL;
1251 context->aux_pids = NULL;
1252 context->target_pid = 0;
1253 context->target_sid = 0;
1196 kfree(context->filterkey); 1254 kfree(context->filterkey);
1197 context->filterkey = NULL; 1255 context->filterkey = NULL;
1198 tsk->audit_context = context; 1256 tsk->audit_context = context;
@@ -1226,6 +1284,7 @@ void __audit_getname(const char *name)
1226 context->names[context->name_count].name_len = AUDIT_NAME_FULL; 1284 context->names[context->name_count].name_len = AUDIT_NAME_FULL;
1227 context->names[context->name_count].name_put = 1; 1285 context->names[context->name_count].name_put = 1;
1228 context->names[context->name_count].ino = (unsigned long)-1; 1286 context->names[context->name_count].ino = (unsigned long)-1;
1287 context->names[context->name_count].osid = 0;
1229 ++context->name_count; 1288 ++context->name_count;
1230 if (!context->pwd) { 1289 if (!context->pwd) {
1231 read_lock(&current->fs->lock); 1290 read_lock(&current->fs->lock);
@@ -1279,6 +1338,28 @@ void audit_putname(const char *name)
1279#endif 1338#endif
1280} 1339}
1281 1340
1341static int audit_inc_name_count(struct audit_context *context,
1342 const struct inode *inode)
1343{
1344 if (context->name_count >= AUDIT_NAMES) {
1345 if (inode)
1346 printk(KERN_DEBUG "name_count maxed, losing inode data: "
1347 "dev=%02x:%02x, inode=%lu",
1348 MAJOR(inode->i_sb->s_dev),
1349 MINOR(inode->i_sb->s_dev),
1350 inode->i_ino);
1351
1352 else
1353 printk(KERN_DEBUG "name_count maxed, losing inode data");
1354 return 1;
1355 }
1356 context->name_count++;
1357#if AUDIT_DEBUG
1358 context->ino_count++;
1359#endif
1360 return 0;
1361}
1362
1282/* Copy inode data into an audit_names. */ 1363/* Copy inode data into an audit_names. */
1283static void audit_copy_inode(struct audit_names *name, const struct inode *inode) 1364static void audit_copy_inode(struct audit_names *name, const struct inode *inode)
1284{ 1365{
@@ -1316,13 +1397,10 @@ void __audit_inode(const char *name, const struct inode *inode)
1316 else { 1397 else {
1317 /* FIXME: how much do we care about inodes that have no 1398 /* FIXME: how much do we care about inodes that have no
1318 * associated name? */ 1399 * associated name? */
1319 if (context->name_count >= AUDIT_NAMES - AUDIT_NAMES_RESERVED) 1400 if (audit_inc_name_count(context, inode))
1320 return; 1401 return;
1321 idx = context->name_count++; 1402 idx = context->name_count - 1;
1322 context->names[idx].name = NULL; 1403 context->names[idx].name = NULL;
1323#if AUDIT_DEBUG
1324 ++context->ino_count;
1325#endif
1326 } 1404 }
1327 audit_copy_inode(&context->names[idx], inode); 1405 audit_copy_inode(&context->names[idx], inode);
1328} 1406}
@@ -1346,7 +1424,7 @@ void __audit_inode_child(const char *dname, const struct inode *inode,
1346{ 1424{
1347 int idx; 1425 int idx;
1348 struct audit_context *context = current->audit_context; 1426 struct audit_context *context = current->audit_context;
1349 const char *found_name = NULL; 1427 const char *found_parent = NULL, *found_child = NULL;
1350 int dirlen = 0; 1428 int dirlen = 0;
1351 1429
1352 if (!context->in_syscall) 1430 if (!context->in_syscall)
@@ -1354,88 +1432,73 @@ void __audit_inode_child(const char *dname, const struct inode *inode,
1354 1432
1355 /* determine matching parent */ 1433 /* determine matching parent */
1356 if (!dname) 1434 if (!dname)
1357 goto update_context; 1435 goto add_names;
1358 for (idx = 0; idx < context->name_count; idx++)
1359 if (context->names[idx].ino == parent->i_ino) {
1360 const char *name = context->names[idx].name;
1361 1436
1362 if (!name) 1437 /* parent is more likely, look for it first */
1363 continue; 1438 for (idx = 0; idx < context->name_count; idx++) {
1439 struct audit_names *n = &context->names[idx];
1364 1440
1365 if (audit_compare_dname_path(dname, name, &dirlen) == 0) { 1441 if (!n->name)
1366 context->names[idx].name_len = dirlen; 1442 continue;
1367 found_name = name; 1443
1368 break; 1444 if (n->ino == parent->i_ino &&
1369 } 1445 !audit_compare_dname_path(dname, n->name, &dirlen)) {
1446 n->name_len = dirlen; /* update parent data in place */
1447 found_parent = n->name;
1448 goto add_names;
1370 } 1449 }
1450 }
1371 1451
1372update_context: 1452 /* no matching parent, look for matching child */
1373 idx = context->name_count; 1453 for (idx = 0; idx < context->name_count; idx++) {
1374 if (context->name_count == AUDIT_NAMES) { 1454 struct audit_names *n = &context->names[idx];
1375 printk(KERN_DEBUG "name_count maxed and losing %s\n", 1455
1376 found_name ?: "(null)"); 1456 if (!n->name)
1377 return; 1457 continue;
1458
1459 /* strcmp() is the more likely scenario */
1460 if (!strcmp(dname, n->name) ||
1461 !audit_compare_dname_path(dname, n->name, &dirlen)) {
1462 if (inode)
1463 audit_copy_inode(n, inode);
1464 else
1465 n->ino = (unsigned long)-1;
1466 found_child = n->name;
1467 goto add_names;
1468 }
1378 } 1469 }
1379 context->name_count++; 1470
1380#if AUDIT_DEBUG 1471add_names:
1381 context->ino_count++; 1472 if (!found_parent) {
1382#endif 1473 if (audit_inc_name_count(context, parent))
1383 /* Re-use the name belonging to the slot for a matching parent directory.
1384 * All names for this context are relinquished in audit_free_names() */
1385 context->names[idx].name = found_name;
1386 context->names[idx].name_len = AUDIT_NAME_FULL;
1387 context->names[idx].name_put = 0; /* don't call __putname() */
1388
1389 if (!inode)
1390 context->names[idx].ino = (unsigned long)-1;
1391 else
1392 audit_copy_inode(&context->names[idx], inode);
1393
1394 /* A parent was not found in audit_names, so copy the inode data for the
1395 * provided parent. */
1396 if (!found_name) {
1397 idx = context->name_count;
1398 if (context->name_count == AUDIT_NAMES) {
1399 printk(KERN_DEBUG
1400 "name_count maxed and losing parent inode data: dev=%02x:%02x, inode=%lu",
1401 MAJOR(parent->i_sb->s_dev),
1402 MINOR(parent->i_sb->s_dev),
1403 parent->i_ino);
1404 return; 1474 return;
1405 } 1475 idx = context->name_count - 1;
1406 context->name_count++; 1476 context->names[idx].name = NULL;
1407#if AUDIT_DEBUG
1408 context->ino_count++;
1409#endif
1410 audit_copy_inode(&context->names[idx], parent); 1477 audit_copy_inode(&context->names[idx], parent);
1411 } 1478 }
1412}
1413 1479
1414/** 1480 if (!found_child) {
1415 * audit_inode_update - update inode info for last collected name 1481 if (audit_inc_name_count(context, inode))
1416 * @inode: inode being audited 1482 return;
1417 * 1483 idx = context->name_count - 1;
1418 * When open() is called on an existing object with the O_CREAT flag, the inode
1419 * data audit initially collects is incorrect. This additional hook ensures
1420 * audit has the inode data for the actual object to be opened.
1421 */
1422void __audit_inode_update(const struct inode *inode)
1423{
1424 struct audit_context *context = current->audit_context;
1425 int idx;
1426 1484
1427 if (!context->in_syscall || !inode) 1485 /* Re-use the name belonging to the slot for a matching parent
1428 return; 1486 * directory. All names for this context are relinquished in
1487 * audit_free_names() */
1488 if (found_parent) {
1489 context->names[idx].name = found_parent;
1490 context->names[idx].name_len = AUDIT_NAME_FULL;
1491 /* don't call __putname() */
1492 context->names[idx].name_put = 0;
1493 } else {
1494 context->names[idx].name = NULL;
1495 }
1429 1496
1430 if (context->name_count == 0) { 1497 if (inode)
1431 context->name_count++; 1498 audit_copy_inode(&context->names[idx], inode);
1432#if AUDIT_DEBUG 1499 else
1433 context->ino_count++; 1500 context->names[idx].ino = (unsigned long)-1;
1434#endif
1435 } 1501 }
1436 idx = context->name_count - 1;
1437
1438 audit_copy_inode(&context->names[idx], inode);
1439} 1502}
1440 1503
1441/** 1504/**
@@ -1880,6 +1943,14 @@ int audit_sockaddr(int len, void *a)
1880 return 0; 1943 return 0;
1881} 1944}
1882 1945
1946void __audit_ptrace(struct task_struct *t)
1947{
1948 struct audit_context *context = current->audit_context;
1949
1950 context->target_pid = t->pid;
1951 selinux_get_task_sid(t, &context->target_sid);
1952}
1953
1883/** 1954/**
1884 * audit_avc_path - record the granting or denial of permissions 1955 * audit_avc_path - record the granting or denial of permissions
1885 * @dentry: dentry to record 1956 * @dentry: dentry to record
@@ -1918,15 +1989,17 @@ int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt)
1918 * If the audit subsystem is being terminated, record the task (pid) 1989 * If the audit subsystem is being terminated, record the task (pid)
1919 * and uid that is doing that. 1990 * and uid that is doing that.
1920 */ 1991 */
1921void __audit_signal_info(int sig, struct task_struct *t) 1992int __audit_signal_info(int sig, struct task_struct *t)
1922{ 1993{
1994 struct audit_aux_data_pids *axp;
1995 struct task_struct *tsk = current;
1996 struct audit_context *ctx = tsk->audit_context;
1923 extern pid_t audit_sig_pid; 1997 extern pid_t audit_sig_pid;
1924 extern uid_t audit_sig_uid; 1998 extern uid_t audit_sig_uid;
1925 extern u32 audit_sig_sid; 1999 extern u32 audit_sig_sid;
1926 2000
1927 if (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1) { 2001 if (audit_pid && t->tgid == audit_pid &&
1928 struct task_struct *tsk = current; 2002 (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1)) {
1929 struct audit_context *ctx = tsk->audit_context;
1930 audit_sig_pid = tsk->pid; 2003 audit_sig_pid = tsk->pid;
1931 if (ctx) 2004 if (ctx)
1932 audit_sig_uid = ctx->loginuid; 2005 audit_sig_uid = ctx->loginuid;
@@ -1934,4 +2007,72 @@ void __audit_signal_info(int sig, struct task_struct *t)
1934 audit_sig_uid = tsk->uid; 2007 audit_sig_uid = tsk->uid;
1935 selinux_get_task_sid(tsk, &audit_sig_sid); 2008 selinux_get_task_sid(tsk, &audit_sig_sid);
1936 } 2009 }
2010
2011 if (!audit_signals) /* audit_context checked in wrapper */
2012 return 0;
2013
2014 /* optimize the common case by putting first signal recipient directly
2015 * in audit_context */
2016 if (!ctx->target_pid) {
2017 ctx->target_pid = t->tgid;
2018 selinux_get_task_sid(t, &ctx->target_sid);
2019 return 0;
2020 }
2021
2022 axp = (void *)ctx->aux_pids;
2023 if (!axp || axp->pid_count == AUDIT_AUX_PIDS) {
2024 axp = kzalloc(sizeof(*axp), GFP_ATOMIC);
2025 if (!axp)
2026 return -ENOMEM;
2027
2028 axp->d.type = AUDIT_OBJ_PID;
2029 axp->d.next = ctx->aux_pids;
2030 ctx->aux_pids = (void *)axp;
2031 }
2032 BUG_ON(axp->pid_count > AUDIT_AUX_PIDS);
2033
2034 axp->target_pid[axp->pid_count] = t->tgid;
2035 selinux_get_task_sid(t, &axp->target_sid[axp->pid_count]);
2036 axp->pid_count++;
2037
2038 return 0;
2039}
2040
2041/**
2042 * audit_core_dumps - record information about processes that end abnormally
2043 * @sig: signal value
2044 *
2045 * If a process ends with a core dump, something fishy is going on and we
2046 * should record the event for investigation.
2047 */
2048void audit_core_dumps(long signr)
2049{
2050 struct audit_buffer *ab;
2051 u32 sid;
2052
2053 if (!audit_enabled)
2054 return;
2055
2056 if (signr == SIGQUIT) /* don't care for those */
2057 return;
2058
2059 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
2060 audit_log_format(ab, "auid=%u uid=%u gid=%u",
2061 audit_get_loginuid(current->audit_context),
2062 current->uid, current->gid);
2063 selinux_get_task_sid(current, &sid);
2064 if (sid) {
2065 char *ctx = NULL;
2066 u32 len;
2067
2068 if (selinux_sid_to_string(sid, &ctx, &len))
2069 audit_log_format(ab, " ssid=%u", sid);
2070 else
2071 audit_log_format(ab, " subj=%s", ctx);
2072 kfree(ctx);
2073 }
2074 audit_log_format(ab, " pid=%d comm=", current->pid);
2075 audit_log_untrustedstring(ab, current->comm);
2076 audit_log_format(ab, " sig=%ld", signr);
2077 audit_log_end(ab);
1937} 2078}
diff --git a/kernel/ptrace.c b/kernel/ptrace.c
index 4d50e06fd745..ad7949a589dd 100644
--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
@@ -18,6 +18,7 @@
18#include <linux/ptrace.h> 18#include <linux/ptrace.h>
19#include <linux/security.h> 19#include <linux/security.h>
20#include <linux/signal.h> 20#include <linux/signal.h>
21#include <linux/audit.h>
21 22
22#include <asm/pgtable.h> 23#include <asm/pgtable.h>
23#include <asm/uaccess.h> 24#include <asm/uaccess.h>
@@ -161,6 +162,8 @@ int ptrace_attach(struct task_struct *task)
161{ 162{
162 int retval; 163 int retval;
163 164
165 audit_ptrace(task);
166
164 retval = -EPERM; 167 retval = -EPERM;
165 if (task->pid <= 1) 168 if (task->pid <= 1)
166 goto out; 169 goto out;
diff --git a/kernel/signal.c b/kernel/signal.c
index 34b7d6abce8f..364fc95bf97c 100644
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -497,6 +497,11 @@ static int check_kill_permission(int sig, struct siginfo *info,
497 int error = -EINVAL; 497 int error = -EINVAL;
498 if (!valid_signal(sig)) 498 if (!valid_signal(sig))
499 return error; 499 return error;
500
501 error = audit_signal_info(sig, t); /* Let audit system see the signal */
502 if (error)
503 return error;
504
500 error = -EPERM; 505 error = -EPERM;
501 if ((info == SEND_SIG_NOINFO || (!is_si_special(info) && SI_FROMUSER(info))) 506 if ((info == SEND_SIG_NOINFO || (!is_si_special(info) && SI_FROMUSER(info)))
502 && ((sig != SIGCONT) || 507 && ((sig != SIGCONT) ||
@@ -506,10 +511,7 @@ static int check_kill_permission(int sig, struct siginfo *info,
506 && !capable(CAP_KILL)) 511 && !capable(CAP_KILL))
507 return error; 512 return error;
508 513
509 error = security_task_kill(t, info, sig, 0); 514 return security_task_kill(t, info, sig, 0);
510 if (!error)
511 audit_signal_info(sig, t); /* Let audit system see the signal */
512 return error;
513} 515}
514 516
515/* forward decl */ 517/* forward decl */
diff --git a/lib/audit.c b/lib/audit.c
index 3b1289fadf06..8e7dc1c63aa9 100644
--- a/lib/audit.c
+++ b/lib/audit.c
@@ -23,6 +23,16 @@ static unsigned chattr_class[] = {
23~0U 23~0U
24}; 24};
25 25
26static unsigned signal_class[] = {
27#include <asm-generic/audit_signal.h>
28~0U
29};
30
31int audit_classify_arch(int arch)
32{
33 return 0;
34}
35
26int audit_classify_syscall(int abi, unsigned syscall) 36int audit_classify_syscall(int abi, unsigned syscall)
27{ 37{
28 switch(syscall) { 38 switch(syscall) {
@@ -49,6 +59,7 @@ static int __init audit_classes_init(void)
49 audit_register_class(AUDIT_CLASS_READ, read_class); 59 audit_register_class(AUDIT_CLASS_READ, read_class);
50 audit_register_class(AUDIT_CLASS_DIR_WRITE, dir_class); 60 audit_register_class(AUDIT_CLASS_DIR_WRITE, dir_class);
51 audit_register_class(AUDIT_CLASS_CHATTR, chattr_class); 61 audit_register_class(AUDIT_CLASS_CHATTR, chattr_class);
62 audit_register_class(AUDIT_CLASS_SIGNAL, signal_class);
52 return 0; 63 return 0;
53} 64}
54 65