aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--arch/ppc/Kconfig17
-rw-r--r--arch/ppc/kernel/entry.S16
-rw-r--r--arch/ppc/kernel/ppc_ksyms.c2
-rw-r--r--arch/ppc/kernel/ptrace.c40
-rw-r--r--include/asm-ppc/seccomp.h10
-rw-r--r--include/asm-ppc/thread_info.h7
-rw-r--r--include/linux/audit.h87
-rw-r--r--init/Kconfig3
-rw-r--r--kernel/audit.c548
-rw-r--r--kernel/auditsc.c143
-rw-r--r--kernel/signal.c7
-rw-r--r--net/socket.c9
-rw-r--r--security/selinux/avc.c11
-rw-r--r--security/selinux/hooks.c2
-rw-r--r--security/selinux/nlmsgtab.c10
-rw-r--r--security/selinux/ss/services.c4
16 files changed, 542 insertions, 374 deletions
diff --git a/arch/ppc/Kconfig b/arch/ppc/Kconfig
index 600f23d7fd33..cd752a3cf3bd 100644
--- a/arch/ppc/Kconfig
+++ b/arch/ppc/Kconfig
@@ -1083,6 +1083,23 @@ source "drivers/zorro/Kconfig"
1083 1083
1084source kernel/power/Kconfig 1084source kernel/power/Kconfig
1085 1085
1086config SECCOMP
1087 bool "Enable seccomp to safely compute untrusted bytecode"
1088 depends on PROC_FS
1089 default y
1090 help
1091 This kernel feature is useful for number crunching applications
1092 that may need to compute untrusted bytecode during their
1093 execution. By using pipes or other transports made available to
1094 the process as file descriptors supporting the read/write
1095 syscalls, it's possible to isolate those applications in
1096 their own address space using seccomp. Once seccomp is
1097 enabled via /proc/<pid>/seccomp, it cannot be disabled
1098 and the task is only allowed to execute a few safe syscalls
1099 defined by each seccomp mode.
1100
1101 If unsure, say Y. Only embedded should say N here.
1102
1086endmenu 1103endmenu
1087 1104
1088config ISA_DMA_API 1105config ISA_DMA_API
diff --git a/arch/ppc/kernel/entry.S b/arch/ppc/kernel/entry.S
index 5f075dbc4ee7..661523707e8c 100644
--- a/arch/ppc/kernel/entry.S
+++ b/arch/ppc/kernel/entry.S
@@ -202,7 +202,7 @@ _GLOBAL(DoSyscall)
202 rlwinm r11,r11,0,~_TIFL_FORCE_NOERROR 202 rlwinm r11,r11,0,~_TIFL_FORCE_NOERROR
203 stw r11,TI_LOCAL_FLAGS(r10) 203 stw r11,TI_LOCAL_FLAGS(r10)
204 lwz r11,TI_FLAGS(r10) 204 lwz r11,TI_FLAGS(r10)
205 andi. r11,r11,_TIF_SYSCALL_TRACE 205 andi. r11,r11,_TIF_SYSCALL_T_OR_A
206 bne- syscall_dotrace 206 bne- syscall_dotrace
207syscall_dotrace_cont: 207syscall_dotrace_cont:
208 cmplwi 0,r0,NR_syscalls 208 cmplwi 0,r0,NR_syscalls
@@ -237,7 +237,7 @@ ret_from_syscall:
237 SYNC 237 SYNC
238 MTMSRD(r10) 238 MTMSRD(r10)
239 lwz r9,TI_FLAGS(r12) 239 lwz r9,TI_FLAGS(r12)
240 andi. r0,r9,(_TIF_SYSCALL_TRACE|_TIF_SIGPENDING|_TIF_NEED_RESCHED) 240 andi. r0,r9,(_TIF_SYSCALL_T_OR_A|_TIF_SIGPENDING|_TIF_NEED_RESCHED)
241 bne- syscall_exit_work 241 bne- syscall_exit_work
242syscall_exit_cont: 242syscall_exit_cont:
243#if defined(CONFIG_4xx) || defined(CONFIG_BOOKE) 243#if defined(CONFIG_4xx) || defined(CONFIG_BOOKE)
@@ -277,7 +277,8 @@ syscall_dotrace:
277 SAVE_NVGPRS(r1) 277 SAVE_NVGPRS(r1)
278 li r0,0xc00 278 li r0,0xc00
279 stw r0,TRAP(r1) 279 stw r0,TRAP(r1)
280 bl do_syscall_trace 280 addi r3,r1,STACK_FRAME_OVERHEAD
281 bl do_syscall_trace_enter
281 lwz r0,GPR0(r1) /* Restore original registers */ 282 lwz r0,GPR0(r1) /* Restore original registers */
282 lwz r3,GPR3(r1) 283 lwz r3,GPR3(r1)
283 lwz r4,GPR4(r1) 284 lwz r4,GPR4(r1)
@@ -291,7 +292,7 @@ syscall_dotrace:
291syscall_exit_work: 292syscall_exit_work:
292 stw r6,RESULT(r1) /* Save result */ 293 stw r6,RESULT(r1) /* Save result */
293 stw r3,GPR3(r1) /* Update return value */ 294 stw r3,GPR3(r1) /* Update return value */
294 andi. r0,r9,_TIF_SYSCALL_TRACE 295 andi. r0,r9,_TIF_SYSCALL_T_OR_A
295 beq 5f 296 beq 5f
296 ori r10,r10,MSR_EE 297 ori r10,r10,MSR_EE
297 SYNC 298 SYNC
@@ -303,7 +304,8 @@ syscall_exit_work:
303 li r4,0xc00 304 li r4,0xc00
304 stw r4,TRAP(r1) 305 stw r4,TRAP(r1)
3054: 3064:
306 bl do_syscall_trace 307 addi r3,r1,STACK_FRAME_OVERHEAD
308 bl do_syscall_trace_leave
307 REST_NVGPRS(r1) 309 REST_NVGPRS(r1)
3082: 3102:
309 lwz r3,GPR3(r1) 311 lwz r3,GPR3(r1)
@@ -627,8 +629,8 @@ sigreturn_exit:
627 subi r1,r3,STACK_FRAME_OVERHEAD 629 subi r1,r3,STACK_FRAME_OVERHEAD
628 rlwinm r12,r1,0,0,18 /* current_thread_info() */ 630 rlwinm r12,r1,0,0,18 /* current_thread_info() */
629 lwz r9,TI_FLAGS(r12) 631 lwz r9,TI_FLAGS(r12)
630 andi. r0,r9,_TIF_SYSCALL_TRACE 632 andi. r0,r9,_TIF_SYSCALL_T_OR_A
631 bnel- do_syscall_trace 633 bnel- do_syscall_trace_leave
632 /* fall through */ 634 /* fall through */
633 635
634 .globl ret_from_except_full 636 .globl ret_from_except_full
diff --git a/arch/ppc/kernel/ppc_ksyms.c b/arch/ppc/kernel/ppc_ksyms.c
index 2ccb58fe4fc3..d59ad07de8e7 100644
--- a/arch/ppc/kernel/ppc_ksyms.c
+++ b/arch/ppc/kernel/ppc_ksyms.c
@@ -55,7 +55,6 @@
55#define EXPORT_SYMTAB_STROPS 55#define EXPORT_SYMTAB_STROPS
56 56
57extern void transfer_to_handler(void); 57extern void transfer_to_handler(void);
58extern void do_syscall_trace(void);
59extern void do_IRQ(struct pt_regs *regs); 58extern void do_IRQ(struct pt_regs *regs);
60extern void MachineCheckException(struct pt_regs *regs); 59extern void MachineCheckException(struct pt_regs *regs);
61extern void AlignmentException(struct pt_regs *regs); 60extern void AlignmentException(struct pt_regs *regs);
@@ -74,7 +73,6 @@ extern unsigned long mm_ptov (unsigned long paddr);
74EXPORT_SYMBOL(clear_pages); 73EXPORT_SYMBOL(clear_pages);
75EXPORT_SYMBOL(clear_user_page); 74EXPORT_SYMBOL(clear_user_page);
76EXPORT_SYMBOL(do_signal); 75EXPORT_SYMBOL(do_signal);
77EXPORT_SYMBOL(do_syscall_trace);
78EXPORT_SYMBOL(transfer_to_handler); 76EXPORT_SYMBOL(transfer_to_handler);
79EXPORT_SYMBOL(do_IRQ); 77EXPORT_SYMBOL(do_IRQ);
80EXPORT_SYMBOL(MachineCheckException); 78EXPORT_SYMBOL(MachineCheckException);
diff --git a/arch/ppc/kernel/ptrace.c b/arch/ppc/kernel/ptrace.c
index 59d59a8dc249..e7aee4108dea 100644
--- a/arch/ppc/kernel/ptrace.c
+++ b/arch/ppc/kernel/ptrace.c
@@ -27,6 +27,9 @@
27#include <linux/user.h> 27#include <linux/user.h>
28#include <linux/security.h> 28#include <linux/security.h>
29#include <linux/signal.h> 29#include <linux/signal.h>
30#include <linux/seccomp.h>
31#include <linux/audit.h>
32#include <linux/module.h>
30 33
31#include <asm/uaccess.h> 34#include <asm/uaccess.h>
32#include <asm/page.h> 35#include <asm/page.h>
@@ -455,11 +458,10 @@ out:
455 return ret; 458 return ret;
456} 459}
457 460
458void do_syscall_trace(void) 461static void do_syscall_trace(void)
459{ 462{
460 if (!test_thread_flag(TIF_SYSCALL_TRACE) 463 /* the 0x80 provides a way for the tracing parent to distinguish
461 || !(current->ptrace & PT_PTRACED)) 464 between a syscall stop and SIGTRAP delivery */
462 return;
463 ptrace_notify(SIGTRAP | ((current->ptrace & PT_TRACESYSGOOD) 465 ptrace_notify(SIGTRAP | ((current->ptrace & PT_TRACESYSGOOD)
464 ? 0x80 : 0)); 466 ? 0x80 : 0));
465 467
@@ -473,3 +475,33 @@ void do_syscall_trace(void)
473 current->exit_code = 0; 475 current->exit_code = 0;
474 } 476 }
475} 477}
478
479void do_syscall_trace_enter(struct pt_regs *regs)
480{
481 if (test_thread_flag(TIF_SYSCALL_TRACE)
482 && (current->ptrace & PT_PTRACED))
483 do_syscall_trace();
484
485 if (unlikely(current->audit_context))
486 audit_syscall_entry(current, AUDIT_ARCH_PPC,
487 regs->gpr[0],
488 regs->gpr[3], regs->gpr[4],
489 regs->gpr[5], regs->gpr[6]);
490}
491
492void do_syscall_trace_leave(struct pt_regs *regs)
493{
494 secure_computing(regs->gpr[0]);
495
496 if (unlikely(current->audit_context))
497 audit_syscall_exit(current,
498 (regs->ccr&0x1000)?AUDITSC_FAILURE:AUDITSC_SUCCESS,
499 regs->result);
500
501 if ((test_thread_flag(TIF_SYSCALL_TRACE))
502 && (current->ptrace & PT_PTRACED))
503 do_syscall_trace();
504}
505
506EXPORT_SYMBOL(do_syscall_trace_enter);
507EXPORT_SYMBOL(do_syscall_trace_leave);
diff --git a/include/asm-ppc/seccomp.h b/include/asm-ppc/seccomp.h
new file mode 100644
index 000000000000..666c4da96d87
--- /dev/null
+++ b/include/asm-ppc/seccomp.h
@@ -0,0 +1,10 @@
1#ifndef _ASM_SECCOMP_H
2
3#include <linux/unistd.h>
4
5#define __NR_seccomp_read __NR_read
6#define __NR_seccomp_write __NR_write
7#define __NR_seccomp_exit __NR_exit
8#define __NR_seccomp_sigreturn __NR_rt_sigreturn
9
10#endif /* _ASM_SECCOMP_H */
diff --git a/include/asm-ppc/thread_info.h b/include/asm-ppc/thread_info.h
index f7f01524e8a8..e3b5284a6f91 100644
--- a/include/asm-ppc/thread_info.h
+++ b/include/asm-ppc/thread_info.h
@@ -77,12 +77,19 @@ static inline struct thread_info *current_thread_info(void)
77#define TIF_POLLING_NRFLAG 4 /* true if poll_idle() is polling 77#define TIF_POLLING_NRFLAG 4 /* true if poll_idle() is polling
78 TIF_NEED_RESCHED */ 78 TIF_NEED_RESCHED */
79#define TIF_MEMDIE 5 79#define TIF_MEMDIE 5
80#define TIF_SYSCALL_AUDIT 6 /* syscall auditing active */
81#define TIF_SECCOMP 7 /* secure computing */
82
80/* as above, but as bit values */ 83/* as above, but as bit values */
81#define _TIF_SYSCALL_TRACE (1<<TIF_SYSCALL_TRACE) 84#define _TIF_SYSCALL_TRACE (1<<TIF_SYSCALL_TRACE)
82#define _TIF_NOTIFY_RESUME (1<<TIF_NOTIFY_RESUME) 85#define _TIF_NOTIFY_RESUME (1<<TIF_NOTIFY_RESUME)
83#define _TIF_SIGPENDING (1<<TIF_SIGPENDING) 86#define _TIF_SIGPENDING (1<<TIF_SIGPENDING)
84#define _TIF_NEED_RESCHED (1<<TIF_NEED_RESCHED) 87#define _TIF_NEED_RESCHED (1<<TIF_NEED_RESCHED)
85#define _TIF_POLLING_NRFLAG (1<<TIF_POLLING_NRFLAG) 88#define _TIF_POLLING_NRFLAG (1<<TIF_POLLING_NRFLAG)
89#define _TIF_SYSCALL_AUDIT (1<<TIF_SYSCALL_AUDIT)
90#define _TIF_SECCOMP (1<<TIF_SECCOMP)
91
92#define _TIF_SYSCALL_T_OR_A (_TIF_SYSCALL_TRACE|_TIF_SYSCALL_AUDIT|_TIF_SECCOMP)
86 93
87/* 94/*
88 * Non racy (local) flags bit numbers 95 * Non racy (local) flags bit numbers
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 19f04b049798..17ea5d522d81 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -27,15 +27,50 @@
27#include <linux/sched.h> 27#include <linux/sched.h>
28#include <linux/elf.h> 28#include <linux/elf.h>
29 29
30/* Request and reply types */ 30/* The netlink messages for the audit system is divided into blocks:
31#define AUDIT_GET 1000 /* Get status */ 31 * 1000 - 1099 are for commanding the audit system
32#define AUDIT_SET 1001 /* Set status (enable/disable/auditd) */ 32 * 1100 - 1199 user space trusted application messages
33#define AUDIT_LIST 1002 /* List filtering rules */ 33 * 1200 - 1299 messages internal to the audit daemon
34#define AUDIT_ADD 1003 /* Add filtering rule */ 34 * 1300 - 1399 audit event messages
35#define AUDIT_DEL 1004 /* Delete filtering rule */ 35 * 1400 - 1499 SE Linux use
36#define AUDIT_USER 1005 /* Send a message from user-space */ 36 * 1500 - 1999 future use
37#define AUDIT_LOGIN 1006 /* Define the login id and informaiton */ 37 * 2000 is for otherwise unclassified kernel audit messages
38#define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */ 38 *
39 * Messages from 1000-1199 are bi-directional. 1200-1299 are exclusively user
40 * space. Anything over that is kernel --> user space communication.
41 */
42#define AUDIT_GET 1000 /* Get status */
43#define AUDIT_SET 1001 /* Set status (enable/disable/auditd) */
44#define AUDIT_LIST 1002 /* List syscall filtering rules */
45#define AUDIT_ADD 1003 /* Add syscall filtering rule */
46#define AUDIT_DEL 1004 /* Delete syscall filtering rule */
47#define AUDIT_USER 1005 /* Message from userspace -- deprecated */
48#define AUDIT_LOGIN 1006 /* Define the login id and information */
49#define AUDIT_WATCH_INS 1007 /* Insert file/dir watch entry */
50#define AUDIT_WATCH_REM 1008 /* Remove file/dir watch entry */
51#define AUDIT_WATCH_LIST 1009 /* List all file/dir watches */
52#define AUDIT_SIGNAL_INFO 1010 /* Get info about sender of signal to auditd */
53
54#define AUDIT_FIRST_USER_MSG 1100 /* Userspace messages uninteresting to kernel */
55#define AUDIT_LAST_USER_MSG 1199
56
57#define AUDIT_DAEMON_START 1200 /* Daemon startup record */
58#define AUDIT_DAEMON_END 1201 /* Daemon normal stop record */
59#define AUDIT_DAEMON_ABORT 1202 /* Daemon error stop record */
60#define AUDIT_DAEMON_CONFIG 1203 /* Daemon config change */
61
62#define AUDIT_SYSCALL 1300 /* Syscall event */
63#define AUDIT_FS_WATCH 1301 /* Filesystem watch event */
64#define AUDIT_PATH 1302 /* Filname path information */
65#define AUDIT_IPC 1303 /* IPC record */
66#define AUDIT_SOCKETCALL 1304 /* sys_socketcall arguments */
67#define AUDIT_CONFIG_CHANGE 1305 /* Audit system configuration change */
68#define AUDIT_SOCKADDR 1306 /* sockaddr copied as syscall arg */
69
70#define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
71#define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
72
73#define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */
39 74
40/* Rule flags */ 75/* Rule flags */
41#define AUDIT_PER_TASK 0x01 /* Apply rule at task creation (not syscall) */ 76#define AUDIT_PER_TASK 0x01 /* Apply rule at task creation (not syscall) */
@@ -132,16 +167,9 @@
132#define AUDIT_ARCH_V850 (EM_V850|__AUDIT_ARCH_LE) 167#define AUDIT_ARCH_V850 (EM_V850|__AUDIT_ARCH_LE)
133#define AUDIT_ARCH_X86_64 (EM_X86_64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE) 168#define AUDIT_ARCH_X86_64 (EM_X86_64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
134 169
135#ifndef __KERNEL__
136struct audit_message {
137 struct nlmsghdr nlh;
138 char data[1200];
139};
140#endif
141
142struct audit_status { 170struct audit_status {
143 __u32 mask; /* Bit mask for valid entries */ 171 __u32 mask; /* Bit mask for valid entries */
144 __u32 enabled; /* 1 = enabled, 0 = disbaled */ 172 __u32 enabled; /* 1 = enabled, 0 = disabled */
145 __u32 failure; /* Failure-to-log action */ 173 __u32 failure; /* Failure-to-log action */
146 __u32 pid; /* pid of auditd process */ 174 __u32 pid; /* pid of auditd process */
147 __u32 rate_limit; /* messages rate limit (per second) */ 175 __u32 rate_limit; /* messages rate limit (per second) */
@@ -161,6 +189,11 @@ struct audit_rule { /* for AUDIT_LIST, AUDIT_ADD, and AUDIT_DEL */
161 189
162#ifdef __KERNEL__ 190#ifdef __KERNEL__
163 191
192struct audit_sig_info {
193 uid_t uid;
194 pid_t pid;
195};
196
164struct audit_buffer; 197struct audit_buffer;
165struct audit_context; 198struct audit_context;
166struct inode; 199struct inode;
@@ -185,11 +218,14 @@ extern void audit_inode(const char *name, const struct inode *inode);
185 /* Private API (for audit.c only) */ 218 /* Private API (for audit.c only) */
186extern int audit_receive_filter(int type, int pid, int uid, int seq, 219extern int audit_receive_filter(int type, int pid, int uid, int seq,
187 void *data, uid_t loginuid); 220 void *data, uid_t loginuid);
188extern void audit_get_stamp(struct audit_context *ctx, 221extern int audit_get_stamp(struct audit_context *ctx,
189 struct timespec *t, unsigned int *serial); 222 struct timespec *t, unsigned int *serial);
190extern int audit_set_loginuid(struct task_struct *task, uid_t loginuid); 223extern int audit_set_loginuid(struct task_struct *task, uid_t loginuid);
191extern uid_t audit_get_loginuid(struct audit_context *ctx); 224extern uid_t audit_get_loginuid(struct audit_context *ctx);
192extern int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode); 225extern int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode);
226extern int audit_socketcall(int nargs, unsigned long *args);
227extern int audit_sockaddr(int len, void *addr);
228extern void audit_signal_info(int sig, struct task_struct *t);
193#else 229#else
194#define audit_alloc(t) ({ 0; }) 230#define audit_alloc(t) ({ 0; })
195#define audit_free(t) do { ; } while (0) 231#define audit_free(t) do { ; } while (0)
@@ -198,18 +234,23 @@ extern int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mo
198#define audit_getname(n) do { ; } while (0) 234#define audit_getname(n) do { ; } while (0)
199#define audit_putname(n) do { ; } while (0) 235#define audit_putname(n) do { ; } while (0)
200#define audit_inode(n,i) do { ; } while (0) 236#define audit_inode(n,i) do { ; } while (0)
237#define audit_receive_filter(t,p,u,s,d,l) ({ -EOPNOTSUPP; })
238#define audit_get_stamp(c,t,s) ({ 0; })
201#define audit_get_loginuid(c) ({ -1; }) 239#define audit_get_loginuid(c) ({ -1; })
202#define audit_ipc_perms(q,u,g,m) ({ 0; }) 240#define audit_ipc_perms(q,u,g,m) ({ 0; })
241#define audit_socketcall(n,a) ({ 0; })
242#define audit_sockaddr(len, addr) ({ 0; })
243#define audit_signal_info(s,t) do { ; } while (0)
203#endif 244#endif
204 245
205#ifdef CONFIG_AUDIT 246#ifdef CONFIG_AUDIT
206/* These are defined in audit.c */ 247/* These are defined in audit.c */
207 /* Public API */ 248 /* Public API */
208extern void audit_log(struct audit_context *ctx, 249extern void audit_log(struct audit_context *ctx, int type,
209 const char *fmt, ...) 250 const char *fmt, ...)
210 __attribute__((format(printf,2,3))); 251 __attribute__((format(printf,3,4)));
211 252
212extern struct audit_buffer *audit_log_start(struct audit_context *ctx); 253extern struct audit_buffer *audit_log_start(struct audit_context *ctx,int type);
213extern void audit_log_format(struct audit_buffer *ab, 254extern void audit_log_format(struct audit_buffer *ab,
214 const char *fmt, ...) 255 const char *fmt, ...)
215 __attribute__((format(printf,2,3))); 256 __attribute__((format(printf,2,3)));
@@ -229,8 +270,8 @@ extern void audit_send_reply(int pid, int seq, int type,
229 void *payload, int size); 270 void *payload, int size);
230extern void audit_log_lost(const char *message); 271extern void audit_log_lost(const char *message);
231#else 272#else
232#define audit_log(t,f,...) do { ; } while (0) 273#define audit_log(c,t,f,...) do { ; } while (0)
233#define audit_log_start(t) ({ NULL; }) 274#define audit_log_start(c,t) ({ NULL; })
234#define audit_log_vformat(b,f,a) do { ; } while (0) 275#define audit_log_vformat(b,f,a) do { ; } while (0)
235#define audit_log_format(b,f,...) do { ; } while (0) 276#define audit_log_format(b,f,...) do { ; } while (0)
236#define audit_log_end(b) do { ; } while (0) 277#define audit_log_end(b) do { ; } while (0)
diff --git a/init/Kconfig b/init/Kconfig
index d920baed109a..448939d183dd 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -164,6 +164,7 @@ config SYSCTL
164 164
165config AUDIT 165config AUDIT
166 bool "Auditing support" 166 bool "Auditing support"
167 depends on NET
167 default y if SECURITY_SELINUX 168 default y if SECURITY_SELINUX
168 help 169 help
169 Enable auditing infrastructure that can be used with another 170 Enable auditing infrastructure that can be used with another
@@ -173,7 +174,7 @@ config AUDIT
173 174
174config AUDITSYSCALL 175config AUDITSYSCALL
175 bool "Enable system-call auditing support" 176 bool "Enable system-call auditing support"
176 depends on AUDIT && (X86 || PPC64 || ARCH_S390 || IA64 || UML) 177 depends on AUDIT && (X86 || PPC || PPC64 || ARCH_S390 || IA64 || UML)
177 default y if SECURITY_SELINUX 178 default y if SECURITY_SELINUX
178 help 179 help
179 Enable low-overhead system-call auditing infrastructure that 180 Enable low-overhead system-call auditing infrastructure that
diff --git a/kernel/audit.c b/kernel/audit.c
index 9c4f1af0c794..bbc6f542c8f7 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -46,6 +46,8 @@
46#include <asm/types.h> 46#include <asm/types.h>
47#include <linux/mm.h> 47#include <linux/mm.h>
48#include <linux/module.h> 48#include <linux/module.h>
49#include <linux/err.h>
50#include <linux/kthread.h>
49 51
50#include <linux/audit.h> 52#include <linux/audit.h>
51 53
@@ -68,7 +70,7 @@ static int audit_failure = AUDIT_FAIL_PRINTK;
68 70
69/* If audit records are to be written to the netlink socket, audit_pid 71/* If audit records are to be written to the netlink socket, audit_pid
70 * contains the (non-zero) pid. */ 72 * contains the (non-zero) pid. */
71static int audit_pid; 73int audit_pid;
72 74
73/* If audit_limit is non-zero, limit the rate of sending audit records 75/* If audit_limit is non-zero, limit the rate of sending audit records
74 * to that number per second. This prevents DoS attacks, but results in 76 * to that number per second. This prevents DoS attacks, but results in
@@ -77,7 +79,10 @@ static int audit_rate_limit;
77 79
78/* Number of outstanding audit_buffers allowed. */ 80/* Number of outstanding audit_buffers allowed. */
79static int audit_backlog_limit = 64; 81static int audit_backlog_limit = 64;
80static atomic_t audit_backlog = ATOMIC_INIT(0); 82
83/* The identity of the user shutting down the audit system. */
84uid_t audit_sig_uid = -1;
85pid_t audit_sig_pid = -1;
81 86
82/* Records can be lost in several ways: 87/* Records can be lost in several ways:
83 0) [suppressed in audit_alloc] 88 0) [suppressed in audit_alloc]
@@ -91,19 +96,17 @@ static atomic_t audit_lost = ATOMIC_INIT(0);
91/* The netlink socket. */ 96/* The netlink socket. */
92static struct sock *audit_sock; 97static struct sock *audit_sock;
93 98
94/* There are two lists of audit buffers. The txlist contains audit 99/* The audit_freelist is a list of pre-allocated audit buffers (if more
95 * buffers that cannot be sent immediately to the netlink device because
96 * we are in an irq context (these are sent later in a tasklet).
97 *
98 * The second list is a list of pre-allocated audit buffers (if more
99 * than AUDIT_MAXFREE are in use, the audit buffer is freed instead of 100 * than AUDIT_MAXFREE are in use, the audit buffer is freed instead of
100 * being placed on the freelist). */ 101 * being placed on the freelist). */
101static DEFINE_SPINLOCK(audit_txlist_lock);
102static DEFINE_SPINLOCK(audit_freelist_lock); 102static DEFINE_SPINLOCK(audit_freelist_lock);
103static int audit_freelist_count = 0; 103static int audit_freelist_count = 0;
104static LIST_HEAD(audit_txlist);
105static LIST_HEAD(audit_freelist); 104static LIST_HEAD(audit_freelist);
106 105
106static struct sk_buff_head audit_skb_queue;
107static struct task_struct *kauditd_task;
108static DECLARE_WAIT_QUEUE_HEAD(kauditd_wait);
109
107/* There are three lists of rules -- one to search at task creation 110/* There are three lists of rules -- one to search at task creation
108 * time, one to search at syscall entry time, and another to search at 111 * time, one to search at syscall entry time, and another to search at
109 * syscall exit time. */ 112 * syscall exit time. */
@@ -112,7 +115,7 @@ static LIST_HEAD(audit_entlist);
112static LIST_HEAD(audit_extlist); 115static LIST_HEAD(audit_extlist);
113 116
114/* The netlink socket is only to be read by 1 CPU, which lets us assume 117/* The netlink socket is only to be read by 1 CPU, which lets us assume
115 * that list additions and deletions never happen simultaneiously in 118 * that list additions and deletions never happen simultaneously in
116 * auditsc.c */ 119 * auditsc.c */
117static DECLARE_MUTEX(audit_netlink_sem); 120static DECLARE_MUTEX(audit_netlink_sem);
118 121
@@ -132,21 +135,14 @@ static DECLARE_MUTEX(audit_netlink_sem);
132 * use simultaneously. */ 135 * use simultaneously. */
133struct audit_buffer { 136struct audit_buffer {
134 struct list_head list; 137 struct list_head list;
135 struct sk_buff_head sklist; /* formatted skbs ready to send */ 138 struct sk_buff *skb; /* formatted skb ready to send */
136 struct audit_context *ctx; /* NULL or associated context */ 139 struct audit_context *ctx; /* NULL or associated context */
137 int len; /* used area of tmp */
138 char tmp[AUDIT_BUFSIZ];
139
140 /* Pointer to header and contents */
141 struct nlmsghdr *nlh;
142 int total;
143 int type;
144 int pid;
145}; 140};
146 141
147void audit_set_type(struct audit_buffer *ab, int type) 142static void audit_set_pid(struct audit_buffer *ab, pid_t pid)
148{ 143{
149 ab->type = type; 144 struct nlmsghdr *nlh = (struct nlmsghdr *)ab->skb->data;
145 nlh->nlmsg_pid = pid;
150} 146}
151 147
152struct audit_entry { 148struct audit_entry {
@@ -154,9 +150,6 @@ struct audit_entry {
154 struct audit_rule rule; 150 struct audit_rule rule;
155}; 151};
156 152
157static void audit_log_end_irq(struct audit_buffer *ab);
158static void audit_log_end_fast(struct audit_buffer *ab);
159
160static void audit_panic(const char *message) 153static void audit_panic(const char *message)
161{ 154{
162 switch (audit_failure) 155 switch (audit_failure)
@@ -227,10 +220,8 @@ void audit_log_lost(const char *message)
227 220
228 if (print) { 221 if (print) {
229 printk(KERN_WARNING 222 printk(KERN_WARNING
230 "audit: audit_lost=%d audit_backlog=%d" 223 "audit: audit_lost=%d audit_rate_limit=%d audit_backlog_limit=%d\n",
231 " audit_rate_limit=%d audit_backlog_limit=%d\n",
232 atomic_read(&audit_lost), 224 atomic_read(&audit_lost),
233 atomic_read(&audit_backlog),
234 audit_rate_limit, 225 audit_rate_limit,
235 audit_backlog_limit); 226 audit_backlog_limit);
236 audit_panic(message); 227 audit_panic(message);
@@ -242,7 +233,8 @@ static int audit_set_rate_limit(int limit, uid_t loginuid)
242{ 233{
243 int old = audit_rate_limit; 234 int old = audit_rate_limit;
244 audit_rate_limit = limit; 235 audit_rate_limit = limit;
245 audit_log(NULL, "audit_rate_limit=%d old=%d by auid %u", 236 audit_log(NULL, AUDIT_CONFIG_CHANGE,
237 "audit_rate_limit=%d old=%d by auid %u",
246 audit_rate_limit, old, loginuid); 238 audit_rate_limit, old, loginuid);
247 return old; 239 return old;
248} 240}
@@ -251,7 +243,8 @@ static int audit_set_backlog_limit(int limit, uid_t loginuid)
251{ 243{
252 int old = audit_backlog_limit; 244 int old = audit_backlog_limit;
253 audit_backlog_limit = limit; 245 audit_backlog_limit = limit;
254 audit_log(NULL, "audit_backlog_limit=%d old=%d by auid %u", 246 audit_log(NULL, AUDIT_CONFIG_CHANGE,
247 "audit_backlog_limit=%d old=%d by auid %u",
255 audit_backlog_limit, old, loginuid); 248 audit_backlog_limit, old, loginuid);
256 return old; 249 return old;
257} 250}
@@ -262,8 +255,9 @@ static int audit_set_enabled(int state, uid_t loginuid)
262 if (state != 0 && state != 1) 255 if (state != 0 && state != 1)
263 return -EINVAL; 256 return -EINVAL;
264 audit_enabled = state; 257 audit_enabled = state;
265 audit_log(NULL, "audit_enabled=%d old=%d by auid %u", 258 audit_log(NULL, AUDIT_CONFIG_CHANGE,
266 audit_enabled, old, loginuid); 259 "audit_enabled=%d old=%d by auid %u",
260 audit_enabled, old, loginuid);
267 return old; 261 return old;
268} 262}
269 263
@@ -275,12 +269,44 @@ static int audit_set_failure(int state, uid_t loginuid)
275 && state != AUDIT_FAIL_PANIC) 269 && state != AUDIT_FAIL_PANIC)
276 return -EINVAL; 270 return -EINVAL;
277 audit_failure = state; 271 audit_failure = state;
278 audit_log(NULL, "audit_failure=%d old=%d by auid %u", 272 audit_log(NULL, AUDIT_CONFIG_CHANGE,
279 audit_failure, old, loginuid); 273 "audit_failure=%d old=%d by auid %u",
274 audit_failure, old, loginuid);
280 return old; 275 return old;
281} 276}
282 277
283#ifdef CONFIG_NET 278int kauditd_thread(void *dummy)
279{
280 struct sk_buff *skb;
281
282 while (1) {
283 skb = skb_dequeue(&audit_skb_queue);
284 if (skb) {
285 if (audit_pid) {
286 int err = netlink_unicast(audit_sock, skb, audit_pid, 0);
287 if (err < 0) {
288 BUG_ON(err != -ECONNREFUSED); /* Shoudn't happen */
289 printk(KERN_ERR "audit: *NO* daemon at audit_pid=%d\n", audit_pid);
290 audit_pid = 0;
291 }
292 } else {
293 printk(KERN_ERR "%s\n", skb->data + NLMSG_SPACE(0));
294 kfree_skb(skb);
295 }
296 } else {
297 DECLARE_WAITQUEUE(wait, current);
298 set_current_state(TASK_INTERRUPTIBLE);
299 add_wait_queue(&kauditd_wait, &wait);
300
301 if (!skb_queue_len(&audit_skb_queue))
302 schedule();
303
304 __set_current_state(TASK_RUNNING);
305 remove_wait_queue(&kauditd_wait, &wait);
306 }
307 }
308}
309
284void audit_send_reply(int pid, int seq, int type, int done, int multi, 310void audit_send_reply(int pid, int seq, int type, int done, int multi,
285 void *payload, int size) 311 void *payload, int size)
286{ 312{
@@ -293,13 +319,16 @@ void audit_send_reply(int pid, int seq, int type, int done, int multi,
293 319
294 skb = alloc_skb(len, GFP_KERNEL); 320 skb = alloc_skb(len, GFP_KERNEL);
295 if (!skb) 321 if (!skb)
296 goto nlmsg_failure; 322 return;
297 323
298 nlh = NLMSG_PUT(skb, pid, seq, t, len - sizeof(*nlh)); 324 nlh = NLMSG_PUT(skb, pid, seq, t, size);
299 nlh->nlmsg_flags = flags; 325 nlh->nlmsg_flags = flags;
300 data = NLMSG_DATA(nlh); 326 data = NLMSG_DATA(nlh);
301 memcpy(data, payload, size); 327 memcpy(data, payload, size);
302 netlink_unicast(audit_sock, skb, pid, MSG_DONTWAIT); 328
329 /* Ignore failure. It'll only happen if the sender goes away,
330 because our timeout is set to infinite. */
331 netlink_unicast(audit_sock, skb, pid, 0);
303 return; 332 return;
304 333
305nlmsg_failure: /* Used by NLMSG_PUT */ 334nlmsg_failure: /* Used by NLMSG_PUT */
@@ -321,10 +350,11 @@ static int audit_netlink_ok(kernel_cap_t eff_cap, u16 msg_type)
321 case AUDIT_SET: 350 case AUDIT_SET:
322 case AUDIT_ADD: 351 case AUDIT_ADD:
323 case AUDIT_DEL: 352 case AUDIT_DEL:
353 case AUDIT_SIGNAL_INFO:
324 if (!cap_raised(eff_cap, CAP_AUDIT_CONTROL)) 354 if (!cap_raised(eff_cap, CAP_AUDIT_CONTROL))
325 err = -EPERM; 355 err = -EPERM;
326 break; 356 break;
327 case AUDIT_USER: 357 case AUDIT_FIRST_USER_MSG...AUDIT_LAST_USER_MSG:
328 if (!cap_raised(eff_cap, CAP_AUDIT_WRITE)) 358 if (!cap_raised(eff_cap, CAP_AUDIT_WRITE))
329 err = -EPERM; 359 err = -EPERM;
330 break; 360 break;
@@ -344,11 +374,21 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
344 struct audit_buffer *ab; 374 struct audit_buffer *ab;
345 u16 msg_type = nlh->nlmsg_type; 375 u16 msg_type = nlh->nlmsg_type;
346 uid_t loginuid; /* loginuid of sender */ 376 uid_t loginuid; /* loginuid of sender */
377 struct audit_sig_info sig_data;
347 378
348 err = audit_netlink_ok(NETLINK_CB(skb).eff_cap, msg_type); 379 err = audit_netlink_ok(NETLINK_CB(skb).eff_cap, msg_type);
349 if (err) 380 if (err)
350 return err; 381 return err;
351 382
383 /* As soon as there's any sign of userspace auditd, start kauditd to talk to it */
384 if (!kauditd_task)
385 kauditd_task = kthread_run(kauditd_thread, NULL, "kauditd");
386 if (IS_ERR(kauditd_task)) {
387 err = PTR_ERR(kauditd_task);
388 kauditd_task = NULL;
389 return err;
390 }
391
352 pid = NETLINK_CREDS(skb)->pid; 392 pid = NETLINK_CREDS(skb)->pid;
353 uid = NETLINK_CREDS(skb)->uid; 393 uid = NETLINK_CREDS(skb)->uid;
354 loginuid = NETLINK_CB(skb).loginuid; 394 loginuid = NETLINK_CB(skb).loginuid;
@@ -363,7 +403,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
363 status_set.rate_limit = audit_rate_limit; 403 status_set.rate_limit = audit_rate_limit;
364 status_set.backlog_limit = audit_backlog_limit; 404 status_set.backlog_limit = audit_backlog_limit;
365 status_set.lost = atomic_read(&audit_lost); 405 status_set.lost = atomic_read(&audit_lost);
366 status_set.backlog = atomic_read(&audit_backlog); 406 status_set.backlog = skb_queue_len(&audit_skb_queue);
367 audit_send_reply(NETLINK_CB(skb).pid, seq, AUDIT_GET, 0, 0, 407 audit_send_reply(NETLINK_CB(skb).pid, seq, AUDIT_GET, 0, 0,
368 &status_set, sizeof(status_set)); 408 &status_set, sizeof(status_set));
369 break; 409 break;
@@ -382,7 +422,8 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
382 if (status_get->mask & AUDIT_STATUS_PID) { 422 if (status_get->mask & AUDIT_STATUS_PID) {
383 int old = audit_pid; 423 int old = audit_pid;
384 audit_pid = status_get->pid; 424 audit_pid = status_get->pid;
385 audit_log(NULL, "audit_pid=%d old=%d by auid %u", 425 audit_log(NULL, AUDIT_CONFIG_CHANGE,
426 "audit_pid=%d old=%d by auid %u",
386 audit_pid, old, loginuid); 427 audit_pid, old, loginuid);
387 } 428 }
388 if (status_get->mask & AUDIT_STATUS_RATE_LIMIT) 429 if (status_get->mask & AUDIT_STATUS_RATE_LIMIT)
@@ -391,8 +432,8 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
391 audit_set_backlog_limit(status_get->backlog_limit, 432 audit_set_backlog_limit(status_get->backlog_limit,
392 loginuid); 433 loginuid);
393 break; 434 break;
394 case AUDIT_USER: 435 case AUDIT_FIRST_USER_MSG...AUDIT_LAST_USER_MSG:
395 ab = audit_log_start(NULL); 436 ab = audit_log_start(NULL, msg_type);
396 if (!ab) 437 if (!ab)
397 break; /* audit_panic has been called */ 438 break; /* audit_panic has been called */
398 audit_log_format(ab, 439 audit_log_format(ab,
@@ -402,8 +443,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
402 (int)(nlh->nlmsg_len 443 (int)(nlh->nlmsg_len
403 - ((char *)data - (char *)nlh)), 444 - ((char *)data - (char *)nlh)),
404 loginuid, (char *)data); 445 loginuid, (char *)data);
405 ab->type = AUDIT_USER; 446 audit_set_pid(ab, pid);
406 ab->pid = pid;
407 audit_log_end(ab); 447 audit_log_end(ab);
408 break; 448 break;
409 case AUDIT_ADD: 449 case AUDIT_ADD:
@@ -412,12 +452,14 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
412 return -EINVAL; 452 return -EINVAL;
413 /* fallthrough */ 453 /* fallthrough */
414 case AUDIT_LIST: 454 case AUDIT_LIST:
415#ifdef CONFIG_AUDITSYSCALL
416 err = audit_receive_filter(nlh->nlmsg_type, NETLINK_CB(skb).pid, 455 err = audit_receive_filter(nlh->nlmsg_type, NETLINK_CB(skb).pid,
417 uid, seq, data, loginuid); 456 uid, seq, data, loginuid);
418#else 457 break;
419 err = -EOPNOTSUPP; 458 case AUDIT_SIGNAL_INFO:
420#endif 459 sig_data.uid = audit_sig_uid;
460 sig_data.pid = audit_sig_pid;
461 audit_send_reply(NETLINK_CB(skb).pid, seq, AUDIT_SIGNAL_INFO,
462 0, 0, &sig_data, sizeof(sig_data));
421 break; 463 break;
422 default: 464 default:
423 err = -EINVAL; 465 err = -EINVAL;
@@ -467,87 +509,6 @@ static void audit_receive(struct sock *sk, int length)
467 up(&audit_netlink_sem); 509 up(&audit_netlink_sem);
468} 510}
469 511
470/* Move data from tmp buffer into an skb. This is an extra copy, and
471 * that is unfortunate. However, the copy will only occur when a record
472 * is being written to user space, which is already a high-overhead
473 * operation. (Elimination of the copy is possible, for example, by
474 * writing directly into a pre-allocated skb, at the cost of wasting
475 * memory. */
476static void audit_log_move(struct audit_buffer *ab)
477{
478 struct sk_buff *skb;
479 char *start;
480 int extra = ab->nlh ? 0 : NLMSG_SPACE(0);
481
482 /* possible resubmission */
483 if (ab->len == 0)
484 return;
485
486 skb = skb_peek_tail(&ab->sklist);
487 if (!skb || skb_tailroom(skb) <= ab->len + extra) {
488 skb = alloc_skb(2 * ab->len + extra, GFP_ATOMIC);
489 if (!skb) {
490 ab->len = 0; /* Lose information in ab->tmp */
491 audit_log_lost("out of memory in audit_log_move");
492 return;
493 }
494 __skb_queue_tail(&ab->sklist, skb);
495 if (!ab->nlh)
496 ab->nlh = (struct nlmsghdr *)skb_put(skb,
497 NLMSG_SPACE(0));
498 }
499 start = skb_put(skb, ab->len);
500 memcpy(start, ab->tmp, ab->len);
501 ab->len = 0;
502}
503
504/* Iterate over the skbuff in the audit_buffer, sending their contents
505 * to user space. */
506static inline int audit_log_drain(struct audit_buffer *ab)
507{
508 struct sk_buff *skb;
509
510 while ((skb = skb_dequeue(&ab->sklist))) {
511 int retval = 0;
512
513 if (audit_pid) {
514 if (ab->nlh) {
515 ab->nlh->nlmsg_len = ab->total;
516 ab->nlh->nlmsg_type = ab->type;
517 ab->nlh->nlmsg_flags = 0;
518 ab->nlh->nlmsg_seq = 0;
519 ab->nlh->nlmsg_pid = ab->pid;
520 }
521 skb_get(skb); /* because netlink_* frees */
522 retval = netlink_unicast(audit_sock, skb, audit_pid,
523 MSG_DONTWAIT);
524 }
525 if (retval == -EAGAIN &&
526 (atomic_read(&audit_backlog)) < audit_backlog_limit) {
527 skb_queue_head(&ab->sklist, skb);
528 audit_log_end_irq(ab);
529 return 1;
530 }
531 if (retval < 0) {
532 if (retval == -ECONNREFUSED) {
533 printk(KERN_ERR
534 "audit: *NO* daemon at audit_pid=%d\n",
535 audit_pid);
536 audit_pid = 0;
537 } else
538 audit_log_lost("netlink socket too busy");
539 }
540 if (!audit_pid) { /* No daemon */
541 int offset = ab->nlh ? NLMSG_SPACE(0) : 0;
542 int len = skb->len - offset;
543 skb->data[offset + len] = '\0';
544 printk(KERN_ERR "%s\n", skb->data + offset);
545 }
546 kfree_skb(skb);
547 ab->nlh = NULL;
548 }
549 return 0;
550}
551 512
552/* Initialize audit support at boot time. */ 513/* Initialize audit support at boot time. */
553static int __init audit_init(void) 514static int __init audit_init(void)
@@ -558,40 +519,13 @@ static int __init audit_init(void)
558 if (!audit_sock) 519 if (!audit_sock)
559 audit_panic("cannot initialize netlink socket"); 520 audit_panic("cannot initialize netlink socket");
560 521
522 audit_sock->sk_sndtimeo = MAX_SCHEDULE_TIMEOUT;
523 skb_queue_head_init(&audit_skb_queue);
561 audit_initialized = 1; 524 audit_initialized = 1;
562 audit_enabled = audit_default; 525 audit_enabled = audit_default;
563 audit_log(NULL, "initialized"); 526 audit_log(NULL, AUDIT_KERNEL, "initialized");
564 return 0; 527 return 0;
565} 528}
566
567#else
568/* Without CONFIG_NET, we have no skbuffs. For now, print what we have
569 * in the buffer. */
570static void audit_log_move(struct audit_buffer *ab)
571{
572 printk(KERN_ERR "%*.*s\n", ab->len, ab->len, ab->tmp);
573 ab->len = 0;
574}
575
576static inline int audit_log_drain(struct audit_buffer *ab)
577{
578 return 0;
579}
580
581/* Initialize audit support at boot time. */
582int __init audit_init(void)
583{
584 printk(KERN_INFO "audit: initializing WITHOUT netlink support\n");
585 audit_sock = NULL;
586 audit_pid = 0;
587
588 audit_initialized = 1;
589 audit_enabled = audit_default;
590 audit_log(NULL, "initialized");
591 return 0;
592}
593#endif
594
595__initcall(audit_init); 529__initcall(audit_init);
596 530
597/* Process kernel command-line parameter at boot time. audit=0 or audit=1. */ 531/* Process kernel command-line parameter at boot time. audit=0 or audit=1. */
@@ -608,6 +542,61 @@ static int __init audit_enable(char *str)
608 542
609__setup("audit=", audit_enable); 543__setup("audit=", audit_enable);
610 544
545static void audit_buffer_free(struct audit_buffer *ab)
546{
547 unsigned long flags;
548
549 if (!ab)
550 return;
551
552 if (ab->skb)
553 kfree_skb(ab->skb);
554
555 spin_lock_irqsave(&audit_freelist_lock, flags);
556 if (++audit_freelist_count > AUDIT_MAXFREE)
557 kfree(ab);
558 else
559 list_add(&ab->list, &audit_freelist);
560 spin_unlock_irqrestore(&audit_freelist_lock, flags);
561}
562
563static struct audit_buffer * audit_buffer_alloc(struct audit_context *ctx,
564 int gfp_mask, int type)
565{
566 unsigned long flags;
567 struct audit_buffer *ab = NULL;
568 struct nlmsghdr *nlh;
569
570 spin_lock_irqsave(&audit_freelist_lock, flags);
571 if (!list_empty(&audit_freelist)) {
572 ab = list_entry(audit_freelist.next,
573 struct audit_buffer, list);
574 list_del(&ab->list);
575 --audit_freelist_count;
576 }
577 spin_unlock_irqrestore(&audit_freelist_lock, flags);
578
579 if (!ab) {
580 ab = kmalloc(sizeof(*ab), gfp_mask);
581 if (!ab)
582 goto err;
583 }
584
585 ab->skb = alloc_skb(AUDIT_BUFSIZ, gfp_mask);
586 if (!ab->skb)
587 goto err;
588
589 ab->ctx = ctx;
590 nlh = (struct nlmsghdr *)skb_put(ab->skb, NLMSG_SPACE(0));
591 nlh->nlmsg_type = type;
592 nlh->nlmsg_flags = 0;
593 nlh->nlmsg_pid = 0;
594 nlh->nlmsg_seq = 0;
595 return ab;
596err:
597 audit_buffer_free(ab);
598 return NULL;
599}
611 600
612/* Obtain an audit buffer. This routine does locking to obtain the 601/* Obtain an audit buffer. This routine does locking to obtain the
613 * audit buffer, but then no locking is required for calls to 602 * audit buffer, but then no locking is required for calls to
@@ -615,68 +604,49 @@ __setup("audit=", audit_enable);
615 * syscall, then the syscall is marked as auditable and an audit record 604 * syscall, then the syscall is marked as auditable and an audit record
616 * will be written at syscall exit. If there is no associated task, tsk 605 * will be written at syscall exit. If there is no associated task, tsk
617 * should be NULL. */ 606 * should be NULL. */
618struct audit_buffer *audit_log_start(struct audit_context *ctx) 607struct audit_buffer *audit_log_start(struct audit_context *ctx, int type)
619{ 608{
620 struct audit_buffer *ab = NULL; 609 struct audit_buffer *ab = NULL;
621 unsigned long flags;
622 struct timespec t; 610 struct timespec t;
623 unsigned int serial; 611 unsigned int serial;
624 612
625 if (!audit_initialized) 613 if (!audit_initialized)
626 return NULL; 614 return NULL;
627 615
628 if (audit_backlog_limit 616 ab = audit_buffer_alloc(ctx, GFP_ATOMIC, type);
629 && atomic_read(&audit_backlog) > audit_backlog_limit) {
630 if (audit_rate_check())
631 printk(KERN_WARNING
632 "audit: audit_backlog=%d > "
633 "audit_backlog_limit=%d\n",
634 atomic_read(&audit_backlog),
635 audit_backlog_limit);
636 audit_log_lost("backlog limit exceeded");
637 return NULL;
638 }
639
640 spin_lock_irqsave(&audit_freelist_lock, flags);
641 if (!list_empty(&audit_freelist)) {
642 ab = list_entry(audit_freelist.next,
643 struct audit_buffer, list);
644 list_del(&ab->list);
645 --audit_freelist_count;
646 }
647 spin_unlock_irqrestore(&audit_freelist_lock, flags);
648
649 if (!ab)
650 ab = kmalloc(sizeof(*ab), GFP_ATOMIC);
651 if (!ab) { 617 if (!ab) {
652 audit_log_lost("out of memory in audit_log_start"); 618 audit_log_lost("out of memory in audit_log_start");
653 return NULL; 619 return NULL;
654 } 620 }
655 621
656 atomic_inc(&audit_backlog); 622 if (!audit_get_stamp(ab->ctx, &t, &serial)) {
657 skb_queue_head_init(&ab->sklist);
658
659 ab->ctx = ctx;
660 ab->len = 0;
661 ab->nlh = NULL;
662 ab->total = 0;
663 ab->type = AUDIT_KERNEL;
664 ab->pid = 0;
665
666#ifdef CONFIG_AUDITSYSCALL
667 if (ab->ctx)
668 audit_get_stamp(ab->ctx, &t, &serial);
669 else
670#endif
671 {
672 t = CURRENT_TIME; 623 t = CURRENT_TIME;
673 serial = 0; 624 serial = 0;
674 } 625 }
626
675 audit_log_format(ab, "audit(%lu.%03lu:%u): ", 627 audit_log_format(ab, "audit(%lu.%03lu:%u): ",
676 t.tv_sec, t.tv_nsec/1000000, serial); 628 t.tv_sec, t.tv_nsec/1000000, serial);
677 return ab; 629 return ab;
678} 630}
679 631
632/**
633 * audit_expand - expand skb in the audit buffer
634 * @ab: audit_buffer
635 *
636 * Returns 0 (no space) on failed expansion, or available space if
637 * successful.
638 */
639static inline int audit_expand(struct audit_buffer *ab, int extra)
640{
641 struct sk_buff *skb = ab->skb;
642 int ret = pskb_expand_head(skb, skb_headroom(skb), extra,
643 GFP_ATOMIC);
644 if (ret < 0) {
645 audit_log_lost("out of memory in audit_expand");
646 return 0;
647 }
648 return skb_tailroom(skb);
649}
680 650
681/* Format an audit message into the audit buffer. If there isn't enough 651/* Format an audit message into the audit buffer. If there isn't enough
682 * room in the audit buffer, more room will be allocated and vsnprint 652 * room in the audit buffer, more room will be allocated and vsnprint
@@ -686,26 +656,35 @@ static void audit_log_vformat(struct audit_buffer *ab, const char *fmt,
686 va_list args) 656 va_list args)
687{ 657{
688 int len, avail; 658 int len, avail;
659 struct sk_buff *skb;
660 va_list args2;
689 661
690 if (!ab) 662 if (!ab)
691 return; 663 return;
692 664
693 avail = sizeof(ab->tmp) - ab->len; 665 BUG_ON(!ab->skb);
694 if (avail <= 0) { 666 skb = ab->skb;
695 audit_log_move(ab); 667 avail = skb_tailroom(skb);
696 avail = sizeof(ab->tmp) - ab->len; 668 if (avail == 0) {
669 avail = audit_expand(ab, AUDIT_BUFSIZ);
670 if (!avail)
671 goto out;
697 } 672 }
698 len = vsnprintf(ab->tmp + ab->len, avail, fmt, args); 673 va_copy(args2, args);
674 len = vsnprintf(skb->tail, avail, fmt, args);
699 if (len >= avail) { 675 if (len >= avail) {
700 /* The printk buffer is 1024 bytes long, so if we get 676 /* The printk buffer is 1024 bytes long, so if we get
701 * here and AUDIT_BUFSIZ is at least 1024, then we can 677 * here and AUDIT_BUFSIZ is at least 1024, then we can
702 * log everything that printk could have logged. */ 678 * log everything that printk could have logged. */
703 audit_log_move(ab); 679 avail = audit_expand(ab, max_t(unsigned, AUDIT_BUFSIZ, 1+len-avail));
704 avail = sizeof(ab->tmp) - ab->len; 680 if (!avail)
705 len = vsnprintf(ab->tmp + ab->len, avail, fmt, args); 681 goto out;
682 len = vsnprintf(skb->tail, avail, fmt, args2);
706 } 683 }
707 ab->len += (len < avail) ? len : avail; 684 if (len > 0)
708 ab->total += (len < avail) ? len : avail; 685 skb_put(skb, len);
686out:
687 return;
709} 688}
710 689
711/* Format a message into the audit buffer. All the work is done in 690/* Format a message into the audit buffer. All the work is done in
@@ -721,20 +700,47 @@ void audit_log_format(struct audit_buffer *ab, const char *fmt, ...)
721 va_end(args); 700 va_end(args);
722} 701}
723 702
724void audit_log_hex(struct audit_buffer *ab, const unsigned char *buf, size_t len) 703/* This function will take the passed buf and convert it into a string of
704 * ascii hex digits. The new string is placed onto the skb. */
705void audit_log_hex(struct audit_buffer *ab, const unsigned char *buf,
706 size_t len)
725{ 707{
726 int i; 708 int i, avail, new_len;
709 unsigned char *ptr;
710 struct sk_buff *skb;
711 static const unsigned char *hex = "0123456789ABCDEF";
712
713 BUG_ON(!ab->skb);
714 skb = ab->skb;
715 avail = skb_tailroom(skb);
716 new_len = len<<1;
717 if (new_len >= avail) {
718 /* Round the buffer request up to the next multiple */
719 new_len = AUDIT_BUFSIZ*(((new_len-avail)/AUDIT_BUFSIZ) + 1);
720 avail = audit_expand(ab, new_len);
721 if (!avail)
722 return;
723 }
727 724
728 for (i=0; i<len; i++) 725 ptr = skb->tail;
729 audit_log_format(ab, "%02x", buf[i]); 726 for (i=0; i<len; i++) {
727 *ptr++ = hex[(buf[i] & 0xF0)>>4]; /* Upper nibble */
728 *ptr++ = hex[buf[i] & 0x0F]; /* Lower nibble */
729 }
730 *ptr = 0;
731 skb_put(skb, len << 1); /* new string is twice the old string */
730} 732}
731 733
734/* This code will escape a string that is passed to it if the string
735 * contains a control character, unprintable character, double quote mark,
736 * or a space. Unescaped strings will start and end with a double quote mark.
737 * Strings that are escaped are printed in hex (2 digits per char). */
732void audit_log_untrustedstring(struct audit_buffer *ab, const char *string) 738void audit_log_untrustedstring(struct audit_buffer *ab, const char *string)
733{ 739{
734 const unsigned char *p = string; 740 const unsigned char *p = string;
735 741
736 while (*p) { 742 while (*p) {
737 if (*p == '"' || *p == ' ' || *p < 0x20 || *p > 0x7f) { 743 if (*p == '"' || *p < 0x21 || *p > 0x7f) {
738 audit_log_hex(ab, string, strlen(string)); 744 audit_log_hex(ab, string, strlen(string));
739 return; 745 return;
740 } 746 }
@@ -743,117 +749,63 @@ void audit_log_untrustedstring(struct audit_buffer *ab, const char *string)
743 audit_log_format(ab, "\"%s\"", string); 749 audit_log_format(ab, "\"%s\"", string);
744} 750}
745 751
746 752/* This is a helper-function to print the escaped d_path */
747/* This is a helper-function to print the d_path without using a static
748 * buffer or allocating another buffer in addition to the one in
749 * audit_buffer. */
750void audit_log_d_path(struct audit_buffer *ab, const char *prefix, 753void audit_log_d_path(struct audit_buffer *ab, const char *prefix,
751 struct dentry *dentry, struct vfsmount *vfsmnt) 754 struct dentry *dentry, struct vfsmount *vfsmnt)
752{ 755{
753 char *p; 756 char *p, *path;
754 int len, avail;
755
756 if (prefix) audit_log_format(ab, " %s", prefix);
757
758 if (ab->len > 128)
759 audit_log_move(ab);
760 avail = sizeof(ab->tmp) - ab->len;
761 p = d_path(dentry, vfsmnt, ab->tmp + ab->len, avail);
762 if (IS_ERR(p)) {
763 /* FIXME: can we save some information here? */
764 audit_log_format(ab, "<toolong>");
765 } else {
766 /* path isn't at start of buffer */
767 len = (ab->tmp + sizeof(ab->tmp) - 1) - p;
768 memmove(ab->tmp + ab->len, p, len);
769 ab->len += len;
770 ab->total += len;
771 }
772}
773
774/* Remove queued messages from the audit_txlist and send them to userspace. */
775static void audit_tasklet_handler(unsigned long arg)
776{
777 LIST_HEAD(list);
778 struct audit_buffer *ab;
779 unsigned long flags;
780 757
781 spin_lock_irqsave(&audit_txlist_lock, flags); 758 if (prefix)
782 list_splice_init(&audit_txlist, &list); 759 audit_log_format(ab, " %s", prefix);
783 spin_unlock_irqrestore(&audit_txlist_lock, flags);
784 760
785 while (!list_empty(&list)) { 761 /* We will allow 11 spaces for ' (deleted)' to be appended */
786 ab = list_entry(list.next, struct audit_buffer, list); 762 path = kmalloc(PATH_MAX+11, GFP_KERNEL);
787 list_del(&ab->list); 763 if (!path) {
788 audit_log_end_fast(ab); 764 audit_log_format(ab, "<no memory>");
765 return;
789 } 766 }
767 p = d_path(dentry, vfsmnt, path, PATH_MAX+11);
768 if (IS_ERR(p)) { /* Should never happen since we send PATH_MAX */
769 /* FIXME: can we save some information here? */
770 audit_log_format(ab, "<too long>");
771 } else
772 audit_log_untrustedstring(ab, p);
773 kfree(path);
790} 774}
791 775
792static DECLARE_TASKLET(audit_tasklet, audit_tasklet_handler, 0);
793
794/* The netlink_* functions cannot be called inside an irq context, so 776/* The netlink_* functions cannot be called inside an irq context, so
795 * the audit buffer is places on a queue and a tasklet is scheduled to 777 * the audit buffer is places on a queue and a tasklet is scheduled to
796 * remove them from the queue outside the irq context. May be called in 778 * remove them from the queue outside the irq context. May be called in
797 * any context. */ 779 * any context. */
798static void audit_log_end_irq(struct audit_buffer *ab) 780void audit_log_end(struct audit_buffer *ab)
799{
800 unsigned long flags;
801
802 if (!ab)
803 return;
804 spin_lock_irqsave(&audit_txlist_lock, flags);
805 list_add_tail(&ab->list, &audit_txlist);
806 spin_unlock_irqrestore(&audit_txlist_lock, flags);
807
808 tasklet_schedule(&audit_tasklet);
809}
810
811/* Send the message in the audit buffer directly to user space. May not
812 * be called in an irq context. */
813static void audit_log_end_fast(struct audit_buffer *ab)
814{ 781{
815 unsigned long flags;
816
817 BUG_ON(in_irq());
818 if (!ab) 782 if (!ab)
819 return; 783 return;
820 if (!audit_rate_check()) { 784 if (!audit_rate_check()) {
821 audit_log_lost("rate limit exceeded"); 785 audit_log_lost("rate limit exceeded");
822 } else { 786 } else {
823 audit_log_move(ab); 787 if (audit_pid) {
824 if (audit_log_drain(ab)) 788 struct nlmsghdr *nlh = (struct nlmsghdr *)ab->skb->data;
825 return; 789 nlh->nlmsg_len = ab->skb->len - NLMSG_SPACE(0);
790 skb_queue_tail(&audit_skb_queue, ab->skb);
791 ab->skb = NULL;
792 wake_up_interruptible(&kauditd_wait);
793 } else {
794 printk("%s\n", ab->skb->data + NLMSG_SPACE(0));
795 }
826 } 796 }
827 797 audit_buffer_free(ab);
828 atomic_dec(&audit_backlog);
829 spin_lock_irqsave(&audit_freelist_lock, flags);
830 if (++audit_freelist_count > AUDIT_MAXFREE)
831 kfree(ab);
832 else
833 list_add(&ab->list, &audit_freelist);
834 spin_unlock_irqrestore(&audit_freelist_lock, flags);
835}
836
837/* Send or queue the message in the audit buffer, depending on the
838 * current context. (A convenience function that may be called in any
839 * context.) */
840void audit_log_end(struct audit_buffer *ab)
841{
842 if (in_irq())
843 audit_log_end_irq(ab);
844 else
845 audit_log_end_fast(ab);
846} 798}
847 799
848/* Log an audit record. This is a convenience function that calls 800/* Log an audit record. This is a convenience function that calls
849 * audit_log_start, audit_log_vformat, and audit_log_end. It may be 801 * audit_log_start, audit_log_vformat, and audit_log_end. It may be
850 * called in any context. */ 802 * called in any context. */
851void audit_log(struct audit_context *ctx, const char *fmt, ...) 803void audit_log(struct audit_context *ctx, int type, const char *fmt, ...)
852{ 804{
853 struct audit_buffer *ab; 805 struct audit_buffer *ab;
854 va_list args; 806 va_list args;
855 807
856 ab = audit_log_start(ctx); 808 ab = audit_log_start(ctx, type);
857 if (ab) { 809 if (ab) {
858 va_start(args, fmt); 810 va_start(args, fmt);
859 audit_log_vformat(ab, fmt, args); 811 audit_log_vformat(ab, fmt, args);
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 37b3ac94bc47..78d7a13fc86f 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -34,7 +34,7 @@
34#include <asm/types.h> 34#include <asm/types.h>
35#include <linux/mm.h> 35#include <linux/mm.h>
36#include <linux/module.h> 36#include <linux/module.h>
37 37#include <linux/socket.h>
38#include <linux/audit.h> 38#include <linux/audit.h>
39#include <linux/personality.h> 39#include <linux/personality.h>
40#include <linux/time.h> 40#include <linux/time.h>
@@ -112,6 +112,18 @@ struct audit_aux_data_ipcctl {
112 mode_t mode; 112 mode_t mode;
113}; 113};
114 114
115struct audit_aux_data_socketcall {
116 struct audit_aux_data d;
117 int nargs;
118 unsigned long args[0];
119};
120
121struct audit_aux_data_sockaddr {
122 struct audit_aux_data d;
123 int len;
124 char a[0];
125};
126
115 127
116/* The per-task audit context. */ 128/* The per-task audit context. */
117struct audit_context { 129struct audit_context {
@@ -157,6 +169,8 @@ struct audit_entry {
157 struct audit_rule rule; 169 struct audit_rule rule;
158}; 170};
159 171
172extern int audit_pid;
173
160/* Check to see if two rules are identical. It is called from 174/* Check to see if two rules are identical. It is called from
161 * audit_del_rule during AUDIT_DEL. */ 175 * audit_del_rule during AUDIT_DEL. */
162static int audit_compare_rule(struct audit_rule *a, struct audit_rule *b) 176static int audit_compare_rule(struct audit_rule *a, struct audit_rule *b)
@@ -226,7 +240,6 @@ static inline int audit_del_rule(struct audit_rule *rule,
226 return -EFAULT; /* No matching rule */ 240 return -EFAULT; /* No matching rule */
227} 241}
228 242
229#ifdef CONFIG_NET
230/* Copy rule from user-space to kernel-space. Called during 243/* Copy rule from user-space to kernel-space. Called during
231 * AUDIT_ADD. */ 244 * AUDIT_ADD. */
232static int audit_copy_rule(struct audit_rule *d, struct audit_rule *s) 245static int audit_copy_rule(struct audit_rule *d, struct audit_rule *s)
@@ -287,7 +300,8 @@ int audit_receive_filter(int type, int pid, int uid, int seq, void *data,
287 err = audit_add_rule(entry, &audit_entlist); 300 err = audit_add_rule(entry, &audit_entlist);
288 if (!err && (flags & AUDIT_AT_EXIT)) 301 if (!err && (flags & AUDIT_AT_EXIT))
289 err = audit_add_rule(entry, &audit_extlist); 302 err = audit_add_rule(entry, &audit_extlist);
290 audit_log(NULL, "auid %u added an audit rule\n", loginuid); 303 audit_log(NULL, AUDIT_CONFIG_CHANGE,
304 "auid %u added an audit rule\n", loginuid);
291 break; 305 break;
292 case AUDIT_DEL: 306 case AUDIT_DEL:
293 flags =((struct audit_rule *)data)->flags; 307 flags =((struct audit_rule *)data)->flags;
@@ -297,7 +311,8 @@ int audit_receive_filter(int type, int pid, int uid, int seq, void *data,
297 err = audit_del_rule(data, &audit_entlist); 311 err = audit_del_rule(data, &audit_entlist);
298 if (!err && (flags & AUDIT_AT_EXIT)) 312 if (!err && (flags & AUDIT_AT_EXIT))
299 err = audit_del_rule(data, &audit_extlist); 313 err = audit_del_rule(data, &audit_extlist);
300 audit_log(NULL, "auid %u removed an audit rule\n", loginuid); 314 audit_log(NULL, AUDIT_CONFIG_CHANGE,
315 "auid %u removed an audit rule\n", loginuid);
301 break; 316 break;
302 default: 317 default:
303 return -EINVAL; 318 return -EINVAL;
@@ -305,7 +320,6 @@ int audit_receive_filter(int type, int pid, int uid, int seq, void *data,
305 320
306 return err; 321 return err;
307} 322}
308#endif
309 323
310/* Compare a task_struct with an audit_rule. Return 1 on match, 0 324/* Compare a task_struct with an audit_rule. Return 1 on match, 0
311 * otherwise. */ 325 * otherwise. */
@@ -444,7 +458,7 @@ static enum audit_state audit_filter_task(struct task_struct *tsk)
444 458
445/* At syscall entry and exit time, this filter is called if the 459/* At syscall entry and exit time, this filter is called if the
446 * audit_state is not low enough that auditing cannot take place, but is 460 * audit_state is not low enough that auditing cannot take place, but is
447 * also not high enough that we already know we have to write and audit 461 * also not high enough that we already know we have to write an audit
448 * record (i.e., the state is AUDIT_SETUP_CONTEXT or AUDIT_BUILD_CONTEXT). 462 * record (i.e., the state is AUDIT_SETUP_CONTEXT or AUDIT_BUILD_CONTEXT).
449 */ 463 */
450static enum audit_state audit_filter_syscall(struct task_struct *tsk, 464static enum audit_state audit_filter_syscall(struct task_struct *tsk,
@@ -650,7 +664,7 @@ static void audit_log_exit(struct audit_context *context)
650 int i; 664 int i;
651 struct audit_buffer *ab; 665 struct audit_buffer *ab;
652 666
653 ab = audit_log_start(context); 667 ab = audit_log_start(context, AUDIT_SYSCALL);
654 if (!ab) 668 if (!ab)
655 return; /* audit_panic has been called */ 669 return; /* audit_panic has been called */
656 audit_log_format(ab, "syscall=%d", context->major); 670 audit_log_format(ab, "syscall=%d", context->major);
@@ -682,28 +696,43 @@ static void audit_log_exit(struct audit_context *context)
682 while (context->aux) { 696 while (context->aux) {
683 struct audit_aux_data *aux; 697 struct audit_aux_data *aux;
684 698
685 ab = audit_log_start(context); 699 aux = context->aux;
700
701 ab = audit_log_start(context, aux->type);
686 if (!ab) 702 if (!ab)
687 continue; /* audit_panic has been called */ 703 continue; /* audit_panic has been called */
688 704
689 aux = context->aux;
690 context->aux = aux->next;
691
692 audit_log_format(ab, "auxitem=%d", aux->type);
693 switch (aux->type) { 705 switch (aux->type) {
694 case AUDIT_AUX_IPCPERM: { 706 case AUDIT_IPC: {
695 struct audit_aux_data_ipcctl *axi = (void *)aux; 707 struct audit_aux_data_ipcctl *axi = (void *)aux;
696 audit_log_format(ab, 708 audit_log_format(ab,
697 " qbytes=%lx uid=%d gid=%d mode=%x", 709 " qbytes=%lx iuid=%d igid=%d mode=%x",
698 axi->qbytes, axi->uid, axi->gid, axi->mode); 710 axi->qbytes, axi->uid, axi->gid, axi->mode);
699 } 711 break; }
712
713 case AUDIT_SOCKETCALL: {
714 int i;
715 struct audit_aux_data_socketcall *axs = (void *)aux;
716 audit_log_format(ab, "nargs=%d", axs->nargs);
717 for (i=0; i<axs->nargs; i++)
718 audit_log_format(ab, " a%d=%lx", i, axs->args[i]);
719 break; }
720
721 case AUDIT_SOCKADDR: {
722 struct audit_aux_data_sockaddr *axs = (void *)aux;
723
724 audit_log_format(ab, "saddr=");
725 audit_log_hex(ab, axs->a, axs->len);
726 break; }
700 } 727 }
701 audit_log_end(ab); 728 audit_log_end(ab);
729
730 context->aux = aux->next;
702 kfree(aux); 731 kfree(aux);
703 } 732 }
704 733
705 for (i = 0; i < context->name_count; i++) { 734 for (i = 0; i < context->name_count; i++) {
706 ab = audit_log_start(context); 735 ab = audit_log_start(context, AUDIT_PATH);
707 if (!ab) 736 if (!ab)
708 continue; /* audit_panic has been called */ 737 continue; /* audit_panic has been called */
709 audit_log_format(ab, "item=%d", i); 738 audit_log_format(ab, "item=%d", i);
@@ -713,7 +742,7 @@ static void audit_log_exit(struct audit_context *context)
713 } 742 }
714 if (context->names[i].ino != (unsigned long)-1) 743 if (context->names[i].ino != (unsigned long)-1)
715 audit_log_format(ab, " inode=%lu dev=%02x:%02x mode=%#o" 744 audit_log_format(ab, " inode=%lu dev=%02x:%02x mode=%#o"
716 " uid=%d gid=%d rdev=%02x:%02x", 745 " ouid=%d ogid=%d rdev=%02x:%02x",
717 context->names[i].ino, 746 context->names[i].ino,
718 MAJOR(context->names[i].dev), 747 MAJOR(context->names[i].dev),
719 MINOR(context->names[i].dev), 748 MINOR(context->names[i].dev),
@@ -741,7 +770,7 @@ void audit_free(struct task_struct *tsk)
741 770
742 /* Check for system calls that do not go through the exit 771 /* Check for system calls that do not go through the exit
743 * function (e.g., exit_group), then free context block. */ 772 * function (e.g., exit_group), then free context block. */
744 if (context->in_syscall && context->auditable) 773 if (context->in_syscall && context->auditable && context->pid != audit_pid)
745 audit_log_exit(context); 774 audit_log_exit(context);
746 775
747 audit_free_context(context); 776 audit_free_context(context);
@@ -750,7 +779,7 @@ void audit_free(struct task_struct *tsk)
750/* Compute a serial number for the audit record. Audit records are 779/* Compute a serial number for the audit record. Audit records are
751 * written to user-space as soon as they are generated, so a complete 780 * written to user-space as soon as they are generated, so a complete
752 * audit record may be written in several pieces. The timestamp of the 781 * audit record may be written in several pieces. The timestamp of the
753 * record and this serial number are used by the user-space daemon to 782 * record and this serial number are used by the user-space tools to
754 * determine which pieces belong to the same audit record. The 783 * determine which pieces belong to the same audit record. The
755 * (timestamp,serial) tuple is unique for each syscall and is live from 784 * (timestamp,serial) tuple is unique for each syscall and is live from
756 * syscall entry to syscall exit. 785 * syscall entry to syscall exit.
@@ -876,7 +905,7 @@ void audit_syscall_exit(struct task_struct *tsk, int valid, long return_code)
876 if (likely(!context)) 905 if (likely(!context))
877 return; 906 return;
878 907
879 if (context->in_syscall && context->auditable) 908 if (context->in_syscall && context->auditable && context->pid != audit_pid)
880 audit_log_exit(context); 909 audit_log_exit(context);
881 910
882 context->in_syscall = 0; 911 context->in_syscall = 0;
@@ -994,7 +1023,7 @@ void audit_inode(const char *name, const struct inode *inode)
994 context->names[idx].rdev = inode->i_rdev; 1023 context->names[idx].rdev = inode->i_rdev;
995} 1024}
996 1025
997void audit_get_stamp(struct audit_context *ctx, 1026int audit_get_stamp(struct audit_context *ctx,
998 struct timespec *t, unsigned int *serial) 1027 struct timespec *t, unsigned int *serial)
999{ 1028{
1000 if (ctx) { 1029 if (ctx) {
@@ -1002,26 +1031,22 @@ void audit_get_stamp(struct audit_context *ctx,
1002 t->tv_nsec = ctx->ctime.tv_nsec; 1031 t->tv_nsec = ctx->ctime.tv_nsec;
1003 *serial = ctx->serial; 1032 *serial = ctx->serial;
1004 ctx->auditable = 1; 1033 ctx->auditable = 1;
1005 } else { 1034 return 1;
1006 *t = CURRENT_TIME;
1007 *serial = 0;
1008 } 1035 }
1036 return 0;
1009} 1037}
1010 1038
1011extern int audit_set_type(struct audit_buffer *ab, int type);
1012
1013int audit_set_loginuid(struct task_struct *task, uid_t loginuid) 1039int audit_set_loginuid(struct task_struct *task, uid_t loginuid)
1014{ 1040{
1015 if (task->audit_context) { 1041 if (task->audit_context) {
1016 struct audit_buffer *ab; 1042 struct audit_buffer *ab;
1017 1043
1018 ab = audit_log_start(NULL); 1044 ab = audit_log_start(NULL, AUDIT_LOGIN);
1019 if (ab) { 1045 if (ab) {
1020 audit_log_format(ab, "login pid=%d uid=%u " 1046 audit_log_format(ab, "login pid=%d uid=%u "
1021 "old loginuid=%u new loginuid=%u", 1047 "old loginuid=%u new loginuid=%u",
1022 task->pid, task->uid, 1048 task->pid, task->uid,
1023 task->audit_context->loginuid, loginuid); 1049 task->audit_context->loginuid, loginuid);
1024 audit_set_type(ab, AUDIT_LOGIN);
1025 audit_log_end(ab); 1050 audit_log_end(ab);
1026 } 1051 }
1027 task->audit_context->loginuid = loginuid; 1052 task->audit_context->loginuid = loginuid;
@@ -1051,8 +1076,68 @@ int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode)
1051 ax->gid = gid; 1076 ax->gid = gid;
1052 ax->mode = mode; 1077 ax->mode = mode;
1053 1078
1054 ax->d.type = AUDIT_AUX_IPCPERM; 1079 ax->d.type = AUDIT_IPC;
1055 ax->d.next = context->aux; 1080 ax->d.next = context->aux;
1056 context->aux = (void *)ax; 1081 context->aux = (void *)ax;
1057 return 0; 1082 return 0;
1058} 1083}
1084
1085int audit_socketcall(int nargs, unsigned long *args)
1086{
1087 struct audit_aux_data_socketcall *ax;
1088 struct audit_context *context = current->audit_context;
1089
1090 if (likely(!context))
1091 return 0;
1092
1093 ax = kmalloc(sizeof(*ax) + nargs * sizeof(unsigned long), GFP_KERNEL);
1094 if (!ax)
1095 return -ENOMEM;
1096
1097 ax->nargs = nargs;
1098 memcpy(ax->args, args, nargs * sizeof(unsigned long));
1099
1100 ax->d.type = AUDIT_SOCKETCALL;
1101 ax->d.next = context->aux;
1102 context->aux = (void *)ax;
1103 return 0;
1104}
1105
1106int audit_sockaddr(int len, void *a)
1107{
1108 struct audit_aux_data_sockaddr *ax;
1109 struct audit_context *context = current->audit_context;
1110
1111 if (likely(!context))
1112 return 0;
1113
1114 ax = kmalloc(sizeof(*ax) + len, GFP_KERNEL);
1115 if (!ax)
1116 return -ENOMEM;
1117
1118 ax->len = len;
1119 memcpy(ax->a, a, len);
1120
1121 ax->d.type = AUDIT_SOCKADDR;
1122 ax->d.next = context->aux;
1123 context->aux = (void *)ax;
1124 return 0;
1125}
1126
1127void audit_signal_info(int sig, struct task_struct *t)
1128{
1129 extern pid_t audit_sig_pid;
1130 extern uid_t audit_sig_uid;
1131
1132 if (unlikely(audit_pid && t->pid == audit_pid)) {
1133 if (sig == SIGTERM || sig == SIGHUP) {
1134 struct audit_context *ctx = current->audit_context;
1135 audit_sig_pid = current->pid;
1136 if (ctx)
1137 audit_sig_uid = ctx->loginuid;
1138 else
1139 audit_sig_uid = current->uid;
1140 }
1141 }
1142}
1143
diff --git a/kernel/signal.c b/kernel/signal.c
index 8f3debc77c5b..293e189d8bc3 100644
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -24,6 +24,7 @@
24#include <linux/ptrace.h> 24#include <linux/ptrace.h>
25#include <linux/posix-timers.h> 25#include <linux/posix-timers.h>
26#include <linux/signal.h> 26#include <linux/signal.h>
27#include <linux/audit.h>
27#include <asm/param.h> 28#include <asm/param.h>
28#include <asm/uaccess.h> 29#include <asm/uaccess.h>
29#include <asm/unistd.h> 30#include <asm/unistd.h>
@@ -658,7 +659,11 @@ static int check_kill_permission(int sig, struct siginfo *info,
658 && (current->uid ^ t->suid) && (current->uid ^ t->uid) 659 && (current->uid ^ t->suid) && (current->uid ^ t->uid)
659 && !capable(CAP_KILL)) 660 && !capable(CAP_KILL))
660 return error; 661 return error;
661 return security_task_kill(t, info, sig); 662
663 error = security_task_kill(t, info, sig);
664 if (!error)
665 audit_signal_info(sig, t); /* Let audit system see the signal */
666 return error;
662} 667}
663 668
664/* forward decl */ 669/* forward decl */
diff --git a/net/socket.c b/net/socket.c
index cec0cb38b9ce..6b7c3b51a7c1 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -81,6 +81,7 @@
81#include <linux/syscalls.h> 81#include <linux/syscalls.h>
82#include <linux/compat.h> 82#include <linux/compat.h>
83#include <linux/kmod.h> 83#include <linux/kmod.h>
84#include <linux/audit.h>
84 85
85#ifdef CONFIG_NET_RADIO 86#ifdef CONFIG_NET_RADIO
86#include <linux/wireless.h> /* Note : will define WIRELESS_EXT */ 87#include <linux/wireless.h> /* Note : will define WIRELESS_EXT */
@@ -226,7 +227,7 @@ int move_addr_to_kernel(void __user *uaddr, int ulen, void *kaddr)
226 return 0; 227 return 0;
227 if(copy_from_user(kaddr,uaddr,ulen)) 228 if(copy_from_user(kaddr,uaddr,ulen))
228 return -EFAULT; 229 return -EFAULT;
229 return 0; 230 return audit_sockaddr(ulen, kaddr);
230} 231}
231 232
232/** 233/**
@@ -1906,7 +1907,11 @@ asmlinkage long sys_socketcall(int call, unsigned long __user *args)
1906 /* copy_from_user should be SMP safe. */ 1907 /* copy_from_user should be SMP safe. */
1907 if (copy_from_user(a, args, nargs[call])) 1908 if (copy_from_user(a, args, nargs[call]))
1908 return -EFAULT; 1909 return -EFAULT;
1909 1910
1911 err = audit_socketcall(nargs[call]/sizeof(unsigned long), args);
1912 if (err)
1913 return err;
1914
1910 a0=a[0]; 1915 a0=a[0];
1911 a1=a[1]; 1916 a1=a[1];
1912 1917
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index 85a6f66a873f..62b963aca275 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -242,7 +242,7 @@ void __init avc_init(void)
242 avc_node_cachep = kmem_cache_create("avc_node", sizeof(struct avc_node), 242 avc_node_cachep = kmem_cache_create("avc_node", sizeof(struct avc_node),
243 0, SLAB_PANIC, NULL, NULL); 243 0, SLAB_PANIC, NULL, NULL);
244 244
245 audit_log(current->audit_context, "AVC INITIALIZED\n"); 245 audit_log(current->audit_context, AUDIT_KERNEL, "AVC INITIALIZED\n");
246} 246}
247 247
248int avc_get_hash_stats(char *page) 248int avc_get_hash_stats(char *page)
@@ -532,6 +532,7 @@ void avc_audit(u32 ssid, u32 tsid,
532 u16 tclass, u32 requested, 532 u16 tclass, u32 requested,
533 struct av_decision *avd, int result, struct avc_audit_data *a) 533 struct av_decision *avd, int result, struct avc_audit_data *a)
534{ 534{
535 struct task_struct *tsk = current;
535 struct inode *inode = NULL; 536 struct inode *inode = NULL;
536 u32 denied, audited; 537 u32 denied, audited;
537 struct audit_buffer *ab; 538 struct audit_buffer *ab;
@@ -549,12 +550,18 @@ void avc_audit(u32 ssid, u32 tsid,
549 return; 550 return;
550 } 551 }
551 552
552 ab = audit_log_start(current->audit_context); 553 ab = audit_log_start(current->audit_context, AUDIT_AVC);
553 if (!ab) 554 if (!ab)
554 return; /* audit_panic has been called */ 555 return; /* audit_panic has been called */
555 audit_log_format(ab, "avc: %s ", denied ? "denied" : "granted"); 556 audit_log_format(ab, "avc: %s ", denied ? "denied" : "granted");
556 avc_dump_av(ab, tclass,audited); 557 avc_dump_av(ab, tclass,audited);
557 audit_log_format(ab, " for "); 558 audit_log_format(ab, " for ");
559 if (a && a->tsk)
560 tsk = a->tsk;
561 if (a->tsk && a->tsk->pid) {
562 audit_log_format(ab, " pid=%d comm=", tsk->pid);
563 audit_log_untrustedstring(ab, tsk->comm);
564 }
558 if (a) { 565 if (a) {
559 switch (a->type) { 566 switch (a->type) {
560 case AVC_AUDIT_DATA_IPC: 567 case AVC_AUDIT_DATA_IPC:
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index aae1e794fe48..db845cbd5841 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3419,7 +3419,7 @@ static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3419 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm); 3419 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
3420 if (err) { 3420 if (err) {
3421 if (err == -EINVAL) { 3421 if (err == -EINVAL) {
3422 audit_log(current->audit_context, 3422 audit_log(current->audit_context, AUDIT_SELINUX_ERR,
3423 "SELinux: unrecognized netlink message" 3423 "SELinux: unrecognized netlink message"
3424 " type=%hu for sclass=%hu\n", 3424 " type=%hu for sclass=%hu\n",
3425 nlh->nlmsg_type, isec->sclass); 3425 nlh->nlmsg_type, isec->sclass);
diff --git a/security/selinux/nlmsgtab.c b/security/selinux/nlmsgtab.c
index b3adb481bc25..f0fb6d76f7c5 100644
--- a/security/selinux/nlmsgtab.c
+++ b/security/selinux/nlmsgtab.c
@@ -97,6 +97,7 @@ static struct nlmsg_perm nlmsg_audit_perms[] =
97 { AUDIT_ADD, NETLINK_AUDIT_SOCKET__NLMSG_WRITE }, 97 { AUDIT_ADD, NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
98 { AUDIT_DEL, NETLINK_AUDIT_SOCKET__NLMSG_WRITE }, 98 { AUDIT_DEL, NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
99 { AUDIT_USER, NETLINK_AUDIT_SOCKET__NLMSG_RELAY }, 99 { AUDIT_USER, NETLINK_AUDIT_SOCKET__NLMSG_RELAY },
100 { AUDIT_SIGNAL_INFO, NETLINK_AUDIT_SOCKET__NLMSG_READ },
100}; 101};
101 102
102 103
@@ -141,8 +142,13 @@ int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm)
141 break; 142 break;
142 143
143 case SECCLASS_NETLINK_AUDIT_SOCKET: 144 case SECCLASS_NETLINK_AUDIT_SOCKET:
144 err = nlmsg_perm(nlmsg_type, perm, nlmsg_audit_perms, 145 if (nlmsg_type >= AUDIT_FIRST_USER_MSG &&
145 sizeof(nlmsg_audit_perms)); 146 nlmsg_type <= AUDIT_LAST_USER_MSG) {
147 *perm = NETLINK_AUDIT_SOCKET__NLMSG_RELAY;
148 } else {
149 err = nlmsg_perm(nlmsg_type, perm, nlmsg_audit_perms,
150 sizeof(nlmsg_audit_perms));
151 }
146 break; 152 break;
147 153
148 /* No messaging from userspace, or class unknown/unhandled */ 154 /* No messaging from userspace, or class unknown/unhandled */
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 8449d667b062..b6149147d5cb 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -365,7 +365,7 @@ static int security_validtrans_handle_fail(struct context *ocontext,
365 goto out; 365 goto out;
366 if (context_struct_to_string(tcontext, &t, &tlen) < 0) 366 if (context_struct_to_string(tcontext, &t, &tlen) < 0)
367 goto out; 367 goto out;
368 audit_log(current->audit_context, 368 audit_log(current->audit_context, AUDIT_SELINUX_ERR,
369 "security_validate_transition: denied for" 369 "security_validate_transition: denied for"
370 " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s", 370 " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s",
371 o, n, t, policydb.p_class_val_to_name[tclass-1]); 371 o, n, t, policydb.p_class_val_to_name[tclass-1]);
@@ -742,7 +742,7 @@ static int compute_sid_handle_invalid_context(
742 goto out; 742 goto out;
743 if (context_struct_to_string(newcontext, &n, &nlen) < 0) 743 if (context_struct_to_string(newcontext, &n, &nlen) < 0)
744 goto out; 744 goto out;
745 audit_log(current->audit_context, 745 audit_log(current->audit_context, AUDIT_SELINUX_ERR,
746 "security_compute_sid: invalid context %s" 746 "security_compute_sid: invalid context %s"
747 " for scontext=%s" 747 " for scontext=%s"
748 " tcontext=%s" 748 " tcontext=%s"
generated by cgit v1.2.2 (git 2.25.0) at 2024-12-20 21:39:25 -0500