aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--include/linux/audit.h3
-rw-r--r--kernel/auditfilter.c9
-rw-r--r--kernel/auditsc.c28
3 files changed, 34 insertions, 6 deletions
diff --git a/include/linux/audit.h b/include/linux/audit.h
index c3aa09751814..b2ca666d9997 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -75,7 +75,7 @@
75#define AUDIT_DAEMON_CONFIG 1203 /* Daemon config change */ 75#define AUDIT_DAEMON_CONFIG 1203 /* Daemon config change */
76 76
77#define AUDIT_SYSCALL 1300 /* Syscall event */ 77#define AUDIT_SYSCALL 1300 /* Syscall event */
78#define AUDIT_FS_WATCH 1301 /* Filesystem watch event */ 78/* #define AUDIT_FS_WATCH 1301 * Deprecated */
79#define AUDIT_PATH 1302 /* Filename path information */ 79#define AUDIT_PATH 1302 /* Filename path information */
80#define AUDIT_IPC 1303 /* IPC record */ 80#define AUDIT_IPC 1303 /* IPC record */
81#define AUDIT_SOCKETCALL 1304 /* sys_socketcall arguments */ 81#define AUDIT_SOCKETCALL 1304 /* sys_socketcall arguments */
@@ -88,6 +88,7 @@
88#define AUDIT_MQ_SENDRECV 1313 /* POSIX MQ send/receive record type */ 88#define AUDIT_MQ_SENDRECV 1313 /* POSIX MQ send/receive record type */
89#define AUDIT_MQ_NOTIFY 1314 /* POSIX MQ notify record type */ 89#define AUDIT_MQ_NOTIFY 1314 /* POSIX MQ notify record type */
90#define AUDIT_MQ_GETSETATTR 1315 /* POSIX MQ get/set attribute record type */ 90#define AUDIT_MQ_GETSETATTR 1315 /* POSIX MQ get/set attribute record type */
91#define AUDIT_KERNEL_OTHER 1316 /* For use by 3rd party modules */
91 92
92#define AUDIT_AVC 1400 /* SE Linux avc denial or grant */ 93#define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
93#define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */ 94#define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 1a58a81fb09d..4f40d923af8e 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -411,7 +411,6 @@ static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule)
411 case AUDIT_FSGID: 411 case AUDIT_FSGID:
412 case AUDIT_LOGINUID: 412 case AUDIT_LOGINUID:
413 case AUDIT_PERS: 413 case AUDIT_PERS:
414 case AUDIT_ARCH:
415 case AUDIT_MSGTYPE: 414 case AUDIT_MSGTYPE:
416 case AUDIT_PPID: 415 case AUDIT_PPID:
417 case AUDIT_DEVMAJOR: 416 case AUDIT_DEVMAJOR:
@@ -423,6 +422,14 @@ static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule)
423 case AUDIT_ARG2: 422 case AUDIT_ARG2:
424 case AUDIT_ARG3: 423 case AUDIT_ARG3:
425 break; 424 break;
425 /* arch is only allowed to be = or != */
426 case AUDIT_ARCH:
427 if ((f->op != AUDIT_NOT_EQUAL) && (f->op != AUDIT_EQUAL)
428 && (f->op != AUDIT_NEGATE) && (f->op)) {
429 err = -EINVAL;
430 goto exit_free;
431 }
432 break;
426 case AUDIT_PERM: 433 case AUDIT_PERM:
427 if (f->val & ~15) 434 if (f->val & ~15)
428 goto exit_free; 435 goto exit_free;
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 105147631753..42f2f1179711 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -278,8 +278,11 @@ static int audit_filter_rules(struct task_struct *tsk,
278 result = audit_comparator(tsk->pid, f->op, f->val); 278 result = audit_comparator(tsk->pid, f->op, f->val);
279 break; 279 break;
280 case AUDIT_PPID: 280 case AUDIT_PPID:
281 if (ctx) 281 if (ctx) {
282 if (!ctx->ppid)
283 ctx->ppid = sys_getppid();
282 result = audit_comparator(ctx->ppid, f->op, f->val); 284 result = audit_comparator(ctx->ppid, f->op, f->val);
285 }
283 break; 286 break;
284 case AUDIT_UID: 287 case AUDIT_UID:
285 result = audit_comparator(tsk->uid, f->op, f->val); 288 result = audit_comparator(tsk->uid, f->op, f->val);
@@ -795,7 +798,8 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
795 798
796 /* tsk == current */ 799 /* tsk == current */
797 context->pid = tsk->pid; 800 context->pid = tsk->pid;
798 context->ppid = sys_getppid(); /* sic. tsk == current in all cases */ 801 if (!context->ppid)
802 context->ppid = sys_getppid();
799 context->uid = tsk->uid; 803 context->uid = tsk->uid;
800 context->gid = tsk->gid; 804 context->gid = tsk->gid;
801 context->euid = tsk->euid; 805 context->euid = tsk->euid;
@@ -1137,6 +1141,7 @@ void audit_syscall_entry(int arch, int major,
1137 context->ctime = CURRENT_TIME; 1141 context->ctime = CURRENT_TIME;
1138 context->in_syscall = 1; 1142 context->in_syscall = 1;
1139 context->auditable = !!(state == AUDIT_RECORD_CONTEXT); 1143 context->auditable = !!(state == AUDIT_RECORD_CONTEXT);
1144 context->ppid = 0;
1140} 1145}
1141 1146
1142/** 1147/**
@@ -1352,7 +1357,13 @@ void __audit_inode_child(const char *dname, const struct inode *inode,
1352 } 1357 }
1353 1358
1354update_context: 1359update_context:
1355 idx = context->name_count++; 1360 idx = context->name_count;
1361 if (context->name_count == AUDIT_NAMES) {
1362 printk(KERN_DEBUG "name_count maxed and losing %s\n",
1363 found_name ?: "(null)");
1364 return;
1365 }
1366 context->name_count++;
1356#if AUDIT_DEBUG 1367#if AUDIT_DEBUG
1357 context->ino_count++; 1368 context->ino_count++;
1358#endif 1369#endif
@@ -1370,7 +1381,16 @@ update_context:
1370 /* A parent was not found in audit_names, so copy the inode data for the 1381 /* A parent was not found in audit_names, so copy the inode data for the
1371 * provided parent. */ 1382 * provided parent. */
1372 if (!found_name) { 1383 if (!found_name) {
1373 idx = context->name_count++; 1384 idx = context->name_count;
1385 if (context->name_count == AUDIT_NAMES) {
1386 printk(KERN_DEBUG
1387 "name_count maxed and losing parent inode data: dev=%02x:%02x, inode=%lu",
1388 MAJOR(parent->i_sb->s_dev),
1389 MINOR(parent->i_sb->s_dev),
1390 parent->i_ino);
1391 return;
1392 }
1393 context->name_count++;
1374#if AUDIT_DEBUG 1394#if AUDIT_DEBUG
1375 context->ino_count++; 1395 context->ino_count++;
1376#endif 1396#endif
generated by cgit v1.2.2 (git 2.25.0) at 2025-11-11 18:18:13 -0500