aboutsummaryrefslogtreecommitdiffstats
path: root/kernel/audit.c
diff options
context:
space:
mode:
Diffstat (limited to 'kernel/audit.c')
-rw-r--r--kernel/audit.c128
1 files changed, 79 insertions, 49 deletions
diff --git a/kernel/audit.c b/kernel/audit.c
index 7f0699790d46..83096b67510a 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -79,6 +79,8 @@ static int audit_rate_limit;
79 79
80/* Number of outstanding audit_buffers allowed. */ 80/* Number of outstanding audit_buffers allowed. */
81static int audit_backlog_limit = 64; 81static int audit_backlog_limit = 64;
82static int audit_backlog_wait_time = 60 * HZ;
83static int audit_backlog_wait_overflow = 0;
82 84
83/* The identity of the user shutting down the audit system. */ 85/* The identity of the user shutting down the audit system. */
84uid_t audit_sig_uid = -1; 86uid_t audit_sig_uid = -1;
@@ -106,18 +108,12 @@ static LIST_HEAD(audit_freelist);
106static struct sk_buff_head audit_skb_queue; 108static struct sk_buff_head audit_skb_queue;
107static struct task_struct *kauditd_task; 109static struct task_struct *kauditd_task;
108static DECLARE_WAIT_QUEUE_HEAD(kauditd_wait); 110static DECLARE_WAIT_QUEUE_HEAD(kauditd_wait);
109 111static DECLARE_WAIT_QUEUE_HEAD(audit_backlog_wait);
110/* There are three lists of rules -- one to search at task creation
111 * time, one to search at syscall entry time, and another to search at
112 * syscall exit time. */
113static LIST_HEAD(audit_tsklist);
114static LIST_HEAD(audit_entlist);
115static LIST_HEAD(audit_extlist);
116 112
117/* The netlink socket is only to be read by 1 CPU, which lets us assume 113/* The netlink socket is only to be read by 1 CPU, which lets us assume
118 * that list additions and deletions never happen simultaneously in 114 * that list additions and deletions never happen simultaneously in
119 * auditsc.c */ 115 * auditsc.c */
120static DECLARE_MUTEX(audit_netlink_sem); 116DECLARE_MUTEX(audit_netlink_sem);
121 117
122/* AUDIT_BUFSIZ is the size of the temporary buffer used for formatting 118/* AUDIT_BUFSIZ is the size of the temporary buffer used for formatting
123 * audit records. Since printk uses a 1024 byte buffer, this buffer 119 * audit records. Since printk uses a 1024 byte buffer, this buffer
@@ -137,6 +133,7 @@ struct audit_buffer {
137 struct list_head list; 133 struct list_head list;
138 struct sk_buff *skb; /* formatted skb ready to send */ 134 struct sk_buff *skb; /* formatted skb ready to send */
139 struct audit_context *ctx; /* NULL or associated context */ 135 struct audit_context *ctx; /* NULL or associated context */
136 int gfp_mask;
140}; 137};
141 138
142static void audit_set_pid(struct audit_buffer *ab, pid_t pid) 139static void audit_set_pid(struct audit_buffer *ab, pid_t pid)
@@ -145,11 +142,6 @@ static void audit_set_pid(struct audit_buffer *ab, pid_t pid)
145 nlh->nlmsg_pid = pid; 142 nlh->nlmsg_pid = pid;
146} 143}
147 144
148struct audit_entry {
149 struct list_head list;
150 struct audit_rule rule;
151};
152
153static void audit_panic(const char *message) 145static void audit_panic(const char *message)
154{ 146{
155 switch (audit_failure) 147 switch (audit_failure)
@@ -233,7 +225,7 @@ static int audit_set_rate_limit(int limit, uid_t loginuid)
233{ 225{
234 int old = audit_rate_limit; 226 int old = audit_rate_limit;
235 audit_rate_limit = limit; 227 audit_rate_limit = limit;
236 audit_log(NULL, AUDIT_CONFIG_CHANGE, 228 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
237 "audit_rate_limit=%d old=%d by auid=%u", 229 "audit_rate_limit=%d old=%d by auid=%u",
238 audit_rate_limit, old, loginuid); 230 audit_rate_limit, old, loginuid);
239 return old; 231 return old;
@@ -243,7 +235,7 @@ static int audit_set_backlog_limit(int limit, uid_t loginuid)
243{ 235{
244 int old = audit_backlog_limit; 236 int old = audit_backlog_limit;
245 audit_backlog_limit = limit; 237 audit_backlog_limit = limit;
246 audit_log(NULL, AUDIT_CONFIG_CHANGE, 238 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
247 "audit_backlog_limit=%d old=%d by auid=%u", 239 "audit_backlog_limit=%d old=%d by auid=%u",
248 audit_backlog_limit, old, loginuid); 240 audit_backlog_limit, old, loginuid);
249 return old; 241 return old;
@@ -255,7 +247,7 @@ static int audit_set_enabled(int state, uid_t loginuid)
255 if (state != 0 && state != 1) 247 if (state != 0 && state != 1)
256 return -EINVAL; 248 return -EINVAL;
257 audit_enabled = state; 249 audit_enabled = state;
258 audit_log(NULL, AUDIT_CONFIG_CHANGE, 250 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
259 "audit_enabled=%d old=%d by auid=%u", 251 "audit_enabled=%d old=%d by auid=%u",
260 audit_enabled, old, loginuid); 252 audit_enabled, old, loginuid);
261 return old; 253 return old;
@@ -269,7 +261,7 @@ static int audit_set_failure(int state, uid_t loginuid)
269 && state != AUDIT_FAIL_PANIC) 261 && state != AUDIT_FAIL_PANIC)
270 return -EINVAL; 262 return -EINVAL;
271 audit_failure = state; 263 audit_failure = state;
272 audit_log(NULL, AUDIT_CONFIG_CHANGE, 264 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
273 "audit_failure=%d old=%d by auid=%u", 265 "audit_failure=%d old=%d by auid=%u",
274 audit_failure, old, loginuid); 266 audit_failure, old, loginuid);
275 return old; 267 return old;
@@ -281,6 +273,7 @@ int kauditd_thread(void *dummy)
281 273
282 while (1) { 274 while (1) {
283 skb = skb_dequeue(&audit_skb_queue); 275 skb = skb_dequeue(&audit_skb_queue);
276 wake_up(&audit_backlog_wait);
284 if (skb) { 277 if (skb) {
285 if (audit_pid) { 278 if (audit_pid) {
286 int err = netlink_unicast(audit_sock, skb, audit_pid, 0); 279 int err = netlink_unicast(audit_sock, skb, audit_pid, 0);
@@ -290,7 +283,7 @@ int kauditd_thread(void *dummy)
290 audit_pid = 0; 283 audit_pid = 0;
291 } 284 }
292 } else { 285 } else {
293 printk(KERN_ERR "%s\n", skb->data + NLMSG_SPACE(0)); 286 printk(KERN_NOTICE "%s\n", skb->data + NLMSG_SPACE(0));
294 kfree_skb(skb); 287 kfree_skb(skb);
295 } 288 }
296 } else { 289 } else {
@@ -423,7 +416,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
423 if (status_get->mask & AUDIT_STATUS_PID) { 416 if (status_get->mask & AUDIT_STATUS_PID) {
424 int old = audit_pid; 417 int old = audit_pid;
425 audit_pid = status_get->pid; 418 audit_pid = status_get->pid;
426 audit_log(NULL, AUDIT_CONFIG_CHANGE, 419 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
427 "audit_pid=%d old=%d by auid=%u", 420 "audit_pid=%d old=%d by auid=%u",
428 audit_pid, old, loginuid); 421 audit_pid, old, loginuid);
429 } 422 }
@@ -435,15 +428,21 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
435 break; 428 break;
436 case AUDIT_USER: 429 case AUDIT_USER:
437 case AUDIT_FIRST_USER_MSG...AUDIT_LAST_USER_MSG: 430 case AUDIT_FIRST_USER_MSG...AUDIT_LAST_USER_MSG:
438 ab = audit_log_start(NULL, msg_type); 431 if (!audit_enabled && msg_type != AUDIT_USER_AVC)
439 if (!ab) 432 return 0;
440 break; /* audit_panic has been called */ 433
441 audit_log_format(ab, 434 err = audit_filter_user(&NETLINK_CB(skb), msg_type);
442 "user pid=%d uid=%u auid=%u" 435 if (err == 1) {
443 " msg='%.1024s'", 436 err = 0;
444 pid, uid, loginuid, (char *)data); 437 ab = audit_log_start(NULL, GFP_KERNEL, msg_type);
445 audit_set_pid(ab, pid); 438 if (ab) {
446 audit_log_end(ab); 439 audit_log_format(ab,
440 "user pid=%d uid=%u auid=%u msg='%.1024s'",
441 pid, uid, loginuid, (char *)data);
442 audit_set_pid(ab, pid);
443 audit_log_end(ab);
444 }
445 }
447 break; 446 break;
448 case AUDIT_ADD: 447 case AUDIT_ADD:
449 case AUDIT_DEL: 448 case AUDIT_DEL:
@@ -523,7 +522,7 @@ static int __init audit_init(void)
523 skb_queue_head_init(&audit_skb_queue); 522 skb_queue_head_init(&audit_skb_queue);
524 audit_initialized = 1; 523 audit_initialized = 1;
525 audit_enabled = audit_default; 524 audit_enabled = audit_default;
526 audit_log(NULL, AUDIT_KERNEL, "initialized"); 525 audit_log(NULL, GFP_KERNEL, AUDIT_KERNEL, "initialized");
527 return 0; 526 return 0;
528} 527}
529__initcall(audit_init); 528__initcall(audit_init);
@@ -561,7 +560,7 @@ static void audit_buffer_free(struct audit_buffer *ab)
561} 560}
562 561
563static struct audit_buffer * audit_buffer_alloc(struct audit_context *ctx, 562static struct audit_buffer * audit_buffer_alloc(struct audit_context *ctx,
564 int gfp_mask, int type) 563 unsigned int __nocast gfp_mask, int type)
565{ 564{
566 unsigned long flags; 565 unsigned long flags;
567 struct audit_buffer *ab = NULL; 566 struct audit_buffer *ab = NULL;
@@ -587,6 +586,7 @@ static struct audit_buffer * audit_buffer_alloc(struct audit_context *ctx,
587 goto err; 586 goto err;
588 587
589 ab->ctx = ctx; 588 ab->ctx = ctx;
589 ab->gfp_mask = gfp_mask;
590 nlh = (struct nlmsghdr *)skb_put(ab->skb, NLMSG_SPACE(0)); 590 nlh = (struct nlmsghdr *)skb_put(ab->skb, NLMSG_SPACE(0));
591 nlh->nlmsg_type = type; 591 nlh->nlmsg_type = type;
592 nlh->nlmsg_flags = 0; 592 nlh->nlmsg_flags = 0;
@@ -606,26 +606,27 @@ err:
606 * (timestamp,serial) tuple is unique for each syscall and is live from 606 * (timestamp,serial) tuple is unique for each syscall and is live from
607 * syscall entry to syscall exit. 607 * syscall entry to syscall exit.
608 * 608 *
609 * Atomic values are only guaranteed to be 24-bit, so we count down.
610 *
611 * NOTE: Another possibility is to store the formatted records off the 609 * NOTE: Another possibility is to store the formatted records off the
612 * audit context (for those records that have a context), and emit them 610 * audit context (for those records that have a context), and emit them
613 * all at syscall exit. However, this could delay the reporting of 611 * all at syscall exit. However, this could delay the reporting of
614 * significant errors until syscall exit (or never, if the system 612 * significant errors until syscall exit (or never, if the system
615 * halts). */ 613 * halts). */
614
616unsigned int audit_serial(void) 615unsigned int audit_serial(void)
617{ 616{
618 static atomic_t serial = ATOMIC_INIT(0xffffff); 617 static spinlock_t serial_lock = SPIN_LOCK_UNLOCKED;
619 unsigned int a, b; 618 static unsigned int serial = 0;
619
620 unsigned long flags;
621 unsigned int ret;
620 622
623 spin_lock_irqsave(&serial_lock, flags);
621 do { 624 do {
622 a = atomic_read(&serial); 625 ret = ++serial;
623 if (atomic_dec_and_test(&serial)) 626 } while (unlikely(!ret));
624 atomic_set(&serial, 0xffffff); 627 spin_unlock_irqrestore(&serial_lock, flags);
625 b = atomic_read(&serial);
626 } while (b != a - 1);
627 628
628 return 0xffffff - b; 629 return ret;
629} 630}
630 631
631static inline void audit_get_stamp(struct audit_context *ctx, 632static inline void audit_get_stamp(struct audit_context *ctx,
@@ -645,17 +646,43 @@ static inline void audit_get_stamp(struct audit_context *ctx,
645 * syscall, then the syscall is marked as auditable and an audit record 646 * syscall, then the syscall is marked as auditable and an audit record
646 * will be written at syscall exit. If there is no associated task, tsk 647 * will be written at syscall exit. If there is no associated task, tsk
647 * should be NULL. */ 648 * should be NULL. */
648struct audit_buffer *audit_log_start(struct audit_context *ctx, int type) 649
650struct audit_buffer *audit_log_start(struct audit_context *ctx, int gfp_mask,
651 int type)
649{ 652{
650 struct audit_buffer *ab = NULL; 653 struct audit_buffer *ab = NULL;
651 struct timespec t; 654 struct timespec t;
652 unsigned int serial; 655 unsigned int serial;
656 int reserve;
657 unsigned long timeout_start = jiffies;
653 658
654 if (!audit_initialized) 659 if (!audit_initialized)
655 return NULL; 660 return NULL;
656 661
657 if (audit_backlog_limit 662 if (gfp_mask & __GFP_WAIT)
658 && skb_queue_len(&audit_skb_queue) > audit_backlog_limit) { 663 reserve = 0;
664 else
665 reserve = 5; /* Allow atomic callers to go up to five
666 entries over the normal backlog limit */
667
668 while (audit_backlog_limit
669 && skb_queue_len(&audit_skb_queue) > audit_backlog_limit + reserve) {
670 if (gfp_mask & __GFP_WAIT && audit_backlog_wait_time
671 && time_before(jiffies, timeout_start + audit_backlog_wait_time)) {
672
673 /* Wait for auditd to drain the queue a little */
674 DECLARE_WAITQUEUE(wait, current);
675 set_current_state(TASK_INTERRUPTIBLE);
676 add_wait_queue(&audit_backlog_wait, &wait);
677
678 if (audit_backlog_limit &&
679 skb_queue_len(&audit_skb_queue) > audit_backlog_limit)
680 schedule_timeout(timeout_start + audit_backlog_wait_time - jiffies);
681
682 __set_current_state(TASK_RUNNING);
683 remove_wait_queue(&audit_backlog_wait, &wait);
684 continue;
685 }
659 if (audit_rate_check()) 686 if (audit_rate_check())
660 printk(KERN_WARNING 687 printk(KERN_WARNING
661 "audit: audit_backlog=%d > " 688 "audit: audit_backlog=%d > "
@@ -663,10 +690,12 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, int type)
663 skb_queue_len(&audit_skb_queue), 690 skb_queue_len(&audit_skb_queue),
664 audit_backlog_limit); 691 audit_backlog_limit);
665 audit_log_lost("backlog limit exceeded"); 692 audit_log_lost("backlog limit exceeded");
693 audit_backlog_wait_time = audit_backlog_wait_overflow;
694 wake_up(&audit_backlog_wait);
666 return NULL; 695 return NULL;
667 } 696 }
668 697
669 ab = audit_buffer_alloc(ctx, GFP_ATOMIC, type); 698 ab = audit_buffer_alloc(ctx, gfp_mask, type);
670 if (!ab) { 699 if (!ab) {
671 audit_log_lost("out of memory in audit_log_start"); 700 audit_log_lost("out of memory in audit_log_start");
672 return NULL; 701 return NULL;
@@ -690,7 +719,7 @@ static inline int audit_expand(struct audit_buffer *ab, int extra)
690{ 719{
691 struct sk_buff *skb = ab->skb; 720 struct sk_buff *skb = ab->skb;
692 int ret = pskb_expand_head(skb, skb_headroom(skb), extra, 721 int ret = pskb_expand_head(skb, skb_headroom(skb), extra,
693 GFP_ATOMIC); 722 ab->gfp_mask);
694 if (ret < 0) { 723 if (ret < 0) {
695 audit_log_lost("out of memory in audit_expand"); 724 audit_log_lost("out of memory in audit_expand");
696 return 0; 725 return 0;
@@ -809,7 +838,7 @@ void audit_log_d_path(struct audit_buffer *ab, const char *prefix,
809 audit_log_format(ab, " %s", prefix); 838 audit_log_format(ab, " %s", prefix);
810 839
811 /* We will allow 11 spaces for ' (deleted)' to be appended */ 840 /* We will allow 11 spaces for ' (deleted)' to be appended */
812 path = kmalloc(PATH_MAX+11, GFP_KERNEL); 841 path = kmalloc(PATH_MAX+11, ab->gfp_mask);
813 if (!path) { 842 if (!path) {
814 audit_log_format(ab, "<no memory>"); 843 audit_log_format(ab, "<no memory>");
815 return; 844 return;
@@ -841,7 +870,7 @@ void audit_log_end(struct audit_buffer *ab)
841 ab->skb = NULL; 870 ab->skb = NULL;
842 wake_up_interruptible(&kauditd_wait); 871 wake_up_interruptible(&kauditd_wait);
843 } else { 872 } else {
844 printk("%s\n", ab->skb->data + NLMSG_SPACE(0)); 873 printk(KERN_NOTICE "%s\n", ab->skb->data + NLMSG_SPACE(0));
845 } 874 }
846 } 875 }
847 audit_buffer_free(ab); 876 audit_buffer_free(ab);
@@ -850,12 +879,13 @@ void audit_log_end(struct audit_buffer *ab)
850/* Log an audit record. This is a convenience function that calls 879/* Log an audit record. This is a convenience function that calls
851 * audit_log_start, audit_log_vformat, and audit_log_end. It may be 880 * audit_log_start, audit_log_vformat, and audit_log_end. It may be
852 * called in any context. */ 881 * called in any context. */
853void audit_log(struct audit_context *ctx, int type, const char *fmt, ...) 882void audit_log(struct audit_context *ctx, int gfp_mask, int type,
883 const char *fmt, ...)
854{ 884{
855 struct audit_buffer *ab; 885 struct audit_buffer *ab;
856 va_list args; 886 va_list args;
857 887
858 ab = audit_log_start(ctx, type); 888 ab = audit_log_start(ctx, gfp_mask, type);
859 if (ab) { 889 if (ab) {
860 va_start(args, fmt); 890 va_start(args, fmt);
861 audit_log_vformat(ab, fmt, args); 891 audit_log_vformat(ab, fmt, args);