aboutsummaryrefslogtreecommitdiffstats
path: root/kernel/audit.c
diff options
context:
space:
mode:
Diffstat (limited to 'kernel/audit.c')
-rw-r--r--kernel/audit.c587
1 files changed, 294 insertions, 293 deletions
diff --git a/kernel/audit.c b/kernel/audit.c
index 9c4f1af0c794..ef35166fdc29 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -46,6 +46,8 @@
46#include <asm/types.h> 46#include <asm/types.h>
47#include <linux/mm.h> 47#include <linux/mm.h>
48#include <linux/module.h> 48#include <linux/module.h>
49#include <linux/err.h>
50#include <linux/kthread.h>
49 51
50#include <linux/audit.h> 52#include <linux/audit.h>
51 53
@@ -68,7 +70,7 @@ static int audit_failure = AUDIT_FAIL_PRINTK;
68 70
69/* If audit records are to be written to the netlink socket, audit_pid 71/* If audit records are to be written to the netlink socket, audit_pid
70 * contains the (non-zero) pid. */ 72 * contains the (non-zero) pid. */
71static int audit_pid; 73int audit_pid;
72 74
73/* If audit_limit is non-zero, limit the rate of sending audit records 75/* If audit_limit is non-zero, limit the rate of sending audit records
74 * to that number per second. This prevents DoS attacks, but results in 76 * to that number per second. This prevents DoS attacks, but results in
@@ -77,7 +79,10 @@ static int audit_rate_limit;
77 79
78/* Number of outstanding audit_buffers allowed. */ 80/* Number of outstanding audit_buffers allowed. */
79static int audit_backlog_limit = 64; 81static int audit_backlog_limit = 64;
80static atomic_t audit_backlog = ATOMIC_INIT(0); 82
83/* The identity of the user shutting down the audit system. */
84uid_t audit_sig_uid = -1;
85pid_t audit_sig_pid = -1;
81 86
82/* Records can be lost in several ways: 87/* Records can be lost in several ways:
83 0) [suppressed in audit_alloc] 88 0) [suppressed in audit_alloc]
@@ -91,19 +96,17 @@ static atomic_t audit_lost = ATOMIC_INIT(0);
91/* The netlink socket. */ 96/* The netlink socket. */
92static struct sock *audit_sock; 97static struct sock *audit_sock;
93 98
94/* There are two lists of audit buffers. The txlist contains audit 99/* The audit_freelist is a list of pre-allocated audit buffers (if more
95 * buffers that cannot be sent immediately to the netlink device because
96 * we are in an irq context (these are sent later in a tasklet).
97 *
98 * The second list is a list of pre-allocated audit buffers (if more
99 * than AUDIT_MAXFREE are in use, the audit buffer is freed instead of 100 * than AUDIT_MAXFREE are in use, the audit buffer is freed instead of
100 * being placed on the freelist). */ 101 * being placed on the freelist). */
101static DEFINE_SPINLOCK(audit_txlist_lock);
102static DEFINE_SPINLOCK(audit_freelist_lock); 102static DEFINE_SPINLOCK(audit_freelist_lock);
103static int audit_freelist_count = 0; 103static int audit_freelist_count = 0;
104static LIST_HEAD(audit_txlist);
105static LIST_HEAD(audit_freelist); 104static LIST_HEAD(audit_freelist);
106 105
106static struct sk_buff_head audit_skb_queue;
107static struct task_struct *kauditd_task;
108static DECLARE_WAIT_QUEUE_HEAD(kauditd_wait);
109
107/* There are three lists of rules -- one to search at task creation 110/* There are three lists of rules -- one to search at task creation
108 * time, one to search at syscall entry time, and another to search at 111 * time, one to search at syscall entry time, and another to search at
109 * syscall exit time. */ 112 * syscall exit time. */
@@ -112,7 +115,7 @@ static LIST_HEAD(audit_entlist);
112static LIST_HEAD(audit_extlist); 115static LIST_HEAD(audit_extlist);
113 116
114/* The netlink socket is only to be read by 1 CPU, which lets us assume 117/* The netlink socket is only to be read by 1 CPU, which lets us assume
115 * that list additions and deletions never happen simultaneiously in 118 * that list additions and deletions never happen simultaneously in
116 * auditsc.c */ 119 * auditsc.c */
117static DECLARE_MUTEX(audit_netlink_sem); 120static DECLARE_MUTEX(audit_netlink_sem);
118 121
@@ -132,21 +135,14 @@ static DECLARE_MUTEX(audit_netlink_sem);
132 * use simultaneously. */ 135 * use simultaneously. */
133struct audit_buffer { 136struct audit_buffer {
134 struct list_head list; 137 struct list_head list;
135 struct sk_buff_head sklist; /* formatted skbs ready to send */ 138 struct sk_buff *skb; /* formatted skb ready to send */
136 struct audit_context *ctx; /* NULL or associated context */ 139 struct audit_context *ctx; /* NULL or associated context */
137 int len; /* used area of tmp */
138 char tmp[AUDIT_BUFSIZ];
139
140 /* Pointer to header and contents */
141 struct nlmsghdr *nlh;
142 int total;
143 int type;
144 int pid;
145}; 140};
146 141
147void audit_set_type(struct audit_buffer *ab, int type) 142static void audit_set_pid(struct audit_buffer *ab, pid_t pid)
148{ 143{
149 ab->type = type; 144 struct nlmsghdr *nlh = (struct nlmsghdr *)ab->skb->data;
145 nlh->nlmsg_pid = pid;
150} 146}
151 147
152struct audit_entry { 148struct audit_entry {
@@ -154,9 +150,6 @@ struct audit_entry {
154 struct audit_rule rule; 150 struct audit_rule rule;
155}; 151};
156 152
157static void audit_log_end_irq(struct audit_buffer *ab);
158static void audit_log_end_fast(struct audit_buffer *ab);
159
160static void audit_panic(const char *message) 153static void audit_panic(const char *message)
161{ 154{
162 switch (audit_failure) 155 switch (audit_failure)
@@ -227,10 +220,8 @@ void audit_log_lost(const char *message)
227 220
228 if (print) { 221 if (print) {
229 printk(KERN_WARNING 222 printk(KERN_WARNING
230 "audit: audit_lost=%d audit_backlog=%d" 223 "audit: audit_lost=%d audit_rate_limit=%d audit_backlog_limit=%d\n",
231 " audit_rate_limit=%d audit_backlog_limit=%d\n",
232 atomic_read(&audit_lost), 224 atomic_read(&audit_lost),
233 atomic_read(&audit_backlog),
234 audit_rate_limit, 225 audit_rate_limit,
235 audit_backlog_limit); 226 audit_backlog_limit);
236 audit_panic(message); 227 audit_panic(message);
@@ -242,7 +233,8 @@ static int audit_set_rate_limit(int limit, uid_t loginuid)
242{ 233{
243 int old = audit_rate_limit; 234 int old = audit_rate_limit;
244 audit_rate_limit = limit; 235 audit_rate_limit = limit;
245 audit_log(NULL, "audit_rate_limit=%d old=%d by auid %u", 236 audit_log(NULL, AUDIT_CONFIG_CHANGE,
237 "audit_rate_limit=%d old=%d by auid=%u",
246 audit_rate_limit, old, loginuid); 238 audit_rate_limit, old, loginuid);
247 return old; 239 return old;
248} 240}
@@ -251,7 +243,8 @@ static int audit_set_backlog_limit(int limit, uid_t loginuid)
251{ 243{
252 int old = audit_backlog_limit; 244 int old = audit_backlog_limit;
253 audit_backlog_limit = limit; 245 audit_backlog_limit = limit;
254 audit_log(NULL, "audit_backlog_limit=%d old=%d by auid %u", 246 audit_log(NULL, AUDIT_CONFIG_CHANGE,
247 "audit_backlog_limit=%d old=%d by auid=%u",
255 audit_backlog_limit, old, loginuid); 248 audit_backlog_limit, old, loginuid);
256 return old; 249 return old;
257} 250}
@@ -262,8 +255,9 @@ static int audit_set_enabled(int state, uid_t loginuid)
262 if (state != 0 && state != 1) 255 if (state != 0 && state != 1)
263 return -EINVAL; 256 return -EINVAL;
264 audit_enabled = state; 257 audit_enabled = state;
265 audit_log(NULL, "audit_enabled=%d old=%d by auid %u", 258 audit_log(NULL, AUDIT_CONFIG_CHANGE,
266 audit_enabled, old, loginuid); 259 "audit_enabled=%d old=%d by auid=%u",
260 audit_enabled, old, loginuid);
267 return old; 261 return old;
268} 262}
269 263
@@ -275,12 +269,44 @@ static int audit_set_failure(int state, uid_t loginuid)
275 && state != AUDIT_FAIL_PANIC) 269 && state != AUDIT_FAIL_PANIC)
276 return -EINVAL; 270 return -EINVAL;
277 audit_failure = state; 271 audit_failure = state;
278 audit_log(NULL, "audit_failure=%d old=%d by auid %u", 272 audit_log(NULL, AUDIT_CONFIG_CHANGE,
279 audit_failure, old, loginuid); 273 "audit_failure=%d old=%d by auid=%u",
274 audit_failure, old, loginuid);
280 return old; 275 return old;
281} 276}
282 277
283#ifdef CONFIG_NET 278int kauditd_thread(void *dummy)
279{
280 struct sk_buff *skb;
281
282 while (1) {
283 skb = skb_dequeue(&audit_skb_queue);
284 if (skb) {
285 if (audit_pid) {
286 int err = netlink_unicast(audit_sock, skb, audit_pid, 0);
287 if (err < 0) {
288 BUG_ON(err != -ECONNREFUSED); /* Shoudn't happen */
289 printk(KERN_ERR "audit: *NO* daemon at audit_pid=%d\n", audit_pid);
290 audit_pid = 0;
291 }
292 } else {
293 printk(KERN_ERR "%s\n", skb->data + NLMSG_SPACE(0));
294 kfree_skb(skb);
295 }
296 } else {
297 DECLARE_WAITQUEUE(wait, current);
298 set_current_state(TASK_INTERRUPTIBLE);
299 add_wait_queue(&kauditd_wait, &wait);
300
301 if (!skb_queue_len(&audit_skb_queue))
302 schedule();
303
304 __set_current_state(TASK_RUNNING);
305 remove_wait_queue(&kauditd_wait, &wait);
306 }
307 }
308}
309
284void audit_send_reply(int pid, int seq, int type, int done, int multi, 310void audit_send_reply(int pid, int seq, int type, int done, int multi,
285 void *payload, int size) 311 void *payload, int size)
286{ 312{
@@ -293,13 +319,16 @@ void audit_send_reply(int pid, int seq, int type, int done, int multi,
293 319
294 skb = alloc_skb(len, GFP_KERNEL); 320 skb = alloc_skb(len, GFP_KERNEL);
295 if (!skb) 321 if (!skb)
296 goto nlmsg_failure; 322 return;
297 323
298 nlh = NLMSG_PUT(skb, pid, seq, t, len - sizeof(*nlh)); 324 nlh = NLMSG_PUT(skb, pid, seq, t, size);
299 nlh->nlmsg_flags = flags; 325 nlh->nlmsg_flags = flags;
300 data = NLMSG_DATA(nlh); 326 data = NLMSG_DATA(nlh);
301 memcpy(data, payload, size); 327 memcpy(data, payload, size);
302 netlink_unicast(audit_sock, skb, pid, MSG_DONTWAIT); 328
329 /* Ignore failure. It'll only happen if the sender goes away,
330 because our timeout is set to infinite. */
331 netlink_unicast(audit_sock, skb, pid, 0);
303 return; 332 return;
304 333
305nlmsg_failure: /* Used by NLMSG_PUT */ 334nlmsg_failure: /* Used by NLMSG_PUT */
@@ -321,10 +350,12 @@ static int audit_netlink_ok(kernel_cap_t eff_cap, u16 msg_type)
321 case AUDIT_SET: 350 case AUDIT_SET:
322 case AUDIT_ADD: 351 case AUDIT_ADD:
323 case AUDIT_DEL: 352 case AUDIT_DEL:
353 case AUDIT_SIGNAL_INFO:
324 if (!cap_raised(eff_cap, CAP_AUDIT_CONTROL)) 354 if (!cap_raised(eff_cap, CAP_AUDIT_CONTROL))
325 err = -EPERM; 355 err = -EPERM;
326 break; 356 break;
327 case AUDIT_USER: 357 case AUDIT_USER:
358 case AUDIT_FIRST_USER_MSG...AUDIT_LAST_USER_MSG:
328 if (!cap_raised(eff_cap, CAP_AUDIT_WRITE)) 359 if (!cap_raised(eff_cap, CAP_AUDIT_WRITE))
329 err = -EPERM; 360 err = -EPERM;
330 break; 361 break;
@@ -344,11 +375,21 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
344 struct audit_buffer *ab; 375 struct audit_buffer *ab;
345 u16 msg_type = nlh->nlmsg_type; 376 u16 msg_type = nlh->nlmsg_type;
346 uid_t loginuid; /* loginuid of sender */ 377 uid_t loginuid; /* loginuid of sender */
378 struct audit_sig_info sig_data;
347 379
348 err = audit_netlink_ok(NETLINK_CB(skb).eff_cap, msg_type); 380 err = audit_netlink_ok(NETLINK_CB(skb).eff_cap, msg_type);
349 if (err) 381 if (err)
350 return err; 382 return err;
351 383
384 /* As soon as there's any sign of userspace auditd, start kauditd to talk to it */
385 if (!kauditd_task)
386 kauditd_task = kthread_run(kauditd_thread, NULL, "kauditd");
387 if (IS_ERR(kauditd_task)) {
388 err = PTR_ERR(kauditd_task);
389 kauditd_task = NULL;
390 return err;
391 }
392
352 pid = NETLINK_CREDS(skb)->pid; 393 pid = NETLINK_CREDS(skb)->pid;
353 uid = NETLINK_CREDS(skb)->uid; 394 uid = NETLINK_CREDS(skb)->uid;
354 loginuid = NETLINK_CB(skb).loginuid; 395 loginuid = NETLINK_CB(skb).loginuid;
@@ -363,7 +404,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
363 status_set.rate_limit = audit_rate_limit; 404 status_set.rate_limit = audit_rate_limit;
364 status_set.backlog_limit = audit_backlog_limit; 405 status_set.backlog_limit = audit_backlog_limit;
365 status_set.lost = atomic_read(&audit_lost); 406 status_set.lost = atomic_read(&audit_lost);
366 status_set.backlog = atomic_read(&audit_backlog); 407 status_set.backlog = skb_queue_len(&audit_skb_queue);
367 audit_send_reply(NETLINK_CB(skb).pid, seq, AUDIT_GET, 0, 0, 408 audit_send_reply(NETLINK_CB(skb).pid, seq, AUDIT_GET, 0, 0,
368 &status_set, sizeof(status_set)); 409 &status_set, sizeof(status_set));
369 break; 410 break;
@@ -382,7 +423,8 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
382 if (status_get->mask & AUDIT_STATUS_PID) { 423 if (status_get->mask & AUDIT_STATUS_PID) {
383 int old = audit_pid; 424 int old = audit_pid;
384 audit_pid = status_get->pid; 425 audit_pid = status_get->pid;
385 audit_log(NULL, "audit_pid=%d old=%d by auid %u", 426 audit_log(NULL, AUDIT_CONFIG_CHANGE,
427 "audit_pid=%d old=%d by auid=%u",
386 audit_pid, old, loginuid); 428 audit_pid, old, loginuid);
387 } 429 }
388 if (status_get->mask & AUDIT_STATUS_RATE_LIMIT) 430 if (status_get->mask & AUDIT_STATUS_RATE_LIMIT)
@@ -392,18 +434,15 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
392 loginuid); 434 loginuid);
393 break; 435 break;
394 case AUDIT_USER: 436 case AUDIT_USER:
395 ab = audit_log_start(NULL); 437 case AUDIT_FIRST_USER_MSG...AUDIT_LAST_USER_MSG:
438 ab = audit_log_start(NULL, msg_type);
396 if (!ab) 439 if (!ab)
397 break; /* audit_panic has been called */ 440 break; /* audit_panic has been called */
398 audit_log_format(ab, 441 audit_log_format(ab,
399 "user pid=%d uid=%d length=%d loginuid=%u" 442 "user pid=%d uid=%u auid=%u"
400 " msg='%.1024s'", 443 " msg='%.1024s'",
401 pid, uid, 444 pid, uid, loginuid, (char *)data);
402 (int)(nlh->nlmsg_len 445 audit_set_pid(ab, pid);
403 - ((char *)data - (char *)nlh)),
404 loginuid, (char *)data);
405 ab->type = AUDIT_USER;
406 ab->pid = pid;
407 audit_log_end(ab); 446 audit_log_end(ab);
408 break; 447 break;
409 case AUDIT_ADD: 448 case AUDIT_ADD:
@@ -412,12 +451,14 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
412 return -EINVAL; 451 return -EINVAL;
413 /* fallthrough */ 452 /* fallthrough */
414 case AUDIT_LIST: 453 case AUDIT_LIST:
415#ifdef CONFIG_AUDITSYSCALL
416 err = audit_receive_filter(nlh->nlmsg_type, NETLINK_CB(skb).pid, 454 err = audit_receive_filter(nlh->nlmsg_type, NETLINK_CB(skb).pid,
417 uid, seq, data, loginuid); 455 uid, seq, data, loginuid);
418#else 456 break;
419 err = -EOPNOTSUPP; 457 case AUDIT_SIGNAL_INFO:
420#endif 458 sig_data.uid = audit_sig_uid;
459 sig_data.pid = audit_sig_pid;
460 audit_send_reply(NETLINK_CB(skb).pid, seq, AUDIT_SIGNAL_INFO,
461 0, 0, &sig_data, sizeof(sig_data));
421 break; 462 break;
422 default: 463 default:
423 err = -EINVAL; 464 err = -EINVAL;
@@ -467,87 +508,6 @@ static void audit_receive(struct sock *sk, int length)
467 up(&audit_netlink_sem); 508 up(&audit_netlink_sem);
468} 509}
469 510
470/* Move data from tmp buffer into an skb. This is an extra copy, and
471 * that is unfortunate. However, the copy will only occur when a record
472 * is being written to user space, which is already a high-overhead
473 * operation. (Elimination of the copy is possible, for example, by
474 * writing directly into a pre-allocated skb, at the cost of wasting
475 * memory. */
476static void audit_log_move(struct audit_buffer *ab)
477{
478 struct sk_buff *skb;
479 char *start;
480 int extra = ab->nlh ? 0 : NLMSG_SPACE(0);
481
482 /* possible resubmission */
483 if (ab->len == 0)
484 return;
485
486 skb = skb_peek_tail(&ab->sklist);
487 if (!skb || skb_tailroom(skb) <= ab->len + extra) {
488 skb = alloc_skb(2 * ab->len + extra, GFP_ATOMIC);
489 if (!skb) {
490 ab->len = 0; /* Lose information in ab->tmp */
491 audit_log_lost("out of memory in audit_log_move");
492 return;
493 }
494 __skb_queue_tail(&ab->sklist, skb);
495 if (!ab->nlh)
496 ab->nlh = (struct nlmsghdr *)skb_put(skb,
497 NLMSG_SPACE(0));
498 }
499 start = skb_put(skb, ab->len);
500 memcpy(start, ab->tmp, ab->len);
501 ab->len = 0;
502}
503
504/* Iterate over the skbuff in the audit_buffer, sending their contents
505 * to user space. */
506static inline int audit_log_drain(struct audit_buffer *ab)
507{
508 struct sk_buff *skb;
509
510 while ((skb = skb_dequeue(&ab->sklist))) {
511 int retval = 0;
512
513 if (audit_pid) {
514 if (ab->nlh) {
515 ab->nlh->nlmsg_len = ab->total;
516 ab->nlh->nlmsg_type = ab->type;
517 ab->nlh->nlmsg_flags = 0;
518 ab->nlh->nlmsg_seq = 0;
519 ab->nlh->nlmsg_pid = ab->pid;
520 }
521 skb_get(skb); /* because netlink_* frees */
522 retval = netlink_unicast(audit_sock, skb, audit_pid,
523 MSG_DONTWAIT);
524 }
525 if (retval == -EAGAIN &&
526 (atomic_read(&audit_backlog)) < audit_backlog_limit) {
527 skb_queue_head(&ab->sklist, skb);
528 audit_log_end_irq(ab);
529 return 1;
530 }
531 if (retval < 0) {
532 if (retval == -ECONNREFUSED) {
533 printk(KERN_ERR
534 "audit: *NO* daemon at audit_pid=%d\n",
535 audit_pid);
536 audit_pid = 0;
537 } else
538 audit_log_lost("netlink socket too busy");
539 }
540 if (!audit_pid) { /* No daemon */
541 int offset = ab->nlh ? NLMSG_SPACE(0) : 0;
542 int len = skb->len - offset;
543 skb->data[offset + len] = '\0';
544 printk(KERN_ERR "%s\n", skb->data + offset);
545 }
546 kfree_skb(skb);
547 ab->nlh = NULL;
548 }
549 return 0;
550}
551 511
552/* Initialize audit support at boot time. */ 512/* Initialize audit support at boot time. */
553static int __init audit_init(void) 513static int __init audit_init(void)
@@ -558,40 +518,13 @@ static int __init audit_init(void)
558 if (!audit_sock) 518 if (!audit_sock)
559 audit_panic("cannot initialize netlink socket"); 519 audit_panic("cannot initialize netlink socket");
560 520
521 audit_sock->sk_sndtimeo = MAX_SCHEDULE_TIMEOUT;
522 skb_queue_head_init(&audit_skb_queue);
561 audit_initialized = 1; 523 audit_initialized = 1;
562 audit_enabled = audit_default; 524 audit_enabled = audit_default;
563 audit_log(NULL, "initialized"); 525 audit_log(NULL, AUDIT_KERNEL, "initialized");
564 return 0;
565}
566
567#else
568/* Without CONFIG_NET, we have no skbuffs. For now, print what we have
569 * in the buffer. */
570static void audit_log_move(struct audit_buffer *ab)
571{
572 printk(KERN_ERR "%*.*s\n", ab->len, ab->len, ab->tmp);
573 ab->len = 0;
574}
575
576static inline int audit_log_drain(struct audit_buffer *ab)
577{
578 return 0;
579}
580
581/* Initialize audit support at boot time. */
582int __init audit_init(void)
583{
584 printk(KERN_INFO "audit: initializing WITHOUT netlink support\n");
585 audit_sock = NULL;
586 audit_pid = 0;
587
588 audit_initialized = 1;
589 audit_enabled = audit_default;
590 audit_log(NULL, "initialized");
591 return 0; 526 return 0;
592} 527}
593#endif
594
595__initcall(audit_init); 528__initcall(audit_init);
596 529
597/* Process kernel command-line parameter at boot time. audit=0 or audit=1. */ 530/* Process kernel command-line parameter at boot time. audit=0 or audit=1. */
@@ -608,6 +541,102 @@ static int __init audit_enable(char *str)
608 541
609__setup("audit=", audit_enable); 542__setup("audit=", audit_enable);
610 543
544static void audit_buffer_free(struct audit_buffer *ab)
545{
546 unsigned long flags;
547
548 if (!ab)
549 return;
550
551 if (ab->skb)
552 kfree_skb(ab->skb);
553
554 spin_lock_irqsave(&audit_freelist_lock, flags);
555 if (++audit_freelist_count > AUDIT_MAXFREE)
556 kfree(ab);
557 else
558 list_add(&ab->list, &audit_freelist);
559 spin_unlock_irqrestore(&audit_freelist_lock, flags);
560}
561
562static struct audit_buffer * audit_buffer_alloc(struct audit_context *ctx,
563 int gfp_mask, int type)
564{
565 unsigned long flags;
566 struct audit_buffer *ab = NULL;
567 struct nlmsghdr *nlh;
568
569 spin_lock_irqsave(&audit_freelist_lock, flags);
570 if (!list_empty(&audit_freelist)) {
571 ab = list_entry(audit_freelist.next,
572 struct audit_buffer, list);
573 list_del(&ab->list);
574 --audit_freelist_count;
575 }
576 spin_unlock_irqrestore(&audit_freelist_lock, flags);
577
578 if (!ab) {
579 ab = kmalloc(sizeof(*ab), gfp_mask);
580 if (!ab)
581 goto err;
582 }
583
584 ab->skb = alloc_skb(AUDIT_BUFSIZ, gfp_mask);
585 if (!ab->skb)
586 goto err;
587
588 ab->ctx = ctx;
589 nlh = (struct nlmsghdr *)skb_put(ab->skb, NLMSG_SPACE(0));
590 nlh->nlmsg_type = type;
591 nlh->nlmsg_flags = 0;
592 nlh->nlmsg_pid = 0;
593 nlh->nlmsg_seq = 0;
594 return ab;
595err:
596 audit_buffer_free(ab);
597 return NULL;
598}
599
600/* Compute a serial number for the audit record. Audit records are
601 * written to user-space as soon as they are generated, so a complete
602 * audit record may be written in several pieces. The timestamp of the
603 * record and this serial number are used by the user-space tools to
604 * determine which pieces belong to the same audit record. The
605 * (timestamp,serial) tuple is unique for each syscall and is live from
606 * syscall entry to syscall exit.
607 *
608 * Atomic values are only guaranteed to be 24-bit, so we count down.
609 *
610 * NOTE: Another possibility is to store the formatted records off the
611 * audit context (for those records that have a context), and emit them
612 * all at syscall exit. However, this could delay the reporting of
613 * significant errors until syscall exit (or never, if the system
614 * halts). */
615unsigned int audit_serial(void)
616{
617 static atomic_t serial = ATOMIC_INIT(0xffffff);
618 unsigned int a, b;
619
620 do {
621 a = atomic_read(&serial);
622 if (atomic_dec_and_test(&serial))
623 atomic_set(&serial, 0xffffff);
624 b = atomic_read(&serial);
625 } while (b != a - 1);
626
627 return 0xffffff - b;
628}
629
630static inline void audit_get_stamp(struct audit_context *ctx,
631 struct timespec *t, unsigned int *serial)
632{
633 if (ctx)
634 auditsc_get_stamp(ctx, t, serial);
635 else {
636 *t = CURRENT_TIME;
637 *serial = audit_serial();
638 }
639}
611 640
612/* Obtain an audit buffer. This routine does locking to obtain the 641/* Obtain an audit buffer. This routine does locking to obtain the
613 * audit buffer, but then no locking is required for calls to 642 * audit buffer, but then no locking is required for calls to
@@ -615,10 +644,9 @@ __setup("audit=", audit_enable);
615 * syscall, then the syscall is marked as auditable and an audit record 644 * syscall, then the syscall is marked as auditable and an audit record
616 * will be written at syscall exit. If there is no associated task, tsk 645 * will be written at syscall exit. If there is no associated task, tsk
617 * should be NULL. */ 646 * should be NULL. */
618struct audit_buffer *audit_log_start(struct audit_context *ctx) 647struct audit_buffer *audit_log_start(struct audit_context *ctx, int type)
619{ 648{
620 struct audit_buffer *ab = NULL; 649 struct audit_buffer *ab = NULL;
621 unsigned long flags;
622 struct timespec t; 650 struct timespec t;
623 unsigned int serial; 651 unsigned int serial;
624 652
@@ -626,57 +654,48 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx)
626 return NULL; 654 return NULL;
627 655
628 if (audit_backlog_limit 656 if (audit_backlog_limit
629 && atomic_read(&audit_backlog) > audit_backlog_limit) { 657 && skb_queue_len(&audit_skb_queue) > audit_backlog_limit) {
630 if (audit_rate_check()) 658 if (audit_rate_check())
631 printk(KERN_WARNING 659 printk(KERN_WARNING
632 "audit: audit_backlog=%d > " 660 "audit: audit_backlog=%d > "
633 "audit_backlog_limit=%d\n", 661 "audit_backlog_limit=%d\n",
634 atomic_read(&audit_backlog), 662 skb_queue_len(&audit_skb_queue),
635 audit_backlog_limit); 663 audit_backlog_limit);
636 audit_log_lost("backlog limit exceeded"); 664 audit_log_lost("backlog limit exceeded");
637 return NULL; 665 return NULL;
638 } 666 }
639 667
640 spin_lock_irqsave(&audit_freelist_lock, flags); 668 ab = audit_buffer_alloc(ctx, GFP_ATOMIC, type);
641 if (!list_empty(&audit_freelist)) {
642 ab = list_entry(audit_freelist.next,
643 struct audit_buffer, list);
644 list_del(&ab->list);
645 --audit_freelist_count;
646 }
647 spin_unlock_irqrestore(&audit_freelist_lock, flags);
648
649 if (!ab)
650 ab = kmalloc(sizeof(*ab), GFP_ATOMIC);
651 if (!ab) { 669 if (!ab) {
652 audit_log_lost("out of memory in audit_log_start"); 670 audit_log_lost("out of memory in audit_log_start");
653 return NULL; 671 return NULL;
654 } 672 }
655 673
656 atomic_inc(&audit_backlog); 674 audit_get_stamp(ab->ctx, &t, &serial);
657 skb_queue_head_init(&ab->sklist);
658
659 ab->ctx = ctx;
660 ab->len = 0;
661 ab->nlh = NULL;
662 ab->total = 0;
663 ab->type = AUDIT_KERNEL;
664 ab->pid = 0;
665 675
666#ifdef CONFIG_AUDITSYSCALL
667 if (ab->ctx)
668 audit_get_stamp(ab->ctx, &t, &serial);
669 else
670#endif
671 {
672 t = CURRENT_TIME;
673 serial = 0;
674 }
675 audit_log_format(ab, "audit(%lu.%03lu:%u): ", 676 audit_log_format(ab, "audit(%lu.%03lu:%u): ",
676 t.tv_sec, t.tv_nsec/1000000, serial); 677 t.tv_sec, t.tv_nsec/1000000, serial);
677 return ab; 678 return ab;
678} 679}
679 680
681/**
682 * audit_expand - expand skb in the audit buffer
683 * @ab: audit_buffer
684 *
685 * Returns 0 (no space) on failed expansion, or available space if
686 * successful.
687 */
688static inline int audit_expand(struct audit_buffer *ab, int extra)
689{
690 struct sk_buff *skb = ab->skb;
691 int ret = pskb_expand_head(skb, skb_headroom(skb), extra,
692 GFP_ATOMIC);
693 if (ret < 0) {
694 audit_log_lost("out of memory in audit_expand");
695 return 0;
696 }
697 return skb_tailroom(skb);
698}
680 699
681/* Format an audit message into the audit buffer. If there isn't enough 700/* Format an audit message into the audit buffer. If there isn't enough
682 * room in the audit buffer, more room will be allocated and vsnprint 701 * room in the audit buffer, more room will be allocated and vsnprint
@@ -686,26 +705,35 @@ static void audit_log_vformat(struct audit_buffer *ab, const char *fmt,
686 va_list args) 705 va_list args)
687{ 706{
688 int len, avail; 707 int len, avail;
708 struct sk_buff *skb;
709 va_list args2;
689 710
690 if (!ab) 711 if (!ab)
691 return; 712 return;
692 713
693 avail = sizeof(ab->tmp) - ab->len; 714 BUG_ON(!ab->skb);
694 if (avail <= 0) { 715 skb = ab->skb;
695 audit_log_move(ab); 716 avail = skb_tailroom(skb);
696 avail = sizeof(ab->tmp) - ab->len; 717 if (avail == 0) {
718 avail = audit_expand(ab, AUDIT_BUFSIZ);
719 if (!avail)
720 goto out;
697 } 721 }
698 len = vsnprintf(ab->tmp + ab->len, avail, fmt, args); 722 va_copy(args2, args);
723 len = vsnprintf(skb->tail, avail, fmt, args);
699 if (len >= avail) { 724 if (len >= avail) {
700 /* The printk buffer is 1024 bytes long, so if we get 725 /* The printk buffer is 1024 bytes long, so if we get
701 * here and AUDIT_BUFSIZ is at least 1024, then we can 726 * here and AUDIT_BUFSIZ is at least 1024, then we can
702 * log everything that printk could have logged. */ 727 * log everything that printk could have logged. */
703 audit_log_move(ab); 728 avail = audit_expand(ab, max_t(unsigned, AUDIT_BUFSIZ, 1+len-avail));
704 avail = sizeof(ab->tmp) - ab->len; 729 if (!avail)
705 len = vsnprintf(ab->tmp + ab->len, avail, fmt, args); 730 goto out;
731 len = vsnprintf(skb->tail, avail, fmt, args2);
706 } 732 }
707 ab->len += (len < avail) ? len : avail; 733 if (len > 0)
708 ab->total += (len < avail) ? len : avail; 734 skb_put(skb, len);
735out:
736 return;
709} 737}
710 738
711/* Format a message into the audit buffer. All the work is done in 739/* Format a message into the audit buffer. All the work is done in
@@ -721,20 +749,47 @@ void audit_log_format(struct audit_buffer *ab, const char *fmt, ...)
721 va_end(args); 749 va_end(args);
722} 750}
723 751
724void audit_log_hex(struct audit_buffer *ab, const unsigned char *buf, size_t len) 752/* This function will take the passed buf and convert it into a string of
753 * ascii hex digits. The new string is placed onto the skb. */
754void audit_log_hex(struct audit_buffer *ab, const unsigned char *buf,
755 size_t len)
725{ 756{
726 int i; 757 int i, avail, new_len;
758 unsigned char *ptr;
759 struct sk_buff *skb;
760 static const unsigned char *hex = "0123456789ABCDEF";
761
762 BUG_ON(!ab->skb);
763 skb = ab->skb;
764 avail = skb_tailroom(skb);
765 new_len = len<<1;
766 if (new_len >= avail) {
767 /* Round the buffer request up to the next multiple */
768 new_len = AUDIT_BUFSIZ*(((new_len-avail)/AUDIT_BUFSIZ) + 1);
769 avail = audit_expand(ab, new_len);
770 if (!avail)
771 return;
772 }
727 773
728 for (i=0; i<len; i++) 774 ptr = skb->tail;
729 audit_log_format(ab, "%02x", buf[i]); 775 for (i=0; i<len; i++) {
776 *ptr++ = hex[(buf[i] & 0xF0)>>4]; /* Upper nibble */
777 *ptr++ = hex[buf[i] & 0x0F]; /* Lower nibble */
778 }
779 *ptr = 0;
780 skb_put(skb, len << 1); /* new string is twice the old string */
730} 781}
731 782
783/* This code will escape a string that is passed to it if the string
784 * contains a control character, unprintable character, double quote mark,
785 * or a space. Unescaped strings will start and end with a double quote mark.
786 * Strings that are escaped are printed in hex (2 digits per char). */
732void audit_log_untrustedstring(struct audit_buffer *ab, const char *string) 787void audit_log_untrustedstring(struct audit_buffer *ab, const char *string)
733{ 788{
734 const unsigned char *p = string; 789 const unsigned char *p = string;
735 790
736 while (*p) { 791 while (*p) {
737 if (*p == '"' || *p == ' ' || *p < 0x20 || *p > 0x7f) { 792 if (*p == '"' || *p < 0x21 || *p > 0x7f) {
738 audit_log_hex(ab, string, strlen(string)); 793 audit_log_hex(ab, string, strlen(string));
739 return; 794 return;
740 } 795 }
@@ -743,117 +798,63 @@ void audit_log_untrustedstring(struct audit_buffer *ab, const char *string)
743 audit_log_format(ab, "\"%s\"", string); 798 audit_log_format(ab, "\"%s\"", string);
744} 799}
745 800
746 801/* This is a helper-function to print the escaped d_path */
747/* This is a helper-function to print the d_path without using a static
748 * buffer or allocating another buffer in addition to the one in
749 * audit_buffer. */
750void audit_log_d_path(struct audit_buffer *ab, const char *prefix, 802void audit_log_d_path(struct audit_buffer *ab, const char *prefix,
751 struct dentry *dentry, struct vfsmount *vfsmnt) 803 struct dentry *dentry, struct vfsmount *vfsmnt)
752{ 804{
753 char *p; 805 char *p, *path;
754 int len, avail;
755 806
756 if (prefix) audit_log_format(ab, " %s", prefix); 807 if (prefix)
757 808 audit_log_format(ab, " %s", prefix);
758 if (ab->len > 128)
759 audit_log_move(ab);
760 avail = sizeof(ab->tmp) - ab->len;
761 p = d_path(dentry, vfsmnt, ab->tmp + ab->len, avail);
762 if (IS_ERR(p)) {
763 /* FIXME: can we save some information here? */
764 audit_log_format(ab, "<toolong>");
765 } else {
766 /* path isn't at start of buffer */
767 len = (ab->tmp + sizeof(ab->tmp) - 1) - p;
768 memmove(ab->tmp + ab->len, p, len);
769 ab->len += len;
770 ab->total += len;
771 }
772}
773
774/* Remove queued messages from the audit_txlist and send them to userspace. */
775static void audit_tasklet_handler(unsigned long arg)
776{
777 LIST_HEAD(list);
778 struct audit_buffer *ab;
779 unsigned long flags;
780 809
781 spin_lock_irqsave(&audit_txlist_lock, flags); 810 /* We will allow 11 spaces for ' (deleted)' to be appended */
782 list_splice_init(&audit_txlist, &list); 811 path = kmalloc(PATH_MAX+11, GFP_KERNEL);
783 spin_unlock_irqrestore(&audit_txlist_lock, flags); 812 if (!path) {
784 813 audit_log_format(ab, "<no memory>");
785 while (!list_empty(&list)) { 814 return;
786 ab = list_entry(list.next, struct audit_buffer, list);
787 list_del(&ab->list);
788 audit_log_end_fast(ab);
789 } 815 }
816 p = d_path(dentry, vfsmnt, path, PATH_MAX+11);
817 if (IS_ERR(p)) { /* Should never happen since we send PATH_MAX */
818 /* FIXME: can we save some information here? */
819 audit_log_format(ab, "<too long>");
820 } else
821 audit_log_untrustedstring(ab, p);
822 kfree(path);
790} 823}
791 824
792static DECLARE_TASKLET(audit_tasklet, audit_tasklet_handler, 0);
793
794/* The netlink_* functions cannot be called inside an irq context, so 825/* The netlink_* functions cannot be called inside an irq context, so
795 * the audit buffer is places on a queue and a tasklet is scheduled to 826 * the audit buffer is places on a queue and a tasklet is scheduled to
796 * remove them from the queue outside the irq context. May be called in 827 * remove them from the queue outside the irq context. May be called in
797 * any context. */ 828 * any context. */
798static void audit_log_end_irq(struct audit_buffer *ab) 829void audit_log_end(struct audit_buffer *ab)
799{
800 unsigned long flags;
801
802 if (!ab)
803 return;
804 spin_lock_irqsave(&audit_txlist_lock, flags);
805 list_add_tail(&ab->list, &audit_txlist);
806 spin_unlock_irqrestore(&audit_txlist_lock, flags);
807
808 tasklet_schedule(&audit_tasklet);
809}
810
811/* Send the message in the audit buffer directly to user space. May not
812 * be called in an irq context. */
813static void audit_log_end_fast(struct audit_buffer *ab)
814{ 830{
815 unsigned long flags;
816
817 BUG_ON(in_irq());
818 if (!ab) 831 if (!ab)
819 return; 832 return;
820 if (!audit_rate_check()) { 833 if (!audit_rate_check()) {
821 audit_log_lost("rate limit exceeded"); 834 audit_log_lost("rate limit exceeded");
822 } else { 835 } else {
823 audit_log_move(ab); 836 if (audit_pid) {
824 if (audit_log_drain(ab)) 837 struct nlmsghdr *nlh = (struct nlmsghdr *)ab->skb->data;
825 return; 838 nlh->nlmsg_len = ab->skb->len - NLMSG_SPACE(0);
839 skb_queue_tail(&audit_skb_queue, ab->skb);
840 ab->skb = NULL;
841 wake_up_interruptible(&kauditd_wait);
842 } else {
843 printk("%s\n", ab->skb->data + NLMSG_SPACE(0));
844 }
826 } 845 }
827 846 audit_buffer_free(ab);
828 atomic_dec(&audit_backlog);
829 spin_lock_irqsave(&audit_freelist_lock, flags);
830 if (++audit_freelist_count > AUDIT_MAXFREE)
831 kfree(ab);
832 else
833 list_add(&ab->list, &audit_freelist);
834 spin_unlock_irqrestore(&audit_freelist_lock, flags);
835}
836
837/* Send or queue the message in the audit buffer, depending on the
838 * current context. (A convenience function that may be called in any
839 * context.) */
840void audit_log_end(struct audit_buffer *ab)
841{
842 if (in_irq())
843 audit_log_end_irq(ab);
844 else
845 audit_log_end_fast(ab);
846} 847}
847 848
848/* Log an audit record. This is a convenience function that calls 849/* Log an audit record. This is a convenience function that calls
849 * audit_log_start, audit_log_vformat, and audit_log_end. It may be 850 * audit_log_start, audit_log_vformat, and audit_log_end. It may be
850 * called in any context. */ 851 * called in any context. */
851void audit_log(struct audit_context *ctx, const char *fmt, ...) 852void audit_log(struct audit_context *ctx, int type, const char *fmt, ...)
852{ 853{
853 struct audit_buffer *ab; 854 struct audit_buffer *ab;
854 va_list args; 855 va_list args;
855 856
856 ab = audit_log_start(ctx); 857 ab = audit_log_start(ctx, type);
857 if (ab) { 858 if (ab) {
858 va_start(args, fmt); 859 va_start(args, fmt);
859 audit_log_vformat(ab, fmt, args); 860 audit_log_vformat(ab, fmt, args);
generated by cgit v1.2.2 (git 2.25.0) at 2025-11-01 01:42:21 -0400