1 files changed, 60 insertions, 33 deletions
diff --git a/kernel/audit.c b/kernel/audit.c
index ac26d4d960d3..9c4f1af0c794 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1,4 +1,4 @@
-/* audit.c -- Auditing support -*- linux-c -*-
+/* audit.c -- Auditing support
 * Gateway between the kernel (e.g., selinux) and the user-space audit daemon.
 * System-call specific features have moved to auditsc.c
 *
@@ -38,7 +38,7 @@
 *        6) Support low-overhead kernel-based filtering to minimize the
 *           information that must be passed to user-space.
 *
- * Example user-space utilities: http://people.redhat.com/faith/audit/
+ * Example user-space utilities: http://people.redhat.com/sgrubb/audit/
 */
 #include <linux/init.h>
@@ -142,7 +142,6 @@ struct audit_buffer {
        int                  total;
        int                  type;
        int                  pid;
-        int                  count; /* Times requeued */
 };
 void audit_set_type(struct audit_buffer *ab, int type)
@@ -239,36 +238,36 @@ void audit_log_lost(const char *message)
 }
-static int audit_set_rate_limit(int limit)
+static int audit_set_rate_limit(int limit, uid_t loginuid)
 {
        int old          = audit_rate_limit;
        audit_rate_limit = limit;
-        audit_log(current->audit_context, "audit_rate_limit=%d old=%d",
+        audit_log(NULL, "audit_rate_limit=%d old=%d by auid %u",
-                  audit_rate_limit, old);
+                        audit_rate_limit, old, loginuid);
        return old;
 }
-static int audit_set_backlog_limit(int limit)
+static int audit_set_backlog_limit(int limit, uid_t loginuid)
 {
        int old          = audit_backlog_limit;
        audit_backlog_limit = limit;
-        audit_log(current->audit_context, "audit_backlog_limit=%d old=%d",
+        audit_log(NULL, "audit_backlog_limit=%d old=%d by auid %u",
-                  audit_backlog_limit, old);
+                        audit_backlog_limit, old, loginuid);
        return old;
 }
-static int audit_set_enabled(int state)
+static int audit_set_enabled(int state, uid_t loginuid)
 {
        int old          = audit_enabled;
        if (state != 0 && state != 1)
                return -EINVAL;
        audit_enabled = state;
-        audit_log(current->audit_context, "audit_enabled=%d old=%d",
+        audit_log(NULL, "audit_enabled=%d old=%d by auid %u",
-                  audit_enabled, old);
+                  audit_enabled, old, loginuid);
        return old;
 }
-static int audit_set_failure(int state)
+static int audit_set_failure(int state, uid_t loginuid)
 {
        int old          = audit_failure;
        if (state != AUDIT_FAIL_SILENT
@@ -276,8 +275,8 @@ static int audit_set_failure(int state)
            && state != AUDIT_FAIL_PANIC)
                return -EINVAL;
        audit_failure = state;
-        audit_log(current->audit_context, "audit_failure=%d old=%d",
+        audit_log(NULL, "audit_failure=%d old=%d by auid %u",
-                  audit_failure, old);
+                  audit_failure, old, loginuid);
        return old;
 }
@@ -344,6 +343,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
        int                     err;
        struct audit_buffer     *ab;
        u16                     msg_type = nlh->nlmsg_type;
+        uid_t                   loginuid; /* loginuid of sender */
        err = audit_netlink_ok(NETLINK_CB(skb).eff_cap, msg_type);
        if (err)
@@ -351,6 +351,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
        pid  = NETLINK_CREDS(skb)->pid;
        uid  = NETLINK_CREDS(skb)->uid;
+        loginuid = NETLINK_CB(skb).loginuid;
        seq  = nlh->nlmsg_seq;
        data = NLMSG_DATA(nlh);
@@ -371,34 +372,36 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
                        return -EINVAL;
                status_get   = (struct audit_status *)data;
                if (status_get->mask & AUDIT_STATUS_ENABLED) {
-                        err = audit_set_enabled(status_get->enabled);
+                        err = audit_set_enabled(status_get->enabled, loginuid);
                        if (err < 0) return err;
                }
                if (status_get->mask & AUDIT_STATUS_FAILURE) {
-                        err = audit_set_failure(status_get->failure);
+                        err = audit_set_failure(status_get->failure, loginuid);
                        if (err < 0) return err;
                }
                if (status_get->mask & AUDIT_STATUS_PID) {
                        int old   = audit_pid;
                        audit_pid = status_get->pid;
-                        audit_log(current->audit_context,
+                        audit_log(NULL, "audit_pid=%d old=%d by auid %u",
-                                  "audit_pid=%d old=%d", audit_pid, old);
+                                  audit_pid, old, loginuid);
                }
                if (status_get->mask & AUDIT_STATUS_RATE_LIMIT)
-                        audit_set_rate_limit(status_get->rate_limit);
+                        audit_set_rate_limit(status_get->rate_limit, loginuid);
                if (status_get->mask & AUDIT_STATUS_BACKLOG_LIMIT)
-                        audit_set_backlog_limit(status_get->backlog_limit);
+                        audit_set_backlog_limit(status_get->backlog_limit,
+                                                        loginuid);
                break;
        case AUDIT_USER:
                ab = audit_log_start(NULL);
                if (!ab)
                        break;  /* audit_panic has been called */
                audit_log_format(ab,
-                                 "user pid=%d uid=%d length=%d msg='%.1024s'",
+                                 "user pid=%d uid=%d length=%d loginuid=%u"
+                                 " msg='%.1024s'",
                                 pid, uid,
                                 (int)(nlh->nlmsg_len
                                       - ((char *)data - (char *)nlh)),
-                                 (char *)data);
+                                 loginuid, (char *)data);
                ab->type = AUDIT_USER;
                ab->pid  = pid;
                audit_log_end(ab);
@@ -411,7 +414,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
        case AUDIT_LIST:
 #ifdef CONFIG_AUDITSYSCALL
                err = audit_receive_filter(nlh->nlmsg_type, NETLINK_CB(skb).pid,
-                                           uid, seq, data);
+                                           uid, seq, data, loginuid);
 #else
                err = -EOPNOTSUPP;
 #endif
@@ -480,7 +483,7 @@ static void audit_log_move(struct audit_buffer *ab)
        if (ab->len == 0)
                return;
-        skb = skb_peek(&ab->sklist);
+        skb = skb_peek_tail(&ab->sklist);
        if (!skb || skb_tailroom(skb) <= ab->len + extra) {
                skb = alloc_skb(2 * ab->len + extra, GFP_ATOMIC);
                if (!skb) {
@@ -519,9 +522,9 @@ static inline int audit_log_drain(struct audit_buffer *ab)
                        retval = netlink_unicast(audit_sock, skb, audit_pid,
                                                 MSG_DONTWAIT);
                }
-                if (retval == -EAGAIN && ab->count < 5) {
+                if (retval == -EAGAIN &&
-                        ++ab->count;
+                    (atomic_read(&audit_backlog)) < audit_backlog_limit) {
-                        skb_queue_tail(&ab->sklist, skb);
+                        skb_queue_head(&ab->sklist, skb);
                        audit_log_end_irq(ab);
                        return 1;
                }
@@ -537,8 +540,8 @@ static inline int audit_log_drain(struct audit_buffer *ab)
                if (!audit_pid) { /* No daemon */
                        int offset = ab->nlh ? NLMSG_SPACE(0) : 0;
                        int len    = skb->len - offset;
-                        printk(KERN_ERR "%*.*s\n",
+                        skb->data[offset + len] = '\0';
-                               len, len, skb->data + offset);
+                        printk(KERN_ERR "%s\n", skb->data + offset);
                }
                kfree_skb(skb);
                ab->nlh = NULL;
@@ -617,7 +620,7 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx)
        struct audit_buffer     *ab     = NULL;
        unsigned long           flags;
        struct timespec         t;
-        int                     serial  = 0;
+        unsigned int            serial;
        if (!audit_initialized)
                return NULL;
@@ -659,15 +662,16 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx)
        ab->total = 0;
        ab->type  = AUDIT_KERNEL;
        ab->pid   = 0;
-        ab->count = 0;
 #ifdef CONFIG_AUDITSYSCALL
        if (ab->ctx)
                audit_get_stamp(ab->ctx, &t, &serial);
        else
 #endif
+        {
                t = CURRENT_TIME;
+                serial = 0;
+        }
        audit_log_format(ab, "audit(%lu.%03lu:%u): ",
                         t.tv_sec, t.tv_nsec/1000000, serial);
        return ab;
@@ -717,6 +721,29 @@ void audit_log_format(struct audit_buffer *ab, const char *fmt, ...)
        va_end(args);
 }
+void audit_log_hex(struct audit_buffer *ab, const unsigned char *buf, size_t len)
+{
+        int i;
+        for (i=0; i<len; i++)
+                audit_log_format(ab, "%02x", buf[i]);
+}
+void audit_log_untrustedstring(struct audit_buffer *ab, const char *string)
+{
+        const unsigned char *p = string;
+        while (*p) {
+                if (*p == '"' || *p == ' ' || *p < 0x20 || *p > 0x7f) {
+                        audit_log_hex(ab, string, strlen(string));
+                        return;
+                }
+                p++;
+        }
+        audit_log_format(ab, "\"%s\"", string);
+}
 /* This is a helper-function to print the d_path without using a static
 * buffer or allocating another buffer in addition to the one in
 * audit_buffer. */

diff --git a/kernel/audit.c b/kernel/audit.c index ac26d4d960d3..9c4f1af0c794 100644 --- a/kernel/audit.c +++ b/kernel/audit.c
@@ -1,4 +1,4 @@
1	/* audit.c -- Auditing support -- linux-c --	1	/* audit.c -- Auditing support
2	* Gateway between the kernel (e.g., selinux) and the user-space audit daemon.	2	* Gateway between the kernel (e.g., selinux) and the user-space audit daemon.
3	* System-call specific features have moved to auditsc.c	3	* System-call specific features have moved to auditsc.c
4	*	4	*
@@ -38,7 +38,7 @@
38	* 6) Support low-overhead kernel-based filtering to minimize the	38	* 6) Support low-overhead kernel-based filtering to minimize the
39	* information that must be passed to user-space.	39	* information that must be passed to user-space.
40	*	40	*
41	* Example user-space utilities: http://people.redhat.com/faith/audit/	41	* Example user-space utilities: http://people.redhat.com/sgrubb/audit/
42	*/	42	*/
43		43
44	#include <linux/init.h>	44	#include <linux/init.h>
@@ -142,7 +142,6 @@ struct audit_buffer {
142	int total;	142	int total;
143	int type;	143	int type;
144	int pid;	144	int pid;
145	int count; /* Times requeued */
146	};	145	};
147		146
148	void audit_set_type(struct audit_buffer *ab, int type)	147	void audit_set_type(struct audit_buffer *ab, int type)
@@ -239,36 +238,36 @@ void audit_log_lost(const char *message)
239		238
240	}	239	}
241		240
242	static int audit_set_rate_limit(int limit)	241	static int audit_set_rate_limit(int limit, uid_t loginuid)
243	{	242	{
244	int old = audit_rate_limit;	243	int old = audit_rate_limit;
245	audit_rate_limit = limit;	244	audit_rate_limit = limit;
246	audit_log(current->audit_context, "audit_rate_limit=%d old=%d",	245	audit_log(NULL, "audit_rate_limit=%d old=%d by auid %u",
247	audit_rate_limit, old);	246	audit_rate_limit, old, loginuid);
248	return old;	247	return old;
249	}	248	}
250		249
251	static int audit_set_backlog_limit(int limit)	250	static int audit_set_backlog_limit(int limit, uid_t loginuid)
252	{	251	{
253	int old = audit_backlog_limit;	252	int old = audit_backlog_limit;
254	audit_backlog_limit = limit;	253	audit_backlog_limit = limit;
255	audit_log(current->audit_context, "audit_backlog_limit=%d old=%d",	254	audit_log(NULL, "audit_backlog_limit=%d old=%d by auid %u",
256	audit_backlog_limit, old);	255	audit_backlog_limit, old, loginuid);
257	return old;	256	return old;
258	}	257	}
259		258
260	static int audit_set_enabled(int state)	259	static int audit_set_enabled(int state, uid_t loginuid)
261	{	260	{
262	int old = audit_enabled;	261	int old = audit_enabled;
263	if (state != 0 && state != 1)	262	if (state != 0 && state != 1)
264	return -EINVAL;	263	return -EINVAL;
265	audit_enabled = state;	264	audit_enabled = state;
266	audit_log(current->audit_context, "audit_enabled=%d old=%d",	265	audit_log(NULL, "audit_enabled=%d old=%d by auid %u",
267	audit_enabled, old);	266	audit_enabled, old, loginuid);
268	return old;	267	return old;
269	}	268	}
270		269
271	static int audit_set_failure(int state)	270	static int audit_set_failure(int state, uid_t loginuid)
272	{	271	{
273	int old = audit_failure;	272	int old = audit_failure;
274	if (state != AUDIT_FAIL_SILENT	273	if (state != AUDIT_FAIL_SILENT
@@ -276,8 +275,8 @@ static int audit_set_failure(int state)
276	&& state != AUDIT_FAIL_PANIC)	275	&& state != AUDIT_FAIL_PANIC)
277	return -EINVAL;	276	return -EINVAL;
278	audit_failure = state;	277	audit_failure = state;
279	audit_log(current->audit_context, "audit_failure=%d old=%d",	278	audit_log(NULL, "audit_failure=%d old=%d by auid %u",
280	audit_failure, old);	279	audit_failure, old, loginuid);
281	return old;	280	return old;
282	}	281	}
283		282
@@ -344,6 +343,7 @@ static int audit_receive_msg(struct sk_buff skb, struct nlmsghdr nlh)
344	int err;	343	int err;
345	struct audit_buffer *ab;	344	struct audit_buffer *ab;
346	u16 msg_type = nlh->nlmsg_type;	345	u16 msg_type = nlh->nlmsg_type;
		346	uid_t loginuid; /* loginuid of sender */
347		347
348	err = audit_netlink_ok(NETLINK_CB(skb).eff_cap, msg_type);	348	err = audit_netlink_ok(NETLINK_CB(skb).eff_cap, msg_type);
349	if (err)	349	if (err)
@@ -351,6 +351,7 @@ static int audit_receive_msg(struct sk_buff skb, struct nlmsghdr nlh)
351		351
352	pid = NETLINK_CREDS(skb)->pid;	352	pid = NETLINK_CREDS(skb)->pid;
353	uid = NETLINK_CREDS(skb)->uid;	353	uid = NETLINK_CREDS(skb)->uid;
		354	loginuid = NETLINK_CB(skb).loginuid;
354	seq = nlh->nlmsg_seq;	355	seq = nlh->nlmsg_seq;
355	data = NLMSG_DATA(nlh);	356	data = NLMSG_DATA(nlh);
356		357
@@ -371,34 +372,36 @@ static int audit_receive_msg(struct sk_buff skb, struct nlmsghdr nlh)
371	return -EINVAL;	372	return -EINVAL;
372	status_get = (struct audit_status *)data;	373	status_get = (struct audit_status *)data;
373	if (status_get->mask & AUDIT_STATUS_ENABLED) {	374	if (status_get->mask & AUDIT_STATUS_ENABLED) {
374	err = audit_set_enabled(status_get->enabled);	375	err = audit_set_enabled(status_get->enabled, loginuid);
375	if (err < 0) return err;	376	if (err < 0) return err;
376	}	377	}
377	if (status_get->mask & AUDIT_STATUS_FAILURE) {	378	if (status_get->mask & AUDIT_STATUS_FAILURE) {
378	err = audit_set_failure(status_get->failure);	379	err = audit_set_failure(status_get->failure, loginuid);
379	if (err < 0) return err;	380	if (err < 0) return err;
380	}	381	}
381	if (status_get->mask & AUDIT_STATUS_PID) {	382	if (status_get->mask & AUDIT_STATUS_PID) {
382	int old = audit_pid;	383	int old = audit_pid;
383	audit_pid = status_get->pid;	384	audit_pid = status_get->pid;
384	audit_log(current->audit_context,	385	audit_log(NULL, "audit_pid=%d old=%d by auid %u",
385	"audit_pid=%d old=%d", audit_pid, old);	386	audit_pid, old, loginuid);
386	}	387	}
387	if (status_get->mask & AUDIT_STATUS_RATE_LIMIT)	388	if (status_get->mask & AUDIT_STATUS_RATE_LIMIT)
388	audit_set_rate_limit(status_get->rate_limit);	389	audit_set_rate_limit(status_get->rate_limit, loginuid);
389	if (status_get->mask & AUDIT_STATUS_BACKLOG_LIMIT)	390	if (status_get->mask & AUDIT_STATUS_BACKLOG_LIMIT)
390	audit_set_backlog_limit(status_get->backlog_limit);	391	audit_set_backlog_limit(status_get->backlog_limit,
		392	loginuid);
391	break;	393	break;
392	case AUDIT_USER:	394	case AUDIT_USER:
393	ab = audit_log_start(NULL);	395	ab = audit_log_start(NULL);
394	if (!ab)	396	if (!ab)
395	break; /* audit_panic has been called */	397	break; /* audit_panic has been called */
396	audit_log_format(ab,	398	audit_log_format(ab,
397	"user pid=%d uid=%d length=%d msg='%.1024s'",	399	"user pid=%d uid=%d length=%d loginuid=%u"
		400	" msg='%.1024s'",
398	pid, uid,	401	pid, uid,
399	(int)(nlh->nlmsg_len	402	(int)(nlh->nlmsg_len
400	- ((char )data - (char )nlh)),	403	- ((char )data - (char )nlh)),
401	(char *)data);	404	loginuid, (char *)data);
402	ab->type = AUDIT_USER;	405	ab->type = AUDIT_USER;
403	ab->pid = pid;	406	ab->pid = pid;
404	audit_log_end(ab);	407	audit_log_end(ab);
@@ -411,7 +414,7 @@ static int audit_receive_msg(struct sk_buff skb, struct nlmsghdr nlh)
411	case AUDIT_LIST:	414	case AUDIT_LIST:
412	#ifdef CONFIG_AUDITSYSCALL	415	#ifdef CONFIG_AUDITSYSCALL
413	err = audit_receive_filter(nlh->nlmsg_type, NETLINK_CB(skb).pid,	416	err = audit_receive_filter(nlh->nlmsg_type, NETLINK_CB(skb).pid,
414	uid, seq, data);	417	uid, seq, data, loginuid);
415	#else	418	#else
416	err = -EOPNOTSUPP;	419	err = -EOPNOTSUPP;
417	#endif	420	#endif
@@ -480,7 +483,7 @@ static void audit_log_move(struct audit_buffer *ab)
480	if (ab->len == 0)	483	if (ab->len == 0)
481	return;	484	return;
482		485
483	skb = skb_peek(&ab->sklist);	486	skb = skb_peek_tail(&ab->sklist);
484	if (!skb \|\| skb_tailroom(skb) <= ab->len + extra) {	487	if (!skb \|\| skb_tailroom(skb) <= ab->len + extra) {
485	skb = alloc_skb(2 * ab->len + extra, GFP_ATOMIC);	488	skb = alloc_skb(2 * ab->len + extra, GFP_ATOMIC);
486	if (!skb) {	489	if (!skb) {
@@ -519,9 +522,9 @@ static inline int audit_log_drain(struct audit_buffer *ab)
519	retval = netlink_unicast(audit_sock, skb, audit_pid,	522	retval = netlink_unicast(audit_sock, skb, audit_pid,
520	MSG_DONTWAIT);	523	MSG_DONTWAIT);
521	}	524	}
522	if (retval == -EAGAIN && ab->count < 5) {	525	if (retval == -EAGAIN &&
523	++ab->count;	526	(atomic_read(&audit_backlog)) < audit_backlog_limit) {
524	skb_queue_tail(&ab->sklist, skb);	527	skb_queue_head(&ab->sklist, skb);
525	audit_log_end_irq(ab);	528	audit_log_end_irq(ab);
526	return 1;	529	return 1;
527	}	530	}
@@ -537,8 +540,8 @@ static inline int audit_log_drain(struct audit_buffer *ab)
537	if (!audit_pid) { /* No daemon */	540	if (!audit_pid) { /* No daemon */
538	int offset = ab->nlh ? NLMSG_SPACE(0) : 0;	541	int offset = ab->nlh ? NLMSG_SPACE(0) : 0;
539	int len = skb->len - offset;	542	int len = skb->len - offset;
540	printk(KERN_ERR "%.s\n",	543	skb->data[offset + len] = '\0';
541	len, len, skb->data + offset);	544	printk(KERN_ERR "%s\n", skb->data + offset);
542	}	545	}
543	kfree_skb(skb);	546	kfree_skb(skb);
544	ab->nlh = NULL;	547	ab->nlh = NULL;
@@ -617,7 +620,7 @@ struct audit_buffer audit_log_start(struct audit_context ctx)
617	struct audit_buffer *ab = NULL;	620	struct audit_buffer *ab = NULL;
618	unsigned long flags;	621	unsigned long flags;
619	struct timespec t;	622	struct timespec t;
620	int serial = 0;	623	unsigned int serial;
621		624
622	if (!audit_initialized)	625	if (!audit_initialized)
623	return NULL;	626	return NULL;
@@ -659,15 +662,16 @@ struct audit_buffer audit_log_start(struct audit_context ctx)
659	ab->total = 0;	662	ab->total = 0;
660	ab->type = AUDIT_KERNEL;	663	ab->type = AUDIT_KERNEL;
661	ab->pid = 0;	664	ab->pid = 0;
662	ab->count = 0;
663		665
664	#ifdef CONFIG_AUDITSYSCALL	666	#ifdef CONFIG_AUDITSYSCALL
665	if (ab->ctx)	667	if (ab->ctx)
666	audit_get_stamp(ab->ctx, &t, &serial);	668	audit_get_stamp(ab->ctx, &t, &serial);
667	else	669	else
668	#endif	670	#endif
		671	{
669	t = CURRENT_TIME;	672	t = CURRENT_TIME;
670		673	serial = 0;
		674	}
671	audit_log_format(ab, "audit(%lu.%03lu:%u): ",	675	audit_log_format(ab, "audit(%lu.%03lu:%u): ",
672	t.tv_sec, t.tv_nsec/1000000, serial);	676	t.tv_sec, t.tv_nsec/1000000, serial);
673	return ab;	677	return ab;
@@ -717,6 +721,29 @@ void audit_log_format(struct audit_buffer ab, const char fmt, ...)
717	va_end(args);	721	va_end(args);
718	}	722	}
719		723
		724	void audit_log_hex(struct audit_buffer ab, const unsigned char buf, size_t len)
		725	{
		726	int i;
		727
		728	for (i=0; i<len; i++)
		729	audit_log_format(ab, "%02x", buf[i]);
		730	}
		731
		732	void audit_log_untrustedstring(struct audit_buffer ab, const char string)
		733	{
		734	const unsigned char *p = string;
		735
		736	while (*p) {
		737	if (p == '"' \|\| p == ' ' \|\| p < 0x20 \|\| p > 0x7f) {
		738	audit_log_hex(ab, string, strlen(string));
		739	return;
		740	}
		741	p++;
		742	}
		743	audit_log_format(ab, "\"%s\"", string);
		744	}
		745
		746
720	/* This is a helper-function to print the d_path without using a static	747	/* This is a helper-function to print the d_path without using a static
721	* buffer or allocating another buffer in addition to the one in	748	* buffer or allocating another buffer in addition to the one in
722	* audit_buffer. */	749	* audit_buffer. */