aboutsummaryrefslogtreecommitdiffstats
path: root/kernel/audit.c
diff options
context:
space:
mode:
Diffstat (limited to 'kernel/audit.c')
-rw-r--r--kernel/audit.c434
1 files changed, 178 insertions, 256 deletions
diff --git a/kernel/audit.c b/kernel/audit.c
index 801c946dd24b..c8555b180213 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -66,10 +66,11 @@
66 * (Initialization happens after skb_init is called.) */ 66 * (Initialization happens after skb_init is called.) */
67static int audit_initialized; 67static int audit_initialized;
68 68
69/* 0 - no auditing 69#define AUDIT_OFF 0
70 * 1 - auditing enabled 70#define AUDIT_ON 1
71 * 2 - auditing enabled and configuration is locked/unchangeable. */ 71#define AUDIT_LOCKED 2
72int audit_enabled; 72int audit_enabled;
73int audit_ever_enabled;
73 74
74/* Default state when kernel boots without any parameters. */ 75/* Default state when kernel boots without any parameters. */
75static int audit_default; 76static int audit_default;
@@ -152,8 +153,10 @@ struct audit_buffer {
152 153
153static void audit_set_pid(struct audit_buffer *ab, pid_t pid) 154static void audit_set_pid(struct audit_buffer *ab, pid_t pid)
154{ 155{
155 struct nlmsghdr *nlh = nlmsg_hdr(ab->skb); 156 if (ab) {
156 nlh->nlmsg_pid = pid; 157 struct nlmsghdr *nlh = nlmsg_hdr(ab->skb);
158 nlh->nlmsg_pid = pid;
159 }
157} 160}
158 161
159void audit_panic(const char *message) 162void audit_panic(const char *message)
@@ -163,7 +166,8 @@ void audit_panic(const char *message)
163 case AUDIT_FAIL_SILENT: 166 case AUDIT_FAIL_SILENT:
164 break; 167 break;
165 case AUDIT_FAIL_PRINTK: 168 case AUDIT_FAIL_PRINTK:
166 printk(KERN_ERR "audit: %s\n", message); 169 if (printk_ratelimit())
170 printk(KERN_ERR "audit: %s\n", message);
167 break; 171 break;
168 case AUDIT_FAIL_PANIC: 172 case AUDIT_FAIL_PANIC:
169 panic("audit: %s\n", message); 173 panic("audit: %s\n", message);
@@ -231,161 +235,107 @@ void audit_log_lost(const char *message)
231 } 235 }
232 236
233 if (print) { 237 if (print) {
234 printk(KERN_WARNING 238 if (printk_ratelimit())
235 "audit: audit_lost=%d audit_rate_limit=%d audit_backlog_limit=%d\n", 239 printk(KERN_WARNING
236 atomic_read(&audit_lost), 240 "audit: audit_lost=%d audit_rate_limit=%d "
237 audit_rate_limit, 241 "audit_backlog_limit=%d\n",
238 audit_backlog_limit); 242 atomic_read(&audit_lost),
243 audit_rate_limit,
244 audit_backlog_limit);
239 audit_panic(message); 245 audit_panic(message);
240 } 246 }
241} 247}
242 248
243static int audit_set_rate_limit(int limit, uid_t loginuid, u32 sid) 249static int audit_log_config_change(char *function_name, int new, int old,
250 uid_t loginuid, u32 sid, int allow_changes)
244{ 251{
245 int res, rc = 0, old = audit_rate_limit; 252 struct audit_buffer *ab;
246 253 int rc = 0;
247 /* check if we are locked */
248 if (audit_enabled == 2)
249 res = 0;
250 else
251 res = 1;
252 254
255 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
256 audit_log_format(ab, "%s=%d old=%d by auid=%u", function_name, new,
257 old, loginuid);
253 if (sid) { 258 if (sid) {
254 char *ctx = NULL; 259 char *ctx = NULL;
255 u32 len; 260 u32 len;
256 if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) { 261
257 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, 262 rc = selinux_sid_to_string(sid, &ctx, &len);
258 "audit_rate_limit=%d old=%d by auid=%u" 263 if (rc) {
259 " subj=%s res=%d", 264 audit_log_format(ab, " sid=%u", sid);
260 limit, old, loginuid, ctx, res); 265 allow_changes = 0; /* Something weird, deny request */
266 } else {
267 audit_log_format(ab, " subj=%s", ctx);
261 kfree(ctx); 268 kfree(ctx);
262 } else 269 }
263 res = 0; /* Something weird, deny request */
264 } 270 }
265 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, 271 audit_log_format(ab, " res=%d", allow_changes);
266 "audit_rate_limit=%d old=%d by auid=%u res=%d", 272 audit_log_end(ab);
267 limit, old, loginuid, res);
268
269 /* If we are allowed, make the change */
270 if (res == 1)
271 audit_rate_limit = limit;
272 /* Not allowed, update reason */
273 else if (rc == 0)
274 rc = -EPERM;
275 return rc; 273 return rc;
276} 274}
277 275
278static int audit_set_backlog_limit(int limit, uid_t loginuid, u32 sid) 276static int audit_do_config_change(char *function_name, int *to_change,
277 int new, uid_t loginuid, u32 sid)
279{ 278{
280 int res, rc = 0, old = audit_backlog_limit; 279 int allow_changes, rc = 0, old = *to_change;
281 280
282 /* check if we are locked */ 281 /* check if we are locked */
283 if (audit_enabled == 2) 282 if (audit_enabled == AUDIT_LOCKED)
284 res = 0; 283 allow_changes = 0;
285 else 284 else
286 res = 1; 285 allow_changes = 1;
287 286
288 if (sid) { 287 if (audit_enabled != AUDIT_OFF) {
289 char *ctx = NULL; 288 rc = audit_log_config_change(function_name, new, old,
290 u32 len; 289 loginuid, sid, allow_changes);
291 if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) { 290 if (rc)
292 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, 291 allow_changes = 0;
293 "audit_backlog_limit=%d old=%d by auid=%u"
294 " subj=%s res=%d",
295 limit, old, loginuid, ctx, res);
296 kfree(ctx);
297 } else
298 res = 0; /* Something weird, deny request */
299 } 292 }
300 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
301 "audit_backlog_limit=%d old=%d by auid=%u res=%d",
302 limit, old, loginuid, res);
303 293
304 /* If we are allowed, make the change */ 294 /* If we are allowed, make the change */
305 if (res == 1) 295 if (allow_changes == 1)
306 audit_backlog_limit = limit; 296 *to_change = new;
307 /* Not allowed, update reason */ 297 /* Not allowed, update reason */
308 else if (rc == 0) 298 else if (rc == 0)
309 rc = -EPERM; 299 rc = -EPERM;
310 return rc; 300 return rc;
311} 301}
312 302
313static int audit_set_enabled(int state, uid_t loginuid, u32 sid) 303static int audit_set_rate_limit(int limit, uid_t loginuid, u32 sid)
304{
305 return audit_do_config_change("audit_rate_limit", &audit_rate_limit,
306 limit, loginuid, sid);
307}
308
309static int audit_set_backlog_limit(int limit, uid_t loginuid, u32 sid)
314{ 310{
315 int res, rc = 0, old = audit_enabled; 311 return audit_do_config_change("audit_backlog_limit", &audit_backlog_limit,
312 limit, loginuid, sid);
313}
316 314
317 if (state < 0 || state > 2) 315static int audit_set_enabled(int state, uid_t loginuid, u32 sid)
316{
317 int rc;
318 if (state < AUDIT_OFF || state > AUDIT_LOCKED)
318 return -EINVAL; 319 return -EINVAL;
319 320
320 /* check if we are locked */ 321 rc = audit_do_config_change("audit_enabled", &audit_enabled, state,
321 if (audit_enabled == 2) 322 loginuid, sid);
322 res = 0;
323 else
324 res = 1;
325 323
326 if (sid) { 324 if (!rc)
327 char *ctx = NULL; 325 audit_ever_enabled |= !!state;
328 u32 len;
329 if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) {
330 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
331 "audit_enabled=%d old=%d by auid=%u"
332 " subj=%s res=%d",
333 state, old, loginuid, ctx, res);
334 kfree(ctx);
335 } else
336 res = 0; /* Something weird, deny request */
337 }
338 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
339 "audit_enabled=%d old=%d by auid=%u res=%d",
340 state, old, loginuid, res);
341 326
342 /* If we are allowed, make the change */
343 if (res == 1)
344 audit_enabled = state;
345 /* Not allowed, update reason */
346 else if (rc == 0)
347 rc = -EPERM;
348 return rc; 327 return rc;
349} 328}
350 329
351static int audit_set_failure(int state, uid_t loginuid, u32 sid) 330static int audit_set_failure(int state, uid_t loginuid, u32 sid)
352{ 331{
353 int res, rc = 0, old = audit_failure;
354
355 if (state != AUDIT_FAIL_SILENT 332 if (state != AUDIT_FAIL_SILENT
356 && state != AUDIT_FAIL_PRINTK 333 && state != AUDIT_FAIL_PRINTK
357 && state != AUDIT_FAIL_PANIC) 334 && state != AUDIT_FAIL_PANIC)
358 return -EINVAL; 335 return -EINVAL;
359 336
360 /* check if we are locked */ 337 return audit_do_config_change("audit_failure", &audit_failure, state,
361 if (audit_enabled == 2) 338 loginuid, sid);
362 res = 0;
363 else
364 res = 1;
365
366 if (sid) {
367 char *ctx = NULL;
368 u32 len;
369 if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) {
370 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
371 "audit_failure=%d old=%d by auid=%u"
372 " subj=%s res=%d",
373 state, old, loginuid, ctx, res);
374 kfree(ctx);
375 } else
376 res = 0; /* Something weird, deny request */
377 }
378 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
379 "audit_failure=%d old=%d by auid=%u res=%d",
380 state, old, loginuid, res);
381
382 /* If we are allowed, make the change */
383 if (res == 1)
384 audit_failure = state;
385 /* Not allowed, update reason */
386 else if (rc == 0)
387 rc = -EPERM;
388 return rc;
389} 339}
390 340
391static int kauditd_thread(void *dummy) 341static int kauditd_thread(void *dummy)
@@ -405,7 +355,11 @@ static int kauditd_thread(void *dummy)
405 audit_pid = 0; 355 audit_pid = 0;
406 } 356 }
407 } else { 357 } else {
408 printk(KERN_NOTICE "%s\n", skb->data + NLMSG_SPACE(0)); 358 if (printk_ratelimit())
359 printk(KERN_NOTICE "%s\n", skb->data +
360 NLMSG_SPACE(0));
361 else
362 audit_log_lost("printk limit exceeded\n");
409 kfree_skb(skb); 363 kfree_skb(skb);
410 } 364 }
411 } else { 365 } else {
@@ -573,6 +527,33 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
573 return err; 527 return err;
574} 528}
575 529
530static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type,
531 u32 pid, u32 uid, uid_t auid, u32 sid)
532{
533 int rc = 0;
534 char *ctx = NULL;
535 u32 len;
536
537 if (!audit_enabled) {
538 *ab = NULL;
539 return rc;
540 }
541
542 *ab = audit_log_start(NULL, GFP_KERNEL, msg_type);
543 audit_log_format(*ab, "user pid=%d uid=%u auid=%u",
544 pid, uid, auid);
545 if (sid) {
546 rc = selinux_sid_to_string(sid, &ctx, &len);
547 if (rc)
548 audit_log_format(*ab, " ssid=%u", sid);
549 else
550 audit_log_format(*ab, " subj=%s", ctx);
551 kfree(ctx);
552 }
553
554 return rc;
555}
556
576static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) 557static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
577{ 558{
578 u32 uid, pid, seq, sid; 559 u32 uid, pid, seq, sid;
@@ -583,7 +564,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
583 u16 msg_type = nlh->nlmsg_type; 564 u16 msg_type = nlh->nlmsg_type;
584 uid_t loginuid; /* loginuid of sender */ 565 uid_t loginuid; /* loginuid of sender */
585 struct audit_sig_info *sig_data; 566 struct audit_sig_info *sig_data;
586 char *ctx; 567 char *ctx = NULL;
587 u32 len; 568 u32 len;
588 569
589 err = audit_netlink_ok(skb, msg_type); 570 err = audit_netlink_ok(skb, msg_type);
@@ -634,23 +615,14 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
634 if (err < 0) return err; 615 if (err < 0) return err;
635 } 616 }
636 if (status_get->mask & AUDIT_STATUS_PID) { 617 if (status_get->mask & AUDIT_STATUS_PID) {
637 int old = audit_pid; 618 int new_pid = status_get->pid;
638 if (sid) { 619
639 if ((err = selinux_sid_to_string( 620 if (audit_enabled != AUDIT_OFF)
640 sid, &ctx, &len))) 621 audit_log_config_change("audit_pid", new_pid,
641 return err; 622 audit_pid, loginuid,
642 else 623 sid, 1);
643 audit_log(NULL, GFP_KERNEL, 624
644 AUDIT_CONFIG_CHANGE, 625 audit_pid = new_pid;
645 "audit_pid=%d old=%d by auid=%u subj=%s",
646 status_get->pid, old,
647 loginuid, ctx);
648 kfree(ctx);
649 } else
650 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
651 "audit_pid=%d old=%d by auid=%u",
652 status_get->pid, old, loginuid);
653 audit_pid = status_get->pid;
654 } 626 }
655 if (status_get->mask & AUDIT_STATUS_RATE_LIMIT) 627 if (status_get->mask & AUDIT_STATUS_RATE_LIMIT)
656 err = audit_set_rate_limit(status_get->rate_limit, 628 err = audit_set_rate_limit(status_get->rate_limit,
@@ -673,64 +645,35 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
673 if (err) 645 if (err)
674 break; 646 break;
675 } 647 }
676 ab = audit_log_start(NULL, GFP_KERNEL, msg_type); 648 audit_log_common_recv_msg(&ab, msg_type, pid, uid,
677 if (ab) { 649 loginuid, sid);
678 audit_log_format(ab, 650
679 "user pid=%d uid=%u auid=%u", 651 if (msg_type != AUDIT_USER_TTY)
680 pid, uid, loginuid); 652 audit_log_format(ab, " msg='%.1024s'",
681 if (sid) { 653 (char *)data);
682 if (selinux_sid_to_string( 654 else {
683 sid, &ctx, &len)) { 655 int size;
684 audit_log_format(ab, 656
685 " ssid=%u", sid); 657 audit_log_format(ab, " msg=");
686 /* Maybe call audit_panic? */ 658 size = nlmsg_len(nlh);
687 } else 659 audit_log_n_untrustedstring(ab, size,
688 audit_log_format(ab, 660 data);
689 " subj=%s", ctx);
690 kfree(ctx);
691 }
692 if (msg_type != AUDIT_USER_TTY)
693 audit_log_format(ab, " msg='%.1024s'",
694 (char *)data);
695 else {
696 int size;
697
698 audit_log_format(ab, " msg=");
699 size = nlmsg_len(nlh);
700 audit_log_n_untrustedstring(ab, size,
701 data);
702 }
703 audit_set_pid(ab, pid);
704 audit_log_end(ab);
705 } 661 }
662 audit_set_pid(ab, pid);
663 audit_log_end(ab);
706 } 664 }
707 break; 665 break;
708 case AUDIT_ADD: 666 case AUDIT_ADD:
709 case AUDIT_DEL: 667 case AUDIT_DEL:
710 if (nlmsg_len(nlh) < sizeof(struct audit_rule)) 668 if (nlmsg_len(nlh) < sizeof(struct audit_rule))
711 return -EINVAL; 669 return -EINVAL;
712 if (audit_enabled == 2) { 670 if (audit_enabled == AUDIT_LOCKED) {
713 ab = audit_log_start(NULL, GFP_KERNEL, 671 audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE, pid,
714 AUDIT_CONFIG_CHANGE); 672 uid, loginuid, sid);
715 if (ab) { 673
716 audit_log_format(ab, 674 audit_log_format(ab, " audit_enabled=%d res=0",
717 "pid=%d uid=%u auid=%u", 675 audit_enabled);
718 pid, uid, loginuid); 676 audit_log_end(ab);
719 if (sid) {
720 if (selinux_sid_to_string(
721 sid, &ctx, &len)) {
722 audit_log_format(ab,
723 " ssid=%u", sid);
724 /* Maybe call audit_panic? */
725 } else
726 audit_log_format(ab,
727 " subj=%s", ctx);
728 kfree(ctx);
729 }
730 audit_log_format(ab, " audit_enabled=%d res=0",
731 audit_enabled);
732 audit_log_end(ab);
733 }
734 return -EPERM; 677 return -EPERM;
735 } 678 }
736 /* fallthrough */ 679 /* fallthrough */
@@ -743,28 +686,13 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
743 case AUDIT_DEL_RULE: 686 case AUDIT_DEL_RULE:
744 if (nlmsg_len(nlh) < sizeof(struct audit_rule_data)) 687 if (nlmsg_len(nlh) < sizeof(struct audit_rule_data))
745 return -EINVAL; 688 return -EINVAL;
746 if (audit_enabled == 2) { 689 if (audit_enabled == AUDIT_LOCKED) {
747 ab = audit_log_start(NULL, GFP_KERNEL, 690 audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE, pid,
748 AUDIT_CONFIG_CHANGE); 691 uid, loginuid, sid);
749 if (ab) { 692
750 audit_log_format(ab, 693 audit_log_format(ab, " audit_enabled=%d res=0",
751 "pid=%d uid=%u auid=%u", 694 audit_enabled);
752 pid, uid, loginuid); 695 audit_log_end(ab);
753 if (sid) {
754 if (selinux_sid_to_string(
755 sid, &ctx, &len)) {
756 audit_log_format(ab,
757 " ssid=%u", sid);
758 /* Maybe call audit_panic? */
759 } else
760 audit_log_format(ab,
761 " subj=%s", ctx);
762 kfree(ctx);
763 }
764 audit_log_format(ab, " audit_enabled=%d res=0",
765 audit_enabled);
766 audit_log_end(ab);
767 }
768 return -EPERM; 696 return -EPERM;
769 } 697 }
770 /* fallthrough */ 698 /* fallthrough */
@@ -775,19 +703,10 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
775 break; 703 break;
776 case AUDIT_TRIM: 704 case AUDIT_TRIM:
777 audit_trim_trees(); 705 audit_trim_trees();
778 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); 706
779 if (!ab) 707 audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE, pid,
780 break; 708 uid, loginuid, sid);
781 audit_log_format(ab, "auid=%u", loginuid); 709
782 if (sid) {
783 u32 len;
784 ctx = NULL;
785 if (selinux_sid_to_string(sid, &ctx, &len))
786 audit_log_format(ab, " ssid=%u", sid);
787 else
788 audit_log_format(ab, " subj=%s", ctx);
789 kfree(ctx);
790 }
791 audit_log_format(ab, " op=trim res=1"); 710 audit_log_format(ab, " op=trim res=1");
792 audit_log_end(ab); 711 audit_log_end(ab);
793 break; 712 break;
@@ -817,22 +736,9 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
817 /* OK, here comes... */ 736 /* OK, here comes... */
818 err = audit_tag_tree(old, new); 737 err = audit_tag_tree(old, new);
819 738
820 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); 739 audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE, pid,
821 if (!ab) { 740 uid, loginuid, sid);
822 kfree(old); 741
823 kfree(new);
824 break;
825 }
826 audit_log_format(ab, "auid=%u", loginuid);
827 if (sid) {
828 u32 len;
829 ctx = NULL;
830 if (selinux_sid_to_string(sid, &ctx, &len))
831 audit_log_format(ab, " ssid=%u", sid);
832 else
833 audit_log_format(ab, " subj=%s", ctx);
834 kfree(ctx);
835 }
836 audit_log_format(ab, " op=make_equiv old="); 742 audit_log_format(ab, " op=make_equiv old=");
837 audit_log_untrustedstring(ab, old); 743 audit_log_untrustedstring(ab, old);
838 audit_log_format(ab, " new="); 744 audit_log_format(ab, " new=");
@@ -965,6 +871,7 @@ static int __init audit_init(void)
965 skb_queue_head_init(&audit_skb_queue); 871 skb_queue_head_init(&audit_skb_queue);
966 audit_initialized = 1; 872 audit_initialized = 1;
967 audit_enabled = audit_default; 873 audit_enabled = audit_default;
874 audit_ever_enabled |= !!audit_default;
968 875
969 /* Register the callback with selinux. This callback will be invoked 876 /* Register the callback with selinux. This callback will be invoked
970 * when a new policy is loaded. */ 877 * when a new policy is loaded. */
@@ -992,8 +899,10 @@ static int __init audit_enable(char *str)
992 printk(KERN_INFO "audit: %s%s\n", 899 printk(KERN_INFO "audit: %s%s\n",
993 audit_default ? "enabled" : "disabled", 900 audit_default ? "enabled" : "disabled",
994 audit_initialized ? "" : " (after initialization)"); 901 audit_initialized ? "" : " (after initialization)");
995 if (audit_initialized) 902 if (audit_initialized) {
996 audit_enabled = audit_default; 903 audit_enabled = audit_default;
904 audit_ever_enabled |= !!audit_default;
905 }
997 return 1; 906 return 1;
998} 907}
999 908
@@ -1130,7 +1039,7 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
1130{ 1039{
1131 struct audit_buffer *ab = NULL; 1040 struct audit_buffer *ab = NULL;
1132 struct timespec t; 1041 struct timespec t;
1133 unsigned int serial; 1042 unsigned int uninitialized_var(serial);
1134 int reserve; 1043 int reserve;
1135 unsigned long timeout_start = jiffies; 1044 unsigned long timeout_start = jiffies;
1136 1045
@@ -1164,7 +1073,7 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
1164 remove_wait_queue(&audit_backlog_wait, &wait); 1073 remove_wait_queue(&audit_backlog_wait, &wait);
1165 continue; 1074 continue;
1166 } 1075 }
1167 if (audit_rate_check()) 1076 if (audit_rate_check() && printk_ratelimit())
1168 printk(KERN_WARNING 1077 printk(KERN_WARNING
1169 "audit: audit_backlog=%d > " 1078 "audit: audit_backlog=%d > "
1170 "audit_backlog_limit=%d\n", 1079 "audit_backlog_limit=%d\n",
@@ -1249,6 +1158,7 @@ static void audit_log_vformat(struct audit_buffer *ab, const char *fmt,
1249 goto out; 1158 goto out;
1250 len = vsnprintf(skb_tail_pointer(skb), avail, fmt, args2); 1159 len = vsnprintf(skb_tail_pointer(skb), avail, fmt, args2);
1251 } 1160 }
1161 va_end(args2);
1252 if (len > 0) 1162 if (len > 0)
1253 skb_put(skb, len); 1163 skb_put(skb, len);
1254out: 1164out:
@@ -1350,6 +1260,21 @@ static void audit_log_n_string(struct audit_buffer *ab, size_t slen,
1350} 1260}
1351 1261
1352/** 1262/**
1263 * audit_string_contains_control - does a string need to be logged in hex
1264 * @string - string to be checked
1265 * @len - max length of the string to check
1266 */
1267int audit_string_contains_control(const char *string, size_t len)
1268{
1269 const unsigned char *p;
1270 for (p = string; p < (const unsigned char *)string + len && *p; p++) {
1271 if (*p == '"' || *p < 0x21 || *p > 0x7f)
1272 return 1;
1273 }
1274 return 0;
1275}
1276
1277/**
1353 * audit_log_n_untrustedstring - log a string that may contain random characters 1278 * audit_log_n_untrustedstring - log a string that may contain random characters
1354 * @ab: audit_buffer 1279 * @ab: audit_buffer
1355 * @len: lenth of string (not including trailing null) 1280 * @len: lenth of string (not including trailing null)
@@ -1363,19 +1288,13 @@ static void audit_log_n_string(struct audit_buffer *ab, size_t slen,
1363 * The caller specifies the number of characters in the string to log, which may 1288 * The caller specifies the number of characters in the string to log, which may
1364 * or may not be the entire string. 1289 * or may not be the entire string.
1365 */ 1290 */
1366const char *audit_log_n_untrustedstring(struct audit_buffer *ab, size_t len, 1291void audit_log_n_untrustedstring(struct audit_buffer *ab, size_t len,
1367 const char *string) 1292 const char *string)
1368{ 1293{
1369 const unsigned char *p; 1294 if (audit_string_contains_control(string, len))
1370 1295 audit_log_hex(ab, string, len);
1371 for (p = string; p < (const unsigned char *)string + len && *p; p++) { 1296 else
1372 if (*p == '"' || *p < 0x21 || *p > 0x7f) { 1297 audit_log_n_string(ab, len, string);
1373 audit_log_hex(ab, string, len);
1374 return string + len + 1;
1375 }
1376 }
1377 audit_log_n_string(ab, len, string);
1378 return p + 1;
1379} 1298}
1380 1299
1381/** 1300/**
@@ -1386,9 +1305,9 @@ const char *audit_log_n_untrustedstring(struct audit_buffer *ab, size_t len,
1386 * Same as audit_log_n_untrustedstring(), except that strlen is used to 1305 * Same as audit_log_n_untrustedstring(), except that strlen is used to
1387 * determine string length. 1306 * determine string length.
1388 */ 1307 */
1389const char *audit_log_untrustedstring(struct audit_buffer *ab, const char *string) 1308void audit_log_untrustedstring(struct audit_buffer *ab, const char *string)
1390{ 1309{
1391 return audit_log_n_untrustedstring(ab, strlen(string), string); 1310 audit_log_n_untrustedstring(ab, strlen(string), string);
1392} 1311}
1393 1312
1394/* This is a helper-function to print the escaped d_path */ 1313/* This is a helper-function to print the escaped d_path */
@@ -1437,8 +1356,11 @@ void audit_log_end(struct audit_buffer *ab)
1437 skb_queue_tail(&audit_skb_queue, ab->skb); 1356 skb_queue_tail(&audit_skb_queue, ab->skb);
1438 ab->skb = NULL; 1357 ab->skb = NULL;
1439 wake_up_interruptible(&kauditd_wait); 1358 wake_up_interruptible(&kauditd_wait);
1359 } else if (printk_ratelimit()) {
1360 struct nlmsghdr *nlh = nlmsg_hdr(ab->skb);
1361 printk(KERN_NOTICE "type=%d %s\n", nlh->nlmsg_type, ab->skb->data + NLMSG_SPACE(0));
1440 } else { 1362 } else {
1441 printk(KERN_NOTICE "%s\n", ab->skb->data + NLMSG_SPACE(0)); 1363 audit_log_lost("printk limit exceeded\n");
1442 } 1364 }
1443 } 1365 }
1444 audit_buffer_free(ab); 1366 audit_buffer_free(ab);
generated by cgit v1.2.2 (git 2.25.0) at 2025-11-16 20:42:37 -0500