aboutsummaryrefslogtreecommitdiffstats
path: root/kernel/audit.c
diff options
context:
space:
mode:
Diffstat (limited to 'kernel/audit.c')
-rw-r--r--kernel/audit.c78
1 files changed, 55 insertions, 23 deletions
diff --git a/kernel/audit.c b/kernel/audit.c
index 187164572bd0..4e940c05ede8 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -140,6 +140,12 @@ struct audit_buffer {
140 struct audit_context *ctx; /* NULL or associated context */ 140 struct audit_context *ctx; /* NULL or associated context */
141}; 141};
142 142
143static void audit_set_pid(struct audit_buffer *ab, pid_t pid)
144{
145 struct nlmsghdr *nlh = (struct nlmsghdr *)ab->skb->data;
146 nlh->nlmsg_pid = pid;
147}
148
143struct audit_entry { 149struct audit_entry {
144 struct list_head list; 150 struct list_head list;
145 struct audit_rule rule; 151 struct audit_rule rule;
@@ -233,7 +239,8 @@ static int audit_set_rate_limit(int limit, uid_t loginuid)
233{ 239{
234 int old = audit_rate_limit; 240 int old = audit_rate_limit;
235 audit_rate_limit = limit; 241 audit_rate_limit = limit;
236 audit_log(NULL, "audit_rate_limit=%d old=%d by auid %u", 242 audit_log(NULL, AUDIT_CONFIG_CHANGE,
243 "audit_rate_limit=%d old=%d by auid %u",
237 audit_rate_limit, old, loginuid); 244 audit_rate_limit, old, loginuid);
238 return old; 245 return old;
239} 246}
@@ -242,7 +249,8 @@ static int audit_set_backlog_limit(int limit, uid_t loginuid)
242{ 249{
243 int old = audit_backlog_limit; 250 int old = audit_backlog_limit;
244 audit_backlog_limit = limit; 251 audit_backlog_limit = limit;
245 audit_log(NULL, "audit_backlog_limit=%d old=%d by auid %u", 252 audit_log(NULL, AUDIT_CONFIG_CHANGE,
253 "audit_backlog_limit=%d old=%d by auid %u",
246 audit_backlog_limit, old, loginuid); 254 audit_backlog_limit, old, loginuid);
247 return old; 255 return old;
248} 256}
@@ -253,8 +261,9 @@ static int audit_set_enabled(int state, uid_t loginuid)
253 if (state != 0 && state != 1) 261 if (state != 0 && state != 1)
254 return -EINVAL; 262 return -EINVAL;
255 audit_enabled = state; 263 audit_enabled = state;
256 audit_log(NULL, "audit_enabled=%d old=%d by auid %u", 264 audit_log(NULL, AUDIT_CONFIG_CHANGE,
257 audit_enabled, old, loginuid); 265 "audit_enabled=%d old=%d by auid %u",
266 audit_enabled, old, loginuid);
258 return old; 267 return old;
259} 268}
260 269
@@ -266,8 +275,9 @@ static int audit_set_failure(int state, uid_t loginuid)
266 && state != AUDIT_FAIL_PANIC) 275 && state != AUDIT_FAIL_PANIC)
267 return -EINVAL; 276 return -EINVAL;
268 audit_failure = state; 277 audit_failure = state;
269 audit_log(NULL, "audit_failure=%d old=%d by auid %u", 278 audit_log(NULL, AUDIT_CONFIG_CHANGE,
270 audit_failure, old, loginuid); 279 "audit_failure=%d old=%d by auid %u",
280 audit_failure, old, loginuid);
271 return old; 281 return old;
272} 282}
273 283
@@ -316,6 +326,14 @@ static int audit_netlink_ok(kernel_cap_t eff_cap, u16 msg_type)
316 err = -EPERM; 326 err = -EPERM;
317 break; 327 break;
318 case AUDIT_USER: 328 case AUDIT_USER:
329 case AUDIT_USER_AUTH:
330 case AUDIT_USER_ACCT:
331 case AUDIT_USER_MGMT:
332 case AUDIT_CRED_ACQ:
333 case AUDIT_CRED_DISP:
334 case AUDIT_USER_START:
335 case AUDIT_USER_END:
336 case AUDIT_USER_AVC:
319 if (!cap_raised(eff_cap, CAP_AUDIT_WRITE)) 337 if (!cap_raised(eff_cap, CAP_AUDIT_WRITE))
320 err = -EPERM; 338 err = -EPERM;
321 break; 339 break;
@@ -332,6 +350,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
332 void *data; 350 void *data;
333 struct audit_status *status_get, status_set; 351 struct audit_status *status_get, status_set;
334 int err; 352 int err;
353 struct audit_buffer *ab;
335 u16 msg_type = nlh->nlmsg_type; 354 u16 msg_type = nlh->nlmsg_type;
336 uid_t loginuid; /* loginuid of sender */ 355 uid_t loginuid; /* loginuid of sender */
337 struct audit_sig_info sig_data; 356 struct audit_sig_info sig_data;
@@ -373,7 +392,8 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
373 if (status_get->mask & AUDIT_STATUS_PID) { 392 if (status_get->mask & AUDIT_STATUS_PID) {
374 int old = audit_pid; 393 int old = audit_pid;
375 audit_pid = status_get->pid; 394 audit_pid = status_get->pid;
376 audit_log(NULL, "audit_pid=%d old=%d by auid %u", 395 audit_log(NULL, AUDIT_CONFIG_CHANGE,
396 "audit_pid=%d old=%d by auid %u",
377 audit_pid, old, loginuid); 397 audit_pid, old, loginuid);
378 } 398 }
379 if (status_get->mask & AUDIT_STATUS_RATE_LIMIT) 399 if (status_get->mask & AUDIT_STATUS_RATE_LIMIT)
@@ -383,13 +403,26 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
383 loginuid); 403 loginuid);
384 break; 404 break;
385 case AUDIT_USER: 405 case AUDIT_USER:
386 audit_log_type(NULL, AUDIT_USER, pid, 406 case AUDIT_USER_AUTH:
407 case AUDIT_USER_ACCT:
408 case AUDIT_USER_MGMT:
409 case AUDIT_CRED_ACQ:
410 case AUDIT_CRED_DISP:
411 case AUDIT_USER_START:
412 case AUDIT_USER_END:
413 case AUDIT_USER_AVC:
414 ab = audit_log_start(NULL, msg_type);
415 if (!ab)
416 break; /* audit_panic has been called */
417 audit_log_format(ab,
387 "user pid=%d uid=%d length=%d loginuid=%u" 418 "user pid=%d uid=%d length=%d loginuid=%u"
388 " msg='%.1024s'", 419 " msg='%.1024s'",
389 pid, uid, 420 pid, uid,
390 (int)(nlh->nlmsg_len 421 (int)(nlh->nlmsg_len
391 - ((char *)data - (char *)nlh)), 422 - ((char *)data - (char *)nlh)),
392 loginuid, (char *)data); 423 loginuid, (char *)data);
424 audit_set_pid(ab, pid);
425 audit_log_end(ab);
393 break; 426 break;
394 case AUDIT_ADD: 427 case AUDIT_ADD:
395 case AUDIT_DEL: 428 case AUDIT_DEL:
@@ -504,7 +537,7 @@ static int __init audit_init(void)
504 537
505 audit_initialized = 1; 538 audit_initialized = 1;
506 audit_enabled = audit_default; 539 audit_enabled = audit_default;
507 audit_log(NULL, "initialized"); 540 audit_log(NULL, AUDIT_KERNEL, "initialized");
508 return 0; 541 return 0;
509} 542}
510__initcall(audit_init); 543__initcall(audit_init);
@@ -541,10 +574,12 @@ static void audit_buffer_free(struct audit_buffer *ab)
541 spin_unlock_irqrestore(&audit_freelist_lock, flags); 574 spin_unlock_irqrestore(&audit_freelist_lock, flags);
542} 575}
543 576
544static struct audit_buffer * audit_buffer_alloc(int gfp_mask) 577static struct audit_buffer * audit_buffer_alloc(struct audit_context *ctx,
578 int gfp_mask, int type)
545{ 579{
546 unsigned long flags; 580 unsigned long flags;
547 struct audit_buffer *ab = NULL; 581 struct audit_buffer *ab = NULL;
582 struct nlmsghdr *nlh;
548 583
549 spin_lock_irqsave(&audit_freelist_lock, flags); 584 spin_lock_irqsave(&audit_freelist_lock, flags);
550 if (!list_empty(&audit_freelist)) { 585 if (!list_empty(&audit_freelist)) {
@@ -566,6 +601,12 @@ static struct audit_buffer * audit_buffer_alloc(int gfp_mask)
566 if (!ab->skb) 601 if (!ab->skb)
567 goto err; 602 goto err;
568 603
604 ab->ctx = ctx;
605 nlh = (struct nlmsghdr *)skb_put(ab->skb, NLMSG_SPACE(0));
606 nlh->nlmsg_type = type;
607 nlh->nlmsg_flags = 0;
608 nlh->nlmsg_pid = 0;
609 nlh->nlmsg_seq = 0;
569 return ab; 610 return ab;
570err: 611err:
571 audit_buffer_free(ab); 612 audit_buffer_free(ab);
@@ -578,12 +619,11 @@ err:
578 * syscall, then the syscall is marked as auditable and an audit record 619 * syscall, then the syscall is marked as auditable and an audit record
579 * will be written at syscall exit. If there is no associated task, tsk 620 * will be written at syscall exit. If there is no associated task, tsk
580 * should be NULL. */ 621 * should be NULL. */
581struct audit_buffer *audit_log_start(struct audit_context *ctx, int type, int pid) 622struct audit_buffer *audit_log_start(struct audit_context *ctx, int type)
582{ 623{
583 struct audit_buffer *ab = NULL; 624 struct audit_buffer *ab = NULL;
584 struct timespec t; 625 struct timespec t;
585 unsigned int serial; 626 unsigned int serial;
586 struct nlmsghdr *nlh;
587 627
588 if (!audit_initialized) 628 if (!audit_initialized)
589 return NULL; 629 return NULL;
@@ -600,19 +640,12 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, int type, int pi
600 return NULL; 640 return NULL;
601 } 641 }
602 642
603 ab = audit_buffer_alloc(GFP_ATOMIC); 643 ab = audit_buffer_alloc(ctx, GFP_ATOMIC, type);
604 if (!ab) { 644 if (!ab) {
605 audit_log_lost("out of memory in audit_log_start"); 645 audit_log_lost("out of memory in audit_log_start");
606 return NULL; 646 return NULL;
607 } 647 }
608 648
609 ab->ctx = ctx;
610 nlh = (struct nlmsghdr *)skb_put(ab->skb, NLMSG_SPACE(0));
611 nlh->nlmsg_type = type;
612 nlh->nlmsg_flags = 0;
613 nlh->nlmsg_pid = pid;
614 nlh->nlmsg_seq = 0;
615
616 if (!audit_get_stamp(ab->ctx, &t, &serial)) { 649 if (!audit_get_stamp(ab->ctx, &t, &serial)) {
617 t = CURRENT_TIME; 650 t = CURRENT_TIME;
618 serial = 0; 651 serial = 0;
@@ -809,13 +842,12 @@ void audit_log_end(struct audit_buffer *ab)
809/* Log an audit record. This is a convenience function that calls 842/* Log an audit record. This is a convenience function that calls
810 * audit_log_start, audit_log_vformat, and audit_log_end. It may be 843 * audit_log_start, audit_log_vformat, and audit_log_end. It may be
811 * called in any context. */ 844 * called in any context. */
812void audit_log_type(struct audit_context *ctx, int type, int pid, 845void audit_log(struct audit_context *ctx, int type, const char *fmt, ...)
813 const char *fmt, ...)
814{ 846{
815 struct audit_buffer *ab; 847 struct audit_buffer *ab;
816 va_list args; 848 va_list args;
817 849
818 ab = audit_log_start(ctx, type, pid); 850 ab = audit_log_start(ctx, type);
819 if (ab) { 851 if (ab) {
820 va_start(args, fmt); 852 va_start(args, fmt);
821 audit_log_vformat(ab, fmt, args); 853 audit_log_vformat(ab, fmt, args);