diff options
Diffstat (limited to 'kernel/audit.c')
| -rw-r--r-- | kernel/audit.c | 132 |
1 files changed, 102 insertions, 30 deletions
diff --git a/kernel/audit.c b/kernel/audit.c index 7ec9ccae1299..df57b493e1cb 100644 --- a/kernel/audit.c +++ b/kernel/audit.c | |||
| @@ -230,49 +230,103 @@ void audit_log_lost(const char *message) | |||
| 230 | } | 230 | } |
| 231 | } | 231 | } |
| 232 | 232 | ||
| 233 | static int audit_set_rate_limit(int limit, uid_t loginuid) | 233 | static int audit_set_rate_limit(int limit, uid_t loginuid, u32 sid) |
| 234 | { | 234 | { |
| 235 | int old = audit_rate_limit; | 235 | int old = audit_rate_limit; |
| 236 | audit_rate_limit = limit; | 236 | |
| 237 | audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, | 237 | if (sid) { |
| 238 | char *ctx = NULL; | ||
| 239 | u32 len; | ||
| 240 | int rc; | ||
| 241 | if ((rc = selinux_ctxid_to_string(sid, &ctx, &len))) | ||
| 242 | return rc; | ||
| 243 | else | ||
| 244 | audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, | ||
| 245 | "audit_rate_limit=%d old=%d by auid=%u subj=%s", | ||
| 246 | limit, old, loginuid, ctx); | ||
| 247 | kfree(ctx); | ||
| 248 | } else | ||
| 249 | audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, | ||
| 238 | "audit_rate_limit=%d old=%d by auid=%u", | 250 | "audit_rate_limit=%d old=%d by auid=%u", |
| 239 | audit_rate_limit, old, loginuid); | 251 | limit, old, loginuid); |
| 252 | audit_rate_limit = limit; | ||
| 240 | return old; | 253 | return old; |
| 241 | } | 254 | } |
| 242 | 255 | ||
| 243 | static int audit_set_backlog_limit(int limit, uid_t loginuid) | 256 | static int audit_set_backlog_limit(int limit, uid_t loginuid, u32 sid) |
| 244 | { | 257 | { |
| 245 | int old = audit_backlog_limit; | 258 | int old = audit_backlog_limit; |
| 246 | audit_backlog_limit = limit; | 259 | |
| 247 | audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, | 260 | if (sid) { |
| 261 | char *ctx = NULL; | ||
| 262 | u32 len; | ||
| 263 | int rc; | ||
| 264 | if ((rc = selinux_ctxid_to_string(sid, &ctx, &len))) | ||
| 265 | return rc; | ||
| 266 | else | ||
| 267 | audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, | ||
| 268 | "audit_backlog_limit=%d old=%d by auid=%u subj=%s", | ||
| 269 | limit, old, loginuid, ctx); | ||
| 270 | kfree(ctx); | ||
| 271 | } else | ||
| 272 | audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, | ||
| 248 | "audit_backlog_limit=%d old=%d by auid=%u", | 273 | "audit_backlog_limit=%d old=%d by auid=%u", |
| 249 | audit_backlog_limit, old, loginuid); | 274 | limit, old, loginuid); |
| 275 | audit_backlog_limit = limit; | ||
| 250 | return old; | 276 | return old; |
| 251 | } | 277 | } |
| 252 | 278 | ||
| 253 | static int audit_set_enabled(int state, uid_t loginuid) | 279 | static int audit_set_enabled(int state, uid_t loginuid, u32 sid) |
| 254 | { | 280 | { |
| 255 | int old = audit_enabled; | 281 | int old = audit_enabled; |
| 282 | |||
| 256 | if (state != 0 && state != 1) | 283 | if (state != 0 && state != 1) |
| 257 | return -EINVAL; | 284 | return -EINVAL; |
| 258 | audit_enabled = state; | 285 | |
| 259 | audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, | 286 | if (sid) { |
| 287 | char *ctx = NULL; | ||
| 288 | u32 len; | ||
| 289 | int rc; | ||
| 290 | if ((rc = selinux_ctxid_to_string(sid, &ctx, &len))) | ||
| 291 | return rc; | ||
| 292 | else | ||
| 293 | audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, | ||
| 294 | "audit_enabled=%d old=%d by auid=%u subj=%s", | ||
| 295 | state, old, loginuid, ctx); | ||
| 296 | kfree(ctx); | ||
| 297 | } else | ||
| 298 | audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, | ||
| 260 | "audit_enabled=%d old=%d by auid=%u", | 299 | "audit_enabled=%d old=%d by auid=%u", |
| 261 | audit_enabled, old, loginuid); | 300 | state, old, loginuid); |
| 301 | audit_enabled = state; | ||
| 262 | return old; | 302 | return old; |
| 263 | } | 303 | } |
| 264 | 304 | ||
| 265 | static int audit_set_failure(int state, uid_t loginuid) | 305 | static int audit_set_failure(int state, uid_t loginuid, u32 sid) |
| 266 | { | 306 | { |
| 267 | int old = audit_failure; | 307 | int old = audit_failure; |
| 308 | |||
| 268 | if (state != AUDIT_FAIL_SILENT | 309 | if (state != AUDIT_FAIL_SILENT |
| 269 | && state != AUDIT_FAIL_PRINTK | 310 | && state != AUDIT_FAIL_PRINTK |
| 270 | && state != AUDIT_FAIL_PANIC) | 311 | && state != AUDIT_FAIL_PANIC) |
| 271 | return -EINVAL; | 312 | return -EINVAL; |
| 272 | audit_failure = state; | 313 | |
| 273 | audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, | 314 | if (sid) { |
| 315 | char *ctx = NULL; | ||
| 316 | u32 len; | ||
| 317 | int rc; | ||
| 318 | if ((rc = selinux_ctxid_to_string(sid, &ctx, &len))) | ||
| 319 | return rc; | ||
| 320 | else | ||
| 321 | audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, | ||
| 322 | "audit_failure=%d old=%d by auid=%u subj=%s", | ||
| 323 | state, old, loginuid, ctx); | ||
| 324 | kfree(ctx); | ||
| 325 | } else | ||
| 326 | audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, | ||
| 274 | "audit_failure=%d old=%d by auid=%u", | 327 | "audit_failure=%d old=%d by auid=%u", |
| 275 | audit_failure, old, loginuid); | 328 | state, old, loginuid); |
| 329 | audit_failure = state; | ||
| 276 | return old; | 330 | return old; |
| 277 | } | 331 | } |
| 278 | 332 | ||
| @@ -437,25 +491,43 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) | |||
| 437 | return -EINVAL; | 491 | return -EINVAL; |
| 438 | status_get = (struct audit_status *)data; | 492 | status_get = (struct audit_status *)data; |
| 439 | if (status_get->mask & AUDIT_STATUS_ENABLED) { | 493 | if (status_get->mask & AUDIT_STATUS_ENABLED) { |
| 440 | err = audit_set_enabled(status_get->enabled, loginuid); | 494 | err = audit_set_enabled(status_get->enabled, |
| 495 | loginuid, sid); | ||
| 441 | if (err < 0) return err; | 496 | if (err < 0) return err; |
| 442 | } | 497 | } |
| 443 | if (status_get->mask & AUDIT_STATUS_FAILURE) { | 498 | if (status_get->mask & AUDIT_STATUS_FAILURE) { |
| 444 | err = audit_set_failure(status_get->failure, loginuid); | 499 | err = audit_set_failure(status_get->failure, |
| 500 | loginuid, sid); | ||
| 445 | if (err < 0) return err; | 501 | if (err < 0) return err; |
| 446 | } | 502 | } |
| 447 | if (status_get->mask & AUDIT_STATUS_PID) { | 503 | if (status_get->mask & AUDIT_STATUS_PID) { |
| 448 | int old = audit_pid; | 504 | int old = audit_pid; |
| 505 | if (sid) { | ||
| 506 | char *ctx = NULL; | ||
| 507 | u32 len; | ||
| 508 | int rc; | ||
| 509 | if ((rc = selinux_ctxid_to_string( | ||
| 510 | sid, &ctx, &len))) | ||
| 511 | return rc; | ||
| 512 | else | ||
| 513 | audit_log(NULL, GFP_KERNEL, | ||
| 514 | AUDIT_CONFIG_CHANGE, | ||
| 515 | "audit_pid=%d old=%d by auid=%u subj=%s", | ||
| 516 | status_get->pid, old, | ||
| 517 | loginuid, ctx); | ||
| 518 | kfree(ctx); | ||
| 519 | } else | ||
| 520 | audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, | ||
| 521 | "audit_pid=%d old=%d by auid=%u", | ||
| 522 | status_get->pid, old, loginuid); | ||
| 449 | audit_pid = status_get->pid; | 523 | audit_pid = status_get->pid; |
| 450 | audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, | ||
| 451 | "audit_pid=%d old=%d by auid=%u", | ||
| 452 | audit_pid, old, loginuid); | ||
| 453 | } | 524 | } |
| 454 | if (status_get->mask & AUDIT_STATUS_RATE_LIMIT) | 525 | if (status_get->mask & AUDIT_STATUS_RATE_LIMIT) |
| 455 | audit_set_rate_limit(status_get->rate_limit, loginuid); | 526 | audit_set_rate_limit(status_get->rate_limit, |
| 527 | loginuid, sid); | ||
| 456 | if (status_get->mask & AUDIT_STATUS_BACKLOG_LIMIT) | 528 | if (status_get->mask & AUDIT_STATUS_BACKLOG_LIMIT) |
| 457 | audit_set_backlog_limit(status_get->backlog_limit, | 529 | audit_set_backlog_limit(status_get->backlog_limit, |
| 458 | loginuid); | 530 | loginuid, sid); |
| 459 | break; | 531 | break; |
| 460 | case AUDIT_USER: | 532 | case AUDIT_USER: |
| 461 | case AUDIT_FIRST_USER_MSG...AUDIT_LAST_USER_MSG: | 533 | case AUDIT_FIRST_USER_MSG...AUDIT_LAST_USER_MSG: |
| @@ -477,7 +549,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) | |||
| 477 | if (selinux_ctxid_to_string( | 549 | if (selinux_ctxid_to_string( |
| 478 | sid, &ctx, &len)) { | 550 | sid, &ctx, &len)) { |
| 479 | audit_log_format(ab, | 551 | audit_log_format(ab, |
| 480 | " subj=%u", sid); | 552 | " ssid=%u", sid); |
| 481 | /* Maybe call audit_panic? */ | 553 | /* Maybe call audit_panic? */ |
| 482 | } else | 554 | } else |
| 483 | audit_log_format(ab, | 555 | audit_log_format(ab, |
| @@ -499,7 +571,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) | |||
| 499 | case AUDIT_LIST: | 571 | case AUDIT_LIST: |
| 500 | err = audit_receive_filter(nlh->nlmsg_type, NETLINK_CB(skb).pid, | 572 | err = audit_receive_filter(nlh->nlmsg_type, NETLINK_CB(skb).pid, |
| 501 | uid, seq, data, nlmsg_len(nlh), | 573 | uid, seq, data, nlmsg_len(nlh), |
| 502 | loginuid); | 574 | loginuid, sid); |
| 503 | break; | 575 | break; |
| 504 | case AUDIT_ADD_RULE: | 576 | case AUDIT_ADD_RULE: |
| 505 | case AUDIT_DEL_RULE: | 577 | case AUDIT_DEL_RULE: |
| @@ -509,7 +581,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) | |||
| 509 | case AUDIT_LIST_RULES: | 581 | case AUDIT_LIST_RULES: |
| 510 | err = audit_receive_filter(nlh->nlmsg_type, NETLINK_CB(skb).pid, | 582 | err = audit_receive_filter(nlh->nlmsg_type, NETLINK_CB(skb).pid, |
| 511 | uid, seq, data, nlmsg_len(nlh), | 583 | uid, seq, data, nlmsg_len(nlh), |
| 512 | loginuid); | 584 | loginuid, sid); |
| 513 | break; | 585 | break; |
| 514 | case AUDIT_SIGNAL_INFO: | 586 | case AUDIT_SIGNAL_INFO: |
| 515 | sig_data.uid = audit_sig_uid; | 587 | sig_data.uid = audit_sig_uid; |