Diffstat (limited to 'kernel/auditsc.c')
-rw-r--r-- | kernel/auditsc.c | 150 |
1 files changed, 132 insertions, 18 deletions
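--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -330,6 +330,15 @@ static int audit_list_rules(void *_dest)
 return 0;
 }
 
+/**
+ * audit_receive_filter - apply all rules to the specified message type
+ * @type: audit message type
+ * @pid: target pid for netlink audit messages
+ * @uid: target uid for netlink audit messages
+ * @seq: netlink audit message sequence (serial) number
+ * @data: payload data
+ * @loginuid: loginuid of sender
+ */
 int audit_receive_filter(int type, int pid, int uid, int seq, void *data,
 uid_t loginuid)
 {
@@ -527,7 +536,7 @@ static enum audit_state audit_filter_task(struct task_struct *tsk)
 /* At syscall entry and exit time, this filter is called if the
 * audit_state is not low enough that auditing cannot take place, but is
 * also not high enough that we already know we have to write an audit
 * record (i.e., the state is AUDIT_SETUP_CONTEXT or AUDIT_BUILD_CONTEXT).
 */
 static enum audit_state audit_filter_syscall(struct task_struct *tsk,
 struct audit_context *ctx,
@@ -721,10 +730,15 @@ static inline struct audit_context *audit_alloc_context(enum audit_state state)
 return context;
 }
 
-/* Filter on the task information and allocate a per-task audit context
+/**
+ * audit_alloc - allocate an audit context block for a task
+ * @tsk: task
+ *
+ * Filter on the task information and allocate a per-task audit context
 * if necessary. Doing so turns on system call auditing for the
 * specified task. This is called from copy_process, so no lock is
-* needed. */
+* needed.
+ */
 int audit_alloc(struct task_struct *tsk)
 {
 struct audit_context *context;
@@ -911,8 +925,12 @@ static void audit_log_exit(struct audit_context *context, gfp_t gfp_mask)
 }
 }
 
-/* Free a per-task audit context. Called from copy_process and
-* __put_task_struct. */
+/**
+ * audit_free - free a per-task audit context
+ * @tsk: task whose audit context block to free
+ *
+ * Called from copy_process and __put_task_struct.
+ */
 void audit_free(struct task_struct *tsk)
 {
 struct audit_context *context;
@@ -934,13 +952,24 @@ void audit_free(struct task_struct *tsk)
 audit_free_context(context);
 }
 
-/* Fill in audit context at syscall entry. This only happens if the
+/**
+ * audit_syscall_entry - fill in an audit record at syscall entry
+ * @tsk: task being audited
+ * @arch: architecture type
+ * @major: major syscall type (function)
+ * @a1: additional syscall register 1
+ * @a2: additional syscall register 2
+ * @a3: additional syscall register 3
+ * @a4: additional syscall register 4
+ *
+ * Fill in audit context at syscall entry. This only happens if the
 * audit context was created when the task was created and the state or
 * filters demand the audit context be built. If the state from the
 * per-task filter or from the per-syscall filter is AUDIT_RECORD_CONTEXT,
 * then the record will be written at syscall exit time (otherwise, it
 * will only be written if another part of the kernel requests that it
-* be written). */
+* be written).
+ */
 void audit_syscall_entry(struct task_struct *tsk, int arch, int major,
 unsigned long a1, unsigned long a2,
 unsigned long a3, unsigned long a4)
@@ -950,7 +979,8 @@ void audit_syscall_entry(struct task_struct *tsk, int arch, int major,
 
 BUG_ON(!context);
 
-/* This happens only on certain architectures that make system
+/*
+ * This happens only on certain architectures that make system
 * calls in kernel_thread via the entry.S interface, instead of
 * with direct calls. (If you are porting to a new
 * architecture, hitting this condition can indicate that you
@@ -1009,11 +1039,18 @@ void audit_syscall_entry(struct task_struct *tsk, int arch, int major,
 context->auditable = !!(state == AUDIT_RECORD_CONTEXT);
 }
 
-/* Tear down after system call. If the audit context has been marked as
+/**
+ * audit_syscall_exit - deallocate audit context after a system call
+ * @tsk: task being audited
+ * @valid: success/failure flag
+ * @return_code: syscall return value
+ *
+ * Tear down after system call. If the audit context has been marked as
 * auditable (either because of the AUDIT_RECORD_CONTEXT state from
 * filtering, or because some other part of the kernel write an audit
 * message), then write out the syscall information. In call cases,
-* free the names stored from getname(). */
+* free the names stored from getname().
+ */
 void audit_syscall_exit(struct task_struct *tsk, int valid, long return_code)
 {
 struct audit_context *context;
@@ -1048,7 +1085,13 @@ void audit_syscall_exit(struct task_struct *tsk, int valid, long return_code)
 put_task_struct(tsk);
 }
 
-/* Add a name to the list. Called from fs/namei.c:getname(). */
+/**
+ * audit_getname - add a name to the list
+ * @name: name to add
+ *
+ * Add a name to the list of audit names for this context.
+ * Called from fs/namei.c:getname().
+ */
 void audit_getname(const char *name)
 {
 struct audit_context *context = current->audit_context;
@@ -1077,10 +1120,13 @@ void audit_getname(const char *name)
 
 }
 
-/* Intercept a putname request. Called from
-* include/linux/fs.h:putname(). If we have stored the name from
-* getname in the audit context, then we delay the putname until syscall
-* exit. */
+/* audit_putname - intercept a putname request
+ * @name: name to intercept and delay for putname
+ *
+ * If we have stored the name from getname in the audit context,
+ * then we delay the putname until syscall exit.
+ * Called from include/linux/fs.h:putname().
+ */
 void audit_putname(const char *name)
 {
 struct audit_context *context = current->audit_context;
@@ -1117,8 +1163,14 @@ void audit_putname(const char *name)
 #endif
 }
 
-/* Store the inode and device from a lookup. Called from
-* fs/namei.c:path_lookup(). */
+/**
+ * audit_inode - store the inode and device from a lookup
+ * @name: name being audited
+ * @inode: inode being audited
+ * @flags: lookup flags (as used in path_lookup())
+ *
+ * Called from fs/namei.c:path_lookup().
+ */
 void audit_inode(const char *name, const struct inode *inode, unsigned flags)
 {
 int idx;
@@ -1154,6 +1206,14 @@ void audit_inode(const char *name, const struct inode *inode, unsigned flags)
 context->names[idx].rdev = inode->i_rdev;
 }
 
+/**
+ * auditsc_get_stamp - get local copies of audit_context values
+ * @ctx: audit_context for the task
+ * @t: timespec to store time recorded in the audit_context
+ * @serial: serial value that is recorded in the audit_context
+ *
+ * Also sets the context as auditable.
+ */
 void auditsc_get_stamp(struct audit_context *ctx,
 struct timespec *t, unsigned int *serial)
 {
@@ -1165,6 +1225,15 @@ void auditsc_get_stamp(struct audit_context *ctx,
 ctx->auditable = 1;
 }
 
+/**
+ * audit_set_loginuid - set a task's audit_context loginuid
+ * @task: task whose audit context is being modified
+ * @loginuid: loginuid value
+ *
+ * Returns 0.
+ *
+ * Called (set) from fs/proc/base.c::proc_loginuid_write().
+ */
 int audit_set_loginuid(struct task_struct *task, uid_t loginuid)
 {
 if (task->audit_context) {
@@ -1183,11 +1252,26 @@ int audit_set_loginuid(struct task_struct *task, uid_t loginuid)
 return 0;
 }
 
+/**
+ * audit_get_loginuid - get the loginuid for an audit_context
+ * @ctx: the audit_context
+ *
+ * Returns the context's loginuid or -1 if @ctx is NULL.
+ */
 uid_t audit_get_loginuid(struct audit_context *ctx)
 {
 return ctx ? ctx->loginuid : -1;
 }
 
+/**
+ * audit_ipc_perms - record audit data for ipc
+ * @qbytes: msgq bytes
+ * @uid: msgq user id
+ * @gid: msgq group id
+ * @mode: msgq mode (permissions)
+ *
+ * Returns 0 for success or NULL context or < 0 on error.
+ */
 int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode)
 {
 struct audit_aux_data_ipcctl *ax;
@@ -1211,6 +1295,13 @@ int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode)
 return 0;
 }
 
+/**
+ * audit_socketcall - record audit data for sys_socketcall
+ * @nargs: number of args
+ * @args: args array
+ *
+ * Returns 0 for success or NULL context or < 0 on error.
+ */
 int audit_socketcall(int nargs, unsigned long *args)
 {
 struct audit_aux_data_socketcall *ax;
@@ -1232,6 +1323,13 @@ int audit_socketcall(int nargs, unsigned long *args)
 return 0;
 }
 
+/**
+ * audit_sockaddr - record audit data for sys_bind, sys_connect, sys_sendto
+ * @len: data length in user space
+ * @a: data address in kernel space
+ *
+ * Returns 0 for success or NULL context or < 0 on error.
+ */
 int audit_sockaddr(int len, void *a)
 {
 struct audit_aux_data_sockaddr *ax;
@@ -1253,6 +1351,15 @@ int audit_sockaddr(int len, void *a)
 return 0;
 }
 
+/**
+ * audit_avc_path - record the granting or denial of permissions
+ * @dentry: dentry to record
+ * @mnt: mnt to record
+ *
+ * Returns 0 for success or NULL context or < 0 on error.
+ *
+ * Called from security/selinux/avc.c::avc_audit()
+ */
 int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt)
 {
 struct audit_aux_data_path *ax;
@@ -1274,6 +1381,14 @@ int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt)
 return 0;
 }
 
+/**
+ * audit_signal_info - record signal info for shutting down audit subsystem
+ * @sig: signal value
+ * @t: task being signaled
+ *
+ * If the audit subsystem is being terminated, record the task (pid)
+ * and uid that is doing that.
+ */
 void audit_signal_info(int sig, struct task_struct *t)
 {
 extern pid_t audit_sig_pid;
@@ -1290,4 +1405,3 @@ void audit_signal_info(int sig, struct task_struct *t)
 }
 }
 }
-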
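Review bot: The new comment block for audit_putname (new line 1123) opens with `/*` while every other block this commit adds opens with `/**`, so the kernel-doc extractor will skip this one function; change the opening to `/**` on its own line followed by ` * audit_putname - intercept a putname request` to match the rest. Since the audit_syscall_exit comment is being rewritten anyway (new lines 1049-1052), the two carried-over typos could be fixed in the same pass: `kernel write an audit` → `kernel writes an audit` and `In call cases` → `In all cases`. The audit_get_loginuid doc (new line 1259) says the function returns -1, but its return type is uid_t, so a caller actually receives the unsigned value `(uid_t)-1`; saying so explicitly would keep readers from comparing the result against a signed -1 — this matters because the "unset loginuid" sentinel is what audit rules key on. The bodies of all these functions lie outside the hunks.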