Diffstat (limited to 'kernel/auditsc.c')
-rw-r--r--kernel/auditsc.c150
1 files changed, 132 insertions, 18 deletions
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index cfaa4a277f08..51a4f58a4d81 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -330,6 +330,15 @@ static int audit_list_rules(void *_dest)
330 return 0; 330 return 0;
331} 331}
332 332
333/**
334 * audit_receive_filter - apply all rules to the specified message type
335 * @type: audit message type
336 * @pid: target pid for netlink audit messages
337 * @uid: target uid for netlink audit messages
338 * @seq: netlink audit message sequence (serial) number
339 * @data: payload data
340 * @loginuid: loginuid of sender
341 */
333int audit_receive_filter(int type, int pid, int uid, int seq, void *data, 342int audit_receive_filter(int type, int pid, int uid, int seq, void *data,
334 uid_t loginuid) 343 uid_t loginuid)
335{ 344{
@@ -527,7 +536,7 @@ static enum audit_state audit_filter_task(struct task_struct *tsk)
527/* At syscall entry and exit time, this filter is called if the 536/* At syscall entry and exit time, this filter is called if the
528 * audit_state is not low enough that auditing cannot take place, but is 537 * audit_state is not low enough that auditing cannot take place, but is
529 * also not high enough that we already know we have to write an audit 538 * also not high enough that we already know we have to write an audit
530 * record (i.e., the state is AUDIT_SETUP_CONTEXT or AUDIT_BUILD_CONTEXT). 539 * record (i.e., the state is AUDIT_SETUP_CONTEXT or AUDIT_BUILD_CONTEXT).
531 */ 540 */
532static enum audit_state audit_filter_syscall(struct task_struct *tsk, 541static enum audit_state audit_filter_syscall(struct task_struct *tsk,
533 struct audit_context *ctx, 542 struct audit_context *ctx,
@@ -721,10 +730,15 @@ static inline struct audit_context *audit_alloc_context(enum audit_state state)
721 return context; 730 return context;
722} 731}
723 732
724/* Filter on the task information and allocate a per-task audit context 733/**
734 * audit_alloc - allocate an audit context block for a task
735 * @tsk: task
736 *
737 * Filter on the task information and allocate a per-task audit context
725 * if necessary. Doing so turns on system call auditing for the 738 * if necessary. Doing so turns on system call auditing for the
726 * specified task. This is called from copy_process, so no lock is 739 * specified task. This is called from copy_process, so no lock is
727 * needed. */ 740 * needed.
741 */
728int audit_alloc(struct task_struct *tsk) 742int audit_alloc(struct task_struct *tsk)
729{ 743{
730 struct audit_context *context; 744 struct audit_context *context;
@@ -911,8 +925,12 @@ static void audit_log_exit(struct audit_context *context, gfp_t gfp_mask)
911 } 925 }
912} 926}
913 927
914/* Free a per-task audit context. Called from copy_process and 928/**
915 * __put_task_struct. */ 929 * audit_free - free a per-task audit context
930 * @tsk: task whose audit context block to free
931 *
932 * Called from copy_process and __put_task_struct.
933 */
916void audit_free(struct task_struct *tsk) 934void audit_free(struct task_struct *tsk)
917{ 935{
918 struct audit_context *context; 936 struct audit_context *context;
@@ -934,13 +952,24 @@ void audit_free(struct task_struct *tsk)
934 audit_free_context(context); 952 audit_free_context(context);
935} 953}
936 954
937/* Fill in audit context at syscall entry. This only happens if the 955/**
956 * audit_syscall_entry - fill in an audit record at syscall entry
957 * @tsk: task being audited
958 * @arch: architecture type
959 * @major: major syscall type (function)
960 * @a1: additional syscall register 1
961 * @a2: additional syscall register 2
962 * @a3: additional syscall register 3
963 * @a4: additional syscall register 4
964 *
965 * Fill in audit context at syscall entry. This only happens if the
938 * audit context was created when the task was created and the state or 966 * audit context was created when the task was created and the state or
939 * filters demand the audit context be built. If the state from the 967 * filters demand the audit context be built. If the state from the
940 * per-task filter or from the per-syscall filter is AUDIT_RECORD_CONTEXT, 968 * per-task filter or from the per-syscall filter is AUDIT_RECORD_CONTEXT,
941 * then the record will be written at syscall exit time (otherwise, it 969 * then the record will be written at syscall exit time (otherwise, it
942 * will only be written if another part of the kernel requests that it 970 * will only be written if another part of the kernel requests that it
943 * be written). */ 971 * be written).
972 */
944void audit_syscall_entry(struct task_struct *tsk, int arch, int major, 973void audit_syscall_entry(struct task_struct *tsk, int arch, int major,
945 unsigned long a1, unsigned long a2, 974 unsigned long a1, unsigned long a2,
946 unsigned long a3, unsigned long a4) 975 unsigned long a3, unsigned long a4)
@@ -950,7 +979,8 @@ void audit_syscall_entry(struct task_struct *tsk, int arch, int major,
950 979
951 BUG_ON(!context); 980 BUG_ON(!context);
952 981
953 /* This happens only on certain architectures that make system 982 /*
983 * This happens only on certain architectures that make system
954 * calls in kernel_thread via the entry.S interface, instead of 984 * calls in kernel_thread via the entry.S interface, instead of
955 * with direct calls. (If you are porting to a new 985 * with direct calls. (If you are porting to a new
956 * architecture, hitting this condition can indicate that you 986 * architecture, hitting this condition can indicate that you
@@ -1009,11 +1039,18 @@ void audit_syscall_entry(struct task_struct *tsk, int arch, int major,
1009 context->auditable = !!(state == AUDIT_RECORD_CONTEXT); 1039 context->auditable = !!(state == AUDIT_RECORD_CONTEXT);
1010} 1040}
1011 1041
1012/* Tear down after system call. If the audit context has been marked as 1042/**
1043 * audit_syscall_exit - deallocate audit context after a system call
1044 * @tsk: task being audited
1045 * @valid: success/failure flag
1046 * @return_code: syscall return value
1047 *
1048 * Tear down after system call. If the audit context has been marked as
1013 * auditable (either because of the AUDIT_RECORD_CONTEXT state from 1049 * auditable (either because of the AUDIT_RECORD_CONTEXT state from
1014 * filtering, or because some other part of the kernel write an audit 1050 * filtering, or because some other part of the kernel write an audit
1015 * message), then write out the syscall information. In call cases, 1051 * message), then write out the syscall information. In call cases,
1016 * free the names stored from getname(). */ 1052 * free the names stored from getname().
1053 */
1017void audit_syscall_exit(struct task_struct *tsk, int valid, long return_code) 1054void audit_syscall_exit(struct task_struct *tsk, int valid, long return_code)
1018{ 1055{
1019 struct audit_context *context; 1056 struct audit_context *context;
@@ -1048,7 +1085,13 @@ void audit_syscall_exit(struct task_struct *tsk, int valid, long return_code)
1048 put_task_struct(tsk); 1085 put_task_struct(tsk);
1049} 1086}
1050 1087
1051/* Add a name to the list. Called from fs/namei.c:getname(). */ 1088/**
1089 * audit_getname - add a name to the list
1090 * @name: name to add
1091 *
1092 * Add a name to the list of audit names for this context.
1093 * Called from fs/namei.c:getname().
1094 */
1052void audit_getname(const char *name) 1095void audit_getname(const char *name)
1053{ 1096{
1054 struct audit_context *context = current->audit_context; 1097 struct audit_context *context = current->audit_context;
@@ -1077,10 +1120,13 @@ void audit_getname(const char *name)
1077 1120
1078} 1121}
1079 1122
1080/* Intercept a putname request. Called from 1123/* audit_putname - intercept a putname request
1081 * include/linux/fs.h:putname(). If we have stored the name from 1124 * @name: name to intercept and delay for putname
1082 * getname in the audit context, then we delay the putname until syscall 1125 *
1083 * exit. */ 1126 * If we have stored the name from getname in the audit context,
1127 * then we delay the putname until syscall exit.
1128 * Called from include/linux/fs.h:putname().
1129 */
1084void audit_putname(const char *name) 1130void audit_putname(const char *name)
1085{ 1131{
1086 struct audit_context *context = current->audit_context; 1132 struct audit_context *context = current->audit_context;
@@ -1117,8 +1163,14 @@ void audit_putname(const char *name)
1117#endif 1163#endif
1118} 1164}
1119 1165
1120/* Store the inode and device from a lookup. Called from 1166/**
1121 * fs/namei.c:path_lookup(). */ 1167 * audit_inode - store the inode and device from a lookup
1168 * @name: name being audited
1169 * @inode: inode being audited
1170 * @flags: lookup flags (as used in path_lookup())
1171 *
1172 * Called from fs/namei.c:path_lookup().
1173 */
1122void audit_inode(const char *name, const struct inode *inode, unsigned flags) 1174void audit_inode(const char *name, const struct inode *inode, unsigned flags)
1123{ 1175{
1124 int idx; 1176 int idx;
@@ -1154,6 +1206,14 @@ void audit_inode(const char *name, const struct inode *inode, unsigned flags)
1154 context->names[idx].rdev = inode->i_rdev; 1206 context->names[idx].rdev = inode->i_rdev;
1155} 1207}
1156 1208
1209/**
1210 * auditsc_get_stamp - get local copies of audit_context values
1211 * @ctx: audit_context for the task
1212 * @t: timespec to store time recorded in the audit_context
1213 * @serial: serial value that is recorded in the audit_context
1214 *
1215 * Also sets the context as auditable.
1216 */
1157void auditsc_get_stamp(struct audit_context *ctx, 1217void auditsc_get_stamp(struct audit_context *ctx,
1158 struct timespec *t, unsigned int *serial) 1218 struct timespec *t, unsigned int *serial)
1159{ 1219{
@@ -1165,6 +1225,15 @@ void auditsc_get_stamp(struct audit_context *ctx,
1165 ctx->auditable = 1; 1225 ctx->auditable = 1;
1166} 1226}
1167 1227
1228/**
1229 * audit_set_loginuid - set a task's audit_context loginuid
1230 * @task: task whose audit context is being modified
1231 * @loginuid: loginuid value
1232 *
1233 * Returns 0.
1234 *
1235 * Called (set) from fs/proc/base.c::proc_loginuid_write().
1236 */
1168int audit_set_loginuid(struct task_struct *task, uid_t loginuid) 1237int audit_set_loginuid(struct task_struct *task, uid_t loginuid)
1169{ 1238{
1170 if (task->audit_context) { 1239 if (task->audit_context) {
@@ -1183,11 +1252,26 @@ int audit_set_loginuid(struct task_struct *task, uid_t loginuid)
1183 return 0; 1252 return 0;
1184} 1253}
1185 1254
1255/**
1256 * audit_get_loginuid - get the loginuid for an audit_context
1257 * @ctx: the audit_context
1258 *
1259 * Returns the context's loginuid or -1 if @ctx is NULL.
1260 */
1186uid_t audit_get_loginuid(struct audit_context *ctx) 1261uid_t audit_get_loginuid(struct audit_context *ctx)
1187{ 1262{
1188 return ctx ? ctx->loginuid : -1; 1263 return ctx ? ctx->loginuid : -1;
1189} 1264}
1190 1265
1266/**
1267 * audit_ipc_perms - record audit data for ipc
1268 * @qbytes: msgq bytes
1269 * @uid: msgq user id
1270 * @gid: msgq group id
1271 * @mode: msgq mode (permissions)
1272 *
1273 * Returns 0 for success or NULL context or < 0 on error.
1274 */
1191int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode) 1275int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode)
1192{ 1276{
1193 struct audit_aux_data_ipcctl *ax; 1277 struct audit_aux_data_ipcctl *ax;
@@ -1211,6 +1295,13 @@ int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode)
1211 return 0; 1295 return 0;
1212} 1296}
1213 1297
1298/**
1299 * audit_socketcall - record audit data for sys_socketcall
1300 * @nargs: number of args
1301 * @args: args array
1302 *
1303 * Returns 0 for success or NULL context or < 0 on error.
1304 */
1214int audit_socketcall(int nargs, unsigned long *args) 1305int audit_socketcall(int nargs, unsigned long *args)
1215{ 1306{
1216 struct audit_aux_data_socketcall *ax; 1307 struct audit_aux_data_socketcall *ax;
@@ -1232,6 +1323,13 @@ int audit_socketcall(int nargs, unsigned long *args)
1232 return 0; 1323 return 0;
1233} 1324}
1234 1325
1326/**
1327 * audit_sockaddr - record audit data for sys_bind, sys_connect, sys_sendto
1328 * @len: data length in user space
1329 * @a: data address in kernel space
1330 *
1331 * Returns 0 for success or NULL context or < 0 on error.
1332 */
1235int audit_sockaddr(int len, void *a) 1333int audit_sockaddr(int len, void *a)
1236{ 1334{
1237 struct audit_aux_data_sockaddr *ax; 1335 struct audit_aux_data_sockaddr *ax;
@@ -1253,6 +1351,15 @@ int audit_sockaddr(int len, void *a)
1253 return 0; 1351 return 0;
1254} 1352}
1255 1353
1354/**
1355 * audit_avc_path - record the granting or denial of permissions
1356 * @dentry: dentry to record
1357 * @mnt: mnt to record
1358 *
1359 * Returns 0 for success or NULL context or < 0 on error.
1360 *
1361 * Called from security/selinux/avc.c::avc_audit()
1362 */
1256int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt) 1363int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt)
1257{ 1364{
1258 struct audit_aux_data_path *ax; 1365 struct audit_aux_data_path *ax;
@@ -1274,6 +1381,14 @@ int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt)
1274 return 0; 1381 return 0;
1275} 1382}
1276 1383
1384/**
1385 * audit_signal_info - record signal info for shutting down audit subsystem
1386 * @sig: signal value
1387 * @t: task being signaled
1388 *
1389 * If the audit subsystem is being terminated, record the task (pid)
1390 * and uid that is doing that.
1391 */
1277void audit_signal_info(int sig, struct task_struct *t) 1392void audit_signal_info(int sig, struct task_struct *t)
1278{ 1393{
1279 extern pid_t audit_sig_pid; 1394 extern pid_t audit_sig_pid;
@@ -1290,4 +1405,3 @@ void audit_signal_info(int sig, struct task_struct *t)
1290 } 1405 }
1291 } 1406 }
1292} 1407}
1293
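Review bot: The new header on audit_putname (old line 1080 / new line 1123) opens with `/*` rather than `/**`, so unlike every other comment this commit converts it is not a kernel-doc block and the documentation extractor will skip it; change the opening line to `/* audit_putname - intercept a putname request` → `/**` followed by ` * audit_putname - intercept a putname request`. Two smaller wording points on the new text: the audit_receive_filter block (new lines 333-341) is the only one here without a return-value line, and the audit_get_loginuid block says "Returns the context's loginuid or -1 if @ctx is NULL" although the return type is the unsigned uid_t, so writing it as `(uid_t)-1` tells callers the exact value to compare against. The bodies of all these functions lie outside the shown hunks, so the return conventions themselves are not verifiable from this diff.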