aboutsummaryrefslogtreecommitdiffstats
path: root/kernel/auditsc.c
diff options
context:
space:
mode:
Diffstat (limited to 'kernel/auditsc.c')
-rw-r--r--kernel/auditsc.c205
1 files changed, 165 insertions, 40 deletions
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index aaaca8a13bbe..6e03322e155b 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -78,6 +78,9 @@ extern struct list_head audit_filter_list[];
78/* Indicates that audit should log the full pathname. */ 78/* Indicates that audit should log the full pathname. */
79#define AUDIT_NAME_FULL -1 79#define AUDIT_NAME_FULL -1
80 80
81/* no execve audit message should be longer than this (userspace limits) */
82#define MAX_EXECVE_AUDIT_LEN 7500
83
81/* number of audit rules */ 84/* number of audit rules */
82int audit_n_rules; 85int audit_n_rules;
83 86
@@ -965,55 +968,187 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
965 return rc; 968 return rc;
966} 969}
967 970
968static void audit_log_execve_info(struct audit_buffer *ab, 971/*
969 struct audit_aux_data_execve *axi) 972 * to_send and len_sent accounting are very loose estimates. We aren't
973 * really worried about a hard cap to MAX_EXECVE_AUDIT_LEN so much as being
974 * within about 500 bytes (next page boundry)
975 *
976 * why snprintf? an int is up to 12 digits long. if we just assumed when
977 * logging that a[%d]= was going to be 16 characters long we would be wasting
978 * space in every audit message. In one 7500 byte message we can log up to
979 * about 1000 min size arguments. That comes down to about 50% waste of space
980 * if we didn't do the snprintf to find out how long arg_num_len was.
981 */
982static int audit_log_single_execve_arg(struct audit_context *context,
983 struct audit_buffer **ab,
984 int arg_num,
985 size_t *len_sent,
986 const char __user *p,
987 char *buf)
970{ 988{
971 int i; 989 char arg_num_len_buf[12];
972 long len, ret; 990 const char __user *tmp_p = p;
973 const char __user *p; 991 /* how many digits are in arg_num? 3 is the length of a=\n */
974 char *buf; 992 size_t arg_num_len = snprintf(arg_num_len_buf, 12, "%d", arg_num) + 3;
993 size_t len, len_left, to_send;
994 size_t max_execve_audit_len = MAX_EXECVE_AUDIT_LEN;
995 unsigned int i, has_cntl = 0, too_long = 0;
996 int ret;
997
998 /* strnlen_user includes the null we don't want to send */
999 len_left = len = strnlen_user(p, MAX_ARG_STRLEN) - 1;
975 1000
976 if (axi->mm != current->mm) 1001 /*
977 return; /* execve failed, no additional info */ 1002 * We just created this mm, if we can't find the strings
978 1003 * we just copied into it something is _very_ wrong. Similar
979 p = (const char __user *)axi->mm->arg_start; 1004 * for strings that are too long, we should not have created
1005 * any.
1006 */
1007 if (unlikely((len = -1) || len > MAX_ARG_STRLEN - 1)) {
1008 WARN_ON(1);
1009 send_sig(SIGKILL, current, 0);
1010 }
980 1011
981 for (i = 0; i < axi->argc; i++, p += len) { 1012 /* walk the whole argument looking for non-ascii chars */
982 len = strnlen_user(p, MAX_ARG_STRLEN); 1013 do {
1014 if (len_left > MAX_EXECVE_AUDIT_LEN)
1015 to_send = MAX_EXECVE_AUDIT_LEN;
1016 else
1017 to_send = len_left;
1018 ret = copy_from_user(buf, tmp_p, to_send);
983 /* 1019 /*
984 * We just created this mm, if we can't find the strings 1020 * There is no reason for this copy to be short. We just
985 * we just copied into it something is _very_ wrong. Similar 1021 * copied them here, and the mm hasn't been exposed to user-
986 * for strings that are too long, we should not have created 1022 * space yet.
987 * any.
988 */ 1023 */
989 if (!len || len > MAX_ARG_STRLEN) { 1024 if (ret) {
990 WARN_ON(1); 1025 WARN_ON(1);
991 send_sig(SIGKILL, current, 0); 1026 send_sig(SIGKILL, current, 0);
992 } 1027 }
993 1028 buf[to_send] = '\0';
994 buf = kmalloc(len, GFP_KERNEL); 1029 has_cntl = audit_string_contains_control(buf, to_send);
995 if (!buf) { 1030 if (has_cntl) {
996 audit_panic("out of memory for argv string\n"); 1031 /*
1032 * hex messages get logged as 2 bytes, so we can only
1033 * send half as much in each message
1034 */
1035 max_execve_audit_len = MAX_EXECVE_AUDIT_LEN / 2;
997 break; 1036 break;
998 } 1037 }
1038 len_left -= to_send;
1039 tmp_p += to_send;
1040 } while (len_left > 0);
1041
1042 len_left = len;
1043
1044 if (len > max_execve_audit_len)
1045 too_long = 1;
1046
1047 /* rewalk the argument actually logging the message */
1048 for (i = 0; len_left > 0; i++) {
1049 int room_left;
1050
1051 if (len_left > max_execve_audit_len)
1052 to_send = max_execve_audit_len;
1053 else
1054 to_send = len_left;
1055
1056 /* do we have space left to send this argument in this ab? */
1057 room_left = MAX_EXECVE_AUDIT_LEN - arg_num_len - *len_sent;
1058 if (has_cntl)
1059 room_left -= (to_send * 2);
1060 else
1061 room_left -= to_send;
1062 if (room_left < 0) {
1063 *len_sent = 0;
1064 audit_log_end(*ab);
1065 *ab = audit_log_start(context, GFP_KERNEL, AUDIT_EXECVE);
1066 if (!*ab)
1067 return 0;
1068 }
999 1069
1000 ret = copy_from_user(buf, p, len);
1001 /* 1070 /*
1002 * There is no reason for this copy to be short. We just 1071 * first record needs to say how long the original string was
1003 * copied them here, and the mm hasn't been exposed to user- 1072 * so we can be sure nothing was lost.
1004 * space yet. 1073 */
1074 if ((i == 0) && (too_long))
1075 audit_log_format(*ab, "a%d_len=%ld ", arg_num,
1076 has_cntl ? 2*len : len);
1077
1078 /*
1079 * normally arguments are small enough to fit and we already
1080 * filled buf above when we checked for control characters
1081 * so don't bother with another copy_from_user
1005 */ 1082 */
1083 if (len >= max_execve_audit_len)
1084 ret = copy_from_user(buf, p, to_send);
1085 else
1086 ret = 0;
1006 if (ret) { 1087 if (ret) {
1007 WARN_ON(1); 1088 WARN_ON(1);
1008 send_sig(SIGKILL, current, 0); 1089 send_sig(SIGKILL, current, 0);
1009 } 1090 }
1091 buf[to_send] = '\0';
1092
1093 /* actually log it */
1094 audit_log_format(*ab, "a%d", arg_num);
1095 if (too_long)
1096 audit_log_format(*ab, "[%d]", i);
1097 audit_log_format(*ab, "=");
1098 if (has_cntl)
1099 audit_log_hex(*ab, buf, to_send);
1100 else
1101 audit_log_format(*ab, "\"%s\"", buf);
1102 audit_log_format(*ab, "\n");
1103
1104 p += to_send;
1105 len_left -= to_send;
1106 *len_sent += arg_num_len;
1107 if (has_cntl)
1108 *len_sent += to_send * 2;
1109 else
1110 *len_sent += to_send;
1111 }
1112 /* include the null we didn't log */
1113 return len + 1;
1114}
1115
1116static void audit_log_execve_info(struct audit_context *context,
1117 struct audit_buffer **ab,
1118 struct audit_aux_data_execve *axi)
1119{
1120 int i;
1121 size_t len, len_sent = 0;
1122 const char __user *p;
1123 char *buf;
1010 1124
1011 audit_log_format(ab, "a%d=", i); 1125 if (axi->mm != current->mm)
1012 audit_log_untrustedstring(ab, buf); 1126 return; /* execve failed, no additional info */
1013 audit_log_format(ab, "\n"); 1127
1128 p = (const char __user *)axi->mm->arg_start;
1014 1129
1015 kfree(buf); 1130 audit_log_format(*ab, "argc=%d ", axi->argc);
1131
1132 /*
1133 * we need some kernel buffer to hold the userspace args. Just
1134 * allocate one big one rather than allocating one of the right size
1135 * for every single argument inside audit_log_single_execve_arg()
1136 * should be <8k allocation so should be pretty safe.
1137 */
1138 buf = kmalloc(MAX_EXECVE_AUDIT_LEN + 1, GFP_KERNEL);
1139 if (!buf) {
1140 audit_panic("out of memory for argv string\n");
1141 return;
1016 } 1142 }
1143
1144 for (i = 0; i < axi->argc; i++) {
1145 len = audit_log_single_execve_arg(context, ab, i,
1146 &len_sent, p, buf);
1147 if (len <= 0)
1148 break;
1149 p += len;
1150 }
1151 kfree(buf);
1017} 1152}
1018 1153
1019static void audit_log_exit(struct audit_context *context, struct task_struct *tsk) 1154static void audit_log_exit(struct audit_context *context, struct task_struct *tsk)
@@ -1157,7 +1292,7 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
1157 1292
1158 case AUDIT_EXECVE: { 1293 case AUDIT_EXECVE: {
1159 struct audit_aux_data_execve *axi = (void *)aux; 1294 struct audit_aux_data_execve *axi = (void *)aux;
1160 audit_log_execve_info(ab, axi); 1295 audit_log_execve_info(context, &ab, axi);
1161 break; } 1296 break; }
1162 1297
1163 case AUDIT_SOCKETCALL: { 1298 case AUDIT_SOCKETCALL: {
@@ -2094,8 +2229,6 @@ int __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode
2094 return 0; 2229 return 0;
2095} 2230}
2096 2231
2097int audit_argv_kb = 32;
2098
2099int audit_bprm(struct linux_binprm *bprm) 2232int audit_bprm(struct linux_binprm *bprm)
2100{ 2233{
2101 struct audit_aux_data_execve *ax; 2234 struct audit_aux_data_execve *ax;
@@ -2104,14 +2237,6 @@ int audit_bprm(struct linux_binprm *bprm)
2104 if (likely(!audit_enabled || !context || context->dummy)) 2237 if (likely(!audit_enabled || !context || context->dummy))
2105 return 0; 2238 return 0;
2106 2239
2107 /*
2108 * Even though the stack code doesn't limit the arg+env size any more,
2109 * the audit code requires that _all_ arguments be logged in a single
2110 * netlink skb. Hence cap it :-(
2111 */
2112 if (bprm->argv_len > (audit_argv_kb << 10))
2113 return -E2BIG;
2114
2115 ax = kmalloc(sizeof(*ax), GFP_KERNEL); 2240 ax = kmalloc(sizeof(*ax), GFP_KERNEL);
2116 if (!ax) 2241 if (!ax)
2117 return -ENOMEM; 2242 return -ENOMEM;