aboutsummaryrefslogtreecommitdiffstats
path: root/kernel/auditsc.c
diff options
context:
space:
mode:
Diffstat (limited to 'kernel/auditsc.c')
-rw-r--r--kernel/auditsc.c68
1 files changed, 68 insertions, 0 deletions
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index de7e9bcba9ae..3229cd4206f5 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -196,6 +196,14 @@ struct audit_aux_data_pids {
196 int pid_count; 196 int pid_count;
197}; 197};
198 198
199struct audit_aux_data_bprm_fcaps {
200 struct audit_aux_data d;
201 struct audit_cap_data fcap;
202 unsigned int fcap_ver;
203 struct audit_cap_data old_pcap;
204 struct audit_cap_data new_pcap;
205};
206
199struct audit_tree_refs { 207struct audit_tree_refs {
200 struct audit_tree_refs *next; 208 struct audit_tree_refs *next;
201 struct audit_chunk *c[31]; 209 struct audit_chunk *c[31];
@@ -1375,6 +1383,20 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
1375 audit_log_format(ab, "fd0=%d fd1=%d", axs->fd[0], axs->fd[1]); 1383 audit_log_format(ab, "fd0=%d fd1=%d", axs->fd[0], axs->fd[1]);
1376 break; } 1384 break; }
1377 1385
1386 case AUDIT_BPRM_FCAPS: {
1387 struct audit_aux_data_bprm_fcaps *axs = (void *)aux;
1388 audit_log_format(ab, "fver=%x", axs->fcap_ver);
1389 audit_log_cap(ab, "fp", &axs->fcap.permitted);
1390 audit_log_cap(ab, "fi", &axs->fcap.inheritable);
1391 audit_log_format(ab, " fe=%d", axs->fcap.fE);
1392 audit_log_cap(ab, "old_pp", &axs->old_pcap.permitted);
1393 audit_log_cap(ab, "old_pi", &axs->old_pcap.inheritable);
1394 audit_log_cap(ab, "old_pe", &axs->old_pcap.effective);
1395 audit_log_cap(ab, "new_pp", &axs->new_pcap.permitted);
1396 audit_log_cap(ab, "new_pi", &axs->new_pcap.inheritable);
1397 audit_log_cap(ab, "new_pe", &axs->new_pcap.effective);
1398 break; }
1399
1378 } 1400 }
1379 audit_log_end(ab); 1401 audit_log_end(ab);
1380 } 1402 }
@@ -2502,6 +2524,52 @@ int __audit_signal_info(int sig, struct task_struct *t)
2502} 2524}
2503 2525
2504/** 2526/**
2527 * __audit_log_bprm_fcaps - store information about a loading bprm and relevant fcaps
2528 * @bprm pointer to the bprm being processed
2529 * @caps the caps read from the disk
2530 *
2531 * Simply check if the proc already has the caps given by the file and if not
2532 * store the priv escalation info for later auditing at the end of the syscall
2533 *
2534 * this can fail and we don't care. See the note in audit.h for
2535 * audit_log_bprm_fcaps() for my explaination....
2536 *
2537 * -Eric
2538 */
2539void __audit_log_bprm_fcaps(struct linux_binprm *bprm, kernel_cap_t *pP, kernel_cap_t *pE)
2540{
2541 struct audit_aux_data_bprm_fcaps *ax;
2542 struct audit_context *context = current->audit_context;
2543 struct cpu_vfs_cap_data vcaps;
2544 struct dentry *dentry;
2545
2546 ax = kmalloc(sizeof(*ax), GFP_KERNEL);
2547 if (!ax)
2548 return;
2549
2550 ax->d.type = AUDIT_BPRM_FCAPS;
2551 ax->d.next = context->aux;
2552 context->aux = (void *)ax;
2553
2554 dentry = dget(bprm->file->f_dentry);
2555 get_vfs_caps_from_disk(dentry, &vcaps);
2556 dput(dentry);
2557
2558 ax->fcap.permitted = vcaps.permitted;
2559 ax->fcap.inheritable = vcaps.inheritable;
2560 ax->fcap.fE = !!(vcaps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE);
2561 ax->fcap_ver = (vcaps.magic_etc & VFS_CAP_REVISION_MASK) >> VFS_CAP_REVISION_SHIFT;
2562
2563 ax->old_pcap.permitted = *pP;
2564 ax->old_pcap.inheritable = current->cap_inheritable;
2565 ax->old_pcap.effective = *pE;
2566
2567 ax->new_pcap.permitted = current->cap_permitted;
2568 ax->new_pcap.inheritable = current->cap_inheritable;
2569 ax->new_pcap.effective = current->cap_effective;
2570}
2571
2572/**
2505 * audit_core_dumps - record information about processes that end abnormally 2573 * audit_core_dumps - record information about processes that end abnormally
2506 * @signr: signal value 2574 * @signr: signal value
2507 * 2575 *