Diffstat (limited to 'kernel/auditsc.c')
-rw-r--r-- | kernel/auditsc.c | 68 |
1 files changed, 68 insertions, 0 deletions
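--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -196,6 +196,14 @@ struct audit_aux_data_pids {
 int pid_count;
 };
 
+struct audit_aux_data_bprm_fcaps {
+struct audit_aux_data d;
+struct audit_cap_data fcap;
+unsigned int fcap_ver;
+struct audit_cap_data old_pcap;
+struct audit_cap_data new_pcap;
+};
+
 struct audit_tree_refs {
 struct audit_tree_refs *next;
 struct audit_chunk *c[31];
@@ -1375,6 +1383,20 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
 audit_log_format(ab, "fd0=%d fd1=%d", axs->fd[0], axs->fd[1]);
 break; }
 
+case AUDIT_BPRM_FCAPS: {
+struct audit_aux_data_bprm_fcaps *axs = (void *)aux;
+audit_log_format(ab, "fver=%x", axs->fcap_ver);
+audit_log_cap(ab, "fp", &axs->fcap.permitted);
+audit_log_cap(ab, "fi", &axs->fcap.inheritable);
+audit_log_format(ab, " fe=%d", axs->fcap.fE);
+audit_log_cap(ab, "old_pp", &axs->old_pcap.permitted);
+audit_log_cap(ab, "old_pi", &axs->old_pcap.inheritable);
+audit_log_cap(ab, "old_pe", &axs->old_pcap.effective);
+audit_log_cap(ab, "new_pp", &axs->new_pcap.permitted);
+audit_log_cap(ab, "new_pi", &axs->new_pcap.inheritable);
+audit_log_cap(ab, "new_pe", &axs->new_pcap.effective);
+break; }
+
 }
 audit_log_end(ab);
 }
@@ -2502,6 +2524,52 @@ int __audit_signal_info(int sig, struct task_struct *t)
 }
 
 /**
+* __audit_log_bprm_fcaps - store information about a loading bprm and relevant fcaps
+* @bprm pointer to the bprm being processed
+* @caps the caps read from the disk
+*
+* Simply check if the proc already has the caps given by the file and if not
+* store the priv escalation info for later auditing at the end of the syscall
+*
+* this can fail and we don't care. See the note in audit.h for
+* audit_log_bprm_fcaps() for my explaination....
+*
+* -Eric
+*/
+void __audit_log_bprm_fcaps(struct linux_binprm *bprm, kernel_cap_t *pP, kernel_cap_t *pE)
+{
+struct audit_aux_data_bprm_fcaps *ax;
+struct audit_context *context = current->audit_context;
+struct cpu_vfs_cap_data vcaps;
+struct dentry *dentry;
+
+ax = kmalloc(sizeof(*ax), GFP_KERNEL);
+if (!ax)
+return;
+
+ax->d.type = AUDIT_BPRM_FCAPS;
+ax->d.next = context->aux;
+context->aux = (void *)ax;
+
+dentry = dget(bprm->file->f_dentry);
+get_vfs_caps_from_disk(dentry, &vcaps);
+dput(dentry);
+
+ax->fcap.permitted = vcaps.permitted;
+ax->fcap.inheritable = vcaps.inheritable;
+ax->fcap.fE = !!(vcaps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE);
+ax->fcap_ver = (vcaps.magic_etc & VFS_CAP_REVISION_MASK) >> VFS_CAP_REVISION_SHIFT;
+
+ax->old_pcap.permitted = *pP;
+ax->old_pcap.inheritable = current->cap_inheritable;
+ax->old_pcap.effective = *pE;
+
+ax->new_pcap.permitted = current->cap_permitted;
+ax->new_pcap.inheritable = current->cap_inheritable;
+ax->new_pcap.effective = current->cap_effective;
+}
+
+/**
 * audit_core_dumps - record information about processes that end abnormally
 * @signr: signal value
 *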
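Review bot: The return value of `get_vfs_caps_from_disk(dentry, &vcaps)` at new line 2555 is discarded and `vcaps` (line 2543) is never initialised, so if that helper fails without zeroing its output, the `fver`/`fp`/`fi`/`fe` values copied at lines 2558-2561 are uninitialised stack contents written into the AUDIT_BPRM_FCAPS record. Dropping the record on failure would lose the old/new process-capability sets that are still worth auditing, so the one-line fix is to declare `struct cpu_vfs_cap_data vcaps = { 0 };`, which makes an unreadable or absent xattr show up as an empty file-capability set with `fver=0`. `context` at line 2542 is likewise dereferenced without a NULL check; if the `audit_log_bprm_fcaps()` wrapper in audit.h (not in this hunk) does not already test for a NULL `audit_context`, a task without one would oops at line 2551. The kernel-doc block is also out of step with the code: it says the function checks whether the process already holds the file's caps, but the body unconditionally allocates and queues the record (presumably that comparison lives in the wrapper), and it documents `@bprm`/`@caps` while the signature takes `bprm`, `pP` and `pE`. I would rewrite the parameter lines as `@bprm: the bprm being processed`, `@pP: permitted set recorded as old_pp`, `@pE: effective set recorded as old_pe`, state that the caller is expected to have decided the caps changed, and fix the "explaination" typo.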