1 files changed, 169 insertions, 62 deletions
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index e75f84e1a1a0..46b45abceb9a 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -39,6 +39,9 @@
 #include <linux/audit.h>
 #include <linux/personality.h>
 #include <linux/time.h>
+#include <linux/kthread.h>
+#include <linux/netlink.h>
+#include <linux/compiler.h>
 #include <asm/unistd.h>
 /* 0 = no checking
@@ -95,6 +98,7 @@ struct audit_names {
        uid_t           uid;
        gid_t           gid;
        dev_t           rdev;
+        unsigned        flags;
 };
 struct audit_aux_data {
@@ -167,9 +171,16 @@ struct audit_context {
 /* There are three lists of rules -- one to search at task creation
 * time, one to search at syscall entry time, and another to search at
 * syscall exit time. */
-static LIST_HEAD(audit_tsklist);
+static struct list_head audit_filter_list[AUDIT_NR_FILTERS] = {
-static LIST_HEAD(audit_entlist);
+        LIST_HEAD_INIT(audit_filter_list[0]),
-static LIST_HEAD(audit_extlist);
+        LIST_HEAD_INIT(audit_filter_list[1]),
+        LIST_HEAD_INIT(audit_filter_list[2]),
+        LIST_HEAD_INIT(audit_filter_list[3]),
+        LIST_HEAD_INIT(audit_filter_list[4]),
+#if AUDIT_NR_FILTERS != 5
+#error Fix audit_filter_list initialiser
+#endif
+};
 struct audit_entry {
        struct list_head  list;
@@ -210,16 +221,15 @@ static int audit_compare_rule(struct audit_rule *a, struct audit_rule *b)
 /* Note that audit_add_rule and audit_del_rule are called via
 * audit_receive() in audit.c, and are protected by
 * audit_netlink_sem. */
-static inline int audit_add_rule(struct audit_entry *entry,
+static inline void audit_add_rule(struct audit_entry *entry,
-                                 struct list_head *list)
+                                  struct list_head *list)
 {
-        if (entry->rule.flags & AUDIT_PREPEND) {
+        if (entry->rule.flags & AUDIT_FILTER_PREPEND) {
-                entry->rule.flags &= ~AUDIT_PREPEND;
+                entry->rule.flags &= ~AUDIT_FILTER_PREPEND;
                list_add_rcu(&entry->list, list);
        } else {
                list_add_tail_rcu(&entry->list, list);
        }
-        return 0;
 }
 static void audit_free_rule(struct rcu_head *head)
@@ -245,7 +255,7 @@ static inline int audit_del_rule(struct audit_rule *rule,
                        return 0;
                }
        }
-        return -EFAULT;         /* No matching rule */
+        return -ENOENT;         /* No matching rule */
 }
 /* Copy rule from user-space to kernel-space.  Called during
@@ -260,6 +270,8 @@ static int audit_copy_rule(struct audit_rule *d, struct audit_rule *s)
                return -1;
        if (s->field_count < 0 || s->field_count > AUDIT_MAX_FIELDS)
                return -1;
+        if ((s->flags & ~AUDIT_FILTER_PREPEND) >= AUDIT_NR_FILTERS)
+                return -1;
        d->flags        = s->flags;
        d->action       = s->action;
@@ -272,27 +284,60 @@ static int audit_copy_rule(struct audit_rule *d, struct audit_rule *s)
        return 0;
 }
+static int audit_list_rules(void *_dest)
+{
+        int pid, seq;
+        int *dest = _dest;
+        struct audit_entry *entry;
+        int i;
+        pid = dest[0];
+        seq = dest[1];
+        kfree(dest);
+        down(&audit_netlink_sem);
+        /* The *_rcu iterators not needed here because we are
+           always called with audit_netlink_sem held. */
+        for (i=0; i<AUDIT_NR_FILTERS; i++) {
+                list_for_each_entry(entry, &audit_filter_list[i], list)
+                        audit_send_reply(pid, seq, AUDIT_LIST, 0, 1,
+                                         &entry->rule, sizeof(entry->rule));
+        }
+        audit_send_reply(pid, seq, AUDIT_LIST, 1, 1, NULL, 0);
+        
+        up(&audit_netlink_sem);
+        return 0;
+}
 int audit_receive_filter(int type, int pid, int uid, int seq, void *data,
                                                        uid_t loginuid)
 {
-        u32                flags;
        struct audit_entry *entry;
+        struct task_struct *tsk;
+        int *dest;
        int                err = 0;
+        unsigned listnr;
        switch (type) {
        case AUDIT_LIST:
-                /* The *_rcu iterators not needed here because we are
+                /* We can't just spew out the rules here because we might fill
-                   always called with audit_netlink_sem held. */
+                 * the available socket buffer space and deadlock waiting for
-                list_for_each_entry(entry, &audit_tsklist, list)
+                 * auditctl to read from it... which isn't ever going to
-                        audit_send_reply(pid, seq, AUDIT_LIST, 0, 1,
+                 * happen if we're actually running in the context of auditctl
-                                         &entry->rule, sizeof(entry->rule));
+                 * trying to _send_ the stuff */
-                list_for_each_entry(entry, &audit_entlist, list)
+                 
-                        audit_send_reply(pid, seq, AUDIT_LIST, 0, 1,
+                dest = kmalloc(2 * sizeof(int), GFP_KERNEL);
-                                         &entry->rule, sizeof(entry->rule));
+                if (!dest)
-                list_for_each_entry(entry, &audit_extlist, list)
+                        return -ENOMEM;
-                        audit_send_reply(pid, seq, AUDIT_LIST, 0, 1,
+                dest[0] = pid;
-                                         &entry->rule, sizeof(entry->rule));
+                dest[1] = seq;
-                audit_send_reply(pid, seq, AUDIT_LIST, 1, 1, NULL, 0);
+                tsk = kthread_run(audit_list_rules, dest, "audit_list_rules");
+                if (IS_ERR(tsk)) {
+                        kfree(dest);
+                        err = PTR_ERR(tsk);
+                }
                break;
        case AUDIT_ADD:
                if (!(entry = kmalloc(sizeof(*entry), GFP_KERNEL)))
@@ -301,26 +346,20 @@ int audit_receive_filter(int type, int pid, int uid, int seq, void *data,
                        kfree(entry);
                        return -EINVAL;
                }
-                flags = entry->rule.flags;
+                listnr = entry->rule.flags & ~AUDIT_FILTER_PREPEND;
-                if (!err && (flags & AUDIT_PER_TASK))
+                audit_add_rule(entry, &audit_filter_list[listnr]);
-                        err = audit_add_rule(entry, &audit_tsklist);
+                audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, 
-                if (!err && (flags & AUDIT_AT_ENTRY))
-                        err = audit_add_rule(entry, &audit_entlist);
-                if (!err && (flags & AUDIT_AT_EXIT))
-                        err = audit_add_rule(entry, &audit_extlist);
-                audit_log(NULL, AUDIT_CONFIG_CHANGE, 
                                "auid=%u added an audit rule\n", loginuid);
                break;
        case AUDIT_DEL:
-                flags =((struct audit_rule *)data)->flags;
+                listnr =((struct audit_rule *)data)->flags & ~AUDIT_FILTER_PREPEND;
-                if (!err && (flags & AUDIT_PER_TASK))
+                if (listnr >= AUDIT_NR_FILTERS)
-                        err = audit_del_rule(data, &audit_tsklist);
+                        return -EINVAL;
-                if (!err && (flags & AUDIT_AT_ENTRY))
-                        err = audit_del_rule(data, &audit_entlist);
+                err = audit_del_rule(data, &audit_filter_list[listnr]);
-                if (!err && (flags & AUDIT_AT_EXIT))
+                if (!err)
-                        err = audit_del_rule(data, &audit_extlist);
+                        audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
-                audit_log(NULL, AUDIT_CONFIG_CHANGE,
+                                  "auid=%u removed an audit rule\n", loginuid);
-                                "auid=%u removed an audit rule\n", loginuid);
                break;
        default:
                return -EINVAL;
@@ -454,7 +493,7 @@ static enum audit_state audit_filter_task(struct task_struct *tsk)
        enum audit_state   state;
        rcu_read_lock();
-        list_for_each_entry_rcu(e, &audit_tsklist, list) {
+        list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TASK], list) {
                if (audit_filter_rules(tsk, &e->rule, NULL, &state)) {
                        rcu_read_unlock();
                        return state;
@@ -478,6 +517,9 @@ static enum audit_state audit_filter_syscall(struct task_struct *tsk,
        int                word = AUDIT_WORD(ctx->major);
        int                bit  = AUDIT_BIT(ctx->major);
+        if (audit_pid && tsk->tgid == audit_pid)
+                return AUDIT_DISABLED;
        rcu_read_lock();
        list_for_each_entry_rcu(e, list, list) {
                if ((e->rule.mask[word] & bit) == bit
@@ -490,6 +532,64 @@ static enum audit_state audit_filter_syscall(struct task_struct *tsk,
        return AUDIT_BUILD_CONTEXT;
 }
+static int audit_filter_user_rules(struct netlink_skb_parms *cb,
+                              struct audit_rule *rule,
+                              enum audit_state *state)
+{
+        int i;
+        for (i = 0; i < rule->field_count; i++) {
+                u32 field  = rule->fields[i] & ~AUDIT_NEGATE;
+                u32 value  = rule->values[i];
+                int result = 0;
+                switch (field) {
+                case AUDIT_PID:
+                        result = (cb->creds.pid == value);
+                        break;
+                case AUDIT_UID:
+                        result = (cb->creds.uid == value);
+                        break;
+                case AUDIT_GID:
+                        result = (cb->creds.gid == value);
+                        break;
+                case AUDIT_LOGINUID:
+                        result = (cb->loginuid == value);
+                        break;
+                }
+                if (rule->fields[i] & AUDIT_NEGATE)
+                        result = !result;
+                if (!result)
+                        return 0;
+        }
+        switch (rule->action) {
+        case AUDIT_NEVER:    *state = AUDIT_DISABLED;       break;
+        case AUDIT_POSSIBLE: *state = AUDIT_BUILD_CONTEXT;  break;
+        case AUDIT_ALWAYS:   *state = AUDIT_RECORD_CONTEXT; break;
+        }
+        return 1;
+}
+int audit_filter_user(struct netlink_skb_parms *cb, int type)
+{
+        struct audit_entry *e;
+        enum audit_state   state;
+        int ret = 1;
+        rcu_read_lock();
+        list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) {
+                if (audit_filter_user_rules(cb, &e->rule, &state)) {
+                        if (state == AUDIT_DISABLED)
+                                ret = 0;
+                        break;
+                }
+        }
+        rcu_read_unlock();
+        return ret; /* Audit by default */
+}
 /* This should be called with task_lock() held. */
 static inline struct audit_context *audit_get_context(struct task_struct *tsk,
                                                      int return_valid,
@@ -504,7 +604,7 @@ static inline struct audit_context *audit_get_context(struct task_struct *tsk,
        if (context->in_syscall && !context->auditable) {
                enum audit_state state;
-                state = audit_filter_syscall(tsk, context, &audit_extlist);
+                state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_EXIT]);
                if (state == AUDIT_RECORD_CONTEXT)
                        context->auditable = 1;
        }
@@ -679,13 +779,13 @@ static void audit_log_task_info(struct audit_buffer *ab)
        up_read(&mm->mmap_sem);
 }
-static void audit_log_exit(struct audit_context *context)
+static void audit_log_exit(struct audit_context *context, unsigned int gfp_mask)
 {
        int i;
        struct audit_buffer *ab;
        struct audit_aux_data *aux;
-        ab = audit_log_start(context, AUDIT_SYSCALL);
+        ab = audit_log_start(context, gfp_mask, AUDIT_SYSCALL);
        if (!ab)
                return;         /* audit_panic has been called */
        audit_log_format(ab, "arch=%x syscall=%d",
@@ -717,7 +817,7 @@ static void audit_log_exit(struct audit_context *context)
        for (aux = context->aux; aux; aux = aux->next) {
-                ab = audit_log_start(context, aux->type);
+                ab = audit_log_start(context, GFP_KERNEL, aux->type);
                if (!ab)
                        continue; /* audit_panic has been called */
@@ -754,14 +854,14 @@ static void audit_log_exit(struct audit_context *context)
        }
        if (context->pwd && context->pwdmnt) {
-                ab = audit_log_start(context, AUDIT_CWD);
+                ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD);
                if (ab) {
                        audit_log_d_path(ab, "cwd=", context->pwd, context->pwdmnt);
                        audit_log_end(ab);
                }
        }
        for (i = 0; i < context->name_count; i++) {
-                ab = audit_log_start(context, AUDIT_PATH);
+                ab = audit_log_start(context, GFP_KERNEL, AUDIT_PATH);
                if (!ab)
                        continue; /* audit_panic has been called */
@@ -770,6 +870,8 @@ static void audit_log_exit(struct audit_context *context)
                        audit_log_format(ab, " name=");
                        audit_log_untrustedstring(ab, context->names[i].name);
                }
+                audit_log_format(ab, " flags=%x\n", context->names[i].flags);
+                         
                if (context->names[i].ino != (unsigned long)-1)
                        audit_log_format(ab, " inode=%lu dev=%02x:%02x mode=%#o"
                                             " ouid=%u ogid=%u rdev=%02x:%02x",
@@ -799,9 +901,11 @@ void audit_free(struct task_struct *tsk)
                return;
        /* Check for system calls that do not go through the exit
-         * function (e.g., exit_group), then free context block. */
+         * function (e.g., exit_group), then free context block. 
-        if (context->in_syscall && context->auditable && context->pid != audit_pid)
+         * We use GFP_ATOMIC here because we might be doing this 
-                audit_log_exit(context);
+         * in the context of the idle thread */
+        if (context->in_syscall && context->auditable)
+                audit_log_exit(context, GFP_ATOMIC);
        audit_free_context(context);
 }
@@ -876,11 +980,11 @@ void audit_syscall_entry(struct task_struct *tsk, int arch, int major,
        state = context->state;
        if (state == AUDIT_SETUP_CONTEXT || state == AUDIT_BUILD_CONTEXT)
-                state = audit_filter_syscall(tsk, context, &audit_entlist);
+                state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_ENTRY]);
        if (likely(state == AUDIT_DISABLED))
                return;
-        context->serial     = audit_serial();
+        context->serial     = 0;
        context->ctime      = CURRENT_TIME;
        context->in_syscall = 1;
        context->auditable  = !!(state == AUDIT_RECORD_CONTEXT);
@@ -905,8 +1009,8 @@ void audit_syscall_exit(struct task_struct *tsk, int valid, long return_code)
        if (likely(!context))
                return;
-        if (context->in_syscall && context->auditable && context->pid != audit_pid)
+        if (context->in_syscall && context->auditable)
-                audit_log_exit(context);
+                audit_log_exit(context, GFP_KERNEL);
        context->in_syscall = 0;
        context->auditable  = 0;
@@ -996,7 +1100,7 @@ void audit_putname(const char *name)
 /* Store the inode and device from a lookup.  Called from
 * fs/namei.c:path_lookup(). */
-void audit_inode(const char *name, const struct inode *inode)
+void audit_inode(const char *name, const struct inode *inode, unsigned flags)
 {
        int idx;
        struct audit_context *context = current->audit_context;
@@ -1022,17 +1126,20 @@ void audit_inode(const char *name, const struct inode *inode)
                ++context->ino_count;
 #endif
        }
-        context->names[idx].ino  = inode->i_ino;
+        context->names[idx].flags = flags;
-        context->names[idx].dev  = inode->i_sb->s_dev;
+        context->names[idx].ino   = inode->i_ino;
-        context->names[idx].mode = inode->i_mode;
+        context->names[idx].dev   = inode->i_sb->s_dev;
-        context->names[idx].uid  = inode->i_uid;
+        context->names[idx].mode  = inode->i_mode;
-        context->names[idx].gid  = inode->i_gid;
+        context->names[idx].uid   = inode->i_uid;
-        context->names[idx].rdev = inode->i_rdev;
+        context->names[idx].gid   = inode->i_gid;
+        context->names[idx].rdev  = inode->i_rdev;
 }
 void auditsc_get_stamp(struct audit_context *ctx,
                       struct timespec *t, unsigned int *serial)
 {
+        if (!ctx->serial)
+                ctx->serial = audit_serial();
        t->tv_sec  = ctx->ctime.tv_sec;
        t->tv_nsec = ctx->ctime.tv_nsec;
        *serial    = ctx->serial;
@@ -1044,7 +1151,7 @@ int audit_set_loginuid(struct task_struct *task, uid_t loginuid)
        if (task->audit_context) {
                struct audit_buffer *ab;
-                ab = audit_log_start(NULL, AUDIT_LOGIN);
+                ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN);
                if (ab) {
                        audit_log_format(ab, "login pid=%d uid=%u "
                                "old auid=%u new auid=%u",
@@ -1153,7 +1260,7 @@ void audit_signal_info(int sig, struct task_struct *t)
        extern pid_t audit_sig_pid;
        extern uid_t audit_sig_uid;
-        if (unlikely(audit_pid && t->pid == audit_pid)) {
+        if (unlikely(audit_pid && t->tgid == audit_pid)) {
                if (sig == SIGTERM || sig == SIGHUP) {
                        struct audit_context *ctx = current->audit_context;
                        audit_sig_pid = current->pid;

diff --git a/kernel/auditsc.c b/kernel/auditsc.c index e75f84e1a1a0..46b45abceb9a 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c
@@ -39,6 +39,9 @@
39	#include <linux/audit.h>	39	#include <linux/audit.h>
40	#include <linux/personality.h>	40	#include <linux/personality.h>
41	#include <linux/time.h>	41	#include <linux/time.h>
		42	#include <linux/kthread.h>
		43	#include <linux/netlink.h>
		44	#include <linux/compiler.h>
42	#include <asm/unistd.h>	45	#include <asm/unistd.h>
43		46
44	/* 0 = no checking	47	/* 0 = no checking
@@ -95,6 +98,7 @@ struct audit_names {
95	uid_t uid;	98	uid_t uid;
96	gid_t gid;	99	gid_t gid;
97	dev_t rdev;	100	dev_t rdev;
		101	unsigned flags;
98	};	102	};
99		103
100	struct audit_aux_data {	104	struct audit_aux_data {
@@ -167,9 +171,16 @@ struct audit_context {
167	/* There are three lists of rules -- one to search at task creation	171	/* There are three lists of rules -- one to search at task creation
168	* time, one to search at syscall entry time, and another to search at	172	* time, one to search at syscall entry time, and another to search at
169	* syscall exit time. */	173	* syscall exit time. */
170	static LIST_HEAD(audit_tsklist);	174	static struct list_head audit_filter_list[AUDIT_NR_FILTERS] = {
171	static LIST_HEAD(audit_entlist);	175	LIST_HEAD_INIT(audit_filter_list[0]),
172	static LIST_HEAD(audit_extlist);	176	LIST_HEAD_INIT(audit_filter_list[1]),
		177	LIST_HEAD_INIT(audit_filter_list[2]),
		178	LIST_HEAD_INIT(audit_filter_list[3]),
		179	LIST_HEAD_INIT(audit_filter_list[4]),
		180	#if AUDIT_NR_FILTERS != 5
		181	#error Fix audit_filter_list initialiser
		182	#endif
		183	};
173		184
174	struct audit_entry {	185	struct audit_entry {
175	struct list_head list;	186	struct list_head list;
@@ -210,16 +221,15 @@ static int audit_compare_rule(struct audit_rule a, struct audit_rule b)
210	/* Note that audit_add_rule and audit_del_rule are called via	221	/* Note that audit_add_rule and audit_del_rule are called via
211	* audit_receive() in audit.c, and are protected by	222	* audit_receive() in audit.c, and are protected by
212	* audit_netlink_sem. */	223	* audit_netlink_sem. */
213	static inline int audit_add_rule(struct audit_entry *entry,	224	static inline void audit_add_rule(struct audit_entry *entry,
214	struct list_head *list)	225	struct list_head *list)
215	{	226	{
216	if (entry->rule.flags & AUDIT_PREPEND) {	227	if (entry->rule.flags & AUDIT_FILTER_PREPEND) {
217	entry->rule.flags &= ~AUDIT_PREPEND;	228	entry->rule.flags &= ~AUDIT_FILTER_PREPEND;
218	list_add_rcu(&entry->list, list);	229	list_add_rcu(&entry->list, list);
219	} else {	230	} else {
220	list_add_tail_rcu(&entry->list, list);	231	list_add_tail_rcu(&entry->list, list);
221	}	232	}
222	return 0;
223	}	233	}
224		234
225	static void audit_free_rule(struct rcu_head *head)	235	static void audit_free_rule(struct rcu_head *head)
@@ -245,7 +255,7 @@ static inline int audit_del_rule(struct audit_rule *rule,
245	return 0;	255	return 0;
246	}	256	}
247	}	257	}
248	return -EFAULT; /* No matching rule */	258	return -ENOENT; /* No matching rule */
249	}	259	}
250		260
251	/* Copy rule from user-space to kernel-space. Called during	261	/* Copy rule from user-space to kernel-space. Called during
@@ -260,6 +270,8 @@ static int audit_copy_rule(struct audit_rule d, struct audit_rule s)
260	return -1;	270	return -1;
261	if (s->field_count < 0 \|\| s->field_count > AUDIT_MAX_FIELDS)	271	if (s->field_count < 0 \|\| s->field_count > AUDIT_MAX_FIELDS)
262	return -1;	272	return -1;
		273	if ((s->flags & ~AUDIT_FILTER_PREPEND) >= AUDIT_NR_FILTERS)
		274	return -1;
263		275
264	d->flags = s->flags;	276	d->flags = s->flags;
265	d->action = s->action;	277	d->action = s->action;
@@ -272,27 +284,60 @@ static int audit_copy_rule(struct audit_rule d, struct audit_rule s)
272	return 0;	284	return 0;
273	}	285	}
274		286
		287	static int audit_list_rules(void *_dest)
		288	{
		289	int pid, seq;
		290	int *dest = _dest;
		291	struct audit_entry *entry;
		292	int i;
		293
		294	pid = dest[0];
		295	seq = dest[1];
		296	kfree(dest);
		297
		298	down(&audit_netlink_sem);
		299
		300	/* The *_rcu iterators not needed here because we are
		301	always called with audit_netlink_sem held. */
		302	for (i=0; i<AUDIT_NR_FILTERS; i++) {
		303	list_for_each_entry(entry, &audit_filter_list[i], list)
		304	audit_send_reply(pid, seq, AUDIT_LIST, 0, 1,
		305	&entry->rule, sizeof(entry->rule));
		306	}
		307	audit_send_reply(pid, seq, AUDIT_LIST, 1, 1, NULL, 0);
		308
		309	up(&audit_netlink_sem);
		310	return 0;
		311	}
		312
275	int audit_receive_filter(int type, int pid, int uid, int seq, void *data,	313	int audit_receive_filter(int type, int pid, int uid, int seq, void *data,
276	uid_t loginuid)	314	uid_t loginuid)
277	{	315	{
278	u32 flags;
279	struct audit_entry *entry;	316	struct audit_entry *entry;
		317	struct task_struct *tsk;
		318	int *dest;
280	int err = 0;	319	int err = 0;
		320	unsigned listnr;
281		321
282	switch (type) {	322	switch (type) {
283	case AUDIT_LIST:	323	case AUDIT_LIST:
284	/* The *_rcu iterators not needed here because we are	324	/* We can't just spew out the rules here because we might fill
285	always called with audit_netlink_sem held. */	325	* the available socket buffer space and deadlock waiting for
286	list_for_each_entry(entry, &audit_tsklist, list)	326	* auditctl to read from it... which isn't ever going to
287	audit_send_reply(pid, seq, AUDIT_LIST, 0, 1,	327	* happen if we're actually running in the context of auditctl
288	&entry->rule, sizeof(entry->rule));	328	* trying to _send_ the stuff */
289	list_for_each_entry(entry, &audit_entlist, list)	329
290	audit_send_reply(pid, seq, AUDIT_LIST, 0, 1,	330	dest = kmalloc(2 * sizeof(int), GFP_KERNEL);
291	&entry->rule, sizeof(entry->rule));	331	if (!dest)
292	list_for_each_entry(entry, &audit_extlist, list)	332	return -ENOMEM;
293	audit_send_reply(pid, seq, AUDIT_LIST, 0, 1,	333	dest[0] = pid;
294	&entry->rule, sizeof(entry->rule));	334	dest[1] = seq;
295	audit_send_reply(pid, seq, AUDIT_LIST, 1, 1, NULL, 0);	335
		336	tsk = kthread_run(audit_list_rules, dest, "audit_list_rules");
		337	if (IS_ERR(tsk)) {
		338	kfree(dest);
		339	err = PTR_ERR(tsk);
		340	}
296	break;	341	break;
297	case AUDIT_ADD:	342	case AUDIT_ADD:
298	if (!(entry = kmalloc(sizeof(*entry), GFP_KERNEL)))	343	if (!(entry = kmalloc(sizeof(*entry), GFP_KERNEL)))
@@ -301,26 +346,20 @@ int audit_receive_filter(int type, int pid, int uid, int seq, void *data,
301	kfree(entry);	346	kfree(entry);
302	return -EINVAL;	347	return -EINVAL;
303	}	348	}
304	flags = entry->rule.flags;	349	listnr = entry->rule.flags & ~AUDIT_FILTER_PREPEND;
305	if (!err && (flags & AUDIT_PER_TASK))	350	audit_add_rule(entry, &audit_filter_list[listnr]);
306	err = audit_add_rule(entry, &audit_tsklist);	351	audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
307	if (!err && (flags & AUDIT_AT_ENTRY))
308	err = audit_add_rule(entry, &audit_entlist);
309	if (!err && (flags & AUDIT_AT_EXIT))
310	err = audit_add_rule(entry, &audit_extlist);
311	audit_log(NULL, AUDIT_CONFIG_CHANGE,
312	"auid=%u added an audit rule\n", loginuid);	352	"auid=%u added an audit rule\n", loginuid);
313	break;	353	break;
314	case AUDIT_DEL:	354	case AUDIT_DEL:
315	flags =((struct audit_rule *)data)->flags;	355	listnr =((struct audit_rule *)data)->flags & ~AUDIT_FILTER_PREPEND;
316	if (!err && (flags & AUDIT_PER_TASK))	356	if (listnr >= AUDIT_NR_FILTERS)
317	err = audit_del_rule(data, &audit_tsklist);	357	return -EINVAL;
318	if (!err && (flags & AUDIT_AT_ENTRY))	358
319	err = audit_del_rule(data, &audit_entlist);	359	err = audit_del_rule(data, &audit_filter_list[listnr]);
320	if (!err && (flags & AUDIT_AT_EXIT))	360	if (!err)
321	err = audit_del_rule(data, &audit_extlist);	361	audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
322	audit_log(NULL, AUDIT_CONFIG_CHANGE,	362	"auid=%u removed an audit rule\n", loginuid);
323	"auid=%u removed an audit rule\n", loginuid);
324	break;	363	break;
325	default:	364	default:
326	return -EINVAL;	365	return -EINVAL;
@@ -454,7 +493,7 @@ static enum audit_state audit_filter_task(struct task_struct *tsk)
454	enum audit_state state;	493	enum audit_state state;
455		494
456	rcu_read_lock();	495	rcu_read_lock();
457	list_for_each_entry_rcu(e, &audit_tsklist, list) {	496	list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TASK], list) {
458	if (audit_filter_rules(tsk, &e->rule, NULL, &state)) {	497	if (audit_filter_rules(tsk, &e->rule, NULL, &state)) {
459	rcu_read_unlock();	498	rcu_read_unlock();
460	return state;	499	return state;
@@ -478,6 +517,9 @@ static enum audit_state audit_filter_syscall(struct task_struct *tsk,
478	int word = AUDIT_WORD(ctx->major);	517	int word = AUDIT_WORD(ctx->major);
479	int bit = AUDIT_BIT(ctx->major);	518	int bit = AUDIT_BIT(ctx->major);
480		519
		520	if (audit_pid && tsk->tgid == audit_pid)
		521	return AUDIT_DISABLED;
		522
481	rcu_read_lock();	523	rcu_read_lock();
482	list_for_each_entry_rcu(e, list, list) {	524	list_for_each_entry_rcu(e, list, list) {
483	if ((e->rule.mask[word] & bit) == bit	525	if ((e->rule.mask[word] & bit) == bit
@@ -490,6 +532,64 @@ static enum audit_state audit_filter_syscall(struct task_struct *tsk,
490	return AUDIT_BUILD_CONTEXT;	532	return AUDIT_BUILD_CONTEXT;
491	}	533	}
492		534
		535	static int audit_filter_user_rules(struct netlink_skb_parms *cb,
		536	struct audit_rule *rule,
		537	enum audit_state *state)
		538	{
		539	int i;
		540
		541	for (i = 0; i < rule->field_count; i++) {
		542	u32 field = rule->fields[i] & ~AUDIT_NEGATE;
		543	u32 value = rule->values[i];
		544	int result = 0;
		545
		546	switch (field) {
		547	case AUDIT_PID:
		548	result = (cb->creds.pid == value);
		549	break;
		550	case AUDIT_UID:
		551	result = (cb->creds.uid == value);
		552	break;
		553	case AUDIT_GID:
		554	result = (cb->creds.gid == value);
		555	break;
		556	case AUDIT_LOGINUID:
		557	result = (cb->loginuid == value);
		558	break;
		559	}
		560
		561	if (rule->fields[i] & AUDIT_NEGATE)
		562	result = !result;
		563	if (!result)
		564	return 0;
		565	}
		566	switch (rule->action) {
		567	case AUDIT_NEVER: *state = AUDIT_DISABLED; break;
		568	case AUDIT_POSSIBLE: *state = AUDIT_BUILD_CONTEXT; break;
		569	case AUDIT_ALWAYS: *state = AUDIT_RECORD_CONTEXT; break;
		570	}
		571	return 1;
		572	}
		573
		574	int audit_filter_user(struct netlink_skb_parms *cb, int type)
		575	{
		576	struct audit_entry *e;
		577	enum audit_state state;
		578	int ret = 1;
		579
		580	rcu_read_lock();
		581	list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) {
		582	if (audit_filter_user_rules(cb, &e->rule, &state)) {
		583	if (state == AUDIT_DISABLED)
		584	ret = 0;
		585	break;
		586	}
		587	}
		588	rcu_read_unlock();
		589
		590	return ret; /* Audit by default */
		591	}
		592
493	/* This should be called with task_lock() held. */	593	/* This should be called with task_lock() held. */
494	static inline struct audit_context audit_get_context(struct task_struct tsk,	594	static inline struct audit_context audit_get_context(struct task_struct tsk,
495	int return_valid,	595	int return_valid,
@@ -504,7 +604,7 @@ static inline struct audit_context audit_get_context(struct task_struct tsk,
504		604
505	if (context->in_syscall && !context->auditable) {	605	if (context->in_syscall && !context->auditable) {
506	enum audit_state state;	606	enum audit_state state;
507	state = audit_filter_syscall(tsk, context, &audit_extlist);	607	state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_EXIT]);
508	if (state == AUDIT_RECORD_CONTEXT)	608	if (state == AUDIT_RECORD_CONTEXT)
509	context->auditable = 1;	609	context->auditable = 1;
510	}	610	}
@@ -679,13 +779,13 @@ static void audit_log_task_info(struct audit_buffer *ab)
679	up_read(&mm->mmap_sem);	779	up_read(&mm->mmap_sem);
680	}	780	}
681		781
682	static void audit_log_exit(struct audit_context *context)	782	static void audit_log_exit(struct audit_context *context, unsigned int gfp_mask)
683	{	783	{
684	int i;	784	int i;
685	struct audit_buffer *ab;	785	struct audit_buffer *ab;
686	struct audit_aux_data *aux;	786	struct audit_aux_data *aux;
687		787
688	ab = audit_log_start(context, AUDIT_SYSCALL);	788	ab = audit_log_start(context, gfp_mask, AUDIT_SYSCALL);
689	if (!ab)	789	if (!ab)
690	return; /* audit_panic has been called */	790	return; /* audit_panic has been called */
691	audit_log_format(ab, "arch=%x syscall=%d",	791	audit_log_format(ab, "arch=%x syscall=%d",
@@ -717,7 +817,7 @@ static void audit_log_exit(struct audit_context *context)
717		817
718	for (aux = context->aux; aux; aux = aux->next) {	818	for (aux = context->aux; aux; aux = aux->next) {
719		819
720	ab = audit_log_start(context, aux->type);	820	ab = audit_log_start(context, GFP_KERNEL, aux->type);
721	if (!ab)	821	if (!ab)
722	continue; /* audit_panic has been called */	822	continue; /* audit_panic has been called */
723		823
@@ -754,14 +854,14 @@ static void audit_log_exit(struct audit_context *context)
754	}	854	}
755		855
756	if (context->pwd && context->pwdmnt) {	856	if (context->pwd && context->pwdmnt) {
757	ab = audit_log_start(context, AUDIT_CWD);	857	ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD);
758	if (ab) {	858	if (ab) {
759	audit_log_d_path(ab, "cwd=", context->pwd, context->pwdmnt);	859	audit_log_d_path(ab, "cwd=", context->pwd, context->pwdmnt);
760	audit_log_end(ab);	860	audit_log_end(ab);
761	}	861	}
762	}	862	}
763	for (i = 0; i < context->name_count; i++) {	863	for (i = 0; i < context->name_count; i++) {
764	ab = audit_log_start(context, AUDIT_PATH);	864	ab = audit_log_start(context, GFP_KERNEL, AUDIT_PATH);
765	if (!ab)	865	if (!ab)
766	continue; /* audit_panic has been called */	866	continue; /* audit_panic has been called */
767		867
@@ -770,6 +870,8 @@ static void audit_log_exit(struct audit_context *context)
770	audit_log_format(ab, " name=");	870	audit_log_format(ab, " name=");
771	audit_log_untrustedstring(ab, context->names[i].name);	871	audit_log_untrustedstring(ab, context->names[i].name);
772	}	872	}
		873	audit_log_format(ab, " flags=%x\n", context->names[i].flags);
		874
773	if (context->names[i].ino != (unsigned long)-1)	875	if (context->names[i].ino != (unsigned long)-1)
774	audit_log_format(ab, " inode=%lu dev=%02x:%02x mode=%#o"	876	audit_log_format(ab, " inode=%lu dev=%02x:%02x mode=%#o"
775	" ouid=%u ogid=%u rdev=%02x:%02x",	877	" ouid=%u ogid=%u rdev=%02x:%02x",
@@ -799,9 +901,11 @@ void audit_free(struct task_struct *tsk)
799	return;	901	return;
800		902
801	/* Check for system calls that do not go through the exit	903	/* Check for system calls that do not go through the exit
802	* function (e.g., exit_group), then free context block. */	904	* function (e.g., exit_group), then free context block.
803	if (context->in_syscall && context->auditable && context->pid != audit_pid)	905	* We use GFP_ATOMIC here because we might be doing this
804	audit_log_exit(context);	906	* in the context of the idle thread */
		907	if (context->in_syscall && context->auditable)
		908	audit_log_exit(context, GFP_ATOMIC);
805		909
806	audit_free_context(context);	910	audit_free_context(context);
807	}	911	}
@@ -876,11 +980,11 @@ void audit_syscall_entry(struct task_struct *tsk, int arch, int major,
876		980
877	state = context->state;	981	state = context->state;
878	if (state == AUDIT_SETUP_CONTEXT \|\| state == AUDIT_BUILD_CONTEXT)	982	if (state == AUDIT_SETUP_CONTEXT \|\| state == AUDIT_BUILD_CONTEXT)
879	state = audit_filter_syscall(tsk, context, &audit_entlist);	983	state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_ENTRY]);
880	if (likely(state == AUDIT_DISABLED))	984	if (likely(state == AUDIT_DISABLED))
881	return;	985	return;
882		986
883	context->serial = audit_serial();	987	context->serial = 0;
884	context->ctime = CURRENT_TIME;	988	context->ctime = CURRENT_TIME;
885	context->in_syscall = 1;	989	context->in_syscall = 1;
886	context->auditable = !!(state == AUDIT_RECORD_CONTEXT);	990	context->auditable = !!(state == AUDIT_RECORD_CONTEXT);
@@ -905,8 +1009,8 @@ void audit_syscall_exit(struct task_struct *tsk, int valid, long return_code)
905	if (likely(!context))	1009	if (likely(!context))
906	return;	1010	return;
907		1011
908	if (context->in_syscall && context->auditable && context->pid != audit_pid)	1012	if (context->in_syscall && context->auditable)
909	audit_log_exit(context);	1013	audit_log_exit(context, GFP_KERNEL);
910		1014
911	context->in_syscall = 0;	1015	context->in_syscall = 0;
912	context->auditable = 0;	1016	context->auditable = 0;
@@ -996,7 +1100,7 @@ void audit_putname(const char *name)
996		1100
997	/* Store the inode and device from a lookup. Called from	1101	/* Store the inode and device from a lookup. Called from
998	* fs/namei.c:path_lookup(). */	1102	* fs/namei.c:path_lookup(). */
999	void audit_inode(const char name, const struct inode inode)	1103	void audit_inode(const char name, const struct inode inode, unsigned flags)
1000	{	1104	{
1001	int idx;	1105	int idx;
1002	struct audit_context *context = current->audit_context;	1106	struct audit_context *context = current->audit_context;
@@ -1022,17 +1126,20 @@ void audit_inode(const char name, const struct inode inode)
1022	++context->ino_count;	1126	++context->ino_count;
1023	#endif	1127	#endif
1024	}	1128	}
1025	context->names[idx].ino = inode->i_ino;	1129	context->names[idx].flags = flags;
1026	context->names[idx].dev = inode->i_sb->s_dev;	1130	context->names[idx].ino = inode->i_ino;
1027	context->names[idx].mode = inode->i_mode;	1131	context->names[idx].dev = inode->i_sb->s_dev;
1028	context->names[idx].uid = inode->i_uid;	1132	context->names[idx].mode = inode->i_mode;
1029	context->names[idx].gid = inode->i_gid;	1133	context->names[idx].uid = inode->i_uid;
1030	context->names[idx].rdev = inode->i_rdev;	1134	context->names[idx].gid = inode->i_gid;
		1135	context->names[idx].rdev = inode->i_rdev;
1031	}	1136	}
1032		1137
1033	void auditsc_get_stamp(struct audit_context *ctx,	1138	void auditsc_get_stamp(struct audit_context *ctx,
1034	struct timespec t, unsigned int serial)	1139	struct timespec t, unsigned int serial)
1035	{	1140	{
		1141	if (!ctx->serial)
		1142	ctx->serial = audit_serial();
1036	t->tv_sec = ctx->ctime.tv_sec;	1143	t->tv_sec = ctx->ctime.tv_sec;
1037	t->tv_nsec = ctx->ctime.tv_nsec;	1144	t->tv_nsec = ctx->ctime.tv_nsec;
1038	*serial = ctx->serial;	1145	*serial = ctx->serial;
@@ -1044,7 +1151,7 @@ int audit_set_loginuid(struct task_struct *task, uid_t loginuid)
1044	if (task->audit_context) {	1151	if (task->audit_context) {
1045	struct audit_buffer *ab;	1152	struct audit_buffer *ab;
1046		1153
1047	ab = audit_log_start(NULL, AUDIT_LOGIN);	1154	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN);
1048	if (ab) {	1155	if (ab) {
1049	audit_log_format(ab, "login pid=%d uid=%u "	1156	audit_log_format(ab, "login pid=%d uid=%u "
1050	"old auid=%u new auid=%u",	1157	"old auid=%u new auid=%u",
@@ -1153,7 +1260,7 @@ void audit_signal_info(int sig, struct task_struct *t)
1153	extern pid_t audit_sig_pid;	1260	extern pid_t audit_sig_pid;
1154	extern uid_t audit_sig_uid;	1261	extern uid_t audit_sig_uid;
1155		1262
1156	if (unlikely(audit_pid && t->pid == audit_pid)) {	1263	if (unlikely(audit_pid && t->tgid == audit_pid)) {
1157	if (sig == SIGTERM \|\| sig == SIGHUP) {	1264	if (sig == SIGTERM \|\| sig == SIGHUP) {
1158	struct audit_context *ctx = current->audit_context;	1265	struct audit_context *ctx = current->audit_context;
1159	audit_sig_pid = current->pid;	1266	audit_sig_pid = current->pid;