diff options
Diffstat (limited to 'kernel/auditsc.c')
-rw-r--r-- | kernel/auditsc.c | 834 |
1 files changed, 434 insertions, 400 deletions
diff --git a/kernel/auditsc.c b/kernel/auditsc.c index c4394abcd5e6..7f160df21a23 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c | |||
@@ -2,6 +2,8 @@ | |||
2 | * Handles all system-call specific auditing features. | 2 | * Handles all system-call specific auditing features. |
3 | * | 3 | * |
4 | * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina. | 4 | * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina. |
5 | * Copyright 2005 Hewlett-Packard Development Company, L.P. | ||
6 | * Copyright (C) 2005 IBM Corporation | ||
5 | * All Rights Reserved. | 7 | * All Rights Reserved. |
6 | * | 8 | * |
7 | * This program is free software; you can redistribute it and/or modify | 9 | * This program is free software; you can redistribute it and/or modify |
@@ -27,11 +29,22 @@ | |||
27 | * this file -- see entry.S) is based on a GPL'd patch written by | 29 | * this file -- see entry.S) is based on a GPL'd patch written by |
28 | * okir@suse.de and Copyright 2003 SuSE Linux AG. | 30 | * okir@suse.de and Copyright 2003 SuSE Linux AG. |
29 | * | 31 | * |
32 | * The support of additional filter rules compares (>, <, >=, <=) was | ||
33 | * added by Dustin Kirkland <dustin.kirkland@us.ibm.com>, 2005. | ||
34 | * | ||
35 | * Modified by Amy Griffis <amy.griffis@hp.com> to collect additional | ||
36 | * filesystem information. | ||
37 | * | ||
38 | * Subject and object context labeling support added by <danjones@us.ibm.com> | ||
39 | * and <dustin.kirkland@us.ibm.com> for LSPP certification compliance. | ||
30 | */ | 40 | */ |
31 | 41 | ||
32 | #include <linux/init.h> | 42 | #include <linux/init.h> |
33 | #include <asm/types.h> | 43 | #include <asm/types.h> |
34 | #include <asm/atomic.h> | 44 | #include <asm/atomic.h> |
45 | #include <asm/types.h> | ||
46 | #include <linux/fs.h> | ||
47 | #include <linux/namei.h> | ||
35 | #include <linux/mm.h> | 48 | #include <linux/mm.h> |
36 | #include <linux/module.h> | 49 | #include <linux/module.h> |
37 | #include <linux/mount.h> | 50 | #include <linux/mount.h> |
@@ -39,16 +52,16 @@ | |||
39 | #include <linux/audit.h> | 52 | #include <linux/audit.h> |
40 | #include <linux/personality.h> | 53 | #include <linux/personality.h> |
41 | #include <linux/time.h> | 54 | #include <linux/time.h> |
42 | #include <linux/kthread.h> | ||
43 | #include <linux/netlink.h> | 55 | #include <linux/netlink.h> |
44 | #include <linux/compiler.h> | 56 | #include <linux/compiler.h> |
45 | #include <asm/unistd.h> | 57 | #include <asm/unistd.h> |
58 | #include <linux/security.h> | ||
59 | #include <linux/list.h> | ||
60 | #include <linux/tty.h> | ||
61 | |||
62 | #include "audit.h" | ||
46 | 63 | ||
47 | /* 0 = no checking | 64 | extern struct list_head audit_filter_list[]; |
48 | 1 = put_count checking | ||
49 | 2 = verbose put_count checking | ||
50 | */ | ||
51 | #define AUDIT_DEBUG 0 | ||
52 | 65 | ||
53 | /* No syscall auditing will take place unless audit_enabled != 0. */ | 66 | /* No syscall auditing will take place unless audit_enabled != 0. */ |
54 | extern int audit_enabled; | 67 | extern int audit_enabled; |
@@ -62,29 +75,6 @@ extern int audit_enabled; | |||
62 | * path_lookup. */ | 75 | * path_lookup. */ |
63 | #define AUDIT_NAMES_RESERVED 7 | 76 | #define AUDIT_NAMES_RESERVED 7 |
64 | 77 | ||
65 | /* At task start time, the audit_state is set in the audit_context using | ||
66 | a per-task filter. At syscall entry, the audit_state is augmented by | ||
67 | the syscall filter. */ | ||
68 | enum audit_state { | ||
69 | AUDIT_DISABLED, /* Do not create per-task audit_context. | ||
70 | * No syscall-specific audit records can | ||
71 | * be generated. */ | ||
72 | AUDIT_SETUP_CONTEXT, /* Create the per-task audit_context, | ||
73 | * but don't necessarily fill it in at | ||
74 | * syscall entry time (i.e., filter | ||
75 | * instead). */ | ||
76 | AUDIT_BUILD_CONTEXT, /* Create the per-task audit_context, | ||
77 | * and always fill it in at syscall | ||
78 | * entry time. This makes a full | ||
79 | * syscall record available if some | ||
80 | * other part of the kernel decides it | ||
81 | * should be recorded. */ | ||
82 | AUDIT_RECORD_CONTEXT /* Create the per-task audit_context, | ||
83 | * always fill it in at syscall entry | ||
84 | * time, and always write out the audit | ||
85 | * record at syscall exit time. */ | ||
86 | }; | ||
87 | |||
88 | /* When fs/namei.c:getname() is called, we store the pointer in name and | 78 | /* When fs/namei.c:getname() is called, we store the pointer in name and |
89 | * we don't let putname() free it (instead we free all of the saved | 79 | * we don't let putname() free it (instead we free all of the saved |
90 | * pointers at syscall exit time). | 80 | * pointers at syscall exit time). |
@@ -93,12 +83,13 @@ enum audit_state { | |||
93 | struct audit_names { | 83 | struct audit_names { |
94 | const char *name; | 84 | const char *name; |
95 | unsigned long ino; | 85 | unsigned long ino; |
86 | unsigned long pino; | ||
96 | dev_t dev; | 87 | dev_t dev; |
97 | umode_t mode; | 88 | umode_t mode; |
98 | uid_t uid; | 89 | uid_t uid; |
99 | gid_t gid; | 90 | gid_t gid; |
100 | dev_t rdev; | 91 | dev_t rdev; |
101 | unsigned flags; | 92 | char *ctx; |
102 | }; | 93 | }; |
103 | 94 | ||
104 | struct audit_aux_data { | 95 | struct audit_aux_data { |
@@ -115,6 +106,7 @@ struct audit_aux_data_ipcctl { | |||
115 | uid_t uid; | 106 | uid_t uid; |
116 | gid_t gid; | 107 | gid_t gid; |
117 | mode_t mode; | 108 | mode_t mode; |
109 | char *ctx; | ||
118 | }; | 110 | }; |
119 | 111 | ||
120 | struct audit_aux_data_socketcall { | 112 | struct audit_aux_data_socketcall { |
@@ -167,290 +159,72 @@ struct audit_context { | |||
167 | #endif | 159 | #endif |
168 | }; | 160 | }; |
169 | 161 | ||
170 | /* Public API */ | ||
171 | /* There are three lists of rules -- one to search at task creation | ||
172 | * time, one to search at syscall entry time, and another to search at | ||
173 | * syscall exit time. */ | ||
174 | static struct list_head audit_filter_list[AUDIT_NR_FILTERS] = { | ||
175 | LIST_HEAD_INIT(audit_filter_list[0]), | ||
176 | LIST_HEAD_INIT(audit_filter_list[1]), | ||
177 | LIST_HEAD_INIT(audit_filter_list[2]), | ||
178 | LIST_HEAD_INIT(audit_filter_list[3]), | ||
179 | LIST_HEAD_INIT(audit_filter_list[4]), | ||
180 | #if AUDIT_NR_FILTERS != 5 | ||
181 | #error Fix audit_filter_list initialiser | ||
182 | #endif | ||
183 | }; | ||
184 | |||
185 | struct audit_entry { | ||
186 | struct list_head list; | ||
187 | struct rcu_head rcu; | ||
188 | struct audit_rule rule; | ||
189 | }; | ||
190 | |||
191 | extern int audit_pid; | ||
192 | |||
193 | /* Copy rule from user-space to kernel-space. Called from | ||
194 | * audit_add_rule during AUDIT_ADD. */ | ||
195 | static inline int audit_copy_rule(struct audit_rule *d, struct audit_rule *s) | ||
196 | { | ||
197 | int i; | ||
198 | |||
199 | if (s->action != AUDIT_NEVER | ||
200 | && s->action != AUDIT_POSSIBLE | ||
201 | && s->action != AUDIT_ALWAYS) | ||
202 | return -1; | ||
203 | if (s->field_count < 0 || s->field_count > AUDIT_MAX_FIELDS) | ||
204 | return -1; | ||
205 | if ((s->flags & ~AUDIT_FILTER_PREPEND) >= AUDIT_NR_FILTERS) | ||
206 | return -1; | ||
207 | |||
208 | d->flags = s->flags; | ||
209 | d->action = s->action; | ||
210 | d->field_count = s->field_count; | ||
211 | for (i = 0; i < d->field_count; i++) { | ||
212 | d->fields[i] = s->fields[i]; | ||
213 | d->values[i] = s->values[i]; | ||
214 | } | ||
215 | for (i = 0; i < AUDIT_BITMASK_SIZE; i++) d->mask[i] = s->mask[i]; | ||
216 | return 0; | ||
217 | } | ||
218 | |||
219 | /* Check to see if two rules are identical. It is called from | ||
220 | * audit_add_rule during AUDIT_ADD and | ||
221 | * audit_del_rule during AUDIT_DEL. */ | ||
222 | static inline int audit_compare_rule(struct audit_rule *a, struct audit_rule *b) | ||
223 | { | ||
224 | int i; | ||
225 | |||
226 | if (a->flags != b->flags) | ||
227 | return 1; | ||
228 | |||
229 | if (a->action != b->action) | ||
230 | return 1; | ||
231 | |||
232 | if (a->field_count != b->field_count) | ||
233 | return 1; | ||
234 | |||
235 | for (i = 0; i < a->field_count; i++) { | ||
236 | if (a->fields[i] != b->fields[i] | ||
237 | || a->values[i] != b->values[i]) | ||
238 | return 1; | ||
239 | } | ||
240 | |||
241 | for (i = 0; i < AUDIT_BITMASK_SIZE; i++) | ||
242 | if (a->mask[i] != b->mask[i]) | ||
243 | return 1; | ||
244 | |||
245 | return 0; | ||
246 | } | ||
247 | |||
248 | /* Note that audit_add_rule and audit_del_rule are called via | ||
249 | * audit_receive() in audit.c, and are protected by | ||
250 | * audit_netlink_sem. */ | ||
251 | static inline int audit_add_rule(struct audit_rule *rule, | ||
252 | struct list_head *list) | ||
253 | { | ||
254 | struct audit_entry *entry; | ||
255 | |||
256 | /* Do not use the _rcu iterator here, since this is the only | ||
257 | * addition routine. */ | ||
258 | list_for_each_entry(entry, list, list) { | ||
259 | if (!audit_compare_rule(rule, &entry->rule)) { | ||
260 | return -EEXIST; | ||
261 | } | ||
262 | } | ||
263 | |||
264 | if (!(entry = kmalloc(sizeof(*entry), GFP_KERNEL))) | ||
265 | return -ENOMEM; | ||
266 | if (audit_copy_rule(&entry->rule, rule)) { | ||
267 | kfree(entry); | ||
268 | return -EINVAL; | ||
269 | } | ||
270 | |||
271 | if (entry->rule.flags & AUDIT_FILTER_PREPEND) { | ||
272 | entry->rule.flags &= ~AUDIT_FILTER_PREPEND; | ||
273 | list_add_rcu(&entry->list, list); | ||
274 | } else { | ||
275 | list_add_tail_rcu(&entry->list, list); | ||
276 | } | ||
277 | |||
278 | return 0; | ||
279 | } | ||
280 | |||
281 | static inline void audit_free_rule(struct rcu_head *head) | ||
282 | { | ||
283 | struct audit_entry *e = container_of(head, struct audit_entry, rcu); | ||
284 | kfree(e); | ||
285 | } | ||
286 | |||
287 | /* Note that audit_add_rule and audit_del_rule are called via | ||
288 | * audit_receive() in audit.c, and are protected by | ||
289 | * audit_netlink_sem. */ | ||
290 | static inline int audit_del_rule(struct audit_rule *rule, | ||
291 | struct list_head *list) | ||
292 | { | ||
293 | struct audit_entry *e; | ||
294 | |||
295 | /* Do not use the _rcu iterator here, since this is the only | ||
296 | * deletion routine. */ | ||
297 | list_for_each_entry(e, list, list) { | ||
298 | if (!audit_compare_rule(rule, &e->rule)) { | ||
299 | list_del_rcu(&e->list); | ||
300 | call_rcu(&e->rcu, audit_free_rule); | ||
301 | return 0; | ||
302 | } | ||
303 | } | ||
304 | return -ENOENT; /* No matching rule */ | ||
305 | } | ||
306 | |||
307 | static int audit_list_rules(void *_dest) | ||
308 | { | ||
309 | int pid, seq; | ||
310 | int *dest = _dest; | ||
311 | struct audit_entry *entry; | ||
312 | int i; | ||
313 | |||
314 | pid = dest[0]; | ||
315 | seq = dest[1]; | ||
316 | kfree(dest); | ||
317 | |||
318 | down(&audit_netlink_sem); | ||
319 | |||
320 | /* The *_rcu iterators not needed here because we are | ||
321 | always called with audit_netlink_sem held. */ | ||
322 | for (i=0; i<AUDIT_NR_FILTERS; i++) { | ||
323 | list_for_each_entry(entry, &audit_filter_list[i], list) | ||
324 | audit_send_reply(pid, seq, AUDIT_LIST, 0, 1, | ||
325 | &entry->rule, sizeof(entry->rule)); | ||
326 | } | ||
327 | audit_send_reply(pid, seq, AUDIT_LIST, 1, 1, NULL, 0); | ||
328 | |||
329 | up(&audit_netlink_sem); | ||
330 | return 0; | ||
331 | } | ||
332 | |||
333 | int audit_receive_filter(int type, int pid, int uid, int seq, void *data, | ||
334 | uid_t loginuid) | ||
335 | { | ||
336 | struct task_struct *tsk; | ||
337 | int *dest; | ||
338 | int err = 0; | ||
339 | unsigned listnr; | ||
340 | |||
341 | switch (type) { | ||
342 | case AUDIT_LIST: | ||
343 | /* We can't just spew out the rules here because we might fill | ||
344 | * the available socket buffer space and deadlock waiting for | ||
345 | * auditctl to read from it... which isn't ever going to | ||
346 | * happen if we're actually running in the context of auditctl | ||
347 | * trying to _send_ the stuff */ | ||
348 | |||
349 | dest = kmalloc(2 * sizeof(int), GFP_KERNEL); | ||
350 | if (!dest) | ||
351 | return -ENOMEM; | ||
352 | dest[0] = pid; | ||
353 | dest[1] = seq; | ||
354 | |||
355 | tsk = kthread_run(audit_list_rules, dest, "audit_list_rules"); | ||
356 | if (IS_ERR(tsk)) { | ||
357 | kfree(dest); | ||
358 | err = PTR_ERR(tsk); | ||
359 | } | ||
360 | break; | ||
361 | case AUDIT_ADD: | ||
362 | listnr =((struct audit_rule *)data)->flags & ~AUDIT_FILTER_PREPEND; | ||
363 | if (listnr >= AUDIT_NR_FILTERS) | ||
364 | return -EINVAL; | ||
365 | |||
366 | err = audit_add_rule(data, &audit_filter_list[listnr]); | ||
367 | if (!err) | ||
368 | audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, | ||
369 | "auid=%u added an audit rule\n", loginuid); | ||
370 | break; | ||
371 | case AUDIT_DEL: | ||
372 | listnr =((struct audit_rule *)data)->flags & ~AUDIT_FILTER_PREPEND; | ||
373 | if (listnr >= AUDIT_NR_FILTERS) | ||
374 | return -EINVAL; | ||
375 | |||
376 | err = audit_del_rule(data, &audit_filter_list[listnr]); | ||
377 | if (!err) | ||
378 | audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, | ||
379 | "auid=%u removed an audit rule\n", loginuid); | ||
380 | break; | ||
381 | default: | ||
382 | return -EINVAL; | ||
383 | } | ||
384 | |||
385 | return err; | ||
386 | } | ||
387 | 162 | ||
388 | /* Compare a task_struct with an audit_rule. Return 1 on match, 0 | 163 | /* Compare a task_struct with an audit_rule. Return 1 on match, 0 |
389 | * otherwise. */ | 164 | * otherwise. */ |
390 | static int audit_filter_rules(struct task_struct *tsk, | 165 | static int audit_filter_rules(struct task_struct *tsk, |
391 | struct audit_rule *rule, | 166 | struct audit_krule *rule, |
392 | struct audit_context *ctx, | 167 | struct audit_context *ctx, |
393 | enum audit_state *state) | 168 | enum audit_state *state) |
394 | { | 169 | { |
395 | int i, j; | 170 | int i, j; |
396 | 171 | ||
397 | for (i = 0; i < rule->field_count; i++) { | 172 | for (i = 0; i < rule->field_count; i++) { |
398 | u32 field = rule->fields[i] & ~AUDIT_NEGATE; | 173 | struct audit_field *f = &rule->fields[i]; |
399 | u32 value = rule->values[i]; | ||
400 | int result = 0; | 174 | int result = 0; |
401 | 175 | ||
402 | switch (field) { | 176 | switch (f->type) { |
403 | case AUDIT_PID: | 177 | case AUDIT_PID: |
404 | result = (tsk->pid == value); | 178 | result = audit_comparator(tsk->pid, f->op, f->val); |
405 | break; | 179 | break; |
406 | case AUDIT_UID: | 180 | case AUDIT_UID: |
407 | result = (tsk->uid == value); | 181 | result = audit_comparator(tsk->uid, f->op, f->val); |
408 | break; | 182 | break; |
409 | case AUDIT_EUID: | 183 | case AUDIT_EUID: |
410 | result = (tsk->euid == value); | 184 | result = audit_comparator(tsk->euid, f->op, f->val); |
411 | break; | 185 | break; |
412 | case AUDIT_SUID: | 186 | case AUDIT_SUID: |
413 | result = (tsk->suid == value); | 187 | result = audit_comparator(tsk->suid, f->op, f->val); |
414 | break; | 188 | break; |
415 | case AUDIT_FSUID: | 189 | case AUDIT_FSUID: |
416 | result = (tsk->fsuid == value); | 190 | result = audit_comparator(tsk->fsuid, f->op, f->val); |
417 | break; | 191 | break; |
418 | case AUDIT_GID: | 192 | case AUDIT_GID: |
419 | result = (tsk->gid == value); | 193 | result = audit_comparator(tsk->gid, f->op, f->val); |
420 | break; | 194 | break; |
421 | case AUDIT_EGID: | 195 | case AUDIT_EGID: |
422 | result = (tsk->egid == value); | 196 | result = audit_comparator(tsk->egid, f->op, f->val); |
423 | break; | 197 | break; |
424 | case AUDIT_SGID: | 198 | case AUDIT_SGID: |
425 | result = (tsk->sgid == value); | 199 | result = audit_comparator(tsk->sgid, f->op, f->val); |
426 | break; | 200 | break; |
427 | case AUDIT_FSGID: | 201 | case AUDIT_FSGID: |
428 | result = (tsk->fsgid == value); | 202 | result = audit_comparator(tsk->fsgid, f->op, f->val); |
429 | break; | 203 | break; |
430 | case AUDIT_PERS: | 204 | case AUDIT_PERS: |
431 | result = (tsk->personality == value); | 205 | result = audit_comparator(tsk->personality, f->op, f->val); |
432 | break; | 206 | break; |
433 | case AUDIT_ARCH: | 207 | case AUDIT_ARCH: |
434 | if (ctx) | 208 | if (ctx) |
435 | result = (ctx->arch == value); | 209 | result = audit_comparator(ctx->arch, f->op, f->val); |
436 | break; | 210 | break; |
437 | 211 | ||
438 | case AUDIT_EXIT: | 212 | case AUDIT_EXIT: |
439 | if (ctx && ctx->return_valid) | 213 | if (ctx && ctx->return_valid) |
440 | result = (ctx->return_code == value); | 214 | result = audit_comparator(ctx->return_code, f->op, f->val); |
441 | break; | 215 | break; |
442 | case AUDIT_SUCCESS: | 216 | case AUDIT_SUCCESS: |
443 | if (ctx && ctx->return_valid) { | 217 | if (ctx && ctx->return_valid) { |
444 | if (value) | 218 | if (f->val) |
445 | result = (ctx->return_valid == AUDITSC_SUCCESS); | 219 | result = audit_comparator(ctx->return_valid, f->op, AUDITSC_SUCCESS); |
446 | else | 220 | else |
447 | result = (ctx->return_valid == AUDITSC_FAILURE); | 221 | result = audit_comparator(ctx->return_valid, f->op, AUDITSC_FAILURE); |
448 | } | 222 | } |
449 | break; | 223 | break; |
450 | case AUDIT_DEVMAJOR: | 224 | case AUDIT_DEVMAJOR: |
451 | if (ctx) { | 225 | if (ctx) { |
452 | for (j = 0; j < ctx->name_count; j++) { | 226 | for (j = 0; j < ctx->name_count; j++) { |
453 | if (MAJOR(ctx->names[j].dev)==value) { | 227 | if (audit_comparator(MAJOR(ctx->names[j].dev), f->op, f->val)) { |
454 | ++result; | 228 | ++result; |
455 | break; | 229 | break; |
456 | } | 230 | } |
@@ -460,7 +234,7 @@ static int audit_filter_rules(struct task_struct *tsk, | |||
460 | case AUDIT_DEVMINOR: | 234 | case AUDIT_DEVMINOR: |
461 | if (ctx) { | 235 | if (ctx) { |
462 | for (j = 0; j < ctx->name_count; j++) { | 236 | for (j = 0; j < ctx->name_count; j++) { |
463 | if (MINOR(ctx->names[j].dev)==value) { | 237 | if (audit_comparator(MINOR(ctx->names[j].dev), f->op, f->val)) { |
464 | ++result; | 238 | ++result; |
465 | break; | 239 | break; |
466 | } | 240 | } |
@@ -470,7 +244,8 @@ static int audit_filter_rules(struct task_struct *tsk, | |||
470 | case AUDIT_INODE: | 244 | case AUDIT_INODE: |
471 | if (ctx) { | 245 | if (ctx) { |
472 | for (j = 0; j < ctx->name_count; j++) { | 246 | for (j = 0; j < ctx->name_count; j++) { |
473 | if (ctx->names[j].ino == value) { | 247 | if (audit_comparator(ctx->names[j].ino, f->op, f->val) || |
248 | audit_comparator(ctx->names[j].pino, f->op, f->val)) { | ||
474 | ++result; | 249 | ++result; |
475 | break; | 250 | break; |
476 | } | 251 | } |
@@ -480,19 +255,17 @@ static int audit_filter_rules(struct task_struct *tsk, | |||
480 | case AUDIT_LOGINUID: | 255 | case AUDIT_LOGINUID: |
481 | result = 0; | 256 | result = 0; |
482 | if (ctx) | 257 | if (ctx) |
483 | result = (ctx->loginuid == value); | 258 | result = audit_comparator(ctx->loginuid, f->op, f->val); |
484 | break; | 259 | break; |
485 | case AUDIT_ARG0: | 260 | case AUDIT_ARG0: |
486 | case AUDIT_ARG1: | 261 | case AUDIT_ARG1: |
487 | case AUDIT_ARG2: | 262 | case AUDIT_ARG2: |
488 | case AUDIT_ARG3: | 263 | case AUDIT_ARG3: |
489 | if (ctx) | 264 | if (ctx) |
490 | result = (ctx->argv[field-AUDIT_ARG0]==value); | 265 | result = audit_comparator(ctx->argv[f->type-AUDIT_ARG0], f->op, f->val); |
491 | break; | 266 | break; |
492 | } | 267 | } |
493 | 268 | ||
494 | if (rule->fields[i] & AUDIT_NEGATE) | ||
495 | result = !result; | ||
496 | if (!result) | 269 | if (!result) |
497 | return 0; | 270 | return 0; |
498 | } | 271 | } |
@@ -527,7 +300,7 @@ static enum audit_state audit_filter_task(struct task_struct *tsk) | |||
527 | /* At syscall entry and exit time, this filter is called if the | 300 | /* At syscall entry and exit time, this filter is called if the |
528 | * audit_state is not low enough that auditing cannot take place, but is | 301 | * audit_state is not low enough that auditing cannot take place, but is |
529 | * also not high enough that we already know we have to write an audit | 302 | * also not high enough that we already know we have to write an audit |
530 | * record (i.e., the state is AUDIT_SETUP_CONTEXT or AUDIT_BUILD_CONTEXT). | 303 | * record (i.e., the state is AUDIT_SETUP_CONTEXT or AUDIT_BUILD_CONTEXT). |
531 | */ | 304 | */ |
532 | static enum audit_state audit_filter_syscall(struct task_struct *tsk, | 305 | static enum audit_state audit_filter_syscall(struct task_struct *tsk, |
533 | struct audit_context *ctx, | 306 | struct audit_context *ctx, |
@@ -541,77 +314,19 @@ static enum audit_state audit_filter_syscall(struct task_struct *tsk, | |||
541 | 314 | ||
542 | rcu_read_lock(); | 315 | rcu_read_lock(); |
543 | if (!list_empty(list)) { | 316 | if (!list_empty(list)) { |
544 | int word = AUDIT_WORD(ctx->major); | 317 | int word = AUDIT_WORD(ctx->major); |
545 | int bit = AUDIT_BIT(ctx->major); | 318 | int bit = AUDIT_BIT(ctx->major); |
546 | 319 | ||
547 | list_for_each_entry_rcu(e, list, list) { | 320 | list_for_each_entry_rcu(e, list, list) { |
548 | if ((e->rule.mask[word] & bit) == bit | 321 | if ((e->rule.mask[word] & bit) == bit |
549 | && audit_filter_rules(tsk, &e->rule, ctx, &state)) { | 322 | && audit_filter_rules(tsk, &e->rule, ctx, &state)) { |
550 | rcu_read_unlock(); | 323 | rcu_read_unlock(); |
551 | return state; | 324 | return state; |
552 | } | 325 | } |
553 | } | ||
554 | } | ||
555 | rcu_read_unlock(); | ||
556 | return AUDIT_BUILD_CONTEXT; | ||
557 | } | ||
558 | |||
559 | static int audit_filter_user_rules(struct netlink_skb_parms *cb, | ||
560 | struct audit_rule *rule, | ||
561 | enum audit_state *state) | ||
562 | { | ||
563 | int i; | ||
564 | |||
565 | for (i = 0; i < rule->field_count; i++) { | ||
566 | u32 field = rule->fields[i] & ~AUDIT_NEGATE; | ||
567 | u32 value = rule->values[i]; | ||
568 | int result = 0; | ||
569 | |||
570 | switch (field) { | ||
571 | case AUDIT_PID: | ||
572 | result = (cb->creds.pid == value); | ||
573 | break; | ||
574 | case AUDIT_UID: | ||
575 | result = (cb->creds.uid == value); | ||
576 | break; | ||
577 | case AUDIT_GID: | ||
578 | result = (cb->creds.gid == value); | ||
579 | break; | ||
580 | case AUDIT_LOGINUID: | ||
581 | result = (cb->loginuid == value); | ||
582 | break; | ||
583 | } | ||
584 | |||
585 | if (rule->fields[i] & AUDIT_NEGATE) | ||
586 | result = !result; | ||
587 | if (!result) | ||
588 | return 0; | ||
589 | } | ||
590 | switch (rule->action) { | ||
591 | case AUDIT_NEVER: *state = AUDIT_DISABLED; break; | ||
592 | case AUDIT_POSSIBLE: *state = AUDIT_BUILD_CONTEXT; break; | ||
593 | case AUDIT_ALWAYS: *state = AUDIT_RECORD_CONTEXT; break; | ||
594 | } | ||
595 | return 1; | ||
596 | } | ||
597 | |||
598 | int audit_filter_user(struct netlink_skb_parms *cb, int type) | ||
599 | { | ||
600 | struct audit_entry *e; | ||
601 | enum audit_state state; | ||
602 | int ret = 1; | ||
603 | |||
604 | rcu_read_lock(); | ||
605 | list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) { | ||
606 | if (audit_filter_user_rules(cb, &e->rule, &state)) { | ||
607 | if (state == AUDIT_DISABLED) | ||
608 | ret = 0; | ||
609 | break; | ||
610 | } | 326 | } |
611 | } | 327 | } |
612 | rcu_read_unlock(); | 328 | rcu_read_unlock(); |
613 | 329 | return AUDIT_BUILD_CONTEXT; | |
614 | return ret; /* Audit by default */ | ||
615 | } | 330 | } |
616 | 331 | ||
617 | /* This should be called with task_lock() held. */ | 332 | /* This should be called with task_lock() held. */ |
@@ -654,17 +369,18 @@ static inline void audit_free_names(struct audit_context *context) | |||
654 | #if AUDIT_DEBUG == 2 | 369 | #if AUDIT_DEBUG == 2 |
655 | if (context->auditable | 370 | if (context->auditable |
656 | ||context->put_count + context->ino_count != context->name_count) { | 371 | ||context->put_count + context->ino_count != context->name_count) { |
657 | printk(KERN_ERR "audit.c:%d(:%d): major=%d in_syscall=%d" | 372 | printk(KERN_ERR "%s:%d(:%d): major=%d in_syscall=%d" |
658 | " name_count=%d put_count=%d" | 373 | " name_count=%d put_count=%d" |
659 | " ino_count=%d [NOT freeing]\n", | 374 | " ino_count=%d [NOT freeing]\n", |
660 | __LINE__, | 375 | __FILE__, __LINE__, |
661 | context->serial, context->major, context->in_syscall, | 376 | context->serial, context->major, context->in_syscall, |
662 | context->name_count, context->put_count, | 377 | context->name_count, context->put_count, |
663 | context->ino_count); | 378 | context->ino_count); |
664 | for (i = 0; i < context->name_count; i++) | 379 | for (i = 0; i < context->name_count; i++) { |
665 | printk(KERN_ERR "names[%d] = %p = %s\n", i, | 380 | printk(KERN_ERR "names[%d] = %p = %s\n", i, |
666 | context->names[i].name, | 381 | context->names[i].name, |
667 | context->names[i].name); | 382 | context->names[i].name ?: "(null)"); |
383 | } | ||
668 | dump_stack(); | 384 | dump_stack(); |
669 | return; | 385 | return; |
670 | } | 386 | } |
@@ -674,9 +390,13 @@ static inline void audit_free_names(struct audit_context *context) | |||
674 | context->ino_count = 0; | 390 | context->ino_count = 0; |
675 | #endif | 391 | #endif |
676 | 392 | ||
677 | for (i = 0; i < context->name_count; i++) | 393 | for (i = 0; i < context->name_count; i++) { |
394 | char *p = context->names[i].ctx; | ||
395 | context->names[i].ctx = NULL; | ||
396 | kfree(p); | ||
678 | if (context->names[i].name) | 397 | if (context->names[i].name) |
679 | __putname(context->names[i].name); | 398 | __putname(context->names[i].name); |
399 | } | ||
680 | context->name_count = 0; | 400 | context->name_count = 0; |
681 | if (context->pwd) | 401 | if (context->pwd) |
682 | dput(context->pwd); | 402 | dput(context->pwd); |
@@ -696,6 +416,12 @@ static inline void audit_free_aux(struct audit_context *context) | |||
696 | dput(axi->dentry); | 416 | dput(axi->dentry); |
697 | mntput(axi->mnt); | 417 | mntput(axi->mnt); |
698 | } | 418 | } |
419 | if ( aux->type == AUDIT_IPC ) { | ||
420 | struct audit_aux_data_ipcctl *axi = (void *)aux; | ||
421 | if (axi->ctx) | ||
422 | kfree(axi->ctx); | ||
423 | } | ||
424 | |||
699 | context->aux = aux->next; | 425 | context->aux = aux->next; |
700 | kfree(aux); | 426 | kfree(aux); |
701 | } | 427 | } |
@@ -721,10 +447,15 @@ static inline struct audit_context *audit_alloc_context(enum audit_state state) | |||
721 | return context; | 447 | return context; |
722 | } | 448 | } |
723 | 449 | ||
724 | /* Filter on the task information and allocate a per-task audit context | 450 | /** |
451 | * audit_alloc - allocate an audit context block for a task | ||
452 | * @tsk: task | ||
453 | * | ||
454 | * Filter on the task information and allocate a per-task audit context | ||
725 | * if necessary. Doing so turns on system call auditing for the | 455 | * if necessary. Doing so turns on system call auditing for the |
726 | * specified task. This is called from copy_process, so no lock is | 456 | * specified task. This is called from copy_process, so no lock is |
727 | * needed. */ | 457 | * needed. |
458 | */ | ||
728 | int audit_alloc(struct task_struct *tsk) | 459 | int audit_alloc(struct task_struct *tsk) |
729 | { | 460 | { |
730 | struct audit_context *context; | 461 | struct audit_context *context; |
@@ -775,7 +506,37 @@ static inline void audit_free_context(struct audit_context *context) | |||
775 | printk(KERN_ERR "audit: freed %d contexts\n", count); | 506 | printk(KERN_ERR "audit: freed %d contexts\n", count); |
776 | } | 507 | } |
777 | 508 | ||
778 | static void audit_log_task_info(struct audit_buffer *ab) | 509 | static void audit_log_task_context(struct audit_buffer *ab, gfp_t gfp_mask) |
510 | { | ||
511 | char *ctx = NULL; | ||
512 | ssize_t len = 0; | ||
513 | |||
514 | len = security_getprocattr(current, "current", NULL, 0); | ||
515 | if (len < 0) { | ||
516 | if (len != -EINVAL) | ||
517 | goto error_path; | ||
518 | return; | ||
519 | } | ||
520 | |||
521 | ctx = kmalloc(len, gfp_mask); | ||
522 | if (!ctx) | ||
523 | goto error_path; | ||
524 | |||
525 | len = security_getprocattr(current, "current", ctx, len); | ||
526 | if (len < 0 ) | ||
527 | goto error_path; | ||
528 | |||
529 | audit_log_format(ab, " subj=%s", ctx); | ||
530 | return; | ||
531 | |||
532 | error_path: | ||
533 | if (ctx) | ||
534 | kfree(ctx); | ||
535 | audit_panic("error in audit_log_task_context"); | ||
536 | return; | ||
537 | } | ||
538 | |||
539 | static void audit_log_task_info(struct audit_buffer *ab, gfp_t gfp_mask) | ||
779 | { | 540 | { |
780 | char name[sizeof(current->comm)]; | 541 | char name[sizeof(current->comm)]; |
781 | struct mm_struct *mm = current->mm; | 542 | struct mm_struct *mm = current->mm; |
@@ -788,6 +549,10 @@ static void audit_log_task_info(struct audit_buffer *ab) | |||
788 | if (!mm) | 549 | if (!mm) |
789 | return; | 550 | return; |
790 | 551 | ||
552 | /* | ||
553 | * this is brittle; all callers that pass GFP_ATOMIC will have | ||
554 | * NULL current->mm and we won't get here. | ||
555 | */ | ||
791 | down_read(&mm->mmap_sem); | 556 | down_read(&mm->mmap_sem); |
792 | vma = mm->mmap; | 557 | vma = mm->mmap; |
793 | while (vma) { | 558 | while (vma) { |
@@ -801,6 +566,7 @@ static void audit_log_task_info(struct audit_buffer *ab) | |||
801 | vma = vma->vm_next; | 566 | vma = vma->vm_next; |
802 | } | 567 | } |
803 | up_read(&mm->mmap_sem); | 568 | up_read(&mm->mmap_sem); |
569 | audit_log_task_context(ab, gfp_mask); | ||
804 | } | 570 | } |
805 | 571 | ||
806 | static void audit_log_exit(struct audit_context *context, gfp_t gfp_mask) | 572 | static void audit_log_exit(struct audit_context *context, gfp_t gfp_mask) |
@@ -808,6 +574,7 @@ static void audit_log_exit(struct audit_context *context, gfp_t gfp_mask) | |||
808 | int i; | 574 | int i; |
809 | struct audit_buffer *ab; | 575 | struct audit_buffer *ab; |
810 | struct audit_aux_data *aux; | 576 | struct audit_aux_data *aux; |
577 | const char *tty; | ||
811 | 578 | ||
812 | ab = audit_log_start(context, gfp_mask, AUDIT_SYSCALL); | 579 | ab = audit_log_start(context, gfp_mask, AUDIT_SYSCALL); |
813 | if (!ab) | 580 | if (!ab) |
@@ -820,11 +587,15 @@ static void audit_log_exit(struct audit_context *context, gfp_t gfp_mask) | |||
820 | audit_log_format(ab, " success=%s exit=%ld", | 587 | audit_log_format(ab, " success=%s exit=%ld", |
821 | (context->return_valid==AUDITSC_SUCCESS)?"yes":"no", | 588 | (context->return_valid==AUDITSC_SUCCESS)?"yes":"no", |
822 | context->return_code); | 589 | context->return_code); |
590 | if (current->signal->tty && current->signal->tty->name) | ||
591 | tty = current->signal->tty->name; | ||
592 | else | ||
593 | tty = "(none)"; | ||
823 | audit_log_format(ab, | 594 | audit_log_format(ab, |
824 | " a0=%lx a1=%lx a2=%lx a3=%lx items=%d" | 595 | " a0=%lx a1=%lx a2=%lx a3=%lx items=%d" |
825 | " pid=%d auid=%u uid=%u gid=%u" | 596 | " pid=%d auid=%u uid=%u gid=%u" |
826 | " euid=%u suid=%u fsuid=%u" | 597 | " euid=%u suid=%u fsuid=%u" |
827 | " egid=%u sgid=%u fsgid=%u", | 598 | " egid=%u sgid=%u fsgid=%u tty=%s", |
828 | context->argv[0], | 599 | context->argv[0], |
829 | context->argv[1], | 600 | context->argv[1], |
830 | context->argv[2], | 601 | context->argv[2], |
@@ -835,8 +606,8 @@ static void audit_log_exit(struct audit_context *context, gfp_t gfp_mask) | |||
835 | context->uid, | 606 | context->uid, |
836 | context->gid, | 607 | context->gid, |
837 | context->euid, context->suid, context->fsuid, | 608 | context->euid, context->suid, context->fsuid, |
838 | context->egid, context->sgid, context->fsgid); | 609 | context->egid, context->sgid, context->fsgid, tty); |
839 | audit_log_task_info(ab); | 610 | audit_log_task_info(ab, gfp_mask); |
840 | audit_log_end(ab); | 611 | audit_log_end(ab); |
841 | 612 | ||
842 | for (aux = context->aux; aux; aux = aux->next) { | 613 | for (aux = context->aux; aux; aux = aux->next) { |
@@ -849,8 +620,8 @@ static void audit_log_exit(struct audit_context *context, gfp_t gfp_mask) | |||
849 | case AUDIT_IPC: { | 620 | case AUDIT_IPC: { |
850 | struct audit_aux_data_ipcctl *axi = (void *)aux; | 621 | struct audit_aux_data_ipcctl *axi = (void *)aux; |
851 | audit_log_format(ab, | 622 | audit_log_format(ab, |
852 | " qbytes=%lx iuid=%u igid=%u mode=%x", | 623 | " qbytes=%lx iuid=%u igid=%u mode=%x obj=%s", |
853 | axi->qbytes, axi->uid, axi->gid, axi->mode); | 624 | axi->qbytes, axi->uid, axi->gid, axi->mode, axi->ctx); |
854 | break; } | 625 | break; } |
855 | 626 | ||
856 | case AUDIT_SOCKETCALL: { | 627 | case AUDIT_SOCKETCALL: { |
@@ -885,42 +656,62 @@ static void audit_log_exit(struct audit_context *context, gfp_t gfp_mask) | |||
885 | } | 656 | } |
886 | } | 657 | } |
887 | for (i = 0; i < context->name_count; i++) { | 658 | for (i = 0; i < context->name_count; i++) { |
659 | unsigned long ino = context->names[i].ino; | ||
660 | unsigned long pino = context->names[i].pino; | ||
661 | |||
888 | ab = audit_log_start(context, gfp_mask, AUDIT_PATH); | 662 | ab = audit_log_start(context, gfp_mask, AUDIT_PATH); |
889 | if (!ab) | 663 | if (!ab) |
890 | continue; /* audit_panic has been called */ | 664 | continue; /* audit_panic has been called */ |
891 | 665 | ||
892 | audit_log_format(ab, "item=%d", i); | 666 | audit_log_format(ab, "item=%d", i); |
893 | if (context->names[i].name) { | 667 | |
894 | audit_log_format(ab, " name="); | 668 | audit_log_format(ab, " name="); |
669 | if (context->names[i].name) | ||
895 | audit_log_untrustedstring(ab, context->names[i].name); | 670 | audit_log_untrustedstring(ab, context->names[i].name); |
896 | } | 671 | else |
897 | audit_log_format(ab, " flags=%x\n", context->names[i].flags); | 672 | audit_log_format(ab, "(null)"); |
898 | 673 | ||
899 | if (context->names[i].ino != (unsigned long)-1) | 674 | if (pino != (unsigned long)-1) |
900 | audit_log_format(ab, " inode=%lu dev=%02x:%02x mode=%#o" | 675 | audit_log_format(ab, " parent=%lu", pino); |
901 | " ouid=%u ogid=%u rdev=%02x:%02x", | 676 | if (ino != (unsigned long)-1) |
902 | context->names[i].ino, | 677 | audit_log_format(ab, " inode=%lu", ino); |
903 | MAJOR(context->names[i].dev), | 678 | if ((pino != (unsigned long)-1) || (ino != (unsigned long)-1)) |
904 | MINOR(context->names[i].dev), | 679 | audit_log_format(ab, " dev=%02x:%02x mode=%#o" |
905 | context->names[i].mode, | 680 | " ouid=%u ogid=%u rdev=%02x:%02x", |
906 | context->names[i].uid, | 681 | MAJOR(context->names[i].dev), |
907 | context->names[i].gid, | 682 | MINOR(context->names[i].dev), |
908 | MAJOR(context->names[i].rdev), | 683 | context->names[i].mode, |
684 | context->names[i].uid, | ||
685 | context->names[i].gid, | ||
686 | MAJOR(context->names[i].rdev), | ||
909 | MINOR(context->names[i].rdev)); | 687 | MINOR(context->names[i].rdev)); |
688 | if (context->names[i].ctx) { | ||
689 | audit_log_format(ab, " obj=%s", | ||
690 | context->names[i].ctx); | ||
691 | } | ||
692 | |||
910 | audit_log_end(ab); | 693 | audit_log_end(ab); |
911 | } | 694 | } |
912 | } | 695 | } |
913 | 696 | ||
914 | /* Free a per-task audit context. Called from copy_process and | 697 | /** |
915 | * __put_task_struct. */ | 698 | * audit_free - free a per-task audit context |
699 | * @tsk: task whose audit context block to free | ||
700 | * | ||
701 | * Called from copy_process and __put_task_struct. | ||
702 | */ | ||
916 | void audit_free(struct task_struct *tsk) | 703 | void audit_free(struct task_struct *tsk) |
917 | { | 704 | { |
918 | struct audit_context *context; | 705 | struct audit_context *context; |
919 | 706 | ||
920 | task_lock(tsk); | 707 | /* |
708 | * No need to lock the task - when we execute audit_free() | ||
709 | * then the task has no external references anymore, and | ||
710 | * we are tearing it down. (The locking also confuses | ||
711 | * DEBUG_LOCKDEP - this freeing may occur in softirq | ||
712 | * contexts as well, via RCU.) | ||
713 | */ | ||
921 | context = audit_get_context(tsk, 0, 0); | 714 | context = audit_get_context(tsk, 0, 0); |
922 | task_unlock(tsk); | ||
923 | |||
924 | if (likely(!context)) | 715 | if (likely(!context)) |
925 | return; | 716 | return; |
926 | 717 | ||
@@ -934,13 +725,24 @@ void audit_free(struct task_struct *tsk) | |||
934 | audit_free_context(context); | 725 | audit_free_context(context); |
935 | } | 726 | } |
936 | 727 | ||
937 | /* Fill in audit context at syscall entry. This only happens if the | 728 | /** |
729 | * audit_syscall_entry - fill in an audit record at syscall entry | ||
730 | * @tsk: task being audited | ||
731 | * @arch: architecture type | ||
732 | * @major: major syscall type (function) | ||
733 | * @a1: additional syscall register 1 | ||
734 | * @a2: additional syscall register 2 | ||
735 | * @a3: additional syscall register 3 | ||
736 | * @a4: additional syscall register 4 | ||
737 | * | ||
738 | * Fill in audit context at syscall entry. This only happens if the | ||
938 | * audit context was created when the task was created and the state or | 739 | * audit context was created when the task was created and the state or |
939 | * filters demand the audit context be built. If the state from the | 740 | * filters demand the audit context be built. If the state from the |
940 | * per-task filter or from the per-syscall filter is AUDIT_RECORD_CONTEXT, | 741 | * per-task filter or from the per-syscall filter is AUDIT_RECORD_CONTEXT, |
941 | * then the record will be written at syscall exit time (otherwise, it | 742 | * then the record will be written at syscall exit time (otherwise, it |
942 | * will only be written if another part of the kernel requests that it | 743 | * will only be written if another part of the kernel requests that it |
943 | * be written). */ | 744 | * be written). |
745 | */ | ||
944 | void audit_syscall_entry(struct task_struct *tsk, int arch, int major, | 746 | void audit_syscall_entry(struct task_struct *tsk, int arch, int major, |
945 | unsigned long a1, unsigned long a2, | 747 | unsigned long a1, unsigned long a2, |
946 | unsigned long a3, unsigned long a4) | 748 | unsigned long a3, unsigned long a4) |
@@ -950,7 +752,8 @@ void audit_syscall_entry(struct task_struct *tsk, int arch, int major, | |||
950 | 752 | ||
951 | BUG_ON(!context); | 753 | BUG_ON(!context); |
952 | 754 | ||
953 | /* This happens only on certain architectures that make system | 755 | /* |
756 | * This happens only on certain architectures that make system | ||
954 | * calls in kernel_thread via the entry.S interface, instead of | 757 | * calls in kernel_thread via the entry.S interface, instead of |
955 | * with direct calls. (If you are porting to a new | 758 | * with direct calls. (If you are porting to a new |
956 | * architecture, hitting this condition can indicate that you | 759 | * architecture, hitting this condition can indicate that you |
@@ -966,11 +769,6 @@ void audit_syscall_entry(struct task_struct *tsk, int arch, int major, | |||
966 | if (context->in_syscall) { | 769 | if (context->in_syscall) { |
967 | struct audit_context *newctx; | 770 | struct audit_context *newctx; |
968 | 771 | ||
969 | #if defined(__NR_vm86) && defined(__NR_vm86old) | ||
970 | /* vm86 mode should only be entered once */ | ||
971 | if (major == __NR_vm86 || major == __NR_vm86old) | ||
972 | return; | ||
973 | #endif | ||
974 | #if AUDIT_DEBUG | 772 | #if AUDIT_DEBUG |
975 | printk(KERN_ERR | 773 | printk(KERN_ERR |
976 | "audit(:%d) pid=%d in syscall=%d;" | 774 | "audit(:%d) pid=%d in syscall=%d;" |
@@ -1014,11 +812,18 @@ void audit_syscall_entry(struct task_struct *tsk, int arch, int major, | |||
1014 | context->auditable = !!(state == AUDIT_RECORD_CONTEXT); | 812 | context->auditable = !!(state == AUDIT_RECORD_CONTEXT); |
1015 | } | 813 | } |
1016 | 814 | ||
1017 | /* Tear down after system call. If the audit context has been marked as | 815 | /** |
816 | * audit_syscall_exit - deallocate audit context after a system call | ||
817 | * @tsk: task being audited | ||
818 | * @valid: success/failure flag | ||
819 | * @return_code: syscall return value | ||
820 | * | ||
821 | * Tear down after system call. If the audit context has been marked as | ||
1018 | * auditable (either because of the AUDIT_RECORD_CONTEXT state from | 822 | * auditable (either because of the AUDIT_RECORD_CONTEXT state from |
1019 | * filtering, or because some other part of the kernel write an audit | 823 | * filtering, or because some other part of the kernel write an audit |
1020 | * message), then write out the syscall information. In call cases, | 824 | * message), then write out the syscall information. In call cases, |
1021 | * free the names stored from getname(). */ | 825 | * free the names stored from getname(). |
826 | */ | ||
1022 | void audit_syscall_exit(struct task_struct *tsk, int valid, long return_code) | 827 | void audit_syscall_exit(struct task_struct *tsk, int valid, long return_code) |
1023 | { | 828 | { |
1024 | struct audit_context *context; | 829 | struct audit_context *context; |
@@ -1053,7 +858,13 @@ void audit_syscall_exit(struct task_struct *tsk, int valid, long return_code) | |||
1053 | put_task_struct(tsk); | 858 | put_task_struct(tsk); |
1054 | } | 859 | } |
1055 | 860 | ||
1056 | /* Add a name to the list. Called from fs/namei.c:getname(). */ | 861 | /** |
862 | * audit_getname - add a name to the list | ||
863 | * @name: name to add | ||
864 | * | ||
865 | * Add a name to the list of audit names for this context. | ||
866 | * Called from fs/namei.c:getname(). | ||
867 | */ | ||
1057 | void audit_getname(const char *name) | 868 | void audit_getname(const char *name) |
1058 | { | 869 | { |
1059 | struct audit_context *context = current->audit_context; | 870 | struct audit_context *context = current->audit_context; |
@@ -1082,10 +893,13 @@ void audit_getname(const char *name) | |||
1082 | 893 | ||
1083 | } | 894 | } |
1084 | 895 | ||
1085 | /* Intercept a putname request. Called from | 896 | /* audit_putname - intercept a putname request |
1086 | * include/linux/fs.h:putname(). If we have stored the name from | 897 | * @name: name to intercept and delay for putname |
1087 | * getname in the audit context, then we delay the putname until syscall | 898 | * |
1088 | * exit. */ | 899 | * If we have stored the name from getname in the audit context, |
900 | * then we delay the putname until syscall exit. | ||
901 | * Called from include/linux/fs.h:putname(). | ||
902 | */ | ||
1089 | void audit_putname(const char *name) | 903 | void audit_putname(const char *name) |
1090 | { | 904 | { |
1091 | struct audit_context *context = current->audit_context; | 905 | struct audit_context *context = current->audit_context; |
@@ -1100,7 +914,7 @@ void audit_putname(const char *name) | |||
1100 | for (i = 0; i < context->name_count; i++) | 914 | for (i = 0; i < context->name_count; i++) |
1101 | printk(KERN_ERR "name[%d] = %p = %s\n", i, | 915 | printk(KERN_ERR "name[%d] = %p = %s\n", i, |
1102 | context->names[i].name, | 916 | context->names[i].name, |
1103 | context->names[i].name); | 917 | context->names[i].name ?: "(null)"); |
1104 | } | 918 | } |
1105 | #endif | 919 | #endif |
1106 | __putname(name); | 920 | __putname(name); |
@@ -1122,9 +936,52 @@ void audit_putname(const char *name) | |||
1122 | #endif | 936 | #endif |
1123 | } | 937 | } |
1124 | 938 | ||
1125 | /* Store the inode and device from a lookup. Called from | 939 | void audit_inode_context(int idx, const struct inode *inode) |
1126 | * fs/namei.c:path_lookup(). */ | 940 | { |
1127 | void audit_inode(const char *name, const struct inode *inode, unsigned flags) | 941 | struct audit_context *context = current->audit_context; |
942 | const char *suffix = security_inode_xattr_getsuffix(); | ||
943 | char *ctx = NULL; | ||
944 | int len = 0; | ||
945 | |||
946 | if (!suffix) | ||
947 | goto ret; | ||
948 | |||
949 | len = security_inode_getsecurity(inode, suffix, NULL, 0, 0); | ||
950 | if (len == -EOPNOTSUPP) | ||
951 | goto ret; | ||
952 | if (len < 0) | ||
953 | goto error_path; | ||
954 | |||
955 | ctx = kmalloc(len, GFP_KERNEL); | ||
956 | if (!ctx) | ||
957 | goto error_path; | ||
958 | |||
959 | len = security_inode_getsecurity(inode, suffix, ctx, len, 0); | ||
960 | if (len < 0) | ||
961 | goto error_path; | ||
962 | |||
963 | kfree(context->names[idx].ctx); | ||
964 | context->names[idx].ctx = ctx; | ||
965 | goto ret; | ||
966 | |||
967 | error_path: | ||
968 | if (ctx) | ||
969 | kfree(ctx); | ||
970 | audit_panic("error in audit_inode_context"); | ||
971 | ret: | ||
972 | return; | ||
973 | } | ||
974 | |||
975 | |||
976 | /** | ||
977 | * audit_inode - store the inode and device from a lookup | ||
978 | * @name: name being audited | ||
979 | * @inode: inode being audited | ||
980 | * @flags: lookup flags (as used in path_lookup()) | ||
981 | * | ||
982 | * Called from fs/namei.c:path_lookup(). | ||
983 | */ | ||
984 | void __audit_inode(const char *name, const struct inode *inode, unsigned flags) | ||
1128 | { | 985 | { |
1129 | int idx; | 986 | int idx; |
1130 | struct audit_context *context = current->audit_context; | 987 | struct audit_context *context = current->audit_context; |
@@ -1150,15 +1007,105 @@ void audit_inode(const char *name, const struct inode *inode, unsigned flags) | |||
1150 | ++context->ino_count; | 1007 | ++context->ino_count; |
1151 | #endif | 1008 | #endif |
1152 | } | 1009 | } |
1153 | context->names[idx].flags = flags; | ||
1154 | context->names[idx].ino = inode->i_ino; | ||
1155 | context->names[idx].dev = inode->i_sb->s_dev; | 1010 | context->names[idx].dev = inode->i_sb->s_dev; |
1156 | context->names[idx].mode = inode->i_mode; | 1011 | context->names[idx].mode = inode->i_mode; |
1157 | context->names[idx].uid = inode->i_uid; | 1012 | context->names[idx].uid = inode->i_uid; |
1158 | context->names[idx].gid = inode->i_gid; | 1013 | context->names[idx].gid = inode->i_gid; |
1159 | context->names[idx].rdev = inode->i_rdev; | 1014 | context->names[idx].rdev = inode->i_rdev; |
1015 | audit_inode_context(idx, inode); | ||
1016 | if ((flags & LOOKUP_PARENT) && (strcmp(name, "/") != 0) && | ||
1017 | (strcmp(name, ".") != 0)) { | ||
1018 | context->names[idx].ino = (unsigned long)-1; | ||
1019 | context->names[idx].pino = inode->i_ino; | ||
1020 | } else { | ||
1021 | context->names[idx].ino = inode->i_ino; | ||
1022 | context->names[idx].pino = (unsigned long)-1; | ||
1023 | } | ||
1024 | } | ||
1025 | |||
1026 | /** | ||
1027 | * audit_inode_child - collect inode info for created/removed objects | ||
1028 | * @dname: inode's dentry name | ||
1029 | * @inode: inode being audited | ||
1030 | * @pino: inode number of dentry parent | ||
1031 | * | ||
1032 | * For syscalls that create or remove filesystem objects, audit_inode | ||
1033 | * can only collect information for the filesystem object's parent. | ||
1034 | * This call updates the audit context with the child's information. | ||
1035 | * Syscalls that create a new filesystem object must be hooked after | ||
1036 | * the object is created. Syscalls that remove a filesystem object | ||
1037 | * must be hooked prior, in order to capture the target inode during | ||
1038 | * unsuccessful attempts. | ||
1039 | */ | ||
1040 | void __audit_inode_child(const char *dname, const struct inode *inode, | ||
1041 | unsigned long pino) | ||
1042 | { | ||
1043 | int idx; | ||
1044 | struct audit_context *context = current->audit_context; | ||
1045 | |||
1046 | if (!context->in_syscall) | ||
1047 | return; | ||
1048 | |||
1049 | /* determine matching parent */ | ||
1050 | if (dname) | ||
1051 | for (idx = 0; idx < context->name_count; idx++) | ||
1052 | if (context->names[idx].pino == pino) { | ||
1053 | const char *n; | ||
1054 | const char *name = context->names[idx].name; | ||
1055 | int dlen = strlen(dname); | ||
1056 | int nlen = name ? strlen(name) : 0; | ||
1057 | |||
1058 | if (nlen < dlen) | ||
1059 | continue; | ||
1060 | |||
1061 | /* disregard trailing slashes */ | ||
1062 | n = name + nlen - 1; | ||
1063 | while ((*n == '/') && (n > name)) | ||
1064 | n--; | ||
1065 | |||
1066 | /* find last path component */ | ||
1067 | n = n - dlen + 1; | ||
1068 | if (n < name) | ||
1069 | continue; | ||
1070 | else if (n > name) { | ||
1071 | if (*--n != '/') | ||
1072 | continue; | ||
1073 | else | ||
1074 | n++; | ||
1075 | } | ||
1076 | |||
1077 | if (strncmp(n, dname, dlen) == 0) | ||
1078 | goto update_context; | ||
1079 | } | ||
1080 | |||
1081 | /* catch-all in case match not found */ | ||
1082 | idx = context->name_count++; | ||
1083 | context->names[idx].name = NULL; | ||
1084 | context->names[idx].pino = pino; | ||
1085 | #if AUDIT_DEBUG | ||
1086 | context->ino_count++; | ||
1087 | #endif | ||
1088 | |||
1089 | update_context: | ||
1090 | if (inode) { | ||
1091 | context->names[idx].ino = inode->i_ino; | ||
1092 | context->names[idx].dev = inode->i_sb->s_dev; | ||
1093 | context->names[idx].mode = inode->i_mode; | ||
1094 | context->names[idx].uid = inode->i_uid; | ||
1095 | context->names[idx].gid = inode->i_gid; | ||
1096 | context->names[idx].rdev = inode->i_rdev; | ||
1097 | audit_inode_context(idx, inode); | ||
1098 | } | ||
1160 | } | 1099 | } |
1161 | 1100 | ||
1101 | /** | ||
1102 | * auditsc_get_stamp - get local copies of audit_context values | ||
1103 | * @ctx: audit_context for the task | ||
1104 | * @t: timespec to store time recorded in the audit_context | ||
1105 | * @serial: serial value that is recorded in the audit_context | ||
1106 | * | ||
1107 | * Also sets the context as auditable. | ||
1108 | */ | ||
1162 | void auditsc_get_stamp(struct audit_context *ctx, | 1109 | void auditsc_get_stamp(struct audit_context *ctx, |
1163 | struct timespec *t, unsigned int *serial) | 1110 | struct timespec *t, unsigned int *serial) |
1164 | { | 1111 | { |
@@ -1170,6 +1117,15 @@ void auditsc_get_stamp(struct audit_context *ctx, | |||
1170 | ctx->auditable = 1; | 1117 | ctx->auditable = 1; |
1171 | } | 1118 | } |
1172 | 1119 | ||
1120 | /** | ||
1121 | * audit_set_loginuid - set a task's audit_context loginuid | ||
1122 | * @task: task whose audit context is being modified | ||
1123 | * @loginuid: loginuid value | ||
1124 | * | ||
1125 | * Returns 0. | ||
1126 | * | ||
1127 | * Called (set) from fs/proc/base.c::proc_loginuid_write(). | ||
1128 | */ | ||
1173 | int audit_set_loginuid(struct task_struct *task, uid_t loginuid) | 1129 | int audit_set_loginuid(struct task_struct *task, uid_t loginuid) |
1174 | { | 1130 | { |
1175 | if (task->audit_context) { | 1131 | if (task->audit_context) { |
@@ -1188,12 +1144,59 @@ int audit_set_loginuid(struct task_struct *task, uid_t loginuid) | |||
1188 | return 0; | 1144 | return 0; |
1189 | } | 1145 | } |
1190 | 1146 | ||
1147 | /** | ||
1148 | * audit_get_loginuid - get the loginuid for an audit_context | ||
1149 | * @ctx: the audit_context | ||
1150 | * | ||
1151 | * Returns the context's loginuid or -1 if @ctx is NULL. | ||
1152 | */ | ||
1191 | uid_t audit_get_loginuid(struct audit_context *ctx) | 1153 | uid_t audit_get_loginuid(struct audit_context *ctx) |
1192 | { | 1154 | { |
1193 | return ctx ? ctx->loginuid : -1; | 1155 | return ctx ? ctx->loginuid : -1; |
1194 | } | 1156 | } |
1195 | 1157 | ||
1196 | int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode) | 1158 | static char *audit_ipc_context(struct kern_ipc_perm *ipcp) |
1159 | { | ||
1160 | struct audit_context *context = current->audit_context; | ||
1161 | char *ctx = NULL; | ||
1162 | int len = 0; | ||
1163 | |||
1164 | if (likely(!context)) | ||
1165 | return NULL; | ||
1166 | |||
1167 | len = security_ipc_getsecurity(ipcp, NULL, 0); | ||
1168 | if (len == -EOPNOTSUPP) | ||
1169 | goto ret; | ||
1170 | if (len < 0) | ||
1171 | goto error_path; | ||
1172 | |||
1173 | ctx = kmalloc(len, GFP_ATOMIC); | ||
1174 | if (!ctx) | ||
1175 | goto error_path; | ||
1176 | |||
1177 | len = security_ipc_getsecurity(ipcp, ctx, len); | ||
1178 | if (len < 0) | ||
1179 | goto error_path; | ||
1180 | |||
1181 | return ctx; | ||
1182 | |||
1183 | error_path: | ||
1184 | kfree(ctx); | ||
1185 | audit_panic("error in audit_ipc_context"); | ||
1186 | ret: | ||
1187 | return NULL; | ||
1188 | } | ||
1189 | |||
1190 | /** | ||
1191 | * audit_ipc_perms - record audit data for ipc | ||
1192 | * @qbytes: msgq bytes | ||
1193 | * @uid: msgq user id | ||
1194 | * @gid: msgq group id | ||
1195 | * @mode: msgq mode (permissions) | ||
1196 | * | ||
1197 | * Returns 0 for success or NULL context or < 0 on error. | ||
1198 | */ | ||
1199 | int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode, struct kern_ipc_perm *ipcp) | ||
1197 | { | 1200 | { |
1198 | struct audit_aux_data_ipcctl *ax; | 1201 | struct audit_aux_data_ipcctl *ax; |
1199 | struct audit_context *context = current->audit_context; | 1202 | struct audit_context *context = current->audit_context; |
@@ -1201,7 +1204,7 @@ int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode) | |||
1201 | if (likely(!context)) | 1204 | if (likely(!context)) |
1202 | return 0; | 1205 | return 0; |
1203 | 1206 | ||
1204 | ax = kmalloc(sizeof(*ax), GFP_KERNEL); | 1207 | ax = kmalloc(sizeof(*ax), GFP_ATOMIC); |
1205 | if (!ax) | 1208 | if (!ax) |
1206 | return -ENOMEM; | 1209 | return -ENOMEM; |
1207 | 1210 | ||
@@ -1209,6 +1212,7 @@ int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode) | |||
1209 | ax->uid = uid; | 1212 | ax->uid = uid; |
1210 | ax->gid = gid; | 1213 | ax->gid = gid; |
1211 | ax->mode = mode; | 1214 | ax->mode = mode; |
1215 | ax->ctx = audit_ipc_context(ipcp); | ||
1212 | 1216 | ||
1213 | ax->d.type = AUDIT_IPC; | 1217 | ax->d.type = AUDIT_IPC; |
1214 | ax->d.next = context->aux; | 1218 | ax->d.next = context->aux; |
@@ -1216,6 +1220,13 @@ int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode) | |||
1216 | return 0; | 1220 | return 0; |
1217 | } | 1221 | } |
1218 | 1222 | ||
1223 | /** | ||
1224 | * audit_socketcall - record audit data for sys_socketcall | ||
1225 | * @nargs: number of args | ||
1226 | * @args: args array | ||
1227 | * | ||
1228 | * Returns 0 for success or NULL context or < 0 on error. | ||
1229 | */ | ||
1219 | int audit_socketcall(int nargs, unsigned long *args) | 1230 | int audit_socketcall(int nargs, unsigned long *args) |
1220 | { | 1231 | { |
1221 | struct audit_aux_data_socketcall *ax; | 1232 | struct audit_aux_data_socketcall *ax; |
@@ -1237,6 +1248,13 @@ int audit_socketcall(int nargs, unsigned long *args) | |||
1237 | return 0; | 1248 | return 0; |
1238 | } | 1249 | } |
1239 | 1250 | ||
1251 | /** | ||
1252 | * audit_sockaddr - record audit data for sys_bind, sys_connect, sys_sendto | ||
1253 | * @len: data length in user space | ||
1254 | * @a: data address in kernel space | ||
1255 | * | ||
1256 | * Returns 0 for success or NULL context or < 0 on error. | ||
1257 | */ | ||
1240 | int audit_sockaddr(int len, void *a) | 1258 | int audit_sockaddr(int len, void *a) |
1241 | { | 1259 | { |
1242 | struct audit_aux_data_sockaddr *ax; | 1260 | struct audit_aux_data_sockaddr *ax; |
@@ -1258,6 +1276,15 @@ int audit_sockaddr(int len, void *a) | |||
1258 | return 0; | 1276 | return 0; |
1259 | } | 1277 | } |
1260 | 1278 | ||
1279 | /** | ||
1280 | * audit_avc_path - record the granting or denial of permissions | ||
1281 | * @dentry: dentry to record | ||
1282 | * @mnt: mnt to record | ||
1283 | * | ||
1284 | * Returns 0 for success or NULL context or < 0 on error. | ||
1285 | * | ||
1286 | * Called from security/selinux/avc.c::avc_audit() | ||
1287 | */ | ||
1261 | int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt) | 1288 | int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt) |
1262 | { | 1289 | { |
1263 | struct audit_aux_data_path *ax; | 1290 | struct audit_aux_data_path *ax; |
@@ -1279,6 +1306,14 @@ int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt) | |||
1279 | return 0; | 1306 | return 0; |
1280 | } | 1307 | } |
1281 | 1308 | ||
1309 | /** | ||
1310 | * audit_signal_info - record signal info for shutting down audit subsystem | ||
1311 | * @sig: signal value | ||
1312 | * @t: task being signaled | ||
1313 | * | ||
1314 | * If the audit subsystem is being terminated, record the task (pid) | ||
1315 | * and uid that is doing that. | ||
1316 | */ | ||
1282 | void audit_signal_info(int sig, struct task_struct *t) | 1317 | void audit_signal_info(int sig, struct task_struct *t) |
1283 | { | 1318 | { |
1284 | extern pid_t audit_sig_pid; | 1319 | extern pid_t audit_sig_pid; |
@@ -1295,4 +1330,3 @@ void audit_signal_info(int sig, struct task_struct *t) | |||
1295 | } | 1330 | } |
1296 | } | 1331 | } |
1297 | } | 1332 | } |
1298 | |||