aboutsummaryrefslogtreecommitdiffstats
path: root/kernel/auditsc.c
diff options
context:
space:
mode:
Diffstat (limited to 'kernel/auditsc.c')
-rw-r--r--kernel/auditsc.c754
1 files changed, 466 insertions, 288 deletions
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 47b7fc1ea893..af1de0f34eae 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -70,9 +70,15 @@
70 70
71#include "audit.h" 71#include "audit.h"
72 72
73/* flags stating the success for a syscall */
74#define AUDITSC_INVALID 0
75#define AUDITSC_SUCCESS 1
76#define AUDITSC_FAILURE 2
77
73/* AUDIT_NAMES is the number of slots we reserve in the audit_context 78/* AUDIT_NAMES is the number of slots we reserve in the audit_context
74 * for saving names from getname(). */ 79 * for saving names from getname(). If we get more names we will allocate
75#define AUDIT_NAMES 20 80 * a name dynamically and also add those to the list anchored by names_list. */
81#define AUDIT_NAMES 5
76 82
77/* Indicates that audit should log the full pathname. */ 83/* Indicates that audit should log the full pathname. */
78#define AUDIT_NAME_FULL -1 84#define AUDIT_NAME_FULL -1
@@ -101,9 +107,8 @@ struct audit_cap_data {
101 * 107 *
102 * Further, in fs/namei.c:path_lookup() we store the inode and device. */ 108 * Further, in fs/namei.c:path_lookup() we store the inode and device. */
103struct audit_names { 109struct audit_names {
110 struct list_head list; /* audit_context->names_list */
104 const char *name; 111 const char *name;
105 int name_len; /* number of name's characters to log */
106 unsigned name_put; /* call __putname() for this name */
107 unsigned long ino; 112 unsigned long ino;
108 dev_t dev; 113 dev_t dev;
109 umode_t mode; 114 umode_t mode;
@@ -113,6 +118,14 @@ struct audit_names {
113 u32 osid; 118 u32 osid;
114 struct audit_cap_data fcap; 119 struct audit_cap_data fcap;
115 unsigned int fcap_ver; 120 unsigned int fcap_ver;
121 int name_len; /* number of name's characters to log */
122 bool name_put; /* call __putname() for this name */
123 /*
124 * This was an allocated audit_names and not from the array of
125 * names allocated in the task audit context. Thus this name
126 * should be freed on syscall exit
127 */
128 bool should_free;
116}; 129};
117 130
118struct audit_aux_data { 131struct audit_aux_data {
@@ -174,8 +187,17 @@ struct audit_context {
174 long return_code;/* syscall return code */ 187 long return_code;/* syscall return code */
175 u64 prio; 188 u64 prio;
176 int return_valid; /* return code is valid */ 189 int return_valid; /* return code is valid */
177 int name_count; 190 /*
178 struct audit_names names[AUDIT_NAMES]; 191 * The names_list is the list of all audit_names collected during this
192 * syscall. The first AUDIT_NAMES entries in the names_list will
193 * actually be from the preallocated_names array for performance
194 * reasons. Except during allocation they should never be referenced
195 * through the preallocated_names array and should only be found/used
196 * by running the names_list.
197 */
198 struct audit_names preallocated_names[AUDIT_NAMES];
199 int name_count; /* total records in names_list */
200 struct list_head names_list; /* anchor for struct audit_names->list */
179 char * filterkey; /* key for rule that triggered record */ 201 char * filterkey; /* key for rule that triggered record */
180 struct path pwd; 202 struct path pwd;
181 struct audit_context *previous; /* For nested syscalls */ 203 struct audit_context *previous; /* For nested syscalls */
@@ -210,12 +232,12 @@ struct audit_context {
210 struct { 232 struct {
211 uid_t uid; 233 uid_t uid;
212 gid_t gid; 234 gid_t gid;
213 mode_t mode; 235 umode_t mode;
214 u32 osid; 236 u32 osid;
215 int has_perm; 237 int has_perm;
216 uid_t perm_uid; 238 uid_t perm_uid;
217 gid_t perm_gid; 239 gid_t perm_gid;
218 mode_t perm_mode; 240 umode_t perm_mode;
219 unsigned long qbytes; 241 unsigned long qbytes;
220 } ipc; 242 } ipc;
221 struct { 243 struct {
@@ -234,7 +256,7 @@ struct audit_context {
234 } mq_sendrecv; 256 } mq_sendrecv;
235 struct { 257 struct {
236 int oflag; 258 int oflag;
237 mode_t mode; 259 umode_t mode;
238 struct mq_attr attr; 260 struct mq_attr attr;
239 } mq_open; 261 } mq_open;
240 struct { 262 struct {
@@ -305,21 +327,21 @@ static int audit_match_perm(struct audit_context *ctx, int mask)
305 } 327 }
306} 328}
307 329
308static int audit_match_filetype(struct audit_context *ctx, int which) 330static int audit_match_filetype(struct audit_context *ctx, int val)
309{ 331{
310 unsigned index = which & ~S_IFMT; 332 struct audit_names *n;
311 mode_t mode = which & S_IFMT; 333 umode_t mode = (umode_t)val;
312 334
313 if (unlikely(!ctx)) 335 if (unlikely(!ctx))
314 return 0; 336 return 0;
315 337
316 if (index >= ctx->name_count) 338 list_for_each_entry(n, &ctx->names_list, list) {
317 return 0; 339 if ((n->ino != -1) &&
318 if (ctx->names[index].ino == -1) 340 ((n->mode & S_IFMT) == mode))
319 return 0; 341 return 1;
320 if ((ctx->names[index].mode ^ mode) & S_IFMT) 342 }
321 return 0; 343
322 return 1; 344 return 0;
323} 345}
324 346
325/* 347/*
@@ -441,6 +463,134 @@ static int match_tree_refs(struct audit_context *ctx, struct audit_tree *tree)
441 return 0; 463 return 0;
442} 464}
443 465
466static int audit_compare_id(uid_t uid1,
467 struct audit_names *name,
468 unsigned long name_offset,
469 struct audit_field *f,
470 struct audit_context *ctx)
471{
472 struct audit_names *n;
473 unsigned long addr;
474 uid_t uid2;
475 int rc;
476
477 BUILD_BUG_ON(sizeof(uid_t) != sizeof(gid_t));
478
479 if (name) {
480 addr = (unsigned long)name;
481 addr += name_offset;
482
483 uid2 = *(uid_t *)addr;
484 rc = audit_comparator(uid1, f->op, uid2);
485 if (rc)
486 return rc;
487 }
488
489 if (ctx) {
490 list_for_each_entry(n, &ctx->names_list, list) {
491 addr = (unsigned long)n;
492 addr += name_offset;
493
494 uid2 = *(uid_t *)addr;
495
496 rc = audit_comparator(uid1, f->op, uid2);
497 if (rc)
498 return rc;
499 }
500 }
501 return 0;
502}
503
504static int audit_field_compare(struct task_struct *tsk,
505 const struct cred *cred,
506 struct audit_field *f,
507 struct audit_context *ctx,
508 struct audit_names *name)
509{
510 switch (f->val) {
511 /* process to file object comparisons */
512 case AUDIT_COMPARE_UID_TO_OBJ_UID:
513 return audit_compare_id(cred->uid,
514 name, offsetof(struct audit_names, uid),
515 f, ctx);
516 case AUDIT_COMPARE_GID_TO_OBJ_GID:
517 return audit_compare_id(cred->gid,
518 name, offsetof(struct audit_names, gid),
519 f, ctx);
520 case AUDIT_COMPARE_EUID_TO_OBJ_UID:
521 return audit_compare_id(cred->euid,
522 name, offsetof(struct audit_names, uid),
523 f, ctx);
524 case AUDIT_COMPARE_EGID_TO_OBJ_GID:
525 return audit_compare_id(cred->egid,
526 name, offsetof(struct audit_names, gid),
527 f, ctx);
528 case AUDIT_COMPARE_AUID_TO_OBJ_UID:
529 return audit_compare_id(tsk->loginuid,
530 name, offsetof(struct audit_names, uid),
531 f, ctx);
532 case AUDIT_COMPARE_SUID_TO_OBJ_UID:
533 return audit_compare_id(cred->suid,
534 name, offsetof(struct audit_names, uid),
535 f, ctx);
536 case AUDIT_COMPARE_SGID_TO_OBJ_GID:
537 return audit_compare_id(cred->sgid,
538 name, offsetof(struct audit_names, gid),
539 f, ctx);
540 case AUDIT_COMPARE_FSUID_TO_OBJ_UID:
541 return audit_compare_id(cred->fsuid,
542 name, offsetof(struct audit_names, uid),
543 f, ctx);
544 case AUDIT_COMPARE_FSGID_TO_OBJ_GID:
545 return audit_compare_id(cred->fsgid,
546 name, offsetof(struct audit_names, gid),
547 f, ctx);
548 /* uid comparisons */
549 case AUDIT_COMPARE_UID_TO_AUID:
550 return audit_comparator(cred->uid, f->op, tsk->loginuid);
551 case AUDIT_COMPARE_UID_TO_EUID:
552 return audit_comparator(cred->uid, f->op, cred->euid);
553 case AUDIT_COMPARE_UID_TO_SUID:
554 return audit_comparator(cred->uid, f->op, cred->suid);
555 case AUDIT_COMPARE_UID_TO_FSUID:
556 return audit_comparator(cred->uid, f->op, cred->fsuid);
557 /* auid comparisons */
558 case AUDIT_COMPARE_AUID_TO_EUID:
559 return audit_comparator(tsk->loginuid, f->op, cred->euid);
560 case AUDIT_COMPARE_AUID_TO_SUID:
561 return audit_comparator(tsk->loginuid, f->op, cred->suid);
562 case AUDIT_COMPARE_AUID_TO_FSUID:
563 return audit_comparator(tsk->loginuid, f->op, cred->fsuid);
564 /* euid comparisons */
565 case AUDIT_COMPARE_EUID_TO_SUID:
566 return audit_comparator(cred->euid, f->op, cred->suid);
567 case AUDIT_COMPARE_EUID_TO_FSUID:
568 return audit_comparator(cred->euid, f->op, cred->fsuid);
569 /* suid comparisons */
570 case AUDIT_COMPARE_SUID_TO_FSUID:
571 return audit_comparator(cred->suid, f->op, cred->fsuid);
572 /* gid comparisons */
573 case AUDIT_COMPARE_GID_TO_EGID:
574 return audit_comparator(cred->gid, f->op, cred->egid);
575 case AUDIT_COMPARE_GID_TO_SGID:
576 return audit_comparator(cred->gid, f->op, cred->sgid);
577 case AUDIT_COMPARE_GID_TO_FSGID:
578 return audit_comparator(cred->gid, f->op, cred->fsgid);
579 /* egid comparisons */
580 case AUDIT_COMPARE_EGID_TO_SGID:
581 return audit_comparator(cred->egid, f->op, cred->sgid);
582 case AUDIT_COMPARE_EGID_TO_FSGID:
583 return audit_comparator(cred->egid, f->op, cred->fsgid);
584 /* sgid comparison */
585 case AUDIT_COMPARE_SGID_TO_FSGID:
586 return audit_comparator(cred->sgid, f->op, cred->fsgid);
587 default:
588 WARN(1, "Missing AUDIT_COMPARE define. Report as a bug\n");
589 return 0;
590 }
591 return 0;
592}
593
444/* Determine if any context name data matches a rule's watch data */ 594/* Determine if any context name data matches a rule's watch data */
445/* Compare a task_struct with an audit_rule. Return 1 on match, 0 595/* Compare a task_struct with an audit_rule. Return 1 on match, 0
446 * otherwise. 596 * otherwise.
@@ -457,13 +607,14 @@ static int audit_filter_rules(struct task_struct *tsk,
457 bool task_creation) 607 bool task_creation)
458{ 608{
459 const struct cred *cred; 609 const struct cred *cred;
460 int i, j, need_sid = 1; 610 int i, need_sid = 1;
461 u32 sid; 611 u32 sid;
462 612
463 cred = rcu_dereference_check(tsk->cred, tsk == current || task_creation); 613 cred = rcu_dereference_check(tsk->cred, tsk == current || task_creation);
464 614
465 for (i = 0; i < rule->field_count; i++) { 615 for (i = 0; i < rule->field_count; i++) {
466 struct audit_field *f = &rule->fields[i]; 616 struct audit_field *f = &rule->fields[i];
617 struct audit_names *n;
467 int result = 0; 618 int result = 0;
468 619
469 switch (f->type) { 620 switch (f->type) {
@@ -522,12 +673,14 @@ static int audit_filter_rules(struct task_struct *tsk,
522 } 673 }
523 break; 674 break;
524 case AUDIT_DEVMAJOR: 675 case AUDIT_DEVMAJOR:
525 if (name) 676 if (name) {
526 result = audit_comparator(MAJOR(name->dev), 677 if (audit_comparator(MAJOR(name->dev), f->op, f->val) ||
527 f->op, f->val); 678 audit_comparator(MAJOR(name->rdev), f->op, f->val))
528 else if (ctx) { 679 ++result;
529 for (j = 0; j < ctx->name_count; j++) { 680 } else if (ctx) {
530 if (audit_comparator(MAJOR(ctx->names[j].dev), f->op, f->val)) { 681 list_for_each_entry(n, &ctx->names_list, list) {
682 if (audit_comparator(MAJOR(n->dev), f->op, f->val) ||
683 audit_comparator(MAJOR(n->rdev), f->op, f->val)) {
531 ++result; 684 ++result;
532 break; 685 break;
533 } 686 }
@@ -535,12 +688,14 @@ static int audit_filter_rules(struct task_struct *tsk,
535 } 688 }
536 break; 689 break;
537 case AUDIT_DEVMINOR: 690 case AUDIT_DEVMINOR:
538 if (name) 691 if (name) {
539 result = audit_comparator(MINOR(name->dev), 692 if (audit_comparator(MINOR(name->dev), f->op, f->val) ||
540 f->op, f->val); 693 audit_comparator(MINOR(name->rdev), f->op, f->val))
541 else if (ctx) { 694 ++result;
542 for (j = 0; j < ctx->name_count; j++) { 695 } else if (ctx) {
543 if (audit_comparator(MINOR(ctx->names[j].dev), f->op, f->val)) { 696 list_for_each_entry(n, &ctx->names_list, list) {
697 if (audit_comparator(MINOR(n->dev), f->op, f->val) ||
698 audit_comparator(MINOR(n->rdev), f->op, f->val)) {
544 ++result; 699 ++result;
545 break; 700 break;
546 } 701 }
@@ -551,8 +706,32 @@ static int audit_filter_rules(struct task_struct *tsk,
551 if (name) 706 if (name)
552 result = (name->ino == f->val); 707 result = (name->ino == f->val);
553 else if (ctx) { 708 else if (ctx) {
554 for (j = 0; j < ctx->name_count; j++) { 709 list_for_each_entry(n, &ctx->names_list, list) {
555 if (audit_comparator(ctx->names[j].ino, f->op, f->val)) { 710 if (audit_comparator(n->ino, f->op, f->val)) {
711 ++result;
712 break;
713 }
714 }
715 }
716 break;
717 case AUDIT_OBJ_UID:
718 if (name) {
719 result = audit_comparator(name->uid, f->op, f->val);
720 } else if (ctx) {
721 list_for_each_entry(n, &ctx->names_list, list) {
722 if (audit_comparator(n->uid, f->op, f->val)) {
723 ++result;
724 break;
725 }
726 }
727 }
728 break;
729 case AUDIT_OBJ_GID:
730 if (name) {
731 result = audit_comparator(name->gid, f->op, f->val);
732 } else if (ctx) {
733 list_for_each_entry(n, &ctx->names_list, list) {
734 if (audit_comparator(n->gid, f->op, f->val)) {
556 ++result; 735 ++result;
557 break; 736 break;
558 } 737 }
@@ -607,11 +786,10 @@ static int audit_filter_rules(struct task_struct *tsk,
607 name->osid, f->type, f->op, 786 name->osid, f->type, f->op,
608 f->lsm_rule, ctx); 787 f->lsm_rule, ctx);
609 } else if (ctx) { 788 } else if (ctx) {
610 for (j = 0; j < ctx->name_count; j++) { 789 list_for_each_entry(n, &ctx->names_list, list) {
611 if (security_audit_rule_match( 790 if (security_audit_rule_match(n->osid, f->type,
612 ctx->names[j].osid, 791 f->op, f->lsm_rule,
613 f->type, f->op, 792 ctx)) {
614 f->lsm_rule, ctx)) {
615 ++result; 793 ++result;
616 break; 794 break;
617 } 795 }
@@ -643,8 +821,10 @@ static int audit_filter_rules(struct task_struct *tsk,
643 case AUDIT_FILETYPE: 821 case AUDIT_FILETYPE:
644 result = audit_match_filetype(ctx, f->val); 822 result = audit_match_filetype(ctx, f->val);
645 break; 823 break;
824 case AUDIT_FIELD_COMPARE:
825 result = audit_field_compare(tsk, cred, f, ctx, name);
826 break;
646 } 827 }
647
648 if (!result) 828 if (!result)
649 return 0; 829 return 0;
650 } 830 }
@@ -722,40 +902,53 @@ static enum audit_state audit_filter_syscall(struct task_struct *tsk,
722 return AUDIT_BUILD_CONTEXT; 902 return AUDIT_BUILD_CONTEXT;
723} 903}
724 904
725/* At syscall exit time, this filter is called if any audit_names[] have been 905/*
906 * Given an audit_name check the inode hash table to see if they match.
907 * Called holding the rcu read lock to protect the use of audit_inode_hash
908 */
909static int audit_filter_inode_name(struct task_struct *tsk,
910 struct audit_names *n,
911 struct audit_context *ctx) {
912 int word, bit;
913 int h = audit_hash_ino((u32)n->ino);
914 struct list_head *list = &audit_inode_hash[h];
915 struct audit_entry *e;
916 enum audit_state state;
917
918 word = AUDIT_WORD(ctx->major);
919 bit = AUDIT_BIT(ctx->major);
920
921 if (list_empty(list))
922 return 0;
923
924 list_for_each_entry_rcu(e, list, list) {
925 if ((e->rule.mask[word] & bit) == bit &&
926 audit_filter_rules(tsk, &e->rule, ctx, n, &state, false)) {
927 ctx->current_state = state;
928 return 1;
929 }
930 }
931
932 return 0;
933}
934
935/* At syscall exit time, this filter is called if any audit_names have been
726 * collected during syscall processing. We only check rules in sublists at hash 936 * collected during syscall processing. We only check rules in sublists at hash
727 * buckets applicable to the inode numbers in audit_names[]. 937 * buckets applicable to the inode numbers in audit_names.
728 * Regarding audit_state, same rules apply as for audit_filter_syscall(). 938 * Regarding audit_state, same rules apply as for audit_filter_syscall().
729 */ 939 */
730void audit_filter_inodes(struct task_struct *tsk, struct audit_context *ctx) 940void audit_filter_inodes(struct task_struct *tsk, struct audit_context *ctx)
731{ 941{
732 int i; 942 struct audit_names *n;
733 struct audit_entry *e;
734 enum audit_state state;
735 943
736 if (audit_pid && tsk->tgid == audit_pid) 944 if (audit_pid && tsk->tgid == audit_pid)
737 return; 945 return;
738 946
739 rcu_read_lock(); 947 rcu_read_lock();
740 for (i = 0; i < ctx->name_count; i++) {
741 int word = AUDIT_WORD(ctx->major);
742 int bit = AUDIT_BIT(ctx->major);
743 struct audit_names *n = &ctx->names[i];
744 int h = audit_hash_ino((u32)n->ino);
745 struct list_head *list = &audit_inode_hash[h];
746
747 if (list_empty(list))
748 continue;
749 948
750 list_for_each_entry_rcu(e, list, list) { 949 list_for_each_entry(n, &ctx->names_list, list) {
751 if ((e->rule.mask[word] & bit) == bit && 950 if (audit_filter_inode_name(tsk, n, ctx))
752 audit_filter_rules(tsk, &e->rule, ctx, n, 951 break;
753 &state, false)) {
754 rcu_read_unlock();
755 ctx->current_state = state;
756 return;
757 }
758 }
759 } 952 }
760 rcu_read_unlock(); 953 rcu_read_unlock();
761} 954}
@@ -766,7 +959,7 @@ static inline struct audit_context *audit_get_context(struct task_struct *tsk,
766{ 959{
767 struct audit_context *context = tsk->audit_context; 960 struct audit_context *context = tsk->audit_context;
768 961
769 if (likely(!context)) 962 if (!context)
770 return NULL; 963 return NULL;
771 context->return_valid = return_valid; 964 context->return_valid = return_valid;
772 965
@@ -799,7 +992,7 @@ static inline struct audit_context *audit_get_context(struct task_struct *tsk,
799 992
800static inline void audit_free_names(struct audit_context *context) 993static inline void audit_free_names(struct audit_context *context)
801{ 994{
802 int i; 995 struct audit_names *n, *next;
803 996
804#if AUDIT_DEBUG == 2 997#if AUDIT_DEBUG == 2
805 if (context->put_count + context->ino_count != context->name_count) { 998 if (context->put_count + context->ino_count != context->name_count) {
@@ -810,10 +1003,9 @@ static inline void audit_free_names(struct audit_context *context)
810 context->serial, context->major, context->in_syscall, 1003 context->serial, context->major, context->in_syscall,
811 context->name_count, context->put_count, 1004 context->name_count, context->put_count,
812 context->ino_count); 1005 context->ino_count);
813 for (i = 0; i < context->name_count; i++) { 1006 list_for_each_entry(n, &context->names_list, list) {
814 printk(KERN_ERR "names[%d] = %p = %s\n", i, 1007 printk(KERN_ERR "names[%d] = %p = %s\n", i,
815 context->names[i].name, 1008 n->name, n->name ?: "(null)");
816 context->names[i].name ?: "(null)");
817 } 1009 }
818 dump_stack(); 1010 dump_stack();
819 return; 1011 return;
@@ -824,9 +1016,12 @@ static inline void audit_free_names(struct audit_context *context)
824 context->ino_count = 0; 1016 context->ino_count = 0;
825#endif 1017#endif
826 1018
827 for (i = 0; i < context->name_count; i++) { 1019 list_for_each_entry_safe(n, next, &context->names_list, list) {
828 if (context->names[i].name && context->names[i].name_put) 1020 list_del(&n->list);
829 __putname(context->names[i].name); 1021 if (n->name && n->name_put)
1022 __putname(n->name);
1023 if (n->should_free)
1024 kfree(n);
830 } 1025 }
831 context->name_count = 0; 1026 context->name_count = 0;
832 path_put(&context->pwd); 1027 path_put(&context->pwd);
@@ -864,6 +1059,7 @@ static inline struct audit_context *audit_alloc_context(enum audit_state state)
864 return NULL; 1059 return NULL;
865 audit_zero_context(context, state); 1060 audit_zero_context(context, state);
866 INIT_LIST_HEAD(&context->killed_trees); 1061 INIT_LIST_HEAD(&context->killed_trees);
1062 INIT_LIST_HEAD(&context->names_list);
867 return context; 1063 return context;
868} 1064}
869 1065
@@ -886,7 +1082,7 @@ int audit_alloc(struct task_struct *tsk)
886 return 0; /* Return if not auditing. */ 1082 return 0; /* Return if not auditing. */
887 1083
888 state = audit_filter_task(tsk, &key); 1084 state = audit_filter_task(tsk, &key);
889 if (likely(state == AUDIT_DISABLED)) 1085 if (state == AUDIT_DISABLED)
890 return 0; 1086 return 0;
891 1087
892 if (!(context = audit_alloc_context(state))) { 1088 if (!(context = audit_alloc_context(state))) {
@@ -975,7 +1171,7 @@ static void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk
975 while (vma) { 1171 while (vma) {
976 if ((vma->vm_flags & VM_EXECUTABLE) && 1172 if ((vma->vm_flags & VM_EXECUTABLE) &&
977 vma->vm_file) { 1173 vma->vm_file) {
978 audit_log_d_path(ab, "exe=", 1174 audit_log_d_path(ab, " exe=",
979 &vma->vm_file->f_path); 1175 &vma->vm_file->f_path);
980 break; 1176 break;
981 } 1177 }
@@ -1166,8 +1362,8 @@ static void audit_log_execve_info(struct audit_context *context,
1166 struct audit_buffer **ab, 1362 struct audit_buffer **ab,
1167 struct audit_aux_data_execve *axi) 1363 struct audit_aux_data_execve *axi)
1168{ 1364{
1169 int i; 1365 int i, len;
1170 size_t len, len_sent = 0; 1366 size_t len_sent = 0;
1171 const char __user *p; 1367 const char __user *p;
1172 char *buf; 1368 char *buf;
1173 1369
@@ -1249,7 +1445,7 @@ static void show_special(struct audit_context *context, int *call_panic)
1249 case AUDIT_IPC: { 1445 case AUDIT_IPC: {
1250 u32 osid = context->ipc.osid; 1446 u32 osid = context->ipc.osid;
1251 1447
1252 audit_log_format(ab, "ouid=%u ogid=%u mode=%#o", 1448 audit_log_format(ab, "ouid=%u ogid=%u mode=%#ho",
1253 context->ipc.uid, context->ipc.gid, context->ipc.mode); 1449 context->ipc.uid, context->ipc.gid, context->ipc.mode);
1254 if (osid) { 1450 if (osid) {
1255 char *ctx = NULL; 1451 char *ctx = NULL;
@@ -1267,7 +1463,7 @@ static void show_special(struct audit_context *context, int *call_panic)
1267 ab = audit_log_start(context, GFP_KERNEL, 1463 ab = audit_log_start(context, GFP_KERNEL,
1268 AUDIT_IPC_SET_PERM); 1464 AUDIT_IPC_SET_PERM);
1269 audit_log_format(ab, 1465 audit_log_format(ab,
1270 "qbytes=%lx ouid=%u ogid=%u mode=%#o", 1466 "qbytes=%lx ouid=%u ogid=%u mode=%#ho",
1271 context->ipc.qbytes, 1467 context->ipc.qbytes,
1272 context->ipc.perm_uid, 1468 context->ipc.perm_uid,
1273 context->ipc.perm_gid, 1469 context->ipc.perm_gid,
@@ -1278,7 +1474,7 @@ static void show_special(struct audit_context *context, int *call_panic)
1278 break; } 1474 break; }
1279 case AUDIT_MQ_OPEN: { 1475 case AUDIT_MQ_OPEN: {
1280 audit_log_format(ab, 1476 audit_log_format(ab,
1281 "oflag=0x%x mode=%#o mq_flags=0x%lx mq_maxmsg=%ld " 1477 "oflag=0x%x mode=%#ho mq_flags=0x%lx mq_maxmsg=%ld "
1282 "mq_msgsize=%ld mq_curmsgs=%ld", 1478 "mq_msgsize=%ld mq_curmsgs=%ld",
1283 context->mq_open.oflag, context->mq_open.mode, 1479 context->mq_open.oflag, context->mq_open.mode,
1284 context->mq_open.attr.mq_flags, 1480 context->mq_open.attr.mq_flags,
@@ -1324,6 +1520,68 @@ static void show_special(struct audit_context *context, int *call_panic)
1324 audit_log_end(ab); 1520 audit_log_end(ab);
1325} 1521}
1326 1522
1523static void audit_log_name(struct audit_context *context, struct audit_names *n,
1524 int record_num, int *call_panic)
1525{
1526 struct audit_buffer *ab;
1527 ab = audit_log_start(context, GFP_KERNEL, AUDIT_PATH);
1528 if (!ab)
1529 return; /* audit_panic has been called */
1530
1531 audit_log_format(ab, "item=%d", record_num);
1532
1533 if (n->name) {
1534 switch (n->name_len) {
1535 case AUDIT_NAME_FULL:
1536 /* log the full path */
1537 audit_log_format(ab, " name=");
1538 audit_log_untrustedstring(ab, n->name);
1539 break;
1540 case 0:
1541 /* name was specified as a relative path and the
1542 * directory component is the cwd */
1543 audit_log_d_path(ab, " name=", &context->pwd);
1544 break;
1545 default:
1546 /* log the name's directory component */
1547 audit_log_format(ab, " name=");
1548 audit_log_n_untrustedstring(ab, n->name,
1549 n->name_len);
1550 }
1551 } else
1552 audit_log_format(ab, " name=(null)");
1553
1554 if (n->ino != (unsigned long)-1) {
1555 audit_log_format(ab, " inode=%lu"
1556 " dev=%02x:%02x mode=%#ho"
1557 " ouid=%u ogid=%u rdev=%02x:%02x",
1558 n->ino,
1559 MAJOR(n->dev),
1560 MINOR(n->dev),
1561 n->mode,
1562 n->uid,
1563 n->gid,
1564 MAJOR(n->rdev),
1565 MINOR(n->rdev));
1566 }
1567 if (n->osid != 0) {
1568 char *ctx = NULL;
1569 u32 len;
1570 if (security_secid_to_secctx(
1571 n->osid, &ctx, &len)) {
1572 audit_log_format(ab, " osid=%u", n->osid);
1573 *call_panic = 2;
1574 } else {
1575 audit_log_format(ab, " obj=%s", ctx);
1576 security_release_secctx(ctx, len);
1577 }
1578 }
1579
1580 audit_log_fcaps(ab, n);
1581
1582 audit_log_end(ab);
1583}
1584
1327static void audit_log_exit(struct audit_context *context, struct task_struct *tsk) 1585static void audit_log_exit(struct audit_context *context, struct task_struct *tsk)
1328{ 1586{
1329 const struct cred *cred; 1587 const struct cred *cred;
@@ -1331,6 +1589,7 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
1331 struct audit_buffer *ab; 1589 struct audit_buffer *ab;
1332 struct audit_aux_data *aux; 1590 struct audit_aux_data *aux;
1333 const char *tty; 1591 const char *tty;
1592 struct audit_names *n;
1334 1593
1335 /* tsk == current */ 1594 /* tsk == current */
1336 context->pid = tsk->pid; 1595 context->pid = tsk->pid;
@@ -1466,70 +1725,14 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
1466 if (context->pwd.dentry && context->pwd.mnt) { 1725 if (context->pwd.dentry && context->pwd.mnt) {
1467 ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD); 1726 ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD);
1468 if (ab) { 1727 if (ab) {
1469 audit_log_d_path(ab, "cwd=", &context->pwd); 1728 audit_log_d_path(ab, " cwd=", &context->pwd);
1470 audit_log_end(ab); 1729 audit_log_end(ab);
1471 } 1730 }
1472 } 1731 }
1473 for (i = 0; i < context->name_count; i++) {
1474 struct audit_names *n = &context->names[i];
1475 1732
1476 ab = audit_log_start(context, GFP_KERNEL, AUDIT_PATH); 1733 i = 0;
1477 if (!ab) 1734 list_for_each_entry(n, &context->names_list, list)
1478 continue; /* audit_panic has been called */ 1735 audit_log_name(context, n, i++, &call_panic);
1479
1480 audit_log_format(ab, "item=%d", i);
1481
1482 if (n->name) {
1483 switch(n->name_len) {
1484 case AUDIT_NAME_FULL:
1485 /* log the full path */
1486 audit_log_format(ab, " name=");
1487 audit_log_untrustedstring(ab, n->name);
1488 break;
1489 case 0:
1490 /* name was specified as a relative path and the
1491 * directory component is the cwd */
1492 audit_log_d_path(ab, "name=", &context->pwd);
1493 break;
1494 default:
1495 /* log the name's directory component */
1496 audit_log_format(ab, " name=");
1497 audit_log_n_untrustedstring(ab, n->name,
1498 n->name_len);
1499 }
1500 } else
1501 audit_log_format(ab, " name=(null)");
1502
1503 if (n->ino != (unsigned long)-1) {
1504 audit_log_format(ab, " inode=%lu"
1505 " dev=%02x:%02x mode=%#o"
1506 " ouid=%u ogid=%u rdev=%02x:%02x",
1507 n->ino,
1508 MAJOR(n->dev),
1509 MINOR(n->dev),
1510 n->mode,
1511 n->uid,
1512 n->gid,
1513 MAJOR(n->rdev),
1514 MINOR(n->rdev));
1515 }
1516 if (n->osid != 0) {
1517 char *ctx = NULL;
1518 u32 len;
1519 if (security_secid_to_secctx(
1520 n->osid, &ctx, &len)) {
1521 audit_log_format(ab, " osid=%u", n->osid);
1522 call_panic = 2;
1523 } else {
1524 audit_log_format(ab, " obj=%s", ctx);
1525 security_release_secctx(ctx, len);
1526 }
1527 }
1528
1529 audit_log_fcaps(ab, n);
1530
1531 audit_log_end(ab);
1532 }
1533 1736
1534 /* Send end of event record to help user space know we are finished */ 1737 /* Send end of event record to help user space know we are finished */
1535 ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE); 1738 ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE);
@@ -1545,12 +1748,12 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
1545 * 1748 *
1546 * Called from copy_process and do_exit 1749 * Called from copy_process and do_exit
1547 */ 1750 */
1548void audit_free(struct task_struct *tsk) 1751void __audit_free(struct task_struct *tsk)
1549{ 1752{
1550 struct audit_context *context; 1753 struct audit_context *context;
1551 1754
1552 context = audit_get_context(tsk, 0, 0); 1755 context = audit_get_context(tsk, 0, 0);
1553 if (likely(!context)) 1756 if (!context)
1554 return; 1757 return;
1555 1758
1556 /* Check for system calls that do not go through the exit 1759 /* Check for system calls that do not go through the exit
@@ -1583,7 +1786,7 @@ void audit_free(struct task_struct *tsk)
1583 * will only be written if another part of the kernel requests that it 1786 * will only be written if another part of the kernel requests that it
1584 * be written). 1787 * be written).
1585 */ 1788 */
1586void audit_syscall_entry(int arch, int major, 1789void __audit_syscall_entry(int arch, int major,
1587 unsigned long a1, unsigned long a2, 1790 unsigned long a1, unsigned long a2,
1588 unsigned long a3, unsigned long a4) 1791 unsigned long a3, unsigned long a4)
1589{ 1792{
@@ -1591,7 +1794,7 @@ void audit_syscall_entry(int arch, int major,
1591 struct audit_context *context = tsk->audit_context; 1794 struct audit_context *context = tsk->audit_context;
1592 enum audit_state state; 1795 enum audit_state state;
1593 1796
1594 if (unlikely(!context)) 1797 if (!context)
1595 return; 1798 return;
1596 1799
1597 /* 1800 /*
@@ -1648,7 +1851,7 @@ void audit_syscall_entry(int arch, int major,
1648 context->prio = 0; 1851 context->prio = 0;
1649 state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_ENTRY]); 1852 state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_ENTRY]);
1650 } 1853 }
1651 if (likely(state == AUDIT_DISABLED)) 1854 if (state == AUDIT_DISABLED)
1652 return; 1855 return;
1653 1856
1654 context->serial = 0; 1857 context->serial = 0;
@@ -1658,45 +1861,29 @@ void audit_syscall_entry(int arch, int major,
1658 context->ppid = 0; 1861 context->ppid = 0;
1659} 1862}
1660 1863
1661void audit_finish_fork(struct task_struct *child)
1662{
1663 struct audit_context *ctx = current->audit_context;
1664 struct audit_context *p = child->audit_context;
1665 if (!p || !ctx)
1666 return;
1667 if (!ctx->in_syscall || ctx->current_state != AUDIT_RECORD_CONTEXT)
1668 return;
1669 p->arch = ctx->arch;
1670 p->major = ctx->major;
1671 memcpy(p->argv, ctx->argv, sizeof(ctx->argv));
1672 p->ctime = ctx->ctime;
1673 p->dummy = ctx->dummy;
1674 p->in_syscall = ctx->in_syscall;
1675 p->filterkey = kstrdup(ctx->filterkey, GFP_KERNEL);
1676 p->ppid = current->pid;
1677 p->prio = ctx->prio;
1678 p->current_state = ctx->current_state;
1679}
1680
1681/** 1864/**
1682 * audit_syscall_exit - deallocate audit context after a system call 1865 * audit_syscall_exit - deallocate audit context after a system call
1683 * @valid: success/failure flag 1866 * @success: success value of the syscall
1684 * @return_code: syscall return value 1867 * @return_code: return value of the syscall
1685 * 1868 *
1686 * Tear down after system call. If the audit context has been marked as 1869 * Tear down after system call. If the audit context has been marked as
1687 * auditable (either because of the AUDIT_RECORD_CONTEXT state from 1870 * auditable (either because of the AUDIT_RECORD_CONTEXT state from
1688 * filtering, or because some other part of the kernel write an audit 1871 * filtering, or because some other part of the kernel wrote an audit
1689 * message), then write out the syscall information. In call cases, 1872 * message), then write out the syscall information. In call cases,
1690 * free the names stored from getname(). 1873 * free the names stored from getname().
1691 */ 1874 */
1692void audit_syscall_exit(int valid, long return_code) 1875void __audit_syscall_exit(int success, long return_code)
1693{ 1876{
1694 struct task_struct *tsk = current; 1877 struct task_struct *tsk = current;
1695 struct audit_context *context; 1878 struct audit_context *context;
1696 1879
1697 context = audit_get_context(tsk, valid, return_code); 1880 if (success)
1881 success = AUDITSC_SUCCESS;
1882 else
1883 success = AUDITSC_FAILURE;
1698 1884
1699 if (likely(!context)) 1885 context = audit_get_context(tsk, success, return_code);
1886 if (!context)
1700 return; 1887 return;
1701 1888
1702 if (context->in_syscall && context->current_state == AUDIT_RECORD_CONTEXT) 1889 if (context->in_syscall && context->current_state == AUDIT_RECORD_CONTEXT)
@@ -1821,6 +2008,30 @@ retry:
1821#endif 2008#endif
1822} 2009}
1823 2010
2011static struct audit_names *audit_alloc_name(struct audit_context *context)
2012{
2013 struct audit_names *aname;
2014
2015 if (context->name_count < AUDIT_NAMES) {
2016 aname = &context->preallocated_names[context->name_count];
2017 memset(aname, 0, sizeof(*aname));
2018 } else {
2019 aname = kzalloc(sizeof(*aname), GFP_NOFS);
2020 if (!aname)
2021 return NULL;
2022 aname->should_free = true;
2023 }
2024
2025 aname->ino = (unsigned long)-1;
2026 list_add_tail(&aname->list, &context->names_list);
2027
2028 context->name_count++;
2029#if AUDIT_DEBUG
2030 context->ino_count++;
2031#endif
2032 return aname;
2033}
2034
1824/** 2035/**
1825 * audit_getname - add a name to the list 2036 * audit_getname - add a name to the list
1826 * @name: name to add 2037 * @name: name to add
@@ -1831,9 +2042,7 @@ retry:
1831void __audit_getname(const char *name) 2042void __audit_getname(const char *name)
1832{ 2043{
1833 struct audit_context *context = current->audit_context; 2044 struct audit_context *context = current->audit_context;
1834 2045 struct audit_names *n;
1835 if (IS_ERR(name) || !name)
1836 return;
1837 2046
1838 if (!context->in_syscall) { 2047 if (!context->in_syscall) {
1839#if AUDIT_DEBUG == 2 2048#if AUDIT_DEBUG == 2
@@ -1843,13 +2052,15 @@ void __audit_getname(const char *name)
1843#endif 2052#endif
1844 return; 2053 return;
1845 } 2054 }
1846 BUG_ON(context->name_count >= AUDIT_NAMES); 2055
1847 context->names[context->name_count].name = name; 2056 n = audit_alloc_name(context);
1848 context->names[context->name_count].name_len = AUDIT_NAME_FULL; 2057 if (!n)
1849 context->names[context->name_count].name_put = 1; 2058 return;
1850 context->names[context->name_count].ino = (unsigned long)-1; 2059
1851 context->names[context->name_count].osid = 0; 2060 n->name = name;
1852 ++context->name_count; 2061 n->name_len = AUDIT_NAME_FULL;
2062 n->name_put = true;
2063
1853 if (!context->pwd.dentry) 2064 if (!context->pwd.dentry)
1854 get_fs_pwd(current->fs, &context->pwd); 2065 get_fs_pwd(current->fs, &context->pwd);
1855} 2066}
@@ -1871,12 +2082,13 @@ void audit_putname(const char *name)
1871 printk(KERN_ERR "%s:%d(:%d): __putname(%p)\n", 2082 printk(KERN_ERR "%s:%d(:%d): __putname(%p)\n",
1872 __FILE__, __LINE__, context->serial, name); 2083 __FILE__, __LINE__, context->serial, name);
1873 if (context->name_count) { 2084 if (context->name_count) {
2085 struct audit_names *n;
1874 int i; 2086 int i;
1875 for (i = 0; i < context->name_count; i++) 2087
2088 list_for_each_entry(n, &context->names_list, list)
1876 printk(KERN_ERR "name[%d] = %p = %s\n", i, 2089 printk(KERN_ERR "name[%d] = %p = %s\n", i,
1877 context->names[i].name, 2090 n->name, n->name ?: "(null)");
1878 context->names[i].name ?: "(null)"); 2091 }
1879 }
1880#endif 2092#endif
1881 __putname(name); 2093 __putname(name);
1882 } 2094 }
@@ -1897,39 +2109,11 @@ void audit_putname(const char *name)
1897#endif 2109#endif
1898} 2110}
1899 2111
1900static int audit_inc_name_count(struct audit_context *context,
1901 const struct inode *inode)
1902{
1903 if (context->name_count >= AUDIT_NAMES) {
1904 if (inode)
1905 printk(KERN_DEBUG "audit: name_count maxed, losing inode data: "
1906 "dev=%02x:%02x, inode=%lu\n",
1907 MAJOR(inode->i_sb->s_dev),
1908 MINOR(inode->i_sb->s_dev),
1909 inode->i_ino);
1910
1911 else
1912 printk(KERN_DEBUG "name_count maxed, losing inode data\n");
1913 return 1;
1914 }
1915 context->name_count++;
1916#if AUDIT_DEBUG
1917 context->ino_count++;
1918#endif
1919 return 0;
1920}
1921
1922
1923static inline int audit_copy_fcaps(struct audit_names *name, const struct dentry *dentry) 2112static inline int audit_copy_fcaps(struct audit_names *name, const struct dentry *dentry)
1924{ 2113{
1925 struct cpu_vfs_cap_data caps; 2114 struct cpu_vfs_cap_data caps;
1926 int rc; 2115 int rc;
1927 2116
1928 memset(&name->fcap.permitted, 0, sizeof(kernel_cap_t));
1929 memset(&name->fcap.inheritable, 0, sizeof(kernel_cap_t));
1930 name->fcap.fE = 0;
1931 name->fcap_ver = 0;
1932
1933 if (!dentry) 2117 if (!dentry)
1934 return 0; 2118 return 0;
1935 2119
@@ -1969,30 +2153,25 @@ static void audit_copy_inode(struct audit_names *name, const struct dentry *dent
1969 */ 2153 */
1970void __audit_inode(const char *name, const struct dentry *dentry) 2154void __audit_inode(const char *name, const struct dentry *dentry)
1971{ 2155{
1972 int idx;
1973 struct audit_context *context = current->audit_context; 2156 struct audit_context *context = current->audit_context;
1974 const struct inode *inode = dentry->d_inode; 2157 const struct inode *inode = dentry->d_inode;
2158 struct audit_names *n;
1975 2159
1976 if (!context->in_syscall) 2160 if (!context->in_syscall)
1977 return; 2161 return;
1978 if (context->name_count 2162
1979 && context->names[context->name_count-1].name 2163 list_for_each_entry_reverse(n, &context->names_list, list) {
1980 && context->names[context->name_count-1].name == name) 2164 if (n->name && (n->name == name))
1981 idx = context->name_count - 1; 2165 goto out;
1982 else if (context->name_count > 1
1983 && context->names[context->name_count-2].name
1984 && context->names[context->name_count-2].name == name)
1985 idx = context->name_count - 2;
1986 else {
1987 /* FIXME: how much do we care about inodes that have no
1988 * associated name? */
1989 if (audit_inc_name_count(context, inode))
1990 return;
1991 idx = context->name_count - 1;
1992 context->names[idx].name = NULL;
1993 } 2166 }
2167
2168 /* unable to find the name from a previous getname() */
2169 n = audit_alloc_name(context);
2170 if (!n)
2171 return;
2172out:
1994 handle_path(dentry); 2173 handle_path(dentry);
1995 audit_copy_inode(&context->names[idx], dentry, inode); 2174 audit_copy_inode(n, dentry, inode);
1996} 2175}
1997 2176
1998/** 2177/**
@@ -2011,11 +2190,11 @@ void __audit_inode(const char *name, const struct dentry *dentry)
2011void __audit_inode_child(const struct dentry *dentry, 2190void __audit_inode_child(const struct dentry *dentry,
2012 const struct inode *parent) 2191 const struct inode *parent)
2013{ 2192{
2014 int idx;
2015 struct audit_context *context = current->audit_context; 2193 struct audit_context *context = current->audit_context;
2016 const char *found_parent = NULL, *found_child = NULL; 2194 const char *found_parent = NULL, *found_child = NULL;
2017 const struct inode *inode = dentry->d_inode; 2195 const struct inode *inode = dentry->d_inode;
2018 const char *dname = dentry->d_name.name; 2196 const char *dname = dentry->d_name.name;
2197 struct audit_names *n;
2019 int dirlen = 0; 2198 int dirlen = 0;
2020 2199
2021 if (!context->in_syscall) 2200 if (!context->in_syscall)
@@ -2025,9 +2204,7 @@ void __audit_inode_child(const struct dentry *dentry,
2025 handle_one(inode); 2204 handle_one(inode);
2026 2205
2027 /* parent is more likely, look for it first */ 2206 /* parent is more likely, look for it first */
2028 for (idx = 0; idx < context->name_count; idx++) { 2207 list_for_each_entry(n, &context->names_list, list) {
2029 struct audit_names *n = &context->names[idx];
2030
2031 if (!n->name) 2208 if (!n->name)
2032 continue; 2209 continue;
2033 2210
@@ -2040,9 +2217,7 @@ void __audit_inode_child(const struct dentry *dentry,
2040 } 2217 }
2041 2218
2042 /* no matching parent, look for matching child */ 2219 /* no matching parent, look for matching child */
2043 for (idx = 0; idx < context->name_count; idx++) { 2220 list_for_each_entry(n, &context->names_list, list) {
2044 struct audit_names *n = &context->names[idx];
2045
2046 if (!n->name) 2221 if (!n->name)
2047 continue; 2222 continue;
2048 2223
@@ -2060,34 +2235,29 @@ void __audit_inode_child(const struct dentry *dentry,
2060 2235
2061add_names: 2236add_names:
2062 if (!found_parent) { 2237 if (!found_parent) {
2063 if (audit_inc_name_count(context, parent)) 2238 n = audit_alloc_name(context);
2239 if (!n)
2064 return; 2240 return;
2065 idx = context->name_count - 1; 2241 audit_copy_inode(n, NULL, parent);
2066 context->names[idx].name = NULL;
2067 audit_copy_inode(&context->names[idx], NULL, parent);
2068 } 2242 }
2069 2243
2070 if (!found_child) { 2244 if (!found_child) {
2071 if (audit_inc_name_count(context, inode)) 2245 n = audit_alloc_name(context);
2246 if (!n)
2072 return; 2247 return;
2073 idx = context->name_count - 1;
2074 2248
2075 /* Re-use the name belonging to the slot for a matching parent 2249 /* Re-use the name belonging to the slot for a matching parent
2076 * directory. All names for this context are relinquished in 2250 * directory. All names for this context are relinquished in
2077 * audit_free_names() */ 2251 * audit_free_names() */
2078 if (found_parent) { 2252 if (found_parent) {
2079 context->names[idx].name = found_parent; 2253 n->name = found_parent;
2080 context->names[idx].name_len = AUDIT_NAME_FULL; 2254 n->name_len = AUDIT_NAME_FULL;
2081 /* don't call __putname() */ 2255 /* don't call __putname() */
2082 context->names[idx].name_put = 0; 2256 n->name_put = false;
2083 } else {
2084 context->names[idx].name = NULL;
2085 } 2257 }
2086 2258
2087 if (inode) 2259 if (inode)
2088 audit_copy_inode(&context->names[idx], NULL, inode); 2260 audit_copy_inode(n, NULL, inode);
2089 else
2090 context->names[idx].ino = (unsigned long)-1;
2091 } 2261 }
2092} 2262}
2093EXPORT_SYMBOL_GPL(__audit_inode_child); 2263EXPORT_SYMBOL_GPL(__audit_inode_child);
@@ -2121,19 +2291,28 @@ int auditsc_get_stamp(struct audit_context *ctx,
2121static atomic_t session_id = ATOMIC_INIT(0); 2291static atomic_t session_id = ATOMIC_INIT(0);
2122 2292
2123/** 2293/**
2124 * audit_set_loginuid - set a task's audit_context loginuid 2294 * audit_set_loginuid - set current task's audit_context loginuid
2125 * @task: task whose audit context is being modified
2126 * @loginuid: loginuid value 2295 * @loginuid: loginuid value
2127 * 2296 *
2128 * Returns 0. 2297 * Returns 0.
2129 * 2298 *
2130 * Called (set) from fs/proc/base.c::proc_loginuid_write(). 2299 * Called (set) from fs/proc/base.c::proc_loginuid_write().
2131 */ 2300 */
2132int audit_set_loginuid(struct task_struct *task, uid_t loginuid) 2301int audit_set_loginuid(uid_t loginuid)
2133{ 2302{
2134 unsigned int sessionid = atomic_inc_return(&session_id); 2303 struct task_struct *task = current;
2135 struct audit_context *context = task->audit_context; 2304 struct audit_context *context = task->audit_context;
2305 unsigned int sessionid;
2306
2307#ifdef CONFIG_AUDIT_LOGINUID_IMMUTABLE
2308 if (task->loginuid != -1)
2309 return -EPERM;
2310#else /* CONFIG_AUDIT_LOGINUID_IMMUTABLE */
2311 if (!capable(CAP_AUDIT_CONTROL))
2312 return -EPERM;
2313#endif /* CONFIG_AUDIT_LOGINUID_IMMUTABLE */
2136 2314
2315 sessionid = atomic_inc_return(&session_id);
2137 if (context && context->in_syscall) { 2316 if (context && context->in_syscall) {
2138 struct audit_buffer *ab; 2317 struct audit_buffer *ab;
2139 2318
@@ -2160,7 +2339,7 @@ int audit_set_loginuid(struct task_struct *task, uid_t loginuid)
2160 * @attr: queue attributes 2339 * @attr: queue attributes
2161 * 2340 *
2162 */ 2341 */
2163void __audit_mq_open(int oflag, mode_t mode, struct mq_attr *attr) 2342void __audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr)
2164{ 2343{
2165 struct audit_context *context = current->audit_context; 2344 struct audit_context *context = current->audit_context;
2166 2345
@@ -2260,7 +2439,7 @@ void __audit_ipc_obj(struct kern_ipc_perm *ipcp)
2260 * 2439 *
2261 * Called only after audit_ipc_obj(). 2440 * Called only after audit_ipc_obj().
2262 */ 2441 */
2263void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode) 2442void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode)
2264{ 2443{
2265 struct audit_context *context = current->audit_context; 2444 struct audit_context *context = current->audit_context;
2266 2445
@@ -2271,14 +2450,11 @@ void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mod
2271 context->ipc.has_perm = 1; 2450 context->ipc.has_perm = 1;
2272} 2451}
2273 2452
2274int audit_bprm(struct linux_binprm *bprm) 2453int __audit_bprm(struct linux_binprm *bprm)
2275{ 2454{
2276 struct audit_aux_data_execve *ax; 2455 struct audit_aux_data_execve *ax;
2277 struct audit_context *context = current->audit_context; 2456 struct audit_context *context = current->audit_context;
2278 2457
2279 if (likely(!audit_enabled || !context || context->dummy))
2280 return 0;
2281
2282 ax = kmalloc(sizeof(*ax), GFP_KERNEL); 2458 ax = kmalloc(sizeof(*ax), GFP_KERNEL);
2283 if (!ax) 2459 if (!ax)
2284 return -ENOMEM; 2460 return -ENOMEM;
@@ -2299,13 +2475,10 @@ int audit_bprm(struct linux_binprm *bprm)
2299 * @args: args array 2475 * @args: args array
2300 * 2476 *
2301 */ 2477 */
2302void audit_socketcall(int nargs, unsigned long *args) 2478void __audit_socketcall(int nargs, unsigned long *args)
2303{ 2479{
2304 struct audit_context *context = current->audit_context; 2480 struct audit_context *context = current->audit_context;
2305 2481
2306 if (likely(!context || context->dummy))
2307 return;
2308
2309 context->type = AUDIT_SOCKETCALL; 2482 context->type = AUDIT_SOCKETCALL;
2310 context->socketcall.nargs = nargs; 2483 context->socketcall.nargs = nargs;
2311 memcpy(context->socketcall.args, args, nargs * sizeof(unsigned long)); 2484 memcpy(context->socketcall.args, args, nargs * sizeof(unsigned long));
@@ -2331,13 +2504,10 @@ void __audit_fd_pair(int fd1, int fd2)
2331 * 2504 *
2332 * Returns 0 for success or NULL context or < 0 on error. 2505 * Returns 0 for success or NULL context or < 0 on error.
2333 */ 2506 */
2334int audit_sockaddr(int len, void *a) 2507int __audit_sockaddr(int len, void *a)
2335{ 2508{
2336 struct audit_context *context = current->audit_context; 2509 struct audit_context *context = current->audit_context;
2337 2510
2338 if (likely(!context || context->dummy))
2339 return 0;
2340
2341 if (!context->sockaddr) { 2511 if (!context->sockaddr) {
2342 void *p = kmalloc(sizeof(struct sockaddr_storage), GFP_KERNEL); 2512 void *p = kmalloc(sizeof(struct sockaddr_storage), GFP_KERNEL);
2343 if (!p) 2513 if (!p)
@@ -2499,6 +2669,25 @@ void __audit_mmap_fd(int fd, int flags)
2499 context->type = AUDIT_MMAP; 2669 context->type = AUDIT_MMAP;
2500} 2670}
2501 2671
2672static void audit_log_abend(struct audit_buffer *ab, char *reason, long signr)
2673{
2674 uid_t auid, uid;
2675 gid_t gid;
2676 unsigned int sessionid;
2677
2678 auid = audit_get_loginuid(current);
2679 sessionid = audit_get_sessionid(current);
2680 current_uid_gid(&uid, &gid);
2681
2682 audit_log_format(ab, "auid=%u uid=%u gid=%u ses=%u",
2683 auid, uid, gid, sessionid);
2684 audit_log_task_context(ab);
2685 audit_log_format(ab, " pid=%d comm=", current->pid);
2686 audit_log_untrustedstring(ab, current->comm);
2687 audit_log_format(ab, " reason=");
2688 audit_log_string(ab, reason);
2689 audit_log_format(ab, " sig=%ld", signr);
2690}
2502/** 2691/**
2503 * audit_core_dumps - record information about processes that end abnormally 2692 * audit_core_dumps - record information about processes that end abnormally
2504 * @signr: signal value 2693 * @signr: signal value
@@ -2509,10 +2698,6 @@ void __audit_mmap_fd(int fd, int flags)
2509void audit_core_dumps(long signr) 2698void audit_core_dumps(long signr)
2510{ 2699{
2511 struct audit_buffer *ab; 2700 struct audit_buffer *ab;
2512 u32 sid;
2513 uid_t auid = audit_get_loginuid(current), uid;
2514 gid_t gid;
2515 unsigned int sessionid = audit_get_sessionid(current);
2516 2701
2517 if (!audit_enabled) 2702 if (!audit_enabled)
2518 return; 2703 return;
@@ -2521,24 +2706,17 @@ void audit_core_dumps(long signr)
2521 return; 2706 return;
2522 2707
2523 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND); 2708 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
2524 current_uid_gid(&uid, &gid); 2709 audit_log_abend(ab, "memory violation", signr);
2525 audit_log_format(ab, "auid=%u uid=%u gid=%u ses=%u", 2710 audit_log_end(ab);
2526 auid, uid, gid, sessionid); 2711}
2527 security_task_getsecid(current, &sid);
2528 if (sid) {
2529 char *ctx = NULL;
2530 u32 len;
2531 2712
2532 if (security_secid_to_secctx(sid, &ctx, &len)) 2713void __audit_seccomp(unsigned long syscall)
2533 audit_log_format(ab, " ssid=%u", sid); 2714{
2534 else { 2715 struct audit_buffer *ab;
2535 audit_log_format(ab, " subj=%s", ctx); 2716
2536 security_release_secctx(ctx, len); 2717 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
2537 } 2718 audit_log_abend(ab, "seccomp", SIGKILL);
2538 } 2719 audit_log_format(ab, " syscall=%ld", syscall);
2539 audit_log_format(ab, " pid=%d comm=", current->pid);
2540 audit_log_untrustedstring(ab, current->comm);
2541 audit_log_format(ab, " sig=%ld", signr);
2542 audit_log_end(ab); 2720 audit_log_end(ab);
2543} 2721}
2544 2722