aboutsummaryrefslogtreecommitdiffstats
path: root/kernel
diff options
context:
space:
mode:
Diffstat (limited to 'kernel')
-rw-r--r--kernel/audit.c191
-rw-r--r--kernel/auditfilter.c54
2 files changed, 93 insertions, 152 deletions
diff --git a/kernel/audit.c b/kernel/audit.c
index 26ff925e13f2..7e29372da284 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -66,9 +66,9 @@
66 * (Initialization happens after skb_init is called.) */ 66 * (Initialization happens after skb_init is called.) */
67static int audit_initialized; 67static int audit_initialized;
68 68
69/* 0 - no auditing 69#define AUDIT_OFF 0
70 * 1 - auditing enabled 70#define AUDIT_ON 1
71 * 2 - auditing enabled and configuration is locked/unchangeable. */ 71#define AUDIT_LOCKED 2
72int audit_enabled; 72int audit_enabled;
73 73
74/* Default state when kernel boots without any parameters. */ 74/* Default state when kernel boots without any parameters. */
@@ -240,152 +240,90 @@ void audit_log_lost(const char *message)
240 } 240 }
241} 241}
242 242
243static int audit_set_rate_limit(int limit, uid_t loginuid, u32 sid) 243static int audit_log_config_change(char *function_name, int new, int old,
244 uid_t loginuid, u32 sid, int allow_changes)
244{ 245{
245 int res, rc = 0, old = audit_rate_limit; 246 struct audit_buffer *ab;
246 247 int rc = 0;
247 /* check if we are locked */
248 if (audit_enabled == 2)
249 res = 0;
250 else
251 res = 1;
252 248
249 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
250 audit_log_format(ab, "%s=%d old=%d by auid=%u", function_name, new,
251 old, loginuid);
253 if (sid) { 252 if (sid) {
254 char *ctx = NULL; 253 char *ctx = NULL;
255 u32 len; 254 u32 len;
256 if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) { 255
257 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, 256 rc = selinux_sid_to_string(sid, &ctx, &len);
258 "audit_rate_limit=%d old=%d by auid=%u" 257 if (rc) {
259 " subj=%s res=%d", 258 audit_log_format(ab, " sid=%u", sid);
260 limit, old, loginuid, ctx, res); 259 allow_changes = 0; /* Something weird, deny request */
260 } else {
261 audit_log_format(ab, " subj=%s", ctx);
261 kfree(ctx); 262 kfree(ctx);
262 } else 263 }
263 res = 0; /* Something weird, deny request */
264 } 264 }
265 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, 265 audit_log_format(ab, " res=%d", allow_changes);
266 "audit_rate_limit=%d old=%d by auid=%u res=%d", 266 audit_log_end(ab);
267 limit, old, loginuid, res);
268
269 /* If we are allowed, make the change */
270 if (res == 1)
271 audit_rate_limit = limit;
272 /* Not allowed, update reason */
273 else if (rc == 0)
274 rc = -EPERM;
275 return rc; 267 return rc;
276} 268}
277 269
278static int audit_set_backlog_limit(int limit, uid_t loginuid, u32 sid) 270static int audit_do_config_change(char *function_name, int *to_change,
271 int new, uid_t loginuid, u32 sid)
279{ 272{
280 int res, rc = 0, old = audit_backlog_limit; 273 int allow_changes, rc = 0, old = *to_change;
281 274
282 /* check if we are locked */ 275 /* check if we are locked */
283 if (audit_enabled == 2) 276 if (audit_enabled == AUDIT_LOCKED)
284 res = 0; 277 allow_changes = 0;
285 else 278 else
286 res = 1; 279 allow_changes = 1;
287 280
288 if (sid) { 281 if (audit_enabled != AUDIT_OFF) {
289 char *ctx = NULL; 282 rc = audit_log_config_change(function_name, new, old,
290 u32 len; 283 loginuid, sid, allow_changes);
291 if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) { 284 if (rc)
292 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, 285 allow_changes = 0;
293 "audit_backlog_limit=%d old=%d by auid=%u"
294 " subj=%s res=%d",
295 limit, old, loginuid, ctx, res);
296 kfree(ctx);
297 } else
298 res = 0; /* Something weird, deny request */
299 } 286 }
300 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
301 "audit_backlog_limit=%d old=%d by auid=%u res=%d",
302 limit, old, loginuid, res);
303 287
304 /* If we are allowed, make the change */ 288 /* If we are allowed, make the change */
305 if (res == 1) 289 if (allow_changes == 1)
306 audit_backlog_limit = limit; 290 *to_change = new;
307 /* Not allowed, update reason */ 291 /* Not allowed, update reason */
308 else if (rc == 0) 292 else if (rc == 0)
309 rc = -EPERM; 293 rc = -EPERM;
310 return rc; 294 return rc;
311} 295}
312 296
313static int audit_set_enabled(int state, uid_t loginuid, u32 sid) 297static int audit_set_rate_limit(int limit, uid_t loginuid, u32 sid)
314{ 298{
315 int res, rc = 0, old = audit_enabled; 299 return audit_do_config_change("audit_rate_limit", &audit_rate_limit,
316 300 limit, loginuid, sid);
317 if (state < 0 || state > 2) 301}
318 return -EINVAL;
319 302
320 /* check if we are locked */ 303static int audit_set_backlog_limit(int limit, uid_t loginuid, u32 sid)
321 if (audit_enabled == 2) 304{
322 res = 0; 305 return audit_do_config_change("audit_backlog_limit", &audit_backlog_limit,
323 else 306 limit, loginuid, sid);
324 res = 1; 307}
325 308
326 if (sid) { 309static int audit_set_enabled(int state, uid_t loginuid, u32 sid)
327 char *ctx = NULL; 310{
328 u32 len; 311 if (state < AUDIT_OFF || state > AUDIT_LOCKED)
329 if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) { 312 return -EINVAL;
330 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
331 "audit_enabled=%d old=%d by auid=%u"
332 " subj=%s res=%d",
333 state, old, loginuid, ctx, res);
334 kfree(ctx);
335 } else
336 res = 0; /* Something weird, deny request */
337 }
338 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
339 "audit_enabled=%d old=%d by auid=%u res=%d",
340 state, old, loginuid, res);
341 313
342 /* If we are allowed, make the change */ 314 return audit_do_config_change("audit_enabled", &audit_enabled, state,
343 if (res == 1) 315 loginuid, sid);
344 audit_enabled = state;
345 /* Not allowed, update reason */
346 else if (rc == 0)
347 rc = -EPERM;
348 return rc;
349} 316}
350 317
351static int audit_set_failure(int state, uid_t loginuid, u32 sid) 318static int audit_set_failure(int state, uid_t loginuid, u32 sid)
352{ 319{
353 int res, rc = 0, old = audit_failure;
354
355 if (state != AUDIT_FAIL_SILENT 320 if (state != AUDIT_FAIL_SILENT
356 && state != AUDIT_FAIL_PRINTK 321 && state != AUDIT_FAIL_PRINTK
357 && state != AUDIT_FAIL_PANIC) 322 && state != AUDIT_FAIL_PANIC)
358 return -EINVAL; 323 return -EINVAL;
359 324
360 /* check if we are locked */ 325 return audit_do_config_change("audit_failure", &audit_failure, state,
361 if (audit_enabled == 2) 326 loginuid, sid);
362 res = 0;
363 else
364 res = 1;
365
366 if (sid) {
367 char *ctx = NULL;
368 u32 len;
369 if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) {
370 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
371 "audit_failure=%d old=%d by auid=%u"
372 " subj=%s res=%d",
373 state, old, loginuid, ctx, res);
374 kfree(ctx);
375 } else
376 res = 0; /* Something weird, deny request */
377 }
378 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
379 "audit_failure=%d old=%d by auid=%u res=%d",
380 state, old, loginuid, res);
381
382 /* If we are allowed, make the change */
383 if (res == 1)
384 audit_failure = state;
385 /* Not allowed, update reason */
386 else if (rc == 0)
387 rc = -EPERM;
388 return rc;
389} 327}
390 328
391static int kauditd_thread(void *dummy) 329static int kauditd_thread(void *dummy)
@@ -634,23 +572,14 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
634 if (err < 0) return err; 572 if (err < 0) return err;
635 } 573 }
636 if (status_get->mask & AUDIT_STATUS_PID) { 574 if (status_get->mask & AUDIT_STATUS_PID) {
637 int old = audit_pid; 575 int new_pid = status_get->pid;
638 if (sid) { 576
639 if ((err = selinux_sid_to_string( 577 if (audit_enabled != AUDIT_OFF)
640 sid, &ctx, &len))) 578 audit_log_config_change("audit_pid", new_pid,
641 return err; 579 audit_pid, loginuid,
642 else 580 sid, 1);
643 audit_log(NULL, GFP_KERNEL, 581
644 AUDIT_CONFIG_CHANGE, 582 audit_pid = new_pid;
645 "audit_pid=%d old=%d by auid=%u subj=%s",
646 status_get->pid, old,
647 loginuid, ctx);
648 kfree(ctx);
649 } else
650 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
651 "audit_pid=%d old=%d by auid=%u",
652 status_get->pid, old, loginuid);
653 audit_pid = status_get->pid;
654 } 583 }
655 if (status_get->mask & AUDIT_STATUS_RATE_LIMIT) 584 if (status_get->mask & AUDIT_STATUS_RATE_LIMIT)
656 err = audit_set_rate_limit(status_get->rate_limit, 585 err = audit_set_rate_limit(status_get->rate_limit,
@@ -709,7 +638,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
709 case AUDIT_DEL: 638 case AUDIT_DEL:
710 if (nlmsg_len(nlh) < sizeof(struct audit_rule)) 639 if (nlmsg_len(nlh) < sizeof(struct audit_rule))
711 return -EINVAL; 640 return -EINVAL;
712 if (audit_enabled == 2) { 641 if (audit_enabled == AUDIT_LOCKED) {
713 ab = audit_log_start(NULL, GFP_KERNEL, 642 ab = audit_log_start(NULL, GFP_KERNEL,
714 AUDIT_CONFIG_CHANGE); 643 AUDIT_CONFIG_CHANGE);
715 if (ab) { 644 if (ab) {
@@ -743,7 +672,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
743 case AUDIT_DEL_RULE: 672 case AUDIT_DEL_RULE:
744 if (nlmsg_len(nlh) < sizeof(struct audit_rule_data)) 673 if (nlmsg_len(nlh) < sizeof(struct audit_rule_data))
745 return -EINVAL; 674 return -EINVAL;
746 if (audit_enabled == 2) { 675 if (audit_enabled == AUDIT_LOCKED) {
747 ab = audit_log_start(NULL, GFP_KERNEL, 676 ab = audit_log_start(NULL, GFP_KERNEL,
748 AUDIT_CONFIG_CHANGE); 677 AUDIT_CONFIG_CHANGE);
749 if (ab) { 678 if (ab) {
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 5d96f2cc7be8..6f19fd477aac 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -95,6 +95,8 @@ extern struct inotify_handle *audit_ih;
95/* Inotify events we care about. */ 95/* Inotify events we care about. */
96#define AUDIT_IN_WATCH IN_MOVE|IN_CREATE|IN_DELETE|IN_DELETE_SELF|IN_MOVE_SELF 96#define AUDIT_IN_WATCH IN_MOVE|IN_CREATE|IN_DELETE|IN_DELETE_SELF|IN_MOVE_SELF
97 97
98extern int audit_enabled;
99
98void audit_free_parent(struct inotify_watch *i_watch) 100void audit_free_parent(struct inotify_watch *i_watch)
99{ 101{
100 struct audit_parent *parent; 102 struct audit_parent *parent;
@@ -974,7 +976,6 @@ static void audit_update_watch(struct audit_parent *parent,
974 struct audit_watch *owatch, *nwatch, *nextw; 976 struct audit_watch *owatch, *nwatch, *nextw;
975 struct audit_krule *r, *nextr; 977 struct audit_krule *r, *nextr;
976 struct audit_entry *oentry, *nentry; 978 struct audit_entry *oentry, *nentry;
977 struct audit_buffer *ab;
978 979
979 mutex_lock(&audit_filter_mutex); 980 mutex_lock(&audit_filter_mutex);
980 list_for_each_entry_safe(owatch, nextw, &parent->watches, wlist) { 981 list_for_each_entry_safe(owatch, nextw, &parent->watches, wlist) {
@@ -1014,13 +1015,18 @@ static void audit_update_watch(struct audit_parent *parent,
1014 call_rcu(&oentry->rcu, audit_free_rule_rcu); 1015 call_rcu(&oentry->rcu, audit_free_rule_rcu);
1015 } 1016 }
1016 1017
1017 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); 1018 if (audit_enabled) {
1018 audit_log_format(ab, "op=updated rules specifying path="); 1019 struct audit_buffer *ab;
1019 audit_log_untrustedstring(ab, owatch->path); 1020 ab = audit_log_start(NULL, GFP_KERNEL,
1020 audit_log_format(ab, " with dev=%u ino=%lu\n", dev, ino); 1021 AUDIT_CONFIG_CHANGE);
1021 audit_log_format(ab, " list=%d res=1", r->listnr); 1022 audit_log_format(ab,
1022 audit_log_end(ab); 1023 "op=updated rules specifying path=");
1023 1024 audit_log_untrustedstring(ab, owatch->path);
1025 audit_log_format(ab, " with dev=%u ino=%lu\n",
1026 dev, ino);
1027 audit_log_format(ab, " list=%d res=1", r->listnr);
1028 audit_log_end(ab);
1029 }
1024 audit_remove_watch(owatch); 1030 audit_remove_watch(owatch);
1025 goto add_watch_to_parent; /* event applies to a single watch */ 1031 goto add_watch_to_parent; /* event applies to a single watch */
1026 } 1032 }
@@ -1039,25 +1045,28 @@ static void audit_remove_parent_watches(struct audit_parent *parent)
1039 struct audit_watch *w, *nextw; 1045 struct audit_watch *w, *nextw;
1040 struct audit_krule *r, *nextr; 1046 struct audit_krule *r, *nextr;
1041 struct audit_entry *e; 1047 struct audit_entry *e;
1042 struct audit_buffer *ab;
1043 1048
1044 mutex_lock(&audit_filter_mutex); 1049 mutex_lock(&audit_filter_mutex);
1045 parent->flags |= AUDIT_PARENT_INVALID; 1050 parent->flags |= AUDIT_PARENT_INVALID;
1046 list_for_each_entry_safe(w, nextw, &parent->watches, wlist) { 1051 list_for_each_entry_safe(w, nextw, &parent->watches, wlist) {
1047 list_for_each_entry_safe(r, nextr, &w->rules, rlist) { 1052 list_for_each_entry_safe(r, nextr, &w->rules, rlist) {
1048 e = container_of(r, struct audit_entry, rule); 1053 e = container_of(r, struct audit_entry, rule);
1049 1054 if (audit_enabled) {
1050 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); 1055 struct audit_buffer *ab;
1051 audit_log_format(ab, "op=remove rule path="); 1056 ab = audit_log_start(NULL, GFP_KERNEL,
1052 audit_log_untrustedstring(ab, w->path); 1057 AUDIT_CONFIG_CHANGE);
1053 if (r->filterkey) { 1058 audit_log_format(ab, "op=remove rule path=");
1054 audit_log_format(ab, " key="); 1059 audit_log_untrustedstring(ab, w->path);
1055 audit_log_untrustedstring(ab, r->filterkey); 1060 if (r->filterkey) {
1056 } else 1061 audit_log_format(ab, " key=");
1057 audit_log_format(ab, " key=(null)"); 1062 audit_log_untrustedstring(ab,
1058 audit_log_format(ab, " list=%d res=1", r->listnr); 1063 r->filterkey);
1059 audit_log_end(ab); 1064 } else
1060 1065 audit_log_format(ab, " key=(null)");
1066 audit_log_format(ab, " list=%d res=1",
1067 r->listnr);
1068 audit_log_end(ab);
1069 }
1061 list_del(&r->rlist); 1070 list_del(&r->rlist);
1062 list_del_rcu(&e->list); 1071 list_del_rcu(&e->list);
1063 call_rcu(&e->rcu, audit_free_rule_rcu); 1072 call_rcu(&e->rcu, audit_free_rule_rcu);
@@ -1495,6 +1504,9 @@ static void audit_log_rule_change(uid_t loginuid, u32 sid, char *action,
1495{ 1504{
1496 struct audit_buffer *ab; 1505 struct audit_buffer *ab;
1497 1506
1507 if (!audit_enabled)
1508 return;
1509
1498 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); 1510 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
1499 if (!ab) 1511 if (!ab)
1500 return; 1512 return;