diff options
Diffstat (limited to 'kernel')
-rw-r--r-- | kernel/audit.h | 13 | ||||
-rw-r--r-- | kernel/auditfilter.c | 48 | ||||
-rw-r--r-- | kernel/auditsc.c | 311 | ||||
-rw-r--r-- | kernel/ptrace.c | 3 | ||||
-rw-r--r-- | kernel/signal.c | 10 |
5 files changed, 290 insertions, 95 deletions
diff --git a/kernel/audit.h b/kernel/audit.h index a3370232a390..815d6f5c04ee 100644 --- a/kernel/audit.h +++ b/kernel/audit.h | |||
@@ -83,6 +83,7 @@ struct audit_krule { | |||
83 | u32 field_count; | 83 | u32 field_count; |
84 | char *filterkey; /* ties events to rules */ | 84 | char *filterkey; /* ties events to rules */ |
85 | struct audit_field *fields; | 85 | struct audit_field *fields; |
86 | struct audit_field *arch_f; /* quick access to arch field */ | ||
86 | struct audit_field *inode_f; /* quick access to an inode field */ | 87 | struct audit_field *inode_f; /* quick access to an inode field */ |
87 | struct audit_watch *watch; /* associated watch */ | 88 | struct audit_watch *watch; /* associated watch */ |
88 | struct list_head rlist; /* entry in audit_watch.rules list */ | 89 | struct list_head rlist; /* entry in audit_watch.rules list */ |
@@ -131,17 +132,19 @@ extern void audit_handle_ievent(struct inotify_watch *, u32, u32, u32, | |||
131 | extern int selinux_audit_rule_update(void); | 132 | extern int selinux_audit_rule_update(void); |
132 | 133 | ||
133 | #ifdef CONFIG_AUDITSYSCALL | 134 | #ifdef CONFIG_AUDITSYSCALL |
134 | extern void __audit_signal_info(int sig, struct task_struct *t); | 135 | extern int __audit_signal_info(int sig, struct task_struct *t); |
135 | static inline void audit_signal_info(int sig, struct task_struct *t) | 136 | static inline int audit_signal_info(int sig, struct task_struct *t) |
136 | { | 137 | { |
137 | if (unlikely(audit_pid && t->tgid == audit_pid)) | 138 | if (unlikely((audit_pid && t->tgid == audit_pid) || |
138 | __audit_signal_info(sig, t); | 139 | (audit_signals && !audit_dummy_context()))) |
140 | return __audit_signal_info(sig, t); | ||
141 | return 0; | ||
139 | } | 142 | } |
140 | extern enum audit_state audit_filter_inodes(struct task_struct *, | 143 | extern enum audit_state audit_filter_inodes(struct task_struct *, |
141 | struct audit_context *); | 144 | struct audit_context *); |
142 | extern void audit_set_auditable(struct audit_context *); | 145 | extern void audit_set_auditable(struct audit_context *); |
143 | #else | 146 | #else |
144 | #define audit_signal_info(s,t) | 147 | #define audit_signal_info(s,t) AUDIT_DISABLED |
145 | #define audit_filter_inodes(t,c) AUDIT_DISABLED | 148 | #define audit_filter_inodes(t,c) AUDIT_DISABLED |
146 | #define audit_set_auditable(c) | 149 | #define audit_set_auditable(c) |
147 | #endif | 150 | #endif |
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index 3749193aed8c..6c61263ff96d 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c | |||
@@ -311,6 +311,43 @@ int audit_match_class(int class, unsigned syscall) | |||
311 | return classes[class][AUDIT_WORD(syscall)] & AUDIT_BIT(syscall); | 311 | return classes[class][AUDIT_WORD(syscall)] & AUDIT_BIT(syscall); |
312 | } | 312 | } |
313 | 313 | ||
314 | static inline int audit_match_class_bits(int class, u32 *mask) | ||
315 | { | ||
316 | int i; | ||
317 | |||
318 | if (classes[class]) { | ||
319 | for (i = 0; i < AUDIT_BITMASK_SIZE; i++) | ||
320 | if (mask[i] & classes[class][i]) | ||
321 | return 0; | ||
322 | } | ||
323 | return 1; | ||
324 | } | ||
325 | |||
326 | static int audit_match_signal(struct audit_entry *entry) | ||
327 | { | ||
328 | struct audit_field *arch = entry->rule.arch_f; | ||
329 | |||
330 | if (!arch) { | ||
331 | /* When arch is unspecified, we must check both masks on biarch | ||
332 | * as syscall number alone is ambiguous. */ | ||
333 | return (audit_match_class_bits(AUDIT_CLASS_SIGNAL, | ||
334 | entry->rule.mask) && | ||
335 | audit_match_class_bits(AUDIT_CLASS_SIGNAL_32, | ||
336 | entry->rule.mask)); | ||
337 | } | ||
338 | |||
339 | switch(audit_classify_arch(arch->val)) { | ||
340 | case 0: /* native */ | ||
341 | return (audit_match_class_bits(AUDIT_CLASS_SIGNAL, | ||
342 | entry->rule.mask)); | ||
343 | case 1: /* 32bit on biarch */ | ||
344 | return (audit_match_class_bits(AUDIT_CLASS_SIGNAL_32, | ||
345 | entry->rule.mask)); | ||
346 | default: | ||
347 | return 1; | ||
348 | } | ||
349 | } | ||
350 | |||
314 | /* Common user-space to kernel rule translation. */ | 351 | /* Common user-space to kernel rule translation. */ |
315 | static inline struct audit_entry *audit_to_entry_common(struct audit_rule *rule) | 352 | static inline struct audit_entry *audit_to_entry_common(struct audit_rule *rule) |
316 | { | 353 | { |
@@ -429,6 +466,7 @@ static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule) | |||
429 | err = -EINVAL; | 466 | err = -EINVAL; |
430 | goto exit_free; | 467 | goto exit_free; |
431 | } | 468 | } |
469 | entry->rule.arch_f = f; | ||
432 | break; | 470 | break; |
433 | case AUDIT_PERM: | 471 | case AUDIT_PERM: |
434 | if (f->val & ~15) | 472 | if (f->val & ~15) |
@@ -519,7 +557,6 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, | |||
519 | case AUDIT_FSGID: | 557 | case AUDIT_FSGID: |
520 | case AUDIT_LOGINUID: | 558 | case AUDIT_LOGINUID: |
521 | case AUDIT_PERS: | 559 | case AUDIT_PERS: |
522 | case AUDIT_ARCH: | ||
523 | case AUDIT_MSGTYPE: | 560 | case AUDIT_MSGTYPE: |
524 | case AUDIT_PPID: | 561 | case AUDIT_PPID: |
525 | case AUDIT_DEVMAJOR: | 562 | case AUDIT_DEVMAJOR: |
@@ -531,6 +568,9 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, | |||
531 | case AUDIT_ARG2: | 568 | case AUDIT_ARG2: |
532 | case AUDIT_ARG3: | 569 | case AUDIT_ARG3: |
533 | break; | 570 | break; |
571 | case AUDIT_ARCH: | ||
572 | entry->rule.arch_f = f; | ||
573 | break; | ||
534 | case AUDIT_SUBJ_USER: | 574 | case AUDIT_SUBJ_USER: |
535 | case AUDIT_SUBJ_ROLE: | 575 | case AUDIT_SUBJ_ROLE: |
536 | case AUDIT_SUBJ_TYPE: | 576 | case AUDIT_SUBJ_TYPE: |
@@ -1221,6 +1261,9 @@ static inline int audit_add_rule(struct audit_entry *entry, | |||
1221 | #ifdef CONFIG_AUDITSYSCALL | 1261 | #ifdef CONFIG_AUDITSYSCALL |
1222 | if (!dont_count) | 1262 | if (!dont_count) |
1223 | audit_n_rules++; | 1263 | audit_n_rules++; |
1264 | |||
1265 | if (!audit_match_signal(entry)) | ||
1266 | audit_signals++; | ||
1224 | #endif | 1267 | #endif |
1225 | mutex_unlock(&audit_filter_mutex); | 1268 | mutex_unlock(&audit_filter_mutex); |
1226 | 1269 | ||
@@ -1294,6 +1337,9 @@ static inline int audit_del_rule(struct audit_entry *entry, | |||
1294 | #ifdef CONFIG_AUDITSYSCALL | 1337 | #ifdef CONFIG_AUDITSYSCALL |
1295 | if (!dont_count) | 1338 | if (!dont_count) |
1296 | audit_n_rules--; | 1339 | audit_n_rules--; |
1340 | |||
1341 | if (!audit_match_signal(entry)) | ||
1342 | audit_signals--; | ||
1297 | #endif | 1343 | #endif |
1298 | mutex_unlock(&audit_filter_mutex); | 1344 | mutex_unlock(&audit_filter_mutex); |
1299 | 1345 | ||
diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 628c7ac590a0..e36481ed61b4 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c | |||
@@ -78,17 +78,15 @@ extern int audit_enabled; | |||
78 | * for saving names from getname(). */ | 78 | * for saving names from getname(). */ |
79 | #define AUDIT_NAMES 20 | 79 | #define AUDIT_NAMES 20 |
80 | 80 | ||
81 | /* AUDIT_NAMES_RESERVED is the number of slots we reserve in the | ||
82 | * audit_context from being used for nameless inodes from | ||
83 | * path_lookup. */ | ||
84 | #define AUDIT_NAMES_RESERVED 7 | ||
85 | |||
86 | /* Indicates that audit should log the full pathname. */ | 81 | /* Indicates that audit should log the full pathname. */ |
87 | #define AUDIT_NAME_FULL -1 | 82 | #define AUDIT_NAME_FULL -1 |
88 | 83 | ||
89 | /* number of audit rules */ | 84 | /* number of audit rules */ |
90 | int audit_n_rules; | 85 | int audit_n_rules; |
91 | 86 | ||
87 | /* determines whether we collect data for signals sent */ | ||
88 | int audit_signals; | ||
89 | |||
92 | /* When fs/namei.c:getname() is called, we store the pointer in name and | 90 | /* When fs/namei.c:getname() is called, we store the pointer in name and |
93 | * we don't let putname() free it (instead we free all of the saved | 91 | * we don't let putname() free it (instead we free all of the saved |
94 | * pointers at syscall exit time). | 92 | * pointers at syscall exit time). |
@@ -114,6 +112,9 @@ struct audit_aux_data { | |||
114 | 112 | ||
115 | #define AUDIT_AUX_IPCPERM 0 | 113 | #define AUDIT_AUX_IPCPERM 0 |
116 | 114 | ||
115 | /* Number of target pids per aux struct. */ | ||
116 | #define AUDIT_AUX_PIDS 16 | ||
117 | |||
117 | struct audit_aux_data_mq_open { | 118 | struct audit_aux_data_mq_open { |
118 | struct audit_aux_data d; | 119 | struct audit_aux_data d; |
119 | int oflag; | 120 | int oflag; |
@@ -181,6 +182,13 @@ struct audit_aux_data_path { | |||
181 | struct vfsmount *mnt; | 182 | struct vfsmount *mnt; |
182 | }; | 183 | }; |
183 | 184 | ||
185 | struct audit_aux_data_pids { | ||
186 | struct audit_aux_data d; | ||
187 | pid_t target_pid[AUDIT_AUX_PIDS]; | ||
188 | u32 target_sid[AUDIT_AUX_PIDS]; | ||
189 | int pid_count; | ||
190 | }; | ||
191 | |||
184 | /* The per-task audit context. */ | 192 | /* The per-task audit context. */ |
185 | struct audit_context { | 193 | struct audit_context { |
186 | int dummy; /* must be the first element */ | 194 | int dummy; /* must be the first element */ |
@@ -201,6 +209,7 @@ struct audit_context { | |||
201 | struct vfsmount * pwdmnt; | 209 | struct vfsmount * pwdmnt; |
202 | struct audit_context *previous; /* For nested syscalls */ | 210 | struct audit_context *previous; /* For nested syscalls */ |
203 | struct audit_aux_data *aux; | 211 | struct audit_aux_data *aux; |
212 | struct audit_aux_data *aux_pids; | ||
204 | 213 | ||
205 | /* Save things to print about task_struct */ | 214 | /* Save things to print about task_struct */ |
206 | pid_t pid, ppid; | 215 | pid_t pid, ppid; |
@@ -209,6 +218,9 @@ struct audit_context { | |||
209 | unsigned long personality; | 218 | unsigned long personality; |
210 | int arch; | 219 | int arch; |
211 | 220 | ||
221 | pid_t target_pid; | ||
222 | u32 target_sid; | ||
223 | |||
212 | #if AUDIT_DEBUG | 224 | #if AUDIT_DEBUG |
213 | int put_count; | 225 | int put_count; |
214 | int ino_count; | 226 | int ino_count; |
@@ -654,6 +666,10 @@ static inline void audit_free_aux(struct audit_context *context) | |||
654 | context->aux = aux->next; | 666 | context->aux = aux->next; |
655 | kfree(aux); | 667 | kfree(aux); |
656 | } | 668 | } |
669 | while ((aux = context->aux_pids)) { | ||
670 | context->aux_pids = aux->next; | ||
671 | kfree(aux); | ||
672 | } | ||
657 | } | 673 | } |
658 | 674 | ||
659 | static inline void audit_zero_context(struct audit_context *context, | 675 | static inline void audit_zero_context(struct audit_context *context, |
@@ -795,6 +811,29 @@ static void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk | |||
795 | audit_log_task_context(ab); | 811 | audit_log_task_context(ab); |
796 | } | 812 | } |
797 | 813 | ||
814 | static int audit_log_pid_context(struct audit_context *context, pid_t pid, | ||
815 | u32 sid) | ||
816 | { | ||
817 | struct audit_buffer *ab; | ||
818 | char *s = NULL; | ||
819 | u32 len; | ||
820 | int rc = 0; | ||
821 | |||
822 | ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID); | ||
823 | if (!ab) | ||
824 | return 1; | ||
825 | |||
826 | if (selinux_sid_to_string(sid, &s, &len)) { | ||
827 | audit_log_format(ab, "opid=%d obj=(none)", pid); | ||
828 | rc = 1; | ||
829 | } else | ||
830 | audit_log_format(ab, "opid=%d obj=%s", pid, s); | ||
831 | audit_log_end(ab); | ||
832 | kfree(s); | ||
833 | |||
834 | return rc; | ||
835 | } | ||
836 | |||
798 | static void audit_log_exit(struct audit_context *context, struct task_struct *tsk) | 837 | static void audit_log_exit(struct audit_context *context, struct task_struct *tsk) |
799 | { | 838 | { |
800 | int i, call_panic = 0; | 839 | int i, call_panic = 0; |
@@ -973,6 +1012,21 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts | |||
973 | audit_log_end(ab); | 1012 | audit_log_end(ab); |
974 | } | 1013 | } |
975 | 1014 | ||
1015 | for (aux = context->aux_pids; aux; aux = aux->next) { | ||
1016 | struct audit_aux_data_pids *axs = (void *)aux; | ||
1017 | int i; | ||
1018 | |||
1019 | for (i = 0; i < axs->pid_count; i++) | ||
1020 | if (audit_log_pid_context(context, axs->target_pid[i], | ||
1021 | axs->target_sid[i])) | ||
1022 | call_panic = 1; | ||
1023 | } | ||
1024 | |||
1025 | if (context->target_pid && | ||
1026 | audit_log_pid_context(context, context->target_pid, | ||
1027 | context->target_sid)) | ||
1028 | call_panic = 1; | ||
1029 | |||
976 | if (context->pwd && context->pwdmnt) { | 1030 | if (context->pwd && context->pwdmnt) { |
977 | ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD); | 1031 | ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD); |
978 | if (ab) { | 1032 | if (ab) { |
@@ -1193,6 +1247,10 @@ void audit_syscall_exit(int valid, long return_code) | |||
1193 | } else { | 1247 | } else { |
1194 | audit_free_names(context); | 1248 | audit_free_names(context); |
1195 | audit_free_aux(context); | 1249 | audit_free_aux(context); |
1250 | context->aux = NULL; | ||
1251 | context->aux_pids = NULL; | ||
1252 | context->target_pid = 0; | ||
1253 | context->target_sid = 0; | ||
1196 | kfree(context->filterkey); | 1254 | kfree(context->filterkey); |
1197 | context->filterkey = NULL; | 1255 | context->filterkey = NULL; |
1198 | tsk->audit_context = context; | 1256 | tsk->audit_context = context; |
@@ -1226,6 +1284,7 @@ void __audit_getname(const char *name) | |||
1226 | context->names[context->name_count].name_len = AUDIT_NAME_FULL; | 1284 | context->names[context->name_count].name_len = AUDIT_NAME_FULL; |
1227 | context->names[context->name_count].name_put = 1; | 1285 | context->names[context->name_count].name_put = 1; |
1228 | context->names[context->name_count].ino = (unsigned long)-1; | 1286 | context->names[context->name_count].ino = (unsigned long)-1; |
1287 | context->names[context->name_count].osid = 0; | ||
1229 | ++context->name_count; | 1288 | ++context->name_count; |
1230 | if (!context->pwd) { | 1289 | if (!context->pwd) { |
1231 | read_lock(¤t->fs->lock); | 1290 | read_lock(¤t->fs->lock); |
@@ -1279,6 +1338,28 @@ void audit_putname(const char *name) | |||
1279 | #endif | 1338 | #endif |
1280 | } | 1339 | } |
1281 | 1340 | ||
1341 | static int audit_inc_name_count(struct audit_context *context, | ||
1342 | const struct inode *inode) | ||
1343 | { | ||
1344 | if (context->name_count >= AUDIT_NAMES) { | ||
1345 | if (inode) | ||
1346 | printk(KERN_DEBUG "name_count maxed, losing inode data: " | ||
1347 | "dev=%02x:%02x, inode=%lu", | ||
1348 | MAJOR(inode->i_sb->s_dev), | ||
1349 | MINOR(inode->i_sb->s_dev), | ||
1350 | inode->i_ino); | ||
1351 | |||
1352 | else | ||
1353 | printk(KERN_DEBUG "name_count maxed, losing inode data"); | ||
1354 | return 1; | ||
1355 | } | ||
1356 | context->name_count++; | ||
1357 | #if AUDIT_DEBUG | ||
1358 | context->ino_count++; | ||
1359 | #endif | ||
1360 | return 0; | ||
1361 | } | ||
1362 | |||
1282 | /* Copy inode data into an audit_names. */ | 1363 | /* Copy inode data into an audit_names. */ |
1283 | static void audit_copy_inode(struct audit_names *name, const struct inode *inode) | 1364 | static void audit_copy_inode(struct audit_names *name, const struct inode *inode) |
1284 | { | 1365 | { |
@@ -1316,13 +1397,10 @@ void __audit_inode(const char *name, const struct inode *inode) | |||
1316 | else { | 1397 | else { |
1317 | /* FIXME: how much do we care about inodes that have no | 1398 | /* FIXME: how much do we care about inodes that have no |
1318 | * associated name? */ | 1399 | * associated name? */ |
1319 | if (context->name_count >= AUDIT_NAMES - AUDIT_NAMES_RESERVED) | 1400 | if (audit_inc_name_count(context, inode)) |
1320 | return; | 1401 | return; |
1321 | idx = context->name_count++; | 1402 | idx = context->name_count - 1; |
1322 | context->names[idx].name = NULL; | 1403 | context->names[idx].name = NULL; |
1323 | #if AUDIT_DEBUG | ||
1324 | ++context->ino_count; | ||
1325 | #endif | ||
1326 | } | 1404 | } |
1327 | audit_copy_inode(&context->names[idx], inode); | 1405 | audit_copy_inode(&context->names[idx], inode); |
1328 | } | 1406 | } |
@@ -1346,7 +1424,7 @@ void __audit_inode_child(const char *dname, const struct inode *inode, | |||
1346 | { | 1424 | { |
1347 | int idx; | 1425 | int idx; |
1348 | struct audit_context *context = current->audit_context; | 1426 | struct audit_context *context = current->audit_context; |
1349 | const char *found_name = NULL; | 1427 | const char *found_parent = NULL, *found_child = NULL; |
1350 | int dirlen = 0; | 1428 | int dirlen = 0; |
1351 | 1429 | ||
1352 | if (!context->in_syscall) | 1430 | if (!context->in_syscall) |
@@ -1354,88 +1432,73 @@ void __audit_inode_child(const char *dname, const struct inode *inode, | |||
1354 | 1432 | ||
1355 | /* determine matching parent */ | 1433 | /* determine matching parent */ |
1356 | if (!dname) | 1434 | if (!dname) |
1357 | goto update_context; | 1435 | goto add_names; |
1358 | for (idx = 0; idx < context->name_count; idx++) | ||
1359 | if (context->names[idx].ino == parent->i_ino) { | ||
1360 | const char *name = context->names[idx].name; | ||
1361 | 1436 | ||
1362 | if (!name) | 1437 | /* parent is more likely, look for it first */ |
1363 | continue; | 1438 | for (idx = 0; idx < context->name_count; idx++) { |
1439 | struct audit_names *n = &context->names[idx]; | ||
1364 | 1440 | ||
1365 | if (audit_compare_dname_path(dname, name, &dirlen) == 0) { | 1441 | if (!n->name) |
1366 | context->names[idx].name_len = dirlen; | 1442 | continue; |
1367 | found_name = name; | 1443 | |
1368 | break; | 1444 | if (n->ino == parent->i_ino && |
1369 | } | 1445 | !audit_compare_dname_path(dname, n->name, &dirlen)) { |
1446 | n->name_len = dirlen; /* update parent data in place */ | ||
1447 | found_parent = n->name; | ||
1448 | goto add_names; | ||
1370 | } | 1449 | } |
1450 | } | ||
1371 | 1451 | ||
1372 | update_context: | 1452 | /* no matching parent, look for matching child */ |
1373 | idx = context->name_count; | 1453 | for (idx = 0; idx < context->name_count; idx++) { |
1374 | if (context->name_count == AUDIT_NAMES) { | 1454 | struct audit_names *n = &context->names[idx]; |
1375 | printk(KERN_DEBUG "name_count maxed and losing %s\n", | 1455 | |
1376 | found_name ?: "(null)"); | 1456 | if (!n->name) |
1377 | return; | 1457 | continue; |
1458 | |||
1459 | /* strcmp() is the more likely scenario */ | ||
1460 | if (!strcmp(dname, n->name) || | ||
1461 | !audit_compare_dname_path(dname, n->name, &dirlen)) { | ||
1462 | if (inode) | ||
1463 | audit_copy_inode(n, inode); | ||
1464 | else | ||
1465 | n->ino = (unsigned long)-1; | ||
1466 | found_child = n->name; | ||
1467 | goto add_names; | ||
1468 | } | ||
1378 | } | 1469 | } |
1379 | context->name_count++; | 1470 | |
1380 | #if AUDIT_DEBUG | 1471 | add_names: |
1381 | context->ino_count++; | 1472 | if (!found_parent) { |
1382 | #endif | 1473 | if (audit_inc_name_count(context, parent)) |
1383 | /* Re-use the name belonging to the slot for a matching parent directory. | ||
1384 | * All names for this context are relinquished in audit_free_names() */ | ||
1385 | context->names[idx].name = found_name; | ||
1386 | context->names[idx].name_len = AUDIT_NAME_FULL; | ||
1387 | context->names[idx].name_put = 0; /* don't call __putname() */ | ||
1388 | |||
1389 | if (!inode) | ||
1390 | context->names[idx].ino = (unsigned long)-1; | ||
1391 | else | ||
1392 | audit_copy_inode(&context->names[idx], inode); | ||
1393 | |||
1394 | /* A parent was not found in audit_names, so copy the inode data for the | ||
1395 | * provided parent. */ | ||
1396 | if (!found_name) { | ||
1397 | idx = context->name_count; | ||
1398 | if (context->name_count == AUDIT_NAMES) { | ||
1399 | printk(KERN_DEBUG | ||
1400 | "name_count maxed and losing parent inode data: dev=%02x:%02x, inode=%lu", | ||
1401 | MAJOR(parent->i_sb->s_dev), | ||
1402 | MINOR(parent->i_sb->s_dev), | ||
1403 | parent->i_ino); | ||
1404 | return; | 1474 | return; |
1405 | } | 1475 | idx = context->name_count - 1; |
1406 | context->name_count++; | 1476 | context->names[idx].name = NULL; |
1407 | #if AUDIT_DEBUG | ||
1408 | context->ino_count++; | ||
1409 | #endif | ||
1410 | audit_copy_inode(&context->names[idx], parent); | 1477 | audit_copy_inode(&context->names[idx], parent); |
1411 | } | 1478 | } |
1412 | } | ||
1413 | 1479 | ||
1414 | /** | 1480 | if (!found_child) { |
1415 | * audit_inode_update - update inode info for last collected name | 1481 | if (audit_inc_name_count(context, inode)) |
1416 | * @inode: inode being audited | 1482 | return; |
1417 | * | 1483 | idx = context->name_count - 1; |
1418 | * When open() is called on an existing object with the O_CREAT flag, the inode | ||
1419 | * data audit initially collects is incorrect. This additional hook ensures | ||
1420 | * audit has the inode data for the actual object to be opened. | ||
1421 | */ | ||
1422 | void __audit_inode_update(const struct inode *inode) | ||
1423 | { | ||
1424 | struct audit_context *context = current->audit_context; | ||
1425 | int idx; | ||
1426 | 1484 | ||
1427 | if (!context->in_syscall || !inode) | 1485 | /* Re-use the name belonging to the slot for a matching parent |
1428 | return; | 1486 | * directory. All names for this context are relinquished in |
1487 | * audit_free_names() */ | ||
1488 | if (found_parent) { | ||
1489 | context->names[idx].name = found_parent; | ||
1490 | context->names[idx].name_len = AUDIT_NAME_FULL; | ||
1491 | /* don't call __putname() */ | ||
1492 | context->names[idx].name_put = 0; | ||
1493 | } else { | ||
1494 | context->names[idx].name = NULL; | ||
1495 | } | ||
1429 | 1496 | ||
1430 | if (context->name_count == 0) { | 1497 | if (inode) |
1431 | context->name_count++; | 1498 | audit_copy_inode(&context->names[idx], inode); |
1432 | #if AUDIT_DEBUG | 1499 | else |
1433 | context->ino_count++; | 1500 | context->names[idx].ino = (unsigned long)-1; |
1434 | #endif | ||
1435 | } | 1501 | } |
1436 | idx = context->name_count - 1; | ||
1437 | |||
1438 | audit_copy_inode(&context->names[idx], inode); | ||
1439 | } | 1502 | } |
1440 | 1503 | ||
1441 | /** | 1504 | /** |
@@ -1880,6 +1943,14 @@ int audit_sockaddr(int len, void *a) | |||
1880 | return 0; | 1943 | return 0; |
1881 | } | 1944 | } |
1882 | 1945 | ||
1946 | void __audit_ptrace(struct task_struct *t) | ||
1947 | { | ||
1948 | struct audit_context *context = current->audit_context; | ||
1949 | |||
1950 | context->target_pid = t->pid; | ||
1951 | selinux_get_task_sid(t, &context->target_sid); | ||
1952 | } | ||
1953 | |||
1883 | /** | 1954 | /** |
1884 | * audit_avc_path - record the granting or denial of permissions | 1955 | * audit_avc_path - record the granting or denial of permissions |
1885 | * @dentry: dentry to record | 1956 | * @dentry: dentry to record |
@@ -1918,15 +1989,17 @@ int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt) | |||
1918 | * If the audit subsystem is being terminated, record the task (pid) | 1989 | * If the audit subsystem is being terminated, record the task (pid) |
1919 | * and uid that is doing that. | 1990 | * and uid that is doing that. |
1920 | */ | 1991 | */ |
1921 | void __audit_signal_info(int sig, struct task_struct *t) | 1992 | int __audit_signal_info(int sig, struct task_struct *t) |
1922 | { | 1993 | { |
1994 | struct audit_aux_data_pids *axp; | ||
1995 | struct task_struct *tsk = current; | ||
1996 | struct audit_context *ctx = tsk->audit_context; | ||
1923 | extern pid_t audit_sig_pid; | 1997 | extern pid_t audit_sig_pid; |
1924 | extern uid_t audit_sig_uid; | 1998 | extern uid_t audit_sig_uid; |
1925 | extern u32 audit_sig_sid; | 1999 | extern u32 audit_sig_sid; |
1926 | 2000 | ||
1927 | if (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1) { | 2001 | if (audit_pid && t->tgid == audit_pid && |
1928 | struct task_struct *tsk = current; | 2002 | (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1)) { |
1929 | struct audit_context *ctx = tsk->audit_context; | ||
1930 | audit_sig_pid = tsk->pid; | 2003 | audit_sig_pid = tsk->pid; |
1931 | if (ctx) | 2004 | if (ctx) |
1932 | audit_sig_uid = ctx->loginuid; | 2005 | audit_sig_uid = ctx->loginuid; |
@@ -1934,4 +2007,72 @@ void __audit_signal_info(int sig, struct task_struct *t) | |||
1934 | audit_sig_uid = tsk->uid; | 2007 | audit_sig_uid = tsk->uid; |
1935 | selinux_get_task_sid(tsk, &audit_sig_sid); | 2008 | selinux_get_task_sid(tsk, &audit_sig_sid); |
1936 | } | 2009 | } |
2010 | |||
2011 | if (!audit_signals) /* audit_context checked in wrapper */ | ||
2012 | return 0; | ||
2013 | |||
2014 | /* optimize the common case by putting first signal recipient directly | ||
2015 | * in audit_context */ | ||
2016 | if (!ctx->target_pid) { | ||
2017 | ctx->target_pid = t->tgid; | ||
2018 | selinux_get_task_sid(t, &ctx->target_sid); | ||
2019 | return 0; | ||
2020 | } | ||
2021 | |||
2022 | axp = (void *)ctx->aux_pids; | ||
2023 | if (!axp || axp->pid_count == AUDIT_AUX_PIDS) { | ||
2024 | axp = kzalloc(sizeof(*axp), GFP_ATOMIC); | ||
2025 | if (!axp) | ||
2026 | return -ENOMEM; | ||
2027 | |||
2028 | axp->d.type = AUDIT_OBJ_PID; | ||
2029 | axp->d.next = ctx->aux_pids; | ||
2030 | ctx->aux_pids = (void *)axp; | ||
2031 | } | ||
2032 | BUG_ON(axp->pid_count > AUDIT_AUX_PIDS); | ||
2033 | |||
2034 | axp->target_pid[axp->pid_count] = t->tgid; | ||
2035 | selinux_get_task_sid(t, &axp->target_sid[axp->pid_count]); | ||
2036 | axp->pid_count++; | ||
2037 | |||
2038 | return 0; | ||
2039 | } | ||
2040 | |||
2041 | /** | ||
2042 | * audit_core_dumps - record information about processes that end abnormally | ||
2043 | * @sig: signal value | ||
2044 | * | ||
2045 | * If a process ends with a core dump, something fishy is going on and we | ||
2046 | * should record the event for investigation. | ||
2047 | */ | ||
2048 | void audit_core_dumps(long signr) | ||
2049 | { | ||
2050 | struct audit_buffer *ab; | ||
2051 | u32 sid; | ||
2052 | |||
2053 | if (!audit_enabled) | ||
2054 | return; | ||
2055 | |||
2056 | if (signr == SIGQUIT) /* don't care for those */ | ||
2057 | return; | ||
2058 | |||
2059 | ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND); | ||
2060 | audit_log_format(ab, "auid=%u uid=%u gid=%u", | ||
2061 | audit_get_loginuid(current->audit_context), | ||
2062 | current->uid, current->gid); | ||
2063 | selinux_get_task_sid(current, &sid); | ||
2064 | if (sid) { | ||
2065 | char *ctx = NULL; | ||
2066 | u32 len; | ||
2067 | |||
2068 | if (selinux_sid_to_string(sid, &ctx, &len)) | ||
2069 | audit_log_format(ab, " ssid=%u", sid); | ||
2070 | else | ||
2071 | audit_log_format(ab, " subj=%s", ctx); | ||
2072 | kfree(ctx); | ||
2073 | } | ||
2074 | audit_log_format(ab, " pid=%d comm=", current->pid); | ||
2075 | audit_log_untrustedstring(ab, current->comm); | ||
2076 | audit_log_format(ab, " sig=%ld", signr); | ||
2077 | audit_log_end(ab); | ||
1937 | } | 2078 | } |
diff --git a/kernel/ptrace.c b/kernel/ptrace.c index 4d50e06fd745..ad7949a589dd 100644 --- a/kernel/ptrace.c +++ b/kernel/ptrace.c | |||
@@ -18,6 +18,7 @@ | |||
18 | #include <linux/ptrace.h> | 18 | #include <linux/ptrace.h> |
19 | #include <linux/security.h> | 19 | #include <linux/security.h> |
20 | #include <linux/signal.h> | 20 | #include <linux/signal.h> |
21 | #include <linux/audit.h> | ||
21 | 22 | ||
22 | #include <asm/pgtable.h> | 23 | #include <asm/pgtable.h> |
23 | #include <asm/uaccess.h> | 24 | #include <asm/uaccess.h> |
@@ -161,6 +162,8 @@ int ptrace_attach(struct task_struct *task) | |||
161 | { | 162 | { |
162 | int retval; | 163 | int retval; |
163 | 164 | ||
165 | audit_ptrace(task); | ||
166 | |||
164 | retval = -EPERM; | 167 | retval = -EPERM; |
165 | if (task->pid <= 1) | 168 | if (task->pid <= 1) |
166 | goto out; | 169 | goto out; |
diff --git a/kernel/signal.c b/kernel/signal.c index 34b7d6abce8f..364fc95bf97c 100644 --- a/kernel/signal.c +++ b/kernel/signal.c | |||
@@ -497,6 +497,11 @@ static int check_kill_permission(int sig, struct siginfo *info, | |||
497 | int error = -EINVAL; | 497 | int error = -EINVAL; |
498 | if (!valid_signal(sig)) | 498 | if (!valid_signal(sig)) |
499 | return error; | 499 | return error; |
500 | |||
501 | error = audit_signal_info(sig, t); /* Let audit system see the signal */ | ||
502 | if (error) | ||
503 | return error; | ||
504 | |||
500 | error = -EPERM; | 505 | error = -EPERM; |
501 | if ((info == SEND_SIG_NOINFO || (!is_si_special(info) && SI_FROMUSER(info))) | 506 | if ((info == SEND_SIG_NOINFO || (!is_si_special(info) && SI_FROMUSER(info))) |
502 | && ((sig != SIGCONT) || | 507 | && ((sig != SIGCONT) || |
@@ -506,10 +511,7 @@ static int check_kill_permission(int sig, struct siginfo *info, | |||
506 | && !capable(CAP_KILL)) | 511 | && !capable(CAP_KILL)) |
507 | return error; | 512 | return error; |
508 | 513 | ||
509 | error = security_task_kill(t, info, sig, 0); | 514 | return security_task_kill(t, info, sig, 0); |
510 | if (!error) | ||
511 | audit_signal_info(sig, t); /* Let audit system see the signal */ | ||
512 | return error; | ||
513 | } | 515 | } |
514 | 516 | ||
515 | /* forward decl */ | 517 | /* forward decl */ |