aboutsummaryrefslogtreecommitdiffstats
path: root/kernel
diff options
context:
space:
mode:
Diffstat (limited to 'kernel')
-rw-r--r--kernel/audit.c548
-rw-r--r--kernel/auditsc.c143
-rw-r--r--kernel/signal.c7
3 files changed, 370 insertions, 328 deletions
diff --git a/kernel/audit.c b/kernel/audit.c
index 9c4f1af0c794..bbc6f542c8f7 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -46,6 +46,8 @@
46#include <asm/types.h> 46#include <asm/types.h>
47#include <linux/mm.h> 47#include <linux/mm.h>
48#include <linux/module.h> 48#include <linux/module.h>
49#include <linux/err.h>
50#include <linux/kthread.h>
49 51
50#include <linux/audit.h> 52#include <linux/audit.h>
51 53
@@ -68,7 +70,7 @@ static int audit_failure = AUDIT_FAIL_PRINTK;
68 70
69/* If audit records are to be written to the netlink socket, audit_pid 71/* If audit records are to be written to the netlink socket, audit_pid
70 * contains the (non-zero) pid. */ 72 * contains the (non-zero) pid. */
71static int audit_pid; 73int audit_pid;
72 74
73/* If audit_limit is non-zero, limit the rate of sending audit records 75/* If audit_limit is non-zero, limit the rate of sending audit records
74 * to that number per second. This prevents DoS attacks, but results in 76 * to that number per second. This prevents DoS attacks, but results in
@@ -77,7 +79,10 @@ static int audit_rate_limit;
77 79
78/* Number of outstanding audit_buffers allowed. */ 80/* Number of outstanding audit_buffers allowed. */
79static int audit_backlog_limit = 64; 81static int audit_backlog_limit = 64;
80static atomic_t audit_backlog = ATOMIC_INIT(0); 82
83/* The identity of the user shutting down the audit system. */
84uid_t audit_sig_uid = -1;
85pid_t audit_sig_pid = -1;
81 86
82/* Records can be lost in several ways: 87/* Records can be lost in several ways:
83 0) [suppressed in audit_alloc] 88 0) [suppressed in audit_alloc]
@@ -91,19 +96,17 @@ static atomic_t audit_lost = ATOMIC_INIT(0);
91/* The netlink socket. */ 96/* The netlink socket. */
92static struct sock *audit_sock; 97static struct sock *audit_sock;
93 98
94/* There are two lists of audit buffers. The txlist contains audit 99/* The audit_freelist is a list of pre-allocated audit buffers (if more
95 * buffers that cannot be sent immediately to the netlink device because
96 * we are in an irq context (these are sent later in a tasklet).
97 *
98 * The second list is a list of pre-allocated audit buffers (if more
99 * than AUDIT_MAXFREE are in use, the audit buffer is freed instead of 100 * than AUDIT_MAXFREE are in use, the audit buffer is freed instead of
100 * being placed on the freelist). */ 101 * being placed on the freelist). */
101static DEFINE_SPINLOCK(audit_txlist_lock);
102static DEFINE_SPINLOCK(audit_freelist_lock); 102static DEFINE_SPINLOCK(audit_freelist_lock);
103static int audit_freelist_count = 0; 103static int audit_freelist_count = 0;
104static LIST_HEAD(audit_txlist);
105static LIST_HEAD(audit_freelist); 104static LIST_HEAD(audit_freelist);
106 105
106static struct sk_buff_head audit_skb_queue;
107static struct task_struct *kauditd_task;
108static DECLARE_WAIT_QUEUE_HEAD(kauditd_wait);
109
107/* There are three lists of rules -- one to search at task creation 110/* There are three lists of rules -- one to search at task creation
108 * time, one to search at syscall entry time, and another to search at 111 * time, one to search at syscall entry time, and another to search at
109 * syscall exit time. */ 112 * syscall exit time. */
@@ -112,7 +115,7 @@ static LIST_HEAD(audit_entlist);
112static LIST_HEAD(audit_extlist); 115static LIST_HEAD(audit_extlist);
113 116
114/* The netlink socket is only to be read by 1 CPU, which lets us assume 117/* The netlink socket is only to be read by 1 CPU, which lets us assume
115 * that list additions and deletions never happen simultaneiously in 118 * that list additions and deletions never happen simultaneously in
116 * auditsc.c */ 119 * auditsc.c */
117static DECLARE_MUTEX(audit_netlink_sem); 120static DECLARE_MUTEX(audit_netlink_sem);
118 121
@@ -132,21 +135,14 @@ static DECLARE_MUTEX(audit_netlink_sem);
132 * use simultaneously. */ 135 * use simultaneously. */
133struct audit_buffer { 136struct audit_buffer {
134 struct list_head list; 137 struct list_head list;
135 struct sk_buff_head sklist; /* formatted skbs ready to send */ 138 struct sk_buff *skb; /* formatted skb ready to send */
136 struct audit_context *ctx; /* NULL or associated context */ 139 struct audit_context *ctx; /* NULL or associated context */
137 int len; /* used area of tmp */
138 char tmp[AUDIT_BUFSIZ];
139
140 /* Pointer to header and contents */
141 struct nlmsghdr *nlh;
142 int total;
143 int type;
144 int pid;
145}; 140};
146 141
147void audit_set_type(struct audit_buffer *ab, int type) 142static void audit_set_pid(struct audit_buffer *ab, pid_t pid)
148{ 143{
149 ab->type = type; 144 struct nlmsghdr *nlh = (struct nlmsghdr *)ab->skb->data;
145 nlh->nlmsg_pid = pid;
150} 146}
151 147
152struct audit_entry { 148struct audit_entry {
@@ -154,9 +150,6 @@ struct audit_entry {
154 struct audit_rule rule; 150 struct audit_rule rule;
155}; 151};
156 152
157static void audit_log_end_irq(struct audit_buffer *ab);
158static void audit_log_end_fast(struct audit_buffer *ab);
159
160static void audit_panic(const char *message) 153static void audit_panic(const char *message)
161{ 154{
162 switch (audit_failure) 155 switch (audit_failure)
@@ -227,10 +220,8 @@ void audit_log_lost(const char *message)
227 220
228 if (print) { 221 if (print) {
229 printk(KERN_WARNING 222 printk(KERN_WARNING
230 "audit: audit_lost=%d audit_backlog=%d" 223 "audit: audit_lost=%d audit_rate_limit=%d audit_backlog_limit=%d\n",
231 " audit_rate_limit=%d audit_backlog_limit=%d\n",
232 atomic_read(&audit_lost), 224 atomic_read(&audit_lost),
233 atomic_read(&audit_backlog),
234 audit_rate_limit, 225 audit_rate_limit,
235 audit_backlog_limit); 226 audit_backlog_limit);
236 audit_panic(message); 227 audit_panic(message);
@@ -242,7 +233,8 @@ static int audit_set_rate_limit(int limit, uid_t loginuid)
242{ 233{
243 int old = audit_rate_limit; 234 int old = audit_rate_limit;
244 audit_rate_limit = limit; 235 audit_rate_limit = limit;
245 audit_log(NULL, "audit_rate_limit=%d old=%d by auid %u", 236 audit_log(NULL, AUDIT_CONFIG_CHANGE,
237 "audit_rate_limit=%d old=%d by auid %u",
246 audit_rate_limit, old, loginuid); 238 audit_rate_limit, old, loginuid);
247 return old; 239 return old;
248} 240}
@@ -251,7 +243,8 @@ static int audit_set_backlog_limit(int limit, uid_t loginuid)
251{ 243{
252 int old = audit_backlog_limit; 244 int old = audit_backlog_limit;
253 audit_backlog_limit = limit; 245 audit_backlog_limit = limit;
254 audit_log(NULL, "audit_backlog_limit=%d old=%d by auid %u", 246 audit_log(NULL, AUDIT_CONFIG_CHANGE,
247 "audit_backlog_limit=%d old=%d by auid %u",
255 audit_backlog_limit, old, loginuid); 248 audit_backlog_limit, old, loginuid);
256 return old; 249 return old;
257} 250}
@@ -262,8 +255,9 @@ static int audit_set_enabled(int state, uid_t loginuid)
262 if (state != 0 && state != 1) 255 if (state != 0 && state != 1)
263 return -EINVAL; 256 return -EINVAL;
264 audit_enabled = state; 257 audit_enabled = state;
265 audit_log(NULL, "audit_enabled=%d old=%d by auid %u", 258 audit_log(NULL, AUDIT_CONFIG_CHANGE,
266 audit_enabled, old, loginuid); 259 "audit_enabled=%d old=%d by auid %u",
260 audit_enabled, old, loginuid);
267 return old; 261 return old;
268} 262}
269 263
@@ -275,12 +269,44 @@ static int audit_set_failure(int state, uid_t loginuid)
275 && state != AUDIT_FAIL_PANIC) 269 && state != AUDIT_FAIL_PANIC)
276 return -EINVAL; 270 return -EINVAL;
277 audit_failure = state; 271 audit_failure = state;
278 audit_log(NULL, "audit_failure=%d old=%d by auid %u", 272 audit_log(NULL, AUDIT_CONFIG_CHANGE,
279 audit_failure, old, loginuid); 273 "audit_failure=%d old=%d by auid %u",
274 audit_failure, old, loginuid);
280 return old; 275 return old;
281} 276}
282 277
283#ifdef CONFIG_NET 278int kauditd_thread(void *dummy)
279{
280 struct sk_buff *skb;
281
282 while (1) {
283 skb = skb_dequeue(&audit_skb_queue);
284 if (skb) {
285 if (audit_pid) {
286 int err = netlink_unicast(audit_sock, skb, audit_pid, 0);
287 if (err < 0) {
288 BUG_ON(err != -ECONNREFUSED); /* Shoudn't happen */
289 printk(KERN_ERR "audit: *NO* daemon at audit_pid=%d\n", audit_pid);
290 audit_pid = 0;
291 }
292 } else {
293 printk(KERN_ERR "%s\n", skb->data + NLMSG_SPACE(0));
294 kfree_skb(skb);
295 }
296 } else {
297 DECLARE_WAITQUEUE(wait, current);
298 set_current_state(TASK_INTERRUPTIBLE);
299 add_wait_queue(&kauditd_wait, &wait);
300
301 if (!skb_queue_len(&audit_skb_queue))
302 schedule();
303
304 __set_current_state(TASK_RUNNING);
305 remove_wait_queue(&kauditd_wait, &wait);
306 }
307 }
308}
309
284void audit_send_reply(int pid, int seq, int type, int done, int multi, 310void audit_send_reply(int pid, int seq, int type, int done, int multi,
285 void *payload, int size) 311 void *payload, int size)
286{ 312{
@@ -293,13 +319,16 @@ void audit_send_reply(int pid, int seq, int type, int done, int multi,
293 319
294 skb = alloc_skb(len, GFP_KERNEL); 320 skb = alloc_skb(len, GFP_KERNEL);
295 if (!skb) 321 if (!skb)
296 goto nlmsg_failure; 322 return;
297 323
298 nlh = NLMSG_PUT(skb, pid, seq, t, len - sizeof(*nlh)); 324 nlh = NLMSG_PUT(skb, pid, seq, t, size);
299 nlh->nlmsg_flags = flags; 325 nlh->nlmsg_flags = flags;
300 data = NLMSG_DATA(nlh); 326 data = NLMSG_DATA(nlh);
301 memcpy(data, payload, size); 327 memcpy(data, payload, size);
302 netlink_unicast(audit_sock, skb, pid, MSG_DONTWAIT); 328
329 /* Ignore failure. It'll only happen if the sender goes away,
330 because our timeout is set to infinite. */
331 netlink_unicast(audit_sock, skb, pid, 0);
303 return; 332 return;
304 333
305nlmsg_failure: /* Used by NLMSG_PUT */ 334nlmsg_failure: /* Used by NLMSG_PUT */
@@ -321,10 +350,11 @@ static int audit_netlink_ok(kernel_cap_t eff_cap, u16 msg_type)
321 case AUDIT_SET: 350 case AUDIT_SET:
322 case AUDIT_ADD: 351 case AUDIT_ADD:
323 case AUDIT_DEL: 352 case AUDIT_DEL:
353 case AUDIT_SIGNAL_INFO:
324 if (!cap_raised(eff_cap, CAP_AUDIT_CONTROL)) 354 if (!cap_raised(eff_cap, CAP_AUDIT_CONTROL))
325 err = -EPERM; 355 err = -EPERM;
326 break; 356 break;
327 case AUDIT_USER: 357 case AUDIT_FIRST_USER_MSG...AUDIT_LAST_USER_MSG:
328 if (!cap_raised(eff_cap, CAP_AUDIT_WRITE)) 358 if (!cap_raised(eff_cap, CAP_AUDIT_WRITE))
329 err = -EPERM; 359 err = -EPERM;
330 break; 360 break;
@@ -344,11 +374,21 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
344 struct audit_buffer *ab; 374 struct audit_buffer *ab;
345 u16 msg_type = nlh->nlmsg_type; 375 u16 msg_type = nlh->nlmsg_type;
346 uid_t loginuid; /* loginuid of sender */ 376 uid_t loginuid; /* loginuid of sender */
377 struct audit_sig_info sig_data;
347 378
348 err = audit_netlink_ok(NETLINK_CB(skb).eff_cap, msg_type); 379 err = audit_netlink_ok(NETLINK_CB(skb).eff_cap, msg_type);
349 if (err) 380 if (err)
350 return err; 381 return err;
351 382
383 /* As soon as there's any sign of userspace auditd, start kauditd to talk to it */
384 if (!kauditd_task)
385 kauditd_task = kthread_run(kauditd_thread, NULL, "kauditd");
386 if (IS_ERR(kauditd_task)) {
387 err = PTR_ERR(kauditd_task);
388 kauditd_task = NULL;
389 return err;
390 }
391
352 pid = NETLINK_CREDS(skb)->pid; 392 pid = NETLINK_CREDS(skb)->pid;
353 uid = NETLINK_CREDS(skb)->uid; 393 uid = NETLINK_CREDS(skb)->uid;
354 loginuid = NETLINK_CB(skb).loginuid; 394 loginuid = NETLINK_CB(skb).loginuid;
@@ -363,7 +403,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
363 status_set.rate_limit = audit_rate_limit; 403 status_set.rate_limit = audit_rate_limit;
364 status_set.backlog_limit = audit_backlog_limit; 404 status_set.backlog_limit = audit_backlog_limit;
365 status_set.lost = atomic_read(&audit_lost); 405 status_set.lost = atomic_read(&audit_lost);
366 status_set.backlog = atomic_read(&audit_backlog); 406 status_set.backlog = skb_queue_len(&audit_skb_queue);
367 audit_send_reply(NETLINK_CB(skb).pid, seq, AUDIT_GET, 0, 0, 407 audit_send_reply(NETLINK_CB(skb).pid, seq, AUDIT_GET, 0, 0,
368 &status_set, sizeof(status_set)); 408 &status_set, sizeof(status_set));
369 break; 409 break;
@@ -382,7 +422,8 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
382 if (status_get->mask & AUDIT_STATUS_PID) { 422 if (status_get->mask & AUDIT_STATUS_PID) {
383 int old = audit_pid; 423 int old = audit_pid;
384 audit_pid = status_get->pid; 424 audit_pid = status_get->pid;
385 audit_log(NULL, "audit_pid=%d old=%d by auid %u", 425 audit_log(NULL, AUDIT_CONFIG_CHANGE,
426 "audit_pid=%d old=%d by auid %u",
386 audit_pid, old, loginuid); 427 audit_pid, old, loginuid);
387 } 428 }
388 if (status_get->mask & AUDIT_STATUS_RATE_LIMIT) 429 if (status_get->mask & AUDIT_STATUS_RATE_LIMIT)
@@ -391,8 +432,8 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
391 audit_set_backlog_limit(status_get->backlog_limit, 432 audit_set_backlog_limit(status_get->backlog_limit,
392 loginuid); 433 loginuid);
393 break; 434 break;
394 case AUDIT_USER: 435 case AUDIT_FIRST_USER_MSG...AUDIT_LAST_USER_MSG:
395 ab = audit_log_start(NULL); 436 ab = audit_log_start(NULL, msg_type);
396 if (!ab) 437 if (!ab)
397 break; /* audit_panic has been called */ 438 break; /* audit_panic has been called */
398 audit_log_format(ab, 439 audit_log_format(ab,
@@ -402,8 +443,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
402 (int)(nlh->nlmsg_len 443 (int)(nlh->nlmsg_len
403 - ((char *)data - (char *)nlh)), 444 - ((char *)data - (char *)nlh)),
404 loginuid, (char *)data); 445 loginuid, (char *)data);
405 ab->type = AUDIT_USER; 446 audit_set_pid(ab, pid);
406 ab->pid = pid;
407 audit_log_end(ab); 447 audit_log_end(ab);
408 break; 448 break;
409 case AUDIT_ADD: 449 case AUDIT_ADD:
@@ -412,12 +452,14 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
412 return -EINVAL; 452 return -EINVAL;
413 /* fallthrough */ 453 /* fallthrough */
414 case AUDIT_LIST: 454 case AUDIT_LIST:
415#ifdef CONFIG_AUDITSYSCALL
416 err = audit_receive_filter(nlh->nlmsg_type, NETLINK_CB(skb).pid, 455 err = audit_receive_filter(nlh->nlmsg_type, NETLINK_CB(skb).pid,
417 uid, seq, data, loginuid); 456 uid, seq, data, loginuid);
418#else 457 break;
419 err = -EOPNOTSUPP; 458 case AUDIT_SIGNAL_INFO:
420#endif 459 sig_data.uid = audit_sig_uid;
460 sig_data.pid = audit_sig_pid;
461 audit_send_reply(NETLINK_CB(skb).pid, seq, AUDIT_SIGNAL_INFO,
462 0, 0, &sig_data, sizeof(sig_data));
421 break; 463 break;
422 default: 464 default:
423 err = -EINVAL; 465 err = -EINVAL;
@@ -467,87 +509,6 @@ static void audit_receive(struct sock *sk, int length)
467 up(&audit_netlink_sem); 509 up(&audit_netlink_sem);
468} 510}
469 511
470/* Move data from tmp buffer into an skb. This is an extra copy, and
471 * that is unfortunate. However, the copy will only occur when a record
472 * is being written to user space, which is already a high-overhead
473 * operation. (Elimination of the copy is possible, for example, by
474 * writing directly into a pre-allocated skb, at the cost of wasting
475 * memory. */
476static void audit_log_move(struct audit_buffer *ab)
477{
478 struct sk_buff *skb;
479 char *start;
480 int extra = ab->nlh ? 0 : NLMSG_SPACE(0);
481
482 /* possible resubmission */
483 if (ab->len == 0)
484 return;
485
486 skb = skb_peek_tail(&ab->sklist);
487 if (!skb || skb_tailroom(skb) <= ab->len + extra) {
488 skb = alloc_skb(2 * ab->len + extra, GFP_ATOMIC);
489 if (!skb) {
490 ab->len = 0; /* Lose information in ab->tmp */
491 audit_log_lost("out of memory in audit_log_move");
492 return;
493 }
494 __skb_queue_tail(&ab->sklist, skb);
495 if (!ab->nlh)
496 ab->nlh = (struct nlmsghdr *)skb_put(skb,
497 NLMSG_SPACE(0));
498 }
499 start = skb_put(skb, ab->len);
500 memcpy(start, ab->tmp, ab->len);
501 ab->len = 0;
502}
503
504/* Iterate over the skbuff in the audit_buffer, sending their contents
505 * to user space. */
506static inline int audit_log_drain(struct audit_buffer *ab)
507{
508 struct sk_buff *skb;
509
510 while ((skb = skb_dequeue(&ab->sklist))) {
511 int retval = 0;
512
513 if (audit_pid) {
514 if (ab->nlh) {
515 ab->nlh->nlmsg_len = ab->total;
516 ab->nlh->nlmsg_type = ab->type;
517 ab->nlh->nlmsg_flags = 0;
518 ab->nlh->nlmsg_seq = 0;
519 ab->nlh->nlmsg_pid = ab->pid;
520 }
521 skb_get(skb); /* because netlink_* frees */
522 retval = netlink_unicast(audit_sock, skb, audit_pid,
523 MSG_DONTWAIT);
524 }
525 if (retval == -EAGAIN &&
526 (atomic_read(&audit_backlog)) < audit_backlog_limit) {
527 skb_queue_head(&ab->sklist, skb);
528 audit_log_end_irq(ab);
529 return 1;
530 }
531 if (retval < 0) {
532 if (retval == -ECONNREFUSED) {
533 printk(KERN_ERR
534 "audit: *NO* daemon at audit_pid=%d\n",
535 audit_pid);
536 audit_pid = 0;
537 } else
538 audit_log_lost("netlink socket too busy");
539 }
540 if (!audit_pid) { /* No daemon */
541 int offset = ab->nlh ? NLMSG_SPACE(0) : 0;
542 int len = skb->len - offset;
543 skb->data[offset + len] = '\0';
544 printk(KERN_ERR "%s\n", skb->data + offset);
545 }
546 kfree_skb(skb);
547 ab->nlh = NULL;
548 }
549 return 0;
550}
551 512
552/* Initialize audit support at boot time. */ 513/* Initialize audit support at boot time. */
553static int __init audit_init(void) 514static int __init audit_init(void)
@@ -558,40 +519,13 @@ static int __init audit_init(void)
558 if (!audit_sock) 519 if (!audit_sock)
559 audit_panic("cannot initialize netlink socket"); 520 audit_panic("cannot initialize netlink socket");
560 521
522 audit_sock->sk_sndtimeo = MAX_SCHEDULE_TIMEOUT;
523 skb_queue_head_init(&audit_skb_queue);
561 audit_initialized = 1; 524 audit_initialized = 1;
562 audit_enabled = audit_default; 525 audit_enabled = audit_default;
563 audit_log(NULL, "initialized"); 526 audit_log(NULL, AUDIT_KERNEL, "initialized");
564 return 0; 527 return 0;
565} 528}
566
567#else
568/* Without CONFIG_NET, we have no skbuffs. For now, print what we have
569 * in the buffer. */
570static void audit_log_move(struct audit_buffer *ab)
571{
572 printk(KERN_ERR "%*.*s\n", ab->len, ab->len, ab->tmp);
573 ab->len = 0;
574}
575
576static inline int audit_log_drain(struct audit_buffer *ab)
577{
578 return 0;
579}
580
581/* Initialize audit support at boot time. */
582int __init audit_init(void)
583{
584 printk(KERN_INFO "audit: initializing WITHOUT netlink support\n");
585 audit_sock = NULL;
586 audit_pid = 0;
587
588 audit_initialized = 1;
589 audit_enabled = audit_default;
590 audit_log(NULL, "initialized");
591 return 0;
592}
593#endif
594
595__initcall(audit_init); 529__initcall(audit_init);
596 530
597/* Process kernel command-line parameter at boot time. audit=0 or audit=1. */ 531/* Process kernel command-line parameter at boot time. audit=0 or audit=1. */
@@ -608,6 +542,61 @@ static int __init audit_enable(char *str)
608 542
609__setup("audit=", audit_enable); 543__setup("audit=", audit_enable);
610 544
545static void audit_buffer_free(struct audit_buffer *ab)
546{
547 unsigned long flags;
548
549 if (!ab)
550 return;
551
552 if (ab->skb)
553 kfree_skb(ab->skb);
554
555 spin_lock_irqsave(&audit_freelist_lock, flags);
556 if (++audit_freelist_count > AUDIT_MAXFREE)
557 kfree(ab);
558 else
559 list_add(&ab->list, &audit_freelist);
560 spin_unlock_irqrestore(&audit_freelist_lock, flags);
561}
562
563static struct audit_buffer * audit_buffer_alloc(struct audit_context *ctx,
564 int gfp_mask, int type)
565{
566 unsigned long flags;
567 struct audit_buffer *ab = NULL;
568 struct nlmsghdr *nlh;
569
570 spin_lock_irqsave(&audit_freelist_lock, flags);
571 if (!list_empty(&audit_freelist)) {
572 ab = list_entry(audit_freelist.next,
573 struct audit_buffer, list);
574 list_del(&ab->list);
575 --audit_freelist_count;
576 }
577 spin_unlock_irqrestore(&audit_freelist_lock, flags);
578
579 if (!ab) {
580 ab = kmalloc(sizeof(*ab), gfp_mask);
581 if (!ab)
582 goto err;
583 }
584
585 ab->skb = alloc_skb(AUDIT_BUFSIZ, gfp_mask);
586 if (!ab->skb)
587 goto err;
588
589 ab->ctx = ctx;
590 nlh = (struct nlmsghdr *)skb_put(ab->skb, NLMSG_SPACE(0));
591 nlh->nlmsg_type = type;
592 nlh->nlmsg_flags = 0;
593 nlh->nlmsg_pid = 0;
594 nlh->nlmsg_seq = 0;
595 return ab;
596err:
597 audit_buffer_free(ab);
598 return NULL;
599}
611 600
612/* Obtain an audit buffer. This routine does locking to obtain the 601/* Obtain an audit buffer. This routine does locking to obtain the
613 * audit buffer, but then no locking is required for calls to 602 * audit buffer, but then no locking is required for calls to
@@ -615,68 +604,49 @@ __setup("audit=", audit_enable);
615 * syscall, then the syscall is marked as auditable and an audit record 604 * syscall, then the syscall is marked as auditable and an audit record
616 * will be written at syscall exit. If there is no associated task, tsk 605 * will be written at syscall exit. If there is no associated task, tsk
617 * should be NULL. */ 606 * should be NULL. */
618struct audit_buffer *audit_log_start(struct audit_context *ctx) 607struct audit_buffer *audit_log_start(struct audit_context *ctx, int type)
619{ 608{
620 struct audit_buffer *ab = NULL; 609 struct audit_buffer *ab = NULL;
621 unsigned long flags;
622 struct timespec t; 610 struct timespec t;
623 unsigned int serial; 611 unsigned int serial;
624 612
625 if (!audit_initialized) 613 if (!audit_initialized)
626 return NULL; 614 return NULL;
627 615
628 if (audit_backlog_limit 616 ab = audit_buffer_alloc(ctx, GFP_ATOMIC, type);
629 && atomic_read(&audit_backlog) > audit_backlog_limit) {
630 if (audit_rate_check())
631 printk(KERN_WARNING
632 "audit: audit_backlog=%d > "
633 "audit_backlog_limit=%d\n",
634 atomic_read(&audit_backlog),
635 audit_backlog_limit);
636 audit_log_lost("backlog limit exceeded");
637 return NULL;
638 }
639
640 spin_lock_irqsave(&audit_freelist_lock, flags);
641 if (!list_empty(&audit_freelist)) {
642 ab = list_entry(audit_freelist.next,
643 struct audit_buffer, list);
644 list_del(&ab->list);
645 --audit_freelist_count;
646 }
647 spin_unlock_irqrestore(&audit_freelist_lock, flags);
648
649 if (!ab)
650 ab = kmalloc(sizeof(*ab), GFP_ATOMIC);
651 if (!ab) { 617 if (!ab) {
652 audit_log_lost("out of memory in audit_log_start"); 618 audit_log_lost("out of memory in audit_log_start");
653 return NULL; 619 return NULL;
654 } 620 }
655 621
656 atomic_inc(&audit_backlog); 622 if (!audit_get_stamp(ab->ctx, &t, &serial)) {
657 skb_queue_head_init(&ab->sklist);
658
659 ab->ctx = ctx;
660 ab->len = 0;
661 ab->nlh = NULL;
662 ab->total = 0;
663 ab->type = AUDIT_KERNEL;
664 ab->pid = 0;
665
666#ifdef CONFIG_AUDITSYSCALL
667 if (ab->ctx)
668 audit_get_stamp(ab->ctx, &t, &serial);
669 else
670#endif
671 {
672 t = CURRENT_TIME; 623 t = CURRENT_TIME;
673 serial = 0; 624 serial = 0;
674 } 625 }
626
675 audit_log_format(ab, "audit(%lu.%03lu:%u): ", 627 audit_log_format(ab, "audit(%lu.%03lu:%u): ",
676 t.tv_sec, t.tv_nsec/1000000, serial); 628 t.tv_sec, t.tv_nsec/1000000, serial);
677 return ab; 629 return ab;
678} 630}
679 631
632/**
633 * audit_expand - expand skb in the audit buffer
634 * @ab: audit_buffer
635 *
636 * Returns 0 (no space) on failed expansion, or available space if
637 * successful.
638 */
639static inline int audit_expand(struct audit_buffer *ab, int extra)
640{
641 struct sk_buff *skb = ab->skb;
642 int ret = pskb_expand_head(skb, skb_headroom(skb), extra,
643 GFP_ATOMIC);
644 if (ret < 0) {
645 audit_log_lost("out of memory in audit_expand");
646 return 0;
647 }
648 return skb_tailroom(skb);
649}
680 650
681/* Format an audit message into the audit buffer. If there isn't enough 651/* Format an audit message into the audit buffer. If there isn't enough
682 * room in the audit buffer, more room will be allocated and vsnprint 652 * room in the audit buffer, more room will be allocated and vsnprint
@@ -686,26 +656,35 @@ static void audit_log_vformat(struct audit_buffer *ab, const char *fmt,
686 va_list args) 656 va_list args)
687{ 657{
688 int len, avail; 658 int len, avail;
659 struct sk_buff *skb;
660 va_list args2;
689 661
690 if (!ab) 662 if (!ab)
691 return; 663 return;
692 664
693 avail = sizeof(ab->tmp) - ab->len; 665 BUG_ON(!ab->skb);
694 if (avail <= 0) { 666 skb = ab->skb;
695 audit_log_move(ab); 667 avail = skb_tailroom(skb);
696 avail = sizeof(ab->tmp) - ab->len; 668 if (avail == 0) {
669 avail = audit_expand(ab, AUDIT_BUFSIZ);
670 if (!avail)
671 goto out;
697 } 672 }
698 len = vsnprintf(ab->tmp + ab->len, avail, fmt, args); 673 va_copy(args2, args);
674 len = vsnprintf(skb->tail, avail, fmt, args);
699 if (len >= avail) { 675 if (len >= avail) {
700 /* The printk buffer is 1024 bytes long, so if we get 676 /* The printk buffer is 1024 bytes long, so if we get
701 * here and AUDIT_BUFSIZ is at least 1024, then we can 677 * here and AUDIT_BUFSIZ is at least 1024, then we can
702 * log everything that printk could have logged. */ 678 * log everything that printk could have logged. */
703 audit_log_move(ab); 679 avail = audit_expand(ab, max_t(unsigned, AUDIT_BUFSIZ, 1+len-avail));
704 avail = sizeof(ab->tmp) - ab->len; 680 if (!avail)
705 len = vsnprintf(ab->tmp + ab->len, avail, fmt, args); 681 goto out;
682 len = vsnprintf(skb->tail, avail, fmt, args2);
706 } 683 }
707 ab->len += (len < avail) ? len : avail; 684 if (len > 0)
708 ab->total += (len < avail) ? len : avail; 685 skb_put(skb, len);
686out:
687 return;
709} 688}
710 689
711/* Format a message into the audit buffer. All the work is done in 690/* Format a message into the audit buffer. All the work is done in
@@ -721,20 +700,47 @@ void audit_log_format(struct audit_buffer *ab, const char *fmt, ...)
721 va_end(args); 700 va_end(args);
722} 701}
723 702
724void audit_log_hex(struct audit_buffer *ab, const unsigned char *buf, size_t len) 703/* This function will take the passed buf and convert it into a string of
704 * ascii hex digits. The new string is placed onto the skb. */
705void audit_log_hex(struct audit_buffer *ab, const unsigned char *buf,
706 size_t len)
725{ 707{
726 int i; 708 int i, avail, new_len;
709 unsigned char *ptr;
710 struct sk_buff *skb;
711 static const unsigned char *hex = "0123456789ABCDEF";
712
713 BUG_ON(!ab->skb);
714 skb = ab->skb;
715 avail = skb_tailroom(skb);
716 new_len = len<<1;
717 if (new_len >= avail) {
718 /* Round the buffer request up to the next multiple */
719 new_len = AUDIT_BUFSIZ*(((new_len-avail)/AUDIT_BUFSIZ) + 1);
720 avail = audit_expand(ab, new_len);
721 if (!avail)
722 return;
723 }
727 724
728 for (i=0; i<len; i++) 725 ptr = skb->tail;
729 audit_log_format(ab, "%02x", buf[i]); 726 for (i=0; i<len; i++) {
727 *ptr++ = hex[(buf[i] & 0xF0)>>4]; /* Upper nibble */
728 *ptr++ = hex[buf[i] & 0x0F]; /* Lower nibble */
729 }
730 *ptr = 0;
731 skb_put(skb, len << 1); /* new string is twice the old string */
730} 732}
731 733
734/* This code will escape a string that is passed to it if the string
735 * contains a control character, unprintable character, double quote mark,
736 * or a space. Unescaped strings will start and end with a double quote mark.
737 * Strings that are escaped are printed in hex (2 digits per char). */
732void audit_log_untrustedstring(struct audit_buffer *ab, const char *string) 738void audit_log_untrustedstring(struct audit_buffer *ab, const char *string)
733{ 739{
734 const unsigned char *p = string; 740 const unsigned char *p = string;
735 741
736 while (*p) { 742 while (*p) {
737 if (*p == '"' || *p == ' ' || *p < 0x20 || *p > 0x7f) { 743 if (*p == '"' || *p < 0x21 || *p > 0x7f) {
738 audit_log_hex(ab, string, strlen(string)); 744 audit_log_hex(ab, string, strlen(string));
739 return; 745 return;
740 } 746 }
@@ -743,117 +749,63 @@ void audit_log_untrustedstring(struct audit_buffer *ab, const char *string)
743 audit_log_format(ab, "\"%s\"", string); 749 audit_log_format(ab, "\"%s\"", string);
744} 750}
745 751
746 752/* This is a helper-function to print the escaped d_path */
747/* This is a helper-function to print the d_path without using a static
748 * buffer or allocating another buffer in addition to the one in
749 * audit_buffer. */
750void audit_log_d_path(struct audit_buffer *ab, const char *prefix, 753void audit_log_d_path(struct audit_buffer *ab, const char *prefix,
751 struct dentry *dentry, struct vfsmount *vfsmnt) 754 struct dentry *dentry, struct vfsmount *vfsmnt)
752{ 755{
753 char *p; 756 char *p, *path;
754 int len, avail;
755
756 if (prefix) audit_log_format(ab, " %s", prefix);
757
758 if (ab->len > 128)
759 audit_log_move(ab);
760 avail = sizeof(ab->tmp) - ab->len;
761 p = d_path(dentry, vfsmnt, ab->tmp + ab->len, avail);
762 if (IS_ERR(p)) {
763 /* FIXME: can we save some information here? */
764 audit_log_format(ab, "<toolong>");
765 } else {
766 /* path isn't at start of buffer */
767 len = (ab->tmp + sizeof(ab->tmp) - 1) - p;
768 memmove(ab->tmp + ab->len, p, len);
769 ab->len += len;
770 ab->total += len;
771 }
772}
773
774/* Remove queued messages from the audit_txlist and send them to userspace. */
775static void audit_tasklet_handler(unsigned long arg)
776{
777 LIST_HEAD(list);
778 struct audit_buffer *ab;
779 unsigned long flags;
780 757
781 spin_lock_irqsave(&audit_txlist_lock, flags); 758 if (prefix)
782 list_splice_init(&audit_txlist, &list); 759 audit_log_format(ab, " %s", prefix);
783 spin_unlock_irqrestore(&audit_txlist_lock, flags);
784 760
785 while (!list_empty(&list)) { 761 /* We will allow 11 spaces for ' (deleted)' to be appended */
786 ab = list_entry(list.next, struct audit_buffer, list); 762 path = kmalloc(PATH_MAX+11, GFP_KERNEL);
787 list_del(&ab->list); 763 if (!path) {
788 audit_log_end_fast(ab); 764 audit_log_format(ab, "<no memory>");
765 return;
789 } 766 }
767 p = d_path(dentry, vfsmnt, path, PATH_MAX+11);
768 if (IS_ERR(p)) { /* Should never happen since we send PATH_MAX */
769 /* FIXME: can we save some information here? */
770 audit_log_format(ab, "<too long>");
771 } else
772 audit_log_untrustedstring(ab, p);
773 kfree(path);
790} 774}
791 775
792static DECLARE_TASKLET(audit_tasklet, audit_tasklet_handler, 0);
793
794/* The netlink_* functions cannot be called inside an irq context, so 776/* The netlink_* functions cannot be called inside an irq context, so
795 * the audit buffer is places on a queue and a tasklet is scheduled to 777 * the audit buffer is places on a queue and a tasklet is scheduled to
796 * remove them from the queue outside the irq context. May be called in 778 * remove them from the queue outside the irq context. May be called in
797 * any context. */ 779 * any context. */
798static void audit_log_end_irq(struct audit_buffer *ab) 780void audit_log_end(struct audit_buffer *ab)
799{
800 unsigned long flags;
801
802 if (!ab)
803 return;
804 spin_lock_irqsave(&audit_txlist_lock, flags);
805 list_add_tail(&ab->list, &audit_txlist);
806 spin_unlock_irqrestore(&audit_txlist_lock, flags);
807
808 tasklet_schedule(&audit_tasklet);
809}
810
811/* Send the message in the audit buffer directly to user space. May not
812 * be called in an irq context. */
813static void audit_log_end_fast(struct audit_buffer *ab)
814{ 781{
815 unsigned long flags;
816
817 BUG_ON(in_irq());
818 if (!ab) 782 if (!ab)
819 return; 783 return;
820 if (!audit_rate_check()) { 784 if (!audit_rate_check()) {
821 audit_log_lost("rate limit exceeded"); 785 audit_log_lost("rate limit exceeded");
822 } else { 786 } else {
823 audit_log_move(ab); 787 if (audit_pid) {
824 if (audit_log_drain(ab)) 788 struct nlmsghdr *nlh = (struct nlmsghdr *)ab->skb->data;
825 return; 789 nlh->nlmsg_len = ab->skb->len - NLMSG_SPACE(0);
790 skb_queue_tail(&audit_skb_queue, ab->skb);
791 ab->skb = NULL;
792 wake_up_interruptible(&kauditd_wait);
793 } else {
794 printk("%s\n", ab->skb->data + NLMSG_SPACE(0));
795 }
826 } 796 }
827 797 audit_buffer_free(ab);
828 atomic_dec(&audit_backlog);
829 spin_lock_irqsave(&audit_freelist_lock, flags);
830 if (++audit_freelist_count > AUDIT_MAXFREE)
831 kfree(ab);
832 else
833 list_add(&ab->list, &audit_freelist);
834 spin_unlock_irqrestore(&audit_freelist_lock, flags);
835}
836
837/* Send or queue the message in the audit buffer, depending on the
838 * current context. (A convenience function that may be called in any
839 * context.) */
840void audit_log_end(struct audit_buffer *ab)
841{
842 if (in_irq())
843 audit_log_end_irq(ab);
844 else
845 audit_log_end_fast(ab);
846} 798}
847 799
848/* Log an audit record. This is a convenience function that calls 800/* Log an audit record. This is a convenience function that calls
849 * audit_log_start, audit_log_vformat, and audit_log_end. It may be 801 * audit_log_start, audit_log_vformat, and audit_log_end. It may be
850 * called in any context. */ 802 * called in any context. */
851void audit_log(struct audit_context *ctx, const char *fmt, ...) 803void audit_log(struct audit_context *ctx, int type, const char *fmt, ...)
852{ 804{
853 struct audit_buffer *ab; 805 struct audit_buffer *ab;
854 va_list args; 806 va_list args;
855 807
856 ab = audit_log_start(ctx); 808 ab = audit_log_start(ctx, type);
857 if (ab) { 809 if (ab) {
858 va_start(args, fmt); 810 va_start(args, fmt);
859 audit_log_vformat(ab, fmt, args); 811 audit_log_vformat(ab, fmt, args);
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 37b3ac94bc47..78d7a13fc86f 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -34,7 +34,7 @@
34#include <asm/types.h> 34#include <asm/types.h>
35#include <linux/mm.h> 35#include <linux/mm.h>
36#include <linux/module.h> 36#include <linux/module.h>
37 37#include <linux/socket.h>
38#include <linux/audit.h> 38#include <linux/audit.h>
39#include <linux/personality.h> 39#include <linux/personality.h>
40#include <linux/time.h> 40#include <linux/time.h>
@@ -112,6 +112,18 @@ struct audit_aux_data_ipcctl {
112 mode_t mode; 112 mode_t mode;
113}; 113};
114 114
115struct audit_aux_data_socketcall {
116 struct audit_aux_data d;
117 int nargs;
118 unsigned long args[0];
119};
120
121struct audit_aux_data_sockaddr {
122 struct audit_aux_data d;
123 int len;
124 char a[0];
125};
126
115 127
116/* The per-task audit context. */ 128/* The per-task audit context. */
117struct audit_context { 129struct audit_context {
@@ -157,6 +169,8 @@ struct audit_entry {
157 struct audit_rule rule; 169 struct audit_rule rule;
158}; 170};
159 171
172extern int audit_pid;
173
160/* Check to see if two rules are identical. It is called from 174/* Check to see if two rules are identical. It is called from
161 * audit_del_rule during AUDIT_DEL. */ 175 * audit_del_rule during AUDIT_DEL. */
162static int audit_compare_rule(struct audit_rule *a, struct audit_rule *b) 176static int audit_compare_rule(struct audit_rule *a, struct audit_rule *b)
@@ -226,7 +240,6 @@ static inline int audit_del_rule(struct audit_rule *rule,
226 return -EFAULT; /* No matching rule */ 240 return -EFAULT; /* No matching rule */
227} 241}
228 242
229#ifdef CONFIG_NET
230/* Copy rule from user-space to kernel-space. Called during 243/* Copy rule from user-space to kernel-space. Called during
231 * AUDIT_ADD. */ 244 * AUDIT_ADD. */
232static int audit_copy_rule(struct audit_rule *d, struct audit_rule *s) 245static int audit_copy_rule(struct audit_rule *d, struct audit_rule *s)
@@ -287,7 +300,8 @@ int audit_receive_filter(int type, int pid, int uid, int seq, void *data,
287 err = audit_add_rule(entry, &audit_entlist); 300 err = audit_add_rule(entry, &audit_entlist);
288 if (!err && (flags & AUDIT_AT_EXIT)) 301 if (!err && (flags & AUDIT_AT_EXIT))
289 err = audit_add_rule(entry, &audit_extlist); 302 err = audit_add_rule(entry, &audit_extlist);
290 audit_log(NULL, "auid %u added an audit rule\n", loginuid); 303 audit_log(NULL, AUDIT_CONFIG_CHANGE,
304 "auid %u added an audit rule\n", loginuid);
291 break; 305 break;
292 case AUDIT_DEL: 306 case AUDIT_DEL:
293 flags =((struct audit_rule *)data)->flags; 307 flags =((struct audit_rule *)data)->flags;
@@ -297,7 +311,8 @@ int audit_receive_filter(int type, int pid, int uid, int seq, void *data,
297 err = audit_del_rule(data, &audit_entlist); 311 err = audit_del_rule(data, &audit_entlist);
298 if (!err && (flags & AUDIT_AT_EXIT)) 312 if (!err && (flags & AUDIT_AT_EXIT))
299 err = audit_del_rule(data, &audit_extlist); 313 err = audit_del_rule(data, &audit_extlist);
300 audit_log(NULL, "auid %u removed an audit rule\n", loginuid); 314 audit_log(NULL, AUDIT_CONFIG_CHANGE,
315 "auid %u removed an audit rule\n", loginuid);
301 break; 316 break;
302 default: 317 default:
303 return -EINVAL; 318 return -EINVAL;
@@ -305,7 +320,6 @@ int audit_receive_filter(int type, int pid, int uid, int seq, void *data,
305 320
306 return err; 321 return err;
307} 322}
308#endif
309 323
310/* Compare a task_struct with an audit_rule. Return 1 on match, 0 324/* Compare a task_struct with an audit_rule. Return 1 on match, 0
311 * otherwise. */ 325 * otherwise. */
@@ -444,7 +458,7 @@ static enum audit_state audit_filter_task(struct task_struct *tsk)
444 458
445/* At syscall entry and exit time, this filter is called if the 459/* At syscall entry and exit time, this filter is called if the
446 * audit_state is not low enough that auditing cannot take place, but is 460 * audit_state is not low enough that auditing cannot take place, but is
447 * also not high enough that we already know we have to write and audit 461 * also not high enough that we already know we have to write an audit
448 * record (i.e., the state is AUDIT_SETUP_CONTEXT or AUDIT_BUILD_CONTEXT). 462 * record (i.e., the state is AUDIT_SETUP_CONTEXT or AUDIT_BUILD_CONTEXT).
449 */ 463 */
450static enum audit_state audit_filter_syscall(struct task_struct *tsk, 464static enum audit_state audit_filter_syscall(struct task_struct *tsk,
@@ -650,7 +664,7 @@ static void audit_log_exit(struct audit_context *context)
650 int i; 664 int i;
651 struct audit_buffer *ab; 665 struct audit_buffer *ab;
652 666
653 ab = audit_log_start(context); 667 ab = audit_log_start(context, AUDIT_SYSCALL);
654 if (!ab) 668 if (!ab)
655 return; /* audit_panic has been called */ 669 return; /* audit_panic has been called */
656 audit_log_format(ab, "syscall=%d", context->major); 670 audit_log_format(ab, "syscall=%d", context->major);
@@ -682,28 +696,43 @@ static void audit_log_exit(struct audit_context *context)
682 while (context->aux) { 696 while (context->aux) {
683 struct audit_aux_data *aux; 697 struct audit_aux_data *aux;
684 698
685 ab = audit_log_start(context); 699 aux = context->aux;
700
701 ab = audit_log_start(context, aux->type);
686 if (!ab) 702 if (!ab)
687 continue; /* audit_panic has been called */ 703 continue; /* audit_panic has been called */
688 704
689 aux = context->aux;
690 context->aux = aux->next;
691
692 audit_log_format(ab, "auxitem=%d", aux->type);
693 switch (aux->type) { 705 switch (aux->type) {
694 case AUDIT_AUX_IPCPERM: { 706 case AUDIT_IPC: {
695 struct audit_aux_data_ipcctl *axi = (void *)aux; 707 struct audit_aux_data_ipcctl *axi = (void *)aux;
696 audit_log_format(ab, 708 audit_log_format(ab,
697 " qbytes=%lx uid=%d gid=%d mode=%x", 709 " qbytes=%lx iuid=%d igid=%d mode=%x",
698 axi->qbytes, axi->uid, axi->gid, axi->mode); 710 axi->qbytes, axi->uid, axi->gid, axi->mode);
699 } 711 break; }
712
713 case AUDIT_SOCKETCALL: {
714 int i;
715 struct audit_aux_data_socketcall *axs = (void *)aux;
716 audit_log_format(ab, "nargs=%d", axs->nargs);
717 for (i=0; i<axs->nargs; i++)
718 audit_log_format(ab, " a%d=%lx", i, axs->args[i]);
719 break; }
720
721 case AUDIT_SOCKADDR: {
722 struct audit_aux_data_sockaddr *axs = (void *)aux;
723
724 audit_log_format(ab, "saddr=");
725 audit_log_hex(ab, axs->a, axs->len);
726 break; }
700 } 727 }
701 audit_log_end(ab); 728 audit_log_end(ab);
729
730 context->aux = aux->next;
702 kfree(aux); 731 kfree(aux);
703 } 732 }
704 733
705 for (i = 0; i < context->name_count; i++) { 734 for (i = 0; i < context->name_count; i++) {
706 ab = audit_log_start(context); 735 ab = audit_log_start(context, AUDIT_PATH);
707 if (!ab) 736 if (!ab)
708 continue; /* audit_panic has been called */ 737 continue; /* audit_panic has been called */
709 audit_log_format(ab, "item=%d", i); 738 audit_log_format(ab, "item=%d", i);
@@ -713,7 +742,7 @@ static void audit_log_exit(struct audit_context *context)
713 } 742 }
714 if (context->names[i].ino != (unsigned long)-1) 743 if (context->names[i].ino != (unsigned long)-1)
715 audit_log_format(ab, " inode=%lu dev=%02x:%02x mode=%#o" 744 audit_log_format(ab, " inode=%lu dev=%02x:%02x mode=%#o"
716 " uid=%d gid=%d rdev=%02x:%02x", 745 " ouid=%d ogid=%d rdev=%02x:%02x",
717 context->names[i].ino, 746 context->names[i].ino,
718 MAJOR(context->names[i].dev), 747 MAJOR(context->names[i].dev),
719 MINOR(context->names[i].dev), 748 MINOR(context->names[i].dev),
@@ -741,7 +770,7 @@ void audit_free(struct task_struct *tsk)
741 770
742 /* Check for system calls that do not go through the exit 771 /* Check for system calls that do not go through the exit
743 * function (e.g., exit_group), then free context block. */ 772 * function (e.g., exit_group), then free context block. */
744 if (context->in_syscall && context->auditable) 773 if (context->in_syscall && context->auditable && context->pid != audit_pid)
745 audit_log_exit(context); 774 audit_log_exit(context);
746 775
747 audit_free_context(context); 776 audit_free_context(context);
@@ -750,7 +779,7 @@ void audit_free(struct task_struct *tsk)
750/* Compute a serial number for the audit record. Audit records are 779/* Compute a serial number for the audit record. Audit records are
751 * written to user-space as soon as they are generated, so a complete 780 * written to user-space as soon as they are generated, so a complete
752 * audit record may be written in several pieces. The timestamp of the 781 * audit record may be written in several pieces. The timestamp of the
753 * record and this serial number are used by the user-space daemon to 782 * record and this serial number are used by the user-space tools to
754 * determine which pieces belong to the same audit record. The 783 * determine which pieces belong to the same audit record. The
755 * (timestamp,serial) tuple is unique for each syscall and is live from 784 * (timestamp,serial) tuple is unique for each syscall and is live from
756 * syscall entry to syscall exit. 785 * syscall entry to syscall exit.
@@ -876,7 +905,7 @@ void audit_syscall_exit(struct task_struct *tsk, int valid, long return_code)
876 if (likely(!context)) 905 if (likely(!context))
877 return; 906 return;
878 907
879 if (context->in_syscall && context->auditable) 908 if (context->in_syscall && context->auditable && context->pid != audit_pid)
880 audit_log_exit(context); 909 audit_log_exit(context);
881 910
882 context->in_syscall = 0; 911 context->in_syscall = 0;
@@ -994,7 +1023,7 @@ void audit_inode(const char *name, const struct inode *inode)
994 context->names[idx].rdev = inode->i_rdev; 1023 context->names[idx].rdev = inode->i_rdev;
995} 1024}
996 1025
997void audit_get_stamp(struct audit_context *ctx, 1026int audit_get_stamp(struct audit_context *ctx,
998 struct timespec *t, unsigned int *serial) 1027 struct timespec *t, unsigned int *serial)
999{ 1028{
1000 if (ctx) { 1029 if (ctx) {
@@ -1002,26 +1031,22 @@ void audit_get_stamp(struct audit_context *ctx,
1002 t->tv_nsec = ctx->ctime.tv_nsec; 1031 t->tv_nsec = ctx->ctime.tv_nsec;
1003 *serial = ctx->serial; 1032 *serial = ctx->serial;
1004 ctx->auditable = 1; 1033 ctx->auditable = 1;
1005 } else { 1034 return 1;
1006 *t = CURRENT_TIME;
1007 *serial = 0;
1008 } 1035 }
1036 return 0;
1009} 1037}
1010 1038
1011extern int audit_set_type(struct audit_buffer *ab, int type);
1012
1013int audit_set_loginuid(struct task_struct *task, uid_t loginuid) 1039int audit_set_loginuid(struct task_struct *task, uid_t loginuid)
1014{ 1040{
1015 if (task->audit_context) { 1041 if (task->audit_context) {
1016 struct audit_buffer *ab; 1042 struct audit_buffer *ab;
1017 1043
1018 ab = audit_log_start(NULL); 1044 ab = audit_log_start(NULL, AUDIT_LOGIN);
1019 if (ab) { 1045 if (ab) {
1020 audit_log_format(ab, "login pid=%d uid=%u " 1046 audit_log_format(ab, "login pid=%d uid=%u "
1021 "old loginuid=%u new loginuid=%u", 1047 "old loginuid=%u new loginuid=%u",
1022 task->pid, task->uid, 1048 task->pid, task->uid,
1023 task->audit_context->loginuid, loginuid); 1049 task->audit_context->loginuid, loginuid);
1024 audit_set_type(ab, AUDIT_LOGIN);
1025 audit_log_end(ab); 1050 audit_log_end(ab);
1026 } 1051 }
1027 task->audit_context->loginuid = loginuid; 1052 task->audit_context->loginuid = loginuid;
@@ -1051,8 +1076,68 @@ int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode)
1051 ax->gid = gid; 1076 ax->gid = gid;
1052 ax->mode = mode; 1077 ax->mode = mode;
1053 1078
1054 ax->d.type = AUDIT_AUX_IPCPERM; 1079 ax->d.type = AUDIT_IPC;
1055 ax->d.next = context->aux; 1080 ax->d.next = context->aux;
1056 context->aux = (void *)ax; 1081 context->aux = (void *)ax;
1057 return 0; 1082 return 0;
1058} 1083}
1084
1085int audit_socketcall(int nargs, unsigned long *args)
1086{
1087 struct audit_aux_data_socketcall *ax;
1088 struct audit_context *context = current->audit_context;
1089
1090 if (likely(!context))
1091 return 0;
1092
1093 ax = kmalloc(sizeof(*ax) + nargs * sizeof(unsigned long), GFP_KERNEL);
1094 if (!ax)
1095 return -ENOMEM;
1096
1097 ax->nargs = nargs;
1098 memcpy(ax->args, args, nargs * sizeof(unsigned long));
1099
1100 ax->d.type = AUDIT_SOCKETCALL;
1101 ax->d.next = context->aux;
1102 context->aux = (void *)ax;
1103 return 0;
1104}
1105
1106int audit_sockaddr(int len, void *a)
1107{
1108 struct audit_aux_data_sockaddr *ax;
1109 struct audit_context *context = current->audit_context;
1110
1111 if (likely(!context))
1112 return 0;
1113
1114 ax = kmalloc(sizeof(*ax) + len, GFP_KERNEL);
1115 if (!ax)
1116 return -ENOMEM;
1117
1118 ax->len = len;
1119 memcpy(ax->a, a, len);
1120
1121 ax->d.type = AUDIT_SOCKADDR;
1122 ax->d.next = context->aux;
1123 context->aux = (void *)ax;
1124 return 0;
1125}
1126
1127void audit_signal_info(int sig, struct task_struct *t)
1128{
1129 extern pid_t audit_sig_pid;
1130 extern uid_t audit_sig_uid;
1131
1132 if (unlikely(audit_pid && t->pid == audit_pid)) {
1133 if (sig == SIGTERM || sig == SIGHUP) {
1134 struct audit_context *ctx = current->audit_context;
1135 audit_sig_pid = current->pid;
1136 if (ctx)
1137 audit_sig_uid = ctx->loginuid;
1138 else
1139 audit_sig_uid = current->uid;
1140 }
1141 }
1142}
1143
diff --git a/kernel/signal.c b/kernel/signal.c
index 8f3debc77c5b..293e189d8bc3 100644
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -24,6 +24,7 @@
24#include <linux/ptrace.h> 24#include <linux/ptrace.h>
25#include <linux/posix-timers.h> 25#include <linux/posix-timers.h>
26#include <linux/signal.h> 26#include <linux/signal.h>
27#include <linux/audit.h>
27#include <asm/param.h> 28#include <asm/param.h>
28#include <asm/uaccess.h> 29#include <asm/uaccess.h>
29#include <asm/unistd.h> 30#include <asm/unistd.h>
@@ -658,7 +659,11 @@ static int check_kill_permission(int sig, struct siginfo *info,
658 && (current->uid ^ t->suid) && (current->uid ^ t->uid) 659 && (current->uid ^ t->suid) && (current->uid ^ t->uid)
659 && !capable(CAP_KILL)) 660 && !capable(CAP_KILL))
660 return error; 661 return error;
661 return security_task_kill(t, info, sig); 662
663 error = security_task_kill(t, info, sig);
664 if (!error)
665 audit_signal_info(sig, t); /* Let audit system see the signal */
666 return error;
662} 667}
663 668
664/* forward decl */ 669/* forward decl */
generated by cgit v1.2.2 (git 2.25.0) at 2025-03-08 00:27:36 -0500