2 files changed, 90 insertions, 48 deletions
diff --git a/kernel/audit.c b/kernel/audit.c
index 0f84dd7af2c8..4a697c73faec 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1,4 +1,4 @@
-/* audit.c -- Auditing support -*- linux-c -*-
+/* audit.c -- Auditing support
 * Gateway between the kernel (e.g., selinux) and the user-space audit daemon.
 * System-call specific features have moved to auditsc.c
 *
@@ -38,7 +38,7 @@
 *        6) Support low-overhead kernel-based filtering to minimize the
 *           information that must be passed to user-space.
 *
- * Example user-space utilities: http://people.redhat.com/faith/audit/
+ * Example user-space utilities: http://people.redhat.com/sgrubb/audit/
 */
 #include <linux/init.h>
@@ -142,7 +142,6 @@ struct audit_buffer {
        int                  total;
        int                  type;
        int                  pid;
-        int                  count; /* Times requeued */
 };
 void audit_set_type(struct audit_buffer *ab, int type)
@@ -239,36 +238,36 @@ void audit_log_lost(const char *message)
 }
-static int audit_set_rate_limit(int limit)
+static int audit_set_rate_limit(int limit, uid_t loginuid)
 {
        int old          = audit_rate_limit;
        audit_rate_limit = limit;
-        audit_log(current->audit_context, "audit_rate_limit=%d old=%d",
+        audit_log(NULL, "audit_rate_limit=%d old=%d by auid %u",
-                  audit_rate_limit, old);
+                        audit_rate_limit, old, loginuid);
        return old;
 }
-static int audit_set_backlog_limit(int limit)
+static int audit_set_backlog_limit(int limit, uid_t loginuid)
 {
        int old          = audit_backlog_limit;
        audit_backlog_limit = limit;
-        audit_log(current->audit_context, "audit_backlog_limit=%d old=%d",
+        audit_log(NULL, "audit_backlog_limit=%d old=%d by auid %u",
-                  audit_backlog_limit, old);
+                        audit_backlog_limit, old, loginuid);
        return old;
 }
-static int audit_set_enabled(int state)
+static int audit_set_enabled(int state, uid_t loginuid)
 {
        int old          = audit_enabled;
        if (state != 0 && state != 1)
                return -EINVAL;
        audit_enabled = state;
-        audit_log(current->audit_context, "audit_enabled=%d old=%d",
+        audit_log(NULL, "audit_enabled=%d old=%d by auid %u",
-                  audit_enabled, old);
+                  audit_enabled, old, loginuid);
        return old;
 }
-static int audit_set_failure(int state)
+static int audit_set_failure(int state, uid_t loginuid)
 {
        int old          = audit_failure;
        if (state != AUDIT_FAIL_SILENT
@@ -276,8 +275,8 @@ static int audit_set_failure(int state)
            && state != AUDIT_FAIL_PANIC)
                return -EINVAL;
        audit_failure = state;
-        audit_log(current->audit_context, "audit_failure=%d old=%d",
+        audit_log(NULL, "audit_failure=%d old=%d by auid %u",
-                  audit_failure, old);
+                  audit_failure, old, loginuid);
        return old;
 }
@@ -344,6 +343,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
        int                     err;
        struct audit_buffer     *ab;
        u16                     msg_type = nlh->nlmsg_type;
+        uid_t                   loginuid; /* loginuid of sender */
        err = audit_netlink_ok(NETLINK_CB(skb).eff_cap, msg_type);
        if (err)
@@ -351,6 +351,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
        pid  = NETLINK_CREDS(skb)->pid;
        uid  = NETLINK_CREDS(skb)->uid;
+        loginuid = NETLINK_CB(skb).loginuid;
        seq  = nlh->nlmsg_seq;
        data = NLMSG_DATA(nlh);
@@ -371,34 +372,36 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
                        return -EINVAL;
                status_get   = (struct audit_status *)data;
                if (status_get->mask & AUDIT_STATUS_ENABLED) {
-                        err = audit_set_enabled(status_get->enabled);
+                        err = audit_set_enabled(status_get->enabled, loginuid);
                        if (err < 0) return err;
                }
                if (status_get->mask & AUDIT_STATUS_FAILURE) {
-                        err = audit_set_failure(status_get->failure);
+                        err = audit_set_failure(status_get->failure, loginuid);
                        if (err < 0) return err;
                }
                if (status_get->mask & AUDIT_STATUS_PID) {
                        int old   = audit_pid;
                        audit_pid = status_get->pid;
-                        audit_log(current->audit_context,
+                        audit_log(NULL, "audit_pid=%d old=%d by auid %u",
-                                  "audit_pid=%d old=%d", audit_pid, old);
+                                  audit_pid, old, loginuid);
                }
                if (status_get->mask & AUDIT_STATUS_RATE_LIMIT)
-                        audit_set_rate_limit(status_get->rate_limit);
+                        audit_set_rate_limit(status_get->rate_limit, loginuid);
                if (status_get->mask & AUDIT_STATUS_BACKLOG_LIMIT)
-                        audit_set_backlog_limit(status_get->backlog_limit);
+                        audit_set_backlog_limit(status_get->backlog_limit,
+                                                        loginuid);
                break;
        case AUDIT_USER:
                ab = audit_log_start(NULL);
                if (!ab)
                        break;  /* audit_panic has been called */
                audit_log_format(ab,
-                                 "user pid=%d uid=%d length=%d msg='%.1024s'",
+                                 "user pid=%d uid=%d length=%d loginuid=%u"
+                                 " msg='%.1024s'",
                                 pid, uid,
                                 (int)(nlh->nlmsg_len
                                       - ((char *)data - (char *)nlh)),
-                                 (char *)data);
+                                 loginuid, (char *)data);
                ab->type = AUDIT_USER;
                ab->pid  = pid;
                audit_log_end(ab);
@@ -411,7 +414,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
        case AUDIT_LIST:
 #ifdef CONFIG_AUDITSYSCALL
                err = audit_receive_filter(nlh->nlmsg_type, NETLINK_CB(skb).pid,
-                                           uid, seq, data);
+                                           uid, seq, data, loginuid);
 #else
                err = -EOPNOTSUPP;
 #endif
@@ -522,9 +525,9 @@ static inline int audit_log_drain(struct audit_buffer *ab)
                        retval = netlink_unicast(audit_sock, skb, audit_pid,
                                                 MSG_DONTWAIT);
                }
-                if (retval == -EAGAIN && ab->count < 5) {
+                if (retval == -EAGAIN &&
-                        ++ab->count;
+                    (atomic_read(&audit_backlog)) < audit_backlog_limit) {
-                        skb_queue_tail(&ab->sklist, skb);
+                        skb_queue_head(&ab->sklist, skb);
                        audit_log_end_irq(ab);
                        return 1;
                }
@@ -540,8 +543,8 @@ static inline int audit_log_drain(struct audit_buffer *ab)
                if (!audit_pid) { /* No daemon */
                        int offset = ab->nlh ? NLMSG_SPACE(0) : 0;
                        int len    = skb->len - offset;
-                        printk(KERN_ERR "%*.*s\n",
+                        skb->data[offset + len] = '\0';
-                               len, len, skb->data + offset);
+                        printk(KERN_ERR "%s\n", skb->data + offset);
                }
                kfree_skb(skb);
                ab->nlh = NULL;
@@ -620,7 +623,7 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx)
        struct audit_buffer     *ab     = NULL;
        unsigned long           flags;
        struct timespec         t;
-        int                     serial  = 0;
+        unsigned int            serial;
        if (!audit_initialized)
                return NULL;
@@ -662,15 +665,16 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx)
        ab->total = 0;
        ab->type  = AUDIT_KERNEL;
        ab->pid   = 0;
-        ab->count = 0;
 #ifdef CONFIG_AUDITSYSCALL
        if (ab->ctx)
                audit_get_stamp(ab->ctx, &t, &serial);
        else
 #endif
+        {
                t = CURRENT_TIME;
+                serial = 0;
+        }
        audit_log_format(ab, "audit(%lu.%03lu:%u): ",
                         t.tv_sec, t.tv_nsec/1000000, serial);
        return ab;
@@ -720,6 +724,29 @@ void audit_log_format(struct audit_buffer *ab, const char *fmt, ...)
        va_end(args);
 }
+void audit_log_hex(struct audit_buffer *ab, const unsigned char *buf, size_t len)
+{
+        int i;
+        for (i=0; i<len; i++)
+                audit_log_format(ab, "%02x", buf[i]);
+}
+void audit_log_untrustedstring(struct audit_buffer *ab, const char *string)
+{
+        const unsigned char *p = string;
+        while (*p) {
+                if (*p == '"' || *p == ' ' || *p < 0x20 || *p > 0x7f) {
+                        audit_log_hex(ab, string, strlen(string));
+                        return;
+                }
+                p++;
+        }
+        audit_log_format(ab, "\"%s\"", string);
+}
 /* This is a helper-function to print the d_path without using a static
 * buffer or allocating another buffer in addition to the one in
 * audit_buffer. */
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 6f1931381bc9..37b3ac94bc47 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1,4 +1,4 @@
-/* auditsc.c -- System-call auditing support -*- linux-c -*-
+/* auditsc.c -- System-call auditing support
 * Handles all system-call specific auditing features.
 *
 * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina.
@@ -123,7 +123,7 @@ struct audit_context {
        int                 major;      /* syscall number */
        unsigned long       argv[4];    /* syscall arguments */
        int                 return_valid; /* return code is valid */
-        int                 return_code;/* syscall return code */
+        long                return_code;/* syscall return code */
        int                 auditable;  /* 1 if record should be written */
        int                 name_count;
        struct audit_names  names[AUDIT_NAMES];
@@ -135,6 +135,7 @@ struct audit_context {
        uid_t               uid, euid, suid, fsuid;
        gid_t               gid, egid, sgid, fsgid;
        unsigned long       personality;
+        int                 arch;
 #if AUDIT_DEBUG
        int                 put_count;
@@ -250,7 +251,8 @@ static int audit_copy_rule(struct audit_rule *d, struct audit_rule *s)
        return 0;
 }
-int audit_receive_filter(int type, int pid, int uid, int seq, void *data)
+int audit_receive_filter(int type, int pid, int uid, int seq, void *data,
+                                                        uid_t loginuid)
 {
        u32                flags;
        struct audit_entry *entry;
@@ -285,6 +287,7 @@ int audit_receive_filter(int type, int pid, int uid, int seq, void *data)
                        err = audit_add_rule(entry, &audit_entlist);
                if (!err && (flags & AUDIT_AT_EXIT))
                        err = audit_add_rule(entry, &audit_extlist);
+                audit_log(NULL, "auid %u added an audit rule\n", loginuid);
                break;
        case AUDIT_DEL:
                flags =((struct audit_rule *)data)->flags;
@@ -294,6 +297,7 @@ int audit_receive_filter(int type, int pid, int uid, int seq, void *data)
                        err = audit_del_rule(data, &audit_entlist);
                if (!err && (flags & AUDIT_AT_EXIT))
                        err = audit_del_rule(data, &audit_extlist);
+                audit_log(NULL, "auid %u removed an audit rule\n", loginuid);
                break;
        default:
                return -EINVAL;
@@ -348,6 +352,10 @@ static int audit_filter_rules(struct task_struct *tsk,
                case AUDIT_PERS:
                        result = (tsk->personality == value);
                        break;
+                case AUDIT_ARCH:
+                        if (ctx) 
+                                result = (ctx->arch == value);
+                        break;
                case AUDIT_EXIT:
                        if (ctx && ctx->return_valid)
@@ -355,7 +363,7 @@ static int audit_filter_rules(struct task_struct *tsk,
                        break;
                case AUDIT_SUCCESS:
                        if (ctx && ctx->return_valid)
-                                result = (ctx->return_code >= 0);
+                                result = (ctx->return_valid == AUDITSC_SUCCESS);
                        break;
                case AUDIT_DEVMAJOR:
                        if (ctx) {
@@ -648,8 +656,11 @@ static void audit_log_exit(struct audit_context *context)
        audit_log_format(ab, "syscall=%d", context->major);
        if (context->personality != PER_LINUX)
                audit_log_format(ab, " per=%lx", context->personality);
+        audit_log_format(ab, " arch=%x", context->arch);
        if (context->return_valid)
-                audit_log_format(ab, " exit=%d", context->return_code);
+                audit_log_format(ab, " success=%s exit=%ld", 
+                                 (context->return_valid==AUDITSC_SUCCESS)?"yes":"no",
+                                 context->return_code);
        audit_log_format(ab,
                  " a0=%lx a1=%lx a2=%lx a3=%lx items=%d"
                  " pid=%d loginuid=%d uid=%d gid=%d"
@@ -696,9 +707,10 @@ static void audit_log_exit(struct audit_context *context)
                if (!ab)
                        continue; /* audit_panic has been called */
                audit_log_format(ab, "item=%d", i);
-                if (context->names[i].name)
+                if (context->names[i].name) {
-                        audit_log_format(ab, " name=%s",
+                        audit_log_format(ab, " name=");
-                                         context->names[i].name);
+                        audit_log_untrustedstring(ab, context->names[i].name);
+                }
                if (context->names[i].ino != (unsigned long)-1)
                        audit_log_format(ab, " inode=%lu dev=%02x:%02x mode=%#o"
                                             " uid=%d gid=%d rdev=%02x:%02x",
@@ -772,7 +784,7 @@ static inline unsigned int audit_serial(void)
 * then the record will be written at syscall exit time (otherwise, it
 * will only be written if another part of the kernel requests that it
 * be written). */
-void audit_syscall_entry(struct task_struct *tsk, int major,
+void audit_syscall_entry(struct task_struct *tsk, int arch, int major,
                         unsigned long a1, unsigned long a2,
                         unsigned long a3, unsigned long a4)
 {
@@ -826,6 +838,7 @@ void audit_syscall_entry(struct task_struct *tsk, int major,
        if (!audit_enabled)
                return;
+        context->arch       = arch;
        context->major      = major;
        context->argv[0]    = a1;
        context->argv[1]    = a2;
@@ -849,13 +862,13 @@ void audit_syscall_entry(struct task_struct *tsk, int major,
 * filtering, or because some other part of the kernel write an audit
 * message), then write out the syscall information.  In call cases,
 * free the names stored from getname(). */
-void audit_syscall_exit(struct task_struct *tsk, int return_code)
+void audit_syscall_exit(struct task_struct *tsk, int valid, long return_code)
 {
        struct audit_context *context;
        get_task_struct(tsk);
        task_lock(tsk);
-        context = audit_get_context(tsk, 1, return_code);
+        context = audit_get_context(tsk, valid, return_code);
        task_unlock(tsk);
        /* Not having a context here is ok, since the parent may have
@@ -868,6 +881,7 @@ void audit_syscall_exit(struct task_struct *tsk, int return_code)
        context->in_syscall = 0;
        context->auditable  = 0;
        if (context->previous) {
                struct audit_context *new_context = context->previous;
                context->previous  = NULL;
@@ -981,7 +995,7 @@ void audit_inode(const char *name, const struct inode *inode)
 }
 void audit_get_stamp(struct audit_context *ctx,
-                     struct timespec *t, int *serial)
+                     struct timespec *t, unsigned int *serial)
 {
        if (ctx) {
                t->tv_sec  = ctx->ctime.tv_sec;
@@ -996,20 +1010,21 @@ void audit_get_stamp(struct audit_context *ctx,
 extern int audit_set_type(struct audit_buffer *ab, int type);
-int audit_set_loginuid(struct audit_context *ctx, uid_t loginuid)
+int audit_set_loginuid(struct task_struct *task, uid_t loginuid)
 {
-        if (ctx) {
+        if (task->audit_context) {
                struct audit_buffer *ab;
                ab = audit_log_start(NULL);
                if (ab) {
                        audit_log_format(ab, "login pid=%d uid=%u "
                                "old loginuid=%u new loginuid=%u",
-                                ctx->pid, ctx->uid, ctx->loginuid, loginuid);
+                                task->pid, task->uid, 
+                                task->audit_context->loginuid, loginuid);
                        audit_set_type(ab, AUDIT_LOGIN);
                        audit_log_end(ab);
                }
-                ctx->loginuid = loginuid;
+                task->audit_context->loginuid = loginuid;
        }
        return 0;
 }

diff --git a/kernel/audit.c b/kernel/audit.c index 0f84dd7af2c8..4a697c73faec 100644 --- a/kernel/audit.c +++ b/kernel/audit.c
@@ -1,4 +1,4 @@
1	/* audit.c -- Auditing support -- linux-c --	1	/* audit.c -- Auditing support
2	* Gateway between the kernel (e.g., selinux) and the user-space audit daemon.	2	* Gateway between the kernel (e.g., selinux) and the user-space audit daemon.
3	* System-call specific features have moved to auditsc.c	3	* System-call specific features have moved to auditsc.c
4	*	4	*
@@ -38,7 +38,7 @@
38	* 6) Support low-overhead kernel-based filtering to minimize the	38	* 6) Support low-overhead kernel-based filtering to minimize the
39	* information that must be passed to user-space.	39	* information that must be passed to user-space.
40	*	40	*
41	* Example user-space utilities: http://people.redhat.com/faith/audit/	41	* Example user-space utilities: http://people.redhat.com/sgrubb/audit/
42	*/	42	*/
43		43
44	#include <linux/init.h>	44	#include <linux/init.h>
@@ -142,7 +142,6 @@ struct audit_buffer {
142	int total;	142	int total;
143	int type;	143	int type;
144	int pid;	144	int pid;
145	int count; /* Times requeued */
146	};	145	};
147		146
148	void audit_set_type(struct audit_buffer *ab, int type)	147	void audit_set_type(struct audit_buffer *ab, int type)
@@ -239,36 +238,36 @@ void audit_log_lost(const char *message)
239		238
240	}	239	}
241		240
242	static int audit_set_rate_limit(int limit)	241	static int audit_set_rate_limit(int limit, uid_t loginuid)
243	{	242	{
244	int old = audit_rate_limit;	243	int old = audit_rate_limit;
245	audit_rate_limit = limit;	244	audit_rate_limit = limit;
246	audit_log(current->audit_context, "audit_rate_limit=%d old=%d",	245	audit_log(NULL, "audit_rate_limit=%d old=%d by auid %u",
247	audit_rate_limit, old);	246	audit_rate_limit, old, loginuid);
248	return old;	247	return old;
249	}	248	}
250		249
251	static int audit_set_backlog_limit(int limit)	250	static int audit_set_backlog_limit(int limit, uid_t loginuid)
252	{	251	{
253	int old = audit_backlog_limit;	252	int old = audit_backlog_limit;
254	audit_backlog_limit = limit;	253	audit_backlog_limit = limit;
255	audit_log(current->audit_context, "audit_backlog_limit=%d old=%d",	254	audit_log(NULL, "audit_backlog_limit=%d old=%d by auid %u",
256	audit_backlog_limit, old);	255	audit_backlog_limit, old, loginuid);
257	return old;	256	return old;
258	}	257	}
259		258
260	static int audit_set_enabled(int state)	259	static int audit_set_enabled(int state, uid_t loginuid)
261	{	260	{
262	int old = audit_enabled;	261	int old = audit_enabled;
263	if (state != 0 && state != 1)	262	if (state != 0 && state != 1)
264	return -EINVAL;	263	return -EINVAL;
265	audit_enabled = state;	264	audit_enabled = state;
266	audit_log(current->audit_context, "audit_enabled=%d old=%d",	265	audit_log(NULL, "audit_enabled=%d old=%d by auid %u",
267	audit_enabled, old);	266	audit_enabled, old, loginuid);
268	return old;	267	return old;
269	}	268	}
270		269
271	static int audit_set_failure(int state)	270	static int audit_set_failure(int state, uid_t loginuid)
272	{	271	{
273	int old = audit_failure;	272	int old = audit_failure;
274	if (state != AUDIT_FAIL_SILENT	273	if (state != AUDIT_FAIL_SILENT
@@ -276,8 +275,8 @@ static int audit_set_failure(int state)
276	&& state != AUDIT_FAIL_PANIC)	275	&& state != AUDIT_FAIL_PANIC)
277	return -EINVAL;	276	return -EINVAL;
278	audit_failure = state;	277	audit_failure = state;
279	audit_log(current->audit_context, "audit_failure=%d old=%d",	278	audit_log(NULL, "audit_failure=%d old=%d by auid %u",
280	audit_failure, old);	279	audit_failure, old, loginuid);
281	return old;	280	return old;
282	}	281	}
283		282
@@ -344,6 +343,7 @@ static int audit_receive_msg(struct sk_buff skb, struct nlmsghdr nlh)
344	int err;	343	int err;
345	struct audit_buffer *ab;	344	struct audit_buffer *ab;
346	u16 msg_type = nlh->nlmsg_type;	345	u16 msg_type = nlh->nlmsg_type;
		346	uid_t loginuid; /* loginuid of sender */
347		347
348	err = audit_netlink_ok(NETLINK_CB(skb).eff_cap, msg_type);	348	err = audit_netlink_ok(NETLINK_CB(skb).eff_cap, msg_type);
349	if (err)	349	if (err)
@@ -351,6 +351,7 @@ static int audit_receive_msg(struct sk_buff skb, struct nlmsghdr nlh)
351		351
352	pid = NETLINK_CREDS(skb)->pid;	352	pid = NETLINK_CREDS(skb)->pid;
353	uid = NETLINK_CREDS(skb)->uid;	353	uid = NETLINK_CREDS(skb)->uid;
		354	loginuid = NETLINK_CB(skb).loginuid;
354	seq = nlh->nlmsg_seq;	355	seq = nlh->nlmsg_seq;
355	data = NLMSG_DATA(nlh);	356	data = NLMSG_DATA(nlh);
356		357
@@ -371,34 +372,36 @@ static int audit_receive_msg(struct sk_buff skb, struct nlmsghdr nlh)
371	return -EINVAL;	372	return -EINVAL;
372	status_get = (struct audit_status *)data;	373	status_get = (struct audit_status *)data;
373	if (status_get->mask & AUDIT_STATUS_ENABLED) {	374	if (status_get->mask & AUDIT_STATUS_ENABLED) {
374	err = audit_set_enabled(status_get->enabled);	375	err = audit_set_enabled(status_get->enabled, loginuid);
375	if (err < 0) return err;	376	if (err < 0) return err;
376	}	377	}
377	if (status_get->mask & AUDIT_STATUS_FAILURE) {	378	if (status_get->mask & AUDIT_STATUS_FAILURE) {
378	err = audit_set_failure(status_get->failure);	379	err = audit_set_failure(status_get->failure, loginuid);
379	if (err < 0) return err;	380	if (err < 0) return err;
380	}	381	}
381	if (status_get->mask & AUDIT_STATUS_PID) {	382	if (status_get->mask & AUDIT_STATUS_PID) {
382	int old = audit_pid;	383	int old = audit_pid;
383	audit_pid = status_get->pid;	384	audit_pid = status_get->pid;
384	audit_log(current->audit_context,	385	audit_log(NULL, "audit_pid=%d old=%d by auid %u",
385	"audit_pid=%d old=%d", audit_pid, old);	386	audit_pid, old, loginuid);
386	}	387	}
387	if (status_get->mask & AUDIT_STATUS_RATE_LIMIT)	388	if (status_get->mask & AUDIT_STATUS_RATE_LIMIT)
388	audit_set_rate_limit(status_get->rate_limit);	389	audit_set_rate_limit(status_get->rate_limit, loginuid);
389	if (status_get->mask & AUDIT_STATUS_BACKLOG_LIMIT)	390	if (status_get->mask & AUDIT_STATUS_BACKLOG_LIMIT)
390	audit_set_backlog_limit(status_get->backlog_limit);	391	audit_set_backlog_limit(status_get->backlog_limit,
		392	loginuid);
391	break;	393	break;
392	case AUDIT_USER:	394	case AUDIT_USER:
393	ab = audit_log_start(NULL);	395	ab = audit_log_start(NULL);
394	if (!ab)	396	if (!ab)
395	break; /* audit_panic has been called */	397	break; /* audit_panic has been called */
396	audit_log_format(ab,	398	audit_log_format(ab,
397	"user pid=%d uid=%d length=%d msg='%.1024s'",	399	"user pid=%d uid=%d length=%d loginuid=%u"
		400	" msg='%.1024s'",
398	pid, uid,	401	pid, uid,
399	(int)(nlh->nlmsg_len	402	(int)(nlh->nlmsg_len
400	- ((char )data - (char )nlh)),	403	- ((char )data - (char )nlh)),
401	(char *)data);	404	loginuid, (char *)data);
402	ab->type = AUDIT_USER;	405	ab->type = AUDIT_USER;
403	ab->pid = pid;	406	ab->pid = pid;
404	audit_log_end(ab);	407	audit_log_end(ab);
@@ -411,7 +414,7 @@ static int audit_receive_msg(struct sk_buff skb, struct nlmsghdr nlh)
411	case AUDIT_LIST:	414	case AUDIT_LIST:
412	#ifdef CONFIG_AUDITSYSCALL	415	#ifdef CONFIG_AUDITSYSCALL
413	err = audit_receive_filter(nlh->nlmsg_type, NETLINK_CB(skb).pid,	416	err = audit_receive_filter(nlh->nlmsg_type, NETLINK_CB(skb).pid,
414	uid, seq, data);	417	uid, seq, data, loginuid);
415	#else	418	#else
416	err = -EOPNOTSUPP;	419	err = -EOPNOTSUPP;
417	#endif	420	#endif
@@ -522,9 +525,9 @@ static inline int audit_log_drain(struct audit_buffer *ab)
522	retval = netlink_unicast(audit_sock, skb, audit_pid,	525	retval = netlink_unicast(audit_sock, skb, audit_pid,
523	MSG_DONTWAIT);	526	MSG_DONTWAIT);
524	}	527	}
525	if (retval == -EAGAIN && ab->count < 5) {	528	if (retval == -EAGAIN &&
526	++ab->count;	529	(atomic_read(&audit_backlog)) < audit_backlog_limit) {
527	skb_queue_tail(&ab->sklist, skb);	530	skb_queue_head(&ab->sklist, skb);
528	audit_log_end_irq(ab);	531	audit_log_end_irq(ab);
529	return 1;	532	return 1;
530	}	533	}
@@ -540,8 +543,8 @@ static inline int audit_log_drain(struct audit_buffer *ab)
540	if (!audit_pid) { /* No daemon */	543	if (!audit_pid) { /* No daemon */
541	int offset = ab->nlh ? NLMSG_SPACE(0) : 0;	544	int offset = ab->nlh ? NLMSG_SPACE(0) : 0;
542	int len = skb->len - offset;	545	int len = skb->len - offset;
543	printk(KERN_ERR "%.s\n",	546	skb->data[offset + len] = '\0';
544	len, len, skb->data + offset);	547	printk(KERN_ERR "%s\n", skb->data + offset);
545	}	548	}
546	kfree_skb(skb);	549	kfree_skb(skb);
547	ab->nlh = NULL;	550	ab->nlh = NULL;
@@ -620,7 +623,7 @@ struct audit_buffer audit_log_start(struct audit_context ctx)
620	struct audit_buffer *ab = NULL;	623	struct audit_buffer *ab = NULL;
621	unsigned long flags;	624	unsigned long flags;
622	struct timespec t;	625	struct timespec t;
623	int serial = 0;	626	unsigned int serial;
624		627
625	if (!audit_initialized)	628	if (!audit_initialized)
626	return NULL;	629	return NULL;
@@ -662,15 +665,16 @@ struct audit_buffer audit_log_start(struct audit_context ctx)
662	ab->total = 0;	665	ab->total = 0;
663	ab->type = AUDIT_KERNEL;	666	ab->type = AUDIT_KERNEL;
664	ab->pid = 0;	667	ab->pid = 0;
665	ab->count = 0;
666		668
667	#ifdef CONFIG_AUDITSYSCALL	669	#ifdef CONFIG_AUDITSYSCALL
668	if (ab->ctx)	670	if (ab->ctx)
669	audit_get_stamp(ab->ctx, &t, &serial);	671	audit_get_stamp(ab->ctx, &t, &serial);
670	else	672	else
671	#endif	673	#endif
		674	{
672	t = CURRENT_TIME;	675	t = CURRENT_TIME;
673		676	serial = 0;
		677	}
674	audit_log_format(ab, "audit(%lu.%03lu:%u): ",	678	audit_log_format(ab, "audit(%lu.%03lu:%u): ",
675	t.tv_sec, t.tv_nsec/1000000, serial);	679	t.tv_sec, t.tv_nsec/1000000, serial);
676	return ab;	680	return ab;
@@ -720,6 +724,29 @@ void audit_log_format(struct audit_buffer ab, const char fmt, ...)
720	va_end(args);	724	va_end(args);
721	}	725	}
722		726
		727	void audit_log_hex(struct audit_buffer ab, const unsigned char buf, size_t len)
		728	{
		729	int i;
		730
		731	for (i=0; i<len; i++)
		732	audit_log_format(ab, "%02x", buf[i]);
		733	}
		734
		735	void audit_log_untrustedstring(struct audit_buffer ab, const char string)
		736	{
		737	const unsigned char *p = string;
		738
		739	while (*p) {
		740	if (p == '"' \|\| p == ' ' \|\| p < 0x20 \|\| p > 0x7f) {
		741	audit_log_hex(ab, string, strlen(string));
		742	return;
		743	}
		744	p++;
		745	}
		746	audit_log_format(ab, "\"%s\"", string);
		747	}
		748
		749
723	/* This is a helper-function to print the d_path without using a static	750	/* This is a helper-function to print the d_path without using a static
724	* buffer or allocating another buffer in addition to the one in	751	* buffer or allocating another buffer in addition to the one in
725	* audit_buffer. */	752	* audit_buffer. */


diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 6f1931381bc9..37b3ac94bc47 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c
@@ -1,4 +1,4 @@
1	/* auditsc.c -- System-call auditing support -- linux-c --	1	/* auditsc.c -- System-call auditing support
2	* Handles all system-call specific auditing features.	2	* Handles all system-call specific auditing features.
3	*	3	*
4	* Copyright 2003-2004 Red Hat Inc., Durham, North Carolina.	4	* Copyright 2003-2004 Red Hat Inc., Durham, North Carolina.
@@ -123,7 +123,7 @@ struct audit_context {
123	int major; /* syscall number */	123	int major; /* syscall number */
124	unsigned long argv[4]; /* syscall arguments */	124	unsigned long argv[4]; /* syscall arguments */
125	int return_valid; /* return code is valid */	125	int return_valid; /* return code is valid */
126	int return_code;/* syscall return code */	126	long return_code;/* syscall return code */
127	int auditable; /* 1 if record should be written */	127	int auditable; /* 1 if record should be written */
128	int name_count;	128	int name_count;
129	struct audit_names names[AUDIT_NAMES];	129	struct audit_names names[AUDIT_NAMES];
@@ -135,6 +135,7 @@ struct audit_context {
135	uid_t uid, euid, suid, fsuid;	135	uid_t uid, euid, suid, fsuid;
136	gid_t gid, egid, sgid, fsgid;	136	gid_t gid, egid, sgid, fsgid;
137	unsigned long personality;	137	unsigned long personality;
		138	int arch;
138		139
139	#if AUDIT_DEBUG	140	#if AUDIT_DEBUG
140	int put_count;	141	int put_count;
@@ -250,7 +251,8 @@ static int audit_copy_rule(struct audit_rule d, struct audit_rule s)
250	return 0;	251	return 0;
251	}	252	}
252		253
253	int audit_receive_filter(int type, int pid, int uid, int seq, void *data)	254	int audit_receive_filter(int type, int pid, int uid, int seq, void *data,
		255	uid_t loginuid)
254	{	256	{
255	u32 flags;	257	u32 flags;
256	struct audit_entry *entry;	258	struct audit_entry *entry;
@@ -285,6 +287,7 @@ int audit_receive_filter(int type, int pid, int uid, int seq, void *data)
285	err = audit_add_rule(entry, &audit_entlist);	287	err = audit_add_rule(entry, &audit_entlist);
286	if (!err && (flags & AUDIT_AT_EXIT))	288	if (!err && (flags & AUDIT_AT_EXIT))
287	err = audit_add_rule(entry, &audit_extlist);	289	err = audit_add_rule(entry, &audit_extlist);
		290	audit_log(NULL, "auid %u added an audit rule\n", loginuid);
288	break;	291	break;
289	case AUDIT_DEL:	292	case AUDIT_DEL:
290	flags =((struct audit_rule *)data)->flags;	293	flags =((struct audit_rule *)data)->flags;
@@ -294,6 +297,7 @@ int audit_receive_filter(int type, int pid, int uid, int seq, void *data)
294	err = audit_del_rule(data, &audit_entlist);	297	err = audit_del_rule(data, &audit_entlist);
295	if (!err && (flags & AUDIT_AT_EXIT))	298	if (!err && (flags & AUDIT_AT_EXIT))
296	err = audit_del_rule(data, &audit_extlist);	299	err = audit_del_rule(data, &audit_extlist);
		300	audit_log(NULL, "auid %u removed an audit rule\n", loginuid);
297	break;	301	break;
298	default:	302	default:
299	return -EINVAL;	303	return -EINVAL;
@@ -348,6 +352,10 @@ static int audit_filter_rules(struct task_struct *tsk,
348	case AUDIT_PERS:	352	case AUDIT_PERS:
349	result = (tsk->personality == value);	353	result = (tsk->personality == value);
350	break;	354	break;
		355	case AUDIT_ARCH:
		356	if (ctx)
		357	result = (ctx->arch == value);
		358	break;
351		359
352	case AUDIT_EXIT:	360	case AUDIT_EXIT:
353	if (ctx && ctx->return_valid)	361	if (ctx && ctx->return_valid)
@@ -355,7 +363,7 @@ static int audit_filter_rules(struct task_struct *tsk,
355	break;	363	break;
356	case AUDIT_SUCCESS:	364	case AUDIT_SUCCESS:
357	if (ctx && ctx->return_valid)	365	if (ctx && ctx->return_valid)
358	result = (ctx->return_code >= 0);	366	result = (ctx->return_valid == AUDITSC_SUCCESS);
359	break;	367	break;
360	case AUDIT_DEVMAJOR:	368	case AUDIT_DEVMAJOR:
361	if (ctx) {	369	if (ctx) {
@@ -648,8 +656,11 @@ static void audit_log_exit(struct audit_context *context)
648	audit_log_format(ab, "syscall=%d", context->major);	656	audit_log_format(ab, "syscall=%d", context->major);
649	if (context->personality != PER_LINUX)	657	if (context->personality != PER_LINUX)
650	audit_log_format(ab, " per=%lx", context->personality);	658	audit_log_format(ab, " per=%lx", context->personality);
		659	audit_log_format(ab, " arch=%x", context->arch);
651	if (context->return_valid)	660	if (context->return_valid)
652	audit_log_format(ab, " exit=%d", context->return_code);	661	audit_log_format(ab, " success=%s exit=%ld",
		662	(context->return_valid==AUDITSC_SUCCESS)?"yes":"no",
		663	context->return_code);
653	audit_log_format(ab,	664	audit_log_format(ab,
654	" a0=%lx a1=%lx a2=%lx a3=%lx items=%d"	665	" a0=%lx a1=%lx a2=%lx a3=%lx items=%d"
655	" pid=%d loginuid=%d uid=%d gid=%d"	666	" pid=%d loginuid=%d uid=%d gid=%d"
@@ -696,9 +707,10 @@ static void audit_log_exit(struct audit_context *context)
696	if (!ab)	707	if (!ab)
697	continue; /* audit_panic has been called */	708	continue; /* audit_panic has been called */
698	audit_log_format(ab, "item=%d", i);	709	audit_log_format(ab, "item=%d", i);
699	if (context->names[i].name)	710	if (context->names[i].name) {
700	audit_log_format(ab, " name=%s",	711	audit_log_format(ab, " name=");
701	context->names[i].name);	712	audit_log_untrustedstring(ab, context->names[i].name);
		713	}
702	if (context->names[i].ino != (unsigned long)-1)	714	if (context->names[i].ino != (unsigned long)-1)
703	audit_log_format(ab, " inode=%lu dev=%02x:%02x mode=%#o"	715	audit_log_format(ab, " inode=%lu dev=%02x:%02x mode=%#o"
704	" uid=%d gid=%d rdev=%02x:%02x",	716	" uid=%d gid=%d rdev=%02x:%02x",
@@ -772,7 +784,7 @@ static inline unsigned int audit_serial(void)
772	* then the record will be written at syscall exit time (otherwise, it	784	* then the record will be written at syscall exit time (otherwise, it
773	* will only be written if another part of the kernel requests that it	785	* will only be written if another part of the kernel requests that it
774	* be written). */	786	* be written). */
775	void audit_syscall_entry(struct task_struct *tsk, int major,	787	void audit_syscall_entry(struct task_struct *tsk, int arch, int major,
776	unsigned long a1, unsigned long a2,	788	unsigned long a1, unsigned long a2,
777	unsigned long a3, unsigned long a4)	789	unsigned long a3, unsigned long a4)
778	{	790	{
@@ -826,6 +838,7 @@ void audit_syscall_entry(struct task_struct *tsk, int major,
826	if (!audit_enabled)	838	if (!audit_enabled)
827	return;	839	return;
828		840
		841	context->arch = arch;
829	context->major = major;	842	context->major = major;
830	context->argv[0] = a1;	843	context->argv[0] = a1;
831	context->argv[1] = a2;	844	context->argv[1] = a2;
@@ -849,13 +862,13 @@ void audit_syscall_entry(struct task_struct *tsk, int major,
849	* filtering, or because some other part of the kernel write an audit	862	* filtering, or because some other part of the kernel write an audit
850	* message), then write out the syscall information. In call cases,	863	* message), then write out the syscall information. In call cases,
851	* free the names stored from getname(). */	864	* free the names stored from getname(). */
852	void audit_syscall_exit(struct task_struct *tsk, int return_code)	865	void audit_syscall_exit(struct task_struct *tsk, int valid, long return_code)
853	{	866	{
854	struct audit_context *context;	867	struct audit_context *context;
855		868
856	get_task_struct(tsk);	869	get_task_struct(tsk);
857	task_lock(tsk);	870	task_lock(tsk);
858	context = audit_get_context(tsk, 1, return_code);	871	context = audit_get_context(tsk, valid, return_code);
859	task_unlock(tsk);	872	task_unlock(tsk);
860		873
861	/* Not having a context here is ok, since the parent may have	874	/* Not having a context here is ok, since the parent may have
@@ -868,6 +881,7 @@ void audit_syscall_exit(struct task_struct *tsk, int return_code)
868		881
869	context->in_syscall = 0;	882	context->in_syscall = 0;
870	context->auditable = 0;	883	context->auditable = 0;
		884
871	if (context->previous) {	885	if (context->previous) {
872	struct audit_context *new_context = context->previous;	886	struct audit_context *new_context = context->previous;
873	context->previous = NULL;	887	context->previous = NULL;
@@ -981,7 +995,7 @@ void audit_inode(const char name, const struct inode inode)
981	}	995	}
982		996
983	void audit_get_stamp(struct audit_context *ctx,	997	void audit_get_stamp(struct audit_context *ctx,
984	struct timespec t, int serial)	998	struct timespec t, unsigned int serial)
985	{	999	{
986	if (ctx) {	1000	if (ctx) {
987	t->tv_sec = ctx->ctime.tv_sec;	1001	t->tv_sec = ctx->ctime.tv_sec;
@@ -996,20 +1010,21 @@ void audit_get_stamp(struct audit_context *ctx,
996		1010
997	extern int audit_set_type(struct audit_buffer *ab, int type);	1011	extern int audit_set_type(struct audit_buffer *ab, int type);
998		1012
999	int audit_set_loginuid(struct audit_context *ctx, uid_t loginuid)	1013	int audit_set_loginuid(struct task_struct *task, uid_t loginuid)
1000	{	1014	{
1001	if (ctx) {	1015	if (task->audit_context) {
1002	struct audit_buffer *ab;	1016	struct audit_buffer *ab;
1003		1017
1004	ab = audit_log_start(NULL);	1018	ab = audit_log_start(NULL);
1005	if (ab) {	1019	if (ab) {
1006	audit_log_format(ab, "login pid=%d uid=%u "	1020	audit_log_format(ab, "login pid=%d uid=%u "
1007	"old loginuid=%u new loginuid=%u",	1021	"old loginuid=%u new loginuid=%u",
1008	ctx->pid, ctx->uid, ctx->loginuid, loginuid);	1022	task->pid, task->uid,
		1023	task->audit_context->loginuid, loginuid);
1009	audit_set_type(ab, AUDIT_LOGIN);	1024	audit_set_type(ab, AUDIT_LOGIN);
1010	audit_log_end(ab);	1025	audit_log_end(ab);
1011	}	1026	}
1012	ctx->loginuid = loginuid;	1027	task->audit_context->loginuid = loginuid;
1013	}	1028	}
1014	return 0;	1029	return 0;
1015	}	1030	}