Kernel

Kernel Git Source Tree

Root/kernel/auditsc.c

1	/* auditsc.c -- System-call auditing support
2	* Handles all system-call specific auditing features.
3	*
4	* Copyright 2003-2004 Red Hat Inc., Durham, North Carolina.
5	* Copyright 2005 Hewlett-Packard Development Company, L.P.
6	* Copyright (C) 2005, 2006 IBM Corporation
7	* All Rights Reserved.
8	*
9	* This program is free software; you can redistribute it and/or modify
10	* it under the terms of the GNU General Public License as published by
11	* the Free Software Foundation; either version 2 of the License, or
12	* (at your option) any later version.
13	*
14	* This program is distributed in the hope that it will be useful,
15	* but WITHOUT ANY WARRANTY; without even the implied warranty of
16	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17	* GNU General Public License for more details.
18	*
19	* You should have received a copy of the GNU General Public License
20	* along with this program; if not, write to the Free Software
21	* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
22	*
23	* Written by Rickard E. (Rik) Faith <faith@redhat.com>
24	*
25	* Many of the ideas implemented here are from Stephen C. Tweedie,
26	* especially the idea of avoiding a copy by using getname.
27	*
28	* The method for actual interception of syscall entry and exit (not in
29	* this file -- see entry.S) is based on a GPL'd patch written by
30	* okir@suse.de and Copyright 2003 SuSE Linux AG.
31	*
32	* POSIX message queue support added by George Wilson <ltcgcw@us.ibm.com>,
33	* 2006.
34	*
35	* The support of additional filter rules compares (>, <, >=, <=) was
36	* added by Dustin Kirkland <dustin.kirkland@us.ibm.com>, 2005.
37	*
38	* Modified by Amy Griffis <amy.griffis@hp.com> to collect additional
39	* filesystem information.
40	*
41	* Subject and object context labeling support added by <danjones@us.ibm.com>
42	* and <dustin.kirkland@us.ibm.com> for LSPP certification compliance.
43	*/
44
45	#include <linux/init.h>
46	#include <asm/types.h>
47	#include <asm/atomic.h>
48	#include <linux/fs.h>
49	#include <linux/namei.h>
50	#include <linux/mm.h>
51	#include <linux/module.h>
52	#include <linux/slab.h>
53	#include <linux/mount.h>
54	#include <linux/socket.h>
55	#include <linux/mqueue.h>
56	#include <linux/audit.h>
57	#include <linux/personality.h>
58	#include <linux/time.h>
59	#include <linux/netlink.h>
60	#include <linux/compiler.h>
61	#include <asm/unistd.h>
62	#include <linux/security.h>
63	#include <linux/list.h>
64	#include <linux/tty.h>
65	#include <linux/binfmts.h>
66	#include <linux/highmem.h>
67	#include <linux/syscalls.h>
68	#include <linux/capability.h>
69	#include <linux/fs_struct.h>
70
71	#include "audit.h"
72
73	/* AUDIT_NAMES is the number of slots we reserve in the audit_context
74	* for saving names from getname(). */
75	#define AUDIT_NAMES 20
76
77	/* Indicates that audit should log the full pathname. */
78	#define AUDIT_NAME_FULL -1
79
80	/* no execve audit message should be longer than this (userspace limits) */
81	#define MAX_EXECVE_AUDIT_LEN 7500
82
83	/* number of audit rules */
84	int audit_n_rules;
85
86	/* determines whether we collect data for signals sent */
87	int audit_signals;
88
89	struct audit_cap_data {
90	kernel_cap_t permitted;
91	kernel_cap_t inheritable;
92	union {
93	unsigned int fE; /* effective bit of a file capability */
94	kernel_cap_t effective; /* effective set of a process */
95	};
96	};
97
98	/* When fs/namei.c:getname() is called, we store the pointer in name and
99	* we don't let putname() free it (instead we free all of the saved
100	* pointers at syscall exit time).
101	*
102	* Further, in fs/namei.c:path_lookup() we store the inode and device. */
103	struct audit_names {
104	const char *name;
105	int name_len; /* number of name's characters to log */
106	unsigned name_put; /* call __putname() for this name */
107	unsigned long ino;
108	dev_t dev;
109	umode_t mode;
110	uid_t uid;
111	gid_t gid;
112	dev_t rdev;
113	u32 osid;
114	struct audit_cap_data fcap;
115	unsigned int fcap_ver;
116	};
117
118	struct audit_aux_data {
119	struct audit_aux_data *next;
120	int type;
121	};
122
123	#define AUDIT_AUX_IPCPERM 0
124
125	/* Number of target pids per aux struct. */
126	#define AUDIT_AUX_PIDS 16
127
128	struct audit_aux_data_execve {
129	struct audit_aux_data d;
130	int argc;
131	int envc;
132	struct mm_struct *mm;
133	};
134
135	struct audit_aux_data_pids {
136	struct audit_aux_data d;
137	pid_t target_pid[AUDIT_AUX_PIDS];
138	uid_t target_auid[AUDIT_AUX_PIDS];
139	uid_t target_uid[AUDIT_AUX_PIDS];
140	unsigned int target_sessionid[AUDIT_AUX_PIDS];
141	u32 target_sid[AUDIT_AUX_PIDS];
142	char target_comm[AUDIT_AUX_PIDS][TASK_COMM_LEN];
143	int pid_count;
144	};
145
146	struct audit_aux_data_bprm_fcaps {
147	struct audit_aux_data d;
148	struct audit_cap_data fcap;
149	unsigned int fcap_ver;
150	struct audit_cap_data old_pcap;
151	struct audit_cap_data new_pcap;
152	};
153
154	struct audit_aux_data_capset {
155	struct audit_aux_data d;
156	pid_t pid;
157	struct audit_cap_data cap;
158	};
159
160	struct audit_tree_refs {
161	struct audit_tree_refs *next;
162	struct audit_chunk *c[31];
163	};
164
165	/* The per-task audit context. */
166	struct audit_context {
167	int dummy; /* must be the first element */
168	int in_syscall; /* 1 if task is in a syscall */
169	enum audit_state state, current_state;
170	unsigned int serial; /* serial number for record */
171	int major; /* syscall number */
172	struct timespec ctime; /* time of syscall entry */
173	unsigned long argv[4]; /* syscall arguments */
174	long return_code;/* syscall return code */
175	u64 prio;
176	int return_valid; /* return code is valid */
177	int name_count;
178	struct audit_names names[AUDIT_NAMES];
179	char * filterkey; /* key for rule that triggered record */
180	struct path pwd;
181	struct audit_context previous; / For nested syscalls */
182	struct audit_aux_data *aux;
183	struct audit_aux_data *aux_pids;
184	struct sockaddr_storage *sockaddr;
185	size_t sockaddr_len;
186	/* Save things to print about task_struct */
187	pid_t pid, ppid;
188	uid_t uid, euid, suid, fsuid;
189	gid_t gid, egid, sgid, fsgid;
190	unsigned long personality;
191	int arch;
192
193	pid_t target_pid;
194	uid_t target_auid;
195	uid_t target_uid;
196	unsigned int target_sessionid;
197	u32 target_sid;
198	char target_comm[TASK_COMM_LEN];
199
200	struct audit_tree_refs trees, first_trees;
201	struct list_head killed_trees;
202	int tree_count;
203
204	int type;
205	union {
206	struct {
207	int nargs;
208	long args[6];
209	} socketcall;
210	struct {
211	uid_t uid;
212	gid_t gid;
213	mode_t mode;
214	u32 osid;
215	int has_perm;
216	uid_t perm_uid;
217	gid_t perm_gid;
218	mode_t perm_mode;
219	unsigned long qbytes;
220	} ipc;
221	struct {
222	mqd_t mqdes;
223	struct mq_attr mqstat;
224	} mq_getsetattr;
225	struct {
226	mqd_t mqdes;
227	int sigev_signo;
228	} mq_notify;
229	struct {
230	mqd_t mqdes;
231	size_t msg_len;
232	unsigned int msg_prio;
233	struct timespec abs_timeout;
234	} mq_sendrecv;
235	struct {
236	int oflag;
237	mode_t mode;
238	struct mq_attr attr;
239	} mq_open;
240	struct {
241	pid_t pid;
242	struct audit_cap_data cap;
243	} capset;
244	struct {
245	int fd;
246	int flags;
247	} mmap;
248	};
249	int fds[2];
250
251	#if AUDIT_DEBUG
252	int put_count;
253	int ino_count;
254	#endif
255	};
256
257	static inline int open_arg(int flags, int mask)
258	{
259	int n = ACC_MODE(flags);
260	if (flags & (O_TRUNC \| O_CREAT))
261	n \|= AUDIT_PERM_WRITE;
262	return n & mask;
263	}
264
265	static int audit_match_perm(struct audit_context *ctx, int mask)
266	{
267	unsigned n;
268	if (unlikely(!ctx))
269	return 0;
270	n = ctx->major;
271
272	switch (audit_classify_syscall(ctx->arch, n)) {
273	case 0: /* native */
274	if ((mask & AUDIT_PERM_WRITE) &&
275	audit_match_class(AUDIT_CLASS_WRITE, n))
276	return 1;
277	if ((mask & AUDIT_PERM_READ) &&
278	audit_match_class(AUDIT_CLASS_READ, n))
279	return 1;
280	if ((mask & AUDIT_PERM_ATTR) &&
281	audit_match_class(AUDIT_CLASS_CHATTR, n))
282	return 1;
283	return 0;
284	case 1: /* 32bit on biarch */
285	if ((mask & AUDIT_PERM_WRITE) &&
286	audit_match_class(AUDIT_CLASS_WRITE_32, n))
287	return 1;
288	if ((mask & AUDIT_PERM_READ) &&
289	audit_match_class(AUDIT_CLASS_READ_32, n))
290	return 1;
291	if ((mask & AUDIT_PERM_ATTR) &&
292	audit_match_class(AUDIT_CLASS_CHATTR_32, n))
293	return 1;
294	return 0;
295	case 2: /* open */
296	return mask & ACC_MODE(ctx->argv[1]);
297	case 3: /* openat */
298	return mask & ACC_MODE(ctx->argv[2]);
299	case 4: /* socketcall */
300	return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND);
301	case 5: /* execve */
302	return mask & AUDIT_PERM_EXEC;
303	default:
304	return 0;
305	}
306	}
307
308	static int audit_match_filetype(struct audit_context *ctx, int which)
309	{
310	unsigned index = which & ~S_IFMT;
311	mode_t mode = which & S_IFMT;
312
313	if (unlikely(!ctx))
314	return 0;
315
316	if (index >= ctx->name_count)
317	return 0;
318	if (ctx->names[index].ino == -1)
319	return 0;
320	if ((ctx->names[index].mode ^ mode) & S_IFMT)
321	return 0;
322	return 1;
323	}
324
325	/*
326	* We keep a linked list of fixed-sized (31 pointer) arrays of audit_chunk *;
327	* ->first_trees points to its beginning, ->trees - to the current end of data.
328	* ->tree_count is the number of free entries in array pointed to by ->trees.
329	* Original condition is (NULL, NULL, 0); as soon as it grows we never revert to NULL,
330	* "empty" becomes (p, p, 31) afterwards. We don't shrink the list (and seriously,
331	* it's going to remain 1-element for almost any setup) until we free context itself.
332	* References in it _are_ dropped - at the same time we free/drop aux stuff.
333	*/
334
335	#ifdef CONFIG_AUDIT_TREE
336	static void audit_set_auditable(struct audit_context *ctx)
337	{
338	if (!ctx->prio) {
339	ctx->prio = 1;
340	ctx->current_state = AUDIT_RECORD_CONTEXT;
341	}
342	}
343
344	static int put_tree_ref(struct audit_context ctx, struct audit_chunk chunk)
345	{
346	struct audit_tree_refs *p = ctx->trees;
347	int left = ctx->tree_count;
348	if (likely(left)) {
349	p->c[--left] = chunk;
350	ctx->tree_count = left;
351	return 1;
352	}
353	if (!p)
354	return 0;
355	p = p->next;
356	if (p) {
357	p->c[30] = chunk;
358	ctx->trees = p;
359	ctx->tree_count = 30;
360	return 1;
361	}
362	return 0;
363	}
364
365	static int grow_tree_refs(struct audit_context *ctx)
366	{
367	struct audit_tree_refs *p = ctx->trees;
368	ctx->trees = kzalloc(sizeof(struct audit_tree_refs), GFP_KERNEL);
369	if (!ctx->trees) {
370	ctx->trees = p;
371	return 0;
372	}
373	if (p)
374	p->next = ctx->trees;
375	else
376	ctx->first_trees = ctx->trees;
377	ctx->tree_count = 31;
378	return 1;
379	}
380	#endif
381
382	static void unroll_tree_refs(struct audit_context *ctx,
383	struct audit_tree_refs *p, int count)
384	{
385	#ifdef CONFIG_AUDIT_TREE
386	struct audit_tree_refs *q;
387	int n;
388	if (!p) {
389	/* we started with empty chain */
390	p = ctx->first_trees;
391	count = 31;
392	/* if the very first allocation has failed, nothing to do */
393	if (!p)
394	return;
395	}
396	n = count;
397	for (q = p; q != ctx->trees; q = q->next, n = 31) {
398	while (n--) {
399	audit_put_chunk(q->c[n]);
400	q->c[n] = NULL;
401	}
402	}
403	while (n-- > ctx->tree_count) {
404	audit_put_chunk(q->c[n]);
405	q->c[n] = NULL;
406	}
407	ctx->trees = p;
408	ctx->tree_count = count;
409	#endif
410	}
411
412	static void free_tree_refs(struct audit_context *ctx)
413	{
414	struct audit_tree_refs p, q;
415	for (p = ctx->first_trees; p; p = q) {
416	q = p->next;
417	kfree(p);
418	}
419	}
420
421	static int match_tree_refs(struct audit_context ctx, struct audit_tree tree)
422	{
423	#ifdef CONFIG_AUDIT_TREE
424	struct audit_tree_refs *p;
425	int n;
426	if (!tree)
427	return 0;
428	/* full ones */
429	for (p = ctx->first_trees; p != ctx->trees; p = p->next) {
430	for (n = 0; n < 31; n++)
431	if (audit_tree_match(p->c[n], tree))
432	return 1;
433	}
434	/* partial */
435	if (p) {
436	for (n = ctx->tree_count; n < 31; n++)
437	if (audit_tree_match(p->c[n], tree))
438	return 1;
439	}
440	#endif
441	return 0;
442	}
443
444	/* Determine if any context name data matches a rule's watch data */
445	/* Compare a task_struct with an audit_rule. Return 1 on match, 0
446	* otherwise. */
447	static int audit_filter_rules(struct task_struct *tsk,
448	struct audit_krule *rule,
449	struct audit_context *ctx,
450	struct audit_names *name,
451	enum audit_state *state)
452	{
453	const struct cred *cred = get_task_cred(tsk);
454	int i, j, need_sid = 1;
455	u32 sid;
456
457	for (i = 0; i < rule->field_count; i++) {
458	struct audit_field *f = &rule->fields[i];
459	int result = 0;
460
461	switch (f->type) {
462	case AUDIT_PID:
463	result = audit_comparator(tsk->pid, f->op, f->val);
464	break;
465	case AUDIT_PPID:
466	if (ctx) {
467	if (!ctx->ppid)
468	ctx->ppid = sys_getppid();
469	result = audit_comparator(ctx->ppid, f->op, f->val);
470	}
471	break;
472	case AUDIT_UID:
473	result = audit_comparator(cred->uid, f->op, f->val);
474	break;
475	case AUDIT_EUID:
476	result = audit_comparator(cred->euid, f->op, f->val);
477	break;
478	case AUDIT_SUID:
479	result = audit_comparator(cred->suid, f->op, f->val);
480	break;
481	case AUDIT_FSUID:
482	result = audit_comparator(cred->fsuid, f->op, f->val);
483	break;
484	case AUDIT_GID:
485	result = audit_comparator(cred->gid, f->op, f->val);
486	break;
487	case AUDIT_EGID:
488	result = audit_comparator(cred->egid, f->op, f->val);
489	break;
490	case AUDIT_SGID:
491	result = audit_comparator(cred->sgid, f->op, f->val);
492	break;
493	case AUDIT_FSGID:
494	result = audit_comparator(cred->fsgid, f->op, f->val);
495	break;
496	case AUDIT_PERS:
497	result = audit_comparator(tsk->personality, f->op, f->val);
498	break;
499	case AUDIT_ARCH:
500	if (ctx)
501	result = audit_comparator(ctx->arch, f->op, f->val);
502	break;
503
504	case AUDIT_EXIT:
505	if (ctx && ctx->return_valid)
506	result = audit_comparator(ctx->return_code, f->op, f->val);
507	break;
508	case AUDIT_SUCCESS:
509	if (ctx && ctx->return_valid) {
510	if (f->val)
511	result = audit_comparator(ctx->return_valid, f->op, AUDITSC_SUCCESS);
512	else
513	result = audit_comparator(ctx->return_valid, f->op, AUDITSC_FAILURE);
514	}
515	break;
516	case AUDIT_DEVMAJOR:
517	if (name)
518	result = audit_comparator(MAJOR(name->dev),
519	f->op, f->val);
520	else if (ctx) {
521	for (j = 0; j < ctx->name_count; j++) {
522	if (audit_comparator(MAJOR(ctx->names[j].dev), f->op, f->val)) {
523	++result;
524	break;
525	}
526	}
527	}
528	break;
529	case AUDIT_DEVMINOR:
530	if (name)
531	result = audit_comparator(MINOR(name->dev),
532	f->op, f->val);
533	else if (ctx) {
534	for (j = 0; j < ctx->name_count; j++) {
535	if (audit_comparator(MINOR(ctx->names[j].dev), f->op, f->val)) {
536	++result;
537	break;
538	}
539	}
540	}
541	break;
542	case AUDIT_INODE:
543	if (name)
544	result = (name->ino == f->val);
545	else if (ctx) {
546	for (j = 0; j < ctx->name_count; j++) {
547	if (audit_comparator(ctx->names[j].ino, f->op, f->val)) {
548	++result;
549	break;
550	}
551	}
552	}
553	break;
554	case AUDIT_WATCH:
555	if (name)
556	result = audit_watch_compare(rule->watch, name->ino, name->dev);
557	break;
558	case AUDIT_DIR:
559	if (ctx)
560	result = match_tree_refs(ctx, rule->tree);
561	break;
562	case AUDIT_LOGINUID:
563	result = 0;
564	if (ctx)
565	result = audit_comparator(tsk->loginuid, f->op, f->val);
566	break;
567	case AUDIT_SUBJ_USER:
568	case AUDIT_SUBJ_ROLE:
569	case AUDIT_SUBJ_TYPE:
570	case AUDIT_SUBJ_SEN:
571	case AUDIT_SUBJ_CLR:
572	/* NOTE: this may return negative values indicating
573	a temporary error. We simply treat this as a
574	match for now to avoid losing information that
575	may be wanted. An error message will also be
576	logged upon error */
577	if (f->lsm_rule) {
578	if (need_sid) {
579	security_task_getsecid(tsk, &sid);
580	need_sid = 0;
581	}
582	result = security_audit_rule_match(sid, f->type,
583	f->op,
584	f->lsm_rule,
585	ctx);
586	}
587	break;
588	case AUDIT_OBJ_USER:
589	case AUDIT_OBJ_ROLE:
590	case AUDIT_OBJ_TYPE:
591	case AUDIT_OBJ_LEV_LOW:
592	case AUDIT_OBJ_LEV_HIGH:
593	/* The above note for AUDIT_SUBJ_USER...AUDIT_SUBJ_CLR
594	also applies here */
595	if (f->lsm_rule) {
596	/* Find files that match */
597	if (name) {
598	result = security_audit_rule_match(
599	name->osid, f->type, f->op,
600	f->lsm_rule, ctx);
601	} else if (ctx) {
602	for (j = 0; j < ctx->name_count; j++) {
603	if (security_audit_rule_match(
604	ctx->names[j].osid,
605	f->type, f->op,
606	f->lsm_rule, ctx)) {
607	++result;
608	break;
609	}
610	}
611	}
612	/* Find ipc objects that match */
613	if (!ctx \|\| ctx->type != AUDIT_IPC)
614	break;
615	if (security_audit_rule_match(ctx->ipc.osid,
616	f->type, f->op,
617	f->lsm_rule, ctx))
618	++result;
619	}
620	break;
621	case AUDIT_ARG0:
622	case AUDIT_ARG1:
623	case AUDIT_ARG2:
624	case AUDIT_ARG3:
625	if (ctx)
626	result = audit_comparator(ctx->argv[f->type-AUDIT_ARG0], f->op, f->val);
627	break;
628	case AUDIT_FILTERKEY:
629	/* ignore this field for filtering */
630	result = 1;
631	break;
632	case AUDIT_PERM:
633	result = audit_match_perm(ctx, f->val);
634	break;
635	case AUDIT_FILETYPE:
636	result = audit_match_filetype(ctx, f->val);
637	break;
638	}
639
640	if (!result) {
641	put_cred(cred);
642	return 0;
643	}
644	}
645
646	if (ctx) {
647	if (rule->prio <= ctx->prio)
648	return 0;
649	if (rule->filterkey) {
650	kfree(ctx->filterkey);
651	ctx->filterkey = kstrdup(rule->filterkey, GFP_ATOMIC);
652	}
653	ctx->prio = rule->prio;
654	}
655	switch (rule->action) {
656	case AUDIT_NEVER: *state = AUDIT_DISABLED; break;
657	case AUDIT_ALWAYS: *state = AUDIT_RECORD_CONTEXT; break;
658	}
659	put_cred(cred);
660	return 1;
661	}
662
663	/* At process creation time, we can determine if system-call auditing is
664	* completely disabled for this task. Since we only have the task
665	* structure at this point, we can only check uid and gid.
666	*/
667	static enum audit_state audit_filter_task(struct task_struct tsk, char *key)
668	{
669	struct audit_entry *e;
670	enum audit_state state;
671
672	rcu_read_lock();
673	list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TASK], list) {
674	if (audit_filter_rules(tsk, &e->rule, NULL, NULL, &state)) {
675	if (state == AUDIT_RECORD_CONTEXT)
676	*key = kstrdup(e->rule.filterkey, GFP_ATOMIC);
677	rcu_read_unlock();
678	return state;
679	}
680	}
681	rcu_read_unlock();
682	return AUDIT_BUILD_CONTEXT;
683	}
684
685	/* At syscall entry and exit time, this filter is called if the
686	* audit_state is not low enough that auditing cannot take place, but is
687	* also not high enough that we already know we have to write an audit
688	* record (i.e., the state is AUDIT_SETUP_CONTEXT or AUDIT_BUILD_CONTEXT).
689	*/
690	static enum audit_state audit_filter_syscall(struct task_struct *tsk,
691	struct audit_context *ctx,
692	struct list_head *list)
693	{
694	struct audit_entry *e;
695	enum audit_state state;
696
697	if (audit_pid && tsk->tgid == audit_pid)
698	return AUDIT_DISABLED;
699
700	rcu_read_lock();
701	if (!list_empty(list)) {
702	int word = AUDIT_WORD(ctx->major);
703	int bit = AUDIT_BIT(ctx->major);
704
705	list_for_each_entry_rcu(e, list, list) {
706	if ((e->rule.mask[word] & bit) == bit &&
707	audit_filter_rules(tsk, &e->rule, ctx, NULL,
708	&state)) {
709	rcu_read_unlock();
710	ctx->current_state = state;
711	return state;
712	}
713	}
714	}
715	rcu_read_unlock();
716	return AUDIT_BUILD_CONTEXT;
717	}
718
719	/* At syscall exit time, this filter is called if any audit_names[] have been
720	* collected during syscall processing. We only check rules in sublists at hash
721	* buckets applicable to the inode numbers in audit_names[].
722	* Regarding audit_state, same rules apply as for audit_filter_syscall().
723	*/
724	void audit_filter_inodes(struct task_struct tsk, struct audit_context ctx)
725	{
726	int i;
727	struct audit_entry *e;
728	enum audit_state state;
729
730	if (audit_pid && tsk->tgid == audit_pid)
731	return;
732
733	rcu_read_lock();
734	for (i = 0; i < ctx->name_count; i++) {
735	int word = AUDIT_WORD(ctx->major);
736	int bit = AUDIT_BIT(ctx->major);
737	struct audit_names *n = &ctx->names[i];
738	int h = audit_hash_ino((u32)n->ino);
739	struct list_head *list = &audit_inode_hash[h];
740
741	if (list_empty(list))
742	continue;
743
744	list_for_each_entry_rcu(e, list, list) {
745	if ((e->rule.mask[word] & bit) == bit &&
746	audit_filter_rules(tsk, &e->rule, ctx, n, &state)) {
747	rcu_read_unlock();
748	ctx->current_state = state;
749	return;
750	}
751	}
752	}
753	rcu_read_unlock();
754	}
755
756	static inline struct audit_context audit_get_context(struct task_struct tsk,
757	int return_valid,
758	long return_code)
759	{
760	struct audit_context *context = tsk->audit_context;
761
762	if (likely(!context))
763	return NULL;
764	context->return_valid = return_valid;
765
766	/*
767	* we need to fix up the return code in the audit logs if the actual
768	* return codes are later going to be fixed up by the arch specific
769	* signal handlers
770	*
771	* This is actually a test for:
772	* (rc == ERESTARTSYS ) \|\| (rc == ERESTARTNOINTR) \|\|
773	* (rc == ERESTARTNOHAND) \|\| (rc == ERESTART_RESTARTBLOCK)
774	*
775	* but is faster than a bunch of \|\|
776	*/
777	if (unlikely(return_code <= -ERESTARTSYS) &&
778	(return_code >= -ERESTART_RESTARTBLOCK) &&
779	(return_code != -ENOIOCTLCMD))
780	context->return_code = -EINTR;
781	else
782	context->return_code = return_code;
783
784	if (context->in_syscall && !context->dummy) {
785	audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_EXIT]);
786	audit_filter_inodes(tsk, context);
787	}
788
789	tsk->audit_context = NULL;
790	return context;
791	}
792
793	static inline void audit_free_names(struct audit_context *context)
794	{
795	int i;
796
797	#if AUDIT_DEBUG == 2
798	if (context->put_count + context->ino_count != context->name_count) {
799	printk(KERN_ERR "%s:%d(:%d): major=%d in_syscall=%d"
800	" name_count=%d put_count=%d"
801	" ino_count=%d [NOT freeing]\n",
802	__FILE__, __LINE__,
803	context->serial, context->major, context->in_syscall,
804	context->name_count, context->put_count,
805	context->ino_count);
806	for (i = 0; i < context->name_count; i++) {
807	printk(KERN_ERR "names[%d] = %p = %s\n", i,
808	context->names[i].name,
809	context->names[i].name ?: "(null)");
810	}
811	dump_stack();
812	return;
813	}
814	#endif
815	#if AUDIT_DEBUG
816	context->put_count = 0;
817	context->ino_count = 0;
818	#endif
819
820	for (i = 0; i < context->name_count; i++) {
821	if (context->names[i].name && context->names[i].name_put)
822	__putname(context->names[i].name);
823	}
824	context->name_count = 0;
825	path_put(&context->pwd);
826	context->pwd.dentry = NULL;
827	context->pwd.mnt = NULL;
828	}
829
830	static inline void audit_free_aux(struct audit_context *context)
831	{
832	struct audit_aux_data *aux;
833
834	while ((aux = context->aux)) {
835	context->aux = aux->next;
836	kfree(aux);
837	}
838	while ((aux = context->aux_pids)) {
839	context->aux_pids = aux->next;
840	kfree(aux);
841	}
842	}
843
844	static inline void audit_zero_context(struct audit_context *context,
845	enum audit_state state)
846	{
847	memset(context, 0, sizeof(*context));
848	context->state = state;
849	context->prio = state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0;
850	}
851
852	static inline struct audit_context *audit_alloc_context(enum audit_state state)
853	{
854	struct audit_context *context;
855
856	if (!(context = kmalloc(sizeof(*context), GFP_KERNEL)))
857	return NULL;
858	audit_zero_context(context, state);
859	INIT_LIST_HEAD(&context->killed_trees);
860	return context;
861	}
862
863	/**
864	* audit_alloc - allocate an audit context block for a task
865	* @tsk: task
866	*
867	* Filter on the task information and allocate a per-task audit context
868	* if necessary. Doing so turns on system call auditing for the
869	* specified task. This is called from copy_process, so no lock is
870	* needed.
871	*/
872	int audit_alloc(struct task_struct *tsk)
873	{
874	struct audit_context *context;
875	enum audit_state state;
876	char *key = NULL;
877
878	if (likely(!audit_ever_enabled))
879	return 0; /* Return if not auditing. */
880
881	state = audit_filter_task(tsk, &key);
882	if (likely(state == AUDIT_DISABLED))
883	return 0;
884
885	if (!(context = audit_alloc_context(state))) {
886	kfree(key);
887	audit_log_lost("out of memory in audit_alloc");
888	return -ENOMEM;
889	}
890	context->filterkey = key;
891
892	tsk->audit_context = context;
893	set_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT);
894	return 0;
895	}
896
897	static inline void audit_free_context(struct audit_context *context)
898	{
899	struct audit_context *previous;
900	int count = 0;
901
902	do {
903	previous = context->previous;
904	if (previous \|\| (count && count < 10)) {
905	++count;
906	printk(KERN_ERR "audit(:%d): major=%d name_count=%d:"
907	" freeing multiple contexts (%d)\n",
908	context->serial, context->major,
909	context->name_count, count);
910	}
911	audit_free_names(context);
912	unroll_tree_refs(context, NULL, 0);
913	free_tree_refs(context);
914	audit_free_aux(context);
915	kfree(context->filterkey);
916	kfree(context->sockaddr);
917	kfree(context);
918	context = previous;
919	} while (context);
920	if (count >= 10)
921	printk(KERN_ERR "audit: freed %d contexts\n", count);
922	}
923
924	void audit_log_task_context(struct audit_buffer *ab)
925	{
926	char *ctx = NULL;
927	unsigned len;
928	int error;
929	u32 sid;
930
931	security_task_getsecid(current, &sid);
932	if (!sid)
933	return;
934
935	error = security_secid_to_secctx(sid, &ctx, &len);
936	if (error) {
937	if (error != -EINVAL)
938	goto error_path;
939	return;
940	}
941
942	audit_log_format(ab, " subj=%s", ctx);
943	security_release_secctx(ctx, len);
944	return;
945
946	error_path:
947	audit_panic("error in audit_log_task_context");
948	return;
949	}
950
951	EXPORT_SYMBOL(audit_log_task_context);
952
953	static void audit_log_task_info(struct audit_buffer ab, struct task_struct tsk)
954	{
955	char name[sizeof(tsk->comm)];
956	struct mm_struct *mm = tsk->mm;
957	struct vm_area_struct *vma;
958
959	/* tsk == current */
960
961	get_task_comm(name, tsk);
962	audit_log_format(ab, " comm=");
963	audit_log_untrustedstring(ab, name);
964
965	if (mm) {
966	down_read(&mm->mmap_sem);
967	vma = mm->mmap;
968	while (vma) {
969	if ((vma->vm_flags & VM_EXECUTABLE) &&
970	vma->vm_file) {
971	audit_log_d_path(ab, "exe=",
972	&vma->vm_file->f_path);
973	break;
974	}
975	vma = vma->vm_next;
976	}
977	up_read(&mm->mmap_sem);
978	}
979	audit_log_task_context(ab);
980	}
981
982	static int audit_log_pid_context(struct audit_context *context, pid_t pid,
983	uid_t auid, uid_t uid, unsigned int sessionid,
984	u32 sid, char *comm)
985	{
986	struct audit_buffer *ab;
987	char *ctx = NULL;
988	u32 len;
989	int rc = 0;
990
991	ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID);
992	if (!ab)
993	return rc;
994
995	audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid, auid,
996	uid, sessionid);
997	if (security_secid_to_secctx(sid, &ctx, &len)) {
998	audit_log_format(ab, " obj=(none)");
999	rc = 1;
1000	} else {
1001	audit_log_format(ab, " obj=%s", ctx);
1002	security_release_secctx(ctx, len);
1003	}
1004	audit_log_format(ab, " ocomm=");
1005	audit_log_untrustedstring(ab, comm);
1006	audit_log_end(ab);
1007
1008	return rc;
1009	}
1010
1011	/*
1012	* to_send and len_sent accounting are very loose estimates. We aren't
1013	* really worried about a hard cap to MAX_EXECVE_AUDIT_LEN so much as being
1014	* within about 500 bytes (next page boundry)
1015	*
1016	* why snprintf? an int is up to 12 digits long. if we just assumed when
1017	* logging that a[%d]= was going to be 16 characters long we would be wasting
1018	* space in every audit message. In one 7500 byte message we can log up to
1019	* about 1000 min size arguments. That comes down to about 50% waste of space
1020	* if we didn't do the snprintf to find out how long arg_num_len was.
1021	*/
1022	static int audit_log_single_execve_arg(struct audit_context *context,
1023	struct audit_buffer **ab,
1024	int arg_num,
1025	size_t *len_sent,
1026	const char __user *p,
1027	char *buf)
1028	{
1029	char arg_num_len_buf[12];
1030	const char __user *tmp_p = p;
1031	/* how many digits are in arg_num? 5 is the length of ' a=""' */
1032	size_t arg_num_len = snprintf(arg_num_len_buf, 12, "%d", arg_num) + 5;
1033	size_t len, len_left, to_send;
1034	size_t max_execve_audit_len = MAX_EXECVE_AUDIT_LEN;
1035	unsigned int i, has_cntl = 0, too_long = 0;
1036	int ret;
1037
1038	/* strnlen_user includes the null we don't want to send */
1039	len_left = len = strnlen_user(p, MAX_ARG_STRLEN) - 1;
1040
1041	/*
1042	* We just created this mm, if we can't find the strings
1043	* we just copied into it something is _very_ wrong. Similar
1044	* for strings that are too long, we should not have created
1045	* any.
1046	*/
1047	if (unlikely((len == -1) \|\| len > MAX_ARG_STRLEN - 1)) {
1048	WARN_ON(1);
1049	send_sig(SIGKILL, current, 0);
1050	return -1;
1051	}
1052
1053	/* walk the whole argument looking for non-ascii chars */
1054	do {
1055	if (len_left > MAX_EXECVE_AUDIT_LEN)
1056	to_send = MAX_EXECVE_AUDIT_LEN;
1057	else
1058	to_send = len_left;
1059	ret = copy_from_user(buf, tmp_p, to_send);
1060	/*
1061	* There is no reason for this copy to be short. We just
1062	* copied them here, and the mm hasn't been exposed to user-
1063	* space yet.
1064	*/
1065	if (ret) {
1066	WARN_ON(1);
1067	send_sig(SIGKILL, current, 0);
1068	return -1;
1069	}
1070	buf[to_send] = '\0';
1071	has_cntl = audit_string_contains_control(buf, to_send);
1072	if (has_cntl) {
1073	/*
1074	* hex messages get logged as 2 bytes, so we can only
1075	* send half as much in each message
1076	*/
1077	max_execve_audit_len = MAX_EXECVE_AUDIT_LEN / 2;
1078	break;
1079	}
1080	len_left -= to_send;
1081	tmp_p += to_send;
1082	} while (len_left > 0);
1083
1084	len_left = len;
1085
1086	if (len > max_execve_audit_len)
1087	too_long = 1;
1088
1089	/* rewalk the argument actually logging the message */
1090	for (i = 0; len_left > 0; i++) {
1091	int room_left;
1092
1093	if (len_left > max_execve_audit_len)
1094	to_send = max_execve_audit_len;
1095	else
1096	to_send = len_left;
1097
1098	/* do we have space left to send this argument in this ab? */
1099	room_left = MAX_EXECVE_AUDIT_LEN - arg_num_len - *len_sent;
1100	if (has_cntl)
1101	room_left -= (to_send * 2);
1102	else
1103	room_left -= to_send;
1104	if (room_left < 0) {
1105	*len_sent = 0;
1106	audit_log_end(*ab);
1107	*ab = audit_log_start(context, GFP_KERNEL, AUDIT_EXECVE);
1108	if (!*ab)
1109	return 0;
1110	}
1111
1112	/*
1113	* first record needs to say how long the original string was
1114	* so we can be sure nothing was lost.
1115	*/
1116	if ((i == 0) && (too_long))
1117	audit_log_format(*ab, " a%d_len=%zu", arg_num,
1118	has_cntl ? 2*len : len);
1119
1120	/*
1121	* normally arguments are small enough to fit and we already
1122	* filled buf above when we checked for control characters
1123	* so don't bother with another copy_from_user
1124	*/
1125	if (len >= max_execve_audit_len)
1126	ret = copy_from_user(buf, p, to_send);
1127	else
1128	ret = 0;
1129	if (ret) {
1130	WARN_ON(1);
1131	send_sig(SIGKILL, current, 0);
1132	return -1;
1133	}
1134	buf[to_send] = '\0';
1135
1136	/* actually log it */
1137	audit_log_format(*ab, " a%d", arg_num);
1138	if (too_long)
1139	audit_log_format(*ab, "[%d]", i);
1140	audit_log_format(*ab, "=");
1141	if (has_cntl)
1142	audit_log_n_hex(*ab, buf, to_send);
1143	else
1144	audit_log_string(*ab, buf);
1145
1146	p += to_send;
1147	len_left -= to_send;
1148	*len_sent += arg_num_len;
1149	if (has_cntl)
1150	len_sent += to_send 2;
1151	else
1152	*len_sent += to_send;
1153	}
1154	/* include the null we didn't log */
1155	return len + 1;
1156	}
1157
1158	static void audit_log_execve_info(struct audit_context *context,
1159	struct audit_buffer **ab,
1160	struct audit_aux_data_execve *axi)
1161	{
1162	int i;
1163	size_t len, len_sent = 0;
1164	const char __user *p;
1165	char *buf;
1166
1167	if (axi->mm != current->mm)
1168	return; /* execve failed, no additional info */
1169
1170	p = (const char __user *)axi->mm->arg_start;
1171
1172	audit_log_format(*ab, "argc=%d", axi->argc);
1173
1174	/*
1175	* we need some kernel buffer to hold the userspace args. Just
1176	* allocate one big one rather than allocating one of the right size
1177	* for every single argument inside audit_log_single_execve_arg()
1178	* should be <8k allocation so should be pretty safe.
1179	*/
1180	buf = kmalloc(MAX_EXECVE_AUDIT_LEN + 1, GFP_KERNEL);
1181	if (!buf) {
1182	audit_panic("out of memory for argv string\n");
1183	return;
1184	}
1185
1186	for (i = 0; i < axi->argc; i++) {
1187	len = audit_log_single_execve_arg(context, ab, i,
1188	&len_sent, p, buf);
1189	if (len <= 0)
1190	break;
1191	p += len;
1192	}
1193	kfree(buf);
1194	}
1195
1196	static void audit_log_cap(struct audit_buffer ab, char prefix, kernel_cap_t *cap)
1197	{
1198	int i;
1199
1200	audit_log_format(ab, " %s=", prefix);
1201	CAP_FOR_EACH_U32(i) {
1202	audit_log_format(ab, "%08x", cap->cap[(_KERNEL_CAPABILITY_U32S-1) - i]);
1203	}
1204	}
1205
1206	static void audit_log_fcaps(struct audit_buffer ab, struct audit_names name)
1207	{
1208	kernel_cap_t *perm = &name->fcap.permitted;
1209	kernel_cap_t *inh = &name->fcap.inheritable;
1210	int log = 0;
1211
1212	if (!cap_isclear(*perm)) {
1213	audit_log_cap(ab, "cap_fp", perm);
1214	log = 1;
1215	}
1216	if (!cap_isclear(*inh)) {
1217	audit_log_cap(ab, "cap_fi", inh);
1218	log = 1;
1219	}
1220
1221	if (log)
1222	audit_log_format(ab, " cap_fe=%d cap_fver=%x", name->fcap.fE, name->fcap_ver);
1223	}
1224
1225	static void show_special(struct audit_context context, int call_panic)
1226	{
1227	struct audit_buffer *ab;
1228	int i;
1229
1230	ab = audit_log_start(context, GFP_KERNEL, context->type);
1231	if (!ab)
1232	return;
1233
1234	switch (context->type) {
1235	case AUDIT_SOCKETCALL: {
1236	int nargs = context->socketcall.nargs;
1237	audit_log_format(ab, "nargs=%d", nargs);
1238	for (i = 0; i < nargs; i++)
1239	audit_log_format(ab, " a%d=%lx", i,
1240	context->socketcall.args[i]);
1241	break; }
1242	case AUDIT_IPC: {
1243	u32 osid = context->ipc.osid;
1244
1245	audit_log_format(ab, "ouid=%u ogid=%u mode=%#o",
1246	context->ipc.uid, context->ipc.gid, context->ipc.mode);
1247	if (osid) {
1248	char *ctx = NULL;
1249	u32 len;
1250	if (security_secid_to_secctx(osid, &ctx, &len)) {
1251	audit_log_format(ab, " osid=%u", osid);
1252	*call_panic = 1;
1253	} else {
1254	audit_log_format(ab, " obj=%s", ctx);
1255	security_release_secctx(ctx, len);
1256	}
1257	}
1258	if (context->ipc.has_perm) {
1259	audit_log_end(ab);
1260	ab = audit_log_start(context, GFP_KERNEL,
1261	AUDIT_IPC_SET_PERM);
1262	audit_log_format(ab,
1263	"qbytes=%lx ouid=%u ogid=%u mode=%#o",
1264	context->ipc.qbytes,
1265	context->ipc.perm_uid,
1266	context->ipc.perm_gid,
1267	context->ipc.perm_mode);
1268	if (!ab)
1269	return;
1270	}
1271	break; }
1272	case AUDIT_MQ_OPEN: {
1273	audit_log_format(ab,
1274	"oflag=0x%x mode=%#o mq_flags=0x%lx mq_maxmsg=%ld "
1275	"mq_msgsize=%ld mq_curmsgs=%ld",
1276	context->mq_open.oflag, context->mq_open.mode,
1277	context->mq_open.attr.mq_flags,
1278	context->mq_open.attr.mq_maxmsg,
1279	context->mq_open.attr.mq_msgsize,
1280	context->mq_open.attr.mq_curmsgs);
1281	break; }
1282	case AUDIT_MQ_SENDRECV: {
1283	audit_log_format(ab,
1284	"mqdes=%d msg_len=%zd msg_prio=%u "
1285	"abs_timeout_sec=%ld abs_timeout_nsec=%ld",
1286	context->mq_sendrecv.mqdes,
1287	context->mq_sendrecv.msg_len,
1288	context->mq_sendrecv.msg_prio,
1289	context->mq_sendrecv.abs_timeout.tv_sec,
1290	context->mq_sendrecv.abs_timeout.tv_nsec);
1291	break; }
1292	case AUDIT_MQ_NOTIFY: {
1293	audit_log_format(ab, "mqdes=%d sigev_signo=%d",
1294	context->mq_notify.mqdes,
1295	context->mq_notify.sigev_signo);
1296	break; }
1297	case AUDIT_MQ_GETSETATTR: {
1298	struct mq_attr *attr = &context->mq_getsetattr.mqstat;
1299	audit_log_format(ab,
1300	"mqdes=%d mq_flags=0x%lx mq_maxmsg=%ld mq_msgsize=%ld "
1301	"mq_curmsgs=%ld ",
1302	context->mq_getsetattr.mqdes,
1303	attr->mq_flags, attr->mq_maxmsg,
1304	attr->mq_msgsize, attr->mq_curmsgs);
1305	break; }
1306	case AUDIT_CAPSET: {
1307	audit_log_format(ab, "pid=%d", context->capset.pid);
1308	audit_log_cap(ab, "cap_pi", &context->capset.cap.inheritable);
1309	audit_log_cap(ab, "cap_pp", &context->capset.cap.permitted);
1310	audit_log_cap(ab, "cap_pe", &context->capset.cap.effective);
1311	break; }
1312	case AUDIT_MMAP: {
1313	audit_log_format(ab, "fd=%d flags=0x%x", context->mmap.fd,
1314	context->mmap.flags);
1315	break; }
1316	}
1317	audit_log_end(ab);
1318	}
1319
1320	static void audit_log_exit(struct audit_context context, struct task_struct tsk)
1321	{
1322	const struct cred *cred;
1323	int i, call_panic = 0;
1324	struct audit_buffer *ab;
1325	struct audit_aux_data *aux;
1326	const char *tty;
1327
1328	/* tsk == current */
1329	context->pid = tsk->pid;
1330	if (!context->ppid)
1331	context->ppid = sys_getppid();
1332	cred = current_cred();
1333	context->uid = cred->uid;
1334	context->gid = cred->gid;
1335	context->euid = cred->euid;
1336	context->suid = cred->suid;
1337	context->fsuid = cred->fsuid;
1338	context->egid = cred->egid;
1339	context->sgid = cred->sgid;
1340	context->fsgid = cred->fsgid;
1341	context->personality = tsk->personality;
1342
1343	ab = audit_log_start(context, GFP_KERNEL, AUDIT_SYSCALL);
1344	if (!ab)
1345	return; /* audit_panic has been called */
1346	audit_log_format(ab, "arch=%x syscall=%d",
1347	context->arch, context->major);
1348	if (context->personality != PER_LINUX)
1349	audit_log_format(ab, " per=%lx", context->personality);
1350	if (context->return_valid)
1351	audit_log_format(ab, " success=%s exit=%ld",
1352	(context->return_valid==AUDITSC_SUCCESS)?"yes":"no",
1353	context->return_code);
1354
1355	spin_lock_irq(&tsk->sighand->siglock);
1356	if (tsk->signal && tsk->signal->tty && tsk->signal->tty->name)
1357	tty = tsk->signal->tty->name;
1358	else
1359	tty = "(none)";
1360	spin_unlock_irq(&tsk->sighand->siglock);
1361
1362	audit_log_format(ab,
1363	" a0=%lx a1=%lx a2=%lx a3=%lx items=%d"
1364	" ppid=%d pid=%d auid=%u uid=%u gid=%u"
1365	" euid=%u suid=%u fsuid=%u"
1366	" egid=%u sgid=%u fsgid=%u tty=%s ses=%u",
1367	context->argv[0],
1368	context->argv[1],
1369	context->argv[2],
1370	context->argv[3],
1371	context->name_count,
1372	context->ppid,
1373	context->pid,
1374	tsk->loginuid,
1375	context->uid,
1376	context->gid,
1377	context->euid, context->suid, context->fsuid,
1378	context->egid, context->sgid, context->fsgid, tty,
1379	tsk->sessionid);
1380
1381
1382	audit_log_task_info(ab, tsk);
1383	audit_log_key(ab, context->filterkey);
1384	audit_log_end(ab);
1385
1386	for (aux = context->aux; aux; aux = aux->next) {
1387
1388	ab = audit_log_start(context, GFP_KERNEL, aux->type);
1389	if (!ab)
1390	continue; /* audit_panic has been called */
1391
1392	switch (aux->type) {
1393
1394	case AUDIT_EXECVE: {
1395	struct audit_aux_data_execve axi = (void )aux;
1396	audit_log_execve_info(context, &ab, axi);
1397	break; }
1398
1399	case AUDIT_BPRM_FCAPS: {
1400	struct audit_aux_data_bprm_fcaps axs = (void )aux;
1401	audit_log_format(ab, "fver=%x", axs->fcap_ver);
1402	audit_log_cap(ab, "fp", &axs->fcap.permitted);
1403	audit_log_cap(ab, "fi", &axs->fcap.inheritable);
1404	audit_log_format(ab, " fe=%d", axs->fcap.fE);
1405	audit_log_cap(ab, "old_pp", &axs->old_pcap.permitted);
1406	audit_log_cap(ab, "old_pi", &axs->old_pcap.inheritable);
1407	audit_log_cap(ab, "old_pe", &axs->old_pcap.effective);
1408	audit_log_cap(ab, "new_pp", &axs->new_pcap.permitted);
1409	audit_log_cap(ab, "new_pi", &axs->new_pcap.inheritable);
1410	audit_log_cap(ab, "new_pe", &axs->new_pcap.effective);
1411	break; }
1412
1413	}
1414	audit_log_end(ab);
1415	}
1416
1417	if (context->type)
1418	show_special(context, &call_panic);
1419
1420	if (context->fds[0] >= 0) {
1421	ab = audit_log_start(context, GFP_KERNEL, AUDIT_FD_PAIR);
1422	if (ab) {
1423	audit_log_format(ab, "fd0=%d fd1=%d",
1424	context->fds[0], context->fds[1]);
1425	audit_log_end(ab);
1426	}
1427	}
1428
1429	if (context->sockaddr_len) {
1430	ab = audit_log_start(context, GFP_KERNEL, AUDIT_SOCKADDR);
1431	if (ab) {
1432	audit_log_format(ab, "saddr=");
1433	audit_log_n_hex(ab, (void *)context->sockaddr,
1434	context->sockaddr_len);
1435	audit_log_end(ab);
1436	}
1437	}
1438
1439	for (aux = context->aux_pids; aux; aux = aux->next) {
1440	struct audit_aux_data_pids axs = (void )aux;
1441
1442	for (i = 0; i < axs->pid_count; i++)
1443	if (audit_log_pid_context(context, axs->target_pid[i],
1444	axs->target_auid[i],
1445	axs->target_uid[i],
1446	axs->target_sessionid[i],
1447	axs->target_sid[i],
1448	axs->target_comm[i]))
1449	call_panic = 1;
1450	}
1451
1452	if (context->target_pid &&
1453	audit_log_pid_context(context, context->target_pid,
1454	context->target_auid, context->target_uid,
1455	context->target_sessionid,
1456	context->target_sid, context->target_comm))
1457	call_panic = 1;
1458
1459	if (context->pwd.dentry && context->pwd.mnt) {
1460	ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD);
1461	if (ab) {
1462	audit_log_d_path(ab, "cwd=", &context->pwd);
1463	audit_log_end(ab);
1464	}
1465	}
1466	for (i = 0; i < context->name_count; i++) {
1467	struct audit_names *n = &context->names[i];
1468
1469	ab = audit_log_start(context, GFP_KERNEL, AUDIT_PATH);
1470	if (!ab)
1471	continue; /* audit_panic has been called */
1472
1473	audit_log_format(ab, "item=%d", i);
1474
1475	if (n->name) {
1476	switch(n->name_len) {
1477	case AUDIT_NAME_FULL:
1478	/* log the full path */
1479	audit_log_format(ab, " name=");
1480	audit_log_untrustedstring(ab, n->name);
1481	break;
1482	case 0:
1483	/* name was specified as a relative path and the
1484	* directory component is the cwd */
1485	audit_log_d_path(ab, "name=", &context->pwd);
1486	break;
1487	default:
1488	/* log the name's directory component */
1489	audit_log_format(ab, " name=");
1490	audit_log_n_untrustedstring(ab, n->name,
1491	n->name_len);
1492	}
1493	} else
1494	audit_log_format(ab, " name=(null)");
1495
1496	if (n->ino != (unsigned long)-1) {
1497	audit_log_format(ab, " inode=%lu"
1498	" dev=%02x:%02x mode=%#o"
1499	" ouid=%u ogid=%u rdev=%02x:%02x",
1500	n->ino,
1501	MAJOR(n->dev),
1502	MINOR(n->dev),
1503	n->mode,
1504	n->uid,
1505	n->gid,
1506	MAJOR(n->rdev),
1507	MINOR(n->rdev));
1508	}
1509	if (n->osid != 0) {
1510	char *ctx = NULL;
1511	u32 len;
1512	if (security_secid_to_secctx(
1513	n->osid, &ctx, &len)) {
1514	audit_log_format(ab, " osid=%u", n->osid);
1515	call_panic = 2;
1516	} else {
1517	audit_log_format(ab, " obj=%s", ctx);
1518	security_release_secctx(ctx, len);
1519	}
1520	}
1521
1522	audit_log_fcaps(ab, n);
1523
1524	audit_log_end(ab);
1525	}
1526
1527	/* Send end of event record to help user space know we are finished */
1528	ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE);
1529	if (ab)
1530	audit_log_end(ab);
1531	if (call_panic)
1532	audit_panic("error converting sid to string");
1533	}
1534
1535	/**
1536	* audit_free - free a per-task audit context
1537	* @tsk: task whose audit context block to free
1538	*
1539	* Called from copy_process and do_exit
1540	*/
1541	void audit_free(struct task_struct *tsk)
1542	{
1543	struct audit_context *context;
1544
1545	context = audit_get_context(tsk, 0, 0);
1546	if (likely(!context))
1547	return;
1548
1549	/* Check for system calls that do not go through the exit
1550	* function (e.g., exit_group), then free context block.
1551	* We use GFP_ATOMIC here because we might be doing this
1552	* in the context of the idle thread */
1553	/* that can happen only if we are called from do_exit() */
1554	if (context->in_syscall && context->current_state == AUDIT_RECORD_CONTEXT)
1555	audit_log_exit(context, tsk);
1556	if (!list_empty(&context->killed_trees))
1557	audit_kill_trees(&context->killed_trees);
1558
1559	audit_free_context(context);
1560	}
1561
1562	/**
1563	* audit_syscall_entry - fill in an audit record at syscall entry
1564	* @arch: architecture type
1565	* @major: major syscall type (function)
1566	* @a1: additional syscall register 1
1567	* @a2: additional syscall register 2
1568	* @a3: additional syscall register 3
1569	* @a4: additional syscall register 4
1570	*
1571	* Fill in audit context at syscall entry. This only happens if the
1572	* audit context was created when the task was created and the state or
1573	* filters demand the audit context be built. If the state from the
1574	* per-task filter or from the per-syscall filter is AUDIT_RECORD_CONTEXT,
1575	* then the record will be written at syscall exit time (otherwise, it
1576	* will only be written if another part of the kernel requests that it
1577	* be written).
1578	*/
1579	void audit_syscall_entry(int arch, int major,
1580	unsigned long a1, unsigned long a2,
1581	unsigned long a3, unsigned long a4)
1582	{
1583	struct task_struct *tsk = current;
1584	struct audit_context *context = tsk->audit_context;
1585	enum audit_state state;
1586
1587	if (unlikely(!context))
1588	return;
1589
1590	/*
1591	* This happens only on certain architectures that make system
1592	* calls in kernel_thread via the entry.S interface, instead of
1593	* with direct calls. (If you are porting to a new
1594	* architecture, hitting this condition can indicate that you
1595	* got the _exit/_leave calls backward in entry.S.)
1596	*
1597	* i386 no
1598	* x86_64 no
1599	* ppc64 yes (see arch/powerpc/platforms/iseries/misc.S)
1600	*
1601	* This also happens with vm86 emulation in a non-nested manner
1602	* (entries without exits), so this case must be caught.
1603	*/
1604	if (context->in_syscall) {
1605	struct audit_context *newctx;
1606
1607	#if AUDIT_DEBUG
1608	printk(KERN_ERR
1609	"audit(:%d) pid=%d in syscall=%d;"
1610	" entering syscall=%d\n",
1611	context->serial, tsk->pid, context->major, major);
1612	#endif
1613	newctx = audit_alloc_context(context->state);
1614	if (newctx) {
1615	newctx->previous = context;
1616	context = newctx;
1617	tsk->audit_context = newctx;
1618	} else {
1619	/* If we can't alloc a new context, the best we
1620	* can do is to leak memory (any pending putname
1621	* will be lost). The only other alternative is
1622	* to abandon auditing. */
1623	audit_zero_context(context, context->state);
1624	}
1625	}
1626	BUG_ON(context->in_syscall \|\| context->name_count);
1627
1628	if (!audit_enabled)
1629	return;
1630
1631	context->arch = arch;
1632	context->major = major;
1633	context->argv[0] = a1;
1634	context->argv[1] = a2;
1635	context->argv[2] = a3;
1636	context->argv[3] = a4;
1637
1638	state = context->state;
1639	context->dummy = !audit_n_rules;
1640	if (!context->dummy && state == AUDIT_BUILD_CONTEXT) {
1641	context->prio = 0;
1642	state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_ENTRY]);
1643	}
1644	if (likely(state == AUDIT_DISABLED))
1645	return;
1646
1647	context->serial = 0;
1648	context->ctime = CURRENT_TIME;
1649	context->in_syscall = 1;
1650	context->current_state = state;
1651	context->ppid = 0;
1652	}
1653
1654	void audit_finish_fork(struct task_struct *child)
1655	{
1656	struct audit_context *ctx = current->audit_context;
1657	struct audit_context *p = child->audit_context;
1658	if (!p \|\| !ctx)
1659	return;
1660	if (!ctx->in_syscall \|\| ctx->current_state != AUDIT_RECORD_CONTEXT)
1661	return;
1662	p->arch = ctx->arch;
1663	p->major = ctx->major;
1664	memcpy(p->argv, ctx->argv, sizeof(ctx->argv));
1665	p->ctime = ctx->ctime;
1666	p->dummy = ctx->dummy;
1667	p->in_syscall = ctx->in_syscall;
1668	p->filterkey = kstrdup(ctx->filterkey, GFP_KERNEL);
1669	p->ppid = current->pid;
1670	p->prio = ctx->prio;
1671	p->current_state = ctx->current_state;
1672	}
1673
1674	/**
1675	* audit_syscall_exit - deallocate audit context after a system call
1676	* @valid: success/failure flag
1677	* @return_code: syscall return value
1678	*
1679	* Tear down after system call. If the audit context has been marked as
1680	* auditable (either because of the AUDIT_RECORD_CONTEXT state from
1681	* filtering, or because some other part of the kernel write an audit
1682	* message), then write out the syscall information. In call cases,
1683	* free the names stored from getname().
1684	*/
1685	void audit_syscall_exit(int valid, long return_code)
1686	{
1687	struct task_struct *tsk = current;
1688	struct audit_context *context;
1689
1690	context = audit_get_context(tsk, valid, return_code);
1691
1692	if (likely(!context))
1693	return;
1694
1695	if (context->in_syscall && context->current_state == AUDIT_RECORD_CONTEXT)
1696	audit_log_exit(context, tsk);
1697
1698	context->in_syscall = 0;
1699	context->prio = context->state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0;
1700
1701	if (!list_empty(&context->killed_trees))
1702	audit_kill_trees(&context->killed_trees);
1703
1704	if (context->previous) {
1705	struct audit_context *new_context = context->previous;
1706	context->previous = NULL;
1707	audit_free_context(context);
1708	tsk->audit_context = new_context;
1709	} else {
1710	audit_free_names(context);
1711	unroll_tree_refs(context, NULL, 0);
1712	audit_free_aux(context);
1713	context->aux = NULL;
1714	context->aux_pids = NULL;
1715	context->target_pid = 0;
1716	context->target_sid = 0;
1717	context->sockaddr_len = 0;
1718	context->type = 0;
1719	context->fds[0] = -1;
1720	if (context->state != AUDIT_RECORD_CONTEXT) {
1721	kfree(context->filterkey);
1722	context->filterkey = NULL;
1723	}
1724	tsk->audit_context = context;
1725	}
1726	}
1727
1728	static inline void handle_one(const struct inode *inode)
1729	{
1730	#ifdef CONFIG_AUDIT_TREE
1731	struct audit_context *context;
1732	struct audit_tree_refs *p;
1733	struct audit_chunk *chunk;
1734	int count;
1735	if (likely(hlist_empty(&inode->i_fsnotify_marks)))
1736	return;
1737	context = current->audit_context;
1738	p = context->trees;
1739	count = context->tree_count;
1740	rcu_read_lock();
1741	chunk = audit_tree_lookup(inode);
1742	rcu_read_unlock();
1743	if (!chunk)
1744	return;
1745	if (likely(put_tree_ref(context, chunk)))
1746	return;
1747	if (unlikely(!grow_tree_refs(context))) {
1748	printk(KERN_WARNING "out of memory, audit has lost a tree reference\n");
1749	audit_set_auditable(context);
1750	audit_put_chunk(chunk);
1751	unroll_tree_refs(context, p, count);
1752	return;
1753	}
1754	put_tree_ref(context, chunk);
1755	#endif
1756	}
1757
1758	static void handle_path(const struct dentry *dentry)
1759	{
1760	#ifdef CONFIG_AUDIT_TREE
1761	struct audit_context *context;
1762	struct audit_tree_refs *p;
1763	const struct dentry d, parent;
1764	struct audit_chunk *drop;
1765	unsigned long seq;
1766	int count;
1767
1768	context = current->audit_context;
1769	p = context->trees;
1770	count = context->tree_count;
1771	retry:
1772	drop = NULL;
1773	d = dentry;
1774	rcu_read_lock();
1775	seq = read_seqbegin(&rename_lock);
1776	for(;;) {
1777	struct inode *inode = d->d_inode;
1778	if (inode && unlikely(!hlist_empty(&inode->i_fsnotify_marks))) {
1779	struct audit_chunk *chunk;
1780	chunk = audit_tree_lookup(inode);
1781	if (chunk) {
1782	if (unlikely(!put_tree_ref(context, chunk))) {
1783	drop = chunk;
1784	break;
1785	}
1786	}
1787	}
1788	parent = d->d_parent;
1789	if (parent == d)
1790	break;
1791	d = parent;
1792	}
1793	if (unlikely(read_seqretry(&rename_lock, seq) \|\| drop)) { /* in this order */
1794	rcu_read_unlock();
1795	if (!drop) {
1796	/* just a race with rename */
1797	unroll_tree_refs(context, p, count);
1798	goto retry;
1799	}
1800	audit_put_chunk(drop);
1801	if (grow_tree_refs(context)) {
1802	/* OK, got more space */
1803	unroll_tree_refs(context, p, count);
1804	goto retry;
1805	}
1806	/* too bad */
1807	printk(KERN_WARNING
1808	"out of memory, audit has lost a tree reference\n");
1809	unroll_tree_refs(context, p, count);
1810	audit_set_auditable(context);
1811	return;
1812	}
1813	rcu_read_unlock();
1814	#endif
1815	}
1816
1817	/**
1818	* audit_getname - add a name to the list
1819	* @name: name to add
1820	*
1821	* Add a name to the list of audit names for this context.
1822	* Called from fs/namei.c:getname().
1823	*/
1824	void __audit_getname(const char *name)
1825	{
1826	struct audit_context *context = current->audit_context;
1827
1828	if (IS_ERR(name) \|\| !name)
1829	return;
1830
1831	if (!context->in_syscall) {
1832	#if AUDIT_DEBUG == 2
1833	printk(KERN_ERR "%s:%d(:%d): ignoring getname(%p)\n",
1834	__FILE__, __LINE__, context->serial, name);
1835	dump_stack();
1836	#endif
1837	return;
1838	}
1839	BUG_ON(context->name_count >= AUDIT_NAMES);
1840	context->names[context->name_count].name = name;
1841	context->names[context->name_count].name_len = AUDIT_NAME_FULL;
1842	context->names[context->name_count].name_put = 1;
1843	context->names[context->name_count].ino = (unsigned long)-1;
1844	context->names[context->name_count].osid = 0;
1845	++context->name_count;
1846	if (!context->pwd.dentry)
1847	get_fs_pwd(current->fs, &context->pwd);
1848	}
1849
1850	/* audit_putname - intercept a putname request
1851	* @name: name to intercept and delay for putname
1852	*
1853	* If we have stored the name from getname in the audit context,
1854	* then we delay the putname until syscall exit.
1855	* Called from include/linux/fs.h:putname().
1856	*/
1857	void audit_putname(const char *name)
1858	{
1859	struct audit_context *context = current->audit_context;
1860
1861	BUG_ON(!context);
1862	if (!context->in_syscall) {
1863	#if AUDIT_DEBUG == 2
1864	printk(KERN_ERR "%s:%d(:%d): __putname(%p)\n",
1865	__FILE__, __LINE__, context->serial, name);
1866	if (context->name_count) {
1867	int i;
1868	for (i = 0; i < context->name_count; i++)
1869	printk(KERN_ERR "name[%d] = %p = %s\n", i,
1870	context->names[i].name,
1871	context->names[i].name ?: "(null)");
1872	}
1873	#endif
1874	__putname(name);
1875	}
1876	#if AUDIT_DEBUG
1877	else {
1878	++context->put_count;
1879	if (context->put_count > context->name_count) {
1880	printk(KERN_ERR "%s:%d(:%d): major=%d"
1881	" in_syscall=%d putname(%p) name_count=%d"
1882	" put_count=%d\n",
1883	__FILE__, __LINE__,
1884	context->serial, context->major,
1885	context->in_syscall, name, context->name_count,
1886	context->put_count);
1887	dump_stack();
1888	}
1889	}
1890	#endif
1891	}
1892
1893	static int audit_inc_name_count(struct audit_context *context,
1894	const struct inode *inode)
1895	{
1896	if (context->name_count >= AUDIT_NAMES) {
1897	if (inode)
1898	printk(KERN_DEBUG "audit: name_count maxed, losing inode data: "
1899	"dev=%02x:%02x, inode=%lu\n",
1900	MAJOR(inode->i_sb->s_dev),
1901	MINOR(inode->i_sb->s_dev),
1902	inode->i_ino);
1903
1904	else
1905	printk(KERN_DEBUG "name_count maxed, losing inode data\n");
1906	return 1;
1907	}
1908	context->name_count++;
1909	#if AUDIT_DEBUG
1910	context->ino_count++;
1911	#endif
1912	return 0;
1913	}
1914
1915
1916	static inline int audit_copy_fcaps(struct audit_names name, const struct dentry dentry)
1917	{
1918	struct cpu_vfs_cap_data caps;
1919	int rc;
1920
1921	memset(&name->fcap.permitted, 0, sizeof(kernel_cap_t));
1922	memset(&name->fcap.inheritable, 0, sizeof(kernel_cap_t));
1923	name->fcap.fE = 0;
1924	name->fcap_ver = 0;
1925
1926	if (!dentry)
1927	return 0;
1928
1929	rc = get_vfs_caps_from_disk(dentry, &caps);
1930	if (rc)
1931	return rc;
1932
1933	name->fcap.permitted = caps.permitted;
1934	name->fcap.inheritable = caps.inheritable;
1935	name->fcap.fE = !!(caps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE);
1936	name->fcap_ver = (caps.magic_etc & VFS_CAP_REVISION_MASK) >> VFS_CAP_REVISION_SHIFT;
1937
1938	return 0;
1939	}
1940
1941
1942	/* Copy inode data into an audit_names. */
1943	static void audit_copy_inode(struct audit_names name, const struct dentry dentry,
1944	const struct inode *inode)
1945	{
1946	name->ino = inode->i_ino;
1947	name->dev = inode->i_sb->s_dev;
1948	name->mode = inode->i_mode;
1949	name->uid = inode->i_uid;
1950	name->gid = inode->i_gid;
1951	name->rdev = inode->i_rdev;
1952	security_inode_getsecid(inode, &name->osid);
1953	audit_copy_fcaps(name, dentry);
1954	}
1955
1956	/**
1957	* audit_inode - store the inode and device from a lookup
1958	* @name: name being audited
1959	* @dentry: dentry being audited
1960	*
1961	* Called from fs/namei.c:path_lookup().
1962	*/
1963	void __audit_inode(const char name, const struct dentry dentry)
1964	{
1965	int idx;
1966	struct audit_context *context = current->audit_context;
1967	const struct inode *inode = dentry->d_inode;
1968
1969	if (!context->in_syscall)
1970	return;
1971	if (context->name_count
1972	&& context->names[context->name_count-1].name
1973	&& context->names[context->name_count-1].name == name)
1974	idx = context->name_count - 1;
1975	else if (context->name_count > 1
1976	&& context->names[context->name_count-2].name
1977	&& context->names[context->name_count-2].name == name)
1978	idx = context->name_count - 2;
1979	else {
1980	/* FIXME: how much do we care about inodes that have no
1981	* associated name? */
1982	if (audit_inc_name_count(context, inode))
1983	return;
1984	idx = context->name_count - 1;
1985	context->names[idx].name = NULL;
1986	}
1987	handle_path(dentry);
1988	audit_copy_inode(&context->names[idx], dentry, inode);
1989	}
1990
1991	/**
1992	* audit_inode_child - collect inode info for created/removed objects
1993	* @dentry: dentry being audited
1994	* @parent: inode of dentry parent
1995	*
1996	* For syscalls that create or remove filesystem objects, audit_inode
1997	* can only collect information for the filesystem object's parent.
1998	* This call updates the audit context with the child's information.
1999	* Syscalls that create a new filesystem object must be hooked after
2000	* the object is created. Syscalls that remove a filesystem object
2001	* must be hooked prior, in order to capture the target inode during
2002	* unsuccessful attempts.
2003	*/
2004	void __audit_inode_child(const struct dentry *dentry,
2005	const struct inode *parent)
2006	{
2007	int idx;
2008	struct audit_context *context = current->audit_context;
2009	const char found_parent = NULL, found_child = NULL;
2010	const struct inode *inode = dentry->d_inode;
2011	const char *dname = dentry->d_name.name;
2012	int dirlen = 0;
2013
2014	if (!context->in_syscall)
2015	return;
2016
2017	if (inode)
2018	handle_one(inode);
2019
2020	/* parent is more likely, look for it first */
2021	for (idx = 0; idx < context->name_count; idx++) {
2022	struct audit_names *n = &context->names[idx];
2023
2024	if (!n->name)
2025	continue;
2026
2027	if (n->ino == parent->i_ino &&
2028	!audit_compare_dname_path(dname, n->name, &dirlen)) {
2029	n->name_len = dirlen; /* update parent data in place */
2030	found_parent = n->name;
2031	goto add_names;
2032	}
2033	}
2034
2035	/* no matching parent, look for matching child */
2036	for (idx = 0; idx < context->name_count; idx++) {
2037	struct audit_names *n = &context->names[idx];
2038
2039	if (!n->name)
2040	continue;
2041
2042	/* strcmp() is the more likely scenario */
2043	if (!strcmp(dname, n->name) \|\|
2044	!audit_compare_dname_path(dname, n->name, &dirlen)) {
2045	if (inode)
2046	audit_copy_inode(n, NULL, inode);
2047	else
2048	n->ino = (unsigned long)-1;
2049	found_child = n->name;
2050	goto add_names;
2051	}
2052	}
2053
2054	add_names:
2055	if (!found_parent) {
2056	if (audit_inc_name_count(context, parent))
2057	return;
2058	idx = context->name_count - 1;
2059	context->names[idx].name = NULL;
2060	audit_copy_inode(&context->names[idx], NULL, parent);
2061	}
2062
2063	if (!found_child) {
2064	if (audit_inc_name_count(context, inode))
2065	return;
2066	idx = context->name_count - 1;
2067
2068	/* Re-use the name belonging to the slot for a matching parent
2069	* directory. All names for this context are relinquished in
2070	* audit_free_names() */
2071	if (found_parent) {
2072	context->names[idx].name = found_parent;
2073	context->names[idx].name_len = AUDIT_NAME_FULL;
2074	/* don't call __putname() */
2075	context->names[idx].name_put = 0;
2076	} else {
2077	context->names[idx].name = NULL;
2078	}
2079
2080	if (inode)
2081	audit_copy_inode(&context->names[idx], NULL, inode);
2082	else
2083	context->names[idx].ino = (unsigned long)-1;
2084	}
2085	}
2086	EXPORT_SYMBOL_GPL(__audit_inode_child);
2087
2088	/**
2089	* auditsc_get_stamp - get local copies of audit_context values
2090	* @ctx: audit_context for the task
2091	* @t: timespec to store time recorded in the audit_context
2092	* @serial: serial value that is recorded in the audit_context
2093	*
2094	* Also sets the context as auditable.
2095	*/
2096	int auditsc_get_stamp(struct audit_context *ctx,
2097	struct timespec t, unsigned int serial)
2098	{
2099	if (!ctx->in_syscall)
2100	return 0;
2101	if (!ctx->serial)
2102	ctx->serial = audit_serial();
2103	t->tv_sec = ctx->ctime.tv_sec;
2104	t->tv_nsec = ctx->ctime.tv_nsec;
2105	*serial = ctx->serial;
2106	if (!ctx->prio) {
2107	ctx->prio = 1;
2108	ctx->current_state = AUDIT_RECORD_CONTEXT;
2109	}
2110	return 1;
2111	}
2112
2113	/* global counter which is incremented every time something logs in */
2114	static atomic_t session_id = ATOMIC_INIT(0);
2115
2116	/**
2117	* audit_set_loginuid - set a task's audit_context loginuid
2118	* @task: task whose audit context is being modified
2119	* @loginuid: loginuid value
2120	*
2121	* Returns 0.
2122	*
2123	* Called (set) from fs/proc/base.c::proc_loginuid_write().
2124	*/
2125	int audit_set_loginuid(struct task_struct *task, uid_t loginuid)
2126	{
2127	unsigned int sessionid = atomic_inc_return(&session_id);
2128	struct audit_context *context = task->audit_context;
2129
2130	if (context && context->in_syscall) {
2131	struct audit_buffer *ab;
2132
2133	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN);
2134	if (ab) {
2135	audit_log_format(ab, "login pid=%d uid=%u "
2136	"old auid=%u new auid=%u"
2137	" old ses=%u new ses=%u",
2138	task->pid, task_uid(task),
2139	task->loginuid, loginuid,
2140	task->sessionid, sessionid);
2141	audit_log_end(ab);
2142	}
2143	}
2144	task->sessionid = sessionid;
2145	task->loginuid = loginuid;
2146	return 0;
2147	}
2148
2149	/**
2150	* __audit_mq_open - record audit data for a POSIX MQ open
2151	* @oflag: open flag
2152	* @mode: mode bits
2153	* @attr: queue attributes
2154	*
2155	*/
2156	void __audit_mq_open(int oflag, mode_t mode, struct mq_attr *attr)
2157	{
2158	struct audit_context *context = current->audit_context;
2159
2160	if (attr)
2161	memcpy(&context->mq_open.attr, attr, sizeof(struct mq_attr));
2162	else
2163	memset(&context->mq_open.attr, 0, sizeof(struct mq_attr));
2164
2165	context->mq_open.oflag = oflag;
2166	context->mq_open.mode = mode;
2167
2168	context->type = AUDIT_MQ_OPEN;
2169	}
2170
2171	/**
2172	* __audit_mq_sendrecv - record audit data for a POSIX MQ timed send/receive
2173	* @mqdes: MQ descriptor
2174	* @msg_len: Message length
2175	* @msg_prio: Message priority
2176	* @abs_timeout: Message timeout in absolute time
2177	*
2178	*/
2179	void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio,
2180	const struct timespec *abs_timeout)
2181	{
2182	struct audit_context *context = current->audit_context;
2183	struct timespec *p = &context->mq_sendrecv.abs_timeout;
2184
2185	if (abs_timeout)
2186	memcpy(p, abs_timeout, sizeof(struct timespec));
2187	else
2188	memset(p, 0, sizeof(struct timespec));
2189
2190	context->mq_sendrecv.mqdes = mqdes;
2191	context->mq_sendrecv.msg_len = msg_len;
2192	context->mq_sendrecv.msg_prio = msg_prio;
2193
2194	context->type = AUDIT_MQ_SENDRECV;
2195	}
2196
2197	/**
2198	* __audit_mq_notify - record audit data for a POSIX MQ notify
2199	* @mqdes: MQ descriptor
2200	* @notification: Notification event
2201	*
2202	*/
2203
2204	void __audit_mq_notify(mqd_t mqdes, const struct sigevent *notification)
2205	{
2206	struct audit_context *context = current->audit_context;
2207
2208	if (notification)
2209	context->mq_notify.sigev_signo = notification->sigev_signo;
2210	else
2211	context->mq_notify.sigev_signo = 0;
2212
2213	context->mq_notify.mqdes = mqdes;
2214	context->type = AUDIT_MQ_NOTIFY;
2215	}
2216
2217	/**
2218	* __audit_mq_getsetattr - record audit data for a POSIX MQ get/set attribute
2219	* @mqdes: MQ descriptor
2220	* @mqstat: MQ flags
2221	*
2222	*/
2223	void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat)
2224	{
2225	struct audit_context *context = current->audit_context;
2226	context->mq_getsetattr.mqdes = mqdes;
2227	context->mq_getsetattr.mqstat = *mqstat;
2228	context->type = AUDIT_MQ_GETSETATTR;
2229	}
2230
2231	/**
2232	* audit_ipc_obj - record audit data for ipc object
2233	* @ipcp: ipc permissions
2234	*
2235	*/
2236	void __audit_ipc_obj(struct kern_ipc_perm *ipcp)
2237	{
2238	struct audit_context *context = current->audit_context;
2239	context->ipc.uid = ipcp->uid;
2240	context->ipc.gid = ipcp->gid;
2241	context->ipc.mode = ipcp->mode;
2242	context->ipc.has_perm = 0;
2243	security_ipc_getsecid(ipcp, &context->ipc.osid);
2244	context->type = AUDIT_IPC;
2245	}
2246
2247	/**
2248	* audit_ipc_set_perm - record audit data for new ipc permissions
2249	* @qbytes: msgq bytes
2250	* @uid: msgq user id
2251	* @gid: msgq group id
2252	* @mode: msgq mode (permissions)
2253	*
2254	* Called only after audit_ipc_obj().
2255	*/
2256	void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode)
2257	{
2258	struct audit_context *context = current->audit_context;
2259
2260	context->ipc.qbytes = qbytes;
2261	context->ipc.perm_uid = uid;
2262	context->ipc.perm_gid = gid;
2263	context->ipc.perm_mode = mode;
2264	context->ipc.has_perm = 1;
2265	}
2266
2267	int audit_bprm(struct linux_binprm *bprm)
2268	{
2269	struct audit_aux_data_execve *ax;
2270	struct audit_context *context = current->audit_context;
2271
2272	if (likely(!audit_enabled \|\| !context \|\| context->dummy))
2273	return 0;
2274
2275	ax = kmalloc(sizeof(*ax), GFP_KERNEL);
2276	if (!ax)
2277	return -ENOMEM;
2278
2279	ax->argc = bprm->argc;
2280	ax->envc = bprm->envc;
2281	ax->mm = bprm->mm;
2282	ax->d.type = AUDIT_EXECVE;
2283	ax->d.next = context->aux;
2284	context->aux = (void *)ax;
2285	return 0;
2286	}
2287
2288
2289	/**
2290	* audit_socketcall - record audit data for sys_socketcall
2291	* @nargs: number of args
2292	* @args: args array
2293	*
2294	*/
2295	void audit_socketcall(int nargs, unsigned long *args)
2296	{
2297	struct audit_context *context = current->audit_context;
2298
2299	if (likely(!context \|\| context->dummy))
2300	return;
2301
2302	context->type = AUDIT_SOCKETCALL;
2303	context->socketcall.nargs = nargs;
2304	memcpy(context->socketcall.args, args, nargs * sizeof(unsigned long));
2305	}
2306
2307	/**
2308	* __audit_fd_pair - record audit data for pipe and socketpair
2309	* @fd1: the first file descriptor
2310	* @fd2: the second file descriptor
2311	*
2312	*/
2313	void __audit_fd_pair(int fd1, int fd2)
2314	{
2315	struct audit_context *context = current->audit_context;
2316	context->fds[0] = fd1;
2317	context->fds[1] = fd2;
2318	}
2319
2320	/**
2321	* audit_sockaddr - record audit data for sys_bind, sys_connect, sys_sendto
2322	* @len: data length in user space
2323	* @a: data address in kernel space
2324	*
2325	* Returns 0 for success or NULL context or < 0 on error.
2326	*/
2327	int audit_sockaddr(int len, void *a)
2328	{
2329	struct audit_context *context = current->audit_context;
2330
2331	if (likely(!context \|\| context->dummy))
2332	return 0;
2333
2334	if (!context->sockaddr) {
2335	void *p = kmalloc(sizeof(struct sockaddr_storage), GFP_KERNEL);
2336	if (!p)
2337	return -ENOMEM;
2338	context->sockaddr = p;
2339	}
2340
2341	context->sockaddr_len = len;
2342	memcpy(context->sockaddr, a, len);
2343	return 0;
2344	}
2345
2346	void __audit_ptrace(struct task_struct *t)
2347	{
2348	struct audit_context *context = current->audit_context;
2349
2350	context->target_pid = t->pid;
2351	context->target_auid = audit_get_loginuid(t);
2352	context->target_uid = task_uid(t);
2353	context->target_sessionid = audit_get_sessionid(t);
2354	security_task_getsecid(t, &context->target_sid);
2355	memcpy(context->target_comm, t->comm, TASK_COMM_LEN);
2356	}
2357
2358	/**
2359	* audit_signal_info - record signal info for shutting down audit subsystem
2360	* @sig: signal value
2361	* @t: task being signaled
2362	*
2363	* If the audit subsystem is being terminated, record the task (pid)
2364	* and uid that is doing that.
2365	*/
2366	int __audit_signal_info(int sig, struct task_struct *t)
2367	{
2368	struct audit_aux_data_pids *axp;
2369	struct task_struct *tsk = current;
2370	struct audit_context *ctx = tsk->audit_context;
2371	uid_t uid = current_uid(), t_uid = task_uid(t);
2372
2373	if (audit_pid && t->tgid == audit_pid) {
2374	if (sig == SIGTERM \|\| sig == SIGHUP \|\| sig == SIGUSR1 \|\| sig == SIGUSR2) {
2375	audit_sig_pid = tsk->pid;
2376	if (tsk->loginuid != -1)
2377	audit_sig_uid = tsk->loginuid;
2378	else
2379	audit_sig_uid = uid;
2380	security_task_getsecid(tsk, &audit_sig_sid);
2381	}
2382	if (!audit_signals \|\| audit_dummy_context())
2383	return 0;
2384	}
2385
2386	/* optimize the common case by putting first signal recipient directly
2387	* in audit_context */
2388	if (!ctx->target_pid) {
2389	ctx->target_pid = t->tgid;
2390	ctx->target_auid = audit_get_loginuid(t);
2391	ctx->target_uid = t_uid;
2392	ctx->target_sessionid = audit_get_sessionid(t);
2393	security_task_getsecid(t, &ctx->target_sid);
2394	memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN);
2395	return 0;
2396	}
2397
2398	axp = (void *)ctx->aux_pids;
2399	if (!axp \|\| axp->pid_count == AUDIT_AUX_PIDS) {
2400	axp = kzalloc(sizeof(*axp), GFP_ATOMIC);
2401	if (!axp)
2402	return -ENOMEM;
2403
2404	axp->d.type = AUDIT_OBJ_PID;
2405	axp->d.next = ctx->aux_pids;
2406	ctx->aux_pids = (void *)axp;
2407	}
2408	BUG_ON(axp->pid_count >= AUDIT_AUX_PIDS);
2409
2410	axp->target_pid[axp->pid_count] = t->tgid;
2411	axp->target_auid[axp->pid_count] = audit_get_loginuid(t);
2412	axp->target_uid[axp->pid_count] = t_uid;
2413	axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t);
2414	security_task_getsecid(t, &axp->target_sid[axp->pid_count]);
2415	memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN);
2416	axp->pid_count++;
2417
2418	return 0;
2419	}
2420
2421	/**
2422	* __audit_log_bprm_fcaps - store information about a loading bprm and relevant fcaps
2423	* @bprm: pointer to the bprm being processed
2424	* @new: the proposed new credentials
2425	* @old: the old credentials
2426	*
2427	* Simply check if the proc already has the caps given by the file and if not
2428	* store the priv escalation info for later auditing at the end of the syscall
2429	*
2430	* -Eric
2431	*/
2432	int __audit_log_bprm_fcaps(struct linux_binprm *bprm,
2433	const struct cred new, const struct cred old)
2434	{
2435	struct audit_aux_data_bprm_fcaps *ax;
2436	struct audit_context *context = current->audit_context;
2437	struct cpu_vfs_cap_data vcaps;
2438	struct dentry *dentry;
2439
2440	ax = kmalloc(sizeof(*ax), GFP_KERNEL);
2441	if (!ax)
2442	return -ENOMEM;
2443
2444	ax->d.type = AUDIT_BPRM_FCAPS;
2445	ax->d.next = context->aux;
2446	context->aux = (void *)ax;
2447
2448	dentry = dget(bprm->file->f_dentry);
2449	get_vfs_caps_from_disk(dentry, &vcaps);
2450	dput(dentry);
2451
2452	ax->fcap.permitted = vcaps.permitted;
2453	ax->fcap.inheritable = vcaps.inheritable;
2454	ax->fcap.fE = !!(vcaps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE);
2455	ax->fcap_ver = (vcaps.magic_etc & VFS_CAP_REVISION_MASK) >> VFS_CAP_REVISION_SHIFT;
2456
2457	ax->old_pcap.permitted = old->cap_permitted;
2458	ax->old_pcap.inheritable = old->cap_inheritable;
2459	ax->old_pcap.effective = old->cap_effective;
2460
2461	ax->new_pcap.permitted = new->cap_permitted;
2462	ax->new_pcap.inheritable = new->cap_inheritable;
2463	ax->new_pcap.effective = new->cap_effective;
2464	return 0;
2465	}
2466
2467	/**
2468	* __audit_log_capset - store information about the arguments to the capset syscall
2469	* @pid: target pid of the capset call
2470	* @new: the new credentials
2471	* @old: the old (current) credentials
2472	*
2473	* Record the aguments userspace sent to sys_capset for later printing by the
2474	* audit system if applicable
2475	*/
2476	void __audit_log_capset(pid_t pid,
2477	const struct cred new, const struct cred old)
2478	{
2479	struct audit_context *context = current->audit_context;
2480	context->capset.pid = pid;
2481	context->capset.cap.effective = new->cap_effective;
2482	context->capset.cap.inheritable = new->cap_effective;
2483	context->capset.cap.permitted = new->cap_permitted;
2484	context->type = AUDIT_CAPSET;
2485	}
2486
2487	void __audit_mmap_fd(int fd, int flags)
2488	{
2489	struct audit_context *context = current->audit_context;
2490	context->mmap.fd = fd;
2491	context->mmap.flags = flags;
2492	context->type = AUDIT_MMAP;
2493	}
2494
2495	/**
2496	* audit_core_dumps - record information about processes that end abnormally
2497	* @signr: signal value
2498	*
2499	* If a process ends with a core dump, something fishy is going on and we
2500	* should record the event for investigation.
2501	*/
2502	void audit_core_dumps(long signr)
2503	{
2504	struct audit_buffer *ab;
2505	u32 sid;
2506	uid_t auid = audit_get_loginuid(current), uid;
2507	gid_t gid;
2508	unsigned int sessionid = audit_get_sessionid(current);
2509
2510	if (!audit_enabled)
2511	return;
2512
2513	if (signr == SIGQUIT) /* don't care for those */
2514	return;
2515
2516	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
2517	current_uid_gid(&uid, &gid);
2518	audit_log_format(ab, "auid=%u uid=%u gid=%u ses=%u",
2519	auid, uid, gid, sessionid);
2520	security_task_getsecid(current, &sid);
2521	if (sid) {
2522	char *ctx = NULL;
2523	u32 len;
2524
2525	if (security_secid_to_secctx(sid, &ctx, &len))
2526	audit_log_format(ab, " ssid=%u", sid);
2527	else {
2528	audit_log_format(ab, " subj=%s", ctx);
2529	security_release_secctx(ctx, len);
2530	}
2531	}
2532	audit_log_format(ab, " pid=%d comm=", current->pid);
2533	audit_log_untrustedstring(ab, current->comm);
2534	audit_log_format(ab, " sig=%ld", signr);
2535	audit_log_end(ab);
2536	}
2537
2538	struct list_head *audit_killed_trees(void)
2539	{
2540	struct audit_context *ctx = current->audit_context;
2541	if (likely(!ctx \|\| !ctx->in_syscall))
2542	return NULL;
2543	return &ctx->killed_trees;
2544	}
2545

Download this file

Branches:
ben-wpan
ben-wpan-stefan
javiroman/ks7010
jz-2.6.34
jz-2.6.34-rc5
jz-2.6.34-rc6
jz-2.6.34-rc7
jz-2.6.35
jz-2.6.36
jz-2.6.37
jz-2.6.38
jz-2.6.39
jz-3.0
jz-3.1
jz-3.11
jz-3.12
jz-3.13
jz-3.15
jz-3.16
jz-3.18-dt
jz-3.2
jz-3.3
jz-3.4
jz-3.5
jz-3.6
jz-3.6-rc2-pwm
jz-3.9
jz-3.9-clk
jz-3.9-rc8
jz47xx
jz47xx-2.6.38
master

Tags:
od-2011-09-04
od-2011-09-18
v2.6.34-rc5
v2.6.34-rc6
v2.6.34-rc7
v3.9

Kernel

Kernel Git Source Tree

Root/kernel/auditsc.c

interactive