Root/drivers/tty/tty_audit.c

1/*
2 * Creating audit events from TTY input.
3 *
4 * Copyright (C) 2007 Red Hat, Inc. All rights reserved. This copyrighted
5 * material is made available to anyone wishing to use, modify, copy, or
6 * redistribute it subject to the terms and conditions of the GNU General
7 * Public License v.2.
8 *
9 * Authors: Miloslav Trmac <mitr@redhat.com>
10 */
11
12#include <linux/audit.h>
13#include <linux/slab.h>
14#include <linux/tty.h>
15
16struct tty_audit_buf {
17    atomic_t count;
18    struct mutex mutex; /* Protects all data below */
19    int major, minor; /* The TTY which the data is from */
20    unsigned icanon:1;
21    size_t valid;
22    unsigned char *data; /* Allocated size N_TTY_BUF_SIZE */
23};
24
25static struct tty_audit_buf *tty_audit_buf_alloc(int major, int minor,
26                         unsigned icanon)
27{
28    struct tty_audit_buf *buf;
29
30    buf = kmalloc(sizeof(*buf), GFP_KERNEL);
31    if (!buf)
32        goto err;
33    buf->data = kmalloc(N_TTY_BUF_SIZE, GFP_KERNEL);
34    if (!buf->data)
35        goto err_buf;
36    atomic_set(&buf->count, 1);
37    mutex_init(&buf->mutex);
38    buf->major = major;
39    buf->minor = minor;
40    buf->icanon = icanon;
41    buf->valid = 0;
42    return buf;
43
44err_buf:
45    kfree(buf);
46err:
47    return NULL;
48}
49
50static void tty_audit_buf_free(struct tty_audit_buf *buf)
51{
52    WARN_ON(buf->valid != 0);
53    kfree(buf->data);
54    kfree(buf);
55}
56
57static void tty_audit_buf_put(struct tty_audit_buf *buf)
58{
59    if (atomic_dec_and_test(&buf->count))
60        tty_audit_buf_free(buf);
61}
62
63static void tty_audit_log(const char *description, struct task_struct *tsk,
64              kuid_t loginuid, unsigned sessionid, int major,
65              int minor, unsigned char *data, size_t size)
66{
67    struct audit_buffer *ab;
68
69    ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_TTY);
70    if (ab) {
71        char name[sizeof(tsk->comm)];
72        kuid_t uid = task_uid(tsk);
73
74        audit_log_format(ab, "%s pid=%u uid=%u auid=%u ses=%u "
75                 "major=%d minor=%d comm=", description,
76                 tsk->pid,
77                 from_kuid(&init_user_ns, uid),
78                 from_kuid(&init_user_ns, loginuid),
79                 sessionid,
80                 major, minor);
81        get_task_comm(name, tsk);
82        audit_log_untrustedstring(ab, name);
83        audit_log_format(ab, " data=");
84        audit_log_n_hex(ab, data, size);
85        audit_log_end(ab);
86    }
87}
88
89/**
90 * tty_audit_buf_push - Push buffered data out
91 *
92 * Generate an audit message from the contents of @buf, which is owned by
93 * @tsk with @loginuid. @buf->mutex must be locked.
94 */
95static void tty_audit_buf_push(struct task_struct *tsk, kuid_t loginuid,
96                   unsigned int sessionid,
97                   struct tty_audit_buf *buf)
98{
99    if (buf->valid == 0)
100        return;
101    if (audit_enabled == 0) {
102        buf->valid = 0;
103        return;
104    }
105    tty_audit_log("tty", tsk, loginuid, sessionid, buf->major, buf->minor,
106              buf->data, buf->valid);
107    buf->valid = 0;
108}
109
110/**
111 * tty_audit_buf_push_current - Push buffered data out
112 *
113 * Generate an audit message from the contents of @buf, which is owned by
114 * the current task. @buf->mutex must be locked.
115 */
116static void tty_audit_buf_push_current(struct tty_audit_buf *buf)
117{
118    kuid_t auid = audit_get_loginuid(current);
119    unsigned int sessionid = audit_get_sessionid(current);
120    tty_audit_buf_push(current, auid, sessionid, buf);
121}
122
123/**
124 * tty_audit_exit - Handle a task exit
125 *
126 * Make sure all buffered data is written out and deallocate the buffer.
127 * Only needs to be called if current->signal->tty_audit_buf != %NULL.
128 */
129void tty_audit_exit(void)
130{
131    struct tty_audit_buf *buf;
132
133    spin_lock_irq(&current->sighand->siglock);
134    buf = current->signal->tty_audit_buf;
135    current->signal->tty_audit_buf = NULL;
136    spin_unlock_irq(&current->sighand->siglock);
137    if (!buf)
138        return;
139
140    mutex_lock(&buf->mutex);
141    tty_audit_buf_push_current(buf);
142    mutex_unlock(&buf->mutex);
143
144    tty_audit_buf_put(buf);
145}
146
147/**
148 * tty_audit_fork - Copy TTY audit state for a new task
149 *
150 * Set up TTY audit state in @sig from current. @sig needs no locking.
151 */
152void tty_audit_fork(struct signal_struct *sig)
153{
154    spin_lock_irq(&current->sighand->siglock);
155    sig->audit_tty = current->signal->audit_tty;
156    spin_unlock_irq(&current->sighand->siglock);
157}
158
159/**
160 * tty_audit_tiocsti - Log TIOCSTI
161 */
162void tty_audit_tiocsti(struct tty_struct *tty, char ch)
163{
164    struct tty_audit_buf *buf;
165    int major, minor, should_audit;
166
167    spin_lock_irq(&current->sighand->siglock);
168    should_audit = current->signal->audit_tty;
169    buf = current->signal->tty_audit_buf;
170    if (buf)
171        atomic_inc(&buf->count);
172    spin_unlock_irq(&current->sighand->siglock);
173
174    major = tty->driver->major;
175    minor = tty->driver->minor_start + tty->index;
176    if (buf) {
177        mutex_lock(&buf->mutex);
178        if (buf->major == major && buf->minor == minor)
179            tty_audit_buf_push_current(buf);
180        mutex_unlock(&buf->mutex);
181        tty_audit_buf_put(buf);
182    }
183
184    if (should_audit && audit_enabled) {
185        kuid_t auid;
186        unsigned int sessionid;
187
188        auid = audit_get_loginuid(current);
189        sessionid = audit_get_sessionid(current);
190        tty_audit_log("ioctl=TIOCSTI", current, auid, sessionid, major,
191                  minor, &ch, 1);
192    }
193}
194
195/**
196 * tty_audit_push_task - Flush task's pending audit data
197 * @tsk: task pointer
198 * @loginuid: sender login uid
199 * @sessionid: sender session id
200 *
201 * Called with a ref on @tsk held. Try to lock sighand and get a
202 * reference to the tty audit buffer if available.
203 * Flush the buffer or return an appropriate error code.
204 */
205int tty_audit_push_task(struct task_struct *tsk, kuid_t loginuid, u32 sessionid)
206{
207    struct tty_audit_buf *buf = ERR_PTR(-EPERM);
208    unsigned long flags;
209
210    if (!lock_task_sighand(tsk, &flags))
211        return -ESRCH;
212
213    if (tsk->signal->audit_tty) {
214        buf = tsk->signal->tty_audit_buf;
215        if (buf)
216            atomic_inc(&buf->count);
217    }
218    unlock_task_sighand(tsk, &flags);
219
220    /*
221     * Return 0 when signal->audit_tty set
222     * but tsk->signal->tty_audit_buf == NULL.
223     */
224    if (!buf || IS_ERR(buf))
225        return PTR_ERR(buf);
226
227    mutex_lock(&buf->mutex);
228    tty_audit_buf_push(tsk, loginuid, sessionid, buf);
229    mutex_unlock(&buf->mutex);
230
231    tty_audit_buf_put(buf);
232    return 0;
233}
234
235/**
236 * tty_audit_buf_get - Get an audit buffer.
237 *
238 * Get an audit buffer for @tty, allocate it if necessary. Return %NULL
239 * if TTY auditing is disabled or out of memory. Otherwise, return a new
240 * reference to the buffer.
241 */
242static struct tty_audit_buf *tty_audit_buf_get(struct tty_struct *tty,
243        unsigned icanon)
244{
245    struct tty_audit_buf *buf, *buf2;
246
247    buf = NULL;
248    buf2 = NULL;
249    spin_lock_irq(&current->sighand->siglock);
250    if (likely(!current->signal->audit_tty))
251        goto out;
252    buf = current->signal->tty_audit_buf;
253    if (buf) {
254        atomic_inc(&buf->count);
255        goto out;
256    }
257    spin_unlock_irq(&current->sighand->siglock);
258
259    buf2 = tty_audit_buf_alloc(tty->driver->major,
260                   tty->driver->minor_start + tty->index,
261                   icanon);
262    if (buf2 == NULL) {
263        audit_log_lost("out of memory in TTY auditing");
264        return NULL;
265    }
266
267    spin_lock_irq(&current->sighand->siglock);
268    if (!current->signal->audit_tty)
269        goto out;
270    buf = current->signal->tty_audit_buf;
271    if (!buf) {
272        current->signal->tty_audit_buf = buf2;
273        buf = buf2;
274        buf2 = NULL;
275    }
276    atomic_inc(&buf->count);
277    /* Fall through */
278 out:
279    spin_unlock_irq(&current->sighand->siglock);
280    if (buf2)
281        tty_audit_buf_free(buf2);
282    return buf;
283}
284
285/**
286 * tty_audit_add_data - Add data for TTY auditing.
287 *
288 * Audit @data of @size from @tty, if necessary.
289 */
290void tty_audit_add_data(struct tty_struct *tty, unsigned char *data,
291            size_t size, unsigned icanon)
292{
293    struct tty_audit_buf *buf;
294    int major, minor;
295
296    if (unlikely(size == 0))
297        return;
298
299    if (tty->driver->type == TTY_DRIVER_TYPE_PTY
300        && tty->driver->subtype == PTY_TYPE_MASTER)
301        return;
302
303    buf = tty_audit_buf_get(tty, icanon);
304    if (!buf)
305        return;
306
307    mutex_lock(&buf->mutex);
308    major = tty->driver->major;
309    minor = tty->driver->minor_start + tty->index;
310    if (buf->major != major || buf->minor != minor
311        || buf->icanon != icanon) {
312        tty_audit_buf_push_current(buf);
313        buf->major = major;
314        buf->minor = minor;
315        buf->icanon = icanon;
316    }
317    do {
318        size_t run;
319
320        run = N_TTY_BUF_SIZE - buf->valid;
321        if (run > size)
322            run = size;
323        memcpy(buf->data + buf->valid, data, run);
324        buf->valid += run;
325        data += run;
326        size -= run;
327        if (buf->valid == N_TTY_BUF_SIZE)
328            tty_audit_buf_push_current(buf);
329    } while (size != 0);
330    mutex_unlock(&buf->mutex);
331    tty_audit_buf_put(buf);
332}
333
334/**
335 * tty_audit_push - Push buffered data out
336 *
337 * Make sure no audit data is pending for @tty on the current process.
338 */
339void tty_audit_push(struct tty_struct *tty)
340{
341    struct tty_audit_buf *buf;
342
343    spin_lock_irq(&current->sighand->siglock);
344    if (likely(!current->signal->audit_tty)) {
345        spin_unlock_irq(&current->sighand->siglock);
346        return;
347    }
348    buf = current->signal->tty_audit_buf;
349    if (buf)
350        atomic_inc(&buf->count);
351    spin_unlock_irq(&current->sighand->siglock);
352
353    if (buf) {
354        int major, minor;
355
356        major = tty->driver->major;
357        minor = tty->driver->minor_start + tty->index;
358        mutex_lock(&buf->mutex);
359        if (buf->major == major && buf->minor == minor)
360            tty_audit_buf_push_current(buf);
361        mutex_unlock(&buf->mutex);
362        tty_audit_buf_put(buf);
363    }
364}
365

Archive Download this file



interactive