Kernel

Kernel Git Source Tree

Root/kernel/auditsc.c

1	/* auditsc.c -- System-call auditing support
2	* Handles all system-call specific auditing features.
3	*
4	* Copyright 2003-2004 Red Hat Inc., Durham, North Carolina.
5	* Copyright 2005 Hewlett-Packard Development Company, L.P.
6	* Copyright (C) 2005, 2006 IBM Corporation
7	* All Rights Reserved.
8	*
9	* This program is free software; you can redistribute it and/or modify
10	* it under the terms of the GNU General Public License as published by
11	* the Free Software Foundation; either version 2 of the License, or
12	* (at your option) any later version.
13	*
14	* This program is distributed in the hope that it will be useful,
15	* but WITHOUT ANY WARRANTY; without even the implied warranty of
16	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17	* GNU General Public License for more details.
18	*
19	* You should have received a copy of the GNU General Public License
20	* along with this program; if not, write to the Free Software
21	* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
22	*
23	* Written by Rickard E. (Rik) Faith <faith@redhat.com>
24	*
25	* Many of the ideas implemented here are from Stephen C. Tweedie,
26	* especially the idea of avoiding a copy by using getname.
27	*
28	* The method for actual interception of syscall entry and exit (not in
29	* this file -- see entry.S) is based on a GPL'd patch written by
30	* okir@suse.de and Copyright 2003 SuSE Linux AG.
31	*
32	* POSIX message queue support added by George Wilson <ltcgcw@us.ibm.com>,
33	* 2006.
34	*
35	* The support of additional filter rules compares (>, <, >=, <=) was
36	* added by Dustin Kirkland <dustin.kirkland@us.ibm.com>, 2005.
37	*
38	* Modified by Amy Griffis <amy.griffis@hp.com> to collect additional
39	* filesystem information.
40	*
41	* Subject and object context labeling support added by <danjones@us.ibm.com>
42	* and <dustin.kirkland@us.ibm.com> for LSPP certification compliance.
43	*/
44
45	#include <linux/init.h>
46	#include <asm/types.h>
47	#include <asm/atomic.h>
48	#include <linux/fs.h>
49	#include <linux/namei.h>
50	#include <linux/mm.h>
51	#include <linux/module.h>
52	#include <linux/mount.h>
53	#include <linux/socket.h>
54	#include <linux/mqueue.h>
55	#include <linux/audit.h>
56	#include <linux/personality.h>
57	#include <linux/time.h>
58	#include <linux/netlink.h>
59	#include <linux/compiler.h>
60	#include <asm/unistd.h>
61	#include <linux/security.h>
62	#include <linux/list.h>
63	#include <linux/tty.h>
64	#include <linux/binfmts.h>
65	#include <linux/highmem.h>
66	#include <linux/syscalls.h>
67	#include <linux/inotify.h>
68	#include <linux/capability.h>
69	#include <linux/fs_struct.h>
70
71	#include "audit.h"
72
73	/* AUDIT_NAMES is the number of slots we reserve in the audit_context
74	* for saving names from getname(). */
75	#define AUDIT_NAMES 20
76
77	/* Indicates that audit should log the full pathname. */
78	#define AUDIT_NAME_FULL -1
79
80	/* no execve audit message should be longer than this (userspace limits) */
81	#define MAX_EXECVE_AUDIT_LEN 7500
82
83	/* number of audit rules */
84	int audit_n_rules;
85
86	/* determines whether we collect data for signals sent */
87	int audit_signals;
88
89	struct audit_cap_data {
90	kernel_cap_t permitted;
91	kernel_cap_t inheritable;
92	union {
93	unsigned int fE; /* effective bit of a file capability */
94	kernel_cap_t effective; /* effective set of a process */
95	};
96	};
97
98	/* When fs/namei.c:getname() is called, we store the pointer in name and
99	* we don't let putname() free it (instead we free all of the saved
100	* pointers at syscall exit time).
101	*
102	* Further, in fs/namei.c:path_lookup() we store the inode and device. */
103	struct audit_names {
104	const char *name;
105	int name_len; /* number of name's characters to log */
106	unsigned name_put; /* call __putname() for this name */
107	unsigned long ino;
108	dev_t dev;
109	umode_t mode;
110	uid_t uid;
111	gid_t gid;
112	dev_t rdev;
113	u32 osid;
114	struct audit_cap_data fcap;
115	unsigned int fcap_ver;
116	};
117
118	struct audit_aux_data {
119	struct audit_aux_data *next;
120	int type;
121	};
122
123	#define AUDIT_AUX_IPCPERM 0
124
125	/* Number of target pids per aux struct. */
126	#define AUDIT_AUX_PIDS 16
127
128	struct audit_aux_data_execve {
129	struct audit_aux_data d;
130	int argc;
131	int envc;
132	struct mm_struct *mm;
133	};
134
135	struct audit_aux_data_pids {
136	struct audit_aux_data d;
137	pid_t target_pid[AUDIT_AUX_PIDS];
138	uid_t target_auid[AUDIT_AUX_PIDS];
139	uid_t target_uid[AUDIT_AUX_PIDS];
140	unsigned int target_sessionid[AUDIT_AUX_PIDS];
141	u32 target_sid[AUDIT_AUX_PIDS];
142	char target_comm[AUDIT_AUX_PIDS][TASK_COMM_LEN];
143	int pid_count;
144	};
145
146	struct audit_aux_data_bprm_fcaps {
147	struct audit_aux_data d;
148	struct audit_cap_data fcap;
149	unsigned int fcap_ver;
150	struct audit_cap_data old_pcap;
151	struct audit_cap_data new_pcap;
152	};
153
154	struct audit_aux_data_capset {
155	struct audit_aux_data d;
156	pid_t pid;
157	struct audit_cap_data cap;
158	};
159
160	struct audit_tree_refs {
161	struct audit_tree_refs *next;
162	struct audit_chunk *c[31];
163	};
164
165	/* The per-task audit context. */
166	struct audit_context {
167	int dummy; /* must be the first element */
168	int in_syscall; /* 1 if task is in a syscall */
169	enum audit_state state, current_state;
170	unsigned int serial; /* serial number for record */
171	int major; /* syscall number */
172	struct timespec ctime; /* time of syscall entry */
173	unsigned long argv[4]; /* syscall arguments */
174	long return_code;/* syscall return code */
175	u64 prio;
176	int return_valid; /* return code is valid */
177	int name_count;
178	struct audit_names names[AUDIT_NAMES];
179	char * filterkey; /* key for rule that triggered record */
180	struct path pwd;
181	struct audit_context previous; / For nested syscalls */
182	struct audit_aux_data *aux;
183	struct audit_aux_data *aux_pids;
184	struct sockaddr_storage *sockaddr;
185	size_t sockaddr_len;
186	/* Save things to print about task_struct */
187	pid_t pid, ppid;
188	uid_t uid, euid, suid, fsuid;
189	gid_t gid, egid, sgid, fsgid;
190	unsigned long personality;
191	int arch;
192
193	pid_t target_pid;
194	uid_t target_auid;
195	uid_t target_uid;
196	unsigned int target_sessionid;
197	u32 target_sid;
198	char target_comm[TASK_COMM_LEN];
199
200	struct audit_tree_refs trees, first_trees;
201	struct list_head killed_trees;
202	int tree_count;
203
204	int type;
205	union {
206	struct {
207	int nargs;
208	long args[6];
209	} socketcall;
210	struct {
211	uid_t uid;
212	gid_t gid;
213	mode_t mode;
214	u32 osid;
215	int has_perm;
216	uid_t perm_uid;
217	gid_t perm_gid;
218	mode_t perm_mode;
219	unsigned long qbytes;
220	} ipc;
221	struct {
222	mqd_t mqdes;
223	struct mq_attr mqstat;
224	} mq_getsetattr;
225	struct {
226	mqd_t mqdes;
227	int sigev_signo;
228	} mq_notify;
229	struct {
230	mqd_t mqdes;
231	size_t msg_len;
232	unsigned int msg_prio;
233	struct timespec abs_timeout;
234	} mq_sendrecv;
235	struct {
236	int oflag;
237	mode_t mode;
238	struct mq_attr attr;
239	} mq_open;
240	struct {
241	pid_t pid;
242	struct audit_cap_data cap;
243	} capset;
244	};
245	int fds[2];
246
247	#if AUDIT_DEBUG
248	int put_count;
249	int ino_count;
250	#endif
251	};
252
253	#define ACC_MODE(x) ("\004\002\006\006"[(x)&O_ACCMODE])
254	static inline int open_arg(int flags, int mask)
255	{
256	int n = ACC_MODE(flags);
257	if (flags & (O_TRUNC \| O_CREAT))
258	n \|= AUDIT_PERM_WRITE;
259	return n & mask;
260	}
261
262	static int audit_match_perm(struct audit_context *ctx, int mask)
263	{
264	unsigned n;
265	if (unlikely(!ctx))
266	return 0;
267	n = ctx->major;
268
269	switch (audit_classify_syscall(ctx->arch, n)) {
270	case 0: /* native */
271	if ((mask & AUDIT_PERM_WRITE) &&
272	audit_match_class(AUDIT_CLASS_WRITE, n))
273	return 1;
274	if ((mask & AUDIT_PERM_READ) &&
275	audit_match_class(AUDIT_CLASS_READ, n))
276	return 1;
277	if ((mask & AUDIT_PERM_ATTR) &&
278	audit_match_class(AUDIT_CLASS_CHATTR, n))
279	return 1;
280	return 0;
281	case 1: /* 32bit on biarch */
282	if ((mask & AUDIT_PERM_WRITE) &&
283	audit_match_class(AUDIT_CLASS_WRITE_32, n))
284	return 1;
285	if ((mask & AUDIT_PERM_READ) &&
286	audit_match_class(AUDIT_CLASS_READ_32, n))
287	return 1;
288	if ((mask & AUDIT_PERM_ATTR) &&
289	audit_match_class(AUDIT_CLASS_CHATTR_32, n))
290	return 1;
291	return 0;
292	case 2: /* open */
293	return mask & ACC_MODE(ctx->argv[1]);
294	case 3: /* openat */
295	return mask & ACC_MODE(ctx->argv[2]);
296	case 4: /* socketcall */
297	return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND);
298	case 5: /* execve */
299	return mask & AUDIT_PERM_EXEC;
300	default:
301	return 0;
302	}
303	}
304
305	static int audit_match_filetype(struct audit_context *ctx, int which)
306	{
307	unsigned index = which & ~S_IFMT;
308	mode_t mode = which & S_IFMT;
309
310	if (unlikely(!ctx))
311	return 0;
312
313	if (index >= ctx->name_count)
314	return 0;
315	if (ctx->names[index].ino == -1)
316	return 0;
317	if ((ctx->names[index].mode ^ mode) & S_IFMT)
318	return 0;
319	return 1;
320	}
321
322	/*
323	* We keep a linked list of fixed-sized (31 pointer) arrays of audit_chunk *;
324	* ->first_trees points to its beginning, ->trees - to the current end of data.
325	* ->tree_count is the number of free entries in array pointed to by ->trees.
326	* Original condition is (NULL, NULL, 0); as soon as it grows we never revert to NULL,
327	* "empty" becomes (p, p, 31) afterwards. We don't shrink the list (and seriously,
328	* it's going to remain 1-element for almost any setup) until we free context itself.
329	* References in it _are_ dropped - at the same time we free/drop aux stuff.
330	*/
331
332	#ifdef CONFIG_AUDIT_TREE
333	static void audit_set_auditable(struct audit_context *ctx)
334	{
335	if (!ctx->prio) {
336	ctx->prio = 1;
337	ctx->current_state = AUDIT_RECORD_CONTEXT;
338	}
339	}
340
341	static int put_tree_ref(struct audit_context ctx, struct audit_chunk chunk)
342	{
343	struct audit_tree_refs *p = ctx->trees;
344	int left = ctx->tree_count;
345	if (likely(left)) {
346	p->c[--left] = chunk;
347	ctx->tree_count = left;
348	return 1;
349	}
350	if (!p)
351	return 0;
352	p = p->next;
353	if (p) {
354	p->c[30] = chunk;
355	ctx->trees = p;
356	ctx->tree_count = 30;
357	return 1;
358	}
359	return 0;
360	}
361
362	static int grow_tree_refs(struct audit_context *ctx)
363	{
364	struct audit_tree_refs *p = ctx->trees;
365	ctx->trees = kzalloc(sizeof(struct audit_tree_refs), GFP_KERNEL);
366	if (!ctx->trees) {
367	ctx->trees = p;
368	return 0;
369	}
370	if (p)
371	p->next = ctx->trees;
372	else
373	ctx->first_trees = ctx->trees;
374	ctx->tree_count = 31;
375	return 1;
376	}
377	#endif
378
379	static void unroll_tree_refs(struct audit_context *ctx,
380	struct audit_tree_refs *p, int count)
381	{
382	#ifdef CONFIG_AUDIT_TREE
383	struct audit_tree_refs *q;
384	int n;
385	if (!p) {
386	/* we started with empty chain */
387	p = ctx->first_trees;
388	count = 31;
389	/* if the very first allocation has failed, nothing to do */
390	if (!p)
391	return;
392	}
393	n = count;
394	for (q = p; q != ctx->trees; q = q->next, n = 31) {
395	while (n--) {
396	audit_put_chunk(q->c[n]);
397	q->c[n] = NULL;
398	}
399	}
400	while (n-- > ctx->tree_count) {
401	audit_put_chunk(q->c[n]);
402	q->c[n] = NULL;
403	}
404	ctx->trees = p;
405	ctx->tree_count = count;
406	#endif
407	}
408
409	static void free_tree_refs(struct audit_context *ctx)
410	{
411	struct audit_tree_refs p, q;
412	for (p = ctx->first_trees; p; p = q) {
413	q = p->next;
414	kfree(p);
415	}
416	}
417
418	static int match_tree_refs(struct audit_context ctx, struct audit_tree tree)
419	{
420	#ifdef CONFIG_AUDIT_TREE
421	struct audit_tree_refs *p;
422	int n;
423	if (!tree)
424	return 0;
425	/* full ones */
426	for (p = ctx->first_trees; p != ctx->trees; p = p->next) {
427	for (n = 0; n < 31; n++)
428	if (audit_tree_match(p->c[n], tree))
429	return 1;
430	}
431	/* partial */
432	if (p) {
433	for (n = ctx->tree_count; n < 31; n++)
434	if (audit_tree_match(p->c[n], tree))
435	return 1;
436	}
437	#endif
438	return 0;
439	}
440
441	/* Determine if any context name data matches a rule's watch data */
442	/* Compare a task_struct with an audit_rule. Return 1 on match, 0
443	* otherwise. */
444	static int audit_filter_rules(struct task_struct *tsk,
445	struct audit_krule *rule,
446	struct audit_context *ctx,
447	struct audit_names *name,
448	enum audit_state *state)
449	{
450	const struct cred *cred = get_task_cred(tsk);
451	int i, j, need_sid = 1;
452	u32 sid;
453
454	for (i = 0; i < rule->field_count; i++) {
455	struct audit_field *f = &rule->fields[i];
456	int result = 0;
457
458	switch (f->type) {
459	case AUDIT_PID:
460	result = audit_comparator(tsk->pid, f->op, f->val);
461	break;
462	case AUDIT_PPID:
463	if (ctx) {
464	if (!ctx->ppid)
465	ctx->ppid = sys_getppid();
466	result = audit_comparator(ctx->ppid, f->op, f->val);
467	}
468	break;
469	case AUDIT_UID:
470	result = audit_comparator(cred->uid, f->op, f->val);
471	break;
472	case AUDIT_EUID:
473	result = audit_comparator(cred->euid, f->op, f->val);
474	break;
475	case AUDIT_SUID:
476	result = audit_comparator(cred->suid, f->op, f->val);
477	break;
478	case AUDIT_FSUID:
479	result = audit_comparator(cred->fsuid, f->op, f->val);
480	break;
481	case AUDIT_GID:
482	result = audit_comparator(cred->gid, f->op, f->val);
483	break;
484	case AUDIT_EGID:
485	result = audit_comparator(cred->egid, f->op, f->val);
486	break;
487	case AUDIT_SGID:
488	result = audit_comparator(cred->sgid, f->op, f->val);
489	break;
490	case AUDIT_FSGID:
491	result = audit_comparator(cred->fsgid, f->op, f->val);
492	break;
493	case AUDIT_PERS:
494	result = audit_comparator(tsk->personality, f->op, f->val);
495	break;
496	case AUDIT_ARCH:
497	if (ctx)
498	result = audit_comparator(ctx->arch, f->op, f->val);
499	break;
500
501	case AUDIT_EXIT:
502	if (ctx && ctx->return_valid)
503	result = audit_comparator(ctx->return_code, f->op, f->val);
504	break;
505	case AUDIT_SUCCESS:
506	if (ctx && ctx->return_valid) {
507	if (f->val)
508	result = audit_comparator(ctx->return_valid, f->op, AUDITSC_SUCCESS);
509	else
510	result = audit_comparator(ctx->return_valid, f->op, AUDITSC_FAILURE);
511	}
512	break;
513	case AUDIT_DEVMAJOR:
514	if (name)
515	result = audit_comparator(MAJOR(name->dev),
516	f->op, f->val);
517	else if (ctx) {
518	for (j = 0; j < ctx->name_count; j++) {
519	if (audit_comparator(MAJOR(ctx->names[j].dev), f->op, f->val)) {
520	++result;
521	break;
522	}
523	}
524	}
525	break;
526	case AUDIT_DEVMINOR:
527	if (name)
528	result = audit_comparator(MINOR(name->dev),
529	f->op, f->val);
530	else if (ctx) {
531	for (j = 0; j < ctx->name_count; j++) {
532	if (audit_comparator(MINOR(ctx->names[j].dev), f->op, f->val)) {
533	++result;
534	break;
535	}
536	}
537	}
538	break;
539	case AUDIT_INODE:
540	if (name)
541	result = (name->ino == f->val);
542	else if (ctx) {
543	for (j = 0; j < ctx->name_count; j++) {
544	if (audit_comparator(ctx->names[j].ino, f->op, f->val)) {
545	++result;
546	break;
547	}
548	}
549	}
550	break;
551	case AUDIT_WATCH:
552	if (name && audit_watch_inode(rule->watch) != (unsigned long)-1)
553	result = (name->dev == audit_watch_dev(rule->watch) &&
554	name->ino == audit_watch_inode(rule->watch));
555	break;
556	case AUDIT_DIR:
557	if (ctx)
558	result = match_tree_refs(ctx, rule->tree);
559	break;
560	case AUDIT_LOGINUID:
561	result = 0;
562	if (ctx)
563	result = audit_comparator(tsk->loginuid, f->op, f->val);
564	break;
565	case AUDIT_SUBJ_USER:
566	case AUDIT_SUBJ_ROLE:
567	case AUDIT_SUBJ_TYPE:
568	case AUDIT_SUBJ_SEN:
569	case AUDIT_SUBJ_CLR:
570	/* NOTE: this may return negative values indicating
571	a temporary error. We simply treat this as a
572	match for now to avoid losing information that
573	may be wanted. An error message will also be
574	logged upon error */
575	if (f->lsm_rule) {
576	if (need_sid) {
577	security_task_getsecid(tsk, &sid);
578	need_sid = 0;
579	}
580	result = security_audit_rule_match(sid, f->type,
581	f->op,
582	f->lsm_rule,
583	ctx);
584	}
585	break;
586	case AUDIT_OBJ_USER:
587	case AUDIT_OBJ_ROLE:
588	case AUDIT_OBJ_TYPE:
589	case AUDIT_OBJ_LEV_LOW:
590	case AUDIT_OBJ_LEV_HIGH:
591	/* The above note for AUDIT_SUBJ_USER...AUDIT_SUBJ_CLR
592	also applies here */
593	if (f->lsm_rule) {
594	/* Find files that match */
595	if (name) {
596	result = security_audit_rule_match(
597	name->osid, f->type, f->op,
598	f->lsm_rule, ctx);
599	} else if (ctx) {
600	for (j = 0; j < ctx->name_count; j++) {
601	if (security_audit_rule_match(
602	ctx->names[j].osid,
603	f->type, f->op,
604	f->lsm_rule, ctx)) {
605	++result;
606	break;
607	}
608	}
609	}
610	/* Find ipc objects that match */
611	if (!ctx \|\| ctx->type != AUDIT_IPC)
612	break;
613	if (security_audit_rule_match(ctx->ipc.osid,
614	f->type, f->op,
615	f->lsm_rule, ctx))
616	++result;
617	}
618	break;
619	case AUDIT_ARG0:
620	case AUDIT_ARG1:
621	case AUDIT_ARG2:
622	case AUDIT_ARG3:
623	if (ctx)
624	result = audit_comparator(ctx->argv[f->type-AUDIT_ARG0], f->op, f->val);
625	break;
626	case AUDIT_FILTERKEY:
627	/* ignore this field for filtering */
628	result = 1;
629	break;
630	case AUDIT_PERM:
631	result = audit_match_perm(ctx, f->val);
632	break;
633	case AUDIT_FILETYPE:
634	result = audit_match_filetype(ctx, f->val);
635	break;
636	}
637
638	if (!result) {
639	put_cred(cred);
640	return 0;
641	}
642	}
643
644	if (ctx) {
645	if (rule->prio <= ctx->prio)
646	return 0;
647	if (rule->filterkey) {
648	kfree(ctx->filterkey);
649	ctx->filterkey = kstrdup(rule->filterkey, GFP_ATOMIC);
650	}
651	ctx->prio = rule->prio;
652	}
653	switch (rule->action) {
654	case AUDIT_NEVER: *state = AUDIT_DISABLED; break;
655	case AUDIT_ALWAYS: *state = AUDIT_RECORD_CONTEXT; break;
656	}
657	put_cred(cred);
658	return 1;
659	}
660
661	/* At process creation time, we can determine if system-call auditing is
662	* completely disabled for this task. Since we only have the task
663	* structure at this point, we can only check uid and gid.
664	*/
665	static enum audit_state audit_filter_task(struct task_struct tsk, char *key)
666	{
667	struct audit_entry *e;
668	enum audit_state state;
669
670	rcu_read_lock();
671	list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TASK], list) {
672	if (audit_filter_rules(tsk, &e->rule, NULL, NULL, &state)) {
673	if (state == AUDIT_RECORD_CONTEXT)
674	*key = kstrdup(e->rule.filterkey, GFP_ATOMIC);
675	rcu_read_unlock();
676	return state;
677	}
678	}
679	rcu_read_unlock();
680	return AUDIT_BUILD_CONTEXT;
681	}
682
683	/* At syscall entry and exit time, this filter is called if the
684	* audit_state is not low enough that auditing cannot take place, but is
685	* also not high enough that we already know we have to write an audit
686	* record (i.e., the state is AUDIT_SETUP_CONTEXT or AUDIT_BUILD_CONTEXT).
687	*/
688	static enum audit_state audit_filter_syscall(struct task_struct *tsk,
689	struct audit_context *ctx,
690	struct list_head *list)
691	{
692	struct audit_entry *e;
693	enum audit_state state;
694
695	if (audit_pid && tsk->tgid == audit_pid)
696	return AUDIT_DISABLED;
697
698	rcu_read_lock();
699	if (!list_empty(list)) {
700	int word = AUDIT_WORD(ctx->major);
701	int bit = AUDIT_BIT(ctx->major);
702
703	list_for_each_entry_rcu(e, list, list) {
704	if ((e->rule.mask[word] & bit) == bit &&
705	audit_filter_rules(tsk, &e->rule, ctx, NULL,
706	&state)) {
707	rcu_read_unlock();
708	ctx->current_state = state;
709	return state;
710	}
711	}
712	}
713	rcu_read_unlock();
714	return AUDIT_BUILD_CONTEXT;
715	}
716
717	/* At syscall exit time, this filter is called if any audit_names[] have been
718	* collected during syscall processing. We only check rules in sublists at hash
719	* buckets applicable to the inode numbers in audit_names[].
720	* Regarding audit_state, same rules apply as for audit_filter_syscall().
721	*/
722	void audit_filter_inodes(struct task_struct tsk, struct audit_context ctx)
723	{
724	int i;
725	struct audit_entry *e;
726	enum audit_state state;
727
728	if (audit_pid && tsk->tgid == audit_pid)
729	return;
730
731	rcu_read_lock();
732	for (i = 0; i < ctx->name_count; i++) {
733	int word = AUDIT_WORD(ctx->major);
734	int bit = AUDIT_BIT(ctx->major);
735	struct audit_names *n = &ctx->names[i];
736	int h = audit_hash_ino((u32)n->ino);
737	struct list_head *list = &audit_inode_hash[h];
738
739	if (list_empty(list))
740	continue;
741
742	list_for_each_entry_rcu(e, list, list) {
743	if ((e->rule.mask[word] & bit) == bit &&
744	audit_filter_rules(tsk, &e->rule, ctx, n, &state)) {
745	rcu_read_unlock();
746	ctx->current_state = state;
747	return;
748	}
749	}
750	}
751	rcu_read_unlock();
752	}
753
754	static inline struct audit_context audit_get_context(struct task_struct tsk,
755	int return_valid,
756	long return_code)
757	{
758	struct audit_context *context = tsk->audit_context;
759
760	if (likely(!context))
761	return NULL;
762	context->return_valid = return_valid;
763
764	/*
765	* we need to fix up the return code in the audit logs if the actual
766	* return codes are later going to be fixed up by the arch specific
767	* signal handlers
768	*
769	* This is actually a test for:
770	* (rc == ERESTARTSYS ) \|\| (rc == ERESTARTNOINTR) \|\|
771	* (rc == ERESTARTNOHAND) \|\| (rc == ERESTART_RESTARTBLOCK)
772	*
773	* but is faster than a bunch of \|\|
774	*/
775	if (unlikely(return_code <= -ERESTARTSYS) &&
776	(return_code >= -ERESTART_RESTARTBLOCK) &&
777	(return_code != -ENOIOCTLCMD))
778	context->return_code = -EINTR;
779	else
780	context->return_code = return_code;
781
782	if (context->in_syscall && !context->dummy) {
783	audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_EXIT]);
784	audit_filter_inodes(tsk, context);
785	}
786
787	tsk->audit_context = NULL;
788	return context;
789	}
790
791	static inline void audit_free_names(struct audit_context *context)
792	{
793	int i;
794
795	#if AUDIT_DEBUG == 2
796	if (context->put_count + context->ino_count != context->name_count) {
797	printk(KERN_ERR "%s:%d(:%d): major=%d in_syscall=%d"
798	" name_count=%d put_count=%d"
799	" ino_count=%d [NOT freeing]\n",
800	__FILE__, __LINE__,
801	context->serial, context->major, context->in_syscall,
802	context->name_count, context->put_count,
803	context->ino_count);
804	for (i = 0; i < context->name_count; i++) {
805	printk(KERN_ERR "names[%d] = %p = %s\n", i,
806	context->names[i].name,
807	context->names[i].name ?: "(null)");
808	}
809	dump_stack();
810	return;
811	}
812	#endif
813	#if AUDIT_DEBUG
814	context->put_count = 0;
815	context->ino_count = 0;
816	#endif
817
818	for (i = 0; i < context->name_count; i++) {
819	if (context->names[i].name && context->names[i].name_put)
820	__putname(context->names[i].name);
821	}
822	context->name_count = 0;
823	path_put(&context->pwd);
824	context->pwd.dentry = NULL;
825	context->pwd.mnt = NULL;
826	}
827
828	static inline void audit_free_aux(struct audit_context *context)
829	{
830	struct audit_aux_data *aux;
831
832	while ((aux = context->aux)) {
833	context->aux = aux->next;
834	kfree(aux);
835	}
836	while ((aux = context->aux_pids)) {
837	context->aux_pids = aux->next;
838	kfree(aux);
839	}
840	}
841
842	static inline void audit_zero_context(struct audit_context *context,
843	enum audit_state state)
844	{
845	memset(context, 0, sizeof(*context));
846	context->state = state;
847	context->prio = state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0;
848	}
849
850	static inline struct audit_context *audit_alloc_context(enum audit_state state)
851	{
852	struct audit_context *context;
853
854	if (!(context = kmalloc(sizeof(*context), GFP_KERNEL)))
855	return NULL;
856	audit_zero_context(context, state);
857	INIT_LIST_HEAD(&context->killed_trees);
858	return context;
859	}
860
861	/**
862	* audit_alloc - allocate an audit context block for a task
863	* @tsk: task
864	*
865	* Filter on the task information and allocate a per-task audit context
866	* if necessary. Doing so turns on system call auditing for the
867	* specified task. This is called from copy_process, so no lock is
868	* needed.
869	*/
870	int audit_alloc(struct task_struct *tsk)
871	{
872	struct audit_context *context;
873	enum audit_state state;
874	char *key = NULL;
875
876	if (likely(!audit_ever_enabled))
877	return 0; /* Return if not auditing. */
878
879	state = audit_filter_task(tsk, &key);
880	if (likely(state == AUDIT_DISABLED))
881	return 0;
882
883	if (!(context = audit_alloc_context(state))) {
884	kfree(key);
885	audit_log_lost("out of memory in audit_alloc");
886	return -ENOMEM;
887	}
888	context->filterkey = key;
889
890	tsk->audit_context = context;
891	set_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT);
892	return 0;
893	}
894
895	static inline void audit_free_context(struct audit_context *context)
896	{
897	struct audit_context *previous;
898	int count = 0;
899
900	do {
901	previous = context->previous;
902	if (previous \|\| (count && count < 10)) {
903	++count;
904	printk(KERN_ERR "audit(:%d): major=%d name_count=%d:"
905	" freeing multiple contexts (%d)\n",
906	context->serial, context->major,
907	context->name_count, count);
908	}
909	audit_free_names(context);
910	unroll_tree_refs(context, NULL, 0);
911	free_tree_refs(context);
912	audit_free_aux(context);
913	kfree(context->filterkey);
914	kfree(context->sockaddr);
915	kfree(context);
916	context = previous;
917	} while (context);
918	if (count >= 10)
919	printk(KERN_ERR "audit: freed %d contexts\n", count);
920	}
921
922	void audit_log_task_context(struct audit_buffer *ab)
923	{
924	char *ctx = NULL;
925	unsigned len;
926	int error;
927	u32 sid;
928
929	security_task_getsecid(current, &sid);
930	if (!sid)
931	return;
932
933	error = security_secid_to_secctx(sid, &ctx, &len);
934	if (error) {
935	if (error != -EINVAL)
936	goto error_path;
937	return;
938	}
939
940	audit_log_format(ab, " subj=%s", ctx);
941	security_release_secctx(ctx, len);
942	return;
943
944	error_path:
945	audit_panic("error in audit_log_task_context");
946	return;
947	}
948
949	EXPORT_SYMBOL(audit_log_task_context);
950
951	static void audit_log_task_info(struct audit_buffer ab, struct task_struct tsk)
952	{
953	char name[sizeof(tsk->comm)];
954	struct mm_struct *mm = tsk->mm;
955	struct vm_area_struct *vma;
956
957	/* tsk == current */
958
959	get_task_comm(name, tsk);
960	audit_log_format(ab, " comm=");
961	audit_log_untrustedstring(ab, name);
962
963	if (mm) {
964	down_read(&mm->mmap_sem);
965	vma = mm->mmap;
966	while (vma) {
967	if ((vma->vm_flags & VM_EXECUTABLE) &&
968	vma->vm_file) {
969	audit_log_d_path(ab, "exe=",
970	&vma->vm_file->f_path);
971	break;
972	}
973	vma = vma->vm_next;
974	}
975	up_read(&mm->mmap_sem);
976	}
977	audit_log_task_context(ab);
978	}
979
980	static int audit_log_pid_context(struct audit_context *context, pid_t pid,
981	uid_t auid, uid_t uid, unsigned int sessionid,
982	u32 sid, char *comm)
983	{
984	struct audit_buffer *ab;
985	char *ctx = NULL;
986	u32 len;
987	int rc = 0;
988
989	ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID);
990	if (!ab)
991	return rc;
992
993	audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid, auid,
994	uid, sessionid);
995	if (security_secid_to_secctx(sid, &ctx, &len)) {
996	audit_log_format(ab, " obj=(none)");
997	rc = 1;
998	} else {
999	audit_log_format(ab, " obj=%s", ctx);
1000	security_release_secctx(ctx, len);
1001	}
1002	audit_log_format(ab, " ocomm=");
1003	audit_log_untrustedstring(ab, comm);
1004	audit_log_end(ab);
1005
1006	return rc;
1007	}
1008
1009	/*
1010	* to_send and len_sent accounting are very loose estimates. We aren't
1011	* really worried about a hard cap to MAX_EXECVE_AUDIT_LEN so much as being
1012	* within about 500 bytes (next page boundry)
1013	*
1014	* why snprintf? an int is up to 12 digits long. if we just assumed when
1015	* logging that a[%d]= was going to be 16 characters long we would be wasting
1016	* space in every audit message. In one 7500 byte message we can log up to
1017	* about 1000 min size arguments. That comes down to about 50% waste of space
1018	* if we didn't do the snprintf to find out how long arg_num_len was.
1019	*/
1020	static int audit_log_single_execve_arg(struct audit_context *context,
1021	struct audit_buffer **ab,
1022	int arg_num,
1023	size_t *len_sent,
1024	const char __user *p,
1025	char *buf)
1026	{
1027	char arg_num_len_buf[12];
1028	const char __user *tmp_p = p;
1029	/* how many digits are in arg_num? 5 is the length of ' a=""' */
1030	size_t arg_num_len = snprintf(arg_num_len_buf, 12, "%d", arg_num) + 5;
1031	size_t len, len_left, to_send;
1032	size_t max_execve_audit_len = MAX_EXECVE_AUDIT_LEN;
1033	unsigned int i, has_cntl = 0, too_long = 0;
1034	int ret;
1035
1036	/* strnlen_user includes the null we don't want to send */
1037	len_left = len = strnlen_user(p, MAX_ARG_STRLEN) - 1;
1038
1039	/*
1040	* We just created this mm, if we can't find the strings
1041	* we just copied into it something is _very_ wrong. Similar
1042	* for strings that are too long, we should not have created
1043	* any.
1044	*/
1045	if (unlikely((len == -1) \|\| len > MAX_ARG_STRLEN - 1)) {
1046	WARN_ON(1);
1047	send_sig(SIGKILL, current, 0);
1048	return -1;
1049	}
1050
1051	/* walk the whole argument looking for non-ascii chars */
1052	do {
1053	if (len_left > MAX_EXECVE_AUDIT_LEN)
1054	to_send = MAX_EXECVE_AUDIT_LEN;
1055	else
1056	to_send = len_left;
1057	ret = copy_from_user(buf, tmp_p, to_send);
1058	/*
1059	* There is no reason for this copy to be short. We just
1060	* copied them here, and the mm hasn't been exposed to user-
1061	* space yet.
1062	*/
1063	if (ret) {
1064	WARN_ON(1);
1065	send_sig(SIGKILL, current, 0);
1066	return -1;
1067	}
1068	buf[to_send] = '\0';
1069	has_cntl = audit_string_contains_control(buf, to_send);
1070	if (has_cntl) {
1071	/*
1072	* hex messages get logged as 2 bytes, so we can only
1073	* send half as much in each message
1074	*/
1075	max_execve_audit_len = MAX_EXECVE_AUDIT_LEN / 2;
1076	break;
1077	}
1078	len_left -= to_send;
1079	tmp_p += to_send;
1080	} while (len_left > 0);
1081
1082	len_left = len;
1083
1084	if (len > max_execve_audit_len)
1085	too_long = 1;
1086
1087	/* rewalk the argument actually logging the message */
1088	for (i = 0; len_left > 0; i++) {
1089	int room_left;
1090
1091	if (len_left > max_execve_audit_len)
1092	to_send = max_execve_audit_len;
1093	else
1094	to_send = len_left;
1095
1096	/* do we have space left to send this argument in this ab? */
1097	room_left = MAX_EXECVE_AUDIT_LEN - arg_num_len - *len_sent;
1098	if (has_cntl)
1099	room_left -= (to_send * 2);
1100	else
1101	room_left -= to_send;
1102	if (room_left < 0) {
1103	*len_sent = 0;
1104	audit_log_end(*ab);
1105	*ab = audit_log_start(context, GFP_KERNEL, AUDIT_EXECVE);
1106	if (!*ab)
1107	return 0;
1108	}
1109
1110	/*
1111	* first record needs to say how long the original string was
1112	* so we can be sure nothing was lost.
1113	*/
1114	if ((i == 0) && (too_long))
1115	audit_log_format(*ab, " a%d_len=%zu", arg_num,
1116	has_cntl ? 2*len : len);
1117
1118	/*
1119	* normally arguments are small enough to fit and we already
1120	* filled buf above when we checked for control characters
1121	* so don't bother with another copy_from_user
1122	*/
1123	if (len >= max_execve_audit_len)
1124	ret = copy_from_user(buf, p, to_send);
1125	else
1126	ret = 0;
1127	if (ret) {
1128	WARN_ON(1);
1129	send_sig(SIGKILL, current, 0);
1130	return -1;
1131	}
1132	buf[to_send] = '\0';
1133
1134	/* actually log it */
1135	audit_log_format(*ab, " a%d", arg_num);
1136	if (too_long)
1137	audit_log_format(*ab, "[%d]", i);
1138	audit_log_format(*ab, "=");
1139	if (has_cntl)
1140	audit_log_n_hex(*ab, buf, to_send);
1141	else
1142	audit_log_string(*ab, buf);
1143
1144	p += to_send;
1145	len_left -= to_send;
1146	*len_sent += arg_num_len;
1147	if (has_cntl)
1148	len_sent += to_send 2;
1149	else
1150	*len_sent += to_send;
1151	}
1152	/* include the null we didn't log */
1153	return len + 1;
1154	}
1155
1156	static void audit_log_execve_info(struct audit_context *context,
1157	struct audit_buffer **ab,
1158	struct audit_aux_data_execve *axi)
1159	{
1160	int i;
1161	size_t len, len_sent = 0;
1162	const char __user *p;
1163	char *buf;
1164
1165	if (axi->mm != current->mm)
1166	return; /* execve failed, no additional info */
1167
1168	p = (const char __user *)axi->mm->arg_start;
1169
1170	audit_log_format(*ab, "argc=%d", axi->argc);
1171
1172	/*
1173	* we need some kernel buffer to hold the userspace args. Just
1174	* allocate one big one rather than allocating one of the right size
1175	* for every single argument inside audit_log_single_execve_arg()
1176	* should be <8k allocation so should be pretty safe.
1177	*/
1178	buf = kmalloc(MAX_EXECVE_AUDIT_LEN + 1, GFP_KERNEL);
1179	if (!buf) {
1180	audit_panic("out of memory for argv string\n");
1181	return;
1182	}
1183
1184	for (i = 0; i < axi->argc; i++) {
1185	len = audit_log_single_execve_arg(context, ab, i,
1186	&len_sent, p, buf);
1187	if (len <= 0)
1188	break;
1189	p += len;
1190	}
1191	kfree(buf);
1192	}
1193
1194	static void audit_log_cap(struct audit_buffer ab, char prefix, kernel_cap_t *cap)
1195	{
1196	int i;
1197
1198	audit_log_format(ab, " %s=", prefix);
1199	CAP_FOR_EACH_U32(i) {
1200	audit_log_format(ab, "%08x", cap->cap[(_KERNEL_CAPABILITY_U32S-1) - i]);
1201	}
1202	}
1203
1204	static void audit_log_fcaps(struct audit_buffer ab, struct audit_names name)
1205	{
1206	kernel_cap_t *perm = &name->fcap.permitted;
1207	kernel_cap_t *inh = &name->fcap.inheritable;
1208	int log = 0;
1209
1210	if (!cap_isclear(*perm)) {
1211	audit_log_cap(ab, "cap_fp", perm);
1212	log = 1;
1213	}
1214	if (!cap_isclear(*inh)) {
1215	audit_log_cap(ab, "cap_fi", inh);
1216	log = 1;
1217	}
1218
1219	if (log)
1220	audit_log_format(ab, " cap_fe=%d cap_fver=%x", name->fcap.fE, name->fcap_ver);
1221	}
1222
1223	static void show_special(struct audit_context context, int call_panic)
1224	{
1225	struct audit_buffer *ab;
1226	int i;
1227
1228	ab = audit_log_start(context, GFP_KERNEL, context->type);
1229	if (!ab)
1230	return;
1231
1232	switch (context->type) {
1233	case AUDIT_SOCKETCALL: {
1234	int nargs = context->socketcall.nargs;
1235	audit_log_format(ab, "nargs=%d", nargs);
1236	for (i = 0; i < nargs; i++)
1237	audit_log_format(ab, " a%d=%lx", i,
1238	context->socketcall.args[i]);
1239	break; }
1240	case AUDIT_IPC: {
1241	u32 osid = context->ipc.osid;
1242
1243	audit_log_format(ab, "ouid=%u ogid=%u mode=%#o",
1244	context->ipc.uid, context->ipc.gid, context->ipc.mode);
1245	if (osid) {
1246	char *ctx = NULL;
1247	u32 len;
1248	if (security_secid_to_secctx(osid, &ctx, &len)) {
1249	audit_log_format(ab, " osid=%u", osid);
1250	*call_panic = 1;
1251	} else {
1252	audit_log_format(ab, " obj=%s", ctx);
1253	security_release_secctx(ctx, len);
1254	}
1255	}
1256	if (context->ipc.has_perm) {
1257	audit_log_end(ab);
1258	ab = audit_log_start(context, GFP_KERNEL,
1259	AUDIT_IPC_SET_PERM);
1260	audit_log_format(ab,
1261	"qbytes=%lx ouid=%u ogid=%u mode=%#o",
1262	context->ipc.qbytes,
1263	context->ipc.perm_uid,
1264	context->ipc.perm_gid,
1265	context->ipc.perm_mode);
1266	if (!ab)
1267	return;
1268	}
1269	break; }
1270	case AUDIT_MQ_OPEN: {
1271	audit_log_format(ab,
1272	"oflag=0x%x mode=%#o mq_flags=0x%lx mq_maxmsg=%ld "
1273	"mq_msgsize=%ld mq_curmsgs=%ld",
1274	context->mq_open.oflag, context->mq_open.mode,
1275	context->mq_open.attr.mq_flags,
1276	context->mq_open.attr.mq_maxmsg,
1277	context->mq_open.attr.mq_msgsize,
1278	context->mq_open.attr.mq_curmsgs);
1279	break; }
1280	case AUDIT_MQ_SENDRECV: {
1281	audit_log_format(ab,
1282	"mqdes=%d msg_len=%zd msg_prio=%u "
1283	"abs_timeout_sec=%ld abs_timeout_nsec=%ld",
1284	context->mq_sendrecv.mqdes,
1285	context->mq_sendrecv.msg_len,
1286	context->mq_sendrecv.msg_prio,
1287	context->mq_sendrecv.abs_timeout.tv_sec,
1288	context->mq_sendrecv.abs_timeout.tv_nsec);
1289	break; }
1290	case AUDIT_MQ_NOTIFY: {
1291	audit_log_format(ab, "mqdes=%d sigev_signo=%d",
1292	context->mq_notify.mqdes,
1293	context->mq_notify.sigev_signo);
1294	break; }
1295	case AUDIT_MQ_GETSETATTR: {
1296	struct mq_attr *attr = &context->mq_getsetattr.mqstat;
1297	audit_log_format(ab,
1298	"mqdes=%d mq_flags=0x%lx mq_maxmsg=%ld mq_msgsize=%ld "
1299	"mq_curmsgs=%ld ",
1300	context->mq_getsetattr.mqdes,
1301	attr->mq_flags, attr->mq_maxmsg,
1302	attr->mq_msgsize, attr->mq_curmsgs);
1303	break; }
1304	case AUDIT_CAPSET: {
1305	audit_log_format(ab, "pid=%d", context->capset.pid);
1306	audit_log_cap(ab, "cap_pi", &context->capset.cap.inheritable);
1307	audit_log_cap(ab, "cap_pp", &context->capset.cap.permitted);
1308	audit_log_cap(ab, "cap_pe", &context->capset.cap.effective);
1309	break; }
1310	}
1311	audit_log_end(ab);
1312	}
1313
1314	static void audit_log_exit(struct audit_context context, struct task_struct tsk)
1315	{
1316	const struct cred *cred;
1317	int i, call_panic = 0;
1318	struct audit_buffer *ab;
1319	struct audit_aux_data *aux;
1320	const char *tty;
1321
1322	/* tsk == current */
1323	context->pid = tsk->pid;
1324	if (!context->ppid)
1325	context->ppid = sys_getppid();
1326	cred = current_cred();
1327	context->uid = cred->uid;
1328	context->gid = cred->gid;
1329	context->euid = cred->euid;
1330	context->suid = cred->suid;
1331	context->fsuid = cred->fsuid;
1332	context->egid = cred->egid;
1333	context->sgid = cred->sgid;
1334	context->fsgid = cred->fsgid;
1335	context->personality = tsk->personality;
1336
1337	ab = audit_log_start(context, GFP_KERNEL, AUDIT_SYSCALL);
1338	if (!ab)
1339	return; /* audit_panic has been called */
1340	audit_log_format(ab, "arch=%x syscall=%d",
1341	context->arch, context->major);
1342	if (context->personality != PER_LINUX)
1343	audit_log_format(ab, " per=%lx", context->personality);
1344	if (context->return_valid)
1345	audit_log_format(ab, " success=%s exit=%ld",
1346	(context->return_valid==AUDITSC_SUCCESS)?"yes":"no",
1347	context->return_code);
1348
1349	spin_lock_irq(&tsk->sighand->siglock);
1350	if (tsk->signal && tsk->signal->tty && tsk->signal->tty->name)
1351	tty = tsk->signal->tty->name;
1352	else
1353	tty = "(none)";
1354	spin_unlock_irq(&tsk->sighand->siglock);
1355
1356	audit_log_format(ab,
1357	" a0=%lx a1=%lx a2=%lx a3=%lx items=%d"
1358	" ppid=%d pid=%d auid=%u uid=%u gid=%u"
1359	" euid=%u suid=%u fsuid=%u"
1360	" egid=%u sgid=%u fsgid=%u tty=%s ses=%u",
1361	context->argv[0],
1362	context->argv[1],
1363	context->argv[2],
1364	context->argv[3],
1365	context->name_count,
1366	context->ppid,
1367	context->pid,
1368	tsk->loginuid,
1369	context->uid,
1370	context->gid,
1371	context->euid, context->suid, context->fsuid,
1372	context->egid, context->sgid, context->fsgid, tty,
1373	tsk->sessionid);
1374
1375
1376	audit_log_task_info(ab, tsk);
1377	audit_log_key(ab, context->filterkey);
1378	audit_log_end(ab);
1379
1380	for (aux = context->aux; aux; aux = aux->next) {
1381
1382	ab = audit_log_start(context, GFP_KERNEL, aux->type);
1383	if (!ab)
1384	continue; /* audit_panic has been called */
1385
1386	switch (aux->type) {
1387
1388	case AUDIT_EXECVE: {
1389	struct audit_aux_data_execve axi = (void )aux;
1390	audit_log_execve_info(context, &ab, axi);
1391	break; }
1392
1393	case AUDIT_BPRM_FCAPS: {
1394	struct audit_aux_data_bprm_fcaps axs = (void )aux;
1395	audit_log_format(ab, "fver=%x", axs->fcap_ver);
1396	audit_log_cap(ab, "fp", &axs->fcap.permitted);
1397	audit_log_cap(ab, "fi", &axs->fcap.inheritable);
1398	audit_log_format(ab, " fe=%d", axs->fcap.fE);
1399	audit_log_cap(ab, "old_pp", &axs->old_pcap.permitted);
1400	audit_log_cap(ab, "old_pi", &axs->old_pcap.inheritable);
1401	audit_log_cap(ab, "old_pe", &axs->old_pcap.effective);
1402	audit_log_cap(ab, "new_pp", &axs->new_pcap.permitted);
1403	audit_log_cap(ab, "new_pi", &axs->new_pcap.inheritable);
1404	audit_log_cap(ab, "new_pe", &axs->new_pcap.effective);
1405	break; }
1406
1407	}
1408	audit_log_end(ab);
1409	}
1410
1411	if (context->type)
1412	show_special(context, &call_panic);
1413
1414	if (context->fds[0] >= 0) {
1415	ab = audit_log_start(context, GFP_KERNEL, AUDIT_FD_PAIR);
1416	if (ab) {
1417	audit_log_format(ab, "fd0=%d fd1=%d",
1418	context->fds[0], context->fds[1]);
1419	audit_log_end(ab);
1420	}
1421	}
1422
1423	if (context->sockaddr_len) {
1424	ab = audit_log_start(context, GFP_KERNEL, AUDIT_SOCKADDR);
1425	if (ab) {
1426	audit_log_format(ab, "saddr=");
1427	audit_log_n_hex(ab, (void *)context->sockaddr,
1428	context->sockaddr_len);
1429	audit_log_end(ab);
1430	}
1431	}
1432
1433	for (aux = context->aux_pids; aux; aux = aux->next) {
1434	struct audit_aux_data_pids axs = (void )aux;
1435
1436	for (i = 0; i < axs->pid_count; i++)
1437	if (audit_log_pid_context(context, axs->target_pid[i],
1438	axs->target_auid[i],
1439	axs->target_uid[i],
1440	axs->target_sessionid[i],
1441	axs->target_sid[i],
1442	axs->target_comm[i]))
1443	call_panic = 1;
1444	}
1445
1446	if (context->target_pid &&
1447	audit_log_pid_context(context, context->target_pid,
1448	context->target_auid, context->target_uid,
1449	context->target_sessionid,
1450	context->target_sid, context->target_comm))
1451	call_panic = 1;
1452
1453	if (context->pwd.dentry && context->pwd.mnt) {
1454	ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD);
1455	if (ab) {
1456	audit_log_d_path(ab, "cwd=", &context->pwd);
1457	audit_log_end(ab);
1458	}
1459	}
1460	for (i = 0; i < context->name_count; i++) {
1461	struct audit_names *n = &context->names[i];
1462
1463	ab = audit_log_start(context, GFP_KERNEL, AUDIT_PATH);
1464	if (!ab)
1465	continue; /* audit_panic has been called */
1466
1467	audit_log_format(ab, "item=%d", i);
1468
1469	if (n->name) {
1470	switch(n->name_len) {
1471	case AUDIT_NAME_FULL:
1472	/* log the full path */
1473	audit_log_format(ab, " name=");
1474	audit_log_untrustedstring(ab, n->name);
1475	break;
1476	case 0:
1477	/* name was specified as a relative path and the
1478	* directory component is the cwd */
1479	audit_log_d_path(ab, "name=", &context->pwd);
1480	break;
1481	default:
1482	/* log the name's directory component */
1483	audit_log_format(ab, " name=");
1484	audit_log_n_untrustedstring(ab, n->name,
1485	n->name_len);
1486	}
1487	} else
1488	audit_log_format(ab, " name=(null)");
1489
1490	if (n->ino != (unsigned long)-1) {
1491	audit_log_format(ab, " inode=%lu"
1492	" dev=%02x:%02x mode=%#o"
1493	" ouid=%u ogid=%u rdev=%02x:%02x",
1494	n->ino,
1495	MAJOR(n->dev),
1496	MINOR(n->dev),
1497	n->mode,
1498	n->uid,
1499	n->gid,
1500	MAJOR(n->rdev),
1501	MINOR(n->rdev));
1502	}
1503	if (n->osid != 0) {
1504	char *ctx = NULL;
1505	u32 len;
1506	if (security_secid_to_secctx(
1507	n->osid, &ctx, &len)) {
1508	audit_log_format(ab, " osid=%u", n->osid);
1509	call_panic = 2;
1510	} else {
1511	audit_log_format(ab, " obj=%s", ctx);
1512	security_release_secctx(ctx, len);
1513	}
1514	}
1515
1516	audit_log_fcaps(ab, n);
1517
1518	audit_log_end(ab);
1519	}
1520
1521	/* Send end of event record to help user space know we are finished */
1522	ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE);
1523	if (ab)
1524	audit_log_end(ab);
1525	if (call_panic)
1526	audit_panic("error converting sid to string");
1527	}
1528
1529	/**
1530	* audit_free - free a per-task audit context
1531	* @tsk: task whose audit context block to free
1532	*
1533	* Called from copy_process and do_exit
1534	*/
1535	void audit_free(struct task_struct *tsk)
1536	{
1537	struct audit_context *context;
1538
1539	context = audit_get_context(tsk, 0, 0);
1540	if (likely(!context))
1541	return;
1542
1543	/* Check for system calls that do not go through the exit
1544	* function (e.g., exit_group), then free context block.
1545	* We use GFP_ATOMIC here because we might be doing this
1546	* in the context of the idle thread */
1547	/* that can happen only if we are called from do_exit() */
1548	if (context->in_syscall && context->current_state == AUDIT_RECORD_CONTEXT)
1549	audit_log_exit(context, tsk);
1550	if (!list_empty(&context->killed_trees))
1551	audit_kill_trees(&context->killed_trees);
1552
1553	audit_free_context(context);
1554	}
1555
1556	/**
1557	* audit_syscall_entry - fill in an audit record at syscall entry
1558	* @arch: architecture type
1559	* @major: major syscall type (function)
1560	* @a1: additional syscall register 1
1561	* @a2: additional syscall register 2
1562	* @a3: additional syscall register 3
1563	* @a4: additional syscall register 4
1564	*
1565	* Fill in audit context at syscall entry. This only happens if the
1566	* audit context was created when the task was created and the state or
1567	* filters demand the audit context be built. If the state from the
1568	* per-task filter or from the per-syscall filter is AUDIT_RECORD_CONTEXT,
1569	* then the record will be written at syscall exit time (otherwise, it
1570	* will only be written if another part of the kernel requests that it
1571	* be written).
1572	*/
1573	void audit_syscall_entry(int arch, int major,
1574	unsigned long a1, unsigned long a2,
1575	unsigned long a3, unsigned long a4)
1576	{
1577	struct task_struct *tsk = current;
1578	struct audit_context *context = tsk->audit_context;
1579	enum audit_state state;
1580
1581	if (unlikely(!context))
1582	return;
1583
1584	/*
1585	* This happens only on certain architectures that make system
1586	* calls in kernel_thread via the entry.S interface, instead of
1587	* with direct calls. (If you are porting to a new
1588	* architecture, hitting this condition can indicate that you
1589	* got the _exit/_leave calls backward in entry.S.)
1590	*
1591	* i386 no
1592	* x86_64 no
1593	* ppc64 yes (see arch/powerpc/platforms/iseries/misc.S)
1594	*
1595	* This also happens with vm86 emulation in a non-nested manner
1596	* (entries without exits), so this case must be caught.
1597	*/
1598	if (context->in_syscall) {
1599	struct audit_context *newctx;
1600
1601	#if AUDIT_DEBUG
1602	printk(KERN_ERR
1603	"audit(:%d) pid=%d in syscall=%d;"
1604	" entering syscall=%d\n",
1605	context->serial, tsk->pid, context->major, major);
1606	#endif
1607	newctx = audit_alloc_context(context->state);
1608	if (newctx) {
1609	newctx->previous = context;
1610	context = newctx;
1611	tsk->audit_context = newctx;
1612	} else {
1613	/* If we can't alloc a new context, the best we
1614	* can do is to leak memory (any pending putname
1615	* will be lost). The only other alternative is
1616	* to abandon auditing. */
1617	audit_zero_context(context, context->state);
1618	}
1619	}
1620	BUG_ON(context->in_syscall \|\| context->name_count);
1621
1622	if (!audit_enabled)
1623	return;
1624
1625	context->arch = arch;
1626	context->major = major;
1627	context->argv[0] = a1;
1628	context->argv[1] = a2;
1629	context->argv[2] = a3;
1630	context->argv[3] = a4;
1631
1632	state = context->state;
1633	context->dummy = !audit_n_rules;
1634	if (!context->dummy && state == AUDIT_BUILD_CONTEXT) {
1635	context->prio = 0;
1636	state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_ENTRY]);
1637	}
1638	if (likely(state == AUDIT_DISABLED))
1639	return;
1640
1641	context->serial = 0;
1642	context->ctime = CURRENT_TIME;
1643	context->in_syscall = 1;
1644	context->current_state = state;
1645	context->ppid = 0;
1646	}
1647
1648	void audit_finish_fork(struct task_struct *child)
1649	{
1650	struct audit_context *ctx = current->audit_context;
1651	struct audit_context *p = child->audit_context;
1652	if (!p \|\| !ctx)
1653	return;
1654	if (!ctx->in_syscall \|\| ctx->current_state != AUDIT_RECORD_CONTEXT)
1655	return;
1656	p->arch = ctx->arch;
1657	p->major = ctx->major;
1658	memcpy(p->argv, ctx->argv, sizeof(ctx->argv));
1659	p->ctime = ctx->ctime;
1660	p->dummy = ctx->dummy;
1661	p->in_syscall = ctx->in_syscall;
1662	p->filterkey = kstrdup(ctx->filterkey, GFP_KERNEL);
1663	p->ppid = current->pid;
1664	p->prio = ctx->prio;
1665	p->current_state = ctx->current_state;
1666	}
1667
1668	/**
1669	* audit_syscall_exit - deallocate audit context after a system call
1670	* @valid: success/failure flag
1671	* @return_code: syscall return value
1672	*
1673	* Tear down after system call. If the audit context has been marked as
1674	* auditable (either because of the AUDIT_RECORD_CONTEXT state from
1675	* filtering, or because some other part of the kernel write an audit
1676	* message), then write out the syscall information. In call cases,
1677	* free the names stored from getname().
1678	*/
1679	void audit_syscall_exit(int valid, long return_code)
1680	{
1681	struct task_struct *tsk = current;
1682	struct audit_context *context;
1683
1684	context = audit_get_context(tsk, valid, return_code);
1685
1686	if (likely(!context))
1687	return;
1688
1689	if (context->in_syscall && context->current_state == AUDIT_RECORD_CONTEXT)
1690	audit_log_exit(context, tsk);
1691
1692	context->in_syscall = 0;
1693	context->prio = context->state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0;
1694
1695	if (!list_empty(&context->killed_trees))
1696	audit_kill_trees(&context->killed_trees);
1697
1698	if (context->previous) {
1699	struct audit_context *new_context = context->previous;
1700	context->previous = NULL;
1701	audit_free_context(context);
1702	tsk->audit_context = new_context;
1703	} else {
1704	audit_free_names(context);
1705	unroll_tree_refs(context, NULL, 0);
1706	audit_free_aux(context);
1707	context->aux = NULL;
1708	context->aux_pids = NULL;
1709	context->target_pid = 0;
1710	context->target_sid = 0;
1711	context->sockaddr_len = 0;
1712	context->type = 0;
1713	context->fds[0] = -1;
1714	if (context->state != AUDIT_RECORD_CONTEXT) {
1715	kfree(context->filterkey);
1716	context->filterkey = NULL;
1717	}
1718	tsk->audit_context = context;
1719	}
1720	}
1721
1722	static inline void handle_one(const struct inode *inode)
1723	{
1724	#ifdef CONFIG_AUDIT_TREE
1725	struct audit_context *context;
1726	struct audit_tree_refs *p;
1727	struct audit_chunk *chunk;
1728	int count;
1729	if (likely(list_empty(&inode->inotify_watches)))
1730	return;
1731	context = current->audit_context;
1732	p = context->trees;
1733	count = context->tree_count;
1734	rcu_read_lock();
1735	chunk = audit_tree_lookup(inode);
1736	rcu_read_unlock();
1737	if (!chunk)
1738	return;
1739	if (likely(put_tree_ref(context, chunk)))
1740	return;
1741	if (unlikely(!grow_tree_refs(context))) {
1742	printk(KERN_WARNING "out of memory, audit has lost a tree reference\n");
1743	audit_set_auditable(context);
1744	audit_put_chunk(chunk);
1745	unroll_tree_refs(context, p, count);
1746	return;
1747	}
1748	put_tree_ref(context, chunk);
1749	#endif
1750	}
1751
1752	static void handle_path(const struct dentry *dentry)
1753	{
1754	#ifdef CONFIG_AUDIT_TREE
1755	struct audit_context *context;
1756	struct audit_tree_refs *p;
1757	const struct dentry d, parent;
1758	struct audit_chunk *drop;
1759	unsigned long seq;
1760	int count;
1761
1762	context = current->audit_context;
1763	p = context->trees;
1764	count = context->tree_count;
1765	retry:
1766	drop = NULL;
1767	d = dentry;
1768	rcu_read_lock();
1769	seq = read_seqbegin(&rename_lock);
1770	for(;;) {
1771	struct inode *inode = d->d_inode;
1772	if (inode && unlikely(!list_empty(&inode->inotify_watches))) {
1773	struct audit_chunk *chunk;
1774	chunk = audit_tree_lookup(inode);
1775	if (chunk) {
1776	if (unlikely(!put_tree_ref(context, chunk))) {
1777	drop = chunk;
1778	break;
1779	}
1780	}
1781	}
1782	parent = d->d_parent;
1783	if (parent == d)
1784	break;
1785	d = parent;
1786	}
1787	if (unlikely(read_seqretry(&rename_lock, seq) \|\| drop)) { /* in this order */
1788	rcu_read_unlock();
1789	if (!drop) {
1790	/* just a race with rename */
1791	unroll_tree_refs(context, p, count);
1792	goto retry;
1793	}
1794	audit_put_chunk(drop);
1795	if (grow_tree_refs(context)) {
1796	/* OK, got more space */
1797	unroll_tree_refs(context, p, count);
1798	goto retry;
1799	}
1800	/* too bad */
1801	printk(KERN_WARNING
1802	"out of memory, audit has lost a tree reference\n");
1803	unroll_tree_refs(context, p, count);
1804	audit_set_auditable(context);
1805	return;
1806	}
1807	rcu_read_unlock();
1808	#endif
1809	}
1810
1811	/**
1812	* audit_getname - add a name to the list
1813	* @name: name to add
1814	*
1815	* Add a name to the list of audit names for this context.
1816	* Called from fs/namei.c:getname().
1817	*/
1818	void __audit_getname(const char *name)
1819	{
1820	struct audit_context *context = current->audit_context;
1821
1822	if (IS_ERR(name) \|\| !name)
1823	return;
1824
1825	if (!context->in_syscall) {
1826	#if AUDIT_DEBUG == 2
1827	printk(KERN_ERR "%s:%d(:%d): ignoring getname(%p)\n",
1828	__FILE__, __LINE__, context->serial, name);
1829	dump_stack();
1830	#endif
1831	return;
1832	}
1833	BUG_ON(context->name_count >= AUDIT_NAMES);
1834	context->names[context->name_count].name = name;
1835	context->names[context->name_count].name_len = AUDIT_NAME_FULL;
1836	context->names[context->name_count].name_put = 1;
1837	context->names[context->name_count].ino = (unsigned long)-1;
1838	context->names[context->name_count].osid = 0;
1839	++context->name_count;
1840	if (!context->pwd.dentry) {
1841	read_lock(&current->fs->lock);
1842	context->pwd = current->fs->pwd;
1843	path_get(&current->fs->pwd);
1844	read_unlock(&current->fs->lock);
1845	}
1846
1847	}
1848
1849	/* audit_putname - intercept a putname request
1850	* @name: name to intercept and delay for putname
1851	*
1852	* If we have stored the name from getname in the audit context,
1853	* then we delay the putname until syscall exit.
1854	* Called from include/linux/fs.h:putname().
1855	*/
1856	void audit_putname(const char *name)
1857	{
1858	struct audit_context *context = current->audit_context;
1859
1860	BUG_ON(!context);
1861	if (!context->in_syscall) {
1862	#if AUDIT_DEBUG == 2
1863	printk(KERN_ERR "%s:%d(:%d): __putname(%p)\n",
1864	__FILE__, __LINE__, context->serial, name);
1865	if (context->name_count) {
1866	int i;
1867	for (i = 0; i < context->name_count; i++)
1868	printk(KERN_ERR "name[%d] = %p = %s\n", i,
1869	context->names[i].name,
1870	context->names[i].name ?: "(null)");
1871	}
1872	#endif
1873	__putname(name);
1874	}
1875	#if AUDIT_DEBUG
1876	else {
1877	++context->put_count;
1878	if (context->put_count > context->name_count) {
1879	printk(KERN_ERR "%s:%d(:%d): major=%d"
1880	" in_syscall=%d putname(%p) name_count=%d"
1881	" put_count=%d\n",
1882	__FILE__, __LINE__,
1883	context->serial, context->major,
1884	context->in_syscall, name, context->name_count,
1885	context->put_count);
1886	dump_stack();
1887	}
1888	}
1889	#endif
1890	}
1891
1892	static int audit_inc_name_count(struct audit_context *context,
1893	const struct inode *inode)
1894	{
1895	if (context->name_count >= AUDIT_NAMES) {
1896	if (inode)
1897	printk(KERN_DEBUG "name_count maxed, losing inode data: "
1898	"dev=%02x:%02x, inode=%lu\n",
1899	MAJOR(inode->i_sb->s_dev),
1900	MINOR(inode->i_sb->s_dev),
1901	inode->i_ino);
1902
1903	else
1904	printk(KERN_DEBUG "name_count maxed, losing inode data\n");
1905	return 1;
1906	}
1907	context->name_count++;
1908	#if AUDIT_DEBUG
1909	context->ino_count++;
1910	#endif
1911	return 0;
1912	}
1913
1914
1915	static inline int audit_copy_fcaps(struct audit_names name, const struct dentry dentry)
1916	{
1917	struct cpu_vfs_cap_data caps;
1918	int rc;
1919
1920	memset(&name->fcap.permitted, 0, sizeof(kernel_cap_t));
1921	memset(&name->fcap.inheritable, 0, sizeof(kernel_cap_t));
1922	name->fcap.fE = 0;
1923	name->fcap_ver = 0;
1924
1925	if (!dentry)
1926	return 0;
1927
1928	rc = get_vfs_caps_from_disk(dentry, &caps);
1929	if (rc)
1930	return rc;
1931
1932	name->fcap.permitted = caps.permitted;
1933	name->fcap.inheritable = caps.inheritable;
1934	name->fcap.fE = !!(caps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE);
1935	name->fcap_ver = (caps.magic_etc & VFS_CAP_REVISION_MASK) >> VFS_CAP_REVISION_SHIFT;
1936
1937	return 0;
1938	}
1939
1940
1941	/* Copy inode data into an audit_names. */
1942	static void audit_copy_inode(struct audit_names name, const struct dentry dentry,
1943	const struct inode *inode)
1944	{
1945	name->ino = inode->i_ino;
1946	name->dev = inode->i_sb->s_dev;
1947	name->mode = inode->i_mode;
1948	name->uid = inode->i_uid;
1949	name->gid = inode->i_gid;
1950	name->rdev = inode->i_rdev;
1951	security_inode_getsecid(inode, &name->osid);
1952	audit_copy_fcaps(name, dentry);
1953	}
1954
1955	/**
1956	* audit_inode - store the inode and device from a lookup
1957	* @name: name being audited
1958	* @dentry: dentry being audited
1959	*
1960	* Called from fs/namei.c:path_lookup().
1961	*/
1962	void __audit_inode(const char name, const struct dentry dentry)
1963	{
1964	int idx;
1965	struct audit_context *context = current->audit_context;
1966	const struct inode *inode = dentry->d_inode;
1967
1968	if (!context->in_syscall)
1969	return;
1970	if (context->name_count
1971	&& context->names[context->name_count-1].name
1972	&& context->names[context->name_count-1].name == name)
1973	idx = context->name_count - 1;
1974	else if (context->name_count > 1
1975	&& context->names[context->name_count-2].name
1976	&& context->names[context->name_count-2].name == name)
1977	idx = context->name_count - 2;
1978	else {
1979	/* FIXME: how much do we care about inodes that have no
1980	* associated name? */
1981	if (audit_inc_name_count(context, inode))
1982	return;
1983	idx = context->name_count - 1;
1984	context->names[idx].name = NULL;
1985	}
1986	handle_path(dentry);
1987	audit_copy_inode(&context->names[idx], dentry, inode);
1988	}
1989
1990	/**
1991	* audit_inode_child - collect inode info for created/removed objects
1992	* @dname: inode's dentry name
1993	* @dentry: dentry being audited
1994	* @parent: inode of dentry parent
1995	*
1996	* For syscalls that create or remove filesystem objects, audit_inode
1997	* can only collect information for the filesystem object's parent.
1998	* This call updates the audit context with the child's information.
1999	* Syscalls that create a new filesystem object must be hooked after
2000	* the object is created. Syscalls that remove a filesystem object
2001	* must be hooked prior, in order to capture the target inode during
2002	* unsuccessful attempts.
2003	*/
2004	void __audit_inode_child(const char dname, const struct dentry dentry,
2005	const struct inode *parent)
2006	{
2007	int idx;
2008	struct audit_context *context = current->audit_context;
2009	const char found_parent = NULL, found_child = NULL;
2010	const struct inode *inode = dentry->d_inode;
2011	int dirlen = 0;
2012
2013	if (!context->in_syscall)
2014	return;
2015
2016	if (inode)
2017	handle_one(inode);
2018	/* determine matching parent */
2019	if (!dname)
2020	goto add_names;
2021
2022	/* parent is more likely, look for it first */
2023	for (idx = 0; idx < context->name_count; idx++) {
2024	struct audit_names *n = &context->names[idx];
2025
2026	if (!n->name)
2027	continue;
2028
2029	if (n->ino == parent->i_ino &&
2030	!audit_compare_dname_path(dname, n->name, &dirlen)) {
2031	n->name_len = dirlen; /* update parent data in place */
2032	found_parent = n->name;
2033	goto add_names;
2034	}
2035	}
2036
2037	/* no matching parent, look for matching child */
2038	for (idx = 0; idx < context->name_count; idx++) {
2039	struct audit_names *n = &context->names[idx];
2040
2041	if (!n->name)
2042	continue;
2043
2044	/* strcmp() is the more likely scenario */
2045	if (!strcmp(dname, n->name) \|\|
2046	!audit_compare_dname_path(dname, n->name, &dirlen)) {
2047	if (inode)
2048	audit_copy_inode(n, NULL, inode);
2049	else
2050	n->ino = (unsigned long)-1;
2051	found_child = n->name;
2052	goto add_names;
2053	}
2054	}
2055
2056	add_names:
2057	if (!found_parent) {
2058	if (audit_inc_name_count(context, parent))
2059	return;
2060	idx = context->name_count - 1;
2061	context->names[idx].name = NULL;
2062	audit_copy_inode(&context->names[idx], NULL, parent);
2063	}
2064
2065	if (!found_child) {
2066	if (audit_inc_name_count(context, inode))
2067	return;
2068	idx = context->name_count - 1;
2069
2070	/* Re-use the name belonging to the slot for a matching parent
2071	* directory. All names for this context are relinquished in
2072	* audit_free_names() */
2073	if (found_parent) {
2074	context->names[idx].name = found_parent;
2075	context->names[idx].name_len = AUDIT_NAME_FULL;
2076	/* don't call __putname() */
2077	context->names[idx].name_put = 0;
2078	} else {
2079	context->names[idx].name = NULL;
2080	}
2081
2082	if (inode)
2083	audit_copy_inode(&context->names[idx], NULL, inode);
2084	else
2085	context->names[idx].ino = (unsigned long)-1;
2086	}
2087	}
2088	EXPORT_SYMBOL_GPL(__audit_inode_child);
2089
2090	/**
2091	* auditsc_get_stamp - get local copies of audit_context values
2092	* @ctx: audit_context for the task
2093	* @t: timespec to store time recorded in the audit_context
2094	* @serial: serial value that is recorded in the audit_context
2095	*
2096	* Also sets the context as auditable.
2097	*/
2098	int auditsc_get_stamp(struct audit_context *ctx,
2099	struct timespec t, unsigned int serial)
2100	{
2101	if (!ctx->in_syscall)
2102	return 0;
2103	if (!ctx->serial)
2104	ctx->serial = audit_serial();
2105	t->tv_sec = ctx->ctime.tv_sec;
2106	t->tv_nsec = ctx->ctime.tv_nsec;
2107	*serial = ctx->serial;
2108	if (!ctx->prio) {
2109	ctx->prio = 1;
2110	ctx->current_state = AUDIT_RECORD_CONTEXT;
2111	}
2112	return 1;
2113	}
2114
2115	/* global counter which is incremented every time something logs in */
2116	static atomic_t session_id = ATOMIC_INIT(0);
2117
2118	/**
2119	* audit_set_loginuid - set a task's audit_context loginuid
2120	* @task: task whose audit context is being modified
2121	* @loginuid: loginuid value
2122	*
2123	* Returns 0.
2124	*
2125	* Called (set) from fs/proc/base.c::proc_loginuid_write().
2126	*/
2127	int audit_set_loginuid(struct task_struct *task, uid_t loginuid)
2128	{
2129	unsigned int sessionid = atomic_inc_return(&session_id);
2130	struct audit_context *context = task->audit_context;
2131
2132	if (context && context->in_syscall) {
2133	struct audit_buffer *ab;
2134
2135	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN);
2136	if (ab) {
2137	audit_log_format(ab, "login pid=%d uid=%u "
2138	"old auid=%u new auid=%u"
2139	" old ses=%u new ses=%u",
2140	task->pid, task_uid(task),
2141	task->loginuid, loginuid,
2142	task->sessionid, sessionid);
2143	audit_log_end(ab);
2144	}
2145	}
2146	task->sessionid = sessionid;
2147	task->loginuid = loginuid;
2148	return 0;
2149	}
2150
2151	/**
2152	* __audit_mq_open - record audit data for a POSIX MQ open
2153	* @oflag: open flag
2154	* @mode: mode bits
2155	* @attr: queue attributes
2156	*
2157	*/
2158	void __audit_mq_open(int oflag, mode_t mode, struct mq_attr *attr)
2159	{
2160	struct audit_context *context = current->audit_context;
2161
2162	if (attr)
2163	memcpy(&context->mq_open.attr, attr, sizeof(struct mq_attr));
2164	else
2165	memset(&context->mq_open.attr, 0, sizeof(struct mq_attr));
2166
2167	context->mq_open.oflag = oflag;
2168	context->mq_open.mode = mode;
2169
2170	context->type = AUDIT_MQ_OPEN;
2171	}
2172
2173	/**
2174	* __audit_mq_sendrecv - record audit data for a POSIX MQ timed send/receive
2175	* @mqdes: MQ descriptor
2176	* @msg_len: Message length
2177	* @msg_prio: Message priority
2178	* @abs_timeout: Message timeout in absolute time
2179	*
2180	*/
2181	void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio,
2182	const struct timespec *abs_timeout)
2183	{
2184	struct audit_context *context = current->audit_context;
2185	struct timespec *p = &context->mq_sendrecv.abs_timeout;
2186
2187	if (abs_timeout)
2188	memcpy(p, abs_timeout, sizeof(struct timespec));
2189	else
2190	memset(p, 0, sizeof(struct timespec));
2191
2192	context->mq_sendrecv.mqdes = mqdes;
2193	context->mq_sendrecv.msg_len = msg_len;
2194	context->mq_sendrecv.msg_prio = msg_prio;
2195
2196	context->type = AUDIT_MQ_SENDRECV;
2197	}
2198
2199	/**
2200	* __audit_mq_notify - record audit data for a POSIX MQ notify
2201	* @mqdes: MQ descriptor
2202	* @notification: Notification event
2203	*
2204	*/
2205
2206	void __audit_mq_notify(mqd_t mqdes, const struct sigevent *notification)
2207	{
2208	struct audit_context *context = current->audit_context;
2209
2210	if (notification)
2211	context->mq_notify.sigev_signo = notification->sigev_signo;
2212	else
2213	context->mq_notify.sigev_signo = 0;
2214
2215	context->mq_notify.mqdes = mqdes;
2216	context->type = AUDIT_MQ_NOTIFY;
2217	}
2218
2219	/**
2220	* __audit_mq_getsetattr - record audit data for a POSIX MQ get/set attribute
2221	* @mqdes: MQ descriptor
2222	* @mqstat: MQ flags
2223	*
2224	*/
2225	void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat)
2226	{
2227	struct audit_context *context = current->audit_context;
2228	context->mq_getsetattr.mqdes = mqdes;
2229	context->mq_getsetattr.mqstat = *mqstat;
2230	context->type = AUDIT_MQ_GETSETATTR;
2231	}
2232
2233	/**
2234	* audit_ipc_obj - record audit data for ipc object
2235	* @ipcp: ipc permissions
2236	*
2237	*/
2238	void __audit_ipc_obj(struct kern_ipc_perm *ipcp)
2239	{
2240	struct audit_context *context = current->audit_context;
2241	context->ipc.uid = ipcp->uid;
2242	context->ipc.gid = ipcp->gid;
2243	context->ipc.mode = ipcp->mode;
2244	context->ipc.has_perm = 0;
2245	security_ipc_getsecid(ipcp, &context->ipc.osid);
2246	context->type = AUDIT_IPC;
2247	}
2248
2249	/**
2250	* audit_ipc_set_perm - record audit data for new ipc permissions
2251	* @qbytes: msgq bytes
2252	* @uid: msgq user id
2253	* @gid: msgq group id
2254	* @mode: msgq mode (permissions)
2255	*
2256	* Called only after audit_ipc_obj().
2257	*/
2258	void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode)
2259	{
2260	struct audit_context *context = current->audit_context;
2261
2262	context->ipc.qbytes = qbytes;
2263	context->ipc.perm_uid = uid;
2264	context->ipc.perm_gid = gid;
2265	context->ipc.perm_mode = mode;
2266	context->ipc.has_perm = 1;
2267	}
2268
2269	int audit_bprm(struct linux_binprm *bprm)
2270	{
2271	struct audit_aux_data_execve *ax;
2272	struct audit_context *context = current->audit_context;
2273
2274	if (likely(!audit_enabled \|\| !context \|\| context->dummy))
2275	return 0;
2276
2277	ax = kmalloc(sizeof(*ax), GFP_KERNEL);
2278	if (!ax)
2279	return -ENOMEM;
2280
2281	ax->argc = bprm->argc;
2282	ax->envc = bprm->envc;
2283	ax->mm = bprm->mm;
2284	ax->d.type = AUDIT_EXECVE;
2285	ax->d.next = context->aux;
2286	context->aux = (void *)ax;
2287	return 0;
2288	}
2289
2290
2291	/**
2292	* audit_socketcall - record audit data for sys_socketcall
2293	* @nargs: number of args
2294	* @args: args array
2295	*
2296	*/
2297	void audit_socketcall(int nargs, unsigned long *args)
2298	{
2299	struct audit_context *context = current->audit_context;
2300
2301	if (likely(!context \|\| context->dummy))
2302	return;
2303
2304	context->type = AUDIT_SOCKETCALL;
2305	context->socketcall.nargs = nargs;
2306	memcpy(context->socketcall.args, args, nargs * sizeof(unsigned long));
2307	}
2308
2309	/**
2310	* __audit_fd_pair - record audit data for pipe and socketpair
2311	* @fd1: the first file descriptor
2312	* @fd2: the second file descriptor
2313	*
2314	*/
2315	void __audit_fd_pair(int fd1, int fd2)
2316	{
2317	struct audit_context *context = current->audit_context;
2318	context->fds[0] = fd1;
2319	context->fds[1] = fd2;
2320	}
2321
2322	/**
2323	* audit_sockaddr - record audit data for sys_bind, sys_connect, sys_sendto
2324	* @len: data length in user space
2325	* @a: data address in kernel space
2326	*
2327	* Returns 0 for success or NULL context or < 0 on error.
2328	*/
2329	int audit_sockaddr(int len, void *a)
2330	{
2331	struct audit_context *context = current->audit_context;
2332
2333	if (likely(!context \|\| context->dummy))
2334	return 0;
2335
2336	if (!context->sockaddr) {
2337	void *p = kmalloc(sizeof(struct sockaddr_storage), GFP_KERNEL);
2338	if (!p)
2339	return -ENOMEM;
2340	context->sockaddr = p;
2341	}
2342
2343	context->sockaddr_len = len;
2344	memcpy(context->sockaddr, a, len);
2345	return 0;
2346	}
2347
2348	void __audit_ptrace(struct task_struct *t)
2349	{
2350	struct audit_context *context = current->audit_context;
2351
2352	context->target_pid = t->pid;
2353	context->target_auid = audit_get_loginuid(t);
2354	context->target_uid = task_uid(t);
2355	context->target_sessionid = audit_get_sessionid(t);
2356	security_task_getsecid(t, &context->target_sid);
2357	memcpy(context->target_comm, t->comm, TASK_COMM_LEN);
2358	}
2359
2360	/**
2361	* audit_signal_info - record signal info for shutting down audit subsystem
2362	* @sig: signal value
2363	* @t: task being signaled
2364	*
2365	* If the audit subsystem is being terminated, record the task (pid)
2366	* and uid that is doing that.
2367	*/
2368	int __audit_signal_info(int sig, struct task_struct *t)
2369	{
2370	struct audit_aux_data_pids *axp;
2371	struct task_struct *tsk = current;
2372	struct audit_context *ctx = tsk->audit_context;
2373	uid_t uid = current_uid(), t_uid = task_uid(t);
2374
2375	if (audit_pid && t->tgid == audit_pid) {
2376	if (sig == SIGTERM \|\| sig == SIGHUP \|\| sig == SIGUSR1 \|\| sig == SIGUSR2) {
2377	audit_sig_pid = tsk->pid;
2378	if (tsk->loginuid != -1)
2379	audit_sig_uid = tsk->loginuid;
2380	else
2381	audit_sig_uid = uid;
2382	security_task_getsecid(tsk, &audit_sig_sid);
2383	}
2384	if (!audit_signals \|\| audit_dummy_context())
2385	return 0;
2386	}
2387
2388	/* optimize the common case by putting first signal recipient directly
2389	* in audit_context */
2390	if (!ctx->target_pid) {
2391	ctx->target_pid = t->tgid;
2392	ctx->target_auid = audit_get_loginuid(t);
2393	ctx->target_uid = t_uid;
2394	ctx->target_sessionid = audit_get_sessionid(t);
2395	security_task_getsecid(t, &ctx->target_sid);
2396	memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN);
2397	return 0;
2398	}
2399
2400	axp = (void *)ctx->aux_pids;
2401	if (!axp \|\| axp->pid_count == AUDIT_AUX_PIDS) {
2402	axp = kzalloc(sizeof(*axp), GFP_ATOMIC);
2403	if (!axp)
2404	return -ENOMEM;
2405
2406	axp->d.type = AUDIT_OBJ_PID;
2407	axp->d.next = ctx->aux_pids;
2408	ctx->aux_pids = (void *)axp;
2409	}
2410	BUG_ON(axp->pid_count >= AUDIT_AUX_PIDS);
2411
2412	axp->target_pid[axp->pid_count] = t->tgid;
2413	axp->target_auid[axp->pid_count] = audit_get_loginuid(t);
2414	axp->target_uid[axp->pid_count] = t_uid;
2415	axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t);
2416	security_task_getsecid(t, &axp->target_sid[axp->pid_count]);
2417	memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN);
2418	axp->pid_count++;
2419
2420	return 0;
2421	}
2422
2423	/**
2424	* __audit_log_bprm_fcaps - store information about a loading bprm and relevant fcaps
2425	* @bprm: pointer to the bprm being processed
2426	* @new: the proposed new credentials
2427	* @old: the old credentials
2428	*
2429	* Simply check if the proc already has the caps given by the file and if not
2430	* store the priv escalation info for later auditing at the end of the syscall
2431	*
2432	* -Eric
2433	*/
2434	int __audit_log_bprm_fcaps(struct linux_binprm *bprm,
2435	const struct cred new, const struct cred old)
2436	{
2437	struct audit_aux_data_bprm_fcaps *ax;
2438	struct audit_context *context = current->audit_context;
2439	struct cpu_vfs_cap_data vcaps;
2440	struct dentry *dentry;
2441
2442	ax = kmalloc(sizeof(*ax), GFP_KERNEL);
2443	if (!ax)
2444	return -ENOMEM;
2445
2446	ax->d.type = AUDIT_BPRM_FCAPS;
2447	ax->d.next = context->aux;
2448	context->aux = (void *)ax;
2449
2450	dentry = dget(bprm->file->f_dentry);
2451	get_vfs_caps_from_disk(dentry, &vcaps);
2452	dput(dentry);
2453
2454	ax->fcap.permitted = vcaps.permitted;
2455	ax->fcap.inheritable = vcaps.inheritable;
2456	ax->fcap.fE = !!(vcaps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE);
2457	ax->fcap_ver = (vcaps.magic_etc & VFS_CAP_REVISION_MASK) >> VFS_CAP_REVISION_SHIFT;
2458
2459	ax->old_pcap.permitted = old->cap_permitted;
2460	ax->old_pcap.inheritable = old->cap_inheritable;
2461	ax->old_pcap.effective = old->cap_effective;
2462
2463	ax->new_pcap.permitted = new->cap_permitted;
2464	ax->new_pcap.inheritable = new->cap_inheritable;
2465	ax->new_pcap.effective = new->cap_effective;
2466	return 0;
2467	}
2468
2469	/**
2470	* __audit_log_capset - store information about the arguments to the capset syscall
2471	* @pid: target pid of the capset call
2472	* @new: the new credentials
2473	* @old: the old (current) credentials
2474	*
2475	* Record the aguments userspace sent to sys_capset for later printing by the
2476	* audit system if applicable
2477	*/
2478	void __audit_log_capset(pid_t pid,
2479	const struct cred new, const struct cred old)
2480	{
2481	struct audit_context *context = current->audit_context;
2482	context->capset.pid = pid;
2483	context->capset.cap.effective = new->cap_effective;
2484	context->capset.cap.inheritable = new->cap_effective;
2485	context->capset.cap.permitted = new->cap_permitted;
2486	context->type = AUDIT_CAPSET;
2487	}
2488
2489	/**
2490	* audit_core_dumps - record information about processes that end abnormally
2491	* @signr: signal value
2492	*
2493	* If a process ends with a core dump, something fishy is going on and we
2494	* should record the event for investigation.
2495	*/
2496	void audit_core_dumps(long signr)
2497	{
2498	struct audit_buffer *ab;
2499	u32 sid;
2500	uid_t auid = audit_get_loginuid(current), uid;
2501	gid_t gid;
2502	unsigned int sessionid = audit_get_sessionid(current);
2503
2504	if (!audit_enabled)
2505	return;
2506
2507	if (signr == SIGQUIT) /* don't care for those */
2508	return;
2509
2510	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
2511	current_uid_gid(&uid, &gid);
2512	audit_log_format(ab, "auid=%u uid=%u gid=%u ses=%u",
2513	auid, uid, gid, sessionid);
2514	security_task_getsecid(current, &sid);
2515	if (sid) {
2516	char *ctx = NULL;
2517	u32 len;
2518
2519	if (security_secid_to_secctx(sid, &ctx, &len))
2520	audit_log_format(ab, " ssid=%u", sid);
2521	else {
2522	audit_log_format(ab, " subj=%s", ctx);
2523	security_release_secctx(ctx, len);
2524	}
2525	}
2526	audit_log_format(ab, " pid=%d comm=", current->pid);
2527	audit_log_untrustedstring(ab, current->comm);
2528	audit_log_format(ab, " sig=%ld", signr);
2529	audit_log_end(ab);
2530	}
2531
2532	struct list_head *audit_killed_trees(void)
2533	{
2534	struct audit_context *ctx = current->audit_context;
2535	if (likely(!ctx \|\| !ctx->in_syscall))
2536	return NULL;
2537	return &ctx->killed_trees;
2538	}
2539

Download this file

Branches:
ben-wpan
ben-wpan-stefan
javiroman/ks7010
jz-2.6.34
jz-2.6.34-rc5
jz-2.6.34-rc6
jz-2.6.34-rc7
jz-2.6.35
jz-2.6.36
jz-2.6.37
jz-2.6.38
jz-2.6.39
jz-3.0
jz-3.1
jz-3.11
jz-3.12
jz-3.13
jz-3.15
jz-3.16
jz-3.18-dt
jz-3.2
jz-3.3
jz-3.4
jz-3.5
jz-3.6
jz-3.6-rc2-pwm
jz-3.9
jz-3.9-clk
jz-3.9-rc8
jz47xx
jz47xx-2.6.38
master

Tags:
od-2011-09-04
od-2011-09-18
v2.6.34-rc5
v2.6.34-rc6
v2.6.34-rc7
v3.9

Kernel

Kernel Git Source Tree

Root/kernel/auditsc.c

interactive