Linux Kernel  3.7.1
auditsc.c File Reference
#include <linux/init.h>
#include <asm/types.h>
#include <linux/atomic.h>
#include <linux/fs.h>
#include <linux/namei.h>
#include <linux/mm.h>
#include <linux/export.h>
#include <linux/slab.h>
#include <linux/mount.h>
#include <linux/socket.h>
#include <linux/mqueue.h>
#include <linux/audit.h>
#include <linux/personality.h>
#include <linux/time.h>
#include <linux/netlink.h>
#include <linux/compiler.h>
#include <asm/unistd.h>
#include <linux/security.h>
#include <linux/list.h>
#include <linux/tty.h>
#include <linux/binfmts.h>
#include <linux/highmem.h>
#include <linux/syscalls.h>
#include <linux/capability.h>
#include <linux/fs_struct.h>
#include <linux/compat.h>
#include "audit.h"


Data Structures

struct  audit_cap_data
 
struct  audit_names
 
struct  audit_aux_data
 
struct  audit_aux_data_execve
 
struct  audit_aux_data_pids
 
struct  audit_aux_data_bprm_fcaps
 
struct  audit_aux_data_capset
 
struct  audit_tree_refs
 
struct  audit_context
 

Macros

#define AUDITSC_INVALID   0
 
#define AUDITSC_SUCCESS   1
 
#define AUDITSC_FAILURE   2
 
#define AUDIT_NAMES   5
 
#define MAX_EXECVE_AUDIT_LEN   7500
 
#define AUDIT_AUX_IPCPERM   0
 
#define AUDIT_AUX_PIDS   16
 

Functions

void audit_filter_inodes (struct task_struct *tsk, struct audit_context *ctx)
 
int audit_alloc (struct task_struct *tsk)
 
void audit_log_task_context (struct audit_buffer *ab)
 
 EXPORT_SYMBOL (audit_log_task_context)
 
void audit_log_task_info (struct audit_buffer *ab, struct task_struct *tsk)
 
 EXPORT_SYMBOL (audit_log_task_info)
 
void __audit_free (struct task_struct *tsk)
 
void __audit_syscall_entry (int arch, int major, unsigned long a1, unsigned long a2, unsigned long a3, unsigned long a4)
 
void __audit_syscall_exit (int success, long return_code)
 
struct filename *__audit_reusename (const __user char *uptr)
 
audit_getname - add a name to the list
@name: name to add

Add a name to the list of audit names for this context. Called from fs/namei.c:getname().

void __audit_getname (struct filename *name)
 
void audit_putname (struct filename *name)
 

Variables

int audit_n_rules
 
int audit_signals
 

__audit_inode - store the inode and device from a lookup
@name: name being audited
@dentry: dentry being audited
@parent: does this dentry represent the parent?

void __audit_inode (struct filename *name, const struct dentry *dentry, unsigned int parent)
 
void __audit_inode_child (const struct inode *parent, const struct dentry *dentry, const unsigned char type)
 
 EXPORT_SYMBOL_GPL (__audit_inode_child)
 
int auditsc_get_stamp (struct audit_context *ctx, struct timespec *t, unsigned int *serial)
 
int audit_set_loginuid (kuid_t loginuid)
 
void __audit_mq_open (int oflag, umode_t mode, struct mq_attr *attr)
 
void __audit_mq_sendrecv (mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec *abs_timeout)
 
void __audit_mq_notify (mqd_t mqdes, const struct sigevent *notification)
 
void __audit_mq_getsetattr (mqd_t mqdes, struct mq_attr *mqstat)
 
void __audit_ipc_obj (struct kern_ipc_perm *ipcp)
 
void __audit_ipc_set_perm (unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode)
 
int __audit_bprm (struct linux_binprm *bprm)
 
void __audit_socketcall (int nargs, unsigned long *args)
 
void __audit_fd_pair (int fd1, int fd2)
 
int __audit_sockaddr (int len, void *a)
 
void __audit_ptrace (struct task_struct *t)
 
int __audit_signal_info (int sig, struct task_struct *t)
 
int __audit_log_bprm_fcaps (struct linux_binprm *bprm, const struct cred *new, const struct cred *old)
 
void __audit_log_capset (pid_t pid, const struct cred *new, const struct cred *old)
 
void __audit_mmap_fd (int fd, int flags)
 
void audit_core_dumps (long signr)
 
void __audit_seccomp (unsigned long syscall, long signr, int code)
 
struct list_head *audit_killed_trees (void)
 

Macro Definition Documentation

#define AUDIT_AUX_IPCPERM   0

Definition at line 136 of file auditsc.c.

#define AUDIT_AUX_PIDS   16

Definition at line 139 of file auditsc.c.

#define AUDIT_NAMES   5

Definition at line 82 of file auditsc.c.

#define AUDITSC_FAILURE   2

Definition at line 77 of file auditsc.c.

#define AUDITSC_INVALID   0

Definition at line 75 of file auditsc.c.

#define AUDITSC_SUCCESS   1

Definition at line 76 of file auditsc.c.

#define MAX_EXECVE_AUDIT_LEN   7500

Definition at line 85 of file auditsc.c.

Function Documentation

int __audit_bprm ( struct linux_binprm *bprm)

Definition at line 2519 of file auditsc.c.

void __audit_fd_pair ( int  fd1,
int  fd2 
)

__audit_fd_pair - record audit data for pipe and socketpair
@fd1: the first file descriptor
@fd2: the second file descriptor

Definition at line 2559 of file auditsc.c.

void __audit_free ( struct task_struct *tsk)

audit_free - free a per-task audit context
@tsk: task whose audit context block to free

Called from copy_process and do_exit

Definition at line 1737 of file auditsc.c.

void __audit_getname ( struct filename *name)

Definition at line 2053 of file auditsc.c.

void __audit_inode ( struct filename *name,
const struct dentry *dentry,
unsigned int  parent 
)

Definition at line 2170 of file auditsc.c.

void __audit_inode_child ( const struct inode *parent,
const struct dentry *dentry,
const unsigned char  type 
)

__audit_inode_child - collect inode info for created/removed objects
@parent: inode of dentry parent
@dentry: dentry being audited
@type: AUDIT_TYPE_* value that we're looking for

For syscalls that create or remove filesystem objects, audit_inode can only collect information for the filesystem object's parent. This call updates the audit context with the child's information. Syscalls that create a new filesystem object must be hooked after the object is created. Syscalls that remove a filesystem object must be hooked before the removal, so that the target inode is captured even when the attempt fails; hooking a removal too late would leave failed (e.g. permission-denied) attempts without the target's inode in the record.

Definition at line 2252 of file auditsc.c.

void __audit_ipc_obj ( struct kern_ipc_perm *ipcp)

audit_ipc_obj - record audit data for ipc object
@ipcp: ipc permissions

Definition at line 2488 of file auditsc.c.

void __audit_ipc_set_perm ( unsigned long  qbytes,
uid_t  uid,
gid_t  gid,
umode_t  mode 
)

audit_ipc_set_perm - record audit data for new ipc permissions
@qbytes: msgq bytes
@uid: msgq user id
@gid: msgq group id
@mode: msgq mode (permissions)

Called only after audit_ipc_obj().

Definition at line 2508 of file auditsc.c.

int __audit_log_bprm_fcaps ( struct linux_binprm *bprm,
const struct cred *new,
const struct cred *old 
)

__audit_log_bprm_fcaps - store information about a loading bprm and relevant fcaps
@bprm: pointer to the bprm being processed
@new: the proposed new credentials
@old: the old credentials

Simply check whether the process already holds the capabilities granted by the file; if it does not, store the privilege-escalation information so it can be audited at the end of the syscall. Only the case where the file capabilities actually raise the process's capabilities is recorded.

-Eric

Definition at line 2675 of file auditsc.c.

void __audit_log_capset ( pid_t  pid,
const struct cred *new,
const struct cred *old 
)

__audit_log_capset - store information about the arguments to the capset syscall
@pid: target pid of the capset call
@new: the new credentials
@old: the old (current) credentials

Record the arguments userspace sent to sys_capset for later printing by the audit system if applicable.

Definition at line 2719 of file auditsc.c.

void __audit_mmap_fd ( int  fd,
int  flags 
)

Definition at line 2730 of file auditsc.c.

void __audit_mq_getsetattr ( mqd_t  mqdes,
struct mq_attr *mqstat 
)

__audit_mq_getsetattr - record audit data for a POSIX MQ get/set attribute
@mqdes: MQ descriptor
@mqstat: MQ flags

Definition at line 2475 of file auditsc.c.

void __audit_mq_notify ( mqd_t  mqdes,
const struct sigevent *notification 
)

__audit_mq_notify - record audit data for a POSIX MQ notify
@mqdes: MQ descriptor
@notification: Notification event

Definition at line 2456 of file auditsc.c.

void __audit_mq_open ( int  oflag,
umode_t  mode,
struct mq_attr *attr 
)

__audit_mq_open - record audit data for a POSIX MQ open
@oflag: open flag
@mode: mode bits
@attr: queue attributes

Definition at line 2408 of file auditsc.c.

void __audit_mq_sendrecv ( mqd_t  mqdes,
size_t  msg_len,
unsigned int  msg_prio,
const struct timespec *abs_timeout 
)

__audit_mq_sendrecv - record audit data for a POSIX MQ timed send/receive
@mqdes: MQ descriptor
@msg_len: Message length
@msg_prio: Message priority
@abs_timeout: Message timeout in absolute time

Definition at line 2431 of file auditsc.c.

void __audit_ptrace ( struct task_struct *t)

Definition at line 2589 of file auditsc.c.

struct filename* __audit_reusename ( const __user char *uptr)

audit_reusename - fill out filename with info from existing entry
@uptr: userland ptr to pathname

Search the audit_names list for the current audit context. If there is an existing entry whose userland pointer matches "uptr", return the filename associated with that audit_name; otherwise return NULL. Note that the match is on the userland pointer value, not on the pathname contents: the returned filename is the copy already held in the audit context, presumably so the audit record reflects the name the kernel previously used rather than whatever userspace may have written to that address since — verify against the definition at line 2032.

Definition at line 2032 of file auditsc.c.

void __audit_seccomp ( unsigned long  syscall,
long  signr,
int  code 
)

Definition at line 2782 of file auditsc.c.

int __audit_signal_info ( int  sig,
struct task_struct *t 
)

audit_signal_info - record signal info for shutting down audit subsystem
@sig: signal value
@t: task being signaled

If the audit subsystem is being terminated, record the task (pid) and uid that is doing so, so that an attempt to stop auditing is itself attributable.

Definition at line 2609 of file auditsc.c.

int __audit_sockaddr ( int  len,
void *a 
)

audit_sockaddr - record audit data for sys_bind, sys_connect, sys_sendto
@len: data length in user space
@a: data address in kernel space

Returns 0 on success or when there is no audit context, or < 0 on error.

Definition at line 2573 of file auditsc.c.

void __audit_socketcall ( int  nargs,
unsigned long *args 
)

audit_socketcall - record audit data for sys_socketcall
@nargs: number of args
@args: args array

Definition at line 2544 of file auditsc.c.

void __audit_syscall_entry ( int  arch,
int  major,
unsigned long  a1,
unsigned long  a2,
unsigned long  a3,
unsigned long  a4 
)

audit_syscall_entry - fill in an audit record at syscall entry
@arch: architecture type
@major: major syscall type (function)
@a1: additional syscall register 1
@a2: additional syscall register 2
@a3: additional syscall register 3
@a4: additional syscall register 4

Fill in audit context at syscall entry. This only happens if the audit context was created when the task was created and the state or filters demand the audit context be built. If the state from the per-task filter or from the per-syscall filter is AUDIT_RECORD_CONTEXT, then the record will be written at syscall exit time (otherwise, it will only be written if another part of the kernel requests that it be written).

Definition at line 1775 of file auditsc.c.

void __audit_syscall_exit ( int  success,
long  return_code 
)

audit_syscall_exit - deallocate audit context after a system call
@success: success value of the syscall
@return_code: return value of the syscall

Tear down after a system call. If the audit context has been marked as auditable (either because of the AUDIT_RECORD_CONTEXT state from filtering, or because some other part of the kernel wrote an audit message), then write out the syscall information. In all cases, free the names stored from getname().

Definition at line 1861 of file auditsc.c.

int audit_alloc ( struct task_struct *tsk)

audit_alloc - allocate an audit context block for a task
@tsk: task

Filter on the task information and allocate a per-task audit context if necessary. Doing so turns on system call auditing for the specified task. This is called from copy_process, so no lock is needed.

Definition at line 1067 of file auditsc.c.

void audit_core_dumps ( long  signr)

audit_core_dumps - record information about processes that end abnormally
@signr: signal value

If a process ends with a core dump, something unusual is going on (a crash, or possibly an exploitation attempt) and the event should be recorded for investigation.

Definition at line 2767 of file auditsc.c.

void audit_filter_inodes ( struct task_struct *tsk,
struct audit_context *ctx 
)

Definition at line 932 of file auditsc.c.

struct list_head* audit_killed_trees ( void  )

Definition at line 2795 of file auditsc.c.

void audit_log_task_context ( struct audit_buffer *ab)

Definition at line 1119 of file auditsc.c.

void audit_log_task_info ( struct audit_buffer *ab,
struct task_struct *tsk 
)

Definition at line 1148 of file auditsc.c.

void audit_putname ( struct filename *name)

Definition at line 2092 of file auditsc.c.

int audit_set_loginuid ( kuid_t  loginuid)

audit_set_loginuid - set current task's audit_context loginuid
@loginuid: loginuid value

Returns 0 on success. Callers should check the return value rather than assume the write always succeeds: this is the path by which userspace sets the audit loginuid through /proc, and the definition at line 2365 is the authority on whether and when the change is refused — verify there before relying on it.

Called (set) from fs/proc/base.c::proc_loginuid_write().

Definition at line 2365 of file auditsc.c.

int auditsc_get_stamp ( struct audit_context *ctx,
struct timespec *t,
unsigned int *serial 
)

auditsc_get_stamp - get local copies of audit_context values
@ctx: audit_context for the task
@t: timespec to store time recorded in the audit_context
@serial: serial value that is recorded in the audit_context

Also sets the context as auditable.

Definition at line 2337 of file auditsc.c.

EXPORT_SYMBOL ( audit_log_task_context  )
EXPORT_SYMBOL ( audit_log_task_info  )
EXPORT_SYMBOL_GPL ( __audit_inode_child  )

Variable Documentation

int audit_n_rules

Definition at line 88 of file auditsc.c.

int audit_signals

Definition at line 91 of file auditsc.c.