Linux Kernel  3.7.1
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
auditsc.c
Go to the documentation of this file.
1 /* auditsc.c -- System-call auditing support
2  * Handles all system-call specific auditing features.
3  *
4  * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina.
5  * Copyright 2005 Hewlett-Packard Development Company, L.P.
6  * Copyright (C) 2005, 2006 IBM Corporation
7  * All Rights Reserved.
8  *
9  * This program is free software; you can redistribute it and/or modify
10  * it under the terms of the GNU General Public License as published by
11  * the Free Software Foundation; either version 2 of the License, or
12  * (at your option) any later version.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License
20  * along with this program; if not, write to the Free Software
21  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
22  *
23  * Written by Rickard E. (Rik) Faith <[email protected]>
24  *
25  * Many of the ideas implemented here are from Stephen C. Tweedie,
26  * especially the idea of avoiding a copy by using getname.
27  *
28  * The method for actual interception of syscall entry and exit (not in
29  * this file -- see entry.S) is based on a GPL'd patch written by
30  * [email protected] and Copyright 2003 SuSE Linux AG.
31  *
32  * POSIX message queue support added by George Wilson <[email protected]>,
33  * 2006.
34  *
35  * The support of additional filter rules compares (>, <, >=, <=) was
36  * added by Dustin Kirkland <[email protected]>, 2005.
37  *
38  * Modified by Amy Griffis <[email protected]> to collect additional
39  * filesystem information.
40  *
41  * Subject and object context labeling support added by <[email protected]>
42  * and <[email protected]> for LSPP certification compliance.
43  */
44 
45 #include <linux/init.h>
46 #include <asm/types.h>
47 #include <linux/atomic.h>
48 #include <linux/fs.h>
49 #include <linux/namei.h>
50 #include <linux/mm.h>
51 #include <linux/export.h>
52 #include <linux/slab.h>
53 #include <linux/mount.h>
54 #include <linux/socket.h>
55 #include <linux/mqueue.h>
56 #include <linux/audit.h>
57 #include <linux/personality.h>
58 #include <linux/time.h>
59 #include <linux/netlink.h>
60 #include <linux/compiler.h>
61 #include <asm/unistd.h>
62 #include <linux/security.h>
63 #include <linux/list.h>
64 #include <linux/tty.h>
65 #include <linux/binfmts.h>
66 #include <linux/highmem.h>
67 #include <linux/syscalls.h>
68 #include <linux/capability.h>
69 #include <linux/fs_struct.h>
70 #include <linux/compat.h>
71 
72 #include "audit.h"
73 
74 /* flags stating the success for a syscall */
75 #define AUDITSC_INVALID 0
76 #define AUDITSC_SUCCESS 1
77 #define AUDITSC_FAILURE 2
78 
79 /* AUDIT_NAMES is the number of slots we reserve in the audit_context
80  * for saving names from getname(). If we get more names we will allocate
81  * a name dynamically and also add those to the list anchored by names_list. */
82 #define AUDIT_NAMES 5
83 
84 /* no execve audit message should be longer than this (userspace limits) */
85 #define MAX_EXECVE_AUDIT_LEN 7500
86 
87 /* number of audit rules */
88 int audit_n_rules;
89 
90 /* determines whether we collect data for signals sent */
91 int audit_signals;
92 
93 struct audit_cap_data {
94  kernel_cap_t permitted;
95  kernel_cap_t inheritable;
96  union {
97  unsigned int fE; /* effective bit of a file capability */
98  kernel_cap_t effective; /* effective set of a process */
99  };
100 };
101 
102 /* When fs/namei.c:getname() is called, we store the pointer in name and
103  * we don't let putname() free it (instead we free all of the saved
104  * pointers at syscall exit time).
105  *
106  * Further, in fs/namei.c:path_lookup() we store the inode and device.
107  */
108 struct audit_names {
109  struct list_head list; /* audit_context->names_list */
110  struct filename *name;
111  unsigned long ino;
112  dev_t dev;
113  umode_t mode;
114  kuid_t uid;
115  kgid_t gid;
116  dev_t rdev;
117  u32 osid;
118  struct audit_cap_data fcap;
119  unsigned int fcap_ver;
120  int name_len; /* number of name's characters to log */
121  unsigned char type; /* record type */
122  bool name_put; /* call __putname() for this name */
123  /*
124  * This was an allocated audit_names and not from the array of
125  * names allocated in the task audit context. Thus this name
126  * should be freed on syscall exit
127  */
128  bool should_free;
129 };
130 
131 struct audit_aux_data {
132  struct audit_aux_data *next;
133  int type;
134 };
135 
136 #define AUDIT_AUX_IPCPERM 0
137 
138 /* Number of target pids per aux struct. */
139 #define AUDIT_AUX_PIDS 16
140 
141 struct audit_aux_data_execve {
142  struct audit_aux_data d;
143  int argc;
144  int envc;
145  struct mm_struct *mm;
146 };
147 
148 struct audit_aux_data_pids {
149  struct audit_aux_data d;
150  pid_t target_pid[AUDIT_AUX_PIDS];
151  kuid_t target_auid[AUDIT_AUX_PIDS];
152  kuid_t target_uid[AUDIT_AUX_PIDS];
153  unsigned int target_sessionid[AUDIT_AUX_PIDS];
154  u32 target_sid[AUDIT_AUX_PIDS];
155  char target_comm[AUDIT_AUX_PIDS][TASK_COMM_LEN];
156  int pid_count;
157 };
158 
159 struct audit_aux_data_bprm_fcaps {
160  struct audit_aux_data d;
161  struct audit_cap_data fcap;
162  unsigned int fcap_ver;
163  struct audit_cap_data old_pcap;
164  struct audit_cap_data new_pcap;
165 };
166 
167 struct audit_aux_data_capset {
168  struct audit_aux_data d;
169  pid_t pid;
170  struct audit_cap_data cap;
171 };
172 
173 struct audit_tree_refs {
174  struct audit_tree_refs *next;
175  struct audit_chunk *c[31];
176 };
177 
178 /* The per-task audit context. */
179 struct audit_context {
180  int dummy; /* must be the first element */
181  int in_syscall; /* 1 if task is in a syscall */
182  enum audit_state state, current_state;
183  unsigned int serial; /* serial number for record */
184  int major; /* syscall number */
185  struct timespec ctime; /* time of syscall entry */
186  unsigned long argv[4]; /* syscall arguments */
187  long return_code;/* syscall return code */
188  u64 prio;
189  int return_valid; /* return code is valid */
190  /*
191  * The names_list is the list of all audit_names collected during this
192  * syscall. The first AUDIT_NAMES entries in the names_list will
193  * actually be from the preallocated_names array for performance
194  * reasons. Except during allocation they should never be referenced
195  * through the preallocated_names array and should only be found/used
196  * by running the names_list.
197  */
198  struct audit_names preallocated_names[AUDIT_NAMES];
199  int name_count; /* total records in names_list */
200  struct list_head names_list; /* anchor for struct audit_names->list */
201  char * filterkey; /* key for rule that triggered record */
202  struct path pwd;
203  struct audit_context *previous; /* For nested syscalls */
204  struct audit_aux_data *aux;
205  struct audit_aux_data *aux_pids;
206  struct sockaddr_storage *sockaddr;
207  size_t sockaddr_len;
208  /* Save things to print about task_struct */
209  pid_t pid, ppid;
210  kuid_t uid, euid, suid, fsuid;
211  kgid_t gid, egid, sgid, fsgid;
212  unsigned long personality;
213  int arch;
214 
215  pid_t target_pid;
216  kuid_t target_auid;
217  kuid_t target_uid;
218  unsigned int target_sessionid;
219  u32 target_sid;
220  char target_comm[TASK_COMM_LEN];
221 
222  struct audit_tree_refs *trees, *first_trees;
223  struct list_head killed_trees;
224  int tree_count;
225 
226  int type;
227  union {
228  struct {
229  int nargs;
230  long args[6];
231  } socketcall;
232  struct {
233  kuid_t uid;
234  kgid_t gid;
235  umode_t mode;
236  u32 osid;
237  int has_perm;
238  uid_t perm_uid;
239  gid_t perm_gid;
240  umode_t perm_mode;
241  unsigned long qbytes;
242  } ipc;
243  struct {
244  mqd_t mqdes;
245  struct mq_attr mqstat;
246  } mq_getsetattr;
247  struct {
248  mqd_t mqdes;
249  int sigev_signo;
250  } mq_notify;
251  struct {
252  mqd_t mqdes;
253  size_t msg_len;
254  unsigned int msg_prio;
255  struct timespec abs_timeout;
256  } mq_sendrecv;
257  struct {
258  int oflag;
259  umode_t mode;
260  struct mq_attr attr;
261  } mq_open;
262  struct {
263  pid_t pid;
264  struct audit_cap_data cap;
265  } capset;
266  struct {
267  int fd;
268  int flags;
269  } mmap;
270  };
271  int fds[2];
272 
273 #if AUDIT_DEBUG
274  int put_count;
275  int ino_count;
276 #endif
277 };
278 
279 static inline int open_arg(int flags, int mask)
280 {
281  int n = ACC_MODE(flags);
282  if (flags & (O_TRUNC | O_CREAT))
283  n |= AUDIT_PERM_WRITE;
284  return n & mask;
285 }
286 
287 static int audit_match_perm(struct audit_context *ctx, int mask)
288 {
289  unsigned n;
290  if (unlikely(!ctx))
291  return 0;
292  n = ctx->major;
293 
294  switch (audit_classify_syscall(ctx->arch, n)) {
295  case 0: /* native */
296  if ((mask & AUDIT_PERM_WRITE) &&
297  audit_match_class(AUDIT_CLASS_WRITE, n))
298  return 1;
299  if ((mask & AUDIT_PERM_READ) &&
300  audit_match_class(AUDIT_CLASS_READ, n))
301  return 1;
302  if ((mask & AUDIT_PERM_ATTR) &&
303  audit_match_class(AUDIT_CLASS_CHATTR, n))
304  return 1;
305  return 0;
306  case 1: /* 32bit on biarch */
307  if ((mask & AUDIT_PERM_WRITE) &&
308  audit_match_class(AUDIT_CLASS_WRITE_32, n))
309  return 1;
310  if ((mask & AUDIT_PERM_READ) &&
311  audit_match_class(AUDIT_CLASS_READ_32, n))
312  return 1;
313  if ((mask & AUDIT_PERM_ATTR) &&
314  audit_match_class(AUDIT_CLASS_CHATTR_32, n))
315  return 1;
316  return 0;
317  case 2: /* open */
318  return mask & ACC_MODE(ctx->argv[1]);
319  case 3: /* openat */
320  return mask & ACC_MODE(ctx->argv[2]);
321  case 4: /* socketcall */
322  return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND);
323  case 5: /* execve */
324  return mask & AUDIT_PERM_EXEC;
325  default:
326  return 0;
327  }
328 }
329 
330 static int audit_match_filetype(struct audit_context *ctx, int val)
331 {
332  struct audit_names *n;
333  umode_t mode = (umode_t)val;
334 
335  if (unlikely(!ctx))
336  return 0;
337 
338  list_for_each_entry(n, &ctx->names_list, list) {
339  if ((n->ino != -1) &&
340  ((n->mode & S_IFMT) == mode))
341  return 1;
342  }
343 
344  return 0;
345 }
346 
347 /*
348  * We keep a linked list of fixed-sized (31 pointer) arrays of audit_chunk *;
349  * ->first_trees points to its beginning, ->trees - to the current end of data.
350  * ->tree_count is the number of free entries in array pointed to by ->trees.
351  * Original condition is (NULL, NULL, 0); as soon as it grows we never revert to NULL,
352  * "empty" becomes (p, p, 31) afterwards. We don't shrink the list (and seriously,
353  * it's going to remain 1-element for almost any setup) until we free context itself.
354  * References in it _are_ dropped - at the same time we free/drop aux stuff.
355  */
356 
357 #ifdef CONFIG_AUDIT_TREE
358 static void audit_set_auditable(struct audit_context *ctx)
359 {
360  if (!ctx->prio) {
361  ctx->prio = 1;
362  ctx->current_state = AUDIT_RECORD_CONTEXT;
363  }
364 }
365 
366 static int put_tree_ref(struct audit_context *ctx, struct audit_chunk *chunk)
367 {
368  struct audit_tree_refs *p = ctx->trees;
369  int left = ctx->tree_count;
370  if (likely(left)) {
371  p->c[--left] = chunk;
372  ctx->tree_count = left;
373  return 1;
374  }
375  if (!p)
376  return 0;
377  p = p->next;
378  if (p) {
379  p->c[30] = chunk;
380  ctx->trees = p;
381  ctx->tree_count = 30;
382  return 1;
383  }
384  return 0;
385 }
386 
387 static int grow_tree_refs(struct audit_context *ctx)
388 {
389  struct audit_tree_refs *p = ctx->trees;
390  ctx->trees = kzalloc(sizeof(struct audit_tree_refs), GFP_KERNEL);
391  if (!ctx->trees) {
392  ctx->trees = p;
393  return 0;
394  }
395  if (p)
396  p->next = ctx->trees;
397  else
398  ctx->first_trees = ctx->trees;
399  ctx->tree_count = 31;
400  return 1;
401 }
402 #endif
403 
404 static void unroll_tree_refs(struct audit_context *ctx,
405  struct audit_tree_refs *p, int count)
406 {
407 #ifdef CONFIG_AUDIT_TREE
408  struct audit_tree_refs *q;
409  int n;
410  if (!p) {
411  /* we started with empty chain */
412  p = ctx->first_trees;
413  count = 31;
414  /* if the very first allocation has failed, nothing to do */
415  if (!p)
416  return;
417  }
418  n = count;
419  for (q = p; q != ctx->trees; q = q->next, n = 31) {
420  while (n--) {
421  audit_put_chunk(q->c[n]);
422  q->c[n] = NULL;
423  }
424  }
425  while (n-- > ctx->tree_count) {
426  audit_put_chunk(q->c[n]);
427  q->c[n] = NULL;
428  }
429  ctx->trees = p;
430  ctx->tree_count = count;
431 #endif
432 }
433 
434 static void free_tree_refs(struct audit_context *ctx)
435 {
436  struct audit_tree_refs *p, *q;
437  for (p = ctx->first_trees; p; p = q) {
438  q = p->next;
439  kfree(p);
440  }
441 }
442 
443 static int match_tree_refs(struct audit_context *ctx, struct audit_tree *tree)
444 {
445 #ifdef CONFIG_AUDIT_TREE
446  struct audit_tree_refs *p;
447  int n;
448  if (!tree)
449  return 0;
450  /* full ones */
451  for (p = ctx->first_trees; p != ctx->trees; p = p->next) {
452  for (n = 0; n < 31; n++)
453  if (audit_tree_match(p->c[n], tree))
454  return 1;
455  }
456  /* partial */
457  if (p) {
458  for (n = ctx->tree_count; n < 31; n++)
459  if (audit_tree_match(p->c[n], tree))
460  return 1;
461  }
462 #endif
463  return 0;
464 }
465 
466 static int audit_compare_uid(kuid_t uid,
467  struct audit_names *name,
468  struct audit_field *f,
469  struct audit_context *ctx)
470 {
471  struct audit_names *n;
472  int rc;
473 
474  if (name) {
475  rc = audit_uid_comparator(uid, f->op, name->uid);
476  if (rc)
477  return rc;
478  }
479 
480  if (ctx) {
481  list_for_each_entry(n, &ctx->names_list, list) {
482  rc = audit_uid_comparator(uid, f->op, n->uid);
483  if (rc)
484  return rc;
485  }
486  }
487  return 0;
488 }
489 
490 static int audit_compare_gid(kgid_t gid,
491  struct audit_names *name,
492  struct audit_field *f,
493  struct audit_context *ctx)
494 {
495  struct audit_names *n;
496  int rc;
497 
498  if (name) {
499  rc = audit_gid_comparator(gid, f->op, name->gid);
500  if (rc)
501  return rc;
502  }
503 
504  if (ctx) {
505  list_for_each_entry(n, &ctx->names_list, list) {
506  rc = audit_gid_comparator(gid, f->op, n->gid);
507  if (rc)
508  return rc;
509  }
510  }
511  return 0;
512 }
513 
514 static int audit_field_compare(struct task_struct *tsk,
515  const struct cred *cred,
516  struct audit_field *f,
517  struct audit_context *ctx,
518  struct audit_names *name)
519 {
520  switch (f->val) {
521  /* process to file object comparisons */
522  case AUDIT_COMPARE_UID_TO_OBJ_UID:
523  return audit_compare_uid(cred->uid, name, f, ctx);
524  case AUDIT_COMPARE_GID_TO_OBJ_GID:
525  return audit_compare_gid(cred->gid, name, f, ctx);
526  case AUDIT_COMPARE_EUID_TO_OBJ_UID:
527  return audit_compare_uid(cred->euid, name, f, ctx);
528  case AUDIT_COMPARE_EGID_TO_OBJ_GID:
529  return audit_compare_gid(cred->egid, name, f, ctx);
530  case AUDIT_COMPARE_AUID_TO_OBJ_UID:
531  return audit_compare_uid(tsk->loginuid, name, f, ctx);
532  case AUDIT_COMPARE_SUID_TO_OBJ_UID:
533  return audit_compare_uid(cred->suid, name, f, ctx);
534  case AUDIT_COMPARE_SGID_TO_OBJ_GID:
535  return audit_compare_gid(cred->sgid, name, f, ctx);
536  case AUDIT_COMPARE_FSUID_TO_OBJ_UID:
537  return audit_compare_uid(cred->fsuid, name, f, ctx);
538  case AUDIT_COMPARE_FSGID_TO_OBJ_GID:
539  return audit_compare_gid(cred->fsgid, name, f, ctx);
540  /* uid comparisons */
541  case AUDIT_COMPARE_UID_TO_AUID:
542  return audit_uid_comparator(cred->uid, f->op, tsk->loginuid);
543  case AUDIT_COMPARE_UID_TO_EUID:
544  return audit_uid_comparator(cred->uid, f->op, cred->euid);
545  case AUDIT_COMPARE_UID_TO_SUID:
546  return audit_uid_comparator(cred->uid, f->op, cred->suid);
547  case AUDIT_COMPARE_UID_TO_FSUID:
548  return audit_uid_comparator(cred->uid, f->op, cred->fsuid);
549  /* auid comparisons */
550  case AUDIT_COMPARE_AUID_TO_EUID:
551  return audit_uid_comparator(tsk->loginuid, f->op, cred->euid);
552  case AUDIT_COMPARE_AUID_TO_SUID:
553  return audit_uid_comparator(tsk->loginuid, f->op, cred->suid);
554  case AUDIT_COMPARE_AUID_TO_FSUID:
555  return audit_uid_comparator(tsk->loginuid, f->op, cred->fsuid);
556  /* euid comparisons */
557  case AUDIT_COMPARE_EUID_TO_SUID:
558  return audit_uid_comparator(cred->euid, f->op, cred->suid);
559  case AUDIT_COMPARE_EUID_TO_FSUID:
560  return audit_uid_comparator(cred->euid, f->op, cred->fsuid);
561  /* suid comparisons */
562  case AUDIT_COMPARE_SUID_TO_FSUID:
563  return audit_uid_comparator(cred->suid, f->op, cred->fsuid);
564  /* gid comparisons */
565  case AUDIT_COMPARE_GID_TO_EGID:
566  return audit_gid_comparator(cred->gid, f->op, cred->egid);
567  case AUDIT_COMPARE_GID_TO_SGID:
568  return audit_gid_comparator(cred->gid, f->op, cred->sgid);
569  case AUDIT_COMPARE_GID_TO_FSGID:
570  return audit_gid_comparator(cred->gid, f->op, cred->fsgid);
571  /* egid comparisons */
572  case AUDIT_COMPARE_EGID_TO_SGID:
573  return audit_gid_comparator(cred->egid, f->op, cred->sgid);
574  case AUDIT_COMPARE_EGID_TO_FSGID:
575  return audit_gid_comparator(cred->egid, f->op, cred->fsgid);
576  /* sgid comparison */
577  case AUDIT_COMPARE_SGID_TO_FSGID:
578  return audit_gid_comparator(cred->sgid, f->op, cred->fsgid);
579  default:
580  WARN(1, "Missing AUDIT_COMPARE define. Report as a bug\n");
581  return 0;
582  }
583  return 0;
584 }
585 
586 /* Determine if any context name data matches a rule's watch data */
587 /* Compare a task_struct with an audit_rule. Return 1 on match, 0
588  * otherwise.
589  *
590  * If task_creation is true, this is an explicit indication that we are
591  * filtering a task rule at task creation time. This and tsk == current are
592  * the only situations where tsk->cred may be accessed without an rcu read lock.
593  */
594 static int audit_filter_rules(struct task_struct *tsk,
595  struct audit_krule *rule,
596  struct audit_context *ctx,
597  struct audit_names *name,
598  enum audit_state *state,
599  bool task_creation)
600 {
601  const struct cred *cred;
602  int i, need_sid = 1;
603  u32 sid;
604 
605  cred = rcu_dereference_check(tsk->cred, tsk == current || task_creation);
606 
607  for (i = 0; i < rule->field_count; i++) {
608  struct audit_field *f = &rule->fields[i];
609  struct audit_names *n;
610  int result = 0;
611 
612  switch (f->type) {
613  case AUDIT_PID:
614  result = audit_comparator(tsk->pid, f->op, f->val);
615  break;
616  case AUDIT_PPID:
617  if (ctx) {
618  if (!ctx->ppid)
619  ctx->ppid = sys_getppid();
620  result = audit_comparator(ctx->ppid, f->op, f->val);
621  }
622  break;
623  case AUDIT_UID:
624  result = audit_uid_comparator(cred->uid, f->op, f->uid);
625  break;
626  case AUDIT_EUID:
627  result = audit_uid_comparator(cred->euid, f->op, f->uid);
628  break;
629  case AUDIT_SUID:
630  result = audit_uid_comparator(cred->suid, f->op, f->uid);
631  break;
632  case AUDIT_FSUID:
633  result = audit_uid_comparator(cred->fsuid, f->op, f->uid);
634  break;
635  case AUDIT_GID:
636  result = audit_gid_comparator(cred->gid, f->op, f->gid);
637  break;
638  case AUDIT_EGID:
639  result = audit_gid_comparator(cred->egid, f->op, f->gid);
640  break;
641  case AUDIT_SGID:
642  result = audit_gid_comparator(cred->sgid, f->op, f->gid);
643  break;
644  case AUDIT_FSGID:
645  result = audit_gid_comparator(cred->fsgid, f->op, f->gid);
646  break;
647  case AUDIT_PERS:
648  result = audit_comparator(tsk->personality, f->op, f->val);
649  break;
650  case AUDIT_ARCH:
651  if (ctx)
652  result = audit_comparator(ctx->arch, f->op, f->val);
653  break;
654 
655  case AUDIT_EXIT:
656  if (ctx && ctx->return_valid)
657  result = audit_comparator(ctx->return_code, f->op, f->val);
658  break;
659  case AUDIT_SUCCESS:
660  if (ctx && ctx->return_valid) {
661  if (f->val)
662  result = audit_comparator(ctx->return_valid, f->op, AUDITSC_SUCCESS);
663  else
664  result = audit_comparator(ctx->return_valid, f->op, AUDITSC_FAILURE);
665  }
666  break;
667  case AUDIT_DEVMAJOR:
668  if (name) {
669  if (audit_comparator(MAJOR(name->dev), f->op, f->val) ||
670  audit_comparator(MAJOR(name->rdev), f->op, f->val))
671  ++result;
672  } else if (ctx) {
673  list_for_each_entry(n, &ctx->names_list, list) {
674  if (audit_comparator(MAJOR(n->dev), f->op, f->val) ||
675  audit_comparator(MAJOR(n->rdev), f->op, f->val)) {
676  ++result;
677  break;
678  }
679  }
680  }
681  break;
682  case AUDIT_DEVMINOR:
683  if (name) {
684  if (audit_comparator(MINOR(name->dev), f->op, f->val) ||
685  audit_comparator(MINOR(name->rdev), f->op, f->val))
686  ++result;
687  } else if (ctx) {
688  list_for_each_entry(n, &ctx->names_list, list) {
689  if (audit_comparator(MINOR(n->dev), f->op, f->val) ||
690  audit_comparator(MINOR(n->rdev), f->op, f->val)) {
691  ++result;
692  break;
693  }
694  }
695  }
696  break;
697  case AUDIT_INODE:
698  if (name)
699  result = (name->ino == f->val);
700  else if (ctx) {
701  list_for_each_entry(n, &ctx->names_list, list) {
702  if (audit_comparator(n->ino, f->op, f->val)) {
703  ++result;
704  break;
705  }
706  }
707  }
708  break;
709  case AUDIT_OBJ_UID:
710  if (name) {
711  result = audit_uid_comparator(name->uid, f->op, f->uid);
712  } else if (ctx) {
713  list_for_each_entry(n, &ctx->names_list, list) {
714  if (audit_uid_comparator(n->uid, f->op, f->uid)) {
715  ++result;
716  break;
717  }
718  }
719  }
720  break;
721  case AUDIT_OBJ_GID:
722  if (name) {
723  result = audit_gid_comparator(name->gid, f->op, f->gid);
724  } else if (ctx) {
725  list_for_each_entry(n, &ctx->names_list, list) {
726  if (audit_gid_comparator(n->gid, f->op, f->gid)) {
727  ++result;
728  break;
729  }
730  }
731  }
732  break;
733  case AUDIT_WATCH:
734  if (name)
735  result = audit_watch_compare(rule->watch, name->ino, name->dev);
736  break;
737  case AUDIT_DIR:
738  if (ctx)
739  result = match_tree_refs(ctx, rule->tree);
740  break;
741  case AUDIT_LOGINUID:
742  result = 0;
743  if (ctx)
744  result = audit_uid_comparator(tsk->loginuid, f->op, f->uid);
745  break;
746  case AUDIT_SUBJ_USER:
747  case AUDIT_SUBJ_ROLE:
748  case AUDIT_SUBJ_TYPE:
749  case AUDIT_SUBJ_SEN:
750  case AUDIT_SUBJ_CLR:
751  /* NOTE: this may return negative values indicating
752  a temporary error. We simply treat this as a
753  match for now to avoid losing information that
754  may be wanted. An error message will also be
755  logged upon error */
756  if (f->lsm_rule) {
757  if (need_sid) {
758  security_task_getsecid(tsk, &sid);
759  need_sid = 0;
760  }
761  result = security_audit_rule_match(sid, f->type,
762  f->op,
763  f->lsm_rule,
764  ctx);
765  }
766  break;
767  case AUDIT_OBJ_USER:
768  case AUDIT_OBJ_ROLE:
769  case AUDIT_OBJ_TYPE:
770  case AUDIT_OBJ_LEV_LOW:
771  case AUDIT_OBJ_LEV_HIGH:
772  /* The above note for AUDIT_SUBJ_USER...AUDIT_SUBJ_CLR
773  also applies here */
774  if (f->lsm_rule) {
775  /* Find files that match */
776  if (name) {
777  result = security_audit_rule_match(
778  name->osid, f->type, f->op,
779  f->lsm_rule, ctx);
780  } else if (ctx) {
781  list_for_each_entry(n, &ctx->names_list, list) {
782  if (security_audit_rule_match(n->osid, f->type,
783  f->op, f->lsm_rule,
784  ctx)) {
785  ++result;
786  break;
787  }
788  }
789  }
790  /* Find ipc objects that match */
791  if (!ctx || ctx->type != AUDIT_IPC)
792  break;
793  if (security_audit_rule_match(ctx->ipc.osid,
794  f->type, f->op,
795  f->lsm_rule, ctx))
796  ++result;
797  }
798  break;
799  case AUDIT_ARG0:
800  case AUDIT_ARG1:
801  case AUDIT_ARG2:
802  case AUDIT_ARG3:
803  if (ctx)
804  result = audit_comparator(ctx->argv[f->type-AUDIT_ARG0], f->op, f->val);
805  break;
806  case AUDIT_FILTERKEY:
807  /* ignore this field for filtering */
808  result = 1;
809  break;
810  case AUDIT_PERM:
811  result = audit_match_perm(ctx, f->val);
812  break;
813  case AUDIT_FILETYPE:
814  result = audit_match_filetype(ctx, f->val);
815  break;
816  case AUDIT_FIELD_COMPARE:
817  result = audit_field_compare(tsk, cred, f, ctx, name);
818  break;
819  }
820  if (!result)
821  return 0;
822  }
823 
824  if (ctx) {
825  if (rule->prio <= ctx->prio)
826  return 0;
827  if (rule->filterkey) {
828  kfree(ctx->filterkey);
829  ctx->filterkey = kstrdup(rule->filterkey, GFP_ATOMIC);
830  }
831  ctx->prio = rule->prio;
832  }
833  switch (rule->action) {
834  case AUDIT_NEVER: *state = AUDIT_DISABLED; break;
835  case AUDIT_ALWAYS: *state = AUDIT_RECORD_CONTEXT; break;
836  }
837  return 1;
838 }
839 
840 /* At process creation time, we can determine if system-call auditing is
841  * completely disabled for this task. Since we only have the task
842  * structure at this point, we can only check uid and gid.
843  */
844 static enum audit_state audit_filter_task(struct task_struct *tsk, char **key)
845 {
846  struct audit_entry *e;
847  enum audit_state state;
848 
849  rcu_read_lock();
850  list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TASK], list) {
851  if (audit_filter_rules(tsk, &e->rule, NULL, NULL,
852  &state, true)) {
853  if (state == AUDIT_RECORD_CONTEXT)
854  *key = kstrdup(e->rule.filterkey, GFP_ATOMIC);
855  rcu_read_unlock();
856  return state;
857  }
858  }
859  rcu_read_unlock();
860  return AUDIT_BUILD_CONTEXT;
861 }
862 
863 /* At syscall entry and exit time, this filter is called if the
864  * audit_state is not low enough that auditing cannot take place, but is
865  * also not high enough that we already know we have to write an audit
866  * record (i.e., the state is AUDIT_SETUP_CONTEXT or AUDIT_BUILD_CONTEXT).
867  */
868 static enum audit_state audit_filter_syscall(struct task_struct *tsk,
869  struct audit_context *ctx,
870  struct list_head *list)
871 {
872  struct audit_entry *e;
873  enum audit_state state;
874 
875  if (audit_pid && tsk->tgid == audit_pid)
876  return AUDIT_DISABLED;
877 
878  rcu_read_lock();
879  if (!list_empty(list)) {
880  int word = AUDIT_WORD(ctx->major);
881  int bit = AUDIT_BIT(ctx->major);
882 
883  list_for_each_entry_rcu(e, list, list) {
884  if ((e->rule.mask[word] & bit) == bit &&
885  audit_filter_rules(tsk, &e->rule, ctx, NULL,
886  &state, false)) {
887  rcu_read_unlock();
888  ctx->current_state = state;
889  return state;
890  }
891  }
892  }
893  rcu_read_unlock();
894  return AUDIT_BUILD_CONTEXT;
895 }
896 
897 /*
898  * Given an audit_name check the inode hash table to see if they match.
899  * Called holding the rcu read lock to protect the use of audit_inode_hash
900  */
901 static int audit_filter_inode_name(struct task_struct *tsk,
902  struct audit_names *n,
903  struct audit_context *ctx) {
904  int word, bit;
905  int h = audit_hash_ino((u32)n->ino);
906  struct list_head *list = &audit_inode_hash[h];
907  struct audit_entry *e;
908  enum audit_state state;
909 
910  word = AUDIT_WORD(ctx->major);
911  bit = AUDIT_BIT(ctx->major);
912 
913  if (list_empty(list))
914  return 0;
915 
916  list_for_each_entry_rcu(e, list, list) {
917  if ((e->rule.mask[word] & bit) == bit &&
918  audit_filter_rules(tsk, &e->rule, ctx, n, &state, false)) {
919  ctx->current_state = state;
920  return 1;
921  }
922  }
923 
924  return 0;
925 }
926 
927 /* At syscall exit time, this filter is called if any audit_names have been
928  * collected during syscall processing. We only check rules in sublists at hash
929  * buckets applicable to the inode numbers in audit_names.
930  * Regarding audit_state, same rules apply as for audit_filter_syscall().
931  */
932 void audit_filter_inodes(struct task_struct *tsk, struct audit_context *ctx)
933 {
934  struct audit_names *n;
935 
936  if (audit_pid && tsk->tgid == audit_pid)
937  return;
938 
939  rcu_read_lock();
940 
941  list_for_each_entry(n, &ctx->names_list, list) {
942  if (audit_filter_inode_name(tsk, n, ctx))
943  break;
944  }
945  rcu_read_unlock();
946 }
947 
948 static inline struct audit_context *audit_get_context(struct task_struct *tsk,
949  int return_valid,
950  long return_code)
951 {
952  struct audit_context *context = tsk->audit_context;
953 
954  if (!context)
955  return NULL;
956  context->return_valid = return_valid;
957 
958  /*
959  * we need to fix up the return code in the audit logs if the actual
960  * return codes are later going to be fixed up by the arch specific
961  * signal handlers
962  *
963  * This is actually a test for:
964  * (rc == ERESTARTSYS ) || (rc == ERESTARTNOINTR) ||
965  * (rc == ERESTARTNOHAND) || (rc == ERESTART_RESTARTBLOCK)
966  *
967  * but is faster than a bunch of ||
968  */
969  if (unlikely(return_code <= -ERESTARTSYS) &&
970  (return_code >= -ERESTART_RESTARTBLOCK) &&
971  (return_code != -ENOIOCTLCMD))
972  context->return_code = -EINTR;
973  else
974  context->return_code = return_code;
975 
976  if (context->in_syscall && !context->dummy) {
977  audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_EXIT]);
978  audit_filter_inodes(tsk, context);
979  }
980 
981  tsk->audit_context = NULL;
982  return context;
983 }
984 
985 static inline void audit_free_names(struct audit_context *context)
986 {
987  struct audit_names *n, *next;
988 
989 #if AUDIT_DEBUG == 2
990  if (context->put_count + context->ino_count != context->name_count) {
991  printk(KERN_ERR "%s:%d(:%d): major=%d in_syscall=%d"
992  " name_count=%d put_count=%d"
993  " ino_count=%d [NOT freeing]\n",
994  __FILE__, __LINE__,
995  context->serial, context->major, context->in_syscall,
996  context->name_count, context->put_count,
997  context->ino_count);
998  list_for_each_entry(n, &context->names_list, list) {
999  printk(KERN_ERR "names[%d] = %p = %s\n", i,
1000  n->name, n->name->name ?: "(null)");
1001  }
1002  dump_stack();
1003  return;
1004  }
1005 #endif
1006 #if AUDIT_DEBUG
1007  context->put_count = 0;
1008  context->ino_count = 0;
1009 #endif
1010 
1011  list_for_each_entry_safe(n, next, &context->names_list, list) {
1012  list_del(&n->list);
1013  if (n->name && n->name_put)
1014  __putname(n->name);
1015  if (n->should_free)
1016  kfree(n);
1017  }
1018  context->name_count = 0;
1019  path_put(&context->pwd);
1020  context->pwd.dentry = NULL;
1021  context->pwd.mnt = NULL;
1022 }
1023 
1024 static inline void audit_free_aux(struct audit_context *context)
1025 {
1026  struct audit_aux_data *aux;
1027 
1028  while ((aux = context->aux)) {
1029  context->aux = aux->next;
1030  kfree(aux);
1031  }
1032  while ((aux = context->aux_pids)) {
1033  context->aux_pids = aux->next;
1034  kfree(aux);
1035  }
1036 }
1037 
1038 static inline void audit_zero_context(struct audit_context *context,
1039  enum audit_state state)
1040 {
1041  memset(context, 0, sizeof(*context));
1042  context->state = state;
1043  context->prio = state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0;
1044 }
1045 
1046 static inline struct audit_context *audit_alloc_context(enum audit_state state)
1047 {
1048  struct audit_context *context;
1049 
1050  if (!(context = kmalloc(sizeof(*context), GFP_KERNEL)))
1051  return NULL;
1052  audit_zero_context(context, state);
1053  INIT_LIST_HEAD(&context->killed_trees);
1054  INIT_LIST_HEAD(&context->names_list);
1055  return context;
1056 }
1057 
1067 int audit_alloc(struct task_struct *tsk)
1068 {
1069  struct audit_context *context;
1070  enum audit_state state;
1071  char *key = NULL;
1072 
1073  if (likely(!audit_ever_enabled))
1074  return 0; /* Return if not auditing. */
1075 
1076  state = audit_filter_task(tsk, &key);
1077  if (state == AUDIT_DISABLED)
1078  return 0;
1079 
1080  if (!(context = audit_alloc_context(state))) {
1081  kfree(key);
1082  audit_log_lost("out of memory in audit_alloc");
1083  return -ENOMEM;
1084  }
1085  context->filterkey = key;
1086 
1087  tsk->audit_context = context;
1088  set_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT);
1089  return 0;
1090 }
1091 
1092 static inline void audit_free_context(struct audit_context *context)
1093 {
1094  struct audit_context *previous;
1095  int count = 0;
1096 
1097  do {
1098  previous = context->previous;
1099  if (previous || (count && count < 10)) {
1100  ++count;
1101  printk(KERN_ERR "audit(:%d): major=%d name_count=%d:"
1102  " freeing multiple contexts (%d)\n",
1103  context->serial, context->major,
1104  context->name_count, count);
1105  }
1106  audit_free_names(context);
1107  unroll_tree_refs(context, NULL, 0);
1108  free_tree_refs(context);
1109  audit_free_aux(context);
1110  kfree(context->filterkey);
1111  kfree(context->sockaddr);
1112  kfree(context);
1113  context = previous;
1114  } while (context);
1115  if (count >= 10)
1116  printk(KERN_ERR "audit: freed %d contexts\n", count);
1117 }
1118 
1119 void audit_log_task_context(struct audit_buffer *ab)
1120 {
1121  char *ctx = NULL;
1122  unsigned len;
1123  int error;
1124  u32 sid;
1125 
1126  security_task_getsecid(current, &sid);
1127  if (!sid)
1128  return;
1129 
1130  error = security_secid_to_secctx(sid, &ctx, &len);
1131  if (error) {
1132  if (error != -EINVAL)
1133  goto error_path;
1134  return;
1135  }
1136 
1137  audit_log_format(ab, " subj=%s", ctx);
1138  security_release_secctx(ctx, len);
1139  return;
1140 
1141 error_path:
1142  audit_panic("error in audit_log_task_context");
1143  return;
1144 }
1145 
1146 EXPORT_SYMBOL(audit_log_task_context);
1147 
1148 void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
1149 {
1150  const struct cred *cred;
1151  char name[sizeof(tsk->comm)];
1152  struct mm_struct *mm = tsk->mm;
1153  char *tty;
1154 
1155  if (!ab)
1156  return;
1157 
1158  /* tsk == current */
1159  cred = current_cred();
1160 
1161  spin_lock_irq(&tsk->sighand->siglock);
1162  if (tsk->signal && tsk->signal->tty && tsk->signal->tty->name)
1163  tty = tsk->signal->tty->name;
1164  else
1165  tty = "(none)";
1166  spin_unlock_irq(&tsk->sighand->siglock);
1167 
1168 
1169  audit_log_format(ab,
1170  " ppid=%ld pid=%d auid=%u uid=%u gid=%u"
1171  " euid=%u suid=%u fsuid=%u"
1172  " egid=%u sgid=%u fsgid=%u ses=%u tty=%s",
1173  sys_getppid(),
1174  tsk->pid,
1175  from_kuid(&init_user_ns, tsk->loginuid),
1176  from_kuid(&init_user_ns, cred->uid),
1177  from_kgid(&init_user_ns, cred->gid),
1178  from_kuid(&init_user_ns, cred->euid),
1179  from_kuid(&init_user_ns, cred->suid),
1180  from_kuid(&init_user_ns, cred->fsuid),
1181  from_kgid(&init_user_ns, cred->egid),
1182  from_kgid(&init_user_ns, cred->sgid),
1183  from_kgid(&init_user_ns, cred->fsgid),
1184  tsk->sessionid, tty);
1185 
1186  get_task_comm(name, tsk);
1187  audit_log_format(ab, " comm=");
1188  audit_log_untrustedstring(ab, name);
1189 
1190  if (mm) {
1191  down_read(&mm->mmap_sem);
1192  if (mm->exe_file)
1193  audit_log_d_path(ab, " exe=", &mm->exe_file->f_path);
1194  up_read(&mm->mmap_sem);
1195  }
1196  audit_log_task_context(ab);
1197 }
1198 
1199 EXPORT_SYMBOL(audit_log_task_info);
1200 
1201 static int audit_log_pid_context(struct audit_context *context, pid_t pid,
1202  kuid_t auid, kuid_t uid, unsigned int sessionid,
1203  u32 sid, char *comm)
1204 {
1205  struct audit_buffer *ab;
1206  char *ctx = NULL;
1207  u32 len;
1208  int rc = 0;
1209 
1210  ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID);
1211  if (!ab)
1212  return rc;
1213 
1214  audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid,
1215  from_kuid(&init_user_ns, auid),
1216  from_kuid(&init_user_ns, uid), sessionid);
1217  if (security_secid_to_secctx(sid, &ctx, &len)) {
1218  audit_log_format(ab, " obj=(none)");
1219  rc = 1;
1220  } else {
1221  audit_log_format(ab, " obj=%s", ctx);
1222  security_release_secctx(ctx, len);
1223  }
1224  audit_log_format(ab, " ocomm=");
1225  audit_log_untrustedstring(ab, comm);
1226  audit_log_end(ab);
1227 
1228  return rc;
1229 }
1230 
1231 /*
1232  * to_send and len_sent accounting are very loose estimates. We aren't
1233  * really worried about a hard cap to MAX_EXECVE_AUDIT_LEN so much as being
1234  * within about 500 bytes (next page boundary)
1235  *
1236  * why snprintf? an int is up to 12 digits long. if we just assumed when
1237  * logging that a[%d]= was going to be 16 characters long we would be wasting
1238  * space in every audit message. In one 7500 byte message we can log up to
1239  * about 1000 min size arguments. That comes down to about 50% waste of space
1240  * if we didn't do the snprintf to find out how long arg_num_len was.
1241  */
1242 static int audit_log_single_execve_arg(struct audit_context *context,
1243  struct audit_buffer **ab,
1244  int arg_num,
1245  size_t *len_sent,
1246  const char __user *p,
1247  char *buf)
1248 {
1249  char arg_num_len_buf[12];
1250  const char __user *tmp_p = p;
1251  /* how many digits are in arg_num? 5 is the length of ' a=""' */
1252  size_t arg_num_len = snprintf(arg_num_len_buf, 12, "%d", arg_num) + 5;
1253  size_t len, len_left, to_send;
1254  size_t max_execve_audit_len = MAX_EXECVE_AUDIT_LEN;
1255  unsigned int i, has_cntl = 0, too_long = 0;
1256  int ret;
1257 
1258  /* strnlen_user includes the null we don't want to send */
1259  len_left = len = strnlen_user(p, MAX_ARG_STRLEN) - 1;
1260 
1261  /*
1262  * We just created this mm, if we can't find the strings
1263  * we just copied into it something is _very_ wrong. Similar
1264  * for strings that are too long, we should not have created
1265  * any.
1266  */
1267  if (unlikely((len == -1) || len > MAX_ARG_STRLEN - 1)) {
1268  WARN_ON(1);
1269  send_sig(SIGKILL, current, 0);
1270  return -1;
1271  }
1272 
1273  /* walk the whole argument looking for non-ascii chars */
1274  do {
1275  if (len_left > MAX_EXECVE_AUDIT_LEN)
1276  to_send = MAX_EXECVE_AUDIT_LEN;
1277  else
1278  to_send = len_left;
1279  ret = copy_from_user(buf, tmp_p, to_send);
1280  /*
1281  * There is no reason for this copy to be short. We just
1282  * copied them here, and the mm hasn't been exposed to user-
1283  * space yet.
1284  */
1285  if (ret) {
1286  WARN_ON(1);
1287  send_sig(SIGKILL, current, 0);
1288  return -1;
1289  }
1290  buf[to_send] = '\0';
1291  has_cntl = audit_string_contains_control(buf, to_send);
1292  if (has_cntl) {
1293  /*
1294  * hex messages get logged as 2 bytes, so we can only
1295  * send half as much in each message
1296  */
1297  max_execve_audit_len = MAX_EXECVE_AUDIT_LEN / 2;
1298  break;
1299  }
1300  len_left -= to_send;
1301  tmp_p += to_send;
1302  } while (len_left > 0);
1303 
1304  len_left = len;
1305 
1306  if (len > max_execve_audit_len)
1307  too_long = 1;
1308 
1309  /* rewalk the argument actually logging the message */
1310  for (i = 0; len_left > 0; i++) {
1311  int room_left;
1312 
1313  if (len_left > max_execve_audit_len)
1314  to_send = max_execve_audit_len;
1315  else
1316  to_send = len_left;
1317 
1318  /* do we have space left to send this argument in this ab? */
1319  room_left = MAX_EXECVE_AUDIT_LEN - arg_num_len - *len_sent;
1320  if (has_cntl)
1321  room_left -= (to_send * 2);
1322  else
1323  room_left -= to_send;
1324  if (room_left < 0) {
1325  *len_sent = 0;
1326  audit_log_end(*ab);
1327  *ab = audit_log_start(context, GFP_KERNEL, AUDIT_EXECVE);
1328  if (!*ab)
1329  return 0;
1330  }
1331 
1332  /*
1333  * first record needs to say how long the original string was
1334  * so we can be sure nothing was lost.
1335  */
1336  if ((i == 0) && (too_long))
1337  audit_log_format(*ab, " a%d_len=%zu", arg_num,
1338  has_cntl ? 2*len : len);
1339 
1340  /*
1341  * normally arguments are small enough to fit and we already
1342  * filled buf above when we checked for control characters
1343  * so don't bother with another copy_from_user
1344  */
1345  if (len >= max_execve_audit_len)
1346  ret = copy_from_user(buf, p, to_send);
1347  else
1348  ret = 0;
1349  if (ret) {
1350  WARN_ON(1);
1351  send_sig(SIGKILL, current, 0);
1352  return -1;
1353  }
1354  buf[to_send] = '\0';
1355 
1356  /* actually log it */
1357  audit_log_format(*ab, " a%d", arg_num);
1358  if (too_long)
1359  audit_log_format(*ab, "[%d]", i);
1360  audit_log_format(*ab, "=");
1361  if (has_cntl)
1362  audit_log_n_hex(*ab, buf, to_send);
1363  else
1364  audit_log_string(*ab, buf);
1365 
1366  p += to_send;
1367  len_left -= to_send;
1368  *len_sent += arg_num_len;
1369  if (has_cntl)
1370  *len_sent += to_send * 2;
1371  else
1372  *len_sent += to_send;
1373  }
1374  /* include the null we didn't log */
1375  return len + 1;
1376 }
1377 
1378 static void audit_log_execve_info(struct audit_context *context,
1379  struct audit_buffer **ab,
1380  struct audit_aux_data_execve *axi)
1381 {
1382  int i, len;
1383  size_t len_sent = 0;
1384  const char __user *p;
1385  char *buf;
1386 
1387  if (axi->mm != current->mm)
1388  return; /* execve failed, no additional info */
1389 
1390  p = (const char __user *)axi->mm->arg_start;
1391 
1392  audit_log_format(*ab, "argc=%d", axi->argc);
1393 
1394  /*
1395  * we need some kernel buffer to hold the userspace args. Just
1396  * allocate one big one rather than allocating one of the right size
1397  * for every single argument inside audit_log_single_execve_arg()
1398  * should be <8k allocation so should be pretty safe.
1399  */
1400  buf = kmalloc(MAX_EXECVE_AUDIT_LEN + 1, GFP_KERNEL);
1401  if (!buf) {
1402  audit_panic("out of memory for argv string\n");
1403  return;
1404  }
1405 
1406  for (i = 0; i < axi->argc; i++) {
1407  len = audit_log_single_execve_arg(context, ab, i,
1408  &len_sent, p, buf);
1409  if (len <= 0)
1410  break;
1411  p += len;
1412  }
1413  kfree(buf);
1414 }
1415 
1416 static void audit_log_cap(struct audit_buffer *ab, char *prefix, kernel_cap_t *cap)
1417 {
1418  int i;
1419 
1420  audit_log_format(ab, " %s=", prefix);
1421  CAP_FOR_EACH_U32(i) {
1422  audit_log_format(ab, "%08x", cap->cap[(_KERNEL_CAPABILITY_U32S-1) - i]);
1423  }
1424 }
1425 
1426 static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name)
1427 {
1428  kernel_cap_t *perm = &name->fcap.permitted;
1429  kernel_cap_t *inh = &name->fcap.inheritable;
1430  int log = 0;
1431 
1432  if (!cap_isclear(*perm)) {
1433  audit_log_cap(ab, "cap_fp", perm);
1434  log = 1;
1435  }
1436  if (!cap_isclear(*inh)) {
1437  audit_log_cap(ab, "cap_fi", inh);
1438  log = 1;
1439  }
1440 
1441  if (log)
1442  audit_log_format(ab, " cap_fe=%d cap_fver=%x", name->fcap.fE, name->fcap_ver);
1443 }
1444 
1445 static void show_special(struct audit_context *context, int *call_panic)
1446 {
1447  struct audit_buffer *ab;
1448  int i;
1449 
1450  ab = audit_log_start(context, GFP_KERNEL, context->type);
1451  if (!ab)
1452  return;
1453 
1454  switch (context->type) {
1455  case AUDIT_SOCKETCALL: {
1456  int nargs = context->socketcall.nargs;
1457  audit_log_format(ab, "nargs=%d", nargs);
1458  for (i = 0; i < nargs; i++)
1459  audit_log_format(ab, " a%d=%lx", i,
1460  context->socketcall.args[i]);
1461  break; }
1462  case AUDIT_IPC: {
1463  u32 osid = context->ipc.osid;
1464 
1465  audit_log_format(ab, "ouid=%u ogid=%u mode=%#ho",
1466  from_kuid(&init_user_ns, context->ipc.uid),
1467  from_kgid(&init_user_ns, context->ipc.gid),
1468  context->ipc.mode);
1469  if (osid) {
1470  char *ctx = NULL;
1471  u32 len;
1472  if (security_secid_to_secctx(osid, &ctx, &len)) {
1473  audit_log_format(ab, " osid=%u", osid);
1474  *call_panic = 1;
1475  } else {
1476  audit_log_format(ab, " obj=%s", ctx);
1477  security_release_secctx(ctx, len);
1478  }
1479  }
1480  if (context->ipc.has_perm) {
1481  audit_log_end(ab);
1482  ab = audit_log_start(context, GFP_KERNEL,
1483  AUDIT_IPC_SET_PERM);
1484  audit_log_format(ab,
1485  "qbytes=%lx ouid=%u ogid=%u mode=%#ho",
1486  context->ipc.qbytes,
1487  context->ipc.perm_uid,
1488  context->ipc.perm_gid,
1489  context->ipc.perm_mode);
1490  if (!ab)
1491  return;
1492  }
1493  break; }
1494  case AUDIT_MQ_OPEN: {
1495  audit_log_format(ab,
1496  "oflag=0x%x mode=%#ho mq_flags=0x%lx mq_maxmsg=%ld "
1497  "mq_msgsize=%ld mq_curmsgs=%ld",
1498  context->mq_open.oflag, context->mq_open.mode,
1499  context->mq_open.attr.mq_flags,
1500  context->mq_open.attr.mq_maxmsg,
1501  context->mq_open.attr.mq_msgsize,
1502  context->mq_open.attr.mq_curmsgs);
1503  break; }
1504  case AUDIT_MQ_SENDRECV: {
1505  audit_log_format(ab,
1506  "mqdes=%d msg_len=%zd msg_prio=%u "
1507  "abs_timeout_sec=%ld abs_timeout_nsec=%ld",
1508  context->mq_sendrecv.mqdes,
1509  context->mq_sendrecv.msg_len,
1510  context->mq_sendrecv.msg_prio,
1511  context->mq_sendrecv.abs_timeout.tv_sec,
1512  context->mq_sendrecv.abs_timeout.tv_nsec);
1513  break; }
1514  case AUDIT_MQ_NOTIFY: {
1515  audit_log_format(ab, "mqdes=%d sigev_signo=%d",
1516  context->mq_notify.mqdes,
1517  context->mq_notify.sigev_signo);
1518  break; }
1519  case AUDIT_MQ_GETSETATTR: {
1520  struct mq_attr *attr = &context->mq_getsetattr.mqstat;
1521  audit_log_format(ab,
1522  "mqdes=%d mq_flags=0x%lx mq_maxmsg=%ld mq_msgsize=%ld "
1523  "mq_curmsgs=%ld ",
1524  context->mq_getsetattr.mqdes,
1525  attr->mq_flags, attr->mq_maxmsg,
1526  attr->mq_msgsize, attr->mq_curmsgs);
1527  break; }
1528  case AUDIT_CAPSET: {
1529  audit_log_format(ab, "pid=%d", context->capset.pid);
1530  audit_log_cap(ab, "cap_pi", &context->capset.cap.inheritable);
1531  audit_log_cap(ab, "cap_pp", &context->capset.cap.permitted);
1532  audit_log_cap(ab, "cap_pe", &context->capset.cap.effective);
1533  break; }
1534  case AUDIT_MMAP: {
1535  audit_log_format(ab, "fd=%d flags=0x%x", context->mmap.fd,
1536  context->mmap.flags);
1537  break; }
1538  }
1539  audit_log_end(ab);
1540 }
1541 
1542 static void audit_log_name(struct audit_context *context, struct audit_names *n,
1543  int record_num, int *call_panic)
1544 {
1545  struct audit_buffer *ab;
1546  ab = audit_log_start(context, GFP_KERNEL, AUDIT_PATH);
1547  if (!ab)
1548  return; /* audit_panic has been called */
1549 
1550  audit_log_format(ab, "item=%d", record_num);
1551 
1552  if (n->name) {
1553  switch (n->name_len) {
1554  case AUDIT_NAME_FULL:
1555  /* log the full path */
1556  audit_log_format(ab, " name=");
1557  audit_log_untrustedstring(ab, n->name->name);
1558  break;
1559  case 0:
1560  /* name was specified as a relative path and the
1561  * directory component is the cwd */
1562  audit_log_d_path(ab, " name=", &context->pwd);
1563  break;
1564  default:
1565  /* log the name's directory component */
1566  audit_log_format(ab, " name=");
1567  audit_log_n_untrustedstring(ab, n->name->name,
1568  n->name_len);
1569  }
1570  } else
1571  audit_log_format(ab, " name=(null)");
1572 
1573  if (n->ino != (unsigned long)-1) {
1574  audit_log_format(ab, " inode=%lu"
1575  " dev=%02x:%02x mode=%#ho"
1576  " ouid=%u ogid=%u rdev=%02x:%02x",
1577  n->ino,
1578  MAJOR(n->dev),
1579  MINOR(n->dev),
1580  n->mode,
1581  from_kuid(&init_user_ns, n->uid),
1582  from_kgid(&init_user_ns, n->gid),
1583  MAJOR(n->rdev),
1584  MINOR(n->rdev));
1585  }
1586  if (n->osid != 0) {
1587  char *ctx = NULL;
1588  u32 len;
1589  if (security_secid_to_secctx(
1590  n->osid, &ctx, &len)) {
1591  audit_log_format(ab, " osid=%u", n->osid);
1592  *call_panic = 2;
1593  } else {
1594  audit_log_format(ab, " obj=%s", ctx);
1595  security_release_secctx(ctx, len);
1596  }
1597  }
1598 
1599  audit_log_fcaps(ab, n);
1600 
1601  audit_log_end(ab);
1602 }
1603 
1604 static void audit_log_exit(struct audit_context *context, struct task_struct *tsk)
1605 {
1606  int i, call_panic = 0;
1607  struct audit_buffer *ab;
1608  struct audit_aux_data *aux;
1609  struct audit_names *n;
1610 
1611  /* tsk == current */
1612  context->personality = tsk->personality;
1613 
1614  ab = audit_log_start(context, GFP_KERNEL, AUDIT_SYSCALL);
1615  if (!ab)
1616  return; /* audit_panic has been called */
1617  audit_log_format(ab, "arch=%x syscall=%d",
1618  context->arch, context->major);
1619  if (context->personality != PER_LINUX)
1620  audit_log_format(ab, " per=%lx", context->personality);
1621  if (context->return_valid)
1622  audit_log_format(ab, " success=%s exit=%ld",
1623  (context->return_valid==AUDITSC_SUCCESS)?"yes":"no",
1624  context->return_code);
1625 
1626  audit_log_format(ab,
1627  " a0=%lx a1=%lx a2=%lx a3=%lx items=%d",
1628  context->argv[0],
1629  context->argv[1],
1630  context->argv[2],
1631  context->argv[3],
1632  context->name_count);
1633 
1634  audit_log_task_info(ab, tsk);
1635  audit_log_key(ab, context->filterkey);
1636  audit_log_end(ab);
1637 
1638  for (aux = context->aux; aux; aux = aux->next) {
1639 
1640  ab = audit_log_start(context, GFP_KERNEL, aux->type);
1641  if (!ab)
1642  continue; /* audit_panic has been called */
1643 
1644  switch (aux->type) {
1645 
1646  case AUDIT_EXECVE: {
1647  struct audit_aux_data_execve *axi = (void *)aux;
1648  audit_log_execve_info(context, &ab, axi);
1649  break; }
1650 
1651  case AUDIT_BPRM_FCAPS: {
1652  struct audit_aux_data_bprm_fcaps *axs = (void *)aux;
1653  audit_log_format(ab, "fver=%x", axs->fcap_ver);
1654  audit_log_cap(ab, "fp", &axs->fcap.permitted);
1655  audit_log_cap(ab, "fi", &axs->fcap.inheritable);
1656  audit_log_format(ab, " fe=%d", axs->fcap.fE);
1657  audit_log_cap(ab, "old_pp", &axs->old_pcap.permitted);
1658  audit_log_cap(ab, "old_pi", &axs->old_pcap.inheritable);
1659  audit_log_cap(ab, "old_pe", &axs->old_pcap.effective);
1660  audit_log_cap(ab, "new_pp", &axs->new_pcap.permitted);
1661  audit_log_cap(ab, "new_pi", &axs->new_pcap.inheritable);
1662  audit_log_cap(ab, "new_pe", &axs->new_pcap.effective);
1663  break; }
1664 
1665  }
1666  audit_log_end(ab);
1667  }
1668 
1669  if (context->type)
1670  show_special(context, &call_panic);
1671 
1672  if (context->fds[0] >= 0) {
1673  ab = audit_log_start(context, GFP_KERNEL, AUDIT_FD_PAIR);
1674  if (ab) {
1675  audit_log_format(ab, "fd0=%d fd1=%d",
1676  context->fds[0], context->fds[1]);
1677  audit_log_end(ab);
1678  }
1679  }
1680 
1681  if (context->sockaddr_len) {
1682  ab = audit_log_start(context, GFP_KERNEL, AUDIT_SOCKADDR);
1683  if (ab) {
1684  audit_log_format(ab, "saddr=");
1685  audit_log_n_hex(ab, (void *)context->sockaddr,
1686  context->sockaddr_len);
1687  audit_log_end(ab);
1688  }
1689  }
1690 
1691  for (aux = context->aux_pids; aux; aux = aux->next) {
1692  struct audit_aux_data_pids *axs = (void *)aux;
1693 
1694  for (i = 0; i < axs->pid_count; i++)
1695  if (audit_log_pid_context(context, axs->target_pid[i],
1696  axs->target_auid[i],
1697  axs->target_uid[i],
1698  axs->target_sessionid[i],
1699  axs->target_sid[i],
1700  axs->target_comm[i]))
1701  call_panic = 1;
1702  }
1703 
1704  if (context->target_pid &&
1705  audit_log_pid_context(context, context->target_pid,
1706  context->target_auid, context->target_uid,
1707  context->target_sessionid,
1708  context->target_sid, context->target_comm))
1709  call_panic = 1;
1710 
1711  if (context->pwd.dentry && context->pwd.mnt) {
1712  ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD);
1713  if (ab) {
1714  audit_log_d_path(ab, " cwd=", &context->pwd);
1715  audit_log_end(ab);
1716  }
1717  }
1718 
1719  i = 0;
1720  list_for_each_entry(n, &context->names_list, list)
1721  audit_log_name(context, n, i++, &call_panic);
1722 
1723  /* Send end of event record to help user space know we are finished */
1724  ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE);
1725  if (ab)
1726  audit_log_end(ab);
1727  if (call_panic)
1728  audit_panic("error converting sid to string");
1729 }
1730 
1737 void __audit_free(struct task_struct *tsk)
1738 {
1739  struct audit_context *context;
1740 
1741  context = audit_get_context(tsk, 0, 0);
1742  if (!context)
1743  return;
1744 
1745  /* Check for system calls that do not go through the exit
1746  * function (e.g., exit_group), then free context block.
1747  * We use GFP_ATOMIC here because we might be doing this
1748  * in the context of the idle thread */
1749  /* that can happen only if we are called from do_exit() */
1750  if (context->in_syscall && context->current_state == AUDIT_RECORD_CONTEXT)
1751  audit_log_exit(context, tsk);
1752  if (!list_empty(&context->killed_trees))
1753  audit_kill_trees(&context->killed_trees);
1754 
1755  audit_free_context(context);
1756 }
1757 
1775 void __audit_syscall_entry(int arch, int major,
1776  unsigned long a1, unsigned long a2,
1777  unsigned long a3, unsigned long a4)
1778 {
1779  struct task_struct *tsk = current;
1780  struct audit_context *context = tsk->audit_context;
1781  enum audit_state state;
1782 
1783  if (!context)
1784  return;
1785 
1786  /*
1787  * This happens only on certain architectures that make system
1788  * calls in kernel_thread via the entry.S interface, instead of
1789  * with direct calls. (If you are porting to a new
1790  * architecture, hitting this condition can indicate that you
1791  * got the _exit/_leave calls backward in entry.S.)
1792  *
1793  * i386 no
1794  * x86_64 no
1795  * ppc64 yes (see arch/powerpc/platforms/iseries/misc.S)
1796  *
1797  * This also happens with vm86 emulation in a non-nested manner
1798  * (entries without exits), so this case must be caught.
1799  */
1800  if (context->in_syscall) {
1801  struct audit_context *newctx;
1802 
1803 #if AUDIT_DEBUG
1804  printk(KERN_ERR
1805  "audit(:%d) pid=%d in syscall=%d;"
1806  " entering syscall=%d\n",
1807  context->serial, tsk->pid, context->major, major);
1808 #endif
1809  newctx = audit_alloc_context(context->state);
1810  if (newctx) {
1811  newctx->previous = context;
1812  context = newctx;
1813  tsk->audit_context = newctx;
1814  } else {
1815  /* If we can't alloc a new context, the best we
1816  * can do is to leak memory (any pending putname
1817  * will be lost). The only other alternative is
1818  * to abandon auditing. */
1819  audit_zero_context(context, context->state);
1820  }
1821  }
1822  BUG_ON(context->in_syscall || context->name_count);
1823 
1824  if (!audit_enabled)
1825  return;
1826 
1827  context->arch = arch;
1828  context->major = major;
1829  context->argv[0] = a1;
1830  context->argv[1] = a2;
1831  context->argv[2] = a3;
1832  context->argv[3] = a4;
1833 
1834  state = context->state;
1835  context->dummy = !audit_n_rules;
1836  if (!context->dummy && state == AUDIT_BUILD_CONTEXT) {
1837  context->prio = 0;
1838  state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_ENTRY]);
1839  }
1840  if (state == AUDIT_DISABLED)
1841  return;
1842 
1843  context->serial = 0;
1844  context->ctime = CURRENT_TIME;
1845  context->in_syscall = 1;
1846  context->current_state = state;
1847  context->ppid = 0;
1848 }
1849 
1861 void __audit_syscall_exit(int success, long return_code)
1862 {
1863  struct task_struct *tsk = current;
1864  struct audit_context *context;
1865 
1866  if (success)
1867  success = AUDITSC_SUCCESS;
1868  else
1869  success = AUDITSC_FAILURE;
1870 
1871  context = audit_get_context(tsk, success, return_code);
1872  if (!context)
1873  return;
1874 
1875  if (context->in_syscall && context->current_state == AUDIT_RECORD_CONTEXT)
1876  audit_log_exit(context, tsk);
1877 
1878  context->in_syscall = 0;
1879  context->prio = context->state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0;
1880 
1881  if (!list_empty(&context->killed_trees))
1882  audit_kill_trees(&context->killed_trees);
1883 
1884  if (context->previous) {
1885  struct audit_context *new_context = context->previous;
1886  context->previous = NULL;
1887  audit_free_context(context);
1888  tsk->audit_context = new_context;
1889  } else {
1890  audit_free_names(context);
1891  unroll_tree_refs(context, NULL, 0);
1892  audit_free_aux(context);
1893  context->aux = NULL;
1894  context->aux_pids = NULL;
1895  context->target_pid = 0;
1896  context->target_sid = 0;
1897  context->sockaddr_len = 0;
1898  context->type = 0;
1899  context->fds[0] = -1;
1900  if (context->state != AUDIT_RECORD_CONTEXT) {
1901  kfree(context->filterkey);
1902  context->filterkey = NULL;
1903  }
1904  tsk->audit_context = context;
1905  }
1906 }
1907 
1908 static inline void handle_one(const struct inode *inode)
1909 {
1910 #ifdef CONFIG_AUDIT_TREE
1911  struct audit_context *context;
1912  struct audit_tree_refs *p;
1913  struct audit_chunk *chunk;
1914  int count;
1915  if (likely(hlist_empty(&inode->i_fsnotify_marks)))
1916  return;
1917  context = current->audit_context;
1918  p = context->trees;
1919  count = context->tree_count;
1920  rcu_read_lock();
1921  chunk = audit_tree_lookup(inode);
1922  rcu_read_unlock();
1923  if (!chunk)
1924  return;
1925  if (likely(put_tree_ref(context, chunk)))
1926  return;
1927  if (unlikely(!grow_tree_refs(context))) {
1928  printk(KERN_WARNING "out of memory, audit has lost a tree reference\n");
1929  audit_set_auditable(context);
1930  audit_put_chunk(chunk);
1931  unroll_tree_refs(context, p, count);
1932  return;
1933  }
1934  put_tree_ref(context, chunk);
1935 #endif
1936 }
1937 
1938 static void handle_path(const struct dentry *dentry)
1939 {
1940 #ifdef CONFIG_AUDIT_TREE
1941  struct audit_context *context;
1942  struct audit_tree_refs *p;
1943  const struct dentry *d, *parent;
1944  struct audit_chunk *drop;
1945  unsigned long seq;
1946  int count;
1947 
1948  context = current->audit_context;
1949  p = context->trees;
1950  count = context->tree_count;
1951 retry:
1952  drop = NULL;
1953  d = dentry;
1954  rcu_read_lock();
1955  seq = read_seqbegin(&rename_lock);
1956  for(;;) {
1957  struct inode *inode = d->d_inode;
1958  if (inode && unlikely(!hlist_empty(&inode->i_fsnotify_marks))) {
1959  struct audit_chunk *chunk;
1960  chunk = audit_tree_lookup(inode);
1961  if (chunk) {
1962  if (unlikely(!put_tree_ref(context, chunk))) {
1963  drop = chunk;
1964  break;
1965  }
1966  }
1967  }
1968  parent = d->d_parent;
1969  if (parent == d)
1970  break;
1971  d = parent;
1972  }
1973  if (unlikely(read_seqretry(&rename_lock, seq) || drop)) { /* in this order */
1974  rcu_read_unlock();
1975  if (!drop) {
1976  /* just a race with rename */
1977  unroll_tree_refs(context, p, count);
1978  goto retry;
1979  }
1980  audit_put_chunk(drop);
1981  if (grow_tree_refs(context)) {
1982  /* OK, got more space */
1983  unroll_tree_refs(context, p, count);
1984  goto retry;
1985  }
1986  /* too bad */
1987  printk(KERN_WARNING
1988  "out of memory, audit has lost a tree reference\n");
1989  unroll_tree_refs(context, p, count);
1990  audit_set_auditable(context);
1991  return;
1992  }
1993  rcu_read_unlock();
1994 #endif
1995 }
1996 
1997 static struct audit_names *audit_alloc_name(struct audit_context *context,
1998  unsigned char type)
1999 {
2000  struct audit_names *aname;
2001 
2002  if (context->name_count < AUDIT_NAMES) {
2003  aname = &context->preallocated_names[context->name_count];
2004  memset(aname, 0, sizeof(*aname));
2005  } else {
2006  aname = kzalloc(sizeof(*aname), GFP_NOFS);
2007  if (!aname)
2008  return NULL;
2009  aname->should_free = true;
2010  }
2011 
2012  aname->ino = (unsigned long)-1;
2013  aname->type = type;
2014  list_add_tail(&aname->list, &context->names_list);
2015 
2016  context->name_count++;
2017 #if AUDIT_DEBUG
2018  context->ino_count++;
2019 #endif
2020  return aname;
2021 }
2022 
2031 struct filename *
2032 __audit_reusename(const __user char *uptr)
2033 {
2034  struct audit_context *context = current->audit_context;
2035  struct audit_names *n;
2036 
2037  list_for_each_entry(n, &context->names_list, list) {
2038  if (!n->name)
2039  continue;
2040  if (n->name->uptr == uptr)
2041  return n->name;
2042  }
2043  return NULL;
2044 }
2045 
2053 void __audit_getname(struct filename *name)
2054 {
2055  struct audit_context *context = current->audit_context;
2056  struct audit_names *n;
2057 
2058  if (!context->in_syscall) {
2059 #if AUDIT_DEBUG == 2
2060  printk(KERN_ERR "%s:%d(:%d): ignoring getname(%p)\n",
2061  __FILE__, __LINE__, context->serial, name);
2062  dump_stack();
2063 #endif
2064  return;
2065  }
2066 
2067 #if AUDIT_DEBUG
2068  /* The filename _must_ have a populated ->name */
2069  BUG_ON(!name->name);
2070 #endif
2071 
2072  n = audit_alloc_name(context, AUDIT_TYPE_UNKNOWN);
2073  if (!n)
2074  return;
2075 
2076  n->name = name;
2077  n->name_len = AUDIT_NAME_FULL;
2078  n->name_put = true;
2079  name->aname = n;
2080 
2081  if (!context->pwd.dentry)
2082  get_fs_pwd(current->fs, &context->pwd);
2083 }
2084 
2085 /* audit_putname - intercept a putname request
2086  * @name: name to intercept and delay for putname
2087  *
2088  * If we have stored the name from getname in the audit context,
2089  * then we delay the putname until syscall exit.
2090  * Called from include/linux/fs.h:putname().
2091  */
2092 void audit_putname(struct filename *name)
2093 {
2094  struct audit_context *context = current->audit_context;
2095 
2096  BUG_ON(!context);
2097  if (!context->in_syscall) {
2098 #if AUDIT_DEBUG == 2
2099  printk(KERN_ERR "%s:%d(:%d): __putname(%p)\n",
2100  __FILE__, __LINE__, context->serial, name);
2101  if (context->name_count) {
2102  struct audit_names *n;
2103  int i;
2104 
2105  list_for_each_entry(n, &context->names_list, list)
2106  printk(KERN_ERR "name[%d] = %p = %s\n", i,
2107  n->name, n->name->name ?: "(null)");
2108  }
2109 #endif
2110  __putname(name);
2111  }
2112 #if AUDIT_DEBUG
2113  else {
2114  ++context->put_count;
2115  if (context->put_count > context->name_count) {
2116  printk(KERN_ERR "%s:%d(:%d): major=%d"
2117  " in_syscall=%d putname(%p) name_count=%d"
2118  " put_count=%d\n",
2119  __FILE__, __LINE__,
2120  context->serial, context->major,
2121  context->in_syscall, name->name,
2122  context->name_count, context->put_count);
2123  dump_stack();
2124  }
2125  }
2126 #endif
2127 }
2128 
2129 static inline int audit_copy_fcaps(struct audit_names *name, const struct dentry *dentry)
2130 {
2131  struct cpu_vfs_cap_data caps;
2132  int rc;
2133 
2134  if (!dentry)
2135  return 0;
2136 
2137  rc = get_vfs_caps_from_disk(dentry, &caps);
2138  if (rc)
2139  return rc;
2140 
2141  name->fcap.permitted = caps.permitted;
2142  name->fcap.inheritable = caps.inheritable;
2143  name->fcap.fE = !!(caps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE);
2144  name->fcap_ver = (caps.magic_etc & VFS_CAP_REVISION_MASK) >> VFS_CAP_REVISION_SHIFT;
2145 
2146  return 0;
2147 }
2148 
2149 
2150 /* Copy inode data into an audit_names. */
2151 static void audit_copy_inode(struct audit_names *name, const struct dentry *dentry,
2152  const struct inode *inode)
2153 {
2154  name->ino = inode->i_ino;
2155  name->dev = inode->i_sb->s_dev;
2156  name->mode = inode->i_mode;
2157  name->uid = inode->i_uid;
2158  name->gid = inode->i_gid;
2159  name->rdev = inode->i_rdev;
2160  security_inode_getsecid(inode, &name->osid);
2161  audit_copy_fcaps(name, dentry);
2162 }
2163 
2170 void __audit_inode(struct filename *name, const struct dentry *dentry,
2171  unsigned int parent)
2172 {
2173  struct audit_context *context = current->audit_context;
2174  const struct inode *inode = dentry->d_inode;
2175  struct audit_names *n;
2176 
2177  if (!context->in_syscall)
2178  return;
2179 
2180  if (!name)
2181  goto out_alloc;
2182 
2183 #if AUDIT_DEBUG
2184  /* The struct filename _must_ have a populated ->name */
2185  BUG_ON(!name->name);
2186 #endif
2187  /*
2188  * If we have a pointer to an audit_names entry already, then we can
2189  * just use it directly if the type is correct.
2190  */
2191  n = name->aname;
2192  if (n) {
2193  if (parent) {
2194  if (n->type == AUDIT_TYPE_PARENT ||
2195  n->type == AUDIT_TYPE_UNKNOWN)
2196  goto out;
2197  } else {
2198  if (n->type != AUDIT_TYPE_PARENT)
2199  goto out;
2200  }
2201  }
2202 
2203  list_for_each_entry_reverse(n, &context->names_list, list) {
2204  /* does the name pointer match? */
2205  if (!n->name || n->name->name != name->name)
2206  continue;
2207 
2208  /* match the correct record type */
2209  if (parent) {
2210  if (n->type == AUDIT_TYPE_PARENT ||
2211  n->type == AUDIT_TYPE_UNKNOWN)
2212  goto out;
2213  } else {
2214  if (n->type != AUDIT_TYPE_PARENT)
2215  goto out;
2216  }
2217  }
2218 
2219 out_alloc:
2220  /* unable to find the name from a previous getname(). Allocate a new
2221  * anonymous entry.
2222  */
2223  n = audit_alloc_name(context, AUDIT_TYPE_NORMAL);
2224  if (!n)
2225  return;
2226 out:
2227  if (parent) {
2228  n->name_len = n->name ? parent_len(n->name->name) : AUDIT_NAME_FULL;
2229  n->type = AUDIT_TYPE_PARENT;
2230  } else {
2231  n->name_len = AUDIT_NAME_FULL;
2232  n->type = AUDIT_TYPE_NORMAL;
2233  }
2234  handle_path(dentry);
2235  audit_copy_inode(n, dentry, inode);
2236 }
2237 
2252 void __audit_inode_child(const struct inode *parent,
2253  const struct dentry *dentry,
2254  const unsigned char type)
2255 {
2256  struct audit_context *context = current->audit_context;
2257  const struct inode *inode = dentry->d_inode;
2258  const char *dname = dentry->d_name.name;
2259  struct audit_names *n, *found_parent = NULL, *found_child = NULL;
2260 
2261  if (!context->in_syscall)
2262  return;
2263 
2264  if (inode)
2265  handle_one(inode);
2266 
2267  /* look for a parent entry first */
2268  list_for_each_entry(n, &context->names_list, list) {
2269  if (!n->name || n->type != AUDIT_TYPE_PARENT)
2270  continue;
2271 
2272  if (n->ino == parent->i_ino &&
2273  !audit_compare_dname_path(dname, n->name->name, n->name_len)) {
2274  found_parent = n;
2275  break;
2276  }
2277  }
2278 
2279  /* is there a matching child entry? */
2280  list_for_each_entry(n, &context->names_list, list) {
2281  /* can only match entries that have a name */
2282  if (!n->name || n->type != type)
2283  continue;
2284 
2285  /* if we found a parent, make sure this one is a child of it */
2286  if (found_parent && (n->name != found_parent->name))
2287  continue;
2288 
2289  if (!strcmp(dname, n->name->name) ||
2290  !audit_compare_dname_path(dname, n->name->name,
2291  found_parent ?
2292  found_parent->name_len :
2293  AUDIT_NAME_FULL)) {
2294  found_child = n;
2295  break;
2296  }
2297  }
2298 
2299  if (!found_parent) {
2300  /* create a new, "anonymous" parent record */
2301  n = audit_alloc_name(context, AUDIT_TYPE_PARENT);
2302  if (!n)
2303  return;
2304  audit_copy_inode(n, NULL, parent);
2305  }
2306 
2307  if (!found_child) {
2308  found_child = audit_alloc_name(context, type);
2309  if (!found_child)
2310  return;
2311 
2312  /* Re-use the name belonging to the slot for a matching parent
2313  * directory. All names for this context are relinquished in
2314  * audit_free_names() */
2315  if (found_parent) {
2316  found_child->name = found_parent->name;
2317  found_child->name_len = AUDIT_NAME_FULL;
2318  /* don't call __putname() */
2319  found_child->name_put = false;
2320  }
2321  }
2322  if (inode)
2323  audit_copy_inode(found_child, dentry, inode);
2324  else
2325  found_child->ino = (unsigned long)-1;
2326 }
2327 EXPORT_SYMBOL_GPL(__audit_inode_child);
2328 
2337 int auditsc_get_stamp(struct audit_context *ctx,
2338  struct timespec *t, unsigned int *serial)
2339 {
2340  if (!ctx->in_syscall)
2341  return 0;
2342  if (!ctx->serial)
2343  ctx->serial = audit_serial();
2344  t->tv_sec = ctx->ctime.tv_sec;
2345  t->tv_nsec = ctx->ctime.tv_nsec;
2346  *serial = ctx->serial;
2347  if (!ctx->prio) {
2348  ctx->prio = 1;
2349  ctx->current_state = AUDIT_RECORD_CONTEXT;
2350  }
2351  return 1;
2352 }
2353 
2354 /* global counter which is incremented every time something logs in */
2355 static atomic_t session_id = ATOMIC_INIT(0);
2356 
2365 int audit_set_loginuid(kuid_t loginuid)
2366 {
2367  struct task_struct *task = current;
2368  struct audit_context *context = task->audit_context;
2369  unsigned int sessionid;
2370 
2371 #ifdef CONFIG_AUDIT_LOGINUID_IMMUTABLE
2372  if (uid_valid(task->loginuid))
2373  return -EPERM;
2374 #else /* CONFIG_AUDIT_LOGINUID_IMMUTABLE */
2375  if (!capable(CAP_AUDIT_CONTROL))
2376  return -EPERM;
2377 #endif /* CONFIG_AUDIT_LOGINUID_IMMUTABLE */
2378 
2379  sessionid = atomic_inc_return(&session_id);
2380  if (context && context->in_syscall) {
2381  struct audit_buffer *ab;
2382 
2383  ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN);
2384  if (ab) {
2385  audit_log_format(ab, "login pid=%d uid=%u "
2386  "old auid=%u new auid=%u"
2387  " old ses=%u new ses=%u",
2388  task->pid,
2389  from_kuid(&init_user_ns, task_uid(task)),
2390  from_kuid(&init_user_ns, task->loginuid),
2391  from_kuid(&init_user_ns, loginuid),
2392  task->sessionid, sessionid);
2393  audit_log_end(ab);
2394  }
2395  }
2396  task->sessionid = sessionid;
2397  task->loginuid = loginuid;
2398  return 0;
2399 }
2400 
2408 void __audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr)
2409 {
2410  struct audit_context *context = current->audit_context;
2411 
2412  if (attr)
2413  memcpy(&context->mq_open.attr, attr, sizeof(struct mq_attr));
2414  else
2415  memset(&context->mq_open.attr, 0, sizeof(struct mq_attr));
2416 
2417  context->mq_open.oflag = oflag;
2418  context->mq_open.mode = mode;
2419 
2420  context->type = AUDIT_MQ_OPEN;
2421 }
2422 
2431 void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio,
2432  const struct timespec *abs_timeout)
2433 {
2434  struct audit_context *context = current->audit_context;
2435  struct timespec *p = &context->mq_sendrecv.abs_timeout;
2436 
2437  if (abs_timeout)
2438  memcpy(p, abs_timeout, sizeof(struct timespec));
2439  else
2440  memset(p, 0, sizeof(struct timespec));
2441 
2442  context->mq_sendrecv.mqdes = mqdes;
2443  context->mq_sendrecv.msg_len = msg_len;
2444  context->mq_sendrecv.msg_prio = msg_prio;
2445 
2446  context->type = AUDIT_MQ_SENDRECV;
2447 }
2448 
2456 void __audit_mq_notify(mqd_t mqdes, const struct sigevent *notification)
2457 {
2458  struct audit_context *context = current->audit_context;
2459 
2460  if (notification)
2461  context->mq_notify.sigev_signo = notification->sigev_signo;
2462  else
2463  context->mq_notify.sigev_signo = 0;
2464 
2465  context->mq_notify.mqdes = mqdes;
2466  context->type = AUDIT_MQ_NOTIFY;
2467 }
2468 
2475 void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat)
2476 {
2477  struct audit_context *context = current->audit_context;
2478  context->mq_getsetattr.mqdes = mqdes;
2479  context->mq_getsetattr.mqstat = *mqstat;
2480  context->type = AUDIT_MQ_GETSETATTR;
2481 }
2482 
2488 void __audit_ipc_obj(struct kern_ipc_perm *ipcp)
2489 {
2490  struct audit_context *context = current->audit_context;
2491  context->ipc.uid = ipcp->uid;
2492  context->ipc.gid = ipcp->gid;
2493  context->ipc.mode = ipcp->mode;
2494  context->ipc.has_perm = 0;
2495  security_ipc_getsecid(ipcp, &context->ipc.osid);
2496  context->type = AUDIT_IPC;
2497 }
2498 
2508 void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode)
2509 {
2510  struct audit_context *context = current->audit_context;
2511 
2512  context->ipc.qbytes = qbytes;
2513  context->ipc.perm_uid = uid;
2514  context->ipc.perm_gid = gid;
2515  context->ipc.perm_mode = mode;
2516  context->ipc.has_perm = 1;
2517 }
2518 
2519 int __audit_bprm(struct linux_binprm *bprm)
2520 {
2521  struct audit_aux_data_execve *ax;
2522  struct audit_context *context = current->audit_context;
2523 
2524  ax = kmalloc(sizeof(*ax), GFP_KERNEL);
2525  if (!ax)
2526  return -ENOMEM;
2527 
2528  ax->argc = bprm->argc;
2529  ax->envc = bprm->envc;
2530  ax->mm = bprm->mm;
2531  ax->d.type = AUDIT_EXECVE;
2532  ax->d.next = context->aux;
2533  context->aux = (void *)ax;
2534  return 0;
2535 }
2536 
2537 
2544 void __audit_socketcall(int nargs, unsigned long *args)
2545 {
2546  struct audit_context *context = current->audit_context;
2547 
2548  context->type = AUDIT_SOCKETCALL;
2549  context->socketcall.nargs = nargs;
2550  memcpy(context->socketcall.args, args, nargs * sizeof(unsigned long));
2551 }
2552 
2559 void __audit_fd_pair(int fd1, int fd2)
2560 {
2561  struct audit_context *context = current->audit_context;
2562  context->fds[0] = fd1;
2563  context->fds[1] = fd2;
2564 }
2565 
2573 int __audit_sockaddr(int len, void *a)
2574 {
2575  struct audit_context *context = current->audit_context;
2576 
2577  if (!context->sockaddr) {
2578  void *p = kmalloc(sizeof(struct sockaddr_storage), GFP_KERNEL);
2579  if (!p)
2580  return -ENOMEM;
2581  context->sockaddr = p;
2582  }
2583 
2584  context->sockaddr_len = len;
2585  memcpy(context->sockaddr, a, len);
2586  return 0;
2587 }
2588 
2589 void __audit_ptrace(struct task_struct *t)
2590 {
2591  struct audit_context *context = current->audit_context;
2592 
2593  context->target_pid = t->pid;
2594  context->target_auid = audit_get_loginuid(t);
2595  context->target_uid = task_uid(t);
2596  context->target_sessionid = audit_get_sessionid(t);
2597  security_task_getsecid(t, &context->target_sid);
2598  memcpy(context->target_comm, t->comm, TASK_COMM_LEN);
2599 }
2600 
2609 int __audit_signal_info(int sig, struct task_struct *t)
2610 {
2611  struct audit_aux_data_pids *axp;
2612  struct task_struct *tsk = current;
2613  struct audit_context *ctx = tsk->audit_context;
2614  kuid_t uid = current_uid(), t_uid = task_uid(t);
2615 
2616  if (audit_pid && t->tgid == audit_pid) {
2617  if (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1 || sig == SIGUSR2) {
2618  audit_sig_pid = tsk->pid;
2619  if (uid_valid(tsk->loginuid))
2620  audit_sig_uid = tsk->loginuid;
2621  else
2622  audit_sig_uid = uid;
2623  security_task_getsecid(tsk, &audit_sig_sid);
2624  }
2625  if (!audit_signals || audit_dummy_context())
2626  return 0;
2627  }
2628 
2629  /* optimize the common case by putting first signal recipient directly
2630  * in audit_context */
2631  if (!ctx->target_pid) {
2632  ctx->target_pid = t->tgid;
2633  ctx->target_auid = audit_get_loginuid(t);
2634  ctx->target_uid = t_uid;
2635  ctx->target_sessionid = audit_get_sessionid(t);
2636  security_task_getsecid(t, &ctx->target_sid);
2637  memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN);
2638  return 0;
2639  }
2640 
2641  axp = (void *)ctx->aux_pids;
2642  if (!axp || axp->pid_count == AUDIT_AUX_PIDS) {
2643  axp = kzalloc(sizeof(*axp), GFP_ATOMIC);
2644  if (!axp)
2645  return -ENOMEM;
2646 
2647  axp->d.type = AUDIT_OBJ_PID;
2648  axp->d.next = ctx->aux_pids;
2649  ctx->aux_pids = (void *)axp;
2650  }
2651  BUG_ON(axp->pid_count >= AUDIT_AUX_PIDS);
2652 
2653  axp->target_pid[axp->pid_count] = t->tgid;
2654  axp->target_auid[axp->pid_count] = audit_get_loginuid(t);
2655  axp->target_uid[axp->pid_count] = t_uid;
2656  axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t);
2657  security_task_getsecid(t, &axp->target_sid[axp->pid_count]);
2658  memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN);
2659  axp->pid_count++;
2660 
2661  return 0;
2662 }
2663 
2675 int __audit_log_bprm_fcaps(struct linux_binprm *bprm,
2676  const struct cred *new, const struct cred *old)
2677 {
2678  struct audit_aux_data_bprm_fcaps *ax;
2679  struct audit_context *context = current->audit_context;
2680  struct cpu_vfs_cap_data vcaps;
2681  struct dentry *dentry;
2682 
2683  ax = kmalloc(sizeof(*ax), GFP_KERNEL);
2684  if (!ax)
2685  return -ENOMEM;
2686 
2687  ax->d.type = AUDIT_BPRM_FCAPS;
2688  ax->d.next = context->aux;
2689  context->aux = (void *)ax;
2690 
2691  dentry = dget(bprm->file->f_dentry);
2692  get_vfs_caps_from_disk(dentry, &vcaps);
2693  dput(dentry);
2694 
2695  ax->fcap.permitted = vcaps.permitted;
2696  ax->fcap.inheritable = vcaps.inheritable;
2697  ax->fcap.fE = !!(vcaps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE);
2698  ax->fcap_ver = (vcaps.magic_etc & VFS_CAP_REVISION_MASK) >> VFS_CAP_REVISION_SHIFT;
2699 
2700  ax->old_pcap.permitted = old->cap_permitted;
2701  ax->old_pcap.inheritable = old->cap_inheritable;
2702  ax->old_pcap.effective = old->cap_effective;
2703 
2704  ax->new_pcap.permitted = new->cap_permitted;
2705  ax->new_pcap.inheritable = new->cap_inheritable;
2706  ax->new_pcap.effective = new->cap_effective;
2707  return 0;
2708 }
2709 
2719 void __audit_log_capset(pid_t pid,
2720  const struct cred *new, const struct cred *old)
2721 {
2722  struct audit_context *context = current->audit_context;
2723  context->capset.pid = pid;
2724  context->capset.cap.effective = new->cap_effective;
2725  context->capset.cap.inheritable = new->cap_effective;
2726  context->capset.cap.permitted = new->cap_permitted;
2727  context->type = AUDIT_CAPSET;
2728 }
2729 
2730 void __audit_mmap_fd(int fd, int flags)
2731 {
2732  struct audit_context *context = current->audit_context;
2733  context->mmap.fd = fd;
2734  context->mmap.flags = flags;
2735  context->type = AUDIT_MMAP;
2736 }
2737 
2738 static void audit_log_abend(struct audit_buffer *ab, char *reason, long signr)
2739 {
2740  kuid_t auid, uid;
2741  kgid_t gid;
2742  unsigned int sessionid;
2743 
2744  auid = audit_get_loginuid(current);
2745  sessionid = audit_get_sessionid(current);
2746  current_uid_gid(&uid, &gid);
2747 
2748  audit_log_format(ab, "auid=%u uid=%u gid=%u ses=%u",
2749  from_kuid(&init_user_ns, auid),
2750  from_kuid(&init_user_ns, uid),
2751  from_kgid(&init_user_ns, gid),
2752  sessionid);
2753  audit_log_task_context(ab);
2754  audit_log_format(ab, " pid=%d comm=", current->pid);
2755  audit_log_untrustedstring(ab, current->comm);
2756  audit_log_format(ab, " reason=");
2757  audit_log_string(ab, reason);
2758  audit_log_format(ab, " sig=%ld", signr);
2759 }
2767 void audit_core_dumps(long signr)
2768 {
2769  struct audit_buffer *ab;
2770 
2771  if (!audit_enabled)
2772  return;
2773 
2774  if (signr == SIGQUIT) /* don't care for those */
2775  return;
2776 
2777  ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
2778  audit_log_abend(ab, "memory violation", signr);
2779  audit_log_end(ab);
2780 }
2781 
2782 void __audit_seccomp(unsigned long syscall, long signr, int code)
2783 {
2784  struct audit_buffer *ab;
2785 
2786  ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
2787  audit_log_abend(ab, "seccomp", signr);
2788  audit_log_format(ab, " syscall=%ld", syscall);
2789  audit_log_format(ab, " compat=%d", is_compat_task());
2790  audit_log_format(ab, " ip=0x%lx", KSTK_EIP(current));
2791  audit_log_format(ab, " code=0x%x", code);
2792  audit_log_end(ab);
2793 }
2794 
2795 struct list_head *audit_killed_trees(void)
2796 {
2797  struct audit_context *ctx = current->audit_context;
2798  if (likely(!ctx || !ctx->in_syscall))
2799  return NULL;
2800  return &ctx->killed_trees;
2801 }
Generated on Thu Jan 10 2013 14:54:09 for Linux Kernel by   doxygen 1.8.2