1 // SPDX-License-Identifier: GPL-2.0-or-later <<
2 /* auditsc.c -- System-call auditing support 1 /* auditsc.c -- System-call auditing support
3 * Handles all system-call specific auditing f 2 * Handles all system-call specific auditing features.
4 * 3 *
5 * Copyright 2003-2004 Red Hat Inc., Durham, N 4 * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina.
6 * Copyright 2005 Hewlett-Packard Development 5 * Copyright 2005 Hewlett-Packard Development Company, L.P.
7 * Copyright (C) 2005, 2006 IBM Corporation 6 * Copyright (C) 2005, 2006 IBM Corporation
8 * All Rights Reserved. 7 * All Rights Reserved.
9 * 8 *
>> 9 * This program is free software; you can redistribute it and/or modify
>> 10 * it under the terms of the GNU General Public License as published by
>> 11 * the Free Software Foundation; either version 2 of the License, or
>> 12 * (at your option) any later version.
>> 13 *
>> 14 * This program is distributed in the hope that it will be useful,
>> 15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
>> 16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
>> 17 * GNU General Public License for more details.
>> 18 *
>> 19 * You should have received a copy of the GNU General Public License
>> 20 * along with this program; if not, write to the Free Software
>> 21 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
>> 22 *
10 * Written by Rickard E. (Rik) Faith <faith@re 23 * Written by Rickard E. (Rik) Faith <faith@redhat.com>
11 * 24 *
12 * Many of the ideas implemented here are from 25 * Many of the ideas implemented here are from Stephen C. Tweedie,
13 * especially the idea of avoiding a copy by u 26 * especially the idea of avoiding a copy by using getname.
14 * 27 *
15 * The method for actual interception of sysca 28 * The method for actual interception of syscall entry and exit (not in
16 * this file -- see entry.S) is based on a GPL 29 * this file -- see entry.S) is based on a GPL'd patch written by
17 * okir@suse.de and Copyright 2003 SuSE Linux 30 * okir@suse.de and Copyright 2003 SuSE Linux AG.
18 * 31 *
19 * POSIX message queue support added by George 32 * POSIX message queue support added by George Wilson <ltcgcw@us.ibm.com>,
20 * 2006. 33 * 2006.
21 * 34 *
22 * The support of additional filter rules comp 35 * The support of additional filter rules compares (>, <, >=, <=) was
23 * added by Dustin Kirkland <dustin.kirkland@u 36 * added by Dustin Kirkland <dustin.kirkland@us.ibm.com>, 2005.
24 * 37 *
25 * Modified by Amy Griffis <amy.griffis@hp.com 38 * Modified by Amy Griffis <amy.griffis@hp.com> to collect additional
26 * filesystem information. 39 * filesystem information.
27 * 40 *
28 * Subject and object context labeling support 41 * Subject and object context labeling support added by <danjones@us.ibm.com>
29 * and <dustin.kirkland@us.ibm.com> for LSPP c 42 * and <dustin.kirkland@us.ibm.com> for LSPP certification compliance.
30 */ 43 */
31 44
32 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt <<
33 <<
34 #include <linux/init.h> 45 #include <linux/init.h>
35 #include <asm/types.h> 46 #include <asm/types.h>
36 #include <linux/atomic.h> !! 47 #include <asm/atomic.h>
37 #include <linux/fs.h> 48 #include <linux/fs.h>
38 #include <linux/namei.h> 49 #include <linux/namei.h>
39 #include <linux/mm.h> 50 #include <linux/mm.h>
40 #include <linux/export.h> !! 51 #include <linux/module.h>
41 #include <linux/slab.h> <<
42 #include <linux/mount.h> 52 #include <linux/mount.h>
43 #include <linux/socket.h> 53 #include <linux/socket.h>
44 #include <linux/mqueue.h> 54 #include <linux/mqueue.h>
45 #include <linux/audit.h> 55 #include <linux/audit.h>
46 #include <linux/personality.h> 56 #include <linux/personality.h>
47 #include <linux/time.h> 57 #include <linux/time.h>
48 #include <linux/netlink.h> 58 #include <linux/netlink.h>
49 #include <linux/compiler.h> 59 #include <linux/compiler.h>
50 #include <asm/unistd.h> 60 #include <asm/unistd.h>
51 #include <linux/security.h> 61 #include <linux/security.h>
52 #include <linux/list.h> 62 #include <linux/list.h>
>> 63 #include <linux/tty.h>
53 #include <linux/binfmts.h> 64 #include <linux/binfmts.h>
54 #include <linux/highmem.h> 65 #include <linux/highmem.h>
55 #include <linux/syscalls.h> 66 #include <linux/syscalls.h>
56 #include <asm/syscall.h> !! 67 #include <linux/inotify.h>
57 #include <linux/capability.h> 68 #include <linux/capability.h>
58 #include <linux/fs_struct.h> 69 #include <linux/fs_struct.h>
59 #include <linux/compat.h> <<
60 #include <linux/ctype.h> <<
61 #include <linux/string.h> <<
62 #include <linux/uaccess.h> <<
63 #include <linux/fsnotify_backend.h> <<
64 #include <uapi/linux/limits.h> <<
65 #include <uapi/linux/netfilter/nf_tables.h> <<
66 #include <uapi/linux/openat2.h> // struct open <<
67 #include <uapi/linux/fanotify.h> <<
68 70
69 #include "audit.h" 71 #include "audit.h"
70 72
71 /* flags stating the success for a syscall */ !! 73 /* AUDIT_NAMES is the number of slots we reserve in the audit_context
72 #define AUDITSC_INVALID 0 !! 74 * for saving names from getname(). */
73 #define AUDITSC_SUCCESS 1 !! 75 #define AUDIT_NAMES 20
74 #define AUDITSC_FAILURE 2 <<
75 76
76 /* no execve audit message should be longer th !! 77 /* Indicates that audit should log the full pathname. */
77 * see the note near the top of audit_log_exec !! 78 #define AUDIT_NAME_FULL -1
78 #define MAX_EXECVE_AUDIT_LEN 7500 <<
79 79
80 /* max length to print of cmdline/proctitle va !! 80 /* no execve audit message should be longer than this (userspace limits) */
81 #define MAX_PROCTITLE_AUDIT_LEN 128 !! 81 #define MAX_EXECVE_AUDIT_LEN 7500
82 82
83 /* number of audit rules */ 83 /* number of audit rules */
84 int audit_n_rules; 84 int audit_n_rules;
85 85
86 /* determines whether we collect data for sign 86 /* determines whether we collect data for signals sent */
87 int audit_signals; 87 int audit_signals;
88 88
>> 89 struct audit_cap_data {
>> 90 kernel_cap_t permitted;
>> 91 kernel_cap_t inheritable;
>> 92 union {
>> 93 unsigned int fE; /* effective bit of a file capability */
>> 94 kernel_cap_t effective; /* effective set of a process */
>> 95 };
>> 96 };
>> 97
>> 98 /* When fs/namei.c:getname() is called, we store the pointer in name and
>> 99 * we don't let putname() free it (instead we free all of the saved
>> 100 * pointers at syscall exit time).
>> 101 *
>> 102 * Further, in fs/namei.c:path_lookup() we store the inode and device. */
>> 103 struct audit_names {
>> 104 const char *name;
>> 105 int name_len; /* number of name's characters to log */
>> 106 unsigned name_put; /* call __putname() for this name */
>> 107 unsigned long ino;
>> 108 dev_t dev;
>> 109 umode_t mode;
>> 110 uid_t uid;
>> 111 gid_t gid;
>> 112 dev_t rdev;
>> 113 u32 osid;
>> 114 struct audit_cap_data fcap;
>> 115 unsigned int fcap_ver;
>> 116 };
>> 117
89 struct audit_aux_data { 118 struct audit_aux_data {
90 struct audit_aux_data *next; 119 struct audit_aux_data *next;
91 int type; 120 int type;
92 }; 121 };
93 122
>> 123 #define AUDIT_AUX_IPCPERM 0
>> 124
94 /* Number of target pids per aux struct. */ 125 /* Number of target pids per aux struct. */
95 #define AUDIT_AUX_PIDS 16 126 #define AUDIT_AUX_PIDS 16
96 127
>> 128 struct audit_aux_data_execve {
>> 129 struct audit_aux_data d;
>> 130 int argc;
>> 131 int envc;
>> 132 struct mm_struct *mm;
>> 133 };
>> 134
97 struct audit_aux_data_pids { 135 struct audit_aux_data_pids {
98 struct audit_aux_data d; 136 struct audit_aux_data d;
99 pid_t target_pid[AUD 137 pid_t target_pid[AUDIT_AUX_PIDS];
100 kuid_t target_auid[AU !! 138 uid_t target_auid[AUDIT_AUX_PIDS];
101 kuid_t target_uid[AUD !! 139 uid_t target_uid[AUDIT_AUX_PIDS];
102 unsigned int target_session 140 unsigned int target_sessionid[AUDIT_AUX_PIDS];
103 u32 target_sid[AUD 141 u32 target_sid[AUDIT_AUX_PIDS];
104 char target_comm[AU 142 char target_comm[AUDIT_AUX_PIDS][TASK_COMM_LEN];
105 int pid_count; 143 int pid_count;
106 }; 144 };
107 145
108 struct audit_aux_data_bprm_fcaps { 146 struct audit_aux_data_bprm_fcaps {
109 struct audit_aux_data d; 147 struct audit_aux_data d;
110 struct audit_cap_data fcap; 148 struct audit_cap_data fcap;
111 unsigned int fcap_ver; 149 unsigned int fcap_ver;
112 struct audit_cap_data old_pcap; 150 struct audit_cap_data old_pcap;
113 struct audit_cap_data new_pcap; 151 struct audit_cap_data new_pcap;
114 }; 152 };
115 153
>> 154 struct audit_aux_data_capset {
>> 155 struct audit_aux_data d;
>> 156 pid_t pid;
>> 157 struct audit_cap_data cap;
>> 158 };
>> 159
116 struct audit_tree_refs { 160 struct audit_tree_refs {
117 struct audit_tree_refs *next; 161 struct audit_tree_refs *next;
118 struct audit_chunk *c[31]; 162 struct audit_chunk *c[31];
119 }; 163 };
120 164
121 struct audit_nfcfgop_tab { !! 165 /* The per-task audit context. */
122 enum audit_nfcfgop op; !! 166 struct audit_context {
123 const char *s; !! 167 int dummy; /* must be the first element */
124 }; !! 168 int in_syscall; /* 1 if task is in a syscall */
>> 169 enum audit_state state, current_state;
>> 170 unsigned int serial; /* serial number for record */
>> 171 int major; /* syscall number */
>> 172 struct timespec ctime; /* time of syscall entry */
>> 173 unsigned long argv[4]; /* syscall arguments */
>> 174 long return_code;/* syscall return code */
>> 175 u64 prio;
>> 176 int return_valid; /* return code is valid */
>> 177 int name_count;
>> 178 struct audit_names names[AUDIT_NAMES];
>> 179 char * filterkey; /* key for rule that triggered record */
>> 180 struct path pwd;
>> 181 struct audit_context *previous; /* For nested syscalls */
>> 182 struct audit_aux_data *aux;
>> 183 struct audit_aux_data *aux_pids;
>> 184 struct sockaddr_storage *sockaddr;
>> 185 size_t sockaddr_len;
>> 186 /* Save things to print about task_struct */
>> 187 pid_t pid, ppid;
>> 188 uid_t uid, euid, suid, fsuid;
>> 189 gid_t gid, egid, sgid, fsgid;
>> 190 unsigned long personality;
>> 191 int arch;
>> 192
>> 193 pid_t target_pid;
>> 194 uid_t target_auid;
>> 195 uid_t target_uid;
>> 196 unsigned int target_sessionid;
>> 197 u32 target_sid;
>> 198 char target_comm[TASK_COMM_LEN];
>> 199
>> 200 struct audit_tree_refs *trees, *first_trees;
>> 201 struct list_head killed_trees;
>> 202 int tree_count;
125 203
126 static const struct audit_nfcfgop_tab audit_nf !! 204 int type;
127 { AUDIT_XT_OP_REGISTER, !! 205 union {
128 { AUDIT_XT_OP_REPLACE, !! 206 struct {
129 { AUDIT_XT_OP_UNREGISTER, !! 207 int nargs;
130 { AUDIT_NFT_OP_TABLE_REGISTER, !! 208 long args[6];
131 { AUDIT_NFT_OP_TABLE_UNREGISTER, !! 209 } socketcall;
132 { AUDIT_NFT_OP_CHAIN_REGISTER, !! 210 struct {
133 { AUDIT_NFT_OP_CHAIN_UNREGISTER, !! 211 uid_t uid;
134 { AUDIT_NFT_OP_RULE_REGISTER, !! 212 gid_t gid;
135 { AUDIT_NFT_OP_RULE_UNREGISTER, !! 213 mode_t mode;
136 { AUDIT_NFT_OP_SET_REGISTER, !! 214 u32 osid;
137 { AUDIT_NFT_OP_SET_UNREGISTER, !! 215 int has_perm;
138 { AUDIT_NFT_OP_SETELEM_REGISTER, !! 216 uid_t perm_uid;
139 { AUDIT_NFT_OP_SETELEM_UNREGISTER, !! 217 gid_t perm_gid;
140 { AUDIT_NFT_OP_GEN_REGISTER, !! 218 mode_t perm_mode;
141 { AUDIT_NFT_OP_OBJ_REGISTER, !! 219 unsigned long qbytes;
142 { AUDIT_NFT_OP_OBJ_UNREGISTER, !! 220 } ipc;
143 { AUDIT_NFT_OP_OBJ_RESET, !! 221 struct {
144 { AUDIT_NFT_OP_FLOWTABLE_REGISTER, !! 222 mqd_t mqdes;
145 { AUDIT_NFT_OP_FLOWTABLE_UNREGISTER, !! 223 struct mq_attr mqstat;
146 { AUDIT_NFT_OP_SETELEM_RESET, !! 224 } mq_getsetattr;
147 { AUDIT_NFT_OP_RULE_RESET, !! 225 struct {
148 { AUDIT_NFT_OP_INVALID, !! 226 mqd_t mqdes;
>> 227 int sigev_signo;
>> 228 } mq_notify;
>> 229 struct {
>> 230 mqd_t mqdes;
>> 231 size_t msg_len;
>> 232 unsigned int msg_prio;
>> 233 struct timespec abs_timeout;
>> 234 } mq_sendrecv;
>> 235 struct {
>> 236 int oflag;
>> 237 mode_t mode;
>> 238 struct mq_attr attr;
>> 239 } mq_open;
>> 240 struct {
>> 241 pid_t pid;
>> 242 struct audit_cap_data cap;
>> 243 } capset;
>> 244 };
>> 245 int fds[2];
>> 246
>> 247 #if AUDIT_DEBUG
>> 248 int put_count;
>> 249 int ino_count;
>> 250 #endif
149 }; 251 };
150 252
>> 253 #define ACC_MODE(x) ("\004\002\006\006"[(x)&O_ACCMODE])
>> 254 static inline int open_arg(int flags, int mask)
>> 255 {
>> 256 int n = ACC_MODE(flags);
>> 257 if (flags & (O_TRUNC | O_CREAT))
>> 258 n |= AUDIT_PERM_WRITE;
>> 259 return n & mask;
>> 260 }
>> 261
151 static int audit_match_perm(struct audit_conte 262 static int audit_match_perm(struct audit_context *ctx, int mask)
152 { 263 {
153 unsigned n; 264 unsigned n;
154 <<
155 if (unlikely(!ctx)) 265 if (unlikely(!ctx))
156 return 0; 266 return 0;
157 n = ctx->major; 267 n = ctx->major;
158 268
159 switch (audit_classify_syscall(ctx->ar 269 switch (audit_classify_syscall(ctx->arch, n)) {
160 case AUDITSC_NATIVE: !! 270 case 0: /* native */
161 if ((mask & AUDIT_PERM_WRITE) 271 if ((mask & AUDIT_PERM_WRITE) &&
162 audit_match_class(AUDIT_C 272 audit_match_class(AUDIT_CLASS_WRITE, n))
163 return 1; 273 return 1;
164 if ((mask & AUDIT_PERM_READ) & 274 if ((mask & AUDIT_PERM_READ) &&
165 audit_match_class(AUDIT_C 275 audit_match_class(AUDIT_CLASS_READ, n))
166 return 1; 276 return 1;
167 if ((mask & AUDIT_PERM_ATTR) & 277 if ((mask & AUDIT_PERM_ATTR) &&
168 audit_match_class(AUDIT_C 278 audit_match_class(AUDIT_CLASS_CHATTR, n))
169 return 1; 279 return 1;
170 return 0; 280 return 0;
171 case AUDITSC_COMPAT: /* 32bit on biarc !! 281 case 1: /* 32bit on biarch */
172 if ((mask & AUDIT_PERM_WRITE) 282 if ((mask & AUDIT_PERM_WRITE) &&
173 audit_match_class(AUDIT_C 283 audit_match_class(AUDIT_CLASS_WRITE_32, n))
174 return 1; 284 return 1;
175 if ((mask & AUDIT_PERM_READ) & 285 if ((mask & AUDIT_PERM_READ) &&
176 audit_match_class(AUDIT_C 286 audit_match_class(AUDIT_CLASS_READ_32, n))
177 return 1; 287 return 1;
178 if ((mask & AUDIT_PERM_ATTR) & 288 if ((mask & AUDIT_PERM_ATTR) &&
179 audit_match_class(AUDIT_C 289 audit_match_class(AUDIT_CLASS_CHATTR_32, n))
180 return 1; 290 return 1;
181 return 0; 291 return 0;
182 case AUDITSC_OPEN: !! 292 case 2: /* open */
183 return mask & ACC_MODE(ctx->ar 293 return mask & ACC_MODE(ctx->argv[1]);
184 case AUDITSC_OPENAT: !! 294 case 3: /* openat */
185 return mask & ACC_MODE(ctx->ar 295 return mask & ACC_MODE(ctx->argv[2]);
186 case AUDITSC_SOCKETCALL: !! 296 case 4: /* socketcall */
187 return ((mask & AUDIT_PERM_WRI 297 return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND);
188 case AUDITSC_EXECVE: !! 298 case 5: /* execve */
189 return mask & AUDIT_PERM_EXEC; 299 return mask & AUDIT_PERM_EXEC;
190 case AUDITSC_OPENAT2: <<
191 return mask & ACC_MODE((u32)ct <<
192 default: 300 default:
193 return 0; 301 return 0;
194 } 302 }
195 } 303 }
196 304
197 static int audit_match_filetype(struct audit_c !! 305 static int audit_match_filetype(struct audit_context *ctx, int which)
198 { 306 {
199 struct audit_names *n; !! 307 unsigned index = which & ~S_IFMT;
200 umode_t mode = (umode_t)val; !! 308 mode_t mode = which & S_IFMT;
201 309
202 if (unlikely(!ctx)) 310 if (unlikely(!ctx))
203 return 0; 311 return 0;
204 312
205 list_for_each_entry(n, &ctx->names_lis !! 313 if (index >= ctx->name_count)
206 if ((n->ino != AUDIT_INO_UNSET !! 314 return 0;
207 ((n->mode & S_IFMT) == mod !! 315 if (ctx->names[index].ino == -1)
208 return 1; !! 316 return 0;
209 } !! 317 if ((ctx->names[index].mode ^ mode) & S_IFMT)
210 !! 318 return 0;
211 return 0; !! 319 return 1;
212 } 320 }
213 321
214 /* 322 /*
215 * We keep a linked list of fixed-sized (31 po 323 * We keep a linked list of fixed-sized (31 pointer) arrays of audit_chunk *;
216 * ->first_trees points to its beginning, ->tr 324 * ->first_trees points to its beginning, ->trees - to the current end of data.
217 * ->tree_count is the number of free entries 325 * ->tree_count is the number of free entries in array pointed to by ->trees.
218 * Original condition is (NULL, NULL, 0); as s 326 * Original condition is (NULL, NULL, 0); as soon as it grows we never revert to NULL,
219 * "empty" becomes (p, p, 31) afterwards. We 327 * "empty" becomes (p, p, 31) afterwards. We don't shrink the list (and seriously,
220 * it's going to remain 1-element for almost a 328 * it's going to remain 1-element for almost any setup) until we free context itself.
221 * References in it _are_ dropped - at the sam 329 * References in it _are_ dropped - at the same time we free/drop aux stuff.
222 */ 330 */
223 331
>> 332 #ifdef CONFIG_AUDIT_TREE
224 static void audit_set_auditable(struct audit_c 333 static void audit_set_auditable(struct audit_context *ctx)
225 { 334 {
226 if (!ctx->prio) { 335 if (!ctx->prio) {
227 ctx->prio = 1; 336 ctx->prio = 1;
228 ctx->current_state = AUDIT_STA !! 337 ctx->current_state = AUDIT_RECORD_CONTEXT;
229 } 338 }
230 } 339 }
231 340
232 static int put_tree_ref(struct audit_context * 341 static int put_tree_ref(struct audit_context *ctx, struct audit_chunk *chunk)
233 { 342 {
234 struct audit_tree_refs *p = ctx->trees 343 struct audit_tree_refs *p = ctx->trees;
235 int left = ctx->tree_count; 344 int left = ctx->tree_count;
236 <<
237 if (likely(left)) { 345 if (likely(left)) {
238 p->c[--left] = chunk; 346 p->c[--left] = chunk;
239 ctx->tree_count = left; 347 ctx->tree_count = left;
240 return 1; 348 return 1;
241 } 349 }
242 if (!p) 350 if (!p)
243 return 0; 351 return 0;
244 p = p->next; 352 p = p->next;
245 if (p) { 353 if (p) {
246 p->c[30] = chunk; 354 p->c[30] = chunk;
247 ctx->trees = p; 355 ctx->trees = p;
248 ctx->tree_count = 30; 356 ctx->tree_count = 30;
249 return 1; 357 return 1;
250 } 358 }
251 return 0; 359 return 0;
252 } 360 }
253 361
254 static int grow_tree_refs(struct audit_context 362 static int grow_tree_refs(struct audit_context *ctx)
255 { 363 {
256 struct audit_tree_refs *p = ctx->trees 364 struct audit_tree_refs *p = ctx->trees;
257 <<
258 ctx->trees = kzalloc(sizeof(struct aud 365 ctx->trees = kzalloc(sizeof(struct audit_tree_refs), GFP_KERNEL);
259 if (!ctx->trees) { 366 if (!ctx->trees) {
260 ctx->trees = p; 367 ctx->trees = p;
261 return 0; 368 return 0;
262 } 369 }
263 if (p) 370 if (p)
264 p->next = ctx->trees; 371 p->next = ctx->trees;
265 else 372 else
266 ctx->first_trees = ctx->trees; 373 ctx->first_trees = ctx->trees;
267 ctx->tree_count = 31; 374 ctx->tree_count = 31;
268 return 1; 375 return 1;
269 } 376 }
>> 377 #endif
270 378
271 static void unroll_tree_refs(struct audit_cont 379 static void unroll_tree_refs(struct audit_context *ctx,
272 struct audit_tree_refs * 380 struct audit_tree_refs *p, int count)
273 { 381 {
>> 382 #ifdef CONFIG_AUDIT_TREE
274 struct audit_tree_refs *q; 383 struct audit_tree_refs *q;
275 int n; 384 int n;
276 <<
277 if (!p) { 385 if (!p) {
278 /* we started with empty chain 386 /* we started with empty chain */
279 p = ctx->first_trees; 387 p = ctx->first_trees;
280 count = 31; 388 count = 31;
281 /* if the very first allocatio 389 /* if the very first allocation has failed, nothing to do */
282 if (!p) 390 if (!p)
283 return; 391 return;
284 } 392 }
285 n = count; 393 n = count;
286 for (q = p; q != ctx->trees; q = q->ne 394 for (q = p; q != ctx->trees; q = q->next, n = 31) {
287 while (n--) { 395 while (n--) {
288 audit_put_chunk(q->c[n 396 audit_put_chunk(q->c[n]);
289 q->c[n] = NULL; 397 q->c[n] = NULL;
290 } 398 }
291 } 399 }
292 while (n-- > ctx->tree_count) { 400 while (n-- > ctx->tree_count) {
293 audit_put_chunk(q->c[n]); 401 audit_put_chunk(q->c[n]);
294 q->c[n] = NULL; 402 q->c[n] = NULL;
295 } 403 }
296 ctx->trees = p; 404 ctx->trees = p;
297 ctx->tree_count = count; 405 ctx->tree_count = count;
>> 406 #endif
298 } 407 }
299 408
300 static void free_tree_refs(struct audit_contex 409 static void free_tree_refs(struct audit_context *ctx)
301 { 410 {
302 struct audit_tree_refs *p, *q; 411 struct audit_tree_refs *p, *q;
303 <<
304 for (p = ctx->first_trees; p; p = q) { 412 for (p = ctx->first_trees; p; p = q) {
305 q = p->next; 413 q = p->next;
306 kfree(p); 414 kfree(p);
307 } 415 }
308 } 416 }
309 417
310 static int match_tree_refs(struct audit_contex 418 static int match_tree_refs(struct audit_context *ctx, struct audit_tree *tree)
311 { 419 {
>> 420 #ifdef CONFIG_AUDIT_TREE
312 struct audit_tree_refs *p; 421 struct audit_tree_refs *p;
313 int n; 422 int n;
314 <<
315 if (!tree) 423 if (!tree)
316 return 0; 424 return 0;
317 /* full ones */ 425 /* full ones */
318 for (p = ctx->first_trees; p != ctx->t 426 for (p = ctx->first_trees; p != ctx->trees; p = p->next) {
319 for (n = 0; n < 31; n++) 427 for (n = 0; n < 31; n++)
320 if (audit_tree_match(p 428 if (audit_tree_match(p->c[n], tree))
321 return 1; 429 return 1;
322 } 430 }
323 /* partial */ 431 /* partial */
324 if (p) { 432 if (p) {
325 for (n = ctx->tree_count; n < 433 for (n = ctx->tree_count; n < 31; n++)
326 if (audit_tree_match(p 434 if (audit_tree_match(p->c[n], tree))
327 return 1; 435 return 1;
328 } 436 }
329 return 0; !! 437 #endif
330 } <<
331 <<
332 static int audit_compare_uid(kuid_t uid, <<
333 struct audit_name <<
334 struct audit_fiel <<
335 struct audit_cont <<
336 { <<
337 struct audit_names *n; <<
338 int rc; <<
339 <<
340 if (name) { <<
341 rc = audit_uid_comparator(uid, <<
342 if (rc) <<
343 return rc; <<
344 } <<
345 <<
346 if (ctx) { <<
347 list_for_each_entry(n, &ctx->n <<
348 rc = audit_uid_compara <<
349 if (rc) <<
350 return rc; <<
351 } <<
352 } <<
353 return 0; <<
354 } <<
355 <<
356 static int audit_compare_gid(kgid_t gid, <<
357 struct audit_name <<
358 struct audit_fiel <<
359 struct audit_cont <<
360 { <<
361 struct audit_names *n; <<
362 int rc; <<
363 <<
364 if (name) { <<
365 rc = audit_gid_comparator(gid, <<
366 if (rc) <<
367 return rc; <<
368 } <<
369 <<
370 if (ctx) { <<
371 list_for_each_entry(n, &ctx->n <<
372 rc = audit_gid_compara <<
373 if (rc) <<
374 return rc; <<
375 } <<
376 } <<
377 return 0; <<
378 } <<
379 <<
380 static int audit_field_compare(struct task_str <<
381 const struct cr <<
382 struct audit_fi <<
383 struct audit_co <<
384 struct audit_na <<
385 { <<
386 switch (f->val) { <<
387 /* process to file object comparisons <<
388 case AUDIT_COMPARE_UID_TO_OBJ_UID: <<
389 return audit_compare_uid(cred- <<
390 case AUDIT_COMPARE_GID_TO_OBJ_GID: <<
391 return audit_compare_gid(cred- <<
392 case AUDIT_COMPARE_EUID_TO_OBJ_UID: <<
393 return audit_compare_uid(cred- <<
394 case AUDIT_COMPARE_EGID_TO_OBJ_GID: <<
395 return audit_compare_gid(cred- <<
396 case AUDIT_COMPARE_AUID_TO_OBJ_UID: <<
397 return audit_compare_uid(audit <<
398 case AUDIT_COMPARE_SUID_TO_OBJ_UID: <<
399 return audit_compare_uid(cred- <<
400 case AUDIT_COMPARE_SGID_TO_OBJ_GID: <<
401 return audit_compare_gid(cred- <<
402 case AUDIT_COMPARE_FSUID_TO_OBJ_UID: <<
403 return audit_compare_uid(cred- <<
404 case AUDIT_COMPARE_FSGID_TO_OBJ_GID: <<
405 return audit_compare_gid(cred- <<
406 /* uid comparisons */ <<
407 case AUDIT_COMPARE_UID_TO_AUID: <<
408 return audit_uid_comparator(cr <<
409 au <<
410 case AUDIT_COMPARE_UID_TO_EUID: <<
411 return audit_uid_comparator(cr <<
412 case AUDIT_COMPARE_UID_TO_SUID: <<
413 return audit_uid_comparator(cr <<
414 case AUDIT_COMPARE_UID_TO_FSUID: <<
415 return audit_uid_comparator(cr <<
416 /* auid comparisons */ <<
417 case AUDIT_COMPARE_AUID_TO_EUID: <<
418 return audit_uid_comparator(au <<
419 cr <<
420 case AUDIT_COMPARE_AUID_TO_SUID: <<
421 return audit_uid_comparator(au <<
422 cr <<
423 case AUDIT_COMPARE_AUID_TO_FSUID: <<
424 return audit_uid_comparator(au <<
425 cr <<
426 /* euid comparisons */ <<
427 case AUDIT_COMPARE_EUID_TO_SUID: <<
428 return audit_uid_comparator(cr <<
429 case AUDIT_COMPARE_EUID_TO_FSUID: <<
430 return audit_uid_comparator(cr <<
431 /* suid comparisons */ <<
432 case AUDIT_COMPARE_SUID_TO_FSUID: <<
433 return audit_uid_comparator(cr <<
434 /* gid comparisons */ <<
435 case AUDIT_COMPARE_GID_TO_EGID: <<
436 return audit_gid_comparator(cr <<
437 case AUDIT_COMPARE_GID_TO_SGID: <<
438 return audit_gid_comparator(cr <<
439 case AUDIT_COMPARE_GID_TO_FSGID: <<
440 return audit_gid_comparator(cr <<
441 /* egid comparisons */ <<
442 case AUDIT_COMPARE_EGID_TO_SGID: <<
443 return audit_gid_comparator(cr <<
444 case AUDIT_COMPARE_EGID_TO_FSGID: <<
445 return audit_gid_comparator(cr <<
446 /* sgid comparison */ <<
447 case AUDIT_COMPARE_SGID_TO_FSGID: <<
448 return audit_gid_comparator(cr <<
449 default: <<
450 WARN(1, "Missing AUDIT_COMPARE <<
451 return 0; <<
452 } <<
453 return 0; 438 return 0;
454 } 439 }
455 440
456 /* Determine if any context name data matches 441 /* Determine if any context name data matches a rule's watch data */
457 /* Compare a task_struct with an audit_rule. 442 /* Compare a task_struct with an audit_rule. Return 1 on match, 0
458 * otherwise. !! 443 * otherwise. */
459 * <<
460 * If task_creation is true, this is an explic <<
461 * filtering a task rule at task creation time <<
462 * the only situations where tsk->cred may be <<
463 */ <<
464 static int audit_filter_rules(struct task_stru 444 static int audit_filter_rules(struct task_struct *tsk,
465 struct audit_kru 445 struct audit_krule *rule,
466 struct audit_con 446 struct audit_context *ctx,
467 struct audit_nam 447 struct audit_names *name,
468 enum audit_state !! 448 enum audit_state *state)
469 bool task_creati <<
470 { 449 {
471 const struct cred *cred; !! 450 const struct cred *cred = get_task_cred(tsk);
472 int i, need_sid = 1; !! 451 int i, j, need_sid = 1;
473 u32 sid; 452 u32 sid;
474 unsigned int sessionid; <<
475 <<
476 if (ctx && rule->prio <= ctx->prio) <<
477 return 0; <<
478 <<
479 cred = rcu_dereference_check(tsk->cred <<
480 453
481 for (i = 0; i < rule->field_count; i++ 454 for (i = 0; i < rule->field_count; i++) {
482 struct audit_field *f = &rule- 455 struct audit_field *f = &rule->fields[i];
483 struct audit_names *n; <<
484 int result = 0; 456 int result = 0;
485 pid_t pid; <<
486 457
487 switch (f->type) { 458 switch (f->type) {
488 case AUDIT_PID: 459 case AUDIT_PID:
489 pid = task_tgid_nr(tsk !! 460 result = audit_comparator(tsk->pid, f->op, f->val);
490 result = audit_compara <<
491 break; 461 break;
492 case AUDIT_PPID: 462 case AUDIT_PPID:
493 if (ctx) { 463 if (ctx) {
494 if (!ctx->ppid 464 if (!ctx->ppid)
495 ctx->p !! 465 ctx->ppid = sys_getppid();
496 result = audit 466 result = audit_comparator(ctx->ppid, f->op, f->val);
497 } 467 }
498 break; 468 break;
499 case AUDIT_EXE: <<
500 result = audit_exe_com <<
501 if (f->op == Audit_not <<
502 result = !resu <<
503 break; <<
504 case AUDIT_UID: 469 case AUDIT_UID:
505 result = audit_uid_com !! 470 result = audit_comparator(cred->uid, f->op, f->val);
506 break; 471 break;
507 case AUDIT_EUID: 472 case AUDIT_EUID:
508 result = audit_uid_com !! 473 result = audit_comparator(cred->euid, f->op, f->val);
509 break; 474 break;
510 case AUDIT_SUID: 475 case AUDIT_SUID:
511 result = audit_uid_com !! 476 result = audit_comparator(cred->suid, f->op, f->val);
512 break; 477 break;
513 case AUDIT_FSUID: 478 case AUDIT_FSUID:
514 result = audit_uid_com !! 479 result = audit_comparator(cred->fsuid, f->op, f->val);
515 break; 480 break;
516 case AUDIT_GID: 481 case AUDIT_GID:
517 result = audit_gid_com !! 482 result = audit_comparator(cred->gid, f->op, f->val);
518 if (f->op == Audit_equ <<
519 if (!result) <<
520 result <<
521 } else if (f->op == Au <<
522 if (result) <<
523 result <<
524 } <<
525 break; 483 break;
526 case AUDIT_EGID: 484 case AUDIT_EGID:
527 result = audit_gid_com !! 485 result = audit_comparator(cred->egid, f->op, f->val);
528 if (f->op == Audit_equ <<
529 if (!result) <<
530 result <<
531 } else if (f->op == Au <<
532 if (result) <<
533 result <<
534 } <<
535 break; 486 break;
536 case AUDIT_SGID: 487 case AUDIT_SGID:
537 result = audit_gid_com !! 488 result = audit_comparator(cred->sgid, f->op, f->val);
538 break; 489 break;
539 case AUDIT_FSGID: 490 case AUDIT_FSGID:
540 result = audit_gid_com !! 491 result = audit_comparator(cred->fsgid, f->op, f->val);
541 break; <<
542 case AUDIT_SESSIONID: <<
543 sessionid = audit_get_ <<
544 result = audit_compara <<
545 break; 492 break;
546 case AUDIT_PERS: 493 case AUDIT_PERS:
547 result = audit_compara 494 result = audit_comparator(tsk->personality, f->op, f->val);
548 break; 495 break;
549 case AUDIT_ARCH: 496 case AUDIT_ARCH:
550 if (ctx) 497 if (ctx)
551 result = audit 498 result = audit_comparator(ctx->arch, f->op, f->val);
552 break; 499 break;
553 500
554 case AUDIT_EXIT: 501 case AUDIT_EXIT:
555 if (ctx && ctx->return !! 502 if (ctx && ctx->return_valid)
556 result = audit 503 result = audit_comparator(ctx->return_code, f->op, f->val);
557 break; 504 break;
558 case AUDIT_SUCCESS: 505 case AUDIT_SUCCESS:
559 if (ctx && ctx->return !! 506 if (ctx && ctx->return_valid) {
560 if (f->val) 507 if (f->val)
561 result 508 result = audit_comparator(ctx->return_valid, f->op, AUDITSC_SUCCESS);
562 else 509 else
563 result 510 result = audit_comparator(ctx->return_valid, f->op, AUDITSC_FAILURE);
564 } 511 }
565 break; 512 break;
566 case AUDIT_DEVMAJOR: 513 case AUDIT_DEVMAJOR:
567 if (name) { !! 514 if (name)
568 if (audit_comp !! 515 result = audit_comparator(MAJOR(name->dev),
569 audit_comp !! 516 f->op, f->val);
570 ++resu !! 517 else if (ctx) {
571 } else if (ctx) { !! 518 for (j = 0; j < ctx->name_count; j++) {
572 list_for_each_ !! 519 if (audit_comparator(MAJOR(ctx->names[j].dev), f->op, f->val)) {
573 if (au <<
574 au <<
575 520 ++result;
576 521 break;
577 } 522 }
578 } 523 }
579 } 524 }
580 break; 525 break;
581 case AUDIT_DEVMINOR: 526 case AUDIT_DEVMINOR:
582 if (name) { !! 527 if (name)
583 if (audit_comp !! 528 result = audit_comparator(MINOR(name->dev),
584 audit_comp !! 529 f->op, f->val);
585 ++resu !! 530 else if (ctx) {
586 } else if (ctx) { !! 531 for (j = 0; j < ctx->name_count; j++) {
587 list_for_each_ !! 532 if (audit_comparator(MINOR(ctx->names[j].dev), f->op, f->val)) {
588 if (au <<
589 au <<
590 533 ++result;
591 534 break;
592 } 535 }
593 } 536 }
594 } 537 }
595 break; 538 break;
596 case AUDIT_INODE: 539 case AUDIT_INODE:
597 if (name) 540 if (name)
598 result = audit !! 541 result = (name->ino == f->val);
599 else if (ctx) { 542 else if (ctx) {
600 list_for_each_ !! 543 for (j = 0; j < ctx->name_count; j++) {
601 if (au !! 544 if (audit_comparator(ctx->names[j].ino, f->op, f->val)) {
602 <<
603 <<
604 } <<
605 } <<
606 } <<
607 break; <<
608 case AUDIT_OBJ_UID: <<
609 if (name) { <<
610 result = audit <<
611 } else if (ctx) { <<
612 list_for_each_ <<
613 if (au <<
614 <<
615 <<
616 } <<
617 } <<
618 } <<
619 break; <<
620 case AUDIT_OBJ_GID: <<
621 if (name) { <<
622 result = audit <<
623 } else if (ctx) { <<
624 list_for_each_ <<
625 if (au <<
626 545 ++result;
627 546 break;
628 } 547 }
629 } 548 }
630 } 549 }
631 break; 550 break;
632 case AUDIT_WATCH: 551 case AUDIT_WATCH:
633 if (name) { !! 552 if (name && audit_watch_inode(rule->watch) != (unsigned long)-1)
634 result = audit !! 553 result = (name->dev == audit_watch_dev(rule->watch) &&
635 !! 554 name->ino == audit_watch_inode(rule->watch));
636 <<
637 if (f->op == A <<
638 result <<
639 } <<
640 break; 555 break;
641 case AUDIT_DIR: 556 case AUDIT_DIR:
642 if (ctx) { !! 557 if (ctx)
643 result = match 558 result = match_tree_refs(ctx, rule->tree);
644 if (f->op == A <<
645 result <<
646 } <<
647 break; 559 break;
648 case AUDIT_LOGINUID: 560 case AUDIT_LOGINUID:
649 result = audit_uid_com !! 561 result = 0;
650 !! 562 if (ctx)
651 break; !! 563 result = audit_comparator(tsk->loginuid, f->op, f->val);
652 case AUDIT_LOGINUID_SET: <<
653 result = audit_compara <<
654 break; <<
655 case AUDIT_SADDR_FAM: <<
656 if (ctx && ctx->sockad <<
657 result = audit <<
658 <<
659 break; 564 break;
660 case AUDIT_SUBJ_USER: 565 case AUDIT_SUBJ_USER:
661 case AUDIT_SUBJ_ROLE: 566 case AUDIT_SUBJ_ROLE:
662 case AUDIT_SUBJ_TYPE: 567 case AUDIT_SUBJ_TYPE:
663 case AUDIT_SUBJ_SEN: 568 case AUDIT_SUBJ_SEN:
664 case AUDIT_SUBJ_CLR: 569 case AUDIT_SUBJ_CLR:
665 /* NOTE: this may retu 570 /* NOTE: this may return negative values indicating
666 a temporary error. 571 a temporary error. We simply treat this as a
667 match for now to av 572 match for now to avoid losing information that
668 may be wanted. An 573 may be wanted. An error message will also be
669 logged upon error * 574 logged upon error */
670 if (f->lsm_rule) { 575 if (f->lsm_rule) {
671 if (need_sid) 576 if (need_sid) {
672 /* @ts !! 577 security_task_getsecid(tsk, &sid);
673 * @cu <<
674 * for <<
675 * the <<
676 * of <<
677 * use <<
678 * her <<
679 * @cu <<
680 */ <<
681 securi <<
682 need_s 578 need_sid = 0;
683 } 579 }
684 result = secur 580 result = security_audit_rule_match(sid, f->type,
685 !! 581 f->op,
686 !! 582 f->lsm_rule,
>> 583 ctx);
687 } 584 }
688 break; 585 break;
689 case AUDIT_OBJ_USER: 586 case AUDIT_OBJ_USER:
690 case AUDIT_OBJ_ROLE: 587 case AUDIT_OBJ_ROLE:
691 case AUDIT_OBJ_TYPE: 588 case AUDIT_OBJ_TYPE:
692 case AUDIT_OBJ_LEV_LOW: 589 case AUDIT_OBJ_LEV_LOW:
693 case AUDIT_OBJ_LEV_HIGH: 590 case AUDIT_OBJ_LEV_HIGH:
694 /* The above note for 591 /* The above note for AUDIT_SUBJ_USER...AUDIT_SUBJ_CLR
695 also applies here * 592 also applies here */
696 if (f->lsm_rule) { 593 if (f->lsm_rule) {
697 /* Find files 594 /* Find files that match */
698 if (name) { 595 if (name) {
699 result 596 result = security_audit_rule_match(
700 !! 597 name->osid, f->type, f->op,
701 !! 598 f->lsm_rule, ctx);
702 <<
703 <<
704 } else if (ctx 599 } else if (ctx) {
705 list_f !! 600 for (j = 0; j < ctx->name_count; j++) {
706 601 if (security_audit_rule_match(
707 !! 602 ctx->names[j].osid,
708 !! 603 f->type, f->op,
709 !! 604 f->lsm_rule, ctx)) {
710 <<
711 605 ++result;
712 606 break;
713 607 }
714 } 608 }
715 } 609 }
716 /* Find ipc ob 610 /* Find ipc objects that match */
717 if (!ctx || ct 611 if (!ctx || ctx->type != AUDIT_IPC)
718 break; 612 break;
719 if (security_a 613 if (security_audit_rule_match(ctx->ipc.osid,
720 614 f->type, f->op,
721 !! 615 f->lsm_rule, ctx))
722 ++resu 616 ++result;
723 } 617 }
724 break; 618 break;
725 case AUDIT_ARG0: 619 case AUDIT_ARG0:
726 case AUDIT_ARG1: 620 case AUDIT_ARG1:
727 case AUDIT_ARG2: 621 case AUDIT_ARG2:
728 case AUDIT_ARG3: 622 case AUDIT_ARG3:
729 if (ctx) 623 if (ctx)
730 result = audit 624 result = audit_comparator(ctx->argv[f->type-AUDIT_ARG0], f->op, f->val);
731 break; 625 break;
732 case AUDIT_FILTERKEY: 626 case AUDIT_FILTERKEY:
733 /* ignore this field f 627 /* ignore this field for filtering */
734 result = 1; 628 result = 1;
735 break; 629 break;
736 case AUDIT_PERM: 630 case AUDIT_PERM:
737 result = audit_match_p 631 result = audit_match_perm(ctx, f->val);
738 if (f->op == Audit_not <<
739 result = !resu <<
740 break; 632 break;
741 case AUDIT_FILETYPE: 633 case AUDIT_FILETYPE:
742 result = audit_match_f 634 result = audit_match_filetype(ctx, f->val);
743 if (f->op == Audit_not <<
744 result = !resu <<
745 break; <<
746 case AUDIT_FIELD_COMPARE: <<
747 result = audit_field_c <<
748 break; 635 break;
749 } 636 }
750 if (!result) !! 637
>> 638 if (!result) {
>> 639 put_cred(cred);
751 return 0; 640 return 0;
>> 641 }
752 } 642 }
753 643
754 if (ctx) { 644 if (ctx) {
>> 645 if (rule->prio <= ctx->prio)
>> 646 return 0;
755 if (rule->filterkey) { 647 if (rule->filterkey) {
756 kfree(ctx->filterkey); 648 kfree(ctx->filterkey);
757 ctx->filterkey = kstrd 649 ctx->filterkey = kstrdup(rule->filterkey, GFP_ATOMIC);
758 } 650 }
759 ctx->prio = rule->prio; 651 ctx->prio = rule->prio;
760 } 652 }
761 switch (rule->action) { 653 switch (rule->action) {
762 case AUDIT_NEVER: !! 654 case AUDIT_NEVER: *state = AUDIT_DISABLED; break;
763 *state = AUDIT_STATE_DISABLED; !! 655 case AUDIT_ALWAYS: *state = AUDIT_RECORD_CONTEXT; break;
764 break; <<
765 case AUDIT_ALWAYS: <<
766 *state = AUDIT_STATE_RECORD; <<
767 break; <<
768 } 656 }
>> 657 put_cred(cred);
769 return 1; 658 return 1;
770 } 659 }
771 660
772 /* At process creation time, we can determine 661 /* At process creation time, we can determine if system-call auditing is
773 * completely disabled for this task. Since w 662 * completely disabled for this task. Since we only have the task
774 * structure at this point, we can only check 663 * structure at this point, we can only check uid and gid.
775 */ 664 */
776 static enum audit_state audit_filter_task(stru 665 static enum audit_state audit_filter_task(struct task_struct *tsk, char **key)
777 { 666 {
778 struct audit_entry *e; 667 struct audit_entry *e;
779 enum audit_state state; 668 enum audit_state state;
780 669
781 rcu_read_lock(); 670 rcu_read_lock();
782 list_for_each_entry_rcu(e, &audit_filt 671 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TASK], list) {
783 if (audit_filter_rules(tsk, &e !! 672 if (audit_filter_rules(tsk, &e->rule, NULL, NULL, &state)) {
784 &state, !! 673 if (state == AUDIT_RECORD_CONTEXT)
785 if (state == AUDIT_STA <<
786 *key = kstrdup 674 *key = kstrdup(e->rule.filterkey, GFP_ATOMIC);
787 rcu_read_unlock(); 675 rcu_read_unlock();
788 return state; 676 return state;
789 } 677 }
790 } 678 }
791 rcu_read_unlock(); 679 rcu_read_unlock();
792 return AUDIT_STATE_BUILD; !! 680 return AUDIT_BUILD_CONTEXT;
793 } 681 }
794 682
795 static int audit_in_mask(const struct audit_kr 683 static int audit_in_mask(const struct audit_krule *rule, unsigned long val)
796 { 684 {
797 int word, bit; 685 int word, bit;
798 686
799 if (val > 0xffffffff) 687 if (val > 0xffffffff)
800 return false; 688 return false;
801 689
802 word = AUDIT_WORD(val); 690 word = AUDIT_WORD(val);
803 if (word >= AUDIT_BITMASK_SIZE) 691 if (word >= AUDIT_BITMASK_SIZE)
804 return false; 692 return false;
805 693
806 bit = AUDIT_BIT(val); 694 bit = AUDIT_BIT(val);
807 695
808 return rule->mask[word] & bit; 696 return rule->mask[word] & bit;
809 } 697 }
810 698
811 /** !! 699 /* At syscall entry and exit time, this filter is called if the
812 * __audit_filter_op - common filter helper fo !! 700 * audit_state is not low enough that auditing cannot take place, but is
813 * @tsk: associated task !! 701 * also not high enough that we already know we have to write an audit
814 * @ctx: audit context !! 702 * record (i.e., the state is AUDIT_SETUP_CONTEXT or AUDIT_BUILD_CONTEXT).
815 * @list: audit filter list !! 703 */
816 * @name: audit_name (can be NULL) !! 704 static enum audit_state audit_filter_syscall(struct task_struct *tsk,
817 * @op: current syscall/uring_op !! 705 struct audit_context *ctx,
818 * !! 706 struct list_head *list)
819 * Run the udit filters specified in @list aga <<
820 * @name, and @op, as necessary; the caller is <<
821 * that the call is made while the RCU read lo <<
822 * parameter can be NULL, but all others must <<
823 * Returns 1/true if the filter finds a match, <<
824 */ <<
825 static int __audit_filter_op(struct task_struc <<
826 struct audit_contex <<
827 struct list_head *l <<
828 struct audit_names <<
829 unsigned long op) <<
830 { 707 {
831 struct audit_entry *e; 708 struct audit_entry *e;
832 enum audit_state state; 709 enum audit_state state;
833 710
834 list_for_each_entry_rcu(e, list, list) !! 711 if (audit_pid && tsk->tgid == audit_pid)
835 if (audit_in_mask(&e->rule, op !! 712 return AUDIT_DISABLED;
836 audit_filter_rules(tsk, &e <<
837 &state, <<
838 ctx->current_state = s <<
839 return 1; <<
840 } <<
841 } <<
842 return 0; <<
843 } <<
844 <<
845 /** <<
846 * audit_filter_uring - apply filters to an io <<
847 * @tsk: associated task <<
848 * @ctx: audit context <<
849 */ <<
850 static void audit_filter_uring(struct task_str <<
851 struct audit_co <<
852 { <<
853 if (auditd_test_task(tsk)) <<
854 return; <<
855 <<
856 rcu_read_lock(); <<
857 __audit_filter_op(tsk, ctx, &audit_fil <<
858 NULL, ctx->uring_op); <<
859 rcu_read_unlock(); <<
860 } <<
861 <<
862 /* At syscall exit time, this filter is called <<
863 * not low enough that auditing cannot take pl <<
864 * high enough that we already know we have to <<
865 * (i.e., the state is AUDIT_STATE_BUILD). <<
866 */ <<
867 static void audit_filter_syscall(struct task_s <<
868 struct audit_ <<
869 { <<
870 if (auditd_test_task(tsk)) <<
871 return; <<
872 713
873 rcu_read_lock(); 714 rcu_read_lock();
874 __audit_filter_op(tsk, ctx, &audit_fil !! 715 if (!list_empty(list)) {
875 NULL, ctx->major); !! 716 list_for_each_entry_rcu(e, list, list) {
>> 717 if (audit_in_mask(&e->rule, ctx->major) &&
>> 718 audit_filter_rules(tsk, &e->rule, ctx, NULL,
>> 719 &state)) {
>> 720 rcu_read_unlock();
>> 721 ctx->current_state = state;
>> 722 return state;
>> 723 }
>> 724 }
>> 725 }
876 rcu_read_unlock(); 726 rcu_read_unlock();
>> 727 return AUDIT_BUILD_CONTEXT;
877 } 728 }
878 729
879 /* !! 730 /* At syscall exit time, this filter is called if any audit_names[] have been
880 * Given an audit_name check the inode hash ta <<
881 * Called holding the rcu read lock to protect <<
882 */ <<
883 static int audit_filter_inode_name(struct task <<
884 struct audi <<
885 struct audi <<
886 { <<
887 int h = audit_hash_ino((u32)n->ino); <<
888 struct list_head *list = &audit_inode_ <<
889 <<
890 return __audit_filter_op(tsk, ctx, lis <<
891 } <<
892 <<
893 /* At syscall exit time, this filter is called <<
894 * collected during syscall processing. We on 731 * collected during syscall processing. We only check rules in sublists at hash
895 * buckets applicable to the inode numbers in !! 732 * buckets applicable to the inode numbers in audit_names[].
896 * Regarding audit_state, same rules apply as 733 * Regarding audit_state, same rules apply as for audit_filter_syscall().
897 */ 734 */
898 void audit_filter_inodes(struct task_struct *t 735 void audit_filter_inodes(struct task_struct *tsk, struct audit_context *ctx)
899 { 736 {
900 struct audit_names *n; !! 737 int i;
>> 738 struct audit_entry *e;
>> 739 enum audit_state state;
901 740
902 if (auditd_test_task(tsk)) !! 741 if (audit_pid && tsk->tgid == audit_pid)
903 return; 742 return;
904 743
905 rcu_read_lock(); 744 rcu_read_lock();
>> 745 for (i = 0; i < ctx->name_count; i++) {
>> 746 struct audit_names *n = &ctx->names[i];
>> 747 int h = audit_hash_ino((u32)n->ino);
>> 748 struct list_head *list = &audit_inode_hash[h];
906 749
907 list_for_each_entry(n, &ctx->names_lis !! 750 if (list_empty(list))
908 if (audit_filter_inode_name(ts !! 751 continue;
909 break; !! 752
>> 753 list_for_each_entry_rcu(e, list, list) {
>> 754 if (audit_in_mask(&e->rule, ctx->major) &&
>> 755 audit_filter_rules(tsk, &e->rule, ctx, n, &state)) {
>> 756 rcu_read_unlock();
>> 757 ctx->current_state = state;
>> 758 return;
>> 759 }
>> 760 }
910 } 761 }
911 rcu_read_unlock(); 762 rcu_read_unlock();
912 } 763 }
913 764
914 static inline void audit_proctitle_free(struct !! 765 static inline struct audit_context *audit_get_context(struct task_struct *tsk,
>> 766 int return_valid,
>> 767 long return_code)
915 { 768 {
916 kfree(context->proctitle.value); !! 769 struct audit_context *context = tsk->audit_context;
917 context->proctitle.value = NULL; <<
918 context->proctitle.len = 0; <<
919 } <<
920 770
921 static inline void audit_free_module(struct au !! 771 if (likely(!context))
922 { !! 772 return NULL;
923 if (context->type == AUDIT_KERN_MODULE !! 773 context->return_valid = return_valid;
924 kfree(context->module.name); !! 774
925 context->module.name = NULL; !! 775 /*
>> 776 * we need to fix up the return code in the audit logs if the actual
>> 777 * return codes are later going to be fixed up by the arch specific
>> 778 * signal handlers
>> 779 *
>> 780 * This is actually a test for:
>> 781 * (rc == ERESTARTSYS ) || (rc == ERESTARTNOINTR) ||
>> 782 * (rc == ERESTARTNOHAND) || (rc == ERESTART_RESTARTBLOCK)
>> 783 *
>> 784 * but is faster than a bunch of ||
>> 785 */
>> 786 if (unlikely(return_code <= -ERESTARTSYS) &&
>> 787 (return_code >= -ERESTART_RESTARTBLOCK) &&
>> 788 (return_code != -ENOIOCTLCMD))
>> 789 context->return_code = -EINTR;
>> 790 else
>> 791 context->return_code = return_code;
>> 792
>> 793 if (context->in_syscall && !context->dummy) {
>> 794 audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_EXIT]);
>> 795 audit_filter_inodes(tsk, context);
926 } 796 }
>> 797
>> 798 tsk->audit_context = NULL;
>> 799 return context;
927 } 800 }
>> 801
928 static inline void audit_free_names(struct aud 802 static inline void audit_free_names(struct audit_context *context)
929 { 803 {
930 struct audit_names *n, *next; !! 804 int i;
931 805
932 list_for_each_entry_safe(n, next, &con !! 806 #if AUDIT_DEBUG == 2
933 list_del(&n->list); !! 807 if (context->put_count + context->ino_count != context->name_count) {
934 if (n->name) !! 808 printk(KERN_ERR "%s:%d(:%d): major=%d in_syscall=%d"
935 putname(n->name); !! 809 " name_count=%d put_count=%d"
936 if (n->should_free) !! 810 " ino_count=%d [NOT freeing]\n",
937 kfree(n); !! 811 __FILE__, __LINE__,
>> 812 context->serial, context->major, context->in_syscall,
>> 813 context->name_count, context->put_count,
>> 814 context->ino_count);
>> 815 for (i = 0; i < context->name_count; i++) {
>> 816 printk(KERN_ERR "names[%d] = %p = %s\n", i,
>> 817 context->names[i].name,
>> 818 context->names[i].name ?: "(null)");
>> 819 }
>> 820 dump_stack();
>> 821 return;
>> 822 }
>> 823 #endif
>> 824 #if AUDIT_DEBUG
>> 825 context->put_count = 0;
>> 826 context->ino_count = 0;
>> 827 #endif
>> 828
>> 829 for (i = 0; i < context->name_count; i++) {
>> 830 if (context->names[i].name && context->names[i].name_put)
>> 831 __putname(context->names[i].name);
938 } 832 }
939 context->name_count = 0; 833 context->name_count = 0;
940 path_put(&context->pwd); 834 path_put(&context->pwd);
941 context->pwd.dentry = NULL; 835 context->pwd.dentry = NULL;
942 context->pwd.mnt = NULL; 836 context->pwd.mnt = NULL;
943 } 837 }
944 838
945 static inline void audit_free_aux(struct audit 839 static inline void audit_free_aux(struct audit_context *context)
946 { 840 {
947 struct audit_aux_data *aux; 841 struct audit_aux_data *aux;
948 842
949 while ((aux = context->aux)) { 843 while ((aux = context->aux)) {
950 context->aux = aux->next; 844 context->aux = aux->next;
951 kfree(aux); 845 kfree(aux);
952 } 846 }
953 context->aux = NULL; <<
954 while ((aux = context->aux_pids)) { 847 while ((aux = context->aux_pids)) {
955 context->aux_pids = aux->next; 848 context->aux_pids = aux->next;
956 kfree(aux); 849 kfree(aux);
957 } 850 }
958 context->aux_pids = NULL; <<
959 } 851 }
960 852
961 /** !! 853 static inline void audit_zero_context(struct audit_context *context,
962 * audit_reset_context - reset a audit_context !! 854 enum audit_state state)
963 * @ctx: the audit_context to reset <<
964 * <<
965 * All fields in the audit_context will be res <<
966 * references held by fields will be dropped, <<
967 * released. When this function returns the a <<
968 * for reuse, so long as the passed context is <<
969 */ <<
970 static void audit_reset_context(struct audit_c <<
971 { 855 {
972 if (!ctx) !! 856 memset(context, 0, sizeof(*context));
973 return; !! 857 context->state = state;
974 !! 858 context->prio = state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0;
975 /* if ctx is non-null, reset the "ctx- <<
976 ctx->context = AUDIT_CTX_UNUSED; <<
977 if (ctx->dummy) <<
978 return; <<
979 <<
980 /* <<
981 * NOTE: It shouldn't matter in what o <<
982 * release them in the order in <<
983 * this gives us some hope of qu <<
984 * resetting the audit_context p <<
985 * <<
986 * Other things worth mentioning <<
987 * - we don't reset "dummy" <<
988 * - we don't reset "state", we <<
989 * - we preserve "filterkey" if <<
990 * - much of this is likely over <<
991 * - we really need to work on i <<
992 */ <<
993 <<
994 ctx->current_state = ctx->state; <<
995 ctx->serial = 0; <<
996 ctx->major = 0; <<
997 ctx->uring_op = 0; <<
998 ctx->ctime = (struct timespec64){ .tv_ <<
999 memset(ctx->argv, 0, sizeof(ctx->argv) <<
1000 ctx->return_code = 0; <<
1001 ctx->prio = (ctx->state == AUDIT_STAT <<
1002 ctx->return_valid = AUDITSC_INVALID; <<
1003 audit_free_names(ctx); <<
1004 if (ctx->state != AUDIT_STATE_RECORD) <<
1005 kfree(ctx->filterkey); <<
1006 ctx->filterkey = NULL; <<
1007 } <<
1008 audit_free_aux(ctx); <<
1009 kfree(ctx->sockaddr); <<
1010 ctx->sockaddr = NULL; <<
1011 ctx->sockaddr_len = 0; <<
1012 ctx->ppid = 0; <<
1013 ctx->uid = ctx->euid = ctx->suid = ct <<
1014 ctx->gid = ctx->egid = ctx->sgid = ct <<
1015 ctx->personality = 0; <<
1016 ctx->arch = 0; <<
1017 ctx->target_pid = 0; <<
1018 ctx->target_auid = ctx->target_uid = <<
1019 ctx->target_sessionid = 0; <<
1020 ctx->target_sid = 0; <<
1021 ctx->target_comm[0] = '\0'; <<
1022 unroll_tree_refs(ctx, NULL, 0); <<
1023 WARN_ON(!list_empty(&ctx->killed_tree <<
1024 audit_free_module(ctx); <<
1025 ctx->fds[0] = -1; <<
1026 ctx->type = 0; /* reset last for audi <<
1027 } 859 }
1028 860
1029 static inline struct audit_context *audit_all 861 static inline struct audit_context *audit_alloc_context(enum audit_state state)
1030 { 862 {
1031 struct audit_context *context; 863 struct audit_context *context;
1032 864
1033 context = kzalloc(sizeof(*context), G !! 865 if (!(context = kmalloc(sizeof(*context), GFP_KERNEL)))
1034 if (!context) <<
1035 return NULL; 866 return NULL;
1036 context->context = AUDIT_CTX_UNUSED; !! 867 audit_zero_context(context, state);
1037 context->state = state; <<
1038 context->prio = state == AUDIT_STATE_ <<
1039 INIT_LIST_HEAD(&context->killed_trees 868 INIT_LIST_HEAD(&context->killed_trees);
1040 INIT_LIST_HEAD(&context->names_list); <<
1041 context->fds[0] = -1; <<
1042 context->return_valid = AUDITSC_INVAL <<
1043 return context; 869 return context;
1044 } 870 }
1045 871
1046 /** 872 /**
1047 * audit_alloc - allocate an audit context bl 873 * audit_alloc - allocate an audit context block for a task
1048 * @tsk: task 874 * @tsk: task
1049 * 875 *
1050 * Filter on the task information and allocat 876 * Filter on the task information and allocate a per-task audit context
1051 * if necessary. Doing so turns on system ca 877 * if necessary. Doing so turns on system call auditing for the
1052 * specified task. This is called from copy_ 878 * specified task. This is called from copy_process, so no lock is
1053 * needed. 879 * needed.
1054 */ 880 */
1055 int audit_alloc(struct task_struct *tsk) 881 int audit_alloc(struct task_struct *tsk)
1056 { 882 {
1057 struct audit_context *context; 883 struct audit_context *context;
1058 enum audit_state state; 884 enum audit_state state;
1059 char *key = NULL; 885 char *key = NULL;
1060 886
1061 if (likely(!audit_ever_enabled)) 887 if (likely(!audit_ever_enabled))
1062 return 0; !! 888 return 0; /* Return if not auditing. */
1063 889
1064 state = audit_filter_task(tsk, &key); 890 state = audit_filter_task(tsk, &key);
1065 if (state == AUDIT_STATE_DISABLED) { !! 891 if (likely(state == AUDIT_DISABLED))
1066 clear_task_syscall_work(tsk, <<
1067 return 0; 892 return 0;
1068 } <<
1069 893
1070 context = audit_alloc_context(state); !! 894 if (!(context = audit_alloc_context(state))) {
1071 if (!context) { <<
1072 kfree(key); 895 kfree(key);
1073 audit_log_lost("out of memory 896 audit_log_lost("out of memory in audit_alloc");
1074 return -ENOMEM; 897 return -ENOMEM;
1075 } 898 }
1076 context->filterkey = key; 899 context->filterkey = key;
1077 900
1078 audit_set_context(tsk, context); !! 901 tsk->audit_context = context;
1079 set_task_syscall_work(tsk, SYSCALL_AU !! 902 set_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT);
1080 return 0; 903 return 0;
1081 } 904 }
1082 905
1083 static inline void audit_free_context(struct 906 static inline void audit_free_context(struct audit_context *context)
1084 { 907 {
1085 /* resetting is extra work, but it is !! 908 struct audit_context *previous;
1086 audit_reset_context(context); !! 909 int count = 0;
1087 audit_proctitle_free(context); !! 910
1088 free_tree_refs(context); !! 911 do {
1089 kfree(context->filterkey); !! 912 previous = context->previous;
1090 kfree(context); !! 913 if (previous || (count && count < 10)) {
>> 914 ++count;
>> 915 printk(KERN_ERR "audit(:%d): major=%d name_count=%d:"
>> 916 " freeing multiple contexts (%d)\n",
>> 917 context->serial, context->major,
>> 918 context->name_count, count);
>> 919 }
>> 920 audit_free_names(context);
>> 921 unroll_tree_refs(context, NULL, 0);
>> 922 free_tree_refs(context);
>> 923 audit_free_aux(context);
>> 924 kfree(context->filterkey);
>> 925 kfree(context->sockaddr);
>> 926 kfree(context);
>> 927 context = previous;
>> 928 } while (context);
>> 929 if (count >= 10)
>> 930 printk(KERN_ERR "audit: freed %d contexts\n", count);
>> 931 }
>> 932
>> 933 void audit_log_task_context(struct audit_buffer *ab)
>> 934 {
>> 935 char *ctx = NULL;
>> 936 unsigned len;
>> 937 int error;
>> 938 u32 sid;
>> 939
>> 940 security_task_getsecid(current, &sid);
>> 941 if (!sid)
>> 942 return;
>> 943
>> 944 error = security_secid_to_secctx(sid, &ctx, &len);
>> 945 if (error) {
>> 946 if (error != -EINVAL)
>> 947 goto error_path;
>> 948 return;
>> 949 }
>> 950
>> 951 audit_log_format(ab, " subj=%s", ctx);
>> 952 security_release_secctx(ctx, len);
>> 953 return;
>> 954
>> 955 error_path:
>> 956 audit_panic("error in audit_log_task_context");
>> 957 return;
>> 958 }
>> 959
>> 960 EXPORT_SYMBOL(audit_log_task_context);
>> 961
>> 962 static void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
>> 963 {
>> 964 char name[sizeof(tsk->comm)];
>> 965 struct mm_struct *mm = tsk->mm;
>> 966 struct vm_area_struct *vma;
>> 967
>> 968 /* tsk == current */
>> 969
>> 970 get_task_comm(name, tsk);
>> 971 audit_log_format(ab, " comm=");
>> 972 audit_log_untrustedstring(ab, name);
>> 973
>> 974 if (mm) {
>> 975 down_read(&mm->mmap_sem);
>> 976 vma = mm->mmap;
>> 977 while (vma) {
>> 978 if ((vma->vm_flags & VM_EXECUTABLE) &&
>> 979 vma->vm_file) {
>> 980 audit_log_d_path(ab, "exe=",
>> 981 &vma->vm_file->f_path);
>> 982 break;
>> 983 }
>> 984 vma = vma->vm_next;
>> 985 }
>> 986 up_read(&mm->mmap_sem);
>> 987 }
>> 988 audit_log_task_context(ab);
1091 } 989 }
1092 990
1093 static int audit_log_pid_context(struct audit 991 static int audit_log_pid_context(struct audit_context *context, pid_t pid,
1094 kuid_t auid, !! 992 uid_t auid, uid_t uid, unsigned int sessionid,
1095 u32 sid, cha 993 u32 sid, char *comm)
1096 { 994 {
1097 struct audit_buffer *ab; 995 struct audit_buffer *ab;
1098 char *ctx = NULL; 996 char *ctx = NULL;
1099 u32 len; 997 u32 len;
1100 int rc = 0; 998 int rc = 0;
1101 999
1102 ab = audit_log_start(context, GFP_KER 1000 ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID);
1103 if (!ab) 1001 if (!ab)
1104 return rc; 1002 return rc;
1105 1003
1106 audit_log_format(ab, "opid=%d oauid=% !! 1004 audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid, auid,
1107 from_kuid(&init_user !! 1005 uid, sessionid);
1108 from_kuid(&init_user !! 1006 if (security_secid_to_secctx(sid, &ctx, &len)) {
1109 if (sid) { !! 1007 audit_log_format(ab, " obj=(none)");
1110 if (security_secid_to_secctx( !! 1008 rc = 1;
1111 audit_log_format(ab, !! 1009 } else {
1112 rc = 1; !! 1010 audit_log_format(ab, " obj=%s", ctx);
1113 } else { !! 1011 security_release_secctx(ctx, len);
1114 audit_log_format(ab, <<
1115 security_release_secc <<
1116 } <<
1117 } 1012 }
1118 audit_log_format(ab, " ocomm="); 1013 audit_log_format(ab, " ocomm=");
1119 audit_log_untrustedstring(ab, comm); 1014 audit_log_untrustedstring(ab, comm);
1120 audit_log_end(ab); 1015 audit_log_end(ab);
1121 1016
1122 return rc; 1017 return rc;
1123 } 1018 }
1124 1019
1125 static void audit_log_execve_info(struct audi !! 1020 /*
1126 struct audi !! 1021 * to_send and len_sent accounting are very loose estimates. We aren't
1127 { !! 1022 * really worried about a hard cap to MAX_EXECVE_AUDIT_LEN so much as being
1128 long len_max; !! 1023 * within about 500 bytes (next page boundry)
1129 long len_rem; !! 1024 *
1130 long len_full; !! 1025 * why snprintf? an int is up to 12 digits long. if we just assumed when
1131 long len_buf; !! 1026 * logging that a[%d]= was going to be 16 characters long we would be wasting
1132 long len_abuf = 0; !! 1027 * space in every audit message. In one 7500 byte message we can log up to
1133 long len_tmp; !! 1028 * about 1000 min size arguments. That comes down to about 50% waste of space
1134 bool require_data; !! 1029 * if we didn't do the snprintf to find out how long arg_num_len was.
1135 bool encode; !! 1030 */
1136 unsigned int iter; !! 1031 static int audit_log_single_execve_arg(struct audit_context *context,
1137 unsigned int arg; !! 1032 struct audit_buffer **ab,
1138 char *buf_head; !! 1033 int arg_num,
1139 char *buf; !! 1034 size_t *len_sent,
1140 const char __user *p = (const char __ !! 1035 const char __user *p,
>> 1036 char *buf)
>> 1037 {
>> 1038 char arg_num_len_buf[12];
>> 1039 const char __user *tmp_p = p;
>> 1040 /* how many digits are in arg_num? 5 is the length of ' a=""' */
>> 1041 size_t arg_num_len = snprintf(arg_num_len_buf, 12, "%d", arg_num) + 5;
>> 1042 size_t len, len_left, to_send;
>> 1043 size_t max_execve_audit_len = MAX_EXECVE_AUDIT_LEN;
>> 1044 unsigned int i, has_cntl = 0, too_long = 0;
>> 1045 int ret;
1141 1046
1142 /* NOTE: this buffer needs to be larg !! 1047 /* strnlen_user includes the null we don't want to send */
1143 * data we put in the audit rec !! 1048 len_left = len = strnlen_user(p, MAX_ARG_STRLEN) - 1;
1144 * code below) ... at this poin <<
1145 char abuf[96]; <<
1146 <<
1147 /* NOTE: we set MAX_EXECVE_AUDIT_LEN <<
1148 * current value of 7500 is not <<
1149 * is less than 8k, a setting o <<
1150 * room if we go over a little <<
1151 WARN_ON_ONCE(MAX_EXECVE_AUDIT_LEN > 7 <<
1152 len_max = MAX_EXECVE_AUDIT_LEN; <<
1153 <<
1154 /* scratch buffer to hold the userspa <<
1155 buf_head = kmalloc(MAX_EXECVE_AUDIT_L <<
1156 if (!buf_head) { <<
1157 audit_panic("out of memory fo <<
1158 return; <<
1159 } <<
1160 buf = buf_head; <<
1161 <<
1162 audit_log_format(*ab, "argc=%d", cont <<
1163 <<
1164 len_rem = len_max; <<
1165 len_buf = 0; <<
1166 len_full = 0; <<
1167 require_data = true; <<
1168 encode = false; <<
1169 iter = 0; <<
1170 arg = 0; <<
1171 do { <<
1172 /* NOTE: we don't ever want t <<
1173 * serious, but the aud <<
1174 * provide an argument <<
1175 * e.g. > MAX_EXECVE_AU <<
1176 * to use strncpy_from_ <<
1177 * recording in the log <<
1178 * anywhere here to avo <<
1179 if (len_full == 0) <<
1180 len_full = strnlen_us <<
1181 <<
1182 /* read more data from usersp <<
1183 if (require_data) { <<
1184 /* can we make more r <<
1185 if (buf != buf_head) <<
1186 memmove(buf_h <<
1187 buf = buf_hea <<
1188 } <<
1189 1049
1190 /* fetch as much as w !! 1050 /*
1191 len_tmp = strncpy_fro !! 1051 * We just created this mm, if we can't find the strings
1192 !! 1052 * we just copied into it something is _very_ wrong. Similar
1193 if (len_tmp == -EFAUL !! 1053 * for strings that are too long, we should not have created
1194 /* unable to !! 1054 * any.
1195 send_sig(SIGK !! 1055 */
1196 goto out; !! 1056 if (unlikely((len == -1) || len > MAX_ARG_STRLEN - 1)) {
1197 } else if (len_tmp == !! 1057 WARN_ON(1);
1198 /* buffer is !! 1058 send_sig(SIGKILL, current, 0);
1199 require_data !! 1059 return -1;
1200 /* NOTE: if w !! 1060 }
1201 * buff <<
1202 * a ch <<
1203 * cons <<
1204 encode = true <<
1205 len_full = le <<
1206 p += len_tmp; <<
1207 } else { <<
1208 require_data <<
1209 if (!encode) <<
1210 encod <<
1211 <<
1212 /* try to use <<
1213 if (len_full <<
1214 len_f <<
1215 <<
1216 p += len_tmp <<
1217 } <<
1218 len_buf += len_tmp; <<
1219 buf_head[len_buf] = ' <<
1220 1061
1221 /* length of the buff !! 1062 /* walk the whole argument looking for non-ascii chars */
1222 len_abuf = (encode ? !! 1063 do {
>> 1064 if (len_left > MAX_EXECVE_AUDIT_LEN)
>> 1065 to_send = MAX_EXECVE_AUDIT_LEN;
>> 1066 else
>> 1067 to_send = len_left;
>> 1068 ret = copy_from_user(buf, tmp_p, to_send);
>> 1069 /*
>> 1070 * There is no reason for this copy to be short. We just
>> 1071 * copied them here, and the mm hasn't been exposed to user-
>> 1072 * space yet.
>> 1073 */
>> 1074 if (ret) {
>> 1075 WARN_ON(1);
>> 1076 send_sig(SIGKILL, current, 0);
>> 1077 return -1;
>> 1078 }
>> 1079 buf[to_send] = '\0';
>> 1080 has_cntl = audit_string_contains_control(buf, to_send);
>> 1081 if (has_cntl) {
>> 1082 /*
>> 1083 * hex messages get logged as 2 bytes, so we can only
>> 1084 * send half as much in each message
>> 1085 */
>> 1086 max_execve_audit_len = MAX_EXECVE_AUDIT_LEN / 2;
>> 1087 break;
>> 1088 }
>> 1089 len_left -= to_send;
>> 1090 tmp_p += to_send;
>> 1091 } while (len_left > 0);
>> 1092
>> 1093 len_left = len;
>> 1094
>> 1095 if (len > max_execve_audit_len)
>> 1096 too_long = 1;
>> 1097
>> 1098 /* rewalk the argument actually logging the message */
>> 1099 for (i = 0; len_left > 0; i++) {
>> 1100 int room_left;
>> 1101
>> 1102 if (len_left > max_execve_audit_len)
>> 1103 to_send = max_execve_audit_len;
>> 1104 else
>> 1105 to_send = len_left;
>> 1106
>> 1107 /* do we have space left to send this argument in this ab? */
>> 1108 room_left = MAX_EXECVE_AUDIT_LEN - arg_num_len - *len_sent;
>> 1109 if (has_cntl)
>> 1110 room_left -= (to_send * 2);
>> 1111 else
>> 1112 room_left -= to_send;
>> 1113 if (room_left < 0) {
>> 1114 *len_sent = 0;
>> 1115 audit_log_end(*ab);
>> 1116 *ab = audit_log_start(context, GFP_KERNEL, AUDIT_EXECVE);
>> 1117 if (!*ab)
>> 1118 return 0;
1223 } 1119 }
1224 1120
1225 /* write as much as we can to !! 1121 /*
1226 if (len_buf >= 0) { !! 1122 * first record needs to say how long the original string was
1227 /* NOTE: some magic n !! 1123 * so we can be sure nothing was lost.
1228 * can't fit a !! 1124 */
1229 * existing aud !! 1125 if ((i == 0) && (too_long))
1230 * a new buffer !! 1126 audit_log_format(*ab, " a%d_len=%zu", arg_num,
1231 if ((sizeof(abuf) + 8 !! 1127 has_cntl ? 2*len : len);
1232 len_rem = len <<
1233 audit_log_end <<
1234 *ab = audit_l <<
1235 <<
1236 if (!*ab) <<
1237 goto <<
1238 } <<
1239 1128
1240 /* create the non-arg !! 1129 /*
1241 len_tmp = 0; !! 1130 * normally arguments are small enough to fit and we already
1242 if (require_data || ( !! 1131 * filled buf above when we checked for control characters
1243 ((len_abuf + size !! 1132 * so don't bother with another copy_from_user
1244 if (iter == 0 !! 1133 */
1245 len_t !! 1134 if (len >= max_execve_audit_len)
1246 !! 1135 ret = copy_from_user(buf, p, to_send);
1247 !! 1136 else
1248 !! 1137 ret = 0;
1249 } !! 1138 if (ret) {
1250 len_tmp += sn !! 1139 WARN_ON(1);
1251 !! 1140 send_sig(SIGKILL, current, 0);
1252 !! 1141 return -1;
1253 } else !! 1142 }
1254 len_tmp += sn !! 1143 buf[to_send] = '\0';
1255 !! 1144
1256 !! 1145 /* actually log it */
1257 WARN_ON(len_tmp >= si !! 1146 audit_log_format(*ab, " a%d", arg_num);
1258 abuf[sizeof(abuf) - 1 !! 1147 if (too_long)
1259 !! 1148 audit_log_format(*ab, "[%d]", i);
1260 /* log the arg in the !! 1149 audit_log_format(*ab, "=");
1261 audit_log_format(*ab, !! 1150 if (has_cntl)
1262 len_rem -= len_tmp; !! 1151 audit_log_n_hex(*ab, buf, to_send);
1263 len_tmp = len_buf; !! 1152 else
1264 if (encode) { !! 1153 audit_log_string(*ab, buf);
1265 if (len_abuf !! 1154
1266 len_t !! 1155 p += to_send;
1267 audit_log_n_h !! 1156 len_left -= to_send;
1268 len_rem -= le !! 1157 *len_sent += arg_num_len;
1269 len_abuf -= l !! 1158 if (has_cntl)
1270 } else { !! 1159 *len_sent += to_send * 2;
1271 if (len_abuf !! 1160 else
1272 len_t !! 1161 *len_sent += to_send;
1273 audit_log_n_s !! 1162 }
1274 len_rem -= le !! 1163 /* include the null we didn't log */
1275 /* don't subt !! 1164 return len + 1;
1276 * to add quo !! 1165 }
1277 len_abuf -= l <<
1278 } <<
1279 len_buf -= len_tmp; <<
1280 buf += len_tmp; <<
1281 } <<
1282 1166
1283 /* ready to move to the next !! 1167 static void audit_log_execve_info(struct audit_context *context,
1284 if ((len_buf == 0) && !requir !! 1168 struct audit_buffer **ab,
1285 arg++; !! 1169 struct audit_aux_data_execve *axi)
1286 iter = 0; !! 1170 {
1287 len_full = 0; !! 1171 int i;
1288 require_data = true; !! 1172 size_t len, len_sent = 0;
1289 encode = false; !! 1173 const char __user *p;
1290 } !! 1174 char *buf;
1291 } while (arg < context->execve.argc); !! 1175
>> 1176 if (axi->mm != current->mm)
>> 1177 return; /* execve failed, no additional info */
>> 1178
>> 1179 p = (const char __user *)axi->mm->arg_start;
1292 1180
1293 /* NOTE: the caller handles the final !! 1181 audit_log_format(*ab, "argc=%d", axi->argc);
>> 1182
>> 1183 /*
>> 1184 * we need some kernel buffer to hold the userspace args. Just
>> 1185 * allocate one big one rather than allocating one of the right size
>> 1186 * for every single argument inside audit_log_single_execve_arg()
>> 1187 * should be <8k allocation so should be pretty safe.
>> 1188 */
>> 1189 buf = kmalloc(MAX_EXECVE_AUDIT_LEN + 1, GFP_KERNEL);
>> 1190 if (!buf) {
>> 1191 audit_panic("out of memory for argv string\n");
>> 1192 return;
>> 1193 }
1294 1194
1295 out: !! 1195 for (i = 0; i < axi->argc; i++) {
1296 kfree(buf_head); !! 1196 len = audit_log_single_execve_arg(context, ab, i,
>> 1197 &len_sent, p, buf);
>> 1198 if (len <= 0)
>> 1199 break;
>> 1200 p += len;
>> 1201 }
>> 1202 kfree(buf);
1297 } 1203 }
1298 1204
1299 static void audit_log_cap(struct audit_buffer !! 1205 static void audit_log_cap(struct audit_buffer *ab, char *prefix, kernel_cap_t *cap)
1300 kernel_cap_t *cap) <<
1301 { 1206 {
1302 if (cap_isclear(*cap)) { !! 1207 int i;
1303 audit_log_format(ab, " %s=0", !! 1208
1304 return; !! 1209 audit_log_format(ab, " %s=", prefix);
>> 1210 CAP_FOR_EACH_U32(i) {
>> 1211 audit_log_format(ab, "%08x", cap->cap[(_KERNEL_CAPABILITY_U32S-1) - i]);
1305 } 1212 }
1306 audit_log_format(ab, " %s=%016llx", p <<
1307 } 1213 }
1308 1214
1309 static void audit_log_fcaps(struct audit_buff 1215 static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name)
1310 { 1216 {
1311 if (name->fcap_ver == -1) { !! 1217 kernel_cap_t *perm = &name->fcap.permitted;
1312 audit_log_format(ab, " cap_fe !! 1218 kernel_cap_t *inh = &name->fcap.inheritable;
1313 return; !! 1219 int log = 0;
1314 } <<
1315 audit_log_cap(ab, "cap_fp", &name->fc <<
1316 audit_log_cap(ab, "cap_fi", &name->fc <<
1317 audit_log_format(ab, " cap_fe=%d cap_ <<
1318 name->fcap.fE, name- <<
1319 from_kuid(&init_user <<
1320 } <<
1321 <<
1322 static void audit_log_time(struct audit_conte <<
1323 { <<
1324 const struct audit_ntp_data *ntp = &c <<
1325 const struct timespec64 *tk = &contex <<
1326 static const char * const ntp_name[] <<
1327 "offset", <<
1328 "freq", <<
1329 "status", <<
1330 "tai", <<
1331 "tick", <<
1332 "adjust", <<
1333 }; <<
1334 int type; <<
1335 1220
1336 if (context->type == AUDIT_TIME_ADJNT !! 1221 if (!cap_isclear(*perm)) {
1337 for (type = 0; type < AUDIT_N !! 1222 audit_log_cap(ab, "cap_fp", perm);
1338 if (ntp->vals[type].n !! 1223 log = 1;
1339 if (!*ab) { <<
1340 *ab = <<
1341 <<
1342 <<
1343 if (! <<
1344 <<
1345 } <<
1346 audit_log_for <<
1347 <<
1348 <<
1349 <<
1350 audit_log_end <<
1351 *ab = NULL; <<
1352 } <<
1353 } <<
1354 } 1224 }
1355 if (tk->tv_sec != 0 || tk->tv_nsec != !! 1225 if (!cap_isclear(*inh)) {
1356 if (!*ab) { !! 1226 audit_log_cap(ab, "cap_fi", inh);
1357 *ab = audit_log_start !! 1227 log = 1;
1358 <<
1359 if (!*ab) <<
1360 return; <<
1361 } <<
1362 audit_log_format(*ab, "sec=%l <<
1363 (long long)t <<
1364 audit_log_end(*ab); <<
1365 *ab = NULL; <<
1366 } 1228 }
>> 1229
>> 1230 if (log)
>> 1231 audit_log_format(ab, " cap_fe=%d cap_fver=%x", name->fcap.fE, name->fcap_ver);
1367 } 1232 }
1368 1233
1369 static void show_special(struct audit_context 1234 static void show_special(struct audit_context *context, int *call_panic)
1370 { 1235 {
1371 struct audit_buffer *ab; 1236 struct audit_buffer *ab;
1372 int i; 1237 int i;
1373 1238
1374 ab = audit_log_start(context, GFP_KER 1239 ab = audit_log_start(context, GFP_KERNEL, context->type);
1375 if (!ab) 1240 if (!ab)
1376 return; 1241 return;
1377 1242
1378 switch (context->type) { 1243 switch (context->type) {
1379 case AUDIT_SOCKETCALL: { 1244 case AUDIT_SOCKETCALL: {
1380 int nargs = context->socketca 1245 int nargs = context->socketcall.nargs;
1381 <<
1382 audit_log_format(ab, "nargs=% 1246 audit_log_format(ab, "nargs=%d", nargs);
1383 for (i = 0; i < nargs; i++) 1247 for (i = 0; i < nargs; i++)
1384 audit_log_format(ab, 1248 audit_log_format(ab, " a%d=%lx", i,
1385 context->sock 1249 context->socketcall.args[i]);
1386 break; } 1250 break; }
1387 case AUDIT_IPC: { 1251 case AUDIT_IPC: {
1388 u32 osid = context->ipc.osid; 1252 u32 osid = context->ipc.osid;
1389 1253
1390 audit_log_format(ab, "ouid=%u !! 1254 audit_log_format(ab, "ouid=%u ogid=%u mode=%#o",
1391 from_kuid(&i !! 1255 context->ipc.uid, context->ipc.gid, context->ipc.mode);
1392 from_kgid(&i <<
1393 context->ipc <<
1394 if (osid) { 1256 if (osid) {
1395 char *ctx = NULL; 1257 char *ctx = NULL;
1396 u32 len; 1258 u32 len;
1397 <<
1398 if (security_secid_to 1259 if (security_secid_to_secctx(osid, &ctx, &len)) {
1399 audit_log_for 1260 audit_log_format(ab, " osid=%u", osid);
1400 *call_panic = 1261 *call_panic = 1;
1401 } else { 1262 } else {
1402 audit_log_for 1263 audit_log_format(ab, " obj=%s", ctx);
1403 security_rele 1264 security_release_secctx(ctx, len);
1404 } 1265 }
1405 } 1266 }
1406 if (context->ipc.has_perm) { 1267 if (context->ipc.has_perm) {
1407 audit_log_end(ab); 1268 audit_log_end(ab);
1408 ab = audit_log_start( 1269 ab = audit_log_start(context, GFP_KERNEL,
1409 1270 AUDIT_IPC_SET_PERM);
1410 if (unlikely(!ab)) <<
1411 return; <<
1412 audit_log_format(ab, 1271 audit_log_format(ab,
1413 "qbytes=%lx o !! 1272 "qbytes=%lx ouid=%u ogid=%u mode=%#o",
1414 context->ipc. 1273 context->ipc.qbytes,
1415 context->ipc. 1274 context->ipc.perm_uid,
1416 context->ipc. 1275 context->ipc.perm_gid,
1417 context->ipc. 1276 context->ipc.perm_mode);
>> 1277 if (!ab)
>> 1278 return;
1418 } 1279 }
1419 break; } 1280 break; }
1420 case AUDIT_MQ_OPEN: !! 1281 case AUDIT_MQ_OPEN: {
1421 audit_log_format(ab, 1282 audit_log_format(ab,
1422 "oflag=0x%x mode=%#ho !! 1283 "oflag=0x%x mode=%#o mq_flags=0x%lx mq_maxmsg=%ld "
1423 "mq_msgsize=%ld mq_cu 1284 "mq_msgsize=%ld mq_curmsgs=%ld",
1424 context->mq_open.ofla 1285 context->mq_open.oflag, context->mq_open.mode,
1425 context->mq_open.attr 1286 context->mq_open.attr.mq_flags,
1426 context->mq_open.attr 1287 context->mq_open.attr.mq_maxmsg,
1427 context->mq_open.attr 1288 context->mq_open.attr.mq_msgsize,
1428 context->mq_open.attr 1289 context->mq_open.attr.mq_curmsgs);
1429 break; !! 1290 break; }
1430 case AUDIT_MQ_SENDRECV: !! 1291 case AUDIT_MQ_SENDRECV: {
1431 audit_log_format(ab, 1292 audit_log_format(ab,
1432 "mqdes=%d msg_len=%zd 1293 "mqdes=%d msg_len=%zd msg_prio=%u "
1433 "abs_timeout_sec=%lld !! 1294 "abs_timeout_sec=%ld abs_timeout_nsec=%ld",
1434 context->mq_sendrecv. 1295 context->mq_sendrecv.mqdes,
1435 context->mq_sendrecv. 1296 context->mq_sendrecv.msg_len,
1436 context->mq_sendrecv. 1297 context->mq_sendrecv.msg_prio,
1437 (long long) context-> !! 1298 context->mq_sendrecv.abs_timeout.tv_sec,
1438 context->mq_sendrecv. 1299 context->mq_sendrecv.abs_timeout.tv_nsec);
1439 break; !! 1300 break; }
1440 case AUDIT_MQ_NOTIFY: !! 1301 case AUDIT_MQ_NOTIFY: {
1441 audit_log_format(ab, "mqdes=% 1302 audit_log_format(ab, "mqdes=%d sigev_signo=%d",
1442 context->mq_n 1303 context->mq_notify.mqdes,
1443 context->mq_n 1304 context->mq_notify.sigev_signo);
1444 break; !! 1305 break; }
1445 case AUDIT_MQ_GETSETATTR: { 1306 case AUDIT_MQ_GETSETATTR: {
1446 struct mq_attr *attr = &conte 1307 struct mq_attr *attr = &context->mq_getsetattr.mqstat;
1447 <<
1448 audit_log_format(ab, 1308 audit_log_format(ab,
1449 "mqdes=%d mq_flags=0x 1309 "mqdes=%d mq_flags=0x%lx mq_maxmsg=%ld mq_msgsize=%ld "
1450 "mq_curmsgs=%ld ", 1310 "mq_curmsgs=%ld ",
1451 context->mq_getsetatt 1311 context->mq_getsetattr.mqdes,
1452 attr->mq_flags, attr- 1312 attr->mq_flags, attr->mq_maxmsg,
1453 attr->mq_msgsize, att 1313 attr->mq_msgsize, attr->mq_curmsgs);
1454 break; } 1314 break; }
1455 case AUDIT_CAPSET: !! 1315 case AUDIT_CAPSET: {
1456 audit_log_format(ab, "pid=%d" 1316 audit_log_format(ab, "pid=%d", context->capset.pid);
1457 audit_log_cap(ab, "cap_pi", & 1317 audit_log_cap(ab, "cap_pi", &context->capset.cap.inheritable);
1458 audit_log_cap(ab, "cap_pp", & 1318 audit_log_cap(ab, "cap_pp", &context->capset.cap.permitted);
1459 audit_log_cap(ab, "cap_pe", & 1319 audit_log_cap(ab, "cap_pe", &context->capset.cap.effective);
1460 audit_log_cap(ab, "cap_pa", & !! 1320 break; }
1461 break; <<
1462 case AUDIT_MMAP: <<
1463 audit_log_format(ab, "fd=%d f <<
1464 context->mma <<
1465 break; <<
1466 case AUDIT_OPENAT2: <<
1467 audit_log_format(ab, "oflag=0 <<
1468 context->ope <<
1469 context->ope <<
1470 context->ope <<
1471 break; <<
1472 case AUDIT_EXECVE: <<
1473 audit_log_execve_info(context <<
1474 break; <<
1475 case AUDIT_KERN_MODULE: <<
1476 audit_log_format(ab, "name=") <<
1477 if (context->module.name) { <<
1478 audit_log_untrustedst <<
1479 } else <<
1480 audit_log_format(ab, <<
1481 <<
1482 break; <<
1483 case AUDIT_TIME_ADJNTPVAL: <<
1484 case AUDIT_TIME_INJOFFSET: <<
1485 /* this call deviates from th <<
1486 audit_log_time(context, &ab); <<
1487 break; <<
1488 } 1321 }
1489 audit_log_end(ab); 1322 audit_log_end(ab);
1490 } 1323 }
1491 1324
1492 static inline int audit_proctitle_rtrim(char !! 1325 static void audit_log_exit(struct audit_context *context, struct task_struct *tsk)
1493 { <<
1494 char *end = proctitle + len - 1; <<
1495 <<
1496 while (end > proctitle && !isprint(*e <<
1497 end--; <<
1498 <<
1499 /* catch the case where proctitle is <<
1500 len = end - proctitle + 1; <<
1501 len -= isprint(proctitle[len-1]) == 0 <<
1502 return len; <<
1503 } <<
1504 <<
1505 /* <<
1506 * audit_log_name - produce AUDIT_PATH record <<
1507 * @context: audit_context for the task <<
1508 * @n: audit_names structure with reportable <<
1509 * @path: optional path to report instead of <<
1510 * @record_num: record number to report when <<
1511 * @call_panic: optional pointer to int that <<
1512 */ <<
1513 static void audit_log_name(struct audit_conte <<
1514 const struct path *path, <<
1515 { 1326 {
>> 1327 const struct cred *cred;
>> 1328 int i, call_panic = 0;
1516 struct audit_buffer *ab; 1329 struct audit_buffer *ab;
>> 1330 struct audit_aux_data *aux;
>> 1331 const char *tty;
1517 1332
1518 ab = audit_log_start(context, GFP_KER !! 1333 /* tsk == current */
1519 if (!ab) !! 1334 context->pid = tsk->pid;
1520 return; !! 1335 if (!context->ppid)
1521 !! 1336 context->ppid = sys_getppid();
1522 audit_log_format(ab, "item=%d", recor !! 1337 cred = current_cred();
1523 !! 1338 context->uid = cred->uid;
1524 if (path) !! 1339 context->gid = cred->gid;
1525 audit_log_d_path(ab, " name=" !! 1340 context->euid = cred->euid;
1526 else if (n->name) { !! 1341 context->suid = cred->suid;
1527 switch (n->name_len) { !! 1342 context->fsuid = cred->fsuid;
1528 case AUDIT_NAME_FULL: !! 1343 context->egid = cred->egid;
1529 /* log the full path !! 1344 context->sgid = cred->sgid;
1530 audit_log_format(ab, !! 1345 context->fsgid = cred->fsgid;
1531 audit_log_untrustedst !! 1346 context->personality = tsk->personality;
1532 break; <<
1533 case 0: <<
1534 /* name was specified <<
1535 * directory componen <<
1536 */ <<
1537 if (context->pwd.dent <<
1538 audit_log_d_p <<
1539 else <<
1540 audit_log_for <<
1541 break; <<
1542 default: <<
1543 /* log the name's dir <<
1544 audit_log_format(ab, <<
1545 audit_log_n_untrusted <<
1546 <<
1547 } <<
1548 } else <<
1549 audit_log_format(ab, " name=( <<
1550 <<
1551 if (n->ino != AUDIT_INO_UNSET) <<
1552 audit_log_format(ab, " inode= <<
1553 n->ino, <<
1554 MAJOR(n->dev <<
1555 MINOR(n->dev <<
1556 n->mode, <<
1557 from_kuid(&i <<
1558 from_kgid(&i <<
1559 MAJOR(n->rde <<
1560 MINOR(n->rde <<
1561 if (n->osid != 0) { <<
1562 char *ctx = NULL; <<
1563 u32 len; <<
1564 <<
1565 if (security_secid_to_secctx( <<
1566 n->osid, &ctx, &len)) <<
1567 audit_log_format(ab, <<
1568 if (call_panic) <<
1569 *call_panic = <<
1570 } else { <<
1571 audit_log_format(ab, <<
1572 security_release_secc <<
1573 } <<
1574 } <<
1575 <<
1576 /* log the audit_names record type */ <<
1577 switch (n->type) { <<
1578 case AUDIT_TYPE_NORMAL: <<
1579 audit_log_format(ab, " namety <<
1580 break; <<
1581 case AUDIT_TYPE_PARENT: <<
1582 audit_log_format(ab, " namety <<
1583 break; <<
1584 case AUDIT_TYPE_CHILD_DELETE: <<
1585 audit_log_format(ab, " namety <<
1586 break; <<
1587 case AUDIT_TYPE_CHILD_CREATE: <<
1588 audit_log_format(ab, " namety <<
1589 break; <<
1590 default: <<
1591 audit_log_format(ab, " namety <<
1592 break; <<
1593 } <<
1594 <<
1595 audit_log_fcaps(ab, n); <<
1596 audit_log_end(ab); <<
1597 } <<
1598 <<
1599 static void audit_log_proctitle(void) <<
1600 { <<
1601 int res; <<
1602 char *buf; <<
1603 char *msg = "(null)"; <<
1604 int len = strlen(msg); <<
1605 struct audit_context *context = audit <<
1606 struct audit_buffer *ab; <<
1607 1347
1608 ab = audit_log_start(context, GFP_KER !! 1348 ab = audit_log_start(context, GFP_KERNEL, AUDIT_SYSCALL);
1609 if (!ab) 1349 if (!ab)
1610 return; /* audit_panic or bei !! 1350 return; /* audit_panic has been called */
1611 !! 1351 audit_log_format(ab, "arch=%x syscall=%d",
1612 audit_log_format(ab, "proctitle="); !! 1352 context->arch, context->major);
1613 !! 1353 if (context->personality != PER_LINUX)
1614 /* Not cached */ !! 1354 audit_log_format(ab, " per=%lx", context->personality);
1615 if (!context->proctitle.value) { !! 1355 if (context->return_valid)
1616 buf = kmalloc(MAX_PROCTITLE_A !! 1356 audit_log_format(ab, " success=%s exit=%ld",
1617 if (!buf) !! 1357 (context->return_valid==AUDITSC_SUCCESS)?"yes":"no",
1618 goto out; !! 1358 context->return_code);
1619 /* Historically called this f <<
1620 res = get_cmdline(current, bu <<
1621 if (res == 0) { <<
1622 kfree(buf); <<
1623 goto out; <<
1624 } <<
1625 res = audit_proctitle_rtrim(b <<
1626 if (res == 0) { <<
1627 kfree(buf); <<
1628 goto out; <<
1629 } <<
1630 context->proctitle.value = bu <<
1631 context->proctitle.len = res; <<
1632 } <<
1633 msg = context->proctitle.value; <<
1634 len = context->proctitle.len; <<
1635 out: <<
1636 audit_log_n_untrustedstring(ab, msg, <<
1637 audit_log_end(ab); <<
1638 } <<
1639 1359
1640 /** !! 1360 spin_lock_irq(&tsk->sighand->siglock);
1641 * audit_log_uring - generate a AUDIT_URINGOP !! 1361 if (tsk->signal && tsk->signal->tty && tsk->signal->tty->name)
1642 * @ctx: the audit context !! 1362 tty = tsk->signal->tty->name;
1643 */ !! 1363 else
1644 static void audit_log_uring(struct audit_cont !! 1364 tty = "(none)";
1645 { !! 1365 spin_unlock_irq(&tsk->sighand->siglock);
1646 struct audit_buffer *ab; <<
1647 const struct cred *cred; <<
1648 1366
1649 ab = audit_log_start(ctx, GFP_ATOMIC, <<
1650 if (!ab) <<
1651 return; <<
1652 cred = current_cred(); <<
1653 audit_log_format(ab, "uring_op=%d", c <<
1654 if (ctx->return_valid != AUDITSC_INVA <<
1655 audit_log_format(ab, " succes <<
1656 (ctx->return <<
1657 "yes" : "no <<
1658 ctx->return_ <<
1659 audit_log_format(ab, 1367 audit_log_format(ab,
1660 " items=%d" !! 1368 " a0=%lx a1=%lx a2=%lx a3=%lx items=%d"
1661 " ppid=%d pid=%d uid !! 1369 " ppid=%d pid=%d auid=%u uid=%u gid=%u"
1662 " fsuid=%u egid=%u s !! 1370 " euid=%u suid=%u fsuid=%u"
1663 ctx->name_count, !! 1371 " egid=%u sgid=%u fsgid=%u tty=%s ses=%u",
1664 task_ppid_nr(current !! 1372 context->argv[0],
1665 from_kuid(&init_user !! 1373 context->argv[1],
1666 from_kgid(&init_user !! 1374 context->argv[2],
1667 from_kuid(&init_user !! 1375 context->argv[3],
1668 from_kuid(&init_user !! 1376 context->name_count,
1669 from_kuid(&init_user !! 1377 context->ppid,
1670 from_kgid(&init_user !! 1378 context->pid,
1671 from_kgid(&init_user !! 1379 tsk->loginuid,
1672 from_kgid(&init_user !! 1380 context->uid,
1673 audit_log_task_context(ab); !! 1381 context->gid,
1674 audit_log_key(ab, ctx->filterkey); !! 1382 context->euid, context->suid, context->fsuid,
1675 audit_log_end(ab); !! 1383 context->egid, context->sgid, context->fsgid, tty,
1676 } !! 1384 tsk->sessionid);
1677 <<
1678 static void audit_log_exit(void) <<
1679 { <<
1680 int i, call_panic = 0; <<
1681 struct audit_context *context = audit <<
1682 struct audit_buffer *ab; <<
1683 struct audit_aux_data *aux; <<
1684 struct audit_names *n; <<
1685 1385
1686 context->personality = current->perso <<
1687 1386
1688 switch (context->context) { !! 1387 audit_log_task_info(ab, tsk);
1689 case AUDIT_CTX_SYSCALL: !! 1388 audit_log_key(ab, context->filterkey);
1690 ab = audit_log_start(context, !! 1389 audit_log_end(ab);
1691 if (!ab) <<
1692 return; <<
1693 audit_log_format(ab, "arch=%x <<
1694 context->arc <<
1695 if (context->personality != P <<
1696 audit_log_format(ab, <<
1697 if (context->return_valid != <<
1698 audit_log_format(ab, <<
1699 (con <<
1700 "ye <<
1701 cont <<
1702 audit_log_format(ab, <<
1703 " a0=%lx a1= <<
1704 context->arg <<
1705 context->arg <<
1706 context->arg <<
1707 context->arg <<
1708 context->nam <<
1709 audit_log_task_info(ab); <<
1710 audit_log_key(ab, context->fi <<
1711 audit_log_end(ab); <<
1712 break; <<
1713 case AUDIT_CTX_URING: <<
1714 audit_log_uring(context); <<
1715 break; <<
1716 default: <<
1717 BUG(); <<
1718 break; <<
1719 } <<
1720 1390
1721 for (aux = context->aux; aux; aux = a 1391 for (aux = context->aux; aux; aux = aux->next) {
1722 1392
1723 ab = audit_log_start(context, 1393 ab = audit_log_start(context, GFP_KERNEL, aux->type);
1724 if (!ab) 1394 if (!ab)
1725 continue; /* audit_pa 1395 continue; /* audit_panic has been called */
1726 1396
1727 switch (aux->type) { 1397 switch (aux->type) {
1728 1398
>> 1399 case AUDIT_EXECVE: {
>> 1400 struct audit_aux_data_execve *axi = (void *)aux;
>> 1401 audit_log_execve_info(context, &ab, axi);
>> 1402 break; }
>> 1403
1729 case AUDIT_BPRM_FCAPS: { 1404 case AUDIT_BPRM_FCAPS: {
1730 struct audit_aux_data 1405 struct audit_aux_data_bprm_fcaps *axs = (void *)aux;
1731 <<
1732 audit_log_format(ab, 1406 audit_log_format(ab, "fver=%x", axs->fcap_ver);
1733 audit_log_cap(ab, "fp 1407 audit_log_cap(ab, "fp", &axs->fcap.permitted);
1734 audit_log_cap(ab, "fi 1408 audit_log_cap(ab, "fi", &axs->fcap.inheritable);
1735 audit_log_format(ab, 1409 audit_log_format(ab, " fe=%d", axs->fcap.fE);
1736 audit_log_cap(ab, "ol 1410 audit_log_cap(ab, "old_pp", &axs->old_pcap.permitted);
1737 audit_log_cap(ab, "ol 1411 audit_log_cap(ab, "old_pi", &axs->old_pcap.inheritable);
1738 audit_log_cap(ab, "ol 1412 audit_log_cap(ab, "old_pe", &axs->old_pcap.effective);
1739 audit_log_cap(ab, "ol !! 1413 audit_log_cap(ab, "new_pp", &axs->new_pcap.permitted);
1740 audit_log_cap(ab, "pp !! 1414 audit_log_cap(ab, "new_pi", &axs->new_pcap.inheritable);
1741 audit_log_cap(ab, "pi !! 1415 audit_log_cap(ab, "new_pe", &axs->new_pcap.effective);
1742 audit_log_cap(ab, "pe <<
1743 audit_log_cap(ab, "pa <<
1744 audit_log_format(ab, <<
1745 from <<
1746 <<
1747 break; } 1416 break; }
1748 1417
1749 } 1418 }
1750 audit_log_end(ab); 1419 audit_log_end(ab);
1751 } 1420 }
1752 1421
1753 if (context->type) 1422 if (context->type)
1754 show_special(context, &call_p 1423 show_special(context, &call_panic);
1755 1424
1756 if (context->fds[0] >= 0) { 1425 if (context->fds[0] >= 0) {
1757 ab = audit_log_start(context, 1426 ab = audit_log_start(context, GFP_KERNEL, AUDIT_FD_PAIR);
1758 if (ab) { 1427 if (ab) {
1759 audit_log_format(ab, 1428 audit_log_format(ab, "fd0=%d fd1=%d",
1760 conte 1429 context->fds[0], context->fds[1]);
1761 audit_log_end(ab); 1430 audit_log_end(ab);
1762 } 1431 }
1763 } 1432 }
1764 1433
1765 if (context->sockaddr_len) { 1434 if (context->sockaddr_len) {
1766 ab = audit_log_start(context, 1435 ab = audit_log_start(context, GFP_KERNEL, AUDIT_SOCKADDR);
1767 if (ab) { 1436 if (ab) {
1768 audit_log_format(ab, 1437 audit_log_format(ab, "saddr=");
1769 audit_log_n_hex(ab, ( 1438 audit_log_n_hex(ab, (void *)context->sockaddr,
1770 conte 1439 context->sockaddr_len);
1771 audit_log_end(ab); 1440 audit_log_end(ab);
1772 } 1441 }
1773 } 1442 }
1774 1443
1775 for (aux = context->aux_pids; aux; au 1444 for (aux = context->aux_pids; aux; aux = aux->next) {
1776 struct audit_aux_data_pids *a 1445 struct audit_aux_data_pids *axs = (void *)aux;
1777 1446
1778 for (i = 0; i < axs->pid_coun 1447 for (i = 0; i < axs->pid_count; i++)
1779 if (audit_log_pid_con 1448 if (audit_log_pid_context(context, axs->target_pid[i],
1780 1449 axs->target_auid[i],
1781 1450 axs->target_uid[i],
1782 1451 axs->target_sessionid[i],
1783 1452 axs->target_sid[i],
1784 1453 axs->target_comm[i]))
1785 call_panic = 1454 call_panic = 1;
1786 } 1455 }
1787 1456
1788 if (context->target_pid && 1457 if (context->target_pid &&
1789 audit_log_pid_context(context, co 1458 audit_log_pid_context(context, context->target_pid,
1790 context->ta 1459 context->target_auid, context->target_uid,
1791 context->ta 1460 context->target_sessionid,
1792 context->ta 1461 context->target_sid, context->target_comm))
1793 call_panic = 1; 1462 call_panic = 1;
1794 1463
1795 if (context->pwd.dentry && context->p 1464 if (context->pwd.dentry && context->pwd.mnt) {
1796 ab = audit_log_start(context, 1465 ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD);
1797 if (ab) { 1466 if (ab) {
1798 audit_log_d_path(ab, 1467 audit_log_d_path(ab, "cwd=", &context->pwd);
1799 audit_log_end(ab); 1468 audit_log_end(ab);
1800 } 1469 }
1801 } 1470 }
>> 1471 for (i = 0; i < context->name_count; i++) {
>> 1472 struct audit_names *n = &context->names[i];
1802 1473
1803 i = 0; !! 1474 ab = audit_log_start(context, GFP_KERNEL, AUDIT_PATH);
1804 list_for_each_entry(n, &context->name !! 1475 if (!ab)
1805 if (n->hidden) !! 1476 continue; /* audit_panic has been called */
1806 continue; !! 1477
1807 audit_log_name(context, n, NU !! 1478 audit_log_format(ab, "item=%d", i);
1808 } !! 1479
>> 1480 if (n->name) {
>> 1481 switch(n->name_len) {
>> 1482 case AUDIT_NAME_FULL:
>> 1483 /* log the full path */
>> 1484 audit_log_format(ab, " name=");
>> 1485 audit_log_untrustedstring(ab, n->name);
>> 1486 break;
>> 1487 case 0:
>> 1488 /* name was specified as a relative path and the
>> 1489 * directory component is the cwd */
>> 1490 audit_log_d_path(ab, "name=", &context->pwd);
>> 1491 break;
>> 1492 default:
>> 1493 /* log the name's directory component */
>> 1494 audit_log_format(ab, " name=");
>> 1495 audit_log_n_untrustedstring(ab, n->name,
>> 1496 n->name_len);
>> 1497 }
>> 1498 } else
>> 1499 audit_log_format(ab, " name=(null)");
>> 1500
>> 1501 if (n->ino != (unsigned long)-1) {
>> 1502 audit_log_format(ab, " inode=%lu"
>> 1503 " dev=%02x:%02x mode=%#o"
>> 1504 " ouid=%u ogid=%u rdev=%02x:%02x",
>> 1505 n->ino,
>> 1506 MAJOR(n->dev),
>> 1507 MINOR(n->dev),
>> 1508 n->mode,
>> 1509 n->uid,
>> 1510 n->gid,
>> 1511 MAJOR(n->rdev),
>> 1512 MINOR(n->rdev));
>> 1513 }
>> 1514 if (n->osid != 0) {
>> 1515 char *ctx = NULL;
>> 1516 u32 len;
>> 1517 if (security_secid_to_secctx(
>> 1518 n->osid, &ctx, &len)) {
>> 1519 audit_log_format(ab, " osid=%u", n->osid);
>> 1520 call_panic = 2;
>> 1521 } else {
>> 1522 audit_log_format(ab, " obj=%s", ctx);
>> 1523 security_release_secctx(ctx, len);
>> 1524 }
>> 1525 }
1809 1526
1810 if (context->context == AUDIT_CTX_SYS !! 1527 audit_log_fcaps(ab, n);
1811 audit_log_proctitle(); !! 1528
>> 1529 audit_log_end(ab);
>> 1530 }
1812 1531
1813 /* Send end of event record to help u 1532 /* Send end of event record to help user space know we are finished */
1814 ab = audit_log_start(context, GFP_KER 1533 ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE);
1815 if (ab) 1534 if (ab)
1816 audit_log_end(ab); 1535 audit_log_end(ab);
1817 if (call_panic) 1536 if (call_panic)
1818 audit_panic("error in audit_l !! 1537 audit_panic("error converting sid to string");
1819 } 1538 }
1820 1539
1821 /** 1540 /**
1822 * __audit_free - free a per-task audit conte !! 1541 * audit_free - free a per-task audit context
1823 * @tsk: task whose audit context block to fr 1542 * @tsk: task whose audit context block to free
1824 * 1543 *
1825 * Called from copy_process, do_exit, and the !! 1544 * Called from copy_process and do_exit
1826 */ 1545 */
1827 void __audit_free(struct task_struct *tsk) !! 1546 void audit_free(struct task_struct *tsk)
1828 { 1547 {
1829 struct audit_context *context = tsk-> !! 1548 struct audit_context *context;
1830 1549
1831 if (!context) !! 1550 context = audit_get_context(tsk, 0, 0);
>> 1551 if (likely(!context))
1832 return; 1552 return;
1833 1553
1834 /* this may generate CONFIG_CHANGE re !! 1554 /* Check for system calls that do not go through the exit
>> 1555 * function (e.g., exit_group), then free context block.
>> 1556 * We use GFP_ATOMIC here because we might be doing this
>> 1557 * in the context of the idle thread */
>> 1558 /* that can happen only if we are called from do_exit() */
>> 1559 if (context->in_syscall && context->current_state == AUDIT_RECORD_CONTEXT)
>> 1560 audit_log_exit(context, tsk);
1835 if (!list_empty(&context->killed_tree 1561 if (!list_empty(&context->killed_trees))
1836 audit_kill_trees(context); !! 1562 audit_kill_trees(&context->killed_trees);
1837 1563
1838 /* We are called either by do_exit() <<
1839 * in the former case tsk == current <<
1840 * random task_struct that doesn't ha <<
1841 * need to log via audit_log_exit(). <<
1842 */ <<
1843 if (tsk == current && !context->dummy <<
1844 context->return_valid = AUDIT <<
1845 context->return_code = 0; <<
1846 if (context->context == AUDIT <<
1847 audit_filter_syscall( <<
1848 audit_filter_inodes(t <<
1849 if (context->current_ <<
1850 audit_log_exi <<
1851 } else if (context->context = <<
1852 /* TODO: verify this <<
1853 audit_filter_uring(ts <<
1854 audit_filter_inodes(t <<
1855 if (context->current_ <<
1856 audit_log_uri <<
1857 } <<
1858 } <<
1859 <<
1860 audit_set_context(tsk, NULL); <<
1861 audit_free_context(context); 1564 audit_free_context(context);
1862 } 1565 }
1863 1566
1864 /** 1567 /**
1865 * audit_return_fixup - fixup the return code !! 1568 * audit_syscall_entry - fill in an audit record at syscall entry
1866 * @ctx: the audit_context !! 1569 * @arch: architecture type
1867 * @success: true/false value to indicate if <<
1868 * @code: operation return code <<
1869 * <<
1870 * We need to fixup the return code in the au <<
1871 * codes are later going to be fixed by the a <<
1872 */ <<
1873 static void audit_return_fixup(struct audit_c <<
1874 int success, l <<
1875 { <<
1876 /* <<
1877 * This is actually a test for: <<
1878 * (rc == ERESTARTSYS ) || (rc == ERE <<
1879 * (rc == ERESTARTNOHAND) || (rc == E <<
1880 * <<
1881 * but is faster than a bunch of || <<
1882 */ <<
1883 if (unlikely(code <= -ERESTARTSYS) && <<
1884 (code >= -ERESTART_RESTARTBLOCK) <<
1885 (code != -ENOIOCTLCMD)) <<
1886 ctx->return_code = -EINTR; <<
1887 else <<
1888 ctx->return_code = code; <<
1889 ctx->return_valid = (success ? AUDITS <<
1890 } <<
1891 <<
1892 /** <<
1893 * __audit_uring_entry - prepare the kernel t <<
1894 * @op: the io_uring opcode <<
1895 * <<
1896 * This is similar to audit_syscall_entry() b <<
1897 * operations. This function should only eve <<
1898 * audit_uring_entry() as we rely on the audi <<
1899 * function. <<
1900 */ <<
1901 void __audit_uring_entry(u8 op) <<
1902 { <<
1903 struct audit_context *ctx = audit_con <<
1904 <<
1905 if (ctx->state == AUDIT_STATE_DISABLE <<
1906 return; <<
1907 <<
1908 /* <<
1909 * NOTE: It's possible that we can be <<
1910 * before it returns to userspa <<
1911 * is called. In this case the <<
1912 * the io_uring details and ret <<
1913 */ <<
1914 ctx->uring_op = op; <<
1915 if (ctx->context == AUDIT_CTX_SYSCALL <<
1916 return; <<
1917 <<
1918 ctx->dummy = !audit_n_rules; <<
1919 if (!ctx->dummy && ctx->state == AUDI <<
1920 ctx->prio = 0; <<
1921 <<
1922 ctx->context = AUDIT_CTX_URING; <<
1923 ctx->current_state = ctx->state; <<
1924 ktime_get_coarse_real_ts64(&ctx->ctim <<
1925 } <<
1926 <<
1927 /** <<
1928 * __audit_uring_exit - wrap up the kernel ta <<
1929 * @success: true/false value to indicate if <<
1930 * @code: operation return code <<
1931 * <<
1932 * This is similar to audit_syscall_exit() bu <<
1933 * operations. This function should only eve <<
1934 * audit_uring_exit() as we rely on the audit <<
1935 * function. <<
1936 */ <<
1937 void __audit_uring_exit(int success, long cod <<
1938 { <<
1939 struct audit_context *ctx = audit_con <<
1940 <<
1941 if (ctx->dummy) { <<
1942 if (ctx->context != AUDIT_CTX <<
1943 return; <<
1944 goto out; <<
1945 } <<
1946 <<
1947 audit_return_fixup(ctx, success, code <<
1948 if (ctx->context == AUDIT_CTX_SYSCALL <<
1949 /* <<
1950 * NOTE: See the note in __au <<
1951 * where we may be call <<
1952 * return to userspace <<
1953 * case we simply emit <<
1954 * normal syscall exit <<
1955 * everything else. <<
1956 * It is also worth men <<
1957 * the current process <<
1958 * used during the norm <<
1959 * in mind if/when we m <<
1960 */ <<
1961 <<
1962 /* <<
1963 * We need to filter on the s <<
1964 * should emit a URINGOP reco <<
1965 * solves the problem where u <<
1966 * syscall records in the "ex <<
1967 * the behavior here. <<
1968 */ <<
1969 audit_filter_syscall(current, <<
1970 if (ctx->current_state != AUD <<
1971 audit_filter_uring(cu <<
1972 audit_filter_inodes(current, <<
1973 if (ctx->current_state != AUD <<
1974 return; <<
1975 <<
1976 audit_log_uring(ctx); <<
1977 return; <<
1978 } <<
1979 <<
1980 /* this may generate CONFIG_CHANGE re <<
1981 if (!list_empty(&ctx->killed_trees)) <<
1982 audit_kill_trees(ctx); <<
1983 <<
1984 /* run through both filters to ensure <<
1985 audit_filter_uring(current, ctx); <<
1986 audit_filter_inodes(current, ctx); <<
1987 if (ctx->current_state != AUDIT_STATE <<
1988 goto out; <<
1989 audit_log_exit(); <<
1990 <<
1991 out: <<
1992 audit_reset_context(ctx); <<
1993 } <<
1994 <<
1995 /** <<
1996 * __audit_syscall_entry - fill in an audit r <<
1997 * @major: major syscall type (function) 1570 * @major: major syscall type (function)
1998 * @a1: additional syscall register 1 1571 * @a1: additional syscall register 1
1999 * @a2: additional syscall register 2 1572 * @a2: additional syscall register 2
2000 * @a3: additional syscall register 3 1573 * @a3: additional syscall register 3
2001 * @a4: additional syscall register 4 1574 * @a4: additional syscall register 4
2002 * 1575 *
2003 * Fill in audit context at syscall entry. T 1576 * Fill in audit context at syscall entry. This only happens if the
2004 * audit context was created when the task wa 1577 * audit context was created when the task was created and the state or
2005 * filters demand the audit context be built. 1578 * filters demand the audit context be built. If the state from the
2006 * per-task filter or from the per-syscall fi !! 1579 * per-task filter or from the per-syscall filter is AUDIT_RECORD_CONTEXT,
2007 * then the record will be written at syscall 1580 * then the record will be written at syscall exit time (otherwise, it
2008 * will only be written if another part of th 1581 * will only be written if another part of the kernel requests that it
2009 * be written). 1582 * be written).
2010 */ 1583 */
2011 void __audit_syscall_entry(int major, unsigne !! 1584 void audit_syscall_entry(int arch, int major,
2012 unsigned long a3, !! 1585 unsigned long a1, unsigned long a2,
>> 1586 unsigned long a3, unsigned long a4)
2013 { 1587 {
2014 struct audit_context *context = audit !! 1588 struct task_struct *tsk = current;
>> 1589 struct audit_context *context = tsk->audit_context;
2015 enum audit_state state; 1590 enum audit_state state;
2016 1591
2017 if (!audit_enabled || !context) !! 1592 if (unlikely(!context))
2018 return; 1593 return;
2019 1594
2020 WARN_ON(context->context != AUDIT_CTX !! 1595 /*
2021 WARN_ON(context->name_count); !! 1596 * This happens only on certain architectures that make system
2022 if (context->context != AUDIT_CTX_UNU !! 1597 * calls in kernel_thread via the entry.S interface, instead of
2023 audit_panic("unrecoverable er !! 1598 * with direct calls. (If you are porting to a new
2024 return; !! 1599 * architecture, hitting this condition can indicate that you
>> 1600 * got the _exit/_leave calls backward in entry.S.)
>> 1601 *
>> 1602 * i386 no
>> 1603 * x86_64 no
>> 1604 * ppc64 yes (see arch/powerpc/platforms/iseries/misc.S)
>> 1605 *
>> 1606 * This also happens with vm86 emulation in a non-nested manner
>> 1607 * (entries without exits), so this case must be caught.
>> 1608 */
>> 1609 if (context->in_syscall) {
>> 1610 struct audit_context *newctx;
>> 1611
>> 1612 #if AUDIT_DEBUG
>> 1613 printk(KERN_ERR
>> 1614 "audit(:%d) pid=%d in syscall=%d;"
>> 1615 " entering syscall=%d\n",
>> 1616 context->serial, tsk->pid, context->major, major);
>> 1617 #endif
>> 1618 newctx = audit_alloc_context(context->state);
>> 1619 if (newctx) {
>> 1620 newctx->previous = context;
>> 1621 context = newctx;
>> 1622 tsk->audit_context = newctx;
>> 1623 } else {
>> 1624 /* If we can't alloc a new context, the best we
>> 1625 * can do is to leak memory (any pending putname
>> 1626 * will be lost). The only other alternative is
>> 1627 * to abandon auditing. */
>> 1628 audit_zero_context(context, context->state);
>> 1629 }
2025 } 1630 }
>> 1631 BUG_ON(context->in_syscall || context->name_count);
2026 1632
2027 state = context->state; !! 1633 if (!audit_enabled)
2028 if (state == AUDIT_STATE_DISABLED) <<
2029 return; 1634 return;
2030 1635
2031 context->dummy = !audit_n_rules; !! 1636 context->arch = arch;
2032 if (!context->dummy && state == AUDIT <<
2033 context->prio = 0; <<
2034 if (auditd_test_task(current) <<
2035 return; <<
2036 } <<
2037 <<
2038 context->arch = syscall_get_arc <<
2039 context->major = major; 1637 context->major = major;
2040 context->argv[0] = a1; 1638 context->argv[0] = a1;
2041 context->argv[1] = a2; 1639 context->argv[1] = a2;
2042 context->argv[2] = a3; 1640 context->argv[2] = a3;
2043 context->argv[3] = a4; 1641 context->argv[3] = a4;
2044 context->context = AUDIT_CTX_SYSCALL; !! 1642
>> 1643 state = context->state;
>> 1644 context->dummy = !audit_n_rules;
>> 1645 if (!context->dummy && state == AUDIT_BUILD_CONTEXT) {
>> 1646 context->prio = 0;
>> 1647 state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_ENTRY]);
>> 1648 }
>> 1649 if (likely(state == AUDIT_DISABLED))
>> 1650 return;
>> 1651
>> 1652 context->serial = 0;
>> 1653 context->ctime = CURRENT_TIME;
>> 1654 context->in_syscall = 1;
2045 context->current_state = state; 1655 context->current_state = state;
2046 ktime_get_coarse_real_ts64(&context-> !! 1656 context->ppid = 0;
>> 1657 }
>> 1658
>> 1659 void audit_finish_fork(struct task_struct *child)
>> 1660 {
>> 1661 struct audit_context *ctx = current->audit_context;
>> 1662 struct audit_context *p = child->audit_context;
>> 1663 if (!p || !ctx)
>> 1664 return;
>> 1665 if (!ctx->in_syscall || ctx->current_state != AUDIT_RECORD_CONTEXT)
>> 1666 return;
>> 1667 p->arch = ctx->arch;
>> 1668 p->major = ctx->major;
>> 1669 memcpy(p->argv, ctx->argv, sizeof(ctx->argv));
>> 1670 p->ctime = ctx->ctime;
>> 1671 p->dummy = ctx->dummy;
>> 1672 p->in_syscall = ctx->in_syscall;
>> 1673 p->filterkey = kstrdup(ctx->filterkey, GFP_KERNEL);
>> 1674 p->ppid = current->pid;
>> 1675 p->prio = ctx->prio;
>> 1676 p->current_state = ctx->current_state;
2047 } 1677 }
2048 1678
2049 /** 1679 /**
2050 * __audit_syscall_exit - deallocate audit co !! 1680 * audit_syscall_exit - deallocate audit context after a system call
2051 * @success: success value of the syscall !! 1681 * @valid: success/failure flag
2052 * @return_code: return value of the syscall !! 1682 * @return_code: syscall return value
2053 * 1683 *
2054 * Tear down after system call. If the audit 1684 * Tear down after system call. If the audit context has been marked as
2055 * auditable (either because of the AUDIT_STA !! 1685 * auditable (either because of the AUDIT_RECORD_CONTEXT state from
2056 * filtering, or because some other part of t !! 1686 * filtering, or because some other part of the kernel write an audit
2057 * message), then write out the syscall infor 1687 * message), then write out the syscall information. In call cases,
2058 * free the names stored from getname(). 1688 * free the names stored from getname().
2059 */ 1689 */
2060 void __audit_syscall_exit(int success, long r !! 1690 void audit_syscall_exit(int valid, long return_code)
2061 { 1691 {
2062 struct audit_context *context = audit !! 1692 struct task_struct *tsk = current;
>> 1693 struct audit_context *context;
2063 1694
2064 if (!context || context->dummy || !! 1695 context = audit_get_context(tsk, valid, return_code);
2065 context->context != AUDIT_CTX_SYS <<
2066 goto out; <<
2067 1696
2068 /* this may generate CONFIG_CHANGE re !! 1697 if (likely(!context))
2069 if (!list_empty(&context->killed_tree !! 1698 return;
2070 audit_kill_trees(context); <<
2071 1699
2072 audit_return_fixup(context, success, !! 1700 if (context->in_syscall && context->current_state == AUDIT_RECORD_CONTEXT)
2073 /* run through both filters to ensure !! 1701 audit_log_exit(context, tsk);
2074 audit_filter_syscall(current, context <<
2075 audit_filter_inodes(current, context) <<
2076 if (context->current_state != AUDIT_S <<
2077 goto out; <<
2078 1702
2079 audit_log_exit(); !! 1703 context->in_syscall = 0;
>> 1704 context->prio = context->state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0;
2080 1705
2081 out: !! 1706 if (!list_empty(&context->killed_trees))
2082 audit_reset_context(context); !! 1707 audit_kill_trees(&context->killed_trees);
>> 1708
>> 1709 if (context->previous) {
>> 1710 struct audit_context *new_context = context->previous;
>> 1711 context->previous = NULL;
>> 1712 audit_free_context(context);
>> 1713 tsk->audit_context = new_context;
>> 1714 } else {
>> 1715 audit_free_names(context);
>> 1716 unroll_tree_refs(context, NULL, 0);
>> 1717 audit_free_aux(context);
>> 1718 context->aux = NULL;
>> 1719 context->aux_pids = NULL;
>> 1720 context->target_pid = 0;
>> 1721 context->target_sid = 0;
>> 1722 context->sockaddr_len = 0;
>> 1723 context->type = 0;
>> 1724 context->fds[0] = -1;
>> 1725 if (context->state != AUDIT_RECORD_CONTEXT) {
>> 1726 kfree(context->filterkey);
>> 1727 context->filterkey = NULL;
>> 1728 }
>> 1729 tsk->audit_context = context;
>> 1730 }
2083 } 1731 }
2084 1732
2085 static inline void handle_one(const struct in 1733 static inline void handle_one(const struct inode *inode)
2086 { 1734 {
>> 1735 #ifdef CONFIG_AUDIT_TREE
2087 struct audit_context *context; 1736 struct audit_context *context;
2088 struct audit_tree_refs *p; 1737 struct audit_tree_refs *p;
2089 struct audit_chunk *chunk; 1738 struct audit_chunk *chunk;
2090 int count; 1739 int count;
2091 !! 1740 if (likely(list_empty(&inode->inotify_watches)))
2092 if (likely(!inode->i_fsnotify_marks)) <<
2093 return; 1741 return;
2094 context = audit_context(); !! 1742 context = current->audit_context;
2095 p = context->trees; 1743 p = context->trees;
2096 count = context->tree_count; 1744 count = context->tree_count;
2097 rcu_read_lock(); 1745 rcu_read_lock();
2098 chunk = audit_tree_lookup(inode); 1746 chunk = audit_tree_lookup(inode);
2099 rcu_read_unlock(); 1747 rcu_read_unlock();
2100 if (!chunk) 1748 if (!chunk)
2101 return; 1749 return;
2102 if (likely(put_tree_ref(context, chun 1750 if (likely(put_tree_ref(context, chunk)))
2103 return; 1751 return;
2104 if (unlikely(!grow_tree_refs(context) 1752 if (unlikely(!grow_tree_refs(context))) {
2105 pr_warn("out of memory, audit !! 1753 printk(KERN_WARNING "out of memory, audit has lost a tree reference\n");
2106 audit_set_auditable(context); 1754 audit_set_auditable(context);
2107 audit_put_chunk(chunk); 1755 audit_put_chunk(chunk);
2108 unroll_tree_refs(context, p, 1756 unroll_tree_refs(context, p, count);
2109 return; 1757 return;
2110 } 1758 }
2111 put_tree_ref(context, chunk); 1759 put_tree_ref(context, chunk);
>> 1760 #endif
2112 } 1761 }
2113 1762
2114 static void handle_path(const struct dentry * 1763 static void handle_path(const struct dentry *dentry)
2115 { 1764 {
>> 1765 #ifdef CONFIG_AUDIT_TREE
2116 struct audit_context *context; 1766 struct audit_context *context;
2117 struct audit_tree_refs *p; 1767 struct audit_tree_refs *p;
2118 const struct dentry *d, *parent; 1768 const struct dentry *d, *parent;
2119 struct audit_chunk *drop; 1769 struct audit_chunk *drop;
2120 unsigned long seq; 1770 unsigned long seq;
2121 int count; 1771 int count;
2122 1772
2123 context = audit_context(); !! 1773 context = current->audit_context;
2124 p = context->trees; 1774 p = context->trees;
2125 count = context->tree_count; 1775 count = context->tree_count;
2126 retry: 1776 retry:
2127 drop = NULL; 1777 drop = NULL;
2128 d = dentry; 1778 d = dentry;
2129 rcu_read_lock(); 1779 rcu_read_lock();
2130 seq = read_seqbegin(&rename_lock); 1780 seq = read_seqbegin(&rename_lock);
2131 for (;;) { !! 1781 for(;;) {
2132 struct inode *inode = d_backi !! 1782 struct inode *inode = d->d_inode;
2133 !! 1783 if (inode && unlikely(!list_empty(&inode->inotify_watches))) {
2134 if (inode && unlikely(inode-> <<
2135 struct audit_chunk *c 1784 struct audit_chunk *chunk;
2136 <<
2137 chunk = audit_tree_lo 1785 chunk = audit_tree_lookup(inode);
2138 if (chunk) { 1786 if (chunk) {
2139 if (unlikely( 1787 if (unlikely(!put_tree_ref(context, chunk))) {
2140 drop 1788 drop = chunk;
2141 break 1789 break;
2142 } 1790 }
2143 } 1791 }
2144 } 1792 }
2145 parent = d->d_parent; 1793 parent = d->d_parent;
2146 if (parent == d) 1794 if (parent == d)
2147 break; 1795 break;
2148 d = parent; 1796 d = parent;
2149 } 1797 }
2150 if (unlikely(read_seqretry(&rename_lo 1798 if (unlikely(read_seqretry(&rename_lock, seq) || drop)) { /* in this order */
2151 rcu_read_unlock(); 1799 rcu_read_unlock();
2152 if (!drop) { 1800 if (!drop) {
2153 /* just a race with r 1801 /* just a race with rename */
2154 unroll_tree_refs(cont 1802 unroll_tree_refs(context, p, count);
2155 goto retry; 1803 goto retry;
2156 } 1804 }
2157 audit_put_chunk(drop); 1805 audit_put_chunk(drop);
2158 if (grow_tree_refs(context)) 1806 if (grow_tree_refs(context)) {
2159 /* OK, got more space 1807 /* OK, got more space */
2160 unroll_tree_refs(cont 1808 unroll_tree_refs(context, p, count);
2161 goto retry; 1809 goto retry;
2162 } 1810 }
2163 /* too bad */ 1811 /* too bad */
2164 pr_warn("out of memory, audit !! 1812 printk(KERN_WARNING
>> 1813 "out of memory, audit has lost a tree reference\n");
2165 unroll_tree_refs(context, p, 1814 unroll_tree_refs(context, p, count);
2166 audit_set_auditable(context); 1815 audit_set_auditable(context);
2167 return; 1816 return;
2168 } 1817 }
2169 rcu_read_unlock(); 1818 rcu_read_unlock();
>> 1819 #endif
2170 } 1820 }
2171 1821
2172 static struct audit_names *audit_alloc_name(s !! 1822 /**
2173 !! 1823 * audit_getname - add a name to the list
>> 1824 * @name: name to add
>> 1825 *
>> 1826 * Add a name to the list of audit names for this context.
>> 1827 * Called from fs/namei.c:getname().
>> 1828 */
>> 1829 void __audit_getname(const char *name)
2174 { 1830 {
2175 struct audit_names *aname; !! 1831 struct audit_context *context = current->audit_context;
2176 1832
2177 if (context->name_count < AUDIT_NAMES !! 1833 if (IS_ERR(name) || !name)
2178 aname = &context->preallocate !! 1834 return;
2179 memset(aname, 0, sizeof(*anam <<
2180 } else { <<
2181 aname = kzalloc(sizeof(*aname <<
2182 if (!aname) <<
2183 return NULL; <<
2184 aname->should_free = true; <<
2185 } <<
2186 1835
2187 aname->ino = AUDIT_INO_UNSET; !! 1836 if (!context->in_syscall) {
2188 aname->type = type; !! 1837 #if AUDIT_DEBUG == 2
2189 list_add_tail(&aname->list, &context- !! 1838 printk(KERN_ERR "%s:%d(:%d): ignoring getname(%p)\n",
>> 1839 __FILE__, __LINE__, context->serial, name);
>> 1840 dump_stack();
>> 1841 #endif
>> 1842 return;
>> 1843 }
>> 1844 BUG_ON(context->name_count >= AUDIT_NAMES);
>> 1845 context->names[context->name_count].name = name;
>> 1846 context->names[context->name_count].name_len = AUDIT_NAME_FULL;
>> 1847 context->names[context->name_count].name_put = 1;
>> 1848 context->names[context->name_count].ino = (unsigned long)-1;
>> 1849 context->names[context->name_count].osid = 0;
>> 1850 ++context->name_count;
>> 1851 if (!context->pwd.dentry) {
>> 1852 read_lock(¤t->fs->lock);
>> 1853 context->pwd = current->fs->pwd;
>> 1854 path_get(¤t->fs->pwd);
>> 1855 read_unlock(¤t->fs->lock);
>> 1856 }
2190 1857
2191 context->name_count++; <<
2192 if (!context->pwd.dentry) <<
2193 get_fs_pwd(current->fs, &cont <<
2194 return aname; <<
2195 } 1858 }
2196 1859
2197 /** !! 1860 /* audit_putname - intercept a putname request
2198 * __audit_reusename - fill out filename with !! 1861 * @name: name to intercept and delay for putname
2199 * @uptr: userland ptr to pathname <<
2200 * 1862 *
2201 * Search the audit_names list for the curren !! 1863 * If we have stored the name from getname in the audit context,
2202 * existing entry with a matching "uptr" then !! 1864 * then we delay the putname until syscall exit.
2203 * associated with that audit_name. If not, r !! 1865 * Called from include/linux/fs.h:putname().
2204 */ 1866 */
2205 struct filename * !! 1867 void audit_putname(const char *name)
2206 __audit_reusename(const __user char *uptr) <<
2207 { 1868 {
2208 struct audit_context *context = audit !! 1869 struct audit_context *context = current->audit_context;
2209 struct audit_names *n; <<
2210 1870
2211 list_for_each_entry(n, &context->name !! 1871 BUG_ON(!context);
2212 if (!n->name) !! 1872 if (!context->in_syscall) {
2213 continue; !! 1873 #if AUDIT_DEBUG == 2
2214 if (n->name->uptr == uptr) { !! 1874 printk(KERN_ERR "%s:%d(:%d): __putname(%p)\n",
2215 atomic_inc(&n->name-> !! 1875 __FILE__, __LINE__, context->serial, name);
2216 return n->name; !! 1876 if (context->name_count) {
>> 1877 int i;
>> 1878 for (i = 0; i < context->name_count; i++)
>> 1879 printk(KERN_ERR "name[%d] = %p = %s\n", i,
>> 1880 context->names[i].name,
>> 1881 context->names[i].name ?: "(null)");
2217 } 1882 }
>> 1883 #endif
>> 1884 __putname(name);
2218 } 1885 }
2219 return NULL; !! 1886 #if AUDIT_DEBUG
>> 1887 else {
>> 1888 ++context->put_count;
>> 1889 if (context->put_count > context->name_count) {
>> 1890 printk(KERN_ERR "%s:%d(:%d): major=%d"
>> 1891 " in_syscall=%d putname(%p) name_count=%d"
>> 1892 " put_count=%d\n",
>> 1893 __FILE__, __LINE__,
>> 1894 context->serial, context->major,
>> 1895 context->in_syscall, name, context->name_count,
>> 1896 context->put_count);
>> 1897 dump_stack();
>> 1898 }
>> 1899 }
>> 1900 #endif
2220 } 1901 }
2221 1902
2222 /** !! 1903 static int audit_inc_name_count(struct audit_context *context,
2223 * __audit_getname - add a name to the list !! 1904 const struct inode *inode)
2224 * @name: name to add <<
2225 * <<
2226 * Add a name to the list of audit names for <<
2227 * Called from fs/namei.c:getname(). <<
2228 */ <<
2229 void __audit_getname(struct filename *name) <<
2230 { 1905 {
2231 struct audit_context *context = audit !! 1906 if (context->name_count >= AUDIT_NAMES) {
2232 struct audit_names *n; !! 1907 if (inode)
>> 1908 printk(KERN_DEBUG "name_count maxed, losing inode data: "
>> 1909 "dev=%02x:%02x, inode=%lu\n",
>> 1910 MAJOR(inode->i_sb->s_dev),
>> 1911 MINOR(inode->i_sb->s_dev),
>> 1912 inode->i_ino);
2233 1913
2234 if (context->context == AUDIT_CTX_UNU !! 1914 else
2235 return; !! 1915 printk(KERN_DEBUG "name_count maxed, losing inode data\n");
2236 !! 1916 return 1;
2237 n = audit_alloc_name(context, AUDIT_T !! 1917 }
2238 if (!n) !! 1918 context->name_count++;
2239 return; !! 1919 #if AUDIT_DEBUG
2240 !! 1920 context->ino_count++;
2241 n->name = name; !! 1921 #endif
2242 n->name_len = AUDIT_NAME_FULL; !! 1922 return 0;
2243 name->aname = n; <<
2244 atomic_inc(&name->refcnt); <<
2245 } 1923 }
2246 1924
2247 static inline int audit_copy_fcaps(struct aud !! 1925
2248 const stru !! 1926 static inline int audit_copy_fcaps(struct audit_names *name, const struct dentry *dentry)
2249 { 1927 {
2250 struct cpu_vfs_cap_data caps; 1928 struct cpu_vfs_cap_data caps;
2251 int rc; 1929 int rc;
2252 1930
>> 1931 memset(&name->fcap.permitted, 0, sizeof(kernel_cap_t));
>> 1932 memset(&name->fcap.inheritable, 0, sizeof(kernel_cap_t));
>> 1933 name->fcap.fE = 0;
>> 1934 name->fcap_ver = 0;
>> 1935
2253 if (!dentry) 1936 if (!dentry)
2254 return 0; 1937 return 0;
2255 1938
2256 rc = get_vfs_caps_from_disk(&nop_mnt_ !! 1939 rc = get_vfs_caps_from_disk(dentry, &caps);
2257 if (rc) 1940 if (rc)
2258 return rc; 1941 return rc;
2259 1942
2260 name->fcap.permitted = caps.permitted 1943 name->fcap.permitted = caps.permitted;
2261 name->fcap.inheritable = caps.inherit 1944 name->fcap.inheritable = caps.inheritable;
2262 name->fcap.fE = !!(caps.magic_etc & V 1945 name->fcap.fE = !!(caps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE);
2263 name->fcap.rootid = caps.rootid; !! 1946 name->fcap_ver = (caps.magic_etc & VFS_CAP_REVISION_MASK) >> VFS_CAP_REVISION_SHIFT;
2264 name->fcap_ver = (caps.magic_etc & VF <<
2265 VFS_CAP_REVIS <<
2266 1947
2267 return 0; 1948 return 0;
2268 } 1949 }
2269 1950
>> 1951
2270 /* Copy inode data into an audit_names. */ 1952 /* Copy inode data into an audit_names. */
2271 static void audit_copy_inode(struct audit_nam !! 1953 static void audit_copy_inode(struct audit_names *name, const struct dentry *dentry,
2272 const struct den !! 1954 const struct inode *inode)
2273 struct inode *in <<
2274 { 1955 {
2275 name->ino = inode->i_ino; 1956 name->ino = inode->i_ino;
2276 name->dev = inode->i_sb->s_dev; 1957 name->dev = inode->i_sb->s_dev;
2277 name->mode = inode->i_mode; 1958 name->mode = inode->i_mode;
2278 name->uid = inode->i_uid; 1959 name->uid = inode->i_uid;
2279 name->gid = inode->i_gid; 1960 name->gid = inode->i_gid;
2280 name->rdev = inode->i_rdev; 1961 name->rdev = inode->i_rdev;
2281 security_inode_getsecid(inode, &name- 1962 security_inode_getsecid(inode, &name->osid);
2282 if (flags & AUDIT_INODE_NOEVAL) { <<
2283 name->fcap_ver = -1; <<
2284 return; <<
2285 } <<
2286 audit_copy_fcaps(name, dentry); 1963 audit_copy_fcaps(name, dentry);
2287 } 1964 }
2288 1965
2289 /** 1966 /**
2290 * __audit_inode - store the inode and device !! 1967 * audit_inode - store the inode and device from a lookup
2291 * @name: name being audited 1968 * @name: name being audited
2292 * @dentry: dentry being audited 1969 * @dentry: dentry being audited
2293 * @flags: attributes for this particular ent !! 1970 *
>> 1971 * Called from fs/namei.c:path_lookup().
2294 */ 1972 */
2295 void __audit_inode(struct filename *name, con !! 1973 void __audit_inode(const char *name, const struct dentry *dentry)
2296 unsigned int flags) <<
2297 { 1974 {
2298 struct audit_context *context = audit !! 1975 int idx;
2299 struct inode *inode = d_backing_inode !! 1976 struct audit_context *context = current->audit_context;
2300 struct audit_names *n; !! 1977 const struct inode *inode = dentry->d_inode;
2301 bool parent = flags & AUDIT_INODE_PAR !! 1978
2302 struct audit_entry *e; !! 1979 if (!context->in_syscall)
2303 struct list_head *list = &audit_filte !! 1980 return;
2304 int i; !! 1981 if (context->name_count
2305 !! 1982 && context->names[context->name_count-1].name
2306 if (context->context == AUDIT_CTX_UNU !! 1983 && context->names[context->name_count-1].name == name)
2307 return; !! 1984 idx = context->name_count - 1;
2308 !! 1985 else if (context->name_count > 1
2309 rcu_read_lock(); !! 1986 && context->names[context->name_count-2].name
2310 list_for_each_entry_rcu(e, list, list !! 1987 && context->names[context->name_count-2].name == name)
2311 for (i = 0; i < e->rule.field !! 1988 idx = context->name_count - 2;
2312 struct audit_field *f !! 1989 else {
2313 !! 1990 /* FIXME: how much do we care about inodes that have no
2314 if (f->type == AUDIT_ !! 1991 * associated name? */
2315 && audit_comparat !! 1992 if (audit_inc_name_count(context, inode))
2316 !! 1993 return;
2317 && e->rule.action !! 1994 idx = context->name_count - 1;
2318 rcu_read_unlo !! 1995 context->names[idx].name = NULL;
2319 return; <<
2320 } <<
2321 } <<
2322 } <<
2323 rcu_read_unlock(); <<
2324 <<
2325 if (!name) <<
2326 goto out_alloc; <<
2327 <<
2328 /* <<
2329 * If we have a pointer to an audit_n <<
2330 * just use it directly if the type i <<
2331 */ <<
2332 n = name->aname; <<
2333 if (n) { <<
2334 if (parent) { <<
2335 if (n->type == AUDIT_ <<
2336 n->type == AUDIT_ <<
2337 goto out; <<
2338 } else { <<
2339 if (n->type != AUDIT_ <<
2340 goto out; <<
2341 } <<
2342 } <<
2343 <<
2344 list_for_each_entry_reverse(n, &conte <<
2345 if (n->ino) { <<
2346 /* valid inode number <<
2347 if (n->ino != inode-> <<
2348 n->dev != inode-> <<
2349 continue; <<
2350 } else if (n->name) { <<
2351 /* inode number has n <<
2352 if (strcmp(n->name->n <<
2353 continue; <<
2354 } else <<
2355 /* no inode and no na <<
2356 continue; <<
2357 <<
2358 /* match the correct record t <<
2359 if (parent) { <<
2360 if (n->type == AUDIT_ <<
2361 n->type == AUDIT_ <<
2362 goto out; <<
2363 } else { <<
2364 if (n->type != AUDIT_ <<
2365 goto out; <<
2366 } <<
2367 } <<
2368 <<
2369 out_alloc: <<
2370 /* unable to find an entry with both <<
2371 n = audit_alloc_name(context, AUDIT_T <<
2372 if (!n) <<
2373 return; <<
2374 if (name) { <<
2375 n->name = name; <<
2376 atomic_inc(&name->refcnt); <<
2377 } <<
2378 <<
2379 out: <<
2380 if (parent) { <<
2381 n->name_len = n->name ? paren <<
2382 n->type = AUDIT_TYPE_PARENT; <<
2383 if (flags & AUDIT_INODE_HIDDE <<
2384 n->hidden = true; <<
2385 } else { <<
2386 n->name_len = AUDIT_NAME_FULL <<
2387 n->type = AUDIT_TYPE_NORMAL; <<
2388 } 1996 }
2389 handle_path(dentry); 1997 handle_path(dentry);
2390 audit_copy_inode(n, dentry, inode, fl !! 1998 audit_copy_inode(&context->names[idx], dentry, inode);
2391 } <<
2392 <<
2393 void __audit_file(const struct file *file) <<
2394 { <<
2395 __audit_inode(NULL, file->f_path.dent <<
2396 } 1999 }
2397 2000
2398 /** 2001 /**
2399 * __audit_inode_child - collect inode info f !! 2002 * audit_inode_child - collect inode info for created/removed objects
2400 * @parent: inode of dentry parent !! 2003 * @dname: inode's dentry name
2401 * @dentry: dentry being audited 2004 * @dentry: dentry being audited
2402 * @type: AUDIT_TYPE_* value that we're loo !! 2005 * @parent: inode of dentry parent
2403 * 2006 *
2404 * For syscalls that create or remove filesys 2007 * For syscalls that create or remove filesystem objects, audit_inode
2405 * can only collect information for the files 2008 * can only collect information for the filesystem object's parent.
2406 * This call updates the audit context with t 2009 * This call updates the audit context with the child's information.
2407 * Syscalls that create a new filesystem obje 2010 * Syscalls that create a new filesystem object must be hooked after
2408 * the object is created. Syscalls that remo 2011 * the object is created. Syscalls that remove a filesystem object
2409 * must be hooked prior, in order to capture 2012 * must be hooked prior, in order to capture the target inode during
2410 * unsuccessful attempts. 2013 * unsuccessful attempts.
2411 */ 2014 */
2412 void __audit_inode_child(struct inode *parent !! 2015 void __audit_inode_child(const char *dname, const struct dentry *dentry,
2413 const struct dentry !! 2016 const struct inode *parent)
2414 const unsigned char !! 2017 {
2415 { !! 2018 int idx;
2416 struct audit_context *context = audit !! 2019 struct audit_context *context = current->audit_context;
2417 struct inode *inode = d_backing_inode !! 2020 const char *found_parent = NULL, *found_child = NULL;
2418 const struct qstr *dname = &dentry->d !! 2021 const struct inode *inode = dentry->d_inode;
2419 struct audit_names *n, *found_parent !! 2022 int dirlen = 0;
2420 struct audit_entry *e; <<
2421 struct list_head *list = &audit_filte <<
2422 int i; <<
2423 2023
2424 if (context->context == AUDIT_CTX_UNU !! 2024 if (!context->in_syscall)
2425 return; 2025 return;
2426 2026
2427 rcu_read_lock(); <<
2428 list_for_each_entry_rcu(e, list, list <<
2429 for (i = 0; i < e->rule.field <<
2430 struct audit_field *f <<
2431 <<
2432 if (f->type == AUDIT_ <<
2433 && audit_comparat <<
2434 <<
2435 && e->rule.action <<
2436 rcu_read_unlo <<
2437 return; <<
2438 } <<
2439 } <<
2440 } <<
2441 rcu_read_unlock(); <<
2442 <<
2443 if (inode) 2027 if (inode)
2444 handle_one(inode); 2028 handle_one(inode);
>> 2029 /* determine matching parent */
>> 2030 if (!dname)
>> 2031 goto add_names;
>> 2032
>> 2033 /* parent is more likely, look for it first */
>> 2034 for (idx = 0; idx < context->name_count; idx++) {
>> 2035 struct audit_names *n = &context->names[idx];
2445 2036
2446 /* look for a parent entry first */ !! 2037 if (!n->name)
2447 list_for_each_entry(n, &context->name <<
2448 if (!n->name || <<
2449 (n->type != AUDIT_TYPE_PA <<
2450 n->type != AUDIT_TYPE_UN <<
2451 continue; 2038 continue;
2452 2039
2453 if (n->ino == parent->i_ino & !! 2040 if (n->ino == parent->i_ino &&
2454 !audit_compare_dname_path !! 2041 !audit_compare_dname_path(dname, n->name, &dirlen)) {
2455 !! 2042 n->name_len = dirlen; /* update parent data in place */
2456 if (n->type == AUDIT_ !! 2043 found_parent = n->name;
2457 n->type = AUD !! 2044 goto add_names;
2458 found_parent = n; <<
2459 break; <<
2460 } 2045 }
2461 } 2046 }
2462 2047
2463 cond_resched(); !! 2048 /* no matching parent, look for matching child */
>> 2049 for (idx = 0; idx < context->name_count; idx++) {
>> 2050 struct audit_names *n = &context->names[idx];
2464 2051
2465 /* is there a matching child entry? * !! 2052 if (!n->name)
2466 list_for_each_entry(n, &context->name <<
2467 /* can only match entries tha <<
2468 if (!n->name || <<
2469 (n->type != type && n->ty <<
2470 continue; 2053 continue;
2471 2054
2472 if (!strcmp(dname->name, n->n !! 2055 /* strcmp() is the more likely scenario */
2473 !audit_compare_dname_path !! 2056 if (!strcmp(dname, n->name) ||
2474 !! 2057 !audit_compare_dname_path(dname, n->name, &dirlen)) {
2475 !! 2058 if (inode)
2476 !! 2059 audit_copy_inode(n, NULL, inode);
2477 if (n->type == AUDIT_ !! 2060 else
2478 n->type = typ !! 2061 n->ino = (unsigned long)-1;
2479 found_child = n; !! 2062 found_child = n->name;
2480 break; !! 2063 goto add_names;
2481 } 2064 }
2482 } 2065 }
2483 2066
>> 2067 add_names:
2484 if (!found_parent) { 2068 if (!found_parent) {
2485 /* create a new, "anonymous" !! 2069 if (audit_inc_name_count(context, parent))
2486 n = audit_alloc_name(context, <<
2487 if (!n) <<
2488 return; 2070 return;
2489 audit_copy_inode(n, NULL, par !! 2071 idx = context->name_count - 1;
>> 2072 context->names[idx].name = NULL;
>> 2073 audit_copy_inode(&context->names[idx], NULL, parent);
2490 } 2074 }
2491 2075
2492 if (!found_child) { 2076 if (!found_child) {
2493 found_child = audit_alloc_nam !! 2077 if (audit_inc_name_count(context, inode))
2494 if (!found_child) <<
2495 return; 2078 return;
>> 2079 idx = context->name_count - 1;
2496 2080
2497 /* Re-use the name belonging 2081 /* Re-use the name belonging to the slot for a matching parent
2498 * directory. All names for t 2082 * directory. All names for this context are relinquished in
2499 * audit_free_names() */ 2083 * audit_free_names() */
2500 if (found_parent) { 2084 if (found_parent) {
2501 found_child->name = f !! 2085 context->names[idx].name = found_parent;
2502 found_child->name_len !! 2086 context->names[idx].name_len = AUDIT_NAME_FULL;
2503 atomic_inc(&found_chi !! 2087 /* don't call __putname() */
>> 2088 context->names[idx].name_put = 0;
>> 2089 } else {
>> 2090 context->names[idx].name = NULL;
2504 } 2091 }
2505 } <<
2506 2092
2507 if (inode) !! 2093 if (inode)
2508 audit_copy_inode(found_child, !! 2094 audit_copy_inode(&context->names[idx], NULL, inode);
2509 else !! 2095 else
2510 found_child->ino = AUDIT_INO_ !! 2096 context->names[idx].ino = (unsigned long)-1;
>> 2097 }
2511 } 2098 }
2512 EXPORT_SYMBOL_GPL(__audit_inode_child); 2099 EXPORT_SYMBOL_GPL(__audit_inode_child);
2513 2100
2514 /** 2101 /**
2515 * auditsc_get_stamp - get local copies of au 2102 * auditsc_get_stamp - get local copies of audit_context values
2516 * @ctx: audit_context for the task 2103 * @ctx: audit_context for the task
2517 * @t: timespec64 to store time recorded in t !! 2104 * @t: timespec to store time recorded in the audit_context
2518 * @serial: serial value that is recorded in 2105 * @serial: serial value that is recorded in the audit_context
2519 * 2106 *
2520 * Also sets the context as auditable. 2107 * Also sets the context as auditable.
2521 */ 2108 */
2522 int auditsc_get_stamp(struct audit_context *c 2109 int auditsc_get_stamp(struct audit_context *ctx,
2523 struct timespec64 *t, !! 2110 struct timespec *t, unsigned int *serial)
2524 { 2111 {
2525 if (ctx->context == AUDIT_CTX_UNUSED) !! 2112 if (!ctx->in_syscall)
2526 return 0; 2113 return 0;
2527 if (!ctx->serial) 2114 if (!ctx->serial)
2528 ctx->serial = audit_serial(); 2115 ctx->serial = audit_serial();
2529 t->tv_sec = ctx->ctime.tv_sec; 2116 t->tv_sec = ctx->ctime.tv_sec;
2530 t->tv_nsec = ctx->ctime.tv_nsec; 2117 t->tv_nsec = ctx->ctime.tv_nsec;
2531 *serial = ctx->serial; 2118 *serial = ctx->serial;
2532 if (!ctx->prio) { 2119 if (!ctx->prio) {
2533 ctx->prio = 1; 2120 ctx->prio = 1;
2534 ctx->current_state = AUDIT_ST !! 2121 ctx->current_state = AUDIT_RECORD_CONTEXT;
2535 } 2122 }
2536 return 1; 2123 return 1;
2537 } 2124 }
2538 2125
>> 2126 /* global counter which is incremented every time something logs in */
>> 2127 static atomic_t session_id = ATOMIC_INIT(0);
>> 2128
>> 2129 /**
>> 2130 * audit_set_loginuid - set a task's audit_context loginuid
>> 2131 * @task: task whose audit context is being modified
>> 2132 * @loginuid: loginuid value
>> 2133 *
>> 2134 * Returns 0.
>> 2135 *
>> 2136 * Called (set) from fs/proc/base.c::proc_loginuid_write().
>> 2137 */
>> 2138 int audit_set_loginuid(struct task_struct *task, uid_t loginuid)
>> 2139 {
>> 2140 unsigned int sessionid = atomic_inc_return(&session_id);
>> 2141 struct audit_context *context = task->audit_context;
>> 2142
>> 2143 if (context && context->in_syscall) {
>> 2144 struct audit_buffer *ab;
>> 2145
>> 2146 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN);
>> 2147 if (ab) {
>> 2148 audit_log_format(ab, "login pid=%d uid=%u "
>> 2149 "old auid=%u new auid=%u"
>> 2150 " old ses=%u new ses=%u",
>> 2151 task->pid, task_uid(task),
>> 2152 task->loginuid, loginuid,
>> 2153 task->sessionid, sessionid);
>> 2154 audit_log_end(ab);
>> 2155 }
>> 2156 }
>> 2157 task->sessionid = sessionid;
>> 2158 task->loginuid = loginuid;
>> 2159 return 0;
>> 2160 }
>> 2161
2539 /** 2162 /**
2540 * __audit_mq_open - record audit data for a 2163 * __audit_mq_open - record audit data for a POSIX MQ open
2541 * @oflag: open flag 2164 * @oflag: open flag
2542 * @mode: mode bits 2165 * @mode: mode bits
2543 * @attr: queue attributes 2166 * @attr: queue attributes
2544 * 2167 *
2545 */ 2168 */
2546 void __audit_mq_open(int oflag, umode_t mode, !! 2169 void __audit_mq_open(int oflag, mode_t mode, struct mq_attr *attr)
2547 { 2170 {
2548 struct audit_context *context = audit !! 2171 struct audit_context *context = current->audit_context;
2549 2172
2550 if (attr) 2173 if (attr)
2551 memcpy(&context->mq_open.attr 2174 memcpy(&context->mq_open.attr, attr, sizeof(struct mq_attr));
2552 else 2175 else
2553 memset(&context->mq_open.attr 2176 memset(&context->mq_open.attr, 0, sizeof(struct mq_attr));
2554 2177
2555 context->mq_open.oflag = oflag; 2178 context->mq_open.oflag = oflag;
2556 context->mq_open.mode = mode; 2179 context->mq_open.mode = mode;
2557 2180
2558 context->type = AUDIT_MQ_OPEN; 2181 context->type = AUDIT_MQ_OPEN;
2559 } 2182 }
2560 2183
2561 /** 2184 /**
2562 * __audit_mq_sendrecv - record audit data fo 2185 * __audit_mq_sendrecv - record audit data for a POSIX MQ timed send/receive
2563 * @mqdes: MQ descriptor 2186 * @mqdes: MQ descriptor
2564 * @msg_len: Message length 2187 * @msg_len: Message length
2565 * @msg_prio: Message priority 2188 * @msg_prio: Message priority
2566 * @abs_timeout: Message timeout in absolute 2189 * @abs_timeout: Message timeout in absolute time
2567 * 2190 *
2568 */ 2191 */
2569 void __audit_mq_sendrecv(mqd_t mqdes, size_t 2192 void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio,
2570 const struct timespec !! 2193 const struct timespec *abs_timeout)
2571 { 2194 {
2572 struct audit_context *context = audit !! 2195 struct audit_context *context = current->audit_context;
2573 struct timespec64 *p = &context->mq_s !! 2196 struct timespec *p = &context->mq_sendrecv.abs_timeout;
2574 2197
2575 if (abs_timeout) 2198 if (abs_timeout)
2576 memcpy(p, abs_timeout, sizeof !! 2199 memcpy(p, abs_timeout, sizeof(struct timespec));
2577 else 2200 else
2578 memset(p, 0, sizeof(*p)); !! 2201 memset(p, 0, sizeof(struct timespec));
2579 2202
2580 context->mq_sendrecv.mqdes = mqdes; 2203 context->mq_sendrecv.mqdes = mqdes;
2581 context->mq_sendrecv.msg_len = msg_le 2204 context->mq_sendrecv.msg_len = msg_len;
2582 context->mq_sendrecv.msg_prio = msg_p 2205 context->mq_sendrecv.msg_prio = msg_prio;
2583 2206
2584 context->type = AUDIT_MQ_SENDRECV; 2207 context->type = AUDIT_MQ_SENDRECV;
2585 } 2208 }
2586 2209
2587 /** 2210 /**
2588 * __audit_mq_notify - record audit data for 2211 * __audit_mq_notify - record audit data for a POSIX MQ notify
2589 * @mqdes: MQ descriptor 2212 * @mqdes: MQ descriptor
2590 * @notification: Notification event 2213 * @notification: Notification event
2591 * 2214 *
2592 */ 2215 */
2593 2216
2594 void __audit_mq_notify(mqd_t mqdes, const str 2217 void __audit_mq_notify(mqd_t mqdes, const struct sigevent *notification)
2595 { 2218 {
2596 struct audit_context *context = audit !! 2219 struct audit_context *context = current->audit_context;
2597 2220
2598 if (notification) 2221 if (notification)
2599 context->mq_notify.sigev_sign 2222 context->mq_notify.sigev_signo = notification->sigev_signo;
2600 else 2223 else
2601 context->mq_notify.sigev_sign 2224 context->mq_notify.sigev_signo = 0;
2602 2225
2603 context->mq_notify.mqdes = mqdes; 2226 context->mq_notify.mqdes = mqdes;
2604 context->type = AUDIT_MQ_NOTIFY; 2227 context->type = AUDIT_MQ_NOTIFY;
2605 } 2228 }
2606 2229
2607 /** 2230 /**
2608 * __audit_mq_getsetattr - record audit data 2231 * __audit_mq_getsetattr - record audit data for a POSIX MQ get/set attribute
2609 * @mqdes: MQ descriptor 2232 * @mqdes: MQ descriptor
2610 * @mqstat: MQ flags 2233 * @mqstat: MQ flags
2611 * 2234 *
2612 */ 2235 */
2613 void __audit_mq_getsetattr(mqd_t mqdes, struc 2236 void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat)
2614 { 2237 {
2615 struct audit_context *context = audit !! 2238 struct audit_context *context = current->audit_context;
2616 <<
2617 context->mq_getsetattr.mqdes = mqdes; 2239 context->mq_getsetattr.mqdes = mqdes;
2618 context->mq_getsetattr.mqstat = *mqst 2240 context->mq_getsetattr.mqstat = *mqstat;
2619 context->type = AUDIT_MQ_GETSETATTR; 2241 context->type = AUDIT_MQ_GETSETATTR;
2620 } 2242 }
2621 2243
2622 /** 2244 /**
2623 * __audit_ipc_obj - record audit data for ip !! 2245 * audit_ipc_obj - record audit data for ipc object
2624 * @ipcp: ipc permissions 2246 * @ipcp: ipc permissions
2625 * 2247 *
2626 */ 2248 */
2627 void __audit_ipc_obj(struct kern_ipc_perm *ip 2249 void __audit_ipc_obj(struct kern_ipc_perm *ipcp)
2628 { 2250 {
2629 struct audit_context *context = audit !! 2251 struct audit_context *context = current->audit_context;
2630 <<
2631 context->ipc.uid = ipcp->uid; 2252 context->ipc.uid = ipcp->uid;
2632 context->ipc.gid = ipcp->gid; 2253 context->ipc.gid = ipcp->gid;
2633 context->ipc.mode = ipcp->mode; 2254 context->ipc.mode = ipcp->mode;
2634 context->ipc.has_perm = 0; 2255 context->ipc.has_perm = 0;
2635 security_ipc_getsecid(ipcp, &context- 2256 security_ipc_getsecid(ipcp, &context->ipc.osid);
2636 context->type = AUDIT_IPC; 2257 context->type = AUDIT_IPC;
2637 } 2258 }
2638 2259
2639 /** 2260 /**
2640 * __audit_ipc_set_perm - record audit data f !! 2261 * audit_ipc_set_perm - record audit data for new ipc permissions
2641 * @qbytes: msgq bytes 2262 * @qbytes: msgq bytes
2642 * @uid: msgq user id 2263 * @uid: msgq user id
2643 * @gid: msgq group id 2264 * @gid: msgq group id
2644 * @mode: msgq mode (permissions) 2265 * @mode: msgq mode (permissions)
2645 * 2266 *
2646 * Called only after audit_ipc_obj(). 2267 * Called only after audit_ipc_obj().
2647 */ 2268 */
2648 void __audit_ipc_set_perm(unsigned long qbyte !! 2269 void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode)
2649 { 2270 {
2650 struct audit_context *context = audit !! 2271 struct audit_context *context = current->audit_context;
2651 2272
2652 context->ipc.qbytes = qbytes; 2273 context->ipc.qbytes = qbytes;
2653 context->ipc.perm_uid = uid; 2274 context->ipc.perm_uid = uid;
2654 context->ipc.perm_gid = gid; 2275 context->ipc.perm_gid = gid;
2655 context->ipc.perm_mode = mode; 2276 context->ipc.perm_mode = mode;
2656 context->ipc.has_perm = 1; 2277 context->ipc.has_perm = 1;
2657 } 2278 }
2658 2279
2659 void __audit_bprm(struct linux_binprm *bprm) !! 2280 int audit_bprm(struct linux_binprm *bprm)
2660 { 2281 {
2661 struct audit_context *context = audit !! 2282 struct audit_aux_data_execve *ax;
>> 2283 struct audit_context *context = current->audit_context;
>> 2284
>> 2285 if (likely(!audit_enabled || !context || context->dummy))
>> 2286 return 0;
>> 2287
>> 2288 ax = kmalloc(sizeof(*ax), GFP_KERNEL);
>> 2289 if (!ax)
>> 2290 return -ENOMEM;
2662 2291
2663 context->type = AUDIT_EXECVE; !! 2292 ax->argc = bprm->argc;
2664 context->execve.argc = bprm->argc; !! 2293 ax->envc = bprm->envc;
>> 2294 ax->mm = bprm->mm;
>> 2295 ax->d.type = AUDIT_EXECVE;
>> 2296 ax->d.next = context->aux;
>> 2297 context->aux = (void *)ax;
>> 2298 return 0;
2665 } 2299 }
2666 2300
2667 2301
2668 /** 2302 /**
2669 * __audit_socketcall - record audit data for !! 2303 * audit_socketcall - record audit data for sys_socketcall
2670 * @nargs: number of args, which should not b !! 2304 * @nargs: number of args
2671 * @args: args array 2305 * @args: args array
2672 * 2306 *
2673 */ 2307 */
2674 int __audit_socketcall(int nargs, unsigned lo !! 2308 void audit_socketcall(int nargs, unsigned long *args)
2675 { 2309 {
2676 struct audit_context *context = audit !! 2310 struct audit_context *context = current->audit_context;
>> 2311
>> 2312 if (likely(!context || context->dummy))
>> 2313 return;
2677 2314
2678 if (nargs <= 0 || nargs > AUDITSC_ARG <<
2679 return -EINVAL; <<
2680 context->type = AUDIT_SOCKETCALL; 2315 context->type = AUDIT_SOCKETCALL;
2681 context->socketcall.nargs = nargs; 2316 context->socketcall.nargs = nargs;
2682 memcpy(context->socketcall.args, args 2317 memcpy(context->socketcall.args, args, nargs * sizeof(unsigned long));
2683 return 0; <<
2684 } 2318 }
2685 2319
2686 /** 2320 /**
2687 * __audit_fd_pair - record audit data for pi 2321 * __audit_fd_pair - record audit data for pipe and socketpair
2688 * @fd1: the first file descriptor 2322 * @fd1: the first file descriptor
2689 * @fd2: the second file descriptor 2323 * @fd2: the second file descriptor
2690 * 2324 *
2691 */ 2325 */
2692 void __audit_fd_pair(int fd1, int fd2) 2326 void __audit_fd_pair(int fd1, int fd2)
2693 { 2327 {
2694 struct audit_context *context = audit !! 2328 struct audit_context *context = current->audit_context;
2695 <<
2696 context->fds[0] = fd1; 2329 context->fds[0] = fd1;
2697 context->fds[1] = fd2; 2330 context->fds[1] = fd2;
2698 } 2331 }
2699 2332
2700 /** 2333 /**
2701 * __audit_sockaddr - record audit data for s !! 2334 * audit_sockaddr - record audit data for sys_bind, sys_connect, sys_sendto
2702 * @len: data length in user space 2335 * @len: data length in user space
2703 * @a: data address in kernel space 2336 * @a: data address in kernel space
2704 * 2337 *
2705 * Returns 0 for success or NULL context or < 2338 * Returns 0 for success or NULL context or < 0 on error.
2706 */ 2339 */
2707 int __audit_sockaddr(int len, void *a) !! 2340 int audit_sockaddr(int len, void *a)
2708 { 2341 {
2709 struct audit_context *context = audit !! 2342 struct audit_context *context = current->audit_context;
>> 2343
>> 2344 if (likely(!context || context->dummy))
>> 2345 return 0;
2710 2346
2711 if (!context->sockaddr) { 2347 if (!context->sockaddr) {
2712 void *p = kmalloc(sizeof(stru 2348 void *p = kmalloc(sizeof(struct sockaddr_storage), GFP_KERNEL);
2713 <<
2714 if (!p) 2349 if (!p)
2715 return -ENOMEM; 2350 return -ENOMEM;
2716 context->sockaddr = p; 2351 context->sockaddr = p;
2717 } 2352 }
2718 2353
2719 context->sockaddr_len = len; 2354 context->sockaddr_len = len;
2720 memcpy(context->sockaddr, a, len); 2355 memcpy(context->sockaddr, a, len);
2721 return 0; 2356 return 0;
2722 } 2357 }
2723 2358
2724 void __audit_ptrace(struct task_struct *t) 2359 void __audit_ptrace(struct task_struct *t)
2725 { 2360 {
2726 struct audit_context *context = audit !! 2361 struct audit_context *context = current->audit_context;
2727 2362
2728 context->target_pid = task_tgid_nr(t) !! 2363 context->target_pid = t->pid;
2729 context->target_auid = audit_get_logi 2364 context->target_auid = audit_get_loginuid(t);
2730 context->target_uid = task_uid(t); 2365 context->target_uid = task_uid(t);
2731 context->target_sessionid = audit_get 2366 context->target_sessionid = audit_get_sessionid(t);
2732 security_task_getsecid_obj(t, &contex !! 2367 security_task_getsecid(t, &context->target_sid);
2733 memcpy(context->target_comm, t->comm, 2368 memcpy(context->target_comm, t->comm, TASK_COMM_LEN);
2734 } 2369 }
2735 2370
2736 /** 2371 /**
2737 * audit_signal_info_syscall - record signal !! 2372 * audit_signal_info - record signal info for shutting down audit subsystem
>> 2373 * @sig: signal value
2738 * @t: task being signaled 2374 * @t: task being signaled
2739 * 2375 *
2740 * If the audit subsystem is being terminated 2376 * If the audit subsystem is being terminated, record the task (pid)
2741 * and uid that is doing that. 2377 * and uid that is doing that.
2742 */ 2378 */
2743 int audit_signal_info_syscall(struct task_str !! 2379 int __audit_signal_info(int sig, struct task_struct *t)
2744 { 2380 {
2745 struct audit_aux_data_pids *axp; 2381 struct audit_aux_data_pids *axp;
2746 struct audit_context *ctx = audit_con !! 2382 struct task_struct *tsk = current;
2747 kuid_t t_uid = task_uid(t); !! 2383 struct audit_context *ctx = tsk->audit_context;
2748 !! 2384 uid_t uid = current_uid(), t_uid = task_uid(t);
2749 if (!audit_signals || audit_dummy_con !! 2385
2750 return 0; !! 2386 if (audit_pid && t->tgid == audit_pid) {
>> 2387 if (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1 || sig == SIGUSR2) {
>> 2388 audit_sig_pid = tsk->pid;
>> 2389 if (tsk->loginuid != -1)
>> 2390 audit_sig_uid = tsk->loginuid;
>> 2391 else
>> 2392 audit_sig_uid = uid;
>> 2393 security_task_getsecid(tsk, &audit_sig_sid);
>> 2394 }
>> 2395 if (!audit_signals || audit_dummy_context())
>> 2396 return 0;
>> 2397 }
2751 2398
2752 /* optimize the common case by puttin 2399 /* optimize the common case by putting first signal recipient directly
2753 * in audit_context */ 2400 * in audit_context */
2754 if (!ctx->target_pid) { 2401 if (!ctx->target_pid) {
2755 ctx->target_pid = task_tgid_n !! 2402 ctx->target_pid = t->tgid;
2756 ctx->target_auid = audit_get_ 2403 ctx->target_auid = audit_get_loginuid(t);
2757 ctx->target_uid = t_uid; 2404 ctx->target_uid = t_uid;
2758 ctx->target_sessionid = audit 2405 ctx->target_sessionid = audit_get_sessionid(t);
2759 security_task_getsecid_obj(t, !! 2406 security_task_getsecid(t, &ctx->target_sid);
2760 memcpy(ctx->target_comm, t->c 2407 memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN);
2761 return 0; 2408 return 0;
2762 } 2409 }
2763 2410
2764 axp = (void *)ctx->aux_pids; 2411 axp = (void *)ctx->aux_pids;
2765 if (!axp || axp->pid_count == AUDIT_A 2412 if (!axp || axp->pid_count == AUDIT_AUX_PIDS) {
2766 axp = kzalloc(sizeof(*axp), G 2413 axp = kzalloc(sizeof(*axp), GFP_ATOMIC);
2767 if (!axp) 2414 if (!axp)
2768 return -ENOMEM; 2415 return -ENOMEM;
2769 2416
2770 axp->d.type = AUDIT_OBJ_PID; 2417 axp->d.type = AUDIT_OBJ_PID;
2771 axp->d.next = ctx->aux_pids; 2418 axp->d.next = ctx->aux_pids;
2772 ctx->aux_pids = (void *)axp; 2419 ctx->aux_pids = (void *)axp;
2773 } 2420 }
2774 BUG_ON(axp->pid_count >= AUDIT_AUX_PI 2421 BUG_ON(axp->pid_count >= AUDIT_AUX_PIDS);
2775 2422
2776 axp->target_pid[axp->pid_count] = tas !! 2423 axp->target_pid[axp->pid_count] = t->tgid;
2777 axp->target_auid[axp->pid_count] = au 2424 axp->target_auid[axp->pid_count] = audit_get_loginuid(t);
2778 axp->target_uid[axp->pid_count] = t_u 2425 axp->target_uid[axp->pid_count] = t_uid;
2779 axp->target_sessionid[axp->pid_count] 2426 axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t);
2780 security_task_getsecid_obj(t, &axp->t !! 2427 security_task_getsecid(t, &axp->target_sid[axp->pid_count]);
2781 memcpy(axp->target_comm[axp->pid_coun 2428 memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN);
2782 axp->pid_count++; 2429 axp->pid_count++;
2783 2430
2784 return 0; 2431 return 0;
2785 } 2432 }
2786 2433
2787 /** 2434 /**
2788 * __audit_log_bprm_fcaps - store information 2435 * __audit_log_bprm_fcaps - store information about a loading bprm and relevant fcaps
2789 * @bprm: pointer to the bprm being processed 2436 * @bprm: pointer to the bprm being processed
2790 * @new: the proposed new credentials 2437 * @new: the proposed new credentials
2791 * @old: the old credentials 2438 * @old: the old credentials
2792 * 2439 *
2793 * Simply check if the proc already has the c 2440 * Simply check if the proc already has the caps given by the file and if not
2794 * store the priv escalation info for later a 2441 * store the priv escalation info for later auditing at the end of the syscall
2795 * 2442 *
2796 * -Eric 2443 * -Eric
2797 */ 2444 */
2798 int __audit_log_bprm_fcaps(struct linux_binpr 2445 int __audit_log_bprm_fcaps(struct linux_binprm *bprm,
2799 const struct cred 2446 const struct cred *new, const struct cred *old)
2800 { 2447 {
2801 struct audit_aux_data_bprm_fcaps *ax; 2448 struct audit_aux_data_bprm_fcaps *ax;
2802 struct audit_context *context = audit !! 2449 struct audit_context *context = current->audit_context;
2803 struct cpu_vfs_cap_data vcaps; 2450 struct cpu_vfs_cap_data vcaps;
>> 2451 struct dentry *dentry;
2804 2452
2805 ax = kmalloc(sizeof(*ax), GFP_KERNEL) 2453 ax = kmalloc(sizeof(*ax), GFP_KERNEL);
2806 if (!ax) 2454 if (!ax)
2807 return -ENOMEM; 2455 return -ENOMEM;
2808 2456
2809 ax->d.type = AUDIT_BPRM_FCAPS; 2457 ax->d.type = AUDIT_BPRM_FCAPS;
2810 ax->d.next = context->aux; 2458 ax->d.next = context->aux;
2811 context->aux = (void *)ax; 2459 context->aux = (void *)ax;
2812 2460
2813 get_vfs_caps_from_disk(&nop_mnt_idmap !! 2461 dentry = dget(bprm->file->f_dentry);
2814 bprm->file->f_ !! 2462 get_vfs_caps_from_disk(dentry, &vcaps);
>> 2463 dput(dentry);
2815 2464
2816 ax->fcap.permitted = vcaps.permitted; 2465 ax->fcap.permitted = vcaps.permitted;
2817 ax->fcap.inheritable = vcaps.inherita 2466 ax->fcap.inheritable = vcaps.inheritable;
2818 ax->fcap.fE = !!(vcaps.magic_etc & VF 2467 ax->fcap.fE = !!(vcaps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE);
2819 ax->fcap.rootid = vcaps.rootid; <<
2820 ax->fcap_ver = (vcaps.magic_etc & VFS 2468 ax->fcap_ver = (vcaps.magic_etc & VFS_CAP_REVISION_MASK) >> VFS_CAP_REVISION_SHIFT;
2821 2469
2822 ax->old_pcap.permitted = old->cap_p 2470 ax->old_pcap.permitted = old->cap_permitted;
2823 ax->old_pcap.inheritable = old->cap_i 2471 ax->old_pcap.inheritable = old->cap_inheritable;
2824 ax->old_pcap.effective = old->cap_e 2472 ax->old_pcap.effective = old->cap_effective;
2825 ax->old_pcap.ambient = old->cap_a <<
2826 2473
2827 ax->new_pcap.permitted = new->cap_p 2474 ax->new_pcap.permitted = new->cap_permitted;
2828 ax->new_pcap.inheritable = new->cap_i 2475 ax->new_pcap.inheritable = new->cap_inheritable;
2829 ax->new_pcap.effective = new->cap_e 2476 ax->new_pcap.effective = new->cap_effective;
2830 ax->new_pcap.ambient = new->cap_a <<
2831 return 0; 2477 return 0;
2832 } 2478 }
2833 2479
2834 /** 2480 /**
2835 * __audit_log_capset - store information abo 2481 * __audit_log_capset - store information about the arguments to the capset syscall
>> 2482 * @pid: target pid of the capset call
2836 * @new: the new credentials 2483 * @new: the new credentials
2837 * @old: the old (current) credentials 2484 * @old: the old (current) credentials
2838 * 2485 *
2839 * Record the arguments userspace sent to sys !! 2486 * Record the aguments userspace sent to sys_capset for later printing by the
2840 * audit system if applicable 2487 * audit system if applicable
2841 */ 2488 */
2842 void __audit_log_capset(const struct cred *ne !! 2489 void __audit_log_capset(pid_t pid,
>> 2490 const struct cred *new, const struct cred *old)
2843 { 2491 {
2844 struct audit_context *context = audit !! 2492 struct audit_context *context = current->audit_context;
2845 !! 2493 context->capset.pid = pid;
2846 context->capset.pid = task_tgid_nr(cu <<
2847 context->capset.cap.effective = new 2494 context->capset.cap.effective = new->cap_effective;
2848 context->capset.cap.inheritable = new 2495 context->capset.cap.inheritable = new->cap_effective;
2849 context->capset.cap.permitted = new 2496 context->capset.cap.permitted = new->cap_permitted;
2850 context->capset.cap.ambient = new <<
2851 context->type = AUDIT_CAPSET; 2497 context->type = AUDIT_CAPSET;
2852 } 2498 }
2853 2499
2854 void __audit_mmap_fd(int fd, int flags) <<
2855 { <<
2856 struct audit_context *context = audit <<
2857 <<
2858 context->mmap.fd = fd; <<
2859 context->mmap.flags = flags; <<
2860 context->type = AUDIT_MMAP; <<
2861 } <<
2862 <<
2863 void __audit_openat2_how(struct open_how *how <<
2864 { <<
2865 struct audit_context *context = audit <<
2866 <<
2867 context->openat2.flags = how->flags; <<
2868 context->openat2.mode = how->mode; <<
2869 context->openat2.resolve = how->resol <<
2870 context->type = AUDIT_OPENAT2; <<
2871 } <<
2872 <<
2873 void __audit_log_kern_module(char *name) <<
2874 { <<
2875 struct audit_context *context = audit <<
2876 <<
2877 context->module.name = kstrdup(name, <<
2878 if (!context->module.name) <<
2879 audit_log_lost("out of memory <<
2880 context->type = AUDIT_KERN_MODULE; <<
2881 } <<
2882 <<
2883 void __audit_fanotify(u32 response, struct fa <<
2884 { <<
2885 /* {subj,obj}_trust values are {0,1,2 <<
2886 switch (friar->hdr.type) { <<
2887 case FAN_RESPONSE_INFO_NONE: <<
2888 audit_log(audit_context(), GF <<
2889 "resp=%u fan_type=% <<
2890 response, FAN_RESPO <<
2891 break; <<
2892 case FAN_RESPONSE_INFO_AUDIT_RULE: <<
2893 audit_log(audit_context(), GF <<
2894 "resp=%u fan_type=% <<
2895 response, friar->hd <<
2896 friar->subj_trust, <<
2897 } <<
2898 } <<
2899 <<
2900 void __audit_tk_injoffset(struct timespec64 o <<
2901 { <<
2902 struct audit_context *context = audit <<
2903 <<
2904 /* only set type if not already set b <<
2905 if (!context->type) <<
2906 context->type = AUDIT_TIME_IN <<
2907 memcpy(&context->time.tk_injoffset, & <<
2908 } <<
2909 <<
2910 void __audit_ntp_log(const struct audit_ntp_d <<
2911 { <<
2912 struct audit_context *context = audit <<
2913 int type; <<
2914 <<
2915 for (type = 0; type < AUDIT_NTP_NVALS <<
2916 if (ad->vals[type].newval != <<
2917 /* unconditionally se <<
2918 context->type = AUDIT <<
2919 memcpy(&context->time <<
2920 break; <<
2921 } <<
2922 } <<
2923 <<
2924 void __audit_log_nfcfg(const char *name, u8 a <<
2925 enum audit_nfcfgop op, <<
2926 { <<
2927 struct audit_buffer *ab; <<
2928 char comm[sizeof(current->comm)]; <<
2929 <<
2930 ab = audit_log_start(audit_context(), <<
2931 if (!ab) <<
2932 return; <<
2933 audit_log_format(ab, "table=%s family <<
2934 name, af, nentries, <<
2935 <<
2936 audit_log_format(ab, " pid=%u", task_ <<
2937 audit_log_task_context(ab); /* subj= <<
2938 audit_log_format(ab, " comm="); <<
2939 audit_log_untrustedstring(ab, get_tas <<
2940 audit_log_end(ab); <<
2941 } <<
2942 EXPORT_SYMBOL_GPL(__audit_log_nfcfg); <<
2943 <<
2944 static void audit_log_task(struct audit_buffe <<
2945 { <<
2946 kuid_t auid, uid; <<
2947 kgid_t gid; <<
2948 unsigned int sessionid; <<
2949 char comm[sizeof(current->comm)]; <<
2950 <<
2951 auid = audit_get_loginuid(current); <<
2952 sessionid = audit_get_sessionid(curre <<
2953 current_uid_gid(&uid, &gid); <<
2954 <<
2955 audit_log_format(ab, "auid=%u uid=%u <<
2956 from_kuid(&init_user <<
2957 from_kuid(&init_user <<
2958 from_kgid(&init_user <<
2959 sessionid); <<
2960 audit_log_task_context(ab); <<
2961 audit_log_format(ab, " pid=%d comm=", <<
2962 audit_log_untrustedstring(ab, get_tas <<
2963 audit_log_d_path_exe(ab, current->mm) <<
2964 } <<
2965 <<
2966 /** 2500 /**
2967 * audit_core_dumps - record information abou 2501 * audit_core_dumps - record information about processes that end abnormally
2968 * @signr: signal value 2502 * @signr: signal value
2969 * 2503 *
2970 * If a process ends with a core dump, someth 2504 * If a process ends with a core dump, something fishy is going on and we
2971 * should record the event for investigation. 2505 * should record the event for investigation.
2972 */ 2506 */
2973 void audit_core_dumps(long signr) 2507 void audit_core_dumps(long signr)
2974 { 2508 {
2975 struct audit_buffer *ab; 2509 struct audit_buffer *ab;
>> 2510 u32 sid;
>> 2511 uid_t auid = audit_get_loginuid(current), uid;
>> 2512 gid_t gid;
>> 2513 unsigned int sessionid = audit_get_sessionid(current);
2976 2514
2977 if (!audit_enabled) 2515 if (!audit_enabled)
2978 return; 2516 return;
2979 2517
2980 if (signr == SIGQUIT) /* don't care 2518 if (signr == SIGQUIT) /* don't care for those */
2981 return; 2519 return;
2982 2520
2983 ab = audit_log_start(audit_context(), !! 2521 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
2984 if (unlikely(!ab)) !! 2522 current_uid_gid(&uid, &gid);
2985 return; !! 2523 audit_log_format(ab, "auid=%u uid=%u gid=%u ses=%u",
2986 audit_log_task(ab); !! 2524 auid, uid, gid, sessionid);
2987 audit_log_format(ab, " sig=%ld res=1" !! 2525 security_task_getsecid(current, &sid);
2988 audit_log_end(ab); !! 2526 if (sid) {
2989 } !! 2527 char *ctx = NULL;
2990 !! 2528 u32 len;
2991 /** <<
2992 * audit_seccomp - record information about a <<
2993 * @syscall: syscall number <<
2994 * @signr: signal value <<
2995 * @code: the seccomp action <<
2996 * <<
2997 * Record the information associated with a s <<
2998 * seccomp actions that are not to be logged <<
2999 * Therefore, this function forces auditing i <<
3000 * and dummy context state because seccomp ac <<
3001 * audit is not in use. <<
3002 */ <<
3003 void audit_seccomp(unsigned long syscall, lon <<
3004 { <<
3005 struct audit_buffer *ab; <<
3006 <<
3007 ab = audit_log_start(audit_context(), <<
3008 if (unlikely(!ab)) <<
3009 return; <<
3010 audit_log_task(ab); <<
3011 audit_log_format(ab, " sig=%ld arch=% <<
3012 signr, syscall_get_a <<
3013 in_compat_syscall(), <<
3014 audit_log_end(ab); <<
3015 } <<
3016 <<
3017 void audit_seccomp_actions_logged(const char <<
3018 int res) <<
3019 { <<
3020 struct audit_buffer *ab; <<
3021 <<
3022 if (!audit_enabled) <<
3023 return; <<
3024 <<
3025 ab = audit_log_start(audit_context(), <<
3026 AUDIT_CONFIG_CHA <<
3027 if (unlikely(!ab)) <<
3028 return; <<
3029 2529
3030 audit_log_format(ab, !! 2530 if (security_secid_to_secctx(sid, &ctx, &len))
3031 "op=seccomp-logging !! 2531 audit_log_format(ab, " ssid=%u", sid);
3032 names, old_names, re !! 2532 else {
>> 2533 audit_log_format(ab, " subj=%s", ctx);
>> 2534 security_release_secctx(ctx, len);
>> 2535 }
>> 2536 }
>> 2537 audit_log_format(ab, " pid=%d comm=", current->pid);
>> 2538 audit_log_untrustedstring(ab, current->comm);
>> 2539 audit_log_format(ab, " sig=%ld", signr);
3033 audit_log_end(ab); 2540 audit_log_end(ab);
3034 } 2541 }
3035 2542
3036 struct list_head *audit_killed_trees(void) 2543 struct list_head *audit_killed_trees(void)
3037 { 2544 {
3038 struct audit_context *ctx = audit_con !! 2545 struct audit_context *ctx = current->audit_context;
3039 if (likely(!ctx || ctx->context == AU !! 2546 if (likely(!ctx || !ctx->in_syscall))
3040 return NULL; 2547 return NULL;
3041 return &ctx->killed_trees; 2548 return &ctx->killed_trees;
3042 } 2549 }
3043 2550
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.