1 // SPDX-License-Identifier: GPL-2.0-or-later <<
2 /* auditsc.c -- System-call auditing support 1 /* auditsc.c -- System-call auditing support
3 * Handles all system-call specific auditing f 2 * Handles all system-call specific auditing features.
4 * 3 *
5 * Copyright 2003-2004 Red Hat Inc., Durham, N 4 * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina.
6 * Copyright 2005 Hewlett-Packard Development 5 * Copyright 2005 Hewlett-Packard Development Company, L.P.
7 * Copyright (C) 2005, 2006 IBM Corporation 6 * Copyright (C) 2005, 2006 IBM Corporation
8 * All Rights Reserved. 7 * All Rights Reserved.
9 * 8 *
>> 9 * This program is free software; you can redistribute it and/or modify
>> 10 * it under the terms of the GNU General Public License as published by
>> 11 * the Free Software Foundation; either version 2 of the License, or
>> 12 * (at your option) any later version.
>> 13 *
>> 14 * This program is distributed in the hope that it will be useful,
>> 15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
>> 16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
>> 17 * GNU General Public License for more details.
>> 18 *
>> 19 * You should have received a copy of the GNU General Public License
>> 20 * along with this program; if not, write to the Free Software
>> 21 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
>> 22 *
10 * Written by Rickard E. (Rik) Faith <faith@re 23 * Written by Rickard E. (Rik) Faith <faith@redhat.com>
11 * 24 *
12 * Many of the ideas implemented here are from 25 * Many of the ideas implemented here are from Stephen C. Tweedie,
13 * especially the idea of avoiding a copy by u 26 * especially the idea of avoiding a copy by using getname.
14 * 27 *
15 * The method for actual interception of sysca 28 * The method for actual interception of syscall entry and exit (not in
16 * this file -- see entry.S) is based on a GPL 29 * this file -- see entry.S) is based on a GPL'd patch written by
17 * okir@suse.de and Copyright 2003 SuSE Linux 30 * okir@suse.de and Copyright 2003 SuSE Linux AG.
18 * 31 *
19 * POSIX message queue support added by George 32 * POSIX message queue support added by George Wilson <ltcgcw@us.ibm.com>,
20 * 2006. 33 * 2006.
21 * 34 *
22 * The support of additional filter rules comp 35 * The support of additional filter rules compares (>, <, >=, <=) was
23 * added by Dustin Kirkland <dustin.kirkland@u 36 * added by Dustin Kirkland <dustin.kirkland@us.ibm.com>, 2005.
24 * 37 *
25 * Modified by Amy Griffis <amy.griffis@hp.com 38 * Modified by Amy Griffis <amy.griffis@hp.com> to collect additional
26 * filesystem information. 39 * filesystem information.
27 * 40 *
28 * Subject and object context labeling support 41 * Subject and object context labeling support added by <danjones@us.ibm.com>
29 * and <dustin.kirkland@us.ibm.com> for LSPP c 42 * and <dustin.kirkland@us.ibm.com> for LSPP certification compliance.
30 */ 43 */
31 44
32 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 45 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
33 46
34 #include <linux/init.h> 47 #include <linux/init.h>
35 #include <asm/types.h> 48 #include <asm/types.h>
36 #include <linux/atomic.h> 49 #include <linux/atomic.h>
37 #include <linux/fs.h> 50 #include <linux/fs.h>
38 #include <linux/namei.h> 51 #include <linux/namei.h>
39 #include <linux/mm.h> 52 #include <linux/mm.h>
40 #include <linux/export.h> 53 #include <linux/export.h>
41 #include <linux/slab.h> 54 #include <linux/slab.h>
42 #include <linux/mount.h> 55 #include <linux/mount.h>
43 #include <linux/socket.h> 56 #include <linux/socket.h>
44 #include <linux/mqueue.h> 57 #include <linux/mqueue.h>
45 #include <linux/audit.h> 58 #include <linux/audit.h>
46 #include <linux/personality.h> 59 #include <linux/personality.h>
47 #include <linux/time.h> 60 #include <linux/time.h>
48 #include <linux/netlink.h> 61 #include <linux/netlink.h>
49 #include <linux/compiler.h> 62 #include <linux/compiler.h>
50 #include <asm/unistd.h> 63 #include <asm/unistd.h>
51 #include <linux/security.h> 64 #include <linux/security.h>
52 #include <linux/list.h> 65 #include <linux/list.h>
53 #include <linux/binfmts.h> 66 #include <linux/binfmts.h>
54 #include <linux/highmem.h> 67 #include <linux/highmem.h>
55 #include <linux/syscalls.h> 68 #include <linux/syscalls.h>
56 #include <asm/syscall.h> 69 #include <asm/syscall.h>
57 #include <linux/capability.h> 70 #include <linux/capability.h>
58 #include <linux/fs_struct.h> 71 #include <linux/fs_struct.h>
59 #include <linux/compat.h> 72 #include <linux/compat.h>
60 #include <linux/ctype.h> 73 #include <linux/ctype.h>
61 #include <linux/string.h> 74 #include <linux/string.h>
62 #include <linux/uaccess.h> 75 #include <linux/uaccess.h>
63 #include <linux/fsnotify_backend.h> <<
64 #include <uapi/linux/limits.h> 76 #include <uapi/linux/limits.h>
65 #include <uapi/linux/netfilter/nf_tables.h> <<
66 #include <uapi/linux/openat2.h> // struct open <<
67 #include <uapi/linux/fanotify.h> <<
68 77
69 #include "audit.h" 78 #include "audit.h"
70 79
71 /* flags stating the success for a syscall */ 80 /* flags stating the success for a syscall */
72 #define AUDITSC_INVALID 0 81 #define AUDITSC_INVALID 0
73 #define AUDITSC_SUCCESS 1 82 #define AUDITSC_SUCCESS 1
74 #define AUDITSC_FAILURE 2 83 #define AUDITSC_FAILURE 2
75 84
76 /* no execve audit message should be longer th 85 /* no execve audit message should be longer than this (userspace limits),
77 * see the note near the top of audit_log_exec 86 * see the note near the top of audit_log_execve_info() about this value */
78 #define MAX_EXECVE_AUDIT_LEN 7500 87 #define MAX_EXECVE_AUDIT_LEN 7500
79 88
80 /* max length to print of cmdline/proctitle va 89 /* max length to print of cmdline/proctitle value during audit */
81 #define MAX_PROCTITLE_AUDIT_LEN 128 90 #define MAX_PROCTITLE_AUDIT_LEN 128
82 91
83 /* number of audit rules */ 92 /* number of audit rules */
84 int audit_n_rules; 93 int audit_n_rules;
85 94
86 /* determines whether we collect data for sign 95 /* determines whether we collect data for signals sent */
87 int audit_signals; 96 int audit_signals;
88 97
89 struct audit_aux_data { 98 struct audit_aux_data {
90 struct audit_aux_data *next; 99 struct audit_aux_data *next;
91 int type; 100 int type;
92 }; 101 };
93 102
>> 103 #define AUDIT_AUX_IPCPERM 0
>> 104
94 /* Number of target pids per aux struct. */ 105 /* Number of target pids per aux struct. */
95 #define AUDIT_AUX_PIDS 16 106 #define AUDIT_AUX_PIDS 16
96 107
97 struct audit_aux_data_pids { 108 struct audit_aux_data_pids {
98 struct audit_aux_data d; 109 struct audit_aux_data d;
99 pid_t target_pid[AUD 110 pid_t target_pid[AUDIT_AUX_PIDS];
100 kuid_t target_auid[AU 111 kuid_t target_auid[AUDIT_AUX_PIDS];
101 kuid_t target_uid[AUD 112 kuid_t target_uid[AUDIT_AUX_PIDS];
102 unsigned int target_session 113 unsigned int target_sessionid[AUDIT_AUX_PIDS];
103 u32 target_sid[AUD 114 u32 target_sid[AUDIT_AUX_PIDS];
104 char target_comm[AU 115 char target_comm[AUDIT_AUX_PIDS][TASK_COMM_LEN];
105 int pid_count; 116 int pid_count;
106 }; 117 };
107 118
108 struct audit_aux_data_bprm_fcaps { 119 struct audit_aux_data_bprm_fcaps {
109 struct audit_aux_data d; 120 struct audit_aux_data d;
110 struct audit_cap_data fcap; 121 struct audit_cap_data fcap;
111 unsigned int fcap_ver; 122 unsigned int fcap_ver;
112 struct audit_cap_data old_pcap; 123 struct audit_cap_data old_pcap;
113 struct audit_cap_data new_pcap; 124 struct audit_cap_data new_pcap;
114 }; 125 };
115 126
116 struct audit_tree_refs { 127 struct audit_tree_refs {
117 struct audit_tree_refs *next; 128 struct audit_tree_refs *next;
118 struct audit_chunk *c[31]; 129 struct audit_chunk *c[31];
119 }; 130 };
120 131
121 struct audit_nfcfgop_tab { <<
122 enum audit_nfcfgop op; <<
123 const char *s; <<
124 }; <<
125 <<
126 static const struct audit_nfcfgop_tab audit_nf <<
127 { AUDIT_XT_OP_REGISTER, <<
128 { AUDIT_XT_OP_REPLACE, <<
129 { AUDIT_XT_OP_UNREGISTER, <<
130 { AUDIT_NFT_OP_TABLE_REGISTER, <<
131 { AUDIT_NFT_OP_TABLE_UNREGISTER, <<
132 { AUDIT_NFT_OP_CHAIN_REGISTER, <<
133 { AUDIT_NFT_OP_CHAIN_UNREGISTER, <<
134 { AUDIT_NFT_OP_RULE_REGISTER, <<
135 { AUDIT_NFT_OP_RULE_UNREGISTER, <<
136 { AUDIT_NFT_OP_SET_REGISTER, <<
137 { AUDIT_NFT_OP_SET_UNREGISTER, <<
138 { AUDIT_NFT_OP_SETELEM_REGISTER, <<
139 { AUDIT_NFT_OP_SETELEM_UNREGISTER, <<
140 { AUDIT_NFT_OP_GEN_REGISTER, <<
141 { AUDIT_NFT_OP_OBJ_REGISTER, <<
142 { AUDIT_NFT_OP_OBJ_UNREGISTER, <<
143 { AUDIT_NFT_OP_OBJ_RESET, <<
144 { AUDIT_NFT_OP_FLOWTABLE_REGISTER, <<
145 { AUDIT_NFT_OP_FLOWTABLE_UNREGISTER, <<
146 { AUDIT_NFT_OP_SETELEM_RESET, <<
147 { AUDIT_NFT_OP_RULE_RESET, <<
148 { AUDIT_NFT_OP_INVALID, <<
149 }; <<
150 <<
151 static int audit_match_perm(struct audit_conte 132 static int audit_match_perm(struct audit_context *ctx, int mask)
152 { 133 {
153 unsigned n; 134 unsigned n;
154 <<
155 if (unlikely(!ctx)) 135 if (unlikely(!ctx))
156 return 0; 136 return 0;
157 n = ctx->major; 137 n = ctx->major;
158 138
159 switch (audit_classify_syscall(ctx->ar 139 switch (audit_classify_syscall(ctx->arch, n)) {
160 case AUDITSC_NATIVE: !! 140 case 0: /* native */
161 if ((mask & AUDIT_PERM_WRITE) 141 if ((mask & AUDIT_PERM_WRITE) &&
162 audit_match_class(AUDIT_C 142 audit_match_class(AUDIT_CLASS_WRITE, n))
163 return 1; 143 return 1;
164 if ((mask & AUDIT_PERM_READ) & 144 if ((mask & AUDIT_PERM_READ) &&
165 audit_match_class(AUDIT_C 145 audit_match_class(AUDIT_CLASS_READ, n))
166 return 1; 146 return 1;
167 if ((mask & AUDIT_PERM_ATTR) & 147 if ((mask & AUDIT_PERM_ATTR) &&
168 audit_match_class(AUDIT_C 148 audit_match_class(AUDIT_CLASS_CHATTR, n))
169 return 1; 149 return 1;
170 return 0; 150 return 0;
171 case AUDITSC_COMPAT: /* 32bit on biarc !! 151 case 1: /* 32bit on biarch */
172 if ((mask & AUDIT_PERM_WRITE) 152 if ((mask & AUDIT_PERM_WRITE) &&
173 audit_match_class(AUDIT_C 153 audit_match_class(AUDIT_CLASS_WRITE_32, n))
174 return 1; 154 return 1;
175 if ((mask & AUDIT_PERM_READ) & 155 if ((mask & AUDIT_PERM_READ) &&
176 audit_match_class(AUDIT_C 156 audit_match_class(AUDIT_CLASS_READ_32, n))
177 return 1; 157 return 1;
178 if ((mask & AUDIT_PERM_ATTR) & 158 if ((mask & AUDIT_PERM_ATTR) &&
179 audit_match_class(AUDIT_C 159 audit_match_class(AUDIT_CLASS_CHATTR_32, n))
180 return 1; 160 return 1;
181 return 0; 161 return 0;
182 case AUDITSC_OPEN: !! 162 case 2: /* open */
183 return mask & ACC_MODE(ctx->ar 163 return mask & ACC_MODE(ctx->argv[1]);
184 case AUDITSC_OPENAT: !! 164 case 3: /* openat */
185 return mask & ACC_MODE(ctx->ar 165 return mask & ACC_MODE(ctx->argv[2]);
186 case AUDITSC_SOCKETCALL: !! 166 case 4: /* socketcall */
187 return ((mask & AUDIT_PERM_WRI 167 return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND);
188 case AUDITSC_EXECVE: !! 168 case 5: /* execve */
189 return mask & AUDIT_PERM_EXEC; 169 return mask & AUDIT_PERM_EXEC;
190 case AUDITSC_OPENAT2: <<
191 return mask & ACC_MODE((u32)ct <<
192 default: 170 default:
193 return 0; 171 return 0;
194 } 172 }
195 } 173 }
196 174
197 static int audit_match_filetype(struct audit_c 175 static int audit_match_filetype(struct audit_context *ctx, int val)
198 { 176 {
199 struct audit_names *n; 177 struct audit_names *n;
200 umode_t mode = (umode_t)val; 178 umode_t mode = (umode_t)val;
201 179
202 if (unlikely(!ctx)) 180 if (unlikely(!ctx))
203 return 0; 181 return 0;
204 182
205 list_for_each_entry(n, &ctx->names_lis 183 list_for_each_entry(n, &ctx->names_list, list) {
206 if ((n->ino != AUDIT_INO_UNSET 184 if ((n->ino != AUDIT_INO_UNSET) &&
207 ((n->mode & S_IFMT) == mod 185 ((n->mode & S_IFMT) == mode))
208 return 1; 186 return 1;
209 } 187 }
210 188
211 return 0; 189 return 0;
212 } 190 }
213 191
214 /* 192 /*
215 * We keep a linked list of fixed-sized (31 po 193 * We keep a linked list of fixed-sized (31 pointer) arrays of audit_chunk *;
216 * ->first_trees points to its beginning, ->tr 194 * ->first_trees points to its beginning, ->trees - to the current end of data.
217 * ->tree_count is the number of free entries 195 * ->tree_count is the number of free entries in array pointed to by ->trees.
218 * Original condition is (NULL, NULL, 0); as s 196 * Original condition is (NULL, NULL, 0); as soon as it grows we never revert to NULL,
219 * "empty" becomes (p, p, 31) afterwards. We 197 * "empty" becomes (p, p, 31) afterwards. We don't shrink the list (and seriously,
220 * it's going to remain 1-element for almost a 198 * it's going to remain 1-element for almost any setup) until we free context itself.
221 * References in it _are_ dropped - at the sam 199 * References in it _are_ dropped - at the same time we free/drop aux stuff.
222 */ 200 */
223 201
>> 202 #ifdef CONFIG_AUDIT_TREE
224 static void audit_set_auditable(struct audit_c 203 static void audit_set_auditable(struct audit_context *ctx)
225 { 204 {
226 if (!ctx->prio) { 205 if (!ctx->prio) {
227 ctx->prio = 1; 206 ctx->prio = 1;
228 ctx->current_state = AUDIT_STA !! 207 ctx->current_state = AUDIT_RECORD_CONTEXT;
229 } 208 }
230 } 209 }
231 210
232 static int put_tree_ref(struct audit_context * 211 static int put_tree_ref(struct audit_context *ctx, struct audit_chunk *chunk)
233 { 212 {
234 struct audit_tree_refs *p = ctx->trees 213 struct audit_tree_refs *p = ctx->trees;
235 int left = ctx->tree_count; 214 int left = ctx->tree_count;
236 <<
237 if (likely(left)) { 215 if (likely(left)) {
238 p->c[--left] = chunk; 216 p->c[--left] = chunk;
239 ctx->tree_count = left; 217 ctx->tree_count = left;
240 return 1; 218 return 1;
241 } 219 }
242 if (!p) 220 if (!p)
243 return 0; 221 return 0;
244 p = p->next; 222 p = p->next;
245 if (p) { 223 if (p) {
246 p->c[30] = chunk; 224 p->c[30] = chunk;
247 ctx->trees = p; 225 ctx->trees = p;
248 ctx->tree_count = 30; 226 ctx->tree_count = 30;
249 return 1; 227 return 1;
250 } 228 }
251 return 0; 229 return 0;
252 } 230 }
253 231
254 static int grow_tree_refs(struct audit_context 232 static int grow_tree_refs(struct audit_context *ctx)
255 { 233 {
256 struct audit_tree_refs *p = ctx->trees 234 struct audit_tree_refs *p = ctx->trees;
257 <<
258 ctx->trees = kzalloc(sizeof(struct aud 235 ctx->trees = kzalloc(sizeof(struct audit_tree_refs), GFP_KERNEL);
259 if (!ctx->trees) { 236 if (!ctx->trees) {
260 ctx->trees = p; 237 ctx->trees = p;
261 return 0; 238 return 0;
262 } 239 }
263 if (p) 240 if (p)
264 p->next = ctx->trees; 241 p->next = ctx->trees;
265 else 242 else
266 ctx->first_trees = ctx->trees; 243 ctx->first_trees = ctx->trees;
267 ctx->tree_count = 31; 244 ctx->tree_count = 31;
268 return 1; 245 return 1;
269 } 246 }
>> 247 #endif
270 248
271 static void unroll_tree_refs(struct audit_cont 249 static void unroll_tree_refs(struct audit_context *ctx,
272 struct audit_tree_refs * 250 struct audit_tree_refs *p, int count)
273 { 251 {
>> 252 #ifdef CONFIG_AUDIT_TREE
274 struct audit_tree_refs *q; 253 struct audit_tree_refs *q;
275 int n; 254 int n;
276 <<
277 if (!p) { 255 if (!p) {
278 /* we started with empty chain 256 /* we started with empty chain */
279 p = ctx->first_trees; 257 p = ctx->first_trees;
280 count = 31; 258 count = 31;
281 /* if the very first allocatio 259 /* if the very first allocation has failed, nothing to do */
282 if (!p) 260 if (!p)
283 return; 261 return;
284 } 262 }
285 n = count; 263 n = count;
286 for (q = p; q != ctx->trees; q = q->ne 264 for (q = p; q != ctx->trees; q = q->next, n = 31) {
287 while (n--) { 265 while (n--) {
288 audit_put_chunk(q->c[n 266 audit_put_chunk(q->c[n]);
289 q->c[n] = NULL; 267 q->c[n] = NULL;
290 } 268 }
291 } 269 }
292 while (n-- > ctx->tree_count) { 270 while (n-- > ctx->tree_count) {
293 audit_put_chunk(q->c[n]); 271 audit_put_chunk(q->c[n]);
294 q->c[n] = NULL; 272 q->c[n] = NULL;
295 } 273 }
296 ctx->trees = p; 274 ctx->trees = p;
297 ctx->tree_count = count; 275 ctx->tree_count = count;
>> 276 #endif
298 } 277 }
299 278
300 static void free_tree_refs(struct audit_contex 279 static void free_tree_refs(struct audit_context *ctx)
301 { 280 {
302 struct audit_tree_refs *p, *q; 281 struct audit_tree_refs *p, *q;
303 <<
304 for (p = ctx->first_trees; p; p = q) { 282 for (p = ctx->first_trees; p; p = q) {
305 q = p->next; 283 q = p->next;
306 kfree(p); 284 kfree(p);
307 } 285 }
308 } 286 }
309 287
310 static int match_tree_refs(struct audit_contex 288 static int match_tree_refs(struct audit_context *ctx, struct audit_tree *tree)
311 { 289 {
>> 290 #ifdef CONFIG_AUDIT_TREE
312 struct audit_tree_refs *p; 291 struct audit_tree_refs *p;
313 int n; 292 int n;
314 <<
315 if (!tree) 293 if (!tree)
316 return 0; 294 return 0;
317 /* full ones */ 295 /* full ones */
318 for (p = ctx->first_trees; p != ctx->t 296 for (p = ctx->first_trees; p != ctx->trees; p = p->next) {
319 for (n = 0; n < 31; n++) 297 for (n = 0; n < 31; n++)
320 if (audit_tree_match(p 298 if (audit_tree_match(p->c[n], tree))
321 return 1; 299 return 1;
322 } 300 }
323 /* partial */ 301 /* partial */
324 if (p) { 302 if (p) {
325 for (n = ctx->tree_count; n < 303 for (n = ctx->tree_count; n < 31; n++)
326 if (audit_tree_match(p 304 if (audit_tree_match(p->c[n], tree))
327 return 1; 305 return 1;
328 } 306 }
>> 307 #endif
329 return 0; 308 return 0;
330 } 309 }
331 310
332 static int audit_compare_uid(kuid_t uid, 311 static int audit_compare_uid(kuid_t uid,
333 struct audit_name 312 struct audit_names *name,
334 struct audit_fiel 313 struct audit_field *f,
335 struct audit_cont 314 struct audit_context *ctx)
336 { 315 {
337 struct audit_names *n; 316 struct audit_names *n;
338 int rc; 317 int rc;
339 !! 318
340 if (name) { 319 if (name) {
341 rc = audit_uid_comparator(uid, 320 rc = audit_uid_comparator(uid, f->op, name->uid);
342 if (rc) 321 if (rc)
343 return rc; 322 return rc;
344 } 323 }
345 !! 324
346 if (ctx) { 325 if (ctx) {
347 list_for_each_entry(n, &ctx->n 326 list_for_each_entry(n, &ctx->names_list, list) {
348 rc = audit_uid_compara 327 rc = audit_uid_comparator(uid, f->op, n->uid);
349 if (rc) 328 if (rc)
350 return rc; 329 return rc;
351 } 330 }
352 } 331 }
353 return 0; 332 return 0;
354 } 333 }
355 334
356 static int audit_compare_gid(kgid_t gid, 335 static int audit_compare_gid(kgid_t gid,
357 struct audit_name 336 struct audit_names *name,
358 struct audit_fiel 337 struct audit_field *f,
359 struct audit_cont 338 struct audit_context *ctx)
360 { 339 {
361 struct audit_names *n; 340 struct audit_names *n;
362 int rc; 341 int rc;
363 !! 342
364 if (name) { 343 if (name) {
365 rc = audit_gid_comparator(gid, 344 rc = audit_gid_comparator(gid, f->op, name->gid);
366 if (rc) 345 if (rc)
367 return rc; 346 return rc;
368 } 347 }
369 !! 348
370 if (ctx) { 349 if (ctx) {
371 list_for_each_entry(n, &ctx->n 350 list_for_each_entry(n, &ctx->names_list, list) {
372 rc = audit_gid_compara 351 rc = audit_gid_comparator(gid, f->op, n->gid);
373 if (rc) 352 if (rc)
374 return rc; 353 return rc;
375 } 354 }
376 } 355 }
377 return 0; 356 return 0;
378 } 357 }
379 358
380 static int audit_field_compare(struct task_str 359 static int audit_field_compare(struct task_struct *tsk,
381 const struct cr 360 const struct cred *cred,
382 struct audit_fi 361 struct audit_field *f,
383 struct audit_co 362 struct audit_context *ctx,
384 struct audit_na 363 struct audit_names *name)
385 { 364 {
386 switch (f->val) { 365 switch (f->val) {
387 /* process to file object comparisons 366 /* process to file object comparisons */
388 case AUDIT_COMPARE_UID_TO_OBJ_UID: 367 case AUDIT_COMPARE_UID_TO_OBJ_UID:
389 return audit_compare_uid(cred- 368 return audit_compare_uid(cred->uid, name, f, ctx);
390 case AUDIT_COMPARE_GID_TO_OBJ_GID: 369 case AUDIT_COMPARE_GID_TO_OBJ_GID:
391 return audit_compare_gid(cred- 370 return audit_compare_gid(cred->gid, name, f, ctx);
392 case AUDIT_COMPARE_EUID_TO_OBJ_UID: 371 case AUDIT_COMPARE_EUID_TO_OBJ_UID:
393 return audit_compare_uid(cred- 372 return audit_compare_uid(cred->euid, name, f, ctx);
394 case AUDIT_COMPARE_EGID_TO_OBJ_GID: 373 case AUDIT_COMPARE_EGID_TO_OBJ_GID:
395 return audit_compare_gid(cred- 374 return audit_compare_gid(cred->egid, name, f, ctx);
396 case AUDIT_COMPARE_AUID_TO_OBJ_UID: 375 case AUDIT_COMPARE_AUID_TO_OBJ_UID:
397 return audit_compare_uid(audit !! 376 return audit_compare_uid(tsk->loginuid, name, f, ctx);
398 case AUDIT_COMPARE_SUID_TO_OBJ_UID: 377 case AUDIT_COMPARE_SUID_TO_OBJ_UID:
399 return audit_compare_uid(cred- 378 return audit_compare_uid(cred->suid, name, f, ctx);
400 case AUDIT_COMPARE_SGID_TO_OBJ_GID: 379 case AUDIT_COMPARE_SGID_TO_OBJ_GID:
401 return audit_compare_gid(cred- 380 return audit_compare_gid(cred->sgid, name, f, ctx);
402 case AUDIT_COMPARE_FSUID_TO_OBJ_UID: 381 case AUDIT_COMPARE_FSUID_TO_OBJ_UID:
403 return audit_compare_uid(cred- 382 return audit_compare_uid(cred->fsuid, name, f, ctx);
404 case AUDIT_COMPARE_FSGID_TO_OBJ_GID: 383 case AUDIT_COMPARE_FSGID_TO_OBJ_GID:
405 return audit_compare_gid(cred- 384 return audit_compare_gid(cred->fsgid, name, f, ctx);
406 /* uid comparisons */ 385 /* uid comparisons */
407 case AUDIT_COMPARE_UID_TO_AUID: 386 case AUDIT_COMPARE_UID_TO_AUID:
408 return audit_uid_comparator(cr !! 387 return audit_uid_comparator(cred->uid, f->op, tsk->loginuid);
409 au <<
410 case AUDIT_COMPARE_UID_TO_EUID: 388 case AUDIT_COMPARE_UID_TO_EUID:
411 return audit_uid_comparator(cr 389 return audit_uid_comparator(cred->uid, f->op, cred->euid);
412 case AUDIT_COMPARE_UID_TO_SUID: 390 case AUDIT_COMPARE_UID_TO_SUID:
413 return audit_uid_comparator(cr 391 return audit_uid_comparator(cred->uid, f->op, cred->suid);
414 case AUDIT_COMPARE_UID_TO_FSUID: 392 case AUDIT_COMPARE_UID_TO_FSUID:
415 return audit_uid_comparator(cr 393 return audit_uid_comparator(cred->uid, f->op, cred->fsuid);
416 /* auid comparisons */ 394 /* auid comparisons */
417 case AUDIT_COMPARE_AUID_TO_EUID: 395 case AUDIT_COMPARE_AUID_TO_EUID:
418 return audit_uid_comparator(au !! 396 return audit_uid_comparator(tsk->loginuid, f->op, cred->euid);
419 cr <<
420 case AUDIT_COMPARE_AUID_TO_SUID: 397 case AUDIT_COMPARE_AUID_TO_SUID:
421 return audit_uid_comparator(au !! 398 return audit_uid_comparator(tsk->loginuid, f->op, cred->suid);
422 cr <<
423 case AUDIT_COMPARE_AUID_TO_FSUID: 399 case AUDIT_COMPARE_AUID_TO_FSUID:
424 return audit_uid_comparator(au !! 400 return audit_uid_comparator(tsk->loginuid, f->op, cred->fsuid);
425 cr <<
426 /* euid comparisons */ 401 /* euid comparisons */
427 case AUDIT_COMPARE_EUID_TO_SUID: 402 case AUDIT_COMPARE_EUID_TO_SUID:
428 return audit_uid_comparator(cr 403 return audit_uid_comparator(cred->euid, f->op, cred->suid);
429 case AUDIT_COMPARE_EUID_TO_FSUID: 404 case AUDIT_COMPARE_EUID_TO_FSUID:
430 return audit_uid_comparator(cr 405 return audit_uid_comparator(cred->euid, f->op, cred->fsuid);
431 /* suid comparisons */ 406 /* suid comparisons */
432 case AUDIT_COMPARE_SUID_TO_FSUID: 407 case AUDIT_COMPARE_SUID_TO_FSUID:
433 return audit_uid_comparator(cr 408 return audit_uid_comparator(cred->suid, f->op, cred->fsuid);
434 /* gid comparisons */ 409 /* gid comparisons */
435 case AUDIT_COMPARE_GID_TO_EGID: 410 case AUDIT_COMPARE_GID_TO_EGID:
436 return audit_gid_comparator(cr 411 return audit_gid_comparator(cred->gid, f->op, cred->egid);
437 case AUDIT_COMPARE_GID_TO_SGID: 412 case AUDIT_COMPARE_GID_TO_SGID:
438 return audit_gid_comparator(cr 413 return audit_gid_comparator(cred->gid, f->op, cred->sgid);
439 case AUDIT_COMPARE_GID_TO_FSGID: 414 case AUDIT_COMPARE_GID_TO_FSGID:
440 return audit_gid_comparator(cr 415 return audit_gid_comparator(cred->gid, f->op, cred->fsgid);
441 /* egid comparisons */ 416 /* egid comparisons */
442 case AUDIT_COMPARE_EGID_TO_SGID: 417 case AUDIT_COMPARE_EGID_TO_SGID:
443 return audit_gid_comparator(cr 418 return audit_gid_comparator(cred->egid, f->op, cred->sgid);
444 case AUDIT_COMPARE_EGID_TO_FSGID: 419 case AUDIT_COMPARE_EGID_TO_FSGID:
445 return audit_gid_comparator(cr 420 return audit_gid_comparator(cred->egid, f->op, cred->fsgid);
446 /* sgid comparison */ 421 /* sgid comparison */
447 case AUDIT_COMPARE_SGID_TO_FSGID: 422 case AUDIT_COMPARE_SGID_TO_FSGID:
448 return audit_gid_comparator(cr 423 return audit_gid_comparator(cred->sgid, f->op, cred->fsgid);
449 default: 424 default:
450 WARN(1, "Missing AUDIT_COMPARE 425 WARN(1, "Missing AUDIT_COMPARE define. Report as a bug\n");
451 return 0; 426 return 0;
452 } 427 }
453 return 0; 428 return 0;
454 } 429 }
455 430
456 /* Determine if any context name data matches 431 /* Determine if any context name data matches a rule's watch data */
457 /* Compare a task_struct with an audit_rule. 432 /* Compare a task_struct with an audit_rule. Return 1 on match, 0
458 * otherwise. 433 * otherwise.
459 * 434 *
460 * If task_creation is true, this is an explic 435 * If task_creation is true, this is an explicit indication that we are
461 * filtering a task rule at task creation time 436 * filtering a task rule at task creation time. This and tsk == current are
462 * the only situations where tsk->cred may be 437 * the only situations where tsk->cred may be accessed without an rcu read lock.
463 */ 438 */
464 static int audit_filter_rules(struct task_stru 439 static int audit_filter_rules(struct task_struct *tsk,
465 struct audit_kru 440 struct audit_krule *rule,
466 struct audit_con 441 struct audit_context *ctx,
467 struct audit_nam 442 struct audit_names *name,
468 enum audit_state 443 enum audit_state *state,
469 bool task_creati 444 bool task_creation)
470 { 445 {
471 const struct cred *cred; 446 const struct cred *cred;
472 int i, need_sid = 1; 447 int i, need_sid = 1;
473 u32 sid; 448 u32 sid;
474 unsigned int sessionid; 449 unsigned int sessionid;
475 450
476 if (ctx && rule->prio <= ctx->prio) <<
477 return 0; <<
478 <<
479 cred = rcu_dereference_check(tsk->cred 451 cred = rcu_dereference_check(tsk->cred, tsk == current || task_creation);
480 452
481 for (i = 0; i < rule->field_count; i++ 453 for (i = 0; i < rule->field_count; i++) {
482 struct audit_field *f = &rule- 454 struct audit_field *f = &rule->fields[i];
483 struct audit_names *n; 455 struct audit_names *n;
484 int result = 0; 456 int result = 0;
485 pid_t pid; 457 pid_t pid;
486 458
487 switch (f->type) { 459 switch (f->type) {
488 case AUDIT_PID: 460 case AUDIT_PID:
489 pid = task_tgid_nr(tsk 461 pid = task_tgid_nr(tsk);
490 result = audit_compara 462 result = audit_comparator(pid, f->op, f->val);
491 break; 463 break;
492 case AUDIT_PPID: 464 case AUDIT_PPID:
493 if (ctx) { 465 if (ctx) {
494 if (!ctx->ppid 466 if (!ctx->ppid)
495 ctx->p 467 ctx->ppid = task_ppid_nr(tsk);
496 result = audit 468 result = audit_comparator(ctx->ppid, f->op, f->val);
497 } 469 }
498 break; 470 break;
499 case AUDIT_EXE: 471 case AUDIT_EXE:
500 result = audit_exe_com 472 result = audit_exe_compare(tsk, rule->exe);
501 if (f->op == Audit_not <<
502 result = !resu <<
503 break; 473 break;
504 case AUDIT_UID: 474 case AUDIT_UID:
505 result = audit_uid_com 475 result = audit_uid_comparator(cred->uid, f->op, f->uid);
506 break; 476 break;
507 case AUDIT_EUID: 477 case AUDIT_EUID:
508 result = audit_uid_com 478 result = audit_uid_comparator(cred->euid, f->op, f->uid);
509 break; 479 break;
510 case AUDIT_SUID: 480 case AUDIT_SUID:
511 result = audit_uid_com 481 result = audit_uid_comparator(cred->suid, f->op, f->uid);
512 break; 482 break;
513 case AUDIT_FSUID: 483 case AUDIT_FSUID:
514 result = audit_uid_com 484 result = audit_uid_comparator(cred->fsuid, f->op, f->uid);
515 break; 485 break;
516 case AUDIT_GID: 486 case AUDIT_GID:
517 result = audit_gid_com 487 result = audit_gid_comparator(cred->gid, f->op, f->gid);
518 if (f->op == Audit_equ 488 if (f->op == Audit_equal) {
519 if (!result) 489 if (!result)
520 result !! 490 result = in_group_p(f->gid);
521 } else if (f->op == Au 491 } else if (f->op == Audit_not_equal) {
522 if (result) 492 if (result)
523 result !! 493 result = !in_group_p(f->gid);
524 } 494 }
525 break; 495 break;
526 case AUDIT_EGID: 496 case AUDIT_EGID:
527 result = audit_gid_com 497 result = audit_gid_comparator(cred->egid, f->op, f->gid);
528 if (f->op == Audit_equ 498 if (f->op == Audit_equal) {
529 if (!result) 499 if (!result)
530 result !! 500 result = in_egroup_p(f->gid);
531 } else if (f->op == Au 501 } else if (f->op == Audit_not_equal) {
532 if (result) 502 if (result)
533 result !! 503 result = !in_egroup_p(f->gid);
534 } 504 }
535 break; 505 break;
536 case AUDIT_SGID: 506 case AUDIT_SGID:
537 result = audit_gid_com 507 result = audit_gid_comparator(cred->sgid, f->op, f->gid);
538 break; 508 break;
539 case AUDIT_FSGID: 509 case AUDIT_FSGID:
540 result = audit_gid_com 510 result = audit_gid_comparator(cred->fsgid, f->op, f->gid);
541 break; 511 break;
542 case AUDIT_SESSIONID: 512 case AUDIT_SESSIONID:
543 sessionid = audit_get_ !! 513 sessionid = audit_get_sessionid(current);
544 result = audit_compara 514 result = audit_comparator(sessionid, f->op, f->val);
545 break; 515 break;
546 case AUDIT_PERS: 516 case AUDIT_PERS:
547 result = audit_compara 517 result = audit_comparator(tsk->personality, f->op, f->val);
548 break; 518 break;
549 case AUDIT_ARCH: 519 case AUDIT_ARCH:
550 if (ctx) 520 if (ctx)
551 result = audit 521 result = audit_comparator(ctx->arch, f->op, f->val);
552 break; 522 break;
553 523
554 case AUDIT_EXIT: 524 case AUDIT_EXIT:
555 if (ctx && ctx->return !! 525 if (ctx && ctx->return_valid)
556 result = audit 526 result = audit_comparator(ctx->return_code, f->op, f->val);
557 break; 527 break;
558 case AUDIT_SUCCESS: 528 case AUDIT_SUCCESS:
559 if (ctx && ctx->return !! 529 if (ctx && ctx->return_valid) {
560 if (f->val) 530 if (f->val)
561 result 531 result = audit_comparator(ctx->return_valid, f->op, AUDITSC_SUCCESS);
562 else 532 else
563 result 533 result = audit_comparator(ctx->return_valid, f->op, AUDITSC_FAILURE);
564 } 534 }
565 break; 535 break;
566 case AUDIT_DEVMAJOR: 536 case AUDIT_DEVMAJOR:
567 if (name) { 537 if (name) {
568 if (audit_comp 538 if (audit_comparator(MAJOR(name->dev), f->op, f->val) ||
569 audit_comp 539 audit_comparator(MAJOR(name->rdev), f->op, f->val))
570 ++resu 540 ++result;
571 } else if (ctx) { 541 } else if (ctx) {
572 list_for_each_ 542 list_for_each_entry(n, &ctx->names_list, list) {
573 if (au 543 if (audit_comparator(MAJOR(n->dev), f->op, f->val) ||
574 au 544 audit_comparator(MAJOR(n->rdev), f->op, f->val)) {
575 545 ++result;
576 546 break;
577 } 547 }
578 } 548 }
579 } 549 }
580 break; 550 break;
581 case AUDIT_DEVMINOR: 551 case AUDIT_DEVMINOR:
582 if (name) { 552 if (name) {
583 if (audit_comp 553 if (audit_comparator(MINOR(name->dev), f->op, f->val) ||
584 audit_comp 554 audit_comparator(MINOR(name->rdev), f->op, f->val))
585 ++resu 555 ++result;
586 } else if (ctx) { 556 } else if (ctx) {
587 list_for_each_ 557 list_for_each_entry(n, &ctx->names_list, list) {
588 if (au 558 if (audit_comparator(MINOR(n->dev), f->op, f->val) ||
589 au 559 audit_comparator(MINOR(n->rdev), f->op, f->val)) {
590 560 ++result;
591 561 break;
592 } 562 }
593 } 563 }
594 } 564 }
595 break; 565 break;
596 case AUDIT_INODE: 566 case AUDIT_INODE:
597 if (name) 567 if (name)
598 result = audit 568 result = audit_comparator(name->ino, f->op, f->val);
599 else if (ctx) { 569 else if (ctx) {
600 list_for_each_ 570 list_for_each_entry(n, &ctx->names_list, list) {
601 if (au 571 if (audit_comparator(n->ino, f->op, f->val)) {
602 572 ++result;
603 573 break;
604 } 574 }
605 } 575 }
606 } 576 }
607 break; 577 break;
608 case AUDIT_OBJ_UID: 578 case AUDIT_OBJ_UID:
609 if (name) { 579 if (name) {
610 result = audit 580 result = audit_uid_comparator(name->uid, f->op, f->uid);
611 } else if (ctx) { 581 } else if (ctx) {
612 list_for_each_ 582 list_for_each_entry(n, &ctx->names_list, list) {
613 if (au 583 if (audit_uid_comparator(n->uid, f->op, f->uid)) {
614 584 ++result;
615 585 break;
616 } 586 }
617 } 587 }
618 } 588 }
619 break; 589 break;
620 case AUDIT_OBJ_GID: 590 case AUDIT_OBJ_GID:
621 if (name) { 591 if (name) {
622 result = audit 592 result = audit_gid_comparator(name->gid, f->op, f->gid);
623 } else if (ctx) { 593 } else if (ctx) {
624 list_for_each_ 594 list_for_each_entry(n, &ctx->names_list, list) {
625 if (au 595 if (audit_gid_comparator(n->gid, f->op, f->gid)) {
626 596 ++result;
627 597 break;
628 } 598 }
629 } 599 }
630 } 600 }
631 break; 601 break;
632 case AUDIT_WATCH: 602 case AUDIT_WATCH:
633 if (name) { !! 603 if (name)
634 result = audit !! 604 result = audit_watch_compare(rule->watch, name->ino, name->dev);
635 <<
636 <<
637 if (f->op == A <<
638 result <<
639 } <<
640 break; 605 break;
641 case AUDIT_DIR: 606 case AUDIT_DIR:
642 if (ctx) { !! 607 if (ctx)
643 result = match 608 result = match_tree_refs(ctx, rule->tree);
644 if (f->op == A <<
645 result <<
646 } <<
647 break; 609 break;
648 case AUDIT_LOGINUID: 610 case AUDIT_LOGINUID:
649 result = audit_uid_com !! 611 result = audit_uid_comparator(tsk->loginuid, f->op, f->uid);
650 <<
651 break; 612 break;
652 case AUDIT_LOGINUID_SET: 613 case AUDIT_LOGINUID_SET:
653 result = audit_compara 614 result = audit_comparator(audit_loginuid_set(tsk), f->op, f->val);
654 break; 615 break;
655 case AUDIT_SADDR_FAM: <<
656 if (ctx && ctx->sockad <<
657 result = audit <<
658 <<
659 break; <<
660 case AUDIT_SUBJ_USER: 616 case AUDIT_SUBJ_USER:
661 case AUDIT_SUBJ_ROLE: 617 case AUDIT_SUBJ_ROLE:
662 case AUDIT_SUBJ_TYPE: 618 case AUDIT_SUBJ_TYPE:
663 case AUDIT_SUBJ_SEN: 619 case AUDIT_SUBJ_SEN:
664 case AUDIT_SUBJ_CLR: 620 case AUDIT_SUBJ_CLR:
665 /* NOTE: this may retu 621 /* NOTE: this may return negative values indicating
666 a temporary error. 622 a temporary error. We simply treat this as a
667 match for now to av 623 match for now to avoid losing information that
668 may be wanted. An 624 may be wanted. An error message will also be
669 logged upon error * 625 logged upon error */
670 if (f->lsm_rule) { 626 if (f->lsm_rule) {
671 if (need_sid) 627 if (need_sid) {
672 /* @ts !! 628 security_task_getsecid(tsk, &sid);
673 * @cu <<
674 * for <<
675 * the <<
676 * of <<
677 * use <<
678 * her <<
679 * @cu <<
680 */ <<
681 securi <<
682 need_s 629 need_sid = 0;
683 } 630 }
684 result = secur 631 result = security_audit_rule_match(sid, f->type,
685 !! 632 f->op,
686 !! 633 f->lsm_rule,
>> 634 ctx);
687 } 635 }
688 break; 636 break;
689 case AUDIT_OBJ_USER: 637 case AUDIT_OBJ_USER:
690 case AUDIT_OBJ_ROLE: 638 case AUDIT_OBJ_ROLE:
691 case AUDIT_OBJ_TYPE: 639 case AUDIT_OBJ_TYPE:
692 case AUDIT_OBJ_LEV_LOW: 640 case AUDIT_OBJ_LEV_LOW:
693 case AUDIT_OBJ_LEV_HIGH: 641 case AUDIT_OBJ_LEV_HIGH:
694 /* The above note for 642 /* The above note for AUDIT_SUBJ_USER...AUDIT_SUBJ_CLR
695 also applies here * 643 also applies here */
696 if (f->lsm_rule) { 644 if (f->lsm_rule) {
697 /* Find files 645 /* Find files that match */
698 if (name) { 646 if (name) {
699 result 647 result = security_audit_rule_match(
700 !! 648 name->osid, f->type, f->op,
701 !! 649 f->lsm_rule, ctx);
702 <<
703 <<
704 } else if (ctx 650 } else if (ctx) {
705 list_f 651 list_for_each_entry(n, &ctx->names_list, list) {
706 !! 652 if (security_audit_rule_match(n->osid, f->type,
707 !! 653 f->op, f->lsm_rule,
708 !! 654 ctx)) {
709 <<
710 <<
711 655 ++result;
712 656 break;
713 657 }
714 } 658 }
715 } 659 }
716 /* Find ipc ob 660 /* Find ipc objects that match */
717 if (!ctx || ct 661 if (!ctx || ctx->type != AUDIT_IPC)
718 break; 662 break;
719 if (security_a 663 if (security_audit_rule_match(ctx->ipc.osid,
720 664 f->type, f->op,
721 !! 665 f->lsm_rule, ctx))
722 ++resu 666 ++result;
723 } 667 }
724 break; 668 break;
725 case AUDIT_ARG0: 669 case AUDIT_ARG0:
726 case AUDIT_ARG1: 670 case AUDIT_ARG1:
727 case AUDIT_ARG2: 671 case AUDIT_ARG2:
728 case AUDIT_ARG3: 672 case AUDIT_ARG3:
729 if (ctx) 673 if (ctx)
730 result = audit 674 result = audit_comparator(ctx->argv[f->type-AUDIT_ARG0], f->op, f->val);
731 break; 675 break;
732 case AUDIT_FILTERKEY: 676 case AUDIT_FILTERKEY:
733 /* ignore this field f 677 /* ignore this field for filtering */
734 result = 1; 678 result = 1;
735 break; 679 break;
736 case AUDIT_PERM: 680 case AUDIT_PERM:
737 result = audit_match_p 681 result = audit_match_perm(ctx, f->val);
738 if (f->op == Audit_not <<
739 result = !resu <<
740 break; 682 break;
741 case AUDIT_FILETYPE: 683 case AUDIT_FILETYPE:
742 result = audit_match_f 684 result = audit_match_filetype(ctx, f->val);
743 if (f->op == Audit_not <<
744 result = !resu <<
745 break; 685 break;
746 case AUDIT_FIELD_COMPARE: 686 case AUDIT_FIELD_COMPARE:
747 result = audit_field_c 687 result = audit_field_compare(tsk, cred, f, ctx, name);
748 break; 688 break;
749 } 689 }
750 if (!result) 690 if (!result)
751 return 0; 691 return 0;
752 } 692 }
753 693
754 if (ctx) { 694 if (ctx) {
>> 695 if (rule->prio <= ctx->prio)
>> 696 return 0;
755 if (rule->filterkey) { 697 if (rule->filterkey) {
756 kfree(ctx->filterkey); 698 kfree(ctx->filterkey);
757 ctx->filterkey = kstrd 699 ctx->filterkey = kstrdup(rule->filterkey, GFP_ATOMIC);
758 } 700 }
759 ctx->prio = rule->prio; 701 ctx->prio = rule->prio;
760 } 702 }
761 switch (rule->action) { 703 switch (rule->action) {
762 case AUDIT_NEVER: 704 case AUDIT_NEVER:
763 *state = AUDIT_STATE_DISABLED; !! 705 *state = AUDIT_DISABLED;
764 break; 706 break;
765 case AUDIT_ALWAYS: 707 case AUDIT_ALWAYS:
766 *state = AUDIT_STATE_RECORD; !! 708 *state = AUDIT_RECORD_CONTEXT;
767 break; 709 break;
768 } 710 }
769 return 1; 711 return 1;
770 } 712 }
771 713
772 /* At process creation time, we can determine 714 /* At process creation time, we can determine if system-call auditing is
773 * completely disabled for this task. Since w 715 * completely disabled for this task. Since we only have the task
774 * structure at this point, we can only check 716 * structure at this point, we can only check uid and gid.
775 */ 717 */
776 static enum audit_state audit_filter_task(stru 718 static enum audit_state audit_filter_task(struct task_struct *tsk, char **key)
777 { 719 {
778 struct audit_entry *e; 720 struct audit_entry *e;
779 enum audit_state state; 721 enum audit_state state;
780 722
781 rcu_read_lock(); 723 rcu_read_lock();
782 list_for_each_entry_rcu(e, &audit_filt 724 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TASK], list) {
783 if (audit_filter_rules(tsk, &e 725 if (audit_filter_rules(tsk, &e->rule, NULL, NULL,
784 &state, 726 &state, true)) {
785 if (state == AUDIT_STA !! 727 if (state == AUDIT_RECORD_CONTEXT)
786 *key = kstrdup 728 *key = kstrdup(e->rule.filterkey, GFP_ATOMIC);
787 rcu_read_unlock(); 729 rcu_read_unlock();
788 return state; 730 return state;
789 } 731 }
790 } 732 }
791 rcu_read_unlock(); 733 rcu_read_unlock();
792 return AUDIT_STATE_BUILD; !! 734 return AUDIT_BUILD_CONTEXT;
793 } 735 }
794 736
795 static int audit_in_mask(const struct audit_kr 737 static int audit_in_mask(const struct audit_krule *rule, unsigned long val)
796 { 738 {
797 int word, bit; 739 int word, bit;
798 740
799 if (val > 0xffffffff) 741 if (val > 0xffffffff)
800 return false; 742 return false;
801 743
802 word = AUDIT_WORD(val); 744 word = AUDIT_WORD(val);
803 if (word >= AUDIT_BITMASK_SIZE) 745 if (word >= AUDIT_BITMASK_SIZE)
804 return false; 746 return false;
805 747
806 bit = AUDIT_BIT(val); 748 bit = AUDIT_BIT(val);
807 749
808 return rule->mask[word] & bit; 750 return rule->mask[word] & bit;
809 } 751 }
810 752
811 /** !! 753 /* At syscall entry and exit time, this filter is called if the
812 * __audit_filter_op - common filter helper fo !! 754 * audit_state is not low enough that auditing cannot take place, but is
813 * @tsk: associated task !! 755 * also not high enough that we already know we have to write an audit
814 * @ctx: audit context !! 756 * record (i.e., the state is AUDIT_SETUP_CONTEXT or AUDIT_BUILD_CONTEXT).
815 * @list: audit filter list !! 757 */
816 * @name: audit_name (can be NULL) !! 758 static enum audit_state audit_filter_syscall(struct task_struct *tsk,
817 * @op: current syscall/uring_op !! 759 struct audit_context *ctx,
818 * !! 760 struct list_head *list)
819 * Run the udit filters specified in @list aga <<
820 * @name, and @op, as necessary; the caller is <<
821 * that the call is made while the RCU read lo <<
822 * parameter can be NULL, but all others must <<
823 * Returns 1/true if the filter finds a match, <<
824 */ <<
825 static int __audit_filter_op(struct task_struc <<
826 struct audit_contex <<
827 struct list_head *l <<
828 struct audit_names <<
829 unsigned long op) <<
830 { 761 {
831 struct audit_entry *e; 762 struct audit_entry *e;
832 enum audit_state state; 763 enum audit_state state;
833 764
834 list_for_each_entry_rcu(e, list, list) <<
835 if (audit_in_mask(&e->rule, op <<
836 audit_filter_rules(tsk, &e <<
837 &state, <<
838 ctx->current_state = s <<
839 return 1; <<
840 } <<
841 } <<
842 return 0; <<
843 } <<
844 <<
845 /** <<
846 * audit_filter_uring - apply filters to an io <<
847 * @tsk: associated task <<
848 * @ctx: audit context <<
849 */ <<
850 static void audit_filter_uring(struct task_str <<
851 struct audit_co <<
852 { <<
853 if (auditd_test_task(tsk)) <<
854 return; <<
855 <<
856 rcu_read_lock(); <<
857 __audit_filter_op(tsk, ctx, &audit_fil <<
858 NULL, ctx->uring_op); <<
859 rcu_read_unlock(); <<
860 } <<
861 <<
862 /* At syscall exit time, this filter is called <<
863 * not low enough that auditing cannot take pl <<
864 * high enough that we already know we have to <<
865 * (i.e., the state is AUDIT_STATE_BUILD). <<
866 */ <<
867 static void audit_filter_syscall(struct task_s <<
868 struct audit_ <<
869 { <<
870 if (auditd_test_task(tsk)) 765 if (auditd_test_task(tsk))
871 return; !! 766 return AUDIT_DISABLED;
872 767
873 rcu_read_lock(); 768 rcu_read_lock();
874 __audit_filter_op(tsk, ctx, &audit_fil !! 769 if (!list_empty(list)) {
875 NULL, ctx->major); !! 770 list_for_each_entry_rcu(e, list, list) {
>> 771 if (audit_in_mask(&e->rule, ctx->major) &&
>> 772 audit_filter_rules(tsk, &e->rule, ctx, NULL,
>> 773 &state, false)) {
>> 774 rcu_read_unlock();
>> 775 ctx->current_state = state;
>> 776 return state;
>> 777 }
>> 778 }
>> 779 }
876 rcu_read_unlock(); 780 rcu_read_unlock();
>> 781 return AUDIT_BUILD_CONTEXT;
877 } 782 }
878 783
879 /* 784 /*
880 * Given an audit_name check the inode hash ta 785 * Given an audit_name check the inode hash table to see if they match.
881 * Called holding the rcu read lock to protect 786 * Called holding the rcu read lock to protect the use of audit_inode_hash
882 */ 787 */
883 static int audit_filter_inode_name(struct task 788 static int audit_filter_inode_name(struct task_struct *tsk,
884 struct audi 789 struct audit_names *n,
885 struct audi !! 790 struct audit_context *ctx) {
886 { <<
887 int h = audit_hash_ino((u32)n->ino); 791 int h = audit_hash_ino((u32)n->ino);
888 struct list_head *list = &audit_inode_ 792 struct list_head *list = &audit_inode_hash[h];
>> 793 struct audit_entry *e;
>> 794 enum audit_state state;
889 795
890 return __audit_filter_op(tsk, ctx, lis !! 796 if (list_empty(list))
>> 797 return 0;
>> 798
>> 799 list_for_each_entry_rcu(e, list, list) {
>> 800 if (audit_in_mask(&e->rule, ctx->major) &&
>> 801 audit_filter_rules(tsk, &e->rule, ctx, n, &state, false)) {
>> 802 ctx->current_state = state;
>> 803 return 1;
>> 804 }
>> 805 }
>> 806
>> 807 return 0;
891 } 808 }
892 809
893 /* At syscall exit time, this filter is called 810 /* At syscall exit time, this filter is called if any audit_names have been
894 * collected during syscall processing. We on 811 * collected during syscall processing. We only check rules in sublists at hash
895 * buckets applicable to the inode numbers in 812 * buckets applicable to the inode numbers in audit_names.
896 * Regarding audit_state, same rules apply as 813 * Regarding audit_state, same rules apply as for audit_filter_syscall().
897 */ 814 */
898 void audit_filter_inodes(struct task_struct *t 815 void audit_filter_inodes(struct task_struct *tsk, struct audit_context *ctx)
899 { 816 {
900 struct audit_names *n; 817 struct audit_names *n;
901 818
902 if (auditd_test_task(tsk)) 819 if (auditd_test_task(tsk))
903 return; 820 return;
904 821
905 rcu_read_lock(); 822 rcu_read_lock();
906 823
907 list_for_each_entry(n, &ctx->names_lis 824 list_for_each_entry(n, &ctx->names_list, list) {
908 if (audit_filter_inode_name(ts 825 if (audit_filter_inode_name(tsk, n, ctx))
909 break; 826 break;
910 } 827 }
911 rcu_read_unlock(); 828 rcu_read_unlock();
912 } 829 }
913 830
>> 831 /* Transfer the audit context pointer to the caller, clearing it in the tsk's struct */
>> 832 static inline struct audit_context *audit_take_context(struct task_struct *tsk,
>> 833 int return_valid,
>> 834 long return_code)
>> 835 {
>> 836 struct audit_context *context = tsk->audit_context;
>> 837
>> 838 if (!context)
>> 839 return NULL;
>> 840 context->return_valid = return_valid;
>> 841
>> 842 /*
>> 843 * we need to fix up the return code in the audit logs if the actual
>> 844 * return codes are later going to be fixed up by the arch specific
>> 845 * signal handlers
>> 846 *
>> 847 * This is actually a test for:
>> 848 * (rc == ERESTARTSYS ) || (rc == ERESTARTNOINTR) ||
>> 849 * (rc == ERESTARTNOHAND) || (rc == ERESTART_RESTARTBLOCK)
>> 850 *
>> 851 * but is faster than a bunch of ||
>> 852 */
>> 853 if (unlikely(return_code <= -ERESTARTSYS) &&
>> 854 (return_code >= -ERESTART_RESTARTBLOCK) &&
>> 855 (return_code != -ENOIOCTLCMD))
>> 856 context->return_code = -EINTR;
>> 857 else
>> 858 context->return_code = return_code;
>> 859
>> 860 if (context->in_syscall && !context->dummy) {
>> 861 audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_EXIT]);
>> 862 audit_filter_inodes(tsk, context);
>> 863 }
>> 864
>> 865 tsk->audit_context = NULL;
>> 866 return context;
>> 867 }
>> 868
914 static inline void audit_proctitle_free(struct 869 static inline void audit_proctitle_free(struct audit_context *context)
915 { 870 {
916 kfree(context->proctitle.value); 871 kfree(context->proctitle.value);
917 context->proctitle.value = NULL; 872 context->proctitle.value = NULL;
918 context->proctitle.len = 0; 873 context->proctitle.len = 0;
919 } 874 }
920 875
921 static inline void audit_free_module(struct au <<
922 { <<
923 if (context->type == AUDIT_KERN_MODULE <<
924 kfree(context->module.name); <<
925 context->module.name = NULL; <<
926 } <<
927 } <<
928 static inline void audit_free_names(struct aud 876 static inline void audit_free_names(struct audit_context *context)
929 { 877 {
930 struct audit_names *n, *next; 878 struct audit_names *n, *next;
931 879
932 list_for_each_entry_safe(n, next, &con 880 list_for_each_entry_safe(n, next, &context->names_list, list) {
933 list_del(&n->list); 881 list_del(&n->list);
934 if (n->name) 882 if (n->name)
935 putname(n->name); 883 putname(n->name);
936 if (n->should_free) 884 if (n->should_free)
937 kfree(n); 885 kfree(n);
938 } 886 }
939 context->name_count = 0; 887 context->name_count = 0;
940 path_put(&context->pwd); 888 path_put(&context->pwd);
941 context->pwd.dentry = NULL; 889 context->pwd.dentry = NULL;
942 context->pwd.mnt = NULL; 890 context->pwd.mnt = NULL;
943 } 891 }
944 892
945 static inline void audit_free_aux(struct audit 893 static inline void audit_free_aux(struct audit_context *context)
946 { 894 {
947 struct audit_aux_data *aux; 895 struct audit_aux_data *aux;
948 896
949 while ((aux = context->aux)) { 897 while ((aux = context->aux)) {
950 context->aux = aux->next; 898 context->aux = aux->next;
951 kfree(aux); 899 kfree(aux);
952 } 900 }
953 context->aux = NULL; <<
954 while ((aux = context->aux_pids)) { 901 while ((aux = context->aux_pids)) {
955 context->aux_pids = aux->next; 902 context->aux_pids = aux->next;
956 kfree(aux); 903 kfree(aux);
957 } 904 }
958 context->aux_pids = NULL; <<
959 } <<
960 <<
961 /** <<
962 * audit_reset_context - reset a audit_context <<
963 * @ctx: the audit_context to reset <<
964 * <<
965 * All fields in the audit_context will be res <<
966 * references held by fields will be dropped, <<
967 * released. When this function returns the a <<
968 * for reuse, so long as the passed context is <<
969 */ <<
970 static void audit_reset_context(struct audit_c <<
971 { <<
972 if (!ctx) <<
973 return; <<
974 <<
975 /* if ctx is non-null, reset the "ctx- <<
976 ctx->context = AUDIT_CTX_UNUSED; <<
977 if (ctx->dummy) <<
978 return; <<
979 <<
980 /* <<
981 * NOTE: It shouldn't matter in what o <<
982 * release them in the order in <<
983 * this gives us some hope of qu <<
984 * resetting the audit_context p <<
985 * <<
986 * Other things worth mentioning <<
987 * - we don't reset "dummy" <<
988 * - we don't reset "state", we <<
989 * - we preserve "filterkey" if <<
990 * - much of this is likely over <<
991 * - we really need to work on i <<
992 */ <<
993 <<
994 ctx->current_state = ctx->state; <<
995 ctx->serial = 0; <<
996 ctx->major = 0; <<
997 ctx->uring_op = 0; <<
998 ctx->ctime = (struct timespec64){ .tv_ <<
999 memset(ctx->argv, 0, sizeof(ctx->argv) <<
1000 ctx->return_code = 0; <<
1001 ctx->prio = (ctx->state == AUDIT_STAT <<
1002 ctx->return_valid = AUDITSC_INVALID; <<
1003 audit_free_names(ctx); <<
1004 if (ctx->state != AUDIT_STATE_RECORD) <<
1005 kfree(ctx->filterkey); <<
1006 ctx->filterkey = NULL; <<
1007 } <<
1008 audit_free_aux(ctx); <<
1009 kfree(ctx->sockaddr); <<
1010 ctx->sockaddr = NULL; <<
1011 ctx->sockaddr_len = 0; <<
1012 ctx->ppid = 0; <<
1013 ctx->uid = ctx->euid = ctx->suid = ct <<
1014 ctx->gid = ctx->egid = ctx->sgid = ct <<
1015 ctx->personality = 0; <<
1016 ctx->arch = 0; <<
1017 ctx->target_pid = 0; <<
1018 ctx->target_auid = ctx->target_uid = <<
1019 ctx->target_sessionid = 0; <<
1020 ctx->target_sid = 0; <<
1021 ctx->target_comm[0] = '\0'; <<
1022 unroll_tree_refs(ctx, NULL, 0); <<
1023 WARN_ON(!list_empty(&ctx->killed_tree <<
1024 audit_free_module(ctx); <<
1025 ctx->fds[0] = -1; <<
1026 ctx->type = 0; /* reset last for audi <<
1027 } 905 }
1028 906
1029 static inline struct audit_context *audit_all 907 static inline struct audit_context *audit_alloc_context(enum audit_state state)
1030 { 908 {
1031 struct audit_context *context; 909 struct audit_context *context;
1032 910
1033 context = kzalloc(sizeof(*context), G 911 context = kzalloc(sizeof(*context), GFP_KERNEL);
1034 if (!context) 912 if (!context)
1035 return NULL; 913 return NULL;
1036 context->context = AUDIT_CTX_UNUSED; <<
1037 context->state = state; 914 context->state = state;
1038 context->prio = state == AUDIT_STATE_ !! 915 context->prio = state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0;
1039 INIT_LIST_HEAD(&context->killed_trees 916 INIT_LIST_HEAD(&context->killed_trees);
1040 INIT_LIST_HEAD(&context->names_list); 917 INIT_LIST_HEAD(&context->names_list);
1041 context->fds[0] = -1; <<
1042 context->return_valid = AUDITSC_INVAL <<
1043 return context; 918 return context;
1044 } 919 }
1045 920
1046 /** 921 /**
1047 * audit_alloc - allocate an audit context bl 922 * audit_alloc - allocate an audit context block for a task
1048 * @tsk: task 923 * @tsk: task
1049 * 924 *
1050 * Filter on the task information and allocat 925 * Filter on the task information and allocate a per-task audit context
1051 * if necessary. Doing so turns on system ca 926 * if necessary. Doing so turns on system call auditing for the
1052 * specified task. This is called from copy_ 927 * specified task. This is called from copy_process, so no lock is
1053 * needed. 928 * needed.
1054 */ 929 */
1055 int audit_alloc(struct task_struct *tsk) 930 int audit_alloc(struct task_struct *tsk)
1056 { 931 {
1057 struct audit_context *context; 932 struct audit_context *context;
1058 enum audit_state state; 933 enum audit_state state;
1059 char *key = NULL; 934 char *key = NULL;
1060 935
1061 if (likely(!audit_ever_enabled)) 936 if (likely(!audit_ever_enabled))
1062 return 0; !! 937 return 0; /* Return if not auditing. */
1063 938
1064 state = audit_filter_task(tsk, &key); 939 state = audit_filter_task(tsk, &key);
1065 if (state == AUDIT_STATE_DISABLED) { !! 940 if (state == AUDIT_DISABLED) {
1066 clear_task_syscall_work(tsk, !! 941 clear_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT);
1067 return 0; 942 return 0;
1068 } 943 }
1069 944
1070 context = audit_alloc_context(state); !! 945 if (!(context = audit_alloc_context(state))) {
1071 if (!context) { <<
1072 kfree(key); 946 kfree(key);
1073 audit_log_lost("out of memory 947 audit_log_lost("out of memory in audit_alloc");
1074 return -ENOMEM; 948 return -ENOMEM;
1075 } 949 }
1076 context->filterkey = key; 950 context->filterkey = key;
1077 951
1078 audit_set_context(tsk, context); !! 952 tsk->audit_context = context;
1079 set_task_syscall_work(tsk, SYSCALL_AU !! 953 set_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT);
1080 return 0; 954 return 0;
1081 } 955 }
1082 956
1083 static inline void audit_free_context(struct 957 static inline void audit_free_context(struct audit_context *context)
1084 { 958 {
1085 /* resetting is extra work, but it is !! 959 audit_free_names(context);
1086 audit_reset_context(context); !! 960 unroll_tree_refs(context, NULL, 0);
1087 audit_proctitle_free(context); <<
1088 free_tree_refs(context); 961 free_tree_refs(context);
>> 962 audit_free_aux(context);
1089 kfree(context->filterkey); 963 kfree(context->filterkey);
>> 964 kfree(context->sockaddr);
>> 965 audit_proctitle_free(context);
1090 kfree(context); 966 kfree(context);
1091 } 967 }
1092 968
1093 static int audit_log_pid_context(struct audit 969 static int audit_log_pid_context(struct audit_context *context, pid_t pid,
1094 kuid_t auid, 970 kuid_t auid, kuid_t uid, unsigned int sessionid,
1095 u32 sid, cha 971 u32 sid, char *comm)
1096 { 972 {
1097 struct audit_buffer *ab; 973 struct audit_buffer *ab;
1098 char *ctx = NULL; 974 char *ctx = NULL;
1099 u32 len; 975 u32 len;
1100 int rc = 0; 976 int rc = 0;
1101 977
1102 ab = audit_log_start(context, GFP_KER 978 ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID);
1103 if (!ab) 979 if (!ab)
1104 return rc; 980 return rc;
1105 981
1106 audit_log_format(ab, "opid=%d oauid=% 982 audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid,
1107 from_kuid(&init_user 983 from_kuid(&init_user_ns, auid),
1108 from_kuid(&init_user 984 from_kuid(&init_user_ns, uid), sessionid);
1109 if (sid) { 985 if (sid) {
1110 if (security_secid_to_secctx( 986 if (security_secid_to_secctx(sid, &ctx, &len)) {
1111 audit_log_format(ab, 987 audit_log_format(ab, " obj=(none)");
1112 rc = 1; 988 rc = 1;
1113 } else { 989 } else {
1114 audit_log_format(ab, 990 audit_log_format(ab, " obj=%s", ctx);
1115 security_release_secc 991 security_release_secctx(ctx, len);
1116 } 992 }
1117 } 993 }
1118 audit_log_format(ab, " ocomm="); 994 audit_log_format(ab, " ocomm=");
1119 audit_log_untrustedstring(ab, comm); 995 audit_log_untrustedstring(ab, comm);
1120 audit_log_end(ab); 996 audit_log_end(ab);
1121 997
1122 return rc; 998 return rc;
1123 } 999 }
1124 1000
1125 static void audit_log_execve_info(struct audi 1001 static void audit_log_execve_info(struct audit_context *context,
1126 struct audi 1002 struct audit_buffer **ab)
1127 { 1003 {
1128 long len_max; 1004 long len_max;
1129 long len_rem; 1005 long len_rem;
1130 long len_full; 1006 long len_full;
1131 long len_buf; 1007 long len_buf;
1132 long len_abuf = 0; 1008 long len_abuf = 0;
1133 long len_tmp; 1009 long len_tmp;
1134 bool require_data; 1010 bool require_data;
1135 bool encode; 1011 bool encode;
1136 unsigned int iter; 1012 unsigned int iter;
1137 unsigned int arg; 1013 unsigned int arg;
1138 char *buf_head; 1014 char *buf_head;
1139 char *buf; 1015 char *buf;
1140 const char __user *p = (const char __ 1016 const char __user *p = (const char __user *)current->mm->arg_start;
1141 1017
1142 /* NOTE: this buffer needs to be larg 1018 /* NOTE: this buffer needs to be large enough to hold all the non-arg
1143 * data we put in the audit rec 1019 * data we put in the audit record for this argument (see the
1144 * code below) ... at this poin 1020 * code below) ... at this point in time 96 is plenty */
1145 char abuf[96]; 1021 char abuf[96];
1146 1022
1147 /* NOTE: we set MAX_EXECVE_AUDIT_LEN 1023 /* NOTE: we set MAX_EXECVE_AUDIT_LEN to a rather arbitrary limit, the
1148 * current value of 7500 is not 1024 * current value of 7500 is not as important as the fact that it
1149 * is less than 8k, a setting o 1025 * is less than 8k, a setting of 7500 gives us plenty of wiggle
1150 * room if we go over a little 1026 * room if we go over a little bit in the logging below */
1151 WARN_ON_ONCE(MAX_EXECVE_AUDIT_LEN > 7 1027 WARN_ON_ONCE(MAX_EXECVE_AUDIT_LEN > 7500);
1152 len_max = MAX_EXECVE_AUDIT_LEN; 1028 len_max = MAX_EXECVE_AUDIT_LEN;
1153 1029
1154 /* scratch buffer to hold the userspa 1030 /* scratch buffer to hold the userspace args */
1155 buf_head = kmalloc(MAX_EXECVE_AUDIT_L 1031 buf_head = kmalloc(MAX_EXECVE_AUDIT_LEN + 1, GFP_KERNEL);
1156 if (!buf_head) { 1032 if (!buf_head) {
1157 audit_panic("out of memory fo 1033 audit_panic("out of memory for argv string");
1158 return; 1034 return;
1159 } 1035 }
1160 buf = buf_head; 1036 buf = buf_head;
1161 1037
1162 audit_log_format(*ab, "argc=%d", cont 1038 audit_log_format(*ab, "argc=%d", context->execve.argc);
1163 1039
1164 len_rem = len_max; 1040 len_rem = len_max;
1165 len_buf = 0; 1041 len_buf = 0;
1166 len_full = 0; 1042 len_full = 0;
1167 require_data = true; 1043 require_data = true;
1168 encode = false; 1044 encode = false;
1169 iter = 0; 1045 iter = 0;
1170 arg = 0; 1046 arg = 0;
1171 do { 1047 do {
1172 /* NOTE: we don't ever want t 1048 /* NOTE: we don't ever want to trust this value for anything
1173 * serious, but the aud 1049 * serious, but the audit record format insists we
1174 * provide an argument 1050 * provide an argument length for really long arguments,
1175 * e.g. > MAX_EXECVE_AU 1051 * e.g. > MAX_EXECVE_AUDIT_LEN, so we have no choice but
1176 * to use strncpy_from_ 1052 * to use strncpy_from_user() to obtain this value for
1177 * recording in the log 1053 * recording in the log, although we don't use it
1178 * anywhere here to avo 1054 * anywhere here to avoid a double-fetch problem */
1179 if (len_full == 0) 1055 if (len_full == 0)
1180 len_full = strnlen_us 1056 len_full = strnlen_user(p, MAX_ARG_STRLEN) - 1;
1181 1057
1182 /* read more data from usersp 1058 /* read more data from userspace */
1183 if (require_data) { 1059 if (require_data) {
1184 /* can we make more r 1060 /* can we make more room in the buffer? */
1185 if (buf != buf_head) 1061 if (buf != buf_head) {
1186 memmove(buf_h 1062 memmove(buf_head, buf, len_buf);
1187 buf = buf_hea 1063 buf = buf_head;
1188 } 1064 }
1189 1065
1190 /* fetch as much as w 1066 /* fetch as much as we can of the argument */
1191 len_tmp = strncpy_fro 1067 len_tmp = strncpy_from_user(&buf_head[len_buf], p,
1192 1068 len_max - len_buf);
1193 if (len_tmp == -EFAUL 1069 if (len_tmp == -EFAULT) {
1194 /* unable to 1070 /* unable to copy from userspace */
1195 send_sig(SIGK 1071 send_sig(SIGKILL, current, 0);
1196 goto out; 1072 goto out;
1197 } else if (len_tmp == 1073 } else if (len_tmp == (len_max - len_buf)) {
1198 /* buffer is 1074 /* buffer is not large enough */
1199 require_data 1075 require_data = true;
1200 /* NOTE: if w 1076 /* NOTE: if we are going to span multiple
1201 * buff 1077 * buffers force the encoding so we stand
1202 * a ch 1078 * a chance at a sane len_full value and
1203 * cons 1079 * consistent record encoding */
1204 encode = true 1080 encode = true;
1205 len_full = le 1081 len_full = len_full * 2;
1206 p += len_tmp; 1082 p += len_tmp;
1207 } else { 1083 } else {
1208 require_data 1084 require_data = false;
1209 if (!encode) 1085 if (!encode)
1210 encod 1086 encode = audit_string_contains_control(
1211 1087 buf, len_tmp);
1212 /* try to use 1088 /* try to use a trusted value for len_full */
1213 if (len_full 1089 if (len_full < len_max)
1214 len_f 1090 len_full = (encode ?
1215 1091 len_tmp * 2 : len_tmp);
1216 p += len_tmp 1092 p += len_tmp + 1;
1217 } 1093 }
1218 len_buf += len_tmp; 1094 len_buf += len_tmp;
1219 buf_head[len_buf] = ' 1095 buf_head[len_buf] = '\0';
1220 1096
1221 /* length of the buff 1097 /* length of the buffer in the audit record? */
1222 len_abuf = (encode ? 1098 len_abuf = (encode ? len_buf * 2 : len_buf + 2);
1223 } 1099 }
1224 1100
1225 /* write as much as we can to 1101 /* write as much as we can to the audit log */
1226 if (len_buf >= 0) { !! 1102 if (len_buf > 0) {
1227 /* NOTE: some magic n 1103 /* NOTE: some magic numbers here - basically if we
1228 * can't fit a 1104 * can't fit a reasonable amount of data into the
1229 * existing aud 1105 * existing audit buffer, flush it and start with
1230 * a new buffer 1106 * a new buffer */
1231 if ((sizeof(abuf) + 8 1107 if ((sizeof(abuf) + 8) > len_rem) {
1232 len_rem = len 1108 len_rem = len_max;
1233 audit_log_end 1109 audit_log_end(*ab);
1234 *ab = audit_l 1110 *ab = audit_log_start(context,
1235 1111 GFP_KERNEL, AUDIT_EXECVE);
1236 if (!*ab) 1112 if (!*ab)
1237 goto 1113 goto out;
1238 } 1114 }
1239 1115
1240 /* create the non-arg 1116 /* create the non-arg portion of the arg record */
1241 len_tmp = 0; 1117 len_tmp = 0;
1242 if (require_data || ( 1118 if (require_data || (iter > 0) ||
1243 ((len_abuf + size 1119 ((len_abuf + sizeof(abuf)) > len_rem)) {
1244 if (iter == 0 1120 if (iter == 0) {
1245 len_t 1121 len_tmp += snprintf(&abuf[len_tmp],
1246 1122 sizeof(abuf) - len_tmp,
1247 1123 " a%d_len=%lu",
1248 1124 arg, len_full);
1249 } 1125 }
1250 len_tmp += sn 1126 len_tmp += snprintf(&abuf[len_tmp],
1251 1127 sizeof(abuf) - len_tmp,
1252 1128 " a%d[%d]=", arg, iter++);
1253 } else 1129 } else
1254 len_tmp += sn 1130 len_tmp += snprintf(&abuf[len_tmp],
1255 1131 sizeof(abuf) - len_tmp,
1256 1132 " a%d=", arg);
1257 WARN_ON(len_tmp >= si 1133 WARN_ON(len_tmp >= sizeof(abuf));
1258 abuf[sizeof(abuf) - 1 1134 abuf[sizeof(abuf) - 1] = '\0';
1259 1135
1260 /* log the arg in the 1136 /* log the arg in the audit record */
1261 audit_log_format(*ab, 1137 audit_log_format(*ab, "%s", abuf);
1262 len_rem -= len_tmp; 1138 len_rem -= len_tmp;
1263 len_tmp = len_buf; 1139 len_tmp = len_buf;
1264 if (encode) { 1140 if (encode) {
1265 if (len_abuf 1141 if (len_abuf > len_rem)
1266 len_t 1142 len_tmp = len_rem / 2; /* encoding */
1267 audit_log_n_h 1143 audit_log_n_hex(*ab, buf, len_tmp);
1268 len_rem -= le 1144 len_rem -= len_tmp * 2;
1269 len_abuf -= l 1145 len_abuf -= len_tmp * 2;
1270 } else { 1146 } else {
1271 if (len_abuf 1147 if (len_abuf > len_rem)
1272 len_t 1148 len_tmp = len_rem - 2; /* quotes */
1273 audit_log_n_s 1149 audit_log_n_string(*ab, buf, len_tmp);
1274 len_rem -= le 1150 len_rem -= len_tmp + 2;
1275 /* don't subt 1151 /* don't subtract the "2" because we still need
1276 * to add quo 1152 * to add quotes to the remaining string */
1277 len_abuf -= l 1153 len_abuf -= len_tmp;
1278 } 1154 }
1279 len_buf -= len_tmp; 1155 len_buf -= len_tmp;
1280 buf += len_tmp; 1156 buf += len_tmp;
1281 } 1157 }
1282 1158
1283 /* ready to move to the next 1159 /* ready to move to the next argument? */
1284 if ((len_buf == 0) && !requir 1160 if ((len_buf == 0) && !require_data) {
1285 arg++; 1161 arg++;
1286 iter = 0; 1162 iter = 0;
1287 len_full = 0; 1163 len_full = 0;
1288 require_data = true; 1164 require_data = true;
1289 encode = false; 1165 encode = false;
1290 } 1166 }
1291 } while (arg < context->execve.argc); 1167 } while (arg < context->execve.argc);
1292 1168
1293 /* NOTE: the caller handles the final 1169 /* NOTE: the caller handles the final audit_log_end() call */
1294 1170
1295 out: 1171 out:
1296 kfree(buf_head); 1172 kfree(buf_head);
1297 } 1173 }
1298 1174
1299 static void audit_log_cap(struct audit_buffer <<
1300 kernel_cap_t *cap) <<
1301 { <<
1302 if (cap_isclear(*cap)) { <<
1303 audit_log_format(ab, " %s=0", <<
1304 return; <<
1305 } <<
1306 audit_log_format(ab, " %s=%016llx", p <<
1307 } <<
1308 <<
1309 static void audit_log_fcaps(struct audit_buff <<
1310 { <<
1311 if (name->fcap_ver == -1) { <<
1312 audit_log_format(ab, " cap_fe <<
1313 return; <<
1314 } <<
1315 audit_log_cap(ab, "cap_fp", &name->fc <<
1316 audit_log_cap(ab, "cap_fi", &name->fc <<
1317 audit_log_format(ab, " cap_fe=%d cap_ <<
1318 name->fcap.fE, name- <<
1319 from_kuid(&init_user <<
1320 } <<
1321 <<
1322 static void audit_log_time(struct audit_conte <<
1323 { <<
1324 const struct audit_ntp_data *ntp = &c <<
1325 const struct timespec64 *tk = &contex <<
1326 static const char * const ntp_name[] <<
1327 "offset", <<
1328 "freq", <<
1329 "status", <<
1330 "tai", <<
1331 "tick", <<
1332 "adjust", <<
1333 }; <<
1334 int type; <<
1335 <<
1336 if (context->type == AUDIT_TIME_ADJNT <<
1337 for (type = 0; type < AUDIT_N <<
1338 if (ntp->vals[type].n <<
1339 if (!*ab) { <<
1340 *ab = <<
1341 <<
1342 <<
1343 if (! <<
1344 <<
1345 } <<
1346 audit_log_for <<
1347 <<
1348 <<
1349 <<
1350 audit_log_end <<
1351 *ab = NULL; <<
1352 } <<
1353 } <<
1354 } <<
1355 if (tk->tv_sec != 0 || tk->tv_nsec != <<
1356 if (!*ab) { <<
1357 *ab = audit_log_start <<
1358 <<
1359 if (!*ab) <<
1360 return; <<
1361 } <<
1362 audit_log_format(*ab, "sec=%l <<
1363 (long long)t <<
1364 audit_log_end(*ab); <<
1365 *ab = NULL; <<
1366 } <<
1367 } <<
1368 <<
1369 static void show_special(struct audit_context 1175 static void show_special(struct audit_context *context, int *call_panic)
1370 { 1176 {
1371 struct audit_buffer *ab; 1177 struct audit_buffer *ab;
1372 int i; 1178 int i;
1373 1179
1374 ab = audit_log_start(context, GFP_KER 1180 ab = audit_log_start(context, GFP_KERNEL, context->type);
1375 if (!ab) 1181 if (!ab)
1376 return; 1182 return;
1377 1183
1378 switch (context->type) { 1184 switch (context->type) {
1379 case AUDIT_SOCKETCALL: { 1185 case AUDIT_SOCKETCALL: {
1380 int nargs = context->socketca 1186 int nargs = context->socketcall.nargs;
1381 <<
1382 audit_log_format(ab, "nargs=% 1187 audit_log_format(ab, "nargs=%d", nargs);
1383 for (i = 0; i < nargs; i++) 1188 for (i = 0; i < nargs; i++)
1384 audit_log_format(ab, 1189 audit_log_format(ab, " a%d=%lx", i,
1385 context->sock 1190 context->socketcall.args[i]);
1386 break; } 1191 break; }
1387 case AUDIT_IPC: { 1192 case AUDIT_IPC: {
1388 u32 osid = context->ipc.osid; 1193 u32 osid = context->ipc.osid;
1389 1194
1390 audit_log_format(ab, "ouid=%u 1195 audit_log_format(ab, "ouid=%u ogid=%u mode=%#ho",
1391 from_kuid(&i 1196 from_kuid(&init_user_ns, context->ipc.uid),
1392 from_kgid(&i 1197 from_kgid(&init_user_ns, context->ipc.gid),
1393 context->ipc 1198 context->ipc.mode);
1394 if (osid) { 1199 if (osid) {
1395 char *ctx = NULL; 1200 char *ctx = NULL;
1396 u32 len; 1201 u32 len;
1397 <<
1398 if (security_secid_to 1202 if (security_secid_to_secctx(osid, &ctx, &len)) {
1399 audit_log_for 1203 audit_log_format(ab, " osid=%u", osid);
1400 *call_panic = 1204 *call_panic = 1;
1401 } else { 1205 } else {
1402 audit_log_for 1206 audit_log_format(ab, " obj=%s", ctx);
1403 security_rele 1207 security_release_secctx(ctx, len);
1404 } 1208 }
1405 } 1209 }
1406 if (context->ipc.has_perm) { 1210 if (context->ipc.has_perm) {
1407 audit_log_end(ab); 1211 audit_log_end(ab);
1408 ab = audit_log_start( 1212 ab = audit_log_start(context, GFP_KERNEL,
1409 1213 AUDIT_IPC_SET_PERM);
1410 if (unlikely(!ab)) 1214 if (unlikely(!ab))
1411 return; 1215 return;
1412 audit_log_format(ab, 1216 audit_log_format(ab,
1413 "qbytes=%lx o 1217 "qbytes=%lx ouid=%u ogid=%u mode=%#ho",
1414 context->ipc. 1218 context->ipc.qbytes,
1415 context->ipc. 1219 context->ipc.perm_uid,
1416 context->ipc. 1220 context->ipc.perm_gid,
1417 context->ipc. 1221 context->ipc.perm_mode);
1418 } 1222 }
1419 break; } 1223 break; }
1420 case AUDIT_MQ_OPEN: !! 1224 case AUDIT_MQ_OPEN: {
1421 audit_log_format(ab, 1225 audit_log_format(ab,
1422 "oflag=0x%x mode=%#ho 1226 "oflag=0x%x mode=%#ho mq_flags=0x%lx mq_maxmsg=%ld "
1423 "mq_msgsize=%ld mq_cu 1227 "mq_msgsize=%ld mq_curmsgs=%ld",
1424 context->mq_open.ofla 1228 context->mq_open.oflag, context->mq_open.mode,
1425 context->mq_open.attr 1229 context->mq_open.attr.mq_flags,
1426 context->mq_open.attr 1230 context->mq_open.attr.mq_maxmsg,
1427 context->mq_open.attr 1231 context->mq_open.attr.mq_msgsize,
1428 context->mq_open.attr 1232 context->mq_open.attr.mq_curmsgs);
1429 break; !! 1233 break; }
1430 case AUDIT_MQ_SENDRECV: !! 1234 case AUDIT_MQ_SENDRECV: {
1431 audit_log_format(ab, 1235 audit_log_format(ab,
1432 "mqdes=%d msg_len=%zd 1236 "mqdes=%d msg_len=%zd msg_prio=%u "
1433 "abs_timeout_sec=%lld !! 1237 "abs_timeout_sec=%ld abs_timeout_nsec=%ld",
1434 context->mq_sendrecv. 1238 context->mq_sendrecv.mqdes,
1435 context->mq_sendrecv. 1239 context->mq_sendrecv.msg_len,
1436 context->mq_sendrecv. 1240 context->mq_sendrecv.msg_prio,
1437 (long long) context-> !! 1241 context->mq_sendrecv.abs_timeout.tv_sec,
1438 context->mq_sendrecv. 1242 context->mq_sendrecv.abs_timeout.tv_nsec);
1439 break; !! 1243 break; }
1440 case AUDIT_MQ_NOTIFY: !! 1244 case AUDIT_MQ_NOTIFY: {
1441 audit_log_format(ab, "mqdes=% 1245 audit_log_format(ab, "mqdes=%d sigev_signo=%d",
1442 context->mq_n 1246 context->mq_notify.mqdes,
1443 context->mq_n 1247 context->mq_notify.sigev_signo);
1444 break; !! 1248 break; }
1445 case AUDIT_MQ_GETSETATTR: { 1249 case AUDIT_MQ_GETSETATTR: {
1446 struct mq_attr *attr = &conte 1250 struct mq_attr *attr = &context->mq_getsetattr.mqstat;
1447 <<
1448 audit_log_format(ab, 1251 audit_log_format(ab,
1449 "mqdes=%d mq_flags=0x 1252 "mqdes=%d mq_flags=0x%lx mq_maxmsg=%ld mq_msgsize=%ld "
1450 "mq_curmsgs=%ld ", 1253 "mq_curmsgs=%ld ",
1451 context->mq_getsetatt 1254 context->mq_getsetattr.mqdes,
1452 attr->mq_flags, attr- 1255 attr->mq_flags, attr->mq_maxmsg,
1453 attr->mq_msgsize, att 1256 attr->mq_msgsize, attr->mq_curmsgs);
1454 break; } 1257 break; }
1455 case AUDIT_CAPSET: !! 1258 case AUDIT_CAPSET: {
1456 audit_log_format(ab, "pid=%d" 1259 audit_log_format(ab, "pid=%d", context->capset.pid);
1457 audit_log_cap(ab, "cap_pi", & 1260 audit_log_cap(ab, "cap_pi", &context->capset.cap.inheritable);
1458 audit_log_cap(ab, "cap_pp", & 1261 audit_log_cap(ab, "cap_pp", &context->capset.cap.permitted);
1459 audit_log_cap(ab, "cap_pe", & 1262 audit_log_cap(ab, "cap_pe", &context->capset.cap.effective);
1460 audit_log_cap(ab, "cap_pa", & !! 1263 break; }
1461 break; !! 1264 case AUDIT_MMAP: {
1462 case AUDIT_MMAP: <<
1463 audit_log_format(ab, "fd=%d f 1265 audit_log_format(ab, "fd=%d flags=0x%x", context->mmap.fd,
1464 context->mma 1266 context->mmap.flags);
1465 break; !! 1267 break; }
1466 case AUDIT_OPENAT2: !! 1268 case AUDIT_EXECVE: {
1467 audit_log_format(ab, "oflag=0 <<
1468 context->ope <<
1469 context->ope <<
1470 context->ope <<
1471 break; <<
1472 case AUDIT_EXECVE: <<
1473 audit_log_execve_info(context 1269 audit_log_execve_info(context, &ab);
1474 break; !! 1270 break; }
1475 case AUDIT_KERN_MODULE: <<
1476 audit_log_format(ab, "name=") <<
1477 if (context->module.name) { <<
1478 audit_log_untrustedst <<
1479 } else <<
1480 audit_log_format(ab, <<
1481 <<
1482 break; <<
1483 case AUDIT_TIME_ADJNTPVAL: <<
1484 case AUDIT_TIME_INJOFFSET: <<
1485 /* this call deviates from th <<
1486 audit_log_time(context, &ab); <<
1487 break; <<
1488 } 1271 }
1489 audit_log_end(ab); 1272 audit_log_end(ab);
1490 } 1273 }
1491 1274
1492 static inline int audit_proctitle_rtrim(char 1275 static inline int audit_proctitle_rtrim(char *proctitle, int len)
1493 { 1276 {
1494 char *end = proctitle + len - 1; 1277 char *end = proctitle + len - 1;
1495 <<
1496 while (end > proctitle && !isprint(*e 1278 while (end > proctitle && !isprint(*end))
1497 end--; 1279 end--;
1498 1280
1499 /* catch the case where proctitle is 1281 /* catch the case where proctitle is only 1 non-print character */
1500 len = end - proctitle + 1; 1282 len = end - proctitle + 1;
1501 len -= isprint(proctitle[len-1]) == 0 1283 len -= isprint(proctitle[len-1]) == 0;
1502 return len; 1284 return len;
1503 } 1285 }
1504 1286
1505 /* !! 1287 static void audit_log_proctitle(struct task_struct *tsk,
1506 * audit_log_name - produce AUDIT_PATH record !! 1288 struct audit_context *context)
1507 * @context: audit_context for the task <<
1508 * @n: audit_names structure with reportable <<
1509 * @path: optional path to report instead of <<
1510 * @record_num: record number to report when <<
1511 * @call_panic: optional pointer to int that <<
1512 */ <<
1513 static void audit_log_name(struct audit_conte <<
1514 const struct path *path, <<
1515 { <<
1516 struct audit_buffer *ab; <<
1517 <<
1518 ab = audit_log_start(context, GFP_KER <<
1519 if (!ab) <<
1520 return; <<
1521 <<
1522 audit_log_format(ab, "item=%d", recor <<
1523 <<
1524 if (path) <<
1525 audit_log_d_path(ab, " name=" <<
1526 else if (n->name) { <<
1527 switch (n->name_len) { <<
1528 case AUDIT_NAME_FULL: <<
1529 /* log the full path <<
1530 audit_log_format(ab, <<
1531 audit_log_untrustedst <<
1532 break; <<
1533 case 0: <<
1534 /* name was specified <<
1535 * directory componen <<
1536 */ <<
1537 if (context->pwd.dent <<
1538 audit_log_d_p <<
1539 else <<
1540 audit_log_for <<
1541 break; <<
1542 default: <<
1543 /* log the name's dir <<
1544 audit_log_format(ab, <<
1545 audit_log_n_untrusted <<
1546 <<
1547 } <<
1548 } else <<
1549 audit_log_format(ab, " name=( <<
1550 <<
1551 if (n->ino != AUDIT_INO_UNSET) <<
1552 audit_log_format(ab, " inode= <<
1553 n->ino, <<
1554 MAJOR(n->dev <<
1555 MINOR(n->dev <<
1556 n->mode, <<
1557 from_kuid(&i <<
1558 from_kgid(&i <<
1559 MAJOR(n->rde <<
1560 MINOR(n->rde <<
1561 if (n->osid != 0) { <<
1562 char *ctx = NULL; <<
1563 u32 len; <<
1564 <<
1565 if (security_secid_to_secctx( <<
1566 n->osid, &ctx, &len)) <<
1567 audit_log_format(ab, <<
1568 if (call_panic) <<
1569 *call_panic = <<
1570 } else { <<
1571 audit_log_format(ab, <<
1572 security_release_secc <<
1573 } <<
1574 } <<
1575 <<
1576 /* log the audit_names record type */ <<
1577 switch (n->type) { <<
1578 case AUDIT_TYPE_NORMAL: <<
1579 audit_log_format(ab, " namety <<
1580 break; <<
1581 case AUDIT_TYPE_PARENT: <<
1582 audit_log_format(ab, " namety <<
1583 break; <<
1584 case AUDIT_TYPE_CHILD_DELETE: <<
1585 audit_log_format(ab, " namety <<
1586 break; <<
1587 case AUDIT_TYPE_CHILD_CREATE: <<
1588 audit_log_format(ab, " namety <<
1589 break; <<
1590 default: <<
1591 audit_log_format(ab, " namety <<
1592 break; <<
1593 } <<
1594 <<
1595 audit_log_fcaps(ab, n); <<
1596 audit_log_end(ab); <<
1597 } <<
1598 <<
1599 static void audit_log_proctitle(void) <<
1600 { 1289 {
1601 int res; 1290 int res;
1602 char *buf; 1291 char *buf;
1603 char *msg = "(null)"; 1292 char *msg = "(null)";
1604 int len = strlen(msg); 1293 int len = strlen(msg);
1605 struct audit_context *context = audit <<
1606 struct audit_buffer *ab; 1294 struct audit_buffer *ab;
1607 1295
1608 ab = audit_log_start(context, GFP_KER 1296 ab = audit_log_start(context, GFP_KERNEL, AUDIT_PROCTITLE);
1609 if (!ab) 1297 if (!ab)
1610 return; /* audit_panic or bei 1298 return; /* audit_panic or being filtered */
1611 1299
1612 audit_log_format(ab, "proctitle="); 1300 audit_log_format(ab, "proctitle=");
1613 1301
1614 /* Not cached */ 1302 /* Not cached */
1615 if (!context->proctitle.value) { 1303 if (!context->proctitle.value) {
1616 buf = kmalloc(MAX_PROCTITLE_A 1304 buf = kmalloc(MAX_PROCTITLE_AUDIT_LEN, GFP_KERNEL);
1617 if (!buf) 1305 if (!buf)
1618 goto out; 1306 goto out;
1619 /* Historically called this f 1307 /* Historically called this from procfs naming */
1620 res = get_cmdline(current, bu !! 1308 res = get_cmdline(tsk, buf, MAX_PROCTITLE_AUDIT_LEN);
1621 if (res == 0) { 1309 if (res == 0) {
1622 kfree(buf); 1310 kfree(buf);
1623 goto out; 1311 goto out;
1624 } 1312 }
1625 res = audit_proctitle_rtrim(b 1313 res = audit_proctitle_rtrim(buf, res);
1626 if (res == 0) { 1314 if (res == 0) {
1627 kfree(buf); 1315 kfree(buf);
1628 goto out; 1316 goto out;
1629 } 1317 }
1630 context->proctitle.value = bu 1318 context->proctitle.value = buf;
1631 context->proctitle.len = res; 1319 context->proctitle.len = res;
1632 } 1320 }
1633 msg = context->proctitle.value; 1321 msg = context->proctitle.value;
1634 len = context->proctitle.len; 1322 len = context->proctitle.len;
1635 out: 1323 out:
1636 audit_log_n_untrustedstring(ab, msg, 1324 audit_log_n_untrustedstring(ab, msg, len);
1637 audit_log_end(ab); 1325 audit_log_end(ab);
1638 } 1326 }
1639 1327
1640 /** !! 1328 static void audit_log_exit(struct audit_context *context, struct task_struct *tsk)
1641 * audit_log_uring - generate a AUDIT_URINGOP <<
1642 * @ctx: the audit context <<
1643 */ <<
1644 static void audit_log_uring(struct audit_cont <<
1645 { <<
1646 struct audit_buffer *ab; <<
1647 const struct cred *cred; <<
1648 <<
1649 ab = audit_log_start(ctx, GFP_ATOMIC, <<
1650 if (!ab) <<
1651 return; <<
1652 cred = current_cred(); <<
1653 audit_log_format(ab, "uring_op=%d", c <<
1654 if (ctx->return_valid != AUDITSC_INVA <<
1655 audit_log_format(ab, " succes <<
1656 (ctx->return <<
1657 "yes" : "no <<
1658 ctx->return_ <<
1659 audit_log_format(ab, <<
1660 " items=%d" <<
1661 " ppid=%d pid=%d uid <<
1662 " fsuid=%u egid=%u s <<
1663 ctx->name_count, <<
1664 task_ppid_nr(current <<
1665 from_kuid(&init_user <<
1666 from_kgid(&init_user <<
1667 from_kuid(&init_user <<
1668 from_kuid(&init_user <<
1669 from_kuid(&init_user <<
1670 from_kgid(&init_user <<
1671 from_kgid(&init_user <<
1672 from_kgid(&init_user <<
1673 audit_log_task_context(ab); <<
1674 audit_log_key(ab, ctx->filterkey); <<
1675 audit_log_end(ab); <<
1676 } <<
1677 <<
1678 static void audit_log_exit(void) <<
1679 { 1329 {
1680 int i, call_panic = 0; 1330 int i, call_panic = 0;
1681 struct audit_context *context = audit <<
1682 struct audit_buffer *ab; 1331 struct audit_buffer *ab;
1683 struct audit_aux_data *aux; 1332 struct audit_aux_data *aux;
1684 struct audit_names *n; 1333 struct audit_names *n;
1685 1334
1686 context->personality = current->perso !! 1335 /* tsk == current */
>> 1336 context->personality = tsk->personality;
1687 1337
1688 switch (context->context) { !! 1338 ab = audit_log_start(context, GFP_KERNEL, AUDIT_SYSCALL);
1689 case AUDIT_CTX_SYSCALL: !! 1339 if (!ab)
1690 ab = audit_log_start(context, !! 1340 return; /* audit_panic has been called */
1691 if (!ab) !! 1341 audit_log_format(ab, "arch=%x syscall=%d",
1692 return; !! 1342 context->arch, context->major);
1693 audit_log_format(ab, "arch=%x !! 1343 if (context->personality != PER_LINUX)
1694 context->arc !! 1344 audit_log_format(ab, " per=%lx", context->personality);
1695 if (context->personality != P !! 1345 if (context->return_valid)
1696 audit_log_format(ab, !! 1346 audit_log_format(ab, " success=%s exit=%ld",
1697 if (context->return_valid != !! 1347 (context->return_valid==AUDITSC_SUCCESS)?"yes":"no",
1698 audit_log_format(ab, !! 1348 context->return_code);
1699 (con !! 1349
1700 "ye !! 1350 audit_log_format(ab,
1701 cont !! 1351 " a0=%lx a1=%lx a2=%lx a3=%lx items=%d",
1702 audit_log_format(ab, !! 1352 context->argv[0],
1703 " a0=%lx a1= !! 1353 context->argv[1],
1704 context->arg !! 1354 context->argv[2],
1705 context->arg !! 1355 context->argv[3],
1706 context->arg !! 1356 context->name_count);
1707 context->arg !! 1357
1708 context->nam !! 1358 audit_log_task_info(ab, tsk);
1709 audit_log_task_info(ab); !! 1359 audit_log_key(ab, context->filterkey);
1710 audit_log_key(ab, context->fi !! 1360 audit_log_end(ab);
1711 audit_log_end(ab); <<
1712 break; <<
1713 case AUDIT_CTX_URING: <<
1714 audit_log_uring(context); <<
1715 break; <<
1716 default: <<
1717 BUG(); <<
1718 break; <<
1719 } <<
1720 1361
1721 for (aux = context->aux; aux; aux = a 1362 for (aux = context->aux; aux; aux = aux->next) {
1722 1363
1723 ab = audit_log_start(context, 1364 ab = audit_log_start(context, GFP_KERNEL, aux->type);
1724 if (!ab) 1365 if (!ab)
1725 continue; /* audit_pa 1366 continue; /* audit_panic has been called */
1726 1367
1727 switch (aux->type) { 1368 switch (aux->type) {
1728 1369
1729 case AUDIT_BPRM_FCAPS: { 1370 case AUDIT_BPRM_FCAPS: {
1730 struct audit_aux_data 1371 struct audit_aux_data_bprm_fcaps *axs = (void *)aux;
1731 <<
1732 audit_log_format(ab, 1372 audit_log_format(ab, "fver=%x", axs->fcap_ver);
1733 audit_log_cap(ab, "fp 1373 audit_log_cap(ab, "fp", &axs->fcap.permitted);
1734 audit_log_cap(ab, "fi 1374 audit_log_cap(ab, "fi", &axs->fcap.inheritable);
1735 audit_log_format(ab, 1375 audit_log_format(ab, " fe=%d", axs->fcap.fE);
1736 audit_log_cap(ab, "ol 1376 audit_log_cap(ab, "old_pp", &axs->old_pcap.permitted);
1737 audit_log_cap(ab, "ol 1377 audit_log_cap(ab, "old_pi", &axs->old_pcap.inheritable);
1738 audit_log_cap(ab, "ol 1378 audit_log_cap(ab, "old_pe", &axs->old_pcap.effective);
1739 audit_log_cap(ab, "ol !! 1379 audit_log_cap(ab, "new_pp", &axs->new_pcap.permitted);
1740 audit_log_cap(ab, "pp !! 1380 audit_log_cap(ab, "new_pi", &axs->new_pcap.inheritable);
1741 audit_log_cap(ab, "pi !! 1381 audit_log_cap(ab, "new_pe", &axs->new_pcap.effective);
1742 audit_log_cap(ab, "pe <<
1743 audit_log_cap(ab, "pa <<
1744 audit_log_format(ab, <<
1745 from <<
1746 <<
1747 break; } 1382 break; }
1748 1383
1749 } 1384 }
1750 audit_log_end(ab); 1385 audit_log_end(ab);
1751 } 1386 }
1752 1387
1753 if (context->type) 1388 if (context->type)
1754 show_special(context, &call_p 1389 show_special(context, &call_panic);
1755 1390
1756 if (context->fds[0] >= 0) { 1391 if (context->fds[0] >= 0) {
1757 ab = audit_log_start(context, 1392 ab = audit_log_start(context, GFP_KERNEL, AUDIT_FD_PAIR);
1758 if (ab) { 1393 if (ab) {
1759 audit_log_format(ab, 1394 audit_log_format(ab, "fd0=%d fd1=%d",
1760 conte 1395 context->fds[0], context->fds[1]);
1761 audit_log_end(ab); 1396 audit_log_end(ab);
1762 } 1397 }
1763 } 1398 }
1764 1399
1765 if (context->sockaddr_len) { 1400 if (context->sockaddr_len) {
1766 ab = audit_log_start(context, 1401 ab = audit_log_start(context, GFP_KERNEL, AUDIT_SOCKADDR);
1767 if (ab) { 1402 if (ab) {
1768 audit_log_format(ab, 1403 audit_log_format(ab, "saddr=");
1769 audit_log_n_hex(ab, ( 1404 audit_log_n_hex(ab, (void *)context->sockaddr,
1770 conte 1405 context->sockaddr_len);
1771 audit_log_end(ab); 1406 audit_log_end(ab);
1772 } 1407 }
1773 } 1408 }
1774 1409
1775 for (aux = context->aux_pids; aux; au 1410 for (aux = context->aux_pids; aux; aux = aux->next) {
1776 struct audit_aux_data_pids *a 1411 struct audit_aux_data_pids *axs = (void *)aux;
1777 1412
1778 for (i = 0; i < axs->pid_coun 1413 for (i = 0; i < axs->pid_count; i++)
1779 if (audit_log_pid_con 1414 if (audit_log_pid_context(context, axs->target_pid[i],
1780 1415 axs->target_auid[i],
1781 1416 axs->target_uid[i],
1782 1417 axs->target_sessionid[i],
1783 1418 axs->target_sid[i],
1784 1419 axs->target_comm[i]))
1785 call_panic = 1420 call_panic = 1;
1786 } 1421 }
1787 1422
1788 if (context->target_pid && 1423 if (context->target_pid &&
1789 audit_log_pid_context(context, co 1424 audit_log_pid_context(context, context->target_pid,
1790 context->ta 1425 context->target_auid, context->target_uid,
1791 context->ta 1426 context->target_sessionid,
1792 context->ta 1427 context->target_sid, context->target_comm))
1793 call_panic = 1; 1428 call_panic = 1;
1794 1429
1795 if (context->pwd.dentry && context->p 1430 if (context->pwd.dentry && context->pwd.mnt) {
1796 ab = audit_log_start(context, 1431 ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD);
1797 if (ab) { 1432 if (ab) {
1798 audit_log_d_path(ab, 1433 audit_log_d_path(ab, "cwd=", &context->pwd);
1799 audit_log_end(ab); 1434 audit_log_end(ab);
1800 } 1435 }
1801 } 1436 }
1802 1437
1803 i = 0; 1438 i = 0;
1804 list_for_each_entry(n, &context->name 1439 list_for_each_entry(n, &context->names_list, list) {
1805 if (n->hidden) 1440 if (n->hidden)
1806 continue; 1441 continue;
1807 audit_log_name(context, n, NU 1442 audit_log_name(context, n, NULL, i++, &call_panic);
1808 } 1443 }
1809 1444
1810 if (context->context == AUDIT_CTX_SYS !! 1445 audit_log_proctitle(tsk, context);
1811 audit_log_proctitle(); <<
1812 1446
1813 /* Send end of event record to help u 1447 /* Send end of event record to help user space know we are finished */
1814 ab = audit_log_start(context, GFP_KER 1448 ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE);
1815 if (ab) 1449 if (ab)
1816 audit_log_end(ab); 1450 audit_log_end(ab);
1817 if (call_panic) 1451 if (call_panic)
1818 audit_panic("error in audit_l !! 1452 audit_panic("error converting sid to string");
1819 } 1453 }
1820 1454
1821 /** 1455 /**
1822 * __audit_free - free a per-task audit conte !! 1456 * audit_free - free a per-task audit context
1823 * @tsk: task whose audit context block to fr 1457 * @tsk: task whose audit context block to free
1824 * 1458 *
1825 * Called from copy_process, do_exit, and the !! 1459 * Called from copy_process and do_exit
1826 */ 1460 */
1827 void __audit_free(struct task_struct *tsk) 1461 void __audit_free(struct task_struct *tsk)
1828 { 1462 {
1829 struct audit_context *context = tsk-> !! 1463 struct audit_context *context;
1830 1464
>> 1465 context = audit_take_context(tsk, 0, 0);
1831 if (!context) 1466 if (!context)
1832 return; 1467 return;
1833 1468
1834 /* this may generate CONFIG_CHANGE re !! 1469 /* Check for system calls that do not go through the exit
>> 1470 * function (e.g., exit_group), then free context block.
>> 1471 * We use GFP_ATOMIC here because we might be doing this
>> 1472 * in the context of the idle thread */
>> 1473 /* that can happen only if we are called from do_exit() */
>> 1474 if (context->in_syscall && context->current_state == AUDIT_RECORD_CONTEXT)
>> 1475 audit_log_exit(context, tsk);
1835 if (!list_empty(&context->killed_tree 1476 if (!list_empty(&context->killed_trees))
1836 audit_kill_trees(context); !! 1477 audit_kill_trees(&context->killed_trees);
1837 <<
1838 /* We are called either by do_exit() <<
1839 * in the former case tsk == current <<
1840 * random task_struct that doesn't ha <<
1841 * need to log via audit_log_exit(). <<
1842 */ <<
1843 if (tsk == current && !context->dummy <<
1844 context->return_valid = AUDIT <<
1845 context->return_code = 0; <<
1846 if (context->context == AUDIT <<
1847 audit_filter_syscall( <<
1848 audit_filter_inodes(t <<
1849 if (context->current_ <<
1850 audit_log_exi <<
1851 } else if (context->context = <<
1852 /* TODO: verify this <<
1853 audit_filter_uring(ts <<
1854 audit_filter_inodes(t <<
1855 if (context->current_ <<
1856 audit_log_uri <<
1857 } <<
1858 } <<
1859 1478
1860 audit_set_context(tsk, NULL); <<
1861 audit_free_context(context); 1479 audit_free_context(context);
1862 } 1480 }
1863 1481
1864 /** 1482 /**
1865 * audit_return_fixup - fixup the return code !! 1483 * audit_syscall_entry - fill in an audit record at syscall entry
1866 * @ctx: the audit_context <<
1867 * @success: true/false value to indicate if <<
1868 * @code: operation return code <<
1869 * <<
1870 * We need to fixup the return code in the au <<
1871 * codes are later going to be fixed by the a <<
1872 */ <<
1873 static void audit_return_fixup(struct audit_c <<
1874 int success, l <<
1875 { <<
1876 /* <<
1877 * This is actually a test for: <<
1878 * (rc == ERESTARTSYS ) || (rc == ERE <<
1879 * (rc == ERESTARTNOHAND) || (rc == E <<
1880 * <<
1881 * but is faster than a bunch of || <<
1882 */ <<
1883 if (unlikely(code <= -ERESTARTSYS) && <<
1884 (code >= -ERESTART_RESTARTBLOCK) <<
1885 (code != -ENOIOCTLCMD)) <<
1886 ctx->return_code = -EINTR; <<
1887 else <<
1888 ctx->return_code = code; <<
1889 ctx->return_valid = (success ? AUDITS <<
1890 } <<
1891 <<
1892 /** <<
1893 * __audit_uring_entry - prepare the kernel t <<
1894 * @op: the io_uring opcode <<
1895 * <<
1896 * This is similar to audit_syscall_entry() b <<
1897 * operations. This function should only eve <<
1898 * audit_uring_entry() as we rely on the audi <<
1899 * function. <<
1900 */ <<
1901 void __audit_uring_entry(u8 op) <<
1902 { <<
1903 struct audit_context *ctx = audit_con <<
1904 <<
1905 if (ctx->state == AUDIT_STATE_DISABLE <<
1906 return; <<
1907 <<
1908 /* <<
1909 * NOTE: It's possible that we can be <<
1910 * before it returns to userspa <<
1911 * is called. In this case the <<
1912 * the io_uring details and ret <<
1913 */ <<
1914 ctx->uring_op = op; <<
1915 if (ctx->context == AUDIT_CTX_SYSCALL <<
1916 return; <<
1917 <<
1918 ctx->dummy = !audit_n_rules; <<
1919 if (!ctx->dummy && ctx->state == AUDI <<
1920 ctx->prio = 0; <<
1921 <<
1922 ctx->context = AUDIT_CTX_URING; <<
1923 ctx->current_state = ctx->state; <<
1924 ktime_get_coarse_real_ts64(&ctx->ctim <<
1925 } <<
1926 <<
1927 /** <<
1928 * __audit_uring_exit - wrap up the kernel ta <<
1929 * @success: true/false value to indicate if <<
1930 * @code: operation return code <<
1931 * <<
1932 * This is similar to audit_syscall_exit() bu <<
1933 * operations. This function should only eve <<
1934 * audit_uring_exit() as we rely on the audit <<
1935 * function. <<
1936 */ <<
1937 void __audit_uring_exit(int success, long cod <<
1938 { <<
1939 struct audit_context *ctx = audit_con <<
1940 <<
1941 if (ctx->dummy) { <<
1942 if (ctx->context != AUDIT_CTX <<
1943 return; <<
1944 goto out; <<
1945 } <<
1946 <<
1947 audit_return_fixup(ctx, success, code <<
1948 if (ctx->context == AUDIT_CTX_SYSCALL <<
1949 /* <<
1950 * NOTE: See the note in __au <<
1951 * where we may be call <<
1952 * return to userspace <<
1953 * case we simply emit <<
1954 * normal syscall exit <<
1955 * everything else. <<
1956 * It is also worth men <<
1957 * the current process <<
1958 * used during the norm <<
1959 * in mind if/when we m <<
1960 */ <<
1961 <<
1962 /* <<
1963 * We need to filter on the s <<
1964 * should emit a URINGOP reco <<
1965 * solves the problem where u <<
1966 * syscall records in the "ex <<
1967 * the behavior here. <<
1968 */ <<
1969 audit_filter_syscall(current, <<
1970 if (ctx->current_state != AUD <<
1971 audit_filter_uring(cu <<
1972 audit_filter_inodes(current, <<
1973 if (ctx->current_state != AUD <<
1974 return; <<
1975 <<
1976 audit_log_uring(ctx); <<
1977 return; <<
1978 } <<
1979 <<
1980 /* this may generate CONFIG_CHANGE re <<
1981 if (!list_empty(&ctx->killed_trees)) <<
1982 audit_kill_trees(ctx); <<
1983 <<
1984 /* run through both filters to ensure <<
1985 audit_filter_uring(current, ctx); <<
1986 audit_filter_inodes(current, ctx); <<
1987 if (ctx->current_state != AUDIT_STATE <<
1988 goto out; <<
1989 audit_log_exit(); <<
1990 <<
1991 out: <<
1992 audit_reset_context(ctx); <<
1993 } <<
1994 <<
1995 /** <<
1996 * __audit_syscall_entry - fill in an audit r <<
1997 * @major: major syscall type (function) 1484 * @major: major syscall type (function)
1998 * @a1: additional syscall register 1 1485 * @a1: additional syscall register 1
1999 * @a2: additional syscall register 2 1486 * @a2: additional syscall register 2
2000 * @a3: additional syscall register 3 1487 * @a3: additional syscall register 3
2001 * @a4: additional syscall register 4 1488 * @a4: additional syscall register 4
2002 * 1489 *
2003 * Fill in audit context at syscall entry. T 1490 * Fill in audit context at syscall entry. This only happens if the
2004 * audit context was created when the task wa 1491 * audit context was created when the task was created and the state or
2005 * filters demand the audit context be built. 1492 * filters demand the audit context be built. If the state from the
2006 * per-task filter or from the per-syscall fi !! 1493 * per-task filter or from the per-syscall filter is AUDIT_RECORD_CONTEXT,
2007 * then the record will be written at syscall 1494 * then the record will be written at syscall exit time (otherwise, it
2008 * will only be written if another part of th 1495 * will only be written if another part of the kernel requests that it
2009 * be written). 1496 * be written).
2010 */ 1497 */
2011 void __audit_syscall_entry(int major, unsigne 1498 void __audit_syscall_entry(int major, unsigned long a1, unsigned long a2,
2012 unsigned long a3, 1499 unsigned long a3, unsigned long a4)
2013 { 1500 {
2014 struct audit_context *context = audit !! 1501 struct task_struct *tsk = current;
>> 1502 struct audit_context *context = tsk->audit_context;
2015 enum audit_state state; 1503 enum audit_state state;
2016 1504
2017 if (!audit_enabled || !context) !! 1505 if (!context)
2018 return; 1506 return;
2019 1507
2020 WARN_ON(context->context != AUDIT_CTX !! 1508 BUG_ON(context->in_syscall || context->name_count);
2021 WARN_ON(context->name_count); <<
2022 if (context->context != AUDIT_CTX_UNU <<
2023 audit_panic("unrecoverable er <<
2024 return; <<
2025 } <<
2026 1509
2027 state = context->state; !! 1510 if (!audit_enabled)
2028 if (state == AUDIT_STATE_DISABLED) <<
2029 return; 1511 return;
2030 1512
2031 context->dummy = !audit_n_rules; !! 1513 context->arch = syscall_get_arch();
2032 if (!context->dummy && state == AUDIT <<
2033 context->prio = 0; <<
2034 if (auditd_test_task(current) <<
2035 return; <<
2036 } <<
2037 <<
2038 context->arch = syscall_get_arc <<
2039 context->major = major; 1514 context->major = major;
2040 context->argv[0] = a1; 1515 context->argv[0] = a1;
2041 context->argv[1] = a2; 1516 context->argv[1] = a2;
2042 context->argv[2] = a3; 1517 context->argv[2] = a3;
2043 context->argv[3] = a4; 1518 context->argv[3] = a4;
2044 context->context = AUDIT_CTX_SYSCALL; !! 1519
>> 1520 state = context->state;
>> 1521 context->dummy = !audit_n_rules;
>> 1522 if (!context->dummy && state == AUDIT_BUILD_CONTEXT) {
>> 1523 context->prio = 0;
>> 1524 state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_ENTRY]);
>> 1525 }
>> 1526 if (state == AUDIT_DISABLED)
>> 1527 return;
>> 1528
>> 1529 context->serial = 0;
>> 1530 context->ctime = CURRENT_TIME;
>> 1531 context->in_syscall = 1;
2045 context->current_state = state; 1532 context->current_state = state;
2046 ktime_get_coarse_real_ts64(&context-> !! 1533 context->ppid = 0;
2047 } 1534 }
2048 1535
2049 /** 1536 /**
2050 * __audit_syscall_exit - deallocate audit co !! 1537 * audit_syscall_exit - deallocate audit context after a system call
2051 * @success: success value of the syscall 1538 * @success: success value of the syscall
2052 * @return_code: return value of the syscall 1539 * @return_code: return value of the syscall
2053 * 1540 *
2054 * Tear down after system call. If the audit 1541 * Tear down after system call. If the audit context has been marked as
2055 * auditable (either because of the AUDIT_STA !! 1542 * auditable (either because of the AUDIT_RECORD_CONTEXT state from
2056 * filtering, or because some other part of t 1543 * filtering, or because some other part of the kernel wrote an audit
2057 * message), then write out the syscall infor 1544 * message), then write out the syscall information. In call cases,
2058 * free the names stored from getname(). 1545 * free the names stored from getname().
2059 */ 1546 */
2060 void __audit_syscall_exit(int success, long r 1547 void __audit_syscall_exit(int success, long return_code)
2061 { 1548 {
2062 struct audit_context *context = audit !! 1549 struct task_struct *tsk = current;
>> 1550 struct audit_context *context;
2063 1551
2064 if (!context || context->dummy || !! 1552 if (success)
2065 context->context != AUDIT_CTX_SYS !! 1553 success = AUDITSC_SUCCESS;
2066 goto out; !! 1554 else
>> 1555 success = AUDITSC_FAILURE;
2067 1556
2068 /* this may generate CONFIG_CHANGE re !! 1557 context = audit_take_context(tsk, success, return_code);
2069 if (!list_empty(&context->killed_tree !! 1558 if (!context)
2070 audit_kill_trees(context); !! 1559 return;
2071 1560
2072 audit_return_fixup(context, success, !! 1561 if (context->in_syscall && context->current_state == AUDIT_RECORD_CONTEXT)
2073 /* run through both filters to ensure !! 1562 audit_log_exit(context, tsk);
2074 audit_filter_syscall(current, context <<
2075 audit_filter_inodes(current, context) <<
2076 if (context->current_state != AUDIT_S <<
2077 goto out; <<
2078 1563
2079 audit_log_exit(); !! 1564 context->in_syscall = 0;
>> 1565 context->prio = context->state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0;
2080 1566
2081 out: !! 1567 if (!list_empty(&context->killed_trees))
2082 audit_reset_context(context); !! 1568 audit_kill_trees(&context->killed_trees);
>> 1569
>> 1570 audit_free_names(context);
>> 1571 unroll_tree_refs(context, NULL, 0);
>> 1572 audit_free_aux(context);
>> 1573 context->aux = NULL;
>> 1574 context->aux_pids = NULL;
>> 1575 context->target_pid = 0;
>> 1576 context->target_sid = 0;
>> 1577 context->sockaddr_len = 0;
>> 1578 context->type = 0;
>> 1579 context->fds[0] = -1;
>> 1580 if (context->state != AUDIT_RECORD_CONTEXT) {
>> 1581 kfree(context->filterkey);
>> 1582 context->filterkey = NULL;
>> 1583 }
>> 1584 tsk->audit_context = context;
2083 } 1585 }
2084 1586
2085 static inline void handle_one(const struct in 1587 static inline void handle_one(const struct inode *inode)
2086 { 1588 {
>> 1589 #ifdef CONFIG_AUDIT_TREE
2087 struct audit_context *context; 1590 struct audit_context *context;
2088 struct audit_tree_refs *p; 1591 struct audit_tree_refs *p;
2089 struct audit_chunk *chunk; 1592 struct audit_chunk *chunk;
2090 int count; 1593 int count;
2091 !! 1594 if (likely(hlist_empty(&inode->i_fsnotify_marks)))
2092 if (likely(!inode->i_fsnotify_marks)) <<
2093 return; 1595 return;
2094 context = audit_context(); !! 1596 context = current->audit_context;
2095 p = context->trees; 1597 p = context->trees;
2096 count = context->tree_count; 1598 count = context->tree_count;
2097 rcu_read_lock(); 1599 rcu_read_lock();
2098 chunk = audit_tree_lookup(inode); 1600 chunk = audit_tree_lookup(inode);
2099 rcu_read_unlock(); 1601 rcu_read_unlock();
2100 if (!chunk) 1602 if (!chunk)
2101 return; 1603 return;
2102 if (likely(put_tree_ref(context, chun 1604 if (likely(put_tree_ref(context, chunk)))
2103 return; 1605 return;
2104 if (unlikely(!grow_tree_refs(context) 1606 if (unlikely(!grow_tree_refs(context))) {
2105 pr_warn("out of memory, audit 1607 pr_warn("out of memory, audit has lost a tree reference\n");
2106 audit_set_auditable(context); 1608 audit_set_auditable(context);
2107 audit_put_chunk(chunk); 1609 audit_put_chunk(chunk);
2108 unroll_tree_refs(context, p, 1610 unroll_tree_refs(context, p, count);
2109 return; 1611 return;
2110 } 1612 }
2111 put_tree_ref(context, chunk); 1613 put_tree_ref(context, chunk);
>> 1614 #endif
2112 } 1615 }
2113 1616
2114 static void handle_path(const struct dentry * 1617 static void handle_path(const struct dentry *dentry)
2115 { 1618 {
>> 1619 #ifdef CONFIG_AUDIT_TREE
2116 struct audit_context *context; 1620 struct audit_context *context;
2117 struct audit_tree_refs *p; 1621 struct audit_tree_refs *p;
2118 const struct dentry *d, *parent; 1622 const struct dentry *d, *parent;
2119 struct audit_chunk *drop; 1623 struct audit_chunk *drop;
2120 unsigned long seq; 1624 unsigned long seq;
2121 int count; 1625 int count;
2122 1626
2123 context = audit_context(); !! 1627 context = current->audit_context;
2124 p = context->trees; 1628 p = context->trees;
2125 count = context->tree_count; 1629 count = context->tree_count;
2126 retry: 1630 retry:
2127 drop = NULL; 1631 drop = NULL;
2128 d = dentry; 1632 d = dentry;
2129 rcu_read_lock(); 1633 rcu_read_lock();
2130 seq = read_seqbegin(&rename_lock); 1634 seq = read_seqbegin(&rename_lock);
2131 for (;;) { !! 1635 for(;;) {
2132 struct inode *inode = d_backi 1636 struct inode *inode = d_backing_inode(d);
2133 !! 1637 if (inode && unlikely(!hlist_empty(&inode->i_fsnotify_marks))) {
2134 if (inode && unlikely(inode-> <<
2135 struct audit_chunk *c 1638 struct audit_chunk *chunk;
2136 <<
2137 chunk = audit_tree_lo 1639 chunk = audit_tree_lookup(inode);
2138 if (chunk) { 1640 if (chunk) {
2139 if (unlikely( 1641 if (unlikely(!put_tree_ref(context, chunk))) {
2140 drop 1642 drop = chunk;
2141 break 1643 break;
2142 } 1644 }
2143 } 1645 }
2144 } 1646 }
2145 parent = d->d_parent; 1647 parent = d->d_parent;
2146 if (parent == d) 1648 if (parent == d)
2147 break; 1649 break;
2148 d = parent; 1650 d = parent;
2149 } 1651 }
2150 if (unlikely(read_seqretry(&rename_lo 1652 if (unlikely(read_seqretry(&rename_lock, seq) || drop)) { /* in this order */
2151 rcu_read_unlock(); 1653 rcu_read_unlock();
2152 if (!drop) { 1654 if (!drop) {
2153 /* just a race with r 1655 /* just a race with rename */
2154 unroll_tree_refs(cont 1656 unroll_tree_refs(context, p, count);
2155 goto retry; 1657 goto retry;
2156 } 1658 }
2157 audit_put_chunk(drop); 1659 audit_put_chunk(drop);
2158 if (grow_tree_refs(context)) 1660 if (grow_tree_refs(context)) {
2159 /* OK, got more space 1661 /* OK, got more space */
2160 unroll_tree_refs(cont 1662 unroll_tree_refs(context, p, count);
2161 goto retry; 1663 goto retry;
2162 } 1664 }
2163 /* too bad */ 1665 /* too bad */
2164 pr_warn("out of memory, audit 1666 pr_warn("out of memory, audit has lost a tree reference\n");
2165 unroll_tree_refs(context, p, 1667 unroll_tree_refs(context, p, count);
2166 audit_set_auditable(context); 1668 audit_set_auditable(context);
2167 return; 1669 return;
2168 } 1670 }
2169 rcu_read_unlock(); 1671 rcu_read_unlock();
>> 1672 #endif
2170 } 1673 }
2171 1674
2172 static struct audit_names *audit_alloc_name(s 1675 static struct audit_names *audit_alloc_name(struct audit_context *context,
2173 1676 unsigned char type)
2174 { 1677 {
2175 struct audit_names *aname; 1678 struct audit_names *aname;
2176 1679
2177 if (context->name_count < AUDIT_NAMES 1680 if (context->name_count < AUDIT_NAMES) {
2178 aname = &context->preallocate 1681 aname = &context->preallocated_names[context->name_count];
2179 memset(aname, 0, sizeof(*anam 1682 memset(aname, 0, sizeof(*aname));
2180 } else { 1683 } else {
2181 aname = kzalloc(sizeof(*aname 1684 aname = kzalloc(sizeof(*aname), GFP_NOFS);
2182 if (!aname) 1685 if (!aname)
2183 return NULL; 1686 return NULL;
2184 aname->should_free = true; 1687 aname->should_free = true;
2185 } 1688 }
2186 1689
2187 aname->ino = AUDIT_INO_UNSET; 1690 aname->ino = AUDIT_INO_UNSET;
2188 aname->type = type; 1691 aname->type = type;
2189 list_add_tail(&aname->list, &context- 1692 list_add_tail(&aname->list, &context->names_list);
2190 1693
2191 context->name_count++; 1694 context->name_count++;
2192 if (!context->pwd.dentry) <<
2193 get_fs_pwd(current->fs, &cont <<
2194 return aname; 1695 return aname;
2195 } 1696 }
2196 1697
2197 /** 1698 /**
2198 * __audit_reusename - fill out filename with !! 1699 * audit_reusename - fill out filename with info from existing entry
2199 * @uptr: userland ptr to pathname 1700 * @uptr: userland ptr to pathname
2200 * 1701 *
2201 * Search the audit_names list for the curren 1702 * Search the audit_names list for the current audit context. If there is an
2202 * existing entry with a matching "uptr" then 1703 * existing entry with a matching "uptr" then return the filename
2203 * associated with that audit_name. If not, r 1704 * associated with that audit_name. If not, return NULL.
2204 */ 1705 */
2205 struct filename * 1706 struct filename *
2206 __audit_reusename(const __user char *uptr) 1707 __audit_reusename(const __user char *uptr)
2207 { 1708 {
2208 struct audit_context *context = audit !! 1709 struct audit_context *context = current->audit_context;
2209 struct audit_names *n; 1710 struct audit_names *n;
2210 1711
2211 list_for_each_entry(n, &context->name 1712 list_for_each_entry(n, &context->names_list, list) {
2212 if (!n->name) 1713 if (!n->name)
2213 continue; 1714 continue;
2214 if (n->name->uptr == uptr) { 1715 if (n->name->uptr == uptr) {
2215 atomic_inc(&n->name-> !! 1716 n->name->refcnt++;
2216 return n->name; 1717 return n->name;
2217 } 1718 }
2218 } 1719 }
2219 return NULL; 1720 return NULL;
2220 } 1721 }
2221 1722
2222 /** 1723 /**
2223 * __audit_getname - add a name to the list !! 1724 * audit_getname - add a name to the list
2224 * @name: name to add 1725 * @name: name to add
2225 * 1726 *
2226 * Add a name to the list of audit names for 1727 * Add a name to the list of audit names for this context.
2227 * Called from fs/namei.c:getname(). 1728 * Called from fs/namei.c:getname().
2228 */ 1729 */
2229 void __audit_getname(struct filename *name) 1730 void __audit_getname(struct filename *name)
2230 { 1731 {
2231 struct audit_context *context = audit !! 1732 struct audit_context *context = current->audit_context;
2232 struct audit_names *n; 1733 struct audit_names *n;
2233 1734
2234 if (context->context == AUDIT_CTX_UNU !! 1735 if (!context->in_syscall)
2235 return; 1736 return;
2236 1737
2237 n = audit_alloc_name(context, AUDIT_T 1738 n = audit_alloc_name(context, AUDIT_TYPE_UNKNOWN);
2238 if (!n) 1739 if (!n)
2239 return; 1740 return;
2240 1741
2241 n->name = name; 1742 n->name = name;
2242 n->name_len = AUDIT_NAME_FULL; 1743 n->name_len = AUDIT_NAME_FULL;
2243 name->aname = n; 1744 name->aname = n;
2244 atomic_inc(&name->refcnt); !! 1745 name->refcnt++;
2245 } <<
2246 1746
2247 static inline int audit_copy_fcaps(struct aud !! 1747 if (!context->pwd.dentry)
2248 const stru !! 1748 get_fs_pwd(current->fs, &context->pwd);
2249 { <<
2250 struct cpu_vfs_cap_data caps; <<
2251 int rc; <<
2252 <<
2253 if (!dentry) <<
2254 return 0; <<
2255 <<
2256 rc = get_vfs_caps_from_disk(&nop_mnt_ <<
2257 if (rc) <<
2258 return rc; <<
2259 <<
2260 name->fcap.permitted = caps.permitted <<
2261 name->fcap.inheritable = caps.inherit <<
2262 name->fcap.fE = !!(caps.magic_etc & V <<
2263 name->fcap.rootid = caps.rootid; <<
2264 name->fcap_ver = (caps.magic_etc & VF <<
2265 VFS_CAP_REVIS <<
2266 <<
2267 return 0; <<
2268 } <<
2269 <<
2270 /* Copy inode data into an audit_names. */ <<
2271 static void audit_copy_inode(struct audit_nam <<
2272 const struct den <<
2273 struct inode *in <<
2274 { <<
2275 name->ino = inode->i_ino; <<
2276 name->dev = inode->i_sb->s_dev; <<
2277 name->mode = inode->i_mode; <<
2278 name->uid = inode->i_uid; <<
2279 name->gid = inode->i_gid; <<
2280 name->rdev = inode->i_rdev; <<
2281 security_inode_getsecid(inode, &name- <<
2282 if (flags & AUDIT_INODE_NOEVAL) { <<
2283 name->fcap_ver = -1; <<
2284 return; <<
2285 } <<
2286 audit_copy_fcaps(name, dentry); <<
2287 } 1749 }
2288 1750
2289 /** 1751 /**
2290 * __audit_inode - store the inode and device 1752 * __audit_inode - store the inode and device from a lookup
2291 * @name: name being audited 1753 * @name: name being audited
2292 * @dentry: dentry being audited 1754 * @dentry: dentry being audited
2293 * @flags: attributes for this particular ent 1755 * @flags: attributes for this particular entry
2294 */ 1756 */
2295 void __audit_inode(struct filename *name, con 1757 void __audit_inode(struct filename *name, const struct dentry *dentry,
2296 unsigned int flags) 1758 unsigned int flags)
2297 { 1759 {
2298 struct audit_context *context = audit !! 1760 struct audit_context *context = current->audit_context;
2299 struct inode *inode = d_backing_inode 1761 struct inode *inode = d_backing_inode(dentry);
2300 struct audit_names *n; 1762 struct audit_names *n;
2301 bool parent = flags & AUDIT_INODE_PAR 1763 bool parent = flags & AUDIT_INODE_PARENT;
2302 struct audit_entry *e; <<
2303 struct list_head *list = &audit_filte <<
2304 int i; <<
2305 1764
2306 if (context->context == AUDIT_CTX_UNU !! 1765 if (!context->in_syscall)
2307 return; 1766 return;
2308 1767
2309 rcu_read_lock(); <<
2310 list_for_each_entry_rcu(e, list, list <<
2311 for (i = 0; i < e->rule.field <<
2312 struct audit_field *f <<
2313 <<
2314 if (f->type == AUDIT_ <<
2315 && audit_comparat <<
2316 <<
2317 && e->rule.action <<
2318 rcu_read_unlo <<
2319 return; <<
2320 } <<
2321 } <<
2322 } <<
2323 rcu_read_unlock(); <<
2324 <<
2325 if (!name) 1768 if (!name)
2326 goto out_alloc; 1769 goto out_alloc;
2327 1770
2328 /* 1771 /*
2329 * If we have a pointer to an audit_n 1772 * If we have a pointer to an audit_names entry already, then we can
2330 * just use it directly if the type i 1773 * just use it directly if the type is correct.
2331 */ 1774 */
2332 n = name->aname; 1775 n = name->aname;
2333 if (n) { 1776 if (n) {
2334 if (parent) { 1777 if (parent) {
2335 if (n->type == AUDIT_ 1778 if (n->type == AUDIT_TYPE_PARENT ||
2336 n->type == AUDIT_ 1779 n->type == AUDIT_TYPE_UNKNOWN)
2337 goto out; 1780 goto out;
2338 } else { 1781 } else {
2339 if (n->type != AUDIT_ 1782 if (n->type != AUDIT_TYPE_PARENT)
2340 goto out; 1783 goto out;
2341 } 1784 }
2342 } 1785 }
2343 1786
2344 list_for_each_entry_reverse(n, &conte 1787 list_for_each_entry_reverse(n, &context->names_list, list) {
2345 if (n->ino) { 1788 if (n->ino) {
2346 /* valid inode number 1789 /* valid inode number, use that for the comparison */
2347 if (n->ino != inode-> 1790 if (n->ino != inode->i_ino ||
2348 n->dev != inode-> 1791 n->dev != inode->i_sb->s_dev)
2349 continue; 1792 continue;
2350 } else if (n->name) { 1793 } else if (n->name) {
2351 /* inode number has n 1794 /* inode number has not been set, check the name */
2352 if (strcmp(n->name->n 1795 if (strcmp(n->name->name, name->name))
2353 continue; 1796 continue;
2354 } else 1797 } else
2355 /* no inode and no na 1798 /* no inode and no name (?!) ... this is odd ... */
2356 continue; 1799 continue;
2357 1800
2358 /* match the correct record t 1801 /* match the correct record type */
2359 if (parent) { 1802 if (parent) {
2360 if (n->type == AUDIT_ 1803 if (n->type == AUDIT_TYPE_PARENT ||
2361 n->type == AUDIT_ 1804 n->type == AUDIT_TYPE_UNKNOWN)
2362 goto out; 1805 goto out;
2363 } else { 1806 } else {
2364 if (n->type != AUDIT_ 1807 if (n->type != AUDIT_TYPE_PARENT)
2365 goto out; 1808 goto out;
2366 } 1809 }
2367 } 1810 }
2368 1811
2369 out_alloc: 1812 out_alloc:
2370 /* unable to find an entry with both 1813 /* unable to find an entry with both a matching name and type */
2371 n = audit_alloc_name(context, AUDIT_T 1814 n = audit_alloc_name(context, AUDIT_TYPE_UNKNOWN);
2372 if (!n) 1815 if (!n)
2373 return; 1816 return;
2374 if (name) { 1817 if (name) {
2375 n->name = name; 1818 n->name = name;
2376 atomic_inc(&name->refcnt); !! 1819 name->refcnt++;
2377 } 1820 }
2378 1821
2379 out: 1822 out:
2380 if (parent) { 1823 if (parent) {
2381 n->name_len = n->name ? paren 1824 n->name_len = n->name ? parent_len(n->name->name) : AUDIT_NAME_FULL;
2382 n->type = AUDIT_TYPE_PARENT; 1825 n->type = AUDIT_TYPE_PARENT;
2383 if (flags & AUDIT_INODE_HIDDE 1826 if (flags & AUDIT_INODE_HIDDEN)
2384 n->hidden = true; 1827 n->hidden = true;
2385 } else { 1828 } else {
2386 n->name_len = AUDIT_NAME_FULL 1829 n->name_len = AUDIT_NAME_FULL;
2387 n->type = AUDIT_TYPE_NORMAL; 1830 n->type = AUDIT_TYPE_NORMAL;
2388 } 1831 }
2389 handle_path(dentry); 1832 handle_path(dentry);
2390 audit_copy_inode(n, dentry, inode, fl !! 1833 audit_copy_inode(n, dentry, inode);
2391 } 1834 }
2392 1835
2393 void __audit_file(const struct file *file) 1836 void __audit_file(const struct file *file)
2394 { 1837 {
2395 __audit_inode(NULL, file->f_path.dent 1838 __audit_inode(NULL, file->f_path.dentry, 0);
2396 } 1839 }
2397 1840
2398 /** 1841 /**
2399 * __audit_inode_child - collect inode info f 1842 * __audit_inode_child - collect inode info for created/removed objects
2400 * @parent: inode of dentry parent 1843 * @parent: inode of dentry parent
2401 * @dentry: dentry being audited 1844 * @dentry: dentry being audited
2402 * @type: AUDIT_TYPE_* value that we're loo 1845 * @type: AUDIT_TYPE_* value that we're looking for
2403 * 1846 *
2404 * For syscalls that create or remove filesys 1847 * For syscalls that create or remove filesystem objects, audit_inode
2405 * can only collect information for the files 1848 * can only collect information for the filesystem object's parent.
2406 * This call updates the audit context with t 1849 * This call updates the audit context with the child's information.
2407 * Syscalls that create a new filesystem obje 1850 * Syscalls that create a new filesystem object must be hooked after
2408 * the object is created. Syscalls that remo 1851 * the object is created. Syscalls that remove a filesystem object
2409 * must be hooked prior, in order to capture 1852 * must be hooked prior, in order to capture the target inode during
2410 * unsuccessful attempts. 1853 * unsuccessful attempts.
2411 */ 1854 */
2412 void __audit_inode_child(struct inode *parent 1855 void __audit_inode_child(struct inode *parent,
2413 const struct dentry 1856 const struct dentry *dentry,
2414 const unsigned char 1857 const unsigned char type)
2415 { 1858 {
2416 struct audit_context *context = audit !! 1859 struct audit_context *context = current->audit_context;
2417 struct inode *inode = d_backing_inode 1860 struct inode *inode = d_backing_inode(dentry);
2418 const struct qstr *dname = &dentry->d !! 1861 const char *dname = dentry->d_name.name;
2419 struct audit_names *n, *found_parent 1862 struct audit_names *n, *found_parent = NULL, *found_child = NULL;
2420 struct audit_entry *e; <<
2421 struct list_head *list = &audit_filte <<
2422 int i; <<
2423 1863
2424 if (context->context == AUDIT_CTX_UNU !! 1864 if (!context->in_syscall)
2425 return; 1865 return;
2426 1866
2427 rcu_read_lock(); <<
2428 list_for_each_entry_rcu(e, list, list <<
2429 for (i = 0; i < e->rule.field <<
2430 struct audit_field *f <<
2431 <<
2432 if (f->type == AUDIT_ <<
2433 && audit_comparat <<
2434 <<
2435 && e->rule.action <<
2436 rcu_read_unlo <<
2437 return; <<
2438 } <<
2439 } <<
2440 } <<
2441 rcu_read_unlock(); <<
2442 <<
2443 if (inode) 1867 if (inode)
2444 handle_one(inode); 1868 handle_one(inode);
2445 1869
2446 /* look for a parent entry first */ 1870 /* look for a parent entry first */
2447 list_for_each_entry(n, &context->name 1871 list_for_each_entry(n, &context->names_list, list) {
2448 if (!n->name || 1872 if (!n->name ||
2449 (n->type != AUDIT_TYPE_PA 1873 (n->type != AUDIT_TYPE_PARENT &&
2450 n->type != AUDIT_TYPE_UN 1874 n->type != AUDIT_TYPE_UNKNOWN))
2451 continue; 1875 continue;
2452 1876
2453 if (n->ino == parent->i_ino & 1877 if (n->ino == parent->i_ino && n->dev == parent->i_sb->s_dev &&
2454 !audit_compare_dname_path 1878 !audit_compare_dname_path(dname,
2455 1879 n->name->name, n->name_len)) {
2456 if (n->type == AUDIT_ 1880 if (n->type == AUDIT_TYPE_UNKNOWN)
2457 n->type = AUD 1881 n->type = AUDIT_TYPE_PARENT;
2458 found_parent = n; 1882 found_parent = n;
2459 break; 1883 break;
2460 } 1884 }
2461 } 1885 }
2462 1886
2463 cond_resched(); <<
2464 <<
2465 /* is there a matching child entry? * 1887 /* is there a matching child entry? */
2466 list_for_each_entry(n, &context->name 1888 list_for_each_entry(n, &context->names_list, list) {
2467 /* can only match entries tha 1889 /* can only match entries that have a name */
2468 if (!n->name || 1890 if (!n->name ||
2469 (n->type != type && n->ty 1891 (n->type != type && n->type != AUDIT_TYPE_UNKNOWN))
2470 continue; 1892 continue;
2471 1893
2472 if (!strcmp(dname->name, n->n !! 1894 if (!strcmp(dname, n->name->name) ||
2473 !audit_compare_dname_path 1895 !audit_compare_dname_path(dname, n->name->name,
2474 1896 found_parent ?
2475 1897 found_parent->name_len :
2476 1898 AUDIT_NAME_FULL)) {
2477 if (n->type == AUDIT_ 1899 if (n->type == AUDIT_TYPE_UNKNOWN)
2478 n->type = typ 1900 n->type = type;
2479 found_child = n; 1901 found_child = n;
2480 break; 1902 break;
2481 } 1903 }
2482 } 1904 }
2483 1905
2484 if (!found_parent) { 1906 if (!found_parent) {
2485 /* create a new, "anonymous" 1907 /* create a new, "anonymous" parent record */
2486 n = audit_alloc_name(context, 1908 n = audit_alloc_name(context, AUDIT_TYPE_PARENT);
2487 if (!n) 1909 if (!n)
2488 return; 1910 return;
2489 audit_copy_inode(n, NULL, par !! 1911 audit_copy_inode(n, NULL, parent);
2490 } 1912 }
2491 1913
2492 if (!found_child) { 1914 if (!found_child) {
2493 found_child = audit_alloc_nam 1915 found_child = audit_alloc_name(context, type);
2494 if (!found_child) 1916 if (!found_child)
2495 return; 1917 return;
2496 1918
2497 /* Re-use the name belonging 1919 /* Re-use the name belonging to the slot for a matching parent
2498 * directory. All names for t 1920 * directory. All names for this context are relinquished in
2499 * audit_free_names() */ 1921 * audit_free_names() */
2500 if (found_parent) { 1922 if (found_parent) {
2501 found_child->name = f 1923 found_child->name = found_parent->name;
2502 found_child->name_len 1924 found_child->name_len = AUDIT_NAME_FULL;
2503 atomic_inc(&found_chi !! 1925 found_child->name->refcnt++;
2504 } 1926 }
2505 } 1927 }
2506 1928
2507 if (inode) 1929 if (inode)
2508 audit_copy_inode(found_child, !! 1930 audit_copy_inode(found_child, dentry, inode);
2509 else 1931 else
2510 found_child->ino = AUDIT_INO_ 1932 found_child->ino = AUDIT_INO_UNSET;
2511 } 1933 }
2512 EXPORT_SYMBOL_GPL(__audit_inode_child); 1934 EXPORT_SYMBOL_GPL(__audit_inode_child);
2513 1935
2514 /** 1936 /**
2515 * auditsc_get_stamp - get local copies of au 1937 * auditsc_get_stamp - get local copies of audit_context values
2516 * @ctx: audit_context for the task 1938 * @ctx: audit_context for the task
2517 * @t: timespec64 to store time recorded in t !! 1939 * @t: timespec to store time recorded in the audit_context
2518 * @serial: serial value that is recorded in 1940 * @serial: serial value that is recorded in the audit_context
2519 * 1941 *
2520 * Also sets the context as auditable. 1942 * Also sets the context as auditable.
2521 */ 1943 */
2522 int auditsc_get_stamp(struct audit_context *c 1944 int auditsc_get_stamp(struct audit_context *ctx,
2523 struct timespec64 *t, !! 1945 struct timespec *t, unsigned int *serial)
2524 { 1946 {
2525 if (ctx->context == AUDIT_CTX_UNUSED) !! 1947 if (!ctx->in_syscall)
2526 return 0; 1948 return 0;
2527 if (!ctx->serial) 1949 if (!ctx->serial)
2528 ctx->serial = audit_serial(); 1950 ctx->serial = audit_serial();
2529 t->tv_sec = ctx->ctime.tv_sec; 1951 t->tv_sec = ctx->ctime.tv_sec;
2530 t->tv_nsec = ctx->ctime.tv_nsec; 1952 t->tv_nsec = ctx->ctime.tv_nsec;
2531 *serial = ctx->serial; 1953 *serial = ctx->serial;
2532 if (!ctx->prio) { 1954 if (!ctx->prio) {
2533 ctx->prio = 1; 1955 ctx->prio = 1;
2534 ctx->current_state = AUDIT_ST !! 1956 ctx->current_state = AUDIT_RECORD_CONTEXT;
2535 } 1957 }
2536 return 1; 1958 return 1;
2537 } 1959 }
2538 1960
>> 1961 /* global counter which is incremented every time something logs in */
>> 1962 static atomic_t session_id = ATOMIC_INIT(0);
>> 1963
>> 1964 static int audit_set_loginuid_perm(kuid_t loginuid)
>> 1965 {
>> 1966 /* if we are unset, we don't need privs */
>> 1967 if (!audit_loginuid_set(current))
>> 1968 return 0;
>> 1969 /* if AUDIT_FEATURE_LOGINUID_IMMUTABLE means never ever allow a change*/
>> 1970 if (is_audit_feature_set(AUDIT_FEATURE_LOGINUID_IMMUTABLE))
>> 1971 return -EPERM;
>> 1972 /* it is set, you need permission */
>> 1973 if (!capable(CAP_AUDIT_CONTROL))
>> 1974 return -EPERM;
>> 1975 /* reject if this is not an unset and we don't allow that */
>> 1976 if (is_audit_feature_set(AUDIT_FEATURE_ONLY_UNSET_LOGINUID) && uid_valid(loginuid))
>> 1977 return -EPERM;
>> 1978 return 0;
>> 1979 }
>> 1980
>> 1981 static void audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid,
>> 1982 unsigned int oldsessionid, unsigned int sessionid,
>> 1983 int rc)
>> 1984 {
>> 1985 struct audit_buffer *ab;
>> 1986 uid_t uid, oldloginuid, loginuid;
>> 1987 struct tty_struct *tty;
>> 1988
>> 1989 if (!audit_enabled)
>> 1990 return;
>> 1991
>> 1992 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN);
>> 1993 if (!ab)
>> 1994 return;
>> 1995
>> 1996 uid = from_kuid(&init_user_ns, task_uid(current));
>> 1997 oldloginuid = from_kuid(&init_user_ns, koldloginuid);
>> 1998 loginuid = from_kuid(&init_user_ns, kloginuid),
>> 1999 tty = audit_get_tty(current);
>> 2000
>> 2001 audit_log_format(ab, "pid=%d uid=%u", task_tgid_nr(current), uid);
>> 2002 audit_log_task_context(ab);
>> 2003 audit_log_format(ab, " old-auid=%u auid=%u tty=%s old-ses=%u ses=%u res=%d",
>> 2004 oldloginuid, loginuid, tty ? tty_name(tty) : "(none)",
>> 2005 oldsessionid, sessionid, !rc);
>> 2006 audit_put_tty(tty);
>> 2007 audit_log_end(ab);
>> 2008 }
>> 2009
>> 2010 /**
>> 2011 * audit_set_loginuid - set current task's audit_context loginuid
>> 2012 * @loginuid: loginuid value
>> 2013 *
>> 2014 * Returns 0.
>> 2015 *
>> 2016 * Called (set) from fs/proc/base.c::proc_loginuid_write().
>> 2017 */
>> 2018 int audit_set_loginuid(kuid_t loginuid)
>> 2019 {
>> 2020 struct task_struct *task = current;
>> 2021 unsigned int oldsessionid, sessionid = (unsigned int)-1;
>> 2022 kuid_t oldloginuid;
>> 2023 int rc;
>> 2024
>> 2025 oldloginuid = audit_get_loginuid(current);
>> 2026 oldsessionid = audit_get_sessionid(current);
>> 2027
>> 2028 rc = audit_set_loginuid_perm(loginuid);
>> 2029 if (rc)
>> 2030 goto out;
>> 2031
>> 2032 /* are we setting or clearing? */
>> 2033 if (uid_valid(loginuid)) {
>> 2034 sessionid = (unsigned int)atomic_inc_return(&session_id);
>> 2035 if (unlikely(sessionid == (unsigned int)-1))
>> 2036 sessionid = (unsigned int)atomic_inc_return(&session_id);
>> 2037 }
>> 2038
>> 2039 task->sessionid = sessionid;
>> 2040 task->loginuid = loginuid;
>> 2041 out:
>> 2042 audit_log_set_loginuid(oldloginuid, loginuid, oldsessionid, sessionid, rc);
>> 2043 return rc;
>> 2044 }
>> 2045
2539 /** 2046 /**
2540 * __audit_mq_open - record audit data for a 2047 * __audit_mq_open - record audit data for a POSIX MQ open
2541 * @oflag: open flag 2048 * @oflag: open flag
2542 * @mode: mode bits 2049 * @mode: mode bits
2543 * @attr: queue attributes 2050 * @attr: queue attributes
2544 * 2051 *
2545 */ 2052 */
2546 void __audit_mq_open(int oflag, umode_t mode, 2053 void __audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr)
2547 { 2054 {
2548 struct audit_context *context = audit !! 2055 struct audit_context *context = current->audit_context;
2549 2056
2550 if (attr) 2057 if (attr)
2551 memcpy(&context->mq_open.attr 2058 memcpy(&context->mq_open.attr, attr, sizeof(struct mq_attr));
2552 else 2059 else
2553 memset(&context->mq_open.attr 2060 memset(&context->mq_open.attr, 0, sizeof(struct mq_attr));
2554 2061
2555 context->mq_open.oflag = oflag; 2062 context->mq_open.oflag = oflag;
2556 context->mq_open.mode = mode; 2063 context->mq_open.mode = mode;
2557 2064
2558 context->type = AUDIT_MQ_OPEN; 2065 context->type = AUDIT_MQ_OPEN;
2559 } 2066 }
2560 2067
2561 /** 2068 /**
2562 * __audit_mq_sendrecv - record audit data fo 2069 * __audit_mq_sendrecv - record audit data for a POSIX MQ timed send/receive
2563 * @mqdes: MQ descriptor 2070 * @mqdes: MQ descriptor
2564 * @msg_len: Message length 2071 * @msg_len: Message length
2565 * @msg_prio: Message priority 2072 * @msg_prio: Message priority
2566 * @abs_timeout: Message timeout in absolute 2073 * @abs_timeout: Message timeout in absolute time
2567 * 2074 *
2568 */ 2075 */
2569 void __audit_mq_sendrecv(mqd_t mqdes, size_t 2076 void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio,
2570 const struct timespec !! 2077 const struct timespec *abs_timeout)
2571 { 2078 {
2572 struct audit_context *context = audit !! 2079 struct audit_context *context = current->audit_context;
2573 struct timespec64 *p = &context->mq_s !! 2080 struct timespec *p = &context->mq_sendrecv.abs_timeout;
2574 2081
2575 if (abs_timeout) 2082 if (abs_timeout)
2576 memcpy(p, abs_timeout, sizeof !! 2083 memcpy(p, abs_timeout, sizeof(struct timespec));
2577 else 2084 else
2578 memset(p, 0, sizeof(*p)); !! 2085 memset(p, 0, sizeof(struct timespec));
2579 2086
2580 context->mq_sendrecv.mqdes = mqdes; 2087 context->mq_sendrecv.mqdes = mqdes;
2581 context->mq_sendrecv.msg_len = msg_le 2088 context->mq_sendrecv.msg_len = msg_len;
2582 context->mq_sendrecv.msg_prio = msg_p 2089 context->mq_sendrecv.msg_prio = msg_prio;
2583 2090
2584 context->type = AUDIT_MQ_SENDRECV; 2091 context->type = AUDIT_MQ_SENDRECV;
2585 } 2092 }
2586 2093
2587 /** 2094 /**
2588 * __audit_mq_notify - record audit data for 2095 * __audit_mq_notify - record audit data for a POSIX MQ notify
2589 * @mqdes: MQ descriptor 2096 * @mqdes: MQ descriptor
2590 * @notification: Notification event 2097 * @notification: Notification event
2591 * 2098 *
2592 */ 2099 */
2593 2100
2594 void __audit_mq_notify(mqd_t mqdes, const str 2101 void __audit_mq_notify(mqd_t mqdes, const struct sigevent *notification)
2595 { 2102 {
2596 struct audit_context *context = audit !! 2103 struct audit_context *context = current->audit_context;
2597 2104
2598 if (notification) 2105 if (notification)
2599 context->mq_notify.sigev_sign 2106 context->mq_notify.sigev_signo = notification->sigev_signo;
2600 else 2107 else
2601 context->mq_notify.sigev_sign 2108 context->mq_notify.sigev_signo = 0;
2602 2109
2603 context->mq_notify.mqdes = mqdes; 2110 context->mq_notify.mqdes = mqdes;
2604 context->type = AUDIT_MQ_NOTIFY; 2111 context->type = AUDIT_MQ_NOTIFY;
2605 } 2112 }
2606 2113
2607 /** 2114 /**
2608 * __audit_mq_getsetattr - record audit data 2115 * __audit_mq_getsetattr - record audit data for a POSIX MQ get/set attribute
2609 * @mqdes: MQ descriptor 2116 * @mqdes: MQ descriptor
2610 * @mqstat: MQ flags 2117 * @mqstat: MQ flags
2611 * 2118 *
2612 */ 2119 */
2613 void __audit_mq_getsetattr(mqd_t mqdes, struc 2120 void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat)
2614 { 2121 {
2615 struct audit_context *context = audit !! 2122 struct audit_context *context = current->audit_context;
2616 <<
2617 context->mq_getsetattr.mqdes = mqdes; 2123 context->mq_getsetattr.mqdes = mqdes;
2618 context->mq_getsetattr.mqstat = *mqst 2124 context->mq_getsetattr.mqstat = *mqstat;
2619 context->type = AUDIT_MQ_GETSETATTR; 2125 context->type = AUDIT_MQ_GETSETATTR;
2620 } 2126 }
2621 2127
2622 /** 2128 /**
2623 * __audit_ipc_obj - record audit data for ip !! 2129 * audit_ipc_obj - record audit data for ipc object
2624 * @ipcp: ipc permissions 2130 * @ipcp: ipc permissions
2625 * 2131 *
2626 */ 2132 */
2627 void __audit_ipc_obj(struct kern_ipc_perm *ip 2133 void __audit_ipc_obj(struct kern_ipc_perm *ipcp)
2628 { 2134 {
2629 struct audit_context *context = audit !! 2135 struct audit_context *context = current->audit_context;
2630 <<
2631 context->ipc.uid = ipcp->uid; 2136 context->ipc.uid = ipcp->uid;
2632 context->ipc.gid = ipcp->gid; 2137 context->ipc.gid = ipcp->gid;
2633 context->ipc.mode = ipcp->mode; 2138 context->ipc.mode = ipcp->mode;
2634 context->ipc.has_perm = 0; 2139 context->ipc.has_perm = 0;
2635 security_ipc_getsecid(ipcp, &context- 2140 security_ipc_getsecid(ipcp, &context->ipc.osid);
2636 context->type = AUDIT_IPC; 2141 context->type = AUDIT_IPC;
2637 } 2142 }
2638 2143
2639 /** 2144 /**
2640 * __audit_ipc_set_perm - record audit data f !! 2145 * audit_ipc_set_perm - record audit data for new ipc permissions
2641 * @qbytes: msgq bytes 2146 * @qbytes: msgq bytes
2642 * @uid: msgq user id 2147 * @uid: msgq user id
2643 * @gid: msgq group id 2148 * @gid: msgq group id
2644 * @mode: msgq mode (permissions) 2149 * @mode: msgq mode (permissions)
2645 * 2150 *
2646 * Called only after audit_ipc_obj(). 2151 * Called only after audit_ipc_obj().
2647 */ 2152 */
2648 void __audit_ipc_set_perm(unsigned long qbyte 2153 void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode)
2649 { 2154 {
2650 struct audit_context *context = audit !! 2155 struct audit_context *context = current->audit_context;
2651 2156
2652 context->ipc.qbytes = qbytes; 2157 context->ipc.qbytes = qbytes;
2653 context->ipc.perm_uid = uid; 2158 context->ipc.perm_uid = uid;
2654 context->ipc.perm_gid = gid; 2159 context->ipc.perm_gid = gid;
2655 context->ipc.perm_mode = mode; 2160 context->ipc.perm_mode = mode;
2656 context->ipc.has_perm = 1; 2161 context->ipc.has_perm = 1;
2657 } 2162 }
2658 2163
2659 void __audit_bprm(struct linux_binprm *bprm) 2164 void __audit_bprm(struct linux_binprm *bprm)
2660 { 2165 {
2661 struct audit_context *context = audit !! 2166 struct audit_context *context = current->audit_context;
2662 2167
2663 context->type = AUDIT_EXECVE; 2168 context->type = AUDIT_EXECVE;
2664 context->execve.argc = bprm->argc; 2169 context->execve.argc = bprm->argc;
2665 } 2170 }
2666 2171
2667 2172
2668 /** 2173 /**
2669 * __audit_socketcall - record audit data for !! 2174 * audit_socketcall - record audit data for sys_socketcall
2670 * @nargs: number of args, which should not b 2175 * @nargs: number of args, which should not be more than AUDITSC_ARGS.
2671 * @args: args array 2176 * @args: args array
2672 * 2177 *
2673 */ 2178 */
2674 int __audit_socketcall(int nargs, unsigned lo 2179 int __audit_socketcall(int nargs, unsigned long *args)
2675 { 2180 {
2676 struct audit_context *context = audit !! 2181 struct audit_context *context = current->audit_context;
2677 2182
2678 if (nargs <= 0 || nargs > AUDITSC_ARG 2183 if (nargs <= 0 || nargs > AUDITSC_ARGS || !args)
2679 return -EINVAL; 2184 return -EINVAL;
2680 context->type = AUDIT_SOCKETCALL; 2185 context->type = AUDIT_SOCKETCALL;
2681 context->socketcall.nargs = nargs; 2186 context->socketcall.nargs = nargs;
2682 memcpy(context->socketcall.args, args 2187 memcpy(context->socketcall.args, args, nargs * sizeof(unsigned long));
2683 return 0; 2188 return 0;
2684 } 2189 }
2685 2190
2686 /** 2191 /**
2687 * __audit_fd_pair - record audit data for pi 2192 * __audit_fd_pair - record audit data for pipe and socketpair
2688 * @fd1: the first file descriptor 2193 * @fd1: the first file descriptor
2689 * @fd2: the second file descriptor 2194 * @fd2: the second file descriptor
2690 * 2195 *
2691 */ 2196 */
2692 void __audit_fd_pair(int fd1, int fd2) 2197 void __audit_fd_pair(int fd1, int fd2)
2693 { 2198 {
2694 struct audit_context *context = audit !! 2199 struct audit_context *context = current->audit_context;
2695 <<
2696 context->fds[0] = fd1; 2200 context->fds[0] = fd1;
2697 context->fds[1] = fd2; 2201 context->fds[1] = fd2;
2698 } 2202 }
2699 2203
2700 /** 2204 /**
2701 * __audit_sockaddr - record audit data for s !! 2205 * audit_sockaddr - record audit data for sys_bind, sys_connect, sys_sendto
2702 * @len: data length in user space 2206 * @len: data length in user space
2703 * @a: data address in kernel space 2207 * @a: data address in kernel space
2704 * 2208 *
2705 * Returns 0 for success or NULL context or < 2209 * Returns 0 for success or NULL context or < 0 on error.
2706 */ 2210 */
2707 int __audit_sockaddr(int len, void *a) 2211 int __audit_sockaddr(int len, void *a)
2708 { 2212 {
2709 struct audit_context *context = audit !! 2213 struct audit_context *context = current->audit_context;
2710 2214
2711 if (!context->sockaddr) { 2215 if (!context->sockaddr) {
2712 void *p = kmalloc(sizeof(stru 2216 void *p = kmalloc(sizeof(struct sockaddr_storage), GFP_KERNEL);
2713 <<
2714 if (!p) 2217 if (!p)
2715 return -ENOMEM; 2218 return -ENOMEM;
2716 context->sockaddr = p; 2219 context->sockaddr = p;
2717 } 2220 }
2718 2221
2719 context->sockaddr_len = len; 2222 context->sockaddr_len = len;
2720 memcpy(context->sockaddr, a, len); 2223 memcpy(context->sockaddr, a, len);
2721 return 0; 2224 return 0;
2722 } 2225 }
2723 2226
2724 void __audit_ptrace(struct task_struct *t) 2227 void __audit_ptrace(struct task_struct *t)
2725 { 2228 {
2726 struct audit_context *context = audit !! 2229 struct audit_context *context = current->audit_context;
2727 2230
2728 context->target_pid = task_tgid_nr(t) 2231 context->target_pid = task_tgid_nr(t);
2729 context->target_auid = audit_get_logi 2232 context->target_auid = audit_get_loginuid(t);
2730 context->target_uid = task_uid(t); 2233 context->target_uid = task_uid(t);
2731 context->target_sessionid = audit_get 2234 context->target_sessionid = audit_get_sessionid(t);
2732 security_task_getsecid_obj(t, &contex !! 2235 security_task_getsecid(t, &context->target_sid);
2733 memcpy(context->target_comm, t->comm, 2236 memcpy(context->target_comm, t->comm, TASK_COMM_LEN);
2734 } 2237 }
2735 2238
2736 /** 2239 /**
2737 * audit_signal_info_syscall - record signal !! 2240 * audit_signal_info - record signal info for shutting down audit subsystem
>> 2241 * @sig: signal value
2738 * @t: task being signaled 2242 * @t: task being signaled
2739 * 2243 *
2740 * If the audit subsystem is being terminated 2244 * If the audit subsystem is being terminated, record the task (pid)
2741 * and uid that is doing that. 2245 * and uid that is doing that.
2742 */ 2246 */
2743 int audit_signal_info_syscall(struct task_str !! 2247 int __audit_signal_info(int sig, struct task_struct *t)
2744 { 2248 {
2745 struct audit_aux_data_pids *axp; 2249 struct audit_aux_data_pids *axp;
2746 struct audit_context *ctx = audit_con !! 2250 struct task_struct *tsk = current;
2747 kuid_t t_uid = task_uid(t); !! 2251 struct audit_context *ctx = tsk->audit_context;
2748 !! 2252 kuid_t uid = current_uid(), t_uid = task_uid(t);
2749 if (!audit_signals || audit_dummy_con !! 2253
2750 return 0; !! 2254 if (auditd_test_task(t)) {
>> 2255 if (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1 || sig == SIGUSR2) {
>> 2256 audit_sig_pid = task_tgid_nr(tsk);
>> 2257 if (uid_valid(tsk->loginuid))
>> 2258 audit_sig_uid = tsk->loginuid;
>> 2259 else
>> 2260 audit_sig_uid = uid;
>> 2261 security_task_getsecid(tsk, &audit_sig_sid);
>> 2262 }
>> 2263 if (!audit_signals || audit_dummy_context())
>> 2264 return 0;
>> 2265 }
2751 2266
2752 /* optimize the common case by puttin 2267 /* optimize the common case by putting first signal recipient directly
2753 * in audit_context */ 2268 * in audit_context */
2754 if (!ctx->target_pid) { 2269 if (!ctx->target_pid) {
2755 ctx->target_pid = task_tgid_n 2270 ctx->target_pid = task_tgid_nr(t);
2756 ctx->target_auid = audit_get_ 2271 ctx->target_auid = audit_get_loginuid(t);
2757 ctx->target_uid = t_uid; 2272 ctx->target_uid = t_uid;
2758 ctx->target_sessionid = audit 2273 ctx->target_sessionid = audit_get_sessionid(t);
2759 security_task_getsecid_obj(t, !! 2274 security_task_getsecid(t, &ctx->target_sid);
2760 memcpy(ctx->target_comm, t->c 2275 memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN);
2761 return 0; 2276 return 0;
2762 } 2277 }
2763 2278
2764 axp = (void *)ctx->aux_pids; 2279 axp = (void *)ctx->aux_pids;
2765 if (!axp || axp->pid_count == AUDIT_A 2280 if (!axp || axp->pid_count == AUDIT_AUX_PIDS) {
2766 axp = kzalloc(sizeof(*axp), G 2281 axp = kzalloc(sizeof(*axp), GFP_ATOMIC);
2767 if (!axp) 2282 if (!axp)
2768 return -ENOMEM; 2283 return -ENOMEM;
2769 2284
2770 axp->d.type = AUDIT_OBJ_PID; 2285 axp->d.type = AUDIT_OBJ_PID;
2771 axp->d.next = ctx->aux_pids; 2286 axp->d.next = ctx->aux_pids;
2772 ctx->aux_pids = (void *)axp; 2287 ctx->aux_pids = (void *)axp;
2773 } 2288 }
2774 BUG_ON(axp->pid_count >= AUDIT_AUX_PI 2289 BUG_ON(axp->pid_count >= AUDIT_AUX_PIDS);
2775 2290
2776 axp->target_pid[axp->pid_count] = tas 2291 axp->target_pid[axp->pid_count] = task_tgid_nr(t);
2777 axp->target_auid[axp->pid_count] = au 2292 axp->target_auid[axp->pid_count] = audit_get_loginuid(t);
2778 axp->target_uid[axp->pid_count] = t_u 2293 axp->target_uid[axp->pid_count] = t_uid;
2779 axp->target_sessionid[axp->pid_count] 2294 axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t);
2780 security_task_getsecid_obj(t, &axp->t !! 2295 security_task_getsecid(t, &axp->target_sid[axp->pid_count]);
2781 memcpy(axp->target_comm[axp->pid_coun 2296 memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN);
2782 axp->pid_count++; 2297 axp->pid_count++;
2783 2298
2784 return 0; 2299 return 0;
2785 } 2300 }
2786 2301
2787 /** 2302 /**
2788 * __audit_log_bprm_fcaps - store information 2303 * __audit_log_bprm_fcaps - store information about a loading bprm and relevant fcaps
2789 * @bprm: pointer to the bprm being processed 2304 * @bprm: pointer to the bprm being processed
2790 * @new: the proposed new credentials 2305 * @new: the proposed new credentials
2791 * @old: the old credentials 2306 * @old: the old credentials
2792 * 2307 *
2793 * Simply check if the proc already has the c 2308 * Simply check if the proc already has the caps given by the file and if not
2794 * store the priv escalation info for later a 2309 * store the priv escalation info for later auditing at the end of the syscall
2795 * 2310 *
2796 * -Eric 2311 * -Eric
2797 */ 2312 */
2798 int __audit_log_bprm_fcaps(struct linux_binpr 2313 int __audit_log_bprm_fcaps(struct linux_binprm *bprm,
2799 const struct cred 2314 const struct cred *new, const struct cred *old)
2800 { 2315 {
2801 struct audit_aux_data_bprm_fcaps *ax; 2316 struct audit_aux_data_bprm_fcaps *ax;
2802 struct audit_context *context = audit !! 2317 struct audit_context *context = current->audit_context;
2803 struct cpu_vfs_cap_data vcaps; 2318 struct cpu_vfs_cap_data vcaps;
2804 2319
2805 ax = kmalloc(sizeof(*ax), GFP_KERNEL) 2320 ax = kmalloc(sizeof(*ax), GFP_KERNEL);
2806 if (!ax) 2321 if (!ax)
2807 return -ENOMEM; 2322 return -ENOMEM;
2808 2323
2809 ax->d.type = AUDIT_BPRM_FCAPS; 2324 ax->d.type = AUDIT_BPRM_FCAPS;
2810 ax->d.next = context->aux; 2325 ax->d.next = context->aux;
2811 context->aux = (void *)ax; 2326 context->aux = (void *)ax;
2812 2327
2813 get_vfs_caps_from_disk(&nop_mnt_idmap !! 2328 get_vfs_caps_from_disk(bprm->file->f_path.dentry, &vcaps);
2814 bprm->file->f_ <<
2815 2329
2816 ax->fcap.permitted = vcaps.permitted; 2330 ax->fcap.permitted = vcaps.permitted;
2817 ax->fcap.inheritable = vcaps.inherita 2331 ax->fcap.inheritable = vcaps.inheritable;
2818 ax->fcap.fE = !!(vcaps.magic_etc & VF 2332 ax->fcap.fE = !!(vcaps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE);
2819 ax->fcap.rootid = vcaps.rootid; <<
2820 ax->fcap_ver = (vcaps.magic_etc & VFS 2333 ax->fcap_ver = (vcaps.magic_etc & VFS_CAP_REVISION_MASK) >> VFS_CAP_REVISION_SHIFT;
2821 2334
2822 ax->old_pcap.permitted = old->cap_p 2335 ax->old_pcap.permitted = old->cap_permitted;
2823 ax->old_pcap.inheritable = old->cap_i 2336 ax->old_pcap.inheritable = old->cap_inheritable;
2824 ax->old_pcap.effective = old->cap_e 2337 ax->old_pcap.effective = old->cap_effective;
2825 ax->old_pcap.ambient = old->cap_a <<
2826 2338
2827 ax->new_pcap.permitted = new->cap_p 2339 ax->new_pcap.permitted = new->cap_permitted;
2828 ax->new_pcap.inheritable = new->cap_i 2340 ax->new_pcap.inheritable = new->cap_inheritable;
2829 ax->new_pcap.effective = new->cap_e 2341 ax->new_pcap.effective = new->cap_effective;
2830 ax->new_pcap.ambient = new->cap_a <<
2831 return 0; 2342 return 0;
2832 } 2343 }
2833 2344
2834 /** 2345 /**
2835 * __audit_log_capset - store information abo 2346 * __audit_log_capset - store information about the arguments to the capset syscall
2836 * @new: the new credentials 2347 * @new: the new credentials
2837 * @old: the old (current) credentials 2348 * @old: the old (current) credentials
2838 * 2349 *
2839 * Record the arguments userspace sent to sys 2350 * Record the arguments userspace sent to sys_capset for later printing by the
2840 * audit system if applicable 2351 * audit system if applicable
2841 */ 2352 */
2842 void __audit_log_capset(const struct cred *ne 2353 void __audit_log_capset(const struct cred *new, const struct cred *old)
2843 { 2354 {
2844 struct audit_context *context = audit !! 2355 struct audit_context *context = current->audit_context;
2845 <<
2846 context->capset.pid = task_tgid_nr(cu 2356 context->capset.pid = task_tgid_nr(current);
2847 context->capset.cap.effective = new 2357 context->capset.cap.effective = new->cap_effective;
2848 context->capset.cap.inheritable = new 2358 context->capset.cap.inheritable = new->cap_effective;
2849 context->capset.cap.permitted = new 2359 context->capset.cap.permitted = new->cap_permitted;
2850 context->capset.cap.ambient = new <<
2851 context->type = AUDIT_CAPSET; 2360 context->type = AUDIT_CAPSET;
2852 } 2361 }
2853 2362
2854 void __audit_mmap_fd(int fd, int flags) 2363 void __audit_mmap_fd(int fd, int flags)
2855 { 2364 {
2856 struct audit_context *context = audit !! 2365 struct audit_context *context = current->audit_context;
2857 <<
2858 context->mmap.fd = fd; 2366 context->mmap.fd = fd;
2859 context->mmap.flags = flags; 2367 context->mmap.flags = flags;
2860 context->type = AUDIT_MMAP; 2368 context->type = AUDIT_MMAP;
2861 } 2369 }
2862 2370
2863 void __audit_openat2_how(struct open_how *how <<
2864 { <<
2865 struct audit_context *context = audit <<
2866 <<
2867 context->openat2.flags = how->flags; <<
2868 context->openat2.mode = how->mode; <<
2869 context->openat2.resolve = how->resol <<
2870 context->type = AUDIT_OPENAT2; <<
2871 } <<
2872 <<
2873 void __audit_log_kern_module(char *name) <<
2874 { <<
2875 struct audit_context *context = audit <<
2876 <<
2877 context->module.name = kstrdup(name, <<
2878 if (!context->module.name) <<
2879 audit_log_lost("out of memory <<
2880 context->type = AUDIT_KERN_MODULE; <<
2881 } <<
2882 <<
2883 void __audit_fanotify(u32 response, struct fa <<
2884 { <<
2885 /* {subj,obj}_trust values are {0,1,2 <<
2886 switch (friar->hdr.type) { <<
2887 case FAN_RESPONSE_INFO_NONE: <<
2888 audit_log(audit_context(), GF <<
2889 "resp=%u fan_type=% <<
2890 response, FAN_RESPO <<
2891 break; <<
2892 case FAN_RESPONSE_INFO_AUDIT_RULE: <<
2893 audit_log(audit_context(), GF <<
2894 "resp=%u fan_type=% <<
2895 response, friar->hd <<
2896 friar->subj_trust, <<
2897 } <<
2898 } <<
2899 <<
2900 void __audit_tk_injoffset(struct timespec64 o <<
2901 { <<
2902 struct audit_context *context = audit <<
2903 <<
2904 /* only set type if not already set b <<
2905 if (!context->type) <<
2906 context->type = AUDIT_TIME_IN <<
2907 memcpy(&context->time.tk_injoffset, & <<
2908 } <<
2909 <<
2910 void __audit_ntp_log(const struct audit_ntp_d <<
2911 { <<
2912 struct audit_context *context = audit <<
2913 int type; <<
2914 <<
2915 for (type = 0; type < AUDIT_NTP_NVALS <<
2916 if (ad->vals[type].newval != <<
2917 /* unconditionally se <<
2918 context->type = AUDIT <<
2919 memcpy(&context->time <<
2920 break; <<
2921 } <<
2922 } <<
2923 <<
2924 void __audit_log_nfcfg(const char *name, u8 a <<
2925 enum audit_nfcfgop op, <<
2926 { <<
2927 struct audit_buffer *ab; <<
2928 char comm[sizeof(current->comm)]; <<
2929 <<
2930 ab = audit_log_start(audit_context(), <<
2931 if (!ab) <<
2932 return; <<
2933 audit_log_format(ab, "table=%s family <<
2934 name, af, nentries, <<
2935 <<
2936 audit_log_format(ab, " pid=%u", task_ <<
2937 audit_log_task_context(ab); /* subj= <<
2938 audit_log_format(ab, " comm="); <<
2939 audit_log_untrustedstring(ab, get_tas <<
2940 audit_log_end(ab); <<
2941 } <<
2942 EXPORT_SYMBOL_GPL(__audit_log_nfcfg); <<
2943 <<
2944 static void audit_log_task(struct audit_buffe 2371 static void audit_log_task(struct audit_buffer *ab)
2945 { 2372 {
2946 kuid_t auid, uid; 2373 kuid_t auid, uid;
2947 kgid_t gid; 2374 kgid_t gid;
2948 unsigned int sessionid; 2375 unsigned int sessionid;
2949 char comm[sizeof(current->comm)]; 2376 char comm[sizeof(current->comm)];
2950 2377
2951 auid = audit_get_loginuid(current); 2378 auid = audit_get_loginuid(current);
2952 sessionid = audit_get_sessionid(curre 2379 sessionid = audit_get_sessionid(current);
2953 current_uid_gid(&uid, &gid); 2380 current_uid_gid(&uid, &gid);
2954 2381
2955 audit_log_format(ab, "auid=%u uid=%u 2382 audit_log_format(ab, "auid=%u uid=%u gid=%u ses=%u",
2956 from_kuid(&init_user 2383 from_kuid(&init_user_ns, auid),
2957 from_kuid(&init_user 2384 from_kuid(&init_user_ns, uid),
2958 from_kgid(&init_user 2385 from_kgid(&init_user_ns, gid),
2959 sessionid); 2386 sessionid);
2960 audit_log_task_context(ab); 2387 audit_log_task_context(ab);
2961 audit_log_format(ab, " pid=%d comm=", 2388 audit_log_format(ab, " pid=%d comm=", task_tgid_nr(current));
2962 audit_log_untrustedstring(ab, get_tas 2389 audit_log_untrustedstring(ab, get_task_comm(comm, current));
2963 audit_log_d_path_exe(ab, current->mm) 2390 audit_log_d_path_exe(ab, current->mm);
2964 } 2391 }
2965 2392
2966 /** 2393 /**
2967 * audit_core_dumps - record information abou 2394 * audit_core_dumps - record information about processes that end abnormally
2968 * @signr: signal value 2395 * @signr: signal value
2969 * 2396 *
2970 * If a process ends with a core dump, someth 2397 * If a process ends with a core dump, something fishy is going on and we
2971 * should record the event for investigation. 2398 * should record the event for investigation.
2972 */ 2399 */
2973 void audit_core_dumps(long signr) 2400 void audit_core_dumps(long signr)
2974 { 2401 {
2975 struct audit_buffer *ab; 2402 struct audit_buffer *ab;
2976 2403
2977 if (!audit_enabled) 2404 if (!audit_enabled)
2978 return; 2405 return;
2979 2406
2980 if (signr == SIGQUIT) /* don't care 2407 if (signr == SIGQUIT) /* don't care for those */
2981 return; 2408 return;
2982 2409
2983 ab = audit_log_start(audit_context(), !! 2410 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
2984 if (unlikely(!ab)) 2411 if (unlikely(!ab))
2985 return; 2412 return;
2986 audit_log_task(ab); 2413 audit_log_task(ab);
2987 audit_log_format(ab, " sig=%ld res=1" !! 2414 audit_log_format(ab, " sig=%ld", signr);
2988 audit_log_end(ab); 2415 audit_log_end(ab);
2989 } 2416 }
2990 2417
2991 /** !! 2418 void __audit_seccomp(unsigned long syscall, long signr, int code)
2992 * audit_seccomp - record information about a <<
2993 * @syscall: syscall number <<
2994 * @signr: signal value <<
2995 * @code: the seccomp action <<
2996 * <<
2997 * Record the information associated with a s <<
2998 * seccomp actions that are not to be logged <<
2999 * Therefore, this function forces auditing i <<
3000 * and dummy context state because seccomp ac <<
3001 * audit is not in use. <<
3002 */ <<
3003 void audit_seccomp(unsigned long syscall, lon <<
3004 { 2419 {
3005 struct audit_buffer *ab; 2420 struct audit_buffer *ab;
3006 2421
3007 ab = audit_log_start(audit_context(), !! 2422 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_SECCOMP);
3008 if (unlikely(!ab)) 2423 if (unlikely(!ab))
3009 return; 2424 return;
3010 audit_log_task(ab); 2425 audit_log_task(ab);
3011 audit_log_format(ab, " sig=%ld arch=% 2426 audit_log_format(ab, " sig=%ld arch=%x syscall=%ld compat=%d ip=0x%lx code=0x%x",
3012 signr, syscall_get_a !! 2427 signr, syscall_get_arch(), syscall,
3013 in_compat_syscall(), 2428 in_compat_syscall(), KSTK_EIP(current), code);
3014 audit_log_end(ab); 2429 audit_log_end(ab);
3015 } 2430 }
3016 2431
3017 void audit_seccomp_actions_logged(const char <<
3018 int res) <<
3019 { <<
3020 struct audit_buffer *ab; <<
3021 <<
3022 if (!audit_enabled) <<
3023 return; <<
3024 <<
3025 ab = audit_log_start(audit_context(), <<
3026 AUDIT_CONFIG_CHA <<
3027 if (unlikely(!ab)) <<
3028 return; <<
3029 <<
3030 audit_log_format(ab, <<
3031 "op=seccomp-logging <<
3032 names, old_names, re <<
3033 audit_log_end(ab); <<
3034 } <<
3035 <<
3036 struct list_head *audit_killed_trees(void) 2432 struct list_head *audit_killed_trees(void)
3037 { 2433 {
3038 struct audit_context *ctx = audit_con !! 2434 struct audit_context *ctx = current->audit_context;
3039 if (likely(!ctx || ctx->context == AU !! 2435 if (likely(!ctx || !ctx->in_syscall))
3040 return NULL; 2436 return NULL;
3041 return &ctx->killed_trees; 2437 return &ctx->killed_trees;
3042 } 2438 }
3043 2439
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.