1 // SPDX-License-Identifier: GPL-2.0-or-later 1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /* auditsc.c -- System-call auditing support 2 /* auditsc.c -- System-call auditing support
3 * Handles all system-call specific auditing f 3 * Handles all system-call specific auditing features.
4 * 4 *
5 * Copyright 2003-2004 Red Hat Inc., Durham, N 5 * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina.
6 * Copyright 2005 Hewlett-Packard Development 6 * Copyright 2005 Hewlett-Packard Development Company, L.P.
7 * Copyright (C) 2005, 2006 IBM Corporation 7 * Copyright (C) 2005, 2006 IBM Corporation
8 * All Rights Reserved. 8 * All Rights Reserved.
9 * 9 *
10 * Written by Rickard E. (Rik) Faith <faith@re 10 * Written by Rickard E. (Rik) Faith <faith@redhat.com>
11 * 11 *
12 * Many of the ideas implemented here are from 12 * Many of the ideas implemented here are from Stephen C. Tweedie,
13 * especially the idea of avoiding a copy by u 13 * especially the idea of avoiding a copy by using getname.
14 * 14 *
15 * The method for actual interception of sysca 15 * The method for actual interception of syscall entry and exit (not in
16 * this file -- see entry.S) is based on a GPL 16 * this file -- see entry.S) is based on a GPL'd patch written by
17 * okir@suse.de and Copyright 2003 SuSE Linux 17 * okir@suse.de and Copyright 2003 SuSE Linux AG.
18 * 18 *
19 * POSIX message queue support added by George 19 * POSIX message queue support added by George Wilson <ltcgcw@us.ibm.com>,
20 * 2006. 20 * 2006.
21 * 21 *
22 * The support of additional filter rules comp 22 * The support of additional filter rules compares (>, <, >=, <=) was
23 * added by Dustin Kirkland <dustin.kirkland@u 23 * added by Dustin Kirkland <dustin.kirkland@us.ibm.com>, 2005.
24 * 24 *
25 * Modified by Amy Griffis <amy.griffis@hp.com 25 * Modified by Amy Griffis <amy.griffis@hp.com> to collect additional
26 * filesystem information. 26 * filesystem information.
27 * 27 *
28 * Subject and object context labeling support 28 * Subject and object context labeling support added by <danjones@us.ibm.com>
29 * and <dustin.kirkland@us.ibm.com> for LSPP c 29 * and <dustin.kirkland@us.ibm.com> for LSPP certification compliance.
30 */ 30 */
31 31
32 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 32 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
33 33
34 #include <linux/init.h> 34 #include <linux/init.h>
35 #include <asm/types.h> 35 #include <asm/types.h>
36 #include <linux/atomic.h> 36 #include <linux/atomic.h>
37 #include <linux/fs.h> 37 #include <linux/fs.h>
38 #include <linux/namei.h> 38 #include <linux/namei.h>
39 #include <linux/mm.h> 39 #include <linux/mm.h>
40 #include <linux/export.h> 40 #include <linux/export.h>
41 #include <linux/slab.h> 41 #include <linux/slab.h>
42 #include <linux/mount.h> 42 #include <linux/mount.h>
43 #include <linux/socket.h> 43 #include <linux/socket.h>
44 #include <linux/mqueue.h> 44 #include <linux/mqueue.h>
45 #include <linux/audit.h> 45 #include <linux/audit.h>
46 #include <linux/personality.h> 46 #include <linux/personality.h>
47 #include <linux/time.h> 47 #include <linux/time.h>
48 #include <linux/netlink.h> 48 #include <linux/netlink.h>
49 #include <linux/compiler.h> 49 #include <linux/compiler.h>
50 #include <asm/unistd.h> 50 #include <asm/unistd.h>
51 #include <linux/security.h> 51 #include <linux/security.h>
52 #include <linux/list.h> 52 #include <linux/list.h>
53 #include <linux/binfmts.h> 53 #include <linux/binfmts.h>
54 #include <linux/highmem.h> 54 #include <linux/highmem.h>
55 #include <linux/syscalls.h> 55 #include <linux/syscalls.h>
56 #include <asm/syscall.h> 56 #include <asm/syscall.h>
57 #include <linux/capability.h> 57 #include <linux/capability.h>
58 #include <linux/fs_struct.h> 58 #include <linux/fs_struct.h>
59 #include <linux/compat.h> 59 #include <linux/compat.h>
60 #include <linux/ctype.h> 60 #include <linux/ctype.h>
61 #include <linux/string.h> 61 #include <linux/string.h>
62 #include <linux/uaccess.h> 62 #include <linux/uaccess.h>
63 #include <linux/fsnotify_backend.h> 63 #include <linux/fsnotify_backend.h>
64 #include <uapi/linux/limits.h> 64 #include <uapi/linux/limits.h>
65 #include <uapi/linux/netfilter/nf_tables.h> 65 #include <uapi/linux/netfilter/nf_tables.h>
66 #include <uapi/linux/openat2.h> // struct open 66 #include <uapi/linux/openat2.h> // struct open_how
67 #include <uapi/linux/fanotify.h> <<
68 67
69 #include "audit.h" 68 #include "audit.h"
70 69
71 /* flags stating the success for a syscall */ 70 /* flags stating the success for a syscall */
72 #define AUDITSC_INVALID 0 71 #define AUDITSC_INVALID 0
73 #define AUDITSC_SUCCESS 1 72 #define AUDITSC_SUCCESS 1
74 #define AUDITSC_FAILURE 2 73 #define AUDITSC_FAILURE 2
75 74
76 /* no execve audit message should be longer th 75 /* no execve audit message should be longer than this (userspace limits),
77 * see the note near the top of audit_log_exec 76 * see the note near the top of audit_log_execve_info() about this value */
78 #define MAX_EXECVE_AUDIT_LEN 7500 77 #define MAX_EXECVE_AUDIT_LEN 7500
79 78
80 /* max length to print of cmdline/proctitle va 79 /* max length to print of cmdline/proctitle value during audit */
81 #define MAX_PROCTITLE_AUDIT_LEN 128 80 #define MAX_PROCTITLE_AUDIT_LEN 128
82 81
83 /* number of audit rules */ 82 /* number of audit rules */
84 int audit_n_rules; 83 int audit_n_rules;
85 84
86 /* determines whether we collect data for sign 85 /* determines whether we collect data for signals sent */
87 int audit_signals; 86 int audit_signals;
88 87
89 struct audit_aux_data { 88 struct audit_aux_data {
90 struct audit_aux_data *next; 89 struct audit_aux_data *next;
91 int type; 90 int type;
92 }; 91 };
93 92
94 /* Number of target pids per aux struct. */ 93 /* Number of target pids per aux struct. */
95 #define AUDIT_AUX_PIDS 16 94 #define AUDIT_AUX_PIDS 16
96 95
97 struct audit_aux_data_pids { 96 struct audit_aux_data_pids {
98 struct audit_aux_data d; 97 struct audit_aux_data d;
99 pid_t target_pid[AUD 98 pid_t target_pid[AUDIT_AUX_PIDS];
100 kuid_t target_auid[AU 99 kuid_t target_auid[AUDIT_AUX_PIDS];
101 kuid_t target_uid[AUD 100 kuid_t target_uid[AUDIT_AUX_PIDS];
102 unsigned int target_session 101 unsigned int target_sessionid[AUDIT_AUX_PIDS];
103 u32 target_sid[AUD 102 u32 target_sid[AUDIT_AUX_PIDS];
104 char target_comm[AU 103 char target_comm[AUDIT_AUX_PIDS][TASK_COMM_LEN];
105 int pid_count; 104 int pid_count;
106 }; 105 };
107 106
108 struct audit_aux_data_bprm_fcaps { 107 struct audit_aux_data_bprm_fcaps {
109 struct audit_aux_data d; 108 struct audit_aux_data d;
110 struct audit_cap_data fcap; 109 struct audit_cap_data fcap;
111 unsigned int fcap_ver; 110 unsigned int fcap_ver;
112 struct audit_cap_data old_pcap; 111 struct audit_cap_data old_pcap;
113 struct audit_cap_data new_pcap; 112 struct audit_cap_data new_pcap;
114 }; 113 };
115 114
116 struct audit_tree_refs { 115 struct audit_tree_refs {
117 struct audit_tree_refs *next; 116 struct audit_tree_refs *next;
118 struct audit_chunk *c[31]; 117 struct audit_chunk *c[31];
119 }; 118 };
120 119
121 struct audit_nfcfgop_tab { 120 struct audit_nfcfgop_tab {
122 enum audit_nfcfgop op; 121 enum audit_nfcfgop op;
123 const char *s; 122 const char *s;
124 }; 123 };
125 124
126 static const struct audit_nfcfgop_tab audit_nf 125 static const struct audit_nfcfgop_tab audit_nfcfgs[] = {
127 { AUDIT_XT_OP_REGISTER, 126 { AUDIT_XT_OP_REGISTER, "xt_register" },
128 { AUDIT_XT_OP_REPLACE, 127 { AUDIT_XT_OP_REPLACE, "xt_replace" },
129 { AUDIT_XT_OP_UNREGISTER, 128 { AUDIT_XT_OP_UNREGISTER, "xt_unregister" },
130 { AUDIT_NFT_OP_TABLE_REGISTER, 129 { AUDIT_NFT_OP_TABLE_REGISTER, "nft_register_table" },
131 { AUDIT_NFT_OP_TABLE_UNREGISTER, 130 { AUDIT_NFT_OP_TABLE_UNREGISTER, "nft_unregister_table" },
132 { AUDIT_NFT_OP_CHAIN_REGISTER, 131 { AUDIT_NFT_OP_CHAIN_REGISTER, "nft_register_chain" },
133 { AUDIT_NFT_OP_CHAIN_UNREGISTER, 132 { AUDIT_NFT_OP_CHAIN_UNREGISTER, "nft_unregister_chain" },
134 { AUDIT_NFT_OP_RULE_REGISTER, 133 { AUDIT_NFT_OP_RULE_REGISTER, "nft_register_rule" },
135 { AUDIT_NFT_OP_RULE_UNREGISTER, 134 { AUDIT_NFT_OP_RULE_UNREGISTER, "nft_unregister_rule" },
136 { AUDIT_NFT_OP_SET_REGISTER, 135 { AUDIT_NFT_OP_SET_REGISTER, "nft_register_set" },
137 { AUDIT_NFT_OP_SET_UNREGISTER, 136 { AUDIT_NFT_OP_SET_UNREGISTER, "nft_unregister_set" },
138 { AUDIT_NFT_OP_SETELEM_REGISTER, 137 { AUDIT_NFT_OP_SETELEM_REGISTER, "nft_register_setelem" },
139 { AUDIT_NFT_OP_SETELEM_UNREGISTER, 138 { AUDIT_NFT_OP_SETELEM_UNREGISTER, "nft_unregister_setelem" },
140 { AUDIT_NFT_OP_GEN_REGISTER, 139 { AUDIT_NFT_OP_GEN_REGISTER, "nft_register_gen" },
141 { AUDIT_NFT_OP_OBJ_REGISTER, 140 { AUDIT_NFT_OP_OBJ_REGISTER, "nft_register_obj" },
142 { AUDIT_NFT_OP_OBJ_UNREGISTER, 141 { AUDIT_NFT_OP_OBJ_UNREGISTER, "nft_unregister_obj" },
143 { AUDIT_NFT_OP_OBJ_RESET, 142 { AUDIT_NFT_OP_OBJ_RESET, "nft_reset_obj" },
144 { AUDIT_NFT_OP_FLOWTABLE_REGISTER, 143 { AUDIT_NFT_OP_FLOWTABLE_REGISTER, "nft_register_flowtable" },
145 { AUDIT_NFT_OP_FLOWTABLE_UNREGISTER, 144 { AUDIT_NFT_OP_FLOWTABLE_UNREGISTER, "nft_unregister_flowtable" },
146 { AUDIT_NFT_OP_SETELEM_RESET, <<
147 { AUDIT_NFT_OP_RULE_RESET, <<
148 { AUDIT_NFT_OP_INVALID, 145 { AUDIT_NFT_OP_INVALID, "nft_invalid" },
149 }; 146 };
150 147
151 static int audit_match_perm(struct audit_conte 148 static int audit_match_perm(struct audit_context *ctx, int mask)
152 { 149 {
153 unsigned n; 150 unsigned n;
154 151
155 if (unlikely(!ctx)) 152 if (unlikely(!ctx))
156 return 0; 153 return 0;
157 n = ctx->major; 154 n = ctx->major;
158 155
159 switch (audit_classify_syscall(ctx->ar 156 switch (audit_classify_syscall(ctx->arch, n)) {
160 case AUDITSC_NATIVE: 157 case AUDITSC_NATIVE:
161 if ((mask & AUDIT_PERM_WRITE) 158 if ((mask & AUDIT_PERM_WRITE) &&
162 audit_match_class(AUDIT_C 159 audit_match_class(AUDIT_CLASS_WRITE, n))
163 return 1; 160 return 1;
164 if ((mask & AUDIT_PERM_READ) & 161 if ((mask & AUDIT_PERM_READ) &&
165 audit_match_class(AUDIT_C 162 audit_match_class(AUDIT_CLASS_READ, n))
166 return 1; 163 return 1;
167 if ((mask & AUDIT_PERM_ATTR) & 164 if ((mask & AUDIT_PERM_ATTR) &&
168 audit_match_class(AUDIT_C 165 audit_match_class(AUDIT_CLASS_CHATTR, n))
169 return 1; 166 return 1;
170 return 0; 167 return 0;
171 case AUDITSC_COMPAT: /* 32bit on biarc 168 case AUDITSC_COMPAT: /* 32bit on biarch */
172 if ((mask & AUDIT_PERM_WRITE) 169 if ((mask & AUDIT_PERM_WRITE) &&
173 audit_match_class(AUDIT_C 170 audit_match_class(AUDIT_CLASS_WRITE_32, n))
174 return 1; 171 return 1;
175 if ((mask & AUDIT_PERM_READ) & 172 if ((mask & AUDIT_PERM_READ) &&
176 audit_match_class(AUDIT_C 173 audit_match_class(AUDIT_CLASS_READ_32, n))
177 return 1; 174 return 1;
178 if ((mask & AUDIT_PERM_ATTR) & 175 if ((mask & AUDIT_PERM_ATTR) &&
179 audit_match_class(AUDIT_C 176 audit_match_class(AUDIT_CLASS_CHATTR_32, n))
180 return 1; 177 return 1;
181 return 0; 178 return 0;
182 case AUDITSC_OPEN: 179 case AUDITSC_OPEN:
183 return mask & ACC_MODE(ctx->ar 180 return mask & ACC_MODE(ctx->argv[1]);
184 case AUDITSC_OPENAT: 181 case AUDITSC_OPENAT:
185 return mask & ACC_MODE(ctx->ar 182 return mask & ACC_MODE(ctx->argv[2]);
186 case AUDITSC_SOCKETCALL: 183 case AUDITSC_SOCKETCALL:
187 return ((mask & AUDIT_PERM_WRI 184 return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND);
188 case AUDITSC_EXECVE: 185 case AUDITSC_EXECVE:
189 return mask & AUDIT_PERM_EXEC; 186 return mask & AUDIT_PERM_EXEC;
190 case AUDITSC_OPENAT2: 187 case AUDITSC_OPENAT2:
191 return mask & ACC_MODE((u32)ct 188 return mask & ACC_MODE((u32)ctx->openat2.flags);
192 default: 189 default:
193 return 0; 190 return 0;
194 } 191 }
195 } 192 }
196 193
197 static int audit_match_filetype(struct audit_c 194 static int audit_match_filetype(struct audit_context *ctx, int val)
198 { 195 {
199 struct audit_names *n; 196 struct audit_names *n;
200 umode_t mode = (umode_t)val; 197 umode_t mode = (umode_t)val;
201 198
202 if (unlikely(!ctx)) 199 if (unlikely(!ctx))
203 return 0; 200 return 0;
204 201
205 list_for_each_entry(n, &ctx->names_lis 202 list_for_each_entry(n, &ctx->names_list, list) {
206 if ((n->ino != AUDIT_INO_UNSET 203 if ((n->ino != AUDIT_INO_UNSET) &&
207 ((n->mode & S_IFMT) == mod 204 ((n->mode & S_IFMT) == mode))
208 return 1; 205 return 1;
209 } 206 }
210 207
211 return 0; 208 return 0;
212 } 209 }
213 210
214 /* 211 /*
215 * We keep a linked list of fixed-sized (31 po 212 * We keep a linked list of fixed-sized (31 pointer) arrays of audit_chunk *;
216 * ->first_trees points to its beginning, ->tr 213 * ->first_trees points to its beginning, ->trees - to the current end of data.
217 * ->tree_count is the number of free entries 214 * ->tree_count is the number of free entries in array pointed to by ->trees.
218 * Original condition is (NULL, NULL, 0); as s 215 * Original condition is (NULL, NULL, 0); as soon as it grows we never revert to NULL,
219 * "empty" becomes (p, p, 31) afterwards. We 216 * "empty" becomes (p, p, 31) afterwards. We don't shrink the list (and seriously,
220 * it's going to remain 1-element for almost a 217 * it's going to remain 1-element for almost any setup) until we free context itself.
221 * References in it _are_ dropped - at the sam 218 * References in it _are_ dropped - at the same time we free/drop aux stuff.
222 */ 219 */
223 220
224 static void audit_set_auditable(struct audit_c 221 static void audit_set_auditable(struct audit_context *ctx)
225 { 222 {
226 if (!ctx->prio) { 223 if (!ctx->prio) {
227 ctx->prio = 1; 224 ctx->prio = 1;
228 ctx->current_state = AUDIT_STA 225 ctx->current_state = AUDIT_STATE_RECORD;
229 } 226 }
230 } 227 }
231 228
232 static int put_tree_ref(struct audit_context * 229 static int put_tree_ref(struct audit_context *ctx, struct audit_chunk *chunk)
233 { 230 {
234 struct audit_tree_refs *p = ctx->trees 231 struct audit_tree_refs *p = ctx->trees;
235 int left = ctx->tree_count; 232 int left = ctx->tree_count;
236 233
237 if (likely(left)) { 234 if (likely(left)) {
238 p->c[--left] = chunk; 235 p->c[--left] = chunk;
239 ctx->tree_count = left; 236 ctx->tree_count = left;
240 return 1; 237 return 1;
241 } 238 }
242 if (!p) 239 if (!p)
243 return 0; 240 return 0;
244 p = p->next; 241 p = p->next;
245 if (p) { 242 if (p) {
246 p->c[30] = chunk; 243 p->c[30] = chunk;
247 ctx->trees = p; 244 ctx->trees = p;
248 ctx->tree_count = 30; 245 ctx->tree_count = 30;
249 return 1; 246 return 1;
250 } 247 }
251 return 0; 248 return 0;
252 } 249 }
253 250
254 static int grow_tree_refs(struct audit_context 251 static int grow_tree_refs(struct audit_context *ctx)
255 { 252 {
256 struct audit_tree_refs *p = ctx->trees 253 struct audit_tree_refs *p = ctx->trees;
257 254
258 ctx->trees = kzalloc(sizeof(struct aud 255 ctx->trees = kzalloc(sizeof(struct audit_tree_refs), GFP_KERNEL);
259 if (!ctx->trees) { 256 if (!ctx->trees) {
260 ctx->trees = p; 257 ctx->trees = p;
261 return 0; 258 return 0;
262 } 259 }
263 if (p) 260 if (p)
264 p->next = ctx->trees; 261 p->next = ctx->trees;
265 else 262 else
266 ctx->first_trees = ctx->trees; 263 ctx->first_trees = ctx->trees;
267 ctx->tree_count = 31; 264 ctx->tree_count = 31;
268 return 1; 265 return 1;
269 } 266 }
270 267
271 static void unroll_tree_refs(struct audit_cont 268 static void unroll_tree_refs(struct audit_context *ctx,
272 struct audit_tree_refs * 269 struct audit_tree_refs *p, int count)
273 { 270 {
274 struct audit_tree_refs *q; 271 struct audit_tree_refs *q;
275 int n; 272 int n;
276 273
277 if (!p) { 274 if (!p) {
278 /* we started with empty chain 275 /* we started with empty chain */
279 p = ctx->first_trees; 276 p = ctx->first_trees;
280 count = 31; 277 count = 31;
281 /* if the very first allocatio 278 /* if the very first allocation has failed, nothing to do */
282 if (!p) 279 if (!p)
283 return; 280 return;
284 } 281 }
285 n = count; 282 n = count;
286 for (q = p; q != ctx->trees; q = q->ne 283 for (q = p; q != ctx->trees; q = q->next, n = 31) {
287 while (n--) { 284 while (n--) {
288 audit_put_chunk(q->c[n 285 audit_put_chunk(q->c[n]);
289 q->c[n] = NULL; 286 q->c[n] = NULL;
290 } 287 }
291 } 288 }
292 while (n-- > ctx->tree_count) { 289 while (n-- > ctx->tree_count) {
293 audit_put_chunk(q->c[n]); 290 audit_put_chunk(q->c[n]);
294 q->c[n] = NULL; 291 q->c[n] = NULL;
295 } 292 }
296 ctx->trees = p; 293 ctx->trees = p;
297 ctx->tree_count = count; 294 ctx->tree_count = count;
298 } 295 }
299 296
300 static void free_tree_refs(struct audit_contex 297 static void free_tree_refs(struct audit_context *ctx)
301 { 298 {
302 struct audit_tree_refs *p, *q; 299 struct audit_tree_refs *p, *q;
303 300
304 for (p = ctx->first_trees; p; p = q) { 301 for (p = ctx->first_trees; p; p = q) {
305 q = p->next; 302 q = p->next;
306 kfree(p); 303 kfree(p);
307 } 304 }
308 } 305 }
309 306
310 static int match_tree_refs(struct audit_contex 307 static int match_tree_refs(struct audit_context *ctx, struct audit_tree *tree)
311 { 308 {
312 struct audit_tree_refs *p; 309 struct audit_tree_refs *p;
313 int n; 310 int n;
314 311
315 if (!tree) 312 if (!tree)
316 return 0; 313 return 0;
317 /* full ones */ 314 /* full ones */
318 for (p = ctx->first_trees; p != ctx->t 315 for (p = ctx->first_trees; p != ctx->trees; p = p->next) {
319 for (n = 0; n < 31; n++) 316 for (n = 0; n < 31; n++)
320 if (audit_tree_match(p 317 if (audit_tree_match(p->c[n], tree))
321 return 1; 318 return 1;
322 } 319 }
323 /* partial */ 320 /* partial */
324 if (p) { 321 if (p) {
325 for (n = ctx->tree_count; n < 322 for (n = ctx->tree_count; n < 31; n++)
326 if (audit_tree_match(p 323 if (audit_tree_match(p->c[n], tree))
327 return 1; 324 return 1;
328 } 325 }
329 return 0; 326 return 0;
330 } 327 }
331 328
332 static int audit_compare_uid(kuid_t uid, 329 static int audit_compare_uid(kuid_t uid,
333 struct audit_name 330 struct audit_names *name,
334 struct audit_fiel 331 struct audit_field *f,
335 struct audit_cont 332 struct audit_context *ctx)
336 { 333 {
337 struct audit_names *n; 334 struct audit_names *n;
338 int rc; 335 int rc;
339 336
340 if (name) { 337 if (name) {
341 rc = audit_uid_comparator(uid, 338 rc = audit_uid_comparator(uid, f->op, name->uid);
342 if (rc) 339 if (rc)
343 return rc; 340 return rc;
344 } 341 }
345 342
346 if (ctx) { 343 if (ctx) {
347 list_for_each_entry(n, &ctx->n 344 list_for_each_entry(n, &ctx->names_list, list) {
348 rc = audit_uid_compara 345 rc = audit_uid_comparator(uid, f->op, n->uid);
349 if (rc) 346 if (rc)
350 return rc; 347 return rc;
351 } 348 }
352 } 349 }
353 return 0; 350 return 0;
354 } 351 }
355 352
356 static int audit_compare_gid(kgid_t gid, 353 static int audit_compare_gid(kgid_t gid,
357 struct audit_name 354 struct audit_names *name,
358 struct audit_fiel 355 struct audit_field *f,
359 struct audit_cont 356 struct audit_context *ctx)
360 { 357 {
361 struct audit_names *n; 358 struct audit_names *n;
362 int rc; 359 int rc;
363 360
364 if (name) { 361 if (name) {
365 rc = audit_gid_comparator(gid, 362 rc = audit_gid_comparator(gid, f->op, name->gid);
366 if (rc) 363 if (rc)
367 return rc; 364 return rc;
368 } 365 }
369 366
370 if (ctx) { 367 if (ctx) {
371 list_for_each_entry(n, &ctx->n 368 list_for_each_entry(n, &ctx->names_list, list) {
372 rc = audit_gid_compara 369 rc = audit_gid_comparator(gid, f->op, n->gid);
373 if (rc) 370 if (rc)
374 return rc; 371 return rc;
375 } 372 }
376 } 373 }
377 return 0; 374 return 0;
378 } 375 }
379 376
380 static int audit_field_compare(struct task_str 377 static int audit_field_compare(struct task_struct *tsk,
381 const struct cr 378 const struct cred *cred,
382 struct audit_fi 379 struct audit_field *f,
383 struct audit_co 380 struct audit_context *ctx,
384 struct audit_na 381 struct audit_names *name)
385 { 382 {
386 switch (f->val) { 383 switch (f->val) {
387 /* process to file object comparisons 384 /* process to file object comparisons */
388 case AUDIT_COMPARE_UID_TO_OBJ_UID: 385 case AUDIT_COMPARE_UID_TO_OBJ_UID:
389 return audit_compare_uid(cred- 386 return audit_compare_uid(cred->uid, name, f, ctx);
390 case AUDIT_COMPARE_GID_TO_OBJ_GID: 387 case AUDIT_COMPARE_GID_TO_OBJ_GID:
391 return audit_compare_gid(cred- 388 return audit_compare_gid(cred->gid, name, f, ctx);
392 case AUDIT_COMPARE_EUID_TO_OBJ_UID: 389 case AUDIT_COMPARE_EUID_TO_OBJ_UID:
393 return audit_compare_uid(cred- 390 return audit_compare_uid(cred->euid, name, f, ctx);
394 case AUDIT_COMPARE_EGID_TO_OBJ_GID: 391 case AUDIT_COMPARE_EGID_TO_OBJ_GID:
395 return audit_compare_gid(cred- 392 return audit_compare_gid(cred->egid, name, f, ctx);
396 case AUDIT_COMPARE_AUID_TO_OBJ_UID: 393 case AUDIT_COMPARE_AUID_TO_OBJ_UID:
397 return audit_compare_uid(audit 394 return audit_compare_uid(audit_get_loginuid(tsk), name, f, ctx);
398 case AUDIT_COMPARE_SUID_TO_OBJ_UID: 395 case AUDIT_COMPARE_SUID_TO_OBJ_UID:
399 return audit_compare_uid(cred- 396 return audit_compare_uid(cred->suid, name, f, ctx);
400 case AUDIT_COMPARE_SGID_TO_OBJ_GID: 397 case AUDIT_COMPARE_SGID_TO_OBJ_GID:
401 return audit_compare_gid(cred- 398 return audit_compare_gid(cred->sgid, name, f, ctx);
402 case AUDIT_COMPARE_FSUID_TO_OBJ_UID: 399 case AUDIT_COMPARE_FSUID_TO_OBJ_UID:
403 return audit_compare_uid(cred- 400 return audit_compare_uid(cred->fsuid, name, f, ctx);
404 case AUDIT_COMPARE_FSGID_TO_OBJ_GID: 401 case AUDIT_COMPARE_FSGID_TO_OBJ_GID:
405 return audit_compare_gid(cred- 402 return audit_compare_gid(cred->fsgid, name, f, ctx);
406 /* uid comparisons */ 403 /* uid comparisons */
407 case AUDIT_COMPARE_UID_TO_AUID: 404 case AUDIT_COMPARE_UID_TO_AUID:
408 return audit_uid_comparator(cr 405 return audit_uid_comparator(cred->uid, f->op,
409 au 406 audit_get_loginuid(tsk));
410 case AUDIT_COMPARE_UID_TO_EUID: 407 case AUDIT_COMPARE_UID_TO_EUID:
411 return audit_uid_comparator(cr 408 return audit_uid_comparator(cred->uid, f->op, cred->euid);
412 case AUDIT_COMPARE_UID_TO_SUID: 409 case AUDIT_COMPARE_UID_TO_SUID:
413 return audit_uid_comparator(cr 410 return audit_uid_comparator(cred->uid, f->op, cred->suid);
414 case AUDIT_COMPARE_UID_TO_FSUID: 411 case AUDIT_COMPARE_UID_TO_FSUID:
415 return audit_uid_comparator(cr 412 return audit_uid_comparator(cred->uid, f->op, cred->fsuid);
416 /* auid comparisons */ 413 /* auid comparisons */
417 case AUDIT_COMPARE_AUID_TO_EUID: 414 case AUDIT_COMPARE_AUID_TO_EUID:
418 return audit_uid_comparator(au 415 return audit_uid_comparator(audit_get_loginuid(tsk), f->op,
419 cr 416 cred->euid);
420 case AUDIT_COMPARE_AUID_TO_SUID: 417 case AUDIT_COMPARE_AUID_TO_SUID:
421 return audit_uid_comparator(au 418 return audit_uid_comparator(audit_get_loginuid(tsk), f->op,
422 cr 419 cred->suid);
423 case AUDIT_COMPARE_AUID_TO_FSUID: 420 case AUDIT_COMPARE_AUID_TO_FSUID:
424 return audit_uid_comparator(au 421 return audit_uid_comparator(audit_get_loginuid(tsk), f->op,
425 cr 422 cred->fsuid);
426 /* euid comparisons */ 423 /* euid comparisons */
427 case AUDIT_COMPARE_EUID_TO_SUID: 424 case AUDIT_COMPARE_EUID_TO_SUID:
428 return audit_uid_comparator(cr 425 return audit_uid_comparator(cred->euid, f->op, cred->suid);
429 case AUDIT_COMPARE_EUID_TO_FSUID: 426 case AUDIT_COMPARE_EUID_TO_FSUID:
430 return audit_uid_comparator(cr 427 return audit_uid_comparator(cred->euid, f->op, cred->fsuid);
431 /* suid comparisons */ 428 /* suid comparisons */
432 case AUDIT_COMPARE_SUID_TO_FSUID: 429 case AUDIT_COMPARE_SUID_TO_FSUID:
433 return audit_uid_comparator(cr 430 return audit_uid_comparator(cred->suid, f->op, cred->fsuid);
434 /* gid comparisons */ 431 /* gid comparisons */
435 case AUDIT_COMPARE_GID_TO_EGID: 432 case AUDIT_COMPARE_GID_TO_EGID:
436 return audit_gid_comparator(cr 433 return audit_gid_comparator(cred->gid, f->op, cred->egid);
437 case AUDIT_COMPARE_GID_TO_SGID: 434 case AUDIT_COMPARE_GID_TO_SGID:
438 return audit_gid_comparator(cr 435 return audit_gid_comparator(cred->gid, f->op, cred->sgid);
439 case AUDIT_COMPARE_GID_TO_FSGID: 436 case AUDIT_COMPARE_GID_TO_FSGID:
440 return audit_gid_comparator(cr 437 return audit_gid_comparator(cred->gid, f->op, cred->fsgid);
441 /* egid comparisons */ 438 /* egid comparisons */
442 case AUDIT_COMPARE_EGID_TO_SGID: 439 case AUDIT_COMPARE_EGID_TO_SGID:
443 return audit_gid_comparator(cr 440 return audit_gid_comparator(cred->egid, f->op, cred->sgid);
444 case AUDIT_COMPARE_EGID_TO_FSGID: 441 case AUDIT_COMPARE_EGID_TO_FSGID:
445 return audit_gid_comparator(cr 442 return audit_gid_comparator(cred->egid, f->op, cred->fsgid);
446 /* sgid comparison */ 443 /* sgid comparison */
447 case AUDIT_COMPARE_SGID_TO_FSGID: 444 case AUDIT_COMPARE_SGID_TO_FSGID:
448 return audit_gid_comparator(cr 445 return audit_gid_comparator(cred->sgid, f->op, cred->fsgid);
449 default: 446 default:
450 WARN(1, "Missing AUDIT_COMPARE 447 WARN(1, "Missing AUDIT_COMPARE define. Report as a bug\n");
451 return 0; 448 return 0;
452 } 449 }
453 return 0; 450 return 0;
454 } 451 }
455 452
456 /* Determine if any context name data matches 453 /* Determine if any context name data matches a rule's watch data */
457 /* Compare a task_struct with an audit_rule. 454 /* Compare a task_struct with an audit_rule. Return 1 on match, 0
458 * otherwise. 455 * otherwise.
459 * 456 *
460 * If task_creation is true, this is an explic 457 * If task_creation is true, this is an explicit indication that we are
461 * filtering a task rule at task creation time 458 * filtering a task rule at task creation time. This and tsk == current are
462 * the only situations where tsk->cred may be 459 * the only situations where tsk->cred may be accessed without an rcu read lock.
463 */ 460 */
464 static int audit_filter_rules(struct task_stru 461 static int audit_filter_rules(struct task_struct *tsk,
465 struct audit_kru 462 struct audit_krule *rule,
466 struct audit_con 463 struct audit_context *ctx,
467 struct audit_nam 464 struct audit_names *name,
468 enum audit_state 465 enum audit_state *state,
469 bool task_creati 466 bool task_creation)
470 { 467 {
471 const struct cred *cred; 468 const struct cred *cred;
472 int i, need_sid = 1; 469 int i, need_sid = 1;
473 u32 sid; 470 u32 sid;
474 unsigned int sessionid; 471 unsigned int sessionid;
475 472
476 if (ctx && rule->prio <= ctx->prio) 473 if (ctx && rule->prio <= ctx->prio)
477 return 0; 474 return 0;
478 475
479 cred = rcu_dereference_check(tsk->cred 476 cred = rcu_dereference_check(tsk->cred, tsk == current || task_creation);
480 477
481 for (i = 0; i < rule->field_count; i++ 478 for (i = 0; i < rule->field_count; i++) {
482 struct audit_field *f = &rule- 479 struct audit_field *f = &rule->fields[i];
483 struct audit_names *n; 480 struct audit_names *n;
484 int result = 0; 481 int result = 0;
485 pid_t pid; 482 pid_t pid;
486 483
487 switch (f->type) { 484 switch (f->type) {
488 case AUDIT_PID: 485 case AUDIT_PID:
489 pid = task_tgid_nr(tsk 486 pid = task_tgid_nr(tsk);
490 result = audit_compara 487 result = audit_comparator(pid, f->op, f->val);
491 break; 488 break;
492 case AUDIT_PPID: 489 case AUDIT_PPID:
493 if (ctx) { 490 if (ctx) {
494 if (!ctx->ppid 491 if (!ctx->ppid)
495 ctx->p 492 ctx->ppid = task_ppid_nr(tsk);
496 result = audit 493 result = audit_comparator(ctx->ppid, f->op, f->val);
497 } 494 }
498 break; 495 break;
499 case AUDIT_EXE: 496 case AUDIT_EXE:
500 result = audit_exe_com 497 result = audit_exe_compare(tsk, rule->exe);
501 if (f->op == Audit_not 498 if (f->op == Audit_not_equal)
502 result = !resu 499 result = !result;
503 break; 500 break;
504 case AUDIT_UID: 501 case AUDIT_UID:
505 result = audit_uid_com 502 result = audit_uid_comparator(cred->uid, f->op, f->uid);
506 break; 503 break;
507 case AUDIT_EUID: 504 case AUDIT_EUID:
508 result = audit_uid_com 505 result = audit_uid_comparator(cred->euid, f->op, f->uid);
509 break; 506 break;
510 case AUDIT_SUID: 507 case AUDIT_SUID:
511 result = audit_uid_com 508 result = audit_uid_comparator(cred->suid, f->op, f->uid);
512 break; 509 break;
513 case AUDIT_FSUID: 510 case AUDIT_FSUID:
514 result = audit_uid_com 511 result = audit_uid_comparator(cred->fsuid, f->op, f->uid);
515 break; 512 break;
516 case AUDIT_GID: 513 case AUDIT_GID:
517 result = audit_gid_com 514 result = audit_gid_comparator(cred->gid, f->op, f->gid);
518 if (f->op == Audit_equ 515 if (f->op == Audit_equal) {
519 if (!result) 516 if (!result)
520 result 517 result = groups_search(cred->group_info, f->gid);
521 } else if (f->op == Au 518 } else if (f->op == Audit_not_equal) {
522 if (result) 519 if (result)
523 result 520 result = !groups_search(cred->group_info, f->gid);
524 } 521 }
525 break; 522 break;
526 case AUDIT_EGID: 523 case AUDIT_EGID:
527 result = audit_gid_com 524 result = audit_gid_comparator(cred->egid, f->op, f->gid);
528 if (f->op == Audit_equ 525 if (f->op == Audit_equal) {
529 if (!result) 526 if (!result)
530 result 527 result = groups_search(cred->group_info, f->gid);
531 } else if (f->op == Au 528 } else if (f->op == Audit_not_equal) {
532 if (result) 529 if (result)
533 result 530 result = !groups_search(cred->group_info, f->gid);
534 } 531 }
535 break; 532 break;
536 case AUDIT_SGID: 533 case AUDIT_SGID:
537 result = audit_gid_com 534 result = audit_gid_comparator(cred->sgid, f->op, f->gid);
538 break; 535 break;
539 case AUDIT_FSGID: 536 case AUDIT_FSGID:
540 result = audit_gid_com 537 result = audit_gid_comparator(cred->fsgid, f->op, f->gid);
541 break; 538 break;
542 case AUDIT_SESSIONID: 539 case AUDIT_SESSIONID:
543 sessionid = audit_get_ 540 sessionid = audit_get_sessionid(tsk);
544 result = audit_compara 541 result = audit_comparator(sessionid, f->op, f->val);
545 break; 542 break;
546 case AUDIT_PERS: 543 case AUDIT_PERS:
547 result = audit_compara 544 result = audit_comparator(tsk->personality, f->op, f->val);
548 break; 545 break;
549 case AUDIT_ARCH: 546 case AUDIT_ARCH:
550 if (ctx) 547 if (ctx)
551 result = audit 548 result = audit_comparator(ctx->arch, f->op, f->val);
552 break; 549 break;
553 550
554 case AUDIT_EXIT: 551 case AUDIT_EXIT:
555 if (ctx && ctx->return 552 if (ctx && ctx->return_valid != AUDITSC_INVALID)
556 result = audit 553 result = audit_comparator(ctx->return_code, f->op, f->val);
557 break; 554 break;
558 case AUDIT_SUCCESS: 555 case AUDIT_SUCCESS:
559 if (ctx && ctx->return 556 if (ctx && ctx->return_valid != AUDITSC_INVALID) {
560 if (f->val) 557 if (f->val)
561 result 558 result = audit_comparator(ctx->return_valid, f->op, AUDITSC_SUCCESS);
562 else 559 else
563 result 560 result = audit_comparator(ctx->return_valid, f->op, AUDITSC_FAILURE);
564 } 561 }
565 break; 562 break;
566 case AUDIT_DEVMAJOR: 563 case AUDIT_DEVMAJOR:
567 if (name) { 564 if (name) {
568 if (audit_comp 565 if (audit_comparator(MAJOR(name->dev), f->op, f->val) ||
569 audit_comp 566 audit_comparator(MAJOR(name->rdev), f->op, f->val))
570 ++resu 567 ++result;
571 } else if (ctx) { 568 } else if (ctx) {
572 list_for_each_ 569 list_for_each_entry(n, &ctx->names_list, list) {
573 if (au 570 if (audit_comparator(MAJOR(n->dev), f->op, f->val) ||
574 au 571 audit_comparator(MAJOR(n->rdev), f->op, f->val)) {
575 572 ++result;
576 573 break;
577 } 574 }
578 } 575 }
579 } 576 }
580 break; 577 break;
581 case AUDIT_DEVMINOR: 578 case AUDIT_DEVMINOR:
582 if (name) { 579 if (name) {
583 if (audit_comp 580 if (audit_comparator(MINOR(name->dev), f->op, f->val) ||
584 audit_comp 581 audit_comparator(MINOR(name->rdev), f->op, f->val))
585 ++resu 582 ++result;
586 } else if (ctx) { 583 } else if (ctx) {
587 list_for_each_ 584 list_for_each_entry(n, &ctx->names_list, list) {
588 if (au 585 if (audit_comparator(MINOR(n->dev), f->op, f->val) ||
589 au 586 audit_comparator(MINOR(n->rdev), f->op, f->val)) {
590 587 ++result;
591 588 break;
592 } 589 }
593 } 590 }
594 } 591 }
595 break; 592 break;
596 case AUDIT_INODE: 593 case AUDIT_INODE:
597 if (name) 594 if (name)
598 result = audit 595 result = audit_comparator(name->ino, f->op, f->val);
599 else if (ctx) { 596 else if (ctx) {
600 list_for_each_ 597 list_for_each_entry(n, &ctx->names_list, list) {
601 if (au 598 if (audit_comparator(n->ino, f->op, f->val)) {
602 599 ++result;
603 600 break;
604 } 601 }
605 } 602 }
606 } 603 }
607 break; 604 break;
608 case AUDIT_OBJ_UID: 605 case AUDIT_OBJ_UID:
609 if (name) { 606 if (name) {
610 result = audit 607 result = audit_uid_comparator(name->uid, f->op, f->uid);
611 } else if (ctx) { 608 } else if (ctx) {
612 list_for_each_ 609 list_for_each_entry(n, &ctx->names_list, list) {
613 if (au 610 if (audit_uid_comparator(n->uid, f->op, f->uid)) {
614 611 ++result;
615 612 break;
616 } 613 }
617 } 614 }
618 } 615 }
619 break; 616 break;
620 case AUDIT_OBJ_GID: 617 case AUDIT_OBJ_GID:
621 if (name) { 618 if (name) {
622 result = audit 619 result = audit_gid_comparator(name->gid, f->op, f->gid);
623 } else if (ctx) { 620 } else if (ctx) {
624 list_for_each_ 621 list_for_each_entry(n, &ctx->names_list, list) {
625 if (au 622 if (audit_gid_comparator(n->gid, f->op, f->gid)) {
626 623 ++result;
627 624 break;
628 } 625 }
629 } 626 }
630 } 627 }
631 break; 628 break;
632 case AUDIT_WATCH: 629 case AUDIT_WATCH:
633 if (name) { 630 if (name) {
634 result = audit 631 result = audit_watch_compare(rule->watch,
635 632 name->ino,
636 633 name->dev);
637 if (f->op == A 634 if (f->op == Audit_not_equal)
638 result 635 result = !result;
639 } 636 }
640 break; 637 break;
641 case AUDIT_DIR: 638 case AUDIT_DIR:
642 if (ctx) { 639 if (ctx) {
643 result = match 640 result = match_tree_refs(ctx, rule->tree);
644 if (f->op == A 641 if (f->op == Audit_not_equal)
645 result 642 result = !result;
646 } 643 }
647 break; 644 break;
648 case AUDIT_LOGINUID: 645 case AUDIT_LOGINUID:
649 result = audit_uid_com 646 result = audit_uid_comparator(audit_get_loginuid(tsk),
650 647 f->op, f->uid);
651 break; 648 break;
652 case AUDIT_LOGINUID_SET: 649 case AUDIT_LOGINUID_SET:
653 result = audit_compara 650 result = audit_comparator(audit_loginuid_set(tsk), f->op, f->val);
654 break; 651 break;
655 case AUDIT_SADDR_FAM: 652 case AUDIT_SADDR_FAM:
656 if (ctx && ctx->sockad 653 if (ctx && ctx->sockaddr)
657 result = audit 654 result = audit_comparator(ctx->sockaddr->ss_family,
658 655 f->op, f->val);
659 break; 656 break;
660 case AUDIT_SUBJ_USER: 657 case AUDIT_SUBJ_USER:
661 case AUDIT_SUBJ_ROLE: 658 case AUDIT_SUBJ_ROLE:
662 case AUDIT_SUBJ_TYPE: 659 case AUDIT_SUBJ_TYPE:
663 case AUDIT_SUBJ_SEN: 660 case AUDIT_SUBJ_SEN:
664 case AUDIT_SUBJ_CLR: 661 case AUDIT_SUBJ_CLR:
665 /* NOTE: this may retu 662 /* NOTE: this may return negative values indicating
666 a temporary error. 663 a temporary error. We simply treat this as a
667 match for now to av 664 match for now to avoid losing information that
668 may be wanted. An 665 may be wanted. An error message will also be
669 logged upon error * 666 logged upon error */
670 if (f->lsm_rule) { 667 if (f->lsm_rule) {
671 if (need_sid) 668 if (need_sid) {
672 /* @ts 669 /* @tsk should always be equal to
673 * @cu 670 * @current with the exception of
674 * for 671 * fork()/copy_process() in which case
675 * the 672 * the new @tsk creds are still a dup
676 * of 673 * of @current's creds so we can still
677 * use 674 * use security_current_getsecid_subj()
678 * her 675 * here even though it always refs
679 * @cu 676 * @current's creds
680 */ 677 */
681 securi 678 security_current_getsecid_subj(&sid);
682 need_s 679 need_sid = 0;
683 } 680 }
684 result = secur 681 result = security_audit_rule_match(sid, f->type,
685 682 f->op,
686 683 f->lsm_rule);
687 } 684 }
688 break; 685 break;
689 case AUDIT_OBJ_USER: 686 case AUDIT_OBJ_USER:
690 case AUDIT_OBJ_ROLE: 687 case AUDIT_OBJ_ROLE:
691 case AUDIT_OBJ_TYPE: 688 case AUDIT_OBJ_TYPE:
692 case AUDIT_OBJ_LEV_LOW: 689 case AUDIT_OBJ_LEV_LOW:
693 case AUDIT_OBJ_LEV_HIGH: 690 case AUDIT_OBJ_LEV_HIGH:
694 /* The above note for 691 /* The above note for AUDIT_SUBJ_USER...AUDIT_SUBJ_CLR
695 also applies here * 692 also applies here */
696 if (f->lsm_rule) { 693 if (f->lsm_rule) {
697 /* Find files 694 /* Find files that match */
698 if (name) { 695 if (name) {
699 result 696 result = security_audit_rule_match(
700 697 name->osid,
701 698 f->type,
702 699 f->op,
703 700 f->lsm_rule);
704 } else if (ctx 701 } else if (ctx) {
705 list_f 702 list_for_each_entry(n, &ctx->names_list, list) {
706 703 if (security_audit_rule_match(
707 704 n->osid,
708 705 f->type,
709 706 f->op,
710 707 f->lsm_rule)) {
711 708 ++result;
712 709 break;
713 710 }
714 } 711 }
715 } 712 }
716 /* Find ipc ob 713 /* Find ipc objects that match */
717 if (!ctx || ct 714 if (!ctx || ctx->type != AUDIT_IPC)
718 break; 715 break;
719 if (security_a 716 if (security_audit_rule_match(ctx->ipc.osid,
720 717 f->type, f->op,
721 718 f->lsm_rule))
722 ++resu 719 ++result;
723 } 720 }
724 break; 721 break;
725 case AUDIT_ARG0: 722 case AUDIT_ARG0:
726 case AUDIT_ARG1: 723 case AUDIT_ARG1:
727 case AUDIT_ARG2: 724 case AUDIT_ARG2:
728 case AUDIT_ARG3: 725 case AUDIT_ARG3:
729 if (ctx) 726 if (ctx)
730 result = audit 727 result = audit_comparator(ctx->argv[f->type-AUDIT_ARG0], f->op, f->val);
731 break; 728 break;
732 case AUDIT_FILTERKEY: 729 case AUDIT_FILTERKEY:
733 /* ignore this field f 730 /* ignore this field for filtering */
734 result = 1; 731 result = 1;
735 break; 732 break;
736 case AUDIT_PERM: 733 case AUDIT_PERM:
737 result = audit_match_p 734 result = audit_match_perm(ctx, f->val);
738 if (f->op == Audit_not 735 if (f->op == Audit_not_equal)
739 result = !resu 736 result = !result;
740 break; 737 break;
741 case AUDIT_FILETYPE: 738 case AUDIT_FILETYPE:
742 result = audit_match_f 739 result = audit_match_filetype(ctx, f->val);
743 if (f->op == Audit_not 740 if (f->op == Audit_not_equal)
744 result = !resu 741 result = !result;
745 break; 742 break;
746 case AUDIT_FIELD_COMPARE: 743 case AUDIT_FIELD_COMPARE:
747 result = audit_field_c 744 result = audit_field_compare(tsk, cred, f, ctx, name);
748 break; 745 break;
749 } 746 }
750 if (!result) 747 if (!result)
751 return 0; 748 return 0;
752 } 749 }
753 750
754 if (ctx) { 751 if (ctx) {
755 if (rule->filterkey) { 752 if (rule->filterkey) {
756 kfree(ctx->filterkey); 753 kfree(ctx->filterkey);
757 ctx->filterkey = kstrd 754 ctx->filterkey = kstrdup(rule->filterkey, GFP_ATOMIC);
758 } 755 }
759 ctx->prio = rule->prio; 756 ctx->prio = rule->prio;
760 } 757 }
761 switch (rule->action) { 758 switch (rule->action) {
762 case AUDIT_NEVER: 759 case AUDIT_NEVER:
763 *state = AUDIT_STATE_DISABLED; 760 *state = AUDIT_STATE_DISABLED;
764 break; 761 break;
765 case AUDIT_ALWAYS: 762 case AUDIT_ALWAYS:
766 *state = AUDIT_STATE_RECORD; 763 *state = AUDIT_STATE_RECORD;
767 break; 764 break;
768 } 765 }
769 return 1; 766 return 1;
770 } 767 }
771 768
772 /* At process creation time, we can determine 769 /* At process creation time, we can determine if system-call auditing is
773 * completely disabled for this task. Since w 770 * completely disabled for this task. Since we only have the task
774 * structure at this point, we can only check 771 * structure at this point, we can only check uid and gid.
775 */ 772 */
776 static enum audit_state audit_filter_task(stru 773 static enum audit_state audit_filter_task(struct task_struct *tsk, char **key)
777 { 774 {
778 struct audit_entry *e; 775 struct audit_entry *e;
779 enum audit_state state; 776 enum audit_state state;
780 777
781 rcu_read_lock(); 778 rcu_read_lock();
782 list_for_each_entry_rcu(e, &audit_filt 779 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TASK], list) {
783 if (audit_filter_rules(tsk, &e 780 if (audit_filter_rules(tsk, &e->rule, NULL, NULL,
784 &state, 781 &state, true)) {
785 if (state == AUDIT_STA 782 if (state == AUDIT_STATE_RECORD)
786 *key = kstrdup 783 *key = kstrdup(e->rule.filterkey, GFP_ATOMIC);
787 rcu_read_unlock(); 784 rcu_read_unlock();
788 return state; 785 return state;
789 } 786 }
790 } 787 }
791 rcu_read_unlock(); 788 rcu_read_unlock();
792 return AUDIT_STATE_BUILD; 789 return AUDIT_STATE_BUILD;
793 } 790 }
794 791
795 static int audit_in_mask(const struct audit_kr 792 static int audit_in_mask(const struct audit_krule *rule, unsigned long val)
796 { 793 {
797 int word, bit; 794 int word, bit;
798 795
799 if (val > 0xffffffff) 796 if (val > 0xffffffff)
800 return false; 797 return false;
801 798
802 word = AUDIT_WORD(val); 799 word = AUDIT_WORD(val);
803 if (word >= AUDIT_BITMASK_SIZE) 800 if (word >= AUDIT_BITMASK_SIZE)
804 return false; 801 return false;
805 802
806 bit = AUDIT_BIT(val); 803 bit = AUDIT_BIT(val);
807 804
808 return rule->mask[word] & bit; 805 return rule->mask[word] & bit;
809 } 806 }
810 807
811 /** 808 /**
812 * __audit_filter_op - common filter helper fo <<
813 * @tsk: associated task <<
814 * @ctx: audit context <<
815 * @list: audit filter list <<
816 * @name: audit_name (can be NULL) <<
817 * @op: current syscall/uring_op <<
818 * <<
819 * Run the udit filters specified in @list aga <<
820 * @name, and @op, as necessary; the caller is <<
821 * that the call is made while the RCU read lo <<
822 * parameter can be NULL, but all others must <<
823 * Returns 1/true if the filter finds a match, <<
824 */ <<
825 static int __audit_filter_op(struct task_struc <<
826 struct audit_contex <<
827 struct list_head *l <<
828 struct audit_names <<
829 unsigned long op) <<
830 { <<
831 struct audit_entry *e; <<
832 enum audit_state state; <<
833 <<
834 list_for_each_entry_rcu(e, list, list) <<
835 if (audit_in_mask(&e->rule, op <<
836 audit_filter_rules(tsk, &e <<
837 &state, <<
838 ctx->current_state = s <<
839 return 1; <<
840 } <<
841 } <<
842 return 0; <<
843 } <<
844 <<
845 /** <<
846 * audit_filter_uring - apply filters to an io 809 * audit_filter_uring - apply filters to an io_uring operation
847 * @tsk: associated task 810 * @tsk: associated task
848 * @ctx: audit context 811 * @ctx: audit context
849 */ 812 */
850 static void audit_filter_uring(struct task_str 813 static void audit_filter_uring(struct task_struct *tsk,
851 struct audit_co 814 struct audit_context *ctx)
852 { 815 {
>> 816 struct audit_entry *e;
>> 817 enum audit_state state;
>> 818
853 if (auditd_test_task(tsk)) 819 if (auditd_test_task(tsk))
854 return; 820 return;
855 821
856 rcu_read_lock(); 822 rcu_read_lock();
857 __audit_filter_op(tsk, ctx, &audit_fil !! 823 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_URING_EXIT],
858 NULL, ctx->uring_op); !! 824 list) {
>> 825 if (audit_in_mask(&e->rule, ctx->uring_op) &&
>> 826 audit_filter_rules(tsk, &e->rule, ctx, NULL, &state,
>> 827 false)) {
>> 828 rcu_read_unlock();
>> 829 ctx->current_state = state;
>> 830 return;
>> 831 }
>> 832 }
859 rcu_read_unlock(); 833 rcu_read_unlock();
860 } 834 }
861 835
862 /* At syscall exit time, this filter is called 836 /* At syscall exit time, this filter is called if the audit_state is
863 * not low enough that auditing cannot take pl 837 * not low enough that auditing cannot take place, but is also not
864 * high enough that we already know we have to 838 * high enough that we already know we have to write an audit record
865 * (i.e., the state is AUDIT_STATE_BUILD). 839 * (i.e., the state is AUDIT_STATE_BUILD).
866 */ 840 */
867 static void audit_filter_syscall(struct task_s 841 static void audit_filter_syscall(struct task_struct *tsk,
868 struct audit_ 842 struct audit_context *ctx)
869 { 843 {
>> 844 struct audit_entry *e;
>> 845 enum audit_state state;
>> 846
870 if (auditd_test_task(tsk)) 847 if (auditd_test_task(tsk))
871 return; 848 return;
872 849
873 rcu_read_lock(); 850 rcu_read_lock();
874 __audit_filter_op(tsk, ctx, &audit_fil !! 851 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_EXIT], list) {
875 NULL, ctx->major); !! 852 if (audit_in_mask(&e->rule, ctx->major) &&
>> 853 audit_filter_rules(tsk, &e->rule, ctx, NULL,
>> 854 &state, false)) {
>> 855 rcu_read_unlock();
>> 856 ctx->current_state = state;
>> 857 return;
>> 858 }
>> 859 }
876 rcu_read_unlock(); 860 rcu_read_unlock();
>> 861 return;
877 } 862 }
878 863
879 /* 864 /*
880 * Given an audit_name check the inode hash ta 865 * Given an audit_name check the inode hash table to see if they match.
881 * Called holding the rcu read lock to protect 866 * Called holding the rcu read lock to protect the use of audit_inode_hash
882 */ 867 */
883 static int audit_filter_inode_name(struct task 868 static int audit_filter_inode_name(struct task_struct *tsk,
884 struct audi 869 struct audit_names *n,
885 struct audi !! 870 struct audit_context *ctx) {
886 { <<
887 int h = audit_hash_ino((u32)n->ino); 871 int h = audit_hash_ino((u32)n->ino);
888 struct list_head *list = &audit_inode_ 872 struct list_head *list = &audit_inode_hash[h];
>> 873 struct audit_entry *e;
>> 874 enum audit_state state;
889 875
890 return __audit_filter_op(tsk, ctx, lis !! 876 list_for_each_entry_rcu(e, list, list) {
>> 877 if (audit_in_mask(&e->rule, ctx->major) &&
>> 878 audit_filter_rules(tsk, &e->rule, ctx, n, &state, false)) {
>> 879 ctx->current_state = state;
>> 880 return 1;
>> 881 }
>> 882 }
>> 883 return 0;
891 } 884 }
892 885
893 /* At syscall exit time, this filter is called 886 /* At syscall exit time, this filter is called if any audit_names have been
894 * collected during syscall processing. We on 887 * collected during syscall processing. We only check rules in sublists at hash
895 * buckets applicable to the inode numbers in 888 * buckets applicable to the inode numbers in audit_names.
896 * Regarding audit_state, same rules apply as 889 * Regarding audit_state, same rules apply as for audit_filter_syscall().
897 */ 890 */
898 void audit_filter_inodes(struct task_struct *t 891 void audit_filter_inodes(struct task_struct *tsk, struct audit_context *ctx)
899 { 892 {
900 struct audit_names *n; 893 struct audit_names *n;
901 894
902 if (auditd_test_task(tsk)) 895 if (auditd_test_task(tsk))
903 return; 896 return;
904 897
905 rcu_read_lock(); 898 rcu_read_lock();
906 899
907 list_for_each_entry(n, &ctx->names_lis 900 list_for_each_entry(n, &ctx->names_list, list) {
908 if (audit_filter_inode_name(ts 901 if (audit_filter_inode_name(tsk, n, ctx))
909 break; 902 break;
910 } 903 }
911 rcu_read_unlock(); 904 rcu_read_unlock();
912 } 905 }
913 906
914 static inline void audit_proctitle_free(struct 907 static inline void audit_proctitle_free(struct audit_context *context)
915 { 908 {
916 kfree(context->proctitle.value); 909 kfree(context->proctitle.value);
917 context->proctitle.value = NULL; 910 context->proctitle.value = NULL;
918 context->proctitle.len = 0; 911 context->proctitle.len = 0;
919 } 912 }
920 913
921 static inline void audit_free_module(struct au 914 static inline void audit_free_module(struct audit_context *context)
922 { 915 {
923 if (context->type == AUDIT_KERN_MODULE 916 if (context->type == AUDIT_KERN_MODULE) {
924 kfree(context->module.name); 917 kfree(context->module.name);
925 context->module.name = NULL; 918 context->module.name = NULL;
926 } 919 }
927 } 920 }
928 static inline void audit_free_names(struct aud 921 static inline void audit_free_names(struct audit_context *context)
929 { 922 {
930 struct audit_names *n, *next; 923 struct audit_names *n, *next;
931 924
932 list_for_each_entry_safe(n, next, &con 925 list_for_each_entry_safe(n, next, &context->names_list, list) {
933 list_del(&n->list); 926 list_del(&n->list);
934 if (n->name) 927 if (n->name)
935 putname(n->name); 928 putname(n->name);
936 if (n->should_free) 929 if (n->should_free)
937 kfree(n); 930 kfree(n);
938 } 931 }
939 context->name_count = 0; 932 context->name_count = 0;
940 path_put(&context->pwd); 933 path_put(&context->pwd);
941 context->pwd.dentry = NULL; 934 context->pwd.dentry = NULL;
942 context->pwd.mnt = NULL; 935 context->pwd.mnt = NULL;
943 } 936 }
944 937
945 static inline void audit_free_aux(struct audit 938 static inline void audit_free_aux(struct audit_context *context)
946 { 939 {
947 struct audit_aux_data *aux; 940 struct audit_aux_data *aux;
948 941
949 while ((aux = context->aux)) { 942 while ((aux = context->aux)) {
950 context->aux = aux->next; 943 context->aux = aux->next;
951 kfree(aux); 944 kfree(aux);
952 } 945 }
953 context->aux = NULL; 946 context->aux = NULL;
954 while ((aux = context->aux_pids)) { 947 while ((aux = context->aux_pids)) {
955 context->aux_pids = aux->next; 948 context->aux_pids = aux->next;
956 kfree(aux); 949 kfree(aux);
957 } 950 }
958 context->aux_pids = NULL; 951 context->aux_pids = NULL;
959 } 952 }
960 953
961 /** 954 /**
962 * audit_reset_context - reset a audit_context 955 * audit_reset_context - reset a audit_context structure
963 * @ctx: the audit_context to reset 956 * @ctx: the audit_context to reset
964 * 957 *
965 * All fields in the audit_context will be res 958 * All fields in the audit_context will be reset to an initial state, all
966 * references held by fields will be dropped, 959 * references held by fields will be dropped, and private memory will be
967 * released. When this function returns the a 960 * released. When this function returns the audit_context will be suitable
968 * for reuse, so long as the passed context is 961 * for reuse, so long as the passed context is not NULL or a dummy context.
969 */ 962 */
970 static void audit_reset_context(struct audit_c 963 static void audit_reset_context(struct audit_context *ctx)
971 { 964 {
972 if (!ctx) 965 if (!ctx)
973 return; 966 return;
974 967
975 /* if ctx is non-null, reset the "ctx- !! 968 /* if ctx is non-null, reset the "ctx->state" regardless */
976 ctx->context = AUDIT_CTX_UNUSED; 969 ctx->context = AUDIT_CTX_UNUSED;
977 if (ctx->dummy) 970 if (ctx->dummy)
978 return; 971 return;
979 972
980 /* 973 /*
981 * NOTE: It shouldn't matter in what o 974 * NOTE: It shouldn't matter in what order we release the fields, so
982 * release them in the order in 975 * release them in the order in which they appear in the struct;
983 * this gives us some hope of qu 976 * this gives us some hope of quickly making sure we are
984 * resetting the audit_context p 977 * resetting the audit_context properly.
985 * 978 *
986 * Other things worth mentioning 979 * Other things worth mentioning:
987 * - we don't reset "dummy" 980 * - we don't reset "dummy"
988 * - we don't reset "state", we 981 * - we don't reset "state", we do reset "current_state"
989 * - we preserve "filterkey" if 982 * - we preserve "filterkey" if "state" is AUDIT_STATE_RECORD
990 * - much of this is likely over 983 * - much of this is likely overkill, but play it safe for now
991 * - we really need to work on i 984 * - we really need to work on improving the audit_context struct
992 */ 985 */
993 986
994 ctx->current_state = ctx->state; 987 ctx->current_state = ctx->state;
995 ctx->serial = 0; 988 ctx->serial = 0;
996 ctx->major = 0; 989 ctx->major = 0;
997 ctx->uring_op = 0; 990 ctx->uring_op = 0;
998 ctx->ctime = (struct timespec64){ .tv_ 991 ctx->ctime = (struct timespec64){ .tv_sec = 0, .tv_nsec = 0 };
999 memset(ctx->argv, 0, sizeof(ctx->argv) 992 memset(ctx->argv, 0, sizeof(ctx->argv));
1000 ctx->return_code = 0; 993 ctx->return_code = 0;
1001 ctx->prio = (ctx->state == AUDIT_STAT 994 ctx->prio = (ctx->state == AUDIT_STATE_RECORD ? ~0ULL : 0);
1002 ctx->return_valid = AUDITSC_INVALID; 995 ctx->return_valid = AUDITSC_INVALID;
1003 audit_free_names(ctx); 996 audit_free_names(ctx);
1004 if (ctx->state != AUDIT_STATE_RECORD) 997 if (ctx->state != AUDIT_STATE_RECORD) {
1005 kfree(ctx->filterkey); 998 kfree(ctx->filterkey);
1006 ctx->filterkey = NULL; 999 ctx->filterkey = NULL;
1007 } 1000 }
1008 audit_free_aux(ctx); 1001 audit_free_aux(ctx);
1009 kfree(ctx->sockaddr); 1002 kfree(ctx->sockaddr);
1010 ctx->sockaddr = NULL; 1003 ctx->sockaddr = NULL;
1011 ctx->sockaddr_len = 0; 1004 ctx->sockaddr_len = 0;
1012 ctx->ppid = 0; !! 1005 ctx->pid = ctx->ppid = 0;
1013 ctx->uid = ctx->euid = ctx->suid = ct 1006 ctx->uid = ctx->euid = ctx->suid = ctx->fsuid = KUIDT_INIT(0);
1014 ctx->gid = ctx->egid = ctx->sgid = ct 1007 ctx->gid = ctx->egid = ctx->sgid = ctx->fsgid = KGIDT_INIT(0);
1015 ctx->personality = 0; 1008 ctx->personality = 0;
1016 ctx->arch = 0; 1009 ctx->arch = 0;
1017 ctx->target_pid = 0; 1010 ctx->target_pid = 0;
1018 ctx->target_auid = ctx->target_uid = 1011 ctx->target_auid = ctx->target_uid = KUIDT_INIT(0);
1019 ctx->target_sessionid = 0; 1012 ctx->target_sessionid = 0;
1020 ctx->target_sid = 0; 1013 ctx->target_sid = 0;
1021 ctx->target_comm[0] = '\0'; 1014 ctx->target_comm[0] = '\0';
1022 unroll_tree_refs(ctx, NULL, 0); 1015 unroll_tree_refs(ctx, NULL, 0);
1023 WARN_ON(!list_empty(&ctx->killed_tree 1016 WARN_ON(!list_empty(&ctx->killed_trees));
>> 1017 ctx->type = 0;
1024 audit_free_module(ctx); 1018 audit_free_module(ctx);
1025 ctx->fds[0] = -1; 1019 ctx->fds[0] = -1;
1026 ctx->type = 0; /* reset last for audi !! 1020 audit_proctitle_free(ctx);
1027 } 1021 }
1028 1022
1029 static inline struct audit_context *audit_all 1023 static inline struct audit_context *audit_alloc_context(enum audit_state state)
1030 { 1024 {
1031 struct audit_context *context; 1025 struct audit_context *context;
1032 1026
1033 context = kzalloc(sizeof(*context), G 1027 context = kzalloc(sizeof(*context), GFP_KERNEL);
1034 if (!context) 1028 if (!context)
1035 return NULL; 1029 return NULL;
1036 context->context = AUDIT_CTX_UNUSED; 1030 context->context = AUDIT_CTX_UNUSED;
1037 context->state = state; 1031 context->state = state;
1038 context->prio = state == AUDIT_STATE_ 1032 context->prio = state == AUDIT_STATE_RECORD ? ~0ULL : 0;
1039 INIT_LIST_HEAD(&context->killed_trees 1033 INIT_LIST_HEAD(&context->killed_trees);
1040 INIT_LIST_HEAD(&context->names_list); 1034 INIT_LIST_HEAD(&context->names_list);
1041 context->fds[0] = -1; 1035 context->fds[0] = -1;
1042 context->return_valid = AUDITSC_INVAL 1036 context->return_valid = AUDITSC_INVALID;
1043 return context; 1037 return context;
1044 } 1038 }
1045 1039
1046 /** 1040 /**
1047 * audit_alloc - allocate an audit context bl 1041 * audit_alloc - allocate an audit context block for a task
1048 * @tsk: task 1042 * @tsk: task
1049 * 1043 *
1050 * Filter on the task information and allocat 1044 * Filter on the task information and allocate a per-task audit context
1051 * if necessary. Doing so turns on system ca 1045 * if necessary. Doing so turns on system call auditing for the
1052 * specified task. This is called from copy_ 1046 * specified task. This is called from copy_process, so no lock is
1053 * needed. 1047 * needed.
1054 */ 1048 */
1055 int audit_alloc(struct task_struct *tsk) 1049 int audit_alloc(struct task_struct *tsk)
1056 { 1050 {
1057 struct audit_context *context; 1051 struct audit_context *context;
1058 enum audit_state state; 1052 enum audit_state state;
1059 char *key = NULL; 1053 char *key = NULL;
1060 1054
1061 if (likely(!audit_ever_enabled)) 1055 if (likely(!audit_ever_enabled))
1062 return 0; 1056 return 0;
1063 1057
1064 state = audit_filter_task(tsk, &key); 1058 state = audit_filter_task(tsk, &key);
1065 if (state == AUDIT_STATE_DISABLED) { 1059 if (state == AUDIT_STATE_DISABLED) {
1066 clear_task_syscall_work(tsk, 1060 clear_task_syscall_work(tsk, SYSCALL_AUDIT);
1067 return 0; 1061 return 0;
1068 } 1062 }
1069 1063
1070 context = audit_alloc_context(state); !! 1064 if (!(context = audit_alloc_context(state))) {
1071 if (!context) { <<
1072 kfree(key); 1065 kfree(key);
1073 audit_log_lost("out of memory 1066 audit_log_lost("out of memory in audit_alloc");
1074 return -ENOMEM; 1067 return -ENOMEM;
1075 } 1068 }
1076 context->filterkey = key; 1069 context->filterkey = key;
1077 1070
1078 audit_set_context(tsk, context); 1071 audit_set_context(tsk, context);
1079 set_task_syscall_work(tsk, SYSCALL_AU 1072 set_task_syscall_work(tsk, SYSCALL_AUDIT);
1080 return 0; 1073 return 0;
1081 } 1074 }
1082 1075
>> 1076 /**
>> 1077 * audit_alloc_kernel - allocate an audit_context for a kernel task
>> 1078 * @tsk: the kernel task
>> 1079 *
>> 1080 * Similar to the audit_alloc() function, but intended for kernel private
>> 1081 * threads. Returns zero on success, negative values on failure.
>> 1082 */
>> 1083 int audit_alloc_kernel(struct task_struct *tsk)
>> 1084 {
>> 1085 /*
>> 1086 * At the moment we are just going to call into audit_alloc() to
>> 1087 * simplify the code, but there two things to keep in mind with this
>> 1088 * approach:
>> 1089 *
>> 1090 * 1. Filtering internal kernel tasks is a bit laughable in almost all
>> 1091 * cases, but there is at least one case where there is a benefit:
>> 1092 * the '-a task,never' case allows the admin to effectively disable
>> 1093 * task auditing at runtime.
>> 1094 *
>> 1095 * 2. The {set,clear}_task_syscall_work() ops likely have zero effect
>> 1096 * on these internal kernel tasks, but they probably don't hurt either.
>> 1097 */
>> 1098 return audit_alloc(tsk);
>> 1099 }
>> 1100
1083 static inline void audit_free_context(struct 1101 static inline void audit_free_context(struct audit_context *context)
1084 { 1102 {
1085 /* resetting is extra work, but it is 1103 /* resetting is extra work, but it is likely just noise */
1086 audit_reset_context(context); 1104 audit_reset_context(context);
1087 audit_proctitle_free(context); <<
1088 free_tree_refs(context); 1105 free_tree_refs(context);
1089 kfree(context->filterkey); 1106 kfree(context->filterkey);
1090 kfree(context); 1107 kfree(context);
1091 } 1108 }
1092 1109
1093 static int audit_log_pid_context(struct audit 1110 static int audit_log_pid_context(struct audit_context *context, pid_t pid,
1094 kuid_t auid, 1111 kuid_t auid, kuid_t uid, unsigned int sessionid,
1095 u32 sid, cha 1112 u32 sid, char *comm)
1096 { 1113 {
1097 struct audit_buffer *ab; 1114 struct audit_buffer *ab;
1098 char *ctx = NULL; 1115 char *ctx = NULL;
1099 u32 len; 1116 u32 len;
1100 int rc = 0; 1117 int rc = 0;
1101 1118
1102 ab = audit_log_start(context, GFP_KER 1119 ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID);
1103 if (!ab) 1120 if (!ab)
1104 return rc; 1121 return rc;
1105 1122
1106 audit_log_format(ab, "opid=%d oauid=% 1123 audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid,
1107 from_kuid(&init_user 1124 from_kuid(&init_user_ns, auid),
1108 from_kuid(&init_user 1125 from_kuid(&init_user_ns, uid), sessionid);
1109 if (sid) { 1126 if (sid) {
1110 if (security_secid_to_secctx( 1127 if (security_secid_to_secctx(sid, &ctx, &len)) {
1111 audit_log_format(ab, 1128 audit_log_format(ab, " obj=(none)");
1112 rc = 1; 1129 rc = 1;
1113 } else { 1130 } else {
1114 audit_log_format(ab, 1131 audit_log_format(ab, " obj=%s", ctx);
1115 security_release_secc 1132 security_release_secctx(ctx, len);
1116 } 1133 }
1117 } 1134 }
1118 audit_log_format(ab, " ocomm="); 1135 audit_log_format(ab, " ocomm=");
1119 audit_log_untrustedstring(ab, comm); 1136 audit_log_untrustedstring(ab, comm);
1120 audit_log_end(ab); 1137 audit_log_end(ab);
1121 1138
1122 return rc; 1139 return rc;
1123 } 1140 }
1124 1141
1125 static void audit_log_execve_info(struct audi 1142 static void audit_log_execve_info(struct audit_context *context,
1126 struct audi 1143 struct audit_buffer **ab)
1127 { 1144 {
1128 long len_max; 1145 long len_max;
1129 long len_rem; 1146 long len_rem;
1130 long len_full; 1147 long len_full;
1131 long len_buf; 1148 long len_buf;
1132 long len_abuf = 0; 1149 long len_abuf = 0;
1133 long len_tmp; 1150 long len_tmp;
1134 bool require_data; 1151 bool require_data;
1135 bool encode; 1152 bool encode;
1136 unsigned int iter; 1153 unsigned int iter;
1137 unsigned int arg; 1154 unsigned int arg;
1138 char *buf_head; 1155 char *buf_head;
1139 char *buf; 1156 char *buf;
1140 const char __user *p = (const char __ 1157 const char __user *p = (const char __user *)current->mm->arg_start;
1141 1158
1142 /* NOTE: this buffer needs to be larg 1159 /* NOTE: this buffer needs to be large enough to hold all the non-arg
1143 * data we put in the audit rec 1160 * data we put in the audit record for this argument (see the
1144 * code below) ... at this poin 1161 * code below) ... at this point in time 96 is plenty */
1145 char abuf[96]; 1162 char abuf[96];
1146 1163
1147 /* NOTE: we set MAX_EXECVE_AUDIT_LEN 1164 /* NOTE: we set MAX_EXECVE_AUDIT_LEN to a rather arbitrary limit, the
1148 * current value of 7500 is not 1165 * current value of 7500 is not as important as the fact that it
1149 * is less than 8k, a setting o 1166 * is less than 8k, a setting of 7500 gives us plenty of wiggle
1150 * room if we go over a little 1167 * room if we go over a little bit in the logging below */
1151 WARN_ON_ONCE(MAX_EXECVE_AUDIT_LEN > 7 1168 WARN_ON_ONCE(MAX_EXECVE_AUDIT_LEN > 7500);
1152 len_max = MAX_EXECVE_AUDIT_LEN; 1169 len_max = MAX_EXECVE_AUDIT_LEN;
1153 1170
1154 /* scratch buffer to hold the userspa 1171 /* scratch buffer to hold the userspace args */
1155 buf_head = kmalloc(MAX_EXECVE_AUDIT_L 1172 buf_head = kmalloc(MAX_EXECVE_AUDIT_LEN + 1, GFP_KERNEL);
1156 if (!buf_head) { 1173 if (!buf_head) {
1157 audit_panic("out of memory fo 1174 audit_panic("out of memory for argv string");
1158 return; 1175 return;
1159 } 1176 }
1160 buf = buf_head; 1177 buf = buf_head;
1161 1178
1162 audit_log_format(*ab, "argc=%d", cont 1179 audit_log_format(*ab, "argc=%d", context->execve.argc);
1163 1180
1164 len_rem = len_max; 1181 len_rem = len_max;
1165 len_buf = 0; 1182 len_buf = 0;
1166 len_full = 0; 1183 len_full = 0;
1167 require_data = true; 1184 require_data = true;
1168 encode = false; 1185 encode = false;
1169 iter = 0; 1186 iter = 0;
1170 arg = 0; 1187 arg = 0;
1171 do { 1188 do {
1172 /* NOTE: we don't ever want t 1189 /* NOTE: we don't ever want to trust this value for anything
1173 * serious, but the aud 1190 * serious, but the audit record format insists we
1174 * provide an argument 1191 * provide an argument length for really long arguments,
1175 * e.g. > MAX_EXECVE_AU 1192 * e.g. > MAX_EXECVE_AUDIT_LEN, so we have no choice but
1176 * to use strncpy_from_ 1193 * to use strncpy_from_user() to obtain this value for
1177 * recording in the log 1194 * recording in the log, although we don't use it
1178 * anywhere here to avo 1195 * anywhere here to avoid a double-fetch problem */
1179 if (len_full == 0) 1196 if (len_full == 0)
1180 len_full = strnlen_us 1197 len_full = strnlen_user(p, MAX_ARG_STRLEN) - 1;
1181 1198
1182 /* read more data from usersp 1199 /* read more data from userspace */
1183 if (require_data) { 1200 if (require_data) {
1184 /* can we make more r 1201 /* can we make more room in the buffer? */
1185 if (buf != buf_head) 1202 if (buf != buf_head) {
1186 memmove(buf_h 1203 memmove(buf_head, buf, len_buf);
1187 buf = buf_hea 1204 buf = buf_head;
1188 } 1205 }
1189 1206
1190 /* fetch as much as w 1207 /* fetch as much as we can of the argument */
1191 len_tmp = strncpy_fro 1208 len_tmp = strncpy_from_user(&buf_head[len_buf], p,
1192 1209 len_max - len_buf);
1193 if (len_tmp == -EFAUL 1210 if (len_tmp == -EFAULT) {
1194 /* unable to 1211 /* unable to copy from userspace */
1195 send_sig(SIGK 1212 send_sig(SIGKILL, current, 0);
1196 goto out; 1213 goto out;
1197 } else if (len_tmp == 1214 } else if (len_tmp == (len_max - len_buf)) {
1198 /* buffer is 1215 /* buffer is not large enough */
1199 require_data 1216 require_data = true;
1200 /* NOTE: if w 1217 /* NOTE: if we are going to span multiple
1201 * buff 1218 * buffers force the encoding so we stand
1202 * a ch 1219 * a chance at a sane len_full value and
1203 * cons 1220 * consistent record encoding */
1204 encode = true 1221 encode = true;
1205 len_full = le 1222 len_full = len_full * 2;
1206 p += len_tmp; 1223 p += len_tmp;
1207 } else { 1224 } else {
1208 require_data 1225 require_data = false;
1209 if (!encode) 1226 if (!encode)
1210 encod 1227 encode = audit_string_contains_control(
1211 1228 buf, len_tmp);
1212 /* try to use 1229 /* try to use a trusted value for len_full */
1213 if (len_full 1230 if (len_full < len_max)
1214 len_f 1231 len_full = (encode ?
1215 1232 len_tmp * 2 : len_tmp);
1216 p += len_tmp 1233 p += len_tmp + 1;
1217 } 1234 }
1218 len_buf += len_tmp; 1235 len_buf += len_tmp;
1219 buf_head[len_buf] = ' 1236 buf_head[len_buf] = '\0';
1220 1237
1221 /* length of the buff 1238 /* length of the buffer in the audit record? */
1222 len_abuf = (encode ? 1239 len_abuf = (encode ? len_buf * 2 : len_buf + 2);
1223 } 1240 }
1224 1241
1225 /* write as much as we can to 1242 /* write as much as we can to the audit log */
1226 if (len_buf >= 0) { 1243 if (len_buf >= 0) {
1227 /* NOTE: some magic n 1244 /* NOTE: some magic numbers here - basically if we
1228 * can't fit a 1245 * can't fit a reasonable amount of data into the
1229 * existing aud 1246 * existing audit buffer, flush it and start with
1230 * a new buffer 1247 * a new buffer */
1231 if ((sizeof(abuf) + 8 1248 if ((sizeof(abuf) + 8) > len_rem) {
1232 len_rem = len 1249 len_rem = len_max;
1233 audit_log_end 1250 audit_log_end(*ab);
1234 *ab = audit_l 1251 *ab = audit_log_start(context,
1235 1252 GFP_KERNEL, AUDIT_EXECVE);
1236 if (!*ab) 1253 if (!*ab)
1237 goto 1254 goto out;
1238 } 1255 }
1239 1256
1240 /* create the non-arg 1257 /* create the non-arg portion of the arg record */
1241 len_tmp = 0; 1258 len_tmp = 0;
1242 if (require_data || ( 1259 if (require_data || (iter > 0) ||
1243 ((len_abuf + size 1260 ((len_abuf + sizeof(abuf)) > len_rem)) {
1244 if (iter == 0 1261 if (iter == 0) {
1245 len_t 1262 len_tmp += snprintf(&abuf[len_tmp],
1246 1263 sizeof(abuf) - len_tmp,
1247 1264 " a%d_len=%lu",
1248 1265 arg, len_full);
1249 } 1266 }
1250 len_tmp += sn 1267 len_tmp += snprintf(&abuf[len_tmp],
1251 1268 sizeof(abuf) - len_tmp,
1252 1269 " a%d[%d]=", arg, iter++);
1253 } else 1270 } else
1254 len_tmp += sn 1271 len_tmp += snprintf(&abuf[len_tmp],
1255 1272 sizeof(abuf) - len_tmp,
1256 1273 " a%d=", arg);
1257 WARN_ON(len_tmp >= si 1274 WARN_ON(len_tmp >= sizeof(abuf));
1258 abuf[sizeof(abuf) - 1 1275 abuf[sizeof(abuf) - 1] = '\0';
1259 1276
1260 /* log the arg in the 1277 /* log the arg in the audit record */
1261 audit_log_format(*ab, 1278 audit_log_format(*ab, "%s", abuf);
1262 len_rem -= len_tmp; 1279 len_rem -= len_tmp;
1263 len_tmp = len_buf; 1280 len_tmp = len_buf;
1264 if (encode) { 1281 if (encode) {
1265 if (len_abuf 1282 if (len_abuf > len_rem)
1266 len_t 1283 len_tmp = len_rem / 2; /* encoding */
1267 audit_log_n_h 1284 audit_log_n_hex(*ab, buf, len_tmp);
1268 len_rem -= le 1285 len_rem -= len_tmp * 2;
1269 len_abuf -= l 1286 len_abuf -= len_tmp * 2;
1270 } else { 1287 } else {
1271 if (len_abuf 1288 if (len_abuf > len_rem)
1272 len_t 1289 len_tmp = len_rem - 2; /* quotes */
1273 audit_log_n_s 1290 audit_log_n_string(*ab, buf, len_tmp);
1274 len_rem -= le 1291 len_rem -= len_tmp + 2;
1275 /* don't subt 1292 /* don't subtract the "2" because we still need
1276 * to add quo 1293 * to add quotes to the remaining string */
1277 len_abuf -= l 1294 len_abuf -= len_tmp;
1278 } 1295 }
1279 len_buf -= len_tmp; 1296 len_buf -= len_tmp;
1280 buf += len_tmp; 1297 buf += len_tmp;
1281 } 1298 }
1282 1299
1283 /* ready to move to the next 1300 /* ready to move to the next argument? */
1284 if ((len_buf == 0) && !requir 1301 if ((len_buf == 0) && !require_data) {
1285 arg++; 1302 arg++;
1286 iter = 0; 1303 iter = 0;
1287 len_full = 0; 1304 len_full = 0;
1288 require_data = true; 1305 require_data = true;
1289 encode = false; 1306 encode = false;
1290 } 1307 }
1291 } while (arg < context->execve.argc); 1308 } while (arg < context->execve.argc);
1292 1309
1293 /* NOTE: the caller handles the final 1310 /* NOTE: the caller handles the final audit_log_end() call */
1294 1311
1295 out: 1312 out:
1296 kfree(buf_head); 1313 kfree(buf_head);
1297 } 1314 }
1298 1315
1299 static void audit_log_cap(struct audit_buffer 1316 static void audit_log_cap(struct audit_buffer *ab, char *prefix,
1300 kernel_cap_t *cap) 1317 kernel_cap_t *cap)
1301 { 1318 {
>> 1319 int i;
>> 1320
1302 if (cap_isclear(*cap)) { 1321 if (cap_isclear(*cap)) {
1303 audit_log_format(ab, " %s=0", 1322 audit_log_format(ab, " %s=0", prefix);
1304 return; 1323 return;
1305 } 1324 }
1306 audit_log_format(ab, " %s=%016llx", p !! 1325 audit_log_format(ab, " %s=", prefix);
>> 1326 CAP_FOR_EACH_U32(i)
>> 1327 audit_log_format(ab, "%08x", cap->cap[CAP_LAST_U32 - i]);
1307 } 1328 }
1308 1329
1309 static void audit_log_fcaps(struct audit_buff 1330 static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name)
1310 { 1331 {
1311 if (name->fcap_ver == -1) { 1332 if (name->fcap_ver == -1) {
1312 audit_log_format(ab, " cap_fe 1333 audit_log_format(ab, " cap_fe=? cap_fver=? cap_fp=? cap_fi=?");
1313 return; 1334 return;
1314 } 1335 }
1315 audit_log_cap(ab, "cap_fp", &name->fc 1336 audit_log_cap(ab, "cap_fp", &name->fcap.permitted);
1316 audit_log_cap(ab, "cap_fi", &name->fc 1337 audit_log_cap(ab, "cap_fi", &name->fcap.inheritable);
1317 audit_log_format(ab, " cap_fe=%d cap_ 1338 audit_log_format(ab, " cap_fe=%d cap_fver=%x cap_frootid=%d",
1318 name->fcap.fE, name- 1339 name->fcap.fE, name->fcap_ver,
1319 from_kuid(&init_user 1340 from_kuid(&init_user_ns, name->fcap.rootid));
1320 } 1341 }
1321 1342
1322 static void audit_log_time(struct audit_conte 1343 static void audit_log_time(struct audit_context *context, struct audit_buffer **ab)
1323 { 1344 {
1324 const struct audit_ntp_data *ntp = &c 1345 const struct audit_ntp_data *ntp = &context->time.ntp_data;
1325 const struct timespec64 *tk = &contex 1346 const struct timespec64 *tk = &context->time.tk_injoffset;
1326 static const char * const ntp_name[] 1347 static const char * const ntp_name[] = {
1327 "offset", 1348 "offset",
1328 "freq", 1349 "freq",
1329 "status", 1350 "status",
1330 "tai", 1351 "tai",
1331 "tick", 1352 "tick",
1332 "adjust", 1353 "adjust",
1333 }; 1354 };
1334 int type; 1355 int type;
1335 1356
1336 if (context->type == AUDIT_TIME_ADJNT 1357 if (context->type == AUDIT_TIME_ADJNTPVAL) {
1337 for (type = 0; type < AUDIT_N 1358 for (type = 0; type < AUDIT_NTP_NVALS; type++) {
1338 if (ntp->vals[type].n 1359 if (ntp->vals[type].newval != ntp->vals[type].oldval) {
1339 if (!*ab) { 1360 if (!*ab) {
1340 *ab = 1361 *ab = audit_log_start(context,
1341 1362 GFP_KERNEL,
1342 1363 AUDIT_TIME_ADJNTPVAL);
1343 if (! 1364 if (!*ab)
1344 1365 return;
1345 } 1366 }
1346 audit_log_for 1367 audit_log_format(*ab, "op=%s old=%lli new=%lli",
1347 1368 ntp_name[type],
1348 1369 ntp->vals[type].oldval,
1349 1370 ntp->vals[type].newval);
1350 audit_log_end 1371 audit_log_end(*ab);
1351 *ab = NULL; 1372 *ab = NULL;
1352 } 1373 }
1353 } 1374 }
1354 } 1375 }
1355 if (tk->tv_sec != 0 || tk->tv_nsec != 1376 if (tk->tv_sec != 0 || tk->tv_nsec != 0) {
1356 if (!*ab) { 1377 if (!*ab) {
1357 *ab = audit_log_start 1378 *ab = audit_log_start(context, GFP_KERNEL,
1358 1379 AUDIT_TIME_INJOFFSET);
1359 if (!*ab) 1380 if (!*ab)
1360 return; 1381 return;
1361 } 1382 }
1362 audit_log_format(*ab, "sec=%l 1383 audit_log_format(*ab, "sec=%lli nsec=%li",
1363 (long long)t 1384 (long long)tk->tv_sec, tk->tv_nsec);
1364 audit_log_end(*ab); 1385 audit_log_end(*ab);
1365 *ab = NULL; 1386 *ab = NULL;
1366 } 1387 }
1367 } 1388 }
1368 1389
1369 static void show_special(struct audit_context 1390 static void show_special(struct audit_context *context, int *call_panic)
1370 { 1391 {
1371 struct audit_buffer *ab; 1392 struct audit_buffer *ab;
1372 int i; 1393 int i;
1373 1394
1374 ab = audit_log_start(context, GFP_KER 1395 ab = audit_log_start(context, GFP_KERNEL, context->type);
1375 if (!ab) 1396 if (!ab)
1376 return; 1397 return;
1377 1398
1378 switch (context->type) { 1399 switch (context->type) {
1379 case AUDIT_SOCKETCALL: { 1400 case AUDIT_SOCKETCALL: {
1380 int nargs = context->socketca 1401 int nargs = context->socketcall.nargs;
1381 1402
1382 audit_log_format(ab, "nargs=% 1403 audit_log_format(ab, "nargs=%d", nargs);
1383 for (i = 0; i < nargs; i++) 1404 for (i = 0; i < nargs; i++)
1384 audit_log_format(ab, 1405 audit_log_format(ab, " a%d=%lx", i,
1385 context->sock 1406 context->socketcall.args[i]);
1386 break; } 1407 break; }
1387 case AUDIT_IPC: { 1408 case AUDIT_IPC: {
1388 u32 osid = context->ipc.osid; 1409 u32 osid = context->ipc.osid;
1389 1410
1390 audit_log_format(ab, "ouid=%u 1411 audit_log_format(ab, "ouid=%u ogid=%u mode=%#ho",
1391 from_kuid(&i 1412 from_kuid(&init_user_ns, context->ipc.uid),
1392 from_kgid(&i 1413 from_kgid(&init_user_ns, context->ipc.gid),
1393 context->ipc 1414 context->ipc.mode);
1394 if (osid) { 1415 if (osid) {
1395 char *ctx = NULL; 1416 char *ctx = NULL;
1396 u32 len; 1417 u32 len;
1397 1418
1398 if (security_secid_to 1419 if (security_secid_to_secctx(osid, &ctx, &len)) {
1399 audit_log_for 1420 audit_log_format(ab, " osid=%u", osid);
1400 *call_panic = 1421 *call_panic = 1;
1401 } else { 1422 } else {
1402 audit_log_for 1423 audit_log_format(ab, " obj=%s", ctx);
1403 security_rele 1424 security_release_secctx(ctx, len);
1404 } 1425 }
1405 } 1426 }
1406 if (context->ipc.has_perm) { 1427 if (context->ipc.has_perm) {
1407 audit_log_end(ab); 1428 audit_log_end(ab);
1408 ab = audit_log_start( 1429 ab = audit_log_start(context, GFP_KERNEL,
1409 1430 AUDIT_IPC_SET_PERM);
1410 if (unlikely(!ab)) 1431 if (unlikely(!ab))
1411 return; 1432 return;
1412 audit_log_format(ab, 1433 audit_log_format(ab,
1413 "qbytes=%lx o 1434 "qbytes=%lx ouid=%u ogid=%u mode=%#ho",
1414 context->ipc. 1435 context->ipc.qbytes,
1415 context->ipc. 1436 context->ipc.perm_uid,
1416 context->ipc. 1437 context->ipc.perm_gid,
1417 context->ipc. 1438 context->ipc.perm_mode);
1418 } 1439 }
1419 break; } 1440 break; }
1420 case AUDIT_MQ_OPEN: 1441 case AUDIT_MQ_OPEN:
1421 audit_log_format(ab, 1442 audit_log_format(ab,
1422 "oflag=0x%x mode=%#ho 1443 "oflag=0x%x mode=%#ho mq_flags=0x%lx mq_maxmsg=%ld "
1423 "mq_msgsize=%ld mq_cu 1444 "mq_msgsize=%ld mq_curmsgs=%ld",
1424 context->mq_open.ofla 1445 context->mq_open.oflag, context->mq_open.mode,
1425 context->mq_open.attr 1446 context->mq_open.attr.mq_flags,
1426 context->mq_open.attr 1447 context->mq_open.attr.mq_maxmsg,
1427 context->mq_open.attr 1448 context->mq_open.attr.mq_msgsize,
1428 context->mq_open.attr 1449 context->mq_open.attr.mq_curmsgs);
1429 break; 1450 break;
1430 case AUDIT_MQ_SENDRECV: 1451 case AUDIT_MQ_SENDRECV:
1431 audit_log_format(ab, 1452 audit_log_format(ab,
1432 "mqdes=%d msg_len=%zd 1453 "mqdes=%d msg_len=%zd msg_prio=%u "
1433 "abs_timeout_sec=%lld 1454 "abs_timeout_sec=%lld abs_timeout_nsec=%ld",
1434 context->mq_sendrecv. 1455 context->mq_sendrecv.mqdes,
1435 context->mq_sendrecv. 1456 context->mq_sendrecv.msg_len,
1436 context->mq_sendrecv. 1457 context->mq_sendrecv.msg_prio,
1437 (long long) context-> 1458 (long long) context->mq_sendrecv.abs_timeout.tv_sec,
1438 context->mq_sendrecv. 1459 context->mq_sendrecv.abs_timeout.tv_nsec);
1439 break; 1460 break;
1440 case AUDIT_MQ_NOTIFY: 1461 case AUDIT_MQ_NOTIFY:
1441 audit_log_format(ab, "mqdes=% 1462 audit_log_format(ab, "mqdes=%d sigev_signo=%d",
1442 context->mq_n 1463 context->mq_notify.mqdes,
1443 context->mq_n 1464 context->mq_notify.sigev_signo);
1444 break; 1465 break;
1445 case AUDIT_MQ_GETSETATTR: { 1466 case AUDIT_MQ_GETSETATTR: {
1446 struct mq_attr *attr = &conte 1467 struct mq_attr *attr = &context->mq_getsetattr.mqstat;
1447 1468
1448 audit_log_format(ab, 1469 audit_log_format(ab,
1449 "mqdes=%d mq_flags=0x 1470 "mqdes=%d mq_flags=0x%lx mq_maxmsg=%ld mq_msgsize=%ld "
1450 "mq_curmsgs=%ld ", 1471 "mq_curmsgs=%ld ",
1451 context->mq_getsetatt 1472 context->mq_getsetattr.mqdes,
1452 attr->mq_flags, attr- 1473 attr->mq_flags, attr->mq_maxmsg,
1453 attr->mq_msgsize, att 1474 attr->mq_msgsize, attr->mq_curmsgs);
1454 break; } 1475 break; }
1455 case AUDIT_CAPSET: 1476 case AUDIT_CAPSET:
1456 audit_log_format(ab, "pid=%d" 1477 audit_log_format(ab, "pid=%d", context->capset.pid);
1457 audit_log_cap(ab, "cap_pi", & 1478 audit_log_cap(ab, "cap_pi", &context->capset.cap.inheritable);
1458 audit_log_cap(ab, "cap_pp", & 1479 audit_log_cap(ab, "cap_pp", &context->capset.cap.permitted);
1459 audit_log_cap(ab, "cap_pe", & 1480 audit_log_cap(ab, "cap_pe", &context->capset.cap.effective);
1460 audit_log_cap(ab, "cap_pa", & 1481 audit_log_cap(ab, "cap_pa", &context->capset.cap.ambient);
1461 break; 1482 break;
1462 case AUDIT_MMAP: 1483 case AUDIT_MMAP:
1463 audit_log_format(ab, "fd=%d f 1484 audit_log_format(ab, "fd=%d flags=0x%x", context->mmap.fd,
1464 context->mma 1485 context->mmap.flags);
1465 break; 1486 break;
1466 case AUDIT_OPENAT2: 1487 case AUDIT_OPENAT2:
1467 audit_log_format(ab, "oflag=0 1488 audit_log_format(ab, "oflag=0%llo mode=0%llo resolve=0x%llx",
1468 context->ope 1489 context->openat2.flags,
1469 context->ope 1490 context->openat2.mode,
1470 context->ope 1491 context->openat2.resolve);
1471 break; 1492 break;
1472 case AUDIT_EXECVE: 1493 case AUDIT_EXECVE:
1473 audit_log_execve_info(context 1494 audit_log_execve_info(context, &ab);
1474 break; 1495 break;
1475 case AUDIT_KERN_MODULE: 1496 case AUDIT_KERN_MODULE:
1476 audit_log_format(ab, "name=") 1497 audit_log_format(ab, "name=");
1477 if (context->module.name) { 1498 if (context->module.name) {
1478 audit_log_untrustedst 1499 audit_log_untrustedstring(ab, context->module.name);
1479 } else 1500 } else
1480 audit_log_format(ab, 1501 audit_log_format(ab, "(null)");
1481 1502
1482 break; 1503 break;
1483 case AUDIT_TIME_ADJNTPVAL: 1504 case AUDIT_TIME_ADJNTPVAL:
1484 case AUDIT_TIME_INJOFFSET: 1505 case AUDIT_TIME_INJOFFSET:
1485 /* this call deviates from th 1506 /* this call deviates from the rest, eating the buffer */
1486 audit_log_time(context, &ab); 1507 audit_log_time(context, &ab);
1487 break; 1508 break;
1488 } 1509 }
1489 audit_log_end(ab); 1510 audit_log_end(ab);
1490 } 1511 }
1491 1512
1492 static inline int audit_proctitle_rtrim(char 1513 static inline int audit_proctitle_rtrim(char *proctitle, int len)
1493 { 1514 {
1494 char *end = proctitle + len - 1; 1515 char *end = proctitle + len - 1;
1495 1516
1496 while (end > proctitle && !isprint(*e 1517 while (end > proctitle && !isprint(*end))
1497 end--; 1518 end--;
1498 1519
1499 /* catch the case where proctitle is 1520 /* catch the case where proctitle is only 1 non-print character */
1500 len = end - proctitle + 1; 1521 len = end - proctitle + 1;
1501 len -= isprint(proctitle[len-1]) == 0 1522 len -= isprint(proctitle[len-1]) == 0;
1502 return len; 1523 return len;
1503 } 1524 }
1504 1525
1505 /* 1526 /*
1506 * audit_log_name - produce AUDIT_PATH record 1527 * audit_log_name - produce AUDIT_PATH record from struct audit_names
1507 * @context: audit_context for the task 1528 * @context: audit_context for the task
1508 * @n: audit_names structure with reportable 1529 * @n: audit_names structure with reportable details
1509 * @path: optional path to report instead of 1530 * @path: optional path to report instead of audit_names->name
1510 * @record_num: record number to report when 1531 * @record_num: record number to report when handling a list of names
1511 * @call_panic: optional pointer to int that 1532 * @call_panic: optional pointer to int that will be updated if secid fails
1512 */ 1533 */
1513 static void audit_log_name(struct audit_conte 1534 static void audit_log_name(struct audit_context *context, struct audit_names *n,
1514 const struct path *path, 1535 const struct path *path, int record_num, int *call_panic)
1515 { 1536 {
1516 struct audit_buffer *ab; 1537 struct audit_buffer *ab;
1517 1538
1518 ab = audit_log_start(context, GFP_KER 1539 ab = audit_log_start(context, GFP_KERNEL, AUDIT_PATH);
1519 if (!ab) 1540 if (!ab)
1520 return; 1541 return;
1521 1542
1522 audit_log_format(ab, "item=%d", recor 1543 audit_log_format(ab, "item=%d", record_num);
1523 1544
1524 if (path) 1545 if (path)
1525 audit_log_d_path(ab, " name=" 1546 audit_log_d_path(ab, " name=", path);
1526 else if (n->name) { 1547 else if (n->name) {
1527 switch (n->name_len) { 1548 switch (n->name_len) {
1528 case AUDIT_NAME_FULL: 1549 case AUDIT_NAME_FULL:
1529 /* log the full path 1550 /* log the full path */
1530 audit_log_format(ab, 1551 audit_log_format(ab, " name=");
1531 audit_log_untrustedst 1552 audit_log_untrustedstring(ab, n->name->name);
1532 break; 1553 break;
1533 case 0: 1554 case 0:
1534 /* name was specified 1555 /* name was specified as a relative path and the
1535 * directory componen 1556 * directory component is the cwd
1536 */ 1557 */
1537 if (context->pwd.dent 1558 if (context->pwd.dentry && context->pwd.mnt)
1538 audit_log_d_p 1559 audit_log_d_path(ab, " name=", &context->pwd);
1539 else 1560 else
1540 audit_log_for 1561 audit_log_format(ab, " name=(null)");
1541 break; 1562 break;
1542 default: 1563 default:
1543 /* log the name's dir 1564 /* log the name's directory component */
1544 audit_log_format(ab, 1565 audit_log_format(ab, " name=");
1545 audit_log_n_untrusted 1566 audit_log_n_untrustedstring(ab, n->name->name,
1546 1567 n->name_len);
1547 } 1568 }
1548 } else 1569 } else
1549 audit_log_format(ab, " name=( 1570 audit_log_format(ab, " name=(null)");
1550 1571
1551 if (n->ino != AUDIT_INO_UNSET) 1572 if (n->ino != AUDIT_INO_UNSET)
1552 audit_log_format(ab, " inode= 1573 audit_log_format(ab, " inode=%lu dev=%02x:%02x mode=%#ho ouid=%u ogid=%u rdev=%02x:%02x",
1553 n->ino, 1574 n->ino,
1554 MAJOR(n->dev 1575 MAJOR(n->dev),
1555 MINOR(n->dev 1576 MINOR(n->dev),
1556 n->mode, 1577 n->mode,
1557 from_kuid(&i 1578 from_kuid(&init_user_ns, n->uid),
1558 from_kgid(&i 1579 from_kgid(&init_user_ns, n->gid),
1559 MAJOR(n->rde 1580 MAJOR(n->rdev),
1560 MINOR(n->rde 1581 MINOR(n->rdev));
1561 if (n->osid != 0) { 1582 if (n->osid != 0) {
1562 char *ctx = NULL; 1583 char *ctx = NULL;
1563 u32 len; 1584 u32 len;
1564 1585
1565 if (security_secid_to_secctx( 1586 if (security_secid_to_secctx(
1566 n->osid, &ctx, &len)) 1587 n->osid, &ctx, &len)) {
1567 audit_log_format(ab, 1588 audit_log_format(ab, " osid=%u", n->osid);
1568 if (call_panic) 1589 if (call_panic)
1569 *call_panic = 1590 *call_panic = 2;
1570 } else { 1591 } else {
1571 audit_log_format(ab, 1592 audit_log_format(ab, " obj=%s", ctx);
1572 security_release_secc 1593 security_release_secctx(ctx, len);
1573 } 1594 }
1574 } 1595 }
1575 1596
1576 /* log the audit_names record type */ 1597 /* log the audit_names record type */
1577 switch (n->type) { 1598 switch (n->type) {
1578 case AUDIT_TYPE_NORMAL: 1599 case AUDIT_TYPE_NORMAL:
1579 audit_log_format(ab, " namety 1600 audit_log_format(ab, " nametype=NORMAL");
1580 break; 1601 break;
1581 case AUDIT_TYPE_PARENT: 1602 case AUDIT_TYPE_PARENT:
1582 audit_log_format(ab, " namety 1603 audit_log_format(ab, " nametype=PARENT");
1583 break; 1604 break;
1584 case AUDIT_TYPE_CHILD_DELETE: 1605 case AUDIT_TYPE_CHILD_DELETE:
1585 audit_log_format(ab, " namety 1606 audit_log_format(ab, " nametype=DELETE");
1586 break; 1607 break;
1587 case AUDIT_TYPE_CHILD_CREATE: 1608 case AUDIT_TYPE_CHILD_CREATE:
1588 audit_log_format(ab, " namety 1609 audit_log_format(ab, " nametype=CREATE");
1589 break; 1610 break;
1590 default: 1611 default:
1591 audit_log_format(ab, " namety 1612 audit_log_format(ab, " nametype=UNKNOWN");
1592 break; 1613 break;
1593 } 1614 }
1594 1615
1595 audit_log_fcaps(ab, n); 1616 audit_log_fcaps(ab, n);
1596 audit_log_end(ab); 1617 audit_log_end(ab);
1597 } 1618 }
1598 1619
1599 static void audit_log_proctitle(void) 1620 static void audit_log_proctitle(void)
1600 { 1621 {
1601 int res; 1622 int res;
1602 char *buf; 1623 char *buf;
1603 char *msg = "(null)"; 1624 char *msg = "(null)";
1604 int len = strlen(msg); 1625 int len = strlen(msg);
1605 struct audit_context *context = audit 1626 struct audit_context *context = audit_context();
1606 struct audit_buffer *ab; 1627 struct audit_buffer *ab;
1607 1628
1608 ab = audit_log_start(context, GFP_KER 1629 ab = audit_log_start(context, GFP_KERNEL, AUDIT_PROCTITLE);
1609 if (!ab) 1630 if (!ab)
1610 return; /* audit_panic or bei 1631 return; /* audit_panic or being filtered */
1611 1632
1612 audit_log_format(ab, "proctitle="); 1633 audit_log_format(ab, "proctitle=");
1613 1634
1614 /* Not cached */ 1635 /* Not cached */
1615 if (!context->proctitle.value) { 1636 if (!context->proctitle.value) {
1616 buf = kmalloc(MAX_PROCTITLE_A 1637 buf = kmalloc(MAX_PROCTITLE_AUDIT_LEN, GFP_KERNEL);
1617 if (!buf) 1638 if (!buf)
1618 goto out; 1639 goto out;
1619 /* Historically called this f 1640 /* Historically called this from procfs naming */
1620 res = get_cmdline(current, bu 1641 res = get_cmdline(current, buf, MAX_PROCTITLE_AUDIT_LEN);
1621 if (res == 0) { 1642 if (res == 0) {
1622 kfree(buf); 1643 kfree(buf);
1623 goto out; 1644 goto out;
1624 } 1645 }
1625 res = audit_proctitle_rtrim(b 1646 res = audit_proctitle_rtrim(buf, res);
1626 if (res == 0) { 1647 if (res == 0) {
1627 kfree(buf); 1648 kfree(buf);
1628 goto out; 1649 goto out;
1629 } 1650 }
1630 context->proctitle.value = bu 1651 context->proctitle.value = buf;
1631 context->proctitle.len = res; 1652 context->proctitle.len = res;
1632 } 1653 }
1633 msg = context->proctitle.value; 1654 msg = context->proctitle.value;
1634 len = context->proctitle.len; 1655 len = context->proctitle.len;
1635 out: 1656 out:
1636 audit_log_n_untrustedstring(ab, msg, 1657 audit_log_n_untrustedstring(ab, msg, len);
1637 audit_log_end(ab); 1658 audit_log_end(ab);
1638 } 1659 }
1639 1660
1640 /** 1661 /**
1641 * audit_log_uring - generate a AUDIT_URINGOP 1662 * audit_log_uring - generate a AUDIT_URINGOP record
1642 * @ctx: the audit context 1663 * @ctx: the audit context
1643 */ 1664 */
1644 static void audit_log_uring(struct audit_cont 1665 static void audit_log_uring(struct audit_context *ctx)
1645 { 1666 {
1646 struct audit_buffer *ab; 1667 struct audit_buffer *ab;
1647 const struct cred *cred; 1668 const struct cred *cred;
1648 1669
1649 ab = audit_log_start(ctx, GFP_ATOMIC, 1670 ab = audit_log_start(ctx, GFP_ATOMIC, AUDIT_URINGOP);
1650 if (!ab) 1671 if (!ab)
1651 return; 1672 return;
1652 cred = current_cred(); 1673 cred = current_cred();
1653 audit_log_format(ab, "uring_op=%d", c 1674 audit_log_format(ab, "uring_op=%d", ctx->uring_op);
1654 if (ctx->return_valid != AUDITSC_INVA 1675 if (ctx->return_valid != AUDITSC_INVALID)
1655 audit_log_format(ab, " succes 1676 audit_log_format(ab, " success=%s exit=%ld",
1656 (ctx->return 1677 (ctx->return_valid == AUDITSC_SUCCESS ?
1657 "yes" : "no 1678 "yes" : "no"),
1658 ctx->return_ 1679 ctx->return_code);
1659 audit_log_format(ab, 1680 audit_log_format(ab,
1660 " items=%d" 1681 " items=%d"
1661 " ppid=%d pid=%d uid 1682 " ppid=%d pid=%d uid=%u gid=%u euid=%u suid=%u"
1662 " fsuid=%u egid=%u s 1683 " fsuid=%u egid=%u sgid=%u fsgid=%u",
1663 ctx->name_count, 1684 ctx->name_count,
1664 task_ppid_nr(current 1685 task_ppid_nr(current), task_tgid_nr(current),
1665 from_kuid(&init_user 1686 from_kuid(&init_user_ns, cred->uid),
1666 from_kgid(&init_user 1687 from_kgid(&init_user_ns, cred->gid),
1667 from_kuid(&init_user 1688 from_kuid(&init_user_ns, cred->euid),
1668 from_kuid(&init_user 1689 from_kuid(&init_user_ns, cred->suid),
1669 from_kuid(&init_user 1690 from_kuid(&init_user_ns, cred->fsuid),
1670 from_kgid(&init_user 1691 from_kgid(&init_user_ns, cred->egid),
1671 from_kgid(&init_user 1692 from_kgid(&init_user_ns, cred->sgid),
1672 from_kgid(&init_user 1693 from_kgid(&init_user_ns, cred->fsgid));
1673 audit_log_task_context(ab); 1694 audit_log_task_context(ab);
1674 audit_log_key(ab, ctx->filterkey); 1695 audit_log_key(ab, ctx->filterkey);
1675 audit_log_end(ab); 1696 audit_log_end(ab);
1676 } 1697 }
1677 1698
1678 static void audit_log_exit(void) 1699 static void audit_log_exit(void)
1679 { 1700 {
1680 int i, call_panic = 0; 1701 int i, call_panic = 0;
1681 struct audit_context *context = audit 1702 struct audit_context *context = audit_context();
1682 struct audit_buffer *ab; 1703 struct audit_buffer *ab;
1683 struct audit_aux_data *aux; 1704 struct audit_aux_data *aux;
1684 struct audit_names *n; 1705 struct audit_names *n;
1685 1706
1686 context->personality = current->perso 1707 context->personality = current->personality;
1687 1708
1688 switch (context->context) { 1709 switch (context->context) {
1689 case AUDIT_CTX_SYSCALL: 1710 case AUDIT_CTX_SYSCALL:
1690 ab = audit_log_start(context, 1711 ab = audit_log_start(context, GFP_KERNEL, AUDIT_SYSCALL);
1691 if (!ab) 1712 if (!ab)
1692 return; 1713 return;
1693 audit_log_format(ab, "arch=%x 1714 audit_log_format(ab, "arch=%x syscall=%d",
1694 context->arc 1715 context->arch, context->major);
1695 if (context->personality != P 1716 if (context->personality != PER_LINUX)
1696 audit_log_format(ab, 1717 audit_log_format(ab, " per=%lx", context->personality);
1697 if (context->return_valid != 1718 if (context->return_valid != AUDITSC_INVALID)
1698 audit_log_format(ab, 1719 audit_log_format(ab, " success=%s exit=%ld",
1699 (con 1720 (context->return_valid == AUDITSC_SUCCESS ?
1700 "ye 1721 "yes" : "no"),
1701 cont 1722 context->return_code);
1702 audit_log_format(ab, 1723 audit_log_format(ab,
1703 " a0=%lx a1= 1724 " a0=%lx a1=%lx a2=%lx a3=%lx items=%d",
1704 context->arg 1725 context->argv[0],
1705 context->arg 1726 context->argv[1],
1706 context->arg 1727 context->argv[2],
1707 context->arg 1728 context->argv[3],
1708 context->nam 1729 context->name_count);
1709 audit_log_task_info(ab); 1730 audit_log_task_info(ab);
1710 audit_log_key(ab, context->fi 1731 audit_log_key(ab, context->filterkey);
1711 audit_log_end(ab); 1732 audit_log_end(ab);
1712 break; 1733 break;
1713 case AUDIT_CTX_URING: 1734 case AUDIT_CTX_URING:
1714 audit_log_uring(context); 1735 audit_log_uring(context);
1715 break; 1736 break;
1716 default: 1737 default:
1717 BUG(); 1738 BUG();
1718 break; 1739 break;
1719 } 1740 }
1720 1741
1721 for (aux = context->aux; aux; aux = a 1742 for (aux = context->aux; aux; aux = aux->next) {
1722 1743
1723 ab = audit_log_start(context, 1744 ab = audit_log_start(context, GFP_KERNEL, aux->type);
1724 if (!ab) 1745 if (!ab)
1725 continue; /* audit_pa 1746 continue; /* audit_panic has been called */
1726 1747
1727 switch (aux->type) { 1748 switch (aux->type) {
1728 1749
1729 case AUDIT_BPRM_FCAPS: { 1750 case AUDIT_BPRM_FCAPS: {
1730 struct audit_aux_data 1751 struct audit_aux_data_bprm_fcaps *axs = (void *)aux;
1731 1752
1732 audit_log_format(ab, 1753 audit_log_format(ab, "fver=%x", axs->fcap_ver);
1733 audit_log_cap(ab, "fp 1754 audit_log_cap(ab, "fp", &axs->fcap.permitted);
1734 audit_log_cap(ab, "fi 1755 audit_log_cap(ab, "fi", &axs->fcap.inheritable);
1735 audit_log_format(ab, 1756 audit_log_format(ab, " fe=%d", axs->fcap.fE);
1736 audit_log_cap(ab, "ol 1757 audit_log_cap(ab, "old_pp", &axs->old_pcap.permitted);
1737 audit_log_cap(ab, "ol 1758 audit_log_cap(ab, "old_pi", &axs->old_pcap.inheritable);
1738 audit_log_cap(ab, "ol 1759 audit_log_cap(ab, "old_pe", &axs->old_pcap.effective);
1739 audit_log_cap(ab, "ol 1760 audit_log_cap(ab, "old_pa", &axs->old_pcap.ambient);
1740 audit_log_cap(ab, "pp 1761 audit_log_cap(ab, "pp", &axs->new_pcap.permitted);
1741 audit_log_cap(ab, "pi 1762 audit_log_cap(ab, "pi", &axs->new_pcap.inheritable);
1742 audit_log_cap(ab, "pe 1763 audit_log_cap(ab, "pe", &axs->new_pcap.effective);
1743 audit_log_cap(ab, "pa 1764 audit_log_cap(ab, "pa", &axs->new_pcap.ambient);
1744 audit_log_format(ab, 1765 audit_log_format(ab, " frootid=%d",
1745 from 1766 from_kuid(&init_user_ns,
1746 1767 axs->fcap.rootid));
1747 break; } 1768 break; }
1748 1769
1749 } 1770 }
1750 audit_log_end(ab); 1771 audit_log_end(ab);
1751 } 1772 }
1752 1773
1753 if (context->type) 1774 if (context->type)
1754 show_special(context, &call_p 1775 show_special(context, &call_panic);
1755 1776
1756 if (context->fds[0] >= 0) { 1777 if (context->fds[0] >= 0) {
1757 ab = audit_log_start(context, 1778 ab = audit_log_start(context, GFP_KERNEL, AUDIT_FD_PAIR);
1758 if (ab) { 1779 if (ab) {
1759 audit_log_format(ab, 1780 audit_log_format(ab, "fd0=%d fd1=%d",
1760 conte 1781 context->fds[0], context->fds[1]);
1761 audit_log_end(ab); 1782 audit_log_end(ab);
1762 } 1783 }
1763 } 1784 }
1764 1785
1765 if (context->sockaddr_len) { 1786 if (context->sockaddr_len) {
1766 ab = audit_log_start(context, 1787 ab = audit_log_start(context, GFP_KERNEL, AUDIT_SOCKADDR);
1767 if (ab) { 1788 if (ab) {
1768 audit_log_format(ab, 1789 audit_log_format(ab, "saddr=");
1769 audit_log_n_hex(ab, ( 1790 audit_log_n_hex(ab, (void *)context->sockaddr,
1770 conte 1791 context->sockaddr_len);
1771 audit_log_end(ab); 1792 audit_log_end(ab);
1772 } 1793 }
1773 } 1794 }
1774 1795
1775 for (aux = context->aux_pids; aux; au 1796 for (aux = context->aux_pids; aux; aux = aux->next) {
1776 struct audit_aux_data_pids *a 1797 struct audit_aux_data_pids *axs = (void *)aux;
1777 1798
1778 for (i = 0; i < axs->pid_coun 1799 for (i = 0; i < axs->pid_count; i++)
1779 if (audit_log_pid_con 1800 if (audit_log_pid_context(context, axs->target_pid[i],
1780 1801 axs->target_auid[i],
1781 1802 axs->target_uid[i],
1782 1803 axs->target_sessionid[i],
1783 1804 axs->target_sid[i],
1784 1805 axs->target_comm[i]))
1785 call_panic = 1806 call_panic = 1;
1786 } 1807 }
1787 1808
1788 if (context->target_pid && 1809 if (context->target_pid &&
1789 audit_log_pid_context(context, co 1810 audit_log_pid_context(context, context->target_pid,
1790 context->ta 1811 context->target_auid, context->target_uid,
1791 context->ta 1812 context->target_sessionid,
1792 context->ta 1813 context->target_sid, context->target_comm))
1793 call_panic = 1; 1814 call_panic = 1;
1794 1815
1795 if (context->pwd.dentry && context->p 1816 if (context->pwd.dentry && context->pwd.mnt) {
1796 ab = audit_log_start(context, 1817 ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD);
1797 if (ab) { 1818 if (ab) {
1798 audit_log_d_path(ab, 1819 audit_log_d_path(ab, "cwd=", &context->pwd);
1799 audit_log_end(ab); 1820 audit_log_end(ab);
1800 } 1821 }
1801 } 1822 }
1802 1823
1803 i = 0; 1824 i = 0;
1804 list_for_each_entry(n, &context->name 1825 list_for_each_entry(n, &context->names_list, list) {
1805 if (n->hidden) 1826 if (n->hidden)
1806 continue; 1827 continue;
1807 audit_log_name(context, n, NU 1828 audit_log_name(context, n, NULL, i++, &call_panic);
1808 } 1829 }
1809 1830
1810 if (context->context == AUDIT_CTX_SYS 1831 if (context->context == AUDIT_CTX_SYSCALL)
1811 audit_log_proctitle(); 1832 audit_log_proctitle();
1812 1833
1813 /* Send end of event record to help u 1834 /* Send end of event record to help user space know we are finished */
1814 ab = audit_log_start(context, GFP_KER 1835 ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE);
1815 if (ab) 1836 if (ab)
1816 audit_log_end(ab); 1837 audit_log_end(ab);
1817 if (call_panic) 1838 if (call_panic)
1818 audit_panic("error in audit_l 1839 audit_panic("error in audit_log_exit()");
1819 } 1840 }
1820 1841
1821 /** 1842 /**
1822 * __audit_free - free a per-task audit conte 1843 * __audit_free - free a per-task audit context
1823 * @tsk: task whose audit context block to fr 1844 * @tsk: task whose audit context block to free
1824 * 1845 *
1825 * Called from copy_process, do_exit, and the 1846 * Called from copy_process, do_exit, and the io_uring code
1826 */ 1847 */
1827 void __audit_free(struct task_struct *tsk) 1848 void __audit_free(struct task_struct *tsk)
1828 { 1849 {
1829 struct audit_context *context = tsk-> 1850 struct audit_context *context = tsk->audit_context;
1830 1851
1831 if (!context) 1852 if (!context)
1832 return; 1853 return;
1833 1854
1834 /* this may generate CONFIG_CHANGE re 1855 /* this may generate CONFIG_CHANGE records */
1835 if (!list_empty(&context->killed_tree 1856 if (!list_empty(&context->killed_trees))
1836 audit_kill_trees(context); 1857 audit_kill_trees(context);
1837 1858
1838 /* We are called either by do_exit() 1859 /* We are called either by do_exit() or the fork() error handling code;
1839 * in the former case tsk == current 1860 * in the former case tsk == current and in the latter tsk is a
1840 * random task_struct that doesn't ha !! 1861 * random task_struct that doesn't doesn't have any meaningful data we
1841 * need to log via audit_log_exit(). 1862 * need to log via audit_log_exit().
1842 */ 1863 */
1843 if (tsk == current && !context->dummy 1864 if (tsk == current && !context->dummy) {
1844 context->return_valid = AUDIT 1865 context->return_valid = AUDITSC_INVALID;
1845 context->return_code = 0; 1866 context->return_code = 0;
1846 if (context->context == AUDIT 1867 if (context->context == AUDIT_CTX_SYSCALL) {
1847 audit_filter_syscall( 1868 audit_filter_syscall(tsk, context);
1848 audit_filter_inodes(t 1869 audit_filter_inodes(tsk, context);
1849 if (context->current_ 1870 if (context->current_state == AUDIT_STATE_RECORD)
1850 audit_log_exi 1871 audit_log_exit();
1851 } else if (context->context = 1872 } else if (context->context == AUDIT_CTX_URING) {
1852 /* TODO: verify this 1873 /* TODO: verify this case is real and valid */
1853 audit_filter_uring(ts 1874 audit_filter_uring(tsk, context);
1854 audit_filter_inodes(t 1875 audit_filter_inodes(tsk, context);
1855 if (context->current_ 1876 if (context->current_state == AUDIT_STATE_RECORD)
1856 audit_log_uri 1877 audit_log_uring(context);
1857 } 1878 }
1858 } 1879 }
1859 1880
1860 audit_set_context(tsk, NULL); 1881 audit_set_context(tsk, NULL);
1861 audit_free_context(context); 1882 audit_free_context(context);
1862 } 1883 }
1863 1884
1864 /** 1885 /**
1865 * audit_return_fixup - fixup the return code 1886 * audit_return_fixup - fixup the return codes in the audit_context
1866 * @ctx: the audit_context 1887 * @ctx: the audit_context
1867 * @success: true/false value to indicate if 1888 * @success: true/false value to indicate if the operation succeeded or not
1868 * @code: operation return code 1889 * @code: operation return code
1869 * 1890 *
1870 * We need to fixup the return code in the au 1891 * We need to fixup the return code in the audit logs if the actual return
1871 * codes are later going to be fixed by the a 1892 * codes are later going to be fixed by the arch specific signal handlers.
1872 */ 1893 */
1873 static void audit_return_fixup(struct audit_c 1894 static void audit_return_fixup(struct audit_context *ctx,
1874 int success, l 1895 int success, long code)
1875 { 1896 {
1876 /* 1897 /*
1877 * This is actually a test for: 1898 * This is actually a test for:
1878 * (rc == ERESTARTSYS ) || (rc == ERE 1899 * (rc == ERESTARTSYS ) || (rc == ERESTARTNOINTR) ||
1879 * (rc == ERESTARTNOHAND) || (rc == E 1900 * (rc == ERESTARTNOHAND) || (rc == ERESTART_RESTARTBLOCK)
1880 * 1901 *
1881 * but is faster than a bunch of || 1902 * but is faster than a bunch of ||
1882 */ 1903 */
1883 if (unlikely(code <= -ERESTARTSYS) && 1904 if (unlikely(code <= -ERESTARTSYS) &&
1884 (code >= -ERESTART_RESTARTBLOCK) 1905 (code >= -ERESTART_RESTARTBLOCK) &&
1885 (code != -ENOIOCTLCMD)) 1906 (code != -ENOIOCTLCMD))
1886 ctx->return_code = -EINTR; 1907 ctx->return_code = -EINTR;
1887 else 1908 else
1888 ctx->return_code = code; 1909 ctx->return_code = code;
1889 ctx->return_valid = (success ? AUDITS 1910 ctx->return_valid = (success ? AUDITSC_SUCCESS : AUDITSC_FAILURE);
1890 } 1911 }
1891 1912
1892 /** 1913 /**
1893 * __audit_uring_entry - prepare the kernel t 1914 * __audit_uring_entry - prepare the kernel task's audit context for io_uring
1894 * @op: the io_uring opcode 1915 * @op: the io_uring opcode
1895 * 1916 *
1896 * This is similar to audit_syscall_entry() b 1917 * This is similar to audit_syscall_entry() but is intended for use by io_uring
1897 * operations. This function should only eve 1918 * operations. This function should only ever be called from
1898 * audit_uring_entry() as we rely on the audi 1919 * audit_uring_entry() as we rely on the audit context checking present in that
1899 * function. 1920 * function.
1900 */ 1921 */
1901 void __audit_uring_entry(u8 op) 1922 void __audit_uring_entry(u8 op)
1902 { 1923 {
1903 struct audit_context *ctx = audit_con 1924 struct audit_context *ctx = audit_context();
1904 1925
1905 if (ctx->state == AUDIT_STATE_DISABLE 1926 if (ctx->state == AUDIT_STATE_DISABLED)
1906 return; 1927 return;
1907 1928
1908 /* 1929 /*
1909 * NOTE: It's possible that we can be 1930 * NOTE: It's possible that we can be called from the process' context
1910 * before it returns to userspa 1931 * before it returns to userspace, and before audit_syscall_exit()
1911 * is called. In this case the 1932 * is called. In this case there is not much to do, just record
1912 * the io_uring details and ret 1933 * the io_uring details and return.
1913 */ 1934 */
1914 ctx->uring_op = op; 1935 ctx->uring_op = op;
1915 if (ctx->context == AUDIT_CTX_SYSCALL 1936 if (ctx->context == AUDIT_CTX_SYSCALL)
1916 return; 1937 return;
1917 1938
1918 ctx->dummy = !audit_n_rules; 1939 ctx->dummy = !audit_n_rules;
1919 if (!ctx->dummy && ctx->state == AUDI 1940 if (!ctx->dummy && ctx->state == AUDIT_STATE_BUILD)
1920 ctx->prio = 0; 1941 ctx->prio = 0;
1921 1942
1922 ctx->context = AUDIT_CTX_URING; 1943 ctx->context = AUDIT_CTX_URING;
1923 ctx->current_state = ctx->state; 1944 ctx->current_state = ctx->state;
1924 ktime_get_coarse_real_ts64(&ctx->ctim 1945 ktime_get_coarse_real_ts64(&ctx->ctime);
1925 } 1946 }
1926 1947
1927 /** 1948 /**
1928 * __audit_uring_exit - wrap up the kernel ta 1949 * __audit_uring_exit - wrap up the kernel task's audit context after io_uring
1929 * @success: true/false value to indicate if 1950 * @success: true/false value to indicate if the operation succeeded or not
1930 * @code: operation return code 1951 * @code: operation return code
1931 * 1952 *
1932 * This is similar to audit_syscall_exit() bu 1953 * This is similar to audit_syscall_exit() but is intended for use by io_uring
1933 * operations. This function should only eve 1954 * operations. This function should only ever be called from
1934 * audit_uring_exit() as we rely on the audit 1955 * audit_uring_exit() as we rely on the audit context checking present in that
1935 * function. 1956 * function.
1936 */ 1957 */
1937 void __audit_uring_exit(int success, long cod 1958 void __audit_uring_exit(int success, long code)
1938 { 1959 {
1939 struct audit_context *ctx = audit_con 1960 struct audit_context *ctx = audit_context();
1940 1961
1941 if (ctx->dummy) { 1962 if (ctx->dummy) {
1942 if (ctx->context != AUDIT_CTX 1963 if (ctx->context != AUDIT_CTX_URING)
1943 return; 1964 return;
1944 goto out; 1965 goto out;
1945 } 1966 }
1946 1967
1947 audit_return_fixup(ctx, success, code <<
1948 if (ctx->context == AUDIT_CTX_SYSCALL 1968 if (ctx->context == AUDIT_CTX_SYSCALL) {
1949 /* 1969 /*
1950 * NOTE: See the note in __au 1970 * NOTE: See the note in __audit_uring_entry() about the case
1951 * where we may be call 1971 * where we may be called from process context before we
1952 * return to userspace 1972 * return to userspace via audit_syscall_exit(). In this
1953 * case we simply emit 1973 * case we simply emit a URINGOP record and bail, the
1954 * normal syscall exit 1974 * normal syscall exit handling will take care of
1955 * everything else. 1975 * everything else.
1956 * It is also worth men 1976 * It is also worth mentioning that when we are called,
1957 * the current process 1977 * the current process creds may differ from the creds
1958 * used during the norm 1978 * used during the normal syscall processing; keep that
1959 * in mind if/when we m 1979 * in mind if/when we move the record generation code.
1960 */ 1980 */
1961 1981
1962 /* 1982 /*
1963 * We need to filter on the s 1983 * We need to filter on the syscall info here to decide if we
1964 * should emit a URINGOP reco 1984 * should emit a URINGOP record. I know it seems odd but this
1965 * solves the problem where u 1985 * solves the problem where users have a filter to block *all*
1966 * syscall records in the "ex 1986 * syscall records in the "exit" filter; we want to preserve
1967 * the behavior here. 1987 * the behavior here.
1968 */ 1988 */
1969 audit_filter_syscall(current, 1989 audit_filter_syscall(current, ctx);
1970 if (ctx->current_state != AUD 1990 if (ctx->current_state != AUDIT_STATE_RECORD)
1971 audit_filter_uring(cu 1991 audit_filter_uring(current, ctx);
1972 audit_filter_inodes(current, 1992 audit_filter_inodes(current, ctx);
1973 if (ctx->current_state != AUD 1993 if (ctx->current_state != AUDIT_STATE_RECORD)
1974 return; 1994 return;
1975 1995
1976 audit_log_uring(ctx); 1996 audit_log_uring(ctx);
1977 return; 1997 return;
1978 } 1998 }
1979 1999
1980 /* this may generate CONFIG_CHANGE re 2000 /* this may generate CONFIG_CHANGE records */
1981 if (!list_empty(&ctx->killed_trees)) 2001 if (!list_empty(&ctx->killed_trees))
1982 audit_kill_trees(ctx); 2002 audit_kill_trees(ctx);
1983 2003
1984 /* run through both filters to ensure 2004 /* run through both filters to ensure we set the filterkey properly */
1985 audit_filter_uring(current, ctx); 2005 audit_filter_uring(current, ctx);
1986 audit_filter_inodes(current, ctx); 2006 audit_filter_inodes(current, ctx);
1987 if (ctx->current_state != AUDIT_STATE 2007 if (ctx->current_state != AUDIT_STATE_RECORD)
1988 goto out; 2008 goto out;
>> 2009 audit_return_fixup(ctx, success, code);
1989 audit_log_exit(); 2010 audit_log_exit();
1990 2011
1991 out: 2012 out:
1992 audit_reset_context(ctx); 2013 audit_reset_context(ctx);
1993 } 2014 }
1994 2015
1995 /** 2016 /**
1996 * __audit_syscall_entry - fill in an audit r 2017 * __audit_syscall_entry - fill in an audit record at syscall entry
1997 * @major: major syscall type (function) 2018 * @major: major syscall type (function)
1998 * @a1: additional syscall register 1 2019 * @a1: additional syscall register 1
1999 * @a2: additional syscall register 2 2020 * @a2: additional syscall register 2
2000 * @a3: additional syscall register 3 2021 * @a3: additional syscall register 3
2001 * @a4: additional syscall register 4 2022 * @a4: additional syscall register 4
2002 * 2023 *
2003 * Fill in audit context at syscall entry. T 2024 * Fill in audit context at syscall entry. This only happens if the
2004 * audit context was created when the task wa 2025 * audit context was created when the task was created and the state or
2005 * filters demand the audit context be built. 2026 * filters demand the audit context be built. If the state from the
2006 * per-task filter or from the per-syscall fi 2027 * per-task filter or from the per-syscall filter is AUDIT_STATE_RECORD,
2007 * then the record will be written at syscall 2028 * then the record will be written at syscall exit time (otherwise, it
2008 * will only be written if another part of th 2029 * will only be written if another part of the kernel requests that it
2009 * be written). 2030 * be written).
2010 */ 2031 */
2011 void __audit_syscall_entry(int major, unsigne 2032 void __audit_syscall_entry(int major, unsigned long a1, unsigned long a2,
2012 unsigned long a3, 2033 unsigned long a3, unsigned long a4)
2013 { 2034 {
2014 struct audit_context *context = audit 2035 struct audit_context *context = audit_context();
2015 enum audit_state state; 2036 enum audit_state state;
2016 2037
2017 if (!audit_enabled || !context) 2038 if (!audit_enabled || !context)
2018 return; 2039 return;
2019 2040
2020 WARN_ON(context->context != AUDIT_CTX 2041 WARN_ON(context->context != AUDIT_CTX_UNUSED);
2021 WARN_ON(context->name_count); 2042 WARN_ON(context->name_count);
2022 if (context->context != AUDIT_CTX_UNU 2043 if (context->context != AUDIT_CTX_UNUSED || context->name_count) {
2023 audit_panic("unrecoverable er 2044 audit_panic("unrecoverable error in audit_syscall_entry()");
2024 return; 2045 return;
2025 } 2046 }
2026 2047
2027 state = context->state; 2048 state = context->state;
2028 if (state == AUDIT_STATE_DISABLED) 2049 if (state == AUDIT_STATE_DISABLED)
2029 return; 2050 return;
2030 2051
2031 context->dummy = !audit_n_rules; 2052 context->dummy = !audit_n_rules;
2032 if (!context->dummy && state == AUDIT 2053 if (!context->dummy && state == AUDIT_STATE_BUILD) {
2033 context->prio = 0; 2054 context->prio = 0;
2034 if (auditd_test_task(current) 2055 if (auditd_test_task(current))
2035 return; 2056 return;
2036 } 2057 }
2037 2058
2038 context->arch = syscall_get_arc 2059 context->arch = syscall_get_arch(current);
2039 context->major = major; 2060 context->major = major;
2040 context->argv[0] = a1; 2061 context->argv[0] = a1;
2041 context->argv[1] = a2; 2062 context->argv[1] = a2;
2042 context->argv[2] = a3; 2063 context->argv[2] = a3;
2043 context->argv[3] = a4; 2064 context->argv[3] = a4;
2044 context->context = AUDIT_CTX_SYSCALL; 2065 context->context = AUDIT_CTX_SYSCALL;
2045 context->current_state = state; 2066 context->current_state = state;
2046 ktime_get_coarse_real_ts64(&context-> 2067 ktime_get_coarse_real_ts64(&context->ctime);
2047 } 2068 }
2048 2069
2049 /** 2070 /**
2050 * __audit_syscall_exit - deallocate audit co 2071 * __audit_syscall_exit - deallocate audit context after a system call
2051 * @success: success value of the syscall 2072 * @success: success value of the syscall
2052 * @return_code: return value of the syscall 2073 * @return_code: return value of the syscall
2053 * 2074 *
2054 * Tear down after system call. If the audit 2075 * Tear down after system call. If the audit context has been marked as
2055 * auditable (either because of the AUDIT_STA 2076 * auditable (either because of the AUDIT_STATE_RECORD state from
2056 * filtering, or because some other part of t 2077 * filtering, or because some other part of the kernel wrote an audit
2057 * message), then write out the syscall infor 2078 * message), then write out the syscall information. In call cases,
2058 * free the names stored from getname(). 2079 * free the names stored from getname().
2059 */ 2080 */
2060 void __audit_syscall_exit(int success, long r 2081 void __audit_syscall_exit(int success, long return_code)
2061 { 2082 {
2062 struct audit_context *context = audit 2083 struct audit_context *context = audit_context();
2063 2084
2064 if (!context || context->dummy || 2085 if (!context || context->dummy ||
2065 context->context != AUDIT_CTX_SYS 2086 context->context != AUDIT_CTX_SYSCALL)
2066 goto out; 2087 goto out;
2067 2088
2068 /* this may generate CONFIG_CHANGE re 2089 /* this may generate CONFIG_CHANGE records */
2069 if (!list_empty(&context->killed_tree 2090 if (!list_empty(&context->killed_trees))
2070 audit_kill_trees(context); 2091 audit_kill_trees(context);
2071 2092
2072 audit_return_fixup(context, success, <<
2073 /* run through both filters to ensure 2093 /* run through both filters to ensure we set the filterkey properly */
2074 audit_filter_syscall(current, context 2094 audit_filter_syscall(current, context);
2075 audit_filter_inodes(current, context) 2095 audit_filter_inodes(current, context);
2076 if (context->current_state != AUDIT_S !! 2096 if (context->current_state < AUDIT_STATE_RECORD)
2077 goto out; 2097 goto out;
2078 2098
>> 2099 audit_return_fixup(context, success, return_code);
2079 audit_log_exit(); 2100 audit_log_exit();
2080 2101
2081 out: 2102 out:
2082 audit_reset_context(context); 2103 audit_reset_context(context);
2083 } 2104 }
2084 2105
2085 static inline void handle_one(const struct in 2106 static inline void handle_one(const struct inode *inode)
2086 { 2107 {
2087 struct audit_context *context; 2108 struct audit_context *context;
2088 struct audit_tree_refs *p; 2109 struct audit_tree_refs *p;
2089 struct audit_chunk *chunk; 2110 struct audit_chunk *chunk;
2090 int count; 2111 int count;
2091 2112
2092 if (likely(!inode->i_fsnotify_marks)) 2113 if (likely(!inode->i_fsnotify_marks))
2093 return; 2114 return;
2094 context = audit_context(); 2115 context = audit_context();
2095 p = context->trees; 2116 p = context->trees;
2096 count = context->tree_count; 2117 count = context->tree_count;
2097 rcu_read_lock(); 2118 rcu_read_lock();
2098 chunk = audit_tree_lookup(inode); 2119 chunk = audit_tree_lookup(inode);
2099 rcu_read_unlock(); 2120 rcu_read_unlock();
2100 if (!chunk) 2121 if (!chunk)
2101 return; 2122 return;
2102 if (likely(put_tree_ref(context, chun 2123 if (likely(put_tree_ref(context, chunk)))
2103 return; 2124 return;
2104 if (unlikely(!grow_tree_refs(context) 2125 if (unlikely(!grow_tree_refs(context))) {
2105 pr_warn("out of memory, audit 2126 pr_warn("out of memory, audit has lost a tree reference\n");
2106 audit_set_auditable(context); 2127 audit_set_auditable(context);
2107 audit_put_chunk(chunk); 2128 audit_put_chunk(chunk);
2108 unroll_tree_refs(context, p, 2129 unroll_tree_refs(context, p, count);
2109 return; 2130 return;
2110 } 2131 }
2111 put_tree_ref(context, chunk); 2132 put_tree_ref(context, chunk);
2112 } 2133 }
2113 2134
2114 static void handle_path(const struct dentry * 2135 static void handle_path(const struct dentry *dentry)
2115 { 2136 {
2116 struct audit_context *context; 2137 struct audit_context *context;
2117 struct audit_tree_refs *p; 2138 struct audit_tree_refs *p;
2118 const struct dentry *d, *parent; 2139 const struct dentry *d, *parent;
2119 struct audit_chunk *drop; 2140 struct audit_chunk *drop;
2120 unsigned long seq; 2141 unsigned long seq;
2121 int count; 2142 int count;
2122 2143
2123 context = audit_context(); 2144 context = audit_context();
2124 p = context->trees; 2145 p = context->trees;
2125 count = context->tree_count; 2146 count = context->tree_count;
2126 retry: 2147 retry:
2127 drop = NULL; 2148 drop = NULL;
2128 d = dentry; 2149 d = dentry;
2129 rcu_read_lock(); 2150 rcu_read_lock();
2130 seq = read_seqbegin(&rename_lock); 2151 seq = read_seqbegin(&rename_lock);
2131 for (;;) { !! 2152 for(;;) {
2132 struct inode *inode = d_backi 2153 struct inode *inode = d_backing_inode(d);
2133 2154
2134 if (inode && unlikely(inode-> 2155 if (inode && unlikely(inode->i_fsnotify_marks)) {
2135 struct audit_chunk *c 2156 struct audit_chunk *chunk;
2136 2157
2137 chunk = audit_tree_lo 2158 chunk = audit_tree_lookup(inode);
2138 if (chunk) { 2159 if (chunk) {
2139 if (unlikely( 2160 if (unlikely(!put_tree_ref(context, chunk))) {
2140 drop 2161 drop = chunk;
2141 break 2162 break;
2142 } 2163 }
2143 } 2164 }
2144 } 2165 }
2145 parent = d->d_parent; 2166 parent = d->d_parent;
2146 if (parent == d) 2167 if (parent == d)
2147 break; 2168 break;
2148 d = parent; 2169 d = parent;
2149 } 2170 }
2150 if (unlikely(read_seqretry(&rename_lo 2171 if (unlikely(read_seqretry(&rename_lock, seq) || drop)) { /* in this order */
2151 rcu_read_unlock(); 2172 rcu_read_unlock();
2152 if (!drop) { 2173 if (!drop) {
2153 /* just a race with r 2174 /* just a race with rename */
2154 unroll_tree_refs(cont 2175 unroll_tree_refs(context, p, count);
2155 goto retry; 2176 goto retry;
2156 } 2177 }
2157 audit_put_chunk(drop); 2178 audit_put_chunk(drop);
2158 if (grow_tree_refs(context)) 2179 if (grow_tree_refs(context)) {
2159 /* OK, got more space 2180 /* OK, got more space */
2160 unroll_tree_refs(cont 2181 unroll_tree_refs(context, p, count);
2161 goto retry; 2182 goto retry;
2162 } 2183 }
2163 /* too bad */ 2184 /* too bad */
2164 pr_warn("out of memory, audit 2185 pr_warn("out of memory, audit has lost a tree reference\n");
2165 unroll_tree_refs(context, p, 2186 unroll_tree_refs(context, p, count);
2166 audit_set_auditable(context); 2187 audit_set_auditable(context);
2167 return; 2188 return;
2168 } 2189 }
2169 rcu_read_unlock(); 2190 rcu_read_unlock();
2170 } 2191 }
2171 2192
2172 static struct audit_names *audit_alloc_name(s 2193 static struct audit_names *audit_alloc_name(struct audit_context *context,
2173 2194 unsigned char type)
2174 { 2195 {
2175 struct audit_names *aname; 2196 struct audit_names *aname;
2176 2197
2177 if (context->name_count < AUDIT_NAMES 2198 if (context->name_count < AUDIT_NAMES) {
2178 aname = &context->preallocate 2199 aname = &context->preallocated_names[context->name_count];
2179 memset(aname, 0, sizeof(*anam 2200 memset(aname, 0, sizeof(*aname));
2180 } else { 2201 } else {
2181 aname = kzalloc(sizeof(*aname 2202 aname = kzalloc(sizeof(*aname), GFP_NOFS);
2182 if (!aname) 2203 if (!aname)
2183 return NULL; 2204 return NULL;
2184 aname->should_free = true; 2205 aname->should_free = true;
2185 } 2206 }
2186 2207
2187 aname->ino = AUDIT_INO_UNSET; 2208 aname->ino = AUDIT_INO_UNSET;
2188 aname->type = type; 2209 aname->type = type;
2189 list_add_tail(&aname->list, &context- 2210 list_add_tail(&aname->list, &context->names_list);
2190 2211
2191 context->name_count++; 2212 context->name_count++;
2192 if (!context->pwd.dentry) 2213 if (!context->pwd.dentry)
2193 get_fs_pwd(current->fs, &cont 2214 get_fs_pwd(current->fs, &context->pwd);
2194 return aname; 2215 return aname;
2195 } 2216 }
2196 2217
2197 /** 2218 /**
2198 * __audit_reusename - fill out filename with 2219 * __audit_reusename - fill out filename with info from existing entry
2199 * @uptr: userland ptr to pathname 2220 * @uptr: userland ptr to pathname
2200 * 2221 *
2201 * Search the audit_names list for the curren 2222 * Search the audit_names list for the current audit context. If there is an
2202 * existing entry with a matching "uptr" then 2223 * existing entry with a matching "uptr" then return the filename
2203 * associated with that audit_name. If not, r 2224 * associated with that audit_name. If not, return NULL.
2204 */ 2225 */
2205 struct filename * 2226 struct filename *
2206 __audit_reusename(const __user char *uptr) 2227 __audit_reusename(const __user char *uptr)
2207 { 2228 {
2208 struct audit_context *context = audit 2229 struct audit_context *context = audit_context();
2209 struct audit_names *n; 2230 struct audit_names *n;
2210 2231
2211 list_for_each_entry(n, &context->name 2232 list_for_each_entry(n, &context->names_list, list) {
2212 if (!n->name) 2233 if (!n->name)
2213 continue; 2234 continue;
2214 if (n->name->uptr == uptr) { 2235 if (n->name->uptr == uptr) {
2215 atomic_inc(&n->name-> !! 2236 n->name->refcnt++;
2216 return n->name; 2237 return n->name;
2217 } 2238 }
2218 } 2239 }
2219 return NULL; 2240 return NULL;
2220 } 2241 }
2221 2242
2222 /** 2243 /**
2223 * __audit_getname - add a name to the list 2244 * __audit_getname - add a name to the list
2224 * @name: name to add 2245 * @name: name to add
2225 * 2246 *
2226 * Add a name to the list of audit names for 2247 * Add a name to the list of audit names for this context.
2227 * Called from fs/namei.c:getname(). 2248 * Called from fs/namei.c:getname().
2228 */ 2249 */
2229 void __audit_getname(struct filename *name) 2250 void __audit_getname(struct filename *name)
2230 { 2251 {
2231 struct audit_context *context = audit 2252 struct audit_context *context = audit_context();
2232 struct audit_names *n; 2253 struct audit_names *n;
2233 2254
2234 if (context->context == AUDIT_CTX_UNU 2255 if (context->context == AUDIT_CTX_UNUSED)
2235 return; 2256 return;
2236 2257
2237 n = audit_alloc_name(context, AUDIT_T 2258 n = audit_alloc_name(context, AUDIT_TYPE_UNKNOWN);
2238 if (!n) 2259 if (!n)
2239 return; 2260 return;
2240 2261
2241 n->name = name; 2262 n->name = name;
2242 n->name_len = AUDIT_NAME_FULL; 2263 n->name_len = AUDIT_NAME_FULL;
2243 name->aname = n; 2264 name->aname = n;
2244 atomic_inc(&name->refcnt); !! 2265 name->refcnt++;
2245 } 2266 }
2246 2267
2247 static inline int audit_copy_fcaps(struct aud 2268 static inline int audit_copy_fcaps(struct audit_names *name,
2248 const stru 2269 const struct dentry *dentry)
2249 { 2270 {
2250 struct cpu_vfs_cap_data caps; 2271 struct cpu_vfs_cap_data caps;
2251 int rc; 2272 int rc;
2252 2273
2253 if (!dentry) 2274 if (!dentry)
2254 return 0; 2275 return 0;
2255 2276
2256 rc = get_vfs_caps_from_disk(&nop_mnt_ !! 2277 rc = get_vfs_caps_from_disk(&init_user_ns, dentry, &caps);
2257 if (rc) 2278 if (rc)
2258 return rc; 2279 return rc;
2259 2280
2260 name->fcap.permitted = caps.permitted 2281 name->fcap.permitted = caps.permitted;
2261 name->fcap.inheritable = caps.inherit 2282 name->fcap.inheritable = caps.inheritable;
2262 name->fcap.fE = !!(caps.magic_etc & V 2283 name->fcap.fE = !!(caps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE);
2263 name->fcap.rootid = caps.rootid; 2284 name->fcap.rootid = caps.rootid;
2264 name->fcap_ver = (caps.magic_etc & VF 2285 name->fcap_ver = (caps.magic_etc & VFS_CAP_REVISION_MASK) >>
2265 VFS_CAP_REVIS 2286 VFS_CAP_REVISION_SHIFT;
2266 2287
2267 return 0; 2288 return 0;
2268 } 2289 }
2269 2290
2270 /* Copy inode data into an audit_names. */ 2291 /* Copy inode data into an audit_names. */
2271 static void audit_copy_inode(struct audit_nam 2292 static void audit_copy_inode(struct audit_names *name,
2272 const struct den 2293 const struct dentry *dentry,
2273 struct inode *in 2294 struct inode *inode, unsigned int flags)
2274 { 2295 {
2275 name->ino = inode->i_ino; 2296 name->ino = inode->i_ino;
2276 name->dev = inode->i_sb->s_dev; 2297 name->dev = inode->i_sb->s_dev;
2277 name->mode = inode->i_mode; 2298 name->mode = inode->i_mode;
2278 name->uid = inode->i_uid; 2299 name->uid = inode->i_uid;
2279 name->gid = inode->i_gid; 2300 name->gid = inode->i_gid;
2280 name->rdev = inode->i_rdev; 2301 name->rdev = inode->i_rdev;
2281 security_inode_getsecid(inode, &name- 2302 security_inode_getsecid(inode, &name->osid);
2282 if (flags & AUDIT_INODE_NOEVAL) { 2303 if (flags & AUDIT_INODE_NOEVAL) {
2283 name->fcap_ver = -1; 2304 name->fcap_ver = -1;
2284 return; 2305 return;
2285 } 2306 }
2286 audit_copy_fcaps(name, dentry); 2307 audit_copy_fcaps(name, dentry);
2287 } 2308 }
2288 2309
2289 /** 2310 /**
2290 * __audit_inode - store the inode and device 2311 * __audit_inode - store the inode and device from a lookup
2291 * @name: name being audited 2312 * @name: name being audited
2292 * @dentry: dentry being audited 2313 * @dentry: dentry being audited
2293 * @flags: attributes for this particular ent 2314 * @flags: attributes for this particular entry
2294 */ 2315 */
2295 void __audit_inode(struct filename *name, con 2316 void __audit_inode(struct filename *name, const struct dentry *dentry,
2296 unsigned int flags) 2317 unsigned int flags)
2297 { 2318 {
2298 struct audit_context *context = audit 2319 struct audit_context *context = audit_context();
2299 struct inode *inode = d_backing_inode 2320 struct inode *inode = d_backing_inode(dentry);
2300 struct audit_names *n; 2321 struct audit_names *n;
2301 bool parent = flags & AUDIT_INODE_PAR 2322 bool parent = flags & AUDIT_INODE_PARENT;
2302 struct audit_entry *e; 2323 struct audit_entry *e;
2303 struct list_head *list = &audit_filte 2324 struct list_head *list = &audit_filter_list[AUDIT_FILTER_FS];
2304 int i; 2325 int i;
2305 2326
2306 if (context->context == AUDIT_CTX_UNU 2327 if (context->context == AUDIT_CTX_UNUSED)
2307 return; 2328 return;
2308 2329
2309 rcu_read_lock(); 2330 rcu_read_lock();
2310 list_for_each_entry_rcu(e, list, list 2331 list_for_each_entry_rcu(e, list, list) {
2311 for (i = 0; i < e->rule.field 2332 for (i = 0; i < e->rule.field_count; i++) {
2312 struct audit_field *f 2333 struct audit_field *f = &e->rule.fields[i];
2313 2334
2314 if (f->type == AUDIT_ 2335 if (f->type == AUDIT_FSTYPE
2315 && audit_comparat 2336 && audit_comparator(inode->i_sb->s_magic,
2316 2337 f->op, f->val)
2317 && e->rule.action 2338 && e->rule.action == AUDIT_NEVER) {
2318 rcu_read_unlo 2339 rcu_read_unlock();
2319 return; 2340 return;
2320 } 2341 }
2321 } 2342 }
2322 } 2343 }
2323 rcu_read_unlock(); 2344 rcu_read_unlock();
2324 2345
2325 if (!name) 2346 if (!name)
2326 goto out_alloc; 2347 goto out_alloc;
2327 2348
2328 /* 2349 /*
2329 * If we have a pointer to an audit_n 2350 * If we have a pointer to an audit_names entry already, then we can
2330 * just use it directly if the type i 2351 * just use it directly if the type is correct.
2331 */ 2352 */
2332 n = name->aname; 2353 n = name->aname;
2333 if (n) { 2354 if (n) {
2334 if (parent) { 2355 if (parent) {
2335 if (n->type == AUDIT_ 2356 if (n->type == AUDIT_TYPE_PARENT ||
2336 n->type == AUDIT_ 2357 n->type == AUDIT_TYPE_UNKNOWN)
2337 goto out; 2358 goto out;
2338 } else { 2359 } else {
2339 if (n->type != AUDIT_ 2360 if (n->type != AUDIT_TYPE_PARENT)
2340 goto out; 2361 goto out;
2341 } 2362 }
2342 } 2363 }
2343 2364
2344 list_for_each_entry_reverse(n, &conte 2365 list_for_each_entry_reverse(n, &context->names_list, list) {
2345 if (n->ino) { 2366 if (n->ino) {
2346 /* valid inode number 2367 /* valid inode number, use that for the comparison */
2347 if (n->ino != inode-> 2368 if (n->ino != inode->i_ino ||
2348 n->dev != inode-> 2369 n->dev != inode->i_sb->s_dev)
2349 continue; 2370 continue;
2350 } else if (n->name) { 2371 } else if (n->name) {
2351 /* inode number has n 2372 /* inode number has not been set, check the name */
2352 if (strcmp(n->name->n 2373 if (strcmp(n->name->name, name->name))
2353 continue; 2374 continue;
2354 } else 2375 } else
2355 /* no inode and no na 2376 /* no inode and no name (?!) ... this is odd ... */
2356 continue; 2377 continue;
2357 2378
2358 /* match the correct record t 2379 /* match the correct record type */
2359 if (parent) { 2380 if (parent) {
2360 if (n->type == AUDIT_ 2381 if (n->type == AUDIT_TYPE_PARENT ||
2361 n->type == AUDIT_ 2382 n->type == AUDIT_TYPE_UNKNOWN)
2362 goto out; 2383 goto out;
2363 } else { 2384 } else {
2364 if (n->type != AUDIT_ 2385 if (n->type != AUDIT_TYPE_PARENT)
2365 goto out; 2386 goto out;
2366 } 2387 }
2367 } 2388 }
2368 2389
2369 out_alloc: 2390 out_alloc:
2370 /* unable to find an entry with both 2391 /* unable to find an entry with both a matching name and type */
2371 n = audit_alloc_name(context, AUDIT_T 2392 n = audit_alloc_name(context, AUDIT_TYPE_UNKNOWN);
2372 if (!n) 2393 if (!n)
2373 return; 2394 return;
2374 if (name) { 2395 if (name) {
2375 n->name = name; 2396 n->name = name;
2376 atomic_inc(&name->refcnt); !! 2397 name->refcnt++;
2377 } 2398 }
2378 2399
2379 out: 2400 out:
2380 if (parent) { 2401 if (parent) {
2381 n->name_len = n->name ? paren 2402 n->name_len = n->name ? parent_len(n->name->name) : AUDIT_NAME_FULL;
2382 n->type = AUDIT_TYPE_PARENT; 2403 n->type = AUDIT_TYPE_PARENT;
2383 if (flags & AUDIT_INODE_HIDDE 2404 if (flags & AUDIT_INODE_HIDDEN)
2384 n->hidden = true; 2405 n->hidden = true;
2385 } else { 2406 } else {
2386 n->name_len = AUDIT_NAME_FULL 2407 n->name_len = AUDIT_NAME_FULL;
2387 n->type = AUDIT_TYPE_NORMAL; 2408 n->type = AUDIT_TYPE_NORMAL;
2388 } 2409 }
2389 handle_path(dentry); 2410 handle_path(dentry);
2390 audit_copy_inode(n, dentry, inode, fl 2411 audit_copy_inode(n, dentry, inode, flags & AUDIT_INODE_NOEVAL);
2391 } 2412 }
2392 2413
2393 void __audit_file(const struct file *file) 2414 void __audit_file(const struct file *file)
2394 { 2415 {
2395 __audit_inode(NULL, file->f_path.dent 2416 __audit_inode(NULL, file->f_path.dentry, 0);
2396 } 2417 }
2397 2418
2398 /** 2419 /**
2399 * __audit_inode_child - collect inode info f 2420 * __audit_inode_child - collect inode info for created/removed objects
2400 * @parent: inode of dentry parent 2421 * @parent: inode of dentry parent
2401 * @dentry: dentry being audited 2422 * @dentry: dentry being audited
2402 * @type: AUDIT_TYPE_* value that we're loo 2423 * @type: AUDIT_TYPE_* value that we're looking for
2403 * 2424 *
2404 * For syscalls that create or remove filesys 2425 * For syscalls that create or remove filesystem objects, audit_inode
2405 * can only collect information for the files 2426 * can only collect information for the filesystem object's parent.
2406 * This call updates the audit context with t 2427 * This call updates the audit context with the child's information.
2407 * Syscalls that create a new filesystem obje 2428 * Syscalls that create a new filesystem object must be hooked after
2408 * the object is created. Syscalls that remo 2429 * the object is created. Syscalls that remove a filesystem object
2409 * must be hooked prior, in order to capture 2430 * must be hooked prior, in order to capture the target inode during
2410 * unsuccessful attempts. 2431 * unsuccessful attempts.
2411 */ 2432 */
2412 void __audit_inode_child(struct inode *parent 2433 void __audit_inode_child(struct inode *parent,
2413 const struct dentry 2434 const struct dentry *dentry,
2414 const unsigned char 2435 const unsigned char type)
2415 { 2436 {
2416 struct audit_context *context = audit 2437 struct audit_context *context = audit_context();
2417 struct inode *inode = d_backing_inode 2438 struct inode *inode = d_backing_inode(dentry);
2418 const struct qstr *dname = &dentry->d 2439 const struct qstr *dname = &dentry->d_name;
2419 struct audit_names *n, *found_parent 2440 struct audit_names *n, *found_parent = NULL, *found_child = NULL;
2420 struct audit_entry *e; 2441 struct audit_entry *e;
2421 struct list_head *list = &audit_filte 2442 struct list_head *list = &audit_filter_list[AUDIT_FILTER_FS];
2422 int i; 2443 int i;
2423 2444
2424 if (context->context == AUDIT_CTX_UNU 2445 if (context->context == AUDIT_CTX_UNUSED)
2425 return; 2446 return;
2426 2447
2427 rcu_read_lock(); 2448 rcu_read_lock();
2428 list_for_each_entry_rcu(e, list, list 2449 list_for_each_entry_rcu(e, list, list) {
2429 for (i = 0; i < e->rule.field 2450 for (i = 0; i < e->rule.field_count; i++) {
2430 struct audit_field *f 2451 struct audit_field *f = &e->rule.fields[i];
2431 2452
2432 if (f->type == AUDIT_ 2453 if (f->type == AUDIT_FSTYPE
2433 && audit_comparat 2454 && audit_comparator(parent->i_sb->s_magic,
2434 2455 f->op, f->val)
2435 && e->rule.action 2456 && e->rule.action == AUDIT_NEVER) {
2436 rcu_read_unlo 2457 rcu_read_unlock();
2437 return; 2458 return;
2438 } 2459 }
2439 } 2460 }
2440 } 2461 }
2441 rcu_read_unlock(); 2462 rcu_read_unlock();
2442 2463
2443 if (inode) 2464 if (inode)
2444 handle_one(inode); 2465 handle_one(inode);
2445 2466
2446 /* look for a parent entry first */ 2467 /* look for a parent entry first */
2447 list_for_each_entry(n, &context->name 2468 list_for_each_entry(n, &context->names_list, list) {
2448 if (!n->name || 2469 if (!n->name ||
2449 (n->type != AUDIT_TYPE_PA 2470 (n->type != AUDIT_TYPE_PARENT &&
2450 n->type != AUDIT_TYPE_UN 2471 n->type != AUDIT_TYPE_UNKNOWN))
2451 continue; 2472 continue;
2452 2473
2453 if (n->ino == parent->i_ino & 2474 if (n->ino == parent->i_ino && n->dev == parent->i_sb->s_dev &&
2454 !audit_compare_dname_path 2475 !audit_compare_dname_path(dname,
2455 2476 n->name->name, n->name_len)) {
2456 if (n->type == AUDIT_ 2477 if (n->type == AUDIT_TYPE_UNKNOWN)
2457 n->type = AUD 2478 n->type = AUDIT_TYPE_PARENT;
2458 found_parent = n; 2479 found_parent = n;
2459 break; 2480 break;
2460 } 2481 }
2461 } 2482 }
2462 2483
2463 cond_resched(); <<
2464 <<
2465 /* is there a matching child entry? * 2484 /* is there a matching child entry? */
2466 list_for_each_entry(n, &context->name 2485 list_for_each_entry(n, &context->names_list, list) {
2467 /* can only match entries tha 2486 /* can only match entries that have a name */
2468 if (!n->name || 2487 if (!n->name ||
2469 (n->type != type && n->ty 2488 (n->type != type && n->type != AUDIT_TYPE_UNKNOWN))
2470 continue; 2489 continue;
2471 2490
2472 if (!strcmp(dname->name, n->n 2491 if (!strcmp(dname->name, n->name->name) ||
2473 !audit_compare_dname_path 2492 !audit_compare_dname_path(dname, n->name->name,
2474 2493 found_parent ?
2475 2494 found_parent->name_len :
2476 2495 AUDIT_NAME_FULL)) {
2477 if (n->type == AUDIT_ 2496 if (n->type == AUDIT_TYPE_UNKNOWN)
2478 n->type = typ 2497 n->type = type;
2479 found_child = n; 2498 found_child = n;
2480 break; 2499 break;
2481 } 2500 }
2482 } 2501 }
2483 2502
2484 if (!found_parent) { 2503 if (!found_parent) {
2485 /* create a new, "anonymous" 2504 /* create a new, "anonymous" parent record */
2486 n = audit_alloc_name(context, 2505 n = audit_alloc_name(context, AUDIT_TYPE_PARENT);
2487 if (!n) 2506 if (!n)
2488 return; 2507 return;
2489 audit_copy_inode(n, NULL, par 2508 audit_copy_inode(n, NULL, parent, 0);
2490 } 2509 }
2491 2510
2492 if (!found_child) { 2511 if (!found_child) {
2493 found_child = audit_alloc_nam 2512 found_child = audit_alloc_name(context, type);
2494 if (!found_child) 2513 if (!found_child)
2495 return; 2514 return;
2496 2515
2497 /* Re-use the name belonging 2516 /* Re-use the name belonging to the slot for a matching parent
2498 * directory. All names for t 2517 * directory. All names for this context are relinquished in
2499 * audit_free_names() */ 2518 * audit_free_names() */
2500 if (found_parent) { 2519 if (found_parent) {
2501 found_child->name = f 2520 found_child->name = found_parent->name;
2502 found_child->name_len 2521 found_child->name_len = AUDIT_NAME_FULL;
2503 atomic_inc(&found_chi !! 2522 found_child->name->refcnt++;
2504 } 2523 }
2505 } 2524 }
2506 2525
2507 if (inode) 2526 if (inode)
2508 audit_copy_inode(found_child, 2527 audit_copy_inode(found_child, dentry, inode, 0);
2509 else 2528 else
2510 found_child->ino = AUDIT_INO_ 2529 found_child->ino = AUDIT_INO_UNSET;
2511 } 2530 }
2512 EXPORT_SYMBOL_GPL(__audit_inode_child); 2531 EXPORT_SYMBOL_GPL(__audit_inode_child);
2513 2532
2514 /** 2533 /**
2515 * auditsc_get_stamp - get local copies of au 2534 * auditsc_get_stamp - get local copies of audit_context values
2516 * @ctx: audit_context for the task 2535 * @ctx: audit_context for the task
2517 * @t: timespec64 to store time recorded in t 2536 * @t: timespec64 to store time recorded in the audit_context
2518 * @serial: serial value that is recorded in 2537 * @serial: serial value that is recorded in the audit_context
2519 * 2538 *
2520 * Also sets the context as auditable. 2539 * Also sets the context as auditable.
2521 */ 2540 */
2522 int auditsc_get_stamp(struct audit_context *c 2541 int auditsc_get_stamp(struct audit_context *ctx,
2523 struct timespec64 *t, 2542 struct timespec64 *t, unsigned int *serial)
2524 { 2543 {
2525 if (ctx->context == AUDIT_CTX_UNUSED) 2544 if (ctx->context == AUDIT_CTX_UNUSED)
2526 return 0; 2545 return 0;
2527 if (!ctx->serial) 2546 if (!ctx->serial)
2528 ctx->serial = audit_serial(); 2547 ctx->serial = audit_serial();
2529 t->tv_sec = ctx->ctime.tv_sec; 2548 t->tv_sec = ctx->ctime.tv_sec;
2530 t->tv_nsec = ctx->ctime.tv_nsec; 2549 t->tv_nsec = ctx->ctime.tv_nsec;
2531 *serial = ctx->serial; 2550 *serial = ctx->serial;
2532 if (!ctx->prio) { 2551 if (!ctx->prio) {
2533 ctx->prio = 1; 2552 ctx->prio = 1;
2534 ctx->current_state = AUDIT_ST 2553 ctx->current_state = AUDIT_STATE_RECORD;
2535 } 2554 }
2536 return 1; 2555 return 1;
2537 } 2556 }
2538 2557
2539 /** 2558 /**
2540 * __audit_mq_open - record audit data for a 2559 * __audit_mq_open - record audit data for a POSIX MQ open
2541 * @oflag: open flag 2560 * @oflag: open flag
2542 * @mode: mode bits 2561 * @mode: mode bits
2543 * @attr: queue attributes 2562 * @attr: queue attributes
2544 * 2563 *
2545 */ 2564 */
2546 void __audit_mq_open(int oflag, umode_t mode, 2565 void __audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr)
2547 { 2566 {
2548 struct audit_context *context = audit 2567 struct audit_context *context = audit_context();
2549 2568
2550 if (attr) 2569 if (attr)
2551 memcpy(&context->mq_open.attr 2570 memcpy(&context->mq_open.attr, attr, sizeof(struct mq_attr));
2552 else 2571 else
2553 memset(&context->mq_open.attr 2572 memset(&context->mq_open.attr, 0, sizeof(struct mq_attr));
2554 2573
2555 context->mq_open.oflag = oflag; 2574 context->mq_open.oflag = oflag;
2556 context->mq_open.mode = mode; 2575 context->mq_open.mode = mode;
2557 2576
2558 context->type = AUDIT_MQ_OPEN; 2577 context->type = AUDIT_MQ_OPEN;
2559 } 2578 }
2560 2579
2561 /** 2580 /**
2562 * __audit_mq_sendrecv - record audit data fo 2581 * __audit_mq_sendrecv - record audit data for a POSIX MQ timed send/receive
2563 * @mqdes: MQ descriptor 2582 * @mqdes: MQ descriptor
2564 * @msg_len: Message length 2583 * @msg_len: Message length
2565 * @msg_prio: Message priority 2584 * @msg_prio: Message priority
2566 * @abs_timeout: Message timeout in absolute 2585 * @abs_timeout: Message timeout in absolute time
2567 * 2586 *
2568 */ 2587 */
2569 void __audit_mq_sendrecv(mqd_t mqdes, size_t 2588 void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio,
2570 const struct timespec 2589 const struct timespec64 *abs_timeout)
2571 { 2590 {
2572 struct audit_context *context = audit 2591 struct audit_context *context = audit_context();
2573 struct timespec64 *p = &context->mq_s 2592 struct timespec64 *p = &context->mq_sendrecv.abs_timeout;
2574 2593
2575 if (abs_timeout) 2594 if (abs_timeout)
2576 memcpy(p, abs_timeout, sizeof 2595 memcpy(p, abs_timeout, sizeof(*p));
2577 else 2596 else
2578 memset(p, 0, sizeof(*p)); 2597 memset(p, 0, sizeof(*p));
2579 2598
2580 context->mq_sendrecv.mqdes = mqdes; 2599 context->mq_sendrecv.mqdes = mqdes;
2581 context->mq_sendrecv.msg_len = msg_le 2600 context->mq_sendrecv.msg_len = msg_len;
2582 context->mq_sendrecv.msg_prio = msg_p 2601 context->mq_sendrecv.msg_prio = msg_prio;
2583 2602
2584 context->type = AUDIT_MQ_SENDRECV; 2603 context->type = AUDIT_MQ_SENDRECV;
2585 } 2604 }
2586 2605
2587 /** 2606 /**
2588 * __audit_mq_notify - record audit data for 2607 * __audit_mq_notify - record audit data for a POSIX MQ notify
2589 * @mqdes: MQ descriptor 2608 * @mqdes: MQ descriptor
2590 * @notification: Notification event 2609 * @notification: Notification event
2591 * 2610 *
2592 */ 2611 */
2593 2612
2594 void __audit_mq_notify(mqd_t mqdes, const str 2613 void __audit_mq_notify(mqd_t mqdes, const struct sigevent *notification)
2595 { 2614 {
2596 struct audit_context *context = audit 2615 struct audit_context *context = audit_context();
2597 2616
2598 if (notification) 2617 if (notification)
2599 context->mq_notify.sigev_sign 2618 context->mq_notify.sigev_signo = notification->sigev_signo;
2600 else 2619 else
2601 context->mq_notify.sigev_sign 2620 context->mq_notify.sigev_signo = 0;
2602 2621
2603 context->mq_notify.mqdes = mqdes; 2622 context->mq_notify.mqdes = mqdes;
2604 context->type = AUDIT_MQ_NOTIFY; 2623 context->type = AUDIT_MQ_NOTIFY;
2605 } 2624 }
2606 2625
2607 /** 2626 /**
2608 * __audit_mq_getsetattr - record audit data 2627 * __audit_mq_getsetattr - record audit data for a POSIX MQ get/set attribute
2609 * @mqdes: MQ descriptor 2628 * @mqdes: MQ descriptor
2610 * @mqstat: MQ flags 2629 * @mqstat: MQ flags
2611 * 2630 *
2612 */ 2631 */
2613 void __audit_mq_getsetattr(mqd_t mqdes, struc 2632 void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat)
2614 { 2633 {
2615 struct audit_context *context = audit 2634 struct audit_context *context = audit_context();
2616 2635
2617 context->mq_getsetattr.mqdes = mqdes; 2636 context->mq_getsetattr.mqdes = mqdes;
2618 context->mq_getsetattr.mqstat = *mqst 2637 context->mq_getsetattr.mqstat = *mqstat;
2619 context->type = AUDIT_MQ_GETSETATTR; 2638 context->type = AUDIT_MQ_GETSETATTR;
2620 } 2639 }
2621 2640
2622 /** 2641 /**
2623 * __audit_ipc_obj - record audit data for ip 2642 * __audit_ipc_obj - record audit data for ipc object
2624 * @ipcp: ipc permissions 2643 * @ipcp: ipc permissions
2625 * 2644 *
2626 */ 2645 */
2627 void __audit_ipc_obj(struct kern_ipc_perm *ip 2646 void __audit_ipc_obj(struct kern_ipc_perm *ipcp)
2628 { 2647 {
2629 struct audit_context *context = audit 2648 struct audit_context *context = audit_context();
2630 2649
2631 context->ipc.uid = ipcp->uid; 2650 context->ipc.uid = ipcp->uid;
2632 context->ipc.gid = ipcp->gid; 2651 context->ipc.gid = ipcp->gid;
2633 context->ipc.mode = ipcp->mode; 2652 context->ipc.mode = ipcp->mode;
2634 context->ipc.has_perm = 0; 2653 context->ipc.has_perm = 0;
2635 security_ipc_getsecid(ipcp, &context- 2654 security_ipc_getsecid(ipcp, &context->ipc.osid);
2636 context->type = AUDIT_IPC; 2655 context->type = AUDIT_IPC;
2637 } 2656 }
2638 2657
2639 /** 2658 /**
2640 * __audit_ipc_set_perm - record audit data f 2659 * __audit_ipc_set_perm - record audit data for new ipc permissions
2641 * @qbytes: msgq bytes 2660 * @qbytes: msgq bytes
2642 * @uid: msgq user id 2661 * @uid: msgq user id
2643 * @gid: msgq group id 2662 * @gid: msgq group id
2644 * @mode: msgq mode (permissions) 2663 * @mode: msgq mode (permissions)
2645 * 2664 *
2646 * Called only after audit_ipc_obj(). 2665 * Called only after audit_ipc_obj().
2647 */ 2666 */
2648 void __audit_ipc_set_perm(unsigned long qbyte 2667 void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode)
2649 { 2668 {
2650 struct audit_context *context = audit 2669 struct audit_context *context = audit_context();
2651 2670
2652 context->ipc.qbytes = qbytes; 2671 context->ipc.qbytes = qbytes;
2653 context->ipc.perm_uid = uid; 2672 context->ipc.perm_uid = uid;
2654 context->ipc.perm_gid = gid; 2673 context->ipc.perm_gid = gid;
2655 context->ipc.perm_mode = mode; 2674 context->ipc.perm_mode = mode;
2656 context->ipc.has_perm = 1; 2675 context->ipc.has_perm = 1;
2657 } 2676 }
2658 2677
2659 void __audit_bprm(struct linux_binprm *bprm) 2678 void __audit_bprm(struct linux_binprm *bprm)
2660 { 2679 {
2661 struct audit_context *context = audit 2680 struct audit_context *context = audit_context();
2662 2681
2663 context->type = AUDIT_EXECVE; 2682 context->type = AUDIT_EXECVE;
2664 context->execve.argc = bprm->argc; 2683 context->execve.argc = bprm->argc;
2665 } 2684 }
2666 2685
2667 2686
2668 /** 2687 /**
2669 * __audit_socketcall - record audit data for 2688 * __audit_socketcall - record audit data for sys_socketcall
2670 * @nargs: number of args, which should not b 2689 * @nargs: number of args, which should not be more than AUDITSC_ARGS.
2671 * @args: args array 2690 * @args: args array
2672 * 2691 *
2673 */ 2692 */
2674 int __audit_socketcall(int nargs, unsigned lo 2693 int __audit_socketcall(int nargs, unsigned long *args)
2675 { 2694 {
2676 struct audit_context *context = audit 2695 struct audit_context *context = audit_context();
2677 2696
2678 if (nargs <= 0 || nargs > AUDITSC_ARG 2697 if (nargs <= 0 || nargs > AUDITSC_ARGS || !args)
2679 return -EINVAL; 2698 return -EINVAL;
2680 context->type = AUDIT_SOCKETCALL; 2699 context->type = AUDIT_SOCKETCALL;
2681 context->socketcall.nargs = nargs; 2700 context->socketcall.nargs = nargs;
2682 memcpy(context->socketcall.args, args 2701 memcpy(context->socketcall.args, args, nargs * sizeof(unsigned long));
2683 return 0; 2702 return 0;
2684 } 2703 }
2685 2704
2686 /** 2705 /**
2687 * __audit_fd_pair - record audit data for pi 2706 * __audit_fd_pair - record audit data for pipe and socketpair
2688 * @fd1: the first file descriptor 2707 * @fd1: the first file descriptor
2689 * @fd2: the second file descriptor 2708 * @fd2: the second file descriptor
2690 * 2709 *
2691 */ 2710 */
2692 void __audit_fd_pair(int fd1, int fd2) 2711 void __audit_fd_pair(int fd1, int fd2)
2693 { 2712 {
2694 struct audit_context *context = audit 2713 struct audit_context *context = audit_context();
2695 2714
2696 context->fds[0] = fd1; 2715 context->fds[0] = fd1;
2697 context->fds[1] = fd2; 2716 context->fds[1] = fd2;
2698 } 2717 }
2699 2718
2700 /** 2719 /**
2701 * __audit_sockaddr - record audit data for s 2720 * __audit_sockaddr - record audit data for sys_bind, sys_connect, sys_sendto
2702 * @len: data length in user space 2721 * @len: data length in user space
2703 * @a: data address in kernel space 2722 * @a: data address in kernel space
2704 * 2723 *
2705 * Returns 0 for success or NULL context or < 2724 * Returns 0 for success or NULL context or < 0 on error.
2706 */ 2725 */
2707 int __audit_sockaddr(int len, void *a) 2726 int __audit_sockaddr(int len, void *a)
2708 { 2727 {
2709 struct audit_context *context = audit 2728 struct audit_context *context = audit_context();
2710 2729
2711 if (!context->sockaddr) { 2730 if (!context->sockaddr) {
2712 void *p = kmalloc(sizeof(stru 2731 void *p = kmalloc(sizeof(struct sockaddr_storage), GFP_KERNEL);
2713 2732
2714 if (!p) 2733 if (!p)
2715 return -ENOMEM; 2734 return -ENOMEM;
2716 context->sockaddr = p; 2735 context->sockaddr = p;
2717 } 2736 }
2718 2737
2719 context->sockaddr_len = len; 2738 context->sockaddr_len = len;
2720 memcpy(context->sockaddr, a, len); 2739 memcpy(context->sockaddr, a, len);
2721 return 0; 2740 return 0;
2722 } 2741 }
2723 2742
2724 void __audit_ptrace(struct task_struct *t) 2743 void __audit_ptrace(struct task_struct *t)
2725 { 2744 {
2726 struct audit_context *context = audit 2745 struct audit_context *context = audit_context();
2727 2746
2728 context->target_pid = task_tgid_nr(t) 2747 context->target_pid = task_tgid_nr(t);
2729 context->target_auid = audit_get_logi 2748 context->target_auid = audit_get_loginuid(t);
2730 context->target_uid = task_uid(t); 2749 context->target_uid = task_uid(t);
2731 context->target_sessionid = audit_get 2750 context->target_sessionid = audit_get_sessionid(t);
2732 security_task_getsecid_obj(t, &contex 2751 security_task_getsecid_obj(t, &context->target_sid);
2733 memcpy(context->target_comm, t->comm, 2752 memcpy(context->target_comm, t->comm, TASK_COMM_LEN);
2734 } 2753 }
2735 2754
2736 /** 2755 /**
2737 * audit_signal_info_syscall - record signal 2756 * audit_signal_info_syscall - record signal info for syscalls
2738 * @t: task being signaled 2757 * @t: task being signaled
2739 * 2758 *
2740 * If the audit subsystem is being terminated 2759 * If the audit subsystem is being terminated, record the task (pid)
2741 * and uid that is doing that. 2760 * and uid that is doing that.
2742 */ 2761 */
2743 int audit_signal_info_syscall(struct task_str 2762 int audit_signal_info_syscall(struct task_struct *t)
2744 { 2763 {
2745 struct audit_aux_data_pids *axp; 2764 struct audit_aux_data_pids *axp;
2746 struct audit_context *ctx = audit_con 2765 struct audit_context *ctx = audit_context();
2747 kuid_t t_uid = task_uid(t); 2766 kuid_t t_uid = task_uid(t);
2748 2767
2749 if (!audit_signals || audit_dummy_con 2768 if (!audit_signals || audit_dummy_context())
2750 return 0; 2769 return 0;
2751 2770
2752 /* optimize the common case by puttin 2771 /* optimize the common case by putting first signal recipient directly
2753 * in audit_context */ 2772 * in audit_context */
2754 if (!ctx->target_pid) { 2773 if (!ctx->target_pid) {
2755 ctx->target_pid = task_tgid_n 2774 ctx->target_pid = task_tgid_nr(t);
2756 ctx->target_auid = audit_get_ 2775 ctx->target_auid = audit_get_loginuid(t);
2757 ctx->target_uid = t_uid; 2776 ctx->target_uid = t_uid;
2758 ctx->target_sessionid = audit 2777 ctx->target_sessionid = audit_get_sessionid(t);
2759 security_task_getsecid_obj(t, 2778 security_task_getsecid_obj(t, &ctx->target_sid);
2760 memcpy(ctx->target_comm, t->c 2779 memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN);
2761 return 0; 2780 return 0;
2762 } 2781 }
2763 2782
2764 axp = (void *)ctx->aux_pids; 2783 axp = (void *)ctx->aux_pids;
2765 if (!axp || axp->pid_count == AUDIT_A 2784 if (!axp || axp->pid_count == AUDIT_AUX_PIDS) {
2766 axp = kzalloc(sizeof(*axp), G 2785 axp = kzalloc(sizeof(*axp), GFP_ATOMIC);
2767 if (!axp) 2786 if (!axp)
2768 return -ENOMEM; 2787 return -ENOMEM;
2769 2788
2770 axp->d.type = AUDIT_OBJ_PID; 2789 axp->d.type = AUDIT_OBJ_PID;
2771 axp->d.next = ctx->aux_pids; 2790 axp->d.next = ctx->aux_pids;
2772 ctx->aux_pids = (void *)axp; 2791 ctx->aux_pids = (void *)axp;
2773 } 2792 }
2774 BUG_ON(axp->pid_count >= AUDIT_AUX_PI 2793 BUG_ON(axp->pid_count >= AUDIT_AUX_PIDS);
2775 2794
2776 axp->target_pid[axp->pid_count] = tas 2795 axp->target_pid[axp->pid_count] = task_tgid_nr(t);
2777 axp->target_auid[axp->pid_count] = au 2796 axp->target_auid[axp->pid_count] = audit_get_loginuid(t);
2778 axp->target_uid[axp->pid_count] = t_u 2797 axp->target_uid[axp->pid_count] = t_uid;
2779 axp->target_sessionid[axp->pid_count] 2798 axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t);
2780 security_task_getsecid_obj(t, &axp->t 2799 security_task_getsecid_obj(t, &axp->target_sid[axp->pid_count]);
2781 memcpy(axp->target_comm[axp->pid_coun 2800 memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN);
2782 axp->pid_count++; 2801 axp->pid_count++;
2783 2802
2784 return 0; 2803 return 0;
2785 } 2804 }
2786 2805
2787 /** 2806 /**
2788 * __audit_log_bprm_fcaps - store information 2807 * __audit_log_bprm_fcaps - store information about a loading bprm and relevant fcaps
2789 * @bprm: pointer to the bprm being processed 2808 * @bprm: pointer to the bprm being processed
2790 * @new: the proposed new credentials 2809 * @new: the proposed new credentials
2791 * @old: the old credentials 2810 * @old: the old credentials
2792 * 2811 *
2793 * Simply check if the proc already has the c 2812 * Simply check if the proc already has the caps given by the file and if not
2794 * store the priv escalation info for later a 2813 * store the priv escalation info for later auditing at the end of the syscall
2795 * 2814 *
2796 * -Eric 2815 * -Eric
2797 */ 2816 */
2798 int __audit_log_bprm_fcaps(struct linux_binpr 2817 int __audit_log_bprm_fcaps(struct linux_binprm *bprm,
2799 const struct cred 2818 const struct cred *new, const struct cred *old)
2800 { 2819 {
2801 struct audit_aux_data_bprm_fcaps *ax; 2820 struct audit_aux_data_bprm_fcaps *ax;
2802 struct audit_context *context = audit 2821 struct audit_context *context = audit_context();
2803 struct cpu_vfs_cap_data vcaps; 2822 struct cpu_vfs_cap_data vcaps;
2804 2823
2805 ax = kmalloc(sizeof(*ax), GFP_KERNEL) 2824 ax = kmalloc(sizeof(*ax), GFP_KERNEL);
2806 if (!ax) 2825 if (!ax)
2807 return -ENOMEM; 2826 return -ENOMEM;
2808 2827
2809 ax->d.type = AUDIT_BPRM_FCAPS; 2828 ax->d.type = AUDIT_BPRM_FCAPS;
2810 ax->d.next = context->aux; 2829 ax->d.next = context->aux;
2811 context->aux = (void *)ax; 2830 context->aux = (void *)ax;
2812 2831
2813 get_vfs_caps_from_disk(&nop_mnt_idmap !! 2832 get_vfs_caps_from_disk(&init_user_ns,
2814 bprm->file->f_ 2833 bprm->file->f_path.dentry, &vcaps);
2815 2834
2816 ax->fcap.permitted = vcaps.permitted; 2835 ax->fcap.permitted = vcaps.permitted;
2817 ax->fcap.inheritable = vcaps.inherita 2836 ax->fcap.inheritable = vcaps.inheritable;
2818 ax->fcap.fE = !!(vcaps.magic_etc & VF 2837 ax->fcap.fE = !!(vcaps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE);
2819 ax->fcap.rootid = vcaps.rootid; 2838 ax->fcap.rootid = vcaps.rootid;
2820 ax->fcap_ver = (vcaps.magic_etc & VFS 2839 ax->fcap_ver = (vcaps.magic_etc & VFS_CAP_REVISION_MASK) >> VFS_CAP_REVISION_SHIFT;
2821 2840
2822 ax->old_pcap.permitted = old->cap_p 2841 ax->old_pcap.permitted = old->cap_permitted;
2823 ax->old_pcap.inheritable = old->cap_i 2842 ax->old_pcap.inheritable = old->cap_inheritable;
2824 ax->old_pcap.effective = old->cap_e 2843 ax->old_pcap.effective = old->cap_effective;
2825 ax->old_pcap.ambient = old->cap_a 2844 ax->old_pcap.ambient = old->cap_ambient;
2826 2845
2827 ax->new_pcap.permitted = new->cap_p 2846 ax->new_pcap.permitted = new->cap_permitted;
2828 ax->new_pcap.inheritable = new->cap_i 2847 ax->new_pcap.inheritable = new->cap_inheritable;
2829 ax->new_pcap.effective = new->cap_e 2848 ax->new_pcap.effective = new->cap_effective;
2830 ax->new_pcap.ambient = new->cap_a 2849 ax->new_pcap.ambient = new->cap_ambient;
2831 return 0; 2850 return 0;
2832 } 2851 }
2833 2852
2834 /** 2853 /**
2835 * __audit_log_capset - store information abo 2854 * __audit_log_capset - store information about the arguments to the capset syscall
2836 * @new: the new credentials 2855 * @new: the new credentials
2837 * @old: the old (current) credentials 2856 * @old: the old (current) credentials
2838 * 2857 *
2839 * Record the arguments userspace sent to sys 2858 * Record the arguments userspace sent to sys_capset for later printing by the
2840 * audit system if applicable 2859 * audit system if applicable
2841 */ 2860 */
2842 void __audit_log_capset(const struct cred *ne 2861 void __audit_log_capset(const struct cred *new, const struct cred *old)
2843 { 2862 {
2844 struct audit_context *context = audit 2863 struct audit_context *context = audit_context();
2845 2864
2846 context->capset.pid = task_tgid_nr(cu 2865 context->capset.pid = task_tgid_nr(current);
2847 context->capset.cap.effective = new 2866 context->capset.cap.effective = new->cap_effective;
2848 context->capset.cap.inheritable = new 2867 context->capset.cap.inheritable = new->cap_effective;
2849 context->capset.cap.permitted = new 2868 context->capset.cap.permitted = new->cap_permitted;
2850 context->capset.cap.ambient = new 2869 context->capset.cap.ambient = new->cap_ambient;
2851 context->type = AUDIT_CAPSET; 2870 context->type = AUDIT_CAPSET;
2852 } 2871 }
2853 2872
2854 void __audit_mmap_fd(int fd, int flags) 2873 void __audit_mmap_fd(int fd, int flags)
2855 { 2874 {
2856 struct audit_context *context = audit 2875 struct audit_context *context = audit_context();
2857 2876
2858 context->mmap.fd = fd; 2877 context->mmap.fd = fd;
2859 context->mmap.flags = flags; 2878 context->mmap.flags = flags;
2860 context->type = AUDIT_MMAP; 2879 context->type = AUDIT_MMAP;
2861 } 2880 }
2862 2881
2863 void __audit_openat2_how(struct open_how *how 2882 void __audit_openat2_how(struct open_how *how)
2864 { 2883 {
2865 struct audit_context *context = audit 2884 struct audit_context *context = audit_context();
2866 2885
2867 context->openat2.flags = how->flags; 2886 context->openat2.flags = how->flags;
2868 context->openat2.mode = how->mode; 2887 context->openat2.mode = how->mode;
2869 context->openat2.resolve = how->resol 2888 context->openat2.resolve = how->resolve;
2870 context->type = AUDIT_OPENAT2; 2889 context->type = AUDIT_OPENAT2;
2871 } 2890 }
2872 2891
2873 void __audit_log_kern_module(char *name) 2892 void __audit_log_kern_module(char *name)
2874 { 2893 {
2875 struct audit_context *context = audit 2894 struct audit_context *context = audit_context();
2876 2895
2877 context->module.name = kstrdup(name, 2896 context->module.name = kstrdup(name, GFP_KERNEL);
2878 if (!context->module.name) 2897 if (!context->module.name)
2879 audit_log_lost("out of memory 2898 audit_log_lost("out of memory in __audit_log_kern_module");
2880 context->type = AUDIT_KERN_MODULE; 2899 context->type = AUDIT_KERN_MODULE;
2881 } 2900 }
2882 2901
2883 void __audit_fanotify(u32 response, struct fa !! 2902 void __audit_fanotify(unsigned int response)
2884 { 2903 {
2885 /* {subj,obj}_trust values are {0,1,2 !! 2904 audit_log(audit_context(), GFP_KERNEL,
2886 switch (friar->hdr.type) { !! 2905 AUDIT_FANOTIFY, "resp=%u", response);
2887 case FAN_RESPONSE_INFO_NONE: <<
2888 audit_log(audit_context(), GF <<
2889 "resp=%u fan_type=% <<
2890 response, FAN_RESPO <<
2891 break; <<
2892 case FAN_RESPONSE_INFO_AUDIT_RULE: <<
2893 audit_log(audit_context(), GF <<
2894 "resp=%u fan_type=% <<
2895 response, friar->hd <<
2896 friar->subj_trust, <<
2897 } <<
2898 } 2906 }
2899 2907
2900 void __audit_tk_injoffset(struct timespec64 o 2908 void __audit_tk_injoffset(struct timespec64 offset)
2901 { 2909 {
2902 struct audit_context *context = audit 2910 struct audit_context *context = audit_context();
2903 2911
2904 /* only set type if not already set b 2912 /* only set type if not already set by NTP */
2905 if (!context->type) 2913 if (!context->type)
2906 context->type = AUDIT_TIME_IN 2914 context->type = AUDIT_TIME_INJOFFSET;
2907 memcpy(&context->time.tk_injoffset, & 2915 memcpy(&context->time.tk_injoffset, &offset, sizeof(offset));
2908 } 2916 }
2909 2917
2910 void __audit_ntp_log(const struct audit_ntp_d 2918 void __audit_ntp_log(const struct audit_ntp_data *ad)
2911 { 2919 {
2912 struct audit_context *context = audit 2920 struct audit_context *context = audit_context();
2913 int type; 2921 int type;
2914 2922
2915 for (type = 0; type < AUDIT_NTP_NVALS 2923 for (type = 0; type < AUDIT_NTP_NVALS; type++)
2916 if (ad->vals[type].newval != 2924 if (ad->vals[type].newval != ad->vals[type].oldval) {
2917 /* unconditionally se 2925 /* unconditionally set type, overwriting TK */
2918 context->type = AUDIT 2926 context->type = AUDIT_TIME_ADJNTPVAL;
2919 memcpy(&context->time 2927 memcpy(&context->time.ntp_data, ad, sizeof(*ad));
2920 break; 2928 break;
2921 } 2929 }
2922 } 2930 }
2923 2931
2924 void __audit_log_nfcfg(const char *name, u8 a 2932 void __audit_log_nfcfg(const char *name, u8 af, unsigned int nentries,
2925 enum audit_nfcfgop op, 2933 enum audit_nfcfgop op, gfp_t gfp)
2926 { 2934 {
2927 struct audit_buffer *ab; 2935 struct audit_buffer *ab;
2928 char comm[sizeof(current->comm)]; 2936 char comm[sizeof(current->comm)];
2929 2937
2930 ab = audit_log_start(audit_context(), 2938 ab = audit_log_start(audit_context(), gfp, AUDIT_NETFILTER_CFG);
2931 if (!ab) 2939 if (!ab)
2932 return; 2940 return;
2933 audit_log_format(ab, "table=%s family 2941 audit_log_format(ab, "table=%s family=%u entries=%u op=%s",
2934 name, af, nentries, 2942 name, af, nentries, audit_nfcfgs[op].s);
2935 2943
2936 audit_log_format(ab, " pid=%u", task_ 2944 audit_log_format(ab, " pid=%u", task_pid_nr(current));
2937 audit_log_task_context(ab); /* subj= 2945 audit_log_task_context(ab); /* subj= */
2938 audit_log_format(ab, " comm="); 2946 audit_log_format(ab, " comm=");
2939 audit_log_untrustedstring(ab, get_tas 2947 audit_log_untrustedstring(ab, get_task_comm(comm, current));
2940 audit_log_end(ab); 2948 audit_log_end(ab);
2941 } 2949 }
2942 EXPORT_SYMBOL_GPL(__audit_log_nfcfg); 2950 EXPORT_SYMBOL_GPL(__audit_log_nfcfg);
2943 2951
2944 static void audit_log_task(struct audit_buffe 2952 static void audit_log_task(struct audit_buffer *ab)
2945 { 2953 {
2946 kuid_t auid, uid; 2954 kuid_t auid, uid;
2947 kgid_t gid; 2955 kgid_t gid;
2948 unsigned int sessionid; 2956 unsigned int sessionid;
2949 char comm[sizeof(current->comm)]; 2957 char comm[sizeof(current->comm)];
2950 2958
2951 auid = audit_get_loginuid(current); 2959 auid = audit_get_loginuid(current);
2952 sessionid = audit_get_sessionid(curre 2960 sessionid = audit_get_sessionid(current);
2953 current_uid_gid(&uid, &gid); 2961 current_uid_gid(&uid, &gid);
2954 2962
2955 audit_log_format(ab, "auid=%u uid=%u 2963 audit_log_format(ab, "auid=%u uid=%u gid=%u ses=%u",
2956 from_kuid(&init_user 2964 from_kuid(&init_user_ns, auid),
2957 from_kuid(&init_user 2965 from_kuid(&init_user_ns, uid),
2958 from_kgid(&init_user 2966 from_kgid(&init_user_ns, gid),
2959 sessionid); 2967 sessionid);
2960 audit_log_task_context(ab); 2968 audit_log_task_context(ab);
2961 audit_log_format(ab, " pid=%d comm=", 2969 audit_log_format(ab, " pid=%d comm=", task_tgid_nr(current));
2962 audit_log_untrustedstring(ab, get_tas 2970 audit_log_untrustedstring(ab, get_task_comm(comm, current));
2963 audit_log_d_path_exe(ab, current->mm) 2971 audit_log_d_path_exe(ab, current->mm);
2964 } 2972 }
2965 2973
2966 /** 2974 /**
2967 * audit_core_dumps - record information abou 2975 * audit_core_dumps - record information about processes that end abnormally
2968 * @signr: signal value 2976 * @signr: signal value
2969 * 2977 *
2970 * If a process ends with a core dump, someth 2978 * If a process ends with a core dump, something fishy is going on and we
2971 * should record the event for investigation. 2979 * should record the event for investigation.
2972 */ 2980 */
2973 void audit_core_dumps(long signr) 2981 void audit_core_dumps(long signr)
2974 { 2982 {
2975 struct audit_buffer *ab; 2983 struct audit_buffer *ab;
2976 2984
2977 if (!audit_enabled) 2985 if (!audit_enabled)
2978 return; 2986 return;
2979 2987
2980 if (signr == SIGQUIT) /* don't care 2988 if (signr == SIGQUIT) /* don't care for those */
2981 return; 2989 return;
2982 2990
2983 ab = audit_log_start(audit_context(), 2991 ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_ANOM_ABEND);
2984 if (unlikely(!ab)) 2992 if (unlikely(!ab))
2985 return; 2993 return;
2986 audit_log_task(ab); 2994 audit_log_task(ab);
2987 audit_log_format(ab, " sig=%ld res=1" 2995 audit_log_format(ab, " sig=%ld res=1", signr);
2988 audit_log_end(ab); 2996 audit_log_end(ab);
2989 } 2997 }
2990 2998
2991 /** 2999 /**
2992 * audit_seccomp - record information about a 3000 * audit_seccomp - record information about a seccomp action
2993 * @syscall: syscall number 3001 * @syscall: syscall number
2994 * @signr: signal value 3002 * @signr: signal value
2995 * @code: the seccomp action 3003 * @code: the seccomp action
2996 * 3004 *
2997 * Record the information associated with a s 3005 * Record the information associated with a seccomp action. Event filtering for
2998 * seccomp actions that are not to be logged 3006 * seccomp actions that are not to be logged is done in seccomp_log().
2999 * Therefore, this function forces auditing i 3007 * Therefore, this function forces auditing independent of the audit_enabled
3000 * and dummy context state because seccomp ac 3008 * and dummy context state because seccomp actions should be logged even when
3001 * audit is not in use. 3009 * audit is not in use.
3002 */ 3010 */
3003 void audit_seccomp(unsigned long syscall, lon 3011 void audit_seccomp(unsigned long syscall, long signr, int code)
3004 { 3012 {
3005 struct audit_buffer *ab; 3013 struct audit_buffer *ab;
3006 3014
3007 ab = audit_log_start(audit_context(), 3015 ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_SECCOMP);
3008 if (unlikely(!ab)) 3016 if (unlikely(!ab))
3009 return; 3017 return;
3010 audit_log_task(ab); 3018 audit_log_task(ab);
3011 audit_log_format(ab, " sig=%ld arch=% 3019 audit_log_format(ab, " sig=%ld arch=%x syscall=%ld compat=%d ip=0x%lx code=0x%x",
3012 signr, syscall_get_a 3020 signr, syscall_get_arch(current), syscall,
3013 in_compat_syscall(), 3021 in_compat_syscall(), KSTK_EIP(current), code);
3014 audit_log_end(ab); 3022 audit_log_end(ab);
3015 } 3023 }
3016 3024
3017 void audit_seccomp_actions_logged(const char 3025 void audit_seccomp_actions_logged(const char *names, const char *old_names,
3018 int res) 3026 int res)
3019 { 3027 {
3020 struct audit_buffer *ab; 3028 struct audit_buffer *ab;
3021 3029
3022 if (!audit_enabled) 3030 if (!audit_enabled)
3023 return; 3031 return;
3024 3032
3025 ab = audit_log_start(audit_context(), 3033 ab = audit_log_start(audit_context(), GFP_KERNEL,
3026 AUDIT_CONFIG_CHA 3034 AUDIT_CONFIG_CHANGE);
3027 if (unlikely(!ab)) 3035 if (unlikely(!ab))
3028 return; 3036 return;
3029 3037
3030 audit_log_format(ab, 3038 audit_log_format(ab,
3031 "op=seccomp-logging 3039 "op=seccomp-logging actions=%s old-actions=%s res=%d",
3032 names, old_names, re 3040 names, old_names, res);
3033 audit_log_end(ab); 3041 audit_log_end(ab);
3034 } 3042 }
3035 3043
3036 struct list_head *audit_killed_trees(void) 3044 struct list_head *audit_killed_trees(void)
3037 { 3045 {
3038 struct audit_context *ctx = audit_con 3046 struct audit_context *ctx = audit_context();
3039 if (likely(!ctx || ctx->context == AU 3047 if (likely(!ctx || ctx->context == AUDIT_CTX_UNUSED))
3040 return NULL; 3048 return NULL;
3041 return &ctx->killed_trees; 3049 return &ctx->killed_trees;
3042 } 3050 }
3043 3051
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.