1 // SPDX-License-Identifier: GPL-2.0-or-later <<
2 /* auditsc.c -- System-call auditing support 1 /* auditsc.c -- System-call auditing support
3 * Handles all system-call specific auditing f 2 * Handles all system-call specific auditing features.
4 * 3 *
5 * Copyright 2003-2004 Red Hat Inc., Durham, N 4 * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina.
6 * Copyright 2005 Hewlett-Packard Development 5 * Copyright 2005 Hewlett-Packard Development Company, L.P.
7 * Copyright (C) 2005, 2006 IBM Corporation 6 * Copyright (C) 2005, 2006 IBM Corporation
8 * All Rights Reserved. 7 * All Rights Reserved.
9 * 8 *
>> 9 * This program is free software; you can redistribute it and/or modify
>> 10 * it under the terms of the GNU General Public License as published by
>> 11 * the Free Software Foundation; either version 2 of the License, or
>> 12 * (at your option) any later version.
>> 13 *
>> 14 * This program is distributed in the hope that it will be useful,
>> 15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
>> 16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
>> 17 * GNU General Public License for more details.
>> 18 *
>> 19 * You should have received a copy of the GNU General Public License
>> 20 * along with this program; if not, write to the Free Software
>> 21 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
>> 22 *
10 * Written by Rickard E. (Rik) Faith <faith@re 23 * Written by Rickard E. (Rik) Faith <faith@redhat.com>
11 * 24 *
12 * Many of the ideas implemented here are from 25 * Many of the ideas implemented here are from Stephen C. Tweedie,
13 * especially the idea of avoiding a copy by u 26 * especially the idea of avoiding a copy by using getname.
14 * 27 *
15 * The method for actual interception of sysca 28 * The method for actual interception of syscall entry and exit (not in
16 * this file -- see entry.S) is based on a GPL 29 * this file -- see entry.S) is based on a GPL'd patch written by
17 * okir@suse.de and Copyright 2003 SuSE Linux 30 * okir@suse.de and Copyright 2003 SuSE Linux AG.
18 * 31 *
19 * POSIX message queue support added by George 32 * POSIX message queue support added by George Wilson <ltcgcw@us.ibm.com>,
20 * 2006. 33 * 2006.
21 * 34 *
22 * The support of additional filter rules comp 35 * The support of additional filter rules compares (>, <, >=, <=) was
23 * added by Dustin Kirkland <dustin.kirkland@u 36 * added by Dustin Kirkland <dustin.kirkland@us.ibm.com>, 2005.
24 * 37 *
25 * Modified by Amy Griffis <amy.griffis@hp.com 38 * Modified by Amy Griffis <amy.griffis@hp.com> to collect additional
26 * filesystem information. 39 * filesystem information.
27 * 40 *
28 * Subject and object context labeling support 41 * Subject and object context labeling support added by <danjones@us.ibm.com>
29 * and <dustin.kirkland@us.ibm.com> for LSPP c 42 * and <dustin.kirkland@us.ibm.com> for LSPP certification compliance.
30 */ 43 */
31 44
32 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 45 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
33 46
34 #include <linux/init.h> 47 #include <linux/init.h>
35 #include <asm/types.h> 48 #include <asm/types.h>
36 #include <linux/atomic.h> 49 #include <linux/atomic.h>
37 #include <linux/fs.h> 50 #include <linux/fs.h>
38 #include <linux/namei.h> 51 #include <linux/namei.h>
39 #include <linux/mm.h> 52 #include <linux/mm.h>
40 #include <linux/export.h> 53 #include <linux/export.h>
41 #include <linux/slab.h> 54 #include <linux/slab.h>
42 #include <linux/mount.h> 55 #include <linux/mount.h>
43 #include <linux/socket.h> 56 #include <linux/socket.h>
44 #include <linux/mqueue.h> 57 #include <linux/mqueue.h>
45 #include <linux/audit.h> 58 #include <linux/audit.h>
46 #include <linux/personality.h> 59 #include <linux/personality.h>
47 #include <linux/time.h> 60 #include <linux/time.h>
48 #include <linux/netlink.h> 61 #include <linux/netlink.h>
49 #include <linux/compiler.h> 62 #include <linux/compiler.h>
50 #include <asm/unistd.h> 63 #include <asm/unistd.h>
51 #include <linux/security.h> 64 #include <linux/security.h>
52 #include <linux/list.h> 65 #include <linux/list.h>
53 #include <linux/binfmts.h> 66 #include <linux/binfmts.h>
54 #include <linux/highmem.h> 67 #include <linux/highmem.h>
55 #include <linux/syscalls.h> 68 #include <linux/syscalls.h>
56 #include <asm/syscall.h> 69 #include <asm/syscall.h>
57 #include <linux/capability.h> 70 #include <linux/capability.h>
58 #include <linux/fs_struct.h> 71 #include <linux/fs_struct.h>
59 #include <linux/compat.h> 72 #include <linux/compat.h>
60 #include <linux/ctype.h> 73 #include <linux/ctype.h>
61 #include <linux/string.h> 74 #include <linux/string.h>
62 #include <linux/uaccess.h> 75 #include <linux/uaccess.h>
63 #include <linux/fsnotify_backend.h> 76 #include <linux/fsnotify_backend.h>
64 #include <uapi/linux/limits.h> 77 #include <uapi/linux/limits.h>
65 #include <uapi/linux/netfilter/nf_tables.h> <<
66 #include <uapi/linux/openat2.h> // struct open <<
67 #include <uapi/linux/fanotify.h> <<
68 78
69 #include "audit.h" 79 #include "audit.h"
70 80
71 /* flags stating the success for a syscall */ 81 /* flags stating the success for a syscall */
72 #define AUDITSC_INVALID 0 82 #define AUDITSC_INVALID 0
73 #define AUDITSC_SUCCESS 1 83 #define AUDITSC_SUCCESS 1
74 #define AUDITSC_FAILURE 2 84 #define AUDITSC_FAILURE 2
75 85
76 /* no execve audit message should be longer th 86 /* no execve audit message should be longer than this (userspace limits),
77 * see the note near the top of audit_log_exec 87 * see the note near the top of audit_log_execve_info() about this value */
78 #define MAX_EXECVE_AUDIT_LEN 7500 88 #define MAX_EXECVE_AUDIT_LEN 7500
79 89
80 /* max length to print of cmdline/proctitle va 90 /* max length to print of cmdline/proctitle value during audit */
81 #define MAX_PROCTITLE_AUDIT_LEN 128 91 #define MAX_PROCTITLE_AUDIT_LEN 128
82 92
83 /* number of audit rules */ 93 /* number of audit rules */
84 int audit_n_rules; 94 int audit_n_rules;
85 95
86 /* determines whether we collect data for sign 96 /* determines whether we collect data for signals sent */
87 int audit_signals; 97 int audit_signals;
88 98
89 struct audit_aux_data { 99 struct audit_aux_data {
90 struct audit_aux_data *next; 100 struct audit_aux_data *next;
91 int type; 101 int type;
92 }; 102 };
93 103
>> 104 #define AUDIT_AUX_IPCPERM 0
>> 105
94 /* Number of target pids per aux struct. */ 106 /* Number of target pids per aux struct. */
95 #define AUDIT_AUX_PIDS 16 107 #define AUDIT_AUX_PIDS 16
96 108
97 struct audit_aux_data_pids { 109 struct audit_aux_data_pids {
98 struct audit_aux_data d; 110 struct audit_aux_data d;
99 pid_t target_pid[AUD 111 pid_t target_pid[AUDIT_AUX_PIDS];
100 kuid_t target_auid[AU 112 kuid_t target_auid[AUDIT_AUX_PIDS];
101 kuid_t target_uid[AUD 113 kuid_t target_uid[AUDIT_AUX_PIDS];
102 unsigned int target_session 114 unsigned int target_sessionid[AUDIT_AUX_PIDS];
103 u32 target_sid[AUD 115 u32 target_sid[AUDIT_AUX_PIDS];
104 char target_comm[AU 116 char target_comm[AUDIT_AUX_PIDS][TASK_COMM_LEN];
105 int pid_count; 117 int pid_count;
106 }; 118 };
107 119
108 struct audit_aux_data_bprm_fcaps { 120 struct audit_aux_data_bprm_fcaps {
109 struct audit_aux_data d; 121 struct audit_aux_data d;
110 struct audit_cap_data fcap; 122 struct audit_cap_data fcap;
111 unsigned int fcap_ver; 123 unsigned int fcap_ver;
112 struct audit_cap_data old_pcap; 124 struct audit_cap_data old_pcap;
113 struct audit_cap_data new_pcap; 125 struct audit_cap_data new_pcap;
114 }; 126 };
115 127
116 struct audit_tree_refs { 128 struct audit_tree_refs {
117 struct audit_tree_refs *next; 129 struct audit_tree_refs *next;
118 struct audit_chunk *c[31]; 130 struct audit_chunk *c[31];
119 }; 131 };
120 132
121 struct audit_nfcfgop_tab { <<
122 enum audit_nfcfgop op; <<
123 const char *s; <<
124 }; <<
125 <<
126 static const struct audit_nfcfgop_tab audit_nf <<
127 { AUDIT_XT_OP_REGISTER, <<
128 { AUDIT_XT_OP_REPLACE, <<
129 { AUDIT_XT_OP_UNREGISTER, <<
130 { AUDIT_NFT_OP_TABLE_REGISTER, <<
131 { AUDIT_NFT_OP_TABLE_UNREGISTER, <<
132 { AUDIT_NFT_OP_CHAIN_REGISTER, <<
133 { AUDIT_NFT_OP_CHAIN_UNREGISTER, <<
134 { AUDIT_NFT_OP_RULE_REGISTER, <<
135 { AUDIT_NFT_OP_RULE_UNREGISTER, <<
136 { AUDIT_NFT_OP_SET_REGISTER, <<
137 { AUDIT_NFT_OP_SET_UNREGISTER, <<
138 { AUDIT_NFT_OP_SETELEM_REGISTER, <<
139 { AUDIT_NFT_OP_SETELEM_UNREGISTER, <<
140 { AUDIT_NFT_OP_GEN_REGISTER, <<
141 { AUDIT_NFT_OP_OBJ_REGISTER, <<
142 { AUDIT_NFT_OP_OBJ_UNREGISTER, <<
143 { AUDIT_NFT_OP_OBJ_RESET, <<
144 { AUDIT_NFT_OP_FLOWTABLE_REGISTER, <<
145 { AUDIT_NFT_OP_FLOWTABLE_UNREGISTER, <<
146 { AUDIT_NFT_OP_SETELEM_RESET, <<
147 { AUDIT_NFT_OP_RULE_RESET, <<
148 { AUDIT_NFT_OP_INVALID, <<
149 }; <<
150 <<
151 static int audit_match_perm(struct audit_conte 133 static int audit_match_perm(struct audit_context *ctx, int mask)
152 { 134 {
153 unsigned n; 135 unsigned n;
154 <<
155 if (unlikely(!ctx)) 136 if (unlikely(!ctx))
156 return 0; 137 return 0;
157 n = ctx->major; 138 n = ctx->major;
158 139
159 switch (audit_classify_syscall(ctx->ar 140 switch (audit_classify_syscall(ctx->arch, n)) {
160 case AUDITSC_NATIVE: !! 141 case 0: /* native */
161 if ((mask & AUDIT_PERM_WRITE) 142 if ((mask & AUDIT_PERM_WRITE) &&
162 audit_match_class(AUDIT_C 143 audit_match_class(AUDIT_CLASS_WRITE, n))
163 return 1; 144 return 1;
164 if ((mask & AUDIT_PERM_READ) & 145 if ((mask & AUDIT_PERM_READ) &&
165 audit_match_class(AUDIT_C 146 audit_match_class(AUDIT_CLASS_READ, n))
166 return 1; 147 return 1;
167 if ((mask & AUDIT_PERM_ATTR) & 148 if ((mask & AUDIT_PERM_ATTR) &&
168 audit_match_class(AUDIT_C 149 audit_match_class(AUDIT_CLASS_CHATTR, n))
169 return 1; 150 return 1;
170 return 0; 151 return 0;
171 case AUDITSC_COMPAT: /* 32bit on biarc !! 152 case 1: /* 32bit on biarch */
172 if ((mask & AUDIT_PERM_WRITE) 153 if ((mask & AUDIT_PERM_WRITE) &&
173 audit_match_class(AUDIT_C 154 audit_match_class(AUDIT_CLASS_WRITE_32, n))
174 return 1; 155 return 1;
175 if ((mask & AUDIT_PERM_READ) & 156 if ((mask & AUDIT_PERM_READ) &&
176 audit_match_class(AUDIT_C 157 audit_match_class(AUDIT_CLASS_READ_32, n))
177 return 1; 158 return 1;
178 if ((mask & AUDIT_PERM_ATTR) & 159 if ((mask & AUDIT_PERM_ATTR) &&
179 audit_match_class(AUDIT_C 160 audit_match_class(AUDIT_CLASS_CHATTR_32, n))
180 return 1; 161 return 1;
181 return 0; 162 return 0;
182 case AUDITSC_OPEN: !! 163 case 2: /* open */
183 return mask & ACC_MODE(ctx->ar 164 return mask & ACC_MODE(ctx->argv[1]);
184 case AUDITSC_OPENAT: !! 165 case 3: /* openat */
185 return mask & ACC_MODE(ctx->ar 166 return mask & ACC_MODE(ctx->argv[2]);
186 case AUDITSC_SOCKETCALL: !! 167 case 4: /* socketcall */
187 return ((mask & AUDIT_PERM_WRI 168 return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND);
188 case AUDITSC_EXECVE: !! 169 case 5: /* execve */
189 return mask & AUDIT_PERM_EXEC; 170 return mask & AUDIT_PERM_EXEC;
190 case AUDITSC_OPENAT2: <<
191 return mask & ACC_MODE((u32)ct <<
192 default: 171 default:
193 return 0; 172 return 0;
194 } 173 }
195 } 174 }
196 175
197 static int audit_match_filetype(struct audit_c 176 static int audit_match_filetype(struct audit_context *ctx, int val)
198 { 177 {
199 struct audit_names *n; 178 struct audit_names *n;
200 umode_t mode = (umode_t)val; 179 umode_t mode = (umode_t)val;
201 180
202 if (unlikely(!ctx)) 181 if (unlikely(!ctx))
203 return 0; 182 return 0;
204 183
205 list_for_each_entry(n, &ctx->names_lis 184 list_for_each_entry(n, &ctx->names_list, list) {
206 if ((n->ino != AUDIT_INO_UNSET 185 if ((n->ino != AUDIT_INO_UNSET) &&
207 ((n->mode & S_IFMT) == mod 186 ((n->mode & S_IFMT) == mode))
208 return 1; 187 return 1;
209 } 188 }
210 189
211 return 0; 190 return 0;
212 } 191 }
213 192
214 /* 193 /*
215 * We keep a linked list of fixed-sized (31 po 194 * We keep a linked list of fixed-sized (31 pointer) arrays of audit_chunk *;
216 * ->first_trees points to its beginning, ->tr 195 * ->first_trees points to its beginning, ->trees - to the current end of data.
217 * ->tree_count is the number of free entries 196 * ->tree_count is the number of free entries in array pointed to by ->trees.
218 * Original condition is (NULL, NULL, 0); as s 197 * Original condition is (NULL, NULL, 0); as soon as it grows we never revert to NULL,
219 * "empty" becomes (p, p, 31) afterwards. We 198 * "empty" becomes (p, p, 31) afterwards. We don't shrink the list (and seriously,
220 * it's going to remain 1-element for almost a 199 * it's going to remain 1-element for almost any setup) until we free context itself.
221 * References in it _are_ dropped - at the sam 200 * References in it _are_ dropped - at the same time we free/drop aux stuff.
222 */ 201 */
223 202
224 static void audit_set_auditable(struct audit_c 203 static void audit_set_auditable(struct audit_context *ctx)
225 { 204 {
226 if (!ctx->prio) { 205 if (!ctx->prio) {
227 ctx->prio = 1; 206 ctx->prio = 1;
228 ctx->current_state = AUDIT_STA !! 207 ctx->current_state = AUDIT_RECORD_CONTEXT;
229 } 208 }
230 } 209 }
231 210
232 static int put_tree_ref(struct audit_context * 211 static int put_tree_ref(struct audit_context *ctx, struct audit_chunk *chunk)
233 { 212 {
234 struct audit_tree_refs *p = ctx->trees 213 struct audit_tree_refs *p = ctx->trees;
235 int left = ctx->tree_count; 214 int left = ctx->tree_count;
236 <<
237 if (likely(left)) { 215 if (likely(left)) {
238 p->c[--left] = chunk; 216 p->c[--left] = chunk;
239 ctx->tree_count = left; 217 ctx->tree_count = left;
240 return 1; 218 return 1;
241 } 219 }
242 if (!p) 220 if (!p)
243 return 0; 221 return 0;
244 p = p->next; 222 p = p->next;
245 if (p) { 223 if (p) {
246 p->c[30] = chunk; 224 p->c[30] = chunk;
247 ctx->trees = p; 225 ctx->trees = p;
248 ctx->tree_count = 30; 226 ctx->tree_count = 30;
249 return 1; 227 return 1;
250 } 228 }
251 return 0; 229 return 0;
252 } 230 }
253 231
254 static int grow_tree_refs(struct audit_context 232 static int grow_tree_refs(struct audit_context *ctx)
255 { 233 {
256 struct audit_tree_refs *p = ctx->trees 234 struct audit_tree_refs *p = ctx->trees;
257 <<
258 ctx->trees = kzalloc(sizeof(struct aud 235 ctx->trees = kzalloc(sizeof(struct audit_tree_refs), GFP_KERNEL);
259 if (!ctx->trees) { 236 if (!ctx->trees) {
260 ctx->trees = p; 237 ctx->trees = p;
261 return 0; 238 return 0;
262 } 239 }
263 if (p) 240 if (p)
264 p->next = ctx->trees; 241 p->next = ctx->trees;
265 else 242 else
266 ctx->first_trees = ctx->trees; 243 ctx->first_trees = ctx->trees;
267 ctx->tree_count = 31; 244 ctx->tree_count = 31;
268 return 1; 245 return 1;
269 } 246 }
270 247
271 static void unroll_tree_refs(struct audit_cont 248 static void unroll_tree_refs(struct audit_context *ctx,
272 struct audit_tree_refs * 249 struct audit_tree_refs *p, int count)
273 { 250 {
274 struct audit_tree_refs *q; 251 struct audit_tree_refs *q;
275 int n; 252 int n;
276 <<
277 if (!p) { 253 if (!p) {
278 /* we started with empty chain 254 /* we started with empty chain */
279 p = ctx->first_trees; 255 p = ctx->first_trees;
280 count = 31; 256 count = 31;
281 /* if the very first allocatio 257 /* if the very first allocation has failed, nothing to do */
282 if (!p) 258 if (!p)
283 return; 259 return;
284 } 260 }
285 n = count; 261 n = count;
286 for (q = p; q != ctx->trees; q = q->ne 262 for (q = p; q != ctx->trees; q = q->next, n = 31) {
287 while (n--) { 263 while (n--) {
288 audit_put_chunk(q->c[n 264 audit_put_chunk(q->c[n]);
289 q->c[n] = NULL; 265 q->c[n] = NULL;
290 } 266 }
291 } 267 }
292 while (n-- > ctx->tree_count) { 268 while (n-- > ctx->tree_count) {
293 audit_put_chunk(q->c[n]); 269 audit_put_chunk(q->c[n]);
294 q->c[n] = NULL; 270 q->c[n] = NULL;
295 } 271 }
296 ctx->trees = p; 272 ctx->trees = p;
297 ctx->tree_count = count; 273 ctx->tree_count = count;
298 } 274 }
299 275
300 static void free_tree_refs(struct audit_contex 276 static void free_tree_refs(struct audit_context *ctx)
301 { 277 {
302 struct audit_tree_refs *p, *q; 278 struct audit_tree_refs *p, *q;
303 <<
304 for (p = ctx->first_trees; p; p = q) { 279 for (p = ctx->first_trees; p; p = q) {
305 q = p->next; 280 q = p->next;
306 kfree(p); 281 kfree(p);
307 } 282 }
308 } 283 }
309 284
310 static int match_tree_refs(struct audit_contex 285 static int match_tree_refs(struct audit_context *ctx, struct audit_tree *tree)
311 { 286 {
312 struct audit_tree_refs *p; 287 struct audit_tree_refs *p;
313 int n; 288 int n;
314 <<
315 if (!tree) 289 if (!tree)
316 return 0; 290 return 0;
317 /* full ones */ 291 /* full ones */
318 for (p = ctx->first_trees; p != ctx->t 292 for (p = ctx->first_trees; p != ctx->trees; p = p->next) {
319 for (n = 0; n < 31; n++) 293 for (n = 0; n < 31; n++)
320 if (audit_tree_match(p 294 if (audit_tree_match(p->c[n], tree))
321 return 1; 295 return 1;
322 } 296 }
323 /* partial */ 297 /* partial */
324 if (p) { 298 if (p) {
325 for (n = ctx->tree_count; n < 299 for (n = ctx->tree_count; n < 31; n++)
326 if (audit_tree_match(p 300 if (audit_tree_match(p->c[n], tree))
327 return 1; 301 return 1;
328 } 302 }
329 return 0; 303 return 0;
330 } 304 }
331 305
332 static int audit_compare_uid(kuid_t uid, 306 static int audit_compare_uid(kuid_t uid,
333 struct audit_name 307 struct audit_names *name,
334 struct audit_fiel 308 struct audit_field *f,
335 struct audit_cont 309 struct audit_context *ctx)
336 { 310 {
337 struct audit_names *n; 311 struct audit_names *n;
338 int rc; 312 int rc;
339 !! 313
340 if (name) { 314 if (name) {
341 rc = audit_uid_comparator(uid, 315 rc = audit_uid_comparator(uid, f->op, name->uid);
342 if (rc) 316 if (rc)
343 return rc; 317 return rc;
344 } 318 }
345 !! 319
346 if (ctx) { 320 if (ctx) {
347 list_for_each_entry(n, &ctx->n 321 list_for_each_entry(n, &ctx->names_list, list) {
348 rc = audit_uid_compara 322 rc = audit_uid_comparator(uid, f->op, n->uid);
349 if (rc) 323 if (rc)
350 return rc; 324 return rc;
351 } 325 }
352 } 326 }
353 return 0; 327 return 0;
354 } 328 }
355 329
356 static int audit_compare_gid(kgid_t gid, 330 static int audit_compare_gid(kgid_t gid,
357 struct audit_name 331 struct audit_names *name,
358 struct audit_fiel 332 struct audit_field *f,
359 struct audit_cont 333 struct audit_context *ctx)
360 { 334 {
361 struct audit_names *n; 335 struct audit_names *n;
362 int rc; 336 int rc;
363 !! 337
364 if (name) { 338 if (name) {
365 rc = audit_gid_comparator(gid, 339 rc = audit_gid_comparator(gid, f->op, name->gid);
366 if (rc) 340 if (rc)
367 return rc; 341 return rc;
368 } 342 }
369 !! 343
370 if (ctx) { 344 if (ctx) {
371 list_for_each_entry(n, &ctx->n 345 list_for_each_entry(n, &ctx->names_list, list) {
372 rc = audit_gid_compara 346 rc = audit_gid_comparator(gid, f->op, n->gid);
373 if (rc) 347 if (rc)
374 return rc; 348 return rc;
375 } 349 }
376 } 350 }
377 return 0; 351 return 0;
378 } 352 }
379 353
380 static int audit_field_compare(struct task_str 354 static int audit_field_compare(struct task_struct *tsk,
381 const struct cr 355 const struct cred *cred,
382 struct audit_fi 356 struct audit_field *f,
383 struct audit_co 357 struct audit_context *ctx,
384 struct audit_na 358 struct audit_names *name)
385 { 359 {
386 switch (f->val) { 360 switch (f->val) {
387 /* process to file object comparisons 361 /* process to file object comparisons */
388 case AUDIT_COMPARE_UID_TO_OBJ_UID: 362 case AUDIT_COMPARE_UID_TO_OBJ_UID:
389 return audit_compare_uid(cred- 363 return audit_compare_uid(cred->uid, name, f, ctx);
390 case AUDIT_COMPARE_GID_TO_OBJ_GID: 364 case AUDIT_COMPARE_GID_TO_OBJ_GID:
391 return audit_compare_gid(cred- 365 return audit_compare_gid(cred->gid, name, f, ctx);
392 case AUDIT_COMPARE_EUID_TO_OBJ_UID: 366 case AUDIT_COMPARE_EUID_TO_OBJ_UID:
393 return audit_compare_uid(cred- 367 return audit_compare_uid(cred->euid, name, f, ctx);
394 case AUDIT_COMPARE_EGID_TO_OBJ_GID: 368 case AUDIT_COMPARE_EGID_TO_OBJ_GID:
395 return audit_compare_gid(cred- 369 return audit_compare_gid(cred->egid, name, f, ctx);
396 case AUDIT_COMPARE_AUID_TO_OBJ_UID: 370 case AUDIT_COMPARE_AUID_TO_OBJ_UID:
397 return audit_compare_uid(audit 371 return audit_compare_uid(audit_get_loginuid(tsk), name, f, ctx);
398 case AUDIT_COMPARE_SUID_TO_OBJ_UID: 372 case AUDIT_COMPARE_SUID_TO_OBJ_UID:
399 return audit_compare_uid(cred- 373 return audit_compare_uid(cred->suid, name, f, ctx);
400 case AUDIT_COMPARE_SGID_TO_OBJ_GID: 374 case AUDIT_COMPARE_SGID_TO_OBJ_GID:
401 return audit_compare_gid(cred- 375 return audit_compare_gid(cred->sgid, name, f, ctx);
402 case AUDIT_COMPARE_FSUID_TO_OBJ_UID: 376 case AUDIT_COMPARE_FSUID_TO_OBJ_UID:
403 return audit_compare_uid(cred- 377 return audit_compare_uid(cred->fsuid, name, f, ctx);
404 case AUDIT_COMPARE_FSGID_TO_OBJ_GID: 378 case AUDIT_COMPARE_FSGID_TO_OBJ_GID:
405 return audit_compare_gid(cred- 379 return audit_compare_gid(cred->fsgid, name, f, ctx);
406 /* uid comparisons */ 380 /* uid comparisons */
407 case AUDIT_COMPARE_UID_TO_AUID: 381 case AUDIT_COMPARE_UID_TO_AUID:
408 return audit_uid_comparator(cr 382 return audit_uid_comparator(cred->uid, f->op,
409 au 383 audit_get_loginuid(tsk));
410 case AUDIT_COMPARE_UID_TO_EUID: 384 case AUDIT_COMPARE_UID_TO_EUID:
411 return audit_uid_comparator(cr 385 return audit_uid_comparator(cred->uid, f->op, cred->euid);
412 case AUDIT_COMPARE_UID_TO_SUID: 386 case AUDIT_COMPARE_UID_TO_SUID:
413 return audit_uid_comparator(cr 387 return audit_uid_comparator(cred->uid, f->op, cred->suid);
414 case AUDIT_COMPARE_UID_TO_FSUID: 388 case AUDIT_COMPARE_UID_TO_FSUID:
415 return audit_uid_comparator(cr 389 return audit_uid_comparator(cred->uid, f->op, cred->fsuid);
416 /* auid comparisons */ 390 /* auid comparisons */
417 case AUDIT_COMPARE_AUID_TO_EUID: 391 case AUDIT_COMPARE_AUID_TO_EUID:
418 return audit_uid_comparator(au 392 return audit_uid_comparator(audit_get_loginuid(tsk), f->op,
419 cr 393 cred->euid);
420 case AUDIT_COMPARE_AUID_TO_SUID: 394 case AUDIT_COMPARE_AUID_TO_SUID:
421 return audit_uid_comparator(au 395 return audit_uid_comparator(audit_get_loginuid(tsk), f->op,
422 cr 396 cred->suid);
423 case AUDIT_COMPARE_AUID_TO_FSUID: 397 case AUDIT_COMPARE_AUID_TO_FSUID:
424 return audit_uid_comparator(au 398 return audit_uid_comparator(audit_get_loginuid(tsk), f->op,
425 cr 399 cred->fsuid);
426 /* euid comparisons */ 400 /* euid comparisons */
427 case AUDIT_COMPARE_EUID_TO_SUID: 401 case AUDIT_COMPARE_EUID_TO_SUID:
428 return audit_uid_comparator(cr 402 return audit_uid_comparator(cred->euid, f->op, cred->suid);
429 case AUDIT_COMPARE_EUID_TO_FSUID: 403 case AUDIT_COMPARE_EUID_TO_FSUID:
430 return audit_uid_comparator(cr 404 return audit_uid_comparator(cred->euid, f->op, cred->fsuid);
431 /* suid comparisons */ 405 /* suid comparisons */
432 case AUDIT_COMPARE_SUID_TO_FSUID: 406 case AUDIT_COMPARE_SUID_TO_FSUID:
433 return audit_uid_comparator(cr 407 return audit_uid_comparator(cred->suid, f->op, cred->fsuid);
434 /* gid comparisons */ 408 /* gid comparisons */
435 case AUDIT_COMPARE_GID_TO_EGID: 409 case AUDIT_COMPARE_GID_TO_EGID:
436 return audit_gid_comparator(cr 410 return audit_gid_comparator(cred->gid, f->op, cred->egid);
437 case AUDIT_COMPARE_GID_TO_SGID: 411 case AUDIT_COMPARE_GID_TO_SGID:
438 return audit_gid_comparator(cr 412 return audit_gid_comparator(cred->gid, f->op, cred->sgid);
439 case AUDIT_COMPARE_GID_TO_FSGID: 413 case AUDIT_COMPARE_GID_TO_FSGID:
440 return audit_gid_comparator(cr 414 return audit_gid_comparator(cred->gid, f->op, cred->fsgid);
441 /* egid comparisons */ 415 /* egid comparisons */
442 case AUDIT_COMPARE_EGID_TO_SGID: 416 case AUDIT_COMPARE_EGID_TO_SGID:
443 return audit_gid_comparator(cr 417 return audit_gid_comparator(cred->egid, f->op, cred->sgid);
444 case AUDIT_COMPARE_EGID_TO_FSGID: 418 case AUDIT_COMPARE_EGID_TO_FSGID:
445 return audit_gid_comparator(cr 419 return audit_gid_comparator(cred->egid, f->op, cred->fsgid);
446 /* sgid comparison */ 420 /* sgid comparison */
447 case AUDIT_COMPARE_SGID_TO_FSGID: 421 case AUDIT_COMPARE_SGID_TO_FSGID:
448 return audit_gid_comparator(cr 422 return audit_gid_comparator(cred->sgid, f->op, cred->fsgid);
449 default: 423 default:
450 WARN(1, "Missing AUDIT_COMPARE 424 WARN(1, "Missing AUDIT_COMPARE define. Report as a bug\n");
451 return 0; 425 return 0;
452 } 426 }
453 return 0; 427 return 0;
454 } 428 }
455 429
456 /* Determine if any context name data matches 430 /* Determine if any context name data matches a rule's watch data */
457 /* Compare a task_struct with an audit_rule. 431 /* Compare a task_struct with an audit_rule. Return 1 on match, 0
458 * otherwise. 432 * otherwise.
459 * 433 *
460 * If task_creation is true, this is an explic 434 * If task_creation is true, this is an explicit indication that we are
461 * filtering a task rule at task creation time 435 * filtering a task rule at task creation time. This and tsk == current are
462 * the only situations where tsk->cred may be 436 * the only situations where tsk->cred may be accessed without an rcu read lock.
463 */ 437 */
464 static int audit_filter_rules(struct task_stru 438 static int audit_filter_rules(struct task_struct *tsk,
465 struct audit_kru 439 struct audit_krule *rule,
466 struct audit_con 440 struct audit_context *ctx,
467 struct audit_nam 441 struct audit_names *name,
468 enum audit_state 442 enum audit_state *state,
469 bool task_creati 443 bool task_creation)
470 { 444 {
471 const struct cred *cred; 445 const struct cred *cred;
472 int i, need_sid = 1; 446 int i, need_sid = 1;
473 u32 sid; 447 u32 sid;
474 unsigned int sessionid; 448 unsigned int sessionid;
475 449
476 if (ctx && rule->prio <= ctx->prio) <<
477 return 0; <<
478 <<
479 cred = rcu_dereference_check(tsk->cred 450 cred = rcu_dereference_check(tsk->cred, tsk == current || task_creation);
480 451
481 for (i = 0; i < rule->field_count; i++ 452 for (i = 0; i < rule->field_count; i++) {
482 struct audit_field *f = &rule- 453 struct audit_field *f = &rule->fields[i];
483 struct audit_names *n; 454 struct audit_names *n;
484 int result = 0; 455 int result = 0;
485 pid_t pid; 456 pid_t pid;
486 457
487 switch (f->type) { 458 switch (f->type) {
488 case AUDIT_PID: 459 case AUDIT_PID:
489 pid = task_tgid_nr(tsk 460 pid = task_tgid_nr(tsk);
490 result = audit_compara 461 result = audit_comparator(pid, f->op, f->val);
491 break; 462 break;
492 case AUDIT_PPID: 463 case AUDIT_PPID:
493 if (ctx) { 464 if (ctx) {
494 if (!ctx->ppid 465 if (!ctx->ppid)
495 ctx->p 466 ctx->ppid = task_ppid_nr(tsk);
496 result = audit 467 result = audit_comparator(ctx->ppid, f->op, f->val);
497 } 468 }
498 break; 469 break;
499 case AUDIT_EXE: 470 case AUDIT_EXE:
500 result = audit_exe_com 471 result = audit_exe_compare(tsk, rule->exe);
501 if (f->op == Audit_not 472 if (f->op == Audit_not_equal)
502 result = !resu 473 result = !result;
503 break; 474 break;
504 case AUDIT_UID: 475 case AUDIT_UID:
505 result = audit_uid_com 476 result = audit_uid_comparator(cred->uid, f->op, f->uid);
506 break; 477 break;
507 case AUDIT_EUID: 478 case AUDIT_EUID:
508 result = audit_uid_com 479 result = audit_uid_comparator(cred->euid, f->op, f->uid);
509 break; 480 break;
510 case AUDIT_SUID: 481 case AUDIT_SUID:
511 result = audit_uid_com 482 result = audit_uid_comparator(cred->suid, f->op, f->uid);
512 break; 483 break;
513 case AUDIT_FSUID: 484 case AUDIT_FSUID:
514 result = audit_uid_com 485 result = audit_uid_comparator(cred->fsuid, f->op, f->uid);
515 break; 486 break;
516 case AUDIT_GID: 487 case AUDIT_GID:
517 result = audit_gid_com 488 result = audit_gid_comparator(cred->gid, f->op, f->gid);
518 if (f->op == Audit_equ 489 if (f->op == Audit_equal) {
519 if (!result) 490 if (!result)
520 result 491 result = groups_search(cred->group_info, f->gid);
521 } else if (f->op == Au 492 } else if (f->op == Audit_not_equal) {
522 if (result) 493 if (result)
523 result 494 result = !groups_search(cred->group_info, f->gid);
524 } 495 }
525 break; 496 break;
526 case AUDIT_EGID: 497 case AUDIT_EGID:
527 result = audit_gid_com 498 result = audit_gid_comparator(cred->egid, f->op, f->gid);
528 if (f->op == Audit_equ 499 if (f->op == Audit_equal) {
529 if (!result) 500 if (!result)
530 result 501 result = groups_search(cred->group_info, f->gid);
531 } else if (f->op == Au 502 } else if (f->op == Audit_not_equal) {
532 if (result) 503 if (result)
533 result 504 result = !groups_search(cred->group_info, f->gid);
534 } 505 }
535 break; 506 break;
536 case AUDIT_SGID: 507 case AUDIT_SGID:
537 result = audit_gid_com 508 result = audit_gid_comparator(cred->sgid, f->op, f->gid);
538 break; 509 break;
539 case AUDIT_FSGID: 510 case AUDIT_FSGID:
540 result = audit_gid_com 511 result = audit_gid_comparator(cred->fsgid, f->op, f->gid);
541 break; 512 break;
542 case AUDIT_SESSIONID: 513 case AUDIT_SESSIONID:
543 sessionid = audit_get_ 514 sessionid = audit_get_sessionid(tsk);
544 result = audit_compara 515 result = audit_comparator(sessionid, f->op, f->val);
545 break; 516 break;
546 case AUDIT_PERS: 517 case AUDIT_PERS:
547 result = audit_compara 518 result = audit_comparator(tsk->personality, f->op, f->val);
548 break; 519 break;
549 case AUDIT_ARCH: 520 case AUDIT_ARCH:
550 if (ctx) 521 if (ctx)
551 result = audit 522 result = audit_comparator(ctx->arch, f->op, f->val);
552 break; 523 break;
553 524
554 case AUDIT_EXIT: 525 case AUDIT_EXIT:
555 if (ctx && ctx->return !! 526 if (ctx && ctx->return_valid)
556 result = audit 527 result = audit_comparator(ctx->return_code, f->op, f->val);
557 break; 528 break;
558 case AUDIT_SUCCESS: 529 case AUDIT_SUCCESS:
559 if (ctx && ctx->return !! 530 if (ctx && ctx->return_valid) {
560 if (f->val) 531 if (f->val)
561 result 532 result = audit_comparator(ctx->return_valid, f->op, AUDITSC_SUCCESS);
562 else 533 else
563 result 534 result = audit_comparator(ctx->return_valid, f->op, AUDITSC_FAILURE);
564 } 535 }
565 break; 536 break;
566 case AUDIT_DEVMAJOR: 537 case AUDIT_DEVMAJOR:
567 if (name) { 538 if (name) {
568 if (audit_comp 539 if (audit_comparator(MAJOR(name->dev), f->op, f->val) ||
569 audit_comp 540 audit_comparator(MAJOR(name->rdev), f->op, f->val))
570 ++resu 541 ++result;
571 } else if (ctx) { 542 } else if (ctx) {
572 list_for_each_ 543 list_for_each_entry(n, &ctx->names_list, list) {
573 if (au 544 if (audit_comparator(MAJOR(n->dev), f->op, f->val) ||
574 au 545 audit_comparator(MAJOR(n->rdev), f->op, f->val)) {
575 546 ++result;
576 547 break;
577 } 548 }
578 } 549 }
579 } 550 }
580 break; 551 break;
581 case AUDIT_DEVMINOR: 552 case AUDIT_DEVMINOR:
582 if (name) { 553 if (name) {
583 if (audit_comp 554 if (audit_comparator(MINOR(name->dev), f->op, f->val) ||
584 audit_comp 555 audit_comparator(MINOR(name->rdev), f->op, f->val))
585 ++resu 556 ++result;
586 } else if (ctx) { 557 } else if (ctx) {
587 list_for_each_ 558 list_for_each_entry(n, &ctx->names_list, list) {
588 if (au 559 if (audit_comparator(MINOR(n->dev), f->op, f->val) ||
589 au 560 audit_comparator(MINOR(n->rdev), f->op, f->val)) {
590 561 ++result;
591 562 break;
592 } 563 }
593 } 564 }
594 } 565 }
595 break; 566 break;
596 case AUDIT_INODE: 567 case AUDIT_INODE:
597 if (name) 568 if (name)
598 result = audit 569 result = audit_comparator(name->ino, f->op, f->val);
599 else if (ctx) { 570 else if (ctx) {
600 list_for_each_ 571 list_for_each_entry(n, &ctx->names_list, list) {
601 if (au 572 if (audit_comparator(n->ino, f->op, f->val)) {
602 573 ++result;
603 574 break;
604 } 575 }
605 } 576 }
606 } 577 }
607 break; 578 break;
608 case AUDIT_OBJ_UID: 579 case AUDIT_OBJ_UID:
609 if (name) { 580 if (name) {
610 result = audit 581 result = audit_uid_comparator(name->uid, f->op, f->uid);
611 } else if (ctx) { 582 } else if (ctx) {
612 list_for_each_ 583 list_for_each_entry(n, &ctx->names_list, list) {
613 if (au 584 if (audit_uid_comparator(n->uid, f->op, f->uid)) {
614 585 ++result;
615 586 break;
616 } 587 }
617 } 588 }
618 } 589 }
619 break; 590 break;
620 case AUDIT_OBJ_GID: 591 case AUDIT_OBJ_GID:
621 if (name) { 592 if (name) {
622 result = audit 593 result = audit_gid_comparator(name->gid, f->op, f->gid);
623 } else if (ctx) { 594 } else if (ctx) {
624 list_for_each_ 595 list_for_each_entry(n, &ctx->names_list, list) {
625 if (au 596 if (audit_gid_comparator(n->gid, f->op, f->gid)) {
626 597 ++result;
627 598 break;
628 } 599 }
629 } 600 }
630 } 601 }
631 break; 602 break;
632 case AUDIT_WATCH: 603 case AUDIT_WATCH:
633 if (name) { !! 604 if (name)
634 result = audit !! 605 result = audit_watch_compare(rule->watch, name->ino, name->dev);
635 <<
636 <<
637 if (f->op == A <<
638 result <<
639 } <<
640 break; 606 break;
641 case AUDIT_DIR: 607 case AUDIT_DIR:
642 if (ctx) { !! 608 if (ctx)
643 result = match 609 result = match_tree_refs(ctx, rule->tree);
644 if (f->op == A <<
645 result <<
646 } <<
647 break; 610 break;
648 case AUDIT_LOGINUID: 611 case AUDIT_LOGINUID:
649 result = audit_uid_com 612 result = audit_uid_comparator(audit_get_loginuid(tsk),
650 613 f->op, f->uid);
651 break; 614 break;
652 case AUDIT_LOGINUID_SET: 615 case AUDIT_LOGINUID_SET:
653 result = audit_compara 616 result = audit_comparator(audit_loginuid_set(tsk), f->op, f->val);
654 break; 617 break;
655 case AUDIT_SADDR_FAM: <<
656 if (ctx && ctx->sockad <<
657 result = audit <<
658 <<
659 break; <<
660 case AUDIT_SUBJ_USER: 618 case AUDIT_SUBJ_USER:
661 case AUDIT_SUBJ_ROLE: 619 case AUDIT_SUBJ_ROLE:
662 case AUDIT_SUBJ_TYPE: 620 case AUDIT_SUBJ_TYPE:
663 case AUDIT_SUBJ_SEN: 621 case AUDIT_SUBJ_SEN:
664 case AUDIT_SUBJ_CLR: 622 case AUDIT_SUBJ_CLR:
665 /* NOTE: this may retu 623 /* NOTE: this may return negative values indicating
666 a temporary error. 624 a temporary error. We simply treat this as a
667 match for now to av 625 match for now to avoid losing information that
668 may be wanted. An 626 may be wanted. An error message will also be
669 logged upon error * 627 logged upon error */
670 if (f->lsm_rule) { 628 if (f->lsm_rule) {
671 if (need_sid) 629 if (need_sid) {
672 /* @ts !! 630 security_task_getsecid(tsk, &sid);
673 * @cu <<
674 * for <<
675 * the <<
676 * of <<
677 * use <<
678 * her <<
679 * @cu <<
680 */ <<
681 securi <<
682 need_s 631 need_sid = 0;
683 } 632 }
684 result = secur 633 result = security_audit_rule_match(sid, f->type,
685 634 f->op,
686 635 f->lsm_rule);
687 } 636 }
688 break; 637 break;
689 case AUDIT_OBJ_USER: 638 case AUDIT_OBJ_USER:
690 case AUDIT_OBJ_ROLE: 639 case AUDIT_OBJ_ROLE:
691 case AUDIT_OBJ_TYPE: 640 case AUDIT_OBJ_TYPE:
692 case AUDIT_OBJ_LEV_LOW: 641 case AUDIT_OBJ_LEV_LOW:
693 case AUDIT_OBJ_LEV_HIGH: 642 case AUDIT_OBJ_LEV_HIGH:
694 /* The above note for 643 /* The above note for AUDIT_SUBJ_USER...AUDIT_SUBJ_CLR
695 also applies here * 644 also applies here */
696 if (f->lsm_rule) { 645 if (f->lsm_rule) {
697 /* Find files 646 /* Find files that match */
698 if (name) { 647 if (name) {
699 result 648 result = security_audit_rule_match(
700 649 name->osid,
701 650 f->type,
702 651 f->op,
703 652 f->lsm_rule);
704 } else if (ctx 653 } else if (ctx) {
705 list_f 654 list_for_each_entry(n, &ctx->names_list, list) {
706 655 if (security_audit_rule_match(
707 656 n->osid,
708 657 f->type,
709 658 f->op,
710 659 f->lsm_rule)) {
711 660 ++result;
712 661 break;
713 662 }
714 } 663 }
715 } 664 }
716 /* Find ipc ob 665 /* Find ipc objects that match */
717 if (!ctx || ct 666 if (!ctx || ctx->type != AUDIT_IPC)
718 break; 667 break;
719 if (security_a 668 if (security_audit_rule_match(ctx->ipc.osid,
720 669 f->type, f->op,
721 670 f->lsm_rule))
722 ++resu 671 ++result;
723 } 672 }
724 break; 673 break;
725 case AUDIT_ARG0: 674 case AUDIT_ARG0:
726 case AUDIT_ARG1: 675 case AUDIT_ARG1:
727 case AUDIT_ARG2: 676 case AUDIT_ARG2:
728 case AUDIT_ARG3: 677 case AUDIT_ARG3:
729 if (ctx) 678 if (ctx)
730 result = audit 679 result = audit_comparator(ctx->argv[f->type-AUDIT_ARG0], f->op, f->val);
731 break; 680 break;
732 case AUDIT_FILTERKEY: 681 case AUDIT_FILTERKEY:
733 /* ignore this field f 682 /* ignore this field for filtering */
734 result = 1; 683 result = 1;
735 break; 684 break;
736 case AUDIT_PERM: 685 case AUDIT_PERM:
737 result = audit_match_p 686 result = audit_match_perm(ctx, f->val);
738 if (f->op == Audit_not <<
739 result = !resu <<
740 break; 687 break;
741 case AUDIT_FILETYPE: 688 case AUDIT_FILETYPE:
742 result = audit_match_f 689 result = audit_match_filetype(ctx, f->val);
743 if (f->op == Audit_not <<
744 result = !resu <<
745 break; 690 break;
746 case AUDIT_FIELD_COMPARE: 691 case AUDIT_FIELD_COMPARE:
747 result = audit_field_c 692 result = audit_field_compare(tsk, cred, f, ctx, name);
748 break; 693 break;
749 } 694 }
750 if (!result) 695 if (!result)
751 return 0; 696 return 0;
752 } 697 }
753 698
754 if (ctx) { 699 if (ctx) {
>> 700 if (rule->prio <= ctx->prio)
>> 701 return 0;
755 if (rule->filterkey) { 702 if (rule->filterkey) {
756 kfree(ctx->filterkey); 703 kfree(ctx->filterkey);
757 ctx->filterkey = kstrd 704 ctx->filterkey = kstrdup(rule->filterkey, GFP_ATOMIC);
758 } 705 }
759 ctx->prio = rule->prio; 706 ctx->prio = rule->prio;
760 } 707 }
761 switch (rule->action) { 708 switch (rule->action) {
762 case AUDIT_NEVER: 709 case AUDIT_NEVER:
763 *state = AUDIT_STATE_DISABLED; !! 710 *state = AUDIT_DISABLED;
764 break; 711 break;
765 case AUDIT_ALWAYS: 712 case AUDIT_ALWAYS:
766 *state = AUDIT_STATE_RECORD; !! 713 *state = AUDIT_RECORD_CONTEXT;
767 break; 714 break;
768 } 715 }
769 return 1; 716 return 1;
770 } 717 }
771 718
772 /* At process creation time, we can determine 719 /* At process creation time, we can determine if system-call auditing is
773 * completely disabled for this task. Since w 720 * completely disabled for this task. Since we only have the task
774 * structure at this point, we can only check 721 * structure at this point, we can only check uid and gid.
775 */ 722 */
776 static enum audit_state audit_filter_task(stru 723 static enum audit_state audit_filter_task(struct task_struct *tsk, char **key)
777 { 724 {
778 struct audit_entry *e; 725 struct audit_entry *e;
779 enum audit_state state; 726 enum audit_state state;
780 727
781 rcu_read_lock(); 728 rcu_read_lock();
782 list_for_each_entry_rcu(e, &audit_filt 729 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TASK], list) {
783 if (audit_filter_rules(tsk, &e 730 if (audit_filter_rules(tsk, &e->rule, NULL, NULL,
784 &state, 731 &state, true)) {
785 if (state == AUDIT_STA !! 732 if (state == AUDIT_RECORD_CONTEXT)
786 *key = kstrdup 733 *key = kstrdup(e->rule.filterkey, GFP_ATOMIC);
787 rcu_read_unlock(); 734 rcu_read_unlock();
788 return state; 735 return state;
789 } 736 }
790 } 737 }
791 rcu_read_unlock(); 738 rcu_read_unlock();
792 return AUDIT_STATE_BUILD; !! 739 return AUDIT_BUILD_CONTEXT;
793 } 740 }
794 741
795 static int audit_in_mask(const struct audit_kr 742 static int audit_in_mask(const struct audit_krule *rule, unsigned long val)
796 { 743 {
797 int word, bit; 744 int word, bit;
798 745
799 if (val > 0xffffffff) 746 if (val > 0xffffffff)
800 return false; 747 return false;
801 748
802 word = AUDIT_WORD(val); 749 word = AUDIT_WORD(val);
803 if (word >= AUDIT_BITMASK_SIZE) 750 if (word >= AUDIT_BITMASK_SIZE)
804 return false; 751 return false;
805 752
806 bit = AUDIT_BIT(val); 753 bit = AUDIT_BIT(val);
807 754
808 return rule->mask[word] & bit; 755 return rule->mask[word] & bit;
809 } 756 }
810 757
811 /** !! 758 /* At syscall entry and exit time, this filter is called if the
812 * __audit_filter_op - common filter helper fo !! 759 * audit_state is not low enough that auditing cannot take place, but is
813 * @tsk: associated task !! 760 * also not high enough that we already know we have to write an audit
814 * @ctx: audit context !! 761 * record (i.e., the state is AUDIT_SETUP_CONTEXT or AUDIT_BUILD_CONTEXT).
815 * @list: audit filter list !! 762 */
816 * @name: audit_name (can be NULL) !! 763 static enum audit_state audit_filter_syscall(struct task_struct *tsk,
817 * @op: current syscall/uring_op !! 764 struct audit_context *ctx,
818 * !! 765 struct list_head *list)
819 * Run the udit filters specified in @list aga <<
820 * @name, and @op, as necessary; the caller is <<
821 * that the call is made while the RCU read lo <<
822 * parameter can be NULL, but all others must <<
823 * Returns 1/true if the filter finds a match, <<
824 */ <<
825 static int __audit_filter_op(struct task_struc <<
826 struct audit_contex <<
827 struct list_head *l <<
828 struct audit_names <<
829 unsigned long op) <<
830 { 766 {
831 struct audit_entry *e; 767 struct audit_entry *e;
832 enum audit_state state; 768 enum audit_state state;
833 769
>> 770 if (auditd_test_task(tsk))
>> 771 return AUDIT_DISABLED;
>> 772
>> 773 rcu_read_lock();
834 list_for_each_entry_rcu(e, list, list) 774 list_for_each_entry_rcu(e, list, list) {
835 if (audit_in_mask(&e->rule, op !! 775 if (audit_in_mask(&e->rule, ctx->major) &&
836 audit_filter_rules(tsk, &e !! 776 audit_filter_rules(tsk, &e->rule, ctx, NULL,
837 &state, 777 &state, false)) {
>> 778 rcu_read_unlock();
838 ctx->current_state = s 779 ctx->current_state = state;
839 return 1; !! 780 return state;
840 } 781 }
841 } 782 }
842 return 0; <<
843 } <<
844 <<
845 /** <<
846 * audit_filter_uring - apply filters to an io <<
847 * @tsk: associated task <<
848 * @ctx: audit context <<
849 */ <<
850 static void audit_filter_uring(struct task_str <<
851 struct audit_co <<
852 { <<
853 if (auditd_test_task(tsk)) <<
854 return; <<
855 <<
856 rcu_read_lock(); <<
857 __audit_filter_op(tsk, ctx, &audit_fil <<
858 NULL, ctx->uring_op); <<
859 rcu_read_unlock(); <<
860 } <<
861 <<
862 /* At syscall exit time, this filter is called <<
863 * not low enough that auditing cannot take pl <<
864 * high enough that we already know we have to <<
865 * (i.e., the state is AUDIT_STATE_BUILD). <<
866 */ <<
867 static void audit_filter_syscall(struct task_s <<
868 struct audit_ <<
869 { <<
870 if (auditd_test_task(tsk)) <<
871 return; <<
872 <<
873 rcu_read_lock(); <<
874 __audit_filter_op(tsk, ctx, &audit_fil <<
875 NULL, ctx->major); <<
876 rcu_read_unlock(); 783 rcu_read_unlock();
>> 784 return AUDIT_BUILD_CONTEXT;
877 } 785 }
878 786
879 /* 787 /*
880 * Given an audit_name check the inode hash ta 788 * Given an audit_name check the inode hash table to see if they match.
881 * Called holding the rcu read lock to protect 789 * Called holding the rcu read lock to protect the use of audit_inode_hash
882 */ 790 */
883 static int audit_filter_inode_name(struct task 791 static int audit_filter_inode_name(struct task_struct *tsk,
884 struct audi 792 struct audit_names *n,
885 struct audi !! 793 struct audit_context *ctx) {
886 { <<
887 int h = audit_hash_ino((u32)n->ino); 794 int h = audit_hash_ino((u32)n->ino);
888 struct list_head *list = &audit_inode_ 795 struct list_head *list = &audit_inode_hash[h];
>> 796 struct audit_entry *e;
>> 797 enum audit_state state;
889 798
890 return __audit_filter_op(tsk, ctx, lis !! 799 list_for_each_entry_rcu(e, list, list) {
>> 800 if (audit_in_mask(&e->rule, ctx->major) &&
>> 801 audit_filter_rules(tsk, &e->rule, ctx, n, &state, false)) {
>> 802 ctx->current_state = state;
>> 803 return 1;
>> 804 }
>> 805 }
>> 806 return 0;
891 } 807 }
892 808
893 /* At syscall exit time, this filter is called 809 /* At syscall exit time, this filter is called if any audit_names have been
894 * collected during syscall processing. We on 810 * collected during syscall processing. We only check rules in sublists at hash
895 * buckets applicable to the inode numbers in 811 * buckets applicable to the inode numbers in audit_names.
896 * Regarding audit_state, same rules apply as 812 * Regarding audit_state, same rules apply as for audit_filter_syscall().
897 */ 813 */
898 void audit_filter_inodes(struct task_struct *t 814 void audit_filter_inodes(struct task_struct *tsk, struct audit_context *ctx)
899 { 815 {
900 struct audit_names *n; 816 struct audit_names *n;
901 817
902 if (auditd_test_task(tsk)) 818 if (auditd_test_task(tsk))
903 return; 819 return;
904 820
905 rcu_read_lock(); 821 rcu_read_lock();
906 822
907 list_for_each_entry(n, &ctx->names_lis 823 list_for_each_entry(n, &ctx->names_list, list) {
908 if (audit_filter_inode_name(ts 824 if (audit_filter_inode_name(tsk, n, ctx))
909 break; 825 break;
910 } 826 }
911 rcu_read_unlock(); 827 rcu_read_unlock();
912 } 828 }
913 829
914 static inline void audit_proctitle_free(struct 830 static inline void audit_proctitle_free(struct audit_context *context)
915 { 831 {
916 kfree(context->proctitle.value); 832 kfree(context->proctitle.value);
917 context->proctitle.value = NULL; 833 context->proctitle.value = NULL;
918 context->proctitle.len = 0; 834 context->proctitle.len = 0;
919 } 835 }
920 836
921 static inline void audit_free_module(struct au 837 static inline void audit_free_module(struct audit_context *context)
922 { 838 {
923 if (context->type == AUDIT_KERN_MODULE 839 if (context->type == AUDIT_KERN_MODULE) {
924 kfree(context->module.name); 840 kfree(context->module.name);
925 context->module.name = NULL; 841 context->module.name = NULL;
926 } 842 }
927 } 843 }
928 static inline void audit_free_names(struct aud 844 static inline void audit_free_names(struct audit_context *context)
929 { 845 {
930 struct audit_names *n, *next; 846 struct audit_names *n, *next;
931 847
932 list_for_each_entry_safe(n, next, &con 848 list_for_each_entry_safe(n, next, &context->names_list, list) {
933 list_del(&n->list); 849 list_del(&n->list);
934 if (n->name) 850 if (n->name)
935 putname(n->name); 851 putname(n->name);
936 if (n->should_free) 852 if (n->should_free)
937 kfree(n); 853 kfree(n);
938 } 854 }
939 context->name_count = 0; 855 context->name_count = 0;
940 path_put(&context->pwd); 856 path_put(&context->pwd);
941 context->pwd.dentry = NULL; 857 context->pwd.dentry = NULL;
942 context->pwd.mnt = NULL; 858 context->pwd.mnt = NULL;
943 } 859 }
944 860
945 static inline void audit_free_aux(struct audit 861 static inline void audit_free_aux(struct audit_context *context)
946 { 862 {
947 struct audit_aux_data *aux; 863 struct audit_aux_data *aux;
948 864
949 while ((aux = context->aux)) { 865 while ((aux = context->aux)) {
950 context->aux = aux->next; 866 context->aux = aux->next;
951 kfree(aux); 867 kfree(aux);
952 } 868 }
953 context->aux = NULL; <<
954 while ((aux = context->aux_pids)) { 869 while ((aux = context->aux_pids)) {
955 context->aux_pids = aux->next; 870 context->aux_pids = aux->next;
956 kfree(aux); 871 kfree(aux);
957 } 872 }
958 context->aux_pids = NULL; <<
959 } <<
960 <<
961 /** <<
962 * audit_reset_context - reset a audit_context <<
963 * @ctx: the audit_context to reset <<
964 * <<
965 * All fields in the audit_context will be res <<
966 * references held by fields will be dropped, <<
967 * released. When this function returns the a <<
968 * for reuse, so long as the passed context is <<
969 */ <<
970 static void audit_reset_context(struct audit_c <<
971 { <<
972 if (!ctx) <<
973 return; <<
974 <<
975 /* if ctx is non-null, reset the "ctx- <<
976 ctx->context = AUDIT_CTX_UNUSED; <<
977 if (ctx->dummy) <<
978 return; <<
979 <<
980 /* <<
981 * NOTE: It shouldn't matter in what o <<
982 * release them in the order in <<
983 * this gives us some hope of qu <<
984 * resetting the audit_context p <<
985 * <<
986 * Other things worth mentioning <<
987 * - we don't reset "dummy" <<
988 * - we don't reset "state", we <<
989 * - we preserve "filterkey" if <<
990 * - much of this is likely over <<
991 * - we really need to work on i <<
992 */ <<
993 <<
994 ctx->current_state = ctx->state; <<
995 ctx->serial = 0; <<
996 ctx->major = 0; <<
997 ctx->uring_op = 0; <<
998 ctx->ctime = (struct timespec64){ .tv_ <<
999 memset(ctx->argv, 0, sizeof(ctx->argv) <<
1000 ctx->return_code = 0; <<
1001 ctx->prio = (ctx->state == AUDIT_STAT <<
1002 ctx->return_valid = AUDITSC_INVALID; <<
1003 audit_free_names(ctx); <<
1004 if (ctx->state != AUDIT_STATE_RECORD) <<
1005 kfree(ctx->filterkey); <<
1006 ctx->filterkey = NULL; <<
1007 } <<
1008 audit_free_aux(ctx); <<
1009 kfree(ctx->sockaddr); <<
1010 ctx->sockaddr = NULL; <<
1011 ctx->sockaddr_len = 0; <<
1012 ctx->ppid = 0; <<
1013 ctx->uid = ctx->euid = ctx->suid = ct <<
1014 ctx->gid = ctx->egid = ctx->sgid = ct <<
1015 ctx->personality = 0; <<
1016 ctx->arch = 0; <<
1017 ctx->target_pid = 0; <<
1018 ctx->target_auid = ctx->target_uid = <<
1019 ctx->target_sessionid = 0; <<
1020 ctx->target_sid = 0; <<
1021 ctx->target_comm[0] = '\0'; <<
1022 unroll_tree_refs(ctx, NULL, 0); <<
1023 WARN_ON(!list_empty(&ctx->killed_tree <<
1024 audit_free_module(ctx); <<
1025 ctx->fds[0] = -1; <<
1026 ctx->type = 0; /* reset last for audi <<
1027 } 873 }
1028 874
1029 static inline struct audit_context *audit_all 875 static inline struct audit_context *audit_alloc_context(enum audit_state state)
1030 { 876 {
1031 struct audit_context *context; 877 struct audit_context *context;
1032 878
1033 context = kzalloc(sizeof(*context), G 879 context = kzalloc(sizeof(*context), GFP_KERNEL);
1034 if (!context) 880 if (!context)
1035 return NULL; 881 return NULL;
1036 context->context = AUDIT_CTX_UNUSED; <<
1037 context->state = state; 882 context->state = state;
1038 context->prio = state == AUDIT_STATE_ !! 883 context->prio = state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0;
1039 INIT_LIST_HEAD(&context->killed_trees 884 INIT_LIST_HEAD(&context->killed_trees);
1040 INIT_LIST_HEAD(&context->names_list); 885 INIT_LIST_HEAD(&context->names_list);
1041 context->fds[0] = -1; <<
1042 context->return_valid = AUDITSC_INVAL <<
1043 return context; 886 return context;
1044 } 887 }
1045 888
1046 /** 889 /**
1047 * audit_alloc - allocate an audit context bl 890 * audit_alloc - allocate an audit context block for a task
1048 * @tsk: task 891 * @tsk: task
1049 * 892 *
1050 * Filter on the task information and allocat 893 * Filter on the task information and allocate a per-task audit context
1051 * if necessary. Doing so turns on system ca 894 * if necessary. Doing so turns on system call auditing for the
1052 * specified task. This is called from copy_ 895 * specified task. This is called from copy_process, so no lock is
1053 * needed. 896 * needed.
1054 */ 897 */
1055 int audit_alloc(struct task_struct *tsk) 898 int audit_alloc(struct task_struct *tsk)
1056 { 899 {
1057 struct audit_context *context; 900 struct audit_context *context;
1058 enum audit_state state; 901 enum audit_state state;
1059 char *key = NULL; 902 char *key = NULL;
1060 903
1061 if (likely(!audit_ever_enabled)) 904 if (likely(!audit_ever_enabled))
1062 return 0; !! 905 return 0; /* Return if not auditing. */
1063 906
1064 state = audit_filter_task(tsk, &key); 907 state = audit_filter_task(tsk, &key);
1065 if (state == AUDIT_STATE_DISABLED) { !! 908 if (state == AUDIT_DISABLED) {
1066 clear_task_syscall_work(tsk, !! 909 clear_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT);
1067 return 0; 910 return 0;
1068 } 911 }
1069 912
1070 context = audit_alloc_context(state); !! 913 if (!(context = audit_alloc_context(state))) {
1071 if (!context) { <<
1072 kfree(key); 914 kfree(key);
1073 audit_log_lost("out of memory 915 audit_log_lost("out of memory in audit_alloc");
1074 return -ENOMEM; 916 return -ENOMEM;
1075 } 917 }
1076 context->filterkey = key; 918 context->filterkey = key;
1077 919
1078 audit_set_context(tsk, context); 920 audit_set_context(tsk, context);
1079 set_task_syscall_work(tsk, SYSCALL_AU !! 921 set_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT);
1080 return 0; 922 return 0;
1081 } 923 }
1082 924
1083 static inline void audit_free_context(struct 925 static inline void audit_free_context(struct audit_context *context)
1084 { 926 {
1085 /* resetting is extra work, but it is !! 927 audit_free_module(context);
1086 audit_reset_context(context); !! 928 audit_free_names(context);
1087 audit_proctitle_free(context); !! 929 unroll_tree_refs(context, NULL, 0);
1088 free_tree_refs(context); 930 free_tree_refs(context);
>> 931 audit_free_aux(context);
1089 kfree(context->filterkey); 932 kfree(context->filterkey);
>> 933 kfree(context->sockaddr);
>> 934 audit_proctitle_free(context);
1090 kfree(context); 935 kfree(context);
1091 } 936 }
1092 937
1093 static int audit_log_pid_context(struct audit 938 static int audit_log_pid_context(struct audit_context *context, pid_t pid,
1094 kuid_t auid, 939 kuid_t auid, kuid_t uid, unsigned int sessionid,
1095 u32 sid, cha 940 u32 sid, char *comm)
1096 { 941 {
1097 struct audit_buffer *ab; 942 struct audit_buffer *ab;
1098 char *ctx = NULL; 943 char *ctx = NULL;
1099 u32 len; 944 u32 len;
1100 int rc = 0; 945 int rc = 0;
1101 946
1102 ab = audit_log_start(context, GFP_KER 947 ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID);
1103 if (!ab) 948 if (!ab)
1104 return rc; 949 return rc;
1105 950
1106 audit_log_format(ab, "opid=%d oauid=% 951 audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid,
1107 from_kuid(&init_user 952 from_kuid(&init_user_ns, auid),
1108 from_kuid(&init_user 953 from_kuid(&init_user_ns, uid), sessionid);
1109 if (sid) { 954 if (sid) {
1110 if (security_secid_to_secctx( 955 if (security_secid_to_secctx(sid, &ctx, &len)) {
1111 audit_log_format(ab, 956 audit_log_format(ab, " obj=(none)");
1112 rc = 1; 957 rc = 1;
1113 } else { 958 } else {
1114 audit_log_format(ab, 959 audit_log_format(ab, " obj=%s", ctx);
1115 security_release_secc 960 security_release_secctx(ctx, len);
1116 } 961 }
1117 } 962 }
1118 audit_log_format(ab, " ocomm="); 963 audit_log_format(ab, " ocomm=");
1119 audit_log_untrustedstring(ab, comm); 964 audit_log_untrustedstring(ab, comm);
1120 audit_log_end(ab); 965 audit_log_end(ab);
1121 966
1122 return rc; 967 return rc;
1123 } 968 }
1124 969
1125 static void audit_log_execve_info(struct audi 970 static void audit_log_execve_info(struct audit_context *context,
1126 struct audi 971 struct audit_buffer **ab)
1127 { 972 {
1128 long len_max; 973 long len_max;
1129 long len_rem; 974 long len_rem;
1130 long len_full; 975 long len_full;
1131 long len_buf; 976 long len_buf;
1132 long len_abuf = 0; 977 long len_abuf = 0;
1133 long len_tmp; 978 long len_tmp;
1134 bool require_data; 979 bool require_data;
1135 bool encode; 980 bool encode;
1136 unsigned int iter; 981 unsigned int iter;
1137 unsigned int arg; 982 unsigned int arg;
1138 char *buf_head; 983 char *buf_head;
1139 char *buf; 984 char *buf;
1140 const char __user *p = (const char __ 985 const char __user *p = (const char __user *)current->mm->arg_start;
1141 986
1142 /* NOTE: this buffer needs to be larg 987 /* NOTE: this buffer needs to be large enough to hold all the non-arg
1143 * data we put in the audit rec 988 * data we put in the audit record for this argument (see the
1144 * code below) ... at this poin 989 * code below) ... at this point in time 96 is plenty */
1145 char abuf[96]; 990 char abuf[96];
1146 991
1147 /* NOTE: we set MAX_EXECVE_AUDIT_LEN 992 /* NOTE: we set MAX_EXECVE_AUDIT_LEN to a rather arbitrary limit, the
1148 * current value of 7500 is not 993 * current value of 7500 is not as important as the fact that it
1149 * is less than 8k, a setting o 994 * is less than 8k, a setting of 7500 gives us plenty of wiggle
1150 * room if we go over a little 995 * room if we go over a little bit in the logging below */
1151 WARN_ON_ONCE(MAX_EXECVE_AUDIT_LEN > 7 996 WARN_ON_ONCE(MAX_EXECVE_AUDIT_LEN > 7500);
1152 len_max = MAX_EXECVE_AUDIT_LEN; 997 len_max = MAX_EXECVE_AUDIT_LEN;
1153 998
1154 /* scratch buffer to hold the userspa 999 /* scratch buffer to hold the userspace args */
1155 buf_head = kmalloc(MAX_EXECVE_AUDIT_L 1000 buf_head = kmalloc(MAX_EXECVE_AUDIT_LEN + 1, GFP_KERNEL);
1156 if (!buf_head) { 1001 if (!buf_head) {
1157 audit_panic("out of memory fo 1002 audit_panic("out of memory for argv string");
1158 return; 1003 return;
1159 } 1004 }
1160 buf = buf_head; 1005 buf = buf_head;
1161 1006
1162 audit_log_format(*ab, "argc=%d", cont 1007 audit_log_format(*ab, "argc=%d", context->execve.argc);
1163 1008
1164 len_rem = len_max; 1009 len_rem = len_max;
1165 len_buf = 0; 1010 len_buf = 0;
1166 len_full = 0; 1011 len_full = 0;
1167 require_data = true; 1012 require_data = true;
1168 encode = false; 1013 encode = false;
1169 iter = 0; 1014 iter = 0;
1170 arg = 0; 1015 arg = 0;
1171 do { 1016 do {
1172 /* NOTE: we don't ever want t 1017 /* NOTE: we don't ever want to trust this value for anything
1173 * serious, but the aud 1018 * serious, but the audit record format insists we
1174 * provide an argument 1019 * provide an argument length for really long arguments,
1175 * e.g. > MAX_EXECVE_AU 1020 * e.g. > MAX_EXECVE_AUDIT_LEN, so we have no choice but
1176 * to use strncpy_from_ 1021 * to use strncpy_from_user() to obtain this value for
1177 * recording in the log 1022 * recording in the log, although we don't use it
1178 * anywhere here to avo 1023 * anywhere here to avoid a double-fetch problem */
1179 if (len_full == 0) 1024 if (len_full == 0)
1180 len_full = strnlen_us 1025 len_full = strnlen_user(p, MAX_ARG_STRLEN) - 1;
1181 1026
1182 /* read more data from usersp 1027 /* read more data from userspace */
1183 if (require_data) { 1028 if (require_data) {
1184 /* can we make more r 1029 /* can we make more room in the buffer? */
1185 if (buf != buf_head) 1030 if (buf != buf_head) {
1186 memmove(buf_h 1031 memmove(buf_head, buf, len_buf);
1187 buf = buf_hea 1032 buf = buf_head;
1188 } 1033 }
1189 1034
1190 /* fetch as much as w 1035 /* fetch as much as we can of the argument */
1191 len_tmp = strncpy_fro 1036 len_tmp = strncpy_from_user(&buf_head[len_buf], p,
1192 1037 len_max - len_buf);
1193 if (len_tmp == -EFAUL 1038 if (len_tmp == -EFAULT) {
1194 /* unable to 1039 /* unable to copy from userspace */
1195 send_sig(SIGK 1040 send_sig(SIGKILL, current, 0);
1196 goto out; 1041 goto out;
1197 } else if (len_tmp == 1042 } else if (len_tmp == (len_max - len_buf)) {
1198 /* buffer is 1043 /* buffer is not large enough */
1199 require_data 1044 require_data = true;
1200 /* NOTE: if w 1045 /* NOTE: if we are going to span multiple
1201 * buff 1046 * buffers force the encoding so we stand
1202 * a ch 1047 * a chance at a sane len_full value and
1203 * cons 1048 * consistent record encoding */
1204 encode = true 1049 encode = true;
1205 len_full = le 1050 len_full = len_full * 2;
1206 p += len_tmp; 1051 p += len_tmp;
1207 } else { 1052 } else {
1208 require_data 1053 require_data = false;
1209 if (!encode) 1054 if (!encode)
1210 encod 1055 encode = audit_string_contains_control(
1211 1056 buf, len_tmp);
1212 /* try to use 1057 /* try to use a trusted value for len_full */
1213 if (len_full 1058 if (len_full < len_max)
1214 len_f 1059 len_full = (encode ?
1215 1060 len_tmp * 2 : len_tmp);
1216 p += len_tmp 1061 p += len_tmp + 1;
1217 } 1062 }
1218 len_buf += len_tmp; 1063 len_buf += len_tmp;
1219 buf_head[len_buf] = ' 1064 buf_head[len_buf] = '\0';
1220 1065
1221 /* length of the buff 1066 /* length of the buffer in the audit record? */
1222 len_abuf = (encode ? 1067 len_abuf = (encode ? len_buf * 2 : len_buf + 2);
1223 } 1068 }
1224 1069
1225 /* write as much as we can to 1070 /* write as much as we can to the audit log */
1226 if (len_buf >= 0) { 1071 if (len_buf >= 0) {
1227 /* NOTE: some magic n 1072 /* NOTE: some magic numbers here - basically if we
1228 * can't fit a 1073 * can't fit a reasonable amount of data into the
1229 * existing aud 1074 * existing audit buffer, flush it and start with
1230 * a new buffer 1075 * a new buffer */
1231 if ((sizeof(abuf) + 8 1076 if ((sizeof(abuf) + 8) > len_rem) {
1232 len_rem = len 1077 len_rem = len_max;
1233 audit_log_end 1078 audit_log_end(*ab);
1234 *ab = audit_l 1079 *ab = audit_log_start(context,
1235 1080 GFP_KERNEL, AUDIT_EXECVE);
1236 if (!*ab) 1081 if (!*ab)
1237 goto 1082 goto out;
1238 } 1083 }
1239 1084
1240 /* create the non-arg 1085 /* create the non-arg portion of the arg record */
1241 len_tmp = 0; 1086 len_tmp = 0;
1242 if (require_data || ( 1087 if (require_data || (iter > 0) ||
1243 ((len_abuf + size 1088 ((len_abuf + sizeof(abuf)) > len_rem)) {
1244 if (iter == 0 1089 if (iter == 0) {
1245 len_t 1090 len_tmp += snprintf(&abuf[len_tmp],
1246 1091 sizeof(abuf) - len_tmp,
1247 1092 " a%d_len=%lu",
1248 1093 arg, len_full);
1249 } 1094 }
1250 len_tmp += sn 1095 len_tmp += snprintf(&abuf[len_tmp],
1251 1096 sizeof(abuf) - len_tmp,
1252 1097 " a%d[%d]=", arg, iter++);
1253 } else 1098 } else
1254 len_tmp += sn 1099 len_tmp += snprintf(&abuf[len_tmp],
1255 1100 sizeof(abuf) - len_tmp,
1256 1101 " a%d=", arg);
1257 WARN_ON(len_tmp >= si 1102 WARN_ON(len_tmp >= sizeof(abuf));
1258 abuf[sizeof(abuf) - 1 1103 abuf[sizeof(abuf) - 1] = '\0';
1259 1104
1260 /* log the arg in the 1105 /* log the arg in the audit record */
1261 audit_log_format(*ab, 1106 audit_log_format(*ab, "%s", abuf);
1262 len_rem -= len_tmp; 1107 len_rem -= len_tmp;
1263 len_tmp = len_buf; 1108 len_tmp = len_buf;
1264 if (encode) { 1109 if (encode) {
1265 if (len_abuf 1110 if (len_abuf > len_rem)
1266 len_t 1111 len_tmp = len_rem / 2; /* encoding */
1267 audit_log_n_h 1112 audit_log_n_hex(*ab, buf, len_tmp);
1268 len_rem -= le 1113 len_rem -= len_tmp * 2;
1269 len_abuf -= l 1114 len_abuf -= len_tmp * 2;
1270 } else { 1115 } else {
1271 if (len_abuf 1116 if (len_abuf > len_rem)
1272 len_t 1117 len_tmp = len_rem - 2; /* quotes */
1273 audit_log_n_s 1118 audit_log_n_string(*ab, buf, len_tmp);
1274 len_rem -= le 1119 len_rem -= len_tmp + 2;
1275 /* don't subt 1120 /* don't subtract the "2" because we still need
1276 * to add quo 1121 * to add quotes to the remaining string */
1277 len_abuf -= l 1122 len_abuf -= len_tmp;
1278 } 1123 }
1279 len_buf -= len_tmp; 1124 len_buf -= len_tmp;
1280 buf += len_tmp; 1125 buf += len_tmp;
1281 } 1126 }
1282 1127
1283 /* ready to move to the next 1128 /* ready to move to the next argument? */
1284 if ((len_buf == 0) && !requir 1129 if ((len_buf == 0) && !require_data) {
1285 arg++; 1130 arg++;
1286 iter = 0; 1131 iter = 0;
1287 len_full = 0; 1132 len_full = 0;
1288 require_data = true; 1133 require_data = true;
1289 encode = false; 1134 encode = false;
1290 } 1135 }
1291 } while (arg < context->execve.argc); 1136 } while (arg < context->execve.argc);
1292 1137
1293 /* NOTE: the caller handles the final 1138 /* NOTE: the caller handles the final audit_log_end() call */
1294 1139
1295 out: 1140 out:
1296 kfree(buf_head); 1141 kfree(buf_head);
1297 } 1142 }
1298 1143
1299 static void audit_log_cap(struct audit_buffer 1144 static void audit_log_cap(struct audit_buffer *ab, char *prefix,
1300 kernel_cap_t *cap) 1145 kernel_cap_t *cap)
1301 { 1146 {
>> 1147 int i;
>> 1148
1302 if (cap_isclear(*cap)) { 1149 if (cap_isclear(*cap)) {
1303 audit_log_format(ab, " %s=0", 1150 audit_log_format(ab, " %s=0", prefix);
1304 return; 1151 return;
1305 } 1152 }
1306 audit_log_format(ab, " %s=%016llx", p !! 1153 audit_log_format(ab, " %s=", prefix);
>> 1154 CAP_FOR_EACH_U32(i)
>> 1155 audit_log_format(ab, "%08x", cap->cap[CAP_LAST_U32 - i]);
1307 } 1156 }
1308 1157
1309 static void audit_log_fcaps(struct audit_buff 1158 static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name)
1310 { 1159 {
1311 if (name->fcap_ver == -1) { 1160 if (name->fcap_ver == -1) {
1312 audit_log_format(ab, " cap_fe 1161 audit_log_format(ab, " cap_fe=? cap_fver=? cap_fp=? cap_fi=?");
1313 return; 1162 return;
1314 } 1163 }
1315 audit_log_cap(ab, "cap_fp", &name->fc 1164 audit_log_cap(ab, "cap_fp", &name->fcap.permitted);
1316 audit_log_cap(ab, "cap_fi", &name->fc 1165 audit_log_cap(ab, "cap_fi", &name->fcap.inheritable);
1317 audit_log_format(ab, " cap_fe=%d cap_ 1166 audit_log_format(ab, " cap_fe=%d cap_fver=%x cap_frootid=%d",
1318 name->fcap.fE, name- 1167 name->fcap.fE, name->fcap_ver,
1319 from_kuid(&init_user 1168 from_kuid(&init_user_ns, name->fcap.rootid));
1320 } 1169 }
1321 1170
1322 static void audit_log_time(struct audit_conte <<
1323 { <<
1324 const struct audit_ntp_data *ntp = &c <<
1325 const struct timespec64 *tk = &contex <<
1326 static const char * const ntp_name[] <<
1327 "offset", <<
1328 "freq", <<
1329 "status", <<
1330 "tai", <<
1331 "tick", <<
1332 "adjust", <<
1333 }; <<
1334 int type; <<
1335 <<
1336 if (context->type == AUDIT_TIME_ADJNT <<
1337 for (type = 0; type < AUDIT_N <<
1338 if (ntp->vals[type].n <<
1339 if (!*ab) { <<
1340 *ab = <<
1341 <<
1342 <<
1343 if (! <<
1344 <<
1345 } <<
1346 audit_log_for <<
1347 <<
1348 <<
1349 <<
1350 audit_log_end <<
1351 *ab = NULL; <<
1352 } <<
1353 } <<
1354 } <<
1355 if (tk->tv_sec != 0 || tk->tv_nsec != <<
1356 if (!*ab) { <<
1357 *ab = audit_log_start <<
1358 <<
1359 if (!*ab) <<
1360 return; <<
1361 } <<
1362 audit_log_format(*ab, "sec=%l <<
1363 (long long)t <<
1364 audit_log_end(*ab); <<
1365 *ab = NULL; <<
1366 } <<
1367 } <<
1368 <<
1369 static void show_special(struct audit_context 1171 static void show_special(struct audit_context *context, int *call_panic)
1370 { 1172 {
1371 struct audit_buffer *ab; 1173 struct audit_buffer *ab;
1372 int i; 1174 int i;
1373 1175
1374 ab = audit_log_start(context, GFP_KER 1176 ab = audit_log_start(context, GFP_KERNEL, context->type);
1375 if (!ab) 1177 if (!ab)
1376 return; 1178 return;
1377 1179
1378 switch (context->type) { 1180 switch (context->type) {
1379 case AUDIT_SOCKETCALL: { 1181 case AUDIT_SOCKETCALL: {
1380 int nargs = context->socketca 1182 int nargs = context->socketcall.nargs;
1381 <<
1382 audit_log_format(ab, "nargs=% 1183 audit_log_format(ab, "nargs=%d", nargs);
1383 for (i = 0; i < nargs; i++) 1184 for (i = 0; i < nargs; i++)
1384 audit_log_format(ab, 1185 audit_log_format(ab, " a%d=%lx", i,
1385 context->sock 1186 context->socketcall.args[i]);
1386 break; } 1187 break; }
1387 case AUDIT_IPC: { 1188 case AUDIT_IPC: {
1388 u32 osid = context->ipc.osid; 1189 u32 osid = context->ipc.osid;
1389 1190
1390 audit_log_format(ab, "ouid=%u 1191 audit_log_format(ab, "ouid=%u ogid=%u mode=%#ho",
1391 from_kuid(&i 1192 from_kuid(&init_user_ns, context->ipc.uid),
1392 from_kgid(&i 1193 from_kgid(&init_user_ns, context->ipc.gid),
1393 context->ipc 1194 context->ipc.mode);
1394 if (osid) { 1195 if (osid) {
1395 char *ctx = NULL; 1196 char *ctx = NULL;
1396 u32 len; 1197 u32 len;
1397 <<
1398 if (security_secid_to 1198 if (security_secid_to_secctx(osid, &ctx, &len)) {
1399 audit_log_for 1199 audit_log_format(ab, " osid=%u", osid);
1400 *call_panic = 1200 *call_panic = 1;
1401 } else { 1201 } else {
1402 audit_log_for 1202 audit_log_format(ab, " obj=%s", ctx);
1403 security_rele 1203 security_release_secctx(ctx, len);
1404 } 1204 }
1405 } 1205 }
1406 if (context->ipc.has_perm) { 1206 if (context->ipc.has_perm) {
1407 audit_log_end(ab); 1207 audit_log_end(ab);
1408 ab = audit_log_start( 1208 ab = audit_log_start(context, GFP_KERNEL,
1409 1209 AUDIT_IPC_SET_PERM);
1410 if (unlikely(!ab)) 1210 if (unlikely(!ab))
1411 return; 1211 return;
1412 audit_log_format(ab, 1212 audit_log_format(ab,
1413 "qbytes=%lx o 1213 "qbytes=%lx ouid=%u ogid=%u mode=%#ho",
1414 context->ipc. 1214 context->ipc.qbytes,
1415 context->ipc. 1215 context->ipc.perm_uid,
1416 context->ipc. 1216 context->ipc.perm_gid,
1417 context->ipc. 1217 context->ipc.perm_mode);
1418 } 1218 }
1419 break; } 1219 break; }
1420 case AUDIT_MQ_OPEN: 1220 case AUDIT_MQ_OPEN:
1421 audit_log_format(ab, 1221 audit_log_format(ab,
1422 "oflag=0x%x mode=%#ho 1222 "oflag=0x%x mode=%#ho mq_flags=0x%lx mq_maxmsg=%ld "
1423 "mq_msgsize=%ld mq_cu 1223 "mq_msgsize=%ld mq_curmsgs=%ld",
1424 context->mq_open.ofla 1224 context->mq_open.oflag, context->mq_open.mode,
1425 context->mq_open.attr 1225 context->mq_open.attr.mq_flags,
1426 context->mq_open.attr 1226 context->mq_open.attr.mq_maxmsg,
1427 context->mq_open.attr 1227 context->mq_open.attr.mq_msgsize,
1428 context->mq_open.attr 1228 context->mq_open.attr.mq_curmsgs);
1429 break; 1229 break;
1430 case AUDIT_MQ_SENDRECV: 1230 case AUDIT_MQ_SENDRECV:
1431 audit_log_format(ab, 1231 audit_log_format(ab,
1432 "mqdes=%d msg_len=%zd 1232 "mqdes=%d msg_len=%zd msg_prio=%u "
1433 "abs_timeout_sec=%lld 1233 "abs_timeout_sec=%lld abs_timeout_nsec=%ld",
1434 context->mq_sendrecv. 1234 context->mq_sendrecv.mqdes,
1435 context->mq_sendrecv. 1235 context->mq_sendrecv.msg_len,
1436 context->mq_sendrecv. 1236 context->mq_sendrecv.msg_prio,
1437 (long long) context-> 1237 (long long) context->mq_sendrecv.abs_timeout.tv_sec,
1438 context->mq_sendrecv. 1238 context->mq_sendrecv.abs_timeout.tv_nsec);
1439 break; 1239 break;
1440 case AUDIT_MQ_NOTIFY: 1240 case AUDIT_MQ_NOTIFY:
1441 audit_log_format(ab, "mqdes=% 1241 audit_log_format(ab, "mqdes=%d sigev_signo=%d",
1442 context->mq_n 1242 context->mq_notify.mqdes,
1443 context->mq_n 1243 context->mq_notify.sigev_signo);
1444 break; 1244 break;
1445 case AUDIT_MQ_GETSETATTR: { 1245 case AUDIT_MQ_GETSETATTR: {
1446 struct mq_attr *attr = &conte 1246 struct mq_attr *attr = &context->mq_getsetattr.mqstat;
1447 <<
1448 audit_log_format(ab, 1247 audit_log_format(ab,
1449 "mqdes=%d mq_flags=0x 1248 "mqdes=%d mq_flags=0x%lx mq_maxmsg=%ld mq_msgsize=%ld "
1450 "mq_curmsgs=%ld ", 1249 "mq_curmsgs=%ld ",
1451 context->mq_getsetatt 1250 context->mq_getsetattr.mqdes,
1452 attr->mq_flags, attr- 1251 attr->mq_flags, attr->mq_maxmsg,
1453 attr->mq_msgsize, att 1252 attr->mq_msgsize, attr->mq_curmsgs);
1454 break; } 1253 break; }
1455 case AUDIT_CAPSET: 1254 case AUDIT_CAPSET:
1456 audit_log_format(ab, "pid=%d" 1255 audit_log_format(ab, "pid=%d", context->capset.pid);
1457 audit_log_cap(ab, "cap_pi", & 1256 audit_log_cap(ab, "cap_pi", &context->capset.cap.inheritable);
1458 audit_log_cap(ab, "cap_pp", & 1257 audit_log_cap(ab, "cap_pp", &context->capset.cap.permitted);
1459 audit_log_cap(ab, "cap_pe", & 1258 audit_log_cap(ab, "cap_pe", &context->capset.cap.effective);
1460 audit_log_cap(ab, "cap_pa", & 1259 audit_log_cap(ab, "cap_pa", &context->capset.cap.ambient);
1461 break; 1260 break;
1462 case AUDIT_MMAP: 1261 case AUDIT_MMAP:
1463 audit_log_format(ab, "fd=%d f 1262 audit_log_format(ab, "fd=%d flags=0x%x", context->mmap.fd,
1464 context->mma 1263 context->mmap.flags);
1465 break; 1264 break;
1466 case AUDIT_OPENAT2: <<
1467 audit_log_format(ab, "oflag=0 <<
1468 context->ope <<
1469 context->ope <<
1470 context->ope <<
1471 break; <<
1472 case AUDIT_EXECVE: 1265 case AUDIT_EXECVE:
1473 audit_log_execve_info(context 1266 audit_log_execve_info(context, &ab);
1474 break; 1267 break;
1475 case AUDIT_KERN_MODULE: 1268 case AUDIT_KERN_MODULE:
1476 audit_log_format(ab, "name=") 1269 audit_log_format(ab, "name=");
1477 if (context->module.name) { 1270 if (context->module.name) {
1478 audit_log_untrustedst 1271 audit_log_untrustedstring(ab, context->module.name);
1479 } else 1272 } else
1480 audit_log_format(ab, 1273 audit_log_format(ab, "(null)");
1481 1274
1482 break; 1275 break;
1483 case AUDIT_TIME_ADJNTPVAL: <<
1484 case AUDIT_TIME_INJOFFSET: <<
1485 /* this call deviates from th <<
1486 audit_log_time(context, &ab); <<
1487 break; <<
1488 } 1276 }
1489 audit_log_end(ab); 1277 audit_log_end(ab);
1490 } 1278 }
1491 1279
1492 static inline int audit_proctitle_rtrim(char 1280 static inline int audit_proctitle_rtrim(char *proctitle, int len)
1493 { 1281 {
1494 char *end = proctitle + len - 1; 1282 char *end = proctitle + len - 1;
1495 <<
1496 while (end > proctitle && !isprint(*e 1283 while (end > proctitle && !isprint(*end))
1497 end--; 1284 end--;
1498 1285
1499 /* catch the case where proctitle is 1286 /* catch the case where proctitle is only 1 non-print character */
1500 len = end - proctitle + 1; 1287 len = end - proctitle + 1;
1501 len -= isprint(proctitle[len-1]) == 0 1288 len -= isprint(proctitle[len-1]) == 0;
1502 return len; 1289 return len;
1503 } 1290 }
1504 1291
1505 /* 1292 /*
1506 * audit_log_name - produce AUDIT_PATH record 1293 * audit_log_name - produce AUDIT_PATH record from struct audit_names
1507 * @context: audit_context for the task 1294 * @context: audit_context for the task
1508 * @n: audit_names structure with reportable 1295 * @n: audit_names structure with reportable details
1509 * @path: optional path to report instead of 1296 * @path: optional path to report instead of audit_names->name
1510 * @record_num: record number to report when 1297 * @record_num: record number to report when handling a list of names
1511 * @call_panic: optional pointer to int that 1298 * @call_panic: optional pointer to int that will be updated if secid fails
1512 */ 1299 */
1513 static void audit_log_name(struct audit_conte 1300 static void audit_log_name(struct audit_context *context, struct audit_names *n,
1514 const struct path *path, 1301 const struct path *path, int record_num, int *call_panic)
1515 { 1302 {
1516 struct audit_buffer *ab; 1303 struct audit_buffer *ab;
1517 1304
1518 ab = audit_log_start(context, GFP_KER 1305 ab = audit_log_start(context, GFP_KERNEL, AUDIT_PATH);
1519 if (!ab) 1306 if (!ab)
1520 return; 1307 return;
1521 1308
1522 audit_log_format(ab, "item=%d", recor 1309 audit_log_format(ab, "item=%d", record_num);
1523 1310
1524 if (path) 1311 if (path)
1525 audit_log_d_path(ab, " name=" 1312 audit_log_d_path(ab, " name=", path);
1526 else if (n->name) { 1313 else if (n->name) {
1527 switch (n->name_len) { 1314 switch (n->name_len) {
1528 case AUDIT_NAME_FULL: 1315 case AUDIT_NAME_FULL:
1529 /* log the full path 1316 /* log the full path */
1530 audit_log_format(ab, 1317 audit_log_format(ab, " name=");
1531 audit_log_untrustedst 1318 audit_log_untrustedstring(ab, n->name->name);
1532 break; 1319 break;
1533 case 0: 1320 case 0:
1534 /* name was specified 1321 /* name was specified as a relative path and the
1535 * directory componen 1322 * directory component is the cwd
1536 */ 1323 */
1537 if (context->pwd.dent !! 1324 audit_log_d_path(ab, " name=", &context->pwd);
1538 audit_log_d_p <<
1539 else <<
1540 audit_log_for <<
1541 break; 1325 break;
1542 default: 1326 default:
1543 /* log the name's dir 1327 /* log the name's directory component */
1544 audit_log_format(ab, 1328 audit_log_format(ab, " name=");
1545 audit_log_n_untrusted 1329 audit_log_n_untrustedstring(ab, n->name->name,
1546 1330 n->name_len);
1547 } 1331 }
1548 } else 1332 } else
1549 audit_log_format(ab, " name=( 1333 audit_log_format(ab, " name=(null)");
1550 1334
1551 if (n->ino != AUDIT_INO_UNSET) 1335 if (n->ino != AUDIT_INO_UNSET)
1552 audit_log_format(ab, " inode= 1336 audit_log_format(ab, " inode=%lu dev=%02x:%02x mode=%#ho ouid=%u ogid=%u rdev=%02x:%02x",
1553 n->ino, 1337 n->ino,
1554 MAJOR(n->dev 1338 MAJOR(n->dev),
1555 MINOR(n->dev 1339 MINOR(n->dev),
1556 n->mode, 1340 n->mode,
1557 from_kuid(&i 1341 from_kuid(&init_user_ns, n->uid),
1558 from_kgid(&i 1342 from_kgid(&init_user_ns, n->gid),
1559 MAJOR(n->rde 1343 MAJOR(n->rdev),
1560 MINOR(n->rde 1344 MINOR(n->rdev));
1561 if (n->osid != 0) { 1345 if (n->osid != 0) {
1562 char *ctx = NULL; 1346 char *ctx = NULL;
1563 u32 len; 1347 u32 len;
1564 1348
1565 if (security_secid_to_secctx( 1349 if (security_secid_to_secctx(
1566 n->osid, &ctx, &len)) 1350 n->osid, &ctx, &len)) {
1567 audit_log_format(ab, 1351 audit_log_format(ab, " osid=%u", n->osid);
1568 if (call_panic) 1352 if (call_panic)
1569 *call_panic = 1353 *call_panic = 2;
1570 } else { 1354 } else {
1571 audit_log_format(ab, 1355 audit_log_format(ab, " obj=%s", ctx);
1572 security_release_secc 1356 security_release_secctx(ctx, len);
1573 } 1357 }
1574 } 1358 }
1575 1359
1576 /* log the audit_names record type */ 1360 /* log the audit_names record type */
1577 switch (n->type) { 1361 switch (n->type) {
1578 case AUDIT_TYPE_NORMAL: 1362 case AUDIT_TYPE_NORMAL:
1579 audit_log_format(ab, " namety 1363 audit_log_format(ab, " nametype=NORMAL");
1580 break; 1364 break;
1581 case AUDIT_TYPE_PARENT: 1365 case AUDIT_TYPE_PARENT:
1582 audit_log_format(ab, " namety 1366 audit_log_format(ab, " nametype=PARENT");
1583 break; 1367 break;
1584 case AUDIT_TYPE_CHILD_DELETE: 1368 case AUDIT_TYPE_CHILD_DELETE:
1585 audit_log_format(ab, " namety 1369 audit_log_format(ab, " nametype=DELETE");
1586 break; 1370 break;
1587 case AUDIT_TYPE_CHILD_CREATE: 1371 case AUDIT_TYPE_CHILD_CREATE:
1588 audit_log_format(ab, " namety 1372 audit_log_format(ab, " nametype=CREATE");
1589 break; 1373 break;
1590 default: 1374 default:
1591 audit_log_format(ab, " namety 1375 audit_log_format(ab, " nametype=UNKNOWN");
1592 break; 1376 break;
1593 } 1377 }
1594 1378
1595 audit_log_fcaps(ab, n); 1379 audit_log_fcaps(ab, n);
1596 audit_log_end(ab); 1380 audit_log_end(ab);
1597 } 1381 }
1598 1382
1599 static void audit_log_proctitle(void) 1383 static void audit_log_proctitle(void)
1600 { 1384 {
1601 int res; 1385 int res;
1602 char *buf; 1386 char *buf;
1603 char *msg = "(null)"; 1387 char *msg = "(null)";
1604 int len = strlen(msg); 1388 int len = strlen(msg);
1605 struct audit_context *context = audit 1389 struct audit_context *context = audit_context();
1606 struct audit_buffer *ab; 1390 struct audit_buffer *ab;
1607 1391
>> 1392 if (!context || context->dummy)
>> 1393 return;
>> 1394
1608 ab = audit_log_start(context, GFP_KER 1395 ab = audit_log_start(context, GFP_KERNEL, AUDIT_PROCTITLE);
1609 if (!ab) 1396 if (!ab)
1610 return; /* audit_panic or bei 1397 return; /* audit_panic or being filtered */
1611 1398
1612 audit_log_format(ab, "proctitle="); 1399 audit_log_format(ab, "proctitle=");
1613 1400
1614 /* Not cached */ 1401 /* Not cached */
1615 if (!context->proctitle.value) { 1402 if (!context->proctitle.value) {
1616 buf = kmalloc(MAX_PROCTITLE_A 1403 buf = kmalloc(MAX_PROCTITLE_AUDIT_LEN, GFP_KERNEL);
1617 if (!buf) 1404 if (!buf)
1618 goto out; 1405 goto out;
1619 /* Historically called this f 1406 /* Historically called this from procfs naming */
1620 res = get_cmdline(current, bu 1407 res = get_cmdline(current, buf, MAX_PROCTITLE_AUDIT_LEN);
1621 if (res == 0) { 1408 if (res == 0) {
1622 kfree(buf); 1409 kfree(buf);
1623 goto out; 1410 goto out;
1624 } 1411 }
1625 res = audit_proctitle_rtrim(b 1412 res = audit_proctitle_rtrim(buf, res);
1626 if (res == 0) { 1413 if (res == 0) {
1627 kfree(buf); 1414 kfree(buf);
1628 goto out; 1415 goto out;
1629 } 1416 }
1630 context->proctitle.value = bu 1417 context->proctitle.value = buf;
1631 context->proctitle.len = res; 1418 context->proctitle.len = res;
1632 } 1419 }
1633 msg = context->proctitle.value; 1420 msg = context->proctitle.value;
1634 len = context->proctitle.len; 1421 len = context->proctitle.len;
1635 out: 1422 out:
1636 audit_log_n_untrustedstring(ab, msg, 1423 audit_log_n_untrustedstring(ab, msg, len);
1637 audit_log_end(ab); 1424 audit_log_end(ab);
1638 } 1425 }
1639 1426
1640 /** <<
1641 * audit_log_uring - generate a AUDIT_URINGOP <<
1642 * @ctx: the audit context <<
1643 */ <<
1644 static void audit_log_uring(struct audit_cont <<
1645 { <<
1646 struct audit_buffer *ab; <<
1647 const struct cred *cred; <<
1648 <<
1649 ab = audit_log_start(ctx, GFP_ATOMIC, <<
1650 if (!ab) <<
1651 return; <<
1652 cred = current_cred(); <<
1653 audit_log_format(ab, "uring_op=%d", c <<
1654 if (ctx->return_valid != AUDITSC_INVA <<
1655 audit_log_format(ab, " succes <<
1656 (ctx->return <<
1657 "yes" : "no <<
1658 ctx->return_ <<
1659 audit_log_format(ab, <<
1660 " items=%d" <<
1661 " ppid=%d pid=%d uid <<
1662 " fsuid=%u egid=%u s <<
1663 ctx->name_count, <<
1664 task_ppid_nr(current <<
1665 from_kuid(&init_user <<
1666 from_kgid(&init_user <<
1667 from_kuid(&init_user <<
1668 from_kuid(&init_user <<
1669 from_kuid(&init_user <<
1670 from_kgid(&init_user <<
1671 from_kgid(&init_user <<
1672 from_kgid(&init_user <<
1673 audit_log_task_context(ab); <<
1674 audit_log_key(ab, ctx->filterkey); <<
1675 audit_log_end(ab); <<
1676 } <<
1677 <<
1678 static void audit_log_exit(void) 1427 static void audit_log_exit(void)
1679 { 1428 {
1680 int i, call_panic = 0; 1429 int i, call_panic = 0;
1681 struct audit_context *context = audit 1430 struct audit_context *context = audit_context();
1682 struct audit_buffer *ab; 1431 struct audit_buffer *ab;
1683 struct audit_aux_data *aux; 1432 struct audit_aux_data *aux;
1684 struct audit_names *n; 1433 struct audit_names *n;
1685 1434
1686 context->personality = current->perso 1435 context->personality = current->personality;
1687 1436
1688 switch (context->context) { !! 1437 ab = audit_log_start(context, GFP_KERNEL, AUDIT_SYSCALL);
1689 case AUDIT_CTX_SYSCALL: !! 1438 if (!ab)
1690 ab = audit_log_start(context, !! 1439 return; /* audit_panic has been called */
1691 if (!ab) !! 1440 audit_log_format(ab, "arch=%x syscall=%d",
1692 return; !! 1441 context->arch, context->major);
1693 audit_log_format(ab, "arch=%x !! 1442 if (context->personality != PER_LINUX)
1694 context->arc !! 1443 audit_log_format(ab, " per=%lx", context->personality);
1695 if (context->personality != P !! 1444 if (context->return_valid)
1696 audit_log_format(ab, !! 1445 audit_log_format(ab, " success=%s exit=%ld",
1697 if (context->return_valid != !! 1446 (context->return_valid==AUDITSC_SUCCESS)?"yes":"no",
1698 audit_log_format(ab, !! 1447 context->return_code);
1699 (con !! 1448
1700 "ye !! 1449 audit_log_format(ab,
1701 cont !! 1450 " a0=%lx a1=%lx a2=%lx a3=%lx items=%d",
1702 audit_log_format(ab, !! 1451 context->argv[0],
1703 " a0=%lx a1= !! 1452 context->argv[1],
1704 context->arg !! 1453 context->argv[2],
1705 context->arg !! 1454 context->argv[3],
1706 context->arg !! 1455 context->name_count);
1707 context->arg !! 1456
1708 context->nam !! 1457 audit_log_task_info(ab);
1709 audit_log_task_info(ab); !! 1458 audit_log_key(ab, context->filterkey);
1710 audit_log_key(ab, context->fi !! 1459 audit_log_end(ab);
1711 audit_log_end(ab); <<
1712 break; <<
1713 case AUDIT_CTX_URING: <<
1714 audit_log_uring(context); <<
1715 break; <<
1716 default: <<
1717 BUG(); <<
1718 break; <<
1719 } <<
1720 1460
1721 for (aux = context->aux; aux; aux = a 1461 for (aux = context->aux; aux; aux = aux->next) {
1722 1462
1723 ab = audit_log_start(context, 1463 ab = audit_log_start(context, GFP_KERNEL, aux->type);
1724 if (!ab) 1464 if (!ab)
1725 continue; /* audit_pa 1465 continue; /* audit_panic has been called */
1726 1466
1727 switch (aux->type) { 1467 switch (aux->type) {
1728 1468
1729 case AUDIT_BPRM_FCAPS: { 1469 case AUDIT_BPRM_FCAPS: {
1730 struct audit_aux_data 1470 struct audit_aux_data_bprm_fcaps *axs = (void *)aux;
1731 <<
1732 audit_log_format(ab, 1471 audit_log_format(ab, "fver=%x", axs->fcap_ver);
1733 audit_log_cap(ab, "fp 1472 audit_log_cap(ab, "fp", &axs->fcap.permitted);
1734 audit_log_cap(ab, "fi 1473 audit_log_cap(ab, "fi", &axs->fcap.inheritable);
1735 audit_log_format(ab, 1474 audit_log_format(ab, " fe=%d", axs->fcap.fE);
1736 audit_log_cap(ab, "ol 1475 audit_log_cap(ab, "old_pp", &axs->old_pcap.permitted);
1737 audit_log_cap(ab, "ol 1476 audit_log_cap(ab, "old_pi", &axs->old_pcap.inheritable);
1738 audit_log_cap(ab, "ol 1477 audit_log_cap(ab, "old_pe", &axs->old_pcap.effective);
1739 audit_log_cap(ab, "ol 1478 audit_log_cap(ab, "old_pa", &axs->old_pcap.ambient);
1740 audit_log_cap(ab, "pp 1479 audit_log_cap(ab, "pp", &axs->new_pcap.permitted);
1741 audit_log_cap(ab, "pi 1480 audit_log_cap(ab, "pi", &axs->new_pcap.inheritable);
1742 audit_log_cap(ab, "pe 1481 audit_log_cap(ab, "pe", &axs->new_pcap.effective);
1743 audit_log_cap(ab, "pa 1482 audit_log_cap(ab, "pa", &axs->new_pcap.ambient);
1744 audit_log_format(ab, 1483 audit_log_format(ab, " frootid=%d",
1745 from 1484 from_kuid(&init_user_ns,
1746 1485 axs->fcap.rootid));
1747 break; } 1486 break; }
1748 1487
1749 } 1488 }
1750 audit_log_end(ab); 1489 audit_log_end(ab);
1751 } 1490 }
1752 1491
1753 if (context->type) 1492 if (context->type)
1754 show_special(context, &call_p 1493 show_special(context, &call_panic);
1755 1494
1756 if (context->fds[0] >= 0) { 1495 if (context->fds[0] >= 0) {
1757 ab = audit_log_start(context, 1496 ab = audit_log_start(context, GFP_KERNEL, AUDIT_FD_PAIR);
1758 if (ab) { 1497 if (ab) {
1759 audit_log_format(ab, 1498 audit_log_format(ab, "fd0=%d fd1=%d",
1760 conte 1499 context->fds[0], context->fds[1]);
1761 audit_log_end(ab); 1500 audit_log_end(ab);
1762 } 1501 }
1763 } 1502 }
1764 1503
1765 if (context->sockaddr_len) { 1504 if (context->sockaddr_len) {
1766 ab = audit_log_start(context, 1505 ab = audit_log_start(context, GFP_KERNEL, AUDIT_SOCKADDR);
1767 if (ab) { 1506 if (ab) {
1768 audit_log_format(ab, 1507 audit_log_format(ab, "saddr=");
1769 audit_log_n_hex(ab, ( 1508 audit_log_n_hex(ab, (void *)context->sockaddr,
1770 conte 1509 context->sockaddr_len);
1771 audit_log_end(ab); 1510 audit_log_end(ab);
1772 } 1511 }
1773 } 1512 }
1774 1513
1775 for (aux = context->aux_pids; aux; au 1514 for (aux = context->aux_pids; aux; aux = aux->next) {
1776 struct audit_aux_data_pids *a 1515 struct audit_aux_data_pids *axs = (void *)aux;
1777 1516
1778 for (i = 0; i < axs->pid_coun 1517 for (i = 0; i < axs->pid_count; i++)
1779 if (audit_log_pid_con 1518 if (audit_log_pid_context(context, axs->target_pid[i],
1780 1519 axs->target_auid[i],
1781 1520 axs->target_uid[i],
1782 1521 axs->target_sessionid[i],
1783 1522 axs->target_sid[i],
1784 1523 axs->target_comm[i]))
1785 call_panic = 1524 call_panic = 1;
1786 } 1525 }
1787 1526
1788 if (context->target_pid && 1527 if (context->target_pid &&
1789 audit_log_pid_context(context, co 1528 audit_log_pid_context(context, context->target_pid,
1790 context->ta 1529 context->target_auid, context->target_uid,
1791 context->ta 1530 context->target_sessionid,
1792 context->ta 1531 context->target_sid, context->target_comm))
1793 call_panic = 1; 1532 call_panic = 1;
1794 1533
1795 if (context->pwd.dentry && context->p 1534 if (context->pwd.dentry && context->pwd.mnt) {
1796 ab = audit_log_start(context, 1535 ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD);
1797 if (ab) { 1536 if (ab) {
1798 audit_log_d_path(ab, 1537 audit_log_d_path(ab, "cwd=", &context->pwd);
1799 audit_log_end(ab); 1538 audit_log_end(ab);
1800 } 1539 }
1801 } 1540 }
1802 1541
1803 i = 0; 1542 i = 0;
1804 list_for_each_entry(n, &context->name 1543 list_for_each_entry(n, &context->names_list, list) {
1805 if (n->hidden) 1544 if (n->hidden)
1806 continue; 1545 continue;
1807 audit_log_name(context, n, NU 1546 audit_log_name(context, n, NULL, i++, &call_panic);
1808 } 1547 }
1809 1548
1810 if (context->context == AUDIT_CTX_SYS !! 1549 audit_log_proctitle();
1811 audit_log_proctitle(); <<
1812 1550
1813 /* Send end of event record to help u 1551 /* Send end of event record to help user space know we are finished */
1814 ab = audit_log_start(context, GFP_KER 1552 ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE);
1815 if (ab) 1553 if (ab)
1816 audit_log_end(ab); 1554 audit_log_end(ab);
1817 if (call_panic) 1555 if (call_panic)
1818 audit_panic("error in audit_l !! 1556 audit_panic("error converting sid to string");
1819 } 1557 }
1820 1558
1821 /** 1559 /**
1822 * __audit_free - free a per-task audit conte 1560 * __audit_free - free a per-task audit context
1823 * @tsk: task whose audit context block to fr 1561 * @tsk: task whose audit context block to free
1824 * 1562 *
1825 * Called from copy_process, do_exit, and the !! 1563 * Called from copy_process and do_exit
1826 */ 1564 */
1827 void __audit_free(struct task_struct *tsk) 1565 void __audit_free(struct task_struct *tsk)
1828 { 1566 {
1829 struct audit_context *context = tsk-> 1567 struct audit_context *context = tsk->audit_context;
1830 1568
1831 if (!context) 1569 if (!context)
1832 return; 1570 return;
1833 1571
1834 /* this may generate CONFIG_CHANGE re <<
1835 if (!list_empty(&context->killed_tree 1572 if (!list_empty(&context->killed_trees))
1836 audit_kill_trees(context); 1573 audit_kill_trees(context);
1837 1574
1838 /* We are called either by do_exit() 1575 /* We are called either by do_exit() or the fork() error handling code;
1839 * in the former case tsk == current 1576 * in the former case tsk == current and in the latter tsk is a
1840 * random task_struct that doesn't ha !! 1577 * random task_struct that doesn't doesn't have any meaningful data we
1841 * need to log via audit_log_exit(). 1578 * need to log via audit_log_exit().
1842 */ 1579 */
1843 if (tsk == current && !context->dummy !! 1580 if (tsk == current && !context->dummy && context->in_syscall) {
1844 context->return_valid = AUDIT !! 1581 context->return_valid = 0;
1845 context->return_code = 0; 1582 context->return_code = 0;
1846 if (context->context == AUDIT !! 1583
1847 audit_filter_syscall( !! 1584 audit_filter_syscall(tsk, context,
1848 audit_filter_inodes(t !! 1585 &audit_filter_list[AUDIT_FILTER_EXIT]);
1849 if (context->current_ !! 1586 audit_filter_inodes(tsk, context);
1850 audit_log_exi !! 1587 if (context->current_state == AUDIT_RECORD_CONTEXT)
1851 } else if (context->context = !! 1588 audit_log_exit();
1852 /* TODO: verify this <<
1853 audit_filter_uring(ts <<
1854 audit_filter_inodes(t <<
1855 if (context->current_ <<
1856 audit_log_uri <<
1857 } <<
1858 } 1589 }
1859 1590
1860 audit_set_context(tsk, NULL); 1591 audit_set_context(tsk, NULL);
1861 audit_free_context(context); 1592 audit_free_context(context);
1862 } 1593 }
1863 1594
1864 /** 1595 /**
1865 * audit_return_fixup - fixup the return code <<
1866 * @ctx: the audit_context <<
1867 * @success: true/false value to indicate if <<
1868 * @code: operation return code <<
1869 * <<
1870 * We need to fixup the return code in the au <<
1871 * codes are later going to be fixed by the a <<
1872 */ <<
1873 static void audit_return_fixup(struct audit_c <<
1874 int success, l <<
1875 { <<
1876 /* <<
1877 * This is actually a test for: <<
1878 * (rc == ERESTARTSYS ) || (rc == ERE <<
1879 * (rc == ERESTARTNOHAND) || (rc == E <<
1880 * <<
1881 * but is faster than a bunch of || <<
1882 */ <<
1883 if (unlikely(code <= -ERESTARTSYS) && <<
1884 (code >= -ERESTART_RESTARTBLOCK) <<
1885 (code != -ENOIOCTLCMD)) <<
1886 ctx->return_code = -EINTR; <<
1887 else <<
1888 ctx->return_code = code; <<
1889 ctx->return_valid = (success ? AUDITS <<
1890 } <<
1891 <<
1892 /** <<
1893 * __audit_uring_entry - prepare the kernel t <<
1894 * @op: the io_uring opcode <<
1895 * <<
1896 * This is similar to audit_syscall_entry() b <<
1897 * operations. This function should only eve <<
1898 * audit_uring_entry() as we rely on the audi <<
1899 * function. <<
1900 */ <<
1901 void __audit_uring_entry(u8 op) <<
1902 { <<
1903 struct audit_context *ctx = audit_con <<
1904 <<
1905 if (ctx->state == AUDIT_STATE_DISABLE <<
1906 return; <<
1907 <<
1908 /* <<
1909 * NOTE: It's possible that we can be <<
1910 * before it returns to userspa <<
1911 * is called. In this case the <<
1912 * the io_uring details and ret <<
1913 */ <<
1914 ctx->uring_op = op; <<
1915 if (ctx->context == AUDIT_CTX_SYSCALL <<
1916 return; <<
1917 <<
1918 ctx->dummy = !audit_n_rules; <<
1919 if (!ctx->dummy && ctx->state == AUDI <<
1920 ctx->prio = 0; <<
1921 <<
1922 ctx->context = AUDIT_CTX_URING; <<
1923 ctx->current_state = ctx->state; <<
1924 ktime_get_coarse_real_ts64(&ctx->ctim <<
1925 } <<
1926 <<
1927 /** <<
1928 * __audit_uring_exit - wrap up the kernel ta <<
1929 * @success: true/false value to indicate if <<
1930 * @code: operation return code <<
1931 * <<
1932 * This is similar to audit_syscall_exit() bu <<
1933 * operations. This function should only eve <<
1934 * audit_uring_exit() as we rely on the audit <<
1935 * function. <<
1936 */ <<
1937 void __audit_uring_exit(int success, long cod <<
1938 { <<
1939 struct audit_context *ctx = audit_con <<
1940 <<
1941 if (ctx->dummy) { <<
1942 if (ctx->context != AUDIT_CTX <<
1943 return; <<
1944 goto out; <<
1945 } <<
1946 <<
1947 audit_return_fixup(ctx, success, code <<
1948 if (ctx->context == AUDIT_CTX_SYSCALL <<
1949 /* <<
1950 * NOTE: See the note in __au <<
1951 * where we may be call <<
1952 * return to userspace <<
1953 * case we simply emit <<
1954 * normal syscall exit <<
1955 * everything else. <<
1956 * It is also worth men <<
1957 * the current process <<
1958 * used during the norm <<
1959 * in mind if/when we m <<
1960 */ <<
1961 <<
1962 /* <<
1963 * We need to filter on the s <<
1964 * should emit a URINGOP reco <<
1965 * solves the problem where u <<
1966 * syscall records in the "ex <<
1967 * the behavior here. <<
1968 */ <<
1969 audit_filter_syscall(current, <<
1970 if (ctx->current_state != AUD <<
1971 audit_filter_uring(cu <<
1972 audit_filter_inodes(current, <<
1973 if (ctx->current_state != AUD <<
1974 return; <<
1975 <<
1976 audit_log_uring(ctx); <<
1977 return; <<
1978 } <<
1979 <<
1980 /* this may generate CONFIG_CHANGE re <<
1981 if (!list_empty(&ctx->killed_trees)) <<
1982 audit_kill_trees(ctx); <<
1983 <<
1984 /* run through both filters to ensure <<
1985 audit_filter_uring(current, ctx); <<
1986 audit_filter_inodes(current, ctx); <<
1987 if (ctx->current_state != AUDIT_STATE <<
1988 goto out; <<
1989 audit_log_exit(); <<
1990 <<
1991 out: <<
1992 audit_reset_context(ctx); <<
1993 } <<
1994 <<
1995 /** <<
1996 * __audit_syscall_entry - fill in an audit r 1596 * __audit_syscall_entry - fill in an audit record at syscall entry
1997 * @major: major syscall type (function) 1597 * @major: major syscall type (function)
1998 * @a1: additional syscall register 1 1598 * @a1: additional syscall register 1
1999 * @a2: additional syscall register 2 1599 * @a2: additional syscall register 2
2000 * @a3: additional syscall register 3 1600 * @a3: additional syscall register 3
2001 * @a4: additional syscall register 4 1601 * @a4: additional syscall register 4
2002 * 1602 *
2003 * Fill in audit context at syscall entry. T 1603 * Fill in audit context at syscall entry. This only happens if the
2004 * audit context was created when the task wa 1604 * audit context was created when the task was created and the state or
2005 * filters demand the audit context be built. 1605 * filters demand the audit context be built. If the state from the
2006 * per-task filter or from the per-syscall fi !! 1606 * per-task filter or from the per-syscall filter is AUDIT_RECORD_CONTEXT,
2007 * then the record will be written at syscall 1607 * then the record will be written at syscall exit time (otherwise, it
2008 * will only be written if another part of th 1608 * will only be written if another part of the kernel requests that it
2009 * be written). 1609 * be written).
2010 */ 1610 */
2011 void __audit_syscall_entry(int major, unsigne 1611 void __audit_syscall_entry(int major, unsigned long a1, unsigned long a2,
2012 unsigned long a3, 1612 unsigned long a3, unsigned long a4)
2013 { 1613 {
2014 struct audit_context *context = audit 1614 struct audit_context *context = audit_context();
2015 enum audit_state state; 1615 enum audit_state state;
2016 1616
2017 if (!audit_enabled || !context) 1617 if (!audit_enabled || !context)
2018 return; 1618 return;
2019 1619
2020 WARN_ON(context->context != AUDIT_CTX !! 1620 BUG_ON(context->in_syscall || context->name_count);
2021 WARN_ON(context->name_count); <<
2022 if (context->context != AUDIT_CTX_UNU <<
2023 audit_panic("unrecoverable er <<
2024 return; <<
2025 } <<
2026 1621
2027 state = context->state; 1622 state = context->state;
2028 if (state == AUDIT_STATE_DISABLED) !! 1623 if (state == AUDIT_DISABLED)
2029 return; 1624 return;
2030 1625
2031 context->dummy = !audit_n_rules; 1626 context->dummy = !audit_n_rules;
2032 if (!context->dummy && state == AUDIT !! 1627 if (!context->dummy && state == AUDIT_BUILD_CONTEXT) {
2033 context->prio = 0; 1628 context->prio = 0;
2034 if (auditd_test_task(current) 1629 if (auditd_test_task(current))
2035 return; 1630 return;
2036 } 1631 }
2037 1632
2038 context->arch = syscall_get_arc 1633 context->arch = syscall_get_arch(current);
2039 context->major = major; 1634 context->major = major;
2040 context->argv[0] = a1; 1635 context->argv[0] = a1;
2041 context->argv[1] = a2; 1636 context->argv[1] = a2;
2042 context->argv[2] = a3; 1637 context->argv[2] = a3;
2043 context->argv[3] = a4; 1638 context->argv[3] = a4;
2044 context->context = AUDIT_CTX_SYSCALL; !! 1639 context->serial = 0;
>> 1640 context->in_syscall = 1;
2045 context->current_state = state; 1641 context->current_state = state;
>> 1642 context->ppid = 0;
2046 ktime_get_coarse_real_ts64(&context-> 1643 ktime_get_coarse_real_ts64(&context->ctime);
2047 } 1644 }
2048 1645
2049 /** 1646 /**
2050 * __audit_syscall_exit - deallocate audit co 1647 * __audit_syscall_exit - deallocate audit context after a system call
2051 * @success: success value of the syscall 1648 * @success: success value of the syscall
2052 * @return_code: return value of the syscall 1649 * @return_code: return value of the syscall
2053 * 1650 *
2054 * Tear down after system call. If the audit 1651 * Tear down after system call. If the audit context has been marked as
2055 * auditable (either because of the AUDIT_STA !! 1652 * auditable (either because of the AUDIT_RECORD_CONTEXT state from
2056 * filtering, or because some other part of t 1653 * filtering, or because some other part of the kernel wrote an audit
2057 * message), then write out the syscall infor 1654 * message), then write out the syscall information. In call cases,
2058 * free the names stored from getname(). 1655 * free the names stored from getname().
2059 */ 1656 */
2060 void __audit_syscall_exit(int success, long r 1657 void __audit_syscall_exit(int success, long return_code)
2061 { 1658 {
2062 struct audit_context *context = audit !! 1659 struct audit_context *context;
2063 1660
2064 if (!context || context->dummy || !! 1661 context = audit_context();
2065 context->context != AUDIT_CTX_SYS !! 1662 if (!context)
2066 goto out; !! 1663 return;
2067 1664
2068 /* this may generate CONFIG_CHANGE re <<
2069 if (!list_empty(&context->killed_tree 1665 if (!list_empty(&context->killed_trees))
2070 audit_kill_trees(context); 1666 audit_kill_trees(context);
2071 1667
2072 audit_return_fixup(context, success, !! 1668 if (!context->dummy && context->in_syscall) {
2073 /* run through both filters to ensure !! 1669 if (success)
2074 audit_filter_syscall(current, context !! 1670 context->return_valid = AUDITSC_SUCCESS;
2075 audit_filter_inodes(current, context) !! 1671 else
2076 if (context->current_state != AUDIT_S !! 1672 context->return_valid = AUDITSC_FAILURE;
2077 goto out; <<
2078 <<
2079 audit_log_exit(); <<
2080 1673
2081 out: !! 1674 /*
2082 audit_reset_context(context); !! 1675 * we need to fix up the return code in the audit logs if the
>> 1676 * actual return codes are later going to be fixed up by the
>> 1677 * arch specific signal handlers
>> 1678 *
>> 1679 * This is actually a test for:
>> 1680 * (rc == ERESTARTSYS ) || (rc == ERESTARTNOINTR) ||
>> 1681 * (rc == ERESTARTNOHAND) || (rc == ERESTART_RESTARTBLOCK)
>> 1682 *
>> 1683 * but is faster than a bunch of ||
>> 1684 */
>> 1685 if (unlikely(return_code <= -ERESTARTSYS) &&
>> 1686 (return_code >= -ERESTART_RESTARTBLOCK) &&
>> 1687 (return_code != -ENOIOCTLCMD))
>> 1688 context->return_code = -EINTR;
>> 1689 else
>> 1690 context->return_code = return_code;
>> 1691
>> 1692 audit_filter_syscall(current, context,
>> 1693 &audit_filter_list[AUDIT_FILTER_EXIT]);
>> 1694 audit_filter_inodes(current, context);
>> 1695 if (context->current_state == AUDIT_RECORD_CONTEXT)
>> 1696 audit_log_exit();
>> 1697 }
>> 1698
>> 1699 context->in_syscall = 0;
>> 1700 context->prio = context->state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0;
>> 1701
>> 1702 audit_free_module(context);
>> 1703 audit_free_names(context);
>> 1704 unroll_tree_refs(context, NULL, 0);
>> 1705 audit_free_aux(context);
>> 1706 context->aux = NULL;
>> 1707 context->aux_pids = NULL;
>> 1708 context->target_pid = 0;
>> 1709 context->target_sid = 0;
>> 1710 context->sockaddr_len = 0;
>> 1711 context->type = 0;
>> 1712 context->fds[0] = -1;
>> 1713 if (context->state != AUDIT_RECORD_CONTEXT) {
>> 1714 kfree(context->filterkey);
>> 1715 context->filterkey = NULL;
>> 1716 }
2083 } 1717 }
2084 1718
2085 static inline void handle_one(const struct in 1719 static inline void handle_one(const struct inode *inode)
2086 { 1720 {
2087 struct audit_context *context; 1721 struct audit_context *context;
2088 struct audit_tree_refs *p; 1722 struct audit_tree_refs *p;
2089 struct audit_chunk *chunk; 1723 struct audit_chunk *chunk;
2090 int count; 1724 int count;
2091 <<
2092 if (likely(!inode->i_fsnotify_marks)) 1725 if (likely(!inode->i_fsnotify_marks))
2093 return; 1726 return;
2094 context = audit_context(); 1727 context = audit_context();
2095 p = context->trees; 1728 p = context->trees;
2096 count = context->tree_count; 1729 count = context->tree_count;
2097 rcu_read_lock(); 1730 rcu_read_lock();
2098 chunk = audit_tree_lookup(inode); 1731 chunk = audit_tree_lookup(inode);
2099 rcu_read_unlock(); 1732 rcu_read_unlock();
2100 if (!chunk) 1733 if (!chunk)
2101 return; 1734 return;
2102 if (likely(put_tree_ref(context, chun 1735 if (likely(put_tree_ref(context, chunk)))
2103 return; 1736 return;
2104 if (unlikely(!grow_tree_refs(context) 1737 if (unlikely(!grow_tree_refs(context))) {
2105 pr_warn("out of memory, audit 1738 pr_warn("out of memory, audit has lost a tree reference\n");
2106 audit_set_auditable(context); 1739 audit_set_auditable(context);
2107 audit_put_chunk(chunk); 1740 audit_put_chunk(chunk);
2108 unroll_tree_refs(context, p, 1741 unroll_tree_refs(context, p, count);
2109 return; 1742 return;
2110 } 1743 }
2111 put_tree_ref(context, chunk); 1744 put_tree_ref(context, chunk);
2112 } 1745 }
2113 1746
2114 static void handle_path(const struct dentry * 1747 static void handle_path(const struct dentry *dentry)
2115 { 1748 {
2116 struct audit_context *context; 1749 struct audit_context *context;
2117 struct audit_tree_refs *p; 1750 struct audit_tree_refs *p;
2118 const struct dentry *d, *parent; 1751 const struct dentry *d, *parent;
2119 struct audit_chunk *drop; 1752 struct audit_chunk *drop;
2120 unsigned long seq; 1753 unsigned long seq;
2121 int count; 1754 int count;
2122 1755
2123 context = audit_context(); 1756 context = audit_context();
2124 p = context->trees; 1757 p = context->trees;
2125 count = context->tree_count; 1758 count = context->tree_count;
2126 retry: 1759 retry:
2127 drop = NULL; 1760 drop = NULL;
2128 d = dentry; 1761 d = dentry;
2129 rcu_read_lock(); 1762 rcu_read_lock();
2130 seq = read_seqbegin(&rename_lock); 1763 seq = read_seqbegin(&rename_lock);
2131 for (;;) { !! 1764 for(;;) {
2132 struct inode *inode = d_backi 1765 struct inode *inode = d_backing_inode(d);
2133 <<
2134 if (inode && unlikely(inode-> 1766 if (inode && unlikely(inode->i_fsnotify_marks)) {
2135 struct audit_chunk *c 1767 struct audit_chunk *chunk;
2136 <<
2137 chunk = audit_tree_lo 1768 chunk = audit_tree_lookup(inode);
2138 if (chunk) { 1769 if (chunk) {
2139 if (unlikely( 1770 if (unlikely(!put_tree_ref(context, chunk))) {
2140 drop 1771 drop = chunk;
2141 break 1772 break;
2142 } 1773 }
2143 } 1774 }
2144 } 1775 }
2145 parent = d->d_parent; 1776 parent = d->d_parent;
2146 if (parent == d) 1777 if (parent == d)
2147 break; 1778 break;
2148 d = parent; 1779 d = parent;
2149 } 1780 }
2150 if (unlikely(read_seqretry(&rename_lo 1781 if (unlikely(read_seqretry(&rename_lock, seq) || drop)) { /* in this order */
2151 rcu_read_unlock(); 1782 rcu_read_unlock();
2152 if (!drop) { 1783 if (!drop) {
2153 /* just a race with r 1784 /* just a race with rename */
2154 unroll_tree_refs(cont 1785 unroll_tree_refs(context, p, count);
2155 goto retry; 1786 goto retry;
2156 } 1787 }
2157 audit_put_chunk(drop); 1788 audit_put_chunk(drop);
2158 if (grow_tree_refs(context)) 1789 if (grow_tree_refs(context)) {
2159 /* OK, got more space 1790 /* OK, got more space */
2160 unroll_tree_refs(cont 1791 unroll_tree_refs(context, p, count);
2161 goto retry; 1792 goto retry;
2162 } 1793 }
2163 /* too bad */ 1794 /* too bad */
2164 pr_warn("out of memory, audit 1795 pr_warn("out of memory, audit has lost a tree reference\n");
2165 unroll_tree_refs(context, p, 1796 unroll_tree_refs(context, p, count);
2166 audit_set_auditable(context); 1797 audit_set_auditable(context);
2167 return; 1798 return;
2168 } 1799 }
2169 rcu_read_unlock(); 1800 rcu_read_unlock();
2170 } 1801 }
2171 1802
2172 static struct audit_names *audit_alloc_name(s 1803 static struct audit_names *audit_alloc_name(struct audit_context *context,
2173 1804 unsigned char type)
2174 { 1805 {
2175 struct audit_names *aname; 1806 struct audit_names *aname;
2176 1807
2177 if (context->name_count < AUDIT_NAMES 1808 if (context->name_count < AUDIT_NAMES) {
2178 aname = &context->preallocate 1809 aname = &context->preallocated_names[context->name_count];
2179 memset(aname, 0, sizeof(*anam 1810 memset(aname, 0, sizeof(*aname));
2180 } else { 1811 } else {
2181 aname = kzalloc(sizeof(*aname 1812 aname = kzalloc(sizeof(*aname), GFP_NOFS);
2182 if (!aname) 1813 if (!aname)
2183 return NULL; 1814 return NULL;
2184 aname->should_free = true; 1815 aname->should_free = true;
2185 } 1816 }
2186 1817
2187 aname->ino = AUDIT_INO_UNSET; 1818 aname->ino = AUDIT_INO_UNSET;
2188 aname->type = type; 1819 aname->type = type;
2189 list_add_tail(&aname->list, &context- 1820 list_add_tail(&aname->list, &context->names_list);
2190 1821
2191 context->name_count++; 1822 context->name_count++;
2192 if (!context->pwd.dentry) <<
2193 get_fs_pwd(current->fs, &cont <<
2194 return aname; 1823 return aname;
2195 } 1824 }
2196 1825
2197 /** 1826 /**
2198 * __audit_reusename - fill out filename with 1827 * __audit_reusename - fill out filename with info from existing entry
2199 * @uptr: userland ptr to pathname 1828 * @uptr: userland ptr to pathname
2200 * 1829 *
2201 * Search the audit_names list for the curren 1830 * Search the audit_names list for the current audit context. If there is an
2202 * existing entry with a matching "uptr" then 1831 * existing entry with a matching "uptr" then return the filename
2203 * associated with that audit_name. If not, r 1832 * associated with that audit_name. If not, return NULL.
2204 */ 1833 */
2205 struct filename * 1834 struct filename *
2206 __audit_reusename(const __user char *uptr) 1835 __audit_reusename(const __user char *uptr)
2207 { 1836 {
2208 struct audit_context *context = audit 1837 struct audit_context *context = audit_context();
2209 struct audit_names *n; 1838 struct audit_names *n;
2210 1839
2211 list_for_each_entry(n, &context->name 1840 list_for_each_entry(n, &context->names_list, list) {
2212 if (!n->name) 1841 if (!n->name)
2213 continue; 1842 continue;
2214 if (n->name->uptr == uptr) { 1843 if (n->name->uptr == uptr) {
2215 atomic_inc(&n->name-> !! 1844 n->name->refcnt++;
2216 return n->name; 1845 return n->name;
2217 } 1846 }
2218 } 1847 }
2219 return NULL; 1848 return NULL;
2220 } 1849 }
2221 1850
2222 /** 1851 /**
2223 * __audit_getname - add a name to the list 1852 * __audit_getname - add a name to the list
2224 * @name: name to add 1853 * @name: name to add
2225 * 1854 *
2226 * Add a name to the list of audit names for 1855 * Add a name to the list of audit names for this context.
2227 * Called from fs/namei.c:getname(). 1856 * Called from fs/namei.c:getname().
2228 */ 1857 */
2229 void __audit_getname(struct filename *name) 1858 void __audit_getname(struct filename *name)
2230 { 1859 {
2231 struct audit_context *context = audit 1860 struct audit_context *context = audit_context();
2232 struct audit_names *n; 1861 struct audit_names *n;
2233 1862
2234 if (context->context == AUDIT_CTX_UNU !! 1863 if (!context->in_syscall)
2235 return; 1864 return;
2236 1865
2237 n = audit_alloc_name(context, AUDIT_T 1866 n = audit_alloc_name(context, AUDIT_TYPE_UNKNOWN);
2238 if (!n) 1867 if (!n)
2239 return; 1868 return;
2240 1869
2241 n->name = name; 1870 n->name = name;
2242 n->name_len = AUDIT_NAME_FULL; 1871 n->name_len = AUDIT_NAME_FULL;
2243 name->aname = n; 1872 name->aname = n;
2244 atomic_inc(&name->refcnt); !! 1873 name->refcnt++;
>> 1874
>> 1875 if (!context->pwd.dentry)
>> 1876 get_fs_pwd(current->fs, &context->pwd);
2245 } 1877 }
2246 1878
2247 static inline int audit_copy_fcaps(struct aud 1879 static inline int audit_copy_fcaps(struct audit_names *name,
2248 const stru 1880 const struct dentry *dentry)
2249 { 1881 {
2250 struct cpu_vfs_cap_data caps; 1882 struct cpu_vfs_cap_data caps;
2251 int rc; 1883 int rc;
2252 1884
2253 if (!dentry) 1885 if (!dentry)
2254 return 0; 1886 return 0;
2255 1887
2256 rc = get_vfs_caps_from_disk(&nop_mnt_ !! 1888 rc = get_vfs_caps_from_disk(dentry, &caps);
2257 if (rc) 1889 if (rc)
2258 return rc; 1890 return rc;
2259 1891
2260 name->fcap.permitted = caps.permitted 1892 name->fcap.permitted = caps.permitted;
2261 name->fcap.inheritable = caps.inherit 1893 name->fcap.inheritable = caps.inheritable;
2262 name->fcap.fE = !!(caps.magic_etc & V 1894 name->fcap.fE = !!(caps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE);
2263 name->fcap.rootid = caps.rootid; 1895 name->fcap.rootid = caps.rootid;
2264 name->fcap_ver = (caps.magic_etc & VF 1896 name->fcap_ver = (caps.magic_etc & VFS_CAP_REVISION_MASK) >>
2265 VFS_CAP_REVIS 1897 VFS_CAP_REVISION_SHIFT;
2266 1898
2267 return 0; 1899 return 0;
2268 } 1900 }
2269 1901
2270 /* Copy inode data into an audit_names. */ 1902 /* Copy inode data into an audit_names. */
2271 static void audit_copy_inode(struct audit_nam 1903 static void audit_copy_inode(struct audit_names *name,
2272 const struct den 1904 const struct dentry *dentry,
2273 struct inode *in 1905 struct inode *inode, unsigned int flags)
2274 { 1906 {
2275 name->ino = inode->i_ino; 1907 name->ino = inode->i_ino;
2276 name->dev = inode->i_sb->s_dev; 1908 name->dev = inode->i_sb->s_dev;
2277 name->mode = inode->i_mode; 1909 name->mode = inode->i_mode;
2278 name->uid = inode->i_uid; 1910 name->uid = inode->i_uid;
2279 name->gid = inode->i_gid; 1911 name->gid = inode->i_gid;
2280 name->rdev = inode->i_rdev; 1912 name->rdev = inode->i_rdev;
2281 security_inode_getsecid(inode, &name- 1913 security_inode_getsecid(inode, &name->osid);
2282 if (flags & AUDIT_INODE_NOEVAL) { 1914 if (flags & AUDIT_INODE_NOEVAL) {
2283 name->fcap_ver = -1; 1915 name->fcap_ver = -1;
2284 return; 1916 return;
2285 } 1917 }
2286 audit_copy_fcaps(name, dentry); 1918 audit_copy_fcaps(name, dentry);
2287 } 1919 }
2288 1920
2289 /** 1921 /**
2290 * __audit_inode - store the inode and device 1922 * __audit_inode - store the inode and device from a lookup
2291 * @name: name being audited 1923 * @name: name being audited
2292 * @dentry: dentry being audited 1924 * @dentry: dentry being audited
2293 * @flags: attributes for this particular ent 1925 * @flags: attributes for this particular entry
2294 */ 1926 */
2295 void __audit_inode(struct filename *name, con 1927 void __audit_inode(struct filename *name, const struct dentry *dentry,
2296 unsigned int flags) 1928 unsigned int flags)
2297 { 1929 {
2298 struct audit_context *context = audit 1930 struct audit_context *context = audit_context();
2299 struct inode *inode = d_backing_inode 1931 struct inode *inode = d_backing_inode(dentry);
2300 struct audit_names *n; 1932 struct audit_names *n;
2301 bool parent = flags & AUDIT_INODE_PAR 1933 bool parent = flags & AUDIT_INODE_PARENT;
2302 struct audit_entry *e; 1934 struct audit_entry *e;
2303 struct list_head *list = &audit_filte 1935 struct list_head *list = &audit_filter_list[AUDIT_FILTER_FS];
2304 int i; 1936 int i;
2305 1937
2306 if (context->context == AUDIT_CTX_UNU !! 1938 if (!context->in_syscall)
2307 return; 1939 return;
2308 1940
2309 rcu_read_lock(); 1941 rcu_read_lock();
2310 list_for_each_entry_rcu(e, list, list 1942 list_for_each_entry_rcu(e, list, list) {
2311 for (i = 0; i < e->rule.field 1943 for (i = 0; i < e->rule.field_count; i++) {
2312 struct audit_field *f 1944 struct audit_field *f = &e->rule.fields[i];
2313 1945
2314 if (f->type == AUDIT_ 1946 if (f->type == AUDIT_FSTYPE
2315 && audit_comparat 1947 && audit_comparator(inode->i_sb->s_magic,
2316 1948 f->op, f->val)
2317 && e->rule.action 1949 && e->rule.action == AUDIT_NEVER) {
2318 rcu_read_unlo 1950 rcu_read_unlock();
2319 return; 1951 return;
2320 } 1952 }
2321 } 1953 }
2322 } 1954 }
2323 rcu_read_unlock(); 1955 rcu_read_unlock();
2324 1956
2325 if (!name) 1957 if (!name)
2326 goto out_alloc; 1958 goto out_alloc;
2327 1959
2328 /* 1960 /*
2329 * If we have a pointer to an audit_n 1961 * If we have a pointer to an audit_names entry already, then we can
2330 * just use it directly if the type i 1962 * just use it directly if the type is correct.
2331 */ 1963 */
2332 n = name->aname; 1964 n = name->aname;
2333 if (n) { 1965 if (n) {
2334 if (parent) { 1966 if (parent) {
2335 if (n->type == AUDIT_ 1967 if (n->type == AUDIT_TYPE_PARENT ||
2336 n->type == AUDIT_ 1968 n->type == AUDIT_TYPE_UNKNOWN)
2337 goto out; 1969 goto out;
2338 } else { 1970 } else {
2339 if (n->type != AUDIT_ 1971 if (n->type != AUDIT_TYPE_PARENT)
2340 goto out; 1972 goto out;
2341 } 1973 }
2342 } 1974 }
2343 1975
2344 list_for_each_entry_reverse(n, &conte 1976 list_for_each_entry_reverse(n, &context->names_list, list) {
2345 if (n->ino) { 1977 if (n->ino) {
2346 /* valid inode number 1978 /* valid inode number, use that for the comparison */
2347 if (n->ino != inode-> 1979 if (n->ino != inode->i_ino ||
2348 n->dev != inode-> 1980 n->dev != inode->i_sb->s_dev)
2349 continue; 1981 continue;
2350 } else if (n->name) { 1982 } else if (n->name) {
2351 /* inode number has n 1983 /* inode number has not been set, check the name */
2352 if (strcmp(n->name->n 1984 if (strcmp(n->name->name, name->name))
2353 continue; 1985 continue;
2354 } else 1986 } else
2355 /* no inode and no na 1987 /* no inode and no name (?!) ... this is odd ... */
2356 continue; 1988 continue;
2357 1989
2358 /* match the correct record t 1990 /* match the correct record type */
2359 if (parent) { 1991 if (parent) {
2360 if (n->type == AUDIT_ 1992 if (n->type == AUDIT_TYPE_PARENT ||
2361 n->type == AUDIT_ 1993 n->type == AUDIT_TYPE_UNKNOWN)
2362 goto out; 1994 goto out;
2363 } else { 1995 } else {
2364 if (n->type != AUDIT_ 1996 if (n->type != AUDIT_TYPE_PARENT)
2365 goto out; 1997 goto out;
2366 } 1998 }
2367 } 1999 }
2368 2000
2369 out_alloc: 2001 out_alloc:
2370 /* unable to find an entry with both 2002 /* unable to find an entry with both a matching name and type */
2371 n = audit_alloc_name(context, AUDIT_T 2003 n = audit_alloc_name(context, AUDIT_TYPE_UNKNOWN);
2372 if (!n) 2004 if (!n)
2373 return; 2005 return;
2374 if (name) { 2006 if (name) {
2375 n->name = name; 2007 n->name = name;
2376 atomic_inc(&name->refcnt); !! 2008 name->refcnt++;
2377 } 2009 }
2378 2010
2379 out: 2011 out:
2380 if (parent) { 2012 if (parent) {
2381 n->name_len = n->name ? paren 2013 n->name_len = n->name ? parent_len(n->name->name) : AUDIT_NAME_FULL;
2382 n->type = AUDIT_TYPE_PARENT; 2014 n->type = AUDIT_TYPE_PARENT;
2383 if (flags & AUDIT_INODE_HIDDE 2015 if (flags & AUDIT_INODE_HIDDEN)
2384 n->hidden = true; 2016 n->hidden = true;
2385 } else { 2017 } else {
2386 n->name_len = AUDIT_NAME_FULL 2018 n->name_len = AUDIT_NAME_FULL;
2387 n->type = AUDIT_TYPE_NORMAL; 2019 n->type = AUDIT_TYPE_NORMAL;
2388 } 2020 }
2389 handle_path(dentry); 2021 handle_path(dentry);
2390 audit_copy_inode(n, dentry, inode, fl 2022 audit_copy_inode(n, dentry, inode, flags & AUDIT_INODE_NOEVAL);
2391 } 2023 }
2392 2024
2393 void __audit_file(const struct file *file) 2025 void __audit_file(const struct file *file)
2394 { 2026 {
2395 __audit_inode(NULL, file->f_path.dent 2027 __audit_inode(NULL, file->f_path.dentry, 0);
2396 } 2028 }
2397 2029
2398 /** 2030 /**
2399 * __audit_inode_child - collect inode info f 2031 * __audit_inode_child - collect inode info for created/removed objects
2400 * @parent: inode of dentry parent 2032 * @parent: inode of dentry parent
2401 * @dentry: dentry being audited 2033 * @dentry: dentry being audited
2402 * @type: AUDIT_TYPE_* value that we're loo 2034 * @type: AUDIT_TYPE_* value that we're looking for
2403 * 2035 *
2404 * For syscalls that create or remove filesys 2036 * For syscalls that create or remove filesystem objects, audit_inode
2405 * can only collect information for the files 2037 * can only collect information for the filesystem object's parent.
2406 * This call updates the audit context with t 2038 * This call updates the audit context with the child's information.
2407 * Syscalls that create a new filesystem obje 2039 * Syscalls that create a new filesystem object must be hooked after
2408 * the object is created. Syscalls that remo 2040 * the object is created. Syscalls that remove a filesystem object
2409 * must be hooked prior, in order to capture 2041 * must be hooked prior, in order to capture the target inode during
2410 * unsuccessful attempts. 2042 * unsuccessful attempts.
2411 */ 2043 */
2412 void __audit_inode_child(struct inode *parent 2044 void __audit_inode_child(struct inode *parent,
2413 const struct dentry 2045 const struct dentry *dentry,
2414 const unsigned char 2046 const unsigned char type)
2415 { 2047 {
2416 struct audit_context *context = audit 2048 struct audit_context *context = audit_context();
2417 struct inode *inode = d_backing_inode 2049 struct inode *inode = d_backing_inode(dentry);
2418 const struct qstr *dname = &dentry->d 2050 const struct qstr *dname = &dentry->d_name;
2419 struct audit_names *n, *found_parent 2051 struct audit_names *n, *found_parent = NULL, *found_child = NULL;
2420 struct audit_entry *e; 2052 struct audit_entry *e;
2421 struct list_head *list = &audit_filte 2053 struct list_head *list = &audit_filter_list[AUDIT_FILTER_FS];
2422 int i; 2054 int i;
2423 2055
2424 if (context->context == AUDIT_CTX_UNU !! 2056 if (!context->in_syscall)
2425 return; 2057 return;
2426 2058
2427 rcu_read_lock(); 2059 rcu_read_lock();
2428 list_for_each_entry_rcu(e, list, list 2060 list_for_each_entry_rcu(e, list, list) {
2429 for (i = 0; i < e->rule.field 2061 for (i = 0; i < e->rule.field_count; i++) {
2430 struct audit_field *f 2062 struct audit_field *f = &e->rule.fields[i];
2431 2063
2432 if (f->type == AUDIT_ 2064 if (f->type == AUDIT_FSTYPE
2433 && audit_comparat 2065 && audit_comparator(parent->i_sb->s_magic,
2434 2066 f->op, f->val)
2435 && e->rule.action 2067 && e->rule.action == AUDIT_NEVER) {
2436 rcu_read_unlo 2068 rcu_read_unlock();
2437 return; 2069 return;
2438 } 2070 }
2439 } 2071 }
2440 } 2072 }
2441 rcu_read_unlock(); 2073 rcu_read_unlock();
2442 2074
2443 if (inode) 2075 if (inode)
2444 handle_one(inode); 2076 handle_one(inode);
2445 2077
2446 /* look for a parent entry first */ 2078 /* look for a parent entry first */
2447 list_for_each_entry(n, &context->name 2079 list_for_each_entry(n, &context->names_list, list) {
2448 if (!n->name || 2080 if (!n->name ||
2449 (n->type != AUDIT_TYPE_PA 2081 (n->type != AUDIT_TYPE_PARENT &&
2450 n->type != AUDIT_TYPE_UN 2082 n->type != AUDIT_TYPE_UNKNOWN))
2451 continue; 2083 continue;
2452 2084
2453 if (n->ino == parent->i_ino & 2085 if (n->ino == parent->i_ino && n->dev == parent->i_sb->s_dev &&
2454 !audit_compare_dname_path 2086 !audit_compare_dname_path(dname,
2455 2087 n->name->name, n->name_len)) {
2456 if (n->type == AUDIT_ 2088 if (n->type == AUDIT_TYPE_UNKNOWN)
2457 n->type = AUD 2089 n->type = AUDIT_TYPE_PARENT;
2458 found_parent = n; 2090 found_parent = n;
2459 break; 2091 break;
2460 } 2092 }
2461 } 2093 }
2462 2094
2463 cond_resched(); <<
2464 <<
2465 /* is there a matching child entry? * 2095 /* is there a matching child entry? */
2466 list_for_each_entry(n, &context->name 2096 list_for_each_entry(n, &context->names_list, list) {
2467 /* can only match entries tha 2097 /* can only match entries that have a name */
2468 if (!n->name || 2098 if (!n->name ||
2469 (n->type != type && n->ty 2099 (n->type != type && n->type != AUDIT_TYPE_UNKNOWN))
2470 continue; 2100 continue;
2471 2101
2472 if (!strcmp(dname->name, n->n 2102 if (!strcmp(dname->name, n->name->name) ||
2473 !audit_compare_dname_path 2103 !audit_compare_dname_path(dname, n->name->name,
2474 2104 found_parent ?
2475 2105 found_parent->name_len :
2476 2106 AUDIT_NAME_FULL)) {
2477 if (n->type == AUDIT_ 2107 if (n->type == AUDIT_TYPE_UNKNOWN)
2478 n->type = typ 2108 n->type = type;
2479 found_child = n; 2109 found_child = n;
2480 break; 2110 break;
2481 } 2111 }
2482 } 2112 }
2483 2113
2484 if (!found_parent) { 2114 if (!found_parent) {
2485 /* create a new, "anonymous" 2115 /* create a new, "anonymous" parent record */
2486 n = audit_alloc_name(context, 2116 n = audit_alloc_name(context, AUDIT_TYPE_PARENT);
2487 if (!n) 2117 if (!n)
2488 return; 2118 return;
2489 audit_copy_inode(n, NULL, par 2119 audit_copy_inode(n, NULL, parent, 0);
2490 } 2120 }
2491 2121
2492 if (!found_child) { 2122 if (!found_child) {
2493 found_child = audit_alloc_nam 2123 found_child = audit_alloc_name(context, type);
2494 if (!found_child) 2124 if (!found_child)
2495 return; 2125 return;
2496 2126
2497 /* Re-use the name belonging 2127 /* Re-use the name belonging to the slot for a matching parent
2498 * directory. All names for t 2128 * directory. All names for this context are relinquished in
2499 * audit_free_names() */ 2129 * audit_free_names() */
2500 if (found_parent) { 2130 if (found_parent) {
2501 found_child->name = f 2131 found_child->name = found_parent->name;
2502 found_child->name_len 2132 found_child->name_len = AUDIT_NAME_FULL;
2503 atomic_inc(&found_chi !! 2133 found_child->name->refcnt++;
2504 } 2134 }
2505 } 2135 }
2506 2136
2507 if (inode) 2137 if (inode)
2508 audit_copy_inode(found_child, 2138 audit_copy_inode(found_child, dentry, inode, 0);
2509 else 2139 else
2510 found_child->ino = AUDIT_INO_ 2140 found_child->ino = AUDIT_INO_UNSET;
2511 } 2141 }
2512 EXPORT_SYMBOL_GPL(__audit_inode_child); 2142 EXPORT_SYMBOL_GPL(__audit_inode_child);
2513 2143
2514 /** 2144 /**
2515 * auditsc_get_stamp - get local copies of au 2145 * auditsc_get_stamp - get local copies of audit_context values
2516 * @ctx: audit_context for the task 2146 * @ctx: audit_context for the task
2517 * @t: timespec64 to store time recorded in t 2147 * @t: timespec64 to store time recorded in the audit_context
2518 * @serial: serial value that is recorded in 2148 * @serial: serial value that is recorded in the audit_context
2519 * 2149 *
2520 * Also sets the context as auditable. 2150 * Also sets the context as auditable.
2521 */ 2151 */
2522 int auditsc_get_stamp(struct audit_context *c 2152 int auditsc_get_stamp(struct audit_context *ctx,
2523 struct timespec64 *t, 2153 struct timespec64 *t, unsigned int *serial)
2524 { 2154 {
2525 if (ctx->context == AUDIT_CTX_UNUSED) !! 2155 if (!ctx->in_syscall)
2526 return 0; 2156 return 0;
2527 if (!ctx->serial) 2157 if (!ctx->serial)
2528 ctx->serial = audit_serial(); 2158 ctx->serial = audit_serial();
2529 t->tv_sec = ctx->ctime.tv_sec; 2159 t->tv_sec = ctx->ctime.tv_sec;
2530 t->tv_nsec = ctx->ctime.tv_nsec; 2160 t->tv_nsec = ctx->ctime.tv_nsec;
2531 *serial = ctx->serial; 2161 *serial = ctx->serial;
2532 if (!ctx->prio) { 2162 if (!ctx->prio) {
2533 ctx->prio = 1; 2163 ctx->prio = 1;
2534 ctx->current_state = AUDIT_ST !! 2164 ctx->current_state = AUDIT_RECORD_CONTEXT;
2535 } 2165 }
2536 return 1; 2166 return 1;
2537 } 2167 }
2538 2168
2539 /** 2169 /**
2540 * __audit_mq_open - record audit data for a 2170 * __audit_mq_open - record audit data for a POSIX MQ open
2541 * @oflag: open flag 2171 * @oflag: open flag
2542 * @mode: mode bits 2172 * @mode: mode bits
2543 * @attr: queue attributes 2173 * @attr: queue attributes
2544 * 2174 *
2545 */ 2175 */
2546 void __audit_mq_open(int oflag, umode_t mode, 2176 void __audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr)
2547 { 2177 {
2548 struct audit_context *context = audit 2178 struct audit_context *context = audit_context();
2549 2179
2550 if (attr) 2180 if (attr)
2551 memcpy(&context->mq_open.attr 2181 memcpy(&context->mq_open.attr, attr, sizeof(struct mq_attr));
2552 else 2182 else
2553 memset(&context->mq_open.attr 2183 memset(&context->mq_open.attr, 0, sizeof(struct mq_attr));
2554 2184
2555 context->mq_open.oflag = oflag; 2185 context->mq_open.oflag = oflag;
2556 context->mq_open.mode = mode; 2186 context->mq_open.mode = mode;
2557 2187
2558 context->type = AUDIT_MQ_OPEN; 2188 context->type = AUDIT_MQ_OPEN;
2559 } 2189 }
2560 2190
2561 /** 2191 /**
2562 * __audit_mq_sendrecv - record audit data fo 2192 * __audit_mq_sendrecv - record audit data for a POSIX MQ timed send/receive
2563 * @mqdes: MQ descriptor 2193 * @mqdes: MQ descriptor
2564 * @msg_len: Message length 2194 * @msg_len: Message length
2565 * @msg_prio: Message priority 2195 * @msg_prio: Message priority
2566 * @abs_timeout: Message timeout in absolute 2196 * @abs_timeout: Message timeout in absolute time
2567 * 2197 *
2568 */ 2198 */
2569 void __audit_mq_sendrecv(mqd_t mqdes, size_t 2199 void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio,
2570 const struct timespec 2200 const struct timespec64 *abs_timeout)
2571 { 2201 {
2572 struct audit_context *context = audit 2202 struct audit_context *context = audit_context();
2573 struct timespec64 *p = &context->mq_s 2203 struct timespec64 *p = &context->mq_sendrecv.abs_timeout;
2574 2204
2575 if (abs_timeout) 2205 if (abs_timeout)
2576 memcpy(p, abs_timeout, sizeof 2206 memcpy(p, abs_timeout, sizeof(*p));
2577 else 2207 else
2578 memset(p, 0, sizeof(*p)); 2208 memset(p, 0, sizeof(*p));
2579 2209
2580 context->mq_sendrecv.mqdes = mqdes; 2210 context->mq_sendrecv.mqdes = mqdes;
2581 context->mq_sendrecv.msg_len = msg_le 2211 context->mq_sendrecv.msg_len = msg_len;
2582 context->mq_sendrecv.msg_prio = msg_p 2212 context->mq_sendrecv.msg_prio = msg_prio;
2583 2213
2584 context->type = AUDIT_MQ_SENDRECV; 2214 context->type = AUDIT_MQ_SENDRECV;
2585 } 2215 }
2586 2216
2587 /** 2217 /**
2588 * __audit_mq_notify - record audit data for 2218 * __audit_mq_notify - record audit data for a POSIX MQ notify
2589 * @mqdes: MQ descriptor 2219 * @mqdes: MQ descriptor
2590 * @notification: Notification event 2220 * @notification: Notification event
2591 * 2221 *
2592 */ 2222 */
2593 2223
2594 void __audit_mq_notify(mqd_t mqdes, const str 2224 void __audit_mq_notify(mqd_t mqdes, const struct sigevent *notification)
2595 { 2225 {
2596 struct audit_context *context = audit 2226 struct audit_context *context = audit_context();
2597 2227
2598 if (notification) 2228 if (notification)
2599 context->mq_notify.sigev_sign 2229 context->mq_notify.sigev_signo = notification->sigev_signo;
2600 else 2230 else
2601 context->mq_notify.sigev_sign 2231 context->mq_notify.sigev_signo = 0;
2602 2232
2603 context->mq_notify.mqdes = mqdes; 2233 context->mq_notify.mqdes = mqdes;
2604 context->type = AUDIT_MQ_NOTIFY; 2234 context->type = AUDIT_MQ_NOTIFY;
2605 } 2235 }
2606 2236
2607 /** 2237 /**
2608 * __audit_mq_getsetattr - record audit data 2238 * __audit_mq_getsetattr - record audit data for a POSIX MQ get/set attribute
2609 * @mqdes: MQ descriptor 2239 * @mqdes: MQ descriptor
2610 * @mqstat: MQ flags 2240 * @mqstat: MQ flags
2611 * 2241 *
2612 */ 2242 */
2613 void __audit_mq_getsetattr(mqd_t mqdes, struc 2243 void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat)
2614 { 2244 {
2615 struct audit_context *context = audit 2245 struct audit_context *context = audit_context();
2616 <<
2617 context->mq_getsetattr.mqdes = mqdes; 2246 context->mq_getsetattr.mqdes = mqdes;
2618 context->mq_getsetattr.mqstat = *mqst 2247 context->mq_getsetattr.mqstat = *mqstat;
2619 context->type = AUDIT_MQ_GETSETATTR; 2248 context->type = AUDIT_MQ_GETSETATTR;
2620 } 2249 }
2621 2250
2622 /** 2251 /**
2623 * __audit_ipc_obj - record audit data for ip 2252 * __audit_ipc_obj - record audit data for ipc object
2624 * @ipcp: ipc permissions 2253 * @ipcp: ipc permissions
2625 * 2254 *
2626 */ 2255 */
2627 void __audit_ipc_obj(struct kern_ipc_perm *ip 2256 void __audit_ipc_obj(struct kern_ipc_perm *ipcp)
2628 { 2257 {
2629 struct audit_context *context = audit 2258 struct audit_context *context = audit_context();
2630 <<
2631 context->ipc.uid = ipcp->uid; 2259 context->ipc.uid = ipcp->uid;
2632 context->ipc.gid = ipcp->gid; 2260 context->ipc.gid = ipcp->gid;
2633 context->ipc.mode = ipcp->mode; 2261 context->ipc.mode = ipcp->mode;
2634 context->ipc.has_perm = 0; 2262 context->ipc.has_perm = 0;
2635 security_ipc_getsecid(ipcp, &context- 2263 security_ipc_getsecid(ipcp, &context->ipc.osid);
2636 context->type = AUDIT_IPC; 2264 context->type = AUDIT_IPC;
2637 } 2265 }
2638 2266
2639 /** 2267 /**
2640 * __audit_ipc_set_perm - record audit data f 2268 * __audit_ipc_set_perm - record audit data for new ipc permissions
2641 * @qbytes: msgq bytes 2269 * @qbytes: msgq bytes
2642 * @uid: msgq user id 2270 * @uid: msgq user id
2643 * @gid: msgq group id 2271 * @gid: msgq group id
2644 * @mode: msgq mode (permissions) 2272 * @mode: msgq mode (permissions)
2645 * 2273 *
2646 * Called only after audit_ipc_obj(). 2274 * Called only after audit_ipc_obj().
2647 */ 2275 */
2648 void __audit_ipc_set_perm(unsigned long qbyte 2276 void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode)
2649 { 2277 {
2650 struct audit_context *context = audit 2278 struct audit_context *context = audit_context();
2651 2279
2652 context->ipc.qbytes = qbytes; 2280 context->ipc.qbytes = qbytes;
2653 context->ipc.perm_uid = uid; 2281 context->ipc.perm_uid = uid;
2654 context->ipc.perm_gid = gid; 2282 context->ipc.perm_gid = gid;
2655 context->ipc.perm_mode = mode; 2283 context->ipc.perm_mode = mode;
2656 context->ipc.has_perm = 1; 2284 context->ipc.has_perm = 1;
2657 } 2285 }
2658 2286
2659 void __audit_bprm(struct linux_binprm *bprm) 2287 void __audit_bprm(struct linux_binprm *bprm)
2660 { 2288 {
2661 struct audit_context *context = audit 2289 struct audit_context *context = audit_context();
2662 2290
2663 context->type = AUDIT_EXECVE; 2291 context->type = AUDIT_EXECVE;
2664 context->execve.argc = bprm->argc; 2292 context->execve.argc = bprm->argc;
2665 } 2293 }
2666 2294
2667 2295
2668 /** 2296 /**
2669 * __audit_socketcall - record audit data for 2297 * __audit_socketcall - record audit data for sys_socketcall
2670 * @nargs: number of args, which should not b 2298 * @nargs: number of args, which should not be more than AUDITSC_ARGS.
2671 * @args: args array 2299 * @args: args array
2672 * 2300 *
2673 */ 2301 */
2674 int __audit_socketcall(int nargs, unsigned lo 2302 int __audit_socketcall(int nargs, unsigned long *args)
2675 { 2303 {
2676 struct audit_context *context = audit 2304 struct audit_context *context = audit_context();
2677 2305
2678 if (nargs <= 0 || nargs > AUDITSC_ARG 2306 if (nargs <= 0 || nargs > AUDITSC_ARGS || !args)
2679 return -EINVAL; 2307 return -EINVAL;
2680 context->type = AUDIT_SOCKETCALL; 2308 context->type = AUDIT_SOCKETCALL;
2681 context->socketcall.nargs = nargs; 2309 context->socketcall.nargs = nargs;
2682 memcpy(context->socketcall.args, args 2310 memcpy(context->socketcall.args, args, nargs * sizeof(unsigned long));
2683 return 0; 2311 return 0;
2684 } 2312 }
2685 2313
2686 /** 2314 /**
2687 * __audit_fd_pair - record audit data for pi 2315 * __audit_fd_pair - record audit data for pipe and socketpair
2688 * @fd1: the first file descriptor 2316 * @fd1: the first file descriptor
2689 * @fd2: the second file descriptor 2317 * @fd2: the second file descriptor
2690 * 2318 *
2691 */ 2319 */
2692 void __audit_fd_pair(int fd1, int fd2) 2320 void __audit_fd_pair(int fd1, int fd2)
2693 { 2321 {
2694 struct audit_context *context = audit 2322 struct audit_context *context = audit_context();
2695 <<
2696 context->fds[0] = fd1; 2323 context->fds[0] = fd1;
2697 context->fds[1] = fd2; 2324 context->fds[1] = fd2;
2698 } 2325 }
2699 2326
2700 /** 2327 /**
2701 * __audit_sockaddr - record audit data for s 2328 * __audit_sockaddr - record audit data for sys_bind, sys_connect, sys_sendto
2702 * @len: data length in user space 2329 * @len: data length in user space
2703 * @a: data address in kernel space 2330 * @a: data address in kernel space
2704 * 2331 *
2705 * Returns 0 for success or NULL context or < 2332 * Returns 0 for success or NULL context or < 0 on error.
2706 */ 2333 */
2707 int __audit_sockaddr(int len, void *a) 2334 int __audit_sockaddr(int len, void *a)
2708 { 2335 {
2709 struct audit_context *context = audit 2336 struct audit_context *context = audit_context();
2710 2337
2711 if (!context->sockaddr) { 2338 if (!context->sockaddr) {
2712 void *p = kmalloc(sizeof(stru 2339 void *p = kmalloc(sizeof(struct sockaddr_storage), GFP_KERNEL);
2713 <<
2714 if (!p) 2340 if (!p)
2715 return -ENOMEM; 2341 return -ENOMEM;
2716 context->sockaddr = p; 2342 context->sockaddr = p;
2717 } 2343 }
2718 2344
2719 context->sockaddr_len = len; 2345 context->sockaddr_len = len;
2720 memcpy(context->sockaddr, a, len); 2346 memcpy(context->sockaddr, a, len);
2721 return 0; 2347 return 0;
2722 } 2348 }
2723 2349
2724 void __audit_ptrace(struct task_struct *t) 2350 void __audit_ptrace(struct task_struct *t)
2725 { 2351 {
2726 struct audit_context *context = audit 2352 struct audit_context *context = audit_context();
2727 2353
2728 context->target_pid = task_tgid_nr(t) 2354 context->target_pid = task_tgid_nr(t);
2729 context->target_auid = audit_get_logi 2355 context->target_auid = audit_get_loginuid(t);
2730 context->target_uid = task_uid(t); 2356 context->target_uid = task_uid(t);
2731 context->target_sessionid = audit_get 2357 context->target_sessionid = audit_get_sessionid(t);
2732 security_task_getsecid_obj(t, &contex !! 2358 security_task_getsecid(t, &context->target_sid);
2733 memcpy(context->target_comm, t->comm, 2359 memcpy(context->target_comm, t->comm, TASK_COMM_LEN);
2734 } 2360 }
2735 2361
2736 /** 2362 /**
2737 * audit_signal_info_syscall - record signal !! 2363 * audit_signal_info - record signal info for shutting down audit subsystem
>> 2364 * @sig: signal value
2738 * @t: task being signaled 2365 * @t: task being signaled
2739 * 2366 *
2740 * If the audit subsystem is being terminated 2367 * If the audit subsystem is being terminated, record the task (pid)
2741 * and uid that is doing that. 2368 * and uid that is doing that.
2742 */ 2369 */
2743 int audit_signal_info_syscall(struct task_str !! 2370 int audit_signal_info(int sig, struct task_struct *t)
2744 { 2371 {
2745 struct audit_aux_data_pids *axp; 2372 struct audit_aux_data_pids *axp;
2746 struct audit_context *ctx = audit_con 2373 struct audit_context *ctx = audit_context();
2747 kuid_t t_uid = task_uid(t); !! 2374 kuid_t uid = current_uid(), auid, t_uid = task_uid(t);
>> 2375
>> 2376 if (auditd_test_task(t) &&
>> 2377 (sig == SIGTERM || sig == SIGHUP ||
>> 2378 sig == SIGUSR1 || sig == SIGUSR2)) {
>> 2379 audit_sig_pid = task_tgid_nr(current);
>> 2380 auid = audit_get_loginuid(current);
>> 2381 if (uid_valid(auid))
>> 2382 audit_sig_uid = auid;
>> 2383 else
>> 2384 audit_sig_uid = uid;
>> 2385 security_task_getsecid(current, &audit_sig_sid);
>> 2386 }
2748 2387
2749 if (!audit_signals || audit_dummy_con 2388 if (!audit_signals || audit_dummy_context())
2750 return 0; 2389 return 0;
2751 2390
2752 /* optimize the common case by puttin 2391 /* optimize the common case by putting first signal recipient directly
2753 * in audit_context */ 2392 * in audit_context */
2754 if (!ctx->target_pid) { 2393 if (!ctx->target_pid) {
2755 ctx->target_pid = task_tgid_n 2394 ctx->target_pid = task_tgid_nr(t);
2756 ctx->target_auid = audit_get_ 2395 ctx->target_auid = audit_get_loginuid(t);
2757 ctx->target_uid = t_uid; 2396 ctx->target_uid = t_uid;
2758 ctx->target_sessionid = audit 2397 ctx->target_sessionid = audit_get_sessionid(t);
2759 security_task_getsecid_obj(t, !! 2398 security_task_getsecid(t, &ctx->target_sid);
2760 memcpy(ctx->target_comm, t->c 2399 memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN);
2761 return 0; 2400 return 0;
2762 } 2401 }
2763 2402
2764 axp = (void *)ctx->aux_pids; 2403 axp = (void *)ctx->aux_pids;
2765 if (!axp || axp->pid_count == AUDIT_A 2404 if (!axp || axp->pid_count == AUDIT_AUX_PIDS) {
2766 axp = kzalloc(sizeof(*axp), G 2405 axp = kzalloc(sizeof(*axp), GFP_ATOMIC);
2767 if (!axp) 2406 if (!axp)
2768 return -ENOMEM; 2407 return -ENOMEM;
2769 2408
2770 axp->d.type = AUDIT_OBJ_PID; 2409 axp->d.type = AUDIT_OBJ_PID;
2771 axp->d.next = ctx->aux_pids; 2410 axp->d.next = ctx->aux_pids;
2772 ctx->aux_pids = (void *)axp; 2411 ctx->aux_pids = (void *)axp;
2773 } 2412 }
2774 BUG_ON(axp->pid_count >= AUDIT_AUX_PI 2413 BUG_ON(axp->pid_count >= AUDIT_AUX_PIDS);
2775 2414
2776 axp->target_pid[axp->pid_count] = tas 2415 axp->target_pid[axp->pid_count] = task_tgid_nr(t);
2777 axp->target_auid[axp->pid_count] = au 2416 axp->target_auid[axp->pid_count] = audit_get_loginuid(t);
2778 axp->target_uid[axp->pid_count] = t_u 2417 axp->target_uid[axp->pid_count] = t_uid;
2779 axp->target_sessionid[axp->pid_count] 2418 axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t);
2780 security_task_getsecid_obj(t, &axp->t !! 2419 security_task_getsecid(t, &axp->target_sid[axp->pid_count]);
2781 memcpy(axp->target_comm[axp->pid_coun 2420 memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN);
2782 axp->pid_count++; 2421 axp->pid_count++;
2783 2422
2784 return 0; 2423 return 0;
2785 } 2424 }
2786 2425
2787 /** 2426 /**
2788 * __audit_log_bprm_fcaps - store information 2427 * __audit_log_bprm_fcaps - store information about a loading bprm and relevant fcaps
2789 * @bprm: pointer to the bprm being processed 2428 * @bprm: pointer to the bprm being processed
2790 * @new: the proposed new credentials 2429 * @new: the proposed new credentials
2791 * @old: the old credentials 2430 * @old: the old credentials
2792 * 2431 *
2793 * Simply check if the proc already has the c 2432 * Simply check if the proc already has the caps given by the file and if not
2794 * store the priv escalation info for later a 2433 * store the priv escalation info for later auditing at the end of the syscall
2795 * 2434 *
2796 * -Eric 2435 * -Eric
2797 */ 2436 */
2798 int __audit_log_bprm_fcaps(struct linux_binpr 2437 int __audit_log_bprm_fcaps(struct linux_binprm *bprm,
2799 const struct cred 2438 const struct cred *new, const struct cred *old)
2800 { 2439 {
2801 struct audit_aux_data_bprm_fcaps *ax; 2440 struct audit_aux_data_bprm_fcaps *ax;
2802 struct audit_context *context = audit 2441 struct audit_context *context = audit_context();
2803 struct cpu_vfs_cap_data vcaps; 2442 struct cpu_vfs_cap_data vcaps;
2804 2443
2805 ax = kmalloc(sizeof(*ax), GFP_KERNEL) 2444 ax = kmalloc(sizeof(*ax), GFP_KERNEL);
2806 if (!ax) 2445 if (!ax)
2807 return -ENOMEM; 2446 return -ENOMEM;
2808 2447
2809 ax->d.type = AUDIT_BPRM_FCAPS; 2448 ax->d.type = AUDIT_BPRM_FCAPS;
2810 ax->d.next = context->aux; 2449 ax->d.next = context->aux;
2811 context->aux = (void *)ax; 2450 context->aux = (void *)ax;
2812 2451
2813 get_vfs_caps_from_disk(&nop_mnt_idmap !! 2452 get_vfs_caps_from_disk(bprm->file->f_path.dentry, &vcaps);
2814 bprm->file->f_ <<
2815 2453
2816 ax->fcap.permitted = vcaps.permitted; 2454 ax->fcap.permitted = vcaps.permitted;
2817 ax->fcap.inheritable = vcaps.inherita 2455 ax->fcap.inheritable = vcaps.inheritable;
2818 ax->fcap.fE = !!(vcaps.magic_etc & VF 2456 ax->fcap.fE = !!(vcaps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE);
2819 ax->fcap.rootid = vcaps.rootid; 2457 ax->fcap.rootid = vcaps.rootid;
2820 ax->fcap_ver = (vcaps.magic_etc & VFS 2458 ax->fcap_ver = (vcaps.magic_etc & VFS_CAP_REVISION_MASK) >> VFS_CAP_REVISION_SHIFT;
2821 2459
2822 ax->old_pcap.permitted = old->cap_p 2460 ax->old_pcap.permitted = old->cap_permitted;
2823 ax->old_pcap.inheritable = old->cap_i 2461 ax->old_pcap.inheritable = old->cap_inheritable;
2824 ax->old_pcap.effective = old->cap_e 2462 ax->old_pcap.effective = old->cap_effective;
2825 ax->old_pcap.ambient = old->cap_a 2463 ax->old_pcap.ambient = old->cap_ambient;
2826 2464
2827 ax->new_pcap.permitted = new->cap_p 2465 ax->new_pcap.permitted = new->cap_permitted;
2828 ax->new_pcap.inheritable = new->cap_i 2466 ax->new_pcap.inheritable = new->cap_inheritable;
2829 ax->new_pcap.effective = new->cap_e 2467 ax->new_pcap.effective = new->cap_effective;
2830 ax->new_pcap.ambient = new->cap_a 2468 ax->new_pcap.ambient = new->cap_ambient;
2831 return 0; 2469 return 0;
2832 } 2470 }
2833 2471
2834 /** 2472 /**
2835 * __audit_log_capset - store information abo 2473 * __audit_log_capset - store information about the arguments to the capset syscall
2836 * @new: the new credentials 2474 * @new: the new credentials
2837 * @old: the old (current) credentials 2475 * @old: the old (current) credentials
2838 * 2476 *
2839 * Record the arguments userspace sent to sys 2477 * Record the arguments userspace sent to sys_capset for later printing by the
2840 * audit system if applicable 2478 * audit system if applicable
2841 */ 2479 */
2842 void __audit_log_capset(const struct cred *ne 2480 void __audit_log_capset(const struct cred *new, const struct cred *old)
2843 { 2481 {
2844 struct audit_context *context = audit 2482 struct audit_context *context = audit_context();
2845 <<
2846 context->capset.pid = task_tgid_nr(cu 2483 context->capset.pid = task_tgid_nr(current);
2847 context->capset.cap.effective = new 2484 context->capset.cap.effective = new->cap_effective;
2848 context->capset.cap.inheritable = new 2485 context->capset.cap.inheritable = new->cap_effective;
2849 context->capset.cap.permitted = new 2486 context->capset.cap.permitted = new->cap_permitted;
2850 context->capset.cap.ambient = new 2487 context->capset.cap.ambient = new->cap_ambient;
2851 context->type = AUDIT_CAPSET; 2488 context->type = AUDIT_CAPSET;
2852 } 2489 }
2853 2490
2854 void __audit_mmap_fd(int fd, int flags) 2491 void __audit_mmap_fd(int fd, int flags)
2855 { 2492 {
2856 struct audit_context *context = audit 2493 struct audit_context *context = audit_context();
2857 <<
2858 context->mmap.fd = fd; 2494 context->mmap.fd = fd;
2859 context->mmap.flags = flags; 2495 context->mmap.flags = flags;
2860 context->type = AUDIT_MMAP; 2496 context->type = AUDIT_MMAP;
2861 } 2497 }
2862 2498
2863 void __audit_openat2_how(struct open_how *how <<
2864 { <<
2865 struct audit_context *context = audit <<
2866 <<
2867 context->openat2.flags = how->flags; <<
2868 context->openat2.mode = how->mode; <<
2869 context->openat2.resolve = how->resol <<
2870 context->type = AUDIT_OPENAT2; <<
2871 } <<
2872 <<
2873 void __audit_log_kern_module(char *name) 2499 void __audit_log_kern_module(char *name)
2874 { 2500 {
2875 struct audit_context *context = audit 2501 struct audit_context *context = audit_context();
2876 2502
2877 context->module.name = kstrdup(name, 2503 context->module.name = kstrdup(name, GFP_KERNEL);
2878 if (!context->module.name) 2504 if (!context->module.name)
2879 audit_log_lost("out of memory 2505 audit_log_lost("out of memory in __audit_log_kern_module");
2880 context->type = AUDIT_KERN_MODULE; 2506 context->type = AUDIT_KERN_MODULE;
2881 } 2507 }
2882 2508
2883 void __audit_fanotify(u32 response, struct fa !! 2509 void __audit_fanotify(unsigned int response)
2884 { 2510 {
2885 /* {subj,obj}_trust values are {0,1,2 !! 2511 audit_log(audit_context(), GFP_KERNEL,
2886 switch (friar->hdr.type) { !! 2512 AUDIT_FANOTIFY, "resp=%u", response);
2887 case FAN_RESPONSE_INFO_NONE: <<
2888 audit_log(audit_context(), GF <<
2889 "resp=%u fan_type=% <<
2890 response, FAN_RESPO <<
2891 break; <<
2892 case FAN_RESPONSE_INFO_AUDIT_RULE: <<
2893 audit_log(audit_context(), GF <<
2894 "resp=%u fan_type=% <<
2895 response, friar->hd <<
2896 friar->subj_trust, <<
2897 } <<
2898 } 2513 }
2899 2514
2900 void __audit_tk_injoffset(struct timespec64 o 2515 void __audit_tk_injoffset(struct timespec64 offset)
2901 { 2516 {
2902 struct audit_context *context = audit !! 2517 audit_log(audit_context(), GFP_KERNEL, AUDIT_TIME_INJOFFSET,
2903 !! 2518 "sec=%lli nsec=%li",
2904 /* only set type if not already set b !! 2519 (long long)offset.tv_sec, offset.tv_nsec);
2905 if (!context->type) <<
2906 context->type = AUDIT_TIME_IN <<
2907 memcpy(&context->time.tk_injoffset, & <<
2908 } 2520 }
2909 2521
2910 void __audit_ntp_log(const struct audit_ntp_d !! 2522 static void audit_log_ntp_val(const struct audit_ntp_data *ad,
>> 2523 const char *op, enum audit_ntp_type type)
2911 { 2524 {
2912 struct audit_context *context = audit !! 2525 const struct audit_ntp_val *val = &ad->vals[type];
2913 int type; <<
2914 2526
2915 for (type = 0; type < AUDIT_NTP_NVALS !! 2527 if (val->newval == val->oldval)
2916 if (ad->vals[type].newval != !! 2528 return;
2917 /* unconditionally se !! 2529
2918 context->type = AUDIT !! 2530 audit_log(audit_context(), GFP_KERNEL, AUDIT_TIME_ADJNTPVAL,
2919 memcpy(&context->time !! 2531 "op=%s old=%lli new=%lli", op, val->oldval, val->newval);
2920 break; <<
2921 } <<
2922 } 2532 }
2923 2533
2924 void __audit_log_nfcfg(const char *name, u8 a !! 2534 void __audit_ntp_log(const struct audit_ntp_data *ad)
2925 enum audit_nfcfgop op, <<
2926 { 2535 {
2927 struct audit_buffer *ab; !! 2536 audit_log_ntp_val(ad, "offset", AUDIT_NTP_OFFSET);
2928 char comm[sizeof(current->comm)]; !! 2537 audit_log_ntp_val(ad, "freq", AUDIT_NTP_FREQ);
2929 !! 2538 audit_log_ntp_val(ad, "status", AUDIT_NTP_STATUS);
2930 ab = audit_log_start(audit_context(), !! 2539 audit_log_ntp_val(ad, "tai", AUDIT_NTP_TAI);
2931 if (!ab) !! 2540 audit_log_ntp_val(ad, "tick", AUDIT_NTP_TICK);
2932 return; !! 2541 audit_log_ntp_val(ad, "adjust", AUDIT_NTP_ADJUST);
2933 audit_log_format(ab, "table=%s family <<
2934 name, af, nentries, <<
2935 <<
2936 audit_log_format(ab, " pid=%u", task_ <<
2937 audit_log_task_context(ab); /* subj= <<
2938 audit_log_format(ab, " comm="); <<
2939 audit_log_untrustedstring(ab, get_tas <<
2940 audit_log_end(ab); <<
2941 } 2542 }
2942 EXPORT_SYMBOL_GPL(__audit_log_nfcfg); <<
2943 2543
2944 static void audit_log_task(struct audit_buffe 2544 static void audit_log_task(struct audit_buffer *ab)
2945 { 2545 {
2946 kuid_t auid, uid; 2546 kuid_t auid, uid;
2947 kgid_t gid; 2547 kgid_t gid;
2948 unsigned int sessionid; 2548 unsigned int sessionid;
2949 char comm[sizeof(current->comm)]; 2549 char comm[sizeof(current->comm)];
2950 2550
2951 auid = audit_get_loginuid(current); 2551 auid = audit_get_loginuid(current);
2952 sessionid = audit_get_sessionid(curre 2552 sessionid = audit_get_sessionid(current);
2953 current_uid_gid(&uid, &gid); 2553 current_uid_gid(&uid, &gid);
2954 2554
2955 audit_log_format(ab, "auid=%u uid=%u 2555 audit_log_format(ab, "auid=%u uid=%u gid=%u ses=%u",
2956 from_kuid(&init_user 2556 from_kuid(&init_user_ns, auid),
2957 from_kuid(&init_user 2557 from_kuid(&init_user_ns, uid),
2958 from_kgid(&init_user 2558 from_kgid(&init_user_ns, gid),
2959 sessionid); 2559 sessionid);
2960 audit_log_task_context(ab); 2560 audit_log_task_context(ab);
2961 audit_log_format(ab, " pid=%d comm=", 2561 audit_log_format(ab, " pid=%d comm=", task_tgid_nr(current));
2962 audit_log_untrustedstring(ab, get_tas 2562 audit_log_untrustedstring(ab, get_task_comm(comm, current));
2963 audit_log_d_path_exe(ab, current->mm) 2563 audit_log_d_path_exe(ab, current->mm);
2964 } 2564 }
2965 2565
2966 /** 2566 /**
2967 * audit_core_dumps - record information abou 2567 * audit_core_dumps - record information about processes that end abnormally
2968 * @signr: signal value 2568 * @signr: signal value
2969 * 2569 *
2970 * If a process ends with a core dump, someth 2570 * If a process ends with a core dump, something fishy is going on and we
2971 * should record the event for investigation. 2571 * should record the event for investigation.
2972 */ 2572 */
2973 void audit_core_dumps(long signr) 2573 void audit_core_dumps(long signr)
2974 { 2574 {
2975 struct audit_buffer *ab; 2575 struct audit_buffer *ab;
2976 2576
2977 if (!audit_enabled) 2577 if (!audit_enabled)
2978 return; 2578 return;
2979 2579
2980 if (signr == SIGQUIT) /* don't care 2580 if (signr == SIGQUIT) /* don't care for those */
2981 return; 2581 return;
2982 2582
2983 ab = audit_log_start(audit_context(), 2583 ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_ANOM_ABEND);
2984 if (unlikely(!ab)) 2584 if (unlikely(!ab))
2985 return; 2585 return;
2986 audit_log_task(ab); 2586 audit_log_task(ab);
2987 audit_log_format(ab, " sig=%ld res=1" 2587 audit_log_format(ab, " sig=%ld res=1", signr);
2988 audit_log_end(ab); 2588 audit_log_end(ab);
2989 } 2589 }
2990 2590
2991 /** 2591 /**
2992 * audit_seccomp - record information about a 2592 * audit_seccomp - record information about a seccomp action
2993 * @syscall: syscall number 2593 * @syscall: syscall number
2994 * @signr: signal value 2594 * @signr: signal value
2995 * @code: the seccomp action 2595 * @code: the seccomp action
2996 * 2596 *
2997 * Record the information associated with a s 2597 * Record the information associated with a seccomp action. Event filtering for
2998 * seccomp actions that are not to be logged 2598 * seccomp actions that are not to be logged is done in seccomp_log().
2999 * Therefore, this function forces auditing i 2599 * Therefore, this function forces auditing independent of the audit_enabled
3000 * and dummy context state because seccomp ac 2600 * and dummy context state because seccomp actions should be logged even when
3001 * audit is not in use. 2601 * audit is not in use.
3002 */ 2602 */
3003 void audit_seccomp(unsigned long syscall, lon 2603 void audit_seccomp(unsigned long syscall, long signr, int code)
3004 { 2604 {
3005 struct audit_buffer *ab; 2605 struct audit_buffer *ab;
3006 2606
3007 ab = audit_log_start(audit_context(), 2607 ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_SECCOMP);
3008 if (unlikely(!ab)) 2608 if (unlikely(!ab))
3009 return; 2609 return;
3010 audit_log_task(ab); 2610 audit_log_task(ab);
3011 audit_log_format(ab, " sig=%ld arch=% 2611 audit_log_format(ab, " sig=%ld arch=%x syscall=%ld compat=%d ip=0x%lx code=0x%x",
3012 signr, syscall_get_a 2612 signr, syscall_get_arch(current), syscall,
3013 in_compat_syscall(), 2613 in_compat_syscall(), KSTK_EIP(current), code);
3014 audit_log_end(ab); 2614 audit_log_end(ab);
3015 } 2615 }
3016 2616
3017 void audit_seccomp_actions_logged(const char 2617 void audit_seccomp_actions_logged(const char *names, const char *old_names,
3018 int res) 2618 int res)
3019 { 2619 {
3020 struct audit_buffer *ab; 2620 struct audit_buffer *ab;
3021 2621
3022 if (!audit_enabled) 2622 if (!audit_enabled)
3023 return; 2623 return;
3024 2624
3025 ab = audit_log_start(audit_context(), 2625 ab = audit_log_start(audit_context(), GFP_KERNEL,
3026 AUDIT_CONFIG_CHA 2626 AUDIT_CONFIG_CHANGE);
3027 if (unlikely(!ab)) 2627 if (unlikely(!ab))
3028 return; 2628 return;
3029 2629
3030 audit_log_format(ab, 2630 audit_log_format(ab,
3031 "op=seccomp-logging 2631 "op=seccomp-logging actions=%s old-actions=%s res=%d",
3032 names, old_names, re 2632 names, old_names, res);
3033 audit_log_end(ab); 2633 audit_log_end(ab);
3034 } 2634 }
3035 2635
3036 struct list_head *audit_killed_trees(void) 2636 struct list_head *audit_killed_trees(void)
3037 { 2637 {
3038 struct audit_context *ctx = audit_con 2638 struct audit_context *ctx = audit_context();
3039 if (likely(!ctx || ctx->context == AU !! 2639 if (likely(!ctx || !ctx->in_syscall))
3040 return NULL; 2640 return NULL;
3041 return &ctx->killed_trees; 2641 return &ctx->killed_trees;
3042 } 2642 }
3043 2643
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.