1 // SPDX-License-Identifier: GPL-2.0-or-later 1
2 /* auditsc.c -- System-call auditing support
3 * Handles all system-call specific auditing f
4 *
5 * Copyright 2003-2004 Red Hat Inc., Durham, N
6 * Copyright 2005 Hewlett-Packard Development
7 * Copyright (C) 2005, 2006 IBM Corporation
8 * All Rights Reserved.
9 *
10 * Written by Rickard E. (Rik) Faith <faith@re
11 *
12 * Many of the ideas implemented here are from
13 * especially the idea of avoiding a copy by u
14 *
15 * The method for actual interception of sysca
16 * this file -- see entry.S) is based on a GPL
17 * okir@suse.de and Copyright 2003 SuSE Linux
18 *
19 * POSIX message queue support added by George
20 * 2006.
21 *
22 * The support of additional filter rules comp
23 * added by Dustin Kirkland <dustin.kirkland@u
24 *
25 * Modified by Amy Griffis <amy.griffis@hp.com
26 * filesystem information.
27 *
28 * Subject and object context labeling support
29 * and <dustin.kirkland@us.ibm.com> for LSPP c
30 */
31
32 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
33
34 #include <linux/init.h>
35 #include <asm/types.h>
36 #include <linux/atomic.h>
37 #include <linux/fs.h>
38 #include <linux/namei.h>
39 #include <linux/mm.h>
40 #include <linux/export.h>
41 #include <linux/slab.h>
42 #include <linux/mount.h>
43 #include <linux/socket.h>
44 #include <linux/mqueue.h>
45 #include <linux/audit.h>
46 #include <linux/personality.h>
47 #include <linux/time.h>
48 #include <linux/netlink.h>
49 #include <linux/compiler.h>
50 #include <asm/unistd.h>
51 #include <linux/security.h>
52 #include <linux/list.h>
53 #include <linux/binfmts.h>
54 #include <linux/highmem.h>
55 #include <linux/syscalls.h>
56 #include <asm/syscall.h>
57 #include <linux/capability.h>
58 #include <linux/fs_struct.h>
59 #include <linux/compat.h>
60 #include <linux/ctype.h>
61 #include <linux/string.h>
62 #include <linux/uaccess.h>
63 #include <linux/fsnotify_backend.h>
64 #include <uapi/linux/limits.h>
65 #include <uapi/linux/netfilter/nf_tables.h>
66 #include <uapi/linux/openat2.h> // struct open
67 #include <uapi/linux/fanotify.h>
68
69 #include "audit.h"
70
71 /* flags stating the success for a syscall */
72 #define AUDITSC_INVALID 0
73 #define AUDITSC_SUCCESS 1
74 #define AUDITSC_FAILURE 2
75
76 /* no execve audit message should be longer th
77 * see the note near the top of audit_log_exec
78 #define MAX_EXECVE_AUDIT_LEN 7500
79
80 /* max length to print of cmdline/proctitle va
81 #define MAX_PROCTITLE_AUDIT_LEN 128
82
83 /* number of audit rules */
84 int audit_n_rules;
85
86 /* determines whether we collect data for sign
87 int audit_signals;
88
89 struct audit_aux_data {
90 struct audit_aux_data *next;
91 int type;
92 };
93
94 /* Number of target pids per aux struct. */
95 #define AUDIT_AUX_PIDS 16
96
97 struct audit_aux_data_pids {
98 struct audit_aux_data d;
99 pid_t target_pid[AUD
100 kuid_t target_auid[AU
101 kuid_t target_uid[AUD
102 unsigned int target_session
103 u32 target_sid[AUD
104 char target_comm[AU
105 int pid_count;
106 };
107
108 struct audit_aux_data_bprm_fcaps {
109 struct audit_aux_data d;
110 struct audit_cap_data fcap;
111 unsigned int fcap_ver;
112 struct audit_cap_data old_pcap;
113 struct audit_cap_data new_pcap;
114 };
115
116 struct audit_tree_refs {
117 struct audit_tree_refs *next;
118 struct audit_chunk *c[31];
119 };
120
121 struct audit_nfcfgop_tab {
122 enum audit_nfcfgop op;
123 const char *s;
124 };
125
126 static const struct audit_nfcfgop_tab audit_nf
127 { AUDIT_XT_OP_REGISTER,
128 { AUDIT_XT_OP_REPLACE,
129 { AUDIT_XT_OP_UNREGISTER,
130 { AUDIT_NFT_OP_TABLE_REGISTER,
131 { AUDIT_NFT_OP_TABLE_UNREGISTER,
132 { AUDIT_NFT_OP_CHAIN_REGISTER,
133 { AUDIT_NFT_OP_CHAIN_UNREGISTER,
134 { AUDIT_NFT_OP_RULE_REGISTER,
135 { AUDIT_NFT_OP_RULE_UNREGISTER,
136 { AUDIT_NFT_OP_SET_REGISTER,
137 { AUDIT_NFT_OP_SET_UNREGISTER,
138 { AUDIT_NFT_OP_SETELEM_REGISTER,
139 { AUDIT_NFT_OP_SETELEM_UNREGISTER,
140 { AUDIT_NFT_OP_GEN_REGISTER,
141 { AUDIT_NFT_OP_OBJ_REGISTER,
142 { AUDIT_NFT_OP_OBJ_UNREGISTER,
143 { AUDIT_NFT_OP_OBJ_RESET,
144 { AUDIT_NFT_OP_FLOWTABLE_REGISTER,
145 { AUDIT_NFT_OP_FLOWTABLE_UNREGISTER,
146 { AUDIT_NFT_OP_SETELEM_RESET,
147 { AUDIT_NFT_OP_RULE_RESET,
148 { AUDIT_NFT_OP_INVALID,
149 };
150
151 static int audit_match_perm(struct audit_conte
152 {
153 unsigned n;
154
155 if (unlikely(!ctx))
156 return 0;
157 n = ctx->major;
158
159 switch (audit_classify_syscall(ctx->ar
160 case AUDITSC_NATIVE:
161 if ((mask & AUDIT_PERM_WRITE)
162 audit_match_class(AUDIT_C
163 return 1;
164 if ((mask & AUDIT_PERM_READ) &
165 audit_match_class(AUDIT_C
166 return 1;
167 if ((mask & AUDIT_PERM_ATTR) &
168 audit_match_class(AUDIT_C
169 return 1;
170 return 0;
171 case AUDITSC_COMPAT: /* 32bit on biarc
172 if ((mask & AUDIT_PERM_WRITE)
173 audit_match_class(AUDIT_C
174 return 1;
175 if ((mask & AUDIT_PERM_READ) &
176 audit_match_class(AUDIT_C
177 return 1;
178 if ((mask & AUDIT_PERM_ATTR) &
179 audit_match_class(AUDIT_C
180 return 1;
181 return 0;
182 case AUDITSC_OPEN:
183 return mask & ACC_MODE(ctx->ar
184 case AUDITSC_OPENAT:
185 return mask & ACC_MODE(ctx->ar
186 case AUDITSC_SOCKETCALL:
187 return ((mask & AUDIT_PERM_WRI
188 case AUDITSC_EXECVE:
189 return mask & AUDIT_PERM_EXEC;
190 case AUDITSC_OPENAT2:
191 return mask & ACC_MODE((u32)ct
192 default:
193 return 0;
194 }
195 }
196
197 static int audit_match_filetype(struct audit_c
198 {
199 struct audit_names *n;
200 umode_t mode = (umode_t)val;
201
202 if (unlikely(!ctx))
203 return 0;
204
205 list_for_each_entry(n, &ctx->names_lis
206 if ((n->ino != AUDIT_INO_UNSET
207 ((n->mode & S_IFMT) == mod
208 return 1;
209 }
210
211 return 0;
212 }
213
214 /*
215 * We keep a linked list of fixed-sized (31 po
216 * ->first_trees points to its beginning, ->tr
217 * ->tree_count is the number of free entries
218 * Original condition is (NULL, NULL, 0); as s
219 * "empty" becomes (p, p, 31) afterwards. We
220 * it's going to remain 1-element for almost a
221 * References in it _are_ dropped - at the sam
222 */
223
224 static void audit_set_auditable(struct audit_c
225 {
226 if (!ctx->prio) {
227 ctx->prio = 1;
228 ctx->current_state = AUDIT_STA
229 }
230 }
231
232 static int put_tree_ref(struct audit_context *
233 {
234 struct audit_tree_refs *p = ctx->trees
235 int left = ctx->tree_count;
236
237 if (likely(left)) {
238 p->c[--left] = chunk;
239 ctx->tree_count = left;
240 return 1;
241 }
242 if (!p)
243 return 0;
244 p = p->next;
245 if (p) {
246 p->c[30] = chunk;
247 ctx->trees = p;
248 ctx->tree_count = 30;
249 return 1;
250 }
251 return 0;
252 }
253
254 static int grow_tree_refs(struct audit_context
255 {
256 struct audit_tree_refs *p = ctx->trees
257
258 ctx->trees = kzalloc(sizeof(struct aud
259 if (!ctx->trees) {
260 ctx->trees = p;
261 return 0;
262 }
263 if (p)
264 p->next = ctx->trees;
265 else
266 ctx->first_trees = ctx->trees;
267 ctx->tree_count = 31;
268 return 1;
269 }
270
271 static void unroll_tree_refs(struct audit_cont
272 struct audit_tree_refs *
273 {
274 struct audit_tree_refs *q;
275 int n;
276
277 if (!p) {
278 /* we started with empty chain
279 p = ctx->first_trees;
280 count = 31;
281 /* if the very first allocatio
282 if (!p)
283 return;
284 }
285 n = count;
286 for (q = p; q != ctx->trees; q = q->ne
287 while (n--) {
288 audit_put_chunk(q->c[n
289 q->c[n] = NULL;
290 }
291 }
292 while (n-- > ctx->tree_count) {
293 audit_put_chunk(q->c[n]);
294 q->c[n] = NULL;
295 }
296 ctx->trees = p;
297 ctx->tree_count = count;
298 }
299
300 static void free_tree_refs(struct audit_contex
301 {
302 struct audit_tree_refs *p, *q;
303
304 for (p = ctx->first_trees; p; p = q) {
305 q = p->next;
306 kfree(p);
307 }
308 }
309
310 static int match_tree_refs(struct audit_contex
311 {
312 struct audit_tree_refs *p;
313 int n;
314
315 if (!tree)
316 return 0;
317 /* full ones */
318 for (p = ctx->first_trees; p != ctx->t
319 for (n = 0; n < 31; n++)
320 if (audit_tree_match(p
321 return 1;
322 }
323 /* partial */
324 if (p) {
325 for (n = ctx->tree_count; n <
326 if (audit_tree_match(p
327 return 1;
328 }
329 return 0;
330 }
331
332 static int audit_compare_uid(kuid_t uid,
333 struct audit_name
334 struct audit_fiel
335 struct audit_cont
336 {
337 struct audit_names *n;
338 int rc;
339
340 if (name) {
341 rc = audit_uid_comparator(uid,
342 if (rc)
343 return rc;
344 }
345
346 if (ctx) {
347 list_for_each_entry(n, &ctx->n
348 rc = audit_uid_compara
349 if (rc)
350 return rc;
351 }
352 }
353 return 0;
354 }
355
356 static int audit_compare_gid(kgid_t gid,
357 struct audit_name
358 struct audit_fiel
359 struct audit_cont
360 {
361 struct audit_names *n;
362 int rc;
363
364 if (name) {
365 rc = audit_gid_comparator(gid,
366 if (rc)
367 return rc;
368 }
369
370 if (ctx) {
371 list_for_each_entry(n, &ctx->n
372 rc = audit_gid_compara
373 if (rc)
374 return rc;
375 }
376 }
377 return 0;
378 }
379
380 static int audit_field_compare(struct task_str
381 const struct cr
382 struct audit_fi
383 struct audit_co
384 struct audit_na
385 {
386 switch (f->val) {
387 /* process to file object comparisons
388 case AUDIT_COMPARE_UID_TO_OBJ_UID:
389 return audit_compare_uid(cred-
390 case AUDIT_COMPARE_GID_TO_OBJ_GID:
391 return audit_compare_gid(cred-
392 case AUDIT_COMPARE_EUID_TO_OBJ_UID:
393 return audit_compare_uid(cred-
394 case AUDIT_COMPARE_EGID_TO_OBJ_GID:
395 return audit_compare_gid(cred-
396 case AUDIT_COMPARE_AUID_TO_OBJ_UID:
397 return audit_compare_uid(audit
398 case AUDIT_COMPARE_SUID_TO_OBJ_UID:
399 return audit_compare_uid(cred-
400 case AUDIT_COMPARE_SGID_TO_OBJ_GID:
401 return audit_compare_gid(cred-
402 case AUDIT_COMPARE_FSUID_TO_OBJ_UID:
403 return audit_compare_uid(cred-
404 case AUDIT_COMPARE_FSGID_TO_OBJ_GID:
405 return audit_compare_gid(cred-
406 /* uid comparisons */
407 case AUDIT_COMPARE_UID_TO_AUID:
408 return audit_uid_comparator(cr
409 au
410 case AUDIT_COMPARE_UID_TO_EUID:
411 return audit_uid_comparator(cr
412 case AUDIT_COMPARE_UID_TO_SUID:
413 return audit_uid_comparator(cr
414 case AUDIT_COMPARE_UID_TO_FSUID:
415 return audit_uid_comparator(cr
416 /* auid comparisons */
417 case AUDIT_COMPARE_AUID_TO_EUID:
418 return audit_uid_comparator(au
419 cr
420 case AUDIT_COMPARE_AUID_TO_SUID:
421 return audit_uid_comparator(au
422 cr
423 case AUDIT_COMPARE_AUID_TO_FSUID:
424 return audit_uid_comparator(au
425 cr
426 /* euid comparisons */
427 case AUDIT_COMPARE_EUID_TO_SUID:
428 return audit_uid_comparator(cr
429 case AUDIT_COMPARE_EUID_TO_FSUID:
430 return audit_uid_comparator(cr
431 /* suid comparisons */
432 case AUDIT_COMPARE_SUID_TO_FSUID:
433 return audit_uid_comparator(cr
434 /* gid comparisons */
435 case AUDIT_COMPARE_GID_TO_EGID:
436 return audit_gid_comparator(cr
437 case AUDIT_COMPARE_GID_TO_SGID:
438 return audit_gid_comparator(cr
439 case AUDIT_COMPARE_GID_TO_FSGID:
440 return audit_gid_comparator(cr
441 /* egid comparisons */
442 case AUDIT_COMPARE_EGID_TO_SGID:
443 return audit_gid_comparator(cr
444 case AUDIT_COMPARE_EGID_TO_FSGID:
445 return audit_gid_comparator(cr
446 /* sgid comparison */
447 case AUDIT_COMPARE_SGID_TO_FSGID:
448 return audit_gid_comparator(cr
449 default:
450 WARN(1, "Missing AUDIT_COMPARE
451 return 0;
452 }
453 return 0;
454 }
455
456 /* Determine if any context name data matches
457 /* Compare a task_struct with an audit_rule.
458 * otherwise.
459 *
460 * If task_creation is true, this is an explic
461 * filtering a task rule at task creation time
462 * the only situations where tsk->cred may be
463 */
464 static int audit_filter_rules(struct task_stru
465 struct audit_kru
466 struct audit_con
467 struct audit_nam
468 enum audit_state
469 bool task_creati
470 {
471 const struct cred *cred;
472 int i, need_sid = 1;
473 u32 sid;
474 unsigned int sessionid;
475
476 if (ctx && rule->prio <= ctx->prio)
477 return 0;
478
479 cred = rcu_dereference_check(tsk->cred
480
481 for (i = 0; i < rule->field_count; i++
482 struct audit_field *f = &rule-
483 struct audit_names *n;
484 int result = 0;
485 pid_t pid;
486
487 switch (f->type) {
488 case AUDIT_PID:
489 pid = task_tgid_nr(tsk
490 result = audit_compara
491 break;
492 case AUDIT_PPID:
493 if (ctx) {
494 if (!ctx->ppid
495 ctx->p
496 result = audit
497 }
498 break;
499 case AUDIT_EXE:
500 result = audit_exe_com
501 if (f->op == Audit_not
502 result = !resu
503 break;
504 case AUDIT_UID:
505 result = audit_uid_com
506 break;
507 case AUDIT_EUID:
508 result = audit_uid_com
509 break;
510 case AUDIT_SUID:
511 result = audit_uid_com
512 break;
513 case AUDIT_FSUID:
514 result = audit_uid_com
515 break;
516 case AUDIT_GID:
517 result = audit_gid_com
518 if (f->op == Audit_equ
519 if (!result)
520 result
521 } else if (f->op == Au
522 if (result)
523 result
524 }
525 break;
526 case AUDIT_EGID:
527 result = audit_gid_com
528 if (f->op == Audit_equ
529 if (!result)
530 result
531 } else if (f->op == Au
532 if (result)
533 result
534 }
535 break;
536 case AUDIT_SGID:
537 result = audit_gid_com
538 break;
539 case AUDIT_FSGID:
540 result = audit_gid_com
541 break;
542 case AUDIT_SESSIONID:
543 sessionid = audit_get_
544 result = audit_compara
545 break;
546 case AUDIT_PERS:
547 result = audit_compara
548 break;
549 case AUDIT_ARCH:
550 if (ctx)
551 result = audit
552 break;
553
554 case AUDIT_EXIT:
555 if (ctx && ctx->return
556 result = audit
557 break;
558 case AUDIT_SUCCESS:
559 if (ctx && ctx->return
560 if (f->val)
561 result
562 else
563 result
564 }
565 break;
566 case AUDIT_DEVMAJOR:
567 if (name) {
568 if (audit_comp
569 audit_comp
570 ++resu
571 } else if (ctx) {
572 list_for_each_
573 if (au
574 au
575
576
577 }
578 }
579 }
580 break;
581 case AUDIT_DEVMINOR:
582 if (name) {
583 if (audit_comp
584 audit_comp
585 ++resu
586 } else if (ctx) {
587 list_for_each_
588 if (au
589 au
590
591
592 }
593 }
594 }
595 break;
596 case AUDIT_INODE:
597 if (name)
598 result = audit
599 else if (ctx) {
600 list_for_each_
601 if (au
602
603
604 }
605 }
606 }
607 break;
608 case AUDIT_OBJ_UID:
609 if (name) {
610 result = audit
611 } else if (ctx) {
612 list_for_each_
613 if (au
614
615
616 }
617 }
618 }
619 break;
620 case AUDIT_OBJ_GID:
621 if (name) {
622 result = audit
623 } else if (ctx) {
624 list_for_each_
625 if (au
626
627
628 }
629 }
630 }
631 break;
632 case AUDIT_WATCH:
633 if (name) {
634 result = audit
635
636
637 if (f->op == A
638 result
639 }
640 break;
641 case AUDIT_DIR:
642 if (ctx) {
643 result = match
644 if (f->op == A
645 result
646 }
647 break;
648 case AUDIT_LOGINUID:
649 result = audit_uid_com
650
651 break;
652 case AUDIT_LOGINUID_SET:
653 result = audit_compara
654 break;
655 case AUDIT_SADDR_FAM:
656 if (ctx && ctx->sockad
657 result = audit
658
659 break;
660 case AUDIT_SUBJ_USER:
661 case AUDIT_SUBJ_ROLE:
662 case AUDIT_SUBJ_TYPE:
663 case AUDIT_SUBJ_SEN:
664 case AUDIT_SUBJ_CLR:
665 /* NOTE: this may retu
666 a temporary error.
667 match for now to av
668 may be wanted. An
669 logged upon error *
670 if (f->lsm_rule) {
671 if (need_sid)
672 /* @ts
673 * @cu
674 * for
675 * the
676 * of
677 * use
678 * her
679 * @cu
680 */
681 securi
682 need_s
683 }
684 result = secur
685
686
687 }
688 break;
689 case AUDIT_OBJ_USER:
690 case AUDIT_OBJ_ROLE:
691 case AUDIT_OBJ_TYPE:
692 case AUDIT_OBJ_LEV_LOW:
693 case AUDIT_OBJ_LEV_HIGH:
694 /* The above note for
695 also applies here *
696 if (f->lsm_rule) {
697 /* Find files
698 if (name) {
699 result
700
701
702
703
704 } else if (ctx
705 list_f
706
707
708
709
710
711
712
713
714 }
715 }
716 /* Find ipc ob
717 if (!ctx || ct
718 break;
719 if (security_a
720
721
722 ++resu
723 }
724 break;
725 case AUDIT_ARG0:
726 case AUDIT_ARG1:
727 case AUDIT_ARG2:
728 case AUDIT_ARG3:
729 if (ctx)
730 result = audit
731 break;
732 case AUDIT_FILTERKEY:
733 /* ignore this field f
734 result = 1;
735 break;
736 case AUDIT_PERM:
737 result = audit_match_p
738 if (f->op == Audit_not
739 result = !resu
740 break;
741 case AUDIT_FILETYPE:
742 result = audit_match_f
743 if (f->op == Audit_not
744 result = !resu
745 break;
746 case AUDIT_FIELD_COMPARE:
747 result = audit_field_c
748 break;
749 }
750 if (!result)
751 return 0;
752 }
753
754 if (ctx) {
755 if (rule->filterkey) {
756 kfree(ctx->filterkey);
757 ctx->filterkey = kstrd
758 }
759 ctx->prio = rule->prio;
760 }
761 switch (rule->action) {
762 case AUDIT_NEVER:
763 *state = AUDIT_STATE_DISABLED;
764 break;
765 case AUDIT_ALWAYS:
766 *state = AUDIT_STATE_RECORD;
767 break;
768 }
769 return 1;
770 }
771
772 /* At process creation time, we can determine
773 * completely disabled for this task. Since w
774 * structure at this point, we can only check
775 */
776 static enum audit_state audit_filter_task(stru
777 {
778 struct audit_entry *e;
779 enum audit_state state;
780
781 rcu_read_lock();
782 list_for_each_entry_rcu(e, &audit_filt
783 if (audit_filter_rules(tsk, &e
784 &state,
785 if (state == AUDIT_STA
786 *key = kstrdup
787 rcu_read_unlock();
788 return state;
789 }
790 }
791 rcu_read_unlock();
792 return AUDIT_STATE_BUILD;
793 }
794
795 static int audit_in_mask(const struct audit_kr
796 {
797 int word, bit;
798
799 if (val > 0xffffffff)
800 return false;
801
802 word = AUDIT_WORD(val);
803 if (word >= AUDIT_BITMASK_SIZE)
804 return false;
805
806 bit = AUDIT_BIT(val);
807
808 return rule->mask[word] & bit;
809 }
810
811 /**
812 * __audit_filter_op - common filter helper fo
813 * @tsk: associated task
814 * @ctx: audit context
815 * @list: audit filter list
816 * @name: audit_name (can be NULL)
817 * @op: current syscall/uring_op
818 *
819 * Run the udit filters specified in @list aga
820 * @name, and @op, as necessary; the caller is
821 * that the call is made while the RCU read lo
822 * parameter can be NULL, but all others must
823 * Returns 1/true if the filter finds a match,
824 */
825 static int __audit_filter_op(struct task_struc
826 struct audit_contex
827 struct list_head *l
828 struct audit_names
829 unsigned long op)
830 {
831 struct audit_entry *e;
832 enum audit_state state;
833
834 list_for_each_entry_rcu(e, list, list)
835 if (audit_in_mask(&e->rule, op
836 audit_filter_rules(tsk, &e
837 &state,
838 ctx->current_state = s
839 return 1;
840 }
841 }
842 return 0;
843 }
844
845 /**
846 * audit_filter_uring - apply filters to an io
847 * @tsk: associated task
848 * @ctx: audit context
849 */
850 static void audit_filter_uring(struct task_str
851 struct audit_co
852 {
853 if (auditd_test_task(tsk))
854 return;
855
856 rcu_read_lock();
857 __audit_filter_op(tsk, ctx, &audit_fil
858 NULL, ctx->uring_op);
859 rcu_read_unlock();
860 }
861
862 /* At syscall exit time, this filter is called
863 * not low enough that auditing cannot take pl
864 * high enough that we already know we have to
865 * (i.e., the state is AUDIT_STATE_BUILD).
866 */
867 static void audit_filter_syscall(struct task_s
868 struct audit_
869 {
870 if (auditd_test_task(tsk))
871 return;
872
873 rcu_read_lock();
874 __audit_filter_op(tsk, ctx, &audit_fil
875 NULL, ctx->major);
876 rcu_read_unlock();
877 }
878
879 /*
880 * Given an audit_name check the inode hash ta
881 * Called holding the rcu read lock to protect
882 */
883 static int audit_filter_inode_name(struct task
884 struct audi
885 struct audi
886 {
887 int h = audit_hash_ino((u32)n->ino);
888 struct list_head *list = &audit_inode_
889
890 return __audit_filter_op(tsk, ctx, lis
891 }
892
893 /* At syscall exit time, this filter is called
894 * collected during syscall processing. We on
895 * buckets applicable to the inode numbers in
896 * Regarding audit_state, same rules apply as
897 */
898 void audit_filter_inodes(struct task_struct *t
899 {
900 struct audit_names *n;
901
902 if (auditd_test_task(tsk))
903 return;
904
905 rcu_read_lock();
906
907 list_for_each_entry(n, &ctx->names_lis
908 if (audit_filter_inode_name(ts
909 break;
910 }
911 rcu_read_unlock();
912 }
913
914 static inline void audit_proctitle_free(struct
915 {
916 kfree(context->proctitle.value);
917 context->proctitle.value = NULL;
918 context->proctitle.len = 0;
919 }
920
921 static inline void audit_free_module(struct au
922 {
923 if (context->type == AUDIT_KERN_MODULE
924 kfree(context->module.name);
925 context->module.name = NULL;
926 }
927 }
928 static inline void audit_free_names(struct aud
929 {
930 struct audit_names *n, *next;
931
932 list_for_each_entry_safe(n, next, &con
933 list_del(&n->list);
934 if (n->name)
935 putname(n->name);
936 if (n->should_free)
937 kfree(n);
938 }
939 context->name_count = 0;
940 path_put(&context->pwd);
941 context->pwd.dentry = NULL;
942 context->pwd.mnt = NULL;
943 }
944
945 static inline void audit_free_aux(struct audit
946 {
947 struct audit_aux_data *aux;
948
949 while ((aux = context->aux)) {
950 context->aux = aux->next;
951 kfree(aux);
952 }
953 context->aux = NULL;
954 while ((aux = context->aux_pids)) {
955 context->aux_pids = aux->next;
956 kfree(aux);
957 }
958 context->aux_pids = NULL;
959 }
960
961 /**
962 * audit_reset_context - reset a audit_context
963 * @ctx: the audit_context to reset
964 *
965 * All fields in the audit_context will be res
966 * references held by fields will be dropped,
967 * released. When this function returns the a
968 * for reuse, so long as the passed context is
969 */
970 static void audit_reset_context(struct audit_c
971 {
972 if (!ctx)
973 return;
974
975 /* if ctx is non-null, reset the "ctx-
976 ctx->context = AUDIT_CTX_UNUSED;
977 if (ctx->dummy)
978 return;
979
980 /*
981 * NOTE: It shouldn't matter in what o
982 * release them in the order in
983 * this gives us some hope of qu
984 * resetting the audit_context p
985 *
986 * Other things worth mentioning
987 * - we don't reset "dummy"
988 * - we don't reset "state", we
989 * - we preserve "filterkey" if
990 * - much of this is likely over
991 * - we really need to work on i
992 */
993
994 ctx->current_state = ctx->state;
995 ctx->serial = 0;
996 ctx->major = 0;
997 ctx->uring_op = 0;
998 ctx->ctime = (struct timespec64){ .tv_
999 memset(ctx->argv, 0, sizeof(ctx->argv)
1000 ctx->return_code = 0;
1001 ctx->prio = (ctx->state == AUDIT_STAT
1002 ctx->return_valid = AUDITSC_INVALID;
1003 audit_free_names(ctx);
1004 if (ctx->state != AUDIT_STATE_RECORD)
1005 kfree(ctx->filterkey);
1006 ctx->filterkey = NULL;
1007 }
1008 audit_free_aux(ctx);
1009 kfree(ctx->sockaddr);
1010 ctx->sockaddr = NULL;
1011 ctx->sockaddr_len = 0;
1012 ctx->ppid = 0;
1013 ctx->uid = ctx->euid = ctx->suid = ct
1014 ctx->gid = ctx->egid = ctx->sgid = ct
1015 ctx->personality = 0;
1016 ctx->arch = 0;
1017 ctx->target_pid = 0;
1018 ctx->target_auid = ctx->target_uid =
1019 ctx->target_sessionid = 0;
1020 ctx->target_sid = 0;
1021 ctx->target_comm[0] = '\0';
1022 unroll_tree_refs(ctx, NULL, 0);
1023 WARN_ON(!list_empty(&ctx->killed_tree
1024 audit_free_module(ctx);
1025 ctx->fds[0] = -1;
1026 ctx->type = 0; /* reset last for audi
1027 }
1028
1029 static inline struct audit_context *audit_all
1030 {
1031 struct audit_context *context;
1032
1033 context = kzalloc(sizeof(*context), G
1034 if (!context)
1035 return NULL;
1036 context->context = AUDIT_CTX_UNUSED;
1037 context->state = state;
1038 context->prio = state == AUDIT_STATE_
1039 INIT_LIST_HEAD(&context->killed_trees
1040 INIT_LIST_HEAD(&context->names_list);
1041 context->fds[0] = -1;
1042 context->return_valid = AUDITSC_INVAL
1043 return context;
1044 }
1045
1046 /**
1047 * audit_alloc - allocate an audit context bl
1048 * @tsk: task
1049 *
1050 * Filter on the task information and allocat
1051 * if necessary. Doing so turns on system ca
1052 * specified task. This is called from copy_
1053 * needed.
1054 */
1055 int audit_alloc(struct task_struct *tsk)
1056 {
1057 struct audit_context *context;
1058 enum audit_state state;
1059 char *key = NULL;
1060
1061 if (likely(!audit_ever_enabled))
1062 return 0;
1063
1064 state = audit_filter_task(tsk, &key);
1065 if (state == AUDIT_STATE_DISABLED) {
1066 clear_task_syscall_work(tsk,
1067 return 0;
1068 }
1069
1070 context = audit_alloc_context(state);
1071 if (!context) {
1072 kfree(key);
1073 audit_log_lost("out of memory
1074 return -ENOMEM;
1075 }
1076 context->filterkey = key;
1077
1078 audit_set_context(tsk, context);
1079 set_task_syscall_work(tsk, SYSCALL_AU
1080 return 0;
1081 }
1082
1083 static inline void audit_free_context(struct
1084 {
1085 /* resetting is extra work, but it is
1086 audit_reset_context(context);
1087 audit_proctitle_free(context);
1088 free_tree_refs(context);
1089 kfree(context->filterkey);
1090 kfree(context);
1091 }
1092
1093 static int audit_log_pid_context(struct audit
1094 kuid_t auid,
1095 u32 sid, cha
1096 {
1097 struct audit_buffer *ab;
1098 char *ctx = NULL;
1099 u32 len;
1100 int rc = 0;
1101
1102 ab = audit_log_start(context, GFP_KER
1103 if (!ab)
1104 return rc;
1105
1106 audit_log_format(ab, "opid=%d oauid=%
1107 from_kuid(&init_user
1108 from_kuid(&init_user
1109 if (sid) {
1110 if (security_secid_to_secctx(
1111 audit_log_format(ab,
1112 rc = 1;
1113 } else {
1114 audit_log_format(ab,
1115 security_release_secc
1116 }
1117 }
1118 audit_log_format(ab, " ocomm=");
1119 audit_log_untrustedstring(ab, comm);
1120 audit_log_end(ab);
1121
1122 return rc;
1123 }
1124
1125 static void audit_log_execve_info(struct audi
1126 struct audi
1127 {
1128 long len_max;
1129 long len_rem;
1130 long len_full;
1131 long len_buf;
1132 long len_abuf = 0;
1133 long len_tmp;
1134 bool require_data;
1135 bool encode;
1136 unsigned int iter;
1137 unsigned int arg;
1138 char *buf_head;
1139 char *buf;
1140 const char __user *p = (const char __
1141
1142 /* NOTE: this buffer needs to be larg
1143 * data we put in the audit rec
1144 * code below) ... at this poin
1145 char abuf[96];
1146
1147 /* NOTE: we set MAX_EXECVE_AUDIT_LEN
1148 * current value of 7500 is not
1149 * is less than 8k, a setting o
1150 * room if we go over a little
1151 WARN_ON_ONCE(MAX_EXECVE_AUDIT_LEN > 7
1152 len_max = MAX_EXECVE_AUDIT_LEN;
1153
1154 /* scratch buffer to hold the userspa
1155 buf_head = kmalloc(MAX_EXECVE_AUDIT_L
1156 if (!buf_head) {
1157 audit_panic("out of memory fo
1158 return;
1159 }
1160 buf = buf_head;
1161
1162 audit_log_format(*ab, "argc=%d", cont
1163
1164 len_rem = len_max;
1165 len_buf = 0;
1166 len_full = 0;
1167 require_data = true;
1168 encode = false;
1169 iter = 0;
1170 arg = 0;
1171 do {
1172 /* NOTE: we don't ever want t
1173 * serious, but the aud
1174 * provide an argument
1175 * e.g. > MAX_EXECVE_AU
1176 * to use strncpy_from_
1177 * recording in the log
1178 * anywhere here to avo
1179 if (len_full == 0)
1180 len_full = strnlen_us
1181
1182 /* read more data from usersp
1183 if (require_data) {
1184 /* can we make more r
1185 if (buf != buf_head)
1186 memmove(buf_h
1187 buf = buf_hea
1188 }
1189
1190 /* fetch as much as w
1191 len_tmp = strncpy_fro
1192
1193 if (len_tmp == -EFAUL
1194 /* unable to
1195 send_sig(SIGK
1196 goto out;
1197 } else if (len_tmp ==
1198 /* buffer is
1199 require_data
1200 /* NOTE: if w
1201 * buff
1202 * a ch
1203 * cons
1204 encode = true
1205 len_full = le
1206 p += len_tmp;
1207 } else {
1208 require_data
1209 if (!encode)
1210 encod
1211
1212 /* try to use
1213 if (len_full
1214 len_f
1215
1216 p += len_tmp
1217 }
1218 len_buf += len_tmp;
1219 buf_head[len_buf] = '
1220
1221 /* length of the buff
1222 len_abuf = (encode ?
1223 }
1224
1225 /* write as much as we can to
1226 if (len_buf >= 0) {
1227 /* NOTE: some magic n
1228 * can't fit a
1229 * existing aud
1230 * a new buffer
1231 if ((sizeof(abuf) + 8
1232 len_rem = len
1233 audit_log_end
1234 *ab = audit_l
1235
1236 if (!*ab)
1237 goto
1238 }
1239
1240 /* create the non-arg
1241 len_tmp = 0;
1242 if (require_data || (
1243 ((len_abuf + size
1244 if (iter == 0
1245 len_t
1246
1247
1248
1249 }
1250 len_tmp += sn
1251
1252
1253 } else
1254 len_tmp += sn
1255
1256
1257 WARN_ON(len_tmp >= si
1258 abuf[sizeof(abuf) - 1
1259
1260 /* log the arg in the
1261 audit_log_format(*ab,
1262 len_rem -= len_tmp;
1263 len_tmp = len_buf;
1264 if (encode) {
1265 if (len_abuf
1266 len_t
1267 audit_log_n_h
1268 len_rem -= le
1269 len_abuf -= l
1270 } else {
1271 if (len_abuf
1272 len_t
1273 audit_log_n_s
1274 len_rem -= le
1275 /* don't subt
1276 * to add quo
1277 len_abuf -= l
1278 }
1279 len_buf -= len_tmp;
1280 buf += len_tmp;
1281 }
1282
1283 /* ready to move to the next
1284 if ((len_buf == 0) && !requir
1285 arg++;
1286 iter = 0;
1287 len_full = 0;
1288 require_data = true;
1289 encode = false;
1290 }
1291 } while (arg < context->execve.argc);
1292
1293 /* NOTE: the caller handles the final
1294
1295 out:
1296 kfree(buf_head);
1297 }
1298
1299 static void audit_log_cap(struct audit_buffer
1300 kernel_cap_t *cap)
1301 {
1302 if (cap_isclear(*cap)) {
1303 audit_log_format(ab, " %s=0",
1304 return;
1305 }
1306 audit_log_format(ab, " %s=%016llx", p
1307 }
1308
1309 static void audit_log_fcaps(struct audit_buff
1310 {
1311 if (name->fcap_ver == -1) {
1312 audit_log_format(ab, " cap_fe
1313 return;
1314 }
1315 audit_log_cap(ab, "cap_fp", &name->fc
1316 audit_log_cap(ab, "cap_fi", &name->fc
1317 audit_log_format(ab, " cap_fe=%d cap_
1318 name->fcap.fE, name-
1319 from_kuid(&init_user
1320 }
1321
1322 static void audit_log_time(struct audit_conte
1323 {
1324 const struct audit_ntp_data *ntp = &c
1325 const struct timespec64 *tk = &contex
1326 static const char * const ntp_name[]
1327 "offset",
1328 "freq",
1329 "status",
1330 "tai",
1331 "tick",
1332 "adjust",
1333 };
1334 int type;
1335
1336 if (context->type == AUDIT_TIME_ADJNT
1337 for (type = 0; type < AUDIT_N
1338 if (ntp->vals[type].n
1339 if (!*ab) {
1340 *ab =
1341
1342
1343 if (!
1344
1345 }
1346 audit_log_for
1347
1348
1349
1350 audit_log_end
1351 *ab = NULL;
1352 }
1353 }
1354 }
1355 if (tk->tv_sec != 0 || tk->tv_nsec !=
1356 if (!*ab) {
1357 *ab = audit_log_start
1358
1359 if (!*ab)
1360 return;
1361 }
1362 audit_log_format(*ab, "sec=%l
1363 (long long)t
1364 audit_log_end(*ab);
1365 *ab = NULL;
1366 }
1367 }
1368
1369 static void show_special(struct audit_context
1370 {
1371 struct audit_buffer *ab;
1372 int i;
1373
1374 ab = audit_log_start(context, GFP_KER
1375 if (!ab)
1376 return;
1377
1378 switch (context->type) {
1379 case AUDIT_SOCKETCALL: {
1380 int nargs = context->socketca
1381
1382 audit_log_format(ab, "nargs=%
1383 for (i = 0; i < nargs; i++)
1384 audit_log_format(ab,
1385 context->sock
1386 break; }
1387 case AUDIT_IPC: {
1388 u32 osid = context->ipc.osid;
1389
1390 audit_log_format(ab, "ouid=%u
1391 from_kuid(&i
1392 from_kgid(&i
1393 context->ipc
1394 if (osid) {
1395 char *ctx = NULL;
1396 u32 len;
1397
1398 if (security_secid_to
1399 audit_log_for
1400 *call_panic =
1401 } else {
1402 audit_log_for
1403 security_rele
1404 }
1405 }
1406 if (context->ipc.has_perm) {
1407 audit_log_end(ab);
1408 ab = audit_log_start(
1409
1410 if (unlikely(!ab))
1411 return;
1412 audit_log_format(ab,
1413 "qbytes=%lx o
1414 context->ipc.
1415 context->ipc.
1416 context->ipc.
1417 context->ipc.
1418 }
1419 break; }
1420 case AUDIT_MQ_OPEN:
1421 audit_log_format(ab,
1422 "oflag=0x%x mode=%#ho
1423 "mq_msgsize=%ld mq_cu
1424 context->mq_open.ofla
1425 context->mq_open.attr
1426 context->mq_open.attr
1427 context->mq_open.attr
1428 context->mq_open.attr
1429 break;
1430 case AUDIT_MQ_SENDRECV:
1431 audit_log_format(ab,
1432 "mqdes=%d msg_len=%zd
1433 "abs_timeout_sec=%lld
1434 context->mq_sendrecv.
1435 context->mq_sendrecv.
1436 context->mq_sendrecv.
1437 (long long) context->
1438 context->mq_sendrecv.
1439 break;
1440 case AUDIT_MQ_NOTIFY:
1441 audit_log_format(ab, "mqdes=%
1442 context->mq_n
1443 context->mq_n
1444 break;
1445 case AUDIT_MQ_GETSETATTR: {
1446 struct mq_attr *attr = &conte
1447
1448 audit_log_format(ab,
1449 "mqdes=%d mq_flags=0x
1450 "mq_curmsgs=%ld ",
1451 context->mq_getsetatt
1452 attr->mq_flags, attr-
1453 attr->mq_msgsize, att
1454 break; }
1455 case AUDIT_CAPSET:
1456 audit_log_format(ab, "pid=%d"
1457 audit_log_cap(ab, "cap_pi", &
1458 audit_log_cap(ab, "cap_pp", &
1459 audit_log_cap(ab, "cap_pe", &
1460 audit_log_cap(ab, "cap_pa", &
1461 break;
1462 case AUDIT_MMAP:
1463 audit_log_format(ab, "fd=%d f
1464 context->mma
1465 break;
1466 case AUDIT_OPENAT2:
1467 audit_log_format(ab, "oflag=0
1468 context->ope
1469 context->ope
1470 context->ope
1471 break;
1472 case AUDIT_EXECVE:
1473 audit_log_execve_info(context
1474 break;
1475 case AUDIT_KERN_MODULE:
1476 audit_log_format(ab, "name=")
1477 if (context->module.name) {
1478 audit_log_untrustedst
1479 } else
1480 audit_log_format(ab,
1481
1482 break;
1483 case AUDIT_TIME_ADJNTPVAL:
1484 case AUDIT_TIME_INJOFFSET:
1485 /* this call deviates from th
1486 audit_log_time(context, &ab);
1487 break;
1488 }
1489 audit_log_end(ab);
1490 }
1491
1492 static inline int audit_proctitle_rtrim(char
1493 {
1494 char *end = proctitle + len - 1;
1495
1496 while (end > proctitle && !isprint(*e
1497 end--;
1498
1499 /* catch the case where proctitle is
1500 len = end - proctitle + 1;
1501 len -= isprint(proctitle[len-1]) == 0
1502 return len;
1503 }
1504
1505 /*
1506 * audit_log_name - produce AUDIT_PATH record
1507 * @context: audit_context for the task
1508 * @n: audit_names structure with reportable
1509 * @path: optional path to report instead of
1510 * @record_num: record number to report when
1511 * @call_panic: optional pointer to int that
1512 */
1513 static void audit_log_name(struct audit_conte
1514 const struct path *path,
1515 {
1516 struct audit_buffer *ab;
1517
1518 ab = audit_log_start(context, GFP_KER
1519 if (!ab)
1520 return;
1521
1522 audit_log_format(ab, "item=%d", recor
1523
1524 if (path)
1525 audit_log_d_path(ab, " name="
1526 else if (n->name) {
1527 switch (n->name_len) {
1528 case AUDIT_NAME_FULL:
1529 /* log the full path
1530 audit_log_format(ab,
1531 audit_log_untrustedst
1532 break;
1533 case 0:
1534 /* name was specified
1535 * directory componen
1536 */
1537 if (context->pwd.dent
1538 audit_log_d_p
1539 else
1540 audit_log_for
1541 break;
1542 default:
1543 /* log the name's dir
1544 audit_log_format(ab,
1545 audit_log_n_untrusted
1546
1547 }
1548 } else
1549 audit_log_format(ab, " name=(
1550
1551 if (n->ino != AUDIT_INO_UNSET)
1552 audit_log_format(ab, " inode=
1553 n->ino,
1554 MAJOR(n->dev
1555 MINOR(n->dev
1556 n->mode,
1557 from_kuid(&i
1558 from_kgid(&i
1559 MAJOR(n->rde
1560 MINOR(n->rde
1561 if (n->osid != 0) {
1562 char *ctx = NULL;
1563 u32 len;
1564
1565 if (security_secid_to_secctx(
1566 n->osid, &ctx, &len))
1567 audit_log_format(ab,
1568 if (call_panic)
1569 *call_panic =
1570 } else {
1571 audit_log_format(ab,
1572 security_release_secc
1573 }
1574 }
1575
1576 /* log the audit_names record type */
1577 switch (n->type) {
1578 case AUDIT_TYPE_NORMAL:
1579 audit_log_format(ab, " namety
1580 break;
1581 case AUDIT_TYPE_PARENT:
1582 audit_log_format(ab, " namety
1583 break;
1584 case AUDIT_TYPE_CHILD_DELETE:
1585 audit_log_format(ab, " namety
1586 break;
1587 case AUDIT_TYPE_CHILD_CREATE:
1588 audit_log_format(ab, " namety
1589 break;
1590 default:
1591 audit_log_format(ab, " namety
1592 break;
1593 }
1594
1595 audit_log_fcaps(ab, n);
1596 audit_log_end(ab);
1597 }
1598
1599 static void audit_log_proctitle(void)
1600 {
1601 int res;
1602 char *buf;
1603 char *msg = "(null)";
1604 int len = strlen(msg);
1605 struct audit_context *context = audit
1606 struct audit_buffer *ab;
1607
1608 ab = audit_log_start(context, GFP_KER
1609 if (!ab)
1610 return; /* audit_panic or bei
1611
1612 audit_log_format(ab, "proctitle=");
1613
1614 /* Not cached */
1615 if (!context->proctitle.value) {
1616 buf = kmalloc(MAX_PROCTITLE_A
1617 if (!buf)
1618 goto out;
1619 /* Historically called this f
1620 res = get_cmdline(current, bu
1621 if (res == 0) {
1622 kfree(buf);
1623 goto out;
1624 }
1625 res = audit_proctitle_rtrim(b
1626 if (res == 0) {
1627 kfree(buf);
1628 goto out;
1629 }
1630 context->proctitle.value = bu
1631 context->proctitle.len = res;
1632 }
1633 msg = context->proctitle.value;
1634 len = context->proctitle.len;
1635 out:
1636 audit_log_n_untrustedstring(ab, msg,
1637 audit_log_end(ab);
1638 }
1639
1640 /**
1641 * audit_log_uring - generate a AUDIT_URINGOP
1642 * @ctx: the audit context
1643 */
1644 static void audit_log_uring(struct audit_cont
1645 {
1646 struct audit_buffer *ab;
1647 const struct cred *cred;
1648
1649 ab = audit_log_start(ctx, GFP_ATOMIC,
1650 if (!ab)
1651 return;
1652 cred = current_cred();
1653 audit_log_format(ab, "uring_op=%d", c
1654 if (ctx->return_valid != AUDITSC_INVA
1655 audit_log_format(ab, " succes
1656 (ctx->return
1657 "yes" : "no
1658 ctx->return_
1659 audit_log_format(ab,
1660 " items=%d"
1661 " ppid=%d pid=%d uid
1662 " fsuid=%u egid=%u s
1663 ctx->name_count,
1664 task_ppid_nr(current
1665 from_kuid(&init_user
1666 from_kgid(&init_user
1667 from_kuid(&init_user
1668 from_kuid(&init_user
1669 from_kuid(&init_user
1670 from_kgid(&init_user
1671 from_kgid(&init_user
1672 from_kgid(&init_user
1673 audit_log_task_context(ab);
1674 audit_log_key(ab, ctx->filterkey);
1675 audit_log_end(ab);
1676 }
1677
1678 static void audit_log_exit(void)
1679 {
1680 int i, call_panic = 0;
1681 struct audit_context *context = audit
1682 struct audit_buffer *ab;
1683 struct audit_aux_data *aux;
1684 struct audit_names *n;
1685
1686 context->personality = current->perso
1687
1688 switch (context->context) {
1689 case AUDIT_CTX_SYSCALL:
1690 ab = audit_log_start(context,
1691 if (!ab)
1692 return;
1693 audit_log_format(ab, "arch=%x
1694 context->arc
1695 if (context->personality != P
1696 audit_log_format(ab,
1697 if (context->return_valid !=
1698 audit_log_format(ab,
1699 (con
1700 "ye
1701 cont
1702 audit_log_format(ab,
1703 " a0=%lx a1=
1704 context->arg
1705 context->arg
1706 context->arg
1707 context->arg
1708 context->nam
1709 audit_log_task_info(ab);
1710 audit_log_key(ab, context->fi
1711 audit_log_end(ab);
1712 break;
1713 case AUDIT_CTX_URING:
1714 audit_log_uring(context);
1715 break;
1716 default:
1717 BUG();
1718 break;
1719 }
1720
1721 for (aux = context->aux; aux; aux = a
1722
1723 ab = audit_log_start(context,
1724 if (!ab)
1725 continue; /* audit_pa
1726
1727 switch (aux->type) {
1728
1729 case AUDIT_BPRM_FCAPS: {
1730 struct audit_aux_data
1731
1732 audit_log_format(ab,
1733 audit_log_cap(ab, "fp
1734 audit_log_cap(ab, "fi
1735 audit_log_format(ab,
1736 audit_log_cap(ab, "ol
1737 audit_log_cap(ab, "ol
1738 audit_log_cap(ab, "ol
1739 audit_log_cap(ab, "ol
1740 audit_log_cap(ab, "pp
1741 audit_log_cap(ab, "pi
1742 audit_log_cap(ab, "pe
1743 audit_log_cap(ab, "pa
1744 audit_log_format(ab,
1745 from
1746
1747 break; }
1748
1749 }
1750 audit_log_end(ab);
1751 }
1752
1753 if (context->type)
1754 show_special(context, &call_p
1755
1756 if (context->fds[0] >= 0) {
1757 ab = audit_log_start(context,
1758 if (ab) {
1759 audit_log_format(ab,
1760 conte
1761 audit_log_end(ab);
1762 }
1763 }
1764
1765 if (context->sockaddr_len) {
1766 ab = audit_log_start(context,
1767 if (ab) {
1768 audit_log_format(ab,
1769 audit_log_n_hex(ab, (
1770 conte
1771 audit_log_end(ab);
1772 }
1773 }
1774
1775 for (aux = context->aux_pids; aux; au
1776 struct audit_aux_data_pids *a
1777
1778 for (i = 0; i < axs->pid_coun
1779 if (audit_log_pid_con
1780
1781
1782
1783
1784
1785 call_panic =
1786 }
1787
1788 if (context->target_pid &&
1789 audit_log_pid_context(context, co
1790 context->ta
1791 context->ta
1792 context->ta
1793 call_panic = 1;
1794
1795 if (context->pwd.dentry && context->p
1796 ab = audit_log_start(context,
1797 if (ab) {
1798 audit_log_d_path(ab,
1799 audit_log_end(ab);
1800 }
1801 }
1802
1803 i = 0;
1804 list_for_each_entry(n, &context->name
1805 if (n->hidden)
1806 continue;
1807 audit_log_name(context, n, NU
1808 }
1809
1810 if (context->context == AUDIT_CTX_SYS
1811 audit_log_proctitle();
1812
1813 /* Send end of event record to help u
1814 ab = audit_log_start(context, GFP_KER
1815 if (ab)
1816 audit_log_end(ab);
1817 if (call_panic)
1818 audit_panic("error in audit_l
1819 }
1820
1821 /**
1822 * __audit_free - free a per-task audit conte
1823 * @tsk: task whose audit context block to fr
1824 *
1825 * Called from copy_process, do_exit, and the
1826 */
1827 void __audit_free(struct task_struct *tsk)
1828 {
1829 struct audit_context *context = tsk->
1830
1831 if (!context)
1832 return;
1833
1834 /* this may generate CONFIG_CHANGE re
1835 if (!list_empty(&context->killed_tree
1836 audit_kill_trees(context);
1837
1838 /* We are called either by do_exit()
1839 * in the former case tsk == current
1840 * random task_struct that doesn't ha
1841 * need to log via audit_log_exit().
1842 */
1843 if (tsk == current && !context->dummy
1844 context->return_valid = AUDIT
1845 context->return_code = 0;
1846 if (context->context == AUDIT
1847 audit_filter_syscall(
1848 audit_filter_inodes(t
1849 if (context->current_
1850 audit_log_exi
1851 } else if (context->context =
1852 /* TODO: verify this
1853 audit_filter_uring(ts
1854 audit_filter_inodes(t
1855 if (context->current_
1856 audit_log_uri
1857 }
1858 }
1859
1860 audit_set_context(tsk, NULL);
1861 audit_free_context(context);
1862 }
1863
1864 /**
1865 * audit_return_fixup - fixup the return code
1866 * @ctx: the audit_context
1867 * @success: true/false value to indicate if
1868 * @code: operation return code
1869 *
1870 * We need to fixup the return code in the au
1871 * codes are later going to be fixed by the a
1872 */
1873 static void audit_return_fixup(struct audit_c
1874 int success, l
1875 {
1876 /*
1877 * This is actually a test for:
1878 * (rc == ERESTARTSYS ) || (rc == ERE
1879 * (rc == ERESTARTNOHAND) || (rc == E
1880 *
1881 * but is faster than a bunch of ||
1882 */
1883 if (unlikely(code <= -ERESTARTSYS) &&
1884 (code >= -ERESTART_RESTARTBLOCK)
1885 (code != -ENOIOCTLCMD))
1886 ctx->return_code = -EINTR;
1887 else
1888 ctx->return_code = code;
1889 ctx->return_valid = (success ? AUDITS
1890 }
1891
1892 /**
1893 * __audit_uring_entry - prepare the kernel t
1894 * @op: the io_uring opcode
1895 *
1896 * This is similar to audit_syscall_entry() b
1897 * operations. This function should only eve
1898 * audit_uring_entry() as we rely on the audi
1899 * function.
1900 */
1901 void __audit_uring_entry(u8 op)
1902 {
1903 struct audit_context *ctx = audit_con
1904
1905 if (ctx->state == AUDIT_STATE_DISABLE
1906 return;
1907
1908 /*
1909 * NOTE: It's possible that we can be
1910 * before it returns to userspa
1911 * is called. In this case the
1912 * the io_uring details and ret
1913 */
1914 ctx->uring_op = op;
1915 if (ctx->context == AUDIT_CTX_SYSCALL
1916 return;
1917
1918 ctx->dummy = !audit_n_rules;
1919 if (!ctx->dummy && ctx->state == AUDI
1920 ctx->prio = 0;
1921
1922 ctx->context = AUDIT_CTX_URING;
1923 ctx->current_state = ctx->state;
1924 ktime_get_coarse_real_ts64(&ctx->ctim
1925 }
1926
1927 /**
1928 * __audit_uring_exit - wrap up the kernel ta
1929 * @success: true/false value to indicate if
1930 * @code: operation return code
1931 *
1932 * This is similar to audit_syscall_exit() bu
1933 * operations. This function should only eve
1934 * audit_uring_exit() as we rely on the audit
1935 * function.
1936 */
1937 void __audit_uring_exit(int success, long cod
1938 {
1939 struct audit_context *ctx = audit_con
1940
1941 if (ctx->dummy) {
1942 if (ctx->context != AUDIT_CTX
1943 return;
1944 goto out;
1945 }
1946
1947 audit_return_fixup(ctx, success, code
1948 if (ctx->context == AUDIT_CTX_SYSCALL
1949 /*
1950 * NOTE: See the note in __au
1951 * where we may be call
1952 * return to userspace
1953 * case we simply emit
1954 * normal syscall exit
1955 * everything else.
1956 * It is also worth men
1957 * the current process
1958 * used during the norm
1959 * in mind if/when we m
1960 */
1961
1962 /*
1963 * We need to filter on the s
1964 * should emit a URINGOP reco
1965 * solves the problem where u
1966 * syscall records in the "ex
1967 * the behavior here.
1968 */
1969 audit_filter_syscall(current,
1970 if (ctx->current_state != AUD
1971 audit_filter_uring(cu
1972 audit_filter_inodes(current,
1973 if (ctx->current_state != AUD
1974 return;
1975
1976 audit_log_uring(ctx);
1977 return;
1978 }
1979
1980 /* this may generate CONFIG_CHANGE re
1981 if (!list_empty(&ctx->killed_trees))
1982 audit_kill_trees(ctx);
1983
1984 /* run through both filters to ensure
1985 audit_filter_uring(current, ctx);
1986 audit_filter_inodes(current, ctx);
1987 if (ctx->current_state != AUDIT_STATE
1988 goto out;
1989 audit_log_exit();
1990
1991 out:
1992 audit_reset_context(ctx);
1993 }
1994
1995 /**
1996 * __audit_syscall_entry - fill in an audit r
1997 * @major: major syscall type (function)
1998 * @a1: additional syscall register 1
1999 * @a2: additional syscall register 2
2000 * @a3: additional syscall register 3
2001 * @a4: additional syscall register 4
2002 *
2003 * Fill in audit context at syscall entry. T
2004 * audit context was created when the task wa
2005 * filters demand the audit context be built.
2006 * per-task filter or from the per-syscall fi
2007 * then the record will be written at syscall
2008 * will only be written if another part of th
2009 * be written).
2010 */
2011 void __audit_syscall_entry(int major, unsigne
2012 unsigned long a3,
2013 {
2014 struct audit_context *context = audit
2015 enum audit_state state;
2016
2017 if (!audit_enabled || !context)
2018 return;
2019
2020 WARN_ON(context->context != AUDIT_CTX
2021 WARN_ON(context->name_count);
2022 if (context->context != AUDIT_CTX_UNU
2023 audit_panic("unrecoverable er
2024 return;
2025 }
2026
2027 state = context->state;
2028 if (state == AUDIT_STATE_DISABLED)
2029 return;
2030
2031 context->dummy = !audit_n_rules;
2032 if (!context->dummy && state == AUDIT
2033 context->prio = 0;
2034 if (auditd_test_task(current)
2035 return;
2036 }
2037
2038 context->arch = syscall_get_arc
2039 context->major = major;
2040 context->argv[0] = a1;
2041 context->argv[1] = a2;
2042 context->argv[2] = a3;
2043 context->argv[3] = a4;
2044 context->context = AUDIT_CTX_SYSCALL;
2045 context->current_state = state;
2046 ktime_get_coarse_real_ts64(&context->
2047 }
2048
2049 /**
2050 * __audit_syscall_exit - deallocate audit co
2051 * @success: success value of the syscall
2052 * @return_code: return value of the syscall
2053 *
2054 * Tear down after system call. If the audit
2055 * auditable (either because of the AUDIT_STA
2056 * filtering, or because some other part of t
2057 * message), then write out the syscall infor
2058 * free the names stored from getname().
2059 */
2060 void __audit_syscall_exit(int success, long r
2061 {
2062 struct audit_context *context = audit
2063
2064 if (!context || context->dummy ||
2065 context->context != AUDIT_CTX_SYS
2066 goto out;
2067
2068 /* this may generate CONFIG_CHANGE re
2069 if (!list_empty(&context->killed_tree
2070 audit_kill_trees(context);
2071
2072 audit_return_fixup(context, success,
2073 /* run through both filters to ensure
2074 audit_filter_syscall(current, context
2075 audit_filter_inodes(current, context)
2076 if (context->current_state != AUDIT_S
2077 goto out;
2078
2079 audit_log_exit();
2080
2081 out:
2082 audit_reset_context(context);
2083 }
2084
2085 static inline void handle_one(const struct in
2086 {
2087 struct audit_context *context;
2088 struct audit_tree_refs *p;
2089 struct audit_chunk *chunk;
2090 int count;
2091
2092 if (likely(!inode->i_fsnotify_marks))
2093 return;
2094 context = audit_context();
2095 p = context->trees;
2096 count = context->tree_count;
2097 rcu_read_lock();
2098 chunk = audit_tree_lookup(inode);
2099 rcu_read_unlock();
2100 if (!chunk)
2101 return;
2102 if (likely(put_tree_ref(context, chun
2103 return;
2104 if (unlikely(!grow_tree_refs(context)
2105 pr_warn("out of memory, audit
2106 audit_set_auditable(context);
2107 audit_put_chunk(chunk);
2108 unroll_tree_refs(context, p,
2109 return;
2110 }
2111 put_tree_ref(context, chunk);
2112 }
2113
2114 static void handle_path(const struct dentry *
2115 {
2116 struct audit_context *context;
2117 struct audit_tree_refs *p;
2118 const struct dentry *d, *parent;
2119 struct audit_chunk *drop;
2120 unsigned long seq;
2121 int count;
2122
2123 context = audit_context();
2124 p = context->trees;
2125 count = context->tree_count;
2126 retry:
2127 drop = NULL;
2128 d = dentry;
2129 rcu_read_lock();
2130 seq = read_seqbegin(&rename_lock);
2131 for (;;) {
2132 struct inode *inode = d_backi
2133
2134 if (inode && unlikely(inode->
2135 struct audit_chunk *c
2136
2137 chunk = audit_tree_lo
2138 if (chunk) {
2139 if (unlikely(
2140 drop
2141 break
2142 }
2143 }
2144 }
2145 parent = d->d_parent;
2146 if (parent == d)
2147 break;
2148 d = parent;
2149 }
2150 if (unlikely(read_seqretry(&rename_lo
2151 rcu_read_unlock();
2152 if (!drop) {
2153 /* just a race with r
2154 unroll_tree_refs(cont
2155 goto retry;
2156 }
2157 audit_put_chunk(drop);
2158 if (grow_tree_refs(context))
2159 /* OK, got more space
2160 unroll_tree_refs(cont
2161 goto retry;
2162 }
2163 /* too bad */
2164 pr_warn("out of memory, audit
2165 unroll_tree_refs(context, p,
2166 audit_set_auditable(context);
2167 return;
2168 }
2169 rcu_read_unlock();
2170 }
2171
2172 static struct audit_names *audit_alloc_name(s
2173
2174 {
2175 struct audit_names *aname;
2176
2177 if (context->name_count < AUDIT_NAMES
2178 aname = &context->preallocate
2179 memset(aname, 0, sizeof(*anam
2180 } else {
2181 aname = kzalloc(sizeof(*aname
2182 if (!aname)
2183 return NULL;
2184 aname->should_free = true;
2185 }
2186
2187 aname->ino = AUDIT_INO_UNSET;
2188 aname->type = type;
2189 list_add_tail(&aname->list, &context-
2190
2191 context->name_count++;
2192 if (!context->pwd.dentry)
2193 get_fs_pwd(current->fs, &cont
2194 return aname;
2195 }
2196
2197 /**
2198 * __audit_reusename - fill out filename with
2199 * @uptr: userland ptr to pathname
2200 *
2201 * Search the audit_names list for the curren
2202 * existing entry with a matching "uptr" then
2203 * associated with that audit_name. If not, r
2204 */
2205 struct filename *
2206 __audit_reusename(const __user char *uptr)
2207 {
2208 struct audit_context *context = audit
2209 struct audit_names *n;
2210
2211 list_for_each_entry(n, &context->name
2212 if (!n->name)
2213 continue;
2214 if (n->name->uptr == uptr) {
2215 atomic_inc(&n->name->
2216 return n->name;
2217 }
2218 }
2219 return NULL;
2220 }
2221
2222 /**
2223 * __audit_getname - add a name to the list
2224 * @name: name to add
2225 *
2226 * Add a name to the list of audit names for
2227 * Called from fs/namei.c:getname().
2228 */
2229 void __audit_getname(struct filename *name)
2230 {
2231 struct audit_context *context = audit
2232 struct audit_names *n;
2233
2234 if (context->context == AUDIT_CTX_UNU
2235 return;
2236
2237 n = audit_alloc_name(context, AUDIT_T
2238 if (!n)
2239 return;
2240
2241 n->name = name;
2242 n->name_len = AUDIT_NAME_FULL;
2243 name->aname = n;
2244 atomic_inc(&name->refcnt);
2245 }
2246
2247 static inline int audit_copy_fcaps(struct aud
2248 const stru
2249 {
2250 struct cpu_vfs_cap_data caps;
2251 int rc;
2252
2253 if (!dentry)
2254 return 0;
2255
2256 rc = get_vfs_caps_from_disk(&nop_mnt_
2257 if (rc)
2258 return rc;
2259
2260 name->fcap.permitted = caps.permitted
2261 name->fcap.inheritable = caps.inherit
2262 name->fcap.fE = !!(caps.magic_etc & V
2263 name->fcap.rootid = caps.rootid;
2264 name->fcap_ver = (caps.magic_etc & VF
2265 VFS_CAP_REVIS
2266
2267 return 0;
2268 }
2269
2270 /* Copy inode data into an audit_names. */
2271 static void audit_copy_inode(struct audit_nam
2272 const struct den
2273 struct inode *in
2274 {
2275 name->ino = inode->i_ino;
2276 name->dev = inode->i_sb->s_dev;
2277 name->mode = inode->i_mode;
2278 name->uid = inode->i_uid;
2279 name->gid = inode->i_gid;
2280 name->rdev = inode->i_rdev;
2281 security_inode_getsecid(inode, &name-
2282 if (flags & AUDIT_INODE_NOEVAL) {
2283 name->fcap_ver = -1;
2284 return;
2285 }
2286 audit_copy_fcaps(name, dentry);
2287 }
2288
2289 /**
2290 * __audit_inode - store the inode and device
2291 * @name: name being audited
2292 * @dentry: dentry being audited
2293 * @flags: attributes for this particular ent
2294 */
2295 void __audit_inode(struct filename *name, con
2296 unsigned int flags)
2297 {
2298 struct audit_context *context = audit
2299 struct inode *inode = d_backing_inode
2300 struct audit_names *n;
2301 bool parent = flags & AUDIT_INODE_PAR
2302 struct audit_entry *e;
2303 struct list_head *list = &audit_filte
2304 int i;
2305
2306 if (context->context == AUDIT_CTX_UNU
2307 return;
2308
2309 rcu_read_lock();
2310 list_for_each_entry_rcu(e, list, list
2311 for (i = 0; i < e->rule.field
2312 struct audit_field *f
2313
2314 if (f->type == AUDIT_
2315 && audit_comparat
2316
2317 && e->rule.action
2318 rcu_read_unlo
2319 return;
2320 }
2321 }
2322 }
2323 rcu_read_unlock();
2324
2325 if (!name)
2326 goto out_alloc;
2327
2328 /*
2329 * If we have a pointer to an audit_n
2330 * just use it directly if the type i
2331 */
2332 n = name->aname;
2333 if (n) {
2334 if (parent) {
2335 if (n->type == AUDIT_
2336 n->type == AUDIT_
2337 goto out;
2338 } else {
2339 if (n->type != AUDIT_
2340 goto out;
2341 }
2342 }
2343
2344 list_for_each_entry_reverse(n, &conte
2345 if (n->ino) {
2346 /* valid inode number
2347 if (n->ino != inode->
2348 n->dev != inode->
2349 continue;
2350 } else if (n->name) {
2351 /* inode number has n
2352 if (strcmp(n->name->n
2353 continue;
2354 } else
2355 /* no inode and no na
2356 continue;
2357
2358 /* match the correct record t
2359 if (parent) {
2360 if (n->type == AUDIT_
2361 n->type == AUDIT_
2362 goto out;
2363 } else {
2364 if (n->type != AUDIT_
2365 goto out;
2366 }
2367 }
2368
2369 out_alloc:
2370 /* unable to find an entry with both
2371 n = audit_alloc_name(context, AUDIT_T
2372 if (!n)
2373 return;
2374 if (name) {
2375 n->name = name;
2376 atomic_inc(&name->refcnt);
2377 }
2378
2379 out:
2380 if (parent) {
2381 n->name_len = n->name ? paren
2382 n->type = AUDIT_TYPE_PARENT;
2383 if (flags & AUDIT_INODE_HIDDE
2384 n->hidden = true;
2385 } else {
2386 n->name_len = AUDIT_NAME_FULL
2387 n->type = AUDIT_TYPE_NORMAL;
2388 }
2389 handle_path(dentry);
2390 audit_copy_inode(n, dentry, inode, fl
2391 }
2392
2393 void __audit_file(const struct file *file)
2394 {
2395 __audit_inode(NULL, file->f_path.dent
2396 }
2397
2398 /**
2399 * __audit_inode_child - collect inode info f
2400 * @parent: inode of dentry parent
2401 * @dentry: dentry being audited
2402 * @type: AUDIT_TYPE_* value that we're loo
2403 *
2404 * For syscalls that create or remove filesys
2405 * can only collect information for the files
2406 * This call updates the audit context with t
2407 * Syscalls that create a new filesystem obje
2408 * the object is created. Syscalls that remo
2409 * must be hooked prior, in order to capture
2410 * unsuccessful attempts.
2411 */
2412 void __audit_inode_child(struct inode *parent
2413 const struct dentry
2414 const unsigned char
2415 {
2416 struct audit_context *context = audit
2417 struct inode *inode = d_backing_inode
2418 const struct qstr *dname = &dentry->d
2419 struct audit_names *n, *found_parent
2420 struct audit_entry *e;
2421 struct list_head *list = &audit_filte
2422 int i;
2423
2424 if (context->context == AUDIT_CTX_UNU
2425 return;
2426
2427 rcu_read_lock();
2428 list_for_each_entry_rcu(e, list, list
2429 for (i = 0; i < e->rule.field
2430 struct audit_field *f
2431
2432 if (f->type == AUDIT_
2433 && audit_comparat
2434
2435 && e->rule.action
2436 rcu_read_unlo
2437 return;
2438 }
2439 }
2440 }
2441 rcu_read_unlock();
2442
2443 if (inode)
2444 handle_one(inode);
2445
2446 /* look for a parent entry first */
2447 list_for_each_entry(n, &context->name
2448 if (!n->name ||
2449 (n->type != AUDIT_TYPE_PA
2450 n->type != AUDIT_TYPE_UN
2451 continue;
2452
2453 if (n->ino == parent->i_ino &
2454 !audit_compare_dname_path
2455
2456 if (n->type == AUDIT_
2457 n->type = AUD
2458 found_parent = n;
2459 break;
2460 }
2461 }
2462
2463 cond_resched();
2464
2465 /* is there a matching child entry? *
2466 list_for_each_entry(n, &context->name
2467 /* can only match entries tha
2468 if (!n->name ||
2469 (n->type != type && n->ty
2470 continue;
2471
2472 if (!strcmp(dname->name, n->n
2473 !audit_compare_dname_path
2474
2475
2476
2477 if (n->type == AUDIT_
2478 n->type = typ
2479 found_child = n;
2480 break;
2481 }
2482 }
2483
2484 if (!found_parent) {
2485 /* create a new, "anonymous"
2486 n = audit_alloc_name(context,
2487 if (!n)
2488 return;
2489 audit_copy_inode(n, NULL, par
2490 }
2491
2492 if (!found_child) {
2493 found_child = audit_alloc_nam
2494 if (!found_child)
2495 return;
2496
2497 /* Re-use the name belonging
2498 * directory. All names for t
2499 * audit_free_names() */
2500 if (found_parent) {
2501 found_child->name = f
2502 found_child->name_len
2503 atomic_inc(&found_chi
2504 }
2505 }
2506
2507 if (inode)
2508 audit_copy_inode(found_child,
2509 else
2510 found_child->ino = AUDIT_INO_
2511 }
2512 EXPORT_SYMBOL_GPL(__audit_inode_child);
2513
2514 /**
2515 * auditsc_get_stamp - get local copies of au
2516 * @ctx: audit_context for the task
2517 * @t: timespec64 to store time recorded in t
2518 * @serial: serial value that is recorded in
2519 *
2520 * Also sets the context as auditable.
2521 */
2522 int auditsc_get_stamp(struct audit_context *c
2523 struct timespec64 *t,
2524 {
2525 if (ctx->context == AUDIT_CTX_UNUSED)
2526 return 0;
2527 if (!ctx->serial)
2528 ctx->serial = audit_serial();
2529 t->tv_sec = ctx->ctime.tv_sec;
2530 t->tv_nsec = ctx->ctime.tv_nsec;
2531 *serial = ctx->serial;
2532 if (!ctx->prio) {
2533 ctx->prio = 1;
2534 ctx->current_state = AUDIT_ST
2535 }
2536 return 1;
2537 }
2538
2539 /**
2540 * __audit_mq_open - record audit data for a
2541 * @oflag: open flag
2542 * @mode: mode bits
2543 * @attr: queue attributes
2544 *
2545 */
2546 void __audit_mq_open(int oflag, umode_t mode,
2547 {
2548 struct audit_context *context = audit
2549
2550 if (attr)
2551 memcpy(&context->mq_open.attr
2552 else
2553 memset(&context->mq_open.attr
2554
2555 context->mq_open.oflag = oflag;
2556 context->mq_open.mode = mode;
2557
2558 context->type = AUDIT_MQ_OPEN;
2559 }
2560
2561 /**
2562 * __audit_mq_sendrecv - record audit data fo
2563 * @mqdes: MQ descriptor
2564 * @msg_len: Message length
2565 * @msg_prio: Message priority
2566 * @abs_timeout: Message timeout in absolute
2567 *
2568 */
2569 void __audit_mq_sendrecv(mqd_t mqdes, size_t
2570 const struct timespec
2571 {
2572 struct audit_context *context = audit
2573 struct timespec64 *p = &context->mq_s
2574
2575 if (abs_timeout)
2576 memcpy(p, abs_timeout, sizeof
2577 else
2578 memset(p, 0, sizeof(*p));
2579
2580 context->mq_sendrecv.mqdes = mqdes;
2581 context->mq_sendrecv.msg_len = msg_le
2582 context->mq_sendrecv.msg_prio = msg_p
2583
2584 context->type = AUDIT_MQ_SENDRECV;
2585 }
2586
2587 /**
2588 * __audit_mq_notify - record audit data for
2589 * @mqdes: MQ descriptor
2590 * @notification: Notification event
2591 *
2592 */
2593
2594 void __audit_mq_notify(mqd_t mqdes, const str
2595 {
2596 struct audit_context *context = audit
2597
2598 if (notification)
2599 context->mq_notify.sigev_sign
2600 else
2601 context->mq_notify.sigev_sign
2602
2603 context->mq_notify.mqdes = mqdes;
2604 context->type = AUDIT_MQ_NOTIFY;
2605 }
2606
2607 /**
2608 * __audit_mq_getsetattr - record audit data
2609 * @mqdes: MQ descriptor
2610 * @mqstat: MQ flags
2611 *
2612 */
2613 void __audit_mq_getsetattr(mqd_t mqdes, struc
2614 {
2615 struct audit_context *context = audit
2616
2617 context->mq_getsetattr.mqdes = mqdes;
2618 context->mq_getsetattr.mqstat = *mqst
2619 context->type = AUDIT_MQ_GETSETATTR;
2620 }
2621
2622 /**
2623 * __audit_ipc_obj - record audit data for ip
2624 * @ipcp: ipc permissions
2625 *
2626 */
2627 void __audit_ipc_obj(struct kern_ipc_perm *ip
2628 {
2629 struct audit_context *context = audit
2630
2631 context->ipc.uid = ipcp->uid;
2632 context->ipc.gid = ipcp->gid;
2633 context->ipc.mode = ipcp->mode;
2634 context->ipc.has_perm = 0;
2635 security_ipc_getsecid(ipcp, &context-
2636 context->type = AUDIT_IPC;
2637 }
2638
2639 /**
2640 * __audit_ipc_set_perm - record audit data f
2641 * @qbytes: msgq bytes
2642 * @uid: msgq user id
2643 * @gid: msgq group id
2644 * @mode: msgq mode (permissions)
2645 *
2646 * Called only after audit_ipc_obj().
2647 */
2648 void __audit_ipc_set_perm(unsigned long qbyte
2649 {
2650 struct audit_context *context = audit
2651
2652 context->ipc.qbytes = qbytes;
2653 context->ipc.perm_uid = uid;
2654 context->ipc.perm_gid = gid;
2655 context->ipc.perm_mode = mode;
2656 context->ipc.has_perm = 1;
2657 }
2658
2659 void __audit_bprm(struct linux_binprm *bprm)
2660 {
2661 struct audit_context *context = audit
2662
2663 context->type = AUDIT_EXECVE;
2664 context->execve.argc = bprm->argc;
2665 }
2666
2667
2668 /**
2669 * __audit_socketcall - record audit data for
2670 * @nargs: number of args, which should not b
2671 * @args: args array
2672 *
2673 */
2674 int __audit_socketcall(int nargs, unsigned lo
2675 {
2676 struct audit_context *context = audit
2677
2678 if (nargs <= 0 || nargs > AUDITSC_ARG
2679 return -EINVAL;
2680 context->type = AUDIT_SOCKETCALL;
2681 context->socketcall.nargs = nargs;
2682 memcpy(context->socketcall.args, args
2683 return 0;
2684 }
2685
2686 /**
2687 * __audit_fd_pair - record audit data for pi
2688 * @fd1: the first file descriptor
2689 * @fd2: the second file descriptor
2690 *
2691 */
2692 void __audit_fd_pair(int fd1, int fd2)
2693 {
2694 struct audit_context *context = audit
2695
2696 context->fds[0] = fd1;
2697 context->fds[1] = fd2;
2698 }
2699
2700 /**
2701 * __audit_sockaddr - record audit data for s
2702 * @len: data length in user space
2703 * @a: data address in kernel space
2704 *
2705 * Returns 0 for success or NULL context or <
2706 */
2707 int __audit_sockaddr(int len, void *a)
2708 {
2709 struct audit_context *context = audit
2710
2711 if (!context->sockaddr) {
2712 void *p = kmalloc(sizeof(stru
2713
2714 if (!p)
2715 return -ENOMEM;
2716 context->sockaddr = p;
2717 }
2718
2719 context->sockaddr_len = len;
2720 memcpy(context->sockaddr, a, len);
2721 return 0;
2722 }
2723
2724 void __audit_ptrace(struct task_struct *t)
2725 {
2726 struct audit_context *context = audit
2727
2728 context->target_pid = task_tgid_nr(t)
2729 context->target_auid = audit_get_logi
2730 context->target_uid = task_uid(t);
2731 context->target_sessionid = audit_get
2732 security_task_getsecid_obj(t, &contex
2733 memcpy(context->target_comm, t->comm,
2734 }
2735
2736 /**
2737 * audit_signal_info_syscall - record signal
2738 * @t: task being signaled
2739 *
2740 * If the audit subsystem is being terminated
2741 * and uid that is doing that.
2742 */
2743 int audit_signal_info_syscall(struct task_str
2744 {
2745 struct audit_aux_data_pids *axp;
2746 struct audit_context *ctx = audit_con
2747 kuid_t t_uid = task_uid(t);
2748
2749 if (!audit_signals || audit_dummy_con
2750 return 0;
2751
2752 /* optimize the common case by puttin
2753 * in audit_context */
2754 if (!ctx->target_pid) {
2755 ctx->target_pid = task_tgid_n
2756 ctx->target_auid = audit_get_
2757 ctx->target_uid = t_uid;
2758 ctx->target_sessionid = audit
2759 security_task_getsecid_obj(t,
2760 memcpy(ctx->target_comm, t->c
2761 return 0;
2762 }
2763
2764 axp = (void *)ctx->aux_pids;
2765 if (!axp || axp->pid_count == AUDIT_A
2766 axp = kzalloc(sizeof(*axp), G
2767 if (!axp)
2768 return -ENOMEM;
2769
2770 axp->d.type = AUDIT_OBJ_PID;
2771 axp->d.next = ctx->aux_pids;
2772 ctx->aux_pids = (void *)axp;
2773 }
2774 BUG_ON(axp->pid_count >= AUDIT_AUX_PI
2775
2776 axp->target_pid[axp->pid_count] = tas
2777 axp->target_auid[axp->pid_count] = au
2778 axp->target_uid[axp->pid_count] = t_u
2779 axp->target_sessionid[axp->pid_count]
2780 security_task_getsecid_obj(t, &axp->t
2781 memcpy(axp->target_comm[axp->pid_coun
2782 axp->pid_count++;
2783
2784 return 0;
2785 }
2786
2787 /**
2788 * __audit_log_bprm_fcaps - store information
2789 * @bprm: pointer to the bprm being processed
2790 * @new: the proposed new credentials
2791 * @old: the old credentials
2792 *
2793 * Simply check if the proc already has the c
2794 * store the priv escalation info for later a
2795 *
2796 * -Eric
2797 */
2798 int __audit_log_bprm_fcaps(struct linux_binpr
2799 const struct cred
2800 {
2801 struct audit_aux_data_bprm_fcaps *ax;
2802 struct audit_context *context = audit
2803 struct cpu_vfs_cap_data vcaps;
2804
2805 ax = kmalloc(sizeof(*ax), GFP_KERNEL)
2806 if (!ax)
2807 return -ENOMEM;
2808
2809 ax->d.type = AUDIT_BPRM_FCAPS;
2810 ax->d.next = context->aux;
2811 context->aux = (void *)ax;
2812
2813 get_vfs_caps_from_disk(&nop_mnt_idmap
2814 bprm->file->f_
2815
2816 ax->fcap.permitted = vcaps.permitted;
2817 ax->fcap.inheritable = vcaps.inherita
2818 ax->fcap.fE = !!(vcaps.magic_etc & VF
2819 ax->fcap.rootid = vcaps.rootid;
2820 ax->fcap_ver = (vcaps.magic_etc & VFS
2821
2822 ax->old_pcap.permitted = old->cap_p
2823 ax->old_pcap.inheritable = old->cap_i
2824 ax->old_pcap.effective = old->cap_e
2825 ax->old_pcap.ambient = old->cap_a
2826
2827 ax->new_pcap.permitted = new->cap_p
2828 ax->new_pcap.inheritable = new->cap_i
2829 ax->new_pcap.effective = new->cap_e
2830 ax->new_pcap.ambient = new->cap_a
2831 return 0;
2832 }
2833
2834 /**
2835 * __audit_log_capset - store information abo
2836 * @new: the new credentials
2837 * @old: the old (current) credentials
2838 *
2839 * Record the arguments userspace sent to sys
2840 * audit system if applicable
2841 */
2842 void __audit_log_capset(const struct cred *ne
2843 {
2844 struct audit_context *context = audit
2845
2846 context->capset.pid = task_tgid_nr(cu
2847 context->capset.cap.effective = new
2848 context->capset.cap.inheritable = new
2849 context->capset.cap.permitted = new
2850 context->capset.cap.ambient = new
2851 context->type = AUDIT_CAPSET;
2852 }
2853
2854 void __audit_mmap_fd(int fd, int flags)
2855 {
2856 struct audit_context *context = audit
2857
2858 context->mmap.fd = fd;
2859 context->mmap.flags = flags;
2860 context->type = AUDIT_MMAP;
2861 }
2862
2863 void __audit_openat2_how(struct open_how *how
2864 {
2865 struct audit_context *context = audit
2866
2867 context->openat2.flags = how->flags;
2868 context->openat2.mode = how->mode;
2869 context->openat2.resolve = how->resol
2870 context->type = AUDIT_OPENAT2;
2871 }
2872
2873 void __audit_log_kern_module(char *name)
2874 {
2875 struct audit_context *context = audit
2876
2877 context->module.name = kstrdup(name,
2878 if (!context->module.name)
2879 audit_log_lost("out of memory
2880 context->type = AUDIT_KERN_MODULE;
2881 }
2882
2883 void __audit_fanotify(u32 response, struct fa
2884 {
2885 /* {subj,obj}_trust values are {0,1,2
2886 switch (friar->hdr.type) {
2887 case FAN_RESPONSE_INFO_NONE:
2888 audit_log(audit_context(), GF
2889 "resp=%u fan_type=%
2890 response, FAN_RESPO
2891 break;
2892 case FAN_RESPONSE_INFO_AUDIT_RULE:
2893 audit_log(audit_context(), GF
2894 "resp=%u fan_type=%
2895 response, friar->hd
2896 friar->subj_trust,
2897 }
2898 }
2899
2900 void __audit_tk_injoffset(struct timespec64 o
2901 {
2902 struct audit_context *context = audit
2903
2904 /* only set type if not already set b
2905 if (!context->type)
2906 context->type = AUDIT_TIME_IN
2907 memcpy(&context->time.tk_injoffset, &
2908 }
2909
2910 void __audit_ntp_log(const struct audit_ntp_d
2911 {
2912 struct audit_context *context = audit
2913 int type;
2914
2915 for (type = 0; type < AUDIT_NTP_NVALS
2916 if (ad->vals[type].newval !=
2917 /* unconditionally se
2918 context->type = AUDIT
2919 memcpy(&context->time
2920 break;
2921 }
2922 }
2923
2924 void __audit_log_nfcfg(const char *name, u8 a
2925 enum audit_nfcfgop op,
2926 {
2927 struct audit_buffer *ab;
2928 char comm[sizeof(current->comm)];
2929
2930 ab = audit_log_start(audit_context(),
2931 if (!ab)
2932 return;
2933 audit_log_format(ab, "table=%s family
2934 name, af, nentries,
2935
2936 audit_log_format(ab, " pid=%u", task_
2937 audit_log_task_context(ab); /* subj=
2938 audit_log_format(ab, " comm=");
2939 audit_log_untrustedstring(ab, get_tas
2940 audit_log_end(ab);
2941 }
2942 EXPORT_SYMBOL_GPL(__audit_log_nfcfg);
2943
2944 static void audit_log_task(struct audit_buffe
2945 {
2946 kuid_t auid, uid;
2947 kgid_t gid;
2948 unsigned int sessionid;
2949 char comm[sizeof(current->comm)];
2950
2951 auid = audit_get_loginuid(current);
2952 sessionid = audit_get_sessionid(curre
2953 current_uid_gid(&uid, &gid);
2954
2955 audit_log_format(ab, "auid=%u uid=%u
2956 from_kuid(&init_user
2957 from_kuid(&init_user
2958 from_kgid(&init_user
2959 sessionid);
2960 audit_log_task_context(ab);
2961 audit_log_format(ab, " pid=%d comm=",
2962 audit_log_untrustedstring(ab, get_tas
2963 audit_log_d_path_exe(ab, current->mm)
2964 }
2965
2966 /**
2967 * audit_core_dumps - record information abou
2968 * @signr: signal value
2969 *
2970 * If a process ends with a core dump, someth
2971 * should record the event for investigation.
2972 */
2973 void audit_core_dumps(long signr)
2974 {
2975 struct audit_buffer *ab;
2976
2977 if (!audit_enabled)
2978 return;
2979
2980 if (signr == SIGQUIT) /* don't care
2981 return;
2982
2983 ab = audit_log_start(audit_context(),
2984 if (unlikely(!ab))
2985 return;
2986 audit_log_task(ab);
2987 audit_log_format(ab, " sig=%ld res=1"
2988 audit_log_end(ab);
2989 }
2990
2991 /**
2992 * audit_seccomp - record information about a
2993 * @syscall: syscall number
2994 * @signr: signal value
2995 * @code: the seccomp action
2996 *
2997 * Record the information associated with a s
2998 * seccomp actions that are not to be logged
2999 * Therefore, this function forces auditing i
3000 * and dummy context state because seccomp ac
3001 * audit is not in use.
3002 */
3003 void audit_seccomp(unsigned long syscall, lon
3004 {
3005 struct audit_buffer *ab;
3006
3007 ab = audit_log_start(audit_context(),
3008 if (unlikely(!ab))
3009 return;
3010 audit_log_task(ab);
3011 audit_log_format(ab, " sig=%ld arch=%
3012 signr, syscall_get_a
3013 in_compat_syscall(),
3014 audit_log_end(ab);
3015 }
3016
3017 void audit_seccomp_actions_logged(const char
3018 int res)
3019 {
3020 struct audit_buffer *ab;
3021
3022 if (!audit_enabled)
3023 return;
3024
3025 ab = audit_log_start(audit_context(),
3026 AUDIT_CONFIG_CHA
3027 if (unlikely(!ab))
3028 return;
3029
3030 audit_log_format(ab,
3031 "op=seccomp-logging
3032 names, old_names, re
3033 audit_log_end(ab);
3034 }
3035
3036 struct list_head *audit_killed_trees(void)
3037 {
3038 struct audit_context *ctx = audit_con
3039 if (likely(!ctx || ctx->context == AU
3040 return NULL;
3041 return &ctx->killed_trees;
3042 }
3043
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.