Doug / smarc-fsl-linux-kernel

Download as
Browse Code ยป

Commit 42ae610c1a820ddecb80943d4ccfc936f7772535

Authored by Randy Dunlap
Committed by Linus Torvalds
1 parent 70c95b00b8
Exists in smarc-l5.0.0_1.0.0-ga and in 5 other branches imx_3.10.17_1.0.1_ga, imx_3.10.53_1.1.0_ga, imx_3.14.28_1.0.0_ga, smarc-imx_3.10.53_1.1.0_ga, smarc-imx_3.14.28_1.0.0_ga

kernel-doc: fix new warnings in auditsc.c 

Fix new kernel-doc warnings in auditsc.c:

Warning(kernel/auditsc.c:1875): No description found for parameter 'success'
Warning(kernel/auditsc.c:1875): No description found for parameter 'return_code'
Warning(kernel/auditsc.c:1875): Excess function parameter 'pt_regs' description in '__audit_syscall_exit'

Signed-off-by: Randy Dunlap <rdunlap@xenotime.net>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Eric Paris <eparis@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Showing 1 changed file with 3 additions and 2 deletions Inline Diff

1 /* auditsc.c -- System-call auditing support 1 /* auditsc.c -- System-call auditing support
2 * Handles all system-call specific auditing features. 2 * Handles all system-call specific auditing features.
3 * 3 *
4 * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina. 4 * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina.
5 * Copyright 2005 Hewlett-Packard Development Company, L.P. 5 * Copyright 2005 Hewlett-Packard Development Company, L.P.
6 * Copyright (C) 2005, 2006 IBM Corporation 6 * Copyright (C) 2005, 2006 IBM Corporation
7 * All Rights Reserved. 7 * All Rights Reserved.
8 * 8 *
9 * This program is free software; you can redistribute it and/or modify 9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by 10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or 11 * the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version. 12 * (at your option) any later version.
13 * 13 *
14 * This program is distributed in the hope that it will be useful, 14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of 15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details. 17 * GNU General Public License for more details.
18 * 18 *
19 * You should have received a copy of the GNU General Public License 19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, write to the Free Software 20 * along with this program; if not, write to the Free Software
21 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 21 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
22 * 22 *
23 * Written by Rickard E. (Rik) Faith <faith@redhat.com> 23 * Written by Rickard E. (Rik) Faith <faith@redhat.com>
24 * 24 *
25 * Many of the ideas implemented here are from Stephen C. Tweedie, 25 * Many of the ideas implemented here are from Stephen C. Tweedie,
26 * especially the idea of avoiding a copy by using getname. 26 * especially the idea of avoiding a copy by using getname.
27 * 27 *
28 * The method for actual interception of syscall entry and exit (not in 28 * The method for actual interception of syscall entry and exit (not in
29 * this file -- see entry.S) is based on a GPL'd patch written by 29 * this file -- see entry.S) is based on a GPL'd patch written by
30 * okir@suse.de and Copyright 2003 SuSE Linux AG. 30 * okir@suse.de and Copyright 2003 SuSE Linux AG.
31 * 31 *
32 * POSIX message queue support added by George Wilson <ltcgcw@us.ibm.com>, 32 * POSIX message queue support added by George Wilson <ltcgcw@us.ibm.com>,
33 * 2006. 33 * 2006.
34 * 34 *
35 * The support of additional filter rules compares (>, <, >=, <=) was 35 * The support of additional filter rules compares (>, <, >=, <=) was
36 * added by Dustin Kirkland <dustin.kirkland@us.ibm.com>, 2005. 36 * added by Dustin Kirkland <dustin.kirkland@us.ibm.com>, 2005.
37 * 37 *
38 * Modified by Amy Griffis <amy.griffis@hp.com> to collect additional 38 * Modified by Amy Griffis <amy.griffis@hp.com> to collect additional
39 * filesystem information. 39 * filesystem information.
40 * 40 *
41 * Subject and object context labeling support added by <danjones@us.ibm.com> 41 * Subject and object context labeling support added by <danjones@us.ibm.com>
42 * and <dustin.kirkland@us.ibm.com> for LSPP certification compliance. 42 * and <dustin.kirkland@us.ibm.com> for LSPP certification compliance.
43 */ 43 */
44 44
45 #include <linux/init.h> 45 #include <linux/init.h>
46 #include <asm/types.h> 46 #include <asm/types.h>
47 #include <linux/atomic.h> 47 #include <linux/atomic.h>
48 #include <linux/fs.h> 48 #include <linux/fs.h>
49 #include <linux/namei.h> 49 #include <linux/namei.h>
50 #include <linux/mm.h> 50 #include <linux/mm.h>
51 #include <linux/export.h> 51 #include <linux/export.h>
52 #include <linux/slab.h> 52 #include <linux/slab.h>
53 #include <linux/mount.h> 53 #include <linux/mount.h>
54 #include <linux/socket.h> 54 #include <linux/socket.h>
55 #include <linux/mqueue.h> 55 #include <linux/mqueue.h>
56 #include <linux/audit.h> 56 #include <linux/audit.h>
57 #include <linux/personality.h> 57 #include <linux/personality.h>
58 #include <linux/time.h> 58 #include <linux/time.h>
59 #include <linux/netlink.h> 59 #include <linux/netlink.h>
60 #include <linux/compiler.h> 60 #include <linux/compiler.h>
61 #include <asm/unistd.h> 61 #include <asm/unistd.h>
62 #include <linux/security.h> 62 #include <linux/security.h>
63 #include <linux/list.h> 63 #include <linux/list.h>
64 #include <linux/tty.h> 64 #include <linux/tty.h>
65 #include <linux/binfmts.h> 65 #include <linux/binfmts.h>
66 #include <linux/highmem.h> 66 #include <linux/highmem.h>
67 #include <linux/syscalls.h> 67 #include <linux/syscalls.h>
68 #include <linux/capability.h> 68 #include <linux/capability.h>
69 #include <linux/fs_struct.h> 69 #include <linux/fs_struct.h>
70 70
71 #include "audit.h" 71 #include "audit.h"
72 72
73 /* flags stating the success for a syscall */ 73 /* flags stating the success for a syscall */
74 #define AUDITSC_INVALID 0 74 #define AUDITSC_INVALID 0
75 #define AUDITSC_SUCCESS 1 75 #define AUDITSC_SUCCESS 1
76 #define AUDITSC_FAILURE 2 76 #define AUDITSC_FAILURE 2
77 77
78 /* AUDIT_NAMES is the number of slots we reserve in the audit_context 78 /* AUDIT_NAMES is the number of slots we reserve in the audit_context
79 * for saving names from getname(). If we get more names we will allocate 79 * for saving names from getname(). If we get more names we will allocate
80 * a name dynamically and also add those to the list anchored by names_list. */ 80 * a name dynamically and also add those to the list anchored by names_list. */
81 #define AUDIT_NAMES 5 81 #define AUDIT_NAMES 5
82 82
83 /* Indicates that audit should log the full pathname. */ 83 /* Indicates that audit should log the full pathname. */
84 #define AUDIT_NAME_FULL -1 84 #define AUDIT_NAME_FULL -1
85 85
86 /* no execve audit message should be longer than this (userspace limits) */ 86 /* no execve audit message should be longer than this (userspace limits) */
87 #define MAX_EXECVE_AUDIT_LEN 7500 87 #define MAX_EXECVE_AUDIT_LEN 7500
88 88
89 /* number of audit rules */ 89 /* number of audit rules */
90 int audit_n_rules; 90 int audit_n_rules;
91 91
92 /* determines whether we collect data for signals sent */ 92 /* determines whether we collect data for signals sent */
93 int audit_signals; 93 int audit_signals;
94 94
95 struct audit_cap_data { 95 struct audit_cap_data {
96 kernel_cap_t permitted; 96 kernel_cap_t permitted;
97 kernel_cap_t inheritable; 97 kernel_cap_t inheritable;
98 union { 98 union {
99 unsigned int fE; /* effective bit of a file capability */ 99 unsigned int fE; /* effective bit of a file capability */
100 kernel_cap_t effective; /* effective set of a process */ 100 kernel_cap_t effective; /* effective set of a process */
101 }; 101 };
102 }; 102 };
103 103
104 /* When fs/namei.c:getname() is called, we store the pointer in name and 104 /* When fs/namei.c:getname() is called, we store the pointer in name and
105 * we don't let putname() free it (instead we free all of the saved 105 * we don't let putname() free it (instead we free all of the saved
106 * pointers at syscall exit time). 106 * pointers at syscall exit time).
107 * 107 *
108 * Further, in fs/namei.c:path_lookup() we store the inode and device. */ 108 * Further, in fs/namei.c:path_lookup() we store the inode and device. */
109 struct audit_names { 109 struct audit_names {
110 struct list_head list; /* audit_context->names_list */ 110 struct list_head list; /* audit_context->names_list */
111 const char *name; 111 const char *name;
112 unsigned long ino; 112 unsigned long ino;
113 dev_t dev; 113 dev_t dev;
114 umode_t mode; 114 umode_t mode;
115 uid_t uid; 115 uid_t uid;
116 gid_t gid; 116 gid_t gid;
117 dev_t rdev; 117 dev_t rdev;
118 u32 osid; 118 u32 osid;
119 struct audit_cap_data fcap; 119 struct audit_cap_data fcap;
120 unsigned int fcap_ver; 120 unsigned int fcap_ver;
121 int name_len; /* number of name's characters to log */ 121 int name_len; /* number of name's characters to log */
122 bool name_put; /* call __putname() for this name */ 122 bool name_put; /* call __putname() for this name */
123 /* 123 /*
124 * This was an allocated audit_names and not from the array of 124 * This was an allocated audit_names and not from the array of
125 * names allocated in the task audit context. Thus this name 125 * names allocated in the task audit context. Thus this name
126 * should be freed on syscall exit 126 * should be freed on syscall exit
127 */ 127 */
128 bool should_free; 128 bool should_free;
129 }; 129 };
130 130
131 struct audit_aux_data { 131 struct audit_aux_data {
132 struct audit_aux_data *next; 132 struct audit_aux_data *next;
133 int type; 133 int type;
134 }; 134 };
135 135
136 #define AUDIT_AUX_IPCPERM 0 136 #define AUDIT_AUX_IPCPERM 0
137 137
138 /* Number of target pids per aux struct. */ 138 /* Number of target pids per aux struct. */
139 #define AUDIT_AUX_PIDS 16 139 #define AUDIT_AUX_PIDS 16
140 140
141 struct audit_aux_data_execve { 141 struct audit_aux_data_execve {
142 struct audit_aux_data d; 142 struct audit_aux_data d;
143 int argc; 143 int argc;
144 int envc; 144 int envc;
145 struct mm_struct *mm; 145 struct mm_struct *mm;
146 }; 146 };
147 147
148 struct audit_aux_data_pids { 148 struct audit_aux_data_pids {
149 struct audit_aux_data d; 149 struct audit_aux_data d;
150 pid_t target_pid[AUDIT_AUX_PIDS]; 150 pid_t target_pid[AUDIT_AUX_PIDS];
151 uid_t target_auid[AUDIT_AUX_PIDS]; 151 uid_t target_auid[AUDIT_AUX_PIDS];
152 uid_t target_uid[AUDIT_AUX_PIDS]; 152 uid_t target_uid[AUDIT_AUX_PIDS];
153 unsigned int target_sessionid[AUDIT_AUX_PIDS]; 153 unsigned int target_sessionid[AUDIT_AUX_PIDS];
154 u32 target_sid[AUDIT_AUX_PIDS]; 154 u32 target_sid[AUDIT_AUX_PIDS];
155 char target_comm[AUDIT_AUX_PIDS][TASK_COMM_LEN]; 155 char target_comm[AUDIT_AUX_PIDS][TASK_COMM_LEN];
156 int pid_count; 156 int pid_count;
157 }; 157 };
158 158
159 struct audit_aux_data_bprm_fcaps { 159 struct audit_aux_data_bprm_fcaps {
160 struct audit_aux_data d; 160 struct audit_aux_data d;
161 struct audit_cap_data fcap; 161 struct audit_cap_data fcap;
162 unsigned int fcap_ver; 162 unsigned int fcap_ver;
163 struct audit_cap_data old_pcap; 163 struct audit_cap_data old_pcap;
164 struct audit_cap_data new_pcap; 164 struct audit_cap_data new_pcap;
165 }; 165 };
166 166
167 struct audit_aux_data_capset { 167 struct audit_aux_data_capset {
168 struct audit_aux_data d; 168 struct audit_aux_data d;
169 pid_t pid; 169 pid_t pid;
170 struct audit_cap_data cap; 170 struct audit_cap_data cap;
171 }; 171 };
172 172
173 struct audit_tree_refs { 173 struct audit_tree_refs {
174 struct audit_tree_refs *next; 174 struct audit_tree_refs *next;
175 struct audit_chunk *c[31]; 175 struct audit_chunk *c[31];
176 }; 176 };
177 177
178 /* The per-task audit context. */ 178 /* The per-task audit context. */
179 struct audit_context { 179 struct audit_context {
180 int dummy; /* must be the first element */ 180 int dummy; /* must be the first element */
181 int in_syscall; /* 1 if task is in a syscall */ 181 int in_syscall; /* 1 if task is in a syscall */
182 enum audit_state state, current_state; 182 enum audit_state state, current_state;
183 unsigned int serial; /* serial number for record */ 183 unsigned int serial; /* serial number for record */
184 int major; /* syscall number */ 184 int major; /* syscall number */
185 struct timespec ctime; /* time of syscall entry */ 185 struct timespec ctime; /* time of syscall entry */
186 unsigned long argv[4]; /* syscall arguments */ 186 unsigned long argv[4]; /* syscall arguments */
187 long return_code;/* syscall return code */ 187 long return_code;/* syscall return code */
188 u64 prio; 188 u64 prio;
189 int return_valid; /* return code is valid */ 189 int return_valid; /* return code is valid */
190 /* 190 /*
191 * The names_list is the list of all audit_names collected during this 191 * The names_list is the list of all audit_names collected during this
192 * syscall. The first AUDIT_NAMES entries in the names_list will 192 * syscall. The first AUDIT_NAMES entries in the names_list will
193 * actually be from the preallocated_names array for performance 193 * actually be from the preallocated_names array for performance
194 * reasons. Except during allocation they should never be referenced 194 * reasons. Except during allocation they should never be referenced
195 * through the preallocated_names array and should only be found/used 195 * through the preallocated_names array and should only be found/used
196 * by running the names_list. 196 * by running the names_list.
197 */ 197 */
198 struct audit_names preallocated_names[AUDIT_NAMES]; 198 struct audit_names preallocated_names[AUDIT_NAMES];
199 int name_count; /* total records in names_list */ 199 int name_count; /* total records in names_list */
200 struct list_head names_list; /* anchor for struct audit_names->list */ 200 struct list_head names_list; /* anchor for struct audit_names->list */
201 char * filterkey; /* key for rule that triggered record */ 201 char * filterkey; /* key for rule that triggered record */
202 struct path pwd; 202 struct path pwd;
203 struct audit_context *previous; /* For nested syscalls */ 203 struct audit_context *previous; /* For nested syscalls */
204 struct audit_aux_data *aux; 204 struct audit_aux_data *aux;
205 struct audit_aux_data *aux_pids; 205 struct audit_aux_data *aux_pids;
206 struct sockaddr_storage *sockaddr; 206 struct sockaddr_storage *sockaddr;
207 size_t sockaddr_len; 207 size_t sockaddr_len;
208 /* Save things to print about task_struct */ 208 /* Save things to print about task_struct */
209 pid_t pid, ppid; 209 pid_t pid, ppid;
210 uid_t uid, euid, suid, fsuid; 210 uid_t uid, euid, suid, fsuid;
211 gid_t gid, egid, sgid, fsgid; 211 gid_t gid, egid, sgid, fsgid;
212 unsigned long personality; 212 unsigned long personality;
213 int arch; 213 int arch;
214 214
215 pid_t target_pid; 215 pid_t target_pid;
216 uid_t target_auid; 216 uid_t target_auid;
217 uid_t target_uid; 217 uid_t target_uid;
218 unsigned int target_sessionid; 218 unsigned int target_sessionid;
219 u32 target_sid; 219 u32 target_sid;
220 char target_comm[TASK_COMM_LEN]; 220 char target_comm[TASK_COMM_LEN];
221 221
222 struct audit_tree_refs *trees, *first_trees; 222 struct audit_tree_refs *trees, *first_trees;
223 struct list_head killed_trees; 223 struct list_head killed_trees;
224 int tree_count; 224 int tree_count;
225 225
226 int type; 226 int type;
227 union { 227 union {
228 struct { 228 struct {
229 int nargs; 229 int nargs;
230 long args[6]; 230 long args[6];
231 } socketcall; 231 } socketcall;
232 struct { 232 struct {
233 uid_t uid; 233 uid_t uid;
234 gid_t gid; 234 gid_t gid;
235 umode_t mode; 235 umode_t mode;
236 u32 osid; 236 u32 osid;
237 int has_perm; 237 int has_perm;
238 uid_t perm_uid; 238 uid_t perm_uid;
239 gid_t perm_gid; 239 gid_t perm_gid;
240 umode_t perm_mode; 240 umode_t perm_mode;
241 unsigned long qbytes; 241 unsigned long qbytes;
242 } ipc; 242 } ipc;
243 struct { 243 struct {
244 mqd_t mqdes; 244 mqd_t mqdes;
245 struct mq_attr mqstat; 245 struct mq_attr mqstat;
246 } mq_getsetattr; 246 } mq_getsetattr;
247 struct { 247 struct {
248 mqd_t mqdes; 248 mqd_t mqdes;
249 int sigev_signo; 249 int sigev_signo;
250 } mq_notify; 250 } mq_notify;
251 struct { 251 struct {
252 mqd_t mqdes; 252 mqd_t mqdes;
253 size_t msg_len; 253 size_t msg_len;
254 unsigned int msg_prio; 254 unsigned int msg_prio;
255 struct timespec abs_timeout; 255 struct timespec abs_timeout;
256 } mq_sendrecv; 256 } mq_sendrecv;
257 struct { 257 struct {
258 int oflag; 258 int oflag;
259 umode_t mode; 259 umode_t mode;
260 struct mq_attr attr; 260 struct mq_attr attr;
261 } mq_open; 261 } mq_open;
262 struct { 262 struct {
263 pid_t pid; 263 pid_t pid;
264 struct audit_cap_data cap; 264 struct audit_cap_data cap;
265 } capset; 265 } capset;
266 struct { 266 struct {
267 int fd; 267 int fd;
268 int flags; 268 int flags;
269 } mmap; 269 } mmap;
270 }; 270 };
271 int fds[2]; 271 int fds[2];
272 272
273 #if AUDIT_DEBUG 273 #if AUDIT_DEBUG
274 int put_count; 274 int put_count;
275 int ino_count; 275 int ino_count;
276 #endif 276 #endif
277 }; 277 };
278 278
279 static inline int open_arg(int flags, int mask) 279 static inline int open_arg(int flags, int mask)
280 { 280 {
281 int n = ACC_MODE(flags); 281 int n = ACC_MODE(flags);
282 if (flags & (O_TRUNC | O_CREAT)) 282 if (flags & (O_TRUNC | O_CREAT))
283 n |= AUDIT_PERM_WRITE; 283 n |= AUDIT_PERM_WRITE;
284 return n & mask; 284 return n & mask;
285 } 285 }
286 286
287 static int audit_match_perm(struct audit_context *ctx, int mask) 287 static int audit_match_perm(struct audit_context *ctx, int mask)
288 { 288 {
289 unsigned n; 289 unsigned n;
290 if (unlikely(!ctx)) 290 if (unlikely(!ctx))
291 return 0; 291 return 0;
292 n = ctx->major; 292 n = ctx->major;
293 293
294 switch (audit_classify_syscall(ctx->arch, n)) { 294 switch (audit_classify_syscall(ctx->arch, n)) {
295 case 0: /* native */ 295 case 0: /* native */
296 if ((mask & AUDIT_PERM_WRITE) && 296 if ((mask & AUDIT_PERM_WRITE) &&
297 audit_match_class(AUDIT_CLASS_WRITE, n)) 297 audit_match_class(AUDIT_CLASS_WRITE, n))
298 return 1; 298 return 1;
299 if ((mask & AUDIT_PERM_READ) && 299 if ((mask & AUDIT_PERM_READ) &&
300 audit_match_class(AUDIT_CLASS_READ, n)) 300 audit_match_class(AUDIT_CLASS_READ, n))
301 return 1; 301 return 1;
302 if ((mask & AUDIT_PERM_ATTR) && 302 if ((mask & AUDIT_PERM_ATTR) &&
303 audit_match_class(AUDIT_CLASS_CHATTR, n)) 303 audit_match_class(AUDIT_CLASS_CHATTR, n))
304 return 1; 304 return 1;
305 return 0; 305 return 0;
306 case 1: /* 32bit on biarch */ 306 case 1: /* 32bit on biarch */
307 if ((mask & AUDIT_PERM_WRITE) && 307 if ((mask & AUDIT_PERM_WRITE) &&
308 audit_match_class(AUDIT_CLASS_WRITE_32, n)) 308 audit_match_class(AUDIT_CLASS_WRITE_32, n))
309 return 1; 309 return 1;
310 if ((mask & AUDIT_PERM_READ) && 310 if ((mask & AUDIT_PERM_READ) &&
311 audit_match_class(AUDIT_CLASS_READ_32, n)) 311 audit_match_class(AUDIT_CLASS_READ_32, n))
312 return 1; 312 return 1;
313 if ((mask & AUDIT_PERM_ATTR) && 313 if ((mask & AUDIT_PERM_ATTR) &&
314 audit_match_class(AUDIT_CLASS_CHATTR_32, n)) 314 audit_match_class(AUDIT_CLASS_CHATTR_32, n))
315 return 1; 315 return 1;
316 return 0; 316 return 0;
317 case 2: /* open */ 317 case 2: /* open */
318 return mask & ACC_MODE(ctx->argv[1]); 318 return mask & ACC_MODE(ctx->argv[1]);
319 case 3: /* openat */ 319 case 3: /* openat */
320 return mask & ACC_MODE(ctx->argv[2]); 320 return mask & ACC_MODE(ctx->argv[2]);
321 case 4: /* socketcall */ 321 case 4: /* socketcall */
322 return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND); 322 return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND);
323 case 5: /* execve */ 323 case 5: /* execve */
324 return mask & AUDIT_PERM_EXEC; 324 return mask & AUDIT_PERM_EXEC;
325 default: 325 default:
326 return 0; 326 return 0;
327 } 327 }
328 } 328 }
329 329
330 static int audit_match_filetype(struct audit_context *ctx, int val) 330 static int audit_match_filetype(struct audit_context *ctx, int val)
331 { 331 {
332 struct audit_names *n; 332 struct audit_names *n;
333 umode_t mode = (umode_t)val; 333 umode_t mode = (umode_t)val;
334 334
335 if (unlikely(!ctx)) 335 if (unlikely(!ctx))
336 return 0; 336 return 0;
337 337
338 list_for_each_entry(n, &ctx->names_list, list) { 338 list_for_each_entry(n, &ctx->names_list, list) {
339 if ((n->ino != -1) && 339 if ((n->ino != -1) &&
340 ((n->mode & S_IFMT) == mode)) 340 ((n->mode & S_IFMT) == mode))
341 return 1; 341 return 1;
342 } 342 }
343 343
344 return 0; 344 return 0;
345 } 345 }
346 346
347 /* 347 /*
348 * We keep a linked list of fixed-sized (31 pointer) arrays of audit_chunk *; 348 * We keep a linked list of fixed-sized (31 pointer) arrays of audit_chunk *;
349 * ->first_trees points to its beginning, ->trees - to the current end of data. 349 * ->first_trees points to its beginning, ->trees - to the current end of data.
350 * ->tree_count is the number of free entries in array pointed to by ->trees. 350 * ->tree_count is the number of free entries in array pointed to by ->trees.
351 * Original condition is (NULL, NULL, 0); as soon as it grows we never revert to NULL, 351 * Original condition is (NULL, NULL, 0); as soon as it grows we never revert to NULL,
352 * "empty" becomes (p, p, 31) afterwards. We don't shrink the list (and seriously, 352 * "empty" becomes (p, p, 31) afterwards. We don't shrink the list (and seriously,
353 * it's going to remain 1-element for almost any setup) until we free context itself. 353 * it's going to remain 1-element for almost any setup) until we free context itself.
354 * References in it _are_ dropped - at the same time we free/drop aux stuff. 354 * References in it _are_ dropped - at the same time we free/drop aux stuff.
355 */ 355 */
356 356
357 #ifdef CONFIG_AUDIT_TREE 357 #ifdef CONFIG_AUDIT_TREE
358 static void audit_set_auditable(struct audit_context *ctx) 358 static void audit_set_auditable(struct audit_context *ctx)
359 { 359 {
360 if (!ctx->prio) { 360 if (!ctx->prio) {
361 ctx->prio = 1; 361 ctx->prio = 1;
362 ctx->current_state = AUDIT_RECORD_CONTEXT; 362 ctx->current_state = AUDIT_RECORD_CONTEXT;
363 } 363 }
364 } 364 }
365 365
366 static int put_tree_ref(struct audit_context *ctx, struct audit_chunk *chunk) 366 static int put_tree_ref(struct audit_context *ctx, struct audit_chunk *chunk)
367 { 367 {
368 struct audit_tree_refs *p = ctx->trees; 368 struct audit_tree_refs *p = ctx->trees;
369 int left = ctx->tree_count; 369 int left = ctx->tree_count;
370 if (likely(left)) { 370 if (likely(left)) {
371 p->c[--left] = chunk; 371 p->c[--left] = chunk;
372 ctx->tree_count = left; 372 ctx->tree_count = left;
373 return 1; 373 return 1;
374 } 374 }
375 if (!p) 375 if (!p)
376 return 0; 376 return 0;
377 p = p->next; 377 p = p->next;
378 if (p) { 378 if (p) {
379 p->c[30] = chunk; 379 p->c[30] = chunk;
380 ctx->trees = p; 380 ctx->trees = p;
381 ctx->tree_count = 30; 381 ctx->tree_count = 30;
382 return 1; 382 return 1;
383 } 383 }
384 return 0; 384 return 0;
385 } 385 }
386 386
387 static int grow_tree_refs(struct audit_context *ctx) 387 static int grow_tree_refs(struct audit_context *ctx)
388 { 388 {
389 struct audit_tree_refs *p = ctx->trees; 389 struct audit_tree_refs *p = ctx->trees;
390 ctx->trees = kzalloc(sizeof(struct audit_tree_refs), GFP_KERNEL); 390 ctx->trees = kzalloc(sizeof(struct audit_tree_refs), GFP_KERNEL);
391 if (!ctx->trees) { 391 if (!ctx->trees) {
392 ctx->trees = p; 392 ctx->trees = p;
393 return 0; 393 return 0;
394 } 394 }
395 if (p) 395 if (p)
396 p->next = ctx->trees; 396 p->next = ctx->trees;
397 else 397 else
398 ctx->first_trees = ctx->trees; 398 ctx->first_trees = ctx->trees;
399 ctx->tree_count = 31; 399 ctx->tree_count = 31;
400 return 1; 400 return 1;
401 } 401 }
402 #endif 402 #endif
403 403
404 static void unroll_tree_refs(struct audit_context *ctx, 404 static void unroll_tree_refs(struct audit_context *ctx,
405 struct audit_tree_refs *p, int count) 405 struct audit_tree_refs *p, int count)
406 { 406 {
407 #ifdef CONFIG_AUDIT_TREE 407 #ifdef CONFIG_AUDIT_TREE
408 struct audit_tree_refs *q; 408 struct audit_tree_refs *q;
409 int n; 409 int n;
410 if (!p) { 410 if (!p) {
411 /* we started with empty chain */ 411 /* we started with empty chain */
412 p = ctx->first_trees; 412 p = ctx->first_trees;
413 count = 31; 413 count = 31;
414 /* if the very first allocation has failed, nothing to do */ 414 /* if the very first allocation has failed, nothing to do */
415 if (!p) 415 if (!p)
416 return; 416 return;
417 } 417 }
418 n = count; 418 n = count;
419 for (q = p; q != ctx->trees; q = q->next, n = 31) { 419 for (q = p; q != ctx->trees; q = q->next, n = 31) {
420 while (n--) { 420 while (n--) {
421 audit_put_chunk(q->c[n]); 421 audit_put_chunk(q->c[n]);
422 q->c[n] = NULL; 422 q->c[n] = NULL;
423 } 423 }
424 } 424 }
425 while (n-- > ctx->tree_count) { 425 while (n-- > ctx->tree_count) {
426 audit_put_chunk(q->c[n]); 426 audit_put_chunk(q->c[n]);
427 q->c[n] = NULL; 427 q->c[n] = NULL;
428 } 428 }
429 ctx->trees = p; 429 ctx->trees = p;
430 ctx->tree_count = count; 430 ctx->tree_count = count;
431 #endif 431 #endif
432 } 432 }
433 433
434 static void free_tree_refs(struct audit_context *ctx) 434 static void free_tree_refs(struct audit_context *ctx)
435 { 435 {
436 struct audit_tree_refs *p, *q; 436 struct audit_tree_refs *p, *q;
437 for (p = ctx->first_trees; p; p = q) { 437 for (p = ctx->first_trees; p; p = q) {
438 q = p->next; 438 q = p->next;
439 kfree(p); 439 kfree(p);
440 } 440 }
441 } 441 }
442 442
443 static int match_tree_refs(struct audit_context *ctx, struct audit_tree *tree) 443 static int match_tree_refs(struct audit_context *ctx, struct audit_tree *tree)
444 { 444 {
445 #ifdef CONFIG_AUDIT_TREE 445 #ifdef CONFIG_AUDIT_TREE
446 struct audit_tree_refs *p; 446 struct audit_tree_refs *p;
447 int n; 447 int n;
448 if (!tree) 448 if (!tree)
449 return 0; 449 return 0;
450 /* full ones */ 450 /* full ones */
451 for (p = ctx->first_trees; p != ctx->trees; p = p->next) { 451 for (p = ctx->first_trees; p != ctx->trees; p = p->next) {
452 for (n = 0; n < 31; n++) 452 for (n = 0; n < 31; n++)
453 if (audit_tree_match(p->c[n], tree)) 453 if (audit_tree_match(p->c[n], tree))
454 return 1; 454 return 1;
455 } 455 }
456 /* partial */ 456 /* partial */
457 if (p) { 457 if (p) {
458 for (n = ctx->tree_count; n < 31; n++) 458 for (n = ctx->tree_count; n < 31; n++)
459 if (audit_tree_match(p->c[n], tree)) 459 if (audit_tree_match(p->c[n], tree))
460 return 1; 460 return 1;
461 } 461 }
462 #endif 462 #endif
463 return 0; 463 return 0;
464 } 464 }
465 465
466 static int audit_compare_id(uid_t uid1, 466 static int audit_compare_id(uid_t uid1,
467 struct audit_names *name, 467 struct audit_names *name,
468 unsigned long name_offset, 468 unsigned long name_offset,
469 struct audit_field *f, 469 struct audit_field *f,
470 struct audit_context *ctx) 470 struct audit_context *ctx)
471 { 471 {
472 struct audit_names *n; 472 struct audit_names *n;
473 unsigned long addr; 473 unsigned long addr;
474 uid_t uid2; 474 uid_t uid2;
475 int rc; 475 int rc;
476 476
477 BUILD_BUG_ON(sizeof(uid_t) != sizeof(gid_t)); 477 BUILD_BUG_ON(sizeof(uid_t) != sizeof(gid_t));
478 478
479 if (name) { 479 if (name) {
480 addr = (unsigned long)name; 480 addr = (unsigned long)name;
481 addr += name_offset; 481 addr += name_offset;
482 482
483 uid2 = *(uid_t *)addr; 483 uid2 = *(uid_t *)addr;
484 rc = audit_comparator(uid1, f->op, uid2); 484 rc = audit_comparator(uid1, f->op, uid2);
485 if (rc) 485 if (rc)
486 return rc; 486 return rc;
487 } 487 }
488 488
489 if (ctx) { 489 if (ctx) {
490 list_for_each_entry(n, &ctx->names_list, list) { 490 list_for_each_entry(n, &ctx->names_list, list) {
491 addr = (unsigned long)n; 491 addr = (unsigned long)n;
492 addr += name_offset; 492 addr += name_offset;
493 493
494 uid2 = *(uid_t *)addr; 494 uid2 = *(uid_t *)addr;
495 495
496 rc = audit_comparator(uid1, f->op, uid2); 496 rc = audit_comparator(uid1, f->op, uid2);
497 if (rc) 497 if (rc)
498 return rc; 498 return rc;
499 } 499 }
500 } 500 }
501 return 0; 501 return 0;
502 } 502 }
503 503
504 static int audit_field_compare(struct task_struct *tsk, 504 static int audit_field_compare(struct task_struct *tsk,
505 const struct cred *cred, 505 const struct cred *cred,
506 struct audit_field *f, 506 struct audit_field *f,
507 struct audit_context *ctx, 507 struct audit_context *ctx,
508 struct audit_names *name) 508 struct audit_names *name)
509 { 509 {
510 switch (f->val) { 510 switch (f->val) {
511 /* process to file object comparisons */ 511 /* process to file object comparisons */
512 case AUDIT_COMPARE_UID_TO_OBJ_UID: 512 case AUDIT_COMPARE_UID_TO_OBJ_UID:
513 return audit_compare_id(cred->uid, 513 return audit_compare_id(cred->uid,
514 name, offsetof(struct audit_names, uid), 514 name, offsetof(struct audit_names, uid),
515 f, ctx); 515 f, ctx);
516 case AUDIT_COMPARE_GID_TO_OBJ_GID: 516 case AUDIT_COMPARE_GID_TO_OBJ_GID:
517 return audit_compare_id(cred->gid, 517 return audit_compare_id(cred->gid,
518 name, offsetof(struct audit_names, gid), 518 name, offsetof(struct audit_names, gid),
519 f, ctx); 519 f, ctx);
520 case AUDIT_COMPARE_EUID_TO_OBJ_UID: 520 case AUDIT_COMPARE_EUID_TO_OBJ_UID:
521 return audit_compare_id(cred->euid, 521 return audit_compare_id(cred->euid,
522 name, offsetof(struct audit_names, uid), 522 name, offsetof(struct audit_names, uid),
523 f, ctx); 523 f, ctx);
524 case AUDIT_COMPARE_EGID_TO_OBJ_GID: 524 case AUDIT_COMPARE_EGID_TO_OBJ_GID:
525 return audit_compare_id(cred->egid, 525 return audit_compare_id(cred->egid,
526 name, offsetof(struct audit_names, gid), 526 name, offsetof(struct audit_names, gid),
527 f, ctx); 527 f, ctx);
528 case AUDIT_COMPARE_AUID_TO_OBJ_UID: 528 case AUDIT_COMPARE_AUID_TO_OBJ_UID:
529 return audit_compare_id(tsk->loginuid, 529 return audit_compare_id(tsk->loginuid,
530 name, offsetof(struct audit_names, uid), 530 name, offsetof(struct audit_names, uid),
531 f, ctx); 531 f, ctx);
532 case AUDIT_COMPARE_SUID_TO_OBJ_UID: 532 case AUDIT_COMPARE_SUID_TO_OBJ_UID:
533 return audit_compare_id(cred->suid, 533 return audit_compare_id(cred->suid,
534 name, offsetof(struct audit_names, uid), 534 name, offsetof(struct audit_names, uid),
535 f, ctx); 535 f, ctx);
536 case AUDIT_COMPARE_SGID_TO_OBJ_GID: 536 case AUDIT_COMPARE_SGID_TO_OBJ_GID:
537 return audit_compare_id(cred->sgid, 537 return audit_compare_id(cred->sgid,
538 name, offsetof(struct audit_names, gid), 538 name, offsetof(struct audit_names, gid),
539 f, ctx); 539 f, ctx);
540 case AUDIT_COMPARE_FSUID_TO_OBJ_UID: 540 case AUDIT_COMPARE_FSUID_TO_OBJ_UID:
541 return audit_compare_id(cred->fsuid, 541 return audit_compare_id(cred->fsuid,
542 name, offsetof(struct audit_names, uid), 542 name, offsetof(struct audit_names, uid),
543 f, ctx); 543 f, ctx);
544 case AUDIT_COMPARE_FSGID_TO_OBJ_GID: 544 case AUDIT_COMPARE_FSGID_TO_OBJ_GID:
545 return audit_compare_id(cred->fsgid, 545 return audit_compare_id(cred->fsgid,
546 name, offsetof(struct audit_names, gid), 546 name, offsetof(struct audit_names, gid),
547 f, ctx); 547 f, ctx);
548 /* uid comparisons */ 548 /* uid comparisons */
549 case AUDIT_COMPARE_UID_TO_AUID: 549 case AUDIT_COMPARE_UID_TO_AUID:
550 return audit_comparator(cred->uid, f->op, tsk->loginuid); 550 return audit_comparator(cred->uid, f->op, tsk->loginuid);
551 case AUDIT_COMPARE_UID_TO_EUID: 551 case AUDIT_COMPARE_UID_TO_EUID:
552 return audit_comparator(cred->uid, f->op, cred->euid); 552 return audit_comparator(cred->uid, f->op, cred->euid);
553 case AUDIT_COMPARE_UID_TO_SUID: 553 case AUDIT_COMPARE_UID_TO_SUID:
554 return audit_comparator(cred->uid, f->op, cred->suid); 554 return audit_comparator(cred->uid, f->op, cred->suid);
555 case AUDIT_COMPARE_UID_TO_FSUID: 555 case AUDIT_COMPARE_UID_TO_FSUID:
556 return audit_comparator(cred->uid, f->op, cred->fsuid); 556 return audit_comparator(cred->uid, f->op, cred->fsuid);
557 /* auid comparisons */ 557 /* auid comparisons */
558 case AUDIT_COMPARE_AUID_TO_EUID: 558 case AUDIT_COMPARE_AUID_TO_EUID:
559 return audit_comparator(tsk->loginuid, f->op, cred->euid); 559 return audit_comparator(tsk->loginuid, f->op, cred->euid);
560 case AUDIT_COMPARE_AUID_TO_SUID: 560 case AUDIT_COMPARE_AUID_TO_SUID:
561 return audit_comparator(tsk->loginuid, f->op, cred->suid); 561 return audit_comparator(tsk->loginuid, f->op, cred->suid);
562 case AUDIT_COMPARE_AUID_TO_FSUID: 562 case AUDIT_COMPARE_AUID_TO_FSUID:
563 return audit_comparator(tsk->loginuid, f->op, cred->fsuid); 563 return audit_comparator(tsk->loginuid, f->op, cred->fsuid);
564 /* euid comparisons */ 564 /* euid comparisons */
565 case AUDIT_COMPARE_EUID_TO_SUID: 565 case AUDIT_COMPARE_EUID_TO_SUID:
566 return audit_comparator(cred->euid, f->op, cred->suid); 566 return audit_comparator(cred->euid, f->op, cred->suid);
567 case AUDIT_COMPARE_EUID_TO_FSUID: 567 case AUDIT_COMPARE_EUID_TO_FSUID:
568 return audit_comparator(cred->euid, f->op, cred->fsuid); 568 return audit_comparator(cred->euid, f->op, cred->fsuid);
569 /* suid comparisons */ 569 /* suid comparisons */
570 case AUDIT_COMPARE_SUID_TO_FSUID: 570 case AUDIT_COMPARE_SUID_TO_FSUID:
571 return audit_comparator(cred->suid, f->op, cred->fsuid); 571 return audit_comparator(cred->suid, f->op, cred->fsuid);
572 /* gid comparisons */ 572 /* gid comparisons */
573 case AUDIT_COMPARE_GID_TO_EGID: 573 case AUDIT_COMPARE_GID_TO_EGID:
574 return audit_comparator(cred->gid, f->op, cred->egid); 574 return audit_comparator(cred->gid, f->op, cred->egid);
575 case AUDIT_COMPARE_GID_TO_SGID: 575 case AUDIT_COMPARE_GID_TO_SGID:
576 return audit_comparator(cred->gid, f->op, cred->sgid); 576 return audit_comparator(cred->gid, f->op, cred->sgid);
577 case AUDIT_COMPARE_GID_TO_FSGID: 577 case AUDIT_COMPARE_GID_TO_FSGID:
578 return audit_comparator(cred->gid, f->op, cred->fsgid); 578 return audit_comparator(cred->gid, f->op, cred->fsgid);
579 /* egid comparisons */ 579 /* egid comparisons */
580 case AUDIT_COMPARE_EGID_TO_SGID: 580 case AUDIT_COMPARE_EGID_TO_SGID:
581 return audit_comparator(cred->egid, f->op, cred->sgid); 581 return audit_comparator(cred->egid, f->op, cred->sgid);
582 case AUDIT_COMPARE_EGID_TO_FSGID: 582 case AUDIT_COMPARE_EGID_TO_FSGID:
583 return audit_comparator(cred->egid, f->op, cred->fsgid); 583 return audit_comparator(cred->egid, f->op, cred->fsgid);
584 /* sgid comparison */ 584 /* sgid comparison */
585 case AUDIT_COMPARE_SGID_TO_FSGID: 585 case AUDIT_COMPARE_SGID_TO_FSGID:
586 return audit_comparator(cred->sgid, f->op, cred->fsgid); 586 return audit_comparator(cred->sgid, f->op, cred->fsgid);
587 default: 587 default:
588 WARN(1, "Missing AUDIT_COMPARE define. Report as a bug\n"); 588 WARN(1, "Missing AUDIT_COMPARE define. Report as a bug\n");
589 return 0; 589 return 0;
590 } 590 }
591 return 0; 591 return 0;
592 } 592 }
593 593
594 /* Determine if any context name data matches a rule's watch data */ 594 /* Determine if any context name data matches a rule's watch data */
595 /* Compare a task_struct with an audit_rule. Return 1 on match, 0 595 /* Compare a task_struct with an audit_rule. Return 1 on match, 0
596 * otherwise. 596 * otherwise.
597 * 597 *
598 * If task_creation is true, this is an explicit indication that we are 598 * If task_creation is true, this is an explicit indication that we are
599 * filtering a task rule at task creation time. This and tsk == current are 599 * filtering a task rule at task creation time. This and tsk == current are
600 * the only situations where tsk->cred may be accessed without an rcu read lock. 600 * the only situations where tsk->cred may be accessed without an rcu read lock.
601 */ 601 */
602 static int audit_filter_rules(struct task_struct *tsk, 602 static int audit_filter_rules(struct task_struct *tsk,
603 struct audit_krule *rule, 603 struct audit_krule *rule,
604 struct audit_context *ctx, 604 struct audit_context *ctx,
605 struct audit_names *name, 605 struct audit_names *name,
606 enum audit_state *state, 606 enum audit_state *state,
607 bool task_creation) 607 bool task_creation)
608 { 608 {
609 const struct cred *cred; 609 const struct cred *cred;
610 int i, need_sid = 1; 610 int i, need_sid = 1;
611 u32 sid; 611 u32 sid;
612 612
613 cred = rcu_dereference_check(tsk->cred, tsk == current || task_creation); 613 cred = rcu_dereference_check(tsk->cred, tsk == current || task_creation);
614 614
615 for (i = 0; i < rule->field_count; i++) { 615 for (i = 0; i < rule->field_count; i++) {
616 struct audit_field *f = &rule->fields[i]; 616 struct audit_field *f = &rule->fields[i];
617 struct audit_names *n; 617 struct audit_names *n;
618 int result = 0; 618 int result = 0;
619 619
620 switch (f->type) { 620 switch (f->type) {
621 case AUDIT_PID: 621 case AUDIT_PID:
622 result = audit_comparator(tsk->pid, f->op, f->val); 622 result = audit_comparator(tsk->pid, f->op, f->val);
623 break; 623 break;
624 case AUDIT_PPID: 624 case AUDIT_PPID:
625 if (ctx) { 625 if (ctx) {
626 if (!ctx->ppid) 626 if (!ctx->ppid)
627 ctx->ppid = sys_getppid(); 627 ctx->ppid = sys_getppid();
628 result = audit_comparator(ctx->ppid, f->op, f->val); 628 result = audit_comparator(ctx->ppid, f->op, f->val);
629 } 629 }
630 break; 630 break;
631 case AUDIT_UID: 631 case AUDIT_UID:
632 result = audit_comparator(cred->uid, f->op, f->val); 632 result = audit_comparator(cred->uid, f->op, f->val);
633 break; 633 break;
634 case AUDIT_EUID: 634 case AUDIT_EUID:
635 result = audit_comparator(cred->euid, f->op, f->val); 635 result = audit_comparator(cred->euid, f->op, f->val);
636 break; 636 break;
637 case AUDIT_SUID: 637 case AUDIT_SUID:
638 result = audit_comparator(cred->suid, f->op, f->val); 638 result = audit_comparator(cred->suid, f->op, f->val);
639 break; 639 break;
640 case AUDIT_FSUID: 640 case AUDIT_FSUID:
641 result = audit_comparator(cred->fsuid, f->op, f->val); 641 result = audit_comparator(cred->fsuid, f->op, f->val);
642 break; 642 break;
643 case AUDIT_GID: 643 case AUDIT_GID:
644 result = audit_comparator(cred->gid, f->op, f->val); 644 result = audit_comparator(cred->gid, f->op, f->val);
645 break; 645 break;
646 case AUDIT_EGID: 646 case AUDIT_EGID:
647 result = audit_comparator(cred->egid, f->op, f->val); 647 result = audit_comparator(cred->egid, f->op, f->val);
648 break; 648 break;
649 case AUDIT_SGID: 649 case AUDIT_SGID:
650 result = audit_comparator(cred->sgid, f->op, f->val); 650 result = audit_comparator(cred->sgid, f->op, f->val);
651 break; 651 break;
652 case AUDIT_FSGID: 652 case AUDIT_FSGID:
653 result = audit_comparator(cred->fsgid, f->op, f->val); 653 result = audit_comparator(cred->fsgid, f->op, f->val);
654 break; 654 break;
655 case AUDIT_PERS: 655 case AUDIT_PERS:
656 result = audit_comparator(tsk->personality, f->op, f->val); 656 result = audit_comparator(tsk->personality, f->op, f->val);
657 break; 657 break;
658 case AUDIT_ARCH: 658 case AUDIT_ARCH:
659 if (ctx) 659 if (ctx)
660 result = audit_comparator(ctx->arch, f->op, f->val); 660 result = audit_comparator(ctx->arch, f->op, f->val);
661 break; 661 break;
662 662
663 case AUDIT_EXIT: 663 case AUDIT_EXIT:
664 if (ctx && ctx->return_valid) 664 if (ctx && ctx->return_valid)
665 result = audit_comparator(ctx->return_code, f->op, f->val); 665 result = audit_comparator(ctx->return_code, f->op, f->val);
666 break; 666 break;
667 case AUDIT_SUCCESS: 667 case AUDIT_SUCCESS:
668 if (ctx && ctx->return_valid) { 668 if (ctx && ctx->return_valid) {
669 if (f->val) 669 if (f->val)
670 result = audit_comparator(ctx->return_valid, f->op, AUDITSC_SUCCESS); 670 result = audit_comparator(ctx->return_valid, f->op, AUDITSC_SUCCESS);
671 else 671 else
672 result = audit_comparator(ctx->return_valid, f->op, AUDITSC_FAILURE); 672 result = audit_comparator(ctx->return_valid, f->op, AUDITSC_FAILURE);
673 } 673 }
674 break; 674 break;
675 case AUDIT_DEVMAJOR: 675 case AUDIT_DEVMAJOR:
676 if (name) { 676 if (name) {
677 if (audit_comparator(MAJOR(name->dev), f->op, f->val) || 677 if (audit_comparator(MAJOR(name->dev), f->op, f->val) ||
678 audit_comparator(MAJOR(name->rdev), f->op, f->val)) 678 audit_comparator(MAJOR(name->rdev), f->op, f->val))
679 ++result; 679 ++result;
680 } else if (ctx) { 680 } else if (ctx) {
681 list_for_each_entry(n, &ctx->names_list, list) { 681 list_for_each_entry(n, &ctx->names_list, list) {
682 if (audit_comparator(MAJOR(n->dev), f->op, f->val) || 682 if (audit_comparator(MAJOR(n->dev), f->op, f->val) ||
683 audit_comparator(MAJOR(n->rdev), f->op, f->val)) { 683 audit_comparator(MAJOR(n->rdev), f->op, f->val)) {
684 ++result; 684 ++result;
685 break; 685 break;
686 } 686 }
687 } 687 }
688 } 688 }
689 break; 689 break;
690 case AUDIT_DEVMINOR: 690 case AUDIT_DEVMINOR:
691 if (name) { 691 if (name) {
692 if (audit_comparator(MINOR(name->dev), f->op, f->val) || 692 if (audit_comparator(MINOR(name->dev), f->op, f->val) ||
693 audit_comparator(MINOR(name->rdev), f->op, f->val)) 693 audit_comparator(MINOR(name->rdev), f->op, f->val))
694 ++result; 694 ++result;
695 } else if (ctx) { 695 } else if (ctx) {
696 list_for_each_entry(n, &ctx->names_list, list) { 696 list_for_each_entry(n, &ctx->names_list, list) {
697 if (audit_comparator(MINOR(n->dev), f->op, f->val) || 697 if (audit_comparator(MINOR(n->dev), f->op, f->val) ||
698 audit_comparator(MINOR(n->rdev), f->op, f->val)) { 698 audit_comparator(MINOR(n->rdev), f->op, f->val)) {
699 ++result; 699 ++result;
700 break; 700 break;
701 } 701 }
702 } 702 }
703 } 703 }
704 break; 704 break;
705 case AUDIT_INODE: 705 case AUDIT_INODE:
706 if (name) 706 if (name)
707 result = (name->ino == f->val); 707 result = (name->ino == f->val);
708 else if (ctx) { 708 else if (ctx) {
709 list_for_each_entry(n, &ctx->names_list, list) { 709 list_for_each_entry(n, &ctx->names_list, list) {
710 if (audit_comparator(n->ino, f->op, f->val)) { 710 if (audit_comparator(n->ino, f->op, f->val)) {
711 ++result; 711 ++result;
712 break; 712 break;
713 } 713 }
714 } 714 }
715 } 715 }
716 break; 716 break;
717 case AUDIT_OBJ_UID: 717 case AUDIT_OBJ_UID:
718 if (name) { 718 if (name) {
719 result = audit_comparator(name->uid, f->op, f->val); 719 result = audit_comparator(name->uid, f->op, f->val);
720 } else if (ctx) { 720 } else if (ctx) {
721 list_for_each_entry(n, &ctx->names_list, list) { 721 list_for_each_entry(n, &ctx->names_list, list) {
722 if (audit_comparator(n->uid, f->op, f->val)) { 722 if (audit_comparator(n->uid, f->op, f->val)) {
723 ++result; 723 ++result;
724 break; 724 break;
725 } 725 }
726 } 726 }
727 } 727 }
728 break; 728 break;
729 case AUDIT_OBJ_GID: 729 case AUDIT_OBJ_GID:
730 if (name) { 730 if (name) {
731 result = audit_comparator(name->gid, f->op, f->val); 731 result = audit_comparator(name->gid, f->op, f->val);
732 } else if (ctx) { 732 } else if (ctx) {
733 list_for_each_entry(n, &ctx->names_list, list) { 733 list_for_each_entry(n, &ctx->names_list, list) {
734 if (audit_comparator(n->gid, f->op, f->val)) { 734 if (audit_comparator(n->gid, f->op, f->val)) {
735 ++result; 735 ++result;
736 break; 736 break;
737 } 737 }
738 } 738 }
739 } 739 }
740 break; 740 break;
741 case AUDIT_WATCH: 741 case AUDIT_WATCH:
742 if (name) 742 if (name)
743 result = audit_watch_compare(rule->watch, name->ino, name->dev); 743 result = audit_watch_compare(rule->watch, name->ino, name->dev);
744 break; 744 break;
745 case AUDIT_DIR: 745 case AUDIT_DIR:
746 if (ctx) 746 if (ctx)
747 result = match_tree_refs(ctx, rule->tree); 747 result = match_tree_refs(ctx, rule->tree);
748 break; 748 break;
749 case AUDIT_LOGINUID: 749 case AUDIT_LOGINUID:
750 result = 0; 750 result = 0;
751 if (ctx) 751 if (ctx)
752 result = audit_comparator(tsk->loginuid, f->op, f->val); 752 result = audit_comparator(tsk->loginuid, f->op, f->val);
753 break; 753 break;
754 case AUDIT_SUBJ_USER: 754 case AUDIT_SUBJ_USER:
755 case AUDIT_SUBJ_ROLE: 755 case AUDIT_SUBJ_ROLE:
756 case AUDIT_SUBJ_TYPE: 756 case AUDIT_SUBJ_TYPE:
757 case AUDIT_SUBJ_SEN: 757 case AUDIT_SUBJ_SEN:
758 case AUDIT_SUBJ_CLR: 758 case AUDIT_SUBJ_CLR:
759 /* NOTE: this may return negative values indicating 759 /* NOTE: this may return negative values indicating
760 a temporary error. We simply treat this as a 760 a temporary error. We simply treat this as a
761 match for now to avoid losing information that 761 match for now to avoid losing information that
762 may be wanted. An error message will also be 762 may be wanted. An error message will also be
763 logged upon error */ 763 logged upon error */
764 if (f->lsm_rule) { 764 if (f->lsm_rule) {
765 if (need_sid) { 765 if (need_sid) {
766 security_task_getsecid(tsk, &sid); 766 security_task_getsecid(tsk, &sid);
767 need_sid = 0; 767 need_sid = 0;
768 } 768 }
769 result = security_audit_rule_match(sid, f->type, 769 result = security_audit_rule_match(sid, f->type,
770 f->op, 770 f->op,
771 f->lsm_rule, 771 f->lsm_rule,
772 ctx); 772 ctx);
773 } 773 }
774 break; 774 break;
775 case AUDIT_OBJ_USER: 775 case AUDIT_OBJ_USER:
776 case AUDIT_OBJ_ROLE: 776 case AUDIT_OBJ_ROLE:
777 case AUDIT_OBJ_TYPE: 777 case AUDIT_OBJ_TYPE:
778 case AUDIT_OBJ_LEV_LOW: 778 case AUDIT_OBJ_LEV_LOW:
779 case AUDIT_OBJ_LEV_HIGH: 779 case AUDIT_OBJ_LEV_HIGH:
780 /* The above note for AUDIT_SUBJ_USER...AUDIT_SUBJ_CLR 780 /* The above note for AUDIT_SUBJ_USER...AUDIT_SUBJ_CLR
781 also applies here */ 781 also applies here */
782 if (f->lsm_rule) { 782 if (f->lsm_rule) {
783 /* Find files that match */ 783 /* Find files that match */
784 if (name) { 784 if (name) {
785 result = security_audit_rule_match( 785 result = security_audit_rule_match(
786 name->osid, f->type, f->op, 786 name->osid, f->type, f->op,
787 f->lsm_rule, ctx); 787 f->lsm_rule, ctx);
788 } else if (ctx) { 788 } else if (ctx) {
789 list_for_each_entry(n, &ctx->names_list, list) { 789 list_for_each_entry(n, &ctx->names_list, list) {
790 if (security_audit_rule_match(n->osid, f->type, 790 if (security_audit_rule_match(n->osid, f->type,
791 f->op, f->lsm_rule, 791 f->op, f->lsm_rule,
792 ctx)) { 792 ctx)) {
793 ++result; 793 ++result;
794 break; 794 break;
795 } 795 }
796 } 796 }
797 } 797 }
798 /* Find ipc objects that match */ 798 /* Find ipc objects that match */
799 if (!ctx || ctx->type != AUDIT_IPC) 799 if (!ctx || ctx->type != AUDIT_IPC)
800 break; 800 break;
801 if (security_audit_rule_match(ctx->ipc.osid, 801 if (security_audit_rule_match(ctx->ipc.osid,
802 f->type, f->op, 802 f->type, f->op,
803 f->lsm_rule, ctx)) 803 f->lsm_rule, ctx))
804 ++result; 804 ++result;
805 } 805 }
806 break; 806 break;
807 case AUDIT_ARG0: 807 case AUDIT_ARG0:
808 case AUDIT_ARG1: 808 case AUDIT_ARG1:
809 case AUDIT_ARG2: 809 case AUDIT_ARG2:
810 case AUDIT_ARG3: 810 case AUDIT_ARG3:
811 if (ctx) 811 if (ctx)
812 result = audit_comparator(ctx->argv[f->type-AUDIT_ARG0], f->op, f->val); 812 result = audit_comparator(ctx->argv[f->type-AUDIT_ARG0], f->op, f->val);
813 break; 813 break;
814 case AUDIT_FILTERKEY: 814 case AUDIT_FILTERKEY:
815 /* ignore this field for filtering */ 815 /* ignore this field for filtering */
816 result = 1; 816 result = 1;
817 break; 817 break;
818 case AUDIT_PERM: 818 case AUDIT_PERM:
819 result = audit_match_perm(ctx, f->val); 819 result = audit_match_perm(ctx, f->val);
820 break; 820 break;
821 case AUDIT_FILETYPE: 821 case AUDIT_FILETYPE:
822 result = audit_match_filetype(ctx, f->val); 822 result = audit_match_filetype(ctx, f->val);
823 break; 823 break;
824 case AUDIT_FIELD_COMPARE: 824 case AUDIT_FIELD_COMPARE:
825 result = audit_field_compare(tsk, cred, f, ctx, name); 825 result = audit_field_compare(tsk, cred, f, ctx, name);
826 break; 826 break;
827 } 827 }
828 if (!result) 828 if (!result)
829 return 0; 829 return 0;
830 } 830 }
831 831
832 if (ctx) { 832 if (ctx) {
833 if (rule->prio <= ctx->prio) 833 if (rule->prio <= ctx->prio)
834 return 0; 834 return 0;
835 if (rule->filterkey) { 835 if (rule->filterkey) {
836 kfree(ctx->filterkey); 836 kfree(ctx->filterkey);
837 ctx->filterkey = kstrdup(rule->filterkey, GFP_ATOMIC); 837 ctx->filterkey = kstrdup(rule->filterkey, GFP_ATOMIC);
838 } 838 }
839 ctx->prio = rule->prio; 839 ctx->prio = rule->prio;
840 } 840 }
841 switch (rule->action) { 841 switch (rule->action) {
842 case AUDIT_NEVER: *state = AUDIT_DISABLED; break; 842 case AUDIT_NEVER: *state = AUDIT_DISABLED; break;
843 case AUDIT_ALWAYS: *state = AUDIT_RECORD_CONTEXT; break; 843 case AUDIT_ALWAYS: *state = AUDIT_RECORD_CONTEXT; break;
844 } 844 }
845 return 1; 845 return 1;
846 } 846 }
847 847
848 /* At process creation time, we can determine if system-call auditing is 848 /* At process creation time, we can determine if system-call auditing is
849 * completely disabled for this task. Since we only have the task 849 * completely disabled for this task. Since we only have the task
850 * structure at this point, we can only check uid and gid. 850 * structure at this point, we can only check uid and gid.
851 */ 851 */
852 static enum audit_state audit_filter_task(struct task_struct *tsk, char **key) 852 static enum audit_state audit_filter_task(struct task_struct *tsk, char **key)
853 { 853 {
854 struct audit_entry *e; 854 struct audit_entry *e;
855 enum audit_state state; 855 enum audit_state state;
856 856
857 rcu_read_lock(); 857 rcu_read_lock();
858 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TASK], list) { 858 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TASK], list) {
859 if (audit_filter_rules(tsk, &e->rule, NULL, NULL, 859 if (audit_filter_rules(tsk, &e->rule, NULL, NULL,
860 &state, true)) { 860 &state, true)) {
861 if (state == AUDIT_RECORD_CONTEXT) 861 if (state == AUDIT_RECORD_CONTEXT)
862 *key = kstrdup(e->rule.filterkey, GFP_ATOMIC); 862 *key = kstrdup(e->rule.filterkey, GFP_ATOMIC);
863 rcu_read_unlock(); 863 rcu_read_unlock();
864 return state; 864 return state;
865 } 865 }
866 } 866 }
867 rcu_read_unlock(); 867 rcu_read_unlock();
868 return AUDIT_BUILD_CONTEXT; 868 return AUDIT_BUILD_CONTEXT;
869 } 869 }
870 870
871 /* At syscall entry and exit time, this filter is called if the 871 /* At syscall entry and exit time, this filter is called if the
872 * audit_state is not low enough that auditing cannot take place, but is 872 * audit_state is not low enough that auditing cannot take place, but is
873 * also not high enough that we already know we have to write an audit 873 * also not high enough that we already know we have to write an audit
874 * record (i.e., the state is AUDIT_SETUP_CONTEXT or AUDIT_BUILD_CONTEXT). 874 * record (i.e., the state is AUDIT_SETUP_CONTEXT or AUDIT_BUILD_CONTEXT).
875 */ 875 */
876 static enum audit_state audit_filter_syscall(struct task_struct *tsk, 876 static enum audit_state audit_filter_syscall(struct task_struct *tsk,
877 struct audit_context *ctx, 877 struct audit_context *ctx,
878 struct list_head *list) 878 struct list_head *list)
879 { 879 {
880 struct audit_entry *e; 880 struct audit_entry *e;
881 enum audit_state state; 881 enum audit_state state;
882 882
883 if (audit_pid && tsk->tgid == audit_pid) 883 if (audit_pid && tsk->tgid == audit_pid)
884 return AUDIT_DISABLED; 884 return AUDIT_DISABLED;
885 885
886 rcu_read_lock(); 886 rcu_read_lock();
887 if (!list_empty(list)) { 887 if (!list_empty(list)) {
888 int word = AUDIT_WORD(ctx->major); 888 int word = AUDIT_WORD(ctx->major);
889 int bit = AUDIT_BIT(ctx->major); 889 int bit = AUDIT_BIT(ctx->major);
890 890
891 list_for_each_entry_rcu(e, list, list) { 891 list_for_each_entry_rcu(e, list, list) {
892 if ((e->rule.mask[word] & bit) == bit && 892 if ((e->rule.mask[word] & bit) == bit &&
893 audit_filter_rules(tsk, &e->rule, ctx, NULL, 893 audit_filter_rules(tsk, &e->rule, ctx, NULL,
894 &state, false)) { 894 &state, false)) {
895 rcu_read_unlock(); 895 rcu_read_unlock();
896 ctx->current_state = state; 896 ctx->current_state = state;
897 return state; 897 return state;
898 } 898 }
899 } 899 }
900 } 900 }
901 rcu_read_unlock(); 901 rcu_read_unlock();
902 return AUDIT_BUILD_CONTEXT; 902 return AUDIT_BUILD_CONTEXT;
903 } 903 }
904 904
905 /* 905 /*
906 * Given an audit_name check the inode hash table to see if they match. 906 * Given an audit_name check the inode hash table to see if they match.
907 * Called holding the rcu read lock to protect the use of audit_inode_hash 907 * Called holding the rcu read lock to protect the use of audit_inode_hash
908 */ 908 */
909 static int audit_filter_inode_name(struct task_struct *tsk, 909 static int audit_filter_inode_name(struct task_struct *tsk,
910 struct audit_names *n, 910 struct audit_names *n,
911 struct audit_context *ctx) { 911 struct audit_context *ctx) {
912 int word, bit; 912 int word, bit;
913 int h = audit_hash_ino((u32)n->ino); 913 int h = audit_hash_ino((u32)n->ino);
914 struct list_head *list = &audit_inode_hash[h]; 914 struct list_head *list = &audit_inode_hash[h];
915 struct audit_entry *e; 915 struct audit_entry *e;
916 enum audit_state state; 916 enum audit_state state;
917 917
918 word = AUDIT_WORD(ctx->major); 918 word = AUDIT_WORD(ctx->major);
919 bit = AUDIT_BIT(ctx->major); 919 bit = AUDIT_BIT(ctx->major);
920 920
921 if (list_empty(list)) 921 if (list_empty(list))
922 return 0; 922 return 0;
923 923
924 list_for_each_entry_rcu(e, list, list) { 924 list_for_each_entry_rcu(e, list, list) {
925 if ((e->rule.mask[word] & bit) == bit && 925 if ((e->rule.mask[word] & bit) == bit &&
926 audit_filter_rules(tsk, &e->rule, ctx, n, &state, false)) { 926 audit_filter_rules(tsk, &e->rule, ctx, n, &state, false)) {
927 ctx->current_state = state; 927 ctx->current_state = state;
928 return 1; 928 return 1;
929 } 929 }
930 } 930 }
931 931
932 return 0; 932 return 0;
933 } 933 }
934 934
935 /* At syscall exit time, this filter is called if any audit_names have been 935 /* At syscall exit time, this filter is called if any audit_names have been
936 * collected during syscall processing. We only check rules in sublists at hash 936 * collected during syscall processing. We only check rules in sublists at hash
937 * buckets applicable to the inode numbers in audit_names. 937 * buckets applicable to the inode numbers in audit_names.
938 * Regarding audit_state, same rules apply as for audit_filter_syscall(). 938 * Regarding audit_state, same rules apply as for audit_filter_syscall().
939 */ 939 */
940 void audit_filter_inodes(struct task_struct *tsk, struct audit_context *ctx) 940 void audit_filter_inodes(struct task_struct *tsk, struct audit_context *ctx)
941 { 941 {
942 struct audit_names *n; 942 struct audit_names *n;
943 943
944 if (audit_pid && tsk->tgid == audit_pid) 944 if (audit_pid && tsk->tgid == audit_pid)
945 return; 945 return;
946 946
947 rcu_read_lock(); 947 rcu_read_lock();
948 948
949 list_for_each_entry(n, &ctx->names_list, list) { 949 list_for_each_entry(n, &ctx->names_list, list) {
950 if (audit_filter_inode_name(tsk, n, ctx)) 950 if (audit_filter_inode_name(tsk, n, ctx))
951 break; 951 break;
952 } 952 }
953 rcu_read_unlock(); 953 rcu_read_unlock();
954 } 954 }
955 955
956 static inline struct audit_context *audit_get_context(struct task_struct *tsk, 956 static inline struct audit_context *audit_get_context(struct task_struct *tsk,
957 int return_valid, 957 int return_valid,
958 long return_code) 958 long return_code)
959 { 959 {
960 struct audit_context *context = tsk->audit_context; 960 struct audit_context *context = tsk->audit_context;
961 961
962 if (!context) 962 if (!context)
963 return NULL; 963 return NULL;
964 context->return_valid = return_valid; 964 context->return_valid = return_valid;
965 965
966 /* 966 /*
967 * we need to fix up the return code in the audit logs if the actual 967 * we need to fix up the return code in the audit logs if the actual
968 * return codes are later going to be fixed up by the arch specific 968 * return codes are later going to be fixed up by the arch specific
969 * signal handlers 969 * signal handlers
970 * 970 *
971 * This is actually a test for: 971 * This is actually a test for:
972 * (rc == ERESTARTSYS ) || (rc == ERESTARTNOINTR) || 972 * (rc == ERESTARTSYS ) || (rc == ERESTARTNOINTR) ||
973 * (rc == ERESTARTNOHAND) || (rc == ERESTART_RESTARTBLOCK) 973 * (rc == ERESTARTNOHAND) || (rc == ERESTART_RESTARTBLOCK)
974 * 974 *
975 * but is faster than a bunch of || 975 * but is faster than a bunch of ||
976 */ 976 */
977 if (unlikely(return_code <= -ERESTARTSYS) && 977 if (unlikely(return_code <= -ERESTARTSYS) &&
978 (return_code >= -ERESTART_RESTARTBLOCK) && 978 (return_code >= -ERESTART_RESTARTBLOCK) &&
979 (return_code != -ENOIOCTLCMD)) 979 (return_code != -ENOIOCTLCMD))
980 context->return_code = -EINTR; 980 context->return_code = -EINTR;
981 else 981 else
982 context->return_code = return_code; 982 context->return_code = return_code;
983 983
984 if (context->in_syscall && !context->dummy) { 984 if (context->in_syscall && !context->dummy) {
985 audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_EXIT]); 985 audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_EXIT]);
986 audit_filter_inodes(tsk, context); 986 audit_filter_inodes(tsk, context);
987 } 987 }
988 988
989 tsk->audit_context = NULL; 989 tsk->audit_context = NULL;
990 return context; 990 return context;
991 } 991 }
992 992
993 static inline void audit_free_names(struct audit_context *context) 993 static inline void audit_free_names(struct audit_context *context)
994 { 994 {
995 struct audit_names *n, *next; 995 struct audit_names *n, *next;
996 996
997 #if AUDIT_DEBUG == 2 997 #if AUDIT_DEBUG == 2
998 if (context->put_count + context->ino_count != context->name_count) { 998 if (context->put_count + context->ino_count != context->name_count) {
999 printk(KERN_ERR "%s:%d(:%d): major=%d in_syscall=%d" 999 printk(KERN_ERR "%s:%d(:%d): major=%d in_syscall=%d"
1000 " name_count=%d put_count=%d" 1000 " name_count=%d put_count=%d"
1001 " ino_count=%d [NOT freeing]\n", 1001 " ino_count=%d [NOT freeing]\n",
1002 __FILE__, __LINE__, 1002 __FILE__, __LINE__,
1003 context->serial, context->major, context->in_syscall, 1003 context->serial, context->major, context->in_syscall,
1004 context->name_count, context->put_count, 1004 context->name_count, context->put_count,
1005 context->ino_count); 1005 context->ino_count);
1006 list_for_each_entry(n, &context->names_list, list) { 1006 list_for_each_entry(n, &context->names_list, list) {
1007 printk(KERN_ERR "names[%d] = %p = %s\n", i, 1007 printk(KERN_ERR "names[%d] = %p = %s\n", i,
1008 n->name, n->name ?: "(null)"); 1008 n->name, n->name ?: "(null)");
1009 } 1009 }
1010 dump_stack(); 1010 dump_stack();
1011 return; 1011 return;
1012 } 1012 }
1013 #endif 1013 #endif
1014 #if AUDIT_DEBUG 1014 #if AUDIT_DEBUG
1015 context->put_count = 0; 1015 context->put_count = 0;
1016 context->ino_count = 0; 1016 context->ino_count = 0;
1017 #endif 1017 #endif
1018 1018
1019 list_for_each_entry_safe(n, next, &context->names_list, list) { 1019 list_for_each_entry_safe(n, next, &context->names_list, list) {
1020 list_del(&n->list); 1020 list_del(&n->list);
1021 if (n->name && n->name_put) 1021 if (n->name && n->name_put)
1022 __putname(n->name); 1022 __putname(n->name);
1023 if (n->should_free) 1023 if (n->should_free)
1024 kfree(n); 1024 kfree(n);
1025 } 1025 }
1026 context->name_count = 0; 1026 context->name_count = 0;
1027 path_put(&context->pwd); 1027 path_put(&context->pwd);
1028 context->pwd.dentry = NULL; 1028 context->pwd.dentry = NULL;
1029 context->pwd.mnt = NULL; 1029 context->pwd.mnt = NULL;
1030 } 1030 }
1031 1031
1032 static inline void audit_free_aux(struct audit_context *context) 1032 static inline void audit_free_aux(struct audit_context *context)
1033 { 1033 {
1034 struct audit_aux_data *aux; 1034 struct audit_aux_data *aux;
1035 1035
1036 while ((aux = context->aux)) { 1036 while ((aux = context->aux)) {
1037 context->aux = aux->next; 1037 context->aux = aux->next;
1038 kfree(aux); 1038 kfree(aux);
1039 } 1039 }
1040 while ((aux = context->aux_pids)) { 1040 while ((aux = context->aux_pids)) {
1041 context->aux_pids = aux->next; 1041 context->aux_pids = aux->next;
1042 kfree(aux); 1042 kfree(aux);
1043 } 1043 }
1044 } 1044 }
1045 1045
1046 static inline void audit_zero_context(struct audit_context *context, 1046 static inline void audit_zero_context(struct audit_context *context,
1047 enum audit_state state) 1047 enum audit_state state)
1048 { 1048 {
1049 memset(context, 0, sizeof(*context)); 1049 memset(context, 0, sizeof(*context));
1050 context->state = state; 1050 context->state = state;
1051 context->prio = state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0; 1051 context->prio = state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0;
1052 } 1052 }
1053 1053
1054 static inline struct audit_context *audit_alloc_context(enum audit_state state) 1054 static inline struct audit_context *audit_alloc_context(enum audit_state state)
1055 { 1055 {
1056 struct audit_context *context; 1056 struct audit_context *context;
1057 1057
1058 if (!(context = kmalloc(sizeof(*context), GFP_KERNEL))) 1058 if (!(context = kmalloc(sizeof(*context), GFP_KERNEL)))
1059 return NULL; 1059 return NULL;
1060 audit_zero_context(context, state); 1060 audit_zero_context(context, state);
1061 INIT_LIST_HEAD(&context->killed_trees); 1061 INIT_LIST_HEAD(&context->killed_trees);
1062 INIT_LIST_HEAD(&context->names_list); 1062 INIT_LIST_HEAD(&context->names_list);
1063 return context; 1063 return context;
1064 } 1064 }
1065 1065
1066 /** 1066 /**
1067 * audit_alloc - allocate an audit context block for a task 1067 * audit_alloc - allocate an audit context block for a task
1068 * @tsk: task 1068 * @tsk: task
1069 * 1069 *
1070 * Filter on the task information and allocate a per-task audit context 1070 * Filter on the task information and allocate a per-task audit context
1071 * if necessary. Doing so turns on system call auditing for the 1071 * if necessary. Doing so turns on system call auditing for the
1072 * specified task. This is called from copy_process, so no lock is 1072 * specified task. This is called from copy_process, so no lock is
1073 * needed. 1073 * needed.
1074 */ 1074 */
1075 int audit_alloc(struct task_struct *tsk) 1075 int audit_alloc(struct task_struct *tsk)
1076 { 1076 {
1077 struct audit_context *context; 1077 struct audit_context *context;
1078 enum audit_state state; 1078 enum audit_state state;
1079 char *key = NULL; 1079 char *key = NULL;
1080 1080
1081 if (likely(!audit_ever_enabled)) 1081 if (likely(!audit_ever_enabled))
1082 return 0; /* Return if not auditing. */ 1082 return 0; /* Return if not auditing. */
1083 1083
1084 state = audit_filter_task(tsk, &key); 1084 state = audit_filter_task(tsk, &key);
1085 if (state == AUDIT_DISABLED) 1085 if (state == AUDIT_DISABLED)
1086 return 0; 1086 return 0;
1087 1087
1088 if (!(context = audit_alloc_context(state))) { 1088 if (!(context = audit_alloc_context(state))) {
1089 kfree(key); 1089 kfree(key);
1090 audit_log_lost("out of memory in audit_alloc"); 1090 audit_log_lost("out of memory in audit_alloc");
1091 return -ENOMEM; 1091 return -ENOMEM;
1092 } 1092 }
1093 context->filterkey = key; 1093 context->filterkey = key;
1094 1094
1095 tsk->audit_context = context; 1095 tsk->audit_context = context;
1096 set_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT); 1096 set_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT);
1097 return 0; 1097 return 0;
1098 } 1098 }
1099 1099
1100 static inline void audit_free_context(struct audit_context *context) 1100 static inline void audit_free_context(struct audit_context *context)
1101 { 1101 {
1102 struct audit_context *previous; 1102 struct audit_context *previous;
1103 int count = 0; 1103 int count = 0;
1104 1104
1105 do { 1105 do {
1106 previous = context->previous; 1106 previous = context->previous;
1107 if (previous || (count && count < 10)) { 1107 if (previous || (count && count < 10)) {
1108 ++count; 1108 ++count;
1109 printk(KERN_ERR "audit(:%d): major=%d name_count=%d:" 1109 printk(KERN_ERR "audit(:%d): major=%d name_count=%d:"
1110 " freeing multiple contexts (%d)\n", 1110 " freeing multiple contexts (%d)\n",
1111 context->serial, context->major, 1111 context->serial, context->major,
1112 context->name_count, count); 1112 context->name_count, count);
1113 } 1113 }
1114 audit_free_names(context); 1114 audit_free_names(context);
1115 unroll_tree_refs(context, NULL, 0); 1115 unroll_tree_refs(context, NULL, 0);
1116 free_tree_refs(context); 1116 free_tree_refs(context);
1117 audit_free_aux(context); 1117 audit_free_aux(context);
1118 kfree(context->filterkey); 1118 kfree(context->filterkey);
1119 kfree(context->sockaddr); 1119 kfree(context->sockaddr);
1120 kfree(context); 1120 kfree(context);
1121 context = previous; 1121 context = previous;
1122 } while (context); 1122 } while (context);
1123 if (count >= 10) 1123 if (count >= 10)
1124 printk(KERN_ERR "audit: freed %d contexts\n", count); 1124 printk(KERN_ERR "audit: freed %d contexts\n", count);
1125 } 1125 }
1126 1126
1127 void audit_log_task_context(struct audit_buffer *ab) 1127 void audit_log_task_context(struct audit_buffer *ab)
1128 { 1128 {
1129 char *ctx = NULL; 1129 char *ctx = NULL;
1130 unsigned len; 1130 unsigned len;
1131 int error; 1131 int error;
1132 u32 sid; 1132 u32 sid;
1133 1133
1134 security_task_getsecid(current, &sid); 1134 security_task_getsecid(current, &sid);
1135 if (!sid) 1135 if (!sid)
1136 return; 1136 return;
1137 1137
1138 error = security_secid_to_secctx(sid, &ctx, &len); 1138 error = security_secid_to_secctx(sid, &ctx, &len);
1139 if (error) { 1139 if (error) {
1140 if (error != -EINVAL) 1140 if (error != -EINVAL)
1141 goto error_path; 1141 goto error_path;
1142 return; 1142 return;
1143 } 1143 }
1144 1144
1145 audit_log_format(ab, " subj=%s", ctx); 1145 audit_log_format(ab, " subj=%s", ctx);
1146 security_release_secctx(ctx, len); 1146 security_release_secctx(ctx, len);
1147 return; 1147 return;
1148 1148
1149 error_path: 1149 error_path:
1150 audit_panic("error in audit_log_task_context"); 1150 audit_panic("error in audit_log_task_context");
1151 return; 1151 return;
1152 } 1152 }
1153 1153
1154 EXPORT_SYMBOL(audit_log_task_context); 1154 EXPORT_SYMBOL(audit_log_task_context);
1155 1155
1156 static void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk) 1156 static void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
1157 { 1157 {
1158 char name[sizeof(tsk->comm)]; 1158 char name[sizeof(tsk->comm)];
1159 struct mm_struct *mm = tsk->mm; 1159 struct mm_struct *mm = tsk->mm;
1160 struct vm_area_struct *vma; 1160 struct vm_area_struct *vma;
1161 1161
1162 /* tsk == current */ 1162 /* tsk == current */
1163 1163
1164 get_task_comm(name, tsk); 1164 get_task_comm(name, tsk);
1165 audit_log_format(ab, " comm="); 1165 audit_log_format(ab, " comm=");
1166 audit_log_untrustedstring(ab, name); 1166 audit_log_untrustedstring(ab, name);
1167 1167
1168 if (mm) { 1168 if (mm) {
1169 down_read(&mm->mmap_sem); 1169 down_read(&mm->mmap_sem);
1170 vma = mm->mmap; 1170 vma = mm->mmap;
1171 while (vma) { 1171 while (vma) {
1172 if ((vma->vm_flags & VM_EXECUTABLE) && 1172 if ((vma->vm_flags & VM_EXECUTABLE) &&
1173 vma->vm_file) { 1173 vma->vm_file) {
1174 audit_log_d_path(ab, " exe=", 1174 audit_log_d_path(ab, " exe=",
1175 &vma->vm_file->f_path); 1175 &vma->vm_file->f_path);
1176 break; 1176 break;
1177 } 1177 }
1178 vma = vma->vm_next; 1178 vma = vma->vm_next;
1179 } 1179 }
1180 up_read(&mm->mmap_sem); 1180 up_read(&mm->mmap_sem);
1181 } 1181 }
1182 audit_log_task_context(ab); 1182 audit_log_task_context(ab);
1183 } 1183 }
1184 1184
1185 static int audit_log_pid_context(struct audit_context *context, pid_t pid, 1185 static int audit_log_pid_context(struct audit_context *context, pid_t pid,
1186 uid_t auid, uid_t uid, unsigned int sessionid, 1186 uid_t auid, uid_t uid, unsigned int sessionid,
1187 u32 sid, char *comm) 1187 u32 sid, char *comm)
1188 { 1188 {
1189 struct audit_buffer *ab; 1189 struct audit_buffer *ab;
1190 char *ctx = NULL; 1190 char *ctx = NULL;
1191 u32 len; 1191 u32 len;
1192 int rc = 0; 1192 int rc = 0;
1193 1193
1194 ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID); 1194 ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID);
1195 if (!ab) 1195 if (!ab)
1196 return rc; 1196 return rc;
1197 1197
1198 audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid, auid, 1198 audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid, auid,
1199 uid, sessionid); 1199 uid, sessionid);
1200 if (security_secid_to_secctx(sid, &ctx, &len)) { 1200 if (security_secid_to_secctx(sid, &ctx, &len)) {
1201 audit_log_format(ab, " obj=(none)"); 1201 audit_log_format(ab, " obj=(none)");
1202 rc = 1; 1202 rc = 1;
1203 } else { 1203 } else {
1204 audit_log_format(ab, " obj=%s", ctx); 1204 audit_log_format(ab, " obj=%s", ctx);
1205 security_release_secctx(ctx, len); 1205 security_release_secctx(ctx, len);
1206 } 1206 }
1207 audit_log_format(ab, " ocomm="); 1207 audit_log_format(ab, " ocomm=");
1208 audit_log_untrustedstring(ab, comm); 1208 audit_log_untrustedstring(ab, comm);
1209 audit_log_end(ab); 1209 audit_log_end(ab);
1210 1210
1211 return rc; 1211 return rc;
1212 } 1212 }
1213 1213
1214 /* 1214 /*
1215 * to_send and len_sent accounting are very loose estimates. We aren't 1215 * to_send and len_sent accounting are very loose estimates. We aren't
1216 * really worried about a hard cap to MAX_EXECVE_AUDIT_LEN so much as being 1216 * really worried about a hard cap to MAX_EXECVE_AUDIT_LEN so much as being
1217 * within about 500 bytes (next page boundary) 1217 * within about 500 bytes (next page boundary)
1218 * 1218 *
1219 * why snprintf? an int is up to 12 digits long. if we just assumed when 1219 * why snprintf? an int is up to 12 digits long. if we just assumed when
1220 * logging that a[%d]= was going to be 16 characters long we would be wasting 1220 * logging that a[%d]= was going to be 16 characters long we would be wasting
1221 * space in every audit message. In one 7500 byte message we can log up to 1221 * space in every audit message. In one 7500 byte message we can log up to
1222 * about 1000 min size arguments. That comes down to about 50% waste of space 1222 * about 1000 min size arguments. That comes down to about 50% waste of space
1223 * if we didn't do the snprintf to find out how long arg_num_len was. 1223 * if we didn't do the snprintf to find out how long arg_num_len was.
1224 */ 1224 */
1225 static int audit_log_single_execve_arg(struct audit_context *context, 1225 static int audit_log_single_execve_arg(struct audit_context *context,
1226 struct audit_buffer **ab, 1226 struct audit_buffer **ab,
1227 int arg_num, 1227 int arg_num,
1228 size_t *len_sent, 1228 size_t *len_sent,
1229 const char __user *p, 1229 const char __user *p,
1230 char *buf) 1230 char *buf)
1231 { 1231 {
1232 char arg_num_len_buf[12]; 1232 char arg_num_len_buf[12];
1233 const char __user *tmp_p = p; 1233 const char __user *tmp_p = p;
1234 /* how many digits are in arg_num? 5 is the length of ' a=""' */ 1234 /* how many digits are in arg_num? 5 is the length of ' a=""' */
1235 size_t arg_num_len = snprintf(arg_num_len_buf, 12, "%d", arg_num) + 5; 1235 size_t arg_num_len = snprintf(arg_num_len_buf, 12, "%d", arg_num) + 5;
1236 size_t len, len_left, to_send; 1236 size_t len, len_left, to_send;
1237 size_t max_execve_audit_len = MAX_EXECVE_AUDIT_LEN; 1237 size_t max_execve_audit_len = MAX_EXECVE_AUDIT_LEN;
1238 unsigned int i, has_cntl = 0, too_long = 0; 1238 unsigned int i, has_cntl = 0, too_long = 0;
1239 int ret; 1239 int ret;
1240 1240
1241 /* strnlen_user includes the null we don't want to send */ 1241 /* strnlen_user includes the null we don't want to send */
1242 len_left = len = strnlen_user(p, MAX_ARG_STRLEN) - 1; 1242 len_left = len = strnlen_user(p, MAX_ARG_STRLEN) - 1;
1243 1243
1244 /* 1244 /*
1245 * We just created this mm, if we can't find the strings 1245 * We just created this mm, if we can't find the strings
1246 * we just copied into it something is _very_ wrong. Similar 1246 * we just copied into it something is _very_ wrong. Similar
1247 * for strings that are too long, we should not have created 1247 * for strings that are too long, we should not have created
1248 * any. 1248 * any.
1249 */ 1249 */
1250 if (unlikely((len == -1) || len > MAX_ARG_STRLEN - 1)) { 1250 if (unlikely((len == -1) || len > MAX_ARG_STRLEN - 1)) {
1251 WARN_ON(1); 1251 WARN_ON(1);
1252 send_sig(SIGKILL, current, 0); 1252 send_sig(SIGKILL, current, 0);
1253 return -1; 1253 return -1;
1254 } 1254 }
1255 1255
1256 /* walk the whole argument looking for non-ascii chars */ 1256 /* walk the whole argument looking for non-ascii chars */
1257 do { 1257 do {
1258 if (len_left > MAX_EXECVE_AUDIT_LEN) 1258 if (len_left > MAX_EXECVE_AUDIT_LEN)
1259 to_send = MAX_EXECVE_AUDIT_LEN; 1259 to_send = MAX_EXECVE_AUDIT_LEN;
1260 else 1260 else
1261 to_send = len_left; 1261 to_send = len_left;
1262 ret = copy_from_user(buf, tmp_p, to_send); 1262 ret = copy_from_user(buf, tmp_p, to_send);
1263 /* 1263 /*
1264 * There is no reason for this copy to be short. We just 1264 * There is no reason for this copy to be short. We just
1265 * copied them here, and the mm hasn't been exposed to user- 1265 * copied them here, and the mm hasn't been exposed to user-
1266 * space yet. 1266 * space yet.
1267 */ 1267 */
1268 if (ret) { 1268 if (ret) {
1269 WARN_ON(1); 1269 WARN_ON(1);
1270 send_sig(SIGKILL, current, 0); 1270 send_sig(SIGKILL, current, 0);
1271 return -1; 1271 return -1;
1272 } 1272 }
1273 buf[to_send] = '\0'; 1273 buf[to_send] = '\0';
1274 has_cntl = audit_string_contains_control(buf, to_send); 1274 has_cntl = audit_string_contains_control(buf, to_send);
1275 if (has_cntl) { 1275 if (has_cntl) {
1276 /* 1276 /*
1277 * hex messages get logged as 2 bytes, so we can only 1277 * hex messages get logged as 2 bytes, so we can only
1278 * send half as much in each message 1278 * send half as much in each message
1279 */ 1279 */
1280 max_execve_audit_len = MAX_EXECVE_AUDIT_LEN / 2; 1280 max_execve_audit_len = MAX_EXECVE_AUDIT_LEN / 2;
1281 break; 1281 break;
1282 } 1282 }
1283 len_left -= to_send; 1283 len_left -= to_send;
1284 tmp_p += to_send; 1284 tmp_p += to_send;
1285 } while (len_left > 0); 1285 } while (len_left > 0);
1286 1286
1287 len_left = len; 1287 len_left = len;
1288 1288
1289 if (len > max_execve_audit_len) 1289 if (len > max_execve_audit_len)
1290 too_long = 1; 1290 too_long = 1;
1291 1291
1292 /* rewalk the argument actually logging the message */ 1292 /* rewalk the argument actually logging the message */
1293 for (i = 0; len_left > 0; i++) { 1293 for (i = 0; len_left > 0; i++) {
1294 int room_left; 1294 int room_left;
1295 1295
1296 if (len_left > max_execve_audit_len) 1296 if (len_left > max_execve_audit_len)
1297 to_send = max_execve_audit_len; 1297 to_send = max_execve_audit_len;
1298 else 1298 else
1299 to_send = len_left; 1299 to_send = len_left;
1300 1300
1301 /* do we have space left to send this argument in this ab? */ 1301 /* do we have space left to send this argument in this ab? */
1302 room_left = MAX_EXECVE_AUDIT_LEN - arg_num_len - *len_sent; 1302 room_left = MAX_EXECVE_AUDIT_LEN - arg_num_len - *len_sent;
1303 if (has_cntl) 1303 if (has_cntl)
1304 room_left -= (to_send * 2); 1304 room_left -= (to_send * 2);
1305 else 1305 else
1306 room_left -= to_send; 1306 room_left -= to_send;
1307 if (room_left < 0) { 1307 if (room_left < 0) {
1308 *len_sent = 0; 1308 *len_sent = 0;
1309 audit_log_end(*ab); 1309 audit_log_end(*ab);
1310 *ab = audit_log_start(context, GFP_KERNEL, AUDIT_EXECVE); 1310 *ab = audit_log_start(context, GFP_KERNEL, AUDIT_EXECVE);
1311 if (!*ab) 1311 if (!*ab)
1312 return 0; 1312 return 0;
1313 } 1313 }
1314 1314
1315 /* 1315 /*
1316 * first record needs to say how long the original string was 1316 * first record needs to say how long the original string was
1317 * so we can be sure nothing was lost. 1317 * so we can be sure nothing was lost.
1318 */ 1318 */
1319 if ((i == 0) && (too_long)) 1319 if ((i == 0) && (too_long))
1320 audit_log_format(*ab, " a%d_len=%zu", arg_num, 1320 audit_log_format(*ab, " a%d_len=%zu", arg_num,
1321 has_cntl ? 2*len : len); 1321 has_cntl ? 2*len : len);
1322 1322
1323 /* 1323 /*
1324 * normally arguments are small enough to fit and we already 1324 * normally arguments are small enough to fit and we already
1325 * filled buf above when we checked for control characters 1325 * filled buf above when we checked for control characters
1326 * so don't bother with another copy_from_user 1326 * so don't bother with another copy_from_user
1327 */ 1327 */
1328 if (len >= max_execve_audit_len) 1328 if (len >= max_execve_audit_len)
1329 ret = copy_from_user(buf, p, to_send); 1329 ret = copy_from_user(buf, p, to_send);
1330 else 1330 else
1331 ret = 0; 1331 ret = 0;
1332 if (ret) { 1332 if (ret) {
1333 WARN_ON(1); 1333 WARN_ON(1);
1334 send_sig(SIGKILL, current, 0); 1334 send_sig(SIGKILL, current, 0);
1335 return -1; 1335 return -1;
1336 } 1336 }
1337 buf[to_send] = '\0'; 1337 buf[to_send] = '\0';
1338 1338
1339 /* actually log it */ 1339 /* actually log it */
1340 audit_log_format(*ab, " a%d", arg_num); 1340 audit_log_format(*ab, " a%d", arg_num);
1341 if (too_long) 1341 if (too_long)
1342 audit_log_format(*ab, "[%d]", i); 1342 audit_log_format(*ab, "[%d]", i);
1343 audit_log_format(*ab, "="); 1343 audit_log_format(*ab, "=");
1344 if (has_cntl) 1344 if (has_cntl)
1345 audit_log_n_hex(*ab, buf, to_send); 1345 audit_log_n_hex(*ab, buf, to_send);
1346 else 1346 else
1347 audit_log_string(*ab, buf); 1347 audit_log_string(*ab, buf);
1348 1348
1349 p += to_send; 1349 p += to_send;
1350 len_left -= to_send; 1350 len_left -= to_send;
1351 *len_sent += arg_num_len; 1351 *len_sent += arg_num_len;
1352 if (has_cntl) 1352 if (has_cntl)
1353 *len_sent += to_send * 2; 1353 *len_sent += to_send * 2;
1354 else 1354 else
1355 *len_sent += to_send; 1355 *len_sent += to_send;
1356 } 1356 }
1357 /* include the null we didn't log */ 1357 /* include the null we didn't log */
1358 return len + 1; 1358 return len + 1;
1359 } 1359 }
1360 1360
1361 static void audit_log_execve_info(struct audit_context *context, 1361 static void audit_log_execve_info(struct audit_context *context,
1362 struct audit_buffer **ab, 1362 struct audit_buffer **ab,
1363 struct audit_aux_data_execve *axi) 1363 struct audit_aux_data_execve *axi)
1364 { 1364 {
1365 int i, len; 1365 int i, len;
1366 size_t len_sent = 0; 1366 size_t len_sent = 0;
1367 const char __user *p; 1367 const char __user *p;
1368 char *buf; 1368 char *buf;
1369 1369
1370 if (axi->mm != current->mm) 1370 if (axi->mm != current->mm)
1371 return; /* execve failed, no additional info */ 1371 return; /* execve failed, no additional info */
1372 1372
1373 p = (const char __user *)axi->mm->arg_start; 1373 p = (const char __user *)axi->mm->arg_start;
1374 1374
1375 audit_log_format(*ab, "argc=%d", axi->argc); 1375 audit_log_format(*ab, "argc=%d", axi->argc);
1376 1376
1377 /* 1377 /*
1378 * we need some kernel buffer to hold the userspace args. Just 1378 * we need some kernel buffer to hold the userspace args. Just
1379 * allocate one big one rather than allocating one of the right size 1379 * allocate one big one rather than allocating one of the right size
1380 * for every single argument inside audit_log_single_execve_arg() 1380 * for every single argument inside audit_log_single_execve_arg()
1381 * should be <8k allocation so should be pretty safe. 1381 * should be <8k allocation so should be pretty safe.
1382 */ 1382 */
1383 buf = kmalloc(MAX_EXECVE_AUDIT_LEN + 1, GFP_KERNEL); 1383 buf = kmalloc(MAX_EXECVE_AUDIT_LEN + 1, GFP_KERNEL);
1384 if (!buf) { 1384 if (!buf) {
1385 audit_panic("out of memory for argv string\n"); 1385 audit_panic("out of memory for argv string\n");
1386 return; 1386 return;
1387 } 1387 }
1388 1388
1389 for (i = 0; i < axi->argc; i++) { 1389 for (i = 0; i < axi->argc; i++) {
1390 len = audit_log_single_execve_arg(context, ab, i, 1390 len = audit_log_single_execve_arg(context, ab, i,
1391 &len_sent, p, buf); 1391 &len_sent, p, buf);
1392 if (len <= 0) 1392 if (len <= 0)
1393 break; 1393 break;
1394 p += len; 1394 p += len;
1395 } 1395 }
1396 kfree(buf); 1396 kfree(buf);
1397 } 1397 }
1398 1398
1399 static void audit_log_cap(struct audit_buffer *ab, char *prefix, kernel_cap_t *cap) 1399 static void audit_log_cap(struct audit_buffer *ab, char *prefix, kernel_cap_t *cap)
1400 { 1400 {
1401 int i; 1401 int i;
1402 1402
1403 audit_log_format(ab, " %s=", prefix); 1403 audit_log_format(ab, " %s=", prefix);
1404 CAP_FOR_EACH_U32(i) { 1404 CAP_FOR_EACH_U32(i) {
1405 audit_log_format(ab, "%08x", cap->cap[(_KERNEL_CAPABILITY_U32S-1) - i]); 1405 audit_log_format(ab, "%08x", cap->cap[(_KERNEL_CAPABILITY_U32S-1) - i]);
1406 } 1406 }
1407 } 1407 }
1408 1408
1409 static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name) 1409 static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name)
1410 { 1410 {
1411 kernel_cap_t *perm = &name->fcap.permitted; 1411 kernel_cap_t *perm = &name->fcap.permitted;
1412 kernel_cap_t *inh = &name->fcap.inheritable; 1412 kernel_cap_t *inh = &name->fcap.inheritable;
1413 int log = 0; 1413 int log = 0;
1414 1414
1415 if (!cap_isclear(*perm)) { 1415 if (!cap_isclear(*perm)) {
1416 audit_log_cap(ab, "cap_fp", perm); 1416 audit_log_cap(ab, "cap_fp", perm);
1417 log = 1; 1417 log = 1;
1418 } 1418 }
1419 if (!cap_isclear(*inh)) { 1419 if (!cap_isclear(*inh)) {
1420 audit_log_cap(ab, "cap_fi", inh); 1420 audit_log_cap(ab, "cap_fi", inh);
1421 log = 1; 1421 log = 1;
1422 } 1422 }
1423 1423
1424 if (log) 1424 if (log)
1425 audit_log_format(ab, " cap_fe=%d cap_fver=%x", name->fcap.fE, name->fcap_ver); 1425 audit_log_format(ab, " cap_fe=%d cap_fver=%x", name->fcap.fE, name->fcap_ver);
1426 } 1426 }
1427 1427
1428 static void show_special(struct audit_context *context, int *call_panic) 1428 static void show_special(struct audit_context *context, int *call_panic)
1429 { 1429 {
1430 struct audit_buffer *ab; 1430 struct audit_buffer *ab;
1431 int i; 1431 int i;
1432 1432
1433 ab = audit_log_start(context, GFP_KERNEL, context->type); 1433 ab = audit_log_start(context, GFP_KERNEL, context->type);
1434 if (!ab) 1434 if (!ab)
1435 return; 1435 return;
1436 1436
1437 switch (context->type) { 1437 switch (context->type) {
1438 case AUDIT_SOCKETCALL: { 1438 case AUDIT_SOCKETCALL: {
1439 int nargs = context->socketcall.nargs; 1439 int nargs = context->socketcall.nargs;
1440 audit_log_format(ab, "nargs=%d", nargs); 1440 audit_log_format(ab, "nargs=%d", nargs);
1441 for (i = 0; i < nargs; i++) 1441 for (i = 0; i < nargs; i++)
1442 audit_log_format(ab, " a%d=%lx", i, 1442 audit_log_format(ab, " a%d=%lx", i,
1443 context->socketcall.args[i]); 1443 context->socketcall.args[i]);
1444 break; } 1444 break; }
1445 case AUDIT_IPC: { 1445 case AUDIT_IPC: {
1446 u32 osid = context->ipc.osid; 1446 u32 osid = context->ipc.osid;
1447 1447
1448 audit_log_format(ab, "ouid=%u ogid=%u mode=%#ho", 1448 audit_log_format(ab, "ouid=%u ogid=%u mode=%#ho",
1449 context->ipc.uid, context->ipc.gid, context->ipc.mode); 1449 context->ipc.uid, context->ipc.gid, context->ipc.mode);
1450 if (osid) { 1450 if (osid) {
1451 char *ctx = NULL; 1451 char *ctx = NULL;
1452 u32 len; 1452 u32 len;
1453 if (security_secid_to_secctx(osid, &ctx, &len)) { 1453 if (security_secid_to_secctx(osid, &ctx, &len)) {
1454 audit_log_format(ab, " osid=%u", osid); 1454 audit_log_format(ab, " osid=%u", osid);
1455 *call_panic = 1; 1455 *call_panic = 1;
1456 } else { 1456 } else {
1457 audit_log_format(ab, " obj=%s", ctx); 1457 audit_log_format(ab, " obj=%s", ctx);
1458 security_release_secctx(ctx, len); 1458 security_release_secctx(ctx, len);
1459 } 1459 }
1460 } 1460 }
1461 if (context->ipc.has_perm) { 1461 if (context->ipc.has_perm) {
1462 audit_log_end(ab); 1462 audit_log_end(ab);
1463 ab = audit_log_start(context, GFP_KERNEL, 1463 ab = audit_log_start(context, GFP_KERNEL,
1464 AUDIT_IPC_SET_PERM); 1464 AUDIT_IPC_SET_PERM);
1465 audit_log_format(ab, 1465 audit_log_format(ab,
1466 "qbytes=%lx ouid=%u ogid=%u mode=%#ho", 1466 "qbytes=%lx ouid=%u ogid=%u mode=%#ho",
1467 context->ipc.qbytes, 1467 context->ipc.qbytes,
1468 context->ipc.perm_uid, 1468 context->ipc.perm_uid,
1469 context->ipc.perm_gid, 1469 context->ipc.perm_gid,
1470 context->ipc.perm_mode); 1470 context->ipc.perm_mode);
1471 if (!ab) 1471 if (!ab)
1472 return; 1472 return;
1473 } 1473 }
1474 break; } 1474 break; }
1475 case AUDIT_MQ_OPEN: { 1475 case AUDIT_MQ_OPEN: {
1476 audit_log_format(ab, 1476 audit_log_format(ab,
1477 "oflag=0x%x mode=%#ho mq_flags=0x%lx mq_maxmsg=%ld " 1477 "oflag=0x%x mode=%#ho mq_flags=0x%lx mq_maxmsg=%ld "
1478 "mq_msgsize=%ld mq_curmsgs=%ld", 1478 "mq_msgsize=%ld mq_curmsgs=%ld",
1479 context->mq_open.oflag, context->mq_open.mode, 1479 context->mq_open.oflag, context->mq_open.mode,
1480 context->mq_open.attr.mq_flags, 1480 context->mq_open.attr.mq_flags,
1481 context->mq_open.attr.mq_maxmsg, 1481 context->mq_open.attr.mq_maxmsg,
1482 context->mq_open.attr.mq_msgsize, 1482 context->mq_open.attr.mq_msgsize,
1483 context->mq_open.attr.mq_curmsgs); 1483 context->mq_open.attr.mq_curmsgs);
1484 break; } 1484 break; }
1485 case AUDIT_MQ_SENDRECV: { 1485 case AUDIT_MQ_SENDRECV: {
1486 audit_log_format(ab, 1486 audit_log_format(ab,
1487 "mqdes=%d msg_len=%zd msg_prio=%u " 1487 "mqdes=%d msg_len=%zd msg_prio=%u "
1488 "abs_timeout_sec=%ld abs_timeout_nsec=%ld", 1488 "abs_timeout_sec=%ld abs_timeout_nsec=%ld",
1489 context->mq_sendrecv.mqdes, 1489 context->mq_sendrecv.mqdes,
1490 context->mq_sendrecv.msg_len, 1490 context->mq_sendrecv.msg_len,
1491 context->mq_sendrecv.msg_prio, 1491 context->mq_sendrecv.msg_prio,
1492 context->mq_sendrecv.abs_timeout.tv_sec, 1492 context->mq_sendrecv.abs_timeout.tv_sec,
1493 context->mq_sendrecv.abs_timeout.tv_nsec); 1493 context->mq_sendrecv.abs_timeout.tv_nsec);
1494 break; } 1494 break; }
1495 case AUDIT_MQ_NOTIFY: { 1495 case AUDIT_MQ_NOTIFY: {
1496 audit_log_format(ab, "mqdes=%d sigev_signo=%d", 1496 audit_log_format(ab, "mqdes=%d sigev_signo=%d",
1497 context->mq_notify.mqdes, 1497 context->mq_notify.mqdes,
1498 context->mq_notify.sigev_signo); 1498 context->mq_notify.sigev_signo);
1499 break; } 1499 break; }
1500 case AUDIT_MQ_GETSETATTR: { 1500 case AUDIT_MQ_GETSETATTR: {
1501 struct mq_attr *attr = &context->mq_getsetattr.mqstat; 1501 struct mq_attr *attr = &context->mq_getsetattr.mqstat;
1502 audit_log_format(ab, 1502 audit_log_format(ab,
1503 "mqdes=%d mq_flags=0x%lx mq_maxmsg=%ld mq_msgsize=%ld " 1503 "mqdes=%d mq_flags=0x%lx mq_maxmsg=%ld mq_msgsize=%ld "
1504 "mq_curmsgs=%ld ", 1504 "mq_curmsgs=%ld ",
1505 context->mq_getsetattr.mqdes, 1505 context->mq_getsetattr.mqdes,
1506 attr->mq_flags, attr->mq_maxmsg, 1506 attr->mq_flags, attr->mq_maxmsg,
1507 attr->mq_msgsize, attr->mq_curmsgs); 1507 attr->mq_msgsize, attr->mq_curmsgs);
1508 break; } 1508 break; }
1509 case AUDIT_CAPSET: { 1509 case AUDIT_CAPSET: {
1510 audit_log_format(ab, "pid=%d", context->capset.pid); 1510 audit_log_format(ab, "pid=%d", context->capset.pid);
1511 audit_log_cap(ab, "cap_pi", &context->capset.cap.inheritable); 1511 audit_log_cap(ab, "cap_pi", &context->capset.cap.inheritable);
1512 audit_log_cap(ab, "cap_pp", &context->capset.cap.permitted); 1512 audit_log_cap(ab, "cap_pp", &context->capset.cap.permitted);
1513 audit_log_cap(ab, "cap_pe", &context->capset.cap.effective); 1513 audit_log_cap(ab, "cap_pe", &context->capset.cap.effective);
1514 break; } 1514 break; }
1515 case AUDIT_MMAP: { 1515 case AUDIT_MMAP: {
1516 audit_log_format(ab, "fd=%d flags=0x%x", context->mmap.fd, 1516 audit_log_format(ab, "fd=%d flags=0x%x", context->mmap.fd,
1517 context->mmap.flags); 1517 context->mmap.flags);
1518 break; } 1518 break; }
1519 } 1519 }
1520 audit_log_end(ab); 1520 audit_log_end(ab);
1521 } 1521 }
1522 1522
1523 static void audit_log_name(struct audit_context *context, struct audit_names *n, 1523 static void audit_log_name(struct audit_context *context, struct audit_names *n,
1524 int record_num, int *call_panic) 1524 int record_num, int *call_panic)
1525 { 1525 {
1526 struct audit_buffer *ab; 1526 struct audit_buffer *ab;
1527 ab = audit_log_start(context, GFP_KERNEL, AUDIT_PATH); 1527 ab = audit_log_start(context, GFP_KERNEL, AUDIT_PATH);
1528 if (!ab) 1528 if (!ab)
1529 return; /* audit_panic has been called */ 1529 return; /* audit_panic has been called */
1530 1530
1531 audit_log_format(ab, "item=%d", record_num); 1531 audit_log_format(ab, "item=%d", record_num);
1532 1532
1533 if (n->name) { 1533 if (n->name) {
1534 switch (n->name_len) { 1534 switch (n->name_len) {
1535 case AUDIT_NAME_FULL: 1535 case AUDIT_NAME_FULL:
1536 /* log the full path */ 1536 /* log the full path */
1537 audit_log_format(ab, " name="); 1537 audit_log_format(ab, " name=");
1538 audit_log_untrustedstring(ab, n->name); 1538 audit_log_untrustedstring(ab, n->name);
1539 break; 1539 break;
1540 case 0: 1540 case 0:
1541 /* name was specified as a relative path and the 1541 /* name was specified as a relative path and the
1542 * directory component is the cwd */ 1542 * directory component is the cwd */
1543 audit_log_d_path(ab, " name=", &context->pwd); 1543 audit_log_d_path(ab, " name=", &context->pwd);
1544 break; 1544 break;
1545 default: 1545 default:
1546 /* log the name's directory component */ 1546 /* log the name's directory component */
1547 audit_log_format(ab, " name="); 1547 audit_log_format(ab, " name=");
1548 audit_log_n_untrustedstring(ab, n->name, 1548 audit_log_n_untrustedstring(ab, n->name,
1549 n->name_len); 1549 n->name_len);
1550 } 1550 }
1551 } else 1551 } else
1552 audit_log_format(ab, " name=(null)"); 1552 audit_log_format(ab, " name=(null)");
1553 1553
1554 if (n->ino != (unsigned long)-1) { 1554 if (n->ino != (unsigned long)-1) {
1555 audit_log_format(ab, " inode=%lu" 1555 audit_log_format(ab, " inode=%lu"
1556 " dev=%02x:%02x mode=%#ho" 1556 " dev=%02x:%02x mode=%#ho"
1557 " ouid=%u ogid=%u rdev=%02x:%02x", 1557 " ouid=%u ogid=%u rdev=%02x:%02x",
1558 n->ino, 1558 n->ino,
1559 MAJOR(n->dev), 1559 MAJOR(n->dev),
1560 MINOR(n->dev), 1560 MINOR(n->dev),
1561 n->mode, 1561 n->mode,
1562 n->uid, 1562 n->uid,
1563 n->gid, 1563 n->gid,
1564 MAJOR(n->rdev), 1564 MAJOR(n->rdev),
1565 MINOR(n->rdev)); 1565 MINOR(n->rdev));
1566 } 1566 }
1567 if (n->osid != 0) { 1567 if (n->osid != 0) {
1568 char *ctx = NULL; 1568 char *ctx = NULL;
1569 u32 len; 1569 u32 len;
1570 if (security_secid_to_secctx( 1570 if (security_secid_to_secctx(
1571 n->osid, &ctx, &len)) { 1571 n->osid, &ctx, &len)) {
1572 audit_log_format(ab, " osid=%u", n->osid); 1572 audit_log_format(ab, " osid=%u", n->osid);
1573 *call_panic = 2; 1573 *call_panic = 2;
1574 } else { 1574 } else {
1575 audit_log_format(ab, " obj=%s", ctx); 1575 audit_log_format(ab, " obj=%s", ctx);
1576 security_release_secctx(ctx, len); 1576 security_release_secctx(ctx, len);
1577 } 1577 }
1578 } 1578 }
1579 1579
1580 audit_log_fcaps(ab, n); 1580 audit_log_fcaps(ab, n);
1581 1581
1582 audit_log_end(ab); 1582 audit_log_end(ab);
1583 } 1583 }
1584 1584
1585 static void audit_log_exit(struct audit_context *context, struct task_struct *tsk) 1585 static void audit_log_exit(struct audit_context *context, struct task_struct *tsk)
1586 { 1586 {
1587 const struct cred *cred; 1587 const struct cred *cred;
1588 int i, call_panic = 0; 1588 int i, call_panic = 0;
1589 struct audit_buffer *ab; 1589 struct audit_buffer *ab;
1590 struct audit_aux_data *aux; 1590 struct audit_aux_data *aux;
1591 const char *tty; 1591 const char *tty;
1592 struct audit_names *n; 1592 struct audit_names *n;
1593 1593
1594 /* tsk == current */ 1594 /* tsk == current */
1595 context->pid = tsk->pid; 1595 context->pid = tsk->pid;
1596 if (!context->ppid) 1596 if (!context->ppid)
1597 context->ppid = sys_getppid(); 1597 context->ppid = sys_getppid();
1598 cred = current_cred(); 1598 cred = current_cred();
1599 context->uid = cred->uid; 1599 context->uid = cred->uid;
1600 context->gid = cred->gid; 1600 context->gid = cred->gid;
1601 context->euid = cred->euid; 1601 context->euid = cred->euid;
1602 context->suid = cred->suid; 1602 context->suid = cred->suid;
1603 context->fsuid = cred->fsuid; 1603 context->fsuid = cred->fsuid;
1604 context->egid = cred->egid; 1604 context->egid = cred->egid;
1605 context->sgid = cred->sgid; 1605 context->sgid = cred->sgid;
1606 context->fsgid = cred->fsgid; 1606 context->fsgid = cred->fsgid;
1607 context->personality = tsk->personality; 1607 context->personality = tsk->personality;
1608 1608
1609 ab = audit_log_start(context, GFP_KERNEL, AUDIT_SYSCALL); 1609 ab = audit_log_start(context, GFP_KERNEL, AUDIT_SYSCALL);
1610 if (!ab) 1610 if (!ab)
1611 return; /* audit_panic has been called */ 1611 return; /* audit_panic has been called */
1612 audit_log_format(ab, "arch=%x syscall=%d", 1612 audit_log_format(ab, "arch=%x syscall=%d",
1613 context->arch, context->major); 1613 context->arch, context->major);
1614 if (context->personality != PER_LINUX) 1614 if (context->personality != PER_LINUX)
1615 audit_log_format(ab, " per=%lx", context->personality); 1615 audit_log_format(ab, " per=%lx", context->personality);
1616 if (context->return_valid) 1616 if (context->return_valid)
1617 audit_log_format(ab, " success=%s exit=%ld", 1617 audit_log_format(ab, " success=%s exit=%ld",
1618 (context->return_valid==AUDITSC_SUCCESS)?"yes":"no", 1618 (context->return_valid==AUDITSC_SUCCESS)?"yes":"no",
1619 context->return_code); 1619 context->return_code);
1620 1620
1621 spin_lock_irq(&tsk->sighand->siglock); 1621 spin_lock_irq(&tsk->sighand->siglock);
1622 if (tsk->signal && tsk->signal->tty && tsk->signal->tty->name) 1622 if (tsk->signal && tsk->signal->tty && tsk->signal->tty->name)
1623 tty = tsk->signal->tty->name; 1623 tty = tsk->signal->tty->name;
1624 else 1624 else
1625 tty = "(none)"; 1625 tty = "(none)";
1626 spin_unlock_irq(&tsk->sighand->siglock); 1626 spin_unlock_irq(&tsk->sighand->siglock);
1627 1627
1628 audit_log_format(ab, 1628 audit_log_format(ab,
1629 " a0=%lx a1=%lx a2=%lx a3=%lx items=%d" 1629 " a0=%lx a1=%lx a2=%lx a3=%lx items=%d"
1630 " ppid=%d pid=%d auid=%u uid=%u gid=%u" 1630 " ppid=%d pid=%d auid=%u uid=%u gid=%u"
1631 " euid=%u suid=%u fsuid=%u" 1631 " euid=%u suid=%u fsuid=%u"
1632 " egid=%u sgid=%u fsgid=%u tty=%s ses=%u", 1632 " egid=%u sgid=%u fsgid=%u tty=%s ses=%u",
1633 context->argv[0], 1633 context->argv[0],
1634 context->argv[1], 1634 context->argv[1],
1635 context->argv[2], 1635 context->argv[2],
1636 context->argv[3], 1636 context->argv[3],
1637 context->name_count, 1637 context->name_count,
1638 context->ppid, 1638 context->ppid,
1639 context->pid, 1639 context->pid,
1640 tsk->loginuid, 1640 tsk->loginuid,
1641 context->uid, 1641 context->uid,
1642 context->gid, 1642 context->gid,
1643 context->euid, context->suid, context->fsuid, 1643 context->euid, context->suid, context->fsuid,
1644 context->egid, context->sgid, context->fsgid, tty, 1644 context->egid, context->sgid, context->fsgid, tty,
1645 tsk->sessionid); 1645 tsk->sessionid);
1646 1646
1647 1647
1648 audit_log_task_info(ab, tsk); 1648 audit_log_task_info(ab, tsk);
1649 audit_log_key(ab, context->filterkey); 1649 audit_log_key(ab, context->filterkey);
1650 audit_log_end(ab); 1650 audit_log_end(ab);
1651 1651
1652 for (aux = context->aux; aux; aux = aux->next) { 1652 for (aux = context->aux; aux; aux = aux->next) {
1653 1653
1654 ab = audit_log_start(context, GFP_KERNEL, aux->type); 1654 ab = audit_log_start(context, GFP_KERNEL, aux->type);
1655 if (!ab) 1655 if (!ab)
1656 continue; /* audit_panic has been called */ 1656 continue; /* audit_panic has been called */
1657 1657
1658 switch (aux->type) { 1658 switch (aux->type) {
1659 1659
1660 case AUDIT_EXECVE: { 1660 case AUDIT_EXECVE: {
1661 struct audit_aux_data_execve *axi = (void *)aux; 1661 struct audit_aux_data_execve *axi = (void *)aux;
1662 audit_log_execve_info(context, &ab, axi); 1662 audit_log_execve_info(context, &ab, axi);
1663 break; } 1663 break; }
1664 1664
1665 case AUDIT_BPRM_FCAPS: { 1665 case AUDIT_BPRM_FCAPS: {
1666 struct audit_aux_data_bprm_fcaps *axs = (void *)aux; 1666 struct audit_aux_data_bprm_fcaps *axs = (void *)aux;
1667 audit_log_format(ab, "fver=%x", axs->fcap_ver); 1667 audit_log_format(ab, "fver=%x", axs->fcap_ver);
1668 audit_log_cap(ab, "fp", &axs->fcap.permitted); 1668 audit_log_cap(ab, "fp", &axs->fcap.permitted);
1669 audit_log_cap(ab, "fi", &axs->fcap.inheritable); 1669 audit_log_cap(ab, "fi", &axs->fcap.inheritable);
1670 audit_log_format(ab, " fe=%d", axs->fcap.fE); 1670 audit_log_format(ab, " fe=%d", axs->fcap.fE);
1671 audit_log_cap(ab, "old_pp", &axs->old_pcap.permitted); 1671 audit_log_cap(ab, "old_pp", &axs->old_pcap.permitted);
1672 audit_log_cap(ab, "old_pi", &axs->old_pcap.inheritable); 1672 audit_log_cap(ab, "old_pi", &axs->old_pcap.inheritable);
1673 audit_log_cap(ab, "old_pe", &axs->old_pcap.effective); 1673 audit_log_cap(ab, "old_pe", &axs->old_pcap.effective);
1674 audit_log_cap(ab, "new_pp", &axs->new_pcap.permitted); 1674 audit_log_cap(ab, "new_pp", &axs->new_pcap.permitted);
1675 audit_log_cap(ab, "new_pi", &axs->new_pcap.inheritable); 1675 audit_log_cap(ab, "new_pi", &axs->new_pcap.inheritable);
1676 audit_log_cap(ab, "new_pe", &axs->new_pcap.effective); 1676 audit_log_cap(ab, "new_pe", &axs->new_pcap.effective);
1677 break; } 1677 break; }
1678 1678
1679 } 1679 }
1680 audit_log_end(ab); 1680 audit_log_end(ab);
1681 } 1681 }
1682 1682
1683 if (context->type) 1683 if (context->type)
1684 show_special(context, &call_panic); 1684 show_special(context, &call_panic);
1685 1685
1686 if (context->fds[0] >= 0) { 1686 if (context->fds[0] >= 0) {
1687 ab = audit_log_start(context, GFP_KERNEL, AUDIT_FD_PAIR); 1687 ab = audit_log_start(context, GFP_KERNEL, AUDIT_FD_PAIR);
1688 if (ab) { 1688 if (ab) {
1689 audit_log_format(ab, "fd0=%d fd1=%d", 1689 audit_log_format(ab, "fd0=%d fd1=%d",
1690 context->fds[0], context->fds[1]); 1690 context->fds[0], context->fds[1]);
1691 audit_log_end(ab); 1691 audit_log_end(ab);
1692 } 1692 }
1693 } 1693 }
1694 1694
1695 if (context->sockaddr_len) { 1695 if (context->sockaddr_len) {
1696 ab = audit_log_start(context, GFP_KERNEL, AUDIT_SOCKADDR); 1696 ab = audit_log_start(context, GFP_KERNEL, AUDIT_SOCKADDR);
1697 if (ab) { 1697 if (ab) {
1698 audit_log_format(ab, "saddr="); 1698 audit_log_format(ab, "saddr=");
1699 audit_log_n_hex(ab, (void *)context->sockaddr, 1699 audit_log_n_hex(ab, (void *)context->sockaddr,
1700 context->sockaddr_len); 1700 context->sockaddr_len);
1701 audit_log_end(ab); 1701 audit_log_end(ab);
1702 } 1702 }
1703 } 1703 }
1704 1704
1705 for (aux = context->aux_pids; aux; aux = aux->next) { 1705 for (aux = context->aux_pids; aux; aux = aux->next) {
1706 struct audit_aux_data_pids *axs = (void *)aux; 1706 struct audit_aux_data_pids *axs = (void *)aux;
1707 1707
1708 for (i = 0; i < axs->pid_count; i++) 1708 for (i = 0; i < axs->pid_count; i++)
1709 if (audit_log_pid_context(context, axs->target_pid[i], 1709 if (audit_log_pid_context(context, axs->target_pid[i],
1710 axs->target_auid[i], 1710 axs->target_auid[i],
1711 axs->target_uid[i], 1711 axs->target_uid[i],
1712 axs->target_sessionid[i], 1712 axs->target_sessionid[i],
1713 axs->target_sid[i], 1713 axs->target_sid[i],
1714 axs->target_comm[i])) 1714 axs->target_comm[i]))
1715 call_panic = 1; 1715 call_panic = 1;
1716 } 1716 }
1717 1717
1718 if (context->target_pid && 1718 if (context->target_pid &&
1719 audit_log_pid_context(context, context->target_pid, 1719 audit_log_pid_context(context, context->target_pid,
1720 context->target_auid, context->target_uid, 1720 context->target_auid, context->target_uid,
1721 context->target_sessionid, 1721 context->target_sessionid,
1722 context->target_sid, context->target_comm)) 1722 context->target_sid, context->target_comm))
1723 call_panic = 1; 1723 call_panic = 1;
1724 1724
1725 if (context->pwd.dentry && context->pwd.mnt) { 1725 if (context->pwd.dentry && context->pwd.mnt) {
1726 ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD); 1726 ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD);
1727 if (ab) { 1727 if (ab) {
1728 audit_log_d_path(ab, " cwd=", &context->pwd); 1728 audit_log_d_path(ab, " cwd=", &context->pwd);
1729 audit_log_end(ab); 1729 audit_log_end(ab);
1730 } 1730 }
1731 } 1731 }
1732 1732
1733 i = 0; 1733 i = 0;
1734 list_for_each_entry(n, &context->names_list, list) 1734 list_for_each_entry(n, &context->names_list, list)
1735 audit_log_name(context, n, i++, &call_panic); 1735 audit_log_name(context, n, i++, &call_panic);
1736 1736
1737 /* Send end of event record to help user space know we are finished */ 1737 /* Send end of event record to help user space know we are finished */
1738 ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE); 1738 ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE);
1739 if (ab) 1739 if (ab)
1740 audit_log_end(ab); 1740 audit_log_end(ab);
1741 if (call_panic) 1741 if (call_panic)
1742 audit_panic("error converting sid to string"); 1742 audit_panic("error converting sid to string");
1743 } 1743 }
1744 1744
1745 /** 1745 /**
1746 * audit_free - free a per-task audit context 1746 * audit_free - free a per-task audit context
1747 * @tsk: task whose audit context block to free 1747 * @tsk: task whose audit context block to free
1748 * 1748 *
1749 * Called from copy_process and do_exit 1749 * Called from copy_process and do_exit
1750 */ 1750 */
1751 void __audit_free(struct task_struct *tsk) 1751 void __audit_free(struct task_struct *tsk)
1752 { 1752 {
1753 struct audit_context *context; 1753 struct audit_context *context;
1754 1754
1755 context = audit_get_context(tsk, 0, 0); 1755 context = audit_get_context(tsk, 0, 0);
1756 if (!context) 1756 if (!context)
1757 return; 1757 return;
1758 1758
1759 /* Check for system calls that do not go through the exit 1759 /* Check for system calls that do not go through the exit
1760 * function (e.g., exit_group), then free context block. 1760 * function (e.g., exit_group), then free context block.
1761 * We use GFP_ATOMIC here because we might be doing this 1761 * We use GFP_ATOMIC here because we might be doing this
1762 * in the context of the idle thread */ 1762 * in the context of the idle thread */
1763 /* that can happen only if we are called from do_exit() */ 1763 /* that can happen only if we are called from do_exit() */
1764 if (context->in_syscall && context->current_state == AUDIT_RECORD_CONTEXT) 1764 if (context->in_syscall && context->current_state == AUDIT_RECORD_CONTEXT)
1765 audit_log_exit(context, tsk); 1765 audit_log_exit(context, tsk);
1766 if (!list_empty(&context->killed_trees)) 1766 if (!list_empty(&context->killed_trees))
1767 audit_kill_trees(&context->killed_trees); 1767 audit_kill_trees(&context->killed_trees);
1768 1768
1769 audit_free_context(context); 1769 audit_free_context(context);
1770 } 1770 }
1771 1771
1772 /** 1772 /**
1773 * audit_syscall_entry - fill in an audit record at syscall entry 1773 * audit_syscall_entry - fill in an audit record at syscall entry
1774 * @arch: architecture type 1774 * @arch: architecture type
1775 * @major: major syscall type (function) 1775 * @major: major syscall type (function)
1776 * @a1: additional syscall register 1 1776 * @a1: additional syscall register 1
1777 * @a2: additional syscall register 2 1777 * @a2: additional syscall register 2
1778 * @a3: additional syscall register 3 1778 * @a3: additional syscall register 3
1779 * @a4: additional syscall register 4 1779 * @a4: additional syscall register 4
1780 * 1780 *
1781 * Fill in audit context at syscall entry. This only happens if the 1781 * Fill in audit context at syscall entry. This only happens if the
1782 * audit context was created when the task was created and the state or 1782 * audit context was created when the task was created and the state or
1783 * filters demand the audit context be built. If the state from the 1783 * filters demand the audit context be built. If the state from the
1784 * per-task filter or from the per-syscall filter is AUDIT_RECORD_CONTEXT, 1784 * per-task filter or from the per-syscall filter is AUDIT_RECORD_CONTEXT,
1785 * then the record will be written at syscall exit time (otherwise, it 1785 * then the record will be written at syscall exit time (otherwise, it
1786 * will only be written if another part of the kernel requests that it 1786 * will only be written if another part of the kernel requests that it
1787 * be written). 1787 * be written).
1788 */ 1788 */
1789 void __audit_syscall_entry(int arch, int major, 1789 void __audit_syscall_entry(int arch, int major,
1790 unsigned long a1, unsigned long a2, 1790 unsigned long a1, unsigned long a2,
1791 unsigned long a3, unsigned long a4) 1791 unsigned long a3, unsigned long a4)
1792 { 1792 {
1793 struct task_struct *tsk = current; 1793 struct task_struct *tsk = current;
1794 struct audit_context *context = tsk->audit_context; 1794 struct audit_context *context = tsk->audit_context;
1795 enum audit_state state; 1795 enum audit_state state;
1796 1796
1797 if (!context) 1797 if (!context)
1798 return; 1798 return;
1799 1799
1800 /* 1800 /*
1801 * This happens only on certain architectures that make system 1801 * This happens only on certain architectures that make system
1802 * calls in kernel_thread via the entry.S interface, instead of 1802 * calls in kernel_thread via the entry.S interface, instead of
1803 * with direct calls. (If you are porting to a new 1803 * with direct calls. (If you are porting to a new
1804 * architecture, hitting this condition can indicate that you 1804 * architecture, hitting this condition can indicate that you
1805 * got the _exit/_leave calls backward in entry.S.) 1805 * got the _exit/_leave calls backward in entry.S.)
1806 * 1806 *
1807 * i386 no 1807 * i386 no
1808 * x86_64 no 1808 * x86_64 no
1809 * ppc64 yes (see arch/powerpc/platforms/iseries/misc.S) 1809 * ppc64 yes (see arch/powerpc/platforms/iseries/misc.S)
1810 * 1810 *
1811 * This also happens with vm86 emulation in a non-nested manner 1811 * This also happens with vm86 emulation in a non-nested manner
1812 * (entries without exits), so this case must be caught. 1812 * (entries without exits), so this case must be caught.
1813 */ 1813 */
1814 if (context->in_syscall) { 1814 if (context->in_syscall) {
1815 struct audit_context *newctx; 1815 struct audit_context *newctx;
1816 1816
1817 #if AUDIT_DEBUG 1817 #if AUDIT_DEBUG
1818 printk(KERN_ERR 1818 printk(KERN_ERR
1819 "audit(:%d) pid=%d in syscall=%d;" 1819 "audit(:%d) pid=%d in syscall=%d;"
1820 " entering syscall=%d\n", 1820 " entering syscall=%d\n",
1821 context->serial, tsk->pid, context->major, major); 1821 context->serial, tsk->pid, context->major, major);
1822 #endif 1822 #endif
1823 newctx = audit_alloc_context(context->state); 1823 newctx = audit_alloc_context(context->state);
1824 if (newctx) { 1824 if (newctx) {
1825 newctx->previous = context; 1825 newctx->previous = context;
1826 context = newctx; 1826 context = newctx;
1827 tsk->audit_context = newctx; 1827 tsk->audit_context = newctx;
1828 } else { 1828 } else {
1829 /* If we can't alloc a new context, the best we 1829 /* If we can't alloc a new context, the best we
1830 * can do is to leak memory (any pending putname 1830 * can do is to leak memory (any pending putname
1831 * will be lost). The only other alternative is 1831 * will be lost). The only other alternative is
1832 * to abandon auditing. */ 1832 * to abandon auditing. */
1833 audit_zero_context(context, context->state); 1833 audit_zero_context(context, context->state);
1834 } 1834 }
1835 } 1835 }
1836 BUG_ON(context->in_syscall || context->name_count); 1836 BUG_ON(context->in_syscall || context->name_count);
1837 1837
1838 if (!audit_enabled) 1838 if (!audit_enabled)
1839 return; 1839 return;
1840 1840
1841 context->arch = arch; 1841 context->arch = arch;
1842 context->major = major; 1842 context->major = major;
1843 context->argv[0] = a1; 1843 context->argv[0] = a1;
1844 context->argv[1] = a2; 1844 context->argv[1] = a2;
1845 context->argv[2] = a3; 1845 context->argv[2] = a3;
1846 context->argv[3] = a4; 1846 context->argv[3] = a4;
1847 1847
1848 state = context->state; 1848 state = context->state;
1849 context->dummy = !audit_n_rules; 1849 context->dummy = !audit_n_rules;
1850 if (!context->dummy && state == AUDIT_BUILD_CONTEXT) { 1850 if (!context->dummy && state == AUDIT_BUILD_CONTEXT) {
1851 context->prio = 0; 1851 context->prio = 0;
1852 state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_ENTRY]); 1852 state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_ENTRY]);
1853 } 1853 }
1854 if (state == AUDIT_DISABLED) 1854 if (state == AUDIT_DISABLED)
1855 return; 1855 return;
1856 1856
1857 context->serial = 0; 1857 context->serial = 0;
1858 context->ctime = CURRENT_TIME; 1858 context->ctime = CURRENT_TIME;
1859 context->in_syscall = 1; 1859 context->in_syscall = 1;
1860 context->current_state = state; 1860 context->current_state = state;
1861 context->ppid = 0; 1861 context->ppid = 0;
1862 } 1862 }
1863 1863
1864 /** 1864 /**
1865 * audit_syscall_exit - deallocate audit context after a system call 1865 * audit_syscall_exit - deallocate audit context after a system call
1866 * @pt_regs: syscall registers 1866 * @success: success value of the syscall
1867 * @return_code: return value of the syscall
1867 * 1868 *
1868 * Tear down after system call. If the audit context has been marked as 1869 * Tear down after system call. If the audit context has been marked as
1869 * auditable (either because of the AUDIT_RECORD_CONTEXT state from 1870 * auditable (either because of the AUDIT_RECORD_CONTEXT state from
1870 * filtering, or because some other part of the kernel write an audit 1871 * filtering, or because some other part of the kernel wrote an audit
1871 * message), then write out the syscall information. In call cases, 1872 * message), then write out the syscall information. In call cases,
1872 * free the names stored from getname(). 1873 * free the names stored from getname().
1873 */ 1874 */
1874 void __audit_syscall_exit(int success, long return_code) 1875 void __audit_syscall_exit(int success, long return_code)
1875 { 1876 {
1876 struct task_struct *tsk = current; 1877 struct task_struct *tsk = current;
1877 struct audit_context *context; 1878 struct audit_context *context;
1878 1879
1879 if (success) 1880 if (success)
1880 success = AUDITSC_SUCCESS; 1881 success = AUDITSC_SUCCESS;
1881 else 1882 else
1882 success = AUDITSC_FAILURE; 1883 success = AUDITSC_FAILURE;
1883 1884
1884 context = audit_get_context(tsk, success, return_code); 1885 context = audit_get_context(tsk, success, return_code);
1885 if (!context) 1886 if (!context)
1886 return; 1887 return;
1887 1888
1888 if (context->in_syscall && context->current_state == AUDIT_RECORD_CONTEXT) 1889 if (context->in_syscall && context->current_state == AUDIT_RECORD_CONTEXT)
1889 audit_log_exit(context, tsk); 1890 audit_log_exit(context, tsk);
1890 1891
1891 context->in_syscall = 0; 1892 context->in_syscall = 0;
1892 context->prio = context->state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0; 1893 context->prio = context->state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0;
1893 1894
1894 if (!list_empty(&context->killed_trees)) 1895 if (!list_empty(&context->killed_trees))
1895 audit_kill_trees(&context->killed_trees); 1896 audit_kill_trees(&context->killed_trees);
1896 1897
1897 if (context->previous) { 1898 if (context->previous) {
1898 struct audit_context *new_context = context->previous; 1899 struct audit_context *new_context = context->previous;
1899 context->previous = NULL; 1900 context->previous = NULL;
1900 audit_free_context(context); 1901 audit_free_context(context);
1901 tsk->audit_context = new_context; 1902 tsk->audit_context = new_context;
1902 } else { 1903 } else {
1903 audit_free_names(context); 1904 audit_free_names(context);
1904 unroll_tree_refs(context, NULL, 0); 1905 unroll_tree_refs(context, NULL, 0);
1905 audit_free_aux(context); 1906 audit_free_aux(context);
1906 context->aux = NULL; 1907 context->aux = NULL;
1907 context->aux_pids = NULL; 1908 context->aux_pids = NULL;
1908 context->target_pid = 0; 1909 context->target_pid = 0;
1909 context->target_sid = 0; 1910 context->target_sid = 0;
1910 context->sockaddr_len = 0; 1911 context->sockaddr_len = 0;
1911 context->type = 0; 1912 context->type = 0;
1912 context->fds[0] = -1; 1913 context->fds[0] = -1;
1913 if (context->state != AUDIT_RECORD_CONTEXT) { 1914 if (context->state != AUDIT_RECORD_CONTEXT) {
1914 kfree(context->filterkey); 1915 kfree(context->filterkey);
1915 context->filterkey = NULL; 1916 context->filterkey = NULL;
1916 } 1917 }
1917 tsk->audit_context = context; 1918 tsk->audit_context = context;
1918 } 1919 }
1919 } 1920 }
1920 1921
1921 static inline void handle_one(const struct inode *inode) 1922 static inline void handle_one(const struct inode *inode)
1922 { 1923 {
1923 #ifdef CONFIG_AUDIT_TREE 1924 #ifdef CONFIG_AUDIT_TREE
1924 struct audit_context *context; 1925 struct audit_context *context;
1925 struct audit_tree_refs *p; 1926 struct audit_tree_refs *p;
1926 struct audit_chunk *chunk; 1927 struct audit_chunk *chunk;
1927 int count; 1928 int count;
1928 if (likely(hlist_empty(&inode->i_fsnotify_marks))) 1929 if (likely(hlist_empty(&inode->i_fsnotify_marks)))
1929 return; 1930 return;
1930 context = current->audit_context; 1931 context = current->audit_context;
1931 p = context->trees; 1932 p = context->trees;
1932 count = context->tree_count; 1933 count = context->tree_count;
1933 rcu_read_lock(); 1934 rcu_read_lock();
1934 chunk = audit_tree_lookup(inode); 1935 chunk = audit_tree_lookup(inode);
1935 rcu_read_unlock(); 1936 rcu_read_unlock();
1936 if (!chunk) 1937 if (!chunk)
1937 return; 1938 return;
1938 if (likely(put_tree_ref(context, chunk))) 1939 if (likely(put_tree_ref(context, chunk)))
1939 return; 1940 return;
1940 if (unlikely(!grow_tree_refs(context))) { 1941 if (unlikely(!grow_tree_refs(context))) {
1941 printk(KERN_WARNING "out of memory, audit has lost a tree reference\n"); 1942 printk(KERN_WARNING "out of memory, audit has lost a tree reference\n");
1942 audit_set_auditable(context); 1943 audit_set_auditable(context);
1943 audit_put_chunk(chunk); 1944 audit_put_chunk(chunk);
1944 unroll_tree_refs(context, p, count); 1945 unroll_tree_refs(context, p, count);
1945 return; 1946 return;
1946 } 1947 }
1947 put_tree_ref(context, chunk); 1948 put_tree_ref(context, chunk);
1948 #endif 1949 #endif
1949 } 1950 }
1950 1951
1951 static void handle_path(const struct dentry *dentry) 1952 static void handle_path(const struct dentry *dentry)
1952 { 1953 {
1953 #ifdef CONFIG_AUDIT_TREE 1954 #ifdef CONFIG_AUDIT_TREE
1954 struct audit_context *context; 1955 struct audit_context *context;
1955 struct audit_tree_refs *p; 1956 struct audit_tree_refs *p;
1956 const struct dentry *d, *parent; 1957 const struct dentry *d, *parent;
1957 struct audit_chunk *drop; 1958 struct audit_chunk *drop;
1958 unsigned long seq; 1959 unsigned long seq;
1959 int count; 1960 int count;
1960 1961
1961 context = current->audit_context; 1962 context = current->audit_context;
1962 p = context->trees; 1963 p = context->trees;
1963 count = context->tree_count; 1964 count = context->tree_count;
1964 retry: 1965 retry:
1965 drop = NULL; 1966 drop = NULL;
1966 d = dentry; 1967 d = dentry;
1967 rcu_read_lock(); 1968 rcu_read_lock();
1968 seq = read_seqbegin(&rename_lock); 1969 seq = read_seqbegin(&rename_lock);
1969 for(;;) { 1970 for(;;) {
1970 struct inode *inode = d->d_inode; 1971 struct inode *inode = d->d_inode;
1971 if (inode && unlikely(!hlist_empty(&inode->i_fsnotify_marks))) { 1972 if (inode && unlikely(!hlist_empty(&inode->i_fsnotify_marks))) {
1972 struct audit_chunk *chunk; 1973 struct audit_chunk *chunk;
1973 chunk = audit_tree_lookup(inode); 1974 chunk = audit_tree_lookup(inode);
1974 if (chunk) { 1975 if (chunk) {
1975 if (unlikely(!put_tree_ref(context, chunk))) { 1976 if (unlikely(!put_tree_ref(context, chunk))) {
1976 drop = chunk; 1977 drop = chunk;
1977 break; 1978 break;
1978 } 1979 }
1979 } 1980 }
1980 } 1981 }
1981 parent = d->d_parent; 1982 parent = d->d_parent;
1982 if (parent == d) 1983 if (parent == d)
1983 break; 1984 break;
1984 d = parent; 1985 d = parent;
1985 } 1986 }
1986 if (unlikely(read_seqretry(&rename_lock, seq) || drop)) { /* in this order */ 1987 if (unlikely(read_seqretry(&rename_lock, seq) || drop)) { /* in this order */
1987 rcu_read_unlock(); 1988 rcu_read_unlock();
1988 if (!drop) { 1989 if (!drop) {
1989 /* just a race with rename */ 1990 /* just a race with rename */
1990 unroll_tree_refs(context, p, count); 1991 unroll_tree_refs(context, p, count);
1991 goto retry; 1992 goto retry;
1992 } 1993 }
1993 audit_put_chunk(drop); 1994 audit_put_chunk(drop);
1994 if (grow_tree_refs(context)) { 1995 if (grow_tree_refs(context)) {
1995 /* OK, got more space */ 1996 /* OK, got more space */
1996 unroll_tree_refs(context, p, count); 1997 unroll_tree_refs(context, p, count);
1997 goto retry; 1998 goto retry;
1998 } 1999 }
1999 /* too bad */ 2000 /* too bad */
2000 printk(KERN_WARNING 2001 printk(KERN_WARNING
2001 "out of memory, audit has lost a tree reference\n"); 2002 "out of memory, audit has lost a tree reference\n");
2002 unroll_tree_refs(context, p, count); 2003 unroll_tree_refs(context, p, count);
2003 audit_set_auditable(context); 2004 audit_set_auditable(context);
2004 return; 2005 return;
2005 } 2006 }
2006 rcu_read_unlock(); 2007 rcu_read_unlock();
2007 #endif 2008 #endif
2008 } 2009 }
2009 2010
2010 static struct audit_names *audit_alloc_name(struct audit_context *context) 2011 static struct audit_names *audit_alloc_name(struct audit_context *context)
2011 { 2012 {
2012 struct audit_names *aname; 2013 struct audit_names *aname;
2013 2014
2014 if (context->name_count < AUDIT_NAMES) { 2015 if (context->name_count < AUDIT_NAMES) {
2015 aname = &context->preallocated_names[context->name_count]; 2016 aname = &context->preallocated_names[context->name_count];
2016 memset(aname, 0, sizeof(*aname)); 2017 memset(aname, 0, sizeof(*aname));
2017 } else { 2018 } else {
2018 aname = kzalloc(sizeof(*aname), GFP_NOFS); 2019 aname = kzalloc(sizeof(*aname), GFP_NOFS);
2019 if (!aname) 2020 if (!aname)
2020 return NULL; 2021 return NULL;
2021 aname->should_free = true; 2022 aname->should_free = true;
2022 } 2023 }
2023 2024
2024 aname->ino = (unsigned long)-1; 2025 aname->ino = (unsigned long)-1;
2025 list_add_tail(&aname->list, &context->names_list); 2026 list_add_tail(&aname->list, &context->names_list);
2026 2027
2027 context->name_count++; 2028 context->name_count++;
2028 #if AUDIT_DEBUG 2029 #if AUDIT_DEBUG
2029 context->ino_count++; 2030 context->ino_count++;
2030 #endif 2031 #endif
2031 return aname; 2032 return aname;
2032 } 2033 }
2033 2034
2034 /** 2035 /**
2035 * audit_getname - add a name to the list 2036 * audit_getname - add a name to the list
2036 * @name: name to add 2037 * @name: name to add
2037 * 2038 *
2038 * Add a name to the list of audit names for this context. 2039 * Add a name to the list of audit names for this context.
2039 * Called from fs/namei.c:getname(). 2040 * Called from fs/namei.c:getname().
2040 */ 2041 */
2041 void __audit_getname(const char *name) 2042 void __audit_getname(const char *name)
2042 { 2043 {
2043 struct audit_context *context = current->audit_context; 2044 struct audit_context *context = current->audit_context;
2044 struct audit_names *n; 2045 struct audit_names *n;
2045 2046
2046 if (!context->in_syscall) { 2047 if (!context->in_syscall) {
2047 #if AUDIT_DEBUG == 2 2048 #if AUDIT_DEBUG == 2
2048 printk(KERN_ERR "%s:%d(:%d): ignoring getname(%p)\n", 2049 printk(KERN_ERR "%s:%d(:%d): ignoring getname(%p)\n",
2049 __FILE__, __LINE__, context->serial, name); 2050 __FILE__, __LINE__, context->serial, name);
2050 dump_stack(); 2051 dump_stack();
2051 #endif 2052 #endif
2052 return; 2053 return;
2053 } 2054 }
2054 2055
2055 n = audit_alloc_name(context); 2056 n = audit_alloc_name(context);
2056 if (!n) 2057 if (!n)
2057 return; 2058 return;
2058 2059
2059 n->name = name; 2060 n->name = name;
2060 n->name_len = AUDIT_NAME_FULL; 2061 n->name_len = AUDIT_NAME_FULL;
2061 n->name_put = true; 2062 n->name_put = true;
2062 2063
2063 if (!context->pwd.dentry) 2064 if (!context->pwd.dentry)
2064 get_fs_pwd(current->fs, &context->pwd); 2065 get_fs_pwd(current->fs, &context->pwd);
2065 } 2066 }
2066 2067
2067 /* audit_putname - intercept a putname request 2068 /* audit_putname - intercept a putname request
2068 * @name: name to intercept and delay for putname 2069 * @name: name to intercept and delay for putname
2069 * 2070 *
2070 * If we have stored the name from getname in the audit context, 2071 * If we have stored the name from getname in the audit context,
2071 * then we delay the putname until syscall exit. 2072 * then we delay the putname until syscall exit.
2072 * Called from include/linux/fs.h:putname(). 2073 * Called from include/linux/fs.h:putname().
2073 */ 2074 */
2074 void audit_putname(const char *name) 2075 void audit_putname(const char *name)
2075 { 2076 {
2076 struct audit_context *context = current->audit_context; 2077 struct audit_context *context = current->audit_context;
2077 2078
2078 BUG_ON(!context); 2079 BUG_ON(!context);
2079 if (!context->in_syscall) { 2080 if (!context->in_syscall) {
2080 #if AUDIT_DEBUG == 2 2081 #if AUDIT_DEBUG == 2
2081 printk(KERN_ERR "%s:%d(:%d): __putname(%p)\n", 2082 printk(KERN_ERR "%s:%d(:%d): __putname(%p)\n",
2082 __FILE__, __LINE__, context->serial, name); 2083 __FILE__, __LINE__, context->serial, name);
2083 if (context->name_count) { 2084 if (context->name_count) {
2084 struct audit_names *n; 2085 struct audit_names *n;
2085 int i; 2086 int i;
2086 2087
2087 list_for_each_entry(n, &context->names_list, list) 2088 list_for_each_entry(n, &context->names_list, list)
2088 printk(KERN_ERR "name[%d] = %p = %s\n", i, 2089 printk(KERN_ERR "name[%d] = %p = %s\n", i,
2089 n->name, n->name ?: "(null)"); 2090 n->name, n->name ?: "(null)");
2090 } 2091 }
2091 #endif 2092 #endif
2092 __putname(name); 2093 __putname(name);
2093 } 2094 }
2094 #if AUDIT_DEBUG 2095 #if AUDIT_DEBUG
2095 else { 2096 else {
2096 ++context->put_count; 2097 ++context->put_count;
2097 if (context->put_count > context->name_count) { 2098 if (context->put_count > context->name_count) {
2098 printk(KERN_ERR "%s:%d(:%d): major=%d" 2099 printk(KERN_ERR "%s:%d(:%d): major=%d"
2099 " in_syscall=%d putname(%p) name_count=%d" 2100 " in_syscall=%d putname(%p) name_count=%d"
2100 " put_count=%d\n", 2101 " put_count=%d\n",
2101 __FILE__, __LINE__, 2102 __FILE__, __LINE__,
2102 context->serial, context->major, 2103 context->serial, context->major,
2103 context->in_syscall, name, context->name_count, 2104 context->in_syscall, name, context->name_count,
2104 context->put_count); 2105 context->put_count);
2105 dump_stack(); 2106 dump_stack();
2106 } 2107 }
2107 } 2108 }
2108 #endif 2109 #endif
2109 } 2110 }
2110 2111
2111 static inline int audit_copy_fcaps(struct audit_names *name, const struct dentry *dentry) 2112 static inline int audit_copy_fcaps(struct audit_names *name, const struct dentry *dentry)
2112 { 2113 {
2113 struct cpu_vfs_cap_data caps; 2114 struct cpu_vfs_cap_data caps;
2114 int rc; 2115 int rc;
2115 2116
2116 if (!dentry) 2117 if (!dentry)
2117 return 0; 2118 return 0;
2118 2119
2119 rc = get_vfs_caps_from_disk(dentry, &caps); 2120 rc = get_vfs_caps_from_disk(dentry, &caps);
2120 if (rc) 2121 if (rc)
2121 return rc; 2122 return rc;
2122 2123
2123 name->fcap.permitted = caps.permitted; 2124 name->fcap.permitted = caps.permitted;
2124 name->fcap.inheritable = caps.inheritable; 2125 name->fcap.inheritable = caps.inheritable;
2125 name->fcap.fE = !!(caps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE); 2126 name->fcap.fE = !!(caps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE);
2126 name->fcap_ver = (caps.magic_etc & VFS_CAP_REVISION_MASK) >> VFS_CAP_REVISION_SHIFT; 2127 name->fcap_ver = (caps.magic_etc & VFS_CAP_REVISION_MASK) >> VFS_CAP_REVISION_SHIFT;
2127 2128
2128 return 0; 2129 return 0;
2129 } 2130 }
2130 2131
2131 2132
2132 /* Copy inode data into an audit_names. */ 2133 /* Copy inode data into an audit_names. */
2133 static void audit_copy_inode(struct audit_names *name, const struct dentry *dentry, 2134 static void audit_copy_inode(struct audit_names *name, const struct dentry *dentry,
2134 const struct inode *inode) 2135 const struct inode *inode)
2135 { 2136 {
2136 name->ino = inode->i_ino; 2137 name->ino = inode->i_ino;
2137 name->dev = inode->i_sb->s_dev; 2138 name->dev = inode->i_sb->s_dev;
2138 name->mode = inode->i_mode; 2139 name->mode = inode->i_mode;
2139 name->uid = inode->i_uid; 2140 name->uid = inode->i_uid;
2140 name->gid = inode->i_gid; 2141 name->gid = inode->i_gid;
2141 name->rdev = inode->i_rdev; 2142 name->rdev = inode->i_rdev;
2142 security_inode_getsecid(inode, &name->osid); 2143 security_inode_getsecid(inode, &name->osid);
2143 audit_copy_fcaps(name, dentry); 2144 audit_copy_fcaps(name, dentry);
2144 } 2145 }
2145 2146
2146 /** 2147 /**
2147 * audit_inode - store the inode and device from a lookup 2148 * audit_inode - store the inode and device from a lookup
2148 * @name: name being audited 2149 * @name: name being audited
2149 * @dentry: dentry being audited 2150 * @dentry: dentry being audited
2150 * 2151 *
2151 * Called from fs/namei.c:path_lookup(). 2152 * Called from fs/namei.c:path_lookup().
2152 */ 2153 */
2153 void __audit_inode(const char *name, const struct dentry *dentry) 2154 void __audit_inode(const char *name, const struct dentry *dentry)
2154 { 2155 {
2155 struct audit_context *context = current->audit_context; 2156 struct audit_context *context = current->audit_context;
2156 const struct inode *inode = dentry->d_inode; 2157 const struct inode *inode = dentry->d_inode;
2157 struct audit_names *n; 2158 struct audit_names *n;
2158 2159
2159 if (!context->in_syscall) 2160 if (!context->in_syscall)
2160 return; 2161 return;
2161 2162
2162 list_for_each_entry_reverse(n, &context->names_list, list) { 2163 list_for_each_entry_reverse(n, &context->names_list, list) {
2163 if (n->name && (n->name == name)) 2164 if (n->name && (n->name == name))
2164 goto out; 2165 goto out;
2165 } 2166 }
2166 2167
2167 /* unable to find the name from a previous getname() */ 2168 /* unable to find the name from a previous getname() */
2168 n = audit_alloc_name(context); 2169 n = audit_alloc_name(context);
2169 if (!n) 2170 if (!n)
2170 return; 2171 return;
2171 out: 2172 out:
2172 handle_path(dentry); 2173 handle_path(dentry);
2173 audit_copy_inode(n, dentry, inode); 2174 audit_copy_inode(n, dentry, inode);
2174 } 2175 }
2175 2176
2176 /** 2177 /**
2177 * audit_inode_child - collect inode info for created/removed objects 2178 * audit_inode_child - collect inode info for created/removed objects
2178 * @dentry: dentry being audited 2179 * @dentry: dentry being audited
2179 * @parent: inode of dentry parent 2180 * @parent: inode of dentry parent
2180 * 2181 *
2181 * For syscalls that create or remove filesystem objects, audit_inode 2182 * For syscalls that create or remove filesystem objects, audit_inode
2182 * can only collect information for the filesystem object's parent. 2183 * can only collect information for the filesystem object's parent.
2183 * This call updates the audit context with the child's information. 2184 * This call updates the audit context with the child's information.
2184 * Syscalls that create a new filesystem object must be hooked after 2185 * Syscalls that create a new filesystem object must be hooked after
2185 * the object is created. Syscalls that remove a filesystem object 2186 * the object is created. Syscalls that remove a filesystem object
2186 * must be hooked prior, in order to capture the target inode during 2187 * must be hooked prior, in order to capture the target inode during
2187 * unsuccessful attempts. 2188 * unsuccessful attempts.
2188 */ 2189 */
2189 void __audit_inode_child(const struct dentry *dentry, 2190 void __audit_inode_child(const struct dentry *dentry,
2190 const struct inode *parent) 2191 const struct inode *parent)
2191 { 2192 {
2192 struct audit_context *context = current->audit_context; 2193 struct audit_context *context = current->audit_context;
2193 const char *found_parent = NULL, *found_child = NULL; 2194 const char *found_parent = NULL, *found_child = NULL;
2194 const struct inode *inode = dentry->d_inode; 2195 const struct inode *inode = dentry->d_inode;
2195 const char *dname = dentry->d_name.name; 2196 const char *dname = dentry->d_name.name;
2196 struct audit_names *n; 2197 struct audit_names *n;
2197 int dirlen = 0; 2198 int dirlen = 0;
2198 2199
2199 if (!context->in_syscall) 2200 if (!context->in_syscall)
2200 return; 2201 return;
2201 2202
2202 if (inode) 2203 if (inode)
2203 handle_one(inode); 2204 handle_one(inode);
2204 2205
2205 /* parent is more likely, look for it first */ 2206 /* parent is more likely, look for it first */
2206 list_for_each_entry(n, &context->names_list, list) { 2207 list_for_each_entry(n, &context->names_list, list) {
2207 if (!n->name) 2208 if (!n->name)
2208 continue; 2209 continue;
2209 2210
2210 if (n->ino == parent->i_ino && 2211 if (n->ino == parent->i_ino &&
2211 !audit_compare_dname_path(dname, n->name, &dirlen)) { 2212 !audit_compare_dname_path(dname, n->name, &dirlen)) {
2212 n->name_len = dirlen; /* update parent data in place */ 2213 n->name_len = dirlen; /* update parent data in place */
2213 found_parent = n->name; 2214 found_parent = n->name;
2214 goto add_names; 2215 goto add_names;
2215 } 2216 }
2216 } 2217 }
2217 2218
2218 /* no matching parent, look for matching child */ 2219 /* no matching parent, look for matching child */
2219 list_for_each_entry(n, &context->names_list, list) { 2220 list_for_each_entry(n, &context->names_list, list) {
2220 if (!n->name) 2221 if (!n->name)
2221 continue; 2222 continue;
2222 2223
2223 /* strcmp() is the more likely scenario */ 2224 /* strcmp() is the more likely scenario */
2224 if (!strcmp(dname, n->name) || 2225 if (!strcmp(dname, n->name) ||
2225 !audit_compare_dname_path(dname, n->name, &dirlen)) { 2226 !audit_compare_dname_path(dname, n->name, &dirlen)) {
2226 if (inode) 2227 if (inode)
2227 audit_copy_inode(n, NULL, inode); 2228 audit_copy_inode(n, NULL, inode);
2228 else 2229 else
2229 n->ino = (unsigned long)-1; 2230 n->ino = (unsigned long)-1;
2230 found_child = n->name; 2231 found_child = n->name;
2231 goto add_names; 2232 goto add_names;
2232 } 2233 }
2233 } 2234 }
2234 2235
2235 add_names: 2236 add_names:
2236 if (!found_parent) { 2237 if (!found_parent) {
2237 n = audit_alloc_name(context); 2238 n = audit_alloc_name(context);
2238 if (!n) 2239 if (!n)
2239 return; 2240 return;
2240 audit_copy_inode(n, NULL, parent); 2241 audit_copy_inode(n, NULL, parent);
2241 } 2242 }
2242 2243
2243 if (!found_child) { 2244 if (!found_child) {
2244 n = audit_alloc_name(context); 2245 n = audit_alloc_name(context);
2245 if (!n) 2246 if (!n)
2246 return; 2247 return;
2247 2248
2248 /* Re-use the name belonging to the slot for a matching parent 2249 /* Re-use the name belonging to the slot for a matching parent
2249 * directory. All names for this context are relinquished in 2250 * directory. All names for this context are relinquished in
2250 * audit_free_names() */ 2251 * audit_free_names() */
2251 if (found_parent) { 2252 if (found_parent) {
2252 n->name = found_parent; 2253 n->name = found_parent;
2253 n->name_len = AUDIT_NAME_FULL; 2254 n->name_len = AUDIT_NAME_FULL;
2254 /* don't call __putname() */ 2255 /* don't call __putname() */
2255 n->name_put = false; 2256 n->name_put = false;
2256 } 2257 }
2257 2258
2258 if (inode) 2259 if (inode)
2259 audit_copy_inode(n, NULL, inode); 2260 audit_copy_inode(n, NULL, inode);
2260 } 2261 }
2261 } 2262 }
2262 EXPORT_SYMBOL_GPL(__audit_inode_child); 2263 EXPORT_SYMBOL_GPL(__audit_inode_child);
2263 2264
2264 /** 2265 /**
2265 * auditsc_get_stamp - get local copies of audit_context values 2266 * auditsc_get_stamp - get local copies of audit_context values
2266 * @ctx: audit_context for the task 2267 * @ctx: audit_context for the task
2267 * @t: timespec to store time recorded in the audit_context 2268 * @t: timespec to store time recorded in the audit_context
2268 * @serial: serial value that is recorded in the audit_context 2269 * @serial: serial value that is recorded in the audit_context
2269 * 2270 *
2270 * Also sets the context as auditable. 2271 * Also sets the context as auditable.
2271 */ 2272 */
2272 int auditsc_get_stamp(struct audit_context *ctx, 2273 int auditsc_get_stamp(struct audit_context *ctx,
2273 struct timespec *t, unsigned int *serial) 2274 struct timespec *t, unsigned int *serial)
2274 { 2275 {
2275 if (!ctx->in_syscall) 2276 if (!ctx->in_syscall)
2276 return 0; 2277 return 0;
2277 if (!ctx->serial) 2278 if (!ctx->serial)
2278 ctx->serial = audit_serial(); 2279 ctx->serial = audit_serial();
2279 t->tv_sec = ctx->ctime.tv_sec; 2280 t->tv_sec = ctx->ctime.tv_sec;
2280 t->tv_nsec = ctx->ctime.tv_nsec; 2281 t->tv_nsec = ctx->ctime.tv_nsec;
2281 *serial = ctx->serial; 2282 *serial = ctx->serial;
2282 if (!ctx->prio) { 2283 if (!ctx->prio) {
2283 ctx->prio = 1; 2284 ctx->prio = 1;
2284 ctx->current_state = AUDIT_RECORD_CONTEXT; 2285 ctx->current_state = AUDIT_RECORD_CONTEXT;
2285 } 2286 }
2286 return 1; 2287 return 1;
2287 } 2288 }
2288 2289
2289 /* global counter which is incremented every time something logs in */ 2290 /* global counter which is incremented every time something logs in */
2290 static atomic_t session_id = ATOMIC_INIT(0); 2291 static atomic_t session_id = ATOMIC_INIT(0);
2291 2292
2292 /** 2293 /**
2293 * audit_set_loginuid - set current task's audit_context loginuid 2294 * audit_set_loginuid - set current task's audit_context loginuid
2294 * @loginuid: loginuid value 2295 * @loginuid: loginuid value
2295 * 2296 *
2296 * Returns 0. 2297 * Returns 0.
2297 * 2298 *
2298 * Called (set) from fs/proc/base.c::proc_loginuid_write(). 2299 * Called (set) from fs/proc/base.c::proc_loginuid_write().
2299 */ 2300 */
2300 int audit_set_loginuid(uid_t loginuid) 2301 int audit_set_loginuid(uid_t loginuid)
2301 { 2302 {
2302 struct task_struct *task = current; 2303 struct task_struct *task = current;
2303 struct audit_context *context = task->audit_context; 2304 struct audit_context *context = task->audit_context;
2304 unsigned int sessionid; 2305 unsigned int sessionid;
2305 2306
2306 #ifdef CONFIG_AUDIT_LOGINUID_IMMUTABLE 2307 #ifdef CONFIG_AUDIT_LOGINUID_IMMUTABLE
2307 if (task->loginuid != -1) 2308 if (task->loginuid != -1)
2308 return -EPERM; 2309 return -EPERM;
2309 #else /* CONFIG_AUDIT_LOGINUID_IMMUTABLE */ 2310 #else /* CONFIG_AUDIT_LOGINUID_IMMUTABLE */
2310 if (!capable(CAP_AUDIT_CONTROL)) 2311 if (!capable(CAP_AUDIT_CONTROL))
2311 return -EPERM; 2312 return -EPERM;
2312 #endif /* CONFIG_AUDIT_LOGINUID_IMMUTABLE */ 2313 #endif /* CONFIG_AUDIT_LOGINUID_IMMUTABLE */
2313 2314
2314 sessionid = atomic_inc_return(&session_id); 2315 sessionid = atomic_inc_return(&session_id);
2315 if (context && context->in_syscall) { 2316 if (context && context->in_syscall) {
2316 struct audit_buffer *ab; 2317 struct audit_buffer *ab;
2317 2318
2318 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN); 2319 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN);
2319 if (ab) { 2320 if (ab) {
2320 audit_log_format(ab, "login pid=%d uid=%u " 2321 audit_log_format(ab, "login pid=%d uid=%u "
2321 "old auid=%u new auid=%u" 2322 "old auid=%u new auid=%u"
2322 " old ses=%u new ses=%u", 2323 " old ses=%u new ses=%u",
2323 task->pid, task_uid(task), 2324 task->pid, task_uid(task),
2324 task->loginuid, loginuid, 2325 task->loginuid, loginuid,
2325 task->sessionid, sessionid); 2326 task->sessionid, sessionid);
2326 audit_log_end(ab); 2327 audit_log_end(ab);
2327 } 2328 }
2328 } 2329 }
2329 task->sessionid = sessionid; 2330 task->sessionid = sessionid;
2330 task->loginuid = loginuid; 2331 task->loginuid = loginuid;
2331 return 0; 2332 return 0;
2332 } 2333 }
2333 2334
2334 /** 2335 /**
2335 * __audit_mq_open - record audit data for a POSIX MQ open 2336 * __audit_mq_open - record audit data for a POSIX MQ open
2336 * @oflag: open flag 2337 * @oflag: open flag
2337 * @mode: mode bits 2338 * @mode: mode bits
2338 * @attr: queue attributes 2339 * @attr: queue attributes
2339 * 2340 *
2340 */ 2341 */
2341 void __audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr) 2342 void __audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr)
2342 { 2343 {
2343 struct audit_context *context = current->audit_context; 2344 struct audit_context *context = current->audit_context;
2344 2345
2345 if (attr) 2346 if (attr)
2346 memcpy(&context->mq_open.attr, attr, sizeof(struct mq_attr)); 2347 memcpy(&context->mq_open.attr, attr, sizeof(struct mq_attr));
2347 else 2348 else
2348 memset(&context->mq_open.attr, 0, sizeof(struct mq_attr)); 2349 memset(&context->mq_open.attr, 0, sizeof(struct mq_attr));
2349 2350
2350 context->mq_open.oflag = oflag; 2351 context->mq_open.oflag = oflag;
2351 context->mq_open.mode = mode; 2352 context->mq_open.mode = mode;
2352 2353
2353 context->type = AUDIT_MQ_OPEN; 2354 context->type = AUDIT_MQ_OPEN;
2354 } 2355 }
2355 2356
2356 /** 2357 /**
2357 * __audit_mq_sendrecv - record audit data for a POSIX MQ timed send/receive 2358 * __audit_mq_sendrecv - record audit data for a POSIX MQ timed send/receive
2358 * @mqdes: MQ descriptor 2359 * @mqdes: MQ descriptor
2359 * @msg_len: Message length 2360 * @msg_len: Message length
2360 * @msg_prio: Message priority 2361 * @msg_prio: Message priority
2361 * @abs_timeout: Message timeout in absolute time 2362 * @abs_timeout: Message timeout in absolute time
2362 * 2363 *
2363 */ 2364 */
2364 void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, 2365 void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio,
2365 const struct timespec *abs_timeout) 2366 const struct timespec *abs_timeout)
2366 { 2367 {
2367 struct audit_context *context = current->audit_context; 2368 struct audit_context *context = current->audit_context;
2368 struct timespec *p = &context->mq_sendrecv.abs_timeout; 2369 struct timespec *p = &context->mq_sendrecv.abs_timeout;
2369 2370
2370 if (abs_timeout) 2371 if (abs_timeout)
2371 memcpy(p, abs_timeout, sizeof(struct timespec)); 2372 memcpy(p, abs_timeout, sizeof(struct timespec));
2372 else 2373 else
2373 memset(p, 0, sizeof(struct timespec)); 2374 memset(p, 0, sizeof(struct timespec));
2374 2375
2375 context->mq_sendrecv.mqdes = mqdes; 2376 context->mq_sendrecv.mqdes = mqdes;
2376 context->mq_sendrecv.msg_len = msg_len; 2377 context->mq_sendrecv.msg_len = msg_len;
2377 context->mq_sendrecv.msg_prio = msg_prio; 2378 context->mq_sendrecv.msg_prio = msg_prio;
2378 2379
2379 context->type = AUDIT_MQ_SENDRECV; 2380 context->type = AUDIT_MQ_SENDRECV;
2380 } 2381 }
2381 2382
2382 /** 2383 /**
2383 * __audit_mq_notify - record audit data for a POSIX MQ notify 2384 * __audit_mq_notify - record audit data for a POSIX MQ notify
2384 * @mqdes: MQ descriptor 2385 * @mqdes: MQ descriptor
2385 * @notification: Notification event 2386 * @notification: Notification event
2386 * 2387 *
2387 */ 2388 */
2388 2389
2389 void __audit_mq_notify(mqd_t mqdes, const struct sigevent *notification) 2390 void __audit_mq_notify(mqd_t mqdes, const struct sigevent *notification)
2390 { 2391 {
2391 struct audit_context *context = current->audit_context; 2392 struct audit_context *context = current->audit_context;
2392 2393
2393 if (notification) 2394 if (notification)
2394 context->mq_notify.sigev_signo = notification->sigev_signo; 2395 context->mq_notify.sigev_signo = notification->sigev_signo;
2395 else 2396 else
2396 context->mq_notify.sigev_signo = 0; 2397 context->mq_notify.sigev_signo = 0;
2397 2398
2398 context->mq_notify.mqdes = mqdes; 2399 context->mq_notify.mqdes = mqdes;
2399 context->type = AUDIT_MQ_NOTIFY; 2400 context->type = AUDIT_MQ_NOTIFY;
2400 } 2401 }
2401 2402
2402 /** 2403 /**
2403 * __audit_mq_getsetattr - record audit data for a POSIX MQ get/set attribute 2404 * __audit_mq_getsetattr - record audit data for a POSIX MQ get/set attribute
2404 * @mqdes: MQ descriptor 2405 * @mqdes: MQ descriptor
2405 * @mqstat: MQ flags 2406 * @mqstat: MQ flags
2406 * 2407 *
2407 */ 2408 */
2408 void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat) 2409 void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat)
2409 { 2410 {
2410 struct audit_context *context = current->audit_context; 2411 struct audit_context *context = current->audit_context;
2411 context->mq_getsetattr.mqdes = mqdes; 2412 context->mq_getsetattr.mqdes = mqdes;
2412 context->mq_getsetattr.mqstat = *mqstat; 2413 context->mq_getsetattr.mqstat = *mqstat;
2413 context->type = AUDIT_MQ_GETSETATTR; 2414 context->type = AUDIT_MQ_GETSETATTR;
2414 } 2415 }
2415 2416
2416 /** 2417 /**
2417 * audit_ipc_obj - record audit data for ipc object 2418 * audit_ipc_obj - record audit data for ipc object
2418 * @ipcp: ipc permissions 2419 * @ipcp: ipc permissions
2419 * 2420 *
2420 */ 2421 */
2421 void __audit_ipc_obj(struct kern_ipc_perm *ipcp) 2422 void __audit_ipc_obj(struct kern_ipc_perm *ipcp)
2422 { 2423 {
2423 struct audit_context *context = current->audit_context; 2424 struct audit_context *context = current->audit_context;
2424 context->ipc.uid = ipcp->uid; 2425 context->ipc.uid = ipcp->uid;
2425 context->ipc.gid = ipcp->gid; 2426 context->ipc.gid = ipcp->gid;
2426 context->ipc.mode = ipcp->mode; 2427 context->ipc.mode = ipcp->mode;
2427 context->ipc.has_perm = 0; 2428 context->ipc.has_perm = 0;
2428 security_ipc_getsecid(ipcp, &context->ipc.osid); 2429 security_ipc_getsecid(ipcp, &context->ipc.osid);
2429 context->type = AUDIT_IPC; 2430 context->type = AUDIT_IPC;
2430 } 2431 }
2431 2432
2432 /** 2433 /**
2433 * audit_ipc_set_perm - record audit data for new ipc permissions 2434 * audit_ipc_set_perm - record audit data for new ipc permissions
2434 * @qbytes: msgq bytes 2435 * @qbytes: msgq bytes
2435 * @uid: msgq user id 2436 * @uid: msgq user id
2436 * @gid: msgq group id 2437 * @gid: msgq group id
2437 * @mode: msgq mode (permissions) 2438 * @mode: msgq mode (permissions)
2438 * 2439 *
2439 * Called only after audit_ipc_obj(). 2440 * Called only after audit_ipc_obj().
2440 */ 2441 */
2441 void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode) 2442 void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode)
2442 { 2443 {
2443 struct audit_context *context = current->audit_context; 2444 struct audit_context *context = current->audit_context;
2444 2445
2445 context->ipc.qbytes = qbytes; 2446 context->ipc.qbytes = qbytes;
2446 context->ipc.perm_uid = uid; 2447 context->ipc.perm_uid = uid;
2447 context->ipc.perm_gid = gid; 2448 context->ipc.perm_gid = gid;
2448 context->ipc.perm_mode = mode; 2449 context->ipc.perm_mode = mode;
2449 context->ipc.has_perm = 1; 2450 context->ipc.has_perm = 1;
2450 } 2451 }
2451 2452
2452 int __audit_bprm(struct linux_binprm *bprm) 2453 int __audit_bprm(struct linux_binprm *bprm)
2453 { 2454 {
2454 struct audit_aux_data_execve *ax; 2455 struct audit_aux_data_execve *ax;
2455 struct audit_context *context = current->audit_context; 2456 struct audit_context *context = current->audit_context;
2456 2457
2457 ax = kmalloc(sizeof(*ax), GFP_KERNEL); 2458 ax = kmalloc(sizeof(*ax), GFP_KERNEL);
2458 if (!ax) 2459 if (!ax)
2459 return -ENOMEM; 2460 return -ENOMEM;
2460 2461
2461 ax->argc = bprm->argc; 2462 ax->argc = bprm->argc;
2462 ax->envc = bprm->envc; 2463 ax->envc = bprm->envc;
2463 ax->mm = bprm->mm; 2464 ax->mm = bprm->mm;
2464 ax->d.type = AUDIT_EXECVE; 2465 ax->d.type = AUDIT_EXECVE;
2465 ax->d.next = context->aux; 2466 ax->d.next = context->aux;
2466 context->aux = (void *)ax; 2467 context->aux = (void *)ax;
2467 return 0; 2468 return 0;
2468 } 2469 }
2469 2470
2470 2471
2471 /** 2472 /**
2472 * audit_socketcall - record audit data for sys_socketcall 2473 * audit_socketcall - record audit data for sys_socketcall
2473 * @nargs: number of args 2474 * @nargs: number of args
2474 * @args: args array 2475 * @args: args array
2475 * 2476 *
2476 */ 2477 */
2477 void __audit_socketcall(int nargs, unsigned long *args) 2478 void __audit_socketcall(int nargs, unsigned long *args)
2478 { 2479 {
2479 struct audit_context *context = current->audit_context; 2480 struct audit_context *context = current->audit_context;
2480 2481
2481 context->type = AUDIT_SOCKETCALL; 2482 context->type = AUDIT_SOCKETCALL;
2482 context->socketcall.nargs = nargs; 2483 context->socketcall.nargs = nargs;
2483 memcpy(context->socketcall.args, args, nargs * sizeof(unsigned long)); 2484 memcpy(context->socketcall.args, args, nargs * sizeof(unsigned long));
2484 } 2485 }
2485 2486
2486 /** 2487 /**
2487 * __audit_fd_pair - record audit data for pipe and socketpair 2488 * __audit_fd_pair - record audit data for pipe and socketpair
2488 * @fd1: the first file descriptor 2489 * @fd1: the first file descriptor
2489 * @fd2: the second file descriptor 2490 * @fd2: the second file descriptor
2490 * 2491 *
2491 */ 2492 */
2492 void __audit_fd_pair(int fd1, int fd2) 2493 void __audit_fd_pair(int fd1, int fd2)
2493 { 2494 {
2494 struct audit_context *context = current->audit_context; 2495 struct audit_context *context = current->audit_context;
2495 context->fds[0] = fd1; 2496 context->fds[0] = fd1;
2496 context->fds[1] = fd2; 2497 context->fds[1] = fd2;
2497 } 2498 }
2498 2499
2499 /** 2500 /**
2500 * audit_sockaddr - record audit data for sys_bind, sys_connect, sys_sendto 2501 * audit_sockaddr - record audit data for sys_bind, sys_connect, sys_sendto
2501 * @len: data length in user space 2502 * @len: data length in user space
2502 * @a: data address in kernel space 2503 * @a: data address in kernel space
2503 * 2504 *
2504 * Returns 0 for success or NULL context or < 0 on error. 2505 * Returns 0 for success or NULL context or < 0 on error.
2505 */ 2506 */
2506 int __audit_sockaddr(int len, void *a) 2507 int __audit_sockaddr(int len, void *a)
2507 { 2508 {
2508 struct audit_context *context = current->audit_context; 2509 struct audit_context *context = current->audit_context;
2509 2510
2510 if (!context->sockaddr) { 2511 if (!context->sockaddr) {
2511 void *p = kmalloc(sizeof(struct sockaddr_storage), GFP_KERNEL); 2512 void *p = kmalloc(sizeof(struct sockaddr_storage), GFP_KERNEL);
2512 if (!p) 2513 if (!p)
2513 return -ENOMEM; 2514 return -ENOMEM;
2514 context->sockaddr = p; 2515 context->sockaddr = p;
2515 } 2516 }
2516 2517
2517 context->sockaddr_len = len; 2518 context->sockaddr_len = len;
2518 memcpy(context->sockaddr, a, len); 2519 memcpy(context->sockaddr, a, len);
2519 return 0; 2520 return 0;
2520 } 2521 }
2521 2522
2522 void __audit_ptrace(struct task_struct *t) 2523 void __audit_ptrace(struct task_struct *t)
2523 { 2524 {
2524 struct audit_context *context = current->audit_context; 2525 struct audit_context *context = current->audit_context;
2525 2526
2526 context->target_pid = t->pid; 2527 context->target_pid = t->pid;
2527 context->target_auid = audit_get_loginuid(t); 2528 context->target_auid = audit_get_loginuid(t);
2528 context->target_uid = task_uid(t); 2529 context->target_uid = task_uid(t);
2529 context->target_sessionid = audit_get_sessionid(t); 2530 context->target_sessionid = audit_get_sessionid(t);
2530 security_task_getsecid(t, &context->target_sid); 2531 security_task_getsecid(t, &context->target_sid);
2531 memcpy(context->target_comm, t->comm, TASK_COMM_LEN); 2532 memcpy(context->target_comm, t->comm, TASK_COMM_LEN);
2532 } 2533 }
2533 2534
2534 /** 2535 /**
2535 * audit_signal_info - record signal info for shutting down audit subsystem 2536 * audit_signal_info - record signal info for shutting down audit subsystem
2536 * @sig: signal value 2537 * @sig: signal value
2537 * @t: task being signaled 2538 * @t: task being signaled
2538 * 2539 *
2539 * If the audit subsystem is being terminated, record the task (pid) 2540 * If the audit subsystem is being terminated, record the task (pid)
2540 * and uid that is doing that. 2541 * and uid that is doing that.
2541 */ 2542 */
2542 int __audit_signal_info(int sig, struct task_struct *t) 2543 int __audit_signal_info(int sig, struct task_struct *t)
2543 { 2544 {
2544 struct audit_aux_data_pids *axp; 2545 struct audit_aux_data_pids *axp;
2545 struct task_struct *tsk = current; 2546 struct task_struct *tsk = current;
2546 struct audit_context *ctx = tsk->audit_context; 2547 struct audit_context *ctx = tsk->audit_context;
2547 uid_t uid = current_uid(), t_uid = task_uid(t); 2548 uid_t uid = current_uid(), t_uid = task_uid(t);
2548 2549
2549 if (audit_pid && t->tgid == audit_pid) { 2550 if (audit_pid && t->tgid == audit_pid) {
2550 if (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1 || sig == SIGUSR2) { 2551 if (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1 || sig == SIGUSR2) {
2551 audit_sig_pid = tsk->pid; 2552 audit_sig_pid = tsk->pid;
2552 if (tsk->loginuid != -1) 2553 if (tsk->loginuid != -1)
2553 audit_sig_uid = tsk->loginuid; 2554 audit_sig_uid = tsk->loginuid;
2554 else 2555 else
2555 audit_sig_uid = uid; 2556 audit_sig_uid = uid;
2556 security_task_getsecid(tsk, &audit_sig_sid); 2557 security_task_getsecid(tsk, &audit_sig_sid);
2557 } 2558 }
2558 if (!audit_signals || audit_dummy_context()) 2559 if (!audit_signals || audit_dummy_context())
2559 return 0; 2560 return 0;
2560 } 2561 }
2561 2562
2562 /* optimize the common case by putting first signal recipient directly 2563 /* optimize the common case by putting first signal recipient directly
2563 * in audit_context */ 2564 * in audit_context */
2564 if (!ctx->target_pid) { 2565 if (!ctx->target_pid) {
2565 ctx->target_pid = t->tgid; 2566 ctx->target_pid = t->tgid;
2566 ctx->target_auid = audit_get_loginuid(t); 2567 ctx->target_auid = audit_get_loginuid(t);
2567 ctx->target_uid = t_uid; 2568 ctx->target_uid = t_uid;
2568 ctx->target_sessionid = audit_get_sessionid(t); 2569 ctx->target_sessionid = audit_get_sessionid(t);
2569 security_task_getsecid(t, &ctx->target_sid); 2570 security_task_getsecid(t, &ctx->target_sid);
2570 memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN); 2571 memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN);
2571 return 0; 2572 return 0;
2572 } 2573 }
2573 2574
2574 axp = (void *)ctx->aux_pids; 2575 axp = (void *)ctx->aux_pids;
2575 if (!axp || axp->pid_count == AUDIT_AUX_PIDS) { 2576 if (!axp || axp->pid_count == AUDIT_AUX_PIDS) {
2576 axp = kzalloc(sizeof(*axp), GFP_ATOMIC); 2577 axp = kzalloc(sizeof(*axp), GFP_ATOMIC);
2577 if (!axp) 2578 if (!axp)
2578 return -ENOMEM; 2579 return -ENOMEM;
2579 2580
2580 axp->d.type = AUDIT_OBJ_PID; 2581 axp->d.type = AUDIT_OBJ_PID;
2581 axp->d.next = ctx->aux_pids; 2582 axp->d.next = ctx->aux_pids;
2582 ctx->aux_pids = (void *)axp; 2583 ctx->aux_pids = (void *)axp;
2583 } 2584 }
2584 BUG_ON(axp->pid_count >= AUDIT_AUX_PIDS); 2585 BUG_ON(axp->pid_count >= AUDIT_AUX_PIDS);
2585 2586
2586 axp->target_pid[axp->pid_count] = t->tgid; 2587 axp->target_pid[axp->pid_count] = t->tgid;
2587 axp->target_auid[axp->pid_count] = audit_get_loginuid(t); 2588 axp->target_auid[axp->pid_count] = audit_get_loginuid(t);
2588 axp->target_uid[axp->pid_count] = t_uid; 2589 axp->target_uid[axp->pid_count] = t_uid;
2589 axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t); 2590 axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t);
2590 security_task_getsecid(t, &axp->target_sid[axp->pid_count]); 2591 security_task_getsecid(t, &axp->target_sid[axp->pid_count]);
2591 memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN); 2592 memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN);
2592 axp->pid_count++; 2593 axp->pid_count++;
2593 2594
2594 return 0; 2595 return 0;
2595 } 2596 }
2596 2597
2597 /** 2598 /**
2598 * __audit_log_bprm_fcaps - store information about a loading bprm and relevant fcaps 2599 * __audit_log_bprm_fcaps - store information about a loading bprm and relevant fcaps
2599 * @bprm: pointer to the bprm being processed 2600 * @bprm: pointer to the bprm being processed
2600 * @new: the proposed new credentials 2601 * @new: the proposed new credentials
2601 * @old: the old credentials 2602 * @old: the old credentials
2602 * 2603 *
2603 * Simply check if the proc already has the caps given by the file and if not 2604 * Simply check if the proc already has the caps given by the file and if not
2604 * store the priv escalation info for later auditing at the end of the syscall 2605 * store the priv escalation info for later auditing at the end of the syscall
2605 * 2606 *
2606 * -Eric 2607 * -Eric
2607 */ 2608 */
2608 int __audit_log_bprm_fcaps(struct linux_binprm *bprm, 2609 int __audit_log_bprm_fcaps(struct linux_binprm *bprm,
2609 const struct cred *new, const struct cred *old) 2610 const struct cred *new, const struct cred *old)
2610 { 2611 {
2611 struct audit_aux_data_bprm_fcaps *ax; 2612 struct audit_aux_data_bprm_fcaps *ax;
2612 struct audit_context *context = current->audit_context; 2613 struct audit_context *context = current->audit_context;
2613 struct cpu_vfs_cap_data vcaps; 2614 struct cpu_vfs_cap_data vcaps;
2614 struct dentry *dentry; 2615 struct dentry *dentry;
2615 2616
2616 ax = kmalloc(sizeof(*ax), GFP_KERNEL); 2617 ax = kmalloc(sizeof(*ax), GFP_KERNEL);
2617 if (!ax) 2618 if (!ax)
2618 return -ENOMEM; 2619 return -ENOMEM;
2619 2620
2620 ax->d.type = AUDIT_BPRM_FCAPS; 2621 ax->d.type = AUDIT_BPRM_FCAPS;
2621 ax->d.next = context->aux; 2622 ax->d.next = context->aux;
2622 context->aux = (void *)ax; 2623 context->aux = (void *)ax;
2623 2624
2624 dentry = dget(bprm->file->f_dentry); 2625 dentry = dget(bprm->file->f_dentry);
2625 get_vfs_caps_from_disk(dentry, &vcaps); 2626 get_vfs_caps_from_disk(dentry, &vcaps);
2626 dput(dentry); 2627 dput(dentry);
2627 2628
2628 ax->fcap.permitted = vcaps.permitted; 2629 ax->fcap.permitted = vcaps.permitted;
2629 ax->fcap.inheritable = vcaps.inheritable; 2630 ax->fcap.inheritable = vcaps.inheritable;
2630 ax->fcap.fE = !!(vcaps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE); 2631 ax->fcap.fE = !!(vcaps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE);
2631 ax->fcap_ver = (vcaps.magic_etc & VFS_CAP_REVISION_MASK) >> VFS_CAP_REVISION_SHIFT; 2632 ax->fcap_ver = (vcaps.magic_etc & VFS_CAP_REVISION_MASK) >> VFS_CAP_REVISION_SHIFT;
2632 2633
2633 ax->old_pcap.permitted = old->cap_permitted; 2634 ax->old_pcap.permitted = old->cap_permitted;
2634 ax->old_pcap.inheritable = old->cap_inheritable; 2635 ax->old_pcap.inheritable = old->cap_inheritable;
2635 ax->old_pcap.effective = old->cap_effective; 2636 ax->old_pcap.effective = old->cap_effective;
2636 2637
2637 ax->new_pcap.permitted = new->cap_permitted; 2638 ax->new_pcap.permitted = new->cap_permitted;
2638 ax->new_pcap.inheritable = new->cap_inheritable; 2639 ax->new_pcap.inheritable = new->cap_inheritable;
2639 ax->new_pcap.effective = new->cap_effective; 2640 ax->new_pcap.effective = new->cap_effective;
2640 return 0; 2641 return 0;
2641 } 2642 }
2642 2643
2643 /** 2644 /**
2644 * __audit_log_capset - store information about the arguments to the capset syscall 2645 * __audit_log_capset - store information about the arguments to the capset syscall
2645 * @pid: target pid of the capset call 2646 * @pid: target pid of the capset call
2646 * @new: the new credentials 2647 * @new: the new credentials
2647 * @old: the old (current) credentials 2648 * @old: the old (current) credentials
2648 * 2649 *
2649 * Record the aguments userspace sent to sys_capset for later printing by the 2650 * Record the aguments userspace sent to sys_capset for later printing by the
2650 * audit system if applicable 2651 * audit system if applicable
2651 */ 2652 */
2652 void __audit_log_capset(pid_t pid, 2653 void __audit_log_capset(pid_t pid,
2653 const struct cred *new, const struct cred *old) 2654 const struct cred *new, const struct cred *old)
2654 { 2655 {
2655 struct audit_context *context = current->audit_context; 2656 struct audit_context *context = current->audit_context;
2656 context->capset.pid = pid; 2657 context->capset.pid = pid;
2657 context->capset.cap.effective = new->cap_effective; 2658 context->capset.cap.effective = new->cap_effective;
2658 context->capset.cap.inheritable = new->cap_effective; 2659 context->capset.cap.inheritable = new->cap_effective;
2659 context->capset.cap.permitted = new->cap_permitted; 2660 context->capset.cap.permitted = new->cap_permitted;
2660 context->type = AUDIT_CAPSET; 2661 context->type = AUDIT_CAPSET;
2661 } 2662 }
2662 2663
2663 void __audit_mmap_fd(int fd, int flags) 2664 void __audit_mmap_fd(int fd, int flags)
2664 { 2665 {
2665 struct audit_context *context = current->audit_context; 2666 struct audit_context *context = current->audit_context;
2666 context->mmap.fd = fd; 2667 context->mmap.fd = fd;
2667 context->mmap.flags = flags; 2668 context->mmap.flags = flags;
2668 context->type = AUDIT_MMAP; 2669 context->type = AUDIT_MMAP;
2669 } 2670 }
2670 2671
2671 static void audit_log_abend(struct audit_buffer *ab, char *reason, long signr) 2672 static void audit_log_abend(struct audit_buffer *ab, char *reason, long signr)
2672 { 2673 {
2673 uid_t auid, uid; 2674 uid_t auid, uid;
2674 gid_t gid; 2675 gid_t gid;
2675 unsigned int sessionid; 2676 unsigned int sessionid;
2676 2677
2677 auid = audit_get_loginuid(current); 2678 auid = audit_get_loginuid(current);
2678 sessionid = audit_get_sessionid(current); 2679 sessionid = audit_get_sessionid(current);
2679 current_uid_gid(&uid, &gid); 2680 current_uid_gid(&uid, &gid);
2680 2681
2681 audit_log_format(ab, "auid=%u uid=%u gid=%u ses=%u", 2682 audit_log_format(ab, "auid=%u uid=%u gid=%u ses=%u",
2682 auid, uid, gid, sessionid); 2683 auid, uid, gid, sessionid);
2683 audit_log_task_context(ab); 2684 audit_log_task_context(ab);
2684 audit_log_format(ab, " pid=%d comm=", current->pid); 2685 audit_log_format(ab, " pid=%d comm=", current->pid);
2685 audit_log_untrustedstring(ab, current->comm); 2686 audit_log_untrustedstring(ab, current->comm);
2686 audit_log_format(ab, " reason="); 2687 audit_log_format(ab, " reason=");
2687 audit_log_string(ab, reason); 2688 audit_log_string(ab, reason);
2688 audit_log_format(ab, " sig=%ld", signr); 2689 audit_log_format(ab, " sig=%ld", signr);
2689 } 2690 }
2690 /** 2691 /**
2691 * audit_core_dumps - record information about processes that end abnormally 2692 * audit_core_dumps - record information about processes that end abnormally
2692 * @signr: signal value 2693 * @signr: signal value
2693 * 2694 *
2694 * If a process ends with a core dump, something fishy is going on and we 2695 * If a process ends with a core dump, something fishy is going on and we
2695 * should record the event for investigation. 2696 * should record the event for investigation.
2696 */ 2697 */
2697 void audit_core_dumps(long signr) 2698 void audit_core_dumps(long signr)
2698 { 2699 {
2699 struct audit_buffer *ab; 2700 struct audit_buffer *ab;
2700 2701
2701 if (!audit_enabled) 2702 if (!audit_enabled)
2702 return; 2703 return;
2703 2704
2704 if (signr == SIGQUIT) /* don't care for those */ 2705 if (signr == SIGQUIT) /* don't care for those */
2705 return; 2706 return;
2706 2707
2707 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND); 2708 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
2708 audit_log_abend(ab, "memory violation", signr); 2709 audit_log_abend(ab, "memory violation", signr);
2709 audit_log_end(ab); 2710 audit_log_end(ab);
2710 } 2711 }
2711 2712
2712 void __audit_seccomp(unsigned long syscall) 2713 void __audit_seccomp(unsigned long syscall)
2713 { 2714 {
2714 struct audit_buffer *ab; 2715 struct audit_buffer *ab;
2715 2716
2716 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND); 2717 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
2717 audit_log_abend(ab, "seccomp", SIGKILL); 2718 audit_log_abend(ab, "seccomp", SIGKILL);
2718 audit_log_format(ab, " syscall=%ld", syscall); 2719 audit_log_format(ab, " syscall=%ld", syscall);
2719 audit_log_end(ab); 2720 audit_log_end(ab);
2720 } 2721 }
2721 2722
2722 struct list_head *audit_killed_trees(void) 2723 struct list_head *audit_killed_trees(void)
2723 { 2724 {
2724 struct audit_context *ctx = current->audit_context; 2725 struct audit_context *ctx = current->audit_context;
2725 if (likely(!ctx || !ctx->in_syscall)) 2726 if (likely(!ctx || !ctx->in_syscall))
2726 return NULL; 2727 return NULL;
2727 return &ctx->killed_trees; 2728 return &ctx->killed_trees;
2728 } 2729 }
2729 2730