Commit 0dd8e06bdaa0a97e706ee1a489a1f6176c4ddc64
Committed by
David Woodhouse
1 parent
27b030d58c
[PATCH] add new audit data to last skb
When adding more formatted audit data to an skb for delivery to userspace, the kernel will attempt to reuse an skb that has spare room. However, if the audit message has already been fragmented to multiple skb's, the search for spare room in the skb uses the head of the list. This will corrupt the audit message with trailing bytes being placed midway through the stream. Fix is to look at the end of the list. Signed-off-by: Chris Wright <chrisw@osdl.org> Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Showing 1 changed file with 1 additions and 1 deletions Inline Diff
kernel/audit.c
1 | /* audit.c -- Auditing support | 1 | /* audit.c -- Auditing support |
2 | * Gateway between the kernel (e.g., selinux) and the user-space audit daemon. | 2 | * Gateway between the kernel (e.g., selinux) and the user-space audit daemon. |
3 | * System-call specific features have moved to auditsc.c | 3 | * System-call specific features have moved to auditsc.c |
4 | * | 4 | * |
5 | * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina. | 5 | * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina. |
6 | * All Rights Reserved. | 6 | * All Rights Reserved. |
7 | * | 7 | * |
8 | * This program is free software; you can redistribute it and/or modify | 8 | * This program is free software; you can redistribute it and/or modify |
9 | * it under the terms of the GNU General Public License as published by | 9 | * it under the terms of the GNU General Public License as published by |
10 | * the Free Software Foundation; either version 2 of the License, or | 10 | * the Free Software Foundation; either version 2 of the License, or |
11 | * (at your option) any later version. | 11 | * (at your option) any later version. |
12 | * | 12 | * |
13 | * This program is distributed in the hope that it will be useful, | 13 | * This program is distributed in the hope that it will be useful, |
14 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | 14 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
15 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | 15 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
16 | * GNU General Public License for more details. | 16 | * GNU General Public License for more details. |
17 | * | 17 | * |
18 | * You should have received a copy of the GNU General Public License | 18 | * You should have received a copy of the GNU General Public License |
19 | * along with this program; if not, write to the Free Software | 19 | * along with this program; if not, write to the Free Software |
20 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA | 20 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA |
21 | * | 21 | * |
22 | * Written by Rickard E. (Rik) Faith <faith@redhat.com> | 22 | * Written by Rickard E. (Rik) Faith <faith@redhat.com> |
23 | * | 23 | * |
24 | * Goals: 1) Integrate fully with SELinux. | 24 | * Goals: 1) Integrate fully with SELinux. |
25 | * 2) Minimal run-time overhead: | 25 | * 2) Minimal run-time overhead: |
26 | * a) Minimal when syscall auditing is disabled (audit_enable=0). | 26 | * a) Minimal when syscall auditing is disabled (audit_enable=0). |
27 | * b) Small when syscall auditing is enabled and no audit record | 27 | * b) Small when syscall auditing is enabled and no audit record |
28 | * is generated (defer as much work as possible to record | 28 | * is generated (defer as much work as possible to record |
29 | * generation time): | 29 | * generation time): |
30 | * i) context is allocated, | 30 | * i) context is allocated, |
31 | * ii) names from getname are stored without a copy, and | 31 | * ii) names from getname are stored without a copy, and |
32 | * iii) inode information stored from path_lookup. | 32 | * iii) inode information stored from path_lookup. |
33 | * 3) Ability to disable syscall auditing at boot time (audit=0). | 33 | * 3) Ability to disable syscall auditing at boot time (audit=0). |
34 | * 4) Usable by other parts of the kernel (if audit_log* is called, | 34 | * 4) Usable by other parts of the kernel (if audit_log* is called, |
35 | * then a syscall record will be generated automatically for the | 35 | * then a syscall record will be generated automatically for the |
36 | * current syscall). | 36 | * current syscall). |
37 | * 5) Netlink interface to user-space. | 37 | * 5) Netlink interface to user-space. |
38 | * 6) Support low-overhead kernel-based filtering to minimize the | 38 | * 6) Support low-overhead kernel-based filtering to minimize the |
39 | * information that must be passed to user-space. | 39 | * information that must be passed to user-space. |
40 | * | 40 | * |
41 | * Example user-space utilities: http://people.redhat.com/sgrubb/audit/ | 41 | * Example user-space utilities: http://people.redhat.com/sgrubb/audit/ |
42 | */ | 42 | */ |
43 | 43 | ||
44 | #include <linux/init.h> | 44 | #include <linux/init.h> |
45 | #include <asm/atomic.h> | 45 | #include <asm/atomic.h> |
46 | #include <asm/types.h> | 46 | #include <asm/types.h> |
47 | #include <linux/mm.h> | 47 | #include <linux/mm.h> |
48 | #include <linux/module.h> | 48 | #include <linux/module.h> |
49 | 49 | ||
50 | #include <linux/audit.h> | 50 | #include <linux/audit.h> |
51 | 51 | ||
52 | #include <net/sock.h> | 52 | #include <net/sock.h> |
53 | #include <linux/skbuff.h> | 53 | #include <linux/skbuff.h> |
54 | #include <linux/netlink.h> | 54 | #include <linux/netlink.h> |
55 | 55 | ||
56 | /* No auditing will take place until audit_initialized != 0. | 56 | /* No auditing will take place until audit_initialized != 0. |
57 | * (Initialization happens after skb_init is called.) */ | 57 | * (Initialization happens after skb_init is called.) */ |
58 | static int audit_initialized; | 58 | static int audit_initialized; |
59 | 59 | ||
60 | /* No syscall auditing will take place unless audit_enabled != 0. */ | 60 | /* No syscall auditing will take place unless audit_enabled != 0. */ |
61 | int audit_enabled; | 61 | int audit_enabled; |
62 | 62 | ||
63 | /* Default state when kernel boots without any parameters. */ | 63 | /* Default state when kernel boots without any parameters. */ |
64 | static int audit_default; | 64 | static int audit_default; |
65 | 65 | ||
66 | /* If auditing cannot proceed, audit_failure selects what happens. */ | 66 | /* If auditing cannot proceed, audit_failure selects what happens. */ |
67 | static int audit_failure = AUDIT_FAIL_PRINTK; | 67 | static int audit_failure = AUDIT_FAIL_PRINTK; |
68 | 68 | ||
69 | /* If audit records are to be written to the netlink socket, audit_pid | 69 | /* If audit records are to be written to the netlink socket, audit_pid |
70 | * contains the (non-zero) pid. */ | 70 | * contains the (non-zero) pid. */ |
71 | static int audit_pid; | 71 | static int audit_pid; |
72 | 72 | ||
73 | /* If audit_limit is non-zero, limit the rate of sending audit records | 73 | /* If audit_limit is non-zero, limit the rate of sending audit records |
74 | * to that number per second. This prevents DoS attacks, but results in | 74 | * to that number per second. This prevents DoS attacks, but results in |
75 | * audit records being dropped. */ | 75 | * audit records being dropped. */ |
76 | static int audit_rate_limit; | 76 | static int audit_rate_limit; |
77 | 77 | ||
78 | /* Number of outstanding audit_buffers allowed. */ | 78 | /* Number of outstanding audit_buffers allowed. */ |
79 | static int audit_backlog_limit = 64; | 79 | static int audit_backlog_limit = 64; |
80 | static atomic_t audit_backlog = ATOMIC_INIT(0); | 80 | static atomic_t audit_backlog = ATOMIC_INIT(0); |
81 | 81 | ||
82 | /* Records can be lost in several ways: | 82 | /* Records can be lost in several ways: |
83 | 0) [suppressed in audit_alloc] | 83 | 0) [suppressed in audit_alloc] |
84 | 1) out of memory in audit_log_start [kmalloc of struct audit_buffer] | 84 | 1) out of memory in audit_log_start [kmalloc of struct audit_buffer] |
85 | 2) out of memory in audit_log_move [alloc_skb] | 85 | 2) out of memory in audit_log_move [alloc_skb] |
86 | 3) suppressed due to audit_rate_limit | 86 | 3) suppressed due to audit_rate_limit |
87 | 4) suppressed due to audit_backlog_limit | 87 | 4) suppressed due to audit_backlog_limit |
88 | */ | 88 | */ |
89 | static atomic_t audit_lost = ATOMIC_INIT(0); | 89 | static atomic_t audit_lost = ATOMIC_INIT(0); |
90 | 90 | ||
91 | /* The netlink socket. */ | 91 | /* The netlink socket. */ |
92 | static struct sock *audit_sock; | 92 | static struct sock *audit_sock; |
93 | 93 | ||
94 | /* There are two lists of audit buffers. The txlist contains audit | 94 | /* There are two lists of audit buffers. The txlist contains audit |
95 | * buffers that cannot be sent immediately to the netlink device because | 95 | * buffers that cannot be sent immediately to the netlink device because |
96 | * we are in an irq context (these are sent later in a tasklet). | 96 | * we are in an irq context (these are sent later in a tasklet). |
97 | * | 97 | * |
98 | * The second list is a list of pre-allocated audit buffers (if more | 98 | * The second list is a list of pre-allocated audit buffers (if more |
99 | * than AUDIT_MAXFREE are in use, the audit buffer is freed instead of | 99 | * than AUDIT_MAXFREE are in use, the audit buffer is freed instead of |
100 | * being placed on the freelist). */ | 100 | * being placed on the freelist). */ |
101 | static DEFINE_SPINLOCK(audit_txlist_lock); | 101 | static DEFINE_SPINLOCK(audit_txlist_lock); |
102 | static DEFINE_SPINLOCK(audit_freelist_lock); | 102 | static DEFINE_SPINLOCK(audit_freelist_lock); |
103 | static int audit_freelist_count = 0; | 103 | static int audit_freelist_count = 0; |
104 | static LIST_HEAD(audit_txlist); | 104 | static LIST_HEAD(audit_txlist); |
105 | static LIST_HEAD(audit_freelist); | 105 | static LIST_HEAD(audit_freelist); |
106 | 106 | ||
107 | /* There are three lists of rules -- one to search at task creation | 107 | /* There are three lists of rules -- one to search at task creation |
108 | * time, one to search at syscall entry time, and another to search at | 108 | * time, one to search at syscall entry time, and another to search at |
109 | * syscall exit time. */ | 109 | * syscall exit time. */ |
110 | static LIST_HEAD(audit_tsklist); | 110 | static LIST_HEAD(audit_tsklist); |
111 | static LIST_HEAD(audit_entlist); | 111 | static LIST_HEAD(audit_entlist); |
112 | static LIST_HEAD(audit_extlist); | 112 | static LIST_HEAD(audit_extlist); |
113 | 113 | ||
114 | /* The netlink socket is only to be read by 1 CPU, which lets us assume | 114 | /* The netlink socket is only to be read by 1 CPU, which lets us assume |
115 | * that list additions and deletions never happen simultaneiously in | 115 | * that list additions and deletions never happen simultaneiously in |
116 | * auditsc.c */ | 116 | * auditsc.c */ |
117 | static DECLARE_MUTEX(audit_netlink_sem); | 117 | static DECLARE_MUTEX(audit_netlink_sem); |
118 | 118 | ||
119 | /* AUDIT_BUFSIZ is the size of the temporary buffer used for formatting | 119 | /* AUDIT_BUFSIZ is the size of the temporary buffer used for formatting |
120 | * audit records. Since printk uses a 1024 byte buffer, this buffer | 120 | * audit records. Since printk uses a 1024 byte buffer, this buffer |
121 | * should be at least that large. */ | 121 | * should be at least that large. */ |
122 | #define AUDIT_BUFSIZ 1024 | 122 | #define AUDIT_BUFSIZ 1024 |
123 | 123 | ||
124 | /* AUDIT_MAXFREE is the number of empty audit_buffers we keep on the | 124 | /* AUDIT_MAXFREE is the number of empty audit_buffers we keep on the |
125 | * audit_freelist. Doing so eliminates many kmalloc/kfree calls. */ | 125 | * audit_freelist. Doing so eliminates many kmalloc/kfree calls. */ |
126 | #define AUDIT_MAXFREE (2*NR_CPUS) | 126 | #define AUDIT_MAXFREE (2*NR_CPUS) |
127 | 127 | ||
128 | /* The audit_buffer is used when formatting an audit record. The caller | 128 | /* The audit_buffer is used when formatting an audit record. The caller |
129 | * locks briefly to get the record off the freelist or to allocate the | 129 | * locks briefly to get the record off the freelist or to allocate the |
130 | * buffer, and locks briefly to send the buffer to the netlink layer or | 130 | * buffer, and locks briefly to send the buffer to the netlink layer or |
131 | * to place it on a transmit queue. Multiple audit_buffers can be in | 131 | * to place it on a transmit queue. Multiple audit_buffers can be in |
132 | * use simultaneously. */ | 132 | * use simultaneously. */ |
133 | struct audit_buffer { | 133 | struct audit_buffer { |
134 | struct list_head list; | 134 | struct list_head list; |
135 | struct sk_buff_head sklist; /* formatted skbs ready to send */ | 135 | struct sk_buff_head sklist; /* formatted skbs ready to send */ |
136 | struct audit_context *ctx; /* NULL or associated context */ | 136 | struct audit_context *ctx; /* NULL or associated context */ |
137 | int len; /* used area of tmp */ | 137 | int len; /* used area of tmp */ |
138 | char tmp[AUDIT_BUFSIZ]; | 138 | char tmp[AUDIT_BUFSIZ]; |
139 | 139 | ||
140 | /* Pointer to header and contents */ | 140 | /* Pointer to header and contents */ |
141 | struct nlmsghdr *nlh; | 141 | struct nlmsghdr *nlh; |
142 | int total; | 142 | int total; |
143 | int type; | 143 | int type; |
144 | int pid; | 144 | int pid; |
145 | }; | 145 | }; |
146 | 146 | ||
147 | void audit_set_type(struct audit_buffer *ab, int type) | 147 | void audit_set_type(struct audit_buffer *ab, int type) |
148 | { | 148 | { |
149 | ab->type = type; | 149 | ab->type = type; |
150 | } | 150 | } |
151 | 151 | ||
152 | struct audit_entry { | 152 | struct audit_entry { |
153 | struct list_head list; | 153 | struct list_head list; |
154 | struct audit_rule rule; | 154 | struct audit_rule rule; |
155 | }; | 155 | }; |
156 | 156 | ||
157 | static void audit_log_end_irq(struct audit_buffer *ab); | 157 | static void audit_log_end_irq(struct audit_buffer *ab); |
158 | static void audit_log_end_fast(struct audit_buffer *ab); | 158 | static void audit_log_end_fast(struct audit_buffer *ab); |
159 | 159 | ||
160 | static void audit_panic(const char *message) | 160 | static void audit_panic(const char *message) |
161 | { | 161 | { |
162 | switch (audit_failure) | 162 | switch (audit_failure) |
163 | { | 163 | { |
164 | case AUDIT_FAIL_SILENT: | 164 | case AUDIT_FAIL_SILENT: |
165 | break; | 165 | break; |
166 | case AUDIT_FAIL_PRINTK: | 166 | case AUDIT_FAIL_PRINTK: |
167 | printk(KERN_ERR "audit: %s\n", message); | 167 | printk(KERN_ERR "audit: %s\n", message); |
168 | break; | 168 | break; |
169 | case AUDIT_FAIL_PANIC: | 169 | case AUDIT_FAIL_PANIC: |
170 | panic("audit: %s\n", message); | 170 | panic("audit: %s\n", message); |
171 | break; | 171 | break; |
172 | } | 172 | } |
173 | } | 173 | } |
174 | 174 | ||
175 | static inline int audit_rate_check(void) | 175 | static inline int audit_rate_check(void) |
176 | { | 176 | { |
177 | static unsigned long last_check = 0; | 177 | static unsigned long last_check = 0; |
178 | static int messages = 0; | 178 | static int messages = 0; |
179 | static DEFINE_SPINLOCK(lock); | 179 | static DEFINE_SPINLOCK(lock); |
180 | unsigned long flags; | 180 | unsigned long flags; |
181 | unsigned long now; | 181 | unsigned long now; |
182 | unsigned long elapsed; | 182 | unsigned long elapsed; |
183 | int retval = 0; | 183 | int retval = 0; |
184 | 184 | ||
185 | if (!audit_rate_limit) return 1; | 185 | if (!audit_rate_limit) return 1; |
186 | 186 | ||
187 | spin_lock_irqsave(&lock, flags); | 187 | spin_lock_irqsave(&lock, flags); |
188 | if (++messages < audit_rate_limit) { | 188 | if (++messages < audit_rate_limit) { |
189 | retval = 1; | 189 | retval = 1; |
190 | } else { | 190 | } else { |
191 | now = jiffies; | 191 | now = jiffies; |
192 | elapsed = now - last_check; | 192 | elapsed = now - last_check; |
193 | if (elapsed > HZ) { | 193 | if (elapsed > HZ) { |
194 | last_check = now; | 194 | last_check = now; |
195 | messages = 0; | 195 | messages = 0; |
196 | retval = 1; | 196 | retval = 1; |
197 | } | 197 | } |
198 | } | 198 | } |
199 | spin_unlock_irqrestore(&lock, flags); | 199 | spin_unlock_irqrestore(&lock, flags); |
200 | 200 | ||
201 | return retval; | 201 | return retval; |
202 | } | 202 | } |
203 | 203 | ||
204 | /* Emit at least 1 message per second, even if audit_rate_check is | 204 | /* Emit at least 1 message per second, even if audit_rate_check is |
205 | * throttling. */ | 205 | * throttling. */ |
206 | void audit_log_lost(const char *message) | 206 | void audit_log_lost(const char *message) |
207 | { | 207 | { |
208 | static unsigned long last_msg = 0; | 208 | static unsigned long last_msg = 0; |
209 | static DEFINE_SPINLOCK(lock); | 209 | static DEFINE_SPINLOCK(lock); |
210 | unsigned long flags; | 210 | unsigned long flags; |
211 | unsigned long now; | 211 | unsigned long now; |
212 | int print; | 212 | int print; |
213 | 213 | ||
214 | atomic_inc(&audit_lost); | 214 | atomic_inc(&audit_lost); |
215 | 215 | ||
216 | print = (audit_failure == AUDIT_FAIL_PANIC || !audit_rate_limit); | 216 | print = (audit_failure == AUDIT_FAIL_PANIC || !audit_rate_limit); |
217 | 217 | ||
218 | if (!print) { | 218 | if (!print) { |
219 | spin_lock_irqsave(&lock, flags); | 219 | spin_lock_irqsave(&lock, flags); |
220 | now = jiffies; | 220 | now = jiffies; |
221 | if (now - last_msg > HZ) { | 221 | if (now - last_msg > HZ) { |
222 | print = 1; | 222 | print = 1; |
223 | last_msg = now; | 223 | last_msg = now; |
224 | } | 224 | } |
225 | spin_unlock_irqrestore(&lock, flags); | 225 | spin_unlock_irqrestore(&lock, flags); |
226 | } | 226 | } |
227 | 227 | ||
228 | if (print) { | 228 | if (print) { |
229 | printk(KERN_WARNING | 229 | printk(KERN_WARNING |
230 | "audit: audit_lost=%d audit_backlog=%d" | 230 | "audit: audit_lost=%d audit_backlog=%d" |
231 | " audit_rate_limit=%d audit_backlog_limit=%d\n", | 231 | " audit_rate_limit=%d audit_backlog_limit=%d\n", |
232 | atomic_read(&audit_lost), | 232 | atomic_read(&audit_lost), |
233 | atomic_read(&audit_backlog), | 233 | atomic_read(&audit_backlog), |
234 | audit_rate_limit, | 234 | audit_rate_limit, |
235 | audit_backlog_limit); | 235 | audit_backlog_limit); |
236 | audit_panic(message); | 236 | audit_panic(message); |
237 | } | 237 | } |
238 | 238 | ||
239 | } | 239 | } |
240 | 240 | ||
241 | static int audit_set_rate_limit(int limit, uid_t loginuid) | 241 | static int audit_set_rate_limit(int limit, uid_t loginuid) |
242 | { | 242 | { |
243 | int old = audit_rate_limit; | 243 | int old = audit_rate_limit; |
244 | audit_rate_limit = limit; | 244 | audit_rate_limit = limit; |
245 | audit_log(NULL, "audit_rate_limit=%d old=%d by auid %u", | 245 | audit_log(NULL, "audit_rate_limit=%d old=%d by auid %u", |
246 | audit_rate_limit, old, loginuid); | 246 | audit_rate_limit, old, loginuid); |
247 | return old; | 247 | return old; |
248 | } | 248 | } |
249 | 249 | ||
250 | static int audit_set_backlog_limit(int limit, uid_t loginuid) | 250 | static int audit_set_backlog_limit(int limit, uid_t loginuid) |
251 | { | 251 | { |
252 | int old = audit_backlog_limit; | 252 | int old = audit_backlog_limit; |
253 | audit_backlog_limit = limit; | 253 | audit_backlog_limit = limit; |
254 | audit_log(NULL, "audit_backlog_limit=%d old=%d by auid %u", | 254 | audit_log(NULL, "audit_backlog_limit=%d old=%d by auid %u", |
255 | audit_backlog_limit, old, loginuid); | 255 | audit_backlog_limit, old, loginuid); |
256 | return old; | 256 | return old; |
257 | } | 257 | } |
258 | 258 | ||
259 | static int audit_set_enabled(int state, uid_t loginuid) | 259 | static int audit_set_enabled(int state, uid_t loginuid) |
260 | { | 260 | { |
261 | int old = audit_enabled; | 261 | int old = audit_enabled; |
262 | if (state != 0 && state != 1) | 262 | if (state != 0 && state != 1) |
263 | return -EINVAL; | 263 | return -EINVAL; |
264 | audit_enabled = state; | 264 | audit_enabled = state; |
265 | audit_log(NULL, "audit_enabled=%d old=%d by auid %u", | 265 | audit_log(NULL, "audit_enabled=%d old=%d by auid %u", |
266 | audit_enabled, old, loginuid); | 266 | audit_enabled, old, loginuid); |
267 | return old; | 267 | return old; |
268 | } | 268 | } |
269 | 269 | ||
270 | static int audit_set_failure(int state, uid_t loginuid) | 270 | static int audit_set_failure(int state, uid_t loginuid) |
271 | { | 271 | { |
272 | int old = audit_failure; | 272 | int old = audit_failure; |
273 | if (state != AUDIT_FAIL_SILENT | 273 | if (state != AUDIT_FAIL_SILENT |
274 | && state != AUDIT_FAIL_PRINTK | 274 | && state != AUDIT_FAIL_PRINTK |
275 | && state != AUDIT_FAIL_PANIC) | 275 | && state != AUDIT_FAIL_PANIC) |
276 | return -EINVAL; | 276 | return -EINVAL; |
277 | audit_failure = state; | 277 | audit_failure = state; |
278 | audit_log(NULL, "audit_failure=%d old=%d by auid %u", | 278 | audit_log(NULL, "audit_failure=%d old=%d by auid %u", |
279 | audit_failure, old, loginuid); | 279 | audit_failure, old, loginuid); |
280 | return old; | 280 | return old; |
281 | } | 281 | } |
282 | 282 | ||
283 | #ifdef CONFIG_NET | 283 | #ifdef CONFIG_NET |
284 | void audit_send_reply(int pid, int seq, int type, int done, int multi, | 284 | void audit_send_reply(int pid, int seq, int type, int done, int multi, |
285 | void *payload, int size) | 285 | void *payload, int size) |
286 | { | 286 | { |
287 | struct sk_buff *skb; | 287 | struct sk_buff *skb; |
288 | struct nlmsghdr *nlh; | 288 | struct nlmsghdr *nlh; |
289 | int len = NLMSG_SPACE(size); | 289 | int len = NLMSG_SPACE(size); |
290 | void *data; | 290 | void *data; |
291 | int flags = multi ? NLM_F_MULTI : 0; | 291 | int flags = multi ? NLM_F_MULTI : 0; |
292 | int t = done ? NLMSG_DONE : type; | 292 | int t = done ? NLMSG_DONE : type; |
293 | 293 | ||
294 | skb = alloc_skb(len, GFP_KERNEL); | 294 | skb = alloc_skb(len, GFP_KERNEL); |
295 | if (!skb) | 295 | if (!skb) |
296 | goto nlmsg_failure; | 296 | goto nlmsg_failure; |
297 | 297 | ||
298 | nlh = NLMSG_PUT(skb, pid, seq, t, len - sizeof(*nlh)); | 298 | nlh = NLMSG_PUT(skb, pid, seq, t, len - sizeof(*nlh)); |
299 | nlh->nlmsg_flags = flags; | 299 | nlh->nlmsg_flags = flags; |
300 | data = NLMSG_DATA(nlh); | 300 | data = NLMSG_DATA(nlh); |
301 | memcpy(data, payload, size); | 301 | memcpy(data, payload, size); |
302 | netlink_unicast(audit_sock, skb, pid, MSG_DONTWAIT); | 302 | netlink_unicast(audit_sock, skb, pid, MSG_DONTWAIT); |
303 | return; | 303 | return; |
304 | 304 | ||
305 | nlmsg_failure: /* Used by NLMSG_PUT */ | 305 | nlmsg_failure: /* Used by NLMSG_PUT */ |
306 | if (skb) | 306 | if (skb) |
307 | kfree_skb(skb); | 307 | kfree_skb(skb); |
308 | } | 308 | } |
309 | 309 | ||
310 | /* | 310 | /* |
311 | * Check for appropriate CAP_AUDIT_ capabilities on incoming audit | 311 | * Check for appropriate CAP_AUDIT_ capabilities on incoming audit |
312 | * control messages. | 312 | * control messages. |
313 | */ | 313 | */ |
314 | static int audit_netlink_ok(kernel_cap_t eff_cap, u16 msg_type) | 314 | static int audit_netlink_ok(kernel_cap_t eff_cap, u16 msg_type) |
315 | { | 315 | { |
316 | int err = 0; | 316 | int err = 0; |
317 | 317 | ||
318 | switch (msg_type) { | 318 | switch (msg_type) { |
319 | case AUDIT_GET: | 319 | case AUDIT_GET: |
320 | case AUDIT_LIST: | 320 | case AUDIT_LIST: |
321 | case AUDIT_SET: | 321 | case AUDIT_SET: |
322 | case AUDIT_ADD: | 322 | case AUDIT_ADD: |
323 | case AUDIT_DEL: | 323 | case AUDIT_DEL: |
324 | if (!cap_raised(eff_cap, CAP_AUDIT_CONTROL)) | 324 | if (!cap_raised(eff_cap, CAP_AUDIT_CONTROL)) |
325 | err = -EPERM; | 325 | err = -EPERM; |
326 | break; | 326 | break; |
327 | case AUDIT_USER: | 327 | case AUDIT_USER: |
328 | if (!cap_raised(eff_cap, CAP_AUDIT_WRITE)) | 328 | if (!cap_raised(eff_cap, CAP_AUDIT_WRITE)) |
329 | err = -EPERM; | 329 | err = -EPERM; |
330 | break; | 330 | break; |
331 | default: /* bad msg */ | 331 | default: /* bad msg */ |
332 | err = -EINVAL; | 332 | err = -EINVAL; |
333 | } | 333 | } |
334 | 334 | ||
335 | return err; | 335 | return err; |
336 | } | 336 | } |
337 | 337 | ||
338 | static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) | 338 | static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) |
339 | { | 339 | { |
340 | u32 uid, pid, seq; | 340 | u32 uid, pid, seq; |
341 | void *data; | 341 | void *data; |
342 | struct audit_status *status_get, status_set; | 342 | struct audit_status *status_get, status_set; |
343 | int err; | 343 | int err; |
344 | struct audit_buffer *ab; | 344 | struct audit_buffer *ab; |
345 | u16 msg_type = nlh->nlmsg_type; | 345 | u16 msg_type = nlh->nlmsg_type; |
346 | uid_t loginuid; /* loginuid of sender */ | 346 | uid_t loginuid; /* loginuid of sender */ |
347 | 347 | ||
348 | err = audit_netlink_ok(NETLINK_CB(skb).eff_cap, msg_type); | 348 | err = audit_netlink_ok(NETLINK_CB(skb).eff_cap, msg_type); |
349 | if (err) | 349 | if (err) |
350 | return err; | 350 | return err; |
351 | 351 | ||
352 | pid = NETLINK_CREDS(skb)->pid; | 352 | pid = NETLINK_CREDS(skb)->pid; |
353 | uid = NETLINK_CREDS(skb)->uid; | 353 | uid = NETLINK_CREDS(skb)->uid; |
354 | loginuid = NETLINK_CB(skb).loginuid; | 354 | loginuid = NETLINK_CB(skb).loginuid; |
355 | seq = nlh->nlmsg_seq; | 355 | seq = nlh->nlmsg_seq; |
356 | data = NLMSG_DATA(nlh); | 356 | data = NLMSG_DATA(nlh); |
357 | 357 | ||
358 | switch (msg_type) { | 358 | switch (msg_type) { |
359 | case AUDIT_GET: | 359 | case AUDIT_GET: |
360 | status_set.enabled = audit_enabled; | 360 | status_set.enabled = audit_enabled; |
361 | status_set.failure = audit_failure; | 361 | status_set.failure = audit_failure; |
362 | status_set.pid = audit_pid; | 362 | status_set.pid = audit_pid; |
363 | status_set.rate_limit = audit_rate_limit; | 363 | status_set.rate_limit = audit_rate_limit; |
364 | status_set.backlog_limit = audit_backlog_limit; | 364 | status_set.backlog_limit = audit_backlog_limit; |
365 | status_set.lost = atomic_read(&audit_lost); | 365 | status_set.lost = atomic_read(&audit_lost); |
366 | status_set.backlog = atomic_read(&audit_backlog); | 366 | status_set.backlog = atomic_read(&audit_backlog); |
367 | audit_send_reply(NETLINK_CB(skb).pid, seq, AUDIT_GET, 0, 0, | 367 | audit_send_reply(NETLINK_CB(skb).pid, seq, AUDIT_GET, 0, 0, |
368 | &status_set, sizeof(status_set)); | 368 | &status_set, sizeof(status_set)); |
369 | break; | 369 | break; |
370 | case AUDIT_SET: | 370 | case AUDIT_SET: |
371 | if (nlh->nlmsg_len < sizeof(struct audit_status)) | 371 | if (nlh->nlmsg_len < sizeof(struct audit_status)) |
372 | return -EINVAL; | 372 | return -EINVAL; |
373 | status_get = (struct audit_status *)data; | 373 | status_get = (struct audit_status *)data; |
374 | if (status_get->mask & AUDIT_STATUS_ENABLED) { | 374 | if (status_get->mask & AUDIT_STATUS_ENABLED) { |
375 | err = audit_set_enabled(status_get->enabled, loginuid); | 375 | err = audit_set_enabled(status_get->enabled, loginuid); |
376 | if (err < 0) return err; | 376 | if (err < 0) return err; |
377 | } | 377 | } |
378 | if (status_get->mask & AUDIT_STATUS_FAILURE) { | 378 | if (status_get->mask & AUDIT_STATUS_FAILURE) { |
379 | err = audit_set_failure(status_get->failure, loginuid); | 379 | err = audit_set_failure(status_get->failure, loginuid); |
380 | if (err < 0) return err; | 380 | if (err < 0) return err; |
381 | } | 381 | } |
382 | if (status_get->mask & AUDIT_STATUS_PID) { | 382 | if (status_get->mask & AUDIT_STATUS_PID) { |
383 | int old = audit_pid; | 383 | int old = audit_pid; |
384 | audit_pid = status_get->pid; | 384 | audit_pid = status_get->pid; |
385 | audit_log(NULL, "audit_pid=%d old=%d by auid %u", | 385 | audit_log(NULL, "audit_pid=%d old=%d by auid %u", |
386 | audit_pid, old, loginuid); | 386 | audit_pid, old, loginuid); |
387 | } | 387 | } |
388 | if (status_get->mask & AUDIT_STATUS_RATE_LIMIT) | 388 | if (status_get->mask & AUDIT_STATUS_RATE_LIMIT) |
389 | audit_set_rate_limit(status_get->rate_limit, loginuid); | 389 | audit_set_rate_limit(status_get->rate_limit, loginuid); |
390 | if (status_get->mask & AUDIT_STATUS_BACKLOG_LIMIT) | 390 | if (status_get->mask & AUDIT_STATUS_BACKLOG_LIMIT) |
391 | audit_set_backlog_limit(status_get->backlog_limit, | 391 | audit_set_backlog_limit(status_get->backlog_limit, |
392 | loginuid); | 392 | loginuid); |
393 | break; | 393 | break; |
394 | case AUDIT_USER: | 394 | case AUDIT_USER: |
395 | ab = audit_log_start(NULL); | 395 | ab = audit_log_start(NULL); |
396 | if (!ab) | 396 | if (!ab) |
397 | break; /* audit_panic has been called */ | 397 | break; /* audit_panic has been called */ |
398 | audit_log_format(ab, | 398 | audit_log_format(ab, |
399 | "user pid=%d uid=%d length=%d loginuid=%u" | 399 | "user pid=%d uid=%d length=%d loginuid=%u" |
400 | " msg='%.1024s'", | 400 | " msg='%.1024s'", |
401 | pid, uid, | 401 | pid, uid, |
402 | (int)(nlh->nlmsg_len | 402 | (int)(nlh->nlmsg_len |
403 | - ((char *)data - (char *)nlh)), | 403 | - ((char *)data - (char *)nlh)), |
404 | loginuid, (char *)data); | 404 | loginuid, (char *)data); |
405 | ab->type = AUDIT_USER; | 405 | ab->type = AUDIT_USER; |
406 | ab->pid = pid; | 406 | ab->pid = pid; |
407 | audit_log_end(ab); | 407 | audit_log_end(ab); |
408 | break; | 408 | break; |
409 | case AUDIT_ADD: | 409 | case AUDIT_ADD: |
410 | case AUDIT_DEL: | 410 | case AUDIT_DEL: |
411 | if (nlh->nlmsg_len < sizeof(struct audit_rule)) | 411 | if (nlh->nlmsg_len < sizeof(struct audit_rule)) |
412 | return -EINVAL; | 412 | return -EINVAL; |
413 | /* fallthrough */ | 413 | /* fallthrough */ |
414 | case AUDIT_LIST: | 414 | case AUDIT_LIST: |
415 | #ifdef CONFIG_AUDITSYSCALL | 415 | #ifdef CONFIG_AUDITSYSCALL |
416 | err = audit_receive_filter(nlh->nlmsg_type, NETLINK_CB(skb).pid, | 416 | err = audit_receive_filter(nlh->nlmsg_type, NETLINK_CB(skb).pid, |
417 | uid, seq, data, loginuid); | 417 | uid, seq, data, loginuid); |
418 | #else | 418 | #else |
419 | err = -EOPNOTSUPP; | 419 | err = -EOPNOTSUPP; |
420 | #endif | 420 | #endif |
421 | break; | 421 | break; |
422 | default: | 422 | default: |
423 | err = -EINVAL; | 423 | err = -EINVAL; |
424 | break; | 424 | break; |
425 | } | 425 | } |
426 | 426 | ||
427 | return err < 0 ? err : 0; | 427 | return err < 0 ? err : 0; |
428 | } | 428 | } |
429 | 429 | ||
430 | /* Get message from skb (based on rtnetlink_rcv_skb). Each message is | 430 | /* Get message from skb (based on rtnetlink_rcv_skb). Each message is |
431 | * processed by audit_receive_msg. Malformed skbs with wrong length are | 431 | * processed by audit_receive_msg. Malformed skbs with wrong length are |
432 | * discarded silently. */ | 432 | * discarded silently. */ |
433 | static int audit_receive_skb(struct sk_buff *skb) | 433 | static int audit_receive_skb(struct sk_buff *skb) |
434 | { | 434 | { |
435 | int err; | 435 | int err; |
436 | struct nlmsghdr *nlh; | 436 | struct nlmsghdr *nlh; |
437 | u32 rlen; | 437 | u32 rlen; |
438 | 438 | ||
439 | while (skb->len >= NLMSG_SPACE(0)) { | 439 | while (skb->len >= NLMSG_SPACE(0)) { |
440 | nlh = (struct nlmsghdr *)skb->data; | 440 | nlh = (struct nlmsghdr *)skb->data; |
441 | if (nlh->nlmsg_len < sizeof(*nlh) || skb->len < nlh->nlmsg_len) | 441 | if (nlh->nlmsg_len < sizeof(*nlh) || skb->len < nlh->nlmsg_len) |
442 | return 0; | 442 | return 0; |
443 | rlen = NLMSG_ALIGN(nlh->nlmsg_len); | 443 | rlen = NLMSG_ALIGN(nlh->nlmsg_len); |
444 | if (rlen > skb->len) | 444 | if (rlen > skb->len) |
445 | rlen = skb->len; | 445 | rlen = skb->len; |
446 | if ((err = audit_receive_msg(skb, nlh))) { | 446 | if ((err = audit_receive_msg(skb, nlh))) { |
447 | netlink_ack(skb, nlh, err); | 447 | netlink_ack(skb, nlh, err); |
448 | } else if (nlh->nlmsg_flags & NLM_F_ACK) | 448 | } else if (nlh->nlmsg_flags & NLM_F_ACK) |
449 | netlink_ack(skb, nlh, 0); | 449 | netlink_ack(skb, nlh, 0); |
450 | skb_pull(skb, rlen); | 450 | skb_pull(skb, rlen); |
451 | } | 451 | } |
452 | return 0; | 452 | return 0; |
453 | } | 453 | } |
454 | 454 | ||
455 | /* Receive messages from netlink socket. */ | 455 | /* Receive messages from netlink socket. */ |
456 | static void audit_receive(struct sock *sk, int length) | 456 | static void audit_receive(struct sock *sk, int length) |
457 | { | 457 | { |
458 | struct sk_buff *skb; | 458 | struct sk_buff *skb; |
459 | 459 | ||
460 | if (down_trylock(&audit_netlink_sem)) | 460 | if (down_trylock(&audit_netlink_sem)) |
461 | return; | 461 | return; |
462 | 462 | ||
463 | /* FIXME: this must not cause starvation */ | 463 | /* FIXME: this must not cause starvation */ |
464 | while ((skb = skb_dequeue(&sk->sk_receive_queue))) { | 464 | while ((skb = skb_dequeue(&sk->sk_receive_queue))) { |
465 | if (audit_receive_skb(skb) && skb->len) | 465 | if (audit_receive_skb(skb) && skb->len) |
466 | skb_queue_head(&sk->sk_receive_queue, skb); | 466 | skb_queue_head(&sk->sk_receive_queue, skb); |
467 | else | 467 | else |
468 | kfree_skb(skb); | 468 | kfree_skb(skb); |
469 | } | 469 | } |
470 | up(&audit_netlink_sem); | 470 | up(&audit_netlink_sem); |
471 | } | 471 | } |
472 | 472 | ||
473 | /* Move data from tmp buffer into an skb. This is an extra copy, and | 473 | /* Move data from tmp buffer into an skb. This is an extra copy, and |
474 | * that is unfortunate. However, the copy will only occur when a record | 474 | * that is unfortunate. However, the copy will only occur when a record |
475 | * is being written to user space, which is already a high-overhead | 475 | * is being written to user space, which is already a high-overhead |
476 | * operation. (Elimination of the copy is possible, for example, by | 476 | * operation. (Elimination of the copy is possible, for example, by |
477 | * writing directly into a pre-allocated skb, at the cost of wasting | 477 | * writing directly into a pre-allocated skb, at the cost of wasting |
478 | * memory. */ | 478 | * memory. */ |
479 | static void audit_log_move(struct audit_buffer *ab) | 479 | static void audit_log_move(struct audit_buffer *ab) |
480 | { | 480 | { |
481 | struct sk_buff *skb; | 481 | struct sk_buff *skb; |
482 | char *start; | 482 | char *start; |
483 | int extra = ab->nlh ? 0 : NLMSG_SPACE(0); | 483 | int extra = ab->nlh ? 0 : NLMSG_SPACE(0); |
484 | 484 | ||
485 | /* possible resubmission */ | 485 | /* possible resubmission */ |
486 | if (ab->len == 0) | 486 | if (ab->len == 0) |
487 | return; | 487 | return; |
488 | 488 | ||
489 | skb = skb_peek(&ab->sklist); | 489 | skb = skb_peek_tail(&ab->sklist); |
490 | if (!skb || skb_tailroom(skb) <= ab->len + extra) { | 490 | if (!skb || skb_tailroom(skb) <= ab->len + extra) { |
491 | skb = alloc_skb(2 * ab->len + extra, GFP_ATOMIC); | 491 | skb = alloc_skb(2 * ab->len + extra, GFP_ATOMIC); |
492 | if (!skb) { | 492 | if (!skb) { |
493 | ab->len = 0; /* Lose information in ab->tmp */ | 493 | ab->len = 0; /* Lose information in ab->tmp */ |
494 | audit_log_lost("out of memory in audit_log_move"); | 494 | audit_log_lost("out of memory in audit_log_move"); |
495 | return; | 495 | return; |
496 | } | 496 | } |
497 | __skb_queue_tail(&ab->sklist, skb); | 497 | __skb_queue_tail(&ab->sklist, skb); |
498 | if (!ab->nlh) | 498 | if (!ab->nlh) |
499 | ab->nlh = (struct nlmsghdr *)skb_put(skb, | 499 | ab->nlh = (struct nlmsghdr *)skb_put(skb, |
500 | NLMSG_SPACE(0)); | 500 | NLMSG_SPACE(0)); |
501 | } | 501 | } |
502 | start = skb_put(skb, ab->len); | 502 | start = skb_put(skb, ab->len); |
503 | memcpy(start, ab->tmp, ab->len); | 503 | memcpy(start, ab->tmp, ab->len); |
504 | ab->len = 0; | 504 | ab->len = 0; |
505 | } | 505 | } |
506 | 506 | ||
507 | /* Iterate over the skbuff in the audit_buffer, sending their contents | 507 | /* Iterate over the skbuff in the audit_buffer, sending their contents |
508 | * to user space. */ | 508 | * to user space. */ |
509 | static inline int audit_log_drain(struct audit_buffer *ab) | 509 | static inline int audit_log_drain(struct audit_buffer *ab) |
510 | { | 510 | { |
511 | struct sk_buff *skb; | 511 | struct sk_buff *skb; |
512 | 512 | ||
513 | while ((skb = skb_dequeue(&ab->sklist))) { | 513 | while ((skb = skb_dequeue(&ab->sklist))) { |
514 | int retval = 0; | 514 | int retval = 0; |
515 | 515 | ||
516 | if (audit_pid) { | 516 | if (audit_pid) { |
517 | if (ab->nlh) { | 517 | if (ab->nlh) { |
518 | ab->nlh->nlmsg_len = ab->total; | 518 | ab->nlh->nlmsg_len = ab->total; |
519 | ab->nlh->nlmsg_type = ab->type; | 519 | ab->nlh->nlmsg_type = ab->type; |
520 | ab->nlh->nlmsg_flags = 0; | 520 | ab->nlh->nlmsg_flags = 0; |
521 | ab->nlh->nlmsg_seq = 0; | 521 | ab->nlh->nlmsg_seq = 0; |
522 | ab->nlh->nlmsg_pid = ab->pid; | 522 | ab->nlh->nlmsg_pid = ab->pid; |
523 | } | 523 | } |
524 | skb_get(skb); /* because netlink_* frees */ | 524 | skb_get(skb); /* because netlink_* frees */ |
525 | retval = netlink_unicast(audit_sock, skb, audit_pid, | 525 | retval = netlink_unicast(audit_sock, skb, audit_pid, |
526 | MSG_DONTWAIT); | 526 | MSG_DONTWAIT); |
527 | } | 527 | } |
528 | if (retval == -EAGAIN && | 528 | if (retval == -EAGAIN && |
529 | (atomic_read(&audit_backlog)) < audit_backlog_limit) { | 529 | (atomic_read(&audit_backlog)) < audit_backlog_limit) { |
530 | skb_queue_head(&ab->sklist, skb); | 530 | skb_queue_head(&ab->sklist, skb); |
531 | audit_log_end_irq(ab); | 531 | audit_log_end_irq(ab); |
532 | return 1; | 532 | return 1; |
533 | } | 533 | } |
534 | if (retval < 0) { | 534 | if (retval < 0) { |
535 | if (retval == -ECONNREFUSED) { | 535 | if (retval == -ECONNREFUSED) { |
536 | printk(KERN_ERR | 536 | printk(KERN_ERR |
537 | "audit: *NO* daemon at audit_pid=%d\n", | 537 | "audit: *NO* daemon at audit_pid=%d\n", |
538 | audit_pid); | 538 | audit_pid); |
539 | audit_pid = 0; | 539 | audit_pid = 0; |
540 | } else | 540 | } else |
541 | audit_log_lost("netlink socket too busy"); | 541 | audit_log_lost("netlink socket too busy"); |
542 | } | 542 | } |
543 | if (!audit_pid) { /* No daemon */ | 543 | if (!audit_pid) { /* No daemon */ |
544 | int offset = ab->nlh ? NLMSG_SPACE(0) : 0; | 544 | int offset = ab->nlh ? NLMSG_SPACE(0) : 0; |
545 | int len = skb->len - offset; | 545 | int len = skb->len - offset; |
546 | skb->data[offset + len] = '\0'; | 546 | skb->data[offset + len] = '\0'; |
547 | printk(KERN_ERR "%s\n", skb->data + offset); | 547 | printk(KERN_ERR "%s\n", skb->data + offset); |
548 | } | 548 | } |
549 | kfree_skb(skb); | 549 | kfree_skb(skb); |
550 | ab->nlh = NULL; | 550 | ab->nlh = NULL; |
551 | } | 551 | } |
552 | return 0; | 552 | return 0; |
553 | } | 553 | } |
554 | 554 | ||
555 | /* Initialize audit support at boot time. */ | 555 | /* Initialize audit support at boot time. */ |
556 | static int __init audit_init(void) | 556 | static int __init audit_init(void) |
557 | { | 557 | { |
558 | printk(KERN_INFO "audit: initializing netlink socket (%s)\n", | 558 | printk(KERN_INFO "audit: initializing netlink socket (%s)\n", |
559 | audit_default ? "enabled" : "disabled"); | 559 | audit_default ? "enabled" : "disabled"); |
560 | audit_sock = netlink_kernel_create(NETLINK_AUDIT, audit_receive); | 560 | audit_sock = netlink_kernel_create(NETLINK_AUDIT, audit_receive); |
561 | if (!audit_sock) | 561 | if (!audit_sock) |
562 | audit_panic("cannot initialize netlink socket"); | 562 | audit_panic("cannot initialize netlink socket"); |
563 | 563 | ||
564 | audit_initialized = 1; | 564 | audit_initialized = 1; |
565 | audit_enabled = audit_default; | 565 | audit_enabled = audit_default; |
566 | audit_log(NULL, "initialized"); | 566 | audit_log(NULL, "initialized"); |
567 | return 0; | 567 | return 0; |
568 | } | 568 | } |
569 | 569 | ||
570 | #else | 570 | #else |
571 | /* Without CONFIG_NET, we have no skbuffs. For now, print what we have | 571 | /* Without CONFIG_NET, we have no skbuffs. For now, print what we have |
572 | * in the buffer. */ | 572 | * in the buffer. */ |
573 | static void audit_log_move(struct audit_buffer *ab) | 573 | static void audit_log_move(struct audit_buffer *ab) |
574 | { | 574 | { |
575 | printk(KERN_ERR "%*.*s\n", ab->len, ab->len, ab->tmp); | 575 | printk(KERN_ERR "%*.*s\n", ab->len, ab->len, ab->tmp); |
576 | ab->len = 0; | 576 | ab->len = 0; |
577 | } | 577 | } |
578 | 578 | ||
579 | static inline int audit_log_drain(struct audit_buffer *ab) | 579 | static inline int audit_log_drain(struct audit_buffer *ab) |
580 | { | 580 | { |
581 | return 0; | 581 | return 0; |
582 | } | 582 | } |
583 | 583 | ||
584 | /* Initialize audit support at boot time. */ | 584 | /* Initialize audit support at boot time. */ |
585 | int __init audit_init(void) | 585 | int __init audit_init(void) |
586 | { | 586 | { |
587 | printk(KERN_INFO "audit: initializing WITHOUT netlink support\n"); | 587 | printk(KERN_INFO "audit: initializing WITHOUT netlink support\n"); |
588 | audit_sock = NULL; | 588 | audit_sock = NULL; |
589 | audit_pid = 0; | 589 | audit_pid = 0; |
590 | 590 | ||
591 | audit_initialized = 1; | 591 | audit_initialized = 1; |
592 | audit_enabled = audit_default; | 592 | audit_enabled = audit_default; |
593 | audit_log(NULL, "initialized"); | 593 | audit_log(NULL, "initialized"); |
594 | return 0; | 594 | return 0; |
595 | } | 595 | } |
596 | #endif | 596 | #endif |
597 | 597 | ||
598 | __initcall(audit_init); | 598 | __initcall(audit_init); |
599 | 599 | ||
600 | /* Process kernel command-line parameter at boot time. audit=0 or audit=1. */ | 600 | /* Process kernel command-line parameter at boot time. audit=0 or audit=1. */ |
601 | static int __init audit_enable(char *str) | 601 | static int __init audit_enable(char *str) |
602 | { | 602 | { |
603 | audit_default = !!simple_strtol(str, NULL, 0); | 603 | audit_default = !!simple_strtol(str, NULL, 0); |
604 | printk(KERN_INFO "audit: %s%s\n", | 604 | printk(KERN_INFO "audit: %s%s\n", |
605 | audit_default ? "enabled" : "disabled", | 605 | audit_default ? "enabled" : "disabled", |
606 | audit_initialized ? "" : " (after initialization)"); | 606 | audit_initialized ? "" : " (after initialization)"); |
607 | if (audit_initialized) | 607 | if (audit_initialized) |
608 | audit_enabled = audit_default; | 608 | audit_enabled = audit_default; |
609 | return 0; | 609 | return 0; |
610 | } | 610 | } |
611 | 611 | ||
612 | __setup("audit=", audit_enable); | 612 | __setup("audit=", audit_enable); |
613 | 613 | ||
614 | 614 | ||
615 | /* Obtain an audit buffer. This routine does locking to obtain the | 615 | /* Obtain an audit buffer. This routine does locking to obtain the |
616 | * audit buffer, but then no locking is required for calls to | 616 | * audit buffer, but then no locking is required for calls to |
617 | * audit_log_*format. If the tsk is a task that is currently in a | 617 | * audit_log_*format. If the tsk is a task that is currently in a |
618 | * syscall, then the syscall is marked as auditable and an audit record | 618 | * syscall, then the syscall is marked as auditable and an audit record |
619 | * will be written at syscall exit. If there is no associated task, tsk | 619 | * will be written at syscall exit. If there is no associated task, tsk |
620 | * should be NULL. */ | 620 | * should be NULL. */ |
621 | struct audit_buffer *audit_log_start(struct audit_context *ctx) | 621 | struct audit_buffer *audit_log_start(struct audit_context *ctx) |
622 | { | 622 | { |
623 | struct audit_buffer *ab = NULL; | 623 | struct audit_buffer *ab = NULL; |
624 | unsigned long flags; | 624 | unsigned long flags; |
625 | struct timespec t; | 625 | struct timespec t; |
626 | unsigned int serial; | 626 | unsigned int serial; |
627 | 627 | ||
628 | if (!audit_initialized) | 628 | if (!audit_initialized) |
629 | return NULL; | 629 | return NULL; |
630 | 630 | ||
631 | if (audit_backlog_limit | 631 | if (audit_backlog_limit |
632 | && atomic_read(&audit_backlog) > audit_backlog_limit) { | 632 | && atomic_read(&audit_backlog) > audit_backlog_limit) { |
633 | if (audit_rate_check()) | 633 | if (audit_rate_check()) |
634 | printk(KERN_WARNING | 634 | printk(KERN_WARNING |
635 | "audit: audit_backlog=%d > " | 635 | "audit: audit_backlog=%d > " |
636 | "audit_backlog_limit=%d\n", | 636 | "audit_backlog_limit=%d\n", |
637 | atomic_read(&audit_backlog), | 637 | atomic_read(&audit_backlog), |
638 | audit_backlog_limit); | 638 | audit_backlog_limit); |
639 | audit_log_lost("backlog limit exceeded"); | 639 | audit_log_lost("backlog limit exceeded"); |
640 | return NULL; | 640 | return NULL; |
641 | } | 641 | } |
642 | 642 | ||
643 | spin_lock_irqsave(&audit_freelist_lock, flags); | 643 | spin_lock_irqsave(&audit_freelist_lock, flags); |
644 | if (!list_empty(&audit_freelist)) { | 644 | if (!list_empty(&audit_freelist)) { |
645 | ab = list_entry(audit_freelist.next, | 645 | ab = list_entry(audit_freelist.next, |
646 | struct audit_buffer, list); | 646 | struct audit_buffer, list); |
647 | list_del(&ab->list); | 647 | list_del(&ab->list); |
648 | --audit_freelist_count; | 648 | --audit_freelist_count; |
649 | } | 649 | } |
650 | spin_unlock_irqrestore(&audit_freelist_lock, flags); | 650 | spin_unlock_irqrestore(&audit_freelist_lock, flags); |
651 | 651 | ||
652 | if (!ab) | 652 | if (!ab) |
653 | ab = kmalloc(sizeof(*ab), GFP_ATOMIC); | 653 | ab = kmalloc(sizeof(*ab), GFP_ATOMIC); |
654 | if (!ab) { | 654 | if (!ab) { |
655 | audit_log_lost("out of memory in audit_log_start"); | 655 | audit_log_lost("out of memory in audit_log_start"); |
656 | return NULL; | 656 | return NULL; |
657 | } | 657 | } |
658 | 658 | ||
659 | atomic_inc(&audit_backlog); | 659 | atomic_inc(&audit_backlog); |
660 | skb_queue_head_init(&ab->sklist); | 660 | skb_queue_head_init(&ab->sklist); |
661 | 661 | ||
662 | ab->ctx = ctx; | 662 | ab->ctx = ctx; |
663 | ab->len = 0; | 663 | ab->len = 0; |
664 | ab->nlh = NULL; | 664 | ab->nlh = NULL; |
665 | ab->total = 0; | 665 | ab->total = 0; |
666 | ab->type = AUDIT_KERNEL; | 666 | ab->type = AUDIT_KERNEL; |
667 | ab->pid = 0; | 667 | ab->pid = 0; |
668 | 668 | ||
669 | #ifdef CONFIG_AUDITSYSCALL | 669 | #ifdef CONFIG_AUDITSYSCALL |
670 | if (ab->ctx) | 670 | if (ab->ctx) |
671 | audit_get_stamp(ab->ctx, &t, &serial); | 671 | audit_get_stamp(ab->ctx, &t, &serial); |
672 | else | 672 | else |
673 | #endif | 673 | #endif |
674 | { | 674 | { |
675 | t = CURRENT_TIME; | 675 | t = CURRENT_TIME; |
676 | serial = 0; | 676 | serial = 0; |
677 | } | 677 | } |
678 | audit_log_format(ab, "audit(%lu.%03lu:%u): ", | 678 | audit_log_format(ab, "audit(%lu.%03lu:%u): ", |
679 | t.tv_sec, t.tv_nsec/1000000, serial); | 679 | t.tv_sec, t.tv_nsec/1000000, serial); |
680 | return ab; | 680 | return ab; |
681 | } | 681 | } |
682 | 682 | ||
683 | 683 | ||
684 | /* Format an audit message into the audit buffer. If there isn't enough | 684 | /* Format an audit message into the audit buffer. If there isn't enough |
685 | * room in the audit buffer, more room will be allocated and vsnprint | 685 | * room in the audit buffer, more room will be allocated and vsnprint |
686 | * will be called a second time. Currently, we assume that a printk | 686 | * will be called a second time. Currently, we assume that a printk |
687 | * can't format message larger than 1024 bytes, so we don't either. */ | 687 | * can't format message larger than 1024 bytes, so we don't either. */ |
688 | static void audit_log_vformat(struct audit_buffer *ab, const char *fmt, | 688 | static void audit_log_vformat(struct audit_buffer *ab, const char *fmt, |
689 | va_list args) | 689 | va_list args) |
690 | { | 690 | { |
691 | int len, avail; | 691 | int len, avail; |
692 | 692 | ||
693 | if (!ab) | 693 | if (!ab) |
694 | return; | 694 | return; |
695 | 695 | ||
696 | avail = sizeof(ab->tmp) - ab->len; | 696 | avail = sizeof(ab->tmp) - ab->len; |
697 | if (avail <= 0) { | 697 | if (avail <= 0) { |
698 | audit_log_move(ab); | 698 | audit_log_move(ab); |
699 | avail = sizeof(ab->tmp) - ab->len; | 699 | avail = sizeof(ab->tmp) - ab->len; |
700 | } | 700 | } |
701 | len = vsnprintf(ab->tmp + ab->len, avail, fmt, args); | 701 | len = vsnprintf(ab->tmp + ab->len, avail, fmt, args); |
702 | if (len >= avail) { | 702 | if (len >= avail) { |
703 | /* The printk buffer is 1024 bytes long, so if we get | 703 | /* The printk buffer is 1024 bytes long, so if we get |
704 | * here and AUDIT_BUFSIZ is at least 1024, then we can | 704 | * here and AUDIT_BUFSIZ is at least 1024, then we can |
705 | * log everything that printk could have logged. */ | 705 | * log everything that printk could have logged. */ |
706 | audit_log_move(ab); | 706 | audit_log_move(ab); |
707 | avail = sizeof(ab->tmp) - ab->len; | 707 | avail = sizeof(ab->tmp) - ab->len; |
708 | len = vsnprintf(ab->tmp + ab->len, avail, fmt, args); | 708 | len = vsnprintf(ab->tmp + ab->len, avail, fmt, args); |
709 | } | 709 | } |
710 | ab->len += (len < avail) ? len : avail; | 710 | ab->len += (len < avail) ? len : avail; |
711 | ab->total += (len < avail) ? len : avail; | 711 | ab->total += (len < avail) ? len : avail; |
712 | } | 712 | } |
713 | 713 | ||
714 | /* Format a message into the audit buffer. All the work is done in | 714 | /* Format a message into the audit buffer. All the work is done in |
715 | * audit_log_vformat. */ | 715 | * audit_log_vformat. */ |
716 | void audit_log_format(struct audit_buffer *ab, const char *fmt, ...) | 716 | void audit_log_format(struct audit_buffer *ab, const char *fmt, ...) |
717 | { | 717 | { |
718 | va_list args; | 718 | va_list args; |
719 | 719 | ||
720 | if (!ab) | 720 | if (!ab) |
721 | return; | 721 | return; |
722 | va_start(args, fmt); | 722 | va_start(args, fmt); |
723 | audit_log_vformat(ab, fmt, args); | 723 | audit_log_vformat(ab, fmt, args); |
724 | va_end(args); | 724 | va_end(args); |
725 | } | 725 | } |
726 | 726 | ||
727 | void audit_log_hex(struct audit_buffer *ab, const unsigned char *buf, size_t len) | 727 | void audit_log_hex(struct audit_buffer *ab, const unsigned char *buf, size_t len) |
728 | { | 728 | { |
729 | int i; | 729 | int i; |
730 | 730 | ||
731 | for (i=0; i<len; i++) | 731 | for (i=0; i<len; i++) |
732 | audit_log_format(ab, "%02x", buf[i]); | 732 | audit_log_format(ab, "%02x", buf[i]); |
733 | } | 733 | } |
734 | 734 | ||
735 | void audit_log_untrustedstring(struct audit_buffer *ab, const char *string) | 735 | void audit_log_untrustedstring(struct audit_buffer *ab, const char *string) |
736 | { | 736 | { |
737 | const unsigned char *p = string; | 737 | const unsigned char *p = string; |
738 | 738 | ||
739 | while (*p) { | 739 | while (*p) { |
740 | if (*p == '"' || *p == ' ' || *p < 0x20 || *p > 0x7f) { | 740 | if (*p == '"' || *p == ' ' || *p < 0x20 || *p > 0x7f) { |
741 | audit_log_hex(ab, string, strlen(string)); | 741 | audit_log_hex(ab, string, strlen(string)); |
742 | return; | 742 | return; |
743 | } | 743 | } |
744 | p++; | 744 | p++; |
745 | } | 745 | } |
746 | audit_log_format(ab, "\"%s\"", string); | 746 | audit_log_format(ab, "\"%s\"", string); |
747 | } | 747 | } |
748 | 748 | ||
749 | 749 | ||
750 | /* This is a helper-function to print the d_path without using a static | 750 | /* This is a helper-function to print the d_path without using a static |
751 | * buffer or allocating another buffer in addition to the one in | 751 | * buffer or allocating another buffer in addition to the one in |
752 | * audit_buffer. */ | 752 | * audit_buffer. */ |
753 | void audit_log_d_path(struct audit_buffer *ab, const char *prefix, | 753 | void audit_log_d_path(struct audit_buffer *ab, const char *prefix, |
754 | struct dentry *dentry, struct vfsmount *vfsmnt) | 754 | struct dentry *dentry, struct vfsmount *vfsmnt) |
755 | { | 755 | { |
756 | char *p; | 756 | char *p; |
757 | int len, avail; | 757 | int len, avail; |
758 | 758 | ||
759 | if (prefix) audit_log_format(ab, " %s", prefix); | 759 | if (prefix) audit_log_format(ab, " %s", prefix); |
760 | 760 | ||
761 | if (ab->len > 128) | 761 | if (ab->len > 128) |
762 | audit_log_move(ab); | 762 | audit_log_move(ab); |
763 | avail = sizeof(ab->tmp) - ab->len; | 763 | avail = sizeof(ab->tmp) - ab->len; |
764 | p = d_path(dentry, vfsmnt, ab->tmp + ab->len, avail); | 764 | p = d_path(dentry, vfsmnt, ab->tmp + ab->len, avail); |
765 | if (IS_ERR(p)) { | 765 | if (IS_ERR(p)) { |
766 | /* FIXME: can we save some information here? */ | 766 | /* FIXME: can we save some information here? */ |
767 | audit_log_format(ab, "<toolong>"); | 767 | audit_log_format(ab, "<toolong>"); |
768 | } else { | 768 | } else { |
769 | /* path isn't at start of buffer */ | 769 | /* path isn't at start of buffer */ |
770 | len = (ab->tmp + sizeof(ab->tmp) - 1) - p; | 770 | len = (ab->tmp + sizeof(ab->tmp) - 1) - p; |
771 | memmove(ab->tmp + ab->len, p, len); | 771 | memmove(ab->tmp + ab->len, p, len); |
772 | ab->len += len; | 772 | ab->len += len; |
773 | ab->total += len; | 773 | ab->total += len; |
774 | } | 774 | } |
775 | } | 775 | } |
776 | 776 | ||
777 | /* Remove queued messages from the audit_txlist and send them to userspace. */ | 777 | /* Remove queued messages from the audit_txlist and send them to userspace. */ |
778 | static void audit_tasklet_handler(unsigned long arg) | 778 | static void audit_tasklet_handler(unsigned long arg) |
779 | { | 779 | { |
780 | LIST_HEAD(list); | 780 | LIST_HEAD(list); |
781 | struct audit_buffer *ab; | 781 | struct audit_buffer *ab; |
782 | unsigned long flags; | 782 | unsigned long flags; |
783 | 783 | ||
784 | spin_lock_irqsave(&audit_txlist_lock, flags); | 784 | spin_lock_irqsave(&audit_txlist_lock, flags); |
785 | list_splice_init(&audit_txlist, &list); | 785 | list_splice_init(&audit_txlist, &list); |
786 | spin_unlock_irqrestore(&audit_txlist_lock, flags); | 786 | spin_unlock_irqrestore(&audit_txlist_lock, flags); |
787 | 787 | ||
788 | while (!list_empty(&list)) { | 788 | while (!list_empty(&list)) { |
789 | ab = list_entry(list.next, struct audit_buffer, list); | 789 | ab = list_entry(list.next, struct audit_buffer, list); |
790 | list_del(&ab->list); | 790 | list_del(&ab->list); |
791 | audit_log_end_fast(ab); | 791 | audit_log_end_fast(ab); |
792 | } | 792 | } |
793 | } | 793 | } |
794 | 794 | ||
795 | static DECLARE_TASKLET(audit_tasklet, audit_tasklet_handler, 0); | 795 | static DECLARE_TASKLET(audit_tasklet, audit_tasklet_handler, 0); |
796 | 796 | ||
797 | /* The netlink_* functions cannot be called inside an irq context, so | 797 | /* The netlink_* functions cannot be called inside an irq context, so |
798 | * the audit buffer is places on a queue and a tasklet is scheduled to | 798 | * the audit buffer is places on a queue and a tasklet is scheduled to |
799 | * remove them from the queue outside the irq context. May be called in | 799 | * remove them from the queue outside the irq context. May be called in |
800 | * any context. */ | 800 | * any context. */ |
801 | static void audit_log_end_irq(struct audit_buffer *ab) | 801 | static void audit_log_end_irq(struct audit_buffer *ab) |
802 | { | 802 | { |
803 | unsigned long flags; | 803 | unsigned long flags; |
804 | 804 | ||
805 | if (!ab) | 805 | if (!ab) |
806 | return; | 806 | return; |
807 | spin_lock_irqsave(&audit_txlist_lock, flags); | 807 | spin_lock_irqsave(&audit_txlist_lock, flags); |
808 | list_add_tail(&ab->list, &audit_txlist); | 808 | list_add_tail(&ab->list, &audit_txlist); |
809 | spin_unlock_irqrestore(&audit_txlist_lock, flags); | 809 | spin_unlock_irqrestore(&audit_txlist_lock, flags); |
810 | 810 | ||
811 | tasklet_schedule(&audit_tasklet); | 811 | tasklet_schedule(&audit_tasklet); |
812 | } | 812 | } |
813 | 813 | ||
814 | /* Send the message in the audit buffer directly to user space. May not | 814 | /* Send the message in the audit buffer directly to user space. May not |
815 | * be called in an irq context. */ | 815 | * be called in an irq context. */ |
816 | static void audit_log_end_fast(struct audit_buffer *ab) | 816 | static void audit_log_end_fast(struct audit_buffer *ab) |
817 | { | 817 | { |
818 | unsigned long flags; | 818 | unsigned long flags; |
819 | 819 | ||
820 | BUG_ON(in_irq()); | 820 | BUG_ON(in_irq()); |
821 | if (!ab) | 821 | if (!ab) |
822 | return; | 822 | return; |
823 | if (!audit_rate_check()) { | 823 | if (!audit_rate_check()) { |
824 | audit_log_lost("rate limit exceeded"); | 824 | audit_log_lost("rate limit exceeded"); |
825 | } else { | 825 | } else { |
826 | audit_log_move(ab); | 826 | audit_log_move(ab); |
827 | if (audit_log_drain(ab)) | 827 | if (audit_log_drain(ab)) |
828 | return; | 828 | return; |
829 | } | 829 | } |
830 | 830 | ||
831 | atomic_dec(&audit_backlog); | 831 | atomic_dec(&audit_backlog); |
832 | spin_lock_irqsave(&audit_freelist_lock, flags); | 832 | spin_lock_irqsave(&audit_freelist_lock, flags); |
833 | if (++audit_freelist_count > AUDIT_MAXFREE) | 833 | if (++audit_freelist_count > AUDIT_MAXFREE) |
834 | kfree(ab); | 834 | kfree(ab); |
835 | else | 835 | else |
836 | list_add(&ab->list, &audit_freelist); | 836 | list_add(&ab->list, &audit_freelist); |
837 | spin_unlock_irqrestore(&audit_freelist_lock, flags); | 837 | spin_unlock_irqrestore(&audit_freelist_lock, flags); |
838 | } | 838 | } |
839 | 839 | ||
840 | /* Send or queue the message in the audit buffer, depending on the | 840 | /* Send or queue the message in the audit buffer, depending on the |
841 | * current context. (A convenience function that may be called in any | 841 | * current context. (A convenience function that may be called in any |
842 | * context.) */ | 842 | * context.) */ |
843 | void audit_log_end(struct audit_buffer *ab) | 843 | void audit_log_end(struct audit_buffer *ab) |
844 | { | 844 | { |
845 | if (in_irq()) | 845 | if (in_irq()) |
846 | audit_log_end_irq(ab); | 846 | audit_log_end_irq(ab); |
847 | else | 847 | else |
848 | audit_log_end_fast(ab); | 848 | audit_log_end_fast(ab); |
849 | } | 849 | } |
850 | 850 | ||
851 | /* Log an audit record. This is a convenience function that calls | 851 | /* Log an audit record. This is a convenience function that calls |
852 | * audit_log_start, audit_log_vformat, and audit_log_end. It may be | 852 | * audit_log_start, audit_log_vformat, and audit_log_end. It may be |
853 | * called in any context. */ | 853 | * called in any context. */ |
854 | void audit_log(struct audit_context *ctx, const char *fmt, ...) | 854 | void audit_log(struct audit_context *ctx, const char *fmt, ...) |
855 | { | 855 | { |
856 | struct audit_buffer *ab; | 856 | struct audit_buffer *ab; |
857 | va_list args; | 857 | va_list args; |
858 | 858 | ||
859 | ab = audit_log_start(ctx); | 859 | ab = audit_log_start(ctx); |
860 | if (ab) { | 860 | if (ab) { |
861 | va_start(args, fmt); | 861 | va_start(args, fmt); |
862 | audit_log_vformat(ab, fmt, args); | 862 | audit_log_vformat(ab, fmt, args); |
863 | va_end(args); | 863 | va_end(args); |
864 | audit_log_end(ab); | 864 | audit_log_end(ab); |
865 | } | 865 | } |
866 | } | 866 | } |
867 | 867 |