1 /* auditsc.c -- System-call auditing support 2 * Handles all system-call specific auditing features. 3 * 4 * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina. 5 * All Rights Reserved. 6 * 7 * This program is free software; you can redistribute it and/or modify 8 * it under the terms of the GNU General Public License as published by 9 * the Free Software Foundation; either version 2 of the License, or 10 * (at your option) any later version. 11 * 12 * This program is distributed in the hope that it will be useful, 13 * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 * GNU General Public License for more details. 16 * 17 * You should have received a copy of the GNU General Public License 18 * along with this program; if not, write to the Free Software 19 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 20 * 21 * Written by Rickard E. (Rik) Faith <faith@redhat.com> 22 * 23 * Many of the ideas implemented here are from Stephen C. Tweedie, 24 * especially the idea of avoiding a copy by using getname. 25 * 26 * The method for actual interception of syscall entry and exit (not in 27 * this file -- see entry.S) is based on a GPL'd patch written by 28 * okir@suse.de and Copyright 2003 SuSE Linux AG. 29 * 30 */ 31 32 #include <linux/init.h> 33 #include <asm/atomic.h> 34 #include <asm/types.h> 35 #include <linux/mm.h> 36 #include <linux/module.h> 37 #include <linux/mount.h> 38 #include <linux/socket.h> 39 #include <linux/audit.h> 40 #include <linux/personality.h> 41 #include <linux/time.h> 42 #include <linux/kthread.h> 43 #include <linux/netlink.h> 44 #include <linux/compiler.h> 45 #include <asm/unistd.h> 46 47 /* 0 = no checking 48 1 = put_count checking 49 2 = verbose put_count checking 50 */ 51 #define AUDIT_DEBUG 0 52 53 /* No syscall auditing will take place unless audit_enabled != 0. */ 54 extern int audit_enabled; 55 56 /* AUDIT_NAMES is the number of slots we reserve in the audit_context 57 * for saving names from getname(). */ 58 #define AUDIT_NAMES 20 59 60 /* AUDIT_NAMES_RESERVED is the number of slots we reserve in the 61 * audit_context from being used for nameless inodes from 62 * path_lookup. */ 63 #define AUDIT_NAMES_RESERVED 7 64 65 /* At task start time, the audit_state is set in the audit_context using 66 a per-task filter. At syscall entry, the audit_state is augmented by 67 the syscall filter. */ 68 enum audit_state { 69 AUDIT_DISABLED, /* Do not create per-task audit_context. 70 * No syscall-specific audit records can 71 * be generated. */ 72 AUDIT_SETUP_CONTEXT, /* Create the per-task audit_context, 73 * but don't necessarily fill it in at 74 * syscall entry time (i.e., filter 75 * instead). */ 76 AUDIT_BUILD_CONTEXT, /* Create the per-task audit_context, 77 * and always fill it in at syscall 78 * entry time. This makes a full 79 * syscall record available if some 80 * other part of the kernel decides it 81 * should be recorded. */ 82 AUDIT_RECORD_CONTEXT /* Create the per-task audit_context, 83 * always fill it in at syscall entry 84 * time, and always write out the audit 85 * record at syscall exit time. */ 86 }; 87 88 /* When fs/namei.c:getname() is called, we store the pointer in name and 89 * we don't let putname() free it (instead we free all of the saved 90 * pointers at syscall exit time). 91 * 92 * Further, in fs/namei.c:path_lookup() we store the inode and device. */ 93 struct audit_names { 94 const char *name; 95 unsigned long ino; 96 dev_t dev; 97 umode_t mode; 98 uid_t uid; 99 gid_t gid; 100 dev_t rdev; 101 unsigned flags; 102 }; 103 104 struct audit_aux_data { 105 struct audit_aux_data *next; 106 int type; 107 }; 108 109 #define AUDIT_AUX_IPCPERM 0 110 111 struct audit_aux_data_ipcctl { 112 struct audit_aux_data d; 113 struct ipc_perm p; 114 unsigned long qbytes; 115 uid_t uid; 116 gid_t gid; 117 mode_t mode; 118 }; 119 120 struct audit_aux_data_socketcall { 121 struct audit_aux_data d; 122 int nargs; 123 unsigned long args[0]; 124 }; 125 126 struct audit_aux_data_sockaddr { 127 struct audit_aux_data d; 128 int len; 129 char a[0]; 130 }; 131 132 struct audit_aux_data_path { 133 struct audit_aux_data d; 134 struct dentry *dentry; 135 struct vfsmount *mnt; 136 }; 137 138 /* The per-task audit context. */ 139 struct audit_context { 140 int in_syscall; /* 1 if task is in a syscall */ 141 enum audit_state state; 142 unsigned int serial; /* serial number for record */ 143 struct timespec ctime; /* time of syscall entry */ 144 uid_t loginuid; /* login uid (identity) */ 145 int major; /* syscall number */ 146 unsigned long argv[4]; /* syscall arguments */ 147 int return_valid; /* return code is valid */ 148 long return_code;/* syscall return code */ 149 int auditable; /* 1 if record should be written */ 150 int name_count; 151 struct audit_names names[AUDIT_NAMES]; 152 struct dentry * pwd; 153 struct vfsmount * pwdmnt; 154 struct audit_context *previous; /* For nested syscalls */ 155 struct audit_aux_data *aux; 156 157 /* Save things to print about task_struct */ 158 pid_t pid; 159 uid_t uid, euid, suid, fsuid; 160 gid_t gid, egid, sgid, fsgid; 161 unsigned long personality; 162 int arch; 163 164 #if AUDIT_DEBUG 165 int put_count; 166 int ino_count; 167 #endif 168 }; 169 170 /* Public API */ 171 /* There are three lists of rules -- one to search at task creation 172 * time, one to search at syscall entry time, and another to search at 173 * syscall exit time. */ 174 static struct list_head audit_filter_list[AUDIT_NR_FILTERS] = { 175 LIST_HEAD_INIT(audit_filter_list[0]), 176 LIST_HEAD_INIT(audit_filter_list[1]), 177 LIST_HEAD_INIT(audit_filter_list[2]), 178 LIST_HEAD_INIT(audit_filter_list[3]), 179 LIST_HEAD_INIT(audit_filter_list[4]), 180 #if AUDIT_NR_FILTERS != 5 181 #error Fix audit_filter_list initialiser 182 #endif 183 }; 184 185 struct audit_entry { 186 struct list_head list; 187 struct rcu_head rcu; 188 struct audit_rule rule; 189 }; 190 191 extern int audit_pid; 192 193 /* Copy rule from user-space to kernel-space. Called from 194 * audit_add_rule during AUDIT_ADD. */ 195 static inline int audit_copy_rule(struct audit_rule *d, struct audit_rule *s) 196 { 197 int i; 198 199 if (s->action != AUDIT_NEVER 200 && s->action != AUDIT_POSSIBLE 201 && s->action != AUDIT_ALWAYS) 202 return -1; 203 if (s->field_count < 0 || s->field_count > AUDIT_MAX_FIELDS) 204 return -1; 205 if ((s->flags & ~AUDIT_FILTER_PREPEND) >= AUDIT_NR_FILTERS) 206 return -1; 207 208 d->flags = s->flags; 209 d->action = s->action; 210 d->field_count = s->field_count; 211 for (i = 0; i < d->field_count; i++) { 212 d->fields[i] = s->fields[i]; 213 d->values[i] = s->values[i]; 214 } 215 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) d->mask[i] = s->mask[i]; 216 return 0; 217 } 218 219 /* Check to see if two rules are identical. It is called from 220 * audit_add_rule during AUDIT_ADD and 221 * audit_del_rule during AUDIT_DEL. */ 222 static inline int audit_compare_rule(struct audit_rule *a, struct audit_rule *b) 223 { 224 int i; 225 226 if (a->flags != b->flags) 227 return 1; 228 229 if (a->action != b->action) 230 return 1; 231 232 if (a->field_count != b->field_count) 233 return 1; 234 235 for (i = 0; i < a->field_count; i++) { 236 if (a->fields[i] != b->fields[i] 237 || a->values[i] != b->values[i]) 238 return 1; 239 } 240 241 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 242 if (a->mask[i] != b->mask[i]) 243 return 1; 244 245 return 0; 246 } 247 248 /* Note that audit_add_rule and audit_del_rule are called via 249 * audit_receive() in audit.c, and are protected by 250 * audit_netlink_sem. */ 251 static inline int audit_add_rule(struct audit_rule *rule, 252 struct list_head *list) 253 { 254 struct audit_entry *entry; 255 256 /* Do not use the _rcu iterator here, since this is the only 257 * addition routine. */ 258 list_for_each_entry(entry, list, list) { 259 if (!audit_compare_rule(rule, &entry->rule)) { 260 return -EEXIST; 261 } 262 } 263 264 if (!(entry = kmalloc(sizeof(*entry), GFP_KERNEL))) 265 return -ENOMEM; 266 if (audit_copy_rule(&entry->rule, rule)) { 267 kfree(entry); 268 return -EINVAL; 269 } 270 271 if (entry->rule.flags & AUDIT_FILTER_PREPEND) { 272 entry->rule.flags &= ~AUDIT_FILTER_PREPEND; 273 list_add_rcu(&entry->list, list); 274 } else { 275 list_add_tail_rcu(&entry->list, list); 276 } 277 278 return 0; 279 } 280 281 static inline void audit_free_rule(struct rcu_head *head) 282 { 283 struct audit_entry *e = container_of(head, struct audit_entry, rcu); 284 kfree(e); 285 } 286 287 /* Note that audit_add_rule and audit_del_rule are called via 288 * audit_receive() in audit.c, and are protected by 289 * audit_netlink_sem. */ 290 static inline int audit_del_rule(struct audit_rule *rule, 291 struct list_head *list) 292 { 293 struct audit_entry *e; 294 295 /* Do not use the _rcu iterator here, since this is the only 296 * deletion routine. */ 297 list_for_each_entry(e, list, list) { 298 if (!audit_compare_rule(rule, &e->rule)) { 299 list_del_rcu(&e->list); 300 call_rcu(&e->rcu, audit_free_rule); 301 return 0; 302 } 303 } 304 return -ENOENT; /* No matching rule */ 305 } 306 307 static int audit_list_rules(void *_dest) 308 { 309 int pid, seq; 310 int *dest = _dest; 311 struct audit_entry *entry; 312 int i; 313 314 pid = dest[0]; 315 seq = dest[1]; 316 kfree(dest); 317 318 down(&audit_netlink_sem); 319 320 /* The *_rcu iterators not needed here because we are 321 always called with audit_netlink_sem held. */ 322 for (i=0; i<AUDIT_NR_FILTERS; i++) { 323 list_for_each_entry(entry, &audit_filter_list[i], list) 324 audit_send_reply(pid, seq, AUDIT_LIST, 0, 1, 325 &entry->rule, sizeof(entry->rule)); 326 } 327 audit_send_reply(pid, seq, AUDIT_LIST, 1, 1, NULL, 0); 328 329 up(&audit_netlink_sem); 330 return 0; 331 } 332 333 int audit_receive_filter(int type, int pid, int uid, int seq, void *data, 334 uid_t loginuid) 335 { 336 struct task_struct *tsk; 337 int *dest; 338 int err = 0; 339 unsigned listnr; 340 341 switch (type) { 342 case AUDIT_LIST: 343 /* We can't just spew out the rules here because we might fill 344 * the available socket buffer space and deadlock waiting for 345 * auditctl to read from it... which isn't ever going to 346 * happen if we're actually running in the context of auditctl 347 * trying to _send_ the stuff */ 348 349 dest = kmalloc(2 * sizeof(int), GFP_KERNEL); 350 if (!dest) 351 return -ENOMEM; 352 dest[0] = pid; 353 dest[1] = seq; 354 355 tsk = kthread_run(audit_list_rules, dest, "audit_list_rules"); 356 if (IS_ERR(tsk)) { 357 kfree(dest); 358 err = PTR_ERR(tsk); 359 } 360 break; 361 case AUDIT_ADD: 362 listnr =((struct audit_rule *)data)->flags & ~AUDIT_FILTER_PREPEND; 363 if (listnr >= AUDIT_NR_FILTERS) 364 return -EINVAL; 365 366 err = audit_add_rule(data, &audit_filter_list[listnr]); 367 if (!err) 368 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, 369 "auid=%u added an audit rule\n", loginuid); 370 break; 371 case AUDIT_DEL: 372 listnr =((struct audit_rule *)data)->flags & ~AUDIT_FILTER_PREPEND; 373 if (listnr >= AUDIT_NR_FILTERS) 374 return -EINVAL; 375 376 err = audit_del_rule(data, &audit_filter_list[listnr]); 377 if (!err) 378 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, 379 "auid=%u removed an audit rule\n", loginuid); 380 break; 381 default: 382 return -EINVAL; 383 } 384 385 return err; 386 } 387 388 /* Compare a task_struct with an audit_rule. Return 1 on match, 0 389 * otherwise. */ 390 static int audit_filter_rules(struct task_struct *tsk, 391 struct audit_rule *rule, 392 struct audit_context *ctx, 393 enum audit_state *state) 394 { 395 int i, j; 396 397 for (i = 0; i < rule->field_count; i++) { 398 u32 field = rule->fields[i] & ~AUDIT_NEGATE; 399 u32 value = rule->values[i]; 400 int result = 0; 401 402 switch (field) { 403 case AUDIT_PID: 404 result = (tsk->pid == value); 405 break; 406 case AUDIT_UID: 407 result = (tsk->uid == value); 408 break; 409 case AUDIT_EUID: 410 result = (tsk->euid == value); 411 break; 412 case AUDIT_SUID: 413 result = (tsk->suid == value); 414 break; 415 case AUDIT_FSUID: 416 result = (tsk->fsuid == value); 417 break; 418 case AUDIT_GID: 419 result = (tsk->gid == value); 420 break; 421 case AUDIT_EGID: 422 result = (tsk->egid == value); 423 break; 424 case AUDIT_SGID: 425 result = (tsk->sgid == value); 426 break; 427 case AUDIT_FSGID: 428 result = (tsk->fsgid == value); 429 break; 430 case AUDIT_PERS: 431 result = (tsk->personality == value); 432 break; 433 case AUDIT_ARCH: 434 if (ctx) 435 result = (ctx->arch == value); 436 break; 437 438 case AUDIT_EXIT: 439 if (ctx && ctx->return_valid) 440 result = (ctx->return_code == value); 441 break; 442 case AUDIT_SUCCESS: 443 if (ctx && ctx->return_valid) { 444 if (value) 445 result = (ctx->return_valid == AUDITSC_SUCCESS); 446 else 447 result = (ctx->return_valid == AUDITSC_FAILURE); 448 } 449 break; 450 case AUDIT_DEVMAJOR: 451 if (ctx) { 452 for (j = 0; j < ctx->name_count; j++) { 453 if (MAJOR(ctx->names[j].dev)==value) { 454 ++result; 455 break; 456 } 457 } 458 } 459 break; 460 case AUDIT_DEVMINOR: 461 if (ctx) { 462 for (j = 0; j < ctx->name_count; j++) { 463 if (MINOR(ctx->names[j].dev)==value) { 464 ++result; 465 break; 466 } 467 } 468 } 469 break; 470 case AUDIT_INODE: 471 if (ctx) { 472 for (j = 0; j < ctx->name_count; j++) { 473 if (ctx->names[j].ino == value) { 474 ++result; 475 break; 476 } 477 } 478 } 479 break; 480 case AUDIT_LOGINUID: 481 result = 0; 482 if (ctx) 483 result = (ctx->loginuid == value); 484 break; 485 case AUDIT_ARG0: 486 case AUDIT_ARG1: 487 case AUDIT_ARG2: 488 case AUDIT_ARG3: 489 if (ctx) 490 result = (ctx->argv[field-AUDIT_ARG0]==value); 491 break; 492 } 493 494 if (rule->fields[i] & AUDIT_NEGATE) 495 result = !result; 496 if (!result) 497 return 0; 498 } 499 switch (rule->action) { 500 case AUDIT_NEVER: *state = AUDIT_DISABLED; break; 501 case AUDIT_POSSIBLE: *state = AUDIT_BUILD_CONTEXT; break; 502 case AUDIT_ALWAYS: *state = AUDIT_RECORD_CONTEXT; break; 503 } 504 return 1; 505 } 506 507 /* At process creation time, we can determine if system-call auditing is 508 * completely disabled for this task. Since we only have the task 509 * structure at this point, we can only check uid and gid. 510 */ 511 static enum audit_state audit_filter_task(struct task_struct *tsk) 512 { 513 struct audit_entry *e; 514 enum audit_state state; 515 516 rcu_read_lock(); 517 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TASK], list) { 518 if (audit_filter_rules(tsk, &e->rule, NULL, &state)) { 519 rcu_read_unlock(); 520 return state; 521 } 522 } 523 rcu_read_unlock(); 524 return AUDIT_BUILD_CONTEXT; 525 } 526 527 /* At syscall entry and exit time, this filter is called if the 528 * audit_state is not low enough that auditing cannot take place, but is 529 * also not high enough that we already know we have to write an audit 530 * record (i.e., the state is AUDIT_SETUP_CONTEXT or AUDIT_BUILD_CONTEXT). 531 */ 532 static enum audit_state audit_filter_syscall(struct task_struct *tsk, 533 struct audit_context *ctx, 534 struct list_head *list) 535 { 536 struct audit_entry *e; 537 enum audit_state state; 538 539 if (audit_pid && tsk->tgid == audit_pid) 540 return AUDIT_DISABLED; 541 542 rcu_read_lock(); 543 if (!list_empty(list)) { 544 int word = AUDIT_WORD(ctx->major); 545 int bit = AUDIT_BIT(ctx->major); 546 547 list_for_each_entry_rcu(e, list, list) { 548 if ((e->rule.mask[word] & bit) == bit 549 && audit_filter_rules(tsk, &e->rule, ctx, &state)) { 550 rcu_read_unlock(); 551 return state; 552 } 553 } 554 } 555 rcu_read_unlock(); 556 return AUDIT_BUILD_CONTEXT; 557 } 558 559 static int audit_filter_user_rules(struct netlink_skb_parms *cb, 560 struct audit_rule *rule, 561 enum audit_state *state) 562 { 563 int i; 564 565 for (i = 0; i < rule->field_count; i++) { 566 u32 field = rule->fields[i] & ~AUDIT_NEGATE; 567 u32 value = rule->values[i]; 568 int result = 0; 569 570 switch (field) { 571 case AUDIT_PID: 572 result = (cb->creds.pid == value); 573 break; 574 case AUDIT_UID: 575 result = (cb->creds.uid == value); 576 break; 577 case AUDIT_GID: 578 result = (cb->creds.gid == value); 579 break; 580 case AUDIT_LOGINUID: 581 result = (cb->loginuid == value); 582 break; 583 } 584 585 if (rule->fields[i] & AUDIT_NEGATE) 586 result = !result; 587 if (!result) 588 return 0; 589 } 590 switch (rule->action) { 591 case AUDIT_NEVER: *state = AUDIT_DISABLED; break; 592 case AUDIT_POSSIBLE: *state = AUDIT_BUILD_CONTEXT; break; 593 case AUDIT_ALWAYS: *state = AUDIT_RECORD_CONTEXT; break; 594 } 595 return 1; 596 } 597 598 int audit_filter_user(struct netlink_skb_parms *cb, int type) 599 { 600 struct audit_entry *e; 601 enum audit_state state; 602 int ret = 1; 603 604 rcu_read_lock(); 605 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) { 606 if (audit_filter_user_rules(cb, &e->rule, &state)) { 607 if (state == AUDIT_DISABLED) 608 ret = 0; 609 break; 610 } 611 } 612 rcu_read_unlock(); 613 614 return ret; /* Audit by default */ 615 } 616 617 /* This should be called with task_lock() held. */ 618 static inline struct audit_context *audit_get_context(struct task_struct *tsk, 619 int return_valid, 620 int return_code) 621 { 622 struct audit_context *context = tsk->audit_context; 623 624 if (likely(!context)) 625 return NULL; 626 context->return_valid = return_valid; 627 context->return_code = return_code; 628 629 if (context->in_syscall && !context->auditable) { 630 enum audit_state state; 631 state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_EXIT]); 632 if (state == AUDIT_RECORD_CONTEXT) 633 context->auditable = 1; 634 } 635 636 context->pid = tsk->pid; 637 context->uid = tsk->uid; 638 context->gid = tsk->gid; 639 context->euid = tsk->euid; 640 context->suid = tsk->suid; 641 context->fsuid = tsk->fsuid; 642 context->egid = tsk->egid; 643 context->sgid = tsk->sgid; 644 context->fsgid = tsk->fsgid; 645 context->personality = tsk->personality; 646 tsk->audit_context = NULL; 647 return context; 648 } 649 650 static inline void audit_free_names(struct audit_context *context) 651 { 652 int i; 653 654 #if AUDIT_DEBUG == 2 655 if (context->auditable 656 ||context->put_count + context->ino_count != context->name_count) { 657 printk(KERN_ERR "audit.c:%d(:%d): major=%d in_syscall=%d" 658 " name_count=%d put_count=%d" 659 " ino_count=%d [NOT freeing]\n", 660 __LINE__, 661 context->serial, context->major, context->in_syscall, 662 context->name_count, context->put_count, 663 context->ino_count); 664 for (i = 0; i < context->name_count; i++) 665 printk(KERN_ERR "names[%d] = %p = %s\n", i, 666 context->names[i].name, 667 context->names[i].name); 668 dump_stack(); 669 return; 670 } 671 #endif 672 #if AUDIT_DEBUG 673 context->put_count = 0; 674 context->ino_count = 0; 675 #endif 676 677 for (i = 0; i < context->name_count; i++) 678 if (context->names[i].name) 679 __putname(context->names[i].name); 680 context->name_count = 0; 681 if (context->pwd) 682 dput(context->pwd); 683 if (context->pwdmnt) 684 mntput(context->pwdmnt); 685 context->pwd = NULL; 686 context->pwdmnt = NULL; 687 } 688 689 static inline void audit_free_aux(struct audit_context *context) 690 { 691 struct audit_aux_data *aux; 692 693 while ((aux = context->aux)) { 694 if (aux->type == AUDIT_AVC_PATH) { 695 struct audit_aux_data_path *axi = (void *)aux; 696 dput(axi->dentry); 697 mntput(axi->mnt); 698 } 699 context->aux = aux->next; 700 kfree(aux); 701 } 702 } 703 704 static inline void audit_zero_context(struct audit_context *context, 705 enum audit_state state) 706 { 707 uid_t loginuid = context->loginuid; 708 709 memset(context, 0, sizeof(*context)); 710 context->state = state; 711 context->loginuid = loginuid; 712 } 713 714 static inline struct audit_context *audit_alloc_context(enum audit_state state) 715 { 716 struct audit_context *context; 717 718 if (!(context = kmalloc(sizeof(*context), GFP_KERNEL))) 719 return NULL; 720 audit_zero_context(context, state); 721 return context; 722 } 723 724 /* Filter on the task information and allocate a per-task audit context 725 * if necessary. Doing so turns on system call auditing for the 726 * specified task. This is called from copy_process, so no lock is 727 * needed. */ 728 int audit_alloc(struct task_struct *tsk) 729 { 730 struct audit_context *context; 731 enum audit_state state; 732 733 if (likely(!audit_enabled)) 734 return 0; /* Return if not auditing. */ 735 736 state = audit_filter_task(tsk); 737 if (likely(state == AUDIT_DISABLED)) 738 return 0; 739 740 if (!(context = audit_alloc_context(state))) { 741 audit_log_lost("out of memory in audit_alloc"); 742 return -ENOMEM; 743 } 744 745 /* Preserve login uid */ 746 context->loginuid = -1; 747 if (current->audit_context) 748 context->loginuid = current->audit_context->loginuid; 749 750 tsk->audit_context = context; 751 set_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT); 752 return 0; 753 } 754 755 static inline void audit_free_context(struct audit_context *context) 756 { 757 struct audit_context *previous; 758 int count = 0; 759 760 do { 761 previous = context->previous; 762 if (previous || (count && count < 10)) { 763 ++count; 764 printk(KERN_ERR "audit(:%d): major=%d name_count=%d:" 765 " freeing multiple contexts (%d)\n", 766 context->serial, context->major, 767 context->name_count, count); 768 } 769 audit_free_names(context); 770 audit_free_aux(context); 771 kfree(context); 772 context = previous; 773 } while (context); 774 if (count >= 10) 775 printk(KERN_ERR "audit: freed %d contexts\n", count); 776 } 777 778 static void audit_log_task_info(struct audit_buffer *ab) 779 { 780 char name[sizeof(current->comm)]; 781 struct mm_struct *mm = current->mm; 782 struct vm_area_struct *vma; 783 784 get_task_comm(name, current); 785 audit_log_format(ab, " comm="); 786 audit_log_untrustedstring(ab, name); 787 788 if (!mm) 789 return; 790 791 down_read(&mm->mmap_sem); 792 vma = mm->mmap; 793 while (vma) { 794 if ((vma->vm_flags & VM_EXECUTABLE) && 795 vma->vm_file) { 796 audit_log_d_path(ab, "exe=", 797 vma->vm_file->f_dentry, 798 vma->vm_file->f_vfsmnt); 799 break; 800 } 801 vma = vma->vm_next; 802 } 803 up_read(&mm->mmap_sem); 804 } 805 806 static void audit_log_exit(struct audit_context *context, gfp_t gfp_mask) 807 { 808 int i; 809 struct audit_buffer *ab; 810 struct audit_aux_data *aux; 811 812 ab = audit_log_start(context, gfp_mask, AUDIT_SYSCALL); 813 if (!ab) 814 return; /* audit_panic has been called */ 815 audit_log_format(ab, "arch=%x syscall=%d", 816 context->arch, context->major); 817 if (context->personality != PER_LINUX) 818 audit_log_format(ab, " per=%lx", context->personality); 819 if (context->return_valid) 820 audit_log_format(ab, " success=%s exit=%ld", 821 (context->return_valid==AUDITSC_SUCCESS)?"yes":"no", 822 context->return_code); 823 audit_log_format(ab, 824 " a0=%lx a1=%lx a2=%lx a3=%lx items=%d" 825 " pid=%d auid=%u uid=%u gid=%u" 826 " euid=%u suid=%u fsuid=%u" 827 " egid=%u sgid=%u fsgid=%u", 828 context->argv[0], 829 context->argv[1], 830 context->argv[2], 831 context->argv[3], 832 context->name_count, 833 context->pid, 834 context->loginuid, 835 context->uid, 836 context->gid, 837 context->euid, context->suid, context->fsuid, 838 context->egid, context->sgid, context->fsgid); 839 audit_log_task_info(ab); 840 audit_log_end(ab); 841 842 for (aux = context->aux; aux; aux = aux->next) { 843 844 ab = audit_log_start(context, GFP_KERNEL, aux->type); 845 if (!ab) 846 continue; /* audit_panic has been called */ 847 848 switch (aux->type) { 849 case AUDIT_IPC: { 850 struct audit_aux_data_ipcctl *axi = (void *)aux; 851 audit_log_format(ab, 852 " qbytes=%lx iuid=%u igid=%u mode=%x", 853 axi->qbytes, axi->uid, axi->gid, axi->mode); 854 break; } 855 856 case AUDIT_SOCKETCALL: { 857 int i; 858 struct audit_aux_data_socketcall *axs = (void *)aux; 859 audit_log_format(ab, "nargs=%d", axs->nargs); 860 for (i=0; i<axs->nargs; i++) 861 audit_log_format(ab, " a%d=%lx", i, axs->args[i]); 862 break; } 863 864 case AUDIT_SOCKADDR: { 865 struct audit_aux_data_sockaddr *axs = (void *)aux; 866 867 audit_log_format(ab, "saddr="); 868 audit_log_hex(ab, axs->a, axs->len); 869 break; } 870 871 case AUDIT_AVC_PATH: { 872 struct audit_aux_data_path *axi = (void *)aux; 873 audit_log_d_path(ab, "path=", axi->dentry, axi->mnt); 874 break; } 875 876 } 877 audit_log_end(ab); 878 } 879 880 if (context->pwd && context->pwdmnt) { 881 ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD); 882 if (ab) { 883 audit_log_d_path(ab, "cwd=", context->pwd, context->pwdmnt); 884 audit_log_end(ab); 885 } 886 } 887 for (i = 0; i < context->name_count; i++) { 888 ab = audit_log_start(context, GFP_KERNEL, AUDIT_PATH); 889 if (!ab) 890 continue; /* audit_panic has been called */ 891 892 audit_log_format(ab, "item=%d", i); 893 if (context->names[i].name) { 894 audit_log_format(ab, " name="); 895 audit_log_untrustedstring(ab, context->names[i].name); 896 } 897 audit_log_format(ab, " flags=%x\n", context->names[i].flags); 898 899 if (context->names[i].ino != (unsigned long)-1) 900 audit_log_format(ab, " inode=%lu dev=%02x:%02x mode=%#o" 901 " ouid=%u ogid=%u rdev=%02x:%02x", 902 context->names[i].ino, 903 MAJOR(context->names[i].dev), 904 MINOR(context->names[i].dev), 905 context->names[i].mode, 906 context->names[i].uid, 907 context->names[i].gid, 908 MAJOR(context->names[i].rdev), 909 MINOR(context->names[i].rdev)); 910 audit_log_end(ab); 911 } 912 } 913 914 /* Free a per-task audit context. Called from copy_process and 915 * __put_task_struct. */ 916 void audit_free(struct task_struct *tsk) 917 { 918 struct audit_context *context; 919 920 task_lock(tsk); 921 context = audit_get_context(tsk, 0, 0); 922 task_unlock(tsk); 923 924 if (likely(!context)) 925 return; 926 927 /* Check for system calls that do not go through the exit 928 * function (e.g., exit_group), then free context block. 929 * We use GFP_ATOMIC here because we might be doing this 930 * in the context of the idle thread */ 931 if (context->in_syscall && context->auditable) 932 audit_log_exit(context, GFP_ATOMIC); 933 934 audit_free_context(context); 935 } 936 937 /* Fill in audit context at syscall entry. This only happens if the 938 * audit context was created when the task was created and the state or 939 * filters demand the audit context be built. If the state from the 940 * per-task filter or from the per-syscall filter is AUDIT_RECORD_CONTEXT, 941 * then the record will be written at syscall exit time (otherwise, it 942 * will only be written if another part of the kernel requests that it 943 * be written). */ 944 void audit_syscall_entry(struct task_struct *tsk, int arch, int major, 945 unsigned long a1, unsigned long a2, 946 unsigned long a3, unsigned long a4) 947 { 948 struct audit_context *context = tsk->audit_context; 949 enum audit_state state; 950 951 BUG_ON(!context); 952 953 /* This happens only on certain architectures that make system 954 * calls in kernel_thread via the entry.S interface, instead of 955 * with direct calls. (If you are porting to a new 956 * architecture, hitting this condition can indicate that you 957 * got the _exit/_leave calls backward in entry.S.) 958 * 959 * i386 no 960 * x86_64 no 961 * ppc64 yes (see arch/ppc64/kernel/misc.S) 962 * 963 * This also happens with vm86 emulation in a non-nested manner 964 * (entries without exits), so this case must be caught. 965 */ 966 if (context->in_syscall) { 967 struct audit_context *newctx; 968 969 #if defined(__NR_vm86) && defined(__NR_vm86old) 970 /* vm86 mode should only be entered once */ 971 if (major == __NR_vm86 || major == __NR_vm86old) 972 return; 973 #endif 974 #if AUDIT_DEBUG 975 printk(KERN_ERR 976 "audit(:%d) pid=%d in syscall=%d;" 977 " entering syscall=%d\n", 978 context->serial, tsk->pid, context->major, major); 979 #endif 980 newctx = audit_alloc_context(context->state); 981 if (newctx) { 982 newctx->previous = context; 983 context = newctx; 984 tsk->audit_context = newctx; 985 } else { 986 /* If we can't alloc a new context, the best we 987 * can do is to leak memory (any pending putname 988 * will be lost). The only other alternative is 989 * to abandon auditing. */ 990 audit_zero_context(context, context->state); 991 } 992 } 993 BUG_ON(context->in_syscall || context->name_count); 994 995 if (!audit_enabled) 996 return; 997 998 context->arch = arch; 999 context->major = major; 1000 context->argv[0] = a1; 1001 context->argv[1] = a2; 1002 context->argv[2] = a3; 1003 context->argv[3] = a4; 1004 1005 state = context->state; 1006 if (state == AUDIT_SETUP_CONTEXT || state == AUDIT_BUILD_CONTEXT) 1007 state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_ENTRY]); 1008 if (likely(state == AUDIT_DISABLED)) 1009 return; 1010 1011 context->serial = 0; 1012 context->ctime = CURRENT_TIME; 1013 context->in_syscall = 1; 1014 context->auditable = !!(state == AUDIT_RECORD_CONTEXT); 1015 } 1016 1017 /* Tear down after system call. If the audit context has been marked as 1018 * auditable (either because of the AUDIT_RECORD_CONTEXT state from 1019 * filtering, or because some other part of the kernel write an audit 1020 * message), then write out the syscall information. In call cases, 1021 * free the names stored from getname(). */ 1022 void audit_syscall_exit(struct task_struct *tsk, int valid, long return_code) 1023 { 1024 struct audit_context *context; 1025 1026 get_task_struct(tsk); 1027 task_lock(tsk); 1028 context = audit_get_context(tsk, valid, return_code); 1029 task_unlock(tsk); 1030 1031 /* Not having a context here is ok, since the parent may have 1032 * called __put_task_struct. */ 1033 if (likely(!context)) 1034 goto out; 1035 1036 if (context->in_syscall && context->auditable) 1037 audit_log_exit(context, GFP_KERNEL); 1038 1039 context->in_syscall = 0; 1040 context->auditable = 0; 1041 1042 if (context->previous) { 1043 struct audit_context *new_context = context->previous; 1044 context->previous = NULL; 1045 audit_free_context(context); 1046 tsk->audit_context = new_context; 1047 } else { 1048 audit_free_names(context); 1049 audit_free_aux(context); 1050 tsk->audit_context = context; 1051 } 1052 out: 1053 put_task_struct(tsk); 1054 } 1055 1056 /* Add a name to the list. Called from fs/namei.c:getname(). */ 1057 void audit_getname(const char *name) 1058 { 1059 struct audit_context *context = current->audit_context; 1060 1061 if (!context || IS_ERR(name) || !name) 1062 return; 1063 1064 if (!context->in_syscall) { 1065 #if AUDIT_DEBUG == 2 1066 printk(KERN_ERR "%s:%d(:%d): ignoring getname(%p)\n", 1067 __FILE__, __LINE__, context->serial, name); 1068 dump_stack(); 1069 #endif 1070 return; 1071 } 1072 BUG_ON(context->name_count >= AUDIT_NAMES); 1073 context->names[context->name_count].name = name; 1074 context->names[context->name_count].ino = (unsigned long)-1; 1075 ++context->name_count; 1076 if (!context->pwd) { 1077 read_lock(¤t->fs->lock); 1078 context->pwd = dget(current->fs->pwd); 1079 context->pwdmnt = mntget(current->fs->pwdmnt); 1080 read_unlock(¤t->fs->lock); 1081 } 1082 1083 } 1084 1085 /* Intercept a putname request. Called from 1086 * include/linux/fs.h:putname(). If we have stored the name from 1087 * getname in the audit context, then we delay the putname until syscall 1088 * exit. */ 1089 void audit_putname(const char *name) 1090 { 1091 struct audit_context *context = current->audit_context; 1092 1093 BUG_ON(!context); 1094 if (!context->in_syscall) { 1095 #if AUDIT_DEBUG == 2 1096 printk(KERN_ERR "%s:%d(:%d): __putname(%p)\n", 1097 __FILE__, __LINE__, context->serial, name); 1098 if (context->name_count) { 1099 int i; 1100 for (i = 0; i < context->name_count; i++) 1101 printk(KERN_ERR "name[%d] = %p = %s\n", i, 1102 context->names[i].name, 1103 context->names[i].name); 1104 } 1105 #endif 1106 __putname(name); 1107 } 1108 #if AUDIT_DEBUG 1109 else { 1110 ++context->put_count; 1111 if (context->put_count > context->name_count) { 1112 printk(KERN_ERR "%s:%d(:%d): major=%d" 1113 " in_syscall=%d putname(%p) name_count=%d" 1114 " put_count=%d\n", 1115 __FILE__, __LINE__, 1116 context->serial, context->major, 1117 context->in_syscall, name, context->name_count, 1118 context->put_count); 1119 dump_stack(); 1120 } 1121 } 1122 #endif 1123 } 1124 1125 /* Store the inode and device from a lookup. Called from 1126 * fs/namei.c:path_lookup(). */ 1127 void audit_inode(const char *name, const struct inode *inode, unsigned flags) 1128 { 1129 int idx; 1130 struct audit_context *context = current->audit_context; 1131 1132 if (!context->in_syscall) 1133 return; 1134 if (context->name_count 1135 && context->names[context->name_count-1].name 1136 && context->names[context->name_count-1].name == name) 1137 idx = context->name_count - 1; 1138 else if (context->name_count > 1 1139 && context->names[context->name_count-2].name 1140 && context->names[context->name_count-2].name == name) 1141 idx = context->name_count - 2; 1142 else { 1143 /* FIXME: how much do we care about inodes that have no 1144 * associated name? */ 1145 if (context->name_count >= AUDIT_NAMES - AUDIT_NAMES_RESERVED) 1146 return; 1147 idx = context->name_count++; 1148 context->names[idx].name = NULL; 1149 #if AUDIT_DEBUG 1150 ++context->ino_count; 1151 #endif 1152 } 1153 context->names[idx].flags = flags; 1154 context->names[idx].ino = inode->i_ino; 1155 context->names[idx].dev = inode->i_sb->s_dev; 1156 context->names[idx].mode = inode->i_mode; 1157 context->names[idx].uid = inode->i_uid; 1158 context->names[idx].gid = inode->i_gid; 1159 context->names[idx].rdev = inode->i_rdev; 1160 } 1161 1162 void auditsc_get_stamp(struct audit_context *ctx, 1163 struct timespec *t, unsigned int *serial) 1164 { 1165 if (!ctx->serial) 1166 ctx->serial = audit_serial(); 1167 t->tv_sec = ctx->ctime.tv_sec; 1168 t->tv_nsec = ctx->ctime.tv_nsec; 1169 *serial = ctx->serial; 1170 ctx->auditable = 1; 1171 } 1172 1173 int audit_set_loginuid(struct task_struct *task, uid_t loginuid) 1174 { 1175 if (task->audit_context) { 1176 struct audit_buffer *ab; 1177 1178 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN); 1179 if (ab) { 1180 audit_log_format(ab, "login pid=%d uid=%u " 1181 "old auid=%u new auid=%u", 1182 task->pid, task->uid, 1183 task->audit_context->loginuid, loginuid); 1184 audit_log_end(ab); 1185 } 1186 task->audit_context->loginuid = loginuid; 1187 } 1188 return 0; 1189 } 1190 1191 uid_t audit_get_loginuid(struct audit_context *ctx) 1192 { 1193 return ctx ? ctx->loginuid : -1; 1194 } 1195 1196 int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode) 1197 { 1198 struct audit_aux_data_ipcctl *ax; 1199 struct audit_context *context = current->audit_context; 1200 1201 if (likely(!context)) 1202 return 0; 1203 1204 ax = kmalloc(sizeof(*ax), GFP_KERNEL); 1205 if (!ax) 1206 return -ENOMEM; 1207 1208 ax->qbytes = qbytes; 1209 ax->uid = uid; 1210 ax->gid = gid; 1211 ax->mode = mode; 1212 1213 ax->d.type = AUDIT_IPC; 1214 ax->d.next = context->aux; 1215 context->aux = (void *)ax; 1216 return 0; 1217 } 1218 1219 int audit_socketcall(int nargs, unsigned long *args) 1220 { 1221 struct audit_aux_data_socketcall *ax; 1222 struct audit_context *context = current->audit_context; 1223 1224 if (likely(!context)) 1225 return 0; 1226 1227 ax = kmalloc(sizeof(*ax) + nargs * sizeof(unsigned long), GFP_KERNEL); 1228 if (!ax) 1229 return -ENOMEM; 1230 1231 ax->nargs = nargs; 1232 memcpy(ax->args, args, nargs * sizeof(unsigned long)); 1233 1234 ax->d.type = AUDIT_SOCKETCALL; 1235 ax->d.next = context->aux; 1236 context->aux = (void *)ax; 1237 return 0; 1238 } 1239 1240 int audit_sockaddr(int len, void *a) 1241 { 1242 struct audit_aux_data_sockaddr *ax; 1243 struct audit_context *context = current->audit_context; 1244 1245 if (likely(!context)) 1246 return 0; 1247 1248 ax = kmalloc(sizeof(*ax) + len, GFP_KERNEL); 1249 if (!ax) 1250 return -ENOMEM; 1251 1252 ax->len = len; 1253 memcpy(ax->a, a, len); 1254 1255 ax->d.type = AUDIT_SOCKADDR; 1256 ax->d.next = context->aux; 1257 context->aux = (void *)ax; 1258 return 0; 1259 } 1260 1261 int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt) 1262 { 1263 struct audit_aux_data_path *ax; 1264 struct audit_context *context = current->audit_context; 1265 1266 if (likely(!context)) 1267 return 0; 1268 1269 ax = kmalloc(sizeof(*ax), GFP_ATOMIC); 1270 if (!ax) 1271 return -ENOMEM; 1272 1273 ax->dentry = dget(dentry); 1274 ax->mnt = mntget(mnt); 1275 1276 ax->d.type = AUDIT_AVC_PATH; 1277 ax->d.next = context->aux; 1278 context->aux = (void *)ax; 1279 return 0; 1280 } 1281 1282 void audit_signal_info(int sig, struct task_struct *t) 1283 { 1284 extern pid_t audit_sig_pid; 1285 extern uid_t audit_sig_uid; 1286 1287 if (unlikely(audit_pid && t->tgid == audit_pid)) { 1288 if (sig == SIGTERM || sig == SIGHUP) { 1289 struct audit_context *ctx = current->audit_context; 1290 audit_sig_pid = current->pid; 1291 if (ctx) 1292 audit_sig_uid = ctx->loginuid; 1293 else 1294 audit_sig_uid = current->uid; 1295 } 1296 } 1297 } 1298 1299