xref: /openbmc/linux/kernel/auditsc.c (revision d5cb9783536a41df9f9cba5b0a1d78047ed787f7)
1 /* auditsc.c -- System-call auditing support
2  * Handles all system-call specific auditing features.
3  *
4  * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina.
5  * All Rights Reserved.
6  *
7  * This program is free software; you can redistribute it and/or modify
8  * it under the terms of the GNU General Public License as published by
9  * the Free Software Foundation; either version 2 of the License, or
10  * (at your option) any later version.
11  *
12  * This program is distributed in the hope that it will be useful,
13  * but WITHOUT ANY WARRANTY; without even the implied warranty of
14  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15  * GNU General Public License for more details.
16  *
17  * You should have received a copy of the GNU General Public License
18  * along with this program; if not, write to the Free Software
19  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
20  *
21  * Written by Rickard E. (Rik) Faith <faith@redhat.com>
22  *
23  * Many of the ideas implemented here are from Stephen C. Tweedie,
24  * especially the idea of avoiding a copy by using getname.
25  *
26  * The method for actual interception of syscall entry and exit (not in
27  * this file -- see entry.S) is based on a GPL'd patch written by
28  * okir@suse.de and Copyright 2003 SuSE Linux AG.
29  *
30  */
31 
32 #include <linux/init.h>
33 #include <asm/atomic.h>
34 #include <asm/types.h>
35 #include <linux/mm.h>
36 #include <linux/module.h>
37 #include <linux/mount.h>
38 #include <linux/socket.h>
39 #include <linux/audit.h>
40 #include <linux/personality.h>
41 #include <linux/time.h>
42 #include <linux/kthread.h>
43 #include <linux/netlink.h>
44 #include <linux/compiler.h>
45 #include <asm/unistd.h>
46 
47 /* 0 = no checking
48    1 = put_count checking
49    2 = verbose put_count checking
50 */
51 #define AUDIT_DEBUG 0
52 
53 /* No syscall auditing will take place unless audit_enabled != 0. */
54 extern int audit_enabled;
55 
56 /* AUDIT_NAMES is the number of slots we reserve in the audit_context
57  * for saving names from getname(). */
58 #define AUDIT_NAMES    20
59 
60 /* AUDIT_NAMES_RESERVED is the number of slots we reserve in the
61  * audit_context from being used for nameless inodes from
62  * path_lookup. */
63 #define AUDIT_NAMES_RESERVED 7
64 
65 /* At task start time, the audit_state is set in the audit_context using
66    a per-task filter.  At syscall entry, the audit_state is augmented by
67    the syscall filter. */
68 enum audit_state {
69 	AUDIT_DISABLED,		/* Do not create per-task audit_context.
70 				 * No syscall-specific audit records can
71 				 * be generated. */
72 	AUDIT_SETUP_CONTEXT,	/* Create the per-task audit_context,
73 				 * but don't necessarily fill it in at
74 				 * syscall entry time (i.e., filter
75 				 * instead). */
76 	AUDIT_BUILD_CONTEXT,	/* Create the per-task audit_context,
77 				 * and always fill it in at syscall
78 				 * entry time.  This makes a full
79 				 * syscall record available if some
80 				 * other part of the kernel decides it
81 				 * should be recorded. */
82 	AUDIT_RECORD_CONTEXT	/* Create the per-task audit_context,
83 				 * always fill it in at syscall entry
84 				 * time, and always write out the audit
85 				 * record at syscall exit time.  */
86 };
87 
88 /* When fs/namei.c:getname() is called, we store the pointer in name and
89  * we don't let putname() free it (instead we free all of the saved
90  * pointers at syscall exit time).
91  *
92  * Further, in fs/namei.c:path_lookup() we store the inode and device. */
93 struct audit_names {
94 	const char	*name;
95 	unsigned long	ino;
96 	dev_t		dev;
97 	umode_t		mode;
98 	uid_t		uid;
99 	gid_t		gid;
100 	dev_t		rdev;
101 	unsigned	flags;
102 };
103 
104 struct audit_aux_data {
105 	struct audit_aux_data	*next;
106 	int			type;
107 };
108 
109 #define AUDIT_AUX_IPCPERM	0
110 
111 struct audit_aux_data_ipcctl {
112 	struct audit_aux_data	d;
113 	struct ipc_perm		p;
114 	unsigned long		qbytes;
115 	uid_t			uid;
116 	gid_t			gid;
117 	mode_t			mode;
118 };
119 
120 struct audit_aux_data_socketcall {
121 	struct audit_aux_data	d;
122 	int			nargs;
123 	unsigned long		args[0];
124 };
125 
126 struct audit_aux_data_sockaddr {
127 	struct audit_aux_data	d;
128 	int			len;
129 	char			a[0];
130 };
131 
132 struct audit_aux_data_path {
133 	struct audit_aux_data	d;
134 	struct dentry		*dentry;
135 	struct vfsmount		*mnt;
136 };
137 
138 /* The per-task audit context. */
139 struct audit_context {
140 	int		    in_syscall;	/* 1 if task is in a syscall */
141 	enum audit_state    state;
142 	unsigned int	    serial;     /* serial number for record */
143 	struct timespec	    ctime;      /* time of syscall entry */
144 	uid_t		    loginuid;   /* login uid (identity) */
145 	int		    major;      /* syscall number */
146 	unsigned long	    argv[4];    /* syscall arguments */
147 	int		    return_valid; /* return code is valid */
148 	long		    return_code;/* syscall return code */
149 	int		    auditable;  /* 1 if record should be written */
150 	int		    name_count;
151 	struct audit_names  names[AUDIT_NAMES];
152 	struct dentry *	    pwd;
153 	struct vfsmount *   pwdmnt;
154 	struct audit_context *previous; /* For nested syscalls */
155 	struct audit_aux_data *aux;
156 
157 				/* Save things to print about task_struct */
158 	pid_t		    pid;
159 	uid_t		    uid, euid, suid, fsuid;
160 	gid_t		    gid, egid, sgid, fsgid;
161 	unsigned long	    personality;
162 	int		    arch;
163 
164 #if AUDIT_DEBUG
165 	int		    put_count;
166 	int		    ino_count;
167 #endif
168 };
169 
170 				/* Public API */
171 /* There are three lists of rules -- one to search at task creation
172  * time, one to search at syscall entry time, and another to search at
173  * syscall exit time. */
174 static struct list_head audit_filter_list[AUDIT_NR_FILTERS] = {
175 	LIST_HEAD_INIT(audit_filter_list[0]),
176 	LIST_HEAD_INIT(audit_filter_list[1]),
177 	LIST_HEAD_INIT(audit_filter_list[2]),
178 	LIST_HEAD_INIT(audit_filter_list[3]),
179 	LIST_HEAD_INIT(audit_filter_list[4]),
180 #if AUDIT_NR_FILTERS != 5
181 #error Fix audit_filter_list initialiser
182 #endif
183 };
184 
185 struct audit_entry {
186 	struct list_head  list;
187 	struct rcu_head   rcu;
188 	struct audit_rule rule;
189 };
190 
191 extern int audit_pid;
192 
193 /* Copy rule from user-space to kernel-space.  Called from
194  * audit_add_rule during AUDIT_ADD. */
195 static inline int audit_copy_rule(struct audit_rule *d, struct audit_rule *s)
196 {
197 	int i;
198 
199 	if (s->action != AUDIT_NEVER
200 	    && s->action != AUDIT_POSSIBLE
201 	    && s->action != AUDIT_ALWAYS)
202 		return -1;
203 	if (s->field_count < 0 || s->field_count > AUDIT_MAX_FIELDS)
204 		return -1;
205 	if ((s->flags & ~AUDIT_FILTER_PREPEND) >= AUDIT_NR_FILTERS)
206 		return -1;
207 
208 	d->flags	= s->flags;
209 	d->action	= s->action;
210 	d->field_count	= s->field_count;
211 	for (i = 0; i < d->field_count; i++) {
212 		d->fields[i] = s->fields[i];
213 		d->values[i] = s->values[i];
214 	}
215 	for (i = 0; i < AUDIT_BITMASK_SIZE; i++) d->mask[i] = s->mask[i];
216 	return 0;
217 }
218 
219 /* Check to see if two rules are identical.  It is called from
220  * audit_add_rule during AUDIT_ADD and
221  * audit_del_rule during AUDIT_DEL. */
222 static inline int audit_compare_rule(struct audit_rule *a, struct audit_rule *b)
223 {
224 	int i;
225 
226 	if (a->flags != b->flags)
227 		return 1;
228 
229 	if (a->action != b->action)
230 		return 1;
231 
232 	if (a->field_count != b->field_count)
233 		return 1;
234 
235 	for (i = 0; i < a->field_count; i++) {
236 		if (a->fields[i] != b->fields[i]
237 		    || a->values[i] != b->values[i])
238 			return 1;
239 	}
240 
241 	for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
242 		if (a->mask[i] != b->mask[i])
243 			return 1;
244 
245 	return 0;
246 }
247 
248 /* Note that audit_add_rule and audit_del_rule are called via
249  * audit_receive() in audit.c, and are protected by
250  * audit_netlink_sem. */
251 static inline int audit_add_rule(struct audit_rule *rule,
252 				  struct list_head *list)
253 {
254 	struct audit_entry  *entry;
255 
256 	/* Do not use the _rcu iterator here, since this is the only
257 	 * addition routine. */
258 	list_for_each_entry(entry, list, list) {
259 		if (!audit_compare_rule(rule, &entry->rule)) {
260 			return -EEXIST;
261 		}
262 	}
263 
264 	if (!(entry = kmalloc(sizeof(*entry), GFP_KERNEL)))
265 		return -ENOMEM;
266 	if (audit_copy_rule(&entry->rule, rule)) {
267 		kfree(entry);
268 		return -EINVAL;
269 	}
270 
271 	if (entry->rule.flags & AUDIT_FILTER_PREPEND) {
272 		entry->rule.flags &= ~AUDIT_FILTER_PREPEND;
273 		list_add_rcu(&entry->list, list);
274 	} else {
275 		list_add_tail_rcu(&entry->list, list);
276 	}
277 
278 	return 0;
279 }
280 
281 static inline void audit_free_rule(struct rcu_head *head)
282 {
283 	struct audit_entry *e = container_of(head, struct audit_entry, rcu);
284 	kfree(e);
285 }
286 
287 /* Note that audit_add_rule and audit_del_rule are called via
288  * audit_receive() in audit.c, and are protected by
289  * audit_netlink_sem. */
290 static inline int audit_del_rule(struct audit_rule *rule,
291 				 struct list_head *list)
292 {
293 	struct audit_entry  *e;
294 
295 	/* Do not use the _rcu iterator here, since this is the only
296 	 * deletion routine. */
297 	list_for_each_entry(e, list, list) {
298 		if (!audit_compare_rule(rule, &e->rule)) {
299 			list_del_rcu(&e->list);
300 			call_rcu(&e->rcu, audit_free_rule);
301 			return 0;
302 		}
303 	}
304 	return -ENOENT;		/* No matching rule */
305 }
306 
307 static int audit_list_rules(void *_dest)
308 {
309 	int pid, seq;
310 	int *dest = _dest;
311 	struct audit_entry *entry;
312 	int i;
313 
314 	pid = dest[0];
315 	seq = dest[1];
316 	kfree(dest);
317 
318 	down(&audit_netlink_sem);
319 
320 	/* The *_rcu iterators not needed here because we are
321 	   always called with audit_netlink_sem held. */
322 	for (i=0; i<AUDIT_NR_FILTERS; i++) {
323 		list_for_each_entry(entry, &audit_filter_list[i], list)
324 			audit_send_reply(pid, seq, AUDIT_LIST, 0, 1,
325 					 &entry->rule, sizeof(entry->rule));
326 	}
327 	audit_send_reply(pid, seq, AUDIT_LIST, 1, 1, NULL, 0);
328 
329 	up(&audit_netlink_sem);
330 	return 0;
331 }
332 
333 int audit_receive_filter(int type, int pid, int uid, int seq, void *data,
334 							uid_t loginuid)
335 {
336 	struct task_struct *tsk;
337 	int *dest;
338 	int		   err = 0;
339 	unsigned listnr;
340 
341 	switch (type) {
342 	case AUDIT_LIST:
343 		/* We can't just spew out the rules here because we might fill
344 		 * the available socket buffer space and deadlock waiting for
345 		 * auditctl to read from it... which isn't ever going to
346 		 * happen if we're actually running in the context of auditctl
347 		 * trying to _send_ the stuff */
348 
349 		dest = kmalloc(2 * sizeof(int), GFP_KERNEL);
350 		if (!dest)
351 			return -ENOMEM;
352 		dest[0] = pid;
353 		dest[1] = seq;
354 
355 		tsk = kthread_run(audit_list_rules, dest, "audit_list_rules");
356 		if (IS_ERR(tsk)) {
357 			kfree(dest);
358 			err = PTR_ERR(tsk);
359 		}
360 		break;
361 	case AUDIT_ADD:
362 		listnr =((struct audit_rule *)data)->flags & ~AUDIT_FILTER_PREPEND;
363 		if (listnr >= AUDIT_NR_FILTERS)
364 			return -EINVAL;
365 
366 		err = audit_add_rule(data, &audit_filter_list[listnr]);
367 		if (!err)
368 			audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
369 				  "auid=%u added an audit rule\n", loginuid);
370 		break;
371 	case AUDIT_DEL:
372 		listnr =((struct audit_rule *)data)->flags & ~AUDIT_FILTER_PREPEND;
373 		if (listnr >= AUDIT_NR_FILTERS)
374 			return -EINVAL;
375 
376 		err = audit_del_rule(data, &audit_filter_list[listnr]);
377 		if (!err)
378 			audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
379 				  "auid=%u removed an audit rule\n", loginuid);
380 		break;
381 	default:
382 		return -EINVAL;
383 	}
384 
385 	return err;
386 }
387 
388 /* Compare a task_struct with an audit_rule.  Return 1 on match, 0
389  * otherwise. */
390 static int audit_filter_rules(struct task_struct *tsk,
391 			      struct audit_rule *rule,
392 			      struct audit_context *ctx,
393 			      enum audit_state *state)
394 {
395 	int i, j;
396 
397 	for (i = 0; i < rule->field_count; i++) {
398 		u32 field  = rule->fields[i] & ~AUDIT_NEGATE;
399 		u32 value  = rule->values[i];
400 		int result = 0;
401 
402 		switch (field) {
403 		case AUDIT_PID:
404 			result = (tsk->pid == value);
405 			break;
406 		case AUDIT_UID:
407 			result = (tsk->uid == value);
408 			break;
409 		case AUDIT_EUID:
410 			result = (tsk->euid == value);
411 			break;
412 		case AUDIT_SUID:
413 			result = (tsk->suid == value);
414 			break;
415 		case AUDIT_FSUID:
416 			result = (tsk->fsuid == value);
417 			break;
418 		case AUDIT_GID:
419 			result = (tsk->gid == value);
420 			break;
421 		case AUDIT_EGID:
422 			result = (tsk->egid == value);
423 			break;
424 		case AUDIT_SGID:
425 			result = (tsk->sgid == value);
426 			break;
427 		case AUDIT_FSGID:
428 			result = (tsk->fsgid == value);
429 			break;
430 		case AUDIT_PERS:
431 			result = (tsk->personality == value);
432 			break;
433 		case AUDIT_ARCH:
434 			if (ctx)
435 				result = (ctx->arch == value);
436 			break;
437 
438 		case AUDIT_EXIT:
439 			if (ctx && ctx->return_valid)
440 				result = (ctx->return_code == value);
441 			break;
442 		case AUDIT_SUCCESS:
443 			if (ctx && ctx->return_valid) {
444 				if (value)
445 					result = (ctx->return_valid == AUDITSC_SUCCESS);
446 				else
447 					result = (ctx->return_valid == AUDITSC_FAILURE);
448 			}
449 			break;
450 		case AUDIT_DEVMAJOR:
451 			if (ctx) {
452 				for (j = 0; j < ctx->name_count; j++) {
453 					if (MAJOR(ctx->names[j].dev)==value) {
454 						++result;
455 						break;
456 					}
457 				}
458 			}
459 			break;
460 		case AUDIT_DEVMINOR:
461 			if (ctx) {
462 				for (j = 0; j < ctx->name_count; j++) {
463 					if (MINOR(ctx->names[j].dev)==value) {
464 						++result;
465 						break;
466 					}
467 				}
468 			}
469 			break;
470 		case AUDIT_INODE:
471 			if (ctx) {
472 				for (j = 0; j < ctx->name_count; j++) {
473 					if (ctx->names[j].ino == value) {
474 						++result;
475 						break;
476 					}
477 				}
478 			}
479 			break;
480 		case AUDIT_LOGINUID:
481 			result = 0;
482 			if (ctx)
483 				result = (ctx->loginuid == value);
484 			break;
485 		case AUDIT_ARG0:
486 		case AUDIT_ARG1:
487 		case AUDIT_ARG2:
488 		case AUDIT_ARG3:
489 			if (ctx)
490 				result = (ctx->argv[field-AUDIT_ARG0]==value);
491 			break;
492 		}
493 
494 		if (rule->fields[i] & AUDIT_NEGATE)
495 			result = !result;
496 		if (!result)
497 			return 0;
498 	}
499 	switch (rule->action) {
500 	case AUDIT_NEVER:    *state = AUDIT_DISABLED;	    break;
501 	case AUDIT_POSSIBLE: *state = AUDIT_BUILD_CONTEXT;  break;
502 	case AUDIT_ALWAYS:   *state = AUDIT_RECORD_CONTEXT; break;
503 	}
504 	return 1;
505 }
506 
507 /* At process creation time, we can determine if system-call auditing is
508  * completely disabled for this task.  Since we only have the task
509  * structure at this point, we can only check uid and gid.
510  */
511 static enum audit_state audit_filter_task(struct task_struct *tsk)
512 {
513 	struct audit_entry *e;
514 	enum audit_state   state;
515 
516 	rcu_read_lock();
517 	list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TASK], list) {
518 		if (audit_filter_rules(tsk, &e->rule, NULL, &state)) {
519 			rcu_read_unlock();
520 			return state;
521 		}
522 	}
523 	rcu_read_unlock();
524 	return AUDIT_BUILD_CONTEXT;
525 }
526 
527 /* At syscall entry and exit time, this filter is called if the
528  * audit_state is not low enough that auditing cannot take place, but is
529  * also not high enough that we already know we have to write an audit
530  * record (i.e., the state is AUDIT_SETUP_CONTEXT or  AUDIT_BUILD_CONTEXT).
531  */
532 static enum audit_state audit_filter_syscall(struct task_struct *tsk,
533 					     struct audit_context *ctx,
534 					     struct list_head *list)
535 {
536 	struct audit_entry *e;
537 	enum audit_state state;
538 
539 	if (audit_pid && tsk->tgid == audit_pid)
540 		return AUDIT_DISABLED;
541 
542 	rcu_read_lock();
543 	if (!list_empty(list)) {
544 		    int word = AUDIT_WORD(ctx->major);
545 		    int bit  = AUDIT_BIT(ctx->major);
546 
547 		    list_for_each_entry_rcu(e, list, list) {
548 			    if ((e->rule.mask[word] & bit) == bit
549 				&& audit_filter_rules(tsk, &e->rule, ctx, &state)) {
550 				    rcu_read_unlock();
551 				    return state;
552 			    }
553 		    }
554 	}
555 	rcu_read_unlock();
556 	return AUDIT_BUILD_CONTEXT;
557 }
558 
559 static int audit_filter_user_rules(struct netlink_skb_parms *cb,
560 			      struct audit_rule *rule,
561 			      enum audit_state *state)
562 {
563 	int i;
564 
565 	for (i = 0; i < rule->field_count; i++) {
566 		u32 field  = rule->fields[i] & ~AUDIT_NEGATE;
567 		u32 value  = rule->values[i];
568 		int result = 0;
569 
570 		switch (field) {
571 		case AUDIT_PID:
572 			result = (cb->creds.pid == value);
573 			break;
574 		case AUDIT_UID:
575 			result = (cb->creds.uid == value);
576 			break;
577 		case AUDIT_GID:
578 			result = (cb->creds.gid == value);
579 			break;
580 		case AUDIT_LOGINUID:
581 			result = (cb->loginuid == value);
582 			break;
583 		}
584 
585 		if (rule->fields[i] & AUDIT_NEGATE)
586 			result = !result;
587 		if (!result)
588 			return 0;
589 	}
590 	switch (rule->action) {
591 	case AUDIT_NEVER:    *state = AUDIT_DISABLED;	    break;
592 	case AUDIT_POSSIBLE: *state = AUDIT_BUILD_CONTEXT;  break;
593 	case AUDIT_ALWAYS:   *state = AUDIT_RECORD_CONTEXT; break;
594 	}
595 	return 1;
596 }
597 
598 int audit_filter_user(struct netlink_skb_parms *cb, int type)
599 {
600 	struct audit_entry *e;
601 	enum audit_state   state;
602 	int ret = 1;
603 
604 	rcu_read_lock();
605 	list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) {
606 		if (audit_filter_user_rules(cb, &e->rule, &state)) {
607 			if (state == AUDIT_DISABLED)
608 				ret = 0;
609 			break;
610 		}
611 	}
612 	rcu_read_unlock();
613 
614 	return ret; /* Audit by default */
615 }
616 
617 /* This should be called with task_lock() held. */
618 static inline struct audit_context *audit_get_context(struct task_struct *tsk,
619 						      int return_valid,
620 						      int return_code)
621 {
622 	struct audit_context *context = tsk->audit_context;
623 
624 	if (likely(!context))
625 		return NULL;
626 	context->return_valid = return_valid;
627 	context->return_code  = return_code;
628 
629 	if (context->in_syscall && !context->auditable) {
630 		enum audit_state state;
631 		state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_EXIT]);
632 		if (state == AUDIT_RECORD_CONTEXT)
633 			context->auditable = 1;
634 	}
635 
636 	context->pid = tsk->pid;
637 	context->uid = tsk->uid;
638 	context->gid = tsk->gid;
639 	context->euid = tsk->euid;
640 	context->suid = tsk->suid;
641 	context->fsuid = tsk->fsuid;
642 	context->egid = tsk->egid;
643 	context->sgid = tsk->sgid;
644 	context->fsgid = tsk->fsgid;
645 	context->personality = tsk->personality;
646 	tsk->audit_context = NULL;
647 	return context;
648 }
649 
650 static inline void audit_free_names(struct audit_context *context)
651 {
652 	int i;
653 
654 #if AUDIT_DEBUG == 2
655 	if (context->auditable
656 	    ||context->put_count + context->ino_count != context->name_count) {
657 		printk(KERN_ERR "audit.c:%d(:%d): major=%d in_syscall=%d"
658 		       " name_count=%d put_count=%d"
659 		       " ino_count=%d [NOT freeing]\n",
660 		       __LINE__,
661 		       context->serial, context->major, context->in_syscall,
662 		       context->name_count, context->put_count,
663 		       context->ino_count);
664 		for (i = 0; i < context->name_count; i++)
665 			printk(KERN_ERR "names[%d] = %p = %s\n", i,
666 			       context->names[i].name,
667 			       context->names[i].name);
668 		dump_stack();
669 		return;
670 	}
671 #endif
672 #if AUDIT_DEBUG
673 	context->put_count  = 0;
674 	context->ino_count  = 0;
675 #endif
676 
677 	for (i = 0; i < context->name_count; i++)
678 		if (context->names[i].name)
679 			__putname(context->names[i].name);
680 	context->name_count = 0;
681 	if (context->pwd)
682 		dput(context->pwd);
683 	if (context->pwdmnt)
684 		mntput(context->pwdmnt);
685 	context->pwd = NULL;
686 	context->pwdmnt = NULL;
687 }
688 
689 static inline void audit_free_aux(struct audit_context *context)
690 {
691 	struct audit_aux_data *aux;
692 
693 	while ((aux = context->aux)) {
694 		if (aux->type == AUDIT_AVC_PATH) {
695 			struct audit_aux_data_path *axi = (void *)aux;
696 			dput(axi->dentry);
697 			mntput(axi->mnt);
698 		}
699 		context->aux = aux->next;
700 		kfree(aux);
701 	}
702 }
703 
704 static inline void audit_zero_context(struct audit_context *context,
705 				      enum audit_state state)
706 {
707 	uid_t loginuid = context->loginuid;
708 
709 	memset(context, 0, sizeof(*context));
710 	context->state      = state;
711 	context->loginuid   = loginuid;
712 }
713 
714 static inline struct audit_context *audit_alloc_context(enum audit_state state)
715 {
716 	struct audit_context *context;
717 
718 	if (!(context = kmalloc(sizeof(*context), GFP_KERNEL)))
719 		return NULL;
720 	audit_zero_context(context, state);
721 	return context;
722 }
723 
724 /* Filter on the task information and allocate a per-task audit context
725  * if necessary.  Doing so turns on system call auditing for the
726  * specified task.  This is called from copy_process, so no lock is
727  * needed. */
728 int audit_alloc(struct task_struct *tsk)
729 {
730 	struct audit_context *context;
731 	enum audit_state     state;
732 
733 	if (likely(!audit_enabled))
734 		return 0; /* Return if not auditing. */
735 
736 	state = audit_filter_task(tsk);
737 	if (likely(state == AUDIT_DISABLED))
738 		return 0;
739 
740 	if (!(context = audit_alloc_context(state))) {
741 		audit_log_lost("out of memory in audit_alloc");
742 		return -ENOMEM;
743 	}
744 
745 				/* Preserve login uid */
746 	context->loginuid = -1;
747 	if (current->audit_context)
748 		context->loginuid = current->audit_context->loginuid;
749 
750 	tsk->audit_context  = context;
751 	set_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT);
752 	return 0;
753 }
754 
755 static inline void audit_free_context(struct audit_context *context)
756 {
757 	struct audit_context *previous;
758 	int		     count = 0;
759 
760 	do {
761 		previous = context->previous;
762 		if (previous || (count &&  count < 10)) {
763 			++count;
764 			printk(KERN_ERR "audit(:%d): major=%d name_count=%d:"
765 			       " freeing multiple contexts (%d)\n",
766 			       context->serial, context->major,
767 			       context->name_count, count);
768 		}
769 		audit_free_names(context);
770 		audit_free_aux(context);
771 		kfree(context);
772 		context  = previous;
773 	} while (context);
774 	if (count >= 10)
775 		printk(KERN_ERR "audit: freed %d contexts\n", count);
776 }
777 
778 static void audit_log_task_info(struct audit_buffer *ab)
779 {
780 	char name[sizeof(current->comm)];
781 	struct mm_struct *mm = current->mm;
782 	struct vm_area_struct *vma;
783 
784 	get_task_comm(name, current);
785 	audit_log_format(ab, " comm=");
786 	audit_log_untrustedstring(ab, name);
787 
788 	if (!mm)
789 		return;
790 
791 	down_read(&mm->mmap_sem);
792 	vma = mm->mmap;
793 	while (vma) {
794 		if ((vma->vm_flags & VM_EXECUTABLE) &&
795 		    vma->vm_file) {
796 			audit_log_d_path(ab, "exe=",
797 					 vma->vm_file->f_dentry,
798 					 vma->vm_file->f_vfsmnt);
799 			break;
800 		}
801 		vma = vma->vm_next;
802 	}
803 	up_read(&mm->mmap_sem);
804 }
805 
806 static void audit_log_exit(struct audit_context *context, gfp_t gfp_mask)
807 {
808 	int i;
809 	struct audit_buffer *ab;
810 	struct audit_aux_data *aux;
811 
812 	ab = audit_log_start(context, gfp_mask, AUDIT_SYSCALL);
813 	if (!ab)
814 		return;		/* audit_panic has been called */
815 	audit_log_format(ab, "arch=%x syscall=%d",
816 			 context->arch, context->major);
817 	if (context->personality != PER_LINUX)
818 		audit_log_format(ab, " per=%lx", context->personality);
819 	if (context->return_valid)
820 		audit_log_format(ab, " success=%s exit=%ld",
821 				 (context->return_valid==AUDITSC_SUCCESS)?"yes":"no",
822 				 context->return_code);
823 	audit_log_format(ab,
824 		  " a0=%lx a1=%lx a2=%lx a3=%lx items=%d"
825 		  " pid=%d auid=%u uid=%u gid=%u"
826 		  " euid=%u suid=%u fsuid=%u"
827 		  " egid=%u sgid=%u fsgid=%u",
828 		  context->argv[0],
829 		  context->argv[1],
830 		  context->argv[2],
831 		  context->argv[3],
832 		  context->name_count,
833 		  context->pid,
834 		  context->loginuid,
835 		  context->uid,
836 		  context->gid,
837 		  context->euid, context->suid, context->fsuid,
838 		  context->egid, context->sgid, context->fsgid);
839 	audit_log_task_info(ab);
840 	audit_log_end(ab);
841 
842 	for (aux = context->aux; aux; aux = aux->next) {
843 
844 		ab = audit_log_start(context, GFP_KERNEL, aux->type);
845 		if (!ab)
846 			continue; /* audit_panic has been called */
847 
848 		switch (aux->type) {
849 		case AUDIT_IPC: {
850 			struct audit_aux_data_ipcctl *axi = (void *)aux;
851 			audit_log_format(ab,
852 					 " qbytes=%lx iuid=%u igid=%u mode=%x",
853 					 axi->qbytes, axi->uid, axi->gid, axi->mode);
854 			break; }
855 
856 		case AUDIT_SOCKETCALL: {
857 			int i;
858 			struct audit_aux_data_socketcall *axs = (void *)aux;
859 			audit_log_format(ab, "nargs=%d", axs->nargs);
860 			for (i=0; i<axs->nargs; i++)
861 				audit_log_format(ab, " a%d=%lx", i, axs->args[i]);
862 			break; }
863 
864 		case AUDIT_SOCKADDR: {
865 			struct audit_aux_data_sockaddr *axs = (void *)aux;
866 
867 			audit_log_format(ab, "saddr=");
868 			audit_log_hex(ab, axs->a, axs->len);
869 			break; }
870 
871 		case AUDIT_AVC_PATH: {
872 			struct audit_aux_data_path *axi = (void *)aux;
873 			audit_log_d_path(ab, "path=", axi->dentry, axi->mnt);
874 			break; }
875 
876 		}
877 		audit_log_end(ab);
878 	}
879 
880 	if (context->pwd && context->pwdmnt) {
881 		ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD);
882 		if (ab) {
883 			audit_log_d_path(ab, "cwd=", context->pwd, context->pwdmnt);
884 			audit_log_end(ab);
885 		}
886 	}
887 	for (i = 0; i < context->name_count; i++) {
888 		ab = audit_log_start(context, GFP_KERNEL, AUDIT_PATH);
889 		if (!ab)
890 			continue; /* audit_panic has been called */
891 
892 		audit_log_format(ab, "item=%d", i);
893 		if (context->names[i].name) {
894 			audit_log_format(ab, " name=");
895 			audit_log_untrustedstring(ab, context->names[i].name);
896 		}
897 		audit_log_format(ab, " flags=%x\n", context->names[i].flags);
898 
899 		if (context->names[i].ino != (unsigned long)-1)
900 			audit_log_format(ab, " inode=%lu dev=%02x:%02x mode=%#o"
901 					     " ouid=%u ogid=%u rdev=%02x:%02x",
902 					 context->names[i].ino,
903 					 MAJOR(context->names[i].dev),
904 					 MINOR(context->names[i].dev),
905 					 context->names[i].mode,
906 					 context->names[i].uid,
907 					 context->names[i].gid,
908 					 MAJOR(context->names[i].rdev),
909 					 MINOR(context->names[i].rdev));
910 		audit_log_end(ab);
911 	}
912 }
913 
914 /* Free a per-task audit context.  Called from copy_process and
915  * __put_task_struct. */
916 void audit_free(struct task_struct *tsk)
917 {
918 	struct audit_context *context;
919 
920 	task_lock(tsk);
921 	context = audit_get_context(tsk, 0, 0);
922 	task_unlock(tsk);
923 
924 	if (likely(!context))
925 		return;
926 
927 	/* Check for system calls that do not go through the exit
928 	 * function (e.g., exit_group), then free context block.
929 	 * We use GFP_ATOMIC here because we might be doing this
930 	 * in the context of the idle thread */
931 	if (context->in_syscall && context->auditable)
932 		audit_log_exit(context, GFP_ATOMIC);
933 
934 	audit_free_context(context);
935 }
936 
937 /* Fill in audit context at syscall entry.  This only happens if the
938  * audit context was created when the task was created and the state or
939  * filters demand the audit context be built.  If the state from the
940  * per-task filter or from the per-syscall filter is AUDIT_RECORD_CONTEXT,
941  * then the record will be written at syscall exit time (otherwise, it
942  * will only be written if another part of the kernel requests that it
943  * be written). */
944 void audit_syscall_entry(struct task_struct *tsk, int arch, int major,
945 			 unsigned long a1, unsigned long a2,
946 			 unsigned long a3, unsigned long a4)
947 {
948 	struct audit_context *context = tsk->audit_context;
949 	enum audit_state     state;
950 
951 	BUG_ON(!context);
952 
953 	/* This happens only on certain architectures that make system
954 	 * calls in kernel_thread via the entry.S interface, instead of
955 	 * with direct calls.  (If you are porting to a new
956 	 * architecture, hitting this condition can indicate that you
957 	 * got the _exit/_leave calls backward in entry.S.)
958 	 *
959 	 * i386     no
960 	 * x86_64   no
961 	 * ppc64    yes (see arch/ppc64/kernel/misc.S)
962 	 *
963 	 * This also happens with vm86 emulation in a non-nested manner
964 	 * (entries without exits), so this case must be caught.
965 	 */
966 	if (context->in_syscall) {
967 		struct audit_context *newctx;
968 
969 #if defined(__NR_vm86) && defined(__NR_vm86old)
970 		/* vm86 mode should only be entered once */
971 		if (major == __NR_vm86 || major == __NR_vm86old)
972 			return;
973 #endif
974 #if AUDIT_DEBUG
975 		printk(KERN_ERR
976 		       "audit(:%d) pid=%d in syscall=%d;"
977 		       " entering syscall=%d\n",
978 		       context->serial, tsk->pid, context->major, major);
979 #endif
980 		newctx = audit_alloc_context(context->state);
981 		if (newctx) {
982 			newctx->previous   = context;
983 			context		   = newctx;
984 			tsk->audit_context = newctx;
985 		} else	{
986 			/* If we can't alloc a new context, the best we
987 			 * can do is to leak memory (any pending putname
988 			 * will be lost).  The only other alternative is
989 			 * to abandon auditing. */
990 			audit_zero_context(context, context->state);
991 		}
992 	}
993 	BUG_ON(context->in_syscall || context->name_count);
994 
995 	if (!audit_enabled)
996 		return;
997 
998 	context->arch	    = arch;
999 	context->major      = major;
1000 	context->argv[0]    = a1;
1001 	context->argv[1]    = a2;
1002 	context->argv[2]    = a3;
1003 	context->argv[3]    = a4;
1004 
1005 	state = context->state;
1006 	if (state == AUDIT_SETUP_CONTEXT || state == AUDIT_BUILD_CONTEXT)
1007 		state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_ENTRY]);
1008 	if (likely(state == AUDIT_DISABLED))
1009 		return;
1010 
1011 	context->serial     = 0;
1012 	context->ctime      = CURRENT_TIME;
1013 	context->in_syscall = 1;
1014 	context->auditable  = !!(state == AUDIT_RECORD_CONTEXT);
1015 }
1016 
1017 /* Tear down after system call.  If the audit context has been marked as
1018  * auditable (either because of the AUDIT_RECORD_CONTEXT state from
1019  * filtering, or because some other part of the kernel write an audit
1020  * message), then write out the syscall information.  In call cases,
1021  * free the names stored from getname(). */
1022 void audit_syscall_exit(struct task_struct *tsk, int valid, long return_code)
1023 {
1024 	struct audit_context *context;
1025 
1026 	get_task_struct(tsk);
1027 	task_lock(tsk);
1028 	context = audit_get_context(tsk, valid, return_code);
1029 	task_unlock(tsk);
1030 
1031 	/* Not having a context here is ok, since the parent may have
1032 	 * called __put_task_struct. */
1033 	if (likely(!context))
1034 		goto out;
1035 
1036 	if (context->in_syscall && context->auditable)
1037 		audit_log_exit(context, GFP_KERNEL);
1038 
1039 	context->in_syscall = 0;
1040 	context->auditable  = 0;
1041 
1042 	if (context->previous) {
1043 		struct audit_context *new_context = context->previous;
1044 		context->previous  = NULL;
1045 		audit_free_context(context);
1046 		tsk->audit_context = new_context;
1047 	} else {
1048 		audit_free_names(context);
1049 		audit_free_aux(context);
1050 		tsk->audit_context = context;
1051 	}
1052  out:
1053 	put_task_struct(tsk);
1054 }
1055 
1056 /* Add a name to the list.  Called from fs/namei.c:getname(). */
1057 void audit_getname(const char *name)
1058 {
1059 	struct audit_context *context = current->audit_context;
1060 
1061 	if (!context || IS_ERR(name) || !name)
1062 		return;
1063 
1064 	if (!context->in_syscall) {
1065 #if AUDIT_DEBUG == 2
1066 		printk(KERN_ERR "%s:%d(:%d): ignoring getname(%p)\n",
1067 		       __FILE__, __LINE__, context->serial, name);
1068 		dump_stack();
1069 #endif
1070 		return;
1071 	}
1072 	BUG_ON(context->name_count >= AUDIT_NAMES);
1073 	context->names[context->name_count].name = name;
1074 	context->names[context->name_count].ino  = (unsigned long)-1;
1075 	++context->name_count;
1076 	if (!context->pwd) {
1077 		read_lock(&current->fs->lock);
1078 		context->pwd = dget(current->fs->pwd);
1079 		context->pwdmnt = mntget(current->fs->pwdmnt);
1080 		read_unlock(&current->fs->lock);
1081 	}
1082 
1083 }
1084 
1085 /* Intercept a putname request.  Called from
1086  * include/linux/fs.h:putname().  If we have stored the name from
1087  * getname in the audit context, then we delay the putname until syscall
1088  * exit. */
1089 void audit_putname(const char *name)
1090 {
1091 	struct audit_context *context = current->audit_context;
1092 
1093 	BUG_ON(!context);
1094 	if (!context->in_syscall) {
1095 #if AUDIT_DEBUG == 2
1096 		printk(KERN_ERR "%s:%d(:%d): __putname(%p)\n",
1097 		       __FILE__, __LINE__, context->serial, name);
1098 		if (context->name_count) {
1099 			int i;
1100 			for (i = 0; i < context->name_count; i++)
1101 				printk(KERN_ERR "name[%d] = %p = %s\n", i,
1102 				       context->names[i].name,
1103 				       context->names[i].name);
1104 		}
1105 #endif
1106 		__putname(name);
1107 	}
1108 #if AUDIT_DEBUG
1109 	else {
1110 		++context->put_count;
1111 		if (context->put_count > context->name_count) {
1112 			printk(KERN_ERR "%s:%d(:%d): major=%d"
1113 			       " in_syscall=%d putname(%p) name_count=%d"
1114 			       " put_count=%d\n",
1115 			       __FILE__, __LINE__,
1116 			       context->serial, context->major,
1117 			       context->in_syscall, name, context->name_count,
1118 			       context->put_count);
1119 			dump_stack();
1120 		}
1121 	}
1122 #endif
1123 }
1124 
1125 /* Store the inode and device from a lookup.  Called from
1126  * fs/namei.c:path_lookup(). */
1127 void audit_inode(const char *name, const struct inode *inode, unsigned flags)
1128 {
1129 	int idx;
1130 	struct audit_context *context = current->audit_context;
1131 
1132 	if (!context->in_syscall)
1133 		return;
1134 	if (context->name_count
1135 	    && context->names[context->name_count-1].name
1136 	    && context->names[context->name_count-1].name == name)
1137 		idx = context->name_count - 1;
1138 	else if (context->name_count > 1
1139 		 && context->names[context->name_count-2].name
1140 		 && context->names[context->name_count-2].name == name)
1141 		idx = context->name_count - 2;
1142 	else {
1143 		/* FIXME: how much do we care about inodes that have no
1144 		 * associated name? */
1145 		if (context->name_count >= AUDIT_NAMES - AUDIT_NAMES_RESERVED)
1146 			return;
1147 		idx = context->name_count++;
1148 		context->names[idx].name = NULL;
1149 #if AUDIT_DEBUG
1150 		++context->ino_count;
1151 #endif
1152 	}
1153 	context->names[idx].flags = flags;
1154 	context->names[idx].ino   = inode->i_ino;
1155 	context->names[idx].dev	  = inode->i_sb->s_dev;
1156 	context->names[idx].mode  = inode->i_mode;
1157 	context->names[idx].uid   = inode->i_uid;
1158 	context->names[idx].gid   = inode->i_gid;
1159 	context->names[idx].rdev  = inode->i_rdev;
1160 }
1161 
1162 void auditsc_get_stamp(struct audit_context *ctx,
1163 		       struct timespec *t, unsigned int *serial)
1164 {
1165 	if (!ctx->serial)
1166 		ctx->serial = audit_serial();
1167 	t->tv_sec  = ctx->ctime.tv_sec;
1168 	t->tv_nsec = ctx->ctime.tv_nsec;
1169 	*serial    = ctx->serial;
1170 	ctx->auditable = 1;
1171 }
1172 
1173 int audit_set_loginuid(struct task_struct *task, uid_t loginuid)
1174 {
1175 	if (task->audit_context) {
1176 		struct audit_buffer *ab;
1177 
1178 		ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN);
1179 		if (ab) {
1180 			audit_log_format(ab, "login pid=%d uid=%u "
1181 				"old auid=%u new auid=%u",
1182 				task->pid, task->uid,
1183 				task->audit_context->loginuid, loginuid);
1184 			audit_log_end(ab);
1185 		}
1186 		task->audit_context->loginuid = loginuid;
1187 	}
1188 	return 0;
1189 }
1190 
1191 uid_t audit_get_loginuid(struct audit_context *ctx)
1192 {
1193 	return ctx ? ctx->loginuid : -1;
1194 }
1195 
1196 int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode)
1197 {
1198 	struct audit_aux_data_ipcctl *ax;
1199 	struct audit_context *context = current->audit_context;
1200 
1201 	if (likely(!context))
1202 		return 0;
1203 
1204 	ax = kmalloc(sizeof(*ax), GFP_KERNEL);
1205 	if (!ax)
1206 		return -ENOMEM;
1207 
1208 	ax->qbytes = qbytes;
1209 	ax->uid = uid;
1210 	ax->gid = gid;
1211 	ax->mode = mode;
1212 
1213 	ax->d.type = AUDIT_IPC;
1214 	ax->d.next = context->aux;
1215 	context->aux = (void *)ax;
1216 	return 0;
1217 }
1218 
1219 int audit_socketcall(int nargs, unsigned long *args)
1220 {
1221 	struct audit_aux_data_socketcall *ax;
1222 	struct audit_context *context = current->audit_context;
1223 
1224 	if (likely(!context))
1225 		return 0;
1226 
1227 	ax = kmalloc(sizeof(*ax) + nargs * sizeof(unsigned long), GFP_KERNEL);
1228 	if (!ax)
1229 		return -ENOMEM;
1230 
1231 	ax->nargs = nargs;
1232 	memcpy(ax->args, args, nargs * sizeof(unsigned long));
1233 
1234 	ax->d.type = AUDIT_SOCKETCALL;
1235 	ax->d.next = context->aux;
1236 	context->aux = (void *)ax;
1237 	return 0;
1238 }
1239 
1240 int audit_sockaddr(int len, void *a)
1241 {
1242 	struct audit_aux_data_sockaddr *ax;
1243 	struct audit_context *context = current->audit_context;
1244 
1245 	if (likely(!context))
1246 		return 0;
1247 
1248 	ax = kmalloc(sizeof(*ax) + len, GFP_KERNEL);
1249 	if (!ax)
1250 		return -ENOMEM;
1251 
1252 	ax->len = len;
1253 	memcpy(ax->a, a, len);
1254 
1255 	ax->d.type = AUDIT_SOCKADDR;
1256 	ax->d.next = context->aux;
1257 	context->aux = (void *)ax;
1258 	return 0;
1259 }
1260 
1261 int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt)
1262 {
1263 	struct audit_aux_data_path *ax;
1264 	struct audit_context *context = current->audit_context;
1265 
1266 	if (likely(!context))
1267 		return 0;
1268 
1269 	ax = kmalloc(sizeof(*ax), GFP_ATOMIC);
1270 	if (!ax)
1271 		return -ENOMEM;
1272 
1273 	ax->dentry = dget(dentry);
1274 	ax->mnt = mntget(mnt);
1275 
1276 	ax->d.type = AUDIT_AVC_PATH;
1277 	ax->d.next = context->aux;
1278 	context->aux = (void *)ax;
1279 	return 0;
1280 }
1281 
1282 void audit_signal_info(int sig, struct task_struct *t)
1283 {
1284 	extern pid_t audit_sig_pid;
1285 	extern uid_t audit_sig_uid;
1286 
1287 	if (unlikely(audit_pid && t->tgid == audit_pid)) {
1288 		if (sig == SIGTERM || sig == SIGHUP) {
1289 			struct audit_context *ctx = current->audit_context;
1290 			audit_sig_pid = current->pid;
1291 			if (ctx)
1292 				audit_sig_uid = ctx->loginuid;
1293 			else
1294 				audit_sig_uid = current->uid;
1295 		}
1296 	}
1297 }
1298 
1299