1 /* auditsc.c -- System-call auditing support 2 * Handles all system-call specific auditing features. 3 * 4 * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina. 5 * Copyright 2005 Hewlett-Packard Development Company, L.P. 6 * Copyright (C) 2005, 2006 IBM Corporation 7 * All Rights Reserved. 8 * 9 * This program is free software; you can redistribute it and/or modify 10 * it under the terms of the GNU General Public License as published by 11 * the Free Software Foundation; either version 2 of the License, or 12 * (at your option) any later version. 13 * 14 * This program is distributed in the hope that it will be useful, 15 * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 * GNU General Public License for more details. 18 * 19 * You should have received a copy of the GNU General Public License 20 * along with this program; if not, write to the Free Software 21 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 22 * 23 * Written by Rickard E. (Rik) Faith <faith@redhat.com> 24 * 25 * Many of the ideas implemented here are from Stephen C. Tweedie, 26 * especially the idea of avoiding a copy by using getname. 27 * 28 * The method for actual interception of syscall entry and exit (not in 29 * this file -- see entry.S) is based on a GPL'd patch written by 30 * okir@suse.de and Copyright 2003 SuSE Linux AG. 31 * 32 * POSIX message queue support added by George Wilson <ltcgcw@us.ibm.com>, 33 * 2006. 34 * 35 * The support of additional filter rules compares (>, <, >=, <=) was 36 * added by Dustin Kirkland <dustin.kirkland@us.ibm.com>, 2005. 37 * 38 * Modified by Amy Griffis <amy.griffis@hp.com> to collect additional 39 * filesystem information. 40 * 41 * Subject and object context labeling support added by <danjones@us.ibm.com> 42 * and <dustin.kirkland@us.ibm.com> for LSPP certification compliance. 43 */ 44 45 #include <linux/init.h> 46 #include <asm/types.h> 47 #include <asm/atomic.h> 48 #include <linux/fs.h> 49 #include <linux/namei.h> 50 #include <linux/mm.h> 51 #include <linux/module.h> 52 #include <linux/mount.h> 53 #include <linux/socket.h> 54 #include <linux/mqueue.h> 55 #include <linux/audit.h> 56 #include <linux/personality.h> 57 #include <linux/time.h> 58 #include <linux/netlink.h> 59 #include <linux/compiler.h> 60 #include <asm/unistd.h> 61 #include <linux/security.h> 62 #include <linux/list.h> 63 #include <linux/tty.h> 64 #include <linux/binfmts.h> 65 #include <linux/highmem.h> 66 #include <linux/syscalls.h> 67 #include <linux/inotify.h> 68 #include <linux/capability.h> 69 70 #include "audit.h" 71 72 /* AUDIT_NAMES is the number of slots we reserve in the audit_context 73 * for saving names from getname(). */ 74 #define AUDIT_NAMES 20 75 76 /* Indicates that audit should log the full pathname. */ 77 #define AUDIT_NAME_FULL -1 78 79 /* no execve audit message should be longer than this (userspace limits) */ 80 #define MAX_EXECVE_AUDIT_LEN 7500 81 82 /* number of audit rules */ 83 int audit_n_rules; 84 85 /* determines whether we collect data for signals sent */ 86 int audit_signals; 87 88 struct audit_cap_data { 89 kernel_cap_t permitted; 90 kernel_cap_t inheritable; 91 union { 92 unsigned int fE; /* effective bit of a file capability */ 93 kernel_cap_t effective; /* effective set of a process */ 94 }; 95 }; 96 97 /* When fs/namei.c:getname() is called, we store the pointer in name and 98 * we don't let putname() free it (instead we free all of the saved 99 * pointers at syscall exit time). 100 * 101 * Further, in fs/namei.c:path_lookup() we store the inode and device. */ 102 struct audit_names { 103 const char *name; 104 int name_len; /* number of name's characters to log */ 105 unsigned name_put; /* call __putname() for this name */ 106 unsigned long ino; 107 dev_t dev; 108 umode_t mode; 109 uid_t uid; 110 gid_t gid; 111 dev_t rdev; 112 u32 osid; 113 struct audit_cap_data fcap; 114 unsigned int fcap_ver; 115 }; 116 117 struct audit_aux_data { 118 struct audit_aux_data *next; 119 int type; 120 }; 121 122 #define AUDIT_AUX_IPCPERM 0 123 124 /* Number of target pids per aux struct. */ 125 #define AUDIT_AUX_PIDS 16 126 127 struct audit_aux_data_mq_open { 128 struct audit_aux_data d; 129 int oflag; 130 mode_t mode; 131 struct mq_attr attr; 132 }; 133 134 struct audit_aux_data_mq_sendrecv { 135 struct audit_aux_data d; 136 mqd_t mqdes; 137 size_t msg_len; 138 unsigned int msg_prio; 139 struct timespec abs_timeout; 140 }; 141 142 struct audit_aux_data_mq_notify { 143 struct audit_aux_data d; 144 mqd_t mqdes; 145 struct sigevent notification; 146 }; 147 148 struct audit_aux_data_mq_getsetattr { 149 struct audit_aux_data d; 150 mqd_t mqdes; 151 struct mq_attr mqstat; 152 }; 153 154 struct audit_aux_data_ipcctl { 155 struct audit_aux_data d; 156 struct ipc_perm p; 157 unsigned long qbytes; 158 uid_t uid; 159 gid_t gid; 160 mode_t mode; 161 u32 osid; 162 }; 163 164 struct audit_aux_data_execve { 165 struct audit_aux_data d; 166 int argc; 167 int envc; 168 struct mm_struct *mm; 169 }; 170 171 struct audit_aux_data_socketcall { 172 struct audit_aux_data d; 173 int nargs; 174 unsigned long args[0]; 175 }; 176 177 struct audit_aux_data_sockaddr { 178 struct audit_aux_data d; 179 int len; 180 char a[0]; 181 }; 182 183 struct audit_aux_data_fd_pair { 184 struct audit_aux_data d; 185 int fd[2]; 186 }; 187 188 struct audit_aux_data_pids { 189 struct audit_aux_data d; 190 pid_t target_pid[AUDIT_AUX_PIDS]; 191 uid_t target_auid[AUDIT_AUX_PIDS]; 192 uid_t target_uid[AUDIT_AUX_PIDS]; 193 unsigned int target_sessionid[AUDIT_AUX_PIDS]; 194 u32 target_sid[AUDIT_AUX_PIDS]; 195 char target_comm[AUDIT_AUX_PIDS][TASK_COMM_LEN]; 196 int pid_count; 197 }; 198 199 struct audit_aux_data_bprm_fcaps { 200 struct audit_aux_data d; 201 struct audit_cap_data fcap; 202 unsigned int fcap_ver; 203 struct audit_cap_data old_pcap; 204 struct audit_cap_data new_pcap; 205 }; 206 207 struct audit_aux_data_capset { 208 struct audit_aux_data d; 209 pid_t pid; 210 struct audit_cap_data cap; 211 }; 212 213 struct audit_tree_refs { 214 struct audit_tree_refs *next; 215 struct audit_chunk *c[31]; 216 }; 217 218 /* The per-task audit context. */ 219 struct audit_context { 220 int dummy; /* must be the first element */ 221 int in_syscall; /* 1 if task is in a syscall */ 222 enum audit_state state; 223 unsigned int serial; /* serial number for record */ 224 struct timespec ctime; /* time of syscall entry */ 225 int major; /* syscall number */ 226 unsigned long argv[4]; /* syscall arguments */ 227 int return_valid; /* return code is valid */ 228 long return_code;/* syscall return code */ 229 int auditable; /* 1 if record should be written */ 230 int name_count; 231 struct audit_names names[AUDIT_NAMES]; 232 char * filterkey; /* key for rule that triggered record */ 233 struct path pwd; 234 struct audit_context *previous; /* For nested syscalls */ 235 struct audit_aux_data *aux; 236 struct audit_aux_data *aux_pids; 237 238 /* Save things to print about task_struct */ 239 pid_t pid, ppid; 240 uid_t uid, euid, suid, fsuid; 241 gid_t gid, egid, sgid, fsgid; 242 unsigned long personality; 243 int arch; 244 245 pid_t target_pid; 246 uid_t target_auid; 247 uid_t target_uid; 248 unsigned int target_sessionid; 249 u32 target_sid; 250 char target_comm[TASK_COMM_LEN]; 251 252 struct audit_tree_refs *trees, *first_trees; 253 int tree_count; 254 255 #if AUDIT_DEBUG 256 int put_count; 257 int ino_count; 258 #endif 259 }; 260 261 #define ACC_MODE(x) ("\004\002\006\006"[(x)&O_ACCMODE]) 262 static inline int open_arg(int flags, int mask) 263 { 264 int n = ACC_MODE(flags); 265 if (flags & (O_TRUNC | O_CREAT)) 266 n |= AUDIT_PERM_WRITE; 267 return n & mask; 268 } 269 270 static int audit_match_perm(struct audit_context *ctx, int mask) 271 { 272 unsigned n; 273 if (unlikely(!ctx)) 274 return 0; 275 n = ctx->major; 276 277 switch (audit_classify_syscall(ctx->arch, n)) { 278 case 0: /* native */ 279 if ((mask & AUDIT_PERM_WRITE) && 280 audit_match_class(AUDIT_CLASS_WRITE, n)) 281 return 1; 282 if ((mask & AUDIT_PERM_READ) && 283 audit_match_class(AUDIT_CLASS_READ, n)) 284 return 1; 285 if ((mask & AUDIT_PERM_ATTR) && 286 audit_match_class(AUDIT_CLASS_CHATTR, n)) 287 return 1; 288 return 0; 289 case 1: /* 32bit on biarch */ 290 if ((mask & AUDIT_PERM_WRITE) && 291 audit_match_class(AUDIT_CLASS_WRITE_32, n)) 292 return 1; 293 if ((mask & AUDIT_PERM_READ) && 294 audit_match_class(AUDIT_CLASS_READ_32, n)) 295 return 1; 296 if ((mask & AUDIT_PERM_ATTR) && 297 audit_match_class(AUDIT_CLASS_CHATTR_32, n)) 298 return 1; 299 return 0; 300 case 2: /* open */ 301 return mask & ACC_MODE(ctx->argv[1]); 302 case 3: /* openat */ 303 return mask & ACC_MODE(ctx->argv[2]); 304 case 4: /* socketcall */ 305 return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND); 306 case 5: /* execve */ 307 return mask & AUDIT_PERM_EXEC; 308 default: 309 return 0; 310 } 311 } 312 313 static int audit_match_filetype(struct audit_context *ctx, int which) 314 { 315 unsigned index = which & ~S_IFMT; 316 mode_t mode = which & S_IFMT; 317 318 if (unlikely(!ctx)) 319 return 0; 320 321 if (index >= ctx->name_count) 322 return 0; 323 if (ctx->names[index].ino == -1) 324 return 0; 325 if ((ctx->names[index].mode ^ mode) & S_IFMT) 326 return 0; 327 return 1; 328 } 329 330 /* 331 * We keep a linked list of fixed-sized (31 pointer) arrays of audit_chunk *; 332 * ->first_trees points to its beginning, ->trees - to the current end of data. 333 * ->tree_count is the number of free entries in array pointed to by ->trees. 334 * Original condition is (NULL, NULL, 0); as soon as it grows we never revert to NULL, 335 * "empty" becomes (p, p, 31) afterwards. We don't shrink the list (and seriously, 336 * it's going to remain 1-element for almost any setup) until we free context itself. 337 * References in it _are_ dropped - at the same time we free/drop aux stuff. 338 */ 339 340 #ifdef CONFIG_AUDIT_TREE 341 static int put_tree_ref(struct audit_context *ctx, struct audit_chunk *chunk) 342 { 343 struct audit_tree_refs *p = ctx->trees; 344 int left = ctx->tree_count; 345 if (likely(left)) { 346 p->c[--left] = chunk; 347 ctx->tree_count = left; 348 return 1; 349 } 350 if (!p) 351 return 0; 352 p = p->next; 353 if (p) { 354 p->c[30] = chunk; 355 ctx->trees = p; 356 ctx->tree_count = 30; 357 return 1; 358 } 359 return 0; 360 } 361 362 static int grow_tree_refs(struct audit_context *ctx) 363 { 364 struct audit_tree_refs *p = ctx->trees; 365 ctx->trees = kzalloc(sizeof(struct audit_tree_refs), GFP_KERNEL); 366 if (!ctx->trees) { 367 ctx->trees = p; 368 return 0; 369 } 370 if (p) 371 p->next = ctx->trees; 372 else 373 ctx->first_trees = ctx->trees; 374 ctx->tree_count = 31; 375 return 1; 376 } 377 #endif 378 379 static void unroll_tree_refs(struct audit_context *ctx, 380 struct audit_tree_refs *p, int count) 381 { 382 #ifdef CONFIG_AUDIT_TREE 383 struct audit_tree_refs *q; 384 int n; 385 if (!p) { 386 /* we started with empty chain */ 387 p = ctx->first_trees; 388 count = 31; 389 /* if the very first allocation has failed, nothing to do */ 390 if (!p) 391 return; 392 } 393 n = count; 394 for (q = p; q != ctx->trees; q = q->next, n = 31) { 395 while (n--) { 396 audit_put_chunk(q->c[n]); 397 q->c[n] = NULL; 398 } 399 } 400 while (n-- > ctx->tree_count) { 401 audit_put_chunk(q->c[n]); 402 q->c[n] = NULL; 403 } 404 ctx->trees = p; 405 ctx->tree_count = count; 406 #endif 407 } 408 409 static void free_tree_refs(struct audit_context *ctx) 410 { 411 struct audit_tree_refs *p, *q; 412 for (p = ctx->first_trees; p; p = q) { 413 q = p->next; 414 kfree(p); 415 } 416 } 417 418 static int match_tree_refs(struct audit_context *ctx, struct audit_tree *tree) 419 { 420 #ifdef CONFIG_AUDIT_TREE 421 struct audit_tree_refs *p; 422 int n; 423 if (!tree) 424 return 0; 425 /* full ones */ 426 for (p = ctx->first_trees; p != ctx->trees; p = p->next) { 427 for (n = 0; n < 31; n++) 428 if (audit_tree_match(p->c[n], tree)) 429 return 1; 430 } 431 /* partial */ 432 if (p) { 433 for (n = ctx->tree_count; n < 31; n++) 434 if (audit_tree_match(p->c[n], tree)) 435 return 1; 436 } 437 #endif 438 return 0; 439 } 440 441 /* Determine if any context name data matches a rule's watch data */ 442 /* Compare a task_struct with an audit_rule. Return 1 on match, 0 443 * otherwise. */ 444 static int audit_filter_rules(struct task_struct *tsk, 445 struct audit_krule *rule, 446 struct audit_context *ctx, 447 struct audit_names *name, 448 enum audit_state *state) 449 { 450 int i, j, need_sid = 1; 451 u32 sid; 452 453 for (i = 0; i < rule->field_count; i++) { 454 struct audit_field *f = &rule->fields[i]; 455 int result = 0; 456 457 switch (f->type) { 458 case AUDIT_PID: 459 result = audit_comparator(tsk->pid, f->op, f->val); 460 break; 461 case AUDIT_PPID: 462 if (ctx) { 463 if (!ctx->ppid) 464 ctx->ppid = sys_getppid(); 465 result = audit_comparator(ctx->ppid, f->op, f->val); 466 } 467 break; 468 case AUDIT_UID: 469 result = audit_comparator(tsk->uid, f->op, f->val); 470 break; 471 case AUDIT_EUID: 472 result = audit_comparator(tsk->euid, f->op, f->val); 473 break; 474 case AUDIT_SUID: 475 result = audit_comparator(tsk->suid, f->op, f->val); 476 break; 477 case AUDIT_FSUID: 478 result = audit_comparator(tsk->fsuid, f->op, f->val); 479 break; 480 case AUDIT_GID: 481 result = audit_comparator(tsk->gid, f->op, f->val); 482 break; 483 case AUDIT_EGID: 484 result = audit_comparator(tsk->egid, f->op, f->val); 485 break; 486 case AUDIT_SGID: 487 result = audit_comparator(tsk->sgid, f->op, f->val); 488 break; 489 case AUDIT_FSGID: 490 result = audit_comparator(tsk->fsgid, f->op, f->val); 491 break; 492 case AUDIT_PERS: 493 result = audit_comparator(tsk->personality, f->op, f->val); 494 break; 495 case AUDIT_ARCH: 496 if (ctx) 497 result = audit_comparator(ctx->arch, f->op, f->val); 498 break; 499 500 case AUDIT_EXIT: 501 if (ctx && ctx->return_valid) 502 result = audit_comparator(ctx->return_code, f->op, f->val); 503 break; 504 case AUDIT_SUCCESS: 505 if (ctx && ctx->return_valid) { 506 if (f->val) 507 result = audit_comparator(ctx->return_valid, f->op, AUDITSC_SUCCESS); 508 else 509 result = audit_comparator(ctx->return_valid, f->op, AUDITSC_FAILURE); 510 } 511 break; 512 case AUDIT_DEVMAJOR: 513 if (name) 514 result = audit_comparator(MAJOR(name->dev), 515 f->op, f->val); 516 else if (ctx) { 517 for (j = 0; j < ctx->name_count; j++) { 518 if (audit_comparator(MAJOR(ctx->names[j].dev), f->op, f->val)) { 519 ++result; 520 break; 521 } 522 } 523 } 524 break; 525 case AUDIT_DEVMINOR: 526 if (name) 527 result = audit_comparator(MINOR(name->dev), 528 f->op, f->val); 529 else if (ctx) { 530 for (j = 0; j < ctx->name_count; j++) { 531 if (audit_comparator(MINOR(ctx->names[j].dev), f->op, f->val)) { 532 ++result; 533 break; 534 } 535 } 536 } 537 break; 538 case AUDIT_INODE: 539 if (name) 540 result = (name->ino == f->val); 541 else if (ctx) { 542 for (j = 0; j < ctx->name_count; j++) { 543 if (audit_comparator(ctx->names[j].ino, f->op, f->val)) { 544 ++result; 545 break; 546 } 547 } 548 } 549 break; 550 case AUDIT_WATCH: 551 if (name && rule->watch->ino != (unsigned long)-1) 552 result = (name->dev == rule->watch->dev && 553 name->ino == rule->watch->ino); 554 break; 555 case AUDIT_DIR: 556 if (ctx) 557 result = match_tree_refs(ctx, rule->tree); 558 break; 559 case AUDIT_LOGINUID: 560 result = 0; 561 if (ctx) 562 result = audit_comparator(tsk->loginuid, f->op, f->val); 563 break; 564 case AUDIT_SUBJ_USER: 565 case AUDIT_SUBJ_ROLE: 566 case AUDIT_SUBJ_TYPE: 567 case AUDIT_SUBJ_SEN: 568 case AUDIT_SUBJ_CLR: 569 /* NOTE: this may return negative values indicating 570 a temporary error. We simply treat this as a 571 match for now to avoid losing information that 572 may be wanted. An error message will also be 573 logged upon error */ 574 if (f->lsm_rule) { 575 if (need_sid) { 576 security_task_getsecid(tsk, &sid); 577 need_sid = 0; 578 } 579 result = security_audit_rule_match(sid, f->type, 580 f->op, 581 f->lsm_rule, 582 ctx); 583 } 584 break; 585 case AUDIT_OBJ_USER: 586 case AUDIT_OBJ_ROLE: 587 case AUDIT_OBJ_TYPE: 588 case AUDIT_OBJ_LEV_LOW: 589 case AUDIT_OBJ_LEV_HIGH: 590 /* The above note for AUDIT_SUBJ_USER...AUDIT_SUBJ_CLR 591 also applies here */ 592 if (f->lsm_rule) { 593 /* Find files that match */ 594 if (name) { 595 result = security_audit_rule_match( 596 name->osid, f->type, f->op, 597 f->lsm_rule, ctx); 598 } else if (ctx) { 599 for (j = 0; j < ctx->name_count; j++) { 600 if (security_audit_rule_match( 601 ctx->names[j].osid, 602 f->type, f->op, 603 f->lsm_rule, ctx)) { 604 ++result; 605 break; 606 } 607 } 608 } 609 /* Find ipc objects that match */ 610 if (ctx) { 611 struct audit_aux_data *aux; 612 for (aux = ctx->aux; aux; 613 aux = aux->next) { 614 if (aux->type == AUDIT_IPC) { 615 struct audit_aux_data_ipcctl *axi = (void *)aux; 616 if (security_audit_rule_match(axi->osid, f->type, f->op, f->lsm_rule, ctx)) { 617 ++result; 618 break; 619 } 620 } 621 } 622 } 623 } 624 break; 625 case AUDIT_ARG0: 626 case AUDIT_ARG1: 627 case AUDIT_ARG2: 628 case AUDIT_ARG3: 629 if (ctx) 630 result = audit_comparator(ctx->argv[f->type-AUDIT_ARG0], f->op, f->val); 631 break; 632 case AUDIT_FILTERKEY: 633 /* ignore this field for filtering */ 634 result = 1; 635 break; 636 case AUDIT_PERM: 637 result = audit_match_perm(ctx, f->val); 638 break; 639 case AUDIT_FILETYPE: 640 result = audit_match_filetype(ctx, f->val); 641 break; 642 } 643 644 if (!result) 645 return 0; 646 } 647 if (rule->filterkey && ctx) 648 ctx->filterkey = kstrdup(rule->filterkey, GFP_ATOMIC); 649 switch (rule->action) { 650 case AUDIT_NEVER: *state = AUDIT_DISABLED; break; 651 case AUDIT_ALWAYS: *state = AUDIT_RECORD_CONTEXT; break; 652 } 653 return 1; 654 } 655 656 /* At process creation time, we can determine if system-call auditing is 657 * completely disabled for this task. Since we only have the task 658 * structure at this point, we can only check uid and gid. 659 */ 660 static enum audit_state audit_filter_task(struct task_struct *tsk) 661 { 662 struct audit_entry *e; 663 enum audit_state state; 664 665 rcu_read_lock(); 666 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TASK], list) { 667 if (audit_filter_rules(tsk, &e->rule, NULL, NULL, &state)) { 668 rcu_read_unlock(); 669 return state; 670 } 671 } 672 rcu_read_unlock(); 673 return AUDIT_BUILD_CONTEXT; 674 } 675 676 /* At syscall entry and exit time, this filter is called if the 677 * audit_state is not low enough that auditing cannot take place, but is 678 * also not high enough that we already know we have to write an audit 679 * record (i.e., the state is AUDIT_SETUP_CONTEXT or AUDIT_BUILD_CONTEXT). 680 */ 681 static enum audit_state audit_filter_syscall(struct task_struct *tsk, 682 struct audit_context *ctx, 683 struct list_head *list) 684 { 685 struct audit_entry *e; 686 enum audit_state state; 687 688 if (audit_pid && tsk->tgid == audit_pid) 689 return AUDIT_DISABLED; 690 691 rcu_read_lock(); 692 if (!list_empty(list)) { 693 int word = AUDIT_WORD(ctx->major); 694 int bit = AUDIT_BIT(ctx->major); 695 696 list_for_each_entry_rcu(e, list, list) { 697 if ((e->rule.mask[word] & bit) == bit && 698 audit_filter_rules(tsk, &e->rule, ctx, NULL, 699 &state)) { 700 rcu_read_unlock(); 701 return state; 702 } 703 } 704 } 705 rcu_read_unlock(); 706 return AUDIT_BUILD_CONTEXT; 707 } 708 709 /* At syscall exit time, this filter is called if any audit_names[] have been 710 * collected during syscall processing. We only check rules in sublists at hash 711 * buckets applicable to the inode numbers in audit_names[]. 712 * Regarding audit_state, same rules apply as for audit_filter_syscall(). 713 */ 714 enum audit_state audit_filter_inodes(struct task_struct *tsk, 715 struct audit_context *ctx) 716 { 717 int i; 718 struct audit_entry *e; 719 enum audit_state state; 720 721 if (audit_pid && tsk->tgid == audit_pid) 722 return AUDIT_DISABLED; 723 724 rcu_read_lock(); 725 for (i = 0; i < ctx->name_count; i++) { 726 int word = AUDIT_WORD(ctx->major); 727 int bit = AUDIT_BIT(ctx->major); 728 struct audit_names *n = &ctx->names[i]; 729 int h = audit_hash_ino((u32)n->ino); 730 struct list_head *list = &audit_inode_hash[h]; 731 732 if (list_empty(list)) 733 continue; 734 735 list_for_each_entry_rcu(e, list, list) { 736 if ((e->rule.mask[word] & bit) == bit && 737 audit_filter_rules(tsk, &e->rule, ctx, n, &state)) { 738 rcu_read_unlock(); 739 return state; 740 } 741 } 742 } 743 rcu_read_unlock(); 744 return AUDIT_BUILD_CONTEXT; 745 } 746 747 void audit_set_auditable(struct audit_context *ctx) 748 { 749 ctx->auditable = 1; 750 } 751 752 static inline struct audit_context *audit_get_context(struct task_struct *tsk, 753 int return_valid, 754 int return_code) 755 { 756 struct audit_context *context = tsk->audit_context; 757 758 if (likely(!context)) 759 return NULL; 760 context->return_valid = return_valid; 761 762 /* 763 * we need to fix up the return code in the audit logs if the actual 764 * return codes are later going to be fixed up by the arch specific 765 * signal handlers 766 * 767 * This is actually a test for: 768 * (rc == ERESTARTSYS ) || (rc == ERESTARTNOINTR) || 769 * (rc == ERESTARTNOHAND) || (rc == ERESTART_RESTARTBLOCK) 770 * 771 * but is faster than a bunch of || 772 */ 773 if (unlikely(return_code <= -ERESTARTSYS) && 774 (return_code >= -ERESTART_RESTARTBLOCK) && 775 (return_code != -ENOIOCTLCMD)) 776 context->return_code = -EINTR; 777 else 778 context->return_code = return_code; 779 780 if (context->in_syscall && !context->dummy && !context->auditable) { 781 enum audit_state state; 782 783 state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_EXIT]); 784 if (state == AUDIT_RECORD_CONTEXT) { 785 context->auditable = 1; 786 goto get_context; 787 } 788 789 state = audit_filter_inodes(tsk, context); 790 if (state == AUDIT_RECORD_CONTEXT) 791 context->auditable = 1; 792 793 } 794 795 get_context: 796 797 tsk->audit_context = NULL; 798 return context; 799 } 800 801 static inline void audit_free_names(struct audit_context *context) 802 { 803 int i; 804 805 #if AUDIT_DEBUG == 2 806 if (context->auditable 807 ||context->put_count + context->ino_count != context->name_count) { 808 printk(KERN_ERR "%s:%d(:%d): major=%d in_syscall=%d" 809 " name_count=%d put_count=%d" 810 " ino_count=%d [NOT freeing]\n", 811 __FILE__, __LINE__, 812 context->serial, context->major, context->in_syscall, 813 context->name_count, context->put_count, 814 context->ino_count); 815 for (i = 0; i < context->name_count; i++) { 816 printk(KERN_ERR "names[%d] = %p = %s\n", i, 817 context->names[i].name, 818 context->names[i].name ?: "(null)"); 819 } 820 dump_stack(); 821 return; 822 } 823 #endif 824 #if AUDIT_DEBUG 825 context->put_count = 0; 826 context->ino_count = 0; 827 #endif 828 829 for (i = 0; i < context->name_count; i++) { 830 if (context->names[i].name && context->names[i].name_put) 831 __putname(context->names[i].name); 832 } 833 context->name_count = 0; 834 path_put(&context->pwd); 835 context->pwd.dentry = NULL; 836 context->pwd.mnt = NULL; 837 } 838 839 static inline void audit_free_aux(struct audit_context *context) 840 { 841 struct audit_aux_data *aux; 842 843 while ((aux = context->aux)) { 844 context->aux = aux->next; 845 kfree(aux); 846 } 847 while ((aux = context->aux_pids)) { 848 context->aux_pids = aux->next; 849 kfree(aux); 850 } 851 } 852 853 static inline void audit_zero_context(struct audit_context *context, 854 enum audit_state state) 855 { 856 memset(context, 0, sizeof(*context)); 857 context->state = state; 858 } 859 860 static inline struct audit_context *audit_alloc_context(enum audit_state state) 861 { 862 struct audit_context *context; 863 864 if (!(context = kmalloc(sizeof(*context), GFP_KERNEL))) 865 return NULL; 866 audit_zero_context(context, state); 867 return context; 868 } 869 870 /** 871 * audit_alloc - allocate an audit context block for a task 872 * @tsk: task 873 * 874 * Filter on the task information and allocate a per-task audit context 875 * if necessary. Doing so turns on system call auditing for the 876 * specified task. This is called from copy_process, so no lock is 877 * needed. 878 */ 879 int audit_alloc(struct task_struct *tsk) 880 { 881 struct audit_context *context; 882 enum audit_state state; 883 884 if (likely(!audit_ever_enabled)) 885 return 0; /* Return if not auditing. */ 886 887 state = audit_filter_task(tsk); 888 if (likely(state == AUDIT_DISABLED)) 889 return 0; 890 891 if (!(context = audit_alloc_context(state))) { 892 audit_log_lost("out of memory in audit_alloc"); 893 return -ENOMEM; 894 } 895 896 tsk->audit_context = context; 897 set_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT); 898 return 0; 899 } 900 901 static inline void audit_free_context(struct audit_context *context) 902 { 903 struct audit_context *previous; 904 int count = 0; 905 906 do { 907 previous = context->previous; 908 if (previous || (count && count < 10)) { 909 ++count; 910 printk(KERN_ERR "audit(:%d): major=%d name_count=%d:" 911 " freeing multiple contexts (%d)\n", 912 context->serial, context->major, 913 context->name_count, count); 914 } 915 audit_free_names(context); 916 unroll_tree_refs(context, NULL, 0); 917 free_tree_refs(context); 918 audit_free_aux(context); 919 kfree(context->filterkey); 920 kfree(context); 921 context = previous; 922 } while (context); 923 if (count >= 10) 924 printk(KERN_ERR "audit: freed %d contexts\n", count); 925 } 926 927 void audit_log_task_context(struct audit_buffer *ab) 928 { 929 char *ctx = NULL; 930 unsigned len; 931 int error; 932 u32 sid; 933 934 security_task_getsecid(current, &sid); 935 if (!sid) 936 return; 937 938 error = security_secid_to_secctx(sid, &ctx, &len); 939 if (error) { 940 if (error != -EINVAL) 941 goto error_path; 942 return; 943 } 944 945 audit_log_format(ab, " subj=%s", ctx); 946 security_release_secctx(ctx, len); 947 return; 948 949 error_path: 950 audit_panic("error in audit_log_task_context"); 951 return; 952 } 953 954 EXPORT_SYMBOL(audit_log_task_context); 955 956 static void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk) 957 { 958 char name[sizeof(tsk->comm)]; 959 struct mm_struct *mm = tsk->mm; 960 struct vm_area_struct *vma; 961 962 /* tsk == current */ 963 964 get_task_comm(name, tsk); 965 audit_log_format(ab, " comm="); 966 audit_log_untrustedstring(ab, name); 967 968 if (mm) { 969 down_read(&mm->mmap_sem); 970 vma = mm->mmap; 971 while (vma) { 972 if ((vma->vm_flags & VM_EXECUTABLE) && 973 vma->vm_file) { 974 audit_log_d_path(ab, "exe=", 975 &vma->vm_file->f_path); 976 break; 977 } 978 vma = vma->vm_next; 979 } 980 up_read(&mm->mmap_sem); 981 } 982 audit_log_task_context(ab); 983 } 984 985 static int audit_log_pid_context(struct audit_context *context, pid_t pid, 986 uid_t auid, uid_t uid, unsigned int sessionid, 987 u32 sid, char *comm) 988 { 989 struct audit_buffer *ab; 990 char *ctx = NULL; 991 u32 len; 992 int rc = 0; 993 994 ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID); 995 if (!ab) 996 return rc; 997 998 audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid, auid, 999 uid, sessionid); 1000 if (security_secid_to_secctx(sid, &ctx, &len)) { 1001 audit_log_format(ab, " obj=(none)"); 1002 rc = 1; 1003 } else { 1004 audit_log_format(ab, " obj=%s", ctx); 1005 security_release_secctx(ctx, len); 1006 } 1007 audit_log_format(ab, " ocomm="); 1008 audit_log_untrustedstring(ab, comm); 1009 audit_log_end(ab); 1010 1011 return rc; 1012 } 1013 1014 /* 1015 * to_send and len_sent accounting are very loose estimates. We aren't 1016 * really worried about a hard cap to MAX_EXECVE_AUDIT_LEN so much as being 1017 * within about 500 bytes (next page boundry) 1018 * 1019 * why snprintf? an int is up to 12 digits long. if we just assumed when 1020 * logging that a[%d]= was going to be 16 characters long we would be wasting 1021 * space in every audit message. In one 7500 byte message we can log up to 1022 * about 1000 min size arguments. That comes down to about 50% waste of space 1023 * if we didn't do the snprintf to find out how long arg_num_len was. 1024 */ 1025 static int audit_log_single_execve_arg(struct audit_context *context, 1026 struct audit_buffer **ab, 1027 int arg_num, 1028 size_t *len_sent, 1029 const char __user *p, 1030 char *buf) 1031 { 1032 char arg_num_len_buf[12]; 1033 const char __user *tmp_p = p; 1034 /* how many digits are in arg_num? 3 is the length of a=\n */ 1035 size_t arg_num_len = snprintf(arg_num_len_buf, 12, "%d", arg_num) + 3; 1036 size_t len, len_left, to_send; 1037 size_t max_execve_audit_len = MAX_EXECVE_AUDIT_LEN; 1038 unsigned int i, has_cntl = 0, too_long = 0; 1039 int ret; 1040 1041 /* strnlen_user includes the null we don't want to send */ 1042 len_left = len = strnlen_user(p, MAX_ARG_STRLEN) - 1; 1043 1044 /* 1045 * We just created this mm, if we can't find the strings 1046 * we just copied into it something is _very_ wrong. Similar 1047 * for strings that are too long, we should not have created 1048 * any. 1049 */ 1050 if (unlikely((len == -1) || len > MAX_ARG_STRLEN - 1)) { 1051 WARN_ON(1); 1052 send_sig(SIGKILL, current, 0); 1053 return -1; 1054 } 1055 1056 /* walk the whole argument looking for non-ascii chars */ 1057 do { 1058 if (len_left > MAX_EXECVE_AUDIT_LEN) 1059 to_send = MAX_EXECVE_AUDIT_LEN; 1060 else 1061 to_send = len_left; 1062 ret = copy_from_user(buf, tmp_p, to_send); 1063 /* 1064 * There is no reason for this copy to be short. We just 1065 * copied them here, and the mm hasn't been exposed to user- 1066 * space yet. 1067 */ 1068 if (ret) { 1069 WARN_ON(1); 1070 send_sig(SIGKILL, current, 0); 1071 return -1; 1072 } 1073 buf[to_send] = '\0'; 1074 has_cntl = audit_string_contains_control(buf, to_send); 1075 if (has_cntl) { 1076 /* 1077 * hex messages get logged as 2 bytes, so we can only 1078 * send half as much in each message 1079 */ 1080 max_execve_audit_len = MAX_EXECVE_AUDIT_LEN / 2; 1081 break; 1082 } 1083 len_left -= to_send; 1084 tmp_p += to_send; 1085 } while (len_left > 0); 1086 1087 len_left = len; 1088 1089 if (len > max_execve_audit_len) 1090 too_long = 1; 1091 1092 /* rewalk the argument actually logging the message */ 1093 for (i = 0; len_left > 0; i++) { 1094 int room_left; 1095 1096 if (len_left > max_execve_audit_len) 1097 to_send = max_execve_audit_len; 1098 else 1099 to_send = len_left; 1100 1101 /* do we have space left to send this argument in this ab? */ 1102 room_left = MAX_EXECVE_AUDIT_LEN - arg_num_len - *len_sent; 1103 if (has_cntl) 1104 room_left -= (to_send * 2); 1105 else 1106 room_left -= to_send; 1107 if (room_left < 0) { 1108 *len_sent = 0; 1109 audit_log_end(*ab); 1110 *ab = audit_log_start(context, GFP_KERNEL, AUDIT_EXECVE); 1111 if (!*ab) 1112 return 0; 1113 } 1114 1115 /* 1116 * first record needs to say how long the original string was 1117 * so we can be sure nothing was lost. 1118 */ 1119 if ((i == 0) && (too_long)) 1120 audit_log_format(*ab, "a%d_len=%zu ", arg_num, 1121 has_cntl ? 2*len : len); 1122 1123 /* 1124 * normally arguments are small enough to fit and we already 1125 * filled buf above when we checked for control characters 1126 * so don't bother with another copy_from_user 1127 */ 1128 if (len >= max_execve_audit_len) 1129 ret = copy_from_user(buf, p, to_send); 1130 else 1131 ret = 0; 1132 if (ret) { 1133 WARN_ON(1); 1134 send_sig(SIGKILL, current, 0); 1135 return -1; 1136 } 1137 buf[to_send] = '\0'; 1138 1139 /* actually log it */ 1140 audit_log_format(*ab, "a%d", arg_num); 1141 if (too_long) 1142 audit_log_format(*ab, "[%d]", i); 1143 audit_log_format(*ab, "="); 1144 if (has_cntl) 1145 audit_log_n_hex(*ab, buf, to_send); 1146 else 1147 audit_log_format(*ab, "\"%s\"", buf); 1148 audit_log_format(*ab, "\n"); 1149 1150 p += to_send; 1151 len_left -= to_send; 1152 *len_sent += arg_num_len; 1153 if (has_cntl) 1154 *len_sent += to_send * 2; 1155 else 1156 *len_sent += to_send; 1157 } 1158 /* include the null we didn't log */ 1159 return len + 1; 1160 } 1161 1162 static void audit_log_execve_info(struct audit_context *context, 1163 struct audit_buffer **ab, 1164 struct audit_aux_data_execve *axi) 1165 { 1166 int i; 1167 size_t len, len_sent = 0; 1168 const char __user *p; 1169 char *buf; 1170 1171 if (axi->mm != current->mm) 1172 return; /* execve failed, no additional info */ 1173 1174 p = (const char __user *)axi->mm->arg_start; 1175 1176 audit_log_format(*ab, "argc=%d ", axi->argc); 1177 1178 /* 1179 * we need some kernel buffer to hold the userspace args. Just 1180 * allocate one big one rather than allocating one of the right size 1181 * for every single argument inside audit_log_single_execve_arg() 1182 * should be <8k allocation so should be pretty safe. 1183 */ 1184 buf = kmalloc(MAX_EXECVE_AUDIT_LEN + 1, GFP_KERNEL); 1185 if (!buf) { 1186 audit_panic("out of memory for argv string\n"); 1187 return; 1188 } 1189 1190 for (i = 0; i < axi->argc; i++) { 1191 len = audit_log_single_execve_arg(context, ab, i, 1192 &len_sent, p, buf); 1193 if (len <= 0) 1194 break; 1195 p += len; 1196 } 1197 kfree(buf); 1198 } 1199 1200 static void audit_log_cap(struct audit_buffer *ab, char *prefix, kernel_cap_t *cap) 1201 { 1202 int i; 1203 1204 audit_log_format(ab, " %s=", prefix); 1205 CAP_FOR_EACH_U32(i) { 1206 audit_log_format(ab, "%08x", cap->cap[(_KERNEL_CAPABILITY_U32S-1) - i]); 1207 } 1208 } 1209 1210 static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name) 1211 { 1212 kernel_cap_t *perm = &name->fcap.permitted; 1213 kernel_cap_t *inh = &name->fcap.inheritable; 1214 int log = 0; 1215 1216 if (!cap_isclear(*perm)) { 1217 audit_log_cap(ab, "cap_fp", perm); 1218 log = 1; 1219 } 1220 if (!cap_isclear(*inh)) { 1221 audit_log_cap(ab, "cap_fi", inh); 1222 log = 1; 1223 } 1224 1225 if (log) 1226 audit_log_format(ab, " cap_fe=%d cap_fver=%x", name->fcap.fE, name->fcap_ver); 1227 } 1228 1229 static void audit_log_exit(struct audit_context *context, struct task_struct *tsk) 1230 { 1231 int i, call_panic = 0; 1232 struct audit_buffer *ab; 1233 struct audit_aux_data *aux; 1234 const char *tty; 1235 1236 /* tsk == current */ 1237 context->pid = tsk->pid; 1238 if (!context->ppid) 1239 context->ppid = sys_getppid(); 1240 context->uid = tsk->uid; 1241 context->gid = tsk->gid; 1242 context->euid = tsk->euid; 1243 context->suid = tsk->suid; 1244 context->fsuid = tsk->fsuid; 1245 context->egid = tsk->egid; 1246 context->sgid = tsk->sgid; 1247 context->fsgid = tsk->fsgid; 1248 context->personality = tsk->personality; 1249 1250 ab = audit_log_start(context, GFP_KERNEL, AUDIT_SYSCALL); 1251 if (!ab) 1252 return; /* audit_panic has been called */ 1253 audit_log_format(ab, "arch=%x syscall=%d", 1254 context->arch, context->major); 1255 if (context->personality != PER_LINUX) 1256 audit_log_format(ab, " per=%lx", context->personality); 1257 if (context->return_valid) 1258 audit_log_format(ab, " success=%s exit=%ld", 1259 (context->return_valid==AUDITSC_SUCCESS)?"yes":"no", 1260 context->return_code); 1261 1262 spin_lock_irq(&tsk->sighand->siglock); 1263 if (tsk->signal && tsk->signal->tty && tsk->signal->tty->name) 1264 tty = tsk->signal->tty->name; 1265 else 1266 tty = "(none)"; 1267 spin_unlock_irq(&tsk->sighand->siglock); 1268 1269 audit_log_format(ab, 1270 " a0=%lx a1=%lx a2=%lx a3=%lx items=%d" 1271 " ppid=%d pid=%d auid=%u uid=%u gid=%u" 1272 " euid=%u suid=%u fsuid=%u" 1273 " egid=%u sgid=%u fsgid=%u tty=%s ses=%u", 1274 context->argv[0], 1275 context->argv[1], 1276 context->argv[2], 1277 context->argv[3], 1278 context->name_count, 1279 context->ppid, 1280 context->pid, 1281 tsk->loginuid, 1282 context->uid, 1283 context->gid, 1284 context->euid, context->suid, context->fsuid, 1285 context->egid, context->sgid, context->fsgid, tty, 1286 tsk->sessionid); 1287 1288 1289 audit_log_task_info(ab, tsk); 1290 if (context->filterkey) { 1291 audit_log_format(ab, " key="); 1292 audit_log_untrustedstring(ab, context->filterkey); 1293 } else 1294 audit_log_format(ab, " key=(null)"); 1295 audit_log_end(ab); 1296 1297 for (aux = context->aux; aux; aux = aux->next) { 1298 1299 ab = audit_log_start(context, GFP_KERNEL, aux->type); 1300 if (!ab) 1301 continue; /* audit_panic has been called */ 1302 1303 switch (aux->type) { 1304 case AUDIT_MQ_OPEN: { 1305 struct audit_aux_data_mq_open *axi = (void *)aux; 1306 audit_log_format(ab, 1307 "oflag=0x%x mode=%#o mq_flags=0x%lx mq_maxmsg=%ld " 1308 "mq_msgsize=%ld mq_curmsgs=%ld", 1309 axi->oflag, axi->mode, axi->attr.mq_flags, 1310 axi->attr.mq_maxmsg, axi->attr.mq_msgsize, 1311 axi->attr.mq_curmsgs); 1312 break; } 1313 1314 case AUDIT_MQ_SENDRECV: { 1315 struct audit_aux_data_mq_sendrecv *axi = (void *)aux; 1316 audit_log_format(ab, 1317 "mqdes=%d msg_len=%zd msg_prio=%u " 1318 "abs_timeout_sec=%ld abs_timeout_nsec=%ld", 1319 axi->mqdes, axi->msg_len, axi->msg_prio, 1320 axi->abs_timeout.tv_sec, axi->abs_timeout.tv_nsec); 1321 break; } 1322 1323 case AUDIT_MQ_NOTIFY: { 1324 struct audit_aux_data_mq_notify *axi = (void *)aux; 1325 audit_log_format(ab, 1326 "mqdes=%d sigev_signo=%d", 1327 axi->mqdes, 1328 axi->notification.sigev_signo); 1329 break; } 1330 1331 case AUDIT_MQ_GETSETATTR: { 1332 struct audit_aux_data_mq_getsetattr *axi = (void *)aux; 1333 audit_log_format(ab, 1334 "mqdes=%d mq_flags=0x%lx mq_maxmsg=%ld mq_msgsize=%ld " 1335 "mq_curmsgs=%ld ", 1336 axi->mqdes, 1337 axi->mqstat.mq_flags, axi->mqstat.mq_maxmsg, 1338 axi->mqstat.mq_msgsize, axi->mqstat.mq_curmsgs); 1339 break; } 1340 1341 case AUDIT_IPC: { 1342 struct audit_aux_data_ipcctl *axi = (void *)aux; 1343 audit_log_format(ab, 1344 "ouid=%u ogid=%u mode=%#o", 1345 axi->uid, axi->gid, axi->mode); 1346 if (axi->osid != 0) { 1347 char *ctx = NULL; 1348 u32 len; 1349 if (security_secid_to_secctx( 1350 axi->osid, &ctx, &len)) { 1351 audit_log_format(ab, " osid=%u", 1352 axi->osid); 1353 call_panic = 1; 1354 } else { 1355 audit_log_format(ab, " obj=%s", ctx); 1356 security_release_secctx(ctx, len); 1357 } 1358 } 1359 break; } 1360 1361 case AUDIT_IPC_SET_PERM: { 1362 struct audit_aux_data_ipcctl *axi = (void *)aux; 1363 audit_log_format(ab, 1364 "qbytes=%lx ouid=%u ogid=%u mode=%#o", 1365 axi->qbytes, axi->uid, axi->gid, axi->mode); 1366 break; } 1367 1368 case AUDIT_EXECVE: { 1369 struct audit_aux_data_execve *axi = (void *)aux; 1370 audit_log_execve_info(context, &ab, axi); 1371 break; } 1372 1373 case AUDIT_SOCKETCALL: { 1374 struct audit_aux_data_socketcall *axs = (void *)aux; 1375 audit_log_format(ab, "nargs=%d", axs->nargs); 1376 for (i=0; i<axs->nargs; i++) 1377 audit_log_format(ab, " a%d=%lx", i, axs->args[i]); 1378 break; } 1379 1380 case AUDIT_SOCKADDR: { 1381 struct audit_aux_data_sockaddr *axs = (void *)aux; 1382 1383 audit_log_format(ab, "saddr="); 1384 audit_log_n_hex(ab, axs->a, axs->len); 1385 break; } 1386 1387 case AUDIT_FD_PAIR: { 1388 struct audit_aux_data_fd_pair *axs = (void *)aux; 1389 audit_log_format(ab, "fd0=%d fd1=%d", axs->fd[0], axs->fd[1]); 1390 break; } 1391 1392 case AUDIT_BPRM_FCAPS: { 1393 struct audit_aux_data_bprm_fcaps *axs = (void *)aux; 1394 audit_log_format(ab, "fver=%x", axs->fcap_ver); 1395 audit_log_cap(ab, "fp", &axs->fcap.permitted); 1396 audit_log_cap(ab, "fi", &axs->fcap.inheritable); 1397 audit_log_format(ab, " fe=%d", axs->fcap.fE); 1398 audit_log_cap(ab, "old_pp", &axs->old_pcap.permitted); 1399 audit_log_cap(ab, "old_pi", &axs->old_pcap.inheritable); 1400 audit_log_cap(ab, "old_pe", &axs->old_pcap.effective); 1401 audit_log_cap(ab, "new_pp", &axs->new_pcap.permitted); 1402 audit_log_cap(ab, "new_pi", &axs->new_pcap.inheritable); 1403 audit_log_cap(ab, "new_pe", &axs->new_pcap.effective); 1404 break; } 1405 1406 case AUDIT_CAPSET: { 1407 struct audit_aux_data_capset *axs = (void *)aux; 1408 audit_log_format(ab, "pid=%d", axs->pid); 1409 audit_log_cap(ab, "cap_pi", &axs->cap.inheritable); 1410 audit_log_cap(ab, "cap_pp", &axs->cap.permitted); 1411 audit_log_cap(ab, "cap_pe", &axs->cap.effective); 1412 break; } 1413 1414 } 1415 audit_log_end(ab); 1416 } 1417 1418 for (aux = context->aux_pids; aux; aux = aux->next) { 1419 struct audit_aux_data_pids *axs = (void *)aux; 1420 1421 for (i = 0; i < axs->pid_count; i++) 1422 if (audit_log_pid_context(context, axs->target_pid[i], 1423 axs->target_auid[i], 1424 axs->target_uid[i], 1425 axs->target_sessionid[i], 1426 axs->target_sid[i], 1427 axs->target_comm[i])) 1428 call_panic = 1; 1429 } 1430 1431 if (context->target_pid && 1432 audit_log_pid_context(context, context->target_pid, 1433 context->target_auid, context->target_uid, 1434 context->target_sessionid, 1435 context->target_sid, context->target_comm)) 1436 call_panic = 1; 1437 1438 if (context->pwd.dentry && context->pwd.mnt) { 1439 ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD); 1440 if (ab) { 1441 audit_log_d_path(ab, "cwd=", &context->pwd); 1442 audit_log_end(ab); 1443 } 1444 } 1445 for (i = 0; i < context->name_count; i++) { 1446 struct audit_names *n = &context->names[i]; 1447 1448 ab = audit_log_start(context, GFP_KERNEL, AUDIT_PATH); 1449 if (!ab) 1450 continue; /* audit_panic has been called */ 1451 1452 audit_log_format(ab, "item=%d", i); 1453 1454 if (n->name) { 1455 switch(n->name_len) { 1456 case AUDIT_NAME_FULL: 1457 /* log the full path */ 1458 audit_log_format(ab, " name="); 1459 audit_log_untrustedstring(ab, n->name); 1460 break; 1461 case 0: 1462 /* name was specified as a relative path and the 1463 * directory component is the cwd */ 1464 audit_log_d_path(ab, " name=", &context->pwd); 1465 break; 1466 default: 1467 /* log the name's directory component */ 1468 audit_log_format(ab, " name="); 1469 audit_log_n_untrustedstring(ab, n->name, 1470 n->name_len); 1471 } 1472 } else 1473 audit_log_format(ab, " name=(null)"); 1474 1475 if (n->ino != (unsigned long)-1) { 1476 audit_log_format(ab, " inode=%lu" 1477 " dev=%02x:%02x mode=%#o" 1478 " ouid=%u ogid=%u rdev=%02x:%02x", 1479 n->ino, 1480 MAJOR(n->dev), 1481 MINOR(n->dev), 1482 n->mode, 1483 n->uid, 1484 n->gid, 1485 MAJOR(n->rdev), 1486 MINOR(n->rdev)); 1487 } 1488 if (n->osid != 0) { 1489 char *ctx = NULL; 1490 u32 len; 1491 if (security_secid_to_secctx( 1492 n->osid, &ctx, &len)) { 1493 audit_log_format(ab, " osid=%u", n->osid); 1494 call_panic = 2; 1495 } else { 1496 audit_log_format(ab, " obj=%s", ctx); 1497 security_release_secctx(ctx, len); 1498 } 1499 } 1500 1501 audit_log_fcaps(ab, n); 1502 1503 audit_log_end(ab); 1504 } 1505 1506 /* Send end of event record to help user space know we are finished */ 1507 ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE); 1508 if (ab) 1509 audit_log_end(ab); 1510 if (call_panic) 1511 audit_panic("error converting sid to string"); 1512 } 1513 1514 /** 1515 * audit_free - free a per-task audit context 1516 * @tsk: task whose audit context block to free 1517 * 1518 * Called from copy_process and do_exit 1519 */ 1520 void audit_free(struct task_struct *tsk) 1521 { 1522 struct audit_context *context; 1523 1524 context = audit_get_context(tsk, 0, 0); 1525 if (likely(!context)) 1526 return; 1527 1528 /* Check for system calls that do not go through the exit 1529 * function (e.g., exit_group), then free context block. 1530 * We use GFP_ATOMIC here because we might be doing this 1531 * in the context of the idle thread */ 1532 /* that can happen only if we are called from do_exit() */ 1533 if (context->in_syscall && context->auditable) 1534 audit_log_exit(context, tsk); 1535 1536 audit_free_context(context); 1537 } 1538 1539 /** 1540 * audit_syscall_entry - fill in an audit record at syscall entry 1541 * @tsk: task being audited 1542 * @arch: architecture type 1543 * @major: major syscall type (function) 1544 * @a1: additional syscall register 1 1545 * @a2: additional syscall register 2 1546 * @a3: additional syscall register 3 1547 * @a4: additional syscall register 4 1548 * 1549 * Fill in audit context at syscall entry. This only happens if the 1550 * audit context was created when the task was created and the state or 1551 * filters demand the audit context be built. If the state from the 1552 * per-task filter or from the per-syscall filter is AUDIT_RECORD_CONTEXT, 1553 * then the record will be written at syscall exit time (otherwise, it 1554 * will only be written if another part of the kernel requests that it 1555 * be written). 1556 */ 1557 void audit_syscall_entry(int arch, int major, 1558 unsigned long a1, unsigned long a2, 1559 unsigned long a3, unsigned long a4) 1560 { 1561 struct task_struct *tsk = current; 1562 struct audit_context *context = tsk->audit_context; 1563 enum audit_state state; 1564 1565 if (unlikely(!context)) 1566 return; 1567 1568 /* 1569 * This happens only on certain architectures that make system 1570 * calls in kernel_thread via the entry.S interface, instead of 1571 * with direct calls. (If you are porting to a new 1572 * architecture, hitting this condition can indicate that you 1573 * got the _exit/_leave calls backward in entry.S.) 1574 * 1575 * i386 no 1576 * x86_64 no 1577 * ppc64 yes (see arch/powerpc/platforms/iseries/misc.S) 1578 * 1579 * This also happens with vm86 emulation in a non-nested manner 1580 * (entries without exits), so this case must be caught. 1581 */ 1582 if (context->in_syscall) { 1583 struct audit_context *newctx; 1584 1585 #if AUDIT_DEBUG 1586 printk(KERN_ERR 1587 "audit(:%d) pid=%d in syscall=%d;" 1588 " entering syscall=%d\n", 1589 context->serial, tsk->pid, context->major, major); 1590 #endif 1591 newctx = audit_alloc_context(context->state); 1592 if (newctx) { 1593 newctx->previous = context; 1594 context = newctx; 1595 tsk->audit_context = newctx; 1596 } else { 1597 /* If we can't alloc a new context, the best we 1598 * can do is to leak memory (any pending putname 1599 * will be lost). The only other alternative is 1600 * to abandon auditing. */ 1601 audit_zero_context(context, context->state); 1602 } 1603 } 1604 BUG_ON(context->in_syscall || context->name_count); 1605 1606 if (!audit_enabled) 1607 return; 1608 1609 context->arch = arch; 1610 context->major = major; 1611 context->argv[0] = a1; 1612 context->argv[1] = a2; 1613 context->argv[2] = a3; 1614 context->argv[3] = a4; 1615 1616 state = context->state; 1617 context->dummy = !audit_n_rules; 1618 if (!context->dummy && (state == AUDIT_SETUP_CONTEXT || state == AUDIT_BUILD_CONTEXT)) 1619 state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_ENTRY]); 1620 if (likely(state == AUDIT_DISABLED)) 1621 return; 1622 1623 context->serial = 0; 1624 context->ctime = CURRENT_TIME; 1625 context->in_syscall = 1; 1626 context->auditable = !!(state == AUDIT_RECORD_CONTEXT); 1627 context->ppid = 0; 1628 } 1629 1630 /** 1631 * audit_syscall_exit - deallocate audit context after a system call 1632 * @tsk: task being audited 1633 * @valid: success/failure flag 1634 * @return_code: syscall return value 1635 * 1636 * Tear down after system call. If the audit context has been marked as 1637 * auditable (either because of the AUDIT_RECORD_CONTEXT state from 1638 * filtering, or because some other part of the kernel write an audit 1639 * message), then write out the syscall information. In call cases, 1640 * free the names stored from getname(). 1641 */ 1642 void audit_syscall_exit(int valid, long return_code) 1643 { 1644 struct task_struct *tsk = current; 1645 struct audit_context *context; 1646 1647 context = audit_get_context(tsk, valid, return_code); 1648 1649 if (likely(!context)) 1650 return; 1651 1652 if (context->in_syscall && context->auditable) 1653 audit_log_exit(context, tsk); 1654 1655 context->in_syscall = 0; 1656 context->auditable = 0; 1657 1658 if (context->previous) { 1659 struct audit_context *new_context = context->previous; 1660 context->previous = NULL; 1661 audit_free_context(context); 1662 tsk->audit_context = new_context; 1663 } else { 1664 audit_free_names(context); 1665 unroll_tree_refs(context, NULL, 0); 1666 audit_free_aux(context); 1667 context->aux = NULL; 1668 context->aux_pids = NULL; 1669 context->target_pid = 0; 1670 context->target_sid = 0; 1671 kfree(context->filterkey); 1672 context->filterkey = NULL; 1673 tsk->audit_context = context; 1674 } 1675 } 1676 1677 static inline void handle_one(const struct inode *inode) 1678 { 1679 #ifdef CONFIG_AUDIT_TREE 1680 struct audit_context *context; 1681 struct audit_tree_refs *p; 1682 struct audit_chunk *chunk; 1683 int count; 1684 if (likely(list_empty(&inode->inotify_watches))) 1685 return; 1686 context = current->audit_context; 1687 p = context->trees; 1688 count = context->tree_count; 1689 rcu_read_lock(); 1690 chunk = audit_tree_lookup(inode); 1691 rcu_read_unlock(); 1692 if (!chunk) 1693 return; 1694 if (likely(put_tree_ref(context, chunk))) 1695 return; 1696 if (unlikely(!grow_tree_refs(context))) { 1697 printk(KERN_WARNING "out of memory, audit has lost a tree reference\n"); 1698 audit_set_auditable(context); 1699 audit_put_chunk(chunk); 1700 unroll_tree_refs(context, p, count); 1701 return; 1702 } 1703 put_tree_ref(context, chunk); 1704 #endif 1705 } 1706 1707 static void handle_path(const struct dentry *dentry) 1708 { 1709 #ifdef CONFIG_AUDIT_TREE 1710 struct audit_context *context; 1711 struct audit_tree_refs *p; 1712 const struct dentry *d, *parent; 1713 struct audit_chunk *drop; 1714 unsigned long seq; 1715 int count; 1716 1717 context = current->audit_context; 1718 p = context->trees; 1719 count = context->tree_count; 1720 retry: 1721 drop = NULL; 1722 d = dentry; 1723 rcu_read_lock(); 1724 seq = read_seqbegin(&rename_lock); 1725 for(;;) { 1726 struct inode *inode = d->d_inode; 1727 if (inode && unlikely(!list_empty(&inode->inotify_watches))) { 1728 struct audit_chunk *chunk; 1729 chunk = audit_tree_lookup(inode); 1730 if (chunk) { 1731 if (unlikely(!put_tree_ref(context, chunk))) { 1732 drop = chunk; 1733 break; 1734 } 1735 } 1736 } 1737 parent = d->d_parent; 1738 if (parent == d) 1739 break; 1740 d = parent; 1741 } 1742 if (unlikely(read_seqretry(&rename_lock, seq) || drop)) { /* in this order */ 1743 rcu_read_unlock(); 1744 if (!drop) { 1745 /* just a race with rename */ 1746 unroll_tree_refs(context, p, count); 1747 goto retry; 1748 } 1749 audit_put_chunk(drop); 1750 if (grow_tree_refs(context)) { 1751 /* OK, got more space */ 1752 unroll_tree_refs(context, p, count); 1753 goto retry; 1754 } 1755 /* too bad */ 1756 printk(KERN_WARNING 1757 "out of memory, audit has lost a tree reference\n"); 1758 unroll_tree_refs(context, p, count); 1759 audit_set_auditable(context); 1760 return; 1761 } 1762 rcu_read_unlock(); 1763 #endif 1764 } 1765 1766 /** 1767 * audit_getname - add a name to the list 1768 * @name: name to add 1769 * 1770 * Add a name to the list of audit names for this context. 1771 * Called from fs/namei.c:getname(). 1772 */ 1773 void __audit_getname(const char *name) 1774 { 1775 struct audit_context *context = current->audit_context; 1776 1777 if (IS_ERR(name) || !name) 1778 return; 1779 1780 if (!context->in_syscall) { 1781 #if AUDIT_DEBUG == 2 1782 printk(KERN_ERR "%s:%d(:%d): ignoring getname(%p)\n", 1783 __FILE__, __LINE__, context->serial, name); 1784 dump_stack(); 1785 #endif 1786 return; 1787 } 1788 BUG_ON(context->name_count >= AUDIT_NAMES); 1789 context->names[context->name_count].name = name; 1790 context->names[context->name_count].name_len = AUDIT_NAME_FULL; 1791 context->names[context->name_count].name_put = 1; 1792 context->names[context->name_count].ino = (unsigned long)-1; 1793 context->names[context->name_count].osid = 0; 1794 ++context->name_count; 1795 if (!context->pwd.dentry) { 1796 read_lock(¤t->fs->lock); 1797 context->pwd = current->fs->pwd; 1798 path_get(¤t->fs->pwd); 1799 read_unlock(¤t->fs->lock); 1800 } 1801 1802 } 1803 1804 /* audit_putname - intercept a putname request 1805 * @name: name to intercept and delay for putname 1806 * 1807 * If we have stored the name from getname in the audit context, 1808 * then we delay the putname until syscall exit. 1809 * Called from include/linux/fs.h:putname(). 1810 */ 1811 void audit_putname(const char *name) 1812 { 1813 struct audit_context *context = current->audit_context; 1814 1815 BUG_ON(!context); 1816 if (!context->in_syscall) { 1817 #if AUDIT_DEBUG == 2 1818 printk(KERN_ERR "%s:%d(:%d): __putname(%p)\n", 1819 __FILE__, __LINE__, context->serial, name); 1820 if (context->name_count) { 1821 int i; 1822 for (i = 0; i < context->name_count; i++) 1823 printk(KERN_ERR "name[%d] = %p = %s\n", i, 1824 context->names[i].name, 1825 context->names[i].name ?: "(null)"); 1826 } 1827 #endif 1828 __putname(name); 1829 } 1830 #if AUDIT_DEBUG 1831 else { 1832 ++context->put_count; 1833 if (context->put_count > context->name_count) { 1834 printk(KERN_ERR "%s:%d(:%d): major=%d" 1835 " in_syscall=%d putname(%p) name_count=%d" 1836 " put_count=%d\n", 1837 __FILE__, __LINE__, 1838 context->serial, context->major, 1839 context->in_syscall, name, context->name_count, 1840 context->put_count); 1841 dump_stack(); 1842 } 1843 } 1844 #endif 1845 } 1846 1847 static int audit_inc_name_count(struct audit_context *context, 1848 const struct inode *inode) 1849 { 1850 if (context->name_count >= AUDIT_NAMES) { 1851 if (inode) 1852 printk(KERN_DEBUG "name_count maxed, losing inode data: " 1853 "dev=%02x:%02x, inode=%lu\n", 1854 MAJOR(inode->i_sb->s_dev), 1855 MINOR(inode->i_sb->s_dev), 1856 inode->i_ino); 1857 1858 else 1859 printk(KERN_DEBUG "name_count maxed, losing inode data\n"); 1860 return 1; 1861 } 1862 context->name_count++; 1863 #if AUDIT_DEBUG 1864 context->ino_count++; 1865 #endif 1866 return 0; 1867 } 1868 1869 1870 static inline int audit_copy_fcaps(struct audit_names *name, const struct dentry *dentry) 1871 { 1872 struct cpu_vfs_cap_data caps; 1873 int rc; 1874 1875 memset(&name->fcap.permitted, 0, sizeof(kernel_cap_t)); 1876 memset(&name->fcap.inheritable, 0, sizeof(kernel_cap_t)); 1877 name->fcap.fE = 0; 1878 name->fcap_ver = 0; 1879 1880 if (!dentry) 1881 return 0; 1882 1883 rc = get_vfs_caps_from_disk(dentry, &caps); 1884 if (rc) 1885 return rc; 1886 1887 name->fcap.permitted = caps.permitted; 1888 name->fcap.inheritable = caps.inheritable; 1889 name->fcap.fE = !!(caps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE); 1890 name->fcap_ver = (caps.magic_etc & VFS_CAP_REVISION_MASK) >> VFS_CAP_REVISION_SHIFT; 1891 1892 return 0; 1893 } 1894 1895 1896 /* Copy inode data into an audit_names. */ 1897 static void audit_copy_inode(struct audit_names *name, const struct dentry *dentry, 1898 const struct inode *inode) 1899 { 1900 name->ino = inode->i_ino; 1901 name->dev = inode->i_sb->s_dev; 1902 name->mode = inode->i_mode; 1903 name->uid = inode->i_uid; 1904 name->gid = inode->i_gid; 1905 name->rdev = inode->i_rdev; 1906 security_inode_getsecid(inode, &name->osid); 1907 audit_copy_fcaps(name, dentry); 1908 } 1909 1910 /** 1911 * audit_inode - store the inode and device from a lookup 1912 * @name: name being audited 1913 * @dentry: dentry being audited 1914 * 1915 * Called from fs/namei.c:path_lookup(). 1916 */ 1917 void __audit_inode(const char *name, const struct dentry *dentry) 1918 { 1919 int idx; 1920 struct audit_context *context = current->audit_context; 1921 const struct inode *inode = dentry->d_inode; 1922 1923 if (!context->in_syscall) 1924 return; 1925 if (context->name_count 1926 && context->names[context->name_count-1].name 1927 && context->names[context->name_count-1].name == name) 1928 idx = context->name_count - 1; 1929 else if (context->name_count > 1 1930 && context->names[context->name_count-2].name 1931 && context->names[context->name_count-2].name == name) 1932 idx = context->name_count - 2; 1933 else { 1934 /* FIXME: how much do we care about inodes that have no 1935 * associated name? */ 1936 if (audit_inc_name_count(context, inode)) 1937 return; 1938 idx = context->name_count - 1; 1939 context->names[idx].name = NULL; 1940 } 1941 handle_path(dentry); 1942 audit_copy_inode(&context->names[idx], dentry, inode); 1943 } 1944 1945 /** 1946 * audit_inode_child - collect inode info for created/removed objects 1947 * @dname: inode's dentry name 1948 * @dentry: dentry being audited 1949 * @parent: inode of dentry parent 1950 * 1951 * For syscalls that create or remove filesystem objects, audit_inode 1952 * can only collect information for the filesystem object's parent. 1953 * This call updates the audit context with the child's information. 1954 * Syscalls that create a new filesystem object must be hooked after 1955 * the object is created. Syscalls that remove a filesystem object 1956 * must be hooked prior, in order to capture the target inode during 1957 * unsuccessful attempts. 1958 */ 1959 void __audit_inode_child(const char *dname, const struct dentry *dentry, 1960 const struct inode *parent) 1961 { 1962 int idx; 1963 struct audit_context *context = current->audit_context; 1964 const char *found_parent = NULL, *found_child = NULL; 1965 const struct inode *inode = dentry->d_inode; 1966 int dirlen = 0; 1967 1968 if (!context->in_syscall) 1969 return; 1970 1971 if (inode) 1972 handle_one(inode); 1973 /* determine matching parent */ 1974 if (!dname) 1975 goto add_names; 1976 1977 /* parent is more likely, look for it first */ 1978 for (idx = 0; idx < context->name_count; idx++) { 1979 struct audit_names *n = &context->names[idx]; 1980 1981 if (!n->name) 1982 continue; 1983 1984 if (n->ino == parent->i_ino && 1985 !audit_compare_dname_path(dname, n->name, &dirlen)) { 1986 n->name_len = dirlen; /* update parent data in place */ 1987 found_parent = n->name; 1988 goto add_names; 1989 } 1990 } 1991 1992 /* no matching parent, look for matching child */ 1993 for (idx = 0; idx < context->name_count; idx++) { 1994 struct audit_names *n = &context->names[idx]; 1995 1996 if (!n->name) 1997 continue; 1998 1999 /* strcmp() is the more likely scenario */ 2000 if (!strcmp(dname, n->name) || 2001 !audit_compare_dname_path(dname, n->name, &dirlen)) { 2002 if (inode) 2003 audit_copy_inode(n, NULL, inode); 2004 else 2005 n->ino = (unsigned long)-1; 2006 found_child = n->name; 2007 goto add_names; 2008 } 2009 } 2010 2011 add_names: 2012 if (!found_parent) { 2013 if (audit_inc_name_count(context, parent)) 2014 return; 2015 idx = context->name_count - 1; 2016 context->names[idx].name = NULL; 2017 audit_copy_inode(&context->names[idx], NULL, parent); 2018 } 2019 2020 if (!found_child) { 2021 if (audit_inc_name_count(context, inode)) 2022 return; 2023 idx = context->name_count - 1; 2024 2025 /* Re-use the name belonging to the slot for a matching parent 2026 * directory. All names for this context are relinquished in 2027 * audit_free_names() */ 2028 if (found_parent) { 2029 context->names[idx].name = found_parent; 2030 context->names[idx].name_len = AUDIT_NAME_FULL; 2031 /* don't call __putname() */ 2032 context->names[idx].name_put = 0; 2033 } else { 2034 context->names[idx].name = NULL; 2035 } 2036 2037 if (inode) 2038 audit_copy_inode(&context->names[idx], NULL, inode); 2039 else 2040 context->names[idx].ino = (unsigned long)-1; 2041 } 2042 } 2043 EXPORT_SYMBOL_GPL(__audit_inode_child); 2044 2045 /** 2046 * auditsc_get_stamp - get local copies of audit_context values 2047 * @ctx: audit_context for the task 2048 * @t: timespec to store time recorded in the audit_context 2049 * @serial: serial value that is recorded in the audit_context 2050 * 2051 * Also sets the context as auditable. 2052 */ 2053 void auditsc_get_stamp(struct audit_context *ctx, 2054 struct timespec *t, unsigned int *serial) 2055 { 2056 if (!ctx->serial) 2057 ctx->serial = audit_serial(); 2058 t->tv_sec = ctx->ctime.tv_sec; 2059 t->tv_nsec = ctx->ctime.tv_nsec; 2060 *serial = ctx->serial; 2061 ctx->auditable = 1; 2062 } 2063 2064 /* global counter which is incremented every time something logs in */ 2065 static atomic_t session_id = ATOMIC_INIT(0); 2066 2067 /** 2068 * audit_set_loginuid - set a task's audit_context loginuid 2069 * @task: task whose audit context is being modified 2070 * @loginuid: loginuid value 2071 * 2072 * Returns 0. 2073 * 2074 * Called (set) from fs/proc/base.c::proc_loginuid_write(). 2075 */ 2076 int audit_set_loginuid(struct task_struct *task, uid_t loginuid) 2077 { 2078 unsigned int sessionid = atomic_inc_return(&session_id); 2079 struct audit_context *context = task->audit_context; 2080 2081 if (context && context->in_syscall) { 2082 struct audit_buffer *ab; 2083 2084 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN); 2085 if (ab) { 2086 audit_log_format(ab, "login pid=%d uid=%u " 2087 "old auid=%u new auid=%u" 2088 " old ses=%u new ses=%u", 2089 task->pid, task->uid, 2090 task->loginuid, loginuid, 2091 task->sessionid, sessionid); 2092 audit_log_end(ab); 2093 } 2094 } 2095 task->sessionid = sessionid; 2096 task->loginuid = loginuid; 2097 return 0; 2098 } 2099 2100 /** 2101 * __audit_mq_open - record audit data for a POSIX MQ open 2102 * @oflag: open flag 2103 * @mode: mode bits 2104 * @u_attr: queue attributes 2105 * 2106 * Returns 0 for success or NULL context or < 0 on error. 2107 */ 2108 int __audit_mq_open(int oflag, mode_t mode, struct mq_attr __user *u_attr) 2109 { 2110 struct audit_aux_data_mq_open *ax; 2111 struct audit_context *context = current->audit_context; 2112 2113 if (!audit_enabled) 2114 return 0; 2115 2116 if (likely(!context)) 2117 return 0; 2118 2119 ax = kmalloc(sizeof(*ax), GFP_ATOMIC); 2120 if (!ax) 2121 return -ENOMEM; 2122 2123 if (u_attr != NULL) { 2124 if (copy_from_user(&ax->attr, u_attr, sizeof(ax->attr))) { 2125 kfree(ax); 2126 return -EFAULT; 2127 } 2128 } else 2129 memset(&ax->attr, 0, sizeof(ax->attr)); 2130 2131 ax->oflag = oflag; 2132 ax->mode = mode; 2133 2134 ax->d.type = AUDIT_MQ_OPEN; 2135 ax->d.next = context->aux; 2136 context->aux = (void *)ax; 2137 return 0; 2138 } 2139 2140 /** 2141 * __audit_mq_timedsend - record audit data for a POSIX MQ timed send 2142 * @mqdes: MQ descriptor 2143 * @msg_len: Message length 2144 * @msg_prio: Message priority 2145 * @u_abs_timeout: Message timeout in absolute time 2146 * 2147 * Returns 0 for success or NULL context or < 0 on error. 2148 */ 2149 int __audit_mq_timedsend(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, 2150 const struct timespec __user *u_abs_timeout) 2151 { 2152 struct audit_aux_data_mq_sendrecv *ax; 2153 struct audit_context *context = current->audit_context; 2154 2155 if (!audit_enabled) 2156 return 0; 2157 2158 if (likely(!context)) 2159 return 0; 2160 2161 ax = kmalloc(sizeof(*ax), GFP_ATOMIC); 2162 if (!ax) 2163 return -ENOMEM; 2164 2165 if (u_abs_timeout != NULL) { 2166 if (copy_from_user(&ax->abs_timeout, u_abs_timeout, sizeof(ax->abs_timeout))) { 2167 kfree(ax); 2168 return -EFAULT; 2169 } 2170 } else 2171 memset(&ax->abs_timeout, 0, sizeof(ax->abs_timeout)); 2172 2173 ax->mqdes = mqdes; 2174 ax->msg_len = msg_len; 2175 ax->msg_prio = msg_prio; 2176 2177 ax->d.type = AUDIT_MQ_SENDRECV; 2178 ax->d.next = context->aux; 2179 context->aux = (void *)ax; 2180 return 0; 2181 } 2182 2183 /** 2184 * __audit_mq_timedreceive - record audit data for a POSIX MQ timed receive 2185 * @mqdes: MQ descriptor 2186 * @msg_len: Message length 2187 * @u_msg_prio: Message priority 2188 * @u_abs_timeout: Message timeout in absolute time 2189 * 2190 * Returns 0 for success or NULL context or < 0 on error. 2191 */ 2192 int __audit_mq_timedreceive(mqd_t mqdes, size_t msg_len, 2193 unsigned int __user *u_msg_prio, 2194 const struct timespec __user *u_abs_timeout) 2195 { 2196 struct audit_aux_data_mq_sendrecv *ax; 2197 struct audit_context *context = current->audit_context; 2198 2199 if (!audit_enabled) 2200 return 0; 2201 2202 if (likely(!context)) 2203 return 0; 2204 2205 ax = kmalloc(sizeof(*ax), GFP_ATOMIC); 2206 if (!ax) 2207 return -ENOMEM; 2208 2209 if (u_msg_prio != NULL) { 2210 if (get_user(ax->msg_prio, u_msg_prio)) { 2211 kfree(ax); 2212 return -EFAULT; 2213 } 2214 } else 2215 ax->msg_prio = 0; 2216 2217 if (u_abs_timeout != NULL) { 2218 if (copy_from_user(&ax->abs_timeout, u_abs_timeout, sizeof(ax->abs_timeout))) { 2219 kfree(ax); 2220 return -EFAULT; 2221 } 2222 } else 2223 memset(&ax->abs_timeout, 0, sizeof(ax->abs_timeout)); 2224 2225 ax->mqdes = mqdes; 2226 ax->msg_len = msg_len; 2227 2228 ax->d.type = AUDIT_MQ_SENDRECV; 2229 ax->d.next = context->aux; 2230 context->aux = (void *)ax; 2231 return 0; 2232 } 2233 2234 /** 2235 * __audit_mq_notify - record audit data for a POSIX MQ notify 2236 * @mqdes: MQ descriptor 2237 * @u_notification: Notification event 2238 * 2239 * Returns 0 for success or NULL context or < 0 on error. 2240 */ 2241 2242 int __audit_mq_notify(mqd_t mqdes, const struct sigevent __user *u_notification) 2243 { 2244 struct audit_aux_data_mq_notify *ax; 2245 struct audit_context *context = current->audit_context; 2246 2247 if (!audit_enabled) 2248 return 0; 2249 2250 if (likely(!context)) 2251 return 0; 2252 2253 ax = kmalloc(sizeof(*ax), GFP_ATOMIC); 2254 if (!ax) 2255 return -ENOMEM; 2256 2257 if (u_notification != NULL) { 2258 if (copy_from_user(&ax->notification, u_notification, sizeof(ax->notification))) { 2259 kfree(ax); 2260 return -EFAULT; 2261 } 2262 } else 2263 memset(&ax->notification, 0, sizeof(ax->notification)); 2264 2265 ax->mqdes = mqdes; 2266 2267 ax->d.type = AUDIT_MQ_NOTIFY; 2268 ax->d.next = context->aux; 2269 context->aux = (void *)ax; 2270 return 0; 2271 } 2272 2273 /** 2274 * __audit_mq_getsetattr - record audit data for a POSIX MQ get/set attribute 2275 * @mqdes: MQ descriptor 2276 * @mqstat: MQ flags 2277 * 2278 * Returns 0 for success or NULL context or < 0 on error. 2279 */ 2280 int __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat) 2281 { 2282 struct audit_aux_data_mq_getsetattr *ax; 2283 struct audit_context *context = current->audit_context; 2284 2285 if (!audit_enabled) 2286 return 0; 2287 2288 if (likely(!context)) 2289 return 0; 2290 2291 ax = kmalloc(sizeof(*ax), GFP_ATOMIC); 2292 if (!ax) 2293 return -ENOMEM; 2294 2295 ax->mqdes = mqdes; 2296 ax->mqstat = *mqstat; 2297 2298 ax->d.type = AUDIT_MQ_GETSETATTR; 2299 ax->d.next = context->aux; 2300 context->aux = (void *)ax; 2301 return 0; 2302 } 2303 2304 /** 2305 * audit_ipc_obj - record audit data for ipc object 2306 * @ipcp: ipc permissions 2307 * 2308 * Returns 0 for success or NULL context or < 0 on error. 2309 */ 2310 int __audit_ipc_obj(struct kern_ipc_perm *ipcp) 2311 { 2312 struct audit_aux_data_ipcctl *ax; 2313 struct audit_context *context = current->audit_context; 2314 2315 ax = kmalloc(sizeof(*ax), GFP_ATOMIC); 2316 if (!ax) 2317 return -ENOMEM; 2318 2319 ax->uid = ipcp->uid; 2320 ax->gid = ipcp->gid; 2321 ax->mode = ipcp->mode; 2322 security_ipc_getsecid(ipcp, &ax->osid); 2323 ax->d.type = AUDIT_IPC; 2324 ax->d.next = context->aux; 2325 context->aux = (void *)ax; 2326 return 0; 2327 } 2328 2329 /** 2330 * audit_ipc_set_perm - record audit data for new ipc permissions 2331 * @qbytes: msgq bytes 2332 * @uid: msgq user id 2333 * @gid: msgq group id 2334 * @mode: msgq mode (permissions) 2335 * 2336 * Returns 0 for success or NULL context or < 0 on error. 2337 */ 2338 int __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode) 2339 { 2340 struct audit_aux_data_ipcctl *ax; 2341 struct audit_context *context = current->audit_context; 2342 2343 ax = kmalloc(sizeof(*ax), GFP_ATOMIC); 2344 if (!ax) 2345 return -ENOMEM; 2346 2347 ax->qbytes = qbytes; 2348 ax->uid = uid; 2349 ax->gid = gid; 2350 ax->mode = mode; 2351 2352 ax->d.type = AUDIT_IPC_SET_PERM; 2353 ax->d.next = context->aux; 2354 context->aux = (void *)ax; 2355 return 0; 2356 } 2357 2358 int audit_bprm(struct linux_binprm *bprm) 2359 { 2360 struct audit_aux_data_execve *ax; 2361 struct audit_context *context = current->audit_context; 2362 2363 if (likely(!audit_enabled || !context || context->dummy)) 2364 return 0; 2365 2366 ax = kmalloc(sizeof(*ax), GFP_KERNEL); 2367 if (!ax) 2368 return -ENOMEM; 2369 2370 ax->argc = bprm->argc; 2371 ax->envc = bprm->envc; 2372 ax->mm = bprm->mm; 2373 ax->d.type = AUDIT_EXECVE; 2374 ax->d.next = context->aux; 2375 context->aux = (void *)ax; 2376 return 0; 2377 } 2378 2379 2380 /** 2381 * audit_socketcall - record audit data for sys_socketcall 2382 * @nargs: number of args 2383 * @args: args array 2384 * 2385 * Returns 0 for success or NULL context or < 0 on error. 2386 */ 2387 int audit_socketcall(int nargs, unsigned long *args) 2388 { 2389 struct audit_aux_data_socketcall *ax; 2390 struct audit_context *context = current->audit_context; 2391 2392 if (likely(!context || context->dummy)) 2393 return 0; 2394 2395 ax = kmalloc(sizeof(*ax) + nargs * sizeof(unsigned long), GFP_KERNEL); 2396 if (!ax) 2397 return -ENOMEM; 2398 2399 ax->nargs = nargs; 2400 memcpy(ax->args, args, nargs * sizeof(unsigned long)); 2401 2402 ax->d.type = AUDIT_SOCKETCALL; 2403 ax->d.next = context->aux; 2404 context->aux = (void *)ax; 2405 return 0; 2406 } 2407 2408 /** 2409 * __audit_fd_pair - record audit data for pipe and socketpair 2410 * @fd1: the first file descriptor 2411 * @fd2: the second file descriptor 2412 * 2413 * Returns 0 for success or NULL context or < 0 on error. 2414 */ 2415 int __audit_fd_pair(int fd1, int fd2) 2416 { 2417 struct audit_context *context = current->audit_context; 2418 struct audit_aux_data_fd_pair *ax; 2419 2420 if (likely(!context)) { 2421 return 0; 2422 } 2423 2424 ax = kmalloc(sizeof(*ax), GFP_KERNEL); 2425 if (!ax) { 2426 return -ENOMEM; 2427 } 2428 2429 ax->fd[0] = fd1; 2430 ax->fd[1] = fd2; 2431 2432 ax->d.type = AUDIT_FD_PAIR; 2433 ax->d.next = context->aux; 2434 context->aux = (void *)ax; 2435 return 0; 2436 } 2437 2438 /** 2439 * audit_sockaddr - record audit data for sys_bind, sys_connect, sys_sendto 2440 * @len: data length in user space 2441 * @a: data address in kernel space 2442 * 2443 * Returns 0 for success or NULL context or < 0 on error. 2444 */ 2445 int audit_sockaddr(int len, void *a) 2446 { 2447 struct audit_aux_data_sockaddr *ax; 2448 struct audit_context *context = current->audit_context; 2449 2450 if (likely(!context || context->dummy)) 2451 return 0; 2452 2453 ax = kmalloc(sizeof(*ax) + len, GFP_KERNEL); 2454 if (!ax) 2455 return -ENOMEM; 2456 2457 ax->len = len; 2458 memcpy(ax->a, a, len); 2459 2460 ax->d.type = AUDIT_SOCKADDR; 2461 ax->d.next = context->aux; 2462 context->aux = (void *)ax; 2463 return 0; 2464 } 2465 2466 void __audit_ptrace(struct task_struct *t) 2467 { 2468 struct audit_context *context = current->audit_context; 2469 2470 context->target_pid = t->pid; 2471 context->target_auid = audit_get_loginuid(t); 2472 context->target_uid = t->uid; 2473 context->target_sessionid = audit_get_sessionid(t); 2474 security_task_getsecid(t, &context->target_sid); 2475 memcpy(context->target_comm, t->comm, TASK_COMM_LEN); 2476 } 2477 2478 /** 2479 * audit_signal_info - record signal info for shutting down audit subsystem 2480 * @sig: signal value 2481 * @t: task being signaled 2482 * 2483 * If the audit subsystem is being terminated, record the task (pid) 2484 * and uid that is doing that. 2485 */ 2486 int __audit_signal_info(int sig, struct task_struct *t) 2487 { 2488 struct audit_aux_data_pids *axp; 2489 struct task_struct *tsk = current; 2490 struct audit_context *ctx = tsk->audit_context; 2491 2492 if (audit_pid && t->tgid == audit_pid) { 2493 if (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1 || sig == SIGUSR2) { 2494 audit_sig_pid = tsk->pid; 2495 if (tsk->loginuid != -1) 2496 audit_sig_uid = tsk->loginuid; 2497 else 2498 audit_sig_uid = tsk->uid; 2499 security_task_getsecid(tsk, &audit_sig_sid); 2500 } 2501 if (!audit_signals || audit_dummy_context()) 2502 return 0; 2503 } 2504 2505 /* optimize the common case by putting first signal recipient directly 2506 * in audit_context */ 2507 if (!ctx->target_pid) { 2508 ctx->target_pid = t->tgid; 2509 ctx->target_auid = audit_get_loginuid(t); 2510 ctx->target_uid = t->uid; 2511 ctx->target_sessionid = audit_get_sessionid(t); 2512 security_task_getsecid(t, &ctx->target_sid); 2513 memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN); 2514 return 0; 2515 } 2516 2517 axp = (void *)ctx->aux_pids; 2518 if (!axp || axp->pid_count == AUDIT_AUX_PIDS) { 2519 axp = kzalloc(sizeof(*axp), GFP_ATOMIC); 2520 if (!axp) 2521 return -ENOMEM; 2522 2523 axp->d.type = AUDIT_OBJ_PID; 2524 axp->d.next = ctx->aux_pids; 2525 ctx->aux_pids = (void *)axp; 2526 } 2527 BUG_ON(axp->pid_count >= AUDIT_AUX_PIDS); 2528 2529 axp->target_pid[axp->pid_count] = t->tgid; 2530 axp->target_auid[axp->pid_count] = audit_get_loginuid(t); 2531 axp->target_uid[axp->pid_count] = t->uid; 2532 axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t); 2533 security_task_getsecid(t, &axp->target_sid[axp->pid_count]); 2534 memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN); 2535 axp->pid_count++; 2536 2537 return 0; 2538 } 2539 2540 /** 2541 * __audit_log_bprm_fcaps - store information about a loading bprm and relevant fcaps 2542 * @bprm pointer to the bprm being processed 2543 * @caps the caps read from the disk 2544 * 2545 * Simply check if the proc already has the caps given by the file and if not 2546 * store the priv escalation info for later auditing at the end of the syscall 2547 * 2548 * this can fail and we don't care. See the note in audit.h for 2549 * audit_log_bprm_fcaps() for my explaination.... 2550 * 2551 * -Eric 2552 */ 2553 void __audit_log_bprm_fcaps(struct linux_binprm *bprm, kernel_cap_t *pP, kernel_cap_t *pE) 2554 { 2555 struct audit_aux_data_bprm_fcaps *ax; 2556 struct audit_context *context = current->audit_context; 2557 struct cpu_vfs_cap_data vcaps; 2558 struct dentry *dentry; 2559 2560 ax = kmalloc(sizeof(*ax), GFP_KERNEL); 2561 if (!ax) 2562 return; 2563 2564 ax->d.type = AUDIT_BPRM_FCAPS; 2565 ax->d.next = context->aux; 2566 context->aux = (void *)ax; 2567 2568 dentry = dget(bprm->file->f_dentry); 2569 get_vfs_caps_from_disk(dentry, &vcaps); 2570 dput(dentry); 2571 2572 ax->fcap.permitted = vcaps.permitted; 2573 ax->fcap.inheritable = vcaps.inheritable; 2574 ax->fcap.fE = !!(vcaps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE); 2575 ax->fcap_ver = (vcaps.magic_etc & VFS_CAP_REVISION_MASK) >> VFS_CAP_REVISION_SHIFT; 2576 2577 ax->old_pcap.permitted = *pP; 2578 ax->old_pcap.inheritable = current->cap_inheritable; 2579 ax->old_pcap.effective = *pE; 2580 2581 ax->new_pcap.permitted = current->cap_permitted; 2582 ax->new_pcap.inheritable = current->cap_inheritable; 2583 ax->new_pcap.effective = current->cap_effective; 2584 } 2585 2586 /** 2587 * __audit_log_capset - store information about the arguments to the capset syscall 2588 * @pid target pid of the capset call 2589 * @eff effective cap set 2590 * @inh inheritible cap set 2591 * @perm permited cap set 2592 * 2593 * Record the aguments userspace sent to sys_capset for later printing by the 2594 * audit system if applicable 2595 */ 2596 int __audit_log_capset(pid_t pid, kernel_cap_t *eff, kernel_cap_t *inh, kernel_cap_t *perm) 2597 { 2598 struct audit_aux_data_capset *ax; 2599 struct audit_context *context = current->audit_context; 2600 2601 if (likely(!audit_enabled || !context || context->dummy)) 2602 return 0; 2603 2604 ax = kmalloc(sizeof(*ax), GFP_KERNEL); 2605 if (!ax) 2606 return -ENOMEM; 2607 2608 ax->d.type = AUDIT_CAPSET; 2609 ax->d.next = context->aux; 2610 context->aux = (void *)ax; 2611 2612 ax->pid = pid; 2613 ax->cap.effective = *eff; 2614 ax->cap.inheritable = *eff; 2615 ax->cap.permitted = *perm; 2616 2617 return 0; 2618 } 2619 2620 /** 2621 * audit_core_dumps - record information about processes that end abnormally 2622 * @signr: signal value 2623 * 2624 * If a process ends with a core dump, something fishy is going on and we 2625 * should record the event for investigation. 2626 */ 2627 void audit_core_dumps(long signr) 2628 { 2629 struct audit_buffer *ab; 2630 u32 sid; 2631 uid_t auid = audit_get_loginuid(current); 2632 unsigned int sessionid = audit_get_sessionid(current); 2633 2634 if (!audit_enabled) 2635 return; 2636 2637 if (signr == SIGQUIT) /* don't care for those */ 2638 return; 2639 2640 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND); 2641 audit_log_format(ab, "auid=%u uid=%u gid=%u ses=%u", 2642 auid, current->uid, current->gid, sessionid); 2643 security_task_getsecid(current, &sid); 2644 if (sid) { 2645 char *ctx = NULL; 2646 u32 len; 2647 2648 if (security_secid_to_secctx(sid, &ctx, &len)) 2649 audit_log_format(ab, " ssid=%u", sid); 2650 else { 2651 audit_log_format(ab, " subj=%s", ctx); 2652 security_release_secctx(ctx, len); 2653 } 2654 } 2655 audit_log_format(ab, " pid=%d comm=", current->pid); 2656 audit_log_untrustedstring(ab, current->comm); 2657 audit_log_format(ab, " sig=%ld", signr); 2658 audit_log_end(ab); 2659 } 2660