1 /* auditsc.c -- System-call auditing support 2 * Handles all system-call specific auditing features. 3 * 4 * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina. 5 * Copyright 2005 Hewlett-Packard Development Company, L.P. 6 * Copyright (C) 2005, 2006 IBM Corporation 7 * All Rights Reserved. 8 * 9 * This program is free software; you can redistribute it and/or modify 10 * it under the terms of the GNU General Public License as published by 11 * the Free Software Foundation; either version 2 of the License, or 12 * (at your option) any later version. 13 * 14 * This program is distributed in the hope that it will be useful, 15 * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 * GNU General Public License for more details. 18 * 19 * You should have received a copy of the GNU General Public License 20 * along with this program; if not, write to the Free Software 21 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 22 * 23 * Written by Rickard E. (Rik) Faith <faith@redhat.com> 24 * 25 * Many of the ideas implemented here are from Stephen C. Tweedie, 26 * especially the idea of avoiding a copy by using getname. 27 * 28 * The method for actual interception of syscall entry and exit (not in 29 * this file -- see entry.S) is based on a GPL'd patch written by 30 * okir@suse.de and Copyright 2003 SuSE Linux AG. 31 * 32 * POSIX message queue support added by George Wilson <ltcgcw@us.ibm.com>, 33 * 2006. 34 * 35 * The support of additional filter rules compares (>, <, >=, <=) was 36 * added by Dustin Kirkland <dustin.kirkland@us.ibm.com>, 2005. 37 * 38 * Modified by Amy Griffis <amy.griffis@hp.com> to collect additional 39 * filesystem information. 40 * 41 * Subject and object context labeling support added by <danjones@us.ibm.com> 42 * and <dustin.kirkland@us.ibm.com> for LSPP certification compliance. 43 */ 44 45 #include <linux/init.h> 46 #include <asm/types.h> 47 #include <asm/atomic.h> 48 #include <linux/fs.h> 49 #include <linux/namei.h> 50 #include <linux/mm.h> 51 #include <linux/module.h> 52 #include <linux/mount.h> 53 #include <linux/socket.h> 54 #include <linux/mqueue.h> 55 #include <linux/audit.h> 56 #include <linux/personality.h> 57 #include <linux/time.h> 58 #include <linux/netlink.h> 59 #include <linux/compiler.h> 60 #include <asm/unistd.h> 61 #include <linux/security.h> 62 #include <linux/list.h> 63 #include <linux/tty.h> 64 #include <linux/selinux.h> 65 #include <linux/binfmts.h> 66 #include <linux/highmem.h> 67 #include <linux/syscalls.h> 68 69 #include "audit.h" 70 71 extern struct list_head audit_filter_list[]; 72 73 /* AUDIT_NAMES is the number of slots we reserve in the audit_context 74 * for saving names from getname(). */ 75 #define AUDIT_NAMES 20 76 77 /* Indicates that audit should log the full pathname. */ 78 #define AUDIT_NAME_FULL -1 79 80 /* number of audit rules */ 81 int audit_n_rules; 82 83 /* determines whether we collect data for signals sent */ 84 int audit_signals; 85 86 /* When fs/namei.c:getname() is called, we store the pointer in name and 87 * we don't let putname() free it (instead we free all of the saved 88 * pointers at syscall exit time). 89 * 90 * Further, in fs/namei.c:path_lookup() we store the inode and device. */ 91 struct audit_names { 92 const char *name; 93 int name_len; /* number of name's characters to log */ 94 unsigned name_put; /* call __putname() for this name */ 95 unsigned long ino; 96 dev_t dev; 97 umode_t mode; 98 uid_t uid; 99 gid_t gid; 100 dev_t rdev; 101 u32 osid; 102 }; 103 104 struct audit_aux_data { 105 struct audit_aux_data *next; 106 int type; 107 }; 108 109 #define AUDIT_AUX_IPCPERM 0 110 111 /* Number of target pids per aux struct. */ 112 #define AUDIT_AUX_PIDS 16 113 114 struct audit_aux_data_mq_open { 115 struct audit_aux_data d; 116 int oflag; 117 mode_t mode; 118 struct mq_attr attr; 119 }; 120 121 struct audit_aux_data_mq_sendrecv { 122 struct audit_aux_data d; 123 mqd_t mqdes; 124 size_t msg_len; 125 unsigned int msg_prio; 126 struct timespec abs_timeout; 127 }; 128 129 struct audit_aux_data_mq_notify { 130 struct audit_aux_data d; 131 mqd_t mqdes; 132 struct sigevent notification; 133 }; 134 135 struct audit_aux_data_mq_getsetattr { 136 struct audit_aux_data d; 137 mqd_t mqdes; 138 struct mq_attr mqstat; 139 }; 140 141 struct audit_aux_data_ipcctl { 142 struct audit_aux_data d; 143 struct ipc_perm p; 144 unsigned long qbytes; 145 uid_t uid; 146 gid_t gid; 147 mode_t mode; 148 u32 osid; 149 }; 150 151 struct audit_aux_data_execve { 152 struct audit_aux_data d; 153 int argc; 154 int envc; 155 struct mm_struct *mm; 156 }; 157 158 struct audit_aux_data_socketcall { 159 struct audit_aux_data d; 160 int nargs; 161 unsigned long args[0]; 162 }; 163 164 struct audit_aux_data_sockaddr { 165 struct audit_aux_data d; 166 int len; 167 char a[0]; 168 }; 169 170 struct audit_aux_data_fd_pair { 171 struct audit_aux_data d; 172 int fd[2]; 173 }; 174 175 struct audit_aux_data_pids { 176 struct audit_aux_data d; 177 pid_t target_pid[AUDIT_AUX_PIDS]; 178 u32 target_sid[AUDIT_AUX_PIDS]; 179 int pid_count; 180 }; 181 182 /* The per-task audit context. */ 183 struct audit_context { 184 int dummy; /* must be the first element */ 185 int in_syscall; /* 1 if task is in a syscall */ 186 enum audit_state state; 187 unsigned int serial; /* serial number for record */ 188 struct timespec ctime; /* time of syscall entry */ 189 uid_t loginuid; /* login uid (identity) */ 190 int major; /* syscall number */ 191 unsigned long argv[4]; /* syscall arguments */ 192 int return_valid; /* return code is valid */ 193 long return_code;/* syscall return code */ 194 int auditable; /* 1 if record should be written */ 195 int name_count; 196 struct audit_names names[AUDIT_NAMES]; 197 char * filterkey; /* key for rule that triggered record */ 198 struct dentry * pwd; 199 struct vfsmount * pwdmnt; 200 struct audit_context *previous; /* For nested syscalls */ 201 struct audit_aux_data *aux; 202 struct audit_aux_data *aux_pids; 203 204 /* Save things to print about task_struct */ 205 pid_t pid, ppid; 206 uid_t uid, euid, suid, fsuid; 207 gid_t gid, egid, sgid, fsgid; 208 unsigned long personality; 209 int arch; 210 211 pid_t target_pid; 212 u32 target_sid; 213 214 #if AUDIT_DEBUG 215 int put_count; 216 int ino_count; 217 #endif 218 }; 219 220 #define ACC_MODE(x) ("\004\002\006\006"[(x)&O_ACCMODE]) 221 static inline int open_arg(int flags, int mask) 222 { 223 int n = ACC_MODE(flags); 224 if (flags & (O_TRUNC | O_CREAT)) 225 n |= AUDIT_PERM_WRITE; 226 return n & mask; 227 } 228 229 static int audit_match_perm(struct audit_context *ctx, int mask) 230 { 231 unsigned n = ctx->major; 232 switch (audit_classify_syscall(ctx->arch, n)) { 233 case 0: /* native */ 234 if ((mask & AUDIT_PERM_WRITE) && 235 audit_match_class(AUDIT_CLASS_WRITE, n)) 236 return 1; 237 if ((mask & AUDIT_PERM_READ) && 238 audit_match_class(AUDIT_CLASS_READ, n)) 239 return 1; 240 if ((mask & AUDIT_PERM_ATTR) && 241 audit_match_class(AUDIT_CLASS_CHATTR, n)) 242 return 1; 243 return 0; 244 case 1: /* 32bit on biarch */ 245 if ((mask & AUDIT_PERM_WRITE) && 246 audit_match_class(AUDIT_CLASS_WRITE_32, n)) 247 return 1; 248 if ((mask & AUDIT_PERM_READ) && 249 audit_match_class(AUDIT_CLASS_READ_32, n)) 250 return 1; 251 if ((mask & AUDIT_PERM_ATTR) && 252 audit_match_class(AUDIT_CLASS_CHATTR_32, n)) 253 return 1; 254 return 0; 255 case 2: /* open */ 256 return mask & ACC_MODE(ctx->argv[1]); 257 case 3: /* openat */ 258 return mask & ACC_MODE(ctx->argv[2]); 259 case 4: /* socketcall */ 260 return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND); 261 case 5: /* execve */ 262 return mask & AUDIT_PERM_EXEC; 263 default: 264 return 0; 265 } 266 } 267 268 /* Determine if any context name data matches a rule's watch data */ 269 /* Compare a task_struct with an audit_rule. Return 1 on match, 0 270 * otherwise. */ 271 static int audit_filter_rules(struct task_struct *tsk, 272 struct audit_krule *rule, 273 struct audit_context *ctx, 274 struct audit_names *name, 275 enum audit_state *state) 276 { 277 int i, j, need_sid = 1; 278 u32 sid; 279 280 for (i = 0; i < rule->field_count; i++) { 281 struct audit_field *f = &rule->fields[i]; 282 int result = 0; 283 284 switch (f->type) { 285 case AUDIT_PID: 286 result = audit_comparator(tsk->pid, f->op, f->val); 287 break; 288 case AUDIT_PPID: 289 if (ctx) { 290 if (!ctx->ppid) 291 ctx->ppid = sys_getppid(); 292 result = audit_comparator(ctx->ppid, f->op, f->val); 293 } 294 break; 295 case AUDIT_UID: 296 result = audit_comparator(tsk->uid, f->op, f->val); 297 break; 298 case AUDIT_EUID: 299 result = audit_comparator(tsk->euid, f->op, f->val); 300 break; 301 case AUDIT_SUID: 302 result = audit_comparator(tsk->suid, f->op, f->val); 303 break; 304 case AUDIT_FSUID: 305 result = audit_comparator(tsk->fsuid, f->op, f->val); 306 break; 307 case AUDIT_GID: 308 result = audit_comparator(tsk->gid, f->op, f->val); 309 break; 310 case AUDIT_EGID: 311 result = audit_comparator(tsk->egid, f->op, f->val); 312 break; 313 case AUDIT_SGID: 314 result = audit_comparator(tsk->sgid, f->op, f->val); 315 break; 316 case AUDIT_FSGID: 317 result = audit_comparator(tsk->fsgid, f->op, f->val); 318 break; 319 case AUDIT_PERS: 320 result = audit_comparator(tsk->personality, f->op, f->val); 321 break; 322 case AUDIT_ARCH: 323 if (ctx) 324 result = audit_comparator(ctx->arch, f->op, f->val); 325 break; 326 327 case AUDIT_EXIT: 328 if (ctx && ctx->return_valid) 329 result = audit_comparator(ctx->return_code, f->op, f->val); 330 break; 331 case AUDIT_SUCCESS: 332 if (ctx && ctx->return_valid) { 333 if (f->val) 334 result = audit_comparator(ctx->return_valid, f->op, AUDITSC_SUCCESS); 335 else 336 result = audit_comparator(ctx->return_valid, f->op, AUDITSC_FAILURE); 337 } 338 break; 339 case AUDIT_DEVMAJOR: 340 if (name) 341 result = audit_comparator(MAJOR(name->dev), 342 f->op, f->val); 343 else if (ctx) { 344 for (j = 0; j < ctx->name_count; j++) { 345 if (audit_comparator(MAJOR(ctx->names[j].dev), f->op, f->val)) { 346 ++result; 347 break; 348 } 349 } 350 } 351 break; 352 case AUDIT_DEVMINOR: 353 if (name) 354 result = audit_comparator(MINOR(name->dev), 355 f->op, f->val); 356 else if (ctx) { 357 for (j = 0; j < ctx->name_count; j++) { 358 if (audit_comparator(MINOR(ctx->names[j].dev), f->op, f->val)) { 359 ++result; 360 break; 361 } 362 } 363 } 364 break; 365 case AUDIT_INODE: 366 if (name) 367 result = (name->ino == f->val); 368 else if (ctx) { 369 for (j = 0; j < ctx->name_count; j++) { 370 if (audit_comparator(ctx->names[j].ino, f->op, f->val)) { 371 ++result; 372 break; 373 } 374 } 375 } 376 break; 377 case AUDIT_WATCH: 378 if (name && rule->watch->ino != (unsigned long)-1) 379 result = (name->dev == rule->watch->dev && 380 name->ino == rule->watch->ino); 381 break; 382 case AUDIT_LOGINUID: 383 result = 0; 384 if (ctx) 385 result = audit_comparator(ctx->loginuid, f->op, f->val); 386 break; 387 case AUDIT_SUBJ_USER: 388 case AUDIT_SUBJ_ROLE: 389 case AUDIT_SUBJ_TYPE: 390 case AUDIT_SUBJ_SEN: 391 case AUDIT_SUBJ_CLR: 392 /* NOTE: this may return negative values indicating 393 a temporary error. We simply treat this as a 394 match for now to avoid losing information that 395 may be wanted. An error message will also be 396 logged upon error */ 397 if (f->se_rule) { 398 if (need_sid) { 399 selinux_get_task_sid(tsk, &sid); 400 need_sid = 0; 401 } 402 result = selinux_audit_rule_match(sid, f->type, 403 f->op, 404 f->se_rule, 405 ctx); 406 } 407 break; 408 case AUDIT_OBJ_USER: 409 case AUDIT_OBJ_ROLE: 410 case AUDIT_OBJ_TYPE: 411 case AUDIT_OBJ_LEV_LOW: 412 case AUDIT_OBJ_LEV_HIGH: 413 /* The above note for AUDIT_SUBJ_USER...AUDIT_SUBJ_CLR 414 also applies here */ 415 if (f->se_rule) { 416 /* Find files that match */ 417 if (name) { 418 result = selinux_audit_rule_match( 419 name->osid, f->type, f->op, 420 f->se_rule, ctx); 421 } else if (ctx) { 422 for (j = 0; j < ctx->name_count; j++) { 423 if (selinux_audit_rule_match( 424 ctx->names[j].osid, 425 f->type, f->op, 426 f->se_rule, ctx)) { 427 ++result; 428 break; 429 } 430 } 431 } 432 /* Find ipc objects that match */ 433 if (ctx) { 434 struct audit_aux_data *aux; 435 for (aux = ctx->aux; aux; 436 aux = aux->next) { 437 if (aux->type == AUDIT_IPC) { 438 struct audit_aux_data_ipcctl *axi = (void *)aux; 439 if (selinux_audit_rule_match(axi->osid, f->type, f->op, f->se_rule, ctx)) { 440 ++result; 441 break; 442 } 443 } 444 } 445 } 446 } 447 break; 448 case AUDIT_ARG0: 449 case AUDIT_ARG1: 450 case AUDIT_ARG2: 451 case AUDIT_ARG3: 452 if (ctx) 453 result = audit_comparator(ctx->argv[f->type-AUDIT_ARG0], f->op, f->val); 454 break; 455 case AUDIT_FILTERKEY: 456 /* ignore this field for filtering */ 457 result = 1; 458 break; 459 case AUDIT_PERM: 460 result = audit_match_perm(ctx, f->val); 461 break; 462 } 463 464 if (!result) 465 return 0; 466 } 467 if (rule->filterkey) 468 ctx->filterkey = kstrdup(rule->filterkey, GFP_ATOMIC); 469 switch (rule->action) { 470 case AUDIT_NEVER: *state = AUDIT_DISABLED; break; 471 case AUDIT_ALWAYS: *state = AUDIT_RECORD_CONTEXT; break; 472 } 473 return 1; 474 } 475 476 /* At process creation time, we can determine if system-call auditing is 477 * completely disabled for this task. Since we only have the task 478 * structure at this point, we can only check uid and gid. 479 */ 480 static enum audit_state audit_filter_task(struct task_struct *tsk) 481 { 482 struct audit_entry *e; 483 enum audit_state state; 484 485 rcu_read_lock(); 486 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TASK], list) { 487 if (audit_filter_rules(tsk, &e->rule, NULL, NULL, &state)) { 488 rcu_read_unlock(); 489 return state; 490 } 491 } 492 rcu_read_unlock(); 493 return AUDIT_BUILD_CONTEXT; 494 } 495 496 /* At syscall entry and exit time, this filter is called if the 497 * audit_state is not low enough that auditing cannot take place, but is 498 * also not high enough that we already know we have to write an audit 499 * record (i.e., the state is AUDIT_SETUP_CONTEXT or AUDIT_BUILD_CONTEXT). 500 */ 501 static enum audit_state audit_filter_syscall(struct task_struct *tsk, 502 struct audit_context *ctx, 503 struct list_head *list) 504 { 505 struct audit_entry *e; 506 enum audit_state state; 507 508 if (audit_pid && tsk->tgid == audit_pid) 509 return AUDIT_DISABLED; 510 511 rcu_read_lock(); 512 if (!list_empty(list)) { 513 int word = AUDIT_WORD(ctx->major); 514 int bit = AUDIT_BIT(ctx->major); 515 516 list_for_each_entry_rcu(e, list, list) { 517 if ((e->rule.mask[word] & bit) == bit && 518 audit_filter_rules(tsk, &e->rule, ctx, NULL, 519 &state)) { 520 rcu_read_unlock(); 521 return state; 522 } 523 } 524 } 525 rcu_read_unlock(); 526 return AUDIT_BUILD_CONTEXT; 527 } 528 529 /* At syscall exit time, this filter is called if any audit_names[] have been 530 * collected during syscall processing. We only check rules in sublists at hash 531 * buckets applicable to the inode numbers in audit_names[]. 532 * Regarding audit_state, same rules apply as for audit_filter_syscall(). 533 */ 534 enum audit_state audit_filter_inodes(struct task_struct *tsk, 535 struct audit_context *ctx) 536 { 537 int i; 538 struct audit_entry *e; 539 enum audit_state state; 540 541 if (audit_pid && tsk->tgid == audit_pid) 542 return AUDIT_DISABLED; 543 544 rcu_read_lock(); 545 for (i = 0; i < ctx->name_count; i++) { 546 int word = AUDIT_WORD(ctx->major); 547 int bit = AUDIT_BIT(ctx->major); 548 struct audit_names *n = &ctx->names[i]; 549 int h = audit_hash_ino((u32)n->ino); 550 struct list_head *list = &audit_inode_hash[h]; 551 552 if (list_empty(list)) 553 continue; 554 555 list_for_each_entry_rcu(e, list, list) { 556 if ((e->rule.mask[word] & bit) == bit && 557 audit_filter_rules(tsk, &e->rule, ctx, n, &state)) { 558 rcu_read_unlock(); 559 return state; 560 } 561 } 562 } 563 rcu_read_unlock(); 564 return AUDIT_BUILD_CONTEXT; 565 } 566 567 void audit_set_auditable(struct audit_context *ctx) 568 { 569 ctx->auditable = 1; 570 } 571 572 static inline struct audit_context *audit_get_context(struct task_struct *tsk, 573 int return_valid, 574 int return_code) 575 { 576 struct audit_context *context = tsk->audit_context; 577 578 if (likely(!context)) 579 return NULL; 580 context->return_valid = return_valid; 581 context->return_code = return_code; 582 583 if (context->in_syscall && !context->dummy && !context->auditable) { 584 enum audit_state state; 585 586 state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_EXIT]); 587 if (state == AUDIT_RECORD_CONTEXT) { 588 context->auditable = 1; 589 goto get_context; 590 } 591 592 state = audit_filter_inodes(tsk, context); 593 if (state == AUDIT_RECORD_CONTEXT) 594 context->auditable = 1; 595 596 } 597 598 get_context: 599 600 tsk->audit_context = NULL; 601 return context; 602 } 603 604 static inline void audit_free_names(struct audit_context *context) 605 { 606 int i; 607 608 #if AUDIT_DEBUG == 2 609 if (context->auditable 610 ||context->put_count + context->ino_count != context->name_count) { 611 printk(KERN_ERR "%s:%d(:%d): major=%d in_syscall=%d" 612 " name_count=%d put_count=%d" 613 " ino_count=%d [NOT freeing]\n", 614 __FILE__, __LINE__, 615 context->serial, context->major, context->in_syscall, 616 context->name_count, context->put_count, 617 context->ino_count); 618 for (i = 0; i < context->name_count; i++) { 619 printk(KERN_ERR "names[%d] = %p = %s\n", i, 620 context->names[i].name, 621 context->names[i].name ?: "(null)"); 622 } 623 dump_stack(); 624 return; 625 } 626 #endif 627 #if AUDIT_DEBUG 628 context->put_count = 0; 629 context->ino_count = 0; 630 #endif 631 632 for (i = 0; i < context->name_count; i++) { 633 if (context->names[i].name && context->names[i].name_put) 634 __putname(context->names[i].name); 635 } 636 context->name_count = 0; 637 if (context->pwd) 638 dput(context->pwd); 639 if (context->pwdmnt) 640 mntput(context->pwdmnt); 641 context->pwd = NULL; 642 context->pwdmnt = NULL; 643 } 644 645 static inline void audit_free_aux(struct audit_context *context) 646 { 647 struct audit_aux_data *aux; 648 649 while ((aux = context->aux)) { 650 context->aux = aux->next; 651 kfree(aux); 652 } 653 while ((aux = context->aux_pids)) { 654 context->aux_pids = aux->next; 655 kfree(aux); 656 } 657 } 658 659 static inline void audit_zero_context(struct audit_context *context, 660 enum audit_state state) 661 { 662 uid_t loginuid = context->loginuid; 663 664 memset(context, 0, sizeof(*context)); 665 context->state = state; 666 context->loginuid = loginuid; 667 } 668 669 static inline struct audit_context *audit_alloc_context(enum audit_state state) 670 { 671 struct audit_context *context; 672 673 if (!(context = kmalloc(sizeof(*context), GFP_KERNEL))) 674 return NULL; 675 audit_zero_context(context, state); 676 return context; 677 } 678 679 /** 680 * audit_alloc - allocate an audit context block for a task 681 * @tsk: task 682 * 683 * Filter on the task information and allocate a per-task audit context 684 * if necessary. Doing so turns on system call auditing for the 685 * specified task. This is called from copy_process, so no lock is 686 * needed. 687 */ 688 int audit_alloc(struct task_struct *tsk) 689 { 690 struct audit_context *context; 691 enum audit_state state; 692 693 if (likely(!audit_enabled)) 694 return 0; /* Return if not auditing. */ 695 696 state = audit_filter_task(tsk); 697 if (likely(state == AUDIT_DISABLED)) 698 return 0; 699 700 if (!(context = audit_alloc_context(state))) { 701 audit_log_lost("out of memory in audit_alloc"); 702 return -ENOMEM; 703 } 704 705 /* Preserve login uid */ 706 context->loginuid = -1; 707 if (current->audit_context) 708 context->loginuid = current->audit_context->loginuid; 709 710 tsk->audit_context = context; 711 set_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT); 712 return 0; 713 } 714 715 static inline void audit_free_context(struct audit_context *context) 716 { 717 struct audit_context *previous; 718 int count = 0; 719 720 do { 721 previous = context->previous; 722 if (previous || (count && count < 10)) { 723 ++count; 724 printk(KERN_ERR "audit(:%d): major=%d name_count=%d:" 725 " freeing multiple contexts (%d)\n", 726 context->serial, context->major, 727 context->name_count, count); 728 } 729 audit_free_names(context); 730 audit_free_aux(context); 731 kfree(context->filterkey); 732 kfree(context); 733 context = previous; 734 } while (context); 735 if (count >= 10) 736 printk(KERN_ERR "audit: freed %d contexts\n", count); 737 } 738 739 void audit_log_task_context(struct audit_buffer *ab) 740 { 741 char *ctx = NULL; 742 unsigned len; 743 int error; 744 u32 sid; 745 746 selinux_get_task_sid(current, &sid); 747 if (!sid) 748 return; 749 750 error = selinux_sid_to_string(sid, &ctx, &len); 751 if (error) { 752 if (error != -EINVAL) 753 goto error_path; 754 return; 755 } 756 757 audit_log_format(ab, " subj=%s", ctx); 758 kfree(ctx); 759 return; 760 761 error_path: 762 audit_panic("error in audit_log_task_context"); 763 return; 764 } 765 766 EXPORT_SYMBOL(audit_log_task_context); 767 768 static void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk) 769 { 770 char name[sizeof(tsk->comm)]; 771 struct mm_struct *mm = tsk->mm; 772 struct vm_area_struct *vma; 773 774 /* tsk == current */ 775 776 get_task_comm(name, tsk); 777 audit_log_format(ab, " comm="); 778 audit_log_untrustedstring(ab, name); 779 780 if (mm) { 781 down_read(&mm->mmap_sem); 782 vma = mm->mmap; 783 while (vma) { 784 if ((vma->vm_flags & VM_EXECUTABLE) && 785 vma->vm_file) { 786 audit_log_d_path(ab, "exe=", 787 vma->vm_file->f_path.dentry, 788 vma->vm_file->f_path.mnt); 789 break; 790 } 791 vma = vma->vm_next; 792 } 793 up_read(&mm->mmap_sem); 794 } 795 audit_log_task_context(ab); 796 } 797 798 static int audit_log_pid_context(struct audit_context *context, pid_t pid, 799 u32 sid) 800 { 801 struct audit_buffer *ab; 802 char *s = NULL; 803 u32 len; 804 int rc = 0; 805 806 ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID); 807 if (!ab) 808 return 1; 809 810 if (selinux_sid_to_string(sid, &s, &len)) { 811 audit_log_format(ab, "opid=%d obj=(none)", pid); 812 rc = 1; 813 } else 814 audit_log_format(ab, "opid=%d obj=%s", pid, s); 815 audit_log_end(ab); 816 kfree(s); 817 818 return rc; 819 } 820 821 static void audit_log_execve_info(struct audit_buffer *ab, 822 struct audit_aux_data_execve *axi) 823 { 824 int i; 825 long len, ret; 826 const char __user *p; 827 char *buf; 828 829 if (axi->mm != current->mm) 830 return; /* execve failed, no additional info */ 831 832 p = (const char __user *)axi->mm->arg_start; 833 834 for (i = 0; i < axi->argc; i++, p += len) { 835 len = strnlen_user(p, MAX_ARG_STRLEN); 836 /* 837 * We just created this mm, if we can't find the strings 838 * we just copied into it something is _very_ wrong. Similar 839 * for strings that are too long, we should not have created 840 * any. 841 */ 842 if (!len || len > MAX_ARG_STRLEN) { 843 WARN_ON(1); 844 send_sig(SIGKILL, current, 0); 845 } 846 847 buf = kmalloc(len, GFP_KERNEL); 848 if (!buf) { 849 audit_panic("out of memory for argv string\n"); 850 break; 851 } 852 853 ret = copy_from_user(buf, p, len); 854 /* 855 * There is no reason for this copy to be short. We just 856 * copied them here, and the mm hasn't been exposed to user- 857 * space yet. 858 */ 859 if (ret) { 860 WARN_ON(1); 861 send_sig(SIGKILL, current, 0); 862 } 863 864 audit_log_format(ab, "a%d=", i); 865 audit_log_untrustedstring(ab, buf); 866 audit_log_format(ab, "\n"); 867 868 kfree(buf); 869 } 870 } 871 872 static void audit_log_exit(struct audit_context *context, struct task_struct *tsk) 873 { 874 int i, call_panic = 0; 875 struct audit_buffer *ab; 876 struct audit_aux_data *aux; 877 const char *tty; 878 879 /* tsk == current */ 880 context->pid = tsk->pid; 881 if (!context->ppid) 882 context->ppid = sys_getppid(); 883 context->uid = tsk->uid; 884 context->gid = tsk->gid; 885 context->euid = tsk->euid; 886 context->suid = tsk->suid; 887 context->fsuid = tsk->fsuid; 888 context->egid = tsk->egid; 889 context->sgid = tsk->sgid; 890 context->fsgid = tsk->fsgid; 891 context->personality = tsk->personality; 892 893 ab = audit_log_start(context, GFP_KERNEL, AUDIT_SYSCALL); 894 if (!ab) 895 return; /* audit_panic has been called */ 896 audit_log_format(ab, "arch=%x syscall=%d", 897 context->arch, context->major); 898 if (context->personality != PER_LINUX) 899 audit_log_format(ab, " per=%lx", context->personality); 900 if (context->return_valid) 901 audit_log_format(ab, " success=%s exit=%ld", 902 (context->return_valid==AUDITSC_SUCCESS)?"yes":"no", 903 context->return_code); 904 905 mutex_lock(&tty_mutex); 906 read_lock(&tasklist_lock); 907 if (tsk->signal && tsk->signal->tty && tsk->signal->tty->name) 908 tty = tsk->signal->tty->name; 909 else 910 tty = "(none)"; 911 read_unlock(&tasklist_lock); 912 audit_log_format(ab, 913 " a0=%lx a1=%lx a2=%lx a3=%lx items=%d" 914 " ppid=%d pid=%d auid=%u uid=%u gid=%u" 915 " euid=%u suid=%u fsuid=%u" 916 " egid=%u sgid=%u fsgid=%u tty=%s", 917 context->argv[0], 918 context->argv[1], 919 context->argv[2], 920 context->argv[3], 921 context->name_count, 922 context->ppid, 923 context->pid, 924 context->loginuid, 925 context->uid, 926 context->gid, 927 context->euid, context->suid, context->fsuid, 928 context->egid, context->sgid, context->fsgid, tty); 929 930 mutex_unlock(&tty_mutex); 931 932 audit_log_task_info(ab, tsk); 933 if (context->filterkey) { 934 audit_log_format(ab, " key="); 935 audit_log_untrustedstring(ab, context->filterkey); 936 } else 937 audit_log_format(ab, " key=(null)"); 938 audit_log_end(ab); 939 940 for (aux = context->aux; aux; aux = aux->next) { 941 942 ab = audit_log_start(context, GFP_KERNEL, aux->type); 943 if (!ab) 944 continue; /* audit_panic has been called */ 945 946 switch (aux->type) { 947 case AUDIT_MQ_OPEN: { 948 struct audit_aux_data_mq_open *axi = (void *)aux; 949 audit_log_format(ab, 950 "oflag=0x%x mode=%#o mq_flags=0x%lx mq_maxmsg=%ld " 951 "mq_msgsize=%ld mq_curmsgs=%ld", 952 axi->oflag, axi->mode, axi->attr.mq_flags, 953 axi->attr.mq_maxmsg, axi->attr.mq_msgsize, 954 axi->attr.mq_curmsgs); 955 break; } 956 957 case AUDIT_MQ_SENDRECV: { 958 struct audit_aux_data_mq_sendrecv *axi = (void *)aux; 959 audit_log_format(ab, 960 "mqdes=%d msg_len=%zd msg_prio=%u " 961 "abs_timeout_sec=%ld abs_timeout_nsec=%ld", 962 axi->mqdes, axi->msg_len, axi->msg_prio, 963 axi->abs_timeout.tv_sec, axi->abs_timeout.tv_nsec); 964 break; } 965 966 case AUDIT_MQ_NOTIFY: { 967 struct audit_aux_data_mq_notify *axi = (void *)aux; 968 audit_log_format(ab, 969 "mqdes=%d sigev_signo=%d", 970 axi->mqdes, 971 axi->notification.sigev_signo); 972 break; } 973 974 case AUDIT_MQ_GETSETATTR: { 975 struct audit_aux_data_mq_getsetattr *axi = (void *)aux; 976 audit_log_format(ab, 977 "mqdes=%d mq_flags=0x%lx mq_maxmsg=%ld mq_msgsize=%ld " 978 "mq_curmsgs=%ld ", 979 axi->mqdes, 980 axi->mqstat.mq_flags, axi->mqstat.mq_maxmsg, 981 axi->mqstat.mq_msgsize, axi->mqstat.mq_curmsgs); 982 break; } 983 984 case AUDIT_IPC: { 985 struct audit_aux_data_ipcctl *axi = (void *)aux; 986 audit_log_format(ab, 987 "ouid=%u ogid=%u mode=%#o", 988 axi->uid, axi->gid, axi->mode); 989 if (axi->osid != 0) { 990 char *ctx = NULL; 991 u32 len; 992 if (selinux_sid_to_string( 993 axi->osid, &ctx, &len)) { 994 audit_log_format(ab, " osid=%u", 995 axi->osid); 996 call_panic = 1; 997 } else 998 audit_log_format(ab, " obj=%s", ctx); 999 kfree(ctx); 1000 } 1001 break; } 1002 1003 case AUDIT_IPC_SET_PERM: { 1004 struct audit_aux_data_ipcctl *axi = (void *)aux; 1005 audit_log_format(ab, 1006 "qbytes=%lx ouid=%u ogid=%u mode=%#o", 1007 axi->qbytes, axi->uid, axi->gid, axi->mode); 1008 break; } 1009 1010 case AUDIT_EXECVE: { 1011 struct audit_aux_data_execve *axi = (void *)aux; 1012 audit_log_execve_info(ab, axi); 1013 break; } 1014 1015 case AUDIT_SOCKETCALL: { 1016 int i; 1017 struct audit_aux_data_socketcall *axs = (void *)aux; 1018 audit_log_format(ab, "nargs=%d", axs->nargs); 1019 for (i=0; i<axs->nargs; i++) 1020 audit_log_format(ab, " a%d=%lx", i, axs->args[i]); 1021 break; } 1022 1023 case AUDIT_SOCKADDR: { 1024 struct audit_aux_data_sockaddr *axs = (void *)aux; 1025 1026 audit_log_format(ab, "saddr="); 1027 audit_log_hex(ab, axs->a, axs->len); 1028 break; } 1029 1030 case AUDIT_FD_PAIR: { 1031 struct audit_aux_data_fd_pair *axs = (void *)aux; 1032 audit_log_format(ab, "fd0=%d fd1=%d", axs->fd[0], axs->fd[1]); 1033 break; } 1034 1035 } 1036 audit_log_end(ab); 1037 } 1038 1039 for (aux = context->aux_pids; aux; aux = aux->next) { 1040 struct audit_aux_data_pids *axs = (void *)aux; 1041 int i; 1042 1043 for (i = 0; i < axs->pid_count; i++) 1044 if (audit_log_pid_context(context, axs->target_pid[i], 1045 axs->target_sid[i])) 1046 call_panic = 1; 1047 } 1048 1049 if (context->target_pid && 1050 audit_log_pid_context(context, context->target_pid, 1051 context->target_sid)) 1052 call_panic = 1; 1053 1054 if (context->pwd && context->pwdmnt) { 1055 ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD); 1056 if (ab) { 1057 audit_log_d_path(ab, "cwd=", context->pwd, context->pwdmnt); 1058 audit_log_end(ab); 1059 } 1060 } 1061 for (i = 0; i < context->name_count; i++) { 1062 struct audit_names *n = &context->names[i]; 1063 1064 ab = audit_log_start(context, GFP_KERNEL, AUDIT_PATH); 1065 if (!ab) 1066 continue; /* audit_panic has been called */ 1067 1068 audit_log_format(ab, "item=%d", i); 1069 1070 if (n->name) { 1071 switch(n->name_len) { 1072 case AUDIT_NAME_FULL: 1073 /* log the full path */ 1074 audit_log_format(ab, " name="); 1075 audit_log_untrustedstring(ab, n->name); 1076 break; 1077 case 0: 1078 /* name was specified as a relative path and the 1079 * directory component is the cwd */ 1080 audit_log_d_path(ab, " name=", context->pwd, 1081 context->pwdmnt); 1082 break; 1083 default: 1084 /* log the name's directory component */ 1085 audit_log_format(ab, " name="); 1086 audit_log_n_untrustedstring(ab, n->name_len, 1087 n->name); 1088 } 1089 } else 1090 audit_log_format(ab, " name=(null)"); 1091 1092 if (n->ino != (unsigned long)-1) { 1093 audit_log_format(ab, " inode=%lu" 1094 " dev=%02x:%02x mode=%#o" 1095 " ouid=%u ogid=%u rdev=%02x:%02x", 1096 n->ino, 1097 MAJOR(n->dev), 1098 MINOR(n->dev), 1099 n->mode, 1100 n->uid, 1101 n->gid, 1102 MAJOR(n->rdev), 1103 MINOR(n->rdev)); 1104 } 1105 if (n->osid != 0) { 1106 char *ctx = NULL; 1107 u32 len; 1108 if (selinux_sid_to_string( 1109 n->osid, &ctx, &len)) { 1110 audit_log_format(ab, " osid=%u", n->osid); 1111 call_panic = 2; 1112 } else 1113 audit_log_format(ab, " obj=%s", ctx); 1114 kfree(ctx); 1115 } 1116 1117 audit_log_end(ab); 1118 } 1119 if (call_panic) 1120 audit_panic("error converting sid to string"); 1121 } 1122 1123 /** 1124 * audit_free - free a per-task audit context 1125 * @tsk: task whose audit context block to free 1126 * 1127 * Called from copy_process and do_exit 1128 */ 1129 void audit_free(struct task_struct *tsk) 1130 { 1131 struct audit_context *context; 1132 1133 context = audit_get_context(tsk, 0, 0); 1134 if (likely(!context)) 1135 return; 1136 1137 /* Check for system calls that do not go through the exit 1138 * function (e.g., exit_group), then free context block. 1139 * We use GFP_ATOMIC here because we might be doing this 1140 * in the context of the idle thread */ 1141 /* that can happen only if we are called from do_exit() */ 1142 if (context->in_syscall && context->auditable) 1143 audit_log_exit(context, tsk); 1144 1145 audit_free_context(context); 1146 } 1147 1148 /** 1149 * audit_syscall_entry - fill in an audit record at syscall entry 1150 * @tsk: task being audited 1151 * @arch: architecture type 1152 * @major: major syscall type (function) 1153 * @a1: additional syscall register 1 1154 * @a2: additional syscall register 2 1155 * @a3: additional syscall register 3 1156 * @a4: additional syscall register 4 1157 * 1158 * Fill in audit context at syscall entry. This only happens if the 1159 * audit context was created when the task was created and the state or 1160 * filters demand the audit context be built. If the state from the 1161 * per-task filter or from the per-syscall filter is AUDIT_RECORD_CONTEXT, 1162 * then the record will be written at syscall exit time (otherwise, it 1163 * will only be written if another part of the kernel requests that it 1164 * be written). 1165 */ 1166 void audit_syscall_entry(int arch, int major, 1167 unsigned long a1, unsigned long a2, 1168 unsigned long a3, unsigned long a4) 1169 { 1170 struct task_struct *tsk = current; 1171 struct audit_context *context = tsk->audit_context; 1172 enum audit_state state; 1173 1174 BUG_ON(!context); 1175 1176 /* 1177 * This happens only on certain architectures that make system 1178 * calls in kernel_thread via the entry.S interface, instead of 1179 * with direct calls. (If you are porting to a new 1180 * architecture, hitting this condition can indicate that you 1181 * got the _exit/_leave calls backward in entry.S.) 1182 * 1183 * i386 no 1184 * x86_64 no 1185 * ppc64 yes (see arch/powerpc/platforms/iseries/misc.S) 1186 * 1187 * This also happens with vm86 emulation in a non-nested manner 1188 * (entries without exits), so this case must be caught. 1189 */ 1190 if (context->in_syscall) { 1191 struct audit_context *newctx; 1192 1193 #if AUDIT_DEBUG 1194 printk(KERN_ERR 1195 "audit(:%d) pid=%d in syscall=%d;" 1196 " entering syscall=%d\n", 1197 context->serial, tsk->pid, context->major, major); 1198 #endif 1199 newctx = audit_alloc_context(context->state); 1200 if (newctx) { 1201 newctx->previous = context; 1202 context = newctx; 1203 tsk->audit_context = newctx; 1204 } else { 1205 /* If we can't alloc a new context, the best we 1206 * can do is to leak memory (any pending putname 1207 * will be lost). The only other alternative is 1208 * to abandon auditing. */ 1209 audit_zero_context(context, context->state); 1210 } 1211 } 1212 BUG_ON(context->in_syscall || context->name_count); 1213 1214 if (!audit_enabled) 1215 return; 1216 1217 context->arch = arch; 1218 context->major = major; 1219 context->argv[0] = a1; 1220 context->argv[1] = a2; 1221 context->argv[2] = a3; 1222 context->argv[3] = a4; 1223 1224 state = context->state; 1225 context->dummy = !audit_n_rules; 1226 if (!context->dummy && (state == AUDIT_SETUP_CONTEXT || state == AUDIT_BUILD_CONTEXT)) 1227 state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_ENTRY]); 1228 if (likely(state == AUDIT_DISABLED)) 1229 return; 1230 1231 context->serial = 0; 1232 context->ctime = CURRENT_TIME; 1233 context->in_syscall = 1; 1234 context->auditable = !!(state == AUDIT_RECORD_CONTEXT); 1235 context->ppid = 0; 1236 } 1237 1238 /** 1239 * audit_syscall_exit - deallocate audit context after a system call 1240 * @tsk: task being audited 1241 * @valid: success/failure flag 1242 * @return_code: syscall return value 1243 * 1244 * Tear down after system call. If the audit context has been marked as 1245 * auditable (either because of the AUDIT_RECORD_CONTEXT state from 1246 * filtering, or because some other part of the kernel write an audit 1247 * message), then write out the syscall information. In call cases, 1248 * free the names stored from getname(). 1249 */ 1250 void audit_syscall_exit(int valid, long return_code) 1251 { 1252 struct task_struct *tsk = current; 1253 struct audit_context *context; 1254 1255 context = audit_get_context(tsk, valid, return_code); 1256 1257 if (likely(!context)) 1258 return; 1259 1260 if (context->in_syscall && context->auditable) 1261 audit_log_exit(context, tsk); 1262 1263 context->in_syscall = 0; 1264 context->auditable = 0; 1265 1266 if (context->previous) { 1267 struct audit_context *new_context = context->previous; 1268 context->previous = NULL; 1269 audit_free_context(context); 1270 tsk->audit_context = new_context; 1271 } else { 1272 audit_free_names(context); 1273 audit_free_aux(context); 1274 context->aux = NULL; 1275 context->aux_pids = NULL; 1276 context->target_pid = 0; 1277 context->target_sid = 0; 1278 kfree(context->filterkey); 1279 context->filterkey = NULL; 1280 tsk->audit_context = context; 1281 } 1282 } 1283 1284 /** 1285 * audit_getname - add a name to the list 1286 * @name: name to add 1287 * 1288 * Add a name to the list of audit names for this context. 1289 * Called from fs/namei.c:getname(). 1290 */ 1291 void __audit_getname(const char *name) 1292 { 1293 struct audit_context *context = current->audit_context; 1294 1295 if (IS_ERR(name) || !name) 1296 return; 1297 1298 if (!context->in_syscall) { 1299 #if AUDIT_DEBUG == 2 1300 printk(KERN_ERR "%s:%d(:%d): ignoring getname(%p)\n", 1301 __FILE__, __LINE__, context->serial, name); 1302 dump_stack(); 1303 #endif 1304 return; 1305 } 1306 BUG_ON(context->name_count >= AUDIT_NAMES); 1307 context->names[context->name_count].name = name; 1308 context->names[context->name_count].name_len = AUDIT_NAME_FULL; 1309 context->names[context->name_count].name_put = 1; 1310 context->names[context->name_count].ino = (unsigned long)-1; 1311 context->names[context->name_count].osid = 0; 1312 ++context->name_count; 1313 if (!context->pwd) { 1314 read_lock(¤t->fs->lock); 1315 context->pwd = dget(current->fs->pwd); 1316 context->pwdmnt = mntget(current->fs->pwdmnt); 1317 read_unlock(¤t->fs->lock); 1318 } 1319 1320 } 1321 1322 /* audit_putname - intercept a putname request 1323 * @name: name to intercept and delay for putname 1324 * 1325 * If we have stored the name from getname in the audit context, 1326 * then we delay the putname until syscall exit. 1327 * Called from include/linux/fs.h:putname(). 1328 */ 1329 void audit_putname(const char *name) 1330 { 1331 struct audit_context *context = current->audit_context; 1332 1333 BUG_ON(!context); 1334 if (!context->in_syscall) { 1335 #if AUDIT_DEBUG == 2 1336 printk(KERN_ERR "%s:%d(:%d): __putname(%p)\n", 1337 __FILE__, __LINE__, context->serial, name); 1338 if (context->name_count) { 1339 int i; 1340 for (i = 0; i < context->name_count; i++) 1341 printk(KERN_ERR "name[%d] = %p = %s\n", i, 1342 context->names[i].name, 1343 context->names[i].name ?: "(null)"); 1344 } 1345 #endif 1346 __putname(name); 1347 } 1348 #if AUDIT_DEBUG 1349 else { 1350 ++context->put_count; 1351 if (context->put_count > context->name_count) { 1352 printk(KERN_ERR "%s:%d(:%d): major=%d" 1353 " in_syscall=%d putname(%p) name_count=%d" 1354 " put_count=%d\n", 1355 __FILE__, __LINE__, 1356 context->serial, context->major, 1357 context->in_syscall, name, context->name_count, 1358 context->put_count); 1359 dump_stack(); 1360 } 1361 } 1362 #endif 1363 } 1364 1365 static int audit_inc_name_count(struct audit_context *context, 1366 const struct inode *inode) 1367 { 1368 if (context->name_count >= AUDIT_NAMES) { 1369 if (inode) 1370 printk(KERN_DEBUG "name_count maxed, losing inode data: " 1371 "dev=%02x:%02x, inode=%lu", 1372 MAJOR(inode->i_sb->s_dev), 1373 MINOR(inode->i_sb->s_dev), 1374 inode->i_ino); 1375 1376 else 1377 printk(KERN_DEBUG "name_count maxed, losing inode data"); 1378 return 1; 1379 } 1380 context->name_count++; 1381 #if AUDIT_DEBUG 1382 context->ino_count++; 1383 #endif 1384 return 0; 1385 } 1386 1387 /* Copy inode data into an audit_names. */ 1388 static void audit_copy_inode(struct audit_names *name, const struct inode *inode) 1389 { 1390 name->ino = inode->i_ino; 1391 name->dev = inode->i_sb->s_dev; 1392 name->mode = inode->i_mode; 1393 name->uid = inode->i_uid; 1394 name->gid = inode->i_gid; 1395 name->rdev = inode->i_rdev; 1396 selinux_get_inode_sid(inode, &name->osid); 1397 } 1398 1399 /** 1400 * audit_inode - store the inode and device from a lookup 1401 * @name: name being audited 1402 * @inode: inode being audited 1403 * 1404 * Called from fs/namei.c:path_lookup(). 1405 */ 1406 void __audit_inode(const char *name, const struct inode *inode) 1407 { 1408 int idx; 1409 struct audit_context *context = current->audit_context; 1410 1411 if (!context->in_syscall) 1412 return; 1413 if (context->name_count 1414 && context->names[context->name_count-1].name 1415 && context->names[context->name_count-1].name == name) 1416 idx = context->name_count - 1; 1417 else if (context->name_count > 1 1418 && context->names[context->name_count-2].name 1419 && context->names[context->name_count-2].name == name) 1420 idx = context->name_count - 2; 1421 else { 1422 /* FIXME: how much do we care about inodes that have no 1423 * associated name? */ 1424 if (audit_inc_name_count(context, inode)) 1425 return; 1426 idx = context->name_count - 1; 1427 context->names[idx].name = NULL; 1428 } 1429 audit_copy_inode(&context->names[idx], inode); 1430 } 1431 1432 /** 1433 * audit_inode_child - collect inode info for created/removed objects 1434 * @dname: inode's dentry name 1435 * @inode: inode being audited 1436 * @parent: inode of dentry parent 1437 * 1438 * For syscalls that create or remove filesystem objects, audit_inode 1439 * can only collect information for the filesystem object's parent. 1440 * This call updates the audit context with the child's information. 1441 * Syscalls that create a new filesystem object must be hooked after 1442 * the object is created. Syscalls that remove a filesystem object 1443 * must be hooked prior, in order to capture the target inode during 1444 * unsuccessful attempts. 1445 */ 1446 void __audit_inode_child(const char *dname, const struct inode *inode, 1447 const struct inode *parent) 1448 { 1449 int idx; 1450 struct audit_context *context = current->audit_context; 1451 const char *found_parent = NULL, *found_child = NULL; 1452 int dirlen = 0; 1453 1454 if (!context->in_syscall) 1455 return; 1456 1457 /* determine matching parent */ 1458 if (!dname) 1459 goto add_names; 1460 1461 /* parent is more likely, look for it first */ 1462 for (idx = 0; idx < context->name_count; idx++) { 1463 struct audit_names *n = &context->names[idx]; 1464 1465 if (!n->name) 1466 continue; 1467 1468 if (n->ino == parent->i_ino && 1469 !audit_compare_dname_path(dname, n->name, &dirlen)) { 1470 n->name_len = dirlen; /* update parent data in place */ 1471 found_parent = n->name; 1472 goto add_names; 1473 } 1474 } 1475 1476 /* no matching parent, look for matching child */ 1477 for (idx = 0; idx < context->name_count; idx++) { 1478 struct audit_names *n = &context->names[idx]; 1479 1480 if (!n->name) 1481 continue; 1482 1483 /* strcmp() is the more likely scenario */ 1484 if (!strcmp(dname, n->name) || 1485 !audit_compare_dname_path(dname, n->name, &dirlen)) { 1486 if (inode) 1487 audit_copy_inode(n, inode); 1488 else 1489 n->ino = (unsigned long)-1; 1490 found_child = n->name; 1491 goto add_names; 1492 } 1493 } 1494 1495 add_names: 1496 if (!found_parent) { 1497 if (audit_inc_name_count(context, parent)) 1498 return; 1499 idx = context->name_count - 1; 1500 context->names[idx].name = NULL; 1501 audit_copy_inode(&context->names[idx], parent); 1502 } 1503 1504 if (!found_child) { 1505 if (audit_inc_name_count(context, inode)) 1506 return; 1507 idx = context->name_count - 1; 1508 1509 /* Re-use the name belonging to the slot for a matching parent 1510 * directory. All names for this context are relinquished in 1511 * audit_free_names() */ 1512 if (found_parent) { 1513 context->names[idx].name = found_parent; 1514 context->names[idx].name_len = AUDIT_NAME_FULL; 1515 /* don't call __putname() */ 1516 context->names[idx].name_put = 0; 1517 } else { 1518 context->names[idx].name = NULL; 1519 } 1520 1521 if (inode) 1522 audit_copy_inode(&context->names[idx], inode); 1523 else 1524 context->names[idx].ino = (unsigned long)-1; 1525 } 1526 } 1527 EXPORT_SYMBOL_GPL(__audit_inode_child); 1528 1529 /** 1530 * auditsc_get_stamp - get local copies of audit_context values 1531 * @ctx: audit_context for the task 1532 * @t: timespec to store time recorded in the audit_context 1533 * @serial: serial value that is recorded in the audit_context 1534 * 1535 * Also sets the context as auditable. 1536 */ 1537 void auditsc_get_stamp(struct audit_context *ctx, 1538 struct timespec *t, unsigned int *serial) 1539 { 1540 if (!ctx->serial) 1541 ctx->serial = audit_serial(); 1542 t->tv_sec = ctx->ctime.tv_sec; 1543 t->tv_nsec = ctx->ctime.tv_nsec; 1544 *serial = ctx->serial; 1545 ctx->auditable = 1; 1546 } 1547 1548 /** 1549 * audit_set_loginuid - set a task's audit_context loginuid 1550 * @task: task whose audit context is being modified 1551 * @loginuid: loginuid value 1552 * 1553 * Returns 0. 1554 * 1555 * Called (set) from fs/proc/base.c::proc_loginuid_write(). 1556 */ 1557 int audit_set_loginuid(struct task_struct *task, uid_t loginuid) 1558 { 1559 struct audit_context *context = task->audit_context; 1560 1561 if (context) { 1562 /* Only log if audit is enabled */ 1563 if (context->in_syscall) { 1564 struct audit_buffer *ab; 1565 1566 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN); 1567 if (ab) { 1568 audit_log_format(ab, "login pid=%d uid=%u " 1569 "old auid=%u new auid=%u", 1570 task->pid, task->uid, 1571 context->loginuid, loginuid); 1572 audit_log_end(ab); 1573 } 1574 } 1575 context->loginuid = loginuid; 1576 } 1577 return 0; 1578 } 1579 1580 /** 1581 * audit_get_loginuid - get the loginuid for an audit_context 1582 * @ctx: the audit_context 1583 * 1584 * Returns the context's loginuid or -1 if @ctx is NULL. 1585 */ 1586 uid_t audit_get_loginuid(struct audit_context *ctx) 1587 { 1588 return ctx ? ctx->loginuid : -1; 1589 } 1590 1591 EXPORT_SYMBOL(audit_get_loginuid); 1592 1593 /** 1594 * __audit_mq_open - record audit data for a POSIX MQ open 1595 * @oflag: open flag 1596 * @mode: mode bits 1597 * @u_attr: queue attributes 1598 * 1599 * Returns 0 for success or NULL context or < 0 on error. 1600 */ 1601 int __audit_mq_open(int oflag, mode_t mode, struct mq_attr __user *u_attr) 1602 { 1603 struct audit_aux_data_mq_open *ax; 1604 struct audit_context *context = current->audit_context; 1605 1606 if (!audit_enabled) 1607 return 0; 1608 1609 if (likely(!context)) 1610 return 0; 1611 1612 ax = kmalloc(sizeof(*ax), GFP_ATOMIC); 1613 if (!ax) 1614 return -ENOMEM; 1615 1616 if (u_attr != NULL) { 1617 if (copy_from_user(&ax->attr, u_attr, sizeof(ax->attr))) { 1618 kfree(ax); 1619 return -EFAULT; 1620 } 1621 } else 1622 memset(&ax->attr, 0, sizeof(ax->attr)); 1623 1624 ax->oflag = oflag; 1625 ax->mode = mode; 1626 1627 ax->d.type = AUDIT_MQ_OPEN; 1628 ax->d.next = context->aux; 1629 context->aux = (void *)ax; 1630 return 0; 1631 } 1632 1633 /** 1634 * __audit_mq_timedsend - record audit data for a POSIX MQ timed send 1635 * @mqdes: MQ descriptor 1636 * @msg_len: Message length 1637 * @msg_prio: Message priority 1638 * @u_abs_timeout: Message timeout in absolute time 1639 * 1640 * Returns 0 for success or NULL context or < 0 on error. 1641 */ 1642 int __audit_mq_timedsend(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, 1643 const struct timespec __user *u_abs_timeout) 1644 { 1645 struct audit_aux_data_mq_sendrecv *ax; 1646 struct audit_context *context = current->audit_context; 1647 1648 if (!audit_enabled) 1649 return 0; 1650 1651 if (likely(!context)) 1652 return 0; 1653 1654 ax = kmalloc(sizeof(*ax), GFP_ATOMIC); 1655 if (!ax) 1656 return -ENOMEM; 1657 1658 if (u_abs_timeout != NULL) { 1659 if (copy_from_user(&ax->abs_timeout, u_abs_timeout, sizeof(ax->abs_timeout))) { 1660 kfree(ax); 1661 return -EFAULT; 1662 } 1663 } else 1664 memset(&ax->abs_timeout, 0, sizeof(ax->abs_timeout)); 1665 1666 ax->mqdes = mqdes; 1667 ax->msg_len = msg_len; 1668 ax->msg_prio = msg_prio; 1669 1670 ax->d.type = AUDIT_MQ_SENDRECV; 1671 ax->d.next = context->aux; 1672 context->aux = (void *)ax; 1673 return 0; 1674 } 1675 1676 /** 1677 * __audit_mq_timedreceive - record audit data for a POSIX MQ timed receive 1678 * @mqdes: MQ descriptor 1679 * @msg_len: Message length 1680 * @u_msg_prio: Message priority 1681 * @u_abs_timeout: Message timeout in absolute time 1682 * 1683 * Returns 0 for success or NULL context or < 0 on error. 1684 */ 1685 int __audit_mq_timedreceive(mqd_t mqdes, size_t msg_len, 1686 unsigned int __user *u_msg_prio, 1687 const struct timespec __user *u_abs_timeout) 1688 { 1689 struct audit_aux_data_mq_sendrecv *ax; 1690 struct audit_context *context = current->audit_context; 1691 1692 if (!audit_enabled) 1693 return 0; 1694 1695 if (likely(!context)) 1696 return 0; 1697 1698 ax = kmalloc(sizeof(*ax), GFP_ATOMIC); 1699 if (!ax) 1700 return -ENOMEM; 1701 1702 if (u_msg_prio != NULL) { 1703 if (get_user(ax->msg_prio, u_msg_prio)) { 1704 kfree(ax); 1705 return -EFAULT; 1706 } 1707 } else 1708 ax->msg_prio = 0; 1709 1710 if (u_abs_timeout != NULL) { 1711 if (copy_from_user(&ax->abs_timeout, u_abs_timeout, sizeof(ax->abs_timeout))) { 1712 kfree(ax); 1713 return -EFAULT; 1714 } 1715 } else 1716 memset(&ax->abs_timeout, 0, sizeof(ax->abs_timeout)); 1717 1718 ax->mqdes = mqdes; 1719 ax->msg_len = msg_len; 1720 1721 ax->d.type = AUDIT_MQ_SENDRECV; 1722 ax->d.next = context->aux; 1723 context->aux = (void *)ax; 1724 return 0; 1725 } 1726 1727 /** 1728 * __audit_mq_notify - record audit data for a POSIX MQ notify 1729 * @mqdes: MQ descriptor 1730 * @u_notification: Notification event 1731 * 1732 * Returns 0 for success or NULL context or < 0 on error. 1733 */ 1734 1735 int __audit_mq_notify(mqd_t mqdes, const struct sigevent __user *u_notification) 1736 { 1737 struct audit_aux_data_mq_notify *ax; 1738 struct audit_context *context = current->audit_context; 1739 1740 if (!audit_enabled) 1741 return 0; 1742 1743 if (likely(!context)) 1744 return 0; 1745 1746 ax = kmalloc(sizeof(*ax), GFP_ATOMIC); 1747 if (!ax) 1748 return -ENOMEM; 1749 1750 if (u_notification != NULL) { 1751 if (copy_from_user(&ax->notification, u_notification, sizeof(ax->notification))) { 1752 kfree(ax); 1753 return -EFAULT; 1754 } 1755 } else 1756 memset(&ax->notification, 0, sizeof(ax->notification)); 1757 1758 ax->mqdes = mqdes; 1759 1760 ax->d.type = AUDIT_MQ_NOTIFY; 1761 ax->d.next = context->aux; 1762 context->aux = (void *)ax; 1763 return 0; 1764 } 1765 1766 /** 1767 * __audit_mq_getsetattr - record audit data for a POSIX MQ get/set attribute 1768 * @mqdes: MQ descriptor 1769 * @mqstat: MQ flags 1770 * 1771 * Returns 0 for success or NULL context or < 0 on error. 1772 */ 1773 int __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat) 1774 { 1775 struct audit_aux_data_mq_getsetattr *ax; 1776 struct audit_context *context = current->audit_context; 1777 1778 if (!audit_enabled) 1779 return 0; 1780 1781 if (likely(!context)) 1782 return 0; 1783 1784 ax = kmalloc(sizeof(*ax), GFP_ATOMIC); 1785 if (!ax) 1786 return -ENOMEM; 1787 1788 ax->mqdes = mqdes; 1789 ax->mqstat = *mqstat; 1790 1791 ax->d.type = AUDIT_MQ_GETSETATTR; 1792 ax->d.next = context->aux; 1793 context->aux = (void *)ax; 1794 return 0; 1795 } 1796 1797 /** 1798 * audit_ipc_obj - record audit data for ipc object 1799 * @ipcp: ipc permissions 1800 * 1801 * Returns 0 for success or NULL context or < 0 on error. 1802 */ 1803 int __audit_ipc_obj(struct kern_ipc_perm *ipcp) 1804 { 1805 struct audit_aux_data_ipcctl *ax; 1806 struct audit_context *context = current->audit_context; 1807 1808 ax = kmalloc(sizeof(*ax), GFP_ATOMIC); 1809 if (!ax) 1810 return -ENOMEM; 1811 1812 ax->uid = ipcp->uid; 1813 ax->gid = ipcp->gid; 1814 ax->mode = ipcp->mode; 1815 selinux_get_ipc_sid(ipcp, &ax->osid); 1816 1817 ax->d.type = AUDIT_IPC; 1818 ax->d.next = context->aux; 1819 context->aux = (void *)ax; 1820 return 0; 1821 } 1822 1823 /** 1824 * audit_ipc_set_perm - record audit data for new ipc permissions 1825 * @qbytes: msgq bytes 1826 * @uid: msgq user id 1827 * @gid: msgq group id 1828 * @mode: msgq mode (permissions) 1829 * 1830 * Returns 0 for success or NULL context or < 0 on error. 1831 */ 1832 int __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode) 1833 { 1834 struct audit_aux_data_ipcctl *ax; 1835 struct audit_context *context = current->audit_context; 1836 1837 ax = kmalloc(sizeof(*ax), GFP_ATOMIC); 1838 if (!ax) 1839 return -ENOMEM; 1840 1841 ax->qbytes = qbytes; 1842 ax->uid = uid; 1843 ax->gid = gid; 1844 ax->mode = mode; 1845 1846 ax->d.type = AUDIT_IPC_SET_PERM; 1847 ax->d.next = context->aux; 1848 context->aux = (void *)ax; 1849 return 0; 1850 } 1851 1852 int audit_argv_kb = 32; 1853 1854 int audit_bprm(struct linux_binprm *bprm) 1855 { 1856 struct audit_aux_data_execve *ax; 1857 struct audit_context *context = current->audit_context; 1858 1859 if (likely(!audit_enabled || !context || context->dummy)) 1860 return 0; 1861 1862 /* 1863 * Even though the stack code doesn't limit the arg+env size any more, 1864 * the audit code requires that _all_ arguments be logged in a single 1865 * netlink skb. Hence cap it :-( 1866 */ 1867 if (bprm->argv_len > (audit_argv_kb << 10)) 1868 return -E2BIG; 1869 1870 ax = kmalloc(sizeof(*ax), GFP_KERNEL); 1871 if (!ax) 1872 return -ENOMEM; 1873 1874 ax->argc = bprm->argc; 1875 ax->envc = bprm->envc; 1876 ax->mm = bprm->mm; 1877 ax->d.type = AUDIT_EXECVE; 1878 ax->d.next = context->aux; 1879 context->aux = (void *)ax; 1880 return 0; 1881 } 1882 1883 1884 /** 1885 * audit_socketcall - record audit data for sys_socketcall 1886 * @nargs: number of args 1887 * @args: args array 1888 * 1889 * Returns 0 for success or NULL context or < 0 on error. 1890 */ 1891 int audit_socketcall(int nargs, unsigned long *args) 1892 { 1893 struct audit_aux_data_socketcall *ax; 1894 struct audit_context *context = current->audit_context; 1895 1896 if (likely(!context || context->dummy)) 1897 return 0; 1898 1899 ax = kmalloc(sizeof(*ax) + nargs * sizeof(unsigned long), GFP_KERNEL); 1900 if (!ax) 1901 return -ENOMEM; 1902 1903 ax->nargs = nargs; 1904 memcpy(ax->args, args, nargs * sizeof(unsigned long)); 1905 1906 ax->d.type = AUDIT_SOCKETCALL; 1907 ax->d.next = context->aux; 1908 context->aux = (void *)ax; 1909 return 0; 1910 } 1911 1912 /** 1913 * __audit_fd_pair - record audit data for pipe and socketpair 1914 * @fd1: the first file descriptor 1915 * @fd2: the second file descriptor 1916 * 1917 * Returns 0 for success or NULL context or < 0 on error. 1918 */ 1919 int __audit_fd_pair(int fd1, int fd2) 1920 { 1921 struct audit_context *context = current->audit_context; 1922 struct audit_aux_data_fd_pair *ax; 1923 1924 if (likely(!context)) { 1925 return 0; 1926 } 1927 1928 ax = kmalloc(sizeof(*ax), GFP_KERNEL); 1929 if (!ax) { 1930 return -ENOMEM; 1931 } 1932 1933 ax->fd[0] = fd1; 1934 ax->fd[1] = fd2; 1935 1936 ax->d.type = AUDIT_FD_PAIR; 1937 ax->d.next = context->aux; 1938 context->aux = (void *)ax; 1939 return 0; 1940 } 1941 1942 /** 1943 * audit_sockaddr - record audit data for sys_bind, sys_connect, sys_sendto 1944 * @len: data length in user space 1945 * @a: data address in kernel space 1946 * 1947 * Returns 0 for success or NULL context or < 0 on error. 1948 */ 1949 int audit_sockaddr(int len, void *a) 1950 { 1951 struct audit_aux_data_sockaddr *ax; 1952 struct audit_context *context = current->audit_context; 1953 1954 if (likely(!context || context->dummy)) 1955 return 0; 1956 1957 ax = kmalloc(sizeof(*ax) + len, GFP_KERNEL); 1958 if (!ax) 1959 return -ENOMEM; 1960 1961 ax->len = len; 1962 memcpy(ax->a, a, len); 1963 1964 ax->d.type = AUDIT_SOCKADDR; 1965 ax->d.next = context->aux; 1966 context->aux = (void *)ax; 1967 return 0; 1968 } 1969 1970 void __audit_ptrace(struct task_struct *t) 1971 { 1972 struct audit_context *context = current->audit_context; 1973 1974 context->target_pid = t->pid; 1975 selinux_get_task_sid(t, &context->target_sid); 1976 } 1977 1978 /** 1979 * audit_signal_info - record signal info for shutting down audit subsystem 1980 * @sig: signal value 1981 * @t: task being signaled 1982 * 1983 * If the audit subsystem is being terminated, record the task (pid) 1984 * and uid that is doing that. 1985 */ 1986 int __audit_signal_info(int sig, struct task_struct *t) 1987 { 1988 struct audit_aux_data_pids *axp; 1989 struct task_struct *tsk = current; 1990 struct audit_context *ctx = tsk->audit_context; 1991 extern pid_t audit_sig_pid; 1992 extern uid_t audit_sig_uid; 1993 extern u32 audit_sig_sid; 1994 1995 if (audit_pid && t->tgid == audit_pid) { 1996 if (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1) { 1997 audit_sig_pid = tsk->pid; 1998 if (ctx) 1999 audit_sig_uid = ctx->loginuid; 2000 else 2001 audit_sig_uid = tsk->uid; 2002 selinux_get_task_sid(tsk, &audit_sig_sid); 2003 } 2004 if (!audit_signals || audit_dummy_context()) 2005 return 0; 2006 } 2007 2008 /* optimize the common case by putting first signal recipient directly 2009 * in audit_context */ 2010 if (!ctx->target_pid) { 2011 ctx->target_pid = t->tgid; 2012 selinux_get_task_sid(t, &ctx->target_sid); 2013 return 0; 2014 } 2015 2016 axp = (void *)ctx->aux_pids; 2017 if (!axp || axp->pid_count == AUDIT_AUX_PIDS) { 2018 axp = kzalloc(sizeof(*axp), GFP_ATOMIC); 2019 if (!axp) 2020 return -ENOMEM; 2021 2022 axp->d.type = AUDIT_OBJ_PID; 2023 axp->d.next = ctx->aux_pids; 2024 ctx->aux_pids = (void *)axp; 2025 } 2026 BUG_ON(axp->pid_count >= AUDIT_AUX_PIDS); 2027 2028 axp->target_pid[axp->pid_count] = t->tgid; 2029 selinux_get_task_sid(t, &axp->target_sid[axp->pid_count]); 2030 axp->pid_count++; 2031 2032 return 0; 2033 } 2034 2035 /** 2036 * audit_core_dumps - record information about processes that end abnormally 2037 * @signr: signal value 2038 * 2039 * If a process ends with a core dump, something fishy is going on and we 2040 * should record the event for investigation. 2041 */ 2042 void audit_core_dumps(long signr) 2043 { 2044 struct audit_buffer *ab; 2045 u32 sid; 2046 2047 if (!audit_enabled) 2048 return; 2049 2050 if (signr == SIGQUIT) /* don't care for those */ 2051 return; 2052 2053 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND); 2054 audit_log_format(ab, "auid=%u uid=%u gid=%u", 2055 audit_get_loginuid(current->audit_context), 2056 current->uid, current->gid); 2057 selinux_get_task_sid(current, &sid); 2058 if (sid) { 2059 char *ctx = NULL; 2060 u32 len; 2061 2062 if (selinux_sid_to_string(sid, &ctx, &len)) 2063 audit_log_format(ab, " ssid=%u", sid); 2064 else 2065 audit_log_format(ab, " subj=%s", ctx); 2066 kfree(ctx); 2067 } 2068 audit_log_format(ab, " pid=%d comm=", current->pid); 2069 audit_log_untrustedstring(ab, current->comm); 2070 audit_log_format(ab, " sig=%ld", signr); 2071 audit_log_end(ab); 2072 } 2073