xref: /openbmc/linux/kernel/auditsc.c (revision 8440bb9b)
1 /* auditsc.c -- System-call auditing support
2  * Handles all system-call specific auditing features.
3  *
4  * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina.
5  * Copyright 2005 Hewlett-Packard Development Company, L.P.
6  * Copyright (C) 2005, 2006 IBM Corporation
7  * All Rights Reserved.
8  *
9  * This program is free software; you can redistribute it and/or modify
10  * it under the terms of the GNU General Public License as published by
11  * the Free Software Foundation; either version 2 of the License, or
12  * (at your option) any later version.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License
20  * along with this program; if not, write to the Free Software
21  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
22  *
23  * Written by Rickard E. (Rik) Faith <faith@redhat.com>
24  *
25  * Many of the ideas implemented here are from Stephen C. Tweedie,
26  * especially the idea of avoiding a copy by using getname.
27  *
28  * The method for actual interception of syscall entry and exit (not in
29  * this file -- see entry.S) is based on a GPL'd patch written by
30  * okir@suse.de and Copyright 2003 SuSE Linux AG.
31  *
32  * POSIX message queue support added by George Wilson <ltcgcw@us.ibm.com>,
33  * 2006.
34  *
35  * The support of additional filter rules compares (>, <, >=, <=) was
36  * added by Dustin Kirkland <dustin.kirkland@us.ibm.com>, 2005.
37  *
38  * Modified by Amy Griffis <amy.griffis@hp.com> to collect additional
39  * filesystem information.
40  *
41  * Subject and object context labeling support added by <danjones@us.ibm.com>
42  * and <dustin.kirkland@us.ibm.com> for LSPP certification compliance.
43  */
44 
45 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
46 
47 #include <linux/init.h>
48 #include <asm/types.h>
49 #include <linux/atomic.h>
50 #include <linux/fs.h>
51 #include <linux/namei.h>
52 #include <linux/mm.h>
53 #include <linux/export.h>
54 #include <linux/slab.h>
55 #include <linux/mount.h>
56 #include <linux/socket.h>
57 #include <linux/mqueue.h>
58 #include <linux/audit.h>
59 #include <linux/personality.h>
60 #include <linux/time.h>
61 #include <linux/netlink.h>
62 #include <linux/compiler.h>
63 #include <asm/unistd.h>
64 #include <linux/security.h>
65 #include <linux/list.h>
66 #include <linux/binfmts.h>
67 #include <linux/highmem.h>
68 #include <linux/syscalls.h>
69 #include <asm/syscall.h>
70 #include <linux/capability.h>
71 #include <linux/fs_struct.h>
72 #include <linux/compat.h>
73 #include <linux/ctype.h>
74 #include <linux/string.h>
75 #include <linux/uaccess.h>
76 #include <linux/fsnotify_backend.h>
77 #include <uapi/linux/limits.h>
78 
79 #include "audit.h"
80 
81 /* flags stating the success for a syscall */
82 #define AUDITSC_INVALID 0
83 #define AUDITSC_SUCCESS 1
84 #define AUDITSC_FAILURE 2
85 
86 /* no execve audit message should be longer than this (userspace limits),
87  * see the note near the top of audit_log_execve_info() about this value */
88 #define MAX_EXECVE_AUDIT_LEN 7500
89 
90 /* max length to print of cmdline/proctitle value during audit */
91 #define MAX_PROCTITLE_AUDIT_LEN 128
92 
93 /* number of audit rules */
94 int audit_n_rules;
95 
96 /* determines whether we collect data for signals sent */
97 int audit_signals;
98 
99 struct audit_aux_data {
100 	struct audit_aux_data	*next;
101 	int			type;
102 };
103 
104 #define AUDIT_AUX_IPCPERM	0
105 
106 /* Number of target pids per aux struct. */
107 #define AUDIT_AUX_PIDS	16
108 
109 struct audit_aux_data_pids {
110 	struct audit_aux_data	d;
111 	pid_t			target_pid[AUDIT_AUX_PIDS];
112 	kuid_t			target_auid[AUDIT_AUX_PIDS];
113 	kuid_t			target_uid[AUDIT_AUX_PIDS];
114 	unsigned int		target_sessionid[AUDIT_AUX_PIDS];
115 	u32			target_sid[AUDIT_AUX_PIDS];
116 	char 			target_comm[AUDIT_AUX_PIDS][TASK_COMM_LEN];
117 	int			pid_count;
118 };
119 
120 struct audit_aux_data_bprm_fcaps {
121 	struct audit_aux_data	d;
122 	struct audit_cap_data	fcap;
123 	unsigned int		fcap_ver;
124 	struct audit_cap_data	old_pcap;
125 	struct audit_cap_data	new_pcap;
126 };
127 
128 struct audit_tree_refs {
129 	struct audit_tree_refs *next;
130 	struct audit_chunk *c[31];
131 };
132 
133 static int audit_match_perm(struct audit_context *ctx, int mask)
134 {
135 	unsigned n;
136 	if (unlikely(!ctx))
137 		return 0;
138 	n = ctx->major;
139 
140 	switch (audit_classify_syscall(ctx->arch, n)) {
141 	case 0:	/* native */
142 		if ((mask & AUDIT_PERM_WRITE) &&
143 		     audit_match_class(AUDIT_CLASS_WRITE, n))
144 			return 1;
145 		if ((mask & AUDIT_PERM_READ) &&
146 		     audit_match_class(AUDIT_CLASS_READ, n))
147 			return 1;
148 		if ((mask & AUDIT_PERM_ATTR) &&
149 		     audit_match_class(AUDIT_CLASS_CHATTR, n))
150 			return 1;
151 		return 0;
152 	case 1: /* 32bit on biarch */
153 		if ((mask & AUDIT_PERM_WRITE) &&
154 		     audit_match_class(AUDIT_CLASS_WRITE_32, n))
155 			return 1;
156 		if ((mask & AUDIT_PERM_READ) &&
157 		     audit_match_class(AUDIT_CLASS_READ_32, n))
158 			return 1;
159 		if ((mask & AUDIT_PERM_ATTR) &&
160 		     audit_match_class(AUDIT_CLASS_CHATTR_32, n))
161 			return 1;
162 		return 0;
163 	case 2: /* open */
164 		return mask & ACC_MODE(ctx->argv[1]);
165 	case 3: /* openat */
166 		return mask & ACC_MODE(ctx->argv[2]);
167 	case 4: /* socketcall */
168 		return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND);
169 	case 5: /* execve */
170 		return mask & AUDIT_PERM_EXEC;
171 	default:
172 		return 0;
173 	}
174 }
175 
176 static int audit_match_filetype(struct audit_context *ctx, int val)
177 {
178 	struct audit_names *n;
179 	umode_t mode = (umode_t)val;
180 
181 	if (unlikely(!ctx))
182 		return 0;
183 
184 	list_for_each_entry(n, &ctx->names_list, list) {
185 		if ((n->ino != AUDIT_INO_UNSET) &&
186 		    ((n->mode & S_IFMT) == mode))
187 			return 1;
188 	}
189 
190 	return 0;
191 }
192 
193 /*
194  * We keep a linked list of fixed-sized (31 pointer) arrays of audit_chunk *;
195  * ->first_trees points to its beginning, ->trees - to the current end of data.
196  * ->tree_count is the number of free entries in array pointed to by ->trees.
197  * Original condition is (NULL, NULL, 0); as soon as it grows we never revert to NULL,
198  * "empty" becomes (p, p, 31) afterwards.  We don't shrink the list (and seriously,
199  * it's going to remain 1-element for almost any setup) until we free context itself.
200  * References in it _are_ dropped - at the same time we free/drop aux stuff.
201  */
202 
203 static void audit_set_auditable(struct audit_context *ctx)
204 {
205 	if (!ctx->prio) {
206 		ctx->prio = 1;
207 		ctx->current_state = AUDIT_RECORD_CONTEXT;
208 	}
209 }
210 
211 static int put_tree_ref(struct audit_context *ctx, struct audit_chunk *chunk)
212 {
213 	struct audit_tree_refs *p = ctx->trees;
214 	int left = ctx->tree_count;
215 	if (likely(left)) {
216 		p->c[--left] = chunk;
217 		ctx->tree_count = left;
218 		return 1;
219 	}
220 	if (!p)
221 		return 0;
222 	p = p->next;
223 	if (p) {
224 		p->c[30] = chunk;
225 		ctx->trees = p;
226 		ctx->tree_count = 30;
227 		return 1;
228 	}
229 	return 0;
230 }
231 
232 static int grow_tree_refs(struct audit_context *ctx)
233 {
234 	struct audit_tree_refs *p = ctx->trees;
235 	ctx->trees = kzalloc(sizeof(struct audit_tree_refs), GFP_KERNEL);
236 	if (!ctx->trees) {
237 		ctx->trees = p;
238 		return 0;
239 	}
240 	if (p)
241 		p->next = ctx->trees;
242 	else
243 		ctx->first_trees = ctx->trees;
244 	ctx->tree_count = 31;
245 	return 1;
246 }
247 
248 static void unroll_tree_refs(struct audit_context *ctx,
249 		      struct audit_tree_refs *p, int count)
250 {
251 	struct audit_tree_refs *q;
252 	int n;
253 	if (!p) {
254 		/* we started with empty chain */
255 		p = ctx->first_trees;
256 		count = 31;
257 		/* if the very first allocation has failed, nothing to do */
258 		if (!p)
259 			return;
260 	}
261 	n = count;
262 	for (q = p; q != ctx->trees; q = q->next, n = 31) {
263 		while (n--) {
264 			audit_put_chunk(q->c[n]);
265 			q->c[n] = NULL;
266 		}
267 	}
268 	while (n-- > ctx->tree_count) {
269 		audit_put_chunk(q->c[n]);
270 		q->c[n] = NULL;
271 	}
272 	ctx->trees = p;
273 	ctx->tree_count = count;
274 }
275 
276 static void free_tree_refs(struct audit_context *ctx)
277 {
278 	struct audit_tree_refs *p, *q;
279 	for (p = ctx->first_trees; p; p = q) {
280 		q = p->next;
281 		kfree(p);
282 	}
283 }
284 
285 static int match_tree_refs(struct audit_context *ctx, struct audit_tree *tree)
286 {
287 	struct audit_tree_refs *p;
288 	int n;
289 	if (!tree)
290 		return 0;
291 	/* full ones */
292 	for (p = ctx->first_trees; p != ctx->trees; p = p->next) {
293 		for (n = 0; n < 31; n++)
294 			if (audit_tree_match(p->c[n], tree))
295 				return 1;
296 	}
297 	/* partial */
298 	if (p) {
299 		for (n = ctx->tree_count; n < 31; n++)
300 			if (audit_tree_match(p->c[n], tree))
301 				return 1;
302 	}
303 	return 0;
304 }
305 
306 static int audit_compare_uid(kuid_t uid,
307 			     struct audit_names *name,
308 			     struct audit_field *f,
309 			     struct audit_context *ctx)
310 {
311 	struct audit_names *n;
312 	int rc;
313 
314 	if (name) {
315 		rc = audit_uid_comparator(uid, f->op, name->uid);
316 		if (rc)
317 			return rc;
318 	}
319 
320 	if (ctx) {
321 		list_for_each_entry(n, &ctx->names_list, list) {
322 			rc = audit_uid_comparator(uid, f->op, n->uid);
323 			if (rc)
324 				return rc;
325 		}
326 	}
327 	return 0;
328 }
329 
330 static int audit_compare_gid(kgid_t gid,
331 			     struct audit_names *name,
332 			     struct audit_field *f,
333 			     struct audit_context *ctx)
334 {
335 	struct audit_names *n;
336 	int rc;
337 
338 	if (name) {
339 		rc = audit_gid_comparator(gid, f->op, name->gid);
340 		if (rc)
341 			return rc;
342 	}
343 
344 	if (ctx) {
345 		list_for_each_entry(n, &ctx->names_list, list) {
346 			rc = audit_gid_comparator(gid, f->op, n->gid);
347 			if (rc)
348 				return rc;
349 		}
350 	}
351 	return 0;
352 }
353 
354 static int audit_field_compare(struct task_struct *tsk,
355 			       const struct cred *cred,
356 			       struct audit_field *f,
357 			       struct audit_context *ctx,
358 			       struct audit_names *name)
359 {
360 	switch (f->val) {
361 	/* process to file object comparisons */
362 	case AUDIT_COMPARE_UID_TO_OBJ_UID:
363 		return audit_compare_uid(cred->uid, name, f, ctx);
364 	case AUDIT_COMPARE_GID_TO_OBJ_GID:
365 		return audit_compare_gid(cred->gid, name, f, ctx);
366 	case AUDIT_COMPARE_EUID_TO_OBJ_UID:
367 		return audit_compare_uid(cred->euid, name, f, ctx);
368 	case AUDIT_COMPARE_EGID_TO_OBJ_GID:
369 		return audit_compare_gid(cred->egid, name, f, ctx);
370 	case AUDIT_COMPARE_AUID_TO_OBJ_UID:
371 		return audit_compare_uid(audit_get_loginuid(tsk), name, f, ctx);
372 	case AUDIT_COMPARE_SUID_TO_OBJ_UID:
373 		return audit_compare_uid(cred->suid, name, f, ctx);
374 	case AUDIT_COMPARE_SGID_TO_OBJ_GID:
375 		return audit_compare_gid(cred->sgid, name, f, ctx);
376 	case AUDIT_COMPARE_FSUID_TO_OBJ_UID:
377 		return audit_compare_uid(cred->fsuid, name, f, ctx);
378 	case AUDIT_COMPARE_FSGID_TO_OBJ_GID:
379 		return audit_compare_gid(cred->fsgid, name, f, ctx);
380 	/* uid comparisons */
381 	case AUDIT_COMPARE_UID_TO_AUID:
382 		return audit_uid_comparator(cred->uid, f->op,
383 					    audit_get_loginuid(tsk));
384 	case AUDIT_COMPARE_UID_TO_EUID:
385 		return audit_uid_comparator(cred->uid, f->op, cred->euid);
386 	case AUDIT_COMPARE_UID_TO_SUID:
387 		return audit_uid_comparator(cred->uid, f->op, cred->suid);
388 	case AUDIT_COMPARE_UID_TO_FSUID:
389 		return audit_uid_comparator(cred->uid, f->op, cred->fsuid);
390 	/* auid comparisons */
391 	case AUDIT_COMPARE_AUID_TO_EUID:
392 		return audit_uid_comparator(audit_get_loginuid(tsk), f->op,
393 					    cred->euid);
394 	case AUDIT_COMPARE_AUID_TO_SUID:
395 		return audit_uid_comparator(audit_get_loginuid(tsk), f->op,
396 					    cred->suid);
397 	case AUDIT_COMPARE_AUID_TO_FSUID:
398 		return audit_uid_comparator(audit_get_loginuid(tsk), f->op,
399 					    cred->fsuid);
400 	/* euid comparisons */
401 	case AUDIT_COMPARE_EUID_TO_SUID:
402 		return audit_uid_comparator(cred->euid, f->op, cred->suid);
403 	case AUDIT_COMPARE_EUID_TO_FSUID:
404 		return audit_uid_comparator(cred->euid, f->op, cred->fsuid);
405 	/* suid comparisons */
406 	case AUDIT_COMPARE_SUID_TO_FSUID:
407 		return audit_uid_comparator(cred->suid, f->op, cred->fsuid);
408 	/* gid comparisons */
409 	case AUDIT_COMPARE_GID_TO_EGID:
410 		return audit_gid_comparator(cred->gid, f->op, cred->egid);
411 	case AUDIT_COMPARE_GID_TO_SGID:
412 		return audit_gid_comparator(cred->gid, f->op, cred->sgid);
413 	case AUDIT_COMPARE_GID_TO_FSGID:
414 		return audit_gid_comparator(cred->gid, f->op, cred->fsgid);
415 	/* egid comparisons */
416 	case AUDIT_COMPARE_EGID_TO_SGID:
417 		return audit_gid_comparator(cred->egid, f->op, cred->sgid);
418 	case AUDIT_COMPARE_EGID_TO_FSGID:
419 		return audit_gid_comparator(cred->egid, f->op, cred->fsgid);
420 	/* sgid comparison */
421 	case AUDIT_COMPARE_SGID_TO_FSGID:
422 		return audit_gid_comparator(cred->sgid, f->op, cred->fsgid);
423 	default:
424 		WARN(1, "Missing AUDIT_COMPARE define.  Report as a bug\n");
425 		return 0;
426 	}
427 	return 0;
428 }
429 
430 /* Determine if any context name data matches a rule's watch data */
431 /* Compare a task_struct with an audit_rule.  Return 1 on match, 0
432  * otherwise.
433  *
434  * If task_creation is true, this is an explicit indication that we are
435  * filtering a task rule at task creation time.  This and tsk == current are
436  * the only situations where tsk->cred may be accessed without an rcu read lock.
437  */
438 static int audit_filter_rules(struct task_struct *tsk,
439 			      struct audit_krule *rule,
440 			      struct audit_context *ctx,
441 			      struct audit_names *name,
442 			      enum audit_state *state,
443 			      bool task_creation)
444 {
445 	const struct cred *cred;
446 	int i, need_sid = 1;
447 	u32 sid;
448 	unsigned int sessionid;
449 
450 	cred = rcu_dereference_check(tsk->cred, tsk == current || task_creation);
451 
452 	for (i = 0; i < rule->field_count; i++) {
453 		struct audit_field *f = &rule->fields[i];
454 		struct audit_names *n;
455 		int result = 0;
456 		pid_t pid;
457 
458 		switch (f->type) {
459 		case AUDIT_PID:
460 			pid = task_tgid_nr(tsk);
461 			result = audit_comparator(pid, f->op, f->val);
462 			break;
463 		case AUDIT_PPID:
464 			if (ctx) {
465 				if (!ctx->ppid)
466 					ctx->ppid = task_ppid_nr(tsk);
467 				result = audit_comparator(ctx->ppid, f->op, f->val);
468 			}
469 			break;
470 		case AUDIT_EXE:
471 			result = audit_exe_compare(tsk, rule->exe);
472 			if (f->op == Audit_not_equal)
473 				result = !result;
474 			break;
475 		case AUDIT_UID:
476 			result = audit_uid_comparator(cred->uid, f->op, f->uid);
477 			break;
478 		case AUDIT_EUID:
479 			result = audit_uid_comparator(cred->euid, f->op, f->uid);
480 			break;
481 		case AUDIT_SUID:
482 			result = audit_uid_comparator(cred->suid, f->op, f->uid);
483 			break;
484 		case AUDIT_FSUID:
485 			result = audit_uid_comparator(cred->fsuid, f->op, f->uid);
486 			break;
487 		case AUDIT_GID:
488 			result = audit_gid_comparator(cred->gid, f->op, f->gid);
489 			if (f->op == Audit_equal) {
490 				if (!result)
491 					result = groups_search(cred->group_info, f->gid);
492 			} else if (f->op == Audit_not_equal) {
493 				if (result)
494 					result = !groups_search(cred->group_info, f->gid);
495 			}
496 			break;
497 		case AUDIT_EGID:
498 			result = audit_gid_comparator(cred->egid, f->op, f->gid);
499 			if (f->op == Audit_equal) {
500 				if (!result)
501 					result = groups_search(cred->group_info, f->gid);
502 			} else if (f->op == Audit_not_equal) {
503 				if (result)
504 					result = !groups_search(cred->group_info, f->gid);
505 			}
506 			break;
507 		case AUDIT_SGID:
508 			result = audit_gid_comparator(cred->sgid, f->op, f->gid);
509 			break;
510 		case AUDIT_FSGID:
511 			result = audit_gid_comparator(cred->fsgid, f->op, f->gid);
512 			break;
513 		case AUDIT_SESSIONID:
514 			sessionid = audit_get_sessionid(tsk);
515 			result = audit_comparator(sessionid, f->op, f->val);
516 			break;
517 		case AUDIT_PERS:
518 			result = audit_comparator(tsk->personality, f->op, f->val);
519 			break;
520 		case AUDIT_ARCH:
521 			if (ctx)
522 				result = audit_comparator(ctx->arch, f->op, f->val);
523 			break;
524 
525 		case AUDIT_EXIT:
526 			if (ctx && ctx->return_valid)
527 				result = audit_comparator(ctx->return_code, f->op, f->val);
528 			break;
529 		case AUDIT_SUCCESS:
530 			if (ctx && ctx->return_valid) {
531 				if (f->val)
532 					result = audit_comparator(ctx->return_valid, f->op, AUDITSC_SUCCESS);
533 				else
534 					result = audit_comparator(ctx->return_valid, f->op, AUDITSC_FAILURE);
535 			}
536 			break;
537 		case AUDIT_DEVMAJOR:
538 			if (name) {
539 				if (audit_comparator(MAJOR(name->dev), f->op, f->val) ||
540 				    audit_comparator(MAJOR(name->rdev), f->op, f->val))
541 					++result;
542 			} else if (ctx) {
543 				list_for_each_entry(n, &ctx->names_list, list) {
544 					if (audit_comparator(MAJOR(n->dev), f->op, f->val) ||
545 					    audit_comparator(MAJOR(n->rdev), f->op, f->val)) {
546 						++result;
547 						break;
548 					}
549 				}
550 			}
551 			break;
552 		case AUDIT_DEVMINOR:
553 			if (name) {
554 				if (audit_comparator(MINOR(name->dev), f->op, f->val) ||
555 				    audit_comparator(MINOR(name->rdev), f->op, f->val))
556 					++result;
557 			} else if (ctx) {
558 				list_for_each_entry(n, &ctx->names_list, list) {
559 					if (audit_comparator(MINOR(n->dev), f->op, f->val) ||
560 					    audit_comparator(MINOR(n->rdev), f->op, f->val)) {
561 						++result;
562 						break;
563 					}
564 				}
565 			}
566 			break;
567 		case AUDIT_INODE:
568 			if (name)
569 				result = audit_comparator(name->ino, f->op, f->val);
570 			else if (ctx) {
571 				list_for_each_entry(n, &ctx->names_list, list) {
572 					if (audit_comparator(n->ino, f->op, f->val)) {
573 						++result;
574 						break;
575 					}
576 				}
577 			}
578 			break;
579 		case AUDIT_OBJ_UID:
580 			if (name) {
581 				result = audit_uid_comparator(name->uid, f->op, f->uid);
582 			} else if (ctx) {
583 				list_for_each_entry(n, &ctx->names_list, list) {
584 					if (audit_uid_comparator(n->uid, f->op, f->uid)) {
585 						++result;
586 						break;
587 					}
588 				}
589 			}
590 			break;
591 		case AUDIT_OBJ_GID:
592 			if (name) {
593 				result = audit_gid_comparator(name->gid, f->op, f->gid);
594 			} else if (ctx) {
595 				list_for_each_entry(n, &ctx->names_list, list) {
596 					if (audit_gid_comparator(n->gid, f->op, f->gid)) {
597 						++result;
598 						break;
599 					}
600 				}
601 			}
602 			break;
603 		case AUDIT_WATCH:
604 			if (name)
605 				result = audit_watch_compare(rule->watch, name->ino, name->dev);
606 			break;
607 		case AUDIT_DIR:
608 			if (ctx)
609 				result = match_tree_refs(ctx, rule->tree);
610 			break;
611 		case AUDIT_LOGINUID:
612 			result = audit_uid_comparator(audit_get_loginuid(tsk),
613 						      f->op, f->uid);
614 			break;
615 		case AUDIT_LOGINUID_SET:
616 			result = audit_comparator(audit_loginuid_set(tsk), f->op, f->val);
617 			break;
618 		case AUDIT_SUBJ_USER:
619 		case AUDIT_SUBJ_ROLE:
620 		case AUDIT_SUBJ_TYPE:
621 		case AUDIT_SUBJ_SEN:
622 		case AUDIT_SUBJ_CLR:
623 			/* NOTE: this may return negative values indicating
624 			   a temporary error.  We simply treat this as a
625 			   match for now to avoid losing information that
626 			   may be wanted.   An error message will also be
627 			   logged upon error */
628 			if (f->lsm_rule) {
629 				if (need_sid) {
630 					security_task_getsecid(tsk, &sid);
631 					need_sid = 0;
632 				}
633 				result = security_audit_rule_match(sid, f->type,
634 								   f->op,
635 								   f->lsm_rule);
636 			}
637 			break;
638 		case AUDIT_OBJ_USER:
639 		case AUDIT_OBJ_ROLE:
640 		case AUDIT_OBJ_TYPE:
641 		case AUDIT_OBJ_LEV_LOW:
642 		case AUDIT_OBJ_LEV_HIGH:
643 			/* The above note for AUDIT_SUBJ_USER...AUDIT_SUBJ_CLR
644 			   also applies here */
645 			if (f->lsm_rule) {
646 				/* Find files that match */
647 				if (name) {
648 					result = security_audit_rule_match(
649 								name->osid,
650 								f->type,
651 								f->op,
652 								f->lsm_rule);
653 				} else if (ctx) {
654 					list_for_each_entry(n, &ctx->names_list, list) {
655 						if (security_audit_rule_match(
656 								n->osid,
657 								f->type,
658 								f->op,
659 								f->lsm_rule)) {
660 							++result;
661 							break;
662 						}
663 					}
664 				}
665 				/* Find ipc objects that match */
666 				if (!ctx || ctx->type != AUDIT_IPC)
667 					break;
668 				if (security_audit_rule_match(ctx->ipc.osid,
669 							      f->type, f->op,
670 							      f->lsm_rule))
671 					++result;
672 			}
673 			break;
674 		case AUDIT_ARG0:
675 		case AUDIT_ARG1:
676 		case AUDIT_ARG2:
677 		case AUDIT_ARG3:
678 			if (ctx)
679 				result = audit_comparator(ctx->argv[f->type-AUDIT_ARG0], f->op, f->val);
680 			break;
681 		case AUDIT_FILTERKEY:
682 			/* ignore this field for filtering */
683 			result = 1;
684 			break;
685 		case AUDIT_PERM:
686 			result = audit_match_perm(ctx, f->val);
687 			break;
688 		case AUDIT_FILETYPE:
689 			result = audit_match_filetype(ctx, f->val);
690 			break;
691 		case AUDIT_FIELD_COMPARE:
692 			result = audit_field_compare(tsk, cred, f, ctx, name);
693 			break;
694 		}
695 		if (!result)
696 			return 0;
697 	}
698 
699 	if (ctx) {
700 		if (rule->prio <= ctx->prio)
701 			return 0;
702 		if (rule->filterkey) {
703 			kfree(ctx->filterkey);
704 			ctx->filterkey = kstrdup(rule->filterkey, GFP_ATOMIC);
705 		}
706 		ctx->prio = rule->prio;
707 	}
708 	switch (rule->action) {
709 	case AUDIT_NEVER:
710 		*state = AUDIT_DISABLED;
711 		break;
712 	case AUDIT_ALWAYS:
713 		*state = AUDIT_RECORD_CONTEXT;
714 		break;
715 	}
716 	return 1;
717 }
718 
719 /* At process creation time, we can determine if system-call auditing is
720  * completely disabled for this task.  Since we only have the task
721  * structure at this point, we can only check uid and gid.
722  */
723 static enum audit_state audit_filter_task(struct task_struct *tsk, char **key)
724 {
725 	struct audit_entry *e;
726 	enum audit_state   state;
727 
728 	rcu_read_lock();
729 	list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TASK], list) {
730 		if (audit_filter_rules(tsk, &e->rule, NULL, NULL,
731 				       &state, true)) {
732 			if (state == AUDIT_RECORD_CONTEXT)
733 				*key = kstrdup(e->rule.filterkey, GFP_ATOMIC);
734 			rcu_read_unlock();
735 			return state;
736 		}
737 	}
738 	rcu_read_unlock();
739 	return AUDIT_BUILD_CONTEXT;
740 }
741 
742 static int audit_in_mask(const struct audit_krule *rule, unsigned long val)
743 {
744 	int word, bit;
745 
746 	if (val > 0xffffffff)
747 		return false;
748 
749 	word = AUDIT_WORD(val);
750 	if (word >= AUDIT_BITMASK_SIZE)
751 		return false;
752 
753 	bit = AUDIT_BIT(val);
754 
755 	return rule->mask[word] & bit;
756 }
757 
758 /* At syscall entry and exit time, this filter is called if the
759  * audit_state is not low enough that auditing cannot take place, but is
760  * also not high enough that we already know we have to write an audit
761  * record (i.e., the state is AUDIT_SETUP_CONTEXT or AUDIT_BUILD_CONTEXT).
762  */
763 static enum audit_state audit_filter_syscall(struct task_struct *tsk,
764 					     struct audit_context *ctx,
765 					     struct list_head *list)
766 {
767 	struct audit_entry *e;
768 	enum audit_state state;
769 
770 	if (auditd_test_task(tsk))
771 		return AUDIT_DISABLED;
772 
773 	rcu_read_lock();
774 	if (!list_empty(list)) {
775 		list_for_each_entry_rcu(e, list, list) {
776 			if (audit_in_mask(&e->rule, ctx->major) &&
777 			    audit_filter_rules(tsk, &e->rule, ctx, NULL,
778 					       &state, false)) {
779 				rcu_read_unlock();
780 				ctx->current_state = state;
781 				return state;
782 			}
783 		}
784 	}
785 	rcu_read_unlock();
786 	return AUDIT_BUILD_CONTEXT;
787 }
788 
789 /*
790  * Given an audit_name check the inode hash table to see if they match.
791  * Called holding the rcu read lock to protect the use of audit_inode_hash
792  */
793 static int audit_filter_inode_name(struct task_struct *tsk,
794 				   struct audit_names *n,
795 				   struct audit_context *ctx) {
796 	int h = audit_hash_ino((u32)n->ino);
797 	struct list_head *list = &audit_inode_hash[h];
798 	struct audit_entry *e;
799 	enum audit_state state;
800 
801 	if (list_empty(list))
802 		return 0;
803 
804 	list_for_each_entry_rcu(e, list, list) {
805 		if (audit_in_mask(&e->rule, ctx->major) &&
806 		    audit_filter_rules(tsk, &e->rule, ctx, n, &state, false)) {
807 			ctx->current_state = state;
808 			return 1;
809 		}
810 	}
811 
812 	return 0;
813 }
814 
815 /* At syscall exit time, this filter is called if any audit_names have been
816  * collected during syscall processing.  We only check rules in sublists at hash
817  * buckets applicable to the inode numbers in audit_names.
818  * Regarding audit_state, same rules apply as for audit_filter_syscall().
819  */
820 void audit_filter_inodes(struct task_struct *tsk, struct audit_context *ctx)
821 {
822 	struct audit_names *n;
823 
824 	if (auditd_test_task(tsk))
825 		return;
826 
827 	rcu_read_lock();
828 
829 	list_for_each_entry(n, &ctx->names_list, list) {
830 		if (audit_filter_inode_name(tsk, n, ctx))
831 			break;
832 	}
833 	rcu_read_unlock();
834 }
835 
836 static inline void audit_proctitle_free(struct audit_context *context)
837 {
838 	kfree(context->proctitle.value);
839 	context->proctitle.value = NULL;
840 	context->proctitle.len = 0;
841 }
842 
843 static inline void audit_free_names(struct audit_context *context)
844 {
845 	struct audit_names *n, *next;
846 
847 	list_for_each_entry_safe(n, next, &context->names_list, list) {
848 		list_del(&n->list);
849 		if (n->name)
850 			putname(n->name);
851 		if (n->should_free)
852 			kfree(n);
853 	}
854 	context->name_count = 0;
855 	path_put(&context->pwd);
856 	context->pwd.dentry = NULL;
857 	context->pwd.mnt = NULL;
858 }
859 
860 static inline void audit_free_aux(struct audit_context *context)
861 {
862 	struct audit_aux_data *aux;
863 
864 	while ((aux = context->aux)) {
865 		context->aux = aux->next;
866 		kfree(aux);
867 	}
868 	while ((aux = context->aux_pids)) {
869 		context->aux_pids = aux->next;
870 		kfree(aux);
871 	}
872 }
873 
874 static inline struct audit_context *audit_alloc_context(enum audit_state state)
875 {
876 	struct audit_context *context;
877 
878 	context = kzalloc(sizeof(*context), GFP_KERNEL);
879 	if (!context)
880 		return NULL;
881 	context->state = state;
882 	context->prio = state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0;
883 	INIT_LIST_HEAD(&context->killed_trees);
884 	INIT_LIST_HEAD(&context->names_list);
885 	return context;
886 }
887 
888 /**
889  * audit_alloc - allocate an audit context block for a task
890  * @tsk: task
891  *
892  * Filter on the task information and allocate a per-task audit context
893  * if necessary.  Doing so turns on system call auditing for the
894  * specified task.  This is called from copy_process, so no lock is
895  * needed.
896  */
897 int audit_alloc(struct task_struct *tsk)
898 {
899 	struct audit_context *context;
900 	enum audit_state     state;
901 	char *key = NULL;
902 
903 	if (likely(!audit_ever_enabled))
904 		return 0; /* Return if not auditing. */
905 
906 	state = audit_filter_task(tsk, &key);
907 	if (state == AUDIT_DISABLED) {
908 		clear_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT);
909 		return 0;
910 	}
911 
912 	if (!(context = audit_alloc_context(state))) {
913 		kfree(key);
914 		audit_log_lost("out of memory in audit_alloc");
915 		return -ENOMEM;
916 	}
917 	context->filterkey = key;
918 
919 	audit_set_context(tsk, context);
920 	set_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT);
921 	return 0;
922 }
923 
924 static inline void audit_free_context(struct audit_context *context)
925 {
926 	audit_free_names(context);
927 	unroll_tree_refs(context, NULL, 0);
928 	free_tree_refs(context);
929 	audit_free_aux(context);
930 	kfree(context->filterkey);
931 	kfree(context->sockaddr);
932 	audit_proctitle_free(context);
933 	kfree(context);
934 }
935 
936 static int audit_log_pid_context(struct audit_context *context, pid_t pid,
937 				 kuid_t auid, kuid_t uid, unsigned int sessionid,
938 				 u32 sid, char *comm)
939 {
940 	struct audit_buffer *ab;
941 	char *ctx = NULL;
942 	u32 len;
943 	int rc = 0;
944 
945 	ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID);
946 	if (!ab)
947 		return rc;
948 
949 	audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid,
950 			 from_kuid(&init_user_ns, auid),
951 			 from_kuid(&init_user_ns, uid), sessionid);
952 	if (sid) {
953 		if (security_secid_to_secctx(sid, &ctx, &len)) {
954 			audit_log_format(ab, " obj=(none)");
955 			rc = 1;
956 		} else {
957 			audit_log_format(ab, " obj=%s", ctx);
958 			security_release_secctx(ctx, len);
959 		}
960 	}
961 	audit_log_format(ab, " ocomm=");
962 	audit_log_untrustedstring(ab, comm);
963 	audit_log_end(ab);
964 
965 	return rc;
966 }
967 
968 static void audit_log_execve_info(struct audit_context *context,
969 				  struct audit_buffer **ab)
970 {
971 	long len_max;
972 	long len_rem;
973 	long len_full;
974 	long len_buf;
975 	long len_abuf = 0;
976 	long len_tmp;
977 	bool require_data;
978 	bool encode;
979 	unsigned int iter;
980 	unsigned int arg;
981 	char *buf_head;
982 	char *buf;
983 	const char __user *p = (const char __user *)current->mm->arg_start;
984 
985 	/* NOTE: this buffer needs to be large enough to hold all the non-arg
986 	 *       data we put in the audit record for this argument (see the
987 	 *       code below) ... at this point in time 96 is plenty */
988 	char abuf[96];
989 
990 	/* NOTE: we set MAX_EXECVE_AUDIT_LEN to a rather arbitrary limit, the
991 	 *       current value of 7500 is not as important as the fact that it
992 	 *       is less than 8k, a setting of 7500 gives us plenty of wiggle
993 	 *       room if we go over a little bit in the logging below */
994 	WARN_ON_ONCE(MAX_EXECVE_AUDIT_LEN > 7500);
995 	len_max = MAX_EXECVE_AUDIT_LEN;
996 
997 	/* scratch buffer to hold the userspace args */
998 	buf_head = kmalloc(MAX_EXECVE_AUDIT_LEN + 1, GFP_KERNEL);
999 	if (!buf_head) {
1000 		audit_panic("out of memory for argv string");
1001 		return;
1002 	}
1003 	buf = buf_head;
1004 
1005 	audit_log_format(*ab, "argc=%d", context->execve.argc);
1006 
1007 	len_rem = len_max;
1008 	len_buf = 0;
1009 	len_full = 0;
1010 	require_data = true;
1011 	encode = false;
1012 	iter = 0;
1013 	arg = 0;
1014 	do {
1015 		/* NOTE: we don't ever want to trust this value for anything
1016 		 *       serious, but the audit record format insists we
1017 		 *       provide an argument length for really long arguments,
1018 		 *       e.g. > MAX_EXECVE_AUDIT_LEN, so we have no choice but
1019 		 *       to use strncpy_from_user() to obtain this value for
1020 		 *       recording in the log, although we don't use it
1021 		 *       anywhere here to avoid a double-fetch problem */
1022 		if (len_full == 0)
1023 			len_full = strnlen_user(p, MAX_ARG_STRLEN) - 1;
1024 
1025 		/* read more data from userspace */
1026 		if (require_data) {
1027 			/* can we make more room in the buffer? */
1028 			if (buf != buf_head) {
1029 				memmove(buf_head, buf, len_buf);
1030 				buf = buf_head;
1031 			}
1032 
1033 			/* fetch as much as we can of the argument */
1034 			len_tmp = strncpy_from_user(&buf_head[len_buf], p,
1035 						    len_max - len_buf);
1036 			if (len_tmp == -EFAULT) {
1037 				/* unable to copy from userspace */
1038 				send_sig(SIGKILL, current, 0);
1039 				goto out;
1040 			} else if (len_tmp == (len_max - len_buf)) {
1041 				/* buffer is not large enough */
1042 				require_data = true;
1043 				/* NOTE: if we are going to span multiple
1044 				 *       buffers force the encoding so we stand
1045 				 *       a chance at a sane len_full value and
1046 				 *       consistent record encoding */
1047 				encode = true;
1048 				len_full = len_full * 2;
1049 				p += len_tmp;
1050 			} else {
1051 				require_data = false;
1052 				if (!encode)
1053 					encode = audit_string_contains_control(
1054 								buf, len_tmp);
1055 				/* try to use a trusted value for len_full */
1056 				if (len_full < len_max)
1057 					len_full = (encode ?
1058 						    len_tmp * 2 : len_tmp);
1059 				p += len_tmp + 1;
1060 			}
1061 			len_buf += len_tmp;
1062 			buf_head[len_buf] = '\0';
1063 
1064 			/* length of the buffer in the audit record? */
1065 			len_abuf = (encode ? len_buf * 2 : len_buf + 2);
1066 		}
1067 
1068 		/* write as much as we can to the audit log */
1069 		if (len_buf >= 0) {
1070 			/* NOTE: some magic numbers here - basically if we
1071 			 *       can't fit a reasonable amount of data into the
1072 			 *       existing audit buffer, flush it and start with
1073 			 *       a new buffer */
1074 			if ((sizeof(abuf) + 8) > len_rem) {
1075 				len_rem = len_max;
1076 				audit_log_end(*ab);
1077 				*ab = audit_log_start(context,
1078 						      GFP_KERNEL, AUDIT_EXECVE);
1079 				if (!*ab)
1080 					goto out;
1081 			}
1082 
1083 			/* create the non-arg portion of the arg record */
1084 			len_tmp = 0;
1085 			if (require_data || (iter > 0) ||
1086 			    ((len_abuf + sizeof(abuf)) > len_rem)) {
1087 				if (iter == 0) {
1088 					len_tmp += snprintf(&abuf[len_tmp],
1089 							sizeof(abuf) - len_tmp,
1090 							" a%d_len=%lu",
1091 							arg, len_full);
1092 				}
1093 				len_tmp += snprintf(&abuf[len_tmp],
1094 						    sizeof(abuf) - len_tmp,
1095 						    " a%d[%d]=", arg, iter++);
1096 			} else
1097 				len_tmp += snprintf(&abuf[len_tmp],
1098 						    sizeof(abuf) - len_tmp,
1099 						    " a%d=", arg);
1100 			WARN_ON(len_tmp >= sizeof(abuf));
1101 			abuf[sizeof(abuf) - 1] = '\0';
1102 
1103 			/* log the arg in the audit record */
1104 			audit_log_format(*ab, "%s", abuf);
1105 			len_rem -= len_tmp;
1106 			len_tmp = len_buf;
1107 			if (encode) {
1108 				if (len_abuf > len_rem)
1109 					len_tmp = len_rem / 2; /* encoding */
1110 				audit_log_n_hex(*ab, buf, len_tmp);
1111 				len_rem -= len_tmp * 2;
1112 				len_abuf -= len_tmp * 2;
1113 			} else {
1114 				if (len_abuf > len_rem)
1115 					len_tmp = len_rem - 2; /* quotes */
1116 				audit_log_n_string(*ab, buf, len_tmp);
1117 				len_rem -= len_tmp + 2;
1118 				/* don't subtract the "2" because we still need
1119 				 * to add quotes to the remaining string */
1120 				len_abuf -= len_tmp;
1121 			}
1122 			len_buf -= len_tmp;
1123 			buf += len_tmp;
1124 		}
1125 
1126 		/* ready to move to the next argument? */
1127 		if ((len_buf == 0) && !require_data) {
1128 			arg++;
1129 			iter = 0;
1130 			len_full = 0;
1131 			require_data = true;
1132 			encode = false;
1133 		}
1134 	} while (arg < context->execve.argc);
1135 
1136 	/* NOTE: the caller handles the final audit_log_end() call */
1137 
1138 out:
1139 	kfree(buf_head);
1140 }
1141 
1142 void audit_log_cap(struct audit_buffer *ab, char *prefix, kernel_cap_t *cap)
1143 {
1144 	int i;
1145 
1146 	if (cap_isclear(*cap)) {
1147 		audit_log_format(ab, " %s=0", prefix);
1148 		return;
1149 	}
1150 	audit_log_format(ab, " %s=", prefix);
1151 	CAP_FOR_EACH_U32(i)
1152 		audit_log_format(ab, "%08x", cap->cap[CAP_LAST_U32 - i]);
1153 }
1154 
1155 static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name)
1156 {
1157 	if (name->fcap_ver == -1) {
1158 		audit_log_format(ab, " cap_fe=? cap_fver=? cap_fp=? cap_fi=?");
1159 		return;
1160 	}
1161 	audit_log_cap(ab, "cap_fp", &name->fcap.permitted);
1162 	audit_log_cap(ab, "cap_fi", &name->fcap.inheritable);
1163 	audit_log_format(ab, " cap_fe=%d cap_fver=%x cap_frootid=%d",
1164 			 name->fcap.fE, name->fcap_ver,
1165 			 from_kuid(&init_user_ns, name->fcap.rootid));
1166 }
1167 
1168 static void show_special(struct audit_context *context, int *call_panic)
1169 {
1170 	struct audit_buffer *ab;
1171 	int i;
1172 
1173 	ab = audit_log_start(context, GFP_KERNEL, context->type);
1174 	if (!ab)
1175 		return;
1176 
1177 	switch (context->type) {
1178 	case AUDIT_SOCKETCALL: {
1179 		int nargs = context->socketcall.nargs;
1180 		audit_log_format(ab, "nargs=%d", nargs);
1181 		for (i = 0; i < nargs; i++)
1182 			audit_log_format(ab, " a%d=%lx", i,
1183 				context->socketcall.args[i]);
1184 		break; }
1185 	case AUDIT_IPC: {
1186 		u32 osid = context->ipc.osid;
1187 
1188 		audit_log_format(ab, "ouid=%u ogid=%u mode=%#ho",
1189 				 from_kuid(&init_user_ns, context->ipc.uid),
1190 				 from_kgid(&init_user_ns, context->ipc.gid),
1191 				 context->ipc.mode);
1192 		if (osid) {
1193 			char *ctx = NULL;
1194 			u32 len;
1195 			if (security_secid_to_secctx(osid, &ctx, &len)) {
1196 				audit_log_format(ab, " osid=%u", osid);
1197 				*call_panic = 1;
1198 			} else {
1199 				audit_log_format(ab, " obj=%s", ctx);
1200 				security_release_secctx(ctx, len);
1201 			}
1202 		}
1203 		if (context->ipc.has_perm) {
1204 			audit_log_end(ab);
1205 			ab = audit_log_start(context, GFP_KERNEL,
1206 					     AUDIT_IPC_SET_PERM);
1207 			if (unlikely(!ab))
1208 				return;
1209 			audit_log_format(ab,
1210 				"qbytes=%lx ouid=%u ogid=%u mode=%#ho",
1211 				context->ipc.qbytes,
1212 				context->ipc.perm_uid,
1213 				context->ipc.perm_gid,
1214 				context->ipc.perm_mode);
1215 		}
1216 		break; }
1217 	case AUDIT_MQ_OPEN:
1218 		audit_log_format(ab,
1219 			"oflag=0x%x mode=%#ho mq_flags=0x%lx mq_maxmsg=%ld "
1220 			"mq_msgsize=%ld mq_curmsgs=%ld",
1221 			context->mq_open.oflag, context->mq_open.mode,
1222 			context->mq_open.attr.mq_flags,
1223 			context->mq_open.attr.mq_maxmsg,
1224 			context->mq_open.attr.mq_msgsize,
1225 			context->mq_open.attr.mq_curmsgs);
1226 		break;
1227 	case AUDIT_MQ_SENDRECV:
1228 		audit_log_format(ab,
1229 			"mqdes=%d msg_len=%zd msg_prio=%u "
1230 			"abs_timeout_sec=%lld abs_timeout_nsec=%ld",
1231 			context->mq_sendrecv.mqdes,
1232 			context->mq_sendrecv.msg_len,
1233 			context->mq_sendrecv.msg_prio,
1234 			(long long) context->mq_sendrecv.abs_timeout.tv_sec,
1235 			context->mq_sendrecv.abs_timeout.tv_nsec);
1236 		break;
1237 	case AUDIT_MQ_NOTIFY:
1238 		audit_log_format(ab, "mqdes=%d sigev_signo=%d",
1239 				context->mq_notify.mqdes,
1240 				context->mq_notify.sigev_signo);
1241 		break;
1242 	case AUDIT_MQ_GETSETATTR: {
1243 		struct mq_attr *attr = &context->mq_getsetattr.mqstat;
1244 		audit_log_format(ab,
1245 			"mqdes=%d mq_flags=0x%lx mq_maxmsg=%ld mq_msgsize=%ld "
1246 			"mq_curmsgs=%ld ",
1247 			context->mq_getsetattr.mqdes,
1248 			attr->mq_flags, attr->mq_maxmsg,
1249 			attr->mq_msgsize, attr->mq_curmsgs);
1250 		break; }
1251 	case AUDIT_CAPSET:
1252 		audit_log_format(ab, "pid=%d", context->capset.pid);
1253 		audit_log_cap(ab, "cap_pi", &context->capset.cap.inheritable);
1254 		audit_log_cap(ab, "cap_pp", &context->capset.cap.permitted);
1255 		audit_log_cap(ab, "cap_pe", &context->capset.cap.effective);
1256 		audit_log_cap(ab, "cap_pa", &context->capset.cap.ambient);
1257 		break;
1258 	case AUDIT_MMAP:
1259 		audit_log_format(ab, "fd=%d flags=0x%x", context->mmap.fd,
1260 				 context->mmap.flags);
1261 		break;
1262 	case AUDIT_EXECVE:
1263 		audit_log_execve_info(context, &ab);
1264 		break;
1265 	case AUDIT_KERN_MODULE:
1266 		audit_log_format(ab, "name=");
1267 		if (context->module.name) {
1268 			audit_log_untrustedstring(ab, context->module.name);
1269 			kfree(context->module.name);
1270 		} else
1271 			audit_log_format(ab, "(null)");
1272 
1273 		break;
1274 	}
1275 	audit_log_end(ab);
1276 }
1277 
1278 static inline int audit_proctitle_rtrim(char *proctitle, int len)
1279 {
1280 	char *end = proctitle + len - 1;
1281 	while (end > proctitle && !isprint(*end))
1282 		end--;
1283 
1284 	/* catch the case where proctitle is only 1 non-print character */
1285 	len = end - proctitle + 1;
1286 	len -= isprint(proctitle[len-1]) == 0;
1287 	return len;
1288 }
1289 
1290 /*
1291  * audit_log_name - produce AUDIT_PATH record from struct audit_names
1292  * @context: audit_context for the task
1293  * @n: audit_names structure with reportable details
1294  * @path: optional path to report instead of audit_names->name
1295  * @record_num: record number to report when handling a list of names
1296  * @call_panic: optional pointer to int that will be updated if secid fails
1297  */
1298 static void audit_log_name(struct audit_context *context, struct audit_names *n,
1299 		    const struct path *path, int record_num, int *call_panic)
1300 {
1301 	struct audit_buffer *ab;
1302 
1303 	ab = audit_log_start(context, GFP_KERNEL, AUDIT_PATH);
1304 	if (!ab)
1305 		return;
1306 
1307 	audit_log_format(ab, "item=%d", record_num);
1308 
1309 	if (path)
1310 		audit_log_d_path(ab, " name=", path);
1311 	else if (n->name) {
1312 		switch (n->name_len) {
1313 		case AUDIT_NAME_FULL:
1314 			/* log the full path */
1315 			audit_log_format(ab, " name=");
1316 			audit_log_untrustedstring(ab, n->name->name);
1317 			break;
1318 		case 0:
1319 			/* name was specified as a relative path and the
1320 			 * directory component is the cwd
1321 			 */
1322 			audit_log_d_path(ab, " name=", &context->pwd);
1323 			break;
1324 		default:
1325 			/* log the name's directory component */
1326 			audit_log_format(ab, " name=");
1327 			audit_log_n_untrustedstring(ab, n->name->name,
1328 						    n->name_len);
1329 		}
1330 	} else
1331 		audit_log_format(ab, " name=(null)");
1332 
1333 	if (n->ino != AUDIT_INO_UNSET)
1334 		audit_log_format(ab, " inode=%lu dev=%02x:%02x mode=%#ho ouid=%u ogid=%u rdev=%02x:%02x",
1335 				 n->ino,
1336 				 MAJOR(n->dev),
1337 				 MINOR(n->dev),
1338 				 n->mode,
1339 				 from_kuid(&init_user_ns, n->uid),
1340 				 from_kgid(&init_user_ns, n->gid),
1341 				 MAJOR(n->rdev),
1342 				 MINOR(n->rdev));
1343 	if (n->osid != 0) {
1344 		char *ctx = NULL;
1345 		u32 len;
1346 
1347 		if (security_secid_to_secctx(
1348 			n->osid, &ctx, &len)) {
1349 			audit_log_format(ab, " osid=%u", n->osid);
1350 			if (call_panic)
1351 				*call_panic = 2;
1352 		} else {
1353 			audit_log_format(ab, " obj=%s", ctx);
1354 			security_release_secctx(ctx, len);
1355 		}
1356 	}
1357 
1358 	/* log the audit_names record type */
1359 	switch (n->type) {
1360 	case AUDIT_TYPE_NORMAL:
1361 		audit_log_format(ab, " nametype=NORMAL");
1362 		break;
1363 	case AUDIT_TYPE_PARENT:
1364 		audit_log_format(ab, " nametype=PARENT");
1365 		break;
1366 	case AUDIT_TYPE_CHILD_DELETE:
1367 		audit_log_format(ab, " nametype=DELETE");
1368 		break;
1369 	case AUDIT_TYPE_CHILD_CREATE:
1370 		audit_log_format(ab, " nametype=CREATE");
1371 		break;
1372 	default:
1373 		audit_log_format(ab, " nametype=UNKNOWN");
1374 		break;
1375 	}
1376 
1377 	audit_log_fcaps(ab, n);
1378 	audit_log_end(ab);
1379 }
1380 
1381 static void audit_log_proctitle(void)
1382 {
1383 	int res;
1384 	char *buf;
1385 	char *msg = "(null)";
1386 	int len = strlen(msg);
1387 	struct audit_context *context = audit_context();
1388 	struct audit_buffer *ab;
1389 
1390 	if (!context || context->dummy)
1391 		return;
1392 
1393 	ab = audit_log_start(context, GFP_KERNEL, AUDIT_PROCTITLE);
1394 	if (!ab)
1395 		return;	/* audit_panic or being filtered */
1396 
1397 	audit_log_format(ab, "proctitle=");
1398 
1399 	/* Not  cached */
1400 	if (!context->proctitle.value) {
1401 		buf = kmalloc(MAX_PROCTITLE_AUDIT_LEN, GFP_KERNEL);
1402 		if (!buf)
1403 			goto out;
1404 		/* Historically called this from procfs naming */
1405 		res = get_cmdline(current, buf, MAX_PROCTITLE_AUDIT_LEN);
1406 		if (res == 0) {
1407 			kfree(buf);
1408 			goto out;
1409 		}
1410 		res = audit_proctitle_rtrim(buf, res);
1411 		if (res == 0) {
1412 			kfree(buf);
1413 			goto out;
1414 		}
1415 		context->proctitle.value = buf;
1416 		context->proctitle.len = res;
1417 	}
1418 	msg = context->proctitle.value;
1419 	len = context->proctitle.len;
1420 out:
1421 	audit_log_n_untrustedstring(ab, msg, len);
1422 	audit_log_end(ab);
1423 }
1424 
1425 static void audit_log_exit(void)
1426 {
1427 	int i, call_panic = 0;
1428 	struct audit_context *context = audit_context();
1429 	struct audit_buffer *ab;
1430 	struct audit_aux_data *aux;
1431 	struct audit_names *n;
1432 
1433 	context->personality = current->personality;
1434 
1435 	ab = audit_log_start(context, GFP_KERNEL, AUDIT_SYSCALL);
1436 	if (!ab)
1437 		return;		/* audit_panic has been called */
1438 	audit_log_format(ab, "arch=%x syscall=%d",
1439 			 context->arch, context->major);
1440 	if (context->personality != PER_LINUX)
1441 		audit_log_format(ab, " per=%lx", context->personality);
1442 	if (context->return_valid)
1443 		audit_log_format(ab, " success=%s exit=%ld",
1444 				 (context->return_valid==AUDITSC_SUCCESS)?"yes":"no",
1445 				 context->return_code);
1446 
1447 	audit_log_format(ab,
1448 			 " a0=%lx a1=%lx a2=%lx a3=%lx items=%d",
1449 			 context->argv[0],
1450 			 context->argv[1],
1451 			 context->argv[2],
1452 			 context->argv[3],
1453 			 context->name_count);
1454 
1455 	audit_log_task_info(ab);
1456 	audit_log_key(ab, context->filterkey);
1457 	audit_log_end(ab);
1458 
1459 	for (aux = context->aux; aux; aux = aux->next) {
1460 
1461 		ab = audit_log_start(context, GFP_KERNEL, aux->type);
1462 		if (!ab)
1463 			continue; /* audit_panic has been called */
1464 
1465 		switch (aux->type) {
1466 
1467 		case AUDIT_BPRM_FCAPS: {
1468 			struct audit_aux_data_bprm_fcaps *axs = (void *)aux;
1469 			audit_log_format(ab, "fver=%x", axs->fcap_ver);
1470 			audit_log_cap(ab, "fp", &axs->fcap.permitted);
1471 			audit_log_cap(ab, "fi", &axs->fcap.inheritable);
1472 			audit_log_format(ab, " fe=%d", axs->fcap.fE);
1473 			audit_log_cap(ab, "old_pp", &axs->old_pcap.permitted);
1474 			audit_log_cap(ab, "old_pi", &axs->old_pcap.inheritable);
1475 			audit_log_cap(ab, "old_pe", &axs->old_pcap.effective);
1476 			audit_log_cap(ab, "old_pa", &axs->old_pcap.ambient);
1477 			audit_log_cap(ab, "pp", &axs->new_pcap.permitted);
1478 			audit_log_cap(ab, "pi", &axs->new_pcap.inheritable);
1479 			audit_log_cap(ab, "pe", &axs->new_pcap.effective);
1480 			audit_log_cap(ab, "pa", &axs->new_pcap.ambient);
1481 			audit_log_format(ab, " frootid=%d",
1482 					 from_kuid(&init_user_ns,
1483 						   axs->fcap.rootid));
1484 			break; }
1485 
1486 		}
1487 		audit_log_end(ab);
1488 	}
1489 
1490 	if (context->type)
1491 		show_special(context, &call_panic);
1492 
1493 	if (context->fds[0] >= 0) {
1494 		ab = audit_log_start(context, GFP_KERNEL, AUDIT_FD_PAIR);
1495 		if (ab) {
1496 			audit_log_format(ab, "fd0=%d fd1=%d",
1497 					context->fds[0], context->fds[1]);
1498 			audit_log_end(ab);
1499 		}
1500 	}
1501 
1502 	if (context->sockaddr_len) {
1503 		ab = audit_log_start(context, GFP_KERNEL, AUDIT_SOCKADDR);
1504 		if (ab) {
1505 			audit_log_format(ab, "saddr=");
1506 			audit_log_n_hex(ab, (void *)context->sockaddr,
1507 					context->sockaddr_len);
1508 			audit_log_end(ab);
1509 		}
1510 	}
1511 
1512 	for (aux = context->aux_pids; aux; aux = aux->next) {
1513 		struct audit_aux_data_pids *axs = (void *)aux;
1514 
1515 		for (i = 0; i < axs->pid_count; i++)
1516 			if (audit_log_pid_context(context, axs->target_pid[i],
1517 						  axs->target_auid[i],
1518 						  axs->target_uid[i],
1519 						  axs->target_sessionid[i],
1520 						  axs->target_sid[i],
1521 						  axs->target_comm[i]))
1522 				call_panic = 1;
1523 	}
1524 
1525 	if (context->target_pid &&
1526 	    audit_log_pid_context(context, context->target_pid,
1527 				  context->target_auid, context->target_uid,
1528 				  context->target_sessionid,
1529 				  context->target_sid, context->target_comm))
1530 			call_panic = 1;
1531 
1532 	if (context->pwd.dentry && context->pwd.mnt) {
1533 		ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD);
1534 		if (ab) {
1535 			audit_log_d_path(ab, "cwd=", &context->pwd);
1536 			audit_log_end(ab);
1537 		}
1538 	}
1539 
1540 	i = 0;
1541 	list_for_each_entry(n, &context->names_list, list) {
1542 		if (n->hidden)
1543 			continue;
1544 		audit_log_name(context, n, NULL, i++, &call_panic);
1545 	}
1546 
1547 	audit_log_proctitle();
1548 
1549 	/* Send end of event record to help user space know we are finished */
1550 	ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE);
1551 	if (ab)
1552 		audit_log_end(ab);
1553 	if (call_panic)
1554 		audit_panic("error converting sid to string");
1555 }
1556 
1557 /**
1558  * __audit_free - free a per-task audit context
1559  * @tsk: task whose audit context block to free
1560  *
1561  * Called from copy_process and do_exit
1562  */
1563 void __audit_free(struct task_struct *tsk)
1564 {
1565 	struct audit_context *context = tsk->audit_context;
1566 
1567 	if (!context)
1568 		return;
1569 
1570 	if (!list_empty(&context->killed_trees))
1571 		audit_kill_trees(context);
1572 
1573 	/* We are called either by do_exit() or the fork() error handling code;
1574 	 * in the former case tsk == current and in the latter tsk is a
1575 	 * random task_struct that doesn't doesn't have any meaningful data we
1576 	 * need to log via audit_log_exit().
1577 	 */
1578 	if (tsk == current && !context->dummy && context->in_syscall) {
1579 		context->return_valid = 0;
1580 		context->return_code = 0;
1581 
1582 		audit_filter_syscall(tsk, context,
1583 				     &audit_filter_list[AUDIT_FILTER_EXIT]);
1584 		audit_filter_inodes(tsk, context);
1585 		if (context->current_state == AUDIT_RECORD_CONTEXT)
1586 			audit_log_exit();
1587 	}
1588 
1589 	audit_set_context(tsk, NULL);
1590 	audit_free_context(context);
1591 }
1592 
1593 /**
1594  * __audit_syscall_entry - fill in an audit record at syscall entry
1595  * @major: major syscall type (function)
1596  * @a1: additional syscall register 1
1597  * @a2: additional syscall register 2
1598  * @a3: additional syscall register 3
1599  * @a4: additional syscall register 4
1600  *
1601  * Fill in audit context at syscall entry.  This only happens if the
1602  * audit context was created when the task was created and the state or
1603  * filters demand the audit context be built.  If the state from the
1604  * per-task filter or from the per-syscall filter is AUDIT_RECORD_CONTEXT,
1605  * then the record will be written at syscall exit time (otherwise, it
1606  * will only be written if another part of the kernel requests that it
1607  * be written).
1608  */
1609 void __audit_syscall_entry(int major, unsigned long a1, unsigned long a2,
1610 			   unsigned long a3, unsigned long a4)
1611 {
1612 	struct audit_context *context = audit_context();
1613 	enum audit_state     state;
1614 
1615 	if (!audit_enabled || !context)
1616 		return;
1617 
1618 	BUG_ON(context->in_syscall || context->name_count);
1619 
1620 	state = context->state;
1621 	if (state == AUDIT_DISABLED)
1622 		return;
1623 
1624 	context->dummy = !audit_n_rules;
1625 	if (!context->dummy && state == AUDIT_BUILD_CONTEXT) {
1626 		context->prio = 0;
1627 		if (auditd_test_task(current))
1628 			return;
1629 	}
1630 
1631 	context->arch	    = syscall_get_arch();
1632 	context->major      = major;
1633 	context->argv[0]    = a1;
1634 	context->argv[1]    = a2;
1635 	context->argv[2]    = a3;
1636 	context->argv[3]    = a4;
1637 	context->serial     = 0;
1638 	context->in_syscall = 1;
1639 	context->current_state  = state;
1640 	context->ppid       = 0;
1641 	ktime_get_coarse_real_ts64(&context->ctime);
1642 }
1643 
1644 /**
1645  * __audit_syscall_exit - deallocate audit context after a system call
1646  * @success: success value of the syscall
1647  * @return_code: return value of the syscall
1648  *
1649  * Tear down after system call.  If the audit context has been marked as
1650  * auditable (either because of the AUDIT_RECORD_CONTEXT state from
1651  * filtering, or because some other part of the kernel wrote an audit
1652  * message), then write out the syscall information.  In call cases,
1653  * free the names stored from getname().
1654  */
1655 void __audit_syscall_exit(int success, long return_code)
1656 {
1657 	struct audit_context *context;
1658 
1659 	context = audit_context();
1660 	if (!context)
1661 		return;
1662 
1663 	if (!list_empty(&context->killed_trees))
1664 		audit_kill_trees(context);
1665 
1666 	if (!context->dummy && context->in_syscall) {
1667 		if (success)
1668 			context->return_valid = AUDITSC_SUCCESS;
1669 		else
1670 			context->return_valid = AUDITSC_FAILURE;
1671 
1672 		/*
1673 		 * we need to fix up the return code in the audit logs if the
1674 		 * actual return codes are later going to be fixed up by the
1675 		 * arch specific signal handlers
1676 		 *
1677 		 * This is actually a test for:
1678 		 * (rc == ERESTARTSYS ) || (rc == ERESTARTNOINTR) ||
1679 		 * (rc == ERESTARTNOHAND) || (rc == ERESTART_RESTARTBLOCK)
1680 		 *
1681 		 * but is faster than a bunch of ||
1682 		 */
1683 		if (unlikely(return_code <= -ERESTARTSYS) &&
1684 		    (return_code >= -ERESTART_RESTARTBLOCK) &&
1685 		    (return_code != -ENOIOCTLCMD))
1686 			context->return_code = -EINTR;
1687 		else
1688 			context->return_code  = return_code;
1689 
1690 		audit_filter_syscall(current, context,
1691 				     &audit_filter_list[AUDIT_FILTER_EXIT]);
1692 		audit_filter_inodes(current, context);
1693 		if (context->current_state == AUDIT_RECORD_CONTEXT)
1694 			audit_log_exit();
1695 	}
1696 
1697 	context->in_syscall = 0;
1698 	context->prio = context->state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0;
1699 
1700 	audit_free_names(context);
1701 	unroll_tree_refs(context, NULL, 0);
1702 	audit_free_aux(context);
1703 	context->aux = NULL;
1704 	context->aux_pids = NULL;
1705 	context->target_pid = 0;
1706 	context->target_sid = 0;
1707 	context->sockaddr_len = 0;
1708 	context->type = 0;
1709 	context->fds[0] = -1;
1710 	if (context->state != AUDIT_RECORD_CONTEXT) {
1711 		kfree(context->filterkey);
1712 		context->filterkey = NULL;
1713 	}
1714 }
1715 
1716 static inline void handle_one(const struct inode *inode)
1717 {
1718 	struct audit_context *context;
1719 	struct audit_tree_refs *p;
1720 	struct audit_chunk *chunk;
1721 	int count;
1722 	if (likely(!inode->i_fsnotify_marks))
1723 		return;
1724 	context = audit_context();
1725 	p = context->trees;
1726 	count = context->tree_count;
1727 	rcu_read_lock();
1728 	chunk = audit_tree_lookup(inode);
1729 	rcu_read_unlock();
1730 	if (!chunk)
1731 		return;
1732 	if (likely(put_tree_ref(context, chunk)))
1733 		return;
1734 	if (unlikely(!grow_tree_refs(context))) {
1735 		pr_warn("out of memory, audit has lost a tree reference\n");
1736 		audit_set_auditable(context);
1737 		audit_put_chunk(chunk);
1738 		unroll_tree_refs(context, p, count);
1739 		return;
1740 	}
1741 	put_tree_ref(context, chunk);
1742 }
1743 
1744 static void handle_path(const struct dentry *dentry)
1745 {
1746 	struct audit_context *context;
1747 	struct audit_tree_refs *p;
1748 	const struct dentry *d, *parent;
1749 	struct audit_chunk *drop;
1750 	unsigned long seq;
1751 	int count;
1752 
1753 	context = audit_context();
1754 	p = context->trees;
1755 	count = context->tree_count;
1756 retry:
1757 	drop = NULL;
1758 	d = dentry;
1759 	rcu_read_lock();
1760 	seq = read_seqbegin(&rename_lock);
1761 	for(;;) {
1762 		struct inode *inode = d_backing_inode(d);
1763 		if (inode && unlikely(inode->i_fsnotify_marks)) {
1764 			struct audit_chunk *chunk;
1765 			chunk = audit_tree_lookup(inode);
1766 			if (chunk) {
1767 				if (unlikely(!put_tree_ref(context, chunk))) {
1768 					drop = chunk;
1769 					break;
1770 				}
1771 			}
1772 		}
1773 		parent = d->d_parent;
1774 		if (parent == d)
1775 			break;
1776 		d = parent;
1777 	}
1778 	if (unlikely(read_seqretry(&rename_lock, seq) || drop)) {  /* in this order */
1779 		rcu_read_unlock();
1780 		if (!drop) {
1781 			/* just a race with rename */
1782 			unroll_tree_refs(context, p, count);
1783 			goto retry;
1784 		}
1785 		audit_put_chunk(drop);
1786 		if (grow_tree_refs(context)) {
1787 			/* OK, got more space */
1788 			unroll_tree_refs(context, p, count);
1789 			goto retry;
1790 		}
1791 		/* too bad */
1792 		pr_warn("out of memory, audit has lost a tree reference\n");
1793 		unroll_tree_refs(context, p, count);
1794 		audit_set_auditable(context);
1795 		return;
1796 	}
1797 	rcu_read_unlock();
1798 }
1799 
1800 static struct audit_names *audit_alloc_name(struct audit_context *context,
1801 						unsigned char type)
1802 {
1803 	struct audit_names *aname;
1804 
1805 	if (context->name_count < AUDIT_NAMES) {
1806 		aname = &context->preallocated_names[context->name_count];
1807 		memset(aname, 0, sizeof(*aname));
1808 	} else {
1809 		aname = kzalloc(sizeof(*aname), GFP_NOFS);
1810 		if (!aname)
1811 			return NULL;
1812 		aname->should_free = true;
1813 	}
1814 
1815 	aname->ino = AUDIT_INO_UNSET;
1816 	aname->type = type;
1817 	list_add_tail(&aname->list, &context->names_list);
1818 
1819 	context->name_count++;
1820 	return aname;
1821 }
1822 
1823 /**
1824  * __audit_reusename - fill out filename with info from existing entry
1825  * @uptr: userland ptr to pathname
1826  *
1827  * Search the audit_names list for the current audit context. If there is an
1828  * existing entry with a matching "uptr" then return the filename
1829  * associated with that audit_name. If not, return NULL.
1830  */
1831 struct filename *
1832 __audit_reusename(const __user char *uptr)
1833 {
1834 	struct audit_context *context = audit_context();
1835 	struct audit_names *n;
1836 
1837 	list_for_each_entry(n, &context->names_list, list) {
1838 		if (!n->name)
1839 			continue;
1840 		if (n->name->uptr == uptr) {
1841 			n->name->refcnt++;
1842 			return n->name;
1843 		}
1844 	}
1845 	return NULL;
1846 }
1847 
1848 /**
1849  * __audit_getname - add a name to the list
1850  * @name: name to add
1851  *
1852  * Add a name to the list of audit names for this context.
1853  * Called from fs/namei.c:getname().
1854  */
1855 void __audit_getname(struct filename *name)
1856 {
1857 	struct audit_context *context = audit_context();
1858 	struct audit_names *n;
1859 
1860 	if (!context->in_syscall)
1861 		return;
1862 
1863 	n = audit_alloc_name(context, AUDIT_TYPE_UNKNOWN);
1864 	if (!n)
1865 		return;
1866 
1867 	n->name = name;
1868 	n->name_len = AUDIT_NAME_FULL;
1869 	name->aname = n;
1870 	name->refcnt++;
1871 
1872 	if (!context->pwd.dentry)
1873 		get_fs_pwd(current->fs, &context->pwd);
1874 }
1875 
1876 static inline int audit_copy_fcaps(struct audit_names *name,
1877 				   const struct dentry *dentry)
1878 {
1879 	struct cpu_vfs_cap_data caps;
1880 	int rc;
1881 
1882 	if (!dentry)
1883 		return 0;
1884 
1885 	rc = get_vfs_caps_from_disk(dentry, &caps);
1886 	if (rc)
1887 		return rc;
1888 
1889 	name->fcap.permitted = caps.permitted;
1890 	name->fcap.inheritable = caps.inheritable;
1891 	name->fcap.fE = !!(caps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE);
1892 	name->fcap.rootid = caps.rootid;
1893 	name->fcap_ver = (caps.magic_etc & VFS_CAP_REVISION_MASK) >>
1894 				VFS_CAP_REVISION_SHIFT;
1895 
1896 	return 0;
1897 }
1898 
1899 /* Copy inode data into an audit_names. */
1900 void audit_copy_inode(struct audit_names *name, const struct dentry *dentry,
1901 		      struct inode *inode, unsigned int flags)
1902 {
1903 	name->ino   = inode->i_ino;
1904 	name->dev   = inode->i_sb->s_dev;
1905 	name->mode  = inode->i_mode;
1906 	name->uid   = inode->i_uid;
1907 	name->gid   = inode->i_gid;
1908 	name->rdev  = inode->i_rdev;
1909 	security_inode_getsecid(inode, &name->osid);
1910 	if (flags & AUDIT_INODE_NOEVAL) {
1911 		name->fcap_ver = -1;
1912 		return;
1913 	}
1914 	audit_copy_fcaps(name, dentry);
1915 }
1916 
1917 /**
1918  * __audit_inode - store the inode and device from a lookup
1919  * @name: name being audited
1920  * @dentry: dentry being audited
1921  * @flags: attributes for this particular entry
1922  */
1923 void __audit_inode(struct filename *name, const struct dentry *dentry,
1924 		   unsigned int flags)
1925 {
1926 	struct audit_context *context = audit_context();
1927 	struct inode *inode = d_backing_inode(dentry);
1928 	struct audit_names *n;
1929 	bool parent = flags & AUDIT_INODE_PARENT;
1930 	struct audit_entry *e;
1931 	struct list_head *list = &audit_filter_list[AUDIT_FILTER_FS];
1932 	int i;
1933 
1934 	if (!context->in_syscall)
1935 		return;
1936 
1937 	rcu_read_lock();
1938 	if (!list_empty(list)) {
1939 		list_for_each_entry_rcu(e, list, list) {
1940 			for (i = 0; i < e->rule.field_count; i++) {
1941 				struct audit_field *f = &e->rule.fields[i];
1942 
1943 				if (f->type == AUDIT_FSTYPE
1944 				    && audit_comparator(inode->i_sb->s_magic,
1945 							f->op, f->val)
1946 				    && e->rule.action == AUDIT_NEVER) {
1947 					rcu_read_unlock();
1948 					return;
1949 				}
1950 			}
1951 		}
1952 	}
1953 	rcu_read_unlock();
1954 
1955 	if (!name)
1956 		goto out_alloc;
1957 
1958 	/*
1959 	 * If we have a pointer to an audit_names entry already, then we can
1960 	 * just use it directly if the type is correct.
1961 	 */
1962 	n = name->aname;
1963 	if (n) {
1964 		if (parent) {
1965 			if (n->type == AUDIT_TYPE_PARENT ||
1966 			    n->type == AUDIT_TYPE_UNKNOWN)
1967 				goto out;
1968 		} else {
1969 			if (n->type != AUDIT_TYPE_PARENT)
1970 				goto out;
1971 		}
1972 	}
1973 
1974 	list_for_each_entry_reverse(n, &context->names_list, list) {
1975 		if (n->ino) {
1976 			/* valid inode number, use that for the comparison */
1977 			if (n->ino != inode->i_ino ||
1978 			    n->dev != inode->i_sb->s_dev)
1979 				continue;
1980 		} else if (n->name) {
1981 			/* inode number has not been set, check the name */
1982 			if (strcmp(n->name->name, name->name))
1983 				continue;
1984 		} else
1985 			/* no inode and no name (?!) ... this is odd ... */
1986 			continue;
1987 
1988 		/* match the correct record type */
1989 		if (parent) {
1990 			if (n->type == AUDIT_TYPE_PARENT ||
1991 			    n->type == AUDIT_TYPE_UNKNOWN)
1992 				goto out;
1993 		} else {
1994 			if (n->type != AUDIT_TYPE_PARENT)
1995 				goto out;
1996 		}
1997 	}
1998 
1999 out_alloc:
2000 	/* unable to find an entry with both a matching name and type */
2001 	n = audit_alloc_name(context, AUDIT_TYPE_UNKNOWN);
2002 	if (!n)
2003 		return;
2004 	if (name) {
2005 		n->name = name;
2006 		name->refcnt++;
2007 	}
2008 
2009 out:
2010 	if (parent) {
2011 		n->name_len = n->name ? parent_len(n->name->name) : AUDIT_NAME_FULL;
2012 		n->type = AUDIT_TYPE_PARENT;
2013 		if (flags & AUDIT_INODE_HIDDEN)
2014 			n->hidden = true;
2015 	} else {
2016 		n->name_len = AUDIT_NAME_FULL;
2017 		n->type = AUDIT_TYPE_NORMAL;
2018 	}
2019 	handle_path(dentry);
2020 	audit_copy_inode(n, dentry, inode, flags & AUDIT_INODE_NOEVAL);
2021 }
2022 
2023 void __audit_file(const struct file *file)
2024 {
2025 	__audit_inode(NULL, file->f_path.dentry, 0);
2026 }
2027 
2028 /**
2029  * __audit_inode_child - collect inode info for created/removed objects
2030  * @parent: inode of dentry parent
2031  * @dentry: dentry being audited
2032  * @type:   AUDIT_TYPE_* value that we're looking for
2033  *
2034  * For syscalls that create or remove filesystem objects, audit_inode
2035  * can only collect information for the filesystem object's parent.
2036  * This call updates the audit context with the child's information.
2037  * Syscalls that create a new filesystem object must be hooked after
2038  * the object is created.  Syscalls that remove a filesystem object
2039  * must be hooked prior, in order to capture the target inode during
2040  * unsuccessful attempts.
2041  */
2042 void __audit_inode_child(struct inode *parent,
2043 			 const struct dentry *dentry,
2044 			 const unsigned char type)
2045 {
2046 	struct audit_context *context = audit_context();
2047 	struct inode *inode = d_backing_inode(dentry);
2048 	const char *dname = dentry->d_name.name;
2049 	struct audit_names *n, *found_parent = NULL, *found_child = NULL;
2050 	struct audit_entry *e;
2051 	struct list_head *list = &audit_filter_list[AUDIT_FILTER_FS];
2052 	int i;
2053 
2054 	if (!context->in_syscall)
2055 		return;
2056 
2057 	rcu_read_lock();
2058 	if (!list_empty(list)) {
2059 		list_for_each_entry_rcu(e, list, list) {
2060 			for (i = 0; i < e->rule.field_count; i++) {
2061 				struct audit_field *f = &e->rule.fields[i];
2062 
2063 				if (f->type == AUDIT_FSTYPE
2064 				    && audit_comparator(parent->i_sb->s_magic,
2065 							f->op, f->val)
2066 				    && e->rule.action == AUDIT_NEVER) {
2067 					rcu_read_unlock();
2068 					return;
2069 				}
2070 			}
2071 		}
2072 	}
2073 	rcu_read_unlock();
2074 
2075 	if (inode)
2076 		handle_one(inode);
2077 
2078 	/* look for a parent entry first */
2079 	list_for_each_entry(n, &context->names_list, list) {
2080 		if (!n->name ||
2081 		    (n->type != AUDIT_TYPE_PARENT &&
2082 		     n->type != AUDIT_TYPE_UNKNOWN))
2083 			continue;
2084 
2085 		if (n->ino == parent->i_ino && n->dev == parent->i_sb->s_dev &&
2086 		    !audit_compare_dname_path(dname,
2087 					      n->name->name, n->name_len)) {
2088 			if (n->type == AUDIT_TYPE_UNKNOWN)
2089 				n->type = AUDIT_TYPE_PARENT;
2090 			found_parent = n;
2091 			break;
2092 		}
2093 	}
2094 
2095 	/* is there a matching child entry? */
2096 	list_for_each_entry(n, &context->names_list, list) {
2097 		/* can only match entries that have a name */
2098 		if (!n->name ||
2099 		    (n->type != type && n->type != AUDIT_TYPE_UNKNOWN))
2100 			continue;
2101 
2102 		if (!strcmp(dname, n->name->name) ||
2103 		    !audit_compare_dname_path(dname, n->name->name,
2104 						found_parent ?
2105 						found_parent->name_len :
2106 						AUDIT_NAME_FULL)) {
2107 			if (n->type == AUDIT_TYPE_UNKNOWN)
2108 				n->type = type;
2109 			found_child = n;
2110 			break;
2111 		}
2112 	}
2113 
2114 	if (!found_parent) {
2115 		/* create a new, "anonymous" parent record */
2116 		n = audit_alloc_name(context, AUDIT_TYPE_PARENT);
2117 		if (!n)
2118 			return;
2119 		audit_copy_inode(n, NULL, parent, 0);
2120 	}
2121 
2122 	if (!found_child) {
2123 		found_child = audit_alloc_name(context, type);
2124 		if (!found_child)
2125 			return;
2126 
2127 		/* Re-use the name belonging to the slot for a matching parent
2128 		 * directory. All names for this context are relinquished in
2129 		 * audit_free_names() */
2130 		if (found_parent) {
2131 			found_child->name = found_parent->name;
2132 			found_child->name_len = AUDIT_NAME_FULL;
2133 			found_child->name->refcnt++;
2134 		}
2135 	}
2136 
2137 	if (inode)
2138 		audit_copy_inode(found_child, dentry, inode, 0);
2139 	else
2140 		found_child->ino = AUDIT_INO_UNSET;
2141 }
2142 EXPORT_SYMBOL_GPL(__audit_inode_child);
2143 
2144 /**
2145  * auditsc_get_stamp - get local copies of audit_context values
2146  * @ctx: audit_context for the task
2147  * @t: timespec64 to store time recorded in the audit_context
2148  * @serial: serial value that is recorded in the audit_context
2149  *
2150  * Also sets the context as auditable.
2151  */
2152 int auditsc_get_stamp(struct audit_context *ctx,
2153 		       struct timespec64 *t, unsigned int *serial)
2154 {
2155 	if (!ctx->in_syscall)
2156 		return 0;
2157 	if (!ctx->serial)
2158 		ctx->serial = audit_serial();
2159 	t->tv_sec  = ctx->ctime.tv_sec;
2160 	t->tv_nsec = ctx->ctime.tv_nsec;
2161 	*serial    = ctx->serial;
2162 	if (!ctx->prio) {
2163 		ctx->prio = 1;
2164 		ctx->current_state = AUDIT_RECORD_CONTEXT;
2165 	}
2166 	return 1;
2167 }
2168 
2169 /**
2170  * __audit_mq_open - record audit data for a POSIX MQ open
2171  * @oflag: open flag
2172  * @mode: mode bits
2173  * @attr: queue attributes
2174  *
2175  */
2176 void __audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr)
2177 {
2178 	struct audit_context *context = audit_context();
2179 
2180 	if (attr)
2181 		memcpy(&context->mq_open.attr, attr, sizeof(struct mq_attr));
2182 	else
2183 		memset(&context->mq_open.attr, 0, sizeof(struct mq_attr));
2184 
2185 	context->mq_open.oflag = oflag;
2186 	context->mq_open.mode = mode;
2187 
2188 	context->type = AUDIT_MQ_OPEN;
2189 }
2190 
2191 /**
2192  * __audit_mq_sendrecv - record audit data for a POSIX MQ timed send/receive
2193  * @mqdes: MQ descriptor
2194  * @msg_len: Message length
2195  * @msg_prio: Message priority
2196  * @abs_timeout: Message timeout in absolute time
2197  *
2198  */
2199 void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio,
2200 			const struct timespec64 *abs_timeout)
2201 {
2202 	struct audit_context *context = audit_context();
2203 	struct timespec64 *p = &context->mq_sendrecv.abs_timeout;
2204 
2205 	if (abs_timeout)
2206 		memcpy(p, abs_timeout, sizeof(*p));
2207 	else
2208 		memset(p, 0, sizeof(*p));
2209 
2210 	context->mq_sendrecv.mqdes = mqdes;
2211 	context->mq_sendrecv.msg_len = msg_len;
2212 	context->mq_sendrecv.msg_prio = msg_prio;
2213 
2214 	context->type = AUDIT_MQ_SENDRECV;
2215 }
2216 
2217 /**
2218  * __audit_mq_notify - record audit data for a POSIX MQ notify
2219  * @mqdes: MQ descriptor
2220  * @notification: Notification event
2221  *
2222  */
2223 
2224 void __audit_mq_notify(mqd_t mqdes, const struct sigevent *notification)
2225 {
2226 	struct audit_context *context = audit_context();
2227 
2228 	if (notification)
2229 		context->mq_notify.sigev_signo = notification->sigev_signo;
2230 	else
2231 		context->mq_notify.sigev_signo = 0;
2232 
2233 	context->mq_notify.mqdes = mqdes;
2234 	context->type = AUDIT_MQ_NOTIFY;
2235 }
2236 
2237 /**
2238  * __audit_mq_getsetattr - record audit data for a POSIX MQ get/set attribute
2239  * @mqdes: MQ descriptor
2240  * @mqstat: MQ flags
2241  *
2242  */
2243 void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat)
2244 {
2245 	struct audit_context *context = audit_context();
2246 	context->mq_getsetattr.mqdes = mqdes;
2247 	context->mq_getsetattr.mqstat = *mqstat;
2248 	context->type = AUDIT_MQ_GETSETATTR;
2249 }
2250 
2251 /**
2252  * __audit_ipc_obj - record audit data for ipc object
2253  * @ipcp: ipc permissions
2254  *
2255  */
2256 void __audit_ipc_obj(struct kern_ipc_perm *ipcp)
2257 {
2258 	struct audit_context *context = audit_context();
2259 	context->ipc.uid = ipcp->uid;
2260 	context->ipc.gid = ipcp->gid;
2261 	context->ipc.mode = ipcp->mode;
2262 	context->ipc.has_perm = 0;
2263 	security_ipc_getsecid(ipcp, &context->ipc.osid);
2264 	context->type = AUDIT_IPC;
2265 }
2266 
2267 /**
2268  * __audit_ipc_set_perm - record audit data for new ipc permissions
2269  * @qbytes: msgq bytes
2270  * @uid: msgq user id
2271  * @gid: msgq group id
2272  * @mode: msgq mode (permissions)
2273  *
2274  * Called only after audit_ipc_obj().
2275  */
2276 void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode)
2277 {
2278 	struct audit_context *context = audit_context();
2279 
2280 	context->ipc.qbytes = qbytes;
2281 	context->ipc.perm_uid = uid;
2282 	context->ipc.perm_gid = gid;
2283 	context->ipc.perm_mode = mode;
2284 	context->ipc.has_perm = 1;
2285 }
2286 
2287 void __audit_bprm(struct linux_binprm *bprm)
2288 {
2289 	struct audit_context *context = audit_context();
2290 
2291 	context->type = AUDIT_EXECVE;
2292 	context->execve.argc = bprm->argc;
2293 }
2294 
2295 
2296 /**
2297  * __audit_socketcall - record audit data for sys_socketcall
2298  * @nargs: number of args, which should not be more than AUDITSC_ARGS.
2299  * @args: args array
2300  *
2301  */
2302 int __audit_socketcall(int nargs, unsigned long *args)
2303 {
2304 	struct audit_context *context = audit_context();
2305 
2306 	if (nargs <= 0 || nargs > AUDITSC_ARGS || !args)
2307 		return -EINVAL;
2308 	context->type = AUDIT_SOCKETCALL;
2309 	context->socketcall.nargs = nargs;
2310 	memcpy(context->socketcall.args, args, nargs * sizeof(unsigned long));
2311 	return 0;
2312 }
2313 
2314 /**
2315  * __audit_fd_pair - record audit data for pipe and socketpair
2316  * @fd1: the first file descriptor
2317  * @fd2: the second file descriptor
2318  *
2319  */
2320 void __audit_fd_pair(int fd1, int fd2)
2321 {
2322 	struct audit_context *context = audit_context();
2323 	context->fds[0] = fd1;
2324 	context->fds[1] = fd2;
2325 }
2326 
2327 /**
2328  * __audit_sockaddr - record audit data for sys_bind, sys_connect, sys_sendto
2329  * @len: data length in user space
2330  * @a: data address in kernel space
2331  *
2332  * Returns 0 for success or NULL context or < 0 on error.
2333  */
2334 int __audit_sockaddr(int len, void *a)
2335 {
2336 	struct audit_context *context = audit_context();
2337 
2338 	if (!context->sockaddr) {
2339 		void *p = kmalloc(sizeof(struct sockaddr_storage), GFP_KERNEL);
2340 		if (!p)
2341 			return -ENOMEM;
2342 		context->sockaddr = p;
2343 	}
2344 
2345 	context->sockaddr_len = len;
2346 	memcpy(context->sockaddr, a, len);
2347 	return 0;
2348 }
2349 
2350 void __audit_ptrace(struct task_struct *t)
2351 {
2352 	struct audit_context *context = audit_context();
2353 
2354 	context->target_pid = task_tgid_nr(t);
2355 	context->target_auid = audit_get_loginuid(t);
2356 	context->target_uid = task_uid(t);
2357 	context->target_sessionid = audit_get_sessionid(t);
2358 	security_task_getsecid(t, &context->target_sid);
2359 	memcpy(context->target_comm, t->comm, TASK_COMM_LEN);
2360 }
2361 
2362 /**
2363  * audit_signal_info - record signal info for shutting down audit subsystem
2364  * @sig: signal value
2365  * @t: task being signaled
2366  *
2367  * If the audit subsystem is being terminated, record the task (pid)
2368  * and uid that is doing that.
2369  */
2370 int audit_signal_info(int sig, struct task_struct *t)
2371 {
2372 	struct audit_aux_data_pids *axp;
2373 	struct audit_context *ctx = audit_context();
2374 	kuid_t uid = current_uid(), auid, t_uid = task_uid(t);
2375 
2376 	if (auditd_test_task(t) &&
2377 	    (sig == SIGTERM || sig == SIGHUP ||
2378 	     sig == SIGUSR1 || sig == SIGUSR2)) {
2379 		audit_sig_pid = task_tgid_nr(current);
2380 		auid = audit_get_loginuid(current);
2381 		if (uid_valid(auid))
2382 			audit_sig_uid = auid;
2383 		else
2384 			audit_sig_uid = uid;
2385 		security_task_getsecid(current, &audit_sig_sid);
2386 	}
2387 
2388 	if (!audit_signals || audit_dummy_context())
2389 		return 0;
2390 
2391 	/* optimize the common case by putting first signal recipient directly
2392 	 * in audit_context */
2393 	if (!ctx->target_pid) {
2394 		ctx->target_pid = task_tgid_nr(t);
2395 		ctx->target_auid = audit_get_loginuid(t);
2396 		ctx->target_uid = t_uid;
2397 		ctx->target_sessionid = audit_get_sessionid(t);
2398 		security_task_getsecid(t, &ctx->target_sid);
2399 		memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN);
2400 		return 0;
2401 	}
2402 
2403 	axp = (void *)ctx->aux_pids;
2404 	if (!axp || axp->pid_count == AUDIT_AUX_PIDS) {
2405 		axp = kzalloc(sizeof(*axp), GFP_ATOMIC);
2406 		if (!axp)
2407 			return -ENOMEM;
2408 
2409 		axp->d.type = AUDIT_OBJ_PID;
2410 		axp->d.next = ctx->aux_pids;
2411 		ctx->aux_pids = (void *)axp;
2412 	}
2413 	BUG_ON(axp->pid_count >= AUDIT_AUX_PIDS);
2414 
2415 	axp->target_pid[axp->pid_count] = task_tgid_nr(t);
2416 	axp->target_auid[axp->pid_count] = audit_get_loginuid(t);
2417 	axp->target_uid[axp->pid_count] = t_uid;
2418 	axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t);
2419 	security_task_getsecid(t, &axp->target_sid[axp->pid_count]);
2420 	memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN);
2421 	axp->pid_count++;
2422 
2423 	return 0;
2424 }
2425 
2426 /**
2427  * __audit_log_bprm_fcaps - store information about a loading bprm and relevant fcaps
2428  * @bprm: pointer to the bprm being processed
2429  * @new: the proposed new credentials
2430  * @old: the old credentials
2431  *
2432  * Simply check if the proc already has the caps given by the file and if not
2433  * store the priv escalation info for later auditing at the end of the syscall
2434  *
2435  * -Eric
2436  */
2437 int __audit_log_bprm_fcaps(struct linux_binprm *bprm,
2438 			   const struct cred *new, const struct cred *old)
2439 {
2440 	struct audit_aux_data_bprm_fcaps *ax;
2441 	struct audit_context *context = audit_context();
2442 	struct cpu_vfs_cap_data vcaps;
2443 
2444 	ax = kmalloc(sizeof(*ax), GFP_KERNEL);
2445 	if (!ax)
2446 		return -ENOMEM;
2447 
2448 	ax->d.type = AUDIT_BPRM_FCAPS;
2449 	ax->d.next = context->aux;
2450 	context->aux = (void *)ax;
2451 
2452 	get_vfs_caps_from_disk(bprm->file->f_path.dentry, &vcaps);
2453 
2454 	ax->fcap.permitted = vcaps.permitted;
2455 	ax->fcap.inheritable = vcaps.inheritable;
2456 	ax->fcap.fE = !!(vcaps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE);
2457 	ax->fcap.rootid = vcaps.rootid;
2458 	ax->fcap_ver = (vcaps.magic_etc & VFS_CAP_REVISION_MASK) >> VFS_CAP_REVISION_SHIFT;
2459 
2460 	ax->old_pcap.permitted   = old->cap_permitted;
2461 	ax->old_pcap.inheritable = old->cap_inheritable;
2462 	ax->old_pcap.effective   = old->cap_effective;
2463 	ax->old_pcap.ambient     = old->cap_ambient;
2464 
2465 	ax->new_pcap.permitted   = new->cap_permitted;
2466 	ax->new_pcap.inheritable = new->cap_inheritable;
2467 	ax->new_pcap.effective   = new->cap_effective;
2468 	ax->new_pcap.ambient     = new->cap_ambient;
2469 	return 0;
2470 }
2471 
2472 /**
2473  * __audit_log_capset - store information about the arguments to the capset syscall
2474  * @new: the new credentials
2475  * @old: the old (current) credentials
2476  *
2477  * Record the arguments userspace sent to sys_capset for later printing by the
2478  * audit system if applicable
2479  */
2480 void __audit_log_capset(const struct cred *new, const struct cred *old)
2481 {
2482 	struct audit_context *context = audit_context();
2483 	context->capset.pid = task_tgid_nr(current);
2484 	context->capset.cap.effective   = new->cap_effective;
2485 	context->capset.cap.inheritable = new->cap_effective;
2486 	context->capset.cap.permitted   = new->cap_permitted;
2487 	context->capset.cap.ambient     = new->cap_ambient;
2488 	context->type = AUDIT_CAPSET;
2489 }
2490 
2491 void __audit_mmap_fd(int fd, int flags)
2492 {
2493 	struct audit_context *context = audit_context();
2494 	context->mmap.fd = fd;
2495 	context->mmap.flags = flags;
2496 	context->type = AUDIT_MMAP;
2497 }
2498 
2499 void __audit_log_kern_module(char *name)
2500 {
2501 	struct audit_context *context = audit_context();
2502 
2503 	context->module.name = kstrdup(name, GFP_KERNEL);
2504 	if (!context->module.name)
2505 		audit_log_lost("out of memory in __audit_log_kern_module");
2506 	context->type = AUDIT_KERN_MODULE;
2507 }
2508 
2509 void __audit_fanotify(unsigned int response)
2510 {
2511 	audit_log(audit_context(), GFP_KERNEL,
2512 		AUDIT_FANOTIFY,	"resp=%u", response);
2513 }
2514 
2515 static void audit_log_task(struct audit_buffer *ab)
2516 {
2517 	kuid_t auid, uid;
2518 	kgid_t gid;
2519 	unsigned int sessionid;
2520 	char comm[sizeof(current->comm)];
2521 
2522 	auid = audit_get_loginuid(current);
2523 	sessionid = audit_get_sessionid(current);
2524 	current_uid_gid(&uid, &gid);
2525 
2526 	audit_log_format(ab, "auid=%u uid=%u gid=%u ses=%u",
2527 			 from_kuid(&init_user_ns, auid),
2528 			 from_kuid(&init_user_ns, uid),
2529 			 from_kgid(&init_user_ns, gid),
2530 			 sessionid);
2531 	audit_log_task_context(ab);
2532 	audit_log_format(ab, " pid=%d comm=", task_tgid_nr(current));
2533 	audit_log_untrustedstring(ab, get_task_comm(comm, current));
2534 	audit_log_d_path_exe(ab, current->mm);
2535 }
2536 
2537 /**
2538  * audit_core_dumps - record information about processes that end abnormally
2539  * @signr: signal value
2540  *
2541  * If a process ends with a core dump, something fishy is going on and we
2542  * should record the event for investigation.
2543  */
2544 void audit_core_dumps(long signr)
2545 {
2546 	struct audit_buffer *ab;
2547 
2548 	if (!audit_enabled)
2549 		return;
2550 
2551 	if (signr == SIGQUIT)	/* don't care for those */
2552 		return;
2553 
2554 	ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_ANOM_ABEND);
2555 	if (unlikely(!ab))
2556 		return;
2557 	audit_log_task(ab);
2558 	audit_log_format(ab, " sig=%ld res=1", signr);
2559 	audit_log_end(ab);
2560 }
2561 
2562 /**
2563  * audit_seccomp - record information about a seccomp action
2564  * @syscall: syscall number
2565  * @signr: signal value
2566  * @code: the seccomp action
2567  *
2568  * Record the information associated with a seccomp action. Event filtering for
2569  * seccomp actions that are not to be logged is done in seccomp_log().
2570  * Therefore, this function forces auditing independent of the audit_enabled
2571  * and dummy context state because seccomp actions should be logged even when
2572  * audit is not in use.
2573  */
2574 void audit_seccomp(unsigned long syscall, long signr, int code)
2575 {
2576 	struct audit_buffer *ab;
2577 
2578 	ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_SECCOMP);
2579 	if (unlikely(!ab))
2580 		return;
2581 	audit_log_task(ab);
2582 	audit_log_format(ab, " sig=%ld arch=%x syscall=%ld compat=%d ip=0x%lx code=0x%x",
2583 			 signr, syscall_get_arch(), syscall,
2584 			 in_compat_syscall(), KSTK_EIP(current), code);
2585 	audit_log_end(ab);
2586 }
2587 
2588 void audit_seccomp_actions_logged(const char *names, const char *old_names,
2589 				  int res)
2590 {
2591 	struct audit_buffer *ab;
2592 
2593 	if (!audit_enabled)
2594 		return;
2595 
2596 	ab = audit_log_start(audit_context(), GFP_KERNEL,
2597 			     AUDIT_CONFIG_CHANGE);
2598 	if (unlikely(!ab))
2599 		return;
2600 
2601 	audit_log_format(ab,
2602 			 "op=seccomp-logging actions=%s old-actions=%s res=%d",
2603 			 names, old_names, res);
2604 	audit_log_end(ab);
2605 }
2606 
2607 struct list_head *audit_killed_trees(void)
2608 {
2609 	struct audit_context *ctx = audit_context();
2610 	if (likely(!ctx || !ctx->in_syscall))
2611 		return NULL;
2612 	return &ctx->killed_trees;
2613 }
2614