xref: /openbmc/linux/kernel/auditsc.c (revision b34e08d5)
1 /* auditsc.c -- System-call auditing support
2  * Handles all system-call specific auditing features.
3  *
4  * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina.
5  * Copyright 2005 Hewlett-Packard Development Company, L.P.
6  * Copyright (C) 2005, 2006 IBM Corporation
7  * All Rights Reserved.
8  *
9  * This program is free software; you can redistribute it and/or modify
10  * it under the terms of the GNU General Public License as published by
11  * the Free Software Foundation; either version 2 of the License, or
12  * (at your option) any later version.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License
20  * along with this program; if not, write to the Free Software
21  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
22  *
23  * Written by Rickard E. (Rik) Faith <faith@redhat.com>
24  *
25  * Many of the ideas implemented here are from Stephen C. Tweedie,
26  * especially the idea of avoiding a copy by using getname.
27  *
28  * The method for actual interception of syscall entry and exit (not in
29  * this file -- see entry.S) is based on a GPL'd patch written by
30  * okir@suse.de and Copyright 2003 SuSE Linux AG.
31  *
32  * POSIX message queue support added by George Wilson <ltcgcw@us.ibm.com>,
33  * 2006.
34  *
35  * The support of additional filter rules compares (>, <, >=, <=) was
36  * added by Dustin Kirkland <dustin.kirkland@us.ibm.com>, 2005.
37  *
38  * Modified by Amy Griffis <amy.griffis@hp.com> to collect additional
39  * filesystem information.
40  *
41  * Subject and object context labeling support added by <danjones@us.ibm.com>
42  * and <dustin.kirkland@us.ibm.com> for LSPP certification compliance.
43  */
44 
45 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
46 
47 #include <linux/init.h>
48 #include <asm/types.h>
49 #include <linux/atomic.h>
50 #include <linux/fs.h>
51 #include <linux/namei.h>
52 #include <linux/mm.h>
53 #include <linux/export.h>
54 #include <linux/slab.h>
55 #include <linux/mount.h>
56 #include <linux/socket.h>
57 #include <linux/mqueue.h>
58 #include <linux/audit.h>
59 #include <linux/personality.h>
60 #include <linux/time.h>
61 #include <linux/netlink.h>
62 #include <linux/compiler.h>
63 #include <asm/unistd.h>
64 #include <linux/security.h>
65 #include <linux/list.h>
66 #include <linux/tty.h>
67 #include <linux/binfmts.h>
68 #include <linux/highmem.h>
69 #include <linux/syscalls.h>
70 #include <linux/capability.h>
71 #include <linux/fs_struct.h>
72 #include <linux/compat.h>
73 #include <linux/ctype.h>
74 
75 #include "audit.h"
76 
77 /* flags stating the success for a syscall */
78 #define AUDITSC_INVALID 0
79 #define AUDITSC_SUCCESS 1
80 #define AUDITSC_FAILURE 2
81 
82 /* no execve audit message should be longer than this (userspace limits) */
83 #define MAX_EXECVE_AUDIT_LEN 7500
84 
85 /* max length to print of cmdline/proctitle value during audit */
86 #define MAX_PROCTITLE_AUDIT_LEN 128
87 
88 /* number of audit rules */
89 int audit_n_rules;
90 
91 /* determines whether we collect data for signals sent */
92 int audit_signals;
93 
94 struct audit_aux_data {
95 	struct audit_aux_data	*next;
96 	int			type;
97 };
98 
99 #define AUDIT_AUX_IPCPERM	0
100 
101 /* Number of target pids per aux struct. */
102 #define AUDIT_AUX_PIDS	16
103 
104 struct audit_aux_data_pids {
105 	struct audit_aux_data	d;
106 	pid_t			target_pid[AUDIT_AUX_PIDS];
107 	kuid_t			target_auid[AUDIT_AUX_PIDS];
108 	kuid_t			target_uid[AUDIT_AUX_PIDS];
109 	unsigned int		target_sessionid[AUDIT_AUX_PIDS];
110 	u32			target_sid[AUDIT_AUX_PIDS];
111 	char 			target_comm[AUDIT_AUX_PIDS][TASK_COMM_LEN];
112 	int			pid_count;
113 };
114 
115 struct audit_aux_data_bprm_fcaps {
116 	struct audit_aux_data	d;
117 	struct audit_cap_data	fcap;
118 	unsigned int		fcap_ver;
119 	struct audit_cap_data	old_pcap;
120 	struct audit_cap_data	new_pcap;
121 };
122 
123 struct audit_tree_refs {
124 	struct audit_tree_refs *next;
125 	struct audit_chunk *c[31];
126 };
127 
128 static inline int open_arg(int flags, int mask)
129 {
130 	int n = ACC_MODE(flags);
131 	if (flags & (O_TRUNC | O_CREAT))
132 		n |= AUDIT_PERM_WRITE;
133 	return n & mask;
134 }
135 
136 static int audit_match_perm(struct audit_context *ctx, int mask)
137 {
138 	unsigned n;
139 	if (unlikely(!ctx))
140 		return 0;
141 	n = ctx->major;
142 
143 	switch (audit_classify_syscall(ctx->arch, n)) {
144 	case 0:	/* native */
145 		if ((mask & AUDIT_PERM_WRITE) &&
146 		     audit_match_class(AUDIT_CLASS_WRITE, n))
147 			return 1;
148 		if ((mask & AUDIT_PERM_READ) &&
149 		     audit_match_class(AUDIT_CLASS_READ, n))
150 			return 1;
151 		if ((mask & AUDIT_PERM_ATTR) &&
152 		     audit_match_class(AUDIT_CLASS_CHATTR, n))
153 			return 1;
154 		return 0;
155 	case 1: /* 32bit on biarch */
156 		if ((mask & AUDIT_PERM_WRITE) &&
157 		     audit_match_class(AUDIT_CLASS_WRITE_32, n))
158 			return 1;
159 		if ((mask & AUDIT_PERM_READ) &&
160 		     audit_match_class(AUDIT_CLASS_READ_32, n))
161 			return 1;
162 		if ((mask & AUDIT_PERM_ATTR) &&
163 		     audit_match_class(AUDIT_CLASS_CHATTR_32, n))
164 			return 1;
165 		return 0;
166 	case 2: /* open */
167 		return mask & ACC_MODE(ctx->argv[1]);
168 	case 3: /* openat */
169 		return mask & ACC_MODE(ctx->argv[2]);
170 	case 4: /* socketcall */
171 		return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND);
172 	case 5: /* execve */
173 		return mask & AUDIT_PERM_EXEC;
174 	default:
175 		return 0;
176 	}
177 }
178 
179 static int audit_match_filetype(struct audit_context *ctx, int val)
180 {
181 	struct audit_names *n;
182 	umode_t mode = (umode_t)val;
183 
184 	if (unlikely(!ctx))
185 		return 0;
186 
187 	list_for_each_entry(n, &ctx->names_list, list) {
188 		if ((n->ino != -1) &&
189 		    ((n->mode & S_IFMT) == mode))
190 			return 1;
191 	}
192 
193 	return 0;
194 }
195 
196 /*
197  * We keep a linked list of fixed-sized (31 pointer) arrays of audit_chunk *;
198  * ->first_trees points to its beginning, ->trees - to the current end of data.
199  * ->tree_count is the number of free entries in array pointed to by ->trees.
200  * Original condition is (NULL, NULL, 0); as soon as it grows we never revert to NULL,
201  * "empty" becomes (p, p, 31) afterwards.  We don't shrink the list (and seriously,
202  * it's going to remain 1-element for almost any setup) until we free context itself.
203  * References in it _are_ dropped - at the same time we free/drop aux stuff.
204  */
205 
206 #ifdef CONFIG_AUDIT_TREE
207 static void audit_set_auditable(struct audit_context *ctx)
208 {
209 	if (!ctx->prio) {
210 		ctx->prio = 1;
211 		ctx->current_state = AUDIT_RECORD_CONTEXT;
212 	}
213 }
214 
215 static int put_tree_ref(struct audit_context *ctx, struct audit_chunk *chunk)
216 {
217 	struct audit_tree_refs *p = ctx->trees;
218 	int left = ctx->tree_count;
219 	if (likely(left)) {
220 		p->c[--left] = chunk;
221 		ctx->tree_count = left;
222 		return 1;
223 	}
224 	if (!p)
225 		return 0;
226 	p = p->next;
227 	if (p) {
228 		p->c[30] = chunk;
229 		ctx->trees = p;
230 		ctx->tree_count = 30;
231 		return 1;
232 	}
233 	return 0;
234 }
235 
236 static int grow_tree_refs(struct audit_context *ctx)
237 {
238 	struct audit_tree_refs *p = ctx->trees;
239 	ctx->trees = kzalloc(sizeof(struct audit_tree_refs), GFP_KERNEL);
240 	if (!ctx->trees) {
241 		ctx->trees = p;
242 		return 0;
243 	}
244 	if (p)
245 		p->next = ctx->trees;
246 	else
247 		ctx->first_trees = ctx->trees;
248 	ctx->tree_count = 31;
249 	return 1;
250 }
251 #endif
252 
253 static void unroll_tree_refs(struct audit_context *ctx,
254 		      struct audit_tree_refs *p, int count)
255 {
256 #ifdef CONFIG_AUDIT_TREE
257 	struct audit_tree_refs *q;
258 	int n;
259 	if (!p) {
260 		/* we started with empty chain */
261 		p = ctx->first_trees;
262 		count = 31;
263 		/* if the very first allocation has failed, nothing to do */
264 		if (!p)
265 			return;
266 	}
267 	n = count;
268 	for (q = p; q != ctx->trees; q = q->next, n = 31) {
269 		while (n--) {
270 			audit_put_chunk(q->c[n]);
271 			q->c[n] = NULL;
272 		}
273 	}
274 	while (n-- > ctx->tree_count) {
275 		audit_put_chunk(q->c[n]);
276 		q->c[n] = NULL;
277 	}
278 	ctx->trees = p;
279 	ctx->tree_count = count;
280 #endif
281 }
282 
283 static void free_tree_refs(struct audit_context *ctx)
284 {
285 	struct audit_tree_refs *p, *q;
286 	for (p = ctx->first_trees; p; p = q) {
287 		q = p->next;
288 		kfree(p);
289 	}
290 }
291 
292 static int match_tree_refs(struct audit_context *ctx, struct audit_tree *tree)
293 {
294 #ifdef CONFIG_AUDIT_TREE
295 	struct audit_tree_refs *p;
296 	int n;
297 	if (!tree)
298 		return 0;
299 	/* full ones */
300 	for (p = ctx->first_trees; p != ctx->trees; p = p->next) {
301 		for (n = 0; n < 31; n++)
302 			if (audit_tree_match(p->c[n], tree))
303 				return 1;
304 	}
305 	/* partial */
306 	if (p) {
307 		for (n = ctx->tree_count; n < 31; n++)
308 			if (audit_tree_match(p->c[n], tree))
309 				return 1;
310 	}
311 #endif
312 	return 0;
313 }
314 
315 static int audit_compare_uid(kuid_t uid,
316 			     struct audit_names *name,
317 			     struct audit_field *f,
318 			     struct audit_context *ctx)
319 {
320 	struct audit_names *n;
321 	int rc;
322 
323 	if (name) {
324 		rc = audit_uid_comparator(uid, f->op, name->uid);
325 		if (rc)
326 			return rc;
327 	}
328 
329 	if (ctx) {
330 		list_for_each_entry(n, &ctx->names_list, list) {
331 			rc = audit_uid_comparator(uid, f->op, n->uid);
332 			if (rc)
333 				return rc;
334 		}
335 	}
336 	return 0;
337 }
338 
339 static int audit_compare_gid(kgid_t gid,
340 			     struct audit_names *name,
341 			     struct audit_field *f,
342 			     struct audit_context *ctx)
343 {
344 	struct audit_names *n;
345 	int rc;
346 
347 	if (name) {
348 		rc = audit_gid_comparator(gid, f->op, name->gid);
349 		if (rc)
350 			return rc;
351 	}
352 
353 	if (ctx) {
354 		list_for_each_entry(n, &ctx->names_list, list) {
355 			rc = audit_gid_comparator(gid, f->op, n->gid);
356 			if (rc)
357 				return rc;
358 		}
359 	}
360 	return 0;
361 }
362 
363 static int audit_field_compare(struct task_struct *tsk,
364 			       const struct cred *cred,
365 			       struct audit_field *f,
366 			       struct audit_context *ctx,
367 			       struct audit_names *name)
368 {
369 	switch (f->val) {
370 	/* process to file object comparisons */
371 	case AUDIT_COMPARE_UID_TO_OBJ_UID:
372 		return audit_compare_uid(cred->uid, name, f, ctx);
373 	case AUDIT_COMPARE_GID_TO_OBJ_GID:
374 		return audit_compare_gid(cred->gid, name, f, ctx);
375 	case AUDIT_COMPARE_EUID_TO_OBJ_UID:
376 		return audit_compare_uid(cred->euid, name, f, ctx);
377 	case AUDIT_COMPARE_EGID_TO_OBJ_GID:
378 		return audit_compare_gid(cred->egid, name, f, ctx);
379 	case AUDIT_COMPARE_AUID_TO_OBJ_UID:
380 		return audit_compare_uid(tsk->loginuid, name, f, ctx);
381 	case AUDIT_COMPARE_SUID_TO_OBJ_UID:
382 		return audit_compare_uid(cred->suid, name, f, ctx);
383 	case AUDIT_COMPARE_SGID_TO_OBJ_GID:
384 		return audit_compare_gid(cred->sgid, name, f, ctx);
385 	case AUDIT_COMPARE_FSUID_TO_OBJ_UID:
386 		return audit_compare_uid(cred->fsuid, name, f, ctx);
387 	case AUDIT_COMPARE_FSGID_TO_OBJ_GID:
388 		return audit_compare_gid(cred->fsgid, name, f, ctx);
389 	/* uid comparisons */
390 	case AUDIT_COMPARE_UID_TO_AUID:
391 		return audit_uid_comparator(cred->uid, f->op, tsk->loginuid);
392 	case AUDIT_COMPARE_UID_TO_EUID:
393 		return audit_uid_comparator(cred->uid, f->op, cred->euid);
394 	case AUDIT_COMPARE_UID_TO_SUID:
395 		return audit_uid_comparator(cred->uid, f->op, cred->suid);
396 	case AUDIT_COMPARE_UID_TO_FSUID:
397 		return audit_uid_comparator(cred->uid, f->op, cred->fsuid);
398 	/* auid comparisons */
399 	case AUDIT_COMPARE_AUID_TO_EUID:
400 		return audit_uid_comparator(tsk->loginuid, f->op, cred->euid);
401 	case AUDIT_COMPARE_AUID_TO_SUID:
402 		return audit_uid_comparator(tsk->loginuid, f->op, cred->suid);
403 	case AUDIT_COMPARE_AUID_TO_FSUID:
404 		return audit_uid_comparator(tsk->loginuid, f->op, cred->fsuid);
405 	/* euid comparisons */
406 	case AUDIT_COMPARE_EUID_TO_SUID:
407 		return audit_uid_comparator(cred->euid, f->op, cred->suid);
408 	case AUDIT_COMPARE_EUID_TO_FSUID:
409 		return audit_uid_comparator(cred->euid, f->op, cred->fsuid);
410 	/* suid comparisons */
411 	case AUDIT_COMPARE_SUID_TO_FSUID:
412 		return audit_uid_comparator(cred->suid, f->op, cred->fsuid);
413 	/* gid comparisons */
414 	case AUDIT_COMPARE_GID_TO_EGID:
415 		return audit_gid_comparator(cred->gid, f->op, cred->egid);
416 	case AUDIT_COMPARE_GID_TO_SGID:
417 		return audit_gid_comparator(cred->gid, f->op, cred->sgid);
418 	case AUDIT_COMPARE_GID_TO_FSGID:
419 		return audit_gid_comparator(cred->gid, f->op, cred->fsgid);
420 	/* egid comparisons */
421 	case AUDIT_COMPARE_EGID_TO_SGID:
422 		return audit_gid_comparator(cred->egid, f->op, cred->sgid);
423 	case AUDIT_COMPARE_EGID_TO_FSGID:
424 		return audit_gid_comparator(cred->egid, f->op, cred->fsgid);
425 	/* sgid comparison */
426 	case AUDIT_COMPARE_SGID_TO_FSGID:
427 		return audit_gid_comparator(cred->sgid, f->op, cred->fsgid);
428 	default:
429 		WARN(1, "Missing AUDIT_COMPARE define.  Report as a bug\n");
430 		return 0;
431 	}
432 	return 0;
433 }
434 
435 /* Determine if any context name data matches a rule's watch data */
436 /* Compare a task_struct with an audit_rule.  Return 1 on match, 0
437  * otherwise.
438  *
439  * If task_creation is true, this is an explicit indication that we are
440  * filtering a task rule at task creation time.  This and tsk == current are
441  * the only situations where tsk->cred may be accessed without an rcu read lock.
442  */
443 static int audit_filter_rules(struct task_struct *tsk,
444 			      struct audit_krule *rule,
445 			      struct audit_context *ctx,
446 			      struct audit_names *name,
447 			      enum audit_state *state,
448 			      bool task_creation)
449 {
450 	const struct cred *cred;
451 	int i, need_sid = 1;
452 	u32 sid;
453 
454 	cred = rcu_dereference_check(tsk->cred, tsk == current || task_creation);
455 
456 	for (i = 0; i < rule->field_count; i++) {
457 		struct audit_field *f = &rule->fields[i];
458 		struct audit_names *n;
459 		int result = 0;
460 		pid_t pid;
461 
462 		switch (f->type) {
463 		case AUDIT_PID:
464 			pid = task_pid_nr(tsk);
465 			result = audit_comparator(pid, f->op, f->val);
466 			break;
467 		case AUDIT_PPID:
468 			if (ctx) {
469 				if (!ctx->ppid)
470 					ctx->ppid = task_ppid_nr(tsk);
471 				result = audit_comparator(ctx->ppid, f->op, f->val);
472 			}
473 			break;
474 		case AUDIT_UID:
475 			result = audit_uid_comparator(cred->uid, f->op, f->uid);
476 			break;
477 		case AUDIT_EUID:
478 			result = audit_uid_comparator(cred->euid, f->op, f->uid);
479 			break;
480 		case AUDIT_SUID:
481 			result = audit_uid_comparator(cred->suid, f->op, f->uid);
482 			break;
483 		case AUDIT_FSUID:
484 			result = audit_uid_comparator(cred->fsuid, f->op, f->uid);
485 			break;
486 		case AUDIT_GID:
487 			result = audit_gid_comparator(cred->gid, f->op, f->gid);
488 			if (f->op == Audit_equal) {
489 				if (!result)
490 					result = in_group_p(f->gid);
491 			} else if (f->op == Audit_not_equal) {
492 				if (result)
493 					result = !in_group_p(f->gid);
494 			}
495 			break;
496 		case AUDIT_EGID:
497 			result = audit_gid_comparator(cred->egid, f->op, f->gid);
498 			if (f->op == Audit_equal) {
499 				if (!result)
500 					result = in_egroup_p(f->gid);
501 			} else if (f->op == Audit_not_equal) {
502 				if (result)
503 					result = !in_egroup_p(f->gid);
504 			}
505 			break;
506 		case AUDIT_SGID:
507 			result = audit_gid_comparator(cred->sgid, f->op, f->gid);
508 			break;
509 		case AUDIT_FSGID:
510 			result = audit_gid_comparator(cred->fsgid, f->op, f->gid);
511 			break;
512 		case AUDIT_PERS:
513 			result = audit_comparator(tsk->personality, f->op, f->val);
514 			break;
515 		case AUDIT_ARCH:
516 			if (ctx)
517 				result = audit_comparator(ctx->arch, f->op, f->val);
518 			break;
519 
520 		case AUDIT_EXIT:
521 			if (ctx && ctx->return_valid)
522 				result = audit_comparator(ctx->return_code, f->op, f->val);
523 			break;
524 		case AUDIT_SUCCESS:
525 			if (ctx && ctx->return_valid) {
526 				if (f->val)
527 					result = audit_comparator(ctx->return_valid, f->op, AUDITSC_SUCCESS);
528 				else
529 					result = audit_comparator(ctx->return_valid, f->op, AUDITSC_FAILURE);
530 			}
531 			break;
532 		case AUDIT_DEVMAJOR:
533 			if (name) {
534 				if (audit_comparator(MAJOR(name->dev), f->op, f->val) ||
535 				    audit_comparator(MAJOR(name->rdev), f->op, f->val))
536 					++result;
537 			} else if (ctx) {
538 				list_for_each_entry(n, &ctx->names_list, list) {
539 					if (audit_comparator(MAJOR(n->dev), f->op, f->val) ||
540 					    audit_comparator(MAJOR(n->rdev), f->op, f->val)) {
541 						++result;
542 						break;
543 					}
544 				}
545 			}
546 			break;
547 		case AUDIT_DEVMINOR:
548 			if (name) {
549 				if (audit_comparator(MINOR(name->dev), f->op, f->val) ||
550 				    audit_comparator(MINOR(name->rdev), f->op, f->val))
551 					++result;
552 			} else if (ctx) {
553 				list_for_each_entry(n, &ctx->names_list, list) {
554 					if (audit_comparator(MINOR(n->dev), f->op, f->val) ||
555 					    audit_comparator(MINOR(n->rdev), f->op, f->val)) {
556 						++result;
557 						break;
558 					}
559 				}
560 			}
561 			break;
562 		case AUDIT_INODE:
563 			if (name)
564 				result = audit_comparator(name->ino, f->op, f->val);
565 			else if (ctx) {
566 				list_for_each_entry(n, &ctx->names_list, list) {
567 					if (audit_comparator(n->ino, f->op, f->val)) {
568 						++result;
569 						break;
570 					}
571 				}
572 			}
573 			break;
574 		case AUDIT_OBJ_UID:
575 			if (name) {
576 				result = audit_uid_comparator(name->uid, f->op, f->uid);
577 			} else if (ctx) {
578 				list_for_each_entry(n, &ctx->names_list, list) {
579 					if (audit_uid_comparator(n->uid, f->op, f->uid)) {
580 						++result;
581 						break;
582 					}
583 				}
584 			}
585 			break;
586 		case AUDIT_OBJ_GID:
587 			if (name) {
588 				result = audit_gid_comparator(name->gid, f->op, f->gid);
589 			} else if (ctx) {
590 				list_for_each_entry(n, &ctx->names_list, list) {
591 					if (audit_gid_comparator(n->gid, f->op, f->gid)) {
592 						++result;
593 						break;
594 					}
595 				}
596 			}
597 			break;
598 		case AUDIT_WATCH:
599 			if (name)
600 				result = audit_watch_compare(rule->watch, name->ino, name->dev);
601 			break;
602 		case AUDIT_DIR:
603 			if (ctx)
604 				result = match_tree_refs(ctx, rule->tree);
605 			break;
606 		case AUDIT_LOGINUID:
607 			result = 0;
608 			if (ctx)
609 				result = audit_uid_comparator(tsk->loginuid, f->op, f->uid);
610 			break;
611 		case AUDIT_LOGINUID_SET:
612 			result = audit_comparator(audit_loginuid_set(tsk), f->op, f->val);
613 			break;
614 		case AUDIT_SUBJ_USER:
615 		case AUDIT_SUBJ_ROLE:
616 		case AUDIT_SUBJ_TYPE:
617 		case AUDIT_SUBJ_SEN:
618 		case AUDIT_SUBJ_CLR:
619 			/* NOTE: this may return negative values indicating
620 			   a temporary error.  We simply treat this as a
621 			   match for now to avoid losing information that
622 			   may be wanted.   An error message will also be
623 			   logged upon error */
624 			if (f->lsm_rule) {
625 				if (need_sid) {
626 					security_task_getsecid(tsk, &sid);
627 					need_sid = 0;
628 				}
629 				result = security_audit_rule_match(sid, f->type,
630 				                                  f->op,
631 				                                  f->lsm_rule,
632 				                                  ctx);
633 			}
634 			break;
635 		case AUDIT_OBJ_USER:
636 		case AUDIT_OBJ_ROLE:
637 		case AUDIT_OBJ_TYPE:
638 		case AUDIT_OBJ_LEV_LOW:
639 		case AUDIT_OBJ_LEV_HIGH:
640 			/* The above note for AUDIT_SUBJ_USER...AUDIT_SUBJ_CLR
641 			   also applies here */
642 			if (f->lsm_rule) {
643 				/* Find files that match */
644 				if (name) {
645 					result = security_audit_rule_match(
646 					           name->osid, f->type, f->op,
647 					           f->lsm_rule, ctx);
648 				} else if (ctx) {
649 					list_for_each_entry(n, &ctx->names_list, list) {
650 						if (security_audit_rule_match(n->osid, f->type,
651 									      f->op, f->lsm_rule,
652 									      ctx)) {
653 							++result;
654 							break;
655 						}
656 					}
657 				}
658 				/* Find ipc objects that match */
659 				if (!ctx || ctx->type != AUDIT_IPC)
660 					break;
661 				if (security_audit_rule_match(ctx->ipc.osid,
662 							      f->type, f->op,
663 							      f->lsm_rule, ctx))
664 					++result;
665 			}
666 			break;
667 		case AUDIT_ARG0:
668 		case AUDIT_ARG1:
669 		case AUDIT_ARG2:
670 		case AUDIT_ARG3:
671 			if (ctx)
672 				result = audit_comparator(ctx->argv[f->type-AUDIT_ARG0], f->op, f->val);
673 			break;
674 		case AUDIT_FILTERKEY:
675 			/* ignore this field for filtering */
676 			result = 1;
677 			break;
678 		case AUDIT_PERM:
679 			result = audit_match_perm(ctx, f->val);
680 			break;
681 		case AUDIT_FILETYPE:
682 			result = audit_match_filetype(ctx, f->val);
683 			break;
684 		case AUDIT_FIELD_COMPARE:
685 			result = audit_field_compare(tsk, cred, f, ctx, name);
686 			break;
687 		}
688 		if (!result)
689 			return 0;
690 	}
691 
692 	if (ctx) {
693 		if (rule->prio <= ctx->prio)
694 			return 0;
695 		if (rule->filterkey) {
696 			kfree(ctx->filterkey);
697 			ctx->filterkey = kstrdup(rule->filterkey, GFP_ATOMIC);
698 		}
699 		ctx->prio = rule->prio;
700 	}
701 	switch (rule->action) {
702 	case AUDIT_NEVER:    *state = AUDIT_DISABLED;	    break;
703 	case AUDIT_ALWAYS:   *state = AUDIT_RECORD_CONTEXT; break;
704 	}
705 	return 1;
706 }
707 
708 /* At process creation time, we can determine if system-call auditing is
709  * completely disabled for this task.  Since we only have the task
710  * structure at this point, we can only check uid and gid.
711  */
712 static enum audit_state audit_filter_task(struct task_struct *tsk, char **key)
713 {
714 	struct audit_entry *e;
715 	enum audit_state   state;
716 
717 	rcu_read_lock();
718 	list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TASK], list) {
719 		if (audit_filter_rules(tsk, &e->rule, NULL, NULL,
720 				       &state, true)) {
721 			if (state == AUDIT_RECORD_CONTEXT)
722 				*key = kstrdup(e->rule.filterkey, GFP_ATOMIC);
723 			rcu_read_unlock();
724 			return state;
725 		}
726 	}
727 	rcu_read_unlock();
728 	return AUDIT_BUILD_CONTEXT;
729 }
730 
731 /* At syscall entry and exit time, this filter is called if the
732  * audit_state is not low enough that auditing cannot take place, but is
733  * also not high enough that we already know we have to write an audit
734  * record (i.e., the state is AUDIT_SETUP_CONTEXT or AUDIT_BUILD_CONTEXT).
735  */
736 static enum audit_state audit_filter_syscall(struct task_struct *tsk,
737 					     struct audit_context *ctx,
738 					     struct list_head *list)
739 {
740 	struct audit_entry *e;
741 	enum audit_state state;
742 
743 	if (audit_pid && tsk->tgid == audit_pid)
744 		return AUDIT_DISABLED;
745 
746 	rcu_read_lock();
747 	if (!list_empty(list)) {
748 		int word = AUDIT_WORD(ctx->major);
749 		int bit  = AUDIT_BIT(ctx->major);
750 
751 		list_for_each_entry_rcu(e, list, list) {
752 			if ((e->rule.mask[word] & bit) == bit &&
753 			    audit_filter_rules(tsk, &e->rule, ctx, NULL,
754 					       &state, false)) {
755 				rcu_read_unlock();
756 				ctx->current_state = state;
757 				return state;
758 			}
759 		}
760 	}
761 	rcu_read_unlock();
762 	return AUDIT_BUILD_CONTEXT;
763 }
764 
765 /*
766  * Given an audit_name check the inode hash table to see if they match.
767  * Called holding the rcu read lock to protect the use of audit_inode_hash
768  */
769 static int audit_filter_inode_name(struct task_struct *tsk,
770 				   struct audit_names *n,
771 				   struct audit_context *ctx) {
772 	int word, bit;
773 	int h = audit_hash_ino((u32)n->ino);
774 	struct list_head *list = &audit_inode_hash[h];
775 	struct audit_entry *e;
776 	enum audit_state state;
777 
778 	word = AUDIT_WORD(ctx->major);
779 	bit  = AUDIT_BIT(ctx->major);
780 
781 	if (list_empty(list))
782 		return 0;
783 
784 	list_for_each_entry_rcu(e, list, list) {
785 		if ((e->rule.mask[word] & bit) == bit &&
786 		    audit_filter_rules(tsk, &e->rule, ctx, n, &state, false)) {
787 			ctx->current_state = state;
788 			return 1;
789 		}
790 	}
791 
792 	return 0;
793 }
794 
795 /* At syscall exit time, this filter is called if any audit_names have been
796  * collected during syscall processing.  We only check rules in sublists at hash
797  * buckets applicable to the inode numbers in audit_names.
798  * Regarding audit_state, same rules apply as for audit_filter_syscall().
799  */
800 void audit_filter_inodes(struct task_struct *tsk, struct audit_context *ctx)
801 {
802 	struct audit_names *n;
803 
804 	if (audit_pid && tsk->tgid == audit_pid)
805 		return;
806 
807 	rcu_read_lock();
808 
809 	list_for_each_entry(n, &ctx->names_list, list) {
810 		if (audit_filter_inode_name(tsk, n, ctx))
811 			break;
812 	}
813 	rcu_read_unlock();
814 }
815 
816 /* Transfer the audit context pointer to the caller, clearing it in the tsk's struct */
817 static inline struct audit_context *audit_take_context(struct task_struct *tsk,
818 						      int return_valid,
819 						      long return_code)
820 {
821 	struct audit_context *context = tsk->audit_context;
822 
823 	if (!context)
824 		return NULL;
825 	context->return_valid = return_valid;
826 
827 	/*
828 	 * we need to fix up the return code in the audit logs if the actual
829 	 * return codes are later going to be fixed up by the arch specific
830 	 * signal handlers
831 	 *
832 	 * This is actually a test for:
833 	 * (rc == ERESTARTSYS ) || (rc == ERESTARTNOINTR) ||
834 	 * (rc == ERESTARTNOHAND) || (rc == ERESTART_RESTARTBLOCK)
835 	 *
836 	 * but is faster than a bunch of ||
837 	 */
838 	if (unlikely(return_code <= -ERESTARTSYS) &&
839 	    (return_code >= -ERESTART_RESTARTBLOCK) &&
840 	    (return_code != -ENOIOCTLCMD))
841 		context->return_code = -EINTR;
842 	else
843 		context->return_code  = return_code;
844 
845 	if (context->in_syscall && !context->dummy) {
846 		audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_EXIT]);
847 		audit_filter_inodes(tsk, context);
848 	}
849 
850 	tsk->audit_context = NULL;
851 	return context;
852 }
853 
854 static inline void audit_proctitle_free(struct audit_context *context)
855 {
856 	kfree(context->proctitle.value);
857 	context->proctitle.value = NULL;
858 	context->proctitle.len = 0;
859 }
860 
861 static inline void audit_free_names(struct audit_context *context)
862 {
863 	struct audit_names *n, *next;
864 
865 #if AUDIT_DEBUG == 2
866 	if (context->put_count + context->ino_count != context->name_count) {
867 		int i = 0;
868 
869 		pr_err("%s:%d(:%d): major=%d in_syscall=%d"
870 		       " name_count=%d put_count=%d ino_count=%d"
871 		       " [NOT freeing]\n", __FILE__, __LINE__,
872 		       context->serial, context->major, context->in_syscall,
873 		       context->name_count, context->put_count,
874 		       context->ino_count);
875 		list_for_each_entry(n, &context->names_list, list) {
876 			pr_err("names[%d] = %p = %s\n", i++, n->name,
877 			       n->name->name ?: "(null)");
878 		}
879 		dump_stack();
880 		return;
881 	}
882 #endif
883 #if AUDIT_DEBUG
884 	context->put_count  = 0;
885 	context->ino_count  = 0;
886 #endif
887 
888 	list_for_each_entry_safe(n, next, &context->names_list, list) {
889 		list_del(&n->list);
890 		if (n->name && n->name_put)
891 			final_putname(n->name);
892 		if (n->should_free)
893 			kfree(n);
894 	}
895 	context->name_count = 0;
896 	path_put(&context->pwd);
897 	context->pwd.dentry = NULL;
898 	context->pwd.mnt = NULL;
899 }
900 
901 static inline void audit_free_aux(struct audit_context *context)
902 {
903 	struct audit_aux_data *aux;
904 
905 	while ((aux = context->aux)) {
906 		context->aux = aux->next;
907 		kfree(aux);
908 	}
909 	while ((aux = context->aux_pids)) {
910 		context->aux_pids = aux->next;
911 		kfree(aux);
912 	}
913 }
914 
915 static inline struct audit_context *audit_alloc_context(enum audit_state state)
916 {
917 	struct audit_context *context;
918 
919 	context = kzalloc(sizeof(*context), GFP_KERNEL);
920 	if (!context)
921 		return NULL;
922 	context->state = state;
923 	context->prio = state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0;
924 	INIT_LIST_HEAD(&context->killed_trees);
925 	INIT_LIST_HEAD(&context->names_list);
926 	return context;
927 }
928 
929 /**
930  * audit_alloc - allocate an audit context block for a task
931  * @tsk: task
932  *
933  * Filter on the task information and allocate a per-task audit context
934  * if necessary.  Doing so turns on system call auditing for the
935  * specified task.  This is called from copy_process, so no lock is
936  * needed.
937  */
938 int audit_alloc(struct task_struct *tsk)
939 {
940 	struct audit_context *context;
941 	enum audit_state     state;
942 	char *key = NULL;
943 
944 	if (likely(!audit_ever_enabled))
945 		return 0; /* Return if not auditing. */
946 
947 	state = audit_filter_task(tsk, &key);
948 	if (state == AUDIT_DISABLED) {
949 		clear_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT);
950 		return 0;
951 	}
952 
953 	if (!(context = audit_alloc_context(state))) {
954 		kfree(key);
955 		audit_log_lost("out of memory in audit_alloc");
956 		return -ENOMEM;
957 	}
958 	context->filterkey = key;
959 
960 	tsk->audit_context  = context;
961 	set_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT);
962 	return 0;
963 }
964 
965 static inline void audit_free_context(struct audit_context *context)
966 {
967 	audit_free_names(context);
968 	unroll_tree_refs(context, NULL, 0);
969 	free_tree_refs(context);
970 	audit_free_aux(context);
971 	kfree(context->filterkey);
972 	kfree(context->sockaddr);
973 	audit_proctitle_free(context);
974 	kfree(context);
975 }
976 
977 static int audit_log_pid_context(struct audit_context *context, pid_t pid,
978 				 kuid_t auid, kuid_t uid, unsigned int sessionid,
979 				 u32 sid, char *comm)
980 {
981 	struct audit_buffer *ab;
982 	char *ctx = NULL;
983 	u32 len;
984 	int rc = 0;
985 
986 	ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID);
987 	if (!ab)
988 		return rc;
989 
990 	audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid,
991 			 from_kuid(&init_user_ns, auid),
992 			 from_kuid(&init_user_ns, uid), sessionid);
993 	if (sid) {
994 		if (security_secid_to_secctx(sid, &ctx, &len)) {
995 			audit_log_format(ab, " obj=(none)");
996 			rc = 1;
997 		} else {
998 			audit_log_format(ab, " obj=%s", ctx);
999 			security_release_secctx(ctx, len);
1000 		}
1001 	}
1002 	audit_log_format(ab, " ocomm=");
1003 	audit_log_untrustedstring(ab, comm);
1004 	audit_log_end(ab);
1005 
1006 	return rc;
1007 }
1008 
1009 /*
1010  * to_send and len_sent accounting are very loose estimates.  We aren't
1011  * really worried about a hard cap to MAX_EXECVE_AUDIT_LEN so much as being
1012  * within about 500 bytes (next page boundary)
1013  *
1014  * why snprintf?  an int is up to 12 digits long.  if we just assumed when
1015  * logging that a[%d]= was going to be 16 characters long we would be wasting
1016  * space in every audit message.  In one 7500 byte message we can log up to
1017  * about 1000 min size arguments.  That comes down to about 50% waste of space
1018  * if we didn't do the snprintf to find out how long arg_num_len was.
1019  */
1020 static int audit_log_single_execve_arg(struct audit_context *context,
1021 					struct audit_buffer **ab,
1022 					int arg_num,
1023 					size_t *len_sent,
1024 					const char __user *p,
1025 					char *buf)
1026 {
1027 	char arg_num_len_buf[12];
1028 	const char __user *tmp_p = p;
1029 	/* how many digits are in arg_num? 5 is the length of ' a=""' */
1030 	size_t arg_num_len = snprintf(arg_num_len_buf, 12, "%d", arg_num) + 5;
1031 	size_t len, len_left, to_send;
1032 	size_t max_execve_audit_len = MAX_EXECVE_AUDIT_LEN;
1033 	unsigned int i, has_cntl = 0, too_long = 0;
1034 	int ret;
1035 
1036 	/* strnlen_user includes the null we don't want to send */
1037 	len_left = len = strnlen_user(p, MAX_ARG_STRLEN) - 1;
1038 
1039 	/*
1040 	 * We just created this mm, if we can't find the strings
1041 	 * we just copied into it something is _very_ wrong. Similar
1042 	 * for strings that are too long, we should not have created
1043 	 * any.
1044 	 */
1045 	if (unlikely((len == -1) || len > MAX_ARG_STRLEN - 1)) {
1046 		WARN_ON(1);
1047 		send_sig(SIGKILL, current, 0);
1048 		return -1;
1049 	}
1050 
1051 	/* walk the whole argument looking for non-ascii chars */
1052 	do {
1053 		if (len_left > MAX_EXECVE_AUDIT_LEN)
1054 			to_send = MAX_EXECVE_AUDIT_LEN;
1055 		else
1056 			to_send = len_left;
1057 		ret = copy_from_user(buf, tmp_p, to_send);
1058 		/*
1059 		 * There is no reason for this copy to be short. We just
1060 		 * copied them here, and the mm hasn't been exposed to user-
1061 		 * space yet.
1062 		 */
1063 		if (ret) {
1064 			WARN_ON(1);
1065 			send_sig(SIGKILL, current, 0);
1066 			return -1;
1067 		}
1068 		buf[to_send] = '\0';
1069 		has_cntl = audit_string_contains_control(buf, to_send);
1070 		if (has_cntl) {
1071 			/*
1072 			 * hex messages get logged as 2 bytes, so we can only
1073 			 * send half as much in each message
1074 			 */
1075 			max_execve_audit_len = MAX_EXECVE_AUDIT_LEN / 2;
1076 			break;
1077 		}
1078 		len_left -= to_send;
1079 		tmp_p += to_send;
1080 	} while (len_left > 0);
1081 
1082 	len_left = len;
1083 
1084 	if (len > max_execve_audit_len)
1085 		too_long = 1;
1086 
1087 	/* rewalk the argument actually logging the message */
1088 	for (i = 0; len_left > 0; i++) {
1089 		int room_left;
1090 
1091 		if (len_left > max_execve_audit_len)
1092 			to_send = max_execve_audit_len;
1093 		else
1094 			to_send = len_left;
1095 
1096 		/* do we have space left to send this argument in this ab? */
1097 		room_left = MAX_EXECVE_AUDIT_LEN - arg_num_len - *len_sent;
1098 		if (has_cntl)
1099 			room_left -= (to_send * 2);
1100 		else
1101 			room_left -= to_send;
1102 		if (room_left < 0) {
1103 			*len_sent = 0;
1104 			audit_log_end(*ab);
1105 			*ab = audit_log_start(context, GFP_KERNEL, AUDIT_EXECVE);
1106 			if (!*ab)
1107 				return 0;
1108 		}
1109 
1110 		/*
1111 		 * first record needs to say how long the original string was
1112 		 * so we can be sure nothing was lost.
1113 		 */
1114 		if ((i == 0) && (too_long))
1115 			audit_log_format(*ab, " a%d_len=%zu", arg_num,
1116 					 has_cntl ? 2*len : len);
1117 
1118 		/*
1119 		 * normally arguments are small enough to fit and we already
1120 		 * filled buf above when we checked for control characters
1121 		 * so don't bother with another copy_from_user
1122 		 */
1123 		if (len >= max_execve_audit_len)
1124 			ret = copy_from_user(buf, p, to_send);
1125 		else
1126 			ret = 0;
1127 		if (ret) {
1128 			WARN_ON(1);
1129 			send_sig(SIGKILL, current, 0);
1130 			return -1;
1131 		}
1132 		buf[to_send] = '\0';
1133 
1134 		/* actually log it */
1135 		audit_log_format(*ab, " a%d", arg_num);
1136 		if (too_long)
1137 			audit_log_format(*ab, "[%d]", i);
1138 		audit_log_format(*ab, "=");
1139 		if (has_cntl)
1140 			audit_log_n_hex(*ab, buf, to_send);
1141 		else
1142 			audit_log_string(*ab, buf);
1143 
1144 		p += to_send;
1145 		len_left -= to_send;
1146 		*len_sent += arg_num_len;
1147 		if (has_cntl)
1148 			*len_sent += to_send * 2;
1149 		else
1150 			*len_sent += to_send;
1151 	}
1152 	/* include the null we didn't log */
1153 	return len + 1;
1154 }
1155 
1156 static void audit_log_execve_info(struct audit_context *context,
1157 				  struct audit_buffer **ab)
1158 {
1159 	int i, len;
1160 	size_t len_sent = 0;
1161 	const char __user *p;
1162 	char *buf;
1163 
1164 	p = (const char __user *)current->mm->arg_start;
1165 
1166 	audit_log_format(*ab, "argc=%d", context->execve.argc);
1167 
1168 	/*
1169 	 * we need some kernel buffer to hold the userspace args.  Just
1170 	 * allocate one big one rather than allocating one of the right size
1171 	 * for every single argument inside audit_log_single_execve_arg()
1172 	 * should be <8k allocation so should be pretty safe.
1173 	 */
1174 	buf = kmalloc(MAX_EXECVE_AUDIT_LEN + 1, GFP_KERNEL);
1175 	if (!buf) {
1176 		audit_panic("out of memory for argv string");
1177 		return;
1178 	}
1179 
1180 	for (i = 0; i < context->execve.argc; i++) {
1181 		len = audit_log_single_execve_arg(context, ab, i,
1182 						  &len_sent, p, buf);
1183 		if (len <= 0)
1184 			break;
1185 		p += len;
1186 	}
1187 	kfree(buf);
1188 }
1189 
1190 static void show_special(struct audit_context *context, int *call_panic)
1191 {
1192 	struct audit_buffer *ab;
1193 	int i;
1194 
1195 	ab = audit_log_start(context, GFP_KERNEL, context->type);
1196 	if (!ab)
1197 		return;
1198 
1199 	switch (context->type) {
1200 	case AUDIT_SOCKETCALL: {
1201 		int nargs = context->socketcall.nargs;
1202 		audit_log_format(ab, "nargs=%d", nargs);
1203 		for (i = 0; i < nargs; i++)
1204 			audit_log_format(ab, " a%d=%lx", i,
1205 				context->socketcall.args[i]);
1206 		break; }
1207 	case AUDIT_IPC: {
1208 		u32 osid = context->ipc.osid;
1209 
1210 		audit_log_format(ab, "ouid=%u ogid=%u mode=%#ho",
1211 				 from_kuid(&init_user_ns, context->ipc.uid),
1212 				 from_kgid(&init_user_ns, context->ipc.gid),
1213 				 context->ipc.mode);
1214 		if (osid) {
1215 			char *ctx = NULL;
1216 			u32 len;
1217 			if (security_secid_to_secctx(osid, &ctx, &len)) {
1218 				audit_log_format(ab, " osid=%u", osid);
1219 				*call_panic = 1;
1220 			} else {
1221 				audit_log_format(ab, " obj=%s", ctx);
1222 				security_release_secctx(ctx, len);
1223 			}
1224 		}
1225 		if (context->ipc.has_perm) {
1226 			audit_log_end(ab);
1227 			ab = audit_log_start(context, GFP_KERNEL,
1228 					     AUDIT_IPC_SET_PERM);
1229 			if (unlikely(!ab))
1230 				return;
1231 			audit_log_format(ab,
1232 				"qbytes=%lx ouid=%u ogid=%u mode=%#ho",
1233 				context->ipc.qbytes,
1234 				context->ipc.perm_uid,
1235 				context->ipc.perm_gid,
1236 				context->ipc.perm_mode);
1237 		}
1238 		break; }
1239 	case AUDIT_MQ_OPEN: {
1240 		audit_log_format(ab,
1241 			"oflag=0x%x mode=%#ho mq_flags=0x%lx mq_maxmsg=%ld "
1242 			"mq_msgsize=%ld mq_curmsgs=%ld",
1243 			context->mq_open.oflag, context->mq_open.mode,
1244 			context->mq_open.attr.mq_flags,
1245 			context->mq_open.attr.mq_maxmsg,
1246 			context->mq_open.attr.mq_msgsize,
1247 			context->mq_open.attr.mq_curmsgs);
1248 		break; }
1249 	case AUDIT_MQ_SENDRECV: {
1250 		audit_log_format(ab,
1251 			"mqdes=%d msg_len=%zd msg_prio=%u "
1252 			"abs_timeout_sec=%ld abs_timeout_nsec=%ld",
1253 			context->mq_sendrecv.mqdes,
1254 			context->mq_sendrecv.msg_len,
1255 			context->mq_sendrecv.msg_prio,
1256 			context->mq_sendrecv.abs_timeout.tv_sec,
1257 			context->mq_sendrecv.abs_timeout.tv_nsec);
1258 		break; }
1259 	case AUDIT_MQ_NOTIFY: {
1260 		audit_log_format(ab, "mqdes=%d sigev_signo=%d",
1261 				context->mq_notify.mqdes,
1262 				context->mq_notify.sigev_signo);
1263 		break; }
1264 	case AUDIT_MQ_GETSETATTR: {
1265 		struct mq_attr *attr = &context->mq_getsetattr.mqstat;
1266 		audit_log_format(ab,
1267 			"mqdes=%d mq_flags=0x%lx mq_maxmsg=%ld mq_msgsize=%ld "
1268 			"mq_curmsgs=%ld ",
1269 			context->mq_getsetattr.mqdes,
1270 			attr->mq_flags, attr->mq_maxmsg,
1271 			attr->mq_msgsize, attr->mq_curmsgs);
1272 		break; }
1273 	case AUDIT_CAPSET: {
1274 		audit_log_format(ab, "pid=%d", context->capset.pid);
1275 		audit_log_cap(ab, "cap_pi", &context->capset.cap.inheritable);
1276 		audit_log_cap(ab, "cap_pp", &context->capset.cap.permitted);
1277 		audit_log_cap(ab, "cap_pe", &context->capset.cap.effective);
1278 		break; }
1279 	case AUDIT_MMAP: {
1280 		audit_log_format(ab, "fd=%d flags=0x%x", context->mmap.fd,
1281 				 context->mmap.flags);
1282 		break; }
1283 	case AUDIT_EXECVE: {
1284 		audit_log_execve_info(context, &ab);
1285 		break; }
1286 	}
1287 	audit_log_end(ab);
1288 }
1289 
1290 static inline int audit_proctitle_rtrim(char *proctitle, int len)
1291 {
1292 	char *end = proctitle + len - 1;
1293 	while (end > proctitle && !isprint(*end))
1294 		end--;
1295 
1296 	/* catch the case where proctitle is only 1 non-print character */
1297 	len = end - proctitle + 1;
1298 	len -= isprint(proctitle[len-1]) == 0;
1299 	return len;
1300 }
1301 
1302 static void audit_log_proctitle(struct task_struct *tsk,
1303 			 struct audit_context *context)
1304 {
1305 	int res;
1306 	char *buf;
1307 	char *msg = "(null)";
1308 	int len = strlen(msg);
1309 	struct audit_buffer *ab;
1310 
1311 	ab = audit_log_start(context, GFP_KERNEL, AUDIT_PROCTITLE);
1312 	if (!ab)
1313 		return;	/* audit_panic or being filtered */
1314 
1315 	audit_log_format(ab, "proctitle=");
1316 
1317 	/* Not  cached */
1318 	if (!context->proctitle.value) {
1319 		buf = kmalloc(MAX_PROCTITLE_AUDIT_LEN, GFP_KERNEL);
1320 		if (!buf)
1321 			goto out;
1322 		/* Historically called this from procfs naming */
1323 		res = get_cmdline(tsk, buf, MAX_PROCTITLE_AUDIT_LEN);
1324 		if (res == 0) {
1325 			kfree(buf);
1326 			goto out;
1327 		}
1328 		res = audit_proctitle_rtrim(buf, res);
1329 		if (res == 0) {
1330 			kfree(buf);
1331 			goto out;
1332 		}
1333 		context->proctitle.value = buf;
1334 		context->proctitle.len = res;
1335 	}
1336 	msg = context->proctitle.value;
1337 	len = context->proctitle.len;
1338 out:
1339 	audit_log_n_untrustedstring(ab, msg, len);
1340 	audit_log_end(ab);
1341 }
1342 
1343 static void audit_log_exit(struct audit_context *context, struct task_struct *tsk)
1344 {
1345 	int i, call_panic = 0;
1346 	struct audit_buffer *ab;
1347 	struct audit_aux_data *aux;
1348 	struct audit_names *n;
1349 
1350 	/* tsk == current */
1351 	context->personality = tsk->personality;
1352 
1353 	ab = audit_log_start(context, GFP_KERNEL, AUDIT_SYSCALL);
1354 	if (!ab)
1355 		return;		/* audit_panic has been called */
1356 	audit_log_format(ab, "arch=%x syscall=%d",
1357 			 context->arch, context->major);
1358 	if (context->personality != PER_LINUX)
1359 		audit_log_format(ab, " per=%lx", context->personality);
1360 	if (context->return_valid)
1361 		audit_log_format(ab, " success=%s exit=%ld",
1362 				 (context->return_valid==AUDITSC_SUCCESS)?"yes":"no",
1363 				 context->return_code);
1364 
1365 	audit_log_format(ab,
1366 			 " a0=%lx a1=%lx a2=%lx a3=%lx items=%d",
1367 			 context->argv[0],
1368 			 context->argv[1],
1369 			 context->argv[2],
1370 			 context->argv[3],
1371 			 context->name_count);
1372 
1373 	audit_log_task_info(ab, tsk);
1374 	audit_log_key(ab, context->filterkey);
1375 	audit_log_end(ab);
1376 
1377 	for (aux = context->aux; aux; aux = aux->next) {
1378 
1379 		ab = audit_log_start(context, GFP_KERNEL, aux->type);
1380 		if (!ab)
1381 			continue; /* audit_panic has been called */
1382 
1383 		switch (aux->type) {
1384 
1385 		case AUDIT_BPRM_FCAPS: {
1386 			struct audit_aux_data_bprm_fcaps *axs = (void *)aux;
1387 			audit_log_format(ab, "fver=%x", axs->fcap_ver);
1388 			audit_log_cap(ab, "fp", &axs->fcap.permitted);
1389 			audit_log_cap(ab, "fi", &axs->fcap.inheritable);
1390 			audit_log_format(ab, " fe=%d", axs->fcap.fE);
1391 			audit_log_cap(ab, "old_pp", &axs->old_pcap.permitted);
1392 			audit_log_cap(ab, "old_pi", &axs->old_pcap.inheritable);
1393 			audit_log_cap(ab, "old_pe", &axs->old_pcap.effective);
1394 			audit_log_cap(ab, "new_pp", &axs->new_pcap.permitted);
1395 			audit_log_cap(ab, "new_pi", &axs->new_pcap.inheritable);
1396 			audit_log_cap(ab, "new_pe", &axs->new_pcap.effective);
1397 			break; }
1398 
1399 		}
1400 		audit_log_end(ab);
1401 	}
1402 
1403 	if (context->type)
1404 		show_special(context, &call_panic);
1405 
1406 	if (context->fds[0] >= 0) {
1407 		ab = audit_log_start(context, GFP_KERNEL, AUDIT_FD_PAIR);
1408 		if (ab) {
1409 			audit_log_format(ab, "fd0=%d fd1=%d",
1410 					context->fds[0], context->fds[1]);
1411 			audit_log_end(ab);
1412 		}
1413 	}
1414 
1415 	if (context->sockaddr_len) {
1416 		ab = audit_log_start(context, GFP_KERNEL, AUDIT_SOCKADDR);
1417 		if (ab) {
1418 			audit_log_format(ab, "saddr=");
1419 			audit_log_n_hex(ab, (void *)context->sockaddr,
1420 					context->sockaddr_len);
1421 			audit_log_end(ab);
1422 		}
1423 	}
1424 
1425 	for (aux = context->aux_pids; aux; aux = aux->next) {
1426 		struct audit_aux_data_pids *axs = (void *)aux;
1427 
1428 		for (i = 0; i < axs->pid_count; i++)
1429 			if (audit_log_pid_context(context, axs->target_pid[i],
1430 						  axs->target_auid[i],
1431 						  axs->target_uid[i],
1432 						  axs->target_sessionid[i],
1433 						  axs->target_sid[i],
1434 						  axs->target_comm[i]))
1435 				call_panic = 1;
1436 	}
1437 
1438 	if (context->target_pid &&
1439 	    audit_log_pid_context(context, context->target_pid,
1440 				  context->target_auid, context->target_uid,
1441 				  context->target_sessionid,
1442 				  context->target_sid, context->target_comm))
1443 			call_panic = 1;
1444 
1445 	if (context->pwd.dentry && context->pwd.mnt) {
1446 		ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD);
1447 		if (ab) {
1448 			audit_log_d_path(ab, " cwd=", &context->pwd);
1449 			audit_log_end(ab);
1450 		}
1451 	}
1452 
1453 	i = 0;
1454 	list_for_each_entry(n, &context->names_list, list) {
1455 		if (n->hidden)
1456 			continue;
1457 		audit_log_name(context, n, NULL, i++, &call_panic);
1458 	}
1459 
1460 	audit_log_proctitle(tsk, context);
1461 
1462 	/* Send end of event record to help user space know we are finished */
1463 	ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE);
1464 	if (ab)
1465 		audit_log_end(ab);
1466 	if (call_panic)
1467 		audit_panic("error converting sid to string");
1468 }
1469 
1470 /**
1471  * audit_free - free a per-task audit context
1472  * @tsk: task whose audit context block to free
1473  *
1474  * Called from copy_process and do_exit
1475  */
1476 void __audit_free(struct task_struct *tsk)
1477 {
1478 	struct audit_context *context;
1479 
1480 	context = audit_take_context(tsk, 0, 0);
1481 	if (!context)
1482 		return;
1483 
1484 	/* Check for system calls that do not go through the exit
1485 	 * function (e.g., exit_group), then free context block.
1486 	 * We use GFP_ATOMIC here because we might be doing this
1487 	 * in the context of the idle thread */
1488 	/* that can happen only if we are called from do_exit() */
1489 	if (context->in_syscall && context->current_state == AUDIT_RECORD_CONTEXT)
1490 		audit_log_exit(context, tsk);
1491 	if (!list_empty(&context->killed_trees))
1492 		audit_kill_trees(&context->killed_trees);
1493 
1494 	audit_free_context(context);
1495 }
1496 
1497 /**
1498  * audit_syscall_entry - fill in an audit record at syscall entry
1499  * @arch: architecture type
1500  * @major: major syscall type (function)
1501  * @a1: additional syscall register 1
1502  * @a2: additional syscall register 2
1503  * @a3: additional syscall register 3
1504  * @a4: additional syscall register 4
1505  *
1506  * Fill in audit context at syscall entry.  This only happens if the
1507  * audit context was created when the task was created and the state or
1508  * filters demand the audit context be built.  If the state from the
1509  * per-task filter or from the per-syscall filter is AUDIT_RECORD_CONTEXT,
1510  * then the record will be written at syscall exit time (otherwise, it
1511  * will only be written if another part of the kernel requests that it
1512  * be written).
1513  */
1514 void __audit_syscall_entry(int arch, int major,
1515 			 unsigned long a1, unsigned long a2,
1516 			 unsigned long a3, unsigned long a4)
1517 {
1518 	struct task_struct *tsk = current;
1519 	struct audit_context *context = tsk->audit_context;
1520 	enum audit_state     state;
1521 
1522 	if (!context)
1523 		return;
1524 
1525 	BUG_ON(context->in_syscall || context->name_count);
1526 
1527 	if (!audit_enabled)
1528 		return;
1529 
1530 	context->arch	    = arch;
1531 	context->major      = major;
1532 	context->argv[0]    = a1;
1533 	context->argv[1]    = a2;
1534 	context->argv[2]    = a3;
1535 	context->argv[3]    = a4;
1536 
1537 	state = context->state;
1538 	context->dummy = !audit_n_rules;
1539 	if (!context->dummy && state == AUDIT_BUILD_CONTEXT) {
1540 		context->prio = 0;
1541 		state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_ENTRY]);
1542 	}
1543 	if (state == AUDIT_DISABLED)
1544 		return;
1545 
1546 	context->serial     = 0;
1547 	context->ctime      = CURRENT_TIME;
1548 	context->in_syscall = 1;
1549 	context->current_state  = state;
1550 	context->ppid       = 0;
1551 }
1552 
1553 /**
1554  * audit_syscall_exit - deallocate audit context after a system call
1555  * @success: success value of the syscall
1556  * @return_code: return value of the syscall
1557  *
1558  * Tear down after system call.  If the audit context has been marked as
1559  * auditable (either because of the AUDIT_RECORD_CONTEXT state from
1560  * filtering, or because some other part of the kernel wrote an audit
1561  * message), then write out the syscall information.  In call cases,
1562  * free the names stored from getname().
1563  */
1564 void __audit_syscall_exit(int success, long return_code)
1565 {
1566 	struct task_struct *tsk = current;
1567 	struct audit_context *context;
1568 
1569 	if (success)
1570 		success = AUDITSC_SUCCESS;
1571 	else
1572 		success = AUDITSC_FAILURE;
1573 
1574 	context = audit_take_context(tsk, success, return_code);
1575 	if (!context)
1576 		return;
1577 
1578 	if (context->in_syscall && context->current_state == AUDIT_RECORD_CONTEXT)
1579 		audit_log_exit(context, tsk);
1580 
1581 	context->in_syscall = 0;
1582 	context->prio = context->state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0;
1583 
1584 	if (!list_empty(&context->killed_trees))
1585 		audit_kill_trees(&context->killed_trees);
1586 
1587 	audit_free_names(context);
1588 	unroll_tree_refs(context, NULL, 0);
1589 	audit_free_aux(context);
1590 	context->aux = NULL;
1591 	context->aux_pids = NULL;
1592 	context->target_pid = 0;
1593 	context->target_sid = 0;
1594 	context->sockaddr_len = 0;
1595 	context->type = 0;
1596 	context->fds[0] = -1;
1597 	if (context->state != AUDIT_RECORD_CONTEXT) {
1598 		kfree(context->filterkey);
1599 		context->filterkey = NULL;
1600 	}
1601 	tsk->audit_context = context;
1602 }
1603 
1604 static inline void handle_one(const struct inode *inode)
1605 {
1606 #ifdef CONFIG_AUDIT_TREE
1607 	struct audit_context *context;
1608 	struct audit_tree_refs *p;
1609 	struct audit_chunk *chunk;
1610 	int count;
1611 	if (likely(hlist_empty(&inode->i_fsnotify_marks)))
1612 		return;
1613 	context = current->audit_context;
1614 	p = context->trees;
1615 	count = context->tree_count;
1616 	rcu_read_lock();
1617 	chunk = audit_tree_lookup(inode);
1618 	rcu_read_unlock();
1619 	if (!chunk)
1620 		return;
1621 	if (likely(put_tree_ref(context, chunk)))
1622 		return;
1623 	if (unlikely(!grow_tree_refs(context))) {
1624 		pr_warn("out of memory, audit has lost a tree reference\n");
1625 		audit_set_auditable(context);
1626 		audit_put_chunk(chunk);
1627 		unroll_tree_refs(context, p, count);
1628 		return;
1629 	}
1630 	put_tree_ref(context, chunk);
1631 #endif
1632 }
1633 
1634 static void handle_path(const struct dentry *dentry)
1635 {
1636 #ifdef CONFIG_AUDIT_TREE
1637 	struct audit_context *context;
1638 	struct audit_tree_refs *p;
1639 	const struct dentry *d, *parent;
1640 	struct audit_chunk *drop;
1641 	unsigned long seq;
1642 	int count;
1643 
1644 	context = current->audit_context;
1645 	p = context->trees;
1646 	count = context->tree_count;
1647 retry:
1648 	drop = NULL;
1649 	d = dentry;
1650 	rcu_read_lock();
1651 	seq = read_seqbegin(&rename_lock);
1652 	for(;;) {
1653 		struct inode *inode = d->d_inode;
1654 		if (inode && unlikely(!hlist_empty(&inode->i_fsnotify_marks))) {
1655 			struct audit_chunk *chunk;
1656 			chunk = audit_tree_lookup(inode);
1657 			if (chunk) {
1658 				if (unlikely(!put_tree_ref(context, chunk))) {
1659 					drop = chunk;
1660 					break;
1661 				}
1662 			}
1663 		}
1664 		parent = d->d_parent;
1665 		if (parent == d)
1666 			break;
1667 		d = parent;
1668 	}
1669 	if (unlikely(read_seqretry(&rename_lock, seq) || drop)) {  /* in this order */
1670 		rcu_read_unlock();
1671 		if (!drop) {
1672 			/* just a race with rename */
1673 			unroll_tree_refs(context, p, count);
1674 			goto retry;
1675 		}
1676 		audit_put_chunk(drop);
1677 		if (grow_tree_refs(context)) {
1678 			/* OK, got more space */
1679 			unroll_tree_refs(context, p, count);
1680 			goto retry;
1681 		}
1682 		/* too bad */
1683 		pr_warn("out of memory, audit has lost a tree reference\n");
1684 		unroll_tree_refs(context, p, count);
1685 		audit_set_auditable(context);
1686 		return;
1687 	}
1688 	rcu_read_unlock();
1689 #endif
1690 }
1691 
1692 static struct audit_names *audit_alloc_name(struct audit_context *context,
1693 						unsigned char type)
1694 {
1695 	struct audit_names *aname;
1696 
1697 	if (context->name_count < AUDIT_NAMES) {
1698 		aname = &context->preallocated_names[context->name_count];
1699 		memset(aname, 0, sizeof(*aname));
1700 	} else {
1701 		aname = kzalloc(sizeof(*aname), GFP_NOFS);
1702 		if (!aname)
1703 			return NULL;
1704 		aname->should_free = true;
1705 	}
1706 
1707 	aname->ino = (unsigned long)-1;
1708 	aname->type = type;
1709 	list_add_tail(&aname->list, &context->names_list);
1710 
1711 	context->name_count++;
1712 #if AUDIT_DEBUG
1713 	context->ino_count++;
1714 #endif
1715 	return aname;
1716 }
1717 
1718 /**
1719  * audit_reusename - fill out filename with info from existing entry
1720  * @uptr: userland ptr to pathname
1721  *
1722  * Search the audit_names list for the current audit context. If there is an
1723  * existing entry with a matching "uptr" then return the filename
1724  * associated with that audit_name. If not, return NULL.
1725  */
1726 struct filename *
1727 __audit_reusename(const __user char *uptr)
1728 {
1729 	struct audit_context *context = current->audit_context;
1730 	struct audit_names *n;
1731 
1732 	list_for_each_entry(n, &context->names_list, list) {
1733 		if (!n->name)
1734 			continue;
1735 		if (n->name->uptr == uptr)
1736 			return n->name;
1737 	}
1738 	return NULL;
1739 }
1740 
1741 /**
1742  * audit_getname - add a name to the list
1743  * @name: name to add
1744  *
1745  * Add a name to the list of audit names for this context.
1746  * Called from fs/namei.c:getname().
1747  */
1748 void __audit_getname(struct filename *name)
1749 {
1750 	struct audit_context *context = current->audit_context;
1751 	struct audit_names *n;
1752 
1753 	if (!context->in_syscall) {
1754 #if AUDIT_DEBUG == 2
1755 		pr_err("%s:%d(:%d): ignoring getname(%p)\n",
1756 		       __FILE__, __LINE__, context->serial, name);
1757 		dump_stack();
1758 #endif
1759 		return;
1760 	}
1761 
1762 #if AUDIT_DEBUG
1763 	/* The filename _must_ have a populated ->name */
1764 	BUG_ON(!name->name);
1765 #endif
1766 
1767 	n = audit_alloc_name(context, AUDIT_TYPE_UNKNOWN);
1768 	if (!n)
1769 		return;
1770 
1771 	n->name = name;
1772 	n->name_len = AUDIT_NAME_FULL;
1773 	n->name_put = true;
1774 	name->aname = n;
1775 
1776 	if (!context->pwd.dentry)
1777 		get_fs_pwd(current->fs, &context->pwd);
1778 }
1779 
1780 /* audit_putname - intercept a putname request
1781  * @name: name to intercept and delay for putname
1782  *
1783  * If we have stored the name from getname in the audit context,
1784  * then we delay the putname until syscall exit.
1785  * Called from include/linux/fs.h:putname().
1786  */
1787 void audit_putname(struct filename *name)
1788 {
1789 	struct audit_context *context = current->audit_context;
1790 
1791 	BUG_ON(!context);
1792 	if (!name->aname || !context->in_syscall) {
1793 #if AUDIT_DEBUG == 2
1794 		pr_err("%s:%d(:%d): final_putname(%p)\n",
1795 		       __FILE__, __LINE__, context->serial, name);
1796 		if (context->name_count) {
1797 			struct audit_names *n;
1798 			int i = 0;
1799 
1800 			list_for_each_entry(n, &context->names_list, list)
1801 				pr_err("name[%d] = %p = %s\n", i++, n->name,
1802 				       n->name->name ?: "(null)");
1803 			}
1804 #endif
1805 		final_putname(name);
1806 	}
1807 #if AUDIT_DEBUG
1808 	else {
1809 		++context->put_count;
1810 		if (context->put_count > context->name_count) {
1811 			pr_err("%s:%d(:%d): major=%d in_syscall=%d putname(%p)"
1812 			       " name_count=%d put_count=%d\n",
1813 			       __FILE__, __LINE__,
1814 			       context->serial, context->major,
1815 			       context->in_syscall, name->name,
1816 			       context->name_count, context->put_count);
1817 			dump_stack();
1818 		}
1819 	}
1820 #endif
1821 }
1822 
1823 /**
1824  * __audit_inode - store the inode and device from a lookup
1825  * @name: name being audited
1826  * @dentry: dentry being audited
1827  * @flags: attributes for this particular entry
1828  */
1829 void __audit_inode(struct filename *name, const struct dentry *dentry,
1830 		   unsigned int flags)
1831 {
1832 	struct audit_context *context = current->audit_context;
1833 	const struct inode *inode = dentry->d_inode;
1834 	struct audit_names *n;
1835 	bool parent = flags & AUDIT_INODE_PARENT;
1836 
1837 	if (!context->in_syscall)
1838 		return;
1839 
1840 	if (!name)
1841 		goto out_alloc;
1842 
1843 #if AUDIT_DEBUG
1844 	/* The struct filename _must_ have a populated ->name */
1845 	BUG_ON(!name->name);
1846 #endif
1847 	/*
1848 	 * If we have a pointer to an audit_names entry already, then we can
1849 	 * just use it directly if the type is correct.
1850 	 */
1851 	n = name->aname;
1852 	if (n) {
1853 		if (parent) {
1854 			if (n->type == AUDIT_TYPE_PARENT ||
1855 			    n->type == AUDIT_TYPE_UNKNOWN)
1856 				goto out;
1857 		} else {
1858 			if (n->type != AUDIT_TYPE_PARENT)
1859 				goto out;
1860 		}
1861 	}
1862 
1863 	list_for_each_entry_reverse(n, &context->names_list, list) {
1864 		/* does the name pointer match? */
1865 		if (!n->name || n->name->name != name->name)
1866 			continue;
1867 
1868 		/* match the correct record type */
1869 		if (parent) {
1870 			if (n->type == AUDIT_TYPE_PARENT ||
1871 			    n->type == AUDIT_TYPE_UNKNOWN)
1872 				goto out;
1873 		} else {
1874 			if (n->type != AUDIT_TYPE_PARENT)
1875 				goto out;
1876 		}
1877 	}
1878 
1879 out_alloc:
1880 	/* unable to find the name from a previous getname(). Allocate a new
1881 	 * anonymous entry.
1882 	 */
1883 	n = audit_alloc_name(context, AUDIT_TYPE_NORMAL);
1884 	if (!n)
1885 		return;
1886 out:
1887 	if (parent) {
1888 		n->name_len = n->name ? parent_len(n->name->name) : AUDIT_NAME_FULL;
1889 		n->type = AUDIT_TYPE_PARENT;
1890 		if (flags & AUDIT_INODE_HIDDEN)
1891 			n->hidden = true;
1892 	} else {
1893 		n->name_len = AUDIT_NAME_FULL;
1894 		n->type = AUDIT_TYPE_NORMAL;
1895 	}
1896 	handle_path(dentry);
1897 	audit_copy_inode(n, dentry, inode);
1898 }
1899 
1900 /**
1901  * __audit_inode_child - collect inode info for created/removed objects
1902  * @parent: inode of dentry parent
1903  * @dentry: dentry being audited
1904  * @type:   AUDIT_TYPE_* value that we're looking for
1905  *
1906  * For syscalls that create or remove filesystem objects, audit_inode
1907  * can only collect information for the filesystem object's parent.
1908  * This call updates the audit context with the child's information.
1909  * Syscalls that create a new filesystem object must be hooked after
1910  * the object is created.  Syscalls that remove a filesystem object
1911  * must be hooked prior, in order to capture the target inode during
1912  * unsuccessful attempts.
1913  */
1914 void __audit_inode_child(const struct inode *parent,
1915 			 const struct dentry *dentry,
1916 			 const unsigned char type)
1917 {
1918 	struct audit_context *context = current->audit_context;
1919 	const struct inode *inode = dentry->d_inode;
1920 	const char *dname = dentry->d_name.name;
1921 	struct audit_names *n, *found_parent = NULL, *found_child = NULL;
1922 
1923 	if (!context->in_syscall)
1924 		return;
1925 
1926 	if (inode)
1927 		handle_one(inode);
1928 
1929 	/* look for a parent entry first */
1930 	list_for_each_entry(n, &context->names_list, list) {
1931 		if (!n->name || n->type != AUDIT_TYPE_PARENT)
1932 			continue;
1933 
1934 		if (n->ino == parent->i_ino &&
1935 		    !audit_compare_dname_path(dname, n->name->name, n->name_len)) {
1936 			found_parent = n;
1937 			break;
1938 		}
1939 	}
1940 
1941 	/* is there a matching child entry? */
1942 	list_for_each_entry(n, &context->names_list, list) {
1943 		/* can only match entries that have a name */
1944 		if (!n->name || n->type != type)
1945 			continue;
1946 
1947 		/* if we found a parent, make sure this one is a child of it */
1948 		if (found_parent && (n->name != found_parent->name))
1949 			continue;
1950 
1951 		if (!strcmp(dname, n->name->name) ||
1952 		    !audit_compare_dname_path(dname, n->name->name,
1953 						found_parent ?
1954 						found_parent->name_len :
1955 						AUDIT_NAME_FULL)) {
1956 			found_child = n;
1957 			break;
1958 		}
1959 	}
1960 
1961 	if (!found_parent) {
1962 		/* create a new, "anonymous" parent record */
1963 		n = audit_alloc_name(context, AUDIT_TYPE_PARENT);
1964 		if (!n)
1965 			return;
1966 		audit_copy_inode(n, NULL, parent);
1967 	}
1968 
1969 	if (!found_child) {
1970 		found_child = audit_alloc_name(context, type);
1971 		if (!found_child)
1972 			return;
1973 
1974 		/* Re-use the name belonging to the slot for a matching parent
1975 		 * directory. All names for this context are relinquished in
1976 		 * audit_free_names() */
1977 		if (found_parent) {
1978 			found_child->name = found_parent->name;
1979 			found_child->name_len = AUDIT_NAME_FULL;
1980 			/* don't call __putname() */
1981 			found_child->name_put = false;
1982 		}
1983 	}
1984 	if (inode)
1985 		audit_copy_inode(found_child, dentry, inode);
1986 	else
1987 		found_child->ino = (unsigned long)-1;
1988 }
1989 EXPORT_SYMBOL_GPL(__audit_inode_child);
1990 
1991 /**
1992  * auditsc_get_stamp - get local copies of audit_context values
1993  * @ctx: audit_context for the task
1994  * @t: timespec to store time recorded in the audit_context
1995  * @serial: serial value that is recorded in the audit_context
1996  *
1997  * Also sets the context as auditable.
1998  */
1999 int auditsc_get_stamp(struct audit_context *ctx,
2000 		       struct timespec *t, unsigned int *serial)
2001 {
2002 	if (!ctx->in_syscall)
2003 		return 0;
2004 	if (!ctx->serial)
2005 		ctx->serial = audit_serial();
2006 	t->tv_sec  = ctx->ctime.tv_sec;
2007 	t->tv_nsec = ctx->ctime.tv_nsec;
2008 	*serial    = ctx->serial;
2009 	if (!ctx->prio) {
2010 		ctx->prio = 1;
2011 		ctx->current_state = AUDIT_RECORD_CONTEXT;
2012 	}
2013 	return 1;
2014 }
2015 
2016 /* global counter which is incremented every time something logs in */
2017 static atomic_t session_id = ATOMIC_INIT(0);
2018 
2019 static int audit_set_loginuid_perm(kuid_t loginuid)
2020 {
2021 	/* if we are unset, we don't need privs */
2022 	if (!audit_loginuid_set(current))
2023 		return 0;
2024 	/* if AUDIT_FEATURE_LOGINUID_IMMUTABLE means never ever allow a change*/
2025 	if (is_audit_feature_set(AUDIT_FEATURE_LOGINUID_IMMUTABLE))
2026 		return -EPERM;
2027 	/* it is set, you need permission */
2028 	if (!capable(CAP_AUDIT_CONTROL))
2029 		return -EPERM;
2030 	/* reject if this is not an unset and we don't allow that */
2031 	if (is_audit_feature_set(AUDIT_FEATURE_ONLY_UNSET_LOGINUID) && uid_valid(loginuid))
2032 		return -EPERM;
2033 	return 0;
2034 }
2035 
2036 static void audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid,
2037 				   unsigned int oldsessionid, unsigned int sessionid,
2038 				   int rc)
2039 {
2040 	struct audit_buffer *ab;
2041 	uid_t uid, oldloginuid, loginuid;
2042 
2043 	if (!audit_enabled)
2044 		return;
2045 
2046 	uid = from_kuid(&init_user_ns, task_uid(current));
2047 	oldloginuid = from_kuid(&init_user_ns, koldloginuid);
2048 	loginuid = from_kuid(&init_user_ns, kloginuid),
2049 
2050 	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN);
2051 	if (!ab)
2052 		return;
2053 	audit_log_format(ab, "pid=%d uid=%u", task_pid_nr(current), uid);
2054 	audit_log_task_context(ab);
2055 	audit_log_format(ab, " old-auid=%u auid=%u old-ses=%u ses=%u res=%d",
2056 			 oldloginuid, loginuid, oldsessionid, sessionid, !rc);
2057 	audit_log_end(ab);
2058 }
2059 
2060 /**
2061  * audit_set_loginuid - set current task's audit_context loginuid
2062  * @loginuid: loginuid value
2063  *
2064  * Returns 0.
2065  *
2066  * Called (set) from fs/proc/base.c::proc_loginuid_write().
2067  */
2068 int audit_set_loginuid(kuid_t loginuid)
2069 {
2070 	struct task_struct *task = current;
2071 	unsigned int oldsessionid, sessionid = (unsigned int)-1;
2072 	kuid_t oldloginuid;
2073 	int rc;
2074 
2075 	oldloginuid = audit_get_loginuid(current);
2076 	oldsessionid = audit_get_sessionid(current);
2077 
2078 	rc = audit_set_loginuid_perm(loginuid);
2079 	if (rc)
2080 		goto out;
2081 
2082 	/* are we setting or clearing? */
2083 	if (uid_valid(loginuid))
2084 		sessionid = (unsigned int)atomic_inc_return(&session_id);
2085 
2086 	task->sessionid = sessionid;
2087 	task->loginuid = loginuid;
2088 out:
2089 	audit_log_set_loginuid(oldloginuid, loginuid, oldsessionid, sessionid, rc);
2090 	return rc;
2091 }
2092 
2093 /**
2094  * __audit_mq_open - record audit data for a POSIX MQ open
2095  * @oflag: open flag
2096  * @mode: mode bits
2097  * @attr: queue attributes
2098  *
2099  */
2100 void __audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr)
2101 {
2102 	struct audit_context *context = current->audit_context;
2103 
2104 	if (attr)
2105 		memcpy(&context->mq_open.attr, attr, sizeof(struct mq_attr));
2106 	else
2107 		memset(&context->mq_open.attr, 0, sizeof(struct mq_attr));
2108 
2109 	context->mq_open.oflag = oflag;
2110 	context->mq_open.mode = mode;
2111 
2112 	context->type = AUDIT_MQ_OPEN;
2113 }
2114 
2115 /**
2116  * __audit_mq_sendrecv - record audit data for a POSIX MQ timed send/receive
2117  * @mqdes: MQ descriptor
2118  * @msg_len: Message length
2119  * @msg_prio: Message priority
2120  * @abs_timeout: Message timeout in absolute time
2121  *
2122  */
2123 void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio,
2124 			const struct timespec *abs_timeout)
2125 {
2126 	struct audit_context *context = current->audit_context;
2127 	struct timespec *p = &context->mq_sendrecv.abs_timeout;
2128 
2129 	if (abs_timeout)
2130 		memcpy(p, abs_timeout, sizeof(struct timespec));
2131 	else
2132 		memset(p, 0, sizeof(struct timespec));
2133 
2134 	context->mq_sendrecv.mqdes = mqdes;
2135 	context->mq_sendrecv.msg_len = msg_len;
2136 	context->mq_sendrecv.msg_prio = msg_prio;
2137 
2138 	context->type = AUDIT_MQ_SENDRECV;
2139 }
2140 
2141 /**
2142  * __audit_mq_notify - record audit data for a POSIX MQ notify
2143  * @mqdes: MQ descriptor
2144  * @notification: Notification event
2145  *
2146  */
2147 
2148 void __audit_mq_notify(mqd_t mqdes, const struct sigevent *notification)
2149 {
2150 	struct audit_context *context = current->audit_context;
2151 
2152 	if (notification)
2153 		context->mq_notify.sigev_signo = notification->sigev_signo;
2154 	else
2155 		context->mq_notify.sigev_signo = 0;
2156 
2157 	context->mq_notify.mqdes = mqdes;
2158 	context->type = AUDIT_MQ_NOTIFY;
2159 }
2160 
2161 /**
2162  * __audit_mq_getsetattr - record audit data for a POSIX MQ get/set attribute
2163  * @mqdes: MQ descriptor
2164  * @mqstat: MQ flags
2165  *
2166  */
2167 void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat)
2168 {
2169 	struct audit_context *context = current->audit_context;
2170 	context->mq_getsetattr.mqdes = mqdes;
2171 	context->mq_getsetattr.mqstat = *mqstat;
2172 	context->type = AUDIT_MQ_GETSETATTR;
2173 }
2174 
2175 /**
2176  * audit_ipc_obj - record audit data for ipc object
2177  * @ipcp: ipc permissions
2178  *
2179  */
2180 void __audit_ipc_obj(struct kern_ipc_perm *ipcp)
2181 {
2182 	struct audit_context *context = current->audit_context;
2183 	context->ipc.uid = ipcp->uid;
2184 	context->ipc.gid = ipcp->gid;
2185 	context->ipc.mode = ipcp->mode;
2186 	context->ipc.has_perm = 0;
2187 	security_ipc_getsecid(ipcp, &context->ipc.osid);
2188 	context->type = AUDIT_IPC;
2189 }
2190 
2191 /**
2192  * audit_ipc_set_perm - record audit data for new ipc permissions
2193  * @qbytes: msgq bytes
2194  * @uid: msgq user id
2195  * @gid: msgq group id
2196  * @mode: msgq mode (permissions)
2197  *
2198  * Called only after audit_ipc_obj().
2199  */
2200 void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode)
2201 {
2202 	struct audit_context *context = current->audit_context;
2203 
2204 	context->ipc.qbytes = qbytes;
2205 	context->ipc.perm_uid = uid;
2206 	context->ipc.perm_gid = gid;
2207 	context->ipc.perm_mode = mode;
2208 	context->ipc.has_perm = 1;
2209 }
2210 
2211 void __audit_bprm(struct linux_binprm *bprm)
2212 {
2213 	struct audit_context *context = current->audit_context;
2214 
2215 	context->type = AUDIT_EXECVE;
2216 	context->execve.argc = bprm->argc;
2217 }
2218 
2219 
2220 /**
2221  * audit_socketcall - record audit data for sys_socketcall
2222  * @nargs: number of args, which should not be more than AUDITSC_ARGS.
2223  * @args: args array
2224  *
2225  */
2226 int __audit_socketcall(int nargs, unsigned long *args)
2227 {
2228 	struct audit_context *context = current->audit_context;
2229 
2230 	if (nargs <= 0 || nargs > AUDITSC_ARGS || !args)
2231 		return -EINVAL;
2232 	context->type = AUDIT_SOCKETCALL;
2233 	context->socketcall.nargs = nargs;
2234 	memcpy(context->socketcall.args, args, nargs * sizeof(unsigned long));
2235 	return 0;
2236 }
2237 
2238 /**
2239  * __audit_fd_pair - record audit data for pipe and socketpair
2240  * @fd1: the first file descriptor
2241  * @fd2: the second file descriptor
2242  *
2243  */
2244 void __audit_fd_pair(int fd1, int fd2)
2245 {
2246 	struct audit_context *context = current->audit_context;
2247 	context->fds[0] = fd1;
2248 	context->fds[1] = fd2;
2249 }
2250 
2251 /**
2252  * audit_sockaddr - record audit data for sys_bind, sys_connect, sys_sendto
2253  * @len: data length in user space
2254  * @a: data address in kernel space
2255  *
2256  * Returns 0 for success or NULL context or < 0 on error.
2257  */
2258 int __audit_sockaddr(int len, void *a)
2259 {
2260 	struct audit_context *context = current->audit_context;
2261 
2262 	if (!context->sockaddr) {
2263 		void *p = kmalloc(sizeof(struct sockaddr_storage), GFP_KERNEL);
2264 		if (!p)
2265 			return -ENOMEM;
2266 		context->sockaddr = p;
2267 	}
2268 
2269 	context->sockaddr_len = len;
2270 	memcpy(context->sockaddr, a, len);
2271 	return 0;
2272 }
2273 
2274 void __audit_ptrace(struct task_struct *t)
2275 {
2276 	struct audit_context *context = current->audit_context;
2277 
2278 	context->target_pid = task_pid_nr(t);
2279 	context->target_auid = audit_get_loginuid(t);
2280 	context->target_uid = task_uid(t);
2281 	context->target_sessionid = audit_get_sessionid(t);
2282 	security_task_getsecid(t, &context->target_sid);
2283 	memcpy(context->target_comm, t->comm, TASK_COMM_LEN);
2284 }
2285 
2286 /**
2287  * audit_signal_info - record signal info for shutting down audit subsystem
2288  * @sig: signal value
2289  * @t: task being signaled
2290  *
2291  * If the audit subsystem is being terminated, record the task (pid)
2292  * and uid that is doing that.
2293  */
2294 int __audit_signal_info(int sig, struct task_struct *t)
2295 {
2296 	struct audit_aux_data_pids *axp;
2297 	struct task_struct *tsk = current;
2298 	struct audit_context *ctx = tsk->audit_context;
2299 	kuid_t uid = current_uid(), t_uid = task_uid(t);
2300 
2301 	if (audit_pid && t->tgid == audit_pid) {
2302 		if (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1 || sig == SIGUSR2) {
2303 			audit_sig_pid = task_pid_nr(tsk);
2304 			if (uid_valid(tsk->loginuid))
2305 				audit_sig_uid = tsk->loginuid;
2306 			else
2307 				audit_sig_uid = uid;
2308 			security_task_getsecid(tsk, &audit_sig_sid);
2309 		}
2310 		if (!audit_signals || audit_dummy_context())
2311 			return 0;
2312 	}
2313 
2314 	/* optimize the common case by putting first signal recipient directly
2315 	 * in audit_context */
2316 	if (!ctx->target_pid) {
2317 		ctx->target_pid = task_tgid_nr(t);
2318 		ctx->target_auid = audit_get_loginuid(t);
2319 		ctx->target_uid = t_uid;
2320 		ctx->target_sessionid = audit_get_sessionid(t);
2321 		security_task_getsecid(t, &ctx->target_sid);
2322 		memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN);
2323 		return 0;
2324 	}
2325 
2326 	axp = (void *)ctx->aux_pids;
2327 	if (!axp || axp->pid_count == AUDIT_AUX_PIDS) {
2328 		axp = kzalloc(sizeof(*axp), GFP_ATOMIC);
2329 		if (!axp)
2330 			return -ENOMEM;
2331 
2332 		axp->d.type = AUDIT_OBJ_PID;
2333 		axp->d.next = ctx->aux_pids;
2334 		ctx->aux_pids = (void *)axp;
2335 	}
2336 	BUG_ON(axp->pid_count >= AUDIT_AUX_PIDS);
2337 
2338 	axp->target_pid[axp->pid_count] = task_tgid_nr(t);
2339 	axp->target_auid[axp->pid_count] = audit_get_loginuid(t);
2340 	axp->target_uid[axp->pid_count] = t_uid;
2341 	axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t);
2342 	security_task_getsecid(t, &axp->target_sid[axp->pid_count]);
2343 	memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN);
2344 	axp->pid_count++;
2345 
2346 	return 0;
2347 }
2348 
2349 /**
2350  * __audit_log_bprm_fcaps - store information about a loading bprm and relevant fcaps
2351  * @bprm: pointer to the bprm being processed
2352  * @new: the proposed new credentials
2353  * @old: the old credentials
2354  *
2355  * Simply check if the proc already has the caps given by the file and if not
2356  * store the priv escalation info for later auditing at the end of the syscall
2357  *
2358  * -Eric
2359  */
2360 int __audit_log_bprm_fcaps(struct linux_binprm *bprm,
2361 			   const struct cred *new, const struct cred *old)
2362 {
2363 	struct audit_aux_data_bprm_fcaps *ax;
2364 	struct audit_context *context = current->audit_context;
2365 	struct cpu_vfs_cap_data vcaps;
2366 	struct dentry *dentry;
2367 
2368 	ax = kmalloc(sizeof(*ax), GFP_KERNEL);
2369 	if (!ax)
2370 		return -ENOMEM;
2371 
2372 	ax->d.type = AUDIT_BPRM_FCAPS;
2373 	ax->d.next = context->aux;
2374 	context->aux = (void *)ax;
2375 
2376 	dentry = dget(bprm->file->f_dentry);
2377 	get_vfs_caps_from_disk(dentry, &vcaps);
2378 	dput(dentry);
2379 
2380 	ax->fcap.permitted = vcaps.permitted;
2381 	ax->fcap.inheritable = vcaps.inheritable;
2382 	ax->fcap.fE = !!(vcaps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE);
2383 	ax->fcap_ver = (vcaps.magic_etc & VFS_CAP_REVISION_MASK) >> VFS_CAP_REVISION_SHIFT;
2384 
2385 	ax->old_pcap.permitted   = old->cap_permitted;
2386 	ax->old_pcap.inheritable = old->cap_inheritable;
2387 	ax->old_pcap.effective   = old->cap_effective;
2388 
2389 	ax->new_pcap.permitted   = new->cap_permitted;
2390 	ax->new_pcap.inheritable = new->cap_inheritable;
2391 	ax->new_pcap.effective   = new->cap_effective;
2392 	return 0;
2393 }
2394 
2395 /**
2396  * __audit_log_capset - store information about the arguments to the capset syscall
2397  * @new: the new credentials
2398  * @old: the old (current) credentials
2399  *
2400  * Record the aguments userspace sent to sys_capset for later printing by the
2401  * audit system if applicable
2402  */
2403 void __audit_log_capset(const struct cred *new, const struct cred *old)
2404 {
2405 	struct audit_context *context = current->audit_context;
2406 	context->capset.pid = task_pid_nr(current);
2407 	context->capset.cap.effective   = new->cap_effective;
2408 	context->capset.cap.inheritable = new->cap_effective;
2409 	context->capset.cap.permitted   = new->cap_permitted;
2410 	context->type = AUDIT_CAPSET;
2411 }
2412 
2413 void __audit_mmap_fd(int fd, int flags)
2414 {
2415 	struct audit_context *context = current->audit_context;
2416 	context->mmap.fd = fd;
2417 	context->mmap.flags = flags;
2418 	context->type = AUDIT_MMAP;
2419 }
2420 
2421 static void audit_log_task(struct audit_buffer *ab)
2422 {
2423 	kuid_t auid, uid;
2424 	kgid_t gid;
2425 	unsigned int sessionid;
2426 	struct mm_struct *mm = current->mm;
2427 
2428 	auid = audit_get_loginuid(current);
2429 	sessionid = audit_get_sessionid(current);
2430 	current_uid_gid(&uid, &gid);
2431 
2432 	audit_log_format(ab, "auid=%u uid=%u gid=%u ses=%u",
2433 			 from_kuid(&init_user_ns, auid),
2434 			 from_kuid(&init_user_ns, uid),
2435 			 from_kgid(&init_user_ns, gid),
2436 			 sessionid);
2437 	audit_log_task_context(ab);
2438 	audit_log_format(ab, " pid=%d comm=", task_pid_nr(current));
2439 	audit_log_untrustedstring(ab, current->comm);
2440 	if (mm) {
2441 		down_read(&mm->mmap_sem);
2442 		if (mm->exe_file)
2443 			audit_log_d_path(ab, " exe=", &mm->exe_file->f_path);
2444 		up_read(&mm->mmap_sem);
2445 	} else
2446 		audit_log_format(ab, " exe=(null)");
2447 }
2448 
2449 /**
2450  * audit_core_dumps - record information about processes that end abnormally
2451  * @signr: signal value
2452  *
2453  * If a process ends with a core dump, something fishy is going on and we
2454  * should record the event for investigation.
2455  */
2456 void audit_core_dumps(long signr)
2457 {
2458 	struct audit_buffer *ab;
2459 
2460 	if (!audit_enabled)
2461 		return;
2462 
2463 	if (signr == SIGQUIT)	/* don't care for those */
2464 		return;
2465 
2466 	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
2467 	if (unlikely(!ab))
2468 		return;
2469 	audit_log_task(ab);
2470 	audit_log_format(ab, " sig=%ld", signr);
2471 	audit_log_end(ab);
2472 }
2473 
2474 void __audit_seccomp(unsigned long syscall, long signr, int code)
2475 {
2476 	struct audit_buffer *ab;
2477 
2478 	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_SECCOMP);
2479 	if (unlikely(!ab))
2480 		return;
2481 	audit_log_task(ab);
2482 	audit_log_format(ab, " sig=%ld", signr);
2483 	audit_log_format(ab, " syscall=%ld", syscall);
2484 	audit_log_format(ab, " compat=%d", is_compat_task());
2485 	audit_log_format(ab, " ip=0x%lx", KSTK_EIP(current));
2486 	audit_log_format(ab, " code=0x%x", code);
2487 	audit_log_end(ab);
2488 }
2489 
2490 struct list_head *audit_killed_trees(void)
2491 {
2492 	struct audit_context *ctx = current->audit_context;
2493 	if (likely(!ctx || !ctx->in_syscall))
2494 		return NULL;
2495 	return &ctx->killed_trees;
2496 }
2497