1 /* auditsc.c -- System-call auditing support 2 * Handles all system-call specific auditing features. 3 * 4 * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina. 5 * Copyright 2005 Hewlett-Packard Development Company, L.P. 6 * Copyright (C) 2005, 2006 IBM Corporation 7 * All Rights Reserved. 8 * 9 * This program is free software; you can redistribute it and/or modify 10 * it under the terms of the GNU General Public License as published by 11 * the Free Software Foundation; either version 2 of the License, or 12 * (at your option) any later version. 13 * 14 * This program is distributed in the hope that it will be useful, 15 * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 * GNU General Public License for more details. 18 * 19 * You should have received a copy of the GNU General Public License 20 * along with this program; if not, write to the Free Software 21 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 22 * 23 * Written by Rickard E. (Rik) Faith <faith@redhat.com> 24 * 25 * Many of the ideas implemented here are from Stephen C. Tweedie, 26 * especially the idea of avoiding a copy by using getname. 27 * 28 * The method for actual interception of syscall entry and exit (not in 29 * this file -- see entry.S) is based on a GPL'd patch written by 30 * okir@suse.de and Copyright 2003 SuSE Linux AG. 31 * 32 * POSIX message queue support added by George Wilson <ltcgcw@us.ibm.com>, 33 * 2006. 34 * 35 * The support of additional filter rules compares (>, <, >=, <=) was 36 * added by Dustin Kirkland <dustin.kirkland@us.ibm.com>, 2005. 37 * 38 * Modified by Amy Griffis <amy.griffis@hp.com> to collect additional 39 * filesystem information. 40 * 41 * Subject and object context labeling support added by <danjones@us.ibm.com> 42 * and <dustin.kirkland@us.ibm.com> for LSPP certification compliance. 43 */ 44 45 #include <linux/init.h> 46 #include <asm/types.h> 47 #include <asm/atomic.h> 48 #include <asm/types.h> 49 #include <linux/fs.h> 50 #include <linux/namei.h> 51 #include <linux/mm.h> 52 #include <linux/module.h> 53 #include <linux/mount.h> 54 #include <linux/socket.h> 55 #include <linux/mqueue.h> 56 #include <linux/audit.h> 57 #include <linux/personality.h> 58 #include <linux/time.h> 59 #include <linux/netlink.h> 60 #include <linux/compiler.h> 61 #include <asm/unistd.h> 62 #include <linux/security.h> 63 #include <linux/list.h> 64 #include <linux/tty.h> 65 #include <linux/selinux.h> 66 #include <linux/binfmts.h> 67 #include <linux/highmem.h> 68 #include <linux/syscalls.h> 69 70 #include "audit.h" 71 72 extern struct list_head audit_filter_list[]; 73 74 /* AUDIT_NAMES is the number of slots we reserve in the audit_context 75 * for saving names from getname(). */ 76 #define AUDIT_NAMES 20 77 78 /* Indicates that audit should log the full pathname. */ 79 #define AUDIT_NAME_FULL -1 80 81 /* number of audit rules */ 82 int audit_n_rules; 83 84 /* determines whether we collect data for signals sent */ 85 int audit_signals; 86 87 /* When fs/namei.c:getname() is called, we store the pointer in name and 88 * we don't let putname() free it (instead we free all of the saved 89 * pointers at syscall exit time). 90 * 91 * Further, in fs/namei.c:path_lookup() we store the inode and device. */ 92 struct audit_names { 93 const char *name; 94 int name_len; /* number of name's characters to log */ 95 unsigned name_put; /* call __putname() for this name */ 96 unsigned long ino; 97 dev_t dev; 98 umode_t mode; 99 uid_t uid; 100 gid_t gid; 101 dev_t rdev; 102 u32 osid; 103 }; 104 105 struct audit_aux_data { 106 struct audit_aux_data *next; 107 int type; 108 }; 109 110 #define AUDIT_AUX_IPCPERM 0 111 112 /* Number of target pids per aux struct. */ 113 #define AUDIT_AUX_PIDS 16 114 115 struct audit_aux_data_mq_open { 116 struct audit_aux_data d; 117 int oflag; 118 mode_t mode; 119 struct mq_attr attr; 120 }; 121 122 struct audit_aux_data_mq_sendrecv { 123 struct audit_aux_data d; 124 mqd_t mqdes; 125 size_t msg_len; 126 unsigned int msg_prio; 127 struct timespec abs_timeout; 128 }; 129 130 struct audit_aux_data_mq_notify { 131 struct audit_aux_data d; 132 mqd_t mqdes; 133 struct sigevent notification; 134 }; 135 136 struct audit_aux_data_mq_getsetattr { 137 struct audit_aux_data d; 138 mqd_t mqdes; 139 struct mq_attr mqstat; 140 }; 141 142 struct audit_aux_data_ipcctl { 143 struct audit_aux_data d; 144 struct ipc_perm p; 145 unsigned long qbytes; 146 uid_t uid; 147 gid_t gid; 148 mode_t mode; 149 u32 osid; 150 }; 151 152 struct audit_aux_data_execve { 153 struct audit_aux_data d; 154 int argc; 155 int envc; 156 struct mm_struct *mm; 157 }; 158 159 struct audit_aux_data_socketcall { 160 struct audit_aux_data d; 161 int nargs; 162 unsigned long args[0]; 163 }; 164 165 struct audit_aux_data_sockaddr { 166 struct audit_aux_data d; 167 int len; 168 char a[0]; 169 }; 170 171 struct audit_aux_data_fd_pair { 172 struct audit_aux_data d; 173 int fd[2]; 174 }; 175 176 struct audit_aux_data_pids { 177 struct audit_aux_data d; 178 pid_t target_pid[AUDIT_AUX_PIDS]; 179 u32 target_sid[AUDIT_AUX_PIDS]; 180 int pid_count; 181 }; 182 183 /* The per-task audit context. */ 184 struct audit_context { 185 int dummy; /* must be the first element */ 186 int in_syscall; /* 1 if task is in a syscall */ 187 enum audit_state state; 188 unsigned int serial; /* serial number for record */ 189 struct timespec ctime; /* time of syscall entry */ 190 uid_t loginuid; /* login uid (identity) */ 191 int major; /* syscall number */ 192 unsigned long argv[4]; /* syscall arguments */ 193 int return_valid; /* return code is valid */ 194 long return_code;/* syscall return code */ 195 int auditable; /* 1 if record should be written */ 196 int name_count; 197 struct audit_names names[AUDIT_NAMES]; 198 char * filterkey; /* key for rule that triggered record */ 199 struct dentry * pwd; 200 struct vfsmount * pwdmnt; 201 struct audit_context *previous; /* For nested syscalls */ 202 struct audit_aux_data *aux; 203 struct audit_aux_data *aux_pids; 204 205 /* Save things to print about task_struct */ 206 pid_t pid, ppid; 207 uid_t uid, euid, suid, fsuid; 208 gid_t gid, egid, sgid, fsgid; 209 unsigned long personality; 210 int arch; 211 212 pid_t target_pid; 213 u32 target_sid; 214 215 #if AUDIT_DEBUG 216 int put_count; 217 int ino_count; 218 #endif 219 }; 220 221 #define ACC_MODE(x) ("\004\002\006\006"[(x)&O_ACCMODE]) 222 static inline int open_arg(int flags, int mask) 223 { 224 int n = ACC_MODE(flags); 225 if (flags & (O_TRUNC | O_CREAT)) 226 n |= AUDIT_PERM_WRITE; 227 return n & mask; 228 } 229 230 static int audit_match_perm(struct audit_context *ctx, int mask) 231 { 232 unsigned n = ctx->major; 233 switch (audit_classify_syscall(ctx->arch, n)) { 234 case 0: /* native */ 235 if ((mask & AUDIT_PERM_WRITE) && 236 audit_match_class(AUDIT_CLASS_WRITE, n)) 237 return 1; 238 if ((mask & AUDIT_PERM_READ) && 239 audit_match_class(AUDIT_CLASS_READ, n)) 240 return 1; 241 if ((mask & AUDIT_PERM_ATTR) && 242 audit_match_class(AUDIT_CLASS_CHATTR, n)) 243 return 1; 244 return 0; 245 case 1: /* 32bit on biarch */ 246 if ((mask & AUDIT_PERM_WRITE) && 247 audit_match_class(AUDIT_CLASS_WRITE_32, n)) 248 return 1; 249 if ((mask & AUDIT_PERM_READ) && 250 audit_match_class(AUDIT_CLASS_READ_32, n)) 251 return 1; 252 if ((mask & AUDIT_PERM_ATTR) && 253 audit_match_class(AUDIT_CLASS_CHATTR_32, n)) 254 return 1; 255 return 0; 256 case 2: /* open */ 257 return mask & ACC_MODE(ctx->argv[1]); 258 case 3: /* openat */ 259 return mask & ACC_MODE(ctx->argv[2]); 260 case 4: /* socketcall */ 261 return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND); 262 case 5: /* execve */ 263 return mask & AUDIT_PERM_EXEC; 264 default: 265 return 0; 266 } 267 } 268 269 /* Determine if any context name data matches a rule's watch data */ 270 /* Compare a task_struct with an audit_rule. Return 1 on match, 0 271 * otherwise. */ 272 static int audit_filter_rules(struct task_struct *tsk, 273 struct audit_krule *rule, 274 struct audit_context *ctx, 275 struct audit_names *name, 276 enum audit_state *state) 277 { 278 int i, j, need_sid = 1; 279 u32 sid; 280 281 for (i = 0; i < rule->field_count; i++) { 282 struct audit_field *f = &rule->fields[i]; 283 int result = 0; 284 285 switch (f->type) { 286 case AUDIT_PID: 287 result = audit_comparator(tsk->pid, f->op, f->val); 288 break; 289 case AUDIT_PPID: 290 if (ctx) { 291 if (!ctx->ppid) 292 ctx->ppid = sys_getppid(); 293 result = audit_comparator(ctx->ppid, f->op, f->val); 294 } 295 break; 296 case AUDIT_UID: 297 result = audit_comparator(tsk->uid, f->op, f->val); 298 break; 299 case AUDIT_EUID: 300 result = audit_comparator(tsk->euid, f->op, f->val); 301 break; 302 case AUDIT_SUID: 303 result = audit_comparator(tsk->suid, f->op, f->val); 304 break; 305 case AUDIT_FSUID: 306 result = audit_comparator(tsk->fsuid, f->op, f->val); 307 break; 308 case AUDIT_GID: 309 result = audit_comparator(tsk->gid, f->op, f->val); 310 break; 311 case AUDIT_EGID: 312 result = audit_comparator(tsk->egid, f->op, f->val); 313 break; 314 case AUDIT_SGID: 315 result = audit_comparator(tsk->sgid, f->op, f->val); 316 break; 317 case AUDIT_FSGID: 318 result = audit_comparator(tsk->fsgid, f->op, f->val); 319 break; 320 case AUDIT_PERS: 321 result = audit_comparator(tsk->personality, f->op, f->val); 322 break; 323 case AUDIT_ARCH: 324 if (ctx) 325 result = audit_comparator(ctx->arch, f->op, f->val); 326 break; 327 328 case AUDIT_EXIT: 329 if (ctx && ctx->return_valid) 330 result = audit_comparator(ctx->return_code, f->op, f->val); 331 break; 332 case AUDIT_SUCCESS: 333 if (ctx && ctx->return_valid) { 334 if (f->val) 335 result = audit_comparator(ctx->return_valid, f->op, AUDITSC_SUCCESS); 336 else 337 result = audit_comparator(ctx->return_valid, f->op, AUDITSC_FAILURE); 338 } 339 break; 340 case AUDIT_DEVMAJOR: 341 if (name) 342 result = audit_comparator(MAJOR(name->dev), 343 f->op, f->val); 344 else if (ctx) { 345 for (j = 0; j < ctx->name_count; j++) { 346 if (audit_comparator(MAJOR(ctx->names[j].dev), f->op, f->val)) { 347 ++result; 348 break; 349 } 350 } 351 } 352 break; 353 case AUDIT_DEVMINOR: 354 if (name) 355 result = audit_comparator(MINOR(name->dev), 356 f->op, f->val); 357 else if (ctx) { 358 for (j = 0; j < ctx->name_count; j++) { 359 if (audit_comparator(MINOR(ctx->names[j].dev), f->op, f->val)) { 360 ++result; 361 break; 362 } 363 } 364 } 365 break; 366 case AUDIT_INODE: 367 if (name) 368 result = (name->ino == f->val); 369 else if (ctx) { 370 for (j = 0; j < ctx->name_count; j++) { 371 if (audit_comparator(ctx->names[j].ino, f->op, f->val)) { 372 ++result; 373 break; 374 } 375 } 376 } 377 break; 378 case AUDIT_WATCH: 379 if (name && rule->watch->ino != (unsigned long)-1) 380 result = (name->dev == rule->watch->dev && 381 name->ino == rule->watch->ino); 382 break; 383 case AUDIT_LOGINUID: 384 result = 0; 385 if (ctx) 386 result = audit_comparator(ctx->loginuid, f->op, f->val); 387 break; 388 case AUDIT_SUBJ_USER: 389 case AUDIT_SUBJ_ROLE: 390 case AUDIT_SUBJ_TYPE: 391 case AUDIT_SUBJ_SEN: 392 case AUDIT_SUBJ_CLR: 393 /* NOTE: this may return negative values indicating 394 a temporary error. We simply treat this as a 395 match for now to avoid losing information that 396 may be wanted. An error message will also be 397 logged upon error */ 398 if (f->se_rule) { 399 if (need_sid) { 400 selinux_get_task_sid(tsk, &sid); 401 need_sid = 0; 402 } 403 result = selinux_audit_rule_match(sid, f->type, 404 f->op, 405 f->se_rule, 406 ctx); 407 } 408 break; 409 case AUDIT_OBJ_USER: 410 case AUDIT_OBJ_ROLE: 411 case AUDIT_OBJ_TYPE: 412 case AUDIT_OBJ_LEV_LOW: 413 case AUDIT_OBJ_LEV_HIGH: 414 /* The above note for AUDIT_SUBJ_USER...AUDIT_SUBJ_CLR 415 also applies here */ 416 if (f->se_rule) { 417 /* Find files that match */ 418 if (name) { 419 result = selinux_audit_rule_match( 420 name->osid, f->type, f->op, 421 f->se_rule, ctx); 422 } else if (ctx) { 423 for (j = 0; j < ctx->name_count; j++) { 424 if (selinux_audit_rule_match( 425 ctx->names[j].osid, 426 f->type, f->op, 427 f->se_rule, ctx)) { 428 ++result; 429 break; 430 } 431 } 432 } 433 /* Find ipc objects that match */ 434 if (ctx) { 435 struct audit_aux_data *aux; 436 for (aux = ctx->aux; aux; 437 aux = aux->next) { 438 if (aux->type == AUDIT_IPC) { 439 struct audit_aux_data_ipcctl *axi = (void *)aux; 440 if (selinux_audit_rule_match(axi->osid, f->type, f->op, f->se_rule, ctx)) { 441 ++result; 442 break; 443 } 444 } 445 } 446 } 447 } 448 break; 449 case AUDIT_ARG0: 450 case AUDIT_ARG1: 451 case AUDIT_ARG2: 452 case AUDIT_ARG3: 453 if (ctx) 454 result = audit_comparator(ctx->argv[f->type-AUDIT_ARG0], f->op, f->val); 455 break; 456 case AUDIT_FILTERKEY: 457 /* ignore this field for filtering */ 458 result = 1; 459 break; 460 case AUDIT_PERM: 461 result = audit_match_perm(ctx, f->val); 462 break; 463 } 464 465 if (!result) 466 return 0; 467 } 468 if (rule->filterkey) 469 ctx->filterkey = kstrdup(rule->filterkey, GFP_ATOMIC); 470 switch (rule->action) { 471 case AUDIT_NEVER: *state = AUDIT_DISABLED; break; 472 case AUDIT_ALWAYS: *state = AUDIT_RECORD_CONTEXT; break; 473 } 474 return 1; 475 } 476 477 /* At process creation time, we can determine if system-call auditing is 478 * completely disabled for this task. Since we only have the task 479 * structure at this point, we can only check uid and gid. 480 */ 481 static enum audit_state audit_filter_task(struct task_struct *tsk) 482 { 483 struct audit_entry *e; 484 enum audit_state state; 485 486 rcu_read_lock(); 487 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TASK], list) { 488 if (audit_filter_rules(tsk, &e->rule, NULL, NULL, &state)) { 489 rcu_read_unlock(); 490 return state; 491 } 492 } 493 rcu_read_unlock(); 494 return AUDIT_BUILD_CONTEXT; 495 } 496 497 /* At syscall entry and exit time, this filter is called if the 498 * audit_state is not low enough that auditing cannot take place, but is 499 * also not high enough that we already know we have to write an audit 500 * record (i.e., the state is AUDIT_SETUP_CONTEXT or AUDIT_BUILD_CONTEXT). 501 */ 502 static enum audit_state audit_filter_syscall(struct task_struct *tsk, 503 struct audit_context *ctx, 504 struct list_head *list) 505 { 506 struct audit_entry *e; 507 enum audit_state state; 508 509 if (audit_pid && tsk->tgid == audit_pid) 510 return AUDIT_DISABLED; 511 512 rcu_read_lock(); 513 if (!list_empty(list)) { 514 int word = AUDIT_WORD(ctx->major); 515 int bit = AUDIT_BIT(ctx->major); 516 517 list_for_each_entry_rcu(e, list, list) { 518 if ((e->rule.mask[word] & bit) == bit && 519 audit_filter_rules(tsk, &e->rule, ctx, NULL, 520 &state)) { 521 rcu_read_unlock(); 522 return state; 523 } 524 } 525 } 526 rcu_read_unlock(); 527 return AUDIT_BUILD_CONTEXT; 528 } 529 530 /* At syscall exit time, this filter is called if any audit_names[] have been 531 * collected during syscall processing. We only check rules in sublists at hash 532 * buckets applicable to the inode numbers in audit_names[]. 533 * Regarding audit_state, same rules apply as for audit_filter_syscall(). 534 */ 535 enum audit_state audit_filter_inodes(struct task_struct *tsk, 536 struct audit_context *ctx) 537 { 538 int i; 539 struct audit_entry *e; 540 enum audit_state state; 541 542 if (audit_pid && tsk->tgid == audit_pid) 543 return AUDIT_DISABLED; 544 545 rcu_read_lock(); 546 for (i = 0; i < ctx->name_count; i++) { 547 int word = AUDIT_WORD(ctx->major); 548 int bit = AUDIT_BIT(ctx->major); 549 struct audit_names *n = &ctx->names[i]; 550 int h = audit_hash_ino((u32)n->ino); 551 struct list_head *list = &audit_inode_hash[h]; 552 553 if (list_empty(list)) 554 continue; 555 556 list_for_each_entry_rcu(e, list, list) { 557 if ((e->rule.mask[word] & bit) == bit && 558 audit_filter_rules(tsk, &e->rule, ctx, n, &state)) { 559 rcu_read_unlock(); 560 return state; 561 } 562 } 563 } 564 rcu_read_unlock(); 565 return AUDIT_BUILD_CONTEXT; 566 } 567 568 void audit_set_auditable(struct audit_context *ctx) 569 { 570 ctx->auditable = 1; 571 } 572 573 static inline struct audit_context *audit_get_context(struct task_struct *tsk, 574 int return_valid, 575 int return_code) 576 { 577 struct audit_context *context = tsk->audit_context; 578 579 if (likely(!context)) 580 return NULL; 581 context->return_valid = return_valid; 582 context->return_code = return_code; 583 584 if (context->in_syscall && !context->dummy && !context->auditable) { 585 enum audit_state state; 586 587 state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_EXIT]); 588 if (state == AUDIT_RECORD_CONTEXT) { 589 context->auditable = 1; 590 goto get_context; 591 } 592 593 state = audit_filter_inodes(tsk, context); 594 if (state == AUDIT_RECORD_CONTEXT) 595 context->auditable = 1; 596 597 } 598 599 get_context: 600 601 tsk->audit_context = NULL; 602 return context; 603 } 604 605 static inline void audit_free_names(struct audit_context *context) 606 { 607 int i; 608 609 #if AUDIT_DEBUG == 2 610 if (context->auditable 611 ||context->put_count + context->ino_count != context->name_count) { 612 printk(KERN_ERR "%s:%d(:%d): major=%d in_syscall=%d" 613 " name_count=%d put_count=%d" 614 " ino_count=%d [NOT freeing]\n", 615 __FILE__, __LINE__, 616 context->serial, context->major, context->in_syscall, 617 context->name_count, context->put_count, 618 context->ino_count); 619 for (i = 0; i < context->name_count; i++) { 620 printk(KERN_ERR "names[%d] = %p = %s\n", i, 621 context->names[i].name, 622 context->names[i].name ?: "(null)"); 623 } 624 dump_stack(); 625 return; 626 } 627 #endif 628 #if AUDIT_DEBUG 629 context->put_count = 0; 630 context->ino_count = 0; 631 #endif 632 633 for (i = 0; i < context->name_count; i++) { 634 if (context->names[i].name && context->names[i].name_put) 635 __putname(context->names[i].name); 636 } 637 context->name_count = 0; 638 if (context->pwd) 639 dput(context->pwd); 640 if (context->pwdmnt) 641 mntput(context->pwdmnt); 642 context->pwd = NULL; 643 context->pwdmnt = NULL; 644 } 645 646 static inline void audit_free_aux(struct audit_context *context) 647 { 648 struct audit_aux_data *aux; 649 650 while ((aux = context->aux)) { 651 context->aux = aux->next; 652 kfree(aux); 653 } 654 while ((aux = context->aux_pids)) { 655 context->aux_pids = aux->next; 656 kfree(aux); 657 } 658 } 659 660 static inline void audit_zero_context(struct audit_context *context, 661 enum audit_state state) 662 { 663 uid_t loginuid = context->loginuid; 664 665 memset(context, 0, sizeof(*context)); 666 context->state = state; 667 context->loginuid = loginuid; 668 } 669 670 static inline struct audit_context *audit_alloc_context(enum audit_state state) 671 { 672 struct audit_context *context; 673 674 if (!(context = kmalloc(sizeof(*context), GFP_KERNEL))) 675 return NULL; 676 audit_zero_context(context, state); 677 return context; 678 } 679 680 /** 681 * audit_alloc - allocate an audit context block for a task 682 * @tsk: task 683 * 684 * Filter on the task information and allocate a per-task audit context 685 * if necessary. Doing so turns on system call auditing for the 686 * specified task. This is called from copy_process, so no lock is 687 * needed. 688 */ 689 int audit_alloc(struct task_struct *tsk) 690 { 691 struct audit_context *context; 692 enum audit_state state; 693 694 if (likely(!audit_enabled)) 695 return 0; /* Return if not auditing. */ 696 697 state = audit_filter_task(tsk); 698 if (likely(state == AUDIT_DISABLED)) 699 return 0; 700 701 if (!(context = audit_alloc_context(state))) { 702 audit_log_lost("out of memory in audit_alloc"); 703 return -ENOMEM; 704 } 705 706 /* Preserve login uid */ 707 context->loginuid = -1; 708 if (current->audit_context) 709 context->loginuid = current->audit_context->loginuid; 710 711 tsk->audit_context = context; 712 set_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT); 713 return 0; 714 } 715 716 static inline void audit_free_context(struct audit_context *context) 717 { 718 struct audit_context *previous; 719 int count = 0; 720 721 do { 722 previous = context->previous; 723 if (previous || (count && count < 10)) { 724 ++count; 725 printk(KERN_ERR "audit(:%d): major=%d name_count=%d:" 726 " freeing multiple contexts (%d)\n", 727 context->serial, context->major, 728 context->name_count, count); 729 } 730 audit_free_names(context); 731 audit_free_aux(context); 732 kfree(context->filterkey); 733 kfree(context); 734 context = previous; 735 } while (context); 736 if (count >= 10) 737 printk(KERN_ERR "audit: freed %d contexts\n", count); 738 } 739 740 void audit_log_task_context(struct audit_buffer *ab) 741 { 742 char *ctx = NULL; 743 unsigned len; 744 int error; 745 u32 sid; 746 747 selinux_get_task_sid(current, &sid); 748 if (!sid) 749 return; 750 751 error = selinux_sid_to_string(sid, &ctx, &len); 752 if (error) { 753 if (error != -EINVAL) 754 goto error_path; 755 return; 756 } 757 758 audit_log_format(ab, " subj=%s", ctx); 759 kfree(ctx); 760 return; 761 762 error_path: 763 audit_panic("error in audit_log_task_context"); 764 return; 765 } 766 767 EXPORT_SYMBOL(audit_log_task_context); 768 769 static void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk) 770 { 771 char name[sizeof(tsk->comm)]; 772 struct mm_struct *mm = tsk->mm; 773 struct vm_area_struct *vma; 774 775 /* tsk == current */ 776 777 get_task_comm(name, tsk); 778 audit_log_format(ab, " comm="); 779 audit_log_untrustedstring(ab, name); 780 781 if (mm) { 782 down_read(&mm->mmap_sem); 783 vma = mm->mmap; 784 while (vma) { 785 if ((vma->vm_flags & VM_EXECUTABLE) && 786 vma->vm_file) { 787 audit_log_d_path(ab, "exe=", 788 vma->vm_file->f_path.dentry, 789 vma->vm_file->f_path.mnt); 790 break; 791 } 792 vma = vma->vm_next; 793 } 794 up_read(&mm->mmap_sem); 795 } 796 audit_log_task_context(ab); 797 } 798 799 static int audit_log_pid_context(struct audit_context *context, pid_t pid, 800 u32 sid) 801 { 802 struct audit_buffer *ab; 803 char *s = NULL; 804 u32 len; 805 int rc = 0; 806 807 ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID); 808 if (!ab) 809 return 1; 810 811 if (selinux_sid_to_string(sid, &s, &len)) { 812 audit_log_format(ab, "opid=%d obj=(none)", pid); 813 rc = 1; 814 } else 815 audit_log_format(ab, "opid=%d obj=%s", pid, s); 816 audit_log_end(ab); 817 kfree(s); 818 819 return rc; 820 } 821 822 static void audit_log_execve_info(struct audit_buffer *ab, 823 struct audit_aux_data_execve *axi) 824 { 825 int i; 826 long len, ret; 827 const char __user *p; 828 char *buf; 829 830 if (axi->mm != current->mm) 831 return; /* execve failed, no additional info */ 832 833 p = (const char __user *)axi->mm->arg_start; 834 835 for (i = 0; i < axi->argc; i++, p += len) { 836 len = strnlen_user(p, MAX_ARG_STRLEN); 837 /* 838 * We just created this mm, if we can't find the strings 839 * we just copied into it something is _very_ wrong. Similar 840 * for strings that are too long, we should not have created 841 * any. 842 */ 843 if (!len || len > MAX_ARG_STRLEN) { 844 WARN_ON(1); 845 send_sig(SIGKILL, current, 0); 846 } 847 848 buf = kmalloc(len, GFP_KERNEL); 849 if (!buf) { 850 audit_panic("out of memory for argv string\n"); 851 break; 852 } 853 854 ret = copy_from_user(buf, p, len); 855 /* 856 * There is no reason for this copy to be short. We just 857 * copied them here, and the mm hasn't been exposed to user- 858 * space yet. 859 */ 860 if (ret) { 861 WARN_ON(1); 862 send_sig(SIGKILL, current, 0); 863 } 864 865 audit_log_format(ab, "a%d=", i); 866 audit_log_untrustedstring(ab, buf); 867 audit_log_format(ab, "\n"); 868 869 kfree(buf); 870 } 871 } 872 873 static void audit_log_exit(struct audit_context *context, struct task_struct *tsk) 874 { 875 int i, call_panic = 0; 876 struct audit_buffer *ab; 877 struct audit_aux_data *aux; 878 const char *tty; 879 880 /* tsk == current */ 881 context->pid = tsk->pid; 882 if (!context->ppid) 883 context->ppid = sys_getppid(); 884 context->uid = tsk->uid; 885 context->gid = tsk->gid; 886 context->euid = tsk->euid; 887 context->suid = tsk->suid; 888 context->fsuid = tsk->fsuid; 889 context->egid = tsk->egid; 890 context->sgid = tsk->sgid; 891 context->fsgid = tsk->fsgid; 892 context->personality = tsk->personality; 893 894 ab = audit_log_start(context, GFP_KERNEL, AUDIT_SYSCALL); 895 if (!ab) 896 return; /* audit_panic has been called */ 897 audit_log_format(ab, "arch=%x syscall=%d", 898 context->arch, context->major); 899 if (context->personality != PER_LINUX) 900 audit_log_format(ab, " per=%lx", context->personality); 901 if (context->return_valid) 902 audit_log_format(ab, " success=%s exit=%ld", 903 (context->return_valid==AUDITSC_SUCCESS)?"yes":"no", 904 context->return_code); 905 906 mutex_lock(&tty_mutex); 907 read_lock(&tasklist_lock); 908 if (tsk->signal && tsk->signal->tty && tsk->signal->tty->name) 909 tty = tsk->signal->tty->name; 910 else 911 tty = "(none)"; 912 read_unlock(&tasklist_lock); 913 audit_log_format(ab, 914 " a0=%lx a1=%lx a2=%lx a3=%lx items=%d" 915 " ppid=%d pid=%d auid=%u uid=%u gid=%u" 916 " euid=%u suid=%u fsuid=%u" 917 " egid=%u sgid=%u fsgid=%u tty=%s", 918 context->argv[0], 919 context->argv[1], 920 context->argv[2], 921 context->argv[3], 922 context->name_count, 923 context->ppid, 924 context->pid, 925 context->loginuid, 926 context->uid, 927 context->gid, 928 context->euid, context->suid, context->fsuid, 929 context->egid, context->sgid, context->fsgid, tty); 930 931 mutex_unlock(&tty_mutex); 932 933 audit_log_task_info(ab, tsk); 934 if (context->filterkey) { 935 audit_log_format(ab, " key="); 936 audit_log_untrustedstring(ab, context->filterkey); 937 } else 938 audit_log_format(ab, " key=(null)"); 939 audit_log_end(ab); 940 941 for (aux = context->aux; aux; aux = aux->next) { 942 943 ab = audit_log_start(context, GFP_KERNEL, aux->type); 944 if (!ab) 945 continue; /* audit_panic has been called */ 946 947 switch (aux->type) { 948 case AUDIT_MQ_OPEN: { 949 struct audit_aux_data_mq_open *axi = (void *)aux; 950 audit_log_format(ab, 951 "oflag=0x%x mode=%#o mq_flags=0x%lx mq_maxmsg=%ld " 952 "mq_msgsize=%ld mq_curmsgs=%ld", 953 axi->oflag, axi->mode, axi->attr.mq_flags, 954 axi->attr.mq_maxmsg, axi->attr.mq_msgsize, 955 axi->attr.mq_curmsgs); 956 break; } 957 958 case AUDIT_MQ_SENDRECV: { 959 struct audit_aux_data_mq_sendrecv *axi = (void *)aux; 960 audit_log_format(ab, 961 "mqdes=%d msg_len=%zd msg_prio=%u " 962 "abs_timeout_sec=%ld abs_timeout_nsec=%ld", 963 axi->mqdes, axi->msg_len, axi->msg_prio, 964 axi->abs_timeout.tv_sec, axi->abs_timeout.tv_nsec); 965 break; } 966 967 case AUDIT_MQ_NOTIFY: { 968 struct audit_aux_data_mq_notify *axi = (void *)aux; 969 audit_log_format(ab, 970 "mqdes=%d sigev_signo=%d", 971 axi->mqdes, 972 axi->notification.sigev_signo); 973 break; } 974 975 case AUDIT_MQ_GETSETATTR: { 976 struct audit_aux_data_mq_getsetattr *axi = (void *)aux; 977 audit_log_format(ab, 978 "mqdes=%d mq_flags=0x%lx mq_maxmsg=%ld mq_msgsize=%ld " 979 "mq_curmsgs=%ld ", 980 axi->mqdes, 981 axi->mqstat.mq_flags, axi->mqstat.mq_maxmsg, 982 axi->mqstat.mq_msgsize, axi->mqstat.mq_curmsgs); 983 break; } 984 985 case AUDIT_IPC: { 986 struct audit_aux_data_ipcctl *axi = (void *)aux; 987 audit_log_format(ab, 988 "ouid=%u ogid=%u mode=%#o", 989 axi->uid, axi->gid, axi->mode); 990 if (axi->osid != 0) { 991 char *ctx = NULL; 992 u32 len; 993 if (selinux_sid_to_string( 994 axi->osid, &ctx, &len)) { 995 audit_log_format(ab, " osid=%u", 996 axi->osid); 997 call_panic = 1; 998 } else 999 audit_log_format(ab, " obj=%s", ctx); 1000 kfree(ctx); 1001 } 1002 break; } 1003 1004 case AUDIT_IPC_SET_PERM: { 1005 struct audit_aux_data_ipcctl *axi = (void *)aux; 1006 audit_log_format(ab, 1007 "qbytes=%lx ouid=%u ogid=%u mode=%#o", 1008 axi->qbytes, axi->uid, axi->gid, axi->mode); 1009 break; } 1010 1011 case AUDIT_EXECVE: { 1012 struct audit_aux_data_execve *axi = (void *)aux; 1013 audit_log_execve_info(ab, axi); 1014 break; } 1015 1016 case AUDIT_SOCKETCALL: { 1017 int i; 1018 struct audit_aux_data_socketcall *axs = (void *)aux; 1019 audit_log_format(ab, "nargs=%d", axs->nargs); 1020 for (i=0; i<axs->nargs; i++) 1021 audit_log_format(ab, " a%d=%lx", i, axs->args[i]); 1022 break; } 1023 1024 case AUDIT_SOCKADDR: { 1025 struct audit_aux_data_sockaddr *axs = (void *)aux; 1026 1027 audit_log_format(ab, "saddr="); 1028 audit_log_hex(ab, axs->a, axs->len); 1029 break; } 1030 1031 case AUDIT_FD_PAIR: { 1032 struct audit_aux_data_fd_pair *axs = (void *)aux; 1033 audit_log_format(ab, "fd0=%d fd1=%d", axs->fd[0], axs->fd[1]); 1034 break; } 1035 1036 } 1037 audit_log_end(ab); 1038 } 1039 1040 for (aux = context->aux_pids; aux; aux = aux->next) { 1041 struct audit_aux_data_pids *axs = (void *)aux; 1042 int i; 1043 1044 for (i = 0; i < axs->pid_count; i++) 1045 if (audit_log_pid_context(context, axs->target_pid[i], 1046 axs->target_sid[i])) 1047 call_panic = 1; 1048 } 1049 1050 if (context->target_pid && 1051 audit_log_pid_context(context, context->target_pid, 1052 context->target_sid)) 1053 call_panic = 1; 1054 1055 if (context->pwd && context->pwdmnt) { 1056 ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD); 1057 if (ab) { 1058 audit_log_d_path(ab, "cwd=", context->pwd, context->pwdmnt); 1059 audit_log_end(ab); 1060 } 1061 } 1062 for (i = 0; i < context->name_count; i++) { 1063 struct audit_names *n = &context->names[i]; 1064 1065 ab = audit_log_start(context, GFP_KERNEL, AUDIT_PATH); 1066 if (!ab) 1067 continue; /* audit_panic has been called */ 1068 1069 audit_log_format(ab, "item=%d", i); 1070 1071 if (n->name) { 1072 switch(n->name_len) { 1073 case AUDIT_NAME_FULL: 1074 /* log the full path */ 1075 audit_log_format(ab, " name="); 1076 audit_log_untrustedstring(ab, n->name); 1077 break; 1078 case 0: 1079 /* name was specified as a relative path and the 1080 * directory component is the cwd */ 1081 audit_log_d_path(ab, " name=", context->pwd, 1082 context->pwdmnt); 1083 break; 1084 default: 1085 /* log the name's directory component */ 1086 audit_log_format(ab, " name="); 1087 audit_log_n_untrustedstring(ab, n->name_len, 1088 n->name); 1089 } 1090 } else 1091 audit_log_format(ab, " name=(null)"); 1092 1093 if (n->ino != (unsigned long)-1) { 1094 audit_log_format(ab, " inode=%lu" 1095 " dev=%02x:%02x mode=%#o" 1096 " ouid=%u ogid=%u rdev=%02x:%02x", 1097 n->ino, 1098 MAJOR(n->dev), 1099 MINOR(n->dev), 1100 n->mode, 1101 n->uid, 1102 n->gid, 1103 MAJOR(n->rdev), 1104 MINOR(n->rdev)); 1105 } 1106 if (n->osid != 0) { 1107 char *ctx = NULL; 1108 u32 len; 1109 if (selinux_sid_to_string( 1110 n->osid, &ctx, &len)) { 1111 audit_log_format(ab, " osid=%u", n->osid); 1112 call_panic = 2; 1113 } else 1114 audit_log_format(ab, " obj=%s", ctx); 1115 kfree(ctx); 1116 } 1117 1118 audit_log_end(ab); 1119 } 1120 if (call_panic) 1121 audit_panic("error converting sid to string"); 1122 } 1123 1124 /** 1125 * audit_free - free a per-task audit context 1126 * @tsk: task whose audit context block to free 1127 * 1128 * Called from copy_process and do_exit 1129 */ 1130 void audit_free(struct task_struct *tsk) 1131 { 1132 struct audit_context *context; 1133 1134 context = audit_get_context(tsk, 0, 0); 1135 if (likely(!context)) 1136 return; 1137 1138 /* Check for system calls that do not go through the exit 1139 * function (e.g., exit_group), then free context block. 1140 * We use GFP_ATOMIC here because we might be doing this 1141 * in the context of the idle thread */ 1142 /* that can happen only if we are called from do_exit() */ 1143 if (context->in_syscall && context->auditable) 1144 audit_log_exit(context, tsk); 1145 1146 audit_free_context(context); 1147 } 1148 1149 /** 1150 * audit_syscall_entry - fill in an audit record at syscall entry 1151 * @tsk: task being audited 1152 * @arch: architecture type 1153 * @major: major syscall type (function) 1154 * @a1: additional syscall register 1 1155 * @a2: additional syscall register 2 1156 * @a3: additional syscall register 3 1157 * @a4: additional syscall register 4 1158 * 1159 * Fill in audit context at syscall entry. This only happens if the 1160 * audit context was created when the task was created and the state or 1161 * filters demand the audit context be built. If the state from the 1162 * per-task filter or from the per-syscall filter is AUDIT_RECORD_CONTEXT, 1163 * then the record will be written at syscall exit time (otherwise, it 1164 * will only be written if another part of the kernel requests that it 1165 * be written). 1166 */ 1167 void audit_syscall_entry(int arch, int major, 1168 unsigned long a1, unsigned long a2, 1169 unsigned long a3, unsigned long a4) 1170 { 1171 struct task_struct *tsk = current; 1172 struct audit_context *context = tsk->audit_context; 1173 enum audit_state state; 1174 1175 BUG_ON(!context); 1176 1177 /* 1178 * This happens only on certain architectures that make system 1179 * calls in kernel_thread via the entry.S interface, instead of 1180 * with direct calls. (If you are porting to a new 1181 * architecture, hitting this condition can indicate that you 1182 * got the _exit/_leave calls backward in entry.S.) 1183 * 1184 * i386 no 1185 * x86_64 no 1186 * ppc64 yes (see arch/powerpc/platforms/iseries/misc.S) 1187 * 1188 * This also happens with vm86 emulation in a non-nested manner 1189 * (entries without exits), so this case must be caught. 1190 */ 1191 if (context->in_syscall) { 1192 struct audit_context *newctx; 1193 1194 #if AUDIT_DEBUG 1195 printk(KERN_ERR 1196 "audit(:%d) pid=%d in syscall=%d;" 1197 " entering syscall=%d\n", 1198 context->serial, tsk->pid, context->major, major); 1199 #endif 1200 newctx = audit_alloc_context(context->state); 1201 if (newctx) { 1202 newctx->previous = context; 1203 context = newctx; 1204 tsk->audit_context = newctx; 1205 } else { 1206 /* If we can't alloc a new context, the best we 1207 * can do is to leak memory (any pending putname 1208 * will be lost). The only other alternative is 1209 * to abandon auditing. */ 1210 audit_zero_context(context, context->state); 1211 } 1212 } 1213 BUG_ON(context->in_syscall || context->name_count); 1214 1215 if (!audit_enabled) 1216 return; 1217 1218 context->arch = arch; 1219 context->major = major; 1220 context->argv[0] = a1; 1221 context->argv[1] = a2; 1222 context->argv[2] = a3; 1223 context->argv[3] = a4; 1224 1225 state = context->state; 1226 context->dummy = !audit_n_rules; 1227 if (!context->dummy && (state == AUDIT_SETUP_CONTEXT || state == AUDIT_BUILD_CONTEXT)) 1228 state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_ENTRY]); 1229 if (likely(state == AUDIT_DISABLED)) 1230 return; 1231 1232 context->serial = 0; 1233 context->ctime = CURRENT_TIME; 1234 context->in_syscall = 1; 1235 context->auditable = !!(state == AUDIT_RECORD_CONTEXT); 1236 context->ppid = 0; 1237 } 1238 1239 /** 1240 * audit_syscall_exit - deallocate audit context after a system call 1241 * @tsk: task being audited 1242 * @valid: success/failure flag 1243 * @return_code: syscall return value 1244 * 1245 * Tear down after system call. If the audit context has been marked as 1246 * auditable (either because of the AUDIT_RECORD_CONTEXT state from 1247 * filtering, or because some other part of the kernel write an audit 1248 * message), then write out the syscall information. In call cases, 1249 * free the names stored from getname(). 1250 */ 1251 void audit_syscall_exit(int valid, long return_code) 1252 { 1253 struct task_struct *tsk = current; 1254 struct audit_context *context; 1255 1256 context = audit_get_context(tsk, valid, return_code); 1257 1258 if (likely(!context)) 1259 return; 1260 1261 if (context->in_syscall && context->auditable) 1262 audit_log_exit(context, tsk); 1263 1264 context->in_syscall = 0; 1265 context->auditable = 0; 1266 1267 if (context->previous) { 1268 struct audit_context *new_context = context->previous; 1269 context->previous = NULL; 1270 audit_free_context(context); 1271 tsk->audit_context = new_context; 1272 } else { 1273 audit_free_names(context); 1274 audit_free_aux(context); 1275 context->aux = NULL; 1276 context->aux_pids = NULL; 1277 context->target_pid = 0; 1278 context->target_sid = 0; 1279 kfree(context->filterkey); 1280 context->filterkey = NULL; 1281 tsk->audit_context = context; 1282 } 1283 } 1284 1285 /** 1286 * audit_getname - add a name to the list 1287 * @name: name to add 1288 * 1289 * Add a name to the list of audit names for this context. 1290 * Called from fs/namei.c:getname(). 1291 */ 1292 void __audit_getname(const char *name) 1293 { 1294 struct audit_context *context = current->audit_context; 1295 1296 if (IS_ERR(name) || !name) 1297 return; 1298 1299 if (!context->in_syscall) { 1300 #if AUDIT_DEBUG == 2 1301 printk(KERN_ERR "%s:%d(:%d): ignoring getname(%p)\n", 1302 __FILE__, __LINE__, context->serial, name); 1303 dump_stack(); 1304 #endif 1305 return; 1306 } 1307 BUG_ON(context->name_count >= AUDIT_NAMES); 1308 context->names[context->name_count].name = name; 1309 context->names[context->name_count].name_len = AUDIT_NAME_FULL; 1310 context->names[context->name_count].name_put = 1; 1311 context->names[context->name_count].ino = (unsigned long)-1; 1312 context->names[context->name_count].osid = 0; 1313 ++context->name_count; 1314 if (!context->pwd) { 1315 read_lock(¤t->fs->lock); 1316 context->pwd = dget(current->fs->pwd); 1317 context->pwdmnt = mntget(current->fs->pwdmnt); 1318 read_unlock(¤t->fs->lock); 1319 } 1320 1321 } 1322 1323 /* audit_putname - intercept a putname request 1324 * @name: name to intercept and delay for putname 1325 * 1326 * If we have stored the name from getname in the audit context, 1327 * then we delay the putname until syscall exit. 1328 * Called from include/linux/fs.h:putname(). 1329 */ 1330 void audit_putname(const char *name) 1331 { 1332 struct audit_context *context = current->audit_context; 1333 1334 BUG_ON(!context); 1335 if (!context->in_syscall) { 1336 #if AUDIT_DEBUG == 2 1337 printk(KERN_ERR "%s:%d(:%d): __putname(%p)\n", 1338 __FILE__, __LINE__, context->serial, name); 1339 if (context->name_count) { 1340 int i; 1341 for (i = 0; i < context->name_count; i++) 1342 printk(KERN_ERR "name[%d] = %p = %s\n", i, 1343 context->names[i].name, 1344 context->names[i].name ?: "(null)"); 1345 } 1346 #endif 1347 __putname(name); 1348 } 1349 #if AUDIT_DEBUG 1350 else { 1351 ++context->put_count; 1352 if (context->put_count > context->name_count) { 1353 printk(KERN_ERR "%s:%d(:%d): major=%d" 1354 " in_syscall=%d putname(%p) name_count=%d" 1355 " put_count=%d\n", 1356 __FILE__, __LINE__, 1357 context->serial, context->major, 1358 context->in_syscall, name, context->name_count, 1359 context->put_count); 1360 dump_stack(); 1361 } 1362 } 1363 #endif 1364 } 1365 1366 static int audit_inc_name_count(struct audit_context *context, 1367 const struct inode *inode) 1368 { 1369 if (context->name_count >= AUDIT_NAMES) { 1370 if (inode) 1371 printk(KERN_DEBUG "name_count maxed, losing inode data: " 1372 "dev=%02x:%02x, inode=%lu", 1373 MAJOR(inode->i_sb->s_dev), 1374 MINOR(inode->i_sb->s_dev), 1375 inode->i_ino); 1376 1377 else 1378 printk(KERN_DEBUG "name_count maxed, losing inode data"); 1379 return 1; 1380 } 1381 context->name_count++; 1382 #if AUDIT_DEBUG 1383 context->ino_count++; 1384 #endif 1385 return 0; 1386 } 1387 1388 /* Copy inode data into an audit_names. */ 1389 static void audit_copy_inode(struct audit_names *name, const struct inode *inode) 1390 { 1391 name->ino = inode->i_ino; 1392 name->dev = inode->i_sb->s_dev; 1393 name->mode = inode->i_mode; 1394 name->uid = inode->i_uid; 1395 name->gid = inode->i_gid; 1396 name->rdev = inode->i_rdev; 1397 selinux_get_inode_sid(inode, &name->osid); 1398 } 1399 1400 /** 1401 * audit_inode - store the inode and device from a lookup 1402 * @name: name being audited 1403 * @inode: inode being audited 1404 * 1405 * Called from fs/namei.c:path_lookup(). 1406 */ 1407 void __audit_inode(const char *name, const struct inode *inode) 1408 { 1409 int idx; 1410 struct audit_context *context = current->audit_context; 1411 1412 if (!context->in_syscall) 1413 return; 1414 if (context->name_count 1415 && context->names[context->name_count-1].name 1416 && context->names[context->name_count-1].name == name) 1417 idx = context->name_count - 1; 1418 else if (context->name_count > 1 1419 && context->names[context->name_count-2].name 1420 && context->names[context->name_count-2].name == name) 1421 idx = context->name_count - 2; 1422 else { 1423 /* FIXME: how much do we care about inodes that have no 1424 * associated name? */ 1425 if (audit_inc_name_count(context, inode)) 1426 return; 1427 idx = context->name_count - 1; 1428 context->names[idx].name = NULL; 1429 } 1430 audit_copy_inode(&context->names[idx], inode); 1431 } 1432 1433 /** 1434 * audit_inode_child - collect inode info for created/removed objects 1435 * @dname: inode's dentry name 1436 * @inode: inode being audited 1437 * @parent: inode of dentry parent 1438 * 1439 * For syscalls that create or remove filesystem objects, audit_inode 1440 * can only collect information for the filesystem object's parent. 1441 * This call updates the audit context with the child's information. 1442 * Syscalls that create a new filesystem object must be hooked after 1443 * the object is created. Syscalls that remove a filesystem object 1444 * must be hooked prior, in order to capture the target inode during 1445 * unsuccessful attempts. 1446 */ 1447 void __audit_inode_child(const char *dname, const struct inode *inode, 1448 const struct inode *parent) 1449 { 1450 int idx; 1451 struct audit_context *context = current->audit_context; 1452 const char *found_parent = NULL, *found_child = NULL; 1453 int dirlen = 0; 1454 1455 if (!context->in_syscall) 1456 return; 1457 1458 /* determine matching parent */ 1459 if (!dname) 1460 goto add_names; 1461 1462 /* parent is more likely, look for it first */ 1463 for (idx = 0; idx < context->name_count; idx++) { 1464 struct audit_names *n = &context->names[idx]; 1465 1466 if (!n->name) 1467 continue; 1468 1469 if (n->ino == parent->i_ino && 1470 !audit_compare_dname_path(dname, n->name, &dirlen)) { 1471 n->name_len = dirlen; /* update parent data in place */ 1472 found_parent = n->name; 1473 goto add_names; 1474 } 1475 } 1476 1477 /* no matching parent, look for matching child */ 1478 for (idx = 0; idx < context->name_count; idx++) { 1479 struct audit_names *n = &context->names[idx]; 1480 1481 if (!n->name) 1482 continue; 1483 1484 /* strcmp() is the more likely scenario */ 1485 if (!strcmp(dname, n->name) || 1486 !audit_compare_dname_path(dname, n->name, &dirlen)) { 1487 if (inode) 1488 audit_copy_inode(n, inode); 1489 else 1490 n->ino = (unsigned long)-1; 1491 found_child = n->name; 1492 goto add_names; 1493 } 1494 } 1495 1496 add_names: 1497 if (!found_parent) { 1498 if (audit_inc_name_count(context, parent)) 1499 return; 1500 idx = context->name_count - 1; 1501 context->names[idx].name = NULL; 1502 audit_copy_inode(&context->names[idx], parent); 1503 } 1504 1505 if (!found_child) { 1506 if (audit_inc_name_count(context, inode)) 1507 return; 1508 idx = context->name_count - 1; 1509 1510 /* Re-use the name belonging to the slot for a matching parent 1511 * directory. All names for this context are relinquished in 1512 * audit_free_names() */ 1513 if (found_parent) { 1514 context->names[idx].name = found_parent; 1515 context->names[idx].name_len = AUDIT_NAME_FULL; 1516 /* don't call __putname() */ 1517 context->names[idx].name_put = 0; 1518 } else { 1519 context->names[idx].name = NULL; 1520 } 1521 1522 if (inode) 1523 audit_copy_inode(&context->names[idx], inode); 1524 else 1525 context->names[idx].ino = (unsigned long)-1; 1526 } 1527 } 1528 1529 /** 1530 * auditsc_get_stamp - get local copies of audit_context values 1531 * @ctx: audit_context for the task 1532 * @t: timespec to store time recorded in the audit_context 1533 * @serial: serial value that is recorded in the audit_context 1534 * 1535 * Also sets the context as auditable. 1536 */ 1537 void auditsc_get_stamp(struct audit_context *ctx, 1538 struct timespec *t, unsigned int *serial) 1539 { 1540 if (!ctx->serial) 1541 ctx->serial = audit_serial(); 1542 t->tv_sec = ctx->ctime.tv_sec; 1543 t->tv_nsec = ctx->ctime.tv_nsec; 1544 *serial = ctx->serial; 1545 ctx->auditable = 1; 1546 } 1547 1548 /** 1549 * audit_set_loginuid - set a task's audit_context loginuid 1550 * @task: task whose audit context is being modified 1551 * @loginuid: loginuid value 1552 * 1553 * Returns 0. 1554 * 1555 * Called (set) from fs/proc/base.c::proc_loginuid_write(). 1556 */ 1557 int audit_set_loginuid(struct task_struct *task, uid_t loginuid) 1558 { 1559 struct audit_context *context = task->audit_context; 1560 1561 if (context) { 1562 /* Only log if audit is enabled */ 1563 if (context->in_syscall) { 1564 struct audit_buffer *ab; 1565 1566 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN); 1567 if (ab) { 1568 audit_log_format(ab, "login pid=%d uid=%u " 1569 "old auid=%u new auid=%u", 1570 task->pid, task->uid, 1571 context->loginuid, loginuid); 1572 audit_log_end(ab); 1573 } 1574 } 1575 context->loginuid = loginuid; 1576 } 1577 return 0; 1578 } 1579 1580 /** 1581 * audit_get_loginuid - get the loginuid for an audit_context 1582 * @ctx: the audit_context 1583 * 1584 * Returns the context's loginuid or -1 if @ctx is NULL. 1585 */ 1586 uid_t audit_get_loginuid(struct audit_context *ctx) 1587 { 1588 return ctx ? ctx->loginuid : -1; 1589 } 1590 1591 EXPORT_SYMBOL(audit_get_loginuid); 1592 1593 /** 1594 * __audit_mq_open - record audit data for a POSIX MQ open 1595 * @oflag: open flag 1596 * @mode: mode bits 1597 * @u_attr: queue attributes 1598 * 1599 * Returns 0 for success or NULL context or < 0 on error. 1600 */ 1601 int __audit_mq_open(int oflag, mode_t mode, struct mq_attr __user *u_attr) 1602 { 1603 struct audit_aux_data_mq_open *ax; 1604 struct audit_context *context = current->audit_context; 1605 1606 if (!audit_enabled) 1607 return 0; 1608 1609 if (likely(!context)) 1610 return 0; 1611 1612 ax = kmalloc(sizeof(*ax), GFP_ATOMIC); 1613 if (!ax) 1614 return -ENOMEM; 1615 1616 if (u_attr != NULL) { 1617 if (copy_from_user(&ax->attr, u_attr, sizeof(ax->attr))) { 1618 kfree(ax); 1619 return -EFAULT; 1620 } 1621 } else 1622 memset(&ax->attr, 0, sizeof(ax->attr)); 1623 1624 ax->oflag = oflag; 1625 ax->mode = mode; 1626 1627 ax->d.type = AUDIT_MQ_OPEN; 1628 ax->d.next = context->aux; 1629 context->aux = (void *)ax; 1630 return 0; 1631 } 1632 1633 /** 1634 * __audit_mq_timedsend - record audit data for a POSIX MQ timed send 1635 * @mqdes: MQ descriptor 1636 * @msg_len: Message length 1637 * @msg_prio: Message priority 1638 * @u_abs_timeout: Message timeout in absolute time 1639 * 1640 * Returns 0 for success or NULL context or < 0 on error. 1641 */ 1642 int __audit_mq_timedsend(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, 1643 const struct timespec __user *u_abs_timeout) 1644 { 1645 struct audit_aux_data_mq_sendrecv *ax; 1646 struct audit_context *context = current->audit_context; 1647 1648 if (!audit_enabled) 1649 return 0; 1650 1651 if (likely(!context)) 1652 return 0; 1653 1654 ax = kmalloc(sizeof(*ax), GFP_ATOMIC); 1655 if (!ax) 1656 return -ENOMEM; 1657 1658 if (u_abs_timeout != NULL) { 1659 if (copy_from_user(&ax->abs_timeout, u_abs_timeout, sizeof(ax->abs_timeout))) { 1660 kfree(ax); 1661 return -EFAULT; 1662 } 1663 } else 1664 memset(&ax->abs_timeout, 0, sizeof(ax->abs_timeout)); 1665 1666 ax->mqdes = mqdes; 1667 ax->msg_len = msg_len; 1668 ax->msg_prio = msg_prio; 1669 1670 ax->d.type = AUDIT_MQ_SENDRECV; 1671 ax->d.next = context->aux; 1672 context->aux = (void *)ax; 1673 return 0; 1674 } 1675 1676 /** 1677 * __audit_mq_timedreceive - record audit data for a POSIX MQ timed receive 1678 * @mqdes: MQ descriptor 1679 * @msg_len: Message length 1680 * @u_msg_prio: Message priority 1681 * @u_abs_timeout: Message timeout in absolute time 1682 * 1683 * Returns 0 for success or NULL context or < 0 on error. 1684 */ 1685 int __audit_mq_timedreceive(mqd_t mqdes, size_t msg_len, 1686 unsigned int __user *u_msg_prio, 1687 const struct timespec __user *u_abs_timeout) 1688 { 1689 struct audit_aux_data_mq_sendrecv *ax; 1690 struct audit_context *context = current->audit_context; 1691 1692 if (!audit_enabled) 1693 return 0; 1694 1695 if (likely(!context)) 1696 return 0; 1697 1698 ax = kmalloc(sizeof(*ax), GFP_ATOMIC); 1699 if (!ax) 1700 return -ENOMEM; 1701 1702 if (u_msg_prio != NULL) { 1703 if (get_user(ax->msg_prio, u_msg_prio)) { 1704 kfree(ax); 1705 return -EFAULT; 1706 } 1707 } else 1708 ax->msg_prio = 0; 1709 1710 if (u_abs_timeout != NULL) { 1711 if (copy_from_user(&ax->abs_timeout, u_abs_timeout, sizeof(ax->abs_timeout))) { 1712 kfree(ax); 1713 return -EFAULT; 1714 } 1715 } else 1716 memset(&ax->abs_timeout, 0, sizeof(ax->abs_timeout)); 1717 1718 ax->mqdes = mqdes; 1719 ax->msg_len = msg_len; 1720 1721 ax->d.type = AUDIT_MQ_SENDRECV; 1722 ax->d.next = context->aux; 1723 context->aux = (void *)ax; 1724 return 0; 1725 } 1726 1727 /** 1728 * __audit_mq_notify - record audit data for a POSIX MQ notify 1729 * @mqdes: MQ descriptor 1730 * @u_notification: Notification event 1731 * 1732 * Returns 0 for success or NULL context or < 0 on error. 1733 */ 1734 1735 int __audit_mq_notify(mqd_t mqdes, const struct sigevent __user *u_notification) 1736 { 1737 struct audit_aux_data_mq_notify *ax; 1738 struct audit_context *context = current->audit_context; 1739 1740 if (!audit_enabled) 1741 return 0; 1742 1743 if (likely(!context)) 1744 return 0; 1745 1746 ax = kmalloc(sizeof(*ax), GFP_ATOMIC); 1747 if (!ax) 1748 return -ENOMEM; 1749 1750 if (u_notification != NULL) { 1751 if (copy_from_user(&ax->notification, u_notification, sizeof(ax->notification))) { 1752 kfree(ax); 1753 return -EFAULT; 1754 } 1755 } else 1756 memset(&ax->notification, 0, sizeof(ax->notification)); 1757 1758 ax->mqdes = mqdes; 1759 1760 ax->d.type = AUDIT_MQ_NOTIFY; 1761 ax->d.next = context->aux; 1762 context->aux = (void *)ax; 1763 return 0; 1764 } 1765 1766 /** 1767 * __audit_mq_getsetattr - record audit data for a POSIX MQ get/set attribute 1768 * @mqdes: MQ descriptor 1769 * @mqstat: MQ flags 1770 * 1771 * Returns 0 for success or NULL context or < 0 on error. 1772 */ 1773 int __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat) 1774 { 1775 struct audit_aux_data_mq_getsetattr *ax; 1776 struct audit_context *context = current->audit_context; 1777 1778 if (!audit_enabled) 1779 return 0; 1780 1781 if (likely(!context)) 1782 return 0; 1783 1784 ax = kmalloc(sizeof(*ax), GFP_ATOMIC); 1785 if (!ax) 1786 return -ENOMEM; 1787 1788 ax->mqdes = mqdes; 1789 ax->mqstat = *mqstat; 1790 1791 ax->d.type = AUDIT_MQ_GETSETATTR; 1792 ax->d.next = context->aux; 1793 context->aux = (void *)ax; 1794 return 0; 1795 } 1796 1797 /** 1798 * audit_ipc_obj - record audit data for ipc object 1799 * @ipcp: ipc permissions 1800 * 1801 * Returns 0 for success or NULL context or < 0 on error. 1802 */ 1803 int __audit_ipc_obj(struct kern_ipc_perm *ipcp) 1804 { 1805 struct audit_aux_data_ipcctl *ax; 1806 struct audit_context *context = current->audit_context; 1807 1808 ax = kmalloc(sizeof(*ax), GFP_ATOMIC); 1809 if (!ax) 1810 return -ENOMEM; 1811 1812 ax->uid = ipcp->uid; 1813 ax->gid = ipcp->gid; 1814 ax->mode = ipcp->mode; 1815 selinux_get_ipc_sid(ipcp, &ax->osid); 1816 1817 ax->d.type = AUDIT_IPC; 1818 ax->d.next = context->aux; 1819 context->aux = (void *)ax; 1820 return 0; 1821 } 1822 1823 /** 1824 * audit_ipc_set_perm - record audit data for new ipc permissions 1825 * @qbytes: msgq bytes 1826 * @uid: msgq user id 1827 * @gid: msgq group id 1828 * @mode: msgq mode (permissions) 1829 * 1830 * Returns 0 for success or NULL context or < 0 on error. 1831 */ 1832 int __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode) 1833 { 1834 struct audit_aux_data_ipcctl *ax; 1835 struct audit_context *context = current->audit_context; 1836 1837 ax = kmalloc(sizeof(*ax), GFP_ATOMIC); 1838 if (!ax) 1839 return -ENOMEM; 1840 1841 ax->qbytes = qbytes; 1842 ax->uid = uid; 1843 ax->gid = gid; 1844 ax->mode = mode; 1845 1846 ax->d.type = AUDIT_IPC_SET_PERM; 1847 ax->d.next = context->aux; 1848 context->aux = (void *)ax; 1849 return 0; 1850 } 1851 1852 int audit_argv_kb = 32; 1853 1854 int audit_bprm(struct linux_binprm *bprm) 1855 { 1856 struct audit_aux_data_execve *ax; 1857 struct audit_context *context = current->audit_context; 1858 1859 if (likely(!audit_enabled || !context || context->dummy)) 1860 return 0; 1861 1862 /* 1863 * Even though the stack code doesn't limit the arg+env size any more, 1864 * the audit code requires that _all_ arguments be logged in a single 1865 * netlink skb. Hence cap it :-( 1866 */ 1867 if (bprm->argv_len > (audit_argv_kb << 10)) 1868 return -E2BIG; 1869 1870 ax = kmalloc(sizeof(*ax), GFP_KERNEL); 1871 if (!ax) 1872 return -ENOMEM; 1873 1874 ax->argc = bprm->argc; 1875 ax->envc = bprm->envc; 1876 ax->mm = bprm->mm; 1877 ax->d.type = AUDIT_EXECVE; 1878 ax->d.next = context->aux; 1879 context->aux = (void *)ax; 1880 return 0; 1881 } 1882 1883 1884 /** 1885 * audit_socketcall - record audit data for sys_socketcall 1886 * @nargs: number of args 1887 * @args: args array 1888 * 1889 * Returns 0 for success or NULL context or < 0 on error. 1890 */ 1891 int audit_socketcall(int nargs, unsigned long *args) 1892 { 1893 struct audit_aux_data_socketcall *ax; 1894 struct audit_context *context = current->audit_context; 1895 1896 if (likely(!context || context->dummy)) 1897 return 0; 1898 1899 ax = kmalloc(sizeof(*ax) + nargs * sizeof(unsigned long), GFP_KERNEL); 1900 if (!ax) 1901 return -ENOMEM; 1902 1903 ax->nargs = nargs; 1904 memcpy(ax->args, args, nargs * sizeof(unsigned long)); 1905 1906 ax->d.type = AUDIT_SOCKETCALL; 1907 ax->d.next = context->aux; 1908 context->aux = (void *)ax; 1909 return 0; 1910 } 1911 1912 /** 1913 * __audit_fd_pair - record audit data for pipe and socketpair 1914 * @fd1: the first file descriptor 1915 * @fd2: the second file descriptor 1916 * 1917 * Returns 0 for success or NULL context or < 0 on error. 1918 */ 1919 int __audit_fd_pair(int fd1, int fd2) 1920 { 1921 struct audit_context *context = current->audit_context; 1922 struct audit_aux_data_fd_pair *ax; 1923 1924 if (likely(!context)) { 1925 return 0; 1926 } 1927 1928 ax = kmalloc(sizeof(*ax), GFP_KERNEL); 1929 if (!ax) { 1930 return -ENOMEM; 1931 } 1932 1933 ax->fd[0] = fd1; 1934 ax->fd[1] = fd2; 1935 1936 ax->d.type = AUDIT_FD_PAIR; 1937 ax->d.next = context->aux; 1938 context->aux = (void *)ax; 1939 return 0; 1940 } 1941 1942 /** 1943 * audit_sockaddr - record audit data for sys_bind, sys_connect, sys_sendto 1944 * @len: data length in user space 1945 * @a: data address in kernel space 1946 * 1947 * Returns 0 for success or NULL context or < 0 on error. 1948 */ 1949 int audit_sockaddr(int len, void *a) 1950 { 1951 struct audit_aux_data_sockaddr *ax; 1952 struct audit_context *context = current->audit_context; 1953 1954 if (likely(!context || context->dummy)) 1955 return 0; 1956 1957 ax = kmalloc(sizeof(*ax) + len, GFP_KERNEL); 1958 if (!ax) 1959 return -ENOMEM; 1960 1961 ax->len = len; 1962 memcpy(ax->a, a, len); 1963 1964 ax->d.type = AUDIT_SOCKADDR; 1965 ax->d.next = context->aux; 1966 context->aux = (void *)ax; 1967 return 0; 1968 } 1969 1970 void __audit_ptrace(struct task_struct *t) 1971 { 1972 struct audit_context *context = current->audit_context; 1973 1974 context->target_pid = t->pid; 1975 selinux_get_task_sid(t, &context->target_sid); 1976 } 1977 1978 /** 1979 * audit_signal_info - record signal info for shutting down audit subsystem 1980 * @sig: signal value 1981 * @t: task being signaled 1982 * 1983 * If the audit subsystem is being terminated, record the task (pid) 1984 * and uid that is doing that. 1985 */ 1986 int __audit_signal_info(int sig, struct task_struct *t) 1987 { 1988 struct audit_aux_data_pids *axp; 1989 struct task_struct *tsk = current; 1990 struct audit_context *ctx = tsk->audit_context; 1991 extern pid_t audit_sig_pid; 1992 extern uid_t audit_sig_uid; 1993 extern u32 audit_sig_sid; 1994 1995 if (audit_pid && t->tgid == audit_pid && 1996 (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1)) { 1997 audit_sig_pid = tsk->pid; 1998 if (ctx) 1999 audit_sig_uid = ctx->loginuid; 2000 else 2001 audit_sig_uid = tsk->uid; 2002 selinux_get_task_sid(tsk, &audit_sig_sid); 2003 } 2004 2005 if (!audit_signals) /* audit_context checked in wrapper */ 2006 return 0; 2007 2008 /* optimize the common case by putting first signal recipient directly 2009 * in audit_context */ 2010 if (!ctx->target_pid) { 2011 ctx->target_pid = t->tgid; 2012 selinux_get_task_sid(t, &ctx->target_sid); 2013 return 0; 2014 } 2015 2016 axp = (void *)ctx->aux_pids; 2017 if (!axp || axp->pid_count == AUDIT_AUX_PIDS) { 2018 axp = kzalloc(sizeof(*axp), GFP_ATOMIC); 2019 if (!axp) 2020 return -ENOMEM; 2021 2022 axp->d.type = AUDIT_OBJ_PID; 2023 axp->d.next = ctx->aux_pids; 2024 ctx->aux_pids = (void *)axp; 2025 } 2026 BUG_ON(axp->pid_count > AUDIT_AUX_PIDS); 2027 2028 axp->target_pid[axp->pid_count] = t->tgid; 2029 selinux_get_task_sid(t, &axp->target_sid[axp->pid_count]); 2030 axp->pid_count++; 2031 2032 return 0; 2033 } 2034 2035 /** 2036 * audit_core_dumps - record information about processes that end abnormally 2037 * @signr: signal value 2038 * 2039 * If a process ends with a core dump, something fishy is going on and we 2040 * should record the event for investigation. 2041 */ 2042 void audit_core_dumps(long signr) 2043 { 2044 struct audit_buffer *ab; 2045 u32 sid; 2046 2047 if (!audit_enabled) 2048 return; 2049 2050 if (signr == SIGQUIT) /* don't care for those */ 2051 return; 2052 2053 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND); 2054 audit_log_format(ab, "auid=%u uid=%u gid=%u", 2055 audit_get_loginuid(current->audit_context), 2056 current->uid, current->gid); 2057 selinux_get_task_sid(current, &sid); 2058 if (sid) { 2059 char *ctx = NULL; 2060 u32 len; 2061 2062 if (selinux_sid_to_string(sid, &ctx, &len)) 2063 audit_log_format(ab, " ssid=%u", sid); 2064 else 2065 audit_log_format(ab, " subj=%s", ctx); 2066 kfree(ctx); 2067 } 2068 audit_log_format(ab, " pid=%d comm=", current->pid); 2069 audit_log_untrustedstring(ab, current->comm); 2070 audit_log_format(ab, " sig=%ld", signr); 2071 audit_log_end(ab); 2072 } 2073