1/* auditsc.c -- System-call auditing support
   2 * Handles all system-call specific auditing features.
   3 *
   4 * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina.
   5 * Copyright 2005 Hewlett-Packard Development Company, L.P.
   6 * Copyright (C) 2005, 2006 IBM Corporation
   7 * All Rights Reserved.
   8 *
   9 * This program is free software; you can redistribute it and/or modify
  10 * it under the terms of the GNU General Public License as published by
  11 * the Free Software Foundation; either version 2 of the License, or
  12 * (at your option) any later version.
  13 *
  14 * This program is distributed in the hope that it will be useful,
  15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
  16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17 * GNU General Public License for more details.
  18 *
  19 * You should have received a copy of the GNU General Public License
  20 * along with this program; if not, write to the Free Software
  21 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
  22 *
  23 * Written by Rickard E. (Rik) Faith <faith@redhat.com>
  24 *
  25 * Many of the ideas implemented here are from Stephen C. Tweedie,
  26 * especially the idea of avoiding a copy by using getname.
  27 *
  28 * The method for actual interception of syscall entry and exit (not in
  29 * this file -- see entry.S) is based on a GPL'd patch written by
  30 * okir@suse.de and Copyright 2003 SuSE Linux AG.
  31 *
  32 * POSIX message queue support added by George Wilson <ltcgcw@us.ibm.com>,
  33 * 2006.
  34 *
  35 * The support of additional filter rules compares (>, <, >=, <=) was
  36 * added by Dustin Kirkland <dustin.kirkland@us.ibm.com>, 2005.
  37 *
  38 * Modified by Amy Griffis <amy.griffis@hp.com> to collect additional
  39 * filesystem information.
  40 *
  41 * Subject and object context labeling support added by <danjones@us.ibm.com>
  42 * and <dustin.kirkland@us.ibm.com> for LSPP certification compliance.
  43 */
  44
  45#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
  46
  47#include <linux/init.h>
  48#include <asm/types.h>
  49#include <linux/atomic.h>
  50#include <linux/fs.h>
  51#include <linux/namei.h>
  52#include <linux/mm.h>
  53#include <linux/export.h>
  54#include <linux/slab.h>
  55#include <linux/mount.h>
  56#include <linux/socket.h>
  57#include <linux/mqueue.h>
  58#include <linux/audit.h>
  59#include <linux/personality.h>
  60#include <linux/time.h>
  61#include <linux/netlink.h>
  62#include <linux/compiler.h>
  63#include <asm/unistd.h>
  64#include <linux/security.h>
  65#include <linux/list.h>
  66#include <linux/tty.h>
  67#include <linux/binfmts.h>
  68#include <linux/highmem.h>
  69#include <linux/syscalls.h>
 
  70#include <linux/capability.h>
  71#include <linux/fs_struct.h>
  72#include <linux/compat.h>
  73#include <linux/ctype.h>
 
 
 
 
  74
  75#include "audit.h"
  76
  77/* flags stating the success for a syscall */
  78#define AUDITSC_INVALID 0
  79#define AUDITSC_SUCCESS 1
  80#define AUDITSC_FAILURE 2
  81
  82/* no execve audit message should be longer than this (userspace limits) */
 
  83#define MAX_EXECVE_AUDIT_LEN 7500
  84
  85/* max length to print of cmdline/proctitle value during audit */
  86#define MAX_PROCTITLE_AUDIT_LEN 128
  87
  88/* number of audit rules */
  89int audit_n_rules;
  90
  91/* determines whether we collect data for signals sent */
  92int audit_signals;
  93
  94struct audit_aux_data {
  95	struct audit_aux_data	*next;
  96	int			type;
  97};
  98
  99#define AUDIT_AUX_IPCPERM	0
 100
 101/* Number of target pids per aux struct. */
 102#define AUDIT_AUX_PIDS	16
 103
 104struct audit_aux_data_pids {
 105	struct audit_aux_data	d;
 106	pid_t			target_pid[AUDIT_AUX_PIDS];
 107	kuid_t			target_auid[AUDIT_AUX_PIDS];
 108	kuid_t			target_uid[AUDIT_AUX_PIDS];
 109	unsigned int		target_sessionid[AUDIT_AUX_PIDS];
 110	u32			target_sid[AUDIT_AUX_PIDS];
 111	char 			target_comm[AUDIT_AUX_PIDS][TASK_COMM_LEN];
 112	int			pid_count;
 113};
 114
 115struct audit_aux_data_bprm_fcaps {
 116	struct audit_aux_data	d;
 117	struct audit_cap_data	fcap;
 118	unsigned int		fcap_ver;
 119	struct audit_cap_data	old_pcap;
 120	struct audit_cap_data	new_pcap;
 121};
 122
 123struct audit_tree_refs {
 124	struct audit_tree_refs *next;
 125	struct audit_chunk *c[31];
 126};
 127
 128static inline int open_arg(int flags, int mask)
 129{
 130	int n = ACC_MODE(flags);
 131	if (flags & (O_TRUNC | O_CREAT))
 132		n |= AUDIT_PERM_WRITE;
 133	return n & mask;
 134}
 135
 136static int audit_match_perm(struct audit_context *ctx, int mask)
 137{
 138	unsigned n;
 139	if (unlikely(!ctx))
 140		return 0;
 141	n = ctx->major;
 142
 143	switch (audit_classify_syscall(ctx->arch, n)) {
 144	case 0:	/* native */
 145		if ((mask & AUDIT_PERM_WRITE) &&
 146		     audit_match_class(AUDIT_CLASS_WRITE, n))
 147			return 1;
 148		if ((mask & AUDIT_PERM_READ) &&
 149		     audit_match_class(AUDIT_CLASS_READ, n))
 150			return 1;
 151		if ((mask & AUDIT_PERM_ATTR) &&
 152		     audit_match_class(AUDIT_CLASS_CHATTR, n))
 153			return 1;
 154		return 0;
 155	case 1: /* 32bit on biarch */
 156		if ((mask & AUDIT_PERM_WRITE) &&
 157		     audit_match_class(AUDIT_CLASS_WRITE_32, n))
 158			return 1;
 159		if ((mask & AUDIT_PERM_READ) &&
 160		     audit_match_class(AUDIT_CLASS_READ_32, n))
 161			return 1;
 162		if ((mask & AUDIT_PERM_ATTR) &&
 163		     audit_match_class(AUDIT_CLASS_CHATTR_32, n))
 164			return 1;
 165		return 0;
 166	case 2: /* open */
 167		return mask & ACC_MODE(ctx->argv[1]);
 168	case 3: /* openat */
 169		return mask & ACC_MODE(ctx->argv[2]);
 170	case 4: /* socketcall */
 171		return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND);
 172	case 5: /* execve */
 173		return mask & AUDIT_PERM_EXEC;
 174	default:
 175		return 0;
 176	}
 177}
 178
 179static int audit_match_filetype(struct audit_context *ctx, int val)
 180{
 181	struct audit_names *n;
 182	umode_t mode = (umode_t)val;
 183
 184	if (unlikely(!ctx))
 185		return 0;
 186
 187	list_for_each_entry(n, &ctx->names_list, list) {
 188		if ((n->ino != -1) &&
 189		    ((n->mode & S_IFMT) == mode))
 190			return 1;
 191	}
 192
 193	return 0;
 194}
 195
 196/*
 197 * We keep a linked list of fixed-sized (31 pointer) arrays of audit_chunk *;
 198 * ->first_trees points to its beginning, ->trees - to the current end of data.
 199 * ->tree_count is the number of free entries in array pointed to by ->trees.
 200 * Original condition is (NULL, NULL, 0); as soon as it grows we never revert to NULL,
 201 * "empty" becomes (p, p, 31) afterwards.  We don't shrink the list (and seriously,
 202 * it's going to remain 1-element for almost any setup) until we free context itself.
 203 * References in it _are_ dropped - at the same time we free/drop aux stuff.
 204 */
 205
 206#ifdef CONFIG_AUDIT_TREE
 207static void audit_set_auditable(struct audit_context *ctx)
 208{
 209	if (!ctx->prio) {
 210		ctx->prio = 1;
 211		ctx->current_state = AUDIT_RECORD_CONTEXT;
 212	}
 213}
 214
 215static int put_tree_ref(struct audit_context *ctx, struct audit_chunk *chunk)
 216{
 217	struct audit_tree_refs *p = ctx->trees;
 218	int left = ctx->tree_count;
 219	if (likely(left)) {
 220		p->c[--left] = chunk;
 221		ctx->tree_count = left;
 222		return 1;
 223	}
 224	if (!p)
 225		return 0;
 226	p = p->next;
 227	if (p) {
 228		p->c[30] = chunk;
 229		ctx->trees = p;
 230		ctx->tree_count = 30;
 231		return 1;
 232	}
 233	return 0;
 234}
 235
 236static int grow_tree_refs(struct audit_context *ctx)
 237{
 238	struct audit_tree_refs *p = ctx->trees;
 239	ctx->trees = kzalloc(sizeof(struct audit_tree_refs), GFP_KERNEL);
 240	if (!ctx->trees) {
 241		ctx->trees = p;
 242		return 0;
 243	}
 244	if (p)
 245		p->next = ctx->trees;
 246	else
 247		ctx->first_trees = ctx->trees;
 248	ctx->tree_count = 31;
 249	return 1;
 250}
 251#endif
 252
 253static void unroll_tree_refs(struct audit_context *ctx,
 254		      struct audit_tree_refs *p, int count)
 255{
 256#ifdef CONFIG_AUDIT_TREE
 257	struct audit_tree_refs *q;
 258	int n;
 259	if (!p) {
 260		/* we started with empty chain */
 261		p = ctx->first_trees;
 262		count = 31;
 263		/* if the very first allocation has failed, nothing to do */
 264		if (!p)
 265			return;
 266	}
 267	n = count;
 268	for (q = p; q != ctx->trees; q = q->next, n = 31) {
 269		while (n--) {
 270			audit_put_chunk(q->c[n]);
 271			q->c[n] = NULL;
 272		}
 273	}
 274	while (n-- > ctx->tree_count) {
 275		audit_put_chunk(q->c[n]);
 276		q->c[n] = NULL;
 277	}
 278	ctx->trees = p;
 279	ctx->tree_count = count;
 280#endif
 281}
 282
 283static void free_tree_refs(struct audit_context *ctx)
 284{
 285	struct audit_tree_refs *p, *q;
 286	for (p = ctx->first_trees; p; p = q) {
 287		q = p->next;
 288		kfree(p);
 289	}
 290}
 291
 292static int match_tree_refs(struct audit_context *ctx, struct audit_tree *tree)
 293{
 294#ifdef CONFIG_AUDIT_TREE
 295	struct audit_tree_refs *p;
 296	int n;
 297	if (!tree)
 298		return 0;
 299	/* full ones */
 300	for (p = ctx->first_trees; p != ctx->trees; p = p->next) {
 301		for (n = 0; n < 31; n++)
 302			if (audit_tree_match(p->c[n], tree))
 303				return 1;
 304	}
 305	/* partial */
 306	if (p) {
 307		for (n = ctx->tree_count; n < 31; n++)
 308			if (audit_tree_match(p->c[n], tree))
 309				return 1;
 310	}
 311#endif
 312	return 0;
 313}
 314
 315static int audit_compare_uid(kuid_t uid,
 316			     struct audit_names *name,
 317			     struct audit_field *f,
 318			     struct audit_context *ctx)
 319{
 320	struct audit_names *n;
 321	int rc;
 322 
 323	if (name) {
 324		rc = audit_uid_comparator(uid, f->op, name->uid);
 325		if (rc)
 326			return rc;
 327	}
 328 
 329	if (ctx) {
 330		list_for_each_entry(n, &ctx->names_list, list) {
 331			rc = audit_uid_comparator(uid, f->op, n->uid);
 332			if (rc)
 333				return rc;
 334		}
 335	}
 336	return 0;
 337}
 338
 339static int audit_compare_gid(kgid_t gid,
 340			     struct audit_names *name,
 341			     struct audit_field *f,
 342			     struct audit_context *ctx)
 343{
 344	struct audit_names *n;
 345	int rc;
 346 
 347	if (name) {
 348		rc = audit_gid_comparator(gid, f->op, name->gid);
 349		if (rc)
 350			return rc;
 351	}
 352 
 353	if (ctx) {
 354		list_for_each_entry(n, &ctx->names_list, list) {
 355			rc = audit_gid_comparator(gid, f->op, n->gid);
 356			if (rc)
 357				return rc;
 358		}
 359	}
 360	return 0;
 361}
 362
 363static int audit_field_compare(struct task_struct *tsk,
 364			       const struct cred *cred,
 365			       struct audit_field *f,
 366			       struct audit_context *ctx,
 367			       struct audit_names *name)
 368{
 369	switch (f->val) {
 370	/* process to file object comparisons */
 371	case AUDIT_COMPARE_UID_TO_OBJ_UID:
 372		return audit_compare_uid(cred->uid, name, f, ctx);
 373	case AUDIT_COMPARE_GID_TO_OBJ_GID:
 374		return audit_compare_gid(cred->gid, name, f, ctx);
 375	case AUDIT_COMPARE_EUID_TO_OBJ_UID:
 376		return audit_compare_uid(cred->euid, name, f, ctx);
 377	case AUDIT_COMPARE_EGID_TO_OBJ_GID:
 378		return audit_compare_gid(cred->egid, name, f, ctx);
 379	case AUDIT_COMPARE_AUID_TO_OBJ_UID:
 380		return audit_compare_uid(tsk->loginuid, name, f, ctx);
 381	case AUDIT_COMPARE_SUID_TO_OBJ_UID:
 382		return audit_compare_uid(cred->suid, name, f, ctx);
 383	case AUDIT_COMPARE_SGID_TO_OBJ_GID:
 384		return audit_compare_gid(cred->sgid, name, f, ctx);
 385	case AUDIT_COMPARE_FSUID_TO_OBJ_UID:
 386		return audit_compare_uid(cred->fsuid, name, f, ctx);
 387	case AUDIT_COMPARE_FSGID_TO_OBJ_GID:
 388		return audit_compare_gid(cred->fsgid, name, f, ctx);
 389	/* uid comparisons */
 390	case AUDIT_COMPARE_UID_TO_AUID:
 391		return audit_uid_comparator(cred->uid, f->op, tsk->loginuid);
 392	case AUDIT_COMPARE_UID_TO_EUID:
 393		return audit_uid_comparator(cred->uid, f->op, cred->euid);
 394	case AUDIT_COMPARE_UID_TO_SUID:
 395		return audit_uid_comparator(cred->uid, f->op, cred->suid);
 396	case AUDIT_COMPARE_UID_TO_FSUID:
 397		return audit_uid_comparator(cred->uid, f->op, cred->fsuid);
 398	/* auid comparisons */
 399	case AUDIT_COMPARE_AUID_TO_EUID:
 400		return audit_uid_comparator(tsk->loginuid, f->op, cred->euid);
 401	case AUDIT_COMPARE_AUID_TO_SUID:
 402		return audit_uid_comparator(tsk->loginuid, f->op, cred->suid);
 403	case AUDIT_COMPARE_AUID_TO_FSUID:
 404		return audit_uid_comparator(tsk->loginuid, f->op, cred->fsuid);
 405	/* euid comparisons */
 406	case AUDIT_COMPARE_EUID_TO_SUID:
 407		return audit_uid_comparator(cred->euid, f->op, cred->suid);
 408	case AUDIT_COMPARE_EUID_TO_FSUID:
 409		return audit_uid_comparator(cred->euid, f->op, cred->fsuid);
 410	/* suid comparisons */
 411	case AUDIT_COMPARE_SUID_TO_FSUID:
 412		return audit_uid_comparator(cred->suid, f->op, cred->fsuid);
 413	/* gid comparisons */
 414	case AUDIT_COMPARE_GID_TO_EGID:
 415		return audit_gid_comparator(cred->gid, f->op, cred->egid);
 416	case AUDIT_COMPARE_GID_TO_SGID:
 417		return audit_gid_comparator(cred->gid, f->op, cred->sgid);
 418	case AUDIT_COMPARE_GID_TO_FSGID:
 419		return audit_gid_comparator(cred->gid, f->op, cred->fsgid);
 420	/* egid comparisons */
 421	case AUDIT_COMPARE_EGID_TO_SGID:
 422		return audit_gid_comparator(cred->egid, f->op, cred->sgid);
 423	case AUDIT_COMPARE_EGID_TO_FSGID:
 424		return audit_gid_comparator(cred->egid, f->op, cred->fsgid);
 425	/* sgid comparison */
 426	case AUDIT_COMPARE_SGID_TO_FSGID:
 427		return audit_gid_comparator(cred->sgid, f->op, cred->fsgid);
 428	default:
 429		WARN(1, "Missing AUDIT_COMPARE define.  Report as a bug\n");
 430		return 0;
 431	}
 432	return 0;
 433}
 434
 435/* Determine if any context name data matches a rule's watch data */
 436/* Compare a task_struct with an audit_rule.  Return 1 on match, 0
 437 * otherwise.
 438 *
 439 * If task_creation is true, this is an explicit indication that we are
 440 * filtering a task rule at task creation time.  This and tsk == current are
 441 * the only situations where tsk->cred may be accessed without an rcu read lock.
 442 */
 443static int audit_filter_rules(struct task_struct *tsk,
 444			      struct audit_krule *rule,
 445			      struct audit_context *ctx,
 446			      struct audit_names *name,
 447			      enum audit_state *state,
 448			      bool task_creation)
 449{
 450	const struct cred *cred;
 451	int i, need_sid = 1;
 452	u32 sid;
 
 453
 454	cred = rcu_dereference_check(tsk->cred, tsk == current || task_creation);
 455
 456	for (i = 0; i < rule->field_count; i++) {
 457		struct audit_field *f = &rule->fields[i];
 458		struct audit_names *n;
 459		int result = 0;
 460		pid_t pid;
 461
 462		switch (f->type) {
 463		case AUDIT_PID:
 464			pid = task_pid_nr(tsk);
 465			result = audit_comparator(pid, f->op, f->val);
 466			break;
 467		case AUDIT_PPID:
 468			if (ctx) {
 469				if (!ctx->ppid)
 470					ctx->ppid = task_ppid_nr(tsk);
 471				result = audit_comparator(ctx->ppid, f->op, f->val);
 472			}
 473			break;
 
 
 
 474		case AUDIT_UID:
 475			result = audit_uid_comparator(cred->uid, f->op, f->uid);
 476			break;
 477		case AUDIT_EUID:
 478			result = audit_uid_comparator(cred->euid, f->op, f->uid);
 479			break;
 480		case AUDIT_SUID:
 481			result = audit_uid_comparator(cred->suid, f->op, f->uid);
 482			break;
 483		case AUDIT_FSUID:
 484			result = audit_uid_comparator(cred->fsuid, f->op, f->uid);
 485			break;
 486		case AUDIT_GID:
 487			result = audit_gid_comparator(cred->gid, f->op, f->gid);
 488			if (f->op == Audit_equal) {
 489				if (!result)
 490					result = in_group_p(f->gid);
 491			} else if (f->op == Audit_not_equal) {
 492				if (result)
 493					result = !in_group_p(f->gid);
 494			}
 495			break;
 496		case AUDIT_EGID:
 497			result = audit_gid_comparator(cred->egid, f->op, f->gid);
 498			if (f->op == Audit_equal) {
 499				if (!result)
 500					result = in_egroup_p(f->gid);
 501			} else if (f->op == Audit_not_equal) {
 502				if (result)
 503					result = !in_egroup_p(f->gid);
 504			}
 505			break;
 506		case AUDIT_SGID:
 507			result = audit_gid_comparator(cred->sgid, f->op, f->gid);
 508			break;
 509		case AUDIT_FSGID:
 510			result = audit_gid_comparator(cred->fsgid, f->op, f->gid);
 511			break;
 
 
 
 
 512		case AUDIT_PERS:
 513			result = audit_comparator(tsk->personality, f->op, f->val);
 514			break;
 515		case AUDIT_ARCH:
 516			if (ctx)
 517				result = audit_comparator(ctx->arch, f->op, f->val);
 518			break;
 519
 520		case AUDIT_EXIT:
 521			if (ctx && ctx->return_valid)
 522				result = audit_comparator(ctx->return_code, f->op, f->val);
 523			break;
 524		case AUDIT_SUCCESS:
 525			if (ctx && ctx->return_valid) {
 526				if (f->val)
 527					result = audit_comparator(ctx->return_valid, f->op, AUDITSC_SUCCESS);
 528				else
 529					result = audit_comparator(ctx->return_valid, f->op, AUDITSC_FAILURE);
 530			}
 531			break;
 532		case AUDIT_DEVMAJOR:
 533			if (name) {
 534				if (audit_comparator(MAJOR(name->dev), f->op, f->val) ||
 535				    audit_comparator(MAJOR(name->rdev), f->op, f->val))
 536					++result;
 537			} else if (ctx) {
 538				list_for_each_entry(n, &ctx->names_list, list) {
 539					if (audit_comparator(MAJOR(n->dev), f->op, f->val) ||
 540					    audit_comparator(MAJOR(n->rdev), f->op, f->val)) {
 541						++result;
 542						break;
 543					}
 544				}
 545			}
 546			break;
 547		case AUDIT_DEVMINOR:
 548			if (name) {
 549				if (audit_comparator(MINOR(name->dev), f->op, f->val) ||
 550				    audit_comparator(MINOR(name->rdev), f->op, f->val))
 551					++result;
 552			} else if (ctx) {
 553				list_for_each_entry(n, &ctx->names_list, list) {
 554					if (audit_comparator(MINOR(n->dev), f->op, f->val) ||
 555					    audit_comparator(MINOR(n->rdev), f->op, f->val)) {
 556						++result;
 557						break;
 558					}
 559				}
 560			}
 561			break;
 562		case AUDIT_INODE:
 563			if (name)
 564				result = audit_comparator(name->ino, f->op, f->val);
 565			else if (ctx) {
 566				list_for_each_entry(n, &ctx->names_list, list) {
 567					if (audit_comparator(n->ino, f->op, f->val)) {
 568						++result;
 569						break;
 570					}
 571				}
 572			}
 573			break;
 574		case AUDIT_OBJ_UID:
 575			if (name) {
 576				result = audit_uid_comparator(name->uid, f->op, f->uid);
 577			} else if (ctx) {
 578				list_for_each_entry(n, &ctx->names_list, list) {
 579					if (audit_uid_comparator(n->uid, f->op, f->uid)) {
 580						++result;
 581						break;
 582					}
 583				}
 584			}
 585			break;
 586		case AUDIT_OBJ_GID:
 587			if (name) {
 588				result = audit_gid_comparator(name->gid, f->op, f->gid);
 589			} else if (ctx) {
 590				list_for_each_entry(n, &ctx->names_list, list) {
 591					if (audit_gid_comparator(n->gid, f->op, f->gid)) {
 592						++result;
 593						break;
 594					}
 595				}
 596			}
 597			break;
 598		case AUDIT_WATCH:
 599			if (name)
 600				result = audit_watch_compare(rule->watch, name->ino, name->dev);
 601			break;
 602		case AUDIT_DIR:
 603			if (ctx)
 604				result = match_tree_refs(ctx, rule->tree);
 605			break;
 606		case AUDIT_LOGINUID:
 607			result = 0;
 608			if (ctx)
 609				result = audit_uid_comparator(tsk->loginuid, f->op, f->uid);
 610			break;
 611		case AUDIT_LOGINUID_SET:
 612			result = audit_comparator(audit_loginuid_set(tsk), f->op, f->val);
 613			break;
 614		case AUDIT_SUBJ_USER:
 615		case AUDIT_SUBJ_ROLE:
 616		case AUDIT_SUBJ_TYPE:
 617		case AUDIT_SUBJ_SEN:
 618		case AUDIT_SUBJ_CLR:
 619			/* NOTE: this may return negative values indicating
 620			   a temporary error.  We simply treat this as a
 621			   match for now to avoid losing information that
 622			   may be wanted.   An error message will also be
 623			   logged upon error */
 624			if (f->lsm_rule) {
 625				if (need_sid) {
 626					security_task_getsecid(tsk, &sid);
 627					need_sid = 0;
 628				}
 629				result = security_audit_rule_match(sid, f->type,
 630				                                  f->op,
 631				                                  f->lsm_rule,
 632				                                  ctx);
 633			}
 634			break;
 635		case AUDIT_OBJ_USER:
 636		case AUDIT_OBJ_ROLE:
 637		case AUDIT_OBJ_TYPE:
 638		case AUDIT_OBJ_LEV_LOW:
 639		case AUDIT_OBJ_LEV_HIGH:
 640			/* The above note for AUDIT_SUBJ_USER...AUDIT_SUBJ_CLR
 641			   also applies here */
 642			if (f->lsm_rule) {
 643				/* Find files that match */
 644				if (name) {
 645					result = security_audit_rule_match(
 646					           name->osid, f->type, f->op,
 647					           f->lsm_rule, ctx);
 648				} else if (ctx) {
 649					list_for_each_entry(n, &ctx->names_list, list) {
 650						if (security_audit_rule_match(n->osid, f->type,
 651									      f->op, f->lsm_rule,
 652									      ctx)) {
 653							++result;
 654							break;
 655						}
 656					}
 657				}
 658				/* Find ipc objects that match */
 659				if (!ctx || ctx->type != AUDIT_IPC)
 660					break;
 661				if (security_audit_rule_match(ctx->ipc.osid,
 662							      f->type, f->op,
 663							      f->lsm_rule, ctx))
 664					++result;
 665			}
 666			break;
 667		case AUDIT_ARG0:
 668		case AUDIT_ARG1:
 669		case AUDIT_ARG2:
 670		case AUDIT_ARG3:
 671			if (ctx)
 672				result = audit_comparator(ctx->argv[f->type-AUDIT_ARG0], f->op, f->val);
 673			break;
 674		case AUDIT_FILTERKEY:
 675			/* ignore this field for filtering */
 676			result = 1;
 677			break;
 678		case AUDIT_PERM:
 679			result = audit_match_perm(ctx, f->val);
 680			break;
 681		case AUDIT_FILETYPE:
 682			result = audit_match_filetype(ctx, f->val);
 683			break;
 684		case AUDIT_FIELD_COMPARE:
 685			result = audit_field_compare(tsk, cred, f, ctx, name);
 686			break;
 687		}
 688		if (!result)
 689			return 0;
 690	}
 691
 692	if (ctx) {
 693		if (rule->prio <= ctx->prio)
 694			return 0;
 695		if (rule->filterkey) {
 696			kfree(ctx->filterkey);
 697			ctx->filterkey = kstrdup(rule->filterkey, GFP_ATOMIC);
 698		}
 699		ctx->prio = rule->prio;
 700	}
 701	switch (rule->action) {
 702	case AUDIT_NEVER:    *state = AUDIT_DISABLED;	    break;
 703	case AUDIT_ALWAYS:   *state = AUDIT_RECORD_CONTEXT; break;
 
 
 
 
 704	}
 705	return 1;
 706}
 707
 708/* At process creation time, we can determine if system-call auditing is
 709 * completely disabled for this task.  Since we only have the task
 710 * structure at this point, we can only check uid and gid.
 711 */
 712static enum audit_state audit_filter_task(struct task_struct *tsk, char **key)
 713{
 714	struct audit_entry *e;
 715	enum audit_state   state;
 716
 717	rcu_read_lock();
 718	list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TASK], list) {
 719		if (audit_filter_rules(tsk, &e->rule, NULL, NULL,
 720				       &state, true)) {
 721			if (state == AUDIT_RECORD_CONTEXT)
 722				*key = kstrdup(e->rule.filterkey, GFP_ATOMIC);
 723			rcu_read_unlock();
 724			return state;
 725		}
 726	}
 727	rcu_read_unlock();
 728	return AUDIT_BUILD_CONTEXT;
 729}
 730
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 731/* At syscall entry and exit time, this filter is called if the
 732 * audit_state is not low enough that auditing cannot take place, but is
 733 * also not high enough that we already know we have to write an audit
 734 * record (i.e., the state is AUDIT_SETUP_CONTEXT or AUDIT_BUILD_CONTEXT).
 735 */
 736static enum audit_state audit_filter_syscall(struct task_struct *tsk,
 737					     struct audit_context *ctx,
 738					     struct list_head *list)
 739{
 740	struct audit_entry *e;
 741	enum audit_state state;
 742
 743	if (audit_pid && tsk->tgid == audit_pid)
 744		return AUDIT_DISABLED;
 745
 746	rcu_read_lock();
 747	if (!list_empty(list)) {
 748		int word = AUDIT_WORD(ctx->major);
 749		int bit  = AUDIT_BIT(ctx->major);
 750
 751		list_for_each_entry_rcu(e, list, list) {
 752			if ((e->rule.mask[word] & bit) == bit &&
 753			    audit_filter_rules(tsk, &e->rule, ctx, NULL,
 754					       &state, false)) {
 755				rcu_read_unlock();
 756				ctx->current_state = state;
 757				return state;
 758			}
 759		}
 760	}
 761	rcu_read_unlock();
 762	return AUDIT_BUILD_CONTEXT;
 763}
 764
 765/*
 766 * Given an audit_name check the inode hash table to see if they match.
 767 * Called holding the rcu read lock to protect the use of audit_inode_hash
 768 */
 769static int audit_filter_inode_name(struct task_struct *tsk,
 770				   struct audit_names *n,
 771				   struct audit_context *ctx) {
 772	int word, bit;
 773	int h = audit_hash_ino((u32)n->ino);
 774	struct list_head *list = &audit_inode_hash[h];
 775	struct audit_entry *e;
 776	enum audit_state state;
 777
 778	word = AUDIT_WORD(ctx->major);
 779	bit  = AUDIT_BIT(ctx->major);
 780
 781	if (list_empty(list))
 782		return 0;
 783
 784	list_for_each_entry_rcu(e, list, list) {
 785		if ((e->rule.mask[word] & bit) == bit &&
 786		    audit_filter_rules(tsk, &e->rule, ctx, n, &state, false)) {
 787			ctx->current_state = state;
 788			return 1;
 789		}
 790	}
 791
 792	return 0;
 793}
 794
 795/* At syscall exit time, this filter is called if any audit_names have been
 796 * collected during syscall processing.  We only check rules in sublists at hash
 797 * buckets applicable to the inode numbers in audit_names.
 798 * Regarding audit_state, same rules apply as for audit_filter_syscall().
 799 */
 800void audit_filter_inodes(struct task_struct *tsk, struct audit_context *ctx)
 801{
 802	struct audit_names *n;
 803
 804	if (audit_pid && tsk->tgid == audit_pid)
 805		return;
 806
 807	rcu_read_lock();
 808
 809	list_for_each_entry(n, &ctx->names_list, list) {
 810		if (audit_filter_inode_name(tsk, n, ctx))
 811			break;
 812	}
 813	rcu_read_unlock();
 814}
 815
 816/* Transfer the audit context pointer to the caller, clearing it in the tsk's struct */
 817static inline struct audit_context *audit_take_context(struct task_struct *tsk,
 818						      int return_valid,
 819						      long return_code)
 820{
 821	struct audit_context *context = tsk->audit_context;
 822
 823	if (!context)
 824		return NULL;
 825	context->return_valid = return_valid;
 826
 827	/*
 828	 * we need to fix up the return code in the audit logs if the actual
 829	 * return codes are later going to be fixed up by the arch specific
 830	 * signal handlers
 831	 *
 832	 * This is actually a test for:
 833	 * (rc == ERESTARTSYS ) || (rc == ERESTARTNOINTR) ||
 834	 * (rc == ERESTARTNOHAND) || (rc == ERESTART_RESTARTBLOCK)
 835	 *
 836	 * but is faster than a bunch of ||
 837	 */
 838	if (unlikely(return_code <= -ERESTARTSYS) &&
 839	    (return_code >= -ERESTART_RESTARTBLOCK) &&
 840	    (return_code != -ENOIOCTLCMD))
 841		context->return_code = -EINTR;
 842	else
 843		context->return_code  = return_code;
 844
 845	if (context->in_syscall && !context->dummy) {
 846		audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_EXIT]);
 847		audit_filter_inodes(tsk, context);
 848	}
 849
 850	tsk->audit_context = NULL;
 851	return context;
 852}
 853
 854static inline void audit_proctitle_free(struct audit_context *context)
 855{
 856	kfree(context->proctitle.value);
 857	context->proctitle.value = NULL;
 858	context->proctitle.len = 0;
 859}
 860
 861static inline void audit_free_names(struct audit_context *context)
 862{
 863	struct audit_names *n, *next;
 864
 865#if AUDIT_DEBUG == 2
 866	if (context->put_count + context->ino_count != context->name_count) {
 867		int i = 0;
 868
 869		pr_err("%s:%d(:%d): major=%d in_syscall=%d"
 870		       " name_count=%d put_count=%d ino_count=%d"
 871		       " [NOT freeing]\n", __FILE__, __LINE__,
 872		       context->serial, context->major, context->in_syscall,
 873		       context->name_count, context->put_count,
 874		       context->ino_count);
 875		list_for_each_entry(n, &context->names_list, list) {
 876			pr_err("names[%d] = %p = %s\n", i++, n->name,
 877			       n->name->name ?: "(null)");
 878		}
 879		dump_stack();
 880		return;
 881	}
 882#endif
 883#if AUDIT_DEBUG
 884	context->put_count  = 0;
 885	context->ino_count  = 0;
 886#endif
 887
 888	list_for_each_entry_safe(n, next, &context->names_list, list) {
 889		list_del(&n->list);
 890		if (n->name && n->name_put)
 891			final_putname(n->name);
 892		if (n->should_free)
 893			kfree(n);
 894	}
 895	context->name_count = 0;
 896	path_put(&context->pwd);
 897	context->pwd.dentry = NULL;
 898	context->pwd.mnt = NULL;
 899}
 900
 901static inline void audit_free_aux(struct audit_context *context)
 902{
 903	struct audit_aux_data *aux;
 904
 905	while ((aux = context->aux)) {
 906		context->aux = aux->next;
 907		kfree(aux);
 908	}
 909	while ((aux = context->aux_pids)) {
 910		context->aux_pids = aux->next;
 911		kfree(aux);
 912	}
 913}
 914
 915static inline struct audit_context *audit_alloc_context(enum audit_state state)
 916{
 917	struct audit_context *context;
 918
 919	context = kzalloc(sizeof(*context), GFP_KERNEL);
 920	if (!context)
 921		return NULL;
 922	context->state = state;
 923	context->prio = state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0;
 924	INIT_LIST_HEAD(&context->killed_trees);
 925	INIT_LIST_HEAD(&context->names_list);
 926	return context;
 927}
 928
 929/**
 930 * audit_alloc - allocate an audit context block for a task
 931 * @tsk: task
 932 *
 933 * Filter on the task information and allocate a per-task audit context
 934 * if necessary.  Doing so turns on system call auditing for the
 935 * specified task.  This is called from copy_process, so no lock is
 936 * needed.
 937 */
 938int audit_alloc(struct task_struct *tsk)
 939{
 940	struct audit_context *context;
 941	enum audit_state     state;
 942	char *key = NULL;
 943
 944	if (likely(!audit_ever_enabled))
 945		return 0; /* Return if not auditing. */
 946
 947	state = audit_filter_task(tsk, &key);
 948	if (state == AUDIT_DISABLED) {
 949		clear_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT);
 950		return 0;
 951	}
 952
 953	if (!(context = audit_alloc_context(state))) {
 954		kfree(key);
 955		audit_log_lost("out of memory in audit_alloc");
 956		return -ENOMEM;
 957	}
 958	context->filterkey = key;
 959
 960	tsk->audit_context  = context;
 961	set_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT);
 962	return 0;
 963}
 964
 965static inline void audit_free_context(struct audit_context *context)
 966{
 967	audit_free_names(context);
 968	unroll_tree_refs(context, NULL, 0);
 969	free_tree_refs(context);
 970	audit_free_aux(context);
 971	kfree(context->filterkey);
 972	kfree(context->sockaddr);
 973	audit_proctitle_free(context);
 974	kfree(context);
 975}
 976
 977static int audit_log_pid_context(struct audit_context *context, pid_t pid,
 978				 kuid_t auid, kuid_t uid, unsigned int sessionid,
 979				 u32 sid, char *comm)
 980{
 981	struct audit_buffer *ab;
 982	char *ctx = NULL;
 983	u32 len;
 984	int rc = 0;
 985
 986	ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID);
 987	if (!ab)
 988		return rc;
 989
 990	audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid,
 991			 from_kuid(&init_user_ns, auid),
 992			 from_kuid(&init_user_ns, uid), sessionid);
 993	if (sid) {
 994		if (security_secid_to_secctx(sid, &ctx, &len)) {
 995			audit_log_format(ab, " obj=(none)");
 996			rc = 1;
 997		} else {
 998			audit_log_format(ab, " obj=%s", ctx);
 999			security_release_secctx(ctx, len);
1000		}
1001	}
1002	audit_log_format(ab, " ocomm=");
1003	audit_log_untrustedstring(ab, comm);
1004	audit_log_end(ab);
1005
1006	return rc;
1007}
1008
1009/*
1010 * to_send and len_sent accounting are very loose estimates.  We aren't
1011 * really worried about a hard cap to MAX_EXECVE_AUDIT_LEN so much as being
1012 * within about 500 bytes (next page boundary)
1013 *
1014 * why snprintf?  an int is up to 12 digits long.  if we just assumed when
1015 * logging that a[%d]= was going to be 16 characters long we would be wasting
1016 * space in every audit message.  In one 7500 byte message we can log up to
1017 * about 1000 min size arguments.  That comes down to about 50% waste of space
1018 * if we didn't do the snprintf to find out how long arg_num_len was.
1019 */
1020static int audit_log_single_execve_arg(struct audit_context *context,
1021					struct audit_buffer **ab,
1022					int arg_num,
1023					size_t *len_sent,
1024					const char __user *p,
1025					char *buf)
1026{
1027	char arg_num_len_buf[12];
1028	const char __user *tmp_p = p;
1029	/* how many digits are in arg_num? 5 is the length of ' a=""' */
1030	size_t arg_num_len = snprintf(arg_num_len_buf, 12, "%d", arg_num) + 5;
1031	size_t len, len_left, to_send;
1032	size_t max_execve_audit_len = MAX_EXECVE_AUDIT_LEN;
1033	unsigned int i, has_cntl = 0, too_long = 0;
1034	int ret;
1035
1036	/* strnlen_user includes the null we don't want to send */
1037	len_left = len = strnlen_user(p, MAX_ARG_STRLEN) - 1;
1038
1039	/*
1040	 * We just created this mm, if we can't find the strings
1041	 * we just copied into it something is _very_ wrong. Similar
1042	 * for strings that are too long, we should not have created
1043	 * any.
1044	 */
1045	if (unlikely((len == -1) || len > MAX_ARG_STRLEN - 1)) {
1046		WARN_ON(1);
1047		send_sig(SIGKILL, current, 0);
1048		return -1;
 
 
 
 
 
 
 
1049	}
 
1050
1051	/* walk the whole argument looking for non-ascii chars */
1052	do {
1053		if (len_left > MAX_EXECVE_AUDIT_LEN)
1054			to_send = MAX_EXECVE_AUDIT_LEN;
1055		else
1056			to_send = len_left;
1057		ret = copy_from_user(buf, tmp_p, to_send);
1058		/*
1059		 * There is no reason for this copy to be short. We just
1060		 * copied them here, and the mm hasn't been exposed to user-
1061		 * space yet.
1062		 */
1063		if (ret) {
1064			WARN_ON(1);
1065			send_sig(SIGKILL, current, 0);
1066			return -1;
1067		}
1068		buf[to_send] = '\0';
1069		has_cntl = audit_string_contains_control(buf, to_send);
1070		if (has_cntl) {
1071			/*
1072			 * hex messages get logged as 2 bytes, so we can only
1073			 * send half as much in each message
1074			 */
1075			max_execve_audit_len = MAX_EXECVE_AUDIT_LEN / 2;
1076			break;
1077		}
1078		len_left -= to_send;
1079		tmp_p += to_send;
1080	} while (len_left > 0);
1081
1082	len_left = len;
1083
1084	if (len > max_execve_audit_len)
1085		too_long = 1;
1086
1087	/* rewalk the argument actually logging the message */
1088	for (i = 0; len_left > 0; i++) {
1089		int room_left;
1090
1091		if (len_left > max_execve_audit_len)
1092			to_send = max_execve_audit_len;
1093		else
1094			to_send = len_left;
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1095
1096		/* do we have space left to send this argument in this ab? */
1097		room_left = MAX_EXECVE_AUDIT_LEN - arg_num_len - *len_sent;
1098		if (has_cntl)
1099			room_left -= (to_send * 2);
1100		else
1101			room_left -= to_send;
1102		if (room_left < 0) {
1103			*len_sent = 0;
1104			audit_log_end(*ab);
1105			*ab = audit_log_start(context, GFP_KERNEL, AUDIT_EXECVE);
1106			if (!*ab)
1107				return 0;
1108		}
1109
1110		/*
1111		 * first record needs to say how long the original string was
1112		 * so we can be sure nothing was lost.
1113		 */
1114		if ((i == 0) && (too_long))
1115			audit_log_format(*ab, " a%d_len=%zu", arg_num,
1116					 has_cntl ? 2*len : len);
1117
1118		/*
1119		 * normally arguments are small enough to fit and we already
1120		 * filled buf above when we checked for control characters
1121		 * so don't bother with another copy_from_user
1122		 */
1123		if (len >= max_execve_audit_len)
1124			ret = copy_from_user(buf, p, to_send);
1125		else
1126			ret = 0;
1127		if (ret) {
1128			WARN_ON(1);
1129			send_sig(SIGKILL, current, 0);
1130			return -1;
1131		}
1132		buf[to_send] = '\0';
1133
1134		/* actually log it */
1135		audit_log_format(*ab, " a%d", arg_num);
1136		if (too_long)
1137			audit_log_format(*ab, "[%d]", i);
1138		audit_log_format(*ab, "=");
1139		if (has_cntl)
1140			audit_log_n_hex(*ab, buf, to_send);
1141		else
1142			audit_log_string(*ab, buf);
1143
1144		p += to_send;
1145		len_left -= to_send;
1146		*len_sent += arg_num_len;
1147		if (has_cntl)
1148			*len_sent += to_send * 2;
1149		else
1150			*len_sent += to_send;
1151	}
1152	/* include the null we didn't log */
1153	return len + 1;
1154}
1155
1156static void audit_log_execve_info(struct audit_context *context,
1157				  struct audit_buffer **ab)
1158{
1159	int i, len;
1160	size_t len_sent = 0;
1161	const char __user *p;
1162	char *buf;
 
 
 
 
 
 
 
1163
1164	p = (const char __user *)current->mm->arg_start;
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1165
1166	audit_log_format(*ab, "argc=%d", context->execve.argc);
 
 
 
 
 
 
 
 
1167
1168	/*
1169	 * we need some kernel buffer to hold the userspace args.  Just
1170	 * allocate one big one rather than allocating one of the right size
1171	 * for every single argument inside audit_log_single_execve_arg()
1172	 * should be <8k allocation so should be pretty safe.
1173	 */
1174	buf = kmalloc(MAX_EXECVE_AUDIT_LEN + 1, GFP_KERNEL);
1175	if (!buf) {
1176		audit_panic("out of memory for argv string");
1177		return;
1178	}
1179
1180	for (i = 0; i < context->execve.argc; i++) {
1181		len = audit_log_single_execve_arg(context, ab, i,
1182						  &len_sent, p, buf);
1183		if (len <= 0)
1184			break;
1185		p += len;
1186	}
1187	kfree(buf);
1188}
1189
1190static void show_special(struct audit_context *context, int *call_panic)
1191{
1192	struct audit_buffer *ab;
1193	int i;
1194
1195	ab = audit_log_start(context, GFP_KERNEL, context->type);
1196	if (!ab)
1197		return;
1198
1199	switch (context->type) {
1200	case AUDIT_SOCKETCALL: {
1201		int nargs = context->socketcall.nargs;
1202		audit_log_format(ab, "nargs=%d", nargs);
1203		for (i = 0; i < nargs; i++)
1204			audit_log_format(ab, " a%d=%lx", i,
1205				context->socketcall.args[i]);
1206		break; }
1207	case AUDIT_IPC: {
1208		u32 osid = context->ipc.osid;
1209
1210		audit_log_format(ab, "ouid=%u ogid=%u mode=%#ho",
1211				 from_kuid(&init_user_ns, context->ipc.uid),
1212				 from_kgid(&init_user_ns, context->ipc.gid),
1213				 context->ipc.mode);
1214		if (osid) {
1215			char *ctx = NULL;
1216			u32 len;
1217			if (security_secid_to_secctx(osid, &ctx, &len)) {
1218				audit_log_format(ab, " osid=%u", osid);
1219				*call_panic = 1;
1220			} else {
1221				audit_log_format(ab, " obj=%s", ctx);
1222				security_release_secctx(ctx, len);
1223			}
1224		}
1225		if (context->ipc.has_perm) {
1226			audit_log_end(ab);
1227			ab = audit_log_start(context, GFP_KERNEL,
1228					     AUDIT_IPC_SET_PERM);
1229			if (unlikely(!ab))
1230				return;
1231			audit_log_format(ab,
1232				"qbytes=%lx ouid=%u ogid=%u mode=%#ho",
1233				context->ipc.qbytes,
1234				context->ipc.perm_uid,
1235				context->ipc.perm_gid,
1236				context->ipc.perm_mode);
1237		}
1238		break; }
1239	case AUDIT_MQ_OPEN: {
1240		audit_log_format(ab,
1241			"oflag=0x%x mode=%#ho mq_flags=0x%lx mq_maxmsg=%ld "
1242			"mq_msgsize=%ld mq_curmsgs=%ld",
1243			context->mq_open.oflag, context->mq_open.mode,
1244			context->mq_open.attr.mq_flags,
1245			context->mq_open.attr.mq_maxmsg,
1246			context->mq_open.attr.mq_msgsize,
1247			context->mq_open.attr.mq_curmsgs);
1248		break; }
1249	case AUDIT_MQ_SENDRECV: {
1250		audit_log_format(ab,
1251			"mqdes=%d msg_len=%zd msg_prio=%u "
1252			"abs_timeout_sec=%ld abs_timeout_nsec=%ld",
1253			context->mq_sendrecv.mqdes,
1254			context->mq_sendrecv.msg_len,
1255			context->mq_sendrecv.msg_prio,
1256			context->mq_sendrecv.abs_timeout.tv_sec,
1257			context->mq_sendrecv.abs_timeout.tv_nsec);
1258		break; }
1259	case AUDIT_MQ_NOTIFY: {
1260		audit_log_format(ab, "mqdes=%d sigev_signo=%d",
1261				context->mq_notify.mqdes,
1262				context->mq_notify.sigev_signo);
1263		break; }
1264	case AUDIT_MQ_GETSETATTR: {
1265		struct mq_attr *attr = &context->mq_getsetattr.mqstat;
1266		audit_log_format(ab,
1267			"mqdes=%d mq_flags=0x%lx mq_maxmsg=%ld mq_msgsize=%ld "
1268			"mq_curmsgs=%ld ",
1269			context->mq_getsetattr.mqdes,
1270			attr->mq_flags, attr->mq_maxmsg,
1271			attr->mq_msgsize, attr->mq_curmsgs);
1272		break; }
1273	case AUDIT_CAPSET: {
1274		audit_log_format(ab, "pid=%d", context->capset.pid);
1275		audit_log_cap(ab, "cap_pi", &context->capset.cap.inheritable);
1276		audit_log_cap(ab, "cap_pp", &context->capset.cap.permitted);
1277		audit_log_cap(ab, "cap_pe", &context->capset.cap.effective);
1278		break; }
1279	case AUDIT_MMAP: {
 
1280		audit_log_format(ab, "fd=%d flags=0x%x", context->mmap.fd,
1281				 context->mmap.flags);
1282		break; }
1283	case AUDIT_EXECVE: {
1284		audit_log_execve_info(context, &ab);
1285		break; }
 
 
 
 
 
1286	}
1287	audit_log_end(ab);
1288}
1289
1290static inline int audit_proctitle_rtrim(char *proctitle, int len)
1291{
1292	char *end = proctitle + len - 1;
1293	while (end > proctitle && !isprint(*end))
1294		end--;
1295
1296	/* catch the case where proctitle is only 1 non-print character */
1297	len = end - proctitle + 1;
1298	len -= isprint(proctitle[len-1]) == 0;
1299	return len;
1300}
1301
1302static void audit_log_proctitle(struct task_struct *tsk,
1303			 struct audit_context *context)
1304{
1305	int res;
1306	char *buf;
1307	char *msg = "(null)";
1308	int len = strlen(msg);
1309	struct audit_buffer *ab;
1310
1311	ab = audit_log_start(context, GFP_KERNEL, AUDIT_PROCTITLE);
1312	if (!ab)
1313		return;	/* audit_panic or being filtered */
1314
1315	audit_log_format(ab, "proctitle=");
1316
1317	/* Not  cached */
1318	if (!context->proctitle.value) {
1319		buf = kmalloc(MAX_PROCTITLE_AUDIT_LEN, GFP_KERNEL);
1320		if (!buf)
1321			goto out;
1322		/* Historically called this from procfs naming */
1323		res = get_cmdline(tsk, buf, MAX_PROCTITLE_AUDIT_LEN);
1324		if (res == 0) {
1325			kfree(buf);
1326			goto out;
1327		}
1328		res = audit_proctitle_rtrim(buf, res);
1329		if (res == 0) {
1330			kfree(buf);
1331			goto out;
1332		}
1333		context->proctitle.value = buf;
1334		context->proctitle.len = res;
1335	}
1336	msg = context->proctitle.value;
1337	len = context->proctitle.len;
1338out:
1339	audit_log_n_untrustedstring(ab, msg, len);
1340	audit_log_end(ab);
1341}
1342
1343static void audit_log_exit(struct audit_context *context, struct task_struct *tsk)
1344{
1345	int i, call_panic = 0;
1346	struct audit_buffer *ab;
1347	struct audit_aux_data *aux;
1348	struct audit_names *n;
1349
1350	/* tsk == current */
1351	context->personality = tsk->personality;
1352
1353	ab = audit_log_start(context, GFP_KERNEL, AUDIT_SYSCALL);
1354	if (!ab)
1355		return;		/* audit_panic has been called */
1356	audit_log_format(ab, "arch=%x syscall=%d",
1357			 context->arch, context->major);
1358	if (context->personality != PER_LINUX)
1359		audit_log_format(ab, " per=%lx", context->personality);
1360	if (context->return_valid)
1361		audit_log_format(ab, " success=%s exit=%ld",
1362				 (context->return_valid==AUDITSC_SUCCESS)?"yes":"no",
1363				 context->return_code);
1364
1365	audit_log_format(ab,
1366			 " a0=%lx a1=%lx a2=%lx a3=%lx items=%d",
1367			 context->argv[0],
1368			 context->argv[1],
1369			 context->argv[2],
1370			 context->argv[3],
1371			 context->name_count);
1372
1373	audit_log_task_info(ab, tsk);
1374	audit_log_key(ab, context->filterkey);
1375	audit_log_end(ab);
1376
1377	for (aux = context->aux; aux; aux = aux->next) {
1378
1379		ab = audit_log_start(context, GFP_KERNEL, aux->type);
1380		if (!ab)
1381			continue; /* audit_panic has been called */
1382
1383		switch (aux->type) {
1384
1385		case AUDIT_BPRM_FCAPS: {
1386			struct audit_aux_data_bprm_fcaps *axs = (void *)aux;
1387			audit_log_format(ab, "fver=%x", axs->fcap_ver);
1388			audit_log_cap(ab, "fp", &axs->fcap.permitted);
1389			audit_log_cap(ab, "fi", &axs->fcap.inheritable);
1390			audit_log_format(ab, " fe=%d", axs->fcap.fE);
1391			audit_log_cap(ab, "old_pp", &axs->old_pcap.permitted);
1392			audit_log_cap(ab, "old_pi", &axs->old_pcap.inheritable);
1393			audit_log_cap(ab, "old_pe", &axs->old_pcap.effective);
1394			audit_log_cap(ab, "new_pp", &axs->new_pcap.permitted);
1395			audit_log_cap(ab, "new_pi", &axs->new_pcap.inheritable);
1396			audit_log_cap(ab, "new_pe", &axs->new_pcap.effective);
 
 
1397			break; }
1398
1399		}
1400		audit_log_end(ab);
1401	}
1402
1403	if (context->type)
1404		show_special(context, &call_panic);
1405
1406	if (context->fds[0] >= 0) {
1407		ab = audit_log_start(context, GFP_KERNEL, AUDIT_FD_PAIR);
1408		if (ab) {
1409			audit_log_format(ab, "fd0=%d fd1=%d",
1410					context->fds[0], context->fds[1]);
1411			audit_log_end(ab);
1412		}
1413	}
1414
1415	if (context->sockaddr_len) {
1416		ab = audit_log_start(context, GFP_KERNEL, AUDIT_SOCKADDR);
1417		if (ab) {
1418			audit_log_format(ab, "saddr=");
1419			audit_log_n_hex(ab, (void *)context->sockaddr,
1420					context->sockaddr_len);
1421			audit_log_end(ab);
1422		}
1423	}
1424
1425	for (aux = context->aux_pids; aux; aux = aux->next) {
1426		struct audit_aux_data_pids *axs = (void *)aux;
1427
1428		for (i = 0; i < axs->pid_count; i++)
1429			if (audit_log_pid_context(context, axs->target_pid[i],
1430						  axs->target_auid[i],
1431						  axs->target_uid[i],
1432						  axs->target_sessionid[i],
1433						  axs->target_sid[i],
1434						  axs->target_comm[i]))
1435				call_panic = 1;
1436	}
1437
1438	if (context->target_pid &&
1439	    audit_log_pid_context(context, context->target_pid,
1440				  context->target_auid, context->target_uid,
1441				  context->target_sessionid,
1442				  context->target_sid, context->target_comm))
1443			call_panic = 1;
1444
1445	if (context->pwd.dentry && context->pwd.mnt) {
1446		ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD);
1447		if (ab) {
1448			audit_log_d_path(ab, " cwd=", &context->pwd);
1449			audit_log_end(ab);
1450		}
1451	}
1452
1453	i = 0;
1454	list_for_each_entry(n, &context->names_list, list) {
1455		if (n->hidden)
1456			continue;
1457		audit_log_name(context, n, NULL, i++, &call_panic);
1458	}
1459
1460	audit_log_proctitle(tsk, context);
1461
1462	/* Send end of event record to help user space know we are finished */
1463	ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE);
1464	if (ab)
1465		audit_log_end(ab);
1466	if (call_panic)
1467		audit_panic("error converting sid to string");
1468}
1469
1470/**
1471 * audit_free - free a per-task audit context
1472 * @tsk: task whose audit context block to free
1473 *
1474 * Called from copy_process and do_exit
1475 */
1476void __audit_free(struct task_struct *tsk)
1477{
1478	struct audit_context *context;
1479
1480	context = audit_take_context(tsk, 0, 0);
1481	if (!context)
1482		return;
1483
1484	/* Check for system calls that do not go through the exit
1485	 * function (e.g., exit_group), then free context block.
1486	 * We use GFP_ATOMIC here because we might be doing this
1487	 * in the context of the idle thread */
1488	/* that can happen only if we are called from do_exit() */
1489	if (context->in_syscall && context->current_state == AUDIT_RECORD_CONTEXT)
1490		audit_log_exit(context, tsk);
1491	if (!list_empty(&context->killed_trees))
1492		audit_kill_trees(&context->killed_trees);
1493
1494	audit_free_context(context);
1495}
1496
1497/**
1498 * audit_syscall_entry - fill in an audit record at syscall entry
1499 * @arch: architecture type
1500 * @major: major syscall type (function)
1501 * @a1: additional syscall register 1
1502 * @a2: additional syscall register 2
1503 * @a3: additional syscall register 3
1504 * @a4: additional syscall register 4
1505 *
1506 * Fill in audit context at syscall entry.  This only happens if the
1507 * audit context was created when the task was created and the state or
1508 * filters demand the audit context be built.  If the state from the
1509 * per-task filter or from the per-syscall filter is AUDIT_RECORD_CONTEXT,
1510 * then the record will be written at syscall exit time (otherwise, it
1511 * will only be written if another part of the kernel requests that it
1512 * be written).
1513 */
1514void __audit_syscall_entry(int arch, int major,
1515			 unsigned long a1, unsigned long a2,
1516			 unsigned long a3, unsigned long a4)
1517{
1518	struct task_struct *tsk = current;
1519	struct audit_context *context = tsk->audit_context;
1520	enum audit_state     state;
1521
1522	if (!context)
1523		return;
1524
1525	BUG_ON(context->in_syscall || context->name_count);
1526
1527	if (!audit_enabled)
 
1528		return;
1529
1530	context->arch	    = arch;
1531	context->major      = major;
1532	context->argv[0]    = a1;
1533	context->argv[1]    = a2;
1534	context->argv[2]    = a3;
1535	context->argv[3]    = a4;
1536
1537	state = context->state;
1538	context->dummy = !audit_n_rules;
1539	if (!context->dummy && state == AUDIT_BUILD_CONTEXT) {
1540		context->prio = 0;
1541		state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_ENTRY]);
 
1542	}
1543	if (state == AUDIT_DISABLED)
1544		return;
1545
 
 
 
 
 
 
1546	context->serial     = 0;
1547	context->ctime      = CURRENT_TIME;
1548	context->in_syscall = 1;
1549	context->current_state  = state;
1550	context->ppid       = 0;
1551}
1552
1553/**
1554 * audit_syscall_exit - deallocate audit context after a system call
1555 * @success: success value of the syscall
1556 * @return_code: return value of the syscall
1557 *
1558 * Tear down after system call.  If the audit context has been marked as
1559 * auditable (either because of the AUDIT_RECORD_CONTEXT state from
1560 * filtering, or because some other part of the kernel wrote an audit
1561 * message), then write out the syscall information.  In call cases,
1562 * free the names stored from getname().
1563 */
1564void __audit_syscall_exit(int success, long return_code)
1565{
1566	struct task_struct *tsk = current;
1567	struct audit_context *context;
1568
1569	if (success)
1570		success = AUDITSC_SUCCESS;
1571	else
1572		success = AUDITSC_FAILURE;
1573
1574	context = audit_take_context(tsk, success, return_code);
1575	if (!context)
1576		return;
1577
1578	if (context->in_syscall && context->current_state == AUDIT_RECORD_CONTEXT)
1579		audit_log_exit(context, tsk);
1580
1581	context->in_syscall = 0;
1582	context->prio = context->state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0;
1583
1584	if (!list_empty(&context->killed_trees))
1585		audit_kill_trees(&context->killed_trees);
1586
1587	audit_free_names(context);
1588	unroll_tree_refs(context, NULL, 0);
1589	audit_free_aux(context);
1590	context->aux = NULL;
1591	context->aux_pids = NULL;
1592	context->target_pid = 0;
1593	context->target_sid = 0;
1594	context->sockaddr_len = 0;
1595	context->type = 0;
1596	context->fds[0] = -1;
1597	if (context->state != AUDIT_RECORD_CONTEXT) {
1598		kfree(context->filterkey);
1599		context->filterkey = NULL;
1600	}
1601	tsk->audit_context = context;
1602}
1603
1604static inline void handle_one(const struct inode *inode)
1605{
1606#ifdef CONFIG_AUDIT_TREE
1607	struct audit_context *context;
1608	struct audit_tree_refs *p;
1609	struct audit_chunk *chunk;
1610	int count;
1611	if (likely(hlist_empty(&inode->i_fsnotify_marks)))
1612		return;
1613	context = current->audit_context;
1614	p = context->trees;
1615	count = context->tree_count;
1616	rcu_read_lock();
1617	chunk = audit_tree_lookup(inode);
1618	rcu_read_unlock();
1619	if (!chunk)
1620		return;
1621	if (likely(put_tree_ref(context, chunk)))
1622		return;
1623	if (unlikely(!grow_tree_refs(context))) {
1624		pr_warn("out of memory, audit has lost a tree reference\n");
1625		audit_set_auditable(context);
1626		audit_put_chunk(chunk);
1627		unroll_tree_refs(context, p, count);
1628		return;
1629	}
1630	put_tree_ref(context, chunk);
1631#endif
1632}
1633
1634static void handle_path(const struct dentry *dentry)
1635{
1636#ifdef CONFIG_AUDIT_TREE
1637	struct audit_context *context;
1638	struct audit_tree_refs *p;
1639	const struct dentry *d, *parent;
1640	struct audit_chunk *drop;
1641	unsigned long seq;
1642	int count;
1643
1644	context = current->audit_context;
1645	p = context->trees;
1646	count = context->tree_count;
1647retry:
1648	drop = NULL;
1649	d = dentry;
1650	rcu_read_lock();
1651	seq = read_seqbegin(&rename_lock);
1652	for(;;) {
1653		struct inode *inode = d->d_inode;
1654		if (inode && unlikely(!hlist_empty(&inode->i_fsnotify_marks))) {
1655			struct audit_chunk *chunk;
1656			chunk = audit_tree_lookup(inode);
1657			if (chunk) {
1658				if (unlikely(!put_tree_ref(context, chunk))) {
1659					drop = chunk;
1660					break;
1661				}
1662			}
1663		}
1664		parent = d->d_parent;
1665		if (parent == d)
1666			break;
1667		d = parent;
1668	}
1669	if (unlikely(read_seqretry(&rename_lock, seq) || drop)) {  /* in this order */
1670		rcu_read_unlock();
1671		if (!drop) {
1672			/* just a race with rename */
1673			unroll_tree_refs(context, p, count);
1674			goto retry;
1675		}
1676		audit_put_chunk(drop);
1677		if (grow_tree_refs(context)) {
1678			/* OK, got more space */
1679			unroll_tree_refs(context, p, count);
1680			goto retry;
1681		}
1682		/* too bad */
1683		pr_warn("out of memory, audit has lost a tree reference\n");
1684		unroll_tree_refs(context, p, count);
1685		audit_set_auditable(context);
1686		return;
1687	}
1688	rcu_read_unlock();
1689#endif
1690}
1691
1692static struct audit_names *audit_alloc_name(struct audit_context *context,
1693						unsigned char type)
1694{
1695	struct audit_names *aname;
1696
1697	if (context->name_count < AUDIT_NAMES) {
1698		aname = &context->preallocated_names[context->name_count];
1699		memset(aname, 0, sizeof(*aname));
1700	} else {
1701		aname = kzalloc(sizeof(*aname), GFP_NOFS);
1702		if (!aname)
1703			return NULL;
1704		aname->should_free = true;
1705	}
1706
1707	aname->ino = (unsigned long)-1;
1708	aname->type = type;
1709	list_add_tail(&aname->list, &context->names_list);
1710
1711	context->name_count++;
1712#if AUDIT_DEBUG
1713	context->ino_count++;
1714#endif
1715	return aname;
1716}
1717
1718/**
1719 * audit_reusename - fill out filename with info from existing entry
1720 * @uptr: userland ptr to pathname
1721 *
1722 * Search the audit_names list for the current audit context. If there is an
1723 * existing entry with a matching "uptr" then return the filename
1724 * associated with that audit_name. If not, return NULL.
1725 */
1726struct filename *
1727__audit_reusename(const __user char *uptr)
1728{
1729	struct audit_context *context = current->audit_context;
1730	struct audit_names *n;
1731
1732	list_for_each_entry(n, &context->names_list, list) {
1733		if (!n->name)
1734			continue;
1735		if (n->name->uptr == uptr)
 
1736			return n->name;
 
1737	}
1738	return NULL;
1739}
1740
1741/**
1742 * audit_getname - add a name to the list
1743 * @name: name to add
1744 *
1745 * Add a name to the list of audit names for this context.
1746 * Called from fs/namei.c:getname().
1747 */
1748void __audit_getname(struct filename *name)
1749{
1750	struct audit_context *context = current->audit_context;
1751	struct audit_names *n;
1752
1753	if (!context->in_syscall) {
1754#if AUDIT_DEBUG == 2
1755		pr_err("%s:%d(:%d): ignoring getname(%p)\n",
1756		       __FILE__, __LINE__, context->serial, name);
1757		dump_stack();
1758#endif
1759		return;
1760	}
1761
1762#if AUDIT_DEBUG
1763	/* The filename _must_ have a populated ->name */
1764	BUG_ON(!name->name);
1765#endif
1766
1767	n = audit_alloc_name(context, AUDIT_TYPE_UNKNOWN);
1768	if (!n)
1769		return;
1770
1771	n->name = name;
1772	n->name_len = AUDIT_NAME_FULL;
1773	n->name_put = true;
1774	name->aname = n;
 
1775
1776	if (!context->pwd.dentry)
1777		get_fs_pwd(current->fs, &context->pwd);
1778}
1779
1780/* audit_putname - intercept a putname request
1781 * @name: name to intercept and delay for putname
1782 *
1783 * If we have stored the name from getname in the audit context,
1784 * then we delay the putname until syscall exit.
1785 * Called from include/linux/fs.h:putname().
1786 */
1787void audit_putname(struct filename *name)
1788{
1789	struct audit_context *context = current->audit_context;
1790
1791	BUG_ON(!context);
1792	if (!name->aname || !context->in_syscall) {
1793#if AUDIT_DEBUG == 2
1794		pr_err("%s:%d(:%d): final_putname(%p)\n",
1795		       __FILE__, __LINE__, context->serial, name);
1796		if (context->name_count) {
1797			struct audit_names *n;
1798			int i = 0;
1799
1800			list_for_each_entry(n, &context->names_list, list)
1801				pr_err("name[%d] = %p = %s\n", i++, n->name,
1802				       n->name->name ?: "(null)");
1803			}
1804#endif
1805		final_putname(name);
1806	}
1807#if AUDIT_DEBUG
1808	else {
1809		++context->put_count;
1810		if (context->put_count > context->name_count) {
1811			pr_err("%s:%d(:%d): major=%d in_syscall=%d putname(%p)"
1812			       " name_count=%d put_count=%d\n",
1813			       __FILE__, __LINE__,
1814			       context->serial, context->major,
1815			       context->in_syscall, name->name,
1816			       context->name_count, context->put_count);
1817			dump_stack();
1818		}
1819	}
1820#endif
1821}
1822
1823/**
1824 * __audit_inode - store the inode and device from a lookup
1825 * @name: name being audited
1826 * @dentry: dentry being audited
1827 * @flags: attributes for this particular entry
1828 */
1829void __audit_inode(struct filename *name, const struct dentry *dentry,
1830		   unsigned int flags)
1831{
1832	struct audit_context *context = current->audit_context;
1833	const struct inode *inode = dentry->d_inode;
1834	struct audit_names *n;
1835	bool parent = flags & AUDIT_INODE_PARENT;
1836
1837	if (!context->in_syscall)
1838		return;
1839
1840	if (!name)
1841		goto out_alloc;
1842
1843#if AUDIT_DEBUG
1844	/* The struct filename _must_ have a populated ->name */
1845	BUG_ON(!name->name);
1846#endif
1847	/*
1848	 * If we have a pointer to an audit_names entry already, then we can
1849	 * just use it directly if the type is correct.
1850	 */
1851	n = name->aname;
1852	if (n) {
1853		if (parent) {
1854			if (n->type == AUDIT_TYPE_PARENT ||
1855			    n->type == AUDIT_TYPE_UNKNOWN)
1856				goto out;
1857		} else {
1858			if (n->type != AUDIT_TYPE_PARENT)
1859				goto out;
1860		}
1861	}
1862
1863	list_for_each_entry_reverse(n, &context->names_list, list) {
1864		/* does the name pointer match? */
1865		if (!n->name || n->name->name != name->name)
 
 
 
 
 
 
 
 
 
1866			continue;
1867
1868		/* match the correct record type */
1869		if (parent) {
1870			if (n->type == AUDIT_TYPE_PARENT ||
1871			    n->type == AUDIT_TYPE_UNKNOWN)
1872				goto out;
1873		} else {
1874			if (n->type != AUDIT_TYPE_PARENT)
1875				goto out;
1876		}
1877	}
1878
1879out_alloc:
1880	/* unable to find the name from a previous getname(). Allocate a new
1881	 * anonymous entry.
1882	 */
1883	n = audit_alloc_name(context, AUDIT_TYPE_NORMAL);
1884	if (!n)
1885		return;
 
 
 
 
 
1886out:
1887	if (parent) {
1888		n->name_len = n->name ? parent_len(n->name->name) : AUDIT_NAME_FULL;
1889		n->type = AUDIT_TYPE_PARENT;
1890		if (flags & AUDIT_INODE_HIDDEN)
1891			n->hidden = true;
1892	} else {
1893		n->name_len = AUDIT_NAME_FULL;
1894		n->type = AUDIT_TYPE_NORMAL;
1895	}
1896	handle_path(dentry);
1897	audit_copy_inode(n, dentry, inode);
1898}
1899
 
 
 
 
 
1900/**
1901 * __audit_inode_child - collect inode info for created/removed objects
1902 * @parent: inode of dentry parent
1903 * @dentry: dentry being audited
1904 * @type:   AUDIT_TYPE_* value that we're looking for
1905 *
1906 * For syscalls that create or remove filesystem objects, audit_inode
1907 * can only collect information for the filesystem object's parent.
1908 * This call updates the audit context with the child's information.
1909 * Syscalls that create a new filesystem object must be hooked after
1910 * the object is created.  Syscalls that remove a filesystem object
1911 * must be hooked prior, in order to capture the target inode during
1912 * unsuccessful attempts.
1913 */
1914void __audit_inode_child(const struct inode *parent,
1915			 const struct dentry *dentry,
1916			 const unsigned char type)
1917{
1918	struct audit_context *context = current->audit_context;
1919	const struct inode *inode = dentry->d_inode;
1920	const char *dname = dentry->d_name.name;
1921	struct audit_names *n, *found_parent = NULL, *found_child = NULL;
 
 
 
1922
1923	if (!context->in_syscall)
1924		return;
1925
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1926	if (inode)
1927		handle_one(inode);
1928
1929	/* look for a parent entry first */
1930	list_for_each_entry(n, &context->names_list, list) {
1931		if (!n->name || n->type != AUDIT_TYPE_PARENT)
 
 
1932			continue;
1933
1934		if (n->ino == parent->i_ino &&
1935		    !audit_compare_dname_path(dname, n->name->name, n->name_len)) {
 
 
 
1936			found_parent = n;
1937			break;
1938		}
1939	}
1940
1941	/* is there a matching child entry? */
1942	list_for_each_entry(n, &context->names_list, list) {
1943		/* can only match entries that have a name */
1944		if (!n->name || n->type != type)
1945			continue;
1946
1947		/* if we found a parent, make sure this one is a child of it */
1948		if (found_parent && (n->name != found_parent->name))
1949			continue;
1950
1951		if (!strcmp(dname, n->name->name) ||
1952		    !audit_compare_dname_path(dname, n->name->name,
1953						found_parent ?
1954						found_parent->name_len :
1955						AUDIT_NAME_FULL)) {
 
 
1956			found_child = n;
1957			break;
1958		}
1959	}
1960
1961	if (!found_parent) {
1962		/* create a new, "anonymous" parent record */
1963		n = audit_alloc_name(context, AUDIT_TYPE_PARENT);
1964		if (!n)
1965			return;
1966		audit_copy_inode(n, NULL, parent);
1967	}
1968
1969	if (!found_child) {
1970		found_child = audit_alloc_name(context, type);
1971		if (!found_child)
1972			return;
1973
1974		/* Re-use the name belonging to the slot for a matching parent
1975		 * directory. All names for this context are relinquished in
1976		 * audit_free_names() */
1977		if (found_parent) {
1978			found_child->name = found_parent->name;
1979			found_child->name_len = AUDIT_NAME_FULL;
1980			/* don't call __putname() */
1981			found_child->name_put = false;
1982		}
1983	}
 
1984	if (inode)
1985		audit_copy_inode(found_child, dentry, inode);
1986	else
1987		found_child->ino = (unsigned long)-1;
1988}
1989EXPORT_SYMBOL_GPL(__audit_inode_child);
1990
1991/**
1992 * auditsc_get_stamp - get local copies of audit_context values
1993 * @ctx: audit_context for the task
1994 * @t: timespec to store time recorded in the audit_context
1995 * @serial: serial value that is recorded in the audit_context
1996 *
1997 * Also sets the context as auditable.
1998 */
1999int auditsc_get_stamp(struct audit_context *ctx,
2000		       struct timespec *t, unsigned int *serial)
2001{
2002	if (!ctx->in_syscall)
2003		return 0;
2004	if (!ctx->serial)
2005		ctx->serial = audit_serial();
2006	t->tv_sec  = ctx->ctime.tv_sec;
2007	t->tv_nsec = ctx->ctime.tv_nsec;
2008	*serial    = ctx->serial;
2009	if (!ctx->prio) {
2010		ctx->prio = 1;
2011		ctx->current_state = AUDIT_RECORD_CONTEXT;
2012	}
2013	return 1;
2014}
2015
2016/* global counter which is incremented every time something logs in */
2017static atomic_t session_id = ATOMIC_INIT(0);
2018
2019static int audit_set_loginuid_perm(kuid_t loginuid)
2020{
2021	/* if we are unset, we don't need privs */
2022	if (!audit_loginuid_set(current))
2023		return 0;
2024	/* if AUDIT_FEATURE_LOGINUID_IMMUTABLE means never ever allow a change*/
2025	if (is_audit_feature_set(AUDIT_FEATURE_LOGINUID_IMMUTABLE))
2026		return -EPERM;
2027	/* it is set, you need permission */
2028	if (!capable(CAP_AUDIT_CONTROL))
2029		return -EPERM;
2030	/* reject if this is not an unset and we don't allow that */
2031	if (is_audit_feature_set(AUDIT_FEATURE_ONLY_UNSET_LOGINUID) && uid_valid(loginuid))
2032		return -EPERM;
2033	return 0;
2034}
2035
2036static void audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid,
2037				   unsigned int oldsessionid, unsigned int sessionid,
2038				   int rc)
2039{
2040	struct audit_buffer *ab;
2041	uid_t uid, oldloginuid, loginuid;
 
2042
2043	if (!audit_enabled)
2044		return;
2045
 
 
 
 
2046	uid = from_kuid(&init_user_ns, task_uid(current));
2047	oldloginuid = from_kuid(&init_user_ns, koldloginuid);
2048	loginuid = from_kuid(&init_user_ns, kloginuid),
 
2049
2050	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN);
2051	if (!ab)
2052		return;
2053	audit_log_format(ab, "pid=%d uid=%u", task_pid_nr(current), uid);
2054	audit_log_task_context(ab);
2055	audit_log_format(ab, " old-auid=%u auid=%u old-ses=%u ses=%u res=%d",
2056			 oldloginuid, loginuid, oldsessionid, sessionid, !rc);
 
 
2057	audit_log_end(ab);
2058}
2059
2060/**
2061 * audit_set_loginuid - set current task's audit_context loginuid
2062 * @loginuid: loginuid value
2063 *
2064 * Returns 0.
2065 *
2066 * Called (set) from fs/proc/base.c::proc_loginuid_write().
2067 */
2068int audit_set_loginuid(kuid_t loginuid)
2069{
2070	struct task_struct *task = current;
2071	unsigned int oldsessionid, sessionid = (unsigned int)-1;
2072	kuid_t oldloginuid;
2073	int rc;
2074
2075	oldloginuid = audit_get_loginuid(current);
2076	oldsessionid = audit_get_sessionid(current);
2077
2078	rc = audit_set_loginuid_perm(loginuid);
2079	if (rc)
2080		goto out;
2081
2082	/* are we setting or clearing? */
2083	if (uid_valid(loginuid))
2084		sessionid = (unsigned int)atomic_inc_return(&session_id);
 
 
 
2085
2086	task->sessionid = sessionid;
2087	task->loginuid = loginuid;
2088out:
2089	audit_log_set_loginuid(oldloginuid, loginuid, oldsessionid, sessionid, rc);
2090	return rc;
2091}
2092
2093/**
2094 * __audit_mq_open - record audit data for a POSIX MQ open
2095 * @oflag: open flag
2096 * @mode: mode bits
2097 * @attr: queue attributes
2098 *
2099 */
2100void __audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr)
2101{
2102	struct audit_context *context = current->audit_context;
2103
2104	if (attr)
2105		memcpy(&context->mq_open.attr, attr, sizeof(struct mq_attr));
2106	else
2107		memset(&context->mq_open.attr, 0, sizeof(struct mq_attr));
2108
2109	context->mq_open.oflag = oflag;
2110	context->mq_open.mode = mode;
2111
2112	context->type = AUDIT_MQ_OPEN;
2113}
2114
2115/**
2116 * __audit_mq_sendrecv - record audit data for a POSIX MQ timed send/receive
2117 * @mqdes: MQ descriptor
2118 * @msg_len: Message length
2119 * @msg_prio: Message priority
2120 * @abs_timeout: Message timeout in absolute time
2121 *
2122 */
2123void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio,
2124			const struct timespec *abs_timeout)
2125{
2126	struct audit_context *context = current->audit_context;
2127	struct timespec *p = &context->mq_sendrecv.abs_timeout;
2128
2129	if (abs_timeout)
2130		memcpy(p, abs_timeout, sizeof(struct timespec));
2131	else
2132		memset(p, 0, sizeof(struct timespec));
2133
2134	context->mq_sendrecv.mqdes = mqdes;
2135	context->mq_sendrecv.msg_len = msg_len;
2136	context->mq_sendrecv.msg_prio = msg_prio;
2137
2138	context->type = AUDIT_MQ_SENDRECV;
2139}
2140
2141/**
2142 * __audit_mq_notify - record audit data for a POSIX MQ notify
2143 * @mqdes: MQ descriptor
2144 * @notification: Notification event
2145 *
2146 */
2147
2148void __audit_mq_notify(mqd_t mqdes, const struct sigevent *notification)
2149{
2150	struct audit_context *context = current->audit_context;
2151
2152	if (notification)
2153		context->mq_notify.sigev_signo = notification->sigev_signo;
2154	else
2155		context->mq_notify.sigev_signo = 0;
2156
2157	context->mq_notify.mqdes = mqdes;
2158	context->type = AUDIT_MQ_NOTIFY;
2159}
2160
2161/**
2162 * __audit_mq_getsetattr - record audit data for a POSIX MQ get/set attribute
2163 * @mqdes: MQ descriptor
2164 * @mqstat: MQ flags
2165 *
2166 */
2167void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat)
2168{
2169	struct audit_context *context = current->audit_context;
2170	context->mq_getsetattr.mqdes = mqdes;
2171	context->mq_getsetattr.mqstat = *mqstat;
2172	context->type = AUDIT_MQ_GETSETATTR;
2173}
2174
2175/**
2176 * audit_ipc_obj - record audit data for ipc object
2177 * @ipcp: ipc permissions
2178 *
2179 */
2180void __audit_ipc_obj(struct kern_ipc_perm *ipcp)
2181{
2182	struct audit_context *context = current->audit_context;
2183	context->ipc.uid = ipcp->uid;
2184	context->ipc.gid = ipcp->gid;
2185	context->ipc.mode = ipcp->mode;
2186	context->ipc.has_perm = 0;
2187	security_ipc_getsecid(ipcp, &context->ipc.osid);
2188	context->type = AUDIT_IPC;
2189}
2190
2191/**
2192 * audit_ipc_set_perm - record audit data for new ipc permissions
2193 * @qbytes: msgq bytes
2194 * @uid: msgq user id
2195 * @gid: msgq group id
2196 * @mode: msgq mode (permissions)
2197 *
2198 * Called only after audit_ipc_obj().
2199 */
2200void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode)
2201{
2202	struct audit_context *context = current->audit_context;
2203
2204	context->ipc.qbytes = qbytes;
2205	context->ipc.perm_uid = uid;
2206	context->ipc.perm_gid = gid;
2207	context->ipc.perm_mode = mode;
2208	context->ipc.has_perm = 1;
2209}
2210
2211void __audit_bprm(struct linux_binprm *bprm)
2212{
2213	struct audit_context *context = current->audit_context;
2214
2215	context->type = AUDIT_EXECVE;
2216	context->execve.argc = bprm->argc;
2217}
2218
2219
2220/**
2221 * audit_socketcall - record audit data for sys_socketcall
2222 * @nargs: number of args, which should not be more than AUDITSC_ARGS.
2223 * @args: args array
2224 *
2225 */
2226int __audit_socketcall(int nargs, unsigned long *args)
2227{
2228	struct audit_context *context = current->audit_context;
2229
2230	if (nargs <= 0 || nargs > AUDITSC_ARGS || !args)
2231		return -EINVAL;
2232	context->type = AUDIT_SOCKETCALL;
2233	context->socketcall.nargs = nargs;
2234	memcpy(context->socketcall.args, args, nargs * sizeof(unsigned long));
2235	return 0;
2236}
2237
2238/**
2239 * __audit_fd_pair - record audit data for pipe and socketpair
2240 * @fd1: the first file descriptor
2241 * @fd2: the second file descriptor
2242 *
2243 */
2244void __audit_fd_pair(int fd1, int fd2)
2245{
2246	struct audit_context *context = current->audit_context;
2247	context->fds[0] = fd1;
2248	context->fds[1] = fd2;
2249}
2250
2251/**
2252 * audit_sockaddr - record audit data for sys_bind, sys_connect, sys_sendto
2253 * @len: data length in user space
2254 * @a: data address in kernel space
2255 *
2256 * Returns 0 for success or NULL context or < 0 on error.
2257 */
2258int __audit_sockaddr(int len, void *a)
2259{
2260	struct audit_context *context = current->audit_context;
2261
2262	if (!context->sockaddr) {
2263		void *p = kmalloc(sizeof(struct sockaddr_storage), GFP_KERNEL);
2264		if (!p)
2265			return -ENOMEM;
2266		context->sockaddr = p;
2267	}
2268
2269	context->sockaddr_len = len;
2270	memcpy(context->sockaddr, a, len);
2271	return 0;
2272}
2273
2274void __audit_ptrace(struct task_struct *t)
2275{
2276	struct audit_context *context = current->audit_context;
2277
2278	context->target_pid = task_pid_nr(t);
2279	context->target_auid = audit_get_loginuid(t);
2280	context->target_uid = task_uid(t);
2281	context->target_sessionid = audit_get_sessionid(t);
2282	security_task_getsecid(t, &context->target_sid);
2283	memcpy(context->target_comm, t->comm, TASK_COMM_LEN);
2284}
2285
2286/**
2287 * audit_signal_info - record signal info for shutting down audit subsystem
2288 * @sig: signal value
2289 * @t: task being signaled
2290 *
2291 * If the audit subsystem is being terminated, record the task (pid)
2292 * and uid that is doing that.
2293 */
2294int __audit_signal_info(int sig, struct task_struct *t)
2295{
2296	struct audit_aux_data_pids *axp;
2297	struct task_struct *tsk = current;
2298	struct audit_context *ctx = tsk->audit_context;
2299	kuid_t uid = current_uid(), t_uid = task_uid(t);
2300
2301	if (audit_pid && t->tgid == audit_pid) {
2302		if (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1 || sig == SIGUSR2) {
2303			audit_sig_pid = task_pid_nr(tsk);
2304			if (uid_valid(tsk->loginuid))
2305				audit_sig_uid = tsk->loginuid;
2306			else
2307				audit_sig_uid = uid;
2308			security_task_getsecid(tsk, &audit_sig_sid);
2309		}
2310		if (!audit_signals || audit_dummy_context())
2311			return 0;
2312	}
2313
 
 
 
2314	/* optimize the common case by putting first signal recipient directly
2315	 * in audit_context */
2316	if (!ctx->target_pid) {
2317		ctx->target_pid = task_tgid_nr(t);
2318		ctx->target_auid = audit_get_loginuid(t);
2319		ctx->target_uid = t_uid;
2320		ctx->target_sessionid = audit_get_sessionid(t);
2321		security_task_getsecid(t, &ctx->target_sid);
2322		memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN);
2323		return 0;
2324	}
2325
2326	axp = (void *)ctx->aux_pids;
2327	if (!axp || axp->pid_count == AUDIT_AUX_PIDS) {
2328		axp = kzalloc(sizeof(*axp), GFP_ATOMIC);
2329		if (!axp)
2330			return -ENOMEM;
2331
2332		axp->d.type = AUDIT_OBJ_PID;
2333		axp->d.next = ctx->aux_pids;
2334		ctx->aux_pids = (void *)axp;
2335	}
2336	BUG_ON(axp->pid_count >= AUDIT_AUX_PIDS);
2337
2338	axp->target_pid[axp->pid_count] = task_tgid_nr(t);
2339	axp->target_auid[axp->pid_count] = audit_get_loginuid(t);
2340	axp->target_uid[axp->pid_count] = t_uid;
2341	axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t);
2342	security_task_getsecid(t, &axp->target_sid[axp->pid_count]);
2343	memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN);
2344	axp->pid_count++;
2345
2346	return 0;
2347}
2348
2349/**
2350 * __audit_log_bprm_fcaps - store information about a loading bprm and relevant fcaps
2351 * @bprm: pointer to the bprm being processed
2352 * @new: the proposed new credentials
2353 * @old: the old credentials
2354 *
2355 * Simply check if the proc already has the caps given by the file and if not
2356 * store the priv escalation info for later auditing at the end of the syscall
2357 *
2358 * -Eric
2359 */
2360int __audit_log_bprm_fcaps(struct linux_binprm *bprm,
2361			   const struct cred *new, const struct cred *old)
2362{
2363	struct audit_aux_data_bprm_fcaps *ax;
2364	struct audit_context *context = current->audit_context;
2365	struct cpu_vfs_cap_data vcaps;
2366	struct dentry *dentry;
2367
2368	ax = kmalloc(sizeof(*ax), GFP_KERNEL);
2369	if (!ax)
2370		return -ENOMEM;
2371
2372	ax->d.type = AUDIT_BPRM_FCAPS;
2373	ax->d.next = context->aux;
2374	context->aux = (void *)ax;
2375
2376	dentry = dget(bprm->file->f_dentry);
2377	get_vfs_caps_from_disk(dentry, &vcaps);
2378	dput(dentry);
2379
2380	ax->fcap.permitted = vcaps.permitted;
2381	ax->fcap.inheritable = vcaps.inheritable;
2382	ax->fcap.fE = !!(vcaps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE);
2383	ax->fcap_ver = (vcaps.magic_etc & VFS_CAP_REVISION_MASK) >> VFS_CAP_REVISION_SHIFT;
2384
2385	ax->old_pcap.permitted   = old->cap_permitted;
2386	ax->old_pcap.inheritable = old->cap_inheritable;
2387	ax->old_pcap.effective   = old->cap_effective;
 
2388
2389	ax->new_pcap.permitted   = new->cap_permitted;
2390	ax->new_pcap.inheritable = new->cap_inheritable;
2391	ax->new_pcap.effective   = new->cap_effective;
 
2392	return 0;
2393}
2394
2395/**
2396 * __audit_log_capset - store information about the arguments to the capset syscall
2397 * @new: the new credentials
2398 * @old: the old (current) credentials
2399 *
2400 * Record the aguments userspace sent to sys_capset for later printing by the
2401 * audit system if applicable
2402 */
2403void __audit_log_capset(const struct cred *new, const struct cred *old)
2404{
2405	struct audit_context *context = current->audit_context;
2406	context->capset.pid = task_pid_nr(current);
2407	context->capset.cap.effective   = new->cap_effective;
2408	context->capset.cap.inheritable = new->cap_effective;
2409	context->capset.cap.permitted   = new->cap_permitted;
 
2410	context->type = AUDIT_CAPSET;
2411}
2412
2413void __audit_mmap_fd(int fd, int flags)
2414{
2415	struct audit_context *context = current->audit_context;
2416	context->mmap.fd = fd;
2417	context->mmap.flags = flags;
2418	context->type = AUDIT_MMAP;
2419}
2420
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
2421static void audit_log_task(struct audit_buffer *ab)
2422{
2423	kuid_t auid, uid;
2424	kgid_t gid;
2425	unsigned int sessionid;
2426	struct mm_struct *mm = current->mm;
2427
2428	auid = audit_get_loginuid(current);
2429	sessionid = audit_get_sessionid(current);
2430	current_uid_gid(&uid, &gid);
2431
2432	audit_log_format(ab, "auid=%u uid=%u gid=%u ses=%u",
2433			 from_kuid(&init_user_ns, auid),
2434			 from_kuid(&init_user_ns, uid),
2435			 from_kgid(&init_user_ns, gid),
2436			 sessionid);
2437	audit_log_task_context(ab);
2438	audit_log_format(ab, " pid=%d comm=", task_pid_nr(current));
2439	audit_log_untrustedstring(ab, current->comm);
2440	if (mm) {
2441		down_read(&mm->mmap_sem);
2442		if (mm->exe_file)
2443			audit_log_d_path(ab, " exe=", &mm->exe_file->f_path);
2444		up_read(&mm->mmap_sem);
2445	} else
2446		audit_log_format(ab, " exe=(null)");
2447}
2448
2449/**
2450 * audit_core_dumps - record information about processes that end abnormally
2451 * @signr: signal value
2452 *
2453 * If a process ends with a core dump, something fishy is going on and we
2454 * should record the event for investigation.
2455 */
2456void audit_core_dumps(long signr)
2457{
2458	struct audit_buffer *ab;
2459
2460	if (!audit_enabled)
2461		return;
2462
2463	if (signr == SIGQUIT)	/* don't care for those */
2464		return;
2465
2466	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
2467	if (unlikely(!ab))
2468		return;
2469	audit_log_task(ab);
2470	audit_log_format(ab, " sig=%ld", signr);
2471	audit_log_end(ab);
2472}
2473
2474void __audit_seccomp(unsigned long syscall, long signr, int code)
2475{
2476	struct audit_buffer *ab;
2477
2478	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_SECCOMP);
2479	if (unlikely(!ab))
2480		return;
2481	audit_log_task(ab);
2482	audit_log_format(ab, " sig=%ld", signr);
2483	audit_log_format(ab, " syscall=%ld", syscall);
2484	audit_log_format(ab, " compat=%d", is_compat_task());
2485	audit_log_format(ab, " ip=0x%lx", KSTK_EIP(current));
2486	audit_log_format(ab, " code=0x%x", code);
2487	audit_log_end(ab);
2488}
2489
2490struct list_head *audit_killed_trees(void)
2491{
2492	struct audit_context *ctx = current->audit_context;
2493	if (likely(!ctx || !ctx->in_syscall))
2494		return NULL;
2495	return &ctx->killed_trees;
2496}