1/* auditsc.c -- System-call auditing support
   2 * Handles all system-call specific auditing features.
   3 *
   4 * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina.
   5 * Copyright 2005 Hewlett-Packard Development Company, L.P.
   6 * Copyright (C) 2005, 2006 IBM Corporation
   7 * All Rights Reserved.
   8 *
   9 * This program is free software; you can redistribute it and/or modify
  10 * it under the terms of the GNU General Public License as published by
  11 * the Free Software Foundation; either version 2 of the License, or
  12 * (at your option) any later version.
  13 *
  14 * This program is distributed in the hope that it will be useful,
  15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
  16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17 * GNU General Public License for more details.
  18 *
  19 * You should have received a copy of the GNU General Public License
  20 * along with this program; if not, write to the Free Software
  21 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
  22 *
  23 * Written by Rickard E. (Rik) Faith <faith@redhat.com>
  24 *
  25 * Many of the ideas implemented here are from Stephen C. Tweedie,
  26 * especially the idea of avoiding a copy by using getname.
  27 *
  28 * The method for actual interception of syscall entry and exit (not in
  29 * this file -- see entry.S) is based on a GPL'd patch written by
  30 * okir@suse.de and Copyright 2003 SuSE Linux AG.
  31 *
  32 * POSIX message queue support added by George Wilson <ltcgcw@us.ibm.com>,
  33 * 2006.
  34 *
  35 * The support of additional filter rules compares (>, <, >=, <=) was
  36 * added by Dustin Kirkland <dustin.kirkland@us.ibm.com>, 2005.
  37 *
  38 * Modified by Amy Griffis <amy.griffis@hp.com> to collect additional
  39 * filesystem information.
  40 *
  41 * Subject and object context labeling support added by <danjones@us.ibm.com>
  42 * and <dustin.kirkland@us.ibm.com> for LSPP certification compliance.
  43 */
  44
  45#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
  46
  47#include <linux/init.h>
  48#include <asm/types.h>
  49#include <linux/atomic.h>
  50#include <linux/fs.h>
  51#include <linux/namei.h>
  52#include <linux/mm.h>
  53#include <linux/export.h>
  54#include <linux/slab.h>
  55#include <linux/mount.h>
  56#include <linux/socket.h>
  57#include <linux/mqueue.h>
  58#include <linux/audit.h>
  59#include <linux/personality.h>
  60#include <linux/time.h>
  61#include <linux/netlink.h>
  62#include <linux/compiler.h>
  63#include <asm/unistd.h>
  64#include <linux/security.h>
  65#include <linux/list.h>
  66#include <linux/binfmts.h>
  67#include <linux/highmem.h>
  68#include <linux/syscalls.h>
  69#include <asm/syscall.h>
  70#include <linux/capability.h>
  71#include <linux/fs_struct.h>
  72#include <linux/compat.h>
  73#include <linux/ctype.h>
  74#include <linux/string.h>
  75#include <linux/uaccess.h>
 
  76#include <uapi/linux/limits.h>
  77
  78#include "audit.h"
  79
  80/* flags stating the success for a syscall */
  81#define AUDITSC_INVALID 0
  82#define AUDITSC_SUCCESS 1
  83#define AUDITSC_FAILURE 2
  84
  85/* no execve audit message should be longer than this (userspace limits),
  86 * see the note near the top of audit_log_execve_info() about this value */
  87#define MAX_EXECVE_AUDIT_LEN 7500
  88
  89/* max length to print of cmdline/proctitle value during audit */
  90#define MAX_PROCTITLE_AUDIT_LEN 128
  91
  92/* number of audit rules */
  93int audit_n_rules;
  94
  95/* determines whether we collect data for signals sent */
  96int audit_signals;
  97
  98struct audit_aux_data {
  99	struct audit_aux_data	*next;
 100	int			type;
 101};
 102
 103#define AUDIT_AUX_IPCPERM	0
 104
 105/* Number of target pids per aux struct. */
 106#define AUDIT_AUX_PIDS	16
 107
 108struct audit_aux_data_pids {
 109	struct audit_aux_data	d;
 110	pid_t			target_pid[AUDIT_AUX_PIDS];
 111	kuid_t			target_auid[AUDIT_AUX_PIDS];
 112	kuid_t			target_uid[AUDIT_AUX_PIDS];
 113	unsigned int		target_sessionid[AUDIT_AUX_PIDS];
 114	u32			target_sid[AUDIT_AUX_PIDS];
 115	char 			target_comm[AUDIT_AUX_PIDS][TASK_COMM_LEN];
 116	int			pid_count;
 117};
 118
 119struct audit_aux_data_bprm_fcaps {
 120	struct audit_aux_data	d;
 121	struct audit_cap_data	fcap;
 122	unsigned int		fcap_ver;
 123	struct audit_cap_data	old_pcap;
 124	struct audit_cap_data	new_pcap;
 125};
 126
 127struct audit_tree_refs {
 128	struct audit_tree_refs *next;
 129	struct audit_chunk *c[31];
 130};
 131
 132static int audit_match_perm(struct audit_context *ctx, int mask)
 133{
 134	unsigned n;
 135	if (unlikely(!ctx))
 136		return 0;
 137	n = ctx->major;
 138
 139	switch (audit_classify_syscall(ctx->arch, n)) {
 140	case 0:	/* native */
 141		if ((mask & AUDIT_PERM_WRITE) &&
 142		     audit_match_class(AUDIT_CLASS_WRITE, n))
 143			return 1;
 144		if ((mask & AUDIT_PERM_READ) &&
 145		     audit_match_class(AUDIT_CLASS_READ, n))
 146			return 1;
 147		if ((mask & AUDIT_PERM_ATTR) &&
 148		     audit_match_class(AUDIT_CLASS_CHATTR, n))
 149			return 1;
 150		return 0;
 151	case 1: /* 32bit on biarch */
 152		if ((mask & AUDIT_PERM_WRITE) &&
 153		     audit_match_class(AUDIT_CLASS_WRITE_32, n))
 154			return 1;
 155		if ((mask & AUDIT_PERM_READ) &&
 156		     audit_match_class(AUDIT_CLASS_READ_32, n))
 157			return 1;
 158		if ((mask & AUDIT_PERM_ATTR) &&
 159		     audit_match_class(AUDIT_CLASS_CHATTR_32, n))
 160			return 1;
 161		return 0;
 162	case 2: /* open */
 163		return mask & ACC_MODE(ctx->argv[1]);
 164	case 3: /* openat */
 165		return mask & ACC_MODE(ctx->argv[2]);
 166	case 4: /* socketcall */
 167		return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND);
 168	case 5: /* execve */
 169		return mask & AUDIT_PERM_EXEC;
 170	default:
 171		return 0;
 172	}
 173}
 174
 175static int audit_match_filetype(struct audit_context *ctx, int val)
 176{
 177	struct audit_names *n;
 178	umode_t mode = (umode_t)val;
 179
 180	if (unlikely(!ctx))
 181		return 0;
 182
 183	list_for_each_entry(n, &ctx->names_list, list) {
 184		if ((n->ino != AUDIT_INO_UNSET) &&
 185		    ((n->mode & S_IFMT) == mode))
 186			return 1;
 187	}
 188
 189	return 0;
 190}
 191
 192/*
 193 * We keep a linked list of fixed-sized (31 pointer) arrays of audit_chunk *;
 194 * ->first_trees points to its beginning, ->trees - to the current end of data.
 195 * ->tree_count is the number of free entries in array pointed to by ->trees.
 196 * Original condition is (NULL, NULL, 0); as soon as it grows we never revert to NULL,
 197 * "empty" becomes (p, p, 31) afterwards.  We don't shrink the list (and seriously,
 198 * it's going to remain 1-element for almost any setup) until we free context itself.
 199 * References in it _are_ dropped - at the same time we free/drop aux stuff.
 200 */
 201
 202#ifdef CONFIG_AUDIT_TREE
 203static void audit_set_auditable(struct audit_context *ctx)
 204{
 205	if (!ctx->prio) {
 206		ctx->prio = 1;
 207		ctx->current_state = AUDIT_RECORD_CONTEXT;
 208	}
 209}
 210
 211static int put_tree_ref(struct audit_context *ctx, struct audit_chunk *chunk)
 212{
 213	struct audit_tree_refs *p = ctx->trees;
 214	int left = ctx->tree_count;
 215	if (likely(left)) {
 216		p->c[--left] = chunk;
 217		ctx->tree_count = left;
 218		return 1;
 219	}
 220	if (!p)
 221		return 0;
 222	p = p->next;
 223	if (p) {
 224		p->c[30] = chunk;
 225		ctx->trees = p;
 226		ctx->tree_count = 30;
 227		return 1;
 228	}
 229	return 0;
 230}
 231
 232static int grow_tree_refs(struct audit_context *ctx)
 233{
 234	struct audit_tree_refs *p = ctx->trees;
 235	ctx->trees = kzalloc(sizeof(struct audit_tree_refs), GFP_KERNEL);
 236	if (!ctx->trees) {
 237		ctx->trees = p;
 238		return 0;
 239	}
 240	if (p)
 241		p->next = ctx->trees;
 242	else
 243		ctx->first_trees = ctx->trees;
 244	ctx->tree_count = 31;
 245	return 1;
 246}
 247#endif
 248
 249static void unroll_tree_refs(struct audit_context *ctx,
 250		      struct audit_tree_refs *p, int count)
 251{
 252#ifdef CONFIG_AUDIT_TREE
 253	struct audit_tree_refs *q;
 254	int n;
 255	if (!p) {
 256		/* we started with empty chain */
 257		p = ctx->first_trees;
 258		count = 31;
 259		/* if the very first allocation has failed, nothing to do */
 260		if (!p)
 261			return;
 262	}
 263	n = count;
 264	for (q = p; q != ctx->trees; q = q->next, n = 31) {
 265		while (n--) {
 266			audit_put_chunk(q->c[n]);
 267			q->c[n] = NULL;
 268		}
 269	}
 270	while (n-- > ctx->tree_count) {
 271		audit_put_chunk(q->c[n]);
 272		q->c[n] = NULL;
 273	}
 274	ctx->trees = p;
 275	ctx->tree_count = count;
 276#endif
 277}
 278
 279static void free_tree_refs(struct audit_context *ctx)
 280{
 281	struct audit_tree_refs *p, *q;
 282	for (p = ctx->first_trees; p; p = q) {
 283		q = p->next;
 284		kfree(p);
 285	}
 286}
 287
 288static int match_tree_refs(struct audit_context *ctx, struct audit_tree *tree)
 289{
 290#ifdef CONFIG_AUDIT_TREE
 291	struct audit_tree_refs *p;
 292	int n;
 293	if (!tree)
 294		return 0;
 295	/* full ones */
 296	for (p = ctx->first_trees; p != ctx->trees; p = p->next) {
 297		for (n = 0; n < 31; n++)
 298			if (audit_tree_match(p->c[n], tree))
 299				return 1;
 300	}
 301	/* partial */
 302	if (p) {
 303		for (n = ctx->tree_count; n < 31; n++)
 304			if (audit_tree_match(p->c[n], tree))
 305				return 1;
 306	}
 307#endif
 308	return 0;
 309}
 310
 311static int audit_compare_uid(kuid_t uid,
 312			     struct audit_names *name,
 313			     struct audit_field *f,
 314			     struct audit_context *ctx)
 315{
 316	struct audit_names *n;
 317	int rc;
 318 
 319	if (name) {
 320		rc = audit_uid_comparator(uid, f->op, name->uid);
 321		if (rc)
 322			return rc;
 323	}
 324 
 325	if (ctx) {
 326		list_for_each_entry(n, &ctx->names_list, list) {
 327			rc = audit_uid_comparator(uid, f->op, n->uid);
 328			if (rc)
 329				return rc;
 330		}
 331	}
 332	return 0;
 333}
 334
 335static int audit_compare_gid(kgid_t gid,
 336			     struct audit_names *name,
 337			     struct audit_field *f,
 338			     struct audit_context *ctx)
 339{
 340	struct audit_names *n;
 341	int rc;
 342 
 343	if (name) {
 344		rc = audit_gid_comparator(gid, f->op, name->gid);
 345		if (rc)
 346			return rc;
 347	}
 348 
 349	if (ctx) {
 350		list_for_each_entry(n, &ctx->names_list, list) {
 351			rc = audit_gid_comparator(gid, f->op, n->gid);
 352			if (rc)
 353				return rc;
 354		}
 355	}
 356	return 0;
 357}
 358
 359static int audit_field_compare(struct task_struct *tsk,
 360			       const struct cred *cred,
 361			       struct audit_field *f,
 362			       struct audit_context *ctx,
 363			       struct audit_names *name)
 364{
 365	switch (f->val) {
 366	/* process to file object comparisons */
 367	case AUDIT_COMPARE_UID_TO_OBJ_UID:
 368		return audit_compare_uid(cred->uid, name, f, ctx);
 369	case AUDIT_COMPARE_GID_TO_OBJ_GID:
 370		return audit_compare_gid(cred->gid, name, f, ctx);
 371	case AUDIT_COMPARE_EUID_TO_OBJ_UID:
 372		return audit_compare_uid(cred->euid, name, f, ctx);
 373	case AUDIT_COMPARE_EGID_TO_OBJ_GID:
 374		return audit_compare_gid(cred->egid, name, f, ctx);
 375	case AUDIT_COMPARE_AUID_TO_OBJ_UID:
 376		return audit_compare_uid(tsk->loginuid, name, f, ctx);
 377	case AUDIT_COMPARE_SUID_TO_OBJ_UID:
 378		return audit_compare_uid(cred->suid, name, f, ctx);
 379	case AUDIT_COMPARE_SGID_TO_OBJ_GID:
 380		return audit_compare_gid(cred->sgid, name, f, ctx);
 381	case AUDIT_COMPARE_FSUID_TO_OBJ_UID:
 382		return audit_compare_uid(cred->fsuid, name, f, ctx);
 383	case AUDIT_COMPARE_FSGID_TO_OBJ_GID:
 384		return audit_compare_gid(cred->fsgid, name, f, ctx);
 385	/* uid comparisons */
 386	case AUDIT_COMPARE_UID_TO_AUID:
 387		return audit_uid_comparator(cred->uid, f->op, tsk->loginuid);
 
 388	case AUDIT_COMPARE_UID_TO_EUID:
 389		return audit_uid_comparator(cred->uid, f->op, cred->euid);
 390	case AUDIT_COMPARE_UID_TO_SUID:
 391		return audit_uid_comparator(cred->uid, f->op, cred->suid);
 392	case AUDIT_COMPARE_UID_TO_FSUID:
 393		return audit_uid_comparator(cred->uid, f->op, cred->fsuid);
 394	/* auid comparisons */
 395	case AUDIT_COMPARE_AUID_TO_EUID:
 396		return audit_uid_comparator(tsk->loginuid, f->op, cred->euid);
 
 397	case AUDIT_COMPARE_AUID_TO_SUID:
 398		return audit_uid_comparator(tsk->loginuid, f->op, cred->suid);
 
 399	case AUDIT_COMPARE_AUID_TO_FSUID:
 400		return audit_uid_comparator(tsk->loginuid, f->op, cred->fsuid);
 
 401	/* euid comparisons */
 402	case AUDIT_COMPARE_EUID_TO_SUID:
 403		return audit_uid_comparator(cred->euid, f->op, cred->suid);
 404	case AUDIT_COMPARE_EUID_TO_FSUID:
 405		return audit_uid_comparator(cred->euid, f->op, cred->fsuid);
 406	/* suid comparisons */
 407	case AUDIT_COMPARE_SUID_TO_FSUID:
 408		return audit_uid_comparator(cred->suid, f->op, cred->fsuid);
 409	/* gid comparisons */
 410	case AUDIT_COMPARE_GID_TO_EGID:
 411		return audit_gid_comparator(cred->gid, f->op, cred->egid);
 412	case AUDIT_COMPARE_GID_TO_SGID:
 413		return audit_gid_comparator(cred->gid, f->op, cred->sgid);
 414	case AUDIT_COMPARE_GID_TO_FSGID:
 415		return audit_gid_comparator(cred->gid, f->op, cred->fsgid);
 416	/* egid comparisons */
 417	case AUDIT_COMPARE_EGID_TO_SGID:
 418		return audit_gid_comparator(cred->egid, f->op, cred->sgid);
 419	case AUDIT_COMPARE_EGID_TO_FSGID:
 420		return audit_gid_comparator(cred->egid, f->op, cred->fsgid);
 421	/* sgid comparison */
 422	case AUDIT_COMPARE_SGID_TO_FSGID:
 423		return audit_gid_comparator(cred->sgid, f->op, cred->fsgid);
 424	default:
 425		WARN(1, "Missing AUDIT_COMPARE define.  Report as a bug\n");
 426		return 0;
 427	}
 428	return 0;
 429}
 430
 431/* Determine if any context name data matches a rule's watch data */
 432/* Compare a task_struct with an audit_rule.  Return 1 on match, 0
 433 * otherwise.
 434 *
 435 * If task_creation is true, this is an explicit indication that we are
 436 * filtering a task rule at task creation time.  This and tsk == current are
 437 * the only situations where tsk->cred may be accessed without an rcu read lock.
 438 */
 439static int audit_filter_rules(struct task_struct *tsk,
 440			      struct audit_krule *rule,
 441			      struct audit_context *ctx,
 442			      struct audit_names *name,
 443			      enum audit_state *state,
 444			      bool task_creation)
 445{
 446	const struct cred *cred;
 447	int i, need_sid = 1;
 448	u32 sid;
 449	unsigned int sessionid;
 450
 451	cred = rcu_dereference_check(tsk->cred, tsk == current || task_creation);
 452
 453	for (i = 0; i < rule->field_count; i++) {
 454		struct audit_field *f = &rule->fields[i];
 455		struct audit_names *n;
 456		int result = 0;
 457		pid_t pid;
 458
 459		switch (f->type) {
 460		case AUDIT_PID:
 461			pid = task_tgid_nr(tsk);
 462			result = audit_comparator(pid, f->op, f->val);
 463			break;
 464		case AUDIT_PPID:
 465			if (ctx) {
 466				if (!ctx->ppid)
 467					ctx->ppid = task_ppid_nr(tsk);
 468				result = audit_comparator(ctx->ppid, f->op, f->val);
 469			}
 470			break;
 471		case AUDIT_EXE:
 472			result = audit_exe_compare(tsk, rule->exe);
 
 
 473			break;
 474		case AUDIT_UID:
 475			result = audit_uid_comparator(cred->uid, f->op, f->uid);
 476			break;
 477		case AUDIT_EUID:
 478			result = audit_uid_comparator(cred->euid, f->op, f->uid);
 479			break;
 480		case AUDIT_SUID:
 481			result = audit_uid_comparator(cred->suid, f->op, f->uid);
 482			break;
 483		case AUDIT_FSUID:
 484			result = audit_uid_comparator(cred->fsuid, f->op, f->uid);
 485			break;
 486		case AUDIT_GID:
 487			result = audit_gid_comparator(cred->gid, f->op, f->gid);
 488			if (f->op == Audit_equal) {
 489				if (!result)
 490					result = in_group_p(f->gid);
 491			} else if (f->op == Audit_not_equal) {
 492				if (result)
 493					result = !in_group_p(f->gid);
 494			}
 495			break;
 496		case AUDIT_EGID:
 497			result = audit_gid_comparator(cred->egid, f->op, f->gid);
 498			if (f->op == Audit_equal) {
 499				if (!result)
 500					result = in_egroup_p(f->gid);
 501			} else if (f->op == Audit_not_equal) {
 502				if (result)
 503					result = !in_egroup_p(f->gid);
 504			}
 505			break;
 506		case AUDIT_SGID:
 507			result = audit_gid_comparator(cred->sgid, f->op, f->gid);
 508			break;
 509		case AUDIT_FSGID:
 510			result = audit_gid_comparator(cred->fsgid, f->op, f->gid);
 511			break;
 512		case AUDIT_SESSIONID:
 513			sessionid = audit_get_sessionid(current);
 514			result = audit_comparator(sessionid, f->op, f->val);
 515			break;
 516		case AUDIT_PERS:
 517			result = audit_comparator(tsk->personality, f->op, f->val);
 518			break;
 519		case AUDIT_ARCH:
 520			if (ctx)
 521				result = audit_comparator(ctx->arch, f->op, f->val);
 522			break;
 523
 524		case AUDIT_EXIT:
 525			if (ctx && ctx->return_valid)
 526				result = audit_comparator(ctx->return_code, f->op, f->val);
 527			break;
 528		case AUDIT_SUCCESS:
 529			if (ctx && ctx->return_valid) {
 530				if (f->val)
 531					result = audit_comparator(ctx->return_valid, f->op, AUDITSC_SUCCESS);
 532				else
 533					result = audit_comparator(ctx->return_valid, f->op, AUDITSC_FAILURE);
 534			}
 535			break;
 536		case AUDIT_DEVMAJOR:
 537			if (name) {
 538				if (audit_comparator(MAJOR(name->dev), f->op, f->val) ||
 539				    audit_comparator(MAJOR(name->rdev), f->op, f->val))
 540					++result;
 541			} else if (ctx) {
 542				list_for_each_entry(n, &ctx->names_list, list) {
 543					if (audit_comparator(MAJOR(n->dev), f->op, f->val) ||
 544					    audit_comparator(MAJOR(n->rdev), f->op, f->val)) {
 545						++result;
 546						break;
 547					}
 548				}
 549			}
 550			break;
 551		case AUDIT_DEVMINOR:
 552			if (name) {
 553				if (audit_comparator(MINOR(name->dev), f->op, f->val) ||
 554				    audit_comparator(MINOR(name->rdev), f->op, f->val))
 555					++result;
 556			} else if (ctx) {
 557				list_for_each_entry(n, &ctx->names_list, list) {
 558					if (audit_comparator(MINOR(n->dev), f->op, f->val) ||
 559					    audit_comparator(MINOR(n->rdev), f->op, f->val)) {
 560						++result;
 561						break;
 562					}
 563				}
 564			}
 565			break;
 566		case AUDIT_INODE:
 567			if (name)
 568				result = audit_comparator(name->ino, f->op, f->val);
 569			else if (ctx) {
 570				list_for_each_entry(n, &ctx->names_list, list) {
 571					if (audit_comparator(n->ino, f->op, f->val)) {
 572						++result;
 573						break;
 574					}
 575				}
 576			}
 577			break;
 578		case AUDIT_OBJ_UID:
 579			if (name) {
 580				result = audit_uid_comparator(name->uid, f->op, f->uid);
 581			} else if (ctx) {
 582				list_for_each_entry(n, &ctx->names_list, list) {
 583					if (audit_uid_comparator(n->uid, f->op, f->uid)) {
 584						++result;
 585						break;
 586					}
 587				}
 588			}
 589			break;
 590		case AUDIT_OBJ_GID:
 591			if (name) {
 592				result = audit_gid_comparator(name->gid, f->op, f->gid);
 593			} else if (ctx) {
 594				list_for_each_entry(n, &ctx->names_list, list) {
 595					if (audit_gid_comparator(n->gid, f->op, f->gid)) {
 596						++result;
 597						break;
 598					}
 599				}
 600			}
 601			break;
 602		case AUDIT_WATCH:
 603			if (name)
 604				result = audit_watch_compare(rule->watch, name->ino, name->dev);
 
 
 
 
 
 605			break;
 606		case AUDIT_DIR:
 607			if (ctx)
 608				result = match_tree_refs(ctx, rule->tree);
 
 
 
 609			break;
 610		case AUDIT_LOGINUID:
 611			result = audit_uid_comparator(tsk->loginuid, f->op, f->uid);
 
 612			break;
 613		case AUDIT_LOGINUID_SET:
 614			result = audit_comparator(audit_loginuid_set(tsk), f->op, f->val);
 615			break;
 
 
 
 
 
 616		case AUDIT_SUBJ_USER:
 617		case AUDIT_SUBJ_ROLE:
 618		case AUDIT_SUBJ_TYPE:
 619		case AUDIT_SUBJ_SEN:
 620		case AUDIT_SUBJ_CLR:
 621			/* NOTE: this may return negative values indicating
 622			   a temporary error.  We simply treat this as a
 623			   match for now to avoid losing information that
 624			   may be wanted.   An error message will also be
 625			   logged upon error */
 626			if (f->lsm_rule) {
 627				if (need_sid) {
 628					security_task_getsecid(tsk, &sid);
 629					need_sid = 0;
 630				}
 631				result = security_audit_rule_match(sid, f->type,
 632				                                  f->op,
 633				                                  f->lsm_rule,
 634				                                  ctx);
 635			}
 636			break;
 637		case AUDIT_OBJ_USER:
 638		case AUDIT_OBJ_ROLE:
 639		case AUDIT_OBJ_TYPE:
 640		case AUDIT_OBJ_LEV_LOW:
 641		case AUDIT_OBJ_LEV_HIGH:
 642			/* The above note for AUDIT_SUBJ_USER...AUDIT_SUBJ_CLR
 643			   also applies here */
 644			if (f->lsm_rule) {
 645				/* Find files that match */
 646				if (name) {
 647					result = security_audit_rule_match(
 648					           name->osid, f->type, f->op,
 649					           f->lsm_rule, ctx);
 
 
 650				} else if (ctx) {
 651					list_for_each_entry(n, &ctx->names_list, list) {
 652						if (security_audit_rule_match(n->osid, f->type,
 653									      f->op, f->lsm_rule,
 654									      ctx)) {
 
 
 655							++result;
 656							break;
 657						}
 658					}
 659				}
 660				/* Find ipc objects that match */
 661				if (!ctx || ctx->type != AUDIT_IPC)
 662					break;
 663				if (security_audit_rule_match(ctx->ipc.osid,
 664							      f->type, f->op,
 665							      f->lsm_rule, ctx))
 666					++result;
 667			}
 668			break;
 669		case AUDIT_ARG0:
 670		case AUDIT_ARG1:
 671		case AUDIT_ARG2:
 672		case AUDIT_ARG3:
 673			if (ctx)
 674				result = audit_comparator(ctx->argv[f->type-AUDIT_ARG0], f->op, f->val);
 675			break;
 676		case AUDIT_FILTERKEY:
 677			/* ignore this field for filtering */
 678			result = 1;
 679			break;
 680		case AUDIT_PERM:
 681			result = audit_match_perm(ctx, f->val);
 
 
 682			break;
 683		case AUDIT_FILETYPE:
 684			result = audit_match_filetype(ctx, f->val);
 
 
 685			break;
 686		case AUDIT_FIELD_COMPARE:
 687			result = audit_field_compare(tsk, cred, f, ctx, name);
 688			break;
 689		}
 690		if (!result)
 691			return 0;
 692	}
 693
 694	if (ctx) {
 695		if (rule->prio <= ctx->prio)
 696			return 0;
 697		if (rule->filterkey) {
 698			kfree(ctx->filterkey);
 699			ctx->filterkey = kstrdup(rule->filterkey, GFP_ATOMIC);
 700		}
 701		ctx->prio = rule->prio;
 702	}
 703	switch (rule->action) {
 704	case AUDIT_NEVER:
 705		*state = AUDIT_DISABLED;
 706		break;
 707	case AUDIT_ALWAYS:
 708		*state = AUDIT_RECORD_CONTEXT;
 709		break;
 710	}
 711	return 1;
 712}
 713
 714/* At process creation time, we can determine if system-call auditing is
 715 * completely disabled for this task.  Since we only have the task
 716 * structure at this point, we can only check uid and gid.
 717 */
 718static enum audit_state audit_filter_task(struct task_struct *tsk, char **key)
 719{
 720	struct audit_entry *e;
 721	enum audit_state   state;
 722
 723	rcu_read_lock();
 724	list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TASK], list) {
 725		if (audit_filter_rules(tsk, &e->rule, NULL, NULL,
 726				       &state, true)) {
 727			if (state == AUDIT_RECORD_CONTEXT)
 728				*key = kstrdup(e->rule.filterkey, GFP_ATOMIC);
 729			rcu_read_unlock();
 730			return state;
 731		}
 732	}
 733	rcu_read_unlock();
 734	return AUDIT_BUILD_CONTEXT;
 735}
 736
 737static int audit_in_mask(const struct audit_krule *rule, unsigned long val)
 738{
 739	int word, bit;
 740
 741	if (val > 0xffffffff)
 742		return false;
 743
 744	word = AUDIT_WORD(val);
 745	if (word >= AUDIT_BITMASK_SIZE)
 746		return false;
 747
 748	bit = AUDIT_BIT(val);
 749
 750	return rule->mask[word] & bit;
 751}
 752
 753/* At syscall entry and exit time, this filter is called if the
 754 * audit_state is not low enough that auditing cannot take place, but is
 755 * also not high enough that we already know we have to write an audit
 756 * record (i.e., the state is AUDIT_SETUP_CONTEXT or AUDIT_BUILD_CONTEXT).
 757 */
 758static enum audit_state audit_filter_syscall(struct task_struct *tsk,
 759					     struct audit_context *ctx,
 760					     struct list_head *list)
 761{
 762	struct audit_entry *e;
 763	enum audit_state state;
 764
 765	if (auditd_test_task(tsk))
 766		return AUDIT_DISABLED;
 767
 768	rcu_read_lock();
 769	if (!list_empty(list)) {
 770		list_for_each_entry_rcu(e, list, list) {
 771			if (audit_in_mask(&e->rule, ctx->major) &&
 772			    audit_filter_rules(tsk, &e->rule, ctx, NULL,
 773					       &state, false)) {
 774				rcu_read_unlock();
 775				ctx->current_state = state;
 776				return state;
 777			}
 778		}
 779	}
 780	rcu_read_unlock();
 781	return AUDIT_BUILD_CONTEXT;
 782}
 783
 784/*
 785 * Given an audit_name check the inode hash table to see if they match.
 786 * Called holding the rcu read lock to protect the use of audit_inode_hash
 787 */
 788static int audit_filter_inode_name(struct task_struct *tsk,
 789				   struct audit_names *n,
 790				   struct audit_context *ctx) {
 791	int h = audit_hash_ino((u32)n->ino);
 792	struct list_head *list = &audit_inode_hash[h];
 793	struct audit_entry *e;
 794	enum audit_state state;
 795
 796	if (list_empty(list))
 797		return 0;
 798
 799	list_for_each_entry_rcu(e, list, list) {
 800		if (audit_in_mask(&e->rule, ctx->major) &&
 801		    audit_filter_rules(tsk, &e->rule, ctx, n, &state, false)) {
 802			ctx->current_state = state;
 803			return 1;
 804		}
 805	}
 806
 807	return 0;
 808}
 809
 810/* At syscall exit time, this filter is called if any audit_names have been
 811 * collected during syscall processing.  We only check rules in sublists at hash
 812 * buckets applicable to the inode numbers in audit_names.
 813 * Regarding audit_state, same rules apply as for audit_filter_syscall().
 814 */
 815void audit_filter_inodes(struct task_struct *tsk, struct audit_context *ctx)
 816{
 817	struct audit_names *n;
 818
 819	if (auditd_test_task(tsk))
 820		return;
 821
 822	rcu_read_lock();
 823
 824	list_for_each_entry(n, &ctx->names_list, list) {
 825		if (audit_filter_inode_name(tsk, n, ctx))
 826			break;
 827	}
 828	rcu_read_unlock();
 829}
 830
 831/* Transfer the audit context pointer to the caller, clearing it in the tsk's struct */
 832static inline struct audit_context *audit_take_context(struct task_struct *tsk,
 833						      int return_valid,
 834						      long return_code)
 835{
 836	struct audit_context *context = tsk->audit_context;
 837
 838	if (!context)
 839		return NULL;
 840	context->return_valid = return_valid;
 841
 842	/*
 843	 * we need to fix up the return code in the audit logs if the actual
 844	 * return codes are later going to be fixed up by the arch specific
 845	 * signal handlers
 846	 *
 847	 * This is actually a test for:
 848	 * (rc == ERESTARTSYS ) || (rc == ERESTARTNOINTR) ||
 849	 * (rc == ERESTARTNOHAND) || (rc == ERESTART_RESTARTBLOCK)
 850	 *
 851	 * but is faster than a bunch of ||
 852	 */
 853	if (unlikely(return_code <= -ERESTARTSYS) &&
 854	    (return_code >= -ERESTART_RESTARTBLOCK) &&
 855	    (return_code != -ENOIOCTLCMD))
 856		context->return_code = -EINTR;
 857	else
 858		context->return_code  = return_code;
 859
 860	if (context->in_syscall && !context->dummy) {
 861		audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_EXIT]);
 862		audit_filter_inodes(tsk, context);
 863	}
 864
 865	tsk->audit_context = NULL;
 866	return context;
 867}
 868
 869static inline void audit_proctitle_free(struct audit_context *context)
 870{
 871	kfree(context->proctitle.value);
 872	context->proctitle.value = NULL;
 873	context->proctitle.len = 0;
 874}
 875
 
 
 
 
 
 
 
 876static inline void audit_free_names(struct audit_context *context)
 877{
 878	struct audit_names *n, *next;
 879
 880	list_for_each_entry_safe(n, next, &context->names_list, list) {
 881		list_del(&n->list);
 882		if (n->name)
 883			putname(n->name);
 884		if (n->should_free)
 885			kfree(n);
 886	}
 887	context->name_count = 0;
 888	path_put(&context->pwd);
 889	context->pwd.dentry = NULL;
 890	context->pwd.mnt = NULL;
 891}
 892
 893static inline void audit_free_aux(struct audit_context *context)
 894{
 895	struct audit_aux_data *aux;
 896
 897	while ((aux = context->aux)) {
 898		context->aux = aux->next;
 899		kfree(aux);
 900	}
 901	while ((aux = context->aux_pids)) {
 902		context->aux_pids = aux->next;
 903		kfree(aux);
 904	}
 905}
 906
 907static inline struct audit_context *audit_alloc_context(enum audit_state state)
 908{
 909	struct audit_context *context;
 910
 911	context = kzalloc(sizeof(*context), GFP_KERNEL);
 912	if (!context)
 913		return NULL;
 914	context->state = state;
 915	context->prio = state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0;
 916	INIT_LIST_HEAD(&context->killed_trees);
 917	INIT_LIST_HEAD(&context->names_list);
 918	return context;
 919}
 920
 921/**
 922 * audit_alloc - allocate an audit context block for a task
 923 * @tsk: task
 924 *
 925 * Filter on the task information and allocate a per-task audit context
 926 * if necessary.  Doing so turns on system call auditing for the
 927 * specified task.  This is called from copy_process, so no lock is
 928 * needed.
 929 */
 930int audit_alloc(struct task_struct *tsk)
 931{
 932	struct audit_context *context;
 933	enum audit_state     state;
 934	char *key = NULL;
 935
 936	if (likely(!audit_ever_enabled))
 937		return 0; /* Return if not auditing. */
 938
 939	state = audit_filter_task(tsk, &key);
 940	if (state == AUDIT_DISABLED) {
 941		clear_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT);
 942		return 0;
 943	}
 944
 945	if (!(context = audit_alloc_context(state))) {
 946		kfree(key);
 947		audit_log_lost("out of memory in audit_alloc");
 948		return -ENOMEM;
 949	}
 950	context->filterkey = key;
 951
 952	tsk->audit_context  = context;
 953	set_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT);
 954	return 0;
 955}
 956
 957static inline void audit_free_context(struct audit_context *context)
 958{
 
 959	audit_free_names(context);
 960	unroll_tree_refs(context, NULL, 0);
 961	free_tree_refs(context);
 962	audit_free_aux(context);
 963	kfree(context->filterkey);
 964	kfree(context->sockaddr);
 965	audit_proctitle_free(context);
 966	kfree(context);
 967}
 968
 969static int audit_log_pid_context(struct audit_context *context, pid_t pid,
 970				 kuid_t auid, kuid_t uid, unsigned int sessionid,
 971				 u32 sid, char *comm)
 972{
 973	struct audit_buffer *ab;
 974	char *ctx = NULL;
 975	u32 len;
 976	int rc = 0;
 977
 978	ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID);
 979	if (!ab)
 980		return rc;
 981
 982	audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid,
 983			 from_kuid(&init_user_ns, auid),
 984			 from_kuid(&init_user_ns, uid), sessionid);
 985	if (sid) {
 986		if (security_secid_to_secctx(sid, &ctx, &len)) {
 987			audit_log_format(ab, " obj=(none)");
 988			rc = 1;
 989		} else {
 990			audit_log_format(ab, " obj=%s", ctx);
 991			security_release_secctx(ctx, len);
 992		}
 993	}
 994	audit_log_format(ab, " ocomm=");
 995	audit_log_untrustedstring(ab, comm);
 996	audit_log_end(ab);
 997
 998	return rc;
 999}
1000
1001static void audit_log_execve_info(struct audit_context *context,
1002				  struct audit_buffer **ab)
1003{
1004	long len_max;
1005	long len_rem;
1006	long len_full;
1007	long len_buf;
1008	long len_abuf = 0;
1009	long len_tmp;
1010	bool require_data;
1011	bool encode;
1012	unsigned int iter;
1013	unsigned int arg;
1014	char *buf_head;
1015	char *buf;
1016	const char __user *p = (const char __user *)current->mm->arg_start;
1017
1018	/* NOTE: this buffer needs to be large enough to hold all the non-arg
1019	 *       data we put in the audit record for this argument (see the
1020	 *       code below) ... at this point in time 96 is plenty */
1021	char abuf[96];
1022
1023	/* NOTE: we set MAX_EXECVE_AUDIT_LEN to a rather arbitrary limit, the
1024	 *       current value of 7500 is not as important as the fact that it
1025	 *       is less than 8k, a setting of 7500 gives us plenty of wiggle
1026	 *       room if we go over a little bit in the logging below */
1027	WARN_ON_ONCE(MAX_EXECVE_AUDIT_LEN > 7500);
1028	len_max = MAX_EXECVE_AUDIT_LEN;
1029
1030	/* scratch buffer to hold the userspace args */
1031	buf_head = kmalloc(MAX_EXECVE_AUDIT_LEN + 1, GFP_KERNEL);
1032	if (!buf_head) {
1033		audit_panic("out of memory for argv string");
1034		return;
1035	}
1036	buf = buf_head;
1037
1038	audit_log_format(*ab, "argc=%d", context->execve.argc);
1039
1040	len_rem = len_max;
1041	len_buf = 0;
1042	len_full = 0;
1043	require_data = true;
1044	encode = false;
1045	iter = 0;
1046	arg = 0;
1047	do {
1048		/* NOTE: we don't ever want to trust this value for anything
1049		 *       serious, but the audit record format insists we
1050		 *       provide an argument length for really long arguments,
1051		 *       e.g. > MAX_EXECVE_AUDIT_LEN, so we have no choice but
1052		 *       to use strncpy_from_user() to obtain this value for
1053		 *       recording in the log, although we don't use it
1054		 *       anywhere here to avoid a double-fetch problem */
1055		if (len_full == 0)
1056			len_full = strnlen_user(p, MAX_ARG_STRLEN) - 1;
1057
1058		/* read more data from userspace */
1059		if (require_data) {
1060			/* can we make more room in the buffer? */
1061			if (buf != buf_head) {
1062				memmove(buf_head, buf, len_buf);
1063				buf = buf_head;
1064			}
1065
1066			/* fetch as much as we can of the argument */
1067			len_tmp = strncpy_from_user(&buf_head[len_buf], p,
1068						    len_max - len_buf);
1069			if (len_tmp == -EFAULT) {
1070				/* unable to copy from userspace */
1071				send_sig(SIGKILL, current, 0);
1072				goto out;
1073			} else if (len_tmp == (len_max - len_buf)) {
1074				/* buffer is not large enough */
1075				require_data = true;
1076				/* NOTE: if we are going to span multiple
1077				 *       buffers force the encoding so we stand
1078				 *       a chance at a sane len_full value and
1079				 *       consistent record encoding */
1080				encode = true;
1081				len_full = len_full * 2;
1082				p += len_tmp;
1083			} else {
1084				require_data = false;
1085				if (!encode)
1086					encode = audit_string_contains_control(
1087								buf, len_tmp);
1088				/* try to use a trusted value for len_full */
1089				if (len_full < len_max)
1090					len_full = (encode ?
1091						    len_tmp * 2 : len_tmp);
1092				p += len_tmp + 1;
1093			}
1094			len_buf += len_tmp;
1095			buf_head[len_buf] = '\0';
1096
1097			/* length of the buffer in the audit record? */
1098			len_abuf = (encode ? len_buf * 2 : len_buf + 2);
1099		}
1100
1101		/* write as much as we can to the audit log */
1102		if (len_buf > 0) {
1103			/* NOTE: some magic numbers here - basically if we
1104			 *       can't fit a reasonable amount of data into the
1105			 *       existing audit buffer, flush it and start with
1106			 *       a new buffer */
1107			if ((sizeof(abuf) + 8) > len_rem) {
1108				len_rem = len_max;
1109				audit_log_end(*ab);
1110				*ab = audit_log_start(context,
1111						      GFP_KERNEL, AUDIT_EXECVE);
1112				if (!*ab)
1113					goto out;
1114			}
1115
1116			/* create the non-arg portion of the arg record */
1117			len_tmp = 0;
1118			if (require_data || (iter > 0) ||
1119			    ((len_abuf + sizeof(abuf)) > len_rem)) {
1120				if (iter == 0) {
1121					len_tmp += snprintf(&abuf[len_tmp],
1122							sizeof(abuf) - len_tmp,
1123							" a%d_len=%lu",
1124							arg, len_full);
1125				}
1126				len_tmp += snprintf(&abuf[len_tmp],
1127						    sizeof(abuf) - len_tmp,
1128						    " a%d[%d]=", arg, iter++);
1129			} else
1130				len_tmp += snprintf(&abuf[len_tmp],
1131						    sizeof(abuf) - len_tmp,
1132						    " a%d=", arg);
1133			WARN_ON(len_tmp >= sizeof(abuf));
1134			abuf[sizeof(abuf) - 1] = '\0';
1135
1136			/* log the arg in the audit record */
1137			audit_log_format(*ab, "%s", abuf);
1138			len_rem -= len_tmp;
1139			len_tmp = len_buf;
1140			if (encode) {
1141				if (len_abuf > len_rem)
1142					len_tmp = len_rem / 2; /* encoding */
1143				audit_log_n_hex(*ab, buf, len_tmp);
1144				len_rem -= len_tmp * 2;
1145				len_abuf -= len_tmp * 2;
1146			} else {
1147				if (len_abuf > len_rem)
1148					len_tmp = len_rem - 2; /* quotes */
1149				audit_log_n_string(*ab, buf, len_tmp);
1150				len_rem -= len_tmp + 2;
1151				/* don't subtract the "2" because we still need
1152				 * to add quotes to the remaining string */
1153				len_abuf -= len_tmp;
1154			}
1155			len_buf -= len_tmp;
1156			buf += len_tmp;
1157		}
1158
1159		/* ready to move to the next argument? */
1160		if ((len_buf == 0) && !require_data) {
1161			arg++;
1162			iter = 0;
1163			len_full = 0;
1164			require_data = true;
1165			encode = false;
1166		}
1167	} while (arg < context->execve.argc);
1168
1169	/* NOTE: the caller handles the final audit_log_end() call */
1170
1171out:
1172	kfree(buf_head);
1173}
1174
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1175static void show_special(struct audit_context *context, int *call_panic)
1176{
1177	struct audit_buffer *ab;
1178	int i;
1179
1180	ab = audit_log_start(context, GFP_KERNEL, context->type);
1181	if (!ab)
1182		return;
1183
1184	switch (context->type) {
1185	case AUDIT_SOCKETCALL: {
1186		int nargs = context->socketcall.nargs;
1187		audit_log_format(ab, "nargs=%d", nargs);
1188		for (i = 0; i < nargs; i++)
1189			audit_log_format(ab, " a%d=%lx", i,
1190				context->socketcall.args[i]);
1191		break; }
1192	case AUDIT_IPC: {
1193		u32 osid = context->ipc.osid;
1194
1195		audit_log_format(ab, "ouid=%u ogid=%u mode=%#ho",
1196				 from_kuid(&init_user_ns, context->ipc.uid),
1197				 from_kgid(&init_user_ns, context->ipc.gid),
1198				 context->ipc.mode);
1199		if (osid) {
1200			char *ctx = NULL;
1201			u32 len;
1202			if (security_secid_to_secctx(osid, &ctx, &len)) {
1203				audit_log_format(ab, " osid=%u", osid);
1204				*call_panic = 1;
1205			} else {
1206				audit_log_format(ab, " obj=%s", ctx);
1207				security_release_secctx(ctx, len);
1208			}
1209		}
1210		if (context->ipc.has_perm) {
1211			audit_log_end(ab);
1212			ab = audit_log_start(context, GFP_KERNEL,
1213					     AUDIT_IPC_SET_PERM);
1214			if (unlikely(!ab))
1215				return;
1216			audit_log_format(ab,
1217				"qbytes=%lx ouid=%u ogid=%u mode=%#ho",
1218				context->ipc.qbytes,
1219				context->ipc.perm_uid,
1220				context->ipc.perm_gid,
1221				context->ipc.perm_mode);
1222		}
1223		break; }
1224	case AUDIT_MQ_OPEN: {
1225		audit_log_format(ab,
1226			"oflag=0x%x mode=%#ho mq_flags=0x%lx mq_maxmsg=%ld "
1227			"mq_msgsize=%ld mq_curmsgs=%ld",
1228			context->mq_open.oflag, context->mq_open.mode,
1229			context->mq_open.attr.mq_flags,
1230			context->mq_open.attr.mq_maxmsg,
1231			context->mq_open.attr.mq_msgsize,
1232			context->mq_open.attr.mq_curmsgs);
1233		break; }
1234	case AUDIT_MQ_SENDRECV: {
1235		audit_log_format(ab,
1236			"mqdes=%d msg_len=%zd msg_prio=%u "
1237			"abs_timeout_sec=%ld abs_timeout_nsec=%ld",
1238			context->mq_sendrecv.mqdes,
1239			context->mq_sendrecv.msg_len,
1240			context->mq_sendrecv.msg_prio,
1241			context->mq_sendrecv.abs_timeout.tv_sec,
1242			context->mq_sendrecv.abs_timeout.tv_nsec);
1243		break; }
1244	case AUDIT_MQ_NOTIFY: {
1245		audit_log_format(ab, "mqdes=%d sigev_signo=%d",
1246				context->mq_notify.mqdes,
1247				context->mq_notify.sigev_signo);
1248		break; }
1249	case AUDIT_MQ_GETSETATTR: {
1250		struct mq_attr *attr = &context->mq_getsetattr.mqstat;
1251		audit_log_format(ab,
1252			"mqdes=%d mq_flags=0x%lx mq_maxmsg=%ld mq_msgsize=%ld "
1253			"mq_curmsgs=%ld ",
1254			context->mq_getsetattr.mqdes,
1255			attr->mq_flags, attr->mq_maxmsg,
1256			attr->mq_msgsize, attr->mq_curmsgs);
1257		break; }
1258	case AUDIT_CAPSET: {
1259		audit_log_format(ab, "pid=%d", context->capset.pid);
1260		audit_log_cap(ab, "cap_pi", &context->capset.cap.inheritable);
1261		audit_log_cap(ab, "cap_pp", &context->capset.cap.permitted);
1262		audit_log_cap(ab, "cap_pe", &context->capset.cap.effective);
1263		break; }
1264	case AUDIT_MMAP: {
 
1265		audit_log_format(ab, "fd=%d flags=0x%x", context->mmap.fd,
1266				 context->mmap.flags);
1267		break; }
1268	case AUDIT_EXECVE: {
1269		audit_log_execve_info(context, &ab);
1270		break; }
 
 
 
 
 
 
 
 
1271	}
1272	audit_log_end(ab);
1273}
1274
1275static inline int audit_proctitle_rtrim(char *proctitle, int len)
1276{
1277	char *end = proctitle + len - 1;
1278	while (end > proctitle && !isprint(*end))
1279		end--;
1280
1281	/* catch the case where proctitle is only 1 non-print character */
1282	len = end - proctitle + 1;
1283	len -= isprint(proctitle[len-1]) == 0;
1284	return len;
1285}
1286
1287static void audit_log_proctitle(struct task_struct *tsk,
1288			 struct audit_context *context)
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1289{
1290	int res;
1291	char *buf;
1292	char *msg = "(null)";
1293	int len = strlen(msg);
 
1294	struct audit_buffer *ab;
1295
 
 
 
1296	ab = audit_log_start(context, GFP_KERNEL, AUDIT_PROCTITLE);
1297	if (!ab)
1298		return;	/* audit_panic or being filtered */
1299
1300	audit_log_format(ab, "proctitle=");
1301
1302	/* Not  cached */
1303	if (!context->proctitle.value) {
1304		buf = kmalloc(MAX_PROCTITLE_AUDIT_LEN, GFP_KERNEL);
1305		if (!buf)
1306			goto out;
1307		/* Historically called this from procfs naming */
1308		res = get_cmdline(tsk, buf, MAX_PROCTITLE_AUDIT_LEN);
1309		if (res == 0) {
1310			kfree(buf);
1311			goto out;
1312		}
1313		res = audit_proctitle_rtrim(buf, res);
1314		if (res == 0) {
1315			kfree(buf);
1316			goto out;
1317		}
1318		context->proctitle.value = buf;
1319		context->proctitle.len = res;
1320	}
1321	msg = context->proctitle.value;
1322	len = context->proctitle.len;
1323out:
1324	audit_log_n_untrustedstring(ab, msg, len);
1325	audit_log_end(ab);
1326}
1327
1328static void audit_log_exit(struct audit_context *context, struct task_struct *tsk)
1329{
1330	int i, call_panic = 0;
 
1331	struct audit_buffer *ab;
1332	struct audit_aux_data *aux;
1333	struct audit_names *n;
1334
1335	/* tsk == current */
1336	context->personality = tsk->personality;
1337
1338	ab = audit_log_start(context, GFP_KERNEL, AUDIT_SYSCALL);
1339	if (!ab)
1340		return;		/* audit_panic has been called */
1341	audit_log_format(ab, "arch=%x syscall=%d",
1342			 context->arch, context->major);
1343	if (context->personality != PER_LINUX)
1344		audit_log_format(ab, " per=%lx", context->personality);
1345	if (context->return_valid)
1346		audit_log_format(ab, " success=%s exit=%ld",
1347				 (context->return_valid==AUDITSC_SUCCESS)?"yes":"no",
1348				 context->return_code);
1349
1350	audit_log_format(ab,
1351			 " a0=%lx a1=%lx a2=%lx a3=%lx items=%d",
1352			 context->argv[0],
1353			 context->argv[1],
1354			 context->argv[2],
1355			 context->argv[3],
1356			 context->name_count);
1357
1358	audit_log_task_info(ab, tsk);
1359	audit_log_key(ab, context->filterkey);
1360	audit_log_end(ab);
1361
1362	for (aux = context->aux; aux; aux = aux->next) {
1363
1364		ab = audit_log_start(context, GFP_KERNEL, aux->type);
1365		if (!ab)
1366			continue; /* audit_panic has been called */
1367
1368		switch (aux->type) {
1369
1370		case AUDIT_BPRM_FCAPS: {
1371			struct audit_aux_data_bprm_fcaps *axs = (void *)aux;
1372			audit_log_format(ab, "fver=%x", axs->fcap_ver);
1373			audit_log_cap(ab, "fp", &axs->fcap.permitted);
1374			audit_log_cap(ab, "fi", &axs->fcap.inheritable);
1375			audit_log_format(ab, " fe=%d", axs->fcap.fE);
1376			audit_log_cap(ab, "old_pp", &axs->old_pcap.permitted);
1377			audit_log_cap(ab, "old_pi", &axs->old_pcap.inheritable);
1378			audit_log_cap(ab, "old_pe", &axs->old_pcap.effective);
1379			audit_log_cap(ab, "new_pp", &axs->new_pcap.permitted);
1380			audit_log_cap(ab, "new_pi", &axs->new_pcap.inheritable);
1381			audit_log_cap(ab, "new_pe", &axs->new_pcap.effective);
 
 
 
 
 
1382			break; }
1383
1384		}
1385		audit_log_end(ab);
1386	}
1387
1388	if (context->type)
1389		show_special(context, &call_panic);
1390
1391	if (context->fds[0] >= 0) {
1392		ab = audit_log_start(context, GFP_KERNEL, AUDIT_FD_PAIR);
1393		if (ab) {
1394			audit_log_format(ab, "fd0=%d fd1=%d",
1395					context->fds[0], context->fds[1]);
1396			audit_log_end(ab);
1397		}
1398	}
1399
1400	if (context->sockaddr_len) {
1401		ab = audit_log_start(context, GFP_KERNEL, AUDIT_SOCKADDR);
1402		if (ab) {
1403			audit_log_format(ab, "saddr=");
1404			audit_log_n_hex(ab, (void *)context->sockaddr,
1405					context->sockaddr_len);
1406			audit_log_end(ab);
1407		}
1408	}
1409
1410	for (aux = context->aux_pids; aux; aux = aux->next) {
1411		struct audit_aux_data_pids *axs = (void *)aux;
1412
1413		for (i = 0; i < axs->pid_count; i++)
1414			if (audit_log_pid_context(context, axs->target_pid[i],
1415						  axs->target_auid[i],
1416						  axs->target_uid[i],
1417						  axs->target_sessionid[i],
1418						  axs->target_sid[i],
1419						  axs->target_comm[i]))
1420				call_panic = 1;
1421	}
1422
1423	if (context->target_pid &&
1424	    audit_log_pid_context(context, context->target_pid,
1425				  context->target_auid, context->target_uid,
1426				  context->target_sessionid,
1427				  context->target_sid, context->target_comm))
1428			call_panic = 1;
1429
1430	if (context->pwd.dentry && context->pwd.mnt) {
1431		ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD);
1432		if (ab) {
1433			audit_log_d_path(ab, "cwd=", &context->pwd);
1434			audit_log_end(ab);
1435		}
1436	}
1437
1438	i = 0;
1439	list_for_each_entry(n, &context->names_list, list) {
1440		if (n->hidden)
1441			continue;
1442		audit_log_name(context, n, NULL, i++, &call_panic);
1443	}
1444
1445	audit_log_proctitle(tsk, context);
1446
1447	/* Send end of event record to help user space know we are finished */
1448	ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE);
1449	if (ab)
1450		audit_log_end(ab);
1451	if (call_panic)
1452		audit_panic("error converting sid to string");
1453}
1454
1455/**
1456 * audit_free - free a per-task audit context
1457 * @tsk: task whose audit context block to free
1458 *
1459 * Called from copy_process and do_exit
1460 */
1461void __audit_free(struct task_struct *tsk)
1462{
1463	struct audit_context *context;
1464
1465	context = audit_take_context(tsk, 0, 0);
1466	if (!context)
1467		return;
1468
1469	/* Check for system calls that do not go through the exit
1470	 * function (e.g., exit_group), then free context block.
1471	 * We use GFP_ATOMIC here because we might be doing this
1472	 * in the context of the idle thread */
1473	/* that can happen only if we are called from do_exit() */
1474	if (context->in_syscall && context->current_state == AUDIT_RECORD_CONTEXT)
1475		audit_log_exit(context, tsk);
1476	if (!list_empty(&context->killed_trees))
1477		audit_kill_trees(&context->killed_trees);
 
 
 
 
 
 
 
 
 
1478
 
 
 
 
 
 
 
 
1479	audit_free_context(context);
1480}
1481
1482/**
1483 * audit_syscall_entry - fill in an audit record at syscall entry
1484 * @major: major syscall type (function)
1485 * @a1: additional syscall register 1
1486 * @a2: additional syscall register 2
1487 * @a3: additional syscall register 3
1488 * @a4: additional syscall register 4
1489 *
1490 * Fill in audit context at syscall entry.  This only happens if the
1491 * audit context was created when the task was created and the state or
1492 * filters demand the audit context be built.  If the state from the
1493 * per-task filter or from the per-syscall filter is AUDIT_RECORD_CONTEXT,
1494 * then the record will be written at syscall exit time (otherwise, it
1495 * will only be written if another part of the kernel requests that it
1496 * be written).
1497 */
1498void __audit_syscall_entry(int major, unsigned long a1, unsigned long a2,
1499			   unsigned long a3, unsigned long a4)
1500{
1501	struct task_struct *tsk = current;
1502	struct audit_context *context = tsk->audit_context;
1503	enum audit_state     state;
1504
1505	if (!context)
1506		return;
1507
1508	BUG_ON(context->in_syscall || context->name_count);
1509
1510	if (!audit_enabled)
 
1511		return;
1512
1513	context->arch	    = syscall_get_arch();
1514	context->major      = major;
1515	context->argv[0]    = a1;
1516	context->argv[1]    = a2;
1517	context->argv[2]    = a3;
1518	context->argv[3]    = a4;
1519
1520	state = context->state;
1521	context->dummy = !audit_n_rules;
1522	if (!context->dummy && state == AUDIT_BUILD_CONTEXT) {
1523		context->prio = 0;
1524		state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_ENTRY]);
 
1525	}
1526	if (state == AUDIT_DISABLED)
1527		return;
1528
 
 
 
 
 
 
1529	context->serial     = 0;
1530	context->ctime      = CURRENT_TIME;
1531	context->in_syscall = 1;
1532	context->current_state  = state;
1533	context->ppid       = 0;
 
1534}
1535
1536/**
1537 * audit_syscall_exit - deallocate audit context after a system call
1538 * @success: success value of the syscall
1539 * @return_code: return value of the syscall
1540 *
1541 * Tear down after system call.  If the audit context has been marked as
1542 * auditable (either because of the AUDIT_RECORD_CONTEXT state from
1543 * filtering, or because some other part of the kernel wrote an audit
1544 * message), then write out the syscall information.  In call cases,
1545 * free the names stored from getname().
1546 */
1547void __audit_syscall_exit(int success, long return_code)
1548{
1549	struct task_struct *tsk = current;
1550	struct audit_context *context;
1551
1552	if (success)
1553		success = AUDITSC_SUCCESS;
1554	else
1555		success = AUDITSC_FAILURE;
1556
1557	context = audit_take_context(tsk, success, return_code);
1558	if (!context)
1559		return;
1560
1561	if (context->in_syscall && context->current_state == AUDIT_RECORD_CONTEXT)
1562		audit_log_exit(context, tsk);
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1563
1564	context->in_syscall = 0;
1565	context->prio = context->state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0;
1566
1567	if (!list_empty(&context->killed_trees))
1568		audit_kill_trees(&context->killed_trees);
1569
1570	audit_free_names(context);
1571	unroll_tree_refs(context, NULL, 0);
1572	audit_free_aux(context);
1573	context->aux = NULL;
1574	context->aux_pids = NULL;
1575	context->target_pid = 0;
1576	context->target_sid = 0;
1577	context->sockaddr_len = 0;
1578	context->type = 0;
1579	context->fds[0] = -1;
1580	if (context->state != AUDIT_RECORD_CONTEXT) {
1581		kfree(context->filterkey);
1582		context->filterkey = NULL;
1583	}
1584	tsk->audit_context = context;
1585}
1586
1587static inline void handle_one(const struct inode *inode)
1588{
1589#ifdef CONFIG_AUDIT_TREE
1590	struct audit_context *context;
1591	struct audit_tree_refs *p;
1592	struct audit_chunk *chunk;
1593	int count;
1594	if (likely(hlist_empty(&inode->i_fsnotify_marks)))
1595		return;
1596	context = current->audit_context;
1597	p = context->trees;
1598	count = context->tree_count;
1599	rcu_read_lock();
1600	chunk = audit_tree_lookup(inode);
1601	rcu_read_unlock();
1602	if (!chunk)
1603		return;
1604	if (likely(put_tree_ref(context, chunk)))
1605		return;
1606	if (unlikely(!grow_tree_refs(context))) {
1607		pr_warn("out of memory, audit has lost a tree reference\n");
1608		audit_set_auditable(context);
1609		audit_put_chunk(chunk);
1610		unroll_tree_refs(context, p, count);
1611		return;
1612	}
1613	put_tree_ref(context, chunk);
1614#endif
1615}
1616
1617static void handle_path(const struct dentry *dentry)
1618{
1619#ifdef CONFIG_AUDIT_TREE
1620	struct audit_context *context;
1621	struct audit_tree_refs *p;
1622	const struct dentry *d, *parent;
1623	struct audit_chunk *drop;
1624	unsigned long seq;
1625	int count;
1626
1627	context = current->audit_context;
1628	p = context->trees;
1629	count = context->tree_count;
1630retry:
1631	drop = NULL;
1632	d = dentry;
1633	rcu_read_lock();
1634	seq = read_seqbegin(&rename_lock);
1635	for(;;) {
1636		struct inode *inode = d_backing_inode(d);
1637		if (inode && unlikely(!hlist_empty(&inode->i_fsnotify_marks))) {
1638			struct audit_chunk *chunk;
1639			chunk = audit_tree_lookup(inode);
1640			if (chunk) {
1641				if (unlikely(!put_tree_ref(context, chunk))) {
1642					drop = chunk;
1643					break;
1644				}
1645			}
1646		}
1647		parent = d->d_parent;
1648		if (parent == d)
1649			break;
1650		d = parent;
1651	}
1652	if (unlikely(read_seqretry(&rename_lock, seq) || drop)) {  /* in this order */
1653		rcu_read_unlock();
1654		if (!drop) {
1655			/* just a race with rename */
1656			unroll_tree_refs(context, p, count);
1657			goto retry;
1658		}
1659		audit_put_chunk(drop);
1660		if (grow_tree_refs(context)) {
1661			/* OK, got more space */
1662			unroll_tree_refs(context, p, count);
1663			goto retry;
1664		}
1665		/* too bad */
1666		pr_warn("out of memory, audit has lost a tree reference\n");
1667		unroll_tree_refs(context, p, count);
1668		audit_set_auditable(context);
1669		return;
1670	}
1671	rcu_read_unlock();
1672#endif
1673}
1674
1675static struct audit_names *audit_alloc_name(struct audit_context *context,
1676						unsigned char type)
1677{
1678	struct audit_names *aname;
1679
1680	if (context->name_count < AUDIT_NAMES) {
1681		aname = &context->preallocated_names[context->name_count];
1682		memset(aname, 0, sizeof(*aname));
1683	} else {
1684		aname = kzalloc(sizeof(*aname), GFP_NOFS);
1685		if (!aname)
1686			return NULL;
1687		aname->should_free = true;
1688	}
1689
1690	aname->ino = AUDIT_INO_UNSET;
1691	aname->type = type;
1692	list_add_tail(&aname->list, &context->names_list);
1693
1694	context->name_count++;
1695	return aname;
1696}
1697
1698/**
1699 * audit_reusename - fill out filename with info from existing entry
1700 * @uptr: userland ptr to pathname
1701 *
1702 * Search the audit_names list for the current audit context. If there is an
1703 * existing entry with a matching "uptr" then return the filename
1704 * associated with that audit_name. If not, return NULL.
1705 */
1706struct filename *
1707__audit_reusename(const __user char *uptr)
1708{
1709	struct audit_context *context = current->audit_context;
1710	struct audit_names *n;
1711
1712	list_for_each_entry(n, &context->names_list, list) {
1713		if (!n->name)
1714			continue;
1715		if (n->name->uptr == uptr) {
1716			n->name->refcnt++;
1717			return n->name;
1718		}
1719	}
1720	return NULL;
1721}
1722
1723/**
1724 * audit_getname - add a name to the list
1725 * @name: name to add
1726 *
1727 * Add a name to the list of audit names for this context.
1728 * Called from fs/namei.c:getname().
1729 */
1730void __audit_getname(struct filename *name)
1731{
1732	struct audit_context *context = current->audit_context;
1733	struct audit_names *n;
1734
1735	if (!context->in_syscall)
1736		return;
1737
1738	n = audit_alloc_name(context, AUDIT_TYPE_UNKNOWN);
1739	if (!n)
1740		return;
1741
1742	n->name = name;
1743	n->name_len = AUDIT_NAME_FULL;
1744	name->aname = n;
1745	name->refcnt++;
1746
1747	if (!context->pwd.dentry)
1748		get_fs_pwd(current->fs, &context->pwd);
1749}
1750
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1751/**
1752 * __audit_inode - store the inode and device from a lookup
1753 * @name: name being audited
1754 * @dentry: dentry being audited
1755 * @flags: attributes for this particular entry
1756 */
1757void __audit_inode(struct filename *name, const struct dentry *dentry,
1758		   unsigned int flags)
1759{
1760	struct audit_context *context = current->audit_context;
1761	struct inode *inode = d_backing_inode(dentry);
1762	struct audit_names *n;
1763	bool parent = flags & AUDIT_INODE_PARENT;
 
 
 
1764
1765	if (!context->in_syscall)
1766		return;
1767
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1768	if (!name)
1769		goto out_alloc;
1770
1771	/*
1772	 * If we have a pointer to an audit_names entry already, then we can
1773	 * just use it directly if the type is correct.
1774	 */
1775	n = name->aname;
1776	if (n) {
1777		if (parent) {
1778			if (n->type == AUDIT_TYPE_PARENT ||
1779			    n->type == AUDIT_TYPE_UNKNOWN)
1780				goto out;
1781		} else {
1782			if (n->type != AUDIT_TYPE_PARENT)
1783				goto out;
1784		}
1785	}
1786
1787	list_for_each_entry_reverse(n, &context->names_list, list) {
1788		if (n->ino) {
1789			/* valid inode number, use that for the comparison */
1790			if (n->ino != inode->i_ino ||
1791			    n->dev != inode->i_sb->s_dev)
1792				continue;
1793		} else if (n->name) {
1794			/* inode number has not been set, check the name */
1795			if (strcmp(n->name->name, name->name))
1796				continue;
1797		} else
1798			/* no inode and no name (?!) ... this is odd ... */
1799			continue;
1800
1801		/* match the correct record type */
1802		if (parent) {
1803			if (n->type == AUDIT_TYPE_PARENT ||
1804			    n->type == AUDIT_TYPE_UNKNOWN)
1805				goto out;
1806		} else {
1807			if (n->type != AUDIT_TYPE_PARENT)
1808				goto out;
1809		}
1810	}
1811
1812out_alloc:
1813	/* unable to find an entry with both a matching name and type */
1814	n = audit_alloc_name(context, AUDIT_TYPE_UNKNOWN);
1815	if (!n)
1816		return;
1817	if (name) {
1818		n->name = name;
1819		name->refcnt++;
1820	}
1821
1822out:
1823	if (parent) {
1824		n->name_len = n->name ? parent_len(n->name->name) : AUDIT_NAME_FULL;
1825		n->type = AUDIT_TYPE_PARENT;
1826		if (flags & AUDIT_INODE_HIDDEN)
1827			n->hidden = true;
1828	} else {
1829		n->name_len = AUDIT_NAME_FULL;
1830		n->type = AUDIT_TYPE_NORMAL;
1831	}
1832	handle_path(dentry);
1833	audit_copy_inode(n, dentry, inode);
1834}
1835
1836void __audit_file(const struct file *file)
1837{
1838	__audit_inode(NULL, file->f_path.dentry, 0);
1839}
1840
1841/**
1842 * __audit_inode_child - collect inode info for created/removed objects
1843 * @parent: inode of dentry parent
1844 * @dentry: dentry being audited
1845 * @type:   AUDIT_TYPE_* value that we're looking for
1846 *
1847 * For syscalls that create or remove filesystem objects, audit_inode
1848 * can only collect information for the filesystem object's parent.
1849 * This call updates the audit context with the child's information.
1850 * Syscalls that create a new filesystem object must be hooked after
1851 * the object is created.  Syscalls that remove a filesystem object
1852 * must be hooked prior, in order to capture the target inode during
1853 * unsuccessful attempts.
1854 */
1855void __audit_inode_child(struct inode *parent,
1856			 const struct dentry *dentry,
1857			 const unsigned char type)
1858{
1859	struct audit_context *context = current->audit_context;
1860	struct inode *inode = d_backing_inode(dentry);
1861	const char *dname = dentry->d_name.name;
1862	struct audit_names *n, *found_parent = NULL, *found_child = NULL;
 
 
 
1863
1864	if (!context->in_syscall)
1865		return;
1866
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1867	if (inode)
1868		handle_one(inode);
1869
1870	/* look for a parent entry first */
1871	list_for_each_entry(n, &context->names_list, list) {
1872		if (!n->name ||
1873		    (n->type != AUDIT_TYPE_PARENT &&
1874		     n->type != AUDIT_TYPE_UNKNOWN))
1875			continue;
1876
1877		if (n->ino == parent->i_ino && n->dev == parent->i_sb->s_dev &&
1878		    !audit_compare_dname_path(dname,
1879					      n->name->name, n->name_len)) {
1880			if (n->type == AUDIT_TYPE_UNKNOWN)
1881				n->type = AUDIT_TYPE_PARENT;
1882			found_parent = n;
1883			break;
1884		}
1885	}
1886
1887	/* is there a matching child entry? */
1888	list_for_each_entry(n, &context->names_list, list) {
1889		/* can only match entries that have a name */
1890		if (!n->name ||
1891		    (n->type != type && n->type != AUDIT_TYPE_UNKNOWN))
1892			continue;
1893
1894		if (!strcmp(dname, n->name->name) ||
1895		    !audit_compare_dname_path(dname, n->name->name,
1896						found_parent ?
1897						found_parent->name_len :
1898						AUDIT_NAME_FULL)) {
1899			if (n->type == AUDIT_TYPE_UNKNOWN)
1900				n->type = type;
1901			found_child = n;
1902			break;
1903		}
1904	}
1905
1906	if (!found_parent) {
1907		/* create a new, "anonymous" parent record */
1908		n = audit_alloc_name(context, AUDIT_TYPE_PARENT);
1909		if (!n)
1910			return;
1911		audit_copy_inode(n, NULL, parent);
1912	}
1913
1914	if (!found_child) {
1915		found_child = audit_alloc_name(context, type);
1916		if (!found_child)
1917			return;
1918
1919		/* Re-use the name belonging to the slot for a matching parent
1920		 * directory. All names for this context are relinquished in
1921		 * audit_free_names() */
1922		if (found_parent) {
1923			found_child->name = found_parent->name;
1924			found_child->name_len = AUDIT_NAME_FULL;
1925			found_child->name->refcnt++;
1926		}
1927	}
1928
1929	if (inode)
1930		audit_copy_inode(found_child, dentry, inode);
1931	else
1932		found_child->ino = AUDIT_INO_UNSET;
1933}
1934EXPORT_SYMBOL_GPL(__audit_inode_child);
1935
1936/**
1937 * auditsc_get_stamp - get local copies of audit_context values
1938 * @ctx: audit_context for the task
1939 * @t: timespec to store time recorded in the audit_context
1940 * @serial: serial value that is recorded in the audit_context
1941 *
1942 * Also sets the context as auditable.
1943 */
1944int auditsc_get_stamp(struct audit_context *ctx,
1945		       struct timespec *t, unsigned int *serial)
1946{
1947	if (!ctx->in_syscall)
1948		return 0;
1949	if (!ctx->serial)
1950		ctx->serial = audit_serial();
1951	t->tv_sec  = ctx->ctime.tv_sec;
1952	t->tv_nsec = ctx->ctime.tv_nsec;
1953	*serial    = ctx->serial;
1954	if (!ctx->prio) {
1955		ctx->prio = 1;
1956		ctx->current_state = AUDIT_RECORD_CONTEXT;
1957	}
1958	return 1;
1959}
1960
1961/* global counter which is incremented every time something logs in */
1962static atomic_t session_id = ATOMIC_INIT(0);
1963
1964static int audit_set_loginuid_perm(kuid_t loginuid)
1965{
1966	/* if we are unset, we don't need privs */
1967	if (!audit_loginuid_set(current))
1968		return 0;
1969	/* if AUDIT_FEATURE_LOGINUID_IMMUTABLE means never ever allow a change*/
1970	if (is_audit_feature_set(AUDIT_FEATURE_LOGINUID_IMMUTABLE))
1971		return -EPERM;
1972	/* it is set, you need permission */
1973	if (!capable(CAP_AUDIT_CONTROL))
1974		return -EPERM;
1975	/* reject if this is not an unset and we don't allow that */
1976	if (is_audit_feature_set(AUDIT_FEATURE_ONLY_UNSET_LOGINUID) && uid_valid(loginuid))
1977		return -EPERM;
1978	return 0;
1979}
1980
1981static void audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid,
1982				   unsigned int oldsessionid, unsigned int sessionid,
1983				   int rc)
1984{
1985	struct audit_buffer *ab;
1986	uid_t uid, oldloginuid, loginuid;
1987	struct tty_struct *tty;
1988
1989	if (!audit_enabled)
1990		return;
1991
1992	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN);
1993	if (!ab)
1994		return;
1995
1996	uid = from_kuid(&init_user_ns, task_uid(current));
1997	oldloginuid = from_kuid(&init_user_ns, koldloginuid);
1998	loginuid = from_kuid(&init_user_ns, kloginuid),
1999	tty = audit_get_tty(current);
2000
2001	audit_log_format(ab, "pid=%d uid=%u", task_tgid_nr(current), uid);
2002	audit_log_task_context(ab);
2003	audit_log_format(ab, " old-auid=%u auid=%u tty=%s old-ses=%u ses=%u res=%d",
2004			 oldloginuid, loginuid, tty ? tty_name(tty) : "(none)",
2005			 oldsessionid, sessionid, !rc);
2006	audit_put_tty(tty);
2007	audit_log_end(ab);
2008}
2009
2010/**
2011 * audit_set_loginuid - set current task's audit_context loginuid
2012 * @loginuid: loginuid value
2013 *
2014 * Returns 0.
2015 *
2016 * Called (set) from fs/proc/base.c::proc_loginuid_write().
2017 */
2018int audit_set_loginuid(kuid_t loginuid)
2019{
2020	struct task_struct *task = current;
2021	unsigned int oldsessionid, sessionid = (unsigned int)-1;
2022	kuid_t oldloginuid;
2023	int rc;
2024
2025	oldloginuid = audit_get_loginuid(current);
2026	oldsessionid = audit_get_sessionid(current);
2027
2028	rc = audit_set_loginuid_perm(loginuid);
2029	if (rc)
2030		goto out;
2031
2032	/* are we setting or clearing? */
2033	if (uid_valid(loginuid)) {
2034		sessionid = (unsigned int)atomic_inc_return(&session_id);
2035		if (unlikely(sessionid == (unsigned int)-1))
2036			sessionid = (unsigned int)atomic_inc_return(&session_id);
2037	}
2038
2039	task->sessionid = sessionid;
2040	task->loginuid = loginuid;
2041out:
2042	audit_log_set_loginuid(oldloginuid, loginuid, oldsessionid, sessionid, rc);
2043	return rc;
2044}
2045
2046/**
2047 * __audit_mq_open - record audit data for a POSIX MQ open
2048 * @oflag: open flag
2049 * @mode: mode bits
2050 * @attr: queue attributes
2051 *
2052 */
2053void __audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr)
2054{
2055	struct audit_context *context = current->audit_context;
2056
2057	if (attr)
2058		memcpy(&context->mq_open.attr, attr, sizeof(struct mq_attr));
2059	else
2060		memset(&context->mq_open.attr, 0, sizeof(struct mq_attr));
2061
2062	context->mq_open.oflag = oflag;
2063	context->mq_open.mode = mode;
2064
2065	context->type = AUDIT_MQ_OPEN;
2066}
2067
2068/**
2069 * __audit_mq_sendrecv - record audit data for a POSIX MQ timed send/receive
2070 * @mqdes: MQ descriptor
2071 * @msg_len: Message length
2072 * @msg_prio: Message priority
2073 * @abs_timeout: Message timeout in absolute time
2074 *
2075 */
2076void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio,
2077			const struct timespec *abs_timeout)
2078{
2079	struct audit_context *context = current->audit_context;
2080	struct timespec *p = &context->mq_sendrecv.abs_timeout;
2081
2082	if (abs_timeout)
2083		memcpy(p, abs_timeout, sizeof(struct timespec));
2084	else
2085		memset(p, 0, sizeof(struct timespec));
2086
2087	context->mq_sendrecv.mqdes = mqdes;
2088	context->mq_sendrecv.msg_len = msg_len;
2089	context->mq_sendrecv.msg_prio = msg_prio;
2090
2091	context->type = AUDIT_MQ_SENDRECV;
2092}
2093
2094/**
2095 * __audit_mq_notify - record audit data for a POSIX MQ notify
2096 * @mqdes: MQ descriptor
2097 * @notification: Notification event
2098 *
2099 */
2100
2101void __audit_mq_notify(mqd_t mqdes, const struct sigevent *notification)
2102{
2103	struct audit_context *context = current->audit_context;
2104
2105	if (notification)
2106		context->mq_notify.sigev_signo = notification->sigev_signo;
2107	else
2108		context->mq_notify.sigev_signo = 0;
2109
2110	context->mq_notify.mqdes = mqdes;
2111	context->type = AUDIT_MQ_NOTIFY;
2112}
2113
2114/**
2115 * __audit_mq_getsetattr - record audit data for a POSIX MQ get/set attribute
2116 * @mqdes: MQ descriptor
2117 * @mqstat: MQ flags
2118 *
2119 */
2120void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat)
2121{
2122	struct audit_context *context = current->audit_context;
2123	context->mq_getsetattr.mqdes = mqdes;
2124	context->mq_getsetattr.mqstat = *mqstat;
2125	context->type = AUDIT_MQ_GETSETATTR;
2126}
2127
2128/**
2129 * audit_ipc_obj - record audit data for ipc object
2130 * @ipcp: ipc permissions
2131 *
2132 */
2133void __audit_ipc_obj(struct kern_ipc_perm *ipcp)
2134{
2135	struct audit_context *context = current->audit_context;
2136	context->ipc.uid = ipcp->uid;
2137	context->ipc.gid = ipcp->gid;
2138	context->ipc.mode = ipcp->mode;
2139	context->ipc.has_perm = 0;
2140	security_ipc_getsecid(ipcp, &context->ipc.osid);
2141	context->type = AUDIT_IPC;
2142}
2143
2144/**
2145 * audit_ipc_set_perm - record audit data for new ipc permissions
2146 * @qbytes: msgq bytes
2147 * @uid: msgq user id
2148 * @gid: msgq group id
2149 * @mode: msgq mode (permissions)
2150 *
2151 * Called only after audit_ipc_obj().
2152 */
2153void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode)
2154{
2155	struct audit_context *context = current->audit_context;
2156
2157	context->ipc.qbytes = qbytes;
2158	context->ipc.perm_uid = uid;
2159	context->ipc.perm_gid = gid;
2160	context->ipc.perm_mode = mode;
2161	context->ipc.has_perm = 1;
2162}
2163
2164void __audit_bprm(struct linux_binprm *bprm)
2165{
2166	struct audit_context *context = current->audit_context;
2167
2168	context->type = AUDIT_EXECVE;
2169	context->execve.argc = bprm->argc;
2170}
2171
2172
2173/**
2174 * audit_socketcall - record audit data for sys_socketcall
2175 * @nargs: number of args, which should not be more than AUDITSC_ARGS.
2176 * @args: args array
2177 *
2178 */
2179int __audit_socketcall(int nargs, unsigned long *args)
2180{
2181	struct audit_context *context = current->audit_context;
2182
2183	if (nargs <= 0 || nargs > AUDITSC_ARGS || !args)
2184		return -EINVAL;
2185	context->type = AUDIT_SOCKETCALL;
2186	context->socketcall.nargs = nargs;
2187	memcpy(context->socketcall.args, args, nargs * sizeof(unsigned long));
2188	return 0;
2189}
2190
2191/**
2192 * __audit_fd_pair - record audit data for pipe and socketpair
2193 * @fd1: the first file descriptor
2194 * @fd2: the second file descriptor
2195 *
2196 */
2197void __audit_fd_pair(int fd1, int fd2)
2198{
2199	struct audit_context *context = current->audit_context;
2200	context->fds[0] = fd1;
2201	context->fds[1] = fd2;
2202}
2203
2204/**
2205 * audit_sockaddr - record audit data for sys_bind, sys_connect, sys_sendto
2206 * @len: data length in user space
2207 * @a: data address in kernel space
2208 *
2209 * Returns 0 for success or NULL context or < 0 on error.
2210 */
2211int __audit_sockaddr(int len, void *a)
2212{
2213	struct audit_context *context = current->audit_context;
2214
2215	if (!context->sockaddr) {
2216		void *p = kmalloc(sizeof(struct sockaddr_storage), GFP_KERNEL);
2217		if (!p)
2218			return -ENOMEM;
2219		context->sockaddr = p;
2220	}
2221
2222	context->sockaddr_len = len;
2223	memcpy(context->sockaddr, a, len);
2224	return 0;
2225}
2226
2227void __audit_ptrace(struct task_struct *t)
2228{
2229	struct audit_context *context = current->audit_context;
2230
2231	context->target_pid = task_tgid_nr(t);
2232	context->target_auid = audit_get_loginuid(t);
2233	context->target_uid = task_uid(t);
2234	context->target_sessionid = audit_get_sessionid(t);
2235	security_task_getsecid(t, &context->target_sid);
2236	memcpy(context->target_comm, t->comm, TASK_COMM_LEN);
2237}
2238
2239/**
2240 * audit_signal_info - record signal info for shutting down audit subsystem
2241 * @sig: signal value
2242 * @t: task being signaled
2243 *
2244 * If the audit subsystem is being terminated, record the task (pid)
2245 * and uid that is doing that.
2246 */
2247int __audit_signal_info(int sig, struct task_struct *t)
2248{
2249	struct audit_aux_data_pids *axp;
2250	struct task_struct *tsk = current;
2251	struct audit_context *ctx = tsk->audit_context;
2252	kuid_t uid = current_uid(), t_uid = task_uid(t);
2253
2254	if (auditd_test_task(t)) {
2255		if (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1 || sig == SIGUSR2) {
2256			audit_sig_pid = task_tgid_nr(tsk);
2257			if (uid_valid(tsk->loginuid))
2258				audit_sig_uid = tsk->loginuid;
2259			else
2260				audit_sig_uid = uid;
2261			security_task_getsecid(tsk, &audit_sig_sid);
2262		}
2263		if (!audit_signals || audit_dummy_context())
2264			return 0;
2265	}
2266
2267	/* optimize the common case by putting first signal recipient directly
2268	 * in audit_context */
2269	if (!ctx->target_pid) {
2270		ctx->target_pid = task_tgid_nr(t);
2271		ctx->target_auid = audit_get_loginuid(t);
2272		ctx->target_uid = t_uid;
2273		ctx->target_sessionid = audit_get_sessionid(t);
2274		security_task_getsecid(t, &ctx->target_sid);
2275		memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN);
2276		return 0;
2277	}
2278
2279	axp = (void *)ctx->aux_pids;
2280	if (!axp || axp->pid_count == AUDIT_AUX_PIDS) {
2281		axp = kzalloc(sizeof(*axp), GFP_ATOMIC);
2282		if (!axp)
2283			return -ENOMEM;
2284
2285		axp->d.type = AUDIT_OBJ_PID;
2286		axp->d.next = ctx->aux_pids;
2287		ctx->aux_pids = (void *)axp;
2288	}
2289	BUG_ON(axp->pid_count >= AUDIT_AUX_PIDS);
2290
2291	axp->target_pid[axp->pid_count] = task_tgid_nr(t);
2292	axp->target_auid[axp->pid_count] = audit_get_loginuid(t);
2293	axp->target_uid[axp->pid_count] = t_uid;
2294	axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t);
2295	security_task_getsecid(t, &axp->target_sid[axp->pid_count]);
2296	memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN);
2297	axp->pid_count++;
2298
2299	return 0;
2300}
2301
2302/**
2303 * __audit_log_bprm_fcaps - store information about a loading bprm and relevant fcaps
2304 * @bprm: pointer to the bprm being processed
2305 * @new: the proposed new credentials
2306 * @old: the old credentials
2307 *
2308 * Simply check if the proc already has the caps given by the file and if not
2309 * store the priv escalation info for later auditing at the end of the syscall
2310 *
2311 * -Eric
2312 */
2313int __audit_log_bprm_fcaps(struct linux_binprm *bprm,
2314			   const struct cred *new, const struct cred *old)
2315{
2316	struct audit_aux_data_bprm_fcaps *ax;
2317	struct audit_context *context = current->audit_context;
2318	struct cpu_vfs_cap_data vcaps;
2319
2320	ax = kmalloc(sizeof(*ax), GFP_KERNEL);
2321	if (!ax)
2322		return -ENOMEM;
2323
2324	ax->d.type = AUDIT_BPRM_FCAPS;
2325	ax->d.next = context->aux;
2326	context->aux = (void *)ax;
2327
2328	get_vfs_caps_from_disk(bprm->file->f_path.dentry, &vcaps);
2329
2330	ax->fcap.permitted = vcaps.permitted;
2331	ax->fcap.inheritable = vcaps.inheritable;
2332	ax->fcap.fE = !!(vcaps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE);
 
2333	ax->fcap_ver = (vcaps.magic_etc & VFS_CAP_REVISION_MASK) >> VFS_CAP_REVISION_SHIFT;
2334
2335	ax->old_pcap.permitted   = old->cap_permitted;
2336	ax->old_pcap.inheritable = old->cap_inheritable;
2337	ax->old_pcap.effective   = old->cap_effective;
 
2338
2339	ax->new_pcap.permitted   = new->cap_permitted;
2340	ax->new_pcap.inheritable = new->cap_inheritable;
2341	ax->new_pcap.effective   = new->cap_effective;
 
2342	return 0;
2343}
2344
2345/**
2346 * __audit_log_capset - store information about the arguments to the capset syscall
2347 * @new: the new credentials
2348 * @old: the old (current) credentials
2349 *
2350 * Record the arguments userspace sent to sys_capset for later printing by the
2351 * audit system if applicable
2352 */
2353void __audit_log_capset(const struct cred *new, const struct cred *old)
2354{
2355	struct audit_context *context = current->audit_context;
2356	context->capset.pid = task_tgid_nr(current);
2357	context->capset.cap.effective   = new->cap_effective;
2358	context->capset.cap.inheritable = new->cap_effective;
2359	context->capset.cap.permitted   = new->cap_permitted;
 
2360	context->type = AUDIT_CAPSET;
2361}
2362
2363void __audit_mmap_fd(int fd, int flags)
2364{
2365	struct audit_context *context = current->audit_context;
2366	context->mmap.fd = fd;
2367	context->mmap.flags = flags;
2368	context->type = AUDIT_MMAP;
2369}
2370
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
2371static void audit_log_task(struct audit_buffer *ab)
2372{
2373	kuid_t auid, uid;
2374	kgid_t gid;
2375	unsigned int sessionid;
2376	char comm[sizeof(current->comm)];
2377
2378	auid = audit_get_loginuid(current);
2379	sessionid = audit_get_sessionid(current);
2380	current_uid_gid(&uid, &gid);
2381
2382	audit_log_format(ab, "auid=%u uid=%u gid=%u ses=%u",
2383			 from_kuid(&init_user_ns, auid),
2384			 from_kuid(&init_user_ns, uid),
2385			 from_kgid(&init_user_ns, gid),
2386			 sessionid);
2387	audit_log_task_context(ab);
2388	audit_log_format(ab, " pid=%d comm=", task_tgid_nr(current));
2389	audit_log_untrustedstring(ab, get_task_comm(comm, current));
2390	audit_log_d_path_exe(ab, current->mm);
2391}
2392
2393/**
2394 * audit_core_dumps - record information about processes that end abnormally
2395 * @signr: signal value
2396 *
2397 * If a process ends with a core dump, something fishy is going on and we
2398 * should record the event for investigation.
2399 */
2400void audit_core_dumps(long signr)
2401{
2402	struct audit_buffer *ab;
2403
2404	if (!audit_enabled)
2405		return;
2406
2407	if (signr == SIGQUIT)	/* don't care for those */
2408		return;
2409
2410	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
2411	if (unlikely(!ab))
2412		return;
2413	audit_log_task(ab);
2414	audit_log_format(ab, " sig=%ld", signr);
2415	audit_log_end(ab);
2416}
2417
2418void __audit_seccomp(unsigned long syscall, long signr, int code)
 
 
 
 
 
 
 
 
 
 
 
 
2419{
2420	struct audit_buffer *ab;
2421
2422	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_SECCOMP);
2423	if (unlikely(!ab))
2424		return;
2425	audit_log_task(ab);
2426	audit_log_format(ab, " sig=%ld arch=%x syscall=%ld compat=%d ip=0x%lx code=0x%x",
2427			 signr, syscall_get_arch(), syscall,
2428			 in_compat_syscall(), KSTK_EIP(current), code);
2429	audit_log_end(ab);
2430}
2431
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
2432struct list_head *audit_killed_trees(void)
2433{
2434	struct audit_context *ctx = current->audit_context;
2435	if (likely(!ctx || !ctx->in_syscall))
2436		return NULL;
2437	return &ctx->killed_trees;
2438}