1/* auditsc.c -- System-call auditing support
   2 * Handles all system-call specific auditing features.
   3 *
   4 * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina.
   5 * Copyright 2005 Hewlett-Packard Development Company, L.P.
   6 * Copyright (C) 2005, 2006 IBM Corporation
   7 * All Rights Reserved.
   8 *
   9 * This program is free software; you can redistribute it and/or modify
  10 * it under the terms of the GNU General Public License as published by
  11 * the Free Software Foundation; either version 2 of the License, or
  12 * (at your option) any later version.
  13 *
  14 * This program is distributed in the hope that it will be useful,
  15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
  16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17 * GNU General Public License for more details.
  18 *
  19 * You should have received a copy of the GNU General Public License
  20 * along with this program; if not, write to the Free Software
  21 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
  22 *
  23 * Written by Rickard E. (Rik) Faith <faith@redhat.com>
  24 *
  25 * Many of the ideas implemented here are from Stephen C. Tweedie,
  26 * especially the idea of avoiding a copy by using getname.
  27 *
  28 * The method for actual interception of syscall entry and exit (not in
  29 * this file -- see entry.S) is based on a GPL'd patch written by
  30 * okir@suse.de and Copyright 2003 SuSE Linux AG.
  31 *
  32 * POSIX message queue support added by George Wilson <ltcgcw@us.ibm.com>,
  33 * 2006.
  34 *
  35 * The support of additional filter rules compares (>, <, >=, <=) was
  36 * added by Dustin Kirkland <dustin.kirkland@us.ibm.com>, 2005.
  37 *
  38 * Modified by Amy Griffis <amy.griffis@hp.com> to collect additional
  39 * filesystem information.
  40 *
  41 * Subject and object context labeling support added by <danjones@us.ibm.com>
  42 * and <dustin.kirkland@us.ibm.com> for LSPP certification compliance.
  43 */
  44
  45#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
  46
  47#include <linux/init.h>
  48#include <asm/types.h>
  49#include <linux/atomic.h>
  50#include <linux/fs.h>
  51#include <linux/namei.h>
  52#include <linux/mm.h>
  53#include <linux/export.h>
  54#include <linux/slab.h>
  55#include <linux/mount.h>
  56#include <linux/socket.h>
  57#include <linux/mqueue.h>
  58#include <linux/audit.h>
  59#include <linux/personality.h>
  60#include <linux/time.h>
  61#include <linux/netlink.h>
  62#include <linux/compiler.h>
  63#include <asm/unistd.h>
  64#include <linux/security.h>
  65#include <linux/list.h>
  66#include <linux/tty.h>
  67#include <linux/binfmts.h>
  68#include <linux/highmem.h>
  69#include <linux/syscalls.h>
  70#include <asm/syscall.h>
  71#include <linux/capability.h>
  72#include <linux/fs_struct.h>
  73#include <linux/compat.h>
  74#include <linux/ctype.h>
  75#include <linux/string.h>
 
  76#include <uapi/linux/limits.h>
  77
  78#include "audit.h"
  79
  80/* flags stating the success for a syscall */
  81#define AUDITSC_INVALID 0
  82#define AUDITSC_SUCCESS 1
  83#define AUDITSC_FAILURE 2
  84
  85/* no execve audit message should be longer than this (userspace limits) */
 
  86#define MAX_EXECVE_AUDIT_LEN 7500
  87
  88/* max length to print of cmdline/proctitle value during audit */
  89#define MAX_PROCTITLE_AUDIT_LEN 128
  90
  91/* number of audit rules */
  92int audit_n_rules;
  93
  94/* determines whether we collect data for signals sent */
  95int audit_signals;
  96
  97struct audit_aux_data {
  98	struct audit_aux_data	*next;
  99	int			type;
 100};
 101
 102#define AUDIT_AUX_IPCPERM	0
 103
 104/* Number of target pids per aux struct. */
 105#define AUDIT_AUX_PIDS	16
 106
 107struct audit_aux_data_pids {
 108	struct audit_aux_data	d;
 109	pid_t			target_pid[AUDIT_AUX_PIDS];
 110	kuid_t			target_auid[AUDIT_AUX_PIDS];
 111	kuid_t			target_uid[AUDIT_AUX_PIDS];
 112	unsigned int		target_sessionid[AUDIT_AUX_PIDS];
 113	u32			target_sid[AUDIT_AUX_PIDS];
 114	char 			target_comm[AUDIT_AUX_PIDS][TASK_COMM_LEN];
 115	int			pid_count;
 116};
 117
 118struct audit_aux_data_bprm_fcaps {
 119	struct audit_aux_data	d;
 120	struct audit_cap_data	fcap;
 121	unsigned int		fcap_ver;
 122	struct audit_cap_data	old_pcap;
 123	struct audit_cap_data	new_pcap;
 124};
 125
 126struct audit_tree_refs {
 127	struct audit_tree_refs *next;
 128	struct audit_chunk *c[31];
 129};
 130
 131static int audit_match_perm(struct audit_context *ctx, int mask)
 132{
 133	unsigned n;
 134	if (unlikely(!ctx))
 135		return 0;
 136	n = ctx->major;
 137
 138	switch (audit_classify_syscall(ctx->arch, n)) {
 139	case 0:	/* native */
 140		if ((mask & AUDIT_PERM_WRITE) &&
 141		     audit_match_class(AUDIT_CLASS_WRITE, n))
 142			return 1;
 143		if ((mask & AUDIT_PERM_READ) &&
 144		     audit_match_class(AUDIT_CLASS_READ, n))
 145			return 1;
 146		if ((mask & AUDIT_PERM_ATTR) &&
 147		     audit_match_class(AUDIT_CLASS_CHATTR, n))
 148			return 1;
 149		return 0;
 150	case 1: /* 32bit on biarch */
 151		if ((mask & AUDIT_PERM_WRITE) &&
 152		     audit_match_class(AUDIT_CLASS_WRITE_32, n))
 153			return 1;
 154		if ((mask & AUDIT_PERM_READ) &&
 155		     audit_match_class(AUDIT_CLASS_READ_32, n))
 156			return 1;
 157		if ((mask & AUDIT_PERM_ATTR) &&
 158		     audit_match_class(AUDIT_CLASS_CHATTR_32, n))
 159			return 1;
 160		return 0;
 161	case 2: /* open */
 162		return mask & ACC_MODE(ctx->argv[1]);
 163	case 3: /* openat */
 164		return mask & ACC_MODE(ctx->argv[2]);
 165	case 4: /* socketcall */
 166		return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND);
 167	case 5: /* execve */
 168		return mask & AUDIT_PERM_EXEC;
 169	default:
 170		return 0;
 171	}
 172}
 173
 174static int audit_match_filetype(struct audit_context *ctx, int val)
 175{
 176	struct audit_names *n;
 177	umode_t mode = (umode_t)val;
 178
 179	if (unlikely(!ctx))
 180		return 0;
 181
 182	list_for_each_entry(n, &ctx->names_list, list) {
 183		if ((n->ino != AUDIT_INO_UNSET) &&
 184		    ((n->mode & S_IFMT) == mode))
 185			return 1;
 186	}
 187
 188	return 0;
 189}
 190
 191/*
 192 * We keep a linked list of fixed-sized (31 pointer) arrays of audit_chunk *;
 193 * ->first_trees points to its beginning, ->trees - to the current end of data.
 194 * ->tree_count is the number of free entries in array pointed to by ->trees.
 195 * Original condition is (NULL, NULL, 0); as soon as it grows we never revert to NULL,
 196 * "empty" becomes (p, p, 31) afterwards.  We don't shrink the list (and seriously,
 197 * it's going to remain 1-element for almost any setup) until we free context itself.
 198 * References in it _are_ dropped - at the same time we free/drop aux stuff.
 199 */
 200
 201#ifdef CONFIG_AUDIT_TREE
 202static void audit_set_auditable(struct audit_context *ctx)
 203{
 204	if (!ctx->prio) {
 205		ctx->prio = 1;
 206		ctx->current_state = AUDIT_RECORD_CONTEXT;
 207	}
 208}
 209
 210static int put_tree_ref(struct audit_context *ctx, struct audit_chunk *chunk)
 211{
 212	struct audit_tree_refs *p = ctx->trees;
 213	int left = ctx->tree_count;
 214	if (likely(left)) {
 215		p->c[--left] = chunk;
 216		ctx->tree_count = left;
 217		return 1;
 218	}
 219	if (!p)
 220		return 0;
 221	p = p->next;
 222	if (p) {
 223		p->c[30] = chunk;
 224		ctx->trees = p;
 225		ctx->tree_count = 30;
 226		return 1;
 227	}
 228	return 0;
 229}
 230
 231static int grow_tree_refs(struct audit_context *ctx)
 232{
 233	struct audit_tree_refs *p = ctx->trees;
 234	ctx->trees = kzalloc(sizeof(struct audit_tree_refs), GFP_KERNEL);
 235	if (!ctx->trees) {
 236		ctx->trees = p;
 237		return 0;
 238	}
 239	if (p)
 240		p->next = ctx->trees;
 241	else
 242		ctx->first_trees = ctx->trees;
 243	ctx->tree_count = 31;
 244	return 1;
 245}
 246#endif
 247
 248static void unroll_tree_refs(struct audit_context *ctx,
 249		      struct audit_tree_refs *p, int count)
 250{
 251#ifdef CONFIG_AUDIT_TREE
 252	struct audit_tree_refs *q;
 253	int n;
 254	if (!p) {
 255		/* we started with empty chain */
 256		p = ctx->first_trees;
 257		count = 31;
 258		/* if the very first allocation has failed, nothing to do */
 259		if (!p)
 260			return;
 261	}
 262	n = count;
 263	for (q = p; q != ctx->trees; q = q->next, n = 31) {
 264		while (n--) {
 265			audit_put_chunk(q->c[n]);
 266			q->c[n] = NULL;
 267		}
 268	}
 269	while (n-- > ctx->tree_count) {
 270		audit_put_chunk(q->c[n]);
 271		q->c[n] = NULL;
 272	}
 273	ctx->trees = p;
 274	ctx->tree_count = count;
 275#endif
 276}
 277
 278static void free_tree_refs(struct audit_context *ctx)
 279{
 280	struct audit_tree_refs *p, *q;
 281	for (p = ctx->first_trees; p; p = q) {
 282		q = p->next;
 283		kfree(p);
 284	}
 285}
 286
 287static int match_tree_refs(struct audit_context *ctx, struct audit_tree *tree)
 288{
 289#ifdef CONFIG_AUDIT_TREE
 290	struct audit_tree_refs *p;
 291	int n;
 292	if (!tree)
 293		return 0;
 294	/* full ones */
 295	for (p = ctx->first_trees; p != ctx->trees; p = p->next) {
 296		for (n = 0; n < 31; n++)
 297			if (audit_tree_match(p->c[n], tree))
 298				return 1;
 299	}
 300	/* partial */
 301	if (p) {
 302		for (n = ctx->tree_count; n < 31; n++)
 303			if (audit_tree_match(p->c[n], tree))
 304				return 1;
 305	}
 306#endif
 307	return 0;
 308}
 309
 310static int audit_compare_uid(kuid_t uid,
 311			     struct audit_names *name,
 312			     struct audit_field *f,
 313			     struct audit_context *ctx)
 314{
 315	struct audit_names *n;
 316	int rc;
 317 
 318	if (name) {
 319		rc = audit_uid_comparator(uid, f->op, name->uid);
 320		if (rc)
 321			return rc;
 322	}
 323 
 324	if (ctx) {
 325		list_for_each_entry(n, &ctx->names_list, list) {
 326			rc = audit_uid_comparator(uid, f->op, n->uid);
 327			if (rc)
 328				return rc;
 329		}
 330	}
 331	return 0;
 332}
 333
 334static int audit_compare_gid(kgid_t gid,
 335			     struct audit_names *name,
 336			     struct audit_field *f,
 337			     struct audit_context *ctx)
 338{
 339	struct audit_names *n;
 340	int rc;
 341 
 342	if (name) {
 343		rc = audit_gid_comparator(gid, f->op, name->gid);
 344		if (rc)
 345			return rc;
 346	}
 347 
 348	if (ctx) {
 349		list_for_each_entry(n, &ctx->names_list, list) {
 350			rc = audit_gid_comparator(gid, f->op, n->gid);
 351			if (rc)
 352				return rc;
 353		}
 354	}
 355	return 0;
 356}
 357
 358static int audit_field_compare(struct task_struct *tsk,
 359			       const struct cred *cred,
 360			       struct audit_field *f,
 361			       struct audit_context *ctx,
 362			       struct audit_names *name)
 363{
 364	switch (f->val) {
 365	/* process to file object comparisons */
 366	case AUDIT_COMPARE_UID_TO_OBJ_UID:
 367		return audit_compare_uid(cred->uid, name, f, ctx);
 368	case AUDIT_COMPARE_GID_TO_OBJ_GID:
 369		return audit_compare_gid(cred->gid, name, f, ctx);
 370	case AUDIT_COMPARE_EUID_TO_OBJ_UID:
 371		return audit_compare_uid(cred->euid, name, f, ctx);
 372	case AUDIT_COMPARE_EGID_TO_OBJ_GID:
 373		return audit_compare_gid(cred->egid, name, f, ctx);
 374	case AUDIT_COMPARE_AUID_TO_OBJ_UID:
 375		return audit_compare_uid(tsk->loginuid, name, f, ctx);
 376	case AUDIT_COMPARE_SUID_TO_OBJ_UID:
 377		return audit_compare_uid(cred->suid, name, f, ctx);
 378	case AUDIT_COMPARE_SGID_TO_OBJ_GID:
 379		return audit_compare_gid(cred->sgid, name, f, ctx);
 380	case AUDIT_COMPARE_FSUID_TO_OBJ_UID:
 381		return audit_compare_uid(cred->fsuid, name, f, ctx);
 382	case AUDIT_COMPARE_FSGID_TO_OBJ_GID:
 383		return audit_compare_gid(cred->fsgid, name, f, ctx);
 384	/* uid comparisons */
 385	case AUDIT_COMPARE_UID_TO_AUID:
 386		return audit_uid_comparator(cred->uid, f->op, tsk->loginuid);
 387	case AUDIT_COMPARE_UID_TO_EUID:
 388		return audit_uid_comparator(cred->uid, f->op, cred->euid);
 389	case AUDIT_COMPARE_UID_TO_SUID:
 390		return audit_uid_comparator(cred->uid, f->op, cred->suid);
 391	case AUDIT_COMPARE_UID_TO_FSUID:
 392		return audit_uid_comparator(cred->uid, f->op, cred->fsuid);
 393	/* auid comparisons */
 394	case AUDIT_COMPARE_AUID_TO_EUID:
 395		return audit_uid_comparator(tsk->loginuid, f->op, cred->euid);
 396	case AUDIT_COMPARE_AUID_TO_SUID:
 397		return audit_uid_comparator(tsk->loginuid, f->op, cred->suid);
 398	case AUDIT_COMPARE_AUID_TO_FSUID:
 399		return audit_uid_comparator(tsk->loginuid, f->op, cred->fsuid);
 400	/* euid comparisons */
 401	case AUDIT_COMPARE_EUID_TO_SUID:
 402		return audit_uid_comparator(cred->euid, f->op, cred->suid);
 403	case AUDIT_COMPARE_EUID_TO_FSUID:
 404		return audit_uid_comparator(cred->euid, f->op, cred->fsuid);
 405	/* suid comparisons */
 406	case AUDIT_COMPARE_SUID_TO_FSUID:
 407		return audit_uid_comparator(cred->suid, f->op, cred->fsuid);
 408	/* gid comparisons */
 409	case AUDIT_COMPARE_GID_TO_EGID:
 410		return audit_gid_comparator(cred->gid, f->op, cred->egid);
 411	case AUDIT_COMPARE_GID_TO_SGID:
 412		return audit_gid_comparator(cred->gid, f->op, cred->sgid);
 413	case AUDIT_COMPARE_GID_TO_FSGID:
 414		return audit_gid_comparator(cred->gid, f->op, cred->fsgid);
 415	/* egid comparisons */
 416	case AUDIT_COMPARE_EGID_TO_SGID:
 417		return audit_gid_comparator(cred->egid, f->op, cred->sgid);
 418	case AUDIT_COMPARE_EGID_TO_FSGID:
 419		return audit_gid_comparator(cred->egid, f->op, cred->fsgid);
 420	/* sgid comparison */
 421	case AUDIT_COMPARE_SGID_TO_FSGID:
 422		return audit_gid_comparator(cred->sgid, f->op, cred->fsgid);
 423	default:
 424		WARN(1, "Missing AUDIT_COMPARE define.  Report as a bug\n");
 425		return 0;
 426	}
 427	return 0;
 428}
 429
 430/* Determine if any context name data matches a rule's watch data */
 431/* Compare a task_struct with an audit_rule.  Return 1 on match, 0
 432 * otherwise.
 433 *
 434 * If task_creation is true, this is an explicit indication that we are
 435 * filtering a task rule at task creation time.  This and tsk == current are
 436 * the only situations where tsk->cred may be accessed without an rcu read lock.
 437 */
 438static int audit_filter_rules(struct task_struct *tsk,
 439			      struct audit_krule *rule,
 440			      struct audit_context *ctx,
 441			      struct audit_names *name,
 442			      enum audit_state *state,
 443			      bool task_creation)
 444{
 445	const struct cred *cred;
 446	int i, need_sid = 1;
 447	u32 sid;
 
 448
 449	cred = rcu_dereference_check(tsk->cred, tsk == current || task_creation);
 450
 451	for (i = 0; i < rule->field_count; i++) {
 452		struct audit_field *f = &rule->fields[i];
 453		struct audit_names *n;
 454		int result = 0;
 455		pid_t pid;
 456
 457		switch (f->type) {
 458		case AUDIT_PID:
 459			pid = task_pid_nr(tsk);
 460			result = audit_comparator(pid, f->op, f->val);
 461			break;
 462		case AUDIT_PPID:
 463			if (ctx) {
 464				if (!ctx->ppid)
 465					ctx->ppid = task_ppid_nr(tsk);
 466				result = audit_comparator(ctx->ppid, f->op, f->val);
 467			}
 468			break;
 469		case AUDIT_EXE:
 470			result = audit_exe_compare(tsk, rule->exe);
 471			break;
 472		case AUDIT_UID:
 473			result = audit_uid_comparator(cred->uid, f->op, f->uid);
 474			break;
 475		case AUDIT_EUID:
 476			result = audit_uid_comparator(cred->euid, f->op, f->uid);
 477			break;
 478		case AUDIT_SUID:
 479			result = audit_uid_comparator(cred->suid, f->op, f->uid);
 480			break;
 481		case AUDIT_FSUID:
 482			result = audit_uid_comparator(cred->fsuid, f->op, f->uid);
 483			break;
 484		case AUDIT_GID:
 485			result = audit_gid_comparator(cred->gid, f->op, f->gid);
 486			if (f->op == Audit_equal) {
 487				if (!result)
 488					result = in_group_p(f->gid);
 489			} else if (f->op == Audit_not_equal) {
 490				if (result)
 491					result = !in_group_p(f->gid);
 492			}
 493			break;
 494		case AUDIT_EGID:
 495			result = audit_gid_comparator(cred->egid, f->op, f->gid);
 496			if (f->op == Audit_equal) {
 497				if (!result)
 498					result = in_egroup_p(f->gid);
 499			} else if (f->op == Audit_not_equal) {
 500				if (result)
 501					result = !in_egroup_p(f->gid);
 502			}
 503			break;
 504		case AUDIT_SGID:
 505			result = audit_gid_comparator(cred->sgid, f->op, f->gid);
 506			break;
 507		case AUDIT_FSGID:
 508			result = audit_gid_comparator(cred->fsgid, f->op, f->gid);
 509			break;
 
 
 
 
 510		case AUDIT_PERS:
 511			result = audit_comparator(tsk->personality, f->op, f->val);
 512			break;
 513		case AUDIT_ARCH:
 514			if (ctx)
 515				result = audit_comparator(ctx->arch, f->op, f->val);
 516			break;
 517
 518		case AUDIT_EXIT:
 519			if (ctx && ctx->return_valid)
 520				result = audit_comparator(ctx->return_code, f->op, f->val);
 521			break;
 522		case AUDIT_SUCCESS:
 523			if (ctx && ctx->return_valid) {
 524				if (f->val)
 525					result = audit_comparator(ctx->return_valid, f->op, AUDITSC_SUCCESS);
 526				else
 527					result = audit_comparator(ctx->return_valid, f->op, AUDITSC_FAILURE);
 528			}
 529			break;
 530		case AUDIT_DEVMAJOR:
 531			if (name) {
 532				if (audit_comparator(MAJOR(name->dev), f->op, f->val) ||
 533				    audit_comparator(MAJOR(name->rdev), f->op, f->val))
 534					++result;
 535			} else if (ctx) {
 536				list_for_each_entry(n, &ctx->names_list, list) {
 537					if (audit_comparator(MAJOR(n->dev), f->op, f->val) ||
 538					    audit_comparator(MAJOR(n->rdev), f->op, f->val)) {
 539						++result;
 540						break;
 541					}
 542				}
 543			}
 544			break;
 545		case AUDIT_DEVMINOR:
 546			if (name) {
 547				if (audit_comparator(MINOR(name->dev), f->op, f->val) ||
 548				    audit_comparator(MINOR(name->rdev), f->op, f->val))
 549					++result;
 550			} else if (ctx) {
 551				list_for_each_entry(n, &ctx->names_list, list) {
 552					if (audit_comparator(MINOR(n->dev), f->op, f->val) ||
 553					    audit_comparator(MINOR(n->rdev), f->op, f->val)) {
 554						++result;
 555						break;
 556					}
 557				}
 558			}
 559			break;
 560		case AUDIT_INODE:
 561			if (name)
 562				result = audit_comparator(name->ino, f->op, f->val);
 563			else if (ctx) {
 564				list_for_each_entry(n, &ctx->names_list, list) {
 565					if (audit_comparator(n->ino, f->op, f->val)) {
 566						++result;
 567						break;
 568					}
 569				}
 570			}
 571			break;
 572		case AUDIT_OBJ_UID:
 573			if (name) {
 574				result = audit_uid_comparator(name->uid, f->op, f->uid);
 575			} else if (ctx) {
 576				list_for_each_entry(n, &ctx->names_list, list) {
 577					if (audit_uid_comparator(n->uid, f->op, f->uid)) {
 578						++result;
 579						break;
 580					}
 581				}
 582			}
 583			break;
 584		case AUDIT_OBJ_GID:
 585			if (name) {
 586				result = audit_gid_comparator(name->gid, f->op, f->gid);
 587			} else if (ctx) {
 588				list_for_each_entry(n, &ctx->names_list, list) {
 589					if (audit_gid_comparator(n->gid, f->op, f->gid)) {
 590						++result;
 591						break;
 592					}
 593				}
 594			}
 595			break;
 596		case AUDIT_WATCH:
 597			if (name)
 598				result = audit_watch_compare(rule->watch, name->ino, name->dev);
 599			break;
 600		case AUDIT_DIR:
 601			if (ctx)
 602				result = match_tree_refs(ctx, rule->tree);
 603			break;
 604		case AUDIT_LOGINUID:
 605			result = audit_uid_comparator(tsk->loginuid, f->op, f->uid);
 606			break;
 607		case AUDIT_LOGINUID_SET:
 608			result = audit_comparator(audit_loginuid_set(tsk), f->op, f->val);
 609			break;
 610		case AUDIT_SUBJ_USER:
 611		case AUDIT_SUBJ_ROLE:
 612		case AUDIT_SUBJ_TYPE:
 613		case AUDIT_SUBJ_SEN:
 614		case AUDIT_SUBJ_CLR:
 615			/* NOTE: this may return negative values indicating
 616			   a temporary error.  We simply treat this as a
 617			   match for now to avoid losing information that
 618			   may be wanted.   An error message will also be
 619			   logged upon error */
 620			if (f->lsm_rule) {
 621				if (need_sid) {
 622					security_task_getsecid(tsk, &sid);
 623					need_sid = 0;
 624				}
 625				result = security_audit_rule_match(sid, f->type,
 626				                                  f->op,
 627				                                  f->lsm_rule,
 628				                                  ctx);
 629			}
 630			break;
 631		case AUDIT_OBJ_USER:
 632		case AUDIT_OBJ_ROLE:
 633		case AUDIT_OBJ_TYPE:
 634		case AUDIT_OBJ_LEV_LOW:
 635		case AUDIT_OBJ_LEV_HIGH:
 636			/* The above note for AUDIT_SUBJ_USER...AUDIT_SUBJ_CLR
 637			   also applies here */
 638			if (f->lsm_rule) {
 639				/* Find files that match */
 640				if (name) {
 641					result = security_audit_rule_match(
 642					           name->osid, f->type, f->op,
 643					           f->lsm_rule, ctx);
 644				} else if (ctx) {
 645					list_for_each_entry(n, &ctx->names_list, list) {
 646						if (security_audit_rule_match(n->osid, f->type,
 647									      f->op, f->lsm_rule,
 648									      ctx)) {
 649							++result;
 650							break;
 651						}
 652					}
 653				}
 654				/* Find ipc objects that match */
 655				if (!ctx || ctx->type != AUDIT_IPC)
 656					break;
 657				if (security_audit_rule_match(ctx->ipc.osid,
 658							      f->type, f->op,
 659							      f->lsm_rule, ctx))
 660					++result;
 661			}
 662			break;
 663		case AUDIT_ARG0:
 664		case AUDIT_ARG1:
 665		case AUDIT_ARG2:
 666		case AUDIT_ARG3:
 667			if (ctx)
 668				result = audit_comparator(ctx->argv[f->type-AUDIT_ARG0], f->op, f->val);
 669			break;
 670		case AUDIT_FILTERKEY:
 671			/* ignore this field for filtering */
 672			result = 1;
 673			break;
 674		case AUDIT_PERM:
 675			result = audit_match_perm(ctx, f->val);
 676			break;
 677		case AUDIT_FILETYPE:
 678			result = audit_match_filetype(ctx, f->val);
 679			break;
 680		case AUDIT_FIELD_COMPARE:
 681			result = audit_field_compare(tsk, cred, f, ctx, name);
 682			break;
 683		}
 684		if (!result)
 685			return 0;
 686	}
 687
 688	if (ctx) {
 689		if (rule->prio <= ctx->prio)
 690			return 0;
 691		if (rule->filterkey) {
 692			kfree(ctx->filterkey);
 693			ctx->filterkey = kstrdup(rule->filterkey, GFP_ATOMIC);
 694		}
 695		ctx->prio = rule->prio;
 696	}
 697	switch (rule->action) {
 698	case AUDIT_NEVER:    *state = AUDIT_DISABLED;	    break;
 699	case AUDIT_ALWAYS:   *state = AUDIT_RECORD_CONTEXT; break;
 
 
 
 
 700	}
 701	return 1;
 702}
 703
 704/* At process creation time, we can determine if system-call auditing is
 705 * completely disabled for this task.  Since we only have the task
 706 * structure at this point, we can only check uid and gid.
 707 */
 708static enum audit_state audit_filter_task(struct task_struct *tsk, char **key)
 709{
 710	struct audit_entry *e;
 711	enum audit_state   state;
 712
 713	rcu_read_lock();
 714	list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TASK], list) {
 715		if (audit_filter_rules(tsk, &e->rule, NULL, NULL,
 716				       &state, true)) {
 717			if (state == AUDIT_RECORD_CONTEXT)
 718				*key = kstrdup(e->rule.filterkey, GFP_ATOMIC);
 719			rcu_read_unlock();
 720			return state;
 721		}
 722	}
 723	rcu_read_unlock();
 724	return AUDIT_BUILD_CONTEXT;
 725}
 726
 727static int audit_in_mask(const struct audit_krule *rule, unsigned long val)
 728{
 729	int word, bit;
 730
 731	if (val > 0xffffffff)
 732		return false;
 733
 734	word = AUDIT_WORD(val);
 735	if (word >= AUDIT_BITMASK_SIZE)
 736		return false;
 737
 738	bit = AUDIT_BIT(val);
 739
 740	return rule->mask[word] & bit;
 741}
 742
 743/* At syscall entry and exit time, this filter is called if the
 744 * audit_state is not low enough that auditing cannot take place, but is
 745 * also not high enough that we already know we have to write an audit
 746 * record (i.e., the state is AUDIT_SETUP_CONTEXT or AUDIT_BUILD_CONTEXT).
 747 */
 748static enum audit_state audit_filter_syscall(struct task_struct *tsk,
 749					     struct audit_context *ctx,
 750					     struct list_head *list)
 751{
 752	struct audit_entry *e;
 753	enum audit_state state;
 754
 755	if (audit_pid && tsk->tgid == audit_pid)
 756		return AUDIT_DISABLED;
 757
 758	rcu_read_lock();
 759	if (!list_empty(list)) {
 760		list_for_each_entry_rcu(e, list, list) {
 761			if (audit_in_mask(&e->rule, ctx->major) &&
 762			    audit_filter_rules(tsk, &e->rule, ctx, NULL,
 763					       &state, false)) {
 764				rcu_read_unlock();
 765				ctx->current_state = state;
 766				return state;
 767			}
 768		}
 769	}
 770	rcu_read_unlock();
 771	return AUDIT_BUILD_CONTEXT;
 772}
 773
 774/*
 775 * Given an audit_name check the inode hash table to see if they match.
 776 * Called holding the rcu read lock to protect the use of audit_inode_hash
 777 */
 778static int audit_filter_inode_name(struct task_struct *tsk,
 779				   struct audit_names *n,
 780				   struct audit_context *ctx) {
 781	int h = audit_hash_ino((u32)n->ino);
 782	struct list_head *list = &audit_inode_hash[h];
 783	struct audit_entry *e;
 784	enum audit_state state;
 785
 786	if (list_empty(list))
 787		return 0;
 788
 789	list_for_each_entry_rcu(e, list, list) {
 790		if (audit_in_mask(&e->rule, ctx->major) &&
 791		    audit_filter_rules(tsk, &e->rule, ctx, n, &state, false)) {
 792			ctx->current_state = state;
 793			return 1;
 794		}
 795	}
 796
 797	return 0;
 798}
 799
 800/* At syscall exit time, this filter is called if any audit_names have been
 801 * collected during syscall processing.  We only check rules in sublists at hash
 802 * buckets applicable to the inode numbers in audit_names.
 803 * Regarding audit_state, same rules apply as for audit_filter_syscall().
 804 */
 805void audit_filter_inodes(struct task_struct *tsk, struct audit_context *ctx)
 806{
 807	struct audit_names *n;
 808
 809	if (audit_pid && tsk->tgid == audit_pid)
 810		return;
 811
 812	rcu_read_lock();
 813
 814	list_for_each_entry(n, &ctx->names_list, list) {
 815		if (audit_filter_inode_name(tsk, n, ctx))
 816			break;
 817	}
 818	rcu_read_unlock();
 819}
 820
 821/* Transfer the audit context pointer to the caller, clearing it in the tsk's struct */
 822static inline struct audit_context *audit_take_context(struct task_struct *tsk,
 823						      int return_valid,
 824						      long return_code)
 825{
 826	struct audit_context *context = tsk->audit_context;
 827
 828	if (!context)
 829		return NULL;
 830	context->return_valid = return_valid;
 831
 832	/*
 833	 * we need to fix up the return code in the audit logs if the actual
 834	 * return codes are later going to be fixed up by the arch specific
 835	 * signal handlers
 836	 *
 837	 * This is actually a test for:
 838	 * (rc == ERESTARTSYS ) || (rc == ERESTARTNOINTR) ||
 839	 * (rc == ERESTARTNOHAND) || (rc == ERESTART_RESTARTBLOCK)
 840	 *
 841	 * but is faster than a bunch of ||
 842	 */
 843	if (unlikely(return_code <= -ERESTARTSYS) &&
 844	    (return_code >= -ERESTART_RESTARTBLOCK) &&
 845	    (return_code != -ENOIOCTLCMD))
 846		context->return_code = -EINTR;
 847	else
 848		context->return_code  = return_code;
 849
 850	if (context->in_syscall && !context->dummy) {
 851		audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_EXIT]);
 852		audit_filter_inodes(tsk, context);
 853	}
 854
 855	tsk->audit_context = NULL;
 856	return context;
 857}
 858
 859static inline void audit_proctitle_free(struct audit_context *context)
 860{
 861	kfree(context->proctitle.value);
 862	context->proctitle.value = NULL;
 863	context->proctitle.len = 0;
 864}
 865
 866static inline void audit_free_names(struct audit_context *context)
 867{
 868	struct audit_names *n, *next;
 869
 870	list_for_each_entry_safe(n, next, &context->names_list, list) {
 871		list_del(&n->list);
 872		if (n->name)
 873			putname(n->name);
 874		if (n->should_free)
 875			kfree(n);
 876	}
 877	context->name_count = 0;
 878	path_put(&context->pwd);
 879	context->pwd.dentry = NULL;
 880	context->pwd.mnt = NULL;
 881}
 882
 883static inline void audit_free_aux(struct audit_context *context)
 884{
 885	struct audit_aux_data *aux;
 886
 887	while ((aux = context->aux)) {
 888		context->aux = aux->next;
 889		kfree(aux);
 890	}
 891	while ((aux = context->aux_pids)) {
 892		context->aux_pids = aux->next;
 893		kfree(aux);
 894	}
 895}
 896
 897static inline struct audit_context *audit_alloc_context(enum audit_state state)
 898{
 899	struct audit_context *context;
 900
 901	context = kzalloc(sizeof(*context), GFP_KERNEL);
 902	if (!context)
 903		return NULL;
 904	context->state = state;
 905	context->prio = state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0;
 906	INIT_LIST_HEAD(&context->killed_trees);
 907	INIT_LIST_HEAD(&context->names_list);
 908	return context;
 909}
 910
 911/**
 912 * audit_alloc - allocate an audit context block for a task
 913 * @tsk: task
 914 *
 915 * Filter on the task information and allocate a per-task audit context
 916 * if necessary.  Doing so turns on system call auditing for the
 917 * specified task.  This is called from copy_process, so no lock is
 918 * needed.
 919 */
 920int audit_alloc(struct task_struct *tsk)
 921{
 922	struct audit_context *context;
 923	enum audit_state     state;
 924	char *key = NULL;
 925
 926	if (likely(!audit_ever_enabled))
 927		return 0; /* Return if not auditing. */
 928
 929	state = audit_filter_task(tsk, &key);
 930	if (state == AUDIT_DISABLED) {
 931		clear_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT);
 932		return 0;
 933	}
 934
 935	if (!(context = audit_alloc_context(state))) {
 936		kfree(key);
 937		audit_log_lost("out of memory in audit_alloc");
 938		return -ENOMEM;
 939	}
 940	context->filterkey = key;
 941
 942	tsk->audit_context  = context;
 943	set_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT);
 944	return 0;
 945}
 946
 947static inline void audit_free_context(struct audit_context *context)
 948{
 949	audit_free_names(context);
 950	unroll_tree_refs(context, NULL, 0);
 951	free_tree_refs(context);
 952	audit_free_aux(context);
 953	kfree(context->filterkey);
 954	kfree(context->sockaddr);
 955	audit_proctitle_free(context);
 956	kfree(context);
 957}
 958
 959static int audit_log_pid_context(struct audit_context *context, pid_t pid,
 960				 kuid_t auid, kuid_t uid, unsigned int sessionid,
 961				 u32 sid, char *comm)
 962{
 963	struct audit_buffer *ab;
 964	char *ctx = NULL;
 965	u32 len;
 966	int rc = 0;
 967
 968	ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID);
 969	if (!ab)
 970		return rc;
 971
 972	audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid,
 973			 from_kuid(&init_user_ns, auid),
 974			 from_kuid(&init_user_ns, uid), sessionid);
 975	if (sid) {
 976		if (security_secid_to_secctx(sid, &ctx, &len)) {
 977			audit_log_format(ab, " obj=(none)");
 978			rc = 1;
 979		} else {
 980			audit_log_format(ab, " obj=%s", ctx);
 981			security_release_secctx(ctx, len);
 982		}
 983	}
 984	audit_log_format(ab, " ocomm=");
 985	audit_log_untrustedstring(ab, comm);
 986	audit_log_end(ab);
 987
 988	return rc;
 989}
 990
 991/*
 992 * to_send and len_sent accounting are very loose estimates.  We aren't
 993 * really worried about a hard cap to MAX_EXECVE_AUDIT_LEN so much as being
 994 * within about 500 bytes (next page boundary)
 995 *
 996 * why snprintf?  an int is up to 12 digits long.  if we just assumed when
 997 * logging that a[%d]= was going to be 16 characters long we would be wasting
 998 * space in every audit message.  In one 7500 byte message we can log up to
 999 * about 1000 min size arguments.  That comes down to about 50% waste of space
1000 * if we didn't do the snprintf to find out how long arg_num_len was.
1001 */
1002static int audit_log_single_execve_arg(struct audit_context *context,
1003					struct audit_buffer **ab,
1004					int arg_num,
1005					size_t *len_sent,
1006					const char __user *p,
1007					char *buf)
1008{
1009	char arg_num_len_buf[12];
1010	const char __user *tmp_p = p;
1011	/* how many digits are in arg_num? 5 is the length of ' a=""' */
1012	size_t arg_num_len = snprintf(arg_num_len_buf, 12, "%d", arg_num) + 5;
1013	size_t len, len_left, to_send;
1014	size_t max_execve_audit_len = MAX_EXECVE_AUDIT_LEN;
1015	unsigned int i, has_cntl = 0, too_long = 0;
1016	int ret;
1017
1018	/* strnlen_user includes the null we don't want to send */
1019	len_left = len = strnlen_user(p, MAX_ARG_STRLEN) - 1;
1020
1021	/*
1022	 * We just created this mm, if we can't find the strings
1023	 * we just copied into it something is _very_ wrong. Similar
1024	 * for strings that are too long, we should not have created
1025	 * any.
1026	 */
1027	if (WARN_ON_ONCE(len < 0 || len > MAX_ARG_STRLEN - 1)) {
1028		send_sig(SIGKILL, current, 0);
1029		return -1;
1030	}
1031
1032	/* walk the whole argument looking for non-ascii chars */
1033	do {
1034		if (len_left > MAX_EXECVE_AUDIT_LEN)
1035			to_send = MAX_EXECVE_AUDIT_LEN;
1036		else
1037			to_send = len_left;
1038		ret = copy_from_user(buf, tmp_p, to_send);
1039		/*
1040		 * There is no reason for this copy to be short. We just
1041		 * copied them here, and the mm hasn't been exposed to user-
1042		 * space yet.
1043		 */
1044		if (ret) {
1045			WARN_ON(1);
1046			send_sig(SIGKILL, current, 0);
1047			return -1;
1048		}
1049		buf[to_send] = '\0';
1050		has_cntl = audit_string_contains_control(buf, to_send);
1051		if (has_cntl) {
1052			/*
1053			 * hex messages get logged as 2 bytes, so we can only
1054			 * send half as much in each message
1055			 */
1056			max_execve_audit_len = MAX_EXECVE_AUDIT_LEN / 2;
1057			break;
1058		}
1059		len_left -= to_send;
1060		tmp_p += to_send;
1061	} while (len_left > 0);
1062
1063	len_left = len;
1064
1065	if (len > max_execve_audit_len)
1066		too_long = 1;
1067
1068	/* rewalk the argument actually logging the message */
1069	for (i = 0; len_left > 0; i++) {
1070		int room_left;
1071
1072		if (len_left > max_execve_audit_len)
1073			to_send = max_execve_audit_len;
1074		else
1075			to_send = len_left;
1076
1077		/* do we have space left to send this argument in this ab? */
1078		room_left = MAX_EXECVE_AUDIT_LEN - arg_num_len - *len_sent;
1079		if (has_cntl)
1080			room_left -= (to_send * 2);
1081		else
1082			room_left -= to_send;
1083		if (room_left < 0) {
1084			*len_sent = 0;
1085			audit_log_end(*ab);
1086			*ab = audit_log_start(context, GFP_KERNEL, AUDIT_EXECVE);
1087			if (!*ab)
1088				return 0;
1089		}
1090
1091		/*
1092		 * first record needs to say how long the original string was
1093		 * so we can be sure nothing was lost.
1094		 */
1095		if ((i == 0) && (too_long))
1096			audit_log_format(*ab, " a%d_len=%zu", arg_num,
1097					 has_cntl ? 2*len : len);
1098
1099		/*
1100		 * normally arguments are small enough to fit and we already
1101		 * filled buf above when we checked for control characters
1102		 * so don't bother with another copy_from_user
1103		 */
1104		if (len >= max_execve_audit_len)
1105			ret = copy_from_user(buf, p, to_send);
1106		else
1107			ret = 0;
1108		if (ret) {
1109			WARN_ON(1);
1110			send_sig(SIGKILL, current, 0);
1111			return -1;
1112		}
1113		buf[to_send] = '\0';
1114
1115		/* actually log it */
1116		audit_log_format(*ab, " a%d", arg_num);
1117		if (too_long)
1118			audit_log_format(*ab, "[%d]", i);
1119		audit_log_format(*ab, "=");
1120		if (has_cntl)
1121			audit_log_n_hex(*ab, buf, to_send);
1122		else
1123			audit_log_string(*ab, buf);
1124
1125		p += to_send;
1126		len_left -= to_send;
1127		*len_sent += arg_num_len;
1128		if (has_cntl)
1129			*len_sent += to_send * 2;
1130		else
1131			*len_sent += to_send;
1132	}
1133	/* include the null we didn't log */
1134	return len + 1;
1135}
1136
1137static void audit_log_execve_info(struct audit_context *context,
1138				  struct audit_buffer **ab)
1139{
1140	int i, len;
1141	size_t len_sent = 0;
1142	const char __user *p;
 
 
 
 
 
 
 
 
1143	char *buf;
 
1144
1145	p = (const char __user *)current->mm->arg_start;
1146
1147	audit_log_format(*ab, "argc=%d", context->execve.argc);
1148
1149	/*
1150	 * we need some kernel buffer to hold the userspace args.  Just
1151	 * allocate one big one rather than allocating one of the right size
1152	 * for every single argument inside audit_log_single_execve_arg()
1153	 * should be <8k allocation so should be pretty safe.
1154	 */
1155	buf = kmalloc(MAX_EXECVE_AUDIT_LEN + 1, GFP_KERNEL);
1156	if (!buf) {
 
 
 
1157		audit_panic("out of memory for argv string");
1158		return;
1159	}
 
1160
1161	for (i = 0; i < context->execve.argc; i++) {
1162		len = audit_log_single_execve_arg(context, ab, i,
1163						  &len_sent, p, buf);
1164		if (len <= 0)
1165			break;
1166		p += len;
1167	}
1168	kfree(buf);
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1169}
1170
1171static void show_special(struct audit_context *context, int *call_panic)
1172{
1173	struct audit_buffer *ab;
1174	int i;
1175
1176	ab = audit_log_start(context, GFP_KERNEL, context->type);
1177	if (!ab)
1178		return;
1179
1180	switch (context->type) {
1181	case AUDIT_SOCKETCALL: {
1182		int nargs = context->socketcall.nargs;
1183		audit_log_format(ab, "nargs=%d", nargs);
1184		for (i = 0; i < nargs; i++)
1185			audit_log_format(ab, " a%d=%lx", i,
1186				context->socketcall.args[i]);
1187		break; }
1188	case AUDIT_IPC: {
1189		u32 osid = context->ipc.osid;
1190
1191		audit_log_format(ab, "ouid=%u ogid=%u mode=%#ho",
1192				 from_kuid(&init_user_ns, context->ipc.uid),
1193				 from_kgid(&init_user_ns, context->ipc.gid),
1194				 context->ipc.mode);
1195		if (osid) {
1196			char *ctx = NULL;
1197			u32 len;
1198			if (security_secid_to_secctx(osid, &ctx, &len)) {
1199				audit_log_format(ab, " osid=%u", osid);
1200				*call_panic = 1;
1201			} else {
1202				audit_log_format(ab, " obj=%s", ctx);
1203				security_release_secctx(ctx, len);
1204			}
1205		}
1206		if (context->ipc.has_perm) {
1207			audit_log_end(ab);
1208			ab = audit_log_start(context, GFP_KERNEL,
1209					     AUDIT_IPC_SET_PERM);
1210			if (unlikely(!ab))
1211				return;
1212			audit_log_format(ab,
1213				"qbytes=%lx ouid=%u ogid=%u mode=%#ho",
1214				context->ipc.qbytes,
1215				context->ipc.perm_uid,
1216				context->ipc.perm_gid,
1217				context->ipc.perm_mode);
1218		}
1219		break; }
1220	case AUDIT_MQ_OPEN: {
1221		audit_log_format(ab,
1222			"oflag=0x%x mode=%#ho mq_flags=0x%lx mq_maxmsg=%ld "
1223			"mq_msgsize=%ld mq_curmsgs=%ld",
1224			context->mq_open.oflag, context->mq_open.mode,
1225			context->mq_open.attr.mq_flags,
1226			context->mq_open.attr.mq_maxmsg,
1227			context->mq_open.attr.mq_msgsize,
1228			context->mq_open.attr.mq_curmsgs);
1229		break; }
1230	case AUDIT_MQ_SENDRECV: {
1231		audit_log_format(ab,
1232			"mqdes=%d msg_len=%zd msg_prio=%u "
1233			"abs_timeout_sec=%ld abs_timeout_nsec=%ld",
1234			context->mq_sendrecv.mqdes,
1235			context->mq_sendrecv.msg_len,
1236			context->mq_sendrecv.msg_prio,
1237			context->mq_sendrecv.abs_timeout.tv_sec,
1238			context->mq_sendrecv.abs_timeout.tv_nsec);
1239		break; }
1240	case AUDIT_MQ_NOTIFY: {
1241		audit_log_format(ab, "mqdes=%d sigev_signo=%d",
1242				context->mq_notify.mqdes,
1243				context->mq_notify.sigev_signo);
1244		break; }
1245	case AUDIT_MQ_GETSETATTR: {
1246		struct mq_attr *attr = &context->mq_getsetattr.mqstat;
1247		audit_log_format(ab,
1248			"mqdes=%d mq_flags=0x%lx mq_maxmsg=%ld mq_msgsize=%ld "
1249			"mq_curmsgs=%ld ",
1250			context->mq_getsetattr.mqdes,
1251			attr->mq_flags, attr->mq_maxmsg,
1252			attr->mq_msgsize, attr->mq_curmsgs);
1253		break; }
1254	case AUDIT_CAPSET: {
1255		audit_log_format(ab, "pid=%d", context->capset.pid);
1256		audit_log_cap(ab, "cap_pi", &context->capset.cap.inheritable);
1257		audit_log_cap(ab, "cap_pp", &context->capset.cap.permitted);
1258		audit_log_cap(ab, "cap_pe", &context->capset.cap.effective);
1259		break; }
1260	case AUDIT_MMAP: {
1261		audit_log_format(ab, "fd=%d flags=0x%x", context->mmap.fd,
1262				 context->mmap.flags);
1263		break; }
1264	case AUDIT_EXECVE: {
1265		audit_log_execve_info(context, &ab);
1266		break; }
1267	}
1268	audit_log_end(ab);
1269}
1270
1271static inline int audit_proctitle_rtrim(char *proctitle, int len)
1272{
1273	char *end = proctitle + len - 1;
1274	while (end > proctitle && !isprint(*end))
1275		end--;
1276
1277	/* catch the case where proctitle is only 1 non-print character */
1278	len = end - proctitle + 1;
1279	len -= isprint(proctitle[len-1]) == 0;
1280	return len;
1281}
1282
1283static void audit_log_proctitle(struct task_struct *tsk,
1284			 struct audit_context *context)
1285{
1286	int res;
1287	char *buf;
1288	char *msg = "(null)";
1289	int len = strlen(msg);
1290	struct audit_buffer *ab;
1291
1292	ab = audit_log_start(context, GFP_KERNEL, AUDIT_PROCTITLE);
1293	if (!ab)
1294		return;	/* audit_panic or being filtered */
1295
1296	audit_log_format(ab, "proctitle=");
1297
1298	/* Not  cached */
1299	if (!context->proctitle.value) {
1300		buf = kmalloc(MAX_PROCTITLE_AUDIT_LEN, GFP_KERNEL);
1301		if (!buf)
1302			goto out;
1303		/* Historically called this from procfs naming */
1304		res = get_cmdline(tsk, buf, MAX_PROCTITLE_AUDIT_LEN);
1305		if (res == 0) {
1306			kfree(buf);
1307			goto out;
1308		}
1309		res = audit_proctitle_rtrim(buf, res);
1310		if (res == 0) {
1311			kfree(buf);
1312			goto out;
1313		}
1314		context->proctitle.value = buf;
1315		context->proctitle.len = res;
1316	}
1317	msg = context->proctitle.value;
1318	len = context->proctitle.len;
1319out:
1320	audit_log_n_untrustedstring(ab, msg, len);
1321	audit_log_end(ab);
1322}
1323
1324static void audit_log_exit(struct audit_context *context, struct task_struct *tsk)
1325{
1326	int i, call_panic = 0;
1327	struct audit_buffer *ab;
1328	struct audit_aux_data *aux;
1329	struct audit_names *n;
1330
1331	/* tsk == current */
1332	context->personality = tsk->personality;
1333
1334	ab = audit_log_start(context, GFP_KERNEL, AUDIT_SYSCALL);
1335	if (!ab)
1336		return;		/* audit_panic has been called */
1337	audit_log_format(ab, "arch=%x syscall=%d",
1338			 context->arch, context->major);
1339	if (context->personality != PER_LINUX)
1340		audit_log_format(ab, " per=%lx", context->personality);
1341	if (context->return_valid)
1342		audit_log_format(ab, " success=%s exit=%ld",
1343				 (context->return_valid==AUDITSC_SUCCESS)?"yes":"no",
1344				 context->return_code);
1345
1346	audit_log_format(ab,
1347			 " a0=%lx a1=%lx a2=%lx a3=%lx items=%d",
1348			 context->argv[0],
1349			 context->argv[1],
1350			 context->argv[2],
1351			 context->argv[3],
1352			 context->name_count);
1353
1354	audit_log_task_info(ab, tsk);
1355	audit_log_key(ab, context->filterkey);
1356	audit_log_end(ab);
1357
1358	for (aux = context->aux; aux; aux = aux->next) {
1359
1360		ab = audit_log_start(context, GFP_KERNEL, aux->type);
1361		if (!ab)
1362			continue; /* audit_panic has been called */
1363
1364		switch (aux->type) {
1365
1366		case AUDIT_BPRM_FCAPS: {
1367			struct audit_aux_data_bprm_fcaps *axs = (void *)aux;
1368			audit_log_format(ab, "fver=%x", axs->fcap_ver);
1369			audit_log_cap(ab, "fp", &axs->fcap.permitted);
1370			audit_log_cap(ab, "fi", &axs->fcap.inheritable);
1371			audit_log_format(ab, " fe=%d", axs->fcap.fE);
1372			audit_log_cap(ab, "old_pp", &axs->old_pcap.permitted);
1373			audit_log_cap(ab, "old_pi", &axs->old_pcap.inheritable);
1374			audit_log_cap(ab, "old_pe", &axs->old_pcap.effective);
1375			audit_log_cap(ab, "new_pp", &axs->new_pcap.permitted);
1376			audit_log_cap(ab, "new_pi", &axs->new_pcap.inheritable);
1377			audit_log_cap(ab, "new_pe", &axs->new_pcap.effective);
1378			break; }
1379
1380		}
1381		audit_log_end(ab);
1382	}
1383
1384	if (context->type)
1385		show_special(context, &call_panic);
1386
1387	if (context->fds[0] >= 0) {
1388		ab = audit_log_start(context, GFP_KERNEL, AUDIT_FD_PAIR);
1389		if (ab) {
1390			audit_log_format(ab, "fd0=%d fd1=%d",
1391					context->fds[0], context->fds[1]);
1392			audit_log_end(ab);
1393		}
1394	}
1395
1396	if (context->sockaddr_len) {
1397		ab = audit_log_start(context, GFP_KERNEL, AUDIT_SOCKADDR);
1398		if (ab) {
1399			audit_log_format(ab, "saddr=");
1400			audit_log_n_hex(ab, (void *)context->sockaddr,
1401					context->sockaddr_len);
1402			audit_log_end(ab);
1403		}
1404	}
1405
1406	for (aux = context->aux_pids; aux; aux = aux->next) {
1407		struct audit_aux_data_pids *axs = (void *)aux;
1408
1409		for (i = 0; i < axs->pid_count; i++)
1410			if (audit_log_pid_context(context, axs->target_pid[i],
1411						  axs->target_auid[i],
1412						  axs->target_uid[i],
1413						  axs->target_sessionid[i],
1414						  axs->target_sid[i],
1415						  axs->target_comm[i]))
1416				call_panic = 1;
1417	}
1418
1419	if (context->target_pid &&
1420	    audit_log_pid_context(context, context->target_pid,
1421				  context->target_auid, context->target_uid,
1422				  context->target_sessionid,
1423				  context->target_sid, context->target_comm))
1424			call_panic = 1;
1425
1426	if (context->pwd.dentry && context->pwd.mnt) {
1427		ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD);
1428		if (ab) {
1429			audit_log_d_path(ab, " cwd=", &context->pwd);
1430			audit_log_end(ab);
1431		}
1432	}
1433
1434	i = 0;
1435	list_for_each_entry(n, &context->names_list, list) {
1436		if (n->hidden)
1437			continue;
1438		audit_log_name(context, n, NULL, i++, &call_panic);
1439	}
1440
1441	audit_log_proctitle(tsk, context);
1442
1443	/* Send end of event record to help user space know we are finished */
1444	ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE);
1445	if (ab)
1446		audit_log_end(ab);
1447	if (call_panic)
1448		audit_panic("error converting sid to string");
1449}
1450
1451/**
1452 * audit_free - free a per-task audit context
1453 * @tsk: task whose audit context block to free
1454 *
1455 * Called from copy_process and do_exit
1456 */
1457void __audit_free(struct task_struct *tsk)
1458{
1459	struct audit_context *context;
1460
1461	context = audit_take_context(tsk, 0, 0);
1462	if (!context)
1463		return;
1464
1465	/* Check for system calls that do not go through the exit
1466	 * function (e.g., exit_group), then free context block.
1467	 * We use GFP_ATOMIC here because we might be doing this
1468	 * in the context of the idle thread */
1469	/* that can happen only if we are called from do_exit() */
1470	if (context->in_syscall && context->current_state == AUDIT_RECORD_CONTEXT)
1471		audit_log_exit(context, tsk);
1472	if (!list_empty(&context->killed_trees))
1473		audit_kill_trees(&context->killed_trees);
1474
1475	audit_free_context(context);
1476}
1477
1478/**
1479 * audit_syscall_entry - fill in an audit record at syscall entry
1480 * @major: major syscall type (function)
1481 * @a1: additional syscall register 1
1482 * @a2: additional syscall register 2
1483 * @a3: additional syscall register 3
1484 * @a4: additional syscall register 4
1485 *
1486 * Fill in audit context at syscall entry.  This only happens if the
1487 * audit context was created when the task was created and the state or
1488 * filters demand the audit context be built.  If the state from the
1489 * per-task filter or from the per-syscall filter is AUDIT_RECORD_CONTEXT,
1490 * then the record will be written at syscall exit time (otherwise, it
1491 * will only be written if another part of the kernel requests that it
1492 * be written).
1493 */
1494void __audit_syscall_entry(int major, unsigned long a1, unsigned long a2,
1495			   unsigned long a3, unsigned long a4)
1496{
1497	struct task_struct *tsk = current;
1498	struct audit_context *context = tsk->audit_context;
1499	enum audit_state     state;
1500
1501	if (!context)
1502		return;
1503
1504	BUG_ON(context->in_syscall || context->name_count);
1505
1506	if (!audit_enabled)
1507		return;
1508
1509	context->arch	    = syscall_get_arch();
1510	context->major      = major;
1511	context->argv[0]    = a1;
1512	context->argv[1]    = a2;
1513	context->argv[2]    = a3;
1514	context->argv[3]    = a4;
1515
1516	state = context->state;
1517	context->dummy = !audit_n_rules;
1518	if (!context->dummy && state == AUDIT_BUILD_CONTEXT) {
1519		context->prio = 0;
1520		state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_ENTRY]);
1521	}
1522	if (state == AUDIT_DISABLED)
1523		return;
1524
1525	context->serial     = 0;
1526	context->ctime      = CURRENT_TIME;
1527	context->in_syscall = 1;
1528	context->current_state  = state;
1529	context->ppid       = 0;
1530}
1531
1532/**
1533 * audit_syscall_exit - deallocate audit context after a system call
1534 * @success: success value of the syscall
1535 * @return_code: return value of the syscall
1536 *
1537 * Tear down after system call.  If the audit context has been marked as
1538 * auditable (either because of the AUDIT_RECORD_CONTEXT state from
1539 * filtering, or because some other part of the kernel wrote an audit
1540 * message), then write out the syscall information.  In call cases,
1541 * free the names stored from getname().
1542 */
1543void __audit_syscall_exit(int success, long return_code)
1544{
1545	struct task_struct *tsk = current;
1546	struct audit_context *context;
1547
1548	if (success)
1549		success = AUDITSC_SUCCESS;
1550	else
1551		success = AUDITSC_FAILURE;
1552
1553	context = audit_take_context(tsk, success, return_code);
1554	if (!context)
1555		return;
1556
1557	if (context->in_syscall && context->current_state == AUDIT_RECORD_CONTEXT)
1558		audit_log_exit(context, tsk);
1559
1560	context->in_syscall = 0;
1561	context->prio = context->state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0;
1562
1563	if (!list_empty(&context->killed_trees))
1564		audit_kill_trees(&context->killed_trees);
1565
1566	audit_free_names(context);
1567	unroll_tree_refs(context, NULL, 0);
1568	audit_free_aux(context);
1569	context->aux = NULL;
1570	context->aux_pids = NULL;
1571	context->target_pid = 0;
1572	context->target_sid = 0;
1573	context->sockaddr_len = 0;
1574	context->type = 0;
1575	context->fds[0] = -1;
1576	if (context->state != AUDIT_RECORD_CONTEXT) {
1577		kfree(context->filterkey);
1578		context->filterkey = NULL;
1579	}
1580	tsk->audit_context = context;
1581}
1582
1583static inline void handle_one(const struct inode *inode)
1584{
1585#ifdef CONFIG_AUDIT_TREE
1586	struct audit_context *context;
1587	struct audit_tree_refs *p;
1588	struct audit_chunk *chunk;
1589	int count;
1590	if (likely(hlist_empty(&inode->i_fsnotify_marks)))
1591		return;
1592	context = current->audit_context;
1593	p = context->trees;
1594	count = context->tree_count;
1595	rcu_read_lock();
1596	chunk = audit_tree_lookup(inode);
1597	rcu_read_unlock();
1598	if (!chunk)
1599		return;
1600	if (likely(put_tree_ref(context, chunk)))
1601		return;
1602	if (unlikely(!grow_tree_refs(context))) {
1603		pr_warn("out of memory, audit has lost a tree reference\n");
1604		audit_set_auditable(context);
1605		audit_put_chunk(chunk);
1606		unroll_tree_refs(context, p, count);
1607		return;
1608	}
1609	put_tree_ref(context, chunk);
1610#endif
1611}
1612
1613static void handle_path(const struct dentry *dentry)
1614{
1615#ifdef CONFIG_AUDIT_TREE
1616	struct audit_context *context;
1617	struct audit_tree_refs *p;
1618	const struct dentry *d, *parent;
1619	struct audit_chunk *drop;
1620	unsigned long seq;
1621	int count;
1622
1623	context = current->audit_context;
1624	p = context->trees;
1625	count = context->tree_count;
1626retry:
1627	drop = NULL;
1628	d = dentry;
1629	rcu_read_lock();
1630	seq = read_seqbegin(&rename_lock);
1631	for(;;) {
1632		struct inode *inode = d_backing_inode(d);
1633		if (inode && unlikely(!hlist_empty(&inode->i_fsnotify_marks))) {
1634			struct audit_chunk *chunk;
1635			chunk = audit_tree_lookup(inode);
1636			if (chunk) {
1637				if (unlikely(!put_tree_ref(context, chunk))) {
1638					drop = chunk;
1639					break;
1640				}
1641			}
1642		}
1643		parent = d->d_parent;
1644		if (parent == d)
1645			break;
1646		d = parent;
1647	}
1648	if (unlikely(read_seqretry(&rename_lock, seq) || drop)) {  /* in this order */
1649		rcu_read_unlock();
1650		if (!drop) {
1651			/* just a race with rename */
1652			unroll_tree_refs(context, p, count);
1653			goto retry;
1654		}
1655		audit_put_chunk(drop);
1656		if (grow_tree_refs(context)) {
1657			/* OK, got more space */
1658			unroll_tree_refs(context, p, count);
1659			goto retry;
1660		}
1661		/* too bad */
1662		pr_warn("out of memory, audit has lost a tree reference\n");
1663		unroll_tree_refs(context, p, count);
1664		audit_set_auditable(context);
1665		return;
1666	}
1667	rcu_read_unlock();
1668#endif
1669}
1670
1671static struct audit_names *audit_alloc_name(struct audit_context *context,
1672						unsigned char type)
1673{
1674	struct audit_names *aname;
1675
1676	if (context->name_count < AUDIT_NAMES) {
1677		aname = &context->preallocated_names[context->name_count];
1678		memset(aname, 0, sizeof(*aname));
1679	} else {
1680		aname = kzalloc(sizeof(*aname), GFP_NOFS);
1681		if (!aname)
1682			return NULL;
1683		aname->should_free = true;
1684	}
1685
1686	aname->ino = AUDIT_INO_UNSET;
1687	aname->type = type;
1688	list_add_tail(&aname->list, &context->names_list);
1689
1690	context->name_count++;
1691	return aname;
1692}
1693
1694/**
1695 * audit_reusename - fill out filename with info from existing entry
1696 * @uptr: userland ptr to pathname
1697 *
1698 * Search the audit_names list for the current audit context. If there is an
1699 * existing entry with a matching "uptr" then return the filename
1700 * associated with that audit_name. If not, return NULL.
1701 */
1702struct filename *
1703__audit_reusename(const __user char *uptr)
1704{
1705	struct audit_context *context = current->audit_context;
1706	struct audit_names *n;
1707
1708	list_for_each_entry(n, &context->names_list, list) {
1709		if (!n->name)
1710			continue;
1711		if (n->name->uptr == uptr) {
1712			n->name->refcnt++;
1713			return n->name;
1714		}
1715	}
1716	return NULL;
1717}
1718
1719/**
1720 * audit_getname - add a name to the list
1721 * @name: name to add
1722 *
1723 * Add a name to the list of audit names for this context.
1724 * Called from fs/namei.c:getname().
1725 */
1726void __audit_getname(struct filename *name)
1727{
1728	struct audit_context *context = current->audit_context;
1729	struct audit_names *n;
1730
1731	if (!context->in_syscall)
1732		return;
1733
1734	n = audit_alloc_name(context, AUDIT_TYPE_UNKNOWN);
1735	if (!n)
1736		return;
1737
1738	n->name = name;
1739	n->name_len = AUDIT_NAME_FULL;
1740	name->aname = n;
1741	name->refcnt++;
1742
1743	if (!context->pwd.dentry)
1744		get_fs_pwd(current->fs, &context->pwd);
1745}
1746
1747/**
1748 * __audit_inode - store the inode and device from a lookup
1749 * @name: name being audited
1750 * @dentry: dentry being audited
1751 * @flags: attributes for this particular entry
1752 */
1753void __audit_inode(struct filename *name, const struct dentry *dentry,
1754		   unsigned int flags)
1755{
1756	struct audit_context *context = current->audit_context;
1757	struct inode *inode = d_backing_inode(dentry);
1758	struct audit_names *n;
1759	bool parent = flags & AUDIT_INODE_PARENT;
1760
1761	if (!context->in_syscall)
1762		return;
1763
1764	if (!name)
1765		goto out_alloc;
1766
1767	/*
1768	 * If we have a pointer to an audit_names entry already, then we can
1769	 * just use it directly if the type is correct.
1770	 */
1771	n = name->aname;
1772	if (n) {
1773		if (parent) {
1774			if (n->type == AUDIT_TYPE_PARENT ||
1775			    n->type == AUDIT_TYPE_UNKNOWN)
1776				goto out;
1777		} else {
1778			if (n->type != AUDIT_TYPE_PARENT)
1779				goto out;
1780		}
1781	}
1782
1783	list_for_each_entry_reverse(n, &context->names_list, list) {
1784		if (n->ino) {
1785			/* valid inode number, use that for the comparison */
1786			if (n->ino != inode->i_ino ||
1787			    n->dev != inode->i_sb->s_dev)
1788				continue;
1789		} else if (n->name) {
1790			/* inode number has not been set, check the name */
1791			if (strcmp(n->name->name, name->name))
1792				continue;
1793		} else
1794			/* no inode and no name (?!) ... this is odd ... */
1795			continue;
1796
1797		/* match the correct record type */
1798		if (parent) {
1799			if (n->type == AUDIT_TYPE_PARENT ||
1800			    n->type == AUDIT_TYPE_UNKNOWN)
1801				goto out;
1802		} else {
1803			if (n->type != AUDIT_TYPE_PARENT)
1804				goto out;
1805		}
1806	}
1807
1808out_alloc:
1809	/* unable to find an entry with both a matching name and type */
1810	n = audit_alloc_name(context, AUDIT_TYPE_UNKNOWN);
1811	if (!n)
1812		return;
1813	if (name) {
1814		n->name = name;
1815		name->refcnt++;
1816	}
1817
1818out:
1819	if (parent) {
1820		n->name_len = n->name ? parent_len(n->name->name) : AUDIT_NAME_FULL;
1821		n->type = AUDIT_TYPE_PARENT;
1822		if (flags & AUDIT_INODE_HIDDEN)
1823			n->hidden = true;
1824	} else {
1825		n->name_len = AUDIT_NAME_FULL;
1826		n->type = AUDIT_TYPE_NORMAL;
1827	}
1828	handle_path(dentry);
1829	audit_copy_inode(n, dentry, inode);
1830}
1831
1832void __audit_file(const struct file *file)
1833{
1834	__audit_inode(NULL, file->f_path.dentry, 0);
1835}
1836
1837/**
1838 * __audit_inode_child - collect inode info for created/removed objects
1839 * @parent: inode of dentry parent
1840 * @dentry: dentry being audited
1841 * @type:   AUDIT_TYPE_* value that we're looking for
1842 *
1843 * For syscalls that create or remove filesystem objects, audit_inode
1844 * can only collect information for the filesystem object's parent.
1845 * This call updates the audit context with the child's information.
1846 * Syscalls that create a new filesystem object must be hooked after
1847 * the object is created.  Syscalls that remove a filesystem object
1848 * must be hooked prior, in order to capture the target inode during
1849 * unsuccessful attempts.
1850 */
1851void __audit_inode_child(struct inode *parent,
1852			 const struct dentry *dentry,
1853			 const unsigned char type)
1854{
1855	struct audit_context *context = current->audit_context;
1856	struct inode *inode = d_backing_inode(dentry);
1857	const char *dname = dentry->d_name.name;
1858	struct audit_names *n, *found_parent = NULL, *found_child = NULL;
1859
1860	if (!context->in_syscall)
1861		return;
1862
1863	if (inode)
1864		handle_one(inode);
1865
1866	/* look for a parent entry first */
1867	list_for_each_entry(n, &context->names_list, list) {
1868		if (!n->name ||
1869		    (n->type != AUDIT_TYPE_PARENT &&
1870		     n->type != AUDIT_TYPE_UNKNOWN))
1871			continue;
1872
1873		if (n->ino == parent->i_ino && n->dev == parent->i_sb->s_dev &&
1874		    !audit_compare_dname_path(dname,
1875					      n->name->name, n->name_len)) {
1876			if (n->type == AUDIT_TYPE_UNKNOWN)
1877				n->type = AUDIT_TYPE_PARENT;
1878			found_parent = n;
1879			break;
1880		}
1881	}
1882
1883	/* is there a matching child entry? */
1884	list_for_each_entry(n, &context->names_list, list) {
1885		/* can only match entries that have a name */
1886		if (!n->name ||
1887		    (n->type != type && n->type != AUDIT_TYPE_UNKNOWN))
1888			continue;
1889
1890		if (!strcmp(dname, n->name->name) ||
1891		    !audit_compare_dname_path(dname, n->name->name,
1892						found_parent ?
1893						found_parent->name_len :
1894						AUDIT_NAME_FULL)) {
1895			if (n->type == AUDIT_TYPE_UNKNOWN)
1896				n->type = type;
1897			found_child = n;
1898			break;
1899		}
1900	}
1901
1902	if (!found_parent) {
1903		/* create a new, "anonymous" parent record */
1904		n = audit_alloc_name(context, AUDIT_TYPE_PARENT);
1905		if (!n)
1906			return;
1907		audit_copy_inode(n, NULL, parent);
1908	}
1909
1910	if (!found_child) {
1911		found_child = audit_alloc_name(context, type);
1912		if (!found_child)
1913			return;
1914
1915		/* Re-use the name belonging to the slot for a matching parent
1916		 * directory. All names for this context are relinquished in
1917		 * audit_free_names() */
1918		if (found_parent) {
1919			found_child->name = found_parent->name;
1920			found_child->name_len = AUDIT_NAME_FULL;
1921			found_child->name->refcnt++;
1922		}
1923	}
1924
1925	if (inode)
1926		audit_copy_inode(found_child, dentry, inode);
1927	else
1928		found_child->ino = AUDIT_INO_UNSET;
1929}
1930EXPORT_SYMBOL_GPL(__audit_inode_child);
1931
1932/**
1933 * auditsc_get_stamp - get local copies of audit_context values
1934 * @ctx: audit_context for the task
1935 * @t: timespec to store time recorded in the audit_context
1936 * @serial: serial value that is recorded in the audit_context
1937 *
1938 * Also sets the context as auditable.
1939 */
1940int auditsc_get_stamp(struct audit_context *ctx,
1941		       struct timespec *t, unsigned int *serial)
1942{
1943	if (!ctx->in_syscall)
1944		return 0;
1945	if (!ctx->serial)
1946		ctx->serial = audit_serial();
1947	t->tv_sec  = ctx->ctime.tv_sec;
1948	t->tv_nsec = ctx->ctime.tv_nsec;
1949	*serial    = ctx->serial;
1950	if (!ctx->prio) {
1951		ctx->prio = 1;
1952		ctx->current_state = AUDIT_RECORD_CONTEXT;
1953	}
1954	return 1;
1955}
1956
1957/* global counter which is incremented every time something logs in */
1958static atomic_t session_id = ATOMIC_INIT(0);
1959
1960static int audit_set_loginuid_perm(kuid_t loginuid)
1961{
1962	/* if we are unset, we don't need privs */
1963	if (!audit_loginuid_set(current))
1964		return 0;
1965	/* if AUDIT_FEATURE_LOGINUID_IMMUTABLE means never ever allow a change*/
1966	if (is_audit_feature_set(AUDIT_FEATURE_LOGINUID_IMMUTABLE))
1967		return -EPERM;
1968	/* it is set, you need permission */
1969	if (!capable(CAP_AUDIT_CONTROL))
1970		return -EPERM;
1971	/* reject if this is not an unset and we don't allow that */
1972	if (is_audit_feature_set(AUDIT_FEATURE_ONLY_UNSET_LOGINUID) && uid_valid(loginuid))
1973		return -EPERM;
1974	return 0;
1975}
1976
1977static void audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid,
1978				   unsigned int oldsessionid, unsigned int sessionid,
1979				   int rc)
1980{
1981	struct audit_buffer *ab;
1982	uid_t uid, oldloginuid, loginuid;
 
1983
1984	if (!audit_enabled)
1985		return;
1986
 
 
 
 
1987	uid = from_kuid(&init_user_ns, task_uid(current));
1988	oldloginuid = from_kuid(&init_user_ns, koldloginuid);
1989	loginuid = from_kuid(&init_user_ns, kloginuid),
 
1990
1991	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN);
1992	if (!ab)
1993		return;
1994	audit_log_format(ab, "pid=%d uid=%u", task_pid_nr(current), uid);
1995	audit_log_task_context(ab);
1996	audit_log_format(ab, " old-auid=%u auid=%u old-ses=%u ses=%u res=%d",
1997			 oldloginuid, loginuid, oldsessionid, sessionid, !rc);
 
 
1998	audit_log_end(ab);
1999}
2000
2001/**
2002 * audit_set_loginuid - set current task's audit_context loginuid
2003 * @loginuid: loginuid value
2004 *
2005 * Returns 0.
2006 *
2007 * Called (set) from fs/proc/base.c::proc_loginuid_write().
2008 */
2009int audit_set_loginuid(kuid_t loginuid)
2010{
2011	struct task_struct *task = current;
2012	unsigned int oldsessionid, sessionid = (unsigned int)-1;
2013	kuid_t oldloginuid;
2014	int rc;
2015
2016	oldloginuid = audit_get_loginuid(current);
2017	oldsessionid = audit_get_sessionid(current);
2018
2019	rc = audit_set_loginuid_perm(loginuid);
2020	if (rc)
2021		goto out;
2022
2023	/* are we setting or clearing? */
2024	if (uid_valid(loginuid))
2025		sessionid = (unsigned int)atomic_inc_return(&session_id);
 
 
 
2026
2027	task->sessionid = sessionid;
2028	task->loginuid = loginuid;
2029out:
2030	audit_log_set_loginuid(oldloginuid, loginuid, oldsessionid, sessionid, rc);
2031	return rc;
2032}
2033
2034/**
2035 * __audit_mq_open - record audit data for a POSIX MQ open
2036 * @oflag: open flag
2037 * @mode: mode bits
2038 * @attr: queue attributes
2039 *
2040 */
2041void __audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr)
2042{
2043	struct audit_context *context = current->audit_context;
2044
2045	if (attr)
2046		memcpy(&context->mq_open.attr, attr, sizeof(struct mq_attr));
2047	else
2048		memset(&context->mq_open.attr, 0, sizeof(struct mq_attr));
2049
2050	context->mq_open.oflag = oflag;
2051	context->mq_open.mode = mode;
2052
2053	context->type = AUDIT_MQ_OPEN;
2054}
2055
2056/**
2057 * __audit_mq_sendrecv - record audit data for a POSIX MQ timed send/receive
2058 * @mqdes: MQ descriptor
2059 * @msg_len: Message length
2060 * @msg_prio: Message priority
2061 * @abs_timeout: Message timeout in absolute time
2062 *
2063 */
2064void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio,
2065			const struct timespec *abs_timeout)
2066{
2067	struct audit_context *context = current->audit_context;
2068	struct timespec *p = &context->mq_sendrecv.abs_timeout;
2069
2070	if (abs_timeout)
2071		memcpy(p, abs_timeout, sizeof(struct timespec));
2072	else
2073		memset(p, 0, sizeof(struct timespec));
2074
2075	context->mq_sendrecv.mqdes = mqdes;
2076	context->mq_sendrecv.msg_len = msg_len;
2077	context->mq_sendrecv.msg_prio = msg_prio;
2078
2079	context->type = AUDIT_MQ_SENDRECV;
2080}
2081
2082/**
2083 * __audit_mq_notify - record audit data for a POSIX MQ notify
2084 * @mqdes: MQ descriptor
2085 * @notification: Notification event
2086 *
2087 */
2088
2089void __audit_mq_notify(mqd_t mqdes, const struct sigevent *notification)
2090{
2091	struct audit_context *context = current->audit_context;
2092
2093	if (notification)
2094		context->mq_notify.sigev_signo = notification->sigev_signo;
2095	else
2096		context->mq_notify.sigev_signo = 0;
2097
2098	context->mq_notify.mqdes = mqdes;
2099	context->type = AUDIT_MQ_NOTIFY;
2100}
2101
2102/**
2103 * __audit_mq_getsetattr - record audit data for a POSIX MQ get/set attribute
2104 * @mqdes: MQ descriptor
2105 * @mqstat: MQ flags
2106 *
2107 */
2108void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat)
2109{
2110	struct audit_context *context = current->audit_context;
2111	context->mq_getsetattr.mqdes = mqdes;
2112	context->mq_getsetattr.mqstat = *mqstat;
2113	context->type = AUDIT_MQ_GETSETATTR;
2114}
2115
2116/**
2117 * audit_ipc_obj - record audit data for ipc object
2118 * @ipcp: ipc permissions
2119 *
2120 */
2121void __audit_ipc_obj(struct kern_ipc_perm *ipcp)
2122{
2123	struct audit_context *context = current->audit_context;
2124	context->ipc.uid = ipcp->uid;
2125	context->ipc.gid = ipcp->gid;
2126	context->ipc.mode = ipcp->mode;
2127	context->ipc.has_perm = 0;
2128	security_ipc_getsecid(ipcp, &context->ipc.osid);
2129	context->type = AUDIT_IPC;
2130}
2131
2132/**
2133 * audit_ipc_set_perm - record audit data for new ipc permissions
2134 * @qbytes: msgq bytes
2135 * @uid: msgq user id
2136 * @gid: msgq group id
2137 * @mode: msgq mode (permissions)
2138 *
2139 * Called only after audit_ipc_obj().
2140 */
2141void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode)
2142{
2143	struct audit_context *context = current->audit_context;
2144
2145	context->ipc.qbytes = qbytes;
2146	context->ipc.perm_uid = uid;
2147	context->ipc.perm_gid = gid;
2148	context->ipc.perm_mode = mode;
2149	context->ipc.has_perm = 1;
2150}
2151
2152void __audit_bprm(struct linux_binprm *bprm)
2153{
2154	struct audit_context *context = current->audit_context;
2155
2156	context->type = AUDIT_EXECVE;
2157	context->execve.argc = bprm->argc;
2158}
2159
2160
2161/**
2162 * audit_socketcall - record audit data for sys_socketcall
2163 * @nargs: number of args, which should not be more than AUDITSC_ARGS.
2164 * @args: args array
2165 *
2166 */
2167int __audit_socketcall(int nargs, unsigned long *args)
2168{
2169	struct audit_context *context = current->audit_context;
2170
2171	if (nargs <= 0 || nargs > AUDITSC_ARGS || !args)
2172		return -EINVAL;
2173	context->type = AUDIT_SOCKETCALL;
2174	context->socketcall.nargs = nargs;
2175	memcpy(context->socketcall.args, args, nargs * sizeof(unsigned long));
2176	return 0;
2177}
2178
2179/**
2180 * __audit_fd_pair - record audit data for pipe and socketpair
2181 * @fd1: the first file descriptor
2182 * @fd2: the second file descriptor
2183 *
2184 */
2185void __audit_fd_pair(int fd1, int fd2)
2186{
2187	struct audit_context *context = current->audit_context;
2188	context->fds[0] = fd1;
2189	context->fds[1] = fd2;
2190}
2191
2192/**
2193 * audit_sockaddr - record audit data for sys_bind, sys_connect, sys_sendto
2194 * @len: data length in user space
2195 * @a: data address in kernel space
2196 *
2197 * Returns 0 for success or NULL context or < 0 on error.
2198 */
2199int __audit_sockaddr(int len, void *a)
2200{
2201	struct audit_context *context = current->audit_context;
2202
2203	if (!context->sockaddr) {
2204		void *p = kmalloc(sizeof(struct sockaddr_storage), GFP_KERNEL);
2205		if (!p)
2206			return -ENOMEM;
2207		context->sockaddr = p;
2208	}
2209
2210	context->sockaddr_len = len;
2211	memcpy(context->sockaddr, a, len);
2212	return 0;
2213}
2214
2215void __audit_ptrace(struct task_struct *t)
2216{
2217	struct audit_context *context = current->audit_context;
2218
2219	context->target_pid = task_pid_nr(t);
2220	context->target_auid = audit_get_loginuid(t);
2221	context->target_uid = task_uid(t);
2222	context->target_sessionid = audit_get_sessionid(t);
2223	security_task_getsecid(t, &context->target_sid);
2224	memcpy(context->target_comm, t->comm, TASK_COMM_LEN);
2225}
2226
2227/**
2228 * audit_signal_info - record signal info for shutting down audit subsystem
2229 * @sig: signal value
2230 * @t: task being signaled
2231 *
2232 * If the audit subsystem is being terminated, record the task (pid)
2233 * and uid that is doing that.
2234 */
2235int __audit_signal_info(int sig, struct task_struct *t)
2236{
2237	struct audit_aux_data_pids *axp;
2238	struct task_struct *tsk = current;
2239	struct audit_context *ctx = tsk->audit_context;
2240	kuid_t uid = current_uid(), t_uid = task_uid(t);
2241
2242	if (audit_pid && t->tgid == audit_pid) {
2243		if (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1 || sig == SIGUSR2) {
2244			audit_sig_pid = task_pid_nr(tsk);
2245			if (uid_valid(tsk->loginuid))
2246				audit_sig_uid = tsk->loginuid;
2247			else
2248				audit_sig_uid = uid;
2249			security_task_getsecid(tsk, &audit_sig_sid);
2250		}
2251		if (!audit_signals || audit_dummy_context())
2252			return 0;
2253	}
2254
2255	/* optimize the common case by putting first signal recipient directly
2256	 * in audit_context */
2257	if (!ctx->target_pid) {
2258		ctx->target_pid = task_tgid_nr(t);
2259		ctx->target_auid = audit_get_loginuid(t);
2260		ctx->target_uid = t_uid;
2261		ctx->target_sessionid = audit_get_sessionid(t);
2262		security_task_getsecid(t, &ctx->target_sid);
2263		memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN);
2264		return 0;
2265	}
2266
2267	axp = (void *)ctx->aux_pids;
2268	if (!axp || axp->pid_count == AUDIT_AUX_PIDS) {
2269		axp = kzalloc(sizeof(*axp), GFP_ATOMIC);
2270		if (!axp)
2271			return -ENOMEM;
2272
2273		axp->d.type = AUDIT_OBJ_PID;
2274		axp->d.next = ctx->aux_pids;
2275		ctx->aux_pids = (void *)axp;
2276	}
2277	BUG_ON(axp->pid_count >= AUDIT_AUX_PIDS);
2278
2279	axp->target_pid[axp->pid_count] = task_tgid_nr(t);
2280	axp->target_auid[axp->pid_count] = audit_get_loginuid(t);
2281	axp->target_uid[axp->pid_count] = t_uid;
2282	axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t);
2283	security_task_getsecid(t, &axp->target_sid[axp->pid_count]);
2284	memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN);
2285	axp->pid_count++;
2286
2287	return 0;
2288}
2289
2290/**
2291 * __audit_log_bprm_fcaps - store information about a loading bprm and relevant fcaps
2292 * @bprm: pointer to the bprm being processed
2293 * @new: the proposed new credentials
2294 * @old: the old credentials
2295 *
2296 * Simply check if the proc already has the caps given by the file and if not
2297 * store the priv escalation info for later auditing at the end of the syscall
2298 *
2299 * -Eric
2300 */
2301int __audit_log_bprm_fcaps(struct linux_binprm *bprm,
2302			   const struct cred *new, const struct cred *old)
2303{
2304	struct audit_aux_data_bprm_fcaps *ax;
2305	struct audit_context *context = current->audit_context;
2306	struct cpu_vfs_cap_data vcaps;
2307
2308	ax = kmalloc(sizeof(*ax), GFP_KERNEL);
2309	if (!ax)
2310		return -ENOMEM;
2311
2312	ax->d.type = AUDIT_BPRM_FCAPS;
2313	ax->d.next = context->aux;
2314	context->aux = (void *)ax;
2315
2316	get_vfs_caps_from_disk(bprm->file->f_path.dentry, &vcaps);
2317
2318	ax->fcap.permitted = vcaps.permitted;
2319	ax->fcap.inheritable = vcaps.inheritable;
2320	ax->fcap.fE = !!(vcaps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE);
2321	ax->fcap_ver = (vcaps.magic_etc & VFS_CAP_REVISION_MASK) >> VFS_CAP_REVISION_SHIFT;
2322
2323	ax->old_pcap.permitted   = old->cap_permitted;
2324	ax->old_pcap.inheritable = old->cap_inheritable;
2325	ax->old_pcap.effective   = old->cap_effective;
2326
2327	ax->new_pcap.permitted   = new->cap_permitted;
2328	ax->new_pcap.inheritable = new->cap_inheritable;
2329	ax->new_pcap.effective   = new->cap_effective;
2330	return 0;
2331}
2332
2333/**
2334 * __audit_log_capset - store information about the arguments to the capset syscall
2335 * @new: the new credentials
2336 * @old: the old (current) credentials
2337 *
2338 * Record the arguments userspace sent to sys_capset for later printing by the
2339 * audit system if applicable
2340 */
2341void __audit_log_capset(const struct cred *new, const struct cred *old)
2342{
2343	struct audit_context *context = current->audit_context;
2344	context->capset.pid = task_pid_nr(current);
2345	context->capset.cap.effective   = new->cap_effective;
2346	context->capset.cap.inheritable = new->cap_effective;
2347	context->capset.cap.permitted   = new->cap_permitted;
2348	context->type = AUDIT_CAPSET;
2349}
2350
2351void __audit_mmap_fd(int fd, int flags)
2352{
2353	struct audit_context *context = current->audit_context;
2354	context->mmap.fd = fd;
2355	context->mmap.flags = flags;
2356	context->type = AUDIT_MMAP;
2357}
2358
2359static void audit_log_task(struct audit_buffer *ab)
2360{
2361	kuid_t auid, uid;
2362	kgid_t gid;
2363	unsigned int sessionid;
2364	char comm[sizeof(current->comm)];
2365
2366	auid = audit_get_loginuid(current);
2367	sessionid = audit_get_sessionid(current);
2368	current_uid_gid(&uid, &gid);
2369
2370	audit_log_format(ab, "auid=%u uid=%u gid=%u ses=%u",
2371			 from_kuid(&init_user_ns, auid),
2372			 from_kuid(&init_user_ns, uid),
2373			 from_kgid(&init_user_ns, gid),
2374			 sessionid);
2375	audit_log_task_context(ab);
2376	audit_log_format(ab, " pid=%d comm=", task_pid_nr(current));
2377	audit_log_untrustedstring(ab, get_task_comm(comm, current));
2378	audit_log_d_path_exe(ab, current->mm);
2379}
2380
2381/**
2382 * audit_core_dumps - record information about processes that end abnormally
2383 * @signr: signal value
2384 *
2385 * If a process ends with a core dump, something fishy is going on and we
2386 * should record the event for investigation.
2387 */
2388void audit_core_dumps(long signr)
2389{
2390	struct audit_buffer *ab;
2391
2392	if (!audit_enabled)
2393		return;
2394
2395	if (signr == SIGQUIT)	/* don't care for those */
2396		return;
2397
2398	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
2399	if (unlikely(!ab))
2400		return;
2401	audit_log_task(ab);
2402	audit_log_format(ab, " sig=%ld", signr);
2403	audit_log_end(ab);
2404}
2405
2406void __audit_seccomp(unsigned long syscall, long signr, int code)
2407{
2408	struct audit_buffer *ab;
2409
2410	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_SECCOMP);
2411	if (unlikely(!ab))
2412		return;
2413	audit_log_task(ab);
2414	audit_log_format(ab, " sig=%ld arch=%x syscall=%ld compat=%d ip=0x%lx code=0x%x",
2415			 signr, syscall_get_arch(), syscall,
2416			 in_compat_syscall(), KSTK_EIP(current), code);
2417	audit_log_end(ab);
2418}
2419
2420struct list_head *audit_killed_trees(void)
2421{
2422	struct audit_context *ctx = current->audit_context;
2423	if (likely(!ctx || !ctx->in_syscall))
2424		return NULL;
2425	return &ctx->killed_trees;
2426}