xref: /linux/kernel/auditsc.c (revision b8f52214c61a5b99a54168145378e91b40d10c90)
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /* auditsc.c -- System-call auditing support
3  * Handles all system-call specific auditing features.
4  *
5  * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina.
6  * Copyright 2005 Hewlett-Packard Development Company, L.P.
7  * Copyright (C) 2005, 2006 IBM Corporation
8  * All Rights Reserved.
9  *
10  * Written by Rickard E. (Rik) Faith <faith@redhat.com>
11  *
12  * Many of the ideas implemented here are from Stephen C. Tweedie,
13  * especially the idea of avoiding a copy by using getname.
14  *
15  * The method for actual interception of syscall entry and exit (not in
16  * this file -- see entry.S) is based on a GPL'd patch written by
17  * okir@suse.de and Copyright 2003 SuSE Linux AG.
18  *
19  * POSIX message queue support added by George Wilson <ltcgcw@us.ibm.com>,
20  * 2006.
21  *
22  * The support of additional filter rules compares (>, <, >=, <=) was
23  * added by Dustin Kirkland <dustin.kirkland@us.ibm.com>, 2005.
24  *
25  * Modified by Amy Griffis <amy.griffis@hp.com> to collect additional
26  * filesystem information.
27  *
28  * Subject and object context labeling support added by <danjones@us.ibm.com>
29  * and <dustin.kirkland@us.ibm.com> for LSPP certification compliance.
30  */
31 
32 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
33 
34 #include <linux/init.h>
35 #include <asm/types.h>
36 #include <linux/atomic.h>
37 #include <linux/fs.h>
38 #include <linux/namei.h>
39 #include <linux/mm.h>
40 #include <linux/export.h>
41 #include <linux/slab.h>
42 #include <linux/mount.h>
43 #include <linux/socket.h>
44 #include <linux/mqueue.h>
45 #include <linux/audit.h>
46 #include <linux/personality.h>
47 #include <linux/time.h>
48 #include <linux/netlink.h>
49 #include <linux/compiler.h>
50 #include <asm/unistd.h>
51 #include <linux/security.h>
52 #include <linux/list.h>
53 #include <linux/binfmts.h>
54 #include <linux/highmem.h>
55 #include <linux/syscalls.h>
56 #include <asm/syscall.h>
57 #include <linux/capability.h>
58 #include <linux/fs_struct.h>
59 #include <linux/compat.h>
60 #include <linux/ctype.h>
61 #include <linux/string.h>
62 #include <linux/uaccess.h>
63 #include <linux/fsnotify_backend.h>
64 #include <uapi/linux/limits.h>
65 #include <uapi/linux/netfilter/nf_tables.h>
66 #include <uapi/linux/openat2.h> // struct open_how
67 #include <uapi/linux/fanotify.h>
68 
69 #include "audit.h"
70 
71 /* flags stating the success for a syscall */
72 #define AUDITSC_INVALID 0
73 #define AUDITSC_SUCCESS 1
74 #define AUDITSC_FAILURE 2
75 
76 /* no execve audit message should be longer than this (userspace limits),
77  * see the note near the top of audit_log_execve_info() about this value */
78 #define MAX_EXECVE_AUDIT_LEN 7500
79 
80 /* max length to print of cmdline/proctitle value during audit */
81 #define MAX_PROCTITLE_AUDIT_LEN 128
82 
83 /* number of audit rules */
84 int audit_n_rules;
85 
86 /* determines whether we collect data for signals sent */
87 int audit_signals;
88 
89 struct audit_aux_data {
90 	struct audit_aux_data	*next;
91 	int			type;
92 };
93 
94 /* Number of target pids per aux struct. */
95 #define AUDIT_AUX_PIDS	16
96 
97 struct audit_aux_data_pids {
98 	struct audit_aux_data	d;
99 	pid_t			target_pid[AUDIT_AUX_PIDS];
100 	kuid_t			target_auid[AUDIT_AUX_PIDS];
101 	kuid_t			target_uid[AUDIT_AUX_PIDS];
102 	unsigned int		target_sessionid[AUDIT_AUX_PIDS];
103 	struct lsm_prop		target_ref[AUDIT_AUX_PIDS];
104 	char 			target_comm[AUDIT_AUX_PIDS][TASK_COMM_LEN];
105 	int			pid_count;
106 };
107 
108 struct audit_aux_data_bprm_fcaps {
109 	struct audit_aux_data	d;
110 	struct audit_cap_data	fcap;
111 	unsigned int		fcap_ver;
112 	struct audit_cap_data	old_pcap;
113 	struct audit_cap_data	new_pcap;
114 };
115 
116 struct audit_tree_refs {
117 	struct audit_tree_refs *next;
118 	struct audit_chunk *c[31];
119 };
120 
121 struct audit_nfcfgop_tab {
122 	enum audit_nfcfgop	op;
123 	const char		*s;
124 };
125 
126 static const struct audit_nfcfgop_tab audit_nfcfgs[] = {
127 	{ AUDIT_XT_OP_REGISTER,			"xt_register"		   },
128 	{ AUDIT_XT_OP_REPLACE,			"xt_replace"		   },
129 	{ AUDIT_XT_OP_UNREGISTER,		"xt_unregister"		   },
130 	{ AUDIT_NFT_OP_TABLE_REGISTER,		"nft_register_table"	   },
131 	{ AUDIT_NFT_OP_TABLE_UNREGISTER,	"nft_unregister_table"	   },
132 	{ AUDIT_NFT_OP_CHAIN_REGISTER,		"nft_register_chain"	   },
133 	{ AUDIT_NFT_OP_CHAIN_UNREGISTER,	"nft_unregister_chain"	   },
134 	{ AUDIT_NFT_OP_RULE_REGISTER,		"nft_register_rule"	   },
135 	{ AUDIT_NFT_OP_RULE_UNREGISTER,		"nft_unregister_rule"	   },
136 	{ AUDIT_NFT_OP_SET_REGISTER,		"nft_register_set"	   },
137 	{ AUDIT_NFT_OP_SET_UNREGISTER,		"nft_unregister_set"	   },
138 	{ AUDIT_NFT_OP_SETELEM_REGISTER,	"nft_register_setelem"	   },
139 	{ AUDIT_NFT_OP_SETELEM_UNREGISTER,	"nft_unregister_setelem"   },
140 	{ AUDIT_NFT_OP_GEN_REGISTER,		"nft_register_gen"	   },
141 	{ AUDIT_NFT_OP_OBJ_REGISTER,		"nft_register_obj"	   },
142 	{ AUDIT_NFT_OP_OBJ_UNREGISTER,		"nft_unregister_obj"	   },
143 	{ AUDIT_NFT_OP_OBJ_RESET,		"nft_reset_obj"		   },
144 	{ AUDIT_NFT_OP_FLOWTABLE_REGISTER,	"nft_register_flowtable"   },
145 	{ AUDIT_NFT_OP_FLOWTABLE_UNREGISTER,	"nft_unregister_flowtable" },
146 	{ AUDIT_NFT_OP_SETELEM_RESET,		"nft_reset_setelem"        },
147 	{ AUDIT_NFT_OP_RULE_RESET,		"nft_reset_rule"           },
148 	{ AUDIT_NFT_OP_INVALID,			"nft_invalid"		   },
149 };
150 
audit_match_perm(struct audit_context * ctx,int mask)151 static int audit_match_perm(struct audit_context *ctx, int mask)
152 {
153 	unsigned n;
154 
155 	if (unlikely(!ctx))
156 		return 0;
157 	n = ctx->major;
158 
159 	switch (audit_classify_syscall(ctx->arch, n)) {
160 	case AUDITSC_NATIVE:
161 		if ((mask & AUDIT_PERM_WRITE) &&
162 		     audit_match_class(AUDIT_CLASS_WRITE, n))
163 			return 1;
164 		if ((mask & AUDIT_PERM_READ) &&
165 		     audit_match_class(AUDIT_CLASS_READ, n))
166 			return 1;
167 		if ((mask & AUDIT_PERM_ATTR) &&
168 		     audit_match_class(AUDIT_CLASS_CHATTR, n))
169 			return 1;
170 		return 0;
171 	case AUDITSC_COMPAT: /* 32bit on biarch */
172 		if ((mask & AUDIT_PERM_WRITE) &&
173 		     audit_match_class(AUDIT_CLASS_WRITE_32, n))
174 			return 1;
175 		if ((mask & AUDIT_PERM_READ) &&
176 		     audit_match_class(AUDIT_CLASS_READ_32, n))
177 			return 1;
178 		if ((mask & AUDIT_PERM_ATTR) &&
179 		     audit_match_class(AUDIT_CLASS_CHATTR_32, n))
180 			return 1;
181 		return 0;
182 	case AUDITSC_OPEN:
183 		return mask & ACC_MODE(ctx->argv[1]);
184 	case AUDITSC_OPENAT:
185 		return mask & ACC_MODE(ctx->argv[2]);
186 	case AUDITSC_SOCKETCALL:
187 		return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND);
188 	case AUDITSC_EXECVE:
189 		return mask & AUDIT_PERM_EXEC;
190 	case AUDITSC_OPENAT2:
191 		return mask & ACC_MODE((u32)ctx->openat2.flags);
192 	default:
193 		return 0;
194 	}
195 }
196 
audit_match_filetype(struct audit_context * ctx,int val)197 static int audit_match_filetype(struct audit_context *ctx, int val)
198 {
199 	struct audit_names *n;
200 	umode_t mode = (umode_t)val;
201 
202 	if (unlikely(!ctx))
203 		return 0;
204 
205 	list_for_each_entry(n, &ctx->names_list, list) {
206 		if ((n->ino != AUDIT_INO_UNSET) &&
207 		    ((n->mode & S_IFMT) == mode))
208 			return 1;
209 	}
210 
211 	return 0;
212 }
213 
214 /*
215  * We keep a linked list of fixed-sized (31 pointer) arrays of audit_chunk *;
216  * ->first_trees points to its beginning, ->trees - to the current end of data.
217  * ->tree_count is the number of free entries in array pointed to by ->trees.
218  * Original condition is (NULL, NULL, 0); as soon as it grows we never revert to NULL,
219  * "empty" becomes (p, p, 31) afterwards.  We don't shrink the list (and seriously,
220  * it's going to remain 1-element for almost any setup) until we free context itself.
221  * References in it _are_ dropped - at the same time we free/drop aux stuff.
222  */
223 
audit_set_auditable(struct audit_context * ctx)224 static void audit_set_auditable(struct audit_context *ctx)
225 {
226 	if (!ctx->prio) {
227 		ctx->prio = 1;
228 		ctx->current_state = AUDIT_STATE_RECORD;
229 	}
230 }
231 
put_tree_ref(struct audit_context * ctx,struct audit_chunk * chunk)232 static int put_tree_ref(struct audit_context *ctx, struct audit_chunk *chunk)
233 {
234 	struct audit_tree_refs *p = ctx->trees;
235 	int left = ctx->tree_count;
236 
237 	if (likely(left)) {
238 		p->c[--left] = chunk;
239 		ctx->tree_count = left;
240 		return 1;
241 	}
242 	if (!p)
243 		return 0;
244 	p = p->next;
245 	if (p) {
246 		p->c[30] = chunk;
247 		ctx->trees = p;
248 		ctx->tree_count = 30;
249 		return 1;
250 	}
251 	return 0;
252 }
253 
grow_tree_refs(struct audit_context * ctx)254 static int grow_tree_refs(struct audit_context *ctx)
255 {
256 	struct audit_tree_refs *p = ctx->trees;
257 
258 	ctx->trees = kzalloc(sizeof(struct audit_tree_refs), GFP_KERNEL);
259 	if (!ctx->trees) {
260 		ctx->trees = p;
261 		return 0;
262 	}
263 	if (p)
264 		p->next = ctx->trees;
265 	else
266 		ctx->first_trees = ctx->trees;
267 	ctx->tree_count = 31;
268 	return 1;
269 }
270 
unroll_tree_refs(struct audit_context * ctx,struct audit_tree_refs * p,int count)271 static void unroll_tree_refs(struct audit_context *ctx,
272 		      struct audit_tree_refs *p, int count)
273 {
274 	struct audit_tree_refs *q;
275 	int n;
276 
277 	if (!p) {
278 		/* we started with empty chain */
279 		p = ctx->first_trees;
280 		count = 31;
281 		/* if the very first allocation has failed, nothing to do */
282 		if (!p)
283 			return;
284 	}
285 	n = count;
286 	for (q = p; q != ctx->trees; q = q->next, n = 31) {
287 		while (n--) {
288 			audit_put_chunk(q->c[n]);
289 			q->c[n] = NULL;
290 		}
291 	}
292 	while (n-- > ctx->tree_count) {
293 		audit_put_chunk(q->c[n]);
294 		q->c[n] = NULL;
295 	}
296 	ctx->trees = p;
297 	ctx->tree_count = count;
298 }
299 
free_tree_refs(struct audit_context * ctx)300 static void free_tree_refs(struct audit_context *ctx)
301 {
302 	struct audit_tree_refs *p, *q;
303 
304 	for (p = ctx->first_trees; p; p = q) {
305 		q = p->next;
306 		kfree(p);
307 	}
308 }
309 
match_tree_refs(struct audit_context * ctx,struct audit_tree * tree)310 static int match_tree_refs(struct audit_context *ctx, struct audit_tree *tree)
311 {
312 	struct audit_tree_refs *p;
313 	int n;
314 
315 	if (!tree)
316 		return 0;
317 	/* full ones */
318 	for (p = ctx->first_trees; p != ctx->trees; p = p->next) {
319 		for (n = 0; n < 31; n++)
320 			if (audit_tree_match(p->c[n], tree))
321 				return 1;
322 	}
323 	/* partial */
324 	if (p) {
325 		for (n = ctx->tree_count; n < 31; n++)
326 			if (audit_tree_match(p->c[n], tree))
327 				return 1;
328 	}
329 	return 0;
330 }
331 
audit_compare_uid(kuid_t uid,struct audit_names * name,struct audit_field * f,struct audit_context * ctx)332 static int audit_compare_uid(kuid_t uid,
333 			     struct audit_names *name,
334 			     struct audit_field *f,
335 			     struct audit_context *ctx)
336 {
337 	struct audit_names *n;
338 	int rc;
339 
340 	if (name) {
341 		rc = audit_uid_comparator(uid, f->op, name->uid);
342 		if (rc)
343 			return rc;
344 	}
345 
346 	if (ctx) {
347 		list_for_each_entry(n, &ctx->names_list, list) {
348 			rc = audit_uid_comparator(uid, f->op, n->uid);
349 			if (rc)
350 				return rc;
351 		}
352 	}
353 	return 0;
354 }
355 
audit_compare_gid(kgid_t gid,struct audit_names * name,struct audit_field * f,struct audit_context * ctx)356 static int audit_compare_gid(kgid_t gid,
357 			     struct audit_names *name,
358 			     struct audit_field *f,
359 			     struct audit_context *ctx)
360 {
361 	struct audit_names *n;
362 	int rc;
363 
364 	if (name) {
365 		rc = audit_gid_comparator(gid, f->op, name->gid);
366 		if (rc)
367 			return rc;
368 	}
369 
370 	if (ctx) {
371 		list_for_each_entry(n, &ctx->names_list, list) {
372 			rc = audit_gid_comparator(gid, f->op, n->gid);
373 			if (rc)
374 				return rc;
375 		}
376 	}
377 	return 0;
378 }
379 
audit_field_compare(struct task_struct * tsk,const struct cred * cred,struct audit_field * f,struct audit_context * ctx,struct audit_names * name)380 static int audit_field_compare(struct task_struct *tsk,
381 			       const struct cred *cred,
382 			       struct audit_field *f,
383 			       struct audit_context *ctx,
384 			       struct audit_names *name)
385 {
386 	switch (f->val) {
387 	/* process to file object comparisons */
388 	case AUDIT_COMPARE_UID_TO_OBJ_UID:
389 		return audit_compare_uid(cred->uid, name, f, ctx);
390 	case AUDIT_COMPARE_GID_TO_OBJ_GID:
391 		return audit_compare_gid(cred->gid, name, f, ctx);
392 	case AUDIT_COMPARE_EUID_TO_OBJ_UID:
393 		return audit_compare_uid(cred->euid, name, f, ctx);
394 	case AUDIT_COMPARE_EGID_TO_OBJ_GID:
395 		return audit_compare_gid(cred->egid, name, f, ctx);
396 	case AUDIT_COMPARE_AUID_TO_OBJ_UID:
397 		return audit_compare_uid(audit_get_loginuid(tsk), name, f, ctx);
398 	case AUDIT_COMPARE_SUID_TO_OBJ_UID:
399 		return audit_compare_uid(cred->suid, name, f, ctx);
400 	case AUDIT_COMPARE_SGID_TO_OBJ_GID:
401 		return audit_compare_gid(cred->sgid, name, f, ctx);
402 	case AUDIT_COMPARE_FSUID_TO_OBJ_UID:
403 		return audit_compare_uid(cred->fsuid, name, f, ctx);
404 	case AUDIT_COMPARE_FSGID_TO_OBJ_GID:
405 		return audit_compare_gid(cred->fsgid, name, f, ctx);
406 	/* uid comparisons */
407 	case AUDIT_COMPARE_UID_TO_AUID:
408 		return audit_uid_comparator(cred->uid, f->op,
409 					    audit_get_loginuid(tsk));
410 	case AUDIT_COMPARE_UID_TO_EUID:
411 		return audit_uid_comparator(cred->uid, f->op, cred->euid);
412 	case AUDIT_COMPARE_UID_TO_SUID:
413 		return audit_uid_comparator(cred->uid, f->op, cred->suid);
414 	case AUDIT_COMPARE_UID_TO_FSUID:
415 		return audit_uid_comparator(cred->uid, f->op, cred->fsuid);
416 	/* auid comparisons */
417 	case AUDIT_COMPARE_AUID_TO_EUID:
418 		return audit_uid_comparator(audit_get_loginuid(tsk), f->op,
419 					    cred->euid);
420 	case AUDIT_COMPARE_AUID_TO_SUID:
421 		return audit_uid_comparator(audit_get_loginuid(tsk), f->op,
422 					    cred->suid);
423 	case AUDIT_COMPARE_AUID_TO_FSUID:
424 		return audit_uid_comparator(audit_get_loginuid(tsk), f->op,
425 					    cred->fsuid);
426 	/* euid comparisons */
427 	case AUDIT_COMPARE_EUID_TO_SUID:
428 		return audit_uid_comparator(cred->euid, f->op, cred->suid);
429 	case AUDIT_COMPARE_EUID_TO_FSUID:
430 		return audit_uid_comparator(cred->euid, f->op, cred->fsuid);
431 	/* suid comparisons */
432 	case AUDIT_COMPARE_SUID_TO_FSUID:
433 		return audit_uid_comparator(cred->suid, f->op, cred->fsuid);
434 	/* gid comparisons */
435 	case AUDIT_COMPARE_GID_TO_EGID:
436 		return audit_gid_comparator(cred->gid, f->op, cred->egid);
437 	case AUDIT_COMPARE_GID_TO_SGID:
438 		return audit_gid_comparator(cred->gid, f->op, cred->sgid);
439 	case AUDIT_COMPARE_GID_TO_FSGID:
440 		return audit_gid_comparator(cred->gid, f->op, cred->fsgid);
441 	/* egid comparisons */
442 	case AUDIT_COMPARE_EGID_TO_SGID:
443 		return audit_gid_comparator(cred->egid, f->op, cred->sgid);
444 	case AUDIT_COMPARE_EGID_TO_FSGID:
445 		return audit_gid_comparator(cred->egid, f->op, cred->fsgid);
446 	/* sgid comparison */
447 	case AUDIT_COMPARE_SGID_TO_FSGID:
448 		return audit_gid_comparator(cred->sgid, f->op, cred->fsgid);
449 	default:
450 		WARN(1, "Missing AUDIT_COMPARE define.  Report as a bug\n");
451 		return 0;
452 	}
453 	return 0;
454 }
455 
456 /* Determine if any context name data matches a rule's watch data */
457 /* Compare a task_struct with an audit_rule.  Return 1 on match, 0
458  * otherwise.
459  *
460  * If task_creation is true, this is an explicit indication that we are
461  * filtering a task rule at task creation time.  This and tsk == current are
462  * the only situations where tsk->cred may be accessed without an rcu read lock.
463  */
audit_filter_rules(struct task_struct * tsk,struct audit_krule * rule,struct audit_context * ctx,struct audit_names * name,enum audit_state * state,bool task_creation)464 static int audit_filter_rules(struct task_struct *tsk,
465 			      struct audit_krule *rule,
466 			      struct audit_context *ctx,
467 			      struct audit_names *name,
468 			      enum audit_state *state,
469 			      bool task_creation)
470 {
471 	const struct cred *cred;
472 	int i, need_sid = 1;
473 	struct lsm_prop prop = { };
474 	unsigned int sessionid;
475 
476 	if (ctx && rule->prio <= ctx->prio)
477 		return 0;
478 
479 	cred = rcu_dereference_check(tsk->cred, tsk == current || task_creation);
480 
481 	for (i = 0; i < rule->field_count; i++) {
482 		struct audit_field *f = &rule->fields[i];
483 		struct audit_names *n;
484 		int result = 0;
485 		pid_t pid;
486 
487 		switch (f->type) {
488 		case AUDIT_PID:
489 			pid = task_tgid_nr(tsk);
490 			result = audit_comparator(pid, f->op, f->val);
491 			break;
492 		case AUDIT_PPID:
493 			if (ctx) {
494 				if (!ctx->ppid)
495 					ctx->ppid = task_ppid_nr(tsk);
496 				result = audit_comparator(ctx->ppid, f->op, f->val);
497 			}
498 			break;
499 		case AUDIT_EXE:
500 			result = audit_exe_compare(tsk, rule->exe);
501 			if (f->op == Audit_not_equal)
502 				result = !result;
503 			break;
504 		case AUDIT_UID:
505 			result = audit_uid_comparator(cred->uid, f->op, f->uid);
506 			break;
507 		case AUDIT_EUID:
508 			result = audit_uid_comparator(cred->euid, f->op, f->uid);
509 			break;
510 		case AUDIT_SUID:
511 			result = audit_uid_comparator(cred->suid, f->op, f->uid);
512 			break;
513 		case AUDIT_FSUID:
514 			result = audit_uid_comparator(cred->fsuid, f->op, f->uid);
515 			break;
516 		case AUDIT_GID:
517 			result = audit_gid_comparator(cred->gid, f->op, f->gid);
518 			if (f->op == Audit_equal) {
519 				if (!result)
520 					result = groups_search(cred->group_info, f->gid);
521 			} else if (f->op == Audit_not_equal) {
522 				if (result)
523 					result = !groups_search(cred->group_info, f->gid);
524 			}
525 			break;
526 		case AUDIT_EGID:
527 			result = audit_gid_comparator(cred->egid, f->op, f->gid);
528 			if (f->op == Audit_equal) {
529 				if (!result)
530 					result = groups_search(cred->group_info, f->gid);
531 			} else if (f->op == Audit_not_equal) {
532 				if (result)
533 					result = !groups_search(cred->group_info, f->gid);
534 			}
535 			break;
536 		case AUDIT_SGID:
537 			result = audit_gid_comparator(cred->sgid, f->op, f->gid);
538 			break;
539 		case AUDIT_FSGID:
540 			result = audit_gid_comparator(cred->fsgid, f->op, f->gid);
541 			break;
542 		case AUDIT_SESSIONID:
543 			sessionid = audit_get_sessionid(tsk);
544 			result = audit_comparator(sessionid, f->op, f->val);
545 			break;
546 		case AUDIT_PERS:
547 			result = audit_comparator(tsk->personality, f->op, f->val);
548 			break;
549 		case AUDIT_ARCH:
550 			if (ctx)
551 				result = audit_comparator(ctx->arch, f->op, f->val);
552 			break;
553 
554 		case AUDIT_EXIT:
555 			if (ctx && ctx->return_valid != AUDITSC_INVALID)
556 				result = audit_comparator(ctx->return_code, f->op, f->val);
557 			break;
558 		case AUDIT_SUCCESS:
559 			if (ctx && ctx->return_valid != AUDITSC_INVALID) {
560 				if (f->val)
561 					result = audit_comparator(ctx->return_valid, f->op, AUDITSC_SUCCESS);
562 				else
563 					result = audit_comparator(ctx->return_valid, f->op, AUDITSC_FAILURE);
564 			}
565 			break;
566 		case AUDIT_DEVMAJOR:
567 			if (name) {
568 				if (audit_comparator(MAJOR(name->dev), f->op, f->val) ||
569 				    audit_comparator(MAJOR(name->rdev), f->op, f->val))
570 					++result;
571 			} else if (ctx) {
572 				list_for_each_entry(n, &ctx->names_list, list) {
573 					if (audit_comparator(MAJOR(n->dev), f->op, f->val) ||
574 					    audit_comparator(MAJOR(n->rdev), f->op, f->val)) {
575 						++result;
576 						break;
577 					}
578 				}
579 			}
580 			break;
581 		case AUDIT_DEVMINOR:
582 			if (name) {
583 				if (audit_comparator(MINOR(name->dev), f->op, f->val) ||
584 				    audit_comparator(MINOR(name->rdev), f->op, f->val))
585 					++result;
586 			} else if (ctx) {
587 				list_for_each_entry(n, &ctx->names_list, list) {
588 					if (audit_comparator(MINOR(n->dev), f->op, f->val) ||
589 					    audit_comparator(MINOR(n->rdev), f->op, f->val)) {
590 						++result;
591 						break;
592 					}
593 				}
594 			}
595 			break;
596 		case AUDIT_INODE:
597 			if (name)
598 				result = audit_comparator(name->ino, f->op, f->val);
599 			else if (ctx) {
600 				list_for_each_entry(n, &ctx->names_list, list) {
601 					if (audit_comparator(n->ino, f->op, f->val)) {
602 						++result;
603 						break;
604 					}
605 				}
606 			}
607 			break;
608 		case AUDIT_OBJ_UID:
609 			if (name) {
610 				result = audit_uid_comparator(name->uid, f->op, f->uid);
611 			} else if (ctx) {
612 				list_for_each_entry(n, &ctx->names_list, list) {
613 					if (audit_uid_comparator(n->uid, f->op, f->uid)) {
614 						++result;
615 						break;
616 					}
617 				}
618 			}
619 			break;
620 		case AUDIT_OBJ_GID:
621 			if (name) {
622 				result = audit_gid_comparator(name->gid, f->op, f->gid);
623 			} else if (ctx) {
624 				list_for_each_entry(n, &ctx->names_list, list) {
625 					if (audit_gid_comparator(n->gid, f->op, f->gid)) {
626 						++result;
627 						break;
628 					}
629 				}
630 			}
631 			break;
632 		case AUDIT_WATCH:
633 			if (name) {
634 				result = audit_watch_compare(rule->watch,
635 							     name->ino,
636 							     name->dev);
637 				if (f->op == Audit_not_equal)
638 					result = !result;
639 			}
640 			break;
641 		case AUDIT_DIR:
642 			if (ctx) {
643 				result = match_tree_refs(ctx, rule->tree);
644 				if (f->op == Audit_not_equal)
645 					result = !result;
646 			}
647 			break;
648 		case AUDIT_LOGINUID:
649 			result = audit_uid_comparator(audit_get_loginuid(tsk),
650 						      f->op, f->uid);
651 			break;
652 		case AUDIT_LOGINUID_SET:
653 			result = audit_comparator(audit_loginuid_set(tsk), f->op, f->val);
654 			break;
655 		case AUDIT_SADDR_FAM:
656 			if (ctx && ctx->sockaddr)
657 				result = audit_comparator(ctx->sockaddr->ss_family,
658 							  f->op, f->val);
659 			break;
660 		case AUDIT_SUBJ_USER:
661 		case AUDIT_SUBJ_ROLE:
662 		case AUDIT_SUBJ_TYPE:
663 		case AUDIT_SUBJ_SEN:
664 		case AUDIT_SUBJ_CLR:
665 			/* NOTE: this may return negative values indicating
666 			   a temporary error.  We simply treat this as a
667 			   match for now to avoid losing information that
668 			   may be wanted.   An error message will also be
669 			   logged upon error */
670 			if (f->lsm_rule) {
671 				if (need_sid) {
672 					/* @tsk should always be equal to
673 					 * @current with the exception of
674 					 * fork()/copy_process() in which case
675 					 * the new @tsk creds are still a dup
676 					 * of @current's creds so we can still
677 					 * use
678 					 * security_current_getlsmprop_subj()
679 					 * here even though it always refs
680 					 * @current's creds
681 					 */
682 					security_current_getlsmprop_subj(&prop);
683 					need_sid = 0;
684 				}
685 				result = security_audit_rule_match(&prop,
686 								   f->type,
687 								   f->op,
688 								   f->lsm_rule);
689 			}
690 			break;
691 		case AUDIT_OBJ_USER:
692 		case AUDIT_OBJ_ROLE:
693 		case AUDIT_OBJ_TYPE:
694 		case AUDIT_OBJ_LEV_LOW:
695 		case AUDIT_OBJ_LEV_HIGH:
696 			/* The above note for AUDIT_SUBJ_USER...AUDIT_SUBJ_CLR
697 			   also applies here */
698 			if (f->lsm_rule) {
699 				/* Find files that match */
700 				if (name) {
701 					result = security_audit_rule_match(
702 								&name->oprop,
703 								f->type,
704 								f->op,
705 								f->lsm_rule);
706 				} else if (ctx) {
707 					list_for_each_entry(n, &ctx->names_list, list) {
708 						if (security_audit_rule_match(
709 								&n->oprop,
710 								f->type,
711 								f->op,
712 								f->lsm_rule)) {
713 							++result;
714 							break;
715 						}
716 					}
717 				}
718 				/* Find ipc objects that match */
719 				if (!ctx || ctx->type != AUDIT_IPC)
720 					break;
721 				if (security_audit_rule_match(&ctx->ipc.oprop,
722 							      f->type, f->op,
723 							      f->lsm_rule))
724 					++result;
725 			}
726 			break;
727 		case AUDIT_ARG0:
728 		case AUDIT_ARG1:
729 		case AUDIT_ARG2:
730 		case AUDIT_ARG3:
731 			if (ctx)
732 				result = audit_comparator(ctx->argv[f->type-AUDIT_ARG0], f->op, f->val);
733 			break;
734 		case AUDIT_FILTERKEY:
735 			/* ignore this field for filtering */
736 			result = 1;
737 			break;
738 		case AUDIT_PERM:
739 			result = audit_match_perm(ctx, f->val);
740 			if (f->op == Audit_not_equal)
741 				result = !result;
742 			break;
743 		case AUDIT_FILETYPE:
744 			result = audit_match_filetype(ctx, f->val);
745 			if (f->op == Audit_not_equal)
746 				result = !result;
747 			break;
748 		case AUDIT_FIELD_COMPARE:
749 			result = audit_field_compare(tsk, cred, f, ctx, name);
750 			break;
751 		}
752 		if (!result)
753 			return 0;
754 	}
755 
756 	if (ctx) {
757 		if (rule->filterkey) {
758 			kfree(ctx->filterkey);
759 			ctx->filterkey = kstrdup(rule->filterkey, GFP_ATOMIC);
760 		}
761 		ctx->prio = rule->prio;
762 	}
763 	switch (rule->action) {
764 	case AUDIT_NEVER:
765 		*state = AUDIT_STATE_DISABLED;
766 		break;
767 	case AUDIT_ALWAYS:
768 		*state = AUDIT_STATE_RECORD;
769 		break;
770 	}
771 	return 1;
772 }
773 
774 /* At process creation time, we can determine if system-call auditing is
775  * completely disabled for this task.  Since we only have the task
776  * structure at this point, we can only check uid and gid.
777  */
audit_filter_task(struct task_struct * tsk,char ** key)778 static enum audit_state audit_filter_task(struct task_struct *tsk, char **key)
779 {
780 	struct audit_entry *e;
781 	enum audit_state   state;
782 
783 	rcu_read_lock();
784 	list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TASK], list) {
785 		if (audit_filter_rules(tsk, &e->rule, NULL, NULL,
786 				       &state, true)) {
787 			if (state == AUDIT_STATE_RECORD)
788 				*key = kstrdup(e->rule.filterkey, GFP_ATOMIC);
789 			rcu_read_unlock();
790 			return state;
791 		}
792 	}
793 	rcu_read_unlock();
794 	return AUDIT_STATE_BUILD;
795 }
796 
audit_in_mask(const struct audit_krule * rule,unsigned long val)797 static int audit_in_mask(const struct audit_krule *rule, unsigned long val)
798 {
799 	int word, bit;
800 
801 	if (val > 0xffffffff)
802 		return false;
803 
804 	word = AUDIT_WORD(val);
805 	if (word >= AUDIT_BITMASK_SIZE)
806 		return false;
807 
808 	bit = AUDIT_BIT(val);
809 
810 	return rule->mask[word] & bit;
811 }
812 
813 /**
814  * __audit_filter_op - common filter helper for operations (syscall/uring/etc)
815  * @tsk: associated task
816  * @ctx: audit context
817  * @list: audit filter list
818  * @name: audit_name (can be NULL)
819  * @op: current syscall/uring_op
820  *
821  * Run the udit filters specified in @list against @tsk using @ctx,
822  * @name, and @op, as necessary; the caller is responsible for ensuring
823  * that the call is made while the RCU read lock is held. The @name
824  * parameter can be NULL, but all others must be specified.
825  * Returns 1/true if the filter finds a match, 0/false if none are found.
826  */
__audit_filter_op(struct task_struct * tsk,struct audit_context * ctx,struct list_head * list,struct audit_names * name,unsigned long op)827 static int __audit_filter_op(struct task_struct *tsk,
828 			   struct audit_context *ctx,
829 			   struct list_head *list,
830 			   struct audit_names *name,
831 			   unsigned long op)
832 {
833 	struct audit_entry *e;
834 	enum audit_state state;
835 
836 	list_for_each_entry_rcu(e, list, list) {
837 		if (audit_in_mask(&e->rule, op) &&
838 		    audit_filter_rules(tsk, &e->rule, ctx, name,
839 				       &state, false)) {
840 			ctx->current_state = state;
841 			return 1;
842 		}
843 	}
844 	return 0;
845 }
846 
847 /**
848  * audit_filter_uring - apply filters to an io_uring operation
849  * @tsk: associated task
850  * @ctx: audit context
851  */
audit_filter_uring(struct task_struct * tsk,struct audit_context * ctx)852 static void audit_filter_uring(struct task_struct *tsk,
853 			       struct audit_context *ctx)
854 {
855 	if (auditd_test_task(tsk))
856 		return;
857 
858 	rcu_read_lock();
859 	__audit_filter_op(tsk, ctx, &audit_filter_list[AUDIT_FILTER_URING_EXIT],
860 			NULL, ctx->uring_op);
861 	rcu_read_unlock();
862 }
863 
864 /* At syscall exit time, this filter is called if the audit_state is
865  * not low enough that auditing cannot take place, but is also not
866  * high enough that we already know we have to write an audit record
867  * (i.e., the state is AUDIT_STATE_BUILD).
868  */
audit_filter_syscall(struct task_struct * tsk,struct audit_context * ctx)869 static void audit_filter_syscall(struct task_struct *tsk,
870 				 struct audit_context *ctx)
871 {
872 	if (auditd_test_task(tsk))
873 		return;
874 
875 	rcu_read_lock();
876 	__audit_filter_op(tsk, ctx, &audit_filter_list[AUDIT_FILTER_EXIT],
877 			NULL, ctx->major);
878 	rcu_read_unlock();
879 }
880 
881 /*
882  * Given an audit_name check the inode hash table to see if they match.
883  * Called holding the rcu read lock to protect the use of audit_inode_hash
884  */
audit_filter_inode_name(struct task_struct * tsk,struct audit_names * n,struct audit_context * ctx)885 static int audit_filter_inode_name(struct task_struct *tsk,
886 				   struct audit_names *n,
887 				   struct audit_context *ctx)
888 {
889 	int h = audit_hash_ino((u32)n->ino);
890 	struct list_head *list = &audit_inode_hash[h];
891 
892 	return __audit_filter_op(tsk, ctx, list, n, ctx->major);
893 }
894 
895 /* At syscall exit time, this filter is called if any audit_names have been
896  * collected during syscall processing.  We only check rules in sublists at hash
897  * buckets applicable to the inode numbers in audit_names.
898  * Regarding audit_state, same rules apply as for audit_filter_syscall().
899  */
audit_filter_inodes(struct task_struct * tsk,struct audit_context * ctx)900 void audit_filter_inodes(struct task_struct *tsk, struct audit_context *ctx)
901 {
902 	struct audit_names *n;
903 
904 	if (auditd_test_task(tsk))
905 		return;
906 
907 	rcu_read_lock();
908 
909 	list_for_each_entry(n, &ctx->names_list, list) {
910 		if (audit_filter_inode_name(tsk, n, ctx))
911 			break;
912 	}
913 	rcu_read_unlock();
914 }
915 
audit_proctitle_free(struct audit_context * context)916 static inline void audit_proctitle_free(struct audit_context *context)
917 {
918 	kfree(context->proctitle.value);
919 	context->proctitle.value = NULL;
920 	context->proctitle.len = 0;
921 }
922 
audit_free_module(struct audit_context * context)923 static inline void audit_free_module(struct audit_context *context)
924 {
925 	if (context->type == AUDIT_KERN_MODULE) {
926 		kfree(context->module.name);
927 		context->module.name = NULL;
928 	}
929 }
audit_free_names(struct audit_context * context)930 static inline void audit_free_names(struct audit_context *context)
931 {
932 	struct audit_names *n, *next;
933 
934 	list_for_each_entry_safe(n, next, &context->names_list, list) {
935 		list_del(&n->list);
936 		if (n->name)
937 			putname(n->name);
938 		if (n->should_free)
939 			kfree(n);
940 	}
941 	context->name_count = 0;
942 	path_put(&context->pwd);
943 	context->pwd.dentry = NULL;
944 	context->pwd.mnt = NULL;
945 }
946 
audit_free_aux(struct audit_context * context)947 static inline void audit_free_aux(struct audit_context *context)
948 {
949 	struct audit_aux_data *aux;
950 
951 	while ((aux = context->aux)) {
952 		context->aux = aux->next;
953 		kfree(aux);
954 	}
955 	context->aux = NULL;
956 	while ((aux = context->aux_pids)) {
957 		context->aux_pids = aux->next;
958 		kfree(aux);
959 	}
960 	context->aux_pids = NULL;
961 }
962 
963 /**
964  * audit_reset_context - reset a audit_context structure
965  * @ctx: the audit_context to reset
966  *
967  * All fields in the audit_context will be reset to an initial state, all
968  * references held by fields will be dropped, and private memory will be
969  * released.  When this function returns the audit_context will be suitable
970  * for reuse, so long as the passed context is not NULL or a dummy context.
971  */
audit_reset_context(struct audit_context * ctx)972 static void audit_reset_context(struct audit_context *ctx)
973 {
974 	if (!ctx)
975 		return;
976 
977 	/* if ctx is non-null, reset the "ctx->context" regardless */
978 	ctx->context = AUDIT_CTX_UNUSED;
979 	if (ctx->dummy)
980 		return;
981 
982 	/*
983 	 * NOTE: It shouldn't matter in what order we release the fields, so
984 	 *       release them in the order in which they appear in the struct;
985 	 *       this gives us some hope of quickly making sure we are
986 	 *       resetting the audit_context properly.
987 	 *
988 	 *       Other things worth mentioning:
989 	 *       - we don't reset "dummy"
990 	 *       - we don't reset "state", we do reset "current_state"
991 	 *       - we preserve "filterkey" if "state" is AUDIT_STATE_RECORD
992 	 *       - much of this is likely overkill, but play it safe for now
993 	 *       - we really need to work on improving the audit_context struct
994 	 */
995 
996 	ctx->current_state = ctx->state;
997 	ctx->serial = 0;
998 	ctx->major = 0;
999 	ctx->uring_op = 0;
1000 	ctx->ctime = (struct timespec64){ .tv_sec = 0, .tv_nsec = 0 };
1001 	memset(ctx->argv, 0, sizeof(ctx->argv));
1002 	ctx->return_code = 0;
1003 	ctx->prio = (ctx->state == AUDIT_STATE_RECORD ? ~0ULL : 0);
1004 	ctx->return_valid = AUDITSC_INVALID;
1005 	audit_free_names(ctx);
1006 	if (ctx->state != AUDIT_STATE_RECORD) {
1007 		kfree(ctx->filterkey);
1008 		ctx->filterkey = NULL;
1009 	}
1010 	audit_free_aux(ctx);
1011 	kfree(ctx->sockaddr);
1012 	ctx->sockaddr = NULL;
1013 	ctx->sockaddr_len = 0;
1014 	ctx->ppid = 0;
1015 	ctx->uid = ctx->euid = ctx->suid = ctx->fsuid = KUIDT_INIT(0);
1016 	ctx->gid = ctx->egid = ctx->sgid = ctx->fsgid = KGIDT_INIT(0);
1017 	ctx->personality = 0;
1018 	ctx->arch = 0;
1019 	ctx->target_pid = 0;
1020 	ctx->target_auid = ctx->target_uid = KUIDT_INIT(0);
1021 	ctx->target_sessionid = 0;
1022 	lsmprop_init(&ctx->target_ref);
1023 	ctx->target_comm[0] = '\0';
1024 	unroll_tree_refs(ctx, NULL, 0);
1025 	WARN_ON(!list_empty(&ctx->killed_trees));
1026 	audit_free_module(ctx);
1027 	ctx->fds[0] = -1;
1028 	ctx->type = 0; /* reset last for audit_free_*() */
1029 }
1030 
audit_alloc_context(enum audit_state state)1031 static inline struct audit_context *audit_alloc_context(enum audit_state state)
1032 {
1033 	struct audit_context *context;
1034 
1035 	context = kzalloc(sizeof(*context), GFP_KERNEL);
1036 	if (!context)
1037 		return NULL;
1038 	context->context = AUDIT_CTX_UNUSED;
1039 	context->state = state;
1040 	context->prio = state == AUDIT_STATE_RECORD ? ~0ULL : 0;
1041 	INIT_LIST_HEAD(&context->killed_trees);
1042 	INIT_LIST_HEAD(&context->names_list);
1043 	context->fds[0] = -1;
1044 	context->return_valid = AUDITSC_INVALID;
1045 	return context;
1046 }
1047 
1048 /**
1049  * audit_alloc - allocate an audit context block for a task
1050  * @tsk: task
1051  *
1052  * Filter on the task information and allocate a per-task audit context
1053  * if necessary.  Doing so turns on system call auditing for the
1054  * specified task.  This is called from copy_process, so no lock is
1055  * needed.
1056  */
audit_alloc(struct task_struct * tsk)1057 int audit_alloc(struct task_struct *tsk)
1058 {
1059 	struct audit_context *context;
1060 	enum audit_state     state;
1061 	char *key = NULL;
1062 
1063 	if (likely(!audit_ever_enabled))
1064 		return 0;
1065 
1066 	state = audit_filter_task(tsk, &key);
1067 	if (state == AUDIT_STATE_DISABLED) {
1068 		clear_task_syscall_work(tsk, SYSCALL_AUDIT);
1069 		return 0;
1070 	}
1071 
1072 	context = audit_alloc_context(state);
1073 	if (!context) {
1074 		kfree(key);
1075 		audit_log_lost("out of memory in audit_alloc");
1076 		return -ENOMEM;
1077 	}
1078 	context->filterkey = key;
1079 
1080 	audit_set_context(tsk, context);
1081 	set_task_syscall_work(tsk, SYSCALL_AUDIT);
1082 	return 0;
1083 }
1084 
audit_free_context(struct audit_context * context)1085 static inline void audit_free_context(struct audit_context *context)
1086 {
1087 	/* resetting is extra work, but it is likely just noise */
1088 	audit_reset_context(context);
1089 	audit_proctitle_free(context);
1090 	free_tree_refs(context);
1091 	kfree(context->filterkey);
1092 	kfree(context);
1093 }
1094 
audit_log_pid_context(struct audit_context * context,pid_t pid,kuid_t auid,kuid_t uid,unsigned int sessionid,struct lsm_prop * prop,char * comm)1095 static int audit_log_pid_context(struct audit_context *context, pid_t pid,
1096 				 kuid_t auid, kuid_t uid,
1097 				 unsigned int sessionid, struct lsm_prop *prop,
1098 				 char *comm)
1099 {
1100 	struct audit_buffer *ab;
1101 	char *ctx = NULL;
1102 	u32 len;
1103 	int rc = 0;
1104 
1105 	ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID);
1106 	if (!ab)
1107 		return rc;
1108 
1109 	audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid,
1110 			 from_kuid(&init_user_ns, auid),
1111 			 from_kuid(&init_user_ns, uid), sessionid);
1112 	if (lsmprop_is_set(prop)) {
1113 		if (security_lsmprop_to_secctx(prop, &ctx, &len)) {
1114 			audit_log_format(ab, " obj=(none)");
1115 			rc = 1;
1116 		} else {
1117 			audit_log_format(ab, " obj=%s", ctx);
1118 			security_release_secctx(ctx, len);
1119 		}
1120 	}
1121 	audit_log_format(ab, " ocomm=");
1122 	audit_log_untrustedstring(ab, comm);
1123 	audit_log_end(ab);
1124 
1125 	return rc;
1126 }
1127 
audit_log_execve_info(struct audit_context * context,struct audit_buffer ** ab)1128 static void audit_log_execve_info(struct audit_context *context,
1129 				  struct audit_buffer **ab)
1130 {
1131 	long len_max;
1132 	long len_rem;
1133 	long len_full;
1134 	long len_buf;
1135 	long len_abuf = 0;
1136 	long len_tmp;
1137 	bool require_data;
1138 	bool encode;
1139 	unsigned int iter;
1140 	unsigned int arg;
1141 	char *buf_head;
1142 	char *buf;
1143 	const char __user *p = (const char __user *)current->mm->arg_start;
1144 
1145 	/* NOTE: this buffer needs to be large enough to hold all the non-arg
1146 	 *       data we put in the audit record for this argument (see the
1147 	 *       code below) ... at this point in time 96 is plenty */
1148 	char abuf[96];
1149 
1150 	/* NOTE: we set MAX_EXECVE_AUDIT_LEN to a rather arbitrary limit, the
1151 	 *       current value of 7500 is not as important as the fact that it
1152 	 *       is less than 8k, a setting of 7500 gives us plenty of wiggle
1153 	 *       room if we go over a little bit in the logging below */
1154 	WARN_ON_ONCE(MAX_EXECVE_AUDIT_LEN > 7500);
1155 	len_max = MAX_EXECVE_AUDIT_LEN;
1156 
1157 	/* scratch buffer to hold the userspace args */
1158 	buf_head = kmalloc(MAX_EXECVE_AUDIT_LEN + 1, GFP_KERNEL);
1159 	if (!buf_head) {
1160 		audit_panic("out of memory for argv string");
1161 		return;
1162 	}
1163 	buf = buf_head;
1164 
1165 	audit_log_format(*ab, "argc=%d", context->execve.argc);
1166 
1167 	len_rem = len_max;
1168 	len_buf = 0;
1169 	len_full = 0;
1170 	require_data = true;
1171 	encode = false;
1172 	iter = 0;
1173 	arg = 0;
1174 	do {
1175 		/* NOTE: we don't ever want to trust this value for anything
1176 		 *       serious, but the audit record format insists we
1177 		 *       provide an argument length for really long arguments,
1178 		 *       e.g. > MAX_EXECVE_AUDIT_LEN, so we have no choice but
1179 		 *       to use strncpy_from_user() to obtain this value for
1180 		 *       recording in the log, although we don't use it
1181 		 *       anywhere here to avoid a double-fetch problem */
1182 		if (len_full == 0)
1183 			len_full = strnlen_user(p, MAX_ARG_STRLEN) - 1;
1184 
1185 		/* read more data from userspace */
1186 		if (require_data) {
1187 			/* can we make more room in the buffer? */
1188 			if (buf != buf_head) {
1189 				memmove(buf_head, buf, len_buf);
1190 				buf = buf_head;
1191 			}
1192 
1193 			/* fetch as much as we can of the argument */
1194 			len_tmp = strncpy_from_user(&buf_head[len_buf], p,
1195 						    len_max - len_buf);
1196 			if (len_tmp == -EFAULT) {
1197 				/* unable to copy from userspace */
1198 				send_sig(SIGKILL, current, 0);
1199 				goto out;
1200 			} else if (len_tmp == (len_max - len_buf)) {
1201 				/* buffer is not large enough */
1202 				require_data = true;
1203 				/* NOTE: if we are going to span multiple
1204 				 *       buffers force the encoding so we stand
1205 				 *       a chance at a sane len_full value and
1206 				 *       consistent record encoding */
1207 				encode = true;
1208 				len_full = len_full * 2;
1209 				p += len_tmp;
1210 			} else {
1211 				require_data = false;
1212 				if (!encode)
1213 					encode = audit_string_contains_control(
1214 								buf, len_tmp);
1215 				/* try to use a trusted value for len_full */
1216 				if (len_full < len_max)
1217 					len_full = (encode ?
1218 						    len_tmp * 2 : len_tmp);
1219 				p += len_tmp + 1;
1220 			}
1221 			len_buf += len_tmp;
1222 			buf_head[len_buf] = '\0';
1223 
1224 			/* length of the buffer in the audit record? */
1225 			len_abuf = (encode ? len_buf * 2 : len_buf + 2);
1226 		}
1227 
1228 		/* write as much as we can to the audit log */
1229 		if (len_buf >= 0) {
1230 			/* NOTE: some magic numbers here - basically if we
1231 			 *       can't fit a reasonable amount of data into the
1232 			 *       existing audit buffer, flush it and start with
1233 			 *       a new buffer */
1234 			if ((sizeof(abuf) + 8) > len_rem) {
1235 				len_rem = len_max;
1236 				audit_log_end(*ab);
1237 				*ab = audit_log_start(context,
1238 						      GFP_KERNEL, AUDIT_EXECVE);
1239 				if (!*ab)
1240 					goto out;
1241 			}
1242 
1243 			/* create the non-arg portion of the arg record */
1244 			len_tmp = 0;
1245 			if (require_data || (iter > 0) ||
1246 			    ((len_abuf + sizeof(abuf)) > len_rem)) {
1247 				if (iter == 0) {
1248 					len_tmp += snprintf(&abuf[len_tmp],
1249 							sizeof(abuf) - len_tmp,
1250 							" a%d_len=%lu",
1251 							arg, len_full);
1252 				}
1253 				len_tmp += snprintf(&abuf[len_tmp],
1254 						    sizeof(abuf) - len_tmp,
1255 						    " a%d[%d]=", arg, iter++);
1256 			} else
1257 				len_tmp += snprintf(&abuf[len_tmp],
1258 						    sizeof(abuf) - len_tmp,
1259 						    " a%d=", arg);
1260 			WARN_ON(len_tmp >= sizeof(abuf));
1261 			abuf[sizeof(abuf) - 1] = '\0';
1262 
1263 			/* log the arg in the audit record */
1264 			audit_log_format(*ab, "%s", abuf);
1265 			len_rem -= len_tmp;
1266 			len_tmp = len_buf;
1267 			if (encode) {
1268 				if (len_abuf > len_rem)
1269 					len_tmp = len_rem / 2; /* encoding */
1270 				audit_log_n_hex(*ab, buf, len_tmp);
1271 				len_rem -= len_tmp * 2;
1272 				len_abuf -= len_tmp * 2;
1273 			} else {
1274 				if (len_abuf > len_rem)
1275 					len_tmp = len_rem - 2; /* quotes */
1276 				audit_log_n_string(*ab, buf, len_tmp);
1277 				len_rem -= len_tmp + 2;
1278 				/* don't subtract the "2" because we still need
1279 				 * to add quotes to the remaining string */
1280 				len_abuf -= len_tmp;
1281 			}
1282 			len_buf -= len_tmp;
1283 			buf += len_tmp;
1284 		}
1285 
1286 		/* ready to move to the next argument? */
1287 		if ((len_buf == 0) && !require_data) {
1288 			arg++;
1289 			iter = 0;
1290 			len_full = 0;
1291 			require_data = true;
1292 			encode = false;
1293 		}
1294 	} while (arg < context->execve.argc);
1295 
1296 	/* NOTE: the caller handles the final audit_log_end() call */
1297 
1298 out:
1299 	kfree(buf_head);
1300 }
1301 
audit_log_cap(struct audit_buffer * ab,char * prefix,kernel_cap_t * cap)1302 static void audit_log_cap(struct audit_buffer *ab, char *prefix,
1303 			  kernel_cap_t *cap)
1304 {
1305 	if (cap_isclear(*cap)) {
1306 		audit_log_format(ab, " %s=0", prefix);
1307 		return;
1308 	}
1309 	audit_log_format(ab, " %s=%016llx", prefix, cap->val);
1310 }
1311 
audit_log_fcaps(struct audit_buffer * ab,struct audit_names * name)1312 static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name)
1313 {
1314 	if (name->fcap_ver == -1) {
1315 		audit_log_format(ab, " cap_fe=? cap_fver=? cap_fp=? cap_fi=?");
1316 		return;
1317 	}
1318 	audit_log_cap(ab, "cap_fp", &name->fcap.permitted);
1319 	audit_log_cap(ab, "cap_fi", &name->fcap.inheritable);
1320 	audit_log_format(ab, " cap_fe=%d cap_fver=%x cap_frootid=%d",
1321 			 name->fcap.fE, name->fcap_ver,
1322 			 from_kuid(&init_user_ns, name->fcap.rootid));
1323 }
1324 
audit_log_time(struct audit_context * context,struct audit_buffer ** ab)1325 static void audit_log_time(struct audit_context *context, struct audit_buffer **ab)
1326 {
1327 	const struct audit_ntp_data *ntp = &context->time.ntp_data;
1328 	const struct timespec64 *tk = &context->time.tk_injoffset;
1329 	static const char * const ntp_name[] = {
1330 		"offset",
1331 		"freq",
1332 		"status",
1333 		"tai",
1334 		"tick",
1335 		"adjust",
1336 	};
1337 	int type;
1338 
1339 	if (context->type == AUDIT_TIME_ADJNTPVAL) {
1340 		for (type = 0; type < AUDIT_NTP_NVALS; type++) {
1341 			if (ntp->vals[type].newval != ntp->vals[type].oldval) {
1342 				if (!*ab) {
1343 					*ab = audit_log_start(context,
1344 							GFP_KERNEL,
1345 							AUDIT_TIME_ADJNTPVAL);
1346 					if (!*ab)
1347 						return;
1348 				}
1349 				audit_log_format(*ab, "op=%s old=%lli new=%lli",
1350 						 ntp_name[type],
1351 						 ntp->vals[type].oldval,
1352 						 ntp->vals[type].newval);
1353 				audit_log_end(*ab);
1354 				*ab = NULL;
1355 			}
1356 		}
1357 	}
1358 	if (tk->tv_sec != 0 || tk->tv_nsec != 0) {
1359 		if (!*ab) {
1360 			*ab = audit_log_start(context, GFP_KERNEL,
1361 					      AUDIT_TIME_INJOFFSET);
1362 			if (!*ab)
1363 				return;
1364 		}
1365 		audit_log_format(*ab, "sec=%lli nsec=%li",
1366 				 (long long)tk->tv_sec, tk->tv_nsec);
1367 		audit_log_end(*ab);
1368 		*ab = NULL;
1369 	}
1370 }
1371 
show_special(struct audit_context * context,int * call_panic)1372 static void show_special(struct audit_context *context, int *call_panic)
1373 {
1374 	struct audit_buffer *ab;
1375 	int i;
1376 
1377 	ab = audit_log_start(context, GFP_KERNEL, context->type);
1378 	if (!ab)
1379 		return;
1380 
1381 	switch (context->type) {
1382 	case AUDIT_SOCKETCALL: {
1383 		int nargs = context->socketcall.nargs;
1384 
1385 		audit_log_format(ab, "nargs=%d", nargs);
1386 		for (i = 0; i < nargs; i++)
1387 			audit_log_format(ab, " a%d=%lx", i,
1388 				context->socketcall.args[i]);
1389 		break; }
1390 	case AUDIT_IPC:
1391 		audit_log_format(ab, "ouid=%u ogid=%u mode=%#ho",
1392 				 from_kuid(&init_user_ns, context->ipc.uid),
1393 				 from_kgid(&init_user_ns, context->ipc.gid),
1394 				 context->ipc.mode);
1395 		if (lsmprop_is_set(&context->ipc.oprop)) {
1396 			char *ctx = NULL;
1397 			u32 len;
1398 
1399 			if (security_lsmprop_to_secctx(&context->ipc.oprop,
1400 						       &ctx, &len)) {
1401 				*call_panic = 1;
1402 			} else {
1403 				audit_log_format(ab, " obj=%s", ctx);
1404 				security_release_secctx(ctx, len);
1405 			}
1406 		}
1407 		if (context->ipc.has_perm) {
1408 			audit_log_end(ab);
1409 			ab = audit_log_start(context, GFP_KERNEL,
1410 					     AUDIT_IPC_SET_PERM);
1411 			if (unlikely(!ab))
1412 				return;
1413 			audit_log_format(ab,
1414 				"qbytes=%lx ouid=%u ogid=%u mode=%#ho",
1415 				context->ipc.qbytes,
1416 				context->ipc.perm_uid,
1417 				context->ipc.perm_gid,
1418 				context->ipc.perm_mode);
1419 		}
1420 		break;
1421 	case AUDIT_MQ_OPEN:
1422 		audit_log_format(ab,
1423 			"oflag=0x%x mode=%#ho mq_flags=0x%lx mq_maxmsg=%ld "
1424 			"mq_msgsize=%ld mq_curmsgs=%ld",
1425 			context->mq_open.oflag, context->mq_open.mode,
1426 			context->mq_open.attr.mq_flags,
1427 			context->mq_open.attr.mq_maxmsg,
1428 			context->mq_open.attr.mq_msgsize,
1429 			context->mq_open.attr.mq_curmsgs);
1430 		break;
1431 	case AUDIT_MQ_SENDRECV:
1432 		audit_log_format(ab,
1433 			"mqdes=%d msg_len=%zd msg_prio=%u "
1434 			"abs_timeout_sec=%lld abs_timeout_nsec=%ld",
1435 			context->mq_sendrecv.mqdes,
1436 			context->mq_sendrecv.msg_len,
1437 			context->mq_sendrecv.msg_prio,
1438 			(long long) context->mq_sendrecv.abs_timeout.tv_sec,
1439 			context->mq_sendrecv.abs_timeout.tv_nsec);
1440 		break;
1441 	case AUDIT_MQ_NOTIFY:
1442 		audit_log_format(ab, "mqdes=%d sigev_signo=%d",
1443 				context->mq_notify.mqdes,
1444 				context->mq_notify.sigev_signo);
1445 		break;
1446 	case AUDIT_MQ_GETSETATTR: {
1447 		struct mq_attr *attr = &context->mq_getsetattr.mqstat;
1448 
1449 		audit_log_format(ab,
1450 			"mqdes=%d mq_flags=0x%lx mq_maxmsg=%ld mq_msgsize=%ld "
1451 			"mq_curmsgs=%ld ",
1452 			context->mq_getsetattr.mqdes,
1453 			attr->mq_flags, attr->mq_maxmsg,
1454 			attr->mq_msgsize, attr->mq_curmsgs);
1455 		break; }
1456 	case AUDIT_CAPSET:
1457 		audit_log_format(ab, "pid=%d", context->capset.pid);
1458 		audit_log_cap(ab, "cap_pi", &context->capset.cap.inheritable);
1459 		audit_log_cap(ab, "cap_pp", &context->capset.cap.permitted);
1460 		audit_log_cap(ab, "cap_pe", &context->capset.cap.effective);
1461 		audit_log_cap(ab, "cap_pa", &context->capset.cap.ambient);
1462 		break;
1463 	case AUDIT_MMAP:
1464 		audit_log_format(ab, "fd=%d flags=0x%x", context->mmap.fd,
1465 				 context->mmap.flags);
1466 		break;
1467 	case AUDIT_OPENAT2:
1468 		audit_log_format(ab, "oflag=0%llo mode=0%llo resolve=0x%llx",
1469 				 context->openat2.flags,
1470 				 context->openat2.mode,
1471 				 context->openat2.resolve);
1472 		break;
1473 	case AUDIT_EXECVE:
1474 		audit_log_execve_info(context, &ab);
1475 		break;
1476 	case AUDIT_KERN_MODULE:
1477 		audit_log_format(ab, "name=");
1478 		if (context->module.name) {
1479 			audit_log_untrustedstring(ab, context->module.name);
1480 		} else
1481 			audit_log_format(ab, "(null)");
1482 
1483 		break;
1484 	case AUDIT_TIME_ADJNTPVAL:
1485 	case AUDIT_TIME_INJOFFSET:
1486 		/* this call deviates from the rest, eating the buffer */
1487 		audit_log_time(context, &ab);
1488 		break;
1489 	}
1490 	audit_log_end(ab);
1491 }
1492 
audit_proctitle_rtrim(char * proctitle,int len)1493 static inline int audit_proctitle_rtrim(char *proctitle, int len)
1494 {
1495 	char *end = proctitle + len - 1;
1496 
1497 	while (end > proctitle && !isprint(*end))
1498 		end--;
1499 
1500 	/* catch the case where proctitle is only 1 non-print character */
1501 	len = end - proctitle + 1;
1502 	len -= isprint(proctitle[len-1]) == 0;
1503 	return len;
1504 }
1505 
1506 /*
1507  * audit_log_name - produce AUDIT_PATH record from struct audit_names
1508  * @context: audit_context for the task
1509  * @n: audit_names structure with reportable details
1510  * @path: optional path to report instead of audit_names->name
1511  * @record_num: record number to report when handling a list of names
1512  * @call_panic: optional pointer to int that will be updated if secid fails
1513  */
audit_log_name(struct audit_context * context,struct audit_names * n,const struct path * path,int record_num,int * call_panic)1514 static void audit_log_name(struct audit_context *context, struct audit_names *n,
1515 		    const struct path *path, int record_num, int *call_panic)
1516 {
1517 	struct audit_buffer *ab;
1518 
1519 	ab = audit_log_start(context, GFP_KERNEL, AUDIT_PATH);
1520 	if (!ab)
1521 		return;
1522 
1523 	audit_log_format(ab, "item=%d", record_num);
1524 
1525 	if (path)
1526 		audit_log_d_path(ab, " name=", path);
1527 	else if (n->name) {
1528 		switch (n->name_len) {
1529 		case AUDIT_NAME_FULL:
1530 			/* log the full path */
1531 			audit_log_format(ab, " name=");
1532 			audit_log_untrustedstring(ab, n->name->name);
1533 			break;
1534 		case 0:
1535 			/* name was specified as a relative path and the
1536 			 * directory component is the cwd
1537 			 */
1538 			if (context->pwd.dentry && context->pwd.mnt)
1539 				audit_log_d_path(ab, " name=", &context->pwd);
1540 			else
1541 				audit_log_format(ab, " name=(null)");
1542 			break;
1543 		default:
1544 			/* log the name's directory component */
1545 			audit_log_format(ab, " name=");
1546 			audit_log_n_untrustedstring(ab, n->name->name,
1547 						    n->name_len);
1548 		}
1549 	} else
1550 		audit_log_format(ab, " name=(null)");
1551 
1552 	if (n->ino != AUDIT_INO_UNSET)
1553 		audit_log_format(ab, " inode=%lu dev=%02x:%02x mode=%#ho ouid=%u ogid=%u rdev=%02x:%02x",
1554 				 n->ino,
1555 				 MAJOR(n->dev),
1556 				 MINOR(n->dev),
1557 				 n->mode,
1558 				 from_kuid(&init_user_ns, n->uid),
1559 				 from_kgid(&init_user_ns, n->gid),
1560 				 MAJOR(n->rdev),
1561 				 MINOR(n->rdev));
1562 	if (lsmprop_is_set(&n->oprop)) {
1563 		char *ctx = NULL;
1564 		u32 len;
1565 
1566 		if (security_lsmprop_to_secctx(&n->oprop, &ctx, &len)) {
1567 			if (call_panic)
1568 				*call_panic = 2;
1569 		} else {
1570 			audit_log_format(ab, " obj=%s", ctx);
1571 			security_release_secctx(ctx, len);
1572 		}
1573 	}
1574 
1575 	/* log the audit_names record type */
1576 	switch (n->type) {
1577 	case AUDIT_TYPE_NORMAL:
1578 		audit_log_format(ab, " nametype=NORMAL");
1579 		break;
1580 	case AUDIT_TYPE_PARENT:
1581 		audit_log_format(ab, " nametype=PARENT");
1582 		break;
1583 	case AUDIT_TYPE_CHILD_DELETE:
1584 		audit_log_format(ab, " nametype=DELETE");
1585 		break;
1586 	case AUDIT_TYPE_CHILD_CREATE:
1587 		audit_log_format(ab, " nametype=CREATE");
1588 		break;
1589 	default:
1590 		audit_log_format(ab, " nametype=UNKNOWN");
1591 		break;
1592 	}
1593 
1594 	audit_log_fcaps(ab, n);
1595 	audit_log_end(ab);
1596 }
1597 
audit_log_proctitle(void)1598 static void audit_log_proctitle(void)
1599 {
1600 	int res;
1601 	char *buf;
1602 	char *msg = "(null)";
1603 	int len = strlen(msg);
1604 	struct audit_context *context = audit_context();
1605 	struct audit_buffer *ab;
1606 
1607 	ab = audit_log_start(context, GFP_KERNEL, AUDIT_PROCTITLE);
1608 	if (!ab)
1609 		return;	/* audit_panic or being filtered */
1610 
1611 	audit_log_format(ab, "proctitle=");
1612 
1613 	/* Not  cached */
1614 	if (!context->proctitle.value) {
1615 		buf = kmalloc(MAX_PROCTITLE_AUDIT_LEN, GFP_KERNEL);
1616 		if (!buf)
1617 			goto out;
1618 		/* Historically called this from procfs naming */
1619 		res = get_cmdline(current, buf, MAX_PROCTITLE_AUDIT_LEN);
1620 		if (res == 0) {
1621 			kfree(buf);
1622 			goto out;
1623 		}
1624 		res = audit_proctitle_rtrim(buf, res);
1625 		if (res == 0) {
1626 			kfree(buf);
1627 			goto out;
1628 		}
1629 		context->proctitle.value = buf;
1630 		context->proctitle.len = res;
1631 	}
1632 	msg = context->proctitle.value;
1633 	len = context->proctitle.len;
1634 out:
1635 	audit_log_n_untrustedstring(ab, msg, len);
1636 	audit_log_end(ab);
1637 }
1638 
1639 /**
1640  * audit_log_uring - generate a AUDIT_URINGOP record
1641  * @ctx: the audit context
1642  */
audit_log_uring(struct audit_context * ctx)1643 static void audit_log_uring(struct audit_context *ctx)
1644 {
1645 	struct audit_buffer *ab;
1646 	const struct cred *cred;
1647 
1648 	ab = audit_log_start(ctx, GFP_ATOMIC, AUDIT_URINGOP);
1649 	if (!ab)
1650 		return;
1651 	cred = current_cred();
1652 	audit_log_format(ab, "uring_op=%d", ctx->uring_op);
1653 	if (ctx->return_valid != AUDITSC_INVALID)
1654 		audit_log_format(ab, " success=%s exit=%ld",
1655 				 str_yes_no(ctx->return_valid ==
1656 					    AUDITSC_SUCCESS),
1657 				 ctx->return_code);
1658 	audit_log_format(ab,
1659 			 " items=%d"
1660 			 " ppid=%d pid=%d uid=%u gid=%u euid=%u suid=%u"
1661 			 " fsuid=%u egid=%u sgid=%u fsgid=%u",
1662 			 ctx->name_count,
1663 			 task_ppid_nr(current), task_tgid_nr(current),
1664 			 from_kuid(&init_user_ns, cred->uid),
1665 			 from_kgid(&init_user_ns, cred->gid),
1666 			 from_kuid(&init_user_ns, cred->euid),
1667 			 from_kuid(&init_user_ns, cred->suid),
1668 			 from_kuid(&init_user_ns, cred->fsuid),
1669 			 from_kgid(&init_user_ns, cred->egid),
1670 			 from_kgid(&init_user_ns, cred->sgid),
1671 			 from_kgid(&init_user_ns, cred->fsgid));
1672 	audit_log_task_context(ab);
1673 	audit_log_key(ab, ctx->filterkey);
1674 	audit_log_end(ab);
1675 }
1676 
audit_log_exit(void)1677 static void audit_log_exit(void)
1678 {
1679 	int i, call_panic = 0;
1680 	struct audit_context *context = audit_context();
1681 	struct audit_buffer *ab;
1682 	struct audit_aux_data *aux;
1683 	struct audit_names *n;
1684 
1685 	context->personality = current->personality;
1686 
1687 	switch (context->context) {
1688 	case AUDIT_CTX_SYSCALL:
1689 		ab = audit_log_start(context, GFP_KERNEL, AUDIT_SYSCALL);
1690 		if (!ab)
1691 			return;
1692 		audit_log_format(ab, "arch=%x syscall=%d",
1693 				 context->arch, context->major);
1694 		if (context->personality != PER_LINUX)
1695 			audit_log_format(ab, " per=%lx", context->personality);
1696 		if (context->return_valid != AUDITSC_INVALID)
1697 			audit_log_format(ab, " success=%s exit=%ld",
1698 					 str_yes_no(context->return_valid ==
1699 						    AUDITSC_SUCCESS),
1700 					 context->return_code);
1701 		audit_log_format(ab,
1702 				 " a0=%lx a1=%lx a2=%lx a3=%lx items=%d",
1703 				 context->argv[0],
1704 				 context->argv[1],
1705 				 context->argv[2],
1706 				 context->argv[3],
1707 				 context->name_count);
1708 		audit_log_task_info(ab);
1709 		audit_log_key(ab, context->filterkey);
1710 		audit_log_end(ab);
1711 		break;
1712 	case AUDIT_CTX_URING:
1713 		audit_log_uring(context);
1714 		break;
1715 	default:
1716 		BUG();
1717 		break;
1718 	}
1719 
1720 	for (aux = context->aux; aux; aux = aux->next) {
1721 
1722 		ab = audit_log_start(context, GFP_KERNEL, aux->type);
1723 		if (!ab)
1724 			continue; /* audit_panic has been called */
1725 
1726 		switch (aux->type) {
1727 
1728 		case AUDIT_BPRM_FCAPS: {
1729 			struct audit_aux_data_bprm_fcaps *axs = (void *)aux;
1730 
1731 			audit_log_format(ab, "fver=%x", axs->fcap_ver);
1732 			audit_log_cap(ab, "fp", &axs->fcap.permitted);
1733 			audit_log_cap(ab, "fi", &axs->fcap.inheritable);
1734 			audit_log_format(ab, " fe=%d", axs->fcap.fE);
1735 			audit_log_cap(ab, "old_pp", &axs->old_pcap.permitted);
1736 			audit_log_cap(ab, "old_pi", &axs->old_pcap.inheritable);
1737 			audit_log_cap(ab, "old_pe", &axs->old_pcap.effective);
1738 			audit_log_cap(ab, "old_pa", &axs->old_pcap.ambient);
1739 			audit_log_cap(ab, "pp", &axs->new_pcap.permitted);
1740 			audit_log_cap(ab, "pi", &axs->new_pcap.inheritable);
1741 			audit_log_cap(ab, "pe", &axs->new_pcap.effective);
1742 			audit_log_cap(ab, "pa", &axs->new_pcap.ambient);
1743 			audit_log_format(ab, " frootid=%d",
1744 					 from_kuid(&init_user_ns,
1745 						   axs->fcap.rootid));
1746 			break; }
1747 
1748 		}
1749 		audit_log_end(ab);
1750 	}
1751 
1752 	if (context->type)
1753 		show_special(context, &call_panic);
1754 
1755 	if (context->fds[0] >= 0) {
1756 		ab = audit_log_start(context, GFP_KERNEL, AUDIT_FD_PAIR);
1757 		if (ab) {
1758 			audit_log_format(ab, "fd0=%d fd1=%d",
1759 					context->fds[0], context->fds[1]);
1760 			audit_log_end(ab);
1761 		}
1762 	}
1763 
1764 	if (context->sockaddr_len) {
1765 		ab = audit_log_start(context, GFP_KERNEL, AUDIT_SOCKADDR);
1766 		if (ab) {
1767 			audit_log_format(ab, "saddr=");
1768 			audit_log_n_hex(ab, (void *)context->sockaddr,
1769 					context->sockaddr_len);
1770 			audit_log_end(ab);
1771 		}
1772 	}
1773 
1774 	for (aux = context->aux_pids; aux; aux = aux->next) {
1775 		struct audit_aux_data_pids *axs = (void *)aux;
1776 
1777 		for (i = 0; i < axs->pid_count; i++)
1778 			if (audit_log_pid_context(context, axs->target_pid[i],
1779 						  axs->target_auid[i],
1780 						  axs->target_uid[i],
1781 						  axs->target_sessionid[i],
1782 						  &axs->target_ref[i],
1783 						  axs->target_comm[i]))
1784 				call_panic = 1;
1785 	}
1786 
1787 	if (context->target_pid &&
1788 	    audit_log_pid_context(context, context->target_pid,
1789 				  context->target_auid, context->target_uid,
1790 				  context->target_sessionid,
1791 				  &context->target_ref, context->target_comm))
1792 			call_panic = 1;
1793 
1794 	if (context->pwd.dentry && context->pwd.mnt) {
1795 		ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD);
1796 		if (ab) {
1797 			audit_log_d_path(ab, "cwd=", &context->pwd);
1798 			audit_log_end(ab);
1799 		}
1800 	}
1801 
1802 	i = 0;
1803 	list_for_each_entry(n, &context->names_list, list) {
1804 		if (n->hidden)
1805 			continue;
1806 		audit_log_name(context, n, NULL, i++, &call_panic);
1807 	}
1808 
1809 	if (context->context == AUDIT_CTX_SYSCALL)
1810 		audit_log_proctitle();
1811 
1812 	/* Send end of event record to help user space know we are finished */
1813 	ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE);
1814 	if (ab)
1815 		audit_log_end(ab);
1816 	if (call_panic)
1817 		audit_panic("error in audit_log_exit()");
1818 }
1819 
1820 /**
1821  * __audit_free - free a per-task audit context
1822  * @tsk: task whose audit context block to free
1823  *
1824  * Called from copy_process, do_exit, and the io_uring code
1825  */
__audit_free(struct task_struct * tsk)1826 void __audit_free(struct task_struct *tsk)
1827 {
1828 	struct audit_context *context = tsk->audit_context;
1829 
1830 	if (!context)
1831 		return;
1832 
1833 	/* this may generate CONFIG_CHANGE records */
1834 	if (!list_empty(&context->killed_trees))
1835 		audit_kill_trees(context);
1836 
1837 	/* We are called either by do_exit() or the fork() error handling code;
1838 	 * in the former case tsk == current and in the latter tsk is a
1839 	 * random task_struct that doesn't have any meaningful data we
1840 	 * need to log via audit_log_exit().
1841 	 */
1842 	if (tsk == current && !context->dummy) {
1843 		context->return_valid = AUDITSC_INVALID;
1844 		context->return_code = 0;
1845 		if (context->context == AUDIT_CTX_SYSCALL) {
1846 			audit_filter_syscall(tsk, context);
1847 			audit_filter_inodes(tsk, context);
1848 			if (context->current_state == AUDIT_STATE_RECORD)
1849 				audit_log_exit();
1850 		} else if (context->context == AUDIT_CTX_URING) {
1851 			/* TODO: verify this case is real and valid */
1852 			audit_filter_uring(tsk, context);
1853 			audit_filter_inodes(tsk, context);
1854 			if (context->current_state == AUDIT_STATE_RECORD)
1855 				audit_log_uring(context);
1856 		}
1857 	}
1858 
1859 	audit_set_context(tsk, NULL);
1860 	audit_free_context(context);
1861 }
1862 
1863 /**
1864  * audit_return_fixup - fixup the return codes in the audit_context
1865  * @ctx: the audit_context
1866  * @success: true/false value to indicate if the operation succeeded or not
1867  * @code: operation return code
1868  *
1869  * We need to fixup the return code in the audit logs if the actual return
1870  * codes are later going to be fixed by the arch specific signal handlers.
1871  */
audit_return_fixup(struct audit_context * ctx,int success,long code)1872 static void audit_return_fixup(struct audit_context *ctx,
1873 			       int success, long code)
1874 {
1875 	/*
1876 	 * This is actually a test for:
1877 	 * (rc == ERESTARTSYS ) || (rc == ERESTARTNOINTR) ||
1878 	 * (rc == ERESTARTNOHAND) || (rc == ERESTART_RESTARTBLOCK)
1879 	 *
1880 	 * but is faster than a bunch of ||
1881 	 */
1882 	if (unlikely(code <= -ERESTARTSYS) &&
1883 	    (code >= -ERESTART_RESTARTBLOCK) &&
1884 	    (code != -ENOIOCTLCMD))
1885 		ctx->return_code = -EINTR;
1886 	else
1887 		ctx->return_code  = code;
1888 	ctx->return_valid = (success ? AUDITSC_SUCCESS : AUDITSC_FAILURE);
1889 }
1890 
1891 /**
1892  * __audit_uring_entry - prepare the kernel task's audit context for io_uring
1893  * @op: the io_uring opcode
1894  *
1895  * This is similar to audit_syscall_entry() but is intended for use by io_uring
1896  * operations.  This function should only ever be called from
1897  * audit_uring_entry() as we rely on the audit context checking present in that
1898  * function.
1899  */
__audit_uring_entry(u8 op)1900 void __audit_uring_entry(u8 op)
1901 {
1902 	struct audit_context *ctx = audit_context();
1903 
1904 	if (ctx->state == AUDIT_STATE_DISABLED)
1905 		return;
1906 
1907 	/*
1908 	 * NOTE: It's possible that we can be called from the process' context
1909 	 *       before it returns to userspace, and before audit_syscall_exit()
1910 	 *       is called.  In this case there is not much to do, just record
1911 	 *       the io_uring details and return.
1912 	 */
1913 	ctx->uring_op = op;
1914 	if (ctx->context == AUDIT_CTX_SYSCALL)
1915 		return;
1916 
1917 	ctx->dummy = !audit_n_rules;
1918 	if (!ctx->dummy && ctx->state == AUDIT_STATE_BUILD)
1919 		ctx->prio = 0;
1920 
1921 	ctx->context = AUDIT_CTX_URING;
1922 	ctx->current_state = ctx->state;
1923 	ktime_get_coarse_real_ts64(&ctx->ctime);
1924 }
1925 
1926 /**
1927  * __audit_uring_exit - wrap up the kernel task's audit context after io_uring
1928  * @success: true/false value to indicate if the operation succeeded or not
1929  * @code: operation return code
1930  *
1931  * This is similar to audit_syscall_exit() but is intended for use by io_uring
1932  * operations.  This function should only ever be called from
1933  * audit_uring_exit() as we rely on the audit context checking present in that
1934  * function.
1935  */
__audit_uring_exit(int success,long code)1936 void __audit_uring_exit(int success, long code)
1937 {
1938 	struct audit_context *ctx = audit_context();
1939 
1940 	if (ctx->dummy) {
1941 		if (ctx->context != AUDIT_CTX_URING)
1942 			return;
1943 		goto out;
1944 	}
1945 
1946 	audit_return_fixup(ctx, success, code);
1947 	if (ctx->context == AUDIT_CTX_SYSCALL) {
1948 		/*
1949 		 * NOTE: See the note in __audit_uring_entry() about the case
1950 		 *       where we may be called from process context before we
1951 		 *       return to userspace via audit_syscall_exit().  In this
1952 		 *       case we simply emit a URINGOP record and bail, the
1953 		 *       normal syscall exit handling will take care of
1954 		 *       everything else.
1955 		 *       It is also worth mentioning that when we are called,
1956 		 *       the current process creds may differ from the creds
1957 		 *       used during the normal syscall processing; keep that
1958 		 *       in mind if/when we move the record generation code.
1959 		 */
1960 
1961 		/*
1962 		 * We need to filter on the syscall info here to decide if we
1963 		 * should emit a URINGOP record.  I know it seems odd but this
1964 		 * solves the problem where users have a filter to block *all*
1965 		 * syscall records in the "exit" filter; we want to preserve
1966 		 * the behavior here.
1967 		 */
1968 		audit_filter_syscall(current, ctx);
1969 		if (ctx->current_state != AUDIT_STATE_RECORD)
1970 			audit_filter_uring(current, ctx);
1971 		audit_filter_inodes(current, ctx);
1972 		if (ctx->current_state != AUDIT_STATE_RECORD)
1973 			return;
1974 
1975 		audit_log_uring(ctx);
1976 		return;
1977 	}
1978 
1979 	/* this may generate CONFIG_CHANGE records */
1980 	if (!list_empty(&ctx->killed_trees))
1981 		audit_kill_trees(ctx);
1982 
1983 	/* run through both filters to ensure we set the filterkey properly */
1984 	audit_filter_uring(current, ctx);
1985 	audit_filter_inodes(current, ctx);
1986 	if (ctx->current_state != AUDIT_STATE_RECORD)
1987 		goto out;
1988 	audit_log_exit();
1989 
1990 out:
1991 	audit_reset_context(ctx);
1992 }
1993 
1994 /**
1995  * __audit_syscall_entry - fill in an audit record at syscall entry
1996  * @major: major syscall type (function)
1997  * @a1: additional syscall register 1
1998  * @a2: additional syscall register 2
1999  * @a3: additional syscall register 3
2000  * @a4: additional syscall register 4
2001  *
2002  * Fill in audit context at syscall entry.  This only happens if the
2003  * audit context was created when the task was created and the state or
2004  * filters demand the audit context be built.  If the state from the
2005  * per-task filter or from the per-syscall filter is AUDIT_STATE_RECORD,
2006  * then the record will be written at syscall exit time (otherwise, it
2007  * will only be written if another part of the kernel requests that it
2008  * be written).
2009  */
__audit_syscall_entry(int major,unsigned long a1,unsigned long a2,unsigned long a3,unsigned long a4)2010 void __audit_syscall_entry(int major, unsigned long a1, unsigned long a2,
2011 			   unsigned long a3, unsigned long a4)
2012 {
2013 	struct audit_context *context = audit_context();
2014 	enum audit_state     state;
2015 
2016 	if (!audit_enabled || !context)
2017 		return;
2018 
2019 	WARN_ON(context->context != AUDIT_CTX_UNUSED);
2020 	WARN_ON(context->name_count);
2021 	if (context->context != AUDIT_CTX_UNUSED || context->name_count) {
2022 		audit_panic("unrecoverable error in audit_syscall_entry()");
2023 		return;
2024 	}
2025 
2026 	state = context->state;
2027 	if (state == AUDIT_STATE_DISABLED)
2028 		return;
2029 
2030 	context->dummy = !audit_n_rules;
2031 	if (!context->dummy && state == AUDIT_STATE_BUILD) {
2032 		context->prio = 0;
2033 		if (auditd_test_task(current))
2034 			return;
2035 	}
2036 
2037 	context->arch	    = syscall_get_arch(current);
2038 	context->major      = major;
2039 	context->argv[0]    = a1;
2040 	context->argv[1]    = a2;
2041 	context->argv[2]    = a3;
2042 	context->argv[3]    = a4;
2043 	context->context = AUDIT_CTX_SYSCALL;
2044 	context->current_state  = state;
2045 	ktime_get_coarse_real_ts64(&context->ctime);
2046 }
2047 
2048 /**
2049  * __audit_syscall_exit - deallocate audit context after a system call
2050  * @success: success value of the syscall
2051  * @return_code: return value of the syscall
2052  *
2053  * Tear down after system call.  If the audit context has been marked as
2054  * auditable (either because of the AUDIT_STATE_RECORD state from
2055  * filtering, or because some other part of the kernel wrote an audit
2056  * message), then write out the syscall information.  In call cases,
2057  * free the names stored from getname().
2058  */
__audit_syscall_exit(int success,long return_code)2059 void __audit_syscall_exit(int success, long return_code)
2060 {
2061 	struct audit_context *context = audit_context();
2062 
2063 	if (!context || context->dummy ||
2064 	    context->context != AUDIT_CTX_SYSCALL)
2065 		goto out;
2066 
2067 	/* this may generate CONFIG_CHANGE records */
2068 	if (!list_empty(&context->killed_trees))
2069 		audit_kill_trees(context);
2070 
2071 	audit_return_fixup(context, success, return_code);
2072 	/* run through both filters to ensure we set the filterkey properly */
2073 	audit_filter_syscall(current, context);
2074 	audit_filter_inodes(current, context);
2075 	if (context->current_state != AUDIT_STATE_RECORD)
2076 		goto out;
2077 
2078 	audit_log_exit();
2079 
2080 out:
2081 	audit_reset_context(context);
2082 }
2083 
handle_one(const struct inode * inode)2084 static inline void handle_one(const struct inode *inode)
2085 {
2086 	struct audit_context *context;
2087 	struct audit_tree_refs *p;
2088 	struct audit_chunk *chunk;
2089 	int count;
2090 
2091 	if (likely(!inode->i_fsnotify_marks))
2092 		return;
2093 	context = audit_context();
2094 	p = context->trees;
2095 	count = context->tree_count;
2096 	rcu_read_lock();
2097 	chunk = audit_tree_lookup(inode);
2098 	rcu_read_unlock();
2099 	if (!chunk)
2100 		return;
2101 	if (likely(put_tree_ref(context, chunk)))
2102 		return;
2103 	if (unlikely(!grow_tree_refs(context))) {
2104 		pr_warn("out of memory, audit has lost a tree reference\n");
2105 		audit_set_auditable(context);
2106 		audit_put_chunk(chunk);
2107 		unroll_tree_refs(context, p, count);
2108 		return;
2109 	}
2110 	put_tree_ref(context, chunk);
2111 }
2112 
handle_path(const struct dentry * dentry)2113 static void handle_path(const struct dentry *dentry)
2114 {
2115 	struct audit_context *context;
2116 	struct audit_tree_refs *p;
2117 	const struct dentry *d, *parent;
2118 	struct audit_chunk *drop;
2119 	unsigned long seq;
2120 	int count;
2121 
2122 	context = audit_context();
2123 	p = context->trees;
2124 	count = context->tree_count;
2125 retry:
2126 	drop = NULL;
2127 	d = dentry;
2128 	rcu_read_lock();
2129 	seq = read_seqbegin(&rename_lock);
2130 	for (;;) {
2131 		struct inode *inode = d_backing_inode(d);
2132 
2133 		if (inode && unlikely(inode->i_fsnotify_marks)) {
2134 			struct audit_chunk *chunk;
2135 
2136 			chunk = audit_tree_lookup(inode);
2137 			if (chunk) {
2138 				if (unlikely(!put_tree_ref(context, chunk))) {
2139 					drop = chunk;
2140 					break;
2141 				}
2142 			}
2143 		}
2144 		parent = d->d_parent;
2145 		if (parent == d)
2146 			break;
2147 		d = parent;
2148 	}
2149 	if (unlikely(read_seqretry(&rename_lock, seq) || drop)) {  /* in this order */
2150 		rcu_read_unlock();
2151 		if (!drop) {
2152 			/* just a race with rename */
2153 			unroll_tree_refs(context, p, count);
2154 			goto retry;
2155 		}
2156 		audit_put_chunk(drop);
2157 		if (grow_tree_refs(context)) {
2158 			/* OK, got more space */
2159 			unroll_tree_refs(context, p, count);
2160 			goto retry;
2161 		}
2162 		/* too bad */
2163 		pr_warn("out of memory, audit has lost a tree reference\n");
2164 		unroll_tree_refs(context, p, count);
2165 		audit_set_auditable(context);
2166 		return;
2167 	}
2168 	rcu_read_unlock();
2169 }
2170 
audit_alloc_name(struct audit_context * context,unsigned char type)2171 static struct audit_names *audit_alloc_name(struct audit_context *context,
2172 						unsigned char type)
2173 {
2174 	struct audit_names *aname;
2175 
2176 	if (context->name_count < AUDIT_NAMES) {
2177 		aname = &context->preallocated_names[context->name_count];
2178 		memset(aname, 0, sizeof(*aname));
2179 	} else {
2180 		aname = kzalloc(sizeof(*aname), GFP_NOFS);
2181 		if (!aname)
2182 			return NULL;
2183 		aname->should_free = true;
2184 	}
2185 
2186 	aname->ino = AUDIT_INO_UNSET;
2187 	aname->type = type;
2188 	list_add_tail(&aname->list, &context->names_list);
2189 
2190 	context->name_count++;
2191 	if (!context->pwd.dentry)
2192 		get_fs_pwd(current->fs, &context->pwd);
2193 	return aname;
2194 }
2195 
2196 /**
2197  * __audit_reusename - fill out filename with info from existing entry
2198  * @uptr: userland ptr to pathname
2199  *
2200  * Search the audit_names list for the current audit context. If there is an
2201  * existing entry with a matching "uptr" then return the filename
2202  * associated with that audit_name. If not, return NULL.
2203  */
2204 struct filename *
__audit_reusename(const __user char * uptr)2205 __audit_reusename(const __user char *uptr)
2206 {
2207 	struct audit_context *context = audit_context();
2208 	struct audit_names *n;
2209 
2210 	list_for_each_entry(n, &context->names_list, list) {
2211 		if (!n->name)
2212 			continue;
2213 		if (n->name->uptr == uptr) {
2214 			atomic_inc(&n->name->refcnt);
2215 			return n->name;
2216 		}
2217 	}
2218 	return NULL;
2219 }
2220 
2221 /**
2222  * __audit_getname - add a name to the list
2223  * @name: name to add
2224  *
2225  * Add a name to the list of audit names for this context.
2226  * Called from fs/namei.c:getname().
2227  */
__audit_getname(struct filename * name)2228 void __audit_getname(struct filename *name)
2229 {
2230 	struct audit_context *context = audit_context();
2231 	struct audit_names *n;
2232 
2233 	if (context->context == AUDIT_CTX_UNUSED)
2234 		return;
2235 
2236 	n = audit_alloc_name(context, AUDIT_TYPE_UNKNOWN);
2237 	if (!n)
2238 		return;
2239 
2240 	n->name = name;
2241 	n->name_len = AUDIT_NAME_FULL;
2242 	name->aname = n;
2243 	atomic_inc(&name->refcnt);
2244 }
2245 
audit_copy_fcaps(struct audit_names * name,const struct dentry * dentry)2246 static inline int audit_copy_fcaps(struct audit_names *name,
2247 				   const struct dentry *dentry)
2248 {
2249 	struct cpu_vfs_cap_data caps;
2250 	int rc;
2251 
2252 	if (!dentry)
2253 		return 0;
2254 
2255 	rc = get_vfs_caps_from_disk(&nop_mnt_idmap, dentry, &caps);
2256 	if (rc)
2257 		return rc;
2258 
2259 	name->fcap.permitted = caps.permitted;
2260 	name->fcap.inheritable = caps.inheritable;
2261 	name->fcap.fE = !!(caps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE);
2262 	name->fcap.rootid = caps.rootid;
2263 	name->fcap_ver = (caps.magic_etc & VFS_CAP_REVISION_MASK) >>
2264 				VFS_CAP_REVISION_SHIFT;
2265 
2266 	return 0;
2267 }
2268 
2269 /* Copy inode data into an audit_names. */
audit_copy_inode(struct audit_names * name,const struct dentry * dentry,struct inode * inode,unsigned int flags)2270 static void audit_copy_inode(struct audit_names *name,
2271 			     const struct dentry *dentry,
2272 			     struct inode *inode, unsigned int flags)
2273 {
2274 	name->ino   = inode->i_ino;
2275 	name->dev   = inode->i_sb->s_dev;
2276 	name->mode  = inode->i_mode;
2277 	name->uid   = inode->i_uid;
2278 	name->gid   = inode->i_gid;
2279 	name->rdev  = inode->i_rdev;
2280 	security_inode_getlsmprop(inode, &name->oprop);
2281 	if (flags & AUDIT_INODE_NOEVAL) {
2282 		name->fcap_ver = -1;
2283 		return;
2284 	}
2285 	audit_copy_fcaps(name, dentry);
2286 }
2287 
2288 /**
2289  * __audit_inode - store the inode and device from a lookup
2290  * @name: name being audited
2291  * @dentry: dentry being audited
2292  * @flags: attributes for this particular entry
2293  */
__audit_inode(struct filename * name,const struct dentry * dentry,unsigned int flags)2294 void __audit_inode(struct filename *name, const struct dentry *dentry,
2295 		   unsigned int flags)
2296 {
2297 	struct audit_context *context = audit_context();
2298 	struct inode *inode = d_backing_inode(dentry);
2299 	struct audit_names *n;
2300 	bool parent = flags & AUDIT_INODE_PARENT;
2301 	struct audit_entry *e;
2302 	struct list_head *list = &audit_filter_list[AUDIT_FILTER_FS];
2303 	int i;
2304 
2305 	if (context->context == AUDIT_CTX_UNUSED)
2306 		return;
2307 
2308 	rcu_read_lock();
2309 	list_for_each_entry_rcu(e, list, list) {
2310 		for (i = 0; i < e->rule.field_count; i++) {
2311 			struct audit_field *f = &e->rule.fields[i];
2312 
2313 			if (f->type == AUDIT_FSTYPE
2314 			    && audit_comparator(inode->i_sb->s_magic,
2315 						f->op, f->val)
2316 			    && e->rule.action == AUDIT_NEVER) {
2317 				rcu_read_unlock();
2318 				return;
2319 			}
2320 		}
2321 	}
2322 	rcu_read_unlock();
2323 
2324 	if (!name)
2325 		goto out_alloc;
2326 
2327 	/*
2328 	 * If we have a pointer to an audit_names entry already, then we can
2329 	 * just use it directly if the type is correct.
2330 	 */
2331 	n = name->aname;
2332 	if (n) {
2333 		if (parent) {
2334 			if (n->type == AUDIT_TYPE_PARENT ||
2335 			    n->type == AUDIT_TYPE_UNKNOWN)
2336 				goto out;
2337 		} else {
2338 			if (n->type != AUDIT_TYPE_PARENT)
2339 				goto out;
2340 		}
2341 	}
2342 
2343 	list_for_each_entry_reverse(n, &context->names_list, list) {
2344 		if (n->ino) {
2345 			/* valid inode number, use that for the comparison */
2346 			if (n->ino != inode->i_ino ||
2347 			    n->dev != inode->i_sb->s_dev)
2348 				continue;
2349 		} else if (n->name) {
2350 			/* inode number has not been set, check the name */
2351 			if (strcmp(n->name->name, name->name))
2352 				continue;
2353 		} else
2354 			/* no inode and no name (?!) ... this is odd ... */
2355 			continue;
2356 
2357 		/* match the correct record type */
2358 		if (parent) {
2359 			if (n->type == AUDIT_TYPE_PARENT ||
2360 			    n->type == AUDIT_TYPE_UNKNOWN)
2361 				goto out;
2362 		} else {
2363 			if (n->type != AUDIT_TYPE_PARENT)
2364 				goto out;
2365 		}
2366 	}
2367 
2368 out_alloc:
2369 	/* unable to find an entry with both a matching name and type */
2370 	n = audit_alloc_name(context, AUDIT_TYPE_UNKNOWN);
2371 	if (!n)
2372 		return;
2373 	if (name) {
2374 		n->name = name;
2375 		atomic_inc(&name->refcnt);
2376 	}
2377 
2378 out:
2379 	if (parent) {
2380 		n->name_len = n->name ? parent_len(n->name->name) : AUDIT_NAME_FULL;
2381 		n->type = AUDIT_TYPE_PARENT;
2382 		if (flags & AUDIT_INODE_HIDDEN)
2383 			n->hidden = true;
2384 	} else {
2385 		n->name_len = AUDIT_NAME_FULL;
2386 		n->type = AUDIT_TYPE_NORMAL;
2387 	}
2388 	handle_path(dentry);
2389 	audit_copy_inode(n, dentry, inode, flags & AUDIT_INODE_NOEVAL);
2390 }
2391 
__audit_file(const struct file * file)2392 void __audit_file(const struct file *file)
2393 {
2394 	__audit_inode(NULL, file->f_path.dentry, 0);
2395 }
2396 
2397 /**
2398  * __audit_inode_child - collect inode info for created/removed objects
2399  * @parent: inode of dentry parent
2400  * @dentry: dentry being audited
2401  * @type:   AUDIT_TYPE_* value that we're looking for
2402  *
2403  * For syscalls that create or remove filesystem objects, audit_inode
2404  * can only collect information for the filesystem object's parent.
2405  * This call updates the audit context with the child's information.
2406  * Syscalls that create a new filesystem object must be hooked after
2407  * the object is created.  Syscalls that remove a filesystem object
2408  * must be hooked prior, in order to capture the target inode during
2409  * unsuccessful attempts.
2410  */
__audit_inode_child(struct inode * parent,const struct dentry * dentry,const unsigned char type)2411 void __audit_inode_child(struct inode *parent,
2412 			 const struct dentry *dentry,
2413 			 const unsigned char type)
2414 {
2415 	struct audit_context *context = audit_context();
2416 	struct inode *inode = d_backing_inode(dentry);
2417 	const struct qstr *dname = &dentry->d_name;
2418 	struct audit_names *n, *found_parent = NULL, *found_child = NULL;
2419 	struct audit_entry *e;
2420 	struct list_head *list = &audit_filter_list[AUDIT_FILTER_FS];
2421 	int i;
2422 
2423 	if (context->context == AUDIT_CTX_UNUSED)
2424 		return;
2425 
2426 	rcu_read_lock();
2427 	list_for_each_entry_rcu(e, list, list) {
2428 		for (i = 0; i < e->rule.field_count; i++) {
2429 			struct audit_field *f = &e->rule.fields[i];
2430 
2431 			if (f->type == AUDIT_FSTYPE
2432 			    && audit_comparator(parent->i_sb->s_magic,
2433 						f->op, f->val)
2434 			    && e->rule.action == AUDIT_NEVER) {
2435 				rcu_read_unlock();
2436 				return;
2437 			}
2438 		}
2439 	}
2440 	rcu_read_unlock();
2441 
2442 	if (inode)
2443 		handle_one(inode);
2444 
2445 	/* look for a parent entry first */
2446 	list_for_each_entry(n, &context->names_list, list) {
2447 		if (!n->name ||
2448 		    (n->type != AUDIT_TYPE_PARENT &&
2449 		     n->type != AUDIT_TYPE_UNKNOWN))
2450 			continue;
2451 
2452 		if (n->ino == parent->i_ino && n->dev == parent->i_sb->s_dev &&
2453 		    !audit_compare_dname_path(dname,
2454 					      n->name->name, n->name_len)) {
2455 			if (n->type == AUDIT_TYPE_UNKNOWN)
2456 				n->type = AUDIT_TYPE_PARENT;
2457 			found_parent = n;
2458 			break;
2459 		}
2460 	}
2461 
2462 	cond_resched();
2463 
2464 	/* is there a matching child entry? */
2465 	list_for_each_entry(n, &context->names_list, list) {
2466 		/* can only match entries that have a name */
2467 		if (!n->name ||
2468 		    (n->type != type && n->type != AUDIT_TYPE_UNKNOWN))
2469 			continue;
2470 
2471 		if (!strcmp(dname->name, n->name->name) ||
2472 		    !audit_compare_dname_path(dname, n->name->name,
2473 						found_parent ?
2474 						found_parent->name_len :
2475 						AUDIT_NAME_FULL)) {
2476 			if (n->type == AUDIT_TYPE_UNKNOWN)
2477 				n->type = type;
2478 			found_child = n;
2479 			break;
2480 		}
2481 	}
2482 
2483 	if (!found_parent) {
2484 		/* create a new, "anonymous" parent record */
2485 		n = audit_alloc_name(context, AUDIT_TYPE_PARENT);
2486 		if (!n)
2487 			return;
2488 		audit_copy_inode(n, NULL, parent, 0);
2489 	}
2490 
2491 	if (!found_child) {
2492 		found_child = audit_alloc_name(context, type);
2493 		if (!found_child)
2494 			return;
2495 
2496 		/* Re-use the name belonging to the slot for a matching parent
2497 		 * directory. All names for this context are relinquished in
2498 		 * audit_free_names() */
2499 		if (found_parent) {
2500 			found_child->name = found_parent->name;
2501 			found_child->name_len = AUDIT_NAME_FULL;
2502 			atomic_inc(&found_child->name->refcnt);
2503 		}
2504 	}
2505 
2506 	if (inode)
2507 		audit_copy_inode(found_child, dentry, inode, 0);
2508 	else
2509 		found_child->ino = AUDIT_INO_UNSET;
2510 }
2511 EXPORT_SYMBOL_GPL(__audit_inode_child);
2512 
2513 /**
2514  * auditsc_get_stamp - get local copies of audit_context values
2515  * @ctx: audit_context for the task
2516  * @t: timespec64 to store time recorded in the audit_context
2517  * @serial: serial value that is recorded in the audit_context
2518  *
2519  * Also sets the context as auditable.
2520  */
auditsc_get_stamp(struct audit_context * ctx,struct timespec64 * t,unsigned int * serial)2521 int auditsc_get_stamp(struct audit_context *ctx,
2522 		       struct timespec64 *t, unsigned int *serial)
2523 {
2524 	if (ctx->context == AUDIT_CTX_UNUSED)
2525 		return 0;
2526 	if (!ctx->serial)
2527 		ctx->serial = audit_serial();
2528 	t->tv_sec  = ctx->ctime.tv_sec;
2529 	t->tv_nsec = ctx->ctime.tv_nsec;
2530 	*serial    = ctx->serial;
2531 	if (!ctx->prio) {
2532 		ctx->prio = 1;
2533 		ctx->current_state = AUDIT_STATE_RECORD;
2534 	}
2535 	return 1;
2536 }
2537 
2538 /**
2539  * __audit_mq_open - record audit data for a POSIX MQ open
2540  * @oflag: open flag
2541  * @mode: mode bits
2542  * @attr: queue attributes
2543  *
2544  */
__audit_mq_open(int oflag,umode_t mode,struct mq_attr * attr)2545 void __audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr)
2546 {
2547 	struct audit_context *context = audit_context();
2548 
2549 	if (attr)
2550 		memcpy(&context->mq_open.attr, attr, sizeof(struct mq_attr));
2551 	else
2552 		memset(&context->mq_open.attr, 0, sizeof(struct mq_attr));
2553 
2554 	context->mq_open.oflag = oflag;
2555 	context->mq_open.mode = mode;
2556 
2557 	context->type = AUDIT_MQ_OPEN;
2558 }
2559 
2560 /**
2561  * __audit_mq_sendrecv - record audit data for a POSIX MQ timed send/receive
2562  * @mqdes: MQ descriptor
2563  * @msg_len: Message length
2564  * @msg_prio: Message priority
2565  * @abs_timeout: Message timeout in absolute time
2566  *
2567  */
__audit_mq_sendrecv(mqd_t mqdes,size_t msg_len,unsigned int msg_prio,const struct timespec64 * abs_timeout)2568 void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio,
2569 			const struct timespec64 *abs_timeout)
2570 {
2571 	struct audit_context *context = audit_context();
2572 	struct timespec64 *p = &context->mq_sendrecv.abs_timeout;
2573 
2574 	if (abs_timeout)
2575 		memcpy(p, abs_timeout, sizeof(*p));
2576 	else
2577 		memset(p, 0, sizeof(*p));
2578 
2579 	context->mq_sendrecv.mqdes = mqdes;
2580 	context->mq_sendrecv.msg_len = msg_len;
2581 	context->mq_sendrecv.msg_prio = msg_prio;
2582 
2583 	context->type = AUDIT_MQ_SENDRECV;
2584 }
2585 
2586 /**
2587  * __audit_mq_notify - record audit data for a POSIX MQ notify
2588  * @mqdes: MQ descriptor
2589  * @notification: Notification event
2590  *
2591  */
2592 
__audit_mq_notify(mqd_t mqdes,const struct sigevent * notification)2593 void __audit_mq_notify(mqd_t mqdes, const struct sigevent *notification)
2594 {
2595 	struct audit_context *context = audit_context();
2596 
2597 	if (notification)
2598 		context->mq_notify.sigev_signo = notification->sigev_signo;
2599 	else
2600 		context->mq_notify.sigev_signo = 0;
2601 
2602 	context->mq_notify.mqdes = mqdes;
2603 	context->type = AUDIT_MQ_NOTIFY;
2604 }
2605 
2606 /**
2607  * __audit_mq_getsetattr - record audit data for a POSIX MQ get/set attribute
2608  * @mqdes: MQ descriptor
2609  * @mqstat: MQ flags
2610  *
2611  */
__audit_mq_getsetattr(mqd_t mqdes,struct mq_attr * mqstat)2612 void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat)
2613 {
2614 	struct audit_context *context = audit_context();
2615 
2616 	context->mq_getsetattr.mqdes = mqdes;
2617 	context->mq_getsetattr.mqstat = *mqstat;
2618 	context->type = AUDIT_MQ_GETSETATTR;
2619 }
2620 
2621 /**
2622  * __audit_ipc_obj - record audit data for ipc object
2623  * @ipcp: ipc permissions
2624  *
2625  */
__audit_ipc_obj(struct kern_ipc_perm * ipcp)2626 void __audit_ipc_obj(struct kern_ipc_perm *ipcp)
2627 {
2628 	struct audit_context *context = audit_context();
2629 
2630 	context->ipc.uid = ipcp->uid;
2631 	context->ipc.gid = ipcp->gid;
2632 	context->ipc.mode = ipcp->mode;
2633 	context->ipc.has_perm = 0;
2634 	security_ipc_getlsmprop(ipcp, &context->ipc.oprop);
2635 	context->type = AUDIT_IPC;
2636 }
2637 
2638 /**
2639  * __audit_ipc_set_perm - record audit data for new ipc permissions
2640  * @qbytes: msgq bytes
2641  * @uid: msgq user id
2642  * @gid: msgq group id
2643  * @mode: msgq mode (permissions)
2644  *
2645  * Called only after audit_ipc_obj().
2646  */
__audit_ipc_set_perm(unsigned long qbytes,uid_t uid,gid_t gid,umode_t mode)2647 void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode)
2648 {
2649 	struct audit_context *context = audit_context();
2650 
2651 	context->ipc.qbytes = qbytes;
2652 	context->ipc.perm_uid = uid;
2653 	context->ipc.perm_gid = gid;
2654 	context->ipc.perm_mode = mode;
2655 	context->ipc.has_perm = 1;
2656 }
2657 
__audit_bprm(struct linux_binprm * bprm)2658 void __audit_bprm(struct linux_binprm *bprm)
2659 {
2660 	struct audit_context *context = audit_context();
2661 
2662 	context->type = AUDIT_EXECVE;
2663 	context->execve.argc = bprm->argc;
2664 }
2665 
2666 
2667 /**
2668  * __audit_socketcall - record audit data for sys_socketcall
2669  * @nargs: number of args, which should not be more than AUDITSC_ARGS.
2670  * @args: args array
2671  *
2672  */
__audit_socketcall(int nargs,unsigned long * args)2673 int __audit_socketcall(int nargs, unsigned long *args)
2674 {
2675 	struct audit_context *context = audit_context();
2676 
2677 	if (nargs <= 0 || nargs > AUDITSC_ARGS || !args)
2678 		return -EINVAL;
2679 	context->type = AUDIT_SOCKETCALL;
2680 	context->socketcall.nargs = nargs;
2681 	memcpy(context->socketcall.args, args, nargs * sizeof(unsigned long));
2682 	return 0;
2683 }
2684 
2685 /**
2686  * __audit_fd_pair - record audit data for pipe and socketpair
2687  * @fd1: the first file descriptor
2688  * @fd2: the second file descriptor
2689  *
2690  */
__audit_fd_pair(int fd1,int fd2)2691 void __audit_fd_pair(int fd1, int fd2)
2692 {
2693 	struct audit_context *context = audit_context();
2694 
2695 	context->fds[0] = fd1;
2696 	context->fds[1] = fd2;
2697 }
2698 
2699 /**
2700  * __audit_sockaddr - record audit data for sys_bind, sys_connect, sys_sendto
2701  * @len: data length in user space
2702  * @a: data address in kernel space
2703  *
2704  * Returns 0 for success or NULL context or < 0 on error.
2705  */
__audit_sockaddr(int len,void * a)2706 int __audit_sockaddr(int len, void *a)
2707 {
2708 	struct audit_context *context = audit_context();
2709 
2710 	if (!context->sockaddr) {
2711 		void *p = kmalloc(sizeof(struct sockaddr_storage), GFP_KERNEL);
2712 
2713 		if (!p)
2714 			return -ENOMEM;
2715 		context->sockaddr = p;
2716 	}
2717 
2718 	context->sockaddr_len = len;
2719 	memcpy(context->sockaddr, a, len);
2720 	return 0;
2721 }
2722 
__audit_ptrace(struct task_struct * t)2723 void __audit_ptrace(struct task_struct *t)
2724 {
2725 	struct audit_context *context = audit_context();
2726 
2727 	context->target_pid = task_tgid_nr(t);
2728 	context->target_auid = audit_get_loginuid(t);
2729 	context->target_uid = task_uid(t);
2730 	context->target_sessionid = audit_get_sessionid(t);
2731 	strscpy(context->target_comm, t->comm);
2732 	security_task_getlsmprop_obj(t, &context->target_ref);
2733 }
2734 
2735 /**
2736  * audit_signal_info_syscall - record signal info for syscalls
2737  * @t: task being signaled
2738  *
2739  * If the audit subsystem is being terminated, record the task (pid)
2740  * and uid that is doing that.
2741  */
audit_signal_info_syscall(struct task_struct * t)2742 int audit_signal_info_syscall(struct task_struct *t)
2743 {
2744 	struct audit_aux_data_pids *axp;
2745 	struct audit_context *ctx = audit_context();
2746 	kuid_t t_uid = task_uid(t);
2747 
2748 	if (!audit_signals || audit_dummy_context())
2749 		return 0;
2750 
2751 	/* optimize the common case by putting first signal recipient directly
2752 	 * in audit_context */
2753 	if (!ctx->target_pid) {
2754 		ctx->target_pid = task_tgid_nr(t);
2755 		ctx->target_auid = audit_get_loginuid(t);
2756 		ctx->target_uid = t_uid;
2757 		ctx->target_sessionid = audit_get_sessionid(t);
2758 		strscpy(ctx->target_comm, t->comm);
2759 		security_task_getlsmprop_obj(t, &ctx->target_ref);
2760 		return 0;
2761 	}
2762 
2763 	axp = (void *)ctx->aux_pids;
2764 	if (!axp || axp->pid_count == AUDIT_AUX_PIDS) {
2765 		axp = kzalloc(sizeof(*axp), GFP_ATOMIC);
2766 		if (!axp)
2767 			return -ENOMEM;
2768 
2769 		axp->d.type = AUDIT_OBJ_PID;
2770 		axp->d.next = ctx->aux_pids;
2771 		ctx->aux_pids = (void *)axp;
2772 	}
2773 	BUG_ON(axp->pid_count >= AUDIT_AUX_PIDS);
2774 
2775 	axp->target_pid[axp->pid_count] = task_tgid_nr(t);
2776 	axp->target_auid[axp->pid_count] = audit_get_loginuid(t);
2777 	axp->target_uid[axp->pid_count] = t_uid;
2778 	axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t);
2779 	security_task_getlsmprop_obj(t, &axp->target_ref[axp->pid_count]);
2780 	strscpy(axp->target_comm[axp->pid_count], t->comm);
2781 	axp->pid_count++;
2782 
2783 	return 0;
2784 }
2785 
2786 /**
2787  * __audit_log_bprm_fcaps - store information about a loading bprm and relevant fcaps
2788  * @bprm: pointer to the bprm being processed
2789  * @new: the proposed new credentials
2790  * @old: the old credentials
2791  *
2792  * Simply check if the proc already has the caps given by the file and if not
2793  * store the priv escalation info for later auditing at the end of the syscall
2794  *
2795  * -Eric
2796  */
__audit_log_bprm_fcaps(struct linux_binprm * bprm,const struct cred * new,const struct cred * old)2797 int __audit_log_bprm_fcaps(struct linux_binprm *bprm,
2798 			   const struct cred *new, const struct cred *old)
2799 {
2800 	struct audit_aux_data_bprm_fcaps *ax;
2801 	struct audit_context *context = audit_context();
2802 	struct cpu_vfs_cap_data vcaps;
2803 
2804 	ax = kmalloc(sizeof(*ax), GFP_KERNEL);
2805 	if (!ax)
2806 		return -ENOMEM;
2807 
2808 	ax->d.type = AUDIT_BPRM_FCAPS;
2809 	ax->d.next = context->aux;
2810 	context->aux = (void *)ax;
2811 
2812 	get_vfs_caps_from_disk(&nop_mnt_idmap,
2813 			       bprm->file->f_path.dentry, &vcaps);
2814 
2815 	ax->fcap.permitted = vcaps.permitted;
2816 	ax->fcap.inheritable = vcaps.inheritable;
2817 	ax->fcap.fE = !!(vcaps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE);
2818 	ax->fcap.rootid = vcaps.rootid;
2819 	ax->fcap_ver = (vcaps.magic_etc & VFS_CAP_REVISION_MASK) >> VFS_CAP_REVISION_SHIFT;
2820 
2821 	ax->old_pcap.permitted   = old->cap_permitted;
2822 	ax->old_pcap.inheritable = old->cap_inheritable;
2823 	ax->old_pcap.effective   = old->cap_effective;
2824 	ax->old_pcap.ambient     = old->cap_ambient;
2825 
2826 	ax->new_pcap.permitted   = new->cap_permitted;
2827 	ax->new_pcap.inheritable = new->cap_inheritable;
2828 	ax->new_pcap.effective   = new->cap_effective;
2829 	ax->new_pcap.ambient     = new->cap_ambient;
2830 	return 0;
2831 }
2832 
2833 /**
2834  * __audit_log_capset - store information about the arguments to the capset syscall
2835  * @new: the new credentials
2836  * @old: the old (current) credentials
2837  *
2838  * Record the arguments userspace sent to sys_capset for later printing by the
2839  * audit system if applicable
2840  */
__audit_log_capset(const struct cred * new,const struct cred * old)2841 void __audit_log_capset(const struct cred *new, const struct cred *old)
2842 {
2843 	struct audit_context *context = audit_context();
2844 
2845 	context->capset.pid = task_tgid_nr(current);
2846 	context->capset.cap.effective   = new->cap_effective;
2847 	context->capset.cap.inheritable = new->cap_effective;
2848 	context->capset.cap.permitted   = new->cap_permitted;
2849 	context->capset.cap.ambient     = new->cap_ambient;
2850 	context->type = AUDIT_CAPSET;
2851 }
2852 
__audit_mmap_fd(int fd,int flags)2853 void __audit_mmap_fd(int fd, int flags)
2854 {
2855 	struct audit_context *context = audit_context();
2856 
2857 	context->mmap.fd = fd;
2858 	context->mmap.flags = flags;
2859 	context->type = AUDIT_MMAP;
2860 }
2861 
__audit_openat2_how(struct open_how * how)2862 void __audit_openat2_how(struct open_how *how)
2863 {
2864 	struct audit_context *context = audit_context();
2865 
2866 	context->openat2.flags = how->flags;
2867 	context->openat2.mode = how->mode;
2868 	context->openat2.resolve = how->resolve;
2869 	context->type = AUDIT_OPENAT2;
2870 }
2871 
__audit_log_kern_module(char * name)2872 void __audit_log_kern_module(char *name)
2873 {
2874 	struct audit_context *context = audit_context();
2875 
2876 	context->module.name = kstrdup(name, GFP_KERNEL);
2877 	if (!context->module.name)
2878 		audit_log_lost("out of memory in __audit_log_kern_module");
2879 	context->type = AUDIT_KERN_MODULE;
2880 }
2881 
__audit_fanotify(u32 response,struct fanotify_response_info_audit_rule * friar)2882 void __audit_fanotify(u32 response, struct fanotify_response_info_audit_rule *friar)
2883 {
2884 	/* {subj,obj}_trust values are {0,1,2}: no,yes,unknown */
2885 	switch (friar->hdr.type) {
2886 	case FAN_RESPONSE_INFO_NONE:
2887 		audit_log(audit_context(), GFP_KERNEL, AUDIT_FANOTIFY,
2888 			  "resp=%u fan_type=%u fan_info=0 subj_trust=2 obj_trust=2",
2889 			  response, FAN_RESPONSE_INFO_NONE);
2890 		break;
2891 	case FAN_RESPONSE_INFO_AUDIT_RULE:
2892 		audit_log(audit_context(), GFP_KERNEL, AUDIT_FANOTIFY,
2893 			  "resp=%u fan_type=%u fan_info=%X subj_trust=%u obj_trust=%u",
2894 			  response, friar->hdr.type, friar->rule_number,
2895 			  friar->subj_trust, friar->obj_trust);
2896 	}
2897 }
2898 
__audit_tk_injoffset(struct timespec64 offset)2899 void __audit_tk_injoffset(struct timespec64 offset)
2900 {
2901 	struct audit_context *context = audit_context();
2902 
2903 	/* only set type if not already set by NTP */
2904 	if (!context->type)
2905 		context->type = AUDIT_TIME_INJOFFSET;
2906 	memcpy(&context->time.tk_injoffset, &offset, sizeof(offset));
2907 }
2908 
__audit_ntp_log(const struct audit_ntp_data * ad)2909 void __audit_ntp_log(const struct audit_ntp_data *ad)
2910 {
2911 	struct audit_context *context = audit_context();
2912 	int type;
2913 
2914 	for (type = 0; type < AUDIT_NTP_NVALS; type++)
2915 		if (ad->vals[type].newval != ad->vals[type].oldval) {
2916 			/* unconditionally set type, overwriting TK */
2917 			context->type = AUDIT_TIME_ADJNTPVAL;
2918 			memcpy(&context->time.ntp_data, ad, sizeof(*ad));
2919 			break;
2920 		}
2921 }
2922 
__audit_log_nfcfg(const char * name,u8 af,unsigned int nentries,enum audit_nfcfgop op,gfp_t gfp)2923 void __audit_log_nfcfg(const char *name, u8 af, unsigned int nentries,
2924 		       enum audit_nfcfgop op, gfp_t gfp)
2925 {
2926 	struct audit_buffer *ab;
2927 	char comm[sizeof(current->comm)];
2928 
2929 	ab = audit_log_start(audit_context(), gfp, AUDIT_NETFILTER_CFG);
2930 	if (!ab)
2931 		return;
2932 	audit_log_format(ab, "table=%s family=%u entries=%u op=%s",
2933 			 name, af, nentries, audit_nfcfgs[op].s);
2934 
2935 	audit_log_format(ab, " pid=%u", task_tgid_nr(current));
2936 	audit_log_task_context(ab); /* subj= */
2937 	audit_log_format(ab, " comm=");
2938 	audit_log_untrustedstring(ab, get_task_comm(comm, current));
2939 	audit_log_end(ab);
2940 }
2941 EXPORT_SYMBOL_GPL(__audit_log_nfcfg);
2942 
audit_log_task(struct audit_buffer * ab)2943 static void audit_log_task(struct audit_buffer *ab)
2944 {
2945 	kuid_t auid, uid;
2946 	kgid_t gid;
2947 	unsigned int sessionid;
2948 	char comm[sizeof(current->comm)];
2949 
2950 	auid = audit_get_loginuid(current);
2951 	sessionid = audit_get_sessionid(current);
2952 	current_uid_gid(&uid, &gid);
2953 
2954 	audit_log_format(ab, "auid=%u uid=%u gid=%u ses=%u",
2955 			 from_kuid(&init_user_ns, auid),
2956 			 from_kuid(&init_user_ns, uid),
2957 			 from_kgid(&init_user_ns, gid),
2958 			 sessionid);
2959 	audit_log_task_context(ab);
2960 	audit_log_format(ab, " pid=%d comm=", task_tgid_nr(current));
2961 	audit_log_untrustedstring(ab, get_task_comm(comm, current));
2962 	audit_log_d_path_exe(ab, current->mm);
2963 }
2964 
2965 /**
2966  * audit_core_dumps - record information about processes that end abnormally
2967  * @signr: signal value
2968  *
2969  * If a process ends with a core dump, something fishy is going on and we
2970  * should record the event for investigation.
2971  */
audit_core_dumps(long signr)2972 void audit_core_dumps(long signr)
2973 {
2974 	struct audit_buffer *ab;
2975 
2976 	if (!audit_enabled)
2977 		return;
2978 
2979 	if (signr == SIGQUIT)	/* don't care for those */
2980 		return;
2981 
2982 	ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_ANOM_ABEND);
2983 	if (unlikely(!ab))
2984 		return;
2985 	audit_log_task(ab);
2986 	audit_log_format(ab, " sig=%ld res=1", signr);
2987 	audit_log_end(ab);
2988 }
2989 
2990 /**
2991  * audit_seccomp - record information about a seccomp action
2992  * @syscall: syscall number
2993  * @signr: signal value
2994  * @code: the seccomp action
2995  *
2996  * Record the information associated with a seccomp action. Event filtering for
2997  * seccomp actions that are not to be logged is done in seccomp_log().
2998  * Therefore, this function forces auditing independent of the audit_enabled
2999  * and dummy context state because seccomp actions should be logged even when
3000  * audit is not in use.
3001  */
audit_seccomp(unsigned long syscall,long signr,int code)3002 void audit_seccomp(unsigned long syscall, long signr, int code)
3003 {
3004 	struct audit_buffer *ab;
3005 
3006 	ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_SECCOMP);
3007 	if (unlikely(!ab))
3008 		return;
3009 	audit_log_task(ab);
3010 	audit_log_format(ab, " sig=%ld arch=%x syscall=%ld compat=%d ip=0x%lx code=0x%x",
3011 			 signr, syscall_get_arch(current), syscall,
3012 			 in_compat_syscall(), KSTK_EIP(current), code);
3013 	audit_log_end(ab);
3014 }
3015 
audit_seccomp_actions_logged(const char * names,const char * old_names,int res)3016 void audit_seccomp_actions_logged(const char *names, const char *old_names,
3017 				  int res)
3018 {
3019 	struct audit_buffer *ab;
3020 
3021 	if (!audit_enabled)
3022 		return;
3023 
3024 	ab = audit_log_start(audit_context(), GFP_KERNEL,
3025 			     AUDIT_CONFIG_CHANGE);
3026 	if (unlikely(!ab))
3027 		return;
3028 
3029 	audit_log_format(ab,
3030 			 "op=seccomp-logging actions=%s old-actions=%s res=%d",
3031 			 names, old_names, res);
3032 	audit_log_end(ab);
3033 }
3034 
audit_killed_trees(void)3035 struct list_head *audit_killed_trees(void)
3036 {
3037 	struct audit_context *ctx = audit_context();
3038 	if (likely(!ctx || ctx->context == AUDIT_CTX_UNUSED))
3039 		return NULL;
3040 	return &ctx->killed_trees;
3041 }
3042