1 /* audit.c -- Auditing support 2 * Gateway between the kernel (e.g., selinux) and the user-space audit daemon. 3 * System-call specific features have moved to auditsc.c 4 * 5 * Copyright 2003-2007 Red Hat Inc., Durham, North Carolina. 6 * All Rights Reserved. 7 * 8 * This program is free software; you can redistribute it and/or modify 9 * it under the terms of the GNU General Public License as published by 10 * the Free Software Foundation; either version 2 of the License, or 11 * (at your option) any later version. 12 * 13 * This program is distributed in the hope that it will be useful, 14 * but WITHOUT ANY WARRANTY; without even the implied warranty of 15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 16 * GNU General Public License for more details. 17 * 18 * You should have received a copy of the GNU General Public License 19 * along with this program; if not, write to the Free Software 20 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 21 * 22 * Written by Rickard E. (Rik) Faith <faith@redhat.com> 23 * 24 * Goals: 1) Integrate fully with Security Modules. 25 * 2) Minimal run-time overhead: 26 * a) Minimal when syscall auditing is disabled (audit_enable=0). 27 * b) Small when syscall auditing is enabled and no audit record 28 * is generated (defer as much work as possible to record 29 * generation time): 30 * i) context is allocated, 31 * ii) names from getname are stored without a copy, and 32 * iii) inode information stored from path_lookup. 33 * 3) Ability to disable syscall auditing at boot time (audit=0). 34 * 4) Usable by other parts of the kernel (if audit_log* is called, 35 * then a syscall record will be generated automatically for the 36 * current syscall). 37 * 5) Netlink interface to user-space. 38 * 6) Support low-overhead kernel-based filtering to minimize the 39 * information that must be passed to user-space. 40 * 41 * Example user-space utilities: http://people.redhat.com/sgrubb/audit/ 42 */ 43 44 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 45 46 #include <linux/file.h> 47 #include <linux/init.h> 48 #include <linux/types.h> 49 #include <linux/atomic.h> 50 #include <linux/mm.h> 51 #include <linux/export.h> 52 #include <linux/slab.h> 53 #include <linux/err.h> 54 #include <linux/kthread.h> 55 #include <linux/kernel.h> 56 #include <linux/syscalls.h> 57 #include <linux/spinlock.h> 58 #include <linux/rcupdate.h> 59 #include <linux/mutex.h> 60 #include <linux/gfp.h> 61 62 #include <linux/audit.h> 63 64 #include <net/sock.h> 65 #include <net/netlink.h> 66 #include <linux/skbuff.h> 67 #ifdef CONFIG_SECURITY 68 #include <linux/security.h> 69 #endif 70 #include <linux/freezer.h> 71 #include <linux/pid_namespace.h> 72 #include <net/netns/generic.h> 73 74 #include "audit.h" 75 76 /* No auditing will take place until audit_initialized == AUDIT_INITIALIZED. 77 * (Initialization happens after skb_init is called.) */ 78 #define AUDIT_DISABLED -1 79 #define AUDIT_UNINITIALIZED 0 80 #define AUDIT_INITIALIZED 1 81 static int audit_initialized; 82 83 #define AUDIT_OFF 0 84 #define AUDIT_ON 1 85 #define AUDIT_LOCKED 2 86 u32 audit_enabled; 87 u32 audit_ever_enabled; 88 89 EXPORT_SYMBOL_GPL(audit_enabled); 90 91 /* Default state when kernel boots without any parameters. */ 92 static u32 audit_default; 93 94 /* If auditing cannot proceed, audit_failure selects what happens. */ 95 static u32 audit_failure = AUDIT_FAIL_PRINTK; 96 97 /* private audit network namespace index */ 98 static unsigned int audit_net_id; 99 100 /** 101 * struct audit_net - audit private network namespace data 102 * @sk: communication socket 103 */ 104 struct audit_net { 105 struct sock *sk; 106 }; 107 108 /** 109 * struct auditd_connection - kernel/auditd connection state 110 * @pid: auditd PID 111 * @portid: netlink portid 112 * @net: the associated network namespace 113 * @lock: spinlock to protect write access 114 * 115 * Description: 116 * This struct is RCU protected; you must either hold the RCU lock for reading 117 * or the included spinlock for writing. 118 */ 119 static struct auditd_connection { 120 int pid; 121 u32 portid; 122 struct net *net; 123 spinlock_t lock; 124 } auditd_conn; 125 126 /* If audit_rate_limit is non-zero, limit the rate of sending audit records 127 * to that number per second. This prevents DoS attacks, but results in 128 * audit records being dropped. */ 129 static u32 audit_rate_limit; 130 131 /* Number of outstanding audit_buffers allowed. 132 * When set to zero, this means unlimited. */ 133 static u32 audit_backlog_limit = 64; 134 #define AUDIT_BACKLOG_WAIT_TIME (60 * HZ) 135 static u32 audit_backlog_wait_time = AUDIT_BACKLOG_WAIT_TIME; 136 137 /* The identity of the user shutting down the audit system. */ 138 kuid_t audit_sig_uid = INVALID_UID; 139 pid_t audit_sig_pid = -1; 140 u32 audit_sig_sid = 0; 141 142 /* Records can be lost in several ways: 143 0) [suppressed in audit_alloc] 144 1) out of memory in audit_log_start [kmalloc of struct audit_buffer] 145 2) out of memory in audit_log_move [alloc_skb] 146 3) suppressed due to audit_rate_limit 147 4) suppressed due to audit_backlog_limit 148 */ 149 static atomic_t audit_lost = ATOMIC_INIT(0); 150 151 /* Hash for inode-based rules */ 152 struct list_head audit_inode_hash[AUDIT_INODE_BUCKETS]; 153 154 /* The audit_freelist is a list of pre-allocated audit buffers (if more 155 * than AUDIT_MAXFREE are in use, the audit buffer is freed instead of 156 * being placed on the freelist). */ 157 static DEFINE_SPINLOCK(audit_freelist_lock); 158 static int audit_freelist_count; 159 static LIST_HEAD(audit_freelist); 160 161 /* queue msgs to send via kauditd_task */ 162 static struct sk_buff_head audit_queue; 163 /* queue msgs due to temporary unicast send problems */ 164 static struct sk_buff_head audit_retry_queue; 165 /* queue msgs waiting for new auditd connection */ 166 static struct sk_buff_head audit_hold_queue; 167 168 /* queue servicing thread */ 169 static struct task_struct *kauditd_task; 170 static DECLARE_WAIT_QUEUE_HEAD(kauditd_wait); 171 172 /* waitqueue for callers who are blocked on the audit backlog */ 173 static DECLARE_WAIT_QUEUE_HEAD(audit_backlog_wait); 174 175 static struct audit_features af = {.vers = AUDIT_FEATURE_VERSION, 176 .mask = -1, 177 .features = 0, 178 .lock = 0,}; 179 180 static char *audit_feature_names[2] = { 181 "only_unset_loginuid", 182 "loginuid_immutable", 183 }; 184 185 186 /* Serialize requests from userspace. */ 187 DEFINE_MUTEX(audit_cmd_mutex); 188 189 /* AUDIT_BUFSIZ is the size of the temporary buffer used for formatting 190 * audit records. Since printk uses a 1024 byte buffer, this buffer 191 * should be at least that large. */ 192 #define AUDIT_BUFSIZ 1024 193 194 /* AUDIT_MAXFREE is the number of empty audit_buffers we keep on the 195 * audit_freelist. Doing so eliminates many kmalloc/kfree calls. */ 196 #define AUDIT_MAXFREE (2*NR_CPUS) 197 198 /* The audit_buffer is used when formatting an audit record. The caller 199 * locks briefly to get the record off the freelist or to allocate the 200 * buffer, and locks briefly to send the buffer to the netlink layer or 201 * to place it on a transmit queue. Multiple audit_buffers can be in 202 * use simultaneously. */ 203 struct audit_buffer { 204 struct list_head list; 205 struct sk_buff *skb; /* formatted skb ready to send */ 206 struct audit_context *ctx; /* NULL or associated context */ 207 gfp_t gfp_mask; 208 }; 209 210 struct audit_reply { 211 __u32 portid; 212 struct net *net; 213 struct sk_buff *skb; 214 }; 215 216 /** 217 * auditd_test_task - Check to see if a given task is an audit daemon 218 * @task: the task to check 219 * 220 * Description: 221 * Return 1 if the task is a registered audit daemon, 0 otherwise. 222 */ 223 int auditd_test_task(const struct task_struct *task) 224 { 225 int rc; 226 227 rcu_read_lock(); 228 rc = (auditd_conn.pid && task->tgid == auditd_conn.pid ? 1 : 0); 229 rcu_read_unlock(); 230 231 return rc; 232 } 233 234 /** 235 * audit_get_sk - Return the audit socket for the given network namespace 236 * @net: the destination network namespace 237 * 238 * Description: 239 * Returns the sock pointer if valid, NULL otherwise. The caller must ensure 240 * that a reference is held for the network namespace while the sock is in use. 241 */ 242 static struct sock *audit_get_sk(const struct net *net) 243 { 244 struct audit_net *aunet; 245 246 if (!net) 247 return NULL; 248 249 aunet = net_generic(net, audit_net_id); 250 return aunet->sk; 251 } 252 253 static void audit_set_portid(struct audit_buffer *ab, __u32 portid) 254 { 255 if (ab) { 256 struct nlmsghdr *nlh = nlmsg_hdr(ab->skb); 257 nlh->nlmsg_pid = portid; 258 } 259 } 260 261 void audit_panic(const char *message) 262 { 263 switch (audit_failure) { 264 case AUDIT_FAIL_SILENT: 265 break; 266 case AUDIT_FAIL_PRINTK: 267 if (printk_ratelimit()) 268 pr_err("%s\n", message); 269 break; 270 case AUDIT_FAIL_PANIC: 271 panic("audit: %s\n", message); 272 break; 273 } 274 } 275 276 static inline int audit_rate_check(void) 277 { 278 static unsigned long last_check = 0; 279 static int messages = 0; 280 static DEFINE_SPINLOCK(lock); 281 unsigned long flags; 282 unsigned long now; 283 unsigned long elapsed; 284 int retval = 0; 285 286 if (!audit_rate_limit) return 1; 287 288 spin_lock_irqsave(&lock, flags); 289 if (++messages < audit_rate_limit) { 290 retval = 1; 291 } else { 292 now = jiffies; 293 elapsed = now - last_check; 294 if (elapsed > HZ) { 295 last_check = now; 296 messages = 0; 297 retval = 1; 298 } 299 } 300 spin_unlock_irqrestore(&lock, flags); 301 302 return retval; 303 } 304 305 /** 306 * audit_log_lost - conditionally log lost audit message event 307 * @message: the message stating reason for lost audit message 308 * 309 * Emit at least 1 message per second, even if audit_rate_check is 310 * throttling. 311 * Always increment the lost messages counter. 312 */ 313 void audit_log_lost(const char *message) 314 { 315 static unsigned long last_msg = 0; 316 static DEFINE_SPINLOCK(lock); 317 unsigned long flags; 318 unsigned long now; 319 int print; 320 321 atomic_inc(&audit_lost); 322 323 print = (audit_failure == AUDIT_FAIL_PANIC || !audit_rate_limit); 324 325 if (!print) { 326 spin_lock_irqsave(&lock, flags); 327 now = jiffies; 328 if (now - last_msg > HZ) { 329 print = 1; 330 last_msg = now; 331 } 332 spin_unlock_irqrestore(&lock, flags); 333 } 334 335 if (print) { 336 if (printk_ratelimit()) 337 pr_warn("audit_lost=%u audit_rate_limit=%u audit_backlog_limit=%u\n", 338 atomic_read(&audit_lost), 339 audit_rate_limit, 340 audit_backlog_limit); 341 audit_panic(message); 342 } 343 } 344 345 static int audit_log_config_change(char *function_name, u32 new, u32 old, 346 int allow_changes) 347 { 348 struct audit_buffer *ab; 349 int rc = 0; 350 351 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); 352 if (unlikely(!ab)) 353 return rc; 354 audit_log_format(ab, "%s=%u old=%u", function_name, new, old); 355 audit_log_session_info(ab); 356 rc = audit_log_task_context(ab); 357 if (rc) 358 allow_changes = 0; /* Something weird, deny request */ 359 audit_log_format(ab, " res=%d", allow_changes); 360 audit_log_end(ab); 361 return rc; 362 } 363 364 static int audit_do_config_change(char *function_name, u32 *to_change, u32 new) 365 { 366 int allow_changes, rc = 0; 367 u32 old = *to_change; 368 369 /* check if we are locked */ 370 if (audit_enabled == AUDIT_LOCKED) 371 allow_changes = 0; 372 else 373 allow_changes = 1; 374 375 if (audit_enabled != AUDIT_OFF) { 376 rc = audit_log_config_change(function_name, new, old, allow_changes); 377 if (rc) 378 allow_changes = 0; 379 } 380 381 /* If we are allowed, make the change */ 382 if (allow_changes == 1) 383 *to_change = new; 384 /* Not allowed, update reason */ 385 else if (rc == 0) 386 rc = -EPERM; 387 return rc; 388 } 389 390 static int audit_set_rate_limit(u32 limit) 391 { 392 return audit_do_config_change("audit_rate_limit", &audit_rate_limit, limit); 393 } 394 395 static int audit_set_backlog_limit(u32 limit) 396 { 397 return audit_do_config_change("audit_backlog_limit", &audit_backlog_limit, limit); 398 } 399 400 static int audit_set_backlog_wait_time(u32 timeout) 401 { 402 return audit_do_config_change("audit_backlog_wait_time", 403 &audit_backlog_wait_time, timeout); 404 } 405 406 static int audit_set_enabled(u32 state) 407 { 408 int rc; 409 if (state > AUDIT_LOCKED) 410 return -EINVAL; 411 412 rc = audit_do_config_change("audit_enabled", &audit_enabled, state); 413 if (!rc) 414 audit_ever_enabled |= !!state; 415 416 return rc; 417 } 418 419 static int audit_set_failure(u32 state) 420 { 421 if (state != AUDIT_FAIL_SILENT 422 && state != AUDIT_FAIL_PRINTK 423 && state != AUDIT_FAIL_PANIC) 424 return -EINVAL; 425 426 return audit_do_config_change("audit_failure", &audit_failure, state); 427 } 428 429 /** 430 * auditd_set - Set/Reset the auditd connection state 431 * @pid: auditd PID 432 * @portid: auditd netlink portid 433 * @net: auditd network namespace pointer 434 * 435 * Description: 436 * This function will obtain and drop network namespace references as 437 * necessary. 438 */ 439 static void auditd_set(int pid, u32 portid, struct net *net) 440 { 441 unsigned long flags; 442 443 spin_lock_irqsave(&auditd_conn.lock, flags); 444 auditd_conn.pid = pid; 445 auditd_conn.portid = portid; 446 if (auditd_conn.net) 447 put_net(auditd_conn.net); 448 if (net) 449 auditd_conn.net = get_net(net); 450 else 451 auditd_conn.net = NULL; 452 spin_unlock_irqrestore(&auditd_conn.lock, flags); 453 } 454 455 /** 456 * kauditd_print_skb - Print the audit record to the ring buffer 457 * @skb: audit record 458 * 459 * Whatever the reason, this packet may not make it to the auditd connection 460 * so write it via printk so the information isn't completely lost. 461 */ 462 static void kauditd_printk_skb(struct sk_buff *skb) 463 { 464 struct nlmsghdr *nlh = nlmsg_hdr(skb); 465 char *data = nlmsg_data(nlh); 466 467 if (nlh->nlmsg_type != AUDIT_EOE && printk_ratelimit()) 468 pr_notice("type=%d %s\n", nlh->nlmsg_type, data); 469 } 470 471 /** 472 * kauditd_rehold_skb - Handle a audit record send failure in the hold queue 473 * @skb: audit record 474 * 475 * Description: 476 * This should only be used by the kauditd_thread when it fails to flush the 477 * hold queue. 478 */ 479 static void kauditd_rehold_skb(struct sk_buff *skb) 480 { 481 /* put the record back in the queue at the same place */ 482 skb_queue_head(&audit_hold_queue, skb); 483 } 484 485 /** 486 * kauditd_hold_skb - Queue an audit record, waiting for auditd 487 * @skb: audit record 488 * 489 * Description: 490 * Queue the audit record, waiting for an instance of auditd. When this 491 * function is called we haven't given up yet on sending the record, but things 492 * are not looking good. The first thing we want to do is try to write the 493 * record via printk and then see if we want to try and hold on to the record 494 * and queue it, if we have room. If we want to hold on to the record, but we 495 * don't have room, record a record lost message. 496 */ 497 static void kauditd_hold_skb(struct sk_buff *skb) 498 { 499 /* at this point it is uncertain if we will ever send this to auditd so 500 * try to send the message via printk before we go any further */ 501 kauditd_printk_skb(skb); 502 503 /* can we just silently drop the message? */ 504 if (!audit_default) { 505 kfree_skb(skb); 506 return; 507 } 508 509 /* if we have room, queue the message */ 510 if (!audit_backlog_limit || 511 skb_queue_len(&audit_hold_queue) < audit_backlog_limit) { 512 skb_queue_tail(&audit_hold_queue, skb); 513 return; 514 } 515 516 /* we have no other options - drop the message */ 517 audit_log_lost("kauditd hold queue overflow"); 518 kfree_skb(skb); 519 } 520 521 /** 522 * kauditd_retry_skb - Queue an audit record, attempt to send again to auditd 523 * @skb: audit record 524 * 525 * Description: 526 * Not as serious as kauditd_hold_skb() as we still have a connected auditd, 527 * but for some reason we are having problems sending it audit records so 528 * queue the given record and attempt to resend. 529 */ 530 static void kauditd_retry_skb(struct sk_buff *skb) 531 { 532 /* NOTE: because records should only live in the retry queue for a 533 * short period of time, before either being sent or moved to the hold 534 * queue, we don't currently enforce a limit on this queue */ 535 skb_queue_tail(&audit_retry_queue, skb); 536 } 537 538 /** 539 * auditd_reset - Disconnect the auditd connection 540 * 541 * Description: 542 * Break the auditd/kauditd connection and move all the queued records into the 543 * hold queue in case auditd reconnects. 544 */ 545 static void auditd_reset(void) 546 { 547 struct sk_buff *skb; 548 549 /* if it isn't already broken, break the connection */ 550 rcu_read_lock(); 551 if (auditd_conn.pid) 552 auditd_set(0, 0, NULL); 553 rcu_read_unlock(); 554 555 /* flush all of the main and retry queues to the hold queue */ 556 while ((skb = skb_dequeue(&audit_retry_queue))) 557 kauditd_hold_skb(skb); 558 while ((skb = skb_dequeue(&audit_queue))) 559 kauditd_hold_skb(skb); 560 } 561 562 /** 563 * auditd_send_unicast_skb - Send a record via unicast to auditd 564 * @skb: audit record 565 * 566 * Description: 567 * Send a skb to the audit daemon, returns positive/zero values on success and 568 * negative values on failure; in all cases the skb will be consumed by this 569 * function. If the send results in -ECONNREFUSED the connection with auditd 570 * will be reset. This function may sleep so callers should not hold any locks 571 * where this would cause a problem. 572 */ 573 static int auditd_send_unicast_skb(struct sk_buff *skb) 574 { 575 int rc; 576 u32 portid; 577 struct net *net; 578 struct sock *sk; 579 580 /* NOTE: we can't call netlink_unicast while in the RCU section so 581 * take a reference to the network namespace and grab local 582 * copies of the namespace, the sock, and the portid; the 583 * namespace and sock aren't going to go away while we hold a 584 * reference and if the portid does become invalid after the RCU 585 * section netlink_unicast() should safely return an error */ 586 587 rcu_read_lock(); 588 if (!auditd_conn.pid) { 589 rcu_read_unlock(); 590 rc = -ECONNREFUSED; 591 goto err; 592 } 593 net = auditd_conn.net; 594 get_net(net); 595 sk = audit_get_sk(net); 596 portid = auditd_conn.portid; 597 rcu_read_unlock(); 598 599 rc = netlink_unicast(sk, skb, portid, 0); 600 put_net(net); 601 if (rc < 0) 602 goto err; 603 604 return rc; 605 606 err: 607 if (rc == -ECONNREFUSED) 608 auditd_reset(); 609 return rc; 610 } 611 612 /** 613 * kauditd_send_queue - Helper for kauditd_thread to flush skb queues 614 * @sk: the sending sock 615 * @portid: the netlink destination 616 * @queue: the skb queue to process 617 * @retry_limit: limit on number of netlink unicast failures 618 * @skb_hook: per-skb hook for additional processing 619 * @err_hook: hook called if the skb fails the netlink unicast send 620 * 621 * Description: 622 * Run through the given queue and attempt to send the audit records to auditd, 623 * returns zero on success, negative values on failure. It is up to the caller 624 * to ensure that the @sk is valid for the duration of this function. 625 * 626 */ 627 static int kauditd_send_queue(struct sock *sk, u32 portid, 628 struct sk_buff_head *queue, 629 unsigned int retry_limit, 630 void (*skb_hook)(struct sk_buff *skb), 631 void (*err_hook)(struct sk_buff *skb)) 632 { 633 int rc = 0; 634 struct sk_buff *skb; 635 static unsigned int failed = 0; 636 637 /* NOTE: kauditd_thread takes care of all our locking, we just use 638 * the netlink info passed to us (e.g. sk and portid) */ 639 640 while ((skb = skb_dequeue(queue))) { 641 /* call the skb_hook for each skb we touch */ 642 if (skb_hook) 643 (*skb_hook)(skb); 644 645 /* can we send to anyone via unicast? */ 646 if (!sk) { 647 if (err_hook) 648 (*err_hook)(skb); 649 continue; 650 } 651 652 /* grab an extra skb reference in case of error */ 653 skb_get(skb); 654 rc = netlink_unicast(sk, skb, portid, 0); 655 if (rc < 0) { 656 /* fatal failure for our queue flush attempt? */ 657 if (++failed >= retry_limit || 658 rc == -ECONNREFUSED || rc == -EPERM) { 659 /* yes - error processing for the queue */ 660 sk = NULL; 661 if (err_hook) 662 (*err_hook)(skb); 663 if (!skb_hook) 664 goto out; 665 /* keep processing with the skb_hook */ 666 continue; 667 } else 668 /* no - requeue to preserve ordering */ 669 skb_queue_head(queue, skb); 670 } else { 671 /* it worked - drop the extra reference and continue */ 672 consume_skb(skb); 673 failed = 0; 674 } 675 } 676 677 out: 678 return (rc >= 0 ? 0 : rc); 679 } 680 681 /* 682 * kauditd_send_multicast_skb - Send a record to any multicast listeners 683 * @skb: audit record 684 * 685 * Description: 686 * Write a multicast message to anyone listening in the initial network 687 * namespace. This function doesn't consume an skb as might be expected since 688 * it has to copy it anyways. 689 */ 690 static void kauditd_send_multicast_skb(struct sk_buff *skb) 691 { 692 struct sk_buff *copy; 693 struct sock *sock = audit_get_sk(&init_net); 694 struct nlmsghdr *nlh; 695 696 /* NOTE: we are not taking an additional reference for init_net since 697 * we don't have to worry about it going away */ 698 699 if (!netlink_has_listeners(sock, AUDIT_NLGRP_READLOG)) 700 return; 701 702 /* 703 * The seemingly wasteful skb_copy() rather than bumping the refcount 704 * using skb_get() is necessary because non-standard mods are made to 705 * the skb by the original kaudit unicast socket send routine. The 706 * existing auditd daemon assumes this breakage. Fixing this would 707 * require co-ordinating a change in the established protocol between 708 * the kaudit kernel subsystem and the auditd userspace code. There is 709 * no reason for new multicast clients to continue with this 710 * non-compliance. 711 */ 712 copy = skb_copy(skb, GFP_KERNEL); 713 if (!copy) 714 return; 715 nlh = nlmsg_hdr(copy); 716 nlh->nlmsg_len = skb->len; 717 718 nlmsg_multicast(sock, copy, 0, AUDIT_NLGRP_READLOG, GFP_KERNEL); 719 } 720 721 /** 722 * kauditd_thread - Worker thread to send audit records to userspace 723 * @dummy: unused 724 */ 725 static int kauditd_thread(void *dummy) 726 { 727 int rc; 728 u32 portid = 0; 729 struct net *net = NULL; 730 struct sock *sk = NULL; 731 732 #define UNICAST_RETRIES 5 733 734 set_freezable(); 735 while (!kthread_should_stop()) { 736 /* NOTE: see the lock comments in auditd_send_unicast_skb() */ 737 rcu_read_lock(); 738 if (!auditd_conn.pid) { 739 rcu_read_unlock(); 740 goto main_queue; 741 } 742 net = auditd_conn.net; 743 get_net(net); 744 sk = audit_get_sk(net); 745 portid = auditd_conn.portid; 746 rcu_read_unlock(); 747 748 /* attempt to flush the hold queue */ 749 rc = kauditd_send_queue(sk, portid, 750 &audit_hold_queue, UNICAST_RETRIES, 751 NULL, kauditd_rehold_skb); 752 if (rc < 0) { 753 sk = NULL; 754 auditd_reset(); 755 goto main_queue; 756 } 757 758 /* attempt to flush the retry queue */ 759 rc = kauditd_send_queue(sk, portid, 760 &audit_retry_queue, UNICAST_RETRIES, 761 NULL, kauditd_hold_skb); 762 if (rc < 0) { 763 sk = NULL; 764 auditd_reset(); 765 goto main_queue; 766 } 767 768 main_queue: 769 /* process the main queue - do the multicast send and attempt 770 * unicast, dump failed record sends to the retry queue; if 771 * sk == NULL due to previous failures we will just do the 772 * multicast send and move the record to the retry queue */ 773 rc = kauditd_send_queue(sk, portid, &audit_queue, 1, 774 kauditd_send_multicast_skb, 775 kauditd_retry_skb); 776 if (sk == NULL || rc < 0) 777 auditd_reset(); 778 sk = NULL; 779 780 /* drop our netns reference, no auditd sends past this line */ 781 if (net) { 782 put_net(net); 783 net = NULL; 784 } 785 786 /* we have processed all the queues so wake everyone */ 787 wake_up(&audit_backlog_wait); 788 789 /* NOTE: we want to wake up if there is anything on the queue, 790 * regardless of if an auditd is connected, as we need to 791 * do the multicast send and rotate records from the 792 * main queue to the retry/hold queues */ 793 wait_event_freezable(kauditd_wait, 794 (skb_queue_len(&audit_queue) ? 1 : 0)); 795 } 796 797 return 0; 798 } 799 800 int audit_send_list(void *_dest) 801 { 802 struct audit_netlink_list *dest = _dest; 803 struct sk_buff *skb; 804 struct sock *sk = audit_get_sk(dest->net); 805 806 /* wait for parent to finish and send an ACK */ 807 mutex_lock(&audit_cmd_mutex); 808 mutex_unlock(&audit_cmd_mutex); 809 810 while ((skb = __skb_dequeue(&dest->q)) != NULL) 811 netlink_unicast(sk, skb, dest->portid, 0); 812 813 put_net(dest->net); 814 kfree(dest); 815 816 return 0; 817 } 818 819 struct sk_buff *audit_make_reply(__u32 portid, int seq, int type, int done, 820 int multi, const void *payload, int size) 821 { 822 struct sk_buff *skb; 823 struct nlmsghdr *nlh; 824 void *data; 825 int flags = multi ? NLM_F_MULTI : 0; 826 int t = done ? NLMSG_DONE : type; 827 828 skb = nlmsg_new(size, GFP_KERNEL); 829 if (!skb) 830 return NULL; 831 832 nlh = nlmsg_put(skb, portid, seq, t, size, flags); 833 if (!nlh) 834 goto out_kfree_skb; 835 data = nlmsg_data(nlh); 836 memcpy(data, payload, size); 837 return skb; 838 839 out_kfree_skb: 840 kfree_skb(skb); 841 return NULL; 842 } 843 844 static int audit_send_reply_thread(void *arg) 845 { 846 struct audit_reply *reply = (struct audit_reply *)arg; 847 struct sock *sk = audit_get_sk(reply->net); 848 849 mutex_lock(&audit_cmd_mutex); 850 mutex_unlock(&audit_cmd_mutex); 851 852 /* Ignore failure. It'll only happen if the sender goes away, 853 because our timeout is set to infinite. */ 854 netlink_unicast(sk, reply->skb, reply->portid, 0); 855 put_net(reply->net); 856 kfree(reply); 857 return 0; 858 } 859 860 /** 861 * audit_send_reply - send an audit reply message via netlink 862 * @request_skb: skb of request we are replying to (used to target the reply) 863 * @seq: sequence number 864 * @type: audit message type 865 * @done: done (last) flag 866 * @multi: multi-part message flag 867 * @payload: payload data 868 * @size: payload size 869 * 870 * Allocates an skb, builds the netlink message, and sends it to the port id. 871 * No failure notifications. 872 */ 873 static void audit_send_reply(struct sk_buff *request_skb, int seq, int type, int done, 874 int multi, const void *payload, int size) 875 { 876 u32 portid = NETLINK_CB(request_skb).portid; 877 struct net *net = sock_net(NETLINK_CB(request_skb).sk); 878 struct sk_buff *skb; 879 struct task_struct *tsk; 880 struct audit_reply *reply = kmalloc(sizeof(struct audit_reply), 881 GFP_KERNEL); 882 883 if (!reply) 884 return; 885 886 skb = audit_make_reply(portid, seq, type, done, multi, payload, size); 887 if (!skb) 888 goto out; 889 890 reply->net = get_net(net); 891 reply->portid = portid; 892 reply->skb = skb; 893 894 tsk = kthread_run(audit_send_reply_thread, reply, "audit_send_reply"); 895 if (!IS_ERR(tsk)) 896 return; 897 kfree_skb(skb); 898 out: 899 kfree(reply); 900 } 901 902 /* 903 * Check for appropriate CAP_AUDIT_ capabilities on incoming audit 904 * control messages. 905 */ 906 static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type) 907 { 908 int err = 0; 909 910 /* Only support initial user namespace for now. */ 911 /* 912 * We return ECONNREFUSED because it tricks userspace into thinking 913 * that audit was not configured into the kernel. Lots of users 914 * configure their PAM stack (because that's what the distro does) 915 * to reject login if unable to send messages to audit. If we return 916 * ECONNREFUSED the PAM stack thinks the kernel does not have audit 917 * configured in and will let login proceed. If we return EPERM 918 * userspace will reject all logins. This should be removed when we 919 * support non init namespaces!! 920 */ 921 if (current_user_ns() != &init_user_ns) 922 return -ECONNREFUSED; 923 924 switch (msg_type) { 925 case AUDIT_LIST: 926 case AUDIT_ADD: 927 case AUDIT_DEL: 928 return -EOPNOTSUPP; 929 case AUDIT_GET: 930 case AUDIT_SET: 931 case AUDIT_GET_FEATURE: 932 case AUDIT_SET_FEATURE: 933 case AUDIT_LIST_RULES: 934 case AUDIT_ADD_RULE: 935 case AUDIT_DEL_RULE: 936 case AUDIT_SIGNAL_INFO: 937 case AUDIT_TTY_GET: 938 case AUDIT_TTY_SET: 939 case AUDIT_TRIM: 940 case AUDIT_MAKE_EQUIV: 941 /* Only support auditd and auditctl in initial pid namespace 942 * for now. */ 943 if (task_active_pid_ns(current) != &init_pid_ns) 944 return -EPERM; 945 946 if (!netlink_capable(skb, CAP_AUDIT_CONTROL)) 947 err = -EPERM; 948 break; 949 case AUDIT_USER: 950 case AUDIT_FIRST_USER_MSG ... AUDIT_LAST_USER_MSG: 951 case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2: 952 if (!netlink_capable(skb, CAP_AUDIT_WRITE)) 953 err = -EPERM; 954 break; 955 default: /* bad msg */ 956 err = -EINVAL; 957 } 958 959 return err; 960 } 961 962 static void audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type) 963 { 964 uid_t uid = from_kuid(&init_user_ns, current_uid()); 965 pid_t pid = task_tgid_nr(current); 966 967 if (!audit_enabled && msg_type != AUDIT_USER_AVC) { 968 *ab = NULL; 969 return; 970 } 971 972 *ab = audit_log_start(NULL, GFP_KERNEL, msg_type); 973 if (unlikely(!*ab)) 974 return; 975 audit_log_format(*ab, "pid=%d uid=%u", pid, uid); 976 audit_log_session_info(*ab); 977 audit_log_task_context(*ab); 978 } 979 980 int is_audit_feature_set(int i) 981 { 982 return af.features & AUDIT_FEATURE_TO_MASK(i); 983 } 984 985 986 static int audit_get_feature(struct sk_buff *skb) 987 { 988 u32 seq; 989 990 seq = nlmsg_hdr(skb)->nlmsg_seq; 991 992 audit_send_reply(skb, seq, AUDIT_GET_FEATURE, 0, 0, &af, sizeof(af)); 993 994 return 0; 995 } 996 997 static void audit_log_feature_change(int which, u32 old_feature, u32 new_feature, 998 u32 old_lock, u32 new_lock, int res) 999 { 1000 struct audit_buffer *ab; 1001 1002 if (audit_enabled == AUDIT_OFF) 1003 return; 1004 1005 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_FEATURE_CHANGE); 1006 audit_log_task_info(ab, current); 1007 audit_log_format(ab, " feature=%s old=%u new=%u old_lock=%u new_lock=%u res=%d", 1008 audit_feature_names[which], !!old_feature, !!new_feature, 1009 !!old_lock, !!new_lock, res); 1010 audit_log_end(ab); 1011 } 1012 1013 static int audit_set_feature(struct sk_buff *skb) 1014 { 1015 struct audit_features *uaf; 1016 int i; 1017 1018 BUILD_BUG_ON(AUDIT_LAST_FEATURE + 1 > ARRAY_SIZE(audit_feature_names)); 1019 uaf = nlmsg_data(nlmsg_hdr(skb)); 1020 1021 /* if there is ever a version 2 we should handle that here */ 1022 1023 for (i = 0; i <= AUDIT_LAST_FEATURE; i++) { 1024 u32 feature = AUDIT_FEATURE_TO_MASK(i); 1025 u32 old_feature, new_feature, old_lock, new_lock; 1026 1027 /* if we are not changing this feature, move along */ 1028 if (!(feature & uaf->mask)) 1029 continue; 1030 1031 old_feature = af.features & feature; 1032 new_feature = uaf->features & feature; 1033 new_lock = (uaf->lock | af.lock) & feature; 1034 old_lock = af.lock & feature; 1035 1036 /* are we changing a locked feature? */ 1037 if (old_lock && (new_feature != old_feature)) { 1038 audit_log_feature_change(i, old_feature, new_feature, 1039 old_lock, new_lock, 0); 1040 return -EPERM; 1041 } 1042 } 1043 /* nothing invalid, do the changes */ 1044 for (i = 0; i <= AUDIT_LAST_FEATURE; i++) { 1045 u32 feature = AUDIT_FEATURE_TO_MASK(i); 1046 u32 old_feature, new_feature, old_lock, new_lock; 1047 1048 /* if we are not changing this feature, move along */ 1049 if (!(feature & uaf->mask)) 1050 continue; 1051 1052 old_feature = af.features & feature; 1053 new_feature = uaf->features & feature; 1054 old_lock = af.lock & feature; 1055 new_lock = (uaf->lock | af.lock) & feature; 1056 1057 if (new_feature != old_feature) 1058 audit_log_feature_change(i, old_feature, new_feature, 1059 old_lock, new_lock, 1); 1060 1061 if (new_feature) 1062 af.features |= feature; 1063 else 1064 af.features &= ~feature; 1065 af.lock |= new_lock; 1066 } 1067 1068 return 0; 1069 } 1070 1071 static int audit_replace(pid_t pid) 1072 { 1073 struct sk_buff *skb; 1074 1075 skb = audit_make_reply(0, 0, AUDIT_REPLACE, 0, 0, &pid, sizeof(pid)); 1076 if (!skb) 1077 return -ENOMEM; 1078 return auditd_send_unicast_skb(skb); 1079 } 1080 1081 static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) 1082 { 1083 u32 seq; 1084 void *data; 1085 int err; 1086 struct audit_buffer *ab; 1087 u16 msg_type = nlh->nlmsg_type; 1088 struct audit_sig_info *sig_data; 1089 char *ctx = NULL; 1090 u32 len; 1091 1092 err = audit_netlink_ok(skb, msg_type); 1093 if (err) 1094 return err; 1095 1096 seq = nlh->nlmsg_seq; 1097 data = nlmsg_data(nlh); 1098 1099 switch (msg_type) { 1100 case AUDIT_GET: { 1101 struct audit_status s; 1102 memset(&s, 0, sizeof(s)); 1103 s.enabled = audit_enabled; 1104 s.failure = audit_failure; 1105 rcu_read_lock(); 1106 s.pid = auditd_conn.pid; 1107 rcu_read_unlock(); 1108 s.rate_limit = audit_rate_limit; 1109 s.backlog_limit = audit_backlog_limit; 1110 s.lost = atomic_read(&audit_lost); 1111 s.backlog = skb_queue_len(&audit_queue); 1112 s.feature_bitmap = AUDIT_FEATURE_BITMAP_ALL; 1113 s.backlog_wait_time = audit_backlog_wait_time; 1114 audit_send_reply(skb, seq, AUDIT_GET, 0, 0, &s, sizeof(s)); 1115 break; 1116 } 1117 case AUDIT_SET: { 1118 struct audit_status s; 1119 memset(&s, 0, sizeof(s)); 1120 /* guard against past and future API changes */ 1121 memcpy(&s, data, min_t(size_t, sizeof(s), nlmsg_len(nlh))); 1122 if (s.mask & AUDIT_STATUS_ENABLED) { 1123 err = audit_set_enabled(s.enabled); 1124 if (err < 0) 1125 return err; 1126 } 1127 if (s.mask & AUDIT_STATUS_FAILURE) { 1128 err = audit_set_failure(s.failure); 1129 if (err < 0) 1130 return err; 1131 } 1132 if (s.mask & AUDIT_STATUS_PID) { 1133 /* NOTE: we are using task_tgid_vnr() below because 1134 * the s.pid value is relative to the namespace 1135 * of the caller; at present this doesn't matter 1136 * much since you can really only run auditd 1137 * from the initial pid namespace, but something 1138 * to keep in mind if this changes */ 1139 int new_pid = s.pid; 1140 pid_t auditd_pid; 1141 pid_t requesting_pid = task_tgid_vnr(current); 1142 1143 /* test the auditd connection */ 1144 audit_replace(requesting_pid); 1145 1146 rcu_read_lock(); 1147 auditd_pid = auditd_conn.pid; 1148 /* only the current auditd can unregister itself */ 1149 if ((!new_pid) && (requesting_pid != auditd_pid)) { 1150 rcu_read_unlock(); 1151 audit_log_config_change("audit_pid", new_pid, 1152 auditd_pid, 0); 1153 return -EACCES; 1154 } 1155 /* replacing a healthy auditd is not allowed */ 1156 if (auditd_pid && new_pid) { 1157 rcu_read_unlock(); 1158 audit_log_config_change("audit_pid", new_pid, 1159 auditd_pid, 0); 1160 return -EEXIST; 1161 } 1162 rcu_read_unlock(); 1163 1164 if (audit_enabled != AUDIT_OFF) 1165 audit_log_config_change("audit_pid", new_pid, 1166 auditd_pid, 1); 1167 1168 if (new_pid) { 1169 /* register a new auditd connection */ 1170 auditd_set(new_pid, 1171 NETLINK_CB(skb).portid, 1172 sock_net(NETLINK_CB(skb).sk)); 1173 /* try to process any backlog */ 1174 wake_up_interruptible(&kauditd_wait); 1175 } else 1176 /* unregister the auditd connection */ 1177 auditd_reset(); 1178 } 1179 if (s.mask & AUDIT_STATUS_RATE_LIMIT) { 1180 err = audit_set_rate_limit(s.rate_limit); 1181 if (err < 0) 1182 return err; 1183 } 1184 if (s.mask & AUDIT_STATUS_BACKLOG_LIMIT) { 1185 err = audit_set_backlog_limit(s.backlog_limit); 1186 if (err < 0) 1187 return err; 1188 } 1189 if (s.mask & AUDIT_STATUS_BACKLOG_WAIT_TIME) { 1190 if (sizeof(s) > (size_t)nlh->nlmsg_len) 1191 return -EINVAL; 1192 if (s.backlog_wait_time > 10*AUDIT_BACKLOG_WAIT_TIME) 1193 return -EINVAL; 1194 err = audit_set_backlog_wait_time(s.backlog_wait_time); 1195 if (err < 0) 1196 return err; 1197 } 1198 if (s.mask == AUDIT_STATUS_LOST) { 1199 u32 lost = atomic_xchg(&audit_lost, 0); 1200 1201 audit_log_config_change("lost", 0, lost, 1); 1202 return lost; 1203 } 1204 break; 1205 } 1206 case AUDIT_GET_FEATURE: 1207 err = audit_get_feature(skb); 1208 if (err) 1209 return err; 1210 break; 1211 case AUDIT_SET_FEATURE: 1212 err = audit_set_feature(skb); 1213 if (err) 1214 return err; 1215 break; 1216 case AUDIT_USER: 1217 case AUDIT_FIRST_USER_MSG ... AUDIT_LAST_USER_MSG: 1218 case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2: 1219 if (!audit_enabled && msg_type != AUDIT_USER_AVC) 1220 return 0; 1221 1222 err = audit_filter(msg_type, AUDIT_FILTER_USER); 1223 if (err == 1) { /* match or error */ 1224 err = 0; 1225 if (msg_type == AUDIT_USER_TTY) { 1226 err = tty_audit_push(); 1227 if (err) 1228 break; 1229 } 1230 audit_log_common_recv_msg(&ab, msg_type); 1231 if (msg_type != AUDIT_USER_TTY) 1232 audit_log_format(ab, " msg='%.*s'", 1233 AUDIT_MESSAGE_TEXT_MAX, 1234 (char *)data); 1235 else { 1236 int size; 1237 1238 audit_log_format(ab, " data="); 1239 size = nlmsg_len(nlh); 1240 if (size > 0 && 1241 ((unsigned char *)data)[size - 1] == '\0') 1242 size--; 1243 audit_log_n_untrustedstring(ab, data, size); 1244 } 1245 audit_set_portid(ab, NETLINK_CB(skb).portid); 1246 audit_log_end(ab); 1247 } 1248 break; 1249 case AUDIT_ADD_RULE: 1250 case AUDIT_DEL_RULE: 1251 if (nlmsg_len(nlh) < sizeof(struct audit_rule_data)) 1252 return -EINVAL; 1253 if (audit_enabled == AUDIT_LOCKED) { 1254 audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE); 1255 audit_log_format(ab, " audit_enabled=%d res=0", audit_enabled); 1256 audit_log_end(ab); 1257 return -EPERM; 1258 } 1259 err = audit_rule_change(msg_type, NETLINK_CB(skb).portid, 1260 seq, data, nlmsg_len(nlh)); 1261 break; 1262 case AUDIT_LIST_RULES: 1263 err = audit_list_rules_send(skb, seq); 1264 break; 1265 case AUDIT_TRIM: 1266 audit_trim_trees(); 1267 audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE); 1268 audit_log_format(ab, " op=trim res=1"); 1269 audit_log_end(ab); 1270 break; 1271 case AUDIT_MAKE_EQUIV: { 1272 void *bufp = data; 1273 u32 sizes[2]; 1274 size_t msglen = nlmsg_len(nlh); 1275 char *old, *new; 1276 1277 err = -EINVAL; 1278 if (msglen < 2 * sizeof(u32)) 1279 break; 1280 memcpy(sizes, bufp, 2 * sizeof(u32)); 1281 bufp += 2 * sizeof(u32); 1282 msglen -= 2 * sizeof(u32); 1283 old = audit_unpack_string(&bufp, &msglen, sizes[0]); 1284 if (IS_ERR(old)) { 1285 err = PTR_ERR(old); 1286 break; 1287 } 1288 new = audit_unpack_string(&bufp, &msglen, sizes[1]); 1289 if (IS_ERR(new)) { 1290 err = PTR_ERR(new); 1291 kfree(old); 1292 break; 1293 } 1294 /* OK, here comes... */ 1295 err = audit_tag_tree(old, new); 1296 1297 audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE); 1298 1299 audit_log_format(ab, " op=make_equiv old="); 1300 audit_log_untrustedstring(ab, old); 1301 audit_log_format(ab, " new="); 1302 audit_log_untrustedstring(ab, new); 1303 audit_log_format(ab, " res=%d", !err); 1304 audit_log_end(ab); 1305 kfree(old); 1306 kfree(new); 1307 break; 1308 } 1309 case AUDIT_SIGNAL_INFO: 1310 len = 0; 1311 if (audit_sig_sid) { 1312 err = security_secid_to_secctx(audit_sig_sid, &ctx, &len); 1313 if (err) 1314 return err; 1315 } 1316 sig_data = kmalloc(sizeof(*sig_data) + len, GFP_KERNEL); 1317 if (!sig_data) { 1318 if (audit_sig_sid) 1319 security_release_secctx(ctx, len); 1320 return -ENOMEM; 1321 } 1322 sig_data->uid = from_kuid(&init_user_ns, audit_sig_uid); 1323 sig_data->pid = audit_sig_pid; 1324 if (audit_sig_sid) { 1325 memcpy(sig_data->ctx, ctx, len); 1326 security_release_secctx(ctx, len); 1327 } 1328 audit_send_reply(skb, seq, AUDIT_SIGNAL_INFO, 0, 0, 1329 sig_data, sizeof(*sig_data) + len); 1330 kfree(sig_data); 1331 break; 1332 case AUDIT_TTY_GET: { 1333 struct audit_tty_status s; 1334 unsigned int t; 1335 1336 t = READ_ONCE(current->signal->audit_tty); 1337 s.enabled = t & AUDIT_TTY_ENABLE; 1338 s.log_passwd = !!(t & AUDIT_TTY_LOG_PASSWD); 1339 1340 audit_send_reply(skb, seq, AUDIT_TTY_GET, 0, 0, &s, sizeof(s)); 1341 break; 1342 } 1343 case AUDIT_TTY_SET: { 1344 struct audit_tty_status s, old; 1345 struct audit_buffer *ab; 1346 unsigned int t; 1347 1348 memset(&s, 0, sizeof(s)); 1349 /* guard against past and future API changes */ 1350 memcpy(&s, data, min_t(size_t, sizeof(s), nlmsg_len(nlh))); 1351 /* check if new data is valid */ 1352 if ((s.enabled != 0 && s.enabled != 1) || 1353 (s.log_passwd != 0 && s.log_passwd != 1)) 1354 err = -EINVAL; 1355 1356 if (err) 1357 t = READ_ONCE(current->signal->audit_tty); 1358 else { 1359 t = s.enabled | (-s.log_passwd & AUDIT_TTY_LOG_PASSWD); 1360 t = xchg(¤t->signal->audit_tty, t); 1361 } 1362 old.enabled = t & AUDIT_TTY_ENABLE; 1363 old.log_passwd = !!(t & AUDIT_TTY_LOG_PASSWD); 1364 1365 audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE); 1366 audit_log_format(ab, " op=tty_set old-enabled=%d new-enabled=%d" 1367 " old-log_passwd=%d new-log_passwd=%d res=%d", 1368 old.enabled, s.enabled, old.log_passwd, 1369 s.log_passwd, !err); 1370 audit_log_end(ab); 1371 break; 1372 } 1373 default: 1374 err = -EINVAL; 1375 break; 1376 } 1377 1378 return err < 0 ? err : 0; 1379 } 1380 1381 /* 1382 * Get message from skb. Each message is processed by audit_receive_msg. 1383 * Malformed skbs with wrong length are discarded silently. 1384 */ 1385 static void audit_receive_skb(struct sk_buff *skb) 1386 { 1387 struct nlmsghdr *nlh; 1388 /* 1389 * len MUST be signed for nlmsg_next to be able to dec it below 0 1390 * if the nlmsg_len was not aligned 1391 */ 1392 int len; 1393 int err; 1394 1395 nlh = nlmsg_hdr(skb); 1396 len = skb->len; 1397 1398 while (nlmsg_ok(nlh, len)) { 1399 err = audit_receive_msg(skb, nlh); 1400 /* if err or if this message says it wants a response */ 1401 if (err || (nlh->nlmsg_flags & NLM_F_ACK)) 1402 netlink_ack(skb, nlh, err); 1403 1404 nlh = nlmsg_next(nlh, &len); 1405 } 1406 } 1407 1408 /* Receive messages from netlink socket. */ 1409 static void audit_receive(struct sk_buff *skb) 1410 { 1411 mutex_lock(&audit_cmd_mutex); 1412 audit_receive_skb(skb); 1413 mutex_unlock(&audit_cmd_mutex); 1414 } 1415 1416 /* Run custom bind function on netlink socket group connect or bind requests. */ 1417 static int audit_bind(struct net *net, int group) 1418 { 1419 if (!capable(CAP_AUDIT_READ)) 1420 return -EPERM; 1421 1422 return 0; 1423 } 1424 1425 static int __net_init audit_net_init(struct net *net) 1426 { 1427 struct netlink_kernel_cfg cfg = { 1428 .input = audit_receive, 1429 .bind = audit_bind, 1430 .flags = NL_CFG_F_NONROOT_RECV, 1431 .groups = AUDIT_NLGRP_MAX, 1432 }; 1433 1434 struct audit_net *aunet = net_generic(net, audit_net_id); 1435 1436 aunet->sk = netlink_kernel_create(net, NETLINK_AUDIT, &cfg); 1437 if (aunet->sk == NULL) { 1438 audit_panic("cannot initialize netlink socket in namespace"); 1439 return -ENOMEM; 1440 } 1441 aunet->sk->sk_sndtimeo = MAX_SCHEDULE_TIMEOUT; 1442 1443 return 0; 1444 } 1445 1446 static void __net_exit audit_net_exit(struct net *net) 1447 { 1448 struct audit_net *aunet = net_generic(net, audit_net_id); 1449 1450 rcu_read_lock(); 1451 if (net == auditd_conn.net) 1452 auditd_reset(); 1453 rcu_read_unlock(); 1454 1455 netlink_kernel_release(aunet->sk); 1456 } 1457 1458 static struct pernet_operations audit_net_ops __net_initdata = { 1459 .init = audit_net_init, 1460 .exit = audit_net_exit, 1461 .id = &audit_net_id, 1462 .size = sizeof(struct audit_net), 1463 }; 1464 1465 /* Initialize audit support at boot time. */ 1466 static int __init audit_init(void) 1467 { 1468 int i; 1469 1470 if (audit_initialized == AUDIT_DISABLED) 1471 return 0; 1472 1473 memset(&auditd_conn, 0, sizeof(auditd_conn)); 1474 spin_lock_init(&auditd_conn.lock); 1475 1476 skb_queue_head_init(&audit_queue); 1477 skb_queue_head_init(&audit_retry_queue); 1478 skb_queue_head_init(&audit_hold_queue); 1479 1480 for (i = 0; i < AUDIT_INODE_BUCKETS; i++) 1481 INIT_LIST_HEAD(&audit_inode_hash[i]); 1482 1483 pr_info("initializing netlink subsys (%s)\n", 1484 audit_default ? "enabled" : "disabled"); 1485 register_pernet_subsys(&audit_net_ops); 1486 1487 audit_initialized = AUDIT_INITIALIZED; 1488 audit_enabled = audit_default; 1489 audit_ever_enabled |= !!audit_default; 1490 1491 kauditd_task = kthread_run(kauditd_thread, NULL, "kauditd"); 1492 if (IS_ERR(kauditd_task)) { 1493 int err = PTR_ERR(kauditd_task); 1494 panic("audit: failed to start the kauditd thread (%d)\n", err); 1495 } 1496 1497 audit_log(NULL, GFP_KERNEL, AUDIT_KERNEL, 1498 "state=initialized audit_enabled=%u res=1", 1499 audit_enabled); 1500 1501 return 0; 1502 } 1503 __initcall(audit_init); 1504 1505 /* Process kernel command-line parameter at boot time. audit=0 or audit=1. */ 1506 static int __init audit_enable(char *str) 1507 { 1508 audit_default = !!simple_strtol(str, NULL, 0); 1509 if (!audit_default) 1510 audit_initialized = AUDIT_DISABLED; 1511 1512 pr_info("%s\n", audit_default ? 1513 "enabled (after initialization)" : "disabled (until reboot)"); 1514 1515 return 1; 1516 } 1517 __setup("audit=", audit_enable); 1518 1519 /* Process kernel command-line parameter at boot time. 1520 * audit_backlog_limit=<n> */ 1521 static int __init audit_backlog_limit_set(char *str) 1522 { 1523 u32 audit_backlog_limit_arg; 1524 1525 pr_info("audit_backlog_limit: "); 1526 if (kstrtouint(str, 0, &audit_backlog_limit_arg)) { 1527 pr_cont("using default of %u, unable to parse %s\n", 1528 audit_backlog_limit, str); 1529 return 1; 1530 } 1531 1532 audit_backlog_limit = audit_backlog_limit_arg; 1533 pr_cont("%d\n", audit_backlog_limit); 1534 1535 return 1; 1536 } 1537 __setup("audit_backlog_limit=", audit_backlog_limit_set); 1538 1539 static void audit_buffer_free(struct audit_buffer *ab) 1540 { 1541 unsigned long flags; 1542 1543 if (!ab) 1544 return; 1545 1546 kfree_skb(ab->skb); 1547 spin_lock_irqsave(&audit_freelist_lock, flags); 1548 if (audit_freelist_count > AUDIT_MAXFREE) 1549 kfree(ab); 1550 else { 1551 audit_freelist_count++; 1552 list_add(&ab->list, &audit_freelist); 1553 } 1554 spin_unlock_irqrestore(&audit_freelist_lock, flags); 1555 } 1556 1557 static struct audit_buffer * audit_buffer_alloc(struct audit_context *ctx, 1558 gfp_t gfp_mask, int type) 1559 { 1560 unsigned long flags; 1561 struct audit_buffer *ab = NULL; 1562 struct nlmsghdr *nlh; 1563 1564 spin_lock_irqsave(&audit_freelist_lock, flags); 1565 if (!list_empty(&audit_freelist)) { 1566 ab = list_entry(audit_freelist.next, 1567 struct audit_buffer, list); 1568 list_del(&ab->list); 1569 --audit_freelist_count; 1570 } 1571 spin_unlock_irqrestore(&audit_freelist_lock, flags); 1572 1573 if (!ab) { 1574 ab = kmalloc(sizeof(*ab), gfp_mask); 1575 if (!ab) 1576 goto err; 1577 } 1578 1579 ab->ctx = ctx; 1580 ab->gfp_mask = gfp_mask; 1581 1582 ab->skb = nlmsg_new(AUDIT_BUFSIZ, gfp_mask); 1583 if (!ab->skb) 1584 goto err; 1585 1586 nlh = nlmsg_put(ab->skb, 0, 0, type, 0, 0); 1587 if (!nlh) 1588 goto out_kfree_skb; 1589 1590 return ab; 1591 1592 out_kfree_skb: 1593 kfree_skb(ab->skb); 1594 ab->skb = NULL; 1595 err: 1596 audit_buffer_free(ab); 1597 return NULL; 1598 } 1599 1600 /** 1601 * audit_serial - compute a serial number for the audit record 1602 * 1603 * Compute a serial number for the audit record. Audit records are 1604 * written to user-space as soon as they are generated, so a complete 1605 * audit record may be written in several pieces. The timestamp of the 1606 * record and this serial number are used by the user-space tools to 1607 * determine which pieces belong to the same audit record. The 1608 * (timestamp,serial) tuple is unique for each syscall and is live from 1609 * syscall entry to syscall exit. 1610 * 1611 * NOTE: Another possibility is to store the formatted records off the 1612 * audit context (for those records that have a context), and emit them 1613 * all at syscall exit. However, this could delay the reporting of 1614 * significant errors until syscall exit (or never, if the system 1615 * halts). 1616 */ 1617 unsigned int audit_serial(void) 1618 { 1619 static atomic_t serial = ATOMIC_INIT(0); 1620 1621 return atomic_add_return(1, &serial); 1622 } 1623 1624 static inline void audit_get_stamp(struct audit_context *ctx, 1625 struct timespec *t, unsigned int *serial) 1626 { 1627 if (!ctx || !auditsc_get_stamp(ctx, t, serial)) { 1628 *t = CURRENT_TIME; 1629 *serial = audit_serial(); 1630 } 1631 } 1632 1633 /** 1634 * audit_log_start - obtain an audit buffer 1635 * @ctx: audit_context (may be NULL) 1636 * @gfp_mask: type of allocation 1637 * @type: audit message type 1638 * 1639 * Returns audit_buffer pointer on success or NULL on error. 1640 * 1641 * Obtain an audit buffer. This routine does locking to obtain the 1642 * audit buffer, but then no locking is required for calls to 1643 * audit_log_*format. If the task (ctx) is a task that is currently in a 1644 * syscall, then the syscall is marked as auditable and an audit record 1645 * will be written at syscall exit. If there is no associated task, then 1646 * task context (ctx) should be NULL. 1647 */ 1648 struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, 1649 int type) 1650 { 1651 struct audit_buffer *ab; 1652 struct timespec t; 1653 unsigned int uninitialized_var(serial); 1654 1655 if (audit_initialized != AUDIT_INITIALIZED) 1656 return NULL; 1657 1658 if (unlikely(!audit_filter(type, AUDIT_FILTER_TYPE))) 1659 return NULL; 1660 1661 /* NOTE: don't ever fail/sleep on these two conditions: 1662 * 1. auditd generated record - since we need auditd to drain the 1663 * queue; also, when we are checking for auditd, compare PIDs using 1664 * task_tgid_vnr() since auditd_pid is set in audit_receive_msg() 1665 * using a PID anchored in the caller's namespace 1666 * 2. generator holding the audit_cmd_mutex - we don't want to block 1667 * while holding the mutex */ 1668 if (!(auditd_test_task(current) || 1669 (current == __mutex_owner(&audit_cmd_mutex)))) { 1670 long stime = audit_backlog_wait_time; 1671 1672 while (audit_backlog_limit && 1673 (skb_queue_len(&audit_queue) > audit_backlog_limit)) { 1674 /* wake kauditd to try and flush the queue */ 1675 wake_up_interruptible(&kauditd_wait); 1676 1677 /* sleep if we are allowed and we haven't exhausted our 1678 * backlog wait limit */ 1679 if (gfpflags_allow_blocking(gfp_mask) && (stime > 0)) { 1680 DECLARE_WAITQUEUE(wait, current); 1681 1682 add_wait_queue_exclusive(&audit_backlog_wait, 1683 &wait); 1684 set_current_state(TASK_UNINTERRUPTIBLE); 1685 stime = schedule_timeout(stime); 1686 remove_wait_queue(&audit_backlog_wait, &wait); 1687 } else { 1688 if (audit_rate_check() && printk_ratelimit()) 1689 pr_warn("audit_backlog=%d > audit_backlog_limit=%d\n", 1690 skb_queue_len(&audit_queue), 1691 audit_backlog_limit); 1692 audit_log_lost("backlog limit exceeded"); 1693 return NULL; 1694 } 1695 } 1696 } 1697 1698 ab = audit_buffer_alloc(ctx, gfp_mask, type); 1699 if (!ab) { 1700 audit_log_lost("out of memory in audit_log_start"); 1701 return NULL; 1702 } 1703 1704 audit_get_stamp(ab->ctx, &t, &serial); 1705 audit_log_format(ab, "audit(%lu.%03lu:%u): ", 1706 t.tv_sec, t.tv_nsec/1000000, serial); 1707 1708 return ab; 1709 } 1710 1711 /** 1712 * audit_expand - expand skb in the audit buffer 1713 * @ab: audit_buffer 1714 * @extra: space to add at tail of the skb 1715 * 1716 * Returns 0 (no space) on failed expansion, or available space if 1717 * successful. 1718 */ 1719 static inline int audit_expand(struct audit_buffer *ab, int extra) 1720 { 1721 struct sk_buff *skb = ab->skb; 1722 int oldtail = skb_tailroom(skb); 1723 int ret = pskb_expand_head(skb, 0, extra, ab->gfp_mask); 1724 int newtail = skb_tailroom(skb); 1725 1726 if (ret < 0) { 1727 audit_log_lost("out of memory in audit_expand"); 1728 return 0; 1729 } 1730 1731 skb->truesize += newtail - oldtail; 1732 return newtail; 1733 } 1734 1735 /* 1736 * Format an audit message into the audit buffer. If there isn't enough 1737 * room in the audit buffer, more room will be allocated and vsnprint 1738 * will be called a second time. Currently, we assume that a printk 1739 * can't format message larger than 1024 bytes, so we don't either. 1740 */ 1741 static void audit_log_vformat(struct audit_buffer *ab, const char *fmt, 1742 va_list args) 1743 { 1744 int len, avail; 1745 struct sk_buff *skb; 1746 va_list args2; 1747 1748 if (!ab) 1749 return; 1750 1751 BUG_ON(!ab->skb); 1752 skb = ab->skb; 1753 avail = skb_tailroom(skb); 1754 if (avail == 0) { 1755 avail = audit_expand(ab, AUDIT_BUFSIZ); 1756 if (!avail) 1757 goto out; 1758 } 1759 va_copy(args2, args); 1760 len = vsnprintf(skb_tail_pointer(skb), avail, fmt, args); 1761 if (len >= avail) { 1762 /* The printk buffer is 1024 bytes long, so if we get 1763 * here and AUDIT_BUFSIZ is at least 1024, then we can 1764 * log everything that printk could have logged. */ 1765 avail = audit_expand(ab, 1766 max_t(unsigned, AUDIT_BUFSIZ, 1+len-avail)); 1767 if (!avail) 1768 goto out_va_end; 1769 len = vsnprintf(skb_tail_pointer(skb), avail, fmt, args2); 1770 } 1771 if (len > 0) 1772 skb_put(skb, len); 1773 out_va_end: 1774 va_end(args2); 1775 out: 1776 return; 1777 } 1778 1779 /** 1780 * audit_log_format - format a message into the audit buffer. 1781 * @ab: audit_buffer 1782 * @fmt: format string 1783 * @...: optional parameters matching @fmt string 1784 * 1785 * All the work is done in audit_log_vformat. 1786 */ 1787 void audit_log_format(struct audit_buffer *ab, const char *fmt, ...) 1788 { 1789 va_list args; 1790 1791 if (!ab) 1792 return; 1793 va_start(args, fmt); 1794 audit_log_vformat(ab, fmt, args); 1795 va_end(args); 1796 } 1797 1798 /** 1799 * audit_log_hex - convert a buffer to hex and append it to the audit skb 1800 * @ab: the audit_buffer 1801 * @buf: buffer to convert to hex 1802 * @len: length of @buf to be converted 1803 * 1804 * No return value; failure to expand is silently ignored. 1805 * 1806 * This function will take the passed buf and convert it into a string of 1807 * ascii hex digits. The new string is placed onto the skb. 1808 */ 1809 void audit_log_n_hex(struct audit_buffer *ab, const unsigned char *buf, 1810 size_t len) 1811 { 1812 int i, avail, new_len; 1813 unsigned char *ptr; 1814 struct sk_buff *skb; 1815 1816 if (!ab) 1817 return; 1818 1819 BUG_ON(!ab->skb); 1820 skb = ab->skb; 1821 avail = skb_tailroom(skb); 1822 new_len = len<<1; 1823 if (new_len >= avail) { 1824 /* Round the buffer request up to the next multiple */ 1825 new_len = AUDIT_BUFSIZ*(((new_len-avail)/AUDIT_BUFSIZ) + 1); 1826 avail = audit_expand(ab, new_len); 1827 if (!avail) 1828 return; 1829 } 1830 1831 ptr = skb_tail_pointer(skb); 1832 for (i = 0; i < len; i++) 1833 ptr = hex_byte_pack_upper(ptr, buf[i]); 1834 *ptr = 0; 1835 skb_put(skb, len << 1); /* new string is twice the old string */ 1836 } 1837 1838 /* 1839 * Format a string of no more than slen characters into the audit buffer, 1840 * enclosed in quote marks. 1841 */ 1842 void audit_log_n_string(struct audit_buffer *ab, const char *string, 1843 size_t slen) 1844 { 1845 int avail, new_len; 1846 unsigned char *ptr; 1847 struct sk_buff *skb; 1848 1849 if (!ab) 1850 return; 1851 1852 BUG_ON(!ab->skb); 1853 skb = ab->skb; 1854 avail = skb_tailroom(skb); 1855 new_len = slen + 3; /* enclosing quotes + null terminator */ 1856 if (new_len > avail) { 1857 avail = audit_expand(ab, new_len); 1858 if (!avail) 1859 return; 1860 } 1861 ptr = skb_tail_pointer(skb); 1862 *ptr++ = '"'; 1863 memcpy(ptr, string, slen); 1864 ptr += slen; 1865 *ptr++ = '"'; 1866 *ptr = 0; 1867 skb_put(skb, slen + 2); /* don't include null terminator */ 1868 } 1869 1870 /** 1871 * audit_string_contains_control - does a string need to be logged in hex 1872 * @string: string to be checked 1873 * @len: max length of the string to check 1874 */ 1875 bool audit_string_contains_control(const char *string, size_t len) 1876 { 1877 const unsigned char *p; 1878 for (p = string; p < (const unsigned char *)string + len; p++) { 1879 if (*p == '"' || *p < 0x21 || *p > 0x7e) 1880 return true; 1881 } 1882 return false; 1883 } 1884 1885 /** 1886 * audit_log_n_untrustedstring - log a string that may contain random characters 1887 * @ab: audit_buffer 1888 * @len: length of string (not including trailing null) 1889 * @string: string to be logged 1890 * 1891 * This code will escape a string that is passed to it if the string 1892 * contains a control character, unprintable character, double quote mark, 1893 * or a space. Unescaped strings will start and end with a double quote mark. 1894 * Strings that are escaped are printed in hex (2 digits per char). 1895 * 1896 * The caller specifies the number of characters in the string to log, which may 1897 * or may not be the entire string. 1898 */ 1899 void audit_log_n_untrustedstring(struct audit_buffer *ab, const char *string, 1900 size_t len) 1901 { 1902 if (audit_string_contains_control(string, len)) 1903 audit_log_n_hex(ab, string, len); 1904 else 1905 audit_log_n_string(ab, string, len); 1906 } 1907 1908 /** 1909 * audit_log_untrustedstring - log a string that may contain random characters 1910 * @ab: audit_buffer 1911 * @string: string to be logged 1912 * 1913 * Same as audit_log_n_untrustedstring(), except that strlen is used to 1914 * determine string length. 1915 */ 1916 void audit_log_untrustedstring(struct audit_buffer *ab, const char *string) 1917 { 1918 audit_log_n_untrustedstring(ab, string, strlen(string)); 1919 } 1920 1921 /* This is a helper-function to print the escaped d_path */ 1922 void audit_log_d_path(struct audit_buffer *ab, const char *prefix, 1923 const struct path *path) 1924 { 1925 char *p, *pathname; 1926 1927 if (prefix) 1928 audit_log_format(ab, "%s", prefix); 1929 1930 /* We will allow 11 spaces for ' (deleted)' to be appended */ 1931 pathname = kmalloc(PATH_MAX+11, ab->gfp_mask); 1932 if (!pathname) { 1933 audit_log_string(ab, "<no_memory>"); 1934 return; 1935 } 1936 p = d_path(path, pathname, PATH_MAX+11); 1937 if (IS_ERR(p)) { /* Should never happen since we send PATH_MAX */ 1938 /* FIXME: can we save some information here? */ 1939 audit_log_string(ab, "<too_long>"); 1940 } else 1941 audit_log_untrustedstring(ab, p); 1942 kfree(pathname); 1943 } 1944 1945 void audit_log_session_info(struct audit_buffer *ab) 1946 { 1947 unsigned int sessionid = audit_get_sessionid(current); 1948 uid_t auid = from_kuid(&init_user_ns, audit_get_loginuid(current)); 1949 1950 audit_log_format(ab, " auid=%u ses=%u", auid, sessionid); 1951 } 1952 1953 void audit_log_key(struct audit_buffer *ab, char *key) 1954 { 1955 audit_log_format(ab, " key="); 1956 if (key) 1957 audit_log_untrustedstring(ab, key); 1958 else 1959 audit_log_format(ab, "(null)"); 1960 } 1961 1962 void audit_log_cap(struct audit_buffer *ab, char *prefix, kernel_cap_t *cap) 1963 { 1964 int i; 1965 1966 audit_log_format(ab, " %s=", prefix); 1967 CAP_FOR_EACH_U32(i) { 1968 audit_log_format(ab, "%08x", 1969 cap->cap[CAP_LAST_U32 - i]); 1970 } 1971 } 1972 1973 static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name) 1974 { 1975 kernel_cap_t *perm = &name->fcap.permitted; 1976 kernel_cap_t *inh = &name->fcap.inheritable; 1977 int log = 0; 1978 1979 if (!cap_isclear(*perm)) { 1980 audit_log_cap(ab, "cap_fp", perm); 1981 log = 1; 1982 } 1983 if (!cap_isclear(*inh)) { 1984 audit_log_cap(ab, "cap_fi", inh); 1985 log = 1; 1986 } 1987 1988 if (log) 1989 audit_log_format(ab, " cap_fe=%d cap_fver=%x", 1990 name->fcap.fE, name->fcap_ver); 1991 } 1992 1993 static inline int audit_copy_fcaps(struct audit_names *name, 1994 const struct dentry *dentry) 1995 { 1996 struct cpu_vfs_cap_data caps; 1997 int rc; 1998 1999 if (!dentry) 2000 return 0; 2001 2002 rc = get_vfs_caps_from_disk(dentry, &caps); 2003 if (rc) 2004 return rc; 2005 2006 name->fcap.permitted = caps.permitted; 2007 name->fcap.inheritable = caps.inheritable; 2008 name->fcap.fE = !!(caps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE); 2009 name->fcap_ver = (caps.magic_etc & VFS_CAP_REVISION_MASK) >> 2010 VFS_CAP_REVISION_SHIFT; 2011 2012 return 0; 2013 } 2014 2015 /* Copy inode data into an audit_names. */ 2016 void audit_copy_inode(struct audit_names *name, const struct dentry *dentry, 2017 struct inode *inode) 2018 { 2019 name->ino = inode->i_ino; 2020 name->dev = inode->i_sb->s_dev; 2021 name->mode = inode->i_mode; 2022 name->uid = inode->i_uid; 2023 name->gid = inode->i_gid; 2024 name->rdev = inode->i_rdev; 2025 security_inode_getsecid(inode, &name->osid); 2026 audit_copy_fcaps(name, dentry); 2027 } 2028 2029 /** 2030 * audit_log_name - produce AUDIT_PATH record from struct audit_names 2031 * @context: audit_context for the task 2032 * @n: audit_names structure with reportable details 2033 * @path: optional path to report instead of audit_names->name 2034 * @record_num: record number to report when handling a list of names 2035 * @call_panic: optional pointer to int that will be updated if secid fails 2036 */ 2037 void audit_log_name(struct audit_context *context, struct audit_names *n, 2038 const struct path *path, int record_num, int *call_panic) 2039 { 2040 struct audit_buffer *ab; 2041 ab = audit_log_start(context, GFP_KERNEL, AUDIT_PATH); 2042 if (!ab) 2043 return; 2044 2045 audit_log_format(ab, "item=%d", record_num); 2046 2047 if (path) 2048 audit_log_d_path(ab, " name=", path); 2049 else if (n->name) { 2050 switch (n->name_len) { 2051 case AUDIT_NAME_FULL: 2052 /* log the full path */ 2053 audit_log_format(ab, " name="); 2054 audit_log_untrustedstring(ab, n->name->name); 2055 break; 2056 case 0: 2057 /* name was specified as a relative path and the 2058 * directory component is the cwd */ 2059 audit_log_d_path(ab, " name=", &context->pwd); 2060 break; 2061 default: 2062 /* log the name's directory component */ 2063 audit_log_format(ab, " name="); 2064 audit_log_n_untrustedstring(ab, n->name->name, 2065 n->name_len); 2066 } 2067 } else 2068 audit_log_format(ab, " name=(null)"); 2069 2070 if (n->ino != AUDIT_INO_UNSET) 2071 audit_log_format(ab, " inode=%lu" 2072 " dev=%02x:%02x mode=%#ho" 2073 " ouid=%u ogid=%u rdev=%02x:%02x", 2074 n->ino, 2075 MAJOR(n->dev), 2076 MINOR(n->dev), 2077 n->mode, 2078 from_kuid(&init_user_ns, n->uid), 2079 from_kgid(&init_user_ns, n->gid), 2080 MAJOR(n->rdev), 2081 MINOR(n->rdev)); 2082 if (n->osid != 0) { 2083 char *ctx = NULL; 2084 u32 len; 2085 if (security_secid_to_secctx( 2086 n->osid, &ctx, &len)) { 2087 audit_log_format(ab, " osid=%u", n->osid); 2088 if (call_panic) 2089 *call_panic = 2; 2090 } else { 2091 audit_log_format(ab, " obj=%s", ctx); 2092 security_release_secctx(ctx, len); 2093 } 2094 } 2095 2096 /* log the audit_names record type */ 2097 audit_log_format(ab, " nametype="); 2098 switch(n->type) { 2099 case AUDIT_TYPE_NORMAL: 2100 audit_log_format(ab, "NORMAL"); 2101 break; 2102 case AUDIT_TYPE_PARENT: 2103 audit_log_format(ab, "PARENT"); 2104 break; 2105 case AUDIT_TYPE_CHILD_DELETE: 2106 audit_log_format(ab, "DELETE"); 2107 break; 2108 case AUDIT_TYPE_CHILD_CREATE: 2109 audit_log_format(ab, "CREATE"); 2110 break; 2111 default: 2112 audit_log_format(ab, "UNKNOWN"); 2113 break; 2114 } 2115 2116 audit_log_fcaps(ab, n); 2117 audit_log_end(ab); 2118 } 2119 2120 int audit_log_task_context(struct audit_buffer *ab) 2121 { 2122 char *ctx = NULL; 2123 unsigned len; 2124 int error; 2125 u32 sid; 2126 2127 security_task_getsecid(current, &sid); 2128 if (!sid) 2129 return 0; 2130 2131 error = security_secid_to_secctx(sid, &ctx, &len); 2132 if (error) { 2133 if (error != -EINVAL) 2134 goto error_path; 2135 return 0; 2136 } 2137 2138 audit_log_format(ab, " subj=%s", ctx); 2139 security_release_secctx(ctx, len); 2140 return 0; 2141 2142 error_path: 2143 audit_panic("error in audit_log_task_context"); 2144 return error; 2145 } 2146 EXPORT_SYMBOL(audit_log_task_context); 2147 2148 void audit_log_d_path_exe(struct audit_buffer *ab, 2149 struct mm_struct *mm) 2150 { 2151 struct file *exe_file; 2152 2153 if (!mm) 2154 goto out_null; 2155 2156 exe_file = get_mm_exe_file(mm); 2157 if (!exe_file) 2158 goto out_null; 2159 2160 audit_log_d_path(ab, " exe=", &exe_file->f_path); 2161 fput(exe_file); 2162 return; 2163 out_null: 2164 audit_log_format(ab, " exe=(null)"); 2165 } 2166 2167 struct tty_struct *audit_get_tty(struct task_struct *tsk) 2168 { 2169 struct tty_struct *tty = NULL; 2170 unsigned long flags; 2171 2172 spin_lock_irqsave(&tsk->sighand->siglock, flags); 2173 if (tsk->signal) 2174 tty = tty_kref_get(tsk->signal->tty); 2175 spin_unlock_irqrestore(&tsk->sighand->siglock, flags); 2176 return tty; 2177 } 2178 2179 void audit_put_tty(struct tty_struct *tty) 2180 { 2181 tty_kref_put(tty); 2182 } 2183 2184 void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk) 2185 { 2186 const struct cred *cred; 2187 char comm[sizeof(tsk->comm)]; 2188 struct tty_struct *tty; 2189 2190 if (!ab) 2191 return; 2192 2193 /* tsk == current */ 2194 cred = current_cred(); 2195 tty = audit_get_tty(tsk); 2196 audit_log_format(ab, 2197 " ppid=%d pid=%d auid=%u uid=%u gid=%u" 2198 " euid=%u suid=%u fsuid=%u" 2199 " egid=%u sgid=%u fsgid=%u tty=%s ses=%u", 2200 task_ppid_nr(tsk), 2201 task_tgid_nr(tsk), 2202 from_kuid(&init_user_ns, audit_get_loginuid(tsk)), 2203 from_kuid(&init_user_ns, cred->uid), 2204 from_kgid(&init_user_ns, cred->gid), 2205 from_kuid(&init_user_ns, cred->euid), 2206 from_kuid(&init_user_ns, cred->suid), 2207 from_kuid(&init_user_ns, cred->fsuid), 2208 from_kgid(&init_user_ns, cred->egid), 2209 from_kgid(&init_user_ns, cred->sgid), 2210 from_kgid(&init_user_ns, cred->fsgid), 2211 tty ? tty_name(tty) : "(none)", 2212 audit_get_sessionid(tsk)); 2213 audit_put_tty(tty); 2214 audit_log_format(ab, " comm="); 2215 audit_log_untrustedstring(ab, get_task_comm(comm, tsk)); 2216 audit_log_d_path_exe(ab, tsk->mm); 2217 audit_log_task_context(ab); 2218 } 2219 EXPORT_SYMBOL(audit_log_task_info); 2220 2221 /** 2222 * audit_log_link_denied - report a link restriction denial 2223 * @operation: specific link operation 2224 * @link: the path that triggered the restriction 2225 */ 2226 void audit_log_link_denied(const char *operation, const struct path *link) 2227 { 2228 struct audit_buffer *ab; 2229 struct audit_names *name; 2230 2231 name = kzalloc(sizeof(*name), GFP_NOFS); 2232 if (!name) 2233 return; 2234 2235 /* Generate AUDIT_ANOM_LINK with subject, operation, outcome. */ 2236 ab = audit_log_start(current->audit_context, GFP_KERNEL, 2237 AUDIT_ANOM_LINK); 2238 if (!ab) 2239 goto out; 2240 audit_log_format(ab, "op=%s", operation); 2241 audit_log_task_info(ab, current); 2242 audit_log_format(ab, " res=0"); 2243 audit_log_end(ab); 2244 2245 /* Generate AUDIT_PATH record with object. */ 2246 name->type = AUDIT_TYPE_NORMAL; 2247 audit_copy_inode(name, link->dentry, d_backing_inode(link->dentry)); 2248 audit_log_name(current->audit_context, name, link, 0, NULL); 2249 out: 2250 kfree(name); 2251 } 2252 2253 /** 2254 * audit_log_end - end one audit record 2255 * @ab: the audit_buffer 2256 * 2257 * We can not do a netlink send inside an irq context because it blocks (last 2258 * arg, flags, is not set to MSG_DONTWAIT), so the audit buffer is placed on a 2259 * queue and a tasklet is scheduled to remove them from the queue outside the 2260 * irq context. May be called in any context. 2261 */ 2262 void audit_log_end(struct audit_buffer *ab) 2263 { 2264 struct sk_buff *skb; 2265 struct nlmsghdr *nlh; 2266 2267 if (!ab) 2268 return; 2269 2270 if (audit_rate_check()) { 2271 skb = ab->skb; 2272 ab->skb = NULL; 2273 2274 /* setup the netlink header, see the comments in 2275 * kauditd_send_multicast_skb() for length quirks */ 2276 nlh = nlmsg_hdr(skb); 2277 nlh->nlmsg_len = skb->len - NLMSG_HDRLEN; 2278 2279 /* queue the netlink packet and poke the kauditd thread */ 2280 skb_queue_tail(&audit_queue, skb); 2281 wake_up_interruptible(&kauditd_wait); 2282 } else 2283 audit_log_lost("rate limit exceeded"); 2284 2285 audit_buffer_free(ab); 2286 } 2287 2288 /** 2289 * audit_log - Log an audit record 2290 * @ctx: audit context 2291 * @gfp_mask: type of allocation 2292 * @type: audit message type 2293 * @fmt: format string to use 2294 * @...: variable parameters matching the format string 2295 * 2296 * This is a convenience function that calls audit_log_start, 2297 * audit_log_vformat, and audit_log_end. It may be called 2298 * in any context. 2299 */ 2300 void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, 2301 const char *fmt, ...) 2302 { 2303 struct audit_buffer *ab; 2304 va_list args; 2305 2306 ab = audit_log_start(ctx, gfp_mask, type); 2307 if (ab) { 2308 va_start(args, fmt); 2309 audit_log_vformat(ab, fmt, args); 2310 va_end(args); 2311 audit_log_end(ab); 2312 } 2313 } 2314 2315 #ifdef CONFIG_SECURITY 2316 /** 2317 * audit_log_secctx - Converts and logs SELinux context 2318 * @ab: audit_buffer 2319 * @secid: security number 2320 * 2321 * This is a helper function that calls security_secid_to_secctx to convert 2322 * secid to secctx and then adds the (converted) SELinux context to the audit 2323 * log by calling audit_log_format, thus also preventing leak of internal secid 2324 * to userspace. If secid cannot be converted audit_panic is called. 2325 */ 2326 void audit_log_secctx(struct audit_buffer *ab, u32 secid) 2327 { 2328 u32 len; 2329 char *secctx; 2330 2331 if (security_secid_to_secctx(secid, &secctx, &len)) { 2332 audit_panic("Cannot convert secid to context"); 2333 } else { 2334 audit_log_format(ab, " obj=%s", secctx); 2335 security_release_secctx(secctx, len); 2336 } 2337 } 2338 EXPORT_SYMBOL(audit_log_secctx); 2339 #endif 2340 2341 EXPORT_SYMBOL(audit_log_start); 2342 EXPORT_SYMBOL(audit_log_end); 2343 EXPORT_SYMBOL(audit_log_format); 2344 EXPORT_SYMBOL(audit_log); 2345