1 /* auditsc.c -- System-call auditing support 2 * Handles all system-call specific auditing features. 3 * 4 * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina. 5 * Copyright 2005 Hewlett-Packard Development Company, L.P. 6 * Copyright (C) 2005, 2006 IBM Corporation 7 * All Rights Reserved. 8 * 9 * This program is free software; you can redistribute it and/or modify 10 * it under the terms of the GNU General Public License as published by 11 * the Free Software Foundation; either version 2 of the License, or 12 * (at your option) any later version. 13 * 14 * This program is distributed in the hope that it will be useful, 15 * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 * GNU General Public License for more details. 18 * 19 * You should have received a copy of the GNU General Public License 20 * along with this program; if not, write to the Free Software 21 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 22 * 23 * Written by Rickard E. (Rik) Faith <faith@redhat.com> 24 * 25 * Many of the ideas implemented here are from Stephen C. Tweedie, 26 * especially the idea of avoiding a copy by using getname. 27 * 28 * The method for actual interception of syscall entry and exit (not in 29 * this file -- see entry.S) is based on a GPL'd patch written by 30 * okir@suse.de and Copyright 2003 SuSE Linux AG. 31 * 32 * POSIX message queue support added by George Wilson <ltcgcw@us.ibm.com>, 33 * 2006. 34 * 35 * The support of additional filter rules compares (>, <, >=, <=) was 36 * added by Dustin Kirkland <dustin.kirkland@us.ibm.com>, 2005. 37 * 38 * Modified by Amy Griffis <amy.griffis@hp.com> to collect additional 39 * filesystem information. 40 * 41 * Subject and object context labeling support added by <danjones@us.ibm.com> 42 * and <dustin.kirkland@us.ibm.com> for LSPP certification compliance. 43 */ 44 45 #include <linux/init.h> 46 #include <asm/types.h> 47 #include <asm/atomic.h> 48 #include <asm/types.h> 49 #include <linux/fs.h> 50 #include <linux/namei.h> 51 #include <linux/mm.h> 52 #include <linux/module.h> 53 #include <linux/mount.h> 54 #include <linux/socket.h> 55 #include <linux/mqueue.h> 56 #include <linux/audit.h> 57 #include <linux/personality.h> 58 #include <linux/time.h> 59 #include <linux/netlink.h> 60 #include <linux/compiler.h> 61 #include <asm/unistd.h> 62 #include <linux/security.h> 63 #include <linux/list.h> 64 #include <linux/tty.h> 65 #include <linux/selinux.h> 66 #include <linux/binfmts.h> 67 #include <linux/syscalls.h> 68 69 #include "audit.h" 70 71 extern struct list_head audit_filter_list[]; 72 73 /* No syscall auditing will take place unless audit_enabled != 0. */ 74 extern int audit_enabled; 75 76 /* AUDIT_NAMES is the number of slots we reserve in the audit_context 77 * for saving names from getname(). */ 78 #define AUDIT_NAMES 20 79 80 /* AUDIT_NAMES_RESERVED is the number of slots we reserve in the 81 * audit_context from being used for nameless inodes from 82 * path_lookup. */ 83 #define AUDIT_NAMES_RESERVED 7 84 85 /* Indicates that audit should log the full pathname. */ 86 #define AUDIT_NAME_FULL -1 87 88 /* When fs/namei.c:getname() is called, we store the pointer in name and 89 * we don't let putname() free it (instead we free all of the saved 90 * pointers at syscall exit time). 91 * 92 * Further, in fs/namei.c:path_lookup() we store the inode and device. */ 93 struct audit_names { 94 const char *name; 95 int name_len; /* number of name's characters to log */ 96 unsigned name_put; /* call __putname() for this name */ 97 unsigned long ino; 98 dev_t dev; 99 umode_t mode; 100 uid_t uid; 101 gid_t gid; 102 dev_t rdev; 103 u32 osid; 104 }; 105 106 struct audit_aux_data { 107 struct audit_aux_data *next; 108 int type; 109 }; 110 111 #define AUDIT_AUX_IPCPERM 0 112 113 struct audit_aux_data_mq_open { 114 struct audit_aux_data d; 115 int oflag; 116 mode_t mode; 117 struct mq_attr attr; 118 }; 119 120 struct audit_aux_data_mq_sendrecv { 121 struct audit_aux_data d; 122 mqd_t mqdes; 123 size_t msg_len; 124 unsigned int msg_prio; 125 struct timespec abs_timeout; 126 }; 127 128 struct audit_aux_data_mq_notify { 129 struct audit_aux_data d; 130 mqd_t mqdes; 131 struct sigevent notification; 132 }; 133 134 struct audit_aux_data_mq_getsetattr { 135 struct audit_aux_data d; 136 mqd_t mqdes; 137 struct mq_attr mqstat; 138 }; 139 140 struct audit_aux_data_ipcctl { 141 struct audit_aux_data d; 142 struct ipc_perm p; 143 unsigned long qbytes; 144 uid_t uid; 145 gid_t gid; 146 mode_t mode; 147 u32 osid; 148 }; 149 150 struct audit_aux_data_execve { 151 struct audit_aux_data d; 152 int argc; 153 int envc; 154 char mem[0]; 155 }; 156 157 struct audit_aux_data_socketcall { 158 struct audit_aux_data d; 159 int nargs; 160 unsigned long args[0]; 161 }; 162 163 struct audit_aux_data_sockaddr { 164 struct audit_aux_data d; 165 int len; 166 char a[0]; 167 }; 168 169 struct audit_aux_data_path { 170 struct audit_aux_data d; 171 struct dentry *dentry; 172 struct vfsmount *mnt; 173 }; 174 175 /* The per-task audit context. */ 176 struct audit_context { 177 int in_syscall; /* 1 if task is in a syscall */ 178 enum audit_state state; 179 unsigned int serial; /* serial number for record */ 180 struct timespec ctime; /* time of syscall entry */ 181 uid_t loginuid; /* login uid (identity) */ 182 int major; /* syscall number */ 183 unsigned long argv[4]; /* syscall arguments */ 184 int return_valid; /* return code is valid */ 185 long return_code;/* syscall return code */ 186 int auditable; /* 1 if record should be written */ 187 int name_count; 188 struct audit_names names[AUDIT_NAMES]; 189 struct dentry * pwd; 190 struct vfsmount * pwdmnt; 191 struct audit_context *previous; /* For nested syscalls */ 192 struct audit_aux_data *aux; 193 194 /* Save things to print about task_struct */ 195 pid_t pid, ppid; 196 uid_t uid, euid, suid, fsuid; 197 gid_t gid, egid, sgid, fsgid; 198 unsigned long personality; 199 int arch; 200 201 #if AUDIT_DEBUG 202 int put_count; 203 int ino_count; 204 #endif 205 }; 206 207 /* Determine if any context name data matches a rule's watch data */ 208 /* Compare a task_struct with an audit_rule. Return 1 on match, 0 209 * otherwise. */ 210 static int audit_filter_rules(struct task_struct *tsk, 211 struct audit_krule *rule, 212 struct audit_context *ctx, 213 struct audit_names *name, 214 enum audit_state *state) 215 { 216 int i, j, need_sid = 1; 217 u32 sid; 218 219 for (i = 0; i < rule->field_count; i++) { 220 struct audit_field *f = &rule->fields[i]; 221 int result = 0; 222 223 switch (f->type) { 224 case AUDIT_PID: 225 result = audit_comparator(tsk->pid, f->op, f->val); 226 break; 227 case AUDIT_PPID: 228 if (ctx) 229 result = audit_comparator(ctx->ppid, f->op, f->val); 230 break; 231 case AUDIT_UID: 232 result = audit_comparator(tsk->uid, f->op, f->val); 233 break; 234 case AUDIT_EUID: 235 result = audit_comparator(tsk->euid, f->op, f->val); 236 break; 237 case AUDIT_SUID: 238 result = audit_comparator(tsk->suid, f->op, f->val); 239 break; 240 case AUDIT_FSUID: 241 result = audit_comparator(tsk->fsuid, f->op, f->val); 242 break; 243 case AUDIT_GID: 244 result = audit_comparator(tsk->gid, f->op, f->val); 245 break; 246 case AUDIT_EGID: 247 result = audit_comparator(tsk->egid, f->op, f->val); 248 break; 249 case AUDIT_SGID: 250 result = audit_comparator(tsk->sgid, f->op, f->val); 251 break; 252 case AUDIT_FSGID: 253 result = audit_comparator(tsk->fsgid, f->op, f->val); 254 break; 255 case AUDIT_PERS: 256 result = audit_comparator(tsk->personality, f->op, f->val); 257 break; 258 case AUDIT_ARCH: 259 if (ctx) 260 result = audit_comparator(ctx->arch, f->op, f->val); 261 break; 262 263 case AUDIT_EXIT: 264 if (ctx && ctx->return_valid) 265 result = audit_comparator(ctx->return_code, f->op, f->val); 266 break; 267 case AUDIT_SUCCESS: 268 if (ctx && ctx->return_valid) { 269 if (f->val) 270 result = audit_comparator(ctx->return_valid, f->op, AUDITSC_SUCCESS); 271 else 272 result = audit_comparator(ctx->return_valid, f->op, AUDITSC_FAILURE); 273 } 274 break; 275 case AUDIT_DEVMAJOR: 276 if (name) 277 result = audit_comparator(MAJOR(name->dev), 278 f->op, f->val); 279 else if (ctx) { 280 for (j = 0; j < ctx->name_count; j++) { 281 if (audit_comparator(MAJOR(ctx->names[j].dev), f->op, f->val)) { 282 ++result; 283 break; 284 } 285 } 286 } 287 break; 288 case AUDIT_DEVMINOR: 289 if (name) 290 result = audit_comparator(MINOR(name->dev), 291 f->op, f->val); 292 else if (ctx) { 293 for (j = 0; j < ctx->name_count; j++) { 294 if (audit_comparator(MINOR(ctx->names[j].dev), f->op, f->val)) { 295 ++result; 296 break; 297 } 298 } 299 } 300 break; 301 case AUDIT_INODE: 302 if (name) 303 result = (name->ino == f->val); 304 else if (ctx) { 305 for (j = 0; j < ctx->name_count; j++) { 306 if (audit_comparator(ctx->names[j].ino, f->op, f->val)) { 307 ++result; 308 break; 309 } 310 } 311 } 312 break; 313 case AUDIT_WATCH: 314 if (name && rule->watch->ino != (unsigned long)-1) 315 result = (name->dev == rule->watch->dev && 316 name->ino == rule->watch->ino); 317 break; 318 case AUDIT_LOGINUID: 319 result = 0; 320 if (ctx) 321 result = audit_comparator(ctx->loginuid, f->op, f->val); 322 break; 323 case AUDIT_SE_USER: 324 case AUDIT_SE_ROLE: 325 case AUDIT_SE_TYPE: 326 case AUDIT_SE_SEN: 327 case AUDIT_SE_CLR: 328 /* NOTE: this may return negative values indicating 329 a temporary error. We simply treat this as a 330 match for now to avoid losing information that 331 may be wanted. An error message will also be 332 logged upon error */ 333 if (f->se_rule) { 334 if (need_sid) { 335 selinux_task_ctxid(tsk, &sid); 336 need_sid = 0; 337 } 338 result = selinux_audit_rule_match(sid, f->type, 339 f->op, 340 f->se_rule, 341 ctx); 342 } 343 break; 344 case AUDIT_ARG0: 345 case AUDIT_ARG1: 346 case AUDIT_ARG2: 347 case AUDIT_ARG3: 348 if (ctx) 349 result = audit_comparator(ctx->argv[f->type-AUDIT_ARG0], f->op, f->val); 350 break; 351 } 352 353 if (!result) 354 return 0; 355 } 356 switch (rule->action) { 357 case AUDIT_NEVER: *state = AUDIT_DISABLED; break; 358 case AUDIT_ALWAYS: *state = AUDIT_RECORD_CONTEXT; break; 359 } 360 return 1; 361 } 362 363 /* At process creation time, we can determine if system-call auditing is 364 * completely disabled for this task. Since we only have the task 365 * structure at this point, we can only check uid and gid. 366 */ 367 static enum audit_state audit_filter_task(struct task_struct *tsk) 368 { 369 struct audit_entry *e; 370 enum audit_state state; 371 372 rcu_read_lock(); 373 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TASK], list) { 374 if (audit_filter_rules(tsk, &e->rule, NULL, NULL, &state)) { 375 rcu_read_unlock(); 376 return state; 377 } 378 } 379 rcu_read_unlock(); 380 return AUDIT_BUILD_CONTEXT; 381 } 382 383 /* At syscall entry and exit time, this filter is called if the 384 * audit_state is not low enough that auditing cannot take place, but is 385 * also not high enough that we already know we have to write an audit 386 * record (i.e., the state is AUDIT_SETUP_CONTEXT or AUDIT_BUILD_CONTEXT). 387 */ 388 static enum audit_state audit_filter_syscall(struct task_struct *tsk, 389 struct audit_context *ctx, 390 struct list_head *list) 391 { 392 struct audit_entry *e; 393 enum audit_state state; 394 395 if (audit_pid && tsk->tgid == audit_pid) 396 return AUDIT_DISABLED; 397 398 rcu_read_lock(); 399 if (!list_empty(list)) { 400 int word = AUDIT_WORD(ctx->major); 401 int bit = AUDIT_BIT(ctx->major); 402 403 list_for_each_entry_rcu(e, list, list) { 404 if ((e->rule.mask[word] & bit) == bit && 405 audit_filter_rules(tsk, &e->rule, ctx, NULL, 406 &state)) { 407 rcu_read_unlock(); 408 return state; 409 } 410 } 411 } 412 rcu_read_unlock(); 413 return AUDIT_BUILD_CONTEXT; 414 } 415 416 /* At syscall exit time, this filter is called if any audit_names[] have been 417 * collected during syscall processing. We only check rules in sublists at hash 418 * buckets applicable to the inode numbers in audit_names[]. 419 * Regarding audit_state, same rules apply as for audit_filter_syscall(). 420 */ 421 enum audit_state audit_filter_inodes(struct task_struct *tsk, 422 struct audit_context *ctx) 423 { 424 int i; 425 struct audit_entry *e; 426 enum audit_state state; 427 428 if (audit_pid && tsk->tgid == audit_pid) 429 return AUDIT_DISABLED; 430 431 rcu_read_lock(); 432 for (i = 0; i < ctx->name_count; i++) { 433 int word = AUDIT_WORD(ctx->major); 434 int bit = AUDIT_BIT(ctx->major); 435 struct audit_names *n = &ctx->names[i]; 436 int h = audit_hash_ino((u32)n->ino); 437 struct list_head *list = &audit_inode_hash[h]; 438 439 if (list_empty(list)) 440 continue; 441 442 list_for_each_entry_rcu(e, list, list) { 443 if ((e->rule.mask[word] & bit) == bit && 444 audit_filter_rules(tsk, &e->rule, ctx, n, &state)) { 445 rcu_read_unlock(); 446 return state; 447 } 448 } 449 } 450 rcu_read_unlock(); 451 return AUDIT_BUILD_CONTEXT; 452 } 453 454 void audit_set_auditable(struct audit_context *ctx) 455 { 456 ctx->auditable = 1; 457 } 458 459 static inline struct audit_context *audit_get_context(struct task_struct *tsk, 460 int return_valid, 461 int return_code) 462 { 463 struct audit_context *context = tsk->audit_context; 464 465 if (likely(!context)) 466 return NULL; 467 context->return_valid = return_valid; 468 context->return_code = return_code; 469 470 if (context->in_syscall && !context->auditable) { 471 enum audit_state state; 472 473 state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_EXIT]); 474 if (state == AUDIT_RECORD_CONTEXT) { 475 context->auditable = 1; 476 goto get_context; 477 } 478 479 state = audit_filter_inodes(tsk, context); 480 if (state == AUDIT_RECORD_CONTEXT) 481 context->auditable = 1; 482 483 } 484 485 get_context: 486 context->pid = tsk->pid; 487 context->ppid = sys_getppid(); /* sic. tsk == current in all cases */ 488 context->uid = tsk->uid; 489 context->gid = tsk->gid; 490 context->euid = tsk->euid; 491 context->suid = tsk->suid; 492 context->fsuid = tsk->fsuid; 493 context->egid = tsk->egid; 494 context->sgid = tsk->sgid; 495 context->fsgid = tsk->fsgid; 496 context->personality = tsk->personality; 497 tsk->audit_context = NULL; 498 return context; 499 } 500 501 static inline void audit_free_names(struct audit_context *context) 502 { 503 int i; 504 505 #if AUDIT_DEBUG == 2 506 if (context->auditable 507 ||context->put_count + context->ino_count != context->name_count) { 508 printk(KERN_ERR "%s:%d(:%d): major=%d in_syscall=%d" 509 " name_count=%d put_count=%d" 510 " ino_count=%d [NOT freeing]\n", 511 __FILE__, __LINE__, 512 context->serial, context->major, context->in_syscall, 513 context->name_count, context->put_count, 514 context->ino_count); 515 for (i = 0; i < context->name_count; i++) { 516 printk(KERN_ERR "names[%d] = %p = %s\n", i, 517 context->names[i].name, 518 context->names[i].name ?: "(null)"); 519 } 520 dump_stack(); 521 return; 522 } 523 #endif 524 #if AUDIT_DEBUG 525 context->put_count = 0; 526 context->ino_count = 0; 527 #endif 528 529 for (i = 0; i < context->name_count; i++) { 530 if (context->names[i].name && context->names[i].name_put) 531 __putname(context->names[i].name); 532 } 533 context->name_count = 0; 534 if (context->pwd) 535 dput(context->pwd); 536 if (context->pwdmnt) 537 mntput(context->pwdmnt); 538 context->pwd = NULL; 539 context->pwdmnt = NULL; 540 } 541 542 static inline void audit_free_aux(struct audit_context *context) 543 { 544 struct audit_aux_data *aux; 545 546 while ((aux = context->aux)) { 547 if (aux->type == AUDIT_AVC_PATH) { 548 struct audit_aux_data_path *axi = (void *)aux; 549 dput(axi->dentry); 550 mntput(axi->mnt); 551 } 552 553 context->aux = aux->next; 554 kfree(aux); 555 } 556 } 557 558 static inline void audit_zero_context(struct audit_context *context, 559 enum audit_state state) 560 { 561 uid_t loginuid = context->loginuid; 562 563 memset(context, 0, sizeof(*context)); 564 context->state = state; 565 context->loginuid = loginuid; 566 } 567 568 static inline struct audit_context *audit_alloc_context(enum audit_state state) 569 { 570 struct audit_context *context; 571 572 if (!(context = kmalloc(sizeof(*context), GFP_KERNEL))) 573 return NULL; 574 audit_zero_context(context, state); 575 return context; 576 } 577 578 /** 579 * audit_alloc - allocate an audit context block for a task 580 * @tsk: task 581 * 582 * Filter on the task information and allocate a per-task audit context 583 * if necessary. Doing so turns on system call auditing for the 584 * specified task. This is called from copy_process, so no lock is 585 * needed. 586 */ 587 int audit_alloc(struct task_struct *tsk) 588 { 589 struct audit_context *context; 590 enum audit_state state; 591 592 if (likely(!audit_enabled)) 593 return 0; /* Return if not auditing. */ 594 595 state = audit_filter_task(tsk); 596 if (likely(state == AUDIT_DISABLED)) 597 return 0; 598 599 if (!(context = audit_alloc_context(state))) { 600 audit_log_lost("out of memory in audit_alloc"); 601 return -ENOMEM; 602 } 603 604 /* Preserve login uid */ 605 context->loginuid = -1; 606 if (current->audit_context) 607 context->loginuid = current->audit_context->loginuid; 608 609 tsk->audit_context = context; 610 set_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT); 611 return 0; 612 } 613 614 static inline void audit_free_context(struct audit_context *context) 615 { 616 struct audit_context *previous; 617 int count = 0; 618 619 do { 620 previous = context->previous; 621 if (previous || (count && count < 10)) { 622 ++count; 623 printk(KERN_ERR "audit(:%d): major=%d name_count=%d:" 624 " freeing multiple contexts (%d)\n", 625 context->serial, context->major, 626 context->name_count, count); 627 } 628 audit_free_names(context); 629 audit_free_aux(context); 630 kfree(context); 631 context = previous; 632 } while (context); 633 if (count >= 10) 634 printk(KERN_ERR "audit: freed %d contexts\n", count); 635 } 636 637 static void audit_log_task_context(struct audit_buffer *ab) 638 { 639 char *ctx = NULL; 640 ssize_t len = 0; 641 642 len = security_getprocattr(current, "current", NULL, 0); 643 if (len < 0) { 644 if (len != -EINVAL) 645 goto error_path; 646 return; 647 } 648 649 ctx = kmalloc(len, GFP_KERNEL); 650 if (!ctx) 651 goto error_path; 652 653 len = security_getprocattr(current, "current", ctx, len); 654 if (len < 0 ) 655 goto error_path; 656 657 audit_log_format(ab, " subj=%s", ctx); 658 return; 659 660 error_path: 661 kfree(ctx); 662 audit_panic("error in audit_log_task_context"); 663 return; 664 } 665 666 static void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk) 667 { 668 char name[sizeof(tsk->comm)]; 669 struct mm_struct *mm = tsk->mm; 670 struct vm_area_struct *vma; 671 672 /* tsk == current */ 673 674 get_task_comm(name, tsk); 675 audit_log_format(ab, " comm="); 676 audit_log_untrustedstring(ab, name); 677 678 if (mm) { 679 down_read(&mm->mmap_sem); 680 vma = mm->mmap; 681 while (vma) { 682 if ((vma->vm_flags & VM_EXECUTABLE) && 683 vma->vm_file) { 684 audit_log_d_path(ab, "exe=", 685 vma->vm_file->f_dentry, 686 vma->vm_file->f_vfsmnt); 687 break; 688 } 689 vma = vma->vm_next; 690 } 691 up_read(&mm->mmap_sem); 692 } 693 audit_log_task_context(ab); 694 } 695 696 static void audit_log_exit(struct audit_context *context, struct task_struct *tsk) 697 { 698 int i, call_panic = 0; 699 struct audit_buffer *ab; 700 struct audit_aux_data *aux; 701 const char *tty; 702 703 /* tsk == current */ 704 705 ab = audit_log_start(context, GFP_KERNEL, AUDIT_SYSCALL); 706 if (!ab) 707 return; /* audit_panic has been called */ 708 audit_log_format(ab, "arch=%x syscall=%d", 709 context->arch, context->major); 710 if (context->personality != PER_LINUX) 711 audit_log_format(ab, " per=%lx", context->personality); 712 if (context->return_valid) 713 audit_log_format(ab, " success=%s exit=%ld", 714 (context->return_valid==AUDITSC_SUCCESS)?"yes":"no", 715 context->return_code); 716 if (tsk->signal && tsk->signal->tty && tsk->signal->tty->name) 717 tty = tsk->signal->tty->name; 718 else 719 tty = "(none)"; 720 audit_log_format(ab, 721 " a0=%lx a1=%lx a2=%lx a3=%lx items=%d" 722 " ppid=%d pid=%d auid=%u uid=%u gid=%u" 723 " euid=%u suid=%u fsuid=%u" 724 " egid=%u sgid=%u fsgid=%u tty=%s", 725 context->argv[0], 726 context->argv[1], 727 context->argv[2], 728 context->argv[3], 729 context->name_count, 730 context->ppid, 731 context->pid, 732 context->loginuid, 733 context->uid, 734 context->gid, 735 context->euid, context->suid, context->fsuid, 736 context->egid, context->sgid, context->fsgid, tty); 737 audit_log_task_info(ab, tsk); 738 audit_log_end(ab); 739 740 for (aux = context->aux; aux; aux = aux->next) { 741 742 ab = audit_log_start(context, GFP_KERNEL, aux->type); 743 if (!ab) 744 continue; /* audit_panic has been called */ 745 746 switch (aux->type) { 747 case AUDIT_MQ_OPEN: { 748 struct audit_aux_data_mq_open *axi = (void *)aux; 749 audit_log_format(ab, 750 "oflag=0x%x mode=%#o mq_flags=0x%lx mq_maxmsg=%ld " 751 "mq_msgsize=%ld mq_curmsgs=%ld", 752 axi->oflag, axi->mode, axi->attr.mq_flags, 753 axi->attr.mq_maxmsg, axi->attr.mq_msgsize, 754 axi->attr.mq_curmsgs); 755 break; } 756 757 case AUDIT_MQ_SENDRECV: { 758 struct audit_aux_data_mq_sendrecv *axi = (void *)aux; 759 audit_log_format(ab, 760 "mqdes=%d msg_len=%zd msg_prio=%u " 761 "abs_timeout_sec=%ld abs_timeout_nsec=%ld", 762 axi->mqdes, axi->msg_len, axi->msg_prio, 763 axi->abs_timeout.tv_sec, axi->abs_timeout.tv_nsec); 764 break; } 765 766 case AUDIT_MQ_NOTIFY: { 767 struct audit_aux_data_mq_notify *axi = (void *)aux; 768 audit_log_format(ab, 769 "mqdes=%d sigev_signo=%d", 770 axi->mqdes, 771 axi->notification.sigev_signo); 772 break; } 773 774 case AUDIT_MQ_GETSETATTR: { 775 struct audit_aux_data_mq_getsetattr *axi = (void *)aux; 776 audit_log_format(ab, 777 "mqdes=%d mq_flags=0x%lx mq_maxmsg=%ld mq_msgsize=%ld " 778 "mq_curmsgs=%ld ", 779 axi->mqdes, 780 axi->mqstat.mq_flags, axi->mqstat.mq_maxmsg, 781 axi->mqstat.mq_msgsize, axi->mqstat.mq_curmsgs); 782 break; } 783 784 case AUDIT_IPC: { 785 struct audit_aux_data_ipcctl *axi = (void *)aux; 786 audit_log_format(ab, 787 "ouid=%u ogid=%u mode=%x", 788 axi->uid, axi->gid, axi->mode); 789 if (axi->osid != 0) { 790 char *ctx = NULL; 791 u32 len; 792 if (selinux_ctxid_to_string( 793 axi->osid, &ctx, &len)) { 794 audit_log_format(ab, " osid=%u", 795 axi->osid); 796 call_panic = 1; 797 } else 798 audit_log_format(ab, " obj=%s", ctx); 799 kfree(ctx); 800 } 801 break; } 802 803 case AUDIT_IPC_SET_PERM: { 804 struct audit_aux_data_ipcctl *axi = (void *)aux; 805 audit_log_format(ab, 806 "qbytes=%lx ouid=%u ogid=%u mode=%x", 807 axi->qbytes, axi->uid, axi->gid, axi->mode); 808 break; } 809 810 case AUDIT_EXECVE: { 811 struct audit_aux_data_execve *axi = (void *)aux; 812 int i; 813 const char *p; 814 for (i = 0, p = axi->mem; i < axi->argc; i++) { 815 audit_log_format(ab, "a%d=", i); 816 p = audit_log_untrustedstring(ab, p); 817 audit_log_format(ab, "\n"); 818 } 819 break; } 820 821 case AUDIT_SOCKETCALL: { 822 int i; 823 struct audit_aux_data_socketcall *axs = (void *)aux; 824 audit_log_format(ab, "nargs=%d", axs->nargs); 825 for (i=0; i<axs->nargs; i++) 826 audit_log_format(ab, " a%d=%lx", i, axs->args[i]); 827 break; } 828 829 case AUDIT_SOCKADDR: { 830 struct audit_aux_data_sockaddr *axs = (void *)aux; 831 832 audit_log_format(ab, "saddr="); 833 audit_log_hex(ab, axs->a, axs->len); 834 break; } 835 836 case AUDIT_AVC_PATH: { 837 struct audit_aux_data_path *axi = (void *)aux; 838 audit_log_d_path(ab, "path=", axi->dentry, axi->mnt); 839 break; } 840 841 } 842 audit_log_end(ab); 843 } 844 845 if (context->pwd && context->pwdmnt) { 846 ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD); 847 if (ab) { 848 audit_log_d_path(ab, "cwd=", context->pwd, context->pwdmnt); 849 audit_log_end(ab); 850 } 851 } 852 for (i = 0; i < context->name_count; i++) { 853 struct audit_names *n = &context->names[i]; 854 855 ab = audit_log_start(context, GFP_KERNEL, AUDIT_PATH); 856 if (!ab) 857 continue; /* audit_panic has been called */ 858 859 audit_log_format(ab, "item=%d", i); 860 861 if (n->name) { 862 switch(n->name_len) { 863 case AUDIT_NAME_FULL: 864 /* log the full path */ 865 audit_log_format(ab, " name="); 866 audit_log_untrustedstring(ab, n->name); 867 break; 868 case 0: 869 /* name was specified as a relative path and the 870 * directory component is the cwd */ 871 audit_log_d_path(ab, " name=", context->pwd, 872 context->pwdmnt); 873 break; 874 default: 875 /* log the name's directory component */ 876 audit_log_format(ab, " name="); 877 audit_log_n_untrustedstring(ab, n->name_len, 878 n->name); 879 } 880 } else 881 audit_log_format(ab, " name=(null)"); 882 883 if (n->ino != (unsigned long)-1) { 884 audit_log_format(ab, " inode=%lu" 885 " dev=%02x:%02x mode=%#o" 886 " ouid=%u ogid=%u rdev=%02x:%02x", 887 n->ino, 888 MAJOR(n->dev), 889 MINOR(n->dev), 890 n->mode, 891 n->uid, 892 n->gid, 893 MAJOR(n->rdev), 894 MINOR(n->rdev)); 895 } 896 if (n->osid != 0) { 897 char *ctx = NULL; 898 u32 len; 899 if (selinux_ctxid_to_string( 900 n->osid, &ctx, &len)) { 901 audit_log_format(ab, " osid=%u", n->osid); 902 call_panic = 2; 903 } else 904 audit_log_format(ab, " obj=%s", ctx); 905 kfree(ctx); 906 } 907 908 audit_log_end(ab); 909 } 910 if (call_panic) 911 audit_panic("error converting sid to string"); 912 } 913 914 /** 915 * audit_free - free a per-task audit context 916 * @tsk: task whose audit context block to free 917 * 918 * Called from copy_process and do_exit 919 */ 920 void audit_free(struct task_struct *tsk) 921 { 922 struct audit_context *context; 923 924 context = audit_get_context(tsk, 0, 0); 925 if (likely(!context)) 926 return; 927 928 /* Check for system calls that do not go through the exit 929 * function (e.g., exit_group), then free context block. 930 * We use GFP_ATOMIC here because we might be doing this 931 * in the context of the idle thread */ 932 /* that can happen only if we are called from do_exit() */ 933 if (context->in_syscall && context->auditable) 934 audit_log_exit(context, tsk); 935 936 audit_free_context(context); 937 } 938 939 /** 940 * audit_syscall_entry - fill in an audit record at syscall entry 941 * @tsk: task being audited 942 * @arch: architecture type 943 * @major: major syscall type (function) 944 * @a1: additional syscall register 1 945 * @a2: additional syscall register 2 946 * @a3: additional syscall register 3 947 * @a4: additional syscall register 4 948 * 949 * Fill in audit context at syscall entry. This only happens if the 950 * audit context was created when the task was created and the state or 951 * filters demand the audit context be built. If the state from the 952 * per-task filter or from the per-syscall filter is AUDIT_RECORD_CONTEXT, 953 * then the record will be written at syscall exit time (otherwise, it 954 * will only be written if another part of the kernel requests that it 955 * be written). 956 */ 957 void audit_syscall_entry(int arch, int major, 958 unsigned long a1, unsigned long a2, 959 unsigned long a3, unsigned long a4) 960 { 961 struct task_struct *tsk = current; 962 struct audit_context *context = tsk->audit_context; 963 enum audit_state state; 964 965 BUG_ON(!context); 966 967 /* 968 * This happens only on certain architectures that make system 969 * calls in kernel_thread via the entry.S interface, instead of 970 * with direct calls. (If you are porting to a new 971 * architecture, hitting this condition can indicate that you 972 * got the _exit/_leave calls backward in entry.S.) 973 * 974 * i386 no 975 * x86_64 no 976 * ppc64 yes (see arch/powerpc/platforms/iseries/misc.S) 977 * 978 * This also happens with vm86 emulation in a non-nested manner 979 * (entries without exits), so this case must be caught. 980 */ 981 if (context->in_syscall) { 982 struct audit_context *newctx; 983 984 #if AUDIT_DEBUG 985 printk(KERN_ERR 986 "audit(:%d) pid=%d in syscall=%d;" 987 " entering syscall=%d\n", 988 context->serial, tsk->pid, context->major, major); 989 #endif 990 newctx = audit_alloc_context(context->state); 991 if (newctx) { 992 newctx->previous = context; 993 context = newctx; 994 tsk->audit_context = newctx; 995 } else { 996 /* If we can't alloc a new context, the best we 997 * can do is to leak memory (any pending putname 998 * will be lost). The only other alternative is 999 * to abandon auditing. */ 1000 audit_zero_context(context, context->state); 1001 } 1002 } 1003 BUG_ON(context->in_syscall || context->name_count); 1004 1005 if (!audit_enabled) 1006 return; 1007 1008 context->arch = arch; 1009 context->major = major; 1010 context->argv[0] = a1; 1011 context->argv[1] = a2; 1012 context->argv[2] = a3; 1013 context->argv[3] = a4; 1014 1015 state = context->state; 1016 if (state == AUDIT_SETUP_CONTEXT || state == AUDIT_BUILD_CONTEXT) 1017 state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_ENTRY]); 1018 if (likely(state == AUDIT_DISABLED)) 1019 return; 1020 1021 context->serial = 0; 1022 context->ctime = CURRENT_TIME; 1023 context->in_syscall = 1; 1024 context->auditable = !!(state == AUDIT_RECORD_CONTEXT); 1025 } 1026 1027 /** 1028 * audit_syscall_exit - deallocate audit context after a system call 1029 * @tsk: task being audited 1030 * @valid: success/failure flag 1031 * @return_code: syscall return value 1032 * 1033 * Tear down after system call. If the audit context has been marked as 1034 * auditable (either because of the AUDIT_RECORD_CONTEXT state from 1035 * filtering, or because some other part of the kernel write an audit 1036 * message), then write out the syscall information. In call cases, 1037 * free the names stored from getname(). 1038 */ 1039 void audit_syscall_exit(int valid, long return_code) 1040 { 1041 struct task_struct *tsk = current; 1042 struct audit_context *context; 1043 1044 context = audit_get_context(tsk, valid, return_code); 1045 1046 if (likely(!context)) 1047 return; 1048 1049 if (context->in_syscall && context->auditable) 1050 audit_log_exit(context, tsk); 1051 1052 context->in_syscall = 0; 1053 context->auditable = 0; 1054 1055 if (context->previous) { 1056 struct audit_context *new_context = context->previous; 1057 context->previous = NULL; 1058 audit_free_context(context); 1059 tsk->audit_context = new_context; 1060 } else { 1061 audit_free_names(context); 1062 audit_free_aux(context); 1063 tsk->audit_context = context; 1064 } 1065 } 1066 1067 /** 1068 * audit_getname - add a name to the list 1069 * @name: name to add 1070 * 1071 * Add a name to the list of audit names for this context. 1072 * Called from fs/namei.c:getname(). 1073 */ 1074 void __audit_getname(const char *name) 1075 { 1076 struct audit_context *context = current->audit_context; 1077 1078 if (IS_ERR(name) || !name) 1079 return; 1080 1081 if (!context->in_syscall) { 1082 #if AUDIT_DEBUG == 2 1083 printk(KERN_ERR "%s:%d(:%d): ignoring getname(%p)\n", 1084 __FILE__, __LINE__, context->serial, name); 1085 dump_stack(); 1086 #endif 1087 return; 1088 } 1089 BUG_ON(context->name_count >= AUDIT_NAMES); 1090 context->names[context->name_count].name = name; 1091 context->names[context->name_count].name_len = AUDIT_NAME_FULL; 1092 context->names[context->name_count].name_put = 1; 1093 context->names[context->name_count].ino = (unsigned long)-1; 1094 ++context->name_count; 1095 if (!context->pwd) { 1096 read_lock(¤t->fs->lock); 1097 context->pwd = dget(current->fs->pwd); 1098 context->pwdmnt = mntget(current->fs->pwdmnt); 1099 read_unlock(¤t->fs->lock); 1100 } 1101 1102 } 1103 1104 /* audit_putname - intercept a putname request 1105 * @name: name to intercept and delay for putname 1106 * 1107 * If we have stored the name from getname in the audit context, 1108 * then we delay the putname until syscall exit. 1109 * Called from include/linux/fs.h:putname(). 1110 */ 1111 void audit_putname(const char *name) 1112 { 1113 struct audit_context *context = current->audit_context; 1114 1115 BUG_ON(!context); 1116 if (!context->in_syscall) { 1117 #if AUDIT_DEBUG == 2 1118 printk(KERN_ERR "%s:%d(:%d): __putname(%p)\n", 1119 __FILE__, __LINE__, context->serial, name); 1120 if (context->name_count) { 1121 int i; 1122 for (i = 0; i < context->name_count; i++) 1123 printk(KERN_ERR "name[%d] = %p = %s\n", i, 1124 context->names[i].name, 1125 context->names[i].name ?: "(null)"); 1126 } 1127 #endif 1128 __putname(name); 1129 } 1130 #if AUDIT_DEBUG 1131 else { 1132 ++context->put_count; 1133 if (context->put_count > context->name_count) { 1134 printk(KERN_ERR "%s:%d(:%d): major=%d" 1135 " in_syscall=%d putname(%p) name_count=%d" 1136 " put_count=%d\n", 1137 __FILE__, __LINE__, 1138 context->serial, context->major, 1139 context->in_syscall, name, context->name_count, 1140 context->put_count); 1141 dump_stack(); 1142 } 1143 } 1144 #endif 1145 } 1146 1147 static void audit_inode_context(int idx, const struct inode *inode) 1148 { 1149 struct audit_context *context = current->audit_context; 1150 1151 selinux_get_inode_sid(inode, &context->names[idx].osid); 1152 } 1153 1154 1155 /** 1156 * audit_inode - store the inode and device from a lookup 1157 * @name: name being audited 1158 * @inode: inode being audited 1159 * 1160 * Called from fs/namei.c:path_lookup(). 1161 */ 1162 void __audit_inode(const char *name, const struct inode *inode) 1163 { 1164 int idx; 1165 struct audit_context *context = current->audit_context; 1166 1167 if (!context->in_syscall) 1168 return; 1169 if (context->name_count 1170 && context->names[context->name_count-1].name 1171 && context->names[context->name_count-1].name == name) 1172 idx = context->name_count - 1; 1173 else if (context->name_count > 1 1174 && context->names[context->name_count-2].name 1175 && context->names[context->name_count-2].name == name) 1176 idx = context->name_count - 2; 1177 else { 1178 /* FIXME: how much do we care about inodes that have no 1179 * associated name? */ 1180 if (context->name_count >= AUDIT_NAMES - AUDIT_NAMES_RESERVED) 1181 return; 1182 idx = context->name_count++; 1183 context->names[idx].name = NULL; 1184 #if AUDIT_DEBUG 1185 ++context->ino_count; 1186 #endif 1187 } 1188 context->names[idx].ino = inode->i_ino; 1189 context->names[idx].dev = inode->i_sb->s_dev; 1190 context->names[idx].mode = inode->i_mode; 1191 context->names[idx].uid = inode->i_uid; 1192 context->names[idx].gid = inode->i_gid; 1193 context->names[idx].rdev = inode->i_rdev; 1194 audit_inode_context(idx, inode); 1195 } 1196 1197 /** 1198 * audit_inode_child - collect inode info for created/removed objects 1199 * @dname: inode's dentry name 1200 * @inode: inode being audited 1201 * @pino: inode number of dentry parent 1202 * 1203 * For syscalls that create or remove filesystem objects, audit_inode 1204 * can only collect information for the filesystem object's parent. 1205 * This call updates the audit context with the child's information. 1206 * Syscalls that create a new filesystem object must be hooked after 1207 * the object is created. Syscalls that remove a filesystem object 1208 * must be hooked prior, in order to capture the target inode during 1209 * unsuccessful attempts. 1210 */ 1211 void __audit_inode_child(const char *dname, const struct inode *inode, 1212 unsigned long pino) 1213 { 1214 int idx; 1215 struct audit_context *context = current->audit_context; 1216 const char *found_name = NULL; 1217 int dirlen = 0; 1218 1219 if (!context->in_syscall) 1220 return; 1221 1222 /* determine matching parent */ 1223 if (!dname) 1224 goto update_context; 1225 for (idx = 0; idx < context->name_count; idx++) 1226 if (context->names[idx].ino == pino) { 1227 const char *name = context->names[idx].name; 1228 1229 if (!name) 1230 continue; 1231 1232 if (audit_compare_dname_path(dname, name, &dirlen) == 0) { 1233 context->names[idx].name_len = dirlen; 1234 found_name = name; 1235 break; 1236 } 1237 } 1238 1239 update_context: 1240 idx = context->name_count++; 1241 #if AUDIT_DEBUG 1242 context->ino_count++; 1243 #endif 1244 /* Re-use the name belonging to the slot for a matching parent directory. 1245 * All names for this context are relinquished in audit_free_names() */ 1246 context->names[idx].name = found_name; 1247 context->names[idx].name_len = AUDIT_NAME_FULL; 1248 context->names[idx].name_put = 0; /* don't call __putname() */ 1249 1250 if (inode) { 1251 context->names[idx].ino = inode->i_ino; 1252 context->names[idx].dev = inode->i_sb->s_dev; 1253 context->names[idx].mode = inode->i_mode; 1254 context->names[idx].uid = inode->i_uid; 1255 context->names[idx].gid = inode->i_gid; 1256 context->names[idx].rdev = inode->i_rdev; 1257 audit_inode_context(idx, inode); 1258 } else 1259 context->names[idx].ino = (unsigned long)-1; 1260 } 1261 1262 /** 1263 * auditsc_get_stamp - get local copies of audit_context values 1264 * @ctx: audit_context for the task 1265 * @t: timespec to store time recorded in the audit_context 1266 * @serial: serial value that is recorded in the audit_context 1267 * 1268 * Also sets the context as auditable. 1269 */ 1270 void auditsc_get_stamp(struct audit_context *ctx, 1271 struct timespec *t, unsigned int *serial) 1272 { 1273 if (!ctx->serial) 1274 ctx->serial = audit_serial(); 1275 t->tv_sec = ctx->ctime.tv_sec; 1276 t->tv_nsec = ctx->ctime.tv_nsec; 1277 *serial = ctx->serial; 1278 ctx->auditable = 1; 1279 } 1280 1281 /** 1282 * audit_set_loginuid - set a task's audit_context loginuid 1283 * @task: task whose audit context is being modified 1284 * @loginuid: loginuid value 1285 * 1286 * Returns 0. 1287 * 1288 * Called (set) from fs/proc/base.c::proc_loginuid_write(). 1289 */ 1290 int audit_set_loginuid(struct task_struct *task, uid_t loginuid) 1291 { 1292 struct audit_context *context = task->audit_context; 1293 1294 if (context) { 1295 /* Only log if audit is enabled */ 1296 if (context->in_syscall) { 1297 struct audit_buffer *ab; 1298 1299 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN); 1300 if (ab) { 1301 audit_log_format(ab, "login pid=%d uid=%u " 1302 "old auid=%u new auid=%u", 1303 task->pid, task->uid, 1304 context->loginuid, loginuid); 1305 audit_log_end(ab); 1306 } 1307 } 1308 context->loginuid = loginuid; 1309 } 1310 return 0; 1311 } 1312 1313 /** 1314 * audit_get_loginuid - get the loginuid for an audit_context 1315 * @ctx: the audit_context 1316 * 1317 * Returns the context's loginuid or -1 if @ctx is NULL. 1318 */ 1319 uid_t audit_get_loginuid(struct audit_context *ctx) 1320 { 1321 return ctx ? ctx->loginuid : -1; 1322 } 1323 1324 /** 1325 * __audit_mq_open - record audit data for a POSIX MQ open 1326 * @oflag: open flag 1327 * @mode: mode bits 1328 * @u_attr: queue attributes 1329 * 1330 * Returns 0 for success or NULL context or < 0 on error. 1331 */ 1332 int __audit_mq_open(int oflag, mode_t mode, struct mq_attr __user *u_attr) 1333 { 1334 struct audit_aux_data_mq_open *ax; 1335 struct audit_context *context = current->audit_context; 1336 1337 if (!audit_enabled) 1338 return 0; 1339 1340 if (likely(!context)) 1341 return 0; 1342 1343 ax = kmalloc(sizeof(*ax), GFP_ATOMIC); 1344 if (!ax) 1345 return -ENOMEM; 1346 1347 if (u_attr != NULL) { 1348 if (copy_from_user(&ax->attr, u_attr, sizeof(ax->attr))) { 1349 kfree(ax); 1350 return -EFAULT; 1351 } 1352 } else 1353 memset(&ax->attr, 0, sizeof(ax->attr)); 1354 1355 ax->oflag = oflag; 1356 ax->mode = mode; 1357 1358 ax->d.type = AUDIT_MQ_OPEN; 1359 ax->d.next = context->aux; 1360 context->aux = (void *)ax; 1361 return 0; 1362 } 1363 1364 /** 1365 * __audit_mq_timedsend - record audit data for a POSIX MQ timed send 1366 * @mqdes: MQ descriptor 1367 * @msg_len: Message length 1368 * @msg_prio: Message priority 1369 * @u_abs_timeout: Message timeout in absolute time 1370 * 1371 * Returns 0 for success or NULL context or < 0 on error. 1372 */ 1373 int __audit_mq_timedsend(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, 1374 const struct timespec __user *u_abs_timeout) 1375 { 1376 struct audit_aux_data_mq_sendrecv *ax; 1377 struct audit_context *context = current->audit_context; 1378 1379 if (!audit_enabled) 1380 return 0; 1381 1382 if (likely(!context)) 1383 return 0; 1384 1385 ax = kmalloc(sizeof(*ax), GFP_ATOMIC); 1386 if (!ax) 1387 return -ENOMEM; 1388 1389 if (u_abs_timeout != NULL) { 1390 if (copy_from_user(&ax->abs_timeout, u_abs_timeout, sizeof(ax->abs_timeout))) { 1391 kfree(ax); 1392 return -EFAULT; 1393 } 1394 } else 1395 memset(&ax->abs_timeout, 0, sizeof(ax->abs_timeout)); 1396 1397 ax->mqdes = mqdes; 1398 ax->msg_len = msg_len; 1399 ax->msg_prio = msg_prio; 1400 1401 ax->d.type = AUDIT_MQ_SENDRECV; 1402 ax->d.next = context->aux; 1403 context->aux = (void *)ax; 1404 return 0; 1405 } 1406 1407 /** 1408 * __audit_mq_timedreceive - record audit data for a POSIX MQ timed receive 1409 * @mqdes: MQ descriptor 1410 * @msg_len: Message length 1411 * @u_msg_prio: Message priority 1412 * @u_abs_timeout: Message timeout in absolute time 1413 * 1414 * Returns 0 for success or NULL context or < 0 on error. 1415 */ 1416 int __audit_mq_timedreceive(mqd_t mqdes, size_t msg_len, 1417 unsigned int __user *u_msg_prio, 1418 const struct timespec __user *u_abs_timeout) 1419 { 1420 struct audit_aux_data_mq_sendrecv *ax; 1421 struct audit_context *context = current->audit_context; 1422 1423 if (!audit_enabled) 1424 return 0; 1425 1426 if (likely(!context)) 1427 return 0; 1428 1429 ax = kmalloc(sizeof(*ax), GFP_ATOMIC); 1430 if (!ax) 1431 return -ENOMEM; 1432 1433 if (u_msg_prio != NULL) { 1434 if (get_user(ax->msg_prio, u_msg_prio)) { 1435 kfree(ax); 1436 return -EFAULT; 1437 } 1438 } else 1439 ax->msg_prio = 0; 1440 1441 if (u_abs_timeout != NULL) { 1442 if (copy_from_user(&ax->abs_timeout, u_abs_timeout, sizeof(ax->abs_timeout))) { 1443 kfree(ax); 1444 return -EFAULT; 1445 } 1446 } else 1447 memset(&ax->abs_timeout, 0, sizeof(ax->abs_timeout)); 1448 1449 ax->mqdes = mqdes; 1450 ax->msg_len = msg_len; 1451 1452 ax->d.type = AUDIT_MQ_SENDRECV; 1453 ax->d.next = context->aux; 1454 context->aux = (void *)ax; 1455 return 0; 1456 } 1457 1458 /** 1459 * __audit_mq_notify - record audit data for a POSIX MQ notify 1460 * @mqdes: MQ descriptor 1461 * @u_notification: Notification event 1462 * 1463 * Returns 0 for success or NULL context or < 0 on error. 1464 */ 1465 1466 int __audit_mq_notify(mqd_t mqdes, const struct sigevent __user *u_notification) 1467 { 1468 struct audit_aux_data_mq_notify *ax; 1469 struct audit_context *context = current->audit_context; 1470 1471 if (!audit_enabled) 1472 return 0; 1473 1474 if (likely(!context)) 1475 return 0; 1476 1477 ax = kmalloc(sizeof(*ax), GFP_ATOMIC); 1478 if (!ax) 1479 return -ENOMEM; 1480 1481 if (u_notification != NULL) { 1482 if (copy_from_user(&ax->notification, u_notification, sizeof(ax->notification))) { 1483 kfree(ax); 1484 return -EFAULT; 1485 } 1486 } else 1487 memset(&ax->notification, 0, sizeof(ax->notification)); 1488 1489 ax->mqdes = mqdes; 1490 1491 ax->d.type = AUDIT_MQ_NOTIFY; 1492 ax->d.next = context->aux; 1493 context->aux = (void *)ax; 1494 return 0; 1495 } 1496 1497 /** 1498 * __audit_mq_getsetattr - record audit data for a POSIX MQ get/set attribute 1499 * @mqdes: MQ descriptor 1500 * @mqstat: MQ flags 1501 * 1502 * Returns 0 for success or NULL context or < 0 on error. 1503 */ 1504 int __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat) 1505 { 1506 struct audit_aux_data_mq_getsetattr *ax; 1507 struct audit_context *context = current->audit_context; 1508 1509 if (!audit_enabled) 1510 return 0; 1511 1512 if (likely(!context)) 1513 return 0; 1514 1515 ax = kmalloc(sizeof(*ax), GFP_ATOMIC); 1516 if (!ax) 1517 return -ENOMEM; 1518 1519 ax->mqdes = mqdes; 1520 ax->mqstat = *mqstat; 1521 1522 ax->d.type = AUDIT_MQ_GETSETATTR; 1523 ax->d.next = context->aux; 1524 context->aux = (void *)ax; 1525 return 0; 1526 } 1527 1528 /** 1529 * audit_ipc_obj - record audit data for ipc object 1530 * @ipcp: ipc permissions 1531 * 1532 * Returns 0 for success or NULL context or < 0 on error. 1533 */ 1534 int __audit_ipc_obj(struct kern_ipc_perm *ipcp) 1535 { 1536 struct audit_aux_data_ipcctl *ax; 1537 struct audit_context *context = current->audit_context; 1538 1539 ax = kmalloc(sizeof(*ax), GFP_ATOMIC); 1540 if (!ax) 1541 return -ENOMEM; 1542 1543 ax->uid = ipcp->uid; 1544 ax->gid = ipcp->gid; 1545 ax->mode = ipcp->mode; 1546 selinux_get_ipc_sid(ipcp, &ax->osid); 1547 1548 ax->d.type = AUDIT_IPC; 1549 ax->d.next = context->aux; 1550 context->aux = (void *)ax; 1551 return 0; 1552 } 1553 1554 /** 1555 * audit_ipc_set_perm - record audit data for new ipc permissions 1556 * @qbytes: msgq bytes 1557 * @uid: msgq user id 1558 * @gid: msgq group id 1559 * @mode: msgq mode (permissions) 1560 * 1561 * Returns 0 for success or NULL context or < 0 on error. 1562 */ 1563 int __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode) 1564 { 1565 struct audit_aux_data_ipcctl *ax; 1566 struct audit_context *context = current->audit_context; 1567 1568 ax = kmalloc(sizeof(*ax), GFP_ATOMIC); 1569 if (!ax) 1570 return -ENOMEM; 1571 1572 ax->qbytes = qbytes; 1573 ax->uid = uid; 1574 ax->gid = gid; 1575 ax->mode = mode; 1576 1577 ax->d.type = AUDIT_IPC_SET_PERM; 1578 ax->d.next = context->aux; 1579 context->aux = (void *)ax; 1580 return 0; 1581 } 1582 1583 int audit_bprm(struct linux_binprm *bprm) 1584 { 1585 struct audit_aux_data_execve *ax; 1586 struct audit_context *context = current->audit_context; 1587 unsigned long p, next; 1588 void *to; 1589 1590 if (likely(!audit_enabled || !context)) 1591 return 0; 1592 1593 ax = kmalloc(sizeof(*ax) + PAGE_SIZE * MAX_ARG_PAGES - bprm->p, 1594 GFP_KERNEL); 1595 if (!ax) 1596 return -ENOMEM; 1597 1598 ax->argc = bprm->argc; 1599 ax->envc = bprm->envc; 1600 for (p = bprm->p, to = ax->mem; p < MAX_ARG_PAGES*PAGE_SIZE; p = next) { 1601 struct page *page = bprm->page[p / PAGE_SIZE]; 1602 void *kaddr = kmap(page); 1603 next = (p + PAGE_SIZE) & ~(PAGE_SIZE - 1); 1604 memcpy(to, kaddr + (p & (PAGE_SIZE - 1)), next - p); 1605 to += next - p; 1606 kunmap(page); 1607 } 1608 1609 ax->d.type = AUDIT_EXECVE; 1610 ax->d.next = context->aux; 1611 context->aux = (void *)ax; 1612 return 0; 1613 } 1614 1615 1616 /** 1617 * audit_socketcall - record audit data for sys_socketcall 1618 * @nargs: number of args 1619 * @args: args array 1620 * 1621 * Returns 0 for success or NULL context or < 0 on error. 1622 */ 1623 int audit_socketcall(int nargs, unsigned long *args) 1624 { 1625 struct audit_aux_data_socketcall *ax; 1626 struct audit_context *context = current->audit_context; 1627 1628 if (likely(!context)) 1629 return 0; 1630 1631 ax = kmalloc(sizeof(*ax) + nargs * sizeof(unsigned long), GFP_KERNEL); 1632 if (!ax) 1633 return -ENOMEM; 1634 1635 ax->nargs = nargs; 1636 memcpy(ax->args, args, nargs * sizeof(unsigned long)); 1637 1638 ax->d.type = AUDIT_SOCKETCALL; 1639 ax->d.next = context->aux; 1640 context->aux = (void *)ax; 1641 return 0; 1642 } 1643 1644 /** 1645 * audit_sockaddr - record audit data for sys_bind, sys_connect, sys_sendto 1646 * @len: data length in user space 1647 * @a: data address in kernel space 1648 * 1649 * Returns 0 for success or NULL context or < 0 on error. 1650 */ 1651 int audit_sockaddr(int len, void *a) 1652 { 1653 struct audit_aux_data_sockaddr *ax; 1654 struct audit_context *context = current->audit_context; 1655 1656 if (likely(!context)) 1657 return 0; 1658 1659 ax = kmalloc(sizeof(*ax) + len, GFP_KERNEL); 1660 if (!ax) 1661 return -ENOMEM; 1662 1663 ax->len = len; 1664 memcpy(ax->a, a, len); 1665 1666 ax->d.type = AUDIT_SOCKADDR; 1667 ax->d.next = context->aux; 1668 context->aux = (void *)ax; 1669 return 0; 1670 } 1671 1672 /** 1673 * audit_avc_path - record the granting or denial of permissions 1674 * @dentry: dentry to record 1675 * @mnt: mnt to record 1676 * 1677 * Returns 0 for success or NULL context or < 0 on error. 1678 * 1679 * Called from security/selinux/avc.c::avc_audit() 1680 */ 1681 int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt) 1682 { 1683 struct audit_aux_data_path *ax; 1684 struct audit_context *context = current->audit_context; 1685 1686 if (likely(!context)) 1687 return 0; 1688 1689 ax = kmalloc(sizeof(*ax), GFP_ATOMIC); 1690 if (!ax) 1691 return -ENOMEM; 1692 1693 ax->dentry = dget(dentry); 1694 ax->mnt = mntget(mnt); 1695 1696 ax->d.type = AUDIT_AVC_PATH; 1697 ax->d.next = context->aux; 1698 context->aux = (void *)ax; 1699 return 0; 1700 } 1701 1702 /** 1703 * audit_signal_info - record signal info for shutting down audit subsystem 1704 * @sig: signal value 1705 * @t: task being signaled 1706 * 1707 * If the audit subsystem is being terminated, record the task (pid) 1708 * and uid that is doing that. 1709 */ 1710 void __audit_signal_info(int sig, struct task_struct *t) 1711 { 1712 extern pid_t audit_sig_pid; 1713 extern uid_t audit_sig_uid; 1714 extern u32 audit_sig_sid; 1715 1716 if (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1) { 1717 struct task_struct *tsk = current; 1718 struct audit_context *ctx = tsk->audit_context; 1719 audit_sig_pid = tsk->pid; 1720 if (ctx) 1721 audit_sig_uid = ctx->loginuid; 1722 else 1723 audit_sig_uid = tsk->uid; 1724 selinux_get_task_sid(tsk, &audit_sig_sid); 1725 } 1726 } 1727