1 /* auditsc.c -- System-call auditing support 2 * Handles all system-call specific auditing features. 3 * 4 * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina. 5 * All Rights Reserved. 6 * 7 * This program is free software; you can redistribute it and/or modify 8 * it under the terms of the GNU General Public License as published by 9 * the Free Software Foundation; either version 2 of the License, or 10 * (at your option) any later version. 11 * 12 * This program is distributed in the hope that it will be useful, 13 * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 * GNU General Public License for more details. 16 * 17 * You should have received a copy of the GNU General Public License 18 * along with this program; if not, write to the Free Software 19 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 20 * 21 * Written by Rickard E. (Rik) Faith <faith@redhat.com> 22 * 23 * Many of the ideas implemented here are from Stephen C. Tweedie, 24 * especially the idea of avoiding a copy by using getname. 25 * 26 * The method for actual interception of syscall entry and exit (not in 27 * this file -- see entry.S) is based on a GPL'd patch written by 28 * okir@suse.de and Copyright 2003 SuSE Linux AG. 29 * 30 */ 31 32 #include <linux/init.h> 33 #include <asm/atomic.h> 34 #include <asm/types.h> 35 #include <linux/mm.h> 36 #include <linux/module.h> 37 38 #include <linux/audit.h> 39 #include <linux/personality.h> 40 #include <linux/time.h> 41 #include <asm/unistd.h> 42 43 /* 0 = no checking 44 1 = put_count checking 45 2 = verbose put_count checking 46 */ 47 #define AUDIT_DEBUG 0 48 49 /* No syscall auditing will take place unless audit_enabled != 0. */ 50 extern int audit_enabled; 51 52 /* AUDIT_NAMES is the number of slots we reserve in the audit_context 53 * for saving names from getname(). */ 54 #define AUDIT_NAMES 20 55 56 /* AUDIT_NAMES_RESERVED is the number of slots we reserve in the 57 * audit_context from being used for nameless inodes from 58 * path_lookup. */ 59 #define AUDIT_NAMES_RESERVED 7 60 61 /* At task start time, the audit_state is set in the audit_context using 62 a per-task filter. At syscall entry, the audit_state is augmented by 63 the syscall filter. */ 64 enum audit_state { 65 AUDIT_DISABLED, /* Do not create per-task audit_context. 66 * No syscall-specific audit records can 67 * be generated. */ 68 AUDIT_SETUP_CONTEXT, /* Create the per-task audit_context, 69 * but don't necessarily fill it in at 70 * syscall entry time (i.e., filter 71 * instead). */ 72 AUDIT_BUILD_CONTEXT, /* Create the per-task audit_context, 73 * and always fill it in at syscall 74 * entry time. This makes a full 75 * syscall record available if some 76 * other part of the kernel decides it 77 * should be recorded. */ 78 AUDIT_RECORD_CONTEXT /* Create the per-task audit_context, 79 * always fill it in at syscall entry 80 * time, and always write out the audit 81 * record at syscall exit time. */ 82 }; 83 84 /* When fs/namei.c:getname() is called, we store the pointer in name and 85 * we don't let putname() free it (instead we free all of the saved 86 * pointers at syscall exit time). 87 * 88 * Further, in fs/namei.c:path_lookup() we store the inode and device. */ 89 struct audit_names { 90 const char *name; 91 unsigned long ino; 92 dev_t dev; 93 umode_t mode; 94 uid_t uid; 95 gid_t gid; 96 dev_t rdev; 97 }; 98 99 struct audit_aux_data { 100 struct audit_aux_data *next; 101 int type; 102 }; 103 104 #define AUDIT_AUX_IPCPERM 0 105 106 struct audit_aux_data_ipcctl { 107 struct audit_aux_data d; 108 struct ipc_perm p; 109 unsigned long qbytes; 110 uid_t uid; 111 gid_t gid; 112 mode_t mode; 113 }; 114 115 116 /* The per-task audit context. */ 117 struct audit_context { 118 int in_syscall; /* 1 if task is in a syscall */ 119 enum audit_state state; 120 unsigned int serial; /* serial number for record */ 121 struct timespec ctime; /* time of syscall entry */ 122 uid_t loginuid; /* login uid (identity) */ 123 int major; /* syscall number */ 124 unsigned long argv[4]; /* syscall arguments */ 125 int return_valid; /* return code is valid */ 126 long return_code;/* syscall return code */ 127 int auditable; /* 1 if record should be written */ 128 int name_count; 129 struct audit_names names[AUDIT_NAMES]; 130 struct audit_context *previous; /* For nested syscalls */ 131 struct audit_aux_data *aux; 132 133 /* Save things to print about task_struct */ 134 pid_t pid; 135 uid_t uid, euid, suid, fsuid; 136 gid_t gid, egid, sgid, fsgid; 137 unsigned long personality; 138 int arch; 139 140 #if AUDIT_DEBUG 141 int put_count; 142 int ino_count; 143 #endif 144 }; 145 146 /* Public API */ 147 /* There are three lists of rules -- one to search at task creation 148 * time, one to search at syscall entry time, and another to search at 149 * syscall exit time. */ 150 static LIST_HEAD(audit_tsklist); 151 static LIST_HEAD(audit_entlist); 152 static LIST_HEAD(audit_extlist); 153 154 struct audit_entry { 155 struct list_head list; 156 struct rcu_head rcu; 157 struct audit_rule rule; 158 }; 159 160 /* Check to see if two rules are identical. It is called from 161 * audit_del_rule during AUDIT_DEL. */ 162 static int audit_compare_rule(struct audit_rule *a, struct audit_rule *b) 163 { 164 int i; 165 166 if (a->flags != b->flags) 167 return 1; 168 169 if (a->action != b->action) 170 return 1; 171 172 if (a->field_count != b->field_count) 173 return 1; 174 175 for (i = 0; i < a->field_count; i++) { 176 if (a->fields[i] != b->fields[i] 177 || a->values[i] != b->values[i]) 178 return 1; 179 } 180 181 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) 182 if (a->mask[i] != b->mask[i]) 183 return 1; 184 185 return 0; 186 } 187 188 /* Note that audit_add_rule and audit_del_rule are called via 189 * audit_receive() in audit.c, and are protected by 190 * audit_netlink_sem. */ 191 static inline int audit_add_rule(struct audit_entry *entry, 192 struct list_head *list) 193 { 194 if (entry->rule.flags & AUDIT_PREPEND) { 195 entry->rule.flags &= ~AUDIT_PREPEND; 196 list_add_rcu(&entry->list, list); 197 } else { 198 list_add_tail_rcu(&entry->list, list); 199 } 200 return 0; 201 } 202 203 static void audit_free_rule(struct rcu_head *head) 204 { 205 struct audit_entry *e = container_of(head, struct audit_entry, rcu); 206 kfree(e); 207 } 208 209 /* Note that audit_add_rule and audit_del_rule are called via 210 * audit_receive() in audit.c, and are protected by 211 * audit_netlink_sem. */ 212 static inline int audit_del_rule(struct audit_rule *rule, 213 struct list_head *list) 214 { 215 struct audit_entry *e; 216 217 /* Do not use the _rcu iterator here, since this is the only 218 * deletion routine. */ 219 list_for_each_entry(e, list, list) { 220 if (!audit_compare_rule(rule, &e->rule)) { 221 list_del_rcu(&e->list); 222 call_rcu(&e->rcu, audit_free_rule); 223 return 0; 224 } 225 } 226 return -EFAULT; /* No matching rule */ 227 } 228 229 #ifdef CONFIG_NET 230 /* Copy rule from user-space to kernel-space. Called during 231 * AUDIT_ADD. */ 232 static int audit_copy_rule(struct audit_rule *d, struct audit_rule *s) 233 { 234 int i; 235 236 if (s->action != AUDIT_NEVER 237 && s->action != AUDIT_POSSIBLE 238 && s->action != AUDIT_ALWAYS) 239 return -1; 240 if (s->field_count < 0 || s->field_count > AUDIT_MAX_FIELDS) 241 return -1; 242 243 d->flags = s->flags; 244 d->action = s->action; 245 d->field_count = s->field_count; 246 for (i = 0; i < d->field_count; i++) { 247 d->fields[i] = s->fields[i]; 248 d->values[i] = s->values[i]; 249 } 250 for (i = 0; i < AUDIT_BITMASK_SIZE; i++) d->mask[i] = s->mask[i]; 251 return 0; 252 } 253 254 int audit_receive_filter(int type, int pid, int uid, int seq, void *data, 255 uid_t loginuid) 256 { 257 u32 flags; 258 struct audit_entry *entry; 259 int err = 0; 260 261 switch (type) { 262 case AUDIT_LIST: 263 /* The *_rcu iterators not needed here because we are 264 always called with audit_netlink_sem held. */ 265 list_for_each_entry(entry, &audit_tsklist, list) 266 audit_send_reply(pid, seq, AUDIT_LIST, 0, 1, 267 &entry->rule, sizeof(entry->rule)); 268 list_for_each_entry(entry, &audit_entlist, list) 269 audit_send_reply(pid, seq, AUDIT_LIST, 0, 1, 270 &entry->rule, sizeof(entry->rule)); 271 list_for_each_entry(entry, &audit_extlist, list) 272 audit_send_reply(pid, seq, AUDIT_LIST, 0, 1, 273 &entry->rule, sizeof(entry->rule)); 274 audit_send_reply(pid, seq, AUDIT_LIST, 1, 1, NULL, 0); 275 break; 276 case AUDIT_ADD: 277 if (!(entry = kmalloc(sizeof(*entry), GFP_KERNEL))) 278 return -ENOMEM; 279 if (audit_copy_rule(&entry->rule, data)) { 280 kfree(entry); 281 return -EINVAL; 282 } 283 flags = entry->rule.flags; 284 if (!err && (flags & AUDIT_PER_TASK)) 285 err = audit_add_rule(entry, &audit_tsklist); 286 if (!err && (flags & AUDIT_AT_ENTRY)) 287 err = audit_add_rule(entry, &audit_entlist); 288 if (!err && (flags & AUDIT_AT_EXIT)) 289 err = audit_add_rule(entry, &audit_extlist); 290 audit_log(NULL, "auid %u added an audit rule\n", loginuid); 291 break; 292 case AUDIT_DEL: 293 flags =((struct audit_rule *)data)->flags; 294 if (!err && (flags & AUDIT_PER_TASK)) 295 err = audit_del_rule(data, &audit_tsklist); 296 if (!err && (flags & AUDIT_AT_ENTRY)) 297 err = audit_del_rule(data, &audit_entlist); 298 if (!err && (flags & AUDIT_AT_EXIT)) 299 err = audit_del_rule(data, &audit_extlist); 300 audit_log(NULL, "auid %u removed an audit rule\n", loginuid); 301 break; 302 default: 303 return -EINVAL; 304 } 305 306 return err; 307 } 308 #endif 309 310 /* Compare a task_struct with an audit_rule. Return 1 on match, 0 311 * otherwise. */ 312 static int audit_filter_rules(struct task_struct *tsk, 313 struct audit_rule *rule, 314 struct audit_context *ctx, 315 enum audit_state *state) 316 { 317 int i, j; 318 319 for (i = 0; i < rule->field_count; i++) { 320 u32 field = rule->fields[i] & ~AUDIT_NEGATE; 321 u32 value = rule->values[i]; 322 int result = 0; 323 324 switch (field) { 325 case AUDIT_PID: 326 result = (tsk->pid == value); 327 break; 328 case AUDIT_UID: 329 result = (tsk->uid == value); 330 break; 331 case AUDIT_EUID: 332 result = (tsk->euid == value); 333 break; 334 case AUDIT_SUID: 335 result = (tsk->suid == value); 336 break; 337 case AUDIT_FSUID: 338 result = (tsk->fsuid == value); 339 break; 340 case AUDIT_GID: 341 result = (tsk->gid == value); 342 break; 343 case AUDIT_EGID: 344 result = (tsk->egid == value); 345 break; 346 case AUDIT_SGID: 347 result = (tsk->sgid == value); 348 break; 349 case AUDIT_FSGID: 350 result = (tsk->fsgid == value); 351 break; 352 case AUDIT_PERS: 353 result = (tsk->personality == value); 354 break; 355 case AUDIT_ARCH: 356 if (ctx) 357 result = (ctx->arch == value); 358 break; 359 360 case AUDIT_EXIT: 361 if (ctx && ctx->return_valid) 362 result = (ctx->return_code == value); 363 break; 364 case AUDIT_SUCCESS: 365 if (ctx && ctx->return_valid) 366 result = (ctx->return_valid == AUDITSC_SUCCESS); 367 break; 368 case AUDIT_DEVMAJOR: 369 if (ctx) { 370 for (j = 0; j < ctx->name_count; j++) { 371 if (MAJOR(ctx->names[j].dev)==value) { 372 ++result; 373 break; 374 } 375 } 376 } 377 break; 378 case AUDIT_DEVMINOR: 379 if (ctx) { 380 for (j = 0; j < ctx->name_count; j++) { 381 if (MINOR(ctx->names[j].dev)==value) { 382 ++result; 383 break; 384 } 385 } 386 } 387 break; 388 case AUDIT_INODE: 389 if (ctx) { 390 for (j = 0; j < ctx->name_count; j++) { 391 if (ctx->names[j].ino == value) { 392 ++result; 393 break; 394 } 395 } 396 } 397 break; 398 case AUDIT_LOGINUID: 399 result = 0; 400 if (ctx) 401 result = (ctx->loginuid == value); 402 break; 403 case AUDIT_ARG0: 404 case AUDIT_ARG1: 405 case AUDIT_ARG2: 406 case AUDIT_ARG3: 407 if (ctx) 408 result = (ctx->argv[field-AUDIT_ARG0]==value); 409 break; 410 } 411 412 if (rule->fields[i] & AUDIT_NEGATE) 413 result = !result; 414 if (!result) 415 return 0; 416 } 417 switch (rule->action) { 418 case AUDIT_NEVER: *state = AUDIT_DISABLED; break; 419 case AUDIT_POSSIBLE: *state = AUDIT_BUILD_CONTEXT; break; 420 case AUDIT_ALWAYS: *state = AUDIT_RECORD_CONTEXT; break; 421 } 422 return 1; 423 } 424 425 /* At process creation time, we can determine if system-call auditing is 426 * completely disabled for this task. Since we only have the task 427 * structure at this point, we can only check uid and gid. 428 */ 429 static enum audit_state audit_filter_task(struct task_struct *tsk) 430 { 431 struct audit_entry *e; 432 enum audit_state state; 433 434 rcu_read_lock(); 435 list_for_each_entry_rcu(e, &audit_tsklist, list) { 436 if (audit_filter_rules(tsk, &e->rule, NULL, &state)) { 437 rcu_read_unlock(); 438 return state; 439 } 440 } 441 rcu_read_unlock(); 442 return AUDIT_BUILD_CONTEXT; 443 } 444 445 /* At syscall entry and exit time, this filter is called if the 446 * audit_state is not low enough that auditing cannot take place, but is 447 * also not high enough that we already know we have to write and audit 448 * record (i.e., the state is AUDIT_SETUP_CONTEXT or AUDIT_BUILD_CONTEXT). 449 */ 450 static enum audit_state audit_filter_syscall(struct task_struct *tsk, 451 struct audit_context *ctx, 452 struct list_head *list) 453 { 454 struct audit_entry *e; 455 enum audit_state state; 456 int word = AUDIT_WORD(ctx->major); 457 int bit = AUDIT_BIT(ctx->major); 458 459 rcu_read_lock(); 460 list_for_each_entry_rcu(e, list, list) { 461 if ((e->rule.mask[word] & bit) == bit 462 && audit_filter_rules(tsk, &e->rule, ctx, &state)) { 463 rcu_read_unlock(); 464 return state; 465 } 466 } 467 rcu_read_unlock(); 468 return AUDIT_BUILD_CONTEXT; 469 } 470 471 /* This should be called with task_lock() held. */ 472 static inline struct audit_context *audit_get_context(struct task_struct *tsk, 473 int return_valid, 474 int return_code) 475 { 476 struct audit_context *context = tsk->audit_context; 477 478 if (likely(!context)) 479 return NULL; 480 context->return_valid = return_valid; 481 context->return_code = return_code; 482 483 if (context->in_syscall && !context->auditable) { 484 enum audit_state state; 485 state = audit_filter_syscall(tsk, context, &audit_extlist); 486 if (state == AUDIT_RECORD_CONTEXT) 487 context->auditable = 1; 488 } 489 490 context->pid = tsk->pid; 491 context->uid = tsk->uid; 492 context->gid = tsk->gid; 493 context->euid = tsk->euid; 494 context->suid = tsk->suid; 495 context->fsuid = tsk->fsuid; 496 context->egid = tsk->egid; 497 context->sgid = tsk->sgid; 498 context->fsgid = tsk->fsgid; 499 context->personality = tsk->personality; 500 tsk->audit_context = NULL; 501 return context; 502 } 503 504 static inline void audit_free_names(struct audit_context *context) 505 { 506 int i; 507 508 #if AUDIT_DEBUG == 2 509 if (context->auditable 510 ||context->put_count + context->ino_count != context->name_count) { 511 printk(KERN_ERR "audit.c:%d(:%d): major=%d in_syscall=%d" 512 " name_count=%d put_count=%d" 513 " ino_count=%d [NOT freeing]\n", 514 __LINE__, 515 context->serial, context->major, context->in_syscall, 516 context->name_count, context->put_count, 517 context->ino_count); 518 for (i = 0; i < context->name_count; i++) 519 printk(KERN_ERR "names[%d] = %p = %s\n", i, 520 context->names[i].name, 521 context->names[i].name); 522 dump_stack(); 523 return; 524 } 525 #endif 526 #if AUDIT_DEBUG 527 context->put_count = 0; 528 context->ino_count = 0; 529 #endif 530 531 for (i = 0; i < context->name_count; i++) 532 if (context->names[i].name) 533 __putname(context->names[i].name); 534 context->name_count = 0; 535 } 536 537 static inline void audit_free_aux(struct audit_context *context) 538 { 539 struct audit_aux_data *aux; 540 541 while ((aux = context->aux)) { 542 context->aux = aux->next; 543 kfree(aux); 544 } 545 } 546 547 static inline void audit_zero_context(struct audit_context *context, 548 enum audit_state state) 549 { 550 uid_t loginuid = context->loginuid; 551 552 memset(context, 0, sizeof(*context)); 553 context->state = state; 554 context->loginuid = loginuid; 555 } 556 557 static inline struct audit_context *audit_alloc_context(enum audit_state state) 558 { 559 struct audit_context *context; 560 561 if (!(context = kmalloc(sizeof(*context), GFP_KERNEL))) 562 return NULL; 563 audit_zero_context(context, state); 564 return context; 565 } 566 567 /* Filter on the task information and allocate a per-task audit context 568 * if necessary. Doing so turns on system call auditing for the 569 * specified task. This is called from copy_process, so no lock is 570 * needed. */ 571 int audit_alloc(struct task_struct *tsk) 572 { 573 struct audit_context *context; 574 enum audit_state state; 575 576 if (likely(!audit_enabled)) 577 return 0; /* Return if not auditing. */ 578 579 state = audit_filter_task(tsk); 580 if (likely(state == AUDIT_DISABLED)) 581 return 0; 582 583 if (!(context = audit_alloc_context(state))) { 584 audit_log_lost("out of memory in audit_alloc"); 585 return -ENOMEM; 586 } 587 588 /* Preserve login uid */ 589 context->loginuid = -1; 590 if (current->audit_context) 591 context->loginuid = current->audit_context->loginuid; 592 593 tsk->audit_context = context; 594 set_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT); 595 return 0; 596 } 597 598 static inline void audit_free_context(struct audit_context *context) 599 { 600 struct audit_context *previous; 601 int count = 0; 602 603 do { 604 previous = context->previous; 605 if (previous || (count && count < 10)) { 606 ++count; 607 printk(KERN_ERR "audit(:%d): major=%d name_count=%d:" 608 " freeing multiple contexts (%d)\n", 609 context->serial, context->major, 610 context->name_count, count); 611 } 612 audit_free_names(context); 613 audit_free_aux(context); 614 kfree(context); 615 context = previous; 616 } while (context); 617 if (count >= 10) 618 printk(KERN_ERR "audit: freed %d contexts\n", count); 619 } 620 621 static void audit_log_task_info(struct audit_buffer *ab) 622 { 623 char name[sizeof(current->comm)]; 624 struct mm_struct *mm = current->mm; 625 struct vm_area_struct *vma; 626 627 get_task_comm(name, current); 628 audit_log_format(ab, " comm=%s", name); 629 630 if (!mm) 631 return; 632 633 down_read(&mm->mmap_sem); 634 vma = mm->mmap; 635 while (vma) { 636 if ((vma->vm_flags & VM_EXECUTABLE) && 637 vma->vm_file) { 638 audit_log_d_path(ab, "exe=", 639 vma->vm_file->f_dentry, 640 vma->vm_file->f_vfsmnt); 641 break; 642 } 643 vma = vma->vm_next; 644 } 645 up_read(&mm->mmap_sem); 646 } 647 648 static void audit_log_exit(struct audit_context *context) 649 { 650 int i; 651 struct audit_buffer *ab; 652 653 ab = audit_log_start(context); 654 if (!ab) 655 return; /* audit_panic has been called */ 656 audit_log_format(ab, "syscall=%d", context->major); 657 if (context->personality != PER_LINUX) 658 audit_log_format(ab, " per=%lx", context->personality); 659 audit_log_format(ab, " arch=%x", context->arch); 660 if (context->return_valid) 661 audit_log_format(ab, " success=%s exit=%ld", 662 (context->return_valid==AUDITSC_SUCCESS)?"yes":"no", 663 context->return_code); 664 audit_log_format(ab, 665 " a0=%lx a1=%lx a2=%lx a3=%lx items=%d" 666 " pid=%d loginuid=%d uid=%d gid=%d" 667 " euid=%d suid=%d fsuid=%d" 668 " egid=%d sgid=%d fsgid=%d", 669 context->argv[0], 670 context->argv[1], 671 context->argv[2], 672 context->argv[3], 673 context->name_count, 674 context->pid, 675 context->loginuid, 676 context->uid, 677 context->gid, 678 context->euid, context->suid, context->fsuid, 679 context->egid, context->sgid, context->fsgid); 680 audit_log_task_info(ab); 681 audit_log_end(ab); 682 while (context->aux) { 683 struct audit_aux_data *aux; 684 685 ab = audit_log_start(context); 686 if (!ab) 687 continue; /* audit_panic has been called */ 688 689 aux = context->aux; 690 context->aux = aux->next; 691 692 audit_log_format(ab, "auxitem=%d", aux->type); 693 switch (aux->type) { 694 case AUDIT_AUX_IPCPERM: { 695 struct audit_aux_data_ipcctl *axi = (void *)aux; 696 audit_log_format(ab, 697 " qbytes=%lx uid=%d gid=%d mode=%x", 698 axi->qbytes, axi->uid, axi->gid, axi->mode); 699 } 700 } 701 audit_log_end(ab); 702 kfree(aux); 703 } 704 705 for (i = 0; i < context->name_count; i++) { 706 ab = audit_log_start(context); 707 if (!ab) 708 continue; /* audit_panic has been called */ 709 audit_log_format(ab, "item=%d", i); 710 if (context->names[i].name) { 711 audit_log_format(ab, " name="); 712 audit_log_untrustedstring(ab, context->names[i].name); 713 } 714 if (context->names[i].ino != (unsigned long)-1) 715 audit_log_format(ab, " inode=%lu dev=%02x:%02x mode=%#o" 716 " uid=%d gid=%d rdev=%02x:%02x", 717 context->names[i].ino, 718 MAJOR(context->names[i].dev), 719 MINOR(context->names[i].dev), 720 context->names[i].mode, 721 context->names[i].uid, 722 context->names[i].gid, 723 MAJOR(context->names[i].rdev), 724 MINOR(context->names[i].rdev)); 725 audit_log_end(ab); 726 } 727 } 728 729 /* Free a per-task audit context. Called from copy_process and 730 * __put_task_struct. */ 731 void audit_free(struct task_struct *tsk) 732 { 733 struct audit_context *context; 734 735 task_lock(tsk); 736 context = audit_get_context(tsk, 0, 0); 737 task_unlock(tsk); 738 739 if (likely(!context)) 740 return; 741 742 /* Check for system calls that do not go through the exit 743 * function (e.g., exit_group), then free context block. */ 744 if (context->in_syscall && context->auditable) 745 audit_log_exit(context); 746 747 audit_free_context(context); 748 } 749 750 /* Compute a serial number for the audit record. Audit records are 751 * written to user-space as soon as they are generated, so a complete 752 * audit record may be written in several pieces. The timestamp of the 753 * record and this serial number are used by the user-space daemon to 754 * determine which pieces belong to the same audit record. The 755 * (timestamp,serial) tuple is unique for each syscall and is live from 756 * syscall entry to syscall exit. 757 * 758 * Atomic values are only guaranteed to be 24-bit, so we count down. 759 * 760 * NOTE: Another possibility is to store the formatted records off the 761 * audit context (for those records that have a context), and emit them 762 * all at syscall exit. However, this could delay the reporting of 763 * significant errors until syscall exit (or never, if the system 764 * halts). */ 765 static inline unsigned int audit_serial(void) 766 { 767 static atomic_t serial = ATOMIC_INIT(0xffffff); 768 unsigned int a, b; 769 770 do { 771 a = atomic_read(&serial); 772 if (atomic_dec_and_test(&serial)) 773 atomic_set(&serial, 0xffffff); 774 b = atomic_read(&serial); 775 } while (b != a - 1); 776 777 return 0xffffff - b; 778 } 779 780 /* Fill in audit context at syscall entry. This only happens if the 781 * audit context was created when the task was created and the state or 782 * filters demand the audit context be built. If the state from the 783 * per-task filter or from the per-syscall filter is AUDIT_RECORD_CONTEXT, 784 * then the record will be written at syscall exit time (otherwise, it 785 * will only be written if another part of the kernel requests that it 786 * be written). */ 787 void audit_syscall_entry(struct task_struct *tsk, int arch, int major, 788 unsigned long a1, unsigned long a2, 789 unsigned long a3, unsigned long a4) 790 { 791 struct audit_context *context = tsk->audit_context; 792 enum audit_state state; 793 794 BUG_ON(!context); 795 796 /* This happens only on certain architectures that make system 797 * calls in kernel_thread via the entry.S interface, instead of 798 * with direct calls. (If you are porting to a new 799 * architecture, hitting this condition can indicate that you 800 * got the _exit/_leave calls backward in entry.S.) 801 * 802 * i386 no 803 * x86_64 no 804 * ppc64 yes (see arch/ppc64/kernel/misc.S) 805 * 806 * This also happens with vm86 emulation in a non-nested manner 807 * (entries without exits), so this case must be caught. 808 */ 809 if (context->in_syscall) { 810 struct audit_context *newctx; 811 812 #if defined(__NR_vm86) && defined(__NR_vm86old) 813 /* vm86 mode should only be entered once */ 814 if (major == __NR_vm86 || major == __NR_vm86old) 815 return; 816 #endif 817 #if AUDIT_DEBUG 818 printk(KERN_ERR 819 "audit(:%d) pid=%d in syscall=%d;" 820 " entering syscall=%d\n", 821 context->serial, tsk->pid, context->major, major); 822 #endif 823 newctx = audit_alloc_context(context->state); 824 if (newctx) { 825 newctx->previous = context; 826 context = newctx; 827 tsk->audit_context = newctx; 828 } else { 829 /* If we can't alloc a new context, the best we 830 * can do is to leak memory (any pending putname 831 * will be lost). The only other alternative is 832 * to abandon auditing. */ 833 audit_zero_context(context, context->state); 834 } 835 } 836 BUG_ON(context->in_syscall || context->name_count); 837 838 if (!audit_enabled) 839 return; 840 841 context->arch = arch; 842 context->major = major; 843 context->argv[0] = a1; 844 context->argv[1] = a2; 845 context->argv[2] = a3; 846 context->argv[3] = a4; 847 848 state = context->state; 849 if (state == AUDIT_SETUP_CONTEXT || state == AUDIT_BUILD_CONTEXT) 850 state = audit_filter_syscall(tsk, context, &audit_entlist); 851 if (likely(state == AUDIT_DISABLED)) 852 return; 853 854 context->serial = audit_serial(); 855 context->ctime = CURRENT_TIME; 856 context->in_syscall = 1; 857 context->auditable = !!(state == AUDIT_RECORD_CONTEXT); 858 } 859 860 /* Tear down after system call. If the audit context has been marked as 861 * auditable (either because of the AUDIT_RECORD_CONTEXT state from 862 * filtering, or because some other part of the kernel write an audit 863 * message), then write out the syscall information. In call cases, 864 * free the names stored from getname(). */ 865 void audit_syscall_exit(struct task_struct *tsk, int valid, long return_code) 866 { 867 struct audit_context *context; 868 869 get_task_struct(tsk); 870 task_lock(tsk); 871 context = audit_get_context(tsk, valid, return_code); 872 task_unlock(tsk); 873 874 /* Not having a context here is ok, since the parent may have 875 * called __put_task_struct. */ 876 if (likely(!context)) 877 return; 878 879 if (context->in_syscall && context->auditable) 880 audit_log_exit(context); 881 882 context->in_syscall = 0; 883 context->auditable = 0; 884 885 if (context->previous) { 886 struct audit_context *new_context = context->previous; 887 context->previous = NULL; 888 audit_free_context(context); 889 tsk->audit_context = new_context; 890 } else { 891 audit_free_names(context); 892 audit_free_aux(context); 893 audit_zero_context(context, context->state); 894 tsk->audit_context = context; 895 } 896 put_task_struct(tsk); 897 } 898 899 /* Add a name to the list. Called from fs/namei.c:getname(). */ 900 void audit_getname(const char *name) 901 { 902 struct audit_context *context = current->audit_context; 903 904 if (!context || IS_ERR(name) || !name) 905 return; 906 907 if (!context->in_syscall) { 908 #if AUDIT_DEBUG == 2 909 printk(KERN_ERR "%s:%d(:%d): ignoring getname(%p)\n", 910 __FILE__, __LINE__, context->serial, name); 911 dump_stack(); 912 #endif 913 return; 914 } 915 BUG_ON(context->name_count >= AUDIT_NAMES); 916 context->names[context->name_count].name = name; 917 context->names[context->name_count].ino = (unsigned long)-1; 918 ++context->name_count; 919 } 920 921 /* Intercept a putname request. Called from 922 * include/linux/fs.h:putname(). If we have stored the name from 923 * getname in the audit context, then we delay the putname until syscall 924 * exit. */ 925 void audit_putname(const char *name) 926 { 927 struct audit_context *context = current->audit_context; 928 929 BUG_ON(!context); 930 if (!context->in_syscall) { 931 #if AUDIT_DEBUG == 2 932 printk(KERN_ERR "%s:%d(:%d): __putname(%p)\n", 933 __FILE__, __LINE__, context->serial, name); 934 if (context->name_count) { 935 int i; 936 for (i = 0; i < context->name_count; i++) 937 printk(KERN_ERR "name[%d] = %p = %s\n", i, 938 context->names[i].name, 939 context->names[i].name); 940 } 941 #endif 942 __putname(name); 943 } 944 #if AUDIT_DEBUG 945 else { 946 ++context->put_count; 947 if (context->put_count > context->name_count) { 948 printk(KERN_ERR "%s:%d(:%d): major=%d" 949 " in_syscall=%d putname(%p) name_count=%d" 950 " put_count=%d\n", 951 __FILE__, __LINE__, 952 context->serial, context->major, 953 context->in_syscall, name, context->name_count, 954 context->put_count); 955 dump_stack(); 956 } 957 } 958 #endif 959 } 960 961 /* Store the inode and device from a lookup. Called from 962 * fs/namei.c:path_lookup(). */ 963 void audit_inode(const char *name, const struct inode *inode) 964 { 965 int idx; 966 struct audit_context *context = current->audit_context; 967 968 if (!context->in_syscall) 969 return; 970 if (context->name_count 971 && context->names[context->name_count-1].name 972 && context->names[context->name_count-1].name == name) 973 idx = context->name_count - 1; 974 else if (context->name_count > 1 975 && context->names[context->name_count-2].name 976 && context->names[context->name_count-2].name == name) 977 idx = context->name_count - 2; 978 else { 979 /* FIXME: how much do we care about inodes that have no 980 * associated name? */ 981 if (context->name_count >= AUDIT_NAMES - AUDIT_NAMES_RESERVED) 982 return; 983 idx = context->name_count++; 984 context->names[idx].name = NULL; 985 #if AUDIT_DEBUG 986 ++context->ino_count; 987 #endif 988 } 989 context->names[idx].ino = inode->i_ino; 990 context->names[idx].dev = inode->i_sb->s_dev; 991 context->names[idx].mode = inode->i_mode; 992 context->names[idx].uid = inode->i_uid; 993 context->names[idx].gid = inode->i_gid; 994 context->names[idx].rdev = inode->i_rdev; 995 } 996 997 void audit_get_stamp(struct audit_context *ctx, 998 struct timespec *t, unsigned int *serial) 999 { 1000 if (ctx) { 1001 t->tv_sec = ctx->ctime.tv_sec; 1002 t->tv_nsec = ctx->ctime.tv_nsec; 1003 *serial = ctx->serial; 1004 ctx->auditable = 1; 1005 } else { 1006 *t = CURRENT_TIME; 1007 *serial = 0; 1008 } 1009 } 1010 1011 extern int audit_set_type(struct audit_buffer *ab, int type); 1012 1013 int audit_set_loginuid(struct task_struct *task, uid_t loginuid) 1014 { 1015 if (task->audit_context) { 1016 struct audit_buffer *ab; 1017 1018 ab = audit_log_start(NULL); 1019 if (ab) { 1020 audit_log_format(ab, "login pid=%d uid=%u " 1021 "old loginuid=%u new loginuid=%u", 1022 task->pid, task->uid, 1023 task->audit_context->loginuid, loginuid); 1024 audit_set_type(ab, AUDIT_LOGIN); 1025 audit_log_end(ab); 1026 } 1027 task->audit_context->loginuid = loginuid; 1028 } 1029 return 0; 1030 } 1031 1032 uid_t audit_get_loginuid(struct audit_context *ctx) 1033 { 1034 return ctx ? ctx->loginuid : -1; 1035 } 1036 1037 int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode) 1038 { 1039 struct audit_aux_data_ipcctl *ax; 1040 struct audit_context *context = current->audit_context; 1041 1042 if (likely(!context)) 1043 return 0; 1044 1045 ax = kmalloc(sizeof(*ax), GFP_KERNEL); 1046 if (!ax) 1047 return -ENOMEM; 1048 1049 ax->qbytes = qbytes; 1050 ax->uid = uid; 1051 ax->gid = gid; 1052 ax->mode = mode; 1053 1054 ax->d.type = AUDIT_AUX_IPCPERM; 1055 ax->d.next = context->aux; 1056 context->aux = (void *)ax; 1057 return 0; 1058 } 1059