1 /* auditsc.c -- System-call auditing support 2 * Handles all system-call specific auditing features. 3 * 4 * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina. 5 * Copyright 2005 Hewlett-Packard Development Company, L.P. 6 * Copyright (C) 2005, 2006 IBM Corporation 7 * All Rights Reserved. 8 * 9 * This program is free software; you can redistribute it and/or modify 10 * it under the terms of the GNU General Public License as published by 11 * the Free Software Foundation; either version 2 of the License, or 12 * (at your option) any later version. 13 * 14 * This program is distributed in the hope that it will be useful, 15 * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 * GNU General Public License for more details. 18 * 19 * You should have received a copy of the GNU General Public License 20 * along with this program; if not, write to the Free Software 21 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 22 * 23 * Written by Rickard E. (Rik) Faith <faith@redhat.com> 24 * 25 * Many of the ideas implemented here are from Stephen C. Tweedie, 26 * especially the idea of avoiding a copy by using getname. 27 * 28 * The method for actual interception of syscall entry and exit (not in 29 * this file -- see entry.S) is based on a GPL'd patch written by 30 * okir@suse.de and Copyright 2003 SuSE Linux AG. 31 * 32 * POSIX message queue support added by George Wilson <ltcgcw@us.ibm.com>, 33 * 2006. 34 * 35 * The support of additional filter rules compares (>, <, >=, <=) was 36 * added by Dustin Kirkland <dustin.kirkland@us.ibm.com>, 2005. 37 * 38 * Modified by Amy Griffis <amy.griffis@hp.com> to collect additional 39 * filesystem information. 40 * 41 * Subject and object context labeling support added by <danjones@us.ibm.com> 42 * and <dustin.kirkland@us.ibm.com> for LSPP certification compliance. 43 */ 44 45 #include <linux/init.h> 46 #include <asm/types.h> 47 #include <asm/atomic.h> 48 #include <asm/types.h> 49 #include <linux/fs.h> 50 #include <linux/namei.h> 51 #include <linux/mm.h> 52 #include <linux/module.h> 53 #include <linux/mount.h> 54 #include <linux/socket.h> 55 #include <linux/mqueue.h> 56 #include <linux/audit.h> 57 #include <linux/personality.h> 58 #include <linux/time.h> 59 #include <linux/netlink.h> 60 #include <linux/compiler.h> 61 #include <asm/unistd.h> 62 #include <linux/security.h> 63 #include <linux/list.h> 64 #include <linux/tty.h> 65 #include <linux/selinux.h> 66 #include <linux/binfmts.h> 67 #include <linux/highmem.h> 68 #include <linux/syscalls.h> 69 70 #include "audit.h" 71 72 extern struct list_head audit_filter_list[]; 73 74 /* AUDIT_NAMES is the number of slots we reserve in the audit_context 75 * for saving names from getname(). */ 76 #define AUDIT_NAMES 20 77 78 /* Indicates that audit should log the full pathname. */ 79 #define AUDIT_NAME_FULL -1 80 81 /* number of audit rules */ 82 int audit_n_rules; 83 84 /* determines whether we collect data for signals sent */ 85 int audit_signals; 86 87 /* When fs/namei.c:getname() is called, we store the pointer in name and 88 * we don't let putname() free it (instead we free all of the saved 89 * pointers at syscall exit time). 90 * 91 * Further, in fs/namei.c:path_lookup() we store the inode and device. */ 92 struct audit_names { 93 const char *name; 94 int name_len; /* number of name's characters to log */ 95 unsigned name_put; /* call __putname() for this name */ 96 unsigned long ino; 97 dev_t dev; 98 umode_t mode; 99 uid_t uid; 100 gid_t gid; 101 dev_t rdev; 102 u32 osid; 103 }; 104 105 struct audit_aux_data { 106 struct audit_aux_data *next; 107 int type; 108 }; 109 110 #define AUDIT_AUX_IPCPERM 0 111 112 /* Number of target pids per aux struct. */ 113 #define AUDIT_AUX_PIDS 16 114 115 struct audit_aux_data_mq_open { 116 struct audit_aux_data d; 117 int oflag; 118 mode_t mode; 119 struct mq_attr attr; 120 }; 121 122 struct audit_aux_data_mq_sendrecv { 123 struct audit_aux_data d; 124 mqd_t mqdes; 125 size_t msg_len; 126 unsigned int msg_prio; 127 struct timespec abs_timeout; 128 }; 129 130 struct audit_aux_data_mq_notify { 131 struct audit_aux_data d; 132 mqd_t mqdes; 133 struct sigevent notification; 134 }; 135 136 struct audit_aux_data_mq_getsetattr { 137 struct audit_aux_data d; 138 mqd_t mqdes; 139 struct mq_attr mqstat; 140 }; 141 142 struct audit_aux_data_ipcctl { 143 struct audit_aux_data d; 144 struct ipc_perm p; 145 unsigned long qbytes; 146 uid_t uid; 147 gid_t gid; 148 mode_t mode; 149 u32 osid; 150 }; 151 152 struct audit_aux_data_execve { 153 struct audit_aux_data d; 154 int argc; 155 int envc; 156 char mem[0]; 157 }; 158 159 struct audit_aux_data_socketcall { 160 struct audit_aux_data d; 161 int nargs; 162 unsigned long args[0]; 163 }; 164 165 struct audit_aux_data_sockaddr { 166 struct audit_aux_data d; 167 int len; 168 char a[0]; 169 }; 170 171 struct audit_aux_data_fd_pair { 172 struct audit_aux_data d; 173 int fd[2]; 174 }; 175 176 struct audit_aux_data_path { 177 struct audit_aux_data d; 178 struct dentry *dentry; 179 struct vfsmount *mnt; 180 }; 181 182 struct audit_aux_data_pids { 183 struct audit_aux_data d; 184 pid_t target_pid[AUDIT_AUX_PIDS]; 185 u32 target_sid[AUDIT_AUX_PIDS]; 186 int pid_count; 187 }; 188 189 /* The per-task audit context. */ 190 struct audit_context { 191 int dummy; /* must be the first element */ 192 int in_syscall; /* 1 if task is in a syscall */ 193 enum audit_state state; 194 unsigned int serial; /* serial number for record */ 195 struct timespec ctime; /* time of syscall entry */ 196 uid_t loginuid; /* login uid (identity) */ 197 int major; /* syscall number */ 198 unsigned long argv[4]; /* syscall arguments */ 199 int return_valid; /* return code is valid */ 200 long return_code;/* syscall return code */ 201 int auditable; /* 1 if record should be written */ 202 int name_count; 203 struct audit_names names[AUDIT_NAMES]; 204 char * filterkey; /* key for rule that triggered record */ 205 struct dentry * pwd; 206 struct vfsmount * pwdmnt; 207 struct audit_context *previous; /* For nested syscalls */ 208 struct audit_aux_data *aux; 209 struct audit_aux_data *aux_pids; 210 211 /* Save things to print about task_struct */ 212 pid_t pid, ppid; 213 uid_t uid, euid, suid, fsuid; 214 gid_t gid, egid, sgid, fsgid; 215 unsigned long personality; 216 int arch; 217 218 pid_t target_pid; 219 u32 target_sid; 220 221 #if AUDIT_DEBUG 222 int put_count; 223 int ino_count; 224 #endif 225 }; 226 227 #define ACC_MODE(x) ("\004\002\006\006"[(x)&O_ACCMODE]) 228 static inline int open_arg(int flags, int mask) 229 { 230 int n = ACC_MODE(flags); 231 if (flags & (O_TRUNC | O_CREAT)) 232 n |= AUDIT_PERM_WRITE; 233 return n & mask; 234 } 235 236 static int audit_match_perm(struct audit_context *ctx, int mask) 237 { 238 unsigned n = ctx->major; 239 switch (audit_classify_syscall(ctx->arch, n)) { 240 case 0: /* native */ 241 if ((mask & AUDIT_PERM_WRITE) && 242 audit_match_class(AUDIT_CLASS_WRITE, n)) 243 return 1; 244 if ((mask & AUDIT_PERM_READ) && 245 audit_match_class(AUDIT_CLASS_READ, n)) 246 return 1; 247 if ((mask & AUDIT_PERM_ATTR) && 248 audit_match_class(AUDIT_CLASS_CHATTR, n)) 249 return 1; 250 return 0; 251 case 1: /* 32bit on biarch */ 252 if ((mask & AUDIT_PERM_WRITE) && 253 audit_match_class(AUDIT_CLASS_WRITE_32, n)) 254 return 1; 255 if ((mask & AUDIT_PERM_READ) && 256 audit_match_class(AUDIT_CLASS_READ_32, n)) 257 return 1; 258 if ((mask & AUDIT_PERM_ATTR) && 259 audit_match_class(AUDIT_CLASS_CHATTR_32, n)) 260 return 1; 261 return 0; 262 case 2: /* open */ 263 return mask & ACC_MODE(ctx->argv[1]); 264 case 3: /* openat */ 265 return mask & ACC_MODE(ctx->argv[2]); 266 case 4: /* socketcall */ 267 return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND); 268 case 5: /* execve */ 269 return mask & AUDIT_PERM_EXEC; 270 default: 271 return 0; 272 } 273 } 274 275 /* Determine if any context name data matches a rule's watch data */ 276 /* Compare a task_struct with an audit_rule. Return 1 on match, 0 277 * otherwise. */ 278 static int audit_filter_rules(struct task_struct *tsk, 279 struct audit_krule *rule, 280 struct audit_context *ctx, 281 struct audit_names *name, 282 enum audit_state *state) 283 { 284 int i, j, need_sid = 1; 285 u32 sid; 286 287 for (i = 0; i < rule->field_count; i++) { 288 struct audit_field *f = &rule->fields[i]; 289 int result = 0; 290 291 switch (f->type) { 292 case AUDIT_PID: 293 result = audit_comparator(tsk->pid, f->op, f->val); 294 break; 295 case AUDIT_PPID: 296 if (ctx) { 297 if (!ctx->ppid) 298 ctx->ppid = sys_getppid(); 299 result = audit_comparator(ctx->ppid, f->op, f->val); 300 } 301 break; 302 case AUDIT_UID: 303 result = audit_comparator(tsk->uid, f->op, f->val); 304 break; 305 case AUDIT_EUID: 306 result = audit_comparator(tsk->euid, f->op, f->val); 307 break; 308 case AUDIT_SUID: 309 result = audit_comparator(tsk->suid, f->op, f->val); 310 break; 311 case AUDIT_FSUID: 312 result = audit_comparator(tsk->fsuid, f->op, f->val); 313 break; 314 case AUDIT_GID: 315 result = audit_comparator(tsk->gid, f->op, f->val); 316 break; 317 case AUDIT_EGID: 318 result = audit_comparator(tsk->egid, f->op, f->val); 319 break; 320 case AUDIT_SGID: 321 result = audit_comparator(tsk->sgid, f->op, f->val); 322 break; 323 case AUDIT_FSGID: 324 result = audit_comparator(tsk->fsgid, f->op, f->val); 325 break; 326 case AUDIT_PERS: 327 result = audit_comparator(tsk->personality, f->op, f->val); 328 break; 329 case AUDIT_ARCH: 330 if (ctx) 331 result = audit_comparator(ctx->arch, f->op, f->val); 332 break; 333 334 case AUDIT_EXIT: 335 if (ctx && ctx->return_valid) 336 result = audit_comparator(ctx->return_code, f->op, f->val); 337 break; 338 case AUDIT_SUCCESS: 339 if (ctx && ctx->return_valid) { 340 if (f->val) 341 result = audit_comparator(ctx->return_valid, f->op, AUDITSC_SUCCESS); 342 else 343 result = audit_comparator(ctx->return_valid, f->op, AUDITSC_FAILURE); 344 } 345 break; 346 case AUDIT_DEVMAJOR: 347 if (name) 348 result = audit_comparator(MAJOR(name->dev), 349 f->op, f->val); 350 else if (ctx) { 351 for (j = 0; j < ctx->name_count; j++) { 352 if (audit_comparator(MAJOR(ctx->names[j].dev), f->op, f->val)) { 353 ++result; 354 break; 355 } 356 } 357 } 358 break; 359 case AUDIT_DEVMINOR: 360 if (name) 361 result = audit_comparator(MINOR(name->dev), 362 f->op, f->val); 363 else if (ctx) { 364 for (j = 0; j < ctx->name_count; j++) { 365 if (audit_comparator(MINOR(ctx->names[j].dev), f->op, f->val)) { 366 ++result; 367 break; 368 } 369 } 370 } 371 break; 372 case AUDIT_INODE: 373 if (name) 374 result = (name->ino == f->val); 375 else if (ctx) { 376 for (j = 0; j < ctx->name_count; j++) { 377 if (audit_comparator(ctx->names[j].ino, f->op, f->val)) { 378 ++result; 379 break; 380 } 381 } 382 } 383 break; 384 case AUDIT_WATCH: 385 if (name && rule->watch->ino != (unsigned long)-1) 386 result = (name->dev == rule->watch->dev && 387 name->ino == rule->watch->ino); 388 break; 389 case AUDIT_LOGINUID: 390 result = 0; 391 if (ctx) 392 result = audit_comparator(ctx->loginuid, f->op, f->val); 393 break; 394 case AUDIT_SUBJ_USER: 395 case AUDIT_SUBJ_ROLE: 396 case AUDIT_SUBJ_TYPE: 397 case AUDIT_SUBJ_SEN: 398 case AUDIT_SUBJ_CLR: 399 /* NOTE: this may return negative values indicating 400 a temporary error. We simply treat this as a 401 match for now to avoid losing information that 402 may be wanted. An error message will also be 403 logged upon error */ 404 if (f->se_rule) { 405 if (need_sid) { 406 selinux_get_task_sid(tsk, &sid); 407 need_sid = 0; 408 } 409 result = selinux_audit_rule_match(sid, f->type, 410 f->op, 411 f->se_rule, 412 ctx); 413 } 414 break; 415 case AUDIT_OBJ_USER: 416 case AUDIT_OBJ_ROLE: 417 case AUDIT_OBJ_TYPE: 418 case AUDIT_OBJ_LEV_LOW: 419 case AUDIT_OBJ_LEV_HIGH: 420 /* The above note for AUDIT_SUBJ_USER...AUDIT_SUBJ_CLR 421 also applies here */ 422 if (f->se_rule) { 423 /* Find files that match */ 424 if (name) { 425 result = selinux_audit_rule_match( 426 name->osid, f->type, f->op, 427 f->se_rule, ctx); 428 } else if (ctx) { 429 for (j = 0; j < ctx->name_count; j++) { 430 if (selinux_audit_rule_match( 431 ctx->names[j].osid, 432 f->type, f->op, 433 f->se_rule, ctx)) { 434 ++result; 435 break; 436 } 437 } 438 } 439 /* Find ipc objects that match */ 440 if (ctx) { 441 struct audit_aux_data *aux; 442 for (aux = ctx->aux; aux; 443 aux = aux->next) { 444 if (aux->type == AUDIT_IPC) { 445 struct audit_aux_data_ipcctl *axi = (void *)aux; 446 if (selinux_audit_rule_match(axi->osid, f->type, f->op, f->se_rule, ctx)) { 447 ++result; 448 break; 449 } 450 } 451 } 452 } 453 } 454 break; 455 case AUDIT_ARG0: 456 case AUDIT_ARG1: 457 case AUDIT_ARG2: 458 case AUDIT_ARG3: 459 if (ctx) 460 result = audit_comparator(ctx->argv[f->type-AUDIT_ARG0], f->op, f->val); 461 break; 462 case AUDIT_FILTERKEY: 463 /* ignore this field for filtering */ 464 result = 1; 465 break; 466 case AUDIT_PERM: 467 result = audit_match_perm(ctx, f->val); 468 break; 469 } 470 471 if (!result) 472 return 0; 473 } 474 if (rule->filterkey) 475 ctx->filterkey = kstrdup(rule->filterkey, GFP_ATOMIC); 476 switch (rule->action) { 477 case AUDIT_NEVER: *state = AUDIT_DISABLED; break; 478 case AUDIT_ALWAYS: *state = AUDIT_RECORD_CONTEXT; break; 479 } 480 return 1; 481 } 482 483 /* At process creation time, we can determine if system-call auditing is 484 * completely disabled for this task. Since we only have the task 485 * structure at this point, we can only check uid and gid. 486 */ 487 static enum audit_state audit_filter_task(struct task_struct *tsk) 488 { 489 struct audit_entry *e; 490 enum audit_state state; 491 492 rcu_read_lock(); 493 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TASK], list) { 494 if (audit_filter_rules(tsk, &e->rule, NULL, NULL, &state)) { 495 rcu_read_unlock(); 496 return state; 497 } 498 } 499 rcu_read_unlock(); 500 return AUDIT_BUILD_CONTEXT; 501 } 502 503 /* At syscall entry and exit time, this filter is called if the 504 * audit_state is not low enough that auditing cannot take place, but is 505 * also not high enough that we already know we have to write an audit 506 * record (i.e., the state is AUDIT_SETUP_CONTEXT or AUDIT_BUILD_CONTEXT). 507 */ 508 static enum audit_state audit_filter_syscall(struct task_struct *tsk, 509 struct audit_context *ctx, 510 struct list_head *list) 511 { 512 struct audit_entry *e; 513 enum audit_state state; 514 515 if (audit_pid && tsk->tgid == audit_pid) 516 return AUDIT_DISABLED; 517 518 rcu_read_lock(); 519 if (!list_empty(list)) { 520 int word = AUDIT_WORD(ctx->major); 521 int bit = AUDIT_BIT(ctx->major); 522 523 list_for_each_entry_rcu(e, list, list) { 524 if ((e->rule.mask[word] & bit) == bit && 525 audit_filter_rules(tsk, &e->rule, ctx, NULL, 526 &state)) { 527 rcu_read_unlock(); 528 return state; 529 } 530 } 531 } 532 rcu_read_unlock(); 533 return AUDIT_BUILD_CONTEXT; 534 } 535 536 /* At syscall exit time, this filter is called if any audit_names[] have been 537 * collected during syscall processing. We only check rules in sublists at hash 538 * buckets applicable to the inode numbers in audit_names[]. 539 * Regarding audit_state, same rules apply as for audit_filter_syscall(). 540 */ 541 enum audit_state audit_filter_inodes(struct task_struct *tsk, 542 struct audit_context *ctx) 543 { 544 int i; 545 struct audit_entry *e; 546 enum audit_state state; 547 548 if (audit_pid && tsk->tgid == audit_pid) 549 return AUDIT_DISABLED; 550 551 rcu_read_lock(); 552 for (i = 0; i < ctx->name_count; i++) { 553 int word = AUDIT_WORD(ctx->major); 554 int bit = AUDIT_BIT(ctx->major); 555 struct audit_names *n = &ctx->names[i]; 556 int h = audit_hash_ino((u32)n->ino); 557 struct list_head *list = &audit_inode_hash[h]; 558 559 if (list_empty(list)) 560 continue; 561 562 list_for_each_entry_rcu(e, list, list) { 563 if ((e->rule.mask[word] & bit) == bit && 564 audit_filter_rules(tsk, &e->rule, ctx, n, &state)) { 565 rcu_read_unlock(); 566 return state; 567 } 568 } 569 } 570 rcu_read_unlock(); 571 return AUDIT_BUILD_CONTEXT; 572 } 573 574 void audit_set_auditable(struct audit_context *ctx) 575 { 576 ctx->auditable = 1; 577 } 578 579 static inline struct audit_context *audit_get_context(struct task_struct *tsk, 580 int return_valid, 581 int return_code) 582 { 583 struct audit_context *context = tsk->audit_context; 584 585 if (likely(!context)) 586 return NULL; 587 context->return_valid = return_valid; 588 context->return_code = return_code; 589 590 if (context->in_syscall && !context->dummy && !context->auditable) { 591 enum audit_state state; 592 593 state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_EXIT]); 594 if (state == AUDIT_RECORD_CONTEXT) { 595 context->auditable = 1; 596 goto get_context; 597 } 598 599 state = audit_filter_inodes(tsk, context); 600 if (state == AUDIT_RECORD_CONTEXT) 601 context->auditable = 1; 602 603 } 604 605 get_context: 606 607 tsk->audit_context = NULL; 608 return context; 609 } 610 611 static inline void audit_free_names(struct audit_context *context) 612 { 613 int i; 614 615 #if AUDIT_DEBUG == 2 616 if (context->auditable 617 ||context->put_count + context->ino_count != context->name_count) { 618 printk(KERN_ERR "%s:%d(:%d): major=%d in_syscall=%d" 619 " name_count=%d put_count=%d" 620 " ino_count=%d [NOT freeing]\n", 621 __FILE__, __LINE__, 622 context->serial, context->major, context->in_syscall, 623 context->name_count, context->put_count, 624 context->ino_count); 625 for (i = 0; i < context->name_count; i++) { 626 printk(KERN_ERR "names[%d] = %p = %s\n", i, 627 context->names[i].name, 628 context->names[i].name ?: "(null)"); 629 } 630 dump_stack(); 631 return; 632 } 633 #endif 634 #if AUDIT_DEBUG 635 context->put_count = 0; 636 context->ino_count = 0; 637 #endif 638 639 for (i = 0; i < context->name_count; i++) { 640 if (context->names[i].name && context->names[i].name_put) 641 __putname(context->names[i].name); 642 } 643 context->name_count = 0; 644 if (context->pwd) 645 dput(context->pwd); 646 if (context->pwdmnt) 647 mntput(context->pwdmnt); 648 context->pwd = NULL; 649 context->pwdmnt = NULL; 650 } 651 652 static inline void audit_free_aux(struct audit_context *context) 653 { 654 struct audit_aux_data *aux; 655 656 while ((aux = context->aux)) { 657 if (aux->type == AUDIT_AVC_PATH) { 658 struct audit_aux_data_path *axi = (void *)aux; 659 dput(axi->dentry); 660 mntput(axi->mnt); 661 } 662 663 context->aux = aux->next; 664 kfree(aux); 665 } 666 while ((aux = context->aux_pids)) { 667 context->aux_pids = aux->next; 668 kfree(aux); 669 } 670 } 671 672 static inline void audit_zero_context(struct audit_context *context, 673 enum audit_state state) 674 { 675 uid_t loginuid = context->loginuid; 676 677 memset(context, 0, sizeof(*context)); 678 context->state = state; 679 context->loginuid = loginuid; 680 } 681 682 static inline struct audit_context *audit_alloc_context(enum audit_state state) 683 { 684 struct audit_context *context; 685 686 if (!(context = kmalloc(sizeof(*context), GFP_KERNEL))) 687 return NULL; 688 audit_zero_context(context, state); 689 return context; 690 } 691 692 /** 693 * audit_alloc - allocate an audit context block for a task 694 * @tsk: task 695 * 696 * Filter on the task information and allocate a per-task audit context 697 * if necessary. Doing so turns on system call auditing for the 698 * specified task. This is called from copy_process, so no lock is 699 * needed. 700 */ 701 int audit_alloc(struct task_struct *tsk) 702 { 703 struct audit_context *context; 704 enum audit_state state; 705 706 if (likely(!audit_enabled)) 707 return 0; /* Return if not auditing. */ 708 709 state = audit_filter_task(tsk); 710 if (likely(state == AUDIT_DISABLED)) 711 return 0; 712 713 if (!(context = audit_alloc_context(state))) { 714 audit_log_lost("out of memory in audit_alloc"); 715 return -ENOMEM; 716 } 717 718 /* Preserve login uid */ 719 context->loginuid = -1; 720 if (current->audit_context) 721 context->loginuid = current->audit_context->loginuid; 722 723 tsk->audit_context = context; 724 set_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT); 725 return 0; 726 } 727 728 static inline void audit_free_context(struct audit_context *context) 729 { 730 struct audit_context *previous; 731 int count = 0; 732 733 do { 734 previous = context->previous; 735 if (previous || (count && count < 10)) { 736 ++count; 737 printk(KERN_ERR "audit(:%d): major=%d name_count=%d:" 738 " freeing multiple contexts (%d)\n", 739 context->serial, context->major, 740 context->name_count, count); 741 } 742 audit_free_names(context); 743 audit_free_aux(context); 744 kfree(context->filterkey); 745 kfree(context); 746 context = previous; 747 } while (context); 748 if (count >= 10) 749 printk(KERN_ERR "audit: freed %d contexts\n", count); 750 } 751 752 void audit_log_task_context(struct audit_buffer *ab) 753 { 754 char *ctx = NULL; 755 unsigned len; 756 int error; 757 u32 sid; 758 759 selinux_get_task_sid(current, &sid); 760 if (!sid) 761 return; 762 763 error = selinux_sid_to_string(sid, &ctx, &len); 764 if (error) { 765 if (error != -EINVAL) 766 goto error_path; 767 return; 768 } 769 770 audit_log_format(ab, " subj=%s", ctx); 771 kfree(ctx); 772 return; 773 774 error_path: 775 audit_panic("error in audit_log_task_context"); 776 return; 777 } 778 779 EXPORT_SYMBOL(audit_log_task_context); 780 781 static void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk) 782 { 783 char name[sizeof(tsk->comm)]; 784 struct mm_struct *mm = tsk->mm; 785 struct vm_area_struct *vma; 786 787 /* tsk == current */ 788 789 get_task_comm(name, tsk); 790 audit_log_format(ab, " comm="); 791 audit_log_untrustedstring(ab, name); 792 793 if (mm) { 794 down_read(&mm->mmap_sem); 795 vma = mm->mmap; 796 while (vma) { 797 if ((vma->vm_flags & VM_EXECUTABLE) && 798 vma->vm_file) { 799 audit_log_d_path(ab, "exe=", 800 vma->vm_file->f_path.dentry, 801 vma->vm_file->f_path.mnt); 802 break; 803 } 804 vma = vma->vm_next; 805 } 806 up_read(&mm->mmap_sem); 807 } 808 audit_log_task_context(ab); 809 } 810 811 static int audit_log_pid_context(struct audit_context *context, pid_t pid, 812 u32 sid) 813 { 814 struct audit_buffer *ab; 815 char *s = NULL; 816 u32 len; 817 int rc = 0; 818 819 ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID); 820 if (!ab) 821 return 1; 822 823 if (selinux_sid_to_string(sid, &s, &len)) { 824 audit_log_format(ab, "opid=%d obj=(none)", pid); 825 rc = 1; 826 } else 827 audit_log_format(ab, "opid=%d obj=%s", pid, s); 828 audit_log_end(ab); 829 kfree(s); 830 831 return rc; 832 } 833 834 static void audit_log_exit(struct audit_context *context, struct task_struct *tsk) 835 { 836 int i, call_panic = 0; 837 struct audit_buffer *ab; 838 struct audit_aux_data *aux; 839 const char *tty; 840 841 /* tsk == current */ 842 context->pid = tsk->pid; 843 if (!context->ppid) 844 context->ppid = sys_getppid(); 845 context->uid = tsk->uid; 846 context->gid = tsk->gid; 847 context->euid = tsk->euid; 848 context->suid = tsk->suid; 849 context->fsuid = tsk->fsuid; 850 context->egid = tsk->egid; 851 context->sgid = tsk->sgid; 852 context->fsgid = tsk->fsgid; 853 context->personality = tsk->personality; 854 855 ab = audit_log_start(context, GFP_KERNEL, AUDIT_SYSCALL); 856 if (!ab) 857 return; /* audit_panic has been called */ 858 audit_log_format(ab, "arch=%x syscall=%d", 859 context->arch, context->major); 860 if (context->personality != PER_LINUX) 861 audit_log_format(ab, " per=%lx", context->personality); 862 if (context->return_valid) 863 audit_log_format(ab, " success=%s exit=%ld", 864 (context->return_valid==AUDITSC_SUCCESS)?"yes":"no", 865 context->return_code); 866 867 mutex_lock(&tty_mutex); 868 read_lock(&tasklist_lock); 869 if (tsk->signal && tsk->signal->tty && tsk->signal->tty->name) 870 tty = tsk->signal->tty->name; 871 else 872 tty = "(none)"; 873 read_unlock(&tasklist_lock); 874 audit_log_format(ab, 875 " a0=%lx a1=%lx a2=%lx a3=%lx items=%d" 876 " ppid=%d pid=%d auid=%u uid=%u gid=%u" 877 " euid=%u suid=%u fsuid=%u" 878 " egid=%u sgid=%u fsgid=%u tty=%s", 879 context->argv[0], 880 context->argv[1], 881 context->argv[2], 882 context->argv[3], 883 context->name_count, 884 context->ppid, 885 context->pid, 886 context->loginuid, 887 context->uid, 888 context->gid, 889 context->euid, context->suid, context->fsuid, 890 context->egid, context->sgid, context->fsgid, tty); 891 892 mutex_unlock(&tty_mutex); 893 894 audit_log_task_info(ab, tsk); 895 if (context->filterkey) { 896 audit_log_format(ab, " key="); 897 audit_log_untrustedstring(ab, context->filterkey); 898 } else 899 audit_log_format(ab, " key=(null)"); 900 audit_log_end(ab); 901 902 for (aux = context->aux; aux; aux = aux->next) { 903 904 ab = audit_log_start(context, GFP_KERNEL, aux->type); 905 if (!ab) 906 continue; /* audit_panic has been called */ 907 908 switch (aux->type) { 909 case AUDIT_MQ_OPEN: { 910 struct audit_aux_data_mq_open *axi = (void *)aux; 911 audit_log_format(ab, 912 "oflag=0x%x mode=%#o mq_flags=0x%lx mq_maxmsg=%ld " 913 "mq_msgsize=%ld mq_curmsgs=%ld", 914 axi->oflag, axi->mode, axi->attr.mq_flags, 915 axi->attr.mq_maxmsg, axi->attr.mq_msgsize, 916 axi->attr.mq_curmsgs); 917 break; } 918 919 case AUDIT_MQ_SENDRECV: { 920 struct audit_aux_data_mq_sendrecv *axi = (void *)aux; 921 audit_log_format(ab, 922 "mqdes=%d msg_len=%zd msg_prio=%u " 923 "abs_timeout_sec=%ld abs_timeout_nsec=%ld", 924 axi->mqdes, axi->msg_len, axi->msg_prio, 925 axi->abs_timeout.tv_sec, axi->abs_timeout.tv_nsec); 926 break; } 927 928 case AUDIT_MQ_NOTIFY: { 929 struct audit_aux_data_mq_notify *axi = (void *)aux; 930 audit_log_format(ab, 931 "mqdes=%d sigev_signo=%d", 932 axi->mqdes, 933 axi->notification.sigev_signo); 934 break; } 935 936 case AUDIT_MQ_GETSETATTR: { 937 struct audit_aux_data_mq_getsetattr *axi = (void *)aux; 938 audit_log_format(ab, 939 "mqdes=%d mq_flags=0x%lx mq_maxmsg=%ld mq_msgsize=%ld " 940 "mq_curmsgs=%ld ", 941 axi->mqdes, 942 axi->mqstat.mq_flags, axi->mqstat.mq_maxmsg, 943 axi->mqstat.mq_msgsize, axi->mqstat.mq_curmsgs); 944 break; } 945 946 case AUDIT_IPC: { 947 struct audit_aux_data_ipcctl *axi = (void *)aux; 948 audit_log_format(ab, 949 "ouid=%u ogid=%u mode=%x", 950 axi->uid, axi->gid, axi->mode); 951 if (axi->osid != 0) { 952 char *ctx = NULL; 953 u32 len; 954 if (selinux_sid_to_string( 955 axi->osid, &ctx, &len)) { 956 audit_log_format(ab, " osid=%u", 957 axi->osid); 958 call_panic = 1; 959 } else 960 audit_log_format(ab, " obj=%s", ctx); 961 kfree(ctx); 962 } 963 break; } 964 965 case AUDIT_IPC_SET_PERM: { 966 struct audit_aux_data_ipcctl *axi = (void *)aux; 967 audit_log_format(ab, 968 "qbytes=%lx ouid=%u ogid=%u mode=%x", 969 axi->qbytes, axi->uid, axi->gid, axi->mode); 970 break; } 971 972 case AUDIT_EXECVE: { 973 struct audit_aux_data_execve *axi = (void *)aux; 974 int i; 975 const char *p; 976 for (i = 0, p = axi->mem; i < axi->argc; i++) { 977 audit_log_format(ab, "a%d=", i); 978 p = audit_log_untrustedstring(ab, p); 979 audit_log_format(ab, "\n"); 980 } 981 break; } 982 983 case AUDIT_SOCKETCALL: { 984 int i; 985 struct audit_aux_data_socketcall *axs = (void *)aux; 986 audit_log_format(ab, "nargs=%d", axs->nargs); 987 for (i=0; i<axs->nargs; i++) 988 audit_log_format(ab, " a%d=%lx", i, axs->args[i]); 989 break; } 990 991 case AUDIT_SOCKADDR: { 992 struct audit_aux_data_sockaddr *axs = (void *)aux; 993 994 audit_log_format(ab, "saddr="); 995 audit_log_hex(ab, axs->a, axs->len); 996 break; } 997 998 case AUDIT_AVC_PATH: { 999 struct audit_aux_data_path *axi = (void *)aux; 1000 audit_log_d_path(ab, "path=", axi->dentry, axi->mnt); 1001 break; } 1002 1003 case AUDIT_FD_PAIR: { 1004 struct audit_aux_data_fd_pair *axs = (void *)aux; 1005 audit_log_format(ab, "fd0=%d fd1=%d", axs->fd[0], axs->fd[1]); 1006 break; } 1007 1008 } 1009 audit_log_end(ab); 1010 } 1011 1012 for (aux = context->aux_pids; aux; aux = aux->next) { 1013 struct audit_aux_data_pids *axs = (void *)aux; 1014 int i; 1015 1016 for (i = 0; i < axs->pid_count; i++) 1017 if (audit_log_pid_context(context, axs->target_pid[i], 1018 axs->target_sid[i])) 1019 call_panic = 1; 1020 } 1021 1022 if (context->target_pid && 1023 audit_log_pid_context(context, context->target_pid, 1024 context->target_sid)) 1025 call_panic = 1; 1026 1027 if (context->pwd && context->pwdmnt) { 1028 ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD); 1029 if (ab) { 1030 audit_log_d_path(ab, "cwd=", context->pwd, context->pwdmnt); 1031 audit_log_end(ab); 1032 } 1033 } 1034 for (i = 0; i < context->name_count; i++) { 1035 struct audit_names *n = &context->names[i]; 1036 1037 ab = audit_log_start(context, GFP_KERNEL, AUDIT_PATH); 1038 if (!ab) 1039 continue; /* audit_panic has been called */ 1040 1041 audit_log_format(ab, "item=%d", i); 1042 1043 if (n->name) { 1044 switch(n->name_len) { 1045 case AUDIT_NAME_FULL: 1046 /* log the full path */ 1047 audit_log_format(ab, " name="); 1048 audit_log_untrustedstring(ab, n->name); 1049 break; 1050 case 0: 1051 /* name was specified as a relative path and the 1052 * directory component is the cwd */ 1053 audit_log_d_path(ab, " name=", context->pwd, 1054 context->pwdmnt); 1055 break; 1056 default: 1057 /* log the name's directory component */ 1058 audit_log_format(ab, " name="); 1059 audit_log_n_untrustedstring(ab, n->name_len, 1060 n->name); 1061 } 1062 } else 1063 audit_log_format(ab, " name=(null)"); 1064 1065 if (n->ino != (unsigned long)-1) { 1066 audit_log_format(ab, " inode=%lu" 1067 " dev=%02x:%02x mode=%#o" 1068 " ouid=%u ogid=%u rdev=%02x:%02x", 1069 n->ino, 1070 MAJOR(n->dev), 1071 MINOR(n->dev), 1072 n->mode, 1073 n->uid, 1074 n->gid, 1075 MAJOR(n->rdev), 1076 MINOR(n->rdev)); 1077 } 1078 if (n->osid != 0) { 1079 char *ctx = NULL; 1080 u32 len; 1081 if (selinux_sid_to_string( 1082 n->osid, &ctx, &len)) { 1083 audit_log_format(ab, " osid=%u", n->osid); 1084 call_panic = 2; 1085 } else 1086 audit_log_format(ab, " obj=%s", ctx); 1087 kfree(ctx); 1088 } 1089 1090 audit_log_end(ab); 1091 } 1092 if (call_panic) 1093 audit_panic("error converting sid to string"); 1094 } 1095 1096 /** 1097 * audit_free - free a per-task audit context 1098 * @tsk: task whose audit context block to free 1099 * 1100 * Called from copy_process and do_exit 1101 */ 1102 void audit_free(struct task_struct *tsk) 1103 { 1104 struct audit_context *context; 1105 1106 context = audit_get_context(tsk, 0, 0); 1107 if (likely(!context)) 1108 return; 1109 1110 /* Check for system calls that do not go through the exit 1111 * function (e.g., exit_group), then free context block. 1112 * We use GFP_ATOMIC here because we might be doing this 1113 * in the context of the idle thread */ 1114 /* that can happen only if we are called from do_exit() */ 1115 if (context->in_syscall && context->auditable) 1116 audit_log_exit(context, tsk); 1117 1118 audit_free_context(context); 1119 } 1120 1121 /** 1122 * audit_syscall_entry - fill in an audit record at syscall entry 1123 * @tsk: task being audited 1124 * @arch: architecture type 1125 * @major: major syscall type (function) 1126 * @a1: additional syscall register 1 1127 * @a2: additional syscall register 2 1128 * @a3: additional syscall register 3 1129 * @a4: additional syscall register 4 1130 * 1131 * Fill in audit context at syscall entry. This only happens if the 1132 * audit context was created when the task was created and the state or 1133 * filters demand the audit context be built. If the state from the 1134 * per-task filter or from the per-syscall filter is AUDIT_RECORD_CONTEXT, 1135 * then the record will be written at syscall exit time (otherwise, it 1136 * will only be written if another part of the kernel requests that it 1137 * be written). 1138 */ 1139 void audit_syscall_entry(int arch, int major, 1140 unsigned long a1, unsigned long a2, 1141 unsigned long a3, unsigned long a4) 1142 { 1143 struct task_struct *tsk = current; 1144 struct audit_context *context = tsk->audit_context; 1145 enum audit_state state; 1146 1147 BUG_ON(!context); 1148 1149 /* 1150 * This happens only on certain architectures that make system 1151 * calls in kernel_thread via the entry.S interface, instead of 1152 * with direct calls. (If you are porting to a new 1153 * architecture, hitting this condition can indicate that you 1154 * got the _exit/_leave calls backward in entry.S.) 1155 * 1156 * i386 no 1157 * x86_64 no 1158 * ppc64 yes (see arch/powerpc/platforms/iseries/misc.S) 1159 * 1160 * This also happens with vm86 emulation in a non-nested manner 1161 * (entries without exits), so this case must be caught. 1162 */ 1163 if (context->in_syscall) { 1164 struct audit_context *newctx; 1165 1166 #if AUDIT_DEBUG 1167 printk(KERN_ERR 1168 "audit(:%d) pid=%d in syscall=%d;" 1169 " entering syscall=%d\n", 1170 context->serial, tsk->pid, context->major, major); 1171 #endif 1172 newctx = audit_alloc_context(context->state); 1173 if (newctx) { 1174 newctx->previous = context; 1175 context = newctx; 1176 tsk->audit_context = newctx; 1177 } else { 1178 /* If we can't alloc a new context, the best we 1179 * can do is to leak memory (any pending putname 1180 * will be lost). The only other alternative is 1181 * to abandon auditing. */ 1182 audit_zero_context(context, context->state); 1183 } 1184 } 1185 BUG_ON(context->in_syscall || context->name_count); 1186 1187 if (!audit_enabled) 1188 return; 1189 1190 context->arch = arch; 1191 context->major = major; 1192 context->argv[0] = a1; 1193 context->argv[1] = a2; 1194 context->argv[2] = a3; 1195 context->argv[3] = a4; 1196 1197 state = context->state; 1198 context->dummy = !audit_n_rules; 1199 if (!context->dummy && (state == AUDIT_SETUP_CONTEXT || state == AUDIT_BUILD_CONTEXT)) 1200 state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_ENTRY]); 1201 if (likely(state == AUDIT_DISABLED)) 1202 return; 1203 1204 context->serial = 0; 1205 context->ctime = CURRENT_TIME; 1206 context->in_syscall = 1; 1207 context->auditable = !!(state == AUDIT_RECORD_CONTEXT); 1208 context->ppid = 0; 1209 } 1210 1211 /** 1212 * audit_syscall_exit - deallocate audit context after a system call 1213 * @tsk: task being audited 1214 * @valid: success/failure flag 1215 * @return_code: syscall return value 1216 * 1217 * Tear down after system call. If the audit context has been marked as 1218 * auditable (either because of the AUDIT_RECORD_CONTEXT state from 1219 * filtering, or because some other part of the kernel write an audit 1220 * message), then write out the syscall information. In call cases, 1221 * free the names stored from getname(). 1222 */ 1223 void audit_syscall_exit(int valid, long return_code) 1224 { 1225 struct task_struct *tsk = current; 1226 struct audit_context *context; 1227 1228 context = audit_get_context(tsk, valid, return_code); 1229 1230 if (likely(!context)) 1231 return; 1232 1233 if (context->in_syscall && context->auditable) 1234 audit_log_exit(context, tsk); 1235 1236 context->in_syscall = 0; 1237 context->auditable = 0; 1238 1239 if (context->previous) { 1240 struct audit_context *new_context = context->previous; 1241 context->previous = NULL; 1242 audit_free_context(context); 1243 tsk->audit_context = new_context; 1244 } else { 1245 audit_free_names(context); 1246 audit_free_aux(context); 1247 context->aux = NULL; 1248 context->aux_pids = NULL; 1249 context->target_pid = 0; 1250 context->target_sid = 0; 1251 kfree(context->filterkey); 1252 context->filterkey = NULL; 1253 tsk->audit_context = context; 1254 } 1255 } 1256 1257 /** 1258 * audit_getname - add a name to the list 1259 * @name: name to add 1260 * 1261 * Add a name to the list of audit names for this context. 1262 * Called from fs/namei.c:getname(). 1263 */ 1264 void __audit_getname(const char *name) 1265 { 1266 struct audit_context *context = current->audit_context; 1267 1268 if (IS_ERR(name) || !name) 1269 return; 1270 1271 if (!context->in_syscall) { 1272 #if AUDIT_DEBUG == 2 1273 printk(KERN_ERR "%s:%d(:%d): ignoring getname(%p)\n", 1274 __FILE__, __LINE__, context->serial, name); 1275 dump_stack(); 1276 #endif 1277 return; 1278 } 1279 BUG_ON(context->name_count >= AUDIT_NAMES); 1280 context->names[context->name_count].name = name; 1281 context->names[context->name_count].name_len = AUDIT_NAME_FULL; 1282 context->names[context->name_count].name_put = 1; 1283 context->names[context->name_count].ino = (unsigned long)-1; 1284 context->names[context->name_count].osid = 0; 1285 ++context->name_count; 1286 if (!context->pwd) { 1287 read_lock(¤t->fs->lock); 1288 context->pwd = dget(current->fs->pwd); 1289 context->pwdmnt = mntget(current->fs->pwdmnt); 1290 read_unlock(¤t->fs->lock); 1291 } 1292 1293 } 1294 1295 /* audit_putname - intercept a putname request 1296 * @name: name to intercept and delay for putname 1297 * 1298 * If we have stored the name from getname in the audit context, 1299 * then we delay the putname until syscall exit. 1300 * Called from include/linux/fs.h:putname(). 1301 */ 1302 void audit_putname(const char *name) 1303 { 1304 struct audit_context *context = current->audit_context; 1305 1306 BUG_ON(!context); 1307 if (!context->in_syscall) { 1308 #if AUDIT_DEBUG == 2 1309 printk(KERN_ERR "%s:%d(:%d): __putname(%p)\n", 1310 __FILE__, __LINE__, context->serial, name); 1311 if (context->name_count) { 1312 int i; 1313 for (i = 0; i < context->name_count; i++) 1314 printk(KERN_ERR "name[%d] = %p = %s\n", i, 1315 context->names[i].name, 1316 context->names[i].name ?: "(null)"); 1317 } 1318 #endif 1319 __putname(name); 1320 } 1321 #if AUDIT_DEBUG 1322 else { 1323 ++context->put_count; 1324 if (context->put_count > context->name_count) { 1325 printk(KERN_ERR "%s:%d(:%d): major=%d" 1326 " in_syscall=%d putname(%p) name_count=%d" 1327 " put_count=%d\n", 1328 __FILE__, __LINE__, 1329 context->serial, context->major, 1330 context->in_syscall, name, context->name_count, 1331 context->put_count); 1332 dump_stack(); 1333 } 1334 } 1335 #endif 1336 } 1337 1338 static int audit_inc_name_count(struct audit_context *context, 1339 const struct inode *inode) 1340 { 1341 if (context->name_count >= AUDIT_NAMES) { 1342 if (inode) 1343 printk(KERN_DEBUG "name_count maxed, losing inode data: " 1344 "dev=%02x:%02x, inode=%lu", 1345 MAJOR(inode->i_sb->s_dev), 1346 MINOR(inode->i_sb->s_dev), 1347 inode->i_ino); 1348 1349 else 1350 printk(KERN_DEBUG "name_count maxed, losing inode data"); 1351 return 1; 1352 } 1353 context->name_count++; 1354 #if AUDIT_DEBUG 1355 context->ino_count++; 1356 #endif 1357 return 0; 1358 } 1359 1360 /* Copy inode data into an audit_names. */ 1361 static void audit_copy_inode(struct audit_names *name, const struct inode *inode) 1362 { 1363 name->ino = inode->i_ino; 1364 name->dev = inode->i_sb->s_dev; 1365 name->mode = inode->i_mode; 1366 name->uid = inode->i_uid; 1367 name->gid = inode->i_gid; 1368 name->rdev = inode->i_rdev; 1369 selinux_get_inode_sid(inode, &name->osid); 1370 } 1371 1372 /** 1373 * audit_inode - store the inode and device from a lookup 1374 * @name: name being audited 1375 * @inode: inode being audited 1376 * 1377 * Called from fs/namei.c:path_lookup(). 1378 */ 1379 void __audit_inode(const char *name, const struct inode *inode) 1380 { 1381 int idx; 1382 struct audit_context *context = current->audit_context; 1383 1384 if (!context->in_syscall) 1385 return; 1386 if (context->name_count 1387 && context->names[context->name_count-1].name 1388 && context->names[context->name_count-1].name == name) 1389 idx = context->name_count - 1; 1390 else if (context->name_count > 1 1391 && context->names[context->name_count-2].name 1392 && context->names[context->name_count-2].name == name) 1393 idx = context->name_count - 2; 1394 else { 1395 /* FIXME: how much do we care about inodes that have no 1396 * associated name? */ 1397 if (audit_inc_name_count(context, inode)) 1398 return; 1399 idx = context->name_count - 1; 1400 context->names[idx].name = NULL; 1401 } 1402 audit_copy_inode(&context->names[idx], inode); 1403 } 1404 1405 /** 1406 * audit_inode_child - collect inode info for created/removed objects 1407 * @dname: inode's dentry name 1408 * @inode: inode being audited 1409 * @parent: inode of dentry parent 1410 * 1411 * For syscalls that create or remove filesystem objects, audit_inode 1412 * can only collect information for the filesystem object's parent. 1413 * This call updates the audit context with the child's information. 1414 * Syscalls that create a new filesystem object must be hooked after 1415 * the object is created. Syscalls that remove a filesystem object 1416 * must be hooked prior, in order to capture the target inode during 1417 * unsuccessful attempts. 1418 */ 1419 void __audit_inode_child(const char *dname, const struct inode *inode, 1420 const struct inode *parent) 1421 { 1422 int idx; 1423 struct audit_context *context = current->audit_context; 1424 const char *found_parent = NULL, *found_child = NULL; 1425 int dirlen = 0; 1426 1427 if (!context->in_syscall) 1428 return; 1429 1430 /* determine matching parent */ 1431 if (!dname) 1432 goto add_names; 1433 1434 /* parent is more likely, look for it first */ 1435 for (idx = 0; idx < context->name_count; idx++) { 1436 struct audit_names *n = &context->names[idx]; 1437 1438 if (!n->name) 1439 continue; 1440 1441 if (n->ino == parent->i_ino && 1442 !audit_compare_dname_path(dname, n->name, &dirlen)) { 1443 n->name_len = dirlen; /* update parent data in place */ 1444 found_parent = n->name; 1445 goto add_names; 1446 } 1447 } 1448 1449 /* no matching parent, look for matching child */ 1450 for (idx = 0; idx < context->name_count; idx++) { 1451 struct audit_names *n = &context->names[idx]; 1452 1453 if (!n->name) 1454 continue; 1455 1456 /* strcmp() is the more likely scenario */ 1457 if (!strcmp(dname, n->name) || 1458 !audit_compare_dname_path(dname, n->name, &dirlen)) { 1459 if (inode) 1460 audit_copy_inode(n, inode); 1461 else 1462 n->ino = (unsigned long)-1; 1463 found_child = n->name; 1464 goto add_names; 1465 } 1466 } 1467 1468 add_names: 1469 if (!found_parent) { 1470 if (audit_inc_name_count(context, parent)) 1471 return; 1472 idx = context->name_count - 1; 1473 context->names[idx].name = NULL; 1474 audit_copy_inode(&context->names[idx], parent); 1475 } 1476 1477 if (!found_child) { 1478 if (audit_inc_name_count(context, inode)) 1479 return; 1480 idx = context->name_count - 1; 1481 1482 /* Re-use the name belonging to the slot for a matching parent 1483 * directory. All names for this context are relinquished in 1484 * audit_free_names() */ 1485 if (found_parent) { 1486 context->names[idx].name = found_parent; 1487 context->names[idx].name_len = AUDIT_NAME_FULL; 1488 /* don't call __putname() */ 1489 context->names[idx].name_put = 0; 1490 } else { 1491 context->names[idx].name = NULL; 1492 } 1493 1494 if (inode) 1495 audit_copy_inode(&context->names[idx], inode); 1496 else 1497 context->names[idx].ino = (unsigned long)-1; 1498 } 1499 } 1500 1501 /** 1502 * auditsc_get_stamp - get local copies of audit_context values 1503 * @ctx: audit_context for the task 1504 * @t: timespec to store time recorded in the audit_context 1505 * @serial: serial value that is recorded in the audit_context 1506 * 1507 * Also sets the context as auditable. 1508 */ 1509 void auditsc_get_stamp(struct audit_context *ctx, 1510 struct timespec *t, unsigned int *serial) 1511 { 1512 if (!ctx->serial) 1513 ctx->serial = audit_serial(); 1514 t->tv_sec = ctx->ctime.tv_sec; 1515 t->tv_nsec = ctx->ctime.tv_nsec; 1516 *serial = ctx->serial; 1517 ctx->auditable = 1; 1518 } 1519 1520 /** 1521 * audit_set_loginuid - set a task's audit_context loginuid 1522 * @task: task whose audit context is being modified 1523 * @loginuid: loginuid value 1524 * 1525 * Returns 0. 1526 * 1527 * Called (set) from fs/proc/base.c::proc_loginuid_write(). 1528 */ 1529 int audit_set_loginuid(struct task_struct *task, uid_t loginuid) 1530 { 1531 struct audit_context *context = task->audit_context; 1532 1533 if (context) { 1534 /* Only log if audit is enabled */ 1535 if (context->in_syscall) { 1536 struct audit_buffer *ab; 1537 1538 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN); 1539 if (ab) { 1540 audit_log_format(ab, "login pid=%d uid=%u " 1541 "old auid=%u new auid=%u", 1542 task->pid, task->uid, 1543 context->loginuid, loginuid); 1544 audit_log_end(ab); 1545 } 1546 } 1547 context->loginuid = loginuid; 1548 } 1549 return 0; 1550 } 1551 1552 /** 1553 * audit_get_loginuid - get the loginuid for an audit_context 1554 * @ctx: the audit_context 1555 * 1556 * Returns the context's loginuid or -1 if @ctx is NULL. 1557 */ 1558 uid_t audit_get_loginuid(struct audit_context *ctx) 1559 { 1560 return ctx ? ctx->loginuid : -1; 1561 } 1562 1563 EXPORT_SYMBOL(audit_get_loginuid); 1564 1565 /** 1566 * __audit_mq_open - record audit data for a POSIX MQ open 1567 * @oflag: open flag 1568 * @mode: mode bits 1569 * @u_attr: queue attributes 1570 * 1571 * Returns 0 for success or NULL context or < 0 on error. 1572 */ 1573 int __audit_mq_open(int oflag, mode_t mode, struct mq_attr __user *u_attr) 1574 { 1575 struct audit_aux_data_mq_open *ax; 1576 struct audit_context *context = current->audit_context; 1577 1578 if (!audit_enabled) 1579 return 0; 1580 1581 if (likely(!context)) 1582 return 0; 1583 1584 ax = kmalloc(sizeof(*ax), GFP_ATOMIC); 1585 if (!ax) 1586 return -ENOMEM; 1587 1588 if (u_attr != NULL) { 1589 if (copy_from_user(&ax->attr, u_attr, sizeof(ax->attr))) { 1590 kfree(ax); 1591 return -EFAULT; 1592 } 1593 } else 1594 memset(&ax->attr, 0, sizeof(ax->attr)); 1595 1596 ax->oflag = oflag; 1597 ax->mode = mode; 1598 1599 ax->d.type = AUDIT_MQ_OPEN; 1600 ax->d.next = context->aux; 1601 context->aux = (void *)ax; 1602 return 0; 1603 } 1604 1605 /** 1606 * __audit_mq_timedsend - record audit data for a POSIX MQ timed send 1607 * @mqdes: MQ descriptor 1608 * @msg_len: Message length 1609 * @msg_prio: Message priority 1610 * @u_abs_timeout: Message timeout in absolute time 1611 * 1612 * Returns 0 for success or NULL context or < 0 on error. 1613 */ 1614 int __audit_mq_timedsend(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, 1615 const struct timespec __user *u_abs_timeout) 1616 { 1617 struct audit_aux_data_mq_sendrecv *ax; 1618 struct audit_context *context = current->audit_context; 1619 1620 if (!audit_enabled) 1621 return 0; 1622 1623 if (likely(!context)) 1624 return 0; 1625 1626 ax = kmalloc(sizeof(*ax), GFP_ATOMIC); 1627 if (!ax) 1628 return -ENOMEM; 1629 1630 if (u_abs_timeout != NULL) { 1631 if (copy_from_user(&ax->abs_timeout, u_abs_timeout, sizeof(ax->abs_timeout))) { 1632 kfree(ax); 1633 return -EFAULT; 1634 } 1635 } else 1636 memset(&ax->abs_timeout, 0, sizeof(ax->abs_timeout)); 1637 1638 ax->mqdes = mqdes; 1639 ax->msg_len = msg_len; 1640 ax->msg_prio = msg_prio; 1641 1642 ax->d.type = AUDIT_MQ_SENDRECV; 1643 ax->d.next = context->aux; 1644 context->aux = (void *)ax; 1645 return 0; 1646 } 1647 1648 /** 1649 * __audit_mq_timedreceive - record audit data for a POSIX MQ timed receive 1650 * @mqdes: MQ descriptor 1651 * @msg_len: Message length 1652 * @u_msg_prio: Message priority 1653 * @u_abs_timeout: Message timeout in absolute time 1654 * 1655 * Returns 0 for success or NULL context or < 0 on error. 1656 */ 1657 int __audit_mq_timedreceive(mqd_t mqdes, size_t msg_len, 1658 unsigned int __user *u_msg_prio, 1659 const struct timespec __user *u_abs_timeout) 1660 { 1661 struct audit_aux_data_mq_sendrecv *ax; 1662 struct audit_context *context = current->audit_context; 1663 1664 if (!audit_enabled) 1665 return 0; 1666 1667 if (likely(!context)) 1668 return 0; 1669 1670 ax = kmalloc(sizeof(*ax), GFP_ATOMIC); 1671 if (!ax) 1672 return -ENOMEM; 1673 1674 if (u_msg_prio != NULL) { 1675 if (get_user(ax->msg_prio, u_msg_prio)) { 1676 kfree(ax); 1677 return -EFAULT; 1678 } 1679 } else 1680 ax->msg_prio = 0; 1681 1682 if (u_abs_timeout != NULL) { 1683 if (copy_from_user(&ax->abs_timeout, u_abs_timeout, sizeof(ax->abs_timeout))) { 1684 kfree(ax); 1685 return -EFAULT; 1686 } 1687 } else 1688 memset(&ax->abs_timeout, 0, sizeof(ax->abs_timeout)); 1689 1690 ax->mqdes = mqdes; 1691 ax->msg_len = msg_len; 1692 1693 ax->d.type = AUDIT_MQ_SENDRECV; 1694 ax->d.next = context->aux; 1695 context->aux = (void *)ax; 1696 return 0; 1697 } 1698 1699 /** 1700 * __audit_mq_notify - record audit data for a POSIX MQ notify 1701 * @mqdes: MQ descriptor 1702 * @u_notification: Notification event 1703 * 1704 * Returns 0 for success or NULL context or < 0 on error. 1705 */ 1706 1707 int __audit_mq_notify(mqd_t mqdes, const struct sigevent __user *u_notification) 1708 { 1709 struct audit_aux_data_mq_notify *ax; 1710 struct audit_context *context = current->audit_context; 1711 1712 if (!audit_enabled) 1713 return 0; 1714 1715 if (likely(!context)) 1716 return 0; 1717 1718 ax = kmalloc(sizeof(*ax), GFP_ATOMIC); 1719 if (!ax) 1720 return -ENOMEM; 1721 1722 if (u_notification != NULL) { 1723 if (copy_from_user(&ax->notification, u_notification, sizeof(ax->notification))) { 1724 kfree(ax); 1725 return -EFAULT; 1726 } 1727 } else 1728 memset(&ax->notification, 0, sizeof(ax->notification)); 1729 1730 ax->mqdes = mqdes; 1731 1732 ax->d.type = AUDIT_MQ_NOTIFY; 1733 ax->d.next = context->aux; 1734 context->aux = (void *)ax; 1735 return 0; 1736 } 1737 1738 /** 1739 * __audit_mq_getsetattr - record audit data for a POSIX MQ get/set attribute 1740 * @mqdes: MQ descriptor 1741 * @mqstat: MQ flags 1742 * 1743 * Returns 0 for success or NULL context or < 0 on error. 1744 */ 1745 int __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat) 1746 { 1747 struct audit_aux_data_mq_getsetattr *ax; 1748 struct audit_context *context = current->audit_context; 1749 1750 if (!audit_enabled) 1751 return 0; 1752 1753 if (likely(!context)) 1754 return 0; 1755 1756 ax = kmalloc(sizeof(*ax), GFP_ATOMIC); 1757 if (!ax) 1758 return -ENOMEM; 1759 1760 ax->mqdes = mqdes; 1761 ax->mqstat = *mqstat; 1762 1763 ax->d.type = AUDIT_MQ_GETSETATTR; 1764 ax->d.next = context->aux; 1765 context->aux = (void *)ax; 1766 return 0; 1767 } 1768 1769 /** 1770 * audit_ipc_obj - record audit data for ipc object 1771 * @ipcp: ipc permissions 1772 * 1773 * Returns 0 for success or NULL context or < 0 on error. 1774 */ 1775 int __audit_ipc_obj(struct kern_ipc_perm *ipcp) 1776 { 1777 struct audit_aux_data_ipcctl *ax; 1778 struct audit_context *context = current->audit_context; 1779 1780 ax = kmalloc(sizeof(*ax), GFP_ATOMIC); 1781 if (!ax) 1782 return -ENOMEM; 1783 1784 ax->uid = ipcp->uid; 1785 ax->gid = ipcp->gid; 1786 ax->mode = ipcp->mode; 1787 selinux_get_ipc_sid(ipcp, &ax->osid); 1788 1789 ax->d.type = AUDIT_IPC; 1790 ax->d.next = context->aux; 1791 context->aux = (void *)ax; 1792 return 0; 1793 } 1794 1795 /** 1796 * audit_ipc_set_perm - record audit data for new ipc permissions 1797 * @qbytes: msgq bytes 1798 * @uid: msgq user id 1799 * @gid: msgq group id 1800 * @mode: msgq mode (permissions) 1801 * 1802 * Returns 0 for success or NULL context or < 0 on error. 1803 */ 1804 int __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode) 1805 { 1806 struct audit_aux_data_ipcctl *ax; 1807 struct audit_context *context = current->audit_context; 1808 1809 ax = kmalloc(sizeof(*ax), GFP_ATOMIC); 1810 if (!ax) 1811 return -ENOMEM; 1812 1813 ax->qbytes = qbytes; 1814 ax->uid = uid; 1815 ax->gid = gid; 1816 ax->mode = mode; 1817 1818 ax->d.type = AUDIT_IPC_SET_PERM; 1819 ax->d.next = context->aux; 1820 context->aux = (void *)ax; 1821 return 0; 1822 } 1823 1824 int audit_bprm(struct linux_binprm *bprm) 1825 { 1826 struct audit_aux_data_execve *ax; 1827 struct audit_context *context = current->audit_context; 1828 unsigned long p, next; 1829 void *to; 1830 1831 if (likely(!audit_enabled || !context || context->dummy)) 1832 return 0; 1833 1834 ax = kmalloc(sizeof(*ax) + PAGE_SIZE * MAX_ARG_PAGES - bprm->p, 1835 GFP_KERNEL); 1836 if (!ax) 1837 return -ENOMEM; 1838 1839 ax->argc = bprm->argc; 1840 ax->envc = bprm->envc; 1841 for (p = bprm->p, to = ax->mem; p < MAX_ARG_PAGES*PAGE_SIZE; p = next) { 1842 struct page *page = bprm->page[p / PAGE_SIZE]; 1843 void *kaddr = kmap(page); 1844 next = (p + PAGE_SIZE) & ~(PAGE_SIZE - 1); 1845 memcpy(to, kaddr + (p & (PAGE_SIZE - 1)), next - p); 1846 to += next - p; 1847 kunmap(page); 1848 } 1849 1850 ax->d.type = AUDIT_EXECVE; 1851 ax->d.next = context->aux; 1852 context->aux = (void *)ax; 1853 return 0; 1854 } 1855 1856 1857 /** 1858 * audit_socketcall - record audit data for sys_socketcall 1859 * @nargs: number of args 1860 * @args: args array 1861 * 1862 * Returns 0 for success or NULL context or < 0 on error. 1863 */ 1864 int audit_socketcall(int nargs, unsigned long *args) 1865 { 1866 struct audit_aux_data_socketcall *ax; 1867 struct audit_context *context = current->audit_context; 1868 1869 if (likely(!context || context->dummy)) 1870 return 0; 1871 1872 ax = kmalloc(sizeof(*ax) + nargs * sizeof(unsigned long), GFP_KERNEL); 1873 if (!ax) 1874 return -ENOMEM; 1875 1876 ax->nargs = nargs; 1877 memcpy(ax->args, args, nargs * sizeof(unsigned long)); 1878 1879 ax->d.type = AUDIT_SOCKETCALL; 1880 ax->d.next = context->aux; 1881 context->aux = (void *)ax; 1882 return 0; 1883 } 1884 1885 /** 1886 * __audit_fd_pair - record audit data for pipe and socketpair 1887 * @fd1: the first file descriptor 1888 * @fd2: the second file descriptor 1889 * 1890 * Returns 0 for success or NULL context or < 0 on error. 1891 */ 1892 int __audit_fd_pair(int fd1, int fd2) 1893 { 1894 struct audit_context *context = current->audit_context; 1895 struct audit_aux_data_fd_pair *ax; 1896 1897 if (likely(!context)) { 1898 return 0; 1899 } 1900 1901 ax = kmalloc(sizeof(*ax), GFP_KERNEL); 1902 if (!ax) { 1903 return -ENOMEM; 1904 } 1905 1906 ax->fd[0] = fd1; 1907 ax->fd[1] = fd2; 1908 1909 ax->d.type = AUDIT_FD_PAIR; 1910 ax->d.next = context->aux; 1911 context->aux = (void *)ax; 1912 return 0; 1913 } 1914 1915 /** 1916 * audit_sockaddr - record audit data for sys_bind, sys_connect, sys_sendto 1917 * @len: data length in user space 1918 * @a: data address in kernel space 1919 * 1920 * Returns 0 for success or NULL context or < 0 on error. 1921 */ 1922 int audit_sockaddr(int len, void *a) 1923 { 1924 struct audit_aux_data_sockaddr *ax; 1925 struct audit_context *context = current->audit_context; 1926 1927 if (likely(!context || context->dummy)) 1928 return 0; 1929 1930 ax = kmalloc(sizeof(*ax) + len, GFP_KERNEL); 1931 if (!ax) 1932 return -ENOMEM; 1933 1934 ax->len = len; 1935 memcpy(ax->a, a, len); 1936 1937 ax->d.type = AUDIT_SOCKADDR; 1938 ax->d.next = context->aux; 1939 context->aux = (void *)ax; 1940 return 0; 1941 } 1942 1943 void __audit_ptrace(struct task_struct *t) 1944 { 1945 struct audit_context *context = current->audit_context; 1946 1947 context->target_pid = t->pid; 1948 selinux_get_task_sid(t, &context->target_sid); 1949 } 1950 1951 /** 1952 * audit_avc_path - record the granting or denial of permissions 1953 * @dentry: dentry to record 1954 * @mnt: mnt to record 1955 * 1956 * Returns 0 for success or NULL context or < 0 on error. 1957 * 1958 * Called from security/selinux/avc.c::avc_audit() 1959 */ 1960 int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt) 1961 { 1962 struct audit_aux_data_path *ax; 1963 struct audit_context *context = current->audit_context; 1964 1965 if (likely(!context)) 1966 return 0; 1967 1968 ax = kmalloc(sizeof(*ax), GFP_ATOMIC); 1969 if (!ax) 1970 return -ENOMEM; 1971 1972 ax->dentry = dget(dentry); 1973 ax->mnt = mntget(mnt); 1974 1975 ax->d.type = AUDIT_AVC_PATH; 1976 ax->d.next = context->aux; 1977 context->aux = (void *)ax; 1978 return 0; 1979 } 1980 1981 /** 1982 * audit_signal_info - record signal info for shutting down audit subsystem 1983 * @sig: signal value 1984 * @t: task being signaled 1985 * 1986 * If the audit subsystem is being terminated, record the task (pid) 1987 * and uid that is doing that. 1988 */ 1989 int __audit_signal_info(int sig, struct task_struct *t) 1990 { 1991 struct audit_aux_data_pids *axp; 1992 struct task_struct *tsk = current; 1993 struct audit_context *ctx = tsk->audit_context; 1994 extern pid_t audit_sig_pid; 1995 extern uid_t audit_sig_uid; 1996 extern u32 audit_sig_sid; 1997 1998 if (audit_pid && t->tgid == audit_pid && 1999 (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1)) { 2000 audit_sig_pid = tsk->pid; 2001 if (ctx) 2002 audit_sig_uid = ctx->loginuid; 2003 else 2004 audit_sig_uid = tsk->uid; 2005 selinux_get_task_sid(tsk, &audit_sig_sid); 2006 } 2007 2008 if (!audit_signals) /* audit_context checked in wrapper */ 2009 return 0; 2010 2011 /* optimize the common case by putting first signal recipient directly 2012 * in audit_context */ 2013 if (!ctx->target_pid) { 2014 ctx->target_pid = t->tgid; 2015 selinux_get_task_sid(t, &ctx->target_sid); 2016 return 0; 2017 } 2018 2019 axp = (void *)ctx->aux_pids; 2020 if (!axp || axp->pid_count == AUDIT_AUX_PIDS) { 2021 axp = kzalloc(sizeof(*axp), GFP_ATOMIC); 2022 if (!axp) 2023 return -ENOMEM; 2024 2025 axp->d.type = AUDIT_OBJ_PID; 2026 axp->d.next = ctx->aux_pids; 2027 ctx->aux_pids = (void *)axp; 2028 } 2029 BUG_ON(axp->pid_count > AUDIT_AUX_PIDS); 2030 2031 axp->target_pid[axp->pid_count] = t->tgid; 2032 selinux_get_task_sid(t, &axp->target_sid[axp->pid_count]); 2033 axp->pid_count++; 2034 2035 return 0; 2036 } 2037 2038 /** 2039 * audit_core_dumps - record information about processes that end abnormally 2040 * @signr: signal value 2041 * 2042 * If a process ends with a core dump, something fishy is going on and we 2043 * should record the event for investigation. 2044 */ 2045 void audit_core_dumps(long signr) 2046 { 2047 struct audit_buffer *ab; 2048 u32 sid; 2049 2050 if (!audit_enabled) 2051 return; 2052 2053 if (signr == SIGQUIT) /* don't care for those */ 2054 return; 2055 2056 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND); 2057 audit_log_format(ab, "auid=%u uid=%u gid=%u", 2058 audit_get_loginuid(current->audit_context), 2059 current->uid, current->gid); 2060 selinux_get_task_sid(current, &sid); 2061 if (sid) { 2062 char *ctx = NULL; 2063 u32 len; 2064 2065 if (selinux_sid_to_string(sid, &ctx, &len)) 2066 audit_log_format(ab, " ssid=%u", sid); 2067 else 2068 audit_log_format(ab, " subj=%s", ctx); 2069 kfree(ctx); 2070 } 2071 audit_log_format(ab, " pid=%d comm=", current->pid); 2072 audit_log_untrustedstring(ab, current->comm); 2073 audit_log_format(ab, " sig=%ld", signr); 2074 audit_log_end(ab); 2075 } 2076