1 /* auditsc.c -- System-call auditing support 2 * Handles all system-call specific auditing features. 3 * 4 * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina. 5 * Copyright 2005 Hewlett-Packard Development Company, L.P. 6 * Copyright (C) 2005, 2006 IBM Corporation 7 * All Rights Reserved. 8 * 9 * This program is free software; you can redistribute it and/or modify 10 * it under the terms of the GNU General Public License as published by 11 * the Free Software Foundation; either version 2 of the License, or 12 * (at your option) any later version. 13 * 14 * This program is distributed in the hope that it will be useful, 15 * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 * GNU General Public License for more details. 18 * 19 * You should have received a copy of the GNU General Public License 20 * along with this program; if not, write to the Free Software 21 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 22 * 23 * Written by Rickard E. (Rik) Faith <faith@redhat.com> 24 * 25 * Many of the ideas implemented here are from Stephen C. Tweedie, 26 * especially the idea of avoiding a copy by using getname. 27 * 28 * The method for actual interception of syscall entry and exit (not in 29 * this file -- see entry.S) is based on a GPL'd patch written by 30 * okir@suse.de and Copyright 2003 SuSE Linux AG. 31 * 32 * POSIX message queue support added by George Wilson <ltcgcw@us.ibm.com>, 33 * 2006. 34 * 35 * The support of additional filter rules compares (>, <, >=, <=) was 36 * added by Dustin Kirkland <dustin.kirkland@us.ibm.com>, 2005. 37 * 38 * Modified by Amy Griffis <amy.griffis@hp.com> to collect additional 39 * filesystem information. 40 * 41 * Subject and object context labeling support added by <danjones@us.ibm.com> 42 * and <dustin.kirkland@us.ibm.com> for LSPP certification compliance. 43 */ 44 45 #include <linux/init.h> 46 #include <asm/types.h> 47 #include <asm/atomic.h> 48 #include <linux/fs.h> 49 #include <linux/namei.h> 50 #include <linux/mm.h> 51 #include <linux/module.h> 52 #include <linux/mount.h> 53 #include <linux/socket.h> 54 #include <linux/mqueue.h> 55 #include <linux/audit.h> 56 #include <linux/personality.h> 57 #include <linux/time.h> 58 #include <linux/netlink.h> 59 #include <linux/compiler.h> 60 #include <asm/unistd.h> 61 #include <linux/security.h> 62 #include <linux/list.h> 63 #include <linux/tty.h> 64 #include <linux/selinux.h> 65 #include <linux/binfmts.h> 66 #include <linux/highmem.h> 67 #include <linux/syscalls.h> 68 #include <linux/inotify.h> 69 70 #include "audit.h" 71 72 extern struct list_head audit_filter_list[]; 73 74 /* AUDIT_NAMES is the number of slots we reserve in the audit_context 75 * for saving names from getname(). */ 76 #define AUDIT_NAMES 20 77 78 /* Indicates that audit should log the full pathname. */ 79 #define AUDIT_NAME_FULL -1 80 81 /* number of audit rules */ 82 int audit_n_rules; 83 84 /* determines whether we collect data for signals sent */ 85 int audit_signals; 86 87 /* When fs/namei.c:getname() is called, we store the pointer in name and 88 * we don't let putname() free it (instead we free all of the saved 89 * pointers at syscall exit time). 90 * 91 * Further, in fs/namei.c:path_lookup() we store the inode and device. */ 92 struct audit_names { 93 const char *name; 94 int name_len; /* number of name's characters to log */ 95 unsigned name_put; /* call __putname() for this name */ 96 unsigned long ino; 97 dev_t dev; 98 umode_t mode; 99 uid_t uid; 100 gid_t gid; 101 dev_t rdev; 102 u32 osid; 103 }; 104 105 struct audit_aux_data { 106 struct audit_aux_data *next; 107 int type; 108 }; 109 110 #define AUDIT_AUX_IPCPERM 0 111 112 /* Number of target pids per aux struct. */ 113 #define AUDIT_AUX_PIDS 16 114 115 struct audit_aux_data_mq_open { 116 struct audit_aux_data d; 117 int oflag; 118 mode_t mode; 119 struct mq_attr attr; 120 }; 121 122 struct audit_aux_data_mq_sendrecv { 123 struct audit_aux_data d; 124 mqd_t mqdes; 125 size_t msg_len; 126 unsigned int msg_prio; 127 struct timespec abs_timeout; 128 }; 129 130 struct audit_aux_data_mq_notify { 131 struct audit_aux_data d; 132 mqd_t mqdes; 133 struct sigevent notification; 134 }; 135 136 struct audit_aux_data_mq_getsetattr { 137 struct audit_aux_data d; 138 mqd_t mqdes; 139 struct mq_attr mqstat; 140 }; 141 142 struct audit_aux_data_ipcctl { 143 struct audit_aux_data d; 144 struct ipc_perm p; 145 unsigned long qbytes; 146 uid_t uid; 147 gid_t gid; 148 mode_t mode; 149 u32 osid; 150 }; 151 152 struct audit_aux_data_execve { 153 struct audit_aux_data d; 154 int argc; 155 int envc; 156 struct mm_struct *mm; 157 }; 158 159 struct audit_aux_data_socketcall { 160 struct audit_aux_data d; 161 int nargs; 162 unsigned long args[0]; 163 }; 164 165 struct audit_aux_data_sockaddr { 166 struct audit_aux_data d; 167 int len; 168 char a[0]; 169 }; 170 171 struct audit_aux_data_fd_pair { 172 struct audit_aux_data d; 173 int fd[2]; 174 }; 175 176 struct audit_aux_data_pids { 177 struct audit_aux_data d; 178 pid_t target_pid[AUDIT_AUX_PIDS]; 179 u32 target_sid[AUDIT_AUX_PIDS]; 180 int pid_count; 181 }; 182 183 struct audit_tree_refs { 184 struct audit_tree_refs *next; 185 struct audit_chunk *c[31]; 186 }; 187 188 /* The per-task audit context. */ 189 struct audit_context { 190 int dummy; /* must be the first element */ 191 int in_syscall; /* 1 if task is in a syscall */ 192 enum audit_state state; 193 unsigned int serial; /* serial number for record */ 194 struct timespec ctime; /* time of syscall entry */ 195 uid_t loginuid; /* login uid (identity) */ 196 int major; /* syscall number */ 197 unsigned long argv[4]; /* syscall arguments */ 198 int return_valid; /* return code is valid */ 199 long return_code;/* syscall return code */ 200 int auditable; /* 1 if record should be written */ 201 int name_count; 202 struct audit_names names[AUDIT_NAMES]; 203 char * filterkey; /* key for rule that triggered record */ 204 struct dentry * pwd; 205 struct vfsmount * pwdmnt; 206 struct audit_context *previous; /* For nested syscalls */ 207 struct audit_aux_data *aux; 208 struct audit_aux_data *aux_pids; 209 210 /* Save things to print about task_struct */ 211 pid_t pid, ppid; 212 uid_t uid, euid, suid, fsuid; 213 gid_t gid, egid, sgid, fsgid; 214 unsigned long personality; 215 int arch; 216 217 pid_t target_pid; 218 u32 target_sid; 219 220 struct audit_tree_refs *trees, *first_trees; 221 int tree_count; 222 223 #if AUDIT_DEBUG 224 int put_count; 225 int ino_count; 226 #endif 227 }; 228 229 #define ACC_MODE(x) ("\004\002\006\006"[(x)&O_ACCMODE]) 230 static inline int open_arg(int flags, int mask) 231 { 232 int n = ACC_MODE(flags); 233 if (flags & (O_TRUNC | O_CREAT)) 234 n |= AUDIT_PERM_WRITE; 235 return n & mask; 236 } 237 238 static int audit_match_perm(struct audit_context *ctx, int mask) 239 { 240 unsigned n = ctx->major; 241 switch (audit_classify_syscall(ctx->arch, n)) { 242 case 0: /* native */ 243 if ((mask & AUDIT_PERM_WRITE) && 244 audit_match_class(AUDIT_CLASS_WRITE, n)) 245 return 1; 246 if ((mask & AUDIT_PERM_READ) && 247 audit_match_class(AUDIT_CLASS_READ, n)) 248 return 1; 249 if ((mask & AUDIT_PERM_ATTR) && 250 audit_match_class(AUDIT_CLASS_CHATTR, n)) 251 return 1; 252 return 0; 253 case 1: /* 32bit on biarch */ 254 if ((mask & AUDIT_PERM_WRITE) && 255 audit_match_class(AUDIT_CLASS_WRITE_32, n)) 256 return 1; 257 if ((mask & AUDIT_PERM_READ) && 258 audit_match_class(AUDIT_CLASS_READ_32, n)) 259 return 1; 260 if ((mask & AUDIT_PERM_ATTR) && 261 audit_match_class(AUDIT_CLASS_CHATTR_32, n)) 262 return 1; 263 return 0; 264 case 2: /* open */ 265 return mask & ACC_MODE(ctx->argv[1]); 266 case 3: /* openat */ 267 return mask & ACC_MODE(ctx->argv[2]); 268 case 4: /* socketcall */ 269 return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND); 270 case 5: /* execve */ 271 return mask & AUDIT_PERM_EXEC; 272 default: 273 return 0; 274 } 275 } 276 277 /* 278 * We keep a linked list of fixed-sized (31 pointer) arrays of audit_chunk *; 279 * ->first_trees points to its beginning, ->trees - to the current end of data. 280 * ->tree_count is the number of free entries in array pointed to by ->trees. 281 * Original condition is (NULL, NULL, 0); as soon as it grows we never revert to NULL, 282 * "empty" becomes (p, p, 31) afterwards. We don't shrink the list (and seriously, 283 * it's going to remain 1-element for almost any setup) until we free context itself. 284 * References in it _are_ dropped - at the same time we free/drop aux stuff. 285 */ 286 287 #ifdef CONFIG_AUDIT_TREE 288 static int put_tree_ref(struct audit_context *ctx, struct audit_chunk *chunk) 289 { 290 struct audit_tree_refs *p = ctx->trees; 291 int left = ctx->tree_count; 292 if (likely(left)) { 293 p->c[--left] = chunk; 294 ctx->tree_count = left; 295 return 1; 296 } 297 if (!p) 298 return 0; 299 p = p->next; 300 if (p) { 301 p->c[30] = chunk; 302 ctx->trees = p; 303 ctx->tree_count = 30; 304 return 1; 305 } 306 return 0; 307 } 308 309 static int grow_tree_refs(struct audit_context *ctx) 310 { 311 struct audit_tree_refs *p = ctx->trees; 312 ctx->trees = kzalloc(sizeof(struct audit_tree_refs), GFP_KERNEL); 313 if (!ctx->trees) { 314 ctx->trees = p; 315 return 0; 316 } 317 if (p) 318 p->next = ctx->trees; 319 else 320 ctx->first_trees = ctx->trees; 321 ctx->tree_count = 31; 322 return 1; 323 } 324 #endif 325 326 static void unroll_tree_refs(struct audit_context *ctx, 327 struct audit_tree_refs *p, int count) 328 { 329 #ifdef CONFIG_AUDIT_TREE 330 struct audit_tree_refs *q; 331 int n; 332 if (!p) { 333 /* we started with empty chain */ 334 p = ctx->first_trees; 335 count = 31; 336 /* if the very first allocation has failed, nothing to do */ 337 if (!p) 338 return; 339 } 340 n = count; 341 for (q = p; q != ctx->trees; q = q->next, n = 31) { 342 while (n--) { 343 audit_put_chunk(q->c[n]); 344 q->c[n] = NULL; 345 } 346 } 347 while (n-- > ctx->tree_count) { 348 audit_put_chunk(q->c[n]); 349 q->c[n] = NULL; 350 } 351 ctx->trees = p; 352 ctx->tree_count = count; 353 #endif 354 } 355 356 static void free_tree_refs(struct audit_context *ctx) 357 { 358 struct audit_tree_refs *p, *q; 359 for (p = ctx->first_trees; p; p = q) { 360 q = p->next; 361 kfree(p); 362 } 363 } 364 365 static int match_tree_refs(struct audit_context *ctx, struct audit_tree *tree) 366 { 367 #ifdef CONFIG_AUDIT_TREE 368 struct audit_tree_refs *p; 369 int n; 370 if (!tree) 371 return 0; 372 /* full ones */ 373 for (p = ctx->first_trees; p != ctx->trees; p = p->next) { 374 for (n = 0; n < 31; n++) 375 if (audit_tree_match(p->c[n], tree)) 376 return 1; 377 } 378 /* partial */ 379 if (p) { 380 for (n = ctx->tree_count; n < 31; n++) 381 if (audit_tree_match(p->c[n], tree)) 382 return 1; 383 } 384 #endif 385 return 0; 386 } 387 388 /* Determine if any context name data matches a rule's watch data */ 389 /* Compare a task_struct with an audit_rule. Return 1 on match, 0 390 * otherwise. */ 391 static int audit_filter_rules(struct task_struct *tsk, 392 struct audit_krule *rule, 393 struct audit_context *ctx, 394 struct audit_names *name, 395 enum audit_state *state) 396 { 397 int i, j, need_sid = 1; 398 u32 sid; 399 400 for (i = 0; i < rule->field_count; i++) { 401 struct audit_field *f = &rule->fields[i]; 402 int result = 0; 403 404 switch (f->type) { 405 case AUDIT_PID: 406 result = audit_comparator(tsk->pid, f->op, f->val); 407 break; 408 case AUDIT_PPID: 409 if (ctx) { 410 if (!ctx->ppid) 411 ctx->ppid = sys_getppid(); 412 result = audit_comparator(ctx->ppid, f->op, f->val); 413 } 414 break; 415 case AUDIT_UID: 416 result = audit_comparator(tsk->uid, f->op, f->val); 417 break; 418 case AUDIT_EUID: 419 result = audit_comparator(tsk->euid, f->op, f->val); 420 break; 421 case AUDIT_SUID: 422 result = audit_comparator(tsk->suid, f->op, f->val); 423 break; 424 case AUDIT_FSUID: 425 result = audit_comparator(tsk->fsuid, f->op, f->val); 426 break; 427 case AUDIT_GID: 428 result = audit_comparator(tsk->gid, f->op, f->val); 429 break; 430 case AUDIT_EGID: 431 result = audit_comparator(tsk->egid, f->op, f->val); 432 break; 433 case AUDIT_SGID: 434 result = audit_comparator(tsk->sgid, f->op, f->val); 435 break; 436 case AUDIT_FSGID: 437 result = audit_comparator(tsk->fsgid, f->op, f->val); 438 break; 439 case AUDIT_PERS: 440 result = audit_comparator(tsk->personality, f->op, f->val); 441 break; 442 case AUDIT_ARCH: 443 if (ctx) 444 result = audit_comparator(ctx->arch, f->op, f->val); 445 break; 446 447 case AUDIT_EXIT: 448 if (ctx && ctx->return_valid) 449 result = audit_comparator(ctx->return_code, f->op, f->val); 450 break; 451 case AUDIT_SUCCESS: 452 if (ctx && ctx->return_valid) { 453 if (f->val) 454 result = audit_comparator(ctx->return_valid, f->op, AUDITSC_SUCCESS); 455 else 456 result = audit_comparator(ctx->return_valid, f->op, AUDITSC_FAILURE); 457 } 458 break; 459 case AUDIT_DEVMAJOR: 460 if (name) 461 result = audit_comparator(MAJOR(name->dev), 462 f->op, f->val); 463 else if (ctx) { 464 for (j = 0; j < ctx->name_count; j++) { 465 if (audit_comparator(MAJOR(ctx->names[j].dev), f->op, f->val)) { 466 ++result; 467 break; 468 } 469 } 470 } 471 break; 472 case AUDIT_DEVMINOR: 473 if (name) 474 result = audit_comparator(MINOR(name->dev), 475 f->op, f->val); 476 else if (ctx) { 477 for (j = 0; j < ctx->name_count; j++) { 478 if (audit_comparator(MINOR(ctx->names[j].dev), f->op, f->val)) { 479 ++result; 480 break; 481 } 482 } 483 } 484 break; 485 case AUDIT_INODE: 486 if (name) 487 result = (name->ino == f->val); 488 else if (ctx) { 489 for (j = 0; j < ctx->name_count; j++) { 490 if (audit_comparator(ctx->names[j].ino, f->op, f->val)) { 491 ++result; 492 break; 493 } 494 } 495 } 496 break; 497 case AUDIT_WATCH: 498 if (name && rule->watch->ino != (unsigned long)-1) 499 result = (name->dev == rule->watch->dev && 500 name->ino == rule->watch->ino); 501 break; 502 case AUDIT_DIR: 503 if (ctx) 504 result = match_tree_refs(ctx, rule->tree); 505 break; 506 case AUDIT_LOGINUID: 507 result = 0; 508 if (ctx) 509 result = audit_comparator(ctx->loginuid, f->op, f->val); 510 break; 511 case AUDIT_SUBJ_USER: 512 case AUDIT_SUBJ_ROLE: 513 case AUDIT_SUBJ_TYPE: 514 case AUDIT_SUBJ_SEN: 515 case AUDIT_SUBJ_CLR: 516 /* NOTE: this may return negative values indicating 517 a temporary error. We simply treat this as a 518 match for now to avoid losing information that 519 may be wanted. An error message will also be 520 logged upon error */ 521 if (f->se_rule) { 522 if (need_sid) { 523 selinux_get_task_sid(tsk, &sid); 524 need_sid = 0; 525 } 526 result = selinux_audit_rule_match(sid, f->type, 527 f->op, 528 f->se_rule, 529 ctx); 530 } 531 break; 532 case AUDIT_OBJ_USER: 533 case AUDIT_OBJ_ROLE: 534 case AUDIT_OBJ_TYPE: 535 case AUDIT_OBJ_LEV_LOW: 536 case AUDIT_OBJ_LEV_HIGH: 537 /* The above note for AUDIT_SUBJ_USER...AUDIT_SUBJ_CLR 538 also applies here */ 539 if (f->se_rule) { 540 /* Find files that match */ 541 if (name) { 542 result = selinux_audit_rule_match( 543 name->osid, f->type, f->op, 544 f->se_rule, ctx); 545 } else if (ctx) { 546 for (j = 0; j < ctx->name_count; j++) { 547 if (selinux_audit_rule_match( 548 ctx->names[j].osid, 549 f->type, f->op, 550 f->se_rule, ctx)) { 551 ++result; 552 break; 553 } 554 } 555 } 556 /* Find ipc objects that match */ 557 if (ctx) { 558 struct audit_aux_data *aux; 559 for (aux = ctx->aux; aux; 560 aux = aux->next) { 561 if (aux->type == AUDIT_IPC) { 562 struct audit_aux_data_ipcctl *axi = (void *)aux; 563 if (selinux_audit_rule_match(axi->osid, f->type, f->op, f->se_rule, ctx)) { 564 ++result; 565 break; 566 } 567 } 568 } 569 } 570 } 571 break; 572 case AUDIT_ARG0: 573 case AUDIT_ARG1: 574 case AUDIT_ARG2: 575 case AUDIT_ARG3: 576 if (ctx) 577 result = audit_comparator(ctx->argv[f->type-AUDIT_ARG0], f->op, f->val); 578 break; 579 case AUDIT_FILTERKEY: 580 /* ignore this field for filtering */ 581 result = 1; 582 break; 583 case AUDIT_PERM: 584 result = audit_match_perm(ctx, f->val); 585 break; 586 } 587 588 if (!result) 589 return 0; 590 } 591 if (rule->filterkey) 592 ctx->filterkey = kstrdup(rule->filterkey, GFP_ATOMIC); 593 switch (rule->action) { 594 case AUDIT_NEVER: *state = AUDIT_DISABLED; break; 595 case AUDIT_ALWAYS: *state = AUDIT_RECORD_CONTEXT; break; 596 } 597 return 1; 598 } 599 600 /* At process creation time, we can determine if system-call auditing is 601 * completely disabled for this task. Since we only have the task 602 * structure at this point, we can only check uid and gid. 603 */ 604 static enum audit_state audit_filter_task(struct task_struct *tsk) 605 { 606 struct audit_entry *e; 607 enum audit_state state; 608 609 rcu_read_lock(); 610 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TASK], list) { 611 if (audit_filter_rules(tsk, &e->rule, NULL, NULL, &state)) { 612 rcu_read_unlock(); 613 return state; 614 } 615 } 616 rcu_read_unlock(); 617 return AUDIT_BUILD_CONTEXT; 618 } 619 620 /* At syscall entry and exit time, this filter is called if the 621 * audit_state is not low enough that auditing cannot take place, but is 622 * also not high enough that we already know we have to write an audit 623 * record (i.e., the state is AUDIT_SETUP_CONTEXT or AUDIT_BUILD_CONTEXT). 624 */ 625 static enum audit_state audit_filter_syscall(struct task_struct *tsk, 626 struct audit_context *ctx, 627 struct list_head *list) 628 { 629 struct audit_entry *e; 630 enum audit_state state; 631 632 if (audit_pid && tsk->tgid == audit_pid) 633 return AUDIT_DISABLED; 634 635 rcu_read_lock(); 636 if (!list_empty(list)) { 637 int word = AUDIT_WORD(ctx->major); 638 int bit = AUDIT_BIT(ctx->major); 639 640 list_for_each_entry_rcu(e, list, list) { 641 if ((e->rule.mask[word] & bit) == bit && 642 audit_filter_rules(tsk, &e->rule, ctx, NULL, 643 &state)) { 644 rcu_read_unlock(); 645 return state; 646 } 647 } 648 } 649 rcu_read_unlock(); 650 return AUDIT_BUILD_CONTEXT; 651 } 652 653 /* At syscall exit time, this filter is called if any audit_names[] have been 654 * collected during syscall processing. We only check rules in sublists at hash 655 * buckets applicable to the inode numbers in audit_names[]. 656 * Regarding audit_state, same rules apply as for audit_filter_syscall(). 657 */ 658 enum audit_state audit_filter_inodes(struct task_struct *tsk, 659 struct audit_context *ctx) 660 { 661 int i; 662 struct audit_entry *e; 663 enum audit_state state; 664 665 if (audit_pid && tsk->tgid == audit_pid) 666 return AUDIT_DISABLED; 667 668 rcu_read_lock(); 669 for (i = 0; i < ctx->name_count; i++) { 670 int word = AUDIT_WORD(ctx->major); 671 int bit = AUDIT_BIT(ctx->major); 672 struct audit_names *n = &ctx->names[i]; 673 int h = audit_hash_ino((u32)n->ino); 674 struct list_head *list = &audit_inode_hash[h]; 675 676 if (list_empty(list)) 677 continue; 678 679 list_for_each_entry_rcu(e, list, list) { 680 if ((e->rule.mask[word] & bit) == bit && 681 audit_filter_rules(tsk, &e->rule, ctx, n, &state)) { 682 rcu_read_unlock(); 683 return state; 684 } 685 } 686 } 687 rcu_read_unlock(); 688 return AUDIT_BUILD_CONTEXT; 689 } 690 691 void audit_set_auditable(struct audit_context *ctx) 692 { 693 ctx->auditable = 1; 694 } 695 696 static inline struct audit_context *audit_get_context(struct task_struct *tsk, 697 int return_valid, 698 int return_code) 699 { 700 struct audit_context *context = tsk->audit_context; 701 702 if (likely(!context)) 703 return NULL; 704 context->return_valid = return_valid; 705 context->return_code = return_code; 706 707 if (context->in_syscall && !context->dummy && !context->auditable) { 708 enum audit_state state; 709 710 state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_EXIT]); 711 if (state == AUDIT_RECORD_CONTEXT) { 712 context->auditable = 1; 713 goto get_context; 714 } 715 716 state = audit_filter_inodes(tsk, context); 717 if (state == AUDIT_RECORD_CONTEXT) 718 context->auditable = 1; 719 720 } 721 722 get_context: 723 724 tsk->audit_context = NULL; 725 return context; 726 } 727 728 static inline void audit_free_names(struct audit_context *context) 729 { 730 int i; 731 732 #if AUDIT_DEBUG == 2 733 if (context->auditable 734 ||context->put_count + context->ino_count != context->name_count) { 735 printk(KERN_ERR "%s:%d(:%d): major=%d in_syscall=%d" 736 " name_count=%d put_count=%d" 737 " ino_count=%d [NOT freeing]\n", 738 __FILE__, __LINE__, 739 context->serial, context->major, context->in_syscall, 740 context->name_count, context->put_count, 741 context->ino_count); 742 for (i = 0; i < context->name_count; i++) { 743 printk(KERN_ERR "names[%d] = %p = %s\n", i, 744 context->names[i].name, 745 context->names[i].name ?: "(null)"); 746 } 747 dump_stack(); 748 return; 749 } 750 #endif 751 #if AUDIT_DEBUG 752 context->put_count = 0; 753 context->ino_count = 0; 754 #endif 755 756 for (i = 0; i < context->name_count; i++) { 757 if (context->names[i].name && context->names[i].name_put) 758 __putname(context->names[i].name); 759 } 760 context->name_count = 0; 761 if (context->pwd) 762 dput(context->pwd); 763 if (context->pwdmnt) 764 mntput(context->pwdmnt); 765 context->pwd = NULL; 766 context->pwdmnt = NULL; 767 } 768 769 static inline void audit_free_aux(struct audit_context *context) 770 { 771 struct audit_aux_data *aux; 772 773 while ((aux = context->aux)) { 774 context->aux = aux->next; 775 kfree(aux); 776 } 777 while ((aux = context->aux_pids)) { 778 context->aux_pids = aux->next; 779 kfree(aux); 780 } 781 } 782 783 static inline void audit_zero_context(struct audit_context *context, 784 enum audit_state state) 785 { 786 uid_t loginuid = context->loginuid; 787 788 memset(context, 0, sizeof(*context)); 789 context->state = state; 790 context->loginuid = loginuid; 791 } 792 793 static inline struct audit_context *audit_alloc_context(enum audit_state state) 794 { 795 struct audit_context *context; 796 797 if (!(context = kmalloc(sizeof(*context), GFP_KERNEL))) 798 return NULL; 799 audit_zero_context(context, state); 800 return context; 801 } 802 803 /** 804 * audit_alloc - allocate an audit context block for a task 805 * @tsk: task 806 * 807 * Filter on the task information and allocate a per-task audit context 808 * if necessary. Doing so turns on system call auditing for the 809 * specified task. This is called from copy_process, so no lock is 810 * needed. 811 */ 812 int audit_alloc(struct task_struct *tsk) 813 { 814 struct audit_context *context; 815 enum audit_state state; 816 817 if (likely(!audit_enabled)) 818 return 0; /* Return if not auditing. */ 819 820 state = audit_filter_task(tsk); 821 if (likely(state == AUDIT_DISABLED)) 822 return 0; 823 824 if (!(context = audit_alloc_context(state))) { 825 audit_log_lost("out of memory in audit_alloc"); 826 return -ENOMEM; 827 } 828 829 /* Preserve login uid */ 830 context->loginuid = -1; 831 if (current->audit_context) 832 context->loginuid = current->audit_context->loginuid; 833 834 tsk->audit_context = context; 835 set_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT); 836 return 0; 837 } 838 839 static inline void audit_free_context(struct audit_context *context) 840 { 841 struct audit_context *previous; 842 int count = 0; 843 844 do { 845 previous = context->previous; 846 if (previous || (count && count < 10)) { 847 ++count; 848 printk(KERN_ERR "audit(:%d): major=%d name_count=%d:" 849 " freeing multiple contexts (%d)\n", 850 context->serial, context->major, 851 context->name_count, count); 852 } 853 audit_free_names(context); 854 unroll_tree_refs(context, NULL, 0); 855 free_tree_refs(context); 856 audit_free_aux(context); 857 kfree(context->filterkey); 858 kfree(context); 859 context = previous; 860 } while (context); 861 if (count >= 10) 862 printk(KERN_ERR "audit: freed %d contexts\n", count); 863 } 864 865 void audit_log_task_context(struct audit_buffer *ab) 866 { 867 char *ctx = NULL; 868 unsigned len; 869 int error; 870 u32 sid; 871 872 selinux_get_task_sid(current, &sid); 873 if (!sid) 874 return; 875 876 error = selinux_sid_to_string(sid, &ctx, &len); 877 if (error) { 878 if (error != -EINVAL) 879 goto error_path; 880 return; 881 } 882 883 audit_log_format(ab, " subj=%s", ctx); 884 kfree(ctx); 885 return; 886 887 error_path: 888 audit_panic("error in audit_log_task_context"); 889 return; 890 } 891 892 EXPORT_SYMBOL(audit_log_task_context); 893 894 static void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk) 895 { 896 char name[sizeof(tsk->comm)]; 897 struct mm_struct *mm = tsk->mm; 898 struct vm_area_struct *vma; 899 900 /* tsk == current */ 901 902 get_task_comm(name, tsk); 903 audit_log_format(ab, " comm="); 904 audit_log_untrustedstring(ab, name); 905 906 if (mm) { 907 down_read(&mm->mmap_sem); 908 vma = mm->mmap; 909 while (vma) { 910 if ((vma->vm_flags & VM_EXECUTABLE) && 911 vma->vm_file) { 912 audit_log_d_path(ab, "exe=", 913 vma->vm_file->f_path.dentry, 914 vma->vm_file->f_path.mnt); 915 break; 916 } 917 vma = vma->vm_next; 918 } 919 up_read(&mm->mmap_sem); 920 } 921 audit_log_task_context(ab); 922 } 923 924 static int audit_log_pid_context(struct audit_context *context, pid_t pid, 925 u32 sid) 926 { 927 struct audit_buffer *ab; 928 char *s = NULL; 929 u32 len; 930 int rc = 0; 931 932 ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID); 933 if (!ab) 934 return 1; 935 936 if (selinux_sid_to_string(sid, &s, &len)) { 937 audit_log_format(ab, "opid=%d obj=(none)", pid); 938 rc = 1; 939 } else 940 audit_log_format(ab, "opid=%d obj=%s", pid, s); 941 audit_log_end(ab); 942 kfree(s); 943 944 return rc; 945 } 946 947 static void audit_log_execve_info(struct audit_buffer *ab, 948 struct audit_aux_data_execve *axi) 949 { 950 int i; 951 long len, ret; 952 const char __user *p; 953 char *buf; 954 955 if (axi->mm != current->mm) 956 return; /* execve failed, no additional info */ 957 958 p = (const char __user *)axi->mm->arg_start; 959 960 for (i = 0; i < axi->argc; i++, p += len) { 961 len = strnlen_user(p, MAX_ARG_STRLEN); 962 /* 963 * We just created this mm, if we can't find the strings 964 * we just copied into it something is _very_ wrong. Similar 965 * for strings that are too long, we should not have created 966 * any. 967 */ 968 if (!len || len > MAX_ARG_STRLEN) { 969 WARN_ON(1); 970 send_sig(SIGKILL, current, 0); 971 } 972 973 buf = kmalloc(len, GFP_KERNEL); 974 if (!buf) { 975 audit_panic("out of memory for argv string\n"); 976 break; 977 } 978 979 ret = copy_from_user(buf, p, len); 980 /* 981 * There is no reason for this copy to be short. We just 982 * copied them here, and the mm hasn't been exposed to user- 983 * space yet. 984 */ 985 if (ret) { 986 WARN_ON(1); 987 send_sig(SIGKILL, current, 0); 988 } 989 990 audit_log_format(ab, "a%d=", i); 991 audit_log_untrustedstring(ab, buf); 992 audit_log_format(ab, "\n"); 993 994 kfree(buf); 995 } 996 } 997 998 static void audit_log_exit(struct audit_context *context, struct task_struct *tsk) 999 { 1000 int i, call_panic = 0; 1001 struct audit_buffer *ab; 1002 struct audit_aux_data *aux; 1003 const char *tty; 1004 1005 /* tsk == current */ 1006 context->pid = tsk->pid; 1007 if (!context->ppid) 1008 context->ppid = sys_getppid(); 1009 context->uid = tsk->uid; 1010 context->gid = tsk->gid; 1011 context->euid = tsk->euid; 1012 context->suid = tsk->suid; 1013 context->fsuid = tsk->fsuid; 1014 context->egid = tsk->egid; 1015 context->sgid = tsk->sgid; 1016 context->fsgid = tsk->fsgid; 1017 context->personality = tsk->personality; 1018 1019 ab = audit_log_start(context, GFP_KERNEL, AUDIT_SYSCALL); 1020 if (!ab) 1021 return; /* audit_panic has been called */ 1022 audit_log_format(ab, "arch=%x syscall=%d", 1023 context->arch, context->major); 1024 if (context->personality != PER_LINUX) 1025 audit_log_format(ab, " per=%lx", context->personality); 1026 if (context->return_valid) 1027 audit_log_format(ab, " success=%s exit=%ld", 1028 (context->return_valid==AUDITSC_SUCCESS)?"yes":"no", 1029 context->return_code); 1030 1031 mutex_lock(&tty_mutex); 1032 read_lock(&tasklist_lock); 1033 if (tsk->signal && tsk->signal->tty && tsk->signal->tty->name) 1034 tty = tsk->signal->tty->name; 1035 else 1036 tty = "(none)"; 1037 read_unlock(&tasklist_lock); 1038 audit_log_format(ab, 1039 " a0=%lx a1=%lx a2=%lx a3=%lx items=%d" 1040 " ppid=%d pid=%d auid=%u uid=%u gid=%u" 1041 " euid=%u suid=%u fsuid=%u" 1042 " egid=%u sgid=%u fsgid=%u tty=%s", 1043 context->argv[0], 1044 context->argv[1], 1045 context->argv[2], 1046 context->argv[3], 1047 context->name_count, 1048 context->ppid, 1049 context->pid, 1050 context->loginuid, 1051 context->uid, 1052 context->gid, 1053 context->euid, context->suid, context->fsuid, 1054 context->egid, context->sgid, context->fsgid, tty); 1055 1056 mutex_unlock(&tty_mutex); 1057 1058 audit_log_task_info(ab, tsk); 1059 if (context->filterkey) { 1060 audit_log_format(ab, " key="); 1061 audit_log_untrustedstring(ab, context->filterkey); 1062 } else 1063 audit_log_format(ab, " key=(null)"); 1064 audit_log_end(ab); 1065 1066 for (aux = context->aux; aux; aux = aux->next) { 1067 1068 ab = audit_log_start(context, GFP_KERNEL, aux->type); 1069 if (!ab) 1070 continue; /* audit_panic has been called */ 1071 1072 switch (aux->type) { 1073 case AUDIT_MQ_OPEN: { 1074 struct audit_aux_data_mq_open *axi = (void *)aux; 1075 audit_log_format(ab, 1076 "oflag=0x%x mode=%#o mq_flags=0x%lx mq_maxmsg=%ld " 1077 "mq_msgsize=%ld mq_curmsgs=%ld", 1078 axi->oflag, axi->mode, axi->attr.mq_flags, 1079 axi->attr.mq_maxmsg, axi->attr.mq_msgsize, 1080 axi->attr.mq_curmsgs); 1081 break; } 1082 1083 case AUDIT_MQ_SENDRECV: { 1084 struct audit_aux_data_mq_sendrecv *axi = (void *)aux; 1085 audit_log_format(ab, 1086 "mqdes=%d msg_len=%zd msg_prio=%u " 1087 "abs_timeout_sec=%ld abs_timeout_nsec=%ld", 1088 axi->mqdes, axi->msg_len, axi->msg_prio, 1089 axi->abs_timeout.tv_sec, axi->abs_timeout.tv_nsec); 1090 break; } 1091 1092 case AUDIT_MQ_NOTIFY: { 1093 struct audit_aux_data_mq_notify *axi = (void *)aux; 1094 audit_log_format(ab, 1095 "mqdes=%d sigev_signo=%d", 1096 axi->mqdes, 1097 axi->notification.sigev_signo); 1098 break; } 1099 1100 case AUDIT_MQ_GETSETATTR: { 1101 struct audit_aux_data_mq_getsetattr *axi = (void *)aux; 1102 audit_log_format(ab, 1103 "mqdes=%d mq_flags=0x%lx mq_maxmsg=%ld mq_msgsize=%ld " 1104 "mq_curmsgs=%ld ", 1105 axi->mqdes, 1106 axi->mqstat.mq_flags, axi->mqstat.mq_maxmsg, 1107 axi->mqstat.mq_msgsize, axi->mqstat.mq_curmsgs); 1108 break; } 1109 1110 case AUDIT_IPC: { 1111 struct audit_aux_data_ipcctl *axi = (void *)aux; 1112 audit_log_format(ab, 1113 "ouid=%u ogid=%u mode=%#o", 1114 axi->uid, axi->gid, axi->mode); 1115 if (axi->osid != 0) { 1116 char *ctx = NULL; 1117 u32 len; 1118 if (selinux_sid_to_string( 1119 axi->osid, &ctx, &len)) { 1120 audit_log_format(ab, " osid=%u", 1121 axi->osid); 1122 call_panic = 1; 1123 } else 1124 audit_log_format(ab, " obj=%s", ctx); 1125 kfree(ctx); 1126 } 1127 break; } 1128 1129 case AUDIT_IPC_SET_PERM: { 1130 struct audit_aux_data_ipcctl *axi = (void *)aux; 1131 audit_log_format(ab, 1132 "qbytes=%lx ouid=%u ogid=%u mode=%#o", 1133 axi->qbytes, axi->uid, axi->gid, axi->mode); 1134 break; } 1135 1136 case AUDIT_EXECVE: { 1137 struct audit_aux_data_execve *axi = (void *)aux; 1138 audit_log_execve_info(ab, axi); 1139 break; } 1140 1141 case AUDIT_SOCKETCALL: { 1142 int i; 1143 struct audit_aux_data_socketcall *axs = (void *)aux; 1144 audit_log_format(ab, "nargs=%d", axs->nargs); 1145 for (i=0; i<axs->nargs; i++) 1146 audit_log_format(ab, " a%d=%lx", i, axs->args[i]); 1147 break; } 1148 1149 case AUDIT_SOCKADDR: { 1150 struct audit_aux_data_sockaddr *axs = (void *)aux; 1151 1152 audit_log_format(ab, "saddr="); 1153 audit_log_hex(ab, axs->a, axs->len); 1154 break; } 1155 1156 case AUDIT_FD_PAIR: { 1157 struct audit_aux_data_fd_pair *axs = (void *)aux; 1158 audit_log_format(ab, "fd0=%d fd1=%d", axs->fd[0], axs->fd[1]); 1159 break; } 1160 1161 } 1162 audit_log_end(ab); 1163 } 1164 1165 for (aux = context->aux_pids; aux; aux = aux->next) { 1166 struct audit_aux_data_pids *axs = (void *)aux; 1167 int i; 1168 1169 for (i = 0; i < axs->pid_count; i++) 1170 if (audit_log_pid_context(context, axs->target_pid[i], 1171 axs->target_sid[i])) 1172 call_panic = 1; 1173 } 1174 1175 if (context->target_pid && 1176 audit_log_pid_context(context, context->target_pid, 1177 context->target_sid)) 1178 call_panic = 1; 1179 1180 if (context->pwd && context->pwdmnt) { 1181 ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD); 1182 if (ab) { 1183 audit_log_d_path(ab, "cwd=", context->pwd, context->pwdmnt); 1184 audit_log_end(ab); 1185 } 1186 } 1187 for (i = 0; i < context->name_count; i++) { 1188 struct audit_names *n = &context->names[i]; 1189 1190 ab = audit_log_start(context, GFP_KERNEL, AUDIT_PATH); 1191 if (!ab) 1192 continue; /* audit_panic has been called */ 1193 1194 audit_log_format(ab, "item=%d", i); 1195 1196 if (n->name) { 1197 switch(n->name_len) { 1198 case AUDIT_NAME_FULL: 1199 /* log the full path */ 1200 audit_log_format(ab, " name="); 1201 audit_log_untrustedstring(ab, n->name); 1202 break; 1203 case 0: 1204 /* name was specified as a relative path and the 1205 * directory component is the cwd */ 1206 audit_log_d_path(ab, " name=", context->pwd, 1207 context->pwdmnt); 1208 break; 1209 default: 1210 /* log the name's directory component */ 1211 audit_log_format(ab, " name="); 1212 audit_log_n_untrustedstring(ab, n->name_len, 1213 n->name); 1214 } 1215 } else 1216 audit_log_format(ab, " name=(null)"); 1217 1218 if (n->ino != (unsigned long)-1) { 1219 audit_log_format(ab, " inode=%lu" 1220 " dev=%02x:%02x mode=%#o" 1221 " ouid=%u ogid=%u rdev=%02x:%02x", 1222 n->ino, 1223 MAJOR(n->dev), 1224 MINOR(n->dev), 1225 n->mode, 1226 n->uid, 1227 n->gid, 1228 MAJOR(n->rdev), 1229 MINOR(n->rdev)); 1230 } 1231 if (n->osid != 0) { 1232 char *ctx = NULL; 1233 u32 len; 1234 if (selinux_sid_to_string( 1235 n->osid, &ctx, &len)) { 1236 audit_log_format(ab, " osid=%u", n->osid); 1237 call_panic = 2; 1238 } else 1239 audit_log_format(ab, " obj=%s", ctx); 1240 kfree(ctx); 1241 } 1242 1243 audit_log_end(ab); 1244 } 1245 if (call_panic) 1246 audit_panic("error converting sid to string"); 1247 } 1248 1249 /** 1250 * audit_free - free a per-task audit context 1251 * @tsk: task whose audit context block to free 1252 * 1253 * Called from copy_process and do_exit 1254 */ 1255 void audit_free(struct task_struct *tsk) 1256 { 1257 struct audit_context *context; 1258 1259 context = audit_get_context(tsk, 0, 0); 1260 if (likely(!context)) 1261 return; 1262 1263 /* Check for system calls that do not go through the exit 1264 * function (e.g., exit_group), then free context block. 1265 * We use GFP_ATOMIC here because we might be doing this 1266 * in the context of the idle thread */ 1267 /* that can happen only if we are called from do_exit() */ 1268 if (context->in_syscall && context->auditable) 1269 audit_log_exit(context, tsk); 1270 1271 audit_free_context(context); 1272 } 1273 1274 /** 1275 * audit_syscall_entry - fill in an audit record at syscall entry 1276 * @tsk: task being audited 1277 * @arch: architecture type 1278 * @major: major syscall type (function) 1279 * @a1: additional syscall register 1 1280 * @a2: additional syscall register 2 1281 * @a3: additional syscall register 3 1282 * @a4: additional syscall register 4 1283 * 1284 * Fill in audit context at syscall entry. This only happens if the 1285 * audit context was created when the task was created and the state or 1286 * filters demand the audit context be built. If the state from the 1287 * per-task filter or from the per-syscall filter is AUDIT_RECORD_CONTEXT, 1288 * then the record will be written at syscall exit time (otherwise, it 1289 * will only be written if another part of the kernel requests that it 1290 * be written). 1291 */ 1292 void audit_syscall_entry(int arch, int major, 1293 unsigned long a1, unsigned long a2, 1294 unsigned long a3, unsigned long a4) 1295 { 1296 struct task_struct *tsk = current; 1297 struct audit_context *context = tsk->audit_context; 1298 enum audit_state state; 1299 1300 BUG_ON(!context); 1301 1302 /* 1303 * This happens only on certain architectures that make system 1304 * calls in kernel_thread via the entry.S interface, instead of 1305 * with direct calls. (If you are porting to a new 1306 * architecture, hitting this condition can indicate that you 1307 * got the _exit/_leave calls backward in entry.S.) 1308 * 1309 * i386 no 1310 * x86_64 no 1311 * ppc64 yes (see arch/powerpc/platforms/iseries/misc.S) 1312 * 1313 * This also happens with vm86 emulation in a non-nested manner 1314 * (entries without exits), so this case must be caught. 1315 */ 1316 if (context->in_syscall) { 1317 struct audit_context *newctx; 1318 1319 #if AUDIT_DEBUG 1320 printk(KERN_ERR 1321 "audit(:%d) pid=%d in syscall=%d;" 1322 " entering syscall=%d\n", 1323 context->serial, tsk->pid, context->major, major); 1324 #endif 1325 newctx = audit_alloc_context(context->state); 1326 if (newctx) { 1327 newctx->previous = context; 1328 context = newctx; 1329 tsk->audit_context = newctx; 1330 } else { 1331 /* If we can't alloc a new context, the best we 1332 * can do is to leak memory (any pending putname 1333 * will be lost). The only other alternative is 1334 * to abandon auditing. */ 1335 audit_zero_context(context, context->state); 1336 } 1337 } 1338 BUG_ON(context->in_syscall || context->name_count); 1339 1340 if (!audit_enabled) 1341 return; 1342 1343 context->arch = arch; 1344 context->major = major; 1345 context->argv[0] = a1; 1346 context->argv[1] = a2; 1347 context->argv[2] = a3; 1348 context->argv[3] = a4; 1349 1350 state = context->state; 1351 context->dummy = !audit_n_rules; 1352 if (!context->dummy && (state == AUDIT_SETUP_CONTEXT || state == AUDIT_BUILD_CONTEXT)) 1353 state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_ENTRY]); 1354 if (likely(state == AUDIT_DISABLED)) 1355 return; 1356 1357 context->serial = 0; 1358 context->ctime = CURRENT_TIME; 1359 context->in_syscall = 1; 1360 context->auditable = !!(state == AUDIT_RECORD_CONTEXT); 1361 context->ppid = 0; 1362 } 1363 1364 /** 1365 * audit_syscall_exit - deallocate audit context after a system call 1366 * @tsk: task being audited 1367 * @valid: success/failure flag 1368 * @return_code: syscall return value 1369 * 1370 * Tear down after system call. If the audit context has been marked as 1371 * auditable (either because of the AUDIT_RECORD_CONTEXT state from 1372 * filtering, or because some other part of the kernel write an audit 1373 * message), then write out the syscall information. In call cases, 1374 * free the names stored from getname(). 1375 */ 1376 void audit_syscall_exit(int valid, long return_code) 1377 { 1378 struct task_struct *tsk = current; 1379 struct audit_context *context; 1380 1381 context = audit_get_context(tsk, valid, return_code); 1382 1383 if (likely(!context)) 1384 return; 1385 1386 if (context->in_syscall && context->auditable) 1387 audit_log_exit(context, tsk); 1388 1389 context->in_syscall = 0; 1390 context->auditable = 0; 1391 1392 if (context->previous) { 1393 struct audit_context *new_context = context->previous; 1394 context->previous = NULL; 1395 audit_free_context(context); 1396 tsk->audit_context = new_context; 1397 } else { 1398 audit_free_names(context); 1399 unroll_tree_refs(context, NULL, 0); 1400 audit_free_aux(context); 1401 context->aux = NULL; 1402 context->aux_pids = NULL; 1403 context->target_pid = 0; 1404 context->target_sid = 0; 1405 kfree(context->filterkey); 1406 context->filterkey = NULL; 1407 tsk->audit_context = context; 1408 } 1409 } 1410 1411 static inline void handle_one(const struct inode *inode) 1412 { 1413 #ifdef CONFIG_AUDIT_TREE 1414 struct audit_context *context; 1415 struct audit_tree_refs *p; 1416 struct audit_chunk *chunk; 1417 int count; 1418 if (likely(list_empty(&inode->inotify_watches))) 1419 return; 1420 context = current->audit_context; 1421 p = context->trees; 1422 count = context->tree_count; 1423 rcu_read_lock(); 1424 chunk = audit_tree_lookup(inode); 1425 rcu_read_unlock(); 1426 if (!chunk) 1427 return; 1428 if (likely(put_tree_ref(context, chunk))) 1429 return; 1430 if (unlikely(!grow_tree_refs(context))) { 1431 printk(KERN_WARNING "out of memory, audit has lost a tree reference"); 1432 audit_set_auditable(context); 1433 audit_put_chunk(chunk); 1434 unroll_tree_refs(context, p, count); 1435 return; 1436 } 1437 put_tree_ref(context, chunk); 1438 #endif 1439 } 1440 1441 static void handle_path(const struct dentry *dentry) 1442 { 1443 #ifdef CONFIG_AUDIT_TREE 1444 struct audit_context *context; 1445 struct audit_tree_refs *p; 1446 const struct dentry *d, *parent; 1447 struct audit_chunk *drop; 1448 unsigned long seq; 1449 int count; 1450 1451 context = current->audit_context; 1452 p = context->trees; 1453 count = context->tree_count; 1454 retry: 1455 drop = NULL; 1456 d = dentry; 1457 rcu_read_lock(); 1458 seq = read_seqbegin(&rename_lock); 1459 for(;;) { 1460 struct inode *inode = d->d_inode; 1461 if (inode && unlikely(!list_empty(&inode->inotify_watches))) { 1462 struct audit_chunk *chunk; 1463 chunk = audit_tree_lookup(inode); 1464 if (chunk) { 1465 if (unlikely(!put_tree_ref(context, chunk))) { 1466 drop = chunk; 1467 break; 1468 } 1469 } 1470 } 1471 parent = d->d_parent; 1472 if (parent == d) 1473 break; 1474 d = parent; 1475 } 1476 if (unlikely(read_seqretry(&rename_lock, seq) || drop)) { /* in this order */ 1477 rcu_read_unlock(); 1478 if (!drop) { 1479 /* just a race with rename */ 1480 unroll_tree_refs(context, p, count); 1481 goto retry; 1482 } 1483 audit_put_chunk(drop); 1484 if (grow_tree_refs(context)) { 1485 /* OK, got more space */ 1486 unroll_tree_refs(context, p, count); 1487 goto retry; 1488 } 1489 /* too bad */ 1490 printk(KERN_WARNING 1491 "out of memory, audit has lost a tree reference"); 1492 unroll_tree_refs(context, p, count); 1493 audit_set_auditable(context); 1494 return; 1495 } 1496 rcu_read_unlock(); 1497 #endif 1498 } 1499 1500 /** 1501 * audit_getname - add a name to the list 1502 * @name: name to add 1503 * 1504 * Add a name to the list of audit names for this context. 1505 * Called from fs/namei.c:getname(). 1506 */ 1507 void __audit_getname(const char *name) 1508 { 1509 struct audit_context *context = current->audit_context; 1510 1511 if (IS_ERR(name) || !name) 1512 return; 1513 1514 if (!context->in_syscall) { 1515 #if AUDIT_DEBUG == 2 1516 printk(KERN_ERR "%s:%d(:%d): ignoring getname(%p)\n", 1517 __FILE__, __LINE__, context->serial, name); 1518 dump_stack(); 1519 #endif 1520 return; 1521 } 1522 BUG_ON(context->name_count >= AUDIT_NAMES); 1523 context->names[context->name_count].name = name; 1524 context->names[context->name_count].name_len = AUDIT_NAME_FULL; 1525 context->names[context->name_count].name_put = 1; 1526 context->names[context->name_count].ino = (unsigned long)-1; 1527 context->names[context->name_count].osid = 0; 1528 ++context->name_count; 1529 if (!context->pwd) { 1530 read_lock(¤t->fs->lock); 1531 context->pwd = dget(current->fs->pwd); 1532 context->pwdmnt = mntget(current->fs->pwdmnt); 1533 read_unlock(¤t->fs->lock); 1534 } 1535 1536 } 1537 1538 /* audit_putname - intercept a putname request 1539 * @name: name to intercept and delay for putname 1540 * 1541 * If we have stored the name from getname in the audit context, 1542 * then we delay the putname until syscall exit. 1543 * Called from include/linux/fs.h:putname(). 1544 */ 1545 void audit_putname(const char *name) 1546 { 1547 struct audit_context *context = current->audit_context; 1548 1549 BUG_ON(!context); 1550 if (!context->in_syscall) { 1551 #if AUDIT_DEBUG == 2 1552 printk(KERN_ERR "%s:%d(:%d): __putname(%p)\n", 1553 __FILE__, __LINE__, context->serial, name); 1554 if (context->name_count) { 1555 int i; 1556 for (i = 0; i < context->name_count; i++) 1557 printk(KERN_ERR "name[%d] = %p = %s\n", i, 1558 context->names[i].name, 1559 context->names[i].name ?: "(null)"); 1560 } 1561 #endif 1562 __putname(name); 1563 } 1564 #if AUDIT_DEBUG 1565 else { 1566 ++context->put_count; 1567 if (context->put_count > context->name_count) { 1568 printk(KERN_ERR "%s:%d(:%d): major=%d" 1569 " in_syscall=%d putname(%p) name_count=%d" 1570 " put_count=%d\n", 1571 __FILE__, __LINE__, 1572 context->serial, context->major, 1573 context->in_syscall, name, context->name_count, 1574 context->put_count); 1575 dump_stack(); 1576 } 1577 } 1578 #endif 1579 } 1580 1581 static int audit_inc_name_count(struct audit_context *context, 1582 const struct inode *inode) 1583 { 1584 if (context->name_count >= AUDIT_NAMES) { 1585 if (inode) 1586 printk(KERN_DEBUG "name_count maxed, losing inode data: " 1587 "dev=%02x:%02x, inode=%lu", 1588 MAJOR(inode->i_sb->s_dev), 1589 MINOR(inode->i_sb->s_dev), 1590 inode->i_ino); 1591 1592 else 1593 printk(KERN_DEBUG "name_count maxed, losing inode data"); 1594 return 1; 1595 } 1596 context->name_count++; 1597 #if AUDIT_DEBUG 1598 context->ino_count++; 1599 #endif 1600 return 0; 1601 } 1602 1603 /* Copy inode data into an audit_names. */ 1604 static void audit_copy_inode(struct audit_names *name, const struct inode *inode) 1605 { 1606 name->ino = inode->i_ino; 1607 name->dev = inode->i_sb->s_dev; 1608 name->mode = inode->i_mode; 1609 name->uid = inode->i_uid; 1610 name->gid = inode->i_gid; 1611 name->rdev = inode->i_rdev; 1612 selinux_get_inode_sid(inode, &name->osid); 1613 } 1614 1615 /** 1616 * audit_inode - store the inode and device from a lookup 1617 * @name: name being audited 1618 * @dentry: dentry being audited 1619 * 1620 * Called from fs/namei.c:path_lookup(). 1621 */ 1622 void __audit_inode(const char *name, const struct dentry *dentry) 1623 { 1624 int idx; 1625 struct audit_context *context = current->audit_context; 1626 const struct inode *inode = dentry->d_inode; 1627 1628 if (!context->in_syscall) 1629 return; 1630 if (context->name_count 1631 && context->names[context->name_count-1].name 1632 && context->names[context->name_count-1].name == name) 1633 idx = context->name_count - 1; 1634 else if (context->name_count > 1 1635 && context->names[context->name_count-2].name 1636 && context->names[context->name_count-2].name == name) 1637 idx = context->name_count - 2; 1638 else { 1639 /* FIXME: how much do we care about inodes that have no 1640 * associated name? */ 1641 if (audit_inc_name_count(context, inode)) 1642 return; 1643 idx = context->name_count - 1; 1644 context->names[idx].name = NULL; 1645 } 1646 handle_path(dentry); 1647 audit_copy_inode(&context->names[idx], inode); 1648 } 1649 1650 /** 1651 * audit_inode_child - collect inode info for created/removed objects 1652 * @dname: inode's dentry name 1653 * @dentry: dentry being audited 1654 * @parent: inode of dentry parent 1655 * 1656 * For syscalls that create or remove filesystem objects, audit_inode 1657 * can only collect information for the filesystem object's parent. 1658 * This call updates the audit context with the child's information. 1659 * Syscalls that create a new filesystem object must be hooked after 1660 * the object is created. Syscalls that remove a filesystem object 1661 * must be hooked prior, in order to capture the target inode during 1662 * unsuccessful attempts. 1663 */ 1664 void __audit_inode_child(const char *dname, const struct dentry *dentry, 1665 const struct inode *parent) 1666 { 1667 int idx; 1668 struct audit_context *context = current->audit_context; 1669 const char *found_parent = NULL, *found_child = NULL; 1670 const struct inode *inode = dentry->d_inode; 1671 int dirlen = 0; 1672 1673 if (!context->in_syscall) 1674 return; 1675 1676 if (inode) 1677 handle_one(inode); 1678 /* determine matching parent */ 1679 if (!dname) 1680 goto add_names; 1681 1682 /* parent is more likely, look for it first */ 1683 for (idx = 0; idx < context->name_count; idx++) { 1684 struct audit_names *n = &context->names[idx]; 1685 1686 if (!n->name) 1687 continue; 1688 1689 if (n->ino == parent->i_ino && 1690 !audit_compare_dname_path(dname, n->name, &dirlen)) { 1691 n->name_len = dirlen; /* update parent data in place */ 1692 found_parent = n->name; 1693 goto add_names; 1694 } 1695 } 1696 1697 /* no matching parent, look for matching child */ 1698 for (idx = 0; idx < context->name_count; idx++) { 1699 struct audit_names *n = &context->names[idx]; 1700 1701 if (!n->name) 1702 continue; 1703 1704 /* strcmp() is the more likely scenario */ 1705 if (!strcmp(dname, n->name) || 1706 !audit_compare_dname_path(dname, n->name, &dirlen)) { 1707 if (inode) 1708 audit_copy_inode(n, inode); 1709 else 1710 n->ino = (unsigned long)-1; 1711 found_child = n->name; 1712 goto add_names; 1713 } 1714 } 1715 1716 add_names: 1717 if (!found_parent) { 1718 if (audit_inc_name_count(context, parent)) 1719 return; 1720 idx = context->name_count - 1; 1721 context->names[idx].name = NULL; 1722 audit_copy_inode(&context->names[idx], parent); 1723 } 1724 1725 if (!found_child) { 1726 if (audit_inc_name_count(context, inode)) 1727 return; 1728 idx = context->name_count - 1; 1729 1730 /* Re-use the name belonging to the slot for a matching parent 1731 * directory. All names for this context are relinquished in 1732 * audit_free_names() */ 1733 if (found_parent) { 1734 context->names[idx].name = found_parent; 1735 context->names[idx].name_len = AUDIT_NAME_FULL; 1736 /* don't call __putname() */ 1737 context->names[idx].name_put = 0; 1738 } else { 1739 context->names[idx].name = NULL; 1740 } 1741 1742 if (inode) 1743 audit_copy_inode(&context->names[idx], inode); 1744 else 1745 context->names[idx].ino = (unsigned long)-1; 1746 } 1747 } 1748 EXPORT_SYMBOL_GPL(__audit_inode_child); 1749 1750 /** 1751 * auditsc_get_stamp - get local copies of audit_context values 1752 * @ctx: audit_context for the task 1753 * @t: timespec to store time recorded in the audit_context 1754 * @serial: serial value that is recorded in the audit_context 1755 * 1756 * Also sets the context as auditable. 1757 */ 1758 void auditsc_get_stamp(struct audit_context *ctx, 1759 struct timespec *t, unsigned int *serial) 1760 { 1761 if (!ctx->serial) 1762 ctx->serial = audit_serial(); 1763 t->tv_sec = ctx->ctime.tv_sec; 1764 t->tv_nsec = ctx->ctime.tv_nsec; 1765 *serial = ctx->serial; 1766 ctx->auditable = 1; 1767 } 1768 1769 /** 1770 * audit_set_loginuid - set a task's audit_context loginuid 1771 * @task: task whose audit context is being modified 1772 * @loginuid: loginuid value 1773 * 1774 * Returns 0. 1775 * 1776 * Called (set) from fs/proc/base.c::proc_loginuid_write(). 1777 */ 1778 int audit_set_loginuid(struct task_struct *task, uid_t loginuid) 1779 { 1780 struct audit_context *context = task->audit_context; 1781 1782 if (context) { 1783 /* Only log if audit is enabled */ 1784 if (context->in_syscall) { 1785 struct audit_buffer *ab; 1786 1787 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN); 1788 if (ab) { 1789 audit_log_format(ab, "login pid=%d uid=%u " 1790 "old auid=%u new auid=%u", 1791 task->pid, task->uid, 1792 context->loginuid, loginuid); 1793 audit_log_end(ab); 1794 } 1795 } 1796 context->loginuid = loginuid; 1797 } 1798 return 0; 1799 } 1800 1801 /** 1802 * audit_get_loginuid - get the loginuid for an audit_context 1803 * @ctx: the audit_context 1804 * 1805 * Returns the context's loginuid or -1 if @ctx is NULL. 1806 */ 1807 uid_t audit_get_loginuid(struct audit_context *ctx) 1808 { 1809 return ctx ? ctx->loginuid : -1; 1810 } 1811 1812 EXPORT_SYMBOL(audit_get_loginuid); 1813 1814 /** 1815 * __audit_mq_open - record audit data for a POSIX MQ open 1816 * @oflag: open flag 1817 * @mode: mode bits 1818 * @u_attr: queue attributes 1819 * 1820 * Returns 0 for success or NULL context or < 0 on error. 1821 */ 1822 int __audit_mq_open(int oflag, mode_t mode, struct mq_attr __user *u_attr) 1823 { 1824 struct audit_aux_data_mq_open *ax; 1825 struct audit_context *context = current->audit_context; 1826 1827 if (!audit_enabled) 1828 return 0; 1829 1830 if (likely(!context)) 1831 return 0; 1832 1833 ax = kmalloc(sizeof(*ax), GFP_ATOMIC); 1834 if (!ax) 1835 return -ENOMEM; 1836 1837 if (u_attr != NULL) { 1838 if (copy_from_user(&ax->attr, u_attr, sizeof(ax->attr))) { 1839 kfree(ax); 1840 return -EFAULT; 1841 } 1842 } else 1843 memset(&ax->attr, 0, sizeof(ax->attr)); 1844 1845 ax->oflag = oflag; 1846 ax->mode = mode; 1847 1848 ax->d.type = AUDIT_MQ_OPEN; 1849 ax->d.next = context->aux; 1850 context->aux = (void *)ax; 1851 return 0; 1852 } 1853 1854 /** 1855 * __audit_mq_timedsend - record audit data for a POSIX MQ timed send 1856 * @mqdes: MQ descriptor 1857 * @msg_len: Message length 1858 * @msg_prio: Message priority 1859 * @u_abs_timeout: Message timeout in absolute time 1860 * 1861 * Returns 0 for success or NULL context or < 0 on error. 1862 */ 1863 int __audit_mq_timedsend(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, 1864 const struct timespec __user *u_abs_timeout) 1865 { 1866 struct audit_aux_data_mq_sendrecv *ax; 1867 struct audit_context *context = current->audit_context; 1868 1869 if (!audit_enabled) 1870 return 0; 1871 1872 if (likely(!context)) 1873 return 0; 1874 1875 ax = kmalloc(sizeof(*ax), GFP_ATOMIC); 1876 if (!ax) 1877 return -ENOMEM; 1878 1879 if (u_abs_timeout != NULL) { 1880 if (copy_from_user(&ax->abs_timeout, u_abs_timeout, sizeof(ax->abs_timeout))) { 1881 kfree(ax); 1882 return -EFAULT; 1883 } 1884 } else 1885 memset(&ax->abs_timeout, 0, sizeof(ax->abs_timeout)); 1886 1887 ax->mqdes = mqdes; 1888 ax->msg_len = msg_len; 1889 ax->msg_prio = msg_prio; 1890 1891 ax->d.type = AUDIT_MQ_SENDRECV; 1892 ax->d.next = context->aux; 1893 context->aux = (void *)ax; 1894 return 0; 1895 } 1896 1897 /** 1898 * __audit_mq_timedreceive - record audit data for a POSIX MQ timed receive 1899 * @mqdes: MQ descriptor 1900 * @msg_len: Message length 1901 * @u_msg_prio: Message priority 1902 * @u_abs_timeout: Message timeout in absolute time 1903 * 1904 * Returns 0 for success or NULL context or < 0 on error. 1905 */ 1906 int __audit_mq_timedreceive(mqd_t mqdes, size_t msg_len, 1907 unsigned int __user *u_msg_prio, 1908 const struct timespec __user *u_abs_timeout) 1909 { 1910 struct audit_aux_data_mq_sendrecv *ax; 1911 struct audit_context *context = current->audit_context; 1912 1913 if (!audit_enabled) 1914 return 0; 1915 1916 if (likely(!context)) 1917 return 0; 1918 1919 ax = kmalloc(sizeof(*ax), GFP_ATOMIC); 1920 if (!ax) 1921 return -ENOMEM; 1922 1923 if (u_msg_prio != NULL) { 1924 if (get_user(ax->msg_prio, u_msg_prio)) { 1925 kfree(ax); 1926 return -EFAULT; 1927 } 1928 } else 1929 ax->msg_prio = 0; 1930 1931 if (u_abs_timeout != NULL) { 1932 if (copy_from_user(&ax->abs_timeout, u_abs_timeout, sizeof(ax->abs_timeout))) { 1933 kfree(ax); 1934 return -EFAULT; 1935 } 1936 } else 1937 memset(&ax->abs_timeout, 0, sizeof(ax->abs_timeout)); 1938 1939 ax->mqdes = mqdes; 1940 ax->msg_len = msg_len; 1941 1942 ax->d.type = AUDIT_MQ_SENDRECV; 1943 ax->d.next = context->aux; 1944 context->aux = (void *)ax; 1945 return 0; 1946 } 1947 1948 /** 1949 * __audit_mq_notify - record audit data for a POSIX MQ notify 1950 * @mqdes: MQ descriptor 1951 * @u_notification: Notification event 1952 * 1953 * Returns 0 for success or NULL context or < 0 on error. 1954 */ 1955 1956 int __audit_mq_notify(mqd_t mqdes, const struct sigevent __user *u_notification) 1957 { 1958 struct audit_aux_data_mq_notify *ax; 1959 struct audit_context *context = current->audit_context; 1960 1961 if (!audit_enabled) 1962 return 0; 1963 1964 if (likely(!context)) 1965 return 0; 1966 1967 ax = kmalloc(sizeof(*ax), GFP_ATOMIC); 1968 if (!ax) 1969 return -ENOMEM; 1970 1971 if (u_notification != NULL) { 1972 if (copy_from_user(&ax->notification, u_notification, sizeof(ax->notification))) { 1973 kfree(ax); 1974 return -EFAULT; 1975 } 1976 } else 1977 memset(&ax->notification, 0, sizeof(ax->notification)); 1978 1979 ax->mqdes = mqdes; 1980 1981 ax->d.type = AUDIT_MQ_NOTIFY; 1982 ax->d.next = context->aux; 1983 context->aux = (void *)ax; 1984 return 0; 1985 } 1986 1987 /** 1988 * __audit_mq_getsetattr - record audit data for a POSIX MQ get/set attribute 1989 * @mqdes: MQ descriptor 1990 * @mqstat: MQ flags 1991 * 1992 * Returns 0 for success or NULL context or < 0 on error. 1993 */ 1994 int __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat) 1995 { 1996 struct audit_aux_data_mq_getsetattr *ax; 1997 struct audit_context *context = current->audit_context; 1998 1999 if (!audit_enabled) 2000 return 0; 2001 2002 if (likely(!context)) 2003 return 0; 2004 2005 ax = kmalloc(sizeof(*ax), GFP_ATOMIC); 2006 if (!ax) 2007 return -ENOMEM; 2008 2009 ax->mqdes = mqdes; 2010 ax->mqstat = *mqstat; 2011 2012 ax->d.type = AUDIT_MQ_GETSETATTR; 2013 ax->d.next = context->aux; 2014 context->aux = (void *)ax; 2015 return 0; 2016 } 2017 2018 /** 2019 * audit_ipc_obj - record audit data for ipc object 2020 * @ipcp: ipc permissions 2021 * 2022 * Returns 0 for success or NULL context or < 0 on error. 2023 */ 2024 int __audit_ipc_obj(struct kern_ipc_perm *ipcp) 2025 { 2026 struct audit_aux_data_ipcctl *ax; 2027 struct audit_context *context = current->audit_context; 2028 2029 ax = kmalloc(sizeof(*ax), GFP_ATOMIC); 2030 if (!ax) 2031 return -ENOMEM; 2032 2033 ax->uid = ipcp->uid; 2034 ax->gid = ipcp->gid; 2035 ax->mode = ipcp->mode; 2036 selinux_get_ipc_sid(ipcp, &ax->osid); 2037 2038 ax->d.type = AUDIT_IPC; 2039 ax->d.next = context->aux; 2040 context->aux = (void *)ax; 2041 return 0; 2042 } 2043 2044 /** 2045 * audit_ipc_set_perm - record audit data for new ipc permissions 2046 * @qbytes: msgq bytes 2047 * @uid: msgq user id 2048 * @gid: msgq group id 2049 * @mode: msgq mode (permissions) 2050 * 2051 * Returns 0 for success or NULL context or < 0 on error. 2052 */ 2053 int __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode) 2054 { 2055 struct audit_aux_data_ipcctl *ax; 2056 struct audit_context *context = current->audit_context; 2057 2058 ax = kmalloc(sizeof(*ax), GFP_ATOMIC); 2059 if (!ax) 2060 return -ENOMEM; 2061 2062 ax->qbytes = qbytes; 2063 ax->uid = uid; 2064 ax->gid = gid; 2065 ax->mode = mode; 2066 2067 ax->d.type = AUDIT_IPC_SET_PERM; 2068 ax->d.next = context->aux; 2069 context->aux = (void *)ax; 2070 return 0; 2071 } 2072 2073 int audit_argv_kb = 32; 2074 2075 int audit_bprm(struct linux_binprm *bprm) 2076 { 2077 struct audit_aux_data_execve *ax; 2078 struct audit_context *context = current->audit_context; 2079 2080 if (likely(!audit_enabled || !context || context->dummy)) 2081 return 0; 2082 2083 /* 2084 * Even though the stack code doesn't limit the arg+env size any more, 2085 * the audit code requires that _all_ arguments be logged in a single 2086 * netlink skb. Hence cap it :-( 2087 */ 2088 if (bprm->argv_len > (audit_argv_kb << 10)) 2089 return -E2BIG; 2090 2091 ax = kmalloc(sizeof(*ax), GFP_KERNEL); 2092 if (!ax) 2093 return -ENOMEM; 2094 2095 ax->argc = bprm->argc; 2096 ax->envc = bprm->envc; 2097 ax->mm = bprm->mm; 2098 ax->d.type = AUDIT_EXECVE; 2099 ax->d.next = context->aux; 2100 context->aux = (void *)ax; 2101 return 0; 2102 } 2103 2104 2105 /** 2106 * audit_socketcall - record audit data for sys_socketcall 2107 * @nargs: number of args 2108 * @args: args array 2109 * 2110 * Returns 0 for success or NULL context or < 0 on error. 2111 */ 2112 int audit_socketcall(int nargs, unsigned long *args) 2113 { 2114 struct audit_aux_data_socketcall *ax; 2115 struct audit_context *context = current->audit_context; 2116 2117 if (likely(!context || context->dummy)) 2118 return 0; 2119 2120 ax = kmalloc(sizeof(*ax) + nargs * sizeof(unsigned long), GFP_KERNEL); 2121 if (!ax) 2122 return -ENOMEM; 2123 2124 ax->nargs = nargs; 2125 memcpy(ax->args, args, nargs * sizeof(unsigned long)); 2126 2127 ax->d.type = AUDIT_SOCKETCALL; 2128 ax->d.next = context->aux; 2129 context->aux = (void *)ax; 2130 return 0; 2131 } 2132 2133 /** 2134 * __audit_fd_pair - record audit data for pipe and socketpair 2135 * @fd1: the first file descriptor 2136 * @fd2: the second file descriptor 2137 * 2138 * Returns 0 for success or NULL context or < 0 on error. 2139 */ 2140 int __audit_fd_pair(int fd1, int fd2) 2141 { 2142 struct audit_context *context = current->audit_context; 2143 struct audit_aux_data_fd_pair *ax; 2144 2145 if (likely(!context)) { 2146 return 0; 2147 } 2148 2149 ax = kmalloc(sizeof(*ax), GFP_KERNEL); 2150 if (!ax) { 2151 return -ENOMEM; 2152 } 2153 2154 ax->fd[0] = fd1; 2155 ax->fd[1] = fd2; 2156 2157 ax->d.type = AUDIT_FD_PAIR; 2158 ax->d.next = context->aux; 2159 context->aux = (void *)ax; 2160 return 0; 2161 } 2162 2163 /** 2164 * audit_sockaddr - record audit data for sys_bind, sys_connect, sys_sendto 2165 * @len: data length in user space 2166 * @a: data address in kernel space 2167 * 2168 * Returns 0 for success or NULL context or < 0 on error. 2169 */ 2170 int audit_sockaddr(int len, void *a) 2171 { 2172 struct audit_aux_data_sockaddr *ax; 2173 struct audit_context *context = current->audit_context; 2174 2175 if (likely(!context || context->dummy)) 2176 return 0; 2177 2178 ax = kmalloc(sizeof(*ax) + len, GFP_KERNEL); 2179 if (!ax) 2180 return -ENOMEM; 2181 2182 ax->len = len; 2183 memcpy(ax->a, a, len); 2184 2185 ax->d.type = AUDIT_SOCKADDR; 2186 ax->d.next = context->aux; 2187 context->aux = (void *)ax; 2188 return 0; 2189 } 2190 2191 void __audit_ptrace(struct task_struct *t) 2192 { 2193 struct audit_context *context = current->audit_context; 2194 2195 context->target_pid = t->pid; 2196 selinux_get_task_sid(t, &context->target_sid); 2197 } 2198 2199 /** 2200 * audit_signal_info - record signal info for shutting down audit subsystem 2201 * @sig: signal value 2202 * @t: task being signaled 2203 * 2204 * If the audit subsystem is being terminated, record the task (pid) 2205 * and uid that is doing that. 2206 */ 2207 int __audit_signal_info(int sig, struct task_struct *t) 2208 { 2209 struct audit_aux_data_pids *axp; 2210 struct task_struct *tsk = current; 2211 struct audit_context *ctx = tsk->audit_context; 2212 extern pid_t audit_sig_pid; 2213 extern uid_t audit_sig_uid; 2214 extern u32 audit_sig_sid; 2215 2216 if (audit_pid && t->tgid == audit_pid) { 2217 if (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1) { 2218 audit_sig_pid = tsk->pid; 2219 if (ctx) 2220 audit_sig_uid = ctx->loginuid; 2221 else 2222 audit_sig_uid = tsk->uid; 2223 selinux_get_task_sid(tsk, &audit_sig_sid); 2224 } 2225 if (!audit_signals || audit_dummy_context()) 2226 return 0; 2227 } 2228 2229 /* optimize the common case by putting first signal recipient directly 2230 * in audit_context */ 2231 if (!ctx->target_pid) { 2232 ctx->target_pid = t->tgid; 2233 selinux_get_task_sid(t, &ctx->target_sid); 2234 return 0; 2235 } 2236 2237 axp = (void *)ctx->aux_pids; 2238 if (!axp || axp->pid_count == AUDIT_AUX_PIDS) { 2239 axp = kzalloc(sizeof(*axp), GFP_ATOMIC); 2240 if (!axp) 2241 return -ENOMEM; 2242 2243 axp->d.type = AUDIT_OBJ_PID; 2244 axp->d.next = ctx->aux_pids; 2245 ctx->aux_pids = (void *)axp; 2246 } 2247 BUG_ON(axp->pid_count >= AUDIT_AUX_PIDS); 2248 2249 axp->target_pid[axp->pid_count] = t->tgid; 2250 selinux_get_task_sid(t, &axp->target_sid[axp->pid_count]); 2251 axp->pid_count++; 2252 2253 return 0; 2254 } 2255 2256 /** 2257 * audit_core_dumps - record information about processes that end abnormally 2258 * @signr: signal value 2259 * 2260 * If a process ends with a core dump, something fishy is going on and we 2261 * should record the event for investigation. 2262 */ 2263 void audit_core_dumps(long signr) 2264 { 2265 struct audit_buffer *ab; 2266 u32 sid; 2267 2268 if (!audit_enabled) 2269 return; 2270 2271 if (signr == SIGQUIT) /* don't care for those */ 2272 return; 2273 2274 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND); 2275 audit_log_format(ab, "auid=%u uid=%u gid=%u", 2276 audit_get_loginuid(current->audit_context), 2277 current->uid, current->gid); 2278 selinux_get_task_sid(current, &sid); 2279 if (sid) { 2280 char *ctx = NULL; 2281 u32 len; 2282 2283 if (selinux_sid_to_string(sid, &ctx, &len)) 2284 audit_log_format(ab, " ssid=%u", sid); 2285 else 2286 audit_log_format(ab, " subj=%s", ctx); 2287 kfree(ctx); 2288 } 2289 audit_log_format(ab, " pid=%d comm=", current->pid); 2290 audit_log_untrustedstring(ab, current->comm); 2291 audit_log_format(ab, " sig=%ld", signr); 2292 audit_log_end(ab); 2293 } 2294