1 /* auditsc.c -- System-call auditing support 2 * Handles all system-call specific auditing features. 3 * 4 * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina. 5 * Copyright 2005 Hewlett-Packard Development Company, L.P. 6 * Copyright (C) 2005, 2006 IBM Corporation 7 * All Rights Reserved. 8 * 9 * This program is free software; you can redistribute it and/or modify 10 * it under the terms of the GNU General Public License as published by 11 * the Free Software Foundation; either version 2 of the License, or 12 * (at your option) any later version. 13 * 14 * This program is distributed in the hope that it will be useful, 15 * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 * GNU General Public License for more details. 18 * 19 * You should have received a copy of the GNU General Public License 20 * along with this program; if not, write to the Free Software 21 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 22 * 23 * Written by Rickard E. (Rik) Faith <faith@redhat.com> 24 * 25 * Many of the ideas implemented here are from Stephen C. Tweedie, 26 * especially the idea of avoiding a copy by using getname. 27 * 28 * The method for actual interception of syscall entry and exit (not in 29 * this file -- see entry.S) is based on a GPL'd patch written by 30 * okir@suse.de and Copyright 2003 SuSE Linux AG. 31 * 32 * POSIX message queue support added by George Wilson <ltcgcw@us.ibm.com>, 33 * 2006. 34 * 35 * The support of additional filter rules compares (>, <, >=, <=) was 36 * added by Dustin Kirkland <dustin.kirkland@us.ibm.com>, 2005. 37 * 38 * Modified by Amy Griffis <amy.griffis@hp.com> to collect additional 39 * filesystem information. 40 * 41 * Subject and object context labeling support added by <danjones@us.ibm.com> 42 * and <dustin.kirkland@us.ibm.com> for LSPP certification compliance. 43 */ 44 45 #include <linux/init.h> 46 #include <asm/types.h> 47 #include <asm/atomic.h> 48 #include <linux/fs.h> 49 #include <linux/namei.h> 50 #include <linux/mm.h> 51 #include <linux/module.h> 52 #include <linux/mount.h> 53 #include <linux/socket.h> 54 #include <linux/mqueue.h> 55 #include <linux/audit.h> 56 #include <linux/personality.h> 57 #include <linux/time.h> 58 #include <linux/netlink.h> 59 #include <linux/compiler.h> 60 #include <asm/unistd.h> 61 #include <linux/security.h> 62 #include <linux/list.h> 63 #include <linux/tty.h> 64 #include <linux/selinux.h> 65 #include <linux/binfmts.h> 66 #include <linux/highmem.h> 67 #include <linux/syscalls.h> 68 #include <linux/inotify.h> 69 70 #include "audit.h" 71 72 extern struct list_head audit_filter_list[]; 73 extern int audit_ever_enabled; 74 75 /* AUDIT_NAMES is the number of slots we reserve in the audit_context 76 * for saving names from getname(). */ 77 #define AUDIT_NAMES 20 78 79 /* Indicates that audit should log the full pathname. */ 80 #define AUDIT_NAME_FULL -1 81 82 /* no execve audit message should be longer than this (userspace limits) */ 83 #define MAX_EXECVE_AUDIT_LEN 7500 84 85 /* number of audit rules */ 86 int audit_n_rules; 87 88 /* determines whether we collect data for signals sent */ 89 int audit_signals; 90 91 /* When fs/namei.c:getname() is called, we store the pointer in name and 92 * we don't let putname() free it (instead we free all of the saved 93 * pointers at syscall exit time). 94 * 95 * Further, in fs/namei.c:path_lookup() we store the inode and device. */ 96 struct audit_names { 97 const char *name; 98 int name_len; /* number of name's characters to log */ 99 unsigned name_put; /* call __putname() for this name */ 100 unsigned long ino; 101 dev_t dev; 102 umode_t mode; 103 uid_t uid; 104 gid_t gid; 105 dev_t rdev; 106 u32 osid; 107 }; 108 109 struct audit_aux_data { 110 struct audit_aux_data *next; 111 int type; 112 }; 113 114 #define AUDIT_AUX_IPCPERM 0 115 116 /* Number of target pids per aux struct. */ 117 #define AUDIT_AUX_PIDS 16 118 119 struct audit_aux_data_mq_open { 120 struct audit_aux_data d; 121 int oflag; 122 mode_t mode; 123 struct mq_attr attr; 124 }; 125 126 struct audit_aux_data_mq_sendrecv { 127 struct audit_aux_data d; 128 mqd_t mqdes; 129 size_t msg_len; 130 unsigned int msg_prio; 131 struct timespec abs_timeout; 132 }; 133 134 struct audit_aux_data_mq_notify { 135 struct audit_aux_data d; 136 mqd_t mqdes; 137 struct sigevent notification; 138 }; 139 140 struct audit_aux_data_mq_getsetattr { 141 struct audit_aux_data d; 142 mqd_t mqdes; 143 struct mq_attr mqstat; 144 }; 145 146 struct audit_aux_data_ipcctl { 147 struct audit_aux_data d; 148 struct ipc_perm p; 149 unsigned long qbytes; 150 uid_t uid; 151 gid_t gid; 152 mode_t mode; 153 u32 osid; 154 }; 155 156 struct audit_aux_data_execve { 157 struct audit_aux_data d; 158 int argc; 159 int envc; 160 struct mm_struct *mm; 161 }; 162 163 struct audit_aux_data_socketcall { 164 struct audit_aux_data d; 165 int nargs; 166 unsigned long args[0]; 167 }; 168 169 struct audit_aux_data_sockaddr { 170 struct audit_aux_data d; 171 int len; 172 char a[0]; 173 }; 174 175 struct audit_aux_data_fd_pair { 176 struct audit_aux_data d; 177 int fd[2]; 178 }; 179 180 struct audit_aux_data_pids { 181 struct audit_aux_data d; 182 pid_t target_pid[AUDIT_AUX_PIDS]; 183 uid_t target_auid[AUDIT_AUX_PIDS]; 184 uid_t target_uid[AUDIT_AUX_PIDS]; 185 unsigned int target_sessionid[AUDIT_AUX_PIDS]; 186 u32 target_sid[AUDIT_AUX_PIDS]; 187 char target_comm[AUDIT_AUX_PIDS][TASK_COMM_LEN]; 188 int pid_count; 189 }; 190 191 struct audit_tree_refs { 192 struct audit_tree_refs *next; 193 struct audit_chunk *c[31]; 194 }; 195 196 /* The per-task audit context. */ 197 struct audit_context { 198 int dummy; /* must be the first element */ 199 int in_syscall; /* 1 if task is in a syscall */ 200 enum audit_state state; 201 unsigned int serial; /* serial number for record */ 202 struct timespec ctime; /* time of syscall entry */ 203 int major; /* syscall number */ 204 unsigned long argv[4]; /* syscall arguments */ 205 int return_valid; /* return code is valid */ 206 long return_code;/* syscall return code */ 207 int auditable; /* 1 if record should be written */ 208 int name_count; 209 struct audit_names names[AUDIT_NAMES]; 210 char * filterkey; /* key for rule that triggered record */ 211 struct dentry * pwd; 212 struct vfsmount * pwdmnt; 213 struct audit_context *previous; /* For nested syscalls */ 214 struct audit_aux_data *aux; 215 struct audit_aux_data *aux_pids; 216 217 /* Save things to print about task_struct */ 218 pid_t pid, ppid; 219 uid_t uid, euid, suid, fsuid; 220 gid_t gid, egid, sgid, fsgid; 221 unsigned long personality; 222 int arch; 223 224 pid_t target_pid; 225 uid_t target_auid; 226 uid_t target_uid; 227 unsigned int target_sessionid; 228 u32 target_sid; 229 char target_comm[TASK_COMM_LEN]; 230 231 struct audit_tree_refs *trees, *first_trees; 232 int tree_count; 233 234 #if AUDIT_DEBUG 235 int put_count; 236 int ino_count; 237 #endif 238 }; 239 240 #define ACC_MODE(x) ("\004\002\006\006"[(x)&O_ACCMODE]) 241 static inline int open_arg(int flags, int mask) 242 { 243 int n = ACC_MODE(flags); 244 if (flags & (O_TRUNC | O_CREAT)) 245 n |= AUDIT_PERM_WRITE; 246 return n & mask; 247 } 248 249 static int audit_match_perm(struct audit_context *ctx, int mask) 250 { 251 unsigned n = ctx->major; 252 switch (audit_classify_syscall(ctx->arch, n)) { 253 case 0: /* native */ 254 if ((mask & AUDIT_PERM_WRITE) && 255 audit_match_class(AUDIT_CLASS_WRITE, n)) 256 return 1; 257 if ((mask & AUDIT_PERM_READ) && 258 audit_match_class(AUDIT_CLASS_READ, n)) 259 return 1; 260 if ((mask & AUDIT_PERM_ATTR) && 261 audit_match_class(AUDIT_CLASS_CHATTR, n)) 262 return 1; 263 return 0; 264 case 1: /* 32bit on biarch */ 265 if ((mask & AUDIT_PERM_WRITE) && 266 audit_match_class(AUDIT_CLASS_WRITE_32, n)) 267 return 1; 268 if ((mask & AUDIT_PERM_READ) && 269 audit_match_class(AUDIT_CLASS_READ_32, n)) 270 return 1; 271 if ((mask & AUDIT_PERM_ATTR) && 272 audit_match_class(AUDIT_CLASS_CHATTR_32, n)) 273 return 1; 274 return 0; 275 case 2: /* open */ 276 return mask & ACC_MODE(ctx->argv[1]); 277 case 3: /* openat */ 278 return mask & ACC_MODE(ctx->argv[2]); 279 case 4: /* socketcall */ 280 return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND); 281 case 5: /* execve */ 282 return mask & AUDIT_PERM_EXEC; 283 default: 284 return 0; 285 } 286 } 287 288 /* 289 * We keep a linked list of fixed-sized (31 pointer) arrays of audit_chunk *; 290 * ->first_trees points to its beginning, ->trees - to the current end of data. 291 * ->tree_count is the number of free entries in array pointed to by ->trees. 292 * Original condition is (NULL, NULL, 0); as soon as it grows we never revert to NULL, 293 * "empty" becomes (p, p, 31) afterwards. We don't shrink the list (and seriously, 294 * it's going to remain 1-element for almost any setup) until we free context itself. 295 * References in it _are_ dropped - at the same time we free/drop aux stuff. 296 */ 297 298 #ifdef CONFIG_AUDIT_TREE 299 static int put_tree_ref(struct audit_context *ctx, struct audit_chunk *chunk) 300 { 301 struct audit_tree_refs *p = ctx->trees; 302 int left = ctx->tree_count; 303 if (likely(left)) { 304 p->c[--left] = chunk; 305 ctx->tree_count = left; 306 return 1; 307 } 308 if (!p) 309 return 0; 310 p = p->next; 311 if (p) { 312 p->c[30] = chunk; 313 ctx->trees = p; 314 ctx->tree_count = 30; 315 return 1; 316 } 317 return 0; 318 } 319 320 static int grow_tree_refs(struct audit_context *ctx) 321 { 322 struct audit_tree_refs *p = ctx->trees; 323 ctx->trees = kzalloc(sizeof(struct audit_tree_refs), GFP_KERNEL); 324 if (!ctx->trees) { 325 ctx->trees = p; 326 return 0; 327 } 328 if (p) 329 p->next = ctx->trees; 330 else 331 ctx->first_trees = ctx->trees; 332 ctx->tree_count = 31; 333 return 1; 334 } 335 #endif 336 337 static void unroll_tree_refs(struct audit_context *ctx, 338 struct audit_tree_refs *p, int count) 339 { 340 #ifdef CONFIG_AUDIT_TREE 341 struct audit_tree_refs *q; 342 int n; 343 if (!p) { 344 /* we started with empty chain */ 345 p = ctx->first_trees; 346 count = 31; 347 /* if the very first allocation has failed, nothing to do */ 348 if (!p) 349 return; 350 } 351 n = count; 352 for (q = p; q != ctx->trees; q = q->next, n = 31) { 353 while (n--) { 354 audit_put_chunk(q->c[n]); 355 q->c[n] = NULL; 356 } 357 } 358 while (n-- > ctx->tree_count) { 359 audit_put_chunk(q->c[n]); 360 q->c[n] = NULL; 361 } 362 ctx->trees = p; 363 ctx->tree_count = count; 364 #endif 365 } 366 367 static void free_tree_refs(struct audit_context *ctx) 368 { 369 struct audit_tree_refs *p, *q; 370 for (p = ctx->first_trees; p; p = q) { 371 q = p->next; 372 kfree(p); 373 } 374 } 375 376 static int match_tree_refs(struct audit_context *ctx, struct audit_tree *tree) 377 { 378 #ifdef CONFIG_AUDIT_TREE 379 struct audit_tree_refs *p; 380 int n; 381 if (!tree) 382 return 0; 383 /* full ones */ 384 for (p = ctx->first_trees; p != ctx->trees; p = p->next) { 385 for (n = 0; n < 31; n++) 386 if (audit_tree_match(p->c[n], tree)) 387 return 1; 388 } 389 /* partial */ 390 if (p) { 391 for (n = ctx->tree_count; n < 31; n++) 392 if (audit_tree_match(p->c[n], tree)) 393 return 1; 394 } 395 #endif 396 return 0; 397 } 398 399 /* Determine if any context name data matches a rule's watch data */ 400 /* Compare a task_struct with an audit_rule. Return 1 on match, 0 401 * otherwise. */ 402 static int audit_filter_rules(struct task_struct *tsk, 403 struct audit_krule *rule, 404 struct audit_context *ctx, 405 struct audit_names *name, 406 enum audit_state *state) 407 { 408 int i, j, need_sid = 1; 409 u32 sid; 410 411 for (i = 0; i < rule->field_count; i++) { 412 struct audit_field *f = &rule->fields[i]; 413 int result = 0; 414 415 switch (f->type) { 416 case AUDIT_PID: 417 result = audit_comparator(tsk->pid, f->op, f->val); 418 break; 419 case AUDIT_PPID: 420 if (ctx) { 421 if (!ctx->ppid) 422 ctx->ppid = sys_getppid(); 423 result = audit_comparator(ctx->ppid, f->op, f->val); 424 } 425 break; 426 case AUDIT_UID: 427 result = audit_comparator(tsk->uid, f->op, f->val); 428 break; 429 case AUDIT_EUID: 430 result = audit_comparator(tsk->euid, f->op, f->val); 431 break; 432 case AUDIT_SUID: 433 result = audit_comparator(tsk->suid, f->op, f->val); 434 break; 435 case AUDIT_FSUID: 436 result = audit_comparator(tsk->fsuid, f->op, f->val); 437 break; 438 case AUDIT_GID: 439 result = audit_comparator(tsk->gid, f->op, f->val); 440 break; 441 case AUDIT_EGID: 442 result = audit_comparator(tsk->egid, f->op, f->val); 443 break; 444 case AUDIT_SGID: 445 result = audit_comparator(tsk->sgid, f->op, f->val); 446 break; 447 case AUDIT_FSGID: 448 result = audit_comparator(tsk->fsgid, f->op, f->val); 449 break; 450 case AUDIT_PERS: 451 result = audit_comparator(tsk->personality, f->op, f->val); 452 break; 453 case AUDIT_ARCH: 454 if (ctx) 455 result = audit_comparator(ctx->arch, f->op, f->val); 456 break; 457 458 case AUDIT_EXIT: 459 if (ctx && ctx->return_valid) 460 result = audit_comparator(ctx->return_code, f->op, f->val); 461 break; 462 case AUDIT_SUCCESS: 463 if (ctx && ctx->return_valid) { 464 if (f->val) 465 result = audit_comparator(ctx->return_valid, f->op, AUDITSC_SUCCESS); 466 else 467 result = audit_comparator(ctx->return_valid, f->op, AUDITSC_FAILURE); 468 } 469 break; 470 case AUDIT_DEVMAJOR: 471 if (name) 472 result = audit_comparator(MAJOR(name->dev), 473 f->op, f->val); 474 else if (ctx) { 475 for (j = 0; j < ctx->name_count; j++) { 476 if (audit_comparator(MAJOR(ctx->names[j].dev), f->op, f->val)) { 477 ++result; 478 break; 479 } 480 } 481 } 482 break; 483 case AUDIT_DEVMINOR: 484 if (name) 485 result = audit_comparator(MINOR(name->dev), 486 f->op, f->val); 487 else if (ctx) { 488 for (j = 0; j < ctx->name_count; j++) { 489 if (audit_comparator(MINOR(ctx->names[j].dev), f->op, f->val)) { 490 ++result; 491 break; 492 } 493 } 494 } 495 break; 496 case AUDIT_INODE: 497 if (name) 498 result = (name->ino == f->val); 499 else if (ctx) { 500 for (j = 0; j < ctx->name_count; j++) { 501 if (audit_comparator(ctx->names[j].ino, f->op, f->val)) { 502 ++result; 503 break; 504 } 505 } 506 } 507 break; 508 case AUDIT_WATCH: 509 if (name && rule->watch->ino != (unsigned long)-1) 510 result = (name->dev == rule->watch->dev && 511 name->ino == rule->watch->ino); 512 break; 513 case AUDIT_DIR: 514 if (ctx) 515 result = match_tree_refs(ctx, rule->tree); 516 break; 517 case AUDIT_LOGINUID: 518 result = 0; 519 if (ctx) 520 result = audit_comparator(tsk->loginuid, f->op, f->val); 521 break; 522 case AUDIT_SUBJ_USER: 523 case AUDIT_SUBJ_ROLE: 524 case AUDIT_SUBJ_TYPE: 525 case AUDIT_SUBJ_SEN: 526 case AUDIT_SUBJ_CLR: 527 /* NOTE: this may return negative values indicating 528 a temporary error. We simply treat this as a 529 match for now to avoid losing information that 530 may be wanted. An error message will also be 531 logged upon error */ 532 if (f->se_rule) { 533 if (need_sid) { 534 selinux_get_task_sid(tsk, &sid); 535 need_sid = 0; 536 } 537 result = selinux_audit_rule_match(sid, f->type, 538 f->op, 539 f->se_rule, 540 ctx); 541 } 542 break; 543 case AUDIT_OBJ_USER: 544 case AUDIT_OBJ_ROLE: 545 case AUDIT_OBJ_TYPE: 546 case AUDIT_OBJ_LEV_LOW: 547 case AUDIT_OBJ_LEV_HIGH: 548 /* The above note for AUDIT_SUBJ_USER...AUDIT_SUBJ_CLR 549 also applies here */ 550 if (f->se_rule) { 551 /* Find files that match */ 552 if (name) { 553 result = selinux_audit_rule_match( 554 name->osid, f->type, f->op, 555 f->se_rule, ctx); 556 } else if (ctx) { 557 for (j = 0; j < ctx->name_count; j++) { 558 if (selinux_audit_rule_match( 559 ctx->names[j].osid, 560 f->type, f->op, 561 f->se_rule, ctx)) { 562 ++result; 563 break; 564 } 565 } 566 } 567 /* Find ipc objects that match */ 568 if (ctx) { 569 struct audit_aux_data *aux; 570 for (aux = ctx->aux; aux; 571 aux = aux->next) { 572 if (aux->type == AUDIT_IPC) { 573 struct audit_aux_data_ipcctl *axi = (void *)aux; 574 if (selinux_audit_rule_match(axi->osid, f->type, f->op, f->se_rule, ctx)) { 575 ++result; 576 break; 577 } 578 } 579 } 580 } 581 } 582 break; 583 case AUDIT_ARG0: 584 case AUDIT_ARG1: 585 case AUDIT_ARG2: 586 case AUDIT_ARG3: 587 if (ctx) 588 result = audit_comparator(ctx->argv[f->type-AUDIT_ARG0], f->op, f->val); 589 break; 590 case AUDIT_FILTERKEY: 591 /* ignore this field for filtering */ 592 result = 1; 593 break; 594 case AUDIT_PERM: 595 result = audit_match_perm(ctx, f->val); 596 break; 597 } 598 599 if (!result) 600 return 0; 601 } 602 if (rule->filterkey) 603 ctx->filterkey = kstrdup(rule->filterkey, GFP_ATOMIC); 604 switch (rule->action) { 605 case AUDIT_NEVER: *state = AUDIT_DISABLED; break; 606 case AUDIT_ALWAYS: *state = AUDIT_RECORD_CONTEXT; break; 607 } 608 return 1; 609 } 610 611 /* At process creation time, we can determine if system-call auditing is 612 * completely disabled for this task. Since we only have the task 613 * structure at this point, we can only check uid and gid. 614 */ 615 static enum audit_state audit_filter_task(struct task_struct *tsk) 616 { 617 struct audit_entry *e; 618 enum audit_state state; 619 620 rcu_read_lock(); 621 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TASK], list) { 622 if (audit_filter_rules(tsk, &e->rule, NULL, NULL, &state)) { 623 rcu_read_unlock(); 624 return state; 625 } 626 } 627 rcu_read_unlock(); 628 return AUDIT_BUILD_CONTEXT; 629 } 630 631 /* At syscall entry and exit time, this filter is called if the 632 * audit_state is not low enough that auditing cannot take place, but is 633 * also not high enough that we already know we have to write an audit 634 * record (i.e., the state is AUDIT_SETUP_CONTEXT or AUDIT_BUILD_CONTEXT). 635 */ 636 static enum audit_state audit_filter_syscall(struct task_struct *tsk, 637 struct audit_context *ctx, 638 struct list_head *list) 639 { 640 struct audit_entry *e; 641 enum audit_state state; 642 643 if (audit_pid && tsk->tgid == audit_pid) 644 return AUDIT_DISABLED; 645 646 rcu_read_lock(); 647 if (!list_empty(list)) { 648 int word = AUDIT_WORD(ctx->major); 649 int bit = AUDIT_BIT(ctx->major); 650 651 list_for_each_entry_rcu(e, list, list) { 652 if ((e->rule.mask[word] & bit) == bit && 653 audit_filter_rules(tsk, &e->rule, ctx, NULL, 654 &state)) { 655 rcu_read_unlock(); 656 return state; 657 } 658 } 659 } 660 rcu_read_unlock(); 661 return AUDIT_BUILD_CONTEXT; 662 } 663 664 /* At syscall exit time, this filter is called if any audit_names[] have been 665 * collected during syscall processing. We only check rules in sublists at hash 666 * buckets applicable to the inode numbers in audit_names[]. 667 * Regarding audit_state, same rules apply as for audit_filter_syscall(). 668 */ 669 enum audit_state audit_filter_inodes(struct task_struct *tsk, 670 struct audit_context *ctx) 671 { 672 int i; 673 struct audit_entry *e; 674 enum audit_state state; 675 676 if (audit_pid && tsk->tgid == audit_pid) 677 return AUDIT_DISABLED; 678 679 rcu_read_lock(); 680 for (i = 0; i < ctx->name_count; i++) { 681 int word = AUDIT_WORD(ctx->major); 682 int bit = AUDIT_BIT(ctx->major); 683 struct audit_names *n = &ctx->names[i]; 684 int h = audit_hash_ino((u32)n->ino); 685 struct list_head *list = &audit_inode_hash[h]; 686 687 if (list_empty(list)) 688 continue; 689 690 list_for_each_entry_rcu(e, list, list) { 691 if ((e->rule.mask[word] & bit) == bit && 692 audit_filter_rules(tsk, &e->rule, ctx, n, &state)) { 693 rcu_read_unlock(); 694 return state; 695 } 696 } 697 } 698 rcu_read_unlock(); 699 return AUDIT_BUILD_CONTEXT; 700 } 701 702 void audit_set_auditable(struct audit_context *ctx) 703 { 704 ctx->auditable = 1; 705 } 706 707 static inline struct audit_context *audit_get_context(struct task_struct *tsk, 708 int return_valid, 709 int return_code) 710 { 711 struct audit_context *context = tsk->audit_context; 712 713 if (likely(!context)) 714 return NULL; 715 context->return_valid = return_valid; 716 717 /* 718 * we need to fix up the return code in the audit logs if the actual 719 * return codes are later going to be fixed up by the arch specific 720 * signal handlers 721 * 722 * This is actually a test for: 723 * (rc == ERESTARTSYS ) || (rc == ERESTARTNOINTR) || 724 * (rc == ERESTARTNOHAND) || (rc == ERESTART_RESTARTBLOCK) 725 * 726 * but is faster than a bunch of || 727 */ 728 if (unlikely(return_code <= -ERESTARTSYS) && 729 (return_code >= -ERESTART_RESTARTBLOCK) && 730 (return_code != -ENOIOCTLCMD)) 731 context->return_code = -EINTR; 732 else 733 context->return_code = return_code; 734 735 if (context->in_syscall && !context->dummy && !context->auditable) { 736 enum audit_state state; 737 738 state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_EXIT]); 739 if (state == AUDIT_RECORD_CONTEXT) { 740 context->auditable = 1; 741 goto get_context; 742 } 743 744 state = audit_filter_inodes(tsk, context); 745 if (state == AUDIT_RECORD_CONTEXT) 746 context->auditable = 1; 747 748 } 749 750 get_context: 751 752 tsk->audit_context = NULL; 753 return context; 754 } 755 756 static inline void audit_free_names(struct audit_context *context) 757 { 758 int i; 759 760 #if AUDIT_DEBUG == 2 761 if (context->auditable 762 ||context->put_count + context->ino_count != context->name_count) { 763 printk(KERN_ERR "%s:%d(:%d): major=%d in_syscall=%d" 764 " name_count=%d put_count=%d" 765 " ino_count=%d [NOT freeing]\n", 766 __FILE__, __LINE__, 767 context->serial, context->major, context->in_syscall, 768 context->name_count, context->put_count, 769 context->ino_count); 770 for (i = 0; i < context->name_count; i++) { 771 printk(KERN_ERR "names[%d] = %p = %s\n", i, 772 context->names[i].name, 773 context->names[i].name ?: "(null)"); 774 } 775 dump_stack(); 776 return; 777 } 778 #endif 779 #if AUDIT_DEBUG 780 context->put_count = 0; 781 context->ino_count = 0; 782 #endif 783 784 for (i = 0; i < context->name_count; i++) { 785 if (context->names[i].name && context->names[i].name_put) 786 __putname(context->names[i].name); 787 } 788 context->name_count = 0; 789 if (context->pwd) 790 dput(context->pwd); 791 if (context->pwdmnt) 792 mntput(context->pwdmnt); 793 context->pwd = NULL; 794 context->pwdmnt = NULL; 795 } 796 797 static inline void audit_free_aux(struct audit_context *context) 798 { 799 struct audit_aux_data *aux; 800 801 while ((aux = context->aux)) { 802 context->aux = aux->next; 803 kfree(aux); 804 } 805 while ((aux = context->aux_pids)) { 806 context->aux_pids = aux->next; 807 kfree(aux); 808 } 809 } 810 811 static inline void audit_zero_context(struct audit_context *context, 812 enum audit_state state) 813 { 814 memset(context, 0, sizeof(*context)); 815 context->state = state; 816 } 817 818 static inline struct audit_context *audit_alloc_context(enum audit_state state) 819 { 820 struct audit_context *context; 821 822 if (!(context = kmalloc(sizeof(*context), GFP_KERNEL))) 823 return NULL; 824 audit_zero_context(context, state); 825 return context; 826 } 827 828 /** 829 * audit_alloc - allocate an audit context block for a task 830 * @tsk: task 831 * 832 * Filter on the task information and allocate a per-task audit context 833 * if necessary. Doing so turns on system call auditing for the 834 * specified task. This is called from copy_process, so no lock is 835 * needed. 836 */ 837 int audit_alloc(struct task_struct *tsk) 838 { 839 struct audit_context *context; 840 enum audit_state state; 841 842 if (likely(!audit_ever_enabled)) 843 return 0; /* Return if not auditing. */ 844 845 state = audit_filter_task(tsk); 846 if (likely(state == AUDIT_DISABLED)) 847 return 0; 848 849 if (!(context = audit_alloc_context(state))) { 850 audit_log_lost("out of memory in audit_alloc"); 851 return -ENOMEM; 852 } 853 854 tsk->audit_context = context; 855 set_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT); 856 return 0; 857 } 858 859 static inline void audit_free_context(struct audit_context *context) 860 { 861 struct audit_context *previous; 862 int count = 0; 863 864 do { 865 previous = context->previous; 866 if (previous || (count && count < 10)) { 867 ++count; 868 printk(KERN_ERR "audit(:%d): major=%d name_count=%d:" 869 " freeing multiple contexts (%d)\n", 870 context->serial, context->major, 871 context->name_count, count); 872 } 873 audit_free_names(context); 874 unroll_tree_refs(context, NULL, 0); 875 free_tree_refs(context); 876 audit_free_aux(context); 877 kfree(context->filterkey); 878 kfree(context); 879 context = previous; 880 } while (context); 881 if (count >= 10) 882 printk(KERN_ERR "audit: freed %d contexts\n", count); 883 } 884 885 void audit_log_task_context(struct audit_buffer *ab) 886 { 887 char *ctx = NULL; 888 unsigned len; 889 int error; 890 u32 sid; 891 892 selinux_get_task_sid(current, &sid); 893 if (!sid) 894 return; 895 896 error = selinux_sid_to_string(sid, &ctx, &len); 897 if (error) { 898 if (error != -EINVAL) 899 goto error_path; 900 return; 901 } 902 903 audit_log_format(ab, " subj=%s", ctx); 904 kfree(ctx); 905 return; 906 907 error_path: 908 audit_panic("error in audit_log_task_context"); 909 return; 910 } 911 912 EXPORT_SYMBOL(audit_log_task_context); 913 914 static void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk) 915 { 916 char name[sizeof(tsk->comm)]; 917 struct mm_struct *mm = tsk->mm; 918 struct vm_area_struct *vma; 919 920 /* tsk == current */ 921 922 get_task_comm(name, tsk); 923 audit_log_format(ab, " comm="); 924 audit_log_untrustedstring(ab, name); 925 926 if (mm) { 927 down_read(&mm->mmap_sem); 928 vma = mm->mmap; 929 while (vma) { 930 if ((vma->vm_flags & VM_EXECUTABLE) && 931 vma->vm_file) { 932 audit_log_d_path(ab, "exe=", 933 vma->vm_file->f_path.dentry, 934 vma->vm_file->f_path.mnt); 935 break; 936 } 937 vma = vma->vm_next; 938 } 939 up_read(&mm->mmap_sem); 940 } 941 audit_log_task_context(ab); 942 } 943 944 static int audit_log_pid_context(struct audit_context *context, pid_t pid, 945 uid_t auid, uid_t uid, unsigned int sessionid, 946 u32 sid, char *comm) 947 { 948 struct audit_buffer *ab; 949 char *s = NULL; 950 u32 len; 951 int rc = 0; 952 953 ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID); 954 if (!ab) 955 return rc; 956 957 audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid, auid, 958 uid, sessionid); 959 if (selinux_sid_to_string(sid, &s, &len)) { 960 audit_log_format(ab, " obj=(none)"); 961 rc = 1; 962 } else 963 audit_log_format(ab, " obj=%s", s); 964 audit_log_format(ab, " ocomm="); 965 audit_log_untrustedstring(ab, comm); 966 audit_log_end(ab); 967 kfree(s); 968 969 return rc; 970 } 971 972 /* 973 * to_send and len_sent accounting are very loose estimates. We aren't 974 * really worried about a hard cap to MAX_EXECVE_AUDIT_LEN so much as being 975 * within about 500 bytes (next page boundry) 976 * 977 * why snprintf? an int is up to 12 digits long. if we just assumed when 978 * logging that a[%d]= was going to be 16 characters long we would be wasting 979 * space in every audit message. In one 7500 byte message we can log up to 980 * about 1000 min size arguments. That comes down to about 50% waste of space 981 * if we didn't do the snprintf to find out how long arg_num_len was. 982 */ 983 static int audit_log_single_execve_arg(struct audit_context *context, 984 struct audit_buffer **ab, 985 int arg_num, 986 size_t *len_sent, 987 const char __user *p, 988 char *buf) 989 { 990 char arg_num_len_buf[12]; 991 const char __user *tmp_p = p; 992 /* how many digits are in arg_num? 3 is the length of a=\n */ 993 size_t arg_num_len = snprintf(arg_num_len_buf, 12, "%d", arg_num) + 3; 994 size_t len, len_left, to_send; 995 size_t max_execve_audit_len = MAX_EXECVE_AUDIT_LEN; 996 unsigned int i, has_cntl = 0, too_long = 0; 997 int ret; 998 999 /* strnlen_user includes the null we don't want to send */ 1000 len_left = len = strnlen_user(p, MAX_ARG_STRLEN) - 1; 1001 1002 /* 1003 * We just created this mm, if we can't find the strings 1004 * we just copied into it something is _very_ wrong. Similar 1005 * for strings that are too long, we should not have created 1006 * any. 1007 */ 1008 if (unlikely((len = -1) || len > MAX_ARG_STRLEN - 1)) { 1009 WARN_ON(1); 1010 send_sig(SIGKILL, current, 0); 1011 } 1012 1013 /* walk the whole argument looking for non-ascii chars */ 1014 do { 1015 if (len_left > MAX_EXECVE_AUDIT_LEN) 1016 to_send = MAX_EXECVE_AUDIT_LEN; 1017 else 1018 to_send = len_left; 1019 ret = copy_from_user(buf, tmp_p, to_send); 1020 /* 1021 * There is no reason for this copy to be short. We just 1022 * copied them here, and the mm hasn't been exposed to user- 1023 * space yet. 1024 */ 1025 if (ret) { 1026 WARN_ON(1); 1027 send_sig(SIGKILL, current, 0); 1028 } 1029 buf[to_send] = '\0'; 1030 has_cntl = audit_string_contains_control(buf, to_send); 1031 if (has_cntl) { 1032 /* 1033 * hex messages get logged as 2 bytes, so we can only 1034 * send half as much in each message 1035 */ 1036 max_execve_audit_len = MAX_EXECVE_AUDIT_LEN / 2; 1037 break; 1038 } 1039 len_left -= to_send; 1040 tmp_p += to_send; 1041 } while (len_left > 0); 1042 1043 len_left = len; 1044 1045 if (len > max_execve_audit_len) 1046 too_long = 1; 1047 1048 /* rewalk the argument actually logging the message */ 1049 for (i = 0; len_left > 0; i++) { 1050 int room_left; 1051 1052 if (len_left > max_execve_audit_len) 1053 to_send = max_execve_audit_len; 1054 else 1055 to_send = len_left; 1056 1057 /* do we have space left to send this argument in this ab? */ 1058 room_left = MAX_EXECVE_AUDIT_LEN - arg_num_len - *len_sent; 1059 if (has_cntl) 1060 room_left -= (to_send * 2); 1061 else 1062 room_left -= to_send; 1063 if (room_left < 0) { 1064 *len_sent = 0; 1065 audit_log_end(*ab); 1066 *ab = audit_log_start(context, GFP_KERNEL, AUDIT_EXECVE); 1067 if (!*ab) 1068 return 0; 1069 } 1070 1071 /* 1072 * first record needs to say how long the original string was 1073 * so we can be sure nothing was lost. 1074 */ 1075 if ((i == 0) && (too_long)) 1076 audit_log_format(*ab, "a%d_len=%ld ", arg_num, 1077 has_cntl ? 2*len : len); 1078 1079 /* 1080 * normally arguments are small enough to fit and we already 1081 * filled buf above when we checked for control characters 1082 * so don't bother with another copy_from_user 1083 */ 1084 if (len >= max_execve_audit_len) 1085 ret = copy_from_user(buf, p, to_send); 1086 else 1087 ret = 0; 1088 if (ret) { 1089 WARN_ON(1); 1090 send_sig(SIGKILL, current, 0); 1091 } 1092 buf[to_send] = '\0'; 1093 1094 /* actually log it */ 1095 audit_log_format(*ab, "a%d", arg_num); 1096 if (too_long) 1097 audit_log_format(*ab, "[%d]", i); 1098 audit_log_format(*ab, "="); 1099 if (has_cntl) 1100 audit_log_hex(*ab, buf, to_send); 1101 else 1102 audit_log_format(*ab, "\"%s\"", buf); 1103 audit_log_format(*ab, "\n"); 1104 1105 p += to_send; 1106 len_left -= to_send; 1107 *len_sent += arg_num_len; 1108 if (has_cntl) 1109 *len_sent += to_send * 2; 1110 else 1111 *len_sent += to_send; 1112 } 1113 /* include the null we didn't log */ 1114 return len + 1; 1115 } 1116 1117 static void audit_log_execve_info(struct audit_context *context, 1118 struct audit_buffer **ab, 1119 struct audit_aux_data_execve *axi) 1120 { 1121 int i; 1122 size_t len, len_sent = 0; 1123 const char __user *p; 1124 char *buf; 1125 1126 if (axi->mm != current->mm) 1127 return; /* execve failed, no additional info */ 1128 1129 p = (const char __user *)axi->mm->arg_start; 1130 1131 audit_log_format(*ab, "argc=%d ", axi->argc); 1132 1133 /* 1134 * we need some kernel buffer to hold the userspace args. Just 1135 * allocate one big one rather than allocating one of the right size 1136 * for every single argument inside audit_log_single_execve_arg() 1137 * should be <8k allocation so should be pretty safe. 1138 */ 1139 buf = kmalloc(MAX_EXECVE_AUDIT_LEN + 1, GFP_KERNEL); 1140 if (!buf) { 1141 audit_panic("out of memory for argv string\n"); 1142 return; 1143 } 1144 1145 for (i = 0; i < axi->argc; i++) { 1146 len = audit_log_single_execve_arg(context, ab, i, 1147 &len_sent, p, buf); 1148 if (len <= 0) 1149 break; 1150 p += len; 1151 } 1152 kfree(buf); 1153 } 1154 1155 static void audit_log_exit(struct audit_context *context, struct task_struct *tsk) 1156 { 1157 int i, call_panic = 0; 1158 struct audit_buffer *ab; 1159 struct audit_aux_data *aux; 1160 const char *tty; 1161 1162 /* tsk == current */ 1163 context->pid = tsk->pid; 1164 if (!context->ppid) 1165 context->ppid = sys_getppid(); 1166 context->uid = tsk->uid; 1167 context->gid = tsk->gid; 1168 context->euid = tsk->euid; 1169 context->suid = tsk->suid; 1170 context->fsuid = tsk->fsuid; 1171 context->egid = tsk->egid; 1172 context->sgid = tsk->sgid; 1173 context->fsgid = tsk->fsgid; 1174 context->personality = tsk->personality; 1175 1176 ab = audit_log_start(context, GFP_KERNEL, AUDIT_SYSCALL); 1177 if (!ab) 1178 return; /* audit_panic has been called */ 1179 audit_log_format(ab, "arch=%x syscall=%d", 1180 context->arch, context->major); 1181 if (context->personality != PER_LINUX) 1182 audit_log_format(ab, " per=%lx", context->personality); 1183 if (context->return_valid) 1184 audit_log_format(ab, " success=%s exit=%ld", 1185 (context->return_valid==AUDITSC_SUCCESS)?"yes":"no", 1186 context->return_code); 1187 1188 mutex_lock(&tty_mutex); 1189 read_lock(&tasklist_lock); 1190 if (tsk->signal && tsk->signal->tty && tsk->signal->tty->name) 1191 tty = tsk->signal->tty->name; 1192 else 1193 tty = "(none)"; 1194 read_unlock(&tasklist_lock); 1195 audit_log_format(ab, 1196 " a0=%lx a1=%lx a2=%lx a3=%lx items=%d" 1197 " ppid=%d pid=%d auid=%u uid=%u gid=%u" 1198 " euid=%u suid=%u fsuid=%u" 1199 " egid=%u sgid=%u fsgid=%u tty=%s ses=%u", 1200 context->argv[0], 1201 context->argv[1], 1202 context->argv[2], 1203 context->argv[3], 1204 context->name_count, 1205 context->ppid, 1206 context->pid, 1207 tsk->loginuid, 1208 context->uid, 1209 context->gid, 1210 context->euid, context->suid, context->fsuid, 1211 context->egid, context->sgid, context->fsgid, tty, 1212 tsk->sessionid); 1213 1214 mutex_unlock(&tty_mutex); 1215 1216 audit_log_task_info(ab, tsk); 1217 if (context->filterkey) { 1218 audit_log_format(ab, " key="); 1219 audit_log_untrustedstring(ab, context->filterkey); 1220 } else 1221 audit_log_format(ab, " key=(null)"); 1222 audit_log_end(ab); 1223 1224 for (aux = context->aux; aux; aux = aux->next) { 1225 1226 ab = audit_log_start(context, GFP_KERNEL, aux->type); 1227 if (!ab) 1228 continue; /* audit_panic has been called */ 1229 1230 switch (aux->type) { 1231 case AUDIT_MQ_OPEN: { 1232 struct audit_aux_data_mq_open *axi = (void *)aux; 1233 audit_log_format(ab, 1234 "oflag=0x%x mode=%#o mq_flags=0x%lx mq_maxmsg=%ld " 1235 "mq_msgsize=%ld mq_curmsgs=%ld", 1236 axi->oflag, axi->mode, axi->attr.mq_flags, 1237 axi->attr.mq_maxmsg, axi->attr.mq_msgsize, 1238 axi->attr.mq_curmsgs); 1239 break; } 1240 1241 case AUDIT_MQ_SENDRECV: { 1242 struct audit_aux_data_mq_sendrecv *axi = (void *)aux; 1243 audit_log_format(ab, 1244 "mqdes=%d msg_len=%zd msg_prio=%u " 1245 "abs_timeout_sec=%ld abs_timeout_nsec=%ld", 1246 axi->mqdes, axi->msg_len, axi->msg_prio, 1247 axi->abs_timeout.tv_sec, axi->abs_timeout.tv_nsec); 1248 break; } 1249 1250 case AUDIT_MQ_NOTIFY: { 1251 struct audit_aux_data_mq_notify *axi = (void *)aux; 1252 audit_log_format(ab, 1253 "mqdes=%d sigev_signo=%d", 1254 axi->mqdes, 1255 axi->notification.sigev_signo); 1256 break; } 1257 1258 case AUDIT_MQ_GETSETATTR: { 1259 struct audit_aux_data_mq_getsetattr *axi = (void *)aux; 1260 audit_log_format(ab, 1261 "mqdes=%d mq_flags=0x%lx mq_maxmsg=%ld mq_msgsize=%ld " 1262 "mq_curmsgs=%ld ", 1263 axi->mqdes, 1264 axi->mqstat.mq_flags, axi->mqstat.mq_maxmsg, 1265 axi->mqstat.mq_msgsize, axi->mqstat.mq_curmsgs); 1266 break; } 1267 1268 case AUDIT_IPC: { 1269 struct audit_aux_data_ipcctl *axi = (void *)aux; 1270 audit_log_format(ab, 1271 "ouid=%u ogid=%u mode=%#o", 1272 axi->uid, axi->gid, axi->mode); 1273 if (axi->osid != 0) { 1274 char *ctx = NULL; 1275 u32 len; 1276 if (selinux_sid_to_string( 1277 axi->osid, &ctx, &len)) { 1278 audit_log_format(ab, " osid=%u", 1279 axi->osid); 1280 call_panic = 1; 1281 } else 1282 audit_log_format(ab, " obj=%s", ctx); 1283 kfree(ctx); 1284 } 1285 break; } 1286 1287 case AUDIT_IPC_SET_PERM: { 1288 struct audit_aux_data_ipcctl *axi = (void *)aux; 1289 audit_log_format(ab, 1290 "qbytes=%lx ouid=%u ogid=%u mode=%#o", 1291 axi->qbytes, axi->uid, axi->gid, axi->mode); 1292 break; } 1293 1294 case AUDIT_EXECVE: { 1295 struct audit_aux_data_execve *axi = (void *)aux; 1296 audit_log_execve_info(context, &ab, axi); 1297 break; } 1298 1299 case AUDIT_SOCKETCALL: { 1300 int i; 1301 struct audit_aux_data_socketcall *axs = (void *)aux; 1302 audit_log_format(ab, "nargs=%d", axs->nargs); 1303 for (i=0; i<axs->nargs; i++) 1304 audit_log_format(ab, " a%d=%lx", i, axs->args[i]); 1305 break; } 1306 1307 case AUDIT_SOCKADDR: { 1308 struct audit_aux_data_sockaddr *axs = (void *)aux; 1309 1310 audit_log_format(ab, "saddr="); 1311 audit_log_hex(ab, axs->a, axs->len); 1312 break; } 1313 1314 case AUDIT_FD_PAIR: { 1315 struct audit_aux_data_fd_pair *axs = (void *)aux; 1316 audit_log_format(ab, "fd0=%d fd1=%d", axs->fd[0], axs->fd[1]); 1317 break; } 1318 1319 } 1320 audit_log_end(ab); 1321 } 1322 1323 for (aux = context->aux_pids; aux; aux = aux->next) { 1324 struct audit_aux_data_pids *axs = (void *)aux; 1325 int i; 1326 1327 for (i = 0; i < axs->pid_count; i++) 1328 if (audit_log_pid_context(context, axs->target_pid[i], 1329 axs->target_auid[i], 1330 axs->target_uid[i], 1331 axs->target_sessionid[i], 1332 axs->target_sid[i], 1333 axs->target_comm[i])) 1334 call_panic = 1; 1335 } 1336 1337 if (context->target_pid && 1338 audit_log_pid_context(context, context->target_pid, 1339 context->target_auid, context->target_uid, 1340 context->target_sessionid, 1341 context->target_sid, context->target_comm)) 1342 call_panic = 1; 1343 1344 if (context->pwd && context->pwdmnt) { 1345 ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD); 1346 if (ab) { 1347 audit_log_d_path(ab, "cwd=", context->pwd, context->pwdmnt); 1348 audit_log_end(ab); 1349 } 1350 } 1351 for (i = 0; i < context->name_count; i++) { 1352 struct audit_names *n = &context->names[i]; 1353 1354 ab = audit_log_start(context, GFP_KERNEL, AUDIT_PATH); 1355 if (!ab) 1356 continue; /* audit_panic has been called */ 1357 1358 audit_log_format(ab, "item=%d", i); 1359 1360 if (n->name) { 1361 switch(n->name_len) { 1362 case AUDIT_NAME_FULL: 1363 /* log the full path */ 1364 audit_log_format(ab, " name="); 1365 audit_log_untrustedstring(ab, n->name); 1366 break; 1367 case 0: 1368 /* name was specified as a relative path and the 1369 * directory component is the cwd */ 1370 audit_log_d_path(ab, " name=", context->pwd, 1371 context->pwdmnt); 1372 break; 1373 default: 1374 /* log the name's directory component */ 1375 audit_log_format(ab, " name="); 1376 audit_log_n_untrustedstring(ab, n->name_len, 1377 n->name); 1378 } 1379 } else 1380 audit_log_format(ab, " name=(null)"); 1381 1382 if (n->ino != (unsigned long)-1) { 1383 audit_log_format(ab, " inode=%lu" 1384 " dev=%02x:%02x mode=%#o" 1385 " ouid=%u ogid=%u rdev=%02x:%02x", 1386 n->ino, 1387 MAJOR(n->dev), 1388 MINOR(n->dev), 1389 n->mode, 1390 n->uid, 1391 n->gid, 1392 MAJOR(n->rdev), 1393 MINOR(n->rdev)); 1394 } 1395 if (n->osid != 0) { 1396 char *ctx = NULL; 1397 u32 len; 1398 if (selinux_sid_to_string( 1399 n->osid, &ctx, &len)) { 1400 audit_log_format(ab, " osid=%u", n->osid); 1401 call_panic = 2; 1402 } else 1403 audit_log_format(ab, " obj=%s", ctx); 1404 kfree(ctx); 1405 } 1406 1407 audit_log_end(ab); 1408 } 1409 1410 /* Send end of event record to help user space know we are finished */ 1411 ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE); 1412 if (ab) 1413 audit_log_end(ab); 1414 if (call_panic) 1415 audit_panic("error converting sid to string"); 1416 } 1417 1418 /** 1419 * audit_free - free a per-task audit context 1420 * @tsk: task whose audit context block to free 1421 * 1422 * Called from copy_process and do_exit 1423 */ 1424 void audit_free(struct task_struct *tsk) 1425 { 1426 struct audit_context *context; 1427 1428 context = audit_get_context(tsk, 0, 0); 1429 if (likely(!context)) 1430 return; 1431 1432 /* Check for system calls that do not go through the exit 1433 * function (e.g., exit_group), then free context block. 1434 * We use GFP_ATOMIC here because we might be doing this 1435 * in the context of the idle thread */ 1436 /* that can happen only if we are called from do_exit() */ 1437 if (context->in_syscall && context->auditable) 1438 audit_log_exit(context, tsk); 1439 1440 audit_free_context(context); 1441 } 1442 1443 /** 1444 * audit_syscall_entry - fill in an audit record at syscall entry 1445 * @tsk: task being audited 1446 * @arch: architecture type 1447 * @major: major syscall type (function) 1448 * @a1: additional syscall register 1 1449 * @a2: additional syscall register 2 1450 * @a3: additional syscall register 3 1451 * @a4: additional syscall register 4 1452 * 1453 * Fill in audit context at syscall entry. This only happens if the 1454 * audit context was created when the task was created and the state or 1455 * filters demand the audit context be built. If the state from the 1456 * per-task filter or from the per-syscall filter is AUDIT_RECORD_CONTEXT, 1457 * then the record will be written at syscall exit time (otherwise, it 1458 * will only be written if another part of the kernel requests that it 1459 * be written). 1460 */ 1461 void audit_syscall_entry(int arch, int major, 1462 unsigned long a1, unsigned long a2, 1463 unsigned long a3, unsigned long a4) 1464 { 1465 struct task_struct *tsk = current; 1466 struct audit_context *context = tsk->audit_context; 1467 enum audit_state state; 1468 1469 BUG_ON(!context); 1470 1471 /* 1472 * This happens only on certain architectures that make system 1473 * calls in kernel_thread via the entry.S interface, instead of 1474 * with direct calls. (If you are porting to a new 1475 * architecture, hitting this condition can indicate that you 1476 * got the _exit/_leave calls backward in entry.S.) 1477 * 1478 * i386 no 1479 * x86_64 no 1480 * ppc64 yes (see arch/powerpc/platforms/iseries/misc.S) 1481 * 1482 * This also happens with vm86 emulation in a non-nested manner 1483 * (entries without exits), so this case must be caught. 1484 */ 1485 if (context->in_syscall) { 1486 struct audit_context *newctx; 1487 1488 #if AUDIT_DEBUG 1489 printk(KERN_ERR 1490 "audit(:%d) pid=%d in syscall=%d;" 1491 " entering syscall=%d\n", 1492 context->serial, tsk->pid, context->major, major); 1493 #endif 1494 newctx = audit_alloc_context(context->state); 1495 if (newctx) { 1496 newctx->previous = context; 1497 context = newctx; 1498 tsk->audit_context = newctx; 1499 } else { 1500 /* If we can't alloc a new context, the best we 1501 * can do is to leak memory (any pending putname 1502 * will be lost). The only other alternative is 1503 * to abandon auditing. */ 1504 audit_zero_context(context, context->state); 1505 } 1506 } 1507 BUG_ON(context->in_syscall || context->name_count); 1508 1509 if (!audit_enabled) 1510 return; 1511 1512 context->arch = arch; 1513 context->major = major; 1514 context->argv[0] = a1; 1515 context->argv[1] = a2; 1516 context->argv[2] = a3; 1517 context->argv[3] = a4; 1518 1519 state = context->state; 1520 context->dummy = !audit_n_rules; 1521 if (!context->dummy && (state == AUDIT_SETUP_CONTEXT || state == AUDIT_BUILD_CONTEXT)) 1522 state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_ENTRY]); 1523 if (likely(state == AUDIT_DISABLED)) 1524 return; 1525 1526 context->serial = 0; 1527 context->ctime = CURRENT_TIME; 1528 context->in_syscall = 1; 1529 context->auditable = !!(state == AUDIT_RECORD_CONTEXT); 1530 context->ppid = 0; 1531 } 1532 1533 /** 1534 * audit_syscall_exit - deallocate audit context after a system call 1535 * @tsk: task being audited 1536 * @valid: success/failure flag 1537 * @return_code: syscall return value 1538 * 1539 * Tear down after system call. If the audit context has been marked as 1540 * auditable (either because of the AUDIT_RECORD_CONTEXT state from 1541 * filtering, or because some other part of the kernel write an audit 1542 * message), then write out the syscall information. In call cases, 1543 * free the names stored from getname(). 1544 */ 1545 void audit_syscall_exit(int valid, long return_code) 1546 { 1547 struct task_struct *tsk = current; 1548 struct audit_context *context; 1549 1550 context = audit_get_context(tsk, valid, return_code); 1551 1552 if (likely(!context)) 1553 return; 1554 1555 if (context->in_syscall && context->auditable) 1556 audit_log_exit(context, tsk); 1557 1558 context->in_syscall = 0; 1559 context->auditable = 0; 1560 1561 if (context->previous) { 1562 struct audit_context *new_context = context->previous; 1563 context->previous = NULL; 1564 audit_free_context(context); 1565 tsk->audit_context = new_context; 1566 } else { 1567 audit_free_names(context); 1568 unroll_tree_refs(context, NULL, 0); 1569 audit_free_aux(context); 1570 context->aux = NULL; 1571 context->aux_pids = NULL; 1572 context->target_pid = 0; 1573 context->target_sid = 0; 1574 kfree(context->filterkey); 1575 context->filterkey = NULL; 1576 tsk->audit_context = context; 1577 } 1578 } 1579 1580 static inline void handle_one(const struct inode *inode) 1581 { 1582 #ifdef CONFIG_AUDIT_TREE 1583 struct audit_context *context; 1584 struct audit_tree_refs *p; 1585 struct audit_chunk *chunk; 1586 int count; 1587 if (likely(list_empty(&inode->inotify_watches))) 1588 return; 1589 context = current->audit_context; 1590 p = context->trees; 1591 count = context->tree_count; 1592 rcu_read_lock(); 1593 chunk = audit_tree_lookup(inode); 1594 rcu_read_unlock(); 1595 if (!chunk) 1596 return; 1597 if (likely(put_tree_ref(context, chunk))) 1598 return; 1599 if (unlikely(!grow_tree_refs(context))) { 1600 printk(KERN_WARNING "out of memory, audit has lost a tree reference"); 1601 audit_set_auditable(context); 1602 audit_put_chunk(chunk); 1603 unroll_tree_refs(context, p, count); 1604 return; 1605 } 1606 put_tree_ref(context, chunk); 1607 #endif 1608 } 1609 1610 static void handle_path(const struct dentry *dentry) 1611 { 1612 #ifdef CONFIG_AUDIT_TREE 1613 struct audit_context *context; 1614 struct audit_tree_refs *p; 1615 const struct dentry *d, *parent; 1616 struct audit_chunk *drop; 1617 unsigned long seq; 1618 int count; 1619 1620 context = current->audit_context; 1621 p = context->trees; 1622 count = context->tree_count; 1623 retry: 1624 drop = NULL; 1625 d = dentry; 1626 rcu_read_lock(); 1627 seq = read_seqbegin(&rename_lock); 1628 for(;;) { 1629 struct inode *inode = d->d_inode; 1630 if (inode && unlikely(!list_empty(&inode->inotify_watches))) { 1631 struct audit_chunk *chunk; 1632 chunk = audit_tree_lookup(inode); 1633 if (chunk) { 1634 if (unlikely(!put_tree_ref(context, chunk))) { 1635 drop = chunk; 1636 break; 1637 } 1638 } 1639 } 1640 parent = d->d_parent; 1641 if (parent == d) 1642 break; 1643 d = parent; 1644 } 1645 if (unlikely(read_seqretry(&rename_lock, seq) || drop)) { /* in this order */ 1646 rcu_read_unlock(); 1647 if (!drop) { 1648 /* just a race with rename */ 1649 unroll_tree_refs(context, p, count); 1650 goto retry; 1651 } 1652 audit_put_chunk(drop); 1653 if (grow_tree_refs(context)) { 1654 /* OK, got more space */ 1655 unroll_tree_refs(context, p, count); 1656 goto retry; 1657 } 1658 /* too bad */ 1659 printk(KERN_WARNING 1660 "out of memory, audit has lost a tree reference"); 1661 unroll_tree_refs(context, p, count); 1662 audit_set_auditable(context); 1663 return; 1664 } 1665 rcu_read_unlock(); 1666 #endif 1667 } 1668 1669 /** 1670 * audit_getname - add a name to the list 1671 * @name: name to add 1672 * 1673 * Add a name to the list of audit names for this context. 1674 * Called from fs/namei.c:getname(). 1675 */ 1676 void __audit_getname(const char *name) 1677 { 1678 struct audit_context *context = current->audit_context; 1679 1680 if (IS_ERR(name) || !name) 1681 return; 1682 1683 if (!context->in_syscall) { 1684 #if AUDIT_DEBUG == 2 1685 printk(KERN_ERR "%s:%d(:%d): ignoring getname(%p)\n", 1686 __FILE__, __LINE__, context->serial, name); 1687 dump_stack(); 1688 #endif 1689 return; 1690 } 1691 BUG_ON(context->name_count >= AUDIT_NAMES); 1692 context->names[context->name_count].name = name; 1693 context->names[context->name_count].name_len = AUDIT_NAME_FULL; 1694 context->names[context->name_count].name_put = 1; 1695 context->names[context->name_count].ino = (unsigned long)-1; 1696 context->names[context->name_count].osid = 0; 1697 ++context->name_count; 1698 if (!context->pwd) { 1699 read_lock(¤t->fs->lock); 1700 context->pwd = dget(current->fs->pwd); 1701 context->pwdmnt = mntget(current->fs->pwdmnt); 1702 read_unlock(¤t->fs->lock); 1703 } 1704 1705 } 1706 1707 /* audit_putname - intercept a putname request 1708 * @name: name to intercept and delay for putname 1709 * 1710 * If we have stored the name from getname in the audit context, 1711 * then we delay the putname until syscall exit. 1712 * Called from include/linux/fs.h:putname(). 1713 */ 1714 void audit_putname(const char *name) 1715 { 1716 struct audit_context *context = current->audit_context; 1717 1718 BUG_ON(!context); 1719 if (!context->in_syscall) { 1720 #if AUDIT_DEBUG == 2 1721 printk(KERN_ERR "%s:%d(:%d): __putname(%p)\n", 1722 __FILE__, __LINE__, context->serial, name); 1723 if (context->name_count) { 1724 int i; 1725 for (i = 0; i < context->name_count; i++) 1726 printk(KERN_ERR "name[%d] = %p = %s\n", i, 1727 context->names[i].name, 1728 context->names[i].name ?: "(null)"); 1729 } 1730 #endif 1731 __putname(name); 1732 } 1733 #if AUDIT_DEBUG 1734 else { 1735 ++context->put_count; 1736 if (context->put_count > context->name_count) { 1737 printk(KERN_ERR "%s:%d(:%d): major=%d" 1738 " in_syscall=%d putname(%p) name_count=%d" 1739 " put_count=%d\n", 1740 __FILE__, __LINE__, 1741 context->serial, context->major, 1742 context->in_syscall, name, context->name_count, 1743 context->put_count); 1744 dump_stack(); 1745 } 1746 } 1747 #endif 1748 } 1749 1750 static int audit_inc_name_count(struct audit_context *context, 1751 const struct inode *inode) 1752 { 1753 if (context->name_count >= AUDIT_NAMES) { 1754 if (inode) 1755 printk(KERN_DEBUG "name_count maxed, losing inode data: " 1756 "dev=%02x:%02x, inode=%lu", 1757 MAJOR(inode->i_sb->s_dev), 1758 MINOR(inode->i_sb->s_dev), 1759 inode->i_ino); 1760 1761 else 1762 printk(KERN_DEBUG "name_count maxed, losing inode data"); 1763 return 1; 1764 } 1765 context->name_count++; 1766 #if AUDIT_DEBUG 1767 context->ino_count++; 1768 #endif 1769 return 0; 1770 } 1771 1772 /* Copy inode data into an audit_names. */ 1773 static void audit_copy_inode(struct audit_names *name, const struct inode *inode) 1774 { 1775 name->ino = inode->i_ino; 1776 name->dev = inode->i_sb->s_dev; 1777 name->mode = inode->i_mode; 1778 name->uid = inode->i_uid; 1779 name->gid = inode->i_gid; 1780 name->rdev = inode->i_rdev; 1781 selinux_get_inode_sid(inode, &name->osid); 1782 } 1783 1784 /** 1785 * audit_inode - store the inode and device from a lookup 1786 * @name: name being audited 1787 * @dentry: dentry being audited 1788 * 1789 * Called from fs/namei.c:path_lookup(). 1790 */ 1791 void __audit_inode(const char *name, const struct dentry *dentry) 1792 { 1793 int idx; 1794 struct audit_context *context = current->audit_context; 1795 const struct inode *inode = dentry->d_inode; 1796 1797 if (!context->in_syscall) 1798 return; 1799 if (context->name_count 1800 && context->names[context->name_count-1].name 1801 && context->names[context->name_count-1].name == name) 1802 idx = context->name_count - 1; 1803 else if (context->name_count > 1 1804 && context->names[context->name_count-2].name 1805 && context->names[context->name_count-2].name == name) 1806 idx = context->name_count - 2; 1807 else { 1808 /* FIXME: how much do we care about inodes that have no 1809 * associated name? */ 1810 if (audit_inc_name_count(context, inode)) 1811 return; 1812 idx = context->name_count - 1; 1813 context->names[idx].name = NULL; 1814 } 1815 handle_path(dentry); 1816 audit_copy_inode(&context->names[idx], inode); 1817 } 1818 1819 /** 1820 * audit_inode_child - collect inode info for created/removed objects 1821 * @dname: inode's dentry name 1822 * @dentry: dentry being audited 1823 * @parent: inode of dentry parent 1824 * 1825 * For syscalls that create or remove filesystem objects, audit_inode 1826 * can only collect information for the filesystem object's parent. 1827 * This call updates the audit context with the child's information. 1828 * Syscalls that create a new filesystem object must be hooked after 1829 * the object is created. Syscalls that remove a filesystem object 1830 * must be hooked prior, in order to capture the target inode during 1831 * unsuccessful attempts. 1832 */ 1833 void __audit_inode_child(const char *dname, const struct dentry *dentry, 1834 const struct inode *parent) 1835 { 1836 int idx; 1837 struct audit_context *context = current->audit_context; 1838 const char *found_parent = NULL, *found_child = NULL; 1839 const struct inode *inode = dentry->d_inode; 1840 int dirlen = 0; 1841 1842 if (!context->in_syscall) 1843 return; 1844 1845 if (inode) 1846 handle_one(inode); 1847 /* determine matching parent */ 1848 if (!dname) 1849 goto add_names; 1850 1851 /* parent is more likely, look for it first */ 1852 for (idx = 0; idx < context->name_count; idx++) { 1853 struct audit_names *n = &context->names[idx]; 1854 1855 if (!n->name) 1856 continue; 1857 1858 if (n->ino == parent->i_ino && 1859 !audit_compare_dname_path(dname, n->name, &dirlen)) { 1860 n->name_len = dirlen; /* update parent data in place */ 1861 found_parent = n->name; 1862 goto add_names; 1863 } 1864 } 1865 1866 /* no matching parent, look for matching child */ 1867 for (idx = 0; idx < context->name_count; idx++) { 1868 struct audit_names *n = &context->names[idx]; 1869 1870 if (!n->name) 1871 continue; 1872 1873 /* strcmp() is the more likely scenario */ 1874 if (!strcmp(dname, n->name) || 1875 !audit_compare_dname_path(dname, n->name, &dirlen)) { 1876 if (inode) 1877 audit_copy_inode(n, inode); 1878 else 1879 n->ino = (unsigned long)-1; 1880 found_child = n->name; 1881 goto add_names; 1882 } 1883 } 1884 1885 add_names: 1886 if (!found_parent) { 1887 if (audit_inc_name_count(context, parent)) 1888 return; 1889 idx = context->name_count - 1; 1890 context->names[idx].name = NULL; 1891 audit_copy_inode(&context->names[idx], parent); 1892 } 1893 1894 if (!found_child) { 1895 if (audit_inc_name_count(context, inode)) 1896 return; 1897 idx = context->name_count - 1; 1898 1899 /* Re-use the name belonging to the slot for a matching parent 1900 * directory. All names for this context are relinquished in 1901 * audit_free_names() */ 1902 if (found_parent) { 1903 context->names[idx].name = found_parent; 1904 context->names[idx].name_len = AUDIT_NAME_FULL; 1905 /* don't call __putname() */ 1906 context->names[idx].name_put = 0; 1907 } else { 1908 context->names[idx].name = NULL; 1909 } 1910 1911 if (inode) 1912 audit_copy_inode(&context->names[idx], inode); 1913 else 1914 context->names[idx].ino = (unsigned long)-1; 1915 } 1916 } 1917 EXPORT_SYMBOL_GPL(__audit_inode_child); 1918 1919 /** 1920 * auditsc_get_stamp - get local copies of audit_context values 1921 * @ctx: audit_context for the task 1922 * @t: timespec to store time recorded in the audit_context 1923 * @serial: serial value that is recorded in the audit_context 1924 * 1925 * Also sets the context as auditable. 1926 */ 1927 void auditsc_get_stamp(struct audit_context *ctx, 1928 struct timespec *t, unsigned int *serial) 1929 { 1930 if (!ctx->serial) 1931 ctx->serial = audit_serial(); 1932 t->tv_sec = ctx->ctime.tv_sec; 1933 t->tv_nsec = ctx->ctime.tv_nsec; 1934 *serial = ctx->serial; 1935 ctx->auditable = 1; 1936 } 1937 1938 /* global counter which is incremented every time something logs in */ 1939 static atomic_t session_id = ATOMIC_INIT(0); 1940 1941 /** 1942 * audit_set_loginuid - set a task's audit_context loginuid 1943 * @task: task whose audit context is being modified 1944 * @loginuid: loginuid value 1945 * 1946 * Returns 0. 1947 * 1948 * Called (set) from fs/proc/base.c::proc_loginuid_write(). 1949 */ 1950 int audit_set_loginuid(struct task_struct *task, uid_t loginuid) 1951 { 1952 unsigned int sessionid = atomic_inc_return(&session_id); 1953 struct audit_context *context = task->audit_context; 1954 1955 if (context && context->in_syscall) { 1956 struct audit_buffer *ab; 1957 1958 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN); 1959 if (ab) { 1960 audit_log_format(ab, "login pid=%d uid=%u " 1961 "old auid=%u new auid=%u" 1962 " old ses=%u new ses=%u", 1963 task->pid, task->uid, 1964 task->loginuid, loginuid, 1965 task->sessionid, sessionid); 1966 audit_log_end(ab); 1967 } 1968 } 1969 task->sessionid = sessionid; 1970 task->loginuid = loginuid; 1971 return 0; 1972 } 1973 1974 /** 1975 * __audit_mq_open - record audit data for a POSIX MQ open 1976 * @oflag: open flag 1977 * @mode: mode bits 1978 * @u_attr: queue attributes 1979 * 1980 * Returns 0 for success or NULL context or < 0 on error. 1981 */ 1982 int __audit_mq_open(int oflag, mode_t mode, struct mq_attr __user *u_attr) 1983 { 1984 struct audit_aux_data_mq_open *ax; 1985 struct audit_context *context = current->audit_context; 1986 1987 if (!audit_enabled) 1988 return 0; 1989 1990 if (likely(!context)) 1991 return 0; 1992 1993 ax = kmalloc(sizeof(*ax), GFP_ATOMIC); 1994 if (!ax) 1995 return -ENOMEM; 1996 1997 if (u_attr != NULL) { 1998 if (copy_from_user(&ax->attr, u_attr, sizeof(ax->attr))) { 1999 kfree(ax); 2000 return -EFAULT; 2001 } 2002 } else 2003 memset(&ax->attr, 0, sizeof(ax->attr)); 2004 2005 ax->oflag = oflag; 2006 ax->mode = mode; 2007 2008 ax->d.type = AUDIT_MQ_OPEN; 2009 ax->d.next = context->aux; 2010 context->aux = (void *)ax; 2011 return 0; 2012 } 2013 2014 /** 2015 * __audit_mq_timedsend - record audit data for a POSIX MQ timed send 2016 * @mqdes: MQ descriptor 2017 * @msg_len: Message length 2018 * @msg_prio: Message priority 2019 * @u_abs_timeout: Message timeout in absolute time 2020 * 2021 * Returns 0 for success or NULL context or < 0 on error. 2022 */ 2023 int __audit_mq_timedsend(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, 2024 const struct timespec __user *u_abs_timeout) 2025 { 2026 struct audit_aux_data_mq_sendrecv *ax; 2027 struct audit_context *context = current->audit_context; 2028 2029 if (!audit_enabled) 2030 return 0; 2031 2032 if (likely(!context)) 2033 return 0; 2034 2035 ax = kmalloc(sizeof(*ax), GFP_ATOMIC); 2036 if (!ax) 2037 return -ENOMEM; 2038 2039 if (u_abs_timeout != NULL) { 2040 if (copy_from_user(&ax->abs_timeout, u_abs_timeout, sizeof(ax->abs_timeout))) { 2041 kfree(ax); 2042 return -EFAULT; 2043 } 2044 } else 2045 memset(&ax->abs_timeout, 0, sizeof(ax->abs_timeout)); 2046 2047 ax->mqdes = mqdes; 2048 ax->msg_len = msg_len; 2049 ax->msg_prio = msg_prio; 2050 2051 ax->d.type = AUDIT_MQ_SENDRECV; 2052 ax->d.next = context->aux; 2053 context->aux = (void *)ax; 2054 return 0; 2055 } 2056 2057 /** 2058 * __audit_mq_timedreceive - record audit data for a POSIX MQ timed receive 2059 * @mqdes: MQ descriptor 2060 * @msg_len: Message length 2061 * @u_msg_prio: Message priority 2062 * @u_abs_timeout: Message timeout in absolute time 2063 * 2064 * Returns 0 for success or NULL context or < 0 on error. 2065 */ 2066 int __audit_mq_timedreceive(mqd_t mqdes, size_t msg_len, 2067 unsigned int __user *u_msg_prio, 2068 const struct timespec __user *u_abs_timeout) 2069 { 2070 struct audit_aux_data_mq_sendrecv *ax; 2071 struct audit_context *context = current->audit_context; 2072 2073 if (!audit_enabled) 2074 return 0; 2075 2076 if (likely(!context)) 2077 return 0; 2078 2079 ax = kmalloc(sizeof(*ax), GFP_ATOMIC); 2080 if (!ax) 2081 return -ENOMEM; 2082 2083 if (u_msg_prio != NULL) { 2084 if (get_user(ax->msg_prio, u_msg_prio)) { 2085 kfree(ax); 2086 return -EFAULT; 2087 } 2088 } else 2089 ax->msg_prio = 0; 2090 2091 if (u_abs_timeout != NULL) { 2092 if (copy_from_user(&ax->abs_timeout, u_abs_timeout, sizeof(ax->abs_timeout))) { 2093 kfree(ax); 2094 return -EFAULT; 2095 } 2096 } else 2097 memset(&ax->abs_timeout, 0, sizeof(ax->abs_timeout)); 2098 2099 ax->mqdes = mqdes; 2100 ax->msg_len = msg_len; 2101 2102 ax->d.type = AUDIT_MQ_SENDRECV; 2103 ax->d.next = context->aux; 2104 context->aux = (void *)ax; 2105 return 0; 2106 } 2107 2108 /** 2109 * __audit_mq_notify - record audit data for a POSIX MQ notify 2110 * @mqdes: MQ descriptor 2111 * @u_notification: Notification event 2112 * 2113 * Returns 0 for success or NULL context or < 0 on error. 2114 */ 2115 2116 int __audit_mq_notify(mqd_t mqdes, const struct sigevent __user *u_notification) 2117 { 2118 struct audit_aux_data_mq_notify *ax; 2119 struct audit_context *context = current->audit_context; 2120 2121 if (!audit_enabled) 2122 return 0; 2123 2124 if (likely(!context)) 2125 return 0; 2126 2127 ax = kmalloc(sizeof(*ax), GFP_ATOMIC); 2128 if (!ax) 2129 return -ENOMEM; 2130 2131 if (u_notification != NULL) { 2132 if (copy_from_user(&ax->notification, u_notification, sizeof(ax->notification))) { 2133 kfree(ax); 2134 return -EFAULT; 2135 } 2136 } else 2137 memset(&ax->notification, 0, sizeof(ax->notification)); 2138 2139 ax->mqdes = mqdes; 2140 2141 ax->d.type = AUDIT_MQ_NOTIFY; 2142 ax->d.next = context->aux; 2143 context->aux = (void *)ax; 2144 return 0; 2145 } 2146 2147 /** 2148 * __audit_mq_getsetattr - record audit data for a POSIX MQ get/set attribute 2149 * @mqdes: MQ descriptor 2150 * @mqstat: MQ flags 2151 * 2152 * Returns 0 for success or NULL context or < 0 on error. 2153 */ 2154 int __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat) 2155 { 2156 struct audit_aux_data_mq_getsetattr *ax; 2157 struct audit_context *context = current->audit_context; 2158 2159 if (!audit_enabled) 2160 return 0; 2161 2162 if (likely(!context)) 2163 return 0; 2164 2165 ax = kmalloc(sizeof(*ax), GFP_ATOMIC); 2166 if (!ax) 2167 return -ENOMEM; 2168 2169 ax->mqdes = mqdes; 2170 ax->mqstat = *mqstat; 2171 2172 ax->d.type = AUDIT_MQ_GETSETATTR; 2173 ax->d.next = context->aux; 2174 context->aux = (void *)ax; 2175 return 0; 2176 } 2177 2178 /** 2179 * audit_ipc_obj - record audit data for ipc object 2180 * @ipcp: ipc permissions 2181 * 2182 * Returns 0 for success or NULL context or < 0 on error. 2183 */ 2184 int __audit_ipc_obj(struct kern_ipc_perm *ipcp) 2185 { 2186 struct audit_aux_data_ipcctl *ax; 2187 struct audit_context *context = current->audit_context; 2188 2189 ax = kmalloc(sizeof(*ax), GFP_ATOMIC); 2190 if (!ax) 2191 return -ENOMEM; 2192 2193 ax->uid = ipcp->uid; 2194 ax->gid = ipcp->gid; 2195 ax->mode = ipcp->mode; 2196 selinux_get_ipc_sid(ipcp, &ax->osid); 2197 2198 ax->d.type = AUDIT_IPC; 2199 ax->d.next = context->aux; 2200 context->aux = (void *)ax; 2201 return 0; 2202 } 2203 2204 /** 2205 * audit_ipc_set_perm - record audit data for new ipc permissions 2206 * @qbytes: msgq bytes 2207 * @uid: msgq user id 2208 * @gid: msgq group id 2209 * @mode: msgq mode (permissions) 2210 * 2211 * Returns 0 for success or NULL context or < 0 on error. 2212 */ 2213 int __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode) 2214 { 2215 struct audit_aux_data_ipcctl *ax; 2216 struct audit_context *context = current->audit_context; 2217 2218 ax = kmalloc(sizeof(*ax), GFP_ATOMIC); 2219 if (!ax) 2220 return -ENOMEM; 2221 2222 ax->qbytes = qbytes; 2223 ax->uid = uid; 2224 ax->gid = gid; 2225 ax->mode = mode; 2226 2227 ax->d.type = AUDIT_IPC_SET_PERM; 2228 ax->d.next = context->aux; 2229 context->aux = (void *)ax; 2230 return 0; 2231 } 2232 2233 int audit_bprm(struct linux_binprm *bprm) 2234 { 2235 struct audit_aux_data_execve *ax; 2236 struct audit_context *context = current->audit_context; 2237 2238 if (likely(!audit_enabled || !context || context->dummy)) 2239 return 0; 2240 2241 ax = kmalloc(sizeof(*ax), GFP_KERNEL); 2242 if (!ax) 2243 return -ENOMEM; 2244 2245 ax->argc = bprm->argc; 2246 ax->envc = bprm->envc; 2247 ax->mm = bprm->mm; 2248 ax->d.type = AUDIT_EXECVE; 2249 ax->d.next = context->aux; 2250 context->aux = (void *)ax; 2251 return 0; 2252 } 2253 2254 2255 /** 2256 * audit_socketcall - record audit data for sys_socketcall 2257 * @nargs: number of args 2258 * @args: args array 2259 * 2260 * Returns 0 for success or NULL context or < 0 on error. 2261 */ 2262 int audit_socketcall(int nargs, unsigned long *args) 2263 { 2264 struct audit_aux_data_socketcall *ax; 2265 struct audit_context *context = current->audit_context; 2266 2267 if (likely(!context || context->dummy)) 2268 return 0; 2269 2270 ax = kmalloc(sizeof(*ax) + nargs * sizeof(unsigned long), GFP_KERNEL); 2271 if (!ax) 2272 return -ENOMEM; 2273 2274 ax->nargs = nargs; 2275 memcpy(ax->args, args, nargs * sizeof(unsigned long)); 2276 2277 ax->d.type = AUDIT_SOCKETCALL; 2278 ax->d.next = context->aux; 2279 context->aux = (void *)ax; 2280 return 0; 2281 } 2282 2283 /** 2284 * __audit_fd_pair - record audit data for pipe and socketpair 2285 * @fd1: the first file descriptor 2286 * @fd2: the second file descriptor 2287 * 2288 * Returns 0 for success or NULL context or < 0 on error. 2289 */ 2290 int __audit_fd_pair(int fd1, int fd2) 2291 { 2292 struct audit_context *context = current->audit_context; 2293 struct audit_aux_data_fd_pair *ax; 2294 2295 if (likely(!context)) { 2296 return 0; 2297 } 2298 2299 ax = kmalloc(sizeof(*ax), GFP_KERNEL); 2300 if (!ax) { 2301 return -ENOMEM; 2302 } 2303 2304 ax->fd[0] = fd1; 2305 ax->fd[1] = fd2; 2306 2307 ax->d.type = AUDIT_FD_PAIR; 2308 ax->d.next = context->aux; 2309 context->aux = (void *)ax; 2310 return 0; 2311 } 2312 2313 /** 2314 * audit_sockaddr - record audit data for sys_bind, sys_connect, sys_sendto 2315 * @len: data length in user space 2316 * @a: data address in kernel space 2317 * 2318 * Returns 0 for success or NULL context or < 0 on error. 2319 */ 2320 int audit_sockaddr(int len, void *a) 2321 { 2322 struct audit_aux_data_sockaddr *ax; 2323 struct audit_context *context = current->audit_context; 2324 2325 if (likely(!context || context->dummy)) 2326 return 0; 2327 2328 ax = kmalloc(sizeof(*ax) + len, GFP_KERNEL); 2329 if (!ax) 2330 return -ENOMEM; 2331 2332 ax->len = len; 2333 memcpy(ax->a, a, len); 2334 2335 ax->d.type = AUDIT_SOCKADDR; 2336 ax->d.next = context->aux; 2337 context->aux = (void *)ax; 2338 return 0; 2339 } 2340 2341 void __audit_ptrace(struct task_struct *t) 2342 { 2343 struct audit_context *context = current->audit_context; 2344 2345 context->target_pid = t->pid; 2346 context->target_auid = audit_get_loginuid(t); 2347 context->target_uid = t->uid; 2348 context->target_sessionid = audit_get_sessionid(t); 2349 selinux_get_task_sid(t, &context->target_sid); 2350 memcpy(context->target_comm, t->comm, TASK_COMM_LEN); 2351 } 2352 2353 /** 2354 * audit_signal_info - record signal info for shutting down audit subsystem 2355 * @sig: signal value 2356 * @t: task being signaled 2357 * 2358 * If the audit subsystem is being terminated, record the task (pid) 2359 * and uid that is doing that. 2360 */ 2361 int __audit_signal_info(int sig, struct task_struct *t) 2362 { 2363 struct audit_aux_data_pids *axp; 2364 struct task_struct *tsk = current; 2365 struct audit_context *ctx = tsk->audit_context; 2366 extern pid_t audit_sig_pid; 2367 extern uid_t audit_sig_uid; 2368 extern u32 audit_sig_sid; 2369 2370 if (audit_pid && t->tgid == audit_pid) { 2371 if (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1) { 2372 audit_sig_pid = tsk->pid; 2373 if (tsk->loginuid != -1) 2374 audit_sig_uid = tsk->loginuid; 2375 else 2376 audit_sig_uid = tsk->uid; 2377 selinux_get_task_sid(tsk, &audit_sig_sid); 2378 } 2379 if (!audit_signals || audit_dummy_context()) 2380 return 0; 2381 } 2382 2383 /* optimize the common case by putting first signal recipient directly 2384 * in audit_context */ 2385 if (!ctx->target_pid) { 2386 ctx->target_pid = t->tgid; 2387 ctx->target_auid = audit_get_loginuid(t); 2388 ctx->target_uid = t->uid; 2389 ctx->target_sessionid = audit_get_sessionid(t); 2390 selinux_get_task_sid(t, &ctx->target_sid); 2391 memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN); 2392 return 0; 2393 } 2394 2395 axp = (void *)ctx->aux_pids; 2396 if (!axp || axp->pid_count == AUDIT_AUX_PIDS) { 2397 axp = kzalloc(sizeof(*axp), GFP_ATOMIC); 2398 if (!axp) 2399 return -ENOMEM; 2400 2401 axp->d.type = AUDIT_OBJ_PID; 2402 axp->d.next = ctx->aux_pids; 2403 ctx->aux_pids = (void *)axp; 2404 } 2405 BUG_ON(axp->pid_count >= AUDIT_AUX_PIDS); 2406 2407 axp->target_pid[axp->pid_count] = t->tgid; 2408 axp->target_auid[axp->pid_count] = audit_get_loginuid(t); 2409 axp->target_uid[axp->pid_count] = t->uid; 2410 axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t); 2411 selinux_get_task_sid(t, &axp->target_sid[axp->pid_count]); 2412 memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN); 2413 axp->pid_count++; 2414 2415 return 0; 2416 } 2417 2418 /** 2419 * audit_core_dumps - record information about processes that end abnormally 2420 * @signr: signal value 2421 * 2422 * If a process ends with a core dump, something fishy is going on and we 2423 * should record the event for investigation. 2424 */ 2425 void audit_core_dumps(long signr) 2426 { 2427 struct audit_buffer *ab; 2428 u32 sid; 2429 uid_t auid = audit_get_loginuid(current); 2430 unsigned int sessionid = audit_get_sessionid(current); 2431 2432 if (!audit_enabled) 2433 return; 2434 2435 if (signr == SIGQUIT) /* don't care for those */ 2436 return; 2437 2438 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND); 2439 audit_log_format(ab, "auid=%u uid=%u gid=%u ses=%u", 2440 auid, current->uid, current->gid, sessionid); 2441 selinux_get_task_sid(current, &sid); 2442 if (sid) { 2443 char *ctx = NULL; 2444 u32 len; 2445 2446 if (selinux_sid_to_string(sid, &ctx, &len)) 2447 audit_log_format(ab, " ssid=%u", sid); 2448 else 2449 audit_log_format(ab, " subj=%s", ctx); 2450 kfree(ctx); 2451 } 2452 audit_log_format(ab, " pid=%d comm=", current->pid); 2453 audit_log_untrustedstring(ab, current->comm); 2454 audit_log_format(ab, " sig=%ld", signr); 2455 audit_log_end(ab); 2456 } 2457