1 /* auditsc.c -- System-call auditing support 2 * Handles all system-call specific auditing features. 3 * 4 * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina. 5 * Copyright 2005 Hewlett-Packard Development Company, L.P. 6 * Copyright (C) 2005, 2006 IBM Corporation 7 * All Rights Reserved. 8 * 9 * This program is free software; you can redistribute it and/or modify 10 * it under the terms of the GNU General Public License as published by 11 * the Free Software Foundation; either version 2 of the License, or 12 * (at your option) any later version. 13 * 14 * This program is distributed in the hope that it will be useful, 15 * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 * GNU General Public License for more details. 18 * 19 * You should have received a copy of the GNU General Public License 20 * along with this program; if not, write to the Free Software 21 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 22 * 23 * Written by Rickard E. (Rik) Faith <faith@redhat.com> 24 * 25 * Many of the ideas implemented here are from Stephen C. Tweedie, 26 * especially the idea of avoiding a copy by using getname. 27 * 28 * The method for actual interception of syscall entry and exit (not in 29 * this file -- see entry.S) is based on a GPL'd patch written by 30 * okir@suse.de and Copyright 2003 SuSE Linux AG. 31 * 32 * POSIX message queue support added by George Wilson <ltcgcw@us.ibm.com>, 33 * 2006. 34 * 35 * The support of additional filter rules compares (>, <, >=, <=) was 36 * added by Dustin Kirkland <dustin.kirkland@us.ibm.com>, 2005. 37 * 38 * Modified by Amy Griffis <amy.griffis@hp.com> to collect additional 39 * filesystem information. 40 * 41 * Subject and object context labeling support added by <danjones@us.ibm.com> 42 * and <dustin.kirkland@us.ibm.com> for LSPP certification compliance. 43 */ 44 45 #include <linux/init.h> 46 #include <asm/types.h> 47 #include <asm/atomic.h> 48 #include <asm/types.h> 49 #include <linux/fs.h> 50 #include <linux/namei.h> 51 #include <linux/mm.h> 52 #include <linux/module.h> 53 #include <linux/mount.h> 54 #include <linux/socket.h> 55 #include <linux/mqueue.h> 56 #include <linux/audit.h> 57 #include <linux/personality.h> 58 #include <linux/time.h> 59 #include <linux/netlink.h> 60 #include <linux/compiler.h> 61 #include <asm/unistd.h> 62 #include <linux/security.h> 63 #include <linux/list.h> 64 #include <linux/tty.h> 65 #include <linux/selinux.h> 66 #include <linux/binfmts.h> 67 #include <linux/syscalls.h> 68 69 #include "audit.h" 70 71 extern struct list_head audit_filter_list[]; 72 73 /* No syscall auditing will take place unless audit_enabled != 0. */ 74 extern int audit_enabled; 75 76 /* AUDIT_NAMES is the number of slots we reserve in the audit_context 77 * for saving names from getname(). */ 78 #define AUDIT_NAMES 20 79 80 /* AUDIT_NAMES_RESERVED is the number of slots we reserve in the 81 * audit_context from being used for nameless inodes from 82 * path_lookup. */ 83 #define AUDIT_NAMES_RESERVED 7 84 85 /* Indicates that audit should log the full pathname. */ 86 #define AUDIT_NAME_FULL -1 87 88 /* number of audit rules */ 89 int audit_n_rules; 90 91 /* When fs/namei.c:getname() is called, we store the pointer in name and 92 * we don't let putname() free it (instead we free all of the saved 93 * pointers at syscall exit time). 94 * 95 * Further, in fs/namei.c:path_lookup() we store the inode and device. */ 96 struct audit_names { 97 const char *name; 98 int name_len; /* number of name's characters to log */ 99 unsigned name_put; /* call __putname() for this name */ 100 unsigned long ino; 101 dev_t dev; 102 umode_t mode; 103 uid_t uid; 104 gid_t gid; 105 dev_t rdev; 106 u32 osid; 107 }; 108 109 struct audit_aux_data { 110 struct audit_aux_data *next; 111 int type; 112 }; 113 114 #define AUDIT_AUX_IPCPERM 0 115 116 struct audit_aux_data_mq_open { 117 struct audit_aux_data d; 118 int oflag; 119 mode_t mode; 120 struct mq_attr attr; 121 }; 122 123 struct audit_aux_data_mq_sendrecv { 124 struct audit_aux_data d; 125 mqd_t mqdes; 126 size_t msg_len; 127 unsigned int msg_prio; 128 struct timespec abs_timeout; 129 }; 130 131 struct audit_aux_data_mq_notify { 132 struct audit_aux_data d; 133 mqd_t mqdes; 134 struct sigevent notification; 135 }; 136 137 struct audit_aux_data_mq_getsetattr { 138 struct audit_aux_data d; 139 mqd_t mqdes; 140 struct mq_attr mqstat; 141 }; 142 143 struct audit_aux_data_ipcctl { 144 struct audit_aux_data d; 145 struct ipc_perm p; 146 unsigned long qbytes; 147 uid_t uid; 148 gid_t gid; 149 mode_t mode; 150 u32 osid; 151 }; 152 153 struct audit_aux_data_execve { 154 struct audit_aux_data d; 155 int argc; 156 int envc; 157 char mem[0]; 158 }; 159 160 struct audit_aux_data_socketcall { 161 struct audit_aux_data d; 162 int nargs; 163 unsigned long args[0]; 164 }; 165 166 struct audit_aux_data_sockaddr { 167 struct audit_aux_data d; 168 int len; 169 char a[0]; 170 }; 171 172 struct audit_aux_data_path { 173 struct audit_aux_data d; 174 struct dentry *dentry; 175 struct vfsmount *mnt; 176 }; 177 178 /* The per-task audit context. */ 179 struct audit_context { 180 int dummy; /* must be the first element */ 181 int in_syscall; /* 1 if task is in a syscall */ 182 enum audit_state state; 183 unsigned int serial; /* serial number for record */ 184 struct timespec ctime; /* time of syscall entry */ 185 uid_t loginuid; /* login uid (identity) */ 186 int major; /* syscall number */ 187 unsigned long argv[4]; /* syscall arguments */ 188 int return_valid; /* return code is valid */ 189 long return_code;/* syscall return code */ 190 int auditable; /* 1 if record should be written */ 191 int name_count; 192 struct audit_names names[AUDIT_NAMES]; 193 char * filterkey; /* key for rule that triggered record */ 194 struct dentry * pwd; 195 struct vfsmount * pwdmnt; 196 struct audit_context *previous; /* For nested syscalls */ 197 struct audit_aux_data *aux; 198 199 /* Save things to print about task_struct */ 200 pid_t pid, ppid; 201 uid_t uid, euid, suid, fsuid; 202 gid_t gid, egid, sgid, fsgid; 203 unsigned long personality; 204 int arch; 205 206 #if AUDIT_DEBUG 207 int put_count; 208 int ino_count; 209 #endif 210 }; 211 212 #define ACC_MODE(x) ("\004\002\006\006"[(x)&O_ACCMODE]) 213 static inline int open_arg(int flags, int mask) 214 { 215 int n = ACC_MODE(flags); 216 if (flags & (O_TRUNC | O_CREAT)) 217 n |= AUDIT_PERM_WRITE; 218 return n & mask; 219 } 220 221 static int audit_match_perm(struct audit_context *ctx, int mask) 222 { 223 unsigned n = ctx->major; 224 switch (audit_classify_syscall(ctx->arch, n)) { 225 case 0: /* native */ 226 if ((mask & AUDIT_PERM_WRITE) && 227 audit_match_class(AUDIT_CLASS_WRITE, n)) 228 return 1; 229 if ((mask & AUDIT_PERM_READ) && 230 audit_match_class(AUDIT_CLASS_READ, n)) 231 return 1; 232 if ((mask & AUDIT_PERM_ATTR) && 233 audit_match_class(AUDIT_CLASS_CHATTR, n)) 234 return 1; 235 return 0; 236 case 1: /* 32bit on biarch */ 237 if ((mask & AUDIT_PERM_WRITE) && 238 audit_match_class(AUDIT_CLASS_WRITE_32, n)) 239 return 1; 240 if ((mask & AUDIT_PERM_READ) && 241 audit_match_class(AUDIT_CLASS_READ_32, n)) 242 return 1; 243 if ((mask & AUDIT_PERM_ATTR) && 244 audit_match_class(AUDIT_CLASS_CHATTR_32, n)) 245 return 1; 246 return 0; 247 case 2: /* open */ 248 return mask & ACC_MODE(ctx->argv[1]); 249 case 3: /* openat */ 250 return mask & ACC_MODE(ctx->argv[2]); 251 case 4: /* socketcall */ 252 return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND); 253 case 5: /* execve */ 254 return mask & AUDIT_PERM_EXEC; 255 default: 256 return 0; 257 } 258 } 259 260 /* Determine if any context name data matches a rule's watch data */ 261 /* Compare a task_struct with an audit_rule. Return 1 on match, 0 262 * otherwise. */ 263 static int audit_filter_rules(struct task_struct *tsk, 264 struct audit_krule *rule, 265 struct audit_context *ctx, 266 struct audit_names *name, 267 enum audit_state *state) 268 { 269 int i, j, need_sid = 1; 270 u32 sid; 271 272 for (i = 0; i < rule->field_count; i++) { 273 struct audit_field *f = &rule->fields[i]; 274 int result = 0; 275 276 switch (f->type) { 277 case AUDIT_PID: 278 result = audit_comparator(tsk->pid, f->op, f->val); 279 break; 280 case AUDIT_PPID: 281 if (ctx) 282 result = audit_comparator(ctx->ppid, f->op, f->val); 283 break; 284 case AUDIT_UID: 285 result = audit_comparator(tsk->uid, f->op, f->val); 286 break; 287 case AUDIT_EUID: 288 result = audit_comparator(tsk->euid, f->op, f->val); 289 break; 290 case AUDIT_SUID: 291 result = audit_comparator(tsk->suid, f->op, f->val); 292 break; 293 case AUDIT_FSUID: 294 result = audit_comparator(tsk->fsuid, f->op, f->val); 295 break; 296 case AUDIT_GID: 297 result = audit_comparator(tsk->gid, f->op, f->val); 298 break; 299 case AUDIT_EGID: 300 result = audit_comparator(tsk->egid, f->op, f->val); 301 break; 302 case AUDIT_SGID: 303 result = audit_comparator(tsk->sgid, f->op, f->val); 304 break; 305 case AUDIT_FSGID: 306 result = audit_comparator(tsk->fsgid, f->op, f->val); 307 break; 308 case AUDIT_PERS: 309 result = audit_comparator(tsk->personality, f->op, f->val); 310 break; 311 case AUDIT_ARCH: 312 if (ctx) 313 result = audit_comparator(ctx->arch, f->op, f->val); 314 break; 315 316 case AUDIT_EXIT: 317 if (ctx && ctx->return_valid) 318 result = audit_comparator(ctx->return_code, f->op, f->val); 319 break; 320 case AUDIT_SUCCESS: 321 if (ctx && ctx->return_valid) { 322 if (f->val) 323 result = audit_comparator(ctx->return_valid, f->op, AUDITSC_SUCCESS); 324 else 325 result = audit_comparator(ctx->return_valid, f->op, AUDITSC_FAILURE); 326 } 327 break; 328 case AUDIT_DEVMAJOR: 329 if (name) 330 result = audit_comparator(MAJOR(name->dev), 331 f->op, f->val); 332 else if (ctx) { 333 for (j = 0; j < ctx->name_count; j++) { 334 if (audit_comparator(MAJOR(ctx->names[j].dev), f->op, f->val)) { 335 ++result; 336 break; 337 } 338 } 339 } 340 break; 341 case AUDIT_DEVMINOR: 342 if (name) 343 result = audit_comparator(MINOR(name->dev), 344 f->op, f->val); 345 else if (ctx) { 346 for (j = 0; j < ctx->name_count; j++) { 347 if (audit_comparator(MINOR(ctx->names[j].dev), f->op, f->val)) { 348 ++result; 349 break; 350 } 351 } 352 } 353 break; 354 case AUDIT_INODE: 355 if (name) 356 result = (name->ino == f->val); 357 else if (ctx) { 358 for (j = 0; j < ctx->name_count; j++) { 359 if (audit_comparator(ctx->names[j].ino, f->op, f->val)) { 360 ++result; 361 break; 362 } 363 } 364 } 365 break; 366 case AUDIT_WATCH: 367 if (name && rule->watch->ino != (unsigned long)-1) 368 result = (name->dev == rule->watch->dev && 369 name->ino == rule->watch->ino); 370 break; 371 case AUDIT_LOGINUID: 372 result = 0; 373 if (ctx) 374 result = audit_comparator(ctx->loginuid, f->op, f->val); 375 break; 376 case AUDIT_SUBJ_USER: 377 case AUDIT_SUBJ_ROLE: 378 case AUDIT_SUBJ_TYPE: 379 case AUDIT_SUBJ_SEN: 380 case AUDIT_SUBJ_CLR: 381 /* NOTE: this may return negative values indicating 382 a temporary error. We simply treat this as a 383 match for now to avoid losing information that 384 may be wanted. An error message will also be 385 logged upon error */ 386 if (f->se_rule) { 387 if (need_sid) { 388 selinux_task_ctxid(tsk, &sid); 389 need_sid = 0; 390 } 391 result = selinux_audit_rule_match(sid, f->type, 392 f->op, 393 f->se_rule, 394 ctx); 395 } 396 break; 397 case AUDIT_OBJ_USER: 398 case AUDIT_OBJ_ROLE: 399 case AUDIT_OBJ_TYPE: 400 case AUDIT_OBJ_LEV_LOW: 401 case AUDIT_OBJ_LEV_HIGH: 402 /* The above note for AUDIT_SUBJ_USER...AUDIT_SUBJ_CLR 403 also applies here */ 404 if (f->se_rule) { 405 /* Find files that match */ 406 if (name) { 407 result = selinux_audit_rule_match( 408 name->osid, f->type, f->op, 409 f->se_rule, ctx); 410 } else if (ctx) { 411 for (j = 0; j < ctx->name_count; j++) { 412 if (selinux_audit_rule_match( 413 ctx->names[j].osid, 414 f->type, f->op, 415 f->se_rule, ctx)) { 416 ++result; 417 break; 418 } 419 } 420 } 421 /* Find ipc objects that match */ 422 if (ctx) { 423 struct audit_aux_data *aux; 424 for (aux = ctx->aux; aux; 425 aux = aux->next) { 426 if (aux->type == AUDIT_IPC) { 427 struct audit_aux_data_ipcctl *axi = (void *)aux; 428 if (selinux_audit_rule_match(axi->osid, f->type, f->op, f->se_rule, ctx)) { 429 ++result; 430 break; 431 } 432 } 433 } 434 } 435 } 436 break; 437 case AUDIT_ARG0: 438 case AUDIT_ARG1: 439 case AUDIT_ARG2: 440 case AUDIT_ARG3: 441 if (ctx) 442 result = audit_comparator(ctx->argv[f->type-AUDIT_ARG0], f->op, f->val); 443 break; 444 case AUDIT_FILTERKEY: 445 /* ignore this field for filtering */ 446 result = 1; 447 break; 448 case AUDIT_PERM: 449 result = audit_match_perm(ctx, f->val); 450 break; 451 } 452 453 if (!result) 454 return 0; 455 } 456 if (rule->filterkey) 457 ctx->filterkey = kstrdup(rule->filterkey, GFP_ATOMIC); 458 switch (rule->action) { 459 case AUDIT_NEVER: *state = AUDIT_DISABLED; break; 460 case AUDIT_ALWAYS: *state = AUDIT_RECORD_CONTEXT; break; 461 } 462 return 1; 463 } 464 465 /* At process creation time, we can determine if system-call auditing is 466 * completely disabled for this task. Since we only have the task 467 * structure at this point, we can only check uid and gid. 468 */ 469 static enum audit_state audit_filter_task(struct task_struct *tsk) 470 { 471 struct audit_entry *e; 472 enum audit_state state; 473 474 rcu_read_lock(); 475 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TASK], list) { 476 if (audit_filter_rules(tsk, &e->rule, NULL, NULL, &state)) { 477 rcu_read_unlock(); 478 return state; 479 } 480 } 481 rcu_read_unlock(); 482 return AUDIT_BUILD_CONTEXT; 483 } 484 485 /* At syscall entry and exit time, this filter is called if the 486 * audit_state is not low enough that auditing cannot take place, but is 487 * also not high enough that we already know we have to write an audit 488 * record (i.e., the state is AUDIT_SETUP_CONTEXT or AUDIT_BUILD_CONTEXT). 489 */ 490 static enum audit_state audit_filter_syscall(struct task_struct *tsk, 491 struct audit_context *ctx, 492 struct list_head *list) 493 { 494 struct audit_entry *e; 495 enum audit_state state; 496 497 if (audit_pid && tsk->tgid == audit_pid) 498 return AUDIT_DISABLED; 499 500 rcu_read_lock(); 501 if (!list_empty(list)) { 502 int word = AUDIT_WORD(ctx->major); 503 int bit = AUDIT_BIT(ctx->major); 504 505 list_for_each_entry_rcu(e, list, list) { 506 if ((e->rule.mask[word] & bit) == bit && 507 audit_filter_rules(tsk, &e->rule, ctx, NULL, 508 &state)) { 509 rcu_read_unlock(); 510 return state; 511 } 512 } 513 } 514 rcu_read_unlock(); 515 return AUDIT_BUILD_CONTEXT; 516 } 517 518 /* At syscall exit time, this filter is called if any audit_names[] have been 519 * collected during syscall processing. We only check rules in sublists at hash 520 * buckets applicable to the inode numbers in audit_names[]. 521 * Regarding audit_state, same rules apply as for audit_filter_syscall(). 522 */ 523 enum audit_state audit_filter_inodes(struct task_struct *tsk, 524 struct audit_context *ctx) 525 { 526 int i; 527 struct audit_entry *e; 528 enum audit_state state; 529 530 if (audit_pid && tsk->tgid == audit_pid) 531 return AUDIT_DISABLED; 532 533 rcu_read_lock(); 534 for (i = 0; i < ctx->name_count; i++) { 535 int word = AUDIT_WORD(ctx->major); 536 int bit = AUDIT_BIT(ctx->major); 537 struct audit_names *n = &ctx->names[i]; 538 int h = audit_hash_ino((u32)n->ino); 539 struct list_head *list = &audit_inode_hash[h]; 540 541 if (list_empty(list)) 542 continue; 543 544 list_for_each_entry_rcu(e, list, list) { 545 if ((e->rule.mask[word] & bit) == bit && 546 audit_filter_rules(tsk, &e->rule, ctx, n, &state)) { 547 rcu_read_unlock(); 548 return state; 549 } 550 } 551 } 552 rcu_read_unlock(); 553 return AUDIT_BUILD_CONTEXT; 554 } 555 556 void audit_set_auditable(struct audit_context *ctx) 557 { 558 ctx->auditable = 1; 559 } 560 561 static inline struct audit_context *audit_get_context(struct task_struct *tsk, 562 int return_valid, 563 int return_code) 564 { 565 struct audit_context *context = tsk->audit_context; 566 567 if (likely(!context)) 568 return NULL; 569 context->return_valid = return_valid; 570 context->return_code = return_code; 571 572 if (context->in_syscall && !context->dummy && !context->auditable) { 573 enum audit_state state; 574 575 state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_EXIT]); 576 if (state == AUDIT_RECORD_CONTEXT) { 577 context->auditable = 1; 578 goto get_context; 579 } 580 581 state = audit_filter_inodes(tsk, context); 582 if (state == AUDIT_RECORD_CONTEXT) 583 context->auditable = 1; 584 585 } 586 587 get_context: 588 589 tsk->audit_context = NULL; 590 return context; 591 } 592 593 static inline void audit_free_names(struct audit_context *context) 594 { 595 int i; 596 597 #if AUDIT_DEBUG == 2 598 if (context->auditable 599 ||context->put_count + context->ino_count != context->name_count) { 600 printk(KERN_ERR "%s:%d(:%d): major=%d in_syscall=%d" 601 " name_count=%d put_count=%d" 602 " ino_count=%d [NOT freeing]\n", 603 __FILE__, __LINE__, 604 context->serial, context->major, context->in_syscall, 605 context->name_count, context->put_count, 606 context->ino_count); 607 for (i = 0; i < context->name_count; i++) { 608 printk(KERN_ERR "names[%d] = %p = %s\n", i, 609 context->names[i].name, 610 context->names[i].name ?: "(null)"); 611 } 612 dump_stack(); 613 return; 614 } 615 #endif 616 #if AUDIT_DEBUG 617 context->put_count = 0; 618 context->ino_count = 0; 619 #endif 620 621 for (i = 0; i < context->name_count; i++) { 622 if (context->names[i].name && context->names[i].name_put) 623 __putname(context->names[i].name); 624 } 625 context->name_count = 0; 626 if (context->pwd) 627 dput(context->pwd); 628 if (context->pwdmnt) 629 mntput(context->pwdmnt); 630 context->pwd = NULL; 631 context->pwdmnt = NULL; 632 } 633 634 static inline void audit_free_aux(struct audit_context *context) 635 { 636 struct audit_aux_data *aux; 637 638 while ((aux = context->aux)) { 639 if (aux->type == AUDIT_AVC_PATH) { 640 struct audit_aux_data_path *axi = (void *)aux; 641 dput(axi->dentry); 642 mntput(axi->mnt); 643 } 644 645 context->aux = aux->next; 646 kfree(aux); 647 } 648 } 649 650 static inline void audit_zero_context(struct audit_context *context, 651 enum audit_state state) 652 { 653 uid_t loginuid = context->loginuid; 654 655 memset(context, 0, sizeof(*context)); 656 context->state = state; 657 context->loginuid = loginuid; 658 } 659 660 static inline struct audit_context *audit_alloc_context(enum audit_state state) 661 { 662 struct audit_context *context; 663 664 if (!(context = kmalloc(sizeof(*context), GFP_KERNEL))) 665 return NULL; 666 audit_zero_context(context, state); 667 return context; 668 } 669 670 /** 671 * audit_alloc - allocate an audit context block for a task 672 * @tsk: task 673 * 674 * Filter on the task information and allocate a per-task audit context 675 * if necessary. Doing so turns on system call auditing for the 676 * specified task. This is called from copy_process, so no lock is 677 * needed. 678 */ 679 int audit_alloc(struct task_struct *tsk) 680 { 681 struct audit_context *context; 682 enum audit_state state; 683 684 if (likely(!audit_enabled)) 685 return 0; /* Return if not auditing. */ 686 687 state = audit_filter_task(tsk); 688 if (likely(state == AUDIT_DISABLED)) 689 return 0; 690 691 if (!(context = audit_alloc_context(state))) { 692 audit_log_lost("out of memory in audit_alloc"); 693 return -ENOMEM; 694 } 695 696 /* Preserve login uid */ 697 context->loginuid = -1; 698 if (current->audit_context) 699 context->loginuid = current->audit_context->loginuid; 700 701 tsk->audit_context = context; 702 set_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT); 703 return 0; 704 } 705 706 static inline void audit_free_context(struct audit_context *context) 707 { 708 struct audit_context *previous; 709 int count = 0; 710 711 do { 712 previous = context->previous; 713 if (previous || (count && count < 10)) { 714 ++count; 715 printk(KERN_ERR "audit(:%d): major=%d name_count=%d:" 716 " freeing multiple contexts (%d)\n", 717 context->serial, context->major, 718 context->name_count, count); 719 } 720 audit_free_names(context); 721 audit_free_aux(context); 722 kfree(context->filterkey); 723 kfree(context); 724 context = previous; 725 } while (context); 726 if (count >= 10) 727 printk(KERN_ERR "audit: freed %d contexts\n", count); 728 } 729 730 static void audit_log_task_context(struct audit_buffer *ab) 731 { 732 char *ctx = NULL; 733 ssize_t len = 0; 734 735 len = security_getprocattr(current, "current", NULL, 0); 736 if (len < 0) { 737 if (len != -EINVAL) 738 goto error_path; 739 return; 740 } 741 742 ctx = kmalloc(len, GFP_KERNEL); 743 if (!ctx) 744 goto error_path; 745 746 len = security_getprocattr(current, "current", ctx, len); 747 if (len < 0 ) 748 goto error_path; 749 750 audit_log_format(ab, " subj=%s", ctx); 751 return; 752 753 error_path: 754 kfree(ctx); 755 audit_panic("error in audit_log_task_context"); 756 return; 757 } 758 759 static void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk) 760 { 761 char name[sizeof(tsk->comm)]; 762 struct mm_struct *mm = tsk->mm; 763 struct vm_area_struct *vma; 764 765 /* tsk == current */ 766 767 get_task_comm(name, tsk); 768 audit_log_format(ab, " comm="); 769 audit_log_untrustedstring(ab, name); 770 771 if (mm) { 772 down_read(&mm->mmap_sem); 773 vma = mm->mmap; 774 while (vma) { 775 if ((vma->vm_flags & VM_EXECUTABLE) && 776 vma->vm_file) { 777 audit_log_d_path(ab, "exe=", 778 vma->vm_file->f_dentry, 779 vma->vm_file->f_vfsmnt); 780 break; 781 } 782 vma = vma->vm_next; 783 } 784 up_read(&mm->mmap_sem); 785 } 786 audit_log_task_context(ab); 787 } 788 789 static void audit_log_exit(struct audit_context *context, struct task_struct *tsk) 790 { 791 int i, call_panic = 0; 792 struct audit_buffer *ab; 793 struct audit_aux_data *aux; 794 const char *tty; 795 796 /* tsk == current */ 797 context->pid = tsk->pid; 798 context->ppid = sys_getppid(); /* sic. tsk == current in all cases */ 799 context->uid = tsk->uid; 800 context->gid = tsk->gid; 801 context->euid = tsk->euid; 802 context->suid = tsk->suid; 803 context->fsuid = tsk->fsuid; 804 context->egid = tsk->egid; 805 context->sgid = tsk->sgid; 806 context->fsgid = tsk->fsgid; 807 context->personality = tsk->personality; 808 809 ab = audit_log_start(context, GFP_KERNEL, AUDIT_SYSCALL); 810 if (!ab) 811 return; /* audit_panic has been called */ 812 audit_log_format(ab, "arch=%x syscall=%d", 813 context->arch, context->major); 814 if (context->personality != PER_LINUX) 815 audit_log_format(ab, " per=%lx", context->personality); 816 if (context->return_valid) 817 audit_log_format(ab, " success=%s exit=%ld", 818 (context->return_valid==AUDITSC_SUCCESS)?"yes":"no", 819 context->return_code); 820 if (tsk->signal && tsk->signal->tty && tsk->signal->tty->name) 821 tty = tsk->signal->tty->name; 822 else 823 tty = "(none)"; 824 audit_log_format(ab, 825 " a0=%lx a1=%lx a2=%lx a3=%lx items=%d" 826 " ppid=%d pid=%d auid=%u uid=%u gid=%u" 827 " euid=%u suid=%u fsuid=%u" 828 " egid=%u sgid=%u fsgid=%u tty=%s", 829 context->argv[0], 830 context->argv[1], 831 context->argv[2], 832 context->argv[3], 833 context->name_count, 834 context->ppid, 835 context->pid, 836 context->loginuid, 837 context->uid, 838 context->gid, 839 context->euid, context->suid, context->fsuid, 840 context->egid, context->sgid, context->fsgid, tty); 841 audit_log_task_info(ab, tsk); 842 if (context->filterkey) { 843 audit_log_format(ab, " key="); 844 audit_log_untrustedstring(ab, context->filterkey); 845 } else 846 audit_log_format(ab, " key=(null)"); 847 audit_log_end(ab); 848 849 for (aux = context->aux; aux; aux = aux->next) { 850 851 ab = audit_log_start(context, GFP_KERNEL, aux->type); 852 if (!ab) 853 continue; /* audit_panic has been called */ 854 855 switch (aux->type) { 856 case AUDIT_MQ_OPEN: { 857 struct audit_aux_data_mq_open *axi = (void *)aux; 858 audit_log_format(ab, 859 "oflag=0x%x mode=%#o mq_flags=0x%lx mq_maxmsg=%ld " 860 "mq_msgsize=%ld mq_curmsgs=%ld", 861 axi->oflag, axi->mode, axi->attr.mq_flags, 862 axi->attr.mq_maxmsg, axi->attr.mq_msgsize, 863 axi->attr.mq_curmsgs); 864 break; } 865 866 case AUDIT_MQ_SENDRECV: { 867 struct audit_aux_data_mq_sendrecv *axi = (void *)aux; 868 audit_log_format(ab, 869 "mqdes=%d msg_len=%zd msg_prio=%u " 870 "abs_timeout_sec=%ld abs_timeout_nsec=%ld", 871 axi->mqdes, axi->msg_len, axi->msg_prio, 872 axi->abs_timeout.tv_sec, axi->abs_timeout.tv_nsec); 873 break; } 874 875 case AUDIT_MQ_NOTIFY: { 876 struct audit_aux_data_mq_notify *axi = (void *)aux; 877 audit_log_format(ab, 878 "mqdes=%d sigev_signo=%d", 879 axi->mqdes, 880 axi->notification.sigev_signo); 881 break; } 882 883 case AUDIT_MQ_GETSETATTR: { 884 struct audit_aux_data_mq_getsetattr *axi = (void *)aux; 885 audit_log_format(ab, 886 "mqdes=%d mq_flags=0x%lx mq_maxmsg=%ld mq_msgsize=%ld " 887 "mq_curmsgs=%ld ", 888 axi->mqdes, 889 axi->mqstat.mq_flags, axi->mqstat.mq_maxmsg, 890 axi->mqstat.mq_msgsize, axi->mqstat.mq_curmsgs); 891 break; } 892 893 case AUDIT_IPC: { 894 struct audit_aux_data_ipcctl *axi = (void *)aux; 895 audit_log_format(ab, 896 "ouid=%u ogid=%u mode=%x", 897 axi->uid, axi->gid, axi->mode); 898 if (axi->osid != 0) { 899 char *ctx = NULL; 900 u32 len; 901 if (selinux_ctxid_to_string( 902 axi->osid, &ctx, &len)) { 903 audit_log_format(ab, " osid=%u", 904 axi->osid); 905 call_panic = 1; 906 } else 907 audit_log_format(ab, " obj=%s", ctx); 908 kfree(ctx); 909 } 910 break; } 911 912 case AUDIT_IPC_SET_PERM: { 913 struct audit_aux_data_ipcctl *axi = (void *)aux; 914 audit_log_format(ab, 915 "qbytes=%lx ouid=%u ogid=%u mode=%x", 916 axi->qbytes, axi->uid, axi->gid, axi->mode); 917 break; } 918 919 case AUDIT_EXECVE: { 920 struct audit_aux_data_execve *axi = (void *)aux; 921 int i; 922 const char *p; 923 for (i = 0, p = axi->mem; i < axi->argc; i++) { 924 audit_log_format(ab, "a%d=", i); 925 p = audit_log_untrustedstring(ab, p); 926 audit_log_format(ab, "\n"); 927 } 928 break; } 929 930 case AUDIT_SOCKETCALL: { 931 int i; 932 struct audit_aux_data_socketcall *axs = (void *)aux; 933 audit_log_format(ab, "nargs=%d", axs->nargs); 934 for (i=0; i<axs->nargs; i++) 935 audit_log_format(ab, " a%d=%lx", i, axs->args[i]); 936 break; } 937 938 case AUDIT_SOCKADDR: { 939 struct audit_aux_data_sockaddr *axs = (void *)aux; 940 941 audit_log_format(ab, "saddr="); 942 audit_log_hex(ab, axs->a, axs->len); 943 break; } 944 945 case AUDIT_AVC_PATH: { 946 struct audit_aux_data_path *axi = (void *)aux; 947 audit_log_d_path(ab, "path=", axi->dentry, axi->mnt); 948 break; } 949 950 } 951 audit_log_end(ab); 952 } 953 954 if (context->pwd && context->pwdmnt) { 955 ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD); 956 if (ab) { 957 audit_log_d_path(ab, "cwd=", context->pwd, context->pwdmnt); 958 audit_log_end(ab); 959 } 960 } 961 for (i = 0; i < context->name_count; i++) { 962 struct audit_names *n = &context->names[i]; 963 964 ab = audit_log_start(context, GFP_KERNEL, AUDIT_PATH); 965 if (!ab) 966 continue; /* audit_panic has been called */ 967 968 audit_log_format(ab, "item=%d", i); 969 970 if (n->name) { 971 switch(n->name_len) { 972 case AUDIT_NAME_FULL: 973 /* log the full path */ 974 audit_log_format(ab, " name="); 975 audit_log_untrustedstring(ab, n->name); 976 break; 977 case 0: 978 /* name was specified as a relative path and the 979 * directory component is the cwd */ 980 audit_log_d_path(ab, " name=", context->pwd, 981 context->pwdmnt); 982 break; 983 default: 984 /* log the name's directory component */ 985 audit_log_format(ab, " name="); 986 audit_log_n_untrustedstring(ab, n->name_len, 987 n->name); 988 } 989 } else 990 audit_log_format(ab, " name=(null)"); 991 992 if (n->ino != (unsigned long)-1) { 993 audit_log_format(ab, " inode=%lu" 994 " dev=%02x:%02x mode=%#o" 995 " ouid=%u ogid=%u rdev=%02x:%02x", 996 n->ino, 997 MAJOR(n->dev), 998 MINOR(n->dev), 999 n->mode, 1000 n->uid, 1001 n->gid, 1002 MAJOR(n->rdev), 1003 MINOR(n->rdev)); 1004 } 1005 if (n->osid != 0) { 1006 char *ctx = NULL; 1007 u32 len; 1008 if (selinux_ctxid_to_string( 1009 n->osid, &ctx, &len)) { 1010 audit_log_format(ab, " osid=%u", n->osid); 1011 call_panic = 2; 1012 } else 1013 audit_log_format(ab, " obj=%s", ctx); 1014 kfree(ctx); 1015 } 1016 1017 audit_log_end(ab); 1018 } 1019 if (call_panic) 1020 audit_panic("error converting sid to string"); 1021 } 1022 1023 /** 1024 * audit_free - free a per-task audit context 1025 * @tsk: task whose audit context block to free 1026 * 1027 * Called from copy_process and do_exit 1028 */ 1029 void audit_free(struct task_struct *tsk) 1030 { 1031 struct audit_context *context; 1032 1033 context = audit_get_context(tsk, 0, 0); 1034 if (likely(!context)) 1035 return; 1036 1037 /* Check for system calls that do not go through the exit 1038 * function (e.g., exit_group), then free context block. 1039 * We use GFP_ATOMIC here because we might be doing this 1040 * in the context of the idle thread */ 1041 /* that can happen only if we are called from do_exit() */ 1042 if (context->in_syscall && context->auditable) 1043 audit_log_exit(context, tsk); 1044 1045 audit_free_context(context); 1046 } 1047 1048 /** 1049 * audit_syscall_entry - fill in an audit record at syscall entry 1050 * @tsk: task being audited 1051 * @arch: architecture type 1052 * @major: major syscall type (function) 1053 * @a1: additional syscall register 1 1054 * @a2: additional syscall register 2 1055 * @a3: additional syscall register 3 1056 * @a4: additional syscall register 4 1057 * 1058 * Fill in audit context at syscall entry. This only happens if the 1059 * audit context was created when the task was created and the state or 1060 * filters demand the audit context be built. If the state from the 1061 * per-task filter or from the per-syscall filter is AUDIT_RECORD_CONTEXT, 1062 * then the record will be written at syscall exit time (otherwise, it 1063 * will only be written if another part of the kernel requests that it 1064 * be written). 1065 */ 1066 void audit_syscall_entry(int arch, int major, 1067 unsigned long a1, unsigned long a2, 1068 unsigned long a3, unsigned long a4) 1069 { 1070 struct task_struct *tsk = current; 1071 struct audit_context *context = tsk->audit_context; 1072 enum audit_state state; 1073 1074 BUG_ON(!context); 1075 1076 /* 1077 * This happens only on certain architectures that make system 1078 * calls in kernel_thread via the entry.S interface, instead of 1079 * with direct calls. (If you are porting to a new 1080 * architecture, hitting this condition can indicate that you 1081 * got the _exit/_leave calls backward in entry.S.) 1082 * 1083 * i386 no 1084 * x86_64 no 1085 * ppc64 yes (see arch/powerpc/platforms/iseries/misc.S) 1086 * 1087 * This also happens with vm86 emulation in a non-nested manner 1088 * (entries without exits), so this case must be caught. 1089 */ 1090 if (context->in_syscall) { 1091 struct audit_context *newctx; 1092 1093 #if AUDIT_DEBUG 1094 printk(KERN_ERR 1095 "audit(:%d) pid=%d in syscall=%d;" 1096 " entering syscall=%d\n", 1097 context->serial, tsk->pid, context->major, major); 1098 #endif 1099 newctx = audit_alloc_context(context->state); 1100 if (newctx) { 1101 newctx->previous = context; 1102 context = newctx; 1103 tsk->audit_context = newctx; 1104 } else { 1105 /* If we can't alloc a new context, the best we 1106 * can do is to leak memory (any pending putname 1107 * will be lost). The only other alternative is 1108 * to abandon auditing. */ 1109 audit_zero_context(context, context->state); 1110 } 1111 } 1112 BUG_ON(context->in_syscall || context->name_count); 1113 1114 if (!audit_enabled) 1115 return; 1116 1117 context->arch = arch; 1118 context->major = major; 1119 context->argv[0] = a1; 1120 context->argv[1] = a2; 1121 context->argv[2] = a3; 1122 context->argv[3] = a4; 1123 1124 state = context->state; 1125 context->dummy = !audit_n_rules; 1126 if (!context->dummy && (state == AUDIT_SETUP_CONTEXT || state == AUDIT_BUILD_CONTEXT)) 1127 state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_ENTRY]); 1128 if (likely(state == AUDIT_DISABLED)) 1129 return; 1130 1131 context->serial = 0; 1132 context->ctime = CURRENT_TIME; 1133 context->in_syscall = 1; 1134 context->auditable = !!(state == AUDIT_RECORD_CONTEXT); 1135 } 1136 1137 /** 1138 * audit_syscall_exit - deallocate audit context after a system call 1139 * @tsk: task being audited 1140 * @valid: success/failure flag 1141 * @return_code: syscall return value 1142 * 1143 * Tear down after system call. If the audit context has been marked as 1144 * auditable (either because of the AUDIT_RECORD_CONTEXT state from 1145 * filtering, or because some other part of the kernel write an audit 1146 * message), then write out the syscall information. In call cases, 1147 * free the names stored from getname(). 1148 */ 1149 void audit_syscall_exit(int valid, long return_code) 1150 { 1151 struct task_struct *tsk = current; 1152 struct audit_context *context; 1153 1154 context = audit_get_context(tsk, valid, return_code); 1155 1156 if (likely(!context)) 1157 return; 1158 1159 if (context->in_syscall && context->auditable) 1160 audit_log_exit(context, tsk); 1161 1162 context->in_syscall = 0; 1163 context->auditable = 0; 1164 1165 if (context->previous) { 1166 struct audit_context *new_context = context->previous; 1167 context->previous = NULL; 1168 audit_free_context(context); 1169 tsk->audit_context = new_context; 1170 } else { 1171 audit_free_names(context); 1172 audit_free_aux(context); 1173 kfree(context->filterkey); 1174 context->filterkey = NULL; 1175 tsk->audit_context = context; 1176 } 1177 } 1178 1179 /** 1180 * audit_getname - add a name to the list 1181 * @name: name to add 1182 * 1183 * Add a name to the list of audit names for this context. 1184 * Called from fs/namei.c:getname(). 1185 */ 1186 void __audit_getname(const char *name) 1187 { 1188 struct audit_context *context = current->audit_context; 1189 1190 if (IS_ERR(name) || !name) 1191 return; 1192 1193 if (!context->in_syscall) { 1194 #if AUDIT_DEBUG == 2 1195 printk(KERN_ERR "%s:%d(:%d): ignoring getname(%p)\n", 1196 __FILE__, __LINE__, context->serial, name); 1197 dump_stack(); 1198 #endif 1199 return; 1200 } 1201 BUG_ON(context->name_count >= AUDIT_NAMES); 1202 context->names[context->name_count].name = name; 1203 context->names[context->name_count].name_len = AUDIT_NAME_FULL; 1204 context->names[context->name_count].name_put = 1; 1205 context->names[context->name_count].ino = (unsigned long)-1; 1206 ++context->name_count; 1207 if (!context->pwd) { 1208 read_lock(¤t->fs->lock); 1209 context->pwd = dget(current->fs->pwd); 1210 context->pwdmnt = mntget(current->fs->pwdmnt); 1211 read_unlock(¤t->fs->lock); 1212 } 1213 1214 } 1215 1216 /* audit_putname - intercept a putname request 1217 * @name: name to intercept and delay for putname 1218 * 1219 * If we have stored the name from getname in the audit context, 1220 * then we delay the putname until syscall exit. 1221 * Called from include/linux/fs.h:putname(). 1222 */ 1223 void audit_putname(const char *name) 1224 { 1225 struct audit_context *context = current->audit_context; 1226 1227 BUG_ON(!context); 1228 if (!context->in_syscall) { 1229 #if AUDIT_DEBUG == 2 1230 printk(KERN_ERR "%s:%d(:%d): __putname(%p)\n", 1231 __FILE__, __LINE__, context->serial, name); 1232 if (context->name_count) { 1233 int i; 1234 for (i = 0; i < context->name_count; i++) 1235 printk(KERN_ERR "name[%d] = %p = %s\n", i, 1236 context->names[i].name, 1237 context->names[i].name ?: "(null)"); 1238 } 1239 #endif 1240 __putname(name); 1241 } 1242 #if AUDIT_DEBUG 1243 else { 1244 ++context->put_count; 1245 if (context->put_count > context->name_count) { 1246 printk(KERN_ERR "%s:%d(:%d): major=%d" 1247 " in_syscall=%d putname(%p) name_count=%d" 1248 " put_count=%d\n", 1249 __FILE__, __LINE__, 1250 context->serial, context->major, 1251 context->in_syscall, name, context->name_count, 1252 context->put_count); 1253 dump_stack(); 1254 } 1255 } 1256 #endif 1257 } 1258 1259 /* Copy inode data into an audit_names. */ 1260 static void audit_copy_inode(struct audit_names *name, const struct inode *inode) 1261 { 1262 name->ino = inode->i_ino; 1263 name->dev = inode->i_sb->s_dev; 1264 name->mode = inode->i_mode; 1265 name->uid = inode->i_uid; 1266 name->gid = inode->i_gid; 1267 name->rdev = inode->i_rdev; 1268 selinux_get_inode_sid(inode, &name->osid); 1269 } 1270 1271 /** 1272 * audit_inode - store the inode and device from a lookup 1273 * @name: name being audited 1274 * @inode: inode being audited 1275 * 1276 * Called from fs/namei.c:path_lookup(). 1277 */ 1278 void __audit_inode(const char *name, const struct inode *inode) 1279 { 1280 int idx; 1281 struct audit_context *context = current->audit_context; 1282 1283 if (!context->in_syscall) 1284 return; 1285 if (context->name_count 1286 && context->names[context->name_count-1].name 1287 && context->names[context->name_count-1].name == name) 1288 idx = context->name_count - 1; 1289 else if (context->name_count > 1 1290 && context->names[context->name_count-2].name 1291 && context->names[context->name_count-2].name == name) 1292 idx = context->name_count - 2; 1293 else { 1294 /* FIXME: how much do we care about inodes that have no 1295 * associated name? */ 1296 if (context->name_count >= AUDIT_NAMES - AUDIT_NAMES_RESERVED) 1297 return; 1298 idx = context->name_count++; 1299 context->names[idx].name = NULL; 1300 #if AUDIT_DEBUG 1301 ++context->ino_count; 1302 #endif 1303 } 1304 audit_copy_inode(&context->names[idx], inode); 1305 } 1306 1307 /** 1308 * audit_inode_child - collect inode info for created/removed objects 1309 * @dname: inode's dentry name 1310 * @inode: inode being audited 1311 * @parent: inode of dentry parent 1312 * 1313 * For syscalls that create or remove filesystem objects, audit_inode 1314 * can only collect information for the filesystem object's parent. 1315 * This call updates the audit context with the child's information. 1316 * Syscalls that create a new filesystem object must be hooked after 1317 * the object is created. Syscalls that remove a filesystem object 1318 * must be hooked prior, in order to capture the target inode during 1319 * unsuccessful attempts. 1320 */ 1321 void __audit_inode_child(const char *dname, const struct inode *inode, 1322 const struct inode *parent) 1323 { 1324 int idx; 1325 struct audit_context *context = current->audit_context; 1326 const char *found_name = NULL; 1327 int dirlen = 0; 1328 1329 if (!context->in_syscall) 1330 return; 1331 1332 /* determine matching parent */ 1333 if (!dname) 1334 goto update_context; 1335 for (idx = 0; idx < context->name_count; idx++) 1336 if (context->names[idx].ino == parent->i_ino) { 1337 const char *name = context->names[idx].name; 1338 1339 if (!name) 1340 continue; 1341 1342 if (audit_compare_dname_path(dname, name, &dirlen) == 0) { 1343 context->names[idx].name_len = dirlen; 1344 found_name = name; 1345 break; 1346 } 1347 } 1348 1349 update_context: 1350 idx = context->name_count++; 1351 #if AUDIT_DEBUG 1352 context->ino_count++; 1353 #endif 1354 /* Re-use the name belonging to the slot for a matching parent directory. 1355 * All names for this context are relinquished in audit_free_names() */ 1356 context->names[idx].name = found_name; 1357 context->names[idx].name_len = AUDIT_NAME_FULL; 1358 context->names[idx].name_put = 0; /* don't call __putname() */ 1359 1360 if (!inode) 1361 context->names[idx].ino = (unsigned long)-1; 1362 else 1363 audit_copy_inode(&context->names[idx], inode); 1364 1365 /* A parent was not found in audit_names, so copy the inode data for the 1366 * provided parent. */ 1367 if (!found_name) { 1368 idx = context->name_count++; 1369 #if AUDIT_DEBUG 1370 context->ino_count++; 1371 #endif 1372 audit_copy_inode(&context->names[idx], parent); 1373 } 1374 } 1375 1376 /** 1377 * audit_inode_update - update inode info for last collected name 1378 * @inode: inode being audited 1379 * 1380 * When open() is called on an existing object with the O_CREAT flag, the inode 1381 * data audit initially collects is incorrect. This additional hook ensures 1382 * audit has the inode data for the actual object to be opened. 1383 */ 1384 void __audit_inode_update(const struct inode *inode) 1385 { 1386 struct audit_context *context = current->audit_context; 1387 int idx; 1388 1389 if (!context->in_syscall || !inode) 1390 return; 1391 1392 if (context->name_count == 0) { 1393 context->name_count++; 1394 #if AUDIT_DEBUG 1395 context->ino_count++; 1396 #endif 1397 } 1398 idx = context->name_count - 1; 1399 1400 audit_copy_inode(&context->names[idx], inode); 1401 } 1402 1403 /** 1404 * auditsc_get_stamp - get local copies of audit_context values 1405 * @ctx: audit_context for the task 1406 * @t: timespec to store time recorded in the audit_context 1407 * @serial: serial value that is recorded in the audit_context 1408 * 1409 * Also sets the context as auditable. 1410 */ 1411 void auditsc_get_stamp(struct audit_context *ctx, 1412 struct timespec *t, unsigned int *serial) 1413 { 1414 if (!ctx->serial) 1415 ctx->serial = audit_serial(); 1416 t->tv_sec = ctx->ctime.tv_sec; 1417 t->tv_nsec = ctx->ctime.tv_nsec; 1418 *serial = ctx->serial; 1419 ctx->auditable = 1; 1420 } 1421 1422 /** 1423 * audit_set_loginuid - set a task's audit_context loginuid 1424 * @task: task whose audit context is being modified 1425 * @loginuid: loginuid value 1426 * 1427 * Returns 0. 1428 * 1429 * Called (set) from fs/proc/base.c::proc_loginuid_write(). 1430 */ 1431 int audit_set_loginuid(struct task_struct *task, uid_t loginuid) 1432 { 1433 struct audit_context *context = task->audit_context; 1434 1435 if (context) { 1436 /* Only log if audit is enabled */ 1437 if (context->in_syscall) { 1438 struct audit_buffer *ab; 1439 1440 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN); 1441 if (ab) { 1442 audit_log_format(ab, "login pid=%d uid=%u " 1443 "old auid=%u new auid=%u", 1444 task->pid, task->uid, 1445 context->loginuid, loginuid); 1446 audit_log_end(ab); 1447 } 1448 } 1449 context->loginuid = loginuid; 1450 } 1451 return 0; 1452 } 1453 1454 /** 1455 * audit_get_loginuid - get the loginuid for an audit_context 1456 * @ctx: the audit_context 1457 * 1458 * Returns the context's loginuid or -1 if @ctx is NULL. 1459 */ 1460 uid_t audit_get_loginuid(struct audit_context *ctx) 1461 { 1462 return ctx ? ctx->loginuid : -1; 1463 } 1464 1465 /** 1466 * __audit_mq_open - record audit data for a POSIX MQ open 1467 * @oflag: open flag 1468 * @mode: mode bits 1469 * @u_attr: queue attributes 1470 * 1471 * Returns 0 for success or NULL context or < 0 on error. 1472 */ 1473 int __audit_mq_open(int oflag, mode_t mode, struct mq_attr __user *u_attr) 1474 { 1475 struct audit_aux_data_mq_open *ax; 1476 struct audit_context *context = current->audit_context; 1477 1478 if (!audit_enabled) 1479 return 0; 1480 1481 if (likely(!context)) 1482 return 0; 1483 1484 ax = kmalloc(sizeof(*ax), GFP_ATOMIC); 1485 if (!ax) 1486 return -ENOMEM; 1487 1488 if (u_attr != NULL) { 1489 if (copy_from_user(&ax->attr, u_attr, sizeof(ax->attr))) { 1490 kfree(ax); 1491 return -EFAULT; 1492 } 1493 } else 1494 memset(&ax->attr, 0, sizeof(ax->attr)); 1495 1496 ax->oflag = oflag; 1497 ax->mode = mode; 1498 1499 ax->d.type = AUDIT_MQ_OPEN; 1500 ax->d.next = context->aux; 1501 context->aux = (void *)ax; 1502 return 0; 1503 } 1504 1505 /** 1506 * __audit_mq_timedsend - record audit data for a POSIX MQ timed send 1507 * @mqdes: MQ descriptor 1508 * @msg_len: Message length 1509 * @msg_prio: Message priority 1510 * @u_abs_timeout: Message timeout in absolute time 1511 * 1512 * Returns 0 for success or NULL context or < 0 on error. 1513 */ 1514 int __audit_mq_timedsend(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, 1515 const struct timespec __user *u_abs_timeout) 1516 { 1517 struct audit_aux_data_mq_sendrecv *ax; 1518 struct audit_context *context = current->audit_context; 1519 1520 if (!audit_enabled) 1521 return 0; 1522 1523 if (likely(!context)) 1524 return 0; 1525 1526 ax = kmalloc(sizeof(*ax), GFP_ATOMIC); 1527 if (!ax) 1528 return -ENOMEM; 1529 1530 if (u_abs_timeout != NULL) { 1531 if (copy_from_user(&ax->abs_timeout, u_abs_timeout, sizeof(ax->abs_timeout))) { 1532 kfree(ax); 1533 return -EFAULT; 1534 } 1535 } else 1536 memset(&ax->abs_timeout, 0, sizeof(ax->abs_timeout)); 1537 1538 ax->mqdes = mqdes; 1539 ax->msg_len = msg_len; 1540 ax->msg_prio = msg_prio; 1541 1542 ax->d.type = AUDIT_MQ_SENDRECV; 1543 ax->d.next = context->aux; 1544 context->aux = (void *)ax; 1545 return 0; 1546 } 1547 1548 /** 1549 * __audit_mq_timedreceive - record audit data for a POSIX MQ timed receive 1550 * @mqdes: MQ descriptor 1551 * @msg_len: Message length 1552 * @u_msg_prio: Message priority 1553 * @u_abs_timeout: Message timeout in absolute time 1554 * 1555 * Returns 0 for success or NULL context or < 0 on error. 1556 */ 1557 int __audit_mq_timedreceive(mqd_t mqdes, size_t msg_len, 1558 unsigned int __user *u_msg_prio, 1559 const struct timespec __user *u_abs_timeout) 1560 { 1561 struct audit_aux_data_mq_sendrecv *ax; 1562 struct audit_context *context = current->audit_context; 1563 1564 if (!audit_enabled) 1565 return 0; 1566 1567 if (likely(!context)) 1568 return 0; 1569 1570 ax = kmalloc(sizeof(*ax), GFP_ATOMIC); 1571 if (!ax) 1572 return -ENOMEM; 1573 1574 if (u_msg_prio != NULL) { 1575 if (get_user(ax->msg_prio, u_msg_prio)) { 1576 kfree(ax); 1577 return -EFAULT; 1578 } 1579 } else 1580 ax->msg_prio = 0; 1581 1582 if (u_abs_timeout != NULL) { 1583 if (copy_from_user(&ax->abs_timeout, u_abs_timeout, sizeof(ax->abs_timeout))) { 1584 kfree(ax); 1585 return -EFAULT; 1586 } 1587 } else 1588 memset(&ax->abs_timeout, 0, sizeof(ax->abs_timeout)); 1589 1590 ax->mqdes = mqdes; 1591 ax->msg_len = msg_len; 1592 1593 ax->d.type = AUDIT_MQ_SENDRECV; 1594 ax->d.next = context->aux; 1595 context->aux = (void *)ax; 1596 return 0; 1597 } 1598 1599 /** 1600 * __audit_mq_notify - record audit data for a POSIX MQ notify 1601 * @mqdes: MQ descriptor 1602 * @u_notification: Notification event 1603 * 1604 * Returns 0 for success or NULL context or < 0 on error. 1605 */ 1606 1607 int __audit_mq_notify(mqd_t mqdes, const struct sigevent __user *u_notification) 1608 { 1609 struct audit_aux_data_mq_notify *ax; 1610 struct audit_context *context = current->audit_context; 1611 1612 if (!audit_enabled) 1613 return 0; 1614 1615 if (likely(!context)) 1616 return 0; 1617 1618 ax = kmalloc(sizeof(*ax), GFP_ATOMIC); 1619 if (!ax) 1620 return -ENOMEM; 1621 1622 if (u_notification != NULL) { 1623 if (copy_from_user(&ax->notification, u_notification, sizeof(ax->notification))) { 1624 kfree(ax); 1625 return -EFAULT; 1626 } 1627 } else 1628 memset(&ax->notification, 0, sizeof(ax->notification)); 1629 1630 ax->mqdes = mqdes; 1631 1632 ax->d.type = AUDIT_MQ_NOTIFY; 1633 ax->d.next = context->aux; 1634 context->aux = (void *)ax; 1635 return 0; 1636 } 1637 1638 /** 1639 * __audit_mq_getsetattr - record audit data for a POSIX MQ get/set attribute 1640 * @mqdes: MQ descriptor 1641 * @mqstat: MQ flags 1642 * 1643 * Returns 0 for success or NULL context or < 0 on error. 1644 */ 1645 int __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat) 1646 { 1647 struct audit_aux_data_mq_getsetattr *ax; 1648 struct audit_context *context = current->audit_context; 1649 1650 if (!audit_enabled) 1651 return 0; 1652 1653 if (likely(!context)) 1654 return 0; 1655 1656 ax = kmalloc(sizeof(*ax), GFP_ATOMIC); 1657 if (!ax) 1658 return -ENOMEM; 1659 1660 ax->mqdes = mqdes; 1661 ax->mqstat = *mqstat; 1662 1663 ax->d.type = AUDIT_MQ_GETSETATTR; 1664 ax->d.next = context->aux; 1665 context->aux = (void *)ax; 1666 return 0; 1667 } 1668 1669 /** 1670 * audit_ipc_obj - record audit data for ipc object 1671 * @ipcp: ipc permissions 1672 * 1673 * Returns 0 for success or NULL context or < 0 on error. 1674 */ 1675 int __audit_ipc_obj(struct kern_ipc_perm *ipcp) 1676 { 1677 struct audit_aux_data_ipcctl *ax; 1678 struct audit_context *context = current->audit_context; 1679 1680 ax = kmalloc(sizeof(*ax), GFP_ATOMIC); 1681 if (!ax) 1682 return -ENOMEM; 1683 1684 ax->uid = ipcp->uid; 1685 ax->gid = ipcp->gid; 1686 ax->mode = ipcp->mode; 1687 selinux_get_ipc_sid(ipcp, &ax->osid); 1688 1689 ax->d.type = AUDIT_IPC; 1690 ax->d.next = context->aux; 1691 context->aux = (void *)ax; 1692 return 0; 1693 } 1694 1695 /** 1696 * audit_ipc_set_perm - record audit data for new ipc permissions 1697 * @qbytes: msgq bytes 1698 * @uid: msgq user id 1699 * @gid: msgq group id 1700 * @mode: msgq mode (permissions) 1701 * 1702 * Returns 0 for success or NULL context or < 0 on error. 1703 */ 1704 int __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode) 1705 { 1706 struct audit_aux_data_ipcctl *ax; 1707 struct audit_context *context = current->audit_context; 1708 1709 ax = kmalloc(sizeof(*ax), GFP_ATOMIC); 1710 if (!ax) 1711 return -ENOMEM; 1712 1713 ax->qbytes = qbytes; 1714 ax->uid = uid; 1715 ax->gid = gid; 1716 ax->mode = mode; 1717 1718 ax->d.type = AUDIT_IPC_SET_PERM; 1719 ax->d.next = context->aux; 1720 context->aux = (void *)ax; 1721 return 0; 1722 } 1723 1724 int audit_bprm(struct linux_binprm *bprm) 1725 { 1726 struct audit_aux_data_execve *ax; 1727 struct audit_context *context = current->audit_context; 1728 unsigned long p, next; 1729 void *to; 1730 1731 if (likely(!audit_enabled || !context || context->dummy)) 1732 return 0; 1733 1734 ax = kmalloc(sizeof(*ax) + PAGE_SIZE * MAX_ARG_PAGES - bprm->p, 1735 GFP_KERNEL); 1736 if (!ax) 1737 return -ENOMEM; 1738 1739 ax->argc = bprm->argc; 1740 ax->envc = bprm->envc; 1741 for (p = bprm->p, to = ax->mem; p < MAX_ARG_PAGES*PAGE_SIZE; p = next) { 1742 struct page *page = bprm->page[p / PAGE_SIZE]; 1743 void *kaddr = kmap(page); 1744 next = (p + PAGE_SIZE) & ~(PAGE_SIZE - 1); 1745 memcpy(to, kaddr + (p & (PAGE_SIZE - 1)), next - p); 1746 to += next - p; 1747 kunmap(page); 1748 } 1749 1750 ax->d.type = AUDIT_EXECVE; 1751 ax->d.next = context->aux; 1752 context->aux = (void *)ax; 1753 return 0; 1754 } 1755 1756 1757 /** 1758 * audit_socketcall - record audit data for sys_socketcall 1759 * @nargs: number of args 1760 * @args: args array 1761 * 1762 * Returns 0 for success or NULL context or < 0 on error. 1763 */ 1764 int audit_socketcall(int nargs, unsigned long *args) 1765 { 1766 struct audit_aux_data_socketcall *ax; 1767 struct audit_context *context = current->audit_context; 1768 1769 if (likely(!context || context->dummy)) 1770 return 0; 1771 1772 ax = kmalloc(sizeof(*ax) + nargs * sizeof(unsigned long), GFP_KERNEL); 1773 if (!ax) 1774 return -ENOMEM; 1775 1776 ax->nargs = nargs; 1777 memcpy(ax->args, args, nargs * sizeof(unsigned long)); 1778 1779 ax->d.type = AUDIT_SOCKETCALL; 1780 ax->d.next = context->aux; 1781 context->aux = (void *)ax; 1782 return 0; 1783 } 1784 1785 /** 1786 * audit_sockaddr - record audit data for sys_bind, sys_connect, sys_sendto 1787 * @len: data length in user space 1788 * @a: data address in kernel space 1789 * 1790 * Returns 0 for success or NULL context or < 0 on error. 1791 */ 1792 int audit_sockaddr(int len, void *a) 1793 { 1794 struct audit_aux_data_sockaddr *ax; 1795 struct audit_context *context = current->audit_context; 1796 1797 if (likely(!context || context->dummy)) 1798 return 0; 1799 1800 ax = kmalloc(sizeof(*ax) + len, GFP_KERNEL); 1801 if (!ax) 1802 return -ENOMEM; 1803 1804 ax->len = len; 1805 memcpy(ax->a, a, len); 1806 1807 ax->d.type = AUDIT_SOCKADDR; 1808 ax->d.next = context->aux; 1809 context->aux = (void *)ax; 1810 return 0; 1811 } 1812 1813 /** 1814 * audit_avc_path - record the granting or denial of permissions 1815 * @dentry: dentry to record 1816 * @mnt: mnt to record 1817 * 1818 * Returns 0 for success or NULL context or < 0 on error. 1819 * 1820 * Called from security/selinux/avc.c::avc_audit() 1821 */ 1822 int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt) 1823 { 1824 struct audit_aux_data_path *ax; 1825 struct audit_context *context = current->audit_context; 1826 1827 if (likely(!context)) 1828 return 0; 1829 1830 ax = kmalloc(sizeof(*ax), GFP_ATOMIC); 1831 if (!ax) 1832 return -ENOMEM; 1833 1834 ax->dentry = dget(dentry); 1835 ax->mnt = mntget(mnt); 1836 1837 ax->d.type = AUDIT_AVC_PATH; 1838 ax->d.next = context->aux; 1839 context->aux = (void *)ax; 1840 return 0; 1841 } 1842 1843 /** 1844 * audit_signal_info - record signal info for shutting down audit subsystem 1845 * @sig: signal value 1846 * @t: task being signaled 1847 * 1848 * If the audit subsystem is being terminated, record the task (pid) 1849 * and uid that is doing that. 1850 */ 1851 void __audit_signal_info(int sig, struct task_struct *t) 1852 { 1853 extern pid_t audit_sig_pid; 1854 extern uid_t audit_sig_uid; 1855 extern u32 audit_sig_sid; 1856 1857 if (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1) { 1858 struct task_struct *tsk = current; 1859 struct audit_context *ctx = tsk->audit_context; 1860 audit_sig_pid = tsk->pid; 1861 if (ctx) 1862 audit_sig_uid = ctx->loginuid; 1863 else 1864 audit_sig_uid = tsk->uid; 1865 selinux_get_task_sid(tsk, &audit_sig_sid); 1866 } 1867 } 1868