audit.c 50.8 KB
Newer Older
1
/* audit.c -- Auditing support
L
Linus Torvalds 已提交
2 3 4
 * Gateway between the kernel (e.g., selinux) and the user-space audit daemon.
 * System-call specific features have moved to auditsc.c
 *
S
Steve Grubb 已提交
5
 * Copyright 2003-2007 Red Hat Inc., Durham, North Carolina.
L
Linus Torvalds 已提交
6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
 * All Rights Reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 *
 * Written by Rickard E. (Rik) Faith <faith@redhat.com>
 *
24
 * Goals: 1) Integrate fully with Security Modules.
L
Linus Torvalds 已提交
25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40
 *	  2) Minimal run-time overhead:
 *	     a) Minimal when syscall auditing is disabled (audit_enable=0).
 *	     b) Small when syscall auditing is enabled and no audit record
 *		is generated (defer as much work as possible to record
 *		generation time):
 *		i) context is allocated,
 *		ii) names from getname are stored without a copy, and
 *		iii) inode information stored from path_lookup.
 *	  3) Ability to disable syscall auditing at boot time (audit=0).
 *	  4) Usable by other parts of the kernel (if audit_log* is called,
 *	     then a syscall record will be generated automatically for the
 *	     current syscall).
 *	  5) Netlink interface to user-space.
 *	  6) Support low-overhead kernel-based filtering to minimize the
 *	     information that must be passed to user-space.
 *
41
 * Example user-space utilities: http://people.redhat.com/sgrubb/audit/
L
Linus Torvalds 已提交
42 43 44 45
 */

#include <linux/init.h>
#include <asm/types.h>
A
Arun Sharma 已提交
46
#include <linux/atomic.h>
L
Linus Torvalds 已提交
47
#include <linux/mm.h>
48
#include <linux/export.h>
49
#include <linux/slab.h>
50 51
#include <linux/err.h>
#include <linux/kthread.h>
52
#include <linux/kernel.h>
53
#include <linux/syscalls.h>
L
Linus Torvalds 已提交
54 55 56 57

#include <linux/audit.h>

#include <net/sock.h>
58
#include <net/netlink.h>
L
Linus Torvalds 已提交
59
#include <linux/skbuff.h>
60 61 62
#ifdef CONFIG_SECURITY
#include <linux/security.h>
#endif
63
#include <linux/freezer.h>
M
Miloslav Trmac 已提交
64
#include <linux/tty.h>
65
#include <linux/pid_namespace.h>
66
#include <net/netns/generic.h>
67 68

#include "audit.h"
L
Linus Torvalds 已提交
69

70
/* No auditing will take place until audit_initialized == AUDIT_INITIALIZED.
L
Linus Torvalds 已提交
71
 * (Initialization happens after skb_init is called.) */
72 73 74
#define AUDIT_DISABLED		-1
#define AUDIT_UNINITIALIZED	0
#define AUDIT_INITIALIZED	1
L
Linus Torvalds 已提交
75 76
static int	audit_initialized;

77 78 79
#define AUDIT_OFF	0
#define AUDIT_ON	1
#define AUDIT_LOCKED	2
L
Linus Torvalds 已提交
80
int		audit_enabled;
81
int		audit_ever_enabled;
L
Linus Torvalds 已提交
82

83 84
EXPORT_SYMBOL_GPL(audit_enabled);

L
Linus Torvalds 已提交
85 86 87 88 89 90
/* Default state when kernel boots without any parameters. */
static int	audit_default;

/* If auditing cannot proceed, audit_failure selects what happens. */
static int	audit_failure = AUDIT_FAIL_PRINTK;

91 92
/*
 * If audit records are to be written to the netlink socket, audit_pid
93 94
 * contains the pid of the auditd process and audit_nlk_portid contains
 * the portid to use to send netlink messages to that process.
95
 */
96
int		audit_pid;
97
static __u32	audit_nlk_portid;
L
Linus Torvalds 已提交
98

99
/* If audit_rate_limit is non-zero, limit the rate of sending audit records
L
Linus Torvalds 已提交
100 101 102 103
 * to that number per second.  This prevents DoS attacks, but results in
 * audit records being dropped. */
static int	audit_rate_limit;

104 105
/* Number of outstanding audit_buffers allowed.
 * When set to zero, this means unlimited. */
L
Linus Torvalds 已提交
106
static int	audit_backlog_limit = 64;
107 108
#define AUDIT_BACKLOG_WAIT_TIME (60 * HZ)
static int	audit_backlog_wait_time = AUDIT_BACKLOG_WAIT_TIME;
109
static int	audit_backlog_wait_overflow = 0;
L
Linus Torvalds 已提交
110

111
/* The identity of the user shutting down the audit system. */
112
kuid_t		audit_sig_uid = INVALID_UID;
113
pid_t		audit_sig_pid = -1;
114
u32		audit_sig_sid = 0;
115

L
Linus Torvalds 已提交
116 117 118 119 120 121 122 123 124 125 126
/* Records can be lost in several ways:
   0) [suppressed in audit_alloc]
   1) out of memory in audit_log_start [kmalloc of struct audit_buffer]
   2) out of memory in audit_log_move [alloc_skb]
   3) suppressed due to audit_rate_limit
   4) suppressed due to audit_backlog_limit
*/
static atomic_t    audit_lost = ATOMIC_INIT(0);

/* The netlink socket. */
static struct sock *audit_sock;
127
int audit_net_id;
L
Linus Torvalds 已提交
128

A
Amy Griffis 已提交
129 130 131
/* Hash for inode-based rules */
struct list_head audit_inode_hash[AUDIT_INODE_BUCKETS];

132
/* The audit_freelist is a list of pre-allocated audit buffers (if more
L
Linus Torvalds 已提交
133 134 135
 * than AUDIT_MAXFREE are in use, the audit buffer is freed instead of
 * being placed on the freelist). */
static DEFINE_SPINLOCK(audit_freelist_lock);
136
static int	   audit_freelist_count;
L
Linus Torvalds 已提交
137 138
static LIST_HEAD(audit_freelist);

139
static struct sk_buff_head audit_skb_queue;
140 141
/* queue of skbs to send to auditd when/if it comes back */
static struct sk_buff_head audit_skb_hold_queue;
142 143
static struct task_struct *kauditd_task;
static DECLARE_WAIT_QUEUE_HEAD(kauditd_wait);
144
static DECLARE_WAIT_QUEUE_HEAD(audit_backlog_wait);
L
Linus Torvalds 已提交
145

146 147 148 149 150
static struct audit_features af = {.vers = AUDIT_FEATURE_VERSION,
				   .mask = -1,
				   .features = 0,
				   .lock = 0,};

151
static char *audit_feature_names[2] = {
152
	"only_unset_loginuid",
153
	"loginuid_immutable",
154 155 156
};


A
Amy Griffis 已提交
157
/* Serialize requests from userspace. */
A
Al Viro 已提交
158
DEFINE_MUTEX(audit_cmd_mutex);
L
Linus Torvalds 已提交
159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175

/* AUDIT_BUFSIZ is the size of the temporary buffer used for formatting
 * audit records.  Since printk uses a 1024 byte buffer, this buffer
 * should be at least that large. */
#define AUDIT_BUFSIZ 1024

/* AUDIT_MAXFREE is the number of empty audit_buffers we keep on the
 * audit_freelist.  Doing so eliminates many kmalloc/kfree calls. */
#define AUDIT_MAXFREE  (2*NR_CPUS)

/* The audit_buffer is used when formatting an audit record.  The caller
 * locks briefly to get the record off the freelist or to allocate the
 * buffer, and locks briefly to send the buffer to the netlink layer or
 * to place it on a transmit queue.  Multiple audit_buffers can be in
 * use simultaneously. */
struct audit_buffer {
	struct list_head     list;
176
	struct sk_buff       *skb;	/* formatted skb ready to send */
L
Linus Torvalds 已提交
177
	struct audit_context *ctx;	/* NULL or associated context */
A
Al Viro 已提交
178
	gfp_t		     gfp_mask;
L
Linus Torvalds 已提交
179 180
};

181
struct audit_reply {
182
	__u32 portid;
183
	pid_t pid;
184 185 186
	struct sk_buff *skb;
};

187
static void audit_set_portid(struct audit_buffer *ab, __u32 portid)
188
{
189 190
	if (ab) {
		struct nlmsghdr *nlh = nlmsg_hdr(ab->skb);
191
		nlh->nlmsg_pid = portid;
192
	}
193 194
}

195
void audit_panic(const char *message)
L
Linus Torvalds 已提交
196 197 198 199 200 201
{
	switch (audit_failure)
	{
	case AUDIT_FAIL_SILENT:
		break;
	case AUDIT_FAIL_PRINTK:
202 203
		if (printk_ratelimit())
			printk(KERN_ERR "audit: %s\n", message);
L
Linus Torvalds 已提交
204 205
		break;
	case AUDIT_FAIL_PANIC:
206 207 208
		/* test audit_pid since printk is always losey, why bother? */
		if (audit_pid)
			panic("audit: %s\n", message);
L
Linus Torvalds 已提交
209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241
		break;
	}
}

static inline int audit_rate_check(void)
{
	static unsigned long	last_check = 0;
	static int		messages   = 0;
	static DEFINE_SPINLOCK(lock);
	unsigned long		flags;
	unsigned long		now;
	unsigned long		elapsed;
	int			retval	   = 0;

	if (!audit_rate_limit) return 1;

	spin_lock_irqsave(&lock, flags);
	if (++messages < audit_rate_limit) {
		retval = 1;
	} else {
		now     = jiffies;
		elapsed = now - last_check;
		if (elapsed > HZ) {
			last_check = now;
			messages   = 0;
			retval     = 1;
		}
	}
	spin_unlock_irqrestore(&lock, flags);

	return retval;
}

242 243 244 245 246 247 248 249
/**
 * audit_log_lost - conditionally log lost audit message event
 * @message: the message stating reason for lost audit message
 *
 * Emit at least 1 message per second, even if audit_rate_check is
 * throttling.
 * Always increment the lost messages counter.
*/
L
Linus Torvalds 已提交
250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272
void audit_log_lost(const char *message)
{
	static unsigned long	last_msg = 0;
	static DEFINE_SPINLOCK(lock);
	unsigned long		flags;
	unsigned long		now;
	int			print;

	atomic_inc(&audit_lost);

	print = (audit_failure == AUDIT_FAIL_PANIC || !audit_rate_limit);

	if (!print) {
		spin_lock_irqsave(&lock, flags);
		now = jiffies;
		if (now - last_msg > HZ) {
			print = 1;
			last_msg = now;
		}
		spin_unlock_irqrestore(&lock, flags);
	}

	if (print) {
273 274 275 276 277 278 279
		if (printk_ratelimit())
			printk(KERN_WARNING
				"audit: audit_lost=%d audit_rate_limit=%d "
				"audit_backlog_limit=%d\n",
				atomic_read(&audit_lost),
				audit_rate_limit,
				audit_backlog_limit);
L
Linus Torvalds 已提交
280 281 282 283
		audit_panic(message);
	}
}

284
static int audit_log_config_change(char *function_name, int new, int old,
285
				   int allow_changes)
L
Linus Torvalds 已提交
286
{
287 288
	struct audit_buffer *ab;
	int rc = 0;
289

290
	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
291 292
	if (unlikely(!ab))
		return rc;
E
Eric Paris 已提交
293 294
	audit_log_format(ab, "%s=%d old=%d", function_name, new, old);
	audit_log_session_info(ab);
295 296 297
	rc = audit_log_task_context(ab);
	if (rc)
		allow_changes = 0; /* Something weird, deny request */
298 299
	audit_log_format(ab, " res=%d", allow_changes);
	audit_log_end(ab);
S
Steve Grubb 已提交
300
	return rc;
L
Linus Torvalds 已提交
301 302
}

303
static int audit_do_config_change(char *function_name, int *to_change, int new)
L
Linus Torvalds 已提交
304
{
305
	int allow_changes, rc = 0, old = *to_change;
S
Steve Grubb 已提交
306 307

	/* check if we are locked */
308 309
	if (audit_enabled == AUDIT_LOCKED)
		allow_changes = 0;
S
Steve Grubb 已提交
310
	else
311
		allow_changes = 1;
312

313
	if (audit_enabled != AUDIT_OFF) {
314
		rc = audit_log_config_change(function_name, new, old, allow_changes);
315 316
		if (rc)
			allow_changes = 0;
S
Steve Grubb 已提交
317 318 319
	}

	/* If we are allowed, make the change */
320 321
	if (allow_changes == 1)
		*to_change = new;
S
Steve Grubb 已提交
322 323 324 325
	/* Not allowed, update reason */
	else if (rc == 0)
		rc = -EPERM;
	return rc;
L
Linus Torvalds 已提交
326 327
}

328
static int audit_set_rate_limit(int limit)
L
Linus Torvalds 已提交
329
{
330
	return audit_do_config_change("audit_rate_limit", &audit_rate_limit, limit);
331
}
332

333
static int audit_set_backlog_limit(int limit)
334
{
335
	return audit_do_config_change("audit_backlog_limit", &audit_backlog_limit, limit);
336
}
S
Steve Grubb 已提交
337

338 339 340 341 342 343
static int audit_set_backlog_wait_time(int timeout)
{
	return audit_do_config_change("audit_backlog_wait_time",
				      &audit_backlog_wait_time, timeout);
}

344
static int audit_set_enabled(int state)
345
{
346
	int rc;
347 348
	if (state < AUDIT_OFF || state > AUDIT_LOCKED)
		return -EINVAL;
S
Steve Grubb 已提交
349

350
	rc =  audit_do_config_change("audit_enabled", &audit_enabled, state);
351 352 353 354
	if (!rc)
		audit_ever_enabled |= !!state;

	return rc;
L
Linus Torvalds 已提交
355 356
}

357
static int audit_set_failure(int state)
L
Linus Torvalds 已提交
358 359 360 361 362
{
	if (state != AUDIT_FAIL_SILENT
	    && state != AUDIT_FAIL_PRINTK
	    && state != AUDIT_FAIL_PANIC)
		return -EINVAL;
363

364
	return audit_do_config_change("audit_failure", &audit_failure, state);
L
Linus Torvalds 已提交
365 366
}

367 368 369 370 371 372 373 374 375 376 377 378
/*
 * Queue skbs to be sent to auditd when/if it comes back.  These skbs should
 * already have been sent via prink/syslog and so if these messages are dropped
 * it is not a huge concern since we already passed the audit_log_lost()
 * notification and stuff.  This is just nice to get audit messages during
 * boot before auditd is running or messages generated while auditd is stopped.
 * This only holds messages is audit_default is set, aka booting with audit=1
 * or building your kernel that way.
 */
static void audit_hold_skb(struct sk_buff *skb)
{
	if (audit_default &&
379 380
	    (!audit_backlog_limit ||
	     skb_queue_len(&audit_skb_hold_queue) < audit_backlog_limit))
381 382 383 384 385
		skb_queue_tail(&audit_skb_hold_queue, skb);
	else
		kfree_skb(skb);
}

386 387 388 389 390 391 392
/*
 * For one reason or another this nlh isn't getting delivered to the userspace
 * audit daemon, just send it to printk.
 */
static void audit_printk_skb(struct sk_buff *skb)
{
	struct nlmsghdr *nlh = nlmsg_hdr(skb);
393
	char *data = nlmsg_data(nlh);
394 395 396 397 398 399 400 401 402 403 404

	if (nlh->nlmsg_type != AUDIT_EOE) {
		if (printk_ratelimit())
			printk(KERN_NOTICE "type=%d %s\n", nlh->nlmsg_type, data);
		else
			audit_log_lost("printk limit exceeded\n");
	}

	audit_hold_skb(skb);
}

405 406 407 408 409
static void kauditd_send_skb(struct sk_buff *skb)
{
	int err;
	/* take a reference in case we can't send it and we want to hold it */
	skb_get(skb);
410
	err = netlink_unicast(audit_sock, skb, audit_nlk_portid, 0);
411
	if (err < 0) {
412
		BUG_ON(err != -ECONNREFUSED); /* Shouldn't happen */
413 414 415 416 417 418
		if (audit_pid) {
			printk(KERN_ERR "audit: *NO* daemon at audit_pid=%d\n", audit_pid);
			audit_log_lost("auditd disappeared\n");
			audit_pid = 0;
			audit_sock = NULL;
		}
419 420 421 422
		/* we might get lucky and get this in the next auditd */
		audit_hold_skb(skb);
	} else
		/* drop the extra reference if sent ok */
423
		consume_skb(skb);
424 425
}

426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441
/*
 * flush_hold_queue - empty the hold queue if auditd appears
 *
 * If auditd just started, drain the queue of messages already
 * sent to syslog/printk.  Remember loss here is ok.  We already
 * called audit_log_lost() if it didn't go out normally.  so the
 * race between the skb_dequeue and the next check for audit_pid
 * doesn't matter.
 *
 * If you ever find kauditd to be too slow we can get a perf win
 * by doing our own locking and keeping better track if there
 * are messages in this queue.  I don't see the need now, but
 * in 5 years when I want to play with this again I'll see this
 * note and still have no friggin idea what i'm thinking today.
 */
static void flush_hold_queue(void)
442 443 444
{
	struct sk_buff *skb;

445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464
	if (!audit_default || !audit_pid)
		return;

	skb = skb_dequeue(&audit_skb_hold_queue);
	if (likely(!skb))
		return;

	while (skb && audit_pid) {
		kauditd_send_skb(skb);
		skb = skb_dequeue(&audit_skb_hold_queue);
	}

	/*
	 * if auditd just disappeared but we
	 * dequeued an skb we need to drop ref
	 */
	if (skb)
		consume_skb(skb);
}

A
Adrian Bunk 已提交
465
static int kauditd_thread(void *dummy)
466
{
467
	set_freezable();
A
Andrew Morton 已提交
468
	while (!kthread_should_stop()) {
469 470 471
		struct sk_buff *skb;
		DECLARE_WAITQUEUE(wait, current);

472
		flush_hold_queue();
473

474
		skb = skb_dequeue(&audit_skb_queue);
475

476
		if (skb) {
477 478
			if (skb_queue_len(&audit_skb_queue) <= audit_backlog_limit)
				wake_up(&audit_backlog_wait);
479 480
			if (audit_pid)
				kauditd_send_skb(skb);
481 482
			else
				audit_printk_skb(skb);
483 484 485 486
			continue;
		}
		set_current_state(TASK_INTERRUPTIBLE);
		add_wait_queue(&kauditd_wait, &wait);
487

488 489 490
		if (!skb_queue_len(&audit_skb_queue)) {
			try_to_freeze();
			schedule();
491
		}
492 493 494

		__set_current_state(TASK_RUNNING);
		remove_wait_queue(&kauditd_wait, &wait);
495
	}
A
Andrew Morton 已提交
496
	return 0;
497 498
}

499 500 501 502
int audit_send_list(void *_dest)
{
	struct audit_netlink_list *dest = _dest;
	struct sk_buff *skb;
503 504
	struct net *net = get_net_ns_by_pid(dest->pid);
	struct audit_net *aunet = net_generic(net, audit_net_id);
505 506

	/* wait for parent to finish and send an ACK */
A
Amy Griffis 已提交
507 508
	mutex_lock(&audit_cmd_mutex);
	mutex_unlock(&audit_cmd_mutex);
509 510

	while ((skb = __skb_dequeue(&dest->q)) != NULL)
511
		netlink_unicast(aunet->nlsk, skb, dest->portid, 0);
512 513 514 515 516 517

	kfree(dest);

	return 0;
}

518
struct sk_buff *audit_make_reply(__u32 portid, int seq, int type, int done,
S
Stephen Hemminger 已提交
519
				 int multi, const void *payload, int size)
520 521 522 523 524 525 526
{
	struct sk_buff	*skb;
	struct nlmsghdr	*nlh;
	void		*data;
	int		flags = multi ? NLM_F_MULTI : 0;
	int		t     = done  ? NLMSG_DONE  : type;

527
	skb = nlmsg_new(size, GFP_KERNEL);
528 529 530
	if (!skb)
		return NULL;

531
	nlh	= nlmsg_put(skb, portid, seq, t, size, flags);
532 533 534
	if (!nlh)
		goto out_kfree_skb;
	data = nlmsg_data(nlh);
535 536 537
	memcpy(data, payload, size);
	return skb;

538 539
out_kfree_skb:
	kfree_skb(skb);
540 541 542
	return NULL;
}

543 544 545
static int audit_send_reply_thread(void *arg)
{
	struct audit_reply *reply = (struct audit_reply *)arg;
546 547
	struct net *net = get_net_ns_by_pid(reply->pid);
	struct audit_net *aunet = net_generic(net, audit_net_id);
548 549 550 551 552 553

	mutex_lock(&audit_cmd_mutex);
	mutex_unlock(&audit_cmd_mutex);

	/* Ignore failure. It'll only happen if the sender goes away,
	   because our timeout is set to infinite. */
554
	netlink_unicast(aunet->nlsk , reply->skb, reply->portid, 0);
555 556 557
	kfree(reply);
	return 0;
}
558 559
/**
 * audit_send_reply - send an audit reply message via netlink
560
 * @portid: netlink port to which to send reply
561 562 563 564 565 566 567
 * @seq: sequence number
 * @type: audit message type
 * @done: done (last) flag
 * @multi: multi-part message flag
 * @payload: payload data
 * @size: payload size
 *
568
 * Allocates an skb, builds the netlink message, and sends it to the port id.
569 570
 * No failure notifications.
 */
571 572
static void audit_send_reply(__u32 portid, int seq, int type, int done,
			     int multi, const void *payload, int size)
L
Linus Torvalds 已提交
573
{
574 575 576 577 578 579 580 581
	struct sk_buff *skb;
	struct task_struct *tsk;
	struct audit_reply *reply = kmalloc(sizeof(struct audit_reply),
					    GFP_KERNEL);

	if (!reply)
		return;

582
	skb = audit_make_reply(portid, seq, type, done, multi, payload, size);
L
Linus Torvalds 已提交
583
	if (!skb)
584
		goto out;
585

586
	reply->portid = portid;
587
	reply->pid = task_pid_vnr(current);
588 589 590
	reply->skb = skb;

	tsk = kthread_run(audit_send_reply_thread, reply, "audit_send_reply");
591 592 593 594 595
	if (!IS_ERR(tsk))
		return;
	kfree_skb(skb);
out:
	kfree(reply);
L
Linus Torvalds 已提交
596 597 598 599 600 601
}

/*
 * Check for appropriate CAP_AUDIT_ capabilities on incoming audit
 * control messages.
 */
602
static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
L
Linus Torvalds 已提交
603 604 605
{
	int err = 0;

606 607 608 609 610
	/* Only support the initial namespaces for now. */
	if ((current_user_ns() != &init_user_ns) ||
	    (task_active_pid_ns(current) != &init_pid_ns))
		return -EPERM;

L
Linus Torvalds 已提交
611 612 613 614
	switch (msg_type) {
	case AUDIT_LIST:
	case AUDIT_ADD:
	case AUDIT_DEL:
615 616 617
		return -EOPNOTSUPP;
	case AUDIT_GET:
	case AUDIT_SET:
618 619
	case AUDIT_GET_FEATURE:
	case AUDIT_SET_FEATURE:
620 621
	case AUDIT_LIST_RULES:
	case AUDIT_ADD_RULE:
622
	case AUDIT_DEL_RULE:
623
	case AUDIT_SIGNAL_INFO:
M
Miloslav Trmac 已提交
624 625
	case AUDIT_TTY_GET:
	case AUDIT_TTY_SET:
A
Al Viro 已提交
626 627
	case AUDIT_TRIM:
	case AUDIT_MAKE_EQUIV:
628
		if (!capable(CAP_AUDIT_CONTROL))
L
Linus Torvalds 已提交
629 630
			err = -EPERM;
		break;
631
	case AUDIT_USER:
632 633
	case AUDIT_FIRST_USER_MSG ... AUDIT_LAST_USER_MSG:
	case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2:
634
		if (!capable(CAP_AUDIT_WRITE))
L
Linus Torvalds 已提交
635 636 637 638 639 640 641 642 643
			err = -EPERM;
		break;
	default:  /* bad msg */
		err = -EINVAL;
	}

	return err;
}

644
static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type)
645 646
{
	int rc = 0;
647
	uid_t uid = from_kuid(&init_user_ns, current_uid());
648

649
	if (!audit_enabled && msg_type != AUDIT_USER_AVC) {
650 651 652 653 654
		*ab = NULL;
		return rc;
	}

	*ab = audit_log_start(NULL, GFP_KERNEL, msg_type);
655 656
	if (unlikely(!*ab))
		return rc;
E
Eric Paris 已提交
657 658
	audit_log_format(*ab, "pid=%d uid=%u", task_tgid_vnr(current), uid);
	audit_log_session_info(*ab);
659
	audit_log_task_context(*ab);
660 661 662 663

	return rc;
}

664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686
int is_audit_feature_set(int i)
{
	return af.features & AUDIT_FEATURE_TO_MASK(i);
}


static int audit_get_feature(struct sk_buff *skb)
{
	u32 seq;

	seq = nlmsg_hdr(skb)->nlmsg_seq;

	audit_send_reply(NETLINK_CB(skb).portid, seq, AUDIT_GET, 0, 0,
			 &af, sizeof(af));

	return 0;
}

static void audit_log_feature_change(int which, u32 old_feature, u32 new_feature,
				     u32 old_lock, u32 new_lock, int res)
{
	struct audit_buffer *ab;

687 688 689
	if (audit_enabled == AUDIT_OFF)
		return;

690
	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_FEATURE_CHANGE);
691
	audit_log_format(ab, "feature=%s old=%d new=%d old_lock=%d new_lock=%d res=%d",
692 693 694 695 696 697 698 699 700 701 702 703 704 705 706 707 708 709 710 711 712 713 714 715 716 717 718 719 720
			 audit_feature_names[which], !!old_feature, !!new_feature,
			 !!old_lock, !!new_lock, res);
	audit_log_end(ab);
}

static int audit_set_feature(struct sk_buff *skb)
{
	struct audit_features *uaf;
	int i;

	BUILD_BUG_ON(AUDIT_LAST_FEATURE + 1 > sizeof(audit_feature_names)/sizeof(audit_feature_names[0]));
	uaf = nlmsg_data(nlmsg_hdr(skb));

	/* if there is ever a version 2 we should handle that here */

	for (i = 0; i <= AUDIT_LAST_FEATURE; i++) {
		u32 feature = AUDIT_FEATURE_TO_MASK(i);
		u32 old_feature, new_feature, old_lock, new_lock;

		/* if we are not changing this feature, move along */
		if (!(feature & uaf->mask))
			continue;

		old_feature = af.features & feature;
		new_feature = uaf->features & feature;
		new_lock = (uaf->lock | af.lock) & feature;
		old_lock = af.lock & feature;

		/* are we changing a locked feature? */
721
		if (old_lock && (new_feature != old_feature)) {
722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 754
			audit_log_feature_change(i, old_feature, new_feature,
						 old_lock, new_lock, 0);
			return -EPERM;
		}
	}
	/* nothing invalid, do the changes */
	for (i = 0; i <= AUDIT_LAST_FEATURE; i++) {
		u32 feature = AUDIT_FEATURE_TO_MASK(i);
		u32 old_feature, new_feature, old_lock, new_lock;

		/* if we are not changing this feature, move along */
		if (!(feature & uaf->mask))
			continue;

		old_feature = af.features & feature;
		new_feature = uaf->features & feature;
		old_lock = af.lock & feature;
		new_lock = (uaf->lock | af.lock) & feature;

		if (new_feature != old_feature)
			audit_log_feature_change(i, old_feature, new_feature,
						 old_lock, new_lock, 1);

		if (new_feature)
			af.features |= feature;
		else
			af.features &= ~feature;
		af.lock |= new_lock;
	}

	return 0;
}

L
Linus Torvalds 已提交
755 756
static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
{
757
	u32			seq;
L
Linus Torvalds 已提交
758 759
	void			*data;
	int			err;
760
	struct audit_buffer	*ab;
L
Linus Torvalds 已提交
761
	u16			msg_type = nlh->nlmsg_type;
762
	struct audit_sig_info   *sig_data;
763
	char			*ctx = NULL;
764
	u32			len;
L
Linus Torvalds 已提交
765

766
	err = audit_netlink_ok(skb, msg_type);
L
Linus Torvalds 已提交
767 768 769
	if (err)
		return err;

770 771
	/* As soon as there's any sign of userspace auditd,
	 * start kauditd to talk to it */
772
	if (!kauditd_task) {
773
		kauditd_task = kthread_run(kauditd_thread, NULL, "kauditd");
774 775 776 777 778
		if (IS_ERR(kauditd_task)) {
			err = PTR_ERR(kauditd_task);
			kauditd_task = NULL;
			return err;
		}
779
	}
L
Linus Torvalds 已提交
780
	seq  = nlh->nlmsg_seq;
781
	data = nlmsg_data(nlh);
L
Linus Torvalds 已提交
782 783

	switch (msg_type) {
784 785 786 787 788 789 790 791 792 793
	case AUDIT_GET: {
		struct audit_status	s;
		memset(&s, 0, sizeof(s));
		s.enabled		= audit_enabled;
		s.failure		= audit_failure;
		s.pid			= audit_pid;
		s.rate_limit		= audit_rate_limit;
		s.backlog_limit		= audit_backlog_limit;
		s.lost			= atomic_read(&audit_lost);
		s.backlog		= skb_queue_len(&audit_skb_queue);
794 795
		s.version		= 2;
		s.backlog_wait_time	= audit_backlog_wait_time;
796
		audit_send_reply(NETLINK_CB(skb).portid, seq, AUDIT_GET, 0, 0,
797
				 &s, sizeof(s));
L
Linus Torvalds 已提交
798
		break;
799 800 801 802 803 804 805 806
	}
	case AUDIT_SET: {
		struct audit_status	s;
		memset(&s, 0, sizeof(s));
		/* guard against past and future API changes */
		memcpy(&s, data, min_t(size_t, sizeof(s), nlmsg_len(nlh)));
		if (s.mask & AUDIT_STATUS_ENABLED) {
			err = audit_set_enabled(s.enabled);
807 808
			if (err < 0)
				return err;
L
Linus Torvalds 已提交
809
		}
810 811
		if (s.mask & AUDIT_STATUS_FAILURE) {
			err = audit_set_failure(s.failure);
812 813
			if (err < 0)
				return err;
L
Linus Torvalds 已提交
814
		}
815 816
		if (s.mask & AUDIT_STATUS_PID) {
			int new_pid = s.pid;
817

818 819
			if ((!new_pid) && (task_tgid_vnr(current) != audit_pid))
				return -EACCES;
820
			if (audit_enabled != AUDIT_OFF)
821
				audit_log_config_change("audit_pid", new_pid, audit_pid, 1);
822
			audit_pid = new_pid;
823
			audit_nlk_portid = NETLINK_CB(skb).portid;
824
			audit_sock = NETLINK_CB(skb).sk;
L
Linus Torvalds 已提交
825
		}
826 827
		if (s.mask & AUDIT_STATUS_RATE_LIMIT) {
			err = audit_set_rate_limit(s.rate_limit);
828 829 830
			if (err < 0)
				return err;
		}
831
		if (s.mask & AUDIT_STATUS_BACKLOG_LIMIT) {
832
			err = audit_set_backlog_limit(s.backlog_limit);
833 834 835 836 837 838 839 840 841 842 843 844 845 846 847 848 849 850 851 852
			if (err < 0)
				return err;
		}
		switch (s.version) {
		/* add future vers # cases immediately below and allow
		 * to fall through */
		case 2:
			if (s.mask & AUDIT_STATUS_BACKLOG_WAIT_TIME) {
				if (sizeof(s) > (size_t)nlh->nlmsg_len)
					return -EINVAL;
				if (s.backlog_wait_time < 0 ||
				    s.backlog_wait_time > 10*AUDIT_BACKLOG_WAIT_TIME)
					return -EINVAL;
				err = audit_set_backlog_wait_time(s.backlog_wait_time);
				if (err < 0)
					return err;
			}
		default:
			break;
		}
L
Linus Torvalds 已提交
853
		break;
854
	}
855 856 857 858 859 860 861 862 863 864
	case AUDIT_GET_FEATURE:
		err = audit_get_feature(skb);
		if (err)
			return err;
		break;
	case AUDIT_SET_FEATURE:
		err = audit_set_feature(skb);
		if (err)
			return err;
		break;
865
	case AUDIT_USER:
866 867
	case AUDIT_FIRST_USER_MSG ... AUDIT_LAST_USER_MSG:
	case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2:
868 869 870
		if (!audit_enabled && msg_type != AUDIT_USER_AVC)
			return 0;

871
		err = audit_filter_user(msg_type);
872 873
		if (err == 1) {
			err = 0;
M
Miloslav Trmac 已提交
874
			if (msg_type == AUDIT_USER_TTY) {
875
				err = tty_audit_push_current();
M
Miloslav Trmac 已提交
876 877 878
				if (err)
					break;
			}
879
			audit_log_common_recv_msg(&ab, msg_type);
880
			if (msg_type != AUDIT_USER_TTY)
881 882
				audit_log_format(ab, " msg='%.*s'",
						 AUDIT_MESSAGE_TEXT_MAX,
883 884 885 886
						 (char *)data);
			else {
				int size;

887
				audit_log_format(ab, " data=");
888
				size = nlmsg_len(nlh);
889 890 891
				if (size > 0 &&
				    ((unsigned char *)data)[size - 1] == '\0')
					size--;
892
				audit_log_n_untrustedstring(ab, data, size);
893
			}
894
			audit_set_portid(ab, NETLINK_CB(skb).portid);
895
			audit_log_end(ab);
896
		}
L
Linus Torvalds 已提交
897
		break;
898 899 900 901
	case AUDIT_ADD_RULE:
	case AUDIT_DEL_RULE:
		if (nlmsg_len(nlh) < sizeof(struct audit_rule_data))
			return -EINVAL;
902
		if (audit_enabled == AUDIT_LOCKED) {
903 904
			audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE);
			audit_log_format(ab, " audit_enabled=%d res=0", audit_enabled);
905
			audit_log_end(ab);
S
Steve Grubb 已提交
906 907
			return -EPERM;
		}
908
		err = audit_rule_change(msg_type, NETLINK_CB(skb).portid,
909
					   seq, data, nlmsg_len(nlh));
L
Linus Torvalds 已提交
910
		break;
911 912 913
	case AUDIT_LIST_RULES:
		err = audit_list_rules_send(NETLINK_CB(skb).portid, seq);
		break;
A
Al Viro 已提交
914 915
	case AUDIT_TRIM:
		audit_trim_trees();
916
		audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE);
A
Al Viro 已提交
917 918 919 920 921 922
		audit_log_format(ab, " op=trim res=1");
		audit_log_end(ab);
		break;
	case AUDIT_MAKE_EQUIV: {
		void *bufp = data;
		u32 sizes[2];
923
		size_t msglen = nlmsg_len(nlh);
A
Al Viro 已提交
924 925 926
		char *old, *new;

		err = -EINVAL;
927
		if (msglen < 2 * sizeof(u32))
A
Al Viro 已提交
928 929 930
			break;
		memcpy(sizes, bufp, 2 * sizeof(u32));
		bufp += 2 * sizeof(u32);
931 932
		msglen -= 2 * sizeof(u32);
		old = audit_unpack_string(&bufp, &msglen, sizes[0]);
A
Al Viro 已提交
933 934 935 936
		if (IS_ERR(old)) {
			err = PTR_ERR(old);
			break;
		}
937
		new = audit_unpack_string(&bufp, &msglen, sizes[1]);
A
Al Viro 已提交
938 939 940 941 942 943 944 945
		if (IS_ERR(new)) {
			err = PTR_ERR(new);
			kfree(old);
			break;
		}
		/* OK, here comes... */
		err = audit_tag_tree(old, new);

946
		audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE);
947

A
Al Viro 已提交
948 949 950 951 952 953 954 955 956 957
		audit_log_format(ab, " op=make_equiv old=");
		audit_log_untrustedstring(ab, old);
		audit_log_format(ab, " new=");
		audit_log_untrustedstring(ab, new);
		audit_log_format(ab, " res=%d", !err);
		audit_log_end(ab);
		kfree(old);
		kfree(new);
		break;
	}
958
	case AUDIT_SIGNAL_INFO:
959 960 961 962 963 964
		len = 0;
		if (audit_sig_sid) {
			err = security_secid_to_secctx(audit_sig_sid, &ctx, &len);
			if (err)
				return err;
		}
965 966
		sig_data = kmalloc(sizeof(*sig_data) + len, GFP_KERNEL);
		if (!sig_data) {
967 968
			if (audit_sig_sid)
				security_release_secctx(ctx, len);
969 970
			return -ENOMEM;
		}
971
		sig_data->uid = from_kuid(&init_user_ns, audit_sig_uid);
972
		sig_data->pid = audit_sig_pid;
973 974 975 976
		if (audit_sig_sid) {
			memcpy(sig_data->ctx, ctx, len);
			security_release_secctx(ctx, len);
		}
977
		audit_send_reply(NETLINK_CB(skb).portid, seq, AUDIT_SIGNAL_INFO,
978 979
				0, 0, sig_data, sizeof(*sig_data) + len);
		kfree(sig_data);
980
		break;
M
Miloslav Trmac 已提交
981 982
	case AUDIT_TTY_GET: {
		struct audit_tty_status s;
983 984
		struct task_struct *tsk = current;

985
		spin_lock(&tsk->sighand->siglock);
986
		s.enabled = tsk->signal->audit_tty;
987
		s.log_passwd = tsk->signal->audit_tty_log_passwd;
988
		spin_unlock(&tsk->sighand->siglock);
989

990
		audit_send_reply(NETLINK_CB(skb).portid, seq,
991
				 AUDIT_TTY_GET, 0, 0, &s, sizeof(s));
M
Miloslav Trmac 已提交
992 993 994
		break;
	}
	case AUDIT_TTY_SET: {
995
		struct audit_tty_status s, old;
996
		struct task_struct *tsk = current;
997 998 999 1000 1001 1002 1003
		struct audit_buffer	*ab;
		int res = 0;

		spin_lock(&tsk->sighand->siglock);
		old.enabled = tsk->signal->audit_tty;
		old.log_passwd = tsk->signal->audit_tty_log_passwd;
		spin_unlock(&tsk->sighand->siglock);
M
Miloslav Trmac 已提交
1004

1005 1006
		memset(&s, 0, sizeof(s));
		/* guard against past and future API changes */
1007
		memcpy(&s, data, min_t(size_t, sizeof(s), nlmsg_len(nlh)));
1008 1009 1010 1011 1012 1013 1014 1015 1016 1017 1018 1019 1020 1021 1022 1023 1024 1025
		if ((s.enabled == 0 || s.enabled == 1) &&
		    (s.log_passwd == 0 || s.log_passwd == 1))
			res = 1;
		audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE);
		audit_log_format(ab, " op=tty_set"
				 " old-enabled=%d old-log_passwd=%d"
				 " new-enabled=%d new-log_passwd=%d"
				 " res=%d",
				 old.enabled, old.log_passwd,
				 s.enabled, s.log_passwd,
				 res);
		audit_log_end(ab);
		if (res) {
			spin_lock(&tsk->sighand->siglock);
			tsk->signal->audit_tty = s.enabled;
			tsk->signal->audit_tty_log_passwd = s.log_passwd;
			spin_unlock(&tsk->sighand->siglock);
		} else
M
Miloslav Trmac 已提交
1026 1027 1028
			return -EINVAL;
		break;
	}
L
Linus Torvalds 已提交
1029 1030 1031 1032 1033 1034 1035 1036
	default:
		err = -EINVAL;
		break;
	}

	return err < 0 ? err : 0;
}

1037
/*
E
Eric Paris 已提交
1038 1039
 * Get message from skb.  Each message is processed by audit_receive_msg.
 * Malformed skbs with wrong length are discarded silently.
1040
 */
1041
static void audit_receive_skb(struct sk_buff *skb)
L
Linus Torvalds 已提交
1042
{
E
Eric Paris 已提交
1043 1044
	struct nlmsghdr *nlh;
	/*
1045
	 * len MUST be signed for nlmsg_next to be able to dec it below 0
E
Eric Paris 已提交
1046 1047 1048 1049 1050 1051 1052 1053
	 * if the nlmsg_len was not aligned
	 */
	int len;
	int err;

	nlh = nlmsg_hdr(skb);
	len = skb->len;

1054
	while (nlmsg_ok(nlh, len)) {
E
Eric Paris 已提交
1055 1056 1057
		err = audit_receive_msg(skb, nlh);
		/* if err or if this message says it wants a response */
		if (err || (nlh->nlmsg_flags & NLM_F_ACK))
L
Linus Torvalds 已提交
1058
			netlink_ack(skb, nlh, err);
E
Eric Paris 已提交
1059

A
Alexandru Copot 已提交
1060
		nlh = nlmsg_next(nlh, &len);
L
Linus Torvalds 已提交
1061 1062 1063 1064
	}
}

/* Receive messages from netlink socket. */
1065
static void audit_receive(struct sk_buff  *skb)
L
Linus Torvalds 已提交
1066
{
A
Amy Griffis 已提交
1067
	mutex_lock(&audit_cmd_mutex);
1068
	audit_receive_skb(skb);
A
Amy Griffis 已提交
1069
	mutex_unlock(&audit_cmd_mutex);
L
Linus Torvalds 已提交
1070 1071
}

1072
static int __net_init audit_net_init(struct net *net)
L
Linus Torvalds 已提交
1073
{
1074 1075 1076
	struct netlink_kernel_cfg cfg = {
		.input	= audit_receive,
	};
A
Amy Griffis 已提交
1077

1078 1079 1080 1081 1082 1083 1084 1085 1086 1087 1088 1089 1090 1091 1092 1093 1094 1095 1096 1097 1098 1099 1100 1101 1102 1103 1104 1105 1106 1107 1108 1109 1110 1111 1112 1113 1114 1115 1116 1117
	struct audit_net *aunet = net_generic(net, audit_net_id);

	pr_info("audit: initializing netlink socket in namespace\n");

	aunet->nlsk = netlink_kernel_create(net, NETLINK_AUDIT, &cfg);
	if (aunet->nlsk == NULL)
		return -ENOMEM;
	if (!aunet->nlsk)
		audit_panic("cannot initialize netlink socket in namespace");
	else
		aunet->nlsk->sk_sndtimeo = MAX_SCHEDULE_TIMEOUT;
	return 0;
}

static void __net_exit audit_net_exit(struct net *net)
{
	struct audit_net *aunet = net_generic(net, audit_net_id);
	struct sock *sock = aunet->nlsk;
	if (sock == audit_sock) {
		audit_pid = 0;
		audit_sock = NULL;
	}

	rcu_assign_pointer(aunet->nlsk, NULL);
	synchronize_net();
	netlink_kernel_release(sock);
}

static struct pernet_operations __net_initdata audit_net_ops = {
	.init = audit_net_init,
	.exit = audit_net_exit,
	.id = &audit_net_id,
	.size = sizeof(struct audit_net),
};

/* Initialize audit support at boot time. */
static int __init audit_init(void)
{
	int i;

1118 1119 1120
	if (audit_initialized == AUDIT_DISABLED)
		return 0;

1121
	pr_info("audit: initializing netlink subsys (%s)\n",
L
Linus Torvalds 已提交
1122
	       audit_default ? "enabled" : "disabled");
1123
	register_pernet_subsys(&audit_net_ops);
L
Linus Torvalds 已提交
1124

1125
	skb_queue_head_init(&audit_skb_queue);
1126
	skb_queue_head_init(&audit_skb_hold_queue);
1127
	audit_initialized = AUDIT_INITIALIZED;
L
Linus Torvalds 已提交
1128
	audit_enabled = audit_default;
1129
	audit_ever_enabled |= !!audit_default;
1130

1131
	audit_log(NULL, GFP_KERNEL, AUDIT_KERNEL, "initialized");
A
Amy Griffis 已提交
1132 1133 1134 1135

	for (i = 0; i < AUDIT_INODE_BUCKETS; i++)
		INIT_LIST_HEAD(&audit_inode_hash[i]);

L
Linus Torvalds 已提交
1136 1137 1138 1139 1140 1141 1142 1143
	return 0;
}
__initcall(audit_init);

/* Process kernel command-line parameter at boot time.  audit=0 or audit=1. */
static int __init audit_enable(char *str)
{
	audit_default = !!simple_strtol(str, NULL, 0);
1144 1145 1146
	if (!audit_default)
		audit_initialized = AUDIT_DISABLED;

1147 1148
	pr_info("audit: %s\n", audit_default ?
		"enabled (after initialization)" : "disabled (until reboot)");
1149

1150
	return 1;
L
Linus Torvalds 已提交
1151 1152 1153
}
__setup("audit=", audit_enable);

1154 1155 1156 1157 1158 1159 1160 1161 1162 1163 1164 1165 1166 1167 1168 1169 1170 1171 1172
/* Process kernel command-line parameter at boot time.
 * audit_backlog_limit=<n> */
static int __init audit_backlog_limit_set(char *str)
{
	long int audit_backlog_limit_arg;
	pr_info("audit_backlog_limit: ");
	if (kstrtol(str, 0, &audit_backlog_limit_arg)) {
		printk("using default of %d, unable to parse %s\n",
		       audit_backlog_limit, str);
		return 1;
	}
	if (audit_backlog_limit_arg >= 0)
		audit_backlog_limit = (int)audit_backlog_limit_arg;
	printk("%d\n", audit_backlog_limit);

	return 1;
}
__setup("audit_backlog_limit=", audit_backlog_limit_set);

1173 1174 1175 1176
static void audit_buffer_free(struct audit_buffer *ab)
{
	unsigned long flags;

1177 1178 1179
	if (!ab)
		return;

1180 1181
	if (ab->skb)
		kfree_skb(ab->skb);
1182

1183
	spin_lock_irqsave(&audit_freelist_lock, flags);
S
Serge E. Hallyn 已提交
1184
	if (audit_freelist_count > AUDIT_MAXFREE)
1185
		kfree(ab);
S
Serge E. Hallyn 已提交
1186 1187
	else {
		audit_freelist_count++;
1188
		list_add(&ab->list, &audit_freelist);
S
Serge E. Hallyn 已提交
1189
	}
1190 1191 1192
	spin_unlock_irqrestore(&audit_freelist_lock, flags);
}

1193
static struct audit_buffer * audit_buffer_alloc(struct audit_context *ctx,
A
Al Viro 已提交
1194
						gfp_t gfp_mask, int type)
1195 1196 1197
{
	unsigned long flags;
	struct audit_buffer *ab = NULL;
1198
	struct nlmsghdr *nlh;
1199 1200 1201 1202 1203 1204 1205 1206 1207 1208 1209

	spin_lock_irqsave(&audit_freelist_lock, flags);
	if (!list_empty(&audit_freelist)) {
		ab = list_entry(audit_freelist.next,
				struct audit_buffer, list);
		list_del(&ab->list);
		--audit_freelist_count;
	}
	spin_unlock_irqrestore(&audit_freelist_lock, flags);

	if (!ab) {
1210
		ab = kmalloc(sizeof(*ab), gfp_mask);
1211
		if (!ab)
1212
			goto err;
1213
	}
1214

1215
	ab->ctx = ctx;
1216
	ab->gfp_mask = gfp_mask;
1217 1218 1219

	ab->skb = nlmsg_new(AUDIT_BUFSIZ, gfp_mask);
	if (!ab->skb)
1220
		goto err;
1221

1222 1223 1224
	nlh = nlmsg_put(ab->skb, 0, 0, type, 0, 0);
	if (!nlh)
		goto out_kfree_skb;
1225

1226
	return ab;
1227

1228
out_kfree_skb:
1229 1230
	kfree_skb(ab->skb);
	ab->skb = NULL;
1231 1232 1233
err:
	audit_buffer_free(ab);
	return NULL;
1234
}
L
Linus Torvalds 已提交
1235

1236 1237 1238 1239
/**
 * audit_serial - compute a serial number for the audit record
 *
 * Compute a serial number for the audit record.  Audit records are
1240 1241 1242 1243 1244 1245 1246 1247 1248 1249 1250
 * written to user-space as soon as they are generated, so a complete
 * audit record may be written in several pieces.  The timestamp of the
 * record and this serial number are used by the user-space tools to
 * determine which pieces belong to the same audit record.  The
 * (timestamp,serial) tuple is unique for each syscall and is live from
 * syscall entry to syscall exit.
 *
 * NOTE: Another possibility is to store the formatted records off the
 * audit context (for those records that have a context), and emit them
 * all at syscall exit.  However, this could delay the reporting of
 * significant errors until syscall exit (or never, if the system
1251 1252
 * halts).
 */
1253 1254
unsigned int audit_serial(void)
{
I
Ingo Molnar 已提交
1255
	static DEFINE_SPINLOCK(serial_lock);
1256 1257 1258 1259
	static unsigned int serial = 0;

	unsigned long flags;
	unsigned int ret;
1260

1261
	spin_lock_irqsave(&serial_lock, flags);
1262
	do {
1263 1264
		ret = ++serial;
	} while (unlikely(!ret));
1265
	spin_unlock_irqrestore(&serial_lock, flags);
1266

1267
	return ret;
1268 1269
}

D
Daniel Walker 已提交
1270
static inline void audit_get_stamp(struct audit_context *ctx,
1271 1272
				   struct timespec *t, unsigned int *serial)
{
1273
	if (!ctx || !auditsc_get_stamp(ctx, t, serial)) {
1274 1275 1276 1277 1278
		*t = CURRENT_TIME;
		*serial = audit_serial();
	}
}

1279 1280 1281
/*
 * Wait for auditd to drain the queue a little
 */
1282
static unsigned long wait_for_auditd(unsigned long sleep_time)
1283
{
1284
	unsigned long timeout = sleep_time;
1285
	DECLARE_WAITQUEUE(wait, current);
1286
	set_current_state(TASK_UNINTERRUPTIBLE);
1287
	add_wait_queue_exclusive(&audit_backlog_wait, &wait);
1288 1289 1290

	if (audit_backlog_limit &&
	    skb_queue_len(&audit_skb_queue) > audit_backlog_limit)
1291
		timeout = schedule_timeout(sleep_time);
1292 1293 1294

	__set_current_state(TASK_RUNNING);
	remove_wait_queue(&audit_backlog_wait, &wait);
1295 1296

	return timeout;
1297 1298
}

1299 1300 1301 1302 1303 1304 1305 1306 1307 1308 1309 1310 1311 1312 1313
/**
 * audit_log_start - obtain an audit buffer
 * @ctx: audit_context (may be NULL)
 * @gfp_mask: type of allocation
 * @type: audit message type
 *
 * Returns audit_buffer pointer on success or NULL on error.
 *
 * Obtain an audit buffer.  This routine does locking to obtain the
 * audit buffer, but then no locking is required for calls to
 * audit_log_*format.  If the task (ctx) is a task that is currently in a
 * syscall, then the syscall is marked as auditable and an audit record
 * will be written at syscall exit.  If there is no associated task, then
 * task context (ctx) should be NULL.
 */
A
Al Viro 已提交
1314
struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
1315
				     int type)
L
Linus Torvalds 已提交
1316 1317 1318
{
	struct audit_buffer	*ab	= NULL;
	struct timespec		t;
1319
	unsigned int		uninitialized_var(serial);
1320
	int reserve;
1321
	unsigned long timeout_start = jiffies;
L
Linus Torvalds 已提交
1322

1323
	if (audit_initialized != AUDIT_INITIALIZED)
L
Linus Torvalds 已提交
1324 1325
		return NULL;

1326 1327 1328
	if (unlikely(audit_filter_type(type)))
		return NULL;

1329 1330 1331
	if (gfp_mask & __GFP_WAIT)
		reserve = 0;
	else
D
Daniel Walker 已提交
1332
		reserve = 5; /* Allow atomic callers to go up to five
1333 1334 1335 1336
				entries over the normal backlog limit */

	while (audit_backlog_limit
	       && skb_queue_len(&audit_skb_queue) > audit_backlog_limit + reserve) {
1337 1338
		if (gfp_mask & __GFP_WAIT && audit_backlog_wait_time) {
			unsigned long sleep_time;
1339

1340 1341
			sleep_time = timeout_start + audit_backlog_wait_time -
					jiffies;
1342
			if ((long)sleep_time > 0) {
1343 1344 1345
				sleep_time = wait_for_auditd(sleep_time);
				if ((long)sleep_time > 0)
					continue;
1346
			}
1347
		}
1348
		if (audit_rate_check() && printk_ratelimit())
1349 1350 1351 1352 1353 1354
			printk(KERN_WARNING
			       "audit: audit_backlog=%d > "
			       "audit_backlog_limit=%d\n",
			       skb_queue_len(&audit_skb_queue),
			       audit_backlog_limit);
		audit_log_lost("backlog limit exceeded");
1355 1356
		audit_backlog_wait_time = audit_backlog_wait_overflow;
		wake_up(&audit_backlog_wait);
1357 1358 1359
		return NULL;
	}

1360 1361
	audit_backlog_wait_time = AUDIT_BACKLOG_WAIT_TIME;

1362
	ab = audit_buffer_alloc(ctx, gfp_mask, type);
L
Linus Torvalds 已提交
1363 1364 1365 1366 1367
	if (!ab) {
		audit_log_lost("out of memory in audit_log_start");
		return NULL;
	}

1368
	audit_get_stamp(ab->ctx, &t, &serial);
1369

L
Linus Torvalds 已提交
1370 1371 1372 1373 1374
	audit_log_format(ab, "audit(%lu.%03lu:%u): ",
			 t.tv_sec, t.tv_nsec/1000000, serial);
	return ab;
}

1375
/**
1376
 * audit_expand - expand skb in the audit buffer
1377
 * @ab: audit_buffer
1378
 * @extra: space to add at tail of the skb
1379 1380 1381 1382
 *
 * Returns 0 (no space) on failed expansion, or available space if
 * successful.
 */
1383
static inline int audit_expand(struct audit_buffer *ab, int extra)
1384
{
1385
	struct sk_buff *skb = ab->skb;
1386 1387 1388 1389
	int oldtail = skb_tailroom(skb);
	int ret = pskb_expand_head(skb, 0, extra, ab->gfp_mask);
	int newtail = skb_tailroom(skb);

1390 1391
	if (ret < 0) {
		audit_log_lost("out of memory in audit_expand");
1392
		return 0;
1393
	}
1394 1395 1396

	skb->truesize += newtail - oldtail;
	return newtail;
1397
}
L
Linus Torvalds 已提交
1398

1399 1400
/*
 * Format an audit message into the audit buffer.  If there isn't enough
L
Linus Torvalds 已提交
1401 1402
 * room in the audit buffer, more room will be allocated and vsnprint
 * will be called a second time.  Currently, we assume that a printk
1403 1404
 * can't format message larger than 1024 bytes, so we don't either.
 */
L
Linus Torvalds 已提交
1405 1406 1407 1408
static void audit_log_vformat(struct audit_buffer *ab, const char *fmt,
			      va_list args)
{
	int len, avail;
1409
	struct sk_buff *skb;
D
David Woodhouse 已提交
1410
	va_list args2;
L
Linus Torvalds 已提交
1411 1412 1413 1414

	if (!ab)
		return;

1415 1416 1417 1418
	BUG_ON(!ab->skb);
	skb = ab->skb;
	avail = skb_tailroom(skb);
	if (avail == 0) {
1419
		avail = audit_expand(ab, AUDIT_BUFSIZ);
1420 1421
		if (!avail)
			goto out;
L
Linus Torvalds 已提交
1422
	}
D
David Woodhouse 已提交
1423
	va_copy(args2, args);
1424
	len = vsnprintf(skb_tail_pointer(skb), avail, fmt, args);
L
Linus Torvalds 已提交
1425 1426 1427 1428
	if (len >= avail) {
		/* The printk buffer is 1024 bytes long, so if we get
		 * here and AUDIT_BUFSIZ is at least 1024, then we can
		 * log everything that printk could have logged. */
1429 1430
		avail = audit_expand(ab,
			max_t(unsigned, AUDIT_BUFSIZ, 1+len-avail));
1431
		if (!avail)
1432
			goto out_va_end;
1433
		len = vsnprintf(skb_tail_pointer(skb), avail, fmt, args2);
L
Linus Torvalds 已提交
1434
	}
1435 1436
	if (len > 0)
		skb_put(skb, len);
1437 1438
out_va_end:
	va_end(args2);
1439 1440
out:
	return;
L
Linus Torvalds 已提交
1441 1442
}

1443 1444 1445 1446 1447 1448 1449 1450
/**
 * audit_log_format - format a message into the audit buffer.
 * @ab: audit_buffer
 * @fmt: format string
 * @...: optional parameters matching @fmt string
 *
 * All the work is done in audit_log_vformat.
 */
L
Linus Torvalds 已提交
1451 1452 1453 1454 1455 1456 1457 1458 1459 1460 1461
void audit_log_format(struct audit_buffer *ab, const char *fmt, ...)
{
	va_list args;

	if (!ab)
		return;
	va_start(args, fmt);
	audit_log_vformat(ab, fmt, args);
	va_end(args);
}

1462 1463 1464 1465 1466 1467 1468 1469 1470 1471 1472
/**
 * audit_log_hex - convert a buffer to hex and append it to the audit skb
 * @ab: the audit_buffer
 * @buf: buffer to convert to hex
 * @len: length of @buf to be converted
 *
 * No return value; failure to expand is silently ignored.
 *
 * This function will take the passed buf and convert it into a string of
 * ascii hex digits. The new string is placed onto the skb.
 */
1473
void audit_log_n_hex(struct audit_buffer *ab, const unsigned char *buf,
1474
		size_t len)
1475
{
1476 1477 1478 1479 1480
	int i, avail, new_len;
	unsigned char *ptr;
	struct sk_buff *skb;
	static const unsigned char *hex = "0123456789ABCDEF";

A
Amy Griffis 已提交
1481 1482 1483
	if (!ab)
		return;

1484 1485 1486 1487 1488 1489 1490 1491 1492 1493 1494
	BUG_ON(!ab->skb);
	skb = ab->skb;
	avail = skb_tailroom(skb);
	new_len = len<<1;
	if (new_len >= avail) {
		/* Round the buffer request up to the next multiple */
		new_len = AUDIT_BUFSIZ*(((new_len-avail)/AUDIT_BUFSIZ) + 1);
		avail = audit_expand(ab, new_len);
		if (!avail)
			return;
	}
1495

1496
	ptr = skb_tail_pointer(skb);
1497 1498 1499 1500 1501 1502
	for (i=0; i<len; i++) {
		*ptr++ = hex[(buf[i] & 0xF0)>>4]; /* Upper nibble */
		*ptr++ = hex[buf[i] & 0x0F];	  /* Lower nibble */
	}
	*ptr = 0;
	skb_put(skb, len << 1); /* new string is twice the old string */
1503 1504
}

1505 1506 1507 1508
/*
 * Format a string of no more than slen characters into the audit buffer,
 * enclosed in quote marks.
 */
1509 1510
void audit_log_n_string(struct audit_buffer *ab, const char *string,
			size_t slen)
1511 1512 1513 1514 1515
{
	int avail, new_len;
	unsigned char *ptr;
	struct sk_buff *skb;

A
Amy Griffis 已提交
1516 1517 1518
	if (!ab)
		return;

1519 1520 1521 1522 1523 1524 1525 1526 1527
	BUG_ON(!ab->skb);
	skb = ab->skb;
	avail = skb_tailroom(skb);
	new_len = slen + 3;	/* enclosing quotes + null terminator */
	if (new_len > avail) {
		avail = audit_expand(ab, new_len);
		if (!avail)
			return;
	}
1528
	ptr = skb_tail_pointer(skb);
1529 1530 1531 1532 1533 1534 1535 1536
	*ptr++ = '"';
	memcpy(ptr, string, slen);
	ptr += slen;
	*ptr++ = '"';
	*ptr = 0;
	skb_put(skb, slen + 2);	/* don't include null terminator */
}

1537 1538
/**
 * audit_string_contains_control - does a string need to be logged in hex
1539 1540
 * @string: string to be checked
 * @len: max length of the string to check
1541 1542 1543 1544
 */
int audit_string_contains_control(const char *string, size_t len)
{
	const unsigned char *p;
1545
	for (p = string; p < (const unsigned char *)string + len; p++) {
1546
		if (*p == '"' || *p < 0x21 || *p > 0x7e)
1547 1548 1549 1550 1551
			return 1;
	}
	return 0;
}

1552
/**
M
Miloslav Trmac 已提交
1553
 * audit_log_n_untrustedstring - log a string that may contain random characters
1554
 * @ab: audit_buffer
1555
 * @len: length of string (not including trailing null)
1556 1557 1558 1559
 * @string: string to be logged
 *
 * This code will escape a string that is passed to it if the string
 * contains a control character, unprintable character, double quote mark,
1560
 * or a space. Unescaped strings will start and end with a double quote mark.
1561
 * Strings that are escaped are printed in hex (2 digits per char).
1562 1563 1564
 *
 * The caller specifies the number of characters in the string to log, which may
 * or may not be the entire string.
1565
 */
1566 1567
void audit_log_n_untrustedstring(struct audit_buffer *ab, const char *string,
				 size_t len)
1568
{
1569
	if (audit_string_contains_control(string, len))
1570
		audit_log_n_hex(ab, string, len);
1571
	else
1572
		audit_log_n_string(ab, string, len);
1573 1574
}

1575
/**
M
Miloslav Trmac 已提交
1576
 * audit_log_untrustedstring - log a string that may contain random characters
1577 1578 1579
 * @ab: audit_buffer
 * @string: string to be logged
 *
M
Miloslav Trmac 已提交
1580
 * Same as audit_log_n_untrustedstring(), except that strlen is used to
1581 1582
 * determine string length.
 */
1583
void audit_log_untrustedstring(struct audit_buffer *ab, const char *string)
1584
{
1585
	audit_log_n_untrustedstring(ab, string, strlen(string));
1586 1587
}

1588
/* This is a helper-function to print the escaped d_path */
L
Linus Torvalds 已提交
1589
void audit_log_d_path(struct audit_buffer *ab, const char *prefix,
1590
		      const struct path *path)
L
Linus Torvalds 已提交
1591
{
1592
	char *p, *pathname;
L
Linus Torvalds 已提交
1593

1594
	if (prefix)
1595
		audit_log_format(ab, "%s", prefix);
L
Linus Torvalds 已提交
1596

1597
	/* We will allow 11 spaces for ' (deleted)' to be appended */
1598 1599
	pathname = kmalloc(PATH_MAX+11, ab->gfp_mask);
	if (!pathname) {
1600
		audit_log_string(ab, "<no_memory>");
1601
		return;
L
Linus Torvalds 已提交
1602
	}
1603
	p = d_path(path, pathname, PATH_MAX+11);
1604 1605
	if (IS_ERR(p)) { /* Should never happen since we send PATH_MAX */
		/* FIXME: can we save some information here? */
1606
		audit_log_string(ab, "<too_long>");
D
Daniel Walker 已提交
1607
	} else
1608
		audit_log_untrustedstring(ab, p);
1609
	kfree(pathname);
L
Linus Torvalds 已提交
1610 1611
}

E
Eric Paris 已提交
1612 1613
void audit_log_session_info(struct audit_buffer *ab)
{
1614
	unsigned int sessionid = audit_get_sessionid(current);
E
Eric Paris 已提交
1615 1616
	uid_t auid = from_kuid(&init_user_ns, audit_get_loginuid(current));

1617
	audit_log_format(ab, " auid=%u ses=%u", auid, sessionid);
E
Eric Paris 已提交
1618 1619
}

1620 1621 1622 1623 1624 1625 1626 1627 1628
void audit_log_key(struct audit_buffer *ab, char *key)
{
	audit_log_format(ab, " key=");
	if (key)
		audit_log_untrustedstring(ab, key);
	else
		audit_log_format(ab, "(null)");
}

1629 1630 1631 1632 1633 1634 1635 1636 1637 1638 1639 1640 1641 1642 1643 1644 1645 1646 1647 1648 1649 1650 1651 1652 1653 1654 1655 1656 1657 1658 1659 1660 1661 1662 1663 1664 1665 1666 1667 1668 1669 1670 1671 1672 1673 1674 1675 1676 1677 1678 1679 1680 1681 1682 1683 1684 1685 1686 1687 1688 1689 1690 1691 1692 1693 1694 1695 1696 1697 1698 1699 1700 1701 1702 1703 1704 1705 1706 1707 1708 1709 1710 1711 1712 1713 1714 1715 1716 1717 1718 1719 1720 1721 1722 1723 1724 1725 1726 1727 1728 1729 1730 1731 1732 1733 1734 1735 1736 1737 1738 1739 1740 1741 1742 1743 1744 1745 1746 1747 1748 1749 1750 1751 1752 1753 1754 1755 1756 1757 1758 1759 1760 1761 1762 1763
void audit_log_cap(struct audit_buffer *ab, char *prefix, kernel_cap_t *cap)
{
	int i;

	audit_log_format(ab, " %s=", prefix);
	CAP_FOR_EACH_U32(i) {
		audit_log_format(ab, "%08x",
				 cap->cap[(_KERNEL_CAPABILITY_U32S-1) - i]);
	}
}

void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name)
{
	kernel_cap_t *perm = &name->fcap.permitted;
	kernel_cap_t *inh = &name->fcap.inheritable;
	int log = 0;

	if (!cap_isclear(*perm)) {
		audit_log_cap(ab, "cap_fp", perm);
		log = 1;
	}
	if (!cap_isclear(*inh)) {
		audit_log_cap(ab, "cap_fi", inh);
		log = 1;
	}

	if (log)
		audit_log_format(ab, " cap_fe=%d cap_fver=%x",
				 name->fcap.fE, name->fcap_ver);
}

static inline int audit_copy_fcaps(struct audit_names *name,
				   const struct dentry *dentry)
{
	struct cpu_vfs_cap_data caps;
	int rc;

	if (!dentry)
		return 0;

	rc = get_vfs_caps_from_disk(dentry, &caps);
	if (rc)
		return rc;

	name->fcap.permitted = caps.permitted;
	name->fcap.inheritable = caps.inheritable;
	name->fcap.fE = !!(caps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE);
	name->fcap_ver = (caps.magic_etc & VFS_CAP_REVISION_MASK) >>
				VFS_CAP_REVISION_SHIFT;

	return 0;
}

/* Copy inode data into an audit_names. */
void audit_copy_inode(struct audit_names *name, const struct dentry *dentry,
		      const struct inode *inode)
{
	name->ino   = inode->i_ino;
	name->dev   = inode->i_sb->s_dev;
	name->mode  = inode->i_mode;
	name->uid   = inode->i_uid;
	name->gid   = inode->i_gid;
	name->rdev  = inode->i_rdev;
	security_inode_getsecid(inode, &name->osid);
	audit_copy_fcaps(name, dentry);
}

/**
 * audit_log_name - produce AUDIT_PATH record from struct audit_names
 * @context: audit_context for the task
 * @n: audit_names structure with reportable details
 * @path: optional path to report instead of audit_names->name
 * @record_num: record number to report when handling a list of names
 * @call_panic: optional pointer to int that will be updated if secid fails
 */
void audit_log_name(struct audit_context *context, struct audit_names *n,
		    struct path *path, int record_num, int *call_panic)
{
	struct audit_buffer *ab;
	ab = audit_log_start(context, GFP_KERNEL, AUDIT_PATH);
	if (!ab)
		return;

	audit_log_format(ab, "item=%d", record_num);

	if (path)
		audit_log_d_path(ab, " name=", path);
	else if (n->name) {
		switch (n->name_len) {
		case AUDIT_NAME_FULL:
			/* log the full path */
			audit_log_format(ab, " name=");
			audit_log_untrustedstring(ab, n->name->name);
			break;
		case 0:
			/* name was specified as a relative path and the
			 * directory component is the cwd */
			audit_log_d_path(ab, " name=", &context->pwd);
			break;
		default:
			/* log the name's directory component */
			audit_log_format(ab, " name=");
			audit_log_n_untrustedstring(ab, n->name->name,
						    n->name_len);
		}
	} else
		audit_log_format(ab, " name=(null)");

	if (n->ino != (unsigned long)-1) {
		audit_log_format(ab, " inode=%lu"
				 " dev=%02x:%02x mode=%#ho"
				 " ouid=%u ogid=%u rdev=%02x:%02x",
				 n->ino,
				 MAJOR(n->dev),
				 MINOR(n->dev),
				 n->mode,
				 from_kuid(&init_user_ns, n->uid),
				 from_kgid(&init_user_ns, n->gid),
				 MAJOR(n->rdev),
				 MINOR(n->rdev));
	}
	if (n->osid != 0) {
		char *ctx = NULL;
		u32 len;
		if (security_secid_to_secctx(
			n->osid, &ctx, &len)) {
			audit_log_format(ab, " osid=%u", n->osid);
			if (call_panic)
				*call_panic = 2;
		} else {
			audit_log_format(ab, " obj=%s", ctx);
			security_release_secctx(ctx, len);
		}
	}

1764 1765 1766 1767 1768 1769 1770 1771 1772 1773 1774 1775 1776 1777 1778 1779 1780 1781 1782 1783
	/* log the audit_names record type */
	audit_log_format(ab, " nametype=");
	switch(n->type) {
	case AUDIT_TYPE_NORMAL:
		audit_log_format(ab, "NORMAL");
		break;
	case AUDIT_TYPE_PARENT:
		audit_log_format(ab, "PARENT");
		break;
	case AUDIT_TYPE_CHILD_DELETE:
		audit_log_format(ab, "DELETE");
		break;
	case AUDIT_TYPE_CHILD_CREATE:
		audit_log_format(ab, "CREATE");
		break;
	default:
		audit_log_format(ab, "UNKNOWN");
		break;
	}

1784 1785 1786 1787 1788 1789 1790 1791 1792 1793 1794 1795 1796 1797 1798 1799 1800 1801 1802 1803 1804 1805 1806 1807 1808 1809 1810 1811 1812 1813 1814 1815 1816 1817 1818 1819 1820 1821 1822 1823 1824 1825 1826 1827 1828 1829 1830 1831 1832 1833 1834 1835 1836 1837 1838
	audit_log_fcaps(ab, n);
	audit_log_end(ab);
}

int audit_log_task_context(struct audit_buffer *ab)
{
	char *ctx = NULL;
	unsigned len;
	int error;
	u32 sid;

	security_task_getsecid(current, &sid);
	if (!sid)
		return 0;

	error = security_secid_to_secctx(sid, &ctx, &len);
	if (error) {
		if (error != -EINVAL)
			goto error_path;
		return 0;
	}

	audit_log_format(ab, " subj=%s", ctx);
	security_release_secctx(ctx, len);
	return 0;

error_path:
	audit_panic("error in audit_log_task_context");
	return error;
}
EXPORT_SYMBOL(audit_log_task_context);

void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
{
	const struct cred *cred;
	char name[sizeof(tsk->comm)];
	struct mm_struct *mm = tsk->mm;
	char *tty;

	if (!ab)
		return;

	/* tsk == current */
	cred = current_cred();

	spin_lock_irq(&tsk->sighand->siglock);
	if (tsk->signal && tsk->signal->tty && tsk->signal->tty->name)
		tty = tsk->signal->tty->name;
	else
		tty = "(none)";
	spin_unlock_irq(&tsk->sighand->siglock);

	audit_log_format(ab,
			 " ppid=%ld pid=%d auid=%u uid=%u gid=%u"
			 " euid=%u suid=%u fsuid=%u"
1839
			 " egid=%u sgid=%u fsgid=%u tty=%s ses=%u",
1840 1841 1842 1843 1844 1845 1846 1847 1848 1849 1850
			 sys_getppid(),
			 tsk->pid,
			 from_kuid(&init_user_ns, audit_get_loginuid(tsk)),
			 from_kuid(&init_user_ns, cred->uid),
			 from_kgid(&init_user_ns, cred->gid),
			 from_kuid(&init_user_ns, cred->euid),
			 from_kuid(&init_user_ns, cred->suid),
			 from_kuid(&init_user_ns, cred->fsuid),
			 from_kgid(&init_user_ns, cred->egid),
			 from_kgid(&init_user_ns, cred->sgid),
			 from_kgid(&init_user_ns, cred->fsgid),
1851
			 tty, audit_get_sessionid(tsk));
1852 1853 1854 1855 1856 1857 1858 1859 1860 1861

	get_task_comm(name, tsk);
	audit_log_format(ab, " comm=");
	audit_log_untrustedstring(ab, name);

	if (mm) {
		down_read(&mm->mmap_sem);
		if (mm->exe_file)
			audit_log_d_path(ab, " exe=", &mm->exe_file->f_path);
		up_read(&mm->mmap_sem);
1862 1863
	} else
		audit_log_format(ab, " exe=(null)");
1864 1865 1866 1867
	audit_log_task_context(ab);
}
EXPORT_SYMBOL(audit_log_task_info);

1868 1869 1870 1871 1872 1873 1874 1875
/**
 * audit_log_link_denied - report a link restriction denial
 * @operation: specific link opreation
 * @link: the path that triggered the restriction
 */
void audit_log_link_denied(const char *operation, struct path *link)
{
	struct audit_buffer *ab;
1876 1877 1878 1879 1880
	struct audit_names *name;

	name = kzalloc(sizeof(*name), GFP_NOFS);
	if (!name)
		return;
1881

1882
	/* Generate AUDIT_ANOM_LINK with subject, operation, outcome. */
1883 1884
	ab = audit_log_start(current->audit_context, GFP_KERNEL,
			     AUDIT_ANOM_LINK);
1885
	if (!ab)
1886 1887 1888 1889
		goto out;
	audit_log_format(ab, "op=%s", operation);
	audit_log_task_info(ab, current);
	audit_log_format(ab, " res=0");
1890
	audit_log_end(ab);
1891 1892 1893 1894 1895 1896 1897

	/* Generate AUDIT_PATH record with object. */
	name->type = AUDIT_TYPE_NORMAL;
	audit_copy_inode(name, link->dentry, link->dentry->d_inode);
	audit_log_name(current->audit_context, name, link, 0, NULL);
out:
	kfree(name);
1898 1899
}

1900 1901 1902 1903 1904 1905
/**
 * audit_log_end - end one audit record
 * @ab: the audit_buffer
 *
 * The netlink_* functions cannot be called inside an irq context, so
 * the audit buffer is placed on a queue and a tasklet is scheduled to
L
Linus Torvalds 已提交
1906
 * remove them from the queue outside the irq context.  May be called in
1907 1908
 * any context.
 */
1909
void audit_log_end(struct audit_buffer *ab)
L
Linus Torvalds 已提交
1910 1911 1912 1913 1914 1915
{
	if (!ab)
		return;
	if (!audit_rate_check()) {
		audit_log_lost("rate limit exceeded");
	} else {
1916
		struct nlmsghdr *nlh = nlmsg_hdr(ab->skb);
1917
		nlh->nlmsg_len = ab->skb->len - NLMSG_HDRLEN;
1918

1919 1920 1921
		if (audit_pid) {
			skb_queue_tail(&audit_skb_queue, ab->skb);
			wake_up_interruptible(&kauditd_wait);
1922
		} else {
1923
			audit_printk_skb(ab->skb);
1924
		}
1925
		ab->skb = NULL;
L
Linus Torvalds 已提交
1926
	}
1927
	audit_buffer_free(ab);
L
Linus Torvalds 已提交
1928 1929
}

1930 1931 1932 1933 1934 1935 1936 1937 1938 1939 1940 1941
/**
 * audit_log - Log an audit record
 * @ctx: audit context
 * @gfp_mask: type of allocation
 * @type: audit message type
 * @fmt: format string to use
 * @...: variable parameters matching the format string
 *
 * This is a convenience function that calls audit_log_start,
 * audit_log_vformat, and audit_log_end.  It may be called
 * in any context.
 */
D
Daniel Walker 已提交
1942
void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type,
1943
	       const char *fmt, ...)
L
Linus Torvalds 已提交
1944 1945 1946 1947
{
	struct audit_buffer *ab;
	va_list args;

1948
	ab = audit_log_start(ctx, gfp_mask, type);
L
Linus Torvalds 已提交
1949 1950 1951 1952 1953 1954 1955
	if (ab) {
		va_start(args, fmt);
		audit_log_vformat(ab, fmt, args);
		va_end(args);
		audit_log_end(ab);
	}
}
1956

1957 1958 1959 1960 1961 1962 1963 1964 1965 1966 1967 1968 1969 1970 1971 1972 1973 1974 1975 1976 1977 1978 1979 1980 1981 1982
#ifdef CONFIG_SECURITY
/**
 * audit_log_secctx - Converts and logs SELinux context
 * @ab: audit_buffer
 * @secid: security number
 *
 * This is a helper function that calls security_secid_to_secctx to convert
 * secid to secctx and then adds the (converted) SELinux context to the audit
 * log by calling audit_log_format, thus also preventing leak of internal secid
 * to userspace. If secid cannot be converted audit_panic is called.
 */
void audit_log_secctx(struct audit_buffer *ab, u32 secid)
{
	u32 len;
	char *secctx;

	if (security_secid_to_secctx(secid, &secctx, &len)) {
		audit_panic("Cannot convert secid to context");
	} else {
		audit_log_format(ab, " obj=%s", secctx);
		security_release_secctx(secctx, len);
	}
}
EXPORT_SYMBOL(audit_log_secctx);
#endif

1983 1984 1985 1986
EXPORT_SYMBOL(audit_log_start);
EXPORT_SYMBOL(audit_log_end);
EXPORT_SYMBOL(audit_log_format);
EXPORT_SYMBOL(audit_log);