auditsc.c 43.5 KB
Newer Older
1
/* auditsc.c -- System-call auditing support
L
Linus Torvalds 已提交
2 3 4
 * Handles all system-call specific auditing features.
 *
 * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina.
5
 * Copyright 2005 Hewlett-Packard Development Company, L.P.
6
 * Copyright (C) 2005 IBM Corporation
L
Linus Torvalds 已提交
7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
 * All Rights Reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 *
 * Written by Rickard E. (Rik) Faith <faith@redhat.com>
 *
 * Many of the ideas implemented here are from Stephen C. Tweedie,
 * especially the idea of avoiding a copy by using getname.
 *
 * The method for actual interception of syscall entry and exit (not in
 * this file -- see entry.S) is based on a GPL'd patch written by
 * okir@suse.de and Copyright 2003 SuSE Linux AG.
 *
32 33 34
 * The support of additional filter rules compares (>, <, >=, <=) was
 * added by Dustin Kirkland <dustin.kirkland@us.ibm.com>, 2005.
 *
35 36
 * Modified by Amy Griffis <amy.griffis@hp.com> to collect additional
 * filesystem information.
37 38 39
 *
 * Subject and object context labeling support added by <danjones@us.ibm.com>
 * and <dustin.kirkland@us.ibm.com> for LSPP certification compliance.
L
Linus Torvalds 已提交
40 41 42 43
 */

#include <linux/init.h>
#include <asm/types.h>
A
Alan Cox 已提交
44
#include <asm/atomic.h>
45 46 47
#include <asm/types.h>
#include <linux/fs.h>
#include <linux/namei.h>
L
Linus Torvalds 已提交
48 49
#include <linux/mm.h>
#include <linux/module.h>
50
#include <linux/mount.h>
51
#include <linux/socket.h>
L
Linus Torvalds 已提交
52 53 54
#include <linux/audit.h>
#include <linux/personality.h>
#include <linux/time.h>
55
#include <linux/kthread.h>
56
#include <linux/netlink.h>
57
#include <linux/compiler.h>
L
Linus Torvalds 已提交
58
#include <asm/unistd.h>
59
#include <linux/security.h>
L
Linus Torvalds 已提交
60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109

/* 0 = no checking
   1 = put_count checking
   2 = verbose put_count checking
*/
#define AUDIT_DEBUG 0

/* No syscall auditing will take place unless audit_enabled != 0. */
extern int audit_enabled;

/* AUDIT_NAMES is the number of slots we reserve in the audit_context
 * for saving names from getname(). */
#define AUDIT_NAMES    20

/* AUDIT_NAMES_RESERVED is the number of slots we reserve in the
 * audit_context from being used for nameless inodes from
 * path_lookup. */
#define AUDIT_NAMES_RESERVED 7

/* At task start time, the audit_state is set in the audit_context using
   a per-task filter.  At syscall entry, the audit_state is augmented by
   the syscall filter. */
enum audit_state {
	AUDIT_DISABLED,		/* Do not create per-task audit_context.
				 * No syscall-specific audit records can
				 * be generated. */
	AUDIT_SETUP_CONTEXT,	/* Create the per-task audit_context,
				 * but don't necessarily fill it in at
				 * syscall entry time (i.e., filter
				 * instead). */
	AUDIT_BUILD_CONTEXT,	/* Create the per-task audit_context,
				 * and always fill it in at syscall
				 * entry time.  This makes a full
				 * syscall record available if some
				 * other part of the kernel decides it
				 * should be recorded. */
	AUDIT_RECORD_CONTEXT	/* Create the per-task audit_context,
				 * always fill it in at syscall entry
				 * time, and always write out the audit
				 * record at syscall exit time.  */
};

/* When fs/namei.c:getname() is called, we store the pointer in name and
 * we don't let putname() free it (instead we free all of the saved
 * pointers at syscall exit time).
 *
 * Further, in fs/namei.c:path_lookup() we store the inode and device. */
struct audit_names {
	const char	*name;
	unsigned long	ino;
110
	unsigned long	pino;
L
Linus Torvalds 已提交
111 112 113 114 115
	dev_t		dev;
	umode_t		mode;
	uid_t		uid;
	gid_t		gid;
	dev_t		rdev;
116
	char		*ctx;
L
Linus Torvalds 已提交
117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132
};

struct audit_aux_data {
	struct audit_aux_data	*next;
	int			type;
};

#define AUDIT_AUX_IPCPERM	0

struct audit_aux_data_ipcctl {
	struct audit_aux_data	d;
	struct ipc_perm		p;
	unsigned long		qbytes;
	uid_t			uid;
	gid_t			gid;
	mode_t			mode;
133
	char 			*ctx;
L
Linus Torvalds 已提交
134 135
};

136 137 138 139 140 141 142 143 144 145 146 147
struct audit_aux_data_socketcall {
	struct audit_aux_data	d;
	int			nargs;
	unsigned long		args[0];
};

struct audit_aux_data_sockaddr {
	struct audit_aux_data	d;
	int			len;
	char			a[0];
};

148 149 150 151 152
struct audit_aux_data_path {
	struct audit_aux_data	d;
	struct dentry		*dentry;
	struct vfsmount		*mnt;
};
L
Linus Torvalds 已提交
153 154 155 156 157 158 159 160 161 162 163

/* The per-task audit context. */
struct audit_context {
	int		    in_syscall;	/* 1 if task is in a syscall */
	enum audit_state    state;
	unsigned int	    serial;     /* serial number for record */
	struct timespec	    ctime;      /* time of syscall entry */
	uid_t		    loginuid;   /* login uid (identity) */
	int		    major;      /* syscall number */
	unsigned long	    argv[4];    /* syscall arguments */
	int		    return_valid; /* return code is valid */
164
	long		    return_code;/* syscall return code */
L
Linus Torvalds 已提交
165 166 167
	int		    auditable;  /* 1 if record should be written */
	int		    name_count;
	struct audit_names  names[AUDIT_NAMES];
168 169
	struct dentry *	    pwd;
	struct vfsmount *   pwdmnt;
L
Linus Torvalds 已提交
170 171 172 173 174 175 176 177
	struct audit_context *previous; /* For nested syscalls */
	struct audit_aux_data *aux;

				/* Save things to print about task_struct */
	pid_t		    pid;
	uid_t		    uid, euid, suid, fsuid;
	gid_t		    gid, egid, sgid, fsgid;
	unsigned long	    personality;
178
	int		    arch;
L
Linus Torvalds 已提交
179 180 181 182 183 184 185 186 187 188 189

#if AUDIT_DEBUG
	int		    put_count;
	int		    ino_count;
#endif
};

				/* Public API */
/* There are three lists of rules -- one to search at task creation
 * time, one to search at syscall entry time, and another to search at
 * syscall exit time. */
190 191 192 193 194 195
static struct list_head audit_filter_list[AUDIT_NR_FILTERS] = {
	LIST_HEAD_INIT(audit_filter_list[0]),
	LIST_HEAD_INIT(audit_filter_list[1]),
	LIST_HEAD_INIT(audit_filter_list[2]),
	LIST_HEAD_INIT(audit_filter_list[3]),
	LIST_HEAD_INIT(audit_filter_list[4]),
196 197
	LIST_HEAD_INIT(audit_filter_list[5]),
#if AUDIT_NR_FILTERS != 6
198 199 200
#error Fix audit_filter_list initialiser
#endif
};
L
Linus Torvalds 已提交
201 202 203 204 205 206 207

struct audit_entry {
	struct list_head  list;
	struct rcu_head   rcu;
	struct audit_rule rule;
};

208 209
extern int audit_pid;

210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235
/* Copy rule from user-space to kernel-space.  Called from 
 * audit_add_rule during AUDIT_ADD. */
static inline int audit_copy_rule(struct audit_rule *d, struct audit_rule *s)
{
	int i;

	if (s->action != AUDIT_NEVER
	    && s->action != AUDIT_POSSIBLE
	    && s->action != AUDIT_ALWAYS)
		return -1;
	if (s->field_count < 0 || s->field_count > AUDIT_MAX_FIELDS)
		return -1;
	if ((s->flags & ~AUDIT_FILTER_PREPEND) >= AUDIT_NR_FILTERS)
		return -1;

	d->flags	= s->flags;
	d->action	= s->action;
	d->field_count	= s->field_count;
	for (i = 0; i < d->field_count; i++) {
		d->fields[i] = s->fields[i];
		d->values[i] = s->values[i];
	}
	for (i = 0; i < AUDIT_BITMASK_SIZE; i++) d->mask[i] = s->mask[i];
	return 0;
}

L
Linus Torvalds 已提交
236
/* Check to see if two rules are identical.  It is called from
237
 * audit_add_rule during AUDIT_ADD and 
L
Linus Torvalds 已提交
238
 * audit_del_rule during AUDIT_DEL. */
239
static inline int audit_compare_rule(struct audit_rule *a, struct audit_rule *b)
L
Linus Torvalds 已提交
240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267
{
	int i;

	if (a->flags != b->flags)
		return 1;

	if (a->action != b->action)
		return 1;

	if (a->field_count != b->field_count)
		return 1;

	for (i = 0; i < a->field_count; i++) {
		if (a->fields[i] != b->fields[i]
		    || a->values[i] != b->values[i])
			return 1;
	}

	for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
		if (a->mask[i] != b->mask[i])
			return 1;

	return 0;
}

/* Note that audit_add_rule and audit_del_rule are called via
 * audit_receive() in audit.c, and are protected by
 * audit_netlink_sem. */
268
static inline int audit_add_rule(struct audit_rule *rule,
269
				  struct list_head *list)
L
Linus Torvalds 已提交
270
{
271
	struct audit_entry  *entry;
272
	int i;
273 274 275 276 277 278 279 280 281

	/* Do not use the _rcu iterator here, since this is the only
	 * addition routine. */
	list_for_each_entry(entry, list, list) {
		if (!audit_compare_rule(rule, &entry->rule)) {
			return -EEXIST;
		}
	}

282 283 284 285 286 287 288 289 290 291
	for (i = 0; i < rule->field_count; i++) {
		if (rule->fields[i] & AUDIT_UNUSED_BITS)
			return -EINVAL;
		if ( rule->fields[i] & AUDIT_NEGATE )
			rule->fields[i] |= AUDIT_NOT_EQUAL;
		else if ( (rule->fields[i] & AUDIT_OPERATORS) == 0 )
			rule->fields[i] |= AUDIT_EQUAL;
		rule->fields[i] &= (~AUDIT_NEGATE);
	}

292 293 294 295 296 297 298
	if (!(entry = kmalloc(sizeof(*entry), GFP_KERNEL)))
		return -ENOMEM;
	if (audit_copy_rule(&entry->rule, rule)) {
		kfree(entry);
		return -EINVAL;
	}

299 300
	if (entry->rule.flags & AUDIT_FILTER_PREPEND) {
		entry->rule.flags &= ~AUDIT_FILTER_PREPEND;
L
Linus Torvalds 已提交
301 302 303 304
		list_add_rcu(&entry->list, list);
	} else {
		list_add_tail_rcu(&entry->list, list);
	}
305 306

	return 0;
L
Linus Torvalds 已提交
307 308
}

309
static inline void audit_free_rule(struct rcu_head *head)
L
Linus Torvalds 已提交
310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331
{
	struct audit_entry *e = container_of(head, struct audit_entry, rcu);
	kfree(e);
}

/* Note that audit_add_rule and audit_del_rule are called via
 * audit_receive() in audit.c, and are protected by
 * audit_netlink_sem. */
static inline int audit_del_rule(struct audit_rule *rule,
				 struct list_head *list)
{
	struct audit_entry  *e;

	/* Do not use the _rcu iterator here, since this is the only
	 * deletion routine. */
	list_for_each_entry(e, list, list) {
		if (!audit_compare_rule(rule, &e->rule)) {
			list_del_rcu(&e->list);
			call_rcu(&e->rcu, audit_free_rule);
			return 0;
		}
	}
332
	return -ENOENT;		/* No matching rule */
L
Linus Torvalds 已提交
333 334
}

335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360
static int audit_list_rules(void *_dest)
{
	int pid, seq;
	int *dest = _dest;
	struct audit_entry *entry;
	int i;

	pid = dest[0];
	seq = dest[1];
	kfree(dest);

	down(&audit_netlink_sem);

	/* The *_rcu iterators not needed here because we are
	   always called with audit_netlink_sem held. */
	for (i=0; i<AUDIT_NR_FILTERS; i++) {
		list_for_each_entry(entry, &audit_filter_list[i], list)
			audit_send_reply(pid, seq, AUDIT_LIST, 0, 1,
					 &entry->rule, sizeof(entry->rule));
	}
	audit_send_reply(pid, seq, AUDIT_LIST, 1, 1, NULL, 0);
	
	up(&audit_netlink_sem);
	return 0;
}

361 362 363 364 365 366 367 368 369
/**
 * audit_receive_filter - apply all rules to the specified message type
 * @type: audit message type
 * @pid: target pid for netlink audit messages
 * @uid: target uid for netlink audit messages
 * @seq: netlink audit message sequence (serial) number
 * @data: payload data
 * @loginuid: loginuid of sender
 */
370 371
int audit_receive_filter(int type, int pid, int uid, int seq, void *data,
							uid_t loginuid)
L
Linus Torvalds 已提交
372
{
373 374
	struct task_struct *tsk;
	int *dest;
L
Linus Torvalds 已提交
375
	int		   err = 0;
376
	unsigned listnr;
L
Linus Torvalds 已提交
377 378 379

	switch (type) {
	case AUDIT_LIST:
380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395
		/* We can't just spew out the rules here because we might fill
		 * the available socket buffer space and deadlock waiting for
		 * auditctl to read from it... which isn't ever going to
		 * happen if we're actually running in the context of auditctl
		 * trying to _send_ the stuff */
		 
		dest = kmalloc(2 * sizeof(int), GFP_KERNEL);
		if (!dest)
			return -ENOMEM;
		dest[0] = pid;
		dest[1] = seq;

		tsk = kthread_run(audit_list_rules, dest, "audit_list_rules");
		if (IS_ERR(tsk)) {
			kfree(dest);
			err = PTR_ERR(tsk);
396
		}
L
Linus Torvalds 已提交
397 398
		break;
	case AUDIT_ADD:
399 400
		listnr =((struct audit_rule *)data)->flags & ~AUDIT_FILTER_PREPEND;
		if (listnr >= AUDIT_NR_FILTERS)
L
Linus Torvalds 已提交
401
			return -EINVAL;
402 403 404 405 406

		err = audit_add_rule(data, &audit_filter_list[listnr]);
		if (!err)
			audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
				  "auid=%u added an audit rule\n", loginuid);
L
Linus Torvalds 已提交
407 408
		break;
	case AUDIT_DEL:
409 410 411 412 413 414
		listnr =((struct audit_rule *)data)->flags & ~AUDIT_FILTER_PREPEND;
		if (listnr >= AUDIT_NR_FILTERS)
			return -EINVAL;

		err = audit_del_rule(data, &audit_filter_list[listnr]);
		if (!err)
415
			audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
416
				  "auid=%u removed an audit rule\n", loginuid);
L
Linus Torvalds 已提交
417 418 419 420 421 422 423 424
		break;
	default:
		return -EINVAL;
	}

	return err;
}

425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444
static int audit_comparator(const u32 left, const u32 op, const u32 right)
{
	switch (op) {
	case AUDIT_EQUAL:
		return (left == right);
	case AUDIT_NOT_EQUAL:
		return (left != right);
	case AUDIT_LESS_THAN:
		return (left < right);
	case AUDIT_LESS_THAN_OR_EQUAL:
		return (left <= right);
	case AUDIT_GREATER_THAN:
		return (left > right);
	case AUDIT_GREATER_THAN_OR_EQUAL:
		return (left >= right);
	default:
		return -EINVAL;
	}
}

L
Linus Torvalds 已提交
445 446 447 448 449 450 451 452 453 454
/* Compare a task_struct with an audit_rule.  Return 1 on match, 0
 * otherwise. */
static int audit_filter_rules(struct task_struct *tsk,
			      struct audit_rule *rule,
			      struct audit_context *ctx,
			      enum audit_state *state)
{
	int i, j;

	for (i = 0; i < rule->field_count; i++) {
455 456
		u32 field  = rule->fields[i] & ~AUDIT_OPERATORS;
		u32 op  = rule->fields[i] & AUDIT_OPERATORS;
L
Linus Torvalds 已提交
457 458 459 460 461
		u32 value  = rule->values[i];
		int result = 0;

		switch (field) {
		case AUDIT_PID:
462
			result = audit_comparator(tsk->pid, op, value);
L
Linus Torvalds 已提交
463 464
			break;
		case AUDIT_UID:
465
			result = audit_comparator(tsk->uid, op, value);
L
Linus Torvalds 已提交
466 467
			break;
		case AUDIT_EUID:
468
			result = audit_comparator(tsk->euid, op, value);
L
Linus Torvalds 已提交
469 470
			break;
		case AUDIT_SUID:
471
			result = audit_comparator(tsk->suid, op, value);
L
Linus Torvalds 已提交
472 473
			break;
		case AUDIT_FSUID:
474
			result = audit_comparator(tsk->fsuid, op, value);
L
Linus Torvalds 已提交
475 476
			break;
		case AUDIT_GID:
477
			result = audit_comparator(tsk->gid, op, value);
L
Linus Torvalds 已提交
478 479
			break;
		case AUDIT_EGID:
480
			result = audit_comparator(tsk->egid, op, value);
L
Linus Torvalds 已提交
481 482
			break;
		case AUDIT_SGID:
483
			result = audit_comparator(tsk->sgid, op, value);
L
Linus Torvalds 已提交
484 485
			break;
		case AUDIT_FSGID:
486
			result = audit_comparator(tsk->fsgid, op, value);
L
Linus Torvalds 已提交
487 488
			break;
		case AUDIT_PERS:
489
			result = audit_comparator(tsk->personality, op, value);
L
Linus Torvalds 已提交
490
			break;
491
		case AUDIT_ARCH:
492 493
 			if (ctx)
				result = audit_comparator(ctx->arch, op, value);
494
			break;
L
Linus Torvalds 已提交
495 496 497

		case AUDIT_EXIT:
			if (ctx && ctx->return_valid)
498
				result = audit_comparator(ctx->return_code, op, value);
L
Linus Torvalds 已提交
499 500
			break;
		case AUDIT_SUCCESS:
501 502
			if (ctx && ctx->return_valid) {
				if (value)
503
					result = audit_comparator(ctx->return_valid, op, AUDITSC_SUCCESS);
504
				else
505
					result = audit_comparator(ctx->return_valid, op, AUDITSC_FAILURE);
506
			}
L
Linus Torvalds 已提交
507 508 509 510
			break;
		case AUDIT_DEVMAJOR:
			if (ctx) {
				for (j = 0; j < ctx->name_count; j++) {
511
					if (audit_comparator(MAJOR(ctx->names[j].dev),	op, value)) {
L
Linus Torvalds 已提交
512 513 514 515 516 517 518 519 520
						++result;
						break;
					}
				}
			}
			break;
		case AUDIT_DEVMINOR:
			if (ctx) {
				for (j = 0; j < ctx->name_count; j++) {
521
					if (audit_comparator(MINOR(ctx->names[j].dev), op, value)) {
L
Linus Torvalds 已提交
522 523 524 525 526 527 528 529 530
						++result;
						break;
					}
				}
			}
			break;
		case AUDIT_INODE:
			if (ctx) {
				for (j = 0; j < ctx->name_count; j++) {
531 532
					if (audit_comparator(ctx->names[j].ino, op, value) ||
					    audit_comparator(ctx->names[j].pino, op, value)) {
L
Linus Torvalds 已提交
533 534 535 536 537 538 539 540 541
						++result;
						break;
					}
				}
			}
			break;
		case AUDIT_LOGINUID:
			result = 0;
			if (ctx)
542
				result = audit_comparator(ctx->loginuid, op, value);
L
Linus Torvalds 已提交
543 544 545 546 547 548
			break;
		case AUDIT_ARG0:
		case AUDIT_ARG1:
		case AUDIT_ARG2:
		case AUDIT_ARG3:
			if (ctx)
549
				result = audit_comparator(ctx->argv[field-AUDIT_ARG0], op, value);
L
Linus Torvalds 已提交
550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573
			break;
		}

		if (!result)
			return 0;
	}
	switch (rule->action) {
	case AUDIT_NEVER:    *state = AUDIT_DISABLED;	    break;
	case AUDIT_POSSIBLE: *state = AUDIT_BUILD_CONTEXT;  break;
	case AUDIT_ALWAYS:   *state = AUDIT_RECORD_CONTEXT; break;
	}
	return 1;
}

/* At process creation time, we can determine if system-call auditing is
 * completely disabled for this task.  Since we only have the task
 * structure at this point, we can only check uid and gid.
 */
static enum audit_state audit_filter_task(struct task_struct *tsk)
{
	struct audit_entry *e;
	enum audit_state   state;

	rcu_read_lock();
574
	list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TASK], list) {
L
Linus Torvalds 已提交
575 576 577 578 579 580 581 582 583 584 585
		if (audit_filter_rules(tsk, &e->rule, NULL, &state)) {
			rcu_read_unlock();
			return state;
		}
	}
	rcu_read_unlock();
	return AUDIT_BUILD_CONTEXT;
}

/* At syscall entry and exit time, this filter is called if the
 * audit_state is not low enough that auditing cannot take place, but is
S
Steve Grubb 已提交
586
 * also not high enough that we already know we have to write an audit
587
 * record (i.e., the state is AUDIT_SETUP_CONTEXT or AUDIT_BUILD_CONTEXT).
L
Linus Torvalds 已提交
588 589 590 591 592 593
 */
static enum audit_state audit_filter_syscall(struct task_struct *tsk,
					     struct audit_context *ctx,
					     struct list_head *list)
{
	struct audit_entry *e;
594
	enum audit_state state;
L
Linus Torvalds 已提交
595

596
	if (audit_pid && tsk->tgid == audit_pid)
597 598
		return AUDIT_DISABLED;

L
Linus Torvalds 已提交
599
	rcu_read_lock();
600
	if (!list_empty(list)) {
601 602 603 604 605 606 607 608 609 610
		int word = AUDIT_WORD(ctx->major);
		int bit  = AUDIT_BIT(ctx->major);

		list_for_each_entry_rcu(e, list, list) {
			if ((e->rule.mask[word] & bit) == bit
					&& audit_filter_rules(tsk, &e->rule, ctx, &state)) {
				rcu_read_unlock();
				return state;
			}
		}
L
Linus Torvalds 已提交
611 612 613 614 615
	}
	rcu_read_unlock();
	return AUDIT_BUILD_CONTEXT;
}

616
static int audit_filter_user_rules(struct netlink_skb_parms *cb,
617 618
				   struct audit_rule *rule,
				   enum audit_state *state)
619 620 621 622
{
	int i;

	for (i = 0; i < rule->field_count; i++) {
623 624
		u32 field  = rule->fields[i] & ~AUDIT_OPERATORS;
		u32 op  = rule->fields[i] & AUDIT_OPERATORS;
625 626 627 628 629
		u32 value  = rule->values[i];
		int result = 0;

		switch (field) {
		case AUDIT_PID:
630
			result = audit_comparator(cb->creds.pid, op, value);
631 632
			break;
		case AUDIT_UID:
633
			result = audit_comparator(cb->creds.uid, op, value);
634 635
			break;
		case AUDIT_GID:
636
			result = audit_comparator(cb->creds.gid, op, value);
637 638
			break;
		case AUDIT_LOGINUID:
639
			result = audit_comparator(cb->loginuid, op, value);
640 641 642 643 644 645 646 647 648 649 650 651 652 653 654
			break;
		}

		if (!result)
			return 0;
	}
	switch (rule->action) {
	case AUDIT_NEVER:    *state = AUDIT_DISABLED;	    break;
	case AUDIT_POSSIBLE: *state = AUDIT_BUILD_CONTEXT;  break;
	case AUDIT_ALWAYS:   *state = AUDIT_RECORD_CONTEXT; break;
	}
	return 1;
}

int audit_filter_user(struct netlink_skb_parms *cb, int type)
655 656 657
{
	struct audit_entry *e;
	enum audit_state   state;
658
	int ret = 1;
659 660 661

	rcu_read_lock();
	list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) {
662
		if (audit_filter_user_rules(cb, &e->rule, &state)) {
663 664 665
			if (state == AUDIT_DISABLED)
				ret = 0;
			break;
666 667 668
		}
	}
	rcu_read_unlock();
669

670
	return ret; /* Audit by default */
671 672
}

673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700 701 702 703 704
int audit_filter_type(int type)
{
	struct audit_entry *e;
	int result = 0;
	
	rcu_read_lock();
	if (list_empty(&audit_filter_list[AUDIT_FILTER_TYPE]))
		goto unlock_and_return;

	list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TYPE],
				list) {
		struct audit_rule *rule = &e->rule;
		int i;
		for (i = 0; i < rule->field_count; i++) {
			u32 field  = rule->fields[i] & ~AUDIT_OPERATORS;
			u32 op  = rule->fields[i] & AUDIT_OPERATORS;
			u32 value  = rule->values[i];
			if ( field == AUDIT_MSGTYPE ) {
				result = audit_comparator(type, op, value); 
				if (!result)
					break;
			}
		}
		if (result)
			goto unlock_and_return;
	}
unlock_and_return:
	rcu_read_unlock();
	return result;
}


L
Linus Torvalds 已提交
705 706 707 708 709 710 711 712 713 714 715 716
/* This should be called with task_lock() held. */
static inline struct audit_context *audit_get_context(struct task_struct *tsk,
						      int return_valid,
						      int return_code)
{
	struct audit_context *context = tsk->audit_context;

	if (likely(!context))
		return NULL;
	context->return_valid = return_valid;
	context->return_code  = return_code;

717
	if (context->in_syscall && !context->auditable) {
L
Linus Torvalds 已提交
718
		enum audit_state state;
719
		state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_EXIT]);
L
Linus Torvalds 已提交
720 721 722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744
		if (state == AUDIT_RECORD_CONTEXT)
			context->auditable = 1;
	}

	context->pid = tsk->pid;
	context->uid = tsk->uid;
	context->gid = tsk->gid;
	context->euid = tsk->euid;
	context->suid = tsk->suid;
	context->fsuid = tsk->fsuid;
	context->egid = tsk->egid;
	context->sgid = tsk->sgid;
	context->fsgid = tsk->fsgid;
	context->personality = tsk->personality;
	tsk->audit_context = NULL;
	return context;
}

static inline void audit_free_names(struct audit_context *context)
{
	int i;

#if AUDIT_DEBUG == 2
	if (context->auditable
	    ||context->put_count + context->ino_count != context->name_count) {
745
		printk(KERN_ERR "%s:%d(:%d): major=%d in_syscall=%d"
L
Linus Torvalds 已提交
746 747
		       " name_count=%d put_count=%d"
		       " ino_count=%d [NOT freeing]\n",
748
		       __FILE__, __LINE__,
L
Linus Torvalds 已提交
749 750 751
		       context->serial, context->major, context->in_syscall,
		       context->name_count, context->put_count,
		       context->ino_count);
752
		for (i = 0; i < context->name_count; i++) {
L
Linus Torvalds 已提交
753 754
			printk(KERN_ERR "names[%d] = %p = %s\n", i,
			       context->names[i].name,
755
			       context->names[i].name ?: "(null)");
756
		}
L
Linus Torvalds 已提交
757 758 759 760 761 762 763 764 765
		dump_stack();
		return;
	}
#endif
#if AUDIT_DEBUG
	context->put_count  = 0;
	context->ino_count  = 0;
#endif

766 767 768 769
	for (i = 0; i < context->name_count; i++) {
		char *p = context->names[i].ctx;
		context->names[i].ctx = NULL;
		kfree(p);
L
Linus Torvalds 已提交
770 771
		if (context->names[i].name)
			__putname(context->names[i].name);
772
	}
L
Linus Torvalds 已提交
773
	context->name_count = 0;
774 775 776 777 778 779
	if (context->pwd)
		dput(context->pwd);
	if (context->pwdmnt)
		mntput(context->pwdmnt);
	context->pwd = NULL;
	context->pwdmnt = NULL;
L
Linus Torvalds 已提交
780 781 782 783 784 785 786
}

static inline void audit_free_aux(struct audit_context *context)
{
	struct audit_aux_data *aux;

	while ((aux = context->aux)) {
787 788 789 790 791
		if (aux->type == AUDIT_AVC_PATH) {
			struct audit_aux_data_path *axi = (void *)aux;
			dput(axi->dentry);
			mntput(axi->mnt);
		}
792 793 794 795 796 797
		if ( aux->type == AUDIT_IPC ) {
			struct audit_aux_data_ipcctl *axi = (void *)aux;
			if (axi->ctx)
				kfree(axi->ctx);
		}

L
Linus Torvalds 已提交
798 799 800 801 802 803 804 805 806 807 808 809 810 811 812 813 814 815 816 817 818 819 820 821 822
		context->aux = aux->next;
		kfree(aux);
	}
}

static inline void audit_zero_context(struct audit_context *context,
				      enum audit_state state)
{
	uid_t loginuid = context->loginuid;

	memset(context, 0, sizeof(*context));
	context->state      = state;
	context->loginuid   = loginuid;
}

static inline struct audit_context *audit_alloc_context(enum audit_state state)
{
	struct audit_context *context;

	if (!(context = kmalloc(sizeof(*context), GFP_KERNEL)))
		return NULL;
	audit_zero_context(context, state);
	return context;
}

823 824 825 826 827
/**
 * audit_alloc - allocate an audit context block for a task
 * @tsk: task
 *
 * Filter on the task information and allocate a per-task audit context
L
Linus Torvalds 已提交
828 829
 * if necessary.  Doing so turns on system call auditing for the
 * specified task.  This is called from copy_process, so no lock is
830 831
 * needed.
 */
L
Linus Torvalds 已提交
832 833 834 835 836 837 838 839 840 841 842 843 844 845 846 847 848 849 850 851 852 853 854 855 856 857 858 859 860 861 862 863 864 865 866 867 868 869 870 871 872 873 874 875 876 877 878 879 880 881
int audit_alloc(struct task_struct *tsk)
{
	struct audit_context *context;
	enum audit_state     state;

	if (likely(!audit_enabled))
		return 0; /* Return if not auditing. */

	state = audit_filter_task(tsk);
	if (likely(state == AUDIT_DISABLED))
		return 0;

	if (!(context = audit_alloc_context(state))) {
		audit_log_lost("out of memory in audit_alloc");
		return -ENOMEM;
	}

				/* Preserve login uid */
	context->loginuid = -1;
	if (current->audit_context)
		context->loginuid = current->audit_context->loginuid;

	tsk->audit_context  = context;
	set_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT);
	return 0;
}

static inline void audit_free_context(struct audit_context *context)
{
	struct audit_context *previous;
	int		     count = 0;

	do {
		previous = context->previous;
		if (previous || (count &&  count < 10)) {
			++count;
			printk(KERN_ERR "audit(:%d): major=%d name_count=%d:"
			       " freeing multiple contexts (%d)\n",
			       context->serial, context->major,
			       context->name_count, count);
		}
		audit_free_names(context);
		audit_free_aux(context);
		kfree(context);
		context  = previous;
	} while (context);
	if (count >= 10)
		printk(KERN_ERR "audit: freed %d contexts\n", count);
}

882 883 884 885 886 887 888 889 890 891 892 893 894 895 896 897 898 899 900 901 902 903 904 905 906 907 908 909 910 911 912 913
static void audit_log_task_context(struct audit_buffer *ab, gfp_t gfp_mask)
{
	char *ctx = NULL;
	ssize_t len = 0;

	len = security_getprocattr(current, "current", NULL, 0);
	if (len < 0) {
		if (len != -EINVAL)
			goto error_path;
		return;
	}

	ctx = kmalloc(len, gfp_mask);
	if (!ctx) {
		goto error_path;
		return;
	}

	len = security_getprocattr(current, "current", ctx, len);
	if (len < 0 )
		goto error_path;

	audit_log_format(ab, " subj=%s", ctx);

error_path:
	if (ctx)
		kfree(ctx);
	audit_panic("security_getprocattr error in audit_log_task_context");
	return;
}

static void audit_log_task_info(struct audit_buffer *ab, gfp_t gfp_mask)
914 915 916 917 918 919
{
	char name[sizeof(current->comm)];
	struct mm_struct *mm = current->mm;
	struct vm_area_struct *vma;

	get_task_comm(name, current);
920 921
	audit_log_format(ab, " comm=");
	audit_log_untrustedstring(ab, name);
922 923 924 925

	if (!mm)
		return;

926 927 928 929
	/*
	 * this is brittle; all callers that pass GFP_ATOMIC will have
	 * NULL current->mm and we won't get here.
	 */
930 931 932 933 934 935 936 937 938 939 940 941 942
	down_read(&mm->mmap_sem);
	vma = mm->mmap;
	while (vma) {
		if ((vma->vm_flags & VM_EXECUTABLE) &&
		    vma->vm_file) {
			audit_log_d_path(ab, "exe=",
					 vma->vm_file->f_dentry,
					 vma->vm_file->f_vfsmnt);
			break;
		}
		vma = vma->vm_next;
	}
	up_read(&mm->mmap_sem);
943
	audit_log_task_context(ab, gfp_mask);
944 945
}

A
Al Viro 已提交
946
static void audit_log_exit(struct audit_context *context, gfp_t gfp_mask)
L
Linus Torvalds 已提交
947 948 949
{
	int i;
	struct audit_buffer *ab;
950
	struct audit_aux_data *aux;
L
Linus Torvalds 已提交
951

952
	ab = audit_log_start(context, gfp_mask, AUDIT_SYSCALL);
L
Linus Torvalds 已提交
953 954
	if (!ab)
		return;		/* audit_panic has been called */
955 956
	audit_log_format(ab, "arch=%x syscall=%d",
			 context->arch, context->major);
L
Linus Torvalds 已提交
957 958 959
	if (context->personality != PER_LINUX)
		audit_log_format(ab, " per=%lx", context->personality);
	if (context->return_valid)
960 961 962
		audit_log_format(ab, " success=%s exit=%ld", 
				 (context->return_valid==AUDITSC_SUCCESS)?"yes":"no",
				 context->return_code);
L
Linus Torvalds 已提交
963 964
	audit_log_format(ab,
		  " a0=%lx a1=%lx a2=%lx a3=%lx items=%d"
965 966 967
		  " pid=%d auid=%u uid=%u gid=%u"
		  " euid=%u suid=%u fsuid=%u"
		  " egid=%u sgid=%u fsgid=%u",
L
Linus Torvalds 已提交
968 969 970 971 972 973 974 975 976 977 978
		  context->argv[0],
		  context->argv[1],
		  context->argv[2],
		  context->argv[3],
		  context->name_count,
		  context->pid,
		  context->loginuid,
		  context->uid,
		  context->gid,
		  context->euid, context->suid, context->fsuid,
		  context->egid, context->sgid, context->fsgid);
979
	audit_log_task_info(ab, gfp_mask);
L
Linus Torvalds 已提交
980 981
	audit_log_end(ab);

982
	for (aux = context->aux; aux; aux = aux->next) {
983

984
		ab = audit_log_start(context, gfp_mask, aux->type);
L
Linus Torvalds 已提交
985 986 987 988
		if (!ab)
			continue; /* audit_panic has been called */

		switch (aux->type) {
989
		case AUDIT_IPC: {
L
Linus Torvalds 已提交
990 991
			struct audit_aux_data_ipcctl *axi = (void *)aux;
			audit_log_format(ab, 
992 993
					 " qbytes=%lx iuid=%u igid=%u mode=%x obj=%s",
					 axi->qbytes, axi->uid, axi->gid, axi->mode, axi->ctx);
994 995 996 997 998 999 1000 1001 1002 1003 1004 1005 1006 1007 1008 1009
			break; }

		case AUDIT_SOCKETCALL: {
			int i;
			struct audit_aux_data_socketcall *axs = (void *)aux;
			audit_log_format(ab, "nargs=%d", axs->nargs);
			for (i=0; i<axs->nargs; i++)
				audit_log_format(ab, " a%d=%lx", i, axs->args[i]);
			break; }

		case AUDIT_SOCKADDR: {
			struct audit_aux_data_sockaddr *axs = (void *)aux;

			audit_log_format(ab, "saddr=");
			audit_log_hex(ab, axs->a, axs->len);
			break; }
1010 1011 1012 1013 1014 1015

		case AUDIT_AVC_PATH: {
			struct audit_aux_data_path *axi = (void *)aux;
			audit_log_d_path(ab, "path=", axi->dentry, axi->mnt);
			break; }

L
Linus Torvalds 已提交
1016 1017 1018 1019
		}
		audit_log_end(ab);
	}

1020
	if (context->pwd && context->pwdmnt) {
1021
		ab = audit_log_start(context, gfp_mask, AUDIT_CWD);
1022 1023 1024 1025 1026
		if (ab) {
			audit_log_d_path(ab, "cwd=", context->pwd, context->pwdmnt);
			audit_log_end(ab);
		}
	}
L
Linus Torvalds 已提交
1027
	for (i = 0; i < context->name_count; i++) {
1028 1029 1030
		unsigned long ino  = context->names[i].ino;
		unsigned long pino = context->names[i].pino;

1031
		ab = audit_log_start(context, gfp_mask, AUDIT_PATH);
L
Linus Torvalds 已提交
1032 1033
		if (!ab)
			continue; /* audit_panic has been called */
1034

L
Linus Torvalds 已提交
1035
		audit_log_format(ab, "item=%d", i);
1036 1037 1038

		audit_log_format(ab, " name=");
		if (context->names[i].name)
1039
			audit_log_untrustedstring(ab, context->names[i].name);
1040 1041 1042 1043 1044 1045 1046 1047 1048 1049 1050 1051 1052 1053 1054 1055
		else
			audit_log_format(ab, "(null)");

		if (pino != (unsigned long)-1)
			audit_log_format(ab, " parent=%lu",  pino);
		if (ino != (unsigned long)-1)
			audit_log_format(ab, " inode=%lu",  ino);
		if ((pino != (unsigned long)-1) || (ino != (unsigned long)-1))
			audit_log_format(ab, " dev=%02x:%02x mode=%#o" 
					 " ouid=%u ogid=%u rdev=%02x:%02x", 
					 MAJOR(context->names[i].dev), 
					 MINOR(context->names[i].dev), 
					 context->names[i].mode, 
					 context->names[i].uid, 
					 context->names[i].gid, 
					 MAJOR(context->names[i].rdev), 
L
Linus Torvalds 已提交
1056
					 MINOR(context->names[i].rdev));
1057 1058 1059 1060 1061
		if (context->names[i].ctx) {
			audit_log_format(ab, " obj=%s",
					context->names[i].ctx);
		}

L
Linus Torvalds 已提交
1062 1063 1064 1065
		audit_log_end(ab);
	}
}

1066 1067 1068 1069 1070 1071
/**
 * audit_free - free a per-task audit context
 * @tsk: task whose audit context block to free
 *
 * Called from copy_process and __put_task_struct.
 */
L
Linus Torvalds 已提交
1072 1073 1074 1075 1076 1077 1078 1079 1080 1081 1082 1083
void audit_free(struct task_struct *tsk)
{
	struct audit_context *context;

	task_lock(tsk);
	context = audit_get_context(tsk, 0, 0);
	task_unlock(tsk);

	if (likely(!context))
		return;

	/* Check for system calls that do not go through the exit
1084 1085 1086
	 * function (e.g., exit_group), then free context block. 
	 * We use GFP_ATOMIC here because we might be doing this 
	 * in the context of the idle thread */
1087
	if (context->in_syscall && context->auditable)
1088
		audit_log_exit(context, GFP_ATOMIC);
L
Linus Torvalds 已提交
1089 1090 1091 1092

	audit_free_context(context);
}

1093 1094 1095 1096 1097 1098 1099 1100 1101 1102 1103
/**
 * audit_syscall_entry - fill in an audit record at syscall entry
 * @tsk: task being audited
 * @arch: architecture type
 * @major: major syscall type (function)
 * @a1: additional syscall register 1
 * @a2: additional syscall register 2
 * @a3: additional syscall register 3
 * @a4: additional syscall register 4
 *
 * Fill in audit context at syscall entry.  This only happens if the
L
Linus Torvalds 已提交
1104 1105 1106 1107 1108
 * audit context was created when the task was created and the state or
 * filters demand the audit context be built.  If the state from the
 * per-task filter or from the per-syscall filter is AUDIT_RECORD_CONTEXT,
 * then the record will be written at syscall exit time (otherwise, it
 * will only be written if another part of the kernel requests that it
1109 1110
 * be written).
 */
1111
void audit_syscall_entry(struct task_struct *tsk, int arch, int major,
L
Linus Torvalds 已提交
1112 1113 1114 1115 1116 1117 1118 1119
			 unsigned long a1, unsigned long a2,
			 unsigned long a3, unsigned long a4)
{
	struct audit_context *context = tsk->audit_context;
	enum audit_state     state;

	BUG_ON(!context);

1120 1121
	/*
	 * This happens only on certain architectures that make system
L
Linus Torvalds 已提交
1122 1123 1124 1125 1126 1127 1128 1129 1130 1131 1132 1133 1134 1135 1136 1137 1138 1139 1140 1141 1142 1143 1144 1145 1146 1147 1148 1149 1150 1151 1152 1153 1154 1155 1156 1157 1158 1159 1160
	 * calls in kernel_thread via the entry.S interface, instead of
	 * with direct calls.  (If you are porting to a new
	 * architecture, hitting this condition can indicate that you
	 * got the _exit/_leave calls backward in entry.S.)
	 *
	 * i386     no
	 * x86_64   no
	 * ppc64    yes (see arch/ppc64/kernel/misc.S)
	 *
	 * This also happens with vm86 emulation in a non-nested manner
	 * (entries without exits), so this case must be caught.
	 */
	if (context->in_syscall) {
		struct audit_context *newctx;

#if AUDIT_DEBUG
		printk(KERN_ERR
		       "audit(:%d) pid=%d in syscall=%d;"
		       " entering syscall=%d\n",
		       context->serial, tsk->pid, context->major, major);
#endif
		newctx = audit_alloc_context(context->state);
		if (newctx) {
			newctx->previous   = context;
			context		   = newctx;
			tsk->audit_context = newctx;
		} else	{
			/* If we can't alloc a new context, the best we
			 * can do is to leak memory (any pending putname
			 * will be lost).  The only other alternative is
			 * to abandon auditing. */
			audit_zero_context(context, context->state);
		}
	}
	BUG_ON(context->in_syscall || context->name_count);

	if (!audit_enabled)
		return;

1161
	context->arch	    = arch;
L
Linus Torvalds 已提交
1162 1163 1164 1165 1166 1167 1168 1169
	context->major      = major;
	context->argv[0]    = a1;
	context->argv[1]    = a2;
	context->argv[2]    = a3;
	context->argv[3]    = a4;

	state = context->state;
	if (state == AUDIT_SETUP_CONTEXT || state == AUDIT_BUILD_CONTEXT)
1170
		state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_ENTRY]);
L
Linus Torvalds 已提交
1171 1172 1173
	if (likely(state == AUDIT_DISABLED))
		return;

1174
	context->serial     = 0;
L
Linus Torvalds 已提交
1175 1176 1177 1178 1179
	context->ctime      = CURRENT_TIME;
	context->in_syscall = 1;
	context->auditable  = !!(state == AUDIT_RECORD_CONTEXT);
}

1180 1181 1182 1183 1184 1185 1186
/**
 * audit_syscall_exit - deallocate audit context after a system call
 * @tsk: task being audited
 * @valid: success/failure flag
 * @return_code: syscall return value
 *
 * Tear down after system call.  If the audit context has been marked as
L
Linus Torvalds 已提交
1187 1188 1189
 * auditable (either because of the AUDIT_RECORD_CONTEXT state from
 * filtering, or because some other part of the kernel write an audit
 * message), then write out the syscall information.  In call cases,
1190 1191
 * free the names stored from getname().
 */
1192
void audit_syscall_exit(struct task_struct *tsk, int valid, long return_code)
L
Linus Torvalds 已提交
1193 1194 1195 1196 1197
{
	struct audit_context *context;

	get_task_struct(tsk);
	task_lock(tsk);
1198
	context = audit_get_context(tsk, valid, return_code);
L
Linus Torvalds 已提交
1199 1200 1201 1202 1203
	task_unlock(tsk);

	/* Not having a context here is ok, since the parent may have
	 * called __put_task_struct. */
	if (likely(!context))
1204
		goto out;
L
Linus Torvalds 已提交
1205

1206
	if (context->in_syscall && context->auditable)
1207
		audit_log_exit(context, GFP_KERNEL);
L
Linus Torvalds 已提交
1208 1209 1210

	context->in_syscall = 0;
	context->auditable  = 0;
1211

L
Linus Torvalds 已提交
1212 1213 1214 1215 1216 1217 1218 1219 1220 1221
	if (context->previous) {
		struct audit_context *new_context = context->previous;
		context->previous  = NULL;
		audit_free_context(context);
		tsk->audit_context = new_context;
	} else {
		audit_free_names(context);
		audit_free_aux(context);
		tsk->audit_context = context;
	}
1222
 out:
L
Linus Torvalds 已提交
1223 1224 1225
	put_task_struct(tsk);
}

1226 1227 1228 1229 1230 1231 1232
/**
 * audit_getname - add a name to the list
 * @name: name to add
 *
 * Add a name to the list of audit names for this context.
 * Called from fs/namei.c:getname().
 */
L
Linus Torvalds 已提交
1233 1234 1235 1236 1237 1238 1239 1240 1241 1242 1243 1244 1245 1246 1247 1248 1249 1250 1251
void audit_getname(const char *name)
{
	struct audit_context *context = current->audit_context;

	if (!context || IS_ERR(name) || !name)
		return;

	if (!context->in_syscall) {
#if AUDIT_DEBUG == 2
		printk(KERN_ERR "%s:%d(:%d): ignoring getname(%p)\n",
		       __FILE__, __LINE__, context->serial, name);
		dump_stack();
#endif
		return;
	}
	BUG_ON(context->name_count >= AUDIT_NAMES);
	context->names[context->name_count].name = name;
	context->names[context->name_count].ino  = (unsigned long)-1;
	++context->name_count;
1252 1253 1254 1255 1256 1257 1258
	if (!context->pwd) {
		read_lock(&current->fs->lock);
		context->pwd = dget(current->fs->pwd);
		context->pwdmnt = mntget(current->fs->pwdmnt);
		read_unlock(&current->fs->lock);
	}
		
L
Linus Torvalds 已提交
1259 1260
}

1261 1262 1263 1264 1265 1266 1267
/* audit_putname - intercept a putname request
 * @name: name to intercept and delay for putname
 *
 * If we have stored the name from getname in the audit context,
 * then we delay the putname until syscall exit.
 * Called from include/linux/fs.h:putname().
 */
L
Linus Torvalds 已提交
1268 1269 1270 1271 1272 1273 1274 1275 1276 1277 1278 1279 1280 1281
void audit_putname(const char *name)
{
	struct audit_context *context = current->audit_context;

	BUG_ON(!context);
	if (!context->in_syscall) {
#if AUDIT_DEBUG == 2
		printk(KERN_ERR "%s:%d(:%d): __putname(%p)\n",
		       __FILE__, __LINE__, context->serial, name);
		if (context->name_count) {
			int i;
			for (i = 0; i < context->name_count; i++)
				printk(KERN_ERR "name[%d] = %p = %s\n", i,
				       context->names[i].name,
1282
				       context->names[i].name ?: "(null)");
L
Linus Torvalds 已提交
1283 1284 1285 1286 1287 1288 1289 1290 1291 1292 1293 1294 1295 1296 1297 1298 1299 1300 1301 1302 1303
		}
#endif
		__putname(name);
	}
#if AUDIT_DEBUG
	else {
		++context->put_count;
		if (context->put_count > context->name_count) {
			printk(KERN_ERR "%s:%d(:%d): major=%d"
			       " in_syscall=%d putname(%p) name_count=%d"
			       " put_count=%d\n",
			       __FILE__, __LINE__,
			       context->serial, context->major,
			       context->in_syscall, name, context->name_count,
			       context->put_count);
			dump_stack();
		}
	}
#endif
}

1304 1305 1306 1307 1308 1309 1310 1311 1312 1313 1314 1315 1316 1317 1318 1319 1320 1321 1322 1323 1324 1325 1326 1327 1328 1329 1330 1331 1332 1333 1334 1335 1336
void audit_inode_context(int idx, const struct inode *inode)
{
	struct audit_context *context = current->audit_context;
	char *ctx = NULL;
	int len = 0;

	if (!security_inode_xattr_getsuffix())
		return;

	len = security_inode_getsecurity(inode, (char *)security_inode_xattr_getsuffix(), NULL, 0, 0);
	if (len < 0) 
		goto error_path;

	ctx = kmalloc(len, GFP_KERNEL);
	if (!ctx) 
		goto error_path;

	len = security_inode_getsecurity(inode, (char *)security_inode_xattr_getsuffix(), ctx, len, 0);
	if (len < 0)
		goto error_path;

	kfree(context->names[idx].ctx);
	context->names[idx].ctx = ctx;
	return;

error_path:
	if (ctx)
		kfree(ctx);
	audit_panic("error in audit_inode_context");
	return;
}


1337 1338 1339 1340 1341 1342 1343 1344
/**
 * audit_inode - store the inode and device from a lookup
 * @name: name being audited
 * @inode: inode being audited
 * @flags: lookup flags (as used in path_lookup())
 *
 * Called from fs/namei.c:path_lookup().
 */
1345
void __audit_inode(const char *name, const struct inode *inode, unsigned flags)
L
Linus Torvalds 已提交
1346 1347 1348 1349 1350 1351 1352 1353 1354 1355 1356 1357 1358 1359 1360 1361 1362 1363 1364 1365 1366 1367 1368 1369 1370
{
	int idx;
	struct audit_context *context = current->audit_context;

	if (!context->in_syscall)
		return;
	if (context->name_count
	    && context->names[context->name_count-1].name
	    && context->names[context->name_count-1].name == name)
		idx = context->name_count - 1;
	else if (context->name_count > 1
		 && context->names[context->name_count-2].name
		 && context->names[context->name_count-2].name == name)
		idx = context->name_count - 2;
	else {
		/* FIXME: how much do we care about inodes that have no
		 * associated name? */
		if (context->name_count >= AUDIT_NAMES - AUDIT_NAMES_RESERVED)
			return;
		idx = context->name_count++;
		context->names[idx].name = NULL;
#if AUDIT_DEBUG
		++context->ino_count;
#endif
	}
1371 1372 1373 1374 1375
	context->names[idx].dev	  = inode->i_sb->s_dev;
	context->names[idx].mode  = inode->i_mode;
	context->names[idx].uid   = inode->i_uid;
	context->names[idx].gid   = inode->i_gid;
	context->names[idx].rdev  = inode->i_rdev;
1376
	audit_inode_context(idx, inode);
1377 1378 1379 1380 1381 1382 1383 1384 1385 1386 1387 1388 1389 1390 1391 1392 1393 1394 1395 1396 1397 1398 1399 1400 1401 1402 1403 1404 1405 1406 1407 1408 1409 1410 1411 1412 1413 1414 1415 1416 1417 1418 1419 1420 1421 1422 1423 1424 1425 1426 1427 1428 1429 1430 1431 1432 1433 1434 1435 1436 1437 1438 1439 1440 1441 1442 1443 1444 1445 1446 1447 1448 1449 1450 1451 1452 1453 1454 1455 1456 1457
	if ((flags & LOOKUP_PARENT) && (strcmp(name, "/") != 0) && 
	    (strcmp(name, ".") != 0)) {
		context->names[idx].ino   = (unsigned long)-1;
		context->names[idx].pino  = inode->i_ino;
	} else {
		context->names[idx].ino   = inode->i_ino;
		context->names[idx].pino  = (unsigned long)-1;
	}
}

/**
 * audit_inode_child - collect inode info for created/removed objects
 * @dname: inode's dentry name
 * @inode: inode being audited
 * @pino: inode number of dentry parent
 *
 * For syscalls that create or remove filesystem objects, audit_inode
 * can only collect information for the filesystem object's parent.
 * This call updates the audit context with the child's information.
 * Syscalls that create a new filesystem object must be hooked after
 * the object is created.  Syscalls that remove a filesystem object
 * must be hooked prior, in order to capture the target inode during
 * unsuccessful attempts.
 */
void __audit_inode_child(const char *dname, const struct inode *inode,
			 unsigned long pino)
{
	int idx;
	struct audit_context *context = current->audit_context;

	if (!context->in_syscall)
		return;

	/* determine matching parent */
	if (dname)
		for (idx = 0; idx < context->name_count; idx++)
			if (context->names[idx].pino == pino) {
				const char *n;
				const char *name = context->names[idx].name;
				int dlen = strlen(dname);
				int nlen = name ? strlen(name) : 0;

				if (nlen < dlen)
					continue;
				
				/* disregard trailing slashes */
				n = name + nlen - 1;
				while ((*n == '/') && (n > name))
					n--;

				/* find last path component */
				n = n - dlen + 1;
				if (n < name)
					continue;
				else if (n > name) {
					if (*--n != '/')
						continue;
					else
						n++;
				}

				if (strncmp(n, dname, dlen) == 0)
					goto update_context;
			}

	/* catch-all in case match not found */
	idx = context->name_count++;
	context->names[idx].name  = NULL;
	context->names[idx].pino  = pino;
#if AUDIT_DEBUG
	context->ino_count++;
#endif

update_context:
	if (inode) {
		context->names[idx].ino   = inode->i_ino;
		context->names[idx].dev	  = inode->i_sb->s_dev;
		context->names[idx].mode  = inode->i_mode;
		context->names[idx].uid   = inode->i_uid;
		context->names[idx].gid   = inode->i_gid;
		context->names[idx].rdev  = inode->i_rdev;
1458
		audit_inode_context(idx, inode);
1459
	}
L
Linus Torvalds 已提交
1460 1461
}

1462 1463 1464 1465 1466 1467 1468 1469
/**
 * auditsc_get_stamp - get local copies of audit_context values
 * @ctx: audit_context for the task
 * @t: timespec to store time recorded in the audit_context
 * @serial: serial value that is recorded in the audit_context
 *
 * Also sets the context as auditable.
 */
1470 1471
void auditsc_get_stamp(struct audit_context *ctx,
		       struct timespec *t, unsigned int *serial)
L
Linus Torvalds 已提交
1472
{
1473 1474
	if (!ctx->serial)
		ctx->serial = audit_serial();
1475 1476 1477 1478
	t->tv_sec  = ctx->ctime.tv_sec;
	t->tv_nsec = ctx->ctime.tv_nsec;
	*serial    = ctx->serial;
	ctx->auditable = 1;
L
Linus Torvalds 已提交
1479 1480
}

1481 1482 1483 1484 1485 1486 1487 1488 1489
/**
 * audit_set_loginuid - set a task's audit_context loginuid
 * @task: task whose audit context is being modified
 * @loginuid: loginuid value
 *
 * Returns 0.
 *
 * Called (set) from fs/proc/base.c::proc_loginuid_write().
 */
S
Steve Grubb 已提交
1490
int audit_set_loginuid(struct task_struct *task, uid_t loginuid)
L
Linus Torvalds 已提交
1491
{
S
Steve Grubb 已提交
1492
	if (task->audit_context) {
1493 1494
		struct audit_buffer *ab;

1495
		ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN);
1496 1497
		if (ab) {
			audit_log_format(ab, "login pid=%d uid=%u "
1498
				"old auid=%u new auid=%u",
1499 1500 1501 1502
				task->pid, task->uid, 
				task->audit_context->loginuid, loginuid);
			audit_log_end(ab);
		}
S
Steve Grubb 已提交
1503
		task->audit_context->loginuid = loginuid;
L
Linus Torvalds 已提交
1504 1505 1506 1507
	}
	return 0;
}

1508 1509 1510 1511 1512 1513
/**
 * audit_get_loginuid - get the loginuid for an audit_context
 * @ctx: the audit_context
 *
 * Returns the context's loginuid or -1 if @ctx is NULL.
 */
L
Linus Torvalds 已提交
1514 1515 1516 1517 1518
uid_t audit_get_loginuid(struct audit_context *ctx)
{
	return ctx ? ctx->loginuid : -1;
}

1519 1520 1521 1522 1523 1524 1525 1526 1527 1528 1529 1530 1531 1532 1533 1534 1535 1536 1537 1538 1539 1540 1541 1542 1543 1544 1545 1546 1547 1548 1549 1550
static char *audit_ipc_context(struct kern_ipc_perm *ipcp)
{
	struct audit_context *context = current->audit_context;
	char *ctx = NULL;
	int len = 0;

	if (likely(!context))
		return NULL;

	len = security_ipc_getsecurity(ipcp, NULL, 0);
	if (len == -EOPNOTSUPP)
		goto ret;
	if (len < 0)
		goto error_path;

	ctx = kmalloc(len, GFP_ATOMIC);
	if (!ctx)
		goto error_path;

	len = security_ipc_getsecurity(ipcp, ctx, len);
	if (len < 0)
		goto error_path;

	return ctx;

error_path:
	kfree(ctx);
	audit_panic("error in audit_ipc_context");
ret:
	return NULL;
}

1551 1552 1553 1554 1555 1556 1557 1558 1559
/**
 * audit_ipc_perms - record audit data for ipc
 * @qbytes: msgq bytes
 * @uid: msgq user id
 * @gid: msgq group id
 * @mode: msgq mode (permissions)
 *
 * Returns 0 for success or NULL context or < 0 on error.
 */
1560
int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode, struct kern_ipc_perm *ipcp)
L
Linus Torvalds 已提交
1561 1562 1563 1564 1565 1566 1567
{
	struct audit_aux_data_ipcctl *ax;
	struct audit_context *context = current->audit_context;

	if (likely(!context))
		return 0;

1568
	ax = kmalloc(sizeof(*ax), GFP_ATOMIC);
L
Linus Torvalds 已提交
1569 1570 1571 1572 1573 1574 1575
	if (!ax)
		return -ENOMEM;

	ax->qbytes = qbytes;
	ax->uid = uid;
	ax->gid = gid;
	ax->mode = mode;
1576
	ax->ctx = audit_ipc_context(ipcp);
L
Linus Torvalds 已提交
1577

1578
	ax->d.type = AUDIT_IPC;
L
Linus Torvalds 已提交
1579 1580 1581 1582
	ax->d.next = context->aux;
	context->aux = (void *)ax;
	return 0;
}
1583

1584 1585 1586 1587 1588 1589 1590
/**
 * audit_socketcall - record audit data for sys_socketcall
 * @nargs: number of args
 * @args: args array
 *
 * Returns 0 for success or NULL context or < 0 on error.
 */
1591 1592 1593 1594 1595 1596 1597 1598 1599 1600 1601 1602 1603 1604 1605 1606 1607 1608 1609 1610 1611
int audit_socketcall(int nargs, unsigned long *args)
{
	struct audit_aux_data_socketcall *ax;
	struct audit_context *context = current->audit_context;

	if (likely(!context))
		return 0;

	ax = kmalloc(sizeof(*ax) + nargs * sizeof(unsigned long), GFP_KERNEL);
	if (!ax)
		return -ENOMEM;

	ax->nargs = nargs;
	memcpy(ax->args, args, nargs * sizeof(unsigned long));

	ax->d.type = AUDIT_SOCKETCALL;
	ax->d.next = context->aux;
	context->aux = (void *)ax;
	return 0;
}

1612 1613 1614 1615 1616 1617 1618
/**
 * audit_sockaddr - record audit data for sys_bind, sys_connect, sys_sendto
 * @len: data length in user space
 * @a: data address in kernel space
 *
 * Returns 0 for success or NULL context or < 0 on error.
 */
1619 1620 1621 1622 1623 1624 1625 1626 1627 1628 1629 1630 1631 1632 1633 1634 1635 1636 1637 1638 1639
int audit_sockaddr(int len, void *a)
{
	struct audit_aux_data_sockaddr *ax;
	struct audit_context *context = current->audit_context;

	if (likely(!context))
		return 0;

	ax = kmalloc(sizeof(*ax) + len, GFP_KERNEL);
	if (!ax)
		return -ENOMEM;

	ax->len = len;
	memcpy(ax->a, a, len);

	ax->d.type = AUDIT_SOCKADDR;
	ax->d.next = context->aux;
	context->aux = (void *)ax;
	return 0;
}

1640 1641 1642 1643 1644 1645 1646 1647 1648
/**
 * audit_avc_path - record the granting or denial of permissions
 * @dentry: dentry to record
 * @mnt: mnt to record
 *
 * Returns 0 for success or NULL context or < 0 on error.
 *
 * Called from security/selinux/avc.c::avc_audit()
 */
1649 1650 1651 1652 1653 1654 1655 1656 1657 1658 1659 1660 1661 1662 1663 1664 1665 1666 1667 1668 1669
int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt)
{
	struct audit_aux_data_path *ax;
	struct audit_context *context = current->audit_context;

	if (likely(!context))
		return 0;

	ax = kmalloc(sizeof(*ax), GFP_ATOMIC);
	if (!ax)
		return -ENOMEM;

	ax->dentry = dget(dentry);
	ax->mnt = mntget(mnt);

	ax->d.type = AUDIT_AVC_PATH;
	ax->d.next = context->aux;
	context->aux = (void *)ax;
	return 0;
}

1670 1671 1672 1673 1674 1675 1676 1677
/**
 * audit_signal_info - record signal info for shutting down audit subsystem
 * @sig: signal value
 * @t: task being signaled
 *
 * If the audit subsystem is being terminated, record the task (pid)
 * and uid that is doing that.
 */
1678 1679 1680 1681 1682
void audit_signal_info(int sig, struct task_struct *t)
{
	extern pid_t audit_sig_pid;
	extern uid_t audit_sig_uid;

1683
	if (unlikely(audit_pid && t->tgid == audit_pid)) {
1684 1685 1686 1687 1688 1689 1690 1691 1692 1693
		if (sig == SIGTERM || sig == SIGHUP) {
			struct audit_context *ctx = current->audit_context;
			audit_sig_pid = current->pid;
			if (ctx)
				audit_sig_uid = ctx->loginuid;
			else
				audit_sig_uid = current->uid;
		}
	}
}