audit.c 47.7 KB
Newer Older
1
/* audit.c -- Auditing support
L
Linus Torvalds 已提交
2 3 4
 * Gateway between the kernel (e.g., selinux) and the user-space audit daemon.
 * System-call specific features have moved to auditsc.c
 *
S
Steve Grubb 已提交
5
 * Copyright 2003-2007 Red Hat Inc., Durham, North Carolina.
L
Linus Torvalds 已提交
6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
 * All Rights Reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 *
 * Written by Rickard E. (Rik) Faith <faith@redhat.com>
 *
24
 * Goals: 1) Integrate fully with Security Modules.
L
Linus Torvalds 已提交
25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40
 *	  2) Minimal run-time overhead:
 *	     a) Minimal when syscall auditing is disabled (audit_enable=0).
 *	     b) Small when syscall auditing is enabled and no audit record
 *		is generated (defer as much work as possible to record
 *		generation time):
 *		i) context is allocated,
 *		ii) names from getname are stored without a copy, and
 *		iii) inode information stored from path_lookup.
 *	  3) Ability to disable syscall auditing at boot time (audit=0).
 *	  4) Usable by other parts of the kernel (if audit_log* is called,
 *	     then a syscall record will be generated automatically for the
 *	     current syscall).
 *	  5) Netlink interface to user-space.
 *	  6) Support low-overhead kernel-based filtering to minimize the
 *	     information that must be passed to user-space.
 *
41
 * Example user-space utilities: http://people.redhat.com/sgrubb/audit/
L
Linus Torvalds 已提交
42 43 44 45
 */

#include <linux/init.h>
#include <asm/types.h>
A
Arun Sharma 已提交
46
#include <linux/atomic.h>
L
Linus Torvalds 已提交
47
#include <linux/mm.h>
48
#include <linux/export.h>
49
#include <linux/slab.h>
50 51
#include <linux/err.h>
#include <linux/kthread.h>
52
#include <linux/kernel.h>
53
#include <linux/syscalls.h>
L
Linus Torvalds 已提交
54 55 56 57

#include <linux/audit.h>

#include <net/sock.h>
58
#include <net/netlink.h>
L
Linus Torvalds 已提交
59
#include <linux/skbuff.h>
60 61 62
#ifdef CONFIG_SECURITY
#include <linux/security.h>
#endif
63
#include <linux/freezer.h>
M
Miloslav Trmac 已提交
64
#include <linux/tty.h>
65
#include <linux/pid_namespace.h>
66 67

#include "audit.h"
L
Linus Torvalds 已提交
68

69
/* No auditing will take place until audit_initialized == AUDIT_INITIALIZED.
L
Linus Torvalds 已提交
70
 * (Initialization happens after skb_init is called.) */
71 72 73
#define AUDIT_DISABLED		-1
#define AUDIT_UNINITIALIZED	0
#define AUDIT_INITIALIZED	1
L
Linus Torvalds 已提交
74 75
static int	audit_initialized;

76 77 78
#define AUDIT_OFF	0
#define AUDIT_ON	1
#define AUDIT_LOCKED	2
L
Linus Torvalds 已提交
79
int		audit_enabled;
80
int		audit_ever_enabled;
L
Linus Torvalds 已提交
81

82 83
EXPORT_SYMBOL_GPL(audit_enabled);

L
Linus Torvalds 已提交
84 85 86 87 88 89
/* Default state when kernel boots without any parameters. */
static int	audit_default;

/* If auditing cannot proceed, audit_failure selects what happens. */
static int	audit_failure = AUDIT_FAIL_PRINTK;

90 91
/*
 * If audit records are to be written to the netlink socket, audit_pid
92 93
 * contains the pid of the auditd process and audit_nlk_portid contains
 * the portid to use to send netlink messages to that process.
94
 */
95
int		audit_pid;
96
static __u32	audit_nlk_portid;
L
Linus Torvalds 已提交
97

98
/* If audit_rate_limit is non-zero, limit the rate of sending audit records
L
Linus Torvalds 已提交
99 100 101 102 103 104
 * to that number per second.  This prevents DoS attacks, but results in
 * audit records being dropped. */
static int	audit_rate_limit;

/* Number of outstanding audit_buffers allowed. */
static int	audit_backlog_limit = 64;
105 106
static int	audit_backlog_wait_time = 60 * HZ;
static int	audit_backlog_wait_overflow = 0;
L
Linus Torvalds 已提交
107

108
/* The identity of the user shutting down the audit system. */
109
kuid_t		audit_sig_uid = INVALID_UID;
110
pid_t		audit_sig_pid = -1;
111
u32		audit_sig_sid = 0;
112

L
Linus Torvalds 已提交
113 114 115 116 117 118 119 120 121 122 123 124
/* Records can be lost in several ways:
   0) [suppressed in audit_alloc]
   1) out of memory in audit_log_start [kmalloc of struct audit_buffer]
   2) out of memory in audit_log_move [alloc_skb]
   3) suppressed due to audit_rate_limit
   4) suppressed due to audit_backlog_limit
*/
static atomic_t    audit_lost = ATOMIC_INIT(0);

/* The netlink socket. */
static struct sock *audit_sock;

A
Amy Griffis 已提交
125 126 127
/* Hash for inode-based rules */
struct list_head audit_inode_hash[AUDIT_INODE_BUCKETS];

128
/* The audit_freelist is a list of pre-allocated audit buffers (if more
L
Linus Torvalds 已提交
129 130 131
 * than AUDIT_MAXFREE are in use, the audit buffer is freed instead of
 * being placed on the freelist). */
static DEFINE_SPINLOCK(audit_freelist_lock);
132
static int	   audit_freelist_count;
L
Linus Torvalds 已提交
133 134
static LIST_HEAD(audit_freelist);

135
static struct sk_buff_head audit_skb_queue;
136 137
/* queue of skbs to send to auditd when/if it comes back */
static struct sk_buff_head audit_skb_hold_queue;
138 139
static struct task_struct *kauditd_task;
static DECLARE_WAIT_QUEUE_HEAD(kauditd_wait);
140
static DECLARE_WAIT_QUEUE_HEAD(audit_backlog_wait);
L
Linus Torvalds 已提交
141

142 143 144 145 146
static struct audit_features af = {.vers = AUDIT_FEATURE_VERSION,
				   .mask = -1,
				   .features = 0,
				   .lock = 0,};

147
static char *audit_feature_names[2] = {
148
	"only_unset_loginuid",
149
	"loginuid_immutable",
150 151 152
};


A
Amy Griffis 已提交
153
/* Serialize requests from userspace. */
A
Al Viro 已提交
154
DEFINE_MUTEX(audit_cmd_mutex);
L
Linus Torvalds 已提交
155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171

/* AUDIT_BUFSIZ is the size of the temporary buffer used for formatting
 * audit records.  Since printk uses a 1024 byte buffer, this buffer
 * should be at least that large. */
#define AUDIT_BUFSIZ 1024

/* AUDIT_MAXFREE is the number of empty audit_buffers we keep on the
 * audit_freelist.  Doing so eliminates many kmalloc/kfree calls. */
#define AUDIT_MAXFREE  (2*NR_CPUS)

/* The audit_buffer is used when formatting an audit record.  The caller
 * locks briefly to get the record off the freelist or to allocate the
 * buffer, and locks briefly to send the buffer to the netlink layer or
 * to place it on a transmit queue.  Multiple audit_buffers can be in
 * use simultaneously. */
struct audit_buffer {
	struct list_head     list;
172
	struct sk_buff       *skb;	/* formatted skb ready to send */
L
Linus Torvalds 已提交
173
	struct audit_context *ctx;	/* NULL or associated context */
A
Al Viro 已提交
174
	gfp_t		     gfp_mask;
L
Linus Torvalds 已提交
175 176
};

177
struct audit_reply {
178
	__u32 portid;
179 180 181
	struct sk_buff *skb;
};

182
static void audit_set_portid(struct audit_buffer *ab, __u32 portid)
183
{
184 185
	if (ab) {
		struct nlmsghdr *nlh = nlmsg_hdr(ab->skb);
186
		nlh->nlmsg_pid = portid;
187
	}
188 189
}

190
void audit_panic(const char *message)
L
Linus Torvalds 已提交
191 192 193 194 195 196
{
	switch (audit_failure)
	{
	case AUDIT_FAIL_SILENT:
		break;
	case AUDIT_FAIL_PRINTK:
197 198
		if (printk_ratelimit())
			printk(KERN_ERR "audit: %s\n", message);
L
Linus Torvalds 已提交
199 200
		break;
	case AUDIT_FAIL_PANIC:
201 202 203
		/* test audit_pid since printk is always losey, why bother? */
		if (audit_pid)
			panic("audit: %s\n", message);
L
Linus Torvalds 已提交
204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236
		break;
	}
}

static inline int audit_rate_check(void)
{
	static unsigned long	last_check = 0;
	static int		messages   = 0;
	static DEFINE_SPINLOCK(lock);
	unsigned long		flags;
	unsigned long		now;
	unsigned long		elapsed;
	int			retval	   = 0;

	if (!audit_rate_limit) return 1;

	spin_lock_irqsave(&lock, flags);
	if (++messages < audit_rate_limit) {
		retval = 1;
	} else {
		now     = jiffies;
		elapsed = now - last_check;
		if (elapsed > HZ) {
			last_check = now;
			messages   = 0;
			retval     = 1;
		}
	}
	spin_unlock_irqrestore(&lock, flags);

	return retval;
}

237 238 239 240 241 242 243 244
/**
 * audit_log_lost - conditionally log lost audit message event
 * @message: the message stating reason for lost audit message
 *
 * Emit at least 1 message per second, even if audit_rate_check is
 * throttling.
 * Always increment the lost messages counter.
*/
L
Linus Torvalds 已提交
245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267
void audit_log_lost(const char *message)
{
	static unsigned long	last_msg = 0;
	static DEFINE_SPINLOCK(lock);
	unsigned long		flags;
	unsigned long		now;
	int			print;

	atomic_inc(&audit_lost);

	print = (audit_failure == AUDIT_FAIL_PANIC || !audit_rate_limit);

	if (!print) {
		spin_lock_irqsave(&lock, flags);
		now = jiffies;
		if (now - last_msg > HZ) {
			print = 1;
			last_msg = now;
		}
		spin_unlock_irqrestore(&lock, flags);
	}

	if (print) {
268 269 270 271 272 273 274
		if (printk_ratelimit())
			printk(KERN_WARNING
				"audit: audit_lost=%d audit_rate_limit=%d "
				"audit_backlog_limit=%d\n",
				atomic_read(&audit_lost),
				audit_rate_limit,
				audit_backlog_limit);
L
Linus Torvalds 已提交
275 276 277 278
		audit_panic(message);
	}
}

279
static int audit_log_config_change(char *function_name, int new, int old,
280
				   int allow_changes)
L
Linus Torvalds 已提交
281
{
282 283
	struct audit_buffer *ab;
	int rc = 0;
284

285
	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
286 287
	if (unlikely(!ab))
		return rc;
E
Eric Paris 已提交
288 289
	audit_log_format(ab, "%s=%d old=%d", function_name, new, old);
	audit_log_session_info(ab);
290 291 292
	rc = audit_log_task_context(ab);
	if (rc)
		allow_changes = 0; /* Something weird, deny request */
293 294
	audit_log_format(ab, " res=%d", allow_changes);
	audit_log_end(ab);
S
Steve Grubb 已提交
295
	return rc;
L
Linus Torvalds 已提交
296 297
}

298
static int audit_do_config_change(char *function_name, int *to_change, int new)
L
Linus Torvalds 已提交
299
{
300
	int allow_changes, rc = 0, old = *to_change;
S
Steve Grubb 已提交
301 302

	/* check if we are locked */
303 304
	if (audit_enabled == AUDIT_LOCKED)
		allow_changes = 0;
S
Steve Grubb 已提交
305
	else
306
		allow_changes = 1;
307

308
	if (audit_enabled != AUDIT_OFF) {
309
		rc = audit_log_config_change(function_name, new, old, allow_changes);
310 311
		if (rc)
			allow_changes = 0;
S
Steve Grubb 已提交
312 313 314
	}

	/* If we are allowed, make the change */
315 316
	if (allow_changes == 1)
		*to_change = new;
S
Steve Grubb 已提交
317 318 319 320
	/* Not allowed, update reason */
	else if (rc == 0)
		rc = -EPERM;
	return rc;
L
Linus Torvalds 已提交
321 322
}

323
static int audit_set_rate_limit(int limit)
L
Linus Torvalds 已提交
324
{
325
	return audit_do_config_change("audit_rate_limit", &audit_rate_limit, limit);
326
}
327

328
static int audit_set_backlog_limit(int limit)
329
{
330
	return audit_do_config_change("audit_backlog_limit", &audit_backlog_limit, limit);
331
}
S
Steve Grubb 已提交
332

333
static int audit_set_enabled(int state)
334
{
335
	int rc;
336 337
	if (state < AUDIT_OFF || state > AUDIT_LOCKED)
		return -EINVAL;
S
Steve Grubb 已提交
338

339
	rc =  audit_do_config_change("audit_enabled", &audit_enabled, state);
340 341 342 343
	if (!rc)
		audit_ever_enabled |= !!state;

	return rc;
L
Linus Torvalds 已提交
344 345
}

346
static int audit_set_failure(int state)
L
Linus Torvalds 已提交
347 348 349 350 351
{
	if (state != AUDIT_FAIL_SILENT
	    && state != AUDIT_FAIL_PRINTK
	    && state != AUDIT_FAIL_PANIC)
		return -EINVAL;
352

353
	return audit_do_config_change("audit_failure", &audit_failure, state);
L
Linus Torvalds 已提交
354 355
}

356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373
/*
 * Queue skbs to be sent to auditd when/if it comes back.  These skbs should
 * already have been sent via prink/syslog and so if these messages are dropped
 * it is not a huge concern since we already passed the audit_log_lost()
 * notification and stuff.  This is just nice to get audit messages during
 * boot before auditd is running or messages generated while auditd is stopped.
 * This only holds messages is audit_default is set, aka booting with audit=1
 * or building your kernel that way.
 */
static void audit_hold_skb(struct sk_buff *skb)
{
	if (audit_default &&
	    skb_queue_len(&audit_skb_hold_queue) < audit_backlog_limit)
		skb_queue_tail(&audit_skb_hold_queue, skb);
	else
		kfree_skb(skb);
}

374 375 376 377 378 379 380
/*
 * For one reason or another this nlh isn't getting delivered to the userspace
 * audit daemon, just send it to printk.
 */
static void audit_printk_skb(struct sk_buff *skb)
{
	struct nlmsghdr *nlh = nlmsg_hdr(skb);
381
	char *data = nlmsg_data(nlh);
382 383 384 385 386 387 388 389 390 391 392

	if (nlh->nlmsg_type != AUDIT_EOE) {
		if (printk_ratelimit())
			printk(KERN_NOTICE "type=%d %s\n", nlh->nlmsg_type, data);
		else
			audit_log_lost("printk limit exceeded\n");
	}

	audit_hold_skb(skb);
}

393 394 395 396 397
static void kauditd_send_skb(struct sk_buff *skb)
{
	int err;
	/* take a reference in case we can't send it and we want to hold it */
	skb_get(skb);
398
	err = netlink_unicast(audit_sock, skb, audit_nlk_portid, 0);
399
	if (err < 0) {
400
		BUG_ON(err != -ECONNREFUSED); /* Shouldn't happen */
401
		printk(KERN_ERR "audit: *NO* daemon at audit_pid=%d\n", audit_pid);
R
Ross Kirk 已提交
402
		audit_log_lost("auditd disappeared\n");
403 404 405 406 407
		audit_pid = 0;
		/* we might get lucky and get this in the next auditd */
		audit_hold_skb(skb);
	} else
		/* drop the extra reference if sent ok */
408
		consume_skb(skb);
409 410
}

411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426
/*
 * flush_hold_queue - empty the hold queue if auditd appears
 *
 * If auditd just started, drain the queue of messages already
 * sent to syslog/printk.  Remember loss here is ok.  We already
 * called audit_log_lost() if it didn't go out normally.  so the
 * race between the skb_dequeue and the next check for audit_pid
 * doesn't matter.
 *
 * If you ever find kauditd to be too slow we can get a perf win
 * by doing our own locking and keeping better track if there
 * are messages in this queue.  I don't see the need now, but
 * in 5 years when I want to play with this again I'll see this
 * note and still have no friggin idea what i'm thinking today.
 */
static void flush_hold_queue(void)
427 428 429
{
	struct sk_buff *skb;

430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449
	if (!audit_default || !audit_pid)
		return;

	skb = skb_dequeue(&audit_skb_hold_queue);
	if (likely(!skb))
		return;

	while (skb && audit_pid) {
		kauditd_send_skb(skb);
		skb = skb_dequeue(&audit_skb_hold_queue);
	}

	/*
	 * if auditd just disappeared but we
	 * dequeued an skb we need to drop ref
	 */
	if (skb)
		consume_skb(skb);
}

A
Adrian Bunk 已提交
450
static int kauditd_thread(void *dummy)
451
{
452
	set_freezable();
A
Andrew Morton 已提交
453
	while (!kthread_should_stop()) {
454 455 456
		struct sk_buff *skb;
		DECLARE_WAITQUEUE(wait, current);

457
		flush_hold_queue();
458

459
		skb = skb_dequeue(&audit_skb_queue);
460
		wake_up(&audit_backlog_wait);
461
		if (skb) {
462 463
			if (audit_pid)
				kauditd_send_skb(skb);
464 465
			else
				audit_printk_skb(skb);
466 467 468 469
			continue;
		}
		set_current_state(TASK_INTERRUPTIBLE);
		add_wait_queue(&kauditd_wait, &wait);
470

471 472 473
		if (!skb_queue_len(&audit_skb_queue)) {
			try_to_freeze();
			schedule();
474
		}
475 476 477

		__set_current_state(TASK_RUNNING);
		remove_wait_queue(&kauditd_wait, &wait);
478
	}
A
Andrew Morton 已提交
479
	return 0;
480 481
}

482 483 484
int audit_send_list(void *_dest)
{
	struct audit_netlink_list *dest = _dest;
485
	__u32 portid = dest->portid;
486 487 488
	struct sk_buff *skb;

	/* wait for parent to finish and send an ACK */
A
Amy Griffis 已提交
489 490
	mutex_lock(&audit_cmd_mutex);
	mutex_unlock(&audit_cmd_mutex);
491 492

	while ((skb = __skb_dequeue(&dest->q)) != NULL)
493
		netlink_unicast(audit_sock, skb, portid, 0);
494 495 496 497 498 499

	kfree(dest);

	return 0;
}

500
struct sk_buff *audit_make_reply(__u32 portid, int seq, int type, int done,
S
Stephen Hemminger 已提交
501
				 int multi, const void *payload, int size)
502 503 504 505 506 507 508
{
	struct sk_buff	*skb;
	struct nlmsghdr	*nlh;
	void		*data;
	int		flags = multi ? NLM_F_MULTI : 0;
	int		t     = done  ? NLMSG_DONE  : type;

509
	skb = nlmsg_new(size, GFP_KERNEL);
510 511 512
	if (!skb)
		return NULL;

513
	nlh	= nlmsg_put(skb, portid, seq, t, size, flags);
514 515 516
	if (!nlh)
		goto out_kfree_skb;
	data = nlmsg_data(nlh);
517 518 519
	memcpy(data, payload, size);
	return skb;

520 521
out_kfree_skb:
	kfree_skb(skb);
522 523 524
	return NULL;
}

525 526 527 528 529 530 531 532 533
static int audit_send_reply_thread(void *arg)
{
	struct audit_reply *reply = (struct audit_reply *)arg;

	mutex_lock(&audit_cmd_mutex);
	mutex_unlock(&audit_cmd_mutex);

	/* Ignore failure. It'll only happen if the sender goes away,
	   because our timeout is set to infinite. */
534
	netlink_unicast(audit_sock, reply->skb, reply->portid, 0);
535 536 537
	kfree(reply);
	return 0;
}
538 539
/**
 * audit_send_reply - send an audit reply message via netlink
540
 * @portid: netlink port to which to send reply
541 542 543 544 545 546 547
 * @seq: sequence number
 * @type: audit message type
 * @done: done (last) flag
 * @multi: multi-part message flag
 * @payload: payload data
 * @size: payload size
 *
548
 * Allocates an skb, builds the netlink message, and sends it to the port id.
549 550
 * No failure notifications.
 */
551 552
static void audit_send_reply(__u32 portid, int seq, int type, int done,
			     int multi, const void *payload, int size)
L
Linus Torvalds 已提交
553
{
554 555 556 557 558 559 560 561
	struct sk_buff *skb;
	struct task_struct *tsk;
	struct audit_reply *reply = kmalloc(sizeof(struct audit_reply),
					    GFP_KERNEL);

	if (!reply)
		return;

562
	skb = audit_make_reply(portid, seq, type, done, multi, payload, size);
L
Linus Torvalds 已提交
563
	if (!skb)
564
		goto out;
565

566
	reply->portid = portid;
567 568 569
	reply->skb = skb;

	tsk = kthread_run(audit_send_reply_thread, reply, "audit_send_reply");
570 571 572 573 574
	if (!IS_ERR(tsk))
		return;
	kfree_skb(skb);
out:
	kfree(reply);
L
Linus Torvalds 已提交
575 576 577 578 579 580
}

/*
 * Check for appropriate CAP_AUDIT_ capabilities on incoming audit
 * control messages.
 */
581
static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
L
Linus Torvalds 已提交
582 583 584
{
	int err = 0;

585 586 587 588 589
	/* Only support the initial namespaces for now. */
	if ((current_user_ns() != &init_user_ns) ||
	    (task_active_pid_ns(current) != &init_pid_ns))
		return -EPERM;

L
Linus Torvalds 已提交
590 591 592 593
	switch (msg_type) {
	case AUDIT_LIST:
	case AUDIT_ADD:
	case AUDIT_DEL:
594 595 596
		return -EOPNOTSUPP;
	case AUDIT_GET:
	case AUDIT_SET:
597 598
	case AUDIT_GET_FEATURE:
	case AUDIT_SET_FEATURE:
599 600
	case AUDIT_LIST_RULES:
	case AUDIT_ADD_RULE:
601
	case AUDIT_DEL_RULE:
602
	case AUDIT_SIGNAL_INFO:
M
Miloslav Trmac 已提交
603 604
	case AUDIT_TTY_GET:
	case AUDIT_TTY_SET:
A
Al Viro 已提交
605 606
	case AUDIT_TRIM:
	case AUDIT_MAKE_EQUIV:
607
		if (!capable(CAP_AUDIT_CONTROL))
L
Linus Torvalds 已提交
608 609
			err = -EPERM;
		break;
610
	case AUDIT_USER:
611 612
	case AUDIT_FIRST_USER_MSG ... AUDIT_LAST_USER_MSG:
	case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2:
613
		if (!capable(CAP_AUDIT_WRITE))
L
Linus Torvalds 已提交
614 615 616 617 618 619 620 621 622
			err = -EPERM;
		break;
	default:  /* bad msg */
		err = -EINVAL;
	}

	return err;
}

623
static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type)
624 625
{
	int rc = 0;
626
	uid_t uid = from_kuid(&init_user_ns, current_uid());
627

628
	if (!audit_enabled && msg_type != AUDIT_USER_AVC) {
629 630 631 632 633
		*ab = NULL;
		return rc;
	}

	*ab = audit_log_start(NULL, GFP_KERNEL, msg_type);
634 635
	if (unlikely(!*ab))
		return rc;
E
Eric Paris 已提交
636 637
	audit_log_format(*ab, "pid=%d uid=%u", task_tgid_vnr(current), uid);
	audit_log_session_info(*ab);
638
	audit_log_task_context(*ab);
639 640 641 642

	return rc;
}

643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700 701 702 703 704 705 706 707 708 709 710 711 712 713 714 715 716 717 718 719 720 721 722 723 724 725 726 727 728 729 730
int is_audit_feature_set(int i)
{
	return af.features & AUDIT_FEATURE_TO_MASK(i);
}


static int audit_get_feature(struct sk_buff *skb)
{
	u32 seq;

	seq = nlmsg_hdr(skb)->nlmsg_seq;

	audit_send_reply(NETLINK_CB(skb).portid, seq, AUDIT_GET, 0, 0,
			 &af, sizeof(af));

	return 0;
}

static void audit_log_feature_change(int which, u32 old_feature, u32 new_feature,
				     u32 old_lock, u32 new_lock, int res)
{
	struct audit_buffer *ab;

	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_FEATURE_CHANGE);
	audit_log_format(ab, "feature=%s new=%d old=%d old_lock=%d new_lock=%d res=%d",
			 audit_feature_names[which], !!old_feature, !!new_feature,
			 !!old_lock, !!new_lock, res);
	audit_log_end(ab);
}

static int audit_set_feature(struct sk_buff *skb)
{
	struct audit_features *uaf;
	int i;

	BUILD_BUG_ON(AUDIT_LAST_FEATURE + 1 > sizeof(audit_feature_names)/sizeof(audit_feature_names[0]));
	uaf = nlmsg_data(nlmsg_hdr(skb));

	/* if there is ever a version 2 we should handle that here */

	for (i = 0; i <= AUDIT_LAST_FEATURE; i++) {
		u32 feature = AUDIT_FEATURE_TO_MASK(i);
		u32 old_feature, new_feature, old_lock, new_lock;

		/* if we are not changing this feature, move along */
		if (!(feature & uaf->mask))
			continue;

		old_feature = af.features & feature;
		new_feature = uaf->features & feature;
		new_lock = (uaf->lock | af.lock) & feature;
		old_lock = af.lock & feature;

		/* are we changing a locked feature? */
		if ((af.lock & feature) && (new_feature != old_feature)) {
			audit_log_feature_change(i, old_feature, new_feature,
						 old_lock, new_lock, 0);
			return -EPERM;
		}
	}
	/* nothing invalid, do the changes */
	for (i = 0; i <= AUDIT_LAST_FEATURE; i++) {
		u32 feature = AUDIT_FEATURE_TO_MASK(i);
		u32 old_feature, new_feature, old_lock, new_lock;

		/* if we are not changing this feature, move along */
		if (!(feature & uaf->mask))
			continue;

		old_feature = af.features & feature;
		new_feature = uaf->features & feature;
		old_lock = af.lock & feature;
		new_lock = (uaf->lock | af.lock) & feature;

		if (new_feature != old_feature)
			audit_log_feature_change(i, old_feature, new_feature,
						 old_lock, new_lock, 1);

		if (new_feature)
			af.features |= feature;
		else
			af.features &= ~feature;
		af.lock |= new_lock;
	}

	return 0;
}

L
Linus Torvalds 已提交
731 732
static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
{
733
	u32			seq;
L
Linus Torvalds 已提交
734 735 736
	void			*data;
	struct audit_status	*status_get, status_set;
	int			err;
737
	struct audit_buffer	*ab;
L
Linus Torvalds 已提交
738
	u16			msg_type = nlh->nlmsg_type;
739
	struct audit_sig_info   *sig_data;
740
	char			*ctx = NULL;
741
	u32			len;
L
Linus Torvalds 已提交
742

743
	err = audit_netlink_ok(skb, msg_type);
L
Linus Torvalds 已提交
744 745 746
	if (err)
		return err;

747 748
	/* As soon as there's any sign of userspace auditd,
	 * start kauditd to talk to it */
749
	if (!kauditd_task) {
750
		kauditd_task = kthread_run(kauditd_thread, NULL, "kauditd");
751 752 753 754 755
		if (IS_ERR(kauditd_task)) {
			err = PTR_ERR(kauditd_task);
			kauditd_task = NULL;
			return err;
		}
756
	}
L
Linus Torvalds 已提交
757
	seq  = nlh->nlmsg_seq;
758
	data = nlmsg_data(nlh);
L
Linus Torvalds 已提交
759 760 761

	switch (msg_type) {
	case AUDIT_GET:
762
		memset(&status_set, 0, sizeof(status_set));
L
Linus Torvalds 已提交
763 764 765 766 767 768
		status_set.enabled	 = audit_enabled;
		status_set.failure	 = audit_failure;
		status_set.pid		 = audit_pid;
		status_set.rate_limit	 = audit_rate_limit;
		status_set.backlog_limit = audit_backlog_limit;
		status_set.lost		 = atomic_read(&audit_lost);
769
		status_set.backlog	 = skb_queue_len(&audit_skb_queue);
770
		audit_send_reply(NETLINK_CB(skb).portid, seq, AUDIT_GET, 0, 0,
L
Linus Torvalds 已提交
771 772 773
				 &status_set, sizeof(status_set));
		break;
	case AUDIT_SET:
774
		if (nlmsg_len(nlh) < sizeof(struct audit_status))
L
Linus Torvalds 已提交
775 776 777
			return -EINVAL;
		status_get   = (struct audit_status *)data;
		if (status_get->mask & AUDIT_STATUS_ENABLED) {
778
			err = audit_set_enabled(status_get->enabled);
779 780
			if (err < 0)
				return err;
L
Linus Torvalds 已提交
781 782
		}
		if (status_get->mask & AUDIT_STATUS_FAILURE) {
783
			err = audit_set_failure(status_get->failure);
784 785
			if (err < 0)
				return err;
L
Linus Torvalds 已提交
786 787
		}
		if (status_get->mask & AUDIT_STATUS_PID) {
788 789 790
			int new_pid = status_get->pid;

			if (audit_enabled != AUDIT_OFF)
791
				audit_log_config_change("audit_pid", new_pid, audit_pid, 1);
792
			audit_pid = new_pid;
793
			audit_nlk_portid = NETLINK_CB(skb).portid;
L
Linus Torvalds 已提交
794
		}
795
		if (status_get->mask & AUDIT_STATUS_RATE_LIMIT) {
796
			err = audit_set_rate_limit(status_get->rate_limit);
797 798 799
			if (err < 0)
				return err;
		}
L
Linus Torvalds 已提交
800
		if (status_get->mask & AUDIT_STATUS_BACKLOG_LIMIT)
801
			err = audit_set_backlog_limit(status_get->backlog_limit);
L
Linus Torvalds 已提交
802
		break;
803 804 805 806 807 808 809 810 811 812
	case AUDIT_GET_FEATURE:
		err = audit_get_feature(skb);
		if (err)
			return err;
		break;
	case AUDIT_SET_FEATURE:
		err = audit_set_feature(skb);
		if (err)
			return err;
		break;
813
	case AUDIT_USER:
814 815
	case AUDIT_FIRST_USER_MSG ... AUDIT_LAST_USER_MSG:
	case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2:
816 817 818
		if (!audit_enabled && msg_type != AUDIT_USER_AVC)
			return 0;

819
		err = audit_filter_user(msg_type);
820 821
		if (err == 1) {
			err = 0;
M
Miloslav Trmac 已提交
822
			if (msg_type == AUDIT_USER_TTY) {
823
				err = tty_audit_push_current();
M
Miloslav Trmac 已提交
824 825 826
				if (err)
					break;
			}
827
			audit_log_common_recv_msg(&ab, msg_type);
828
			if (msg_type != AUDIT_USER_TTY)
829 830
				audit_log_format(ab, " msg='%.*s'",
						 AUDIT_MESSAGE_TEXT_MAX,
831 832 833 834
						 (char *)data);
			else {
				int size;

835
				audit_log_format(ab, " data=");
836
				size = nlmsg_len(nlh);
837 838 839
				if (size > 0 &&
				    ((unsigned char *)data)[size - 1] == '\0')
					size--;
840
				audit_log_n_untrustedstring(ab, data, size);
841
			}
842
			audit_set_portid(ab, NETLINK_CB(skb).portid);
843
			audit_log_end(ab);
844
		}
L
Linus Torvalds 已提交
845
		break;
846 847 848 849
	case AUDIT_ADD_RULE:
	case AUDIT_DEL_RULE:
		if (nlmsg_len(nlh) < sizeof(struct audit_rule_data))
			return -EINVAL;
850
		if (audit_enabled == AUDIT_LOCKED) {
851 852
			audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE);
			audit_log_format(ab, " audit_enabled=%d res=0", audit_enabled);
853
			audit_log_end(ab);
S
Steve Grubb 已提交
854 855
			return -EPERM;
		}
856 857
		/* fallthrough */
	case AUDIT_LIST_RULES:
858
		err = audit_receive_filter(msg_type, NETLINK_CB(skb).portid,
859
					   seq, data, nlmsg_len(nlh));
L
Linus Torvalds 已提交
860
		break;
A
Al Viro 已提交
861 862
	case AUDIT_TRIM:
		audit_trim_trees();
863
		audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE);
A
Al Viro 已提交
864 865 866 867 868 869
		audit_log_format(ab, " op=trim res=1");
		audit_log_end(ab);
		break;
	case AUDIT_MAKE_EQUIV: {
		void *bufp = data;
		u32 sizes[2];
870
		size_t msglen = nlmsg_len(nlh);
A
Al Viro 已提交
871 872 873
		char *old, *new;

		err = -EINVAL;
874
		if (msglen < 2 * sizeof(u32))
A
Al Viro 已提交
875 876 877
			break;
		memcpy(sizes, bufp, 2 * sizeof(u32));
		bufp += 2 * sizeof(u32);
878 879
		msglen -= 2 * sizeof(u32);
		old = audit_unpack_string(&bufp, &msglen, sizes[0]);
A
Al Viro 已提交
880 881 882 883
		if (IS_ERR(old)) {
			err = PTR_ERR(old);
			break;
		}
884
		new = audit_unpack_string(&bufp, &msglen, sizes[1]);
A
Al Viro 已提交
885 886 887 888 889 890 891 892
		if (IS_ERR(new)) {
			err = PTR_ERR(new);
			kfree(old);
			break;
		}
		/* OK, here comes... */
		err = audit_tag_tree(old, new);

893
		audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE);
894

A
Al Viro 已提交
895 896 897 898 899 900 901 902 903 904
		audit_log_format(ab, " op=make_equiv old=");
		audit_log_untrustedstring(ab, old);
		audit_log_format(ab, " new=");
		audit_log_untrustedstring(ab, new);
		audit_log_format(ab, " res=%d", !err);
		audit_log_end(ab);
		kfree(old);
		kfree(new);
		break;
	}
905
	case AUDIT_SIGNAL_INFO:
906 907 908 909 910 911
		len = 0;
		if (audit_sig_sid) {
			err = security_secid_to_secctx(audit_sig_sid, &ctx, &len);
			if (err)
				return err;
		}
912 913
		sig_data = kmalloc(sizeof(*sig_data) + len, GFP_KERNEL);
		if (!sig_data) {
914 915
			if (audit_sig_sid)
				security_release_secctx(ctx, len);
916 917
			return -ENOMEM;
		}
918
		sig_data->uid = from_kuid(&init_user_ns, audit_sig_uid);
919
		sig_data->pid = audit_sig_pid;
920 921 922 923
		if (audit_sig_sid) {
			memcpy(sig_data->ctx, ctx, len);
			security_release_secctx(ctx, len);
		}
924
		audit_send_reply(NETLINK_CB(skb).portid, seq, AUDIT_SIGNAL_INFO,
925 926
				0, 0, sig_data, sizeof(*sig_data) + len);
		kfree(sig_data);
927
		break;
M
Miloslav Trmac 已提交
928 929
	case AUDIT_TTY_GET: {
		struct audit_tty_status s;
930 931
		struct task_struct *tsk = current;

932
		spin_lock(&tsk->sighand->siglock);
933
		s.enabled = tsk->signal->audit_tty;
934
		s.log_passwd = tsk->signal->audit_tty_log_passwd;
935
		spin_unlock(&tsk->sighand->siglock);
936

937
		audit_send_reply(NETLINK_CB(skb).portid, seq,
938
				 AUDIT_TTY_GET, 0, 0, &s, sizeof(s));
M
Miloslav Trmac 已提交
939 940 941
		break;
	}
	case AUDIT_TTY_SET: {
942
		struct audit_tty_status s;
943
		struct task_struct *tsk = current;
M
Miloslav Trmac 已提交
944

945 946
		memset(&s, 0, sizeof(s));
		/* guard against past and future API changes */
947
		memcpy(&s, data, min_t(size_t, sizeof(s), nlmsg_len(nlh)));
948 949
		if ((s.enabled != 0 && s.enabled != 1) ||
		    (s.log_passwd != 0 && s.log_passwd != 1))
M
Miloslav Trmac 已提交
950
			return -EINVAL;
951

952
		spin_lock(&tsk->sighand->siglock);
953 954
		tsk->signal->audit_tty = s.enabled;
		tsk->signal->audit_tty_log_passwd = s.log_passwd;
955
		spin_unlock(&tsk->sighand->siglock);
M
Miloslav Trmac 已提交
956 957
		break;
	}
L
Linus Torvalds 已提交
958 959 960 961 962 963 964 965
	default:
		err = -EINVAL;
		break;
	}

	return err < 0 ? err : 0;
}

966
/*
E
Eric Paris 已提交
967 968
 * Get message from skb.  Each message is processed by audit_receive_msg.
 * Malformed skbs with wrong length are discarded silently.
969
 */
970
static void audit_receive_skb(struct sk_buff *skb)
L
Linus Torvalds 已提交
971
{
E
Eric Paris 已提交
972 973
	struct nlmsghdr *nlh;
	/*
974
	 * len MUST be signed for nlmsg_next to be able to dec it below 0
E
Eric Paris 已提交
975 976 977 978 979 980 981 982
	 * if the nlmsg_len was not aligned
	 */
	int len;
	int err;

	nlh = nlmsg_hdr(skb);
	len = skb->len;

983
	while (nlmsg_ok(nlh, len)) {
E
Eric Paris 已提交
984 985 986
		err = audit_receive_msg(skb, nlh);
		/* if err or if this message says it wants a response */
		if (err || (nlh->nlmsg_flags & NLM_F_ACK))
L
Linus Torvalds 已提交
987
			netlink_ack(skb, nlh, err);
E
Eric Paris 已提交
988

A
Alexandru Copot 已提交
989
		nlh = nlmsg_next(nlh, &len);
L
Linus Torvalds 已提交
990 991 992 993
	}
}

/* Receive messages from netlink socket. */
994
static void audit_receive(struct sk_buff  *skb)
L
Linus Torvalds 已提交
995
{
A
Amy Griffis 已提交
996
	mutex_lock(&audit_cmd_mutex);
997
	audit_receive_skb(skb);
A
Amy Griffis 已提交
998
	mutex_unlock(&audit_cmd_mutex);
L
Linus Torvalds 已提交
999 1000 1001 1002 1003
}

/* Initialize audit support at boot time. */
static int __init audit_init(void)
{
A
Amy Griffis 已提交
1004
	int i;
1005 1006 1007
	struct netlink_kernel_cfg cfg = {
		.input	= audit_receive,
	};
A
Amy Griffis 已提交
1008

1009 1010 1011
	if (audit_initialized == AUDIT_DISABLED)
		return 0;

L
Linus Torvalds 已提交
1012 1013
	printk(KERN_INFO "audit: initializing netlink socket (%s)\n",
	       audit_default ? "enabled" : "disabled");
1014
	audit_sock = netlink_kernel_create(&init_net, NETLINK_AUDIT, &cfg);
L
Linus Torvalds 已提交
1015 1016
	if (!audit_sock)
		audit_panic("cannot initialize netlink socket");
1017 1018
	else
		audit_sock->sk_sndtimeo = MAX_SCHEDULE_TIMEOUT;
L
Linus Torvalds 已提交
1019

1020
	skb_queue_head_init(&audit_skb_queue);
1021
	skb_queue_head_init(&audit_skb_hold_queue);
1022
	audit_initialized = AUDIT_INITIALIZED;
L
Linus Torvalds 已提交
1023
	audit_enabled = audit_default;
1024
	audit_ever_enabled |= !!audit_default;
1025

1026
	audit_log(NULL, GFP_KERNEL, AUDIT_KERNEL, "initialized");
A
Amy Griffis 已提交
1027 1028 1029 1030

	for (i = 0; i < AUDIT_INODE_BUCKETS; i++)
		INIT_LIST_HEAD(&audit_inode_hash[i]);

L
Linus Torvalds 已提交
1031 1032 1033 1034 1035 1036 1037 1038
	return 0;
}
__initcall(audit_init);

/* Process kernel command-line parameter at boot time.  audit=0 or audit=1. */
static int __init audit_enable(char *str)
{
	audit_default = !!simple_strtol(str, NULL, 0);
1039 1040 1041 1042 1043 1044
	if (!audit_default)
		audit_initialized = AUDIT_DISABLED;

	printk(KERN_INFO "audit: %s", audit_default ? "enabled" : "disabled");

	if (audit_initialized == AUDIT_INITIALIZED) {
L
Linus Torvalds 已提交
1045
		audit_enabled = audit_default;
1046
		audit_ever_enabled |= !!audit_default;
1047 1048 1049 1050
	} else if (audit_initialized == AUDIT_UNINITIALIZED) {
		printk(" (after initialization)");
	} else {
		printk(" (until reboot)");
1051
	}
1052 1053
	printk("\n");

1054
	return 1;
L
Linus Torvalds 已提交
1055 1056 1057 1058
}

__setup("audit=", audit_enable);

1059 1060 1061 1062
static void audit_buffer_free(struct audit_buffer *ab)
{
	unsigned long flags;

1063 1064 1065
	if (!ab)
		return;

1066 1067
	if (ab->skb)
		kfree_skb(ab->skb);
1068

1069
	spin_lock_irqsave(&audit_freelist_lock, flags);
S
Serge E. Hallyn 已提交
1070
	if (audit_freelist_count > AUDIT_MAXFREE)
1071
		kfree(ab);
S
Serge E. Hallyn 已提交
1072 1073
	else {
		audit_freelist_count++;
1074
		list_add(&ab->list, &audit_freelist);
S
Serge E. Hallyn 已提交
1075
	}
1076 1077 1078
	spin_unlock_irqrestore(&audit_freelist_lock, flags);
}

1079
static struct audit_buffer * audit_buffer_alloc(struct audit_context *ctx,
A
Al Viro 已提交
1080
						gfp_t gfp_mask, int type)
1081 1082 1083
{
	unsigned long flags;
	struct audit_buffer *ab = NULL;
1084
	struct nlmsghdr *nlh;
1085 1086 1087 1088 1089 1090 1091 1092 1093 1094 1095

	spin_lock_irqsave(&audit_freelist_lock, flags);
	if (!list_empty(&audit_freelist)) {
		ab = list_entry(audit_freelist.next,
				struct audit_buffer, list);
		list_del(&ab->list);
		--audit_freelist_count;
	}
	spin_unlock_irqrestore(&audit_freelist_lock, flags);

	if (!ab) {
1096
		ab = kmalloc(sizeof(*ab), gfp_mask);
1097
		if (!ab)
1098
			goto err;
1099
	}
1100

1101
	ab->ctx = ctx;
1102
	ab->gfp_mask = gfp_mask;
1103 1104 1105

	ab->skb = nlmsg_new(AUDIT_BUFSIZ, gfp_mask);
	if (!ab->skb)
1106
		goto err;
1107

1108 1109 1110
	nlh = nlmsg_put(ab->skb, 0, 0, type, 0, 0);
	if (!nlh)
		goto out_kfree_skb;
1111

1112
	return ab;
1113

1114
out_kfree_skb:
1115 1116
	kfree_skb(ab->skb);
	ab->skb = NULL;
1117 1118 1119
err:
	audit_buffer_free(ab);
	return NULL;
1120
}
L
Linus Torvalds 已提交
1121

1122 1123 1124 1125
/**
 * audit_serial - compute a serial number for the audit record
 *
 * Compute a serial number for the audit record.  Audit records are
1126 1127 1128 1129 1130 1131 1132 1133 1134 1135 1136
 * written to user-space as soon as they are generated, so a complete
 * audit record may be written in several pieces.  The timestamp of the
 * record and this serial number are used by the user-space tools to
 * determine which pieces belong to the same audit record.  The
 * (timestamp,serial) tuple is unique for each syscall and is live from
 * syscall entry to syscall exit.
 *
 * NOTE: Another possibility is to store the formatted records off the
 * audit context (for those records that have a context), and emit them
 * all at syscall exit.  However, this could delay the reporting of
 * significant errors until syscall exit (or never, if the system
1137 1138
 * halts).
 */
1139 1140
unsigned int audit_serial(void)
{
I
Ingo Molnar 已提交
1141
	static DEFINE_SPINLOCK(serial_lock);
1142 1143 1144 1145
	static unsigned int serial = 0;

	unsigned long flags;
	unsigned int ret;
1146

1147
	spin_lock_irqsave(&serial_lock, flags);
1148
	do {
1149 1150
		ret = ++serial;
	} while (unlikely(!ret));
1151
	spin_unlock_irqrestore(&serial_lock, flags);
1152

1153
	return ret;
1154 1155
}

D
Daniel Walker 已提交
1156
static inline void audit_get_stamp(struct audit_context *ctx,
1157 1158
				   struct timespec *t, unsigned int *serial)
{
1159
	if (!ctx || !auditsc_get_stamp(ctx, t, serial)) {
1160 1161 1162 1163 1164
		*t = CURRENT_TIME;
		*serial = audit_serial();
	}
}

1165 1166 1167 1168 1169 1170
/*
 * Wait for auditd to drain the queue a little
 */
static void wait_for_auditd(unsigned long sleep_time)
{
	DECLARE_WAITQUEUE(wait, current);
1171
	set_current_state(TASK_UNINTERRUPTIBLE);
1172 1173 1174 1175 1176 1177 1178 1179 1180 1181
	add_wait_queue(&audit_backlog_wait, &wait);

	if (audit_backlog_limit &&
	    skb_queue_len(&audit_skb_queue) > audit_backlog_limit)
		schedule_timeout(sleep_time);

	__set_current_state(TASK_RUNNING);
	remove_wait_queue(&audit_backlog_wait, &wait);
}

1182 1183 1184 1185 1186 1187 1188 1189 1190 1191 1192 1193 1194 1195 1196
/**
 * audit_log_start - obtain an audit buffer
 * @ctx: audit_context (may be NULL)
 * @gfp_mask: type of allocation
 * @type: audit message type
 *
 * Returns audit_buffer pointer on success or NULL on error.
 *
 * Obtain an audit buffer.  This routine does locking to obtain the
 * audit buffer, but then no locking is required for calls to
 * audit_log_*format.  If the task (ctx) is a task that is currently in a
 * syscall, then the syscall is marked as auditable and an audit record
 * will be written at syscall exit.  If there is no associated task, then
 * task context (ctx) should be NULL.
 */
A
Al Viro 已提交
1197
struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
1198
				     int type)
L
Linus Torvalds 已提交
1199 1200 1201
{
	struct audit_buffer	*ab	= NULL;
	struct timespec		t;
1202
	unsigned int		uninitialized_var(serial);
1203
	int reserve;
1204
	unsigned long timeout_start = jiffies;
L
Linus Torvalds 已提交
1205

1206
	if (audit_initialized != AUDIT_INITIALIZED)
L
Linus Torvalds 已提交
1207 1208
		return NULL;

1209 1210 1211
	if (unlikely(audit_filter_type(type)))
		return NULL;

1212 1213 1214
	if (gfp_mask & __GFP_WAIT)
		reserve = 0;
	else
D
Daniel Walker 已提交
1215
		reserve = 5; /* Allow atomic callers to go up to five
1216 1217 1218 1219
				entries over the normal backlog limit */

	while (audit_backlog_limit
	       && skb_queue_len(&audit_skb_queue) > audit_backlog_limit + reserve) {
1220 1221
		if (gfp_mask & __GFP_WAIT && audit_backlog_wait_time) {
			unsigned long sleep_time;
1222

1223 1224
			sleep_time = timeout_start + audit_backlog_wait_time -
					jiffies;
1225
			if ((long)sleep_time > 0) {
1226
				wait_for_auditd(sleep_time);
1227 1228
				continue;
			}
1229
		}
1230
		if (audit_rate_check() && printk_ratelimit())
1231 1232 1233 1234 1235 1236
			printk(KERN_WARNING
			       "audit: audit_backlog=%d > "
			       "audit_backlog_limit=%d\n",
			       skb_queue_len(&audit_skb_queue),
			       audit_backlog_limit);
		audit_log_lost("backlog limit exceeded");
1237 1238
		audit_backlog_wait_time = audit_backlog_wait_overflow;
		wake_up(&audit_backlog_wait);
1239 1240 1241
		return NULL;
	}

1242
	ab = audit_buffer_alloc(ctx, gfp_mask, type);
L
Linus Torvalds 已提交
1243 1244 1245 1246 1247
	if (!ab) {
		audit_log_lost("out of memory in audit_log_start");
		return NULL;
	}

1248
	audit_get_stamp(ab->ctx, &t, &serial);
1249

L
Linus Torvalds 已提交
1250 1251 1252 1253 1254
	audit_log_format(ab, "audit(%lu.%03lu:%u): ",
			 t.tv_sec, t.tv_nsec/1000000, serial);
	return ab;
}

1255
/**
1256
 * audit_expand - expand skb in the audit buffer
1257
 * @ab: audit_buffer
1258
 * @extra: space to add at tail of the skb
1259 1260 1261 1262
 *
 * Returns 0 (no space) on failed expansion, or available space if
 * successful.
 */
1263
static inline int audit_expand(struct audit_buffer *ab, int extra)
1264
{
1265
	struct sk_buff *skb = ab->skb;
1266 1267 1268 1269
	int oldtail = skb_tailroom(skb);
	int ret = pskb_expand_head(skb, 0, extra, ab->gfp_mask);
	int newtail = skb_tailroom(skb);

1270 1271
	if (ret < 0) {
		audit_log_lost("out of memory in audit_expand");
1272
		return 0;
1273
	}
1274 1275 1276

	skb->truesize += newtail - oldtail;
	return newtail;
1277
}
L
Linus Torvalds 已提交
1278

1279 1280
/*
 * Format an audit message into the audit buffer.  If there isn't enough
L
Linus Torvalds 已提交
1281 1282
 * room in the audit buffer, more room will be allocated and vsnprint
 * will be called a second time.  Currently, we assume that a printk
1283 1284
 * can't format message larger than 1024 bytes, so we don't either.
 */
L
Linus Torvalds 已提交
1285 1286 1287 1288
static void audit_log_vformat(struct audit_buffer *ab, const char *fmt,
			      va_list args)
{
	int len, avail;
1289
	struct sk_buff *skb;
D
David Woodhouse 已提交
1290
	va_list args2;
L
Linus Torvalds 已提交
1291 1292 1293 1294

	if (!ab)
		return;

1295 1296 1297 1298
	BUG_ON(!ab->skb);
	skb = ab->skb;
	avail = skb_tailroom(skb);
	if (avail == 0) {
1299
		avail = audit_expand(ab, AUDIT_BUFSIZ);
1300 1301
		if (!avail)
			goto out;
L
Linus Torvalds 已提交
1302
	}
D
David Woodhouse 已提交
1303
	va_copy(args2, args);
1304
	len = vsnprintf(skb_tail_pointer(skb), avail, fmt, args);
L
Linus Torvalds 已提交
1305 1306 1307 1308
	if (len >= avail) {
		/* The printk buffer is 1024 bytes long, so if we get
		 * here and AUDIT_BUFSIZ is at least 1024, then we can
		 * log everything that printk could have logged. */
1309 1310
		avail = audit_expand(ab,
			max_t(unsigned, AUDIT_BUFSIZ, 1+len-avail));
1311
		if (!avail)
1312
			goto out_va_end;
1313
		len = vsnprintf(skb_tail_pointer(skb), avail, fmt, args2);
L
Linus Torvalds 已提交
1314
	}
1315 1316
	if (len > 0)
		skb_put(skb, len);
1317 1318
out_va_end:
	va_end(args2);
1319 1320
out:
	return;
L
Linus Torvalds 已提交
1321 1322
}

1323 1324 1325 1326 1327 1328 1329 1330
/**
 * audit_log_format - format a message into the audit buffer.
 * @ab: audit_buffer
 * @fmt: format string
 * @...: optional parameters matching @fmt string
 *
 * All the work is done in audit_log_vformat.
 */
L
Linus Torvalds 已提交
1331 1332 1333 1334 1335 1336 1337 1338 1339 1340 1341
void audit_log_format(struct audit_buffer *ab, const char *fmt, ...)
{
	va_list args;

	if (!ab)
		return;
	va_start(args, fmt);
	audit_log_vformat(ab, fmt, args);
	va_end(args);
}

1342 1343 1344 1345 1346 1347 1348 1349 1350 1351 1352
/**
 * audit_log_hex - convert a buffer to hex and append it to the audit skb
 * @ab: the audit_buffer
 * @buf: buffer to convert to hex
 * @len: length of @buf to be converted
 *
 * No return value; failure to expand is silently ignored.
 *
 * This function will take the passed buf and convert it into a string of
 * ascii hex digits. The new string is placed onto the skb.
 */
1353
void audit_log_n_hex(struct audit_buffer *ab, const unsigned char *buf,
1354
		size_t len)
1355
{
1356 1357 1358 1359 1360
	int i, avail, new_len;
	unsigned char *ptr;
	struct sk_buff *skb;
	static const unsigned char *hex = "0123456789ABCDEF";

A
Amy Griffis 已提交
1361 1362 1363
	if (!ab)
		return;

1364 1365 1366 1367 1368 1369 1370 1371 1372 1373 1374
	BUG_ON(!ab->skb);
	skb = ab->skb;
	avail = skb_tailroom(skb);
	new_len = len<<1;
	if (new_len >= avail) {
		/* Round the buffer request up to the next multiple */
		new_len = AUDIT_BUFSIZ*(((new_len-avail)/AUDIT_BUFSIZ) + 1);
		avail = audit_expand(ab, new_len);
		if (!avail)
			return;
	}
1375

1376
	ptr = skb_tail_pointer(skb);
1377 1378 1379 1380 1381 1382
	for (i=0; i<len; i++) {
		*ptr++ = hex[(buf[i] & 0xF0)>>4]; /* Upper nibble */
		*ptr++ = hex[buf[i] & 0x0F];	  /* Lower nibble */
	}
	*ptr = 0;
	skb_put(skb, len << 1); /* new string is twice the old string */
1383 1384
}

1385 1386 1387 1388
/*
 * Format a string of no more than slen characters into the audit buffer,
 * enclosed in quote marks.
 */
1389 1390
void audit_log_n_string(struct audit_buffer *ab, const char *string,
			size_t slen)
1391 1392 1393 1394 1395
{
	int avail, new_len;
	unsigned char *ptr;
	struct sk_buff *skb;

A
Amy Griffis 已提交
1396 1397 1398
	if (!ab)
		return;

1399 1400 1401 1402 1403 1404 1405 1406 1407
	BUG_ON(!ab->skb);
	skb = ab->skb;
	avail = skb_tailroom(skb);
	new_len = slen + 3;	/* enclosing quotes + null terminator */
	if (new_len > avail) {
		avail = audit_expand(ab, new_len);
		if (!avail)
			return;
	}
1408
	ptr = skb_tail_pointer(skb);
1409 1410 1411 1412 1413 1414 1415 1416
	*ptr++ = '"';
	memcpy(ptr, string, slen);
	ptr += slen;
	*ptr++ = '"';
	*ptr = 0;
	skb_put(skb, slen + 2);	/* don't include null terminator */
}

1417 1418
/**
 * audit_string_contains_control - does a string need to be logged in hex
1419 1420
 * @string: string to be checked
 * @len: max length of the string to check
1421 1422 1423 1424
 */
int audit_string_contains_control(const char *string, size_t len)
{
	const unsigned char *p;
1425
	for (p = string; p < (const unsigned char *)string + len; p++) {
1426
		if (*p == '"' || *p < 0x21 || *p > 0x7e)
1427 1428 1429 1430 1431
			return 1;
	}
	return 0;
}

1432
/**
M
Miloslav Trmac 已提交
1433
 * audit_log_n_untrustedstring - log a string that may contain random characters
1434
 * @ab: audit_buffer
1435
 * @len: length of string (not including trailing null)
1436 1437 1438 1439
 * @string: string to be logged
 *
 * This code will escape a string that is passed to it if the string
 * contains a control character, unprintable character, double quote mark,
1440
 * or a space. Unescaped strings will start and end with a double quote mark.
1441
 * Strings that are escaped are printed in hex (2 digits per char).
1442 1443 1444
 *
 * The caller specifies the number of characters in the string to log, which may
 * or may not be the entire string.
1445
 */
1446 1447
void audit_log_n_untrustedstring(struct audit_buffer *ab, const char *string,
				 size_t len)
1448
{
1449
	if (audit_string_contains_control(string, len))
1450
		audit_log_n_hex(ab, string, len);
1451
	else
1452
		audit_log_n_string(ab, string, len);
1453 1454
}

1455
/**
M
Miloslav Trmac 已提交
1456
 * audit_log_untrustedstring - log a string that may contain random characters
1457 1458 1459
 * @ab: audit_buffer
 * @string: string to be logged
 *
M
Miloslav Trmac 已提交
1460
 * Same as audit_log_n_untrustedstring(), except that strlen is used to
1461 1462
 * determine string length.
 */
1463
void audit_log_untrustedstring(struct audit_buffer *ab, const char *string)
1464
{
1465
	audit_log_n_untrustedstring(ab, string, strlen(string));
1466 1467
}

1468
/* This is a helper-function to print the escaped d_path */
L
Linus Torvalds 已提交
1469
void audit_log_d_path(struct audit_buffer *ab, const char *prefix,
1470
		      const struct path *path)
L
Linus Torvalds 已提交
1471
{
1472
	char *p, *pathname;
L
Linus Torvalds 已提交
1473

1474
	if (prefix)
1475
		audit_log_format(ab, "%s", prefix);
L
Linus Torvalds 已提交
1476

1477
	/* We will allow 11 spaces for ' (deleted)' to be appended */
1478 1479
	pathname = kmalloc(PATH_MAX+11, ab->gfp_mask);
	if (!pathname) {
1480
		audit_log_string(ab, "<no_memory>");
1481
		return;
L
Linus Torvalds 已提交
1482
	}
1483
	p = d_path(path, pathname, PATH_MAX+11);
1484 1485
	if (IS_ERR(p)) { /* Should never happen since we send PATH_MAX */
		/* FIXME: can we save some information here? */
1486
		audit_log_string(ab, "<too_long>");
D
Daniel Walker 已提交
1487
	} else
1488
		audit_log_untrustedstring(ab, p);
1489
	kfree(pathname);
L
Linus Torvalds 已提交
1490 1491
}

E
Eric Paris 已提交
1492 1493 1494 1495 1496
void audit_log_session_info(struct audit_buffer *ab)
{
	u32 sessionid = audit_get_sessionid(current);
	uid_t auid = from_kuid(&init_user_ns, audit_get_loginuid(current));

1497
	audit_log_format(ab, " auid=%u ses=%u", auid, sessionid);
E
Eric Paris 已提交
1498 1499
}

1500 1501 1502 1503 1504 1505 1506 1507 1508
void audit_log_key(struct audit_buffer *ab, char *key)
{
	audit_log_format(ab, " key=");
	if (key)
		audit_log_untrustedstring(ab, key);
	else
		audit_log_format(ab, "(null)");
}

1509 1510 1511 1512 1513 1514 1515 1516 1517 1518 1519 1520 1521 1522 1523 1524 1525 1526 1527 1528 1529 1530 1531 1532 1533 1534 1535 1536 1537 1538 1539 1540 1541 1542 1543 1544 1545 1546 1547 1548 1549 1550 1551 1552 1553 1554 1555 1556 1557 1558 1559 1560 1561 1562 1563 1564 1565 1566 1567 1568 1569 1570 1571 1572 1573 1574 1575 1576 1577 1578 1579 1580 1581 1582 1583 1584 1585 1586 1587 1588 1589 1590 1591 1592 1593 1594 1595 1596 1597 1598 1599 1600 1601 1602 1603 1604 1605 1606 1607 1608 1609 1610 1611 1612 1613 1614 1615 1616 1617 1618 1619 1620 1621 1622 1623 1624 1625 1626 1627 1628 1629 1630 1631 1632 1633 1634 1635 1636 1637 1638 1639 1640 1641 1642 1643
void audit_log_cap(struct audit_buffer *ab, char *prefix, kernel_cap_t *cap)
{
	int i;

	audit_log_format(ab, " %s=", prefix);
	CAP_FOR_EACH_U32(i) {
		audit_log_format(ab, "%08x",
				 cap->cap[(_KERNEL_CAPABILITY_U32S-1) - i]);
	}
}

void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name)
{
	kernel_cap_t *perm = &name->fcap.permitted;
	kernel_cap_t *inh = &name->fcap.inheritable;
	int log = 0;

	if (!cap_isclear(*perm)) {
		audit_log_cap(ab, "cap_fp", perm);
		log = 1;
	}
	if (!cap_isclear(*inh)) {
		audit_log_cap(ab, "cap_fi", inh);
		log = 1;
	}

	if (log)
		audit_log_format(ab, " cap_fe=%d cap_fver=%x",
				 name->fcap.fE, name->fcap_ver);
}

static inline int audit_copy_fcaps(struct audit_names *name,
				   const struct dentry *dentry)
{
	struct cpu_vfs_cap_data caps;
	int rc;

	if (!dentry)
		return 0;

	rc = get_vfs_caps_from_disk(dentry, &caps);
	if (rc)
		return rc;

	name->fcap.permitted = caps.permitted;
	name->fcap.inheritable = caps.inheritable;
	name->fcap.fE = !!(caps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE);
	name->fcap_ver = (caps.magic_etc & VFS_CAP_REVISION_MASK) >>
				VFS_CAP_REVISION_SHIFT;

	return 0;
}

/* Copy inode data into an audit_names. */
void audit_copy_inode(struct audit_names *name, const struct dentry *dentry,
		      const struct inode *inode)
{
	name->ino   = inode->i_ino;
	name->dev   = inode->i_sb->s_dev;
	name->mode  = inode->i_mode;
	name->uid   = inode->i_uid;
	name->gid   = inode->i_gid;
	name->rdev  = inode->i_rdev;
	security_inode_getsecid(inode, &name->osid);
	audit_copy_fcaps(name, dentry);
}

/**
 * audit_log_name - produce AUDIT_PATH record from struct audit_names
 * @context: audit_context for the task
 * @n: audit_names structure with reportable details
 * @path: optional path to report instead of audit_names->name
 * @record_num: record number to report when handling a list of names
 * @call_panic: optional pointer to int that will be updated if secid fails
 */
void audit_log_name(struct audit_context *context, struct audit_names *n,
		    struct path *path, int record_num, int *call_panic)
{
	struct audit_buffer *ab;
	ab = audit_log_start(context, GFP_KERNEL, AUDIT_PATH);
	if (!ab)
		return;

	audit_log_format(ab, "item=%d", record_num);

	if (path)
		audit_log_d_path(ab, " name=", path);
	else if (n->name) {
		switch (n->name_len) {
		case AUDIT_NAME_FULL:
			/* log the full path */
			audit_log_format(ab, " name=");
			audit_log_untrustedstring(ab, n->name->name);
			break;
		case 0:
			/* name was specified as a relative path and the
			 * directory component is the cwd */
			audit_log_d_path(ab, " name=", &context->pwd);
			break;
		default:
			/* log the name's directory component */
			audit_log_format(ab, " name=");
			audit_log_n_untrustedstring(ab, n->name->name,
						    n->name_len);
		}
	} else
		audit_log_format(ab, " name=(null)");

	if (n->ino != (unsigned long)-1) {
		audit_log_format(ab, " inode=%lu"
				 " dev=%02x:%02x mode=%#ho"
				 " ouid=%u ogid=%u rdev=%02x:%02x",
				 n->ino,
				 MAJOR(n->dev),
				 MINOR(n->dev),
				 n->mode,
				 from_kuid(&init_user_ns, n->uid),
				 from_kgid(&init_user_ns, n->gid),
				 MAJOR(n->rdev),
				 MINOR(n->rdev));
	}
	if (n->osid != 0) {
		char *ctx = NULL;
		u32 len;
		if (security_secid_to_secctx(
			n->osid, &ctx, &len)) {
			audit_log_format(ab, " osid=%u", n->osid);
			if (call_panic)
				*call_panic = 2;
		} else {
			audit_log_format(ab, " obj=%s", ctx);
			security_release_secctx(ctx, len);
		}
	}

1644 1645 1646 1647 1648 1649 1650 1651 1652 1653 1654 1655 1656 1657 1658 1659 1660 1661 1662 1663
	/* log the audit_names record type */
	audit_log_format(ab, " nametype=");
	switch(n->type) {
	case AUDIT_TYPE_NORMAL:
		audit_log_format(ab, "NORMAL");
		break;
	case AUDIT_TYPE_PARENT:
		audit_log_format(ab, "PARENT");
		break;
	case AUDIT_TYPE_CHILD_DELETE:
		audit_log_format(ab, "DELETE");
		break;
	case AUDIT_TYPE_CHILD_CREATE:
		audit_log_format(ab, "CREATE");
		break;
	default:
		audit_log_format(ab, "UNKNOWN");
		break;
	}

1664 1665 1666 1667 1668 1669 1670 1671 1672 1673 1674 1675 1676 1677 1678 1679 1680 1681 1682 1683 1684 1685 1686 1687 1688 1689 1690 1691 1692 1693 1694 1695 1696 1697 1698 1699 1700 1701 1702 1703 1704 1705 1706 1707 1708 1709 1710 1711 1712 1713 1714 1715 1716 1717 1718 1719 1720 1721 1722 1723 1724 1725 1726 1727 1728 1729 1730 1731 1732 1733 1734 1735 1736 1737 1738 1739 1740 1741 1742 1743 1744 1745 1746
	audit_log_fcaps(ab, n);
	audit_log_end(ab);
}

int audit_log_task_context(struct audit_buffer *ab)
{
	char *ctx = NULL;
	unsigned len;
	int error;
	u32 sid;

	security_task_getsecid(current, &sid);
	if (!sid)
		return 0;

	error = security_secid_to_secctx(sid, &ctx, &len);
	if (error) {
		if (error != -EINVAL)
			goto error_path;
		return 0;
	}

	audit_log_format(ab, " subj=%s", ctx);
	security_release_secctx(ctx, len);
	return 0;

error_path:
	audit_panic("error in audit_log_task_context");
	return error;
}
EXPORT_SYMBOL(audit_log_task_context);

void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
{
	const struct cred *cred;
	char name[sizeof(tsk->comm)];
	struct mm_struct *mm = tsk->mm;
	char *tty;

	if (!ab)
		return;

	/* tsk == current */
	cred = current_cred();

	spin_lock_irq(&tsk->sighand->siglock);
	if (tsk->signal && tsk->signal->tty && tsk->signal->tty->name)
		tty = tsk->signal->tty->name;
	else
		tty = "(none)";
	spin_unlock_irq(&tsk->sighand->siglock);

	audit_log_format(ab,
			 " ppid=%ld pid=%d auid=%u uid=%u gid=%u"
			 " euid=%u suid=%u fsuid=%u"
			 " egid=%u sgid=%u fsgid=%u ses=%u tty=%s",
			 sys_getppid(),
			 tsk->pid,
			 from_kuid(&init_user_ns, audit_get_loginuid(tsk)),
			 from_kuid(&init_user_ns, cred->uid),
			 from_kgid(&init_user_ns, cred->gid),
			 from_kuid(&init_user_ns, cred->euid),
			 from_kuid(&init_user_ns, cred->suid),
			 from_kuid(&init_user_ns, cred->fsuid),
			 from_kgid(&init_user_ns, cred->egid),
			 from_kgid(&init_user_ns, cred->sgid),
			 from_kgid(&init_user_ns, cred->fsgid),
			 audit_get_sessionid(tsk), tty);

	get_task_comm(name, tsk);
	audit_log_format(ab, " comm=");
	audit_log_untrustedstring(ab, name);

	if (mm) {
		down_read(&mm->mmap_sem);
		if (mm->exe_file)
			audit_log_d_path(ab, " exe=", &mm->exe_file->f_path);
		up_read(&mm->mmap_sem);
	}
	audit_log_task_context(ab);
}
EXPORT_SYMBOL(audit_log_task_info);

1747 1748 1749 1750 1751 1752 1753 1754
/**
 * audit_log_link_denied - report a link restriction denial
 * @operation: specific link opreation
 * @link: the path that triggered the restriction
 */
void audit_log_link_denied(const char *operation, struct path *link)
{
	struct audit_buffer *ab;
1755 1756 1757 1758 1759
	struct audit_names *name;

	name = kzalloc(sizeof(*name), GFP_NOFS);
	if (!name)
		return;
1760

1761
	/* Generate AUDIT_ANOM_LINK with subject, operation, outcome. */
1762 1763
	ab = audit_log_start(current->audit_context, GFP_KERNEL,
			     AUDIT_ANOM_LINK);
1764
	if (!ab)
1765 1766 1767 1768
		goto out;
	audit_log_format(ab, "op=%s", operation);
	audit_log_task_info(ab, current);
	audit_log_format(ab, " res=0");
1769
	audit_log_end(ab);
1770 1771 1772 1773 1774 1775 1776

	/* Generate AUDIT_PATH record with object. */
	name->type = AUDIT_TYPE_NORMAL;
	audit_copy_inode(name, link->dentry, link->dentry->d_inode);
	audit_log_name(current->audit_context, name, link, 0, NULL);
out:
	kfree(name);
1777 1778
}

1779 1780 1781 1782 1783 1784
/**
 * audit_log_end - end one audit record
 * @ab: the audit_buffer
 *
 * The netlink_* functions cannot be called inside an irq context, so
 * the audit buffer is placed on a queue and a tasklet is scheduled to
L
Linus Torvalds 已提交
1785
 * remove them from the queue outside the irq context.  May be called in
1786 1787
 * any context.
 */
1788
void audit_log_end(struct audit_buffer *ab)
L
Linus Torvalds 已提交
1789 1790 1791 1792 1793 1794
{
	if (!ab)
		return;
	if (!audit_rate_check()) {
		audit_log_lost("rate limit exceeded");
	} else {
1795
		struct nlmsghdr *nlh = nlmsg_hdr(ab->skb);
1796
		nlh->nlmsg_len = ab->skb->len - NLMSG_HDRLEN;
1797

1798 1799 1800
		if (audit_pid) {
			skb_queue_tail(&audit_skb_queue, ab->skb);
			wake_up_interruptible(&kauditd_wait);
1801
		} else {
1802
			audit_printk_skb(ab->skb);
1803
		}
1804
		ab->skb = NULL;
L
Linus Torvalds 已提交
1805
	}
1806
	audit_buffer_free(ab);
L
Linus Torvalds 已提交
1807 1808
}

1809 1810 1811 1812 1813 1814 1815 1816 1817 1818 1819 1820
/**
 * audit_log - Log an audit record
 * @ctx: audit context
 * @gfp_mask: type of allocation
 * @type: audit message type
 * @fmt: format string to use
 * @...: variable parameters matching the format string
 *
 * This is a convenience function that calls audit_log_start,
 * audit_log_vformat, and audit_log_end.  It may be called
 * in any context.
 */
D
Daniel Walker 已提交
1821
void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type,
1822
	       const char *fmt, ...)
L
Linus Torvalds 已提交
1823 1824 1825 1826
{
	struct audit_buffer *ab;
	va_list args;

1827
	ab = audit_log_start(ctx, gfp_mask, type);
L
Linus Torvalds 已提交
1828 1829 1830 1831 1832 1833 1834
	if (ab) {
		va_start(args, fmt);
		audit_log_vformat(ab, fmt, args);
		va_end(args);
		audit_log_end(ab);
	}
}
1835

1836 1837 1838 1839 1840 1841 1842 1843 1844 1845 1846 1847 1848 1849 1850 1851 1852 1853 1854 1855 1856 1857 1858 1859 1860 1861
#ifdef CONFIG_SECURITY
/**
 * audit_log_secctx - Converts and logs SELinux context
 * @ab: audit_buffer
 * @secid: security number
 *
 * This is a helper function that calls security_secid_to_secctx to convert
 * secid to secctx and then adds the (converted) SELinux context to the audit
 * log by calling audit_log_format, thus also preventing leak of internal secid
 * to userspace. If secid cannot be converted audit_panic is called.
 */
void audit_log_secctx(struct audit_buffer *ab, u32 secid)
{
	u32 len;
	char *secctx;

	if (security_secid_to_secctx(secid, &secctx, &len)) {
		audit_panic("Cannot convert secid to context");
	} else {
		audit_log_format(ab, " obj=%s", secctx);
		security_release_secctx(secctx, len);
	}
}
EXPORT_SYMBOL(audit_log_secctx);
#endif

1862 1863 1864 1865
EXPORT_SYMBOL(audit_log_start);
EXPORT_SYMBOL(audit_log_end);
EXPORT_SYMBOL(audit_log_format);
EXPORT_SYMBOL(audit_log);