auditsc.c 65.8 KB
Newer Older
1
/* auditsc.c -- System-call auditing support
L
Linus Torvalds 已提交
2 3 4
 * Handles all system-call specific auditing features.
 *
 * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina.
5
 * Copyright 2005 Hewlett-Packard Development Company, L.P.
6
 * Copyright (C) 2005, 2006 IBM Corporation
L
Linus Torvalds 已提交
7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
 * All Rights Reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 *
 * Written by Rickard E. (Rik) Faith <faith@redhat.com>
 *
 * Many of the ideas implemented here are from Stephen C. Tweedie,
 * especially the idea of avoiding a copy by using getname.
 *
 * The method for actual interception of syscall entry and exit (not in
 * this file -- see entry.S) is based on a GPL'd patch written by
 * okir@suse.de and Copyright 2003 SuSE Linux AG.
 *
32 33 34
 * POSIX message queue support added by George Wilson <ltcgcw@us.ibm.com>,
 * 2006.
 *
35 36 37
 * The support of additional filter rules compares (>, <, >=, <=) was
 * added by Dustin Kirkland <dustin.kirkland@us.ibm.com>, 2005.
 *
38 39
 * Modified by Amy Griffis <amy.griffis@hp.com> to collect additional
 * filesystem information.
40 41 42
 *
 * Subject and object context labeling support added by <danjones@us.ibm.com>
 * and <dustin.kirkland@us.ibm.com> for LSPP certification compliance.
L
Linus Torvalds 已提交
43 44 45 46
 */

#include <linux/init.h>
#include <asm/types.h>
A
Alan Cox 已提交
47
#include <asm/atomic.h>
48 49
#include <linux/fs.h>
#include <linux/namei.h>
L
Linus Torvalds 已提交
50 51
#include <linux/mm.h>
#include <linux/module.h>
52
#include <linux/mount.h>
53
#include <linux/socket.h>
54
#include <linux/mqueue.h>
L
Linus Torvalds 已提交
55 56 57
#include <linux/audit.h>
#include <linux/personality.h>
#include <linux/time.h>
58
#include <linux/netlink.h>
59
#include <linux/compiler.h>
L
Linus Torvalds 已提交
60
#include <asm/unistd.h>
61
#include <linux/security.h>
62
#include <linux/list.h>
63
#include <linux/tty.h>
A
Al Viro 已提交
64
#include <linux/binfmts.h>
A
Al Viro 已提交
65
#include <linux/highmem.h>
A
Al Viro 已提交
66
#include <linux/syscalls.h>
A
Al Viro 已提交
67
#include <linux/inotify.h>
68
#include <linux/capability.h>
69
#include <linux/fs_struct.h>
L
Linus Torvalds 已提交
70

71
#include "audit.h"
L
Linus Torvalds 已提交
72 73 74 75 76

/* AUDIT_NAMES is the number of slots we reserve in the audit_context
 * for saving names from getname(). */
#define AUDIT_NAMES    20

77 78 79
/* Indicates that audit should log the full pathname. */
#define AUDIT_NAME_FULL -1

80 81 82
/* no execve audit message should be longer than this (userspace limits) */
#define MAX_EXECVE_AUDIT_LEN 7500

A
Al Viro 已提交
83 84 85
/* number of audit rules */
int audit_n_rules;

A
Amy Griffis 已提交
86 87 88
/* determines whether we collect data for signals sent */
int audit_signals;

89 90 91 92 93 94 95 96 97
struct audit_cap_data {
	kernel_cap_t		permitted;
	kernel_cap_t		inheritable;
	union {
		unsigned int	fE;		/* effective bit of a file capability */
		kernel_cap_t	effective;	/* effective set of a process */
	};
};

L
Linus Torvalds 已提交
98 99 100 101 102 103 104
/* When fs/namei.c:getname() is called, we store the pointer in name and
 * we don't let putname() free it (instead we free all of the saved
 * pointers at syscall exit time).
 *
 * Further, in fs/namei.c:path_lookup() we store the inode and device. */
struct audit_names {
	const char	*name;
105 106
	int		name_len;	/* number of name's characters to log */
	unsigned	name_put;	/* call __putname() for this name */
L
Linus Torvalds 已提交
107 108 109 110 111 112
	unsigned long	ino;
	dev_t		dev;
	umode_t		mode;
	uid_t		uid;
	gid_t		gid;
	dev_t		rdev;
S
Steve Grubb 已提交
113
	u32		osid;
114 115
	struct audit_cap_data fcap;
	unsigned int	fcap_ver;
L
Linus Torvalds 已提交
116 117 118 119 120 121 122 123 124
};

struct audit_aux_data {
	struct audit_aux_data	*next;
	int			type;
};

#define AUDIT_AUX_IPCPERM	0

A
Amy Griffis 已提交
125 126 127
/* Number of target pids per aux struct. */
#define AUDIT_AUX_PIDS	16

A
Al Viro 已提交
128 129 130 131
struct audit_aux_data_execve {
	struct audit_aux_data	d;
	int argc;
	int envc;
P
Peter Zijlstra 已提交
132
	struct mm_struct *mm;
A
Al Viro 已提交
133 134
};

A
Amy Griffis 已提交
135 136 137
struct audit_aux_data_pids {
	struct audit_aux_data	d;
	pid_t			target_pid[AUDIT_AUX_PIDS];
138 139
	uid_t			target_auid[AUDIT_AUX_PIDS];
	uid_t			target_uid[AUDIT_AUX_PIDS];
140
	unsigned int		target_sessionid[AUDIT_AUX_PIDS];
A
Amy Griffis 已提交
141
	u32			target_sid[AUDIT_AUX_PIDS];
142
	char 			target_comm[AUDIT_AUX_PIDS][TASK_COMM_LEN];
A
Amy Griffis 已提交
143 144 145
	int			pid_count;
};

146 147 148 149 150 151 152 153
struct audit_aux_data_bprm_fcaps {
	struct audit_aux_data	d;
	struct audit_cap_data	fcap;
	unsigned int		fcap_ver;
	struct audit_cap_data	old_pcap;
	struct audit_cap_data	new_pcap;
};

154 155 156 157 158 159
struct audit_aux_data_capset {
	struct audit_aux_data	d;
	pid_t			pid;
	struct audit_cap_data	cap;
};

A
Al Viro 已提交
160 161 162 163 164
struct audit_tree_refs {
	struct audit_tree_refs *next;
	struct audit_chunk *c[31];
};

L
Linus Torvalds 已提交
165 166
/* The per-task audit context. */
struct audit_context {
167
	int		    dummy;	/* must be the first element */
L
Linus Torvalds 已提交
168
	int		    in_syscall;	/* 1 if task is in a syscall */
169
	enum audit_state    state, current_state;
L
Linus Torvalds 已提交
170 171 172 173 174
	unsigned int	    serial;     /* serial number for record */
	struct timespec	    ctime;      /* time of syscall entry */
	int		    major;      /* syscall number */
	unsigned long	    argv[4];    /* syscall arguments */
	int		    return_valid; /* return code is valid */
175
	long		    return_code;/* syscall return code */
176
	u64		    prio;
L
Linus Torvalds 已提交
177 178
	int		    name_count;
	struct audit_names  names[AUDIT_NAMES];
A
Amy Griffis 已提交
179
	char *		    filterkey;	/* key for rule that triggered record */
180
	struct path	    pwd;
L
Linus Torvalds 已提交
181 182
	struct audit_context *previous; /* For nested syscalls */
	struct audit_aux_data *aux;
A
Amy Griffis 已提交
183
	struct audit_aux_data *aux_pids;
184 185
	struct sockaddr_storage *sockaddr;
	size_t sockaddr_len;
L
Linus Torvalds 已提交
186
				/* Save things to print about task_struct */
A
Al Viro 已提交
187
	pid_t		    pid, ppid;
L
Linus Torvalds 已提交
188 189 190
	uid_t		    uid, euid, suid, fsuid;
	gid_t		    gid, egid, sgid, fsgid;
	unsigned long	    personality;
191
	int		    arch;
L
Linus Torvalds 已提交
192

A
Al Viro 已提交
193
	pid_t		    target_pid;
194 195
	uid_t		    target_auid;
	uid_t		    target_uid;
196
	unsigned int	    target_sessionid;
A
Al Viro 已提交
197
	u32		    target_sid;
198
	char		    target_comm[TASK_COMM_LEN];
A
Al Viro 已提交
199

A
Al Viro 已提交
200 201 202
	struct audit_tree_refs *trees, *first_trees;
	int tree_count;

A
Al Viro 已提交
203 204 205 206 207 208
	int type;
	union {
		struct {
			int nargs;
			long args[6];
		} socketcall;
A
Al Viro 已提交
209 210 211 212 213
		struct {
			uid_t			uid;
			gid_t			gid;
			mode_t			mode;
			u32			osid;
A
Al Viro 已提交
214 215 216 217 218
			int			has_perm;
			uid_t			perm_uid;
			gid_t			perm_gid;
			mode_t			perm_mode;
			unsigned long		qbytes;
A
Al Viro 已提交
219
		} ipc;
A
Al Viro 已提交
220 221 222 223
		struct {
			mqd_t			mqdes;
			struct mq_attr 		mqstat;
		} mq_getsetattr;
A
Al Viro 已提交
224 225 226 227
		struct {
			mqd_t			mqdes;
			int			sigev_signo;
		} mq_notify;
A
Al Viro 已提交
228 229 230 231 232 233
		struct {
			mqd_t			mqdes;
			size_t			msg_len;
			unsigned int		msg_prio;
			struct timespec		abs_timeout;
		} mq_sendrecv;
A
Al Viro 已提交
234 235 236 237 238
		struct {
			int			oflag;
			mode_t			mode;
			struct mq_attr		attr;
		} mq_open;
A
Al Viro 已提交
239 240 241 242
		struct {
			pid_t			pid;
			struct audit_cap_data	cap;
		} capset;
A
Al Viro 已提交
243
	};
A
Al Viro 已提交
244
	int fds[2];
A
Al Viro 已提交
245

L
Linus Torvalds 已提交
246 247 248 249 250 251
#if AUDIT_DEBUG
	int		    put_count;
	int		    ino_count;
#endif
};

A
Al Viro 已提交
252 253 254 255 256 257 258 259 260 261 262
#define ACC_MODE(x) ("\004\002\006\006"[(x)&O_ACCMODE])
static inline int open_arg(int flags, int mask)
{
	int n = ACC_MODE(flags);
	if (flags & (O_TRUNC | O_CREAT))
		n |= AUDIT_PERM_WRITE;
	return n & mask;
}

static int audit_match_perm(struct audit_context *ctx, int mask)
{
263
	unsigned n;
264 265
	if (unlikely(!ctx))
		return 0;
266
	n = ctx->major;
267

A
Al Viro 已提交
268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303
	switch (audit_classify_syscall(ctx->arch, n)) {
	case 0:	/* native */
		if ((mask & AUDIT_PERM_WRITE) &&
		     audit_match_class(AUDIT_CLASS_WRITE, n))
			return 1;
		if ((mask & AUDIT_PERM_READ) &&
		     audit_match_class(AUDIT_CLASS_READ, n))
			return 1;
		if ((mask & AUDIT_PERM_ATTR) &&
		     audit_match_class(AUDIT_CLASS_CHATTR, n))
			return 1;
		return 0;
	case 1: /* 32bit on biarch */
		if ((mask & AUDIT_PERM_WRITE) &&
		     audit_match_class(AUDIT_CLASS_WRITE_32, n))
			return 1;
		if ((mask & AUDIT_PERM_READ) &&
		     audit_match_class(AUDIT_CLASS_READ_32, n))
			return 1;
		if ((mask & AUDIT_PERM_ATTR) &&
		     audit_match_class(AUDIT_CLASS_CHATTR_32, n))
			return 1;
		return 0;
	case 2: /* open */
		return mask & ACC_MODE(ctx->argv[1]);
	case 3: /* openat */
		return mask & ACC_MODE(ctx->argv[2]);
	case 4: /* socketcall */
		return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND);
	case 5: /* execve */
		return mask & AUDIT_PERM_EXEC;
	default:
		return 0;
	}
}

A
Al Viro 已提交
304 305 306 307
static int audit_match_filetype(struct audit_context *ctx, int which)
{
	unsigned index = which & ~S_IFMT;
	mode_t mode = which & S_IFMT;
308 309 310 311

	if (unlikely(!ctx))
		return 0;

A
Al Viro 已提交
312 313 314 315 316 317 318 319 320
	if (index >= ctx->name_count)
		return 0;
	if (ctx->names[index].ino == -1)
		return 0;
	if ((ctx->names[index].mode ^ mode) & S_IFMT)
		return 0;
	return 1;
}

A
Al Viro 已提交
321 322 323 324 325 326 327 328 329 330 331
/*
 * We keep a linked list of fixed-sized (31 pointer) arrays of audit_chunk *;
 * ->first_trees points to its beginning, ->trees - to the current end of data.
 * ->tree_count is the number of free entries in array pointed to by ->trees.
 * Original condition is (NULL, NULL, 0); as soon as it grows we never revert to NULL,
 * "empty" becomes (p, p, 31) afterwards.  We don't shrink the list (and seriously,
 * it's going to remain 1-element for almost any setup) until we free context itself.
 * References in it _are_ dropped - at the same time we free/drop aux stuff.
 */

#ifdef CONFIG_AUDIT_TREE
332 333 334 335 336 337 338 339
static void audit_set_auditable(struct audit_context *ctx)
{
	if (!ctx->prio) {
		ctx->prio = 1;
		ctx->current_state = AUDIT_RECORD_CONTEXT;
	}
}

A
Al Viro 已提交
340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439
static int put_tree_ref(struct audit_context *ctx, struct audit_chunk *chunk)
{
	struct audit_tree_refs *p = ctx->trees;
	int left = ctx->tree_count;
	if (likely(left)) {
		p->c[--left] = chunk;
		ctx->tree_count = left;
		return 1;
	}
	if (!p)
		return 0;
	p = p->next;
	if (p) {
		p->c[30] = chunk;
		ctx->trees = p;
		ctx->tree_count = 30;
		return 1;
	}
	return 0;
}

static int grow_tree_refs(struct audit_context *ctx)
{
	struct audit_tree_refs *p = ctx->trees;
	ctx->trees = kzalloc(sizeof(struct audit_tree_refs), GFP_KERNEL);
	if (!ctx->trees) {
		ctx->trees = p;
		return 0;
	}
	if (p)
		p->next = ctx->trees;
	else
		ctx->first_trees = ctx->trees;
	ctx->tree_count = 31;
	return 1;
}
#endif

static void unroll_tree_refs(struct audit_context *ctx,
		      struct audit_tree_refs *p, int count)
{
#ifdef CONFIG_AUDIT_TREE
	struct audit_tree_refs *q;
	int n;
	if (!p) {
		/* we started with empty chain */
		p = ctx->first_trees;
		count = 31;
		/* if the very first allocation has failed, nothing to do */
		if (!p)
			return;
	}
	n = count;
	for (q = p; q != ctx->trees; q = q->next, n = 31) {
		while (n--) {
			audit_put_chunk(q->c[n]);
			q->c[n] = NULL;
		}
	}
	while (n-- > ctx->tree_count) {
		audit_put_chunk(q->c[n]);
		q->c[n] = NULL;
	}
	ctx->trees = p;
	ctx->tree_count = count;
#endif
}

static void free_tree_refs(struct audit_context *ctx)
{
	struct audit_tree_refs *p, *q;
	for (p = ctx->first_trees; p; p = q) {
		q = p->next;
		kfree(p);
	}
}

static int match_tree_refs(struct audit_context *ctx, struct audit_tree *tree)
{
#ifdef CONFIG_AUDIT_TREE
	struct audit_tree_refs *p;
	int n;
	if (!tree)
		return 0;
	/* full ones */
	for (p = ctx->first_trees; p != ctx->trees; p = p->next) {
		for (n = 0; n < 31; n++)
			if (audit_tree_match(p->c[n], tree))
				return 1;
	}
	/* partial */
	if (p) {
		for (n = ctx->tree_count; n < 31; n++)
			if (audit_tree_match(p->c[n], tree))
				return 1;
	}
#endif
	return 0;
}

A
Amy Griffis 已提交
440
/* Determine if any context name data matches a rule's watch data */
L
Linus Torvalds 已提交
441 442 443
/* Compare a task_struct with an audit_rule.  Return 1 on match, 0
 * otherwise. */
static int audit_filter_rules(struct task_struct *tsk,
444
			      struct audit_krule *rule,
L
Linus Torvalds 已提交
445
			      struct audit_context *ctx,
A
Amy Griffis 已提交
446
			      struct audit_names *name,
L
Linus Torvalds 已提交
447 448
			      enum audit_state *state)
{
449
	const struct cred *cred = get_task_cred(tsk);
S
Steve Grubb 已提交
450
	int i, j, need_sid = 1;
451 452
	u32 sid;

L
Linus Torvalds 已提交
453
	for (i = 0; i < rule->field_count; i++) {
454
		struct audit_field *f = &rule->fields[i];
L
Linus Torvalds 已提交
455 456
		int result = 0;

457
		switch (f->type) {
L
Linus Torvalds 已提交
458
		case AUDIT_PID:
459
			result = audit_comparator(tsk->pid, f->op, f->val);
L
Linus Torvalds 已提交
460
			break;
A
Al Viro 已提交
461
		case AUDIT_PPID:
A
Alexander Viro 已提交
462 463 464
			if (ctx) {
				if (!ctx->ppid)
					ctx->ppid = sys_getppid();
A
Al Viro 已提交
465
				result = audit_comparator(ctx->ppid, f->op, f->val);
A
Alexander Viro 已提交
466
			}
A
Al Viro 已提交
467
			break;
L
Linus Torvalds 已提交
468
		case AUDIT_UID:
469
			result = audit_comparator(cred->uid, f->op, f->val);
L
Linus Torvalds 已提交
470 471
			break;
		case AUDIT_EUID:
472
			result = audit_comparator(cred->euid, f->op, f->val);
L
Linus Torvalds 已提交
473 474
			break;
		case AUDIT_SUID:
475
			result = audit_comparator(cred->suid, f->op, f->val);
L
Linus Torvalds 已提交
476 477
			break;
		case AUDIT_FSUID:
478
			result = audit_comparator(cred->fsuid, f->op, f->val);
L
Linus Torvalds 已提交
479 480
			break;
		case AUDIT_GID:
481
			result = audit_comparator(cred->gid, f->op, f->val);
L
Linus Torvalds 已提交
482 483
			break;
		case AUDIT_EGID:
484
			result = audit_comparator(cred->egid, f->op, f->val);
L
Linus Torvalds 已提交
485 486
			break;
		case AUDIT_SGID:
487
			result = audit_comparator(cred->sgid, f->op, f->val);
L
Linus Torvalds 已提交
488 489
			break;
		case AUDIT_FSGID:
490
			result = audit_comparator(cred->fsgid, f->op, f->val);
L
Linus Torvalds 已提交
491 492
			break;
		case AUDIT_PERS:
493
			result = audit_comparator(tsk->personality, f->op, f->val);
L
Linus Torvalds 已提交
494
			break;
495
		case AUDIT_ARCH:
D
Daniel Walker 已提交
496
			if (ctx)
497
				result = audit_comparator(ctx->arch, f->op, f->val);
498
			break;
L
Linus Torvalds 已提交
499 500 501

		case AUDIT_EXIT:
			if (ctx && ctx->return_valid)
502
				result = audit_comparator(ctx->return_code, f->op, f->val);
L
Linus Torvalds 已提交
503 504
			break;
		case AUDIT_SUCCESS:
505
			if (ctx && ctx->return_valid) {
506 507
				if (f->val)
					result = audit_comparator(ctx->return_valid, f->op, AUDITSC_SUCCESS);
508
				else
509
					result = audit_comparator(ctx->return_valid, f->op, AUDITSC_FAILURE);
510
			}
L
Linus Torvalds 已提交
511 512
			break;
		case AUDIT_DEVMAJOR:
A
Amy Griffis 已提交
513 514 515 516
			if (name)
				result = audit_comparator(MAJOR(name->dev),
							  f->op, f->val);
			else if (ctx) {
L
Linus Torvalds 已提交
517
				for (j = 0; j < ctx->name_count; j++) {
518
					if (audit_comparator(MAJOR(ctx->names[j].dev),	f->op, f->val)) {
L
Linus Torvalds 已提交
519 520 521 522 523 524 525
						++result;
						break;
					}
				}
			}
			break;
		case AUDIT_DEVMINOR:
A
Amy Griffis 已提交
526 527 528 529
			if (name)
				result = audit_comparator(MINOR(name->dev),
							  f->op, f->val);
			else if (ctx) {
L
Linus Torvalds 已提交
530
				for (j = 0; j < ctx->name_count; j++) {
531
					if (audit_comparator(MINOR(ctx->names[j].dev), f->op, f->val)) {
L
Linus Torvalds 已提交
532 533 534 535 536 537 538
						++result;
						break;
					}
				}
			}
			break;
		case AUDIT_INODE:
A
Amy Griffis 已提交
539
			if (name)
540
				result = (name->ino == f->val);
A
Amy Griffis 已提交
541
			else if (ctx) {
L
Linus Torvalds 已提交
542
				for (j = 0; j < ctx->name_count; j++) {
543
					if (audit_comparator(ctx->names[j].ino, f->op, f->val)) {
L
Linus Torvalds 已提交
544 545 546 547 548 549
						++result;
						break;
					}
				}
			}
			break;
A
Amy Griffis 已提交
550
		case AUDIT_WATCH:
551 552 553
			if (name && audit_watch_inode(rule->watch) != (unsigned long)-1)
				result = (name->dev == audit_watch_dev(rule->watch) &&
					  name->ino == audit_watch_inode(rule->watch));
A
Amy Griffis 已提交
554
			break;
A
Al Viro 已提交
555 556 557 558
		case AUDIT_DIR:
			if (ctx)
				result = match_tree_refs(ctx, rule->tree);
			break;
L
Linus Torvalds 已提交
559 560 561
		case AUDIT_LOGINUID:
			result = 0;
			if (ctx)
A
Al Viro 已提交
562
				result = audit_comparator(tsk->loginuid, f->op, f->val);
L
Linus Torvalds 已提交
563
			break;
564 565 566 567 568
		case AUDIT_SUBJ_USER:
		case AUDIT_SUBJ_ROLE:
		case AUDIT_SUBJ_TYPE:
		case AUDIT_SUBJ_SEN:
		case AUDIT_SUBJ_CLR:
569 570 571 572 573
			/* NOTE: this may return negative values indicating
			   a temporary error.  We simply treat this as a
			   match for now to avoid losing information that
			   may be wanted.   An error message will also be
			   logged upon error */
574
			if (f->lsm_rule) {
S
Steve Grubb 已提交
575
				if (need_sid) {
576
					security_task_getsecid(tsk, &sid);
S
Steve Grubb 已提交
577 578
					need_sid = 0;
				}
579
				result = security_audit_rule_match(sid, f->type,
580
				                                  f->op,
581
				                                  f->lsm_rule,
582
				                                  ctx);
S
Steve Grubb 已提交
583
			}
584
			break;
585 586 587 588 589 590 591
		case AUDIT_OBJ_USER:
		case AUDIT_OBJ_ROLE:
		case AUDIT_OBJ_TYPE:
		case AUDIT_OBJ_LEV_LOW:
		case AUDIT_OBJ_LEV_HIGH:
			/* The above note for AUDIT_SUBJ_USER...AUDIT_SUBJ_CLR
			   also applies here */
592
			if (f->lsm_rule) {
593 594
				/* Find files that match */
				if (name) {
595
					result = security_audit_rule_match(
596
					           name->osid, f->type, f->op,
597
					           f->lsm_rule, ctx);
598 599
				} else if (ctx) {
					for (j = 0; j < ctx->name_count; j++) {
600
						if (security_audit_rule_match(
601 602
						      ctx->names[j].osid,
						      f->type, f->op,
603
						      f->lsm_rule, ctx)) {
604 605 606 607 608 609
							++result;
							break;
						}
					}
				}
				/* Find ipc objects that match */
A
Al Viro 已提交
610 611 612 613 614 615
				if (!ctx || ctx->type != AUDIT_IPC)
					break;
				if (security_audit_rule_match(ctx->ipc.osid,
							      f->type, f->op,
							      f->lsm_rule, ctx))
					++result;
616 617
			}
			break;
L
Linus Torvalds 已提交
618 619 620 621 622
		case AUDIT_ARG0:
		case AUDIT_ARG1:
		case AUDIT_ARG2:
		case AUDIT_ARG3:
			if (ctx)
623
				result = audit_comparator(ctx->argv[f->type-AUDIT_ARG0], f->op, f->val);
L
Linus Torvalds 已提交
624
			break;
A
Amy Griffis 已提交
625 626 627 628
		case AUDIT_FILTERKEY:
			/* ignore this field for filtering */
			result = 1;
			break;
A
Al Viro 已提交
629 630 631
		case AUDIT_PERM:
			result = audit_match_perm(ctx, f->val);
			break;
A
Al Viro 已提交
632 633 634
		case AUDIT_FILETYPE:
			result = audit_match_filetype(ctx, f->val);
			break;
L
Linus Torvalds 已提交
635 636
		}

637 638
		if (!result) {
			put_cred(cred);
L
Linus Torvalds 已提交
639
			return 0;
640
		}
L
Linus Torvalds 已提交
641
	}
642 643 644 645 646 647 648 649 650 651

	if (ctx) {
		if (rule->prio <= ctx->prio)
			return 0;
		if (rule->filterkey) {
			kfree(ctx->filterkey);
			ctx->filterkey = kstrdup(rule->filterkey, GFP_ATOMIC);
		}
		ctx->prio = rule->prio;
	}
L
Linus Torvalds 已提交
652 653 654 655
	switch (rule->action) {
	case AUDIT_NEVER:    *state = AUDIT_DISABLED;	    break;
	case AUDIT_ALWAYS:   *state = AUDIT_RECORD_CONTEXT; break;
	}
656
	put_cred(cred);
L
Linus Torvalds 已提交
657 658 659 660 661 662 663
	return 1;
}

/* At process creation time, we can determine if system-call auditing is
 * completely disabled for this task.  Since we only have the task
 * structure at this point, we can only check uid and gid.
 */
664
static enum audit_state audit_filter_task(struct task_struct *tsk, char **key)
L
Linus Torvalds 已提交
665 666 667 668 669
{
	struct audit_entry *e;
	enum audit_state   state;

	rcu_read_lock();
670
	list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TASK], list) {
A
Amy Griffis 已提交
671
		if (audit_filter_rules(tsk, &e->rule, NULL, NULL, &state)) {
672 673
			if (state == AUDIT_RECORD_CONTEXT)
				*key = kstrdup(e->rule.filterkey, GFP_ATOMIC);
L
Linus Torvalds 已提交
674 675 676 677 678 679 680 681 682 683
			rcu_read_unlock();
			return state;
		}
	}
	rcu_read_unlock();
	return AUDIT_BUILD_CONTEXT;
}

/* At syscall entry and exit time, this filter is called if the
 * audit_state is not low enough that auditing cannot take place, but is
S
Steve Grubb 已提交
684
 * also not high enough that we already know we have to write an audit
685
 * record (i.e., the state is AUDIT_SETUP_CONTEXT or AUDIT_BUILD_CONTEXT).
L
Linus Torvalds 已提交
686 687 688 689 690 691
 */
static enum audit_state audit_filter_syscall(struct task_struct *tsk,
					     struct audit_context *ctx,
					     struct list_head *list)
{
	struct audit_entry *e;
692
	enum audit_state state;
L
Linus Torvalds 已提交
693

694
	if (audit_pid && tsk->tgid == audit_pid)
695 696
		return AUDIT_DISABLED;

L
Linus Torvalds 已提交
697
	rcu_read_lock();
698
	if (!list_empty(list)) {
699 700 701 702
		int word = AUDIT_WORD(ctx->major);
		int bit  = AUDIT_BIT(ctx->major);

		list_for_each_entry_rcu(e, list, list) {
A
Amy Griffis 已提交
703 704 705 706
			if ((e->rule.mask[word] & bit) == bit &&
			    audit_filter_rules(tsk, &e->rule, ctx, NULL,
					       &state)) {
				rcu_read_unlock();
707
				ctx->current_state = state;
A
Amy Griffis 已提交
708 709 710 711 712 713 714 715 716 717 718 719 720
				return state;
			}
		}
	}
	rcu_read_unlock();
	return AUDIT_BUILD_CONTEXT;
}

/* At syscall exit time, this filter is called if any audit_names[] have been
 * collected during syscall processing.  We only check rules in sublists at hash
 * buckets applicable to the inode numbers in audit_names[].
 * Regarding audit_state, same rules apply as for audit_filter_syscall().
 */
721
void audit_filter_inodes(struct task_struct *tsk, struct audit_context *ctx)
A
Amy Griffis 已提交
722 723 724 725 726 727
{
	int i;
	struct audit_entry *e;
	enum audit_state state;

	if (audit_pid && tsk->tgid == audit_pid)
728
		return;
A
Amy Griffis 已提交
729 730 731 732 733 734 735 736 737 738 739 740 741 742 743

	rcu_read_lock();
	for (i = 0; i < ctx->name_count; i++) {
		int word = AUDIT_WORD(ctx->major);
		int bit  = AUDIT_BIT(ctx->major);
		struct audit_names *n = &ctx->names[i];
		int h = audit_hash_ino((u32)n->ino);
		struct list_head *list = &audit_inode_hash[h];

		if (list_empty(list))
			continue;

		list_for_each_entry_rcu(e, list, list) {
			if ((e->rule.mask[word] & bit) == bit &&
			    audit_filter_rules(tsk, &e->rule, ctx, n, &state)) {
744
				rcu_read_unlock();
745 746
				ctx->current_state = state;
				return;
747
			}
748 749 750 751 752
		}
	}
	rcu_read_unlock();
}

L
Linus Torvalds 已提交
753 754
static inline struct audit_context *audit_get_context(struct task_struct *tsk,
						      int return_valid,
755
						      long return_code)
L
Linus Torvalds 已提交
756 757 758 759 760 761
{
	struct audit_context *context = tsk->audit_context;

	if (likely(!context))
		return NULL;
	context->return_valid = return_valid;
E
Eric Paris 已提交
762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 777 778 779

	/*
	 * we need to fix up the return code in the audit logs if the actual
	 * return codes are later going to be fixed up by the arch specific
	 * signal handlers
	 *
	 * This is actually a test for:
	 * (rc == ERESTARTSYS ) || (rc == ERESTARTNOINTR) ||
	 * (rc == ERESTARTNOHAND) || (rc == ERESTART_RESTARTBLOCK)
	 *
	 * but is faster than a bunch of ||
	 */
	if (unlikely(return_code <= -ERESTARTSYS) &&
	    (return_code >= -ERESTART_RESTARTBLOCK) &&
	    (return_code != -ENOIOCTLCMD))
		context->return_code = -EINTR;
	else
		context->return_code  = return_code;
L
Linus Torvalds 已提交
780

781 782 783
	if (context->in_syscall && !context->dummy) {
		audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_EXIT]);
		audit_filter_inodes(tsk, context);
L
Linus Torvalds 已提交
784 785 786 787 788 789 790 791 792 793 794
	}

	tsk->audit_context = NULL;
	return context;
}

static inline void audit_free_names(struct audit_context *context)
{
	int i;

#if AUDIT_DEBUG == 2
795
	if (context->put_count + context->ino_count != context->name_count) {
796
		printk(KERN_ERR "%s:%d(:%d): major=%d in_syscall=%d"
L
Linus Torvalds 已提交
797 798
		       " name_count=%d put_count=%d"
		       " ino_count=%d [NOT freeing]\n",
799
		       __FILE__, __LINE__,
L
Linus Torvalds 已提交
800 801 802
		       context->serial, context->major, context->in_syscall,
		       context->name_count, context->put_count,
		       context->ino_count);
803
		for (i = 0; i < context->name_count; i++) {
L
Linus Torvalds 已提交
804 805
			printk(KERN_ERR "names[%d] = %p = %s\n", i,
			       context->names[i].name,
806
			       context->names[i].name ?: "(null)");
807
		}
L
Linus Torvalds 已提交
808 809 810 811 812 813 814 815 816
		dump_stack();
		return;
	}
#endif
#if AUDIT_DEBUG
	context->put_count  = 0;
	context->ino_count  = 0;
#endif

817
	for (i = 0; i < context->name_count; i++) {
818
		if (context->names[i].name && context->names[i].name_put)
L
Linus Torvalds 已提交
819
			__putname(context->names[i].name);
820
	}
L
Linus Torvalds 已提交
821
	context->name_count = 0;
822 823 824
	path_put(&context->pwd);
	context->pwd.dentry = NULL;
	context->pwd.mnt = NULL;
L
Linus Torvalds 已提交
825 826 827 828 829 830 831 832 833 834
}

static inline void audit_free_aux(struct audit_context *context)
{
	struct audit_aux_data *aux;

	while ((aux = context->aux)) {
		context->aux = aux->next;
		kfree(aux);
	}
A
Amy Griffis 已提交
835 836 837 838
	while ((aux = context->aux_pids)) {
		context->aux_pids = aux->next;
		kfree(aux);
	}
L
Linus Torvalds 已提交
839 840 841 842 843 844 845
}

static inline void audit_zero_context(struct audit_context *context,
				      enum audit_state state)
{
	memset(context, 0, sizeof(*context));
	context->state      = state;
846
	context->prio = state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0;
L
Linus Torvalds 已提交
847 848 849 850 851 852 853 854 855 856 857 858
}

static inline struct audit_context *audit_alloc_context(enum audit_state state)
{
	struct audit_context *context;

	if (!(context = kmalloc(sizeof(*context), GFP_KERNEL)))
		return NULL;
	audit_zero_context(context, state);
	return context;
}

859 860 861 862 863
/**
 * audit_alloc - allocate an audit context block for a task
 * @tsk: task
 *
 * Filter on the task information and allocate a per-task audit context
L
Linus Torvalds 已提交
864 865
 * if necessary.  Doing so turns on system call auditing for the
 * specified task.  This is called from copy_process, so no lock is
866 867
 * needed.
 */
L
Linus Torvalds 已提交
868 869 870 871
int audit_alloc(struct task_struct *tsk)
{
	struct audit_context *context;
	enum audit_state     state;
872
	char *key = NULL;
L
Linus Torvalds 已提交
873

874
	if (likely(!audit_ever_enabled))
L
Linus Torvalds 已提交
875 876
		return 0; /* Return if not auditing. */

877
	state = audit_filter_task(tsk, &key);
L
Linus Torvalds 已提交
878 879 880 881
	if (likely(state == AUDIT_DISABLED))
		return 0;

	if (!(context = audit_alloc_context(state))) {
882
		kfree(key);
L
Linus Torvalds 已提交
883 884 885
		audit_log_lost("out of memory in audit_alloc");
		return -ENOMEM;
	}
886
	context->filterkey = key;
L
Linus Torvalds 已提交
887 888 889 890 891 892 893 894 895 896 897 898 899 900 901 902 903 904 905 906 907

	tsk->audit_context  = context;
	set_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT);
	return 0;
}

static inline void audit_free_context(struct audit_context *context)
{
	struct audit_context *previous;
	int		     count = 0;

	do {
		previous = context->previous;
		if (previous || (count &&  count < 10)) {
			++count;
			printk(KERN_ERR "audit(:%d): major=%d name_count=%d:"
			       " freeing multiple contexts (%d)\n",
			       context->serial, context->major,
			       context->name_count, count);
		}
		audit_free_names(context);
A
Al Viro 已提交
908 909
		unroll_tree_refs(context, NULL, 0);
		free_tree_refs(context);
L
Linus Torvalds 已提交
910
		audit_free_aux(context);
A
Amy Griffis 已提交
911
		kfree(context->filterkey);
912
		kfree(context->sockaddr);
L
Linus Torvalds 已提交
913 914 915 916 917 918 919
		kfree(context);
		context  = previous;
	} while (context);
	if (count >= 10)
		printk(KERN_ERR "audit: freed %d contexts\n", count);
}

J
Joy Latten 已提交
920
void audit_log_task_context(struct audit_buffer *ab)
921 922
{
	char *ctx = NULL;
923 924 925 926
	unsigned len;
	int error;
	u32 sid;

927
	security_task_getsecid(current, &sid);
928 929
	if (!sid)
		return;
930

931
	error = security_secid_to_secctx(sid, &ctx, &len);
932 933
	if (error) {
		if (error != -EINVAL)
934 935 936 937 938
			goto error_path;
		return;
	}

	audit_log_format(ab, " subj=%s", ctx);
939
	security_release_secctx(ctx, len);
940
	return;
941 942

error_path:
943
	audit_panic("error in audit_log_task_context");
944 945 946
	return;
}

J
Joy Latten 已提交
947 948
EXPORT_SYMBOL(audit_log_task_context);

949
static void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
950
{
951 952
	char name[sizeof(tsk->comm)];
	struct mm_struct *mm = tsk->mm;
953 954
	struct vm_area_struct *vma;

955 956
	/* tsk == current */

957
	get_task_comm(name, tsk);
958 959
	audit_log_format(ab, " comm=");
	audit_log_untrustedstring(ab, name);
960

961 962 963 964 965 966 967
	if (mm) {
		down_read(&mm->mmap_sem);
		vma = mm->mmap;
		while (vma) {
			if ((vma->vm_flags & VM_EXECUTABLE) &&
			    vma->vm_file) {
				audit_log_d_path(ab, "exe=",
968
						 &vma->vm_file->f_path);
969 970 971
				break;
			}
			vma = vma->vm_next;
972
		}
973
		up_read(&mm->mmap_sem);
974
	}
975
	audit_log_task_context(ab);
976 977
}

A
Amy Griffis 已提交
978
static int audit_log_pid_context(struct audit_context *context, pid_t pid,
979 980
				 uid_t auid, uid_t uid, unsigned int sessionid,
				 u32 sid, char *comm)
A
Amy Griffis 已提交
981 982
{
	struct audit_buffer *ab;
983
	char *ctx = NULL;
A
Amy Griffis 已提交
984 985 986 987 988
	u32 len;
	int rc = 0;

	ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID);
	if (!ab)
989
		return rc;
A
Amy Griffis 已提交
990

991 992
	audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid, auid,
			 uid, sessionid);
993
	if (security_secid_to_secctx(sid, &ctx, &len)) {
994
		audit_log_format(ab, " obj=(none)");
A
Amy Griffis 已提交
995
		rc = 1;
996 997 998 999
	} else {
		audit_log_format(ab, " obj=%s", ctx);
		security_release_secctx(ctx, len);
	}
1000 1001
	audit_log_format(ab, " ocomm=");
	audit_log_untrustedstring(ab, comm);
A
Amy Griffis 已提交
1002 1003 1004 1005 1006
	audit_log_end(ab);

	return rc;
}

1007 1008 1009 1010 1011 1012 1013 1014 1015 1016 1017 1018 1019 1020 1021 1022 1023
/*
 * to_send and len_sent accounting are very loose estimates.  We aren't
 * really worried about a hard cap to MAX_EXECVE_AUDIT_LEN so much as being
 * within about 500 bytes (next page boundry)
 *
 * why snprintf?  an int is up to 12 digits long.  if we just assumed when
 * logging that a[%d]= was going to be 16 characters long we would be wasting
 * space in every audit message.  In one 7500 byte message we can log up to
 * about 1000 min size arguments.  That comes down to about 50% waste of space
 * if we didn't do the snprintf to find out how long arg_num_len was.
 */
static int audit_log_single_execve_arg(struct audit_context *context,
					struct audit_buffer **ab,
					int arg_num,
					size_t *len_sent,
					const char __user *p,
					char *buf)
P
Peter Zijlstra 已提交
1024
{
1025 1026
	char arg_num_len_buf[12];
	const char __user *tmp_p = p;
1027 1028
	/* how many digits are in arg_num? 5 is the length of ' a=""' */
	size_t arg_num_len = snprintf(arg_num_len_buf, 12, "%d", arg_num) + 5;
1029 1030 1031 1032 1033 1034 1035
	size_t len, len_left, to_send;
	size_t max_execve_audit_len = MAX_EXECVE_AUDIT_LEN;
	unsigned int i, has_cntl = 0, too_long = 0;
	int ret;

	/* strnlen_user includes the null we don't want to send */
	len_left = len = strnlen_user(p, MAX_ARG_STRLEN) - 1;
P
Peter Zijlstra 已提交
1036

1037 1038 1039 1040 1041 1042
	/*
	 * We just created this mm, if we can't find the strings
	 * we just copied into it something is _very_ wrong. Similar
	 * for strings that are too long, we should not have created
	 * any.
	 */
1043
	if (unlikely((len == -1) || len > MAX_ARG_STRLEN - 1)) {
1044 1045
		WARN_ON(1);
		send_sig(SIGKILL, current, 0);
1046
		return -1;
1047
	}
1048

1049 1050 1051 1052 1053 1054 1055
	/* walk the whole argument looking for non-ascii chars */
	do {
		if (len_left > MAX_EXECVE_AUDIT_LEN)
			to_send = MAX_EXECVE_AUDIT_LEN;
		else
			to_send = len_left;
		ret = copy_from_user(buf, tmp_p, to_send);
P
Peter Zijlstra 已提交
1056
		/*
1057 1058 1059
		 * There is no reason for this copy to be short. We just
		 * copied them here, and the mm hasn't been exposed to user-
		 * space yet.
P
Peter Zijlstra 已提交
1060
		 */
1061
		if (ret) {
P
Peter Zijlstra 已提交
1062 1063
			WARN_ON(1);
			send_sig(SIGKILL, current, 0);
1064
			return -1;
P
Peter Zijlstra 已提交
1065
		}
1066 1067 1068 1069 1070 1071 1072 1073
		buf[to_send] = '\0';
		has_cntl = audit_string_contains_control(buf, to_send);
		if (has_cntl) {
			/*
			 * hex messages get logged as 2 bytes, so we can only
			 * send half as much in each message
			 */
			max_execve_audit_len = MAX_EXECVE_AUDIT_LEN / 2;
P
Peter Zijlstra 已提交
1074 1075
			break;
		}
1076 1077 1078 1079 1080 1081 1082 1083 1084 1085 1086 1087 1088 1089 1090 1091 1092 1093 1094 1095 1096 1097 1098 1099 1100 1101 1102 1103 1104 1105 1106
		len_left -= to_send;
		tmp_p += to_send;
	} while (len_left > 0);

	len_left = len;

	if (len > max_execve_audit_len)
		too_long = 1;

	/* rewalk the argument actually logging the message */
	for (i = 0; len_left > 0; i++) {
		int room_left;

		if (len_left > max_execve_audit_len)
			to_send = max_execve_audit_len;
		else
			to_send = len_left;

		/* do we have space left to send this argument in this ab? */
		room_left = MAX_EXECVE_AUDIT_LEN - arg_num_len - *len_sent;
		if (has_cntl)
			room_left -= (to_send * 2);
		else
			room_left -= to_send;
		if (room_left < 0) {
			*len_sent = 0;
			audit_log_end(*ab);
			*ab = audit_log_start(context, GFP_KERNEL, AUDIT_EXECVE);
			if (!*ab)
				return 0;
		}
P
Peter Zijlstra 已提交
1107 1108

		/*
1109 1110 1111 1112
		 * first record needs to say how long the original string was
		 * so we can be sure nothing was lost.
		 */
		if ((i == 0) && (too_long))
1113
			audit_log_format(*ab, " a%d_len=%zu", arg_num,
1114 1115 1116 1117 1118 1119
					 has_cntl ? 2*len : len);

		/*
		 * normally arguments are small enough to fit and we already
		 * filled buf above when we checked for control characters
		 * so don't bother with another copy_from_user
P
Peter Zijlstra 已提交
1120
		 */
1121 1122 1123 1124
		if (len >= max_execve_audit_len)
			ret = copy_from_user(buf, p, to_send);
		else
			ret = 0;
1125
		if (ret) {
P
Peter Zijlstra 已提交
1126 1127
			WARN_ON(1);
			send_sig(SIGKILL, current, 0);
1128
			return -1;
P
Peter Zijlstra 已提交
1129
		}
1130 1131 1132
		buf[to_send] = '\0';

		/* actually log it */
1133
		audit_log_format(*ab, " a%d", arg_num);
1134 1135 1136 1137
		if (too_long)
			audit_log_format(*ab, "[%d]", i);
		audit_log_format(*ab, "=");
		if (has_cntl)
1138
			audit_log_n_hex(*ab, buf, to_send);
1139 1140 1141 1142 1143 1144 1145 1146 1147 1148 1149 1150 1151 1152 1153 1154 1155 1156 1157 1158 1159 1160 1161
		else
			audit_log_format(*ab, "\"%s\"", buf);

		p += to_send;
		len_left -= to_send;
		*len_sent += arg_num_len;
		if (has_cntl)
			*len_sent += to_send * 2;
		else
			*len_sent += to_send;
	}
	/* include the null we didn't log */
	return len + 1;
}

static void audit_log_execve_info(struct audit_context *context,
				  struct audit_buffer **ab,
				  struct audit_aux_data_execve *axi)
{
	int i;
	size_t len, len_sent = 0;
	const char __user *p;
	char *buf;
P
Peter Zijlstra 已提交
1162

1163 1164 1165 1166
	if (axi->mm != current->mm)
		return; /* execve failed, no additional info */

	p = (const char __user *)axi->mm->arg_start;
P
Peter Zijlstra 已提交
1167

1168
	audit_log_format(*ab, "argc=%d", axi->argc);
1169 1170 1171 1172 1173 1174 1175 1176 1177 1178 1179

	/*
	 * we need some kernel buffer to hold the userspace args.  Just
	 * allocate one big one rather than allocating one of the right size
	 * for every single argument inside audit_log_single_execve_arg()
	 * should be <8k allocation so should be pretty safe.
	 */
	buf = kmalloc(MAX_EXECVE_AUDIT_LEN + 1, GFP_KERNEL);
	if (!buf) {
		audit_panic("out of memory for argv string\n");
		return;
P
Peter Zijlstra 已提交
1180
	}
1181 1182 1183 1184 1185 1186 1187 1188 1189

	for (i = 0; i < axi->argc; i++) {
		len = audit_log_single_execve_arg(context, ab, i,
						  &len_sent, p, buf);
		if (len <= 0)
			break;
		p += len;
	}
	kfree(buf);
P
Peter Zijlstra 已提交
1190 1191
}

1192 1193 1194 1195 1196 1197 1198 1199 1200 1201 1202 1203 1204 1205 1206 1207 1208 1209 1210 1211 1212 1213 1214 1215 1216 1217 1218 1219 1220
static void audit_log_cap(struct audit_buffer *ab, char *prefix, kernel_cap_t *cap)
{
	int i;

	audit_log_format(ab, " %s=", prefix);
	CAP_FOR_EACH_U32(i) {
		audit_log_format(ab, "%08x", cap->cap[(_KERNEL_CAPABILITY_U32S-1) - i]);
	}
}

static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name)
{
	kernel_cap_t *perm = &name->fcap.permitted;
	kernel_cap_t *inh = &name->fcap.inheritable;
	int log = 0;

	if (!cap_isclear(*perm)) {
		audit_log_cap(ab, "cap_fp", perm);
		log = 1;
	}
	if (!cap_isclear(*inh)) {
		audit_log_cap(ab, "cap_fi", inh);
		log = 1;
	}

	if (log)
		audit_log_format(ab, " cap_fe=%d cap_fver=%x", name->fcap.fE, name->fcap_ver);
}

A
Al Viro 已提交
1221
static void show_special(struct audit_context *context, int *call_panic)
A
Al Viro 已提交
1222 1223 1224 1225 1226 1227 1228 1229 1230 1231 1232 1233 1234 1235 1236 1237
{
	struct audit_buffer *ab;
	int i;

	ab = audit_log_start(context, GFP_KERNEL, context->type);
	if (!ab)
		return;

	switch (context->type) {
	case AUDIT_SOCKETCALL: {
		int nargs = context->socketcall.nargs;
		audit_log_format(ab, "nargs=%d", nargs);
		for (i = 0; i < nargs; i++)
			audit_log_format(ab, " a%d=%lx", i,
				context->socketcall.args[i]);
		break; }
A
Al Viro 已提交
1238 1239 1240 1241 1242 1243 1244 1245 1246 1247 1248 1249 1250 1251 1252 1253
	case AUDIT_IPC: {
		u32 osid = context->ipc.osid;

		audit_log_format(ab, "ouid=%u ogid=%u mode=%#o",
			 context->ipc.uid, context->ipc.gid, context->ipc.mode);
		if (osid) {
			char *ctx = NULL;
			u32 len;
			if (security_secid_to_secctx(osid, &ctx, &len)) {
				audit_log_format(ab, " osid=%u", osid);
				*call_panic = 1;
			} else {
				audit_log_format(ab, " obj=%s", ctx);
				security_release_secctx(ctx, len);
			}
		}
A
Al Viro 已提交
1254 1255 1256 1257 1258 1259 1260 1261 1262 1263 1264 1265 1266
		if (context->ipc.has_perm) {
			audit_log_end(ab);
			ab = audit_log_start(context, GFP_KERNEL,
					     AUDIT_IPC_SET_PERM);
			audit_log_format(ab,
				"qbytes=%lx ouid=%u ogid=%u mode=%#o",
				context->ipc.qbytes,
				context->ipc.perm_uid,
				context->ipc.perm_gid,
				context->ipc.perm_mode);
			if (!ab)
				return;
		}
A
Al Viro 已提交
1267
		break; }
A
Al Viro 已提交
1268 1269 1270 1271 1272 1273 1274 1275 1276 1277
	case AUDIT_MQ_OPEN: {
		audit_log_format(ab,
			"oflag=0x%x mode=%#o mq_flags=0x%lx mq_maxmsg=%ld "
			"mq_msgsize=%ld mq_curmsgs=%ld",
			context->mq_open.oflag, context->mq_open.mode,
			context->mq_open.attr.mq_flags,
			context->mq_open.attr.mq_maxmsg,
			context->mq_open.attr.mq_msgsize,
			context->mq_open.attr.mq_curmsgs);
		break; }
A
Al Viro 已提交
1278 1279 1280 1281 1282 1283 1284 1285 1286 1287
	case AUDIT_MQ_SENDRECV: {
		audit_log_format(ab,
			"mqdes=%d msg_len=%zd msg_prio=%u "
			"abs_timeout_sec=%ld abs_timeout_nsec=%ld",
			context->mq_sendrecv.mqdes,
			context->mq_sendrecv.msg_len,
			context->mq_sendrecv.msg_prio,
			context->mq_sendrecv.abs_timeout.tv_sec,
			context->mq_sendrecv.abs_timeout.tv_nsec);
		break; }
A
Al Viro 已提交
1288 1289 1290 1291 1292
	case AUDIT_MQ_NOTIFY: {
		audit_log_format(ab, "mqdes=%d sigev_signo=%d",
				context->mq_notify.mqdes,
				context->mq_notify.sigev_signo);
		break; }
A
Al Viro 已提交
1293 1294 1295 1296 1297 1298 1299 1300 1301
	case AUDIT_MQ_GETSETATTR: {
		struct mq_attr *attr = &context->mq_getsetattr.mqstat;
		audit_log_format(ab,
			"mqdes=%d mq_flags=0x%lx mq_maxmsg=%ld mq_msgsize=%ld "
			"mq_curmsgs=%ld ",
			context->mq_getsetattr.mqdes,
			attr->mq_flags, attr->mq_maxmsg,
			attr->mq_msgsize, attr->mq_curmsgs);
		break; }
A
Al Viro 已提交
1302 1303 1304 1305 1306 1307
	case AUDIT_CAPSET: {
		audit_log_format(ab, "pid=%d", context->capset.pid);
		audit_log_cap(ab, "cap_pi", &context->capset.cap.inheritable);
		audit_log_cap(ab, "cap_pp", &context->capset.cap.permitted);
		audit_log_cap(ab, "cap_pe", &context->capset.cap.effective);
		break; }
A
Al Viro 已提交
1308 1309 1310 1311
	}
	audit_log_end(ab);
}

1312
static void audit_log_exit(struct audit_context *context, struct task_struct *tsk)
L
Linus Torvalds 已提交
1313
{
1314
	const struct cred *cred;
S
Steve Grubb 已提交
1315
	int i, call_panic = 0;
L
Linus Torvalds 已提交
1316
	struct audit_buffer *ab;
1317
	struct audit_aux_data *aux;
1318
	const char *tty;
L
Linus Torvalds 已提交
1319

1320
	/* tsk == current */
1321
	context->pid = tsk->pid;
A
Alexander Viro 已提交
1322 1323
	if (!context->ppid)
		context->ppid = sys_getppid();
1324 1325 1326 1327 1328
	cred = current_cred();
	context->uid   = cred->uid;
	context->gid   = cred->gid;
	context->euid  = cred->euid;
	context->suid  = cred->suid;
1329
	context->fsuid = cred->fsuid;
1330 1331
	context->egid  = cred->egid;
	context->sgid  = cred->sgid;
1332
	context->fsgid = cred->fsgid;
1333
	context->personality = tsk->personality;
1334 1335

	ab = audit_log_start(context, GFP_KERNEL, AUDIT_SYSCALL);
L
Linus Torvalds 已提交
1336 1337
	if (!ab)
		return;		/* audit_panic has been called */
1338 1339
	audit_log_format(ab, "arch=%x syscall=%d",
			 context->arch, context->major);
L
Linus Torvalds 已提交
1340 1341 1342
	if (context->personality != PER_LINUX)
		audit_log_format(ab, " per=%lx", context->personality);
	if (context->return_valid)
D
Daniel Walker 已提交
1343
		audit_log_format(ab, " success=%s exit=%ld",
1344 1345
				 (context->return_valid==AUDITSC_SUCCESS)?"yes":"no",
				 context->return_code);
A
Alan Cox 已提交
1346

1347
	spin_lock_irq(&tsk->sighand->siglock);
1348 1349
	if (tsk->signal && tsk->signal->tty && tsk->signal->tty->name)
		tty = tsk->signal->tty->name;
1350 1351
	else
		tty = "(none)";
1352 1353
	spin_unlock_irq(&tsk->sighand->siglock);

L
Linus Torvalds 已提交
1354 1355
	audit_log_format(ab,
		  " a0=%lx a1=%lx a2=%lx a3=%lx items=%d"
A
Al Viro 已提交
1356
		  " ppid=%d pid=%d auid=%u uid=%u gid=%u"
1357
		  " euid=%u suid=%u fsuid=%u"
1358
		  " egid=%u sgid=%u fsgid=%u tty=%s ses=%u",
L
Linus Torvalds 已提交
1359 1360 1361 1362 1363
		  context->argv[0],
		  context->argv[1],
		  context->argv[2],
		  context->argv[3],
		  context->name_count,
A
Al Viro 已提交
1364
		  context->ppid,
L
Linus Torvalds 已提交
1365
		  context->pid,
A
Al Viro 已提交
1366
		  tsk->loginuid,
L
Linus Torvalds 已提交
1367 1368 1369
		  context->uid,
		  context->gid,
		  context->euid, context->suid, context->fsuid,
1370 1371
		  context->egid, context->sgid, context->fsgid, tty,
		  tsk->sessionid);
A
Alan Cox 已提交
1372 1373


1374
	audit_log_task_info(ab, tsk);
A
Amy Griffis 已提交
1375 1376 1377 1378 1379
	if (context->filterkey) {
		audit_log_format(ab, " key=");
		audit_log_untrustedstring(ab, context->filterkey);
	} else
		audit_log_format(ab, " key=(null)");
L
Linus Torvalds 已提交
1380 1381
	audit_log_end(ab);

1382
	for (aux = context->aux; aux; aux = aux->next) {
1383

1384
		ab = audit_log_start(context, GFP_KERNEL, aux->type);
L
Linus Torvalds 已提交
1385 1386 1387 1388
		if (!ab)
			continue; /* audit_panic has been called */

		switch (aux->type) {
1389

A
Al Viro 已提交
1390 1391
		case AUDIT_EXECVE: {
			struct audit_aux_data_execve *axi = (void *)aux;
1392
			audit_log_execve_info(context, &ab, axi);
A
Al Viro 已提交
1393
			break; }
S
Steve Grubb 已提交
1394

1395 1396 1397 1398 1399 1400 1401 1402 1403 1404 1405 1406 1407 1408
		case AUDIT_BPRM_FCAPS: {
			struct audit_aux_data_bprm_fcaps *axs = (void *)aux;
			audit_log_format(ab, "fver=%x", axs->fcap_ver);
			audit_log_cap(ab, "fp", &axs->fcap.permitted);
			audit_log_cap(ab, "fi", &axs->fcap.inheritable);
			audit_log_format(ab, " fe=%d", axs->fcap.fE);
			audit_log_cap(ab, "old_pp", &axs->old_pcap.permitted);
			audit_log_cap(ab, "old_pi", &axs->old_pcap.inheritable);
			audit_log_cap(ab, "old_pe", &axs->old_pcap.effective);
			audit_log_cap(ab, "new_pp", &axs->new_pcap.permitted);
			audit_log_cap(ab, "new_pi", &axs->new_pcap.inheritable);
			audit_log_cap(ab, "new_pe", &axs->new_pcap.effective);
			break; }

L
Linus Torvalds 已提交
1409 1410 1411 1412
		}
		audit_log_end(ab);
	}

A
Al Viro 已提交
1413
	if (context->type)
A
Al Viro 已提交
1414
		show_special(context, &call_panic);
A
Al Viro 已提交
1415

A
Al Viro 已提交
1416 1417 1418 1419 1420 1421 1422 1423 1424
	if (context->fds[0] >= 0) {
		ab = audit_log_start(context, GFP_KERNEL, AUDIT_FD_PAIR);
		if (ab) {
			audit_log_format(ab, "fd0=%d fd1=%d",
					context->fds[0], context->fds[1]);
			audit_log_end(ab);
		}
	}

1425 1426 1427 1428 1429 1430 1431 1432 1433 1434
	if (context->sockaddr_len) {
		ab = audit_log_start(context, GFP_KERNEL, AUDIT_SOCKADDR);
		if (ab) {
			audit_log_format(ab, "saddr=");
			audit_log_n_hex(ab, (void *)context->sockaddr,
					context->sockaddr_len);
			audit_log_end(ab);
		}
	}

A
Amy Griffis 已提交
1435 1436 1437 1438 1439
	for (aux = context->aux_pids; aux; aux = aux->next) {
		struct audit_aux_data_pids *axs = (void *)aux;

		for (i = 0; i < axs->pid_count; i++)
			if (audit_log_pid_context(context, axs->target_pid[i],
1440 1441
						  axs->target_auid[i],
						  axs->target_uid[i],
1442
						  axs->target_sessionid[i],
1443 1444
						  axs->target_sid[i],
						  axs->target_comm[i]))
A
Amy Griffis 已提交
1445
				call_panic = 1;
A
Al Viro 已提交
1446 1447
	}

A
Amy Griffis 已提交
1448 1449
	if (context->target_pid &&
	    audit_log_pid_context(context, context->target_pid,
1450
				  context->target_auid, context->target_uid,
1451
				  context->target_sessionid,
1452
				  context->target_sid, context->target_comm))
A
Amy Griffis 已提交
1453 1454
			call_panic = 1;

1455
	if (context->pwd.dentry && context->pwd.mnt) {
1456
		ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD);
1457
		if (ab) {
1458
			audit_log_d_path(ab, "cwd=", &context->pwd);
1459 1460 1461
			audit_log_end(ab);
		}
	}
L
Linus Torvalds 已提交
1462
	for (i = 0; i < context->name_count; i++) {
1463
		struct audit_names *n = &context->names[i];
1464

1465
		ab = audit_log_start(context, GFP_KERNEL, AUDIT_PATH);
L
Linus Torvalds 已提交
1466 1467
		if (!ab)
			continue; /* audit_panic has been called */
1468

L
Linus Torvalds 已提交
1469
		audit_log_format(ab, "item=%d", i);
1470

1471 1472 1473 1474 1475 1476 1477 1478 1479 1480
		if (n->name) {
			switch(n->name_len) {
			case AUDIT_NAME_FULL:
				/* log the full path */
				audit_log_format(ab, " name=");
				audit_log_untrustedstring(ab, n->name);
				break;
			case 0:
				/* name was specified as a relative path and the
				 * directory component is the cwd */
1481
				audit_log_d_path(ab, "name=", &context->pwd);
1482 1483 1484 1485
				break;
			default:
				/* log the name's directory component */
				audit_log_format(ab, " name=");
1486 1487
				audit_log_n_untrustedstring(ab, n->name,
							    n->name_len);
1488 1489 1490 1491 1492 1493 1494 1495 1496 1497 1498 1499 1500 1501 1502 1503 1504 1505
			}
		} else
			audit_log_format(ab, " name=(null)");

		if (n->ino != (unsigned long)-1) {
			audit_log_format(ab, " inode=%lu"
					 " dev=%02x:%02x mode=%#o"
					 " ouid=%u ogid=%u rdev=%02x:%02x",
					 n->ino,
					 MAJOR(n->dev),
					 MINOR(n->dev),
					 n->mode,
					 n->uid,
					 n->gid,
					 MAJOR(n->rdev),
					 MINOR(n->rdev));
		}
		if (n->osid != 0) {
S
Steve Grubb 已提交
1506 1507
			char *ctx = NULL;
			u32 len;
1508
			if (security_secid_to_secctx(
1509 1510
				n->osid, &ctx, &len)) {
				audit_log_format(ab, " osid=%u", n->osid);
S
Steve Grubb 已提交
1511
				call_panic = 2;
1512
			} else {
S
Steve Grubb 已提交
1513
				audit_log_format(ab, " obj=%s", ctx);
1514 1515
				security_release_secctx(ctx, len);
			}
1516 1517
		}

1518 1519
		audit_log_fcaps(ab, n);

L
Linus Torvalds 已提交
1520 1521
		audit_log_end(ab);
	}
E
Eric Paris 已提交
1522 1523 1524 1525 1526

	/* Send end of event record to help user space know we are finished */
	ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE);
	if (ab)
		audit_log_end(ab);
S
Steve Grubb 已提交
1527 1528
	if (call_panic)
		audit_panic("error converting sid to string");
L
Linus Torvalds 已提交
1529 1530
}

1531 1532 1533 1534
/**
 * audit_free - free a per-task audit context
 * @tsk: task whose audit context block to free
 *
1535
 * Called from copy_process and do_exit
1536
 */
L
Linus Torvalds 已提交
1537 1538 1539 1540 1541 1542 1543 1544 1545
void audit_free(struct task_struct *tsk)
{
	struct audit_context *context;

	context = audit_get_context(tsk, 0, 0);
	if (likely(!context))
		return;

	/* Check for system calls that do not go through the exit
D
Daniel Walker 已提交
1546 1547
	 * function (e.g., exit_group), then free context block.
	 * We use GFP_ATOMIC here because we might be doing this
1548
	 * in the context of the idle thread */
1549
	/* that can happen only if we are called from do_exit() */
1550
	if (context->in_syscall && context->current_state == AUDIT_RECORD_CONTEXT)
1551
		audit_log_exit(context, tsk);
L
Linus Torvalds 已提交
1552 1553 1554 1555

	audit_free_context(context);
}

1556 1557 1558 1559 1560 1561 1562 1563 1564 1565
/**
 * audit_syscall_entry - fill in an audit record at syscall entry
 * @arch: architecture type
 * @major: major syscall type (function)
 * @a1: additional syscall register 1
 * @a2: additional syscall register 2
 * @a3: additional syscall register 3
 * @a4: additional syscall register 4
 *
 * Fill in audit context at syscall entry.  This only happens if the
L
Linus Torvalds 已提交
1566 1567 1568 1569 1570
 * audit context was created when the task was created and the state or
 * filters demand the audit context be built.  If the state from the
 * per-task filter or from the per-syscall filter is AUDIT_RECORD_CONTEXT,
 * then the record will be written at syscall exit time (otherwise, it
 * will only be written if another part of the kernel requests that it
1571 1572
 * be written).
 */
1573
void audit_syscall_entry(int arch, int major,
L
Linus Torvalds 已提交
1574 1575 1576
			 unsigned long a1, unsigned long a2,
			 unsigned long a3, unsigned long a4)
{
1577
	struct task_struct *tsk = current;
L
Linus Torvalds 已提交
1578 1579 1580
	struct audit_context *context = tsk->audit_context;
	enum audit_state     state;

R
Roland McGrath 已提交
1581 1582
	if (unlikely(!context))
		return;
L
Linus Torvalds 已提交
1583

1584 1585
	/*
	 * This happens only on certain architectures that make system
L
Linus Torvalds 已提交
1586 1587 1588 1589 1590 1591 1592
	 * calls in kernel_thread via the entry.S interface, instead of
	 * with direct calls.  (If you are porting to a new
	 * architecture, hitting this condition can indicate that you
	 * got the _exit/_leave calls backward in entry.S.)
	 *
	 * i386     no
	 * x86_64   no
1593
	 * ppc64    yes (see arch/powerpc/platforms/iseries/misc.S)
L
Linus Torvalds 已提交
1594 1595 1596 1597 1598 1599 1600 1601 1602 1603 1604 1605 1606 1607 1608 1609 1610 1611 1612 1613 1614 1615 1616 1617 1618 1619 1620 1621 1622 1623 1624
	 *
	 * This also happens with vm86 emulation in a non-nested manner
	 * (entries without exits), so this case must be caught.
	 */
	if (context->in_syscall) {
		struct audit_context *newctx;

#if AUDIT_DEBUG
		printk(KERN_ERR
		       "audit(:%d) pid=%d in syscall=%d;"
		       " entering syscall=%d\n",
		       context->serial, tsk->pid, context->major, major);
#endif
		newctx = audit_alloc_context(context->state);
		if (newctx) {
			newctx->previous   = context;
			context		   = newctx;
			tsk->audit_context = newctx;
		} else	{
			/* If we can't alloc a new context, the best we
			 * can do is to leak memory (any pending putname
			 * will be lost).  The only other alternative is
			 * to abandon auditing. */
			audit_zero_context(context, context->state);
		}
	}
	BUG_ON(context->in_syscall || context->name_count);

	if (!audit_enabled)
		return;

1625
	context->arch	    = arch;
L
Linus Torvalds 已提交
1626 1627 1628 1629 1630 1631 1632
	context->major      = major;
	context->argv[0]    = a1;
	context->argv[1]    = a2;
	context->argv[2]    = a3;
	context->argv[3]    = a4;

	state = context->state;
1633
	context->dummy = !audit_n_rules;
1634 1635
	if (!context->dummy && state == AUDIT_BUILD_CONTEXT) {
		context->prio = 0;
1636
		state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_ENTRY]);
1637
	}
L
Linus Torvalds 已提交
1638 1639 1640
	if (likely(state == AUDIT_DISABLED))
		return;

1641
	context->serial     = 0;
L
Linus Torvalds 已提交
1642 1643
	context->ctime      = CURRENT_TIME;
	context->in_syscall = 1;
1644
	context->current_state  = state;
A
Alexander Viro 已提交
1645
	context->ppid       = 0;
L
Linus Torvalds 已提交
1646 1647
}

1648 1649 1650 1651
void audit_finish_fork(struct task_struct *child)
{
	struct audit_context *ctx = current->audit_context;
	struct audit_context *p = child->audit_context;
1652 1653 1654
	if (!p || !ctx)
		return;
	if (!ctx->in_syscall || ctx->current_state != AUDIT_RECORD_CONTEXT)
1655 1656 1657 1658 1659 1660 1661 1662 1663
		return;
	p->arch = ctx->arch;
	p->major = ctx->major;
	memcpy(p->argv, ctx->argv, sizeof(ctx->argv));
	p->ctime = ctx->ctime;
	p->dummy = ctx->dummy;
	p->in_syscall = ctx->in_syscall;
	p->filterkey = kstrdup(ctx->filterkey, GFP_KERNEL);
	p->ppid = current->pid;
1664 1665
	p->prio = ctx->prio;
	p->current_state = ctx->current_state;
1666 1667
}

1668 1669 1670 1671 1672 1673
/**
 * audit_syscall_exit - deallocate audit context after a system call
 * @valid: success/failure flag
 * @return_code: syscall return value
 *
 * Tear down after system call.  If the audit context has been marked as
L
Linus Torvalds 已提交
1674 1675 1676
 * auditable (either because of the AUDIT_RECORD_CONTEXT state from
 * filtering, or because some other part of the kernel write an audit
 * message), then write out the syscall information.  In call cases,
1677 1678
 * free the names stored from getname().
 */
1679
void audit_syscall_exit(int valid, long return_code)
L
Linus Torvalds 已提交
1680
{
1681
	struct task_struct *tsk = current;
L
Linus Torvalds 已提交
1682 1683
	struct audit_context *context;

1684
	context = audit_get_context(tsk, valid, return_code);
L
Linus Torvalds 已提交
1685 1686

	if (likely(!context))
1687
		return;
L
Linus Torvalds 已提交
1688

1689
	if (context->in_syscall && context->current_state == AUDIT_RECORD_CONTEXT)
1690
		audit_log_exit(context, tsk);
L
Linus Torvalds 已提交
1691 1692

	context->in_syscall = 0;
1693
	context->prio = context->state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0;
1694

L
Linus Torvalds 已提交
1695 1696 1697 1698 1699 1700 1701
	if (context->previous) {
		struct audit_context *new_context = context->previous;
		context->previous  = NULL;
		audit_free_context(context);
		tsk->audit_context = new_context;
	} else {
		audit_free_names(context);
A
Al Viro 已提交
1702
		unroll_tree_refs(context, NULL, 0);
L
Linus Torvalds 已提交
1703
		audit_free_aux(context);
A
Amy Griffis 已提交
1704 1705
		context->aux = NULL;
		context->aux_pids = NULL;
A
Al Viro 已提交
1706
		context->target_pid = 0;
A
Amy Griffis 已提交
1707
		context->target_sid = 0;
1708
		context->sockaddr_len = 0;
A
Al Viro 已提交
1709
		context->type = 0;
A
Al Viro 已提交
1710
		context->fds[0] = -1;
1711 1712 1713 1714
		if (context->state != AUDIT_RECORD_CONTEXT) {
			kfree(context->filterkey);
			context->filterkey = NULL;
		}
L
Linus Torvalds 已提交
1715 1716 1717 1718
		tsk->audit_context = context;
	}
}

A
Al Viro 已提交
1719 1720 1721 1722 1723 1724 1725 1726 1727 1728 1729 1730 1731 1732 1733 1734 1735 1736 1737 1738
static inline void handle_one(const struct inode *inode)
{
#ifdef CONFIG_AUDIT_TREE
	struct audit_context *context;
	struct audit_tree_refs *p;
	struct audit_chunk *chunk;
	int count;
	if (likely(list_empty(&inode->inotify_watches)))
		return;
	context = current->audit_context;
	p = context->trees;
	count = context->tree_count;
	rcu_read_lock();
	chunk = audit_tree_lookup(inode);
	rcu_read_unlock();
	if (!chunk)
		return;
	if (likely(put_tree_ref(context, chunk)))
		return;
	if (unlikely(!grow_tree_refs(context))) {
E
Eric Paris 已提交
1739
		printk(KERN_WARNING "out of memory, audit has lost a tree reference\n");
A
Al Viro 已提交
1740 1741 1742 1743 1744 1745 1746 1747 1748 1749 1750 1751 1752 1753 1754 1755 1756 1757 1758 1759 1760 1761 1762 1763 1764 1765 1766 1767 1768 1769 1770 1771 1772 1773 1774 1775 1776 1777 1778 1779 1780 1781 1782 1783 1784 1785 1786 1787 1788 1789 1790 1791 1792 1793 1794 1795 1796 1797 1798
		audit_set_auditable(context);
		audit_put_chunk(chunk);
		unroll_tree_refs(context, p, count);
		return;
	}
	put_tree_ref(context, chunk);
#endif
}

static void handle_path(const struct dentry *dentry)
{
#ifdef CONFIG_AUDIT_TREE
	struct audit_context *context;
	struct audit_tree_refs *p;
	const struct dentry *d, *parent;
	struct audit_chunk *drop;
	unsigned long seq;
	int count;

	context = current->audit_context;
	p = context->trees;
	count = context->tree_count;
retry:
	drop = NULL;
	d = dentry;
	rcu_read_lock();
	seq = read_seqbegin(&rename_lock);
	for(;;) {
		struct inode *inode = d->d_inode;
		if (inode && unlikely(!list_empty(&inode->inotify_watches))) {
			struct audit_chunk *chunk;
			chunk = audit_tree_lookup(inode);
			if (chunk) {
				if (unlikely(!put_tree_ref(context, chunk))) {
					drop = chunk;
					break;
				}
			}
		}
		parent = d->d_parent;
		if (parent == d)
			break;
		d = parent;
	}
	if (unlikely(read_seqretry(&rename_lock, seq) || drop)) {  /* in this order */
		rcu_read_unlock();
		if (!drop) {
			/* just a race with rename */
			unroll_tree_refs(context, p, count);
			goto retry;
		}
		audit_put_chunk(drop);
		if (grow_tree_refs(context)) {
			/* OK, got more space */
			unroll_tree_refs(context, p, count);
			goto retry;
		}
		/* too bad */
		printk(KERN_WARNING
E
Eric Paris 已提交
1799
			"out of memory, audit has lost a tree reference\n");
A
Al Viro 已提交
1800 1801 1802 1803 1804 1805 1806 1807
		unroll_tree_refs(context, p, count);
		audit_set_auditable(context);
		return;
	}
	rcu_read_unlock();
#endif
}

1808 1809 1810 1811 1812 1813 1814
/**
 * audit_getname - add a name to the list
 * @name: name to add
 *
 * Add a name to the list of audit names for this context.
 * Called from fs/namei.c:getname().
 */
A
Al Viro 已提交
1815
void __audit_getname(const char *name)
L
Linus Torvalds 已提交
1816 1817 1818
{
	struct audit_context *context = current->audit_context;

A
Al Viro 已提交
1819
	if (IS_ERR(name) || !name)
L
Linus Torvalds 已提交
1820 1821 1822 1823 1824 1825 1826 1827 1828 1829 1830 1831
		return;

	if (!context->in_syscall) {
#if AUDIT_DEBUG == 2
		printk(KERN_ERR "%s:%d(:%d): ignoring getname(%p)\n",
		       __FILE__, __LINE__, context->serial, name);
		dump_stack();
#endif
		return;
	}
	BUG_ON(context->name_count >= AUDIT_NAMES);
	context->names[context->name_count].name = name;
1832 1833
	context->names[context->name_count].name_len = AUDIT_NAME_FULL;
	context->names[context->name_count].name_put = 1;
L
Linus Torvalds 已提交
1834
	context->names[context->name_count].ino  = (unsigned long)-1;
A
Amy Griffis 已提交
1835
	context->names[context->name_count].osid = 0;
L
Linus Torvalds 已提交
1836
	++context->name_count;
1837
	if (!context->pwd.dentry) {
1838
		read_lock(&current->fs->lock);
1839 1840
		context->pwd = current->fs->pwd;
		path_get(&current->fs->pwd);
1841 1842
		read_unlock(&current->fs->lock);
	}
D
Daniel Walker 已提交
1843

L
Linus Torvalds 已提交
1844 1845
}

1846 1847 1848 1849 1850 1851 1852
/* audit_putname - intercept a putname request
 * @name: name to intercept and delay for putname
 *
 * If we have stored the name from getname in the audit context,
 * then we delay the putname until syscall exit.
 * Called from include/linux/fs.h:putname().
 */
L
Linus Torvalds 已提交
1853 1854 1855 1856 1857 1858 1859 1860 1861 1862 1863 1864 1865 1866
void audit_putname(const char *name)
{
	struct audit_context *context = current->audit_context;

	BUG_ON(!context);
	if (!context->in_syscall) {
#if AUDIT_DEBUG == 2
		printk(KERN_ERR "%s:%d(:%d): __putname(%p)\n",
		       __FILE__, __LINE__, context->serial, name);
		if (context->name_count) {
			int i;
			for (i = 0; i < context->name_count; i++)
				printk(KERN_ERR "name[%d] = %p = %s\n", i,
				       context->names[i].name,
1867
				       context->names[i].name ?: "(null)");
L
Linus Torvalds 已提交
1868 1869 1870 1871 1872 1873 1874 1875 1876 1877 1878 1879 1880 1881 1882 1883 1884 1885 1886 1887 1888
		}
#endif
		__putname(name);
	}
#if AUDIT_DEBUG
	else {
		++context->put_count;
		if (context->put_count > context->name_count) {
			printk(KERN_ERR "%s:%d(:%d): major=%d"
			       " in_syscall=%d putname(%p) name_count=%d"
			       " put_count=%d\n",
			       __FILE__, __LINE__,
			       context->serial, context->major,
			       context->in_syscall, name, context->name_count,
			       context->put_count);
			dump_stack();
		}
	}
#endif
}

A
Amy Griffis 已提交
1889 1890 1891 1892 1893 1894
static int audit_inc_name_count(struct audit_context *context,
				const struct inode *inode)
{
	if (context->name_count >= AUDIT_NAMES) {
		if (inode)
			printk(KERN_DEBUG "name_count maxed, losing inode data: "
E
Eric Paris 已提交
1895
			       "dev=%02x:%02x, inode=%lu\n",
A
Amy Griffis 已提交
1896 1897 1898 1899 1900
			       MAJOR(inode->i_sb->s_dev),
			       MINOR(inode->i_sb->s_dev),
			       inode->i_ino);

		else
E
Eric Paris 已提交
1901
			printk(KERN_DEBUG "name_count maxed, losing inode data\n");
A
Amy Griffis 已提交
1902 1903 1904 1905 1906 1907 1908 1909 1910
		return 1;
	}
	context->name_count++;
#if AUDIT_DEBUG
	context->ino_count++;
#endif
	return 0;
}

1911 1912 1913 1914 1915 1916 1917 1918 1919 1920 1921 1922 1923 1924 1925 1926 1927 1928 1929 1930 1931 1932 1933 1934 1935 1936 1937

static inline int audit_copy_fcaps(struct audit_names *name, const struct dentry *dentry)
{
	struct cpu_vfs_cap_data caps;
	int rc;

	memset(&name->fcap.permitted, 0, sizeof(kernel_cap_t));
	memset(&name->fcap.inheritable, 0, sizeof(kernel_cap_t));
	name->fcap.fE = 0;
	name->fcap_ver = 0;

	if (!dentry)
		return 0;

	rc = get_vfs_caps_from_disk(dentry, &caps);
	if (rc)
		return rc;

	name->fcap.permitted = caps.permitted;
	name->fcap.inheritable = caps.inheritable;
	name->fcap.fE = !!(caps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE);
	name->fcap_ver = (caps.magic_etc & VFS_CAP_REVISION_MASK) >> VFS_CAP_REVISION_SHIFT;

	return 0;
}


1938
/* Copy inode data into an audit_names. */
1939 1940
static void audit_copy_inode(struct audit_names *name, const struct dentry *dentry,
			     const struct inode *inode)
1941
{
1942 1943 1944 1945 1946 1947
	name->ino   = inode->i_ino;
	name->dev   = inode->i_sb->s_dev;
	name->mode  = inode->i_mode;
	name->uid   = inode->i_uid;
	name->gid   = inode->i_gid;
	name->rdev  = inode->i_rdev;
1948
	security_inode_getsecid(inode, &name->osid);
1949
	audit_copy_fcaps(name, dentry);
1950 1951
}

1952 1953 1954
/**
 * audit_inode - store the inode and device from a lookup
 * @name: name being audited
1955
 * @dentry: dentry being audited
1956 1957 1958
 *
 * Called from fs/namei.c:path_lookup().
 */
1959
void __audit_inode(const char *name, const struct dentry *dentry)
L
Linus Torvalds 已提交
1960 1961 1962
{
	int idx;
	struct audit_context *context = current->audit_context;
A
Al Viro 已提交
1963
	const struct inode *inode = dentry->d_inode;
L
Linus Torvalds 已提交
1964 1965 1966 1967 1968 1969 1970 1971 1972 1973 1974 1975 1976 1977

	if (!context->in_syscall)
		return;
	if (context->name_count
	    && context->names[context->name_count-1].name
	    && context->names[context->name_count-1].name == name)
		idx = context->name_count - 1;
	else if (context->name_count > 1
		 && context->names[context->name_count-2].name
		 && context->names[context->name_count-2].name == name)
		idx = context->name_count - 2;
	else {
		/* FIXME: how much do we care about inodes that have no
		 * associated name? */
A
Amy Griffis 已提交
1978
		if (audit_inc_name_count(context, inode))
L
Linus Torvalds 已提交
1979
			return;
A
Amy Griffis 已提交
1980
		idx = context->name_count - 1;
L
Linus Torvalds 已提交
1981 1982
		context->names[idx].name = NULL;
	}
A
Al Viro 已提交
1983
	handle_path(dentry);
1984
	audit_copy_inode(&context->names[idx], dentry, inode);
1985 1986 1987 1988 1989
}

/**
 * audit_inode_child - collect inode info for created/removed objects
 * @dname: inode's dentry name
1990
 * @dentry: dentry being audited
1991
 * @parent: inode of dentry parent
1992 1993 1994 1995 1996 1997 1998 1999 2000
 *
 * For syscalls that create or remove filesystem objects, audit_inode
 * can only collect information for the filesystem object's parent.
 * This call updates the audit context with the child's information.
 * Syscalls that create a new filesystem object must be hooked after
 * the object is created.  Syscalls that remove a filesystem object
 * must be hooked prior, in order to capture the target inode during
 * unsuccessful attempts.
 */
2001
void __audit_inode_child(const char *dname, const struct dentry *dentry,
2002
			 const struct inode *parent)
2003 2004 2005
{
	int idx;
	struct audit_context *context = current->audit_context;
A
Amy Griffis 已提交
2006
	const char *found_parent = NULL, *found_child = NULL;
2007
	const struct inode *inode = dentry->d_inode;
2008
	int dirlen = 0;
2009 2010 2011 2012

	if (!context->in_syscall)
		return;

A
Al Viro 已提交
2013 2014
	if (inode)
		handle_one(inode);
2015
	/* determine matching parent */
A
Amy Griffis 已提交
2016
	if (!dname)
A
Amy Griffis 已提交
2017
		goto add_names;
2018

A
Amy Griffis 已提交
2019 2020 2021
	/* parent is more likely, look for it first */
	for (idx = 0; idx < context->name_count; idx++) {
		struct audit_names *n = &context->names[idx];
A
Amy Griffis 已提交
2022

A
Amy Griffis 已提交
2023 2024 2025 2026 2027 2028 2029 2030
		if (!n->name)
			continue;

		if (n->ino == parent->i_ino &&
		    !audit_compare_dname_path(dname, n->name, &dirlen)) {
			n->name_len = dirlen; /* update parent data in place */
			found_parent = n->name;
			goto add_names;
A
Amy Griffis 已提交
2031
		}
A
Amy Griffis 已提交
2032
	}
2033

A
Amy Griffis 已提交
2034 2035 2036 2037 2038 2039 2040 2041 2042 2043 2044
	/* no matching parent, look for matching child */
	for (idx = 0; idx < context->name_count; idx++) {
		struct audit_names *n = &context->names[idx];

		if (!n->name)
			continue;

		/* strcmp() is the more likely scenario */
		if (!strcmp(dname, n->name) ||
		     !audit_compare_dname_path(dname, n->name, &dirlen)) {
			if (inode)
2045
				audit_copy_inode(n, NULL, inode);
A
Amy Griffis 已提交
2046 2047 2048 2049 2050
			else
				n->ino = (unsigned long)-1;
			found_child = n->name;
			goto add_names;
		}
S
Steve Grubb 已提交
2051
	}
A
Amy Griffis 已提交
2052 2053 2054 2055

add_names:
	if (!found_parent) {
		if (audit_inc_name_count(context, parent))
S
Steve Grubb 已提交
2056
			return;
A
Amy Griffis 已提交
2057 2058
		idx = context->name_count - 1;
		context->names[idx].name = NULL;
2059
		audit_copy_inode(&context->names[idx], NULL, parent);
2060
	}
A
Amy Griffis 已提交
2061 2062 2063 2064 2065 2066 2067 2068 2069 2070 2071 2072 2073 2074 2075 2076 2077 2078 2079

	if (!found_child) {
		if (audit_inc_name_count(context, inode))
			return;
		idx = context->name_count - 1;

		/* Re-use the name belonging to the slot for a matching parent
		 * directory. All names for this context are relinquished in
		 * audit_free_names() */
		if (found_parent) {
			context->names[idx].name = found_parent;
			context->names[idx].name_len = AUDIT_NAME_FULL;
			/* don't call __putname() */
			context->names[idx].name_put = 0;
		} else {
			context->names[idx].name = NULL;
		}

		if (inode)
2080
			audit_copy_inode(&context->names[idx], NULL, inode);
A
Amy Griffis 已提交
2081 2082 2083
		else
			context->names[idx].ino = (unsigned long)-1;
	}
2084
}
2085
EXPORT_SYMBOL_GPL(__audit_inode_child);
2086

2087 2088 2089 2090 2091 2092 2093 2094
/**
 * auditsc_get_stamp - get local copies of audit_context values
 * @ctx: audit_context for the task
 * @t: timespec to store time recorded in the audit_context
 * @serial: serial value that is recorded in the audit_context
 *
 * Also sets the context as auditable.
 */
2095
int auditsc_get_stamp(struct audit_context *ctx,
2096
		       struct timespec *t, unsigned int *serial)
L
Linus Torvalds 已提交
2097
{
2098 2099
	if (!ctx->in_syscall)
		return 0;
2100 2101
	if (!ctx->serial)
		ctx->serial = audit_serial();
2102 2103 2104
	t->tv_sec  = ctx->ctime.tv_sec;
	t->tv_nsec = ctx->ctime.tv_nsec;
	*serial    = ctx->serial;
2105 2106 2107 2108
	if (!ctx->prio) {
		ctx->prio = 1;
		ctx->current_state = AUDIT_RECORD_CONTEXT;
	}
2109
	return 1;
L
Linus Torvalds 已提交
2110 2111
}

2112 2113 2114
/* global counter which is incremented every time something logs in */
static atomic_t session_id = ATOMIC_INIT(0);

2115 2116 2117 2118 2119 2120 2121 2122 2123
/**
 * audit_set_loginuid - set a task's audit_context loginuid
 * @task: task whose audit context is being modified
 * @loginuid: loginuid value
 *
 * Returns 0.
 *
 * Called (set) from fs/proc/base.c::proc_loginuid_write().
 */
S
Steve Grubb 已提交
2124
int audit_set_loginuid(struct task_struct *task, uid_t loginuid)
L
Linus Torvalds 已提交
2125
{
2126
	unsigned int sessionid = atomic_inc_return(&session_id);
2127 2128
	struct audit_context *context = task->audit_context;

A
Al Viro 已提交
2129 2130 2131 2132 2133 2134
	if (context && context->in_syscall) {
		struct audit_buffer *ab;

		ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN);
		if (ab) {
			audit_log_format(ab, "login pid=%d uid=%u "
2135 2136
				"old auid=%u new auid=%u"
				" old ses=%u new ses=%u",
2137
				task->pid, task_uid(task),
2138 2139
				task->loginuid, loginuid,
				task->sessionid, sessionid);
A
Al Viro 已提交
2140
			audit_log_end(ab);
2141
		}
L
Linus Torvalds 已提交
2142
	}
2143
	task->sessionid = sessionid;
A
Al Viro 已提交
2144
	task->loginuid = loginuid;
L
Linus Torvalds 已提交
2145 2146 2147
	return 0;
}

2148 2149 2150 2151
/**
 * __audit_mq_open - record audit data for a POSIX MQ open
 * @oflag: open flag
 * @mode: mode bits
R
Randy Dunlap 已提交
2152
 * @attr: queue attributes
2153 2154
 *
 */
A
Al Viro 已提交
2155
void __audit_mq_open(int oflag, mode_t mode, struct mq_attr *attr)
2156 2157 2158
{
	struct audit_context *context = current->audit_context;

A
Al Viro 已提交
2159 2160 2161 2162
	if (attr)
		memcpy(&context->mq_open.attr, attr, sizeof(struct mq_attr));
	else
		memset(&context->mq_open.attr, 0, sizeof(struct mq_attr));
2163

A
Al Viro 已提交
2164 2165
	context->mq_open.oflag = oflag;
	context->mq_open.mode = mode;
2166

A
Al Viro 已提交
2167
	context->type = AUDIT_MQ_OPEN;
2168 2169 2170
}

/**
A
Al Viro 已提交
2171
 * __audit_mq_sendrecv - record audit data for a POSIX MQ timed send/receive
2172 2173 2174
 * @mqdes: MQ descriptor
 * @msg_len: Message length
 * @msg_prio: Message priority
A
Al Viro 已提交
2175
 * @abs_timeout: Message timeout in absolute time
2176 2177
 *
 */
A
Al Viro 已提交
2178 2179
void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio,
			const struct timespec *abs_timeout)
2180 2181
{
	struct audit_context *context = current->audit_context;
A
Al Viro 已提交
2182
	struct timespec *p = &context->mq_sendrecv.abs_timeout;
2183

A
Al Viro 已提交
2184 2185 2186 2187
	if (abs_timeout)
		memcpy(p, abs_timeout, sizeof(struct timespec));
	else
		memset(p, 0, sizeof(struct timespec));
2188

A
Al Viro 已提交
2189 2190 2191
	context->mq_sendrecv.mqdes = mqdes;
	context->mq_sendrecv.msg_len = msg_len;
	context->mq_sendrecv.msg_prio = msg_prio;
2192

A
Al Viro 已提交
2193
	context->type = AUDIT_MQ_SENDRECV;
2194 2195 2196 2197 2198
}

/**
 * __audit_mq_notify - record audit data for a POSIX MQ notify
 * @mqdes: MQ descriptor
R
Randy Dunlap 已提交
2199
 * @notification: Notification event
2200 2201 2202
 *
 */

A
Al Viro 已提交
2203
void __audit_mq_notify(mqd_t mqdes, const struct sigevent *notification)
2204 2205 2206
{
	struct audit_context *context = current->audit_context;

A
Al Viro 已提交
2207 2208 2209 2210
	if (notification)
		context->mq_notify.sigev_signo = notification->sigev_signo;
	else
		context->mq_notify.sigev_signo = 0;
2211

A
Al Viro 已提交
2212 2213
	context->mq_notify.mqdes = mqdes;
	context->type = AUDIT_MQ_NOTIFY;
2214 2215 2216 2217 2218 2219 2220 2221
}

/**
 * __audit_mq_getsetattr - record audit data for a POSIX MQ get/set attribute
 * @mqdes: MQ descriptor
 * @mqstat: MQ flags
 *
 */
A
Al Viro 已提交
2222
void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat)
2223 2224
{
	struct audit_context *context = current->audit_context;
A
Al Viro 已提交
2225 2226 2227
	context->mq_getsetattr.mqdes = mqdes;
	context->mq_getsetattr.mqstat = *mqstat;
	context->type = AUDIT_MQ_GETSETATTR;
2228 2229
}

2230
/**
S
Steve Grubb 已提交
2231 2232 2233 2234
 * audit_ipc_obj - record audit data for ipc object
 * @ipcp: ipc permissions
 *
 */
A
Al Viro 已提交
2235
void __audit_ipc_obj(struct kern_ipc_perm *ipcp)
S
Steve Grubb 已提交
2236 2237
{
	struct audit_context *context = current->audit_context;
A
Al Viro 已提交
2238 2239 2240
	context->ipc.uid = ipcp->uid;
	context->ipc.gid = ipcp->gid;
	context->ipc.mode = ipcp->mode;
A
Al Viro 已提交
2241
	context->ipc.has_perm = 0;
A
Al Viro 已提交
2242 2243
	security_ipc_getsecid(ipcp, &context->ipc.osid);
	context->type = AUDIT_IPC;
S
Steve Grubb 已提交
2244 2245 2246 2247
}

/**
 * audit_ipc_set_perm - record audit data for new ipc permissions
2248 2249 2250 2251 2252
 * @qbytes: msgq bytes
 * @uid: msgq user id
 * @gid: msgq group id
 * @mode: msgq mode (permissions)
 *
A
Al Viro 已提交
2253
 * Called only after audit_ipc_obj().
2254
 */
A
Al Viro 已提交
2255
void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode)
L
Linus Torvalds 已提交
2256 2257 2258
{
	struct audit_context *context = current->audit_context;

A
Al Viro 已提交
2259 2260 2261 2262 2263
	context->ipc.qbytes = qbytes;
	context->ipc.perm_uid = uid;
	context->ipc.perm_gid = gid;
	context->ipc.perm_mode = mode;
	context->ipc.has_perm = 1;
L
Linus Torvalds 已提交
2264
}
2265

A
Al Viro 已提交
2266 2267 2268 2269 2270
int audit_bprm(struct linux_binprm *bprm)
{
	struct audit_aux_data_execve *ax;
	struct audit_context *context = current->audit_context;

2271
	if (likely(!audit_enabled || !context || context->dummy))
A
Al Viro 已提交
2272 2273
		return 0;

P
Peter Zijlstra 已提交
2274
	ax = kmalloc(sizeof(*ax), GFP_KERNEL);
A
Al Viro 已提交
2275 2276 2277 2278 2279
	if (!ax)
		return -ENOMEM;

	ax->argc = bprm->argc;
	ax->envc = bprm->envc;
P
Peter Zijlstra 已提交
2280
	ax->mm = bprm->mm;
A
Al Viro 已提交
2281 2282 2283 2284 2285 2286 2287
	ax->d.type = AUDIT_EXECVE;
	ax->d.next = context->aux;
	context->aux = (void *)ax;
	return 0;
}


2288 2289 2290 2291 2292 2293
/**
 * audit_socketcall - record audit data for sys_socketcall
 * @nargs: number of args
 * @args: args array
 *
 */
A
Al Viro 已提交
2294
void audit_socketcall(int nargs, unsigned long *args)
2295 2296 2297
{
	struct audit_context *context = current->audit_context;

2298
	if (likely(!context || context->dummy))
A
Al Viro 已提交
2299
		return;
2300

A
Al Viro 已提交
2301 2302 2303
	context->type = AUDIT_SOCKETCALL;
	context->socketcall.nargs = nargs;
	memcpy(context->socketcall.args, args, nargs * sizeof(unsigned long));
2304 2305
}

A
Al Viro 已提交
2306 2307 2308 2309 2310 2311
/**
 * __audit_fd_pair - record audit data for pipe and socketpair
 * @fd1: the first file descriptor
 * @fd2: the second file descriptor
 *
 */
A
Al Viro 已提交
2312
void __audit_fd_pair(int fd1, int fd2)
A
Al Viro 已提交
2313 2314
{
	struct audit_context *context = current->audit_context;
A
Al Viro 已提交
2315 2316
	context->fds[0] = fd1;
	context->fds[1] = fd2;
A
Al Viro 已提交
2317 2318
}

2319 2320 2321 2322 2323 2324 2325
/**
 * audit_sockaddr - record audit data for sys_bind, sys_connect, sys_sendto
 * @len: data length in user space
 * @a: data address in kernel space
 *
 * Returns 0 for success or NULL context or < 0 on error.
 */
2326 2327 2328 2329
int audit_sockaddr(int len, void *a)
{
	struct audit_context *context = current->audit_context;

2330
	if (likely(!context || context->dummy))
2331 2332
		return 0;

2333 2334 2335 2336 2337 2338
	if (!context->sockaddr) {
		void *p = kmalloc(sizeof(struct sockaddr_storage), GFP_KERNEL);
		if (!p)
			return -ENOMEM;
		context->sockaddr = p;
	}
2339

2340 2341
	context->sockaddr_len = len;
	memcpy(context->sockaddr, a, len);
2342 2343 2344
	return 0;
}

A
Al Viro 已提交
2345 2346 2347 2348 2349
void __audit_ptrace(struct task_struct *t)
{
	struct audit_context *context = current->audit_context;

	context->target_pid = t->pid;
2350
	context->target_auid = audit_get_loginuid(t);
2351
	context->target_uid = task_uid(t);
2352
	context->target_sessionid = audit_get_sessionid(t);
2353
	security_task_getsecid(t, &context->target_sid);
2354
	memcpy(context->target_comm, t->comm, TASK_COMM_LEN);
A
Al Viro 已提交
2355 2356
}

2357 2358 2359 2360 2361 2362 2363 2364
/**
 * audit_signal_info - record signal info for shutting down audit subsystem
 * @sig: signal value
 * @t: task being signaled
 *
 * If the audit subsystem is being terminated, record the task (pid)
 * and uid that is doing that.
 */
A
Amy Griffis 已提交
2365
int __audit_signal_info(int sig, struct task_struct *t)
2366
{
A
Amy Griffis 已提交
2367 2368 2369
	struct audit_aux_data_pids *axp;
	struct task_struct *tsk = current;
	struct audit_context *ctx = tsk->audit_context;
2370
	uid_t uid = current_uid(), t_uid = task_uid(t);
2371

A
Al Viro 已提交
2372
	if (audit_pid && t->tgid == audit_pid) {
2373
		if (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1 || sig == SIGUSR2) {
A
Al Viro 已提交
2374
			audit_sig_pid = tsk->pid;
A
Al Viro 已提交
2375 2376
			if (tsk->loginuid != -1)
				audit_sig_uid = tsk->loginuid;
A
Al Viro 已提交
2377
			else
2378
				audit_sig_uid = uid;
2379
			security_task_getsecid(tsk, &audit_sig_sid);
A
Al Viro 已提交
2380 2381 2382
		}
		if (!audit_signals || audit_dummy_context())
			return 0;
2383
	}
A
Amy Griffis 已提交
2384 2385 2386 2387 2388

	/* optimize the common case by putting first signal recipient directly
	 * in audit_context */
	if (!ctx->target_pid) {
		ctx->target_pid = t->tgid;
2389
		ctx->target_auid = audit_get_loginuid(t);
2390
		ctx->target_uid = t_uid;
2391
		ctx->target_sessionid = audit_get_sessionid(t);
2392
		security_task_getsecid(t, &ctx->target_sid);
2393
		memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN);
A
Amy Griffis 已提交
2394 2395 2396 2397 2398 2399 2400 2401 2402 2403 2404 2405 2406
		return 0;
	}

	axp = (void *)ctx->aux_pids;
	if (!axp || axp->pid_count == AUDIT_AUX_PIDS) {
		axp = kzalloc(sizeof(*axp), GFP_ATOMIC);
		if (!axp)
			return -ENOMEM;

		axp->d.type = AUDIT_OBJ_PID;
		axp->d.next = ctx->aux_pids;
		ctx->aux_pids = (void *)axp;
	}
2407
	BUG_ON(axp->pid_count >= AUDIT_AUX_PIDS);
A
Amy Griffis 已提交
2408 2409

	axp->target_pid[axp->pid_count] = t->tgid;
2410
	axp->target_auid[axp->pid_count] = audit_get_loginuid(t);
2411
	axp->target_uid[axp->pid_count] = t_uid;
2412
	axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t);
2413
	security_task_getsecid(t, &axp->target_sid[axp->pid_count]);
2414
	memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN);
A
Amy Griffis 已提交
2415 2416 2417
	axp->pid_count++;

	return 0;
2418
}
S
Steve Grubb 已提交
2419

2420 2421
/**
 * __audit_log_bprm_fcaps - store information about a loading bprm and relevant fcaps
D
David Howells 已提交
2422 2423 2424
 * @bprm: pointer to the bprm being processed
 * @new: the proposed new credentials
 * @old: the old credentials
2425 2426 2427 2428 2429 2430
 *
 * Simply check if the proc already has the caps given by the file and if not
 * store the priv escalation info for later auditing at the end of the syscall
 *
 * -Eric
 */
D
David Howells 已提交
2431 2432
int __audit_log_bprm_fcaps(struct linux_binprm *bprm,
			   const struct cred *new, const struct cred *old)
2433 2434 2435 2436 2437 2438 2439 2440
{
	struct audit_aux_data_bprm_fcaps *ax;
	struct audit_context *context = current->audit_context;
	struct cpu_vfs_cap_data vcaps;
	struct dentry *dentry;

	ax = kmalloc(sizeof(*ax), GFP_KERNEL);
	if (!ax)
D
David Howells 已提交
2441
		return -ENOMEM;
2442 2443 2444 2445 2446 2447 2448 2449 2450 2451 2452 2453 2454 2455

	ax->d.type = AUDIT_BPRM_FCAPS;
	ax->d.next = context->aux;
	context->aux = (void *)ax;

	dentry = dget(bprm->file->f_dentry);
	get_vfs_caps_from_disk(dentry, &vcaps);
	dput(dentry);

	ax->fcap.permitted = vcaps.permitted;
	ax->fcap.inheritable = vcaps.inheritable;
	ax->fcap.fE = !!(vcaps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE);
	ax->fcap_ver = (vcaps.magic_etc & VFS_CAP_REVISION_MASK) >> VFS_CAP_REVISION_SHIFT;

D
David Howells 已提交
2456 2457 2458
	ax->old_pcap.permitted   = old->cap_permitted;
	ax->old_pcap.inheritable = old->cap_inheritable;
	ax->old_pcap.effective   = old->cap_effective;
2459

D
David Howells 已提交
2460 2461 2462 2463
	ax->new_pcap.permitted   = new->cap_permitted;
	ax->new_pcap.inheritable = new->cap_inheritable;
	ax->new_pcap.effective   = new->cap_effective;
	return 0;
2464 2465
}

2466 2467
/**
 * __audit_log_capset - store information about the arguments to the capset syscall
D
David Howells 已提交
2468 2469 2470
 * @pid: target pid of the capset call
 * @new: the new credentials
 * @old: the old (current) credentials
2471 2472 2473 2474
 *
 * Record the aguments userspace sent to sys_capset for later printing by the
 * audit system if applicable
 */
A
Al Viro 已提交
2475
void __audit_log_capset(pid_t pid,
D
David Howells 已提交
2476
		       const struct cred *new, const struct cred *old)
2477 2478
{
	struct audit_context *context = current->audit_context;
A
Al Viro 已提交
2479 2480 2481 2482 2483
	context->capset.pid = pid;
	context->capset.cap.effective   = new->cap_effective;
	context->capset.cap.inheritable = new->cap_effective;
	context->capset.cap.permitted   = new->cap_permitted;
	context->type = AUDIT_CAPSET;
2484 2485
}

S
Steve Grubb 已提交
2486 2487
/**
 * audit_core_dumps - record information about processes that end abnormally
2488
 * @signr: signal value
S
Steve Grubb 已提交
2489 2490 2491 2492 2493 2494 2495 2496
 *
 * If a process ends with a core dump, something fishy is going on and we
 * should record the event for investigation.
 */
void audit_core_dumps(long signr)
{
	struct audit_buffer *ab;
	u32 sid;
2497 2498
	uid_t auid = audit_get_loginuid(current), uid;
	gid_t gid;
2499
	unsigned int sessionid = audit_get_sessionid(current);
S
Steve Grubb 已提交
2500 2501 2502 2503 2504 2505 2506 2507

	if (!audit_enabled)
		return;

	if (signr == SIGQUIT)	/* don't care for those */
		return;

	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
2508
	current_uid_gid(&uid, &gid);
2509
	audit_log_format(ab, "auid=%u uid=%u gid=%u ses=%u",
2510
			 auid, uid, gid, sessionid);
2511
	security_task_getsecid(current, &sid);
S
Steve Grubb 已提交
2512 2513 2514 2515
	if (sid) {
		char *ctx = NULL;
		u32 len;

2516
		if (security_secid_to_secctx(sid, &ctx, &len))
S
Steve Grubb 已提交
2517
			audit_log_format(ab, " ssid=%u", sid);
2518
		else {
S
Steve Grubb 已提交
2519
			audit_log_format(ab, " subj=%s", ctx);
2520 2521
			security_release_secctx(ctx, len);
		}
S
Steve Grubb 已提交
2522 2523 2524 2525 2526 2527
	}
	audit_log_format(ab, " pid=%d comm=", current->pid);
	audit_log_untrustedstring(ab, current->comm);
	audit_log_format(ab, " sig=%ld", signr);
	audit_log_end(ab);
}