• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /* auditsc.c -- System-call auditing support
2  * Handles all system-call specific auditing features.
3  *
4  * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina.
5  * Copyright 2005 Hewlett-Packard Development Company, L.P.
6  * Copyright (C) 2005, 2006 IBM Corporation
7  * All Rights Reserved.
8  *
9  * This program is free software; you can redistribute it and/or modify
10  * it under the terms of the GNU General Public License as published by
11  * the Free Software Foundation; either version 2 of the License, or
12  * (at your option) any later version.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License
20  * along with this program; if not, write to the Free Software
21  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
22  *
23  * Written by Rickard E. (Rik) Faith <faith@redhat.com>
24  *
25  * Many of the ideas implemented here are from Stephen C. Tweedie,
26  * especially the idea of avoiding a copy by using getname.
27  *
28  * The method for actual interception of syscall entry and exit (not in
29  * this file -- see entry.S) is based on a GPL'd patch written by
30  * okir@suse.de and Copyright 2003 SuSE Linux AG.
31  *
32  * POSIX message queue support added by George Wilson <ltcgcw@us.ibm.com>,
33  * 2006.
34  *
35  * The support of additional filter rules compares (>, <, >=, <=) was
36  * added by Dustin Kirkland <dustin.kirkland@us.ibm.com>, 2005.
37  *
38  * Modified by Amy Griffis <amy.griffis@hp.com> to collect additional
39  * filesystem information.
40  *
41  * Subject and object context labeling support added by <danjones@us.ibm.com>
42  * and <dustin.kirkland@us.ibm.com> for LSPP certification compliance.
43  */
44 
45 #include <linux/init.h>
46 #include <asm/types.h>
47 #include <asm/atomic.h>
48 #include <linux/fs.h>
49 #include <linux/namei.h>
50 #include <linux/mm.h>
51 #include <linux/module.h>
52 #include <linux/mount.h>
53 #include <linux/socket.h>
54 #include <linux/mqueue.h>
55 #include <linux/audit.h>
56 #include <linux/personality.h>
57 #include <linux/time.h>
58 #include <linux/netlink.h>
59 #include <linux/compiler.h>
60 #include <asm/unistd.h>
61 #include <linux/security.h>
62 #include <linux/list.h>
63 #include <linux/tty.h>
64 #include <linux/binfmts.h>
65 #include <linux/highmem.h>
66 #include <linux/syscalls.h>
67 #include <linux/inotify.h>
68 #include <linux/capability.h>
69 
70 #include "audit.h"
71 
72 /* AUDIT_NAMES is the number of slots we reserve in the audit_context
73  * for saving names from getname(). */
74 #define AUDIT_NAMES    20
75 
76 /* Indicates that audit should log the full pathname. */
77 #define AUDIT_NAME_FULL -1
78 
79 /* no execve audit message should be longer than this (userspace limits) */
80 #define MAX_EXECVE_AUDIT_LEN 7500
81 
82 /* number of audit rules */
83 int audit_n_rules;
84 
85 /* determines whether we collect data for signals sent */
86 int audit_signals;
87 
88 struct audit_cap_data {
89 	kernel_cap_t		permitted;
90 	kernel_cap_t		inheritable;
91 	union {
92 		unsigned int	fE;		/* effective bit of a file capability */
93 		kernel_cap_t	effective;	/* effective set of a process */
94 	};
95 };
96 
97 /* When fs/namei.c:getname() is called, we store the pointer in name and
98  * we don't let putname() free it (instead we free all of the saved
99  * pointers at syscall exit time).
100  *
101  * Further, in fs/namei.c:path_lookup() we store the inode and device. */
102 struct audit_names {
103 	const char	*name;
104 	int		name_len;	/* number of name's characters to log */
105 	unsigned	name_put;	/* call __putname() for this name */
106 	unsigned long	ino;
107 	dev_t		dev;
108 	umode_t		mode;
109 	uid_t		uid;
110 	gid_t		gid;
111 	dev_t		rdev;
112 	u32		osid;
113 	struct audit_cap_data fcap;
114 	unsigned int	fcap_ver;
115 };
116 
117 struct audit_aux_data {
118 	struct audit_aux_data	*next;
119 	int			type;
120 };
121 
122 #define AUDIT_AUX_IPCPERM	0
123 
124 /* Number of target pids per aux struct. */
125 #define AUDIT_AUX_PIDS	16
126 
127 struct audit_aux_data_execve {
128 	struct audit_aux_data	d;
129 	int argc;
130 	int envc;
131 	struct mm_struct *mm;
132 };
133 
134 struct audit_aux_data_pids {
135 	struct audit_aux_data	d;
136 	pid_t			target_pid[AUDIT_AUX_PIDS];
137 	uid_t			target_auid[AUDIT_AUX_PIDS];
138 	uid_t			target_uid[AUDIT_AUX_PIDS];
139 	unsigned int		target_sessionid[AUDIT_AUX_PIDS];
140 	u32			target_sid[AUDIT_AUX_PIDS];
141 	char 			target_comm[AUDIT_AUX_PIDS][TASK_COMM_LEN];
142 	int			pid_count;
143 };
144 
145 struct audit_aux_data_bprm_fcaps {
146 	struct audit_aux_data	d;
147 	struct audit_cap_data	fcap;
148 	unsigned int		fcap_ver;
149 	struct audit_cap_data	old_pcap;
150 	struct audit_cap_data	new_pcap;
151 };
152 
153 struct audit_aux_data_capset {
154 	struct audit_aux_data	d;
155 	pid_t			pid;
156 	struct audit_cap_data	cap;
157 };
158 
159 struct audit_tree_refs {
160 	struct audit_tree_refs *next;
161 	struct audit_chunk *c[31];
162 };
163 
164 /* The per-task audit context. */
165 struct audit_context {
166 	int		    dummy;	/* must be the first element */
167 	int		    in_syscall;	/* 1 if task is in a syscall */
168 	enum audit_state    state, current_state;
169 	unsigned int	    serial;     /* serial number for record */
170 	struct timespec	    ctime;      /* time of syscall entry */
171 	int		    major;      /* syscall number */
172 	unsigned long	    argv[4];    /* syscall arguments */
173 	int		    return_valid; /* return code is valid */
174 	long		    return_code;/* syscall return code */
175 	u64		    prio;
176 	int		    name_count;
177 	struct audit_names  names[AUDIT_NAMES];
178 	char *		    filterkey;	/* key for rule that triggered record */
179 	struct path	    pwd;
180 	struct audit_context *previous; /* For nested syscalls */
181 	struct audit_aux_data *aux;
182 	struct audit_aux_data *aux_pids;
183 	struct sockaddr_storage *sockaddr;
184 	size_t sockaddr_len;
185 				/* Save things to print about task_struct */
186 	pid_t		    pid, ppid;
187 	uid_t		    uid, euid, suid, fsuid;
188 	gid_t		    gid, egid, sgid, fsgid;
189 	unsigned long	    personality;
190 	int		    arch;
191 
192 	pid_t		    target_pid;
193 	uid_t		    target_auid;
194 	uid_t		    target_uid;
195 	unsigned int	    target_sessionid;
196 	u32		    target_sid;
197 	char		    target_comm[TASK_COMM_LEN];
198 
199 	struct audit_tree_refs *trees, *first_trees;
200 	int tree_count;
201 
202 	int type;
203 	union {
204 		struct {
205 			int nargs;
206 			long args[6];
207 		} socketcall;
208 		struct {
209 			uid_t			uid;
210 			gid_t			gid;
211 			mode_t			mode;
212 			u32			osid;
213 			int			has_perm;
214 			uid_t			perm_uid;
215 			gid_t			perm_gid;
216 			mode_t			perm_mode;
217 			unsigned long		qbytes;
218 		} ipc;
219 		struct {
220 			mqd_t			mqdes;
221 			struct mq_attr 		mqstat;
222 		} mq_getsetattr;
223 		struct {
224 			mqd_t			mqdes;
225 			int			sigev_signo;
226 		} mq_notify;
227 		struct {
228 			mqd_t			mqdes;
229 			size_t			msg_len;
230 			unsigned int		msg_prio;
231 			struct timespec		abs_timeout;
232 		} mq_sendrecv;
233 		struct {
234 			int			oflag;
235 			mode_t			mode;
236 			struct mq_attr		attr;
237 		} mq_open;
238 		struct {
239 			pid_t			pid;
240 			struct audit_cap_data	cap;
241 		} capset;
242 	};
243 	int fds[2];
244 
245 #if AUDIT_DEBUG
246 	int		    put_count;
247 	int		    ino_count;
248 #endif
249 };
250 
251 #define ACC_MODE(x) ("\004\002\006\006"[(x)&O_ACCMODE])
open_arg(int flags,int mask)252 static inline int open_arg(int flags, int mask)
253 {
254 	int n = ACC_MODE(flags);
255 	if (flags & (O_TRUNC | O_CREAT))
256 		n |= AUDIT_PERM_WRITE;
257 	return n & mask;
258 }
259 
audit_match_perm(struct audit_context * ctx,int mask)260 static int audit_match_perm(struct audit_context *ctx, int mask)
261 {
262 	unsigned n;
263 	if (unlikely(!ctx))
264 		return 0;
265 	n = ctx->major;
266 
267 	switch (audit_classify_syscall(ctx->arch, n)) {
268 	case 0:	/* native */
269 		if ((mask & AUDIT_PERM_WRITE) &&
270 		     audit_match_class(AUDIT_CLASS_WRITE, n))
271 			return 1;
272 		if ((mask & AUDIT_PERM_READ) &&
273 		     audit_match_class(AUDIT_CLASS_READ, n))
274 			return 1;
275 		if ((mask & AUDIT_PERM_ATTR) &&
276 		     audit_match_class(AUDIT_CLASS_CHATTR, n))
277 			return 1;
278 		return 0;
279 	case 1: /* 32bit on biarch */
280 		if ((mask & AUDIT_PERM_WRITE) &&
281 		     audit_match_class(AUDIT_CLASS_WRITE_32, n))
282 			return 1;
283 		if ((mask & AUDIT_PERM_READ) &&
284 		     audit_match_class(AUDIT_CLASS_READ_32, n))
285 			return 1;
286 		if ((mask & AUDIT_PERM_ATTR) &&
287 		     audit_match_class(AUDIT_CLASS_CHATTR_32, n))
288 			return 1;
289 		return 0;
290 	case 2: /* open */
291 		return mask & ACC_MODE(ctx->argv[1]);
292 	case 3: /* openat */
293 		return mask & ACC_MODE(ctx->argv[2]);
294 	case 4: /* socketcall */
295 		return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND);
296 	case 5: /* execve */
297 		return mask & AUDIT_PERM_EXEC;
298 	default:
299 		return 0;
300 	}
301 }
302 
audit_match_filetype(struct audit_context * ctx,int which)303 static int audit_match_filetype(struct audit_context *ctx, int which)
304 {
305 	unsigned index = which & ~S_IFMT;
306 	mode_t mode = which & S_IFMT;
307 
308 	if (unlikely(!ctx))
309 		return 0;
310 
311 	if (index >= ctx->name_count)
312 		return 0;
313 	if (ctx->names[index].ino == -1)
314 		return 0;
315 	if ((ctx->names[index].mode ^ mode) & S_IFMT)
316 		return 0;
317 	return 1;
318 }
319 
320 /*
321  * We keep a linked list of fixed-sized (31 pointer) arrays of audit_chunk *;
322  * ->first_trees points to its beginning, ->trees - to the current end of data.
323  * ->tree_count is the number of free entries in array pointed to by ->trees.
324  * Original condition is (NULL, NULL, 0); as soon as it grows we never revert to NULL,
325  * "empty" becomes (p, p, 31) afterwards.  We don't shrink the list (and seriously,
326  * it's going to remain 1-element for almost any setup) until we free context itself.
327  * References in it _are_ dropped - at the same time we free/drop aux stuff.
328  */
329 
330 #ifdef CONFIG_AUDIT_TREE
put_tree_ref(struct audit_context * ctx,struct audit_chunk * chunk)331 static int put_tree_ref(struct audit_context *ctx, struct audit_chunk *chunk)
332 {
333 	struct audit_tree_refs *p = ctx->trees;
334 	int left = ctx->tree_count;
335 	if (likely(left)) {
336 		p->c[--left] = chunk;
337 		ctx->tree_count = left;
338 		return 1;
339 	}
340 	if (!p)
341 		return 0;
342 	p = p->next;
343 	if (p) {
344 		p->c[30] = chunk;
345 		ctx->trees = p;
346 		ctx->tree_count = 30;
347 		return 1;
348 	}
349 	return 0;
350 }
351 
grow_tree_refs(struct audit_context * ctx)352 static int grow_tree_refs(struct audit_context *ctx)
353 {
354 	struct audit_tree_refs *p = ctx->trees;
355 	ctx->trees = kzalloc(sizeof(struct audit_tree_refs), GFP_KERNEL);
356 	if (!ctx->trees) {
357 		ctx->trees = p;
358 		return 0;
359 	}
360 	if (p)
361 		p->next = ctx->trees;
362 	else
363 		ctx->first_trees = ctx->trees;
364 	ctx->tree_count = 31;
365 	return 1;
366 }
367 #endif
368 
unroll_tree_refs(struct audit_context * ctx,struct audit_tree_refs * p,int count)369 static void unroll_tree_refs(struct audit_context *ctx,
370 		      struct audit_tree_refs *p, int count)
371 {
372 #ifdef CONFIG_AUDIT_TREE
373 	struct audit_tree_refs *q;
374 	int n;
375 	if (!p) {
376 		/* we started with empty chain */
377 		p = ctx->first_trees;
378 		count = 31;
379 		/* if the very first allocation has failed, nothing to do */
380 		if (!p)
381 			return;
382 	}
383 	n = count;
384 	for (q = p; q != ctx->trees; q = q->next, n = 31) {
385 		while (n--) {
386 			audit_put_chunk(q->c[n]);
387 			q->c[n] = NULL;
388 		}
389 	}
390 	while (n-- > ctx->tree_count) {
391 		audit_put_chunk(q->c[n]);
392 		q->c[n] = NULL;
393 	}
394 	ctx->trees = p;
395 	ctx->tree_count = count;
396 #endif
397 }
398 
free_tree_refs(struct audit_context * ctx)399 static void free_tree_refs(struct audit_context *ctx)
400 {
401 	struct audit_tree_refs *p, *q;
402 	for (p = ctx->first_trees; p; p = q) {
403 		q = p->next;
404 		kfree(p);
405 	}
406 }
407 
match_tree_refs(struct audit_context * ctx,struct audit_tree * tree)408 static int match_tree_refs(struct audit_context *ctx, struct audit_tree *tree)
409 {
410 #ifdef CONFIG_AUDIT_TREE
411 	struct audit_tree_refs *p;
412 	int n;
413 	if (!tree)
414 		return 0;
415 	/* full ones */
416 	for (p = ctx->first_trees; p != ctx->trees; p = p->next) {
417 		for (n = 0; n < 31; n++)
418 			if (audit_tree_match(p->c[n], tree))
419 				return 1;
420 	}
421 	/* partial */
422 	if (p) {
423 		for (n = ctx->tree_count; n < 31; n++)
424 			if (audit_tree_match(p->c[n], tree))
425 				return 1;
426 	}
427 #endif
428 	return 0;
429 }
430 
431 /* Determine if any context name data matches a rule's watch data */
432 /* Compare a task_struct with an audit_rule.  Return 1 on match, 0
433  * otherwise. */
audit_filter_rules(struct task_struct * tsk,struct audit_krule * rule,struct audit_context * ctx,struct audit_names * name,enum audit_state * state)434 static int audit_filter_rules(struct task_struct *tsk,
435 			      struct audit_krule *rule,
436 			      struct audit_context *ctx,
437 			      struct audit_names *name,
438 			      enum audit_state *state)
439 {
440 	const struct cred *cred = get_task_cred(tsk);
441 	int i, j, need_sid = 1;
442 	u32 sid;
443 
444 	for (i = 0; i < rule->field_count; i++) {
445 		struct audit_field *f = &rule->fields[i];
446 		int result = 0;
447 
448 		switch (f->type) {
449 		case AUDIT_PID:
450 			result = audit_comparator(tsk->pid, f->op, f->val);
451 			break;
452 		case AUDIT_PPID:
453 			if (ctx) {
454 				if (!ctx->ppid)
455 					ctx->ppid = sys_getppid();
456 				result = audit_comparator(ctx->ppid, f->op, f->val);
457 			}
458 			break;
459 		case AUDIT_UID:
460 			result = audit_comparator(cred->uid, f->op, f->val);
461 			break;
462 		case AUDIT_EUID:
463 			result = audit_comparator(cred->euid, f->op, f->val);
464 			break;
465 		case AUDIT_SUID:
466 			result = audit_comparator(cred->suid, f->op, f->val);
467 			break;
468 		case AUDIT_FSUID:
469 			result = audit_comparator(cred->fsuid, f->op, f->val);
470 			break;
471 		case AUDIT_GID:
472 			result = audit_comparator(cred->gid, f->op, f->val);
473 			break;
474 		case AUDIT_EGID:
475 			result = audit_comparator(cred->egid, f->op, f->val);
476 			break;
477 		case AUDIT_SGID:
478 			result = audit_comparator(cred->sgid, f->op, f->val);
479 			break;
480 		case AUDIT_FSGID:
481 			result = audit_comparator(cred->fsgid, f->op, f->val);
482 			break;
483 		case AUDIT_PERS:
484 			result = audit_comparator(tsk->personality, f->op, f->val);
485 			break;
486 		case AUDIT_ARCH:
487 			if (ctx)
488 				result = audit_comparator(ctx->arch, f->op, f->val);
489 			break;
490 
491 		case AUDIT_EXIT:
492 			if (ctx && ctx->return_valid)
493 				result = audit_comparator(ctx->return_code, f->op, f->val);
494 			break;
495 		case AUDIT_SUCCESS:
496 			if (ctx && ctx->return_valid) {
497 				if (f->val)
498 					result = audit_comparator(ctx->return_valid, f->op, AUDITSC_SUCCESS);
499 				else
500 					result = audit_comparator(ctx->return_valid, f->op, AUDITSC_FAILURE);
501 			}
502 			break;
503 		case AUDIT_DEVMAJOR:
504 			if (name)
505 				result = audit_comparator(MAJOR(name->dev),
506 							  f->op, f->val);
507 			else if (ctx) {
508 				for (j = 0; j < ctx->name_count; j++) {
509 					if (audit_comparator(MAJOR(ctx->names[j].dev),	f->op, f->val)) {
510 						++result;
511 						break;
512 					}
513 				}
514 			}
515 			break;
516 		case AUDIT_DEVMINOR:
517 			if (name)
518 				result = audit_comparator(MINOR(name->dev),
519 							  f->op, f->val);
520 			else if (ctx) {
521 				for (j = 0; j < ctx->name_count; j++) {
522 					if (audit_comparator(MINOR(ctx->names[j].dev), f->op, f->val)) {
523 						++result;
524 						break;
525 					}
526 				}
527 			}
528 			break;
529 		case AUDIT_INODE:
530 			if (name)
531 				result = (name->ino == f->val);
532 			else if (ctx) {
533 				for (j = 0; j < ctx->name_count; j++) {
534 					if (audit_comparator(ctx->names[j].ino, f->op, f->val)) {
535 						++result;
536 						break;
537 					}
538 				}
539 			}
540 			break;
541 		case AUDIT_WATCH:
542 			if (name && rule->watch->ino != (unsigned long)-1)
543 				result = (name->dev == rule->watch->dev &&
544 					  name->ino == rule->watch->ino);
545 			break;
546 		case AUDIT_DIR:
547 			if (ctx)
548 				result = match_tree_refs(ctx, rule->tree);
549 			break;
550 		case AUDIT_LOGINUID:
551 			result = 0;
552 			if (ctx)
553 				result = audit_comparator(tsk->loginuid, f->op, f->val);
554 			break;
555 		case AUDIT_SUBJ_USER:
556 		case AUDIT_SUBJ_ROLE:
557 		case AUDIT_SUBJ_TYPE:
558 		case AUDIT_SUBJ_SEN:
559 		case AUDIT_SUBJ_CLR:
560 			/* NOTE: this may return negative values indicating
561 			   a temporary error.  We simply treat this as a
562 			   match for now to avoid losing information that
563 			   may be wanted.   An error message will also be
564 			   logged upon error */
565 			if (f->lsm_rule) {
566 				if (need_sid) {
567 					security_task_getsecid(tsk, &sid);
568 					need_sid = 0;
569 				}
570 				result = security_audit_rule_match(sid, f->type,
571 				                                  f->op,
572 				                                  f->lsm_rule,
573 				                                  ctx);
574 			}
575 			break;
576 		case AUDIT_OBJ_USER:
577 		case AUDIT_OBJ_ROLE:
578 		case AUDIT_OBJ_TYPE:
579 		case AUDIT_OBJ_LEV_LOW:
580 		case AUDIT_OBJ_LEV_HIGH:
581 			/* The above note for AUDIT_SUBJ_USER...AUDIT_SUBJ_CLR
582 			   also applies here */
583 			if (f->lsm_rule) {
584 				/* Find files that match */
585 				if (name) {
586 					result = security_audit_rule_match(
587 					           name->osid, f->type, f->op,
588 					           f->lsm_rule, ctx);
589 				} else if (ctx) {
590 					for (j = 0; j < ctx->name_count; j++) {
591 						if (security_audit_rule_match(
592 						      ctx->names[j].osid,
593 						      f->type, f->op,
594 						      f->lsm_rule, ctx)) {
595 							++result;
596 							break;
597 						}
598 					}
599 				}
600 				/* Find ipc objects that match */
601 				if (!ctx || ctx->type != AUDIT_IPC)
602 					break;
603 				if (security_audit_rule_match(ctx->ipc.osid,
604 							      f->type, f->op,
605 							      f->lsm_rule, ctx))
606 					++result;
607 			}
608 			break;
609 		case AUDIT_ARG0:
610 		case AUDIT_ARG1:
611 		case AUDIT_ARG2:
612 		case AUDIT_ARG3:
613 			if (ctx)
614 				result = audit_comparator(ctx->argv[f->type-AUDIT_ARG0], f->op, f->val);
615 			break;
616 		case AUDIT_FILTERKEY:
617 			/* ignore this field for filtering */
618 			result = 1;
619 			break;
620 		case AUDIT_PERM:
621 			result = audit_match_perm(ctx, f->val);
622 			break;
623 		case AUDIT_FILETYPE:
624 			result = audit_match_filetype(ctx, f->val);
625 			break;
626 		}
627 
628 		if (!result) {
629 			put_cred(cred);
630 			return 0;
631 		}
632 	}
633 
634 	if (ctx) {
635 		if (rule->prio <= ctx->prio)
636 			return 0;
637 		if (rule->filterkey) {
638 			kfree(ctx->filterkey);
639 			ctx->filterkey = kstrdup(rule->filterkey, GFP_ATOMIC);
640 		}
641 		ctx->prio = rule->prio;
642 	}
643 	switch (rule->action) {
644 	case AUDIT_NEVER:    *state = AUDIT_DISABLED;	    break;
645 	case AUDIT_ALWAYS:   *state = AUDIT_RECORD_CONTEXT; break;
646 	}
647 	put_cred(cred);
648 	return 1;
649 }
650 
651 /* At process creation time, we can determine if system-call auditing is
652  * completely disabled for this task.  Since we only have the task
653  * structure at this point, we can only check uid and gid.
654  */
audit_filter_task(struct task_struct * tsk,char ** key)655 static enum audit_state audit_filter_task(struct task_struct *tsk, char **key)
656 {
657 	struct audit_entry *e;
658 	enum audit_state   state;
659 
660 	rcu_read_lock();
661 	list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TASK], list) {
662 		if (audit_filter_rules(tsk, &e->rule, NULL, NULL, &state)) {
663 			if (state == AUDIT_RECORD_CONTEXT)
664 				*key = kstrdup(e->rule.filterkey, GFP_ATOMIC);
665 			rcu_read_unlock();
666 			return state;
667 		}
668 	}
669 	rcu_read_unlock();
670 	return AUDIT_BUILD_CONTEXT;
671 }
672 
673 /* At syscall entry and exit time, this filter is called if the
674  * audit_state is not low enough that auditing cannot take place, but is
675  * also not high enough that we already know we have to write an audit
676  * record (i.e., the state is AUDIT_SETUP_CONTEXT or AUDIT_BUILD_CONTEXT).
677  */
audit_filter_syscall(struct task_struct * tsk,struct audit_context * ctx,struct list_head * list)678 static enum audit_state audit_filter_syscall(struct task_struct *tsk,
679 					     struct audit_context *ctx,
680 					     struct list_head *list)
681 {
682 	struct audit_entry *e;
683 	enum audit_state state;
684 
685 	if (audit_pid && tsk->tgid == audit_pid)
686 		return AUDIT_DISABLED;
687 
688 	rcu_read_lock();
689 	if (!list_empty(list)) {
690 		int word = AUDIT_WORD(ctx->major);
691 		int bit  = AUDIT_BIT(ctx->major);
692 
693 		list_for_each_entry_rcu(e, list, list) {
694 			if ((e->rule.mask[word] & bit) == bit &&
695 			    audit_filter_rules(tsk, &e->rule, ctx, NULL,
696 					       &state)) {
697 				rcu_read_unlock();
698 				ctx->current_state = state;
699 				return state;
700 			}
701 		}
702 	}
703 	rcu_read_unlock();
704 	return AUDIT_BUILD_CONTEXT;
705 }
706 
707 /* At syscall exit time, this filter is called if any audit_names[] have been
708  * collected during syscall processing.  We only check rules in sublists at hash
709  * buckets applicable to the inode numbers in audit_names[].
710  * Regarding audit_state, same rules apply as for audit_filter_syscall().
711  */
audit_filter_inodes(struct task_struct * tsk,struct audit_context * ctx)712 void audit_filter_inodes(struct task_struct *tsk, struct audit_context *ctx)
713 {
714 	int i;
715 	struct audit_entry *e;
716 	enum audit_state state;
717 
718 	if (audit_pid && tsk->tgid == audit_pid)
719 		return;
720 
721 	rcu_read_lock();
722 	for (i = 0; i < ctx->name_count; i++) {
723 		int word = AUDIT_WORD(ctx->major);
724 		int bit  = AUDIT_BIT(ctx->major);
725 		struct audit_names *n = &ctx->names[i];
726 		int h = audit_hash_ino((u32)n->ino);
727 		struct list_head *list = &audit_inode_hash[h];
728 
729 		if (list_empty(list))
730 			continue;
731 
732 		list_for_each_entry_rcu(e, list, list) {
733 			if ((e->rule.mask[word] & bit) == bit &&
734 			    audit_filter_rules(tsk, &e->rule, ctx, n, &state)) {
735 				rcu_read_unlock();
736 				ctx->current_state = state;
737 				return;
738 			}
739 		}
740 	}
741 	rcu_read_unlock();
742 }
743 
audit_set_auditable(struct audit_context * ctx)744 static void audit_set_auditable(struct audit_context *ctx)
745 {
746 	if (!ctx->prio) {
747 		ctx->prio = 1;
748 		ctx->current_state = AUDIT_RECORD_CONTEXT;
749 	}
750 }
751 
audit_get_context(struct task_struct * tsk,int return_valid,int return_code)752 static inline struct audit_context *audit_get_context(struct task_struct *tsk,
753 						      int return_valid,
754 						      int return_code)
755 {
756 	struct audit_context *context = tsk->audit_context;
757 
758 	if (likely(!context))
759 		return NULL;
760 	context->return_valid = return_valid;
761 
762 	/*
763 	 * we need to fix up the return code in the audit logs if the actual
764 	 * return codes are later going to be fixed up by the arch specific
765 	 * signal handlers
766 	 *
767 	 * This is actually a test for:
768 	 * (rc == ERESTARTSYS ) || (rc == ERESTARTNOINTR) ||
769 	 * (rc == ERESTARTNOHAND) || (rc == ERESTART_RESTARTBLOCK)
770 	 *
771 	 * but is faster than a bunch of ||
772 	 */
773 	if (unlikely(return_code <= -ERESTARTSYS) &&
774 	    (return_code >= -ERESTART_RESTARTBLOCK) &&
775 	    (return_code != -ENOIOCTLCMD))
776 		context->return_code = -EINTR;
777 	else
778 		context->return_code  = return_code;
779 
780 	if (context->in_syscall && !context->dummy) {
781 		audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_EXIT]);
782 		audit_filter_inodes(tsk, context);
783 	}
784 
785 	tsk->audit_context = NULL;
786 	return context;
787 }
788 
audit_free_names(struct audit_context * context)789 static inline void audit_free_names(struct audit_context *context)
790 {
791 	int i;
792 
793 #if AUDIT_DEBUG == 2
794 	if (context->put_count + context->ino_count != context->name_count) {
795 		printk(KERN_ERR "%s:%d(:%d): major=%d in_syscall=%d"
796 		       " name_count=%d put_count=%d"
797 		       " ino_count=%d [NOT freeing]\n",
798 		       __FILE__, __LINE__,
799 		       context->serial, context->major, context->in_syscall,
800 		       context->name_count, context->put_count,
801 		       context->ino_count);
802 		for (i = 0; i < context->name_count; i++) {
803 			printk(KERN_ERR "names[%d] = %p = %s\n", i,
804 			       context->names[i].name,
805 			       context->names[i].name ?: "(null)");
806 		}
807 		dump_stack();
808 		return;
809 	}
810 #endif
811 #if AUDIT_DEBUG
812 	context->put_count  = 0;
813 	context->ino_count  = 0;
814 #endif
815 
816 	for (i = 0; i < context->name_count; i++) {
817 		if (context->names[i].name && context->names[i].name_put)
818 			__putname(context->names[i].name);
819 	}
820 	context->name_count = 0;
821 	path_put(&context->pwd);
822 	context->pwd.dentry = NULL;
823 	context->pwd.mnt = NULL;
824 }
825 
audit_free_aux(struct audit_context * context)826 static inline void audit_free_aux(struct audit_context *context)
827 {
828 	struct audit_aux_data *aux;
829 
830 	while ((aux = context->aux)) {
831 		context->aux = aux->next;
832 		kfree(aux);
833 	}
834 	while ((aux = context->aux_pids)) {
835 		context->aux_pids = aux->next;
836 		kfree(aux);
837 	}
838 }
839 
audit_zero_context(struct audit_context * context,enum audit_state state)840 static inline void audit_zero_context(struct audit_context *context,
841 				      enum audit_state state)
842 {
843 	memset(context, 0, sizeof(*context));
844 	context->state      = state;
845 	context->prio = state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0;
846 }
847 
audit_alloc_context(enum audit_state state)848 static inline struct audit_context *audit_alloc_context(enum audit_state state)
849 {
850 	struct audit_context *context;
851 
852 	if (!(context = kmalloc(sizeof(*context), GFP_KERNEL)))
853 		return NULL;
854 	audit_zero_context(context, state);
855 	return context;
856 }
857 
858 /**
859  * audit_alloc - allocate an audit context block for a task
860  * @tsk: task
861  *
862  * Filter on the task information and allocate a per-task audit context
863  * if necessary.  Doing so turns on system call auditing for the
864  * specified task.  This is called from copy_process, so no lock is
865  * needed.
866  */
audit_alloc(struct task_struct * tsk)867 int audit_alloc(struct task_struct *tsk)
868 {
869 	struct audit_context *context;
870 	enum audit_state     state;
871 	char *key = NULL;
872 
873 	if (likely(!audit_ever_enabled))
874 		return 0; /* Return if not auditing. */
875 
876 	state = audit_filter_task(tsk, &key);
877 	if (likely(state == AUDIT_DISABLED))
878 		return 0;
879 
880 	if (!(context = audit_alloc_context(state))) {
881 		kfree(key);
882 		audit_log_lost("out of memory in audit_alloc");
883 		return -ENOMEM;
884 	}
885 	context->filterkey = key;
886 
887 	tsk->audit_context  = context;
888 	set_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT);
889 	return 0;
890 }
891 
audit_free_context(struct audit_context * context)892 static inline void audit_free_context(struct audit_context *context)
893 {
894 	struct audit_context *previous;
895 	int		     count = 0;
896 
897 	do {
898 		previous = context->previous;
899 		if (previous || (count &&  count < 10)) {
900 			++count;
901 			printk(KERN_ERR "audit(:%d): major=%d name_count=%d:"
902 			       " freeing multiple contexts (%d)\n",
903 			       context->serial, context->major,
904 			       context->name_count, count);
905 		}
906 		audit_free_names(context);
907 		unroll_tree_refs(context, NULL, 0);
908 		free_tree_refs(context);
909 		audit_free_aux(context);
910 		kfree(context->filterkey);
911 		kfree(context->sockaddr);
912 		kfree(context);
913 		context  = previous;
914 	} while (context);
915 	if (count >= 10)
916 		printk(KERN_ERR "audit: freed %d contexts\n", count);
917 }
918 
audit_log_task_context(struct audit_buffer * ab)919 void audit_log_task_context(struct audit_buffer *ab)
920 {
921 	char *ctx = NULL;
922 	unsigned len;
923 	int error;
924 	u32 sid;
925 
926 	security_task_getsecid(current, &sid);
927 	if (!sid)
928 		return;
929 
930 	error = security_secid_to_secctx(sid, &ctx, &len);
931 	if (error) {
932 		if (error != -EINVAL)
933 			goto error_path;
934 		return;
935 	}
936 
937 	audit_log_format(ab, " subj=%s", ctx);
938 	security_release_secctx(ctx, len);
939 	return;
940 
941 error_path:
942 	audit_panic("error in audit_log_task_context");
943 	return;
944 }
945 
946 EXPORT_SYMBOL(audit_log_task_context);
947 
audit_log_task_info(struct audit_buffer * ab,struct task_struct * tsk)948 static void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
949 {
950 	char name[sizeof(tsk->comm)];
951 	struct mm_struct *mm = tsk->mm;
952 	struct vm_area_struct *vma;
953 
954 	/* tsk == current */
955 
956 	get_task_comm(name, tsk);
957 	audit_log_format(ab, " comm=");
958 	audit_log_untrustedstring(ab, name);
959 
960 	if (mm) {
961 		down_read(&mm->mmap_sem);
962 		vma = mm->mmap;
963 		while (vma) {
964 			if ((vma->vm_flags & VM_EXECUTABLE) &&
965 			    vma->vm_file) {
966 				audit_log_d_path(ab, "exe=",
967 						 &vma->vm_file->f_path);
968 				break;
969 			}
970 			vma = vma->vm_next;
971 		}
972 		up_read(&mm->mmap_sem);
973 	}
974 	audit_log_task_context(ab);
975 }
976 
audit_log_pid_context(struct audit_context * context,pid_t pid,uid_t auid,uid_t uid,unsigned int sessionid,u32 sid,char * comm)977 static int audit_log_pid_context(struct audit_context *context, pid_t pid,
978 				 uid_t auid, uid_t uid, unsigned int sessionid,
979 				 u32 sid, char *comm)
980 {
981 	struct audit_buffer *ab;
982 	char *ctx = NULL;
983 	u32 len;
984 	int rc = 0;
985 
986 	ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID);
987 	if (!ab)
988 		return rc;
989 
990 	audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid, auid,
991 			 uid, sessionid);
992 	if (security_secid_to_secctx(sid, &ctx, &len)) {
993 		audit_log_format(ab, " obj=(none)");
994 		rc = 1;
995 	} else {
996 		audit_log_format(ab, " obj=%s", ctx);
997 		security_release_secctx(ctx, len);
998 	}
999 	audit_log_format(ab, " ocomm=");
1000 	audit_log_untrustedstring(ab, comm);
1001 	audit_log_end(ab);
1002 
1003 	return rc;
1004 }
1005 
1006 /*
1007  * to_send and len_sent accounting are very loose estimates.  We aren't
1008  * really worried about a hard cap to MAX_EXECVE_AUDIT_LEN so much as being
1009  * within about 500 bytes (next page boundry)
1010  *
1011  * why snprintf?  an int is up to 12 digits long.  if we just assumed when
1012  * logging that a[%d]= was going to be 16 characters long we would be wasting
1013  * space in every audit message.  In one 7500 byte message we can log up to
1014  * about 1000 min size arguments.  That comes down to about 50% waste of space
1015  * if we didn't do the snprintf to find out how long arg_num_len was.
1016  */
audit_log_single_execve_arg(struct audit_context * context,struct audit_buffer ** ab,int arg_num,size_t * len_sent,const char __user * p,char * buf)1017 static int audit_log_single_execve_arg(struct audit_context *context,
1018 					struct audit_buffer **ab,
1019 					int arg_num,
1020 					size_t *len_sent,
1021 					const char __user *p,
1022 					char *buf)
1023 {
1024 	char arg_num_len_buf[12];
1025 	const char __user *tmp_p = p;
1026 	/* how many digits are in arg_num? 3 is the length of a=\n */
1027 	size_t arg_num_len = snprintf(arg_num_len_buf, 12, "%d", arg_num) + 3;
1028 	size_t len, len_left, to_send;
1029 	size_t max_execve_audit_len = MAX_EXECVE_AUDIT_LEN;
1030 	unsigned int i, has_cntl = 0, too_long = 0;
1031 	int ret;
1032 
1033 	/* strnlen_user includes the null we don't want to send */
1034 	len_left = len = strnlen_user(p, MAX_ARG_STRLEN) - 1;
1035 
1036 	/*
1037 	 * We just created this mm, if we can't find the strings
1038 	 * we just copied into it something is _very_ wrong. Similar
1039 	 * for strings that are too long, we should not have created
1040 	 * any.
1041 	 */
1042 	if (unlikely((len == -1) || len > MAX_ARG_STRLEN - 1)) {
1043 		WARN_ON(1);
1044 		send_sig(SIGKILL, current, 0);
1045 		return -1;
1046 	}
1047 
1048 	/* walk the whole argument looking for non-ascii chars */
1049 	do {
1050 		if (len_left > MAX_EXECVE_AUDIT_LEN)
1051 			to_send = MAX_EXECVE_AUDIT_LEN;
1052 		else
1053 			to_send = len_left;
1054 		ret = copy_from_user(buf, tmp_p, to_send);
1055 		/*
1056 		 * There is no reason for this copy to be short. We just
1057 		 * copied them here, and the mm hasn't been exposed to user-
1058 		 * space yet.
1059 		 */
1060 		if (ret) {
1061 			WARN_ON(1);
1062 			send_sig(SIGKILL, current, 0);
1063 			return -1;
1064 		}
1065 		buf[to_send] = '\0';
1066 		has_cntl = audit_string_contains_control(buf, to_send);
1067 		if (has_cntl) {
1068 			/*
1069 			 * hex messages get logged as 2 bytes, so we can only
1070 			 * send half as much in each message
1071 			 */
1072 			max_execve_audit_len = MAX_EXECVE_AUDIT_LEN / 2;
1073 			break;
1074 		}
1075 		len_left -= to_send;
1076 		tmp_p += to_send;
1077 	} while (len_left > 0);
1078 
1079 	len_left = len;
1080 
1081 	if (len > max_execve_audit_len)
1082 		too_long = 1;
1083 
1084 	/* rewalk the argument actually logging the message */
1085 	for (i = 0; len_left > 0; i++) {
1086 		int room_left;
1087 
1088 		if (len_left > max_execve_audit_len)
1089 			to_send = max_execve_audit_len;
1090 		else
1091 			to_send = len_left;
1092 
1093 		/* do we have space left to send this argument in this ab? */
1094 		room_left = MAX_EXECVE_AUDIT_LEN - arg_num_len - *len_sent;
1095 		if (has_cntl)
1096 			room_left -= (to_send * 2);
1097 		else
1098 			room_left -= to_send;
1099 		if (room_left < 0) {
1100 			*len_sent = 0;
1101 			audit_log_end(*ab);
1102 			*ab = audit_log_start(context, GFP_KERNEL, AUDIT_EXECVE);
1103 			if (!*ab)
1104 				return 0;
1105 		}
1106 
1107 		/*
1108 		 * first record needs to say how long the original string was
1109 		 * so we can be sure nothing was lost.
1110 		 */
1111 		if ((i == 0) && (too_long))
1112 			audit_log_format(*ab, "a%d_len=%zu ", arg_num,
1113 					 has_cntl ? 2*len : len);
1114 
1115 		/*
1116 		 * normally arguments are small enough to fit and we already
1117 		 * filled buf above when we checked for control characters
1118 		 * so don't bother with another copy_from_user
1119 		 */
1120 		if (len >= max_execve_audit_len)
1121 			ret = copy_from_user(buf, p, to_send);
1122 		else
1123 			ret = 0;
1124 		if (ret) {
1125 			WARN_ON(1);
1126 			send_sig(SIGKILL, current, 0);
1127 			return -1;
1128 		}
1129 		buf[to_send] = '\0';
1130 
1131 		/* actually log it */
1132 		audit_log_format(*ab, "a%d", arg_num);
1133 		if (too_long)
1134 			audit_log_format(*ab, "[%d]", i);
1135 		audit_log_format(*ab, "=");
1136 		if (has_cntl)
1137 			audit_log_n_hex(*ab, buf, to_send);
1138 		else
1139 			audit_log_format(*ab, "\"%s\"", buf);
1140 		audit_log_format(*ab, "\n");
1141 
1142 		p += to_send;
1143 		len_left -= to_send;
1144 		*len_sent += arg_num_len;
1145 		if (has_cntl)
1146 			*len_sent += to_send * 2;
1147 		else
1148 			*len_sent += to_send;
1149 	}
1150 	/* include the null we didn't log */
1151 	return len + 1;
1152 }
1153 
audit_log_execve_info(struct audit_context * context,struct audit_buffer ** ab,struct audit_aux_data_execve * axi)1154 static void audit_log_execve_info(struct audit_context *context,
1155 				  struct audit_buffer **ab,
1156 				  struct audit_aux_data_execve *axi)
1157 {
1158 	int i;
1159 	size_t len, len_sent = 0;
1160 	const char __user *p;
1161 	char *buf;
1162 
1163 	if (axi->mm != current->mm)
1164 		return; /* execve failed, no additional info */
1165 
1166 	p = (const char __user *)axi->mm->arg_start;
1167 
1168 	audit_log_format(*ab, "argc=%d ", axi->argc);
1169 
1170 	/*
1171 	 * we need some kernel buffer to hold the userspace args.  Just
1172 	 * allocate one big one rather than allocating one of the right size
1173 	 * for every single argument inside audit_log_single_execve_arg()
1174 	 * should be <8k allocation so should be pretty safe.
1175 	 */
1176 	buf = kmalloc(MAX_EXECVE_AUDIT_LEN + 1, GFP_KERNEL);
1177 	if (!buf) {
1178 		audit_panic("out of memory for argv string\n");
1179 		return;
1180 	}
1181 
1182 	for (i = 0; i < axi->argc; i++) {
1183 		len = audit_log_single_execve_arg(context, ab, i,
1184 						  &len_sent, p, buf);
1185 		if (len <= 0)
1186 			break;
1187 		p += len;
1188 	}
1189 	kfree(buf);
1190 }
1191 
audit_log_cap(struct audit_buffer * ab,char * prefix,kernel_cap_t * cap)1192 static void audit_log_cap(struct audit_buffer *ab, char *prefix, kernel_cap_t *cap)
1193 {
1194 	int i;
1195 
1196 	audit_log_format(ab, " %s=", prefix);
1197 	CAP_FOR_EACH_U32(i) {
1198 		audit_log_format(ab, "%08x", cap->cap[(_KERNEL_CAPABILITY_U32S-1) - i]);
1199 	}
1200 }
1201 
audit_log_fcaps(struct audit_buffer * ab,struct audit_names * name)1202 static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name)
1203 {
1204 	kernel_cap_t *perm = &name->fcap.permitted;
1205 	kernel_cap_t *inh = &name->fcap.inheritable;
1206 	int log = 0;
1207 
1208 	if (!cap_isclear(*perm)) {
1209 		audit_log_cap(ab, "cap_fp", perm);
1210 		log = 1;
1211 	}
1212 	if (!cap_isclear(*inh)) {
1213 		audit_log_cap(ab, "cap_fi", inh);
1214 		log = 1;
1215 	}
1216 
1217 	if (log)
1218 		audit_log_format(ab, " cap_fe=%d cap_fver=%x", name->fcap.fE, name->fcap_ver);
1219 }
1220 
show_special(struct audit_context * context,int * call_panic)1221 static void show_special(struct audit_context *context, int *call_panic)
1222 {
1223 	struct audit_buffer *ab;
1224 	int i;
1225 
1226 	ab = audit_log_start(context, GFP_KERNEL, context->type);
1227 	if (!ab)
1228 		return;
1229 
1230 	switch (context->type) {
1231 	case AUDIT_SOCKETCALL: {
1232 		int nargs = context->socketcall.nargs;
1233 		audit_log_format(ab, "nargs=%d", nargs);
1234 		for (i = 0; i < nargs; i++)
1235 			audit_log_format(ab, " a%d=%lx", i,
1236 				context->socketcall.args[i]);
1237 		break; }
1238 	case AUDIT_IPC: {
1239 		u32 osid = context->ipc.osid;
1240 
1241 		audit_log_format(ab, "ouid=%u ogid=%u mode=%#o",
1242 			 context->ipc.uid, context->ipc.gid, context->ipc.mode);
1243 		if (osid) {
1244 			char *ctx = NULL;
1245 			u32 len;
1246 			if (security_secid_to_secctx(osid, &ctx, &len)) {
1247 				audit_log_format(ab, " osid=%u", osid);
1248 				*call_panic = 1;
1249 			} else {
1250 				audit_log_format(ab, " obj=%s", ctx);
1251 				security_release_secctx(ctx, len);
1252 			}
1253 		}
1254 		if (context->ipc.has_perm) {
1255 			audit_log_end(ab);
1256 			ab = audit_log_start(context, GFP_KERNEL,
1257 					     AUDIT_IPC_SET_PERM);
1258 			audit_log_format(ab,
1259 				"qbytes=%lx ouid=%u ogid=%u mode=%#o",
1260 				context->ipc.qbytes,
1261 				context->ipc.perm_uid,
1262 				context->ipc.perm_gid,
1263 				context->ipc.perm_mode);
1264 			if (!ab)
1265 				return;
1266 		}
1267 		break; }
1268 	case AUDIT_MQ_OPEN: {
1269 		audit_log_format(ab,
1270 			"oflag=0x%x mode=%#o mq_flags=0x%lx mq_maxmsg=%ld "
1271 			"mq_msgsize=%ld mq_curmsgs=%ld",
1272 			context->mq_open.oflag, context->mq_open.mode,
1273 			context->mq_open.attr.mq_flags,
1274 			context->mq_open.attr.mq_maxmsg,
1275 			context->mq_open.attr.mq_msgsize,
1276 			context->mq_open.attr.mq_curmsgs);
1277 		break; }
1278 	case AUDIT_MQ_SENDRECV: {
1279 		audit_log_format(ab,
1280 			"mqdes=%d msg_len=%zd msg_prio=%u "
1281 			"abs_timeout_sec=%ld abs_timeout_nsec=%ld",
1282 			context->mq_sendrecv.mqdes,
1283 			context->mq_sendrecv.msg_len,
1284 			context->mq_sendrecv.msg_prio,
1285 			context->mq_sendrecv.abs_timeout.tv_sec,
1286 			context->mq_sendrecv.abs_timeout.tv_nsec);
1287 		break; }
1288 	case AUDIT_MQ_NOTIFY: {
1289 		audit_log_format(ab, "mqdes=%d sigev_signo=%d",
1290 				context->mq_notify.mqdes,
1291 				context->mq_notify.sigev_signo);
1292 		break; }
1293 	case AUDIT_MQ_GETSETATTR: {
1294 		struct mq_attr *attr = &context->mq_getsetattr.mqstat;
1295 		audit_log_format(ab,
1296 			"mqdes=%d mq_flags=0x%lx mq_maxmsg=%ld mq_msgsize=%ld "
1297 			"mq_curmsgs=%ld ",
1298 			context->mq_getsetattr.mqdes,
1299 			attr->mq_flags, attr->mq_maxmsg,
1300 			attr->mq_msgsize, attr->mq_curmsgs);
1301 		break; }
1302 	case AUDIT_CAPSET: {
1303 		audit_log_format(ab, "pid=%d", context->capset.pid);
1304 		audit_log_cap(ab, "cap_pi", &context->capset.cap.inheritable);
1305 		audit_log_cap(ab, "cap_pp", &context->capset.cap.permitted);
1306 		audit_log_cap(ab, "cap_pe", &context->capset.cap.effective);
1307 		break; }
1308 	}
1309 	audit_log_end(ab);
1310 }
1311 
audit_log_exit(struct audit_context * context,struct task_struct * tsk)1312 static void audit_log_exit(struct audit_context *context, struct task_struct *tsk)
1313 {
1314 	const struct cred *cred;
1315 	int i, call_panic = 0;
1316 	struct audit_buffer *ab;
1317 	struct audit_aux_data *aux;
1318 	const char *tty;
1319 
1320 	/* tsk == current */
1321 	context->pid = tsk->pid;
1322 	if (!context->ppid)
1323 		context->ppid = sys_getppid();
1324 	cred = current_cred();
1325 	context->uid   = cred->uid;
1326 	context->gid   = cred->gid;
1327 	context->euid  = cred->euid;
1328 	context->suid  = cred->suid;
1329 	context->fsuid = cred->fsuid;
1330 	context->egid  = cred->egid;
1331 	context->sgid  = cred->sgid;
1332 	context->fsgid = cred->fsgid;
1333 	context->personality = tsk->personality;
1334 
1335 	ab = audit_log_start(context, GFP_KERNEL, AUDIT_SYSCALL);
1336 	if (!ab)
1337 		return;		/* audit_panic has been called */
1338 	audit_log_format(ab, "arch=%x syscall=%d",
1339 			 context->arch, context->major);
1340 	if (context->personality != PER_LINUX)
1341 		audit_log_format(ab, " per=%lx", context->personality);
1342 	if (context->return_valid)
1343 		audit_log_format(ab, " success=%s exit=%ld",
1344 				 (context->return_valid==AUDITSC_SUCCESS)?"yes":"no",
1345 				 context->return_code);
1346 
1347 	spin_lock_irq(&tsk->sighand->siglock);
1348 	if (tsk->signal && tsk->signal->tty && tsk->signal->tty->name)
1349 		tty = tsk->signal->tty->name;
1350 	else
1351 		tty = "(none)";
1352 	spin_unlock_irq(&tsk->sighand->siglock);
1353 
1354 	audit_log_format(ab,
1355 		  " a0=%lx a1=%lx a2=%lx a3=%lx items=%d"
1356 		  " ppid=%d pid=%d auid=%u uid=%u gid=%u"
1357 		  " euid=%u suid=%u fsuid=%u"
1358 		  " egid=%u sgid=%u fsgid=%u tty=%s ses=%u",
1359 		  context->argv[0],
1360 		  context->argv[1],
1361 		  context->argv[2],
1362 		  context->argv[3],
1363 		  context->name_count,
1364 		  context->ppid,
1365 		  context->pid,
1366 		  tsk->loginuid,
1367 		  context->uid,
1368 		  context->gid,
1369 		  context->euid, context->suid, context->fsuid,
1370 		  context->egid, context->sgid, context->fsgid, tty,
1371 		  tsk->sessionid);
1372 
1373 
1374 	audit_log_task_info(ab, tsk);
1375 	if (context->filterkey) {
1376 		audit_log_format(ab, " key=");
1377 		audit_log_untrustedstring(ab, context->filterkey);
1378 	} else
1379 		audit_log_format(ab, " key=(null)");
1380 	audit_log_end(ab);
1381 
1382 	for (aux = context->aux; aux; aux = aux->next) {
1383 
1384 		ab = audit_log_start(context, GFP_KERNEL, aux->type);
1385 		if (!ab)
1386 			continue; /* audit_panic has been called */
1387 
1388 		switch (aux->type) {
1389 
1390 		case AUDIT_EXECVE: {
1391 			struct audit_aux_data_execve *axi = (void *)aux;
1392 			audit_log_execve_info(context, &ab, axi);
1393 			break; }
1394 
1395 		case AUDIT_BPRM_FCAPS: {
1396 			struct audit_aux_data_bprm_fcaps *axs = (void *)aux;
1397 			audit_log_format(ab, "fver=%x", axs->fcap_ver);
1398 			audit_log_cap(ab, "fp", &axs->fcap.permitted);
1399 			audit_log_cap(ab, "fi", &axs->fcap.inheritable);
1400 			audit_log_format(ab, " fe=%d", axs->fcap.fE);
1401 			audit_log_cap(ab, "old_pp", &axs->old_pcap.permitted);
1402 			audit_log_cap(ab, "old_pi", &axs->old_pcap.inheritable);
1403 			audit_log_cap(ab, "old_pe", &axs->old_pcap.effective);
1404 			audit_log_cap(ab, "new_pp", &axs->new_pcap.permitted);
1405 			audit_log_cap(ab, "new_pi", &axs->new_pcap.inheritable);
1406 			audit_log_cap(ab, "new_pe", &axs->new_pcap.effective);
1407 			break; }
1408 
1409 		}
1410 		audit_log_end(ab);
1411 	}
1412 
1413 	if (context->type)
1414 		show_special(context, &call_panic);
1415 
1416 	if (context->fds[0] >= 0) {
1417 		ab = audit_log_start(context, GFP_KERNEL, AUDIT_FD_PAIR);
1418 		if (ab) {
1419 			audit_log_format(ab, "fd0=%d fd1=%d",
1420 					context->fds[0], context->fds[1]);
1421 			audit_log_end(ab);
1422 		}
1423 	}
1424 
1425 	if (context->sockaddr_len) {
1426 		ab = audit_log_start(context, GFP_KERNEL, AUDIT_SOCKADDR);
1427 		if (ab) {
1428 			audit_log_format(ab, "saddr=");
1429 			audit_log_n_hex(ab, (void *)context->sockaddr,
1430 					context->sockaddr_len);
1431 			audit_log_end(ab);
1432 		}
1433 	}
1434 
1435 	for (aux = context->aux_pids; aux; aux = aux->next) {
1436 		struct audit_aux_data_pids *axs = (void *)aux;
1437 
1438 		for (i = 0; i < axs->pid_count; i++)
1439 			if (audit_log_pid_context(context, axs->target_pid[i],
1440 						  axs->target_auid[i],
1441 						  axs->target_uid[i],
1442 						  axs->target_sessionid[i],
1443 						  axs->target_sid[i],
1444 						  axs->target_comm[i]))
1445 				call_panic = 1;
1446 	}
1447 
1448 	if (context->target_pid &&
1449 	    audit_log_pid_context(context, context->target_pid,
1450 				  context->target_auid, context->target_uid,
1451 				  context->target_sessionid,
1452 				  context->target_sid, context->target_comm))
1453 			call_panic = 1;
1454 
1455 	if (context->pwd.dentry && context->pwd.mnt) {
1456 		ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD);
1457 		if (ab) {
1458 			audit_log_d_path(ab, "cwd=", &context->pwd);
1459 			audit_log_end(ab);
1460 		}
1461 	}
1462 	for (i = 0; i < context->name_count; i++) {
1463 		struct audit_names *n = &context->names[i];
1464 
1465 		ab = audit_log_start(context, GFP_KERNEL, AUDIT_PATH);
1466 		if (!ab)
1467 			continue; /* audit_panic has been called */
1468 
1469 		audit_log_format(ab, "item=%d", i);
1470 
1471 		if (n->name) {
1472 			switch(n->name_len) {
1473 			case AUDIT_NAME_FULL:
1474 				/* log the full path */
1475 				audit_log_format(ab, " name=");
1476 				audit_log_untrustedstring(ab, n->name);
1477 				break;
1478 			case 0:
1479 				/* name was specified as a relative path and the
1480 				 * directory component is the cwd */
1481 				audit_log_d_path(ab, " name=", &context->pwd);
1482 				break;
1483 			default:
1484 				/* log the name's directory component */
1485 				audit_log_format(ab, " name=");
1486 				audit_log_n_untrustedstring(ab, n->name,
1487 							    n->name_len);
1488 			}
1489 		} else
1490 			audit_log_format(ab, " name=(null)");
1491 
1492 		if (n->ino != (unsigned long)-1) {
1493 			audit_log_format(ab, " inode=%lu"
1494 					 " dev=%02x:%02x mode=%#o"
1495 					 " ouid=%u ogid=%u rdev=%02x:%02x",
1496 					 n->ino,
1497 					 MAJOR(n->dev),
1498 					 MINOR(n->dev),
1499 					 n->mode,
1500 					 n->uid,
1501 					 n->gid,
1502 					 MAJOR(n->rdev),
1503 					 MINOR(n->rdev));
1504 		}
1505 		if (n->osid != 0) {
1506 			char *ctx = NULL;
1507 			u32 len;
1508 			if (security_secid_to_secctx(
1509 				n->osid, &ctx, &len)) {
1510 				audit_log_format(ab, " osid=%u", n->osid);
1511 				call_panic = 2;
1512 			} else {
1513 				audit_log_format(ab, " obj=%s", ctx);
1514 				security_release_secctx(ctx, len);
1515 			}
1516 		}
1517 
1518 		audit_log_fcaps(ab, n);
1519 
1520 		audit_log_end(ab);
1521 	}
1522 
1523 	/* Send end of event record to help user space know we are finished */
1524 	ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE);
1525 	if (ab)
1526 		audit_log_end(ab);
1527 	if (call_panic)
1528 		audit_panic("error converting sid to string");
1529 }
1530 
1531 /**
1532  * audit_free - free a per-task audit context
1533  * @tsk: task whose audit context block to free
1534  *
1535  * Called from copy_process and do_exit
1536  */
audit_free(struct task_struct * tsk)1537 void audit_free(struct task_struct *tsk)
1538 {
1539 	struct audit_context *context;
1540 
1541 	context = audit_get_context(tsk, 0, 0);
1542 	if (likely(!context))
1543 		return;
1544 
1545 	/* Check for system calls that do not go through the exit
1546 	 * function (e.g., exit_group), then free context block.
1547 	 * We use GFP_ATOMIC here because we might be doing this
1548 	 * in the context of the idle thread */
1549 	/* that can happen only if we are called from do_exit() */
1550 	if (context->in_syscall && context->current_state == AUDIT_RECORD_CONTEXT)
1551 		audit_log_exit(context, tsk);
1552 
1553 	audit_free_context(context);
1554 }
1555 
1556 /**
1557  * audit_syscall_entry - fill in an audit record at syscall entry
1558  * @arch: architecture type
1559  * @major: major syscall type (function)
1560  * @a1: additional syscall register 1
1561  * @a2: additional syscall register 2
1562  * @a3: additional syscall register 3
1563  * @a4: additional syscall register 4
1564  *
1565  * Fill in audit context at syscall entry.  This only happens if the
1566  * audit context was created when the task was created and the state or
1567  * filters demand the audit context be built.  If the state from the
1568  * per-task filter or from the per-syscall filter is AUDIT_RECORD_CONTEXT,
1569  * then the record will be written at syscall exit time (otherwise, it
1570  * will only be written if another part of the kernel requests that it
1571  * be written).
1572  */
audit_syscall_entry(int arch,int major,unsigned long a1,unsigned long a2,unsigned long a3,unsigned long a4)1573 void audit_syscall_entry(int arch, int major,
1574 			 unsigned long a1, unsigned long a2,
1575 			 unsigned long a3, unsigned long a4)
1576 {
1577 	struct task_struct *tsk = current;
1578 	struct audit_context *context = tsk->audit_context;
1579 	enum audit_state     state;
1580 
1581 	if (unlikely(!context))
1582 		return;
1583 
1584 	/*
1585 	 * This happens only on certain architectures that make system
1586 	 * calls in kernel_thread via the entry.S interface, instead of
1587 	 * with direct calls.  (If you are porting to a new
1588 	 * architecture, hitting this condition can indicate that you
1589 	 * got the _exit/_leave calls backward in entry.S.)
1590 	 *
1591 	 * i386     no
1592 	 * x86_64   no
1593 	 * ppc64    yes (see arch/powerpc/platforms/iseries/misc.S)
1594 	 *
1595 	 * This also happens with vm86 emulation in a non-nested manner
1596 	 * (entries without exits), so this case must be caught.
1597 	 */
1598 	if (context->in_syscall) {
1599 		struct audit_context *newctx;
1600 
1601 #if AUDIT_DEBUG
1602 		printk(KERN_ERR
1603 		       "audit(:%d) pid=%d in syscall=%d;"
1604 		       " entering syscall=%d\n",
1605 		       context->serial, tsk->pid, context->major, major);
1606 #endif
1607 		newctx = audit_alloc_context(context->state);
1608 		if (newctx) {
1609 			newctx->previous   = context;
1610 			context		   = newctx;
1611 			tsk->audit_context = newctx;
1612 		} else	{
1613 			/* If we can't alloc a new context, the best we
1614 			 * can do is to leak memory (any pending putname
1615 			 * will be lost).  The only other alternative is
1616 			 * to abandon auditing. */
1617 			audit_zero_context(context, context->state);
1618 		}
1619 	}
1620 	BUG_ON(context->in_syscall || context->name_count);
1621 
1622 	if (!audit_enabled)
1623 		return;
1624 
1625 	context->arch	    = arch;
1626 	context->major      = major;
1627 	context->argv[0]    = a1;
1628 	context->argv[1]    = a2;
1629 	context->argv[2]    = a3;
1630 	context->argv[3]    = a4;
1631 
1632 	state = context->state;
1633 	context->dummy = !audit_n_rules;
1634 	if (!context->dummy && state == AUDIT_BUILD_CONTEXT) {
1635 		context->prio = 0;
1636 		state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_ENTRY]);
1637 	}
1638 	if (likely(state == AUDIT_DISABLED))
1639 		return;
1640 
1641 	context->serial     = 0;
1642 	context->ctime      = CURRENT_TIME;
1643 	context->in_syscall = 1;
1644 	context->current_state  = state;
1645 	context->ppid       = 0;
1646 }
1647 
audit_finish_fork(struct task_struct * child)1648 void audit_finish_fork(struct task_struct *child)
1649 {
1650 	struct audit_context *ctx = current->audit_context;
1651 	struct audit_context *p = child->audit_context;
1652 	if (!p || !ctx)
1653 		return;
1654 	if (!ctx->in_syscall || ctx->current_state != AUDIT_RECORD_CONTEXT)
1655 		return;
1656 	p->arch = ctx->arch;
1657 	p->major = ctx->major;
1658 	memcpy(p->argv, ctx->argv, sizeof(ctx->argv));
1659 	p->ctime = ctx->ctime;
1660 	p->dummy = ctx->dummy;
1661 	p->in_syscall = ctx->in_syscall;
1662 	p->filterkey = kstrdup(ctx->filterkey, GFP_KERNEL);
1663 	p->ppid = current->pid;
1664 	p->prio = ctx->prio;
1665 	p->current_state = ctx->current_state;
1666 }
1667 
1668 /**
1669  * audit_syscall_exit - deallocate audit context after a system call
1670  * @valid: success/failure flag
1671  * @return_code: syscall return value
1672  *
1673  * Tear down after system call.  If the audit context has been marked as
1674  * auditable (either because of the AUDIT_RECORD_CONTEXT state from
1675  * filtering, or because some other part of the kernel write an audit
1676  * message), then write out the syscall information.  In call cases,
1677  * free the names stored from getname().
1678  */
audit_syscall_exit(int valid,long return_code)1679 void audit_syscall_exit(int valid, long return_code)
1680 {
1681 	struct task_struct *tsk = current;
1682 	struct audit_context *context;
1683 
1684 	context = audit_get_context(tsk, valid, return_code);
1685 
1686 	if (likely(!context))
1687 		return;
1688 
1689 	if (context->in_syscall && context->current_state == AUDIT_RECORD_CONTEXT)
1690 		audit_log_exit(context, tsk);
1691 
1692 	context->in_syscall = 0;
1693 	context->prio = context->state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0;
1694 
1695 	if (context->previous) {
1696 		struct audit_context *new_context = context->previous;
1697 		context->previous  = NULL;
1698 		audit_free_context(context);
1699 		tsk->audit_context = new_context;
1700 	} else {
1701 		audit_free_names(context);
1702 		unroll_tree_refs(context, NULL, 0);
1703 		audit_free_aux(context);
1704 		context->aux = NULL;
1705 		context->aux_pids = NULL;
1706 		context->target_pid = 0;
1707 		context->target_sid = 0;
1708 		context->sockaddr_len = 0;
1709 		context->type = 0;
1710 		context->fds[0] = -1;
1711 		if (context->state != AUDIT_RECORD_CONTEXT) {
1712 			kfree(context->filterkey);
1713 			context->filterkey = NULL;
1714 		}
1715 		tsk->audit_context = context;
1716 	}
1717 }
1718 
handle_one(const struct inode * inode)1719 static inline void handle_one(const struct inode *inode)
1720 {
1721 #ifdef CONFIG_AUDIT_TREE
1722 	struct audit_context *context;
1723 	struct audit_tree_refs *p;
1724 	struct audit_chunk *chunk;
1725 	int count;
1726 	if (likely(list_empty(&inode->inotify_watches)))
1727 		return;
1728 	context = current->audit_context;
1729 	p = context->trees;
1730 	count = context->tree_count;
1731 	rcu_read_lock();
1732 	chunk = audit_tree_lookup(inode);
1733 	rcu_read_unlock();
1734 	if (!chunk)
1735 		return;
1736 	if (likely(put_tree_ref(context, chunk)))
1737 		return;
1738 	if (unlikely(!grow_tree_refs(context))) {
1739 		printk(KERN_WARNING "out of memory, audit has lost a tree reference\n");
1740 		audit_set_auditable(context);
1741 		audit_put_chunk(chunk);
1742 		unroll_tree_refs(context, p, count);
1743 		return;
1744 	}
1745 	put_tree_ref(context, chunk);
1746 #endif
1747 }
1748 
handle_path(const struct dentry * dentry)1749 static void handle_path(const struct dentry *dentry)
1750 {
1751 #ifdef CONFIG_AUDIT_TREE
1752 	struct audit_context *context;
1753 	struct audit_tree_refs *p;
1754 	const struct dentry *d, *parent;
1755 	struct audit_chunk *drop;
1756 	unsigned long seq;
1757 	int count;
1758 
1759 	context = current->audit_context;
1760 	p = context->trees;
1761 	count = context->tree_count;
1762 retry:
1763 	drop = NULL;
1764 	d = dentry;
1765 	rcu_read_lock();
1766 	seq = read_seqbegin(&rename_lock);
1767 	for(;;) {
1768 		struct inode *inode = d->d_inode;
1769 		if (inode && unlikely(!list_empty(&inode->inotify_watches))) {
1770 			struct audit_chunk *chunk;
1771 			chunk = audit_tree_lookup(inode);
1772 			if (chunk) {
1773 				if (unlikely(!put_tree_ref(context, chunk))) {
1774 					drop = chunk;
1775 					break;
1776 				}
1777 			}
1778 		}
1779 		parent = d->d_parent;
1780 		if (parent == d)
1781 			break;
1782 		d = parent;
1783 	}
1784 	if (unlikely(read_seqretry(&rename_lock, seq) || drop)) {  /* in this order */
1785 		rcu_read_unlock();
1786 		if (!drop) {
1787 			/* just a race with rename */
1788 			unroll_tree_refs(context, p, count);
1789 			goto retry;
1790 		}
1791 		audit_put_chunk(drop);
1792 		if (grow_tree_refs(context)) {
1793 			/* OK, got more space */
1794 			unroll_tree_refs(context, p, count);
1795 			goto retry;
1796 		}
1797 		/* too bad */
1798 		printk(KERN_WARNING
1799 			"out of memory, audit has lost a tree reference\n");
1800 		unroll_tree_refs(context, p, count);
1801 		audit_set_auditable(context);
1802 		return;
1803 	}
1804 	rcu_read_unlock();
1805 #endif
1806 }
1807 
1808 /**
1809  * audit_getname - add a name to the list
1810  * @name: name to add
1811  *
1812  * Add a name to the list of audit names for this context.
1813  * Called from fs/namei.c:getname().
1814  */
__audit_getname(const char * name)1815 void __audit_getname(const char *name)
1816 {
1817 	struct audit_context *context = current->audit_context;
1818 
1819 	if (IS_ERR(name) || !name)
1820 		return;
1821 
1822 	if (!context->in_syscall) {
1823 #if AUDIT_DEBUG == 2
1824 		printk(KERN_ERR "%s:%d(:%d): ignoring getname(%p)\n",
1825 		       __FILE__, __LINE__, context->serial, name);
1826 		dump_stack();
1827 #endif
1828 		return;
1829 	}
1830 	BUG_ON(context->name_count >= AUDIT_NAMES);
1831 	context->names[context->name_count].name = name;
1832 	context->names[context->name_count].name_len = AUDIT_NAME_FULL;
1833 	context->names[context->name_count].name_put = 1;
1834 	context->names[context->name_count].ino  = (unsigned long)-1;
1835 	context->names[context->name_count].osid = 0;
1836 	++context->name_count;
1837 	if (!context->pwd.dentry) {
1838 		read_lock(&current->fs->lock);
1839 		context->pwd = current->fs->pwd;
1840 		path_get(&current->fs->pwd);
1841 		read_unlock(&current->fs->lock);
1842 	}
1843 
1844 }
1845 
1846 /* audit_putname - intercept a putname request
1847  * @name: name to intercept and delay for putname
1848  *
1849  * If we have stored the name from getname in the audit context,
1850  * then we delay the putname until syscall exit.
1851  * Called from include/linux/fs.h:putname().
1852  */
audit_putname(const char * name)1853 void audit_putname(const char *name)
1854 {
1855 	struct audit_context *context = current->audit_context;
1856 
1857 	BUG_ON(!context);
1858 	if (!context->in_syscall) {
1859 #if AUDIT_DEBUG == 2
1860 		printk(KERN_ERR "%s:%d(:%d): __putname(%p)\n",
1861 		       __FILE__, __LINE__, context->serial, name);
1862 		if (context->name_count) {
1863 			int i;
1864 			for (i = 0; i < context->name_count; i++)
1865 				printk(KERN_ERR "name[%d] = %p = %s\n", i,
1866 				       context->names[i].name,
1867 				       context->names[i].name ?: "(null)");
1868 		}
1869 #endif
1870 		__putname(name);
1871 	}
1872 #if AUDIT_DEBUG
1873 	else {
1874 		++context->put_count;
1875 		if (context->put_count > context->name_count) {
1876 			printk(KERN_ERR "%s:%d(:%d): major=%d"
1877 			       " in_syscall=%d putname(%p) name_count=%d"
1878 			       " put_count=%d\n",
1879 			       __FILE__, __LINE__,
1880 			       context->serial, context->major,
1881 			       context->in_syscall, name, context->name_count,
1882 			       context->put_count);
1883 			dump_stack();
1884 		}
1885 	}
1886 #endif
1887 }
1888 
audit_inc_name_count(struct audit_context * context,const struct inode * inode)1889 static int audit_inc_name_count(struct audit_context *context,
1890 				const struct inode *inode)
1891 {
1892 	if (context->name_count >= AUDIT_NAMES) {
1893 		if (inode)
1894 			printk(KERN_DEBUG "name_count maxed, losing inode data: "
1895 			       "dev=%02x:%02x, inode=%lu\n",
1896 			       MAJOR(inode->i_sb->s_dev),
1897 			       MINOR(inode->i_sb->s_dev),
1898 			       inode->i_ino);
1899 
1900 		else
1901 			printk(KERN_DEBUG "name_count maxed, losing inode data\n");
1902 		return 1;
1903 	}
1904 	context->name_count++;
1905 #if AUDIT_DEBUG
1906 	context->ino_count++;
1907 #endif
1908 	return 0;
1909 }
1910 
1911 
audit_copy_fcaps(struct audit_names * name,const struct dentry * dentry)1912 static inline int audit_copy_fcaps(struct audit_names *name, const struct dentry *dentry)
1913 {
1914 	struct cpu_vfs_cap_data caps;
1915 	int rc;
1916 
1917 	memset(&name->fcap.permitted, 0, sizeof(kernel_cap_t));
1918 	memset(&name->fcap.inheritable, 0, sizeof(kernel_cap_t));
1919 	name->fcap.fE = 0;
1920 	name->fcap_ver = 0;
1921 
1922 	if (!dentry)
1923 		return 0;
1924 
1925 	rc = get_vfs_caps_from_disk(dentry, &caps);
1926 	if (rc)
1927 		return rc;
1928 
1929 	name->fcap.permitted = caps.permitted;
1930 	name->fcap.inheritable = caps.inheritable;
1931 	name->fcap.fE = !!(caps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE);
1932 	name->fcap_ver = (caps.magic_etc & VFS_CAP_REVISION_MASK) >> VFS_CAP_REVISION_SHIFT;
1933 
1934 	return 0;
1935 }
1936 
1937 
1938 /* Copy inode data into an audit_names. */
audit_copy_inode(struct audit_names * name,const struct dentry * dentry,const struct inode * inode)1939 static void audit_copy_inode(struct audit_names *name, const struct dentry *dentry,
1940 			     const struct inode *inode)
1941 {
1942 	name->ino   = inode->i_ino;
1943 	name->dev   = inode->i_sb->s_dev;
1944 	name->mode  = inode->i_mode;
1945 	name->uid   = inode->i_uid;
1946 	name->gid   = inode->i_gid;
1947 	name->rdev  = inode->i_rdev;
1948 	security_inode_getsecid(inode, &name->osid);
1949 	audit_copy_fcaps(name, dentry);
1950 }
1951 
1952 /**
1953  * audit_inode - store the inode and device from a lookup
1954  * @name: name being audited
1955  * @dentry: dentry being audited
1956  *
1957  * Called from fs/namei.c:path_lookup().
1958  */
__audit_inode(const char * name,const struct dentry * dentry)1959 void __audit_inode(const char *name, const struct dentry *dentry)
1960 {
1961 	int idx;
1962 	struct audit_context *context = current->audit_context;
1963 	const struct inode *inode = dentry->d_inode;
1964 
1965 	if (!context->in_syscall)
1966 		return;
1967 	if (context->name_count
1968 	    && context->names[context->name_count-1].name
1969 	    && context->names[context->name_count-1].name == name)
1970 		idx = context->name_count - 1;
1971 	else if (context->name_count > 1
1972 		 && context->names[context->name_count-2].name
1973 		 && context->names[context->name_count-2].name == name)
1974 		idx = context->name_count - 2;
1975 	else {
1976 		/* FIXME: how much do we care about inodes that have no
1977 		 * associated name? */
1978 		if (audit_inc_name_count(context, inode))
1979 			return;
1980 		idx = context->name_count - 1;
1981 		context->names[idx].name = NULL;
1982 	}
1983 	handle_path(dentry);
1984 	audit_copy_inode(&context->names[idx], dentry, inode);
1985 }
1986 
1987 /**
1988  * audit_inode_child - collect inode info for created/removed objects
1989  * @dname: inode's dentry name
1990  * @dentry: dentry being audited
1991  * @parent: inode of dentry parent
1992  *
1993  * For syscalls that create or remove filesystem objects, audit_inode
1994  * can only collect information for the filesystem object's parent.
1995  * This call updates the audit context with the child's information.
1996  * Syscalls that create a new filesystem object must be hooked after
1997  * the object is created.  Syscalls that remove a filesystem object
1998  * must be hooked prior, in order to capture the target inode during
1999  * unsuccessful attempts.
2000  */
__audit_inode_child(const char * dname,const struct dentry * dentry,const struct inode * parent)2001 void __audit_inode_child(const char *dname, const struct dentry *dentry,
2002 			 const struct inode *parent)
2003 {
2004 	int idx;
2005 	struct audit_context *context = current->audit_context;
2006 	const char *found_parent = NULL, *found_child = NULL;
2007 	const struct inode *inode = dentry->d_inode;
2008 	int dirlen = 0;
2009 
2010 	if (!context->in_syscall)
2011 		return;
2012 
2013 	if (inode)
2014 		handle_one(inode);
2015 	/* determine matching parent */
2016 	if (!dname)
2017 		goto add_names;
2018 
2019 	/* parent is more likely, look for it first */
2020 	for (idx = 0; idx < context->name_count; idx++) {
2021 		struct audit_names *n = &context->names[idx];
2022 
2023 		if (!n->name)
2024 			continue;
2025 
2026 		if (n->ino == parent->i_ino &&
2027 		    !audit_compare_dname_path(dname, n->name, &dirlen)) {
2028 			n->name_len = dirlen; /* update parent data in place */
2029 			found_parent = n->name;
2030 			goto add_names;
2031 		}
2032 	}
2033 
2034 	/* no matching parent, look for matching child */
2035 	for (idx = 0; idx < context->name_count; idx++) {
2036 		struct audit_names *n = &context->names[idx];
2037 
2038 		if (!n->name)
2039 			continue;
2040 
2041 		/* strcmp() is the more likely scenario */
2042 		if (!strcmp(dname, n->name) ||
2043 		     !audit_compare_dname_path(dname, n->name, &dirlen)) {
2044 			if (inode)
2045 				audit_copy_inode(n, NULL, inode);
2046 			else
2047 				n->ino = (unsigned long)-1;
2048 			found_child = n->name;
2049 			goto add_names;
2050 		}
2051 	}
2052 
2053 add_names:
2054 	if (!found_parent) {
2055 		if (audit_inc_name_count(context, parent))
2056 			return;
2057 		idx = context->name_count - 1;
2058 		context->names[idx].name = NULL;
2059 		audit_copy_inode(&context->names[idx], NULL, parent);
2060 	}
2061 
2062 	if (!found_child) {
2063 		if (audit_inc_name_count(context, inode))
2064 			return;
2065 		idx = context->name_count - 1;
2066 
2067 		/* Re-use the name belonging to the slot for a matching parent
2068 		 * directory. All names for this context are relinquished in
2069 		 * audit_free_names() */
2070 		if (found_parent) {
2071 			context->names[idx].name = found_parent;
2072 			context->names[idx].name_len = AUDIT_NAME_FULL;
2073 			/* don't call __putname() */
2074 			context->names[idx].name_put = 0;
2075 		} else {
2076 			context->names[idx].name = NULL;
2077 		}
2078 
2079 		if (inode)
2080 			audit_copy_inode(&context->names[idx], NULL, inode);
2081 		else
2082 			context->names[idx].ino = (unsigned long)-1;
2083 	}
2084 }
2085 EXPORT_SYMBOL_GPL(__audit_inode_child);
2086 
2087 /**
2088  * auditsc_get_stamp - get local copies of audit_context values
2089  * @ctx: audit_context for the task
2090  * @t: timespec to store time recorded in the audit_context
2091  * @serial: serial value that is recorded in the audit_context
2092  *
2093  * Also sets the context as auditable.
2094  */
auditsc_get_stamp(struct audit_context * ctx,struct timespec * t,unsigned int * serial)2095 int auditsc_get_stamp(struct audit_context *ctx,
2096 		       struct timespec *t, unsigned int *serial)
2097 {
2098 	if (!ctx->in_syscall)
2099 		return 0;
2100 	if (!ctx->serial)
2101 		ctx->serial = audit_serial();
2102 	t->tv_sec  = ctx->ctime.tv_sec;
2103 	t->tv_nsec = ctx->ctime.tv_nsec;
2104 	*serial    = ctx->serial;
2105 	if (!ctx->prio) {
2106 		ctx->prio = 1;
2107 		ctx->current_state = AUDIT_RECORD_CONTEXT;
2108 	}
2109 	return 1;
2110 }
2111 
2112 /* global counter which is incremented every time something logs in */
2113 static atomic_t session_id = ATOMIC_INIT(0);
2114 
2115 /**
2116  * audit_set_loginuid - set a task's audit_context loginuid
2117  * @task: task whose audit context is being modified
2118  * @loginuid: loginuid value
2119  *
2120  * Returns 0.
2121  *
2122  * Called (set) from fs/proc/base.c::proc_loginuid_write().
2123  */
audit_set_loginuid(struct task_struct * task,uid_t loginuid)2124 int audit_set_loginuid(struct task_struct *task, uid_t loginuid)
2125 {
2126 	unsigned int sessionid = atomic_inc_return(&session_id);
2127 	struct audit_context *context = task->audit_context;
2128 
2129 	if (context && context->in_syscall) {
2130 		struct audit_buffer *ab;
2131 
2132 		ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN);
2133 		if (ab) {
2134 			audit_log_format(ab, "login pid=%d uid=%u "
2135 				"old auid=%u new auid=%u"
2136 				" old ses=%u new ses=%u",
2137 				task->pid, task_uid(task),
2138 				task->loginuid, loginuid,
2139 				task->sessionid, sessionid);
2140 			audit_log_end(ab);
2141 		}
2142 	}
2143 	task->sessionid = sessionid;
2144 	task->loginuid = loginuid;
2145 	return 0;
2146 }
2147 
2148 /**
2149  * __audit_mq_open - record audit data for a POSIX MQ open
2150  * @oflag: open flag
2151  * @mode: mode bits
2152  * @u_attr: queue attributes
2153  *
2154  */
__audit_mq_open(int oflag,mode_t mode,struct mq_attr * attr)2155 void __audit_mq_open(int oflag, mode_t mode, struct mq_attr *attr)
2156 {
2157 	struct audit_context *context = current->audit_context;
2158 
2159 	if (attr)
2160 		memcpy(&context->mq_open.attr, attr, sizeof(struct mq_attr));
2161 	else
2162 		memset(&context->mq_open.attr, 0, sizeof(struct mq_attr));
2163 
2164 	context->mq_open.oflag = oflag;
2165 	context->mq_open.mode = mode;
2166 
2167 	context->type = AUDIT_MQ_OPEN;
2168 }
2169 
2170 /**
2171  * __audit_mq_sendrecv - record audit data for a POSIX MQ timed send/receive
2172  * @mqdes: MQ descriptor
2173  * @msg_len: Message length
2174  * @msg_prio: Message priority
2175  * @abs_timeout: Message timeout in absolute time
2176  *
2177  */
__audit_mq_sendrecv(mqd_t mqdes,size_t msg_len,unsigned int msg_prio,const struct timespec * abs_timeout)2178 void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio,
2179 			const struct timespec *abs_timeout)
2180 {
2181 	struct audit_context *context = current->audit_context;
2182 	struct timespec *p = &context->mq_sendrecv.abs_timeout;
2183 
2184 	if (abs_timeout)
2185 		memcpy(p, abs_timeout, sizeof(struct timespec));
2186 	else
2187 		memset(p, 0, sizeof(struct timespec));
2188 
2189 	context->mq_sendrecv.mqdes = mqdes;
2190 	context->mq_sendrecv.msg_len = msg_len;
2191 	context->mq_sendrecv.msg_prio = msg_prio;
2192 
2193 	context->type = AUDIT_MQ_SENDRECV;
2194 }
2195 
2196 /**
2197  * __audit_mq_notify - record audit data for a POSIX MQ notify
2198  * @mqdes: MQ descriptor
2199  * @u_notification: Notification event
2200  *
2201  */
2202 
__audit_mq_notify(mqd_t mqdes,const struct sigevent * notification)2203 void __audit_mq_notify(mqd_t mqdes, const struct sigevent *notification)
2204 {
2205 	struct audit_context *context = current->audit_context;
2206 
2207 	if (notification)
2208 		context->mq_notify.sigev_signo = notification->sigev_signo;
2209 	else
2210 		context->mq_notify.sigev_signo = 0;
2211 
2212 	context->mq_notify.mqdes = mqdes;
2213 	context->type = AUDIT_MQ_NOTIFY;
2214 }
2215 
2216 /**
2217  * __audit_mq_getsetattr - record audit data for a POSIX MQ get/set attribute
2218  * @mqdes: MQ descriptor
2219  * @mqstat: MQ flags
2220  *
2221  */
__audit_mq_getsetattr(mqd_t mqdes,struct mq_attr * mqstat)2222 void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat)
2223 {
2224 	struct audit_context *context = current->audit_context;
2225 	context->mq_getsetattr.mqdes = mqdes;
2226 	context->mq_getsetattr.mqstat = *mqstat;
2227 	context->type = AUDIT_MQ_GETSETATTR;
2228 }
2229 
2230 /**
2231  * audit_ipc_obj - record audit data for ipc object
2232  * @ipcp: ipc permissions
2233  *
2234  */
__audit_ipc_obj(struct kern_ipc_perm * ipcp)2235 void __audit_ipc_obj(struct kern_ipc_perm *ipcp)
2236 {
2237 	struct audit_context *context = current->audit_context;
2238 	context->ipc.uid = ipcp->uid;
2239 	context->ipc.gid = ipcp->gid;
2240 	context->ipc.mode = ipcp->mode;
2241 	context->ipc.has_perm = 0;
2242 	security_ipc_getsecid(ipcp, &context->ipc.osid);
2243 	context->type = AUDIT_IPC;
2244 }
2245 
2246 /**
2247  * audit_ipc_set_perm - record audit data for new ipc permissions
2248  * @qbytes: msgq bytes
2249  * @uid: msgq user id
2250  * @gid: msgq group id
2251  * @mode: msgq mode (permissions)
2252  *
2253  * Called only after audit_ipc_obj().
2254  */
__audit_ipc_set_perm(unsigned long qbytes,uid_t uid,gid_t gid,mode_t mode)2255 void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode)
2256 {
2257 	struct audit_context *context = current->audit_context;
2258 
2259 	context->ipc.qbytes = qbytes;
2260 	context->ipc.perm_uid = uid;
2261 	context->ipc.perm_gid = gid;
2262 	context->ipc.perm_mode = mode;
2263 	context->ipc.has_perm = 1;
2264 }
2265 
audit_bprm(struct linux_binprm * bprm)2266 int audit_bprm(struct linux_binprm *bprm)
2267 {
2268 	struct audit_aux_data_execve *ax;
2269 	struct audit_context *context = current->audit_context;
2270 
2271 	if (likely(!audit_enabled || !context || context->dummy))
2272 		return 0;
2273 
2274 	ax = kmalloc(sizeof(*ax), GFP_KERNEL);
2275 	if (!ax)
2276 		return -ENOMEM;
2277 
2278 	ax->argc = bprm->argc;
2279 	ax->envc = bprm->envc;
2280 	ax->mm = bprm->mm;
2281 	ax->d.type = AUDIT_EXECVE;
2282 	ax->d.next = context->aux;
2283 	context->aux = (void *)ax;
2284 	return 0;
2285 }
2286 
2287 
2288 /**
2289  * audit_socketcall - record audit data for sys_socketcall
2290  * @nargs: number of args
2291  * @args: args array
2292  *
2293  */
audit_socketcall(int nargs,unsigned long * args)2294 void audit_socketcall(int nargs, unsigned long *args)
2295 {
2296 	struct audit_context *context = current->audit_context;
2297 
2298 	if (likely(!context || context->dummy))
2299 		return;
2300 
2301 	context->type = AUDIT_SOCKETCALL;
2302 	context->socketcall.nargs = nargs;
2303 	memcpy(context->socketcall.args, args, nargs * sizeof(unsigned long));
2304 }
2305 
2306 /**
2307  * __audit_fd_pair - record audit data for pipe and socketpair
2308  * @fd1: the first file descriptor
2309  * @fd2: the second file descriptor
2310  *
2311  */
__audit_fd_pair(int fd1,int fd2)2312 void __audit_fd_pair(int fd1, int fd2)
2313 {
2314 	struct audit_context *context = current->audit_context;
2315 	context->fds[0] = fd1;
2316 	context->fds[1] = fd2;
2317 }
2318 
2319 /**
2320  * audit_sockaddr - record audit data for sys_bind, sys_connect, sys_sendto
2321  * @len: data length in user space
2322  * @a: data address in kernel space
2323  *
2324  * Returns 0 for success or NULL context or < 0 on error.
2325  */
audit_sockaddr(int len,void * a)2326 int audit_sockaddr(int len, void *a)
2327 {
2328 	struct audit_context *context = current->audit_context;
2329 
2330 	if (likely(!context || context->dummy))
2331 		return 0;
2332 
2333 	if (!context->sockaddr) {
2334 		void *p = kmalloc(sizeof(struct sockaddr_storage), GFP_KERNEL);
2335 		if (!p)
2336 			return -ENOMEM;
2337 		context->sockaddr = p;
2338 	}
2339 
2340 	context->sockaddr_len = len;
2341 	memcpy(context->sockaddr, a, len);
2342 	return 0;
2343 }
2344 
__audit_ptrace(struct task_struct * t)2345 void __audit_ptrace(struct task_struct *t)
2346 {
2347 	struct audit_context *context = current->audit_context;
2348 
2349 	context->target_pid = t->pid;
2350 	context->target_auid = audit_get_loginuid(t);
2351 	context->target_uid = task_uid(t);
2352 	context->target_sessionid = audit_get_sessionid(t);
2353 	security_task_getsecid(t, &context->target_sid);
2354 	memcpy(context->target_comm, t->comm, TASK_COMM_LEN);
2355 }
2356 
2357 /**
2358  * audit_signal_info - record signal info for shutting down audit subsystem
2359  * @sig: signal value
2360  * @t: task being signaled
2361  *
2362  * If the audit subsystem is being terminated, record the task (pid)
2363  * and uid that is doing that.
2364  */
__audit_signal_info(int sig,struct task_struct * t)2365 int __audit_signal_info(int sig, struct task_struct *t)
2366 {
2367 	struct audit_aux_data_pids *axp;
2368 	struct task_struct *tsk = current;
2369 	struct audit_context *ctx = tsk->audit_context;
2370 	uid_t uid = current_uid(), t_uid = task_uid(t);
2371 
2372 	if (audit_pid && t->tgid == audit_pid) {
2373 		if (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1 || sig == SIGUSR2) {
2374 			audit_sig_pid = tsk->pid;
2375 			if (tsk->loginuid != -1)
2376 				audit_sig_uid = tsk->loginuid;
2377 			else
2378 				audit_sig_uid = uid;
2379 			security_task_getsecid(tsk, &audit_sig_sid);
2380 		}
2381 		if (!audit_signals || audit_dummy_context())
2382 			return 0;
2383 	}
2384 
2385 	/* optimize the common case by putting first signal recipient directly
2386 	 * in audit_context */
2387 	if (!ctx->target_pid) {
2388 		ctx->target_pid = t->tgid;
2389 		ctx->target_auid = audit_get_loginuid(t);
2390 		ctx->target_uid = t_uid;
2391 		ctx->target_sessionid = audit_get_sessionid(t);
2392 		security_task_getsecid(t, &ctx->target_sid);
2393 		memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN);
2394 		return 0;
2395 	}
2396 
2397 	axp = (void *)ctx->aux_pids;
2398 	if (!axp || axp->pid_count == AUDIT_AUX_PIDS) {
2399 		axp = kzalloc(sizeof(*axp), GFP_ATOMIC);
2400 		if (!axp)
2401 			return -ENOMEM;
2402 
2403 		axp->d.type = AUDIT_OBJ_PID;
2404 		axp->d.next = ctx->aux_pids;
2405 		ctx->aux_pids = (void *)axp;
2406 	}
2407 	BUG_ON(axp->pid_count >= AUDIT_AUX_PIDS);
2408 
2409 	axp->target_pid[axp->pid_count] = t->tgid;
2410 	axp->target_auid[axp->pid_count] = audit_get_loginuid(t);
2411 	axp->target_uid[axp->pid_count] = t_uid;
2412 	axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t);
2413 	security_task_getsecid(t, &axp->target_sid[axp->pid_count]);
2414 	memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN);
2415 	axp->pid_count++;
2416 
2417 	return 0;
2418 }
2419 
2420 /**
2421  * __audit_log_bprm_fcaps - store information about a loading bprm and relevant fcaps
2422  * @bprm: pointer to the bprm being processed
2423  * @new: the proposed new credentials
2424  * @old: the old credentials
2425  *
2426  * Simply check if the proc already has the caps given by the file and if not
2427  * store the priv escalation info for later auditing at the end of the syscall
2428  *
2429  * -Eric
2430  */
__audit_log_bprm_fcaps(struct linux_binprm * bprm,const struct cred * new,const struct cred * old)2431 int __audit_log_bprm_fcaps(struct linux_binprm *bprm,
2432 			   const struct cred *new, const struct cred *old)
2433 {
2434 	struct audit_aux_data_bprm_fcaps *ax;
2435 	struct audit_context *context = current->audit_context;
2436 	struct cpu_vfs_cap_data vcaps;
2437 	struct dentry *dentry;
2438 
2439 	ax = kmalloc(sizeof(*ax), GFP_KERNEL);
2440 	if (!ax)
2441 		return -ENOMEM;
2442 
2443 	ax->d.type = AUDIT_BPRM_FCAPS;
2444 	ax->d.next = context->aux;
2445 	context->aux = (void *)ax;
2446 
2447 	dentry = dget(bprm->file->f_dentry);
2448 	get_vfs_caps_from_disk(dentry, &vcaps);
2449 	dput(dentry);
2450 
2451 	ax->fcap.permitted = vcaps.permitted;
2452 	ax->fcap.inheritable = vcaps.inheritable;
2453 	ax->fcap.fE = !!(vcaps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE);
2454 	ax->fcap_ver = (vcaps.magic_etc & VFS_CAP_REVISION_MASK) >> VFS_CAP_REVISION_SHIFT;
2455 
2456 	ax->old_pcap.permitted   = old->cap_permitted;
2457 	ax->old_pcap.inheritable = old->cap_inheritable;
2458 	ax->old_pcap.effective   = old->cap_effective;
2459 
2460 	ax->new_pcap.permitted   = new->cap_permitted;
2461 	ax->new_pcap.inheritable = new->cap_inheritable;
2462 	ax->new_pcap.effective   = new->cap_effective;
2463 	return 0;
2464 }
2465 
2466 /**
2467  * __audit_log_capset - store information about the arguments to the capset syscall
2468  * @pid: target pid of the capset call
2469  * @new: the new credentials
2470  * @old: the old (current) credentials
2471  *
2472  * Record the aguments userspace sent to sys_capset for later printing by the
2473  * audit system if applicable
2474  */
__audit_log_capset(pid_t pid,const struct cred * new,const struct cred * old)2475 void __audit_log_capset(pid_t pid,
2476 		       const struct cred *new, const struct cred *old)
2477 {
2478 	struct audit_context *context = current->audit_context;
2479 	context->capset.pid = pid;
2480 	context->capset.cap.effective   = new->cap_effective;
2481 	context->capset.cap.inheritable = new->cap_effective;
2482 	context->capset.cap.permitted   = new->cap_permitted;
2483 	context->type = AUDIT_CAPSET;
2484 }
2485 
2486 /**
2487  * audit_core_dumps - record information about processes that end abnormally
2488  * @signr: signal value
2489  *
2490  * If a process ends with a core dump, something fishy is going on and we
2491  * should record the event for investigation.
2492  */
audit_core_dumps(long signr)2493 void audit_core_dumps(long signr)
2494 {
2495 	struct audit_buffer *ab;
2496 	u32 sid;
2497 	uid_t auid = audit_get_loginuid(current), uid;
2498 	gid_t gid;
2499 	unsigned int sessionid = audit_get_sessionid(current);
2500 
2501 	if (!audit_enabled)
2502 		return;
2503 
2504 	if (signr == SIGQUIT)	/* don't care for those */
2505 		return;
2506 
2507 	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
2508 	current_uid_gid(&uid, &gid);
2509 	audit_log_format(ab, "auid=%u uid=%u gid=%u ses=%u",
2510 			 auid, uid, gid, sessionid);
2511 	security_task_getsecid(current, &sid);
2512 	if (sid) {
2513 		char *ctx = NULL;
2514 		u32 len;
2515 
2516 		if (security_secid_to_secctx(sid, &ctx, &len))
2517 			audit_log_format(ab, " ssid=%u", sid);
2518 		else {
2519 			audit_log_format(ab, " subj=%s", ctx);
2520 			security_release_secctx(ctx, len);
2521 		}
2522 	}
2523 	audit_log_format(ab, " pid=%d comm=", current->pid);
2524 	audit_log_untrustedstring(ab, current->comm);
2525 	audit_log_format(ab, " sig=%ld", signr);
2526 	audit_log_end(ab);
2527 }
2528