1 /* auditsc.c -- System-call auditing support
2 * Handles all system-call specific auditing features.
3 *
4 * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina.
5 * Copyright 2005 Hewlett-Packard Development Company, L.P.
6 * Copyright (C) 2005, 2006 IBM Corporation
7 * All Rights Reserved.
8 *
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, write to the Free Software
21 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
22 *
23 * Written by Rickard E. (Rik) Faith <faith@redhat.com>
24 *
25 * Many of the ideas implemented here are from Stephen C. Tweedie,
26 * especially the idea of avoiding a copy by using getname.
27 *
28 * The method for actual interception of syscall entry and exit (not in
29 * this file -- see entry.S) is based on a GPL'd patch written by
30 * okir@suse.de and Copyright 2003 SuSE Linux AG.
31 *
32 * POSIX message queue support added by George Wilson <ltcgcw@us.ibm.com>,
33 * 2006.
34 *
35 * The support of additional filter rules compares (>, <, >=, <=) was
36 * added by Dustin Kirkland <dustin.kirkland@us.ibm.com>, 2005.
37 *
38 * Modified by Amy Griffis <amy.griffis@hp.com> to collect additional
39 * filesystem information.
40 *
41 * Subject and object context labeling support added by <danjones@us.ibm.com>
42 * and <dustin.kirkland@us.ibm.com> for LSPP certification compliance.
43 */
44
45 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
46
47 #include <linux/init.h>
48 #include <asm/types.h>
49 #include <linux/atomic.h>
50 #include <linux/fs.h>
51 #include <linux/namei.h>
52 #include <linux/mm.h>
53 #include <linux/export.h>
54 #include <linux/slab.h>
55 #include <linux/mount.h>
56 #include <linux/socket.h>
57 #include <linux/mqueue.h>
58 #include <linux/audit.h>
59 #include <linux/personality.h>
60 #include <linux/time.h>
61 #include <linux/netlink.h>
62 #include <linux/compiler.h>
63 #include <asm/unistd.h>
64 #include <linux/security.h>
65 #include <linux/list.h>
66 #include <linux/tty.h>
67 #include <linux/binfmts.h>
68 #include <linux/highmem.h>
69 #include <linux/syscalls.h>
70 #include <asm/syscall.h>
71 #include <linux/capability.h>
72 #include <linux/fs_struct.h>
73 #include <linux/compat.h>
74 #include <linux/ctype.h>
75 #include <linux/uaccess.h>
76 #include <linux/string.h>
77 #include <linux/uaccess.h>
78 #include <uapi/linux/limits.h>
79
80 #include "audit.h"
81
82 /* flags stating the success for a syscall */
83 #define AUDITSC_INVALID 0
84 #define AUDITSC_SUCCESS 1
85 #define AUDITSC_FAILURE 2
86
87 /* no execve audit message should be longer than this (userspace limits),
88 * see the note near the top of audit_log_execve_info() about this value */
89 #define MAX_EXECVE_AUDIT_LEN 7500
90
91 /* max length to print of cmdline/proctitle value during audit */
92 #define MAX_PROCTITLE_AUDIT_LEN 128
93
94 /* number of audit rules */
95 int audit_n_rules;
96
97 /* determines whether we collect data for signals sent */
98 int audit_signals;
99
100 struct audit_aux_data {
101 struct audit_aux_data *next;
102 int type;
103 };
104
105 #define AUDIT_AUX_IPCPERM 0
106
107 /* Number of target pids per aux struct. */
108 #define AUDIT_AUX_PIDS 16
109
110 struct audit_aux_data_pids {
111 struct audit_aux_data d;
112 pid_t target_pid[AUDIT_AUX_PIDS];
113 kuid_t target_auid[AUDIT_AUX_PIDS];
114 kuid_t target_uid[AUDIT_AUX_PIDS];
115 unsigned int target_sessionid[AUDIT_AUX_PIDS];
116 u32 target_sid[AUDIT_AUX_PIDS];
117 char target_comm[AUDIT_AUX_PIDS][TASK_COMM_LEN];
118 int pid_count;
119 };
120
121 struct audit_aux_data_bprm_fcaps {
122 struct audit_aux_data d;
123 struct audit_cap_data fcap;
124 unsigned int fcap_ver;
125 struct audit_cap_data old_pcap;
126 struct audit_cap_data new_pcap;
127 };
128
129 struct audit_tree_refs {
130 struct audit_tree_refs *next;
131 struct audit_chunk *c[31];
132 };
133
audit_match_perm(struct audit_context * ctx,int mask)134 static int audit_match_perm(struct audit_context *ctx, int mask)
135 {
136 unsigned n;
137 if (unlikely(!ctx))
138 return 0;
139 n = ctx->major;
140
141 switch (audit_classify_syscall(ctx->arch, n)) {
142 case 0: /* native */
143 if ((mask & AUDIT_PERM_WRITE) &&
144 audit_match_class(AUDIT_CLASS_WRITE, n))
145 return 1;
146 if ((mask & AUDIT_PERM_READ) &&
147 audit_match_class(AUDIT_CLASS_READ, n))
148 return 1;
149 if ((mask & AUDIT_PERM_ATTR) &&
150 audit_match_class(AUDIT_CLASS_CHATTR, n))
151 return 1;
152 return 0;
153 case 1: /* 32bit on biarch */
154 if ((mask & AUDIT_PERM_WRITE) &&
155 audit_match_class(AUDIT_CLASS_WRITE_32, n))
156 return 1;
157 if ((mask & AUDIT_PERM_READ) &&
158 audit_match_class(AUDIT_CLASS_READ_32, n))
159 return 1;
160 if ((mask & AUDIT_PERM_ATTR) &&
161 audit_match_class(AUDIT_CLASS_CHATTR_32, n))
162 return 1;
163 return 0;
164 case 2: /* open */
165 return mask & ACC_MODE(ctx->argv[1]);
166 case 3: /* openat */
167 return mask & ACC_MODE(ctx->argv[2]);
168 case 4: /* socketcall */
169 return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND);
170 case 5: /* execve */
171 return mask & AUDIT_PERM_EXEC;
172 default:
173 return 0;
174 }
175 }
176
audit_match_filetype(struct audit_context * ctx,int val)177 static int audit_match_filetype(struct audit_context *ctx, int val)
178 {
179 struct audit_names *n;
180 umode_t mode = (umode_t)val;
181
182 if (unlikely(!ctx))
183 return 0;
184
185 list_for_each_entry(n, &ctx->names_list, list) {
186 if ((n->ino != -1) &&
187 ((n->mode & S_IFMT) == mode))
188 return 1;
189 }
190
191 return 0;
192 }
193
194 /*
195 * We keep a linked list of fixed-sized (31 pointer) arrays of audit_chunk *;
196 * ->first_trees points to its beginning, ->trees - to the current end of data.
197 * ->tree_count is the number of free entries in array pointed to by ->trees.
198 * Original condition is (NULL, NULL, 0); as soon as it grows we never revert to NULL,
199 * "empty" becomes (p, p, 31) afterwards. We don't shrink the list (and seriously,
200 * it's going to remain 1-element for almost any setup) until we free context itself.
201 * References in it _are_ dropped - at the same time we free/drop aux stuff.
202 */
203
204 #ifdef CONFIG_AUDIT_TREE
audit_set_auditable(struct audit_context * ctx)205 static void audit_set_auditable(struct audit_context *ctx)
206 {
207 if (!ctx->prio) {
208 ctx->prio = 1;
209 ctx->current_state = AUDIT_RECORD_CONTEXT;
210 }
211 }
212
put_tree_ref(struct audit_context * ctx,struct audit_chunk * chunk)213 static int put_tree_ref(struct audit_context *ctx, struct audit_chunk *chunk)
214 {
215 struct audit_tree_refs *p = ctx->trees;
216 int left = ctx->tree_count;
217 if (likely(left)) {
218 p->c[--left] = chunk;
219 ctx->tree_count = left;
220 return 1;
221 }
222 if (!p)
223 return 0;
224 p = p->next;
225 if (p) {
226 p->c[30] = chunk;
227 ctx->trees = p;
228 ctx->tree_count = 30;
229 return 1;
230 }
231 return 0;
232 }
233
grow_tree_refs(struct audit_context * ctx)234 static int grow_tree_refs(struct audit_context *ctx)
235 {
236 struct audit_tree_refs *p = ctx->trees;
237 ctx->trees = kzalloc(sizeof(struct audit_tree_refs), GFP_KERNEL);
238 if (!ctx->trees) {
239 ctx->trees = p;
240 return 0;
241 }
242 if (p)
243 p->next = ctx->trees;
244 else
245 ctx->first_trees = ctx->trees;
246 ctx->tree_count = 31;
247 return 1;
248 }
249 #endif
250
unroll_tree_refs(struct audit_context * ctx,struct audit_tree_refs * p,int count)251 static void unroll_tree_refs(struct audit_context *ctx,
252 struct audit_tree_refs *p, int count)
253 {
254 #ifdef CONFIG_AUDIT_TREE
255 struct audit_tree_refs *q;
256 int n;
257 if (!p) {
258 /* we started with empty chain */
259 p = ctx->first_trees;
260 count = 31;
261 /* if the very first allocation has failed, nothing to do */
262 if (!p)
263 return;
264 }
265 n = count;
266 for (q = p; q != ctx->trees; q = q->next, n = 31) {
267 while (n--) {
268 audit_put_chunk(q->c[n]);
269 q->c[n] = NULL;
270 }
271 }
272 while (n-- > ctx->tree_count) {
273 audit_put_chunk(q->c[n]);
274 q->c[n] = NULL;
275 }
276 ctx->trees = p;
277 ctx->tree_count = count;
278 #endif
279 }
280
free_tree_refs(struct audit_context * ctx)281 static void free_tree_refs(struct audit_context *ctx)
282 {
283 struct audit_tree_refs *p, *q;
284 for (p = ctx->first_trees; p; p = q) {
285 q = p->next;
286 kfree(p);
287 }
288 }
289
match_tree_refs(struct audit_context * ctx,struct audit_tree * tree)290 static int match_tree_refs(struct audit_context *ctx, struct audit_tree *tree)
291 {
292 #ifdef CONFIG_AUDIT_TREE
293 struct audit_tree_refs *p;
294 int n;
295 if (!tree)
296 return 0;
297 /* full ones */
298 for (p = ctx->first_trees; p != ctx->trees; p = p->next) {
299 for (n = 0; n < 31; n++)
300 if (audit_tree_match(p->c[n], tree))
301 return 1;
302 }
303 /* partial */
304 if (p) {
305 for (n = ctx->tree_count; n < 31; n++)
306 if (audit_tree_match(p->c[n], tree))
307 return 1;
308 }
309 #endif
310 return 0;
311 }
312
audit_compare_uid(kuid_t uid,struct audit_names * name,struct audit_field * f,struct audit_context * ctx)313 static int audit_compare_uid(kuid_t uid,
314 struct audit_names *name,
315 struct audit_field *f,
316 struct audit_context *ctx)
317 {
318 struct audit_names *n;
319 int rc;
320
321 if (name) {
322 rc = audit_uid_comparator(uid, f->op, name->uid);
323 if (rc)
324 return rc;
325 }
326
327 if (ctx) {
328 list_for_each_entry(n, &ctx->names_list, list) {
329 rc = audit_uid_comparator(uid, f->op, n->uid);
330 if (rc)
331 return rc;
332 }
333 }
334 return 0;
335 }
336
audit_compare_gid(kgid_t gid,struct audit_names * name,struct audit_field * f,struct audit_context * ctx)337 static int audit_compare_gid(kgid_t gid,
338 struct audit_names *name,
339 struct audit_field *f,
340 struct audit_context *ctx)
341 {
342 struct audit_names *n;
343 int rc;
344
345 if (name) {
346 rc = audit_gid_comparator(gid, f->op, name->gid);
347 if (rc)
348 return rc;
349 }
350
351 if (ctx) {
352 list_for_each_entry(n, &ctx->names_list, list) {
353 rc = audit_gid_comparator(gid, f->op, n->gid);
354 if (rc)
355 return rc;
356 }
357 }
358 return 0;
359 }
360
audit_field_compare(struct task_struct * tsk,const struct cred * cred,struct audit_field * f,struct audit_context * ctx,struct audit_names * name)361 static int audit_field_compare(struct task_struct *tsk,
362 const struct cred *cred,
363 struct audit_field *f,
364 struct audit_context *ctx,
365 struct audit_names *name)
366 {
367 switch (f->val) {
368 /* process to file object comparisons */
369 case AUDIT_COMPARE_UID_TO_OBJ_UID:
370 return audit_compare_uid(cred->uid, name, f, ctx);
371 case AUDIT_COMPARE_GID_TO_OBJ_GID:
372 return audit_compare_gid(cred->gid, name, f, ctx);
373 case AUDIT_COMPARE_EUID_TO_OBJ_UID:
374 return audit_compare_uid(cred->euid, name, f, ctx);
375 case AUDIT_COMPARE_EGID_TO_OBJ_GID:
376 return audit_compare_gid(cred->egid, name, f, ctx);
377 case AUDIT_COMPARE_AUID_TO_OBJ_UID:
378 return audit_compare_uid(tsk->loginuid, name, f, ctx);
379 case AUDIT_COMPARE_SUID_TO_OBJ_UID:
380 return audit_compare_uid(cred->suid, name, f, ctx);
381 case AUDIT_COMPARE_SGID_TO_OBJ_GID:
382 return audit_compare_gid(cred->sgid, name, f, ctx);
383 case AUDIT_COMPARE_FSUID_TO_OBJ_UID:
384 return audit_compare_uid(cred->fsuid, name, f, ctx);
385 case AUDIT_COMPARE_FSGID_TO_OBJ_GID:
386 return audit_compare_gid(cred->fsgid, name, f, ctx);
387 /* uid comparisons */
388 case AUDIT_COMPARE_UID_TO_AUID:
389 return audit_uid_comparator(cred->uid, f->op, tsk->loginuid);
390 case AUDIT_COMPARE_UID_TO_EUID:
391 return audit_uid_comparator(cred->uid, f->op, cred->euid);
392 case AUDIT_COMPARE_UID_TO_SUID:
393 return audit_uid_comparator(cred->uid, f->op, cred->suid);
394 case AUDIT_COMPARE_UID_TO_FSUID:
395 return audit_uid_comparator(cred->uid, f->op, cred->fsuid);
396 /* auid comparisons */
397 case AUDIT_COMPARE_AUID_TO_EUID:
398 return audit_uid_comparator(tsk->loginuid, f->op, cred->euid);
399 case AUDIT_COMPARE_AUID_TO_SUID:
400 return audit_uid_comparator(tsk->loginuid, f->op, cred->suid);
401 case AUDIT_COMPARE_AUID_TO_FSUID:
402 return audit_uid_comparator(tsk->loginuid, f->op, cred->fsuid);
403 /* euid comparisons */
404 case AUDIT_COMPARE_EUID_TO_SUID:
405 return audit_uid_comparator(cred->euid, f->op, cred->suid);
406 case AUDIT_COMPARE_EUID_TO_FSUID:
407 return audit_uid_comparator(cred->euid, f->op, cred->fsuid);
408 /* suid comparisons */
409 case AUDIT_COMPARE_SUID_TO_FSUID:
410 return audit_uid_comparator(cred->suid, f->op, cred->fsuid);
411 /* gid comparisons */
412 case AUDIT_COMPARE_GID_TO_EGID:
413 return audit_gid_comparator(cred->gid, f->op, cred->egid);
414 case AUDIT_COMPARE_GID_TO_SGID:
415 return audit_gid_comparator(cred->gid, f->op, cred->sgid);
416 case AUDIT_COMPARE_GID_TO_FSGID:
417 return audit_gid_comparator(cred->gid, f->op, cred->fsgid);
418 /* egid comparisons */
419 case AUDIT_COMPARE_EGID_TO_SGID:
420 return audit_gid_comparator(cred->egid, f->op, cred->sgid);
421 case AUDIT_COMPARE_EGID_TO_FSGID:
422 return audit_gid_comparator(cred->egid, f->op, cred->fsgid);
423 /* sgid comparison */
424 case AUDIT_COMPARE_SGID_TO_FSGID:
425 return audit_gid_comparator(cred->sgid, f->op, cred->fsgid);
426 default:
427 WARN(1, "Missing AUDIT_COMPARE define. Report as a bug\n");
428 return 0;
429 }
430 return 0;
431 }
432
433 /* Determine if any context name data matches a rule's watch data */
434 /* Compare a task_struct with an audit_rule. Return 1 on match, 0
435 * otherwise.
436 *
437 * If task_creation is true, this is an explicit indication that we are
438 * filtering a task rule at task creation time. This and tsk == current are
439 * the only situations where tsk->cred may be accessed without an rcu read lock.
440 */
audit_filter_rules(struct task_struct * tsk,struct audit_krule * rule,struct audit_context * ctx,struct audit_names * name,enum audit_state * state,bool task_creation)441 static int audit_filter_rules(struct task_struct *tsk,
442 struct audit_krule *rule,
443 struct audit_context *ctx,
444 struct audit_names *name,
445 enum audit_state *state,
446 bool task_creation)
447 {
448 const struct cred *cred;
449 int i, need_sid = 1;
450 u32 sid;
451
452 cred = rcu_dereference_check(tsk->cred, tsk == current || task_creation);
453
454 for (i = 0; i < rule->field_count; i++) {
455 struct audit_field *f = &rule->fields[i];
456 struct audit_names *n;
457 int result = 0;
458 pid_t pid;
459
460 switch (f->type) {
461 case AUDIT_PID:
462 pid = task_tgid_nr(tsk);
463 result = audit_comparator(pid, f->op, f->val);
464 break;
465 case AUDIT_PPID:
466 if (ctx) {
467 if (!ctx->ppid)
468 ctx->ppid = task_ppid_nr(tsk);
469 result = audit_comparator(ctx->ppid, f->op, f->val);
470 }
471 break;
472 case AUDIT_UID:
473 result = audit_uid_comparator(cred->uid, f->op, f->uid);
474 break;
475 case AUDIT_EUID:
476 result = audit_uid_comparator(cred->euid, f->op, f->uid);
477 break;
478 case AUDIT_SUID:
479 result = audit_uid_comparator(cred->suid, f->op, f->uid);
480 break;
481 case AUDIT_FSUID:
482 result = audit_uid_comparator(cred->fsuid, f->op, f->uid);
483 break;
484 case AUDIT_GID:
485 result = audit_gid_comparator(cred->gid, f->op, f->gid);
486 if (f->op == Audit_equal) {
487 if (!result)
488 result = in_group_p(f->gid);
489 } else if (f->op == Audit_not_equal) {
490 if (result)
491 result = !in_group_p(f->gid);
492 }
493 break;
494 case AUDIT_EGID:
495 result = audit_gid_comparator(cred->egid, f->op, f->gid);
496 if (f->op == Audit_equal) {
497 if (!result)
498 result = in_egroup_p(f->gid);
499 } else if (f->op == Audit_not_equal) {
500 if (result)
501 result = !in_egroup_p(f->gid);
502 }
503 break;
504 case AUDIT_SGID:
505 result = audit_gid_comparator(cred->sgid, f->op, f->gid);
506 break;
507 case AUDIT_FSGID:
508 result = audit_gid_comparator(cred->fsgid, f->op, f->gid);
509 break;
510 case AUDIT_PERS:
511 result = audit_comparator(tsk->personality, f->op, f->val);
512 break;
513 case AUDIT_ARCH:
514 if (ctx)
515 result = audit_comparator(ctx->arch, f->op, f->val);
516 break;
517
518 case AUDIT_EXIT:
519 if (ctx && ctx->return_valid)
520 result = audit_comparator(ctx->return_code, f->op, f->val);
521 break;
522 case AUDIT_SUCCESS:
523 if (ctx && ctx->return_valid) {
524 if (f->val)
525 result = audit_comparator(ctx->return_valid, f->op, AUDITSC_SUCCESS);
526 else
527 result = audit_comparator(ctx->return_valid, f->op, AUDITSC_FAILURE);
528 }
529 break;
530 case AUDIT_DEVMAJOR:
531 if (name) {
532 if (audit_comparator(MAJOR(name->dev), f->op, f->val) ||
533 audit_comparator(MAJOR(name->rdev), f->op, f->val))
534 ++result;
535 } else if (ctx) {
536 list_for_each_entry(n, &ctx->names_list, list) {
537 if (audit_comparator(MAJOR(n->dev), f->op, f->val) ||
538 audit_comparator(MAJOR(n->rdev), f->op, f->val)) {
539 ++result;
540 break;
541 }
542 }
543 }
544 break;
545 case AUDIT_DEVMINOR:
546 if (name) {
547 if (audit_comparator(MINOR(name->dev), f->op, f->val) ||
548 audit_comparator(MINOR(name->rdev), f->op, f->val))
549 ++result;
550 } else if (ctx) {
551 list_for_each_entry(n, &ctx->names_list, list) {
552 if (audit_comparator(MINOR(n->dev), f->op, f->val) ||
553 audit_comparator(MINOR(n->rdev), f->op, f->val)) {
554 ++result;
555 break;
556 }
557 }
558 }
559 break;
560 case AUDIT_INODE:
561 if (name)
562 result = audit_comparator(name->ino, f->op, f->val);
563 else if (ctx) {
564 list_for_each_entry(n, &ctx->names_list, list) {
565 if (audit_comparator(n->ino, f->op, f->val)) {
566 ++result;
567 break;
568 }
569 }
570 }
571 break;
572 case AUDIT_OBJ_UID:
573 if (name) {
574 result = audit_uid_comparator(name->uid, f->op, f->uid);
575 } else if (ctx) {
576 list_for_each_entry(n, &ctx->names_list, list) {
577 if (audit_uid_comparator(n->uid, f->op, f->uid)) {
578 ++result;
579 break;
580 }
581 }
582 }
583 break;
584 case AUDIT_OBJ_GID:
585 if (name) {
586 result = audit_gid_comparator(name->gid, f->op, f->gid);
587 } else if (ctx) {
588 list_for_each_entry(n, &ctx->names_list, list) {
589 if (audit_gid_comparator(n->gid, f->op, f->gid)) {
590 ++result;
591 break;
592 }
593 }
594 }
595 break;
596 case AUDIT_WATCH:
597 if (name)
598 result = audit_watch_compare(rule->watch, name->ino, name->dev);
599 break;
600 case AUDIT_DIR:
601 if (ctx)
602 result = match_tree_refs(ctx, rule->tree);
603 break;
604 case AUDIT_LOGINUID:
605 result = 0;
606 if (ctx)
607 result = audit_uid_comparator(tsk->loginuid, f->op, f->uid);
608 break;
609 case AUDIT_LOGINUID_SET:
610 result = audit_comparator(audit_loginuid_set(tsk), f->op, f->val);
611 break;
612 case AUDIT_SUBJ_USER:
613 case AUDIT_SUBJ_ROLE:
614 case AUDIT_SUBJ_TYPE:
615 case AUDIT_SUBJ_SEN:
616 case AUDIT_SUBJ_CLR:
617 /* NOTE: this may return negative values indicating
618 a temporary error. We simply treat this as a
619 match for now to avoid losing information that
620 may be wanted. An error message will also be
621 logged upon error */
622 if (f->lsm_rule) {
623 if (need_sid) {
624 security_task_getsecid(tsk, &sid);
625 need_sid = 0;
626 }
627 result = security_audit_rule_match(sid, f->type,
628 f->op,
629 f->lsm_rule,
630 ctx);
631 }
632 break;
633 case AUDIT_OBJ_USER:
634 case AUDIT_OBJ_ROLE:
635 case AUDIT_OBJ_TYPE:
636 case AUDIT_OBJ_LEV_LOW:
637 case AUDIT_OBJ_LEV_HIGH:
638 /* The above note for AUDIT_SUBJ_USER...AUDIT_SUBJ_CLR
639 also applies here */
640 if (f->lsm_rule) {
641 /* Find files that match */
642 if (name) {
643 result = security_audit_rule_match(
644 name->osid, f->type, f->op,
645 f->lsm_rule, ctx);
646 } else if (ctx) {
647 list_for_each_entry(n, &ctx->names_list, list) {
648 if (security_audit_rule_match(n->osid, f->type,
649 f->op, f->lsm_rule,
650 ctx)) {
651 ++result;
652 break;
653 }
654 }
655 }
656 /* Find ipc objects that match */
657 if (!ctx || ctx->type != AUDIT_IPC)
658 break;
659 if (security_audit_rule_match(ctx->ipc.osid,
660 f->type, f->op,
661 f->lsm_rule, ctx))
662 ++result;
663 }
664 break;
665 case AUDIT_ARG0:
666 case AUDIT_ARG1:
667 case AUDIT_ARG2:
668 case AUDIT_ARG3:
669 if (ctx)
670 result = audit_comparator(ctx->argv[f->type-AUDIT_ARG0], f->op, f->val);
671 break;
672 case AUDIT_FILTERKEY:
673 /* ignore this field for filtering */
674 result = 1;
675 break;
676 case AUDIT_PERM:
677 result = audit_match_perm(ctx, f->val);
678 break;
679 case AUDIT_FILETYPE:
680 result = audit_match_filetype(ctx, f->val);
681 break;
682 case AUDIT_FIELD_COMPARE:
683 result = audit_field_compare(tsk, cred, f, ctx, name);
684 break;
685 }
686 if (!result)
687 return 0;
688 }
689
690 if (ctx) {
691 if (rule->prio <= ctx->prio)
692 return 0;
693 if (rule->filterkey) {
694 kfree(ctx->filterkey);
695 ctx->filterkey = kstrdup(rule->filterkey, GFP_ATOMIC);
696 }
697 ctx->prio = rule->prio;
698 }
699 switch (rule->action) {
700 case AUDIT_NEVER: *state = AUDIT_DISABLED; break;
701 case AUDIT_ALWAYS: *state = AUDIT_RECORD_CONTEXT; break;
702 }
703 return 1;
704 }
705
706 /* At process creation time, we can determine if system-call auditing is
707 * completely disabled for this task. Since we only have the task
708 * structure at this point, we can only check uid and gid.
709 */
audit_filter_task(struct task_struct * tsk,char ** key)710 static enum audit_state audit_filter_task(struct task_struct *tsk, char **key)
711 {
712 struct audit_entry *e;
713 enum audit_state state;
714
715 rcu_read_lock();
716 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TASK], list) {
717 if (audit_filter_rules(tsk, &e->rule, NULL, NULL,
718 &state, true)) {
719 if (state == AUDIT_RECORD_CONTEXT)
720 *key = kstrdup(e->rule.filterkey, GFP_ATOMIC);
721 rcu_read_unlock();
722 return state;
723 }
724 }
725 rcu_read_unlock();
726 return AUDIT_BUILD_CONTEXT;
727 }
728
audit_in_mask(const struct audit_krule * rule,unsigned long val)729 static int audit_in_mask(const struct audit_krule *rule, unsigned long val)
730 {
731 int word, bit;
732
733 if (val > 0xffffffff)
734 return false;
735
736 word = AUDIT_WORD(val);
737 if (word >= AUDIT_BITMASK_SIZE)
738 return false;
739
740 bit = AUDIT_BIT(val);
741
742 return rule->mask[word] & bit;
743 }
744
745 /* At syscall entry and exit time, this filter is called if the
746 * audit_state is not low enough that auditing cannot take place, but is
747 * also not high enough that we already know we have to write an audit
748 * record (i.e., the state is AUDIT_SETUP_CONTEXT or AUDIT_BUILD_CONTEXT).
749 */
audit_filter_syscall(struct task_struct * tsk,struct audit_context * ctx,struct list_head * list)750 static enum audit_state audit_filter_syscall(struct task_struct *tsk,
751 struct audit_context *ctx,
752 struct list_head *list)
753 {
754 struct audit_entry *e;
755 enum audit_state state;
756
757 if (audit_pid && tsk->tgid == audit_pid)
758 return AUDIT_DISABLED;
759
760 rcu_read_lock();
761 if (!list_empty(list)) {
762 list_for_each_entry_rcu(e, list, list) {
763 if (audit_in_mask(&e->rule, ctx->major) &&
764 audit_filter_rules(tsk, &e->rule, ctx, NULL,
765 &state, false)) {
766 rcu_read_unlock();
767 ctx->current_state = state;
768 return state;
769 }
770 }
771 }
772 rcu_read_unlock();
773 return AUDIT_BUILD_CONTEXT;
774 }
775
776 /*
777 * Given an audit_name check the inode hash table to see if they match.
778 * Called holding the rcu read lock to protect the use of audit_inode_hash
779 */
audit_filter_inode_name(struct task_struct * tsk,struct audit_names * n,struct audit_context * ctx)780 static int audit_filter_inode_name(struct task_struct *tsk,
781 struct audit_names *n,
782 struct audit_context *ctx) {
783 int h = audit_hash_ino((u32)n->ino);
784 struct list_head *list = &audit_inode_hash[h];
785 struct audit_entry *e;
786 enum audit_state state;
787
788 if (list_empty(list))
789 return 0;
790
791 list_for_each_entry_rcu(e, list, list) {
792 if (audit_in_mask(&e->rule, ctx->major) &&
793 audit_filter_rules(tsk, &e->rule, ctx, n, &state, false)) {
794 ctx->current_state = state;
795 return 1;
796 }
797 }
798
799 return 0;
800 }
801
802 /* At syscall exit time, this filter is called if any audit_names have been
803 * collected during syscall processing. We only check rules in sublists at hash
804 * buckets applicable to the inode numbers in audit_names.
805 * Regarding audit_state, same rules apply as for audit_filter_syscall().
806 */
audit_filter_inodes(struct task_struct * tsk,struct audit_context * ctx)807 void audit_filter_inodes(struct task_struct *tsk, struct audit_context *ctx)
808 {
809 struct audit_names *n;
810
811 if (audit_pid && tsk->tgid == audit_pid)
812 return;
813
814 rcu_read_lock();
815
816 list_for_each_entry(n, &ctx->names_list, list) {
817 if (audit_filter_inode_name(tsk, n, ctx))
818 break;
819 }
820 rcu_read_unlock();
821 }
822
823 /* Transfer the audit context pointer to the caller, clearing it in the tsk's struct */
audit_take_context(struct task_struct * tsk,int return_valid,long return_code)824 static inline struct audit_context *audit_take_context(struct task_struct *tsk,
825 int return_valid,
826 long return_code)
827 {
828 struct audit_context *context = tsk->audit_context;
829
830 if (!context)
831 return NULL;
832 context->return_valid = return_valid;
833
834 /*
835 * we need to fix up the return code in the audit logs if the actual
836 * return codes are later going to be fixed up by the arch specific
837 * signal handlers
838 *
839 * This is actually a test for:
840 * (rc == ERESTARTSYS ) || (rc == ERESTARTNOINTR) ||
841 * (rc == ERESTARTNOHAND) || (rc == ERESTART_RESTARTBLOCK)
842 *
843 * but is faster than a bunch of ||
844 */
845 if (unlikely(return_code <= -ERESTARTSYS) &&
846 (return_code >= -ERESTART_RESTARTBLOCK) &&
847 (return_code != -ENOIOCTLCMD))
848 context->return_code = -EINTR;
849 else
850 context->return_code = return_code;
851
852 if (context->in_syscall && !context->dummy) {
853 audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_EXIT]);
854 audit_filter_inodes(tsk, context);
855 }
856
857 tsk->audit_context = NULL;
858 return context;
859 }
860
audit_proctitle_free(struct audit_context * context)861 static inline void audit_proctitle_free(struct audit_context *context)
862 {
863 kfree(context->proctitle.value);
864 context->proctitle.value = NULL;
865 context->proctitle.len = 0;
866 }
867
audit_free_names(struct audit_context * context)868 static inline void audit_free_names(struct audit_context *context)
869 {
870 struct audit_names *n, *next;
871
872 #if AUDIT_DEBUG == 2
873 if (context->put_count + context->ino_count != context->name_count) {
874 int i = 0;
875
876 pr_err("%s:%d(:%d): major=%d in_syscall=%d"
877 " name_count=%d put_count=%d ino_count=%d"
878 " [NOT freeing]\n", __FILE__, __LINE__,
879 context->serial, context->major, context->in_syscall,
880 context->name_count, context->put_count,
881 context->ino_count);
882 list_for_each_entry(n, &context->names_list, list) {
883 pr_err("names[%d] = %p = %s\n", i++, n->name,
884 n->name->name ?: "(null)");
885 }
886 dump_stack();
887 return;
888 }
889 #endif
890 #if AUDIT_DEBUG
891 context->put_count = 0;
892 context->ino_count = 0;
893 #endif
894
895 list_for_each_entry_safe(n, next, &context->names_list, list) {
896 list_del(&n->list);
897 if (n->name && n->name_put)
898 final_putname(n->name);
899 if (n->should_free)
900 kfree(n);
901 }
902 context->name_count = 0;
903 path_put(&context->pwd);
904 context->pwd.dentry = NULL;
905 context->pwd.mnt = NULL;
906 }
907
audit_free_aux(struct audit_context * context)908 static inline void audit_free_aux(struct audit_context *context)
909 {
910 struct audit_aux_data *aux;
911
912 while ((aux = context->aux)) {
913 context->aux = aux->next;
914 kfree(aux);
915 }
916 while ((aux = context->aux_pids)) {
917 context->aux_pids = aux->next;
918 kfree(aux);
919 }
920 }
921
audit_alloc_context(enum audit_state state)922 static inline struct audit_context *audit_alloc_context(enum audit_state state)
923 {
924 struct audit_context *context;
925
926 context = kzalloc(sizeof(*context), GFP_KERNEL);
927 if (!context)
928 return NULL;
929 context->state = state;
930 context->prio = state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0;
931 INIT_LIST_HEAD(&context->killed_trees);
932 INIT_LIST_HEAD(&context->names_list);
933 return context;
934 }
935
936 /**
937 * audit_alloc - allocate an audit context block for a task
938 * @tsk: task
939 *
940 * Filter on the task information and allocate a per-task audit context
941 * if necessary. Doing so turns on system call auditing for the
942 * specified task. This is called from copy_process, so no lock is
943 * needed.
944 */
audit_alloc(struct task_struct * tsk)945 int audit_alloc(struct task_struct *tsk)
946 {
947 struct audit_context *context;
948 enum audit_state state;
949 char *key = NULL;
950
951 if (likely(!audit_ever_enabled))
952 return 0; /* Return if not auditing. */
953
954 state = audit_filter_task(tsk, &key);
955 if (state == AUDIT_DISABLED) {
956 clear_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT);
957 return 0;
958 }
959
960 if (!(context = audit_alloc_context(state))) {
961 kfree(key);
962 audit_log_lost("out of memory in audit_alloc");
963 return -ENOMEM;
964 }
965 context->filterkey = key;
966
967 tsk->audit_context = context;
968 set_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT);
969 return 0;
970 }
971
audit_free_context(struct audit_context * context)972 static inline void audit_free_context(struct audit_context *context)
973 {
974 audit_free_names(context);
975 unroll_tree_refs(context, NULL, 0);
976 free_tree_refs(context);
977 audit_free_aux(context);
978 kfree(context->filterkey);
979 kfree(context->sockaddr);
980 audit_proctitle_free(context);
981 kfree(context);
982 }
983
audit_log_pid_context(struct audit_context * context,pid_t pid,kuid_t auid,kuid_t uid,unsigned int sessionid,u32 sid,char * comm)984 static int audit_log_pid_context(struct audit_context *context, pid_t pid,
985 kuid_t auid, kuid_t uid, unsigned int sessionid,
986 u32 sid, char *comm)
987 {
988 struct audit_buffer *ab;
989 char *ctx = NULL;
990 u32 len;
991 int rc = 0;
992
993 ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID);
994 if (!ab)
995 return rc;
996
997 audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid,
998 from_kuid(&init_user_ns, auid),
999 from_kuid(&init_user_ns, uid), sessionid);
1000 if (sid) {
1001 if (security_secid_to_secctx(sid, &ctx, &len)) {
1002 audit_log_format(ab, " obj=(none)");
1003 rc = 1;
1004 } else {
1005 audit_log_format(ab, " obj=%s", ctx);
1006 security_release_secctx(ctx, len);
1007 }
1008 }
1009 audit_log_format(ab, " ocomm=");
1010 audit_log_untrustedstring(ab, comm);
1011 audit_log_end(ab);
1012
1013 return rc;
1014 }
1015
audit_log_execve_info(struct audit_context * context,struct audit_buffer ** ab)1016 static void audit_log_execve_info(struct audit_context *context,
1017 struct audit_buffer **ab)
1018 {
1019 long len_max;
1020 long len_rem;
1021 long len_full;
1022 long len_buf;
1023 long len_abuf;
1024 long len_tmp;
1025 bool require_data;
1026 bool encode;
1027 unsigned int iter;
1028 unsigned int arg;
1029 char *buf_head;
1030 char *buf;
1031 const char __user *p = (const char __user *)current->mm->arg_start;
1032
1033 /* NOTE: this buffer needs to be large enough to hold all the non-arg
1034 * data we put in the audit record for this argument (see the
1035 * code below) ... at this point in time 96 is plenty */
1036 char abuf[96];
1037
1038 /* NOTE: we set MAX_EXECVE_AUDIT_LEN to a rather arbitrary limit, the
1039 * current value of 7500 is not as important as the fact that it
1040 * is less than 8k, a setting of 7500 gives us plenty of wiggle
1041 * room if we go over a little bit in the logging below */
1042 WARN_ON_ONCE(MAX_EXECVE_AUDIT_LEN > 7500);
1043 len_max = MAX_EXECVE_AUDIT_LEN;
1044
1045 /* scratch buffer to hold the userspace args */
1046 buf_head = kmalloc(MAX_EXECVE_AUDIT_LEN + 1, GFP_KERNEL);
1047 if (!buf_head) {
1048 audit_panic("out of memory for argv string");
1049 return;
1050 }
1051 buf = buf_head;
1052
1053 audit_log_format(*ab, "argc=%d", context->execve.argc);
1054
1055 len_rem = len_max;
1056 len_buf = 0;
1057 len_full = 0;
1058 require_data = true;
1059 encode = false;
1060 iter = 0;
1061 arg = 0;
1062 do {
1063 /* NOTE: we don't ever want to trust this value for anything
1064 * serious, but the audit record format insists we
1065 * provide an argument length for really long arguments,
1066 * e.g. > MAX_EXECVE_AUDIT_LEN, so we have no choice but
1067 * to use strncpy_from_user() to obtain this value for
1068 * recording in the log, although we don't use it
1069 * anywhere here to avoid a double-fetch problem */
1070 if (len_full == 0)
1071 len_full = strnlen_user(p, MAX_ARG_STRLEN) - 1;
1072
1073 /* read more data from userspace */
1074 if (require_data) {
1075 /* can we make more room in the buffer? */
1076 if (buf != buf_head) {
1077 memmove(buf_head, buf, len_buf);
1078 buf = buf_head;
1079 }
1080
1081 /* fetch as much as we can of the argument */
1082 len_tmp = strncpy_from_user(&buf_head[len_buf], p,
1083 len_max - len_buf);
1084 if (len_tmp == -EFAULT) {
1085 /* unable to copy from userspace */
1086 send_sig(SIGKILL, current, 0);
1087 goto out;
1088 } else if (len_tmp == (len_max - len_buf)) {
1089 /* buffer is not large enough */
1090 require_data = true;
1091 /* NOTE: if we are going to span multiple
1092 * buffers force the encoding so we stand
1093 * a chance at a sane len_full value and
1094 * consistent record encoding */
1095 encode = true;
1096 len_full = len_full * 2;
1097 p += len_tmp;
1098 } else {
1099 require_data = false;
1100 if (!encode)
1101 encode = audit_string_contains_control(
1102 buf, len_tmp);
1103 /* try to use a trusted value for len_full */
1104 if (len_full < len_max)
1105 len_full = (encode ?
1106 len_tmp * 2 : len_tmp);
1107 p += len_tmp + 1;
1108 }
1109 len_buf += len_tmp;
1110 buf_head[len_buf] = '\0';
1111
1112 /* length of the buffer in the audit record? */
1113 len_abuf = (encode ? len_buf * 2 : len_buf + 2);
1114 }
1115
1116 /* write as much as we can to the audit log */
1117 if (len_buf > 0) {
1118 /* NOTE: some magic numbers here - basically if we
1119 * can't fit a reasonable amount of data into the
1120 * existing audit buffer, flush it and start with
1121 * a new buffer */
1122 if ((sizeof(abuf) + 8) > len_rem) {
1123 len_rem = len_max;
1124 audit_log_end(*ab);
1125 *ab = audit_log_start(context,
1126 GFP_KERNEL, AUDIT_EXECVE);
1127 if (!*ab)
1128 goto out;
1129 }
1130
1131 /* create the non-arg portion of the arg record */
1132 len_tmp = 0;
1133 if (require_data || (iter > 0) ||
1134 ((len_abuf + sizeof(abuf)) > len_rem)) {
1135 if (iter == 0) {
1136 len_tmp += snprintf(&abuf[len_tmp],
1137 sizeof(abuf) - len_tmp,
1138 " a%d_len=%lu",
1139 arg, len_full);
1140 }
1141 len_tmp += snprintf(&abuf[len_tmp],
1142 sizeof(abuf) - len_tmp,
1143 " a%d[%d]=", arg, iter++);
1144 } else
1145 len_tmp += snprintf(&abuf[len_tmp],
1146 sizeof(abuf) - len_tmp,
1147 " a%d=", arg);
1148 WARN_ON(len_tmp >= sizeof(abuf));
1149 abuf[sizeof(abuf) - 1] = '\0';
1150
1151 /* log the arg in the audit record */
1152 audit_log_format(*ab, "%s", abuf);
1153 len_rem -= len_tmp;
1154 len_tmp = len_buf;
1155 if (encode) {
1156 if (len_abuf > len_rem)
1157 len_tmp = len_rem / 2; /* encoding */
1158 audit_log_n_hex(*ab, buf, len_tmp);
1159 len_rem -= len_tmp * 2;
1160 len_abuf -= len_tmp * 2;
1161 } else {
1162 if (len_abuf > len_rem)
1163 len_tmp = len_rem - 2; /* quotes */
1164 audit_log_n_string(*ab, buf, len_tmp);
1165 len_rem -= len_tmp + 2;
1166 /* don't subtract the "2" because we still need
1167 * to add quotes to the remaining string */
1168 len_abuf -= len_tmp;
1169 }
1170 len_buf -= len_tmp;
1171 buf += len_tmp;
1172 }
1173
1174 /* ready to move to the next argument? */
1175 if ((len_buf == 0) && !require_data) {
1176 arg++;
1177 iter = 0;
1178 len_full = 0;
1179 require_data = true;
1180 encode = false;
1181 }
1182 } while (arg < context->execve.argc);
1183
1184 /* NOTE: the caller handles the final audit_log_end() call */
1185
1186 out:
1187 kfree(buf_head);
1188 }
1189
show_special(struct audit_context * context,int * call_panic)1190 static void show_special(struct audit_context *context, int *call_panic)
1191 {
1192 struct audit_buffer *ab;
1193 int i;
1194
1195 ab = audit_log_start(context, GFP_KERNEL, context->type);
1196 if (!ab)
1197 return;
1198
1199 switch (context->type) {
1200 case AUDIT_SOCKETCALL: {
1201 int nargs = context->socketcall.nargs;
1202 audit_log_format(ab, "nargs=%d", nargs);
1203 for (i = 0; i < nargs; i++)
1204 audit_log_format(ab, " a%d=%lx", i,
1205 context->socketcall.args[i]);
1206 break; }
1207 case AUDIT_IPC: {
1208 u32 osid = context->ipc.osid;
1209
1210 audit_log_format(ab, "ouid=%u ogid=%u mode=%#ho",
1211 from_kuid(&init_user_ns, context->ipc.uid),
1212 from_kgid(&init_user_ns, context->ipc.gid),
1213 context->ipc.mode);
1214 if (osid) {
1215 char *ctx = NULL;
1216 u32 len;
1217 if (security_secid_to_secctx(osid, &ctx, &len)) {
1218 audit_log_format(ab, " osid=%u", osid);
1219 *call_panic = 1;
1220 } else {
1221 audit_log_format(ab, " obj=%s", ctx);
1222 security_release_secctx(ctx, len);
1223 }
1224 }
1225 if (context->ipc.has_perm) {
1226 audit_log_end(ab);
1227 ab = audit_log_start(context, GFP_KERNEL,
1228 AUDIT_IPC_SET_PERM);
1229 if (unlikely(!ab))
1230 return;
1231 audit_log_format(ab,
1232 "qbytes=%lx ouid=%u ogid=%u mode=%#ho",
1233 context->ipc.qbytes,
1234 context->ipc.perm_uid,
1235 context->ipc.perm_gid,
1236 context->ipc.perm_mode);
1237 }
1238 break; }
1239 case AUDIT_MQ_OPEN: {
1240 audit_log_format(ab,
1241 "oflag=0x%x mode=%#ho mq_flags=0x%lx mq_maxmsg=%ld "
1242 "mq_msgsize=%ld mq_curmsgs=%ld",
1243 context->mq_open.oflag, context->mq_open.mode,
1244 context->mq_open.attr.mq_flags,
1245 context->mq_open.attr.mq_maxmsg,
1246 context->mq_open.attr.mq_msgsize,
1247 context->mq_open.attr.mq_curmsgs);
1248 break; }
1249 case AUDIT_MQ_SENDRECV: {
1250 audit_log_format(ab,
1251 "mqdes=%d msg_len=%zd msg_prio=%u "
1252 "abs_timeout_sec=%ld abs_timeout_nsec=%ld",
1253 context->mq_sendrecv.mqdes,
1254 context->mq_sendrecv.msg_len,
1255 context->mq_sendrecv.msg_prio,
1256 context->mq_sendrecv.abs_timeout.tv_sec,
1257 context->mq_sendrecv.abs_timeout.tv_nsec);
1258 break; }
1259 case AUDIT_MQ_NOTIFY: {
1260 audit_log_format(ab, "mqdes=%d sigev_signo=%d",
1261 context->mq_notify.mqdes,
1262 context->mq_notify.sigev_signo);
1263 break; }
1264 case AUDIT_MQ_GETSETATTR: {
1265 struct mq_attr *attr = &context->mq_getsetattr.mqstat;
1266 audit_log_format(ab,
1267 "mqdes=%d mq_flags=0x%lx mq_maxmsg=%ld mq_msgsize=%ld "
1268 "mq_curmsgs=%ld ",
1269 context->mq_getsetattr.mqdes,
1270 attr->mq_flags, attr->mq_maxmsg,
1271 attr->mq_msgsize, attr->mq_curmsgs);
1272 break; }
1273 case AUDIT_CAPSET: {
1274 audit_log_format(ab, "pid=%d", context->capset.pid);
1275 audit_log_cap(ab, "cap_pi", &context->capset.cap.inheritable);
1276 audit_log_cap(ab, "cap_pp", &context->capset.cap.permitted);
1277 audit_log_cap(ab, "cap_pe", &context->capset.cap.effective);
1278 break; }
1279 case AUDIT_MMAP: {
1280 audit_log_format(ab, "fd=%d flags=0x%x", context->mmap.fd,
1281 context->mmap.flags);
1282 break; }
1283 case AUDIT_EXECVE: {
1284 audit_log_execve_info(context, &ab);
1285 break; }
1286 }
1287 audit_log_end(ab);
1288 }
1289
audit_proctitle_rtrim(char * proctitle,int len)1290 static inline int audit_proctitle_rtrim(char *proctitle, int len)
1291 {
1292 char *end = proctitle + len - 1;
1293 while (end > proctitle && !isprint(*end))
1294 end--;
1295
1296 /* catch the case where proctitle is only 1 non-print character */
1297 len = end - proctitle + 1;
1298 len -= isprint(proctitle[len-1]) == 0;
1299 return len;
1300 }
1301
audit_log_proctitle(struct task_struct * tsk,struct audit_context * context)1302 static void audit_log_proctitle(struct task_struct *tsk,
1303 struct audit_context *context)
1304 {
1305 int res;
1306 char *buf;
1307 char *msg = "(null)";
1308 int len = strlen(msg);
1309 struct audit_buffer *ab;
1310
1311 ab = audit_log_start(context, GFP_KERNEL, AUDIT_PROCTITLE);
1312 if (!ab)
1313 return; /* audit_panic or being filtered */
1314
1315 audit_log_format(ab, "proctitle=");
1316
1317 /* Not cached */
1318 if (!context->proctitle.value) {
1319 buf = kmalloc(MAX_PROCTITLE_AUDIT_LEN, GFP_KERNEL);
1320 if (!buf)
1321 goto out;
1322 /* Historically called this from procfs naming */
1323 res = get_cmdline(tsk, buf, MAX_PROCTITLE_AUDIT_LEN);
1324 if (res == 0) {
1325 kfree(buf);
1326 goto out;
1327 }
1328 res = audit_proctitle_rtrim(buf, res);
1329 if (res == 0) {
1330 kfree(buf);
1331 goto out;
1332 }
1333 context->proctitle.value = buf;
1334 context->proctitle.len = res;
1335 }
1336 msg = context->proctitle.value;
1337 len = context->proctitle.len;
1338 out:
1339 audit_log_n_untrustedstring(ab, msg, len);
1340 audit_log_end(ab);
1341 }
1342
audit_log_exit(struct audit_context * context,struct task_struct * tsk)1343 static void audit_log_exit(struct audit_context *context, struct task_struct *tsk)
1344 {
1345 int i, call_panic = 0;
1346 struct audit_buffer *ab;
1347 struct audit_aux_data *aux;
1348 struct audit_names *n;
1349
1350 /* tsk == current */
1351 context->personality = tsk->personality;
1352
1353 ab = audit_log_start(context, GFP_KERNEL, AUDIT_SYSCALL);
1354 if (!ab)
1355 return; /* audit_panic has been called */
1356 audit_log_format(ab, "arch=%x syscall=%d",
1357 context->arch, context->major);
1358 if (context->personality != PER_LINUX)
1359 audit_log_format(ab, " per=%lx", context->personality);
1360 if (context->return_valid)
1361 audit_log_format(ab, " success=%s exit=%ld",
1362 (context->return_valid==AUDITSC_SUCCESS)?"yes":"no",
1363 context->return_code);
1364
1365 audit_log_format(ab,
1366 " a0=%lx a1=%lx a2=%lx a3=%lx items=%d",
1367 context->argv[0],
1368 context->argv[1],
1369 context->argv[2],
1370 context->argv[3],
1371 context->name_count);
1372
1373 audit_log_task_info(ab, tsk);
1374 audit_log_key(ab, context->filterkey);
1375 audit_log_end(ab);
1376
1377 for (aux = context->aux; aux; aux = aux->next) {
1378
1379 ab = audit_log_start(context, GFP_KERNEL, aux->type);
1380 if (!ab)
1381 continue; /* audit_panic has been called */
1382
1383 switch (aux->type) {
1384
1385 case AUDIT_BPRM_FCAPS: {
1386 struct audit_aux_data_bprm_fcaps *axs = (void *)aux;
1387 audit_log_format(ab, "fver=%x", axs->fcap_ver);
1388 audit_log_cap(ab, "fp", &axs->fcap.permitted);
1389 audit_log_cap(ab, "fi", &axs->fcap.inheritable);
1390 audit_log_format(ab, " fe=%d", axs->fcap.fE);
1391 audit_log_cap(ab, "old_pp", &axs->old_pcap.permitted);
1392 audit_log_cap(ab, "old_pi", &axs->old_pcap.inheritable);
1393 audit_log_cap(ab, "old_pe", &axs->old_pcap.effective);
1394 audit_log_cap(ab, "new_pp", &axs->new_pcap.permitted);
1395 audit_log_cap(ab, "new_pi", &axs->new_pcap.inheritable);
1396 audit_log_cap(ab, "new_pe", &axs->new_pcap.effective);
1397 break; }
1398
1399 }
1400 audit_log_end(ab);
1401 }
1402
1403 if (context->type)
1404 show_special(context, &call_panic);
1405
1406 if (context->fds[0] >= 0) {
1407 ab = audit_log_start(context, GFP_KERNEL, AUDIT_FD_PAIR);
1408 if (ab) {
1409 audit_log_format(ab, "fd0=%d fd1=%d",
1410 context->fds[0], context->fds[1]);
1411 audit_log_end(ab);
1412 }
1413 }
1414
1415 if (context->sockaddr_len) {
1416 ab = audit_log_start(context, GFP_KERNEL, AUDIT_SOCKADDR);
1417 if (ab) {
1418 audit_log_format(ab, "saddr=");
1419 audit_log_n_hex(ab, (void *)context->sockaddr,
1420 context->sockaddr_len);
1421 audit_log_end(ab);
1422 }
1423 }
1424
1425 for (aux = context->aux_pids; aux; aux = aux->next) {
1426 struct audit_aux_data_pids *axs = (void *)aux;
1427
1428 for (i = 0; i < axs->pid_count; i++)
1429 if (audit_log_pid_context(context, axs->target_pid[i],
1430 axs->target_auid[i],
1431 axs->target_uid[i],
1432 axs->target_sessionid[i],
1433 axs->target_sid[i],
1434 axs->target_comm[i]))
1435 call_panic = 1;
1436 }
1437
1438 if (context->target_pid &&
1439 audit_log_pid_context(context, context->target_pid,
1440 context->target_auid, context->target_uid,
1441 context->target_sessionid,
1442 context->target_sid, context->target_comm))
1443 call_panic = 1;
1444
1445 if (context->pwd.dentry && context->pwd.mnt) {
1446 ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD);
1447 if (ab) {
1448 audit_log_d_path(ab, " cwd=", &context->pwd);
1449 audit_log_end(ab);
1450 }
1451 }
1452
1453 i = 0;
1454 list_for_each_entry(n, &context->names_list, list) {
1455 if (n->hidden)
1456 continue;
1457 audit_log_name(context, n, NULL, i++, &call_panic);
1458 }
1459
1460 audit_log_proctitle(tsk, context);
1461
1462 /* Send end of event record to help user space know we are finished */
1463 ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE);
1464 if (ab)
1465 audit_log_end(ab);
1466 if (call_panic)
1467 audit_panic("error converting sid to string");
1468 }
1469
1470 /**
1471 * audit_free - free a per-task audit context
1472 * @tsk: task whose audit context block to free
1473 *
1474 * Called from copy_process and do_exit
1475 */
__audit_free(struct task_struct * tsk)1476 void __audit_free(struct task_struct *tsk)
1477 {
1478 struct audit_context *context;
1479
1480 context = audit_take_context(tsk, 0, 0);
1481 if (!context)
1482 return;
1483
1484 /* Check for system calls that do not go through the exit
1485 * function (e.g., exit_group), then free context block.
1486 * We use GFP_ATOMIC here because we might be doing this
1487 * in the context of the idle thread */
1488 /* that can happen only if we are called from do_exit() */
1489 if (context->in_syscall && context->current_state == AUDIT_RECORD_CONTEXT)
1490 audit_log_exit(context, tsk);
1491 if (!list_empty(&context->killed_trees))
1492 audit_kill_trees(&context->killed_trees);
1493
1494 audit_free_context(context);
1495 }
1496
1497 /**
1498 * audit_syscall_entry - fill in an audit record at syscall entry
1499 * @major: major syscall type (function)
1500 * @a1: additional syscall register 1
1501 * @a2: additional syscall register 2
1502 * @a3: additional syscall register 3
1503 * @a4: additional syscall register 4
1504 *
1505 * Fill in audit context at syscall entry. This only happens if the
1506 * audit context was created when the task was created and the state or
1507 * filters demand the audit context be built. If the state from the
1508 * per-task filter or from the per-syscall filter is AUDIT_RECORD_CONTEXT,
1509 * then the record will be written at syscall exit time (otherwise, it
1510 * will only be written if another part of the kernel requests that it
1511 * be written).
1512 */
__audit_syscall_entry(int major,unsigned long a1,unsigned long a2,unsigned long a3,unsigned long a4)1513 void __audit_syscall_entry(int major, unsigned long a1, unsigned long a2,
1514 unsigned long a3, unsigned long a4)
1515 {
1516 struct task_struct *tsk = current;
1517 struct audit_context *context = tsk->audit_context;
1518 enum audit_state state;
1519
1520 if (!context)
1521 return;
1522
1523 BUG_ON(context->in_syscall || context->name_count);
1524
1525 if (!audit_enabled)
1526 return;
1527
1528 context->arch = syscall_get_arch();
1529 context->major = major;
1530 context->argv[0] = a1;
1531 context->argv[1] = a2;
1532 context->argv[2] = a3;
1533 context->argv[3] = a4;
1534
1535 state = context->state;
1536 context->dummy = !audit_n_rules;
1537 if (!context->dummy && state == AUDIT_BUILD_CONTEXT) {
1538 context->prio = 0;
1539 state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_ENTRY]);
1540 }
1541 if (state == AUDIT_DISABLED)
1542 return;
1543
1544 context->serial = 0;
1545 context->ctime = CURRENT_TIME;
1546 context->in_syscall = 1;
1547 context->current_state = state;
1548 context->ppid = 0;
1549 }
1550
1551 /**
1552 * audit_syscall_exit - deallocate audit context after a system call
1553 * @success: success value of the syscall
1554 * @return_code: return value of the syscall
1555 *
1556 * Tear down after system call. If the audit context has been marked as
1557 * auditable (either because of the AUDIT_RECORD_CONTEXT state from
1558 * filtering, or because some other part of the kernel wrote an audit
1559 * message), then write out the syscall information. In call cases,
1560 * free the names stored from getname().
1561 */
__audit_syscall_exit(int success,long return_code)1562 void __audit_syscall_exit(int success, long return_code)
1563 {
1564 struct task_struct *tsk = current;
1565 struct audit_context *context;
1566
1567 if (success)
1568 success = AUDITSC_SUCCESS;
1569 else
1570 success = AUDITSC_FAILURE;
1571
1572 context = audit_take_context(tsk, success, return_code);
1573 if (!context)
1574 return;
1575
1576 if (context->in_syscall && context->current_state == AUDIT_RECORD_CONTEXT)
1577 audit_log_exit(context, tsk);
1578
1579 context->in_syscall = 0;
1580 context->prio = context->state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0;
1581
1582 if (!list_empty(&context->killed_trees))
1583 audit_kill_trees(&context->killed_trees);
1584
1585 audit_free_names(context);
1586 unroll_tree_refs(context, NULL, 0);
1587 audit_free_aux(context);
1588 context->aux = NULL;
1589 context->aux_pids = NULL;
1590 context->target_pid = 0;
1591 context->target_sid = 0;
1592 context->sockaddr_len = 0;
1593 context->type = 0;
1594 context->fds[0] = -1;
1595 if (context->state != AUDIT_RECORD_CONTEXT) {
1596 kfree(context->filterkey);
1597 context->filterkey = NULL;
1598 }
1599 tsk->audit_context = context;
1600 }
1601
handle_one(const struct inode * inode)1602 static inline void handle_one(const struct inode *inode)
1603 {
1604 #ifdef CONFIG_AUDIT_TREE
1605 struct audit_context *context;
1606 struct audit_tree_refs *p;
1607 struct audit_chunk *chunk;
1608 int count;
1609 if (likely(hlist_empty(&inode->i_fsnotify_marks)))
1610 return;
1611 context = current->audit_context;
1612 p = context->trees;
1613 count = context->tree_count;
1614 rcu_read_lock();
1615 chunk = audit_tree_lookup(inode);
1616 rcu_read_unlock();
1617 if (!chunk)
1618 return;
1619 if (likely(put_tree_ref(context, chunk)))
1620 return;
1621 if (unlikely(!grow_tree_refs(context))) {
1622 pr_warn("out of memory, audit has lost a tree reference\n");
1623 audit_set_auditable(context);
1624 audit_put_chunk(chunk);
1625 unroll_tree_refs(context, p, count);
1626 return;
1627 }
1628 put_tree_ref(context, chunk);
1629 #endif
1630 }
1631
handle_path(const struct dentry * dentry)1632 static void handle_path(const struct dentry *dentry)
1633 {
1634 #ifdef CONFIG_AUDIT_TREE
1635 struct audit_context *context;
1636 struct audit_tree_refs *p;
1637 const struct dentry *d, *parent;
1638 struct audit_chunk *drop;
1639 unsigned long seq;
1640 int count;
1641
1642 context = current->audit_context;
1643 p = context->trees;
1644 count = context->tree_count;
1645 retry:
1646 drop = NULL;
1647 d = dentry;
1648 rcu_read_lock();
1649 seq = read_seqbegin(&rename_lock);
1650 for(;;) {
1651 struct inode *inode = d->d_inode;
1652 if (inode && unlikely(!hlist_empty(&inode->i_fsnotify_marks))) {
1653 struct audit_chunk *chunk;
1654 chunk = audit_tree_lookup(inode);
1655 if (chunk) {
1656 if (unlikely(!put_tree_ref(context, chunk))) {
1657 drop = chunk;
1658 break;
1659 }
1660 }
1661 }
1662 parent = d->d_parent;
1663 if (parent == d)
1664 break;
1665 d = parent;
1666 }
1667 if (unlikely(read_seqretry(&rename_lock, seq) || drop)) { /* in this order */
1668 rcu_read_unlock();
1669 if (!drop) {
1670 /* just a race with rename */
1671 unroll_tree_refs(context, p, count);
1672 goto retry;
1673 }
1674 audit_put_chunk(drop);
1675 if (grow_tree_refs(context)) {
1676 /* OK, got more space */
1677 unroll_tree_refs(context, p, count);
1678 goto retry;
1679 }
1680 /* too bad */
1681 pr_warn("out of memory, audit has lost a tree reference\n");
1682 unroll_tree_refs(context, p, count);
1683 audit_set_auditable(context);
1684 return;
1685 }
1686 rcu_read_unlock();
1687 #endif
1688 }
1689
audit_alloc_name(struct audit_context * context,unsigned char type)1690 static struct audit_names *audit_alloc_name(struct audit_context *context,
1691 unsigned char type)
1692 {
1693 struct audit_names *aname;
1694
1695 if (context->name_count < AUDIT_NAMES) {
1696 aname = &context->preallocated_names[context->name_count];
1697 memset(aname, 0, sizeof(*aname));
1698 } else {
1699 aname = kzalloc(sizeof(*aname), GFP_NOFS);
1700 if (!aname)
1701 return NULL;
1702 aname->should_free = true;
1703 }
1704
1705 aname->ino = (unsigned long)-1;
1706 aname->type = type;
1707 list_add_tail(&aname->list, &context->names_list);
1708
1709 context->name_count++;
1710 #if AUDIT_DEBUG
1711 context->ino_count++;
1712 #endif
1713 return aname;
1714 }
1715
1716 /**
1717 * audit_reusename - fill out filename with info from existing entry
1718 * @uptr: userland ptr to pathname
1719 *
1720 * Search the audit_names list for the current audit context. If there is an
1721 * existing entry with a matching "uptr" then return the filename
1722 * associated with that audit_name. If not, return NULL.
1723 */
1724 struct filename *
__audit_reusename(const __user char * uptr)1725 __audit_reusename(const __user char *uptr)
1726 {
1727 struct audit_context *context = current->audit_context;
1728 struct audit_names *n;
1729
1730 list_for_each_entry(n, &context->names_list, list) {
1731 if (!n->name)
1732 continue;
1733 if (n->name->uptr == uptr)
1734 return n->name;
1735 }
1736 return NULL;
1737 }
1738
1739 /**
1740 * audit_getname - add a name to the list
1741 * @name: name to add
1742 *
1743 * Add a name to the list of audit names for this context.
1744 * Called from fs/namei.c:getname().
1745 */
__audit_getname(struct filename * name)1746 void __audit_getname(struct filename *name)
1747 {
1748 struct audit_context *context = current->audit_context;
1749 struct audit_names *n;
1750
1751 if (!context->in_syscall) {
1752 #if AUDIT_DEBUG == 2
1753 pr_err("%s:%d(:%d): ignoring getname(%p)\n",
1754 __FILE__, __LINE__, context->serial, name);
1755 dump_stack();
1756 #endif
1757 return;
1758 }
1759
1760 #if AUDIT_DEBUG
1761 /* The filename _must_ have a populated ->name */
1762 BUG_ON(!name->name);
1763 #endif
1764
1765 n = audit_alloc_name(context, AUDIT_TYPE_UNKNOWN);
1766 if (!n)
1767 return;
1768
1769 n->name = name;
1770 n->name_len = AUDIT_NAME_FULL;
1771 n->name_put = true;
1772 name->aname = n;
1773
1774 if (!context->pwd.dentry)
1775 get_fs_pwd(current->fs, &context->pwd);
1776 }
1777
1778 /* audit_putname - intercept a putname request
1779 * @name: name to intercept and delay for putname
1780 *
1781 * If we have stored the name from getname in the audit context,
1782 * then we delay the putname until syscall exit.
1783 * Called from include/linux/fs.h:putname().
1784 */
audit_putname(struct filename * name)1785 void audit_putname(struct filename *name)
1786 {
1787 struct audit_context *context = current->audit_context;
1788
1789 BUG_ON(!context);
1790 if (!name->aname || !context->in_syscall) {
1791 #if AUDIT_DEBUG == 2
1792 pr_err("%s:%d(:%d): final_putname(%p)\n",
1793 __FILE__, __LINE__, context->serial, name);
1794 if (context->name_count) {
1795 struct audit_names *n;
1796 int i = 0;
1797
1798 list_for_each_entry(n, &context->names_list, list)
1799 pr_err("name[%d] = %p = %s\n", i++, n->name,
1800 n->name->name ?: "(null)");
1801 }
1802 #endif
1803 final_putname(name);
1804 }
1805 #if AUDIT_DEBUG
1806 else {
1807 ++context->put_count;
1808 if (context->put_count > context->name_count) {
1809 pr_err("%s:%d(:%d): major=%d in_syscall=%d putname(%p)"
1810 " name_count=%d put_count=%d\n",
1811 __FILE__, __LINE__,
1812 context->serial, context->major,
1813 context->in_syscall, name->name,
1814 context->name_count, context->put_count);
1815 dump_stack();
1816 }
1817 }
1818 #endif
1819 }
1820
1821 /**
1822 * __audit_inode - store the inode and device from a lookup
1823 * @name: name being audited
1824 * @dentry: dentry being audited
1825 * @flags: attributes for this particular entry
1826 */
__audit_inode(struct filename * name,const struct dentry * dentry,unsigned int flags)1827 void __audit_inode(struct filename *name, const struct dentry *dentry,
1828 unsigned int flags)
1829 {
1830 struct audit_context *context = current->audit_context;
1831 const struct inode *inode = dentry->d_inode;
1832 struct audit_names *n;
1833 bool parent = flags & AUDIT_INODE_PARENT;
1834
1835 if (!context->in_syscall)
1836 return;
1837
1838 if (!name)
1839 goto out_alloc;
1840
1841 #if AUDIT_DEBUG
1842 /* The struct filename _must_ have a populated ->name */
1843 BUG_ON(!name->name);
1844 #endif
1845 /*
1846 * If we have a pointer to an audit_names entry already, then we can
1847 * just use it directly if the type is correct.
1848 */
1849 n = name->aname;
1850 if (n) {
1851 if (parent) {
1852 if (n->type == AUDIT_TYPE_PARENT ||
1853 n->type == AUDIT_TYPE_UNKNOWN)
1854 goto out;
1855 } else {
1856 if (n->type != AUDIT_TYPE_PARENT)
1857 goto out;
1858 }
1859 }
1860
1861 list_for_each_entry_reverse(n, &context->names_list, list) {
1862 if (!n->name || strcmp(n->name->name, name->name))
1863 continue;
1864
1865 /* match the correct record type */
1866 if (parent) {
1867 if (n->type == AUDIT_TYPE_PARENT ||
1868 n->type == AUDIT_TYPE_UNKNOWN)
1869 goto out;
1870 } else {
1871 if (n->type != AUDIT_TYPE_PARENT)
1872 goto out;
1873 }
1874 }
1875
1876 out_alloc:
1877 /* unable to find an entry with both a matching name and type */
1878 n = audit_alloc_name(context, AUDIT_TYPE_UNKNOWN);
1879 if (!n)
1880 return;
1881 /* unfortunately, while we may have a path name to record with the
1882 * inode, we can't always rely on the string lasting until the end of
1883 * the syscall so we need to create our own copy, it may fail due to
1884 * memory allocation issues, but we do our best */
1885 if (name) {
1886 /* we can't use getname_kernel() due to size limits */
1887 size_t len = strlen(name->name) + 1;
1888 struct filename *new = __getname();
1889
1890 if (unlikely(!new))
1891 goto out;
1892
1893 if (len <= (PATH_MAX - sizeof(*new))) {
1894 new->name = (char *)(new) + sizeof(*new);
1895 new->separate = false;
1896 } else if (len <= PATH_MAX) {
1897 /* this looks odd, but is due to final_putname() */
1898 struct filename *new2;
1899
1900 new2 = kmalloc(sizeof(*new2), GFP_KERNEL);
1901 if (unlikely(!new2)) {
1902 __putname(new);
1903 goto out;
1904 }
1905 new2->name = (char *)new;
1906 new2->separate = true;
1907 new = new2;
1908 } else {
1909 /* we should never get here, but let's be safe */
1910 __putname(new);
1911 goto out;
1912 }
1913 strlcpy((char *)new->name, name->name, len);
1914 new->uptr = NULL;
1915 new->aname = n;
1916 n->name = new;
1917 n->name_put = true;
1918 }
1919 out:
1920 if (parent) {
1921 n->name_len = n->name ? parent_len(n->name->name) : AUDIT_NAME_FULL;
1922 n->type = AUDIT_TYPE_PARENT;
1923 if (flags & AUDIT_INODE_HIDDEN)
1924 n->hidden = true;
1925 } else {
1926 n->name_len = AUDIT_NAME_FULL;
1927 n->type = AUDIT_TYPE_NORMAL;
1928 }
1929 handle_path(dentry);
1930 audit_copy_inode(n, dentry, inode);
1931 }
1932
1933 /**
1934 * __audit_inode_child - collect inode info for created/removed objects
1935 * @parent: inode of dentry parent
1936 * @dentry: dentry being audited
1937 * @type: AUDIT_TYPE_* value that we're looking for
1938 *
1939 * For syscalls that create or remove filesystem objects, audit_inode
1940 * can only collect information for the filesystem object's parent.
1941 * This call updates the audit context with the child's information.
1942 * Syscalls that create a new filesystem object must be hooked after
1943 * the object is created. Syscalls that remove a filesystem object
1944 * must be hooked prior, in order to capture the target inode during
1945 * unsuccessful attempts.
1946 */
__audit_inode_child(const struct inode * parent,const struct dentry * dentry,const unsigned char type)1947 void __audit_inode_child(const struct inode *parent,
1948 const struct dentry *dentry,
1949 const unsigned char type)
1950 {
1951 struct audit_context *context = current->audit_context;
1952 const struct inode *inode = dentry->d_inode;
1953 const char *dname = dentry->d_name.name;
1954 struct audit_names *n, *found_parent = NULL, *found_child = NULL;
1955
1956 if (!context->in_syscall)
1957 return;
1958
1959 if (inode)
1960 handle_one(inode);
1961
1962 /* look for a parent entry first */
1963 list_for_each_entry(n, &context->names_list, list) {
1964 if (!n->name || n->type != AUDIT_TYPE_PARENT)
1965 continue;
1966
1967 if (n->ino == parent->i_ino &&
1968 !audit_compare_dname_path(dname, n->name->name, n->name_len)) {
1969 found_parent = n;
1970 break;
1971 }
1972 }
1973
1974 /* is there a matching child entry? */
1975 list_for_each_entry(n, &context->names_list, list) {
1976 /* can only match entries that have a name */
1977 if (!n->name || n->type != type)
1978 continue;
1979
1980 /* if we found a parent, make sure this one is a child of it */
1981 if (found_parent && (n->name != found_parent->name))
1982 continue;
1983
1984 if (!strcmp(dname, n->name->name) ||
1985 !audit_compare_dname_path(dname, n->name->name,
1986 found_parent ?
1987 found_parent->name_len :
1988 AUDIT_NAME_FULL)) {
1989 found_child = n;
1990 break;
1991 }
1992 }
1993
1994 if (!found_parent) {
1995 /* create a new, "anonymous" parent record */
1996 n = audit_alloc_name(context, AUDIT_TYPE_PARENT);
1997 if (!n)
1998 return;
1999 audit_copy_inode(n, NULL, parent);
2000 }
2001
2002 if (!found_child) {
2003 found_child = audit_alloc_name(context, type);
2004 if (!found_child)
2005 return;
2006
2007 /* Re-use the name belonging to the slot for a matching parent
2008 * directory. All names for this context are relinquished in
2009 * audit_free_names() */
2010 if (found_parent) {
2011 found_child->name = found_parent->name;
2012 found_child->name_len = AUDIT_NAME_FULL;
2013 /* don't call __putname() */
2014 found_child->name_put = false;
2015 }
2016 }
2017 if (inode)
2018 audit_copy_inode(found_child, dentry, inode);
2019 else
2020 found_child->ino = (unsigned long)-1;
2021 }
2022 EXPORT_SYMBOL_GPL(__audit_inode_child);
2023
2024 /**
2025 * auditsc_get_stamp - get local copies of audit_context values
2026 * @ctx: audit_context for the task
2027 * @t: timespec to store time recorded in the audit_context
2028 * @serial: serial value that is recorded in the audit_context
2029 *
2030 * Also sets the context as auditable.
2031 */
auditsc_get_stamp(struct audit_context * ctx,struct timespec * t,unsigned int * serial)2032 int auditsc_get_stamp(struct audit_context *ctx,
2033 struct timespec *t, unsigned int *serial)
2034 {
2035 if (!ctx->in_syscall)
2036 return 0;
2037 if (!ctx->serial)
2038 ctx->serial = audit_serial();
2039 t->tv_sec = ctx->ctime.tv_sec;
2040 t->tv_nsec = ctx->ctime.tv_nsec;
2041 *serial = ctx->serial;
2042 if (!ctx->prio) {
2043 ctx->prio = 1;
2044 ctx->current_state = AUDIT_RECORD_CONTEXT;
2045 }
2046 return 1;
2047 }
2048
2049 /* global counter which is incremented every time something logs in */
2050 static atomic_t session_id = ATOMIC_INIT(0);
2051
audit_set_loginuid_perm(kuid_t loginuid)2052 static int audit_set_loginuid_perm(kuid_t loginuid)
2053 {
2054 /* if we are unset, we don't need privs */
2055 if (!audit_loginuid_set(current))
2056 return 0;
2057 /* if AUDIT_FEATURE_LOGINUID_IMMUTABLE means never ever allow a change*/
2058 if (is_audit_feature_set(AUDIT_FEATURE_LOGINUID_IMMUTABLE))
2059 return -EPERM;
2060 /* it is set, you need permission */
2061 if (!capable(CAP_AUDIT_CONTROL))
2062 return -EPERM;
2063 /* reject if this is not an unset and we don't allow that */
2064 if (is_audit_feature_set(AUDIT_FEATURE_ONLY_UNSET_LOGINUID) && uid_valid(loginuid))
2065 return -EPERM;
2066 return 0;
2067 }
2068
audit_log_set_loginuid(kuid_t koldloginuid,kuid_t kloginuid,unsigned int oldsessionid,unsigned int sessionid,int rc)2069 static void audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid,
2070 unsigned int oldsessionid, unsigned int sessionid,
2071 int rc)
2072 {
2073 struct audit_buffer *ab;
2074 uid_t uid, oldloginuid, loginuid;
2075
2076 if (!audit_enabled)
2077 return;
2078
2079 uid = from_kuid(&init_user_ns, task_uid(current));
2080 oldloginuid = from_kuid(&init_user_ns, koldloginuid);
2081 loginuid = from_kuid(&init_user_ns, kloginuid),
2082
2083 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN);
2084 if (!ab)
2085 return;
2086 audit_log_format(ab, "pid=%d uid=%u", task_tgid_nr(current), uid);
2087 audit_log_task_context(ab);
2088 audit_log_format(ab, " old-auid=%u auid=%u old-ses=%u ses=%u res=%d",
2089 oldloginuid, loginuid, oldsessionid, sessionid, !rc);
2090 audit_log_end(ab);
2091 }
2092
2093 /**
2094 * audit_set_loginuid - set current task's audit_context loginuid
2095 * @loginuid: loginuid value
2096 *
2097 * Returns 0.
2098 *
2099 * Called (set) from fs/proc/base.c::proc_loginuid_write().
2100 */
audit_set_loginuid(kuid_t loginuid)2101 int audit_set_loginuid(kuid_t loginuid)
2102 {
2103 struct task_struct *task = current;
2104 unsigned int oldsessionid, sessionid = (unsigned int)-1;
2105 kuid_t oldloginuid;
2106 int rc;
2107
2108 oldloginuid = audit_get_loginuid(current);
2109 oldsessionid = audit_get_sessionid(current);
2110
2111 rc = audit_set_loginuid_perm(loginuid);
2112 if (rc)
2113 goto out;
2114
2115 /* are we setting or clearing? */
2116 if (uid_valid(loginuid))
2117 sessionid = (unsigned int)atomic_inc_return(&session_id);
2118
2119 task->sessionid = sessionid;
2120 task->loginuid = loginuid;
2121 out:
2122 audit_log_set_loginuid(oldloginuid, loginuid, oldsessionid, sessionid, rc);
2123 return rc;
2124 }
2125
2126 /**
2127 * __audit_mq_open - record audit data for a POSIX MQ open
2128 * @oflag: open flag
2129 * @mode: mode bits
2130 * @attr: queue attributes
2131 *
2132 */
__audit_mq_open(int oflag,umode_t mode,struct mq_attr * attr)2133 void __audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr)
2134 {
2135 struct audit_context *context = current->audit_context;
2136
2137 if (attr)
2138 memcpy(&context->mq_open.attr, attr, sizeof(struct mq_attr));
2139 else
2140 memset(&context->mq_open.attr, 0, sizeof(struct mq_attr));
2141
2142 context->mq_open.oflag = oflag;
2143 context->mq_open.mode = mode;
2144
2145 context->type = AUDIT_MQ_OPEN;
2146 }
2147
2148 /**
2149 * __audit_mq_sendrecv - record audit data for a POSIX MQ timed send/receive
2150 * @mqdes: MQ descriptor
2151 * @msg_len: Message length
2152 * @msg_prio: Message priority
2153 * @abs_timeout: Message timeout in absolute time
2154 *
2155 */
__audit_mq_sendrecv(mqd_t mqdes,size_t msg_len,unsigned int msg_prio,const struct timespec * abs_timeout)2156 void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio,
2157 const struct timespec *abs_timeout)
2158 {
2159 struct audit_context *context = current->audit_context;
2160 struct timespec *p = &context->mq_sendrecv.abs_timeout;
2161
2162 if (abs_timeout)
2163 memcpy(p, abs_timeout, sizeof(struct timespec));
2164 else
2165 memset(p, 0, sizeof(struct timespec));
2166
2167 context->mq_sendrecv.mqdes = mqdes;
2168 context->mq_sendrecv.msg_len = msg_len;
2169 context->mq_sendrecv.msg_prio = msg_prio;
2170
2171 context->type = AUDIT_MQ_SENDRECV;
2172 }
2173
2174 /**
2175 * __audit_mq_notify - record audit data for a POSIX MQ notify
2176 * @mqdes: MQ descriptor
2177 * @notification: Notification event
2178 *
2179 */
2180
__audit_mq_notify(mqd_t mqdes,const struct sigevent * notification)2181 void __audit_mq_notify(mqd_t mqdes, const struct sigevent *notification)
2182 {
2183 struct audit_context *context = current->audit_context;
2184
2185 if (notification)
2186 context->mq_notify.sigev_signo = notification->sigev_signo;
2187 else
2188 context->mq_notify.sigev_signo = 0;
2189
2190 context->mq_notify.mqdes = mqdes;
2191 context->type = AUDIT_MQ_NOTIFY;
2192 }
2193
2194 /**
2195 * __audit_mq_getsetattr - record audit data for a POSIX MQ get/set attribute
2196 * @mqdes: MQ descriptor
2197 * @mqstat: MQ flags
2198 *
2199 */
__audit_mq_getsetattr(mqd_t mqdes,struct mq_attr * mqstat)2200 void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat)
2201 {
2202 struct audit_context *context = current->audit_context;
2203 context->mq_getsetattr.mqdes = mqdes;
2204 context->mq_getsetattr.mqstat = *mqstat;
2205 context->type = AUDIT_MQ_GETSETATTR;
2206 }
2207
2208 /**
2209 * audit_ipc_obj - record audit data for ipc object
2210 * @ipcp: ipc permissions
2211 *
2212 */
__audit_ipc_obj(struct kern_ipc_perm * ipcp)2213 void __audit_ipc_obj(struct kern_ipc_perm *ipcp)
2214 {
2215 struct audit_context *context = current->audit_context;
2216 context->ipc.uid = ipcp->uid;
2217 context->ipc.gid = ipcp->gid;
2218 context->ipc.mode = ipcp->mode;
2219 context->ipc.has_perm = 0;
2220 security_ipc_getsecid(ipcp, &context->ipc.osid);
2221 context->type = AUDIT_IPC;
2222 }
2223
2224 /**
2225 * audit_ipc_set_perm - record audit data for new ipc permissions
2226 * @qbytes: msgq bytes
2227 * @uid: msgq user id
2228 * @gid: msgq group id
2229 * @mode: msgq mode (permissions)
2230 *
2231 * Called only after audit_ipc_obj().
2232 */
__audit_ipc_set_perm(unsigned long qbytes,uid_t uid,gid_t gid,umode_t mode)2233 void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode)
2234 {
2235 struct audit_context *context = current->audit_context;
2236
2237 context->ipc.qbytes = qbytes;
2238 context->ipc.perm_uid = uid;
2239 context->ipc.perm_gid = gid;
2240 context->ipc.perm_mode = mode;
2241 context->ipc.has_perm = 1;
2242 }
2243
__audit_bprm(struct linux_binprm * bprm)2244 void __audit_bprm(struct linux_binprm *bprm)
2245 {
2246 struct audit_context *context = current->audit_context;
2247
2248 context->type = AUDIT_EXECVE;
2249 context->execve.argc = bprm->argc;
2250 }
2251
2252
2253 /**
2254 * audit_socketcall - record audit data for sys_socketcall
2255 * @nargs: number of args, which should not be more than AUDITSC_ARGS.
2256 * @args: args array
2257 *
2258 */
__audit_socketcall(int nargs,unsigned long * args)2259 int __audit_socketcall(int nargs, unsigned long *args)
2260 {
2261 struct audit_context *context = current->audit_context;
2262
2263 if (nargs <= 0 || nargs > AUDITSC_ARGS || !args)
2264 return -EINVAL;
2265 context->type = AUDIT_SOCKETCALL;
2266 context->socketcall.nargs = nargs;
2267 memcpy(context->socketcall.args, args, nargs * sizeof(unsigned long));
2268 return 0;
2269 }
2270
2271 /**
2272 * __audit_fd_pair - record audit data for pipe and socketpair
2273 * @fd1: the first file descriptor
2274 * @fd2: the second file descriptor
2275 *
2276 */
__audit_fd_pair(int fd1,int fd2)2277 void __audit_fd_pair(int fd1, int fd2)
2278 {
2279 struct audit_context *context = current->audit_context;
2280 context->fds[0] = fd1;
2281 context->fds[1] = fd2;
2282 }
2283
2284 /**
2285 * audit_sockaddr - record audit data for sys_bind, sys_connect, sys_sendto
2286 * @len: data length in user space
2287 * @a: data address in kernel space
2288 *
2289 * Returns 0 for success or NULL context or < 0 on error.
2290 */
__audit_sockaddr(int len,void * a)2291 int __audit_sockaddr(int len, void *a)
2292 {
2293 struct audit_context *context = current->audit_context;
2294
2295 if (!context->sockaddr) {
2296 void *p = kmalloc(sizeof(struct sockaddr_storage), GFP_KERNEL);
2297 if (!p)
2298 return -ENOMEM;
2299 context->sockaddr = p;
2300 }
2301
2302 context->sockaddr_len = len;
2303 memcpy(context->sockaddr, a, len);
2304 return 0;
2305 }
2306
__audit_ptrace(struct task_struct * t)2307 void __audit_ptrace(struct task_struct *t)
2308 {
2309 struct audit_context *context = current->audit_context;
2310
2311 context->target_pid = task_tgid_nr(t);
2312 context->target_auid = audit_get_loginuid(t);
2313 context->target_uid = task_uid(t);
2314 context->target_sessionid = audit_get_sessionid(t);
2315 security_task_getsecid(t, &context->target_sid);
2316 memcpy(context->target_comm, t->comm, TASK_COMM_LEN);
2317 }
2318
2319 /**
2320 * audit_signal_info - record signal info for shutting down audit subsystem
2321 * @sig: signal value
2322 * @t: task being signaled
2323 *
2324 * If the audit subsystem is being terminated, record the task (pid)
2325 * and uid that is doing that.
2326 */
__audit_signal_info(int sig,struct task_struct * t)2327 int __audit_signal_info(int sig, struct task_struct *t)
2328 {
2329 struct audit_aux_data_pids *axp;
2330 struct task_struct *tsk = current;
2331 struct audit_context *ctx = tsk->audit_context;
2332 kuid_t uid = current_uid(), t_uid = task_uid(t);
2333
2334 if (audit_pid && t->tgid == audit_pid) {
2335 if (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1 || sig == SIGUSR2) {
2336 audit_sig_pid = task_tgid_nr(tsk);
2337 if (uid_valid(tsk->loginuid))
2338 audit_sig_uid = tsk->loginuid;
2339 else
2340 audit_sig_uid = uid;
2341 security_task_getsecid(tsk, &audit_sig_sid);
2342 }
2343 if (!audit_signals || audit_dummy_context())
2344 return 0;
2345 }
2346
2347 /* optimize the common case by putting first signal recipient directly
2348 * in audit_context */
2349 if (!ctx->target_pid) {
2350 ctx->target_pid = task_tgid_nr(t);
2351 ctx->target_auid = audit_get_loginuid(t);
2352 ctx->target_uid = t_uid;
2353 ctx->target_sessionid = audit_get_sessionid(t);
2354 security_task_getsecid(t, &ctx->target_sid);
2355 memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN);
2356 return 0;
2357 }
2358
2359 axp = (void *)ctx->aux_pids;
2360 if (!axp || axp->pid_count == AUDIT_AUX_PIDS) {
2361 axp = kzalloc(sizeof(*axp), GFP_ATOMIC);
2362 if (!axp)
2363 return -ENOMEM;
2364
2365 axp->d.type = AUDIT_OBJ_PID;
2366 axp->d.next = ctx->aux_pids;
2367 ctx->aux_pids = (void *)axp;
2368 }
2369 BUG_ON(axp->pid_count >= AUDIT_AUX_PIDS);
2370
2371 axp->target_pid[axp->pid_count] = task_tgid_nr(t);
2372 axp->target_auid[axp->pid_count] = audit_get_loginuid(t);
2373 axp->target_uid[axp->pid_count] = t_uid;
2374 axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t);
2375 security_task_getsecid(t, &axp->target_sid[axp->pid_count]);
2376 memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN);
2377 axp->pid_count++;
2378
2379 return 0;
2380 }
2381
2382 /**
2383 * __audit_log_bprm_fcaps - store information about a loading bprm and relevant fcaps
2384 * @bprm: pointer to the bprm being processed
2385 * @new: the proposed new credentials
2386 * @old: the old credentials
2387 *
2388 * Simply check if the proc already has the caps given by the file and if not
2389 * store the priv escalation info for later auditing at the end of the syscall
2390 *
2391 * -Eric
2392 */
__audit_log_bprm_fcaps(struct linux_binprm * bprm,const struct cred * new,const struct cred * old)2393 int __audit_log_bprm_fcaps(struct linux_binprm *bprm,
2394 const struct cred *new, const struct cred *old)
2395 {
2396 struct audit_aux_data_bprm_fcaps *ax;
2397 struct audit_context *context = current->audit_context;
2398 struct cpu_vfs_cap_data vcaps;
2399 struct dentry *dentry;
2400
2401 ax = kmalloc(sizeof(*ax), GFP_KERNEL);
2402 if (!ax)
2403 return -ENOMEM;
2404
2405 ax->d.type = AUDIT_BPRM_FCAPS;
2406 ax->d.next = context->aux;
2407 context->aux = (void *)ax;
2408
2409 dentry = dget(bprm->file->f_dentry);
2410 get_vfs_caps_from_disk(dentry, &vcaps);
2411 dput(dentry);
2412
2413 ax->fcap.permitted = vcaps.permitted;
2414 ax->fcap.inheritable = vcaps.inheritable;
2415 ax->fcap.fE = !!(vcaps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE);
2416 ax->fcap_ver = (vcaps.magic_etc & VFS_CAP_REVISION_MASK) >> VFS_CAP_REVISION_SHIFT;
2417
2418 ax->old_pcap.permitted = old->cap_permitted;
2419 ax->old_pcap.inheritable = old->cap_inheritable;
2420 ax->old_pcap.effective = old->cap_effective;
2421
2422 ax->new_pcap.permitted = new->cap_permitted;
2423 ax->new_pcap.inheritable = new->cap_inheritable;
2424 ax->new_pcap.effective = new->cap_effective;
2425 return 0;
2426 }
2427
2428 /**
2429 * __audit_log_capset - store information about the arguments to the capset syscall
2430 * @new: the new credentials
2431 * @old: the old (current) credentials
2432 *
2433 * Record the arguments userspace sent to sys_capset for later printing by the
2434 * audit system if applicable
2435 */
__audit_log_capset(const struct cred * new,const struct cred * old)2436 void __audit_log_capset(const struct cred *new, const struct cred *old)
2437 {
2438 struct audit_context *context = current->audit_context;
2439 context->capset.pid = task_tgid_nr(current);
2440 context->capset.cap.effective = new->cap_effective;
2441 context->capset.cap.inheritable = new->cap_effective;
2442 context->capset.cap.permitted = new->cap_permitted;
2443 context->type = AUDIT_CAPSET;
2444 }
2445
__audit_mmap_fd(int fd,int flags)2446 void __audit_mmap_fd(int fd, int flags)
2447 {
2448 struct audit_context *context = current->audit_context;
2449 context->mmap.fd = fd;
2450 context->mmap.flags = flags;
2451 context->type = AUDIT_MMAP;
2452 }
2453
audit_log_task(struct audit_buffer * ab)2454 static void audit_log_task(struct audit_buffer *ab)
2455 {
2456 kuid_t auid, uid;
2457 kgid_t gid;
2458 unsigned int sessionid;
2459 struct mm_struct *mm = current->mm;
2460 char comm[sizeof(current->comm)];
2461
2462 auid = audit_get_loginuid(current);
2463 sessionid = audit_get_sessionid(current);
2464 current_uid_gid(&uid, &gid);
2465
2466 audit_log_format(ab, "auid=%u uid=%u gid=%u ses=%u",
2467 from_kuid(&init_user_ns, auid),
2468 from_kuid(&init_user_ns, uid),
2469 from_kgid(&init_user_ns, gid),
2470 sessionid);
2471 audit_log_task_context(ab);
2472 audit_log_format(ab, " pid=%d comm=", task_tgid_nr(current));
2473 audit_log_untrustedstring(ab, get_task_comm(comm, current));
2474 if (mm) {
2475 down_read(&mm->mmap_sem);
2476 if (mm->exe_file)
2477 audit_log_d_path(ab, " exe=", &mm->exe_file->f_path);
2478 up_read(&mm->mmap_sem);
2479 } else
2480 audit_log_format(ab, " exe=(null)");
2481 }
2482
2483 /**
2484 * audit_core_dumps - record information about processes that end abnormally
2485 * @signr: signal value
2486 *
2487 * If a process ends with a core dump, something fishy is going on and we
2488 * should record the event for investigation.
2489 */
audit_core_dumps(long signr)2490 void audit_core_dumps(long signr)
2491 {
2492 struct audit_buffer *ab;
2493
2494 if (!audit_enabled)
2495 return;
2496
2497 if (signr == SIGQUIT) /* don't care for those */
2498 return;
2499
2500 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
2501 if (unlikely(!ab))
2502 return;
2503 audit_log_task(ab);
2504 audit_log_format(ab, " sig=%ld", signr);
2505 audit_log_end(ab);
2506 }
2507
__audit_seccomp(unsigned long syscall,long signr,int code)2508 void __audit_seccomp(unsigned long syscall, long signr, int code)
2509 {
2510 struct audit_buffer *ab;
2511
2512 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_SECCOMP);
2513 if (unlikely(!ab))
2514 return;
2515 audit_log_task(ab);
2516 audit_log_format(ab, " sig=%ld arch=%x syscall=%ld compat=%d ip=0x%lx code=0x%x",
2517 signr, syscall_get_arch(), syscall, is_compat_task(),
2518 KSTK_EIP(current), code);
2519 audit_log_end(ab);
2520 }
2521
audit_killed_trees(void)2522 struct list_head *audit_killed_trees(void)
2523 {
2524 struct audit_context *ctx = current->audit_context;
2525 if (likely(!ctx || !ctx->in_syscall))
2526 return NULL;
2527 return &ctx->killed_trees;
2528 }
2529