• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /* auditsc.c -- System-call auditing support
2  * Handles all system-call specific auditing features.
3  *
4  * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina.
5  * Copyright 2005 Hewlett-Packard Development Company, L.P.
6  * Copyright (C) 2005, 2006 IBM Corporation
7  * All Rights Reserved.
8  *
9  * This program is free software; you can redistribute it and/or modify
10  * it under the terms of the GNU General Public License as published by
11  * the Free Software Foundation; either version 2 of the License, or
12  * (at your option) any later version.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License
20  * along with this program; if not, write to the Free Software
21  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
22  *
23  * Written by Rickard E. (Rik) Faith <faith@redhat.com>
24  *
25  * Many of the ideas implemented here are from Stephen C. Tweedie,
26  * especially the idea of avoiding a copy by using getname.
27  *
28  * The method for actual interception of syscall entry and exit (not in
29  * this file -- see entry.S) is based on a GPL'd patch written by
30  * okir@suse.de and Copyright 2003 SuSE Linux AG.
31  *
32  * POSIX message queue support added by George Wilson <ltcgcw@us.ibm.com>,
33  * 2006.
34  *
35  * The support of additional filter rules compares (>, <, >=, <=) was
36  * added by Dustin Kirkland <dustin.kirkland@us.ibm.com>, 2005.
37  *
38  * Modified by Amy Griffis <amy.griffis@hp.com> to collect additional
39  * filesystem information.
40  *
41  * Subject and object context labeling support added by <danjones@us.ibm.com>
42  * and <dustin.kirkland@us.ibm.com> for LSPP certification compliance.
43  */
44 
45 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
46 
47 #include <linux/init.h>
48 #include <asm/types.h>
49 #include <linux/atomic.h>
50 #include <linux/fs.h>
51 #include <linux/namei.h>
52 #include <linux/mm.h>
53 #include <linux/export.h>
54 #include <linux/slab.h>
55 #include <linux/mount.h>
56 #include <linux/socket.h>
57 #include <linux/mqueue.h>
58 #include <linux/audit.h>
59 #include <linux/personality.h>
60 #include <linux/time.h>
61 #include <linux/netlink.h>
62 #include <linux/compiler.h>
63 #include <asm/unistd.h>
64 #include <linux/security.h>
65 #include <linux/list.h>
66 #include <linux/tty.h>
67 #include <linux/binfmts.h>
68 #include <linux/highmem.h>
69 #include <linux/syscalls.h>
70 #include <asm/syscall.h>
71 #include <linux/capability.h>
72 #include <linux/fs_struct.h>
73 #include <linux/compat.h>
74 #include <linux/ctype.h>
75 #include <linux/uaccess.h>
76 #include <linux/string.h>
77 #include <linux/uaccess.h>
78 #include <uapi/linux/limits.h>
79 
80 #include "audit.h"
81 
82 /* flags stating the success for a syscall */
83 #define AUDITSC_INVALID 0
84 #define AUDITSC_SUCCESS 1
85 #define AUDITSC_FAILURE 2
86 
87 /* no execve audit message should be longer than this (userspace limits),
88  * see the note near the top of audit_log_execve_info() about this value */
89 #define MAX_EXECVE_AUDIT_LEN 7500
90 
91 /* max length to print of cmdline/proctitle value during audit */
92 #define MAX_PROCTITLE_AUDIT_LEN 128
93 
94 /* number of audit rules */
95 int audit_n_rules;
96 
97 /* determines whether we collect data for signals sent */
98 int audit_signals;
99 
100 struct audit_aux_data {
101 	struct audit_aux_data	*next;
102 	int			type;
103 };
104 
105 #define AUDIT_AUX_IPCPERM	0
106 
107 /* Number of target pids per aux struct. */
108 #define AUDIT_AUX_PIDS	16
109 
110 struct audit_aux_data_pids {
111 	struct audit_aux_data	d;
112 	pid_t			target_pid[AUDIT_AUX_PIDS];
113 	kuid_t			target_auid[AUDIT_AUX_PIDS];
114 	kuid_t			target_uid[AUDIT_AUX_PIDS];
115 	unsigned int		target_sessionid[AUDIT_AUX_PIDS];
116 	u32			target_sid[AUDIT_AUX_PIDS];
117 	char 			target_comm[AUDIT_AUX_PIDS][TASK_COMM_LEN];
118 	int			pid_count;
119 };
120 
121 struct audit_aux_data_bprm_fcaps {
122 	struct audit_aux_data	d;
123 	struct audit_cap_data	fcap;
124 	unsigned int		fcap_ver;
125 	struct audit_cap_data	old_pcap;
126 	struct audit_cap_data	new_pcap;
127 };
128 
129 struct audit_tree_refs {
130 	struct audit_tree_refs *next;
131 	struct audit_chunk *c[31];
132 };
133 
audit_match_perm(struct audit_context * ctx,int mask)134 static int audit_match_perm(struct audit_context *ctx, int mask)
135 {
136 	unsigned n;
137 	if (unlikely(!ctx))
138 		return 0;
139 	n = ctx->major;
140 
141 	switch (audit_classify_syscall(ctx->arch, n)) {
142 	case 0:	/* native */
143 		if ((mask & AUDIT_PERM_WRITE) &&
144 		     audit_match_class(AUDIT_CLASS_WRITE, n))
145 			return 1;
146 		if ((mask & AUDIT_PERM_READ) &&
147 		     audit_match_class(AUDIT_CLASS_READ, n))
148 			return 1;
149 		if ((mask & AUDIT_PERM_ATTR) &&
150 		     audit_match_class(AUDIT_CLASS_CHATTR, n))
151 			return 1;
152 		return 0;
153 	case 1: /* 32bit on biarch */
154 		if ((mask & AUDIT_PERM_WRITE) &&
155 		     audit_match_class(AUDIT_CLASS_WRITE_32, n))
156 			return 1;
157 		if ((mask & AUDIT_PERM_READ) &&
158 		     audit_match_class(AUDIT_CLASS_READ_32, n))
159 			return 1;
160 		if ((mask & AUDIT_PERM_ATTR) &&
161 		     audit_match_class(AUDIT_CLASS_CHATTR_32, n))
162 			return 1;
163 		return 0;
164 	case 2: /* open */
165 		return mask & ACC_MODE(ctx->argv[1]);
166 	case 3: /* openat */
167 		return mask & ACC_MODE(ctx->argv[2]);
168 	case 4: /* socketcall */
169 		return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND);
170 	case 5: /* execve */
171 		return mask & AUDIT_PERM_EXEC;
172 	default:
173 		return 0;
174 	}
175 }
176 
audit_match_filetype(struct audit_context * ctx,int val)177 static int audit_match_filetype(struct audit_context *ctx, int val)
178 {
179 	struct audit_names *n;
180 	umode_t mode = (umode_t)val;
181 
182 	if (unlikely(!ctx))
183 		return 0;
184 
185 	list_for_each_entry(n, &ctx->names_list, list) {
186 		if ((n->ino != -1) &&
187 		    ((n->mode & S_IFMT) == mode))
188 			return 1;
189 	}
190 
191 	return 0;
192 }
193 
194 /*
195  * We keep a linked list of fixed-sized (31 pointer) arrays of audit_chunk *;
196  * ->first_trees points to its beginning, ->trees - to the current end of data.
197  * ->tree_count is the number of free entries in array pointed to by ->trees.
198  * Original condition is (NULL, NULL, 0); as soon as it grows we never revert to NULL,
199  * "empty" becomes (p, p, 31) afterwards.  We don't shrink the list (and seriously,
200  * it's going to remain 1-element for almost any setup) until we free context itself.
201  * References in it _are_ dropped - at the same time we free/drop aux stuff.
202  */
203 
204 #ifdef CONFIG_AUDIT_TREE
audit_set_auditable(struct audit_context * ctx)205 static void audit_set_auditable(struct audit_context *ctx)
206 {
207 	if (!ctx->prio) {
208 		ctx->prio = 1;
209 		ctx->current_state = AUDIT_RECORD_CONTEXT;
210 	}
211 }
212 
put_tree_ref(struct audit_context * ctx,struct audit_chunk * chunk)213 static int put_tree_ref(struct audit_context *ctx, struct audit_chunk *chunk)
214 {
215 	struct audit_tree_refs *p = ctx->trees;
216 	int left = ctx->tree_count;
217 	if (likely(left)) {
218 		p->c[--left] = chunk;
219 		ctx->tree_count = left;
220 		return 1;
221 	}
222 	if (!p)
223 		return 0;
224 	p = p->next;
225 	if (p) {
226 		p->c[30] = chunk;
227 		ctx->trees = p;
228 		ctx->tree_count = 30;
229 		return 1;
230 	}
231 	return 0;
232 }
233 
grow_tree_refs(struct audit_context * ctx)234 static int grow_tree_refs(struct audit_context *ctx)
235 {
236 	struct audit_tree_refs *p = ctx->trees;
237 	ctx->trees = kzalloc(sizeof(struct audit_tree_refs), GFP_KERNEL);
238 	if (!ctx->trees) {
239 		ctx->trees = p;
240 		return 0;
241 	}
242 	if (p)
243 		p->next = ctx->trees;
244 	else
245 		ctx->first_trees = ctx->trees;
246 	ctx->tree_count = 31;
247 	return 1;
248 }
249 #endif
250 
unroll_tree_refs(struct audit_context * ctx,struct audit_tree_refs * p,int count)251 static void unroll_tree_refs(struct audit_context *ctx,
252 		      struct audit_tree_refs *p, int count)
253 {
254 #ifdef CONFIG_AUDIT_TREE
255 	struct audit_tree_refs *q;
256 	int n;
257 	if (!p) {
258 		/* we started with empty chain */
259 		p = ctx->first_trees;
260 		count = 31;
261 		/* if the very first allocation has failed, nothing to do */
262 		if (!p)
263 			return;
264 	}
265 	n = count;
266 	for (q = p; q != ctx->trees; q = q->next, n = 31) {
267 		while (n--) {
268 			audit_put_chunk(q->c[n]);
269 			q->c[n] = NULL;
270 		}
271 	}
272 	while (n-- > ctx->tree_count) {
273 		audit_put_chunk(q->c[n]);
274 		q->c[n] = NULL;
275 	}
276 	ctx->trees = p;
277 	ctx->tree_count = count;
278 #endif
279 }
280 
free_tree_refs(struct audit_context * ctx)281 static void free_tree_refs(struct audit_context *ctx)
282 {
283 	struct audit_tree_refs *p, *q;
284 	for (p = ctx->first_trees; p; p = q) {
285 		q = p->next;
286 		kfree(p);
287 	}
288 }
289 
match_tree_refs(struct audit_context * ctx,struct audit_tree * tree)290 static int match_tree_refs(struct audit_context *ctx, struct audit_tree *tree)
291 {
292 #ifdef CONFIG_AUDIT_TREE
293 	struct audit_tree_refs *p;
294 	int n;
295 	if (!tree)
296 		return 0;
297 	/* full ones */
298 	for (p = ctx->first_trees; p != ctx->trees; p = p->next) {
299 		for (n = 0; n < 31; n++)
300 			if (audit_tree_match(p->c[n], tree))
301 				return 1;
302 	}
303 	/* partial */
304 	if (p) {
305 		for (n = ctx->tree_count; n < 31; n++)
306 			if (audit_tree_match(p->c[n], tree))
307 				return 1;
308 	}
309 #endif
310 	return 0;
311 }
312 
audit_compare_uid(kuid_t uid,struct audit_names * name,struct audit_field * f,struct audit_context * ctx)313 static int audit_compare_uid(kuid_t uid,
314 			     struct audit_names *name,
315 			     struct audit_field *f,
316 			     struct audit_context *ctx)
317 {
318 	struct audit_names *n;
319 	int rc;
320 
321 	if (name) {
322 		rc = audit_uid_comparator(uid, f->op, name->uid);
323 		if (rc)
324 			return rc;
325 	}
326 
327 	if (ctx) {
328 		list_for_each_entry(n, &ctx->names_list, list) {
329 			rc = audit_uid_comparator(uid, f->op, n->uid);
330 			if (rc)
331 				return rc;
332 		}
333 	}
334 	return 0;
335 }
336 
audit_compare_gid(kgid_t gid,struct audit_names * name,struct audit_field * f,struct audit_context * ctx)337 static int audit_compare_gid(kgid_t gid,
338 			     struct audit_names *name,
339 			     struct audit_field *f,
340 			     struct audit_context *ctx)
341 {
342 	struct audit_names *n;
343 	int rc;
344 
345 	if (name) {
346 		rc = audit_gid_comparator(gid, f->op, name->gid);
347 		if (rc)
348 			return rc;
349 	}
350 
351 	if (ctx) {
352 		list_for_each_entry(n, &ctx->names_list, list) {
353 			rc = audit_gid_comparator(gid, f->op, n->gid);
354 			if (rc)
355 				return rc;
356 		}
357 	}
358 	return 0;
359 }
360 
audit_field_compare(struct task_struct * tsk,const struct cred * cred,struct audit_field * f,struct audit_context * ctx,struct audit_names * name)361 static int audit_field_compare(struct task_struct *tsk,
362 			       const struct cred *cred,
363 			       struct audit_field *f,
364 			       struct audit_context *ctx,
365 			       struct audit_names *name)
366 {
367 	switch (f->val) {
368 	/* process to file object comparisons */
369 	case AUDIT_COMPARE_UID_TO_OBJ_UID:
370 		return audit_compare_uid(cred->uid, name, f, ctx);
371 	case AUDIT_COMPARE_GID_TO_OBJ_GID:
372 		return audit_compare_gid(cred->gid, name, f, ctx);
373 	case AUDIT_COMPARE_EUID_TO_OBJ_UID:
374 		return audit_compare_uid(cred->euid, name, f, ctx);
375 	case AUDIT_COMPARE_EGID_TO_OBJ_GID:
376 		return audit_compare_gid(cred->egid, name, f, ctx);
377 	case AUDIT_COMPARE_AUID_TO_OBJ_UID:
378 		return audit_compare_uid(tsk->loginuid, name, f, ctx);
379 	case AUDIT_COMPARE_SUID_TO_OBJ_UID:
380 		return audit_compare_uid(cred->suid, name, f, ctx);
381 	case AUDIT_COMPARE_SGID_TO_OBJ_GID:
382 		return audit_compare_gid(cred->sgid, name, f, ctx);
383 	case AUDIT_COMPARE_FSUID_TO_OBJ_UID:
384 		return audit_compare_uid(cred->fsuid, name, f, ctx);
385 	case AUDIT_COMPARE_FSGID_TO_OBJ_GID:
386 		return audit_compare_gid(cred->fsgid, name, f, ctx);
387 	/* uid comparisons */
388 	case AUDIT_COMPARE_UID_TO_AUID:
389 		return audit_uid_comparator(cred->uid, f->op, tsk->loginuid);
390 	case AUDIT_COMPARE_UID_TO_EUID:
391 		return audit_uid_comparator(cred->uid, f->op, cred->euid);
392 	case AUDIT_COMPARE_UID_TO_SUID:
393 		return audit_uid_comparator(cred->uid, f->op, cred->suid);
394 	case AUDIT_COMPARE_UID_TO_FSUID:
395 		return audit_uid_comparator(cred->uid, f->op, cred->fsuid);
396 	/* auid comparisons */
397 	case AUDIT_COMPARE_AUID_TO_EUID:
398 		return audit_uid_comparator(tsk->loginuid, f->op, cred->euid);
399 	case AUDIT_COMPARE_AUID_TO_SUID:
400 		return audit_uid_comparator(tsk->loginuid, f->op, cred->suid);
401 	case AUDIT_COMPARE_AUID_TO_FSUID:
402 		return audit_uid_comparator(tsk->loginuid, f->op, cred->fsuid);
403 	/* euid comparisons */
404 	case AUDIT_COMPARE_EUID_TO_SUID:
405 		return audit_uid_comparator(cred->euid, f->op, cred->suid);
406 	case AUDIT_COMPARE_EUID_TO_FSUID:
407 		return audit_uid_comparator(cred->euid, f->op, cred->fsuid);
408 	/* suid comparisons */
409 	case AUDIT_COMPARE_SUID_TO_FSUID:
410 		return audit_uid_comparator(cred->suid, f->op, cred->fsuid);
411 	/* gid comparisons */
412 	case AUDIT_COMPARE_GID_TO_EGID:
413 		return audit_gid_comparator(cred->gid, f->op, cred->egid);
414 	case AUDIT_COMPARE_GID_TO_SGID:
415 		return audit_gid_comparator(cred->gid, f->op, cred->sgid);
416 	case AUDIT_COMPARE_GID_TO_FSGID:
417 		return audit_gid_comparator(cred->gid, f->op, cred->fsgid);
418 	/* egid comparisons */
419 	case AUDIT_COMPARE_EGID_TO_SGID:
420 		return audit_gid_comparator(cred->egid, f->op, cred->sgid);
421 	case AUDIT_COMPARE_EGID_TO_FSGID:
422 		return audit_gid_comparator(cred->egid, f->op, cred->fsgid);
423 	/* sgid comparison */
424 	case AUDIT_COMPARE_SGID_TO_FSGID:
425 		return audit_gid_comparator(cred->sgid, f->op, cred->fsgid);
426 	default:
427 		WARN(1, "Missing AUDIT_COMPARE define.  Report as a bug\n");
428 		return 0;
429 	}
430 	return 0;
431 }
432 
433 /* Determine if any context name data matches a rule's watch data */
434 /* Compare a task_struct with an audit_rule.  Return 1 on match, 0
435  * otherwise.
436  *
437  * If task_creation is true, this is an explicit indication that we are
438  * filtering a task rule at task creation time.  This and tsk == current are
439  * the only situations where tsk->cred may be accessed without an rcu read lock.
440  */
audit_filter_rules(struct task_struct * tsk,struct audit_krule * rule,struct audit_context * ctx,struct audit_names * name,enum audit_state * state,bool task_creation)441 static int audit_filter_rules(struct task_struct *tsk,
442 			      struct audit_krule *rule,
443 			      struct audit_context *ctx,
444 			      struct audit_names *name,
445 			      enum audit_state *state,
446 			      bool task_creation)
447 {
448 	const struct cred *cred;
449 	int i, need_sid = 1;
450 	u32 sid;
451 
452 	cred = rcu_dereference_check(tsk->cred, tsk == current || task_creation);
453 
454 	for (i = 0; i < rule->field_count; i++) {
455 		struct audit_field *f = &rule->fields[i];
456 		struct audit_names *n;
457 		int result = 0;
458 		pid_t pid;
459 
460 		switch (f->type) {
461 		case AUDIT_PID:
462 			pid = task_tgid_nr(tsk);
463 			result = audit_comparator(pid, f->op, f->val);
464 			break;
465 		case AUDIT_PPID:
466 			if (ctx) {
467 				if (!ctx->ppid)
468 					ctx->ppid = task_ppid_nr(tsk);
469 				result = audit_comparator(ctx->ppid, f->op, f->val);
470 			}
471 			break;
472 		case AUDIT_UID:
473 			result = audit_uid_comparator(cred->uid, f->op, f->uid);
474 			break;
475 		case AUDIT_EUID:
476 			result = audit_uid_comparator(cred->euid, f->op, f->uid);
477 			break;
478 		case AUDIT_SUID:
479 			result = audit_uid_comparator(cred->suid, f->op, f->uid);
480 			break;
481 		case AUDIT_FSUID:
482 			result = audit_uid_comparator(cred->fsuid, f->op, f->uid);
483 			break;
484 		case AUDIT_GID:
485 			result = audit_gid_comparator(cred->gid, f->op, f->gid);
486 			if (f->op == Audit_equal) {
487 				if (!result)
488 					result = in_group_p(f->gid);
489 			} else if (f->op == Audit_not_equal) {
490 				if (result)
491 					result = !in_group_p(f->gid);
492 			}
493 			break;
494 		case AUDIT_EGID:
495 			result = audit_gid_comparator(cred->egid, f->op, f->gid);
496 			if (f->op == Audit_equal) {
497 				if (!result)
498 					result = in_egroup_p(f->gid);
499 			} else if (f->op == Audit_not_equal) {
500 				if (result)
501 					result = !in_egroup_p(f->gid);
502 			}
503 			break;
504 		case AUDIT_SGID:
505 			result = audit_gid_comparator(cred->sgid, f->op, f->gid);
506 			break;
507 		case AUDIT_FSGID:
508 			result = audit_gid_comparator(cred->fsgid, f->op, f->gid);
509 			break;
510 		case AUDIT_PERS:
511 			result = audit_comparator(tsk->personality, f->op, f->val);
512 			break;
513 		case AUDIT_ARCH:
514 			if (ctx)
515 				result = audit_comparator(ctx->arch, f->op, f->val);
516 			break;
517 
518 		case AUDIT_EXIT:
519 			if (ctx && ctx->return_valid)
520 				result = audit_comparator(ctx->return_code, f->op, f->val);
521 			break;
522 		case AUDIT_SUCCESS:
523 			if (ctx && ctx->return_valid) {
524 				if (f->val)
525 					result = audit_comparator(ctx->return_valid, f->op, AUDITSC_SUCCESS);
526 				else
527 					result = audit_comparator(ctx->return_valid, f->op, AUDITSC_FAILURE);
528 			}
529 			break;
530 		case AUDIT_DEVMAJOR:
531 			if (name) {
532 				if (audit_comparator(MAJOR(name->dev), f->op, f->val) ||
533 				    audit_comparator(MAJOR(name->rdev), f->op, f->val))
534 					++result;
535 			} else if (ctx) {
536 				list_for_each_entry(n, &ctx->names_list, list) {
537 					if (audit_comparator(MAJOR(n->dev), f->op, f->val) ||
538 					    audit_comparator(MAJOR(n->rdev), f->op, f->val)) {
539 						++result;
540 						break;
541 					}
542 				}
543 			}
544 			break;
545 		case AUDIT_DEVMINOR:
546 			if (name) {
547 				if (audit_comparator(MINOR(name->dev), f->op, f->val) ||
548 				    audit_comparator(MINOR(name->rdev), f->op, f->val))
549 					++result;
550 			} else if (ctx) {
551 				list_for_each_entry(n, &ctx->names_list, list) {
552 					if (audit_comparator(MINOR(n->dev), f->op, f->val) ||
553 					    audit_comparator(MINOR(n->rdev), f->op, f->val)) {
554 						++result;
555 						break;
556 					}
557 				}
558 			}
559 			break;
560 		case AUDIT_INODE:
561 			if (name)
562 				result = audit_comparator(name->ino, f->op, f->val);
563 			else if (ctx) {
564 				list_for_each_entry(n, &ctx->names_list, list) {
565 					if (audit_comparator(n->ino, f->op, f->val)) {
566 						++result;
567 						break;
568 					}
569 				}
570 			}
571 			break;
572 		case AUDIT_OBJ_UID:
573 			if (name) {
574 				result = audit_uid_comparator(name->uid, f->op, f->uid);
575 			} else if (ctx) {
576 				list_for_each_entry(n, &ctx->names_list, list) {
577 					if (audit_uid_comparator(n->uid, f->op, f->uid)) {
578 						++result;
579 						break;
580 					}
581 				}
582 			}
583 			break;
584 		case AUDIT_OBJ_GID:
585 			if (name) {
586 				result = audit_gid_comparator(name->gid, f->op, f->gid);
587 			} else if (ctx) {
588 				list_for_each_entry(n, &ctx->names_list, list) {
589 					if (audit_gid_comparator(n->gid, f->op, f->gid)) {
590 						++result;
591 						break;
592 					}
593 				}
594 			}
595 			break;
596 		case AUDIT_WATCH:
597 			if (name)
598 				result = audit_watch_compare(rule->watch, name->ino, name->dev);
599 			break;
600 		case AUDIT_DIR:
601 			if (ctx)
602 				result = match_tree_refs(ctx, rule->tree);
603 			break;
604 		case AUDIT_LOGINUID:
605 			result = 0;
606 			if (ctx)
607 				result = audit_uid_comparator(tsk->loginuid, f->op, f->uid);
608 			break;
609 		case AUDIT_LOGINUID_SET:
610 			result = audit_comparator(audit_loginuid_set(tsk), f->op, f->val);
611 			break;
612 		case AUDIT_SUBJ_USER:
613 		case AUDIT_SUBJ_ROLE:
614 		case AUDIT_SUBJ_TYPE:
615 		case AUDIT_SUBJ_SEN:
616 		case AUDIT_SUBJ_CLR:
617 			/* NOTE: this may return negative values indicating
618 			   a temporary error.  We simply treat this as a
619 			   match for now to avoid losing information that
620 			   may be wanted.   An error message will also be
621 			   logged upon error */
622 			if (f->lsm_rule) {
623 				if (need_sid) {
624 					security_task_getsecid(tsk, &sid);
625 					need_sid = 0;
626 				}
627 				result = security_audit_rule_match(sid, f->type,
628 				                                  f->op,
629 				                                  f->lsm_rule,
630 				                                  ctx);
631 			}
632 			break;
633 		case AUDIT_OBJ_USER:
634 		case AUDIT_OBJ_ROLE:
635 		case AUDIT_OBJ_TYPE:
636 		case AUDIT_OBJ_LEV_LOW:
637 		case AUDIT_OBJ_LEV_HIGH:
638 			/* The above note for AUDIT_SUBJ_USER...AUDIT_SUBJ_CLR
639 			   also applies here */
640 			if (f->lsm_rule) {
641 				/* Find files that match */
642 				if (name) {
643 					result = security_audit_rule_match(
644 					           name->osid, f->type, f->op,
645 					           f->lsm_rule, ctx);
646 				} else if (ctx) {
647 					list_for_each_entry(n, &ctx->names_list, list) {
648 						if (security_audit_rule_match(n->osid, f->type,
649 									      f->op, f->lsm_rule,
650 									      ctx)) {
651 							++result;
652 							break;
653 						}
654 					}
655 				}
656 				/* Find ipc objects that match */
657 				if (!ctx || ctx->type != AUDIT_IPC)
658 					break;
659 				if (security_audit_rule_match(ctx->ipc.osid,
660 							      f->type, f->op,
661 							      f->lsm_rule, ctx))
662 					++result;
663 			}
664 			break;
665 		case AUDIT_ARG0:
666 		case AUDIT_ARG1:
667 		case AUDIT_ARG2:
668 		case AUDIT_ARG3:
669 			if (ctx)
670 				result = audit_comparator(ctx->argv[f->type-AUDIT_ARG0], f->op, f->val);
671 			break;
672 		case AUDIT_FILTERKEY:
673 			/* ignore this field for filtering */
674 			result = 1;
675 			break;
676 		case AUDIT_PERM:
677 			result = audit_match_perm(ctx, f->val);
678 			break;
679 		case AUDIT_FILETYPE:
680 			result = audit_match_filetype(ctx, f->val);
681 			break;
682 		case AUDIT_FIELD_COMPARE:
683 			result = audit_field_compare(tsk, cred, f, ctx, name);
684 			break;
685 		}
686 		if (!result)
687 			return 0;
688 	}
689 
690 	if (ctx) {
691 		if (rule->prio <= ctx->prio)
692 			return 0;
693 		if (rule->filterkey) {
694 			kfree(ctx->filterkey);
695 			ctx->filterkey = kstrdup(rule->filterkey, GFP_ATOMIC);
696 		}
697 		ctx->prio = rule->prio;
698 	}
699 	switch (rule->action) {
700 	case AUDIT_NEVER:    *state = AUDIT_DISABLED;	    break;
701 	case AUDIT_ALWAYS:   *state = AUDIT_RECORD_CONTEXT; break;
702 	}
703 	return 1;
704 }
705 
706 /* At process creation time, we can determine if system-call auditing is
707  * completely disabled for this task.  Since we only have the task
708  * structure at this point, we can only check uid and gid.
709  */
audit_filter_task(struct task_struct * tsk,char ** key)710 static enum audit_state audit_filter_task(struct task_struct *tsk, char **key)
711 {
712 	struct audit_entry *e;
713 	enum audit_state   state;
714 
715 	rcu_read_lock();
716 	list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TASK], list) {
717 		if (audit_filter_rules(tsk, &e->rule, NULL, NULL,
718 				       &state, true)) {
719 			if (state == AUDIT_RECORD_CONTEXT)
720 				*key = kstrdup(e->rule.filterkey, GFP_ATOMIC);
721 			rcu_read_unlock();
722 			return state;
723 		}
724 	}
725 	rcu_read_unlock();
726 	return AUDIT_BUILD_CONTEXT;
727 }
728 
audit_in_mask(const struct audit_krule * rule,unsigned long val)729 static int audit_in_mask(const struct audit_krule *rule, unsigned long val)
730 {
731 	int word, bit;
732 
733 	if (val > 0xffffffff)
734 		return false;
735 
736 	word = AUDIT_WORD(val);
737 	if (word >= AUDIT_BITMASK_SIZE)
738 		return false;
739 
740 	bit = AUDIT_BIT(val);
741 
742 	return rule->mask[word] & bit;
743 }
744 
745 /* At syscall entry and exit time, this filter is called if the
746  * audit_state is not low enough that auditing cannot take place, but is
747  * also not high enough that we already know we have to write an audit
748  * record (i.e., the state is AUDIT_SETUP_CONTEXT or AUDIT_BUILD_CONTEXT).
749  */
audit_filter_syscall(struct task_struct * tsk,struct audit_context * ctx,struct list_head * list)750 static enum audit_state audit_filter_syscall(struct task_struct *tsk,
751 					     struct audit_context *ctx,
752 					     struct list_head *list)
753 {
754 	struct audit_entry *e;
755 	enum audit_state state;
756 
757 	if (audit_pid && tsk->tgid == audit_pid)
758 		return AUDIT_DISABLED;
759 
760 	rcu_read_lock();
761 	if (!list_empty(list)) {
762 		list_for_each_entry_rcu(e, list, list) {
763 			if (audit_in_mask(&e->rule, ctx->major) &&
764 			    audit_filter_rules(tsk, &e->rule, ctx, NULL,
765 					       &state, false)) {
766 				rcu_read_unlock();
767 				ctx->current_state = state;
768 				return state;
769 			}
770 		}
771 	}
772 	rcu_read_unlock();
773 	return AUDIT_BUILD_CONTEXT;
774 }
775 
776 /*
777  * Given an audit_name check the inode hash table to see if they match.
778  * Called holding the rcu read lock to protect the use of audit_inode_hash
779  */
audit_filter_inode_name(struct task_struct * tsk,struct audit_names * n,struct audit_context * ctx)780 static int audit_filter_inode_name(struct task_struct *tsk,
781 				   struct audit_names *n,
782 				   struct audit_context *ctx) {
783 	int h = audit_hash_ino((u32)n->ino);
784 	struct list_head *list = &audit_inode_hash[h];
785 	struct audit_entry *e;
786 	enum audit_state state;
787 
788 	if (list_empty(list))
789 		return 0;
790 
791 	list_for_each_entry_rcu(e, list, list) {
792 		if (audit_in_mask(&e->rule, ctx->major) &&
793 		    audit_filter_rules(tsk, &e->rule, ctx, n, &state, false)) {
794 			ctx->current_state = state;
795 			return 1;
796 		}
797 	}
798 
799 	return 0;
800 }
801 
802 /* At syscall exit time, this filter is called if any audit_names have been
803  * collected during syscall processing.  We only check rules in sublists at hash
804  * buckets applicable to the inode numbers in audit_names.
805  * Regarding audit_state, same rules apply as for audit_filter_syscall().
806  */
audit_filter_inodes(struct task_struct * tsk,struct audit_context * ctx)807 void audit_filter_inodes(struct task_struct *tsk, struct audit_context *ctx)
808 {
809 	struct audit_names *n;
810 
811 	if (audit_pid && tsk->tgid == audit_pid)
812 		return;
813 
814 	rcu_read_lock();
815 
816 	list_for_each_entry(n, &ctx->names_list, list) {
817 		if (audit_filter_inode_name(tsk, n, ctx))
818 			break;
819 	}
820 	rcu_read_unlock();
821 }
822 
823 /* Transfer the audit context pointer to the caller, clearing it in the tsk's struct */
audit_take_context(struct task_struct * tsk,int return_valid,long return_code)824 static inline struct audit_context *audit_take_context(struct task_struct *tsk,
825 						      int return_valid,
826 						      long return_code)
827 {
828 	struct audit_context *context = tsk->audit_context;
829 
830 	if (!context)
831 		return NULL;
832 	context->return_valid = return_valid;
833 
834 	/*
835 	 * we need to fix up the return code in the audit logs if the actual
836 	 * return codes are later going to be fixed up by the arch specific
837 	 * signal handlers
838 	 *
839 	 * This is actually a test for:
840 	 * (rc == ERESTARTSYS ) || (rc == ERESTARTNOINTR) ||
841 	 * (rc == ERESTARTNOHAND) || (rc == ERESTART_RESTARTBLOCK)
842 	 *
843 	 * but is faster than a bunch of ||
844 	 */
845 	if (unlikely(return_code <= -ERESTARTSYS) &&
846 	    (return_code >= -ERESTART_RESTARTBLOCK) &&
847 	    (return_code != -ENOIOCTLCMD))
848 		context->return_code = -EINTR;
849 	else
850 		context->return_code  = return_code;
851 
852 	if (context->in_syscall && !context->dummy) {
853 		audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_EXIT]);
854 		audit_filter_inodes(tsk, context);
855 	}
856 
857 	tsk->audit_context = NULL;
858 	return context;
859 }
860 
audit_proctitle_free(struct audit_context * context)861 static inline void audit_proctitle_free(struct audit_context *context)
862 {
863 	kfree(context->proctitle.value);
864 	context->proctitle.value = NULL;
865 	context->proctitle.len = 0;
866 }
867 
audit_free_names(struct audit_context * context)868 static inline void audit_free_names(struct audit_context *context)
869 {
870 	struct audit_names *n, *next;
871 
872 #if AUDIT_DEBUG == 2
873 	if (context->put_count + context->ino_count != context->name_count) {
874 		int i = 0;
875 
876 		pr_err("%s:%d(:%d): major=%d in_syscall=%d"
877 		       " name_count=%d put_count=%d ino_count=%d"
878 		       " [NOT freeing]\n", __FILE__, __LINE__,
879 		       context->serial, context->major, context->in_syscall,
880 		       context->name_count, context->put_count,
881 		       context->ino_count);
882 		list_for_each_entry(n, &context->names_list, list) {
883 			pr_err("names[%d] = %p = %s\n", i++, n->name,
884 			       n->name->name ?: "(null)");
885 		}
886 		dump_stack();
887 		return;
888 	}
889 #endif
890 #if AUDIT_DEBUG
891 	context->put_count  = 0;
892 	context->ino_count  = 0;
893 #endif
894 
895 	list_for_each_entry_safe(n, next, &context->names_list, list) {
896 		list_del(&n->list);
897 		if (n->name && n->name_put)
898 			final_putname(n->name);
899 		if (n->should_free)
900 			kfree(n);
901 	}
902 	context->name_count = 0;
903 	path_put(&context->pwd);
904 	context->pwd.dentry = NULL;
905 	context->pwd.mnt = NULL;
906 }
907 
audit_free_aux(struct audit_context * context)908 static inline void audit_free_aux(struct audit_context *context)
909 {
910 	struct audit_aux_data *aux;
911 
912 	while ((aux = context->aux)) {
913 		context->aux = aux->next;
914 		kfree(aux);
915 	}
916 	while ((aux = context->aux_pids)) {
917 		context->aux_pids = aux->next;
918 		kfree(aux);
919 	}
920 }
921 
audit_alloc_context(enum audit_state state)922 static inline struct audit_context *audit_alloc_context(enum audit_state state)
923 {
924 	struct audit_context *context;
925 
926 	context = kzalloc(sizeof(*context), GFP_KERNEL);
927 	if (!context)
928 		return NULL;
929 	context->state = state;
930 	context->prio = state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0;
931 	INIT_LIST_HEAD(&context->killed_trees);
932 	INIT_LIST_HEAD(&context->names_list);
933 	return context;
934 }
935 
936 /**
937  * audit_alloc - allocate an audit context block for a task
938  * @tsk: task
939  *
940  * Filter on the task information and allocate a per-task audit context
941  * if necessary.  Doing so turns on system call auditing for the
942  * specified task.  This is called from copy_process, so no lock is
943  * needed.
944  */
audit_alloc(struct task_struct * tsk)945 int audit_alloc(struct task_struct *tsk)
946 {
947 	struct audit_context *context;
948 	enum audit_state     state;
949 	char *key = NULL;
950 
951 	if (likely(!audit_ever_enabled))
952 		return 0; /* Return if not auditing. */
953 
954 	state = audit_filter_task(tsk, &key);
955 	if (state == AUDIT_DISABLED) {
956 		clear_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT);
957 		return 0;
958 	}
959 
960 	if (!(context = audit_alloc_context(state))) {
961 		kfree(key);
962 		audit_log_lost("out of memory in audit_alloc");
963 		return -ENOMEM;
964 	}
965 	context->filterkey = key;
966 
967 	tsk->audit_context  = context;
968 	set_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT);
969 	return 0;
970 }
971 
audit_free_context(struct audit_context * context)972 static inline void audit_free_context(struct audit_context *context)
973 {
974 	audit_free_names(context);
975 	unroll_tree_refs(context, NULL, 0);
976 	free_tree_refs(context);
977 	audit_free_aux(context);
978 	kfree(context->filterkey);
979 	kfree(context->sockaddr);
980 	audit_proctitle_free(context);
981 	kfree(context);
982 }
983 
audit_log_pid_context(struct audit_context * context,pid_t pid,kuid_t auid,kuid_t uid,unsigned int sessionid,u32 sid,char * comm)984 static int audit_log_pid_context(struct audit_context *context, pid_t pid,
985 				 kuid_t auid, kuid_t uid, unsigned int sessionid,
986 				 u32 sid, char *comm)
987 {
988 	struct audit_buffer *ab;
989 	char *ctx = NULL;
990 	u32 len;
991 	int rc = 0;
992 
993 	ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID);
994 	if (!ab)
995 		return rc;
996 
997 	audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid,
998 			 from_kuid(&init_user_ns, auid),
999 			 from_kuid(&init_user_ns, uid), sessionid);
1000 	if (sid) {
1001 		if (security_secid_to_secctx(sid, &ctx, &len)) {
1002 			audit_log_format(ab, " obj=(none)");
1003 			rc = 1;
1004 		} else {
1005 			audit_log_format(ab, " obj=%s", ctx);
1006 			security_release_secctx(ctx, len);
1007 		}
1008 	}
1009 	audit_log_format(ab, " ocomm=");
1010 	audit_log_untrustedstring(ab, comm);
1011 	audit_log_end(ab);
1012 
1013 	return rc;
1014 }
1015 
audit_log_execve_info(struct audit_context * context,struct audit_buffer ** ab)1016 static void audit_log_execve_info(struct audit_context *context,
1017 				  struct audit_buffer **ab)
1018 {
1019 	long len_max;
1020 	long len_rem;
1021 	long len_full;
1022 	long len_buf;
1023 	long len_abuf;
1024 	long len_tmp;
1025 	bool require_data;
1026 	bool encode;
1027 	unsigned int iter;
1028 	unsigned int arg;
1029 	char *buf_head;
1030 	char *buf;
1031 	const char __user *p = (const char __user *)current->mm->arg_start;
1032 
1033 	/* NOTE: this buffer needs to be large enough to hold all the non-arg
1034 	 *       data we put in the audit record for this argument (see the
1035 	 *       code below) ... at this point in time 96 is plenty */
1036 	char abuf[96];
1037 
1038 	/* NOTE: we set MAX_EXECVE_AUDIT_LEN to a rather arbitrary limit, the
1039 	 *       current value of 7500 is not as important as the fact that it
1040 	 *       is less than 8k, a setting of 7500 gives us plenty of wiggle
1041 	 *       room if we go over a little bit in the logging below */
1042 	WARN_ON_ONCE(MAX_EXECVE_AUDIT_LEN > 7500);
1043 	len_max = MAX_EXECVE_AUDIT_LEN;
1044 
1045 	/* scratch buffer to hold the userspace args */
1046 	buf_head = kmalloc(MAX_EXECVE_AUDIT_LEN + 1, GFP_KERNEL);
1047 	if (!buf_head) {
1048 		audit_panic("out of memory for argv string");
1049 		return;
1050 	}
1051 	buf = buf_head;
1052 
1053 	audit_log_format(*ab, "argc=%d", context->execve.argc);
1054 
1055 	len_rem = len_max;
1056 	len_buf = 0;
1057 	len_full = 0;
1058 	require_data = true;
1059 	encode = false;
1060 	iter = 0;
1061 	arg = 0;
1062 	do {
1063 		/* NOTE: we don't ever want to trust this value for anything
1064 		 *       serious, but the audit record format insists we
1065 		 *       provide an argument length for really long arguments,
1066 		 *       e.g. > MAX_EXECVE_AUDIT_LEN, so we have no choice but
1067 		 *       to use strncpy_from_user() to obtain this value for
1068 		 *       recording in the log, although we don't use it
1069 		 *       anywhere here to avoid a double-fetch problem */
1070 		if (len_full == 0)
1071 			len_full = strnlen_user(p, MAX_ARG_STRLEN) - 1;
1072 
1073 		/* read more data from userspace */
1074 		if (require_data) {
1075 			/* can we make more room in the buffer? */
1076 			if (buf != buf_head) {
1077 				memmove(buf_head, buf, len_buf);
1078 				buf = buf_head;
1079 			}
1080 
1081 			/* fetch as much as we can of the argument */
1082 			len_tmp = strncpy_from_user(&buf_head[len_buf], p,
1083 						    len_max - len_buf);
1084 			if (len_tmp == -EFAULT) {
1085 				/* unable to copy from userspace */
1086 				send_sig(SIGKILL, current, 0);
1087 				goto out;
1088 			} else if (len_tmp == (len_max - len_buf)) {
1089 				/* buffer is not large enough */
1090 				require_data = true;
1091 				/* NOTE: if we are going to span multiple
1092 				 *       buffers force the encoding so we stand
1093 				 *       a chance at a sane len_full value and
1094 				 *       consistent record encoding */
1095 				encode = true;
1096 				len_full = len_full * 2;
1097 				p += len_tmp;
1098 			} else {
1099 				require_data = false;
1100 				if (!encode)
1101 					encode = audit_string_contains_control(
1102 								buf, len_tmp);
1103 				/* try to use a trusted value for len_full */
1104 				if (len_full < len_max)
1105 					len_full = (encode ?
1106 						    len_tmp * 2 : len_tmp);
1107 				p += len_tmp + 1;
1108 			}
1109 			len_buf += len_tmp;
1110 			buf_head[len_buf] = '\0';
1111 
1112 			/* length of the buffer in the audit record? */
1113 			len_abuf = (encode ? len_buf * 2 : len_buf + 2);
1114 		}
1115 
1116 		/* write as much as we can to the audit log */
1117 		if (len_buf > 0) {
1118 			/* NOTE: some magic numbers here - basically if we
1119 			 *       can't fit a reasonable amount of data into the
1120 			 *       existing audit buffer, flush it and start with
1121 			 *       a new buffer */
1122 			if ((sizeof(abuf) + 8) > len_rem) {
1123 				len_rem = len_max;
1124 				audit_log_end(*ab);
1125 				*ab = audit_log_start(context,
1126 						      GFP_KERNEL, AUDIT_EXECVE);
1127 				if (!*ab)
1128 					goto out;
1129 			}
1130 
1131 			/* create the non-arg portion of the arg record */
1132 			len_tmp = 0;
1133 			if (require_data || (iter > 0) ||
1134 			    ((len_abuf + sizeof(abuf)) > len_rem)) {
1135 				if (iter == 0) {
1136 					len_tmp += snprintf(&abuf[len_tmp],
1137 							sizeof(abuf) - len_tmp,
1138 							" a%d_len=%lu",
1139 							arg, len_full);
1140 				}
1141 				len_tmp += snprintf(&abuf[len_tmp],
1142 						    sizeof(abuf) - len_tmp,
1143 						    " a%d[%d]=", arg, iter++);
1144 			} else
1145 				len_tmp += snprintf(&abuf[len_tmp],
1146 						    sizeof(abuf) - len_tmp,
1147 						    " a%d=", arg);
1148 			WARN_ON(len_tmp >= sizeof(abuf));
1149 			abuf[sizeof(abuf) - 1] = '\0';
1150 
1151 			/* log the arg in the audit record */
1152 			audit_log_format(*ab, "%s", abuf);
1153 			len_rem -= len_tmp;
1154 			len_tmp = len_buf;
1155 			if (encode) {
1156 				if (len_abuf > len_rem)
1157 					len_tmp = len_rem / 2; /* encoding */
1158 				audit_log_n_hex(*ab, buf, len_tmp);
1159 				len_rem -= len_tmp * 2;
1160 				len_abuf -= len_tmp * 2;
1161 			} else {
1162 				if (len_abuf > len_rem)
1163 					len_tmp = len_rem - 2; /* quotes */
1164 				audit_log_n_string(*ab, buf, len_tmp);
1165 				len_rem -= len_tmp + 2;
1166 				/* don't subtract the "2" because we still need
1167 				 * to add quotes to the remaining string */
1168 				len_abuf -= len_tmp;
1169 			}
1170 			len_buf -= len_tmp;
1171 			buf += len_tmp;
1172 		}
1173 
1174 		/* ready to move to the next argument? */
1175 		if ((len_buf == 0) && !require_data) {
1176 			arg++;
1177 			iter = 0;
1178 			len_full = 0;
1179 			require_data = true;
1180 			encode = false;
1181 		}
1182 	} while (arg < context->execve.argc);
1183 
1184 	/* NOTE: the caller handles the final audit_log_end() call */
1185 
1186 out:
1187 	kfree(buf_head);
1188 }
1189 
show_special(struct audit_context * context,int * call_panic)1190 static void show_special(struct audit_context *context, int *call_panic)
1191 {
1192 	struct audit_buffer *ab;
1193 	int i;
1194 
1195 	ab = audit_log_start(context, GFP_KERNEL, context->type);
1196 	if (!ab)
1197 		return;
1198 
1199 	switch (context->type) {
1200 	case AUDIT_SOCKETCALL: {
1201 		int nargs = context->socketcall.nargs;
1202 		audit_log_format(ab, "nargs=%d", nargs);
1203 		for (i = 0; i < nargs; i++)
1204 			audit_log_format(ab, " a%d=%lx", i,
1205 				context->socketcall.args[i]);
1206 		break; }
1207 	case AUDIT_IPC: {
1208 		u32 osid = context->ipc.osid;
1209 
1210 		audit_log_format(ab, "ouid=%u ogid=%u mode=%#ho",
1211 				 from_kuid(&init_user_ns, context->ipc.uid),
1212 				 from_kgid(&init_user_ns, context->ipc.gid),
1213 				 context->ipc.mode);
1214 		if (osid) {
1215 			char *ctx = NULL;
1216 			u32 len;
1217 			if (security_secid_to_secctx(osid, &ctx, &len)) {
1218 				audit_log_format(ab, " osid=%u", osid);
1219 				*call_panic = 1;
1220 			} else {
1221 				audit_log_format(ab, " obj=%s", ctx);
1222 				security_release_secctx(ctx, len);
1223 			}
1224 		}
1225 		if (context->ipc.has_perm) {
1226 			audit_log_end(ab);
1227 			ab = audit_log_start(context, GFP_KERNEL,
1228 					     AUDIT_IPC_SET_PERM);
1229 			if (unlikely(!ab))
1230 				return;
1231 			audit_log_format(ab,
1232 				"qbytes=%lx ouid=%u ogid=%u mode=%#ho",
1233 				context->ipc.qbytes,
1234 				context->ipc.perm_uid,
1235 				context->ipc.perm_gid,
1236 				context->ipc.perm_mode);
1237 		}
1238 		break; }
1239 	case AUDIT_MQ_OPEN: {
1240 		audit_log_format(ab,
1241 			"oflag=0x%x mode=%#ho mq_flags=0x%lx mq_maxmsg=%ld "
1242 			"mq_msgsize=%ld mq_curmsgs=%ld",
1243 			context->mq_open.oflag, context->mq_open.mode,
1244 			context->mq_open.attr.mq_flags,
1245 			context->mq_open.attr.mq_maxmsg,
1246 			context->mq_open.attr.mq_msgsize,
1247 			context->mq_open.attr.mq_curmsgs);
1248 		break; }
1249 	case AUDIT_MQ_SENDRECV: {
1250 		audit_log_format(ab,
1251 			"mqdes=%d msg_len=%zd msg_prio=%u "
1252 			"abs_timeout_sec=%ld abs_timeout_nsec=%ld",
1253 			context->mq_sendrecv.mqdes,
1254 			context->mq_sendrecv.msg_len,
1255 			context->mq_sendrecv.msg_prio,
1256 			context->mq_sendrecv.abs_timeout.tv_sec,
1257 			context->mq_sendrecv.abs_timeout.tv_nsec);
1258 		break; }
1259 	case AUDIT_MQ_NOTIFY: {
1260 		audit_log_format(ab, "mqdes=%d sigev_signo=%d",
1261 				context->mq_notify.mqdes,
1262 				context->mq_notify.sigev_signo);
1263 		break; }
1264 	case AUDIT_MQ_GETSETATTR: {
1265 		struct mq_attr *attr = &context->mq_getsetattr.mqstat;
1266 		audit_log_format(ab,
1267 			"mqdes=%d mq_flags=0x%lx mq_maxmsg=%ld mq_msgsize=%ld "
1268 			"mq_curmsgs=%ld ",
1269 			context->mq_getsetattr.mqdes,
1270 			attr->mq_flags, attr->mq_maxmsg,
1271 			attr->mq_msgsize, attr->mq_curmsgs);
1272 		break; }
1273 	case AUDIT_CAPSET: {
1274 		audit_log_format(ab, "pid=%d", context->capset.pid);
1275 		audit_log_cap(ab, "cap_pi", &context->capset.cap.inheritable);
1276 		audit_log_cap(ab, "cap_pp", &context->capset.cap.permitted);
1277 		audit_log_cap(ab, "cap_pe", &context->capset.cap.effective);
1278 		break; }
1279 	case AUDIT_MMAP: {
1280 		audit_log_format(ab, "fd=%d flags=0x%x", context->mmap.fd,
1281 				 context->mmap.flags);
1282 		break; }
1283 	case AUDIT_EXECVE: {
1284 		audit_log_execve_info(context, &ab);
1285 		break; }
1286 	}
1287 	audit_log_end(ab);
1288 }
1289 
audit_proctitle_rtrim(char * proctitle,int len)1290 static inline int audit_proctitle_rtrim(char *proctitle, int len)
1291 {
1292 	char *end = proctitle + len - 1;
1293 	while (end > proctitle && !isprint(*end))
1294 		end--;
1295 
1296 	/* catch the case where proctitle is only 1 non-print character */
1297 	len = end - proctitle + 1;
1298 	len -= isprint(proctitle[len-1]) == 0;
1299 	return len;
1300 }
1301 
audit_log_proctitle(struct task_struct * tsk,struct audit_context * context)1302 static void audit_log_proctitle(struct task_struct *tsk,
1303 			 struct audit_context *context)
1304 {
1305 	int res;
1306 	char *buf;
1307 	char *msg = "(null)";
1308 	int len = strlen(msg);
1309 	struct audit_buffer *ab;
1310 
1311 	ab = audit_log_start(context, GFP_KERNEL, AUDIT_PROCTITLE);
1312 	if (!ab)
1313 		return;	/* audit_panic or being filtered */
1314 
1315 	audit_log_format(ab, "proctitle=");
1316 
1317 	/* Not  cached */
1318 	if (!context->proctitle.value) {
1319 		buf = kmalloc(MAX_PROCTITLE_AUDIT_LEN, GFP_KERNEL);
1320 		if (!buf)
1321 			goto out;
1322 		/* Historically called this from procfs naming */
1323 		res = get_cmdline(tsk, buf, MAX_PROCTITLE_AUDIT_LEN);
1324 		if (res == 0) {
1325 			kfree(buf);
1326 			goto out;
1327 		}
1328 		res = audit_proctitle_rtrim(buf, res);
1329 		if (res == 0) {
1330 			kfree(buf);
1331 			goto out;
1332 		}
1333 		context->proctitle.value = buf;
1334 		context->proctitle.len = res;
1335 	}
1336 	msg = context->proctitle.value;
1337 	len = context->proctitle.len;
1338 out:
1339 	audit_log_n_untrustedstring(ab, msg, len);
1340 	audit_log_end(ab);
1341 }
1342 
audit_log_exit(struct audit_context * context,struct task_struct * tsk)1343 static void audit_log_exit(struct audit_context *context, struct task_struct *tsk)
1344 {
1345 	int i, call_panic = 0;
1346 	struct audit_buffer *ab;
1347 	struct audit_aux_data *aux;
1348 	struct audit_names *n;
1349 
1350 	/* tsk == current */
1351 	context->personality = tsk->personality;
1352 
1353 	ab = audit_log_start(context, GFP_KERNEL, AUDIT_SYSCALL);
1354 	if (!ab)
1355 		return;		/* audit_panic has been called */
1356 	audit_log_format(ab, "arch=%x syscall=%d",
1357 			 context->arch, context->major);
1358 	if (context->personality != PER_LINUX)
1359 		audit_log_format(ab, " per=%lx", context->personality);
1360 	if (context->return_valid)
1361 		audit_log_format(ab, " success=%s exit=%ld",
1362 				 (context->return_valid==AUDITSC_SUCCESS)?"yes":"no",
1363 				 context->return_code);
1364 
1365 	audit_log_format(ab,
1366 			 " a0=%lx a1=%lx a2=%lx a3=%lx items=%d",
1367 			 context->argv[0],
1368 			 context->argv[1],
1369 			 context->argv[2],
1370 			 context->argv[3],
1371 			 context->name_count);
1372 
1373 	audit_log_task_info(ab, tsk);
1374 	audit_log_key(ab, context->filterkey);
1375 	audit_log_end(ab);
1376 
1377 	for (aux = context->aux; aux; aux = aux->next) {
1378 
1379 		ab = audit_log_start(context, GFP_KERNEL, aux->type);
1380 		if (!ab)
1381 			continue; /* audit_panic has been called */
1382 
1383 		switch (aux->type) {
1384 
1385 		case AUDIT_BPRM_FCAPS: {
1386 			struct audit_aux_data_bprm_fcaps *axs = (void *)aux;
1387 			audit_log_format(ab, "fver=%x", axs->fcap_ver);
1388 			audit_log_cap(ab, "fp", &axs->fcap.permitted);
1389 			audit_log_cap(ab, "fi", &axs->fcap.inheritable);
1390 			audit_log_format(ab, " fe=%d", axs->fcap.fE);
1391 			audit_log_cap(ab, "old_pp", &axs->old_pcap.permitted);
1392 			audit_log_cap(ab, "old_pi", &axs->old_pcap.inheritable);
1393 			audit_log_cap(ab, "old_pe", &axs->old_pcap.effective);
1394 			audit_log_cap(ab, "new_pp", &axs->new_pcap.permitted);
1395 			audit_log_cap(ab, "new_pi", &axs->new_pcap.inheritable);
1396 			audit_log_cap(ab, "new_pe", &axs->new_pcap.effective);
1397 			break; }
1398 
1399 		}
1400 		audit_log_end(ab);
1401 	}
1402 
1403 	if (context->type)
1404 		show_special(context, &call_panic);
1405 
1406 	if (context->fds[0] >= 0) {
1407 		ab = audit_log_start(context, GFP_KERNEL, AUDIT_FD_PAIR);
1408 		if (ab) {
1409 			audit_log_format(ab, "fd0=%d fd1=%d",
1410 					context->fds[0], context->fds[1]);
1411 			audit_log_end(ab);
1412 		}
1413 	}
1414 
1415 	if (context->sockaddr_len) {
1416 		ab = audit_log_start(context, GFP_KERNEL, AUDIT_SOCKADDR);
1417 		if (ab) {
1418 			audit_log_format(ab, "saddr=");
1419 			audit_log_n_hex(ab, (void *)context->sockaddr,
1420 					context->sockaddr_len);
1421 			audit_log_end(ab);
1422 		}
1423 	}
1424 
1425 	for (aux = context->aux_pids; aux; aux = aux->next) {
1426 		struct audit_aux_data_pids *axs = (void *)aux;
1427 
1428 		for (i = 0; i < axs->pid_count; i++)
1429 			if (audit_log_pid_context(context, axs->target_pid[i],
1430 						  axs->target_auid[i],
1431 						  axs->target_uid[i],
1432 						  axs->target_sessionid[i],
1433 						  axs->target_sid[i],
1434 						  axs->target_comm[i]))
1435 				call_panic = 1;
1436 	}
1437 
1438 	if (context->target_pid &&
1439 	    audit_log_pid_context(context, context->target_pid,
1440 				  context->target_auid, context->target_uid,
1441 				  context->target_sessionid,
1442 				  context->target_sid, context->target_comm))
1443 			call_panic = 1;
1444 
1445 	if (context->pwd.dentry && context->pwd.mnt) {
1446 		ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD);
1447 		if (ab) {
1448 			audit_log_d_path(ab, " cwd=", &context->pwd);
1449 			audit_log_end(ab);
1450 		}
1451 	}
1452 
1453 	i = 0;
1454 	list_for_each_entry(n, &context->names_list, list) {
1455 		if (n->hidden)
1456 			continue;
1457 		audit_log_name(context, n, NULL, i++, &call_panic);
1458 	}
1459 
1460 	audit_log_proctitle(tsk, context);
1461 
1462 	/* Send end of event record to help user space know we are finished */
1463 	ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE);
1464 	if (ab)
1465 		audit_log_end(ab);
1466 	if (call_panic)
1467 		audit_panic("error converting sid to string");
1468 }
1469 
1470 /**
1471  * audit_free - free a per-task audit context
1472  * @tsk: task whose audit context block to free
1473  *
1474  * Called from copy_process and do_exit
1475  */
__audit_free(struct task_struct * tsk)1476 void __audit_free(struct task_struct *tsk)
1477 {
1478 	struct audit_context *context;
1479 
1480 	context = audit_take_context(tsk, 0, 0);
1481 	if (!context)
1482 		return;
1483 
1484 	/* Check for system calls that do not go through the exit
1485 	 * function (e.g., exit_group), then free context block.
1486 	 * We use GFP_ATOMIC here because we might be doing this
1487 	 * in the context of the idle thread */
1488 	/* that can happen only if we are called from do_exit() */
1489 	if (context->in_syscall && context->current_state == AUDIT_RECORD_CONTEXT)
1490 		audit_log_exit(context, tsk);
1491 	if (!list_empty(&context->killed_trees))
1492 		audit_kill_trees(&context->killed_trees);
1493 
1494 	audit_free_context(context);
1495 }
1496 
1497 /**
1498  * audit_syscall_entry - fill in an audit record at syscall entry
1499  * @major: major syscall type (function)
1500  * @a1: additional syscall register 1
1501  * @a2: additional syscall register 2
1502  * @a3: additional syscall register 3
1503  * @a4: additional syscall register 4
1504  *
1505  * Fill in audit context at syscall entry.  This only happens if the
1506  * audit context was created when the task was created and the state or
1507  * filters demand the audit context be built.  If the state from the
1508  * per-task filter or from the per-syscall filter is AUDIT_RECORD_CONTEXT,
1509  * then the record will be written at syscall exit time (otherwise, it
1510  * will only be written if another part of the kernel requests that it
1511  * be written).
1512  */
__audit_syscall_entry(int major,unsigned long a1,unsigned long a2,unsigned long a3,unsigned long a4)1513 void __audit_syscall_entry(int major, unsigned long a1, unsigned long a2,
1514 			   unsigned long a3, unsigned long a4)
1515 {
1516 	struct task_struct *tsk = current;
1517 	struct audit_context *context = tsk->audit_context;
1518 	enum audit_state     state;
1519 
1520 	if (!context)
1521 		return;
1522 
1523 	BUG_ON(context->in_syscall || context->name_count);
1524 
1525 	if (!audit_enabled)
1526 		return;
1527 
1528 	context->arch	    = syscall_get_arch();
1529 	context->major      = major;
1530 	context->argv[0]    = a1;
1531 	context->argv[1]    = a2;
1532 	context->argv[2]    = a3;
1533 	context->argv[3]    = a4;
1534 
1535 	state = context->state;
1536 	context->dummy = !audit_n_rules;
1537 	if (!context->dummy && state == AUDIT_BUILD_CONTEXT) {
1538 		context->prio = 0;
1539 		state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_ENTRY]);
1540 	}
1541 	if (state == AUDIT_DISABLED)
1542 		return;
1543 
1544 	context->serial     = 0;
1545 	context->ctime      = CURRENT_TIME;
1546 	context->in_syscall = 1;
1547 	context->current_state  = state;
1548 	context->ppid       = 0;
1549 }
1550 
1551 /**
1552  * audit_syscall_exit - deallocate audit context after a system call
1553  * @success: success value of the syscall
1554  * @return_code: return value of the syscall
1555  *
1556  * Tear down after system call.  If the audit context has been marked as
1557  * auditable (either because of the AUDIT_RECORD_CONTEXT state from
1558  * filtering, or because some other part of the kernel wrote an audit
1559  * message), then write out the syscall information.  In call cases,
1560  * free the names stored from getname().
1561  */
__audit_syscall_exit(int success,long return_code)1562 void __audit_syscall_exit(int success, long return_code)
1563 {
1564 	struct task_struct *tsk = current;
1565 	struct audit_context *context;
1566 
1567 	if (success)
1568 		success = AUDITSC_SUCCESS;
1569 	else
1570 		success = AUDITSC_FAILURE;
1571 
1572 	context = audit_take_context(tsk, success, return_code);
1573 	if (!context)
1574 		return;
1575 
1576 	if (context->in_syscall && context->current_state == AUDIT_RECORD_CONTEXT)
1577 		audit_log_exit(context, tsk);
1578 
1579 	context->in_syscall = 0;
1580 	context->prio = context->state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0;
1581 
1582 	if (!list_empty(&context->killed_trees))
1583 		audit_kill_trees(&context->killed_trees);
1584 
1585 	audit_free_names(context);
1586 	unroll_tree_refs(context, NULL, 0);
1587 	audit_free_aux(context);
1588 	context->aux = NULL;
1589 	context->aux_pids = NULL;
1590 	context->target_pid = 0;
1591 	context->target_sid = 0;
1592 	context->sockaddr_len = 0;
1593 	context->type = 0;
1594 	context->fds[0] = -1;
1595 	if (context->state != AUDIT_RECORD_CONTEXT) {
1596 		kfree(context->filterkey);
1597 		context->filterkey = NULL;
1598 	}
1599 	tsk->audit_context = context;
1600 }
1601 
handle_one(const struct inode * inode)1602 static inline void handle_one(const struct inode *inode)
1603 {
1604 #ifdef CONFIG_AUDIT_TREE
1605 	struct audit_context *context;
1606 	struct audit_tree_refs *p;
1607 	struct audit_chunk *chunk;
1608 	int count;
1609 	if (likely(hlist_empty(&inode->i_fsnotify_marks)))
1610 		return;
1611 	context = current->audit_context;
1612 	p = context->trees;
1613 	count = context->tree_count;
1614 	rcu_read_lock();
1615 	chunk = audit_tree_lookup(inode);
1616 	rcu_read_unlock();
1617 	if (!chunk)
1618 		return;
1619 	if (likely(put_tree_ref(context, chunk)))
1620 		return;
1621 	if (unlikely(!grow_tree_refs(context))) {
1622 		pr_warn("out of memory, audit has lost a tree reference\n");
1623 		audit_set_auditable(context);
1624 		audit_put_chunk(chunk);
1625 		unroll_tree_refs(context, p, count);
1626 		return;
1627 	}
1628 	put_tree_ref(context, chunk);
1629 #endif
1630 }
1631 
handle_path(const struct dentry * dentry)1632 static void handle_path(const struct dentry *dentry)
1633 {
1634 #ifdef CONFIG_AUDIT_TREE
1635 	struct audit_context *context;
1636 	struct audit_tree_refs *p;
1637 	const struct dentry *d, *parent;
1638 	struct audit_chunk *drop;
1639 	unsigned long seq;
1640 	int count;
1641 
1642 	context = current->audit_context;
1643 	p = context->trees;
1644 	count = context->tree_count;
1645 retry:
1646 	drop = NULL;
1647 	d = dentry;
1648 	rcu_read_lock();
1649 	seq = read_seqbegin(&rename_lock);
1650 	for(;;) {
1651 		struct inode *inode = d->d_inode;
1652 		if (inode && unlikely(!hlist_empty(&inode->i_fsnotify_marks))) {
1653 			struct audit_chunk *chunk;
1654 			chunk = audit_tree_lookup(inode);
1655 			if (chunk) {
1656 				if (unlikely(!put_tree_ref(context, chunk))) {
1657 					drop = chunk;
1658 					break;
1659 				}
1660 			}
1661 		}
1662 		parent = d->d_parent;
1663 		if (parent == d)
1664 			break;
1665 		d = parent;
1666 	}
1667 	if (unlikely(read_seqretry(&rename_lock, seq) || drop)) {  /* in this order */
1668 		rcu_read_unlock();
1669 		if (!drop) {
1670 			/* just a race with rename */
1671 			unroll_tree_refs(context, p, count);
1672 			goto retry;
1673 		}
1674 		audit_put_chunk(drop);
1675 		if (grow_tree_refs(context)) {
1676 			/* OK, got more space */
1677 			unroll_tree_refs(context, p, count);
1678 			goto retry;
1679 		}
1680 		/* too bad */
1681 		pr_warn("out of memory, audit has lost a tree reference\n");
1682 		unroll_tree_refs(context, p, count);
1683 		audit_set_auditable(context);
1684 		return;
1685 	}
1686 	rcu_read_unlock();
1687 #endif
1688 }
1689 
audit_alloc_name(struct audit_context * context,unsigned char type)1690 static struct audit_names *audit_alloc_name(struct audit_context *context,
1691 						unsigned char type)
1692 {
1693 	struct audit_names *aname;
1694 
1695 	if (context->name_count < AUDIT_NAMES) {
1696 		aname = &context->preallocated_names[context->name_count];
1697 		memset(aname, 0, sizeof(*aname));
1698 	} else {
1699 		aname = kzalloc(sizeof(*aname), GFP_NOFS);
1700 		if (!aname)
1701 			return NULL;
1702 		aname->should_free = true;
1703 	}
1704 
1705 	aname->ino = (unsigned long)-1;
1706 	aname->type = type;
1707 	list_add_tail(&aname->list, &context->names_list);
1708 
1709 	context->name_count++;
1710 #if AUDIT_DEBUG
1711 	context->ino_count++;
1712 #endif
1713 	return aname;
1714 }
1715 
1716 /**
1717  * audit_reusename - fill out filename with info from existing entry
1718  * @uptr: userland ptr to pathname
1719  *
1720  * Search the audit_names list for the current audit context. If there is an
1721  * existing entry with a matching "uptr" then return the filename
1722  * associated with that audit_name. If not, return NULL.
1723  */
1724 struct filename *
__audit_reusename(const __user char * uptr)1725 __audit_reusename(const __user char *uptr)
1726 {
1727 	struct audit_context *context = current->audit_context;
1728 	struct audit_names *n;
1729 
1730 	list_for_each_entry(n, &context->names_list, list) {
1731 		if (!n->name)
1732 			continue;
1733 		if (n->name->uptr == uptr)
1734 			return n->name;
1735 	}
1736 	return NULL;
1737 }
1738 
1739 /**
1740  * audit_getname - add a name to the list
1741  * @name: name to add
1742  *
1743  * Add a name to the list of audit names for this context.
1744  * Called from fs/namei.c:getname().
1745  */
__audit_getname(struct filename * name)1746 void __audit_getname(struct filename *name)
1747 {
1748 	struct audit_context *context = current->audit_context;
1749 	struct audit_names *n;
1750 
1751 	if (!context->in_syscall) {
1752 #if AUDIT_DEBUG == 2
1753 		pr_err("%s:%d(:%d): ignoring getname(%p)\n",
1754 		       __FILE__, __LINE__, context->serial, name);
1755 		dump_stack();
1756 #endif
1757 		return;
1758 	}
1759 
1760 #if AUDIT_DEBUG
1761 	/* The filename _must_ have a populated ->name */
1762 	BUG_ON(!name->name);
1763 #endif
1764 
1765 	n = audit_alloc_name(context, AUDIT_TYPE_UNKNOWN);
1766 	if (!n)
1767 		return;
1768 
1769 	n->name = name;
1770 	n->name_len = AUDIT_NAME_FULL;
1771 	n->name_put = true;
1772 	name->aname = n;
1773 
1774 	if (!context->pwd.dentry)
1775 		get_fs_pwd(current->fs, &context->pwd);
1776 }
1777 
1778 /* audit_putname - intercept a putname request
1779  * @name: name to intercept and delay for putname
1780  *
1781  * If we have stored the name from getname in the audit context,
1782  * then we delay the putname until syscall exit.
1783  * Called from include/linux/fs.h:putname().
1784  */
audit_putname(struct filename * name)1785 void audit_putname(struct filename *name)
1786 {
1787 	struct audit_context *context = current->audit_context;
1788 
1789 	BUG_ON(!context);
1790 	if (!name->aname || !context->in_syscall) {
1791 #if AUDIT_DEBUG == 2
1792 		pr_err("%s:%d(:%d): final_putname(%p)\n",
1793 		       __FILE__, __LINE__, context->serial, name);
1794 		if (context->name_count) {
1795 			struct audit_names *n;
1796 			int i = 0;
1797 
1798 			list_for_each_entry(n, &context->names_list, list)
1799 				pr_err("name[%d] = %p = %s\n", i++, n->name,
1800 				       n->name->name ?: "(null)");
1801 			}
1802 #endif
1803 		final_putname(name);
1804 	}
1805 #if AUDIT_DEBUG
1806 	else {
1807 		++context->put_count;
1808 		if (context->put_count > context->name_count) {
1809 			pr_err("%s:%d(:%d): major=%d in_syscall=%d putname(%p)"
1810 			       " name_count=%d put_count=%d\n",
1811 			       __FILE__, __LINE__,
1812 			       context->serial, context->major,
1813 			       context->in_syscall, name->name,
1814 			       context->name_count, context->put_count);
1815 			dump_stack();
1816 		}
1817 	}
1818 #endif
1819 }
1820 
1821 /**
1822  * __audit_inode - store the inode and device from a lookup
1823  * @name: name being audited
1824  * @dentry: dentry being audited
1825  * @flags: attributes for this particular entry
1826  */
__audit_inode(struct filename * name,const struct dentry * dentry,unsigned int flags)1827 void __audit_inode(struct filename *name, const struct dentry *dentry,
1828 		   unsigned int flags)
1829 {
1830 	struct audit_context *context = current->audit_context;
1831 	const struct inode *inode = dentry->d_inode;
1832 	struct audit_names *n;
1833 	bool parent = flags & AUDIT_INODE_PARENT;
1834 
1835 	if (!context->in_syscall)
1836 		return;
1837 
1838 	if (!name)
1839 		goto out_alloc;
1840 
1841 #if AUDIT_DEBUG
1842 	/* The struct filename _must_ have a populated ->name */
1843 	BUG_ON(!name->name);
1844 #endif
1845 	/*
1846 	 * If we have a pointer to an audit_names entry already, then we can
1847 	 * just use it directly if the type is correct.
1848 	 */
1849 	n = name->aname;
1850 	if (n) {
1851 		if (parent) {
1852 			if (n->type == AUDIT_TYPE_PARENT ||
1853 			    n->type == AUDIT_TYPE_UNKNOWN)
1854 				goto out;
1855 		} else {
1856 			if (n->type != AUDIT_TYPE_PARENT)
1857 				goto out;
1858 		}
1859 	}
1860 
1861 	list_for_each_entry_reverse(n, &context->names_list, list) {
1862 		if (!n->name || strcmp(n->name->name, name->name))
1863 			continue;
1864 
1865 		/* match the correct record type */
1866 		if (parent) {
1867 			if (n->type == AUDIT_TYPE_PARENT ||
1868 			    n->type == AUDIT_TYPE_UNKNOWN)
1869 				goto out;
1870 		} else {
1871 			if (n->type != AUDIT_TYPE_PARENT)
1872 				goto out;
1873 		}
1874 	}
1875 
1876 out_alloc:
1877 	/* unable to find an entry with both a matching name and type */
1878 	n = audit_alloc_name(context, AUDIT_TYPE_UNKNOWN);
1879 	if (!n)
1880 		return;
1881 	/* unfortunately, while we may have a path name to record with the
1882 	 * inode, we can't always rely on the string lasting until the end of
1883 	 * the syscall so we need to create our own copy, it may fail due to
1884 	 * memory allocation issues, but we do our best */
1885 	if (name) {
1886 		/* we can't use getname_kernel() due to size limits */
1887 		size_t len = strlen(name->name) + 1;
1888 		struct filename *new = __getname();
1889 
1890 		if (unlikely(!new))
1891 			goto out;
1892 
1893 		if (len <= (PATH_MAX - sizeof(*new))) {
1894 			new->name = (char *)(new) + sizeof(*new);
1895 			new->separate = false;
1896 		} else if (len <= PATH_MAX) {
1897 			/* this looks odd, but is due to final_putname() */
1898 			struct filename *new2;
1899 
1900 			new2 = kmalloc(sizeof(*new2), GFP_KERNEL);
1901 			if (unlikely(!new2)) {
1902 				__putname(new);
1903 				goto out;
1904 			}
1905 			new2->name = (char *)new;
1906 			new2->separate = true;
1907 			new = new2;
1908 		} else {
1909 			/* we should never get here, but let's be safe */
1910 			__putname(new);
1911 			goto out;
1912 		}
1913 		strlcpy((char *)new->name, name->name, len);
1914 		new->uptr = NULL;
1915 		new->aname = n;
1916 		n->name = new;
1917 		n->name_put = true;
1918 	}
1919 out:
1920 	if (parent) {
1921 		n->name_len = n->name ? parent_len(n->name->name) : AUDIT_NAME_FULL;
1922 		n->type = AUDIT_TYPE_PARENT;
1923 		if (flags & AUDIT_INODE_HIDDEN)
1924 			n->hidden = true;
1925 	} else {
1926 		n->name_len = AUDIT_NAME_FULL;
1927 		n->type = AUDIT_TYPE_NORMAL;
1928 	}
1929 	handle_path(dentry);
1930 	audit_copy_inode(n, dentry, inode);
1931 }
1932 
1933 /**
1934  * __audit_inode_child - collect inode info for created/removed objects
1935  * @parent: inode of dentry parent
1936  * @dentry: dentry being audited
1937  * @type:   AUDIT_TYPE_* value that we're looking for
1938  *
1939  * For syscalls that create or remove filesystem objects, audit_inode
1940  * can only collect information for the filesystem object's parent.
1941  * This call updates the audit context with the child's information.
1942  * Syscalls that create a new filesystem object must be hooked after
1943  * the object is created.  Syscalls that remove a filesystem object
1944  * must be hooked prior, in order to capture the target inode during
1945  * unsuccessful attempts.
1946  */
__audit_inode_child(const struct inode * parent,const struct dentry * dentry,const unsigned char type)1947 void __audit_inode_child(const struct inode *parent,
1948 			 const struct dentry *dentry,
1949 			 const unsigned char type)
1950 {
1951 	struct audit_context *context = current->audit_context;
1952 	const struct inode *inode = dentry->d_inode;
1953 	const char *dname = dentry->d_name.name;
1954 	struct audit_names *n, *found_parent = NULL, *found_child = NULL;
1955 
1956 	if (!context->in_syscall)
1957 		return;
1958 
1959 	if (inode)
1960 		handle_one(inode);
1961 
1962 	/* look for a parent entry first */
1963 	list_for_each_entry(n, &context->names_list, list) {
1964 		if (!n->name || n->type != AUDIT_TYPE_PARENT)
1965 			continue;
1966 
1967 		if (n->ino == parent->i_ino &&
1968 		    !audit_compare_dname_path(dname, n->name->name, n->name_len)) {
1969 			found_parent = n;
1970 			break;
1971 		}
1972 	}
1973 
1974 	/* is there a matching child entry? */
1975 	list_for_each_entry(n, &context->names_list, list) {
1976 		/* can only match entries that have a name */
1977 		if (!n->name || n->type != type)
1978 			continue;
1979 
1980 		/* if we found a parent, make sure this one is a child of it */
1981 		if (found_parent && (n->name != found_parent->name))
1982 			continue;
1983 
1984 		if (!strcmp(dname, n->name->name) ||
1985 		    !audit_compare_dname_path(dname, n->name->name,
1986 						found_parent ?
1987 						found_parent->name_len :
1988 						AUDIT_NAME_FULL)) {
1989 			found_child = n;
1990 			break;
1991 		}
1992 	}
1993 
1994 	if (!found_parent) {
1995 		/* create a new, "anonymous" parent record */
1996 		n = audit_alloc_name(context, AUDIT_TYPE_PARENT);
1997 		if (!n)
1998 			return;
1999 		audit_copy_inode(n, NULL, parent);
2000 	}
2001 
2002 	if (!found_child) {
2003 		found_child = audit_alloc_name(context, type);
2004 		if (!found_child)
2005 			return;
2006 
2007 		/* Re-use the name belonging to the slot for a matching parent
2008 		 * directory. All names for this context are relinquished in
2009 		 * audit_free_names() */
2010 		if (found_parent) {
2011 			found_child->name = found_parent->name;
2012 			found_child->name_len = AUDIT_NAME_FULL;
2013 			/* don't call __putname() */
2014 			found_child->name_put = false;
2015 		}
2016 	}
2017 	if (inode)
2018 		audit_copy_inode(found_child, dentry, inode);
2019 	else
2020 		found_child->ino = (unsigned long)-1;
2021 }
2022 EXPORT_SYMBOL_GPL(__audit_inode_child);
2023 
2024 /**
2025  * auditsc_get_stamp - get local copies of audit_context values
2026  * @ctx: audit_context for the task
2027  * @t: timespec to store time recorded in the audit_context
2028  * @serial: serial value that is recorded in the audit_context
2029  *
2030  * Also sets the context as auditable.
2031  */
auditsc_get_stamp(struct audit_context * ctx,struct timespec * t,unsigned int * serial)2032 int auditsc_get_stamp(struct audit_context *ctx,
2033 		       struct timespec *t, unsigned int *serial)
2034 {
2035 	if (!ctx->in_syscall)
2036 		return 0;
2037 	if (!ctx->serial)
2038 		ctx->serial = audit_serial();
2039 	t->tv_sec  = ctx->ctime.tv_sec;
2040 	t->tv_nsec = ctx->ctime.tv_nsec;
2041 	*serial    = ctx->serial;
2042 	if (!ctx->prio) {
2043 		ctx->prio = 1;
2044 		ctx->current_state = AUDIT_RECORD_CONTEXT;
2045 	}
2046 	return 1;
2047 }
2048 
2049 /* global counter which is incremented every time something logs in */
2050 static atomic_t session_id = ATOMIC_INIT(0);
2051 
audit_set_loginuid_perm(kuid_t loginuid)2052 static int audit_set_loginuid_perm(kuid_t loginuid)
2053 {
2054 	/* if we are unset, we don't need privs */
2055 	if (!audit_loginuid_set(current))
2056 		return 0;
2057 	/* if AUDIT_FEATURE_LOGINUID_IMMUTABLE means never ever allow a change*/
2058 	if (is_audit_feature_set(AUDIT_FEATURE_LOGINUID_IMMUTABLE))
2059 		return -EPERM;
2060 	/* it is set, you need permission */
2061 	if (!capable(CAP_AUDIT_CONTROL))
2062 		return -EPERM;
2063 	/* reject if this is not an unset and we don't allow that */
2064 	if (is_audit_feature_set(AUDIT_FEATURE_ONLY_UNSET_LOGINUID) && uid_valid(loginuid))
2065 		return -EPERM;
2066 	return 0;
2067 }
2068 
audit_log_set_loginuid(kuid_t koldloginuid,kuid_t kloginuid,unsigned int oldsessionid,unsigned int sessionid,int rc)2069 static void audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid,
2070 				   unsigned int oldsessionid, unsigned int sessionid,
2071 				   int rc)
2072 {
2073 	struct audit_buffer *ab;
2074 	uid_t uid, oldloginuid, loginuid;
2075 
2076 	if (!audit_enabled)
2077 		return;
2078 
2079 	uid = from_kuid(&init_user_ns, task_uid(current));
2080 	oldloginuid = from_kuid(&init_user_ns, koldloginuid);
2081 	loginuid = from_kuid(&init_user_ns, kloginuid),
2082 
2083 	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN);
2084 	if (!ab)
2085 		return;
2086 	audit_log_format(ab, "pid=%d uid=%u", task_tgid_nr(current), uid);
2087 	audit_log_task_context(ab);
2088 	audit_log_format(ab, " old-auid=%u auid=%u old-ses=%u ses=%u res=%d",
2089 			 oldloginuid, loginuid, oldsessionid, sessionid, !rc);
2090 	audit_log_end(ab);
2091 }
2092 
2093 /**
2094  * audit_set_loginuid - set current task's audit_context loginuid
2095  * @loginuid: loginuid value
2096  *
2097  * Returns 0.
2098  *
2099  * Called (set) from fs/proc/base.c::proc_loginuid_write().
2100  */
audit_set_loginuid(kuid_t loginuid)2101 int audit_set_loginuid(kuid_t loginuid)
2102 {
2103 	struct task_struct *task = current;
2104 	unsigned int oldsessionid, sessionid = (unsigned int)-1;
2105 	kuid_t oldloginuid;
2106 	int rc;
2107 
2108 	oldloginuid = audit_get_loginuid(current);
2109 	oldsessionid = audit_get_sessionid(current);
2110 
2111 	rc = audit_set_loginuid_perm(loginuid);
2112 	if (rc)
2113 		goto out;
2114 
2115 	/* are we setting or clearing? */
2116 	if (uid_valid(loginuid))
2117 		sessionid = (unsigned int)atomic_inc_return(&session_id);
2118 
2119 	task->sessionid = sessionid;
2120 	task->loginuid = loginuid;
2121 out:
2122 	audit_log_set_loginuid(oldloginuid, loginuid, oldsessionid, sessionid, rc);
2123 	return rc;
2124 }
2125 
2126 /**
2127  * __audit_mq_open - record audit data for a POSIX MQ open
2128  * @oflag: open flag
2129  * @mode: mode bits
2130  * @attr: queue attributes
2131  *
2132  */
__audit_mq_open(int oflag,umode_t mode,struct mq_attr * attr)2133 void __audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr)
2134 {
2135 	struct audit_context *context = current->audit_context;
2136 
2137 	if (attr)
2138 		memcpy(&context->mq_open.attr, attr, sizeof(struct mq_attr));
2139 	else
2140 		memset(&context->mq_open.attr, 0, sizeof(struct mq_attr));
2141 
2142 	context->mq_open.oflag = oflag;
2143 	context->mq_open.mode = mode;
2144 
2145 	context->type = AUDIT_MQ_OPEN;
2146 }
2147 
2148 /**
2149  * __audit_mq_sendrecv - record audit data for a POSIX MQ timed send/receive
2150  * @mqdes: MQ descriptor
2151  * @msg_len: Message length
2152  * @msg_prio: Message priority
2153  * @abs_timeout: Message timeout in absolute time
2154  *
2155  */
__audit_mq_sendrecv(mqd_t mqdes,size_t msg_len,unsigned int msg_prio,const struct timespec * abs_timeout)2156 void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio,
2157 			const struct timespec *abs_timeout)
2158 {
2159 	struct audit_context *context = current->audit_context;
2160 	struct timespec *p = &context->mq_sendrecv.abs_timeout;
2161 
2162 	if (abs_timeout)
2163 		memcpy(p, abs_timeout, sizeof(struct timespec));
2164 	else
2165 		memset(p, 0, sizeof(struct timespec));
2166 
2167 	context->mq_sendrecv.mqdes = mqdes;
2168 	context->mq_sendrecv.msg_len = msg_len;
2169 	context->mq_sendrecv.msg_prio = msg_prio;
2170 
2171 	context->type = AUDIT_MQ_SENDRECV;
2172 }
2173 
2174 /**
2175  * __audit_mq_notify - record audit data for a POSIX MQ notify
2176  * @mqdes: MQ descriptor
2177  * @notification: Notification event
2178  *
2179  */
2180 
__audit_mq_notify(mqd_t mqdes,const struct sigevent * notification)2181 void __audit_mq_notify(mqd_t mqdes, const struct sigevent *notification)
2182 {
2183 	struct audit_context *context = current->audit_context;
2184 
2185 	if (notification)
2186 		context->mq_notify.sigev_signo = notification->sigev_signo;
2187 	else
2188 		context->mq_notify.sigev_signo = 0;
2189 
2190 	context->mq_notify.mqdes = mqdes;
2191 	context->type = AUDIT_MQ_NOTIFY;
2192 }
2193 
2194 /**
2195  * __audit_mq_getsetattr - record audit data for a POSIX MQ get/set attribute
2196  * @mqdes: MQ descriptor
2197  * @mqstat: MQ flags
2198  *
2199  */
__audit_mq_getsetattr(mqd_t mqdes,struct mq_attr * mqstat)2200 void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat)
2201 {
2202 	struct audit_context *context = current->audit_context;
2203 	context->mq_getsetattr.mqdes = mqdes;
2204 	context->mq_getsetattr.mqstat = *mqstat;
2205 	context->type = AUDIT_MQ_GETSETATTR;
2206 }
2207 
2208 /**
2209  * audit_ipc_obj - record audit data for ipc object
2210  * @ipcp: ipc permissions
2211  *
2212  */
__audit_ipc_obj(struct kern_ipc_perm * ipcp)2213 void __audit_ipc_obj(struct kern_ipc_perm *ipcp)
2214 {
2215 	struct audit_context *context = current->audit_context;
2216 	context->ipc.uid = ipcp->uid;
2217 	context->ipc.gid = ipcp->gid;
2218 	context->ipc.mode = ipcp->mode;
2219 	context->ipc.has_perm = 0;
2220 	security_ipc_getsecid(ipcp, &context->ipc.osid);
2221 	context->type = AUDIT_IPC;
2222 }
2223 
2224 /**
2225  * audit_ipc_set_perm - record audit data for new ipc permissions
2226  * @qbytes: msgq bytes
2227  * @uid: msgq user id
2228  * @gid: msgq group id
2229  * @mode: msgq mode (permissions)
2230  *
2231  * Called only after audit_ipc_obj().
2232  */
__audit_ipc_set_perm(unsigned long qbytes,uid_t uid,gid_t gid,umode_t mode)2233 void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode)
2234 {
2235 	struct audit_context *context = current->audit_context;
2236 
2237 	context->ipc.qbytes = qbytes;
2238 	context->ipc.perm_uid = uid;
2239 	context->ipc.perm_gid = gid;
2240 	context->ipc.perm_mode = mode;
2241 	context->ipc.has_perm = 1;
2242 }
2243 
__audit_bprm(struct linux_binprm * bprm)2244 void __audit_bprm(struct linux_binprm *bprm)
2245 {
2246 	struct audit_context *context = current->audit_context;
2247 
2248 	context->type = AUDIT_EXECVE;
2249 	context->execve.argc = bprm->argc;
2250 }
2251 
2252 
2253 /**
2254  * audit_socketcall - record audit data for sys_socketcall
2255  * @nargs: number of args, which should not be more than AUDITSC_ARGS.
2256  * @args: args array
2257  *
2258  */
__audit_socketcall(int nargs,unsigned long * args)2259 int __audit_socketcall(int nargs, unsigned long *args)
2260 {
2261 	struct audit_context *context = current->audit_context;
2262 
2263 	if (nargs <= 0 || nargs > AUDITSC_ARGS || !args)
2264 		return -EINVAL;
2265 	context->type = AUDIT_SOCKETCALL;
2266 	context->socketcall.nargs = nargs;
2267 	memcpy(context->socketcall.args, args, nargs * sizeof(unsigned long));
2268 	return 0;
2269 }
2270 
2271 /**
2272  * __audit_fd_pair - record audit data for pipe and socketpair
2273  * @fd1: the first file descriptor
2274  * @fd2: the second file descriptor
2275  *
2276  */
__audit_fd_pair(int fd1,int fd2)2277 void __audit_fd_pair(int fd1, int fd2)
2278 {
2279 	struct audit_context *context = current->audit_context;
2280 	context->fds[0] = fd1;
2281 	context->fds[1] = fd2;
2282 }
2283 
2284 /**
2285  * audit_sockaddr - record audit data for sys_bind, sys_connect, sys_sendto
2286  * @len: data length in user space
2287  * @a: data address in kernel space
2288  *
2289  * Returns 0 for success or NULL context or < 0 on error.
2290  */
__audit_sockaddr(int len,void * a)2291 int __audit_sockaddr(int len, void *a)
2292 {
2293 	struct audit_context *context = current->audit_context;
2294 
2295 	if (!context->sockaddr) {
2296 		void *p = kmalloc(sizeof(struct sockaddr_storage), GFP_KERNEL);
2297 		if (!p)
2298 			return -ENOMEM;
2299 		context->sockaddr = p;
2300 	}
2301 
2302 	context->sockaddr_len = len;
2303 	memcpy(context->sockaddr, a, len);
2304 	return 0;
2305 }
2306 
__audit_ptrace(struct task_struct * t)2307 void __audit_ptrace(struct task_struct *t)
2308 {
2309 	struct audit_context *context = current->audit_context;
2310 
2311 	context->target_pid = task_tgid_nr(t);
2312 	context->target_auid = audit_get_loginuid(t);
2313 	context->target_uid = task_uid(t);
2314 	context->target_sessionid = audit_get_sessionid(t);
2315 	security_task_getsecid(t, &context->target_sid);
2316 	memcpy(context->target_comm, t->comm, TASK_COMM_LEN);
2317 }
2318 
2319 /**
2320  * audit_signal_info - record signal info for shutting down audit subsystem
2321  * @sig: signal value
2322  * @t: task being signaled
2323  *
2324  * If the audit subsystem is being terminated, record the task (pid)
2325  * and uid that is doing that.
2326  */
__audit_signal_info(int sig,struct task_struct * t)2327 int __audit_signal_info(int sig, struct task_struct *t)
2328 {
2329 	struct audit_aux_data_pids *axp;
2330 	struct task_struct *tsk = current;
2331 	struct audit_context *ctx = tsk->audit_context;
2332 	kuid_t uid = current_uid(), t_uid = task_uid(t);
2333 
2334 	if (audit_pid && t->tgid == audit_pid) {
2335 		if (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1 || sig == SIGUSR2) {
2336 			audit_sig_pid = task_tgid_nr(tsk);
2337 			if (uid_valid(tsk->loginuid))
2338 				audit_sig_uid = tsk->loginuid;
2339 			else
2340 				audit_sig_uid = uid;
2341 			security_task_getsecid(tsk, &audit_sig_sid);
2342 		}
2343 		if (!audit_signals || audit_dummy_context())
2344 			return 0;
2345 	}
2346 
2347 	/* optimize the common case by putting first signal recipient directly
2348 	 * in audit_context */
2349 	if (!ctx->target_pid) {
2350 		ctx->target_pid = task_tgid_nr(t);
2351 		ctx->target_auid = audit_get_loginuid(t);
2352 		ctx->target_uid = t_uid;
2353 		ctx->target_sessionid = audit_get_sessionid(t);
2354 		security_task_getsecid(t, &ctx->target_sid);
2355 		memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN);
2356 		return 0;
2357 	}
2358 
2359 	axp = (void *)ctx->aux_pids;
2360 	if (!axp || axp->pid_count == AUDIT_AUX_PIDS) {
2361 		axp = kzalloc(sizeof(*axp), GFP_ATOMIC);
2362 		if (!axp)
2363 			return -ENOMEM;
2364 
2365 		axp->d.type = AUDIT_OBJ_PID;
2366 		axp->d.next = ctx->aux_pids;
2367 		ctx->aux_pids = (void *)axp;
2368 	}
2369 	BUG_ON(axp->pid_count >= AUDIT_AUX_PIDS);
2370 
2371 	axp->target_pid[axp->pid_count] = task_tgid_nr(t);
2372 	axp->target_auid[axp->pid_count] = audit_get_loginuid(t);
2373 	axp->target_uid[axp->pid_count] = t_uid;
2374 	axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t);
2375 	security_task_getsecid(t, &axp->target_sid[axp->pid_count]);
2376 	memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN);
2377 	axp->pid_count++;
2378 
2379 	return 0;
2380 }
2381 
2382 /**
2383  * __audit_log_bprm_fcaps - store information about a loading bprm and relevant fcaps
2384  * @bprm: pointer to the bprm being processed
2385  * @new: the proposed new credentials
2386  * @old: the old credentials
2387  *
2388  * Simply check if the proc already has the caps given by the file and if not
2389  * store the priv escalation info for later auditing at the end of the syscall
2390  *
2391  * -Eric
2392  */
__audit_log_bprm_fcaps(struct linux_binprm * bprm,const struct cred * new,const struct cred * old)2393 int __audit_log_bprm_fcaps(struct linux_binprm *bprm,
2394 			   const struct cred *new, const struct cred *old)
2395 {
2396 	struct audit_aux_data_bprm_fcaps *ax;
2397 	struct audit_context *context = current->audit_context;
2398 	struct cpu_vfs_cap_data vcaps;
2399 	struct dentry *dentry;
2400 
2401 	ax = kmalloc(sizeof(*ax), GFP_KERNEL);
2402 	if (!ax)
2403 		return -ENOMEM;
2404 
2405 	ax->d.type = AUDIT_BPRM_FCAPS;
2406 	ax->d.next = context->aux;
2407 	context->aux = (void *)ax;
2408 
2409 	dentry = dget(bprm->file->f_dentry);
2410 	get_vfs_caps_from_disk(dentry, &vcaps);
2411 	dput(dentry);
2412 
2413 	ax->fcap.permitted = vcaps.permitted;
2414 	ax->fcap.inheritable = vcaps.inheritable;
2415 	ax->fcap.fE = !!(vcaps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE);
2416 	ax->fcap_ver = (vcaps.magic_etc & VFS_CAP_REVISION_MASK) >> VFS_CAP_REVISION_SHIFT;
2417 
2418 	ax->old_pcap.permitted   = old->cap_permitted;
2419 	ax->old_pcap.inheritable = old->cap_inheritable;
2420 	ax->old_pcap.effective   = old->cap_effective;
2421 
2422 	ax->new_pcap.permitted   = new->cap_permitted;
2423 	ax->new_pcap.inheritable = new->cap_inheritable;
2424 	ax->new_pcap.effective   = new->cap_effective;
2425 	return 0;
2426 }
2427 
2428 /**
2429  * __audit_log_capset - store information about the arguments to the capset syscall
2430  * @new: the new credentials
2431  * @old: the old (current) credentials
2432  *
2433  * Record the arguments userspace sent to sys_capset for later printing by the
2434  * audit system if applicable
2435  */
__audit_log_capset(const struct cred * new,const struct cred * old)2436 void __audit_log_capset(const struct cred *new, const struct cred *old)
2437 {
2438 	struct audit_context *context = current->audit_context;
2439 	context->capset.pid = task_tgid_nr(current);
2440 	context->capset.cap.effective   = new->cap_effective;
2441 	context->capset.cap.inheritable = new->cap_effective;
2442 	context->capset.cap.permitted   = new->cap_permitted;
2443 	context->type = AUDIT_CAPSET;
2444 }
2445 
__audit_mmap_fd(int fd,int flags)2446 void __audit_mmap_fd(int fd, int flags)
2447 {
2448 	struct audit_context *context = current->audit_context;
2449 	context->mmap.fd = fd;
2450 	context->mmap.flags = flags;
2451 	context->type = AUDIT_MMAP;
2452 }
2453 
audit_log_task(struct audit_buffer * ab)2454 static void audit_log_task(struct audit_buffer *ab)
2455 {
2456 	kuid_t auid, uid;
2457 	kgid_t gid;
2458 	unsigned int sessionid;
2459 	struct mm_struct *mm = current->mm;
2460 	char comm[sizeof(current->comm)];
2461 
2462 	auid = audit_get_loginuid(current);
2463 	sessionid = audit_get_sessionid(current);
2464 	current_uid_gid(&uid, &gid);
2465 
2466 	audit_log_format(ab, "auid=%u uid=%u gid=%u ses=%u",
2467 			 from_kuid(&init_user_ns, auid),
2468 			 from_kuid(&init_user_ns, uid),
2469 			 from_kgid(&init_user_ns, gid),
2470 			 sessionid);
2471 	audit_log_task_context(ab);
2472 	audit_log_format(ab, " pid=%d comm=", task_tgid_nr(current));
2473 	audit_log_untrustedstring(ab, get_task_comm(comm, current));
2474 	if (mm) {
2475 		down_read(&mm->mmap_sem);
2476 		if (mm->exe_file)
2477 			audit_log_d_path(ab, " exe=", &mm->exe_file->f_path);
2478 		up_read(&mm->mmap_sem);
2479 	} else
2480 		audit_log_format(ab, " exe=(null)");
2481 }
2482 
2483 /**
2484  * audit_core_dumps - record information about processes that end abnormally
2485  * @signr: signal value
2486  *
2487  * If a process ends with a core dump, something fishy is going on and we
2488  * should record the event for investigation.
2489  */
audit_core_dumps(long signr)2490 void audit_core_dumps(long signr)
2491 {
2492 	struct audit_buffer *ab;
2493 
2494 	if (!audit_enabled)
2495 		return;
2496 
2497 	if (signr == SIGQUIT)	/* don't care for those */
2498 		return;
2499 
2500 	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
2501 	if (unlikely(!ab))
2502 		return;
2503 	audit_log_task(ab);
2504 	audit_log_format(ab, " sig=%ld", signr);
2505 	audit_log_end(ab);
2506 }
2507 
__audit_seccomp(unsigned long syscall,long signr,int code)2508 void __audit_seccomp(unsigned long syscall, long signr, int code)
2509 {
2510 	struct audit_buffer *ab;
2511 
2512 	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_SECCOMP);
2513 	if (unlikely(!ab))
2514 		return;
2515 	audit_log_task(ab);
2516 	audit_log_format(ab, " sig=%ld arch=%x syscall=%ld compat=%d ip=0x%lx code=0x%x",
2517 			 signr, syscall_get_arch(), syscall, is_compat_task(),
2518 			 KSTK_EIP(current), code);
2519 	audit_log_end(ab);
2520 }
2521 
audit_killed_trees(void)2522 struct list_head *audit_killed_trees(void)
2523 {
2524 	struct audit_context *ctx = current->audit_context;
2525 	if (likely(!ctx || !ctx->in_syscall))
2526 		return NULL;
2527 	return &ctx->killed_trees;
2528 }
2529