auditsc.c 66 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670167116721673167416751676167716781679168016811682168316841685168616871688168916901691169216931694169516961697169816991700170117021703170417051706170717081709171017111712171317141715171617171718171917201721172217231724172517261727172817291730173117321733173417351736173717381739174017411742174317441745174617471748174917501751175217531754175517561757175817591760176117621763176417651766176717681769177017711772177317741775177617771778177917801781178217831784178517861787178817891790179117921793179417951796179717981799180018011802180318041805180618071808180918101811181218131814181518161817181818191820182118221823182418251826182718281829183018311832183318341835183618371838183918401841184218431844184518461847184818491850185118521853185418551856185718581859186018611862186318641865186618671868186918701871187218731874187518761877187818791880188118821883188418851886188718881889189018911892189318941895189618971898189919001901190219031904190519061907190819091910191119121913191419151916191719181919192019211922192319241925192619271928192919301931193219331934193519361937193819391940194119421943194419451946194719481949195019511952195319541955195619571958195919601961196219631964196519661967196819691970197119721973197419751976197719781979198019811982198319841985198619871988198919901991199219931994199519961997199819992000200120022003200420052006200720082009201020112012201320142015201620172018201920202021202220232024202520262027202820292030203120322033203420352036203720382039204020412042204320442045204620472048204920502051205220532054205520562057205820592060206120622063206420652066206720682069207020712072207320742075207620772078207920802081208220832084208520862087208820892090209120922093209420952096209720982099210021012102210321042105210621072108210921102111211221132114211521162117211821192120212121222123212421252126212721282129213021312132213321342135213621372138213921402141214221432144214521462147214821492150215121522153215421552156215721582159216021612162216321642165216621672168216921702171217221732174217521762177217821792180218121822183218421852186218721882189219021912192219321942195219621972198219922002201220222032204220522062207220822092210221122122213221422152216221722182219222022212222222322242225222622272228222922302231223222332234223522362237223822392240224122422243224422452246224722482249225022512252225322542255225622572258225922602261226222632264226522662267226822692270227122722273227422752276227722782279228022812282228322842285228622872288228922902291229222932294229522962297229822992300230123022303230423052306230723082309231023112312231323142315231623172318231923202321232223232324232523262327232823292330233123322333233423352336233723382339234023412342234323442345234623472348234923502351235223532354235523562357235823592360236123622363236423652366236723682369237023712372237323742375237623772378237923802381238223832384238523862387238823892390239123922393239423952396239723982399240024012402240324042405240624072408240924102411241224132414241524162417241824192420242124222423242424252426242724282429243024312432243324342435243624372438243924402441244224432444244524462447244824492450245124522453245424552456245724582459246024612462246324642465246624672468
  1. /* auditsc.c -- System-call auditing support
  2. * Handles all system-call specific auditing features.
  3. *
  4. * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina.
  5. * Copyright 2005 Hewlett-Packard Development Company, L.P.
  6. * Copyright (C) 2005, 2006 IBM Corporation
  7. * All Rights Reserved.
  8. *
  9. * This program is free software; you can redistribute it and/or modify
  10. * it under the terms of the GNU General Public License as published by
  11. * the Free Software Foundation; either version 2 of the License, or
  12. * (at your option) any later version.
  13. *
  14. * This program is distributed in the hope that it will be useful,
  15. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  16. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  17. * GNU General Public License for more details.
  18. *
  19. * You should have received a copy of the GNU General Public License
  20. * along with this program; if not, write to the Free Software
  21. * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
  22. *
  23. * Written by Rickard E. (Rik) Faith <faith@redhat.com>
  24. *
  25. * Many of the ideas implemented here are from Stephen C. Tweedie,
  26. * especially the idea of avoiding a copy by using getname.
  27. *
  28. * The method for actual interception of syscall entry and exit (not in
  29. * this file -- see entry.S) is based on a GPL'd patch written by
  30. * okir@suse.de and Copyright 2003 SuSE Linux AG.
  31. *
  32. * POSIX message queue support added by George Wilson <ltcgcw@us.ibm.com>,
  33. * 2006.
  34. *
  35. * The support of additional filter rules compares (>, <, >=, <=) was
  36. * added by Dustin Kirkland <dustin.kirkland@us.ibm.com>, 2005.
  37. *
  38. * Modified by Amy Griffis <amy.griffis@hp.com> to collect additional
  39. * filesystem information.
  40. *
  41. * Subject and object context labeling support added by <danjones@us.ibm.com>
  42. * and <dustin.kirkland@us.ibm.com> for LSPP certification compliance.
  43. */
  44. #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
  45. #include <linux/init.h>
  46. #include <asm/types.h>
  47. #include <linux/atomic.h>
  48. #include <linux/fs.h>
  49. #include <linux/namei.h>
  50. #include <linux/mm.h>
  51. #include <linux/export.h>
  52. #include <linux/slab.h>
  53. #include <linux/mount.h>
  54. #include <linux/socket.h>
  55. #include <linux/mqueue.h>
  56. #include <linux/audit.h>
  57. #include <linux/personality.h>
  58. #include <linux/time.h>
  59. #include <linux/netlink.h>
  60. #include <linux/compiler.h>
  61. #include <asm/unistd.h>
  62. #include <linux/security.h>
  63. #include <linux/list.h>
  64. #include <linux/binfmts.h>
  65. #include <linux/highmem.h>
  66. #include <linux/syscalls.h>
  67. #include <asm/syscall.h>
  68. #include <linux/capability.h>
  69. #include <linux/fs_struct.h>
  70. #include <linux/compat.h>
  71. #include <linux/ctype.h>
  72. #include <linux/string.h>
  73. #include <linux/uaccess.h>
  74. #include <linux/fsnotify_backend.h>
  75. #include <uapi/linux/limits.h>
  76. #include "audit.h"
  77. /* flags stating the success for a syscall */
  78. #define AUDITSC_INVALID 0
  79. #define AUDITSC_SUCCESS 1
  80. #define AUDITSC_FAILURE 2
  81. /* no execve audit message should be longer than this (userspace limits),
  82. * see the note near the top of audit_log_execve_info() about this value */
  83. #define MAX_EXECVE_AUDIT_LEN 7500
  84. /* max length to print of cmdline/proctitle value during audit */
  85. #define MAX_PROCTITLE_AUDIT_LEN 128
  86. /* number of audit rules */
  87. int audit_n_rules;
  88. /* determines whether we collect data for signals sent */
  89. int audit_signals;
  90. struct audit_aux_data {
  91. struct audit_aux_data *next;
  92. int type;
  93. };
  94. #define AUDIT_AUX_IPCPERM 0
  95. /* Number of target pids per aux struct. */
  96. #define AUDIT_AUX_PIDS 16
  97. struct audit_aux_data_pids {
  98. struct audit_aux_data d;
  99. pid_t target_pid[AUDIT_AUX_PIDS];
  100. kuid_t target_auid[AUDIT_AUX_PIDS];
  101. kuid_t target_uid[AUDIT_AUX_PIDS];
  102. unsigned int target_sessionid[AUDIT_AUX_PIDS];
  103. u32 target_sid[AUDIT_AUX_PIDS];
  104. char target_comm[AUDIT_AUX_PIDS][TASK_COMM_LEN];
  105. int pid_count;
  106. };
  107. struct audit_aux_data_bprm_fcaps {
  108. struct audit_aux_data d;
  109. struct audit_cap_data fcap;
  110. unsigned int fcap_ver;
  111. struct audit_cap_data old_pcap;
  112. struct audit_cap_data new_pcap;
  113. };
  114. struct audit_tree_refs {
  115. struct audit_tree_refs *next;
  116. struct audit_chunk *c[31];
  117. };
  118. static int audit_match_perm(struct audit_context *ctx, int mask)
  119. {
  120. unsigned n;
  121. if (unlikely(!ctx))
  122. return 0;
  123. n = ctx->major;
  124. switch (audit_classify_syscall(ctx->arch, n)) {
  125. case 0: /* native */
  126. if ((mask & AUDIT_PERM_WRITE) &&
  127. audit_match_class(AUDIT_CLASS_WRITE, n))
  128. return 1;
  129. if ((mask & AUDIT_PERM_READ) &&
  130. audit_match_class(AUDIT_CLASS_READ, n))
  131. return 1;
  132. if ((mask & AUDIT_PERM_ATTR) &&
  133. audit_match_class(AUDIT_CLASS_CHATTR, n))
  134. return 1;
  135. return 0;
  136. case 1: /* 32bit on biarch */
  137. if ((mask & AUDIT_PERM_WRITE) &&
  138. audit_match_class(AUDIT_CLASS_WRITE_32, n))
  139. return 1;
  140. if ((mask & AUDIT_PERM_READ) &&
  141. audit_match_class(AUDIT_CLASS_READ_32, n))
  142. return 1;
  143. if ((mask & AUDIT_PERM_ATTR) &&
  144. audit_match_class(AUDIT_CLASS_CHATTR_32, n))
  145. return 1;
  146. return 0;
  147. case 2: /* open */
  148. return mask & ACC_MODE(ctx->argv[1]);
  149. case 3: /* openat */
  150. return mask & ACC_MODE(ctx->argv[2]);
  151. case 4: /* socketcall */
  152. return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND);
  153. case 5: /* execve */
  154. return mask & AUDIT_PERM_EXEC;
  155. default:
  156. return 0;
  157. }
  158. }
  159. static int audit_match_filetype(struct audit_context *ctx, int val)
  160. {
  161. struct audit_names *n;
  162. umode_t mode = (umode_t)val;
  163. if (unlikely(!ctx))
  164. return 0;
  165. list_for_each_entry(n, &ctx->names_list, list) {
  166. if ((n->ino != AUDIT_INO_UNSET) &&
  167. ((n->mode & S_IFMT) == mode))
  168. return 1;
  169. }
  170. return 0;
  171. }
  172. /*
  173. * We keep a linked list of fixed-sized (31 pointer) arrays of audit_chunk *;
  174. * ->first_trees points to its beginning, ->trees - to the current end of data.
  175. * ->tree_count is the number of free entries in array pointed to by ->trees.
  176. * Original condition is (NULL, NULL, 0); as soon as it grows we never revert to NULL,
  177. * "empty" becomes (p, p, 31) afterwards. We don't shrink the list (and seriously,
  178. * it's going to remain 1-element for almost any setup) until we free context itself.
  179. * References in it _are_ dropped - at the same time we free/drop aux stuff.
  180. */
  181. #ifdef CONFIG_AUDIT_TREE
  182. static void audit_set_auditable(struct audit_context *ctx)
  183. {
  184. if (!ctx->prio) {
  185. ctx->prio = 1;
  186. ctx->current_state = AUDIT_RECORD_CONTEXT;
  187. }
  188. }
  189. static int put_tree_ref(struct audit_context *ctx, struct audit_chunk *chunk)
  190. {
  191. struct audit_tree_refs *p = ctx->trees;
  192. int left = ctx->tree_count;
  193. if (likely(left)) {
  194. p->c[--left] = chunk;
  195. ctx->tree_count = left;
  196. return 1;
  197. }
  198. if (!p)
  199. return 0;
  200. p = p->next;
  201. if (p) {
  202. p->c[30] = chunk;
  203. ctx->trees = p;
  204. ctx->tree_count = 30;
  205. return 1;
  206. }
  207. return 0;
  208. }
  209. static int grow_tree_refs(struct audit_context *ctx)
  210. {
  211. struct audit_tree_refs *p = ctx->trees;
  212. ctx->trees = kzalloc(sizeof(struct audit_tree_refs), GFP_KERNEL);
  213. if (!ctx->trees) {
  214. ctx->trees = p;
  215. return 0;
  216. }
  217. if (p)
  218. p->next = ctx->trees;
  219. else
  220. ctx->first_trees = ctx->trees;
  221. ctx->tree_count = 31;
  222. return 1;
  223. }
  224. #endif
  225. static void unroll_tree_refs(struct audit_context *ctx,
  226. struct audit_tree_refs *p, int count)
  227. {
  228. #ifdef CONFIG_AUDIT_TREE
  229. struct audit_tree_refs *q;
  230. int n;
  231. if (!p) {
  232. /* we started with empty chain */
  233. p = ctx->first_trees;
  234. count = 31;
  235. /* if the very first allocation has failed, nothing to do */
  236. if (!p)
  237. return;
  238. }
  239. n = count;
  240. for (q = p; q != ctx->trees; q = q->next, n = 31) {
  241. while (n--) {
  242. audit_put_chunk(q->c[n]);
  243. q->c[n] = NULL;
  244. }
  245. }
  246. while (n-- > ctx->tree_count) {
  247. audit_put_chunk(q->c[n]);
  248. q->c[n] = NULL;
  249. }
  250. ctx->trees = p;
  251. ctx->tree_count = count;
  252. #endif
  253. }
  254. static void free_tree_refs(struct audit_context *ctx)
  255. {
  256. struct audit_tree_refs *p, *q;
  257. for (p = ctx->first_trees; p; p = q) {
  258. q = p->next;
  259. kfree(p);
  260. }
  261. }
  262. static int match_tree_refs(struct audit_context *ctx, struct audit_tree *tree)
  263. {
  264. #ifdef CONFIG_AUDIT_TREE
  265. struct audit_tree_refs *p;
  266. int n;
  267. if (!tree)
  268. return 0;
  269. /* full ones */
  270. for (p = ctx->first_trees; p != ctx->trees; p = p->next) {
  271. for (n = 0; n < 31; n++)
  272. if (audit_tree_match(p->c[n], tree))
  273. return 1;
  274. }
  275. /* partial */
  276. if (p) {
  277. for (n = ctx->tree_count; n < 31; n++)
  278. if (audit_tree_match(p->c[n], tree))
  279. return 1;
  280. }
  281. #endif
  282. return 0;
  283. }
  284. static int audit_compare_uid(kuid_t uid,
  285. struct audit_names *name,
  286. struct audit_field *f,
  287. struct audit_context *ctx)
  288. {
  289. struct audit_names *n;
  290. int rc;
  291. if (name) {
  292. rc = audit_uid_comparator(uid, f->op, name->uid);
  293. if (rc)
  294. return rc;
  295. }
  296. if (ctx) {
  297. list_for_each_entry(n, &ctx->names_list, list) {
  298. rc = audit_uid_comparator(uid, f->op, n->uid);
  299. if (rc)
  300. return rc;
  301. }
  302. }
  303. return 0;
  304. }
  305. static int audit_compare_gid(kgid_t gid,
  306. struct audit_names *name,
  307. struct audit_field *f,
  308. struct audit_context *ctx)
  309. {
  310. struct audit_names *n;
  311. int rc;
  312. if (name) {
  313. rc = audit_gid_comparator(gid, f->op, name->gid);
  314. if (rc)
  315. return rc;
  316. }
  317. if (ctx) {
  318. list_for_each_entry(n, &ctx->names_list, list) {
  319. rc = audit_gid_comparator(gid, f->op, n->gid);
  320. if (rc)
  321. return rc;
  322. }
  323. }
  324. return 0;
  325. }
  326. static int audit_field_compare(struct task_struct *tsk,
  327. const struct cred *cred,
  328. struct audit_field *f,
  329. struct audit_context *ctx,
  330. struct audit_names *name)
  331. {
  332. switch (f->val) {
  333. /* process to file object comparisons */
  334. case AUDIT_COMPARE_UID_TO_OBJ_UID:
  335. return audit_compare_uid(cred->uid, name, f, ctx);
  336. case AUDIT_COMPARE_GID_TO_OBJ_GID:
  337. return audit_compare_gid(cred->gid, name, f, ctx);
  338. case AUDIT_COMPARE_EUID_TO_OBJ_UID:
  339. return audit_compare_uid(cred->euid, name, f, ctx);
  340. case AUDIT_COMPARE_EGID_TO_OBJ_GID:
  341. return audit_compare_gid(cred->egid, name, f, ctx);
  342. case AUDIT_COMPARE_AUID_TO_OBJ_UID:
  343. return audit_compare_uid(tsk->loginuid, name, f, ctx);
  344. case AUDIT_COMPARE_SUID_TO_OBJ_UID:
  345. return audit_compare_uid(cred->suid, name, f, ctx);
  346. case AUDIT_COMPARE_SGID_TO_OBJ_GID:
  347. return audit_compare_gid(cred->sgid, name, f, ctx);
  348. case AUDIT_COMPARE_FSUID_TO_OBJ_UID:
  349. return audit_compare_uid(cred->fsuid, name, f, ctx);
  350. case AUDIT_COMPARE_FSGID_TO_OBJ_GID:
  351. return audit_compare_gid(cred->fsgid, name, f, ctx);
  352. /* uid comparisons */
  353. case AUDIT_COMPARE_UID_TO_AUID:
  354. return audit_uid_comparator(cred->uid, f->op, tsk->loginuid);
  355. case AUDIT_COMPARE_UID_TO_EUID:
  356. return audit_uid_comparator(cred->uid, f->op, cred->euid);
  357. case AUDIT_COMPARE_UID_TO_SUID:
  358. return audit_uid_comparator(cred->uid, f->op, cred->suid);
  359. case AUDIT_COMPARE_UID_TO_FSUID:
  360. return audit_uid_comparator(cred->uid, f->op, cred->fsuid);
  361. /* auid comparisons */
  362. case AUDIT_COMPARE_AUID_TO_EUID:
  363. return audit_uid_comparator(tsk->loginuid, f->op, cred->euid);
  364. case AUDIT_COMPARE_AUID_TO_SUID:
  365. return audit_uid_comparator(tsk->loginuid, f->op, cred->suid);
  366. case AUDIT_COMPARE_AUID_TO_FSUID:
  367. return audit_uid_comparator(tsk->loginuid, f->op, cred->fsuid);
  368. /* euid comparisons */
  369. case AUDIT_COMPARE_EUID_TO_SUID:
  370. return audit_uid_comparator(cred->euid, f->op, cred->suid);
  371. case AUDIT_COMPARE_EUID_TO_FSUID:
  372. return audit_uid_comparator(cred->euid, f->op, cred->fsuid);
  373. /* suid comparisons */
  374. case AUDIT_COMPARE_SUID_TO_FSUID:
  375. return audit_uid_comparator(cred->suid, f->op, cred->fsuid);
  376. /* gid comparisons */
  377. case AUDIT_COMPARE_GID_TO_EGID:
  378. return audit_gid_comparator(cred->gid, f->op, cred->egid);
  379. case AUDIT_COMPARE_GID_TO_SGID:
  380. return audit_gid_comparator(cred->gid, f->op, cred->sgid);
  381. case AUDIT_COMPARE_GID_TO_FSGID:
  382. return audit_gid_comparator(cred->gid, f->op, cred->fsgid);
  383. /* egid comparisons */
  384. case AUDIT_COMPARE_EGID_TO_SGID:
  385. return audit_gid_comparator(cred->egid, f->op, cred->sgid);
  386. case AUDIT_COMPARE_EGID_TO_FSGID:
  387. return audit_gid_comparator(cred->egid, f->op, cred->fsgid);
  388. /* sgid comparison */
  389. case AUDIT_COMPARE_SGID_TO_FSGID:
  390. return audit_gid_comparator(cred->sgid, f->op, cred->fsgid);
  391. default:
  392. WARN(1, "Missing AUDIT_COMPARE define. Report as a bug\n");
  393. return 0;
  394. }
  395. return 0;
  396. }
  397. /* Determine if any context name data matches a rule's watch data */
  398. /* Compare a task_struct with an audit_rule. Return 1 on match, 0
  399. * otherwise.
  400. *
  401. * If task_creation is true, this is an explicit indication that we are
  402. * filtering a task rule at task creation time. This and tsk == current are
  403. * the only situations where tsk->cred may be accessed without an rcu read lock.
  404. */
  405. static int audit_filter_rules(struct task_struct *tsk,
  406. struct audit_krule *rule,
  407. struct audit_context *ctx,
  408. struct audit_names *name,
  409. enum audit_state *state,
  410. bool task_creation)
  411. {
  412. const struct cred *cred;
  413. int i, need_sid = 1;
  414. u32 sid;
  415. unsigned int sessionid;
  416. cred = rcu_dereference_check(tsk->cred, tsk == current || task_creation);
  417. for (i = 0; i < rule->field_count; i++) {
  418. struct audit_field *f = &rule->fields[i];
  419. struct audit_names *n;
  420. int result = 0;
  421. pid_t pid;
  422. switch (f->type) {
  423. case AUDIT_PID:
  424. pid = task_tgid_nr(tsk);
  425. result = audit_comparator(pid, f->op, f->val);
  426. break;
  427. case AUDIT_PPID:
  428. if (ctx) {
  429. if (!ctx->ppid)
  430. ctx->ppid = task_ppid_nr(tsk);
  431. result = audit_comparator(ctx->ppid, f->op, f->val);
  432. }
  433. break;
  434. case AUDIT_EXE:
  435. result = audit_exe_compare(tsk, rule->exe);
  436. if (f->op == Audit_not_equal)
  437. result = !result;
  438. break;
  439. case AUDIT_UID:
  440. result = audit_uid_comparator(cred->uid, f->op, f->uid);
  441. break;
  442. case AUDIT_EUID:
  443. result = audit_uid_comparator(cred->euid, f->op, f->uid);
  444. break;
  445. case AUDIT_SUID:
  446. result = audit_uid_comparator(cred->suid, f->op, f->uid);
  447. break;
  448. case AUDIT_FSUID:
  449. result = audit_uid_comparator(cred->fsuid, f->op, f->uid);
  450. break;
  451. case AUDIT_GID:
  452. result = audit_gid_comparator(cred->gid, f->op, f->gid);
  453. if (f->op == Audit_equal) {
  454. if (!result)
  455. result = in_group_p(f->gid);
  456. } else if (f->op == Audit_not_equal) {
  457. if (result)
  458. result = !in_group_p(f->gid);
  459. }
  460. break;
  461. case AUDIT_EGID:
  462. result = audit_gid_comparator(cred->egid, f->op, f->gid);
  463. if (f->op == Audit_equal) {
  464. if (!result)
  465. result = in_egroup_p(f->gid);
  466. } else if (f->op == Audit_not_equal) {
  467. if (result)
  468. result = !in_egroup_p(f->gid);
  469. }
  470. break;
  471. case AUDIT_SGID:
  472. result = audit_gid_comparator(cred->sgid, f->op, f->gid);
  473. break;
  474. case AUDIT_FSGID:
  475. result = audit_gid_comparator(cred->fsgid, f->op, f->gid);
  476. break;
  477. case AUDIT_SESSIONID:
  478. sessionid = audit_get_sessionid(current);
  479. result = audit_comparator(sessionid, f->op, f->val);
  480. break;
  481. case AUDIT_PERS:
  482. result = audit_comparator(tsk->personality, f->op, f->val);
  483. break;
  484. case AUDIT_ARCH:
  485. if (ctx)
  486. result = audit_comparator(ctx->arch, f->op, f->val);
  487. break;
  488. case AUDIT_EXIT:
  489. if (ctx && ctx->return_valid)
  490. result = audit_comparator(ctx->return_code, f->op, f->val);
  491. break;
  492. case AUDIT_SUCCESS:
  493. if (ctx && ctx->return_valid) {
  494. if (f->val)
  495. result = audit_comparator(ctx->return_valid, f->op, AUDITSC_SUCCESS);
  496. else
  497. result = audit_comparator(ctx->return_valid, f->op, AUDITSC_FAILURE);
  498. }
  499. break;
  500. case AUDIT_DEVMAJOR:
  501. if (name) {
  502. if (audit_comparator(MAJOR(name->dev), f->op, f->val) ||
  503. audit_comparator(MAJOR(name->rdev), f->op, f->val))
  504. ++result;
  505. } else if (ctx) {
  506. list_for_each_entry(n, &ctx->names_list, list) {
  507. if (audit_comparator(MAJOR(n->dev), f->op, f->val) ||
  508. audit_comparator(MAJOR(n->rdev), f->op, f->val)) {
  509. ++result;
  510. break;
  511. }
  512. }
  513. }
  514. break;
  515. case AUDIT_DEVMINOR:
  516. if (name) {
  517. if (audit_comparator(MINOR(name->dev), f->op, f->val) ||
  518. audit_comparator(MINOR(name->rdev), f->op, f->val))
  519. ++result;
  520. } else if (ctx) {
  521. list_for_each_entry(n, &ctx->names_list, list) {
  522. if (audit_comparator(MINOR(n->dev), f->op, f->val) ||
  523. audit_comparator(MINOR(n->rdev), f->op, f->val)) {
  524. ++result;
  525. break;
  526. }
  527. }
  528. }
  529. break;
  530. case AUDIT_INODE:
  531. if (name)
  532. result = audit_comparator(name->ino, f->op, f->val);
  533. else if (ctx) {
  534. list_for_each_entry(n, &ctx->names_list, list) {
  535. if (audit_comparator(n->ino, f->op, f->val)) {
  536. ++result;
  537. break;
  538. }
  539. }
  540. }
  541. break;
  542. case AUDIT_OBJ_UID:
  543. if (name) {
  544. result = audit_uid_comparator(name->uid, f->op, f->uid);
  545. } else if (ctx) {
  546. list_for_each_entry(n, &ctx->names_list, list) {
  547. if (audit_uid_comparator(n->uid, f->op, f->uid)) {
  548. ++result;
  549. break;
  550. }
  551. }
  552. }
  553. break;
  554. case AUDIT_OBJ_GID:
  555. if (name) {
  556. result = audit_gid_comparator(name->gid, f->op, f->gid);
  557. } else if (ctx) {
  558. list_for_each_entry(n, &ctx->names_list, list) {
  559. if (audit_gid_comparator(n->gid, f->op, f->gid)) {
  560. ++result;
  561. break;
  562. }
  563. }
  564. }
  565. break;
  566. case AUDIT_WATCH:
  567. if (name)
  568. result = audit_watch_compare(rule->watch, name->ino, name->dev);
  569. break;
  570. case AUDIT_DIR:
  571. if (ctx)
  572. result = match_tree_refs(ctx, rule->tree);
  573. break;
  574. case AUDIT_LOGINUID:
  575. result = audit_uid_comparator(tsk->loginuid, f->op, f->uid);
  576. break;
  577. case AUDIT_LOGINUID_SET:
  578. result = audit_comparator(audit_loginuid_set(tsk), f->op, f->val);
  579. break;
  580. case AUDIT_SUBJ_USER:
  581. case AUDIT_SUBJ_ROLE:
  582. case AUDIT_SUBJ_TYPE:
  583. case AUDIT_SUBJ_SEN:
  584. case AUDIT_SUBJ_CLR:
  585. /* NOTE: this may return negative values indicating
  586. a temporary error. We simply treat this as a
  587. match for now to avoid losing information that
  588. may be wanted. An error message will also be
  589. logged upon error */
  590. if (f->lsm_rule) {
  591. if (need_sid) {
  592. security_task_getsecid(tsk, &sid);
  593. need_sid = 0;
  594. }
  595. result = security_audit_rule_match(sid, f->type,
  596. f->op,
  597. f->lsm_rule,
  598. ctx);
  599. }
  600. break;
  601. case AUDIT_OBJ_USER:
  602. case AUDIT_OBJ_ROLE:
  603. case AUDIT_OBJ_TYPE:
  604. case AUDIT_OBJ_LEV_LOW:
  605. case AUDIT_OBJ_LEV_HIGH:
  606. /* The above note for AUDIT_SUBJ_USER...AUDIT_SUBJ_CLR
  607. also applies here */
  608. if (f->lsm_rule) {
  609. /* Find files that match */
  610. if (name) {
  611. result = security_audit_rule_match(
  612. name->osid, f->type, f->op,
  613. f->lsm_rule, ctx);
  614. } else if (ctx) {
  615. list_for_each_entry(n, &ctx->names_list, list) {
  616. if (security_audit_rule_match(n->osid, f->type,
  617. f->op, f->lsm_rule,
  618. ctx)) {
  619. ++result;
  620. break;
  621. }
  622. }
  623. }
  624. /* Find ipc objects that match */
  625. if (!ctx || ctx->type != AUDIT_IPC)
  626. break;
  627. if (security_audit_rule_match(ctx->ipc.osid,
  628. f->type, f->op,
  629. f->lsm_rule, ctx))
  630. ++result;
  631. }
  632. break;
  633. case AUDIT_ARG0:
  634. case AUDIT_ARG1:
  635. case AUDIT_ARG2:
  636. case AUDIT_ARG3:
  637. if (ctx)
  638. result = audit_comparator(ctx->argv[f->type-AUDIT_ARG0], f->op, f->val);
  639. break;
  640. case AUDIT_FILTERKEY:
  641. /* ignore this field for filtering */
  642. result = 1;
  643. break;
  644. case AUDIT_PERM:
  645. result = audit_match_perm(ctx, f->val);
  646. break;
  647. case AUDIT_FILETYPE:
  648. result = audit_match_filetype(ctx, f->val);
  649. break;
  650. case AUDIT_FIELD_COMPARE:
  651. result = audit_field_compare(tsk, cred, f, ctx, name);
  652. break;
  653. }
  654. if (!result)
  655. return 0;
  656. }
  657. if (ctx) {
  658. if (rule->prio <= ctx->prio)
  659. return 0;
  660. if (rule->filterkey) {
  661. kfree(ctx->filterkey);
  662. ctx->filterkey = kstrdup(rule->filterkey, GFP_ATOMIC);
  663. }
  664. ctx->prio = rule->prio;
  665. }
  666. switch (rule->action) {
  667. case AUDIT_NEVER:
  668. *state = AUDIT_DISABLED;
  669. break;
  670. case AUDIT_ALWAYS:
  671. *state = AUDIT_RECORD_CONTEXT;
  672. break;
  673. }
  674. return 1;
  675. }
  676. /* At process creation time, we can determine if system-call auditing is
  677. * completely disabled for this task. Since we only have the task
  678. * structure at this point, we can only check uid and gid.
  679. */
  680. static enum audit_state audit_filter_task(struct task_struct *tsk, char **key)
  681. {
  682. struct audit_entry *e;
  683. enum audit_state state;
  684. rcu_read_lock();
  685. list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TASK], list) {
  686. if (audit_filter_rules(tsk, &e->rule, NULL, NULL,
  687. &state, true)) {
  688. if (state == AUDIT_RECORD_CONTEXT)
  689. *key = kstrdup(e->rule.filterkey, GFP_ATOMIC);
  690. rcu_read_unlock();
  691. return state;
  692. }
  693. }
  694. rcu_read_unlock();
  695. return AUDIT_BUILD_CONTEXT;
  696. }
  697. static int audit_in_mask(const struct audit_krule *rule, unsigned long val)
  698. {
  699. int word, bit;
  700. if (val > 0xffffffff)
  701. return false;
  702. word = AUDIT_WORD(val);
  703. if (word >= AUDIT_BITMASK_SIZE)
  704. return false;
  705. bit = AUDIT_BIT(val);
  706. return rule->mask[word] & bit;
  707. }
  708. /* At syscall entry and exit time, this filter is called if the
  709. * audit_state is not low enough that auditing cannot take place, but is
  710. * also not high enough that we already know we have to write an audit
  711. * record (i.e., the state is AUDIT_SETUP_CONTEXT or AUDIT_BUILD_CONTEXT).
  712. */
  713. static enum audit_state audit_filter_syscall(struct task_struct *tsk,
  714. struct audit_context *ctx,
  715. struct list_head *list)
  716. {
  717. struct audit_entry *e;
  718. enum audit_state state;
  719. if (auditd_test_task(tsk))
  720. return AUDIT_DISABLED;
  721. rcu_read_lock();
  722. if (!list_empty(list)) {
  723. list_for_each_entry_rcu(e, list, list) {
  724. if (audit_in_mask(&e->rule, ctx->major) &&
  725. audit_filter_rules(tsk, &e->rule, ctx, NULL,
  726. &state, false)) {
  727. rcu_read_unlock();
  728. ctx->current_state = state;
  729. return state;
  730. }
  731. }
  732. }
  733. rcu_read_unlock();
  734. return AUDIT_BUILD_CONTEXT;
  735. }
  736. /*
  737. * Given an audit_name check the inode hash table to see if they match.
  738. * Called holding the rcu read lock to protect the use of audit_inode_hash
  739. */
  740. static int audit_filter_inode_name(struct task_struct *tsk,
  741. struct audit_names *n,
  742. struct audit_context *ctx) {
  743. int h = audit_hash_ino((u32)n->ino);
  744. struct list_head *list = &audit_inode_hash[h];
  745. struct audit_entry *e;
  746. enum audit_state state;
  747. if (list_empty(list))
  748. return 0;
  749. list_for_each_entry_rcu(e, list, list) {
  750. if (audit_in_mask(&e->rule, ctx->major) &&
  751. audit_filter_rules(tsk, &e->rule, ctx, n, &state, false)) {
  752. ctx->current_state = state;
  753. return 1;
  754. }
  755. }
  756. return 0;
  757. }
  758. /* At syscall exit time, this filter is called if any audit_names have been
  759. * collected during syscall processing. We only check rules in sublists at hash
  760. * buckets applicable to the inode numbers in audit_names.
  761. * Regarding audit_state, same rules apply as for audit_filter_syscall().
  762. */
  763. void audit_filter_inodes(struct task_struct *tsk, struct audit_context *ctx)
  764. {
  765. struct audit_names *n;
  766. if (auditd_test_task(tsk))
  767. return;
  768. rcu_read_lock();
  769. list_for_each_entry(n, &ctx->names_list, list) {
  770. if (audit_filter_inode_name(tsk, n, ctx))
  771. break;
  772. }
  773. rcu_read_unlock();
  774. }
  775. /* Transfer the audit context pointer to the caller, clearing it in the tsk's struct */
  776. static inline struct audit_context *audit_take_context(struct task_struct *tsk,
  777. int return_valid,
  778. long return_code)
  779. {
  780. struct audit_context *context = tsk->audit_context;
  781. if (!context)
  782. return NULL;
  783. context->return_valid = return_valid;
  784. /*
  785. * we need to fix up the return code in the audit logs if the actual
  786. * return codes are later going to be fixed up by the arch specific
  787. * signal handlers
  788. *
  789. * This is actually a test for:
  790. * (rc == ERESTARTSYS ) || (rc == ERESTARTNOINTR) ||
  791. * (rc == ERESTARTNOHAND) || (rc == ERESTART_RESTARTBLOCK)
  792. *
  793. * but is faster than a bunch of ||
  794. */
  795. if (unlikely(return_code <= -ERESTARTSYS) &&
  796. (return_code >= -ERESTART_RESTARTBLOCK) &&
  797. (return_code != -ENOIOCTLCMD))
  798. context->return_code = -EINTR;
  799. else
  800. context->return_code = return_code;
  801. if (context->in_syscall && !context->dummy) {
  802. audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_EXIT]);
  803. audit_filter_inodes(tsk, context);
  804. }
  805. tsk->audit_context = NULL;
  806. return context;
  807. }
  808. static inline void audit_proctitle_free(struct audit_context *context)
  809. {
  810. kfree(context->proctitle.value);
  811. context->proctitle.value = NULL;
  812. context->proctitle.len = 0;
  813. }
  814. static inline void audit_free_names(struct audit_context *context)
  815. {
  816. struct audit_names *n, *next;
  817. list_for_each_entry_safe(n, next, &context->names_list, list) {
  818. list_del(&n->list);
  819. if (n->name)
  820. putname(n->name);
  821. if (n->should_free)
  822. kfree(n);
  823. }
  824. context->name_count = 0;
  825. path_put(&context->pwd);
  826. context->pwd.dentry = NULL;
  827. context->pwd.mnt = NULL;
  828. }
  829. static inline void audit_free_aux(struct audit_context *context)
  830. {
  831. struct audit_aux_data *aux;
  832. while ((aux = context->aux)) {
  833. context->aux = aux->next;
  834. kfree(aux);
  835. }
  836. while ((aux = context->aux_pids)) {
  837. context->aux_pids = aux->next;
  838. kfree(aux);
  839. }
  840. }
  841. static inline struct audit_context *audit_alloc_context(enum audit_state state)
  842. {
  843. struct audit_context *context;
  844. context = kzalloc(sizeof(*context), GFP_KERNEL);
  845. if (!context)
  846. return NULL;
  847. context->state = state;
  848. context->prio = state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0;
  849. INIT_LIST_HEAD(&context->killed_trees);
  850. INIT_LIST_HEAD(&context->names_list);
  851. return context;
  852. }
  853. /**
  854. * audit_alloc - allocate an audit context block for a task
  855. * @tsk: task
  856. *
  857. * Filter on the task information and allocate a per-task audit context
  858. * if necessary. Doing so turns on system call auditing for the
  859. * specified task. This is called from copy_process, so no lock is
  860. * needed.
  861. */
  862. int audit_alloc(struct task_struct *tsk)
  863. {
  864. struct audit_context *context;
  865. enum audit_state state;
  866. char *key = NULL;
  867. if (likely(!audit_ever_enabled))
  868. return 0; /* Return if not auditing. */
  869. state = audit_filter_task(tsk, &key);
  870. if (state == AUDIT_DISABLED) {
  871. clear_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT);
  872. return 0;
  873. }
  874. if (!(context = audit_alloc_context(state))) {
  875. kfree(key);
  876. audit_log_lost("out of memory in audit_alloc");
  877. return -ENOMEM;
  878. }
  879. context->filterkey = key;
  880. tsk->audit_context = context;
  881. set_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT);
  882. return 0;
  883. }
  884. static inline void audit_free_context(struct audit_context *context)
  885. {
  886. audit_free_names(context);
  887. unroll_tree_refs(context, NULL, 0);
  888. free_tree_refs(context);
  889. audit_free_aux(context);
  890. kfree(context->filterkey);
  891. kfree(context->sockaddr);
  892. audit_proctitle_free(context);
  893. kfree(context);
  894. }
  895. static int audit_log_pid_context(struct audit_context *context, pid_t pid,
  896. kuid_t auid, kuid_t uid, unsigned int sessionid,
  897. u32 sid, char *comm)
  898. {
  899. struct audit_buffer *ab;
  900. char *ctx = NULL;
  901. u32 len;
  902. int rc = 0;
  903. ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID);
  904. if (!ab)
  905. return rc;
  906. audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid,
  907. from_kuid(&init_user_ns, auid),
  908. from_kuid(&init_user_ns, uid), sessionid);
  909. if (sid) {
  910. if (security_secid_to_secctx(sid, &ctx, &len)) {
  911. audit_log_format(ab, " obj=(none)");
  912. rc = 1;
  913. } else {
  914. audit_log_format(ab, " obj=%s", ctx);
  915. security_release_secctx(ctx, len);
  916. }
  917. }
  918. audit_log_format(ab, " ocomm=");
  919. audit_log_untrustedstring(ab, comm);
  920. audit_log_end(ab);
  921. return rc;
  922. }
  923. static void audit_log_execve_info(struct audit_context *context,
  924. struct audit_buffer **ab)
  925. {
  926. long len_max;
  927. long len_rem;
  928. long len_full;
  929. long len_buf;
  930. long len_abuf = 0;
  931. long len_tmp;
  932. bool require_data;
  933. bool encode;
  934. unsigned int iter;
  935. unsigned int arg;
  936. char *buf_head;
  937. char *buf;
  938. const char __user *p = (const char __user *)current->mm->arg_start;
  939. /* NOTE: this buffer needs to be large enough to hold all the non-arg
  940. * data we put in the audit record for this argument (see the
  941. * code below) ... at this point in time 96 is plenty */
  942. char abuf[96];
  943. /* NOTE: we set MAX_EXECVE_AUDIT_LEN to a rather arbitrary limit, the
  944. * current value of 7500 is not as important as the fact that it
  945. * is less than 8k, a setting of 7500 gives us plenty of wiggle
  946. * room if we go over a little bit in the logging below */
  947. WARN_ON_ONCE(MAX_EXECVE_AUDIT_LEN > 7500);
  948. len_max = MAX_EXECVE_AUDIT_LEN;
  949. /* scratch buffer to hold the userspace args */
  950. buf_head = kmalloc(MAX_EXECVE_AUDIT_LEN + 1, GFP_KERNEL);
  951. if (!buf_head) {
  952. audit_panic("out of memory for argv string");
  953. return;
  954. }
  955. buf = buf_head;
  956. audit_log_format(*ab, "argc=%d", context->execve.argc);
  957. len_rem = len_max;
  958. len_buf = 0;
  959. len_full = 0;
  960. require_data = true;
  961. encode = false;
  962. iter = 0;
  963. arg = 0;
  964. do {
  965. /* NOTE: we don't ever want to trust this value for anything
  966. * serious, but the audit record format insists we
  967. * provide an argument length for really long arguments,
  968. * e.g. > MAX_EXECVE_AUDIT_LEN, so we have no choice but
  969. * to use strncpy_from_user() to obtain this value for
  970. * recording in the log, although we don't use it
  971. * anywhere here to avoid a double-fetch problem */
  972. if (len_full == 0)
  973. len_full = strnlen_user(p, MAX_ARG_STRLEN) - 1;
  974. /* read more data from userspace */
  975. if (require_data) {
  976. /* can we make more room in the buffer? */
  977. if (buf != buf_head) {
  978. memmove(buf_head, buf, len_buf);
  979. buf = buf_head;
  980. }
  981. /* fetch as much as we can of the argument */
  982. len_tmp = strncpy_from_user(&buf_head[len_buf], p,
  983. len_max - len_buf);
  984. if (len_tmp == -EFAULT) {
  985. /* unable to copy from userspace */
  986. send_sig(SIGKILL, current, 0);
  987. goto out;
  988. } else if (len_tmp == (len_max - len_buf)) {
  989. /* buffer is not large enough */
  990. require_data = true;
  991. /* NOTE: if we are going to span multiple
  992. * buffers force the encoding so we stand
  993. * a chance at a sane len_full value and
  994. * consistent record encoding */
  995. encode = true;
  996. len_full = len_full * 2;
  997. p += len_tmp;
  998. } else {
  999. require_data = false;
  1000. if (!encode)
  1001. encode = audit_string_contains_control(
  1002. buf, len_tmp);
  1003. /* try to use a trusted value for len_full */
  1004. if (len_full < len_max)
  1005. len_full = (encode ?
  1006. len_tmp * 2 : len_tmp);
  1007. p += len_tmp + 1;
  1008. }
  1009. len_buf += len_tmp;
  1010. buf_head[len_buf] = '\0';
  1011. /* length of the buffer in the audit record? */
  1012. len_abuf = (encode ? len_buf * 2 : len_buf + 2);
  1013. }
  1014. /* write as much as we can to the audit log */
  1015. if (len_buf >= 0) {
  1016. /* NOTE: some magic numbers here - basically if we
  1017. * can't fit a reasonable amount of data into the
  1018. * existing audit buffer, flush it and start with
  1019. * a new buffer */
  1020. if ((sizeof(abuf) + 8) > len_rem) {
  1021. len_rem = len_max;
  1022. audit_log_end(*ab);
  1023. *ab = audit_log_start(context,
  1024. GFP_KERNEL, AUDIT_EXECVE);
  1025. if (!*ab)
  1026. goto out;
  1027. }
  1028. /* create the non-arg portion of the arg record */
  1029. len_tmp = 0;
  1030. if (require_data || (iter > 0) ||
  1031. ((len_abuf + sizeof(abuf)) > len_rem)) {
  1032. if (iter == 0) {
  1033. len_tmp += snprintf(&abuf[len_tmp],
  1034. sizeof(abuf) - len_tmp,
  1035. " a%d_len=%lu",
  1036. arg, len_full);
  1037. }
  1038. len_tmp += snprintf(&abuf[len_tmp],
  1039. sizeof(abuf) - len_tmp,
  1040. " a%d[%d]=", arg, iter++);
  1041. } else
  1042. len_tmp += snprintf(&abuf[len_tmp],
  1043. sizeof(abuf) - len_tmp,
  1044. " a%d=", arg);
  1045. WARN_ON(len_tmp >= sizeof(abuf));
  1046. abuf[sizeof(abuf) - 1] = '\0';
  1047. /* log the arg in the audit record */
  1048. audit_log_format(*ab, "%s", abuf);
  1049. len_rem -= len_tmp;
  1050. len_tmp = len_buf;
  1051. if (encode) {
  1052. if (len_abuf > len_rem)
  1053. len_tmp = len_rem / 2; /* encoding */
  1054. audit_log_n_hex(*ab, buf, len_tmp);
  1055. len_rem -= len_tmp * 2;
  1056. len_abuf -= len_tmp * 2;
  1057. } else {
  1058. if (len_abuf > len_rem)
  1059. len_tmp = len_rem - 2; /* quotes */
  1060. audit_log_n_string(*ab, buf, len_tmp);
  1061. len_rem -= len_tmp + 2;
  1062. /* don't subtract the "2" because we still need
  1063. * to add quotes to the remaining string */
  1064. len_abuf -= len_tmp;
  1065. }
  1066. len_buf -= len_tmp;
  1067. buf += len_tmp;
  1068. }
  1069. /* ready to move to the next argument? */
  1070. if ((len_buf == 0) && !require_data) {
  1071. arg++;
  1072. iter = 0;
  1073. len_full = 0;
  1074. require_data = true;
  1075. encode = false;
  1076. }
  1077. } while (arg < context->execve.argc);
  1078. /* NOTE: the caller handles the final audit_log_end() call */
  1079. out:
  1080. kfree(buf_head);
  1081. }
  1082. static void show_special(struct audit_context *context, int *call_panic)
  1083. {
  1084. struct audit_buffer *ab;
  1085. int i;
  1086. ab = audit_log_start(context, GFP_KERNEL, context->type);
  1087. if (!ab)
  1088. return;
  1089. switch (context->type) {
  1090. case AUDIT_SOCKETCALL: {
  1091. int nargs = context->socketcall.nargs;
  1092. audit_log_format(ab, "nargs=%d", nargs);
  1093. for (i = 0; i < nargs; i++)
  1094. audit_log_format(ab, " a%d=%lx", i,
  1095. context->socketcall.args[i]);
  1096. break; }
  1097. case AUDIT_IPC: {
  1098. u32 osid = context->ipc.osid;
  1099. audit_log_format(ab, "ouid=%u ogid=%u mode=%#ho",
  1100. from_kuid(&init_user_ns, context->ipc.uid),
  1101. from_kgid(&init_user_ns, context->ipc.gid),
  1102. context->ipc.mode);
  1103. if (osid) {
  1104. char *ctx = NULL;
  1105. u32 len;
  1106. if (security_secid_to_secctx(osid, &ctx, &len)) {
  1107. audit_log_format(ab, " osid=%u", osid);
  1108. *call_panic = 1;
  1109. } else {
  1110. audit_log_format(ab, " obj=%s", ctx);
  1111. security_release_secctx(ctx, len);
  1112. }
  1113. }
  1114. if (context->ipc.has_perm) {
  1115. audit_log_end(ab);
  1116. ab = audit_log_start(context, GFP_KERNEL,
  1117. AUDIT_IPC_SET_PERM);
  1118. if (unlikely(!ab))
  1119. return;
  1120. audit_log_format(ab,
  1121. "qbytes=%lx ouid=%u ogid=%u mode=%#ho",
  1122. context->ipc.qbytes,
  1123. context->ipc.perm_uid,
  1124. context->ipc.perm_gid,
  1125. context->ipc.perm_mode);
  1126. }
  1127. break; }
  1128. case AUDIT_MQ_OPEN:
  1129. audit_log_format(ab,
  1130. "oflag=0x%x mode=%#ho mq_flags=0x%lx mq_maxmsg=%ld "
  1131. "mq_msgsize=%ld mq_curmsgs=%ld",
  1132. context->mq_open.oflag, context->mq_open.mode,
  1133. context->mq_open.attr.mq_flags,
  1134. context->mq_open.attr.mq_maxmsg,
  1135. context->mq_open.attr.mq_msgsize,
  1136. context->mq_open.attr.mq_curmsgs);
  1137. break;
  1138. case AUDIT_MQ_SENDRECV:
  1139. audit_log_format(ab,
  1140. "mqdes=%d msg_len=%zd msg_prio=%u "
  1141. "abs_timeout_sec=%lld abs_timeout_nsec=%ld",
  1142. context->mq_sendrecv.mqdes,
  1143. context->mq_sendrecv.msg_len,
  1144. context->mq_sendrecv.msg_prio,
  1145. (long long) context->mq_sendrecv.abs_timeout.tv_sec,
  1146. context->mq_sendrecv.abs_timeout.tv_nsec);
  1147. break;
  1148. case AUDIT_MQ_NOTIFY:
  1149. audit_log_format(ab, "mqdes=%d sigev_signo=%d",
  1150. context->mq_notify.mqdes,
  1151. context->mq_notify.sigev_signo);
  1152. break;
  1153. case AUDIT_MQ_GETSETATTR: {
  1154. struct mq_attr *attr = &context->mq_getsetattr.mqstat;
  1155. audit_log_format(ab,
  1156. "mqdes=%d mq_flags=0x%lx mq_maxmsg=%ld mq_msgsize=%ld "
  1157. "mq_curmsgs=%ld ",
  1158. context->mq_getsetattr.mqdes,
  1159. attr->mq_flags, attr->mq_maxmsg,
  1160. attr->mq_msgsize, attr->mq_curmsgs);
  1161. break; }
  1162. case AUDIT_CAPSET:
  1163. audit_log_format(ab, "pid=%d", context->capset.pid);
  1164. audit_log_cap(ab, "cap_pi", &context->capset.cap.inheritable);
  1165. audit_log_cap(ab, "cap_pp", &context->capset.cap.permitted);
  1166. audit_log_cap(ab, "cap_pe", &context->capset.cap.effective);
  1167. audit_log_cap(ab, "cap_pa", &context->capset.cap.ambient);
  1168. break;
  1169. case AUDIT_MMAP:
  1170. audit_log_format(ab, "fd=%d flags=0x%x", context->mmap.fd,
  1171. context->mmap.flags);
  1172. break;
  1173. case AUDIT_EXECVE:
  1174. audit_log_execve_info(context, &ab);
  1175. break;
  1176. case AUDIT_KERN_MODULE:
  1177. audit_log_format(ab, "name=");
  1178. if (context->module.name) {
  1179. audit_log_untrustedstring(ab, context->module.name);
  1180. kfree(context->module.name);
  1181. } else
  1182. audit_log_format(ab, "(null)");
  1183. break;
  1184. }
  1185. audit_log_end(ab);
  1186. }
  1187. static inline int audit_proctitle_rtrim(char *proctitle, int len)
  1188. {
  1189. char *end = proctitle + len - 1;
  1190. while (end > proctitle && !isprint(*end))
  1191. end--;
  1192. /* catch the case where proctitle is only 1 non-print character */
  1193. len = end - proctitle + 1;
  1194. len -= isprint(proctitle[len-1]) == 0;
  1195. return len;
  1196. }
  1197. static void audit_log_proctitle(struct task_struct *tsk,
  1198. struct audit_context *context)
  1199. {
  1200. int res;
  1201. char *buf;
  1202. char *msg = "(null)";
  1203. int len = strlen(msg);
  1204. struct audit_buffer *ab;
  1205. ab = audit_log_start(context, GFP_KERNEL, AUDIT_PROCTITLE);
  1206. if (!ab)
  1207. return; /* audit_panic or being filtered */
  1208. audit_log_format(ab, "proctitle=");
  1209. /* Not cached */
  1210. if (!context->proctitle.value) {
  1211. buf = kmalloc(MAX_PROCTITLE_AUDIT_LEN, GFP_KERNEL);
  1212. if (!buf)
  1213. goto out;
  1214. /* Historically called this from procfs naming */
  1215. res = get_cmdline(tsk, buf, MAX_PROCTITLE_AUDIT_LEN);
  1216. if (res == 0) {
  1217. kfree(buf);
  1218. goto out;
  1219. }
  1220. res = audit_proctitle_rtrim(buf, res);
  1221. if (res == 0) {
  1222. kfree(buf);
  1223. goto out;
  1224. }
  1225. context->proctitle.value = buf;
  1226. context->proctitle.len = res;
  1227. }
  1228. msg = context->proctitle.value;
  1229. len = context->proctitle.len;
  1230. out:
  1231. audit_log_n_untrustedstring(ab, msg, len);
  1232. audit_log_end(ab);
  1233. }
  1234. static void audit_log_exit(struct audit_context *context, struct task_struct *tsk)
  1235. {
  1236. int i, call_panic = 0;
  1237. struct audit_buffer *ab;
  1238. struct audit_aux_data *aux;
  1239. struct audit_names *n;
  1240. /* tsk == current */
  1241. context->personality = tsk->personality;
  1242. ab = audit_log_start(context, GFP_KERNEL, AUDIT_SYSCALL);
  1243. if (!ab)
  1244. return; /* audit_panic has been called */
  1245. audit_log_format(ab, "arch=%x syscall=%d",
  1246. context->arch, context->major);
  1247. if (context->personality != PER_LINUX)
  1248. audit_log_format(ab, " per=%lx", context->personality);
  1249. if (context->return_valid)
  1250. audit_log_format(ab, " success=%s exit=%ld",
  1251. (context->return_valid==AUDITSC_SUCCESS)?"yes":"no",
  1252. context->return_code);
  1253. audit_log_format(ab,
  1254. " a0=%lx a1=%lx a2=%lx a3=%lx items=%d",
  1255. context->argv[0],
  1256. context->argv[1],
  1257. context->argv[2],
  1258. context->argv[3],
  1259. context->name_count);
  1260. audit_log_task_info(ab, tsk);
  1261. audit_log_key(ab, context->filterkey);
  1262. audit_log_end(ab);
  1263. for (aux = context->aux; aux; aux = aux->next) {
  1264. ab = audit_log_start(context, GFP_KERNEL, aux->type);
  1265. if (!ab)
  1266. continue; /* audit_panic has been called */
  1267. switch (aux->type) {
  1268. case AUDIT_BPRM_FCAPS: {
  1269. struct audit_aux_data_bprm_fcaps *axs = (void *)aux;
  1270. audit_log_format(ab, "fver=%x", axs->fcap_ver);
  1271. audit_log_cap(ab, "fp", &axs->fcap.permitted);
  1272. audit_log_cap(ab, "fi", &axs->fcap.inheritable);
  1273. audit_log_format(ab, " fe=%d", axs->fcap.fE);
  1274. audit_log_cap(ab, "old_pp", &axs->old_pcap.permitted);
  1275. audit_log_cap(ab, "old_pi", &axs->old_pcap.inheritable);
  1276. audit_log_cap(ab, "old_pe", &axs->old_pcap.effective);
  1277. audit_log_cap(ab, "old_pa", &axs->old_pcap.ambient);
  1278. audit_log_cap(ab, "pp", &axs->new_pcap.permitted);
  1279. audit_log_cap(ab, "pi", &axs->new_pcap.inheritable);
  1280. audit_log_cap(ab, "pe", &axs->new_pcap.effective);
  1281. audit_log_cap(ab, "pa", &axs->new_pcap.ambient);
  1282. break; }
  1283. }
  1284. audit_log_end(ab);
  1285. }
  1286. if (context->type)
  1287. show_special(context, &call_panic);
  1288. if (context->fds[0] >= 0) {
  1289. ab = audit_log_start(context, GFP_KERNEL, AUDIT_FD_PAIR);
  1290. if (ab) {
  1291. audit_log_format(ab, "fd0=%d fd1=%d",
  1292. context->fds[0], context->fds[1]);
  1293. audit_log_end(ab);
  1294. }
  1295. }
  1296. if (context->sockaddr_len) {
  1297. ab = audit_log_start(context, GFP_KERNEL, AUDIT_SOCKADDR);
  1298. if (ab) {
  1299. audit_log_format(ab, "saddr=");
  1300. audit_log_n_hex(ab, (void *)context->sockaddr,
  1301. context->sockaddr_len);
  1302. audit_log_end(ab);
  1303. }
  1304. }
  1305. for (aux = context->aux_pids; aux; aux = aux->next) {
  1306. struct audit_aux_data_pids *axs = (void *)aux;
  1307. for (i = 0; i < axs->pid_count; i++)
  1308. if (audit_log_pid_context(context, axs->target_pid[i],
  1309. axs->target_auid[i],
  1310. axs->target_uid[i],
  1311. axs->target_sessionid[i],
  1312. axs->target_sid[i],
  1313. axs->target_comm[i]))
  1314. call_panic = 1;
  1315. }
  1316. if (context->target_pid &&
  1317. audit_log_pid_context(context, context->target_pid,
  1318. context->target_auid, context->target_uid,
  1319. context->target_sessionid,
  1320. context->target_sid, context->target_comm))
  1321. call_panic = 1;
  1322. if (context->pwd.dentry && context->pwd.mnt) {
  1323. ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD);
  1324. if (ab) {
  1325. audit_log_d_path(ab, "cwd=", &context->pwd);
  1326. audit_log_end(ab);
  1327. }
  1328. }
  1329. i = 0;
  1330. list_for_each_entry(n, &context->names_list, list) {
  1331. if (n->hidden)
  1332. continue;
  1333. audit_log_name(context, n, NULL, i++, &call_panic);
  1334. }
  1335. audit_log_proctitle(tsk, context);
  1336. /* Send end of event record to help user space know we are finished */
  1337. ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE);
  1338. if (ab)
  1339. audit_log_end(ab);
  1340. if (call_panic)
  1341. audit_panic("error converting sid to string");
  1342. }
  1343. /**
  1344. * __audit_free - free a per-task audit context
  1345. * @tsk: task whose audit context block to free
  1346. *
  1347. * Called from copy_process and do_exit
  1348. */
  1349. void __audit_free(struct task_struct *tsk)
  1350. {
  1351. struct audit_context *context;
  1352. context = audit_take_context(tsk, 0, 0);
  1353. if (!context)
  1354. return;
  1355. /* Check for system calls that do not go through the exit
  1356. * function (e.g., exit_group), then free context block.
  1357. * We use GFP_ATOMIC here because we might be doing this
  1358. * in the context of the idle thread */
  1359. /* that can happen only if we are called from do_exit() */
  1360. if (context->in_syscall && context->current_state == AUDIT_RECORD_CONTEXT)
  1361. audit_log_exit(context, tsk);
  1362. if (!list_empty(&context->killed_trees))
  1363. audit_kill_trees(&context->killed_trees);
  1364. audit_free_context(context);
  1365. }
  1366. /**
  1367. * __audit_syscall_entry - fill in an audit record at syscall entry
  1368. * @major: major syscall type (function)
  1369. * @a1: additional syscall register 1
  1370. * @a2: additional syscall register 2
  1371. * @a3: additional syscall register 3
  1372. * @a4: additional syscall register 4
  1373. *
  1374. * Fill in audit context at syscall entry. This only happens if the
  1375. * audit context was created when the task was created and the state or
  1376. * filters demand the audit context be built. If the state from the
  1377. * per-task filter or from the per-syscall filter is AUDIT_RECORD_CONTEXT,
  1378. * then the record will be written at syscall exit time (otherwise, it
  1379. * will only be written if another part of the kernel requests that it
  1380. * be written).
  1381. */
  1382. void __audit_syscall_entry(int major, unsigned long a1, unsigned long a2,
  1383. unsigned long a3, unsigned long a4)
  1384. {
  1385. struct task_struct *tsk = current;
  1386. struct audit_context *context = tsk->audit_context;
  1387. enum audit_state state;
  1388. if (!context)
  1389. return;
  1390. BUG_ON(context->in_syscall || context->name_count);
  1391. if (!audit_enabled)
  1392. return;
  1393. context->arch = syscall_get_arch();
  1394. context->major = major;
  1395. context->argv[0] = a1;
  1396. context->argv[1] = a2;
  1397. context->argv[2] = a3;
  1398. context->argv[3] = a4;
  1399. state = context->state;
  1400. context->dummy = !audit_n_rules;
  1401. if (!context->dummy && state == AUDIT_BUILD_CONTEXT) {
  1402. context->prio = 0;
  1403. state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_ENTRY]);
  1404. }
  1405. if (state == AUDIT_DISABLED)
  1406. return;
  1407. context->serial = 0;
  1408. context->ctime = current_kernel_time64();
  1409. context->in_syscall = 1;
  1410. context->current_state = state;
  1411. context->ppid = 0;
  1412. }
  1413. /**
  1414. * __audit_syscall_exit - deallocate audit context after a system call
  1415. * @success: success value of the syscall
  1416. * @return_code: return value of the syscall
  1417. *
  1418. * Tear down after system call. If the audit context has been marked as
  1419. * auditable (either because of the AUDIT_RECORD_CONTEXT state from
  1420. * filtering, or because some other part of the kernel wrote an audit
  1421. * message), then write out the syscall information. In call cases,
  1422. * free the names stored from getname().
  1423. */
  1424. void __audit_syscall_exit(int success, long return_code)
  1425. {
  1426. struct task_struct *tsk = current;
  1427. struct audit_context *context;
  1428. if (success)
  1429. success = AUDITSC_SUCCESS;
  1430. else
  1431. success = AUDITSC_FAILURE;
  1432. context = audit_take_context(tsk, success, return_code);
  1433. if (!context)
  1434. return;
  1435. if (context->in_syscall && context->current_state == AUDIT_RECORD_CONTEXT)
  1436. audit_log_exit(context, tsk);
  1437. context->in_syscall = 0;
  1438. context->prio = context->state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0;
  1439. if (!list_empty(&context->killed_trees))
  1440. audit_kill_trees(&context->killed_trees);
  1441. audit_free_names(context);
  1442. unroll_tree_refs(context, NULL, 0);
  1443. audit_free_aux(context);
  1444. context->aux = NULL;
  1445. context->aux_pids = NULL;
  1446. context->target_pid = 0;
  1447. context->target_sid = 0;
  1448. context->sockaddr_len = 0;
  1449. context->type = 0;
  1450. context->fds[0] = -1;
  1451. if (context->state != AUDIT_RECORD_CONTEXT) {
  1452. kfree(context->filterkey);
  1453. context->filterkey = NULL;
  1454. }
  1455. tsk->audit_context = context;
  1456. }
  1457. static inline void handle_one(const struct inode *inode)
  1458. {
  1459. #ifdef CONFIG_AUDIT_TREE
  1460. struct audit_context *context;
  1461. struct audit_tree_refs *p;
  1462. struct audit_chunk *chunk;
  1463. int count;
  1464. if (likely(!inode->i_fsnotify_marks))
  1465. return;
  1466. context = current->audit_context;
  1467. p = context->trees;
  1468. count = context->tree_count;
  1469. rcu_read_lock();
  1470. chunk = audit_tree_lookup(inode);
  1471. rcu_read_unlock();
  1472. if (!chunk)
  1473. return;
  1474. if (likely(put_tree_ref(context, chunk)))
  1475. return;
  1476. if (unlikely(!grow_tree_refs(context))) {
  1477. pr_warn("out of memory, audit has lost a tree reference\n");
  1478. audit_set_auditable(context);
  1479. audit_put_chunk(chunk);
  1480. unroll_tree_refs(context, p, count);
  1481. return;
  1482. }
  1483. put_tree_ref(context, chunk);
  1484. #endif
  1485. }
  1486. static void handle_path(const struct dentry *dentry)
  1487. {
  1488. #ifdef CONFIG_AUDIT_TREE
  1489. struct audit_context *context;
  1490. struct audit_tree_refs *p;
  1491. const struct dentry *d, *parent;
  1492. struct audit_chunk *drop;
  1493. unsigned long seq;
  1494. int count;
  1495. context = current->audit_context;
  1496. p = context->trees;
  1497. count = context->tree_count;
  1498. retry:
  1499. drop = NULL;
  1500. d = dentry;
  1501. rcu_read_lock();
  1502. seq = read_seqbegin(&rename_lock);
  1503. for(;;) {
  1504. struct inode *inode = d_backing_inode(d);
  1505. if (inode && unlikely(inode->i_fsnotify_marks)) {
  1506. struct audit_chunk *chunk;
  1507. chunk = audit_tree_lookup(inode);
  1508. if (chunk) {
  1509. if (unlikely(!put_tree_ref(context, chunk))) {
  1510. drop = chunk;
  1511. break;
  1512. }
  1513. }
  1514. }
  1515. parent = d->d_parent;
  1516. if (parent == d)
  1517. break;
  1518. d = parent;
  1519. }
  1520. if (unlikely(read_seqretry(&rename_lock, seq) || drop)) { /* in this order */
  1521. rcu_read_unlock();
  1522. if (!drop) {
  1523. /* just a race with rename */
  1524. unroll_tree_refs(context, p, count);
  1525. goto retry;
  1526. }
  1527. audit_put_chunk(drop);
  1528. if (grow_tree_refs(context)) {
  1529. /* OK, got more space */
  1530. unroll_tree_refs(context, p, count);
  1531. goto retry;
  1532. }
  1533. /* too bad */
  1534. pr_warn("out of memory, audit has lost a tree reference\n");
  1535. unroll_tree_refs(context, p, count);
  1536. audit_set_auditable(context);
  1537. return;
  1538. }
  1539. rcu_read_unlock();
  1540. #endif
  1541. }
  1542. static struct audit_names *audit_alloc_name(struct audit_context *context,
  1543. unsigned char type)
  1544. {
  1545. struct audit_names *aname;
  1546. if (context->name_count < AUDIT_NAMES) {
  1547. aname = &context->preallocated_names[context->name_count];
  1548. memset(aname, 0, sizeof(*aname));
  1549. } else {
  1550. aname = kzalloc(sizeof(*aname), GFP_NOFS);
  1551. if (!aname)
  1552. return NULL;
  1553. aname->should_free = true;
  1554. }
  1555. aname->ino = AUDIT_INO_UNSET;
  1556. aname->type = type;
  1557. list_add_tail(&aname->list, &context->names_list);
  1558. context->name_count++;
  1559. return aname;
  1560. }
  1561. /**
  1562. * __audit_reusename - fill out filename with info from existing entry
  1563. * @uptr: userland ptr to pathname
  1564. *
  1565. * Search the audit_names list for the current audit context. If there is an
  1566. * existing entry with a matching "uptr" then return the filename
  1567. * associated with that audit_name. If not, return NULL.
  1568. */
  1569. struct filename *
  1570. __audit_reusename(const __user char *uptr)
  1571. {
  1572. struct audit_context *context = current->audit_context;
  1573. struct audit_names *n;
  1574. list_for_each_entry(n, &context->names_list, list) {
  1575. if (!n->name)
  1576. continue;
  1577. if (n->name->uptr == uptr) {
  1578. n->name->refcnt++;
  1579. return n->name;
  1580. }
  1581. }
  1582. return NULL;
  1583. }
  1584. /**
  1585. * __audit_getname - add a name to the list
  1586. * @name: name to add
  1587. *
  1588. * Add a name to the list of audit names for this context.
  1589. * Called from fs/namei.c:getname().
  1590. */
  1591. void __audit_getname(struct filename *name)
  1592. {
  1593. struct audit_context *context = current->audit_context;
  1594. struct audit_names *n;
  1595. if (!context->in_syscall)
  1596. return;
  1597. n = audit_alloc_name(context, AUDIT_TYPE_UNKNOWN);
  1598. if (!n)
  1599. return;
  1600. n->name = name;
  1601. n->name_len = AUDIT_NAME_FULL;
  1602. name->aname = n;
  1603. name->refcnt++;
  1604. if (!context->pwd.dentry)
  1605. get_fs_pwd(current->fs, &context->pwd);
  1606. }
  1607. /**
  1608. * __audit_inode - store the inode and device from a lookup
  1609. * @name: name being audited
  1610. * @dentry: dentry being audited
  1611. * @flags: attributes for this particular entry
  1612. */
  1613. void __audit_inode(struct filename *name, const struct dentry *dentry,
  1614. unsigned int flags)
  1615. {
  1616. struct audit_context *context = current->audit_context;
  1617. struct inode *inode = d_backing_inode(dentry);
  1618. struct audit_names *n;
  1619. bool parent = flags & AUDIT_INODE_PARENT;
  1620. if (!context->in_syscall)
  1621. return;
  1622. if (!name)
  1623. goto out_alloc;
  1624. /*
  1625. * If we have a pointer to an audit_names entry already, then we can
  1626. * just use it directly if the type is correct.
  1627. */
  1628. n = name->aname;
  1629. if (n) {
  1630. if (parent) {
  1631. if (n->type == AUDIT_TYPE_PARENT ||
  1632. n->type == AUDIT_TYPE_UNKNOWN)
  1633. goto out;
  1634. } else {
  1635. if (n->type != AUDIT_TYPE_PARENT)
  1636. goto out;
  1637. }
  1638. }
  1639. list_for_each_entry_reverse(n, &context->names_list, list) {
  1640. if (n->ino) {
  1641. /* valid inode number, use that for the comparison */
  1642. if (n->ino != inode->i_ino ||
  1643. n->dev != inode->i_sb->s_dev)
  1644. continue;
  1645. } else if (n->name) {
  1646. /* inode number has not been set, check the name */
  1647. if (strcmp(n->name->name, name->name))
  1648. continue;
  1649. } else
  1650. /* no inode and no name (?!) ... this is odd ... */
  1651. continue;
  1652. /* match the correct record type */
  1653. if (parent) {
  1654. if (n->type == AUDIT_TYPE_PARENT ||
  1655. n->type == AUDIT_TYPE_UNKNOWN)
  1656. goto out;
  1657. } else {
  1658. if (n->type != AUDIT_TYPE_PARENT)
  1659. goto out;
  1660. }
  1661. }
  1662. out_alloc:
  1663. /* unable to find an entry with both a matching name and type */
  1664. n = audit_alloc_name(context, AUDIT_TYPE_UNKNOWN);
  1665. if (!n)
  1666. return;
  1667. if (name) {
  1668. n->name = name;
  1669. name->refcnt++;
  1670. }
  1671. out:
  1672. if (parent) {
  1673. n->name_len = n->name ? parent_len(n->name->name) : AUDIT_NAME_FULL;
  1674. n->type = AUDIT_TYPE_PARENT;
  1675. if (flags & AUDIT_INODE_HIDDEN)
  1676. n->hidden = true;
  1677. } else {
  1678. n->name_len = AUDIT_NAME_FULL;
  1679. n->type = AUDIT_TYPE_NORMAL;
  1680. }
  1681. handle_path(dentry);
  1682. audit_copy_inode(n, dentry, inode);
  1683. }
  1684. void __audit_file(const struct file *file)
  1685. {
  1686. __audit_inode(NULL, file->f_path.dentry, 0);
  1687. }
  1688. /**
  1689. * __audit_inode_child - collect inode info for created/removed objects
  1690. * @parent: inode of dentry parent
  1691. * @dentry: dentry being audited
  1692. * @type: AUDIT_TYPE_* value that we're looking for
  1693. *
  1694. * For syscalls that create or remove filesystem objects, audit_inode
  1695. * can only collect information for the filesystem object's parent.
  1696. * This call updates the audit context with the child's information.
  1697. * Syscalls that create a new filesystem object must be hooked after
  1698. * the object is created. Syscalls that remove a filesystem object
  1699. * must be hooked prior, in order to capture the target inode during
  1700. * unsuccessful attempts.
  1701. */
  1702. void __audit_inode_child(struct inode *parent,
  1703. const struct dentry *dentry,
  1704. const unsigned char type)
  1705. {
  1706. struct audit_context *context = current->audit_context;
  1707. struct inode *inode = d_backing_inode(dentry);
  1708. const char *dname = dentry->d_name.name;
  1709. struct audit_names *n, *found_parent = NULL, *found_child = NULL;
  1710. if (!context->in_syscall)
  1711. return;
  1712. if (inode)
  1713. handle_one(inode);
  1714. /* look for a parent entry first */
  1715. list_for_each_entry(n, &context->names_list, list) {
  1716. if (!n->name ||
  1717. (n->type != AUDIT_TYPE_PARENT &&
  1718. n->type != AUDIT_TYPE_UNKNOWN))
  1719. continue;
  1720. if (n->ino == parent->i_ino && n->dev == parent->i_sb->s_dev &&
  1721. !audit_compare_dname_path(dname,
  1722. n->name->name, n->name_len)) {
  1723. if (n->type == AUDIT_TYPE_UNKNOWN)
  1724. n->type = AUDIT_TYPE_PARENT;
  1725. found_parent = n;
  1726. break;
  1727. }
  1728. }
  1729. /* is there a matching child entry? */
  1730. list_for_each_entry(n, &context->names_list, list) {
  1731. /* can only match entries that have a name */
  1732. if (!n->name ||
  1733. (n->type != type && n->type != AUDIT_TYPE_UNKNOWN))
  1734. continue;
  1735. if (!strcmp(dname, n->name->name) ||
  1736. !audit_compare_dname_path(dname, n->name->name,
  1737. found_parent ?
  1738. found_parent->name_len :
  1739. AUDIT_NAME_FULL)) {
  1740. if (n->type == AUDIT_TYPE_UNKNOWN)
  1741. n->type = type;
  1742. found_child = n;
  1743. break;
  1744. }
  1745. }
  1746. if (!found_parent) {
  1747. /* create a new, "anonymous" parent record */
  1748. n = audit_alloc_name(context, AUDIT_TYPE_PARENT);
  1749. if (!n)
  1750. return;
  1751. audit_copy_inode(n, NULL, parent);
  1752. }
  1753. if (!found_child) {
  1754. found_child = audit_alloc_name(context, type);
  1755. if (!found_child)
  1756. return;
  1757. /* Re-use the name belonging to the slot for a matching parent
  1758. * directory. All names for this context are relinquished in
  1759. * audit_free_names() */
  1760. if (found_parent) {
  1761. found_child->name = found_parent->name;
  1762. found_child->name_len = AUDIT_NAME_FULL;
  1763. found_child->name->refcnt++;
  1764. }
  1765. }
  1766. if (inode)
  1767. audit_copy_inode(found_child, dentry, inode);
  1768. else
  1769. found_child->ino = AUDIT_INO_UNSET;
  1770. }
  1771. EXPORT_SYMBOL_GPL(__audit_inode_child);
  1772. /**
  1773. * auditsc_get_stamp - get local copies of audit_context values
  1774. * @ctx: audit_context for the task
  1775. * @t: timespec64 to store time recorded in the audit_context
  1776. * @serial: serial value that is recorded in the audit_context
  1777. *
  1778. * Also sets the context as auditable.
  1779. */
  1780. int auditsc_get_stamp(struct audit_context *ctx,
  1781. struct timespec64 *t, unsigned int *serial)
  1782. {
  1783. if (!ctx->in_syscall)
  1784. return 0;
  1785. if (!ctx->serial)
  1786. ctx->serial = audit_serial();
  1787. t->tv_sec = ctx->ctime.tv_sec;
  1788. t->tv_nsec = ctx->ctime.tv_nsec;
  1789. *serial = ctx->serial;
  1790. if (!ctx->prio) {
  1791. ctx->prio = 1;
  1792. ctx->current_state = AUDIT_RECORD_CONTEXT;
  1793. }
  1794. return 1;
  1795. }
  1796. /* global counter which is incremented every time something logs in */
  1797. static atomic_t session_id = ATOMIC_INIT(0);
  1798. static int audit_set_loginuid_perm(kuid_t loginuid)
  1799. {
  1800. /* if we are unset, we don't need privs */
  1801. if (!audit_loginuid_set(current))
  1802. return 0;
  1803. /* if AUDIT_FEATURE_LOGINUID_IMMUTABLE means never ever allow a change*/
  1804. if (is_audit_feature_set(AUDIT_FEATURE_LOGINUID_IMMUTABLE))
  1805. return -EPERM;
  1806. /* it is set, you need permission */
  1807. if (!capable(CAP_AUDIT_CONTROL))
  1808. return -EPERM;
  1809. /* reject if this is not an unset and we don't allow that */
  1810. if (is_audit_feature_set(AUDIT_FEATURE_ONLY_UNSET_LOGINUID) && uid_valid(loginuid))
  1811. return -EPERM;
  1812. return 0;
  1813. }
  1814. static void audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid,
  1815. unsigned int oldsessionid, unsigned int sessionid,
  1816. int rc)
  1817. {
  1818. struct audit_buffer *ab;
  1819. uid_t uid, oldloginuid, loginuid;
  1820. struct tty_struct *tty;
  1821. if (!audit_enabled)
  1822. return;
  1823. ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN);
  1824. if (!ab)
  1825. return;
  1826. uid = from_kuid(&init_user_ns, task_uid(current));
  1827. oldloginuid = from_kuid(&init_user_ns, koldloginuid);
  1828. loginuid = from_kuid(&init_user_ns, kloginuid),
  1829. tty = audit_get_tty(current);
  1830. audit_log_format(ab, "pid=%d uid=%u", task_tgid_nr(current), uid);
  1831. audit_log_task_context(ab);
  1832. audit_log_format(ab, " old-auid=%u auid=%u tty=%s old-ses=%u ses=%u res=%d",
  1833. oldloginuid, loginuid, tty ? tty_name(tty) : "(none)",
  1834. oldsessionid, sessionid, !rc);
  1835. audit_put_tty(tty);
  1836. audit_log_end(ab);
  1837. }
  1838. /**
  1839. * audit_set_loginuid - set current task's audit_context loginuid
  1840. * @loginuid: loginuid value
  1841. *
  1842. * Returns 0.
  1843. *
  1844. * Called (set) from fs/proc/base.c::proc_loginuid_write().
  1845. */
  1846. int audit_set_loginuid(kuid_t loginuid)
  1847. {
  1848. struct task_struct *task = current;
  1849. unsigned int oldsessionid, sessionid = (unsigned int)-1;
  1850. kuid_t oldloginuid;
  1851. int rc;
  1852. oldloginuid = audit_get_loginuid(current);
  1853. oldsessionid = audit_get_sessionid(current);
  1854. rc = audit_set_loginuid_perm(loginuid);
  1855. if (rc)
  1856. goto out;
  1857. /* are we setting or clearing? */
  1858. if (uid_valid(loginuid)) {
  1859. sessionid = (unsigned int)atomic_inc_return(&session_id);
  1860. if (unlikely(sessionid == (unsigned int)-1))
  1861. sessionid = (unsigned int)atomic_inc_return(&session_id);
  1862. }
  1863. task->sessionid = sessionid;
  1864. task->loginuid = loginuid;
  1865. out:
  1866. audit_log_set_loginuid(oldloginuid, loginuid, oldsessionid, sessionid, rc);
  1867. return rc;
  1868. }
  1869. /**
  1870. * __audit_mq_open - record audit data for a POSIX MQ open
  1871. * @oflag: open flag
  1872. * @mode: mode bits
  1873. * @attr: queue attributes
  1874. *
  1875. */
  1876. void __audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr)
  1877. {
  1878. struct audit_context *context = current->audit_context;
  1879. if (attr)
  1880. memcpy(&context->mq_open.attr, attr, sizeof(struct mq_attr));
  1881. else
  1882. memset(&context->mq_open.attr, 0, sizeof(struct mq_attr));
  1883. context->mq_open.oflag = oflag;
  1884. context->mq_open.mode = mode;
  1885. context->type = AUDIT_MQ_OPEN;
  1886. }
  1887. /**
  1888. * __audit_mq_sendrecv - record audit data for a POSIX MQ timed send/receive
  1889. * @mqdes: MQ descriptor
  1890. * @msg_len: Message length
  1891. * @msg_prio: Message priority
  1892. * @abs_timeout: Message timeout in absolute time
  1893. *
  1894. */
  1895. void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio,
  1896. const struct timespec64 *abs_timeout)
  1897. {
  1898. struct audit_context *context = current->audit_context;
  1899. struct timespec64 *p = &context->mq_sendrecv.abs_timeout;
  1900. if (abs_timeout)
  1901. memcpy(p, abs_timeout, sizeof(*p));
  1902. else
  1903. memset(p, 0, sizeof(*p));
  1904. context->mq_sendrecv.mqdes = mqdes;
  1905. context->mq_sendrecv.msg_len = msg_len;
  1906. context->mq_sendrecv.msg_prio = msg_prio;
  1907. context->type = AUDIT_MQ_SENDRECV;
  1908. }
  1909. /**
  1910. * __audit_mq_notify - record audit data for a POSIX MQ notify
  1911. * @mqdes: MQ descriptor
  1912. * @notification: Notification event
  1913. *
  1914. */
  1915. void __audit_mq_notify(mqd_t mqdes, const struct sigevent *notification)
  1916. {
  1917. struct audit_context *context = current->audit_context;
  1918. if (notification)
  1919. context->mq_notify.sigev_signo = notification->sigev_signo;
  1920. else
  1921. context->mq_notify.sigev_signo = 0;
  1922. context->mq_notify.mqdes = mqdes;
  1923. context->type = AUDIT_MQ_NOTIFY;
  1924. }
  1925. /**
  1926. * __audit_mq_getsetattr - record audit data for a POSIX MQ get/set attribute
  1927. * @mqdes: MQ descriptor
  1928. * @mqstat: MQ flags
  1929. *
  1930. */
  1931. void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat)
  1932. {
  1933. struct audit_context *context = current->audit_context;
  1934. context->mq_getsetattr.mqdes = mqdes;
  1935. context->mq_getsetattr.mqstat = *mqstat;
  1936. context->type = AUDIT_MQ_GETSETATTR;
  1937. }
  1938. /**
  1939. * __audit_ipc_obj - record audit data for ipc object
  1940. * @ipcp: ipc permissions
  1941. *
  1942. */
  1943. void __audit_ipc_obj(struct kern_ipc_perm *ipcp)
  1944. {
  1945. struct audit_context *context = current->audit_context;
  1946. context->ipc.uid = ipcp->uid;
  1947. context->ipc.gid = ipcp->gid;
  1948. context->ipc.mode = ipcp->mode;
  1949. context->ipc.has_perm = 0;
  1950. security_ipc_getsecid(ipcp, &context->ipc.osid);
  1951. context->type = AUDIT_IPC;
  1952. }
  1953. /**
  1954. * __audit_ipc_set_perm - record audit data for new ipc permissions
  1955. * @qbytes: msgq bytes
  1956. * @uid: msgq user id
  1957. * @gid: msgq group id
  1958. * @mode: msgq mode (permissions)
  1959. *
  1960. * Called only after audit_ipc_obj().
  1961. */
  1962. void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode)
  1963. {
  1964. struct audit_context *context = current->audit_context;
  1965. context->ipc.qbytes = qbytes;
  1966. context->ipc.perm_uid = uid;
  1967. context->ipc.perm_gid = gid;
  1968. context->ipc.perm_mode = mode;
  1969. context->ipc.has_perm = 1;
  1970. }
  1971. void __audit_bprm(struct linux_binprm *bprm)
  1972. {
  1973. struct audit_context *context = current->audit_context;
  1974. context->type = AUDIT_EXECVE;
  1975. context->execve.argc = bprm->argc;
  1976. }
  1977. /**
  1978. * __audit_socketcall - record audit data for sys_socketcall
  1979. * @nargs: number of args, which should not be more than AUDITSC_ARGS.
  1980. * @args: args array
  1981. *
  1982. */
  1983. int __audit_socketcall(int nargs, unsigned long *args)
  1984. {
  1985. struct audit_context *context = current->audit_context;
  1986. if (nargs <= 0 || nargs > AUDITSC_ARGS || !args)
  1987. return -EINVAL;
  1988. context->type = AUDIT_SOCKETCALL;
  1989. context->socketcall.nargs = nargs;
  1990. memcpy(context->socketcall.args, args, nargs * sizeof(unsigned long));
  1991. return 0;
  1992. }
  1993. /**
  1994. * __audit_fd_pair - record audit data for pipe and socketpair
  1995. * @fd1: the first file descriptor
  1996. * @fd2: the second file descriptor
  1997. *
  1998. */
  1999. void __audit_fd_pair(int fd1, int fd2)
  2000. {
  2001. struct audit_context *context = current->audit_context;
  2002. context->fds[0] = fd1;
  2003. context->fds[1] = fd2;
  2004. }
  2005. /**
  2006. * __audit_sockaddr - record audit data for sys_bind, sys_connect, sys_sendto
  2007. * @len: data length in user space
  2008. * @a: data address in kernel space
  2009. *
  2010. * Returns 0 for success or NULL context or < 0 on error.
  2011. */
  2012. int __audit_sockaddr(int len, void *a)
  2013. {
  2014. struct audit_context *context = current->audit_context;
  2015. if (!context->sockaddr) {
  2016. void *p = kmalloc(sizeof(struct sockaddr_storage), GFP_KERNEL);
  2017. if (!p)
  2018. return -ENOMEM;
  2019. context->sockaddr = p;
  2020. }
  2021. context->sockaddr_len = len;
  2022. memcpy(context->sockaddr, a, len);
  2023. return 0;
  2024. }
  2025. void __audit_ptrace(struct task_struct *t)
  2026. {
  2027. struct audit_context *context = current->audit_context;
  2028. context->target_pid = task_tgid_nr(t);
  2029. context->target_auid = audit_get_loginuid(t);
  2030. context->target_uid = task_uid(t);
  2031. context->target_sessionid = audit_get_sessionid(t);
  2032. security_task_getsecid(t, &context->target_sid);
  2033. memcpy(context->target_comm, t->comm, TASK_COMM_LEN);
  2034. }
  2035. /**
  2036. * audit_signal_info - record signal info for shutting down audit subsystem
  2037. * @sig: signal value
  2038. * @t: task being signaled
  2039. *
  2040. * If the audit subsystem is being terminated, record the task (pid)
  2041. * and uid that is doing that.
  2042. */
  2043. int audit_signal_info(int sig, struct task_struct *t)
  2044. {
  2045. struct audit_aux_data_pids *axp;
  2046. struct task_struct *tsk = current;
  2047. struct audit_context *ctx = tsk->audit_context;
  2048. kuid_t uid = current_uid(), t_uid = task_uid(t);
  2049. if (auditd_test_task(t) &&
  2050. (sig == SIGTERM || sig == SIGHUP ||
  2051. sig == SIGUSR1 || sig == SIGUSR2)) {
  2052. audit_sig_pid = task_tgid_nr(tsk);
  2053. if (uid_valid(tsk->loginuid))
  2054. audit_sig_uid = tsk->loginuid;
  2055. else
  2056. audit_sig_uid = uid;
  2057. security_task_getsecid(tsk, &audit_sig_sid);
  2058. }
  2059. if (!audit_signals || audit_dummy_context())
  2060. return 0;
  2061. /* optimize the common case by putting first signal recipient directly
  2062. * in audit_context */
  2063. if (!ctx->target_pid) {
  2064. ctx->target_pid = task_tgid_nr(t);
  2065. ctx->target_auid = audit_get_loginuid(t);
  2066. ctx->target_uid = t_uid;
  2067. ctx->target_sessionid = audit_get_sessionid(t);
  2068. security_task_getsecid(t, &ctx->target_sid);
  2069. memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN);
  2070. return 0;
  2071. }
  2072. axp = (void *)ctx->aux_pids;
  2073. if (!axp || axp->pid_count == AUDIT_AUX_PIDS) {
  2074. axp = kzalloc(sizeof(*axp), GFP_ATOMIC);
  2075. if (!axp)
  2076. return -ENOMEM;
  2077. axp->d.type = AUDIT_OBJ_PID;
  2078. axp->d.next = ctx->aux_pids;
  2079. ctx->aux_pids = (void *)axp;
  2080. }
  2081. BUG_ON(axp->pid_count >= AUDIT_AUX_PIDS);
  2082. axp->target_pid[axp->pid_count] = task_tgid_nr(t);
  2083. axp->target_auid[axp->pid_count] = audit_get_loginuid(t);
  2084. axp->target_uid[axp->pid_count] = t_uid;
  2085. axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t);
  2086. security_task_getsecid(t, &axp->target_sid[axp->pid_count]);
  2087. memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN);
  2088. axp->pid_count++;
  2089. return 0;
  2090. }
  2091. /**
  2092. * __audit_log_bprm_fcaps - store information about a loading bprm and relevant fcaps
  2093. * @bprm: pointer to the bprm being processed
  2094. * @new: the proposed new credentials
  2095. * @old: the old credentials
  2096. *
  2097. * Simply check if the proc already has the caps given by the file and if not
  2098. * store the priv escalation info for later auditing at the end of the syscall
  2099. *
  2100. * -Eric
  2101. */
  2102. int __audit_log_bprm_fcaps(struct linux_binprm *bprm,
  2103. const struct cred *new, const struct cred *old)
  2104. {
  2105. struct audit_aux_data_bprm_fcaps *ax;
  2106. struct audit_context *context = current->audit_context;
  2107. struct cpu_vfs_cap_data vcaps;
  2108. ax = kmalloc(sizeof(*ax), GFP_KERNEL);
  2109. if (!ax)
  2110. return -ENOMEM;
  2111. ax->d.type = AUDIT_BPRM_FCAPS;
  2112. ax->d.next = context->aux;
  2113. context->aux = (void *)ax;
  2114. get_vfs_caps_from_disk(bprm->file->f_path.dentry, &vcaps);
  2115. ax->fcap.permitted = vcaps.permitted;
  2116. ax->fcap.inheritable = vcaps.inheritable;
  2117. ax->fcap.fE = !!(vcaps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE);
  2118. ax->fcap_ver = (vcaps.magic_etc & VFS_CAP_REVISION_MASK) >> VFS_CAP_REVISION_SHIFT;
  2119. ax->old_pcap.permitted = old->cap_permitted;
  2120. ax->old_pcap.inheritable = old->cap_inheritable;
  2121. ax->old_pcap.effective = old->cap_effective;
  2122. ax->old_pcap.ambient = old->cap_ambient;
  2123. ax->new_pcap.permitted = new->cap_permitted;
  2124. ax->new_pcap.inheritable = new->cap_inheritable;
  2125. ax->new_pcap.effective = new->cap_effective;
  2126. ax->new_pcap.ambient = new->cap_ambient;
  2127. return 0;
  2128. }
  2129. /**
  2130. * __audit_log_capset - store information about the arguments to the capset syscall
  2131. * @new: the new credentials
  2132. * @old: the old (current) credentials
  2133. *
  2134. * Record the arguments userspace sent to sys_capset for later printing by the
  2135. * audit system if applicable
  2136. */
  2137. void __audit_log_capset(const struct cred *new, const struct cred *old)
  2138. {
  2139. struct audit_context *context = current->audit_context;
  2140. context->capset.pid = task_tgid_nr(current);
  2141. context->capset.cap.effective = new->cap_effective;
  2142. context->capset.cap.inheritable = new->cap_effective;
  2143. context->capset.cap.permitted = new->cap_permitted;
  2144. context->capset.cap.ambient = new->cap_ambient;
  2145. context->type = AUDIT_CAPSET;
  2146. }
  2147. void __audit_mmap_fd(int fd, int flags)
  2148. {
  2149. struct audit_context *context = current->audit_context;
  2150. context->mmap.fd = fd;
  2151. context->mmap.flags = flags;
  2152. context->type = AUDIT_MMAP;
  2153. }
  2154. void __audit_log_kern_module(char *name)
  2155. {
  2156. struct audit_context *context = current->audit_context;
  2157. context->module.name = kstrdup(name, GFP_KERNEL);
  2158. if (!context->module.name)
  2159. audit_log_lost("out of memory in __audit_log_kern_module");
  2160. context->type = AUDIT_KERN_MODULE;
  2161. }
  2162. static void audit_log_task(struct audit_buffer *ab)
  2163. {
  2164. kuid_t auid, uid;
  2165. kgid_t gid;
  2166. unsigned int sessionid;
  2167. char comm[sizeof(current->comm)];
  2168. auid = audit_get_loginuid(current);
  2169. sessionid = audit_get_sessionid(current);
  2170. current_uid_gid(&uid, &gid);
  2171. audit_log_format(ab, "auid=%u uid=%u gid=%u ses=%u",
  2172. from_kuid(&init_user_ns, auid),
  2173. from_kuid(&init_user_ns, uid),
  2174. from_kgid(&init_user_ns, gid),
  2175. sessionid);
  2176. audit_log_task_context(ab);
  2177. audit_log_format(ab, " pid=%d comm=", task_tgid_nr(current));
  2178. audit_log_untrustedstring(ab, get_task_comm(comm, current));
  2179. audit_log_d_path_exe(ab, current->mm);
  2180. }
  2181. /**
  2182. * audit_core_dumps - record information about processes that end abnormally
  2183. * @signr: signal value
  2184. *
  2185. * If a process ends with a core dump, something fishy is going on and we
  2186. * should record the event for investigation.
  2187. */
  2188. void audit_core_dumps(long signr)
  2189. {
  2190. struct audit_buffer *ab;
  2191. if (!audit_enabled)
  2192. return;
  2193. if (signr == SIGQUIT) /* don't care for those */
  2194. return;
  2195. ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
  2196. if (unlikely(!ab))
  2197. return;
  2198. audit_log_task(ab);
  2199. audit_log_format(ab, " sig=%ld res=1", signr);
  2200. audit_log_end(ab);
  2201. }
  2202. void __audit_seccomp(unsigned long syscall, long signr, int code)
  2203. {
  2204. struct audit_buffer *ab;
  2205. ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_SECCOMP);
  2206. if (unlikely(!ab))
  2207. return;
  2208. audit_log_task(ab);
  2209. audit_log_format(ab, " sig=%ld arch=%x syscall=%ld compat=%d ip=0x%lx code=0x%x",
  2210. signr, syscall_get_arch(), syscall,
  2211. in_compat_syscall(), KSTK_EIP(current), code);
  2212. audit_log_end(ab);
  2213. }
  2214. struct list_head *audit_killed_trees(void)
  2215. {
  2216. struct audit_context *ctx = current->audit_context;
  2217. if (likely(!ctx || !ctx->in_syscall))
  2218. return NULL;
  2219. return &ctx->killed_trees;
  2220. }