tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
Merge tag 'audit-pr-20190507' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit
Pull audit updates from Paul Moore:
"We've got a reasonably broad set of audit patches for the v5.2 merge
window, the highlights are below:
- The biggest change, and the source of all the arch/* changes, is
the patchset from Dmitry to help enable some of the work he is
doing around PTRACE_GET_SYSCALL_INFO.
To be honest, including this in the audit tree is a bit of a
stretch, but it does help move audit a little further along towards
proper syscall auditing for all arches, and everyone else seemed to
agree that audit was a "good" spot for this to land (or maybe they
just didn't want to merge it? dunno.).
- We can now audit time/NTP adjustments.
- We continue the work to connect associated audit records into a
single event"
* tag 'audit-pr-20190507' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit: (21 commits)
audit: fix a memory leak bug
ntp: Audit NTP parameters adjustment
timekeeping: Audit clock adjustments
audit: purge unnecessary list_empty calls
audit: link integrity evm_write_xattrs record to syscall event
syscall_get_arch: add "struct task_struct *" argument
unicore32: define syscall_get_arch()
Move EM_UNICORE to uapi/linux/elf-em.h
nios2: define syscall_get_arch()
nds32: define syscall_get_arch()
Move EM_NDS32 to uapi/linux/elf-em.h
m68k: define syscall_get_arch()
hexagon: define syscall_get_arch()
Move EM_HEXAGON to uapi/linux/elf-em.h
h8300: define syscall_get_arch()
c6x: define syscall_get_arch()
arc: define syscall_get_arch()
Move EM_ARCOMPACT and EM_ARCV2 to uapi/linux/elf-em.h
audit: Make audit_log_cap and audit_copy_inode static
audit: connect LOGIN record to its syscall record
...
+329
-105
+1
-1
arch/alpha/include/asm/syscall.h
+1
-1
arch/alpha/include/asm/syscall.h
+1
-5
arch/arc/include/asm/elf.h
+1
-5
arch/arc/include/asm/elf.h
···
10
10
#define __ASM_ARC_ELF_H
11
11
12
12
#include <linux/types.h>
13
+
#include <linux/elf-em.h>
13
14
#include <uapi/asm/elf.h>
14
-
15
-
/* These ELF defines belong to uapi but libc elf.h already defines them */
16
-
#define EM_ARCOMPACT 93
17
-
18
-
#define EM_ARCV2 195 /* ARCv2 Cores */
19
15
20
16
#define EM_ARC_INUSE (IS_ENABLED(CONFIG_ISA_ARCOMPACT) ? \
21
17
EM_ARCOMPACT : EM_ARCV2)
+11
arch/arc/include/asm/syscall.h
+11
arch/arc/include/asm/syscall.h
···
9
9
#ifndef _ASM_ARC_SYSCALL_H
10
10
#define _ASM_ARC_SYSCALL_H 1
11
11
12
+
#include <uapi/linux/audit.h>
12
13
#include <linux/err.h>
13
14
#include <linux/sched.h>
14
15
#include <asm/unistd.h>
···
66
65
args[i++] = (*inside_ptregs);
67
66
inside_ptregs--;
68
67
}
68
+
}
69
+
70
+
static inline int
71
+
syscall_get_arch(struct task_struct *task)
72
+
{
73
+
return IS_ENABLED(CONFIG_ISA_ARCOMPACT)
74
+
? (IS_ENABLED(CONFIG_CPU_BIG_ENDIAN)
75
+
? AUDIT_ARCH_ARCOMPACTBE : AUDIT_ARCH_ARCOMPACT)
76
+
: (IS_ENABLED(CONFIG_CPU_BIG_ENDIAN)
77
+
? AUDIT_ARCH_ARCV2BE : AUDIT_ARCH_ARCV2);
69
78
}
70
79
71
80
#endif
+1
-1
arch/arm/include/asm/syscall.h
+1
-1
arch/arm/include/asm/syscall.h
+2
-2
arch/arm64/include/asm/syscall.h
+2
-2
arch/arm64/include/asm/syscall.h
···
87
87
* We don't care about endianness (__AUDIT_ARCH_LE bit) here because
88
88
* AArch64 has the same system calls both on little- and big- endian.
89
89
*/
90
-
static inline int syscall_get_arch(void)
90
+
static inline int syscall_get_arch(struct task_struct *task)
91
91
{
92
-
if (is_compat_task())
92
+
if (is_compat_thread(task_thread_info(task)))
93
93
return AUDIT_ARCH_ARM;
94
94
95
95
return AUDIT_ARCH_AARCH64;
+7
arch/c6x/include/asm/syscall.h
+7
arch/c6x/include/asm/syscall.h
···
11
11
#ifndef __ASM_C6X_SYSCALL_H
12
12
#define __ASM_C6X_SYSCALL_H
13
13
14
+
#include <uapi/linux/audit.h>
14
15
#include <linux/err.h>
15
16
#include <linux/sched.h>
16
17
···
68
67
regs->b6 = *args++;
69
68
regs->a8 = *args++;
70
69
regs->a9 = *args;
70
+
}
71
+
72
+
static inline int syscall_get_arch(struct task_struct *task)
73
+
{
74
+
return IS_ENABLED(CONFIG_CPU_BIG_ENDIAN)
75
+
? AUDIT_ARCH_C6XBE : AUDIT_ARCH_C6X;
71
76
}
72
77
73
78
#endif /* __ASM_C6X_SYSCALLS_H */
+1
-1
arch/csky/include/asm/syscall.h
+1
-1
arch/csky/include/asm/syscall.h
+6
arch/h8300/include/asm/syscall.h
+6
arch/h8300/include/asm/syscall.h
···
8
8
#include <linux/linkage.h>
9
9
#include <linux/types.h>
10
10
#include <linux/ptrace.h>
11
+
#include <uapi/linux/audit.h>
11
12
12
13
static inline int
13
14
syscall_get_nr(struct task_struct *task, struct pt_regs *regs)
···
28
27
*args = regs->er6;
29
28
}
30
29
30
+
static inline int
31
+
syscall_get_arch(struct task_struct *task)
32
+
{
33
+
return AUDIT_ARCH_H8300;
34
+
}
31
35
32
36
33
37
/* Misc syscall related bits */
+1
-5
arch/hexagon/include/asm/elf.h
+1
-5
arch/hexagon/include/asm/elf.h
+8
arch/hexagon/include/asm/syscall.h
+8
arch/hexagon/include/asm/syscall.h
···
21
21
#ifndef _ASM_HEXAGON_SYSCALL_H
22
22
#define _ASM_HEXAGON_SYSCALL_H
23
23
24
+
#include <uapi/linux/audit.h>
25
+
24
26
typedef long (*syscall_fn)(unsigned long, unsigned long,
25
27
unsigned long, unsigned long,
26
28
unsigned long, unsigned long);
···
43
41
{
44
42
memcpy(args, &(®s->r00)[0], 6 * sizeof(args[0]));
45
43
}
44
+
45
+
static inline int syscall_get_arch(struct task_struct *task)
46
+
{
47
+
return AUDIT_ARCH_HEXAGON;
48
+
}
49
+
46
50
#endif
+1
-1
arch/ia64/include/asm/syscall.h
+1
-1
arch/ia64/include/asm/syscall.h
+12
arch/m68k/include/asm/syscall.h
+12
arch/m68k/include/asm/syscall.h
···
1
+
/* SPDX-License-Identifier: GPL-2.0 */
2
+
#ifndef _ASM_M68K_SYSCALL_H
3
+
#define _ASM_M68K_SYSCALL_H
4
+
5
+
#include <uapi/linux/audit.h>
6
+
7
+
static inline int syscall_get_arch(struct task_struct *task)
8
+
{
9
+
return AUDIT_ARCH_M68K;
10
+
}
11
+
12
+
#endif /* _ASM_M68K_SYSCALL_H */
+1
-1
arch/microblaze/include/asm/syscall.h
+1
-1
arch/microblaze/include/asm/syscall.h
···
105
105
asmlinkage unsigned long do_syscall_trace_enter(struct pt_regs *regs);
106
106
asmlinkage void do_syscall_trace_leave(struct pt_regs *regs);
107
107
108
-
static inline int syscall_get_arch(void)
108
+
static inline int syscall_get_arch(struct task_struct *task)
109
109
{
110
110
return AUDIT_ARCH_MICROBLAZE;
111
111
}
+3
-3
arch/mips/include/asm/syscall.h
+3
-3
arch/mips/include/asm/syscall.h
···
141
141
extern const unsigned long sys32_call_table[];
142
142
extern const unsigned long sysn32_call_table[];
143
143
144
-
static inline int syscall_get_arch(void)
144
+
static inline int syscall_get_arch(struct task_struct *task)
145
145
{
146
146
int arch = AUDIT_ARCH_MIPS;
147
147
#ifdef CONFIG_64BIT
148
-
if (!test_thread_flag(TIF_32BIT_REGS)) {
148
+
if (!test_tsk_thread_flag(task, TIF_32BIT_REGS)) {
149
149
arch |= __AUDIT_ARCH_64BIT;
150
150
/* N32 sets only TIF_32BIT_ADDR */
151
-
if (test_thread_flag(TIF_32BIT_ADDR))
151
+
if (test_tsk_thread_flag(task, TIF_32BIT_ADDR))
152
152
arch |= __AUDIT_ARCH_CONVENTION_MIPS64_N32;
153
153
}
154
154
#endif
+1
-1
arch/mips/kernel/ptrace.c
+1
-1
arch/mips/kernel/ptrace.c
+1
-2
arch/nds32/include/asm/elf.h
+1
-2
arch/nds32/include/asm/elf.h
···
10
10
11
11
#include <asm/ptrace.h>
12
12
#include <asm/fpu.h>
13
+
#include <linux/elf-em.h>
13
14
14
15
typedef unsigned long elf_greg_t;
15
16
typedef unsigned long elf_freg_t[3];
16
17
17
18
extern unsigned int elf_hwcap;
18
-
19
-
#define EM_NDS32 167
20
19
21
20
#define R_NDS32_NONE 0
22
21
#define R_NDS32_16_RELA 19
+9
arch/nds32/include/asm/syscall.h
+9
arch/nds32/include/asm/syscall.h
···
5
5
#ifndef _ASM_NDS32_SYSCALL_H
6
6
#define _ASM_NDS32_SYSCALL_H 1
7
7
8
+
#include <uapi/linux/audit.h>
8
9
#include <linux/err.h>
9
10
struct task_struct;
10
11
struct pt_regs;
···
146
145
147
146
memcpy(®s->uregs[0] + 1, args, 5 * sizeof(args[0]));
148
147
}
148
+
149
+
static inline int
150
+
syscall_get_arch(struct task_struct *task)
151
+
{
152
+
return IS_ENABLED(CONFIG_CPU_BIG_ENDIAN)
153
+
? AUDIT_ARCH_NDS32BE : AUDIT_ARCH_NDS32;
154
+
}
155
+
149
156
#endif /* _ASM_NDS32_SYSCALL_H */
+6
arch/nios2/include/asm/syscall.h
+6
arch/nios2/include/asm/syscall.h
···
17
17
#ifndef __ASM_NIOS2_SYSCALL_H__
18
18
#define __ASM_NIOS2_SYSCALL_H__
19
19
20
+
#include <uapi/linux/audit.h>
20
21
#include <linux/err.h>
21
22
#include <linux/sched.h>
22
23
···
78
77
regs->r7 = *args++;
79
78
regs->r8 = *args++;
80
79
regs->r9 = *args;
80
+
}
81
+
82
+
static inline int syscall_get_arch(struct task_struct *task)
83
+
{
84
+
return AUDIT_ARCH_NIOS2;
81
85
}
82
86
83
87
#endif
+1
-1
arch/openrisc/include/asm/syscall.h
+1
-1
arch/openrisc/include/asm/syscall.h
+2
-2
arch/parisc/include/asm/syscall.h
+2
-2
arch/parisc/include/asm/syscall.h
···
48
48
/* do nothing */
49
49
}
50
50
51
-
static inline int syscall_get_arch(void)
51
+
static inline int syscall_get_arch(struct task_struct *task)
52
52
{
53
53
int arch = AUDIT_ARCH_PARISC;
54
54
#ifdef CONFIG_64BIT
55
-
if (!is_compat_task())
55
+
if (!__is_compat_task(task))
56
56
arch = AUDIT_ARCH_PARISC64;
57
57
#endif
58
58
return arch;
+8
-2
arch/powerpc/include/asm/syscall.h
+8
-2
arch/powerpc/include/asm/syscall.h
···
94
94
regs->orig_gpr3 = args[0];
95
95
}
96
96
97
-
static inline int syscall_get_arch(void)
97
+
static inline int syscall_get_arch(struct task_struct *task)
98
98
{
99
-
int arch = is_32bit_task() ? AUDIT_ARCH_PPC : AUDIT_ARCH_PPC64;
99
+
int arch;
100
+
101
+
if (IS_ENABLED(CONFIG_PPC64) && !test_tsk_thread_flag(task, TIF_32BIT))
102
+
arch = AUDIT_ARCH_PPC64;
103
+
else
104
+
arch = AUDIT_ARCH_PPC;
105
+
100
106
#ifdef __LITTLE_ENDIAN__
101
107
arch |= __AUDIT_ARCH_LE;
102
108
#endif
+1
-1
arch/riscv/include/asm/syscall.h
+1
-1
arch/riscv/include/asm/syscall.h
+2
-2
arch/s390/include/asm/syscall.h
+2
-2
arch/s390/include/asm/syscall.h
···
79
79
regs->orig_gpr2 = args[0];
80
80
}
81
81
82
-
static inline int syscall_get_arch(void)
82
+
static inline int syscall_get_arch(struct task_struct *task)
83
83
{
84
84
#ifdef CONFIG_COMPAT
85
-
if (test_tsk_thread_flag(current, TIF_31BIT))
85
+
if (test_tsk_thread_flag(task, TIF_31BIT))
86
86
return AUDIT_ARCH_S390;
87
87
#endif
88
88
return AUDIT_ARCH_S390X;
+1
-1
arch/sh/include/asm/syscall_32.h
+1
-1
arch/sh/include/asm/syscall_32.h
+1
-1
arch/sh/include/asm/syscall_64.h
+1
-1
arch/sh/include/asm/syscall_64.h
+3
-2
arch/sparc/include/asm/syscall.h
+3
-2
arch/sparc/include/asm/syscall.h
···
127
127
regs->u_regs[UREG_I0 + i] = args[i];
128
128
}
129
129
130
-
static inline int syscall_get_arch(void)
130
+
static inline int syscall_get_arch(struct task_struct *task)
131
131
{
132
132
#if defined(CONFIG_SPARC64) && defined(CONFIG_COMPAT)
133
-
return in_compat_syscall() ? AUDIT_ARCH_SPARC : AUDIT_ARCH_SPARC64;
133
+
return test_tsk_thread_flag(task, TIF_32BIT)
134
+
? AUDIT_ARCH_SPARC : AUDIT_ARCH_SPARC64;
134
135
#elif defined(CONFIG_SPARC64)
135
136
return AUDIT_ARCH_SPARC64;
136
137
#else
+1
-2
arch/unicore32/include/asm/elf.h
+1
-2
arch/unicore32/include/asm/elf.h
···
19
19
* ELF register definitions..
20
20
*/
21
21
#include <asm/ptrace.h>
22
+
#include <linux/elf-em.h>
22
23
23
24
typedef unsigned long elf_greg_t;
24
25
typedef unsigned long elf_freg_t[3];
···
28
27
typedef elf_greg_t elf_gregset_t[ELF_NGREG];
29
28
30
29
typedef struct fp_state elf_fpregset_t;
31
-
32
-
#define EM_UNICORE 110
33
30
34
31
#define R_UNICORE_NONE 0
35
32
#define R_UNICORE_PC24 1
+12
arch/unicore32/include/asm/syscall.h
+12
arch/unicore32/include/asm/syscall.h
···
1
+
/* SPDX-License-Identifier: GPL-2.0 */
2
+
#ifndef _ASM_UNICORE_SYSCALL_H
3
+
#define _ASM_UNICORE_SYSCALL_H
4
+
5
+
#include <uapi/linux/audit.h>
6
+
7
+
static inline int syscall_get_arch(struct task_struct *task)
8
+
{
9
+
return AUDIT_ARCH_UNICORE;
10
+
}
11
+
12
+
#endif /* _ASM_UNICORE_SYSCALL_H */
+5
-3
arch/x86/include/asm/syscall.h
+5
-3
arch/x86/include/asm/syscall.h
···
105
105
memcpy(®s->bx + i, args, n * sizeof(args[0]));
106
106
}
107
107
108
-
static inline int syscall_get_arch(void)
108
+
static inline int syscall_get_arch(struct task_struct *task)
109
109
{
110
110
return AUDIT_ARCH_I386;
111
111
}
···
160
160
}
161
161
}
162
162
163
-
static inline int syscall_get_arch(void)
163
+
static inline int syscall_get_arch(struct task_struct *task)
164
164
{
165
165
/* x32 tasks should be considered AUDIT_ARCH_X86_64. */
166
-
return in_ia32_syscall() ? AUDIT_ARCH_I386 : AUDIT_ARCH_X86_64;
166
+
return (IS_ENABLED(CONFIG_IA32_EMULATION) &&
167
+
task->thread_info.status & TS_COMPAT)
168
+
? AUDIT_ARCH_I386 : AUDIT_ARCH_X86_64;
167
169
}
168
170
#endif /* CONFIG_X86_32 */
169
171
+1
-1
arch/x86/um/asm/syscall.h
+1
-1
arch/x86/um/asm/syscall.h
+1
-1
arch/xtensa/include/asm/syscall.h
+1
-1
arch/xtensa/include/asm/syscall.h
+3
-2
include/asm-generic/syscall.h
+3
-2
include/asm-generic/syscall.h
···
133
133
134
134
/**
135
135
* syscall_get_arch - return the AUDIT_ARCH for the current system call
136
+
* @task: task of interest, must be blocked
136
137
*
137
138
* Returns the AUDIT_ARCH_* based on the system call convention in use.
138
139
*
139
-
* It's only valid to call this when current is stopped on entry to a system
140
+
* It's only valid to call this when @task is stopped on entry to a system
140
141
* call, due to %TIF_SYSCALL_TRACE, %TIF_SYSCALL_AUDIT, or %TIF_SECCOMP.
141
142
*
142
143
* Architectures which permit CONFIG_HAVE_ARCH_SECCOMP_FILTER must
143
144
* provide an implementation of this.
144
145
*/
145
-
int syscall_get_arch(void);
146
+
int syscall_get_arch(struct task_struct *task);
146
147
#endif /* _ASM_SYSCALL_H */
+75
include/linux/audit.h
+75
include/linux/audit.h
···
86
86
u32 op;
87
87
};
88
88
89
+
enum audit_ntp_type {
90
+
AUDIT_NTP_OFFSET,
91
+
AUDIT_NTP_FREQ,
92
+
AUDIT_NTP_STATUS,
93
+
AUDIT_NTP_TAI,
94
+
AUDIT_NTP_TICK,
95
+
AUDIT_NTP_ADJUST,
96
+
97
+
AUDIT_NTP_NVALS /* count */
98
+
};
99
+
100
+
#ifdef CONFIG_AUDITSYSCALL
101
+
struct audit_ntp_val {
102
+
long long oldval, newval;
103
+
};
104
+
105
+
struct audit_ntp_data {
106
+
struct audit_ntp_val vals[AUDIT_NTP_NVALS];
107
+
};
108
+
#else
109
+
struct audit_ntp_data {};
110
+
#endif
111
+
89
112
extern int is_audit_feature_set(int which);
90
113
91
114
extern int __init audit_register_class(int class, unsigned *list);
···
388
365
extern void __audit_mmap_fd(int fd, int flags);
389
366
extern void __audit_log_kern_module(char *name);
390
367
extern void __audit_fanotify(unsigned int response);
368
+
extern void __audit_tk_injoffset(struct timespec64 offset);
369
+
extern void __audit_ntp_log(const struct audit_ntp_data *ad);
391
370
392
371
static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
393
372
{
···
490
465
{
491
466
if (!audit_dummy_context())
492
467
__audit_fanotify(response);
468
+
}
469
+
470
+
static inline void audit_tk_injoffset(struct timespec64 offset)
471
+
{
472
+
/* ignore no-op events */
473
+
if (offset.tv_sec == 0 && offset.tv_nsec == 0)
474
+
return;
475
+
476
+
if (!audit_dummy_context())
477
+
__audit_tk_injoffset(offset);
478
+
}
479
+
480
+
static inline void audit_ntp_init(struct audit_ntp_data *ad)
481
+
{
482
+
memset(ad, 0, sizeof(*ad));
483
+
}
484
+
485
+
static inline void audit_ntp_set_old(struct audit_ntp_data *ad,
486
+
enum audit_ntp_type type, long long val)
487
+
{
488
+
ad->vals[type].oldval = val;
489
+
}
490
+
491
+
static inline void audit_ntp_set_new(struct audit_ntp_data *ad,
492
+
enum audit_ntp_type type, long long val)
493
+
{
494
+
ad->vals[type].newval = val;
495
+
}
496
+
497
+
static inline void audit_ntp_log(const struct audit_ntp_data *ad)
498
+
{
499
+
if (!audit_dummy_context())
500
+
__audit_ntp_log(ad);
493
501
}
494
502
495
503
extern int audit_n_rules;
···
636
578
}
637
579
638
580
static inline void audit_fanotify(unsigned int response)
581
+
{ }
582
+
583
+
static inline void audit_tk_injoffset(struct timespec64 offset)
584
+
{ }
585
+
586
+
static inline void audit_ntp_init(struct audit_ntp_data *ad)
587
+
{ }
588
+
589
+
static inline void audit_ntp_set_old(struct audit_ntp_data *ad,
590
+
enum audit_ntp_type type, long long val)
591
+
{ }
592
+
593
+
static inline void audit_ntp_set_new(struct audit_ntp_data *ad,
594
+
enum audit_ntp_type type, long long val)
595
+
{ }
596
+
597
+
static inline void audit_ntp_log(const struct audit_ntp_data *ad)
639
598
{ }
640
599
641
600
static inline void audit_ptrace(struct task_struct *t)
+14
include/uapi/linux/audit.h
+14
include/uapi/linux/audit.h
···
114
114
#define AUDIT_REPLACE 1329 /* Replace auditd if this packet unanswerd */
115
115
#define AUDIT_KERN_MODULE 1330 /* Kernel Module events */
116
116
#define AUDIT_FANOTIFY 1331 /* Fanotify access decision */
117
+
#define AUDIT_TIME_INJOFFSET 1332 /* Timekeeping offset injected */
118
+
#define AUDIT_TIME_ADJNTPVAL 1333 /* NTP value adjustment */
117
119
118
120
#define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
119
121
#define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
···
377
375
378
376
#define AUDIT_ARCH_AARCH64 (EM_AARCH64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
379
377
#define AUDIT_ARCH_ALPHA (EM_ALPHA|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
378
+
#define AUDIT_ARCH_ARCOMPACT (EM_ARCOMPACT|__AUDIT_ARCH_LE)
379
+
#define AUDIT_ARCH_ARCOMPACTBE (EM_ARCOMPACT)
380
+
#define AUDIT_ARCH_ARCV2 (EM_ARCV2|__AUDIT_ARCH_LE)
381
+
#define AUDIT_ARCH_ARCV2BE (EM_ARCV2)
380
382
#define AUDIT_ARCH_ARM (EM_ARM|__AUDIT_ARCH_LE)
381
383
#define AUDIT_ARCH_ARMEB (EM_ARM)
384
+
#define AUDIT_ARCH_C6X (EM_TI_C6000|__AUDIT_ARCH_LE)
385
+
#define AUDIT_ARCH_C6XBE (EM_TI_C6000)
382
386
#define AUDIT_ARCH_CRIS (EM_CRIS|__AUDIT_ARCH_LE)
383
387
#define AUDIT_ARCH_CSKY (EM_CSKY|__AUDIT_ARCH_LE)
384
388
#define AUDIT_ARCH_FRV (EM_FRV)
389
+
#define AUDIT_ARCH_H8300 (EM_H8_300)
390
+
#define AUDIT_ARCH_HEXAGON (EM_HEXAGON)
385
391
#define AUDIT_ARCH_I386 (EM_386|__AUDIT_ARCH_LE)
386
392
#define AUDIT_ARCH_IA64 (EM_IA_64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
387
393
#define AUDIT_ARCH_M32R (EM_M32R)
···
403
393
#define AUDIT_ARCH_MIPSEL64 (EM_MIPS|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
404
394
#define AUDIT_ARCH_MIPSEL64N32 (EM_MIPS|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE|\
405
395
__AUDIT_ARCH_CONVENTION_MIPS64_N32)
396
+
#define AUDIT_ARCH_NDS32 (EM_NDS32|__AUDIT_ARCH_LE)
397
+
#define AUDIT_ARCH_NDS32BE (EM_NDS32)
398
+
#define AUDIT_ARCH_NIOS2 (EM_ALTERA_NIOS2|__AUDIT_ARCH_LE)
406
399
#define AUDIT_ARCH_OPENRISC (EM_OPENRISC)
407
400
#define AUDIT_ARCH_PARISC (EM_PARISC)
408
401
#define AUDIT_ARCH_PARISC64 (EM_PARISC|__AUDIT_ARCH_64BIT)
···
426
413
#define AUDIT_ARCH_TILEGX (EM_TILEGX|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
427
414
#define AUDIT_ARCH_TILEGX32 (EM_TILEGX|__AUDIT_ARCH_LE)
428
415
#define AUDIT_ARCH_TILEPRO (EM_TILEPRO|__AUDIT_ARCH_LE)
416
+
#define AUDIT_ARCH_UNICORE (EM_UNICORE|__AUDIT_ARCH_LE)
429
417
#define AUDIT_ARCH_X86_64 (EM_X86_64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
430
418
#define AUDIT_ARCH_XTENSA (EM_XTENSA)
431
419
+6
include/uapi/linux/elf-em.h
+6
include/uapi/linux/elf-em.h
···
34
34
#define EM_M32R 88 /* Renesas M32R */
35
35
#define EM_MN10300 89 /* Panasonic/MEI MN10300, AM33 */
36
36
#define EM_OPENRISC 92 /* OpenRISC 32-bit embedded processor */
37
+
#define EM_ARCOMPACT 93 /* ARCompact processor */
37
38
#define EM_XTENSA 94 /* Tensilica Xtensa Architecture */
38
39
#define EM_BLACKFIN 106 /* ADI Blackfin Processor */
40
+
#define EM_UNICORE 110 /* UniCore-32 */
39
41
#define EM_ALTERA_NIOS2 113 /* Altera Nios II soft-core processor */
40
42
#define EM_TI_C6000 140 /* TI C6X DSPs */
43
+
#define EM_HEXAGON 164 /* QUALCOMM Hexagon */
44
+
#define EM_NDS32 167 /* Andes Technology compact code size
45
+
embedded RISC processor family */
41
46
#define EM_AARCH64 183 /* ARM 64 bit */
42
47
#define EM_TILEPRO 188 /* Tilera TILEPro */
43
48
#define EM_MICROBLAZE 189 /* Xilinx MicroBlaze */
44
49
#define EM_TILEGX 191 /* Tilera TILE-Gx */
50
+
#define EM_ARCV2 195 /* ARCv2 Cores */
45
51
#define EM_RISCV 243 /* RISC-V */
46
52
#define EM_BPF 247 /* Linux BPF - in-kernel virtual machine */
47
53
#define EM_CSKY 252 /* C-SKY */
+1
-1
kernel/audit.c
+1
-1
kernel/audit.c
+7
-7
kernel/auditfilter.c
+7
-7
kernel/auditfilter.c
···
1114
1114
int err = 0;
1115
1115
struct audit_entry *entry;
1116
1116
1117
-
entry = audit_data_to_entry(data, datasz);
1118
-
if (IS_ERR(entry))
1119
-
return PTR_ERR(entry);
1120
-
1121
1117
switch (type) {
1122
1118
case AUDIT_ADD_RULE:
1119
+
entry = audit_data_to_entry(data, datasz);
1120
+
if (IS_ERR(entry))
1121
+
return PTR_ERR(entry);
1123
1122
err = audit_add_rule(entry);
1124
1123
audit_log_rule_change("add_rule", &entry->rule, !err);
1125
1124
break;
1126
1125
case AUDIT_DEL_RULE:
1126
+
entry = audit_data_to_entry(data, datasz);
1127
+
if (IS_ERR(entry))
1128
+
return PTR_ERR(entry);
1127
1129
err = audit_del_rule(entry);
1128
1130
audit_log_rule_change("remove_rule", &entry->rule, !err);
1129
1131
break;
1130
1132
default:
1131
-
err = -EINVAL;
1132
1133
WARN_ON(1);
1134
+
return -EINVAL;
1133
1135
}
1134
1136
1135
1137
if (err || type == AUDIT_DEL_RULE) {
···
1317
1315
int ret = 1; /* Audit by default */
1318
1316
1319
1317
rcu_read_lock();
1320
-
if (list_empty(&audit_filter_list[listtype]))
1321
-
goto unlock_and_return;
1322
1318
list_for_each_entry_rcu(e, &audit_filter_list[listtype], list) {
1323
1319
int i, result = 0;
1324
1320
+70
-41
kernel/auditsc.c
+70
-41
kernel/auditsc.c
···
771
771
return AUDIT_DISABLED;
772
772
773
773
rcu_read_lock();
774
-
if (!list_empty(list)) {
775
-
list_for_each_entry_rcu(e, list, list) {
776
-
if (audit_in_mask(&e->rule, ctx->major) &&
777
-
audit_filter_rules(tsk, &e->rule, ctx, NULL,
778
-
&state, false)) {
779
-
rcu_read_unlock();
780
-
ctx->current_state = state;
781
-
return state;
782
-
}
774
+
list_for_each_entry_rcu(e, list, list) {
775
+
if (audit_in_mask(&e->rule, ctx->major) &&
776
+
audit_filter_rules(tsk, &e->rule, ctx, NULL,
777
+
&state, false)) {
778
+
rcu_read_unlock();
779
+
ctx->current_state = state;
780
+
return state;
783
781
}
784
782
}
785
783
rcu_read_unlock();
···
796
798
struct audit_entry *e;
797
799
enum audit_state state;
798
800
799
-
if (list_empty(list))
800
-
return 0;
801
-
802
801
list_for_each_entry_rcu(e, list, list) {
803
802
if (audit_in_mask(&e->rule, ctx->major) &&
804
803
audit_filter_rules(tsk, &e->rule, ctx, n, &state, false)) {
···
803
808
return 1;
804
809
}
805
810
}
806
-
807
811
return 0;
808
812
}
809
813
···
834
840
context->proctitle.len = 0;
835
841
}
836
842
843
+
static inline void audit_free_module(struct audit_context *context)
844
+
{
845
+
if (context->type == AUDIT_KERN_MODULE) {
846
+
kfree(context->module.name);
847
+
context->module.name = NULL;
848
+
}
849
+
}
837
850
static inline void audit_free_names(struct audit_context *context)
838
851
{
839
852
struct audit_names *n, *next;
···
924
923
925
924
static inline void audit_free_context(struct audit_context *context)
926
925
{
926
+
audit_free_module(context);
927
927
audit_free_names(context);
928
928
unroll_tree_refs(context, NULL, 0);
929
929
free_tree_refs(context);
···
1141
1139
kfree(buf_head);
1142
1140
}
1143
1141
1144
-
void audit_log_cap(struct audit_buffer *ab, char *prefix, kernel_cap_t *cap)
1142
+
static void audit_log_cap(struct audit_buffer *ab, char *prefix,
1143
+
kernel_cap_t *cap)
1145
1144
{
1146
1145
int i;
1147
1146
···
1269
1266
audit_log_format(ab, "name=");
1270
1267
if (context->module.name) {
1271
1268
audit_log_untrustedstring(ab, context->module.name);
1272
-
kfree(context->module.name);
1273
1269
} else
1274
1270
audit_log_format(ab, "(null)");
1275
1271
···
1630
1628
return;
1631
1629
}
1632
1630
1633
-
context->arch = syscall_get_arch();
1631
+
context->arch = syscall_get_arch(current);
1634
1632
context->major = major;
1635
1633
context->argv[0] = a1;
1636
1634
context->argv[1] = a2;
···
1699
1697
context->in_syscall = 0;
1700
1698
context->prio = context->state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0;
1701
1699
1700
+
audit_free_module(context);
1702
1701
audit_free_names(context);
1703
1702
unroll_tree_refs(context, NULL, 0);
1704
1703
audit_free_aux(context);
···
1900
1897
}
1901
1898
1902
1899
/* Copy inode data into an audit_names. */
1903
-
void audit_copy_inode(struct audit_names *name, const struct dentry *dentry,
1904
-
struct inode *inode, unsigned int flags)
1900
+
static void audit_copy_inode(struct audit_names *name,
1901
+
const struct dentry *dentry,
1902
+
struct inode *inode, unsigned int flags)
1905
1903
{
1906
1904
name->ino = inode->i_ino;
1907
1905
name->dev = inode->i_sb->s_dev;
···
1939
1935
return;
1940
1936
1941
1937
rcu_read_lock();
1942
-
if (!list_empty(list)) {
1943
-
list_for_each_entry_rcu(e, list, list) {
1944
-
for (i = 0; i < e->rule.field_count; i++) {
1945
-
struct audit_field *f = &e->rule.fields[i];
1938
+
list_for_each_entry_rcu(e, list, list) {
1939
+
for (i = 0; i < e->rule.field_count; i++) {
1940
+
struct audit_field *f = &e->rule.fields[i];
1946
1941
1947
-
if (f->type == AUDIT_FSTYPE
1948
-
&& audit_comparator(inode->i_sb->s_magic,
1949
-
f->op, f->val)
1950
-
&& e->rule.action == AUDIT_NEVER) {
1951
-
rcu_read_unlock();
1952
-
return;
1953
-
}
1942
+
if (f->type == AUDIT_FSTYPE
1943
+
&& audit_comparator(inode->i_sb->s_magic,
1944
+
f->op, f->val)
1945
+
&& e->rule.action == AUDIT_NEVER) {
1946
+
rcu_read_unlock();
1947
+
return;
1954
1948
}
1955
1949
}
1956
1950
}
···
2057
2055
return;
2058
2056
2059
2057
rcu_read_lock();
2060
-
if (!list_empty(list)) {
2061
-
list_for_each_entry_rcu(e, list, list) {
2062
-
for (i = 0; i < e->rule.field_count; i++) {
2063
-
struct audit_field *f = &e->rule.fields[i];
2058
+
list_for_each_entry_rcu(e, list, list) {
2059
+
for (i = 0; i < e->rule.field_count; i++) {
2060
+
struct audit_field *f = &e->rule.fields[i];
2064
2061
2065
-
if (f->type == AUDIT_FSTYPE
2066
-
&& audit_comparator(parent->i_sb->s_magic,
2067
-
f->op, f->val)
2068
-
&& e->rule.action == AUDIT_NEVER) {
2069
-
rcu_read_unlock();
2070
-
return;
2071
-
}
2062
+
if (f->type == AUDIT_FSTYPE
2063
+
&& audit_comparator(parent->i_sb->s_magic,
2064
+
f->op, f->val)
2065
+
&& e->rule.action == AUDIT_NEVER) {
2066
+
rcu_read_unlock();
2067
+
return;
2072
2068
}
2073
2069
}
2074
2070
}
···
2512
2512
AUDIT_FANOTIFY, "resp=%u", response);
2513
2513
}
2514
2514
2515
+
void __audit_tk_injoffset(struct timespec64 offset)
2516
+
{
2517
+
audit_log(audit_context(), GFP_KERNEL, AUDIT_TIME_INJOFFSET,
2518
+
"sec=%lli nsec=%li",
2519
+
(long long)offset.tv_sec, offset.tv_nsec);
2520
+
}
2521
+
2522
+
static void audit_log_ntp_val(const struct audit_ntp_data *ad,
2523
+
const char *op, enum audit_ntp_type type)
2524
+
{
2525
+
const struct audit_ntp_val *val = &ad->vals[type];
2526
+
2527
+
if (val->newval == val->oldval)
2528
+
return;
2529
+
2530
+
audit_log(audit_context(), GFP_KERNEL, AUDIT_TIME_ADJNTPVAL,
2531
+
"op=%s old=%lli new=%lli", op, val->oldval, val->newval);
2532
+
}
2533
+
2534
+
void __audit_ntp_log(const struct audit_ntp_data *ad)
2535
+
{
2536
+
audit_log_ntp_val(ad, "offset", AUDIT_NTP_OFFSET);
2537
+
audit_log_ntp_val(ad, "freq", AUDIT_NTP_FREQ);
2538
+
audit_log_ntp_val(ad, "status", AUDIT_NTP_STATUS);
2539
+
audit_log_ntp_val(ad, "tai", AUDIT_NTP_TAI);
2540
+
audit_log_ntp_val(ad, "tick", AUDIT_NTP_TICK);
2541
+
audit_log_ntp_val(ad, "adjust", AUDIT_NTP_ADJUST);
2542
+
}
2543
+
2515
2544
static void audit_log_task(struct audit_buffer *ab)
2516
2545
{
2517
2546
kuid_t auid, uid;
···
2609
2580
return;
2610
2581
audit_log_task(ab);
2611
2582
audit_log_format(ab, " sig=%ld arch=%x syscall=%ld compat=%d ip=0x%lx code=0x%x",
2612
-
signr, syscall_get_arch(), syscall,
2583
+
signr, syscall_get_arch(current), syscall,
2613
2584
in_compat_syscall(), KSTK_EIP(current), code);
2614
2585
audit_log_end(ab);
2615
2586
}
+2
-2
kernel/seccomp.c
+2
-2
kernel/seccomp.c
···
148
148
unsigned long args[6];
149
149
150
150
sd->nr = syscall_get_nr(task, regs);
151
-
sd->arch = syscall_get_arch();
151
+
sd->arch = syscall_get_arch(task);
152
152
syscall_get_arguments(task, regs, args);
153
153
sd->args[0] = args[0];
154
154
sd->args[1] = args[1];
···
594
594
info->si_code = SYS_SECCOMP;
595
595
info->si_call_addr = (void __user *)KSTK_EIP(current);
596
596
info->si_errno = reason;
597
-
info->si_arch = syscall_get_arch();
597
+
info->si_arch = syscall_get_arch(current);
598
598
info->si_syscall = syscall;
599
599
}
600
600
+19
-3
kernel/time/ntp.c
+19
-3
kernel/time/ntp.c
···
17
17
#include <linux/mm.h>
18
18
#include <linux/module.h>
19
19
#include <linux/rtc.h>
20
+
#include <linux/audit.h>
20
21
21
22
#include "ntp_internal.h"
22
23
#include "timekeeping_internal.h"
···
710
709
* kernel time-keeping variables. used by xntpd.
711
710
*/
712
711
int __do_adjtimex(struct __kernel_timex *txc, const struct timespec64 *ts,
713
-
s32 *time_tai)
712
+
s32 *time_tai, struct audit_ntp_data *ad)
714
713
{
715
714
int result;
716
715
···
721
720
/* adjtime() is independent from ntp_adjtime() */
722
721
time_adjust = txc->offset;
723
722
ntp_update_frequency();
723
+
724
+
audit_ntp_set_old(ad, AUDIT_NTP_ADJUST, save_adjust);
725
+
audit_ntp_set_new(ad, AUDIT_NTP_ADJUST, time_adjust);
724
726
}
725
727
txc->offset = save_adjust;
726
728
} else {
727
-
728
729
/* If there are input parameters, then process them: */
729
-
if (txc->modes)
730
+
if (txc->modes) {
731
+
audit_ntp_set_old(ad, AUDIT_NTP_OFFSET, time_offset);
732
+
audit_ntp_set_old(ad, AUDIT_NTP_FREQ, time_freq);
733
+
audit_ntp_set_old(ad, AUDIT_NTP_STATUS, time_status);
734
+
audit_ntp_set_old(ad, AUDIT_NTP_TAI, *time_tai);
735
+
audit_ntp_set_old(ad, AUDIT_NTP_TICK, tick_usec);
736
+
730
737
process_adjtimex_modes(txc, time_tai);
738
+
739
+
audit_ntp_set_new(ad, AUDIT_NTP_OFFSET, time_offset);
740
+
audit_ntp_set_new(ad, AUDIT_NTP_FREQ, time_freq);
741
+
audit_ntp_set_new(ad, AUDIT_NTP_STATUS, time_status);
742
+
audit_ntp_set_new(ad, AUDIT_NTP_TAI, *time_tai);
743
+
audit_ntp_set_new(ad, AUDIT_NTP_TICK, tick_usec);
744
+
}
731
745
732
746
txc->offset = shift_right(time_offset * NTP_INTERVAL_FREQ,
733
747
NTP_SCALE_SHIFT);
+3
-1
kernel/time/ntp_internal.h
+3
-1
kernel/time/ntp_internal.h
···
8
8
extern u64 ntp_tick_length(void);
9
9
extern ktime_t ntp_get_next_leap(void);
10
10
extern int second_overflow(time64_t secs);
11
-
extern int __do_adjtimex(struct __kernel_timex *txc, const struct timespec64 *ts, s32 *time_tai);
11
+
extern int __do_adjtimex(struct __kernel_timex *txc,
12
+
const struct timespec64 *ts,
13
+
s32 *time_tai, struct audit_ntp_data *ad);
12
14
extern void __hardpps(const struct timespec64 *phase_ts, const struct timespec64 *raw_ts);
13
15
#endif /* _LINUX_NTP_INTERNAL_H */
+12
-1
kernel/time/timekeeping.c
+12
-1
kernel/time/timekeeping.c
···
21
21
#include <linux/stop_machine.h>
22
22
#include <linux/pvclock_gtod.h>
23
23
#include <linux/compiler.h>
24
+
#include <linux/audit.h>
24
25
25
26
#include "tick-internal.h"
26
27
#include "ntp_internal.h"
···
1251
1250
/* signal hrtimers about time change */
1252
1251
clock_was_set();
1253
1252
1253
+
if (!ret)
1254
+
audit_tk_injoffset(ts_delta);
1255
+
1254
1256
return ret;
1255
1257
}
1256
1258
EXPORT_SYMBOL(do_settimeofday64);
···
2307
2303
int do_adjtimex(struct __kernel_timex *txc)
2308
2304
{
2309
2305
struct timekeeper *tk = &tk_core.timekeeper;
2306
+
struct audit_ntp_data ad;
2310
2307
unsigned long flags;
2311
2308
struct timespec64 ts;
2312
2309
s32 orig_tai, tai;
···
2327
2322
ret = timekeeping_inject_offset(&delta);
2328
2323
if (ret)
2329
2324
return ret;
2325
+
2326
+
audit_tk_injoffset(delta);
2330
2327
}
2328
+
2329
+
audit_ntp_init(&ad);
2331
2330
2332
2331
ktime_get_real_ts64(&ts);
2333
2332
···
2339
2330
write_seqcount_begin(&tk_core.seq);
2340
2331
2341
2332
orig_tai = tai = tk->tai_offset;
2342
-
ret = __do_adjtimex(txc, &ts, &tai);
2333
+
ret = __do_adjtimex(txc, &ts, &tai, &ad);
2343
2334
2344
2335
if (tai != orig_tai) {
2345
2336
__timekeeping_set_tai_offset(tk, tai);
···
2349
2340
2350
2341
write_seqcount_end(&tk_core.seq);
2351
2342
raw_spin_unlock_irqrestore(&timekeeper_lock, flags);
2343
+
2344
+
audit_ntp_log(&ad);
2352
2345
2353
2346
/* Update the multiplier immediately if frequency was set directly */
2354
2347
if (txc->modes & (ADJ_FREQUENCY | ADJ_TICK))
+5
-5
security/integrity/evm/evm_secfs.c
+5
-5
security/integrity/evm/evm_secfs.c
···
192
192
if (count > XATTR_NAME_MAX)
193
193
return -E2BIG;
194
194
195
-
ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_INTEGRITY_EVM_XATTR);
195
+
ab = audit_log_start(audit_context(), GFP_KERNEL,
196
+
AUDIT_INTEGRITY_EVM_XATTR);
196
197
if (!ab)
197
198
return -ENOMEM;
198
199
···
215
214
if (len && xattr->name[len-1] == '\n')
216
215
xattr->name[len-1] = '\0';
217
216
217
+
audit_log_format(ab, "xattr=");
218
+
audit_log_untrustedstring(ab, xattr->name);
219
+
218
220
if (strcmp(xattr->name, ".") == 0) {
219
221
evm_xattrs_locked = 1;
220
222
newattrs.ia_mode = S_IFREG | 0440;
···
226
222
inode_lock(inode);
227
223
err = simple_setattr(evm_xattrs, &newattrs);
228
224
inode_unlock(inode);
229
-
audit_log_format(ab, "locked");
230
225
if (!err)
231
226
err = count;
232
227
goto out;
233
228
}
234
-
235
-
audit_log_format(ab, "xattr=");
236
-
audit_log_untrustedstring(ab, xattr->name);
237
229
238
230
if (strncmp(xattr->name, XATTR_SECURITY_PREFIX,
239
231
XATTR_SECURITY_PREFIX_LEN) != 0) {