tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
Merge git://git.infradead.org/users/eparis/audit
Pull audit updates from Eric Paris.
* git://git.infradead.org/users/eparis/audit: (28 commits)
AUDIT: make audit_is_compat depend on CONFIG_AUDIT_COMPAT_GENERIC
audit: renumber AUDIT_FEATURE_CHANGE into the 1300 range
audit: do not cast audit_rule_data pointers pointlesly
AUDIT: Allow login in non-init namespaces
audit: define audit_is_compat in kernel internal header
kernel: Use RCU_INIT_POINTER(x, NULL) in audit.c
sched: declare pid_alive as inline
audit: use uapi/linux/audit.h for AUDIT_ARCH declarations
syscall_get_arch: remove useless function arguments
audit: remove stray newline from audit_log_execve_info() audit_panic() call
audit: remove stray newlines from audit_log_lost messages
audit: include subject in login records
audit: remove superfluous new- prefix in AUDIT_LOGIN messages
audit: allow user processes to log from another PID namespace
audit: anchor all pid references in the initial pid namespace
audit: convert PPIDs to the inital PID namespace.
pid: get pid_t ppid of task in init_pid_ns
audit: rename the misleading audit_get_context() to audit_take_context()
audit: Add generic compat syscall support
audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL
...
+351
-119
+1
arch/alpha/Kconfig
+1
arch/alpha/Kconfig
+1
arch/arm/Kconfig
+1
arch/arm/Kconfig
···
24
24
select GENERIC_STRNCPY_FROM_USER
25
25
select GENERIC_STRNLEN_USER
26
26
select HARDIRQS_SW_RESEND
27
+
select HAVE_ARCH_AUDITSYSCALL if (AEABI && !OABI_COMPAT)
27
28
select HAVE_ARCH_JUMP_LABEL if !XIP_KERNEL
28
29
select HAVE_ARCH_KGDB
29
30
select HAVE_ARCH_SECCOMP_FILTER if (AEABI && !OABI_COMPAT)
+2
-3
arch/arm/include/asm/syscall.h
+2
-3
arch/arm/include/asm/syscall.h
···
7
7
#ifndef _ASM_ARM_SYSCALL_H
8
8
#define _ASM_ARM_SYSCALL_H
9
9
10
-
#include <linux/audit.h> /* for AUDIT_ARCH_* */
10
+
#include <uapi/linux/audit.h> /* for AUDIT_ARCH_* */
11
11
#include <linux/elf.h> /* for ELF_EM */
12
12
#include <linux/err.h>
13
13
#include <linux/sched.h>
···
103
103
memcpy(®s->ARM_r0 + i, args, n * sizeof(args[0]));
104
104
}
105
105
106
-
static inline int syscall_get_arch(struct task_struct *task,
107
-
struct pt_regs *regs)
106
+
static inline int syscall_get_arch(void)
108
107
{
109
108
/* ARM tasks don't change audit architectures on the fly. */
110
109
return AUDIT_ARCH_ARM;
+1
arch/ia64/Kconfig
+1
arch/ia64/Kconfig
+3
-4
arch/mips/include/asm/syscall.h
+3
-4
arch/mips/include/asm/syscall.h
···
14
14
#define __ASM_MIPS_SYSCALL_H
15
15
16
16
#include <linux/compiler.h>
17
-
#include <linux/audit.h>
17
+
#include <uapi/linux/audit.h>
18
18
#include <linux/elf-em.h>
19
19
#include <linux/kernel.h>
20
20
#include <linux/sched.h>
···
127
127
extern const unsigned long sys32_call_table[];
128
128
extern const unsigned long sysn32_call_table[];
129
129
130
-
static inline int syscall_get_arch(struct task_struct *task,
131
-
struct pt_regs *regs)
130
+
static inline int syscall_get_arch(void)
132
131
{
133
132
int arch = EM_MIPS;
134
133
#ifdef CONFIG_64BIT
135
-
if (!test_tsk_thread_flag(task, TIF_32BIT_REGS))
134
+
if (!test_thread_flag(TIF_32BIT_REGS))
136
135
arch |= __AUDIT_ARCH_64BIT;
137
136
#endif
138
137
#if defined(__LITTLE_ENDIAN)
+1
-1
arch/mips/kernel/ptrace.c
+1
-1
arch/mips/kernel/ptrace.c
···
649
649
if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT)))
650
650
trace_sys_enter(regs, regs->regs[2]);
651
651
652
-
audit_syscall_entry(syscall_get_arch(current, regs),
652
+
audit_syscall_entry(syscall_get_arch(),
653
653
syscall,
654
654
regs->regs[4], regs->regs[5],
655
655
regs->regs[6], regs->regs[7]);
+1
arch/parisc/Kconfig
+1
arch/parisc/Kconfig
+1
arch/powerpc/Kconfig
+1
arch/powerpc/Kconfig
+1
arch/s390/Kconfig
+1
arch/s390/Kconfig
+3
-4
arch/s390/include/asm/syscall.h
+3
-4
arch/s390/include/asm/syscall.h
···
12
12
#ifndef _ASM_SYSCALL_H
13
13
#define _ASM_SYSCALL_H 1
14
14
15
-
#include <linux/audit.h>
15
+
#include <uapi/linux/audit.h>
16
16
#include <linux/sched.h>
17
17
#include <linux/err.h>
18
18
#include <asm/ptrace.h>
···
89
89
regs->orig_gpr2 = args[0];
90
90
}
91
91
92
-
static inline int syscall_get_arch(struct task_struct *task,
93
-
struct pt_regs *regs)
92
+
static inline int syscall_get_arch(void)
94
93
{
95
94
#ifdef CONFIG_COMPAT
96
-
if (test_tsk_thread_flag(task, TIF_31BIT))
95
+
if (test_tsk_thread_flag(current, TIF_31BIT))
97
96
return AUDIT_ARCH_S390;
98
97
#endif
99
98
return sizeof(long) == 8 ? AUDIT_ARCH_S390X : AUDIT_ARCH_S390;
+1
arch/sh/Kconfig
+1
arch/sh/Kconfig
+1
arch/sparc/Kconfig
+1
arch/sparc/Kconfig
+1
arch/um/Kconfig.common
+1
arch/um/Kconfig.common
+1
arch/x86/Kconfig
+1
arch/x86/Kconfig
+4
-6
arch/x86/include/asm/syscall.h
+4
-6
arch/x86/include/asm/syscall.h
···
13
13
#ifndef _ASM_X86_SYSCALL_H
14
14
#define _ASM_X86_SYSCALL_H
15
15
16
-
#include <linux/audit.h>
16
+
#include <uapi/linux/audit.h>
17
17
#include <linux/sched.h>
18
18
#include <linux/err.h>
19
19
#include <asm/asm-offsets.h> /* For NR_syscalls */
···
91
91
memcpy(®s->bx + i, args, n * sizeof(args[0]));
92
92
}
93
93
94
-
static inline int syscall_get_arch(struct task_struct *task,
95
-
struct pt_regs *regs)
94
+
static inline int syscall_get_arch(void)
96
95
{
97
96
return AUDIT_ARCH_I386;
98
97
}
···
220
221
}
221
222
}
222
223
223
-
static inline int syscall_get_arch(struct task_struct *task,
224
-
struct pt_regs *regs)
224
+
static inline int syscall_get_arch(void)
225
225
{
226
226
#ifdef CONFIG_IA32_EMULATION
227
227
/*
···
232
234
*
233
235
* x32 tasks should be considered AUDIT_ARCH_X86_64.
234
236
*/
235
-
if (task_thread_info(task)->status & TS_COMPAT)
237
+
if (task_thread_info(current)->status & TS_COMPAT)
236
238
return AUDIT_ARCH_I386;
237
239
#endif
238
240
/* Both x32 and x86_64 are considered "64-bit". */
+2
-1
drivers/tty/tty_audit.c
+2
-1
drivers/tty/tty_audit.c
···
65
65
{
66
66
struct audit_buffer *ab;
67
67
struct task_struct *tsk = current;
68
+
pid_t pid = task_pid_nr(tsk);
68
69
uid_t uid = from_kuid(&init_user_ns, task_uid(tsk));
69
70
uid_t loginuid = from_kuid(&init_user_ns, audit_get_loginuid(tsk));
70
71
unsigned int sessionid = audit_get_sessionid(tsk);
···
75
74
char name[sizeof(tsk->comm)];
76
75
77
76
audit_log_format(ab, "%s pid=%u uid=%u auid=%u ses=%u major=%d"
78
-
" minor=%d comm=", description, tsk->pid, uid,
77
+
" minor=%d comm=", description, pid, uid,
79
78
loginuid, sessionid, major, minor);
80
79
get_task_comm(name, tsk);
81
80
audit_log_untrustedstring(ab, name);
+2
-34
fs/proc/base.c
+2
-34
fs/proc/base.c
···
200
200
return result;
201
201
}
202
202
203
-
static int proc_pid_cmdline(struct task_struct *task, char * buffer)
203
+
static int proc_pid_cmdline(struct task_struct *task, char *buffer)
204
204
{
205
-
int res = 0;
206
-
unsigned int len;
207
-
struct mm_struct *mm = get_task_mm(task);
208
-
if (!mm)
209
-
goto out;
210
-
if (!mm->arg_end)
211
-
goto out_mm; /* Shh! No looking before we're done */
212
-
213
-
len = mm->arg_end - mm->arg_start;
214
-
215
-
if (len > PAGE_SIZE)
216
-
len = PAGE_SIZE;
217
-
218
-
res = access_process_vm(task, mm->arg_start, buffer, len, 0);
219
-
220
-
// If the nul at the end of args has been overwritten, then
221
-
// assume application is using setproctitle(3).
222
-
if (res > 0 && buffer[res-1] != '\0' && len < PAGE_SIZE) {
223
-
len = strnlen(buffer, res);
224
-
if (len < res) {
225
-
res = len;
226
-
} else {
227
-
len = mm->env_end - mm->env_start;
228
-
if (len > PAGE_SIZE - res)
229
-
len = PAGE_SIZE - res;
230
-
res += access_process_vm(task, mm->env_start, buffer+res, len, 0);
231
-
res = strnlen(buffer, res);
232
-
}
233
-
}
234
-
out_mm:
235
-
mmput(mm);
236
-
out:
237
-
return res;
205
+
return get_cmdline(task, buffer, PAGE_SIZE);
238
206
}
239
207
240
208
static int proc_pid_auxv(struct task_struct *task, char *buffer)
+1
-3
include/asm-generic/syscall.h
+1
-3
include/asm-generic/syscall.h
···
144
144
145
145
/**
146
146
* syscall_get_arch - return the AUDIT_ARCH for the current system call
147
-
* @task: task of interest, must be in system call entry tracing
148
-
* @regs: task_pt_regs() of @task
149
147
*
150
148
* Returns the AUDIT_ARCH_* based on the system call convention in use.
151
149
*
···
153
155
* Architectures which permit CONFIG_HAVE_ARCH_SECCOMP_FILTER must
154
156
* provide an implementation of this.
155
157
*/
156
-
int syscall_get_arch(struct task_struct *task, struct pt_regs *regs);
158
+
int syscall_get_arch(void);
157
159
#endif /* _ASM_SYSCALL_H */
+14
include/linux/audit.h
+14
include/linux/audit.h
···
79
79
extern int __init audit_register_class(int class, unsigned *list);
80
80
extern int audit_classify_syscall(int abi, unsigned syscall);
81
81
extern int audit_classify_arch(int arch);
82
+
/* only for compat system calls */
83
+
extern unsigned compat_write_class[];
84
+
extern unsigned compat_read_class[];
85
+
extern unsigned compat_dir_class[];
86
+
extern unsigned compat_chattr_class[];
87
+
extern unsigned compat_signal_class[];
88
+
89
+
extern int __weak audit_classify_compat_syscall(int abi, unsigned syscall);
82
90
83
91
/* audit_names->type values */
84
92
#define AUDIT_TYPE_UNKNOWN 0 /* we don't know yet */
···
101
93
struct filename;
102
94
103
95
extern void audit_log_session_info(struct audit_buffer *ab);
96
+
97
+
#ifdef CONFIG_AUDIT_COMPAT_GENERIC
98
+
#define audit_is_compat(arch) (!((arch) & __AUDIT_ARCH_64BIT))
99
+
#else
100
+
#define audit_is_compat(arch) false
101
+
#endif
104
102
105
103
#ifdef CONFIG_AUDITSYSCALL
106
104
/* These are defined in auditsc.c */
+1
include/linux/mm.h
+1
include/linux/mm.h
···
1204
1204
int set_page_dirty(struct page *page);
1205
1205
int set_page_dirty_lock(struct page *page);
1206
1206
int clear_page_dirty_for_io(struct page *page);
1207
+
int get_cmdline(struct task_struct *task, char *buffer, int buflen);
1207
1208
1208
1209
/* Is the vma a continuation of the stack vma above it? */
1209
1210
static inline int vma_growsdown(struct vm_area_struct *vma, unsigned long addr)
+19
-1
include/linux/sched.h
+19
-1
include/linux/sched.h
···
1719
1719
}
1720
1720
1721
1721
1722
+
static inline int pid_alive(const struct task_struct *p);
1723
+
static inline pid_t task_ppid_nr_ns(const struct task_struct *tsk, struct pid_namespace *ns)
1724
+
{
1725
+
pid_t pid = 0;
1726
+
1727
+
rcu_read_lock();
1728
+
if (pid_alive(tsk))
1729
+
pid = task_tgid_nr_ns(rcu_dereference(tsk->real_parent), ns);
1730
+
rcu_read_unlock();
1731
+
1732
+
return pid;
1733
+
}
1734
+
1735
+
static inline pid_t task_ppid_nr(const struct task_struct *tsk)
1736
+
{
1737
+
return task_ppid_nr_ns(tsk, &init_pid_ns);
1738
+
}
1739
+
1722
1740
static inline pid_t task_pgrp_nr_ns(struct task_struct *tsk,
1723
1741
struct pid_namespace *ns)
1724
1742
{
···
1776
1758
*
1777
1759
* Return: 1 if the process is alive. 0 otherwise.
1778
1760
*/
1779
-
static inline int pid_alive(struct task_struct *p)
1761
+
static inline int pid_alive(const struct task_struct *p)
1780
1762
{
1781
1763
return p->pids[PIDTYPE_PID].pid != NULL;
1782
1764
}
+2
-1
include/uapi/linux/audit.h
+2
-1
include/uapi/linux/audit.h
···
70
70
#define AUDIT_TTY_SET 1017 /* Set TTY auditing status */
71
71
#define AUDIT_SET_FEATURE 1018 /* Turn an audit feature on or off */
72
72
#define AUDIT_GET_FEATURE 1019 /* Get which features are enabled */
73
-
#define AUDIT_FEATURE_CHANGE 1020 /* audit log listing feature changes */
74
73
75
74
#define AUDIT_FIRST_USER_MSG 1100 /* Userspace messages mostly uninteresting to kernel */
76
75
#define AUDIT_USER_AVC 1107 /* We filter this differently */
···
108
109
#define AUDIT_NETFILTER_PKT 1324 /* Packets traversing netfilter chains */
109
110
#define AUDIT_NETFILTER_CFG 1325 /* Netfilter chain modifications */
110
111
#define AUDIT_SECCOMP 1326 /* Secure Computing event */
112
+
#define AUDIT_PROCTITLE 1327 /* Proctitle emit event */
113
+
#define AUDIT_FEATURE_CHANGE 1328 /* audit log listing feature changes */
111
114
112
115
#define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
113
116
#define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
+4
include/uapi/linux/capability.h
+4
include/uapi/linux/capability.h
+4
-1
init/Kconfig
+4
-1
init/Kconfig
···
292
292
logging of avc messages output). Does not do system-call
293
293
auditing without CONFIG_AUDITSYSCALL.
294
294
295
+
config HAVE_ARCH_AUDITSYSCALL
296
+
bool
297
+
295
298
config AUDITSYSCALL
296
299
bool "Enable system-call auditing support"
297
-
depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT) || ALPHA)
300
+
depends on AUDIT && HAVE_ARCH_AUDITSYSCALL
298
301
default y if SECURITY_SELINUX
299
302
help
300
303
Enable low-overhead system-call auditing infrastructure that
+16
-11
kernel/audit.c
+16
-11
kernel/audit.c
···
182
182
183
183
struct audit_reply {
184
184
__u32 portid;
185
-
struct net *net;
185
+
struct net *net;
186
186
struct sk_buff *skb;
187
187
};
188
188
···
396
396
if (printk_ratelimit())
397
397
pr_notice("type=%d %s\n", nlh->nlmsg_type, data);
398
398
else
399
-
audit_log_lost("printk limit exceeded\n");
399
+
audit_log_lost("printk limit exceeded");
400
400
}
401
401
402
402
audit_hold_skb(skb);
···
412
412
BUG_ON(err != -ECONNREFUSED); /* Shouldn't happen */
413
413
if (audit_pid) {
414
414
pr_err("*NO* daemon at audit_pid=%d\n", audit_pid);
415
-
audit_log_lost("auditd disappeared\n");
415
+
audit_log_lost("auditd disappeared");
416
416
audit_pid = 0;
417
417
audit_sock = NULL;
418
418
}
···
607
607
{
608
608
int err = 0;
609
609
610
-
/* Only support the initial namespaces for now. */
610
+
/* Only support initial user namespace for now. */
611
611
/*
612
612
* We return ECONNREFUSED because it tricks userspace into thinking
613
613
* that audit was not configured into the kernel. Lots of users
···
618
618
* userspace will reject all logins. This should be removed when we
619
619
* support non init namespaces!!
620
620
*/
621
-
if ((current_user_ns() != &init_user_ns) ||
622
-
(task_active_pid_ns(current) != &init_pid_ns))
621
+
if (current_user_ns() != &init_user_ns)
623
622
return -ECONNREFUSED;
624
623
625
624
switch (msg_type) {
···
638
639
case AUDIT_TTY_SET:
639
640
case AUDIT_TRIM:
640
641
case AUDIT_MAKE_EQUIV:
642
+
/* Only support auditd and auditctl in initial pid namespace
643
+
* for now. */
644
+
if ((task_active_pid_ns(current) != &init_pid_ns))
645
+
return -EPERM;
646
+
641
647
if (!capable(CAP_AUDIT_CONTROL))
642
648
err = -EPERM;
643
649
break;
···
663
659
{
664
660
int rc = 0;
665
661
uid_t uid = from_kuid(&init_user_ns, current_uid());
662
+
pid_t pid = task_tgid_nr(current);
666
663
667
664
if (!audit_enabled && msg_type != AUDIT_USER_AVC) {
668
665
*ab = NULL;
···
673
668
*ab = audit_log_start(NULL, GFP_KERNEL, msg_type);
674
669
if (unlikely(!*ab))
675
670
return rc;
676
-
audit_log_format(*ab, "pid=%d uid=%u", task_tgid_vnr(current), uid);
671
+
audit_log_format(*ab, "pid=%d uid=%u", pid, uid);
677
672
audit_log_session_info(*ab);
678
673
audit_log_task_context(*ab);
679
674
···
1102
1097
audit_sock = NULL;
1103
1098
}
1104
1099
1105
-
rcu_assign_pointer(aunet->nlsk, NULL);
1100
+
RCU_INIT_POINTER(aunet->nlsk, NULL);
1106
1101
synchronize_net();
1107
1102
netlink_kernel_release(sock);
1108
1103
}
···
1834
1829
spin_unlock_irq(&tsk->sighand->siglock);
1835
1830
1836
1831
audit_log_format(ab,
1837
-
" ppid=%ld pid=%d auid=%u uid=%u gid=%u"
1832
+
" ppid=%d pid=%d auid=%u uid=%u gid=%u"
1838
1833
" euid=%u suid=%u fsuid=%u"
1839
1834
" egid=%u sgid=%u fsgid=%u tty=%s ses=%u",
1840
-
sys_getppid(),
1841
-
tsk->pid,
1835
+
task_ppid_nr(tsk),
1836
+
task_pid_nr(tsk),
1842
1837
from_kuid(&init_user_ns, audit_get_loginuid(tsk)),
1843
1838
from_kuid(&init_user_ns, cred->uid),
1844
1839
from_kgid(&init_user_ns, cred->gid),
+6
kernel/audit.h
+6
kernel/audit.h
···
106
106
bool should_free;
107
107
};
108
108
109
+
struct audit_proctitle {
110
+
int len; /* length of the cmdline field. */
111
+
char *value; /* the cmdline field */
112
+
};
113
+
109
114
/* The per-task audit context. */
110
115
struct audit_context {
111
116
int dummy; /* must be the first element */
···
207
202
} execve;
208
203
};
209
204
int fds[2];
205
+
struct audit_proctitle proctitle;
210
206
211
207
#if AUDIT_DEBUG
212
208
int put_count;
+25
-8
kernel/auditfilter.c
+25
-8
kernel/auditfilter.c
···
19
19
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
20
20
*/
21
21
22
+
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
23
+
22
24
#include <linux/kernel.h>
23
25
#include <linux/audit.h>
24
26
#include <linux/kthread.h>
···
228
226
#endif
229
227
230
228
/* Common user-space to kernel rule translation. */
231
-
static inline struct audit_entry *audit_to_entry_common(struct audit_rule *rule)
229
+
static inline struct audit_entry *audit_to_entry_common(struct audit_rule_data *rule)
232
230
{
233
231
unsigned listnr;
234
232
struct audit_entry *entry;
···
251
249
;
252
250
}
253
251
if (unlikely(rule->action == AUDIT_POSSIBLE)) {
254
-
printk(KERN_ERR "AUDIT_POSSIBLE is deprecated\n");
252
+
pr_err("AUDIT_POSSIBLE is deprecated\n");
255
253
goto exit_err;
256
254
}
257
255
if (rule->action != AUDIT_NEVER && rule->action != AUDIT_ALWAYS)
···
405
403
int i;
406
404
char *str;
407
405
408
-
entry = audit_to_entry_common((struct audit_rule *)data);
406
+
entry = audit_to_entry_common(data);
409
407
if (IS_ERR(entry))
410
408
goto exit_nofree;
411
409
···
431
429
if ((f->type == AUDIT_LOGINUID) && (f->val == AUDIT_UID_UNSET)) {
432
430
f->type = AUDIT_LOGINUID_SET;
433
431
f->val = 0;
432
+
}
433
+
434
+
if ((f->type == AUDIT_PID) || (f->type == AUDIT_PPID)) {
435
+
struct pid *pid;
436
+
rcu_read_lock();
437
+
pid = find_vpid(f->val);
438
+
if (!pid) {
439
+
rcu_read_unlock();
440
+
err = -ESRCH;
441
+
goto exit_free;
442
+
}
443
+
f->val = pid_nr(pid);
444
+
rcu_read_unlock();
434
445
}
435
446
436
447
err = audit_field_valid(entry, f);
···
494
479
/* Keep currently invalid fields around in case they
495
480
* become valid after a policy reload. */
496
481
if (err == -EINVAL) {
497
-
printk(KERN_WARNING "audit rule for LSM "
498
-
"\'%s\' is invalid\n", str);
482
+
pr_warn("audit rule for LSM \'%s\' is invalid\n",
483
+
str);
499
484
err = 0;
500
485
}
501
486
if (err) {
···
724
709
/* Keep currently invalid fields around in case they
725
710
* become valid after a policy reload. */
726
711
if (ret == -EINVAL) {
727
-
printk(KERN_WARNING "audit rule for LSM \'%s\' is "
728
-
"invalid\n", df->lsm_str);
712
+
pr_warn("audit rule for LSM \'%s\' is invalid\n",
713
+
df->lsm_str);
729
714
ret = 0;
730
715
}
731
716
···
1255
1240
1256
1241
for (i = 0; i < rule->field_count; i++) {
1257
1242
struct audit_field *f = &rule->fields[i];
1243
+
pid_t pid;
1258
1244
int result = 0;
1259
1245
u32 sid;
1260
1246
1261
1247
switch (f->type) {
1262
1248
case AUDIT_PID:
1263
-
result = audit_comparator(task_pid_vnr(current), f->op, f->val);
1249
+
pid = task_pid_nr(current);
1250
+
result = audit_comparator(pid, f->op, f->val);
1264
1251
break;
1265
1252
case AUDIT_UID:
1266
1253
result = audit_uid_comparator(current_uid(), f->op, f->uid);
+100
-33
kernel/auditsc.c
+100
-33
kernel/auditsc.c
···
42
42
* and <dustin.kirkland@us.ibm.com> for LSPP certification compliance.
43
43
*/
44
44
45
+
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
46
+
45
47
#include <linux/init.h>
46
48
#include <asm/types.h>
47
49
#include <linux/atomic.h>
···
70
68
#include <linux/capability.h>
71
69
#include <linux/fs_struct.h>
72
70
#include <linux/compat.h>
71
+
#include <linux/ctype.h>
73
72
74
73
#include "audit.h"
75
74
···
81
78
82
79
/* no execve audit message should be longer than this (userspace limits) */
83
80
#define MAX_EXECVE_AUDIT_LEN 7500
81
+
82
+
/* max length to print of cmdline/proctitle value during audit */
83
+
#define MAX_PROCTITLE_AUDIT_LEN 128
84
84
85
85
/* number of audit rules */
86
86
int audit_n_rules;
···
457
451
struct audit_field *f = &rule->fields[i];
458
452
struct audit_names *n;
459
453
int result = 0;
454
+
pid_t pid;
460
455
461
456
switch (f->type) {
462
457
case AUDIT_PID:
463
-
result = audit_comparator(tsk->pid, f->op, f->val);
458
+
pid = task_pid_nr(tsk);
459
+
result = audit_comparator(pid, f->op, f->val);
464
460
break;
465
461
case AUDIT_PPID:
466
462
if (ctx) {
467
463
if (!ctx->ppid)
468
-
ctx->ppid = sys_getppid();
464
+
ctx->ppid = task_ppid_nr(tsk);
469
465
result = audit_comparator(ctx->ppid, f->op, f->val);
470
466
}
471
467
break;
···
813
805
rcu_read_unlock();
814
806
}
815
807
816
-
static inline struct audit_context *audit_get_context(struct task_struct *tsk,
808
+
/* Transfer the audit context pointer to the caller, clearing it in the tsk's struct */
809
+
static inline struct audit_context *audit_take_context(struct task_struct *tsk,
817
810
int return_valid,
818
811
long return_code)
819
812
{
···
851
842
return context;
852
843
}
853
844
845
+
static inline void audit_proctitle_free(struct audit_context *context)
846
+
{
847
+
kfree(context->proctitle.value);
848
+
context->proctitle.value = NULL;
849
+
context->proctitle.len = 0;
850
+
}
851
+
854
852
static inline void audit_free_names(struct audit_context *context)
855
853
{
856
854
struct audit_names *n, *next;
···
866
850
if (context->put_count + context->ino_count != context->name_count) {
867
851
int i = 0;
868
852
869
-
printk(KERN_ERR "%s:%d(:%d): major=%d in_syscall=%d"
870
-
" name_count=%d put_count=%d"
871
-
" ino_count=%d [NOT freeing]\n",
872
-
__FILE__, __LINE__,
853
+
pr_err("%s:%d(:%d): major=%d in_syscall=%d"
854
+
" name_count=%d put_count=%d ino_count=%d"
855
+
" [NOT freeing]\n", __FILE__, __LINE__,
873
856
context->serial, context->major, context->in_syscall,
874
857
context->name_count, context->put_count,
875
858
context->ino_count);
876
859
list_for_each_entry(n, &context->names_list, list) {
877
-
printk(KERN_ERR "names[%d] = %p = %s\n", i++,
878
-
n->name, n->name->name ?: "(null)");
860
+
pr_err("names[%d] = %p = %s\n", i++, n->name,
861
+
n->name->name ?: "(null)");
879
862
}
880
863
dump_stack();
881
864
return;
···
970
955
audit_free_aux(context);
971
956
kfree(context->filterkey);
972
957
kfree(context->sockaddr);
958
+
audit_proctitle_free(context);
973
959
kfree(context);
974
960
}
975
961
···
1173
1157
*/
1174
1158
buf = kmalloc(MAX_EXECVE_AUDIT_LEN + 1, GFP_KERNEL);
1175
1159
if (!buf) {
1176
-
audit_panic("out of memory for argv string\n");
1160
+
audit_panic("out of memory for argv string");
1177
1161
return;
1178
1162
}
1179
1163
···
1284
1268
audit_log_execve_info(context, &ab);
1285
1269
break; }
1286
1270
}
1271
+
audit_log_end(ab);
1272
+
}
1273
+
1274
+
static inline int audit_proctitle_rtrim(char *proctitle, int len)
1275
+
{
1276
+
char *end = proctitle + len - 1;
1277
+
while (end > proctitle && !isprint(*end))
1278
+
end--;
1279
+
1280
+
/* catch the case where proctitle is only 1 non-print character */
1281
+
len = end - proctitle + 1;
1282
+
len -= isprint(proctitle[len-1]) == 0;
1283
+
return len;
1284
+
}
1285
+
1286
+
static void audit_log_proctitle(struct task_struct *tsk,
1287
+
struct audit_context *context)
1288
+
{
1289
+
int res;
1290
+
char *buf;
1291
+
char *msg = "(null)";
1292
+
int len = strlen(msg);
1293
+
struct audit_buffer *ab;
1294
+
1295
+
ab = audit_log_start(context, GFP_KERNEL, AUDIT_PROCTITLE);
1296
+
if (!ab)
1297
+
return; /* audit_panic or being filtered */
1298
+
1299
+
audit_log_format(ab, "proctitle=");
1300
+
1301
+
/* Not cached */
1302
+
if (!context->proctitle.value) {
1303
+
buf = kmalloc(MAX_PROCTITLE_AUDIT_LEN, GFP_KERNEL);
1304
+
if (!buf)
1305
+
goto out;
1306
+
/* Historically called this from procfs naming */
1307
+
res = get_cmdline(tsk, buf, MAX_PROCTITLE_AUDIT_LEN);
1308
+
if (res == 0) {
1309
+
kfree(buf);
1310
+
goto out;
1311
+
}
1312
+
res = audit_proctitle_rtrim(buf, res);
1313
+
if (res == 0) {
1314
+
kfree(buf);
1315
+
goto out;
1316
+
}
1317
+
context->proctitle.value = buf;
1318
+
context->proctitle.len = res;
1319
+
}
1320
+
msg = context->proctitle.value;
1321
+
len = context->proctitle.len;
1322
+
out:
1323
+
audit_log_n_untrustedstring(ab, msg, len);
1287
1324
audit_log_end(ab);
1288
1325
}
1289
1326
···
1457
1388
audit_log_name(context, n, NULL, i++, &call_panic);
1458
1389
}
1459
1390
1391
+
audit_log_proctitle(tsk, context);
1392
+
1460
1393
/* Send end of event record to help user space know we are finished */
1461
1394
ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE);
1462
1395
if (ab)
···
1477
1406
{
1478
1407
struct audit_context *context;
1479
1408
1480
-
context = audit_get_context(tsk, 0, 0);
1409
+
context = audit_take_context(tsk, 0, 0);
1481
1410
if (!context)
1482
1411
return;
1483
1412
···
1571
1500
else
1572
1501
success = AUDITSC_FAILURE;
1573
1502
1574
-
context = audit_get_context(tsk, success, return_code);
1503
+
context = audit_take_context(tsk, success, return_code);
1575
1504
if (!context)
1576
1505
return;
1577
1506
···
1621
1550
if (likely(put_tree_ref(context, chunk)))
1622
1551
return;
1623
1552
if (unlikely(!grow_tree_refs(context))) {
1624
-
printk(KERN_WARNING "out of memory, audit has lost a tree reference\n");
1553
+
pr_warn("out of memory, audit has lost a tree reference\n");
1625
1554
audit_set_auditable(context);
1626
1555
audit_put_chunk(chunk);
1627
1556
unroll_tree_refs(context, p, count);
···
1680
1609
goto retry;
1681
1610
}
1682
1611
/* too bad */
1683
-
printk(KERN_WARNING
1684
-
"out of memory, audit has lost a tree reference\n");
1612
+
pr_warn("out of memory, audit has lost a tree reference\n");
1685
1613
unroll_tree_refs(context, p, count);
1686
1614
audit_set_auditable(context);
1687
1615
return;
···
1752
1682
1753
1683
if (!context->in_syscall) {
1754
1684
#if AUDIT_DEBUG == 2
1755
-
printk(KERN_ERR "%s:%d(:%d): ignoring getname(%p)\n",
1685
+
pr_err("%s:%d(:%d): ignoring getname(%p)\n",
1756
1686
__FILE__, __LINE__, context->serial, name);
1757
1687
dump_stack();
1758
1688
#endif
···
1791
1721
BUG_ON(!context);
1792
1722
if (!name->aname || !context->in_syscall) {
1793
1723
#if AUDIT_DEBUG == 2
1794
-
printk(KERN_ERR "%s:%d(:%d): final_putname(%p)\n",
1724
+
pr_err("%s:%d(:%d): final_putname(%p)\n",
1795
1725
__FILE__, __LINE__, context->serial, name);
1796
1726
if (context->name_count) {
1797
1727
struct audit_names *n;
1798
1728
int i = 0;
1799
1729
1800
1730
list_for_each_entry(n, &context->names_list, list)
1801
-
printk(KERN_ERR "name[%d] = %p = %s\n", i++,
1802
-
n->name, n->name->name ?: "(null)");
1731
+
pr_err("name[%d] = %p = %s\n", i++, n->name,
1732
+
n->name->name ?: "(null)");
1803
1733
}
1804
1734
#endif
1805
1735
final_putname(name);
···
1808
1738
else {
1809
1739
++context->put_count;
1810
1740
if (context->put_count > context->name_count) {
1811
-
printk(KERN_ERR "%s:%d(:%d): major=%d"
1812
-
" in_syscall=%d putname(%p) name_count=%d"
1813
-
" put_count=%d\n",
1741
+
pr_err("%s:%d(:%d): major=%d in_syscall=%d putname(%p)"
1742
+
" name_count=%d put_count=%d\n",
1814
1743
__FILE__, __LINE__,
1815
1744
context->serial, context->major,
1816
1745
context->in_syscall, name->name,
···
2050
1981
ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN);
2051
1982
if (!ab)
2052
1983
return;
2053
-
audit_log_format(ab, "pid=%d uid=%u"
2054
-
" old-auid=%u new-auid=%u old-ses=%u new-ses=%u"
2055
-
" res=%d",
2056
-
current->pid, uid,
2057
-
oldloginuid, loginuid, oldsessionid, sessionid,
2058
-
!rc);
1984
+
audit_log_format(ab, "pid=%d uid=%u", task_pid_nr(current), uid);
1985
+
audit_log_task_context(ab);
1986
+
audit_log_format(ab, " old-auid=%u auid=%u old-ses=%u ses=%u res=%d",
1987
+
oldloginuid, loginuid, oldsessionid, sessionid, !rc);
2059
1988
audit_log_end(ab);
2060
1989
}
2061
1990
···
2275
2208
{
2276
2209
struct audit_context *context = current->audit_context;
2277
2210
2278
-
context->target_pid = t->pid;
2211
+
context->target_pid = task_pid_nr(t);
2279
2212
context->target_auid = audit_get_loginuid(t);
2280
2213
context->target_uid = task_uid(t);
2281
2214
context->target_sessionid = audit_get_sessionid(t);
···
2300
2233
2301
2234
if (audit_pid && t->tgid == audit_pid) {
2302
2235
if (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1 || sig == SIGUSR2) {
2303
-
audit_sig_pid = tsk->pid;
2236
+
audit_sig_pid = task_pid_nr(tsk);
2304
2237
if (uid_valid(tsk->loginuid))
2305
2238
audit_sig_uid = tsk->loginuid;
2306
2239
else
···
2314
2247
/* optimize the common case by putting first signal recipient directly
2315
2248
* in audit_context */
2316
2249
if (!ctx->target_pid) {
2317
-
ctx->target_pid = t->tgid;
2250
+
ctx->target_pid = task_tgid_nr(t);
2318
2251
ctx->target_auid = audit_get_loginuid(t);
2319
2252
ctx->target_uid = t_uid;
2320
2253
ctx->target_sessionid = audit_get_sessionid(t);
···
2335
2268
}
2336
2269
BUG_ON(axp->pid_count >= AUDIT_AUX_PIDS);
2337
2270
2338
-
axp->target_pid[axp->pid_count] = t->tgid;
2271
+
axp->target_pid[axp->pid_count] = task_tgid_nr(t);
2339
2272
axp->target_auid[axp->pid_count] = audit_get_loginuid(t);
2340
2273
axp->target_uid[axp->pid_count] = t_uid;
2341
2274
axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t);
···
2435
2368
from_kgid(&init_user_ns, gid),
2436
2369
sessionid);
2437
2370
audit_log_task_context(ab);
2438
-
audit_log_format(ab, " pid=%d comm=", current->pid);
2371
+
audit_log_format(ab, " pid=%d comm=", task_pid_nr(current));
2439
2372
audit_log_untrustedstring(ab, current->comm);
2440
2373
if (mm) {
2441
2374
down_read(&mm->mmap_sem);
+2
-2
kernel/seccomp.c
+2
-2
kernel/seccomp.c
···
71
71
struct pt_regs *regs = task_pt_regs(task);
72
72
73
73
sd->nr = syscall_get_nr(task, regs);
74
-
sd->arch = syscall_get_arch(task, regs);
74
+
sd->arch = syscall_get_arch();
75
75
76
76
/* Unroll syscall_get_args to help gcc on arm. */
77
77
syscall_get_arguments(task, regs, 0, 1, (unsigned long *) &sd->args[0]);
···
348
348
info.si_code = SYS_SECCOMP;
349
349
info.si_call_addr = (void __user *)KSTK_EIP(current);
350
350
info.si_errno = reason;
351
-
info.si_arch = syscall_get_arch(current, task_pt_regs(current));
351
+
info.si_arch = syscall_get_arch();
352
352
info.si_syscall = syscall;
353
353
force_sig_info(SIGSYS, &info, current);
354
354
}
+9
lib/Kconfig
+9
lib/Kconfig
···
182
182
depends on AUDIT && !AUDIT_ARCH
183
183
default y
184
184
185
+
config AUDIT_ARCH_COMPAT_GENERIC
186
+
bool
187
+
default n
188
+
189
+
config AUDIT_COMPAT_GENERIC
190
+
bool
191
+
depends on AUDIT_GENERIC && AUDIT_ARCH_COMPAT_GENERIC && COMPAT
192
+
default y
193
+
185
194
config RANDOM32_SELFTEST
186
195
bool "PRNG perform self test on init"
187
196
default n
+1
lib/Makefile
+1
lib/Makefile
···
96
96
obj-$(CONFIG_TEXTSEARCH_FSM) += ts_fsm.o
97
97
obj-$(CONFIG_SMP) += percpu_counter.o
98
98
obj-$(CONFIG_AUDIT_GENERIC) += audit.o
99
+
obj-$(CONFIG_AUDIT_COMPAT_GENERIC) += compat_audit.o
99
100
100
101
obj-$(CONFIG_SWIOTLB) += swiotlb.o
101
102
obj-$(CONFIG_IOMMU_HELPER) += iommu-helper.o
+14
-1
lib/audit.c
+14
-1
lib/audit.c
···
30
30
31
31
int audit_classify_arch(int arch)
32
32
{
33
-
return 0;
33
+
if (audit_is_compat(arch))
34
+
return 1;
35
+
else
36
+
return 0;
34
37
}
35
38
36
39
int audit_classify_syscall(int abi, unsigned syscall)
37
40
{
41
+
if (audit_is_compat(abi))
42
+
return audit_classify_compat_syscall(abi, syscall);
43
+
38
44
switch(syscall) {
39
45
#ifdef __NR_open
40
46
case __NR_open:
···
63
57
64
58
static int __init audit_classes_init(void)
65
59
{
60
+
#ifdef CONFIG_AUDIT_COMPAT_GENERIC
61
+
audit_register_class(AUDIT_CLASS_WRITE_32, compat_write_class);
62
+
audit_register_class(AUDIT_CLASS_READ_32, compat_read_class);
63
+
audit_register_class(AUDIT_CLASS_DIR_WRITE_32, compat_dir_class);
64
+
audit_register_class(AUDIT_CLASS_CHATTR_32, compat_chattr_class);
65
+
audit_register_class(AUDIT_CLASS_SIGNAL_32, compat_signal_class);
66
+
#endif
66
67
audit_register_class(AUDIT_CLASS_WRITE, write_class);
67
68
audit_register_class(AUDIT_CLASS_READ, read_class);
68
69
audit_register_class(AUDIT_CLASS_DIR_WRITE, dir_class);
+50
lib/compat_audit.c
+50
lib/compat_audit.c
···
1
+
#include <linux/init.h>
2
+
#include <linux/types.h>
3
+
#include <asm/unistd32.h>
4
+
5
+
unsigned compat_dir_class[] = {
6
+
#include <asm-generic/audit_dir_write.h>
7
+
~0U
8
+
};
9
+
10
+
unsigned compat_read_class[] = {
11
+
#include <asm-generic/audit_read.h>
12
+
~0U
13
+
};
14
+
15
+
unsigned compat_write_class[] = {
16
+
#include <asm-generic/audit_write.h>
17
+
~0U
18
+
};
19
+
20
+
unsigned compat_chattr_class[] = {
21
+
#include <asm-generic/audit_change_attr.h>
22
+
~0U
23
+
};
24
+
25
+
unsigned compat_signal_class[] = {
26
+
#include <asm-generic/audit_signal.h>
27
+
~0U
28
+
};
29
+
30
+
int audit_classify_compat_syscall(int abi, unsigned syscall)
31
+
{
32
+
switch (syscall) {
33
+
#ifdef __NR_open
34
+
case __NR_open:
35
+
return 2;
36
+
#endif
37
+
#ifdef __NR_openat
38
+
case __NR_openat:
39
+
return 3;
40
+
#endif
41
+
#ifdef __NR_socketcall
42
+
case __NR_socketcall:
43
+
return 4;
44
+
#endif
45
+
case __NR_execve:
46
+
return 5;
47
+
default:
48
+
return 1;
49
+
}
50
+
}
+48
mm/util.c
+48
mm/util.c
···
446
446
return allowed;
447
447
}
448
448
449
+
/**
450
+
* get_cmdline() - copy the cmdline value to a buffer.
451
+
* @task: the task whose cmdline value to copy.
452
+
* @buffer: the buffer to copy to.
453
+
* @buflen: the length of the buffer. Larger cmdline values are truncated
454
+
* to this length.
455
+
* Returns the size of the cmdline field copied. Note that the copy does
456
+
* not guarantee an ending NULL byte.
457
+
*/
458
+
int get_cmdline(struct task_struct *task, char *buffer, int buflen)
459
+
{
460
+
int res = 0;
461
+
unsigned int len;
462
+
struct mm_struct *mm = get_task_mm(task);
463
+
if (!mm)
464
+
goto out;
465
+
if (!mm->arg_end)
466
+
goto out_mm; /* Shh! No looking before we're done */
467
+
468
+
len = mm->arg_end - mm->arg_start;
469
+
470
+
if (len > buflen)
471
+
len = buflen;
472
+
473
+
res = access_process_vm(task, mm->arg_start, buffer, len, 0);
474
+
475
+
/*
476
+
* If the nul at the end of args has been overwritten, then
477
+
* assume application is using setproctitle(3).
478
+
*/
479
+
if (res > 0 && buffer[res-1] != '\0' && len < buflen) {
480
+
len = strnlen(buffer, res);
481
+
if (len < res) {
482
+
res = len;
483
+
} else {
484
+
len = mm->env_end - mm->env_start;
485
+
if (len > buflen - res)
486
+
len = buflen - res;
487
+
res += access_process_vm(task, mm->env_start,
488
+
buffer+res, len, 0);
489
+
res = strnlen(buffer, res);
490
+
}
491
+
}
492
+
out_mm:
493
+
mmput(mm);
494
+
out:
495
+
return res;
496
+
}
449
497
450
498
/* Tracepoints definitions. */
451
499
EXPORT_TRACEPOINT_SYMBOL(kmalloc);
+1
-1
security/integrity/integrity_audit.c
+1
-1
security/integrity/integrity_audit.c
···
40
40
41
41
ab = audit_log_start(current->audit_context, GFP_KERNEL, audit_msgno);
42
42
audit_log_format(ab, "pid=%d uid=%u auid=%u ses=%u",
43
-
current->pid,
43
+
task_pid_nr(current),
44
44
from_kuid(&init_user_ns, current_cred()->uid),
45
45
from_kuid(&init_user_ns, audit_get_loginuid(current)),
46
46
audit_get_sessionid(current));
+7
-4
security/lsm_audit.c
+7
-4
security/lsm_audit.c
···
220
220
*/
221
221
BUILD_BUG_ON(sizeof(a->u) > sizeof(void *)*2);
222
222
223
-
audit_log_format(ab, " pid=%d comm=", tsk->pid);
223
+
audit_log_format(ab, " pid=%d comm=", task_pid_nr(tsk));
224
224
audit_log_untrustedstring(ab, tsk->comm);
225
225
226
226
switch (a->type) {
···
278
278
}
279
279
case LSM_AUDIT_DATA_TASK:
280
280
tsk = a->u.tsk;
281
-
if (tsk && tsk->pid) {
282
-
audit_log_format(ab, " pid=%d comm=", tsk->pid);
283
-
audit_log_untrustedstring(ab, tsk->comm);
281
+
if (tsk) {
282
+
pid_t pid = task_pid_nr(tsk);
283
+
if (pid) {
284
+
audit_log_format(ab, " pid=%d comm=", pid);
285
+
audit_log_untrustedstring(ab, tsk->comm);
286
+
}
284
287
}
285
288
break;
286
289
case LSM_AUDIT_DATA_NET: