tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
Merge master.kernel.org:/pub/scm/linux/kernel/git/dwmw2/audit-2.6
+686
-445
+17
arch/ppc/Kconfig
+17
arch/ppc/Kconfig
···
1083
1083
1084
1084
source kernel/power/Kconfig
1085
1085
1086
+
config SECCOMP
1087
+
bool "Enable seccomp to safely compute untrusted bytecode"
1088
+
depends on PROC_FS
1089
+
default y
1090
+
help
1091
+
This kernel feature is useful for number crunching applications
1092
+
that may need to compute untrusted bytecode during their
1093
+
execution. By using pipes or other transports made available to
1094
+
the process as file descriptors supporting the read/write
1095
+
syscalls, it's possible to isolate those applications in
1096
+
their own address space using seccomp. Once seccomp is
1097
+
enabled via /proc/<pid>/seccomp, it cannot be disabled
1098
+
and the task is only allowed to execute a few safe syscalls
1099
+
defined by each seccomp mode.
1100
+
1101
+
If unsure, say Y. Only embedded should say N here.
1102
+
1086
1103
endmenu
1087
1104
1088
1105
config ISA_DMA_API
+9
-7
arch/ppc/kernel/entry.S
+9
-7
arch/ppc/kernel/entry.S
···
202
202
rlwinm r11,r11,0,~_TIFL_FORCE_NOERROR
203
203
stw r11,TI_LOCAL_FLAGS(r10)
204
204
lwz r11,TI_FLAGS(r10)
205
-
andi. r11,r11,_TIF_SYSCALL_TRACE
205
+
andi. r11,r11,_TIF_SYSCALL_T_OR_A
206
206
bne- syscall_dotrace
207
207
syscall_dotrace_cont:
208
208
cmplwi 0,r0,NR_syscalls
···
237
237
SYNC
238
238
MTMSRD(r10)
239
239
lwz r9,TI_FLAGS(r12)
240
-
andi. r0,r9,(_TIF_SYSCALL_TRACE|_TIF_SIGPENDING|_TIF_NEED_RESCHED)
240
+
andi. r0,r9,(_TIF_SYSCALL_T_OR_A|_TIF_SIGPENDING|_TIF_NEED_RESCHED)
241
241
bne- syscall_exit_work
242
242
syscall_exit_cont:
243
243
#if defined(CONFIG_4xx) || defined(CONFIG_BOOKE)
···
277
277
SAVE_NVGPRS(r1)
278
278
li r0,0xc00
279
279
stw r0,TRAP(r1)
280
-
bl do_syscall_trace
280
+
addi r3,r1,STACK_FRAME_OVERHEAD
281
+
bl do_syscall_trace_enter
281
282
lwz r0,GPR0(r1) /* Restore original registers */
282
283
lwz r3,GPR3(r1)
283
284
lwz r4,GPR4(r1)
···
292
291
syscall_exit_work:
293
292
stw r6,RESULT(r1) /* Save result */
294
293
stw r3,GPR3(r1) /* Update return value */
295
-
andi. r0,r9,_TIF_SYSCALL_TRACE
294
+
andi. r0,r9,_TIF_SYSCALL_T_OR_A
296
295
beq 5f
297
296
ori r10,r10,MSR_EE
298
297
SYNC
···
304
303
li r4,0xc00
305
304
stw r4,TRAP(r1)
306
305
4:
307
-
bl do_syscall_trace
306
+
addi r3,r1,STACK_FRAME_OVERHEAD
307
+
bl do_syscall_trace_leave
308
308
REST_NVGPRS(r1)
309
309
2:
310
310
lwz r3,GPR3(r1)
···
629
627
subi r1,r3,STACK_FRAME_OVERHEAD
630
628
rlwinm r12,r1,0,0,18 /* current_thread_info() */
631
629
lwz r9,TI_FLAGS(r12)
632
-
andi. r0,r9,_TIF_SYSCALL_TRACE
633
-
bnel- do_syscall_trace
630
+
andi. r0,r9,_TIF_SYSCALL_T_OR_A
631
+
bnel- do_syscall_trace_leave
634
632
/* fall through */
635
633
636
634
.globl ret_from_except_full
-2
arch/ppc/kernel/ppc_ksyms.c
-2
arch/ppc/kernel/ppc_ksyms.c
···
55
55
#define EXPORT_SYMTAB_STROPS
56
56
57
57
extern void transfer_to_handler(void);
58
-
extern void do_syscall_trace(void);
59
58
extern void do_IRQ(struct pt_regs *regs);
60
59
extern void MachineCheckException(struct pt_regs *regs);
61
60
extern void AlignmentException(struct pt_regs *regs);
···
73
74
EXPORT_SYMBOL(clear_pages);
74
75
EXPORT_SYMBOL(clear_user_page);
75
76
EXPORT_SYMBOL(do_signal);
76
-
EXPORT_SYMBOL(do_syscall_trace);
77
77
EXPORT_SYMBOL(transfer_to_handler);
78
78
EXPORT_SYMBOL(do_IRQ);
79
79
EXPORT_SYMBOL(MachineCheckException);
+36
-4
arch/ppc/kernel/ptrace.c
+36
-4
arch/ppc/kernel/ptrace.c
···
27
27
#include <linux/user.h>
28
28
#include <linux/security.h>
29
29
#include <linux/signal.h>
30
+
#include <linux/seccomp.h>
31
+
#include <linux/audit.h>
32
+
#include <linux/module.h>
30
33
31
34
#include <asm/uaccess.h>
32
35
#include <asm/page.h>
···
458
455
return ret;
459
456
}
460
457
461
-
void do_syscall_trace(void)
458
+
static void do_syscall_trace(void)
462
459
{
463
-
if (!test_thread_flag(TIF_SYSCALL_TRACE)
464
-
|| !(current->ptrace & PT_PTRACED))
465
-
return;
460
+
/* the 0x80 provides a way for the tracing parent to distinguish
461
+
between a syscall stop and SIGTRAP delivery */
466
462
ptrace_notify(SIGTRAP | ((current->ptrace & PT_TRACESYSGOOD)
467
463
? 0x80 : 0));
468
464
···
475
473
current->exit_code = 0;
476
474
}
477
475
}
476
+
477
+
void do_syscall_trace_enter(struct pt_regs *regs)
478
+
{
479
+
if (test_thread_flag(TIF_SYSCALL_TRACE)
480
+
&& (current->ptrace & PT_PTRACED))
481
+
do_syscall_trace();
482
+
483
+
if (unlikely(current->audit_context))
484
+
audit_syscall_entry(current, AUDIT_ARCH_PPC,
485
+
regs->gpr[0],
486
+
regs->gpr[3], regs->gpr[4],
487
+
regs->gpr[5], regs->gpr[6]);
488
+
}
489
+
490
+
void do_syscall_trace_leave(struct pt_regs *regs)
491
+
{
492
+
secure_computing(regs->gpr[0]);
493
+
494
+
if (unlikely(current->audit_context))
495
+
audit_syscall_exit(current,
496
+
(regs->ccr&0x1000)?AUDITSC_FAILURE:AUDITSC_SUCCESS,
497
+
regs->result);
498
+
499
+
if ((test_thread_flag(TIF_SYSCALL_TRACE))
500
+
&& (current->ptrace & PT_PTRACED))
501
+
do_syscall_trace();
502
+
}
503
+
504
+
EXPORT_SYMBOL(do_syscall_trace_enter);
505
+
EXPORT_SYMBOL(do_syscall_trace_leave);
+10
include/asm-ppc/seccomp.h
+10
include/asm-ppc/seccomp.h
+7
include/asm-ppc/thread_info.h
+7
include/asm-ppc/thread_info.h
···
77
77
#define TIF_POLLING_NRFLAG 4 /* true if poll_idle() is polling
78
78
TIF_NEED_RESCHED */
79
79
#define TIF_MEMDIE 5
80
+
#define TIF_SYSCALL_AUDIT 6 /* syscall auditing active */
81
+
#define TIF_SECCOMP 7 /* secure computing */
82
+
80
83
/* as above, but as bit values */
81
84
#define _TIF_SYSCALL_TRACE (1<<TIF_SYSCALL_TRACE)
82
85
#define _TIF_NOTIFY_RESUME (1<<TIF_NOTIFY_RESUME)
83
86
#define _TIF_SIGPENDING (1<<TIF_SIGPENDING)
84
87
#define _TIF_NEED_RESCHED (1<<TIF_NEED_RESCHED)
85
88
#define _TIF_POLLING_NRFLAG (1<<TIF_POLLING_NRFLAG)
89
+
#define _TIF_SYSCALL_AUDIT (1<<TIF_SYSCALL_AUDIT)
90
+
#define _TIF_SECCOMP (1<<TIF_SECCOMP)
91
+
92
+
#define _TIF_SYSCALL_T_OR_A (_TIF_SYSCALL_TRACE|_TIF_SYSCALL_AUDIT|_TIF_SECCOMP)
86
93
87
94
/*
88
95
* Non racy (local) flags bit numbers
+70
-24
include/linux/audit.h
+70
-24
include/linux/audit.h
···
27
27
#include <linux/sched.h>
28
28
#include <linux/elf.h>
29
29
30
-
/* Request and reply types */
31
-
#define AUDIT_GET 1000 /* Get status */
32
-
#define AUDIT_SET 1001 /* Set status (enable/disable/auditd) */
33
-
#define AUDIT_LIST 1002 /* List filtering rules */
34
-
#define AUDIT_ADD 1003 /* Add filtering rule */
35
-
#define AUDIT_DEL 1004 /* Delete filtering rule */
36
-
#define AUDIT_USER 1005 /* Send a message from user-space */
37
-
#define AUDIT_LOGIN 1006 /* Define the login id and informaiton */
38
-
#define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */
30
+
/* The netlink messages for the audit system is divided into blocks:
31
+
* 1000 - 1099 are for commanding the audit system
32
+
* 1100 - 1199 user space trusted application messages
33
+
* 1200 - 1299 messages internal to the audit daemon
34
+
* 1300 - 1399 audit event messages
35
+
* 1400 - 1499 SE Linux use
36
+
* 1500 - 1999 future use
37
+
* 2000 is for otherwise unclassified kernel audit messages
38
+
*
39
+
* Messages from 1000-1199 are bi-directional. 1200-1299 are exclusively user
40
+
* space. Anything over that is kernel --> user space communication.
41
+
*/
42
+
#define AUDIT_GET 1000 /* Get status */
43
+
#define AUDIT_SET 1001 /* Set status (enable/disable/auditd) */
44
+
#define AUDIT_LIST 1002 /* List syscall filtering rules */
45
+
#define AUDIT_ADD 1003 /* Add syscall filtering rule */
46
+
#define AUDIT_DEL 1004 /* Delete syscall filtering rule */
47
+
#define AUDIT_USER 1005 /* Message from userspace -- deprecated */
48
+
#define AUDIT_LOGIN 1006 /* Define the login id and information */
49
+
#define AUDIT_WATCH_INS 1007 /* Insert file/dir watch entry */
50
+
#define AUDIT_WATCH_REM 1008 /* Remove file/dir watch entry */
51
+
#define AUDIT_WATCH_LIST 1009 /* List all file/dir watches */
52
+
#define AUDIT_SIGNAL_INFO 1010 /* Get info about sender of signal to auditd */
53
+
54
+
#define AUDIT_FIRST_USER_MSG 1100 /* Userspace messages uninteresting to kernel */
55
+
#define AUDIT_LAST_USER_MSG 1199
56
+
57
+
#define AUDIT_DAEMON_START 1200 /* Daemon startup record */
58
+
#define AUDIT_DAEMON_END 1201 /* Daemon normal stop record */
59
+
#define AUDIT_DAEMON_ABORT 1202 /* Daemon error stop record */
60
+
#define AUDIT_DAEMON_CONFIG 1203 /* Daemon config change */
61
+
62
+
#define AUDIT_SYSCALL 1300 /* Syscall event */
63
+
#define AUDIT_FS_WATCH 1301 /* Filesystem watch event */
64
+
#define AUDIT_PATH 1302 /* Filename path information */
65
+
#define AUDIT_IPC 1303 /* IPC record */
66
+
#define AUDIT_SOCKETCALL 1304 /* sys_socketcall arguments */
67
+
#define AUDIT_CONFIG_CHANGE 1305 /* Audit system configuration change */
68
+
#define AUDIT_SOCKADDR 1306 /* sockaddr copied as syscall arg */
69
+
#define AUDIT_CWD 1307 /* Current working directory */
70
+
71
+
#define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
72
+
#define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
73
+
#define AUDIT_AVC_PATH 1402 /* dentry, vfsmount pair from avc */
74
+
75
+
#define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */
39
76
40
77
/* Rule flags */
41
78
#define AUDIT_PER_TASK 0x01 /* Apply rule at task creation (not syscall) */
···
169
132
#define AUDIT_ARCH_V850 (EM_V850|__AUDIT_ARCH_LE)
170
133
#define AUDIT_ARCH_X86_64 (EM_X86_64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
171
134
172
-
#ifndef __KERNEL__
173
-
struct audit_message {
174
-
struct nlmsghdr nlh;
175
-
char data[1200];
176
-
};
177
-
#endif
178
-
179
135
struct audit_status {
180
136
__u32 mask; /* Bit mask for valid entries */
181
-
__u32 enabled; /* 1 = enabled, 0 = disbaled */
137
+
__u32 enabled; /* 1 = enabled, 0 = disabled */
182
138
__u32 failure; /* Failure-to-log action */
183
139
__u32 pid; /* pid of auditd process */
184
140
__u32 rate_limit; /* messages rate limit (per second) */
···
190
160
};
191
161
192
162
#ifdef __KERNEL__
163
+
164
+
struct audit_sig_info {
165
+
uid_t uid;
166
+
pid_t pid;
167
+
};
193
168
194
169
struct audit_buffer;
195
170
struct audit_context;
···
220
185
/* Private API (for audit.c only) */
221
186
extern int audit_receive_filter(int type, int pid, int uid, int seq,
222
187
void *data, uid_t loginuid);
223
-
extern void audit_get_stamp(struct audit_context *ctx,
224
-
struct timespec *t, unsigned int *serial);
188
+
extern unsigned int audit_serial(void);
189
+
extern void auditsc_get_stamp(struct audit_context *ctx,
190
+
struct timespec *t, unsigned int *serial);
225
191
extern int audit_set_loginuid(struct task_struct *task, uid_t loginuid);
226
192
extern uid_t audit_get_loginuid(struct audit_context *ctx);
227
193
extern int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode);
194
+
extern int audit_socketcall(int nargs, unsigned long *args);
195
+
extern int audit_sockaddr(int len, void *addr);
196
+
extern int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt);
197
+
extern void audit_signal_info(int sig, struct task_struct *t);
228
198
#else
229
199
#define audit_alloc(t) ({ 0; })
230
200
#define audit_free(t) do { ; } while (0)
···
238
198
#define audit_getname(n) do { ; } while (0)
239
199
#define audit_putname(n) do { ; } while (0)
240
200
#define audit_inode(n,i) do { ; } while (0)
201
+
#define audit_receive_filter(t,p,u,s,d,l) ({ -EOPNOTSUPP; })
202
+
#define auditsc_get_stamp(c,t,s) do { BUG(); } while (0)
241
203
#define audit_get_loginuid(c) ({ -1; })
242
204
#define audit_ipc_perms(q,u,g,m) ({ 0; })
205
+
#define audit_socketcall(n,a) ({ 0; })
206
+
#define audit_sockaddr(len, addr) ({ 0; })
207
+
#define audit_avc_path(dentry, mnt) ({ 0; })
208
+
#define audit_signal_info(s,t) do { ; } while (0)
243
209
#endif
244
210
245
211
#ifdef CONFIG_AUDIT
246
212
/* These are defined in audit.c */
247
213
/* Public API */
248
-
extern void audit_log(struct audit_context *ctx,
214
+
extern void audit_log(struct audit_context *ctx, int type,
249
215
const char *fmt, ...)
250
-
__attribute__((format(printf,2,3)));
216
+
__attribute__((format(printf,3,4)));
251
217
252
-
extern struct audit_buffer *audit_log_start(struct audit_context *ctx);
218
+
extern struct audit_buffer *audit_log_start(struct audit_context *ctx,int type);
253
219
extern void audit_log_format(struct audit_buffer *ab,
254
220
const char *fmt, ...)
255
221
__attribute__((format(printf,2,3)));
···
275
229
void *payload, int size);
276
230
extern void audit_log_lost(const char *message);
277
231
#else
278
-
#define audit_log(t,f,...) do { ; } while (0)
279
-
#define audit_log_start(t) ({ NULL; })
232
+
#define audit_log(c,t,f,...) do { ; } while (0)
233
+
#define audit_log_start(c,t) ({ NULL; })
280
234
#define audit_log_vformat(b,f,a) do { ; } while (0)
281
235
#define audit_log_format(b,f,...) do { ; } while (0)
282
236
#define audit_log_end(b) do { ; } while (0)
+2
-1
init/Kconfig
+2
-1
init/Kconfig
···
164
164
165
165
config AUDIT
166
166
bool "Auditing support"
167
+
depends on NET
167
168
default y if SECURITY_SELINUX
168
169
help
169
170
Enable auditing infrastructure that can be used with another
···
174
173
175
174
config AUDITSYSCALL
176
175
bool "Enable system-call auditing support"
177
-
depends on AUDIT && (X86 || PPC64 || ARCH_S390 || IA64 || UML)
176
+
depends on AUDIT && (X86 || PPC || PPC64 || ARCH_S390 || IA64 || UML)
178
177
default y if SECURITY_SELINUX
179
178
help
180
179
Enable low-overhead system-call auditing infrastructure that
+306
-305
kernel/audit.c
+306
-305
kernel/audit.c
···
46
46
#include <asm/types.h>
47
47
#include <linux/mm.h>
48
48
#include <linux/module.h>
49
+
#include <linux/err.h>
50
+
#include <linux/kthread.h>
49
51
50
52
#include <linux/audit.h>
51
53
···
70
68
71
69
/* If audit records are to be written to the netlink socket, audit_pid
72
70
* contains the (non-zero) pid. */
73
-
static int audit_pid;
71
+
int audit_pid;
74
72
75
73
/* If audit_limit is non-zero, limit the rate of sending audit records
76
74
* to that number per second. This prevents DoS attacks, but results in
···
79
77
80
78
/* Number of outstanding audit_buffers allowed. */
81
79
static int audit_backlog_limit = 64;
82
-
static atomic_t audit_backlog = ATOMIC_INIT(0);
80
+
81
+
/* The identity of the user shutting down the audit system. */
82
+
uid_t audit_sig_uid = -1;
83
+
pid_t audit_sig_pid = -1;
83
84
84
85
/* Records can be lost in several ways:
85
86
0) [suppressed in audit_alloc]
···
96
91
/* The netlink socket. */
97
92
static struct sock *audit_sock;
98
93
99
-
/* There are two lists of audit buffers. The txlist contains audit
100
-
* buffers that cannot be sent immediately to the netlink device because
101
-
* we are in an irq context (these are sent later in a tasklet).
102
-
*
103
-
* The second list is a list of pre-allocated audit buffers (if more
94
+
/* The audit_freelist is a list of pre-allocated audit buffers (if more
104
95
* than AUDIT_MAXFREE are in use, the audit buffer is freed instead of
105
96
* being placed on the freelist). */
106
-
static DEFINE_SPINLOCK(audit_txlist_lock);
107
97
static DEFINE_SPINLOCK(audit_freelist_lock);
108
98
static int audit_freelist_count = 0;
109
-
static LIST_HEAD(audit_txlist);
110
99
static LIST_HEAD(audit_freelist);
100
+
101
+
static struct sk_buff_head audit_skb_queue;
102
+
static struct task_struct *kauditd_task;
103
+
static DECLARE_WAIT_QUEUE_HEAD(kauditd_wait);
111
104
112
105
/* There are three lists of rules -- one to search at task creation
113
106
* time, one to search at syscall entry time, and another to search at
···
115
112
static LIST_HEAD(audit_extlist);
116
113
117
114
/* The netlink socket is only to be read by 1 CPU, which lets us assume
118
-
* that list additions and deletions never happen simultaneiously in
115
+
* that list additions and deletions never happen simultaneously in
119
116
* auditsc.c */
120
117
static DECLARE_MUTEX(audit_netlink_sem);
121
118
···
135
132
* use simultaneously. */
136
133
struct audit_buffer {
137
134
struct list_head list;
138
-
struct sk_buff_head sklist; /* formatted skbs ready to send */
135
+
struct sk_buff *skb; /* formatted skb ready to send */
139
136
struct audit_context *ctx; /* NULL or associated context */
140
-
int len; /* used area of tmp */
141
-
char tmp[AUDIT_BUFSIZ];
142
-
143
-
/* Pointer to header and contents */
144
-
struct nlmsghdr *nlh;
145
-
int total;
146
-
int type;
147
-
int pid;
148
137
};
149
138
150
-
void audit_set_type(struct audit_buffer *ab, int type)
139
+
static void audit_set_pid(struct audit_buffer *ab, pid_t pid)
151
140
{
152
-
ab->type = type;
141
+
struct nlmsghdr *nlh = (struct nlmsghdr *)ab->skb->data;
142
+
nlh->nlmsg_pid = pid;
153
143
}
154
144
155
145
struct audit_entry {
156
146
struct list_head list;
157
147
struct audit_rule rule;
158
148
};
159
-
160
-
static void audit_log_end_irq(struct audit_buffer *ab);
161
-
static void audit_log_end_fast(struct audit_buffer *ab);
162
149
163
150
static void audit_panic(const char *message)
164
151
{
···
220
227
221
228
if (print) {
222
229
printk(KERN_WARNING
223
-
"audit: audit_lost=%d audit_backlog=%d"
224
-
" audit_rate_limit=%d audit_backlog_limit=%d\n",
230
+
"audit: audit_lost=%d audit_rate_limit=%d audit_backlog_limit=%d\n",
225
231
atomic_read(&audit_lost),
226
-
atomic_read(&audit_backlog),
227
232
audit_rate_limit,
228
233
audit_backlog_limit);
229
234
audit_panic(message);
···
233
242
{
234
243
int old = audit_rate_limit;
235
244
audit_rate_limit = limit;
236
-
audit_log(NULL, "audit_rate_limit=%d old=%d by auid %u",
245
+
audit_log(NULL, AUDIT_CONFIG_CHANGE,
246
+
"audit_rate_limit=%d old=%d by auid=%u",
237
247
audit_rate_limit, old, loginuid);
238
248
return old;
239
249
}
···
243
251
{
244
252
int old = audit_backlog_limit;
245
253
audit_backlog_limit = limit;
246
-
audit_log(NULL, "audit_backlog_limit=%d old=%d by auid %u",
254
+
audit_log(NULL, AUDIT_CONFIG_CHANGE,
255
+
"audit_backlog_limit=%d old=%d by auid=%u",
247
256
audit_backlog_limit, old, loginuid);
248
257
return old;
249
258
}
···
255
262
if (state != 0 && state != 1)
256
263
return -EINVAL;
257
264
audit_enabled = state;
258
-
audit_log(NULL, "audit_enabled=%d old=%d by auid %u",
259
-
audit_enabled, old, loginuid);
265
+
audit_log(NULL, AUDIT_CONFIG_CHANGE,
266
+
"audit_enabled=%d old=%d by auid=%u",
267
+
audit_enabled, old, loginuid);
260
268
return old;
261
269
}
262
270
···
269
275
&& state != AUDIT_FAIL_PANIC)
270
276
return -EINVAL;
271
277
audit_failure = state;
272
-
audit_log(NULL, "audit_failure=%d old=%d by auid %u",
273
-
audit_failure, old, loginuid);
278
+
audit_log(NULL, AUDIT_CONFIG_CHANGE,
279
+
"audit_failure=%d old=%d by auid=%u",
280
+
audit_failure, old, loginuid);
274
281
return old;
275
282
}
276
283
277
-
#ifdef CONFIG_NET
284
+
int kauditd_thread(void *dummy)
285
+
{
286
+
struct sk_buff *skb;
287
+
288
+
while (1) {
289
+
skb = skb_dequeue(&audit_skb_queue);
290
+
if (skb) {
291
+
if (audit_pid) {
292
+
int err = netlink_unicast(audit_sock, skb, audit_pid, 0);
293
+
if (err < 0) {
294
+
BUG_ON(err != -ECONNREFUSED); /* Shoudn't happen */
295
+
printk(KERN_ERR "audit: *NO* daemon at audit_pid=%d\n", audit_pid);
296
+
audit_pid = 0;
297
+
}
298
+
} else {
299
+
printk(KERN_ERR "%s\n", skb->data + NLMSG_SPACE(0));
300
+
kfree_skb(skb);
301
+
}
302
+
} else {
303
+
DECLARE_WAITQUEUE(wait, current);
304
+
set_current_state(TASK_INTERRUPTIBLE);
305
+
add_wait_queue(&kauditd_wait, &wait);
306
+
307
+
if (!skb_queue_len(&audit_skb_queue))
308
+
schedule();
309
+
310
+
__set_current_state(TASK_RUNNING);
311
+
remove_wait_queue(&kauditd_wait, &wait);
312
+
}
313
+
}
314
+
}
315
+
278
316
void audit_send_reply(int pid, int seq, int type, int done, int multi,
279
317
void *payload, int size)
280
318
{
···
319
293
320
294
skb = alloc_skb(len, GFP_KERNEL);
321
295
if (!skb)
322
-
goto nlmsg_failure;
296
+
return;
323
297
324
-
nlh = NLMSG_PUT(skb, pid, seq, t, len - sizeof(*nlh));
298
+
nlh = NLMSG_PUT(skb, pid, seq, t, size);
325
299
nlh->nlmsg_flags = flags;
326
300
data = NLMSG_DATA(nlh);
327
301
memcpy(data, payload, size);
328
-
netlink_unicast(audit_sock, skb, pid, MSG_DONTWAIT);
302
+
303
+
/* Ignore failure. It'll only happen if the sender goes away,
304
+
because our timeout is set to infinite. */
305
+
netlink_unicast(audit_sock, skb, pid, 0);
329
306
return;
330
307
331
308
nlmsg_failure: /* Used by NLMSG_PUT */
···
350
321
case AUDIT_SET:
351
322
case AUDIT_ADD:
352
323
case AUDIT_DEL:
324
+
case AUDIT_SIGNAL_INFO:
353
325
if (!cap_raised(eff_cap, CAP_AUDIT_CONTROL))
354
326
err = -EPERM;
355
327
break;
356
328
case AUDIT_USER:
329
+
case AUDIT_FIRST_USER_MSG...AUDIT_LAST_USER_MSG:
357
330
if (!cap_raised(eff_cap, CAP_AUDIT_WRITE))
358
331
err = -EPERM;
359
332
break;
···
375
344
struct audit_buffer *ab;
376
345
u16 msg_type = nlh->nlmsg_type;
377
346
uid_t loginuid; /* loginuid of sender */
347
+
struct audit_sig_info sig_data;
378
348
379
349
err = audit_netlink_ok(NETLINK_CB(skb).eff_cap, msg_type);
380
350
if (err)
381
351
return err;
352
+
353
+
/* As soon as there's any sign of userspace auditd, start kauditd to talk to it */
354
+
if (!kauditd_task)
355
+
kauditd_task = kthread_run(kauditd_thread, NULL, "kauditd");
356
+
if (IS_ERR(kauditd_task)) {
357
+
err = PTR_ERR(kauditd_task);
358
+
kauditd_task = NULL;
359
+
return err;
360
+
}
382
361
383
362
pid = NETLINK_CREDS(skb)->pid;
384
363
uid = NETLINK_CREDS(skb)->uid;
···
404
363
status_set.rate_limit = audit_rate_limit;
405
364
status_set.backlog_limit = audit_backlog_limit;
406
365
status_set.lost = atomic_read(&audit_lost);
407
-
status_set.backlog = atomic_read(&audit_backlog);
366
+
status_set.backlog = skb_queue_len(&audit_skb_queue);
408
367
audit_send_reply(NETLINK_CB(skb).pid, seq, AUDIT_GET, 0, 0,
409
368
&status_set, sizeof(status_set));
410
369
break;
···
423
382
if (status_get->mask & AUDIT_STATUS_PID) {
424
383
int old = audit_pid;
425
384
audit_pid = status_get->pid;
426
-
audit_log(NULL, "audit_pid=%d old=%d by auid %u",
385
+
audit_log(NULL, AUDIT_CONFIG_CHANGE,
386
+
"audit_pid=%d old=%d by auid=%u",
427
387
audit_pid, old, loginuid);
428
388
}
429
389
if (status_get->mask & AUDIT_STATUS_RATE_LIMIT)
···
434
392
loginuid);
435
393
break;
436
394
case AUDIT_USER:
437
-
ab = audit_log_start(NULL);
395
+
case AUDIT_FIRST_USER_MSG...AUDIT_LAST_USER_MSG:
396
+
ab = audit_log_start(NULL, msg_type);
438
397
if (!ab)
439
398
break; /* audit_panic has been called */
440
399
audit_log_format(ab,
441
-
"user pid=%d uid=%d length=%d loginuid=%u"
400
+
"user pid=%d uid=%u auid=%u"
442
401
" msg='%.1024s'",
443
-
pid, uid,
444
-
(int)(nlh->nlmsg_len
445
-
- ((char *)data - (char *)nlh)),
446
-
loginuid, (char *)data);
447
-
ab->type = AUDIT_USER;
448
-
ab->pid = pid;
402
+
pid, uid, loginuid, (char *)data);
403
+
audit_set_pid(ab, pid);
449
404
audit_log_end(ab);
450
405
break;
451
406
case AUDIT_ADD:
···
451
412
return -EINVAL;
452
413
/* fallthrough */
453
414
case AUDIT_LIST:
454
-
#ifdef CONFIG_AUDITSYSCALL
455
415
err = audit_receive_filter(nlh->nlmsg_type, NETLINK_CB(skb).pid,
456
416
uid, seq, data, loginuid);
457
-
#else
458
-
err = -EOPNOTSUPP;
459
-
#endif
417
+
break;
418
+
case AUDIT_SIGNAL_INFO:
419
+
sig_data.uid = audit_sig_uid;
420
+
sig_data.pid = audit_sig_pid;
421
+
audit_send_reply(NETLINK_CB(skb).pid, seq, AUDIT_SIGNAL_INFO,
422
+
0, 0, &sig_data, sizeof(sig_data));
460
423
break;
461
424
default:
462
425
err = -EINVAL;
···
508
467
up(&audit_netlink_sem);
509
468
}
510
469
511
-
/* Move data from tmp buffer into an skb. This is an extra copy, and
512
-
* that is unfortunate. However, the copy will only occur when a record
513
-
* is being written to user space, which is already a high-overhead
514
-
* operation. (Elimination of the copy is possible, for example, by
515
-
* writing directly into a pre-allocated skb, at the cost of wasting
516
-
* memory. */
517
-
static void audit_log_move(struct audit_buffer *ab)
518
-
{
519
-
struct sk_buff *skb;
520
-
char *start;
521
-
int extra = ab->nlh ? 0 : NLMSG_SPACE(0);
522
-
523
-
/* possible resubmission */
524
-
if (ab->len == 0)
525
-
return;
526
-
527
-
skb = skb_peek_tail(&ab->sklist);
528
-
if (!skb || skb_tailroom(skb) <= ab->len + extra) {
529
-
skb = alloc_skb(2 * ab->len + extra, GFP_ATOMIC);
530
-
if (!skb) {
531
-
ab->len = 0; /* Lose information in ab->tmp */
532
-
audit_log_lost("out of memory in audit_log_move");
533
-
return;
534
-
}
535
-
__skb_queue_tail(&ab->sklist, skb);
536
-
if (!ab->nlh)
537
-
ab->nlh = (struct nlmsghdr *)skb_put(skb,
538
-
NLMSG_SPACE(0));
539
-
}
540
-
start = skb_put(skb, ab->len);
541
-
memcpy(start, ab->tmp, ab->len);
542
-
ab->len = 0;
543
-
}
544
-
545
-
/* Iterate over the skbuff in the audit_buffer, sending their contents
546
-
* to user space. */
547
-
static inline int audit_log_drain(struct audit_buffer *ab)
548
-
{
549
-
struct sk_buff *skb;
550
-
551
-
while ((skb = skb_dequeue(&ab->sklist))) {
552
-
int retval = 0;
553
-
554
-
if (audit_pid) {
555
-
if (ab->nlh) {
556
-
ab->nlh->nlmsg_len = ab->total;
557
-
ab->nlh->nlmsg_type = ab->type;
558
-
ab->nlh->nlmsg_flags = 0;
559
-
ab->nlh->nlmsg_seq = 0;
560
-
ab->nlh->nlmsg_pid = ab->pid;
561
-
}
562
-
skb_get(skb); /* because netlink_* frees */
563
-
retval = netlink_unicast(audit_sock, skb, audit_pid,
564
-
MSG_DONTWAIT);
565
-
}
566
-
if (retval == -EAGAIN &&
567
-
(atomic_read(&audit_backlog)) < audit_backlog_limit) {
568
-
skb_queue_head(&ab->sklist, skb);
569
-
audit_log_end_irq(ab);
570
-
return 1;
571
-
}
572
-
if (retval < 0) {
573
-
if (retval == -ECONNREFUSED) {
574
-
printk(KERN_ERR
575
-
"audit: *NO* daemon at audit_pid=%d\n",
576
-
audit_pid);
577
-
audit_pid = 0;
578
-
} else
579
-
audit_log_lost("netlink socket too busy");
580
-
}
581
-
if (!audit_pid) { /* No daemon */
582
-
int offset = ab->nlh ? NLMSG_SPACE(0) : 0;
583
-
int len = skb->len - offset;
584
-
skb->data[offset + len] = '\0';
585
-
printk(KERN_ERR "%s\n", skb->data + offset);
586
-
}
587
-
kfree_skb(skb);
588
-
ab->nlh = NULL;
589
-
}
590
-
return 0;
591
-
}
592
470
593
471
/* Initialize audit support at boot time. */
594
472
static int __init audit_init(void)
···
518
558
if (!audit_sock)
519
559
audit_panic("cannot initialize netlink socket");
520
560
561
+
audit_sock->sk_sndtimeo = MAX_SCHEDULE_TIMEOUT;
562
+
skb_queue_head_init(&audit_skb_queue);
521
563
audit_initialized = 1;
522
564
audit_enabled = audit_default;
523
-
audit_log(NULL, "initialized");
565
+
audit_log(NULL, AUDIT_KERNEL, "initialized");
524
566
return 0;
525
567
}
526
-
527
-
#else
528
-
/* Without CONFIG_NET, we have no skbuffs. For now, print what we have
529
-
* in the buffer. */
530
-
static void audit_log_move(struct audit_buffer *ab)
531
-
{
532
-
printk(KERN_ERR "%*.*s\n", ab->len, ab->len, ab->tmp);
533
-
ab->len = 0;
534
-
}
535
-
536
-
static inline int audit_log_drain(struct audit_buffer *ab)
537
-
{
538
-
return 0;
539
-
}
540
-
541
-
/* Initialize audit support at boot time. */
542
-
int __init audit_init(void)
543
-
{
544
-
printk(KERN_INFO "audit: initializing WITHOUT netlink support\n");
545
-
audit_sock = NULL;
546
-
audit_pid = 0;
547
-
548
-
audit_initialized = 1;
549
-
audit_enabled = audit_default;
550
-
audit_log(NULL, "initialized");
551
-
return 0;
552
-
}
553
-
#endif
554
-
555
568
__initcall(audit_init);
556
569
557
570
/* Process kernel command-line parameter at boot time. audit=0 or audit=1. */
···
541
608
542
609
__setup("audit=", audit_enable);
543
610
544
-
545
-
/* Obtain an audit buffer. This routine does locking to obtain the
546
-
* audit buffer, but then no locking is required for calls to
547
-
* audit_log_*format. If the tsk is a task that is currently in a
548
-
* syscall, then the syscall is marked as auditable and an audit record
549
-
* will be written at syscall exit. If there is no associated task, tsk
550
-
* should be NULL. */
551
-
struct audit_buffer *audit_log_start(struct audit_context *ctx)
611
+
static void audit_buffer_free(struct audit_buffer *ab)
552
612
{
553
-
struct audit_buffer *ab = NULL;
554
-
unsigned long flags;
555
-
struct timespec t;
556
-
unsigned int serial;
613
+
unsigned long flags;
557
614
558
-
if (!audit_initialized)
559
-
return NULL;
615
+
if (!ab)
616
+
return;
560
617
561
-
if (audit_backlog_limit
562
-
&& atomic_read(&audit_backlog) > audit_backlog_limit) {
563
-
if (audit_rate_check())
564
-
printk(KERN_WARNING
565
-
"audit: audit_backlog=%d > "
566
-
"audit_backlog_limit=%d\n",
567
-
atomic_read(&audit_backlog),
568
-
audit_backlog_limit);
569
-
audit_log_lost("backlog limit exceeded");
570
-
return NULL;
571
-
}
618
+
if (ab->skb)
619
+
kfree_skb(ab->skb);
620
+
621
+
spin_lock_irqsave(&audit_freelist_lock, flags);
622
+
if (++audit_freelist_count > AUDIT_MAXFREE)
623
+
kfree(ab);
624
+
else
625
+
list_add(&ab->list, &audit_freelist);
626
+
spin_unlock_irqrestore(&audit_freelist_lock, flags);
627
+
}
628
+
629
+
static struct audit_buffer * audit_buffer_alloc(struct audit_context *ctx,
630
+
int gfp_mask, int type)
631
+
{
632
+
unsigned long flags;
633
+
struct audit_buffer *ab = NULL;
634
+
struct nlmsghdr *nlh;
572
635
573
636
spin_lock_irqsave(&audit_freelist_lock, flags);
574
637
if (!list_empty(&audit_freelist)) {
···
575
646
}
576
647
spin_unlock_irqrestore(&audit_freelist_lock, flags);
577
648
578
-
if (!ab)
579
-
ab = kmalloc(sizeof(*ab), GFP_ATOMIC);
649
+
if (!ab) {
650
+
ab = kmalloc(sizeof(*ab), gfp_mask);
651
+
if (!ab)
652
+
goto err;
653
+
}
654
+
655
+
ab->skb = alloc_skb(AUDIT_BUFSIZ, gfp_mask);
656
+
if (!ab->skb)
657
+
goto err;
658
+
659
+
ab->ctx = ctx;
660
+
nlh = (struct nlmsghdr *)skb_put(ab->skb, NLMSG_SPACE(0));
661
+
nlh->nlmsg_type = type;
662
+
nlh->nlmsg_flags = 0;
663
+
nlh->nlmsg_pid = 0;
664
+
nlh->nlmsg_seq = 0;
665
+
return ab;
666
+
err:
667
+
audit_buffer_free(ab);
668
+
return NULL;
669
+
}
670
+
671
+
/* Compute a serial number for the audit record. Audit records are
672
+
* written to user-space as soon as they are generated, so a complete
673
+
* audit record may be written in several pieces. The timestamp of the
674
+
* record and this serial number are used by the user-space tools to
675
+
* determine which pieces belong to the same audit record. The
676
+
* (timestamp,serial) tuple is unique for each syscall and is live from
677
+
* syscall entry to syscall exit.
678
+
*
679
+
* Atomic values are only guaranteed to be 24-bit, so we count down.
680
+
*
681
+
* NOTE: Another possibility is to store the formatted records off the
682
+
* audit context (for those records that have a context), and emit them
683
+
* all at syscall exit. However, this could delay the reporting of
684
+
* significant errors until syscall exit (or never, if the system
685
+
* halts). */
686
+
unsigned int audit_serial(void)
687
+
{
688
+
static atomic_t serial = ATOMIC_INIT(0xffffff);
689
+
unsigned int a, b;
690
+
691
+
do {
692
+
a = atomic_read(&serial);
693
+
if (atomic_dec_and_test(&serial))
694
+
atomic_set(&serial, 0xffffff);
695
+
b = atomic_read(&serial);
696
+
} while (b != a - 1);
697
+
698
+
return 0xffffff - b;
699
+
}
700
+
701
+
static inline void audit_get_stamp(struct audit_context *ctx,
702
+
struct timespec *t, unsigned int *serial)
703
+
{
704
+
if (ctx)
705
+
auditsc_get_stamp(ctx, t, serial);
706
+
else {
707
+
*t = CURRENT_TIME;
708
+
*serial = audit_serial();
709
+
}
710
+
}
711
+
712
+
/* Obtain an audit buffer. This routine does locking to obtain the
713
+
* audit buffer, but then no locking is required for calls to
714
+
* audit_log_*format. If the tsk is a task that is currently in a
715
+
* syscall, then the syscall is marked as auditable and an audit record
716
+
* will be written at syscall exit. If there is no associated task, tsk
717
+
* should be NULL. */
718
+
struct audit_buffer *audit_log_start(struct audit_context *ctx, int type)
719
+
{
720
+
struct audit_buffer *ab = NULL;
721
+
struct timespec t;
722
+
unsigned int serial;
723
+
724
+
if (!audit_initialized)
725
+
return NULL;
726
+
727
+
if (audit_backlog_limit
728
+
&& skb_queue_len(&audit_skb_queue) > audit_backlog_limit) {
729
+
if (audit_rate_check())
730
+
printk(KERN_WARNING
731
+
"audit: audit_backlog=%d > "
732
+
"audit_backlog_limit=%d\n",
733
+
skb_queue_len(&audit_skb_queue),
734
+
audit_backlog_limit);
735
+
audit_log_lost("backlog limit exceeded");
736
+
return NULL;
737
+
}
738
+
739
+
ab = audit_buffer_alloc(ctx, GFP_ATOMIC, type);
580
740
if (!ab) {
581
741
audit_log_lost("out of memory in audit_log_start");
582
742
return NULL;
583
743
}
584
744
585
-
atomic_inc(&audit_backlog);
586
-
skb_queue_head_init(&ab->sklist);
745
+
audit_get_stamp(ab->ctx, &t, &serial);
587
746
588
-
ab->ctx = ctx;
589
-
ab->len = 0;
590
-
ab->nlh = NULL;
591
-
ab->total = 0;
592
-
ab->type = AUDIT_KERNEL;
593
-
ab->pid = 0;
594
-
595
-
#ifdef CONFIG_AUDITSYSCALL
596
-
if (ab->ctx)
597
-
audit_get_stamp(ab->ctx, &t, &serial);
598
-
else
599
-
#endif
600
-
{
601
-
t = CURRENT_TIME;
602
-
serial = 0;
603
-
}
604
747
audit_log_format(ab, "audit(%lu.%03lu:%u): ",
605
748
t.tv_sec, t.tv_nsec/1000000, serial);
606
749
return ab;
607
750
}
608
751
752
+
/**
753
+
* audit_expand - expand skb in the audit buffer
754
+
* @ab: audit_buffer
755
+
*
756
+
* Returns 0 (no space) on failed expansion, or available space if
757
+
* successful.
758
+
*/
759
+
static inline int audit_expand(struct audit_buffer *ab, int extra)
760
+
{
761
+
struct sk_buff *skb = ab->skb;
762
+
int ret = pskb_expand_head(skb, skb_headroom(skb), extra,
763
+
GFP_ATOMIC);
764
+
if (ret < 0) {
765
+
audit_log_lost("out of memory in audit_expand");
766
+
return 0;
767
+
}
768
+
return skb_tailroom(skb);
769
+
}
609
770
610
771
/* Format an audit message into the audit buffer. If there isn't enough
611
772
* room in the audit buffer, more room will be allocated and vsnprint
···
705
686
va_list args)
706
687
{
707
688
int len, avail;
689
+
struct sk_buff *skb;
690
+
va_list args2;
708
691
709
692
if (!ab)
710
693
return;
711
694
712
-
avail = sizeof(ab->tmp) - ab->len;
713
-
if (avail <= 0) {
714
-
audit_log_move(ab);
715
-
avail = sizeof(ab->tmp) - ab->len;
695
+
BUG_ON(!ab->skb);
696
+
skb = ab->skb;
697
+
avail = skb_tailroom(skb);
698
+
if (avail == 0) {
699
+
avail = audit_expand(ab, AUDIT_BUFSIZ);
700
+
if (!avail)
701
+
goto out;
716
702
}
717
-
len = vsnprintf(ab->tmp + ab->len, avail, fmt, args);
703
+
va_copy(args2, args);
704
+
len = vsnprintf(skb->tail, avail, fmt, args);
718
705
if (len >= avail) {
719
706
/* The printk buffer is 1024 bytes long, so if we get
720
707
* here and AUDIT_BUFSIZ is at least 1024, then we can
721
708
* log everything that printk could have logged. */
722
-
audit_log_move(ab);
723
-
avail = sizeof(ab->tmp) - ab->len;
724
-
len = vsnprintf(ab->tmp + ab->len, avail, fmt, args);
709
+
avail = audit_expand(ab, max_t(unsigned, AUDIT_BUFSIZ, 1+len-avail));
710
+
if (!avail)
711
+
goto out;
712
+
len = vsnprintf(skb->tail, avail, fmt, args2);
725
713
}
726
-
ab->len += (len < avail) ? len : avail;
727
-
ab->total += (len < avail) ? len : avail;
714
+
if (len > 0)
715
+
skb_put(skb, len);
716
+
out:
717
+
return;
728
718
}
729
719
730
720
/* Format a message into the audit buffer. All the work is done in
···
749
721
va_end(args);
750
722
}
751
723
752
-
void audit_log_hex(struct audit_buffer *ab, const unsigned char *buf, size_t len)
724
+
/* This function will take the passed buf and convert it into a string of
725
+
* ascii hex digits. The new string is placed onto the skb. */
726
+
void audit_log_hex(struct audit_buffer *ab, const unsigned char *buf,
727
+
size_t len)
753
728
{
754
-
int i;
729
+
int i, avail, new_len;
730
+
unsigned char *ptr;
731
+
struct sk_buff *skb;
732
+
static const unsigned char *hex = "0123456789ABCDEF";
755
733
756
-
for (i=0; i<len; i++)
757
-
audit_log_format(ab, "%02x", buf[i]);
734
+
BUG_ON(!ab->skb);
735
+
skb = ab->skb;
736
+
avail = skb_tailroom(skb);
737
+
new_len = len<<1;
738
+
if (new_len >= avail) {
739
+
/* Round the buffer request up to the next multiple */
740
+
new_len = AUDIT_BUFSIZ*(((new_len-avail)/AUDIT_BUFSIZ) + 1);
741
+
avail = audit_expand(ab, new_len);
742
+
if (!avail)
743
+
return;
744
+
}
745
+
746
+
ptr = skb->tail;
747
+
for (i=0; i<len; i++) {
748
+
*ptr++ = hex[(buf[i] & 0xF0)>>4]; /* Upper nibble */
749
+
*ptr++ = hex[buf[i] & 0x0F]; /* Lower nibble */
750
+
}
751
+
*ptr = 0;
752
+
skb_put(skb, len << 1); /* new string is twice the old string */
758
753
}
759
754
755
+
/* This code will escape a string that is passed to it if the string
756
+
* contains a control character, unprintable character, double quote mark,
757
+
* or a space. Unescaped strings will start and end with a double quote mark.
758
+
* Strings that are escaped are printed in hex (2 digits per char). */
760
759
void audit_log_untrustedstring(struct audit_buffer *ab, const char *string)
761
760
{
762
761
const unsigned char *p = string;
763
762
764
763
while (*p) {
765
-
if (*p == '"' || *p == ' ' || *p < 0x20 || *p > 0x7f) {
764
+
if (*p == '"' || *p < 0x21 || *p > 0x7f) {
766
765
audit_log_hex(ab, string, strlen(string));
767
766
return;
768
767
}
···
798
743
audit_log_format(ab, "\"%s\"", string);
799
744
}
800
745
801
-
802
-
/* This is a helper-function to print the d_path without using a static
803
-
* buffer or allocating another buffer in addition to the one in
804
-
* audit_buffer. */
746
+
/* This is a helper-function to print the escaped d_path */
805
747
void audit_log_d_path(struct audit_buffer *ab, const char *prefix,
806
748
struct dentry *dentry, struct vfsmount *vfsmnt)
807
749
{
808
-
char *p;
809
-
int len, avail;
750
+
char *p, *path;
810
751
811
-
if (prefix) audit_log_format(ab, " %s", prefix);
752
+
if (prefix)
753
+
audit_log_format(ab, " %s", prefix);
812
754
813
-
if (ab->len > 128)
814
-
audit_log_move(ab);
815
-
avail = sizeof(ab->tmp) - ab->len;
816
-
p = d_path(dentry, vfsmnt, ab->tmp + ab->len, avail);
817
-
if (IS_ERR(p)) {
755
+
/* We will allow 11 spaces for ' (deleted)' to be appended */
756
+
path = kmalloc(PATH_MAX+11, GFP_KERNEL);
757
+
if (!path) {
758
+
audit_log_format(ab, "<no memory>");
759
+
return;
760
+
}
761
+
p = d_path(dentry, vfsmnt, path, PATH_MAX+11);
762
+
if (IS_ERR(p)) { /* Should never happen since we send PATH_MAX */
818
763
/* FIXME: can we save some information here? */
819
-
audit_log_format(ab, "<toolong>");
820
-
} else {
821
-
/* path isn't at start of buffer */
822
-
len = (ab->tmp + sizeof(ab->tmp) - 1) - p;
823
-
memmove(ab->tmp + ab->len, p, len);
824
-
ab->len += len;
825
-
ab->total += len;
826
-
}
764
+
audit_log_format(ab, "<too long>");
765
+
} else
766
+
audit_log_untrustedstring(ab, p);
767
+
kfree(path);
827
768
}
828
-
829
-
/* Remove queued messages from the audit_txlist and send them to userspace. */
830
-
static void audit_tasklet_handler(unsigned long arg)
831
-
{
832
-
LIST_HEAD(list);
833
-
struct audit_buffer *ab;
834
-
unsigned long flags;
835
-
836
-
spin_lock_irqsave(&audit_txlist_lock, flags);
837
-
list_splice_init(&audit_txlist, &list);
838
-
spin_unlock_irqrestore(&audit_txlist_lock, flags);
839
-
840
-
while (!list_empty(&list)) {
841
-
ab = list_entry(list.next, struct audit_buffer, list);
842
-
list_del(&ab->list);
843
-
audit_log_end_fast(ab);
844
-
}
845
-
}
846
-
847
-
static DECLARE_TASKLET(audit_tasklet, audit_tasklet_handler, 0);
848
769
849
770
/* The netlink_* functions cannot be called inside an irq context, so
850
771
* the audit buffer is places on a queue and a tasklet is scheduled to
851
772
* remove them from the queue outside the irq context. May be called in
852
773
* any context. */
853
-
static void audit_log_end_irq(struct audit_buffer *ab)
774
+
void audit_log_end(struct audit_buffer *ab)
854
775
{
855
-
unsigned long flags;
856
-
857
-
if (!ab)
858
-
return;
859
-
spin_lock_irqsave(&audit_txlist_lock, flags);
860
-
list_add_tail(&ab->list, &audit_txlist);
861
-
spin_unlock_irqrestore(&audit_txlist_lock, flags);
862
-
863
-
tasklet_schedule(&audit_tasklet);
864
-
}
865
-
866
-
/* Send the message in the audit buffer directly to user space. May not
867
-
* be called in an irq context. */
868
-
static void audit_log_end_fast(struct audit_buffer *ab)
869
-
{
870
-
unsigned long flags;
871
-
872
-
BUG_ON(in_irq());
873
776
if (!ab)
874
777
return;
875
778
if (!audit_rate_check()) {
876
779
audit_log_lost("rate limit exceeded");
877
780
} else {
878
-
audit_log_move(ab);
879
-
if (audit_log_drain(ab))
880
-
return;
781
+
if (audit_pid) {
782
+
struct nlmsghdr *nlh = (struct nlmsghdr *)ab->skb->data;
783
+
nlh->nlmsg_len = ab->skb->len - NLMSG_SPACE(0);
784
+
skb_queue_tail(&audit_skb_queue, ab->skb);
785
+
ab->skb = NULL;
786
+
wake_up_interruptible(&kauditd_wait);
787
+
} else {
788
+
printk("%s\n", ab->skb->data + NLMSG_SPACE(0));
789
+
}
881
790
}
882
-
883
-
atomic_dec(&audit_backlog);
884
-
spin_lock_irqsave(&audit_freelist_lock, flags);
885
-
if (++audit_freelist_count > AUDIT_MAXFREE)
886
-
kfree(ab);
887
-
else
888
-
list_add(&ab->list, &audit_freelist);
889
-
spin_unlock_irqrestore(&audit_freelist_lock, flags);
890
-
}
891
-
892
-
/* Send or queue the message in the audit buffer, depending on the
893
-
* current context. (A convenience function that may be called in any
894
-
* context.) */
895
-
void audit_log_end(struct audit_buffer *ab)
896
-
{
897
-
if (in_irq())
898
-
audit_log_end_irq(ab);
899
-
else
900
-
audit_log_end_fast(ab);
791
+
audit_buffer_free(ab);
901
792
}
902
793
903
794
/* Log an audit record. This is a convenience function that calls
904
795
* audit_log_start, audit_log_vformat, and audit_log_end. It may be
905
796
* called in any context. */
906
-
void audit_log(struct audit_context *ctx, const char *fmt, ...)
797
+
void audit_log(struct audit_context *ctx, int type, const char *fmt, ...)
907
798
{
908
799
struct audit_buffer *ab;
909
800
va_list args;
910
801
911
-
ab = audit_log_start(ctx);
802
+
ab = audit_log_start(ctx, type);
912
803
if (ab) {
913
804
va_start(args, fmt);
914
805
audit_log_vformat(ab, fmt, args);
+184
-75
kernel/auditsc.c
+184
-75
kernel/auditsc.c
···
34
34
#include <asm/types.h>
35
35
#include <linux/mm.h>
36
36
#include <linux/module.h>
37
-
37
+
#include <linux/mount.h>
38
+
#include <linux/socket.h>
38
39
#include <linux/audit.h>
39
40
#include <linux/personality.h>
40
41
#include <linux/time.h>
···
113
112
mode_t mode;
114
113
};
115
114
115
+
struct audit_aux_data_socketcall {
116
+
struct audit_aux_data d;
117
+
int nargs;
118
+
unsigned long args[0];
119
+
};
120
+
121
+
struct audit_aux_data_sockaddr {
122
+
struct audit_aux_data d;
123
+
int len;
124
+
char a[0];
125
+
};
126
+
127
+
struct audit_aux_data_path {
128
+
struct audit_aux_data d;
129
+
struct dentry *dentry;
130
+
struct vfsmount *mnt;
131
+
};
116
132
117
133
/* The per-task audit context. */
118
134
struct audit_context {
···
145
127
int auditable; /* 1 if record should be written */
146
128
int name_count;
147
129
struct audit_names names[AUDIT_NAMES];
130
+
struct dentry * pwd;
131
+
struct vfsmount * pwdmnt;
148
132
struct audit_context *previous; /* For nested syscalls */
149
133
struct audit_aux_data *aux;
150
134
···
176
156
struct rcu_head rcu;
177
157
struct audit_rule rule;
178
158
};
159
+
160
+
extern int audit_pid;
179
161
180
162
/* Check to see if two rules are identical. It is called from
181
163
* audit_del_rule during AUDIT_DEL. */
···
248
226
return -EFAULT; /* No matching rule */
249
227
}
250
228
251
-
#ifdef CONFIG_NET
252
229
/* Copy rule from user-space to kernel-space. Called during
253
230
* AUDIT_ADD. */
254
231
static int audit_copy_rule(struct audit_rule *d, struct audit_rule *s)
···
308
287
err = audit_add_rule(entry, &audit_entlist);
309
288
if (!err && (flags & AUDIT_AT_EXIT))
310
289
err = audit_add_rule(entry, &audit_extlist);
311
-
audit_log(NULL, "auid %u added an audit rule\n", loginuid);
290
+
audit_log(NULL, AUDIT_CONFIG_CHANGE,
291
+
"auid=%u added an audit rule\n", loginuid);
312
292
break;
313
293
case AUDIT_DEL:
314
294
flags =((struct audit_rule *)data)->flags;
···
319
297
err = audit_del_rule(data, &audit_entlist);
320
298
if (!err && (flags & AUDIT_AT_EXIT))
321
299
err = audit_del_rule(data, &audit_extlist);
322
-
audit_log(NULL, "auid %u removed an audit rule\n", loginuid);
300
+
audit_log(NULL, AUDIT_CONFIG_CHANGE,
301
+
"auid=%u removed an audit rule\n", loginuid);
323
302
break;
324
303
default:
325
304
return -EINVAL;
···
328
305
329
306
return err;
330
307
}
331
-
#endif
332
308
333
309
/* Compare a task_struct with an audit_rule. Return 1 on match, 0
334
310
* otherwise. */
···
466
444
467
445
/* At syscall entry and exit time, this filter is called if the
468
446
* audit_state is not low enough that auditing cannot take place, but is
469
-
* also not high enough that we already know we have to write and audit
447
+
* also not high enough that we already know we have to write an audit
470
448
* record (i.e., the state is AUDIT_SETUP_CONTEXT or AUDIT_BUILD_CONTEXT).
471
449
*/
472
450
static enum audit_state audit_filter_syscall(struct task_struct *tsk,
···
554
532
if (context->names[i].name)
555
533
__putname(context->names[i].name);
556
534
context->name_count = 0;
535
+
if (context->pwd)
536
+
dput(context->pwd);
537
+
if (context->pwdmnt)
538
+
mntput(context->pwdmnt);
539
+
context->pwd = NULL;
540
+
context->pwdmnt = NULL;
557
541
}
558
542
559
543
static inline void audit_free_aux(struct audit_context *context)
···
567
539
struct audit_aux_data *aux;
568
540
569
541
while ((aux = context->aux)) {
542
+
if (aux->type == AUDIT_AVC_PATH) {
543
+
struct audit_aux_data_path *axi = (void *)aux;
544
+
dput(axi->dentry);
545
+
mntput(axi->mnt);
546
+
}
570
547
context->aux = aux->next;
571
548
kfree(aux);
572
549
}
···
658
625
struct vm_area_struct *vma;
659
626
660
627
get_task_comm(name, current);
661
-
audit_log_format(ab, " comm=%s", name);
628
+
audit_log_format(ab, " comm=");
629
+
audit_log_untrustedstring(ab, name);
662
630
663
631
if (!mm)
664
632
return;
···
683
649
{
684
650
int i;
685
651
struct audit_buffer *ab;
652
+
struct audit_aux_data *aux;
686
653
687
-
ab = audit_log_start(context);
654
+
ab = audit_log_start(context, AUDIT_SYSCALL);
688
655
if (!ab)
689
656
return; /* audit_panic has been called */
690
-
audit_log_format(ab, "syscall=%d", context->major);
657
+
audit_log_format(ab, "arch=%x syscall=%d",
658
+
context->arch, context->major);
691
659
if (context->personality != PER_LINUX)
692
660
audit_log_format(ab, " per=%lx", context->personality);
693
-
audit_log_format(ab, " arch=%x", context->arch);
694
661
if (context->return_valid)
695
662
audit_log_format(ab, " success=%s exit=%ld",
696
663
(context->return_valid==AUDITSC_SUCCESS)?"yes":"no",
697
664
context->return_code);
698
665
audit_log_format(ab,
699
666
" a0=%lx a1=%lx a2=%lx a3=%lx items=%d"
700
-
" pid=%d loginuid=%d uid=%d gid=%d"
701
-
" euid=%d suid=%d fsuid=%d"
702
-
" egid=%d sgid=%d fsgid=%d",
667
+
" pid=%d auid=%u uid=%u gid=%u"
668
+
" euid=%u suid=%u fsuid=%u"
669
+
" egid=%u sgid=%u fsgid=%u",
703
670
context->argv[0],
704
671
context->argv[1],
705
672
context->argv[2],
···
714
679
context->egid, context->sgid, context->fsgid);
715
680
audit_log_task_info(ab);
716
681
audit_log_end(ab);
717
-
while (context->aux) {
718
-
struct audit_aux_data *aux;
719
682
720
-
ab = audit_log_start(context);
683
+
for (aux = context->aux; aux; aux = aux->next) {
684
+
685
+
ab = audit_log_start(context, aux->type);
721
686
if (!ab)
722
687
continue; /* audit_panic has been called */
723
688
724
-
aux = context->aux;
725
-
context->aux = aux->next;
726
-
727
-
audit_log_format(ab, "auxitem=%d", aux->type);
728
689
switch (aux->type) {
729
-
case AUDIT_AUX_IPCPERM: {
690
+
case AUDIT_IPC: {
730
691
struct audit_aux_data_ipcctl *axi = (void *)aux;
731
692
audit_log_format(ab,
732
-
" qbytes=%lx uid=%d gid=%d mode=%x",
693
+
" qbytes=%lx iuid=%u igid=%u mode=%x",
733
694
axi->qbytes, axi->uid, axi->gid, axi->mode);
734
-
}
695
+
break; }
696
+
697
+
case AUDIT_SOCKETCALL: {
698
+
int i;
699
+
struct audit_aux_data_socketcall *axs = (void *)aux;
700
+
audit_log_format(ab, "nargs=%d", axs->nargs);
701
+
for (i=0; i<axs->nargs; i++)
702
+
audit_log_format(ab, " a%d=%lx", i, axs->args[i]);
703
+
break; }
704
+
705
+
case AUDIT_SOCKADDR: {
706
+
struct audit_aux_data_sockaddr *axs = (void *)aux;
707
+
708
+
audit_log_format(ab, "saddr=");
709
+
audit_log_hex(ab, axs->a, axs->len);
710
+
break; }
711
+
712
+
case AUDIT_AVC_PATH: {
713
+
struct audit_aux_data_path *axi = (void *)aux;
714
+
audit_log_d_path(ab, "path=", axi->dentry, axi->mnt);
715
+
break; }
716
+
735
717
}
736
718
audit_log_end(ab);
737
-
kfree(aux);
738
719
}
739
720
721
+
if (context->pwd && context->pwdmnt) {
722
+
ab = audit_log_start(context, AUDIT_CWD);
723
+
if (ab) {
724
+
audit_log_d_path(ab, "cwd=", context->pwd, context->pwdmnt);
725
+
audit_log_end(ab);
726
+
}
727
+
}
740
728
for (i = 0; i < context->name_count; i++) {
741
-
ab = audit_log_start(context);
729
+
ab = audit_log_start(context, AUDIT_PATH);
742
730
if (!ab)
743
731
continue; /* audit_panic has been called */
732
+
744
733
audit_log_format(ab, "item=%d", i);
745
734
if (context->names[i].name) {
746
735
audit_log_format(ab, " name=");
···
772
713
}
773
714
if (context->names[i].ino != (unsigned long)-1)
774
715
audit_log_format(ab, " inode=%lu dev=%02x:%02x mode=%#o"
775
-
" uid=%d gid=%d rdev=%02x:%02x",
716
+
" ouid=%u ogid=%u rdev=%02x:%02x",
776
717
context->names[i].ino,
777
718
MAJOR(context->names[i].dev),
778
719
MINOR(context->names[i].dev),
···
800
741
801
742
/* Check for system calls that do not go through the exit
802
743
* function (e.g., exit_group), then free context block. */
803
-
if (context->in_syscall && context->auditable)
744
+
if (context->in_syscall && context->auditable && context->pid != audit_pid)
804
745
audit_log_exit(context);
805
746
806
747
audit_free_context(context);
807
-
}
808
-
809
-
/* Compute a serial number for the audit record. Audit records are
810
-
* written to user-space as soon as they are generated, so a complete
811
-
* audit record may be written in several pieces. The timestamp of the
812
-
* record and this serial number are used by the user-space daemon to
813
-
* determine which pieces belong to the same audit record. The
814
-
* (timestamp,serial) tuple is unique for each syscall and is live from
815
-
* syscall entry to syscall exit.
816
-
*
817
-
* Atomic values are only guaranteed to be 24-bit, so we count down.
818
-
*
819
-
* NOTE: Another possibility is to store the formatted records off the
820
-
* audit context (for those records that have a context), and emit them
821
-
* all at syscall exit. However, this could delay the reporting of
822
-
* significant errors until syscall exit (or never, if the system
823
-
* halts). */
824
-
static inline unsigned int audit_serial(void)
825
-
{
826
-
static atomic_t serial = ATOMIC_INIT(0xffffff);
827
-
unsigned int a, b;
828
-
829
-
do {
830
-
a = atomic_read(&serial);
831
-
if (atomic_dec_and_test(&serial))
832
-
atomic_set(&serial, 0xffffff);
833
-
b = atomic_read(&serial);
834
-
} while (b != a - 1);
835
-
836
-
return 0xffffff - b;
837
748
}
838
749
839
750
/* Fill in audit context at syscall entry. This only happens if the
···
905
876
if (likely(!context))
906
877
return;
907
878
908
-
if (context->in_syscall && context->auditable)
879
+
if (context->in_syscall && context->auditable && context->pid != audit_pid)
909
880
audit_log_exit(context);
910
881
911
882
context->in_syscall = 0;
···
945
916
context->names[context->name_count].name = name;
946
917
context->names[context->name_count].ino = (unsigned long)-1;
947
918
++context->name_count;
919
+
if (!context->pwd) {
920
+
read_lock(¤t->fs->lock);
921
+
context->pwd = dget(current->fs->pwd);
922
+
context->pwdmnt = mntget(current->fs->pwdmnt);
923
+
read_unlock(¤t->fs->lock);
924
+
}
925
+
948
926
}
949
927
950
928
/* Intercept a putname request. Called from
···
1030
994
context->names[idx].rdev = inode->i_rdev;
1031
995
}
1032
996
1033
-
void audit_get_stamp(struct audit_context *ctx,
1034
-
struct timespec *t, unsigned int *serial)
997
+
void auditsc_get_stamp(struct audit_context *ctx,
998
+
struct timespec *t, unsigned int *serial)
1035
999
{
1036
-
if (ctx) {
1037
-
t->tv_sec = ctx->ctime.tv_sec;
1038
-
t->tv_nsec = ctx->ctime.tv_nsec;
1039
-
*serial = ctx->serial;
1040
-
ctx->auditable = 1;
1041
-
} else {
1042
-
*t = CURRENT_TIME;
1043
-
*serial = 0;
1044
-
}
1000
+
t->tv_sec = ctx->ctime.tv_sec;
1001
+
t->tv_nsec = ctx->ctime.tv_nsec;
1002
+
*serial = ctx->serial;
1003
+
ctx->auditable = 1;
1045
1004
}
1046
-
1047
-
extern int audit_set_type(struct audit_buffer *ab, int type);
1048
1005
1049
1006
int audit_set_loginuid(struct task_struct *task, uid_t loginuid)
1050
1007
{
1051
1008
if (task->audit_context) {
1052
1009
struct audit_buffer *ab;
1053
1010
1054
-
ab = audit_log_start(NULL);
1011
+
ab = audit_log_start(NULL, AUDIT_LOGIN);
1055
1012
if (ab) {
1056
1013
audit_log_format(ab, "login pid=%d uid=%u "
1057
-
"old loginuid=%u new loginuid=%u",
1014
+
"old auid=%u new auid=%u",
1058
1015
task->pid, task->uid,
1059
1016
task->audit_context->loginuid, loginuid);
1060
-
audit_set_type(ab, AUDIT_LOGIN);
1061
1017
audit_log_end(ab);
1062
1018
}
1063
1019
task->audit_context->loginuid = loginuid;
···
1079
1051
ax->gid = gid;
1080
1052
ax->mode = mode;
1081
1053
1082
-
ax->d.type = AUDIT_AUX_IPCPERM;
1054
+
ax->d.type = AUDIT_IPC;
1083
1055
ax->d.next = context->aux;
1084
1056
context->aux = (void *)ax;
1085
1057
return 0;
1086
1058
}
1059
+
1060
+
int audit_socketcall(int nargs, unsigned long *args)
1061
+
{
1062
+
struct audit_aux_data_socketcall *ax;
1063
+
struct audit_context *context = current->audit_context;
1064
+
1065
+
if (likely(!context))
1066
+
return 0;
1067
+
1068
+
ax = kmalloc(sizeof(*ax) + nargs * sizeof(unsigned long), GFP_KERNEL);
1069
+
if (!ax)
1070
+
return -ENOMEM;
1071
+
1072
+
ax->nargs = nargs;
1073
+
memcpy(ax->args, args, nargs * sizeof(unsigned long));
1074
+
1075
+
ax->d.type = AUDIT_SOCKETCALL;
1076
+
ax->d.next = context->aux;
1077
+
context->aux = (void *)ax;
1078
+
return 0;
1079
+
}
1080
+
1081
+
int audit_sockaddr(int len, void *a)
1082
+
{
1083
+
struct audit_aux_data_sockaddr *ax;
1084
+
struct audit_context *context = current->audit_context;
1085
+
1086
+
if (likely(!context))
1087
+
return 0;
1088
+
1089
+
ax = kmalloc(sizeof(*ax) + len, GFP_KERNEL);
1090
+
if (!ax)
1091
+
return -ENOMEM;
1092
+
1093
+
ax->len = len;
1094
+
memcpy(ax->a, a, len);
1095
+
1096
+
ax->d.type = AUDIT_SOCKADDR;
1097
+
ax->d.next = context->aux;
1098
+
context->aux = (void *)ax;
1099
+
return 0;
1100
+
}
1101
+
1102
+
int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt)
1103
+
{
1104
+
struct audit_aux_data_path *ax;
1105
+
struct audit_context *context = current->audit_context;
1106
+
1107
+
if (likely(!context))
1108
+
return 0;
1109
+
1110
+
ax = kmalloc(sizeof(*ax), GFP_ATOMIC);
1111
+
if (!ax)
1112
+
return -ENOMEM;
1113
+
1114
+
ax->dentry = dget(dentry);
1115
+
ax->mnt = mntget(mnt);
1116
+
1117
+
ax->d.type = AUDIT_AVC_PATH;
1118
+
ax->d.next = context->aux;
1119
+
context->aux = (void *)ax;
1120
+
return 0;
1121
+
}
1122
+
1123
+
void audit_signal_info(int sig, struct task_struct *t)
1124
+
{
1125
+
extern pid_t audit_sig_pid;
1126
+
extern uid_t audit_sig_uid;
1127
+
1128
+
if (unlikely(audit_pid && t->pid == audit_pid)) {
1129
+
if (sig == SIGTERM || sig == SIGHUP) {
1130
+
struct audit_context *ctx = current->audit_context;
1131
+
audit_sig_pid = current->pid;
1132
+
if (ctx)
1133
+
audit_sig_uid = ctx->loginuid;
1134
+
else
1135
+
audit_sig_uid = current->uid;
1136
+
}
1137
+
}
1138
+
}
1139
+
+6
-1
kernel/signal.c
+6
-1
kernel/signal.c
···
24
24
#include <linux/ptrace.h>
25
25
#include <linux/posix-timers.h>
26
26
#include <linux/signal.h>
27
+
#include <linux/audit.h>
27
28
#include <asm/param.h>
28
29
#include <asm/uaccess.h>
29
30
#include <asm/unistd.h>
···
668
667
&& (current->uid ^ t->suid) && (current->uid ^ t->uid)
669
668
&& !capable(CAP_KILL))
670
669
return error;
671
-
return security_task_kill(t, info, sig);
670
+
671
+
error = security_task_kill(t, info, sig);
672
+
if (!error)
673
+
audit_signal_info(sig, t); /* Let audit system see the signal */
674
+
return error;
672
675
}
673
676
674
677
/* forward decl */
+7
-2
net/socket.c
+7
-2
net/socket.c
···
81
81
#include <linux/syscalls.h>
82
82
#include <linux/compat.h>
83
83
#include <linux/kmod.h>
84
+
#include <linux/audit.h>
84
85
85
86
#ifdef CONFIG_NET_RADIO
86
87
#include <linux/wireless.h> /* Note : will define WIRELESS_EXT */
···
227
226
return 0;
228
227
if(copy_from_user(kaddr,uaddr,ulen))
229
228
return -EFAULT;
230
-
return 0;
229
+
return audit_sockaddr(ulen, kaddr);
231
230
}
232
231
233
232
/**
···
1907
1906
/* copy_from_user should be SMP safe. */
1908
1907
if (copy_from_user(a, args, nargs[call]))
1909
1908
return -EFAULT;
1910
-
1909
+
1910
+
err = audit_socketcall(nargs[call]/sizeof(unsigned long), a);
1911
+
if (err)
1912
+
return err;
1913
+
1911
1914
a0=a[0];
1912
1915
a1=a[1];
1913
1916
+21
-19
security/selinux/avc.c
+21
-19
security/selinux/avc.c
···
242
242
avc_node_cachep = kmem_cache_create("avc_node", sizeof(struct avc_node),
243
243
0, SLAB_PANIC, NULL, NULL);
244
244
245
-
audit_log(current->audit_context, "AVC INITIALIZED\n");
245
+
audit_log(current->audit_context, AUDIT_KERNEL, "AVC INITIALIZED\n");
246
246
}
247
247
248
248
int avc_get_hash_stats(char *page)
···
532
532
u16 tclass, u32 requested,
533
533
struct av_decision *avd, int result, struct avc_audit_data *a)
534
534
{
535
+
struct task_struct *tsk = current;
535
536
struct inode *inode = NULL;
536
537
u32 denied, audited;
537
538
struct audit_buffer *ab;
···
550
549
return;
551
550
}
552
551
553
-
ab = audit_log_start(current->audit_context);
552
+
ab = audit_log_start(current->audit_context, AUDIT_AVC);
554
553
if (!ab)
555
554
return; /* audit_panic has been called */
556
555
audit_log_format(ab, "avc: %s ", denied ? "denied" : "granted");
557
556
avc_dump_av(ab, tclass,audited);
558
557
audit_log_format(ab, " for ");
558
+
if (a && a->tsk)
559
+
tsk = a->tsk;
560
+
if (tsk && tsk->pid) {
561
+
audit_log_format(ab, " pid=%d comm=", tsk->pid);
562
+
audit_log_untrustedstring(ab, tsk->comm);
563
+
}
559
564
if (a) {
560
565
switch (a->type) {
561
566
case AVC_AUDIT_DATA_IPC:
···
573
566
case AVC_AUDIT_DATA_FS:
574
567
if (a->u.fs.dentry) {
575
568
struct dentry *dentry = a->u.fs.dentry;
576
-
if (a->u.fs.mnt) {
577
-
audit_log_d_path(ab, "path=", dentry,
578
-
a->u.fs.mnt);
579
-
} else {
580
-
audit_log_format(ab, " name=%s",
581
-
dentry->d_name.name);
582
-
}
569
+
if (a->u.fs.mnt)
570
+
audit_avc_path(dentry, a->u.fs.mnt);
571
+
audit_log_format(ab, " name=");
572
+
audit_log_untrustedstring(ab, dentry->d_name.name);
583
573
inode = dentry->d_inode;
584
574
} else if (a->u.fs.inode) {
585
575
struct dentry *dentry;
586
576
inode = a->u.fs.inode;
587
577
dentry = d_find_alias(inode);
588
578
if (dentry) {
589
-
audit_log_format(ab, " name=%s",
590
-
dentry->d_name.name);
579
+
audit_log_format(ab, " name=");
580
+
audit_log_untrustedstring(ab, dentry->d_name.name);
591
581
dput(dentry);
592
582
}
593
583
}
···
627
623
case AF_UNIX:
628
624
u = unix_sk(sk);
629
625
if (u->dentry) {
630
-
audit_log_d_path(ab, "path=",
631
-
u->dentry, u->mnt);
626
+
audit_avc_path(u->dentry, u->mnt);
627
+
audit_log_format(ab, " name=");
628
+
audit_log_untrustedstring(ab, u->dentry->d_name.name);
632
629
break;
633
630
}
634
631
if (!u->addr)
635
632
break;
636
633
len = u->addr->len-sizeof(short);
637
634
p = &u->addr->name->sun_path[0];
635
+
audit_log_format(ab, " path=");
638
636
if (*p)
639
-
audit_log_format(ab,
640
-
"path=%*.*s", len,
641
-
len, p);
637
+
audit_log_untrustedstring(ab, p);
642
638
else
643
-
audit_log_format(ab,
644
-
"path=@%*.*s", len-1,
645
-
len-1, p+1);
639
+
audit_log_hex(ab, p, len);
646
640
break;
647
641
}
648
642
}
+1
-1
security/selinux/hooks.c
+1
-1
security/selinux/hooks.c
···
3419
3419
err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
3420
3420
if (err) {
3421
3421
if (err == -EINVAL) {
3422
-
audit_log(current->audit_context,
3422
+
audit_log(current->audit_context, AUDIT_SELINUX_ERR,
3423
3423
"SELinux: unrecognized netlink message"
3424
3424
" type=%hu for sclass=%hu\n",
3425
3425
nlh->nlmsg_type, isec->sclass);
+8
-2
security/selinux/nlmsgtab.c
+8
-2
security/selinux/nlmsgtab.c
···
97
97
{ AUDIT_ADD, NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
98
98
{ AUDIT_DEL, NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
99
99
{ AUDIT_USER, NETLINK_AUDIT_SOCKET__NLMSG_RELAY },
100
+
{ AUDIT_SIGNAL_INFO, NETLINK_AUDIT_SOCKET__NLMSG_READ },
100
101
};
101
102
102
103
···
142
141
break;
143
142
144
143
case SECCLASS_NETLINK_AUDIT_SOCKET:
145
-
err = nlmsg_perm(nlmsg_type, perm, nlmsg_audit_perms,
146
-
sizeof(nlmsg_audit_perms));
144
+
if (nlmsg_type >= AUDIT_FIRST_USER_MSG &&
145
+
nlmsg_type <= AUDIT_LAST_USER_MSG) {
146
+
*perm = NETLINK_AUDIT_SOCKET__NLMSG_RELAY;
147
+
} else {
148
+
err = nlmsg_perm(nlmsg_type, perm, nlmsg_audit_perms,
149
+
sizeof(nlmsg_audit_perms));
150
+
}
147
151
break;
148
152
149
153
/* No messaging from userspace, or class unknown/unhandled */
+2
-2
security/selinux/ss/services.c
+2
-2
security/selinux/ss/services.c
···
365
365
goto out;
366
366
if (context_struct_to_string(tcontext, &t, &tlen) < 0)
367
367
goto out;
368
-
audit_log(current->audit_context,
368
+
audit_log(current->audit_context, AUDIT_SELINUX_ERR,
369
369
"security_validate_transition: denied for"
370
370
" oldcontext=%s newcontext=%s taskcontext=%s tclass=%s",
371
371
o, n, t, policydb.p_class_val_to_name[tclass-1]);
···
742
742
goto out;
743
743
if (context_struct_to_string(newcontext, &n, &nlen) < 0)
744
744
goto out;
745
-
audit_log(current->audit_context,
745
+
audit_log(current->audit_context, AUDIT_SELINUX_ERR,
746
746
"security_compute_sid: invalid context %s"
747
747
" for scontext=%s"
748
748
" tcontext=%s"