tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

Merge git://git.infradead.org/users/eparis/audit

Pull audit updates from Eric Paris:
"Nothing amazing. Formatting, small bug fixes, couple of fixes where
we didn't get records due to some old VFS changes, and a change to how
we collect execve info..."

Fixed conflict in fs/exec.c as per Eric and linux-next.

* git://git.infradead.org/users/eparis/audit: (28 commits)
audit: fix type of sessionid in audit_set_loginuid()
audit: call audit_bprm() only once to add AUDIT_EXECVE information
audit: move audit_aux_data_execve contents into audit_context union
audit: remove unused envc member of audit_aux_data_execve
audit: Kill the unused struct audit_aux_data_capset
audit: do not reject all AUDIT_INODE filter types
audit: suppress stock memalloc failure warnings since already managed
audit: log the audit_names record type
audit: add child record before the create to handle case where create fails
audit: use given values in tty_audit enable api
audit: use nlmsg_len() to get message payload length
audit: use memset instead of trying to initialize field by field
audit: fix info leak in AUDIT_GET requests
audit: update AUDIT_INODE filter rule to comparator function
audit: audit feature to set loginuid immutable
audit: audit feature to only allow unsetting the loginuid
audit: allow unsetting the loginuid (with priv)
audit: remove CONFIG_AUDIT_LOGINUID_IMMUTABLE
audit: loginuid functions coding style
selinux: apply selinux checks on new audit message types
...

Linus Torvalds 3eaded86 527d1511

+259 -113
+1 -4
fs/exec.c
··· 1380 1380 if (retval) 1381 1381 return retval; 1382 1382 1383 - retval = audit_bprm(bprm); 1384 - if (retval) 1385 - return retval; 1386 - 1387 1383 retval = -ENOENT; 1388 1384 retry: 1389 1385 read_lock(&binfmt_lock); ··· 1427 1431 1428 1432 ret = search_binary_handler(bprm); 1429 1433 if (ret >= 0) { 1434 + audit_bprm(bprm); 1430 1435 trace_sched_process_exec(current, old_pid, bprm); 1431 1436 ptrace_event(PTRACE_EVENT_EXEC, old_vpid); 1432 1437 current->did_exec = 1;
+1
fs/namei.c
··· 2435 2435 */ 2436 2436 static inline int may_create(struct inode *dir, struct dentry *child) 2437 2437 { 2438 + audit_inode_child(dir, child, AUDIT_TYPE_CHILD_CREATE); 2438 2439 if (child->d_inode) 2439 2440 return -EEXIST; 2440 2441 if (IS_DEADDIR(dir))
+10 -4
fs/proc/base.c
··· 1151 1151 goto out_free_page; 1152 1152 1153 1153 } 1154 - kloginuid = make_kuid(file->f_cred->user_ns, loginuid); 1155 - if (!uid_valid(kloginuid)) { 1156 - length = -EINVAL; 1157 - goto out_free_page; 1154 + 1155 + /* is userspace tring to explicitly UNSET the loginuid? */ 1156 + if (loginuid == AUDIT_UID_UNSET) { 1157 + kloginuid = INVALID_UID; 1158 + } else { 1159 + kloginuid = make_kuid(file->f_cred->user_ns, loginuid); 1160 + if (!uid_valid(kloginuid)) { 1161 + length = -EINVAL; 1162 + goto out_free_page; 1163 + } 1158 1164 } 1159 1165 1160 1166 length = audit_set_loginuid(kloginuid);
+7 -8
include/linux/audit.h
··· 73 73 void *lsm_rule; 74 74 }; 75 75 76 + extern int is_audit_feature_set(int which); 77 + 76 78 extern int __init audit_register_class(int class, unsigned *list); 77 79 extern int audit_classify_syscall(int abi, unsigned syscall); 78 80 extern int audit_classify_arch(int arch); ··· 209 207 210 208 extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp); 211 209 extern void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode); 212 - extern int __audit_bprm(struct linux_binprm *bprm); 210 + extern void __audit_bprm(struct linux_binprm *bprm); 213 211 extern int __audit_socketcall(int nargs, unsigned long *args); 214 212 extern int __audit_sockaddr(int len, void *addr); 215 213 extern void __audit_fd_pair(int fd1, int fd2); ··· 238 236 if (unlikely(!audit_dummy_context())) 239 237 __audit_ipc_set_perm(qbytes, uid, gid, mode); 240 238 } 241 - static inline int audit_bprm(struct linux_binprm *bprm) 239 + static inline void audit_bprm(struct linux_binprm *bprm) 242 240 { 243 241 if (unlikely(!audit_dummy_context())) 244 - return __audit_bprm(bprm); 245 - return 0; 242 + __audit_bprm(bprm); 246 243 } 247 244 static inline int audit_socketcall(int nargs, unsigned long *args) 248 245 { ··· 368 367 static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid, 369 368 gid_t gid, umode_t mode) 370 369 { } 371 - static inline int audit_bprm(struct linux_binprm *bprm) 372 - { 373 - return 0; 374 - } 370 + static inline void audit_bprm(struct linux_binprm *bprm) 371 + { } 375 372 static inline int audit_socketcall(int nargs, unsigned long *args) 376 373 { 377 374 return 0;
+26
include/uapi/linux/audit.h
··· 68 68 #define AUDIT_MAKE_EQUIV 1015 /* Append to watched tree */ 69 69 #define AUDIT_TTY_GET 1016 /* Get TTY auditing status */ 70 70 #define AUDIT_TTY_SET 1017 /* Set TTY auditing status */ 71 + #define AUDIT_SET_FEATURE 1018 /* Turn an audit feature on or off */ 72 + #define AUDIT_GET_FEATURE 1019 /* Get which features are enabled */ 73 + #define AUDIT_FEATURE_CHANGE 1020 /* audit log listing feature changes */ 71 74 72 75 #define AUDIT_FIRST_USER_MSG 1100 /* Userspace messages mostly uninteresting to kernel */ 73 76 #define AUDIT_USER_AVC 1107 /* We filter this differently */ ··· 360 357 #define AUDIT_PERM_READ 4 361 358 #define AUDIT_PERM_ATTR 8 362 359 360 + /* MAX_AUDIT_MESSAGE_LENGTH is set in audit:lib/libaudit.h as: 361 + * 8970 // PATH_MAX*2+CONTEXT_SIZE*2+11+256+1 362 + * max header+body+tailer: 44 + 29 + 32 + 262 + 7 + pad 363 + */ 364 + #define AUDIT_MESSAGE_TEXT_MAX 8560 365 + 363 366 struct audit_status { 364 367 __u32 mask; /* Bit mask for valid entries */ 365 368 __u32 enabled; /* 1 = enabled, 0 = disabled */ ··· 377 368 __u32 backlog; /* messages waiting in queue */ 378 369 }; 379 370 371 + struct audit_features { 372 + #define AUDIT_FEATURE_VERSION 1 373 + __u32 vers; 374 + __u32 mask; /* which bits we are dealing with */ 375 + __u32 features; /* which feature to enable/disable */ 376 + __u32 lock; /* which features to lock */ 377 + }; 378 + 379 + #define AUDIT_FEATURE_ONLY_UNSET_LOGINUID 0 380 + #define AUDIT_FEATURE_LOGINUID_IMMUTABLE 1 381 + #define AUDIT_LAST_FEATURE AUDIT_FEATURE_LOGINUID_IMMUTABLE 382 + 383 + #define audit_feature_valid(x) ((x) >= 0 && (x) <= AUDIT_LAST_FEATURE) 384 + #define AUDIT_FEATURE_TO_MASK(x) (1 << ((x) & 31)) /* mask for __u32 */ 385 + 380 386 struct audit_tty_status { 381 387 __u32 enabled; /* 1 = enabled, 0 = disabled */ 382 388 __u32 log_passwd; /* 1 = enabled, 0 = disabled */ 383 389 }; 390 + 391 + #define AUDIT_UID_UNSET (unsigned int)-1 384 392 385 393 /* audit_rule_data supports filter rules with both integer and string 386 394 * fields. It corresponds with AUDIT_ADD_RULE, AUDIT_DEL_RULE and
-14
init/Kconfig
··· 301 301 depends on AUDITSYSCALL 302 302 select FSNOTIFY 303 303 304 - config AUDIT_LOGINUID_IMMUTABLE 305 - bool "Make audit loginuid immutable" 306 - depends on AUDIT 307 - help 308 - The config option toggles if a task setting its loginuid requires 309 - CAP_SYS_AUDITCONTROL or if that task should require no special permissions 310 - but should instead only allow setting its loginuid if it was never 311 - previously set. On systems which use systemd or a similar central 312 - process to restart login services this should be set to true. On older 313 - systems in which an admin would typically have to directly stop and 314 - start processes this should be set to false. Setting this to true allows 315 - one to drop potentially dangerous capabilites from the login tasks, 316 - but may not be backwards compatible with older init systems. 317 - 318 304 source "kernel/irq/Kconfig" 319 305 source "kernel/time/Kconfig" 320 306
+139 -14
kernel/audit.c
··· 60 60 #ifdef CONFIG_SECURITY 61 61 #include <linux/security.h> 62 62 #endif 63 - #include <net/netlink.h> 64 63 #include <linux/freezer.h> 65 64 #include <linux/tty.h> 66 65 #include <linux/pid_namespace.h> ··· 138 139 static struct task_struct *kauditd_task; 139 140 static DECLARE_WAIT_QUEUE_HEAD(kauditd_wait); 140 141 static DECLARE_WAIT_QUEUE_HEAD(audit_backlog_wait); 142 + 143 + static struct audit_features af = {.vers = AUDIT_FEATURE_VERSION, 144 + .mask = -1, 145 + .features = 0, 146 + .lock = 0,}; 147 + 148 + static char *audit_feature_names[2] = { 149 + "only_unset_loginuid", 150 + "loginuid_immutable", 151 + }; 152 + 141 153 142 154 /* Serialize requests from userspace. */ 143 155 DEFINE_MUTEX(audit_cmd_mutex); ··· 594 584 return -EOPNOTSUPP; 595 585 case AUDIT_GET: 596 586 case AUDIT_SET: 587 + case AUDIT_GET_FEATURE: 588 + case AUDIT_SET_FEATURE: 597 589 case AUDIT_LIST_RULES: 598 590 case AUDIT_ADD_RULE: 599 591 case AUDIT_DEL_RULE: ··· 625 613 int rc = 0; 626 614 uid_t uid = from_kuid(&init_user_ns, current_uid()); 627 615 628 - if (!audit_enabled) { 616 + if (!audit_enabled && msg_type != AUDIT_USER_AVC) { 629 617 *ab = NULL; 630 618 return rc; 631 619 } ··· 638 626 audit_log_task_context(*ab); 639 627 640 628 return rc; 629 + } 630 + 631 + int is_audit_feature_set(int i) 632 + { 633 + return af.features & AUDIT_FEATURE_TO_MASK(i); 634 + } 635 + 636 + 637 + static int audit_get_feature(struct sk_buff *skb) 638 + { 639 + u32 seq; 640 + 641 + seq = nlmsg_hdr(skb)->nlmsg_seq; 642 + 643 + audit_send_reply(NETLINK_CB(skb).portid, seq, AUDIT_GET, 0, 0, 644 + &af, sizeof(af)); 645 + 646 + return 0; 647 + } 648 + 649 + static void audit_log_feature_change(int which, u32 old_feature, u32 new_feature, 650 + u32 old_lock, u32 new_lock, int res) 651 + { 652 + struct audit_buffer *ab; 653 + 654 + ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_FEATURE_CHANGE); 655 + audit_log_format(ab, "feature=%s new=%d old=%d old_lock=%d new_lock=%d res=%d", 656 + audit_feature_names[which], !!old_feature, !!new_feature, 657 + !!old_lock, !!new_lock, res); 658 + audit_log_end(ab); 659 + } 660 + 661 + static int audit_set_feature(struct sk_buff *skb) 662 + { 663 + struct audit_features *uaf; 664 + int i; 665 + 666 + BUILD_BUG_ON(AUDIT_LAST_FEATURE + 1 > sizeof(audit_feature_names)/sizeof(audit_feature_names[0])); 667 + uaf = nlmsg_data(nlmsg_hdr(skb)); 668 + 669 + /* if there is ever a version 2 we should handle that here */ 670 + 671 + for (i = 0; i <= AUDIT_LAST_FEATURE; i++) { 672 + u32 feature = AUDIT_FEATURE_TO_MASK(i); 673 + u32 old_feature, new_feature, old_lock, new_lock; 674 + 675 + /* if we are not changing this feature, move along */ 676 + if (!(feature & uaf->mask)) 677 + continue; 678 + 679 + old_feature = af.features & feature; 680 + new_feature = uaf->features & feature; 681 + new_lock = (uaf->lock | af.lock) & feature; 682 + old_lock = af.lock & feature; 683 + 684 + /* are we changing a locked feature? */ 685 + if ((af.lock & feature) && (new_feature != old_feature)) { 686 + audit_log_feature_change(i, old_feature, new_feature, 687 + old_lock, new_lock, 0); 688 + return -EPERM; 689 + } 690 + } 691 + /* nothing invalid, do the changes */ 692 + for (i = 0; i <= AUDIT_LAST_FEATURE; i++) { 693 + u32 feature = AUDIT_FEATURE_TO_MASK(i); 694 + u32 old_feature, new_feature, old_lock, new_lock; 695 + 696 + /* if we are not changing this feature, move along */ 697 + if (!(feature & uaf->mask)) 698 + continue; 699 + 700 + old_feature = af.features & feature; 701 + new_feature = uaf->features & feature; 702 + old_lock = af.lock & feature; 703 + new_lock = (uaf->lock | af.lock) & feature; 704 + 705 + if (new_feature != old_feature) 706 + audit_log_feature_change(i, old_feature, new_feature, 707 + old_lock, new_lock, 1); 708 + 709 + if (new_feature) 710 + af.features |= feature; 711 + else 712 + af.features &= ~feature; 713 + af.lock |= new_lock; 714 + } 715 + 716 + return 0; 641 717 } 642 718 643 719 static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) ··· 759 659 760 660 switch (msg_type) { 761 661 case AUDIT_GET: 662 + memset(&status_set, 0, sizeof(status_set)); 762 663 status_set.enabled = audit_enabled; 763 664 status_set.failure = audit_failure; 764 665 status_set.pid = audit_pid; ··· 771 670 &status_set, sizeof(status_set)); 772 671 break; 773 672 case AUDIT_SET: 774 - if (nlh->nlmsg_len < sizeof(struct audit_status)) 673 + if (nlmsg_len(nlh) < sizeof(struct audit_status)) 775 674 return -EINVAL; 776 675 status_get = (struct audit_status *)data; 777 676 if (status_get->mask & AUDIT_STATUS_ENABLED) { ··· 800 699 if (status_get->mask & AUDIT_STATUS_BACKLOG_LIMIT) 801 700 err = audit_set_backlog_limit(status_get->backlog_limit); 802 701 break; 702 + case AUDIT_GET_FEATURE: 703 + err = audit_get_feature(skb); 704 + if (err) 705 + return err; 706 + break; 707 + case AUDIT_SET_FEATURE: 708 + err = audit_set_feature(skb); 709 + if (err) 710 + return err; 711 + break; 803 712 case AUDIT_USER: 804 713 case AUDIT_FIRST_USER_MSG ... AUDIT_LAST_USER_MSG: 805 714 case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2: ··· 826 715 } 827 716 audit_log_common_recv_msg(&ab, msg_type); 828 717 if (msg_type != AUDIT_USER_TTY) 829 - audit_log_format(ab, " msg='%.1024s'", 718 + audit_log_format(ab, " msg='%.*s'", 719 + AUDIT_MESSAGE_TEXT_MAX, 830 720 (char *)data); 831 721 else { 832 722 int size; ··· 930 818 struct task_struct *tsk = current; 931 819 932 820 spin_lock(&tsk->sighand->siglock); 933 - s.enabled = tsk->signal->audit_tty != 0; 821 + s.enabled = tsk->signal->audit_tty; 934 822 s.log_passwd = tsk->signal->audit_tty_log_passwd; 935 823 spin_unlock(&tsk->sighand->siglock); 936 824 ··· 944 832 945 833 memset(&s, 0, sizeof(s)); 946 834 /* guard against past and future API changes */ 947 - memcpy(&s, data, min(sizeof(s), (size_t)nlh->nlmsg_len)); 835 + memcpy(&s, data, min_t(size_t, sizeof(s), nlmsg_len(nlh))); 948 836 if ((s.enabled != 0 && s.enabled != 1) || 949 837 (s.log_passwd != 0 && s.log_passwd != 1)) 950 838 return -EINVAL; ··· 1178 1066 __set_current_state(TASK_RUNNING); 1179 1067 remove_wait_queue(&audit_backlog_wait, &wait); 1180 1068 } 1181 - 1182 - /* Obtain an audit buffer. This routine does locking to obtain the 1183 - * audit buffer, but then no locking is required for calls to 1184 - * audit_log_*format. If the tsk is a task that is currently in a 1185 - * syscall, then the syscall is marked as auditable and an audit record 1186 - * will be written at syscall exit. If there is no associated task, tsk 1187 - * should be NULL. */ 1188 1069 1189 1070 /** 1190 1071 * audit_log_start - obtain an audit buffer ··· 1494 1389 u32 sessionid = audit_get_sessionid(current); 1495 1390 uid_t auid = from_kuid(&init_user_ns, audit_get_loginuid(current)); 1496 1391 1497 - audit_log_format(ab, " auid=%u ses=%u\n", auid, sessionid); 1392 + audit_log_format(ab, " auid=%u ses=%u", auid, sessionid); 1498 1393 } 1499 1394 1500 1395 void audit_log_key(struct audit_buffer *ab, char *key) ··· 1639 1534 audit_log_format(ab, " obj=%s", ctx); 1640 1535 security_release_secctx(ctx, len); 1641 1536 } 1537 + } 1538 + 1539 + /* log the audit_names record type */ 1540 + audit_log_format(ab, " nametype="); 1541 + switch(n->type) { 1542 + case AUDIT_TYPE_NORMAL: 1543 + audit_log_format(ab, "NORMAL"); 1544 + break; 1545 + case AUDIT_TYPE_PARENT: 1546 + audit_log_format(ab, "PARENT"); 1547 + break; 1548 + case AUDIT_TYPE_CHILD_DELETE: 1549 + audit_log_format(ab, "DELETE"); 1550 + break; 1551 + case AUDIT_TYPE_CHILD_CREATE: 1552 + audit_log_format(ab, "CREATE"); 1553 + break; 1554 + default: 1555 + audit_log_format(ab, "UNKNOWN"); 1556 + break; 1642 1557 } 1643 1558 1644 1559 audit_log_fcaps(ab, n);
+3
kernel/audit.h
··· 197 197 int fd; 198 198 int flags; 199 199 } mmap; 200 + struct { 201 + int argc; 202 + } execve; 200 203 }; 201 204 int fds[2]; 202 205
+2 -1
kernel/auditfilter.c
··· 343 343 case AUDIT_DEVMINOR: 344 344 case AUDIT_EXIT: 345 345 case AUDIT_SUCCESS: 346 + case AUDIT_INODE: 346 347 /* bit ops are only useful on syscall args */ 347 348 if (f->op == Audit_bitmask || f->op == Audit_bittest) 348 349 return -EINVAL; ··· 424 423 f->lsm_rule = NULL; 425 424 426 425 /* Support legacy tests for a valid loginuid */ 427 - if ((f->type == AUDIT_LOGINUID) && (f->val == ~0U)) { 426 + if ((f->type == AUDIT_LOGINUID) && (f->val == AUDIT_UID_UNSET)) { 428 427 f->type = AUDIT_LOGINUID_SET; 429 428 f->val = 0; 430 429 }
+66 -67
kernel/auditsc.c
··· 95 95 /* Number of target pids per aux struct. */ 96 96 #define AUDIT_AUX_PIDS 16 97 97 98 - struct audit_aux_data_execve { 99 - struct audit_aux_data d; 100 - int argc; 101 - int envc; 102 - struct mm_struct *mm; 103 - }; 104 - 105 98 struct audit_aux_data_pids { 106 99 struct audit_aux_data d; 107 100 pid_t target_pid[AUDIT_AUX_PIDS]; ··· 112 119 unsigned int fcap_ver; 113 120 struct audit_cap_data old_pcap; 114 121 struct audit_cap_data new_pcap; 115 - }; 116 - 117 - struct audit_aux_data_capset { 118 - struct audit_aux_data d; 119 - pid_t pid; 120 - struct audit_cap_data cap; 121 122 }; 122 123 123 124 struct audit_tree_refs { ··· 553 566 break; 554 567 case AUDIT_INODE: 555 568 if (name) 556 - result = (name->ino == f->val); 569 + result = audit_comparator(name->ino, f->op, f->val); 557 570 else if (ctx) { 558 571 list_for_each_entry(n, &ctx->names_list, list) { 559 572 if (audit_comparator(n->ino, f->op, f->val)) { ··· 930 943 return 0; /* Return if not auditing. */ 931 944 932 945 state = audit_filter_task(tsk, &key); 933 - if (state == AUDIT_DISABLED) 946 + if (state == AUDIT_DISABLED) { 947 + clear_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT); 934 948 return 0; 949 + } 935 950 936 951 if (!(context = audit_alloc_context(state))) { 937 952 kfree(key); ··· 1138 1149 } 1139 1150 1140 1151 static void audit_log_execve_info(struct audit_context *context, 1141 - struct audit_buffer **ab, 1142 - struct audit_aux_data_execve *axi) 1152 + struct audit_buffer **ab) 1143 1153 { 1144 1154 int i, len; 1145 1155 size_t len_sent = 0; 1146 1156 const char __user *p; 1147 1157 char *buf; 1148 1158 1149 - if (axi->mm != current->mm) 1150 - return; /* execve failed, no additional info */ 1159 + p = (const char __user *)current->mm->arg_start; 1151 1160 1152 - p = (const char __user *)axi->mm->arg_start; 1153 - 1154 - audit_log_format(*ab, "argc=%d", axi->argc); 1161 + audit_log_format(*ab, "argc=%d", context->execve.argc); 1155 1162 1156 1163 /* 1157 1164 * we need some kernel buffer to hold the userspace args. Just ··· 1161 1176 return; 1162 1177 } 1163 1178 1164 - for (i = 0; i < axi->argc; i++) { 1179 + for (i = 0; i < context->execve.argc; i++) { 1165 1180 len = audit_log_single_execve_arg(context, ab, i, 1166 1181 &len_sent, p, buf); 1167 1182 if (len <= 0) ··· 1264 1279 audit_log_format(ab, "fd=%d flags=0x%x", context->mmap.fd, 1265 1280 context->mmap.flags); 1266 1281 break; } 1282 + case AUDIT_EXECVE: { 1283 + audit_log_execve_info(context, &ab); 1284 + break; } 1267 1285 } 1268 1286 audit_log_end(ab); 1269 1287 } ··· 1312 1324 continue; /* audit_panic has been called */ 1313 1325 1314 1326 switch (aux->type) { 1315 - 1316 - case AUDIT_EXECVE: { 1317 - struct audit_aux_data_execve *axi = (void *)aux; 1318 - audit_log_execve_info(context, &ab, axi); 1319 - break; } 1320 1327 1321 1328 case AUDIT_BPRM_FCAPS: { 1322 1329 struct audit_aux_data_bprm_fcaps *axs = (void *)aux; ··· 1947 1964 /* global counter which is incremented every time something logs in */ 1948 1965 static atomic_t session_id = ATOMIC_INIT(0); 1949 1966 1967 + static int audit_set_loginuid_perm(kuid_t loginuid) 1968 + { 1969 + /* if we are unset, we don't need privs */ 1970 + if (!audit_loginuid_set(current)) 1971 + return 0; 1972 + /* if AUDIT_FEATURE_LOGINUID_IMMUTABLE means never ever allow a change*/ 1973 + if (is_audit_feature_set(AUDIT_FEATURE_LOGINUID_IMMUTABLE)) 1974 + return -EPERM; 1975 + /* it is set, you need permission */ 1976 + if (!capable(CAP_AUDIT_CONTROL)) 1977 + return -EPERM; 1978 + /* reject if this is not an unset and we don't allow that */ 1979 + if (is_audit_feature_set(AUDIT_FEATURE_ONLY_UNSET_LOGINUID) && uid_valid(loginuid)) 1980 + return -EPERM; 1981 + return 0; 1982 + } 1983 + 1984 + static void audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid, 1985 + unsigned int oldsessionid, unsigned int sessionid, 1986 + int rc) 1987 + { 1988 + struct audit_buffer *ab; 1989 + uid_t uid, ologinuid, nloginuid; 1990 + 1991 + uid = from_kuid(&init_user_ns, task_uid(current)); 1992 + ologinuid = from_kuid(&init_user_ns, koldloginuid); 1993 + nloginuid = from_kuid(&init_user_ns, kloginuid), 1994 + 1995 + ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN); 1996 + if (!ab) 1997 + return; 1998 + audit_log_format(ab, "pid=%d uid=%u old auid=%u new auid=%u old " 1999 + "ses=%u new ses=%u res=%d", current->pid, uid, ologinuid, 2000 + nloginuid, oldsessionid, sessionid, !rc); 2001 + audit_log_end(ab); 2002 + } 2003 + 1950 2004 /** 1951 2005 * audit_set_loginuid - set current task's audit_context loginuid 1952 2006 * @loginuid: loginuid value ··· 1995 1975 int audit_set_loginuid(kuid_t loginuid) 1996 1976 { 1997 1977 struct task_struct *task = current; 1998 - struct audit_context *context = task->audit_context; 1999 - unsigned int sessionid; 1978 + unsigned int oldsessionid, sessionid = (unsigned int)-1; 1979 + kuid_t oldloginuid; 1980 + int rc; 2000 1981 2001 - #ifdef CONFIG_AUDIT_LOGINUID_IMMUTABLE 2002 - if (audit_loginuid_set(task)) 2003 - return -EPERM; 2004 - #else /* CONFIG_AUDIT_LOGINUID_IMMUTABLE */ 2005 - if (!capable(CAP_AUDIT_CONTROL)) 2006 - return -EPERM; 2007 - #endif /* CONFIG_AUDIT_LOGINUID_IMMUTABLE */ 1982 + oldloginuid = audit_get_loginuid(current); 1983 + oldsessionid = audit_get_sessionid(current); 2008 1984 2009 - sessionid = atomic_inc_return(&session_id); 2010 - if (context && context->in_syscall) { 2011 - struct audit_buffer *ab; 1985 + rc = audit_set_loginuid_perm(loginuid); 1986 + if (rc) 1987 + goto out; 2012 1988 2013 - ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN); 2014 - if (ab) { 2015 - audit_log_format(ab, "login pid=%d uid=%u " 2016 - "old auid=%u new auid=%u" 2017 - " old ses=%u new ses=%u", 2018 - task->pid, 2019 - from_kuid(&init_user_ns, task_uid(task)), 2020 - from_kuid(&init_user_ns, task->loginuid), 2021 - from_kuid(&init_user_ns, loginuid), 2022 - task->sessionid, sessionid); 2023 - audit_log_end(ab); 2024 - } 2025 - } 1989 + /* are we setting or clearing? */ 1990 + if (uid_valid(loginuid)) 1991 + sessionid = atomic_inc_return(&session_id); 1992 + 2026 1993 task->sessionid = sessionid; 2027 1994 task->loginuid = loginuid; 2028 - return 0; 1995 + out: 1996 + audit_log_set_loginuid(oldloginuid, loginuid, oldsessionid, sessionid, rc); 1997 + return rc; 2029 1998 } 2030 1999 2031 2000 /** ··· 2135 2126 context->ipc.has_perm = 1; 2136 2127 } 2137 2128 2138 - int __audit_bprm(struct linux_binprm *bprm) 2129 + void __audit_bprm(struct linux_binprm *bprm) 2139 2130 { 2140 - struct audit_aux_data_execve *ax; 2141 2131 struct audit_context *context = current->audit_context; 2142 2132 2143 - ax = kmalloc(sizeof(*ax), GFP_KERNEL); 2144 - if (!ax) 2145 - return -ENOMEM; 2146 - 2147 - ax->argc = bprm->argc; 2148 - ax->envc = bprm->envc; 2149 - ax->mm = bprm->mm; 2150 - ax->d.type = AUDIT_EXECVE; 2151 - ax->d.next = context->aux; 2152 - context->aux = (void *)ax; 2153 - return 0; 2133 + context->type = AUDIT_EXECVE; 2134 + context->execve.argc = bprm->argc; 2154 2135 } 2155 2136 2156 2137
+2 -1
security/lsm_audit.c
··· 397 397 if (a == NULL) 398 398 return; 399 399 /* we use GFP_ATOMIC so we won't sleep */ 400 - ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_AVC); 400 + ab = audit_log_start(current->audit_context, GFP_ATOMIC | __GFP_NOWARN, 401 + AUDIT_AVC); 401 402 402 403 if (ab == NULL) 403 404 return;
+2
security/selinux/nlmsgtab.c
··· 116 116 { AUDIT_MAKE_EQUIV, NETLINK_AUDIT_SOCKET__NLMSG_WRITE }, 117 117 { AUDIT_TTY_GET, NETLINK_AUDIT_SOCKET__NLMSG_READ }, 118 118 { AUDIT_TTY_SET, NETLINK_AUDIT_SOCKET__NLMSG_TTY_AUDIT }, 119 + { AUDIT_GET_FEATURE, NETLINK_AUDIT_SOCKET__NLMSG_READ }, 120 + { AUDIT_SET_FEATURE, NETLINK_AUDIT_SOCKET__NLMSG_WRITE }, 119 121 }; 120 122 121 123