Merge git://git.infradead.org/users/eparis/audit

+16

Documentation/kernel-parameters.txt

··· 463 463 atkbd.softrepeat= [HW] 464 464 Use software keyboard repeat 465 465 466 + audit= [KNL] Enable the audit sub-system 467 + Format: { "0" | "1" } (0 = disabled, 1 = enabled) 468 + 0 - kernel audit is disabled and can not be enabled 469 + until the next reboot 470 + unset - kernel audit is initialized but disabled and 471 + will be fully enabled by the userspace auditd. 472 + 1 - kernel audit is initialized and partially enabled, 473 + storing at most audit_backlog_limit messages in 474 + RAM until it is fully enabled by the userspace 475 + auditd. 476 + Default: unset 477 + 478 + audit_backlog_limit= [KNL] Set the audit queue size limit. 479 + Format: <int> (must be >=0) 480 + Default: 64 481 + 466 482 baycom_epp= [HW,AX25] 467 483 Format: <io>,<mode> 468 484

+1 -2

MAINTAINERS

··· 1597 1597 F: drivers/scsi/esas2r 1598 1598 1599 1599 AUDIT SUBSYSTEM 1600 - M: Al Viro <viro@zeniv.linux.org.uk> 1601 1600 M: Eric Paris <eparis@redhat.com> 1602 1601 L: linux-audit@redhat.com (subscribers-only) 1603 1602 W: http://people.redhat.com/sgrubb/audit/ 1604 - T: git git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit-current.git 1603 + T: git git://git.infradead.org/users/eparis/audit.git 1605 1604 S: Maintained 1606 1605 F: include/linux/audit.h 1607 1606 F: include/uapi/linux/audit.h

+1 -1

drivers/tty/tty_audit.c

··· 67 67 struct task_struct *tsk = current; 68 68 uid_t uid = from_kuid(&init_user_ns, task_uid(tsk)); 69 69 uid_t loginuid = from_kuid(&init_user_ns, audit_get_loginuid(tsk)); 70 - u32 sessionid = audit_get_sessionid(tsk); 70 + unsigned int sessionid = audit_get_sessionid(tsk); 71 71 72 72 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_TTY); 73 73 if (ab) {

+3 -1

include/asm-generic/audit_change_attr.h

··· 4 4 __NR_fchmod, 5 5 #ifdef __NR_chown 6 6 __NR_chown, 7 - __NR_fchown, 8 7 __NR_lchown, 8 + #endif 9 + #ifdef __NR_fchown 10 + __NR_fchown, 9 11 #endif 10 12 __NR_setxattr, 11 13 __NR_lsetxattr,

+6

include/asm-generic/audit_write.h

··· 10 10 #ifdef __NR_truncate64 11 11 __NR_truncate64, 12 12 #endif 13 + #ifdef __NR_ftruncate 14 + __NR_ftruncate, 15 + #endif 16 + #ifdef __NR_ftruncate64 17 + __NR_ftruncate64, 18 + #endif 13 19 #ifdef __NR_bind 14 20 __NR_bind, /* bind can affect fs object only in one way... */ 15 21 #endif

+12 -10

include/linux/audit.h

··· 137 137 { 138 138 if (unlikely(current->audit_context)) { 139 139 int success = is_syscall_success(pt_regs); 140 - int return_code = regs_return_value(pt_regs); 140 + long return_code = regs_return_value(pt_regs); 141 141 142 142 __audit_syscall_exit(success, return_code); 143 143 } ··· 202 202 return tsk->loginuid; 203 203 } 204 204 205 - static inline int audit_get_sessionid(struct task_struct *tsk) 205 + static inline unsigned int audit_get_sessionid(struct task_struct *tsk) 206 206 { 207 207 return tsk->sessionid; 208 208 } ··· 220 220 extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm, 221 221 const struct cred *new, 222 222 const struct cred *old); 223 - extern void __audit_log_capset(pid_t pid, const struct cred *new, const struct cred *old); 223 + extern void __audit_log_capset(const struct cred *new, const struct cred *old); 224 224 extern void __audit_mmap_fd(int fd, int flags); 225 225 226 226 static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp) ··· 285 285 return 0; 286 286 } 287 287 288 - static inline void audit_log_capset(pid_t pid, const struct cred *new, 288 + static inline void audit_log_capset(const struct cred *new, 289 289 const struct cred *old) 290 290 { 291 291 if (unlikely(!audit_dummy_context())) 292 - __audit_log_capset(pid, new, old); 292 + __audit_log_capset(new, old); 293 293 } 294 294 295 295 static inline void audit_mmap_fd(int fd, int flags) ··· 359 359 { 360 360 return INVALID_UID; 361 361 } 362 - static inline int audit_get_sessionid(struct task_struct *tsk) 362 + static inline unsigned int audit_get_sessionid(struct task_struct *tsk) 363 363 { 364 364 return -1; 365 365 } ··· 397 397 { 398 398 return 0; 399 399 } 400 - static inline void audit_log_capset(pid_t pid, const struct cred *new, 401 - const struct cred *old) 400 + static inline void audit_log_capset(const struct cred *new, 401 + const struct cred *old) 402 402 { } 403 403 static inline void audit_mmap_fd(int fd, int flags) 404 404 { } ··· 461 461 /* Private API (for audit.c only) */ 462 462 extern int audit_filter_user(int type); 463 463 extern int audit_filter_type(int type); 464 - extern int audit_receive_filter(int type, int pid, int seq, 464 + extern int audit_rule_change(int type, __u32 portid, int seq, 465 465 void *data, size_t datasz); 466 - extern int audit_enabled; 466 + extern int audit_list_rules_send(__u32 portid, int seq); 467 + 468 + extern u32 audit_enabled; 467 469 #else /* CONFIG_AUDIT */ 468 470 static inline __printf(4, 5) 469 471 void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type,

+1 -1

include/linux/init_task.h

··· 97 97 #ifdef CONFIG_AUDITSYSCALL 98 98 #define INIT_IDS \ 99 99 .loginuid = INVALID_UID, \ 100 - .sessionid = -1, 100 + .sessionid = (unsigned int)-1, 101 101 #else 102 102 #define INIT_IDS 103 103 #endif

+1 -1

include/net/netlabel.h

··· 111 111 struct netlbl_audit { 112 112 u32 secid; 113 113 kuid_t loginuid; 114 - u32 sessionid; 114 + unsigned int sessionid; 115 115 }; 116 116 117 117 /*

+10 -10

include/net/xfrm.h

··· 681 681 struct xfrm_audit { 682 682 u32 secid; 683 683 kuid_t loginuid; 684 - u32 sessionid; 684 + unsigned int sessionid; 685 685 }; 686 686 687 687 #ifdef CONFIG_AUDITSYSCALL ··· 699 699 return audit_buf; 700 700 } 701 701 702 - static inline void xfrm_audit_helper_usrinfo(kuid_t auid, u32 ses, u32 secid, 702 + static inline void xfrm_audit_helper_usrinfo(kuid_t auid, unsigned int ses, u32 secid, 703 703 struct audit_buffer *audit_buf) 704 704 { 705 705 char *secctx; ··· 716 716 } 717 717 718 718 void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, kuid_t auid, 719 - u32 ses, u32 secid); 719 + unsigned int ses, u32 secid); 720 720 void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result, kuid_t auid, 721 - u32 ses, u32 secid); 721 + unsigned int ses, u32 secid); 722 722 void xfrm_audit_state_add(struct xfrm_state *x, int result, kuid_t auid, 723 - u32 ses, u32 secid); 723 + unsigned int ses, u32 secid); 724 724 void xfrm_audit_state_delete(struct xfrm_state *x, int result, kuid_t auid, 725 - u32 ses, u32 secid); 725 + unsigned int ses, u32 secid); 726 726 void xfrm_audit_state_replay_overflow(struct xfrm_state *x, 727 727 struct sk_buff *skb); 728 728 void xfrm_audit_state_replay(struct xfrm_state *x, struct sk_buff *skb, ··· 735 735 #else 736 736 737 737 static inline void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, 738 - kuid_t auid, u32 ses, u32 secid) 738 + kuid_t auid, unsigned int ses, u32 secid) 739 739 { 740 740 } 741 741 742 742 static inline void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result, 743 - kuid_t auid, u32 ses, u32 secid) 743 + kuid_t auid, unsigned int ses, u32 secid) 744 744 { 745 745 } 746 746 747 747 static inline void xfrm_audit_state_add(struct xfrm_state *x, int result, 748 - kuid_t auid, u32 ses, u32 secid) 748 + kuid_t auid, unsigned int ses, u32 secid) 749 749 { 750 750 } 751 751 752 752 static inline void xfrm_audit_state_delete(struct xfrm_state *x, int result, 753 - kuid_t auid, u32 ses, u32 secid) 753 + kuid_t auid, unsigned int ses, u32 secid) 754 754 { 755 755 } 756 756

+8

include/uapi/linux/audit.h

··· 319 319 #define AUDIT_STATUS_PID 0x0004 320 320 #define AUDIT_STATUS_RATE_LIMIT 0x0008 321 321 #define AUDIT_STATUS_BACKLOG_LIMIT 0x0010 322 + #define AUDIT_STATUS_BACKLOG_WAIT_TIME 0x0020 323 + 324 + #define AUDIT_VERSION_BACKLOG_LIMIT 1 325 + #define AUDIT_VERSION_BACKLOG_WAIT_TIME 2 326 + #define AUDIT_VERSION_LATEST AUDIT_VERSION_BACKLOG_WAIT_TIME 327 + 322 328 /* Failure-to-log actions */ 323 329 #define AUDIT_FAIL_SILENT 0 324 330 #define AUDIT_FAIL_PRINTK 1 ··· 381 375 __u32 backlog_limit; /* waiting messages limit */ 382 376 __u32 lost; /* messages lost */ 383 377 __u32 backlog; /* messages waiting in queue */ 378 + __u32 version; /* audit api version number */ 379 + __u32 backlog_wait_time;/* message queue wait timeout */ 384 380 }; 385 381 386 382 struct audit_features {

+236 -131

kernel/audit.c

··· 41 41 * Example user-space utilities: http://people.redhat.com/sgrubb/audit/ 42 42 */ 43 43 44 + #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 45 + 44 46 #include <linux/init.h> 45 47 #include <asm/types.h> 46 48 #include <linux/atomic.h> ··· 65 63 #include <linux/freezer.h> 66 64 #include <linux/tty.h> 67 65 #include <linux/pid_namespace.h> 66 + #include <net/netns/generic.h> 68 67 69 68 #include "audit.h" 70 69 ··· 79 76 #define AUDIT_OFF 0 80 77 #define AUDIT_ON 1 81 78 #define AUDIT_LOCKED 2 82 - int audit_enabled; 83 - int audit_ever_enabled; 79 + u32 audit_enabled; 80 + u32 audit_ever_enabled; 84 81 85 82 EXPORT_SYMBOL_GPL(audit_enabled); 86 83 87 84 /* Default state when kernel boots without any parameters. */ 88 - static int audit_default; 85 + static u32 audit_default; 89 86 90 87 /* If auditing cannot proceed, audit_failure selects what happens. */ 91 - static int audit_failure = AUDIT_FAIL_PRINTK; 88 + static u32 audit_failure = AUDIT_FAIL_PRINTK; 92 89 93 90 /* 94 91 * If audit records are to be written to the netlink socket, audit_pid ··· 96 93 * the portid to use to send netlink messages to that process. 97 94 */ 98 95 int audit_pid; 99 - static int audit_nlk_portid; 96 + static __u32 audit_nlk_portid; 100 97 101 98 /* If audit_rate_limit is non-zero, limit the rate of sending audit records 102 99 * to that number per second. This prevents DoS attacks, but results in 103 100 * audit records being dropped. */ 104 - static int audit_rate_limit; 101 + static u32 audit_rate_limit; 105 102 106 - /* Number of outstanding audit_buffers allowed. */ 107 - static int audit_backlog_limit = 64; 108 - static int audit_backlog_wait_time = 60 * HZ; 109 - static int audit_backlog_wait_overflow = 0; 103 + /* Number of outstanding audit_buffers allowed. 104 + * When set to zero, this means unlimited. */ 105 + static u32 audit_backlog_limit = 64; 106 + #define AUDIT_BACKLOG_WAIT_TIME (60 * HZ) 107 + static u32 audit_backlog_wait_time = AUDIT_BACKLOG_WAIT_TIME; 108 + static u32 audit_backlog_wait_overflow = 0; 110 109 111 110 /* The identity of the user shutting down the audit system. */ 112 111 kuid_t audit_sig_uid = INVALID_UID; ··· 126 121 127 122 /* The netlink socket. */ 128 123 static struct sock *audit_sock; 124 + int audit_net_id; 129 125 130 126 /* Hash for inode-based rules */ 131 127 struct list_head audit_inode_hash[AUDIT_INODE_BUCKETS]; ··· 181 175 }; 182 176 183 177 struct audit_reply { 184 - int pid; 178 + __u32 portid; 179 + pid_t pid; 185 180 struct sk_buff *skb; 186 181 }; 187 182 188 - static void audit_set_pid(struct audit_buffer *ab, pid_t pid) 183 + static void audit_set_portid(struct audit_buffer *ab, __u32 portid) 189 184 { 190 185 if (ab) { 191 186 struct nlmsghdr *nlh = nlmsg_hdr(ab->skb); 192 - nlh->nlmsg_pid = pid; 187 + nlh->nlmsg_pid = portid; 193 188 } 194 189 } 195 190 196 191 void audit_panic(const char *message) 197 192 { 198 - switch (audit_failure) 199 - { 193 + switch (audit_failure) { 200 194 case AUDIT_FAIL_SILENT: 201 195 break; 202 196 case AUDIT_FAIL_PRINTK: 203 197 if (printk_ratelimit()) 204 - printk(KERN_ERR "audit: %s\n", message); 198 + pr_err("%s\n", message); 205 199 break; 206 200 case AUDIT_FAIL_PANIC: 207 201 /* test audit_pid since printk is always losey, why bother? */ ··· 272 266 273 267 if (print) { 274 268 if (printk_ratelimit()) 275 - printk(KERN_WARNING 276 - "audit: audit_lost=%d audit_rate_limit=%d " 277 - "audit_backlog_limit=%d\n", 269 + pr_warn("audit_lost=%u audit_rate_limit=%u audit_backlog_limit=%u\n", 278 270 atomic_read(&audit_lost), 279 271 audit_rate_limit, 280 272 audit_backlog_limit); ··· 280 276 } 281 277 } 282 278 283 - static int audit_log_config_change(char *function_name, int new, int old, 279 + static int audit_log_config_change(char *function_name, u32 new, u32 old, 284 280 int allow_changes) 285 281 { 286 282 struct audit_buffer *ab; ··· 289 285 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); 290 286 if (unlikely(!ab)) 291 287 return rc; 292 - audit_log_format(ab, "%s=%d old=%d", function_name, new, old); 288 + audit_log_format(ab, "%s=%u old=%u", function_name, new, old); 293 289 audit_log_session_info(ab); 294 290 rc = audit_log_task_context(ab); 295 291 if (rc) ··· 299 295 return rc; 300 296 } 301 297 302 - static int audit_do_config_change(char *function_name, int *to_change, int new) 298 + static int audit_do_config_change(char *function_name, u32 *to_change, u32 new) 303 299 { 304 - int allow_changes, rc = 0, old = *to_change; 300 + int allow_changes, rc = 0; 301 + u32 old = *to_change; 305 302 306 303 /* check if we are locked */ 307 304 if (audit_enabled == AUDIT_LOCKED) ··· 325 320 return rc; 326 321 } 327 322 328 - static int audit_set_rate_limit(int limit) 323 + static int audit_set_rate_limit(u32 limit) 329 324 { 330 325 return audit_do_config_change("audit_rate_limit", &audit_rate_limit, limit); 331 326 } 332 327 333 - static int audit_set_backlog_limit(int limit) 328 + static int audit_set_backlog_limit(u32 limit) 334 329 { 335 330 return audit_do_config_change("audit_backlog_limit", &audit_backlog_limit, limit); 336 331 } 337 332 338 - static int audit_set_enabled(int state) 333 + static int audit_set_backlog_wait_time(u32 timeout) 334 + { 335 + return audit_do_config_change("audit_backlog_wait_time", 336 + &audit_backlog_wait_time, timeout); 337 + } 338 + 339 + static int audit_set_enabled(u32 state) 339 340 { 340 341 int rc; 341 342 if (state < AUDIT_OFF || state > AUDIT_LOCKED) ··· 354 343 return rc; 355 344 } 356 345 357 - static int audit_set_failure(int state) 346 + static int audit_set_failure(u32 state) 358 347 { 359 348 if (state != AUDIT_FAIL_SILENT 360 349 && state != AUDIT_FAIL_PRINTK ··· 376 365 static void audit_hold_skb(struct sk_buff *skb) 377 366 { 378 367 if (audit_default && 379 - skb_queue_len(&audit_skb_hold_queue) < audit_backlog_limit) 368 + (!audit_backlog_limit || 369 + skb_queue_len(&audit_skb_hold_queue) < audit_backlog_limit)) 380 370 skb_queue_tail(&audit_skb_hold_queue, skb); 381 371 else 382 372 kfree_skb(skb); ··· 394 382 395 383 if (nlh->nlmsg_type != AUDIT_EOE) { 396 384 if (printk_ratelimit()) 397 - printk(KERN_NOTICE "type=%d %s\n", nlh->nlmsg_type, data); 385 + pr_notice("type=%d %s\n", nlh->nlmsg_type, data); 398 386 else 399 387 audit_log_lost("printk limit exceeded\n"); 400 388 } ··· 410 398 err = netlink_unicast(audit_sock, skb, audit_nlk_portid, 0); 411 399 if (err < 0) { 412 400 BUG_ON(err != -ECONNREFUSED); /* Shouldn't happen */ 413 - printk(KERN_ERR "audit: *NO* daemon at audit_pid=%d\n", audit_pid); 414 - audit_log_lost("auditd disappeared\n"); 415 - audit_pid = 0; 401 + if (audit_pid) { 402 + pr_err("*NO* daemon at audit_pid=%d\n", audit_pid); 403 + audit_log_lost("auditd disappeared\n"); 404 + audit_pid = 0; 405 + audit_sock = NULL; 406 + } 416 407 /* we might get lucky and get this in the next auditd */ 417 408 audit_hold_skb(skb); 418 409 } else ··· 472 457 flush_hold_queue(); 473 458 474 459 skb = skb_dequeue(&audit_skb_queue); 475 - wake_up(&audit_backlog_wait); 460 + 476 461 if (skb) { 462 + if (skb_queue_len(&audit_skb_queue) <= audit_backlog_limit) 463 + wake_up(&audit_backlog_wait); 477 464 if (audit_pid) 478 465 kauditd_send_skb(skb); 479 466 else ··· 499 482 int audit_send_list(void *_dest) 500 483 { 501 484 struct audit_netlink_list *dest = _dest; 502 - int pid = dest->pid; 503 485 struct sk_buff *skb; 486 + struct net *net = get_net_ns_by_pid(dest->pid); 487 + struct audit_net *aunet = net_generic(net, audit_net_id); 504 488 505 489 /* wait for parent to finish and send an ACK */ 506 490 mutex_lock(&audit_cmd_mutex); 507 491 mutex_unlock(&audit_cmd_mutex); 508 492 509 493 while ((skb = __skb_dequeue(&dest->q)) != NULL) 510 - netlink_unicast(audit_sock, skb, pid, 0); 494 + netlink_unicast(aunet->nlsk, skb, dest->portid, 0); 511 495 512 496 kfree(dest); 513 497 514 498 return 0; 515 499 } 516 500 517 - struct sk_buff *audit_make_reply(int pid, int seq, int type, int done, 501 + struct sk_buff *audit_make_reply(__u32 portid, int seq, int type, int done, 518 502 int multi, const void *payload, int size) 519 503 { 520 504 struct sk_buff *skb; ··· 528 510 if (!skb) 529 511 return NULL; 530 512 531 - nlh = nlmsg_put(skb, pid, seq, t, size, flags); 513 + nlh = nlmsg_put(skb, portid, seq, t, size, flags); 532 514 if (!nlh) 533 515 goto out_kfree_skb; 534 516 data = nlmsg_data(nlh); ··· 543 525 static int audit_send_reply_thread(void *arg) 544 526 { 545 527 struct audit_reply *reply = (struct audit_reply *)arg; 528 + struct net *net = get_net_ns_by_pid(reply->pid); 529 + struct audit_net *aunet = net_generic(net, audit_net_id); 546 530 547 531 mutex_lock(&audit_cmd_mutex); 548 532 mutex_unlock(&audit_cmd_mutex); 549 533 550 534 /* Ignore failure. It'll only happen if the sender goes away, 551 535 because our timeout is set to infinite. */ 552 - netlink_unicast(audit_sock, reply->skb, reply->pid, 0); 536 + netlink_unicast(aunet->nlsk , reply->skb, reply->portid, 0); 553 537 kfree(reply); 554 538 return 0; 555 539 } 556 540 /** 557 541 * audit_send_reply - send an audit reply message via netlink 558 - * @pid: process id to send reply to 542 + * @portid: netlink port to which to send reply 559 543 * @seq: sequence number 560 544 * @type: audit message type 561 545 * @done: done (last) flag ··· 565 545 * @payload: payload data 566 546 * @size: payload size 567 547 * 568 - * Allocates an skb, builds the netlink message, and sends it to the pid. 548 + * Allocates an skb, builds the netlink message, and sends it to the port id. 569 549 * No failure notifications. 570 550 */ 571 - static void audit_send_reply(int pid, int seq, int type, int done, int multi, 572 - const void *payload, int size) 551 + static void audit_send_reply(__u32 portid, int seq, int type, int done, 552 + int multi, const void *payload, int size) 573 553 { 574 554 struct sk_buff *skb; 575 555 struct task_struct *tsk; ··· 579 559 if (!reply) 580 560 return; 581 561 582 - skb = audit_make_reply(pid, seq, type, done, multi, payload, size); 562 + skb = audit_make_reply(portid, seq, type, done, multi, payload, size); 583 563 if (!skb) 584 564 goto out; 585 565 586 - reply->pid = pid; 566 + reply->portid = portid; 567 + reply->pid = task_pid_vnr(current); 587 568 reply->skb = skb; 588 569 589 570 tsk = kthread_run(audit_send_reply_thread, reply, "audit_send_reply"); ··· 684 663 { 685 664 struct audit_buffer *ab; 686 665 666 + if (audit_enabled == AUDIT_OFF) 667 + return; 668 + 687 669 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_FEATURE_CHANGE); 688 - audit_log_format(ab, "feature=%s new=%d old=%d old_lock=%d new_lock=%d res=%d", 670 + audit_log_task_info(ab, current); 671 + audit_log_format(ab, "feature=%s old=%u new=%u old_lock=%u new_lock=%u res=%d", 689 672 audit_feature_names[which], !!old_feature, !!new_feature, 690 673 !!old_lock, !!new_lock, res); 691 674 audit_log_end(ab); ··· 719 694 old_lock = af.lock & feature; 720 695 721 696 /* are we changing a locked feature? */ 722 - if ((af.lock & feature) && (new_feature != old_feature)) { 697 + if (old_lock && (new_feature != old_feature)) { 723 698 audit_log_feature_change(i, old_feature, new_feature, 724 699 old_lock, new_lock, 0); 725 700 return -EPERM; ··· 757 732 { 758 733 u32 seq; 759 734 void *data; 760 - struct audit_status *status_get, status_set; 761 735 int err; 762 736 struct audit_buffer *ab; 763 737 u16 msg_type = nlh->nlmsg_type; ··· 782 758 data = nlmsg_data(nlh); 783 759 784 760 switch (msg_type) { 785 - case AUDIT_GET: 786 - memset(&status_set, 0, sizeof(status_set)); 787 - status_set.enabled = audit_enabled; 788 - status_set.failure = audit_failure; 789 - status_set.pid = audit_pid; 790 - status_set.rate_limit = audit_rate_limit; 791 - status_set.backlog_limit = audit_backlog_limit; 792 - status_set.lost = atomic_read(&audit_lost); 793 - status_set.backlog = skb_queue_len(&audit_skb_queue); 761 + case AUDIT_GET: { 762 + struct audit_status s; 763 + memset(&s, 0, sizeof(s)); 764 + s.enabled = audit_enabled; 765 + s.failure = audit_failure; 766 + s.pid = audit_pid; 767 + s.rate_limit = audit_rate_limit; 768 + s.backlog_limit = audit_backlog_limit; 769 + s.lost = atomic_read(&audit_lost); 770 + s.backlog = skb_queue_len(&audit_skb_queue); 771 + s.version = AUDIT_VERSION_LATEST; 772 + s.backlog_wait_time = audit_backlog_wait_time; 794 773 audit_send_reply(NETLINK_CB(skb).portid, seq, AUDIT_GET, 0, 0, 795 - &status_set, sizeof(status_set)); 774 + &s, sizeof(s)); 796 775 break; 797 - case AUDIT_SET: 798 - if (nlmsg_len(nlh) < sizeof(struct audit_status)) 799 - return -EINVAL; 800 - status_get = (struct audit_status *)data; 801 - if (status_get->mask & AUDIT_STATUS_ENABLED) { 802 - err = audit_set_enabled(status_get->enabled); 776 + } 777 + case AUDIT_SET: { 778 + struct audit_status s; 779 + memset(&s, 0, sizeof(s)); 780 + /* guard against past and future API changes */ 781 + memcpy(&s, data, min_t(size_t, sizeof(s), nlmsg_len(nlh))); 782 + if (s.mask & AUDIT_STATUS_ENABLED) { 783 + err = audit_set_enabled(s.enabled); 803 784 if (err < 0) 804 785 return err; 805 786 } 806 - if (status_get->mask & AUDIT_STATUS_FAILURE) { 807 - err = audit_set_failure(status_get->failure); 787 + if (s.mask & AUDIT_STATUS_FAILURE) { 788 + err = audit_set_failure(s.failure); 808 789 if (err < 0) 809 790 return err; 810 791 } 811 - if (status_get->mask & AUDIT_STATUS_PID) { 812 - int new_pid = status_get->pid; 792 + if (s.mask & AUDIT_STATUS_PID) { 793 + int new_pid = s.pid; 813 794 795 + if ((!new_pid) && (task_tgid_vnr(current) != audit_pid)) 796 + return -EACCES; 814 797 if (audit_enabled != AUDIT_OFF) 815 798 audit_log_config_change("audit_pid", new_pid, audit_pid, 1); 816 799 audit_pid = new_pid; 817 800 audit_nlk_portid = NETLINK_CB(skb).portid; 801 + audit_sock = skb->sk; 818 802 } 819 - if (status_get->mask & AUDIT_STATUS_RATE_LIMIT) { 820 - err = audit_set_rate_limit(status_get->rate_limit); 803 + if (s.mask & AUDIT_STATUS_RATE_LIMIT) { 804 + err = audit_set_rate_limit(s.rate_limit); 821 805 if (err < 0) 822 806 return err; 823 807 } 824 - if (status_get->mask & AUDIT_STATUS_BACKLOG_LIMIT) 825 - err = audit_set_backlog_limit(status_get->backlog_limit); 808 + if (s.mask & AUDIT_STATUS_BACKLOG_LIMIT) { 809 + err = audit_set_backlog_limit(s.backlog_limit); 810 + if (err < 0) 811 + return err; 812 + } 813 + if (s.mask & AUDIT_STATUS_BACKLOG_WAIT_TIME) { 814 + if (sizeof(s) > (size_t)nlh->nlmsg_len) 815 + return -EINVAL; 816 + if (s.backlog_wait_time < 0 || 817 + s.backlog_wait_time > 10*AUDIT_BACKLOG_WAIT_TIME) 818 + return -EINVAL; 819 + err = audit_set_backlog_wait_time(s.backlog_wait_time); 820 + if (err < 0) 821 + return err; 822 + } 826 823 break; 824 + } 827 825 case AUDIT_GET_FEATURE: 828 826 err = audit_get_feature(skb); 829 827 if (err) ··· 863 817 return 0; 864 818 865 819 err = audit_filter_user(msg_type); 866 - if (err == 1) { 820 + if (err == 1) { /* match or error */ 867 821 err = 0; 868 822 if (msg_type == AUDIT_USER_TTY) { 869 823 err = tty_audit_push_current(); 870 824 if (err) 871 825 break; 872 826 } 827 + mutex_unlock(&audit_cmd_mutex); 873 828 audit_log_common_recv_msg(&ab, msg_type); 874 829 if (msg_type != AUDIT_USER_TTY) 875 830 audit_log_format(ab, " msg='%.*s'", ··· 886 839 size--; 887 840 audit_log_n_untrustedstring(ab, data, size); 888 841 } 889 - audit_set_pid(ab, NETLINK_CB(skb).portid); 842 + audit_set_portid(ab, NETLINK_CB(skb).portid); 890 843 audit_log_end(ab); 844 + mutex_lock(&audit_cmd_mutex); 891 845 } 892 846 break; 893 847 case AUDIT_ADD_RULE: ··· 901 853 audit_log_end(ab); 902 854 return -EPERM; 903 855 } 904 - /* fallthrough */ 905 - case AUDIT_LIST_RULES: 906 - err = audit_receive_filter(msg_type, NETLINK_CB(skb).portid, 856 + err = audit_rule_change(msg_type, NETLINK_CB(skb).portid, 907 857 seq, data, nlmsg_len(nlh)); 858 + break; 859 + case AUDIT_LIST_RULES: 860 + err = audit_list_rules_send(NETLINK_CB(skb).portid, seq); 908 861 break; 909 862 case AUDIT_TRIM: 910 863 audit_trim_trees(); ··· 988 939 break; 989 940 } 990 941 case AUDIT_TTY_SET: { 991 - struct audit_tty_status s; 942 + struct audit_tty_status s, old; 992 943 struct task_struct *tsk = current; 944 + struct audit_buffer *ab; 993 945 994 946 memset(&s, 0, sizeof(s)); 995 947 /* guard against past and future API changes */ 996 948 memcpy(&s, data, min_t(size_t, sizeof(s), nlmsg_len(nlh))); 949 + /* check if new data is valid */ 997 950 if ((s.enabled != 0 && s.enabled != 1) || 998 951 (s.log_passwd != 0 && s.log_passwd != 1)) 999 - return -EINVAL; 952 + err = -EINVAL; 1000 953 1001 954 spin_lock(&tsk->sighand->siglock); 1002 - tsk->signal->audit_tty = s.enabled; 1003 - tsk->signal->audit_tty_log_passwd = s.log_passwd; 955 + old.enabled = tsk->signal->audit_tty; 956 + old.log_passwd = tsk->signal->audit_tty_log_passwd; 957 + if (!err) { 958 + tsk->signal->audit_tty = s.enabled; 959 + tsk->signal->audit_tty_log_passwd = s.log_passwd; 960 + } 1004 961 spin_unlock(&tsk->sighand->siglock); 962 + 963 + audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE); 964 + audit_log_format(ab, " op=tty_set old-enabled=%d new-enabled=%d" 965 + " old-log_passwd=%d new-log_passwd=%d res=%d", 966 + old.enabled, s.enabled, old.log_passwd, 967 + s.log_passwd, !err); 968 + audit_log_end(ab); 1005 969 break; 1006 970 } 1007 971 default: ··· 1060 998 mutex_unlock(&audit_cmd_mutex); 1061 999 } 1062 1000 1063 - /* Initialize audit support at boot time. */ 1064 - static int __init audit_init(void) 1001 + static int __net_init audit_net_init(struct net *net) 1065 1002 { 1066 - int i; 1067 1003 struct netlink_kernel_cfg cfg = { 1068 1004 .input = audit_receive, 1069 1005 }; 1070 1006 1007 + struct audit_net *aunet = net_generic(net, audit_net_id); 1008 + 1009 + aunet->nlsk = netlink_kernel_create(net, NETLINK_AUDIT, &cfg); 1010 + if (aunet->nlsk == NULL) { 1011 + audit_panic("cannot initialize netlink socket in namespace"); 1012 + return -ENOMEM; 1013 + } 1014 + aunet->nlsk->sk_sndtimeo = MAX_SCHEDULE_TIMEOUT; 1015 + return 0; 1016 + } 1017 + 1018 + static void __net_exit audit_net_exit(struct net *net) 1019 + { 1020 + struct audit_net *aunet = net_generic(net, audit_net_id); 1021 + struct sock *sock = aunet->nlsk; 1022 + if (sock == audit_sock) { 1023 + audit_pid = 0; 1024 + audit_sock = NULL; 1025 + } 1026 + 1027 + rcu_assign_pointer(aunet->nlsk, NULL); 1028 + synchronize_net(); 1029 + netlink_kernel_release(sock); 1030 + } 1031 + 1032 + static struct pernet_operations audit_net_ops __net_initdata = { 1033 + .init = audit_net_init, 1034 + .exit = audit_net_exit, 1035 + .id = &audit_net_id, 1036 + .size = sizeof(struct audit_net), 1037 + }; 1038 + 1039 + /* Initialize audit support at boot time. */ 1040 + static int __init audit_init(void) 1041 + { 1042 + int i; 1043 + 1071 1044 if (audit_initialized == AUDIT_DISABLED) 1072 1045 return 0; 1073 1046 1074 - printk(KERN_INFO "audit: initializing netlink socket (%s)\n", 1075 - audit_default ? "enabled" : "disabled"); 1076 - audit_sock = netlink_kernel_create(&init_net, NETLINK_AUDIT, &cfg); 1077 - if (!audit_sock) 1078 - audit_panic("cannot initialize netlink socket"); 1079 - else 1080 - audit_sock->sk_sndtimeo = MAX_SCHEDULE_TIMEOUT; 1047 + pr_info("initializing netlink subsys (%s)\n", 1048 + audit_default ? "enabled" : "disabled"); 1049 + register_pernet_subsys(&audit_net_ops); 1081 1050 1082 1051 skb_queue_head_init(&audit_skb_queue); 1083 1052 skb_queue_head_init(&audit_skb_hold_queue); ··· 1132 1039 if (!audit_default) 1133 1040 audit_initialized = AUDIT_DISABLED; 1134 1041 1135 - printk(KERN_INFO "audit: %s", audit_default ? "enabled" : "disabled"); 1136 - 1137 - if (audit_initialized == AUDIT_INITIALIZED) { 1138 - audit_enabled = audit_default; 1139 - audit_ever_enabled |= !!audit_default; 1140 - } else if (audit_initialized == AUDIT_UNINITIALIZED) { 1141 - printk(" (after initialization)"); 1142 - } else { 1143 - printk(" (until reboot)"); 1144 - } 1145 - printk("\n"); 1042 + pr_info("%s\n", audit_default ? 1043 + "enabled (after initialization)" : "disabled (until reboot)"); 1146 1044 1147 1045 return 1; 1148 1046 } 1149 - 1150 1047 __setup("audit=", audit_enable); 1048 + 1049 + /* Process kernel command-line parameter at boot time. 1050 + * audit_backlog_limit=<n> */ 1051 + static int __init audit_backlog_limit_set(char *str) 1052 + { 1053 + u32 audit_backlog_limit_arg; 1054 + 1055 + pr_info("audit_backlog_limit: "); 1056 + if (kstrtouint(str, 0, &audit_backlog_limit_arg)) { 1057 + pr_cont("using default of %u, unable to parse %s\n", 1058 + audit_backlog_limit, str); 1059 + return 1; 1060 + } 1061 + 1062 + audit_backlog_limit = audit_backlog_limit_arg; 1063 + pr_cont("%d\n", audit_backlog_limit); 1064 + 1065 + return 1; 1066 + } 1067 + __setup("audit_backlog_limit=", audit_backlog_limit_set); 1151 1068 1152 1069 static void audit_buffer_free(struct audit_buffer *ab) 1153 1070 { ··· 1268 1165 /* 1269 1166 * Wait for auditd to drain the queue a little 1270 1167 */ 1271 - static void wait_for_auditd(unsigned long sleep_time) 1168 + static long wait_for_auditd(long sleep_time) 1272 1169 { 1273 1170 DECLARE_WAITQUEUE(wait, current); 1274 1171 set_current_state(TASK_UNINTERRUPTIBLE); 1275 - add_wait_queue(&audit_backlog_wait, &wait); 1172 + add_wait_queue_exclusive(&audit_backlog_wait, &wait); 1276 1173 1277 1174 if (audit_backlog_limit && 1278 1175 skb_queue_len(&audit_skb_queue) > audit_backlog_limit) 1279 - schedule_timeout(sleep_time); 1176 + sleep_time = schedule_timeout(sleep_time); 1280 1177 1281 1178 __set_current_state(TASK_RUNNING); 1282 1179 remove_wait_queue(&audit_backlog_wait, &wait); 1180 + 1181 + return sleep_time; 1283 1182 } 1284 1183 1285 1184 /** ··· 1305 1200 struct audit_buffer *ab = NULL; 1306 1201 struct timespec t; 1307 1202 unsigned int uninitialized_var(serial); 1308 - int reserve; 1203 + int reserve = 5; /* Allow atomic callers to go up to five 1204 + entries over the normal backlog limit */ 1309 1205 unsigned long timeout_start = jiffies; 1310 1206 1311 1207 if (audit_initialized != AUDIT_INITIALIZED) ··· 1315 1209 if (unlikely(audit_filter_type(type))) 1316 1210 return NULL; 1317 1211 1318 - if (gfp_mask & __GFP_WAIT) 1319 - reserve = 0; 1320 - else 1321 - reserve = 5; /* Allow atomic callers to go up to five 1322 - entries over the normal backlog limit */ 1212 + if (gfp_mask & __GFP_WAIT) { 1213 + if (audit_pid && audit_pid == current->pid) 1214 + gfp_mask &= ~__GFP_WAIT; 1215 + else 1216 + reserve = 0; 1217 + } 1323 1218 1324 1219 while (audit_backlog_limit 1325 1220 && skb_queue_len(&audit_skb_queue) > audit_backlog_limit + reserve) { 1326 1221 if (gfp_mask & __GFP_WAIT && audit_backlog_wait_time) { 1327 - unsigned long sleep_time; 1222 + long sleep_time; 1328 1223 1329 - sleep_time = timeout_start + audit_backlog_wait_time - 1330 - jiffies; 1331 - if ((long)sleep_time > 0) { 1332 - wait_for_auditd(sleep_time); 1333 - continue; 1224 + sleep_time = timeout_start + audit_backlog_wait_time - jiffies; 1225 + if (sleep_time > 0) { 1226 + sleep_time = wait_for_auditd(sleep_time); 1227 + if (sleep_time > 0) 1228 + continue; 1334 1229 } 1335 1230 } 1336 1231 if (audit_rate_check() && printk_ratelimit()) 1337 - printk(KERN_WARNING 1338 - "audit: audit_backlog=%d > " 1339 - "audit_backlog_limit=%d\n", 1340 - skb_queue_len(&audit_skb_queue), 1341 - audit_backlog_limit); 1232 + pr_warn("audit_backlog=%d > audit_backlog_limit=%d\n", 1233 + skb_queue_len(&audit_skb_queue), 1234 + audit_backlog_limit); 1342 1235 audit_log_lost("backlog limit exceeded"); 1343 1236 audit_backlog_wait_time = audit_backlog_wait_overflow; 1344 1237 wake_up(&audit_backlog_wait); 1345 1238 return NULL; 1346 1239 } 1240 + 1241 + audit_backlog_wait_time = AUDIT_BACKLOG_WAIT_TIME; 1347 1242 1348 1243 ab = audit_buffer_alloc(ctx, gfp_mask, type); 1349 1244 if (!ab) { ··· 1463 1356 int i, avail, new_len; 1464 1357 unsigned char *ptr; 1465 1358 struct sk_buff *skb; 1466 - static const unsigned char *hex = "0123456789ABCDEF"; 1467 1359 1468 1360 if (!ab) 1469 1361 return; ··· 1480 1374 } 1481 1375 1482 1376 ptr = skb_tail_pointer(skb); 1483 - for (i=0; i<len; i++) { 1484 - *ptr++ = hex[(buf[i] & 0xF0)>>4]; /* Upper nibble */ 1485 - *ptr++ = hex[buf[i] & 0x0F]; /* Lower nibble */ 1486 - } 1377 + for (i = 0; i < len; i++) 1378 + ptr = hex_byte_pack_upper(ptr, buf[i]); 1487 1379 *ptr = 0; 1488 1380 skb_put(skb, len << 1); /* new string is twice the old string */ 1489 1381 } ··· 1595 1491 1596 1492 void audit_log_session_info(struct audit_buffer *ab) 1597 1493 { 1598 - u32 sessionid = audit_get_sessionid(current); 1494 + unsigned int sessionid = audit_get_sessionid(current); 1599 1495 uid_t auid = from_kuid(&init_user_ns, audit_get_loginuid(current)); 1600 1496 1601 1497 audit_log_format(ab, " auid=%u ses=%u", auid, sessionid); ··· 1820 1716 audit_log_format(ab, 1821 1717 " ppid=%ld pid=%d auid=%u uid=%u gid=%u" 1822 1718 " euid=%u suid=%u fsuid=%u" 1823 - " egid=%u sgid=%u fsgid=%u ses=%u tty=%s", 1719 + " egid=%u sgid=%u fsgid=%u tty=%s ses=%u", 1824 1720 sys_getppid(), 1825 1721 tsk->pid, 1826 1722 from_kuid(&init_user_ns, audit_get_loginuid(tsk)), ··· 1832 1728 from_kgid(&init_user_ns, cred->egid), 1833 1729 from_kgid(&init_user_ns, cred->sgid), 1834 1730 from_kgid(&init_user_ns, cred->fsgid), 1835 - audit_get_sessionid(tsk), tty); 1731 + tty, audit_get_sessionid(tsk)); 1836 1732 1837 1733 get_task_comm(name, tsk); 1838 1734 audit_log_format(ab, " comm="); ··· 1843 1739 if (mm->exe_file) 1844 1740 audit_log_d_path(ab, " exe=", &mm->exe_file->f_path); 1845 1741 up_read(&mm->mmap_sem); 1846 - } 1742 + } else 1743 + audit_log_format(ab, " exe=(null)"); 1847 1744 audit_log_task_context(ab); 1848 1745 } 1849 1746 EXPORT_SYMBOL(audit_log_task_info);

+10 -5

kernel/audit.h

··· 209 209 #endif 210 210 }; 211 211 212 - extern int audit_ever_enabled; 212 + extern u32 audit_ever_enabled; 213 213 214 214 extern void audit_copy_inode(struct audit_names *name, 215 215 const struct dentry *dentry, ··· 240 240 extern int audit_gid_comparator(kgid_t left, u32 op, kgid_t right); 241 241 extern int parent_len(const char *path); 242 242 extern int audit_compare_dname_path(const char *dname, const char *path, int plen); 243 - extern struct sk_buff * audit_make_reply(int pid, int seq, int type, 244 - int done, int multi, 245 - const void *payload, int size); 243 + extern struct sk_buff *audit_make_reply(__u32 portid, int seq, int type, 244 + int done, int multi, 245 + const void *payload, int size); 246 246 extern void audit_panic(const char *message); 247 247 248 248 struct audit_netlink_list { 249 - int pid; 249 + __u32 portid; 250 + pid_t pid; 250 251 struct sk_buff_head q; 251 252 }; 252 253 253 254 int audit_send_list(void *); 255 + 256 + struct audit_net { 257 + struct sock *nlsk; 258 + }; 254 259 255 260 extern int selinux_audit_rule_update(void); 256 261

+55 -38

kernel/auditfilter.c

··· 972 972 } 973 973 974 974 /* List rules using struct audit_rule_data. */ 975 - static void audit_list_rules(int pid, int seq, struct sk_buff_head *q) 975 + static void audit_list_rules(__u32 portid, int seq, struct sk_buff_head *q) 976 976 { 977 977 struct sk_buff *skb; 978 978 struct audit_krule *r; ··· 987 987 data = audit_krule_to_data(r); 988 988 if (unlikely(!data)) 989 989 break; 990 - skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 0, 1, 991 - data, sizeof(*data) + data->buflen); 990 + skb = audit_make_reply(portid, seq, AUDIT_LIST_RULES, 991 + 0, 1, data, 992 + sizeof(*data) + data->buflen); 992 993 if (skb) 993 994 skb_queue_tail(q, skb); 994 995 kfree(data); 995 996 } 996 997 } 997 - skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 1, 1, NULL, 0); 998 + skb = audit_make_reply(portid, seq, AUDIT_LIST_RULES, 1, 1, NULL, 0); 998 999 if (skb) 999 1000 skb_queue_tail(q, skb); 1000 1001 } ··· 1005 1004 { 1006 1005 struct audit_buffer *ab; 1007 1006 uid_t loginuid = from_kuid(&init_user_ns, audit_get_loginuid(current)); 1008 - u32 sessionid = audit_get_sessionid(current); 1007 + unsigned int sessionid = audit_get_sessionid(current); 1009 1008 1010 1009 if (!audit_enabled) 1011 1010 return; ··· 1023 1022 } 1024 1023 1025 1024 /** 1026 - * audit_receive_filter - apply all rules to the specified message type 1025 + * audit_rule_change - apply all rules to the specified message type 1027 1026 * @type: audit message type 1028 - * @pid: target pid for netlink audit messages 1027 + * @portid: target port id for netlink audit messages 1029 1028 * @seq: netlink audit message sequence (serial) number 1030 1029 * @data: payload data 1031 1030 * @datasz: size of payload data 1032 1031 */ 1033 - int audit_receive_filter(int type, int pid, int seq, void *data, size_t datasz) 1032 + int audit_rule_change(int type, __u32 portid, int seq, void *data, 1033 + size_t datasz) 1034 1034 { 1035 - struct task_struct *tsk; 1036 - struct audit_netlink_list *dest; 1037 1035 int err = 0; 1038 1036 struct audit_entry *entry; 1039 1037 1040 1038 switch (type) { 1041 - case AUDIT_LIST_RULES: 1042 - /* We can't just spew out the rules here because we might fill 1043 - * the available socket buffer space and deadlock waiting for 1044 - * auditctl to read from it... which isn't ever going to 1045 - * happen if we're actually running in the context of auditctl 1046 - * trying to _send_ the stuff */ 1047 - 1048 - dest = kmalloc(sizeof(struct audit_netlink_list), GFP_KERNEL); 1049 - if (!dest) 1050 - return -ENOMEM; 1051 - dest->pid = pid; 1052 - skb_queue_head_init(&dest->q); 1053 - 1054 - mutex_lock(&audit_filter_mutex); 1055 - audit_list_rules(pid, seq, &dest->q); 1056 - mutex_unlock(&audit_filter_mutex); 1057 - 1058 - tsk = kthread_run(audit_send_list, dest, "audit_send_list"); 1059 - if (IS_ERR(tsk)) { 1060 - skb_queue_purge(&dest->q); 1061 - kfree(dest); 1062 - err = PTR_ERR(tsk); 1063 - } 1064 - break; 1065 1039 case AUDIT_ADD_RULE: 1066 1040 entry = audit_data_to_entry(data, datasz); 1067 1041 if (IS_ERR(entry)) ··· 1058 1082 break; 1059 1083 default: 1060 1084 return -EINVAL; 1085 + } 1086 + 1087 + return err; 1088 + } 1089 + 1090 + /** 1091 + * audit_list_rules_send - list the audit rules 1092 + * @portid: target portid for netlink audit messages 1093 + * @seq: netlink audit message sequence (serial) number 1094 + */ 1095 + int audit_list_rules_send(__u32 portid, int seq) 1096 + { 1097 + struct task_struct *tsk; 1098 + struct audit_netlink_list *dest; 1099 + int err = 0; 1100 + 1101 + /* We can't just spew out the rules here because we might fill 1102 + * the available socket buffer space and deadlock waiting for 1103 + * auditctl to read from it... which isn't ever going to 1104 + * happen if we're actually running in the context of auditctl 1105 + * trying to _send_ the stuff */ 1106 + 1107 + dest = kmalloc(sizeof(struct audit_netlink_list), GFP_KERNEL); 1108 + if (!dest) 1109 + return -ENOMEM; 1110 + dest->portid = portid; 1111 + dest->pid = task_pid_vnr(current); 1112 + skb_queue_head_init(&dest->q); 1113 + 1114 + mutex_lock(&audit_filter_mutex); 1115 + audit_list_rules(portid, seq, &dest->q); 1116 + mutex_unlock(&audit_filter_mutex); 1117 + 1118 + tsk = kthread_run(audit_send_list, dest, "audit_send_list"); 1119 + if (IS_ERR(tsk)) { 1120 + skb_queue_purge(&dest->q); 1121 + kfree(dest); 1122 + err = PTR_ERR(tsk); 1061 1123 } 1062 1124 1063 1125 return err; ··· 1290 1276 { 1291 1277 enum audit_state state = AUDIT_DISABLED; 1292 1278 struct audit_entry *e; 1293 - int ret = 1; 1279 + int rc, ret; 1280 + 1281 + ret = 1; /* Audit by default */ 1294 1282 1295 1283 rcu_read_lock(); 1296 1284 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) { 1297 - if (audit_filter_user_rules(&e->rule, type, &state)) { 1298 - if (state == AUDIT_DISABLED) 1285 + rc = audit_filter_user_rules(&e->rule, type, &state); 1286 + if (rc) { 1287 + if (rc > 0 && state == AUDIT_DISABLED) 1299 1288 ret = 0; 1300 1289 break; 1301 1290 } 1302 1291 } 1303 1292 rcu_read_unlock(); 1304 1293 1305 - return ret; /* Audit by default */ 1294 + return ret; 1306 1295 } 1307 1296 1308 1297 int audit_filter_type(int type)

+25 -19

kernel/auditsc.c

··· 1969 1969 int rc) 1970 1970 { 1971 1971 struct audit_buffer *ab; 1972 - uid_t uid, ologinuid, nloginuid; 1972 + uid_t uid, oldloginuid, loginuid; 1973 + 1974 + if (!audit_enabled) 1975 + return; 1973 1976 1974 1977 uid = from_kuid(&init_user_ns, task_uid(current)); 1975 - ologinuid = from_kuid(&init_user_ns, koldloginuid); 1976 - nloginuid = from_kuid(&init_user_ns, kloginuid), 1978 + oldloginuid = from_kuid(&init_user_ns, koldloginuid); 1979 + loginuid = from_kuid(&init_user_ns, kloginuid), 1977 1980 1978 1981 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN); 1979 1982 if (!ab) 1980 1983 return; 1981 - audit_log_format(ab, "pid=%d uid=%u old auid=%u new auid=%u old " 1982 - "ses=%u new ses=%u res=%d", current->pid, uid, ologinuid, 1983 - nloginuid, oldsessionid, sessionid, !rc); 1984 + audit_log_format(ab, "pid=%d uid=%u" 1985 + " old-auid=%u new-auid=%u old-ses=%u new-ses=%u" 1986 + " res=%d", 1987 + current->pid, uid, 1988 + oldloginuid, loginuid, oldsessionid, sessionid, 1989 + !rc); 1984 1990 audit_log_end(ab); 1985 1991 } 1986 1992 ··· 2014 2008 2015 2009 /* are we setting or clearing? */ 2016 2010 if (uid_valid(loginuid)) 2017 - sessionid = atomic_inc_return(&session_id); 2011 + sessionid = (unsigned int)atomic_inc_return(&session_id); 2018 2012 2019 2013 task->sessionid = sessionid; 2020 2014 task->loginuid = loginuid; ··· 2327 2321 2328 2322 /** 2329 2323 * __audit_log_capset - store information about the arguments to the capset syscall 2330 - * @pid: target pid of the capset call 2331 2324 * @new: the new credentials 2332 2325 * @old: the old (current) credentials 2333 2326 * 2334 2327 * Record the aguments userspace sent to sys_capset for later printing by the 2335 2328 * audit system if applicable 2336 2329 */ 2337 - void __audit_log_capset(pid_t pid, 2338 - const struct cred *new, const struct cred *old) 2330 + void __audit_log_capset(const struct cred *new, const struct cred *old) 2339 2331 { 2340 2332 struct audit_context *context = current->audit_context; 2341 - context->capset.pid = pid; 2333 + context->capset.pid = task_pid_nr(current); 2342 2334 context->capset.cap.effective = new->cap_effective; 2343 2335 context->capset.cap.inheritable = new->cap_effective; 2344 2336 context->capset.cap.permitted = new->cap_permitted; ··· 2356 2352 kuid_t auid, uid; 2357 2353 kgid_t gid; 2358 2354 unsigned int sessionid; 2355 + struct mm_struct *mm = current->mm; 2359 2356 2360 2357 auid = audit_get_loginuid(current); 2361 2358 sessionid = audit_get_sessionid(current); ··· 2370 2365 audit_log_task_context(ab); 2371 2366 audit_log_format(ab, " pid=%d comm=", current->pid); 2372 2367 audit_log_untrustedstring(ab, current->comm); 2368 + if (mm) { 2369 + down_read(&mm->mmap_sem); 2370 + if (mm->exe_file) 2371 + audit_log_d_path(ab, " exe=", &mm->exe_file->f_path); 2372 + up_read(&mm->mmap_sem); 2373 + } else 2374 + audit_log_format(ab, " exe=(null)"); 2373 2375 } 2374 2376 2375 - static void audit_log_abend(struct audit_buffer *ab, char *reason, long signr) 2376 - { 2377 - audit_log_task(ab); 2378 - audit_log_format(ab, " reason="); 2379 - audit_log_string(ab, reason); 2380 - audit_log_format(ab, " sig=%ld", signr); 2381 - } 2382 2377 /** 2383 2378 * audit_core_dumps - record information about processes that end abnormally 2384 2379 * @signr: signal value ··· 2399 2394 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND); 2400 2395 if (unlikely(!ab)) 2401 2396 return; 2402 - audit_log_abend(ab, "memory violation", signr); 2397 + audit_log_task(ab); 2398 + audit_log_format(ab, " sig=%ld", signr); 2403 2399 audit_log_end(ab); 2404 2400 } 2405 2401

+1 -1

kernel/capability.c

··· 277 277 if (ret < 0) 278 278 goto error; 279 279 280 - audit_log_capset(pid, new, current_cred()); 280 + audit_log_capset(new, current_cred()); 281 281 282 282 return commit_creds(new); 283 283

+4 -4

net/xfrm/xfrm_policy.c

··· 2906 2906 flush_work(&net->xfrm.policy_hash_work); 2907 2907 #ifdef CONFIG_XFRM_SUB_POLICY 2908 2908 audit_info.loginuid = INVALID_UID; 2909 - audit_info.sessionid = -1; 2909 + audit_info.sessionid = (unsigned int)-1; 2910 2910 audit_info.secid = 0; 2911 2911 xfrm_policy_flush(net, XFRM_POLICY_TYPE_SUB, &audit_info); 2912 2912 #endif 2913 2913 audit_info.loginuid = INVALID_UID; 2914 - audit_info.sessionid = -1; 2914 + audit_info.sessionid = (unsigned int)-1; 2915 2915 audit_info.secid = 0; 2916 2916 xfrm_policy_flush(net, XFRM_POLICY_TYPE_MAIN, &audit_info); 2917 2917 ··· 3017 3017 } 3018 3018 3019 3019 void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, 3020 - kuid_t auid, u32 sessionid, u32 secid) 3020 + kuid_t auid, unsigned int sessionid, u32 secid) 3021 3021 { 3022 3022 struct audit_buffer *audit_buf; 3023 3023 ··· 3032 3032 EXPORT_SYMBOL_GPL(xfrm_audit_policy_add); 3033 3033 3034 3034 void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result, 3035 - kuid_t auid, u32 sessionid, u32 secid) 3035 + kuid_t auid, unsigned int sessionid, u32 secid) 3036 3036 { 3037 3037 struct audit_buffer *audit_buf; 3038 3038

+3 -3

net/xfrm/xfrm_state.c

··· 2043 2043 2044 2044 flush_work(&net->xfrm.state_hash_work); 2045 2045 audit_info.loginuid = INVALID_UID; 2046 - audit_info.sessionid = -1; 2046 + audit_info.sessionid = (unsigned int)-1; 2047 2047 audit_info.secid = 0; 2048 2048 xfrm_state_flush(net, IPSEC_PROTO_ANY, &audit_info); 2049 2049 flush_work(&net->xfrm.state_gc_work); ··· 2109 2109 } 2110 2110 2111 2111 void xfrm_audit_state_add(struct xfrm_state *x, int result, 2112 - kuid_t auid, u32 sessionid, u32 secid) 2112 + kuid_t auid, unsigned int sessionid, u32 secid) 2113 2113 { 2114 2114 struct audit_buffer *audit_buf; 2115 2115 ··· 2124 2124 EXPORT_SYMBOL_GPL(xfrm_audit_state_add); 2125 2125 2126 2126 void xfrm_audit_state_delete(struct xfrm_state *x, int result, 2127 - kuid_t auid, u32 sessionid, u32 secid) 2127 + kuid_t auid, unsigned int sessionid, u32 secid) 2128 2128 { 2129 2129 struct audit_buffer *audit_buf; 2130 2130

+6 -6

net/xfrm/xfrm_user.c

··· 600 600 int err; 601 601 struct km_event c; 602 602 kuid_t loginuid = audit_get_loginuid(current); 603 - u32 sessionid = audit_get_sessionid(current); 603 + unsigned int sessionid = audit_get_sessionid(current); 604 604 u32 sid; 605 605 606 606 err = verify_newsa_info(p, attrs); ··· 679 679 struct km_event c; 680 680 struct xfrm_usersa_id *p = nlmsg_data(nlh); 681 681 kuid_t loginuid = audit_get_loginuid(current); 682 - u32 sessionid = audit_get_sessionid(current); 682 + unsigned int sessionid = audit_get_sessionid(current); 683 683 u32 sid; 684 684 685 685 x = xfrm_user_state_lookup(net, p, attrs, &err); ··· 1405 1405 int err; 1406 1406 int excl; 1407 1407 kuid_t loginuid = audit_get_loginuid(current); 1408 - u32 sessionid = audit_get_sessionid(current); 1408 + unsigned int sessionid = audit_get_sessionid(current); 1409 1409 u32 sid; 1410 1410 1411 1411 err = verify_newpolicy_info(p); ··· 1663 1663 } 1664 1664 } else { 1665 1665 kuid_t loginuid = audit_get_loginuid(current); 1666 - u32 sessionid = audit_get_sessionid(current); 1666 + unsigned int sessionid = audit_get_sessionid(current); 1667 1667 u32 sid; 1668 1668 1669 1669 security_task_getsecid(current, &sid); ··· 1959 1959 err = 0; 1960 1960 if (up->hard) { 1961 1961 kuid_t loginuid = audit_get_loginuid(current); 1962 - u32 sessionid = audit_get_sessionid(current); 1962 + unsigned int sessionid = audit_get_sessionid(current); 1963 1963 u32 sid; 1964 1964 1965 1965 security_task_getsecid(current, &sid); ··· 2002 2002 2003 2003 if (ue->hard) { 2004 2004 kuid_t loginuid = audit_get_loginuid(current); 2005 - u32 sessionid = audit_get_sessionid(current); 2005 + unsigned int sessionid = audit_get_sessionid(current); 2006 2006 u32 sid; 2007 2007 2008 2008 security_task_getsecid(current, &sid);

+4 -8

security/selinux/ss/services.c

··· 2948 2948 struct selinux_audit_rule *rule = vrule; 2949 2949 int match = 0; 2950 2950 2951 - if (!rule) { 2952 - audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR, 2953 - "selinux_audit_rule_match: missing rule\n"); 2951 + if (unlikely(!rule)) { 2952 + WARN_ONCE(1, "selinux_audit_rule_match: missing rule\n"); 2954 2953 return -ENOENT; 2955 2954 } 2956 2955 2957 2956 read_lock(&policy_rwlock); 2958 2957 2959 2958 if (rule->au_seqno < latest_granting) { 2960 - audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR, 2961 - "selinux_audit_rule_match: stale rule\n"); 2962 2959 match = -ESTALE; 2963 2960 goto out; 2964 2961 } 2965 2962 2966 2963 ctxt = sidtab_search(&sidtab, sid); 2967 - if (!ctxt) { 2968 - audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR, 2969 - "selinux_audit_rule_match: unrecognized SID %d\n", 2964 + if (unlikely(!ctxt)) { 2965 + WARN_ONCE(1, "selinux_audit_rule_match: unrecognized SID %d\n", 2970 2966 sid); 2971 2967 match = -ENOENT; 2972 2968 goto out;

+2 -3

security/smack/smack_lsm.c

··· 3616 3616 struct smack_known *skp; 3617 3617 char *rule = vrule; 3618 3618 3619 - if (!rule) { 3620 - audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR, 3621 - "Smack: missing rule\n"); 3619 + if (unlikely(!rule)) { 3620 + WARN_ONCE(1, "Smack: missing rule\n"); 3622 3621 return -ENOENT; 3623 3622 } 3624 3623