tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
Merge branch 'audit.b38' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit-current
* 'audit.b38' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit-current:
[PATCH] Abnormal End of Processes
[PATCH] match audit name data
[PATCH] complete message queue auditing
[PATCH] audit inode for all xattr syscalls
[PATCH] initialize name osid
[PATCH] audit signal recipients
[PATCH] add SIGNAL syscall class (v3)
[PATCH] auditing ptrace
+438
-100
+5
arch/ia64/ia32/audit.c
+5
arch/ia64/ia32/audit.c
+17
arch/ia64/kernel/audit.c
+17
arch/ia64/kernel/audit.c
···
23
23
~0U
24
24
};
25
25
26
+
static unsigned signal_class[] = {
27
+
#include <asm-generic/audit_signal.h>
28
+
~0U
29
+
};
30
+
31
+
int audit_classify_arch(int arch)
32
+
{
33
+
#ifdef CONFIG_IA32_SUPPORT
34
+
if (arch == AUDIT_ARCH_I386)
35
+
return 1;
36
+
#endif
37
+
return 0;
38
+
}
39
+
26
40
int audit_classify_syscall(int abi, unsigned syscall)
27
41
{
28
42
#ifdef CONFIG_IA32_SUPPORT
···
63
49
extern __u32 ia32_write_class[];
64
50
extern __u32 ia32_read_class[];
65
51
extern __u32 ia32_chattr_class[];
52
+
extern __u32 ia32_signal_class[];
66
53
audit_register_class(AUDIT_CLASS_WRITE_32, ia32_write_class);
67
54
audit_register_class(AUDIT_CLASS_READ_32, ia32_read_class);
68
55
audit_register_class(AUDIT_CLASS_DIR_WRITE_32, ia32_dir_class);
69
56
audit_register_class(AUDIT_CLASS_CHATTR_32, ia32_chattr_class);
57
+
audit_register_class(AUDIT_CLASS_SIGNAL_32, ia32_signal_class);
70
58
#endif
71
59
audit_register_class(AUDIT_CLASS_WRITE, write_class);
72
60
audit_register_class(AUDIT_CLASS_READ, read_class);
73
61
audit_register_class(AUDIT_CLASS_DIR_WRITE, dir_class);
74
62
audit_register_class(AUDIT_CLASS_CHATTR, chattr_class);
63
+
audit_register_class(AUDIT_CLASS_SIGNAL, signal_class);
75
64
return 0;
76
65
}
77
66
+17
arch/powerpc/kernel/audit.c
+17
arch/powerpc/kernel/audit.c
···
23
23
~0U
24
24
};
25
25
26
+
static unsigned signal_class[] = {
27
+
#include <asm-generic/audit_signal.h>
28
+
~0U
29
+
};
30
+
31
+
int audit_classify_arch(int arch)
32
+
{
33
+
#ifdef CONFIG_PPC64
34
+
if (arch == AUDIT_ARCH_PPC)
35
+
return 1;
36
+
#endif
37
+
return 0;
38
+
}
39
+
26
40
int audit_classify_syscall(int abi, unsigned syscall)
27
41
{
28
42
#ifdef CONFIG_PPC64
···
65
51
extern __u32 ppc32_write_class[];
66
52
extern __u32 ppc32_read_class[];
67
53
extern __u32 ppc32_chattr_class[];
54
+
extern __u32 ppc32_signal_class[];
68
55
audit_register_class(AUDIT_CLASS_WRITE_32, ppc32_write_class);
69
56
audit_register_class(AUDIT_CLASS_READ_32, ppc32_read_class);
70
57
audit_register_class(AUDIT_CLASS_DIR_WRITE_32, ppc32_dir_class);
71
58
audit_register_class(AUDIT_CLASS_CHATTR_32, ppc32_chattr_class);
59
+
audit_register_class(AUDIT_CLASS_SIGNAL_32, ppc32_signal_class);
72
60
#endif
73
61
audit_register_class(AUDIT_CLASS_WRITE, write_class);
74
62
audit_register_class(AUDIT_CLASS_READ, read_class);
75
63
audit_register_class(AUDIT_CLASS_DIR_WRITE, dir_class);
76
64
audit_register_class(AUDIT_CLASS_CHATTR, chattr_class);
65
+
audit_register_class(AUDIT_CLASS_SIGNAL, signal_class);
77
66
return 0;
78
67
}
79
68
+5
arch/powerpc/kernel/compat_audit.c
+5
arch/powerpc/kernel/compat_audit.c
+17
arch/s390/kernel/audit.c
+17
arch/s390/kernel/audit.c
···
23
23
~0U
24
24
};
25
25
26
+
static unsigned signal_class[] = {
27
+
#include <asm-generic/audit_signal.h>
28
+
~0U
29
+
};
30
+
31
+
int audit_classify_arch(int arch)
32
+
{
33
+
#ifdef CONFIG_COMPAT
34
+
if (arch == AUDIT_ARCH_S390)
35
+
return 1;
36
+
#endif
37
+
return 0;
38
+
}
39
+
26
40
int audit_classify_syscall(int abi, unsigned syscall)
27
41
{
28
42
#ifdef CONFIG_COMPAT
···
65
51
extern __u32 s390_write_class[];
66
52
extern __u32 s390_read_class[];
67
53
extern __u32 s390_chattr_class[];
54
+
extern __u32 s390_signal_class[];
68
55
audit_register_class(AUDIT_CLASS_WRITE_32, s390_write_class);
69
56
audit_register_class(AUDIT_CLASS_READ_32, s390_read_class);
70
57
audit_register_class(AUDIT_CLASS_DIR_WRITE_32, s390_dir_class);
71
58
audit_register_class(AUDIT_CLASS_CHATTR_32, s390_chattr_class);
59
+
audit_register_class(AUDIT_CLASS_SIGNAL_32, s390_signal_class);
72
60
#endif
73
61
audit_register_class(AUDIT_CLASS_WRITE, write_class);
74
62
audit_register_class(AUDIT_CLASS_READ, read_class);
75
63
audit_register_class(AUDIT_CLASS_DIR_WRITE, dir_class);
76
64
audit_register_class(AUDIT_CLASS_CHATTR, chattr_class);
65
+
audit_register_class(AUDIT_CLASS_SIGNAL, signal_class);
77
66
return 0;
78
67
}
79
68
+5
arch/s390/kernel/compat_audit.c
+5
arch/s390/kernel/compat_audit.c
+17
arch/sparc64/kernel/audit.c
+17
arch/sparc64/kernel/audit.c
···
23
23
~0U
24
24
};
25
25
26
+
static unsigned signal_class[] = {
27
+
#include <asm-generic/audit_signal.h>
28
+
~0U
29
+
};
30
+
31
+
int audit_classify_arch(int arch)
32
+
{
33
+
#ifdef CONFIG_SPARC32_COMPAT
34
+
if (arch == AUDIT_ARCH_SPARC)
35
+
return 1;
36
+
#endif
37
+
return 0;
38
+
}
39
+
26
40
int audit_classify_syscall(int abi, unsigned syscall)
27
41
{
28
42
#ifdef CONFIG_SPARC32_COMPAT
···
65
51
extern __u32 sparc32_write_class[];
66
52
extern __u32 sparc32_read_class[];
67
53
extern __u32 sparc32_chattr_class[];
54
+
extern __u32 sparc32_signal_class[];
68
55
audit_register_class(AUDIT_CLASS_WRITE_32, sparc32_write_class);
69
56
audit_register_class(AUDIT_CLASS_READ_32, sparc32_read_class);
70
57
audit_register_class(AUDIT_CLASS_DIR_WRITE_32, sparc32_dir_class);
71
58
audit_register_class(AUDIT_CLASS_CHATTR_32, sparc32_chattr_class);
59
+
audit_register_class(AUDIT_CLASS_SIGNAL_32, sparc32_signal_class);
72
60
#endif
73
61
audit_register_class(AUDIT_CLASS_WRITE, write_class);
74
62
audit_register_class(AUDIT_CLASS_READ, read_class);
75
63
audit_register_class(AUDIT_CLASS_DIR_WRITE, dir_class);
76
64
audit_register_class(AUDIT_CLASS_CHATTR, chattr_class);
65
+
audit_register_class(AUDIT_CLASS_SIGNAL, signal_class);
77
66
return 0;
78
67
}
79
68
+5
arch/sparc64/kernel/compat_audit.c
+5
arch/sparc64/kernel/compat_audit.c
+5
arch/x86_64/ia32/audit.c
+5
arch/x86_64/ia32/audit.c
+17
arch/x86_64/kernel/audit.c
+17
arch/x86_64/kernel/audit.c
···
23
23
~0U
24
24
};
25
25
26
+
static unsigned signal_class[] = {
27
+
#include <asm-generic/audit_signal.h>
28
+
~0U
29
+
};
30
+
31
+
int audit_classify_arch(int arch)
32
+
{
33
+
#ifdef CONFIG_IA32_EMULATION
34
+
if (arch == AUDIT_ARCH_I386)
35
+
return 1;
36
+
#endif
37
+
return 0;
38
+
}
39
+
26
40
int audit_classify_syscall(int abi, unsigned syscall)
27
41
{
28
42
#ifdef CONFIG_IA32_EMULATION
···
63
49
extern __u32 ia32_write_class[];
64
50
extern __u32 ia32_read_class[];
65
51
extern __u32 ia32_chattr_class[];
52
+
extern __u32 ia32_signal_class[];
66
53
audit_register_class(AUDIT_CLASS_WRITE_32, ia32_write_class);
67
54
audit_register_class(AUDIT_CLASS_READ_32, ia32_read_class);
68
55
audit_register_class(AUDIT_CLASS_DIR_WRITE_32, ia32_dir_class);
69
56
audit_register_class(AUDIT_CLASS_CHATTR_32, ia32_chattr_class);
57
+
audit_register_class(AUDIT_CLASS_SIGNAL_32, ia32_signal_class);
70
58
#endif
71
59
audit_register_class(AUDIT_CLASS_WRITE, write_class);
72
60
audit_register_class(AUDIT_CLASS_READ, read_class);
73
61
audit_register_class(AUDIT_CLASS_DIR_WRITE, dir_class);
74
62
audit_register_class(AUDIT_CLASS_CHATTR, chattr_class);
63
+
audit_register_class(AUDIT_CLASS_SIGNAL, signal_class);
75
64
return 0;
76
65
}
77
66
+2
fs/exec.c
+2
fs/exec.c
+1
-1
fs/namei.c
+1
-1
fs/namei.c
+2
fs/xattr.c
+2
fs/xattr.c
···
350
350
f = fget(fd);
351
351
if (!f)
352
352
return error;
353
+
audit_inode(NULL, f->f_path.dentry->d_inode);
353
354
error = getxattr(f->f_path.dentry, name, value, size);
354
355
fput(f);
355
356
return error;
···
423
422
f = fget(fd);
424
423
if (!f)
425
424
return error;
425
+
audit_inode(NULL, f->f_path.dentry->d_inode);
426
426
error = listxattr(f->f_path.dentry, list, size);
427
427
fput(f);
428
428
return error;
+16
-5
include/linux/audit.h
+16
-5
include/linux/audit.h
···
91
91
#define AUDIT_MQ_GETSETATTR 1315 /* POSIX MQ get/set attribute record type */
92
92
#define AUDIT_KERNEL_OTHER 1316 /* For use by 3rd party modules */
93
93
#define AUDIT_FD_PAIR 1317 /* audit record for pipe/socketpair */
94
+
#define AUDIT_OBJ_PID 1318 /* ptrace target */
94
95
95
96
#define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
96
97
#define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
···
112
111
#define AUDIT_FIRST_KERN_ANOM_MSG 1700
113
112
#define AUDIT_LAST_KERN_ANOM_MSG 1799
114
113
#define AUDIT_ANOM_PROMISCUOUS 1700 /* Device changed promiscuous mode */
114
+
#define AUDIT_ANOM_ABEND 1701 /* Process ended abnormally */
115
115
116
116
#define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */
117
117
···
150
148
#define AUDIT_CLASS_READ_32 5
151
149
#define AUDIT_CLASS_WRITE 6
152
150
#define AUDIT_CLASS_WRITE_32 7
151
+
#define AUDIT_CLASS_SIGNAL 8
152
+
#define AUDIT_CLASS_SIGNAL_32 9
153
153
154
154
/* This bitmask is used to validate user input. It represents all bits that
155
155
* are currently used in an audit field constant understood by the kernel.
···
341
337
#define AUDITSC_RESULT(x) ( ((long)(x))<0?AUDITSC_FAILURE:AUDITSC_SUCCESS )
342
338
extern int __init audit_register_class(int class, unsigned *list);
343
339
extern int audit_classify_syscall(int abi, unsigned syscall);
340
+
extern int audit_classify_arch(int arch);
344
341
#ifdef CONFIG_AUDITSYSCALL
345
342
/* These are defined in auditsc.c */
346
343
/* Public API */
···
356
351
extern void __audit_inode(const char *name, const struct inode *inode);
357
352
extern void __audit_inode_child(const char *dname, const struct inode *inode,
358
353
const struct inode *parent);
359
-
extern void __audit_inode_update(const struct inode *inode);
354
+
extern void __audit_ptrace(struct task_struct *t);
355
+
360
356
static inline int audit_dummy_context(void)
361
357
{
362
358
void *p = current->audit_context;
···
378
372
if (unlikely(!audit_dummy_context()))
379
373
__audit_inode_child(dname, inode, parent);
380
374
}
381
-
static inline void audit_inode_update(const struct inode *inode) {
375
+
void audit_core_dumps(long signr);
376
+
377
+
static inline void audit_ptrace(struct task_struct *t)
378
+
{
382
379
if (unlikely(!audit_dummy_context()))
383
-
__audit_inode_update(inode);
380
+
__audit_ptrace(t);
384
381
}
385
382
386
383
/* Private API (for audit.c only) */
···
456
447
return 0;
457
448
}
458
449
extern int audit_n_rules;
450
+
extern int audit_signals;
459
451
#else
460
452
#define audit_alloc(t) ({ 0; })
461
453
#define audit_free(t) do { ; } while (0)
···
467
457
#define audit_putname(n) do { ; } while (0)
468
458
#define __audit_inode(n,i) do { ; } while (0)
469
459
#define __audit_inode_child(d,i,p) do { ; } while (0)
470
-
#define __audit_inode_update(i) do { ; } while (0)
471
460
#define audit_inode(n,i) do { ; } while (0)
472
461
#define audit_inode_child(d,i,p) do { ; } while (0)
473
-
#define audit_inode_update(i) do { ; } while (0)
462
+
#define audit_core_dumps(i) do { ; } while (0)
474
463
#define auditsc_get_stamp(c,t,s) do { BUG(); } while (0)
475
464
#define audit_get_loginuid(c) ({ -1; })
476
465
#define audit_log_task_context(b) do { ; } while (0)
···
486
477
#define audit_mq_timedreceive(d,l,p,t) ({ 0; })
487
478
#define audit_mq_notify(d,n) ({ 0; })
488
479
#define audit_mq_getsetattr(d,s) ({ 0; })
480
+
#define audit_ptrace(t) ((void)0)
489
481
#define audit_n_rules 0
482
+
#define audit_signals 0
490
483
#endif
491
484
492
485
#ifdef CONFIG_AUDIT
+4
ipc/mqueue.c
+4
ipc/mqueue.c
···
681
681
682
682
if (oflag & O_CREAT) {
683
683
if (dentry->d_inode) { /* entry already exists */
684
+
audit_inode(name, dentry->d_inode);
684
685
error = -EEXIST;
685
686
if (oflag & O_EXCL)
686
687
goto out;
···
694
693
error = -ENOENT;
695
694
if (!dentry->d_inode)
696
695
goto out;
696
+
audit_inode(name, dentry->d_inode);
697
697
filp = do_open(dentry, oflag);
698
698
}
699
699
···
842
840
if (unlikely(filp->f_op != &mqueue_file_operations))
843
841
goto out_fput;
844
842
info = MQUEUE_I(inode);
843
+
audit_inode(NULL, inode);
845
844
846
845
if (unlikely(!(filp->f_mode & FMODE_WRITE)))
847
846
goto out_fput;
···
926
923
if (unlikely(filp->f_op != &mqueue_file_operations))
927
924
goto out_fput;
928
925
info = MQUEUE_I(inode);
926
+
audit_inode(NULL, inode);
929
927
930
928
if (unlikely(!(filp->f_mode & FMODE_READ)))
931
929
goto out_fput;
+8
-5
kernel/audit.h
+8
-5
kernel/audit.h
···
83
83
u32 field_count;
84
84
char *filterkey; /* ties events to rules */
85
85
struct audit_field *fields;
86
+
struct audit_field *arch_f; /* quick access to arch field */
86
87
struct audit_field *inode_f; /* quick access to an inode field */
87
88
struct audit_watch *watch; /* associated watch */
88
89
struct list_head rlist; /* entry in audit_watch.rules list */
···
132
131
extern int selinux_audit_rule_update(void);
133
132
134
133
#ifdef CONFIG_AUDITSYSCALL
135
-
extern void __audit_signal_info(int sig, struct task_struct *t);
136
-
static inline void audit_signal_info(int sig, struct task_struct *t)
134
+
extern int __audit_signal_info(int sig, struct task_struct *t);
135
+
static inline int audit_signal_info(int sig, struct task_struct *t)
137
136
{
138
-
if (unlikely(audit_pid && t->tgid == audit_pid))
139
-
__audit_signal_info(sig, t);
137
+
if (unlikely((audit_pid && t->tgid == audit_pid) ||
138
+
(audit_signals && !audit_dummy_context())))
139
+
return __audit_signal_info(sig, t);
140
+
return 0;
140
141
}
141
142
extern enum audit_state audit_filter_inodes(struct task_struct *,
142
143
struct audit_context *);
143
144
extern void audit_set_auditable(struct audit_context *);
144
145
#else
145
-
#define audit_signal_info(s,t)
146
+
#define audit_signal_info(s,t) AUDIT_DISABLED
146
147
#define audit_filter_inodes(t,c) AUDIT_DISABLED
147
148
#define audit_set_auditable(c)
148
149
#endif
+47
-1
kernel/auditfilter.c
+47
-1
kernel/auditfilter.c
···
311
311
return classes[class][AUDIT_WORD(syscall)] & AUDIT_BIT(syscall);
312
312
}
313
313
314
+
static inline int audit_match_class_bits(int class, u32 *mask)
315
+
{
316
+
int i;
317
+
318
+
if (classes[class]) {
319
+
for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
320
+
if (mask[i] & classes[class][i])
321
+
return 0;
322
+
}
323
+
return 1;
324
+
}
325
+
326
+
static int audit_match_signal(struct audit_entry *entry)
327
+
{
328
+
struct audit_field *arch = entry->rule.arch_f;
329
+
330
+
if (!arch) {
331
+
/* When arch is unspecified, we must check both masks on biarch
332
+
* as syscall number alone is ambiguous. */
333
+
return (audit_match_class_bits(AUDIT_CLASS_SIGNAL,
334
+
entry->rule.mask) &&
335
+
audit_match_class_bits(AUDIT_CLASS_SIGNAL_32,
336
+
entry->rule.mask));
337
+
}
338
+
339
+
switch(audit_classify_arch(arch->val)) {
340
+
case 0: /* native */
341
+
return (audit_match_class_bits(AUDIT_CLASS_SIGNAL,
342
+
entry->rule.mask));
343
+
case 1: /* 32bit on biarch */
344
+
return (audit_match_class_bits(AUDIT_CLASS_SIGNAL_32,
345
+
entry->rule.mask));
346
+
default:
347
+
return 1;
348
+
}
349
+
}
350
+
314
351
/* Common user-space to kernel rule translation. */
315
352
static inline struct audit_entry *audit_to_entry_common(struct audit_rule *rule)
316
353
{
···
466
429
err = -EINVAL;
467
430
goto exit_free;
468
431
}
432
+
entry->rule.arch_f = f;
469
433
break;
470
434
case AUDIT_PERM:
471
435
if (f->val & ~15)
···
557
519
case AUDIT_FSGID:
558
520
case AUDIT_LOGINUID:
559
521
case AUDIT_PERS:
560
-
case AUDIT_ARCH:
561
522
case AUDIT_MSGTYPE:
562
523
case AUDIT_PPID:
563
524
case AUDIT_DEVMAJOR:
···
567
530
case AUDIT_ARG1:
568
531
case AUDIT_ARG2:
569
532
case AUDIT_ARG3:
533
+
break;
534
+
case AUDIT_ARCH:
535
+
entry->rule.arch_f = f;
570
536
break;
571
537
case AUDIT_SUBJ_USER:
572
538
case AUDIT_SUBJ_ROLE:
···
1261
1221
#ifdef CONFIG_AUDITSYSCALL
1262
1222
if (!dont_count)
1263
1223
audit_n_rules++;
1224
+
1225
+
if (!audit_match_signal(entry))
1226
+
audit_signals++;
1264
1227
#endif
1265
1228
mutex_unlock(&audit_filter_mutex);
1266
1229
···
1337
1294
#ifdef CONFIG_AUDITSYSCALL
1338
1295
if (!dont_count)
1339
1296
audit_n_rules--;
1297
+
1298
+
if (!audit_match_signal(entry))
1299
+
audit_signals--;
1340
1300
#endif
1341
1301
mutex_unlock(&audit_filter_mutex);
1342
1302
+225
-84
kernel/auditsc.c
+225
-84
kernel/auditsc.c
···
78
78
* for saving names from getname(). */
79
79
#define AUDIT_NAMES 20
80
80
81
-
/* AUDIT_NAMES_RESERVED is the number of slots we reserve in the
82
-
* audit_context from being used for nameless inodes from
83
-
* path_lookup. */
84
-
#define AUDIT_NAMES_RESERVED 7
85
-
86
81
/* Indicates that audit should log the full pathname. */
87
82
#define AUDIT_NAME_FULL -1
88
83
89
84
/* number of audit rules */
90
85
int audit_n_rules;
86
+
87
+
/* determines whether we collect data for signals sent */
88
+
int audit_signals;
91
89
92
90
/* When fs/namei.c:getname() is called, we store the pointer in name and
93
91
* we don't let putname() free it (instead we free all of the saved
···
111
113
};
112
114
113
115
#define AUDIT_AUX_IPCPERM 0
116
+
117
+
/* Number of target pids per aux struct. */
118
+
#define AUDIT_AUX_PIDS 16
114
119
115
120
struct audit_aux_data_mq_open {
116
121
struct audit_aux_data d;
···
182
181
struct vfsmount *mnt;
183
182
};
184
183
184
+
struct audit_aux_data_pids {
185
+
struct audit_aux_data d;
186
+
pid_t target_pid[AUDIT_AUX_PIDS];
187
+
u32 target_sid[AUDIT_AUX_PIDS];
188
+
int pid_count;
189
+
};
190
+
185
191
/* The per-task audit context. */
186
192
struct audit_context {
187
193
int dummy; /* must be the first element */
···
209
201
struct vfsmount * pwdmnt;
210
202
struct audit_context *previous; /* For nested syscalls */
211
203
struct audit_aux_data *aux;
204
+
struct audit_aux_data *aux_pids;
212
205
213
206
/* Save things to print about task_struct */
214
207
pid_t pid, ppid;
···
217
208
gid_t gid, egid, sgid, fsgid;
218
209
unsigned long personality;
219
210
int arch;
211
+
212
+
pid_t target_pid;
213
+
u32 target_sid;
220
214
221
215
#if AUDIT_DEBUG
222
216
int put_count;
···
666
654
context->aux = aux->next;
667
655
kfree(aux);
668
656
}
657
+
while ((aux = context->aux_pids)) {
658
+
context->aux_pids = aux->next;
659
+
kfree(aux);
660
+
}
669
661
}
670
662
671
663
static inline void audit_zero_context(struct audit_context *context,
···
809
793
up_read(&mm->mmap_sem);
810
794
}
811
795
audit_log_task_context(ab);
796
+
}
797
+
798
+
static int audit_log_pid_context(struct audit_context *context, pid_t pid,
799
+
u32 sid)
800
+
{
801
+
struct audit_buffer *ab;
802
+
char *s = NULL;
803
+
u32 len;
804
+
int rc = 0;
805
+
806
+
ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID);
807
+
if (!ab)
808
+
return 1;
809
+
810
+
if (selinux_sid_to_string(sid, &s, &len)) {
811
+
audit_log_format(ab, "opid=%d obj=(none)", pid);
812
+
rc = 1;
813
+
} else
814
+
audit_log_format(ab, "opid=%d obj=%s", pid, s);
815
+
audit_log_end(ab);
816
+
kfree(s);
817
+
818
+
return rc;
812
819
}
813
820
814
821
static void audit_log_exit(struct audit_context *context, struct task_struct *tsk)
···
1011
972
}
1012
973
audit_log_end(ab);
1013
974
}
975
+
976
+
for (aux = context->aux_pids; aux; aux = aux->next) {
977
+
struct audit_aux_data_pids *axs = (void *)aux;
978
+
int i;
979
+
980
+
for (i = 0; i < axs->pid_count; i++)
981
+
if (audit_log_pid_context(context, axs->target_pid[i],
982
+
axs->target_sid[i]))
983
+
call_panic = 1;
984
+
}
985
+
986
+
if (context->target_pid &&
987
+
audit_log_pid_context(context, context->target_pid,
988
+
context->target_sid))
989
+
call_panic = 1;
1014
990
1015
991
if (context->pwd && context->pwdmnt) {
1016
992
ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD);
···
1247
1193
} else {
1248
1194
audit_free_names(context);
1249
1195
audit_free_aux(context);
1196
+
context->aux = NULL;
1197
+
context->aux_pids = NULL;
1198
+
context->target_pid = 0;
1199
+
context->target_sid = 0;
1250
1200
kfree(context->filterkey);
1251
1201
context->filterkey = NULL;
1252
1202
tsk->audit_context = context;
···
1284
1226
context->names[context->name_count].name_len = AUDIT_NAME_FULL;
1285
1227
context->names[context->name_count].name_put = 1;
1286
1228
context->names[context->name_count].ino = (unsigned long)-1;
1229
+
context->names[context->name_count].osid = 0;
1287
1230
++context->name_count;
1288
1231
if (!context->pwd) {
1289
1232
read_lock(¤t->fs->lock);
···
1338
1279
#endif
1339
1280
}
1340
1281
1282
+
static int audit_inc_name_count(struct audit_context *context,
1283
+
const struct inode *inode)
1284
+
{
1285
+
if (context->name_count >= AUDIT_NAMES) {
1286
+
if (inode)
1287
+
printk(KERN_DEBUG "name_count maxed, losing inode data: "
1288
+
"dev=%02x:%02x, inode=%lu",
1289
+
MAJOR(inode->i_sb->s_dev),
1290
+
MINOR(inode->i_sb->s_dev),
1291
+
inode->i_ino);
1292
+
1293
+
else
1294
+
printk(KERN_DEBUG "name_count maxed, losing inode data");
1295
+
return 1;
1296
+
}
1297
+
context->name_count++;
1298
+
#if AUDIT_DEBUG
1299
+
context->ino_count++;
1300
+
#endif
1301
+
return 0;
1302
+
}
1303
+
1341
1304
/* Copy inode data into an audit_names. */
1342
1305
static void audit_copy_inode(struct audit_names *name, const struct inode *inode)
1343
1306
{
···
1397
1316
else {
1398
1317
/* FIXME: how much do we care about inodes that have no
1399
1318
* associated name? */
1400
-
if (context->name_count >= AUDIT_NAMES - AUDIT_NAMES_RESERVED)
1319
+
if (audit_inc_name_count(context, inode))
1401
1320
return;
1402
-
idx = context->name_count++;
1321
+
idx = context->name_count - 1;
1403
1322
context->names[idx].name = NULL;
1404
-
#if AUDIT_DEBUG
1405
-
++context->ino_count;
1406
-
#endif
1407
1323
}
1408
1324
audit_copy_inode(&context->names[idx], inode);
1409
1325
}
···
1424
1346
{
1425
1347
int idx;
1426
1348
struct audit_context *context = current->audit_context;
1427
-
const char *found_name = NULL;
1349
+
const char *found_parent = NULL, *found_child = NULL;
1428
1350
int dirlen = 0;
1429
1351
1430
1352
if (!context->in_syscall)
···
1432
1354
1433
1355
/* determine matching parent */
1434
1356
if (!dname)
1435
-
goto update_context;
1436
-
for (idx = 0; idx < context->name_count; idx++)
1437
-
if (context->names[idx].ino == parent->i_ino) {
1438
-
const char *name = context->names[idx].name;
1357
+
goto add_names;
1439
1358
1440
-
if (!name)
1441
-
continue;
1359
+
/* parent is more likely, look for it first */
1360
+
for (idx = 0; idx < context->name_count; idx++) {
1361
+
struct audit_names *n = &context->names[idx];
1442
1362
1443
-
if (audit_compare_dname_path(dname, name, &dirlen) == 0) {
1444
-
context->names[idx].name_len = dirlen;
1445
-
found_name = name;
1446
-
break;
1447
-
}
1363
+
if (!n->name)
1364
+
continue;
1365
+
1366
+
if (n->ino == parent->i_ino &&
1367
+
!audit_compare_dname_path(dname, n->name, &dirlen)) {
1368
+
n->name_len = dirlen; /* update parent data in place */
1369
+
found_parent = n->name;
1370
+
goto add_names;
1448
1371
}
1449
-
1450
-
update_context:
1451
-
idx = context->name_count;
1452
-
if (context->name_count == AUDIT_NAMES) {
1453
-
printk(KERN_DEBUG "name_count maxed and losing %s\n",
1454
-
found_name ?: "(null)");
1455
-
return;
1456
1372
}
1457
-
context->name_count++;
1458
-
#if AUDIT_DEBUG
1459
-
context->ino_count++;
1460
-
#endif
1461
-
/* Re-use the name belonging to the slot for a matching parent directory.
1462
-
* All names for this context are relinquished in audit_free_names() */
1463
-
context->names[idx].name = found_name;
1464
-
context->names[idx].name_len = AUDIT_NAME_FULL;
1465
-
context->names[idx].name_put = 0; /* don't call __putname() */
1466
1373
1467
-
if (!inode)
1468
-
context->names[idx].ino = (unsigned long)-1;
1469
-
else
1470
-
audit_copy_inode(&context->names[idx], inode);
1374
+
/* no matching parent, look for matching child */
1375
+
for (idx = 0; idx < context->name_count; idx++) {
1376
+
struct audit_names *n = &context->names[idx];
1471
1377
1472
-
/* A parent was not found in audit_names, so copy the inode data for the
1473
-
* provided parent. */
1474
-
if (!found_name) {
1475
-
idx = context->name_count;
1476
-
if (context->name_count == AUDIT_NAMES) {
1477
-
printk(KERN_DEBUG
1478
-
"name_count maxed and losing parent inode data: dev=%02x:%02x, inode=%lu",
1479
-
MAJOR(parent->i_sb->s_dev),
1480
-
MINOR(parent->i_sb->s_dev),
1481
-
parent->i_ino);
1482
-
return;
1378
+
if (!n->name)
1379
+
continue;
1380
+
1381
+
/* strcmp() is the more likely scenario */
1382
+
if (!strcmp(dname, n->name) ||
1383
+
!audit_compare_dname_path(dname, n->name, &dirlen)) {
1384
+
if (inode)
1385
+
audit_copy_inode(n, inode);
1386
+
else
1387
+
n->ino = (unsigned long)-1;
1388
+
found_child = n->name;
1389
+
goto add_names;
1483
1390
}
1484
-
context->name_count++;
1485
-
#if AUDIT_DEBUG
1486
-
context->ino_count++;
1487
-
#endif
1391
+
}
1392
+
1393
+
add_names:
1394
+
if (!found_parent) {
1395
+
if (audit_inc_name_count(context, parent))
1396
+
return;
1397
+
idx = context->name_count - 1;
1398
+
context->names[idx].name = NULL;
1488
1399
audit_copy_inode(&context->names[idx], parent);
1489
1400
}
1490
-
}
1491
1401
1492
-
/**
1493
-
* audit_inode_update - update inode info for last collected name
1494
-
* @inode: inode being audited
1495
-
*
1496
-
* When open() is called on an existing object with the O_CREAT flag, the inode
1497
-
* data audit initially collects is incorrect. This additional hook ensures
1498
-
* audit has the inode data for the actual object to be opened.
1499
-
*/
1500
-
void __audit_inode_update(const struct inode *inode)
1501
-
{
1502
-
struct audit_context *context = current->audit_context;
1503
-
int idx;
1402
+
if (!found_child) {
1403
+
if (audit_inc_name_count(context, inode))
1404
+
return;
1405
+
idx = context->name_count - 1;
1504
1406
1505
-
if (!context->in_syscall || !inode)
1506
-
return;
1407
+
/* Re-use the name belonging to the slot for a matching parent
1408
+
* directory. All names for this context are relinquished in
1409
+
* audit_free_names() */
1410
+
if (found_parent) {
1411
+
context->names[idx].name = found_parent;
1412
+
context->names[idx].name_len = AUDIT_NAME_FULL;
1413
+
/* don't call __putname() */
1414
+
context->names[idx].name_put = 0;
1415
+
} else {
1416
+
context->names[idx].name = NULL;
1417
+
}
1507
1418
1508
-
if (context->name_count == 0) {
1509
-
context->name_count++;
1510
-
#if AUDIT_DEBUG
1511
-
context->ino_count++;
1512
-
#endif
1419
+
if (inode)
1420
+
audit_copy_inode(&context->names[idx], inode);
1421
+
else
1422
+
context->names[idx].ino = (unsigned long)-1;
1513
1423
}
1514
-
idx = context->name_count - 1;
1515
-
1516
-
audit_copy_inode(&context->names[idx], inode);
1517
1424
}
1518
1425
1519
1426
/**
···
1943
1880
return 0;
1944
1881
}
1945
1882
1883
+
void __audit_ptrace(struct task_struct *t)
1884
+
{
1885
+
struct audit_context *context = current->audit_context;
1886
+
1887
+
context->target_pid = t->pid;
1888
+
selinux_get_task_sid(t, &context->target_sid);
1889
+
}
1890
+
1946
1891
/**
1947
1892
* audit_avc_path - record the granting or denial of permissions
1948
1893
* @dentry: dentry to record
···
1989
1918
* If the audit subsystem is being terminated, record the task (pid)
1990
1919
* and uid that is doing that.
1991
1920
*/
1992
-
void __audit_signal_info(int sig, struct task_struct *t)
1921
+
int __audit_signal_info(int sig, struct task_struct *t)
1993
1922
{
1923
+
struct audit_aux_data_pids *axp;
1924
+
struct task_struct *tsk = current;
1925
+
struct audit_context *ctx = tsk->audit_context;
1994
1926
extern pid_t audit_sig_pid;
1995
1927
extern uid_t audit_sig_uid;
1996
1928
extern u32 audit_sig_sid;
1997
1929
1998
-
if (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1) {
1999
-
struct task_struct *tsk = current;
2000
-
struct audit_context *ctx = tsk->audit_context;
1930
+
if (audit_pid && t->tgid == audit_pid &&
1931
+
(sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1)) {
2001
1932
audit_sig_pid = tsk->pid;
2002
1933
if (ctx)
2003
1934
audit_sig_uid = ctx->loginuid;
···
2007
1934
audit_sig_uid = tsk->uid;
2008
1935
selinux_get_task_sid(tsk, &audit_sig_sid);
2009
1936
}
1937
+
1938
+
if (!audit_signals) /* audit_context checked in wrapper */
1939
+
return 0;
1940
+
1941
+
/* optimize the common case by putting first signal recipient directly
1942
+
* in audit_context */
1943
+
if (!ctx->target_pid) {
1944
+
ctx->target_pid = t->tgid;
1945
+
selinux_get_task_sid(t, &ctx->target_sid);
1946
+
return 0;
1947
+
}
1948
+
1949
+
axp = (void *)ctx->aux_pids;
1950
+
if (!axp || axp->pid_count == AUDIT_AUX_PIDS) {
1951
+
axp = kzalloc(sizeof(*axp), GFP_ATOMIC);
1952
+
if (!axp)
1953
+
return -ENOMEM;
1954
+
1955
+
axp->d.type = AUDIT_OBJ_PID;
1956
+
axp->d.next = ctx->aux_pids;
1957
+
ctx->aux_pids = (void *)axp;
1958
+
}
1959
+
BUG_ON(axp->pid_count > AUDIT_AUX_PIDS);
1960
+
1961
+
axp->target_pid[axp->pid_count] = t->tgid;
1962
+
selinux_get_task_sid(t, &axp->target_sid[axp->pid_count]);
1963
+
axp->pid_count++;
1964
+
1965
+
return 0;
1966
+
}
1967
+
1968
+
/**
1969
+
* audit_core_dumps - record information about processes that end abnormally
1970
+
* @sig: signal value
1971
+
*
1972
+
* If a process ends with a core dump, something fishy is going on and we
1973
+
* should record the event for investigation.
1974
+
*/
1975
+
void audit_core_dumps(long signr)
1976
+
{
1977
+
struct audit_buffer *ab;
1978
+
u32 sid;
1979
+
1980
+
if (!audit_enabled)
1981
+
return;
1982
+
1983
+
if (signr == SIGQUIT) /* don't care for those */
1984
+
return;
1985
+
1986
+
ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
1987
+
audit_log_format(ab, "auid=%u uid=%u gid=%u",
1988
+
audit_get_loginuid(current->audit_context),
1989
+
current->uid, current->gid);
1990
+
selinux_get_task_sid(current, &sid);
1991
+
if (sid) {
1992
+
char *ctx = NULL;
1993
+
u32 len;
1994
+
1995
+
if (selinux_sid_to_string(sid, &ctx, &len))
1996
+
audit_log_format(ab, " ssid=%u", sid);
1997
+
else
1998
+
audit_log_format(ab, " subj=%s", ctx);
1999
+
kfree(ctx);
2000
+
}
2001
+
audit_log_format(ab, " pid=%d comm=", current->pid);
2002
+
audit_log_untrustedstring(ab, current->comm);
2003
+
audit_log_format(ab, " sig=%ld", signr);
2004
+
audit_log_end(ab);
2010
2005
}
+3
kernel/ptrace.c
+3
kernel/ptrace.c
···
18
18
#include <linux/ptrace.h>
19
19
#include <linux/security.h>
20
20
#include <linux/signal.h>
21
+
#include <linux/audit.h>
21
22
22
23
#include <asm/pgtable.h>
23
24
#include <asm/uaccess.h>
···
161
160
int ptrace_attach(struct task_struct *task)
162
161
{
163
162
int retval;
163
+
164
+
audit_ptrace(task);
164
165
165
166
retval = -EPERM;
166
167
if (task->pid <= 1)
+6
-4
kernel/signal.c
+6
-4
kernel/signal.c
···
497
497
int error = -EINVAL;
498
498
if (!valid_signal(sig))
499
499
return error;
500
+
501
+
error = audit_signal_info(sig, t); /* Let audit system see the signal */
502
+
if (error)
503
+
return error;
504
+
500
505
error = -EPERM;
501
506
if ((info == SEND_SIG_NOINFO || (!is_si_special(info) && SI_FROMUSER(info)))
502
507
&& ((sig != SIGCONT) ||
···
511
506
&& !capable(CAP_KILL))
512
507
return error;
513
508
514
-
error = security_task_kill(t, info, sig, 0);
515
-
if (!error)
516
-
audit_signal_info(sig, t); /* Let audit system see the signal */
517
-
return error;
509
+
return security_task_kill(t, info, sig, 0);
518
510
}
519
511
520
512
/* forward decl */
+11
lib/audit.c
+11
lib/audit.c
···
23
23
~0U
24
24
};
25
25
26
+
static unsigned signal_class[] = {
27
+
#include <asm-generic/audit_signal.h>
28
+
~0U
29
+
};
30
+
31
+
int audit_classify_arch(int arch)
32
+
{
33
+
return 0;
34
+
}
35
+
26
36
int audit_classify_syscall(int abi, unsigned syscall)
27
37
{
28
38
switch(syscall) {
···
59
49
audit_register_class(AUDIT_CLASS_READ, read_class);
60
50
audit_register_class(AUDIT_CLASS_DIR_WRITE, dir_class);
61
51
audit_register_class(AUDIT_CLASS_CHATTR, chattr_class);
52
+
audit_register_class(AUDIT_CLASS_SIGNAL, signal_class);
62
53
return 0;
63
54
}
64
55