tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

Merge tag 'audit-pr-20180605' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit

Pull audit updates from Paul Moore:
"Another reasonable chunk of audit changes for v4.18, thirteen patches
in total.

The thirteen patches can mostly be broken down into one of four
categories: general bug fixes, accessor functions for audit state
stored in the task_struct, negative filter matches on executable
names, and extending the (relatively) new seccomp logging knobs to the
audit subsystem.

The main driver for the accessor functions from Richard are the
changes we're working on to associate audit events with containers,
but I think they have some standalone value too so I figured it would
be good to get them in now.

The seccomp/audit patches from Tyler apply the seccomp logging
improvements from a few releases ago to audit's seccomp logging;
starting with this patchset the changes in
/proc/sys/kernel/seccomp/actions_logged should apply to both the
standard kernel logging and audit.

As usual, everything passes the audit-testsuite and it happens to
merge cleanly with your tree"

[ Heh, except it had trivial merge conflicts with the SELinux tree that
also came in from Paul - Linus ]

* tag 'audit-pr-20180605' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit:
audit: Fix wrong task in comparison of session ID
audit: use existing session info function
audit: normalize loginuid read access
audit: use new audit_context access funciton for seccomp_actions_logged
audit: use inline function to set audit context
audit: use inline function to get audit context
audit: convert sessionid unset to a macro
seccomp: Don't special case audited processes when logging
seccomp: Audit attempts to modify the actions_logged sysctl
seccomp: Configurable separator for the actions_logged string
seccomp: Separate read and write code for actions_logged sysctl
audit: allow not equal op for audit by executable
audit: add syscall information to FEATURE_CHANGE records

Linus Torvalds 8b5c6a3a 8b70543e

+243 -145
-7
Documentation/userspace-api/seccomp_filter.rst
··· 207 207 to the file do not need to be in ordered form but reads from the file 208 208 will be ordered in the same way as the actions_avail sysctl. 209 209 210 - It is important to note that the value of ``actions_logged`` does not 211 - prevent certain actions from being logged when the audit subsystem is 212 - configured to audit a task. If the action is not found in 213 - ``actions_logged`` list, the final decision on whether to audit the 214 - action for that task is ultimately left up to the audit subsystem to 215 - decide for all seccomp return values other than ``SECCOMP_RET_ALLOW``. 216 - 217 210 The ``allow`` string is not accepted in the ``actions_logged`` sysctl 218 211 as it is not possible to log ``SECCOMP_RET_ALLOW`` actions. Attempting 219 212 to write ``allow`` to the sysctl will result in an EINVAL being
+26 -13
include/linux/audit.h
··· 232 232 extern void __audit_inode_child(struct inode *parent, 233 233 const struct dentry *dentry, 234 234 const unsigned char type); 235 - extern void __audit_seccomp(unsigned long syscall, long signr, int code); 235 + extern void audit_seccomp(unsigned long syscall, long signr, int code); 236 + extern void audit_seccomp_actions_logged(const char *names, 237 + const char *old_names, int res); 236 238 extern void __audit_ptrace(struct task_struct *t); 239 + 240 + static inline void audit_set_context(struct task_struct *task, struct audit_context *ctx) 241 + { 242 + task->audit_context = ctx; 243 + } 244 + 245 + static inline struct audit_context *audit_context(void) 246 + { 247 + return current->audit_context; 248 + } 237 249 238 250 static inline bool audit_dummy_context(void) 239 251 { 240 - void *p = current->audit_context; 252 + void *p = audit_context(); 241 253 return !p || *(int *)p; 242 254 } 243 255 static inline void audit_free(struct task_struct *task) ··· 261 249 unsigned long a1, unsigned long a2, 262 250 unsigned long a3) 263 251 { 264 - if (unlikely(current->audit_context)) 252 + if (unlikely(audit_context())) 265 253 __audit_syscall_entry(major, a0, a1, a2, a3); 266 254 } 267 255 static inline void audit_syscall_exit(void *pt_regs) 268 256 { 269 - if (unlikely(current->audit_context)) { 257 + if (unlikely(audit_context())) { 270 258 int success = is_syscall_success(pt_regs); 271 259 long return_code = regs_return_value(pt_regs); 272 260 ··· 313 301 __audit_inode_child(parent, dentry, type); 314 302 } 315 303 void audit_core_dumps(long signr); 316 - 317 - static inline void audit_seccomp(unsigned long syscall, long signr, int code) 318 - { 319 - if (audit_enabled && unlikely(!audit_dummy_context())) 320 - __audit_seccomp(syscall, signr, code); 321 - } 322 304 323 305 static inline void audit_ptrace(struct task_struct *t) 324 306 { ··· 474 468 { 475 469 return true; 476 470 } 471 + static inline void audit_set_context(struct task_struct *task, struct audit_context *ctx) 472 + { } 473 + static inline struct audit_context *audit_context(void) 474 + { 475 + return NULL; 476 + } 477 477 static inline struct filename *audit_reusename(const __user char *name) 478 478 { 479 479 return NULL; ··· 510 498 { } 511 499 static inline void audit_core_dumps(long signr) 512 500 { } 513 - static inline void __audit_seccomp(unsigned long syscall, long signr, int code) 514 - { } 515 501 static inline void audit_seccomp(unsigned long syscall, long signr, int code) 502 + { } 503 + static inline void audit_seccomp_actions_logged(const char *names, 504 + const char *old_names, int res) 516 505 { } 517 506 static inline int auditsc_get_stamp(struct audit_context *ctx, 518 507 struct timespec64 *t, unsigned int *serial) ··· 526 513 } 527 514 static inline unsigned int audit_get_sessionid(struct task_struct *tsk) 528 515 { 529 - return -1; 516 + return AUDIT_SID_UNSET; 530 517 } 531 518 static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp) 532 519 { }
+2 -2
include/net/xfrm.h
··· 737 737 738 738 if (audit_enabled == 0) 739 739 return NULL; 740 - audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC, 740 + audit_buf = audit_log_start(audit_context(), GFP_ATOMIC, 741 741 AUDIT_MAC_IPSEC_EVENT); 742 742 if (audit_buf == NULL) 743 743 return NULL; ··· 752 752 audit_get_loginuid(current) : 753 753 INVALID_UID); 754 754 const unsigned int ses = task_valid ? audit_get_sessionid(current) : 755 - (unsigned int) -1; 755 + AUDIT_SID_UNSET; 756 756 757 757 audit_log_format(audit_buf, " auid=%u ses=%u", auid, ses); 758 758 audit_log_task_context(audit_buf);
+1
include/uapi/linux/audit.h
··· 465 465 }; 466 466 467 467 #define AUDIT_UID_UNSET (unsigned int)-1 468 + #define AUDIT_SID_UNSET ((unsigned int)-1) 468 469 469 470 /* audit_rule_data supports filter rules with both integer and string 470 471 * fields. It corresponds with AUDIT_ADD_RULE, AUDIT_DEL_RULE and
+2 -1
init/init_task.c
··· 9 9 #include <linux/init.h> 10 10 #include <linux/fs.h> 11 11 #include <linux/mm.h> 12 + #include <linux/audit.h> 12 13 13 14 #include <asm/pgtable.h> 14 15 #include <linux/uaccess.h> ··· 120 119 .thread_node = LIST_HEAD_INIT(init_signals.thread_head), 121 120 #ifdef CONFIG_AUDITSYSCALL 122 121 .loginuid = INVALID_UID, 123 - .sessionid = (unsigned int)-1, 122 + .sessionid = AUDIT_SID_UNSET, 124 123 #endif 125 124 #ifdef CONFIG_PERF_EVENTS 126 125 .perf_event_mutex = __MUTEX_INITIALIZER(init_task.perf_event_mutex),
+2 -4
kernel/audit.c
··· 1099 1099 1100 1100 if (audit_enabled == AUDIT_OFF) 1101 1101 return; 1102 - 1103 - ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_FEATURE_CHANGE); 1102 + ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_FEATURE_CHANGE); 1104 1103 if (!ab) 1105 1104 return; 1106 1105 audit_log_task_info(ab, current); ··· 2316 2317 return; 2317 2318 2318 2319 /* Generate AUDIT_ANOM_LINK with subject, operation, outcome. */ 2319 - ab = audit_log_start(current->audit_context, GFP_KERNEL, 2320 - AUDIT_ANOM_LINK); 2320 + ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_ANOM_LINK); 2321 2321 if (!ab) 2322 2322 return; 2323 2323 audit_log_format(ab, "op=%s", operation);
+1 -1
kernel/audit_watch.c
··· 274 274 /* If the update involves invalidating rules, do the inode-based 275 275 * filtering now, so we don't omit records. */ 276 276 if (invalidating && !audit_dummy_context()) 277 - audit_filter_inodes(current, current->audit_context); 277 + audit_filter_inodes(current, audit_context()); 278 278 279 279 /* updating ino will likely change which audit_hash_list we 280 280 * are on so we need a new watch for the new list */
+2 -4
kernel/auditfilter.c
··· 426 426 return -EINVAL; 427 427 break; 428 428 case AUDIT_EXE: 429 - if (f->op != Audit_equal) 429 + if (f->op != Audit_not_equal && f->op != Audit_equal) 430 430 return -EINVAL; 431 431 if (entry->rule.listnr != AUDIT_FILTER_EXIT) 432 432 return -EINVAL; ··· 1089 1089 static void audit_log_rule_change(char *action, struct audit_krule *rule, int res) 1090 1090 { 1091 1091 struct audit_buffer *ab; 1092 - uid_t loginuid = from_kuid(&init_user_ns, audit_get_loginuid(current)); 1093 - unsigned int sessionid = audit_get_sessionid(current); 1094 1092 1095 1093 if (!audit_enabled) 1096 1094 return; ··· 1096 1098 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); 1097 1099 if (!ab) 1098 1100 return; 1099 - audit_log_format(ab, "auid=%u ses=%u" ,loginuid, sessionid); 1101 + audit_log_session_info(ab); 1100 1102 audit_log_task_context(ab); 1101 1103 audit_log_format(ab, " op=%s", action); 1102 1104 audit_log_key(ab, rule->filterkey);
+86 -49
kernel/auditsc.c
··· 374 374 case AUDIT_COMPARE_EGID_TO_OBJ_GID: 375 375 return audit_compare_gid(cred->egid, name, f, ctx); 376 376 case AUDIT_COMPARE_AUID_TO_OBJ_UID: 377 - return audit_compare_uid(tsk->loginuid, name, f, ctx); 377 + return audit_compare_uid(audit_get_loginuid(tsk), name, f, ctx); 378 378 case AUDIT_COMPARE_SUID_TO_OBJ_UID: 379 379 return audit_compare_uid(cred->suid, name, f, ctx); 380 380 case AUDIT_COMPARE_SGID_TO_OBJ_GID: ··· 385 385 return audit_compare_gid(cred->fsgid, name, f, ctx); 386 386 /* uid comparisons */ 387 387 case AUDIT_COMPARE_UID_TO_AUID: 388 - return audit_uid_comparator(cred->uid, f->op, tsk->loginuid); 388 + return audit_uid_comparator(cred->uid, f->op, 389 + audit_get_loginuid(tsk)); 389 390 case AUDIT_COMPARE_UID_TO_EUID: 390 391 return audit_uid_comparator(cred->uid, f->op, cred->euid); 391 392 case AUDIT_COMPARE_UID_TO_SUID: ··· 395 394 return audit_uid_comparator(cred->uid, f->op, cred->fsuid); 396 395 /* auid comparisons */ 397 396 case AUDIT_COMPARE_AUID_TO_EUID: 398 - return audit_uid_comparator(tsk->loginuid, f->op, cred->euid); 397 + return audit_uid_comparator(audit_get_loginuid(tsk), f->op, 398 + cred->euid); 399 399 case AUDIT_COMPARE_AUID_TO_SUID: 400 - return audit_uid_comparator(tsk->loginuid, f->op, cred->suid); 400 + return audit_uid_comparator(audit_get_loginuid(tsk), f->op, 401 + cred->suid); 401 402 case AUDIT_COMPARE_AUID_TO_FSUID: 402 - return audit_uid_comparator(tsk->loginuid, f->op, cred->fsuid); 403 + return audit_uid_comparator(audit_get_loginuid(tsk), f->op, 404 + cred->fsuid); 403 405 /* euid comparisons */ 404 406 case AUDIT_COMPARE_EUID_TO_SUID: 405 407 return audit_uid_comparator(cred->euid, f->op, cred->suid); ··· 475 471 break; 476 472 case AUDIT_EXE: 477 473 result = audit_exe_compare(tsk, rule->exe); 474 + if (f->op == Audit_not_equal) 475 + result = !result; 478 476 break; 479 477 case AUDIT_UID: 480 478 result = audit_uid_comparator(cred->uid, f->op, f->uid); ··· 517 511 result = audit_gid_comparator(cred->fsgid, f->op, f->gid); 518 512 break; 519 513 case AUDIT_SESSIONID: 520 - sessionid = audit_get_sessionid(current); 514 + sessionid = audit_get_sessionid(tsk); 521 515 result = audit_comparator(sessionid, f->op, f->val); 522 516 break; 523 517 case AUDIT_PERS: ··· 615 609 result = match_tree_refs(ctx, rule->tree); 616 610 break; 617 611 case AUDIT_LOGINUID: 618 - result = audit_uid_comparator(tsk->loginuid, f->op, f->uid); 612 + result = audit_uid_comparator(audit_get_loginuid(tsk), 613 + f->op, f->uid); 619 614 break; 620 615 case AUDIT_LOGINUID_SET: 621 616 result = audit_comparator(audit_loginuid_set(tsk), f->op, f->val); ··· 870 863 audit_filter_inodes(tsk, context); 871 864 } 872 865 873 - tsk->audit_context = NULL; 866 + audit_set_context(tsk, NULL); 874 867 return context; 875 868 } 876 869 ··· 957 950 } 958 951 context->filterkey = key; 959 952 960 - tsk->audit_context = context; 953 + audit_set_context(tsk, context); 961 954 set_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT); 962 955 return 0; 963 956 } ··· 1514 1507 void __audit_syscall_entry(int major, unsigned long a1, unsigned long a2, 1515 1508 unsigned long a3, unsigned long a4) 1516 1509 { 1517 - struct task_struct *tsk = current; 1518 - struct audit_context *context = tsk->audit_context; 1510 + struct audit_context *context = audit_context(); 1519 1511 enum audit_state state; 1520 1512 1521 1513 if (!audit_enabled || !context) ··· 1529 1523 context->dummy = !audit_n_rules; 1530 1524 if (!context->dummy && state == AUDIT_BUILD_CONTEXT) { 1531 1525 context->prio = 0; 1532 - if (auditd_test_task(tsk)) 1526 + if (auditd_test_task(current)) 1533 1527 return; 1534 1528 } 1535 1529 ··· 1559 1553 */ 1560 1554 void __audit_syscall_exit(int success, long return_code) 1561 1555 { 1562 - struct task_struct *tsk = current; 1563 1556 struct audit_context *context; 1564 1557 1565 1558 if (success) ··· 1566 1561 else 1567 1562 success = AUDITSC_FAILURE; 1568 1563 1569 - context = audit_take_context(tsk, success, return_code); 1564 + context = audit_take_context(current, success, return_code); 1570 1565 if (!context) 1571 1566 return; 1572 1567 1573 1568 if (context->in_syscall && context->current_state == AUDIT_RECORD_CONTEXT) 1574 - audit_log_exit(context, tsk); 1569 + audit_log_exit(context, current); 1575 1570 1576 1571 context->in_syscall = 0; 1577 1572 context->prio = context->state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0; ··· 1593 1588 kfree(context->filterkey); 1594 1589 context->filterkey = NULL; 1595 1590 } 1596 - tsk->audit_context = context; 1591 + audit_set_context(current, context); 1597 1592 } 1598 1593 1599 1594 static inline void handle_one(const struct inode *inode) ··· 1605 1600 int count; 1606 1601 if (likely(!inode->i_fsnotify_marks)) 1607 1602 return; 1608 - context = current->audit_context; 1603 + context = audit_context(); 1609 1604 p = context->trees; 1610 1605 count = context->tree_count; 1611 1606 rcu_read_lock(); ··· 1636 1631 unsigned long seq; 1637 1632 int count; 1638 1633 1639 - context = current->audit_context; 1634 + context = audit_context(); 1640 1635 p = context->trees; 1641 1636 count = context->tree_count; 1642 1637 retry: ··· 1718 1713 struct filename * 1719 1714 __audit_reusename(const __user char *uptr) 1720 1715 { 1721 - struct audit_context *context = current->audit_context; 1716 + struct audit_context *context = audit_context(); 1722 1717 struct audit_names *n; 1723 1718 1724 1719 list_for_each_entry(n, &context->names_list, list) { ··· 1741 1736 */ 1742 1737 void __audit_getname(struct filename *name) 1743 1738 { 1744 - struct audit_context *context = current->audit_context; 1739 + struct audit_context *context = audit_context(); 1745 1740 struct audit_names *n; 1746 1741 1747 1742 if (!context->in_syscall) ··· 1769 1764 void __audit_inode(struct filename *name, const struct dentry *dentry, 1770 1765 unsigned int flags) 1771 1766 { 1772 - struct audit_context *context = current->audit_context; 1767 + struct audit_context *context = audit_context(); 1773 1768 struct inode *inode = d_backing_inode(dentry); 1774 1769 struct audit_names *n; 1775 1770 bool parent = flags & AUDIT_INODE_PARENT; ··· 1868 1863 const struct dentry *dentry, 1869 1864 const unsigned char type) 1870 1865 { 1871 - struct audit_context *context = current->audit_context; 1866 + struct audit_context *context = audit_context(); 1872 1867 struct inode *inode = d_backing_inode(dentry); 1873 1868 const char *dname = dentry->d_name.name; 1874 1869 struct audit_names *n, *found_parent = NULL, *found_child = NULL; ··· 2053 2048 int audit_set_loginuid(kuid_t loginuid) 2054 2049 { 2055 2050 struct task_struct *task = current; 2056 - unsigned int oldsessionid, sessionid = (unsigned int)-1; 2051 + unsigned int oldsessionid, sessionid = AUDIT_SID_UNSET; 2057 2052 kuid_t oldloginuid; 2058 2053 int rc; 2059 2054 ··· 2067 2062 /* are we setting or clearing? */ 2068 2063 if (uid_valid(loginuid)) { 2069 2064 sessionid = (unsigned int)atomic_inc_return(&session_id); 2070 - if (unlikely(sessionid == (unsigned int)-1)) 2065 + if (unlikely(sessionid == AUDIT_SID_UNSET)) 2071 2066 sessionid = (unsigned int)atomic_inc_return(&session_id); 2072 2067 } 2073 2068 ··· 2087 2082 */ 2088 2083 void __audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr) 2089 2084 { 2090 - struct audit_context *context = current->audit_context; 2085 + struct audit_context *context = audit_context(); 2091 2086 2092 2087 if (attr) 2093 2088 memcpy(&context->mq_open.attr, attr, sizeof(struct mq_attr)); ··· 2111 2106 void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, 2112 2107 const struct timespec64 *abs_timeout) 2113 2108 { 2114 - struct audit_context *context = current->audit_context; 2109 + struct audit_context *context = audit_context(); 2115 2110 struct timespec64 *p = &context->mq_sendrecv.abs_timeout; 2116 2111 2117 2112 if (abs_timeout) ··· 2135 2130 2136 2131 void __audit_mq_notify(mqd_t mqdes, const struct sigevent *notification) 2137 2132 { 2138 - struct audit_context *context = current->audit_context; 2133 + struct audit_context *context = audit_context(); 2139 2134 2140 2135 if (notification) 2141 2136 context->mq_notify.sigev_signo = notification->sigev_signo; ··· 2154 2149 */ 2155 2150 void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat) 2156 2151 { 2157 - struct audit_context *context = current->audit_context; 2152 + struct audit_context *context = audit_context(); 2158 2153 context->mq_getsetattr.mqdes = mqdes; 2159 2154 context->mq_getsetattr.mqstat = *mqstat; 2160 2155 context->type = AUDIT_MQ_GETSETATTR; ··· 2167 2162 */ 2168 2163 void __audit_ipc_obj(struct kern_ipc_perm *ipcp) 2169 2164 { 2170 - struct audit_context *context = current->audit_context; 2165 + struct audit_context *context = audit_context(); 2171 2166 context->ipc.uid = ipcp->uid; 2172 2167 context->ipc.gid = ipcp->gid; 2173 2168 context->ipc.mode = ipcp->mode; ··· 2187 2182 */ 2188 2183 void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode) 2189 2184 { 2190 - struct audit_context *context = current->audit_context; 2185 + struct audit_context *context = audit_context(); 2191 2186 2192 2187 context->ipc.qbytes = qbytes; 2193 2188 context->ipc.perm_uid = uid; ··· 2198 2193 2199 2194 void __audit_bprm(struct linux_binprm *bprm) 2200 2195 { 2201 - struct audit_context *context = current->audit_context; 2196 + struct audit_context *context = audit_context(); 2202 2197 2203 2198 context->type = AUDIT_EXECVE; 2204 2199 context->execve.argc = bprm->argc; ··· 2213 2208 */ 2214 2209 int __audit_socketcall(int nargs, unsigned long *args) 2215 2210 { 2216 - struct audit_context *context = current->audit_context; 2211 + struct audit_context *context = audit_context(); 2217 2212 2218 2213 if (nargs <= 0 || nargs > AUDITSC_ARGS || !args) 2219 2214 return -EINVAL; ··· 2231 2226 */ 2232 2227 void __audit_fd_pair(int fd1, int fd2) 2233 2228 { 2234 - struct audit_context *context = current->audit_context; 2229 + struct audit_context *context = audit_context(); 2235 2230 context->fds[0] = fd1; 2236 2231 context->fds[1] = fd2; 2237 2232 } ··· 2245 2240 */ 2246 2241 int __audit_sockaddr(int len, void *a) 2247 2242 { 2248 - struct audit_context *context = current->audit_context; 2243 + struct audit_context *context = audit_context(); 2249 2244 2250 2245 if (!context->sockaddr) { 2251 2246 void *p = kmalloc(sizeof(struct sockaddr_storage), GFP_KERNEL); ··· 2261 2256 2262 2257 void __audit_ptrace(struct task_struct *t) 2263 2258 { 2264 - struct audit_context *context = current->audit_context; 2259 + struct audit_context *context = audit_context(); 2265 2260 2266 2261 context->target_pid = task_tgid_nr(t); 2267 2262 context->target_auid = audit_get_loginuid(t); ··· 2282 2277 int audit_signal_info(int sig, struct task_struct *t) 2283 2278 { 2284 2279 struct audit_aux_data_pids *axp; 2285 - struct task_struct *tsk = current; 2286 - struct audit_context *ctx = tsk->audit_context; 2287 - kuid_t uid = current_uid(), t_uid = task_uid(t); 2280 + struct audit_context *ctx = audit_context(); 2281 + kuid_t uid = current_uid(), auid, t_uid = task_uid(t); 2288 2282 2289 2283 if (auditd_test_task(t) && 2290 2284 (sig == SIGTERM || sig == SIGHUP || 2291 2285 sig == SIGUSR1 || sig == SIGUSR2)) { 2292 - audit_sig_pid = task_tgid_nr(tsk); 2293 - if (uid_valid(tsk->loginuid)) 2294 - audit_sig_uid = tsk->loginuid; 2286 + audit_sig_pid = task_tgid_nr(current); 2287 + auid = audit_get_loginuid(current); 2288 + if (uid_valid(auid)) 2289 + audit_sig_uid = auid; 2295 2290 else 2296 2291 audit_sig_uid = uid; 2297 - security_task_getsecid(tsk, &audit_sig_sid); 2292 + security_task_getsecid(current, &audit_sig_sid); 2298 2293 } 2299 2294 2300 2295 if (!audit_signals || audit_dummy_context()) ··· 2350 2345 const struct cred *new, const struct cred *old) 2351 2346 { 2352 2347 struct audit_aux_data_bprm_fcaps *ax; 2353 - struct audit_context *context = current->audit_context; 2348 + struct audit_context *context = audit_context(); 2354 2349 struct cpu_vfs_cap_data vcaps; 2355 2350 2356 2351 ax = kmalloc(sizeof(*ax), GFP_KERNEL); ··· 2390 2385 */ 2391 2386 void __audit_log_capset(const struct cred *new, const struct cred *old) 2392 2387 { 2393 - struct audit_context *context = current->audit_context; 2388 + struct audit_context *context = audit_context(); 2394 2389 context->capset.pid = task_tgid_nr(current); 2395 2390 context->capset.cap.effective = new->cap_effective; 2396 2391 context->capset.cap.inheritable = new->cap_effective; ··· 2401 2396 2402 2397 void __audit_mmap_fd(int fd, int flags) 2403 2398 { 2404 - struct audit_context *context = current->audit_context; 2399 + struct audit_context *context = audit_context(); 2405 2400 context->mmap.fd = fd; 2406 2401 context->mmap.flags = flags; 2407 2402 context->type = AUDIT_MMAP; ··· 2409 2404 2410 2405 void __audit_log_kern_module(char *name) 2411 2406 { 2412 - struct audit_context *context = current->audit_context; 2407 + struct audit_context *context = audit_context(); 2413 2408 2414 2409 context->module.name = kmalloc(strlen(name) + 1, GFP_KERNEL); 2415 2410 strcpy(context->module.name, name); ··· 2418 2413 2419 2414 void __audit_fanotify(unsigned int response) 2420 2415 { 2421 - audit_log(current->audit_context, GFP_KERNEL, 2416 + audit_log(audit_context(), GFP_KERNEL, 2422 2417 AUDIT_FANOTIFY, "resp=%u", response); 2423 2418 } 2424 2419 ··· 2469 2464 audit_log_end(ab); 2470 2465 } 2471 2466 2472 - void __audit_seccomp(unsigned long syscall, long signr, int code) 2467 + /** 2468 + * audit_seccomp - record information about a seccomp action 2469 + * @syscall: syscall number 2470 + * @signr: signal value 2471 + * @code: the seccomp action 2472 + * 2473 + * Record the information associated with a seccomp action. Event filtering for 2474 + * seccomp actions that are not to be logged is done in seccomp_log(). 2475 + * Therefore, this function forces auditing independent of the audit_enabled 2476 + * and dummy context state because seccomp actions should be logged even when 2477 + * audit is not in use. 2478 + */ 2479 + void audit_seccomp(unsigned long syscall, long signr, int code) 2473 2480 { 2474 2481 struct audit_buffer *ab; 2475 2482 ··· 2495 2478 audit_log_end(ab); 2496 2479 } 2497 2480 2481 + void audit_seccomp_actions_logged(const char *names, const char *old_names, 2482 + int res) 2483 + { 2484 + struct audit_buffer *ab; 2485 + 2486 + if (!audit_enabled) 2487 + return; 2488 + 2489 + ab = audit_log_start(audit_context(), GFP_KERNEL, 2490 + AUDIT_CONFIG_CHANGE); 2491 + if (unlikely(!ab)) 2492 + return; 2493 + 2494 + audit_log_format(ab, "op=seccomp-logging"); 2495 + audit_log_format(ab, " actions=%s", names); 2496 + audit_log_format(ab, " old-actions=%s", old_names); 2497 + audit_log_format(ab, " res=%d", res); 2498 + audit_log_end(ab); 2499 + } 2500 + 2498 2501 struct list_head *audit_killed_trees(void) 2499 2502 { 2500 - struct audit_context *ctx = current->audit_context; 2503 + struct audit_context *ctx = audit_context(); 2501 2504 if (likely(!ctx || !ctx->in_syscall)) 2502 2505 return NULL; 2503 2506 return &ctx->killed_trees;
+1 -1
kernel/fork.c
··· 1712 1712 p->start_time = ktime_get_ns(); 1713 1713 p->real_start_time = ktime_get_boot_ns(); 1714 1714 p->io_context = NULL; 1715 - p->audit_context = NULL; 1715 + audit_set_context(p, NULL); 1716 1716 cgroup_fork(p); 1717 1717 #ifdef CONFIG_NUMA 1718 1718 p->mempolicy = mpol_dup(p->mempolicy);
+91 -37
kernel/seccomp.c
··· 593 593 } 594 594 595 595 /* 596 - * Force an audit message to be emitted when the action is RET_KILL_*, 597 - * RET_LOG, or the FILTER_FLAG_LOG bit was set and the action is 598 - * allowed to be logged by the admin. 596 + * Emit an audit message when the action is RET_KILL_*, RET_LOG, or the 597 + * FILTER_FLAG_LOG bit was set. The admin has the ability to silence 598 + * any action from being logged by removing the action name from the 599 + * seccomp_actions_logged sysctl. 599 600 */ 600 - if (log) 601 - return __audit_seccomp(syscall, signr, action); 601 + if (!log) 602 + return; 602 603 603 - /* 604 - * Let the audit subsystem decide if the action should be audited based 605 - * on whether the current task itself is being audited. 606 - */ 607 - return audit_seccomp(syscall, signr, action); 604 + audit_seccomp(syscall, signr, action); 608 605 } 609 606 610 607 /* ··· 1141 1144 }; 1142 1145 1143 1146 static bool seccomp_names_from_actions_logged(char *names, size_t size, 1144 - u32 actions_logged) 1147 + u32 actions_logged, 1148 + const char *sep) 1145 1149 { 1146 1150 const struct seccomp_log_name *cur; 1147 - bool append_space = false; 1151 + bool append_sep = false; 1148 1152 1149 1153 for (cur = seccomp_log_names; cur->name && size; cur++) { 1150 1154 ssize_t ret; ··· 1153 1155 if (!(actions_logged & cur->log)) 1154 1156 continue; 1155 1157 1156 - if (append_space) { 1157 - ret = strscpy(names, " ", size); 1158 + if (append_sep) { 1159 + ret = strscpy(names, sep, size); 1158 1160 if (ret < 0) 1159 1161 return false; 1160 1162 1161 1163 names += ret; 1162 1164 size -= ret; 1163 1165 } else 1164 - append_space = true; 1166 + append_sep = true; 1165 1167 1166 1168 ret = strscpy(names, cur->name, size); 1167 1169 if (ret < 0) ··· 1206 1208 return true; 1207 1209 } 1208 1210 1209 - static int seccomp_actions_logged_handler(struct ctl_table *ro_table, int write, 1210 - void __user *buffer, size_t *lenp, 1211 - loff_t *ppos) 1211 + static int read_actions_logged(struct ctl_table *ro_table, void __user *buffer, 1212 + size_t *lenp, loff_t *ppos) 1213 + { 1214 + char names[sizeof(seccomp_actions_avail)]; 1215 + struct ctl_table table; 1216 + 1217 + memset(names, 0, sizeof(names)); 1218 + 1219 + if (!seccomp_names_from_actions_logged(names, sizeof(names), 1220 + seccomp_actions_logged, " ")) 1221 + return -EINVAL; 1222 + 1223 + table = *ro_table; 1224 + table.data = names; 1225 + table.maxlen = sizeof(names); 1226 + return proc_dostring(&table, 0, buffer, lenp, ppos); 1227 + } 1228 + 1229 + static int write_actions_logged(struct ctl_table *ro_table, void __user *buffer, 1230 + size_t *lenp, loff_t *ppos, u32 *actions_logged) 1212 1231 { 1213 1232 char names[sizeof(seccomp_actions_avail)]; 1214 1233 struct ctl_table table; 1215 1234 int ret; 1216 1235 1217 - if (write && !capable(CAP_SYS_ADMIN)) 1236 + if (!capable(CAP_SYS_ADMIN)) 1218 1237 return -EPERM; 1219 1238 1220 1239 memset(names, 0, sizeof(names)); 1221 1240 1222 - if (!write) { 1223 - if (!seccomp_names_from_actions_logged(names, sizeof(names), 1224 - seccomp_actions_logged)) 1225 - return -EINVAL; 1226 - } 1227 - 1228 1241 table = *ro_table; 1229 1242 table.data = names; 1230 1243 table.maxlen = sizeof(names); 1231 - ret = proc_dostring(&table, write, buffer, lenp, ppos); 1244 + ret = proc_dostring(&table, 1, buffer, lenp, ppos); 1232 1245 if (ret) 1233 1246 return ret; 1234 1247 1235 - if (write) { 1236 - u32 actions_logged; 1248 + if (!seccomp_actions_logged_from_names(actions_logged, table.data)) 1249 + return -EINVAL; 1237 1250 1238 - if (!seccomp_actions_logged_from_names(&actions_logged, 1239 - table.data)) 1240 - return -EINVAL; 1251 + if (*actions_logged & SECCOMP_LOG_ALLOW) 1252 + return -EINVAL; 1241 1253 1242 - if (actions_logged & SECCOMP_LOG_ALLOW) 1243 - return -EINVAL; 1244 - 1245 - seccomp_actions_logged = actions_logged; 1246 - } 1247 - 1254 + seccomp_actions_logged = *actions_logged; 1248 1255 return 0; 1256 + } 1257 + 1258 + static void audit_actions_logged(u32 actions_logged, u32 old_actions_logged, 1259 + int ret) 1260 + { 1261 + char names[sizeof(seccomp_actions_avail)]; 1262 + char old_names[sizeof(seccomp_actions_avail)]; 1263 + const char *new = names; 1264 + const char *old = old_names; 1265 + 1266 + if (!audit_enabled) 1267 + return; 1268 + 1269 + memset(names, 0, sizeof(names)); 1270 + memset(old_names, 0, sizeof(old_names)); 1271 + 1272 + if (ret) 1273 + new = "?"; 1274 + else if (!actions_logged) 1275 + new = "(none)"; 1276 + else if (!seccomp_names_from_actions_logged(names, sizeof(names), 1277 + actions_logged, ",")) 1278 + new = "?"; 1279 + 1280 + if (!old_actions_logged) 1281 + old = "(none)"; 1282 + else if (!seccomp_names_from_actions_logged(old_names, 1283 + sizeof(old_names), 1284 + old_actions_logged, ",")) 1285 + old = "?"; 1286 + 1287 + return audit_seccomp_actions_logged(new, old, !ret); 1288 + } 1289 + 1290 + static int seccomp_actions_logged_handler(struct ctl_table *ro_table, int write, 1291 + void __user *buffer, size_t *lenp, 1292 + loff_t *ppos) 1293 + { 1294 + int ret; 1295 + 1296 + if (write) { 1297 + u32 actions_logged = 0; 1298 + u32 old_actions_logged = seccomp_actions_logged; 1299 + 1300 + ret = write_actions_logged(ro_table, buffer, lenp, ppos, 1301 + &actions_logged); 1302 + audit_actions_logged(actions_logged, old_actions_logged, ret); 1303 + } else 1304 + ret = read_actions_logged(ro_table, buffer, lenp, ppos); 1305 + 1306 + return ret; 1249 1307 } 1250 1308 1251 1309 static struct ctl_path seccomp_sysctl_path[] = {
+1 -1
net/bridge/netfilter/ebtables.c
··· 1062 1062 1063 1063 #ifdef CONFIG_AUDIT 1064 1064 if (audit_enabled) { 1065 - audit_log(current->audit_context, GFP_KERNEL, 1065 + audit_log(audit_context(), GFP_KERNEL, 1066 1066 AUDIT_NETFILTER_CFG, 1067 1067 "table=%s family=%u entries=%u", 1068 1068 repl->name, AF_BRIDGE, repl->nentries);
+9 -9
net/core/dev.c
··· 6731 6731 dev->flags & IFF_PROMISC ? "entered" : "left"); 6732 6732 if (audit_enabled) { 6733 6733 current_uid_gid(&uid, &gid); 6734 - audit_log(current->audit_context, GFP_ATOMIC, 6735 - AUDIT_ANOM_PROMISCUOUS, 6736 - "dev=%s prom=%d old_prom=%d auid=%u uid=%u gid=%u ses=%u", 6737 - dev->name, (dev->flags & IFF_PROMISC), 6738 - (old_flags & IFF_PROMISC), 6739 - from_kuid(&init_user_ns, audit_get_loginuid(current)), 6740 - from_kuid(&init_user_ns, uid), 6741 - from_kgid(&init_user_ns, gid), 6742 - audit_get_sessionid(current)); 6734 + audit_log(audit_context(), GFP_ATOMIC, 6735 + AUDIT_ANOM_PROMISCUOUS, 6736 + "dev=%s prom=%d old_prom=%d auid=%u uid=%u gid=%u ses=%u", 6737 + dev->name, (dev->flags & IFF_PROMISC), 6738 + (old_flags & IFF_PROMISC), 6739 + from_kuid(&init_user_ns, audit_get_loginuid(current)), 6740 + from_kuid(&init_user_ns, uid), 6741 + from_kgid(&init_user_ns, gid), 6742 + audit_get_sessionid(current)); 6743 6743 } 6744 6744 6745 6745 dev_change_rx_flags(dev, IFF_PROMISC);
+1 -1
net/netfilter/x_tables.c
··· 1420 1420 1421 1421 #ifdef CONFIG_AUDIT 1422 1422 if (audit_enabled) { 1423 - audit_log(current->audit_context, GFP_KERNEL, 1423 + audit_log(audit_context(), GFP_KERNEL, 1424 1424 AUDIT_NETFILTER_CFG, 1425 1425 "table=%s family=%u entries=%u", 1426 1426 table->name, table->af, private->number);
+1 -1
net/netlabel/netlabel_user.c
··· 104 104 if (audit_enabled == 0) 105 105 return NULL; 106 106 107 - audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC, type); 107 + audit_buf = audit_log_start(audit_context(), GFP_ATOMIC, type); 108 108 if (audit_buf == NULL) 109 109 return NULL; 110 110
+1 -1
security/integrity/ima/ima_api.c
··· 326 326 hex_byte_pack(hash + (i * 2), iint->ima_hash->digest[i]); 327 327 hash[i * 2] = '\0'; 328 328 329 - ab = audit_log_start(current->audit_context, GFP_KERNEL, 329 + ab = audit_log_start(audit_context(), GFP_KERNEL, 330 330 AUDIT_INTEGRITY_RULE); 331 331 if (!ab) 332 332 goto out;
+1 -1
security/integrity/integrity_audit.c
··· 38 38 if (!integrity_audit_info && audit_info == 1) /* Skip info messages */ 39 39 return; 40 40 41 - ab = audit_log_start(current->audit_context, GFP_KERNEL, audit_msgno); 41 + ab = audit_log_start(audit_context(), GFP_KERNEL, audit_msgno); 42 42 audit_log_format(ab, "pid=%d uid=%u auid=%u ses=%u", 43 43 task_pid_nr(current), 44 44 from_kuid(&init_user_ns, current_cred()->uid),
+1 -1
security/lsm_audit.c
··· 447 447 if (a == NULL) 448 448 return; 449 449 /* we use GFP_ATOMIC so we won't sleep */ 450 - ab = audit_log_start(current->audit_context, GFP_ATOMIC | __GFP_NOWARN, 450 + ab = audit_log_start(audit_context(), GFP_ATOMIC | __GFP_NOWARN, 451 451 AUDIT_AVC); 452 452 453 453 if (ab == NULL)
+5 -2
security/selinux/hooks.c
··· 3305 3305 } else { 3306 3306 audit_size = 0; 3307 3307 } 3308 - ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR); 3308 + ab = audit_log_start(audit_context(), 3309 + GFP_ATOMIC, AUDIT_SELINUX_ERR); 3309 3310 audit_log_format(ab, "op=setxattr invalid_context="); 3310 3311 audit_log_n_untrustedstring(ab, value, audit_size); 3311 3312 audit_log_end(ab); ··· 6461 6460 audit_size = size - 1; 6462 6461 else 6463 6462 audit_size = size; 6464 - ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR); 6463 + ab = audit_log_start(audit_context(), 6464 + GFP_ATOMIC, 6465 + AUDIT_SELINUX_ERR); 6465 6466 audit_log_format(ab, "op=fscreate invalid_context="); 6466 6467 audit_log_n_untrustedstring(ab, value, audit_size); 6467 6468 audit_log_end(ab);
+3 -3
security/selinux/selinuxfs.c
··· 167 167 NULL); 168 168 if (length) 169 169 goto out; 170 - audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS, 170 + audit_log(audit_context(), GFP_KERNEL, AUDIT_MAC_STATUS, 171 171 "enforcing=%d old_enforcing=%d auid=%u ses=%u" 172 172 " enabled=%d old-enabled=%d lsm=selinux res=1", 173 173 new_value, old_value, ··· 303 303 length = selinux_disable(fsi->state); 304 304 if (length) 305 305 goto out; 306 - audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS, 306 + audit_log(audit_context(), GFP_KERNEL, AUDIT_MAC_STATUS, 307 307 "enforcing=%d old_enforcing=%d auid=%u ses=%u" 308 308 " enabled=%d old-enabled=%d lsm=selinux res=1", 309 309 enforcing, enforcing, ··· 581 581 length = count; 582 582 583 583 out1: 584 - audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_POLICY_LOAD, 584 + audit_log(audit_context(), GFP_KERNEL, AUDIT_MAC_POLICY_LOAD, 585 585 "auid=%u ses=%u lsm=selinux res=1", 586 586 from_kuid(&init_user_ns, audit_get_loginuid(current)), 587 587 audit_get_sessionid(current));
+6 -6
security/selinux/ss/services.c
··· 501 501 goto out; 502 502 503 503 /* audit a message */ 504 - ab = audit_log_start(current->audit_context, 504 + ab = audit_log_start(audit_context(), 505 505 GFP_ATOMIC, AUDIT_SELINUX_ERR); 506 506 if (!ab) 507 507 goto out; ··· 743 743 goto out; 744 744 if (context_struct_to_string(p, tcontext, &t, &tlen)) 745 745 goto out; 746 - audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR, 746 + audit_log(audit_context(), GFP_ATOMIC, AUDIT_SELINUX_ERR, 747 747 "op=security_validate_transition seresult=denied" 748 748 " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s", 749 749 o, n, t, sym_name(p, SYM_CLASSES, tclass-1)); ··· 929 929 &old_name, &length) && 930 930 !context_struct_to_string(policydb, new_context, 931 931 &new_name, &length)) { 932 - audit_log(current->audit_context, 932 + audit_log(audit_context(), 933 933 GFP_ATOMIC, AUDIT_SELINUX_ERR, 934 934 "op=security_bounded_transition " 935 935 "seresult=denied " ··· 1586 1586 goto out; 1587 1587 if (context_struct_to_string(policydb, newcontext, &n, &nlen)) 1588 1588 goto out; 1589 - audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR, 1589 + audit_log(audit_context(), GFP_ATOMIC, AUDIT_SELINUX_ERR, 1590 1590 "op=security_compute_sid invalid_context=%s" 1591 1591 " scontext=%s" 1592 1592 " tcontext=%s" ··· 2882 2882 2883 2883 for (i = 0; i < len; i++) { 2884 2884 if (!!values[i] != policydb->bool_val_to_struct[i]->state) { 2885 - audit_log(current->audit_context, GFP_ATOMIC, 2885 + audit_log(audit_context(), GFP_ATOMIC, 2886 2886 AUDIT_MAC_CONFIG_CHANGE, 2887 2887 "bool=%s val=%d old_val=%d auid=%u ses=%u", 2888 2888 sym_name(policydb, SYM_BOOLS, i), ··· 3025 3025 if (rc) { 3026 3026 if (!context_struct_to_string(policydb, &newcon, &s, 3027 3027 &len)) { 3028 - audit_log(current->audit_context, 3028 + audit_log(audit_context(), 3029 3029 GFP_ATOMIC, AUDIT_SELINUX_ERR, 3030 3030 "op=security_sid_mls_copy " 3031 3031 "invalid_context=%s", s);