tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

Merge git://git.infradead.org/users/eparis/audit

Pull audit updates from Eric Paris:
"So this change across a whole bunch of arches really solves one basic
problem. We want to audit when seccomp is killing a process. seccomp
hooks in before the audit syscall entry code. audit_syscall_entry
took as an argument the arch of the given syscall. Since the arch is
part of what makes a syscall number meaningful it's an important part
of the record, but it isn't available when seccomp shoots the
syscall...

For most arch's we have a better way to get the arch (syscall_get_arch)
So the solution was two fold: Implement syscall_get_arch() everywhere
there is audit which didn't have it. Use syscall_get_arch() in the
seccomp audit code. Having syscall_get_arch() everywhere meant it was
a useless flag on the stack and we could get rid of it for the typical
syscall entry.

The other changes inside the audit system aren't grand, fixed some
records that had invalid spaces. Better locking around the task comm
field. Removing some dead functions and structs. Make some things
static. Really minor stuff"

* git://git.infradead.org/users/eparis/audit: (31 commits)
audit: rename audit_log_remove_rule to disambiguate for trees
audit: cull redundancy in audit_rule_change
audit: WARN if audit_rule_change called illegally
audit: put rule existence check in canonical order
next: openrisc: Fix build
audit: get comm using lock to avoid race in string printing
audit: remove open_arg() function that is never used
audit: correct AUDIT_GET_FEATURE return message type
audit: set nlmsg_len for multicast messages.
audit: use union for audit_field values since they are mutually exclusive
audit: invalid op= values for rules
audit: use atomic_t to simplify audit_serial()
kernel/audit.c: use ARRAY_SIZE instead of sizeof/sizeof[0]
audit: reduce scope of audit_log_fcaps
audit: reduce scope of audit_net_id
audit: arm64: Remove the audit arch argument to audit_syscall_entry
arm64: audit: Add audit hook in syscall_trace_enter/exit()
audit: x86: drop arch from __audit_syscall_entry() interface
sparc: implement is_32bit_task
sparc: properly conditionalize use of TIF_32BIT
...

Linus Torvalds ab074ade 61ed53de

options
unified split
Changed files
+204 -180
arch
alpha
include
asm
syscall.h
kernel
ptrace.c
arm
kernel
ptrace.c
arm64
kernel
ptrace.c
ia64
include
asm
syscall.h
kernel
ptrace.c
microblaze
include
asm
syscall.h
kernel
ptrace.c
mips
include
asm
syscall.h
kernel
ptrace.c
openrisc
include
asm
syscall.h
uapi
asm
elf.h
kernel
ptrace.c
parisc
include
asm
syscall.h
kernel
ptrace.c
powerpc
include
asm
syscall.h
kernel
ptrace.c
s390
kernel
ptrace.c
sh
include
asm
syscall_32.h
syscall_64.h
kernel
ptrace_32.c
ptrace_64.c
sparc
include
asm
syscall.h
thread_info_32.h
thread_info_64.h
kernel
ptrace_64.c
um
kernel
ptrace.c
x86
ia32
ia32entry.S
kernel
entry_32.S
ptrace.c
um
asm
ptrace.h
syscall.h
xtensa
kernel
ptrace.c
include
asm-generic
syscall.h
linux
audit.h
uapi
linux
audit.h
elf-em.h
kernel
audit.c
audit.h
audit_tree.c
audit_watch.c
auditfilter.c
auditsc.c
+11
arch/alpha/include/asm/syscall.h
··· 1 + #ifndef _ASM_ALPHA_SYSCALL_H 2 + #define _ASM_ALPHA_SYSCALL_H 3 + 4 + #include <uapi/linux/audit.h> 5 + 6 + static inline int syscall_get_arch(void) 7 + { 8 + return AUDIT_ARCH_ALPHA; 9 + } 10 + 11 + #endif /* _ASM_ALPHA_SYSCALL_H */
+1 -1
arch/alpha/kernel/ptrace.c
··· 321 321 if (test_thread_flag(TIF_SYSCALL_TRACE) && 322 322 tracehook_report_syscall_entry(current_pt_regs())) 323 323 ret = -1UL; 324 - audit_syscall_entry(AUDIT_ARCH_ALPHA, regs->r0, regs->r16, regs->r17, regs->r18, regs->r19); 324 + audit_syscall_entry(regs->r0, regs->r16, regs->r17, regs->r18, regs->r19); 325 325 return ret ?: current_pt_regs()->r0; 326 326 } 327 327
+2 -2
arch/arm/kernel/ptrace.c
··· 949 949 if (test_thread_flag(TIF_SYSCALL_TRACEPOINT)) 950 950 trace_sys_enter(regs, scno); 951 951 952 - audit_syscall_entry(AUDIT_ARCH_ARM, scno, regs->ARM_r0, regs->ARM_r1, 953 - regs->ARM_r2, regs->ARM_r3); 952 + audit_syscall_entry(scno, regs->ARM_r0, regs->ARM_r1, regs->ARM_r2, 953 + regs->ARM_r3); 954 954 955 955 return scno; 956 956 }
+2 -2
arch/arm64/kernel/ptrace.c
··· 1120 1120 if (test_thread_flag(TIF_SYSCALL_TRACEPOINT)) 1121 1121 trace_sys_enter(regs, regs->syscallno); 1122 1122 1123 - audit_syscall_entry(syscall_get_arch(), regs->syscallno, 1124 - regs->orig_x0, regs->regs[1], regs->regs[2], regs->regs[3]); 1123 + audit_syscall_entry(regs->syscallno, regs->orig_x0, regs->regs[1], 1124 + regs->regs[2], regs->regs[3]); 1125 1125 1126 1126 return regs->syscallno; 1127 1127 }
+6
arch/ia64/include/asm/syscall.h
··· 13 13 #ifndef _ASM_SYSCALL_H 14 14 #define _ASM_SYSCALL_H 1 15 15 16 + #include <uapi/linux/audit.h> 16 17 #include <linux/sched.h> 17 18 #include <linux/err.h> 18 19 ··· 79 78 BUG_ON(i + n > 6); 80 79 81 80 ia64_syscall_get_set_arguments(task, regs, i, n, args, 1); 81 + } 82 + 83 + static inline int syscall_get_arch(void) 84 + { 85 + return AUDIT_ARCH_IA64; 82 86 } 83 87 #endif /* _ASM_SYSCALL_H */
+1 -1
arch/ia64/kernel/ptrace.c
··· 1219 1219 ia64_sync_krbs(); 1220 1220 1221 1221 1222 - audit_syscall_entry(AUDIT_ARCH_IA64, regs.r15, arg0, arg1, arg2, arg3); 1222 + audit_syscall_entry(regs.r15, arg0, arg1, arg2, arg3); 1223 1223 1224 1224 return 0; 1225 1225 }
+5
arch/microblaze/include/asm/syscall.h
··· 1 1 #ifndef __ASM_MICROBLAZE_SYSCALL_H 2 2 #define __ASM_MICROBLAZE_SYSCALL_H 3 3 4 + #include <uapi/linux/audit.h> 4 5 #include <linux/kernel.h> 5 6 #include <linux/sched.h> 6 7 #include <asm/ptrace.h> ··· 100 99 asmlinkage long do_syscall_trace_enter(struct pt_regs *regs); 101 100 asmlinkage void do_syscall_trace_leave(struct pt_regs *regs); 102 101 102 + static inline int syscall_get_arch(void) 103 + { 104 + return AUDIT_ARCH_MICROBLAZE; 105 + } 103 106 #endif /* __ASM_MICROBLAZE_SYSCALL_H */
+1 -2
arch/microblaze/kernel/ptrace.c
··· 147 147 */ 148 148 ret = -1L; 149 149 150 - audit_syscall_entry(EM_MICROBLAZE, regs->r12, regs->r5, regs->r6, 151 - regs->r7, regs->r8); 150 + audit_syscall_entry(regs->r12, regs->r5, regs->r6, regs->r7, regs->r8); 152 151 153 152 return ret ?: regs->r12; 154 153 }
+1 -1
arch/mips/include/asm/syscall.h
··· 129 129 130 130 static inline int syscall_get_arch(void) 131 131 { 132 - int arch = EM_MIPS; 132 + int arch = AUDIT_ARCH_MIPS; 133 133 #ifdef CONFIG_64BIT 134 134 if (!test_thread_flag(TIF_32BIT_REGS)) { 135 135 arch |= __AUDIT_ARCH_64BIT;
+1 -3
arch/mips/kernel/ptrace.c
··· 780 780 if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT))) 781 781 trace_sys_enter(regs, regs->regs[2]); 782 782 783 - audit_syscall_entry(syscall_get_arch(), 784 - syscall, 785 - regs->regs[4], regs->regs[5], 783 + audit_syscall_entry(syscall, regs->regs[4], regs->regs[5], 786 784 regs->regs[6], regs->regs[7]); 787 785 return syscall; 788 786 }
+5
arch/openrisc/include/asm/syscall.h
··· 19 19 #ifndef __ASM_OPENRISC_SYSCALL_H__ 20 20 #define __ASM_OPENRISC_SYSCALL_H__ 21 21 22 + #include <uapi/linux/audit.h> 22 23 #include <linux/err.h> 23 24 #include <linux/sched.h> 24 25 ··· 72 71 memcpy(&regs->gpr[3 + i], args, n * sizeof(args[0])); 73 72 } 74 73 74 + static inline int syscall_get_arch(void) 75 + { 76 + return AUDIT_ARCH_OPENRISC; 77 + } 75 78 #endif
+1 -2
arch/openrisc/include/uapi/asm/elf.h
··· 55 55 /* A placeholder; OR32 does not have fp support yes, so no fp regs for now. */ 56 56 typedef unsigned long elf_fpregset_t; 57 57 58 - /* This should be moved to include/linux/elf.h */ 58 + /* EM_OPENRISC is defined in linux/elf-em.h */ 59 59 #define EM_OR32 0x8472 60 - #define EM_OPENRISC 92 /* OpenRISC 32-bit embedded processor */ 61 60 62 61 /* 63 62 * These are used to set parameters in the core dumps.
+1 -2
arch/openrisc/kernel/ptrace.c
··· 187 187 */ 188 188 ret = -1L; 189 189 190 - audit_syscall_entry(AUDIT_ARCH_OPENRISC, regs->gpr[11], 191 - regs->gpr[3], regs->gpr[4], 190 + audit_syscall_entry(regs->gpr[11], regs->gpr[3], regs->gpr[4], 192 191 regs->gpr[5], regs->gpr[6]); 193 192 194 193 return ret ? : regs->gpr[11];
+11
arch/parisc/include/asm/syscall.h
··· 3 3 #ifndef _ASM_PARISC_SYSCALL_H_ 4 4 #define _ASM_PARISC_SYSCALL_H_ 5 5 6 + #include <uapi/linux/audit.h> 7 + #include <linux/compat.h> 6 8 #include <linux/err.h> 7 9 #include <asm/ptrace.h> 8 10 ··· 39 37 } 40 38 } 41 39 40 + static inline int syscall_get_arch(void) 41 + { 42 + int arch = AUDIT_ARCH_PARISC; 43 + #ifdef CONFIG_64BIT 44 + if (!is_compat_task()) 45 + arch = AUDIT_ARCH_PARISC64; 46 + #endif 47 + return arch; 48 + } 42 49 #endif /*_ASM_PARISC_SYSCALL_H_*/
+3 -6
arch/parisc/kernel/ptrace.c
··· 280 280 281 281 #ifdef CONFIG_64BIT 282 282 if (!is_compat_task()) 283 - audit_syscall_entry(AUDIT_ARCH_PARISC64, 284 - regs->gr[20], 285 - regs->gr[26], regs->gr[25], 286 - regs->gr[24], regs->gr[23]); 283 + audit_syscall_entry(regs->gr[20], regs->gr[26], regs->gr[25], 284 + regs->gr[24], regs->gr[23]); 287 285 else 288 286 #endif 289 - audit_syscall_entry(AUDIT_ARCH_PARISC, 290 - regs->gr[20] & 0xffffffff, 287 + audit_syscall_entry(regs->gr[20] & 0xffffffff, 291 288 regs->gr[26] & 0xffffffff, 292 289 regs->gr[25] & 0xffffffff, 293 290 regs->gr[24] & 0xffffffff,
+6
arch/powerpc/include/asm/syscall.h
··· 13 13 #ifndef _ASM_SYSCALL_H 14 14 #define _ASM_SYSCALL_H 1 15 15 16 + #include <uapi/linux/audit.h> 16 17 #include <linux/sched.h> 18 + #include <linux/thread_info.h> 17 19 18 20 /* ftrace syscalls requires exporting the sys_call_table */ 19 21 #ifdef CONFIG_FTRACE_SYSCALLS ··· 88 86 memcpy(&regs->gpr[3 + i], args, n * sizeof(args[0])); 89 87 } 90 88 89 + static inline int syscall_get_arch(void) 90 + { 91 + return is_32bit_task() ? AUDIT_ARCH_PPC : AUDIT_ARCH_PPC64; 92 + } 91 93 #endif /* _ASM_SYSCALL_H */
+2 -5
arch/powerpc/kernel/ptrace.c
··· 1788 1788 1789 1789 #ifdef CONFIG_PPC64 1790 1790 if (!is_32bit_task()) 1791 - audit_syscall_entry(AUDIT_ARCH_PPC64, 1792 - regs->gpr[0], 1793 - regs->gpr[3], regs->gpr[4], 1791 + audit_syscall_entry(regs->gpr[0], regs->gpr[3], regs->gpr[4], 1794 1792 regs->gpr[5], regs->gpr[6]); 1795 1793 else 1796 1794 #endif 1797 - audit_syscall_entry(AUDIT_ARCH_PPC, 1798 - regs->gpr[0], 1795 + audit_syscall_entry(regs->gpr[0], 1799 1796 regs->gpr[3] & 0xffffffff, 1800 1797 regs->gpr[4] & 0xffffffff, 1801 1798 regs->gpr[5] & 0xffffffff,
+1 -3
arch/s390/kernel/ptrace.c
··· 834 834 if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT))) 835 835 trace_sys_enter(regs, regs->gprs[2]); 836 836 837 - audit_syscall_entry(is_compat_task() ? 838 - AUDIT_ARCH_S390 : AUDIT_ARCH_S390X, 839 - regs->gprs[2], regs->orig_gpr2, 837 + audit_syscall_entry(regs->gprs[2], regs->orig_gpr2, 840 838 regs->gprs[3], regs->gprs[4], 841 839 regs->gprs[5]); 842 840 out:
+10
arch/sh/include/asm/syscall_32.h
··· 1 1 #ifndef __ASM_SH_SYSCALL_32_H 2 2 #define __ASM_SH_SYSCALL_32_H 3 3 4 + #include <uapi/linux/audit.h> 4 5 #include <linux/kernel.h> 5 6 #include <linux/sched.h> 6 7 #include <linux/err.h> ··· 94 93 } 95 94 } 96 95 96 + static inline int syscall_get_arch(void) 97 + { 98 + int arch = AUDIT_ARCH_SH; 99 + 100 + #ifdef CONFIG_CPU_LITTLE_ENDIAN 101 + arch |= __AUDIT_ARCH_LE; 102 + #endif 103 + return arch; 104 + } 97 105 #endif /* __ASM_SH_SYSCALL_32_H */
+14
arch/sh/include/asm/syscall_64.h
··· 1 1 #ifndef __ASM_SH_SYSCALL_64_H 2 2 #define __ASM_SH_SYSCALL_64_H 3 3 4 + #include <uapi/linux/audit.h> 4 5 #include <linux/kernel.h> 5 6 #include <linux/sched.h> 6 7 #include <asm/ptrace.h> ··· 62 61 memcpy(&regs->regs[2 + i], args, n * sizeof(args[0])); 63 62 } 64 63 64 + static inline int syscall_get_arch(void) 65 + { 66 + int arch = AUDIT_ARCH_SH; 67 + 68 + #ifdef CONFIG_64BIT 69 + arch |= __AUDIT_ARCH_64BIT; 70 + #endif 71 + #ifdef CONFIG_CPU_LITTLE_ENDIAN 72 + arch |= __AUDIT_ARCH_LE; 73 + #endif 74 + 75 + return arch; 76 + } 65 77 #endif /* __ASM_SH_SYSCALL_64_H */
+1 -13
arch/sh/kernel/ptrace_32.c
··· 484 484 return ret; 485 485 } 486 486 487 - static inline int audit_arch(void) 488 - { 489 - int arch = EM_SH; 490 - 491 - #ifdef CONFIG_CPU_LITTLE_ENDIAN 492 - arch |= __AUDIT_ARCH_LE; 493 - #endif 494 - 495 - return arch; 496 - } 497 - 498 487 asmlinkage long do_syscall_trace_enter(struct pt_regs *regs) 499 488 { 500 489 long ret = 0; ··· 502 513 if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT))) 503 514 trace_sys_enter(regs, regs->regs[0]); 504 515 505 - audit_syscall_entry(audit_arch(), regs->regs[3], 506 - regs->regs[4], regs->regs[5], 516 + audit_syscall_entry(regs->regs[3], regs->regs[4], regs->regs[5], 507 517 regs->regs[6], regs->regs[7]); 508 518 509 519 return ret ?: regs->regs[0];
+1 -16
arch/sh/kernel/ptrace_64.c
··· 504 504 return sys_ptrace(request, pid, addr, data); 505 505 } 506 506 507 - static inline int audit_arch(void) 508 - { 509 - int arch = EM_SH; 510 - 511 - #ifdef CONFIG_64BIT 512 - arch |= __AUDIT_ARCH_64BIT; 513 - #endif 514 - #ifdef CONFIG_CPU_LITTLE_ENDIAN 515 - arch |= __AUDIT_ARCH_LE; 516 - #endif 517 - 518 - return arch; 519 - } 520 - 521 507 asmlinkage long long do_syscall_trace_enter(struct pt_regs *regs) 522 508 { 523 509 long long ret = 0; ··· 522 536 if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT))) 523 537 trace_sys_enter(regs, regs->regs[9]); 524 538 525 - audit_syscall_entry(audit_arch(), regs->regs[1], 526 - regs->regs[2], regs->regs[3], 539 + audit_syscall_entry(regs->regs[1], regs->regs[2], regs->regs[3], 527 540 regs->regs[4], regs->regs[5]); 528 541 529 542 return ret ?: regs->regs[9];
+7
arch/sparc/include/asm/syscall.h
··· 1 1 #ifndef __ASM_SPARC_SYSCALL_H 2 2 #define __ASM_SPARC_SYSCALL_H 3 3 4 + #include <uapi/linux/audit.h> 4 5 #include <linux/kernel.h> 5 6 #include <linux/sched.h> 6 7 #include <asm/ptrace.h> 8 + #include <asm/thread_info.h> 7 9 8 10 /* 9 11 * The syscall table always contains 32 bit pointers since we know that the ··· 124 122 125 123 for (j = 0; j < n; j++) 126 124 regs->u_regs[UREG_I0 + i + j] = args[j]; 125 + } 126 + 127 + static inline int syscall_get_arch(void) 128 + { 129 + return is_32bit_task() ? AUDIT_ARCH_SPARC : AUDIT_ARCH_SPARC64; 127 130 } 128 131 129 132 #endif /* __ASM_SPARC_SYSCALL_H */
+2
arch/sparc/include/asm/thread_info_32.h
··· 130 130 #define _TIF_DO_NOTIFY_RESUME_MASK (_TIF_NOTIFY_RESUME | \ 131 131 _TIF_SIGPENDING) 132 132 133 + #define is_32bit_task() (1) 134 + 133 135 #endif /* __KERNEL__ */ 134 136 135 137 #endif /* _ASM_THREAD_INFO_H */
+2
arch/sparc/include/asm/thread_info_64.h
··· 221 221 _TIF_NEED_RESCHED) 222 222 #define _TIF_DO_NOTIFY_RESUME_MASK (_TIF_NOTIFY_RESUME | _TIF_SIGPENDING) 223 223 224 + #define is_32bit_task() (test_thread_flag(TIF_32BIT)) 225 + 224 226 /* 225 227 * Thread-synchronous status. 226 228 *
+2 -7
arch/sparc/kernel/ptrace_64.c
··· 1076 1076 if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT))) 1077 1077 trace_sys_enter(regs, regs->u_regs[UREG_G1]); 1078 1078 1079 - audit_syscall_entry((test_thread_flag(TIF_32BIT) ? 1080 - AUDIT_ARCH_SPARC : 1081 - AUDIT_ARCH_SPARC64), 1082 - regs->u_regs[UREG_G1], 1083 - regs->u_regs[UREG_I0], 1084 - regs->u_regs[UREG_I1], 1085 - regs->u_regs[UREG_I2], 1079 + audit_syscall_entry(regs->u_regs[UREG_G1], regs->u_regs[UREG_I0], 1080 + regs->u_regs[UREG_I1], regs->u_regs[UREG_I2], 1086 1081 regs->u_regs[UREG_I3]); 1087 1082 1088 1083 return ret;
+1 -2
arch/um/kernel/ptrace.c
··· 165 165 */ 166 166 void syscall_trace_enter(struct pt_regs *regs) 167 167 { 168 - audit_syscall_entry(HOST_AUDIT_ARCH, 169 - UPT_SYSCALL_NR(&regs->regs), 168 + audit_syscall_entry(UPT_SYSCALL_NR(&regs->regs), 170 169 UPT_SYSCALL_ARG1(&regs->regs), 171 170 UPT_SYSCALL_ARG2(&regs->regs), 172 171 UPT_SYSCALL_ARG3(&regs->regs),
+6 -6
arch/x86/ia32/ia32entry.S
··· 198 198 199 199 #ifdef CONFIG_AUDITSYSCALL 200 200 .macro auditsys_entry_common 201 - movl %esi,%r9d /* 6th arg: 4th syscall arg */ 202 - movl %edx,%r8d /* 5th arg: 3rd syscall arg */ 203 - /* (already in %ecx) 4th arg: 2nd syscall arg */ 204 - movl %ebx,%edx /* 3rd arg: 1st syscall arg */ 205 - movl %eax,%esi /* 2nd arg: syscall number */ 206 - movl $AUDIT_ARCH_I386,%edi /* 1st arg: audit arch */ 201 + movl %esi,%r8d /* 5th arg: 4th syscall arg */ 202 + movl %ecx,%r9d /*swap with edx*/ 203 + movl %edx,%ecx /* 4th arg: 3rd syscall arg */ 204 + movl %r9d,%edx /* 3rd arg: 2nd syscall arg */ 205 + movl %ebx,%esi /* 2nd arg: 1st syscall arg */ 206 + movl %eax,%edi /* 1st arg: syscall number */ 207 207 call __audit_syscall_entry 208 208 movl RAX-ARGOFFSET(%rsp),%eax /* reload syscall number */ 209 209 cmpq $(IA32_NR_syscalls-1),%rax
+5 -6
arch/x86/kernel/entry_32.S
··· 449 449 jnz syscall_trace_entry 450 450 addl $4,%esp 451 451 CFI_ADJUST_CFA_OFFSET -4 452 - /* %esi already in 8(%esp) 6th arg: 4th syscall arg */ 453 - /* %edx already in 4(%esp) 5th arg: 3rd syscall arg */ 454 - /* %ecx already in 0(%esp) 4th arg: 2nd syscall arg */ 455 - movl %ebx,%ecx /* 3rd arg: 1st syscall arg */ 456 - movl %eax,%edx /* 2nd arg: syscall number */ 457 - movl $AUDIT_ARCH_I386,%eax /* 1st arg: audit arch */ 452 + movl %esi,4(%esp) /* 5th arg: 4th syscall arg */ 453 + movl %edx,(%esp) /* 4th arg: 3rd syscall arg */ 454 + /* %ecx already in %ecx 3rd arg: 2nd syscall arg */ 455 + movl %ebx,%edx /* 2nd arg: 1st syscall arg */ 456 + /* %eax already in %eax 1st arg: syscall number */ 458 457 call __audit_syscall_entry 459 458 pushl_cfi %ebx 460 459 movl PT_EAX(%esp),%eax /* reload syscall number */
+2 -2
arch/x86/kernel/ptrace.c
··· 1445 1445 { 1446 1446 #ifdef CONFIG_X86_64 1447 1447 if (arch == AUDIT_ARCH_X86_64) { 1448 - audit_syscall_entry(arch, regs->orig_ax, regs->di, 1448 + audit_syscall_entry(regs->orig_ax, regs->di, 1449 1449 regs->si, regs->dx, regs->r10); 1450 1450 } else 1451 1451 #endif 1452 1452 { 1453 - audit_syscall_entry(arch, regs->orig_ax, regs->bx, 1453 + audit_syscall_entry(regs->orig_ax, regs->bx, 1454 1454 regs->cx, regs->dx, regs->si); 1455 1455 } 1456 1456 }
-4
arch/x86/um/asm/ptrace.h
··· 47 47 48 48 #ifdef CONFIG_X86_32 49 49 50 - #define HOST_AUDIT_ARCH AUDIT_ARCH_I386 51 - 52 50 extern int ptrace_get_thread_area(struct task_struct *child, int idx, 53 51 struct user_desc __user *user_desc); 54 52 ··· 54 56 struct user_desc __user *user_desc); 55 57 56 58 #else 57 - 58 - #define HOST_AUDIT_ARCH AUDIT_ARCH_X86_64 59 59 60 60 #define PT_REGS_R8(r) UPT_R8(&(r)->regs) 61 61 #define PT_REGS_R9(r) UPT_R9(&(r)->regs)
+15
arch/x86/um/asm/syscall.h
··· 1 + #ifndef __UM_ASM_SYSCALL_H 2 + #define __UM_ASM_SYSCALL_H 3 + 4 + #include <uapi/linux/audit.h> 5 + 6 + static inline int syscall_get_arch(void) 7 + { 8 + #ifdef CONFIG_X86_32 9 + return AUDIT_ARCH_I386; 10 + #else 11 + return AUDIT_ARCH_X86_64; 12 + #endif 13 + } 14 + 15 + #endif /* __UM_ASM_SYSCALL_H */
+1 -1
arch/xtensa/kernel/ptrace.c
··· 342 342 do_syscall_trace(); 343 343 344 344 #if 0 345 - audit_syscall_entry(current, AUDIT_ARCH_XTENSA..); 345 + audit_syscall_entry(...); 346 346 #endif 347 347 } 348 348
+1 -1
include/asm-generic/syscall.h
··· 147 147 * 148 148 * Returns the AUDIT_ARCH_* based on the system call convention in use. 149 149 * 150 - * It's only valid to call this when @task is stopped on entry to a system 150 + * It's only valid to call this when current is stopped on entry to a system 151 151 * call, due to %TIF_SYSCALL_TRACE, %TIF_SYSCALL_AUDIT, or %TIF_SECCOMP. 152 152 * 153 153 * Architectures which permit CONFIG_HAVE_ARCH_SECCOMP_FILTER must
+15 -10
include/linux/audit.h
··· 66 66 67 67 struct audit_field { 68 68 u32 type; 69 - u32 val; 70 - kuid_t uid; 71 - kgid_t gid; 69 + union { 70 + u32 val; 71 + kuid_t uid; 72 + kgid_t gid; 73 + struct { 74 + char *lsm_str; 75 + void *lsm_rule; 76 + }; 77 + }; 72 78 u32 op; 73 - char *lsm_str; 74 - void *lsm_rule; 75 79 }; 76 80 77 81 extern int is_audit_feature_set(int which); ··· 113 109 #endif 114 110 115 111 #ifdef CONFIG_AUDITSYSCALL 112 + #include <asm/syscall.h> /* for syscall_get_arch() */ 113 + 116 114 /* These are defined in auditsc.c */ 117 115 /* Public API */ 118 116 extern int audit_alloc(struct task_struct *task); 119 117 extern void __audit_free(struct task_struct *task); 120 - extern void __audit_syscall_entry(int arch, 121 - int major, unsigned long a0, unsigned long a1, 118 + extern void __audit_syscall_entry(int major, unsigned long a0, unsigned long a1, 122 119 unsigned long a2, unsigned long a3); 123 120 extern void __audit_syscall_exit(int ret_success, long ret_value); 124 121 extern struct filename *__audit_reusename(const __user char *uptr); ··· 146 141 if (unlikely(task->audit_context)) 147 142 __audit_free(task); 148 143 } 149 - static inline void audit_syscall_entry(int arch, int major, unsigned long a0, 144 + static inline void audit_syscall_entry(int major, unsigned long a0, 150 145 unsigned long a1, unsigned long a2, 151 146 unsigned long a3) 152 147 { 153 148 if (unlikely(current->audit_context)) 154 - __audit_syscall_entry(arch, major, a0, a1, a2, a3); 149 + __audit_syscall_entry(major, a0, a1, a2, a3); 155 150 } 156 151 static inline void audit_syscall_exit(void *pt_regs) 157 152 { ··· 327 322 } 328 323 static inline void audit_free(struct task_struct *task) 329 324 { } 330 - static inline void audit_syscall_entry(int arch, int major, unsigned long a0, 325 + static inline void audit_syscall_entry(int major, unsigned long a0, 331 326 unsigned long a1, unsigned long a2, 332 327 unsigned long a3) 333 328 { }
+1 -13
include/uapi/linux/audit.h
··· 352 352 #define AUDIT_ARCH_IA64 (EM_IA_64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE) 353 353 #define AUDIT_ARCH_M32R (EM_M32R) 354 354 #define AUDIT_ARCH_M68K (EM_68K) 355 + #define AUDIT_ARCH_MICROBLAZE (EM_MICROBLAZE) 355 356 #define AUDIT_ARCH_MIPS (EM_MIPS) 356 357 #define AUDIT_ARCH_MIPSEL (EM_MIPS|__AUDIT_ARCH_LE) 357 358 #define AUDIT_ARCH_MIPS64 (EM_MIPS|__AUDIT_ARCH_64BIT) ··· 444 443 __u32 fieldflags[AUDIT_MAX_FIELDS]; 445 444 __u32 buflen; /* total length of string fields */ 446 445 char buf[0]; /* string fields buffer */ 447 - }; 448 - 449 - /* audit_rule is supported to maintain backward compatibility with 450 - * userspace. It supports integer fields only and corresponds to 451 - * AUDIT_ADD, AUDIT_DEL and AUDIT_LIST requests. 452 - */ 453 - struct audit_rule { /* for AUDIT_LIST, AUDIT_ADD, and AUDIT_DEL */ 454 - __u32 flags; /* AUDIT_PER_{TASK,CALL}, AUDIT_PREPEND */ 455 - __u32 action; /* AUDIT_NEVER, AUDIT_POSSIBLE, AUDIT_ALWAYS */ 456 - __u32 field_count; 457 - __u32 mask[AUDIT_BITMASK_SIZE]; 458 - __u32 fields[AUDIT_MAX_FIELDS]; 459 - __u32 values[AUDIT_MAX_FIELDS]; 460 446 }; 461 447 462 448 #endif /* _UAPI_LINUX_AUDIT_H_ */
+1
include/uapi/linux/elf-em.h
··· 32 32 #define EM_V850 87 /* NEC v850 */ 33 33 #define EM_M32R 88 /* Renesas M32R */ 34 34 #define EM_MN10300 89 /* Panasonic/MEI MN10300, AM33 */ 35 + #define EM_OPENRISC 92 /* OpenRISC 32-bit embedded processor */ 35 36 #define EM_BLACKFIN 106 /* ADI Blackfin Processor */ 36 37 #define EM_TI_C6000 140 /* TI C6X DSPs */ 37 38 #define EM_AARCH64 183 /* ARM 64 bit */
+10 -20
kernel/audit.c
··· 126 126 127 127 /* The netlink socket. */ 128 128 static struct sock *audit_sock; 129 - int audit_net_id; 129 + static int audit_net_id; 130 130 131 131 /* Hash for inode-based rules */ 132 132 struct list_head audit_inode_hash[AUDIT_INODE_BUCKETS]; ··· 724 724 725 725 seq = nlmsg_hdr(skb)->nlmsg_seq; 726 726 727 - audit_send_reply(skb, seq, AUDIT_GET, 0, 0, &af, sizeof(af)); 727 + audit_send_reply(skb, seq, AUDIT_GET_FEATURE, 0, 0, &af, sizeof(af)); 728 728 729 729 return 0; 730 730 } ··· 750 750 struct audit_features *uaf; 751 751 int i; 752 752 753 - BUILD_BUG_ON(AUDIT_LAST_FEATURE + 1 > sizeof(audit_feature_names)/sizeof(audit_feature_names[0])); 753 + BUILD_BUG_ON(AUDIT_LAST_FEATURE + 1 > ARRAY_SIZE(audit_feature_names)); 754 754 uaf = nlmsg_data(nlmsg_hdr(skb)); 755 755 756 756 /* if there is ever a version 2 we should handle that here */ ··· 1301 1301 */ 1302 1302 unsigned int audit_serial(void) 1303 1303 { 1304 - static DEFINE_SPINLOCK(serial_lock); 1305 - static unsigned int serial = 0; 1304 + static atomic_t serial = ATOMIC_INIT(0); 1306 1305 1307 - unsigned long flags; 1308 - unsigned int ret; 1309 - 1310 - spin_lock_irqsave(&serial_lock, flags); 1311 - do { 1312 - ret = ++serial; 1313 - } while (unlikely(!ret)); 1314 - spin_unlock_irqrestore(&serial_lock, flags); 1315 - 1316 - return ret; 1306 + return atomic_add_return(1, &serial); 1317 1307 } 1318 1308 1319 1309 static inline void audit_get_stamp(struct audit_context *ctx, ··· 1671 1681 } 1672 1682 } 1673 1683 1674 - void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name) 1684 + static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name) 1675 1685 { 1676 1686 kernel_cap_t *perm = &name->fcap.permitted; 1677 1687 kernel_cap_t *inh = &name->fcap.inheritable; ··· 1850 1860 void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk) 1851 1861 { 1852 1862 const struct cred *cred; 1853 - char name[sizeof(tsk->comm)]; 1863 + char comm[sizeof(tsk->comm)]; 1854 1864 struct mm_struct *mm = tsk->mm; 1855 1865 char *tty; 1856 1866 ··· 1884 1894 from_kgid(&init_user_ns, cred->fsgid), 1885 1895 tty, audit_get_sessionid(tsk)); 1886 1896 1887 - get_task_comm(name, tsk); 1888 1897 audit_log_format(ab, " comm="); 1889 - audit_log_untrustedstring(ab, name); 1898 + audit_log_untrustedstring(ab, get_task_comm(comm, tsk)); 1890 1899 1891 1900 if (mm) { 1892 1901 down_read(&mm->mmap_sem); ··· 1948 1959 } else { 1949 1960 struct nlmsghdr *nlh = nlmsg_hdr(ab->skb); 1950 1961 1962 + nlh->nlmsg_len = ab->skb->len; 1951 1963 kauditd_send_multicast_skb(ab->skb); 1952 1964 1953 1965 /* ··· 1960 1970 * protocol between the kaudit kernel subsystem and the auditd 1961 1971 * userspace code. 1962 1972 */ 1963 - nlh->nlmsg_len = ab->skb->len - NLMSG_HDRLEN; 1973 + nlh->nlmsg_len -= NLMSG_HDRLEN; 1964 1974 1965 1975 if (audit_pid) { 1966 1976 skb_queue_tail(&audit_skb_queue, ab->skb);
-1
kernel/audit.h
··· 222 222 const struct inode *inode); 223 223 extern void audit_log_cap(struct audit_buffer *ab, char *prefix, 224 224 kernel_cap_t *cap); 225 - extern void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name); 226 225 extern void audit_log_name(struct audit_context *context, 227 226 struct audit_names *n, struct path *path, 228 227 int record_num, int *call_panic);
+3 -3
kernel/audit_tree.c
··· 449 449 return 0; 450 450 } 451 451 452 - static void audit_log_remove_rule(struct audit_krule *rule) 452 + static void audit_tree_log_remove_rule(struct audit_krule *rule) 453 453 { 454 454 struct audit_buffer *ab; 455 455 ··· 457 457 if (unlikely(!ab)) 458 458 return; 459 459 audit_log_format(ab, "op="); 460 - audit_log_string(ab, "remove rule"); 460 + audit_log_string(ab, "remove_rule"); 461 461 audit_log_format(ab, " dir="); 462 462 audit_log_untrustedstring(ab, rule->tree->pathname); 463 463 audit_log_key(ab, rule->filterkey); ··· 476 476 list_del_init(&rule->rlist); 477 477 if (rule->tree) { 478 478 /* not a half-baked one */ 479 - audit_log_remove_rule(rule); 479 + audit_tree_log_remove_rule(rule); 480 480 rule->tree = NULL; 481 481 list_del_rcu(&entry->list); 482 482 list_del(&entry->rule.list);
+2 -2
kernel/audit_watch.c
··· 314 314 &nentry->rule.list); 315 315 } 316 316 317 - audit_watch_log_rule_change(r, owatch, "updated rules"); 317 + audit_watch_log_rule_change(r, owatch, "updated_rules"); 318 318 319 319 call_rcu(&oentry->rcu, audit_free_rule_rcu); 320 320 } ··· 342 342 list_for_each_entry_safe(w, nextw, &parent->watches, wlist) { 343 343 list_for_each_entry_safe(r, nextr, &w->rules, rlist) { 344 344 e = container_of(r, struct audit_entry, rule); 345 - audit_watch_log_rule_change(r, w, "remove rule"); 345 + audit_watch_log_rule_change(r, w, "remove_rule"); 346 346 list_del(&r->rlist); 347 347 list_del(&r->list); 348 348 list_del_rcu(&e->list);
+32 -24
kernel/auditfilter.c
··· 71 71 72 72 DEFINE_MUTEX(audit_filter_mutex); 73 73 74 + static void audit_free_lsm_field(struct audit_field *f) 75 + { 76 + switch (f->type) { 77 + case AUDIT_SUBJ_USER: 78 + case AUDIT_SUBJ_ROLE: 79 + case AUDIT_SUBJ_TYPE: 80 + case AUDIT_SUBJ_SEN: 81 + case AUDIT_SUBJ_CLR: 82 + case AUDIT_OBJ_USER: 83 + case AUDIT_OBJ_ROLE: 84 + case AUDIT_OBJ_TYPE: 85 + case AUDIT_OBJ_LEV_LOW: 86 + case AUDIT_OBJ_LEV_HIGH: 87 + kfree(f->lsm_str); 88 + security_audit_rule_free(f->lsm_rule); 89 + } 90 + } 91 + 74 92 static inline void audit_free_rule(struct audit_entry *e) 75 93 { 76 94 int i; ··· 98 80 if (erule->watch) 99 81 audit_put_watch(erule->watch); 100 82 if (erule->fields) 101 - for (i = 0; i < erule->field_count; i++) { 102 - struct audit_field *f = &erule->fields[i]; 103 - kfree(f->lsm_str); 104 - security_audit_rule_free(f->lsm_rule); 105 - } 83 + for (i = 0; i < erule->field_count; i++) 84 + audit_free_lsm_field(&erule->fields[i]); 106 85 kfree(erule->fields); 107 86 kfree(erule->filterkey); 108 87 kfree(e); ··· 163 148 struct audit_field *f) 164 149 { 165 150 if (krule->listnr != AUDIT_FILTER_EXIT || 166 - krule->watch || krule->inode_f || krule->tree || 151 + krule->inode_f || krule->watch || krule->tree || 167 152 (f->op != Audit_equal && f->op != Audit_not_equal)) 168 153 return -EINVAL; 169 154 ··· 437 422 438 423 f->type = data->fields[i]; 439 424 f->val = data->values[i]; 440 - f->uid = INVALID_UID; 441 - f->gid = INVALID_GID; 442 - f->lsm_str = NULL; 443 - f->lsm_rule = NULL; 444 425 445 426 /* Support legacy tests for a valid loginuid */ 446 427 if ((f->type == AUDIT_LOGINUID) && (f->val == AUDIT_UID_UNSET)) { ··· 1064 1053 int err = 0; 1065 1054 struct audit_entry *entry; 1066 1055 1056 + entry = audit_data_to_entry(data, datasz); 1057 + if (IS_ERR(entry)) 1058 + return PTR_ERR(entry); 1059 + 1067 1060 switch (type) { 1068 1061 case AUDIT_ADD_RULE: 1069 - entry = audit_data_to_entry(data, datasz); 1070 - if (IS_ERR(entry)) 1071 - return PTR_ERR(entry); 1072 - 1073 1062 err = audit_add_rule(entry); 1074 - audit_log_rule_change("add rule", &entry->rule, !err); 1075 - if (err) 1076 - audit_free_rule(entry); 1063 + audit_log_rule_change("add_rule", &entry->rule, !err); 1077 1064 break; 1078 1065 case AUDIT_DEL_RULE: 1079 - entry = audit_data_to_entry(data, datasz); 1080 - if (IS_ERR(entry)) 1081 - return PTR_ERR(entry); 1082 - 1083 1066 err = audit_del_rule(entry); 1084 - audit_log_rule_change("remove rule", &entry->rule, !err); 1085 - audit_free_rule(entry); 1067 + audit_log_rule_change("remove_rule", &entry->rule, !err); 1086 1068 break; 1087 1069 default: 1088 - return -EINVAL; 1070 + err = -EINVAL; 1071 + WARN_ON(1); 1089 1072 } 1073 + 1074 + if (err || type == AUDIT_DEL_RULE) 1075 + audit_free_rule(entry); 1090 1076 1091 1077 return err; 1092 1078 }
+9 -19
kernel/auditsc.c
··· 67 67 #include <linux/binfmts.h> 68 68 #include <linux/highmem.h> 69 69 #include <linux/syscalls.h> 70 + #include <asm/syscall.h> 70 71 #include <linux/capability.h> 71 72 #include <linux/fs_struct.h> 72 73 #include <linux/compat.h> ··· 125 124 struct audit_tree_refs *next; 126 125 struct audit_chunk *c[31]; 127 126 }; 128 - 129 - static inline int open_arg(int flags, int mask) 130 - { 131 - int n = ACC_MODE(flags); 132 - if (flags & (O_TRUNC | O_CREAT)) 133 - n |= AUDIT_PERM_WRITE; 134 - return n & mask; 135 - } 136 127 137 128 static int audit_match_perm(struct audit_context *ctx, int mask) 138 129 { ··· 1498 1505 1499 1506 /** 1500 1507 * audit_syscall_entry - fill in an audit record at syscall entry 1501 - * @arch: architecture type 1502 1508 * @major: major syscall type (function) 1503 1509 * @a1: additional syscall register 1 1504 1510 * @a2: additional syscall register 2 ··· 1512 1520 * will only be written if another part of the kernel requests that it 1513 1521 * be written). 1514 1522 */ 1515 - void __audit_syscall_entry(int arch, int major, 1516 - unsigned long a1, unsigned long a2, 1517 - unsigned long a3, unsigned long a4) 1523 + void __audit_syscall_entry(int major, unsigned long a1, unsigned long a2, 1524 + unsigned long a3, unsigned long a4) 1518 1525 { 1519 1526 struct task_struct *tsk = current; 1520 1527 struct audit_context *context = tsk->audit_context; ··· 1527 1536 if (!audit_enabled) 1528 1537 return; 1529 1538 1530 - context->arch = arch; 1539 + context->arch = syscall_get_arch(); 1531 1540 context->major = major; 1532 1541 context->argv[0] = a1; 1533 1542 context->argv[1] = a2; ··· 2424 2433 kgid_t gid; 2425 2434 unsigned int sessionid; 2426 2435 struct mm_struct *mm = current->mm; 2436 + char comm[sizeof(current->comm)]; 2427 2437 2428 2438 auid = audit_get_loginuid(current); 2429 2439 sessionid = audit_get_sessionid(current); ··· 2437 2445 sessionid); 2438 2446 audit_log_task_context(ab); 2439 2447 audit_log_format(ab, " pid=%d comm=", task_pid_nr(current)); 2440 - audit_log_untrustedstring(ab, current->comm); 2448 + audit_log_untrustedstring(ab, get_task_comm(comm, current)); 2441 2449 if (mm) { 2442 2450 down_read(&mm->mmap_sem); 2443 2451 if (mm->exe_file) ··· 2480 2488 if (unlikely(!ab)) 2481 2489 return; 2482 2490 audit_log_task(ab); 2483 - audit_log_format(ab, " sig=%ld", signr); 2484 - audit_log_format(ab, " syscall=%ld", syscall); 2485 - audit_log_format(ab, " compat=%d", is_compat_task()); 2486 - audit_log_format(ab, " ip=0x%lx", KSTK_EIP(current)); 2487 - audit_log_format(ab, " code=0x%x", code); 2491 + audit_log_format(ab, " sig=%ld arch=%x syscall=%ld compat=%d ip=0x%lx code=0x%x", 2492 + signr, syscall_get_arch(), syscall, is_compat_task(), 2493 + KSTK_EIP(current), code); 2488 2494 audit_log_end(ab); 2489 2495 } 2490 2496