tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
Merge git://git.infradead.org/users/eparis/audit
Pull audit updates from Eric Paris:
"So this change across a whole bunch of arches really solves one basic
problem. We want to audit when seccomp is killing a process. seccomp
hooks in before the audit syscall entry code. audit_syscall_entry
took as an argument the arch of the given syscall. Since the arch is
part of what makes a syscall number meaningful it's an important part
of the record, but it isn't available when seccomp shoots the
syscall...
For most arch's we have a better way to get the arch (syscall_get_arch)
So the solution was two fold: Implement syscall_get_arch() everywhere
there is audit which didn't have it. Use syscall_get_arch() in the
seccomp audit code. Having syscall_get_arch() everywhere meant it was
a useless flag on the stack and we could get rid of it for the typical
syscall entry.
The other changes inside the audit system aren't grand, fixed some
records that had invalid spaces. Better locking around the task comm
field. Removing some dead functions and structs. Make some things
static. Really minor stuff"
* git://git.infradead.org/users/eparis/audit: (31 commits)
audit: rename audit_log_remove_rule to disambiguate for trees
audit: cull redundancy in audit_rule_change
audit: WARN if audit_rule_change called illegally
audit: put rule existence check in canonical order
next: openrisc: Fix build
audit: get comm using lock to avoid race in string printing
audit: remove open_arg() function that is never used
audit: correct AUDIT_GET_FEATURE return message type
audit: set nlmsg_len for multicast messages.
audit: use union for audit_field values since they are mutually exclusive
audit: invalid op= values for rules
audit: use atomic_t to simplify audit_serial()
kernel/audit.c: use ARRAY_SIZE instead of sizeof/sizeof[0]
audit: reduce scope of audit_log_fcaps
audit: reduce scope of audit_net_id
audit: arm64: Remove the audit arch argument to audit_syscall_entry
arm64: audit: Add audit hook in syscall_trace_enter/exit()
audit: x86: drop arch from __audit_syscall_entry() interface
sparc: implement is_32bit_task
sparc: properly conditionalize use of TIF_32BIT
...
+204
-180
+11
arch/alpha/include/asm/syscall.h
+11
arch/alpha/include/asm/syscall.h
+1
-1
arch/alpha/kernel/ptrace.c
+1
-1
arch/alpha/kernel/ptrace.c
+2
-2
arch/arm/kernel/ptrace.c
+2
-2
arch/arm/kernel/ptrace.c
+2
-2
arch/arm64/kernel/ptrace.c
+2
-2
arch/arm64/kernel/ptrace.c
+6
arch/ia64/include/asm/syscall.h
+6
arch/ia64/include/asm/syscall.h
···
13
#ifndef _ASM_SYSCALL_H
14
#define _ASM_SYSCALL_H 1
15
16
+
#include <uapi/linux/audit.h>
17
#include <linux/sched.h>
18
#include <linux/err.h>
19
···
78
BUG_ON(i + n > 6);
79
80
ia64_syscall_get_set_arguments(task, regs, i, n, args, 1);
81
+
}
82
+
83
+
static inline int syscall_get_arch(void)
84
+
{
85
+
return AUDIT_ARCH_IA64;
86
}
87
#endif /* _ASM_SYSCALL_H */
+1
-1
arch/ia64/kernel/ptrace.c
+1
-1
arch/ia64/kernel/ptrace.c
+5
arch/microblaze/include/asm/syscall.h
+5
arch/microblaze/include/asm/syscall.h
···
1
#ifndef __ASM_MICROBLAZE_SYSCALL_H
2
#define __ASM_MICROBLAZE_SYSCALL_H
3
4
#include <linux/kernel.h>
5
#include <linux/sched.h>
6
#include <asm/ptrace.h>
···
100
asmlinkage long do_syscall_trace_enter(struct pt_regs *regs);
101
asmlinkage void do_syscall_trace_leave(struct pt_regs *regs);
102
103
#endif /* __ASM_MICROBLAZE_SYSCALL_H */
···
1
#ifndef __ASM_MICROBLAZE_SYSCALL_H
2
#define __ASM_MICROBLAZE_SYSCALL_H
3
4
+
#include <uapi/linux/audit.h>
5
#include <linux/kernel.h>
6
#include <linux/sched.h>
7
#include <asm/ptrace.h>
···
99
asmlinkage long do_syscall_trace_enter(struct pt_regs *regs);
100
asmlinkage void do_syscall_trace_leave(struct pt_regs *regs);
101
102
+
static inline int syscall_get_arch(void)
103
+
{
104
+
return AUDIT_ARCH_MICROBLAZE;
105
+
}
106
#endif /* __ASM_MICROBLAZE_SYSCALL_H */
+1
-2
arch/microblaze/kernel/ptrace.c
+1
-2
arch/microblaze/kernel/ptrace.c
+1
-1
arch/mips/include/asm/syscall.h
+1
-1
arch/mips/include/asm/syscall.h
+1
-3
arch/mips/kernel/ptrace.c
+1
-3
arch/mips/kernel/ptrace.c
+5
arch/openrisc/include/asm/syscall.h
+5
arch/openrisc/include/asm/syscall.h
···
19
#ifndef __ASM_OPENRISC_SYSCALL_H__
20
#define __ASM_OPENRISC_SYSCALL_H__
21
22
+
#include <uapi/linux/audit.h>
23
#include <linux/err.h>
24
#include <linux/sched.h>
25
···
71
memcpy(®s->gpr[3 + i], args, n * sizeof(args[0]));
72
}
73
74
+
static inline int syscall_get_arch(void)
75
+
{
76
+
return AUDIT_ARCH_OPENRISC;
77
+
}
78
#endif
+1
-2
arch/openrisc/include/uapi/asm/elf.h
+1
-2
arch/openrisc/include/uapi/asm/elf.h
···
55
/* A placeholder; OR32 does not have fp support yes, so no fp regs for now. */
56
typedef unsigned long elf_fpregset_t;
57
58
-
/* This should be moved to include/linux/elf.h */
59
#define EM_OR32 0x8472
60
-
#define EM_OPENRISC 92 /* OpenRISC 32-bit embedded processor */
61
62
/*
63
* These are used to set parameters in the core dumps.
+1
-2
arch/openrisc/kernel/ptrace.c
+1
-2
arch/openrisc/kernel/ptrace.c
+11
arch/parisc/include/asm/syscall.h
+11
arch/parisc/include/asm/syscall.h
···
3
#ifndef _ASM_PARISC_SYSCALL_H_
4
#define _ASM_PARISC_SYSCALL_H_
5
6
+
#include <uapi/linux/audit.h>
7
+
#include <linux/compat.h>
8
#include <linux/err.h>
9
#include <asm/ptrace.h>
10
···
37
}
38
}
39
40
+
static inline int syscall_get_arch(void)
41
+
{
42
+
int arch = AUDIT_ARCH_PARISC;
43
+
#ifdef CONFIG_64BIT
44
+
if (!is_compat_task())
45
+
arch = AUDIT_ARCH_PARISC64;
46
+
#endif
47
+
return arch;
48
+
}
49
#endif /*_ASM_PARISC_SYSCALL_H_*/
+3
-6
arch/parisc/kernel/ptrace.c
+3
-6
arch/parisc/kernel/ptrace.c
···
280
281
#ifdef CONFIG_64BIT
282
if (!is_compat_task())
283
-
audit_syscall_entry(AUDIT_ARCH_PARISC64,
284
-
regs->gr[20],
285
-
regs->gr[26], regs->gr[25],
286
-
regs->gr[24], regs->gr[23]);
287
else
288
#endif
289
-
audit_syscall_entry(AUDIT_ARCH_PARISC,
290
-
regs->gr[20] & 0xffffffff,
291
regs->gr[26] & 0xffffffff,
292
regs->gr[25] & 0xffffffff,
293
regs->gr[24] & 0xffffffff,
···
280
281
#ifdef CONFIG_64BIT
282
if (!is_compat_task())
283
+
audit_syscall_entry(regs->gr[20], regs->gr[26], regs->gr[25],
284
+
regs->gr[24], regs->gr[23]);
285
else
286
#endif
287
+
audit_syscall_entry(regs->gr[20] & 0xffffffff,
288
regs->gr[26] & 0xffffffff,
289
regs->gr[25] & 0xffffffff,
290
regs->gr[24] & 0xffffffff,
+6
arch/powerpc/include/asm/syscall.h
+6
arch/powerpc/include/asm/syscall.h
···
13
#ifndef _ASM_SYSCALL_H
14
#define _ASM_SYSCALL_H 1
15
16
+
#include <uapi/linux/audit.h>
17
#include <linux/sched.h>
18
+
#include <linux/thread_info.h>
19
20
/* ftrace syscalls requires exporting the sys_call_table */
21
#ifdef CONFIG_FTRACE_SYSCALLS
···
86
memcpy(®s->gpr[3 + i], args, n * sizeof(args[0]));
87
}
88
89
+
static inline int syscall_get_arch(void)
90
+
{
91
+
return is_32bit_task() ? AUDIT_ARCH_PPC : AUDIT_ARCH_PPC64;
92
+
}
93
#endif /* _ASM_SYSCALL_H */
+2
-5
arch/powerpc/kernel/ptrace.c
+2
-5
arch/powerpc/kernel/ptrace.c
···
1788
1789
#ifdef CONFIG_PPC64
1790
if (!is_32bit_task())
1791
-
audit_syscall_entry(AUDIT_ARCH_PPC64,
1792
-
regs->gpr[0],
1793
-
regs->gpr[3], regs->gpr[4],
1794
regs->gpr[5], regs->gpr[6]);
1795
else
1796
#endif
1797
-
audit_syscall_entry(AUDIT_ARCH_PPC,
1798
-
regs->gpr[0],
1799
regs->gpr[3] & 0xffffffff,
1800
regs->gpr[4] & 0xffffffff,
1801
regs->gpr[5] & 0xffffffff,
···
1788
1789
#ifdef CONFIG_PPC64
1790
if (!is_32bit_task())
1791
+
audit_syscall_entry(regs->gpr[0], regs->gpr[3], regs->gpr[4],
1792
regs->gpr[5], regs->gpr[6]);
1793
else
1794
#endif
1795
+
audit_syscall_entry(regs->gpr[0],
1796
regs->gpr[3] & 0xffffffff,
1797
regs->gpr[4] & 0xffffffff,
1798
regs->gpr[5] & 0xffffffff,
+1
-3
arch/s390/kernel/ptrace.c
+1
-3
arch/s390/kernel/ptrace.c
+10
arch/sh/include/asm/syscall_32.h
+10
arch/sh/include/asm/syscall_32.h
···
1
#ifndef __ASM_SH_SYSCALL_32_H
2
#define __ASM_SH_SYSCALL_32_H
3
4
+
#include <uapi/linux/audit.h>
5
#include <linux/kernel.h>
6
#include <linux/sched.h>
7
#include <linux/err.h>
···
93
}
94
}
95
96
+
static inline int syscall_get_arch(void)
97
+
{
98
+
int arch = AUDIT_ARCH_SH;
99
+
100
+
#ifdef CONFIG_CPU_LITTLE_ENDIAN
101
+
arch |= __AUDIT_ARCH_LE;
102
+
#endif
103
+
return arch;
104
+
}
105
#endif /* __ASM_SH_SYSCALL_32_H */
+14
arch/sh/include/asm/syscall_64.h
+14
arch/sh/include/asm/syscall_64.h
···
1
#ifndef __ASM_SH_SYSCALL_64_H
2
#define __ASM_SH_SYSCALL_64_H
3
4
+
#include <uapi/linux/audit.h>
5
#include <linux/kernel.h>
6
#include <linux/sched.h>
7
#include <asm/ptrace.h>
···
61
memcpy(®s->regs[2 + i], args, n * sizeof(args[0]));
62
}
63
64
+
static inline int syscall_get_arch(void)
65
+
{
66
+
int arch = AUDIT_ARCH_SH;
67
+
68
+
#ifdef CONFIG_64BIT
69
+
arch |= __AUDIT_ARCH_64BIT;
70
+
#endif
71
+
#ifdef CONFIG_CPU_LITTLE_ENDIAN
72
+
arch |= __AUDIT_ARCH_LE;
73
+
#endif
74
+
75
+
return arch;
76
+
}
77
#endif /* __ASM_SH_SYSCALL_64_H */
+1
-13
arch/sh/kernel/ptrace_32.c
+1
-13
arch/sh/kernel/ptrace_32.c
···
484
return ret;
485
}
486
487
-
static inline int audit_arch(void)
488
-
{
489
-
int arch = EM_SH;
490
-
491
-
#ifdef CONFIG_CPU_LITTLE_ENDIAN
492
-
arch |= __AUDIT_ARCH_LE;
493
-
#endif
494
-
495
-
return arch;
496
-
}
497
-
498
asmlinkage long do_syscall_trace_enter(struct pt_regs *regs)
499
{
500
long ret = 0;
···
502
if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT)))
503
trace_sys_enter(regs, regs->regs[0]);
504
505
-
audit_syscall_entry(audit_arch(), regs->regs[3],
506
-
regs->regs[4], regs->regs[5],
507
regs->regs[6], regs->regs[7]);
508
509
return ret ?: regs->regs[0];
···
484
return ret;
485
}
486
487
asmlinkage long do_syscall_trace_enter(struct pt_regs *regs)
488
{
489
long ret = 0;
···
513
if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT)))
514
trace_sys_enter(regs, regs->regs[0]);
515
516
+
audit_syscall_entry(regs->regs[3], regs->regs[4], regs->regs[5],
517
regs->regs[6], regs->regs[7]);
518
519
return ret ?: regs->regs[0];
+1
-16
arch/sh/kernel/ptrace_64.c
+1
-16
arch/sh/kernel/ptrace_64.c
···
504
return sys_ptrace(request, pid, addr, data);
505
}
506
507
-
static inline int audit_arch(void)
508
-
{
509
-
int arch = EM_SH;
510
-
511
-
#ifdef CONFIG_64BIT
512
-
arch |= __AUDIT_ARCH_64BIT;
513
-
#endif
514
-
#ifdef CONFIG_CPU_LITTLE_ENDIAN
515
-
arch |= __AUDIT_ARCH_LE;
516
-
#endif
517
-
518
-
return arch;
519
-
}
520
-
521
asmlinkage long long do_syscall_trace_enter(struct pt_regs *regs)
522
{
523
long long ret = 0;
···
522
if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT)))
523
trace_sys_enter(regs, regs->regs[9]);
524
525
-
audit_syscall_entry(audit_arch(), regs->regs[1],
526
-
regs->regs[2], regs->regs[3],
527
regs->regs[4], regs->regs[5]);
528
529
return ret ?: regs->regs[9];
···
504
return sys_ptrace(request, pid, addr, data);
505
}
506
507
asmlinkage long long do_syscall_trace_enter(struct pt_regs *regs)
508
{
509
long long ret = 0;
···
536
if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT)))
537
trace_sys_enter(regs, regs->regs[9]);
538
539
+
audit_syscall_entry(regs->regs[1], regs->regs[2], regs->regs[3],
540
regs->regs[4], regs->regs[5]);
541
542
return ret ?: regs->regs[9];
+7
arch/sparc/include/asm/syscall.h
+7
arch/sparc/include/asm/syscall.h
···
1
#ifndef __ASM_SPARC_SYSCALL_H
2
#define __ASM_SPARC_SYSCALL_H
3
4
#include <linux/kernel.h>
5
#include <linux/sched.h>
6
#include <asm/ptrace.h>
7
8
/*
9
* The syscall table always contains 32 bit pointers since we know that the
···
124
125
for (j = 0; j < n; j++)
126
regs->u_regs[UREG_I0 + i + j] = args[j];
127
}
128
129
#endif /* __ASM_SPARC_SYSCALL_H */
···
1
#ifndef __ASM_SPARC_SYSCALL_H
2
#define __ASM_SPARC_SYSCALL_H
3
4
+
#include <uapi/linux/audit.h>
5
#include <linux/kernel.h>
6
#include <linux/sched.h>
7
#include <asm/ptrace.h>
8
+
#include <asm/thread_info.h>
9
10
/*
11
* The syscall table always contains 32 bit pointers since we know that the
···
122
123
for (j = 0; j < n; j++)
124
regs->u_regs[UREG_I0 + i + j] = args[j];
125
+
}
126
+
127
+
static inline int syscall_get_arch(void)
128
+
{
129
+
return is_32bit_task() ? AUDIT_ARCH_SPARC : AUDIT_ARCH_SPARC64;
130
}
131
132
#endif /* __ASM_SPARC_SYSCALL_H */
+2
arch/sparc/include/asm/thread_info_32.h
+2
arch/sparc/include/asm/thread_info_32.h
+2
arch/sparc/include/asm/thread_info_64.h
+2
arch/sparc/include/asm/thread_info_64.h
+2
-7
arch/sparc/kernel/ptrace_64.c
+2
-7
arch/sparc/kernel/ptrace_64.c
···
1076
if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT)))
1077
trace_sys_enter(regs, regs->u_regs[UREG_G1]);
1078
1079
-
audit_syscall_entry((test_thread_flag(TIF_32BIT) ?
1080
-
AUDIT_ARCH_SPARC :
1081
-
AUDIT_ARCH_SPARC64),
1082
-
regs->u_regs[UREG_G1],
1083
-
regs->u_regs[UREG_I0],
1084
-
regs->u_regs[UREG_I1],
1085
-
regs->u_regs[UREG_I2],
1086
regs->u_regs[UREG_I3]);
1087
1088
return ret;
+1
-2
arch/um/kernel/ptrace.c
+1
-2
arch/um/kernel/ptrace.c
+6
-6
arch/x86/ia32/ia32entry.S
+6
-6
arch/x86/ia32/ia32entry.S
···
198
199
#ifdef CONFIG_AUDITSYSCALL
200
.macro auditsys_entry_common
201
-
movl %esi,%r9d /* 6th arg: 4th syscall arg */
202
-
movl %edx,%r8d /* 5th arg: 3rd syscall arg */
203
-
/* (already in %ecx) 4th arg: 2nd syscall arg */
204
-
movl %ebx,%edx /* 3rd arg: 1st syscall arg */
205
-
movl %eax,%esi /* 2nd arg: syscall number */
206
-
movl $AUDIT_ARCH_I386,%edi /* 1st arg: audit arch */
207
call __audit_syscall_entry
208
movl RAX-ARGOFFSET(%rsp),%eax /* reload syscall number */
209
cmpq $(IA32_NR_syscalls-1),%rax
···
198
199
#ifdef CONFIG_AUDITSYSCALL
200
.macro auditsys_entry_common
201
+
movl %esi,%r8d /* 5th arg: 4th syscall arg */
202
+
movl %ecx,%r9d /*swap with edx*/
203
+
movl %edx,%ecx /* 4th arg: 3rd syscall arg */
204
+
movl %r9d,%edx /* 3rd arg: 2nd syscall arg */
205
+
movl %ebx,%esi /* 2nd arg: 1st syscall arg */
206
+
movl %eax,%edi /* 1st arg: syscall number */
207
call __audit_syscall_entry
208
movl RAX-ARGOFFSET(%rsp),%eax /* reload syscall number */
209
cmpq $(IA32_NR_syscalls-1),%rax
+5
-6
arch/x86/kernel/entry_32.S
+5
-6
arch/x86/kernel/entry_32.S
···
449
jnz syscall_trace_entry
450
addl $4,%esp
451
CFI_ADJUST_CFA_OFFSET -4
452
-
/* %esi already in 8(%esp) 6th arg: 4th syscall arg */
453
-
/* %edx already in 4(%esp) 5th arg: 3rd syscall arg */
454
-
/* %ecx already in 0(%esp) 4th arg: 2nd syscall arg */
455
-
movl %ebx,%ecx /* 3rd arg: 1st syscall arg */
456
-
movl %eax,%edx /* 2nd arg: syscall number */
457
-
movl $AUDIT_ARCH_I386,%eax /* 1st arg: audit arch */
458
call __audit_syscall_entry
459
pushl_cfi %ebx
460
movl PT_EAX(%esp),%eax /* reload syscall number */
···
449
jnz syscall_trace_entry
450
addl $4,%esp
451
CFI_ADJUST_CFA_OFFSET -4
452
+
movl %esi,4(%esp) /* 5th arg: 4th syscall arg */
453
+
movl %edx,(%esp) /* 4th arg: 3rd syscall arg */
454
+
/* %ecx already in %ecx 3rd arg: 2nd syscall arg */
455
+
movl %ebx,%edx /* 2nd arg: 1st syscall arg */
456
+
/* %eax already in %eax 1st arg: syscall number */
457
call __audit_syscall_entry
458
pushl_cfi %ebx
459
movl PT_EAX(%esp),%eax /* reload syscall number */
+2
-2
arch/x86/kernel/ptrace.c
+2
-2
arch/x86/kernel/ptrace.c
···
1445
{
1446
#ifdef CONFIG_X86_64
1447
if (arch == AUDIT_ARCH_X86_64) {
1448
-
audit_syscall_entry(arch, regs->orig_ax, regs->di,
1449
regs->si, regs->dx, regs->r10);
1450
} else
1451
#endif
1452
{
1453
-
audit_syscall_entry(arch, regs->orig_ax, regs->bx,
1454
regs->cx, regs->dx, regs->si);
1455
}
1456
}
-4
arch/x86/um/asm/ptrace.h
-4
arch/x86/um/asm/ptrace.h
···
47
48
#ifdef CONFIG_X86_32
49
50
-
#define HOST_AUDIT_ARCH AUDIT_ARCH_I386
51
-
52
extern int ptrace_get_thread_area(struct task_struct *child, int idx,
53
struct user_desc __user *user_desc);
54
···
54
struct user_desc __user *user_desc);
55
56
#else
57
-
58
-
#define HOST_AUDIT_ARCH AUDIT_ARCH_X86_64
59
60
#define PT_REGS_R8(r) UPT_R8(&(r)->regs)
61
#define PT_REGS_R9(r) UPT_R9(&(r)->regs)
+15
arch/x86/um/asm/syscall.h
+15
arch/x86/um/asm/syscall.h
···
···
1
+
#ifndef __UM_ASM_SYSCALL_H
2
+
#define __UM_ASM_SYSCALL_H
3
+
4
+
#include <uapi/linux/audit.h>
5
+
6
+
static inline int syscall_get_arch(void)
7
+
{
8
+
#ifdef CONFIG_X86_32
9
+
return AUDIT_ARCH_I386;
10
+
#else
11
+
return AUDIT_ARCH_X86_64;
12
+
#endif
13
+
}
14
+
15
+
#endif /* __UM_ASM_SYSCALL_H */
+1
-1
arch/xtensa/kernel/ptrace.c
+1
-1
arch/xtensa/kernel/ptrace.c
+1
-1
include/asm-generic/syscall.h
+1
-1
include/asm-generic/syscall.h
···
147
*
148
* Returns the AUDIT_ARCH_* based on the system call convention in use.
149
*
150
-
* It's only valid to call this when @task is stopped on entry to a system
151
* call, due to %TIF_SYSCALL_TRACE, %TIF_SYSCALL_AUDIT, or %TIF_SECCOMP.
152
*
153
* Architectures which permit CONFIG_HAVE_ARCH_SECCOMP_FILTER must
···
147
*
148
* Returns the AUDIT_ARCH_* based on the system call convention in use.
149
*
150
+
* It's only valid to call this when current is stopped on entry to a system
151
* call, due to %TIF_SYSCALL_TRACE, %TIF_SYSCALL_AUDIT, or %TIF_SECCOMP.
152
*
153
* Architectures which permit CONFIG_HAVE_ARCH_SECCOMP_FILTER must
+15
-10
include/linux/audit.h
+15
-10
include/linux/audit.h
···
66
67
struct audit_field {
68
u32 type;
69
-
u32 val;
70
-
kuid_t uid;
71
-
kgid_t gid;
72
u32 op;
73
-
char *lsm_str;
74
-
void *lsm_rule;
75
};
76
77
extern int is_audit_feature_set(int which);
···
113
#endif
114
115
#ifdef CONFIG_AUDITSYSCALL
116
/* These are defined in auditsc.c */
117
/* Public API */
118
extern int audit_alloc(struct task_struct *task);
119
extern void __audit_free(struct task_struct *task);
120
-
extern void __audit_syscall_entry(int arch,
121
-
int major, unsigned long a0, unsigned long a1,
122
unsigned long a2, unsigned long a3);
123
extern void __audit_syscall_exit(int ret_success, long ret_value);
124
extern struct filename *__audit_reusename(const __user char *uptr);
···
146
if (unlikely(task->audit_context))
147
__audit_free(task);
148
}
149
-
static inline void audit_syscall_entry(int arch, int major, unsigned long a0,
150
unsigned long a1, unsigned long a2,
151
unsigned long a3)
152
{
153
if (unlikely(current->audit_context))
154
-
__audit_syscall_entry(arch, major, a0, a1, a2, a3);
155
}
156
static inline void audit_syscall_exit(void *pt_regs)
157
{
···
327
}
328
static inline void audit_free(struct task_struct *task)
329
{ }
330
-
static inline void audit_syscall_entry(int arch, int major, unsigned long a0,
331
unsigned long a1, unsigned long a2,
332
unsigned long a3)
333
{ }
···
66
67
struct audit_field {
68
u32 type;
69
+
union {
70
+
u32 val;
71
+
kuid_t uid;
72
+
kgid_t gid;
73
+
struct {
74
+
char *lsm_str;
75
+
void *lsm_rule;
76
+
};
77
+
};
78
u32 op;
79
};
80
81
extern int is_audit_feature_set(int which);
···
109
#endif
110
111
#ifdef CONFIG_AUDITSYSCALL
112
+
#include <asm/syscall.h> /* for syscall_get_arch() */
113
+
114
/* These are defined in auditsc.c */
115
/* Public API */
116
extern int audit_alloc(struct task_struct *task);
117
extern void __audit_free(struct task_struct *task);
118
+
extern void __audit_syscall_entry(int major, unsigned long a0, unsigned long a1,
119
unsigned long a2, unsigned long a3);
120
extern void __audit_syscall_exit(int ret_success, long ret_value);
121
extern struct filename *__audit_reusename(const __user char *uptr);
···
141
if (unlikely(task->audit_context))
142
__audit_free(task);
143
}
144
+
static inline void audit_syscall_entry(int major, unsigned long a0,
145
unsigned long a1, unsigned long a2,
146
unsigned long a3)
147
{
148
if (unlikely(current->audit_context))
149
+
__audit_syscall_entry(major, a0, a1, a2, a3);
150
}
151
static inline void audit_syscall_exit(void *pt_regs)
152
{
···
322
}
323
static inline void audit_free(struct task_struct *task)
324
{ }
325
+
static inline void audit_syscall_entry(int major, unsigned long a0,
326
unsigned long a1, unsigned long a2,
327
unsigned long a3)
328
{ }
+1
-13
include/uapi/linux/audit.h
+1
-13
include/uapi/linux/audit.h
···
352
#define AUDIT_ARCH_IA64 (EM_IA_64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
353
#define AUDIT_ARCH_M32R (EM_M32R)
354
#define AUDIT_ARCH_M68K (EM_68K)
355
#define AUDIT_ARCH_MIPS (EM_MIPS)
356
#define AUDIT_ARCH_MIPSEL (EM_MIPS|__AUDIT_ARCH_LE)
357
#define AUDIT_ARCH_MIPS64 (EM_MIPS|__AUDIT_ARCH_64BIT)
···
444
__u32 fieldflags[AUDIT_MAX_FIELDS];
445
__u32 buflen; /* total length of string fields */
446
char buf[0]; /* string fields buffer */
447
-
};
448
-
449
-
/* audit_rule is supported to maintain backward compatibility with
450
-
* userspace. It supports integer fields only and corresponds to
451
-
* AUDIT_ADD, AUDIT_DEL and AUDIT_LIST requests.
452
-
*/
453
-
struct audit_rule { /* for AUDIT_LIST, AUDIT_ADD, and AUDIT_DEL */
454
-
__u32 flags; /* AUDIT_PER_{TASK,CALL}, AUDIT_PREPEND */
455
-
__u32 action; /* AUDIT_NEVER, AUDIT_POSSIBLE, AUDIT_ALWAYS */
456
-
__u32 field_count;
457
-
__u32 mask[AUDIT_BITMASK_SIZE];
458
-
__u32 fields[AUDIT_MAX_FIELDS];
459
-
__u32 values[AUDIT_MAX_FIELDS];
460
};
461
462
#endif /* _UAPI_LINUX_AUDIT_H_ */
···
352
#define AUDIT_ARCH_IA64 (EM_IA_64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
353
#define AUDIT_ARCH_M32R (EM_M32R)
354
#define AUDIT_ARCH_M68K (EM_68K)
355
+
#define AUDIT_ARCH_MICROBLAZE (EM_MICROBLAZE)
356
#define AUDIT_ARCH_MIPS (EM_MIPS)
357
#define AUDIT_ARCH_MIPSEL (EM_MIPS|__AUDIT_ARCH_LE)
358
#define AUDIT_ARCH_MIPS64 (EM_MIPS|__AUDIT_ARCH_64BIT)
···
443
__u32 fieldflags[AUDIT_MAX_FIELDS];
444
__u32 buflen; /* total length of string fields */
445
char buf[0]; /* string fields buffer */
446
};
447
448
#endif /* _UAPI_LINUX_AUDIT_H_ */
+1
include/uapi/linux/elf-em.h
+1
include/uapi/linux/elf-em.h
···
32
#define EM_V850 87 /* NEC v850 */
33
#define EM_M32R 88 /* Renesas M32R */
34
#define EM_MN10300 89 /* Panasonic/MEI MN10300, AM33 */
35
+
#define EM_OPENRISC 92 /* OpenRISC 32-bit embedded processor */
36
#define EM_BLACKFIN 106 /* ADI Blackfin Processor */
37
#define EM_TI_C6000 140 /* TI C6X DSPs */
38
#define EM_AARCH64 183 /* ARM 64 bit */
+10
-20
kernel/audit.c
+10
-20
kernel/audit.c
···
126
127
/* The netlink socket. */
128
static struct sock *audit_sock;
129
-
int audit_net_id;
130
131
/* Hash for inode-based rules */
132
struct list_head audit_inode_hash[AUDIT_INODE_BUCKETS];
···
724
725
seq = nlmsg_hdr(skb)->nlmsg_seq;
726
727
-
audit_send_reply(skb, seq, AUDIT_GET, 0, 0, &af, sizeof(af));
728
729
return 0;
730
}
···
750
struct audit_features *uaf;
751
int i;
752
753
-
BUILD_BUG_ON(AUDIT_LAST_FEATURE + 1 > sizeof(audit_feature_names)/sizeof(audit_feature_names[0]));
754
uaf = nlmsg_data(nlmsg_hdr(skb));
755
756
/* if there is ever a version 2 we should handle that here */
···
1301
*/
1302
unsigned int audit_serial(void)
1303
{
1304
-
static DEFINE_SPINLOCK(serial_lock);
1305
-
static unsigned int serial = 0;
1306
1307
-
unsigned long flags;
1308
-
unsigned int ret;
1309
-
1310
-
spin_lock_irqsave(&serial_lock, flags);
1311
-
do {
1312
-
ret = ++serial;
1313
-
} while (unlikely(!ret));
1314
-
spin_unlock_irqrestore(&serial_lock, flags);
1315
-
1316
-
return ret;
1317
}
1318
1319
static inline void audit_get_stamp(struct audit_context *ctx,
···
1671
}
1672
}
1673
1674
-
void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name)
1675
{
1676
kernel_cap_t *perm = &name->fcap.permitted;
1677
kernel_cap_t *inh = &name->fcap.inheritable;
···
1850
void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
1851
{
1852
const struct cred *cred;
1853
-
char name[sizeof(tsk->comm)];
1854
struct mm_struct *mm = tsk->mm;
1855
char *tty;
1856
···
1884
from_kgid(&init_user_ns, cred->fsgid),
1885
tty, audit_get_sessionid(tsk));
1886
1887
-
get_task_comm(name, tsk);
1888
audit_log_format(ab, " comm=");
1889
-
audit_log_untrustedstring(ab, name);
1890
1891
if (mm) {
1892
down_read(&mm->mmap_sem);
···
1948
} else {
1949
struct nlmsghdr *nlh = nlmsg_hdr(ab->skb);
1950
1951
kauditd_send_multicast_skb(ab->skb);
1952
1953
/*
···
1960
* protocol between the kaudit kernel subsystem and the auditd
1961
* userspace code.
1962
*/
1963
-
nlh->nlmsg_len = ab->skb->len - NLMSG_HDRLEN;
1964
1965
if (audit_pid) {
1966
skb_queue_tail(&audit_skb_queue, ab->skb);
···
126
127
/* The netlink socket. */
128
static struct sock *audit_sock;
129
+
static int audit_net_id;
130
131
/* Hash for inode-based rules */
132
struct list_head audit_inode_hash[AUDIT_INODE_BUCKETS];
···
724
725
seq = nlmsg_hdr(skb)->nlmsg_seq;
726
727
+
audit_send_reply(skb, seq, AUDIT_GET_FEATURE, 0, 0, &af, sizeof(af));
728
729
return 0;
730
}
···
750
struct audit_features *uaf;
751
int i;
752
753
+
BUILD_BUG_ON(AUDIT_LAST_FEATURE + 1 > ARRAY_SIZE(audit_feature_names));
754
uaf = nlmsg_data(nlmsg_hdr(skb));
755
756
/* if there is ever a version 2 we should handle that here */
···
1301
*/
1302
unsigned int audit_serial(void)
1303
{
1304
+
static atomic_t serial = ATOMIC_INIT(0);
1305
1306
+
return atomic_add_return(1, &serial);
1307
}
1308
1309
static inline void audit_get_stamp(struct audit_context *ctx,
···
1681
}
1682
}
1683
1684
+
static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name)
1685
{
1686
kernel_cap_t *perm = &name->fcap.permitted;
1687
kernel_cap_t *inh = &name->fcap.inheritable;
···
1860
void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
1861
{
1862
const struct cred *cred;
1863
+
char comm[sizeof(tsk->comm)];
1864
struct mm_struct *mm = tsk->mm;
1865
char *tty;
1866
···
1894
from_kgid(&init_user_ns, cred->fsgid),
1895
tty, audit_get_sessionid(tsk));
1896
1897
audit_log_format(ab, " comm=");
1898
+
audit_log_untrustedstring(ab, get_task_comm(comm, tsk));
1899
1900
if (mm) {
1901
down_read(&mm->mmap_sem);
···
1959
} else {
1960
struct nlmsghdr *nlh = nlmsg_hdr(ab->skb);
1961
1962
+
nlh->nlmsg_len = ab->skb->len;
1963
kauditd_send_multicast_skb(ab->skb);
1964
1965
/*
···
1970
* protocol between the kaudit kernel subsystem and the auditd
1971
* userspace code.
1972
*/
1973
+
nlh->nlmsg_len -= NLMSG_HDRLEN;
1974
1975
if (audit_pid) {
1976
skb_queue_tail(&audit_skb_queue, ab->skb);
-1
kernel/audit.h
-1
kernel/audit.h
···
222
const struct inode *inode);
223
extern void audit_log_cap(struct audit_buffer *ab, char *prefix,
224
kernel_cap_t *cap);
225
-
extern void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name);
226
extern void audit_log_name(struct audit_context *context,
227
struct audit_names *n, struct path *path,
228
int record_num, int *call_panic);
+3
-3
kernel/audit_tree.c
+3
-3
kernel/audit_tree.c
···
449
return 0;
450
}
451
452
-
static void audit_log_remove_rule(struct audit_krule *rule)
453
{
454
struct audit_buffer *ab;
455
···
457
if (unlikely(!ab))
458
return;
459
audit_log_format(ab, "op=");
460
-
audit_log_string(ab, "remove rule");
461
audit_log_format(ab, " dir=");
462
audit_log_untrustedstring(ab, rule->tree->pathname);
463
audit_log_key(ab, rule->filterkey);
···
476
list_del_init(&rule->rlist);
477
if (rule->tree) {
478
/* not a half-baked one */
479
-
audit_log_remove_rule(rule);
480
rule->tree = NULL;
481
list_del_rcu(&entry->list);
482
list_del(&entry->rule.list);
···
449
return 0;
450
}
451
452
+
static void audit_tree_log_remove_rule(struct audit_krule *rule)
453
{
454
struct audit_buffer *ab;
455
···
457
if (unlikely(!ab))
458
return;
459
audit_log_format(ab, "op=");
460
+
audit_log_string(ab, "remove_rule");
461
audit_log_format(ab, " dir=");
462
audit_log_untrustedstring(ab, rule->tree->pathname);
463
audit_log_key(ab, rule->filterkey);
···
476
list_del_init(&rule->rlist);
477
if (rule->tree) {
478
/* not a half-baked one */
479
+
audit_tree_log_remove_rule(rule);
480
rule->tree = NULL;
481
list_del_rcu(&entry->list);
482
list_del(&entry->rule.list);
+2
-2
kernel/audit_watch.c
+2
-2
kernel/audit_watch.c
···
314
&nentry->rule.list);
315
}
316
317
-
audit_watch_log_rule_change(r, owatch, "updated rules");
318
319
call_rcu(&oentry->rcu, audit_free_rule_rcu);
320
}
···
342
list_for_each_entry_safe(w, nextw, &parent->watches, wlist) {
343
list_for_each_entry_safe(r, nextr, &w->rules, rlist) {
344
e = container_of(r, struct audit_entry, rule);
345
-
audit_watch_log_rule_change(r, w, "remove rule");
346
list_del(&r->rlist);
347
list_del(&r->list);
348
list_del_rcu(&e->list);
···
314
&nentry->rule.list);
315
}
316
317
+
audit_watch_log_rule_change(r, owatch, "updated_rules");
318
319
call_rcu(&oentry->rcu, audit_free_rule_rcu);
320
}
···
342
list_for_each_entry_safe(w, nextw, &parent->watches, wlist) {
343
list_for_each_entry_safe(r, nextr, &w->rules, rlist) {
344
e = container_of(r, struct audit_entry, rule);
345
+
audit_watch_log_rule_change(r, w, "remove_rule");
346
list_del(&r->rlist);
347
list_del(&r->list);
348
list_del_rcu(&e->list);
+32
-24
kernel/auditfilter.c
+32
-24
kernel/auditfilter.c
···
71
72
DEFINE_MUTEX(audit_filter_mutex);
73
74
static inline void audit_free_rule(struct audit_entry *e)
75
{
76
int i;
···
98
if (erule->watch)
99
audit_put_watch(erule->watch);
100
if (erule->fields)
101
-
for (i = 0; i < erule->field_count; i++) {
102
-
struct audit_field *f = &erule->fields[i];
103
-
kfree(f->lsm_str);
104
-
security_audit_rule_free(f->lsm_rule);
105
-
}
106
kfree(erule->fields);
107
kfree(erule->filterkey);
108
kfree(e);
···
163
struct audit_field *f)
164
{
165
if (krule->listnr != AUDIT_FILTER_EXIT ||
166
-
krule->watch || krule->inode_f || krule->tree ||
167
(f->op != Audit_equal && f->op != Audit_not_equal))
168
return -EINVAL;
169
···
437
438
f->type = data->fields[i];
439
f->val = data->values[i];
440
-
f->uid = INVALID_UID;
441
-
f->gid = INVALID_GID;
442
-
f->lsm_str = NULL;
443
-
f->lsm_rule = NULL;
444
445
/* Support legacy tests for a valid loginuid */
446
if ((f->type == AUDIT_LOGINUID) && (f->val == AUDIT_UID_UNSET)) {
···
1064
int err = 0;
1065
struct audit_entry *entry;
1066
1067
switch (type) {
1068
case AUDIT_ADD_RULE:
1069
-
entry = audit_data_to_entry(data, datasz);
1070
-
if (IS_ERR(entry))
1071
-
return PTR_ERR(entry);
1072
-
1073
err = audit_add_rule(entry);
1074
-
audit_log_rule_change("add rule", &entry->rule, !err);
1075
-
if (err)
1076
-
audit_free_rule(entry);
1077
break;
1078
case AUDIT_DEL_RULE:
1079
-
entry = audit_data_to_entry(data, datasz);
1080
-
if (IS_ERR(entry))
1081
-
return PTR_ERR(entry);
1082
-
1083
err = audit_del_rule(entry);
1084
-
audit_log_rule_change("remove rule", &entry->rule, !err);
1085
-
audit_free_rule(entry);
1086
break;
1087
default:
1088
-
return -EINVAL;
1089
}
1090
1091
return err;
1092
}
···
71
72
DEFINE_MUTEX(audit_filter_mutex);
73
74
+
static void audit_free_lsm_field(struct audit_field *f)
75
+
{
76
+
switch (f->type) {
77
+
case AUDIT_SUBJ_USER:
78
+
case AUDIT_SUBJ_ROLE:
79
+
case AUDIT_SUBJ_TYPE:
80
+
case AUDIT_SUBJ_SEN:
81
+
case AUDIT_SUBJ_CLR:
82
+
case AUDIT_OBJ_USER:
83
+
case AUDIT_OBJ_ROLE:
84
+
case AUDIT_OBJ_TYPE:
85
+
case AUDIT_OBJ_LEV_LOW:
86
+
case AUDIT_OBJ_LEV_HIGH:
87
+
kfree(f->lsm_str);
88
+
security_audit_rule_free(f->lsm_rule);
89
+
}
90
+
}
91
+
92
static inline void audit_free_rule(struct audit_entry *e)
93
{
94
int i;
···
80
if (erule->watch)
81
audit_put_watch(erule->watch);
82
if (erule->fields)
83
+
for (i = 0; i < erule->field_count; i++)
84
+
audit_free_lsm_field(&erule->fields[i]);
85
kfree(erule->fields);
86
kfree(erule->filterkey);
87
kfree(e);
···
148
struct audit_field *f)
149
{
150
if (krule->listnr != AUDIT_FILTER_EXIT ||
151
+
krule->inode_f || krule->watch || krule->tree ||
152
(f->op != Audit_equal && f->op != Audit_not_equal))
153
return -EINVAL;
154
···
422
423
f->type = data->fields[i];
424
f->val = data->values[i];
425
426
/* Support legacy tests for a valid loginuid */
427
if ((f->type == AUDIT_LOGINUID) && (f->val == AUDIT_UID_UNSET)) {
···
1053
int err = 0;
1054
struct audit_entry *entry;
1055
1056
+
entry = audit_data_to_entry(data, datasz);
1057
+
if (IS_ERR(entry))
1058
+
return PTR_ERR(entry);
1059
+
1060
switch (type) {
1061
case AUDIT_ADD_RULE:
1062
err = audit_add_rule(entry);
1063
+
audit_log_rule_change("add_rule", &entry->rule, !err);
1064
break;
1065
case AUDIT_DEL_RULE:
1066
err = audit_del_rule(entry);
1067
+
audit_log_rule_change("remove_rule", &entry->rule, !err);
1068
break;
1069
default:
1070
+
err = -EINVAL;
1071
+
WARN_ON(1);
1072
}
1073
+
1074
+
if (err || type == AUDIT_DEL_RULE)
1075
+
audit_free_rule(entry);
1076
1077
return err;
1078
}
+9
-19
kernel/auditsc.c
+9
-19
kernel/auditsc.c
···
67
#include <linux/binfmts.h>
68
#include <linux/highmem.h>
69
#include <linux/syscalls.h>
70
#include <linux/capability.h>
71
#include <linux/fs_struct.h>
72
#include <linux/compat.h>
···
125
struct audit_tree_refs *next;
126
struct audit_chunk *c[31];
127
};
128
-
129
-
static inline int open_arg(int flags, int mask)
130
-
{
131
-
int n = ACC_MODE(flags);
132
-
if (flags & (O_TRUNC | O_CREAT))
133
-
n |= AUDIT_PERM_WRITE;
134
-
return n & mask;
135
-
}
136
137
static int audit_match_perm(struct audit_context *ctx, int mask)
138
{
···
1498
1499
/**
1500
* audit_syscall_entry - fill in an audit record at syscall entry
1501
-
* @arch: architecture type
1502
* @major: major syscall type (function)
1503
* @a1: additional syscall register 1
1504
* @a2: additional syscall register 2
···
1512
* will only be written if another part of the kernel requests that it
1513
* be written).
1514
*/
1515
-
void __audit_syscall_entry(int arch, int major,
1516
-
unsigned long a1, unsigned long a2,
1517
-
unsigned long a3, unsigned long a4)
1518
{
1519
struct task_struct *tsk = current;
1520
struct audit_context *context = tsk->audit_context;
···
1527
if (!audit_enabled)
1528
return;
1529
1530
-
context->arch = arch;
1531
context->major = major;
1532
context->argv[0] = a1;
1533
context->argv[1] = a2;
···
2424
kgid_t gid;
2425
unsigned int sessionid;
2426
struct mm_struct *mm = current->mm;
2427
2428
auid = audit_get_loginuid(current);
2429
sessionid = audit_get_sessionid(current);
···
2437
sessionid);
2438
audit_log_task_context(ab);
2439
audit_log_format(ab, " pid=%d comm=", task_pid_nr(current));
2440
-
audit_log_untrustedstring(ab, current->comm);
2441
if (mm) {
2442
down_read(&mm->mmap_sem);
2443
if (mm->exe_file)
···
2480
if (unlikely(!ab))
2481
return;
2482
audit_log_task(ab);
2483
-
audit_log_format(ab, " sig=%ld", signr);
2484
-
audit_log_format(ab, " syscall=%ld", syscall);
2485
-
audit_log_format(ab, " compat=%d", is_compat_task());
2486
-
audit_log_format(ab, " ip=0x%lx", KSTK_EIP(current));
2487
-
audit_log_format(ab, " code=0x%x", code);
2488
audit_log_end(ab);
2489
}
2490
···
67
#include <linux/binfmts.h>
68
#include <linux/highmem.h>
69
#include <linux/syscalls.h>
70
+
#include <asm/syscall.h>
71
#include <linux/capability.h>
72
#include <linux/fs_struct.h>
73
#include <linux/compat.h>
···
124
struct audit_tree_refs *next;
125
struct audit_chunk *c[31];
126
};
127
128
static int audit_match_perm(struct audit_context *ctx, int mask)
129
{
···
1505
1506
/**
1507
* audit_syscall_entry - fill in an audit record at syscall entry
1508
* @major: major syscall type (function)
1509
* @a1: additional syscall register 1
1510
* @a2: additional syscall register 2
···
1520
* will only be written if another part of the kernel requests that it
1521
* be written).
1522
*/
1523
+
void __audit_syscall_entry(int major, unsigned long a1, unsigned long a2,
1524
+
unsigned long a3, unsigned long a4)
1525
{
1526
struct task_struct *tsk = current;
1527
struct audit_context *context = tsk->audit_context;
···
1536
if (!audit_enabled)
1537
return;
1538
1539
+
context->arch = syscall_get_arch();
1540
context->major = major;
1541
context->argv[0] = a1;
1542
context->argv[1] = a2;
···
2433
kgid_t gid;
2434
unsigned int sessionid;
2435
struct mm_struct *mm = current->mm;
2436
+
char comm[sizeof(current->comm)];
2437
2438
auid = audit_get_loginuid(current);
2439
sessionid = audit_get_sessionid(current);
···
2445
sessionid);
2446
audit_log_task_context(ab);
2447
audit_log_format(ab, " pid=%d comm=", task_pid_nr(current));
2448
+
audit_log_untrustedstring(ab, get_task_comm(comm, current));
2449
if (mm) {
2450
down_read(&mm->mmap_sem);
2451
if (mm->exe_file)
···
2488
if (unlikely(!ab))
2489
return;
2490
audit_log_task(ab);
2491
+
audit_log_format(ab, " sig=%ld arch=%x syscall=%ld compat=%d ip=0x%lx code=0x%x",
2492
+
signr, syscall_get_arch(), syscall, is_compat_task(),
2493
+
KSTK_EIP(current), code);
2494
audit_log_end(ab);
2495
}
2496