Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
tjh.dev
kernel
os
linux
Merge branch 'audit.b46' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit-current
* 'audit.b46' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit-current:
[AUDIT] Add uid, gid fields to ANOM_PROMISCUOUS message
[AUDIT] ratelimit printk messages audit
[patch 2/2] audit: complement va_copy with va_end()
[patch 1/2] kernel/audit.c: warning fix
[AUDIT] create context if auditing was ever enabled
[AUDIT] clean up audit_receive_msg()
[AUDIT] make audit=0 really stop audit messages
[AUDIT] break large execve argument logging into smaller messages
[AUDIT] include audit type in audit message when using printk
[AUDIT] do not panic on exclude messages in audit_log_pid_context()
[AUDIT] Add End of Event record
[AUDIT] add session id to audit messages
[AUDIT] collect uid, loginuid, and comm in OBJ_PID records
[AUDIT] return EINTR not ERESTART*
[PATCH] get rid of loginuid races
[PATCH] switch audit_get_loginuid() to task_struct *
-7
Documentation/filesystems/proc.txt
-7
Documentation/filesystems/proc.txt
···
1134
resume it if we have a value of 3 or more percent; consider information about
1135
the amount of free space valid for 30 seconds
1136
1137
-
audit_argv_kb
1138
-
-------------
1139
-
1140
-
The file contains a single value denoting the limit on the argv array size
1141
-
for execve (in KiB). This limit is only applied when system call auditing for
1142
-
execve is enabled, otherwise the value is ignored.
1143
-
1144
ctrl-alt-del
1145
------------
1146
+13
-6
drivers/char/tty_audit.c
+13
-6
drivers/char/tty_audit.c
···
73
* @tsk with @loginuid. @buf->mutex must be locked.
74
*/
75
static void tty_audit_buf_push(struct task_struct *tsk, uid_t loginuid,
76
struct tty_audit_buf *buf)
77
{
78
struct audit_buffer *ab;
···
86
if (ab) {
87
char name[sizeof(tsk->comm)];
88
89
-
audit_log_format(ab, "tty pid=%u uid=%u auid=%u major=%d "
90
-
"minor=%d comm=", tsk->pid, tsk->uid,
91
-
loginuid, buf->major, buf->minor);
92
get_task_comm(name, tsk);
93
audit_log_untrustedstring(ab, name);
94
audit_log_format(ab, " data=");
···
106
*/
107
static void tty_audit_buf_push_current(struct tty_audit_buf *buf)
108
{
109
-
tty_audit_buf_push(current, audit_get_loginuid(current->audit_context),
110
-
buf);
111
}
112
113
/**
···
154
void tty_audit_push_task(struct task_struct *tsk, uid_t loginuid)
155
{
156
struct tty_audit_buf *buf;
157
158
spin_lock_irq(&tsk->sighand->siglock);
159
buf = tsk->signal->tty_audit_buf;
···
169
return;
170
171
mutex_lock(&buf->mutex);
172
-
tty_audit_buf_push(tsk, loginuid, buf);
173
mutex_unlock(&buf->mutex);
174
175
tty_audit_buf_put(buf);
···
73
* @tsk with @loginuid. @buf->mutex must be locked.
74
*/
75
static void tty_audit_buf_push(struct task_struct *tsk, uid_t loginuid,
76
+
unsigned int sessionid,
77
struct tty_audit_buf *buf)
78
{
79
struct audit_buffer *ab;
···
85
if (ab) {
86
char name[sizeof(tsk->comm)];
87
88
+
audit_log_format(ab, "tty pid=%u uid=%u auid=%u ses=%u "
89
+
"major=%d minor=%d comm=", tsk->pid, tsk->uid,
90
+
loginuid, sessionid, buf->major, buf->minor);
91
get_task_comm(name, tsk);
92
audit_log_untrustedstring(ab, name);
93
audit_log_format(ab, " data=");
···
105
*/
106
static void tty_audit_buf_push_current(struct tty_audit_buf *buf)
107
{
108
+
uid_t auid = audit_get_loginuid(current);
109
+
unsigned int sessionid = audit_get_sessionid(current);
110
+
tty_audit_buf_push(current, auid, sessionid, buf);
111
}
112
113
/**
···
152
void tty_audit_push_task(struct task_struct *tsk, uid_t loginuid)
153
{
154
struct tty_audit_buf *buf;
155
+
/* FIXME I think this is correct. Check against netlink once that is
156
+
* I really need to read this code more closely. But that's for
157
+
* another patch.
158
+
*/
159
+
unsigned int sessionid = audit_get_sessionid(tsk);
160
161
spin_lock_irq(&tsk->sighand->siglock);
162
buf = tsk->signal->tty_audit_buf;
···
162
return;
163
164
mutex_lock(&buf->mutex);
165
+
tty_audit_buf_push(tsk, loginuid, sessionid, buf);
166
mutex_unlock(&buf->mutex);
167
168
tty_audit_buf_put(buf);
+1
-1
fs/proc/base.c
+1
-1
fs/proc/base.c
+9
-4
include/linux/audit.h
+9
-4
include/linux/audit.h
···
98
#define AUDIT_FD_PAIR 1317 /* audit record for pipe/socketpair */
99
#define AUDIT_OBJ_PID 1318 /* ptrace target */
100
#define AUDIT_TTY 1319 /* Input on an administrative TTY */
101
102
#define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
103
#define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
···
410
extern void auditsc_get_stamp(struct audit_context *ctx,
411
struct timespec *t, unsigned int *serial);
412
extern int audit_set_loginuid(struct task_struct *task, uid_t loginuid);
413
-
extern uid_t audit_get_loginuid(struct audit_context *ctx);
414
extern void audit_log_task_context(struct audit_buffer *ab);
415
extern int __audit_ipc_obj(struct kern_ipc_perm *ipcp);
416
extern int __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode);
···
490
#define audit_inode_child(d,i,p) do { ; } while (0)
491
#define audit_core_dumps(i) do { ; } while (0)
492
#define auditsc_get_stamp(c,t,s) do { BUG(); } while (0)
493
-
#define audit_get_loginuid(c) ({ -1; })
494
#define audit_log_task_context(b) do { ; } while (0)
495
#define audit_ipc_obj(i) ({ 0; })
496
#define audit_ipc_set_perm(q,u,g,m) ({ 0; })
···
525
extern void audit_log_hex(struct audit_buffer *ab,
526
const unsigned char *buf,
527
size_t len);
528
-
extern const char * audit_log_untrustedstring(struct audit_buffer *ab,
529
const char *string);
530
-
extern const char * audit_log_n_untrustedstring(struct audit_buffer *ab,
531
size_t n,
532
const char *string);
533
extern void audit_log_d_path(struct audit_buffer *ab,
···
98
#define AUDIT_FD_PAIR 1317 /* audit record for pipe/socketpair */
99
#define AUDIT_OBJ_PID 1318 /* ptrace target */
100
#define AUDIT_TTY 1319 /* Input on an administrative TTY */
101
+
#define AUDIT_EOE 1320 /* End of multi-record event */
102
103
#define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
104
#define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
···
409
extern void auditsc_get_stamp(struct audit_context *ctx,
410
struct timespec *t, unsigned int *serial);
411
extern int audit_set_loginuid(struct task_struct *task, uid_t loginuid);
412
+
#define audit_get_loginuid(t) ((t)->loginuid)
413
+
#define audit_get_sessionid(t) ((t)->sessionid)
414
extern void audit_log_task_context(struct audit_buffer *ab);
415
extern int __audit_ipc_obj(struct kern_ipc_perm *ipcp);
416
extern int __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode);
···
488
#define audit_inode_child(d,i,p) do { ; } while (0)
489
#define audit_core_dumps(i) do { ; } while (0)
490
#define auditsc_get_stamp(c,t,s) do { BUG(); } while (0)
491
+
#define audit_get_loginuid(t) (-1)
492
+
#define audit_get_sessionid(t) (-1)
493
#define audit_log_task_context(b) do { ; } while (0)
494
#define audit_ipc_obj(i) ({ 0; })
495
#define audit_ipc_set_perm(q,u,g,m) ({ 0; })
···
522
extern void audit_log_hex(struct audit_buffer *ab,
523
const unsigned char *buf,
524
size_t len);
525
+
extern int audit_string_contains_control(const char *string,
526
+
size_t len);
527
+
extern void audit_log_untrustedstring(struct audit_buffer *ab,
528
const char *string);
529
+
extern void audit_log_n_untrustedstring(struct audit_buffer *ab,
530
size_t n,
531
const char *string);
532
extern void audit_log_d_path(struct audit_buffer *ab,
+8
include/linux/init_task.h
+8
include/linux/init_task.h
···
114
.pid = &init_struct_pid, \
115
}
116
117
/*
118
* INIT_TASK is used to set up the first task table, touch at
119
* your own risk!. Base=0, limit=0x1fffff (=2MB)
···
180
[PIDTYPE_SID] = INIT_PID_LINK(PIDTYPE_SID), \
181
}, \
182
.dirties = INIT_PROP_LOCAL_SINGLE(dirties), \
183
INIT_TRACE_IRQFLAGS \
184
INIT_LOCKDEP \
185
}
···
114
.pid = &init_struct_pid, \
115
}
116
117
+
#ifdef CONFIG_AUDITSYSCALL
118
+
#define INIT_IDS \
119
+
.loginuid = -1, \
120
+
.sessionid = -1,
121
+
#else
122
+
#define INIT_IDS
123
+
#endif
124
/*
125
* INIT_TASK is used to set up the first task table, touch at
126
* your own risk!. Base=0, limit=0x1fffff (=2MB)
···
173
[PIDTYPE_SID] = INIT_PID_LINK(PIDTYPE_SID), \
174
}, \
175
.dirties = INIT_PROP_LOCAL_SINGLE(dirties), \
176
+
INIT_IDS \
177
INIT_TRACE_IRQFLAGS \
178
INIT_LOCKDEP \
179
}
+4
include/linux/sched.h
+4
include/linux/sched.h
+182
-260
kernel/audit.c
+182
-260
kernel/audit.c
···
66
* (Initialization happens after skb_init is called.) */
67
static int audit_initialized;
68
69
-
/* 0 - no auditing
70
-
* 1 - auditing enabled
71
-
* 2 - auditing enabled and configuration is locked/unchangeable. */
72
int audit_enabled;
73
74
/* Default state when kernel boots without any parameters. */
75
static int audit_default;
···
153
154
static void audit_set_pid(struct audit_buffer *ab, pid_t pid)
155
{
156
-
struct nlmsghdr *nlh = nlmsg_hdr(ab->skb);
157
-
nlh->nlmsg_pid = pid;
158
}
159
160
void audit_panic(const char *message)
···
166
case AUDIT_FAIL_SILENT:
167
break;
168
case AUDIT_FAIL_PRINTK:
169
-
printk(KERN_ERR "audit: %s\n", message);
170
break;
171
case AUDIT_FAIL_PANIC:
172
panic("audit: %s\n", message);
···
235
}
236
237
if (print) {
238
-
printk(KERN_WARNING
239
-
"audit: audit_lost=%d audit_rate_limit=%d audit_backlog_limit=%d\n",
240
-
atomic_read(&audit_lost),
241
-
audit_rate_limit,
242
-
audit_backlog_limit);
243
audit_panic(message);
244
}
245
}
246
247
-
static int audit_set_rate_limit(int limit, uid_t loginuid, u32 sid)
248
{
249
-
int res, rc = 0, old = audit_rate_limit;
250
251
-
/* check if we are locked */
252
-
if (audit_enabled == 2)
253
-
res = 0;
254
-
else
255
-
res = 1;
256
-
257
if (sid) {
258
char *ctx = NULL;
259
u32 len;
260
-
if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) {
261
-
audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
262
-
"audit_rate_limit=%d old=%d by auid=%u"
263
-
" subj=%s res=%d",
264
-
limit, old, loginuid, ctx, res);
265
kfree(ctx);
266
-
} else
267
-
res = 0; /* Something weird, deny request */
268
}
269
-
audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
270
-
"audit_rate_limit=%d old=%d by auid=%u res=%d",
271
-
limit, old, loginuid, res);
272
273
/* If we are allowed, make the change */
274
-
if (res == 1)
275
-
audit_rate_limit = limit;
276
/* Not allowed, update reason */
277
else if (rc == 0)
278
rc = -EPERM;
279
return rc;
280
}
281
282
static int audit_set_backlog_limit(int limit, uid_t loginuid, u32 sid)
283
{
284
-
int res, rc = 0, old = audit_backlog_limit;
285
-
286
-
/* check if we are locked */
287
-
if (audit_enabled == 2)
288
-
res = 0;
289
-
else
290
-
res = 1;
291
-
292
-
if (sid) {
293
-
char *ctx = NULL;
294
-
u32 len;
295
-
if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) {
296
-
audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
297
-
"audit_backlog_limit=%d old=%d by auid=%u"
298
-
" subj=%s res=%d",
299
-
limit, old, loginuid, ctx, res);
300
-
kfree(ctx);
301
-
} else
302
-
res = 0; /* Something weird, deny request */
303
-
}
304
-
audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
305
-
"audit_backlog_limit=%d old=%d by auid=%u res=%d",
306
-
limit, old, loginuid, res);
307
-
308
-
/* If we are allowed, make the change */
309
-
if (res == 1)
310
-
audit_backlog_limit = limit;
311
-
/* Not allowed, update reason */
312
-
else if (rc == 0)
313
-
rc = -EPERM;
314
-
return rc;
315
}
316
317
static int audit_set_enabled(int state, uid_t loginuid, u32 sid)
318
{
319
-
int res, rc = 0, old = audit_enabled;
320
-
321
-
if (state < 0 || state > 2)
322
return -EINVAL;
323
324
-
/* check if we are locked */
325
-
if (audit_enabled == 2)
326
-
res = 0;
327
-
else
328
-
res = 1;
329
330
-
if (sid) {
331
-
char *ctx = NULL;
332
-
u32 len;
333
-
if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) {
334
-
audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
335
-
"audit_enabled=%d old=%d by auid=%u"
336
-
" subj=%s res=%d",
337
-
state, old, loginuid, ctx, res);
338
-
kfree(ctx);
339
-
} else
340
-
res = 0; /* Something weird, deny request */
341
-
}
342
-
audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
343
-
"audit_enabled=%d old=%d by auid=%u res=%d",
344
-
state, old, loginuid, res);
345
346
-
/* If we are allowed, make the change */
347
-
if (res == 1)
348
-
audit_enabled = state;
349
-
/* Not allowed, update reason */
350
-
else if (rc == 0)
351
-
rc = -EPERM;
352
return rc;
353
}
354
355
static int audit_set_failure(int state, uid_t loginuid, u32 sid)
356
{
357
-
int res, rc = 0, old = audit_failure;
358
-
359
if (state != AUDIT_FAIL_SILENT
360
&& state != AUDIT_FAIL_PRINTK
361
&& state != AUDIT_FAIL_PANIC)
362
return -EINVAL;
363
364
-
/* check if we are locked */
365
-
if (audit_enabled == 2)
366
-
res = 0;
367
-
else
368
-
res = 1;
369
-
370
-
if (sid) {
371
-
char *ctx = NULL;
372
-
u32 len;
373
-
if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) {
374
-
audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
375
-
"audit_failure=%d old=%d by auid=%u"
376
-
" subj=%s res=%d",
377
-
state, old, loginuid, ctx, res);
378
-
kfree(ctx);
379
-
} else
380
-
res = 0; /* Something weird, deny request */
381
-
}
382
-
audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
383
-
"audit_failure=%d old=%d by auid=%u res=%d",
384
-
state, old, loginuid, res);
385
-
386
-
/* If we are allowed, make the change */
387
-
if (res == 1)
388
-
audit_failure = state;
389
-
/* Not allowed, update reason */
390
-
else if (rc == 0)
391
-
rc = -EPERM;
392
-
return rc;
393
}
394
395
static int kauditd_thread(void *dummy)
···
355
audit_pid = 0;
356
}
357
} else {
358
-
printk(KERN_NOTICE "%s\n", skb->data + NLMSG_SPACE(0));
359
kfree_skb(skb);
360
}
361
} else {
···
527
return err;
528
}
529
530
static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
531
{
532
u32 uid, pid, seq, sid;
···
564
u16 msg_type = nlh->nlmsg_type;
565
uid_t loginuid; /* loginuid of sender */
566
struct audit_sig_info *sig_data;
567
-
char *ctx;
568
u32 len;
569
570
err = audit_netlink_ok(skb, msg_type);
···
615
if (err < 0) return err;
616
}
617
if (status_get->mask & AUDIT_STATUS_PID) {
618
-
int old = audit_pid;
619
-
if (sid) {
620
-
if ((err = selinux_sid_to_string(
621
-
sid, &ctx, &len)))
622
-
return err;
623
-
else
624
-
audit_log(NULL, GFP_KERNEL,
625
-
AUDIT_CONFIG_CHANGE,
626
-
"audit_pid=%d old=%d by auid=%u subj=%s",
627
-
status_get->pid, old,
628
-
loginuid, ctx);
629
-
kfree(ctx);
630
-
} else
631
-
audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
632
-
"audit_pid=%d old=%d by auid=%u",
633
-
status_get->pid, old, loginuid);
634
-
audit_pid = status_get->pid;
635
}
636
if (status_get->mask & AUDIT_STATUS_RATE_LIMIT)
637
err = audit_set_rate_limit(status_get->rate_limit,
···
645
if (err)
646
break;
647
}
648
-
ab = audit_log_start(NULL, GFP_KERNEL, msg_type);
649
-
if (ab) {
650
-
audit_log_format(ab,
651
-
"user pid=%d uid=%u auid=%u",
652
-
pid, uid, loginuid);
653
-
if (sid) {
654
-
if (selinux_sid_to_string(
655
-
sid, &ctx, &len)) {
656
-
audit_log_format(ab,
657
-
" ssid=%u", sid);
658
-
/* Maybe call audit_panic? */
659
-
} else
660
-
audit_log_format(ab,
661
-
" subj=%s", ctx);
662
-
kfree(ctx);
663
-
}
664
-
if (msg_type != AUDIT_USER_TTY)
665
-
audit_log_format(ab, " msg='%.1024s'",
666
-
(char *)data);
667
-
else {
668
-
int size;
669
670
-
audit_log_format(ab, " msg=");
671
-
size = nlmsg_len(nlh);
672
-
audit_log_n_untrustedstring(ab, size,
673
-
data);
674
-
}
675
-
audit_set_pid(ab, pid);
676
-
audit_log_end(ab);
677
}
678
}
679
break;
680
case AUDIT_ADD:
681
case AUDIT_DEL:
682
if (nlmsg_len(nlh) < sizeof(struct audit_rule))
683
return -EINVAL;
684
-
if (audit_enabled == 2) {
685
-
ab = audit_log_start(NULL, GFP_KERNEL,
686
-
AUDIT_CONFIG_CHANGE);
687
-
if (ab) {
688
-
audit_log_format(ab,
689
-
"pid=%d uid=%u auid=%u",
690
-
pid, uid, loginuid);
691
-
if (sid) {
692
-
if (selinux_sid_to_string(
693
-
sid, &ctx, &len)) {
694
-
audit_log_format(ab,
695
-
" ssid=%u", sid);
696
-
/* Maybe call audit_panic? */
697
-
} else
698
-
audit_log_format(ab,
699
-
" subj=%s", ctx);
700
-
kfree(ctx);
701
-
}
702
-
audit_log_format(ab, " audit_enabled=%d res=0",
703
-
audit_enabled);
704
-
audit_log_end(ab);
705
-
}
706
return -EPERM;
707
}
708
/* fallthrough */
···
686
case AUDIT_DEL_RULE:
687
if (nlmsg_len(nlh) < sizeof(struct audit_rule_data))
688
return -EINVAL;
689
-
if (audit_enabled == 2) {
690
-
ab = audit_log_start(NULL, GFP_KERNEL,
691
-
AUDIT_CONFIG_CHANGE);
692
-
if (ab) {
693
-
audit_log_format(ab,
694
-
"pid=%d uid=%u auid=%u",
695
-
pid, uid, loginuid);
696
-
if (sid) {
697
-
if (selinux_sid_to_string(
698
-
sid, &ctx, &len)) {
699
-
audit_log_format(ab,
700
-
" ssid=%u", sid);
701
-
/* Maybe call audit_panic? */
702
-
} else
703
-
audit_log_format(ab,
704
-
" subj=%s", ctx);
705
-
kfree(ctx);
706
-
}
707
-
audit_log_format(ab, " audit_enabled=%d res=0",
708
-
audit_enabled);
709
-
audit_log_end(ab);
710
-
}
711
return -EPERM;
712
}
713
/* fallthrough */
···
703
break;
704
case AUDIT_TRIM:
705
audit_trim_trees();
706
-
ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
707
-
if (!ab)
708
-
break;
709
-
audit_log_format(ab, "auid=%u", loginuid);
710
-
if (sid) {
711
-
u32 len;
712
-
ctx = NULL;
713
-
if (selinux_sid_to_string(sid, &ctx, &len))
714
-
audit_log_format(ab, " ssid=%u", sid);
715
-
else
716
-
audit_log_format(ab, " subj=%s", ctx);
717
-
kfree(ctx);
718
-
}
719
audit_log_format(ab, " op=trim res=1");
720
audit_log_end(ab);
721
break;
···
736
/* OK, here comes... */
737
err = audit_tag_tree(old, new);
738
739
-
ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
740
-
if (!ab) {
741
-
kfree(old);
742
-
kfree(new);
743
-
break;
744
-
}
745
-
audit_log_format(ab, "auid=%u", loginuid);
746
-
if (sid) {
747
-
u32 len;
748
-
ctx = NULL;
749
-
if (selinux_sid_to_string(sid, &ctx, &len))
750
-
audit_log_format(ab, " ssid=%u", sid);
751
-
else
752
-
audit_log_format(ab, " subj=%s", ctx);
753
-
kfree(ctx);
754
-
}
755
audit_log_format(ab, " op=make_equiv old=");
756
audit_log_untrustedstring(ab, old);
757
audit_log_format(ab, " new=");
···
871
skb_queue_head_init(&audit_skb_queue);
872
audit_initialized = 1;
873
audit_enabled = audit_default;
874
875
/* Register the callback with selinux. This callback will be invoked
876
* when a new policy is loaded. */
···
899
printk(KERN_INFO "audit: %s%s\n",
900
audit_default ? "enabled" : "disabled",
901
audit_initialized ? "" : " (after initialization)");
902
-
if (audit_initialized)
903
audit_enabled = audit_default;
904
return 1;
905
}
906
···
1039
{
1040
struct audit_buffer *ab = NULL;
1041
struct timespec t;
1042
-
unsigned int serial;
1043
int reserve;
1044
unsigned long timeout_start = jiffies;
1045
···
1073
remove_wait_queue(&audit_backlog_wait, &wait);
1074
continue;
1075
}
1076
-
if (audit_rate_check())
1077
printk(KERN_WARNING
1078
"audit: audit_backlog=%d > "
1079
"audit_backlog_limit=%d\n",
···
1158
goto out;
1159
len = vsnprintf(skb_tail_pointer(skb), avail, fmt, args2);
1160
}
1161
if (len > 0)
1162
skb_put(skb, len);
1163
out:
···
1260
}
1261
1262
/**
1263
* audit_log_n_untrustedstring - log a string that may contain random characters
1264
* @ab: audit_buffer
1265
* @len: lenth of string (not including trailing null)
···
1288
* The caller specifies the number of characters in the string to log, which may
1289
* or may not be the entire string.
1290
*/
1291
-
const char *audit_log_n_untrustedstring(struct audit_buffer *ab, size_t len,
1292
-
const char *string)
1293
{
1294
-
const unsigned char *p;
1295
-
1296
-
for (p = string; p < (const unsigned char *)string + len && *p; p++) {
1297
-
if (*p == '"' || *p < 0x21 || *p > 0x7f) {
1298
-
audit_log_hex(ab, string, len);
1299
-
return string + len + 1;
1300
-
}
1301
-
}
1302
-
audit_log_n_string(ab, len, string);
1303
-
return p + 1;
1304
}
1305
1306
/**
···
1305
* Same as audit_log_n_untrustedstring(), except that strlen is used to
1306
* determine string length.
1307
*/
1308
-
const char *audit_log_untrustedstring(struct audit_buffer *ab, const char *string)
1309
{
1310
-
return audit_log_n_untrustedstring(ab, strlen(string), string);
1311
}
1312
1313
/* This is a helper-function to print the escaped d_path */
···
1356
skb_queue_tail(&audit_skb_queue, ab->skb);
1357
ab->skb = NULL;
1358
wake_up_interruptible(&kauditd_wait);
1359
} else {
1360
-
printk(KERN_NOTICE "%s\n", ab->skb->data + NLMSG_SPACE(0));
1361
}
1362
}
1363
audit_buffer_free(ab);
···
66
* (Initialization happens after skb_init is called.) */
67
static int audit_initialized;
68
69
+
#define AUDIT_OFF 0
70
+
#define AUDIT_ON 1
71
+
#define AUDIT_LOCKED 2
72
int audit_enabled;
73
+
int audit_ever_enabled;
74
75
/* Default state when kernel boots without any parameters. */
76
static int audit_default;
···
152
153
static void audit_set_pid(struct audit_buffer *ab, pid_t pid)
154
{
155
+
if (ab) {
156
+
struct nlmsghdr *nlh = nlmsg_hdr(ab->skb);
157
+
nlh->nlmsg_pid = pid;
158
+
}
159
}
160
161
void audit_panic(const char *message)
···
163
case AUDIT_FAIL_SILENT:
164
break;
165
case AUDIT_FAIL_PRINTK:
166
+
if (printk_ratelimit())
167
+
printk(KERN_ERR "audit: %s\n", message);
168
break;
169
case AUDIT_FAIL_PANIC:
170
panic("audit: %s\n", message);
···
231
}
232
233
if (print) {
234
+
if (printk_ratelimit())
235
+
printk(KERN_WARNING
236
+
"audit: audit_lost=%d audit_rate_limit=%d "
237
+
"audit_backlog_limit=%d\n",
238
+
atomic_read(&audit_lost),
239
+
audit_rate_limit,
240
+
audit_backlog_limit);
241
audit_panic(message);
242
}
243
}
244
245
+
static int audit_log_config_change(char *function_name, int new, int old,
246
+
uid_t loginuid, u32 sid, int allow_changes)
247
{
248
+
struct audit_buffer *ab;
249
+
int rc = 0;
250
251
+
ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
252
+
audit_log_format(ab, "%s=%d old=%d by auid=%u", function_name, new,
253
+
old, loginuid);
254
if (sid) {
255
char *ctx = NULL;
256
u32 len;
257
+
258
+
rc = selinux_sid_to_string(sid, &ctx, &len);
259
+
if (rc) {
260
+
audit_log_format(ab, " sid=%u", sid);
261
+
allow_changes = 0; /* Something weird, deny request */
262
+
} else {
263
+
audit_log_format(ab, " subj=%s", ctx);
264
kfree(ctx);
265
+
}
266
}
267
+
audit_log_format(ab, " res=%d", allow_changes);
268
+
audit_log_end(ab);
269
+
return rc;
270
+
}
271
+
272
+
static int audit_do_config_change(char *function_name, int *to_change,
273
+
int new, uid_t loginuid, u32 sid)
274
+
{
275
+
int allow_changes, rc = 0, old = *to_change;
276
+
277
+
/* check if we are locked */
278
+
if (audit_enabled == AUDIT_LOCKED)
279
+
allow_changes = 0;
280
+
else
281
+
allow_changes = 1;
282
+
283
+
if (audit_enabled != AUDIT_OFF) {
284
+
rc = audit_log_config_change(function_name, new, old,
285
+
loginuid, sid, allow_changes);
286
+
if (rc)
287
+
allow_changes = 0;
288
+
}
289
290
/* If we are allowed, make the change */
291
+
if (allow_changes == 1)
292
+
*to_change = new;
293
/* Not allowed, update reason */
294
else if (rc == 0)
295
rc = -EPERM;
296
return rc;
297
+
}
298
+
299
+
static int audit_set_rate_limit(int limit, uid_t loginuid, u32 sid)
300
+
{
301
+
return audit_do_config_change("audit_rate_limit", &audit_rate_limit,
302
+
limit, loginuid, sid);
303
}
304
305
static int audit_set_backlog_limit(int limit, uid_t loginuid, u32 sid)
306
{
307
+
return audit_do_config_change("audit_backlog_limit", &audit_backlog_limit,
308
+
limit, loginuid, sid);
309
}
310
311
static int audit_set_enabled(int state, uid_t loginuid, u32 sid)
312
{
313
+
int rc;
314
+
if (state < AUDIT_OFF || state > AUDIT_LOCKED)
315
return -EINVAL;
316
317
+
rc = audit_do_config_change("audit_enabled", &audit_enabled, state,
318
+
loginuid, sid);
319
320
+
if (!rc)
321
+
audit_ever_enabled |= !!state;
322
323
return rc;
324
}
325
326
static int audit_set_failure(int state, uid_t loginuid, u32 sid)
327
{
328
if (state != AUDIT_FAIL_SILENT
329
&& state != AUDIT_FAIL_PRINTK
330
&& state != AUDIT_FAIL_PANIC)
331
return -EINVAL;
332
333
+
return audit_do_config_change("audit_failure", &audit_failure, state,
334
+
loginuid, sid);
335
}
336
337
static int kauditd_thread(void *dummy)
···
405
audit_pid = 0;
406
}
407
} else {
408
+
if (printk_ratelimit())
409
+
printk(KERN_NOTICE "%s\n", skb->data +
410
+
NLMSG_SPACE(0));
411
+
else
412
+
audit_log_lost("printk limit exceeded\n");
413
kfree_skb(skb);
414
}
415
} else {
···
573
return err;
574
}
575
576
+
static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type,
577
+
u32 pid, u32 uid, uid_t auid, u32 sid)
578
+
{
579
+
int rc = 0;
580
+
char *ctx = NULL;
581
+
u32 len;
582
+
583
+
if (!audit_enabled) {
584
+
*ab = NULL;
585
+
return rc;
586
+
}
587
+
588
+
*ab = audit_log_start(NULL, GFP_KERNEL, msg_type);
589
+
audit_log_format(*ab, "user pid=%d uid=%u auid=%u",
590
+
pid, uid, auid);
591
+
if (sid) {
592
+
rc = selinux_sid_to_string(sid, &ctx, &len);
593
+
if (rc)
594
+
audit_log_format(*ab, " ssid=%u", sid);
595
+
else
596
+
audit_log_format(*ab, " subj=%s", ctx);
597
+
kfree(ctx);
598
+
}
599
+
600
+
return rc;
601
+
}
602
+
603
static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
604
{
605
u32 uid, pid, seq, sid;
···
583
u16 msg_type = nlh->nlmsg_type;
584
uid_t loginuid; /* loginuid of sender */
585
struct audit_sig_info *sig_data;
586
+
char *ctx = NULL;
587
u32 len;
588
589
err = audit_netlink_ok(skb, msg_type);
···
634
if (err < 0) return err;
635
}
636
if (status_get->mask & AUDIT_STATUS_PID) {
637
+
int new_pid = status_get->pid;
638
+
639
+
if (audit_enabled != AUDIT_OFF)
640
+
audit_log_config_change("audit_pid", new_pid,
641
+
audit_pid, loginuid,
642
+
sid, 1);
643
+
644
+
audit_pid = new_pid;
645
}
646
if (status_get->mask & AUDIT_STATUS_RATE_LIMIT)
647
err = audit_set_rate_limit(status_get->rate_limit,
···
673
if (err)
674
break;
675
}
676
+
audit_log_common_recv_msg(&ab, msg_type, pid, uid,
677
+
loginuid, sid);
678
679
+
if (msg_type != AUDIT_USER_TTY)
680
+
audit_log_format(ab, " msg='%.1024s'",
681
+
(char *)data);
682
+
else {
683
+
int size;
684
+
685
+
audit_log_format(ab, " msg=");
686
+
size = nlmsg_len(nlh);
687
+
audit_log_n_untrustedstring(ab, size,
688
+
data);
689
}
690
+
audit_set_pid(ab, pid);
691
+
audit_log_end(ab);
692
}
693
break;
694
case AUDIT_ADD:
695
case AUDIT_DEL:
696
if (nlmsg_len(nlh) < sizeof(struct audit_rule))
697
return -EINVAL;
698
+
if (audit_enabled == AUDIT_LOCKED) {
699
+
audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE, pid,
700
+
uid, loginuid, sid);
701
+
702
+
audit_log_format(ab, " audit_enabled=%d res=0",
703
+
audit_enabled);
704
+
audit_log_end(ab);
705
return -EPERM;
706
}
707
/* fallthrough */
···
743
case AUDIT_DEL_RULE:
744
if (nlmsg_len(nlh) < sizeof(struct audit_rule_data))
745
return -EINVAL;
746
+
if (audit_enabled == AUDIT_LOCKED) {
747
+
audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE, pid,
748
+
uid, loginuid, sid);
749
+
750
+
audit_log_format(ab, " audit_enabled=%d res=0",
751
+
audit_enabled);
752
+
audit_log_end(ab);
753
return -EPERM;
754
}
755
/* fallthrough */
···
775
break;
776
case AUDIT_TRIM:
777
audit_trim_trees();
778
+
779
+
audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE, pid,
780
+
uid, loginuid, sid);
781
+
782
audit_log_format(ab, " op=trim res=1");
783
audit_log_end(ab);
784
break;
···
817
/* OK, here comes... */
818
err = audit_tag_tree(old, new);
819
820
+
audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE, pid,
821
+
uid, loginuid, sid);
822
+
823
audit_log_format(ab, " op=make_equiv old=");
824
audit_log_untrustedstring(ab, old);
825
audit_log_format(ab, " new=");
···
965
skb_queue_head_init(&audit_skb_queue);
966
audit_initialized = 1;
967
audit_enabled = audit_default;
968
+
audit_ever_enabled |= !!audit_default;
969
970
/* Register the callback with selinux. This callback will be invoked
971
* when a new policy is loaded. */
···
992
printk(KERN_INFO "audit: %s%s\n",
993
audit_default ? "enabled" : "disabled",
994
audit_initialized ? "" : " (after initialization)");
995
+
if (audit_initialized) {
996
audit_enabled = audit_default;
997
+
audit_ever_enabled |= !!audit_default;
998
+
}
999
return 1;
1000
}
1001
···
1130
{
1131
struct audit_buffer *ab = NULL;
1132
struct timespec t;
1133
+
unsigned int uninitialized_var(serial);
1134
int reserve;
1135
unsigned long timeout_start = jiffies;
1136
···
1164
remove_wait_queue(&audit_backlog_wait, &wait);
1165
continue;
1166
}
1167
+
if (audit_rate_check() && printk_ratelimit())
1168
printk(KERN_WARNING
1169
"audit: audit_backlog=%d > "
1170
"audit_backlog_limit=%d\n",
···
1249
goto out;
1250
len = vsnprintf(skb_tail_pointer(skb), avail, fmt, args2);
1251
}
1252
+
va_end(args2);
1253
if (len > 0)
1254
skb_put(skb, len);
1255
out:
···
1350
}
1351
1352
/**
1353
+
* audit_string_contains_control - does a string need to be logged in hex
1354
+
* @string - string to be checked
1355
+
* @len - max length of the string to check
1356
+
*/
1357
+
int audit_string_contains_control(const char *string, size_t len)
1358
+
{
1359
+
const unsigned char *p;
1360
+
for (p = string; p < (const unsigned char *)string + len && *p; p++) {
1361
+
if (*p == '"' || *p < 0x21 || *p > 0x7f)
1362
+
return 1;
1363
+
}
1364
+
return 0;
1365
+
}
1366
+
1367
+
/**
1368
* audit_log_n_untrustedstring - log a string that may contain random characters
1369
* @ab: audit_buffer
1370
* @len: lenth of string (not including trailing null)
···
1363
* The caller specifies the number of characters in the string to log, which may
1364
* or may not be the entire string.
1365
*/
1366
+
void audit_log_n_untrustedstring(struct audit_buffer *ab, size_t len,
1367
+
const char *string)
1368
{
1369
+
if (audit_string_contains_control(string, len))
1370
+
audit_log_hex(ab, string, len);
1371
+
else
1372
+
audit_log_n_string(ab, len, string);
1373
}
1374
1375
/**
···
1386
* Same as audit_log_n_untrustedstring(), except that strlen is used to
1387
* determine string length.
1388
*/
1389
+
void audit_log_untrustedstring(struct audit_buffer *ab, const char *string)
1390
{
1391
+
audit_log_n_untrustedstring(ab, strlen(string), string);
1392
}
1393
1394
/* This is a helper-function to print the escaped d_path */
···
1437
skb_queue_tail(&audit_skb_queue, ab->skb);
1438
ab->skb = NULL;
1439
wake_up_interruptible(&kauditd_wait);
1440
+
} else if (printk_ratelimit()) {
1441
+
struct nlmsghdr *nlh = nlmsg_hdr(ab->skb);
1442
+
printk(KERN_NOTICE "type=%d %s\n", nlh->nlmsg_type, ab->skb->data + NLMSG_SPACE(0));
1443
} else {
1444
+
audit_log_lost("printk limit exceeded\n");
1445
}
1446
}
1447
audit_buffer_free(ab);
+33
-21
kernel/auditfilter.c
+33
-21
kernel/auditfilter.c
···
95
/* Inotify events we care about. */
96
#define AUDIT_IN_WATCH IN_MOVE|IN_CREATE|IN_DELETE|IN_DELETE_SELF|IN_MOVE_SELF
97
98
void audit_free_parent(struct inotify_watch *i_watch)
99
{
100
struct audit_parent *parent;
···
976
struct audit_watch *owatch, *nwatch, *nextw;
977
struct audit_krule *r, *nextr;
978
struct audit_entry *oentry, *nentry;
979
-
struct audit_buffer *ab;
980
981
mutex_lock(&audit_filter_mutex);
982
list_for_each_entry_safe(owatch, nextw, &parent->watches, wlist) {
···
1015
call_rcu(&oentry->rcu, audit_free_rule_rcu);
1016
}
1017
1018
-
ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
1019
-
audit_log_format(ab, "op=updated rules specifying path=");
1020
-
audit_log_untrustedstring(ab, owatch->path);
1021
-
audit_log_format(ab, " with dev=%u ino=%lu\n", dev, ino);
1022
-
audit_log_format(ab, " list=%d res=1", r->listnr);
1023
-
audit_log_end(ab);
1024
-
1025
audit_remove_watch(owatch);
1026
goto add_watch_to_parent; /* event applies to a single watch */
1027
}
···
1045
struct audit_watch *w, *nextw;
1046
struct audit_krule *r, *nextr;
1047
struct audit_entry *e;
1048
-
struct audit_buffer *ab;
1049
1050
mutex_lock(&audit_filter_mutex);
1051
parent->flags |= AUDIT_PARENT_INVALID;
1052
list_for_each_entry_safe(w, nextw, &parent->watches, wlist) {
1053
list_for_each_entry_safe(r, nextr, &w->rules, rlist) {
1054
e = container_of(r, struct audit_entry, rule);
1055
-
1056
-
ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
1057
-
audit_log_format(ab, "op=remove rule path=");
1058
-
audit_log_untrustedstring(ab, w->path);
1059
-
if (r->filterkey) {
1060
-
audit_log_format(ab, " key=");
1061
-
audit_log_untrustedstring(ab, r->filterkey);
1062
-
} else
1063
-
audit_log_format(ab, " key=(null)");
1064
-
audit_log_format(ab, " list=%d res=1", r->listnr);
1065
-
audit_log_end(ab);
1066
-
1067
list_del(&r->rlist);
1068
list_del_rcu(&e->list);
1069
call_rcu(&e->rcu, audit_free_rule_rcu);
···
1503
struct audit_krule *rule, int res)
1504
{
1505
struct audit_buffer *ab;
1506
1507
ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
1508
if (!ab)
···
95
/* Inotify events we care about. */
96
#define AUDIT_IN_WATCH IN_MOVE|IN_CREATE|IN_DELETE|IN_DELETE_SELF|IN_MOVE_SELF
97
98
+
extern int audit_enabled;
99
+
100
void audit_free_parent(struct inotify_watch *i_watch)
101
{
102
struct audit_parent *parent;
···
974
struct audit_watch *owatch, *nwatch, *nextw;
975
struct audit_krule *r, *nextr;
976
struct audit_entry *oentry, *nentry;
977
978
mutex_lock(&audit_filter_mutex);
979
list_for_each_entry_safe(owatch, nextw, &parent->watches, wlist) {
···
1014
call_rcu(&oentry->rcu, audit_free_rule_rcu);
1015
}
1016
1017
+
if (audit_enabled) {
1018
+
struct audit_buffer *ab;
1019
+
ab = audit_log_start(NULL, GFP_KERNEL,
1020
+
AUDIT_CONFIG_CHANGE);
1021
+
audit_log_format(ab,
1022
+
"op=updated rules specifying path=");
1023
+
audit_log_untrustedstring(ab, owatch->path);
1024
+
audit_log_format(ab, " with dev=%u ino=%lu\n",
1025
+
dev, ino);
1026
+
audit_log_format(ab, " list=%d res=1", r->listnr);
1027
+
audit_log_end(ab);
1028
+
}
1029
audit_remove_watch(owatch);
1030
goto add_watch_to_parent; /* event applies to a single watch */
1031
}
···
1039
struct audit_watch *w, *nextw;
1040
struct audit_krule *r, *nextr;
1041
struct audit_entry *e;
1042
1043
mutex_lock(&audit_filter_mutex);
1044
parent->flags |= AUDIT_PARENT_INVALID;
1045
list_for_each_entry_safe(w, nextw, &parent->watches, wlist) {
1046
list_for_each_entry_safe(r, nextr, &w->rules, rlist) {
1047
e = container_of(r, struct audit_entry, rule);
1048
+
if (audit_enabled) {
1049
+
struct audit_buffer *ab;
1050
+
ab = audit_log_start(NULL, GFP_KERNEL,
1051
+
AUDIT_CONFIG_CHANGE);
1052
+
audit_log_format(ab, "op=remove rule path=");
1053
+
audit_log_untrustedstring(ab, w->path);
1054
+
if (r->filterkey) {
1055
+
audit_log_format(ab, " key=");
1056
+
audit_log_untrustedstring(ab,
1057
+
r->filterkey);
1058
+
} else
1059
+
audit_log_format(ab, " key=(null)");
1060
+
audit_log_format(ab, " list=%d res=1",
1061
+
r->listnr);
1062
+
audit_log_end(ab);
1063
+
}
1064
list_del(&r->rlist);
1065
list_del_rcu(&e->list);
1066
call_rcu(&e->rcu, audit_free_rule_rcu);
···
1494
struct audit_krule *rule, int res)
1495
{
1496
struct audit_buffer *ab;
1497
+
1498
+
if (!audit_enabled)
1499
+
return;
1500
1501
ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
1502
if (!ab)
+259
-96
kernel/auditsc.c
+259
-96
kernel/auditsc.c
···
70
#include "audit.h"
71
72
extern struct list_head audit_filter_list[];
73
74
/* AUDIT_NAMES is the number of slots we reserve in the audit_context
75
* for saving names from getname(). */
···
78
79
/* Indicates that audit should log the full pathname. */
80
#define AUDIT_NAME_FULL -1
81
82
/* number of audit rules */
83
int audit_n_rules;
···
180
struct audit_aux_data_pids {
181
struct audit_aux_data d;
182
pid_t target_pid[AUDIT_AUX_PIDS];
183
u32 target_sid[AUDIT_AUX_PIDS];
184
int pid_count;
185
};
186
···
200
enum audit_state state;
201
unsigned int serial; /* serial number for record */
202
struct timespec ctime; /* time of syscall entry */
203
-
uid_t loginuid; /* login uid (identity) */
204
int major; /* syscall number */
205
unsigned long argv[4]; /* syscall arguments */
206
int return_valid; /* return code is valid */
···
222
int arch;
223
224
pid_t target_pid;
225
u32 target_sid;
226
227
struct audit_tree_refs *trees, *first_trees;
228
int tree_count;
···
517
case AUDIT_LOGINUID:
518
result = 0;
519
if (ctx)
520
-
result = audit_comparator(ctx->loginuid, f->op, f->val);
521
break;
522
case AUDIT_SUBJ_USER:
523
case AUDIT_SUBJ_ROLE:
···
713
if (likely(!context))
714
return NULL;
715
context->return_valid = return_valid;
716
-
context->return_code = return_code;
717
718
if (context->in_syscall && !context->dummy && !context->auditable) {
719
enum audit_state state;
···
811
static inline void audit_zero_context(struct audit_context *context,
812
enum audit_state state)
813
{
814
-
uid_t loginuid = context->loginuid;
815
-
816
memset(context, 0, sizeof(*context));
817
context->state = state;
818
-
context->loginuid = loginuid;
819
}
820
821
static inline struct audit_context *audit_alloc_context(enum audit_state state)
···
839
struct audit_context *context;
840
enum audit_state state;
841
842
-
if (likely(!audit_enabled))
843
return 0; /* Return if not auditing. */
844
845
state = audit_filter_task(tsk);
···
850
audit_log_lost("out of memory in audit_alloc");
851
return -ENOMEM;
852
}
853
-
854
-
/* Preserve login uid */
855
-
context->loginuid = -1;
856
-
if (current->audit_context)
857
-
context->loginuid = current->audit_context->loginuid;
858
859
tsk->audit_context = context;
860
set_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT);
···
942
}
943
944
static int audit_log_pid_context(struct audit_context *context, pid_t pid,
945
-
u32 sid)
946
{
947
struct audit_buffer *ab;
948
char *s = NULL;
···
952
953
ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID);
954
if (!ab)
955
-
return 1;
956
957
if (selinux_sid_to_string(sid, &s, &len)) {
958
-
audit_log_format(ab, "opid=%d obj=(none)", pid);
959
rc = 1;
960
} else
961
-
audit_log_format(ab, "opid=%d obj=%s", pid, s);
962
audit_log_end(ab);
963
kfree(s);
964
965
return rc;
966
}
967
968
-
static void audit_log_execve_info(struct audit_buffer *ab,
969
-
struct audit_aux_data_execve *axi)
970
{
971
-
int i;
972
-
long len, ret;
973
-
const char __user *p;
974
-
char *buf;
975
976
-
if (axi->mm != current->mm)
977
-
return; /* execve failed, no additional info */
978
979
-
p = (const char __user *)axi->mm->arg_start;
980
981
-
for (i = 0; i < axi->argc; i++, p += len) {
982
-
len = strnlen_user(p, MAX_ARG_STRLEN);
983
-
/*
984
-
* We just created this mm, if we can't find the strings
985
-
* we just copied into it something is _very_ wrong. Similar
986
-
* for strings that are too long, we should not have created
987
-
* any.
988
-
*/
989
-
if (!len || len > MAX_ARG_STRLEN) {
990
-
WARN_ON(1);
991
-
send_sig(SIGKILL, current, 0);
992
-
}
993
-
994
-
buf = kmalloc(len, GFP_KERNEL);
995
-
if (!buf) {
996
-
audit_panic("out of memory for argv string\n");
997
-
break;
998
-
}
999
-
1000
-
ret = copy_from_user(buf, p, len);
1001
/*
1002
* There is no reason for this copy to be short. We just
1003
* copied them here, and the mm hasn't been exposed to user-
···
1026
WARN_ON(1);
1027
send_sig(SIGKILL, current, 0);
1028
}
1029
1030
-
audit_log_format(ab, "a%d=", i);
1031
-
audit_log_untrustedstring(ab, buf);
1032
-
audit_log_format(ab, "\n");
1033
1034
-
kfree(buf);
1035
}
1036
}
1037
1038
static void audit_log_exit(struct audit_context *context, struct task_struct *tsk)
···
1196
" a0=%lx a1=%lx a2=%lx a3=%lx items=%d"
1197
" ppid=%d pid=%d auid=%u uid=%u gid=%u"
1198
" euid=%u suid=%u fsuid=%u"
1199
-
" egid=%u sgid=%u fsgid=%u tty=%s",
1200
context->argv[0],
1201
context->argv[1],
1202
context->argv[2],
···
1204
context->name_count,
1205
context->ppid,
1206
context->pid,
1207
-
context->loginuid,
1208
context->uid,
1209
context->gid,
1210
context->euid, context->suid, context->fsuid,
1211
-
context->egid, context->sgid, context->fsgid, tty);
1212
1213
mutex_unlock(&tty_mutex);
1214
···
1293
1294
case AUDIT_EXECVE: {
1295
struct audit_aux_data_execve *axi = (void *)aux;
1296
-
audit_log_execve_info(ab, axi);
1297
break; }
1298
1299
case AUDIT_SOCKETCALL: {
···
1326
1327
for (i = 0; i < axs->pid_count; i++)
1328
if (audit_log_pid_context(context, axs->target_pid[i],
1329
-
axs->target_sid[i]))
1330
call_panic = 1;
1331
}
1332
1333
if (context->target_pid &&
1334
audit_log_pid_context(context, context->target_pid,
1335
-
context->target_sid))
1336
call_panic = 1;
1337
1338
if (context->pwd && context->pwdmnt) {
···
1406
1407
audit_log_end(ab);
1408
}
1409
if (call_panic)
1410
audit_panic("error converting sid to string");
1411
}
···
1935
ctx->auditable = 1;
1936
}
1937
1938
/**
1939
* audit_set_loginuid - set a task's audit_context loginuid
1940
* @task: task whose audit context is being modified
···
1949
*/
1950
int audit_set_loginuid(struct task_struct *task, uid_t loginuid)
1951
{
1952
struct audit_context *context = task->audit_context;
1953
1954
-
if (context) {
1955
-
/* Only log if audit is enabled */
1956
-
if (context->in_syscall) {
1957
-
struct audit_buffer *ab;
1958
1959
-
ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN);
1960
-
if (ab) {
1961
-
audit_log_format(ab, "login pid=%d uid=%u "
1962
-
"old auid=%u new auid=%u",
1963
-
task->pid, task->uid,
1964
-
context->loginuid, loginuid);
1965
-
audit_log_end(ab);
1966
-
}
1967
}
1968
-
context->loginuid = loginuid;
1969
}
1970
return 0;
1971
}
1972
-
1973
-
/**
1974
-
* audit_get_loginuid - get the loginuid for an audit_context
1975
-
* @ctx: the audit_context
1976
-
*
1977
-
* Returns the context's loginuid or -1 if @ctx is NULL.
1978
-
*/
1979
-
uid_t audit_get_loginuid(struct audit_context *ctx)
1980
-
{
1981
-
return ctx ? ctx->loginuid : -1;
1982
-
}
1983
-
1984
-
EXPORT_SYMBOL(audit_get_loginuid);
1985
1986
/**
1987
* __audit_mq_open - record audit data for a POSIX MQ open
···
2230
return 0;
2231
}
2232
2233
-
int audit_argv_kb = 32;
2234
-
2235
int audit_bprm(struct linux_binprm *bprm)
2236
{
2237
struct audit_aux_data_execve *ax;
···
2237
2238
if (likely(!audit_enabled || !context || context->dummy))
2239
return 0;
2240
-
2241
-
/*
2242
-
* Even though the stack code doesn't limit the arg+env size any more,
2243
-
* the audit code requires that _all_ arguments be logged in a single
2244
-
* netlink skb. Hence cap it :-(
2245
-
*/
2246
-
if (bprm->argv_len > (audit_argv_kb << 10))
2247
-
return -E2BIG;
2248
2249
ax = kmalloc(sizeof(*ax), GFP_KERNEL);
2250
if (!ax)
···
2343
struct audit_context *context = current->audit_context;
2344
2345
context->target_pid = t->pid;
2346
selinux_get_task_sid(t, &context->target_sid);
2347
}
2348
2349
/**
···
2370
if (audit_pid && t->tgid == audit_pid) {
2371
if (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1) {
2372
audit_sig_pid = tsk->pid;
2373
-
if (ctx)
2374
-
audit_sig_uid = ctx->loginuid;
2375
else
2376
audit_sig_uid = tsk->uid;
2377
selinux_get_task_sid(tsk, &audit_sig_sid);
···
2384
* in audit_context */
2385
if (!ctx->target_pid) {
2386
ctx->target_pid = t->tgid;
2387
selinux_get_task_sid(t, &ctx->target_sid);
2388
return 0;
2389
}
2390
···
2405
BUG_ON(axp->pid_count >= AUDIT_AUX_PIDS);
2406
2407
axp->target_pid[axp->pid_count] = t->tgid;
2408
selinux_get_task_sid(t, &axp->target_sid[axp->pid_count]);
2409
axp->pid_count++;
2410
2411
return 0;
···
2426
{
2427
struct audit_buffer *ab;
2428
u32 sid;
2429
2430
if (!audit_enabled)
2431
return;
···
2436
return;
2437
2438
ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
2439
-
audit_log_format(ab, "auid=%u uid=%u gid=%u",
2440
-
audit_get_loginuid(current->audit_context),
2441
-
current->uid, current->gid);
2442
selinux_get_task_sid(current, &sid);
2443
if (sid) {
2444
char *ctx = NULL;
···
70
#include "audit.h"
71
72
extern struct list_head audit_filter_list[];
73
+
extern int audit_ever_enabled;
74
75
/* AUDIT_NAMES is the number of slots we reserve in the audit_context
76
* for saving names from getname(). */
···
77
78
/* Indicates that audit should log the full pathname. */
79
#define AUDIT_NAME_FULL -1
80
+
81
+
/* no execve audit message should be longer than this (userspace limits) */
82
+
#define MAX_EXECVE_AUDIT_LEN 7500
83
84
/* number of audit rules */
85
int audit_n_rules;
···
176
struct audit_aux_data_pids {
177
struct audit_aux_data d;
178
pid_t target_pid[AUDIT_AUX_PIDS];
179
+
uid_t target_auid[AUDIT_AUX_PIDS];
180
+
uid_t target_uid[AUDIT_AUX_PIDS];
181
+
unsigned int target_sessionid[AUDIT_AUX_PIDS];
182
u32 target_sid[AUDIT_AUX_PIDS];
183
+
char target_comm[AUDIT_AUX_PIDS][TASK_COMM_LEN];
184
int pid_count;
185
};
186
···
192
enum audit_state state;
193
unsigned int serial; /* serial number for record */
194
struct timespec ctime; /* time of syscall entry */
195
int major; /* syscall number */
196
unsigned long argv[4]; /* syscall arguments */
197
int return_valid; /* return code is valid */
···
215
int arch;
216
217
pid_t target_pid;
218
+
uid_t target_auid;
219
+
uid_t target_uid;
220
+
unsigned int target_sessionid;
221
u32 target_sid;
222
+
char target_comm[TASK_COMM_LEN];
223
224
struct audit_tree_refs *trees, *first_trees;
225
int tree_count;
···
506
case AUDIT_LOGINUID:
507
result = 0;
508
if (ctx)
509
+
result = audit_comparator(tsk->loginuid, f->op, f->val);
510
break;
511
case AUDIT_SUBJ_USER:
512
case AUDIT_SUBJ_ROLE:
···
702
if (likely(!context))
703
return NULL;
704
context->return_valid = return_valid;
705
+
706
+
/*
707
+
* we need to fix up the return code in the audit logs if the actual
708
+
* return codes are later going to be fixed up by the arch specific
709
+
* signal handlers
710
+
*
711
+
* This is actually a test for:
712
+
* (rc == ERESTARTSYS ) || (rc == ERESTARTNOINTR) ||
713
+
* (rc == ERESTARTNOHAND) || (rc == ERESTART_RESTARTBLOCK)
714
+
*
715
+
* but is faster than a bunch of ||
716
+
*/
717
+
if (unlikely(return_code <= -ERESTARTSYS) &&
718
+
(return_code >= -ERESTART_RESTARTBLOCK) &&
719
+
(return_code != -ENOIOCTLCMD))
720
+
context->return_code = -EINTR;
721
+
else
722
+
context->return_code = return_code;
723
724
if (context->in_syscall && !context->dummy && !context->auditable) {
725
enum audit_state state;
···
783
static inline void audit_zero_context(struct audit_context *context,
784
enum audit_state state)
785
{
786
memset(context, 0, sizeof(*context));
787
context->state = state;
788
}
789
790
static inline struct audit_context *audit_alloc_context(enum audit_state state)
···
814
struct audit_context *context;
815
enum audit_state state;
816
817
+
if (likely(!audit_ever_enabled))
818
return 0; /* Return if not auditing. */
819
820
state = audit_filter_task(tsk);
···
825
audit_log_lost("out of memory in audit_alloc");
826
return -ENOMEM;
827
}
828
829
tsk->audit_context = context;
830
set_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT);
···
922
}
923
924
static int audit_log_pid_context(struct audit_context *context, pid_t pid,
925
+
uid_t auid, uid_t uid, unsigned int sessionid,
926
+
u32 sid, char *comm)
927
{
928
struct audit_buffer *ab;
929
char *s = NULL;
···
931
932
ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID);
933
if (!ab)
934
+
return rc;
935
936
+
audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid, auid,
937
+
uid, sessionid);
938
if (selinux_sid_to_string(sid, &s, &len)) {
939
+
audit_log_format(ab, " obj=(none)");
940
rc = 1;
941
} else
942
+
audit_log_format(ab, " obj=%s", s);
943
+
audit_log_format(ab, " ocomm=");
944
+
audit_log_untrustedstring(ab, comm);
945
audit_log_end(ab);
946
kfree(s);
947
948
return rc;
949
}
950
951
+
/*
952
+
* to_send and len_sent accounting are very loose estimates. We aren't
953
+
* really worried about a hard cap to MAX_EXECVE_AUDIT_LEN so much as being
954
+
* within about 500 bytes (next page boundry)
955
+
*
956
+
* why snprintf? an int is up to 12 digits long. if we just assumed when
957
+
* logging that a[%d]= was going to be 16 characters long we would be wasting
958
+
* space in every audit message. In one 7500 byte message we can log up to
959
+
* about 1000 min size arguments. That comes down to about 50% waste of space
960
+
* if we didn't do the snprintf to find out how long arg_num_len was.
961
+
*/
962
+
static int audit_log_single_execve_arg(struct audit_context *context,
963
+
struct audit_buffer **ab,
964
+
int arg_num,
965
+
size_t *len_sent,
966
+
const char __user *p,
967
+
char *buf)
968
{
969
+
char arg_num_len_buf[12];
970
+
const char __user *tmp_p = p;
971
+
/* how many digits are in arg_num? 3 is the length of a=\n */
972
+
size_t arg_num_len = snprintf(arg_num_len_buf, 12, "%d", arg_num) + 3;
973
+
size_t len, len_left, to_send;
974
+
size_t max_execve_audit_len = MAX_EXECVE_AUDIT_LEN;
975
+
unsigned int i, has_cntl = 0, too_long = 0;
976
+
int ret;
977
978
+
/* strnlen_user includes the null we don't want to send */
979
+
len_left = len = strnlen_user(p, MAX_ARG_STRLEN) - 1;
980
981
+
/*
982
+
* We just created this mm, if we can't find the strings
983
+
* we just copied into it something is _very_ wrong. Similar
984
+
* for strings that are too long, we should not have created
985
+
* any.
986
+
*/
987
+
if (unlikely((len = -1) || len > MAX_ARG_STRLEN - 1)) {
988
+
WARN_ON(1);
989
+
send_sig(SIGKILL, current, 0);
990
+
}
991
992
+
/* walk the whole argument looking for non-ascii chars */
993
+
do {
994
+
if (len_left > MAX_EXECVE_AUDIT_LEN)
995
+
to_send = MAX_EXECVE_AUDIT_LEN;
996
+
else
997
+
to_send = len_left;
998
+
ret = copy_from_user(buf, tmp_p, to_send);
999
/*
1000
* There is no reason for this copy to be short. We just
1001
* copied them here, and the mm hasn't been exposed to user-
···
986
WARN_ON(1);
987
send_sig(SIGKILL, current, 0);
988
}
989
+
buf[to_send] = '\0';
990
+
has_cntl = audit_string_contains_control(buf, to_send);
991
+
if (has_cntl) {
992
+
/*
993
+
* hex messages get logged as 2 bytes, so we can only
994
+
* send half as much in each message
995
+
*/
996
+
max_execve_audit_len = MAX_EXECVE_AUDIT_LEN / 2;
997
+
break;
998
+
}
999
+
len_left -= to_send;
1000
+
tmp_p += to_send;
1001
+
} while (len_left > 0);
1002
1003
+
len_left = len;
1004
1005
+
if (len > max_execve_audit_len)
1006
+
too_long = 1;
1007
+
1008
+
/* rewalk the argument actually logging the message */
1009
+
for (i = 0; len_left > 0; i++) {
1010
+
int room_left;
1011
+
1012
+
if (len_left > max_execve_audit_len)
1013
+
to_send = max_execve_audit_len;
1014
+
else
1015
+
to_send = len_left;
1016
+
1017
+
/* do we have space left to send this argument in this ab? */
1018
+
room_left = MAX_EXECVE_AUDIT_LEN - arg_num_len - *len_sent;
1019
+
if (has_cntl)
1020
+
room_left -= (to_send * 2);
1021
+
else
1022
+
room_left -= to_send;
1023
+
if (room_left < 0) {
1024
+
*len_sent = 0;
1025
+
audit_log_end(*ab);
1026
+
*ab = audit_log_start(context, GFP_KERNEL, AUDIT_EXECVE);
1027
+
if (!*ab)
1028
+
return 0;
1029
+
}
1030
+
1031
+
/*
1032
+
* first record needs to say how long the original string was
1033
+
* so we can be sure nothing was lost.
1034
+
*/
1035
+
if ((i == 0) && (too_long))
1036
+
audit_log_format(*ab, "a%d_len=%ld ", arg_num,
1037
+
has_cntl ? 2*len : len);
1038
+
1039
+
/*
1040
+
* normally arguments are small enough to fit and we already
1041
+
* filled buf above when we checked for control characters
1042
+
* so don't bother with another copy_from_user
1043
+
*/
1044
+
if (len >= max_execve_audit_len)
1045
+
ret = copy_from_user(buf, p, to_send);
1046
+
else
1047
+
ret = 0;
1048
+
if (ret) {
1049
+
WARN_ON(1);
1050
+
send_sig(SIGKILL, current, 0);
1051
+
}
1052
+
buf[to_send] = '\0';
1053
+
1054
+
/* actually log it */
1055
+
audit_log_format(*ab, "a%d", arg_num);
1056
+
if (too_long)
1057
+
audit_log_format(*ab, "[%d]", i);
1058
+
audit_log_format(*ab, "=");
1059
+
if (has_cntl)
1060
+
audit_log_hex(*ab, buf, to_send);
1061
+
else
1062
+
audit_log_format(*ab, "\"%s\"", buf);
1063
+
audit_log_format(*ab, "\n");
1064
+
1065
+
p += to_send;
1066
+
len_left -= to_send;
1067
+
*len_sent += arg_num_len;
1068
+
if (has_cntl)
1069
+
*len_sent += to_send * 2;
1070
+
else
1071
+
*len_sent += to_send;
1072
}
1073
+
/* include the null we didn't log */
1074
+
return len + 1;
1075
+
}
1076
+
1077
+
static void audit_log_execve_info(struct audit_context *context,
1078
+
struct audit_buffer **ab,
1079
+
struct audit_aux_data_execve *axi)
1080
+
{
1081
+
int i;
1082
+
size_t len, len_sent = 0;
1083
+
const char __user *p;
1084
+
char *buf;
1085
+
1086
+
if (axi->mm != current->mm)
1087
+
return; /* execve failed, no additional info */
1088
+
1089
+
p = (const char __user *)axi->mm->arg_start;
1090
+
1091
+
audit_log_format(*ab, "argc=%d ", axi->argc);
1092
+
1093
+
/*
1094
+
* we need some kernel buffer to hold the userspace args. Just
1095
+
* allocate one big one rather than allocating one of the right size
1096
+
* for every single argument inside audit_log_single_execve_arg()
1097
+
* should be <8k allocation so should be pretty safe.
1098
+
*/
1099
+
buf = kmalloc(MAX_EXECVE_AUDIT_LEN + 1, GFP_KERNEL);
1100
+
if (!buf) {
1101
+
audit_panic("out of memory for argv string\n");
1102
+
return;
1103
+
}
1104
+
1105
+
for (i = 0; i < axi->argc; i++) {
1106
+
len = audit_log_single_execve_arg(context, ab, i,
1107
+
&len_sent, p, buf);
1108
+
if (len <= 0)
1109
+
break;
1110
+
p += len;
1111
+
}
1112
+
kfree(buf);
1113
}
1114
1115
static void audit_log_exit(struct audit_context *context, struct task_struct *tsk)
···
1039
" a0=%lx a1=%lx a2=%lx a3=%lx items=%d"
1040
" ppid=%d pid=%d auid=%u uid=%u gid=%u"
1041
" euid=%u suid=%u fsuid=%u"
1042
+
" egid=%u sgid=%u fsgid=%u tty=%s ses=%u",
1043
context->argv[0],
1044
context->argv[1],
1045
context->argv[2],
···
1047
context->name_count,
1048
context->ppid,
1049
context->pid,
1050
+
tsk->loginuid,
1051
context->uid,
1052
context->gid,
1053
context->euid, context->suid, context->fsuid,
1054
+
context->egid, context->sgid, context->fsgid, tty,
1055
+
tsk->sessionid);
1056
1057
mutex_unlock(&tty_mutex);
1058
···
1135
1136
case AUDIT_EXECVE: {
1137
struct audit_aux_data_execve *axi = (void *)aux;
1138
+
audit_log_execve_info(context, &ab, axi);
1139
break; }
1140
1141
case AUDIT_SOCKETCALL: {
···
1168
1169
for (i = 0; i < axs->pid_count; i++)
1170
if (audit_log_pid_context(context, axs->target_pid[i],
1171
+
axs->target_auid[i],
1172
+
axs->target_uid[i],
1173
+
axs->target_sessionid[i],
1174
+
axs->target_sid[i],
1175
+
axs->target_comm[i]))
1176
call_panic = 1;
1177
}
1178
1179
if (context->target_pid &&
1180
audit_log_pid_context(context, context->target_pid,
1181
+
context->target_auid, context->target_uid,
1182
+
context->target_sessionid,
1183
+
context->target_sid, context->target_comm))
1184
call_panic = 1;
1185
1186
if (context->pwd && context->pwdmnt) {
···
1242
1243
audit_log_end(ab);
1244
}
1245
+
1246
+
/* Send end of event record to help user space know we are finished */
1247
+
ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE);
1248
+
if (ab)
1249
+
audit_log_end(ab);
1250
if (call_panic)
1251
audit_panic("error converting sid to string");
1252
}
···
1766
ctx->auditable = 1;
1767
}
1768
1769
+
/* global counter which is incremented every time something logs in */
1770
+
static atomic_t session_id = ATOMIC_INIT(0);
1771
+
1772
/**
1773
* audit_set_loginuid - set a task's audit_context loginuid
1774
* @task: task whose audit context is being modified
···
1777
*/
1778
int audit_set_loginuid(struct task_struct *task, uid_t loginuid)
1779
{
1780
+
unsigned int sessionid = atomic_inc_return(&session_id);
1781
struct audit_context *context = task->audit_context;
1782
1783
+
if (context && context->in_syscall) {
1784
+
struct audit_buffer *ab;
1785
1786
+
ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN);
1787
+
if (ab) {
1788
+
audit_log_format(ab, "login pid=%d uid=%u "
1789
+
"old auid=%u new auid=%u"
1790
+
" old ses=%u new ses=%u",
1791
+
task->pid, task->uid,
1792
+
task->loginuid, loginuid,
1793
+
task->sessionid, sessionid);
1794
+
audit_log_end(ab);
1795
}
1796
}
1797
+
task->sessionid = sessionid;
1798
+
task->loginuid = loginuid;
1799
return 0;
1800
}
1801
1802
/**
1803
* __audit_mq_open - record audit data for a POSIX MQ open
···
2070
return 0;
2071
}
2072
2073
int audit_bprm(struct linux_binprm *bprm)
2074
{
2075
struct audit_aux_data_execve *ax;
···
2079
2080
if (likely(!audit_enabled || !context || context->dummy))
2081
return 0;
2082
2083
ax = kmalloc(sizeof(*ax), GFP_KERNEL);
2084
if (!ax)
···
2193
struct audit_context *context = current->audit_context;
2194
2195
context->target_pid = t->pid;
2196
+
context->target_auid = audit_get_loginuid(t);
2197
+
context->target_uid = t->uid;
2198
+
context->target_sessionid = audit_get_sessionid(t);
2199
selinux_get_task_sid(t, &context->target_sid);
2200
+
memcpy(context->target_comm, t->comm, TASK_COMM_LEN);
2201
}
2202
2203
/**
···
2216
if (audit_pid && t->tgid == audit_pid) {
2217
if (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1) {
2218
audit_sig_pid = tsk->pid;
2219
+
if (tsk->loginuid != -1)
2220
+
audit_sig_uid = tsk->loginuid;
2221
else
2222
audit_sig_uid = tsk->uid;
2223
selinux_get_task_sid(tsk, &audit_sig_sid);
···
2230
* in audit_context */
2231
if (!ctx->target_pid) {
2232
ctx->target_pid = t->tgid;
2233
+
ctx->target_auid = audit_get_loginuid(t);
2234
+
ctx->target_uid = t->uid;
2235
+
ctx->target_sessionid = audit_get_sessionid(t);
2236
selinux_get_task_sid(t, &ctx->target_sid);
2237
+
memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN);
2238
return 0;
2239
}
2240
···
2247
BUG_ON(axp->pid_count >= AUDIT_AUX_PIDS);
2248
2249
axp->target_pid[axp->pid_count] = t->tgid;
2250
+
axp->target_auid[axp->pid_count] = audit_get_loginuid(t);
2251
+
axp->target_uid[axp->pid_count] = t->uid;
2252
+
axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t);
2253
selinux_get_task_sid(t, &axp->target_sid[axp->pid_count]);
2254
+
memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN);
2255
axp->pid_count++;
2256
2257
return 0;
···
2264
{
2265
struct audit_buffer *ab;
2266
u32 sid;
2267
+
uid_t auid = audit_get_loginuid(current);
2268
+
unsigned int sessionid = audit_get_sessionid(current);
2269
2270
if (!audit_enabled)
2271
return;
···
2272
return;
2273
2274
ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
2275
+
audit_log_format(ab, "auid=%u uid=%u gid=%u ses=%u",
2276
+
auid, current->uid, current->gid, sessionid);
2277
selinux_get_task_sid(current, &sid);
2278
if (sid) {
2279
char *ctx = NULL;
-11
kernel/sysctl.c
-11
kernel/sysctl.c
···
81
extern int compat_log;
82
extern int maps_protect;
83
extern int sysctl_stat_interval;
84
-
extern int audit_argv_kb;
85
extern int latencytop_enabled;
86
87
/* Constants used for minimum and maximum */
···
389
.mode = 0644,
390
.proc_handler = &proc_dointvec,
391
},
392
-
#ifdef CONFIG_AUDITSYSCALL
393
-
{
394
-
.ctl_name = CTL_UNNUMBERED,
395
-
.procname = "audit_argv_kb",
396
-
.data = &audit_argv_kb,
397
-
.maxlen = sizeof(int),
398
-
.mode = 0644,
399
-
.proc_handler = &proc_dointvec,
400
-
},
401
-
#endif
402
{
403
.ctl_name = KERN_CORE_PATTERN,
404
.procname = "core_pattern",
···
81
extern int compat_log;
82
extern int maps_protect;
83
extern int sysctl_stat_interval;
84
extern int latencytop_enabled;
85
86
/* Constants used for minimum and maximum */
···
390
.mode = 0644,
391
.proc_handler = &proc_dointvec,
392
},
393
{
394
.ctl_name = KERN_CORE_PATTERN,
395
.procname = "core_pattern",
+9
-6
net/core/dev.c
+9
-6
net/core/dev.c
···
2752
printk(KERN_INFO "device %s %s promiscuous mode\n",
2753
dev->name, (dev->flags & IFF_PROMISC) ? "entered" :
2754
"left");
2755
-
audit_log(current->audit_context, GFP_ATOMIC,
2756
-
AUDIT_ANOM_PROMISCUOUS,
2757
-
"dev=%s prom=%d old_prom=%d auid=%u",
2758
-
dev->name, (dev->flags & IFF_PROMISC),
2759
-
(old_flags & IFF_PROMISC),
2760
-
audit_get_loginuid(current->audit_context));
2761
2762
if (dev->change_rx_flags)
2763
dev->change_rx_flags(dev, IFF_PROMISC);
···
2752
printk(KERN_INFO "device %s %s promiscuous mode\n",
2753
dev->name, (dev->flags & IFF_PROMISC) ? "entered" :
2754
"left");
2755
+
if (audit_enabled)
2756
+
audit_log(current->audit_context, GFP_ATOMIC,
2757
+
AUDIT_ANOM_PROMISCUOUS,
2758
+
"dev=%s prom=%d old_prom=%d auid=%u uid=%u gid=%u ses=%u",
2759
+
dev->name, (dev->flags & IFF_PROMISC),
2760
+
(old_flags & IFF_PROMISC),
2761
+
audit_get_loginuid(current),
2762
+
current->uid, current->gid,
2763
+
audit_get_sessionid(current));
2764
2765
if (dev->change_rx_flags)
2766
dev->change_rx_flags(dev, IFF_PROMISC);
+7
-7
net/key/af_key.c
+7
-7
net/key/af_key.c
···
1466
err = xfrm_state_update(x);
1467
1468
xfrm_audit_state_add(x, err ? 0 : 1,
1469
-
audit_get_loginuid(current->audit_context), 0);
1470
1471
if (err < 0) {
1472
x->km.state = XFRM_STATE_DEAD;
···
1520
km_state_notify(x, &c);
1521
out:
1522
xfrm_audit_state_delete(x, err ? 0 : 1,
1523
-
audit_get_loginuid(current->audit_context), 0);
1524
xfrm_state_put(x);
1525
1526
return err;
···
1695
if (proto == 0)
1696
return -EINVAL;
1697
1698
-
audit_info.loginuid = audit_get_loginuid(current->audit_context);
1699
audit_info.secid = 0;
1700
err = xfrm_state_flush(proto, &audit_info);
1701
if (err)
···
2273
hdr->sadb_msg_type != SADB_X_SPDUPDATE);
2274
2275
xfrm_audit_policy_add(xp, err ? 0 : 1,
2276
-
audit_get_loginuid(current->audit_context), 0);
2277
2278
if (err)
2279
goto out;
···
2356
return -ENOENT;
2357
2358
xfrm_audit_policy_delete(xp, err ? 0 : 1,
2359
-
audit_get_loginuid(current->audit_context), 0);
2360
2361
if (err)
2362
goto out;
···
2617
2618
if (delete) {
2619
xfrm_audit_policy_delete(xp, err ? 0 : 1,
2620
-
audit_get_loginuid(current->audit_context), 0);
2621
2622
if (err)
2623
goto out;
···
2694
struct xfrm_audit audit_info;
2695
int err;
2696
2697
-
audit_info.loginuid = audit_get_loginuid(current->audit_context);
2698
audit_info.secid = 0;
2699
err = xfrm_policy_flush(XFRM_POLICY_TYPE_MAIN, &audit_info);
2700
if (err)
···
1466
err = xfrm_state_update(x);
1467
1468
xfrm_audit_state_add(x, err ? 0 : 1,
1469
+
audit_get_loginuid(current), 0);
1470
1471
if (err < 0) {
1472
x->km.state = XFRM_STATE_DEAD;
···
1520
km_state_notify(x, &c);
1521
out:
1522
xfrm_audit_state_delete(x, err ? 0 : 1,
1523
+
audit_get_loginuid(current), 0);
1524
xfrm_state_put(x);
1525
1526
return err;
···
1695
if (proto == 0)
1696
return -EINVAL;
1697
1698
+
audit_info.loginuid = audit_get_loginuid(current);
1699
audit_info.secid = 0;
1700
err = xfrm_state_flush(proto, &audit_info);
1701
if (err)
···
2273
hdr->sadb_msg_type != SADB_X_SPDUPDATE);
2274
2275
xfrm_audit_policy_add(xp, err ? 0 : 1,
2276
+
audit_get_loginuid(current), 0);
2277
2278
if (err)
2279
goto out;
···
2356
return -ENOENT;
2357
2358
xfrm_audit_policy_delete(xp, err ? 0 : 1,
2359
+
audit_get_loginuid(current), 0);
2360
2361
if (err)
2362
goto out;
···
2617
2618
if (delete) {
2619
xfrm_audit_policy_delete(xp, err ? 0 : 1,
2620
+
audit_get_loginuid(current), 0);
2621
2622
if (err)
2623
goto out;
···
2694
struct xfrm_audit audit_info;
2695
int err;
2696
2697
+
audit_info.loginuid = audit_get_loginuid(current);
2698
audit_info.secid = 0;
2699
err = xfrm_policy_flush(XFRM_POLICY_TYPE_MAIN, &audit_info);
2700
if (err)
+1
-1
net/netlink/af_netlink.c
+1
-1
net/netlink/af_netlink.c
···
1238
1239
NETLINK_CB(skb).pid = nlk->pid;
1240
NETLINK_CB(skb).dst_group = dst_group;
1241
-
NETLINK_CB(skb).loginuid = audit_get_loginuid(current->audit_context);
1242
selinux_get_task_sid(current, &(NETLINK_CB(skb).sid));
1243
memcpy(NETLINK_CREDS(skb), &siocb->scm->creds, sizeof(struct ucred));
1244
+1
-1
net/xfrm/xfrm_state.c
+1
-1
net/xfrm/xfrm_state.c
+10
-7
security/selinux/selinuxfs.c
+10
-7
security/selinux/selinuxfs.c
···
172
if (length)
173
goto out;
174
audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS,
175
-
"enforcing=%d old_enforcing=%d auid=%u", new_value,
176
-
selinux_enforcing,
177
-
audit_get_loginuid(current->audit_context));
178
selinux_enforcing = new_value;
179
if (selinux_enforcing)
180
avc_ss_reset(0);
···
244
if (length < 0)
245
goto out;
246
audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS,
247
-
"selinux=0 auid=%u",
248
-
audit_get_loginuid(current->audit_context));
249
}
250
251
length = count;
···
358
(security_get_allow_unknown() ? "allow" : "deny")));
359
360
audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_POLICY_LOAD,
361
-
"policy loaded auid=%u",
362
-
audit_get_loginuid(current->audit_context));
363
out:
364
mutex_unlock(&sel_mutex);
365
vfree(data);
···
172
if (length)
173
goto out;
174
audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS,
175
+
"enforcing=%d old_enforcing=%d auid=%u ses=%u",
176
+
new_value, selinux_enforcing,
177
+
audit_get_loginuid(current),
178
+
audit_get_sessionid(current));
179
selinux_enforcing = new_value;
180
if (selinux_enforcing)
181
avc_ss_reset(0);
···
243
if (length < 0)
244
goto out;
245
audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS,
246
+
"selinux=0 auid=%u ses=%u",
247
+
audit_get_loginuid(current),
248
+
audit_get_sessionid(current));
249
}
250
251
length = count;
···
356
(security_get_allow_unknown() ? "allow" : "deny")));
357
358
audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_POLICY_LOAD,
359
+
"policy loaded auid=%u ses=%u",
360
+
audit_get_loginuid(current),
361
+
audit_get_sessionid(current));
362
out:
363
mutex_unlock(&sel_mutex);
364
vfree(data);
+3
-2
security/selinux/ss/services.c
+3
-2
security/selinux/ss/services.c
···
1905
if (!!values[i] != policydb.bool_val_to_struct[i]->state) {
1906
audit_log(current->audit_context, GFP_ATOMIC,
1907
AUDIT_MAC_CONFIG_CHANGE,
1908
-
"bool=%s val=%d old_val=%d auid=%u",
1909
policydb.p_bool_val_to_name[i],
1910
!!values[i],
1911
policydb.bool_val_to_struct[i]->state,
1912
-
audit_get_loginuid(current->audit_context));
1913
}
1914
if (values[i]) {
1915
policydb.bool_val_to_struct[i]->state = 1;
···
1905
if (!!values[i] != policydb.bool_val_to_struct[i]->state) {
1906
audit_log(current->audit_context, GFP_ATOMIC,
1907
AUDIT_MAC_CONFIG_CHANGE,
1908
+
"bool=%s val=%d old_val=%d auid=%u ses=%u",
1909
policydb.p_bool_val_to_name[i],
1910
!!values[i],
1911
policydb.bool_val_to_struct[i]->state,
1912
+
audit_get_loginuid(current),
1913
+
audit_get_sessionid(current));
1914
}
1915
if (values[i]) {
1916
policydb.bool_val_to_struct[i]->state = 1;