auditsc.c 34 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324
  1. /* auditsc.c -- System-call auditing support
  2. * Handles all system-call specific auditing features.
  3. *
  4. * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina.
  5. * Copyright 2005 Hewlett-Packard Development Company, L.P.
  6. * Copyright (C) 2005 IBM Corporation
  7. * All Rights Reserved.
  8. *
  9. * This program is free software; you can redistribute it and/or modify
  10. * it under the terms of the GNU General Public License as published by
  11. * the Free Software Foundation; either version 2 of the License, or
  12. * (at your option) any later version.
  13. *
  14. * This program is distributed in the hope that it will be useful,
  15. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  16. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  17. * GNU General Public License for more details.
  18. *
  19. * You should have received a copy of the GNU General Public License
  20. * along with this program; if not, write to the Free Software
  21. * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
  22. *
  23. * Written by Rickard E. (Rik) Faith <faith@redhat.com>
  24. *
  25. * Many of the ideas implemented here are from Stephen C. Tweedie,
  26. * especially the idea of avoiding a copy by using getname.
  27. *
  28. * The method for actual interception of syscall entry and exit (not in
  29. * this file -- see entry.S) is based on a GPL'd patch written by
  30. * okir@suse.de and Copyright 2003 SuSE Linux AG.
  31. *
  32. * The support of additional filter rules compares (>, <, >=, <=) was
  33. * added by Dustin Kirkland <dustin.kirkland@us.ibm.com>, 2005.
  34. *
  35. * Modified by Amy Griffis <amy.griffis@hp.com> to collect additional
  36. * filesystem information.
  37. *
  38. * Subject and object context labeling support added by <danjones@us.ibm.com>
  39. * and <dustin.kirkland@us.ibm.com> for LSPP certification compliance.
  40. */
  41. #include <linux/init.h>
  42. #include <asm/types.h>
  43. #include <asm/atomic.h>
  44. #include <asm/types.h>
  45. #include <linux/fs.h>
  46. #include <linux/namei.h>
  47. #include <linux/mm.h>
  48. #include <linux/module.h>
  49. #include <linux/mount.h>
  50. #include <linux/socket.h>
  51. #include <linux/audit.h>
  52. #include <linux/personality.h>
  53. #include <linux/time.h>
  54. #include <linux/netlink.h>
  55. #include <linux/compiler.h>
  56. #include <asm/unistd.h>
  57. #include <linux/security.h>
  58. #include <linux/list.h>
  59. #include "audit.h"
  60. extern struct list_head audit_filter_list[];
  61. /* No syscall auditing will take place unless audit_enabled != 0. */
  62. extern int audit_enabled;
  63. /* AUDIT_NAMES is the number of slots we reserve in the audit_context
  64. * for saving names from getname(). */
  65. #define AUDIT_NAMES 20
  66. /* AUDIT_NAMES_RESERVED is the number of slots we reserve in the
  67. * audit_context from being used for nameless inodes from
  68. * path_lookup. */
  69. #define AUDIT_NAMES_RESERVED 7
  70. /* When fs/namei.c:getname() is called, we store the pointer in name and
  71. * we don't let putname() free it (instead we free all of the saved
  72. * pointers at syscall exit time).
  73. *
  74. * Further, in fs/namei.c:path_lookup() we store the inode and device. */
  75. struct audit_names {
  76. const char *name;
  77. unsigned long ino;
  78. unsigned long pino;
  79. dev_t dev;
  80. umode_t mode;
  81. uid_t uid;
  82. gid_t gid;
  83. dev_t rdev;
  84. char *ctx;
  85. };
  86. struct audit_aux_data {
  87. struct audit_aux_data *next;
  88. int type;
  89. };
  90. #define AUDIT_AUX_IPCPERM 0
  91. struct audit_aux_data_ipcctl {
  92. struct audit_aux_data d;
  93. struct ipc_perm p;
  94. unsigned long qbytes;
  95. uid_t uid;
  96. gid_t gid;
  97. mode_t mode;
  98. char *ctx;
  99. };
  100. struct audit_aux_data_socketcall {
  101. struct audit_aux_data d;
  102. int nargs;
  103. unsigned long args[0];
  104. };
  105. struct audit_aux_data_sockaddr {
  106. struct audit_aux_data d;
  107. int len;
  108. char a[0];
  109. };
  110. struct audit_aux_data_path {
  111. struct audit_aux_data d;
  112. struct dentry *dentry;
  113. struct vfsmount *mnt;
  114. };
  115. /* The per-task audit context. */
  116. struct audit_context {
  117. int in_syscall; /* 1 if task is in a syscall */
  118. enum audit_state state;
  119. unsigned int serial; /* serial number for record */
  120. struct timespec ctime; /* time of syscall entry */
  121. uid_t loginuid; /* login uid (identity) */
  122. int major; /* syscall number */
  123. unsigned long argv[4]; /* syscall arguments */
  124. int return_valid; /* return code is valid */
  125. long return_code;/* syscall return code */
  126. int auditable; /* 1 if record should be written */
  127. int name_count;
  128. struct audit_names names[AUDIT_NAMES];
  129. struct dentry * pwd;
  130. struct vfsmount * pwdmnt;
  131. struct audit_context *previous; /* For nested syscalls */
  132. struct audit_aux_data *aux;
  133. /* Save things to print about task_struct */
  134. pid_t pid;
  135. uid_t uid, euid, suid, fsuid;
  136. gid_t gid, egid, sgid, fsgid;
  137. unsigned long personality;
  138. int arch;
  139. #if AUDIT_DEBUG
  140. int put_count;
  141. int ino_count;
  142. #endif
  143. };
  144. /* Compare a task_struct with an audit_rule. Return 1 on match, 0
  145. * otherwise. */
  146. static int audit_filter_rules(struct task_struct *tsk,
  147. struct audit_rule *rule,
  148. struct audit_context *ctx,
  149. enum audit_state *state)
  150. {
  151. int i, j;
  152. for (i = 0; i < rule->field_count; i++) {
  153. u32 field = rule->fields[i] & ~AUDIT_OPERATORS;
  154. u32 op = rule->fields[i] & AUDIT_OPERATORS;
  155. u32 value = rule->values[i];
  156. int result = 0;
  157. switch (field) {
  158. case AUDIT_PID:
  159. result = audit_comparator(tsk->pid, op, value);
  160. break;
  161. case AUDIT_UID:
  162. result = audit_comparator(tsk->uid, op, value);
  163. break;
  164. case AUDIT_EUID:
  165. result = audit_comparator(tsk->euid, op, value);
  166. break;
  167. case AUDIT_SUID:
  168. result = audit_comparator(tsk->suid, op, value);
  169. break;
  170. case AUDIT_FSUID:
  171. result = audit_comparator(tsk->fsuid, op, value);
  172. break;
  173. case AUDIT_GID:
  174. result = audit_comparator(tsk->gid, op, value);
  175. break;
  176. case AUDIT_EGID:
  177. result = audit_comparator(tsk->egid, op, value);
  178. break;
  179. case AUDIT_SGID:
  180. result = audit_comparator(tsk->sgid, op, value);
  181. break;
  182. case AUDIT_FSGID:
  183. result = audit_comparator(tsk->fsgid, op, value);
  184. break;
  185. case AUDIT_PERS:
  186. result = audit_comparator(tsk->personality, op, value);
  187. break;
  188. case AUDIT_ARCH:
  189. if (ctx)
  190. result = audit_comparator(ctx->arch, op, value);
  191. break;
  192. case AUDIT_EXIT:
  193. if (ctx && ctx->return_valid)
  194. result = audit_comparator(ctx->return_code, op, value);
  195. break;
  196. case AUDIT_SUCCESS:
  197. if (ctx && ctx->return_valid) {
  198. if (value)
  199. result = audit_comparator(ctx->return_valid, op, AUDITSC_SUCCESS);
  200. else
  201. result = audit_comparator(ctx->return_valid, op, AUDITSC_FAILURE);
  202. }
  203. break;
  204. case AUDIT_DEVMAJOR:
  205. if (ctx) {
  206. for (j = 0; j < ctx->name_count; j++) {
  207. if (audit_comparator(MAJOR(ctx->names[j].dev), op, value)) {
  208. ++result;
  209. break;
  210. }
  211. }
  212. }
  213. break;
  214. case AUDIT_DEVMINOR:
  215. if (ctx) {
  216. for (j = 0; j < ctx->name_count; j++) {
  217. if (audit_comparator(MINOR(ctx->names[j].dev), op, value)) {
  218. ++result;
  219. break;
  220. }
  221. }
  222. }
  223. break;
  224. case AUDIT_INODE:
  225. if (ctx) {
  226. for (j = 0; j < ctx->name_count; j++) {
  227. if (audit_comparator(ctx->names[j].ino, op, value) ||
  228. audit_comparator(ctx->names[j].pino, op, value)) {
  229. ++result;
  230. break;
  231. }
  232. }
  233. }
  234. break;
  235. case AUDIT_LOGINUID:
  236. result = 0;
  237. if (ctx)
  238. result = audit_comparator(ctx->loginuid, op, value);
  239. break;
  240. case AUDIT_ARG0:
  241. case AUDIT_ARG1:
  242. case AUDIT_ARG2:
  243. case AUDIT_ARG3:
  244. if (ctx)
  245. result = audit_comparator(ctx->argv[field-AUDIT_ARG0], op, value);
  246. break;
  247. }
  248. if (!result)
  249. return 0;
  250. }
  251. switch (rule->action) {
  252. case AUDIT_NEVER: *state = AUDIT_DISABLED; break;
  253. case AUDIT_POSSIBLE: *state = AUDIT_BUILD_CONTEXT; break;
  254. case AUDIT_ALWAYS: *state = AUDIT_RECORD_CONTEXT; break;
  255. }
  256. return 1;
  257. }
  258. /* At process creation time, we can determine if system-call auditing is
  259. * completely disabled for this task. Since we only have the task
  260. * structure at this point, we can only check uid and gid.
  261. */
  262. static enum audit_state audit_filter_task(struct task_struct *tsk)
  263. {
  264. struct audit_entry *e;
  265. enum audit_state state;
  266. rcu_read_lock();
  267. list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TASK], list) {
  268. if (audit_filter_rules(tsk, &e->rule, NULL, &state)) {
  269. rcu_read_unlock();
  270. return state;
  271. }
  272. }
  273. rcu_read_unlock();
  274. return AUDIT_BUILD_CONTEXT;
  275. }
  276. /* At syscall entry and exit time, this filter is called if the
  277. * audit_state is not low enough that auditing cannot take place, but is
  278. * also not high enough that we already know we have to write an audit
  279. * record (i.e., the state is AUDIT_SETUP_CONTEXT or AUDIT_BUILD_CONTEXT).
  280. */
  281. static enum audit_state audit_filter_syscall(struct task_struct *tsk,
  282. struct audit_context *ctx,
  283. struct list_head *list)
  284. {
  285. struct audit_entry *e;
  286. enum audit_state state;
  287. if (audit_pid && tsk->tgid == audit_pid)
  288. return AUDIT_DISABLED;
  289. rcu_read_lock();
  290. if (!list_empty(list)) {
  291. int word = AUDIT_WORD(ctx->major);
  292. int bit = AUDIT_BIT(ctx->major);
  293. list_for_each_entry_rcu(e, list, list) {
  294. if ((e->rule.mask[word] & bit) == bit
  295. && audit_filter_rules(tsk, &e->rule, ctx, &state)) {
  296. rcu_read_unlock();
  297. return state;
  298. }
  299. }
  300. }
  301. rcu_read_unlock();
  302. return AUDIT_BUILD_CONTEXT;
  303. }
  304. /* This should be called with task_lock() held. */
  305. static inline struct audit_context *audit_get_context(struct task_struct *tsk,
  306. int return_valid,
  307. int return_code)
  308. {
  309. struct audit_context *context = tsk->audit_context;
  310. if (likely(!context))
  311. return NULL;
  312. context->return_valid = return_valid;
  313. context->return_code = return_code;
  314. if (context->in_syscall && !context->auditable) {
  315. enum audit_state state;
  316. state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_EXIT]);
  317. if (state == AUDIT_RECORD_CONTEXT)
  318. context->auditable = 1;
  319. }
  320. context->pid = tsk->pid;
  321. context->uid = tsk->uid;
  322. context->gid = tsk->gid;
  323. context->euid = tsk->euid;
  324. context->suid = tsk->suid;
  325. context->fsuid = tsk->fsuid;
  326. context->egid = tsk->egid;
  327. context->sgid = tsk->sgid;
  328. context->fsgid = tsk->fsgid;
  329. context->personality = tsk->personality;
  330. tsk->audit_context = NULL;
  331. return context;
  332. }
  333. static inline void audit_free_names(struct audit_context *context)
  334. {
  335. int i;
  336. #if AUDIT_DEBUG == 2
  337. if (context->auditable
  338. ||context->put_count + context->ino_count != context->name_count) {
  339. printk(KERN_ERR "%s:%d(:%d): major=%d in_syscall=%d"
  340. " name_count=%d put_count=%d"
  341. " ino_count=%d [NOT freeing]\n",
  342. __FILE__, __LINE__,
  343. context->serial, context->major, context->in_syscall,
  344. context->name_count, context->put_count,
  345. context->ino_count);
  346. for (i = 0; i < context->name_count; i++) {
  347. printk(KERN_ERR "names[%d] = %p = %s\n", i,
  348. context->names[i].name,
  349. context->names[i].name ?: "(null)");
  350. }
  351. dump_stack();
  352. return;
  353. }
  354. #endif
  355. #if AUDIT_DEBUG
  356. context->put_count = 0;
  357. context->ino_count = 0;
  358. #endif
  359. for (i = 0; i < context->name_count; i++) {
  360. char *p = context->names[i].ctx;
  361. context->names[i].ctx = NULL;
  362. kfree(p);
  363. if (context->names[i].name)
  364. __putname(context->names[i].name);
  365. }
  366. context->name_count = 0;
  367. if (context->pwd)
  368. dput(context->pwd);
  369. if (context->pwdmnt)
  370. mntput(context->pwdmnt);
  371. context->pwd = NULL;
  372. context->pwdmnt = NULL;
  373. }
  374. static inline void audit_free_aux(struct audit_context *context)
  375. {
  376. struct audit_aux_data *aux;
  377. while ((aux = context->aux)) {
  378. if (aux->type == AUDIT_AVC_PATH) {
  379. struct audit_aux_data_path *axi = (void *)aux;
  380. dput(axi->dentry);
  381. mntput(axi->mnt);
  382. }
  383. if ( aux->type == AUDIT_IPC ) {
  384. struct audit_aux_data_ipcctl *axi = (void *)aux;
  385. if (axi->ctx)
  386. kfree(axi->ctx);
  387. }
  388. context->aux = aux->next;
  389. kfree(aux);
  390. }
  391. }
  392. static inline void audit_zero_context(struct audit_context *context,
  393. enum audit_state state)
  394. {
  395. uid_t loginuid = context->loginuid;
  396. memset(context, 0, sizeof(*context));
  397. context->state = state;
  398. context->loginuid = loginuid;
  399. }
  400. static inline struct audit_context *audit_alloc_context(enum audit_state state)
  401. {
  402. struct audit_context *context;
  403. if (!(context = kmalloc(sizeof(*context), GFP_KERNEL)))
  404. return NULL;
  405. audit_zero_context(context, state);
  406. return context;
  407. }
  408. /**
  409. * audit_alloc - allocate an audit context block for a task
  410. * @tsk: task
  411. *
  412. * Filter on the task information and allocate a per-task audit context
  413. * if necessary. Doing so turns on system call auditing for the
  414. * specified task. This is called from copy_process, so no lock is
  415. * needed.
  416. */
  417. int audit_alloc(struct task_struct *tsk)
  418. {
  419. struct audit_context *context;
  420. enum audit_state state;
  421. if (likely(!audit_enabled))
  422. return 0; /* Return if not auditing. */
  423. state = audit_filter_task(tsk);
  424. if (likely(state == AUDIT_DISABLED))
  425. return 0;
  426. if (!(context = audit_alloc_context(state))) {
  427. audit_log_lost("out of memory in audit_alloc");
  428. return -ENOMEM;
  429. }
  430. /* Preserve login uid */
  431. context->loginuid = -1;
  432. if (current->audit_context)
  433. context->loginuid = current->audit_context->loginuid;
  434. tsk->audit_context = context;
  435. set_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT);
  436. return 0;
  437. }
  438. static inline void audit_free_context(struct audit_context *context)
  439. {
  440. struct audit_context *previous;
  441. int count = 0;
  442. do {
  443. previous = context->previous;
  444. if (previous || (count && count < 10)) {
  445. ++count;
  446. printk(KERN_ERR "audit(:%d): major=%d name_count=%d:"
  447. " freeing multiple contexts (%d)\n",
  448. context->serial, context->major,
  449. context->name_count, count);
  450. }
  451. audit_free_names(context);
  452. audit_free_aux(context);
  453. kfree(context);
  454. context = previous;
  455. } while (context);
  456. if (count >= 10)
  457. printk(KERN_ERR "audit: freed %d contexts\n", count);
  458. }
  459. static void audit_log_task_context(struct audit_buffer *ab, gfp_t gfp_mask)
  460. {
  461. char *ctx = NULL;
  462. ssize_t len = 0;
  463. len = security_getprocattr(current, "current", NULL, 0);
  464. if (len < 0) {
  465. if (len != -EINVAL)
  466. goto error_path;
  467. return;
  468. }
  469. ctx = kmalloc(len, gfp_mask);
  470. if (!ctx)
  471. goto error_path;
  472. len = security_getprocattr(current, "current", ctx, len);
  473. if (len < 0 )
  474. goto error_path;
  475. audit_log_format(ab, " subj=%s", ctx);
  476. return;
  477. error_path:
  478. if (ctx)
  479. kfree(ctx);
  480. audit_panic("error in audit_log_task_context");
  481. return;
  482. }
  483. static void audit_log_task_info(struct audit_buffer *ab, gfp_t gfp_mask)
  484. {
  485. char name[sizeof(current->comm)];
  486. struct mm_struct *mm = current->mm;
  487. struct vm_area_struct *vma;
  488. get_task_comm(name, current);
  489. audit_log_format(ab, " comm=");
  490. audit_log_untrustedstring(ab, name);
  491. if (!mm)
  492. return;
  493. /*
  494. * this is brittle; all callers that pass GFP_ATOMIC will have
  495. * NULL current->mm and we won't get here.
  496. */
  497. down_read(&mm->mmap_sem);
  498. vma = mm->mmap;
  499. while (vma) {
  500. if ((vma->vm_flags & VM_EXECUTABLE) &&
  501. vma->vm_file) {
  502. audit_log_d_path(ab, "exe=",
  503. vma->vm_file->f_dentry,
  504. vma->vm_file->f_vfsmnt);
  505. break;
  506. }
  507. vma = vma->vm_next;
  508. }
  509. up_read(&mm->mmap_sem);
  510. audit_log_task_context(ab, gfp_mask);
  511. }
  512. static void audit_log_exit(struct audit_context *context, gfp_t gfp_mask)
  513. {
  514. int i;
  515. struct audit_buffer *ab;
  516. struct audit_aux_data *aux;
  517. ab = audit_log_start(context, gfp_mask, AUDIT_SYSCALL);
  518. if (!ab)
  519. return; /* audit_panic has been called */
  520. audit_log_format(ab, "arch=%x syscall=%d",
  521. context->arch, context->major);
  522. if (context->personality != PER_LINUX)
  523. audit_log_format(ab, " per=%lx", context->personality);
  524. if (context->return_valid)
  525. audit_log_format(ab, " success=%s exit=%ld",
  526. (context->return_valid==AUDITSC_SUCCESS)?"yes":"no",
  527. context->return_code);
  528. audit_log_format(ab,
  529. " a0=%lx a1=%lx a2=%lx a3=%lx items=%d"
  530. " pid=%d auid=%u uid=%u gid=%u"
  531. " euid=%u suid=%u fsuid=%u"
  532. " egid=%u sgid=%u fsgid=%u",
  533. context->argv[0],
  534. context->argv[1],
  535. context->argv[2],
  536. context->argv[3],
  537. context->name_count,
  538. context->pid,
  539. context->loginuid,
  540. context->uid,
  541. context->gid,
  542. context->euid, context->suid, context->fsuid,
  543. context->egid, context->sgid, context->fsgid);
  544. audit_log_task_info(ab, gfp_mask);
  545. audit_log_end(ab);
  546. for (aux = context->aux; aux; aux = aux->next) {
  547. ab = audit_log_start(context, gfp_mask, aux->type);
  548. if (!ab)
  549. continue; /* audit_panic has been called */
  550. switch (aux->type) {
  551. case AUDIT_IPC: {
  552. struct audit_aux_data_ipcctl *axi = (void *)aux;
  553. audit_log_format(ab,
  554. " qbytes=%lx iuid=%u igid=%u mode=%x obj=%s",
  555. axi->qbytes, axi->uid, axi->gid, axi->mode, axi->ctx);
  556. break; }
  557. case AUDIT_SOCKETCALL: {
  558. int i;
  559. struct audit_aux_data_socketcall *axs = (void *)aux;
  560. audit_log_format(ab, "nargs=%d", axs->nargs);
  561. for (i=0; i<axs->nargs; i++)
  562. audit_log_format(ab, " a%d=%lx", i, axs->args[i]);
  563. break; }
  564. case AUDIT_SOCKADDR: {
  565. struct audit_aux_data_sockaddr *axs = (void *)aux;
  566. audit_log_format(ab, "saddr=");
  567. audit_log_hex(ab, axs->a, axs->len);
  568. break; }
  569. case AUDIT_AVC_PATH: {
  570. struct audit_aux_data_path *axi = (void *)aux;
  571. audit_log_d_path(ab, "path=", axi->dentry, axi->mnt);
  572. break; }
  573. }
  574. audit_log_end(ab);
  575. }
  576. if (context->pwd && context->pwdmnt) {
  577. ab = audit_log_start(context, gfp_mask, AUDIT_CWD);
  578. if (ab) {
  579. audit_log_d_path(ab, "cwd=", context->pwd, context->pwdmnt);
  580. audit_log_end(ab);
  581. }
  582. }
  583. for (i = 0; i < context->name_count; i++) {
  584. unsigned long ino = context->names[i].ino;
  585. unsigned long pino = context->names[i].pino;
  586. ab = audit_log_start(context, gfp_mask, AUDIT_PATH);
  587. if (!ab)
  588. continue; /* audit_panic has been called */
  589. audit_log_format(ab, "item=%d", i);
  590. audit_log_format(ab, " name=");
  591. if (context->names[i].name)
  592. audit_log_untrustedstring(ab, context->names[i].name);
  593. else
  594. audit_log_format(ab, "(null)");
  595. if (pino != (unsigned long)-1)
  596. audit_log_format(ab, " parent=%lu", pino);
  597. if (ino != (unsigned long)-1)
  598. audit_log_format(ab, " inode=%lu", ino);
  599. if ((pino != (unsigned long)-1) || (ino != (unsigned long)-1))
  600. audit_log_format(ab, " dev=%02x:%02x mode=%#o"
  601. " ouid=%u ogid=%u rdev=%02x:%02x",
  602. MAJOR(context->names[i].dev),
  603. MINOR(context->names[i].dev),
  604. context->names[i].mode,
  605. context->names[i].uid,
  606. context->names[i].gid,
  607. MAJOR(context->names[i].rdev),
  608. MINOR(context->names[i].rdev));
  609. if (context->names[i].ctx) {
  610. audit_log_format(ab, " obj=%s",
  611. context->names[i].ctx);
  612. }
  613. audit_log_end(ab);
  614. }
  615. }
  616. /**
  617. * audit_free - free a per-task audit context
  618. * @tsk: task whose audit context block to free
  619. *
  620. * Called from copy_process and __put_task_struct.
  621. */
  622. void audit_free(struct task_struct *tsk)
  623. {
  624. struct audit_context *context;
  625. task_lock(tsk);
  626. context = audit_get_context(tsk, 0, 0);
  627. task_unlock(tsk);
  628. if (likely(!context))
  629. return;
  630. /* Check for system calls that do not go through the exit
  631. * function (e.g., exit_group), then free context block.
  632. * We use GFP_ATOMIC here because we might be doing this
  633. * in the context of the idle thread */
  634. if (context->in_syscall && context->auditable)
  635. audit_log_exit(context, GFP_ATOMIC);
  636. audit_free_context(context);
  637. }
  638. /**
  639. * audit_syscall_entry - fill in an audit record at syscall entry
  640. * @tsk: task being audited
  641. * @arch: architecture type
  642. * @major: major syscall type (function)
  643. * @a1: additional syscall register 1
  644. * @a2: additional syscall register 2
  645. * @a3: additional syscall register 3
  646. * @a4: additional syscall register 4
  647. *
  648. * Fill in audit context at syscall entry. This only happens if the
  649. * audit context was created when the task was created and the state or
  650. * filters demand the audit context be built. If the state from the
  651. * per-task filter or from the per-syscall filter is AUDIT_RECORD_CONTEXT,
  652. * then the record will be written at syscall exit time (otherwise, it
  653. * will only be written if another part of the kernel requests that it
  654. * be written).
  655. */
  656. void audit_syscall_entry(struct task_struct *tsk, int arch, int major,
  657. unsigned long a1, unsigned long a2,
  658. unsigned long a3, unsigned long a4)
  659. {
  660. struct audit_context *context = tsk->audit_context;
  661. enum audit_state state;
  662. BUG_ON(!context);
  663. /*
  664. * This happens only on certain architectures that make system
  665. * calls in kernel_thread via the entry.S interface, instead of
  666. * with direct calls. (If you are porting to a new
  667. * architecture, hitting this condition can indicate that you
  668. * got the _exit/_leave calls backward in entry.S.)
  669. *
  670. * i386 no
  671. * x86_64 no
  672. * ppc64 yes (see arch/ppc64/kernel/misc.S)
  673. *
  674. * This also happens with vm86 emulation in a non-nested manner
  675. * (entries without exits), so this case must be caught.
  676. */
  677. if (context->in_syscall) {
  678. struct audit_context *newctx;
  679. #if AUDIT_DEBUG
  680. printk(KERN_ERR
  681. "audit(:%d) pid=%d in syscall=%d;"
  682. " entering syscall=%d\n",
  683. context->serial, tsk->pid, context->major, major);
  684. #endif
  685. newctx = audit_alloc_context(context->state);
  686. if (newctx) {
  687. newctx->previous = context;
  688. context = newctx;
  689. tsk->audit_context = newctx;
  690. } else {
  691. /* If we can't alloc a new context, the best we
  692. * can do is to leak memory (any pending putname
  693. * will be lost). The only other alternative is
  694. * to abandon auditing. */
  695. audit_zero_context(context, context->state);
  696. }
  697. }
  698. BUG_ON(context->in_syscall || context->name_count);
  699. if (!audit_enabled)
  700. return;
  701. context->arch = arch;
  702. context->major = major;
  703. context->argv[0] = a1;
  704. context->argv[1] = a2;
  705. context->argv[2] = a3;
  706. context->argv[3] = a4;
  707. state = context->state;
  708. if (state == AUDIT_SETUP_CONTEXT || state == AUDIT_BUILD_CONTEXT)
  709. state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_ENTRY]);
  710. if (likely(state == AUDIT_DISABLED))
  711. return;
  712. context->serial = 0;
  713. context->ctime = CURRENT_TIME;
  714. context->in_syscall = 1;
  715. context->auditable = !!(state == AUDIT_RECORD_CONTEXT);
  716. }
  717. /**
  718. * audit_syscall_exit - deallocate audit context after a system call
  719. * @tsk: task being audited
  720. * @valid: success/failure flag
  721. * @return_code: syscall return value
  722. *
  723. * Tear down after system call. If the audit context has been marked as
  724. * auditable (either because of the AUDIT_RECORD_CONTEXT state from
  725. * filtering, or because some other part of the kernel write an audit
  726. * message), then write out the syscall information. In call cases,
  727. * free the names stored from getname().
  728. */
  729. void audit_syscall_exit(struct task_struct *tsk, int valid, long return_code)
  730. {
  731. struct audit_context *context;
  732. get_task_struct(tsk);
  733. task_lock(tsk);
  734. context = audit_get_context(tsk, valid, return_code);
  735. task_unlock(tsk);
  736. /* Not having a context here is ok, since the parent may have
  737. * called __put_task_struct. */
  738. if (likely(!context))
  739. goto out;
  740. if (context->in_syscall && context->auditable)
  741. audit_log_exit(context, GFP_KERNEL);
  742. context->in_syscall = 0;
  743. context->auditable = 0;
  744. if (context->previous) {
  745. struct audit_context *new_context = context->previous;
  746. context->previous = NULL;
  747. audit_free_context(context);
  748. tsk->audit_context = new_context;
  749. } else {
  750. audit_free_names(context);
  751. audit_free_aux(context);
  752. tsk->audit_context = context;
  753. }
  754. out:
  755. put_task_struct(tsk);
  756. }
  757. /**
  758. * audit_getname - add a name to the list
  759. * @name: name to add
  760. *
  761. * Add a name to the list of audit names for this context.
  762. * Called from fs/namei.c:getname().
  763. */
  764. void audit_getname(const char *name)
  765. {
  766. struct audit_context *context = current->audit_context;
  767. if (!context || IS_ERR(name) || !name)
  768. return;
  769. if (!context->in_syscall) {
  770. #if AUDIT_DEBUG == 2
  771. printk(KERN_ERR "%s:%d(:%d): ignoring getname(%p)\n",
  772. __FILE__, __LINE__, context->serial, name);
  773. dump_stack();
  774. #endif
  775. return;
  776. }
  777. BUG_ON(context->name_count >= AUDIT_NAMES);
  778. context->names[context->name_count].name = name;
  779. context->names[context->name_count].ino = (unsigned long)-1;
  780. ++context->name_count;
  781. if (!context->pwd) {
  782. read_lock(&current->fs->lock);
  783. context->pwd = dget(current->fs->pwd);
  784. context->pwdmnt = mntget(current->fs->pwdmnt);
  785. read_unlock(&current->fs->lock);
  786. }
  787. }
  788. /* audit_putname - intercept a putname request
  789. * @name: name to intercept and delay for putname
  790. *
  791. * If we have stored the name from getname in the audit context,
  792. * then we delay the putname until syscall exit.
  793. * Called from include/linux/fs.h:putname().
  794. */
  795. void audit_putname(const char *name)
  796. {
  797. struct audit_context *context = current->audit_context;
  798. BUG_ON(!context);
  799. if (!context->in_syscall) {
  800. #if AUDIT_DEBUG == 2
  801. printk(KERN_ERR "%s:%d(:%d): __putname(%p)\n",
  802. __FILE__, __LINE__, context->serial, name);
  803. if (context->name_count) {
  804. int i;
  805. for (i = 0; i < context->name_count; i++)
  806. printk(KERN_ERR "name[%d] = %p = %s\n", i,
  807. context->names[i].name,
  808. context->names[i].name ?: "(null)");
  809. }
  810. #endif
  811. __putname(name);
  812. }
  813. #if AUDIT_DEBUG
  814. else {
  815. ++context->put_count;
  816. if (context->put_count > context->name_count) {
  817. printk(KERN_ERR "%s:%d(:%d): major=%d"
  818. " in_syscall=%d putname(%p) name_count=%d"
  819. " put_count=%d\n",
  820. __FILE__, __LINE__,
  821. context->serial, context->major,
  822. context->in_syscall, name, context->name_count,
  823. context->put_count);
  824. dump_stack();
  825. }
  826. }
  827. #endif
  828. }
  829. void audit_inode_context(int idx, const struct inode *inode)
  830. {
  831. struct audit_context *context = current->audit_context;
  832. const char *suffix = security_inode_xattr_getsuffix();
  833. char *ctx = NULL;
  834. int len = 0;
  835. if (!suffix)
  836. goto ret;
  837. len = security_inode_getsecurity(inode, suffix, NULL, 0, 0);
  838. if (len == -EOPNOTSUPP)
  839. goto ret;
  840. if (len < 0)
  841. goto error_path;
  842. ctx = kmalloc(len, GFP_KERNEL);
  843. if (!ctx)
  844. goto error_path;
  845. len = security_inode_getsecurity(inode, suffix, ctx, len, 0);
  846. if (len < 0)
  847. goto error_path;
  848. kfree(context->names[idx].ctx);
  849. context->names[idx].ctx = ctx;
  850. goto ret;
  851. error_path:
  852. if (ctx)
  853. kfree(ctx);
  854. audit_panic("error in audit_inode_context");
  855. ret:
  856. return;
  857. }
  858. /**
  859. * audit_inode - store the inode and device from a lookup
  860. * @name: name being audited
  861. * @inode: inode being audited
  862. * @flags: lookup flags (as used in path_lookup())
  863. *
  864. * Called from fs/namei.c:path_lookup().
  865. */
  866. void __audit_inode(const char *name, const struct inode *inode, unsigned flags)
  867. {
  868. int idx;
  869. struct audit_context *context = current->audit_context;
  870. if (!context->in_syscall)
  871. return;
  872. if (context->name_count
  873. && context->names[context->name_count-1].name
  874. && context->names[context->name_count-1].name == name)
  875. idx = context->name_count - 1;
  876. else if (context->name_count > 1
  877. && context->names[context->name_count-2].name
  878. && context->names[context->name_count-2].name == name)
  879. idx = context->name_count - 2;
  880. else {
  881. /* FIXME: how much do we care about inodes that have no
  882. * associated name? */
  883. if (context->name_count >= AUDIT_NAMES - AUDIT_NAMES_RESERVED)
  884. return;
  885. idx = context->name_count++;
  886. context->names[idx].name = NULL;
  887. #if AUDIT_DEBUG
  888. ++context->ino_count;
  889. #endif
  890. }
  891. context->names[idx].dev = inode->i_sb->s_dev;
  892. context->names[idx].mode = inode->i_mode;
  893. context->names[idx].uid = inode->i_uid;
  894. context->names[idx].gid = inode->i_gid;
  895. context->names[idx].rdev = inode->i_rdev;
  896. audit_inode_context(idx, inode);
  897. if ((flags & LOOKUP_PARENT) && (strcmp(name, "/") != 0) &&
  898. (strcmp(name, ".") != 0)) {
  899. context->names[idx].ino = (unsigned long)-1;
  900. context->names[idx].pino = inode->i_ino;
  901. } else {
  902. context->names[idx].ino = inode->i_ino;
  903. context->names[idx].pino = (unsigned long)-1;
  904. }
  905. }
  906. /**
  907. * audit_inode_child - collect inode info for created/removed objects
  908. * @dname: inode's dentry name
  909. * @inode: inode being audited
  910. * @pino: inode number of dentry parent
  911. *
  912. * For syscalls that create or remove filesystem objects, audit_inode
  913. * can only collect information for the filesystem object's parent.
  914. * This call updates the audit context with the child's information.
  915. * Syscalls that create a new filesystem object must be hooked after
  916. * the object is created. Syscalls that remove a filesystem object
  917. * must be hooked prior, in order to capture the target inode during
  918. * unsuccessful attempts.
  919. */
  920. void __audit_inode_child(const char *dname, const struct inode *inode,
  921. unsigned long pino)
  922. {
  923. int idx;
  924. struct audit_context *context = current->audit_context;
  925. if (!context->in_syscall)
  926. return;
  927. /* determine matching parent */
  928. if (dname)
  929. for (idx = 0; idx < context->name_count; idx++)
  930. if (context->names[idx].pino == pino) {
  931. const char *n;
  932. const char *name = context->names[idx].name;
  933. int dlen = strlen(dname);
  934. int nlen = name ? strlen(name) : 0;
  935. if (nlen < dlen)
  936. continue;
  937. /* disregard trailing slashes */
  938. n = name + nlen - 1;
  939. while ((*n == '/') && (n > name))
  940. n--;
  941. /* find last path component */
  942. n = n - dlen + 1;
  943. if (n < name)
  944. continue;
  945. else if (n > name) {
  946. if (*--n != '/')
  947. continue;
  948. else
  949. n++;
  950. }
  951. if (strncmp(n, dname, dlen) == 0)
  952. goto update_context;
  953. }
  954. /* catch-all in case match not found */
  955. idx = context->name_count++;
  956. context->names[idx].name = NULL;
  957. context->names[idx].pino = pino;
  958. #if AUDIT_DEBUG
  959. context->ino_count++;
  960. #endif
  961. update_context:
  962. if (inode) {
  963. context->names[idx].ino = inode->i_ino;
  964. context->names[idx].dev = inode->i_sb->s_dev;
  965. context->names[idx].mode = inode->i_mode;
  966. context->names[idx].uid = inode->i_uid;
  967. context->names[idx].gid = inode->i_gid;
  968. context->names[idx].rdev = inode->i_rdev;
  969. audit_inode_context(idx, inode);
  970. }
  971. }
  972. /**
  973. * auditsc_get_stamp - get local copies of audit_context values
  974. * @ctx: audit_context for the task
  975. * @t: timespec to store time recorded in the audit_context
  976. * @serial: serial value that is recorded in the audit_context
  977. *
  978. * Also sets the context as auditable.
  979. */
  980. void auditsc_get_stamp(struct audit_context *ctx,
  981. struct timespec *t, unsigned int *serial)
  982. {
  983. if (!ctx->serial)
  984. ctx->serial = audit_serial();
  985. t->tv_sec = ctx->ctime.tv_sec;
  986. t->tv_nsec = ctx->ctime.tv_nsec;
  987. *serial = ctx->serial;
  988. ctx->auditable = 1;
  989. }
  990. /**
  991. * audit_set_loginuid - set a task's audit_context loginuid
  992. * @task: task whose audit context is being modified
  993. * @loginuid: loginuid value
  994. *
  995. * Returns 0.
  996. *
  997. * Called (set) from fs/proc/base.c::proc_loginuid_write().
  998. */
  999. int audit_set_loginuid(struct task_struct *task, uid_t loginuid)
  1000. {
  1001. if (task->audit_context) {
  1002. struct audit_buffer *ab;
  1003. ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN);
  1004. if (ab) {
  1005. audit_log_format(ab, "login pid=%d uid=%u "
  1006. "old auid=%u new auid=%u",
  1007. task->pid, task->uid,
  1008. task->audit_context->loginuid, loginuid);
  1009. audit_log_end(ab);
  1010. }
  1011. task->audit_context->loginuid = loginuid;
  1012. }
  1013. return 0;
  1014. }
  1015. /**
  1016. * audit_get_loginuid - get the loginuid for an audit_context
  1017. * @ctx: the audit_context
  1018. *
  1019. * Returns the context's loginuid or -1 if @ctx is NULL.
  1020. */
  1021. uid_t audit_get_loginuid(struct audit_context *ctx)
  1022. {
  1023. return ctx ? ctx->loginuid : -1;
  1024. }
  1025. static char *audit_ipc_context(struct kern_ipc_perm *ipcp)
  1026. {
  1027. struct audit_context *context = current->audit_context;
  1028. char *ctx = NULL;
  1029. int len = 0;
  1030. if (likely(!context))
  1031. return NULL;
  1032. len = security_ipc_getsecurity(ipcp, NULL, 0);
  1033. if (len == -EOPNOTSUPP)
  1034. goto ret;
  1035. if (len < 0)
  1036. goto error_path;
  1037. ctx = kmalloc(len, GFP_ATOMIC);
  1038. if (!ctx)
  1039. goto error_path;
  1040. len = security_ipc_getsecurity(ipcp, ctx, len);
  1041. if (len < 0)
  1042. goto error_path;
  1043. return ctx;
  1044. error_path:
  1045. kfree(ctx);
  1046. audit_panic("error in audit_ipc_context");
  1047. ret:
  1048. return NULL;
  1049. }
  1050. /**
  1051. * audit_ipc_perms - record audit data for ipc
  1052. * @qbytes: msgq bytes
  1053. * @uid: msgq user id
  1054. * @gid: msgq group id
  1055. * @mode: msgq mode (permissions)
  1056. *
  1057. * Returns 0 for success or NULL context or < 0 on error.
  1058. */
  1059. int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode, struct kern_ipc_perm *ipcp)
  1060. {
  1061. struct audit_aux_data_ipcctl *ax;
  1062. struct audit_context *context = current->audit_context;
  1063. if (likely(!context))
  1064. return 0;
  1065. ax = kmalloc(sizeof(*ax), GFP_ATOMIC);
  1066. if (!ax)
  1067. return -ENOMEM;
  1068. ax->qbytes = qbytes;
  1069. ax->uid = uid;
  1070. ax->gid = gid;
  1071. ax->mode = mode;
  1072. ax->ctx = audit_ipc_context(ipcp);
  1073. ax->d.type = AUDIT_IPC;
  1074. ax->d.next = context->aux;
  1075. context->aux = (void *)ax;
  1076. return 0;
  1077. }
  1078. /**
  1079. * audit_socketcall - record audit data for sys_socketcall
  1080. * @nargs: number of args
  1081. * @args: args array
  1082. *
  1083. * Returns 0 for success or NULL context or < 0 on error.
  1084. */
  1085. int audit_socketcall(int nargs, unsigned long *args)
  1086. {
  1087. struct audit_aux_data_socketcall *ax;
  1088. struct audit_context *context = current->audit_context;
  1089. if (likely(!context))
  1090. return 0;
  1091. ax = kmalloc(sizeof(*ax) + nargs * sizeof(unsigned long), GFP_KERNEL);
  1092. if (!ax)
  1093. return -ENOMEM;
  1094. ax->nargs = nargs;
  1095. memcpy(ax->args, args, nargs * sizeof(unsigned long));
  1096. ax->d.type = AUDIT_SOCKETCALL;
  1097. ax->d.next = context->aux;
  1098. context->aux = (void *)ax;
  1099. return 0;
  1100. }
  1101. /**
  1102. * audit_sockaddr - record audit data for sys_bind, sys_connect, sys_sendto
  1103. * @len: data length in user space
  1104. * @a: data address in kernel space
  1105. *
  1106. * Returns 0 for success or NULL context or < 0 on error.
  1107. */
  1108. int audit_sockaddr(int len, void *a)
  1109. {
  1110. struct audit_aux_data_sockaddr *ax;
  1111. struct audit_context *context = current->audit_context;
  1112. if (likely(!context))
  1113. return 0;
  1114. ax = kmalloc(sizeof(*ax) + len, GFP_KERNEL);
  1115. if (!ax)
  1116. return -ENOMEM;
  1117. ax->len = len;
  1118. memcpy(ax->a, a, len);
  1119. ax->d.type = AUDIT_SOCKADDR;
  1120. ax->d.next = context->aux;
  1121. context->aux = (void *)ax;
  1122. return 0;
  1123. }
  1124. /**
  1125. * audit_avc_path - record the granting or denial of permissions
  1126. * @dentry: dentry to record
  1127. * @mnt: mnt to record
  1128. *
  1129. * Returns 0 for success or NULL context or < 0 on error.
  1130. *
  1131. * Called from security/selinux/avc.c::avc_audit()
  1132. */
  1133. int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt)
  1134. {
  1135. struct audit_aux_data_path *ax;
  1136. struct audit_context *context = current->audit_context;
  1137. if (likely(!context))
  1138. return 0;
  1139. ax = kmalloc(sizeof(*ax), GFP_ATOMIC);
  1140. if (!ax)
  1141. return -ENOMEM;
  1142. ax->dentry = dget(dentry);
  1143. ax->mnt = mntget(mnt);
  1144. ax->d.type = AUDIT_AVC_PATH;
  1145. ax->d.next = context->aux;
  1146. context->aux = (void *)ax;
  1147. return 0;
  1148. }
  1149. /**
  1150. * audit_signal_info - record signal info for shutting down audit subsystem
  1151. * @sig: signal value
  1152. * @t: task being signaled
  1153. *
  1154. * If the audit subsystem is being terminated, record the task (pid)
  1155. * and uid that is doing that.
  1156. */
  1157. void audit_signal_info(int sig, struct task_struct *t)
  1158. {
  1159. extern pid_t audit_sig_pid;
  1160. extern uid_t audit_sig_uid;
  1161. if (unlikely(audit_pid && t->tgid == audit_pid)) {
  1162. if (sig == SIGTERM || sig == SIGHUP) {
  1163. struct audit_context *ctx = current->audit_context;
  1164. audit_sig_pid = current->pid;
  1165. if (ctx)
  1166. audit_sig_uid = ctx->loginuid;
  1167. else
  1168. audit_sig_uid = current->uid;
  1169. }
  1170. }
  1171. }