1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
46
47#include <linux/init.h>
48#include <asm/types.h>
49#include <linux/atomic.h>
50#include <linux/fs.h>
51#include <linux/namei.h>
52#include <linux/mm.h>
53#include <linux/export.h>
54#include <linux/slab.h>
55#include <linux/mount.h>
56#include <linux/socket.h>
57#include <linux/mqueue.h>
58#include <linux/audit.h>
59#include <linux/personality.h>
60#include <linux/time.h>
61#include <linux/netlink.h>
62#include <linux/compiler.h>
63#include <asm/unistd.h>
64#include <linux/security.h>
65#include <linux/list.h>
66#include <linux/tty.h>
67#include <linux/binfmts.h>
68#include <linux/highmem.h>
69#include <linux/syscalls.h>
70#include <linux/capability.h>
71#include <linux/fs_struct.h>
72#include <linux/compat.h>
73#include <linux/ctype.h>
74
75#include "audit.h"
76
77
78#define AUDITSC_INVALID 0
79#define AUDITSC_SUCCESS 1
80#define AUDITSC_FAILURE 2
81
82
83#define MAX_EXECVE_AUDIT_LEN 7500
84
85
86#define MAX_PROCTITLE_AUDIT_LEN 128
87
88
89int audit_n_rules;
90
91
92int audit_signals;
93
94struct audit_aux_data {
95 struct audit_aux_data *next;
96 int type;
97};
98
99#define AUDIT_AUX_IPCPERM 0
100
101
102#define AUDIT_AUX_PIDS 16
103
104struct audit_aux_data_pids {
105 struct audit_aux_data d;
106 pid_t target_pid[AUDIT_AUX_PIDS];
107 kuid_t target_auid[AUDIT_AUX_PIDS];
108 kuid_t target_uid[AUDIT_AUX_PIDS];
109 unsigned int target_sessionid[AUDIT_AUX_PIDS];
110 u32 target_sid[AUDIT_AUX_PIDS];
111 char target_comm[AUDIT_AUX_PIDS][TASK_COMM_LEN];
112 int pid_count;
113};
114
115struct audit_aux_data_bprm_fcaps {
116 struct audit_aux_data d;
117 struct audit_cap_data fcap;
118 unsigned int fcap_ver;
119 struct audit_cap_data old_pcap;
120 struct audit_cap_data new_pcap;
121};
122
123struct audit_tree_refs {
124 struct audit_tree_refs *next;
125 struct audit_chunk *c[31];
126};
127
128static inline int open_arg(int flags, int mask)
129{
130 int n = ACC_MODE(flags);
131 if (flags & (O_TRUNC | O_CREAT))
132 n |= AUDIT_PERM_WRITE;
133 return n & mask;
134}
135
136static int audit_match_perm(struct audit_context *ctx, int mask)
137{
138 unsigned n;
139 if (unlikely(!ctx))
140 return 0;
141 n = ctx->major;
142
143 switch (audit_classify_syscall(ctx->arch, n)) {
144 case 0:
145 if ((mask & AUDIT_PERM_WRITE) &&
146 audit_match_class(AUDIT_CLASS_WRITE, n))
147 return 1;
148 if ((mask & AUDIT_PERM_READ) &&
149 audit_match_class(AUDIT_CLASS_READ, n))
150 return 1;
151 if ((mask & AUDIT_PERM_ATTR) &&
152 audit_match_class(AUDIT_CLASS_CHATTR, n))
153 return 1;
154 return 0;
155 case 1:
156 if ((mask & AUDIT_PERM_WRITE) &&
157 audit_match_class(AUDIT_CLASS_WRITE_32, n))
158 return 1;
159 if ((mask & AUDIT_PERM_READ) &&
160 audit_match_class(AUDIT_CLASS_READ_32, n))
161 return 1;
162 if ((mask & AUDIT_PERM_ATTR) &&
163 audit_match_class(AUDIT_CLASS_CHATTR_32, n))
164 return 1;
165 return 0;
166 case 2:
167 return mask & ACC_MODE(ctx->argv[1]);
168 case 3:
169 return mask & ACC_MODE(ctx->argv[2]);
170 case 4:
171 return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND);
172 case 5:
173 return mask & AUDIT_PERM_EXEC;
174 default:
175 return 0;
176 }
177}
178
179static int audit_match_filetype(struct audit_context *ctx, int val)
180{
181 struct audit_names *n;
182 umode_t mode = (umode_t)val;
183
184 if (unlikely(!ctx))
185 return 0;
186
187 list_for_each_entry(n, &ctx->names_list, list) {
188 if ((n->ino != -1) &&
189 ((n->mode & S_IFMT) == mode))
190 return 1;
191 }
192
193 return 0;
194}
195
196
197
198
199
200
201
202
203
204
205
206#ifdef CONFIG_AUDIT_TREE
207static void audit_set_auditable(struct audit_context *ctx)
208{
209 if (!ctx->prio) {
210 ctx->prio = 1;
211 ctx->current_state = AUDIT_RECORD_CONTEXT;
212 }
213}
214
215static int put_tree_ref(struct audit_context *ctx, struct audit_chunk *chunk)
216{
217 struct audit_tree_refs *p = ctx->trees;
218 int left = ctx->tree_count;
219 if (likely(left)) {
220 p->c[--left] = chunk;
221 ctx->tree_count = left;
222 return 1;
223 }
224 if (!p)
225 return 0;
226 p = p->next;
227 if (p) {
228 p->c[30] = chunk;
229 ctx->trees = p;
230 ctx->tree_count = 30;
231 return 1;
232 }
233 return 0;
234}
235
236static int grow_tree_refs(struct audit_context *ctx)
237{
238 struct audit_tree_refs *p = ctx->trees;
239 ctx->trees = kzalloc(sizeof(struct audit_tree_refs), GFP_KERNEL);
240 if (!ctx->trees) {
241 ctx->trees = p;
242 return 0;
243 }
244 if (p)
245 p->next = ctx->trees;
246 else
247 ctx->first_trees = ctx->trees;
248 ctx->tree_count = 31;
249 return 1;
250}
251#endif
252
253static void unroll_tree_refs(struct audit_context *ctx,
254 struct audit_tree_refs *p, int count)
255{
256#ifdef CONFIG_AUDIT_TREE
257 struct audit_tree_refs *q;
258 int n;
259 if (!p) {
260
261 p = ctx->first_trees;
262 count = 31;
263
264 if (!p)
265 return;
266 }
267 n = count;
268 for (q = p; q != ctx->trees; q = q->next, n = 31) {
269 while (n--) {
270 audit_put_chunk(q->c[n]);
271 q->c[n] = NULL;
272 }
273 }
274 while (n-- > ctx->tree_count) {
275 audit_put_chunk(q->c[n]);
276 q->c[n] = NULL;
277 }
278 ctx->trees = p;
279 ctx->tree_count = count;
280#endif
281}
282
283static void free_tree_refs(struct audit_context *ctx)
284{
285 struct audit_tree_refs *p, *q;
286 for (p = ctx->first_trees; p; p = q) {
287 q = p->next;
288 kfree(p);
289 }
290}
291
292static int match_tree_refs(struct audit_context *ctx, struct audit_tree *tree)
293{
294#ifdef CONFIG_AUDIT_TREE
295 struct audit_tree_refs *p;
296 int n;
297 if (!tree)
298 return 0;
299
300 for (p = ctx->first_trees; p != ctx->trees; p = p->next) {
301 for (n = 0; n < 31; n++)
302 if (audit_tree_match(p->c[n], tree))
303 return 1;
304 }
305
306 if (p) {
307 for (n = ctx->tree_count; n < 31; n++)
308 if (audit_tree_match(p->c[n], tree))
309 return 1;
310 }
311#endif
312 return 0;
313}
314
315static int audit_compare_uid(kuid_t uid,
316 struct audit_names *name,
317 struct audit_field *f,
318 struct audit_context *ctx)
319{
320 struct audit_names *n;
321 int rc;
322
323 if (name) {
324 rc = audit_uid_comparator(uid, f->op, name->uid);
325 if (rc)
326 return rc;
327 }
328
329 if (ctx) {
330 list_for_each_entry(n, &ctx->names_list, list) {
331 rc = audit_uid_comparator(uid, f->op, n->uid);
332 if (rc)
333 return rc;
334 }
335 }
336 return 0;
337}
338
339static int audit_compare_gid(kgid_t gid,
340 struct audit_names *name,
341 struct audit_field *f,
342 struct audit_context *ctx)
343{
344 struct audit_names *n;
345 int rc;
346
347 if (name) {
348 rc = audit_gid_comparator(gid, f->op, name->gid);
349 if (rc)
350 return rc;
351 }
352
353 if (ctx) {
354 list_for_each_entry(n, &ctx->names_list, list) {
355 rc = audit_gid_comparator(gid, f->op, n->gid);
356 if (rc)
357 return rc;
358 }
359 }
360 return 0;
361}
362
363static int audit_field_compare(struct task_struct *tsk,
364 const struct cred *cred,
365 struct audit_field *f,
366 struct audit_context *ctx,
367 struct audit_names *name)
368{
369 switch (f->val) {
370
371 case AUDIT_COMPARE_UID_TO_OBJ_UID:
372 return audit_compare_uid(cred->uid, name, f, ctx);
373 case AUDIT_COMPARE_GID_TO_OBJ_GID:
374 return audit_compare_gid(cred->gid, name, f, ctx);
375 case AUDIT_COMPARE_EUID_TO_OBJ_UID:
376 return audit_compare_uid(cred->euid, name, f, ctx);
377 case AUDIT_COMPARE_EGID_TO_OBJ_GID:
378 return audit_compare_gid(cred->egid, name, f, ctx);
379 case AUDIT_COMPARE_AUID_TO_OBJ_UID:
380 return audit_compare_uid(tsk->loginuid, name, f, ctx);
381 case AUDIT_COMPARE_SUID_TO_OBJ_UID:
382 return audit_compare_uid(cred->suid, name, f, ctx);
383 case AUDIT_COMPARE_SGID_TO_OBJ_GID:
384 return audit_compare_gid(cred->sgid, name, f, ctx);
385 case AUDIT_COMPARE_FSUID_TO_OBJ_UID:
386 return audit_compare_uid(cred->fsuid, name, f, ctx);
387 case AUDIT_COMPARE_FSGID_TO_OBJ_GID:
388 return audit_compare_gid(cred->fsgid, name, f, ctx);
389
390 case AUDIT_COMPARE_UID_TO_AUID:
391 return audit_uid_comparator(cred->uid, f->op, tsk->loginuid);
392 case AUDIT_COMPARE_UID_TO_EUID:
393 return audit_uid_comparator(cred->uid, f->op, cred->euid);
394 case AUDIT_COMPARE_UID_TO_SUID:
395 return audit_uid_comparator(cred->uid, f->op, cred->suid);
396 case AUDIT_COMPARE_UID_TO_FSUID:
397 return audit_uid_comparator(cred->uid, f->op, cred->fsuid);
398
399 case AUDIT_COMPARE_AUID_TO_EUID:
400 return audit_uid_comparator(tsk->loginuid, f->op, cred->euid);
401 case AUDIT_COMPARE_AUID_TO_SUID:
402 return audit_uid_comparator(tsk->loginuid, f->op, cred->suid);
403 case AUDIT_COMPARE_AUID_TO_FSUID:
404 return audit_uid_comparator(tsk->loginuid, f->op, cred->fsuid);
405
406 case AUDIT_COMPARE_EUID_TO_SUID:
407 return audit_uid_comparator(cred->euid, f->op, cred->suid);
408 case AUDIT_COMPARE_EUID_TO_FSUID:
409 return audit_uid_comparator(cred->euid, f->op, cred->fsuid);
410
411 case AUDIT_COMPARE_SUID_TO_FSUID:
412 return audit_uid_comparator(cred->suid, f->op, cred->fsuid);
413
414 case AUDIT_COMPARE_GID_TO_EGID:
415 return audit_gid_comparator(cred->gid, f->op, cred->egid);
416 case AUDIT_COMPARE_GID_TO_SGID:
417 return audit_gid_comparator(cred->gid, f->op, cred->sgid);
418 case AUDIT_COMPARE_GID_TO_FSGID:
419 return audit_gid_comparator(cred->gid, f->op, cred->fsgid);
420
421 case AUDIT_COMPARE_EGID_TO_SGID:
422 return audit_gid_comparator(cred->egid, f->op, cred->sgid);
423 case AUDIT_COMPARE_EGID_TO_FSGID:
424 return audit_gid_comparator(cred->egid, f->op, cred->fsgid);
425
426 case AUDIT_COMPARE_SGID_TO_FSGID:
427 return audit_gid_comparator(cred->sgid, f->op, cred->fsgid);
428 default:
429 WARN(1, "Missing AUDIT_COMPARE define. Report as a bug\n");
430 return 0;
431 }
432 return 0;
433}
434
435
436
437
438
439
440
441
442
443static int audit_filter_rules(struct task_struct *tsk,
444 struct audit_krule *rule,
445 struct audit_context *ctx,
446 struct audit_names *name,
447 enum audit_state *state,
448 bool task_creation)
449{
450 const struct cred *cred;
451 int i, need_sid = 1;
452 u32 sid;
453
454 cred = rcu_dereference_check(tsk->cred, tsk == current || task_creation);
455
456 for (i = 0; i < rule->field_count; i++) {
457 struct audit_field *f = &rule->fields[i];
458 struct audit_names *n;
459 int result = 0;
460 pid_t pid;
461
462 switch (f->type) {
463 case AUDIT_PID:
464 pid = task_pid_nr(tsk);
465 result = audit_comparator(pid, f->op, f->val);
466 break;
467 case AUDIT_PPID:
468 if (ctx) {
469 if (!ctx->ppid)
470 ctx->ppid = task_ppid_nr(tsk);
471 result = audit_comparator(ctx->ppid, f->op, f->val);
472 }
473 break;
474 case AUDIT_UID:
475 result = audit_uid_comparator(cred->uid, f->op, f->uid);
476 break;
477 case AUDIT_EUID:
478 result = audit_uid_comparator(cred->euid, f->op, f->uid);
479 break;
480 case AUDIT_SUID:
481 result = audit_uid_comparator(cred->suid, f->op, f->uid);
482 break;
483 case AUDIT_FSUID:
484 result = audit_uid_comparator(cred->fsuid, f->op, f->uid);
485 break;
486 case AUDIT_GID:
487 result = audit_gid_comparator(cred->gid, f->op, f->gid);
488 if (f->op == Audit_equal) {
489 if (!result)
490 result = in_group_p(f->gid);
491 } else if (f->op == Audit_not_equal) {
492 if (result)
493 result = !in_group_p(f->gid);
494 }
495 break;
496 case AUDIT_EGID:
497 result = audit_gid_comparator(cred->egid, f->op, f->gid);
498 if (f->op == Audit_equal) {
499 if (!result)
500 result = in_egroup_p(f->gid);
501 } else if (f->op == Audit_not_equal) {
502 if (result)
503 result = !in_egroup_p(f->gid);
504 }
505 break;
506 case AUDIT_SGID:
507 result = audit_gid_comparator(cred->sgid, f->op, f->gid);
508 break;
509 case AUDIT_FSGID:
510 result = audit_gid_comparator(cred->fsgid, f->op, f->gid);
511 break;
512 case AUDIT_PERS:
513 result = audit_comparator(tsk->personality, f->op, f->val);
514 break;
515 case AUDIT_ARCH:
516 if (ctx)
517 result = audit_comparator(ctx->arch, f->op, f->val);
518 break;
519
520 case AUDIT_EXIT:
521 if (ctx && ctx->return_valid)
522 result = audit_comparator(ctx->return_code, f->op, f->val);
523 break;
524 case AUDIT_SUCCESS:
525 if (ctx && ctx->return_valid) {
526 if (f->val)
527 result = audit_comparator(ctx->return_valid, f->op, AUDITSC_SUCCESS);
528 else
529 result = audit_comparator(ctx->return_valid, f->op, AUDITSC_FAILURE);
530 }
531 break;
532 case AUDIT_DEVMAJOR:
533 if (name) {
534 if (audit_comparator(MAJOR(name->dev), f->op, f->val) ||
535 audit_comparator(MAJOR(name->rdev), f->op, f->val))
536 ++result;
537 } else if (ctx) {
538 list_for_each_entry(n, &ctx->names_list, list) {
539 if (audit_comparator(MAJOR(n->dev), f->op, f->val) ||
540 audit_comparator(MAJOR(n->rdev), f->op, f->val)) {
541 ++result;
542 break;
543 }
544 }
545 }
546 break;
547 case AUDIT_DEVMINOR:
548 if (name) {
549 if (audit_comparator(MINOR(name->dev), f->op, f->val) ||
550 audit_comparator(MINOR(name->rdev), f->op, f->val))
551 ++result;
552 } else if (ctx) {
553 list_for_each_entry(n, &ctx->names_list, list) {
554 if (audit_comparator(MINOR(n->dev), f->op, f->val) ||
555 audit_comparator(MINOR(n->rdev), f->op, f->val)) {
556 ++result;
557 break;
558 }
559 }
560 }
561 break;
562 case AUDIT_INODE:
563 if (name)
564 result = audit_comparator(name->ino, f->op, f->val);
565 else if (ctx) {
566 list_for_each_entry(n, &ctx->names_list, list) {
567 if (audit_comparator(n->ino, f->op, f->val)) {
568 ++result;
569 break;
570 }
571 }
572 }
573 break;
574 case AUDIT_OBJ_UID:
575 if (name) {
576 result = audit_uid_comparator(name->uid, f->op, f->uid);
577 } else if (ctx) {
578 list_for_each_entry(n, &ctx->names_list, list) {
579 if (audit_uid_comparator(n->uid, f->op, f->uid)) {
580 ++result;
581 break;
582 }
583 }
584 }
585 break;
586 case AUDIT_OBJ_GID:
587 if (name) {
588 result = audit_gid_comparator(name->gid, f->op, f->gid);
589 } else if (ctx) {
590 list_for_each_entry(n, &ctx->names_list, list) {
591 if (audit_gid_comparator(n->gid, f->op, f->gid)) {
592 ++result;
593 break;
594 }
595 }
596 }
597 break;
598 case AUDIT_WATCH:
599 if (name)
600 result = audit_watch_compare(rule->watch, name->ino, name->dev);
601 break;
602 case AUDIT_DIR:
603 if (ctx)
604 result = match_tree_refs(ctx, rule->tree);
605 break;
606 case AUDIT_LOGINUID:
607 result = 0;
608 if (ctx)
609 result = audit_uid_comparator(tsk->loginuid, f->op, f->uid);
610 break;
611 case AUDIT_LOGINUID_SET:
612 result = audit_comparator(audit_loginuid_set(tsk), f->op, f->val);
613 break;
614 case AUDIT_SUBJ_USER:
615 case AUDIT_SUBJ_ROLE:
616 case AUDIT_SUBJ_TYPE:
617 case AUDIT_SUBJ_SEN:
618 case AUDIT_SUBJ_CLR:
619
620
621
622
623
624 if (f->lsm_rule) {
625 if (need_sid) {
626 security_task_getsecid(tsk, &sid);
627 need_sid = 0;
628 }
629 result = security_audit_rule_match(sid, f->type,
630 f->op,
631 f->lsm_rule,
632 ctx);
633 }
634 break;
635 case AUDIT_OBJ_USER:
636 case AUDIT_OBJ_ROLE:
637 case AUDIT_OBJ_TYPE:
638 case AUDIT_OBJ_LEV_LOW:
639 case AUDIT_OBJ_LEV_HIGH:
640
641
642 if (f->lsm_rule) {
643
644 if (name) {
645 result = security_audit_rule_match(
646 name->osid, f->type, f->op,
647 f->lsm_rule, ctx);
648 } else if (ctx) {
649 list_for_each_entry(n, &ctx->names_list, list) {
650 if (security_audit_rule_match(n->osid, f->type,
651 f->op, f->lsm_rule,
652 ctx)) {
653 ++result;
654 break;
655 }
656 }
657 }
658
659 if (!ctx || ctx->type != AUDIT_IPC)
660 break;
661 if (security_audit_rule_match(ctx->ipc.osid,
662 f->type, f->op,
663 f->lsm_rule, ctx))
664 ++result;
665 }
666 break;
667 case AUDIT_ARG0:
668 case AUDIT_ARG1:
669 case AUDIT_ARG2:
670 case AUDIT_ARG3:
671 if (ctx)
672 result = audit_comparator(ctx->argv[f->type-AUDIT_ARG0], f->op, f->val);
673 break;
674 case AUDIT_FILTERKEY:
675
676 result = 1;
677 break;
678 case AUDIT_PERM:
679 result = audit_match_perm(ctx, f->val);
680 break;
681 case AUDIT_FILETYPE:
682 result = audit_match_filetype(ctx, f->val);
683 break;
684 case AUDIT_FIELD_COMPARE:
685 result = audit_field_compare(tsk, cred, f, ctx, name);
686 break;
687 }
688 if (!result)
689 return 0;
690 }
691
692 if (ctx) {
693 if (rule->prio <= ctx->prio)
694 return 0;
695 if (rule->filterkey) {
696 kfree(ctx->filterkey);
697 ctx->filterkey = kstrdup(rule->filterkey, GFP_ATOMIC);
698 }
699 ctx->prio = rule->prio;
700 }
701 switch (rule->action) {
702 case AUDIT_NEVER: *state = AUDIT_DISABLED; break;
703 case AUDIT_ALWAYS: *state = AUDIT_RECORD_CONTEXT; break;
704 }
705 return 1;
706}
707
708
709
710
711
712static enum audit_state audit_filter_task(struct task_struct *tsk, char **key)
713{
714 struct audit_entry *e;
715 enum audit_state state;
716
717 rcu_read_lock();
718 list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TASK], list) {
719 if (audit_filter_rules(tsk, &e->rule, NULL, NULL,
720 &state, true)) {
721 if (state == AUDIT_RECORD_CONTEXT)
722 *key = kstrdup(e->rule.filterkey, GFP_ATOMIC);
723 rcu_read_unlock();
724 return state;
725 }
726 }
727 rcu_read_unlock();
728 return AUDIT_BUILD_CONTEXT;
729}
730
731static int audit_in_mask(const struct audit_krule *rule, unsigned long val)
732{
733 int word, bit;
734
735 if (val > 0xffffffff)
736 return false;
737
738 word = AUDIT_WORD(val);
739 if (word >= AUDIT_BITMASK_SIZE)
740 return false;
741
742 bit = AUDIT_BIT(val);
743
744 return rule->mask[word] & bit;
745}
746
747
748
749
750
751
752static enum audit_state audit_filter_syscall(struct task_struct *tsk,
753 struct audit_context *ctx,
754 struct list_head *list)
755{
756 struct audit_entry *e;
757 enum audit_state state;
758
759 if (audit_pid && tsk->tgid == audit_pid)
760 return AUDIT_DISABLED;
761
762 rcu_read_lock();
763 if (!list_empty(list)) {
764 list_for_each_entry_rcu(e, list, list) {
765 if (audit_in_mask(&e->rule, ctx->major) &&
766 audit_filter_rules(tsk, &e->rule, ctx, NULL,
767 &state, false)) {
768 rcu_read_unlock();
769 ctx->current_state = state;
770 return state;
771 }
772 }
773 }
774 rcu_read_unlock();
775 return AUDIT_BUILD_CONTEXT;
776}
777
778
779
780
781
782static int audit_filter_inode_name(struct task_struct *tsk,
783 struct audit_names *n,
784 struct audit_context *ctx) {
785 int h = audit_hash_ino((u32)n->ino);
786 struct list_head *list = &audit_inode_hash[h];
787 struct audit_entry *e;
788 enum audit_state state;
789
790 if (list_empty(list))
791 return 0;
792
793 list_for_each_entry_rcu(e, list, list) {
794 if (audit_in_mask(&e->rule, ctx->major) &&
795 audit_filter_rules(tsk, &e->rule, ctx, n, &state, false)) {
796 ctx->current_state = state;
797 return 1;
798 }
799 }
800
801 return 0;
802}
803
804
805
806
807
808
809void audit_filter_inodes(struct task_struct *tsk, struct audit_context *ctx)
810{
811 struct audit_names *n;
812
813 if (audit_pid && tsk->tgid == audit_pid)
814 return;
815
816 rcu_read_lock();
817
818 list_for_each_entry(n, &ctx->names_list, list) {
819 if (audit_filter_inode_name(tsk, n, ctx))
820 break;
821 }
822 rcu_read_unlock();
823}
824
825
826static inline struct audit_context *audit_take_context(struct task_struct *tsk,
827 int return_valid,
828 long return_code)
829{
830 struct audit_context *context = tsk->audit_context;
831
832 if (!context)
833 return NULL;
834 context->return_valid = return_valid;
835
836
837
838
839
840
841
842
843
844
845
846
847 if (unlikely(return_code <= -ERESTARTSYS) &&
848 (return_code >= -ERESTART_RESTARTBLOCK) &&
849 (return_code != -ENOIOCTLCMD))
850 context->return_code = -EINTR;
851 else
852 context->return_code = return_code;
853
854 if (context->in_syscall && !context->dummy) {
855 audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_EXIT]);
856 audit_filter_inodes(tsk, context);
857 }
858
859 tsk->audit_context = NULL;
860 return context;
861}
862
863static inline void audit_proctitle_free(struct audit_context *context)
864{
865 kfree(context->proctitle.value);
866 context->proctitle.value = NULL;
867 context->proctitle.len = 0;
868}
869
870static inline void audit_free_names(struct audit_context *context)
871{
872 struct audit_names *n, *next;
873
874#if AUDIT_DEBUG == 2
875 if (context->put_count + context->ino_count != context->name_count) {
876 int i = 0;
877
878 pr_err("%s:%d(:%d): major=%d in_syscall=%d"
879 " name_count=%d put_count=%d ino_count=%d"
880 " [NOT freeing]\n", __FILE__, __LINE__,
881 context->serial, context->major, context->in_syscall,
882 context->name_count, context->put_count,
883 context->ino_count);
884 list_for_each_entry(n, &context->names_list, list) {
885 pr_err("names[%d] = %p = %s\n", i++, n->name,
886 n->name->name ?: "(null)");
887 }
888 dump_stack();
889 return;
890 }
891#endif
892#if AUDIT_DEBUG
893 context->put_count = 0;
894 context->ino_count = 0;
895#endif
896
897 list_for_each_entry_safe(n, next, &context->names_list, list) {
898 list_del(&n->list);
899 if (n->name && n->name_put)
900 final_putname(n->name);
901 if (n->should_free)
902 kfree(n);
903 }
904 context->name_count = 0;
905 path_put(&context->pwd);
906 context->pwd.dentry = NULL;
907 context->pwd.mnt = NULL;
908}
909
910static inline void audit_free_aux(struct audit_context *context)
911{
912 struct audit_aux_data *aux;
913
914 while ((aux = context->aux)) {
915 context->aux = aux->next;
916 kfree(aux);
917 }
918 while ((aux = context->aux_pids)) {
919 context->aux_pids = aux->next;
920 kfree(aux);
921 }
922}
923
924static inline struct audit_context *audit_alloc_context(enum audit_state state)
925{
926 struct audit_context *context;
927
928 context = kzalloc(sizeof(*context), GFP_KERNEL);
929 if (!context)
930 return NULL;
931 context->state = state;
932 context->prio = state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0;
933 INIT_LIST_HEAD(&context->killed_trees);
934 INIT_LIST_HEAD(&context->names_list);
935 return context;
936}
937
938
939
940
941
942
943
944
945
946
947int audit_alloc(struct task_struct *tsk)
948{
949 struct audit_context *context;
950 enum audit_state state;
951 char *key = NULL;
952
953 if (likely(!audit_ever_enabled))
954 return 0;
955
956 state = audit_filter_task(tsk, &key);
957 if (state == AUDIT_DISABLED) {
958 clear_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT);
959 return 0;
960 }
961
962 if (!(context = audit_alloc_context(state))) {
963 kfree(key);
964 audit_log_lost("out of memory in audit_alloc");
965 return -ENOMEM;
966 }
967 context->filterkey = key;
968
969 tsk->audit_context = context;
970 set_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT);
971 return 0;
972}
973
974static inline void audit_free_context(struct audit_context *context)
975{
976 audit_free_names(context);
977 unroll_tree_refs(context, NULL, 0);
978 free_tree_refs(context);
979 audit_free_aux(context);
980 kfree(context->filterkey);
981 kfree(context->sockaddr);
982 audit_proctitle_free(context);
983 kfree(context);
984}
985
986static int audit_log_pid_context(struct audit_context *context, pid_t pid,
987 kuid_t auid, kuid_t uid, unsigned int sessionid,
988 u32 sid, char *comm)
989{
990 struct audit_buffer *ab;
991 char *ctx = NULL;
992 u32 len;
993 int rc = 0;
994
995 ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID);
996 if (!ab)
997 return rc;
998
999 audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid,
1000 from_kuid(&init_user_ns, auid),
1001 from_kuid(&init_user_ns, uid), sessionid);
1002 if (sid) {
1003 if (security_secid_to_secctx(sid, &ctx, &len)) {
1004 audit_log_format(ab, " obj=(none)");
1005 rc = 1;
1006 } else {
1007 audit_log_format(ab, " obj=%s", ctx);
1008 security_release_secctx(ctx, len);
1009 }
1010 }
1011 audit_log_format(ab, " ocomm=");
1012 audit_log_untrustedstring(ab, comm);
1013 audit_log_end(ab);
1014
1015 return rc;
1016}
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029static int audit_log_single_execve_arg(struct audit_context *context,
1030 struct audit_buffer **ab,
1031 int arg_num,
1032 size_t *len_sent,
1033 const char __user *p,
1034 char *buf)
1035{
1036 char arg_num_len_buf[12];
1037 const char __user *tmp_p = p;
1038
1039 size_t arg_num_len = snprintf(arg_num_len_buf, 12, "%d", arg_num) + 5;
1040 size_t len, len_left, to_send;
1041 size_t max_execve_audit_len = MAX_EXECVE_AUDIT_LEN;
1042 unsigned int i, has_cntl = 0, too_long = 0;
1043 int ret;
1044
1045
1046 len_left = len = strnlen_user(p, MAX_ARG_STRLEN) - 1;
1047
1048
1049
1050
1051
1052
1053
1054 if (unlikely((len == -1) || len > MAX_ARG_STRLEN - 1)) {
1055 WARN_ON(1);
1056 send_sig(SIGKILL, current, 0);
1057 return -1;
1058 }
1059
1060
1061 do {
1062 if (len_left > MAX_EXECVE_AUDIT_LEN)
1063 to_send = MAX_EXECVE_AUDIT_LEN;
1064 else
1065 to_send = len_left;
1066 ret = copy_from_user(buf, tmp_p, to_send);
1067
1068
1069
1070
1071
1072 if (ret) {
1073 WARN_ON(1);
1074 send_sig(SIGKILL, current, 0);
1075 return -1;
1076 }
1077 buf[to_send] = '\0';
1078 has_cntl = audit_string_contains_control(buf, to_send);
1079 if (has_cntl) {
1080
1081
1082
1083
1084 max_execve_audit_len = MAX_EXECVE_AUDIT_LEN / 2;
1085 break;
1086 }
1087 len_left -= to_send;
1088 tmp_p += to_send;
1089 } while (len_left > 0);
1090
1091 len_left = len;
1092
1093 if (len > max_execve_audit_len)
1094 too_long = 1;
1095
1096
1097 for (i = 0; len_left > 0; i++) {
1098 int room_left;
1099
1100 if (len_left > max_execve_audit_len)
1101 to_send = max_execve_audit_len;
1102 else
1103 to_send = len_left;
1104
1105
1106 room_left = MAX_EXECVE_AUDIT_LEN - arg_num_len - *len_sent;
1107 if (has_cntl)
1108 room_left -= (to_send * 2);
1109 else
1110 room_left -= to_send;
1111 if (room_left < 0) {
1112 *len_sent = 0;
1113 audit_log_end(*ab);
1114 *ab = audit_log_start(context, GFP_KERNEL, AUDIT_EXECVE);
1115 if (!*ab)
1116 return 0;
1117 }
1118
1119
1120
1121
1122
1123 if ((i == 0) && (too_long))
1124 audit_log_format(*ab, " a%d_len=%zu", arg_num,
1125 has_cntl ? 2*len : len);
1126
1127
1128
1129
1130
1131
1132 if (len >= max_execve_audit_len)
1133 ret = copy_from_user(buf, p, to_send);
1134 else
1135 ret = 0;
1136 if (ret) {
1137 WARN_ON(1);
1138 send_sig(SIGKILL, current, 0);
1139 return -1;
1140 }
1141 buf[to_send] = '\0';
1142
1143
1144 audit_log_format(*ab, " a%d", arg_num);
1145 if (too_long)
1146 audit_log_format(*ab, "[%d]", i);
1147 audit_log_format(*ab, "=");
1148 if (has_cntl)
1149 audit_log_n_hex(*ab, buf, to_send);
1150 else
1151 audit_log_string(*ab, buf);
1152
1153 p += to_send;
1154 len_left -= to_send;
1155 *len_sent += arg_num_len;
1156 if (has_cntl)
1157 *len_sent += to_send * 2;
1158 else
1159 *len_sent += to_send;
1160 }
1161
1162 return len + 1;
1163}
1164
1165static void audit_log_execve_info(struct audit_context *context,
1166 struct audit_buffer **ab)
1167{
1168 int i, len;
1169 size_t len_sent = 0;
1170 const char __user *p;
1171 char *buf;
1172
1173 p = (const char __user *)current->mm->arg_start;
1174
1175 audit_log_format(*ab, "argc=%d", context->execve.argc);
1176
1177
1178
1179
1180
1181
1182
1183 buf = kmalloc(MAX_EXECVE_AUDIT_LEN + 1, GFP_KERNEL);
1184 if (!buf) {
1185 audit_panic("out of memory for argv string");
1186 return;
1187 }
1188
1189 for (i = 0; i < context->execve.argc; i++) {
1190 len = audit_log_single_execve_arg(context, ab, i,
1191 &len_sent, p, buf);
1192 if (len <= 0)
1193 break;
1194 p += len;
1195 }
1196 kfree(buf);
1197}
1198
1199static void show_special(struct audit_context *context, int *call_panic)
1200{
1201 struct audit_buffer *ab;
1202 int i;
1203
1204 ab = audit_log_start(context, GFP_KERNEL, context->type);
1205 if (!ab)
1206 return;
1207
1208 switch (context->type) {
1209 case AUDIT_SOCKETCALL: {
1210 int nargs = context->socketcall.nargs;
1211 audit_log_format(ab, "nargs=%d", nargs);
1212 for (i = 0; i < nargs; i++)
1213 audit_log_format(ab, " a%d=%lx", i,
1214 context->socketcall.args[i]);
1215 break; }
1216 case AUDIT_IPC: {
1217 u32 osid = context->ipc.osid;
1218
1219 audit_log_format(ab, "ouid=%u ogid=%u mode=%#ho",
1220 from_kuid(&init_user_ns, context->ipc.uid),
1221 from_kgid(&init_user_ns, context->ipc.gid),
1222 context->ipc.mode);
1223 if (osid) {
1224 char *ctx = NULL;
1225 u32 len;
1226 if (security_secid_to_secctx(osid, &ctx, &len)) {
1227 audit_log_format(ab, " osid=%u", osid);
1228 *call_panic = 1;
1229 } else {
1230 audit_log_format(ab, " obj=%s", ctx);
1231 security_release_secctx(ctx, len);
1232 }
1233 }
1234 if (context->ipc.has_perm) {
1235 audit_log_end(ab);
1236 ab = audit_log_start(context, GFP_KERNEL,
1237 AUDIT_IPC_SET_PERM);
1238 if (unlikely(!ab))
1239 return;
1240 audit_log_format(ab,
1241 "qbytes=%lx ouid=%u ogid=%u mode=%#ho",
1242 context->ipc.qbytes,
1243 context->ipc.perm_uid,
1244 context->ipc.perm_gid,
1245 context->ipc.perm_mode);
1246 }
1247 break; }
1248 case AUDIT_MQ_OPEN: {
1249 audit_log_format(ab,
1250 "oflag=0x%x mode=%#ho mq_flags=0x%lx mq_maxmsg=%ld "
1251 "mq_msgsize=%ld mq_curmsgs=%ld",
1252 context->mq_open.oflag, context->mq_open.mode,
1253 context->mq_open.attr.mq_flags,
1254 context->mq_open.attr.mq_maxmsg,
1255 context->mq_open.attr.mq_msgsize,
1256 context->mq_open.attr.mq_curmsgs);
1257 break; }
1258 case AUDIT_MQ_SENDRECV: {
1259 audit_log_format(ab,
1260 "mqdes=%d msg_len=%zd msg_prio=%u "
1261 "abs_timeout_sec=%ld abs_timeout_nsec=%ld",
1262 context->mq_sendrecv.mqdes,
1263 context->mq_sendrecv.msg_len,
1264 context->mq_sendrecv.msg_prio,
1265 context->mq_sendrecv.abs_timeout.tv_sec,
1266 context->mq_sendrecv.abs_timeout.tv_nsec);
1267 break; }
1268 case AUDIT_MQ_NOTIFY: {
1269 audit_log_format(ab, "mqdes=%d sigev_signo=%d",
1270 context->mq_notify.mqdes,
1271 context->mq_notify.sigev_signo);
1272 break; }
1273 case AUDIT_MQ_GETSETATTR: {
1274 struct mq_attr *attr = &context->mq_getsetattr.mqstat;
1275 audit_log_format(ab,
1276 "mqdes=%d mq_flags=0x%lx mq_maxmsg=%ld mq_msgsize=%ld "
1277 "mq_curmsgs=%ld ",
1278 context->mq_getsetattr.mqdes,
1279 attr->mq_flags, attr->mq_maxmsg,
1280 attr->mq_msgsize, attr->mq_curmsgs);
1281 break; }
1282 case AUDIT_CAPSET: {
1283 audit_log_format(ab, "pid=%d", context->capset.pid);
1284 audit_log_cap(ab, "cap_pi", &context->capset.cap.inheritable);
1285 audit_log_cap(ab, "cap_pp", &context->capset.cap.permitted);
1286 audit_log_cap(ab, "cap_pe", &context->capset.cap.effective);
1287 break; }
1288 case AUDIT_MMAP: {
1289 audit_log_format(ab, "fd=%d flags=0x%x", context->mmap.fd,
1290 context->mmap.flags);
1291 break; }
1292 case AUDIT_EXECVE: {
1293 audit_log_execve_info(context, &ab);
1294 break; }
1295 }
1296 audit_log_end(ab);
1297}
1298
1299static inline int audit_proctitle_rtrim(char *proctitle, int len)
1300{
1301 char *end = proctitle + len - 1;
1302 while (end > proctitle && !isprint(*end))
1303 end--;
1304
1305
1306 len = end - proctitle + 1;
1307 len -= isprint(proctitle[len-1]) == 0;
1308 return len;
1309}
1310
1311static void audit_log_proctitle(struct task_struct *tsk,
1312 struct audit_context *context)
1313{
1314 int res;
1315 char *buf;
1316 char *msg = "(null)";
1317 int len = strlen(msg);
1318 struct audit_buffer *ab;
1319
1320 ab = audit_log_start(context, GFP_KERNEL, AUDIT_PROCTITLE);
1321 if (!ab)
1322 return;
1323
1324 audit_log_format(ab, "proctitle=");
1325
1326
1327 if (!context->proctitle.value) {
1328 buf = kmalloc(MAX_PROCTITLE_AUDIT_LEN, GFP_KERNEL);
1329 if (!buf)
1330 goto out;
1331
1332 res = get_cmdline(tsk, buf, MAX_PROCTITLE_AUDIT_LEN);
1333 if (res == 0) {
1334 kfree(buf);
1335 goto out;
1336 }
1337 res = audit_proctitle_rtrim(buf, res);
1338 if (res == 0) {
1339 kfree(buf);
1340 goto out;
1341 }
1342 context->proctitle.value = buf;
1343 context->proctitle.len = res;
1344 }
1345 msg = context->proctitle.value;
1346 len = context->proctitle.len;
1347out:
1348 audit_log_n_untrustedstring(ab, msg, len);
1349 audit_log_end(ab);
1350}
1351
1352static void audit_log_exit(struct audit_context *context, struct task_struct *tsk)
1353{
1354 int i, call_panic = 0;
1355 struct audit_buffer *ab;
1356 struct audit_aux_data *aux;
1357 struct audit_names *n;
1358
1359
1360 context->personality = tsk->personality;
1361
1362 ab = audit_log_start(context, GFP_KERNEL, AUDIT_SYSCALL);
1363 if (!ab)
1364 return;
1365 audit_log_format(ab, "arch=%x syscall=%d",
1366 context->arch, context->major);
1367 if (context->personality != PER_LINUX)
1368 audit_log_format(ab, " per=%lx", context->personality);
1369 if (context->return_valid)
1370 audit_log_format(ab, " success=%s exit=%ld",
1371 (context->return_valid==AUDITSC_SUCCESS)?"yes":"no",
1372 context->return_code);
1373
1374 audit_log_format(ab,
1375 " a0=%lx a1=%lx a2=%lx a3=%lx items=%d",
1376 context->argv[0],
1377 context->argv[1],
1378 context->argv[2],
1379 context->argv[3],
1380 context->name_count);
1381
1382 audit_log_task_info(ab, tsk);
1383 audit_log_key(ab, context->filterkey);
1384 audit_log_end(ab);
1385
1386 for (aux = context->aux; aux; aux = aux->next) {
1387
1388 ab = audit_log_start(context, GFP_KERNEL, aux->type);
1389 if (!ab)
1390 continue;
1391
1392 switch (aux->type) {
1393
1394 case AUDIT_BPRM_FCAPS: {
1395 struct audit_aux_data_bprm_fcaps *axs = (void *)aux;
1396 audit_log_format(ab, "fver=%x", axs->fcap_ver);
1397 audit_log_cap(ab, "fp", &axs->fcap.permitted);
1398 audit_log_cap(ab, "fi", &axs->fcap.inheritable);
1399 audit_log_format(ab, " fe=%d", axs->fcap.fE);
1400 audit_log_cap(ab, "old_pp", &axs->old_pcap.permitted);
1401 audit_log_cap(ab, "old_pi", &axs->old_pcap.inheritable);
1402 audit_log_cap(ab, "old_pe", &axs->old_pcap.effective);
1403 audit_log_cap(ab, "new_pp", &axs->new_pcap.permitted);
1404 audit_log_cap(ab, "new_pi", &axs->new_pcap.inheritable);
1405 audit_log_cap(ab, "new_pe", &axs->new_pcap.effective);
1406 break; }
1407
1408 }
1409 audit_log_end(ab);
1410 }
1411
1412 if (context->type)
1413 show_special(context, &call_panic);
1414
1415 if (context->fds[0] >= 0) {
1416 ab = audit_log_start(context, GFP_KERNEL, AUDIT_FD_PAIR);
1417 if (ab) {
1418 audit_log_format(ab, "fd0=%d fd1=%d",
1419 context->fds[0], context->fds[1]);
1420 audit_log_end(ab);
1421 }
1422 }
1423
1424 if (context->sockaddr_len) {
1425 ab = audit_log_start(context, GFP_KERNEL, AUDIT_SOCKADDR);
1426 if (ab) {
1427 audit_log_format(ab, "saddr=");
1428 audit_log_n_hex(ab, (void *)context->sockaddr,
1429 context->sockaddr_len);
1430 audit_log_end(ab);
1431 }
1432 }
1433
1434 for (aux = context->aux_pids; aux; aux = aux->next) {
1435 struct audit_aux_data_pids *axs = (void *)aux;
1436
1437 for (i = 0; i < axs->pid_count; i++)
1438 if (audit_log_pid_context(context, axs->target_pid[i],
1439 axs->target_auid[i],
1440 axs->target_uid[i],
1441 axs->target_sessionid[i],
1442 axs->target_sid[i],
1443 axs->target_comm[i]))
1444 call_panic = 1;
1445 }
1446
1447 if (context->target_pid &&
1448 audit_log_pid_context(context, context->target_pid,
1449 context->target_auid, context->target_uid,
1450 context->target_sessionid,
1451 context->target_sid, context->target_comm))
1452 call_panic = 1;
1453
1454 if (context->pwd.dentry && context->pwd.mnt) {
1455 ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD);
1456 if (ab) {
1457 audit_log_d_path(ab, " cwd=", &context->pwd);
1458 audit_log_end(ab);
1459 }
1460 }
1461
1462 i = 0;
1463 list_for_each_entry(n, &context->names_list, list) {
1464 if (n->hidden)
1465 continue;
1466 audit_log_name(context, n, NULL, i++, &call_panic);
1467 }
1468
1469 audit_log_proctitle(tsk, context);
1470
1471
1472 ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE);
1473 if (ab)
1474 audit_log_end(ab);
1475 if (call_panic)
1476 audit_panic("error converting sid to string");
1477}
1478
1479
1480
1481
1482
1483
1484
1485void __audit_free(struct task_struct *tsk)
1486{
1487 struct audit_context *context;
1488
1489 context = audit_take_context(tsk, 0, 0);
1490 if (!context)
1491 return;
1492
1493
1494
1495
1496
1497
1498 if (context->in_syscall && context->current_state == AUDIT_RECORD_CONTEXT)
1499 audit_log_exit(context, tsk);
1500 if (!list_empty(&context->killed_trees))
1501 audit_kill_trees(&context->killed_trees);
1502
1503 audit_free_context(context);
1504}
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523void __audit_syscall_entry(int arch, int major,
1524 unsigned long a1, unsigned long a2,
1525 unsigned long a3, unsigned long a4)
1526{
1527 struct task_struct *tsk = current;
1528 struct audit_context *context = tsk->audit_context;
1529 enum audit_state state;
1530
1531 if (!context)
1532 return;
1533
1534 BUG_ON(context->in_syscall || context->name_count);
1535
1536 if (!audit_enabled)
1537 return;
1538
1539 context->arch = arch;
1540 context->major = major;
1541 context->argv[0] = a1;
1542 context->argv[1] = a2;
1543 context->argv[2] = a3;
1544 context->argv[3] = a4;
1545
1546 state = context->state;
1547 context->dummy = !audit_n_rules;
1548 if (!context->dummy && state == AUDIT_BUILD_CONTEXT) {
1549 context->prio = 0;
1550 state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_ENTRY]);
1551 }
1552 if (state == AUDIT_DISABLED)
1553 return;
1554
1555 context->serial = 0;
1556 context->ctime = CURRENT_TIME;
1557 context->in_syscall = 1;
1558 context->current_state = state;
1559 context->ppid = 0;
1560}
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573void __audit_syscall_exit(int success, long return_code)
1574{
1575 struct task_struct *tsk = current;
1576 struct audit_context *context;
1577
1578 if (success)
1579 success = AUDITSC_SUCCESS;
1580 else
1581 success = AUDITSC_FAILURE;
1582
1583 context = audit_take_context(tsk, success, return_code);
1584 if (!context)
1585 return;
1586
1587 if (context->in_syscall && context->current_state == AUDIT_RECORD_CONTEXT)
1588 audit_log_exit(context, tsk);
1589
1590 context->in_syscall = 0;
1591 context->prio = context->state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0;
1592
1593 if (!list_empty(&context->killed_trees))
1594 audit_kill_trees(&context->killed_trees);
1595
1596 audit_free_names(context);
1597 unroll_tree_refs(context, NULL, 0);
1598 audit_free_aux(context);
1599 context->aux = NULL;
1600 context->aux_pids = NULL;
1601 context->target_pid = 0;
1602 context->target_sid = 0;
1603 context->sockaddr_len = 0;
1604 context->type = 0;
1605 context->fds[0] = -1;
1606 if (context->state != AUDIT_RECORD_CONTEXT) {
1607 kfree(context->filterkey);
1608 context->filterkey = NULL;
1609 }
1610 tsk->audit_context = context;
1611}
1612
1613static inline void handle_one(const struct inode *inode)
1614{
1615#ifdef CONFIG_AUDIT_TREE
1616 struct audit_context *context;
1617 struct audit_tree_refs *p;
1618 struct audit_chunk *chunk;
1619 int count;
1620 if (likely(hlist_empty(&inode->i_fsnotify_marks)))
1621 return;
1622 context = current->audit_context;
1623 p = context->trees;
1624 count = context->tree_count;
1625 rcu_read_lock();
1626 chunk = audit_tree_lookup(inode);
1627 rcu_read_unlock();
1628 if (!chunk)
1629 return;
1630 if (likely(put_tree_ref(context, chunk)))
1631 return;
1632 if (unlikely(!grow_tree_refs(context))) {
1633 pr_warn("out of memory, audit has lost a tree reference\n");
1634 audit_set_auditable(context);
1635 audit_put_chunk(chunk);
1636 unroll_tree_refs(context, p, count);
1637 return;
1638 }
1639 put_tree_ref(context, chunk);
1640#endif
1641}
1642
1643static void handle_path(const struct dentry *dentry)
1644{
1645#ifdef CONFIG_AUDIT_TREE
1646 struct audit_context *context;
1647 struct audit_tree_refs *p;
1648 const struct dentry *d, *parent;
1649 struct audit_chunk *drop;
1650 unsigned long seq;
1651 int count;
1652
1653 context = current->audit_context;
1654 p = context->trees;
1655 count = context->tree_count;
1656retry:
1657 drop = NULL;
1658 d = dentry;
1659 rcu_read_lock();
1660 seq = read_seqbegin(&rename_lock);
1661 for(;;) {
1662 struct inode *inode = d->d_inode;
1663 if (inode && unlikely(!hlist_empty(&inode->i_fsnotify_marks))) {
1664 struct audit_chunk *chunk;
1665 chunk = audit_tree_lookup(inode);
1666 if (chunk) {
1667 if (unlikely(!put_tree_ref(context, chunk))) {
1668 drop = chunk;
1669 break;
1670 }
1671 }
1672 }
1673 parent = d->d_parent;
1674 if (parent == d)
1675 break;
1676 d = parent;
1677 }
1678 if (unlikely(read_seqretry(&rename_lock, seq) || drop)) {
1679 rcu_read_unlock();
1680 if (!drop) {
1681
1682 unroll_tree_refs(context, p, count);
1683 goto retry;
1684 }
1685 audit_put_chunk(drop);
1686 if (grow_tree_refs(context)) {
1687
1688 unroll_tree_refs(context, p, count);
1689 goto retry;
1690 }
1691
1692 pr_warn("out of memory, audit has lost a tree reference\n");
1693 unroll_tree_refs(context, p, count);
1694 audit_set_auditable(context);
1695 return;
1696 }
1697 rcu_read_unlock();
1698#endif
1699}
1700
1701static struct audit_names *audit_alloc_name(struct audit_context *context,
1702 unsigned char type)
1703{
1704 struct audit_names *aname;
1705
1706 if (context->name_count < AUDIT_NAMES) {
1707 aname = &context->preallocated_names[context->name_count];
1708 memset(aname, 0, sizeof(*aname));
1709 } else {
1710 aname = kzalloc(sizeof(*aname), GFP_NOFS);
1711 if (!aname)
1712 return NULL;
1713 aname->should_free = true;
1714 }
1715
1716 aname->ino = (unsigned long)-1;
1717 aname->type = type;
1718 list_add_tail(&aname->list, &context->names_list);
1719
1720 context->name_count++;
1721#if AUDIT_DEBUG
1722 context->ino_count++;
1723#endif
1724 return aname;
1725}
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735struct filename *
1736__audit_reusename(const __user char *uptr)
1737{
1738 struct audit_context *context = current->audit_context;
1739 struct audit_names *n;
1740
1741 list_for_each_entry(n, &context->names_list, list) {
1742 if (!n->name)
1743 continue;
1744 if (n->name->uptr == uptr)
1745 return n->name;
1746 }
1747 return NULL;
1748}
1749
1750
1751
1752
1753
1754
1755
1756
1757void __audit_getname(struct filename *name)
1758{
1759 struct audit_context *context = current->audit_context;
1760 struct audit_names *n;
1761
1762 if (!context->in_syscall) {
1763#if AUDIT_DEBUG == 2
1764 pr_err("%s:%d(:%d): ignoring getname(%p)\n",
1765 __FILE__, __LINE__, context->serial, name);
1766 dump_stack();
1767#endif
1768 return;
1769 }
1770
1771#if AUDIT_DEBUG
1772
1773 BUG_ON(!name->name);
1774#endif
1775
1776 n = audit_alloc_name(context, AUDIT_TYPE_UNKNOWN);
1777 if (!n)
1778 return;
1779
1780 n->name = name;
1781 n->name_len = AUDIT_NAME_FULL;
1782 n->name_put = true;
1783 name->aname = n;
1784
1785 if (!context->pwd.dentry)
1786 get_fs_pwd(current->fs, &context->pwd);
1787}
1788
1789
1790
1791
1792
1793
1794
1795
1796void audit_putname(struct filename *name)
1797{
1798 struct audit_context *context = current->audit_context;
1799
1800 BUG_ON(!context);
1801 if (!name->aname || !context->in_syscall) {
1802#if AUDIT_DEBUG == 2
1803 pr_err("%s:%d(:%d): final_putname(%p)\n",
1804 __FILE__, __LINE__, context->serial, name);
1805 if (context->name_count) {
1806 struct audit_names *n;
1807 int i = 0;
1808
1809 list_for_each_entry(n, &context->names_list, list)
1810 pr_err("name[%d] = %p = %s\n", i++, n->name,
1811 n->name->name ?: "(null)");
1812 }
1813#endif
1814 final_putname(name);
1815 }
1816#if AUDIT_DEBUG
1817 else {
1818 ++context->put_count;
1819 if (context->put_count > context->name_count) {
1820 pr_err("%s:%d(:%d): major=%d in_syscall=%d putname(%p)"
1821 " name_count=%d put_count=%d\n",
1822 __FILE__, __LINE__,
1823 context->serial, context->major,
1824 context->in_syscall, name->name,
1825 context->name_count, context->put_count);
1826 dump_stack();
1827 }
1828 }
1829#endif
1830}
1831
1832
1833
1834
1835
1836
1837
1838void __audit_inode(struct filename *name, const struct dentry *dentry,
1839 unsigned int flags)
1840{
1841 struct audit_context *context = current->audit_context;
1842 const struct inode *inode = dentry->d_inode;
1843 struct audit_names *n;
1844 bool parent = flags & AUDIT_INODE_PARENT;
1845
1846 if (!context->in_syscall)
1847 return;
1848
1849 if (!name)
1850 goto out_alloc;
1851
1852#if AUDIT_DEBUG
1853
1854 BUG_ON(!name->name);
1855#endif
1856
1857
1858
1859
1860 n = name->aname;
1861 if (n) {
1862 if (parent) {
1863 if (n->type == AUDIT_TYPE_PARENT ||
1864 n->type == AUDIT_TYPE_UNKNOWN)
1865 goto out;
1866 } else {
1867 if (n->type != AUDIT_TYPE_PARENT)
1868 goto out;
1869 }
1870 }
1871
1872 list_for_each_entry_reverse(n, &context->names_list, list) {
1873
1874 if (!n->name || n->name->name != name->name)
1875 continue;
1876
1877
1878 if (parent) {
1879 if (n->type == AUDIT_TYPE_PARENT ||
1880 n->type == AUDIT_TYPE_UNKNOWN)
1881 goto out;
1882 } else {
1883 if (n->type != AUDIT_TYPE_PARENT)
1884 goto out;
1885 }
1886 }
1887
1888out_alloc:
1889
1890
1891
1892 n = audit_alloc_name(context, AUDIT_TYPE_NORMAL);
1893 if (!n)
1894 return;
1895out:
1896 if (parent) {
1897 n->name_len = n->name ? parent_len(n->name->name) : AUDIT_NAME_FULL;
1898 n->type = AUDIT_TYPE_PARENT;
1899 if (flags & AUDIT_INODE_HIDDEN)
1900 n->hidden = true;
1901 } else {
1902 n->name_len = AUDIT_NAME_FULL;
1903 n->type = AUDIT_TYPE_NORMAL;
1904 }
1905 handle_path(dentry);
1906 audit_copy_inode(n, dentry, inode);
1907}
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923void __audit_inode_child(const struct inode *parent,
1924 const struct dentry *dentry,
1925 const unsigned char type)
1926{
1927 struct audit_context *context = current->audit_context;
1928 const struct inode *inode = dentry->d_inode;
1929 const char *dname = dentry->d_name.name;
1930 struct audit_names *n, *found_parent = NULL, *found_child = NULL;
1931
1932 if (!context->in_syscall)
1933 return;
1934
1935 if (inode)
1936 handle_one(inode);
1937
1938
1939 list_for_each_entry(n, &context->names_list, list) {
1940 if (!n->name || n->type != AUDIT_TYPE_PARENT)
1941 continue;
1942
1943 if (n->ino == parent->i_ino &&
1944 !audit_compare_dname_path(dname, n->name->name, n->name_len)) {
1945 found_parent = n;
1946 break;
1947 }
1948 }
1949
1950
1951 list_for_each_entry(n, &context->names_list, list) {
1952
1953 if (!n->name || n->type != type)
1954 continue;
1955
1956
1957 if (found_parent && (n->name != found_parent->name))
1958 continue;
1959
1960 if (!strcmp(dname, n->name->name) ||
1961 !audit_compare_dname_path(dname, n->name->name,
1962 found_parent ?
1963 found_parent->name_len :
1964 AUDIT_NAME_FULL)) {
1965 found_child = n;
1966 break;
1967 }
1968 }
1969
1970 if (!found_parent) {
1971
1972 n = audit_alloc_name(context, AUDIT_TYPE_PARENT);
1973 if (!n)
1974 return;
1975 audit_copy_inode(n, NULL, parent);
1976 }
1977
1978 if (!found_child) {
1979 found_child = audit_alloc_name(context, type);
1980 if (!found_child)
1981 return;
1982
1983
1984
1985
1986 if (found_parent) {
1987 found_child->name = found_parent->name;
1988 found_child->name_len = AUDIT_NAME_FULL;
1989
1990 found_child->name_put = false;
1991 }
1992 }
1993 if (inode)
1994 audit_copy_inode(found_child, dentry, inode);
1995 else
1996 found_child->ino = (unsigned long)-1;
1997}
1998EXPORT_SYMBOL_GPL(__audit_inode_child);
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008int auditsc_get_stamp(struct audit_context *ctx,
2009 struct timespec *t, unsigned int *serial)
2010{
2011 if (!ctx->in_syscall)
2012 return 0;
2013 if (!ctx->serial)
2014 ctx->serial = audit_serial();
2015 t->tv_sec = ctx->ctime.tv_sec;
2016 t->tv_nsec = ctx->ctime.tv_nsec;
2017 *serial = ctx->serial;
2018 if (!ctx->prio) {
2019 ctx->prio = 1;
2020 ctx->current_state = AUDIT_RECORD_CONTEXT;
2021 }
2022 return 1;
2023}
2024
2025
2026static atomic_t session_id = ATOMIC_INIT(0);
2027
2028static int audit_set_loginuid_perm(kuid_t loginuid)
2029{
2030
2031 if (!audit_loginuid_set(current))
2032 return 0;
2033
2034 if (is_audit_feature_set(AUDIT_FEATURE_LOGINUID_IMMUTABLE))
2035 return -EPERM;
2036
2037 if (!capable(CAP_AUDIT_CONTROL))
2038 return -EPERM;
2039
2040 if (is_audit_feature_set(AUDIT_FEATURE_ONLY_UNSET_LOGINUID) && uid_valid(loginuid))
2041 return -EPERM;
2042 return 0;
2043}
2044
2045static void audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid,
2046 unsigned int oldsessionid, unsigned int sessionid,
2047 int rc)
2048{
2049 struct audit_buffer *ab;
2050 uid_t uid, oldloginuid, loginuid;
2051
2052 if (!audit_enabled)
2053 return;
2054
2055 uid = from_kuid(&init_user_ns, task_uid(current));
2056 oldloginuid = from_kuid(&init_user_ns, koldloginuid);
2057 loginuid = from_kuid(&init_user_ns, kloginuid),
2058
2059 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN);
2060 if (!ab)
2061 return;
2062 audit_log_format(ab, "pid=%d uid=%u", task_pid_nr(current), uid);
2063 audit_log_task_context(ab);
2064 audit_log_format(ab, " old-auid=%u auid=%u old-ses=%u ses=%u res=%d",
2065 oldloginuid, loginuid, oldsessionid, sessionid, !rc);
2066 audit_log_end(ab);
2067}
2068
2069
2070
2071
2072
2073
2074
2075
2076
2077int audit_set_loginuid(kuid_t loginuid)
2078{
2079 struct task_struct *task = current;
2080 unsigned int oldsessionid, sessionid = (unsigned int)-1;
2081 kuid_t oldloginuid;
2082 int rc;
2083
2084 oldloginuid = audit_get_loginuid(current);
2085 oldsessionid = audit_get_sessionid(current);
2086
2087 rc = audit_set_loginuid_perm(loginuid);
2088 if (rc)
2089 goto out;
2090
2091
2092 if (uid_valid(loginuid))
2093 sessionid = (unsigned int)atomic_inc_return(&session_id);
2094
2095 task->sessionid = sessionid;
2096 task->loginuid = loginuid;
2097out:
2098 audit_log_set_loginuid(oldloginuid, loginuid, oldsessionid, sessionid, rc);
2099 return rc;
2100}
2101
2102
2103
2104
2105
2106
2107
2108
2109void __audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr)
2110{
2111 struct audit_context *context = current->audit_context;
2112
2113 if (attr)
2114 memcpy(&context->mq_open.attr, attr, sizeof(struct mq_attr));
2115 else
2116 memset(&context->mq_open.attr, 0, sizeof(struct mq_attr));
2117
2118 context->mq_open.oflag = oflag;
2119 context->mq_open.mode = mode;
2120
2121 context->type = AUDIT_MQ_OPEN;
2122}
2123
2124
2125
2126
2127
2128
2129
2130
2131
2132void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio,
2133 const struct timespec *abs_timeout)
2134{
2135 struct audit_context *context = current->audit_context;
2136 struct timespec *p = &context->mq_sendrecv.abs_timeout;
2137
2138 if (abs_timeout)
2139 memcpy(p, abs_timeout, sizeof(struct timespec));
2140 else
2141 memset(p, 0, sizeof(struct timespec));
2142
2143 context->mq_sendrecv.mqdes = mqdes;
2144 context->mq_sendrecv.msg_len = msg_len;
2145 context->mq_sendrecv.msg_prio = msg_prio;
2146
2147 context->type = AUDIT_MQ_SENDRECV;
2148}
2149
2150
2151
2152
2153
2154
2155
2156
2157void __audit_mq_notify(mqd_t mqdes, const struct sigevent *notification)
2158{
2159 struct audit_context *context = current->audit_context;
2160
2161 if (notification)
2162 context->mq_notify.sigev_signo = notification->sigev_signo;
2163 else
2164 context->mq_notify.sigev_signo = 0;
2165
2166 context->mq_notify.mqdes = mqdes;
2167 context->type = AUDIT_MQ_NOTIFY;
2168}
2169
2170
2171
2172
2173
2174
2175
2176void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat)
2177{
2178 struct audit_context *context = current->audit_context;
2179 context->mq_getsetattr.mqdes = mqdes;
2180 context->mq_getsetattr.mqstat = *mqstat;
2181 context->type = AUDIT_MQ_GETSETATTR;
2182}
2183
2184
2185
2186
2187
2188
2189void __audit_ipc_obj(struct kern_ipc_perm *ipcp)
2190{
2191 struct audit_context *context = current->audit_context;
2192 context->ipc.uid = ipcp->uid;
2193 context->ipc.gid = ipcp->gid;
2194 context->ipc.mode = ipcp->mode;
2195 context->ipc.has_perm = 0;
2196 security_ipc_getsecid(ipcp, &context->ipc.osid);
2197 context->type = AUDIT_IPC;
2198}
2199
2200
2201
2202
2203
2204
2205
2206
2207
2208
2209void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode)
2210{
2211 struct audit_context *context = current->audit_context;
2212
2213 context->ipc.qbytes = qbytes;
2214 context->ipc.perm_uid = uid;
2215 context->ipc.perm_gid = gid;
2216 context->ipc.perm_mode = mode;
2217 context->ipc.has_perm = 1;
2218}
2219
2220void __audit_bprm(struct linux_binprm *bprm)
2221{
2222 struct audit_context *context = current->audit_context;
2223
2224 context->type = AUDIT_EXECVE;
2225 context->execve.argc = bprm->argc;
2226}
2227
2228
2229
2230
2231
2232
2233
2234
2235int __audit_socketcall(int nargs, unsigned long *args)
2236{
2237 struct audit_context *context = current->audit_context;
2238
2239 if (nargs <= 0 || nargs > AUDITSC_ARGS || !args)
2240 return -EINVAL;
2241 context->type = AUDIT_SOCKETCALL;
2242 context->socketcall.nargs = nargs;
2243 memcpy(context->socketcall.args, args, nargs * sizeof(unsigned long));
2244 return 0;
2245}
2246
2247
2248
2249
2250
2251
2252
2253void __audit_fd_pair(int fd1, int fd2)
2254{
2255 struct audit_context *context = current->audit_context;
2256 context->fds[0] = fd1;
2257 context->fds[1] = fd2;
2258}
2259
2260
2261
2262
2263
2264
2265
2266
2267int __audit_sockaddr(int len, void *a)
2268{
2269 struct audit_context *context = current->audit_context;
2270
2271 if (!context->sockaddr) {
2272 void *p = kmalloc(sizeof(struct sockaddr_storage), GFP_KERNEL);
2273 if (!p)
2274 return -ENOMEM;
2275 context->sockaddr = p;
2276 }
2277
2278 context->sockaddr_len = len;
2279 memcpy(context->sockaddr, a, len);
2280 return 0;
2281}
2282
2283void __audit_ptrace(struct task_struct *t)
2284{
2285 struct audit_context *context = current->audit_context;
2286
2287 context->target_pid = task_pid_nr(t);
2288 context->target_auid = audit_get_loginuid(t);
2289 context->target_uid = task_uid(t);
2290 context->target_sessionid = audit_get_sessionid(t);
2291 security_task_getsecid(t, &context->target_sid);
2292 memcpy(context->target_comm, t->comm, TASK_COMM_LEN);
2293}
2294
2295
2296
2297
2298
2299
2300
2301
2302
2303int __audit_signal_info(int sig, struct task_struct *t)
2304{
2305 struct audit_aux_data_pids *axp;
2306 struct task_struct *tsk = current;
2307 struct audit_context *ctx = tsk->audit_context;
2308 kuid_t uid = current_uid(), t_uid = task_uid(t);
2309
2310 if (audit_pid && t->tgid == audit_pid) {
2311 if (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1 || sig == SIGUSR2) {
2312 audit_sig_pid = task_pid_nr(tsk);
2313 if (uid_valid(tsk->loginuid))
2314 audit_sig_uid = tsk->loginuid;
2315 else
2316 audit_sig_uid = uid;
2317 security_task_getsecid(tsk, &audit_sig_sid);
2318 }
2319 if (!audit_signals || audit_dummy_context())
2320 return 0;
2321 }
2322
2323
2324
2325 if (!ctx->target_pid) {
2326 ctx->target_pid = task_tgid_nr(t);
2327 ctx->target_auid = audit_get_loginuid(t);
2328 ctx->target_uid = t_uid;
2329 ctx->target_sessionid = audit_get_sessionid(t);
2330 security_task_getsecid(t, &ctx->target_sid);
2331 memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN);
2332 return 0;
2333 }
2334
2335 axp = (void *)ctx->aux_pids;
2336 if (!axp || axp->pid_count == AUDIT_AUX_PIDS) {
2337 axp = kzalloc(sizeof(*axp), GFP_ATOMIC);
2338 if (!axp)
2339 return -ENOMEM;
2340
2341 axp->d.type = AUDIT_OBJ_PID;
2342 axp->d.next = ctx->aux_pids;
2343 ctx->aux_pids = (void *)axp;
2344 }
2345 BUG_ON(axp->pid_count >= AUDIT_AUX_PIDS);
2346
2347 axp->target_pid[axp->pid_count] = task_tgid_nr(t);
2348 axp->target_auid[axp->pid_count] = audit_get_loginuid(t);
2349 axp->target_uid[axp->pid_count] = t_uid;
2350 axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t);
2351 security_task_getsecid(t, &axp->target_sid[axp->pid_count]);
2352 memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN);
2353 axp->pid_count++;
2354
2355 return 0;
2356}
2357
2358
2359
2360
2361
2362
2363
2364
2365
2366
2367
2368
2369int __audit_log_bprm_fcaps(struct linux_binprm *bprm,
2370 const struct cred *new, const struct cred *old)
2371{
2372 struct audit_aux_data_bprm_fcaps *ax;
2373 struct audit_context *context = current->audit_context;
2374 struct cpu_vfs_cap_data vcaps;
2375 struct dentry *dentry;
2376
2377 ax = kmalloc(sizeof(*ax), GFP_KERNEL);
2378 if (!ax)
2379 return -ENOMEM;
2380
2381 ax->d.type = AUDIT_BPRM_FCAPS;
2382 ax->d.next = context->aux;
2383 context->aux = (void *)ax;
2384
2385 dentry = dget(bprm->file->f_dentry);
2386 get_vfs_caps_from_disk(dentry, &vcaps);
2387 dput(dentry);
2388
2389 ax->fcap.permitted = vcaps.permitted;
2390 ax->fcap.inheritable = vcaps.inheritable;
2391 ax->fcap.fE = !!(vcaps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE);
2392 ax->fcap_ver = (vcaps.magic_etc & VFS_CAP_REVISION_MASK) >> VFS_CAP_REVISION_SHIFT;
2393
2394 ax->old_pcap.permitted = old->cap_permitted;
2395 ax->old_pcap.inheritable = old->cap_inheritable;
2396 ax->old_pcap.effective = old->cap_effective;
2397
2398 ax->new_pcap.permitted = new->cap_permitted;
2399 ax->new_pcap.inheritable = new->cap_inheritable;
2400 ax->new_pcap.effective = new->cap_effective;
2401 return 0;
2402}
2403
2404
2405
2406
2407
2408
2409
2410
2411
2412void __audit_log_capset(const struct cred *new, const struct cred *old)
2413{
2414 struct audit_context *context = current->audit_context;
2415 context->capset.pid = task_pid_nr(current);
2416 context->capset.cap.effective = new->cap_effective;
2417 context->capset.cap.inheritable = new->cap_effective;
2418 context->capset.cap.permitted = new->cap_permitted;
2419 context->type = AUDIT_CAPSET;
2420}
2421
2422void __audit_mmap_fd(int fd, int flags)
2423{
2424 struct audit_context *context = current->audit_context;
2425 context->mmap.fd = fd;
2426 context->mmap.flags = flags;
2427 context->type = AUDIT_MMAP;
2428}
2429
2430static void audit_log_task(struct audit_buffer *ab)
2431{
2432 kuid_t auid, uid;
2433 kgid_t gid;
2434 unsigned int sessionid;
2435 struct mm_struct *mm = current->mm;
2436
2437 auid = audit_get_loginuid(current);
2438 sessionid = audit_get_sessionid(current);
2439 current_uid_gid(&uid, &gid);
2440
2441 audit_log_format(ab, "auid=%u uid=%u gid=%u ses=%u",
2442 from_kuid(&init_user_ns, auid),
2443 from_kuid(&init_user_ns, uid),
2444 from_kgid(&init_user_ns, gid),
2445 sessionid);
2446 audit_log_task_context(ab);
2447 audit_log_format(ab, " pid=%d comm=", task_pid_nr(current));
2448 audit_log_untrustedstring(ab, current->comm);
2449 if (mm) {
2450 down_read(&mm->mmap_sem);
2451 if (mm->exe_file)
2452 audit_log_d_path(ab, " exe=", &mm->exe_file->f_path);
2453 up_read(&mm->mmap_sem);
2454 } else
2455 audit_log_format(ab, " exe=(null)");
2456}
2457
2458
2459
2460
2461
2462
2463
2464
2465void audit_core_dumps(long signr)
2466{
2467 struct audit_buffer *ab;
2468
2469 if (!audit_enabled)
2470 return;
2471
2472 if (signr == SIGQUIT)
2473 return;
2474
2475 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
2476 if (unlikely(!ab))
2477 return;
2478 audit_log_task(ab);
2479 audit_log_format(ab, " sig=%ld", signr);
2480 audit_log_end(ab);
2481}
2482
2483void __audit_seccomp(unsigned long syscall, long signr, int code)
2484{
2485 struct audit_buffer *ab;
2486
2487 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_SECCOMP);
2488 if (unlikely(!ab))
2489 return;
2490 audit_log_task(ab);
2491 audit_log_format(ab, " sig=%ld", signr);
2492 audit_log_format(ab, " syscall=%ld", syscall);
2493 audit_log_format(ab, " compat=%d", is_compat_task());
2494 audit_log_format(ab, " ip=0x%lx", KSTK_EIP(current));
2495 audit_log_format(ab, " code=0x%x", code);
2496 audit_log_end(ab);
2497}
2498
2499struct list_head *audit_killed_trees(void)
2500{
2501 struct audit_context *ctx = current->audit_context;
2502 if (likely(!ctx || !ctx->in_syscall))
2503 return NULL;
2504 return &ctx->killed_trees;
2505}
2506
