auditsc.c 52.2 KB
Newer Older
1
/* auditsc.c -- System-call auditing support
Linus Torvalds's avatar
Linus Torvalds committed
2
3
4
 * Handles all system-call specific auditing features.
 *
 * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina.
5
 * Copyright 2005 Hewlett-Packard Development Company, L.P.
6
 * Copyright (C) 2005, 2006 IBM Corporation
Linus Torvalds's avatar
Linus Torvalds committed
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
 * All Rights Reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 *
 * Written by Rickard E. (Rik) Faith <faith@redhat.com>
 *
 * Many of the ideas implemented here are from Stephen C. Tweedie,
 * especially the idea of avoiding a copy by using getname.
 *
 * The method for actual interception of syscall entry and exit (not in
 * this file -- see entry.S) is based on a GPL'd patch written by
 * okir@suse.de and Copyright 2003 SuSE Linux AG.
 *
32
33
34
 * POSIX message queue support added by George Wilson <ltcgcw@us.ibm.com>,
 * 2006.
 *
35
36
37
 * The support of additional filter rules compares (>, <, >=, <=) was
 * added by Dustin Kirkland <dustin.kirkland@us.ibm.com>, 2005.
 *
38
39
 * Modified by Amy Griffis <amy.griffis@hp.com> to collect additional
 * filesystem information.
40
41
42
 *
 * Subject and object context labeling support added by <danjones@us.ibm.com>
 * and <dustin.kirkland@us.ibm.com> for LSPP certification compliance.
Linus Torvalds's avatar
Linus Torvalds committed
43
44
45
46
 */

#include <linux/init.h>
#include <asm/types.h>
47
#include <asm/atomic.h>
48
49
50
#include <asm/types.h>
#include <linux/fs.h>
#include <linux/namei.h>
Linus Torvalds's avatar
Linus Torvalds committed
51
52
#include <linux/mm.h>
#include <linux/module.h>
53
#include <linux/mount.h>
54
#include <linux/socket.h>
55
#include <linux/mqueue.h>
Linus Torvalds's avatar
Linus Torvalds committed
56
57
58
#include <linux/audit.h>
#include <linux/personality.h>
#include <linux/time.h>
59
#include <linux/netlink.h>
60
#include <linux/compiler.h>
Linus Torvalds's avatar
Linus Torvalds committed
61
#include <asm/unistd.h>
62
#include <linux/security.h>
63
#include <linux/list.h>
64
#include <linux/tty.h>
65
#include <linux/selinux.h>
Al Viro's avatar
Al Viro committed
66
#include <linux/binfmts.h>
67
#include <linux/highmem.h>
Al Viro's avatar
Al Viro committed
68
#include <linux/syscalls.h>
Linus Torvalds's avatar
Linus Torvalds committed
69

70
#include "audit.h"
Linus Torvalds's avatar
Linus Torvalds committed
71

72
extern struct list_head audit_filter_list[];
Linus Torvalds's avatar
Linus Torvalds committed
73
74
75
76
77
78
79
80

/* No syscall auditing will take place unless audit_enabled != 0. */
extern int audit_enabled;

/* AUDIT_NAMES is the number of slots we reserve in the audit_context
 * for saving names from getname(). */
#define AUDIT_NAMES    20

81
82
83
/* Indicates that audit should log the full pathname. */
#define AUDIT_NAME_FULL -1

84
85
86
/* number of audit rules */
int audit_n_rules;

Amy Griffis's avatar
Amy Griffis committed
87
88
89
/* determines whether we collect data for signals sent */
int audit_signals;

Linus Torvalds's avatar
Linus Torvalds committed
90
91
92
93
94
95
96
/* When fs/namei.c:getname() is called, we store the pointer in name and
 * we don't let putname() free it (instead we free all of the saved
 * pointers at syscall exit time).
 *
 * Further, in fs/namei.c:path_lookup() we store the inode and device. */
struct audit_names {
	const char	*name;
97
98
	int		name_len;	/* number of name's characters to log */
	unsigned	name_put;	/* call __putname() for this name */
Linus Torvalds's avatar
Linus Torvalds committed
99
100
101
102
103
104
	unsigned long	ino;
	dev_t		dev;
	umode_t		mode;
	uid_t		uid;
	gid_t		gid;
	dev_t		rdev;
Steve Grubb's avatar
Steve Grubb committed
105
	u32		osid;
Linus Torvalds's avatar
Linus Torvalds committed
106
107
108
109
110
111
112
113
114
};

struct audit_aux_data {
	struct audit_aux_data	*next;
	int			type;
};

#define AUDIT_AUX_IPCPERM	0

Amy Griffis's avatar
Amy Griffis committed
115
116
117
/* Number of target pids per aux struct. */
#define AUDIT_AUX_PIDS	16

118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
struct audit_aux_data_mq_open {
	struct audit_aux_data	d;
	int			oflag;
	mode_t			mode;
	struct mq_attr		attr;
};

struct audit_aux_data_mq_sendrecv {
	struct audit_aux_data	d;
	mqd_t			mqdes;
	size_t			msg_len;
	unsigned int		msg_prio;
	struct timespec		abs_timeout;
};

struct audit_aux_data_mq_notify {
	struct audit_aux_data	d;
	mqd_t			mqdes;
	struct sigevent 	notification;
};

struct audit_aux_data_mq_getsetattr {
	struct audit_aux_data	d;
	mqd_t			mqdes;
	struct mq_attr 		mqstat;
};

Linus Torvalds's avatar
Linus Torvalds committed
145
146
147
148
149
150
151
struct audit_aux_data_ipcctl {
	struct audit_aux_data	d;
	struct ipc_perm		p;
	unsigned long		qbytes;
	uid_t			uid;
	gid_t			gid;
	mode_t			mode;
Steve Grubb's avatar
Steve Grubb committed
152
	u32			osid;
Linus Torvalds's avatar
Linus Torvalds committed
153
154
};

Al Viro's avatar
Al Viro committed
155
156
157
158
159
160
161
struct audit_aux_data_execve {
	struct audit_aux_data	d;
	int argc;
	int envc;
	char mem[0];
};

162
163
164
165
166
167
168
169
170
171
172
173
struct audit_aux_data_socketcall {
	struct audit_aux_data	d;
	int			nargs;
	unsigned long		args[0];
};

struct audit_aux_data_sockaddr {
	struct audit_aux_data	d;
	int			len;
	char			a[0];
};

Al Viro's avatar
Al Viro committed
174
175
176
177
178
struct audit_aux_data_fd_pair {
	struct	audit_aux_data d;
	int	fd[2];
};

179
180
181
182
183
struct audit_aux_data_path {
	struct audit_aux_data	d;
	struct dentry		*dentry;
	struct vfsmount		*mnt;
};
Linus Torvalds's avatar
Linus Torvalds committed
184

Amy Griffis's avatar
Amy Griffis committed
185
186
187
188
189
190
191
struct audit_aux_data_pids {
	struct audit_aux_data	d;
	pid_t			target_pid[AUDIT_AUX_PIDS];
	u32			target_sid[AUDIT_AUX_PIDS];
	int			pid_count;
};

Linus Torvalds's avatar
Linus Torvalds committed
192
193
/* The per-task audit context. */
struct audit_context {
194
	int		    dummy;	/* must be the first element */
Linus Torvalds's avatar
Linus Torvalds committed
195
196
197
198
199
200
201
202
	int		    in_syscall;	/* 1 if task is in a syscall */
	enum audit_state    state;
	unsigned int	    serial;     /* serial number for record */
	struct timespec	    ctime;      /* time of syscall entry */
	uid_t		    loginuid;   /* login uid (identity) */
	int		    major;      /* syscall number */
	unsigned long	    argv[4];    /* syscall arguments */
	int		    return_valid; /* return code is valid */
203
	long		    return_code;/* syscall return code */
Linus Torvalds's avatar
Linus Torvalds committed
204
205
206
	int		    auditable;  /* 1 if record should be written */
	int		    name_count;
	struct audit_names  names[AUDIT_NAMES];
Amy Griffis's avatar
Amy Griffis committed
207
	char *		    filterkey;	/* key for rule that triggered record */
208
209
	struct dentry *	    pwd;
	struct vfsmount *   pwdmnt;
Linus Torvalds's avatar
Linus Torvalds committed
210
211
	struct audit_context *previous; /* For nested syscalls */
	struct audit_aux_data *aux;
Amy Griffis's avatar
Amy Griffis committed
212
	struct audit_aux_data *aux_pids;
Linus Torvalds's avatar
Linus Torvalds committed
213
214

				/* Save things to print about task_struct */
Al Viro's avatar
Al Viro committed
215
	pid_t		    pid, ppid;
Linus Torvalds's avatar
Linus Torvalds committed
216
217
218
	uid_t		    uid, euid, suid, fsuid;
	gid_t		    gid, egid, sgid, fsgid;
	unsigned long	    personality;
219
	int		    arch;
Linus Torvalds's avatar
Linus Torvalds committed
220

Al Viro's avatar
Al Viro committed
221
222
223
	pid_t		    target_pid;
	u32		    target_sid;

Linus Torvalds's avatar
Linus Torvalds committed
224
225
226
227
228
229
#if AUDIT_DEBUG
	int		    put_count;
	int		    ino_count;
#endif
};

Al Viro's avatar
Al Viro committed
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
#define ACC_MODE(x) ("\004\002\006\006"[(x)&O_ACCMODE])
static inline int open_arg(int flags, int mask)
{
	int n = ACC_MODE(flags);
	if (flags & (O_TRUNC | O_CREAT))
		n |= AUDIT_PERM_WRITE;
	return n & mask;
}

static int audit_match_perm(struct audit_context *ctx, int mask)
{
	unsigned n = ctx->major;
	switch (audit_classify_syscall(ctx->arch, n)) {
	case 0:	/* native */
		if ((mask & AUDIT_PERM_WRITE) &&
		     audit_match_class(AUDIT_CLASS_WRITE, n))
			return 1;
		if ((mask & AUDIT_PERM_READ) &&
		     audit_match_class(AUDIT_CLASS_READ, n))
			return 1;
		if ((mask & AUDIT_PERM_ATTR) &&
		     audit_match_class(AUDIT_CLASS_CHATTR, n))
			return 1;
		return 0;
	case 1: /* 32bit on biarch */
		if ((mask & AUDIT_PERM_WRITE) &&
		     audit_match_class(AUDIT_CLASS_WRITE_32, n))
			return 1;
		if ((mask & AUDIT_PERM_READ) &&
		     audit_match_class(AUDIT_CLASS_READ_32, n))
			return 1;
		if ((mask & AUDIT_PERM_ATTR) &&
		     audit_match_class(AUDIT_CLASS_CHATTR_32, n))
			return 1;
		return 0;
	case 2: /* open */
		return mask & ACC_MODE(ctx->argv[1]);
	case 3: /* openat */
		return mask & ACC_MODE(ctx->argv[2]);
	case 4: /* socketcall */
		return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND);
	case 5: /* execve */
		return mask & AUDIT_PERM_EXEC;
	default:
		return 0;
	}
}

Amy Griffis's avatar
Amy Griffis committed
278
/* Determine if any context name data matches a rule's watch data */
Linus Torvalds's avatar
Linus Torvalds committed
279
280
281
/* Compare a task_struct with an audit_rule.  Return 1 on match, 0
 * otherwise. */
static int audit_filter_rules(struct task_struct *tsk,
282
			      struct audit_krule *rule,
Linus Torvalds's avatar
Linus Torvalds committed
283
			      struct audit_context *ctx,
Amy Griffis's avatar
Amy Griffis committed
284
			      struct audit_names *name,
Linus Torvalds's avatar
Linus Torvalds committed
285
286
			      enum audit_state *state)
{
Steve Grubb's avatar
Steve Grubb committed
287
	int i, j, need_sid = 1;
288
289
	u32 sid;

Linus Torvalds's avatar
Linus Torvalds committed
290
	for (i = 0; i < rule->field_count; i++) {
291
		struct audit_field *f = &rule->fields[i];
Linus Torvalds's avatar
Linus Torvalds committed
292
293
		int result = 0;

294
		switch (f->type) {
Linus Torvalds's avatar
Linus Torvalds committed
295
		case AUDIT_PID:
296
			result = audit_comparator(tsk->pid, f->op, f->val);
Linus Torvalds's avatar
Linus Torvalds committed
297
			break;
Al Viro's avatar
Al Viro committed
298
		case AUDIT_PPID:
Alexander Viro's avatar
Alexander Viro committed
299
300
301
			if (ctx) {
				if (!ctx->ppid)
					ctx->ppid = sys_getppid();
Al Viro's avatar
Al Viro committed
302
				result = audit_comparator(ctx->ppid, f->op, f->val);
Alexander Viro's avatar
Alexander Viro committed
303
			}
Al Viro's avatar
Al Viro committed
304
			break;
Linus Torvalds's avatar
Linus Torvalds committed
305
		case AUDIT_UID:
306
			result = audit_comparator(tsk->uid, f->op, f->val);
Linus Torvalds's avatar
Linus Torvalds committed
307
308
			break;
		case AUDIT_EUID:
309
			result = audit_comparator(tsk->euid, f->op, f->val);
Linus Torvalds's avatar
Linus Torvalds committed
310
311
			break;
		case AUDIT_SUID:
312
			result = audit_comparator(tsk->suid, f->op, f->val);
Linus Torvalds's avatar
Linus Torvalds committed
313
314
			break;
		case AUDIT_FSUID:
315
			result = audit_comparator(tsk->fsuid, f->op, f->val);
Linus Torvalds's avatar
Linus Torvalds committed
316
317
			break;
		case AUDIT_GID:
318
			result = audit_comparator(tsk->gid, f->op, f->val);
Linus Torvalds's avatar
Linus Torvalds committed
319
320
			break;
		case AUDIT_EGID:
321
			result = audit_comparator(tsk->egid, f->op, f->val);
Linus Torvalds's avatar
Linus Torvalds committed
322
323
			break;
		case AUDIT_SGID:
324
			result = audit_comparator(tsk->sgid, f->op, f->val);
Linus Torvalds's avatar
Linus Torvalds committed
325
326
			break;
		case AUDIT_FSGID:
327
			result = audit_comparator(tsk->fsgid, f->op, f->val);
Linus Torvalds's avatar
Linus Torvalds committed
328
329
			break;
		case AUDIT_PERS:
330
			result = audit_comparator(tsk->personality, f->op, f->val);
Linus Torvalds's avatar
Linus Torvalds committed
331
			break;
332
		case AUDIT_ARCH:
333
 			if (ctx)
334
				result = audit_comparator(ctx->arch, f->op, f->val);
335
			break;
Linus Torvalds's avatar
Linus Torvalds committed
336
337
338

		case AUDIT_EXIT:
			if (ctx && ctx->return_valid)
339
				result = audit_comparator(ctx->return_code, f->op, f->val);
Linus Torvalds's avatar
Linus Torvalds committed
340
341
			break;
		case AUDIT_SUCCESS:
342
			if (ctx && ctx->return_valid) {
343
344
				if (f->val)
					result = audit_comparator(ctx->return_valid, f->op, AUDITSC_SUCCESS);
345
				else
346
					result = audit_comparator(ctx->return_valid, f->op, AUDITSC_FAILURE);
347
			}
Linus Torvalds's avatar
Linus Torvalds committed
348
349
			break;
		case AUDIT_DEVMAJOR:
Amy Griffis's avatar
Amy Griffis committed
350
351
352
353
			if (name)
				result = audit_comparator(MAJOR(name->dev),
							  f->op, f->val);
			else if (ctx) {
Linus Torvalds's avatar
Linus Torvalds committed
354
				for (j = 0; j < ctx->name_count; j++) {
355
					if (audit_comparator(MAJOR(ctx->names[j].dev),	f->op, f->val)) {
Linus Torvalds's avatar
Linus Torvalds committed
356
357
358
359
360
361
362
						++result;
						break;
					}
				}
			}
			break;
		case AUDIT_DEVMINOR:
Amy Griffis's avatar
Amy Griffis committed
363
364
365
366
			if (name)
				result = audit_comparator(MINOR(name->dev),
							  f->op, f->val);
			else if (ctx) {
Linus Torvalds's avatar
Linus Torvalds committed
367
				for (j = 0; j < ctx->name_count; j++) {
368
					if (audit_comparator(MINOR(ctx->names[j].dev), f->op, f->val)) {
Linus Torvalds's avatar
Linus Torvalds committed
369
370
371
372
373
374
375
						++result;
						break;
					}
				}
			}
			break;
		case AUDIT_INODE:
Amy Griffis's avatar
Amy Griffis committed
376
			if (name)
377
				result = (name->ino == f->val);
Amy Griffis's avatar
Amy Griffis committed
378
			else if (ctx) {
Linus Torvalds's avatar
Linus Torvalds committed
379
				for (j = 0; j < ctx->name_count; j++) {
380
					if (audit_comparator(ctx->names[j].ino, f->op, f->val)) {
Linus Torvalds's avatar
Linus Torvalds committed
381
382
383
384
385
386
						++result;
						break;
					}
				}
			}
			break;
Amy Griffis's avatar
Amy Griffis committed
387
388
389
		case AUDIT_WATCH:
			if (name && rule->watch->ino != (unsigned long)-1)
				result = (name->dev == rule->watch->dev &&
390
					  name->ino == rule->watch->ino);
Amy Griffis's avatar
Amy Griffis committed
391
			break;
Linus Torvalds's avatar
Linus Torvalds committed
392
393
394
		case AUDIT_LOGINUID:
			result = 0;
			if (ctx)
395
				result = audit_comparator(ctx->loginuid, f->op, f->val);
Linus Torvalds's avatar
Linus Torvalds committed
396
			break;
397
398
399
400
401
		case AUDIT_SUBJ_USER:
		case AUDIT_SUBJ_ROLE:
		case AUDIT_SUBJ_TYPE:
		case AUDIT_SUBJ_SEN:
		case AUDIT_SUBJ_CLR:
402
403
404
405
406
			/* NOTE: this may return negative values indicating
			   a temporary error.  We simply treat this as a
			   match for now to avoid losing information that
			   may be wanted.   An error message will also be
			   logged upon error */
Steve Grubb's avatar
Steve Grubb committed
407
408
			if (f->se_rule) {
				if (need_sid) {
409
					selinux_get_task_sid(tsk, &sid);
Steve Grubb's avatar
Steve Grubb committed
410
411
					need_sid = 0;
				}
412
413
414
415
				result = selinux_audit_rule_match(sid, f->type,
				                                  f->op,
				                                  f->se_rule,
				                                  ctx);
Steve Grubb's avatar
Steve Grubb committed
416
			}
417
			break;
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
		case AUDIT_OBJ_USER:
		case AUDIT_OBJ_ROLE:
		case AUDIT_OBJ_TYPE:
		case AUDIT_OBJ_LEV_LOW:
		case AUDIT_OBJ_LEV_HIGH:
			/* The above note for AUDIT_SUBJ_USER...AUDIT_SUBJ_CLR
			   also applies here */
			if (f->se_rule) {
				/* Find files that match */
				if (name) {
					result = selinux_audit_rule_match(
					           name->osid, f->type, f->op,
					           f->se_rule, ctx);
				} else if (ctx) {
					for (j = 0; j < ctx->name_count; j++) {
						if (selinux_audit_rule_match(
						      ctx->names[j].osid,
						      f->type, f->op,
						      f->se_rule, ctx)) {
							++result;
							break;
						}
					}
				}
				/* Find ipc objects that match */
				if (ctx) {
					struct audit_aux_data *aux;
					for (aux = ctx->aux; aux;
					     aux = aux->next) {
						if (aux->type == AUDIT_IPC) {
							struct audit_aux_data_ipcctl *axi = (void *)aux;
							if (selinux_audit_rule_match(axi->osid, f->type, f->op, f->se_rule, ctx)) {
								++result;
								break;
							}
						}
					}
				}
			}
			break;
Linus Torvalds's avatar
Linus Torvalds committed
458
459
460
461
462
		case AUDIT_ARG0:
		case AUDIT_ARG1:
		case AUDIT_ARG2:
		case AUDIT_ARG3:
			if (ctx)
463
				result = audit_comparator(ctx->argv[f->type-AUDIT_ARG0], f->op, f->val);
Linus Torvalds's avatar
Linus Torvalds committed
464
			break;
Amy Griffis's avatar
Amy Griffis committed
465
466
467
468
		case AUDIT_FILTERKEY:
			/* ignore this field for filtering */
			result = 1;
			break;
Al Viro's avatar
Al Viro committed
469
470
471
		case AUDIT_PERM:
			result = audit_match_perm(ctx, f->val);
			break;
Linus Torvalds's avatar
Linus Torvalds committed
472
473
474
475
476
		}

		if (!result)
			return 0;
	}
Amy Griffis's avatar
Amy Griffis committed
477
478
	if (rule->filterkey)
		ctx->filterkey = kstrdup(rule->filterkey, GFP_ATOMIC);
Linus Torvalds's avatar
Linus Torvalds committed
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
	switch (rule->action) {
	case AUDIT_NEVER:    *state = AUDIT_DISABLED;	    break;
	case AUDIT_ALWAYS:   *state = AUDIT_RECORD_CONTEXT; break;
	}
	return 1;
}

/* At process creation time, we can determine if system-call auditing is
 * completely disabled for this task.  Since we only have the task
 * structure at this point, we can only check uid and gid.
 */
static enum audit_state audit_filter_task(struct task_struct *tsk)
{
	struct audit_entry *e;
	enum audit_state   state;

	rcu_read_lock();
496
	list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TASK], list) {
Amy Griffis's avatar
Amy Griffis committed
497
		if (audit_filter_rules(tsk, &e->rule, NULL, NULL, &state)) {
Linus Torvalds's avatar
Linus Torvalds committed
498
499
500
501
502
503
504
505
506
507
			rcu_read_unlock();
			return state;
		}
	}
	rcu_read_unlock();
	return AUDIT_BUILD_CONTEXT;
}

/* At syscall entry and exit time, this filter is called if the
 * audit_state is not low enough that auditing cannot take place, but is
Steve Grubb's avatar
Steve Grubb committed
508
 * also not high enough that we already know we have to write an audit
509
 * record (i.e., the state is AUDIT_SETUP_CONTEXT or AUDIT_BUILD_CONTEXT).
Linus Torvalds's avatar
Linus Torvalds committed
510
511
512
513
514
515
 */
static enum audit_state audit_filter_syscall(struct task_struct *tsk,
					     struct audit_context *ctx,
					     struct list_head *list)
{
	struct audit_entry *e;
516
	enum audit_state state;
Linus Torvalds's avatar
Linus Torvalds committed
517

518
	if (audit_pid && tsk->tgid == audit_pid)
519
520
		return AUDIT_DISABLED;

Linus Torvalds's avatar
Linus Torvalds committed
521
	rcu_read_lock();
522
	if (!list_empty(list)) {
523
524
525
526
		int word = AUDIT_WORD(ctx->major);
		int bit  = AUDIT_BIT(ctx->major);

		list_for_each_entry_rcu(e, list, list) {
Amy Griffis's avatar
Amy Griffis committed
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
			if ((e->rule.mask[word] & bit) == bit &&
			    audit_filter_rules(tsk, &e->rule, ctx, NULL,
					       &state)) {
				rcu_read_unlock();
				return state;
			}
		}
	}
	rcu_read_unlock();
	return AUDIT_BUILD_CONTEXT;
}

/* At syscall exit time, this filter is called if any audit_names[] have been
 * collected during syscall processing.  We only check rules in sublists at hash
 * buckets applicable to the inode numbers in audit_names[].
 * Regarding audit_state, same rules apply as for audit_filter_syscall().
 */
enum audit_state audit_filter_inodes(struct task_struct *tsk,
				     struct audit_context *ctx)
{
	int i;
	struct audit_entry *e;
	enum audit_state state;

	if (audit_pid && tsk->tgid == audit_pid)
		return AUDIT_DISABLED;

	rcu_read_lock();
	for (i = 0; i < ctx->name_count; i++) {
		int word = AUDIT_WORD(ctx->major);
		int bit  = AUDIT_BIT(ctx->major);
		struct audit_names *n = &ctx->names[i];
		int h = audit_hash_ino((u32)n->ino);
		struct list_head *list = &audit_inode_hash[h];

		if (list_empty(list))
			continue;

		list_for_each_entry_rcu(e, list, list) {
			if ((e->rule.mask[word] & bit) == bit &&
			    audit_filter_rules(tsk, &e->rule, ctx, n, &state)) {
568
569
570
				rcu_read_unlock();
				return state;
			}
571
572
573
		}
	}
	rcu_read_unlock();
Linus Torvalds's avatar
Linus Torvalds committed
574
	return AUDIT_BUILD_CONTEXT;
575
576
}

Amy Griffis's avatar
Amy Griffis committed
577
578
579
580
581
void audit_set_auditable(struct audit_context *ctx)
{
	ctx->auditable = 1;
}

Linus Torvalds's avatar
Linus Torvalds committed
582
583
584
585
586
587
588
589
590
591
592
static inline struct audit_context *audit_get_context(struct task_struct *tsk,
						      int return_valid,
						      int return_code)
{
	struct audit_context *context = tsk->audit_context;

	if (likely(!context))
		return NULL;
	context->return_valid = return_valid;
	context->return_code  = return_code;

593
	if (context->in_syscall && !context->dummy && !context->auditable) {
Linus Torvalds's avatar
Linus Torvalds committed
594
		enum audit_state state;
Amy Griffis's avatar
Amy Griffis committed
595

596
		state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_EXIT]);
Amy Griffis's avatar
Amy Griffis committed
597
598
599
600
601
602
		if (state == AUDIT_RECORD_CONTEXT) {
			context->auditable = 1;
			goto get_context;
		}

		state = audit_filter_inodes(tsk, context);
Linus Torvalds's avatar
Linus Torvalds committed
603
604
		if (state == AUDIT_RECORD_CONTEXT)
			context->auditable = 1;
Amy Griffis's avatar
Amy Griffis committed
605

Linus Torvalds's avatar
Linus Torvalds committed
606
607
	}

Amy Griffis's avatar
Amy Griffis committed
608
get_context:
609

Linus Torvalds's avatar
Linus Torvalds committed
610
611
612
613
614
615
616
617
618
619
620
	tsk->audit_context = NULL;
	return context;
}

static inline void audit_free_names(struct audit_context *context)
{
	int i;

#if AUDIT_DEBUG == 2
	if (context->auditable
	    ||context->put_count + context->ino_count != context->name_count) {
621
		printk(KERN_ERR "%s:%d(:%d): major=%d in_syscall=%d"
Linus Torvalds's avatar
Linus Torvalds committed
622
623
		       " name_count=%d put_count=%d"
		       " ino_count=%d [NOT freeing]\n",
624
		       __FILE__, __LINE__,
Linus Torvalds's avatar
Linus Torvalds committed
625
626
627
		       context->serial, context->major, context->in_syscall,
		       context->name_count, context->put_count,
		       context->ino_count);
628
		for (i = 0; i < context->name_count; i++) {
Linus Torvalds's avatar
Linus Torvalds committed
629
630
			printk(KERN_ERR "names[%d] = %p = %s\n", i,
			       context->names[i].name,
631
			       context->names[i].name ?: "(null)");
632
		}
Linus Torvalds's avatar
Linus Torvalds committed
633
634
635
636
637
638
639
640
641
		dump_stack();
		return;
	}
#endif
#if AUDIT_DEBUG
	context->put_count  = 0;
	context->ino_count  = 0;
#endif

642
	for (i = 0; i < context->name_count; i++) {
643
		if (context->names[i].name && context->names[i].name_put)
Linus Torvalds's avatar
Linus Torvalds committed
644
			__putname(context->names[i].name);
645
	}
Linus Torvalds's avatar
Linus Torvalds committed
646
	context->name_count = 0;
647
648
649
650
651
652
	if (context->pwd)
		dput(context->pwd);
	if (context->pwdmnt)
		mntput(context->pwdmnt);
	context->pwd = NULL;
	context->pwdmnt = NULL;
Linus Torvalds's avatar
Linus Torvalds committed
653
654
655
656
657
658
659
}

static inline void audit_free_aux(struct audit_context *context)
{
	struct audit_aux_data *aux;

	while ((aux = context->aux)) {
660
661
662
663
664
		if (aux->type == AUDIT_AVC_PATH) {
			struct audit_aux_data_path *axi = (void *)aux;
			dput(axi->dentry);
			mntput(axi->mnt);
		}
665

Linus Torvalds's avatar
Linus Torvalds committed
666
667
668
		context->aux = aux->next;
		kfree(aux);
	}
Amy Griffis's avatar
Amy Griffis committed
669
670
671
672
	while ((aux = context->aux_pids)) {
		context->aux_pids = aux->next;
		kfree(aux);
	}
Linus Torvalds's avatar
Linus Torvalds committed
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
}

static inline void audit_zero_context(struct audit_context *context,
				      enum audit_state state)
{
	uid_t loginuid = context->loginuid;

	memset(context, 0, sizeof(*context));
	context->state      = state;
	context->loginuid   = loginuid;
}

static inline struct audit_context *audit_alloc_context(enum audit_state state)
{
	struct audit_context *context;

	if (!(context = kmalloc(sizeof(*context), GFP_KERNEL)))
		return NULL;
	audit_zero_context(context, state);
	return context;
}

695
696
697
698
699
/**
 * audit_alloc - allocate an audit context block for a task
 * @tsk: task
 *
 * Filter on the task information and allocate a per-task audit context
Linus Torvalds's avatar
Linus Torvalds committed
700
701
 * if necessary.  Doing so turns on system call auditing for the
 * specified task.  This is called from copy_process, so no lock is
702
703
 * needed.
 */
Linus Torvalds's avatar
Linus Torvalds committed
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
int audit_alloc(struct task_struct *tsk)
{
	struct audit_context *context;
	enum audit_state     state;

	if (likely(!audit_enabled))
		return 0; /* Return if not auditing. */

	state = audit_filter_task(tsk);
	if (likely(state == AUDIT_DISABLED))
		return 0;

	if (!(context = audit_alloc_context(state))) {
		audit_log_lost("out of memory in audit_alloc");
		return -ENOMEM;
	}

				/* Preserve login uid */
	context->loginuid = -1;
	if (current->audit_context)
		context->loginuid = current->audit_context->loginuid;

	tsk->audit_context  = context;
	set_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT);
	return 0;
}

static inline void audit_free_context(struct audit_context *context)
{
	struct audit_context *previous;
	int		     count = 0;

	do {
		previous = context->previous;
		if (previous || (count &&  count < 10)) {
			++count;
			printk(KERN_ERR "audit(:%d): major=%d name_count=%d:"
			       " freeing multiple contexts (%d)\n",
			       context->serial, context->major,
			       context->name_count, count);
		}
		audit_free_names(context);
		audit_free_aux(context);
Amy Griffis's avatar
Amy Griffis committed
747
		kfree(context->filterkey);
Linus Torvalds's avatar
Linus Torvalds committed
748
749
750
751
752
753
754
		kfree(context);
		context  = previous;
	} while (context);
	if (count >= 10)
		printk(KERN_ERR "audit: freed %d contexts\n", count);
}

Joy Latten's avatar
Joy Latten committed
755
void audit_log_task_context(struct audit_buffer *ab)
756
757
{
	char *ctx = NULL;
758
759
760
761
762
763
764
	unsigned len;
	int error;
	u32 sid;

	selinux_get_task_sid(current, &sid);
	if (!sid)
		return;
765

766
767
768
	error = selinux_sid_to_string(sid, &ctx, &len);
	if (error) {
		if (error != -EINVAL)
769
770
771
772
773
			goto error_path;
		return;
	}

	audit_log_format(ab, " subj=%s", ctx);
774
	kfree(ctx);
775
	return;
776
777

error_path:
778
	audit_panic("error in audit_log_task_context");
779
780
781
	return;
}

Joy Latten's avatar
Joy Latten committed
782
783
EXPORT_SYMBOL(audit_log_task_context);

784
static void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
785
{
786
787
	char name[sizeof(tsk->comm)];
	struct mm_struct *mm = tsk->mm;
788
789
	struct vm_area_struct *vma;

790
791
	/* tsk == current */

792
	get_task_comm(name, tsk);
793
794
	audit_log_format(ab, " comm=");
	audit_log_untrustedstring(ab, name);
795

796
797
798
799
800
801
802
	if (mm) {
		down_read(&mm->mmap_sem);
		vma = mm->mmap;
		while (vma) {
			if ((vma->vm_flags & VM_EXECUTABLE) &&
			    vma->vm_file) {
				audit_log_d_path(ab, "exe=",
803
804
						 vma->vm_file->f_path.dentry,
						 vma->vm_file->f_path.mnt);
805
806
807
				break;
			}
			vma = vma->vm_next;
808
		}
809
		up_read(&mm->mmap_sem);
810
	}
811
	audit_log_task_context(ab);
812
813
}

Amy Griffis's avatar
Amy Griffis committed
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
static int audit_log_pid_context(struct audit_context *context, pid_t pid,
				 u32 sid)
{
	struct audit_buffer *ab;
	char *s = NULL;
	u32 len;
	int rc = 0;

	ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID);
	if (!ab)
		return 1;

	if (selinux_sid_to_string(sid, &s, &len)) {
		audit_log_format(ab, "opid=%d obj=(none)", pid);
		rc = 1;
	} else
		audit_log_format(ab, "opid=%d  obj=%s", pid, s);
	audit_log_end(ab);
	kfree(s);

	return rc;
}

837
static void audit_log_exit(struct audit_context *context, struct task_struct *tsk)
Linus Torvalds's avatar
Linus Torvalds committed
838
{
Steve Grubb's avatar
Steve Grubb committed
839
	int i, call_panic = 0;
Linus Torvalds's avatar
Linus Torvalds committed
840
	struct audit_buffer *ab;
841
	struct audit_aux_data *aux;
842
	const char *tty;
Linus Torvalds's avatar
Linus Torvalds committed
843

844
	/* tsk == current */
845
	context->pid = tsk->pid;
Alexander Viro's avatar
Alexander Viro committed
846
847
	if (!context->ppid)
		context->ppid = sys_getppid();
848
849
850
851
852
853
854
855
856
	context->uid = tsk->uid;
	context->gid = tsk->gid;
	context->euid = tsk->euid;
	context->suid = tsk->suid;
	context->fsuid = tsk->fsuid;
	context->egid = tsk->egid;
	context->sgid = tsk->sgid;
	context->fsgid = tsk->fsgid;
	context->personality = tsk->personality;
857
858

	ab = audit_log_start(context, GFP_KERNEL, AUDIT_SYSCALL);
Linus Torvalds's avatar
Linus Torvalds committed
859
860
	if (!ab)
		return;		/* audit_panic has been called */
861
862
	audit_log_format(ab, "arch=%x syscall=%d",
			 context->arch, context->major);
Linus Torvalds's avatar
Linus Torvalds committed
863
864
865
	if (context->personality != PER_LINUX)
		audit_log_format(ab, " per=%lx", context->personality);
	if (context->return_valid)
866
867
868
		audit_log_format(ab, " success=%s exit=%ld", 
				 (context->return_valid==AUDITSC_SUCCESS)?"yes":"no",
				 context->return_code);
869
870

	mutex_lock(&tty_mutex);
871
	read_lock(&tasklist_lock);
872
873
	if (tsk->signal && tsk->signal->tty && tsk->signal->tty->name)
		tty = tsk->signal->tty->name;
874
875
	else
		tty = "(none)";
876
	read_unlock(&tasklist_lock);
Linus Torvalds's avatar
Linus Torvalds committed
877
878
	audit_log_format(ab,
		  " a0=%lx a1=%lx a2=%lx a3=%lx items=%d"
Al Viro's avatar
Al Viro committed
879
		  " ppid=%d pid=%d auid=%u uid=%u gid=%u"
880
		  " euid=%u suid=%u fsuid=%u"
881
		  " egid=%u sgid=%u fsgid=%u tty=%s",
Linus Torvalds's avatar
Linus Torvalds committed
882
883
884
885
886
		  context->argv[0],
		  context->argv[1],
		  context->argv[2],
		  context->argv[3],
		  context->name_count,
Al Viro's avatar
Al Viro committed
887
		  context->ppid,
Linus Torvalds's avatar
Linus Torvalds committed
888
889
890
891
892
		  context->pid,
		  context->loginuid,
		  context->uid,
		  context->gid,
		  context->euid, context->suid, context->fsuid,
893
		  context->egid, context->sgid, context->fsgid, tty);
894
895
896

	mutex_unlock(&tty_mutex);

897
	audit_log_task_info(ab, tsk);
Amy Griffis's avatar
Amy Griffis committed
898
899
900
901
902
	if (context->filterkey) {
		audit_log_format(ab, " key=");
		audit_log_untrustedstring(ab, context->filterkey);
	} else
		audit_log_format(ab, " key=(null)");
Linus Torvalds's avatar
Linus Torvalds committed
903
904
	audit_log_end(ab);

905
	for (aux = context->aux; aux; aux = aux->next) {
906

907
		ab = audit_log_start(context, GFP_KERNEL, aux->type);
Linus Torvalds's avatar
Linus Torvalds committed
908
909
910
911
		if (!ab)
			continue; /* audit_panic has been called */

		switch (aux->type) {
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
		case AUDIT_MQ_OPEN: {
			struct audit_aux_data_mq_open *axi = (void *)aux;
			audit_log_format(ab,
				"oflag=0x%x mode=%#o mq_flags=0x%lx mq_maxmsg=%ld "
				"mq_msgsize=%ld mq_curmsgs=%ld",
				axi->oflag, axi->mode, axi->attr.mq_flags,
				axi->attr.mq_maxmsg, axi->attr.mq_msgsize,
				axi->attr.mq_curmsgs);
			break; }

		case AUDIT_MQ_SENDRECV: {
			struct audit_aux_data_mq_sendrecv *axi = (void *)aux;
			audit_log_format(ab,
				"mqdes=%d msg_len=%zd msg_prio=%u "
				"abs_timeout_sec=%ld abs_timeout_nsec=%ld",
				axi->mqdes, axi->msg_len, axi->msg_prio,
				axi->abs_timeout.tv_sec, axi->abs_timeout.tv_nsec);
			break; }

		case AUDIT_MQ_NOTIFY: {
			struct audit_aux_data_mq_notify *axi = (void *)aux;
			audit_log_format(ab,
				"mqdes=%d sigev_signo=%d",
				axi->mqdes,
				axi->notification.sigev_signo);
			break; }

		case AUDIT_MQ_GETSETATTR: {
			struct audit_aux_data_mq_getsetattr *axi = (void *)aux;
			audit_log_format(ab,
				"mqdes=%d mq_flags=0x%lx mq_maxmsg=%ld mq_msgsize=%ld "
				"mq_curmsgs=%ld ",
				axi->mqdes,
				axi->mqstat.mq_flags, axi->mqstat.mq_maxmsg,
				axi->mqstat.mq_msgsize, axi->mqstat.mq_curmsgs);
			break; }

949
		case AUDIT_IPC: {
Linus Torvalds's avatar
Linus Torvalds committed
950
951
			struct audit_aux_data_ipcctl *axi = (void *)aux;
			audit_log_format(ab, 
952
953
				 "ouid=%u ogid=%u mode=%x",
				 axi->uid, axi->gid, axi->mode);
Steve Grubb's avatar
Steve Grubb committed
954
955
956
			if (axi->osid != 0) {
				char *ctx = NULL;
				u32 len;
957
				if (selinux_sid_to_string(
Steve Grubb's avatar
Steve Grubb committed
958
						axi->osid, &ctx, &len)) {
959
					audit_log_format(ab, " osid=%u",
Steve Grubb's avatar
Steve Grubb committed
960
961
962
963
964
965
							axi->osid);
					call_panic = 1;
				} else
					audit_log_format(ab, " obj=%s", ctx);
				kfree(ctx);
			}
966
967
			break; }

Steve Grubb's avatar
Steve Grubb committed
968
969
970
		case AUDIT_IPC_SET_PERM: {
			struct audit_aux_data_ipcctl *axi = (void *)aux;
			audit_log_format(ab,
971
				"qbytes=%lx ouid=%u ogid=%u mode=%x",
Steve Grubb's avatar
Steve Grubb committed
972
973
				axi->qbytes, axi->uid, axi->gid, axi->mode);
			break; }
974

Al Viro's avatar
Al Viro committed
975
976
977
978
979
980
981
982
983
984
		case AUDIT_EXECVE: {
			struct audit_aux_data_execve *axi = (void *)aux;
			int i;
			const char *p;
			for (i = 0, p = axi->mem; i < axi->argc; i++) {
				audit_log_format(ab, "a%d=", i);
				p = audit_log_untrustedstring(ab, p);
				audit_log_format(ab, "\n");
			}
			break; }
Steve Grubb's avatar
Steve Grubb committed
985

986
987
988
989
990
991
992
993
994
995
996
997
998
999
		case AUDIT_SOCKETCALL: {
			int i;
			struct audit_aux_data_socketcall *axs = (void *)aux;
			audit_log_format(ab, "nargs=%d", axs->nargs);
			for (i=0; i<axs->nargs; i++)
				audit_log_format(ab, " a%d=%lx", i, axs->args[i]);
			break; }

		case AUDIT_SOCKADDR: {
			struct audit_aux_data_sockaddr *axs = (void *)aux;

			audit_log_format(ab, "saddr=");
			audit_log_hex(ab, axs->a, axs->len);
			break; }
1000
1001
1002
1003
1004
1005

		case AUDIT_AVC_PATH: {
			struct audit_aux_data_path *axi = (void *)aux;
			audit_log_d_path(ab, "path=", axi->dentry, axi->mnt);
			break; }

Al Viro's avatar
Al Viro committed
1006
1007
1008
1009
1010
		case AUDIT_FD_PAIR: {
			struct audit_aux_data_fd_pair *axs = (void *)aux;
			audit_log_format(ab, "fd0=%d fd1=%d", axs->fd[0], axs->fd[1]);
			break; }

Linus Torvalds's avatar
Linus Torvalds committed
1011
1012
1013
1014
		}
		audit_log_end(ab);
	}

Amy Griffis's avatar
Amy Griffis committed
1015
1016
1017
1018
1019
1020
1021
1022
	for (aux = context->aux_pids; aux; aux = aux->next) {
		struct audit_aux_data_pids *axs = (void *)aux;
		int i;

		for (i = 0; i < axs->pid_count; i++)
			if (audit_log_pid_context(context, axs->target_pid[i],
						  axs->target_sid[i]))
				call_panic = 1;
Al Viro's avatar
Al Viro committed
1023
1024
	}

Amy Griffis's avatar
Amy Griffis committed
1025
1026
1027
1028
1029
	if (context->target_pid &&
	    audit_log_pid_context(context, context->target_pid,
				  context->target_sid))
			call_panic = 1;

1030
	if (context->pwd && context->pwdmnt) {
1031
		ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD);
1032
1033
1034
1035
1036
		if (ab) {
			audit_log_d_path(ab, "cwd=", context->pwd, context->pwdmnt);
			audit_log_end(ab);
		}
	}
Linus Torvalds's avatar
Linus Torvalds committed
1037
	for (i = 0; i < context->name_count; i++) {
1038
		struct audit_names *n = &context->names[i];
1039

1040
		ab = audit_log_start(context, GFP_KERNEL, AUDIT_PATH);
Linus Torvalds's avatar
Linus Torvalds committed
1041
1042
		if (!ab)
			continue; /* audit_panic has been called */
1043

Linus Torvalds's avatar
Linus Torvalds committed
1044
		audit_log_format(ab, "item=%d", i);
1045

1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
		if (n->name) {
			switch(n->name_len) {
			case AUDIT_NAME_FULL:
				/* log the full path */
				audit_log_format(ab, " name=");
				audit_log_untrustedstring(ab, n->name);
				break;
			case 0:
				/* name was specified as a relative path and the
				 * directory component is the cwd */
				audit_log_d_path(ab, " name=", context->pwd,
						 context->pwdmnt);
				break;
			default:
				/* log the name's directory component */
				audit_log_format(ab, " name=");
				audit_log_n_untrustedstring(ab, n->name_len,
							    n->name);
			}
		} else
			audit_log_format(ab, " name=(null)");

		if (n->ino != (unsigned long)-1) {
			audit_log_format(ab, " inode=%lu"
					 " dev=%02x:%02x mode=%#o"
					 " ouid=%u ogid=%u rdev=%02x:%02x",
					 n->ino,
					 MAJOR(n->dev),
					 MINOR(n->dev),
					 n->mode,
					 n->uid,
					 n->gid,
					 MAJOR(n->rdev),
					 MINOR(n->rdev));
		}
		if (n->osid != 0) {
Steve Grubb's avatar
Steve Grubb committed
1082
1083
			char *ctx = NULL;
			u32 len;
1084
			if (selinux_sid_to_string(
1085
1086
				n->osid, &ctx, &len)) {
				audit_log_format(ab, " osid=%u", n->osid);
Steve Grubb's avatar
Steve Grubb committed
1087
				call_panic = 2;
Steve Grubb's avatar
Steve Grubb committed
1088
1089
1090
			} else
				audit_log_format(ab, " obj=%s", ctx);
			kfree(ctx);
1091
1092
		}

Linus Torvalds's avatar
Linus Torvalds committed
1093
1094
		audit_log_end(ab);
	}
Steve Grubb's avatar
Steve Grubb committed
1095
1096
	if (call_panic)
		audit_panic("error converting sid to string");
Linus Torvalds's avatar
Linus Torvalds committed
1097
1098
}

1099
1100
1101
1102
/**
 * audit_free - free a per-task audit context
 * @tsk: task whose audit context block to free
 *
1103
 * Called from copy_process and do_exit
1104
 */
Linus Torvalds's avatar
Linus Torvalds committed
1105
1106
1107
1108
1109
1110
1111
1112
1113
void audit_free(struct task_struct *tsk)
{
	struct audit_context *context;

	context = audit_get_context(tsk, 0, 0);
	if (likely(!context))
		return;

	/* Check for system calls that do not go through the exit
1114
1115
1116
	 * function (e.g., exit_group), then free context block. 
	 * We use GFP_ATOMIC here because we might be doing this 
	 * in the context of the idle thread */
1117
	/* that can happen only if we are called from do_exit() */
1118
	if (context->in_syscall && context->auditable)
1119
		audit_log_exit(context, tsk);
Linus Torvalds's avatar
Linus Torvalds committed
1120
1121
1122
1123

	audit_free_context(context);
}

1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
/**
 * audit_syscall_entry - fill in an audit record at syscall entry
 * @tsk: task being audited
 * @arch: architecture type
 * @major: major syscall type (function)
 * @a1: additional syscall register 1
 * @a2: additional syscall register 2
 * @a3: additional syscall register 3
 * @a4: additional syscall register 4
 *
 * Fill in audit context at syscall entry.  This only happens if the
Linus Torvalds's avatar
Linus Torvalds committed
1135
1136
1137
1138
1139
 * audit context was created when the task was created and the state or
 * filters demand the audit context be built.  If the state from the
 * per-task filter or from the per-syscall filter is AUDIT_RECORD_CONTEXT,
 * then the record will be written at syscall exit time (otherwise, it
 * will only be written if another part of the kernel requests that it
1140
1141
 * be written).
 */
1142
void audit_syscall_entry(int arch, int major,
Linus Torvalds's avatar
Linus Torvalds committed
1143
1144
1145
			 unsigned long a1, unsigned long a2,
			 unsigned long a3, unsigned long a4)
{
1146
	struct task_struct *tsk = current;
Linus Torvalds's avatar
Linus Torvalds committed
1147
1148
1149
1150
1151
	struct audit_context *context = tsk->audit_context;
	enum audit_state     state;

	BUG_ON(!context);

1152
1153
	/*
	 * This happens only on certain architectures that make system
Linus Torvalds's avatar
Linus Torvalds committed
1154
1155
1156
1157
1158
1159
1160
	 * calls in kernel_thread via the entry.S interface, instead of
	 * with direct calls.  (If you are porting to a new
	 * architecture, hitting this condition can indicate that you
	 * got the _exit/_leave calls backward in entry.S.)
	 *
	 * i386     no
	 * x86_64   no
1161
	 * ppc64    yes (see arch/powerpc/platforms/iseries/misc.S)
Linus Torvalds's avatar
Linus Torvalds committed
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
	 *
	 * This also happens with vm86 emulation in a non-nested manner
	 * (entries without exits), so this case must be caught.
	 */
	if (context->in_syscall) {
		struct audit_context *newctx;

#if AUDIT_DEBUG
		printk(KERN_ERR
		       "audit(:%d) pid=%d in syscall=%d;"
		       " entering syscall=%d\n",
		       context->serial, tsk->pid, context->major, major);
#endif
		newctx = audit_alloc_context(context->state);
		if (newctx) {
			newctx->previous   = context;
			context		   = newctx;
			tsk->audit_context = newctx;
		} else	{
			/* If we can't alloc a new context, the best we
			 * can do is to leak memory (any pending putname
			 * will be lost).  The only other alternative is
			 * to abandon auditing. */
			audit_zero_context(context, context->state);
		}
	}
	BUG_ON(context->in_syscall || context->name_count);

	if (!audit_enabled)
		return;

1193
	context->arch	    = arch;
Linus Torvalds's avatar
Linus Torvalds committed
1194
1195
1196
1197
1198
1199
1200
	context->major      = major;
	context->argv[0]    = a1;
	context->argv[1]    = a2;
	context->argv[2]    = a3;
	context->argv[3]    = a4;

	state = context->state;
1201
1202
	context->dummy = !audit_n_rules;
	if (!context->dummy && (state == AUDIT_SETUP_CONTEXT || state == AUDIT_BUILD_CONTEXT))
1203
		state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_ENTRY]);
Linus Torvalds's avatar
Linus Torvalds committed
1204
1205
1206
	if (likely(state == AUDIT_DISABLED))
		return;

1207
	context->serial     = 0;
Linus Torvalds's avatar
Linus Torvalds committed
1208
1209
1210
	context->ctime      = CURRENT_TIME;
	context->in_syscall = 1;
	context->auditable  = !!(state == AUDIT_RECORD_CONTEXT);
Alexander Viro's avatar
Alexander Viro committed
1211
	context->ppid       = 0;
Linus Torvalds's avatar
Linus Torvalds committed
1212
1213
}

1214
1215
1216
1217
1218
1219
1220
/**
 * audit_syscall_exit - deallocate audit context after a system call
 * @tsk: task being audited
 * @valid: success/failure flag
 * @return_code: syscall return value
 *
 * Tear down after system call.  If the audit context has been marked as
Linus Torvalds's avatar
Linus Torvalds committed
1221
1222
1223
 * auditable (either because of the AUDIT_RECORD_CONTEXT state from
 * filtering, or because some other part of the kernel write an audit
 * message), then write out the syscall information.  In call cases,
1224
1225
 * free the names stored from getname().
 */
1226
void audit_syscall_exit(int valid, long return_code)
Linus Torvalds's avatar
Linus Torvalds committed
1227
{
1228
	struct task_struct *tsk = current;
Linus Torvalds's avatar
Linus Torvalds committed
1229
1230
	struct audit_context *context;

1231
	context = audit_get_context(tsk, valid, return_code);
Linus Torvalds's avatar
Linus Torvalds committed
1232
1233

	if (likely(!context))
1234
		return;
Linus Torvalds's avatar
Linus Torvalds committed
1235

1236
	if (context->in_syscall && context->auditable)
1237
		audit_log_exit(context, tsk);
Linus Torvalds's avatar
Linus Torvalds committed
1238
1239
1240

	context->in_syscall = 0;
	context->auditable  = 0;
1241

Linus Torvalds's avatar
Linus Torvalds committed
1242
1243
1244
1245
1246
1247
1248
1249
	if (context->previous) {
		struct audit_context *new_context = context->previous;
		context->previous  = NULL;
		audit_free_context(context);
		tsk->audit_context = new_context;
	} else {
		audit_free_names(context);
		audit_free_aux(context);
Amy Griffis's avatar
Amy Griffis committed
1250
1251
		context->aux = NULL;
		context->aux_pids = NULL;
Al Viro's avatar
Al Viro committed
1252
		context->target_pid = 0;
Amy Griffis's avatar
Amy Griffis committed
1253
		context->target_sid = 0;
Amy Griffis's avatar
Amy Griffis committed
1254
1255
		kfree(context->filterkey);
		context->filterkey = NULL;
Linus Torvalds's avatar
Linus Torvalds committed
1256
1257
1258
1259
		tsk->audit_context = context;
	}
}

1260
1261
1262
1263
1264
1265
1266
/**
 * audit_getname - add a name to the list
 * @name: name to add
 *
 * Add a name to the list of audit names for this context.
 * Called from fs/namei.c:getname().
 */
Al Viro's avatar
Al Viro committed
1267
void __audit_getname(const char *name)
Linus Torvalds's avatar
Linus Torvalds committed
1268
1269
1270
{
	struct audit_context *context = current->audit_context;

Al Viro's avatar
Al Viro committed
1271
	if (IS_ERR(name) || !name)
Linus Torvalds's avatar
Linus Torvalds committed
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
		return;

	if (!context->in_syscall) {
#if AUDIT_DEBUG == 2
		printk(KERN_ERR "%s:%d(:%d): ignoring getname(%p)\n",
		       __FILE__, __LINE__, context->serial, name);
		dump_stack();
#endif
		return;
	}
	BUG_ON(context->name_count >= AUDIT_NAMES);
	context->names[context->name_count].name = name;
1284
1285
	context->names[context->name_count].name_len = AUDIT_NAME_FULL;
	context->names[context->name_count].name_put = 1;
Linus Torvalds's avatar
Linus Torvalds committed
1286
	context->names[context->name_count].ino  = (unsigned long)-1;
Amy Griffis's avatar
Amy Griffis committed
1287
	context->names[context->name_count].osid = 0;
Linus Torvalds's avatar
Linus Torvalds committed
1288
	++context->name_count;
1289
1290
1291
1292
1293
1294
1295
	if (!context->pwd) {
		read_lock(&current->fs->lock);
		context->pwd = dget(current->fs->pwd);
		context->pwdmnt = mntget(current->fs->pwdmnt);
		read_unlock(&current->fs->lock);
	}
		
Linus Torvalds's avatar
Linus Torvalds committed
1296
1297
}

1298
1299
1300
1301
1302
1303
1304
/* audit_putname - intercept a putname request
 * @name: name to intercept and delay for putname
 *
 * If we have stored the name from getname in the audit context,
 * then we delay the putname until syscall exit.
 * Called from include/linux/fs.h:putname().
 */
Linus Torvalds's avatar
Linus Torvalds committed
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
void audit_putname(const char *name)
{
	struct audit_context *context = current->audit_context;

	BUG_ON(!context);
	if (!context->in_syscall) {
#if AUDIT_DEBUG == 2
		printk(KERN_ERR "%s:%d(:%d): __putname(%p)\n",
		       __FILE__, __LINE__, context->serial, name);
		if (context->name_count) {
			int i;
			for (i = 0; i < context->name_count; i++)
				printk(KERN_ERR "name[%d] = %p = %s\n", i,
				       context->names[i].name,
1319
				       context->names[i].name ?: "(null)");
Linus Torvalds's avatar
Linus Torvalds committed
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
		}
#endif
		__putname(name);
	}
#if AUDIT_DEBUG
	else {
		++context->put_count;
		if (context->put_count > context->name_count) {
			printk(KERN_ERR "%s:%d(:%d): major=%d"
			       " in_syscall=%d putname(%p) name_count=%d"
			       " put_count=%d\n",
			       __FILE__, __LINE__,
			       context->serial, context->major,
			       context->in_syscall, name, context->name_count,
			       context->put_count);
			dump_stack();
		}
	}
#endif
}