auditsc.c 62.6 KB
Newer Older
1
/* auditsc.c -- System-call auditing support
Linus Torvalds's avatar
Linus Torvalds committed
2
3
4
 * Handles all system-call specific auditing features.
 *
 * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina.
5
 * Copyright 2005 Hewlett-Packard Development Company, L.P.
6
 * Copyright (C) 2005, 2006 IBM Corporation
Linus Torvalds's avatar
Linus Torvalds committed
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
 * All Rights Reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 *
 * Written by Rickard E. (Rik) Faith <faith@redhat.com>
 *
 * Many of the ideas implemented here are from Stephen C. Tweedie,
 * especially the idea of avoiding a copy by using getname.
 *
 * The method for actual interception of syscall entry and exit (not in
 * this file -- see entry.S) is based on a GPL'd patch written by
 * okir@suse.de and Copyright 2003 SuSE Linux AG.
 *
32
33
34
 * POSIX message queue support added by George Wilson <ltcgcw@us.ibm.com>,
 * 2006.
 *
35
36
37
 * The support of additional filter rules compares (>, <, >=, <=) was
 * added by Dustin Kirkland <dustin.kirkland@us.ibm.com>, 2005.
 *
38
39
 * Modified by Amy Griffis <amy.griffis@hp.com> to collect additional
 * filesystem information.
40
41
42
 *
 * Subject and object context labeling support added by <danjones@us.ibm.com>
 * and <dustin.kirkland@us.ibm.com> for LSPP certification compliance.
Linus Torvalds's avatar
Linus Torvalds committed
43
44
45
46
 */

#include <linux/init.h>
#include <asm/types.h>
47
#include <asm/atomic.h>
48
49
#include <linux/fs.h>
#include <linux/namei.h>
Linus Torvalds's avatar
Linus Torvalds committed
50
51
#include <linux/mm.h>
#include <linux/module.h>
52
#include <linux/mount.h>
53
#include <linux/socket.h>
54
#include <linux/mqueue.h>
Linus Torvalds's avatar
Linus Torvalds committed
55
56
57
#include <linux/audit.h>
#include <linux/personality.h>
#include <linux/time.h>
58
#include <linux/netlink.h>
59
#include <linux/compiler.h>
Linus Torvalds's avatar
Linus Torvalds committed
60
#include <asm/unistd.h>
61
#include <linux/security.h>
62
#include <linux/list.h>
63
#include <linux/tty.h>
Al Viro's avatar
Al Viro committed
64
#include <linux/binfmts.h>
65
#include <linux/highmem.h>
Al Viro's avatar
Al Viro committed
66
#include <linux/syscalls.h>
Al Viro's avatar
Al Viro committed
67
#include <linux/inotify.h>
Linus Torvalds's avatar
Linus Torvalds committed
68

69
#include "audit.h"
Linus Torvalds's avatar
Linus Torvalds committed
70
71
72
73
74

/* AUDIT_NAMES is the number of slots we reserve in the audit_context
 * for saving names from getname(). */
#define AUDIT_NAMES    20

75
76
77
/* Indicates that audit should log the full pathname. */
#define AUDIT_NAME_FULL -1

78
79
80
/* no execve audit message should be longer than this (userspace limits) */
#define MAX_EXECVE_AUDIT_LEN 7500

81
82
83
/* number of audit rules */
int audit_n_rules;

Amy Griffis's avatar
Amy Griffis committed
84
85
86
/* determines whether we collect data for signals sent */
int audit_signals;

Linus Torvalds's avatar
Linus Torvalds committed
87
88
89
90
91
92
93
/* When fs/namei.c:getname() is called, we store the pointer in name and
 * we don't let putname() free it (instead we free all of the saved
 * pointers at syscall exit time).
 *
 * Further, in fs/namei.c:path_lookup() we store the inode and device. */
struct audit_names {
	const char	*name;
94
95
	int		name_len;	/* number of name's characters to log */
	unsigned	name_put;	/* call __putname() for this name */
Linus Torvalds's avatar
Linus Torvalds committed
96
97
98
99
100
101
	unsigned long	ino;
	dev_t		dev;
	umode_t		mode;
	uid_t		uid;
	gid_t		gid;
	dev_t		rdev;
Steve Grubb's avatar
Steve Grubb committed
102
	u32		osid;
Linus Torvalds's avatar
Linus Torvalds committed
103
104
105
106
107
108
109
110
111
};

struct audit_aux_data {
	struct audit_aux_data	*next;
	int			type;
};

#define AUDIT_AUX_IPCPERM	0

Amy Griffis's avatar
Amy Griffis committed
112
113
114
/* Number of target pids per aux struct. */
#define AUDIT_AUX_PIDS	16

115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
struct audit_aux_data_mq_open {
	struct audit_aux_data	d;
	int			oflag;
	mode_t			mode;
	struct mq_attr		attr;
};

struct audit_aux_data_mq_sendrecv {
	struct audit_aux_data	d;
	mqd_t			mqdes;
	size_t			msg_len;
	unsigned int		msg_prio;
	struct timespec		abs_timeout;
};

struct audit_aux_data_mq_notify {
	struct audit_aux_data	d;
	mqd_t			mqdes;
	struct sigevent 	notification;
};

struct audit_aux_data_mq_getsetattr {
	struct audit_aux_data	d;
	mqd_t			mqdes;
	struct mq_attr 		mqstat;
};

Linus Torvalds's avatar
Linus Torvalds committed
142
143
144
145
146
147
148
struct audit_aux_data_ipcctl {
	struct audit_aux_data	d;
	struct ipc_perm		p;
	unsigned long		qbytes;
	uid_t			uid;
	gid_t			gid;
	mode_t			mode;
Steve Grubb's avatar
Steve Grubb committed
149
	u32			osid;
Linus Torvalds's avatar
Linus Torvalds committed
150
151
};

Al Viro's avatar
Al Viro committed
152
153
154
155
struct audit_aux_data_execve {
	struct audit_aux_data	d;
	int argc;
	int envc;
Peter Zijlstra's avatar
Peter Zijlstra committed
156
	struct mm_struct *mm;
Al Viro's avatar
Al Viro committed
157
158
};

159
160
161
162
163
164
165
166
167
168
169
170
struct audit_aux_data_socketcall {
	struct audit_aux_data	d;
	int			nargs;
	unsigned long		args[0];
};

struct audit_aux_data_sockaddr {
	struct audit_aux_data	d;
	int			len;
	char			a[0];
};

Al Viro's avatar
Al Viro committed
171
172
173
174
175
struct audit_aux_data_fd_pair {
	struct	audit_aux_data d;
	int	fd[2];
};

Amy Griffis's avatar
Amy Griffis committed
176
177
178
struct audit_aux_data_pids {
	struct audit_aux_data	d;
	pid_t			target_pid[AUDIT_AUX_PIDS];
179
180
	uid_t			target_auid[AUDIT_AUX_PIDS];
	uid_t			target_uid[AUDIT_AUX_PIDS];
181
	unsigned int		target_sessionid[AUDIT_AUX_PIDS];
Amy Griffis's avatar
Amy Griffis committed
182
	u32			target_sid[AUDIT_AUX_PIDS];
183
	char 			target_comm[AUDIT_AUX_PIDS][TASK_COMM_LEN];
Amy Griffis's avatar
Amy Griffis committed
184
185
186
	int			pid_count;
};

Al Viro's avatar
Al Viro committed
187
188
189
190
191
struct audit_tree_refs {
	struct audit_tree_refs *next;
	struct audit_chunk *c[31];
};

Linus Torvalds's avatar
Linus Torvalds committed
192
193
/* The per-task audit context. */
struct audit_context {
194
	int		    dummy;	/* must be the first element */
Linus Torvalds's avatar
Linus Torvalds committed
195
196
197
198
199
200
201
	int		    in_syscall;	/* 1 if task is in a syscall */
	enum audit_state    state;
	unsigned int	    serial;     /* serial number for record */
	struct timespec	    ctime;      /* time of syscall entry */
	int		    major;      /* syscall number */
	unsigned long	    argv[4];    /* syscall arguments */
	int		    return_valid; /* return code is valid */
202
	long		    return_code;/* syscall return code */
Linus Torvalds's avatar
Linus Torvalds committed
203
204
205
	int		    auditable;  /* 1 if record should be written */
	int		    name_count;
	struct audit_names  names[AUDIT_NAMES];
Amy Griffis's avatar
Amy Griffis committed
206
	char *		    filterkey;	/* key for rule that triggered record */
207
	struct path	    pwd;
Linus Torvalds's avatar
Linus Torvalds committed
208
209
	struct audit_context *previous; /* For nested syscalls */
	struct audit_aux_data *aux;
Amy Griffis's avatar
Amy Griffis committed
210
	struct audit_aux_data *aux_pids;
Linus Torvalds's avatar
Linus Torvalds committed
211
212

				/* Save things to print about task_struct */
Al Viro's avatar
Al Viro committed
213
	pid_t		    pid, ppid;
Linus Torvalds's avatar
Linus Torvalds committed
214
215
216
	uid_t		    uid, euid, suid, fsuid;
	gid_t		    gid, egid, sgid, fsgid;
	unsigned long	    personality;
217
	int		    arch;
Linus Torvalds's avatar
Linus Torvalds committed
218

Al Viro's avatar
Al Viro committed
219
	pid_t		    target_pid;
220
221
	uid_t		    target_auid;
	uid_t		    target_uid;
222
	unsigned int	    target_sessionid;
Al Viro's avatar
Al Viro committed
223
	u32		    target_sid;
224
	char		    target_comm[TASK_COMM_LEN];
Al Viro's avatar
Al Viro committed
225

Al Viro's avatar
Al Viro committed
226
227
228
	struct audit_tree_refs *trees, *first_trees;
	int tree_count;

Linus Torvalds's avatar
Linus Torvalds committed
229
230
231
232
233
234
#if AUDIT_DEBUG
	int		    put_count;
	int		    ino_count;
#endif
};

Al Viro's avatar
Al Viro committed
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
#define ACC_MODE(x) ("\004\002\006\006"[(x)&O_ACCMODE])
static inline int open_arg(int flags, int mask)
{
	int n = ACC_MODE(flags);
	if (flags & (O_TRUNC | O_CREAT))
		n |= AUDIT_PERM_WRITE;
	return n & mask;
}

static int audit_match_perm(struct audit_context *ctx, int mask)
{
	unsigned n = ctx->major;
	switch (audit_classify_syscall(ctx->arch, n)) {
	case 0:	/* native */
		if ((mask & AUDIT_PERM_WRITE) &&
		     audit_match_class(AUDIT_CLASS_WRITE, n))
			return 1;
		if ((mask & AUDIT_PERM_READ) &&
		     audit_match_class(AUDIT_CLASS_READ, n))
			return 1;
		if ((mask & AUDIT_PERM_ATTR) &&
		     audit_match_class(AUDIT_CLASS_CHATTR, n))
			return 1;
		return 0;
	case 1: /* 32bit on biarch */
		if ((mask & AUDIT_PERM_WRITE) &&
		     audit_match_class(AUDIT_CLASS_WRITE_32, n))
			return 1;
		if ((mask & AUDIT_PERM_READ) &&
		     audit_match_class(AUDIT_CLASS_READ_32, n))
			return 1;
		if ((mask & AUDIT_PERM_ATTR) &&
		     audit_match_class(AUDIT_CLASS_CHATTR_32, n))
			return 1;
		return 0;
	case 2: /* open */
		return mask & ACC_MODE(ctx->argv[1]);
	case 3: /* openat */
		return mask & ACC_MODE(ctx->argv[2]);
	case 4: /* socketcall */
		return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND);
	case 5: /* execve */
		return mask & AUDIT_PERM_EXEC;
	default:
		return 0;
	}
}

283
284
285
286
287
288
289
290
291
292
293
294
295
static int audit_match_filetype(struct audit_context *ctx, int which)
{
	unsigned index = which & ~S_IFMT;
	mode_t mode = which & S_IFMT;
	if (index >= ctx->name_count)
		return 0;
	if (ctx->names[index].ino == -1)
		return 0;
	if ((ctx->names[index].mode ^ mode) & S_IFMT)
		return 0;
	return 1;
}

Al Viro's avatar
Al Viro committed
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
/*
 * We keep a linked list of fixed-sized (31 pointer) arrays of audit_chunk *;
 * ->first_trees points to its beginning, ->trees - to the current end of data.
 * ->tree_count is the number of free entries in array pointed to by ->trees.
 * Original condition is (NULL, NULL, 0); as soon as it grows we never revert to NULL,
 * "empty" becomes (p, p, 31) afterwards.  We don't shrink the list (and seriously,
 * it's going to remain 1-element for almost any setup) until we free context itself.
 * References in it _are_ dropped - at the same time we free/drop aux stuff.
 */

#ifdef CONFIG_AUDIT_TREE
static int put_tree_ref(struct audit_context *ctx, struct audit_chunk *chunk)
{
	struct audit_tree_refs *p = ctx->trees;
	int left = ctx->tree_count;
	if (likely(left)) {
		p->c[--left] = chunk;
		ctx->tree_count = left;
		return 1;
	}
	if (!p)
		return 0;
	p = p->next;
	if (p) {
		p->c[30] = chunk;
		ctx->trees = p;
		ctx->tree_count = 30;
		return 1;
	}
	return 0;
}

static int grow_tree_refs(struct audit_context *ctx)
{
	struct audit_tree_refs *p = ctx->trees;
	ctx->trees = kzalloc(sizeof(struct audit_tree_refs), GFP_KERNEL);
	if (!ctx->trees) {
		ctx->trees = p;
		return 0;
	}
	if (p)
		p->next = ctx->trees;
	else
		ctx->first_trees = ctx->trees;
	ctx->tree_count = 31;
	return 1;
}
#endif

static void unroll_tree_refs(struct audit_context *ctx,
		      struct audit_tree_refs *p, int count)
{
#ifdef CONFIG_AUDIT_TREE
	struct audit_tree_refs *q;
	int n;
	if (!p) {
		/* we started with empty chain */
		p = ctx->first_trees;
		count = 31;
		/* if the very first allocation has failed, nothing to do */
		if (!p)
			return;
	}
	n = count;
	for (q = p; q != ctx->trees; q = q->next, n = 31) {
		while (n--) {
			audit_put_chunk(q->c[n]);
			q->c[n] = NULL;
		}
	}
	while (n-- > ctx->tree_count) {
		audit_put_chunk(q->c[n]);
		q->c[n] = NULL;
	}
	ctx->trees = p;
	ctx->tree_count = count;
#endif
}

static void free_tree_refs(struct audit_context *ctx)
{
	struct audit_tree_refs *p, *q;
	for (p = ctx->first_trees; p; p = q) {
		q = p->next;
		kfree(p);
	}
}

static int match_tree_refs(struct audit_context *ctx, struct audit_tree *tree)
{
#ifdef CONFIG_AUDIT_TREE
	struct audit_tree_refs *p;
	int n;
	if (!tree)
		return 0;
	/* full ones */
	for (p = ctx->first_trees; p != ctx->trees; p = p->next) {
		for (n = 0; n < 31; n++)
			if (audit_tree_match(p->c[n], tree))
				return 1;
	}
	/* partial */
	if (p) {
		for (n = ctx->tree_count; n < 31; n++)
			if (audit_tree_match(p->c[n], tree))
				return 1;
	}
#endif
	return 0;
}

Amy Griffis's avatar
Amy Griffis committed
407
/* Determine if any context name data matches a rule's watch data */
Linus Torvalds's avatar
Linus Torvalds committed
408
409
410
/* Compare a task_struct with an audit_rule.  Return 1 on match, 0
 * otherwise. */
static int audit_filter_rules(struct task_struct *tsk,
411
			      struct audit_krule *rule,
Linus Torvalds's avatar
Linus Torvalds committed
412
			      struct audit_context *ctx,
Amy Griffis's avatar
Amy Griffis committed
413
			      struct audit_names *name,
Linus Torvalds's avatar
Linus Torvalds committed
414
415
			      enum audit_state *state)
{
Steve Grubb's avatar
Steve Grubb committed
416
	int i, j, need_sid = 1;
417
418
	u32 sid;

Linus Torvalds's avatar
Linus Torvalds committed
419
	for (i = 0; i < rule->field_count; i++) {
420
		struct audit_field *f = &rule->fields[i];
Linus Torvalds's avatar
Linus Torvalds committed
421
422
		int result = 0;

423
		switch (f->type) {
Linus Torvalds's avatar
Linus Torvalds committed
424
		case AUDIT_PID:
425
			result = audit_comparator(tsk->pid, f->op, f->val);
Linus Torvalds's avatar
Linus Torvalds committed
426
			break;
Al Viro's avatar
Al Viro committed
427
		case AUDIT_PPID:
Alexander Viro's avatar
Alexander Viro committed
428
429
430
			if (ctx) {
				if (!ctx->ppid)
					ctx->ppid = sys_getppid();
Al Viro's avatar
Al Viro committed
431
				result = audit_comparator(ctx->ppid, f->op, f->val);
Alexander Viro's avatar
Alexander Viro committed
432
			}
Al Viro's avatar
Al Viro committed
433
			break;
Linus Torvalds's avatar
Linus Torvalds committed
434
		case AUDIT_UID:
435
			result = audit_comparator(tsk->uid, f->op, f->val);
Linus Torvalds's avatar
Linus Torvalds committed
436
437
			break;
		case AUDIT_EUID:
438
			result = audit_comparator(tsk->euid, f->op, f->val);
Linus Torvalds's avatar
Linus Torvalds committed
439
440
			break;
		case AUDIT_SUID:
441
			result = audit_comparator(tsk->suid, f->op, f->val);
Linus Torvalds's avatar
Linus Torvalds committed
442
443
			break;
		case AUDIT_FSUID:
444
			result = audit_comparator(tsk->fsuid, f->op, f->val);
Linus Torvalds's avatar
Linus Torvalds committed
445
446
			break;
		case AUDIT_GID:
447
			result = audit_comparator(tsk->gid, f->op, f->val);
Linus Torvalds's avatar
Linus Torvalds committed
448
449
			break;
		case AUDIT_EGID:
450
			result = audit_comparator(tsk->egid, f->op, f->val);
Linus Torvalds's avatar
Linus Torvalds committed
451
452
			break;
		case AUDIT_SGID:
453
			result = audit_comparator(tsk->sgid, f->op, f->val);
Linus Torvalds's avatar
Linus Torvalds committed
454
455
			break;
		case AUDIT_FSGID:
456
			result = audit_comparator(tsk->fsgid, f->op, f->val);
Linus Torvalds's avatar
Linus Torvalds committed
457
458
			break;
		case AUDIT_PERS:
459
			result = audit_comparator(tsk->personality, f->op, f->val);
Linus Torvalds's avatar
Linus Torvalds committed
460
			break;
461
		case AUDIT_ARCH:
462
			if (ctx)
463
				result = audit_comparator(ctx->arch, f->op, f->val);
464
			break;
Linus Torvalds's avatar
Linus Torvalds committed
465
466
467

		case AUDIT_EXIT:
			if (ctx && ctx->return_valid)
468
				result = audit_comparator(ctx->return_code, f->op, f->val);
Linus Torvalds's avatar
Linus Torvalds committed
469
470
			break;
		case AUDIT_SUCCESS:
471
			if (ctx && ctx->return_valid) {
472
473
				if (f->val)
					result = audit_comparator(ctx->return_valid, f->op, AUDITSC_SUCCESS);
474
				else
475
					result = audit_comparator(ctx->return_valid, f->op, AUDITSC_FAILURE);
476
			}
Linus Torvalds's avatar
Linus Torvalds committed
477
478
			break;
		case AUDIT_DEVMAJOR:
Amy Griffis's avatar
Amy Griffis committed
479
480
481
482
			if (name)
				result = audit_comparator(MAJOR(name->dev),
							  f->op, f->val);
			else if (ctx) {
Linus Torvalds's avatar
Linus Torvalds committed
483
				for (j = 0; j < ctx->name_count; j++) {
484
					if (audit_comparator(MAJOR(ctx->names[j].dev),	f->op, f->val)) {
Linus Torvalds's avatar
Linus Torvalds committed
485
486
487
488
489
490
491
						++result;
						break;
					}
				}
			}
			break;
		case AUDIT_DEVMINOR:
Amy Griffis's avatar
Amy Griffis committed
492
493
494
495
			if (name)
				result = audit_comparator(MINOR(name->dev),
							  f->op, f->val);
			else if (ctx) {
Linus Torvalds's avatar
Linus Torvalds committed
496
				for (j = 0; j < ctx->name_count; j++) {
497
					if (audit_comparator(MINOR(ctx->names[j].dev), f->op, f->val)) {
Linus Torvalds's avatar
Linus Torvalds committed
498
499
500
501
502
503
504
						++result;
						break;
					}
				}
			}
			break;
		case AUDIT_INODE:
Amy Griffis's avatar
Amy Griffis committed
505
			if (name)
506
				result = (name->ino == f->val);
Amy Griffis's avatar
Amy Griffis committed
507
			else if (ctx) {
Linus Torvalds's avatar
Linus Torvalds committed
508
				for (j = 0; j < ctx->name_count; j++) {
509
					if (audit_comparator(ctx->names[j].ino, f->op, f->val)) {
Linus Torvalds's avatar
Linus Torvalds committed
510
511
512
513
514
515
						++result;
						break;
					}
				}
			}
			break;
Amy Griffis's avatar
Amy Griffis committed
516
517
518
		case AUDIT_WATCH:
			if (name && rule->watch->ino != (unsigned long)-1)
				result = (name->dev == rule->watch->dev &&
519
					  name->ino == rule->watch->ino);
Amy Griffis's avatar
Amy Griffis committed
520
			break;
Al Viro's avatar
Al Viro committed
521
522
523
524
		case AUDIT_DIR:
			if (ctx)
				result = match_tree_refs(ctx, rule->tree);
			break;
Linus Torvalds's avatar
Linus Torvalds committed
525
526
527
		case AUDIT_LOGINUID:
			result = 0;
			if (ctx)
Al Viro's avatar
Al Viro committed
528
				result = audit_comparator(tsk->loginuid, f->op, f->val);
Linus Torvalds's avatar
Linus Torvalds committed
529
			break;
530
531
532
533
534
		case AUDIT_SUBJ_USER:
		case AUDIT_SUBJ_ROLE:
		case AUDIT_SUBJ_TYPE:
		case AUDIT_SUBJ_SEN:
		case AUDIT_SUBJ_CLR:
535
536
537
538
539
			/* NOTE: this may return negative values indicating
			   a temporary error.  We simply treat this as a
			   match for now to avoid losing information that
			   may be wanted.   An error message will also be
			   logged upon error */
540
			if (f->lsm_rule) {
Steve Grubb's avatar
Steve Grubb committed
541
				if (need_sid) {
542
					security_task_getsecid(tsk, &sid);
Steve Grubb's avatar
Steve Grubb committed
543
544
					need_sid = 0;
				}
545
				result = security_audit_rule_match(sid, f->type,
546
				                                  f->op,
547
				                                  f->lsm_rule,
548
				                                  ctx);
Steve Grubb's avatar
Steve Grubb committed
549
			}
550
			break;
551
552
553
554
555
556
557
		case AUDIT_OBJ_USER:
		case AUDIT_OBJ_ROLE:
		case AUDIT_OBJ_TYPE:
		case AUDIT_OBJ_LEV_LOW:
		case AUDIT_OBJ_LEV_HIGH:
			/* The above note for AUDIT_SUBJ_USER...AUDIT_SUBJ_CLR
			   also applies here */
558
			if (f->lsm_rule) {
559
560
				/* Find files that match */
				if (name) {
561
					result = security_audit_rule_match(
562
					           name->osid, f->type, f->op,
563
					           f->lsm_rule, ctx);
564
565
				} else if (ctx) {
					for (j = 0; j < ctx->name_count; j++) {
566
						if (security_audit_rule_match(
567
568
						      ctx->names[j].osid,
						      f->type, f->op,
569
						      f->lsm_rule, ctx)) {
570
571
572
573
574
575
576
577
578
579
580
581
							++result;
							break;
						}
					}
				}
				/* Find ipc objects that match */
				if (ctx) {
					struct audit_aux_data *aux;
					for (aux = ctx->aux; aux;
					     aux = aux->next) {
						if (aux->type == AUDIT_IPC) {
							struct audit_aux_data_ipcctl *axi = (void *)aux;
582
							if (security_audit_rule_match(axi->osid, f->type, f->op, f->lsm_rule, ctx)) {
583
584
585
586
587
588
589
590
								++result;
								break;
							}
						}
					}
				}
			}
			break;
Linus Torvalds's avatar
Linus Torvalds committed
591
592
593
594
595
		case AUDIT_ARG0:
		case AUDIT_ARG1:
		case AUDIT_ARG2:
		case AUDIT_ARG3:
			if (ctx)
596
				result = audit_comparator(ctx->argv[f->type-AUDIT_ARG0], f->op, f->val);
Linus Torvalds's avatar
Linus Torvalds committed
597
			break;
Amy Griffis's avatar
Amy Griffis committed
598
599
600
601
		case AUDIT_FILTERKEY:
			/* ignore this field for filtering */
			result = 1;
			break;
Al Viro's avatar
Al Viro committed
602
603
604
		case AUDIT_PERM:
			result = audit_match_perm(ctx, f->val);
			break;
605
606
607
		case AUDIT_FILETYPE:
			result = audit_match_filetype(ctx, f->val);
			break;
Linus Torvalds's avatar
Linus Torvalds committed
608
609
610
611
612
		}

		if (!result)
			return 0;
	}
Amy Griffis's avatar
Amy Griffis committed
613
614
	if (rule->filterkey)
		ctx->filterkey = kstrdup(rule->filterkey, GFP_ATOMIC);
Linus Torvalds's avatar
Linus Torvalds committed
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
	switch (rule->action) {
	case AUDIT_NEVER:    *state = AUDIT_DISABLED;	    break;
	case AUDIT_ALWAYS:   *state = AUDIT_RECORD_CONTEXT; break;
	}
	return 1;
}

/* At process creation time, we can determine if system-call auditing is
 * completely disabled for this task.  Since we only have the task
 * structure at this point, we can only check uid and gid.
 */
static enum audit_state audit_filter_task(struct task_struct *tsk)
{
	struct audit_entry *e;
	enum audit_state   state;

	rcu_read_lock();
632
	list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TASK], list) {
Amy Griffis's avatar
Amy Griffis committed
633
		if (audit_filter_rules(tsk, &e->rule, NULL, NULL, &state)) {
Linus Torvalds's avatar
Linus Torvalds committed
634
635
636
637
638
639
640
641
642
643
			rcu_read_unlock();
			return state;
		}
	}
	rcu_read_unlock();
	return AUDIT_BUILD_CONTEXT;
}

/* At syscall entry and exit time, this filter is called if the
 * audit_state is not low enough that auditing cannot take place, but is
Steve Grubb's avatar
Steve Grubb committed
644
 * also not high enough that we already know we have to write an audit
645
 * record (i.e., the state is AUDIT_SETUP_CONTEXT or AUDIT_BUILD_CONTEXT).
Linus Torvalds's avatar
Linus Torvalds committed
646
647
648
649
650
651
 */
static enum audit_state audit_filter_syscall(struct task_struct *tsk,
					     struct audit_context *ctx,
					     struct list_head *list)
{
	struct audit_entry *e;
652
	enum audit_state state;
Linus Torvalds's avatar
Linus Torvalds committed
653

654
	if (audit_pid && tsk->tgid == audit_pid)
655
656
		return AUDIT_DISABLED;

Linus Torvalds's avatar
Linus Torvalds committed
657
	rcu_read_lock();
658
	if (!list_empty(list)) {
659
660
661
662
		int word = AUDIT_WORD(ctx->major);
		int bit  = AUDIT_BIT(ctx->major);

		list_for_each_entry_rcu(e, list, list) {
Amy Griffis's avatar
Amy Griffis committed
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
			if ((e->rule.mask[word] & bit) == bit &&
			    audit_filter_rules(tsk, &e->rule, ctx, NULL,
					       &state)) {
				rcu_read_unlock();
				return state;
			}
		}
	}
	rcu_read_unlock();
	return AUDIT_BUILD_CONTEXT;
}

/* At syscall exit time, this filter is called if any audit_names[] have been
 * collected during syscall processing.  We only check rules in sublists at hash
 * buckets applicable to the inode numbers in audit_names[].
 * Regarding audit_state, same rules apply as for audit_filter_syscall().
 */
enum audit_state audit_filter_inodes(struct task_struct *tsk,
				     struct audit_context *ctx)
{
	int i;
	struct audit_entry *e;
	enum audit_state state;

	if (audit_pid && tsk->tgid == audit_pid)
		return AUDIT_DISABLED;

	rcu_read_lock();
	for (i = 0; i < ctx->name_count; i++) {
		int word = AUDIT_WORD(ctx->major);
		int bit  = AUDIT_BIT(ctx->major);
		struct audit_names *n = &ctx->names[i];
		int h = audit_hash_ino((u32)n->ino);
		struct list_head *list = &audit_inode_hash[h];

		if (list_empty(list))
			continue;

		list_for_each_entry_rcu(e, list, list) {
			if ((e->rule.mask[word] & bit) == bit &&
			    audit_filter_rules(tsk, &e->rule, ctx, n, &state)) {
704
705
706
				rcu_read_unlock();
				return state;
			}
707
708
709
		}
	}
	rcu_read_unlock();
Linus Torvalds's avatar
Linus Torvalds committed
710
	return AUDIT_BUILD_CONTEXT;
711
712
}

Amy Griffis's avatar
Amy Griffis committed
713
714
715
716
717
void audit_set_auditable(struct audit_context *ctx)
{
	ctx->auditable = 1;
}

Linus Torvalds's avatar
Linus Torvalds committed
718
719
720
721
722
723
724
725
726
static inline struct audit_context *audit_get_context(struct task_struct *tsk,
						      int return_valid,
						      int return_code)
{
	struct audit_context *context = tsk->audit_context;

	if (likely(!context))
		return NULL;
	context->return_valid = return_valid;
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744

	/*
	 * we need to fix up the return code in the audit logs if the actual
	 * return codes are later going to be fixed up by the arch specific
	 * signal handlers
	 *
	 * This is actually a test for:
	 * (rc == ERESTARTSYS ) || (rc == ERESTARTNOINTR) ||
	 * (rc == ERESTARTNOHAND) || (rc == ERESTART_RESTARTBLOCK)
	 *
	 * but is faster than a bunch of ||
	 */
	if (unlikely(return_code <= -ERESTARTSYS) &&
	    (return_code >= -ERESTART_RESTARTBLOCK) &&
	    (return_code != -ENOIOCTLCMD))
		context->return_code = -EINTR;
	else
		context->return_code  = return_code;
Linus Torvalds's avatar
Linus Torvalds committed
745

746
	if (context->in_syscall && !context->dummy && !context->auditable) {
Linus Torvalds's avatar
Linus Torvalds committed
747
		enum audit_state state;
Amy Griffis's avatar
Amy Griffis committed
748

749
		state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_EXIT]);
Amy Griffis's avatar
Amy Griffis committed
750
751
752
753
754
755
		if (state == AUDIT_RECORD_CONTEXT) {
			context->auditable = 1;
			goto get_context;
		}

		state = audit_filter_inodes(tsk, context);
Linus Torvalds's avatar
Linus Torvalds committed
756
757
		if (state == AUDIT_RECORD_CONTEXT)
			context->auditable = 1;
Amy Griffis's avatar
Amy Griffis committed
758

Linus Torvalds's avatar
Linus Torvalds committed
759
760
	}

Amy Griffis's avatar
Amy Griffis committed
761
get_context:
762

Linus Torvalds's avatar
Linus Torvalds committed
763
764
765
766
767
768
769
770
771
772
773
	tsk->audit_context = NULL;
	return context;
}

static inline void audit_free_names(struct audit_context *context)
{
	int i;

#if AUDIT_DEBUG == 2
	if (context->auditable
	    ||context->put_count + context->ino_count != context->name_count) {
774
		printk(KERN_ERR "%s:%d(:%d): major=%d in_syscall=%d"
Linus Torvalds's avatar
Linus Torvalds committed
775
776
		       " name_count=%d put_count=%d"
		       " ino_count=%d [NOT freeing]\n",
777
		       __FILE__, __LINE__,
Linus Torvalds's avatar
Linus Torvalds committed
778
779
780
		       context->serial, context->major, context->in_syscall,
		       context->name_count, context->put_count,
		       context->ino_count);
781
		for (i = 0; i < context->name_count; i++) {
Linus Torvalds's avatar
Linus Torvalds committed
782
783
			printk(KERN_ERR "names[%d] = %p = %s\n", i,
			       context->names[i].name,
784
			       context->names[i].name ?: "(null)");
785
		}
Linus Torvalds's avatar
Linus Torvalds committed
786
787
788
789
790
791
792
793
794
		dump_stack();
		return;
	}
#endif
#if AUDIT_DEBUG
	context->put_count  = 0;
	context->ino_count  = 0;
#endif

795
	for (i = 0; i < context->name_count; i++) {
796
		if (context->names[i].name && context->names[i].name_put)
Linus Torvalds's avatar
Linus Torvalds committed
797
			__putname(context->names[i].name);
798
	}
Linus Torvalds's avatar
Linus Torvalds committed
799
	context->name_count = 0;
800
801
802
	path_put(&context->pwd);
	context->pwd.dentry = NULL;
	context->pwd.mnt = NULL;
Linus Torvalds's avatar
Linus Torvalds committed
803
804
805
806
807
808
809
810
811
812
}

static inline void audit_free_aux(struct audit_context *context)
{
	struct audit_aux_data *aux;

	while ((aux = context->aux)) {
		context->aux = aux->next;
		kfree(aux);
	}
Amy Griffis's avatar
Amy Griffis committed
813
814
815
816
	while ((aux = context->aux_pids)) {
		context->aux_pids = aux->next;
		kfree(aux);
	}
Linus Torvalds's avatar
Linus Torvalds committed
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
}

static inline void audit_zero_context(struct audit_context *context,
				      enum audit_state state)
{
	memset(context, 0, sizeof(*context));
	context->state      = state;
}

static inline struct audit_context *audit_alloc_context(enum audit_state state)
{
	struct audit_context *context;

	if (!(context = kmalloc(sizeof(*context), GFP_KERNEL)))
		return NULL;
	audit_zero_context(context, state);
	return context;
}

836
837
838
839
840
/**
 * audit_alloc - allocate an audit context block for a task
 * @tsk: task
 *
 * Filter on the task information and allocate a per-task audit context
Linus Torvalds's avatar
Linus Torvalds committed
841
842
 * if necessary.  Doing so turns on system call auditing for the
 * specified task.  This is called from copy_process, so no lock is
843
844
 * needed.
 */
Linus Torvalds's avatar
Linus Torvalds committed
845
846
847
848
849
int audit_alloc(struct task_struct *tsk)
{
	struct audit_context *context;
	enum audit_state     state;

850
	if (likely(!audit_ever_enabled))
Linus Torvalds's avatar
Linus Torvalds committed
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
		return 0; /* Return if not auditing. */

	state = audit_filter_task(tsk);
	if (likely(state == AUDIT_DISABLED))
		return 0;

	if (!(context = audit_alloc_context(state))) {
		audit_log_lost("out of memory in audit_alloc");
		return -ENOMEM;
	}

	tsk->audit_context  = context;
	set_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT);
	return 0;
}

static inline void audit_free_context(struct audit_context *context)
{
	struct audit_context *previous;
	int		     count = 0;

	do {
		previous = context->previous;
		if (previous || (count &&  count < 10)) {
			++count;
			printk(KERN_ERR "audit(:%d): major=%d name_count=%d:"
			       " freeing multiple contexts (%d)\n",
			       context->serial, context->major,
			       context->name_count, count);
		}
		audit_free_names(context);
Al Viro's avatar
Al Viro committed
882
883
		unroll_tree_refs(context, NULL, 0);
		free_tree_refs(context);
Linus Torvalds's avatar
Linus Torvalds committed
884
		audit_free_aux(context);
Amy Griffis's avatar
Amy Griffis committed
885
		kfree(context->filterkey);
Linus Torvalds's avatar
Linus Torvalds committed
886
887
888
889
890
891
892
		kfree(context);
		context  = previous;
	} while (context);
	if (count >= 10)
		printk(KERN_ERR "audit: freed %d contexts\n", count);
}

Joy Latten's avatar
Joy Latten committed
893
void audit_log_task_context(struct audit_buffer *ab)
894
895
{
	char *ctx = NULL;
896
897
898
899
	unsigned len;
	int error;
	u32 sid;

900
	security_task_getsecid(current, &sid);
901
902
	if (!sid)
		return;
903

904
	error = security_secid_to_secctx(sid, &ctx, &len);
905
906
	if (error) {
		if (error != -EINVAL)
907
908
909
910
911
			goto error_path;
		return;
	}

	audit_log_format(ab, " subj=%s", ctx);
912
	security_release_secctx(ctx, len);
913
	return;
914
915

error_path:
916
	audit_panic("error in audit_log_task_context");
917
918
919
	return;
}

Joy Latten's avatar
Joy Latten committed
920
921
EXPORT_SYMBOL(audit_log_task_context);

922
static void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
923
{
924
925
	char name[sizeof(tsk->comm)];
	struct mm_struct *mm = tsk->mm;
926
927
	struct vm_area_struct *vma;

928
929
	/* tsk == current */

930
	get_task_comm(name, tsk);
931
932
	audit_log_format(ab, " comm=");
	audit_log_untrustedstring(ab, name);
933

934
935
936
937
938
939
940
	if (mm) {
		down_read(&mm->mmap_sem);
		vma = mm->mmap;
		while (vma) {
			if ((vma->vm_flags & VM_EXECUTABLE) &&
			    vma->vm_file) {
				audit_log_d_path(ab, "exe=",
941
						 &vma->vm_file->f_path);
942
943
944
				break;
			}
			vma = vma->vm_next;
945
		}
946
		up_read(&mm->mmap_sem);
947
	}
948
	audit_log_task_context(ab);
949
950
}

Amy Griffis's avatar
Amy Griffis committed
951
static int audit_log_pid_context(struct audit_context *context, pid_t pid,
952
953
				 uid_t auid, uid_t uid, unsigned int sessionid,
				 u32 sid, char *comm)
Amy Griffis's avatar
Amy Griffis committed
954
955
{
	struct audit_buffer *ab;
956
	char *ctx = NULL;
Amy Griffis's avatar
Amy Griffis committed
957
958
959
960
961
	u32 len;
	int rc = 0;

	ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID);
	if (!ab)
962
		return rc;
Amy Griffis's avatar
Amy Griffis committed
963

964
965
	audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid, auid,
			 uid, sessionid);
966
	if (security_secid_to_secctx(sid, &ctx, &len)) {
967
		audit_log_format(ab, " obj=(none)");
Amy Griffis's avatar
Amy Griffis committed
968
		rc = 1;
969
970
971
972
	} else {
		audit_log_format(ab, " obj=%s", ctx);
		security_release_secctx(ctx, len);
	}
973
974
	audit_log_format(ab, " ocomm=");
	audit_log_untrustedstring(ab, comm);
Amy Griffis's avatar
Amy Griffis committed
975
976
977
978
979
	audit_log_end(ab);

	return rc;
}

980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
/*
 * to_send and len_sent accounting are very loose estimates.  We aren't
 * really worried about a hard cap to MAX_EXECVE_AUDIT_LEN so much as being
 * within about 500 bytes (next page boundry)
 *
 * why snprintf?  an int is up to 12 digits long.  if we just assumed when
 * logging that a[%d]= was going to be 16 characters long we would be wasting
 * space in every audit message.  In one 7500 byte message we can log up to
 * about 1000 min size arguments.  That comes down to about 50% waste of space
 * if we didn't do the snprintf to find out how long arg_num_len was.
 */
static int audit_log_single_execve_arg(struct audit_context *context,
					struct audit_buffer **ab,
					int arg_num,
					size_t *len_sent,
					const char __user *p,
					char *buf)
Peter Zijlstra's avatar
Peter Zijlstra committed
997
{
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
	char arg_num_len_buf[12];
	const char __user *tmp_p = p;
	/* how many digits are in arg_num? 3 is the length of a=\n */
	size_t arg_num_len = snprintf(arg_num_len_buf, 12, "%d", arg_num) + 3;
	size_t len, len_left, to_send;
	size_t max_execve_audit_len = MAX_EXECVE_AUDIT_LEN;
	unsigned int i, has_cntl = 0, too_long = 0;
	int ret;

	/* strnlen_user includes the null we don't want to send */
	len_left = len = strnlen_user(p, MAX_ARG_STRLEN) - 1;
Peter Zijlstra's avatar
Peter Zijlstra committed
1009

1010
1011
1012
1013
1014
1015
	/*
	 * We just created this mm, if we can't find the strings
	 * we just copied into it something is _very_ wrong. Similar
	 * for strings that are too long, we should not have created
	 * any.
	 */
1016
	if (unlikely((len == -1) || len > MAX_ARG_STRLEN - 1)) {
1017
1018
		WARN_ON(1);
		send_sig(SIGKILL, current, 0);
1019
		return -1;
1020
	}
1021

1022
1023
1024
1025
1026
1027
1028
	/* walk the whole argument looking for non-ascii chars */
	do {
		if (len_left > MAX_EXECVE_AUDIT_LEN)
			to_send = MAX_EXECVE_AUDIT_LEN;
		else
			to_send = len_left;
		ret = copy_from_user(buf, tmp_p, to_send);
Peter Zijlstra's avatar
Peter Zijlstra committed
1029
		/*
1030
1031
1032
		 * There is no reason for this copy to be short. We just
		 * copied them here, and the mm hasn't been exposed to user-
		 * space yet.
Peter Zijlstra's avatar
Peter Zijlstra committed
1033
		 */
1034
		if (ret) {
Peter Zijlstra's avatar
Peter Zijlstra committed
1035
1036
			WARN_ON(1);
			send_sig(SIGKILL, current, 0);
1037
			return -1;
Peter Zijlstra's avatar
Peter Zijlstra committed
1038
		}
1039
1040
1041
1042
1043
1044
1045
1046
		buf[to_send] = '\0';
		has_cntl = audit_string_contains_control(buf, to_send);
		if (has_cntl) {
			/*
			 * hex messages get logged as 2 bytes, so we can only
			 * send half as much in each message
			 */
			max_execve_audit_len = MAX_EXECVE_AUDIT_LEN / 2;
Peter Zijlstra's avatar
Peter Zijlstra committed
1047
1048
			break;
		}
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
		len_left -= to_send;
		tmp_p += to_send;
	} while (len_left > 0);

	len_left = len;

	if (len > max_execve_audit_len)
		too_long = 1;

	/* rewalk the argument actually logging the message */
	for (i = 0; len_left > 0; i++) {
		int room_left;

		if (len_left > max_execve_audit_len)
			to_send = max_execve_audit_len;
		else
			to_send = len_left;

		/* do we have space left to send this argument in this ab? */
		room_left = MAX_EXECVE_AUDIT_LEN - arg_num_len - *len_sent;
		if (has_cntl)
			room_left -= (to_send * 2);
		else
			room_left -= to_send;
		if (room_left < 0) {
			*len_sent = 0;
			audit_log_end(*ab);
			*ab = audit_log_start(context, GFP_KERNEL, AUDIT_EXECVE);
			if (!*ab)
				return 0;
		}
Peter Zijlstra's avatar
Peter Zijlstra committed
1080
1081

		/*
1082
1083
1084
1085
		 * first record needs to say how long the original string was
		 * so we can be sure nothing was lost.
		 */
		if ((i == 0) && (too_long))
1086
			audit_log_format(*ab, "a%d_len=%zu ", arg_num,
1087
1088
1089
1090
1091
1092
					 has_cntl ? 2*len : len);

		/*
		 * normally arguments are small enough to fit and we already
		 * filled buf above when we checked for control characters
		 * so don't bother with another copy_from_user
Peter Zijlstra's avatar
Peter Zijlstra committed
1093
		 */
1094
1095
1096
1097
		if (len >= max_execve_audit_len)
			ret = copy_from_user(buf, p, to_send);
		else
			ret = 0;
1098
		if (ret) {
Peter Zijlstra's avatar
Peter Zijlstra committed
1099
1100
			WARN_ON(1);
			send_sig(SIGKILL, current, 0);
1101
			return -1;
Peter Zijlstra's avatar
Peter Zijlstra committed
1102
		}
1103
1104
1105
1106
1107
1108
1109
1110
		buf[to_send] = '\0';

		/* actually log it */
		audit_log_format(*ab, "a%d", arg_num);
		if (too_long)
			audit_log_format(*ab, "[%d]", i);
		audit_log_format(*ab, "=");
		if (has_cntl)
1111
			audit_log_n_hex(*ab, buf, to_send);
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
		else
			audit_log_format(*ab, "\"%s\"", buf);
		audit_log_format(*ab, "\n");

		p += to_send;
		len_left -= to_send;
		*len_sent += arg_num_len;
		if (has_cntl)
			*len_sent += to_send * 2;
		else
			*len_sent += to_send;
	}
	/* include the null we didn't log */
	return len + 1;
}

static void audit_log_execve_info(struct audit_context *context,
				  struct audit_buffer **ab,
				  struct audit_aux_data_execve *axi)
{
	int i;
	size_t len, len_sent = 0;
	const char __user *p;
	char *buf;
Peter Zijlstra's avatar
Peter Zijlstra committed
1136

1137
1138
1139
1140
	if (axi->mm != current->mm)
		return; /* execve failed, no additional info */

	p = (const char __user *)axi->mm->arg_start;
Peter Zijlstra's avatar
Peter Zijlstra committed
1141

1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
	audit_log_format(*ab, "argc=%d ", axi->argc);

	/*
	 * we need some kernel buffer to hold the userspace args.  Just
	 * allocate one big one rather than allocating one of the right size
	 * for every single argument inside audit_log_single_execve_arg()
	 * should be <8k allocation so should be pretty safe.
	 */
	buf = kmalloc(MAX_EXECVE_AUDIT_LEN + 1, GFP_KERNEL);
	if (!buf) {
		audit_panic("out of memory for argv string\n");
		return;
Peter Zijlstra's avatar
Peter Zijlstra committed
1154
	}
1155
1156
1157
1158
1159
1160
1161
1162
1163

	for (i = 0; i < axi->argc; i++) {
		len = audit_log_single_execve_arg(context, ab, i,
						  &len_sent, p, buf);
		if (len <= 0)
			break;
		p += len;
	}
	kfree(buf);
Peter Zijlstra's avatar
Peter Zijlstra committed
1164
1165
}

1166
static void audit_log_exit(struct audit_context *context, struct task_struct *tsk)
Linus Torvalds's avatar
Linus Torvalds committed
1167
{
Steve Grubb's avatar
Steve Grubb committed
1168
	int i, call_panic = 0;
Linus Torvalds's avatar
Linus Torvalds committed
1169
	struct audit_buffer *ab;
1170
	struct audit_aux_data *aux;
1171
	const char *tty;
Linus Torvalds's avatar
Linus Torvalds committed
1172

1173
	/* tsk == current */
1174
	context->pid = tsk->pid;
Alexander Viro's avatar
Alexander Viro committed
1175
1176
	if (!context->ppid)
		context->ppid = sys_getppid();
1177
1178
1179
1180
1181
1182
1183
1184
1185
	context->uid = tsk->uid;
	context->gid = tsk->gid;
	context->euid = tsk->euid;
	context->suid = tsk->suid;
	context->fsuid = tsk->fsuid;
	context->egid = tsk->egid;
	context->sgid = tsk->sgid;
	context->fsgid = tsk->fsgid;
	context->personality = tsk->personality;
1186
1187

	ab = audit_log_start(context, GFP_KERNEL, AUDIT_SYSCALL);
Linus Torvalds's avatar
Linus Torvalds committed
1188
1189
	if (!ab)
		return;		/* audit_panic has been called */
1190
1191
	audit_log_format(ab, "arch=%x syscall=%d",
			 context->arch, context->major);
Linus Torvalds's avatar
Linus Torvalds committed
1192
1193
1194
	if (context->personality != PER_LINUX)
		audit_log_format(ab, " per=%lx", context->personality);
	if (context->return_valid)
1195
		audit_log_format(ab, " success=%s exit=%ld",
1196
1197
				 (context->return_valid==AUDITSC_SUCCESS)?"yes":"no",
				 context->return_code);
1198
1199

	mutex_lock(&tty_mutex);
1200
	read_lock(&tasklist_lock);
1201
1202
	if (tsk->signal && tsk->signal->tty && tsk->signal->tty->name)
		tty = tsk->signal->tty->name;
1203
1204
	else
		tty = "(none)";
1205
	read_unlock(&tasklist_lock);
Linus Torvalds's avatar
Linus Torvalds committed
1206
1207
	audit_log_format(ab,
		  " a0=%lx a1=%lx a2=%lx a3=%lx items=%d"
Al Viro's avatar
Al Viro committed
1208
		  " ppid=%d pid=%d auid=%u uid=%u gid=%u"
1209
		  " euid=%u suid=%u fsuid=%u"
1210
		  " egid=%u sgid=%u fsgid=%u tty=%s ses=%u",
Linus Torvalds's avatar
Linus Torvalds committed
1211
1212
1213
1214
1215
		  context->argv[0],
		  context->argv[1],
		  context->argv[2],
		  context->argv[3],
		  context->name_count,
Al Viro's avatar
Al Viro committed
1216
		  context->ppid,
Linus Torvalds's avatar
Linus Torvalds committed
1217
		  context->pid,
Al Viro's avatar
Al Viro committed
1218
		  tsk->loginuid,
Linus Torvalds's avatar
Linus Torvalds committed
1219
1220
1221
		  context->uid,
		  context->gid,
		  context->euid, context->suid, context->fsuid,
1222
1223
		  context->egid, context->sgid, context->fsgid, tty,
		  tsk->sessionid);
1224
1225
1226

	mutex_unlock(&tty_mutex);

1227
	audit_log_task_info(ab, tsk);
Amy Griffis's avatar
Amy Griffis committed
1228
1229
1230
1231
1232
	if (context->filterkey) {
		audit_log_format(ab, " key=");
		audit_log_untrustedstring(ab, context->filterkey);
	} else
		audit_log_format(ab, " key=(null)");
Linus Torvalds's avatar
Linus Torvalds committed
1233
1234
	audit_log_end(ab);

1235
	for (aux = context->aux; aux; aux = aux->next) {
1236

1237
		ab = audit_log_start(context, GFP_KERNEL, aux->type);
Linus Torvalds's avatar
Linus Torvalds committed
1238
1239
1240
1241
		if (!ab)
			continue; /* audit_panic has been called */

		switch (aux->type) {
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
		case AUDIT_MQ_OPEN: {
			struct audit_aux_data_mq_open *axi = (void *)aux;
			audit_log_format(ab,
				"oflag=0x%x mode=%#o mq_flags=0x%lx mq_maxmsg=%ld "
				"mq_msgsize=%ld mq_curmsgs=%ld",
				axi->oflag, axi->mode, axi->attr.mq_flags,
				axi->attr.mq_maxmsg, axi->attr.mq_msgsize,
				axi->attr.mq_curmsgs);
			break; }

		case AUDIT_MQ_SENDRECV: {
			struct audit_aux_data_mq_sendrecv *axi = (void *)aux;
			audit_log_format(ab,
				"mqdes=%d msg_len=%zd msg_prio=%u "
				"abs_timeout_sec=%ld abs_timeout_nsec=%ld",
				axi->mqdes, axi->msg_len, axi->msg_prio,
				axi->abs_timeout.tv_sec, axi->abs_timeout.tv_nsec);
			break; }

		case AUDIT_MQ_NOTIFY: {
			struct audit_aux_data_mq_notify *axi = (void *)aux;
			audit_log_format(ab,
				"mqdes=%d sigev_signo=%d",
				axi->mqdes,
				axi->notification.sigev_signo);
			break; }

		case AUDIT_MQ_GETSETATTR: {
			struct audit_aux_data_mq_getsetattr *axi = (void *)aux;
			audit_log_format(ab,
				"mqdes=%d mq_flags=0x%lx mq_maxmsg=%ld mq_msgsize=%ld "
				"mq_curmsgs=%ld ",
				axi->mqdes,
				axi->mqstat.mq_flags, axi->mqstat.mq_maxmsg,
				axi->mqstat.mq_msgsize, axi->mqstat.mq_curmsgs);
			break; }

1279
		case AUDIT_IPC: {
Linus Torvalds's avatar
Linus Torvalds committed
1280
1281
			struct audit_aux_data_ipcctl *axi = (void *)aux;
			audit_log_format(ab, 
Steve Grubb's avatar
Steve Grubb committed
1282
				 "ouid=%u ogid=%u mode=%#o",
1283
				 axi->uid, axi->gid, axi->mode);
Steve Grubb's avatar
Steve Grubb committed
1284
1285
1286
			if (axi->osid != 0) {
				char *ctx = NULL;
				u32 len;
1287
				if (security_secid_to_secctx(
Steve Grubb's avatar
Steve Grubb committed
1288
						axi->osid, &ctx, &len)) {
1289
					audit_log_format(ab, " osid=%u",
Steve Grubb's avatar
Steve Grubb committed
1290
1291
							axi->osid);
					call_panic = 1;
1292
				} else {
Steve Grubb's avatar
Steve Grubb committed
1293
					audit_log_format(ab, " obj=%s", ctx);
1294
1295
					security_release_secctx(ctx, len);
				}
Steve Grubb's avatar
Steve Grubb committed
1296
			}
1297
1298
			break; }

Steve Grubb's avatar
Steve Grubb committed
1299
1300
1301
		case AUDIT_IPC_SET_PERM: {
			struct audit_aux_data_ipcctl *axi = (void *)aux;
			audit_log_format(ab,
Steve Grubb's avatar
Steve Grubb committed
1302
				"qbytes=%lx ouid=%u ogid=%u mode=%#o",
Steve Grubb's avatar
Steve Grubb committed
1303
1304
				axi->qbytes, axi->uid, axi->gid, axi->mode);
			break; }
1305

Al Viro's avatar
Al Viro committed
1306
1307
		case AUDIT_EXECVE: {
			struct audit_aux_data_execve *axi = (void *)aux;
1308
			audit_log_execve_info(context, &ab, axi);
Al Viro's avatar
Al Viro committed
1309
			break; }
Steve Grubb's avatar
Steve Grubb committed
1310

1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
		case AUDIT_SOCKETCALL: {
			struct audit_aux_data_socketcall *axs = (void *)aux;
			audit_log_format(ab, "nargs=%d", axs->nargs);
			for (i=0; i<axs->nargs; i++)
				audit_log_format(ab, " a%d=%lx", i, axs->args[i]);
			break; }

		case AUDIT_SOCKADDR: {
			struct audit_aux_data_sockaddr *axs = (void *)aux;

			audit_log_format(ab, "saddr=");
1322
			audit_log_n_hex(ab, axs->a, axs->len);
1323
			break; }
1324

Al Viro's avatar
Al Viro committed
1325
1326
1327
1328
1329
		case AUDIT_FD_PAIR: {
			struct audit_aux_data_fd_pair *axs = (void *)aux;
			audit_log_format(ab, "fd0=%d fd1=%d", axs->fd[0], axs->fd[1]);
			break; }

Linus Torvalds's avatar
Linus Torvalds committed
1330
1331
1332
1333
		}
		audit_log_end(ab);
	}