audit.c 39.3 KB
Newer Older
1
/* audit.c -- Auditing support
Linus Torvalds's avatar
Linus Torvalds committed
2
3
4
 * Gateway between the kernel (e.g., selinux) and the user-space audit daemon.
 * System-call specific features have moved to auditsc.c
 *
Steve Grubb's avatar
Steve Grubb committed
5
 * Copyright 2003-2007 Red Hat Inc., Durham, North Carolina.
Linus Torvalds's avatar
Linus Torvalds committed
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
 * All Rights Reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 *
 * Written by Rickard E. (Rik) Faith <faith@redhat.com>
 *
24
 * Goals: 1) Integrate fully with Security Modules.
Linus Torvalds's avatar
Linus Torvalds committed
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
 *	  2) Minimal run-time overhead:
 *	     a) Minimal when syscall auditing is disabled (audit_enable=0).
 *	     b) Small when syscall auditing is enabled and no audit record
 *		is generated (defer as much work as possible to record
 *		generation time):
 *		i) context is allocated,
 *		ii) names from getname are stored without a copy, and
 *		iii) inode information stored from path_lookup.
 *	  3) Ability to disable syscall auditing at boot time (audit=0).
 *	  4) Usable by other parts of the kernel (if audit_log* is called,
 *	     then a syscall record will be generated automatically for the
 *	     current syscall).
 *	  5) Netlink interface to user-space.
 *	  6) Support low-overhead kernel-based filtering to minimize the
 *	     information that must be passed to user-space.
 *
41
 * Example user-space utilities: http://people.redhat.com/sgrubb/audit/
Linus Torvalds's avatar
Linus Torvalds committed
42
43
44
45
 */

#include <linux/init.h>
#include <asm/types.h>
46
#include <asm/atomic.h>
Linus Torvalds's avatar
Linus Torvalds committed
47
48
#include <linux/mm.h>
#include <linux/module.h>
49
50
#include <linux/err.h>
#include <linux/kthread.h>
Linus Torvalds's avatar
Linus Torvalds committed
51
52
53
54

#include <linux/audit.h>

#include <net/sock.h>
55
#include <net/netlink.h>
Linus Torvalds's avatar
Linus Torvalds committed
56
57
#include <linux/skbuff.h>
#include <linux/netlink.h>
Amy Griffis's avatar
Amy Griffis committed
58
#include <linux/inotify.h>
59
#include <linux/freezer.h>
Miloslav Trmac's avatar
Miloslav Trmac committed
60
#include <linux/tty.h>
61
62

#include "audit.h"
Linus Torvalds's avatar
Linus Torvalds committed
63

64
/* No auditing will take place until audit_initialized == AUDIT_INITIALIZED.
Linus Torvalds's avatar
Linus Torvalds committed
65
 * (Initialization happens after skb_init is called.) */
66
67
68
#define AUDIT_DISABLED		-1
#define AUDIT_UNINITIALIZED	0
#define AUDIT_INITIALIZED	1
Linus Torvalds's avatar
Linus Torvalds committed
69
70
static int	audit_initialized;

71
72
73
#define AUDIT_OFF	0
#define AUDIT_ON	1
#define AUDIT_LOCKED	2
Linus Torvalds's avatar
Linus Torvalds committed
74
int		audit_enabled;
75
int		audit_ever_enabled;
Linus Torvalds's avatar
Linus Torvalds committed
76
77
78
79
80
81
82

/* Default state when kernel boots without any parameters. */
static int	audit_default;

/* If auditing cannot proceed, audit_failure selects what happens. */
static int	audit_failure = AUDIT_FAIL_PRINTK;

83
84
85
86
87
/*
 * If audit records are to be written to the netlink socket, audit_pid
 * contains the pid of the auditd process and audit_nlk_pid contains
 * the pid to use to send netlink messages to that process.
 */
88
int		audit_pid;
89
static int	audit_nlk_pid;
Linus Torvalds's avatar
Linus Torvalds committed
90

91
/* If audit_rate_limit is non-zero, limit the rate of sending audit records
Linus Torvalds's avatar
Linus Torvalds committed
92
93
94
95
96
97
 * to that number per second.  This prevents DoS attacks, but results in
 * audit records being dropped. */
static int	audit_rate_limit;

/* Number of outstanding audit_buffers allowed. */
static int	audit_backlog_limit = 64;
98
99
static int	audit_backlog_wait_time = 60 * HZ;
static int	audit_backlog_wait_overflow = 0;
Linus Torvalds's avatar
Linus Torvalds committed
100

101
102
103
/* The identity of the user shutting down the audit system. */
uid_t		audit_sig_uid = -1;
pid_t		audit_sig_pid = -1;
104
u32		audit_sig_sid = 0;
105

Linus Torvalds's avatar
Linus Torvalds committed
106
107
108
109
110
111
112
113
114
115
116
117
/* Records can be lost in several ways:
   0) [suppressed in audit_alloc]
   1) out of memory in audit_log_start [kmalloc of struct audit_buffer]
   2) out of memory in audit_log_move [alloc_skb]
   3) suppressed due to audit_rate_limit
   4) suppressed due to audit_backlog_limit
*/
static atomic_t    audit_lost = ATOMIC_INIT(0);

/* The netlink socket. */
static struct sock *audit_sock;

Amy Griffis's avatar
Amy Griffis committed
118
119
120
/* Hash for inode-based rules */
struct list_head audit_inode_hash[AUDIT_INODE_BUCKETS];

121
/* The audit_freelist is a list of pre-allocated audit buffers (if more
Linus Torvalds's avatar
Linus Torvalds committed
122
123
124
 * than AUDIT_MAXFREE are in use, the audit buffer is freed instead of
 * being placed on the freelist). */
static DEFINE_SPINLOCK(audit_freelist_lock);
125
static int	   audit_freelist_count;
Linus Torvalds's avatar
Linus Torvalds committed
126
127
static LIST_HEAD(audit_freelist);

128
static struct sk_buff_head audit_skb_queue;
129
130
/* queue of skbs to send to auditd when/if it comes back */
static struct sk_buff_head audit_skb_hold_queue;
131
132
static struct task_struct *kauditd_task;
static DECLARE_WAIT_QUEUE_HEAD(kauditd_wait);
133
static DECLARE_WAIT_QUEUE_HEAD(audit_backlog_wait);
Linus Torvalds's avatar
Linus Torvalds committed
134

Amy Griffis's avatar
Amy Griffis committed
135
/* Serialize requests from userspace. */
136
DEFINE_MUTEX(audit_cmd_mutex);
Linus Torvalds's avatar
Linus Torvalds committed
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153

/* AUDIT_BUFSIZ is the size of the temporary buffer used for formatting
 * audit records.  Since printk uses a 1024 byte buffer, this buffer
 * should be at least that large. */
#define AUDIT_BUFSIZ 1024

/* AUDIT_MAXFREE is the number of empty audit_buffers we keep on the
 * audit_freelist.  Doing so eliminates many kmalloc/kfree calls. */
#define AUDIT_MAXFREE  (2*NR_CPUS)

/* The audit_buffer is used when formatting an audit record.  The caller
 * locks briefly to get the record off the freelist or to allocate the
 * buffer, and locks briefly to send the buffer to the netlink layer or
 * to place it on a transmit queue.  Multiple audit_buffers can be in
 * use simultaneously. */
struct audit_buffer {
	struct list_head     list;
154
	struct sk_buff       *skb;	/* formatted skb ready to send */
Linus Torvalds's avatar
Linus Torvalds committed
155
	struct audit_context *ctx;	/* NULL or associated context */
Al Viro's avatar
Al Viro committed
156
	gfp_t		     gfp_mask;
Linus Torvalds's avatar
Linus Torvalds committed
157
158
};

159
160
161
162
163
struct audit_reply {
	int pid;
	struct sk_buff *skb;
};

164
165
static void audit_set_pid(struct audit_buffer *ab, pid_t pid)
{
166
167
168
169
	if (ab) {
		struct nlmsghdr *nlh = nlmsg_hdr(ab->skb);
		nlh->nlmsg_pid = pid;
	}
170
171
}

172
void audit_panic(const char *message)
Linus Torvalds's avatar
Linus Torvalds committed
173
174
175
176
177
178
{
	switch (audit_failure)
	{
	case AUDIT_FAIL_SILENT:
		break;
	case AUDIT_FAIL_PRINTK:
179
180
		if (printk_ratelimit())
			printk(KERN_ERR "audit: %s\n", message);
Linus Torvalds's avatar
Linus Torvalds committed
181
182
		break;
	case AUDIT_FAIL_PANIC:
183
184
185
		/* test audit_pid since printk is always losey, why bother? */
		if (audit_pid)
			panic("audit: %s\n", message);
Linus Torvalds's avatar
Linus Torvalds committed
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
		break;
	}
}

static inline int audit_rate_check(void)
{
	static unsigned long	last_check = 0;
	static int		messages   = 0;
	static DEFINE_SPINLOCK(lock);
	unsigned long		flags;
	unsigned long		now;
	unsigned long		elapsed;
	int			retval	   = 0;

	if (!audit_rate_limit) return 1;

	spin_lock_irqsave(&lock, flags);
	if (++messages < audit_rate_limit) {
		retval = 1;
	} else {
		now     = jiffies;
		elapsed = now - last_check;
		if (elapsed > HZ) {
			last_check = now;
			messages   = 0;
			retval     = 1;
		}
	}
	spin_unlock_irqrestore(&lock, flags);

	return retval;
}

219
220
221
222
223
224
225
226
/**
 * audit_log_lost - conditionally log lost audit message event
 * @message: the message stating reason for lost audit message
 *
 * Emit at least 1 message per second, even if audit_rate_check is
 * throttling.
 * Always increment the lost messages counter.
*/
Linus Torvalds's avatar
Linus Torvalds committed
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
void audit_log_lost(const char *message)
{
	static unsigned long	last_msg = 0;
	static DEFINE_SPINLOCK(lock);
	unsigned long		flags;
	unsigned long		now;
	int			print;

	atomic_inc(&audit_lost);

	print = (audit_failure == AUDIT_FAIL_PANIC || !audit_rate_limit);

	if (!print) {
		spin_lock_irqsave(&lock, flags);
		now = jiffies;
		if (now - last_msg > HZ) {
			print = 1;
			last_msg = now;
		}
		spin_unlock_irqrestore(&lock, flags);
	}

	if (print) {
250
251
252
253
254
255
256
		if (printk_ratelimit())
			printk(KERN_WARNING
				"audit: audit_lost=%d audit_rate_limit=%d "
				"audit_backlog_limit=%d\n",
				atomic_read(&audit_lost),
				audit_rate_limit,
				audit_backlog_limit);
Linus Torvalds's avatar
Linus Torvalds committed
257
258
259
260
		audit_panic(message);
	}
}

261
static int audit_log_config_change(char *function_name, int new, int old,
262
263
				   uid_t loginuid, u32 sessionid, u32 sid,
				   int allow_changes)
Linus Torvalds's avatar
Linus Torvalds committed
264
{
265
266
	struct audit_buffer *ab;
	int rc = 0;
267

268
	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
269
270
	audit_log_format(ab, "%s=%d old=%d auid=%u ses=%u", function_name, new,
			 old, loginuid, sessionid);
271
272
273
	if (sid) {
		char *ctx = NULL;
		u32 len;
274

275
		rc = security_secid_to_secctx(sid, &ctx, &len);
276
277
278
279
280
		if (rc) {
			audit_log_format(ab, " sid=%u", sid);
			allow_changes = 0; /* Something weird, deny request */
		} else {
			audit_log_format(ab, " subj=%s", ctx);
281
			security_release_secctx(ctx, len);
282
		}
Steve Grubb's avatar
Steve Grubb committed
283
	}
284
285
	audit_log_format(ab, " res=%d", allow_changes);
	audit_log_end(ab);
Steve Grubb's avatar
Steve Grubb committed
286
	return rc;
Linus Torvalds's avatar
Linus Torvalds committed
287
288
}

289
static int audit_do_config_change(char *function_name, int *to_change,
290
291
				  int new, uid_t loginuid, u32 sessionid,
				  u32 sid)
Linus Torvalds's avatar
Linus Torvalds committed
292
{
293
	int allow_changes, rc = 0, old = *to_change;
Steve Grubb's avatar
Steve Grubb committed
294
295

	/* check if we are locked */
296
297
	if (audit_enabled == AUDIT_LOCKED)
		allow_changes = 0;
Steve Grubb's avatar
Steve Grubb committed
298
	else
299
		allow_changes = 1;
300

301
	if (audit_enabled != AUDIT_OFF) {
302
303
		rc = audit_log_config_change(function_name, new, old, loginuid,
					     sessionid, sid, allow_changes);
304
305
		if (rc)
			allow_changes = 0;
Steve Grubb's avatar
Steve Grubb committed
306
307
308
	}

	/* If we are allowed, make the change */
309
310
	if (allow_changes == 1)
		*to_change = new;
Steve Grubb's avatar
Steve Grubb committed
311
312
313
314
	/* Not allowed, update reason */
	else if (rc == 0)
		rc = -EPERM;
	return rc;
Linus Torvalds's avatar
Linus Torvalds committed
315
316
}

317
318
static int audit_set_rate_limit(int limit, uid_t loginuid, u32 sessionid,
				u32 sid)
Linus Torvalds's avatar
Linus Torvalds committed
319
{
320
	return audit_do_config_change("audit_rate_limit", &audit_rate_limit,
321
				      limit, loginuid, sessionid, sid);
322
}
323

324
325
static int audit_set_backlog_limit(int limit, uid_t loginuid, u32 sessionid,
				   u32 sid)
326
327
{
	return audit_do_config_change("audit_backlog_limit", &audit_backlog_limit,
328
				      limit, loginuid, sessionid, sid);
329
}
Steve Grubb's avatar
Steve Grubb committed
330

331
static int audit_set_enabled(int state, uid_t loginuid, u32 sessionid, u32 sid)
332
{
333
	int rc;
334
335
	if (state < AUDIT_OFF || state > AUDIT_LOCKED)
		return -EINVAL;
Steve Grubb's avatar
Steve Grubb committed
336

337
	rc =  audit_do_config_change("audit_enabled", &audit_enabled, state,
338
				     loginuid, sessionid, sid);
339
340
341
342
343

	if (!rc)
		audit_ever_enabled |= !!state;

	return rc;
Linus Torvalds's avatar
Linus Torvalds committed
344
345
}

346
static int audit_set_failure(int state, uid_t loginuid, u32 sessionid, u32 sid)
Linus Torvalds's avatar
Linus Torvalds committed
347
348
349
350
351
{
	if (state != AUDIT_FAIL_SILENT
	    && state != AUDIT_FAIL_PRINTK
	    && state != AUDIT_FAIL_PANIC)
		return -EINVAL;
352

353
	return audit_do_config_change("audit_failure", &audit_failure, state,
354
				      loginuid, sessionid, sid);
Linus Torvalds's avatar
Linus Torvalds committed
355
356
}

357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
/*
 * Queue skbs to be sent to auditd when/if it comes back.  These skbs should
 * already have been sent via prink/syslog and so if these messages are dropped
 * it is not a huge concern since we already passed the audit_log_lost()
 * notification and stuff.  This is just nice to get audit messages during
 * boot before auditd is running or messages generated while auditd is stopped.
 * This only holds messages is audit_default is set, aka booting with audit=1
 * or building your kernel that way.
 */
static void audit_hold_skb(struct sk_buff *skb)
{
	if (audit_default &&
	    skb_queue_len(&audit_skb_hold_queue) < audit_backlog_limit)
		skb_queue_tail(&audit_skb_hold_queue, skb);
	else
		kfree_skb(skb);
}

375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
/*
 * For one reason or another this nlh isn't getting delivered to the userspace
 * audit daemon, just send it to printk.
 */
static void audit_printk_skb(struct sk_buff *skb)
{
	struct nlmsghdr *nlh = nlmsg_hdr(skb);
	char *data = NLMSG_DATA(nlh);

	if (nlh->nlmsg_type != AUDIT_EOE) {
		if (printk_ratelimit())
			printk(KERN_NOTICE "type=%d %s\n", nlh->nlmsg_type, data);
		else
			audit_log_lost("printk limit exceeded\n");
	}

	audit_hold_skb(skb);
}

394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
static void kauditd_send_skb(struct sk_buff *skb)
{
	int err;
	/* take a reference in case we can't send it and we want to hold it */
	skb_get(skb);
	err = netlink_unicast(audit_sock, skb, audit_nlk_pid, 0);
	if (err < 0) {
		BUG_ON(err != -ECONNREFUSED); /* Shoudn't happen */
		printk(KERN_ERR "audit: *NO* daemon at audit_pid=%d\n", audit_pid);
		audit_log_lost("auditd dissapeared\n");
		audit_pid = 0;
		/* we might get lucky and get this in the next auditd */
		audit_hold_skb(skb);
	} else
		/* drop the extra reference if sent ok */
		kfree_skb(skb);
}

Adrian Bunk's avatar
Adrian Bunk committed
412
static int kauditd_thread(void *dummy)
413
414
415
{
	struct sk_buff *skb;

416
	set_freezable();
417
	while (!kthread_should_stop()) {
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
		/*
		 * if auditd just started drain the queue of messages already
		 * sent to syslog/printk.  remember loss here is ok.  we already
		 * called audit_log_lost() if it didn't go out normally.  so the
		 * race between the skb_dequeue and the next check for audit_pid
		 * doesn't matter.
		 *
		 * if you ever find kauditd to be too slow we can get a perf win
		 * by doing our own locking and keeping better track if there
		 * are messages in this queue.  I don't see the need now, but
		 * in 5 years when I want to play with this again I'll see this
		 * note and still have no friggin idea what i'm thinking today.
		 */
		if (audit_default && audit_pid) {
			skb = skb_dequeue(&audit_skb_hold_queue);
			if (unlikely(skb)) {
				while (skb && audit_pid) {
					kauditd_send_skb(skb);
					skb = skb_dequeue(&audit_skb_hold_queue);
				}
			}
		}

441
		skb = skb_dequeue(&audit_skb_queue);
442
		wake_up(&audit_backlog_wait);
443
		if (skb) {
444
445
			if (audit_pid)
				kauditd_send_skb(skb);
446
447
			else
				audit_printk_skb(skb);
448
449
450
451
452
		} else {
			DECLARE_WAITQUEUE(wait, current);
			set_current_state(TASK_INTERRUPTIBLE);
			add_wait_queue(&kauditd_wait, &wait);

453
454
			if (!skb_queue_len(&audit_skb_queue)) {
				try_to_freeze();
455
				schedule();
456
			}
457
458
459
460
461

			__set_current_state(TASK_RUNNING);
			remove_wait_queue(&kauditd_wait, &wait);
		}
	}
462
	return 0;
463
464
}

465
static int audit_prepare_user_tty(pid_t pid, uid_t loginuid, u32 sessionid)
Miloslav Trmac's avatar
Miloslav Trmac committed
466
467
468
469
470
{
	struct task_struct *tsk;
	int err;

	read_lock(&tasklist_lock);
471
	tsk = find_task_by_vpid(pid);
Miloslav Trmac's avatar
Miloslav Trmac committed
472
473
474
475
476
477
478
479
480
481
482
483
	err = -ESRCH;
	if (!tsk)
		goto out;
	err = 0;

	spin_lock_irq(&tsk->sighand->siglock);
	if (!tsk->signal->audit_tty)
		err = -EPERM;
	spin_unlock_irq(&tsk->sighand->siglock);
	if (err)
		goto out;

484
	tty_audit_push_task(tsk, loginuid, sessionid);
Miloslav Trmac's avatar
Miloslav Trmac committed
485
486
487
488
489
out:
	read_unlock(&tasklist_lock);
	return err;
}

490
491
492
493
494
495
496
int audit_send_list(void *_dest)
{
	struct audit_netlink_list *dest = _dest;
	int pid = dest->pid;
	struct sk_buff *skb;

	/* wait for parent to finish and send an ACK */
Amy Griffis's avatar
Amy Griffis committed
497
498
	mutex_lock(&audit_cmd_mutex);
	mutex_unlock(&audit_cmd_mutex);
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516

	while ((skb = __skb_dequeue(&dest->q)) != NULL)
		netlink_unicast(audit_sock, skb, pid, 0);

	kfree(dest);

	return 0;
}

struct sk_buff *audit_make_reply(int pid, int seq, int type, int done,
				 int multi, void *payload, int size)
{
	struct sk_buff	*skb;
	struct nlmsghdr	*nlh;
	void		*data;
	int		flags = multi ? NLM_F_MULTI : 0;
	int		t     = done  ? NLMSG_DONE  : type;

517
	skb = nlmsg_new(size, GFP_KERNEL);
518
519
520
	if (!skb)
		return NULL;

521
522
	nlh	= NLMSG_NEW(skb, pid, seq, t, size, flags);
	data	= NLMSG_DATA(nlh);
523
524
525
	memcpy(data, payload, size);
	return skb;

526
nlmsg_failure:			/* Used by NLMSG_NEW */
527
528
529
530
531
	if (skb)
		kfree_skb(skb);
	return NULL;
}

532
533
534
535
536
537
538
539
540
541
542
543
544
static int audit_send_reply_thread(void *arg)
{
	struct audit_reply *reply = (struct audit_reply *)arg;

	mutex_lock(&audit_cmd_mutex);
	mutex_unlock(&audit_cmd_mutex);

	/* Ignore failure. It'll only happen if the sender goes away,
	   because our timeout is set to infinite. */
	netlink_unicast(audit_sock, reply->skb, reply->pid, 0);
	kfree(reply);
	return 0;
}
545
546
547
548
549
550
551
552
553
554
555
556
557
/**
 * audit_send_reply - send an audit reply message via netlink
 * @pid: process id to send reply to
 * @seq: sequence number
 * @type: audit message type
 * @done: done (last) flag
 * @multi: multi-part message flag
 * @payload: payload data
 * @size: payload size
 *
 * Allocates an skb, builds the netlink message, and sends it to the pid.
 * No failure notifications.
 */
Linus Torvalds's avatar
Linus Torvalds committed
558
559
560
void audit_send_reply(int pid, int seq, int type, int done, int multi,
		      void *payload, int size)
{
561
562
563
564
565
566
567
568
	struct sk_buff *skb;
	struct task_struct *tsk;
	struct audit_reply *reply = kmalloc(sizeof(struct audit_reply),
					    GFP_KERNEL);

	if (!reply)
		return;

569
	skb = audit_make_reply(pid, seq, type, done, multi, payload, size);
Linus Torvalds's avatar
Linus Torvalds committed
570
	if (!skb)
571
		goto out;
572
573
574
575
576

	reply->pid = pid;
	reply->skb = skb;

	tsk = kthread_run(audit_send_reply_thread, reply, "audit_send_reply");
577
578
579
580
581
	if (!IS_ERR(tsk))
		return;
	kfree_skb(skb);
out:
	kfree(reply);
Linus Torvalds's avatar
Linus Torvalds committed
582
583
584
585
586
587
}

/*
 * Check for appropriate CAP_AUDIT_ capabilities on incoming audit
 * control messages.
 */
588
static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
Linus Torvalds's avatar
Linus Torvalds committed
589
590
591
592
593
594
{
	int err = 0;

	switch (msg_type) {
	case AUDIT_GET:
	case AUDIT_LIST:
595
	case AUDIT_LIST_RULES:
Linus Torvalds's avatar
Linus Torvalds committed
596
597
	case AUDIT_SET:
	case AUDIT_ADD:
598
	case AUDIT_ADD_RULE:
Linus Torvalds's avatar
Linus Torvalds committed
599
	case AUDIT_DEL:
600
	case AUDIT_DEL_RULE:
601
	case AUDIT_SIGNAL_INFO:
Miloslav Trmac's avatar
Miloslav Trmac committed
602
603
	case AUDIT_TTY_GET:
	case AUDIT_TTY_SET:
Al Viro's avatar
Al Viro committed
604
605
	case AUDIT_TRIM:
	case AUDIT_MAKE_EQUIV:
606
		if (security_netlink_recv(skb, CAP_AUDIT_CONTROL))
Linus Torvalds's avatar
Linus Torvalds committed
607
608
			err = -EPERM;
		break;
609
	case AUDIT_USER:
610
611
	case AUDIT_FIRST_USER_MSG ... AUDIT_LAST_USER_MSG:
	case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2:
612
		if (security_netlink_recv(skb, CAP_AUDIT_WRITE))
Linus Torvalds's avatar
Linus Torvalds committed
613
614
615
616
617
618
619
620
621
			err = -EPERM;
		break;
	default:  /* bad msg */
		err = -EINVAL;
	}

	return err;
}

622
static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type,
623
624
				     u32 pid, u32 uid, uid_t auid, u32 ses,
				     u32 sid)
625
626
627
628
629
630
631
632
633
634
635
{
	int rc = 0;
	char *ctx = NULL;
	u32 len;

	if (!audit_enabled) {
		*ab = NULL;
		return rc;
	}

	*ab = audit_log_start(NULL, GFP_KERNEL, msg_type);
636
637
	audit_log_format(*ab, "user pid=%d uid=%u auid=%u ses=%u",
			 pid, uid, auid, ses);
638
	if (sid) {
639
		rc = security_secid_to_secctx(sid, &ctx, &len);
640
641
		if (rc)
			audit_log_format(*ab, " ssid=%u", sid);
642
		else {
643
			audit_log_format(*ab, " subj=%s", ctx);
644
645
			security_release_secctx(ctx, len);
		}
646
647
648
649
650
	}

	return rc;
}

Linus Torvalds's avatar
Linus Torvalds committed
651
652
static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
{
653
	u32			uid, pid, seq, sid;
Linus Torvalds's avatar
Linus Torvalds committed
654
655
656
	void			*data;
	struct audit_status	*status_get, status_set;
	int			err;
657
	struct audit_buffer	*ab;
Linus Torvalds's avatar
Linus Torvalds committed
658
	u16			msg_type = nlh->nlmsg_type;
659
	uid_t			loginuid; /* loginuid of sender */
660
	u32			sessionid;
661
	struct audit_sig_info   *sig_data;
662
	char			*ctx = NULL;
663
	u32			len;
Linus Torvalds's avatar
Linus Torvalds committed
664

665
	err = audit_netlink_ok(skb, msg_type);
Linus Torvalds's avatar
Linus Torvalds committed
666
667
668
	if (err)
		return err;

669
670
	/* As soon as there's any sign of userspace auditd,
	 * start kauditd to talk to it */
671
672
673
674
675
676
677
678
	if (!kauditd_task)
		kauditd_task = kthread_run(kauditd_thread, NULL, "kauditd");
	if (IS_ERR(kauditd_task)) {
		err = PTR_ERR(kauditd_task);
		kauditd_task = NULL;
		return err;
	}

Linus Torvalds's avatar
Linus Torvalds committed
679
680
	pid  = NETLINK_CREDS(skb)->pid;
	uid  = NETLINK_CREDS(skb)->uid;
681
	loginuid = NETLINK_CB(skb).loginuid;
682
	sessionid = NETLINK_CB(skb).sessionid;
683
	sid  = NETLINK_CB(skb).sid;
Linus Torvalds's avatar
Linus Torvalds committed
684
685
686
687
688
689
690
691
692
693
694
	seq  = nlh->nlmsg_seq;
	data = NLMSG_DATA(nlh);

	switch (msg_type) {
	case AUDIT_GET:
		status_set.enabled	 = audit_enabled;
		status_set.failure	 = audit_failure;
		status_set.pid		 = audit_pid;
		status_set.rate_limit	 = audit_rate_limit;
		status_set.backlog_limit = audit_backlog_limit;
		status_set.lost		 = atomic_read(&audit_lost);
695
		status_set.backlog	 = skb_queue_len(&audit_skb_queue);
Linus Torvalds's avatar
Linus Torvalds committed
696
697
698
699
700
701
702
703
		audit_send_reply(NETLINK_CB(skb).pid, seq, AUDIT_GET, 0, 0,
				 &status_set, sizeof(status_set));
		break;
	case AUDIT_SET:
		if (nlh->nlmsg_len < sizeof(struct audit_status))
			return -EINVAL;
		status_get   = (struct audit_status *)data;
		if (status_get->mask & AUDIT_STATUS_ENABLED) {
704
			err = audit_set_enabled(status_get->enabled,
705
						loginuid, sessionid, sid);
706
707
			if (err < 0)
				return err;
Linus Torvalds's avatar
Linus Torvalds committed
708
709
		}
		if (status_get->mask & AUDIT_STATUS_FAILURE) {
710
			err = audit_set_failure(status_get->failure,
711
						loginuid, sessionid, sid);
712
713
			if (err < 0)
				return err;
Linus Torvalds's avatar
Linus Torvalds committed
714
715
		}
		if (status_get->mask & AUDIT_STATUS_PID) {
716
717
718
719
720
			int new_pid = status_get->pid;

			if (audit_enabled != AUDIT_OFF)
				audit_log_config_change("audit_pid", new_pid,
							audit_pid, loginuid,
721
							sessionid, sid, 1);
722
723

			audit_pid = new_pid;
724
			audit_nlk_pid = NETLINK_CB(skb).pid;
Linus Torvalds's avatar
Linus Torvalds committed
725
		}
726
		if (status_get->mask & AUDIT_STATUS_RATE_LIMIT) {
Serge E. Hallyn's avatar
Serge E. Hallyn committed
727
			err = audit_set_rate_limit(status_get->rate_limit,
728
						   loginuid, sessionid, sid);
729
730
731
			if (err < 0)
				return err;
		}
Linus Torvalds's avatar
Linus Torvalds committed
732
		if (status_get->mask & AUDIT_STATUS_BACKLOG_LIMIT)
Serge E. Hallyn's avatar
Serge E. Hallyn committed
733
			err = audit_set_backlog_limit(status_get->backlog_limit,
734
						      loginuid, sessionid, sid);
Linus Torvalds's avatar
Linus Torvalds committed
735
		break;
736
	case AUDIT_USER:
737
738
	case AUDIT_FIRST_USER_MSG ... AUDIT_LAST_USER_MSG:
	case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2:
739
740
741
		if (!audit_enabled && msg_type != AUDIT_USER_AVC)
			return 0;

742
		err = audit_filter_user(&NETLINK_CB(skb));
743
744
		if (err == 1) {
			err = 0;
Miloslav Trmac's avatar
Miloslav Trmac committed
745
			if (msg_type == AUDIT_USER_TTY) {
746
747
				err = audit_prepare_user_tty(pid, loginuid,
							     sessionid);
Miloslav Trmac's avatar
Miloslav Trmac committed
748
749
750
				if (err)
					break;
			}
751
			audit_log_common_recv_msg(&ab, msg_type, pid, uid,
752
						  loginuid, sessionid, sid);
753
754
755
756
757
758
759
760
761

			if (msg_type != AUDIT_USER_TTY)
				audit_log_format(ab, " msg='%.1024s'",
						 (char *)data);
			else {
				int size;

				audit_log_format(ab, " msg=");
				size = nlmsg_len(nlh);
762
763
764
				if (size > 0 &&
				    ((unsigned char *)data)[size - 1] == '\0')
					size--;
765
				audit_log_n_untrustedstring(ab, data, size);
766
			}
767
768
			audit_set_pid(ab, pid);
			audit_log_end(ab);
769
		}
Linus Torvalds's avatar
Linus Torvalds committed
770
771
772
		break;
	case AUDIT_ADD:
	case AUDIT_DEL:
773
		if (nlmsg_len(nlh) < sizeof(struct audit_rule))
Linus Torvalds's avatar
Linus Torvalds committed
774
			return -EINVAL;
775
		if (audit_enabled == AUDIT_LOCKED) {
776
			audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE, pid,
777
						  uid, loginuid, sessionid, sid);
778
779
780
781

			audit_log_format(ab, " audit_enabled=%d res=0",
					 audit_enabled);
			audit_log_end(ab);
Steve Grubb's avatar
Steve Grubb committed
782
783
			return -EPERM;
		}
Linus Torvalds's avatar
Linus Torvalds committed
784
785
		/* fallthrough */
	case AUDIT_LIST:
786
		err = audit_receive_filter(msg_type, NETLINK_CB(skb).pid,
787
					   uid, seq, data, nlmsg_len(nlh),
788
					   loginuid, sessionid, sid);
789
790
791
792
793
		break;
	case AUDIT_ADD_RULE:
	case AUDIT_DEL_RULE:
		if (nlmsg_len(nlh) < sizeof(struct audit_rule_data))
			return -EINVAL;
794
		if (audit_enabled == AUDIT_LOCKED) {
795
			audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE, pid,
796
						  uid, loginuid, sessionid, sid);
797
798
799
800

			audit_log_format(ab, " audit_enabled=%d res=0",
					 audit_enabled);
			audit_log_end(ab);
Steve Grubb's avatar
Steve Grubb committed
801
802
			return -EPERM;
		}
803
804
		/* fallthrough */
	case AUDIT_LIST_RULES:
805
		err = audit_receive_filter(msg_type, NETLINK_CB(skb).pid,
806
					   uid, seq, data, nlmsg_len(nlh),
807
					   loginuid, sessionid, sid);
Linus Torvalds's avatar
Linus Torvalds committed
808
		break;
Al Viro's avatar
Al Viro committed
809
810
	case AUDIT_TRIM:
		audit_trim_trees();
811
812

		audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE, pid,
813
					  uid, loginuid, sessionid, sid);
814

Al Viro's avatar
Al Viro committed
815
816
817
818
819
820
		audit_log_format(ab, " op=trim res=1");
		audit_log_end(ab);
		break;
	case AUDIT_MAKE_EQUIV: {
		void *bufp = data;
		u32 sizes[2];
821
		size_t msglen = nlmsg_len(nlh);
Al Viro's avatar
Al Viro committed
822
823
824
		char *old, *new;

		err = -EINVAL;
825
		if (msglen < 2 * sizeof(u32))
Al Viro's avatar
Al Viro committed
826
827
828
			break;
		memcpy(sizes, bufp, 2 * sizeof(u32));
		bufp += 2 * sizeof(u32);
829
830
		msglen -= 2 * sizeof(u32);
		old = audit_unpack_string(&bufp, &msglen, sizes[0]);
Al Viro's avatar
Al Viro committed
831
832
833
834
		if (IS_ERR(old)) {
			err = PTR_ERR(old);
			break;
		}
835
		new = audit_unpack_string(&bufp, &msglen, sizes[1]);
Al Viro's avatar
Al Viro committed
836
837
838
839
840
841
842
843
		if (IS_ERR(new)) {
			err = PTR_ERR(new);
			kfree(old);
			break;
		}
		/* OK, here comes... */
		err = audit_tag_tree(old, new);

844
		audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE, pid,
845
					  uid, loginuid, sessionid, sid);
846

Al Viro's avatar
Al Viro committed
847
848
849
850
851
852
853
854
855
856
		audit_log_format(ab, " op=make_equiv old=");
		audit_log_untrustedstring(ab, old);
		audit_log_format(ab, " new=");
		audit_log_untrustedstring(ab, new);
		audit_log_format(ab, " res=%d", !err);
		audit_log_end(ab);
		kfree(old);
		kfree(new);
		break;
	}
857
	case AUDIT_SIGNAL_INFO:
858
		err = security_secid_to_secctx(audit_sig_sid, &ctx, &len);
859
860
861
862
		if (err)
			return err;
		sig_data = kmalloc(sizeof(*sig_data) + len, GFP_KERNEL);
		if (!sig_data) {
863
			security_release_secctx(ctx, len);
864
865
866
867
868
			return -ENOMEM;
		}
		sig_data->uid = audit_sig_uid;
		sig_data->pid = audit_sig_pid;
		memcpy(sig_data->ctx, ctx, len);
869
		security_release_secctx(ctx, len);
870
		audit_send_reply(NETLINK_CB(skb).pid, seq, AUDIT_SIGNAL_INFO,
871
872
				0, 0, sig_data, sizeof(*sig_data) + len);
		kfree(sig_data);
873
		break;
Miloslav Trmac's avatar
Miloslav Trmac committed
874
875
876
877
878
	case AUDIT_TTY_GET: {
		struct audit_tty_status s;
		struct task_struct *tsk;

		read_lock(&tasklist_lock);
879
		tsk = find_task_by_vpid(pid);
Miloslav Trmac's avatar
Miloslav Trmac committed
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
		if (!tsk)
			err = -ESRCH;
		else {
			spin_lock_irq(&tsk->sighand->siglock);
			s.enabled = tsk->signal->audit_tty != 0;
			spin_unlock_irq(&tsk->sighand->siglock);
		}
		read_unlock(&tasklist_lock);
		audit_send_reply(NETLINK_CB(skb).pid, seq, AUDIT_TTY_GET, 0, 0,
				 &s, sizeof(s));
		break;
	}
	case AUDIT_TTY_SET: {
		struct audit_tty_status *s;
		struct task_struct *tsk;

		if (nlh->nlmsg_len < sizeof(struct audit_tty_status))
			return -EINVAL;
		s = data;
		if (s->enabled != 0 && s->enabled != 1)
			return -EINVAL;
		read_lock(&tasklist_lock);
902
		tsk = find_task_by_vpid(pid);
Miloslav Trmac's avatar
Miloslav Trmac committed
903
904
905
906
907
908
909
910
911
912
		if (!tsk)
			err = -ESRCH;
		else {
			spin_lock_irq(&tsk->sighand->siglock);
			tsk->signal->audit_tty = s->enabled != 0;
			spin_unlock_irq(&tsk->sighand->siglock);
		}
		read_unlock(&tasklist_lock);
		break;
	}
Linus Torvalds's avatar
Linus Torvalds committed
913
914
915
916
917
918
919
920
	default:
		err = -EINVAL;
		break;
	}

	return err < 0 ? err : 0;
}

921
/*
Eric Paris's avatar
Eric Paris committed
922
923
 * Get message from skb.  Each message is processed by audit_receive_msg.
 * Malformed skbs with wrong length are discarded silently.
924
 */
925
static void audit_receive_skb(struct sk_buff *skb)
Linus Torvalds's avatar
Linus Torvalds committed
926
{
Eric Paris's avatar
Eric Paris committed
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
	struct nlmsghdr *nlh;
	/*
	 * len MUST be signed for NLMSG_NEXT to be able to dec it below 0
	 * if the nlmsg_len was not aligned
	 */
	int len;
	int err;

	nlh = nlmsg_hdr(skb);
	len = skb->len;

	while (NLMSG_OK(nlh, len)) {
		err = audit_receive_msg(skb, nlh);
		/* if err or if this message says it wants a response */
		if (err || (nlh->nlmsg_flags & NLM_F_ACK))
Linus Torvalds's avatar
Linus Torvalds committed
942
			netlink_ack(skb, nlh, err);
Eric Paris's avatar
Eric Paris committed
943
944

		nlh = NLMSG_NEXT(nlh, len);
Linus Torvalds's avatar
Linus Torvalds committed
945
946
947
948
	}
}

/* Receive messages from netlink socket. */
949
static void audit_receive(struct sk_buff  *skb)
Linus Torvalds's avatar
Linus Torvalds committed
950
{
Amy Griffis's avatar
Amy Griffis committed
951
	mutex_lock(&audit_cmd_mutex);
952
	audit_receive_skb(skb);
Amy Griffis's avatar
Amy Griffis committed
953
	mutex_unlock(&audit_cmd_mutex);
Linus Torvalds's avatar
Linus Torvalds committed
954
955
956
957
958
}

/* Initialize audit support at boot time. */
static int __init audit_init(void)
{
Amy Griffis's avatar
Amy Griffis committed
959
960
	int i;

961
962
963
	if (audit_initialized == AUDIT_DISABLED)
		return 0;

Linus Torvalds's avatar
Linus Torvalds committed
964
965
	printk(KERN_INFO "audit: initializing netlink socket (%s)\n",
	       audit_default ? "enabled" : "disabled");
966
967
	audit_sock = netlink_kernel_create(&init_net, NETLINK_AUDIT, 0,
					   audit_receive, NULL, THIS_MODULE);
Linus Torvalds's avatar
Linus Torvalds committed
968
969
	if (!audit_sock)
		audit_panic("cannot initialize netlink socket");
970
971
	else
		audit_sock->sk_sndtimeo = MAX_SCHEDULE_TIMEOUT;
Linus Torvalds's avatar
Linus Torvalds committed
972

973
	skb_queue_head_init(&audit_skb_queue);
974
	skb_queue_head_init(&audit_skb_hold_queue);
975
	audit_initialized = AUDIT_INITIALIZED;
Linus Torvalds's avatar
Linus Torvalds committed
976
	audit_enabled = audit_default;
977
	audit_ever_enabled |= !!audit_default;
978

979
	audit_log(NULL, GFP_KERNEL, AUDIT_KERNEL, "initialized");
Amy Griffis's avatar
Amy Griffis committed
980
981
982
983

	for (i = 0; i < AUDIT_INODE_BUCKETS; i++)
		INIT_LIST_HEAD(&audit_inode_hash[i]);

Linus Torvalds's avatar
Linus Torvalds committed
984
985
986
987
988
989
990
991
	return 0;
}
__initcall(audit_init);

/* Process kernel command-line parameter at boot time.  audit=0 or audit=1. */
static int __init audit_enable(char *str)
{
	audit_default = !!simple_strtol(str, NULL, 0);
992
993
994
995
996
997
	if (!audit_default)
		audit_initialized = AUDIT_DISABLED;

	printk(KERN_INFO "audit: %s", audit_default ? "enabled" : "disabled");

	if (audit_initialized == AUDIT_INITIALIZED) {
Linus Torvalds's avatar
Linus Torvalds committed
998
		audit_enabled = audit_default;
999
		audit_ever_enabled |= !!audit_default;
1000
1001
1002
1003
	} else if (audit_initialized == AUDIT_UNINITIALIZED) {
		printk(" (after initialization)");
	} else {
		printk(" (until reboot)");
1004
	}
1005
1006
	printk("\n");

1007
	return 1;
Linus Torvalds's avatar
Linus Torvalds committed
1008
1009
1010
1011
}

__setup("audit=", audit_enable);

1012
1013
1014
1015
static void audit_buffer_free(struct audit_buffer *ab)
{
	unsigned long flags;

1016
1017
1018
	if (!ab)
		return;

1019
1020
	if (ab->skb)
		kfree_skb(ab->skb);
1021

1022
	spin_lock_irqsave(&audit_freelist_lock, flags);
Serge E. Hallyn's avatar
Serge E. Hallyn committed
1023
	if (audit_freelist_count > AUDIT_MAXFREE)
1024
		kfree(ab);
Serge E. Hallyn's avatar
Serge E. Hallyn committed
1025
1026
	else {
		audit_freelist_count++;
1027
		list_add(&ab->list, &audit_freelist);
Serge E. Hallyn's avatar
Serge E. Hallyn committed
1028
	}
1029
1030
1031
	spin_unlock_irqrestore(&audit_freelist_lock, flags);
}

1032
static struct audit_buffer * audit_buffer_alloc(struct audit_context *ctx,
1033
						gfp_t gfp_mask, int type)
1034
1035
1036
{
	unsigned long flags;
	struct audit_buffer *ab = NULL;
1037
	struct nlmsghdr *nlh;
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048

	spin_lock_irqsave(&audit_freelist_lock, flags);
	if (!list_empty(&audit_freelist)) {
		ab = list_entry(audit_freelist.next,
				struct audit_buffer, list);
		list_del(&ab->list);
		--audit_freelist_count;
	}
	spin_unlock_irqrestore(&audit_freelist_lock, flags);

	if (!ab) {
1049
		ab = kmalloc(sizeof(*ab), gfp_mask);
1050
		if (!ab)
1051
			goto err;
1052
	}
1053

1054
	ab->ctx = ctx;
1055
	ab->gfp_mask = gfp_mask;
1056
1057
1058
1059
1060
1061
1062

	ab->skb = nlmsg_new(AUDIT_BUFSIZ, gfp_mask);
	if (!ab->skb)
		goto nlmsg_failure;

	nlh = NLMSG_NEW(ab->skb, 0, 0, type, 0, 0);

1063
	return ab;
1064
1065
1066
1067

nlmsg_failure:                  /* Used by NLMSG_NEW */
	kfree_skb(ab->skb);
	ab->skb = NULL;
1068
1069
1070
err:
	audit_buffer_free(ab);
	return NULL;
1071
}
Linus Torvalds's avatar
Linus Torvalds committed
1072

1073
1074
1075
1076
/**
 * audit_serial - compute a serial number for the audit record
 *
 * Compute a serial number for the audit record.  Audit records are
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
 * written to user-space as soon as they are generated, so a complete
 * audit record may be written in several pieces.  The timestamp of the
 * record and this serial number are used by the user-space tools to
 * determine which pieces belong to the same audit record.  The
 * (timestamp,serial) tuple is unique for each syscall and is live from
 * syscall entry to syscall exit.
 *
 * NOTE: Another possibility is to store the formatted records off the
 * audit context (for those records that have a context), and emit them
 * all at syscall exit.  However, this could delay the reporting of
 * significant errors until syscall exit (or never, if the system
1088
1089
 * halts).
 */
1090
1091
unsigned int audit_serial(void)
{
1092
	static DEFINE_SPINLOCK(serial_lock);
1093
1094
1095
1096
	static unsigned int serial = 0;

	unsigned long flags;
	unsigned int ret;
1097

1098
	spin_lock_irqsave(&serial_lock, flags);
1099
	do {
1100
1101
		ret = ++serial;
	} while (unlikely(!ret));
1102
	spin_unlock_irqrestore(&serial_lock, flags);
1103

1104
	return ret;
1105
1106
}

1107
static inline void audit_get_stamp(struct audit_context *ctx,
1108
1109
				   struct timespec *t, unsigned int *serial)
{
1110
	if (!ctx || !auditsc_get_stamp(ctx, t, serial)) {
1111
1112
1113
1114
1115
		*t = CURRENT_TIME;
		*serial = audit_serial();
	}
}

Linus Torvalds's avatar
Linus Torvalds committed
1116
1117
1118
1119
1120
1121
/* Obtain an audit buffer.  This routine does locking to obtain the
 * audit buffer, but then no locking is required for calls to
 * audit_log_*format.  If the tsk is a task that is currently in a
 * syscall, then the syscall is marked as auditable and an audit record
 * will be written at syscall exit.  If there is no associated task, tsk
 * should be NULL. */
1122

1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
/**
 * audit_log_start - obtain an audit buffer
 * @ctx: audit_context (may be NULL)
 * @gfp_mask: type of allocation
 * @type: audit message type
 *
 * Returns audit_buffer pointer on success or NULL on error.
 *
 * Obtain an audit buffer.  This routine does locking to obtain the
 * audit buffer, but then no locking is required for calls to
 * audit_log_*format.  If the task (ctx) is a task that is currently in a
 * syscall, then the syscall is marked as auditable and an audit record
 * will be written at syscall exit.  If there is no associated task, then
 * task context (ctx) should be NULL.
 */
Al Viro's avatar
Al Viro committed
1138
struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
1139
				     int type)
Linus Torvalds's avatar
Linus Torvalds committed
1140
1141
1142
{
	struct audit_buffer	*ab	= NULL;
	struct timespec		t;
1143
	unsigned int		uninitialized_var(serial);
1144
	int reserve;
1145
	unsigned long timeout_start = jiffies;
Linus Torvalds's avatar
Linus Torvalds committed
1146

1147
	if (audit_initialized != AUDIT_INITIALIZED)
Linus Torvalds's avatar
Linus Torvalds committed
1148
1149
		return NULL;

1150
1151
1152
	if (unlikely(audit_filter_type(type)))
		return NULL;

1153
1154
1155
	if (gfp_mask & __GFP_WAIT)
		reserve = 0;
	else
1156
		reserve = 5; /* Allow atomic callers to go up to five
1157
1158
1159
1160
				entries over the normal backlog limit */

	while (audit_backlog_limit
	       && skb_queue_len(&audit_skb_queue) > audit_backlog_limit + reserve) {
1161
1162
1163
		if (gfp_mask & __GFP_WAIT && audit_backlog_wait_time
		    && time_before(jiffies, timeout_start + audit_backlog_wait_time)) {

1164
1165
1166
1167
1168
1169
1170
			/* Wait for auditd to drain the queue a little */
			DECLARE_WAITQUEUE(wait, current);
			set_current_state(TASK_INTERRUPTIBLE);
			add_wait_queue(&audit_backlog_wait, &wait);

			if (audit_backlog_limit &&
			    skb_queue_len(&audit_skb_queue) > audit_backlog_limit)
1171
				schedule_timeout(timeout_start + audit_backlog_wait_time - jiffies);
1172
1173
1174

			__set_current_state(TASK_RUNNING);
			remove_wait_queue(&audit_backlog_wait, &wait);
1175
			continue;
1176
		}
1177
		if (audit_rate_check() && printk_ratelimit())
1178
1179
1180
1181
1182
1183
			printk(KERN_WARNING
			       "audit: audit_backlog=%d > "
			       "audit_backlog_limit=%d\n",
			       skb_queue_len(&audit_skb_queue),
			       audit_backlog_limit);
		audit_log_lost("backlog limit exceeded");
1184
1185
		audit_backlog_wait_time = audit_backlog_wait_overflow;
		wake_up(&audit_backlog_wait);
1186
1187
1188
		return NULL;
	}

1189
	ab = audit_buffer_alloc(ctx, gfp_mask, type);
Linus Torvalds's avatar
Linus Torvalds committed
1190
1191
1192
1193
1194
	if (!ab) {
		audit_log_lost("out of memory in audit_log_start");
		return NULL;
	}

1195
	audit_get_stamp(ab->ctx, &t, &serial);
1196

Linus Torvalds's avatar
Linus Torvalds committed
1197
1198
1199
1200
1201
	audit_log_format(ab, "audit(%lu.%03lu:%u): ",
			 t.tv_sec, t.tv_nsec/1000000, serial);
	return ab;
}

1202
/**
1203
 * audit_expand - expand skb in the audit buffer
1204
 * @ab: audit_buffer
1205
 * @extra: space to add at tail of the skb
1206
1207
1208
1209
 *
 * Returns 0 (no space) on failed expansion, or available space if
 * successful.
 */
1210
static inline int audit_expand(struct audit_buffer *ab, int extra)
1211
{
1212
	struct sk_buff *skb = ab->skb;
Herbert Xu's avatar