auditsc.c 66.1 KB
Newer Older
1
/* auditsc.c -- System-call auditing support
Linus Torvalds's avatar
Linus Torvalds committed
2
3
4
 * Handles all system-call specific auditing features.
 *
 * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina.
5
 * Copyright 2005 Hewlett-Packard Development Company, L.P.
6
 * Copyright (C) 2005, 2006 IBM Corporation
Linus Torvalds's avatar
Linus Torvalds committed
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
 * All Rights Reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 *
 * Written by Rickard E. (Rik) Faith <faith@redhat.com>
 *
 * Many of the ideas implemented here are from Stephen C. Tweedie,
 * especially the idea of avoiding a copy by using getname.
 *
 * The method for actual interception of syscall entry and exit (not in
 * this file -- see entry.S) is based on a GPL'd patch written by
 * okir@suse.de and Copyright 2003 SuSE Linux AG.
 *
32
33
34
 * POSIX message queue support added by George Wilson <ltcgcw@us.ibm.com>,
 * 2006.
 *
35
36
37
 * The support of additional filter rules compares (>, <, >=, <=) was
 * added by Dustin Kirkland <dustin.kirkland@us.ibm.com>, 2005.
 *
38
39
 * Modified by Amy Griffis <amy.griffis@hp.com> to collect additional
 * filesystem information.
40
41
42
 *
 * Subject and object context labeling support added by <danjones@us.ibm.com>
 * and <dustin.kirkland@us.ibm.com> for LSPP certification compliance.
Linus Torvalds's avatar
Linus Torvalds committed
43
44
45
46
 */

#include <linux/init.h>
#include <asm/types.h>
47
#include <asm/atomic.h>
48
49
#include <linux/fs.h>
#include <linux/namei.h>
Linus Torvalds's avatar
Linus Torvalds committed
50
51
#include <linux/mm.h>
#include <linux/module.h>
52
#include <linux/mount.h>
53
#include <linux/socket.h>
54
#include <linux/mqueue.h>
Linus Torvalds's avatar
Linus Torvalds committed
55
56
57
#include <linux/audit.h>
#include <linux/personality.h>
#include <linux/time.h>
58
#include <linux/netlink.h>
59
#include <linux/compiler.h>
Linus Torvalds's avatar
Linus Torvalds committed
60
#include <asm/unistd.h>
61
#include <linux/security.h>
62
#include <linux/list.h>
63
#include <linux/tty.h>
Al Viro's avatar
Al Viro committed
64
#include <linux/binfmts.h>
65
#include <linux/highmem.h>
Al Viro's avatar
Al Viro committed
66
#include <linux/syscalls.h>
Al Viro's avatar
Al Viro committed
67
#include <linux/inotify.h>
68
#include <linux/capability.h>
69
#include <linux/fs_struct.h>
Linus Torvalds's avatar
Linus Torvalds committed
70

71
#include "audit.h"
Linus Torvalds's avatar
Linus Torvalds committed
72
73
74
75
76

/* AUDIT_NAMES is the number of slots we reserve in the audit_context
 * for saving names from getname(). */
#define AUDIT_NAMES    20

77
78
79
/* Indicates that audit should log the full pathname. */
#define AUDIT_NAME_FULL -1

80
81
82
/* no execve audit message should be longer than this (userspace limits) */
#define MAX_EXECVE_AUDIT_LEN 7500

83
84
85
/* number of audit rules */
int audit_n_rules;

Amy Griffis's avatar
Amy Griffis committed
86
87
88
/* determines whether we collect data for signals sent */
int audit_signals;

89
90
91
92
93
94
95
96
97
struct audit_cap_data {
	kernel_cap_t		permitted;
	kernel_cap_t		inheritable;
	union {
		unsigned int	fE;		/* effective bit of a file capability */
		kernel_cap_t	effective;	/* effective set of a process */
	};
};

Linus Torvalds's avatar
Linus Torvalds committed
98
99
100
101
102
103
104
/* When fs/namei.c:getname() is called, we store the pointer in name and
 * we don't let putname() free it (instead we free all of the saved
 * pointers at syscall exit time).
 *
 * Further, in fs/namei.c:path_lookup() we store the inode and device. */
struct audit_names {
	const char	*name;
105
106
	int		name_len;	/* number of name's characters to log */
	unsigned	name_put;	/* call __putname() for this name */
Linus Torvalds's avatar
Linus Torvalds committed
107
108
109
110
111
112
	unsigned long	ino;
	dev_t		dev;
	umode_t		mode;
	uid_t		uid;
	gid_t		gid;
	dev_t		rdev;
Steve Grubb's avatar
Steve Grubb committed
113
	u32		osid;
114
115
	struct audit_cap_data fcap;
	unsigned int	fcap_ver;
Linus Torvalds's avatar
Linus Torvalds committed
116
117
118
119
120
121
122
123
124
};

struct audit_aux_data {
	struct audit_aux_data	*next;
	int			type;
};

#define AUDIT_AUX_IPCPERM	0

Amy Griffis's avatar
Amy Griffis committed
125
126
127
/* Number of target pids per aux struct. */
#define AUDIT_AUX_PIDS	16

Al Viro's avatar
Al Viro committed
128
129
130
131
struct audit_aux_data_execve {
	struct audit_aux_data	d;
	int argc;
	int envc;
Peter Zijlstra's avatar
Peter Zijlstra committed
132
	struct mm_struct *mm;
Al Viro's avatar
Al Viro committed
133
134
};

Amy Griffis's avatar
Amy Griffis committed
135
136
137
struct audit_aux_data_pids {
	struct audit_aux_data	d;
	pid_t			target_pid[AUDIT_AUX_PIDS];
138
139
	uid_t			target_auid[AUDIT_AUX_PIDS];
	uid_t			target_uid[AUDIT_AUX_PIDS];
140
	unsigned int		target_sessionid[AUDIT_AUX_PIDS];
Amy Griffis's avatar
Amy Griffis committed
141
	u32			target_sid[AUDIT_AUX_PIDS];
142
	char 			target_comm[AUDIT_AUX_PIDS][TASK_COMM_LEN];
Amy Griffis's avatar
Amy Griffis committed
143
144
145
	int			pid_count;
};

146
147
148
149
150
151
152
153
struct audit_aux_data_bprm_fcaps {
	struct audit_aux_data	d;
	struct audit_cap_data	fcap;
	unsigned int		fcap_ver;
	struct audit_cap_data	old_pcap;
	struct audit_cap_data	new_pcap;
};

154
155
156
157
158
159
struct audit_aux_data_capset {
	struct audit_aux_data	d;
	pid_t			pid;
	struct audit_cap_data	cap;
};

Al Viro's avatar
Al Viro committed
160
161
162
163
164
struct audit_tree_refs {
	struct audit_tree_refs *next;
	struct audit_chunk *c[31];
};

Linus Torvalds's avatar
Linus Torvalds committed
165
166
/* The per-task audit context. */
struct audit_context {
167
	int		    dummy;	/* must be the first element */
Linus Torvalds's avatar
Linus Torvalds committed
168
	int		    in_syscall;	/* 1 if task is in a syscall */
169
	enum audit_state    state, current_state;
Linus Torvalds's avatar
Linus Torvalds committed
170
171
172
173
174
	unsigned int	    serial;     /* serial number for record */
	struct timespec	    ctime;      /* time of syscall entry */
	int		    major;      /* syscall number */
	unsigned long	    argv[4];    /* syscall arguments */
	int		    return_valid; /* return code is valid */
175
	long		    return_code;/* syscall return code */
176
	u64		    prio;
Linus Torvalds's avatar
Linus Torvalds committed
177
178
	int		    name_count;
	struct audit_names  names[AUDIT_NAMES];
Amy Griffis's avatar
Amy Griffis committed
179
	char *		    filterkey;	/* key for rule that triggered record */
180
	struct path	    pwd;
Linus Torvalds's avatar
Linus Torvalds committed
181
182
	struct audit_context *previous; /* For nested syscalls */
	struct audit_aux_data *aux;
Amy Griffis's avatar
Amy Griffis committed
183
	struct audit_aux_data *aux_pids;
184
185
	struct sockaddr_storage *sockaddr;
	size_t sockaddr_len;
Linus Torvalds's avatar
Linus Torvalds committed
186
				/* Save things to print about task_struct */
Al Viro's avatar
Al Viro committed
187
	pid_t		    pid, ppid;
Linus Torvalds's avatar
Linus Torvalds committed
188
189
190
	uid_t		    uid, euid, suid, fsuid;
	gid_t		    gid, egid, sgid, fsgid;
	unsigned long	    personality;
191
	int		    arch;
Linus Torvalds's avatar
Linus Torvalds committed
192

Al Viro's avatar
Al Viro committed
193
	pid_t		    target_pid;
194
195
	uid_t		    target_auid;
	uid_t		    target_uid;
196
	unsigned int	    target_sessionid;
Al Viro's avatar
Al Viro committed
197
	u32		    target_sid;
198
	char		    target_comm[TASK_COMM_LEN];
Al Viro's avatar
Al Viro committed
199

Al Viro's avatar
Al Viro committed
200
201
	struct audit_tree_refs *trees, *first_trees;
	int tree_count;
202
	struct list_head killed_trees;
Al Viro's avatar
Al Viro committed
203

Al Viro's avatar
Al Viro committed
204
205
206
207
208
209
	int type;
	union {
		struct {
			int nargs;
			long args[6];
		} socketcall;
Al Viro's avatar
Al Viro committed
210
211
212
213
214
		struct {
			uid_t			uid;
			gid_t			gid;
			mode_t			mode;
			u32			osid;
Al Viro's avatar
Al Viro committed
215
216
217
218
219
			int			has_perm;
			uid_t			perm_uid;
			gid_t			perm_gid;
			mode_t			perm_mode;
			unsigned long		qbytes;
Al Viro's avatar
Al Viro committed
220
		} ipc;
Al Viro's avatar
Al Viro committed
221
222
223
224
		struct {
			mqd_t			mqdes;
			struct mq_attr 		mqstat;
		} mq_getsetattr;
Al Viro's avatar
Al Viro committed
225
226
227
228
		struct {
			mqd_t			mqdes;
			int			sigev_signo;
		} mq_notify;
Al Viro's avatar
Al Viro committed
229
230
231
232
233
234
		struct {
			mqd_t			mqdes;
			size_t			msg_len;
			unsigned int		msg_prio;
			struct timespec		abs_timeout;
		} mq_sendrecv;
Al Viro's avatar
Al Viro committed
235
236
237
238
239
		struct {
			int			oflag;
			mode_t			mode;
			struct mq_attr		attr;
		} mq_open;
Al Viro's avatar
Al Viro committed
240
241
242
243
		struct {
			pid_t			pid;
			struct audit_cap_data	cap;
		} capset;
Al Viro's avatar
Al Viro committed
244
	};
Al Viro's avatar
Al Viro committed
245
	int fds[2];
Al Viro's avatar
Al Viro committed
246

Linus Torvalds's avatar
Linus Torvalds committed
247
248
249
250
251
252
#if AUDIT_DEBUG
	int		    put_count;
	int		    ino_count;
#endif
};

Al Viro's avatar
Al Viro committed
253
254
255
256
257
258
259
260
261
262
263
#define ACC_MODE(x) ("\004\002\006\006"[(x)&O_ACCMODE])
static inline int open_arg(int flags, int mask)
{
	int n = ACC_MODE(flags);
	if (flags & (O_TRUNC | O_CREAT))
		n |= AUDIT_PERM_WRITE;
	return n & mask;
}

static int audit_match_perm(struct audit_context *ctx, int mask)
{
264
	unsigned n;
265
266
	if (unlikely(!ctx))
		return 0;
267
	n = ctx->major;
268

Al Viro's avatar
Al Viro committed
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
	switch (audit_classify_syscall(ctx->arch, n)) {
	case 0:	/* native */
		if ((mask & AUDIT_PERM_WRITE) &&
		     audit_match_class(AUDIT_CLASS_WRITE, n))
			return 1;
		if ((mask & AUDIT_PERM_READ) &&
		     audit_match_class(AUDIT_CLASS_READ, n))
			return 1;
		if ((mask & AUDIT_PERM_ATTR) &&
		     audit_match_class(AUDIT_CLASS_CHATTR, n))
			return 1;
		return 0;
	case 1: /* 32bit on biarch */
		if ((mask & AUDIT_PERM_WRITE) &&
		     audit_match_class(AUDIT_CLASS_WRITE_32, n))
			return 1;
		if ((mask & AUDIT_PERM_READ) &&
		     audit_match_class(AUDIT_CLASS_READ_32, n))
			return 1;
		if ((mask & AUDIT_PERM_ATTR) &&
		     audit_match_class(AUDIT_CLASS_CHATTR_32, n))
			return 1;
		return 0;
	case 2: /* open */
		return mask & ACC_MODE(ctx->argv[1]);
	case 3: /* openat */
		return mask & ACC_MODE(ctx->argv[2]);
	case 4: /* socketcall */
		return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND);
	case 5: /* execve */
		return mask & AUDIT_PERM_EXEC;
	default:
		return 0;
	}
}

305
306
307
308
static int audit_match_filetype(struct audit_context *ctx, int which)
{
	unsigned index = which & ~S_IFMT;
	mode_t mode = which & S_IFMT;
309
310
311
312

	if (unlikely(!ctx))
		return 0;

313
314
315
316
317
318
319
320
321
	if (index >= ctx->name_count)
		return 0;
	if (ctx->names[index].ino == -1)
		return 0;
	if ((ctx->names[index].mode ^ mode) & S_IFMT)
		return 0;
	return 1;
}

Al Viro's avatar
Al Viro committed
322
323
324
325
326
327
328
329
330
331
332
/*
 * We keep a linked list of fixed-sized (31 pointer) arrays of audit_chunk *;
 * ->first_trees points to its beginning, ->trees - to the current end of data.
 * ->tree_count is the number of free entries in array pointed to by ->trees.
 * Original condition is (NULL, NULL, 0); as soon as it grows we never revert to NULL,
 * "empty" becomes (p, p, 31) afterwards.  We don't shrink the list (and seriously,
 * it's going to remain 1-element for almost any setup) until we free context itself.
 * References in it _are_ dropped - at the same time we free/drop aux stuff.
 */

#ifdef CONFIG_AUDIT_TREE
333
334
335
336
337
338
339
340
static void audit_set_auditable(struct audit_context *ctx)
{
	if (!ctx->prio) {
		ctx->prio = 1;
		ctx->current_state = AUDIT_RECORD_CONTEXT;
	}
}

Al Viro's avatar
Al Viro committed
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
static int put_tree_ref(struct audit_context *ctx, struct audit_chunk *chunk)
{
	struct audit_tree_refs *p = ctx->trees;
	int left = ctx->tree_count;
	if (likely(left)) {
		p->c[--left] = chunk;
		ctx->tree_count = left;
		return 1;
	}
	if (!p)
		return 0;
	p = p->next;
	if (p) {
		p->c[30] = chunk;
		ctx->trees = p;
		ctx->tree_count = 30;
		return 1;
	}
	return 0;
}

static int grow_tree_refs(struct audit_context *ctx)
{
	struct audit_tree_refs *p = ctx->trees;
	ctx->trees = kzalloc(sizeof(struct audit_tree_refs), GFP_KERNEL);
	if (!ctx->trees) {
		ctx->trees = p;
		return 0;
	}
	if (p)
		p->next = ctx->trees;
	else
		ctx->first_trees = ctx->trees;
	ctx->tree_count = 31;
	return 1;
}
#endif

static void unroll_tree_refs(struct audit_context *ctx,
		      struct audit_tree_refs *p, int count)
{
#ifdef CONFIG_AUDIT_TREE
	struct audit_tree_refs *q;
	int n;
	if (!p) {
		/* we started with empty chain */
		p = ctx->first_trees;
		count = 31;
		/* if the very first allocation has failed, nothing to do */
		if (!p)
			return;
	}
	n = count;
	for (q = p; q != ctx->trees; q = q->next, n = 31) {
		while (n--) {
			audit_put_chunk(q->c[n]);
			q->c[n] = NULL;
		}
	}
	while (n-- > ctx->tree_count) {
		audit_put_chunk(q->c[n]);
		q->c[n] = NULL;
	}
	ctx->trees = p;
	ctx->tree_count = count;
#endif
}

static void free_tree_refs(struct audit_context *ctx)
{
	struct audit_tree_refs *p, *q;
	for (p = ctx->first_trees; p; p = q) {
		q = p->next;
		kfree(p);
	}
}

static int match_tree_refs(struct audit_context *ctx, struct audit_tree *tree)
{
#ifdef CONFIG_AUDIT_TREE
	struct audit_tree_refs *p;
	int n;
	if (!tree)
		return 0;
	/* full ones */
	for (p = ctx->first_trees; p != ctx->trees; p = p->next) {
		for (n = 0; n < 31; n++)
			if (audit_tree_match(p->c[n], tree))
				return 1;
	}
	/* partial */
	if (p) {
		for (n = ctx->tree_count; n < 31; n++)
			if (audit_tree_match(p->c[n], tree))
				return 1;
	}
#endif
	return 0;
}

Amy Griffis's avatar
Amy Griffis committed
441
/* Determine if any context name data matches a rule's watch data */
Linus Torvalds's avatar
Linus Torvalds committed
442
443
444
/* Compare a task_struct with an audit_rule.  Return 1 on match, 0
 * otherwise. */
static int audit_filter_rules(struct task_struct *tsk,
445
			      struct audit_krule *rule,
Linus Torvalds's avatar
Linus Torvalds committed
446
			      struct audit_context *ctx,
Amy Griffis's avatar
Amy Griffis committed
447
			      struct audit_names *name,
Linus Torvalds's avatar
Linus Torvalds committed
448
449
			      enum audit_state *state)
{
450
	const struct cred *cred = get_task_cred(tsk);
Steve Grubb's avatar
Steve Grubb committed
451
	int i, j, need_sid = 1;
452
453
	u32 sid;

Linus Torvalds's avatar
Linus Torvalds committed
454
	for (i = 0; i < rule->field_count; i++) {
455
		struct audit_field *f = &rule->fields[i];
Linus Torvalds's avatar
Linus Torvalds committed
456
457
		int result = 0;

458
		switch (f->type) {
Linus Torvalds's avatar
Linus Torvalds committed
459
		case AUDIT_PID:
460
			result = audit_comparator(tsk->pid, f->op, f->val);
Linus Torvalds's avatar
Linus Torvalds committed
461
			break;
Al Viro's avatar
Al Viro committed
462
		case AUDIT_PPID:
Alexander Viro's avatar
Alexander Viro committed
463
464
465
			if (ctx) {
				if (!ctx->ppid)
					ctx->ppid = sys_getppid();
Al Viro's avatar
Al Viro committed
466
				result = audit_comparator(ctx->ppid, f->op, f->val);
Alexander Viro's avatar
Alexander Viro committed
467
			}
Al Viro's avatar
Al Viro committed
468
			break;
Linus Torvalds's avatar
Linus Torvalds committed
469
		case AUDIT_UID:
470
			result = audit_comparator(cred->uid, f->op, f->val);
Linus Torvalds's avatar
Linus Torvalds committed
471
472
			break;
		case AUDIT_EUID:
473
			result = audit_comparator(cred->euid, f->op, f->val);
Linus Torvalds's avatar
Linus Torvalds committed
474
475
			break;
		case AUDIT_SUID:
476
			result = audit_comparator(cred->suid, f->op, f->val);
Linus Torvalds's avatar
Linus Torvalds committed
477
478
			break;
		case AUDIT_FSUID:
479
			result = audit_comparator(cred->fsuid, f->op, f->val);
Linus Torvalds's avatar
Linus Torvalds committed
480
481
			break;
		case AUDIT_GID:
482
			result = audit_comparator(cred->gid, f->op, f->val);
Linus Torvalds's avatar
Linus Torvalds committed
483
484
			break;
		case AUDIT_EGID:
485
			result = audit_comparator(cred->egid, f->op, f->val);
Linus Torvalds's avatar
Linus Torvalds committed
486
487
			break;
		case AUDIT_SGID:
488
			result = audit_comparator(cred->sgid, f->op, f->val);
Linus Torvalds's avatar
Linus Torvalds committed
489
490
			break;
		case AUDIT_FSGID:
491
			result = audit_comparator(cred->fsgid, f->op, f->val);
Linus Torvalds's avatar
Linus Torvalds committed
492
493
			break;
		case AUDIT_PERS:
494
			result = audit_comparator(tsk->personality, f->op, f->val);
Linus Torvalds's avatar
Linus Torvalds committed
495
			break;
496
		case AUDIT_ARCH:
497
			if (ctx)
498
				result = audit_comparator(ctx->arch, f->op, f->val);
499
			break;
Linus Torvalds's avatar
Linus Torvalds committed
500
501
502

		case AUDIT_EXIT:
			if (ctx && ctx->return_valid)
503
				result = audit_comparator(ctx->return_code, f->op, f->val);
Linus Torvalds's avatar
Linus Torvalds committed
504
505
			break;
		case AUDIT_SUCCESS:
506
			if (ctx && ctx->return_valid) {
507
508
				if (f->val)
					result = audit_comparator(ctx->return_valid, f->op, AUDITSC_SUCCESS);
509
				else
510
					result = audit_comparator(ctx->return_valid, f->op, AUDITSC_FAILURE);
511
			}
Linus Torvalds's avatar
Linus Torvalds committed
512
513
			break;
		case AUDIT_DEVMAJOR:
Amy Griffis's avatar
Amy Griffis committed
514
515
516
517
			if (name)
				result = audit_comparator(MAJOR(name->dev),
							  f->op, f->val);
			else if (ctx) {
Linus Torvalds's avatar
Linus Torvalds committed
518
				for (j = 0; j < ctx->name_count; j++) {
519
					if (audit_comparator(MAJOR(ctx->names[j].dev),	f->op, f->val)) {
Linus Torvalds's avatar
Linus Torvalds committed
520
521
522
523
524
525
526
						++result;
						break;
					}
				}
			}
			break;
		case AUDIT_DEVMINOR:
Amy Griffis's avatar
Amy Griffis committed
527
528
529
530
			if (name)
				result = audit_comparator(MINOR(name->dev),
							  f->op, f->val);
			else if (ctx) {
Linus Torvalds's avatar
Linus Torvalds committed
531
				for (j = 0; j < ctx->name_count; j++) {
532
					if (audit_comparator(MINOR(ctx->names[j].dev), f->op, f->val)) {
Linus Torvalds's avatar
Linus Torvalds committed
533
534
535
536
537
538
539
						++result;
						break;
					}
				}
			}
			break;
		case AUDIT_INODE:
Amy Griffis's avatar
Amy Griffis committed
540
			if (name)
541
				result = (name->ino == f->val);
Amy Griffis's avatar
Amy Griffis committed
542
			else if (ctx) {
Linus Torvalds's avatar
Linus Torvalds committed
543
				for (j = 0; j < ctx->name_count; j++) {
544
					if (audit_comparator(ctx->names[j].ino, f->op, f->val)) {
Linus Torvalds's avatar
Linus Torvalds committed
545
546
547
548
549
550
						++result;
						break;
					}
				}
			}
			break;
Amy Griffis's avatar
Amy Griffis committed
551
		case AUDIT_WATCH:
552
553
554
			if (name && audit_watch_inode(rule->watch) != (unsigned long)-1)
				result = (name->dev == audit_watch_dev(rule->watch) &&
					  name->ino == audit_watch_inode(rule->watch));
Amy Griffis's avatar
Amy Griffis committed
555
			break;
Al Viro's avatar
Al Viro committed
556
557
558
559
		case AUDIT_DIR:
			if (ctx)
				result = match_tree_refs(ctx, rule->tree);
			break;
Linus Torvalds's avatar
Linus Torvalds committed
560
561
562
		case AUDIT_LOGINUID:
			result = 0;
			if (ctx)
Al Viro's avatar
Al Viro committed
563
				result = audit_comparator(tsk->loginuid, f->op, f->val);
Linus Torvalds's avatar
Linus Torvalds committed
564
			break;
565
566
567
568
569
		case AUDIT_SUBJ_USER:
		case AUDIT_SUBJ_ROLE:
		case AUDIT_SUBJ_TYPE:
		case AUDIT_SUBJ_SEN:
		case AUDIT_SUBJ_CLR:
570
571
572
573
574
			/* NOTE: this may return negative values indicating
			   a temporary error.  We simply treat this as a
			   match for now to avoid losing information that
			   may be wanted.   An error message will also be
			   logged upon error */
575
			if (f->lsm_rule) {
Steve Grubb's avatar
Steve Grubb committed
576
				if (need_sid) {
577
					security_task_getsecid(tsk, &sid);
Steve Grubb's avatar
Steve Grubb committed
578
579
					need_sid = 0;
				}
580
				result = security_audit_rule_match(sid, f->type,
581
				                                  f->op,
582
				                                  f->lsm_rule,
583
				                                  ctx);
Steve Grubb's avatar
Steve Grubb committed
584
			}
585
			break;
586
587
588
589
590
591
592
		case AUDIT_OBJ_USER:
		case AUDIT_OBJ_ROLE:
		case AUDIT_OBJ_TYPE:
		case AUDIT_OBJ_LEV_LOW:
		case AUDIT_OBJ_LEV_HIGH:
			/* The above note for AUDIT_SUBJ_USER...AUDIT_SUBJ_CLR
			   also applies here */
593
			if (f->lsm_rule) {
594
595
				/* Find files that match */
				if (name) {
596
					result = security_audit_rule_match(
597
					           name->osid, f->type, f->op,
598
					           f->lsm_rule, ctx);
599
600
				} else if (ctx) {
					for (j = 0; j < ctx->name_count; j++) {
601
						if (security_audit_rule_match(
602
603
						      ctx->names[j].osid,
						      f->type, f->op,
604
						      f->lsm_rule, ctx)) {
605
606
607
608
609
610
							++result;
							break;
						}
					}
				}
				/* Find ipc objects that match */
Al Viro's avatar
Al Viro committed
611
612
613
614
615
616
				if (!ctx || ctx->type != AUDIT_IPC)
					break;
				if (security_audit_rule_match(ctx->ipc.osid,
							      f->type, f->op,
							      f->lsm_rule, ctx))
					++result;
617
618
			}
			break;
Linus Torvalds's avatar
Linus Torvalds committed
619
620
621
622
623
		case AUDIT_ARG0:
		case AUDIT_ARG1:
		case AUDIT_ARG2:
		case AUDIT_ARG3:
			if (ctx)
624
				result = audit_comparator(ctx->argv[f->type-AUDIT_ARG0], f->op, f->val);
Linus Torvalds's avatar
Linus Torvalds committed
625
			break;
Amy Griffis's avatar
Amy Griffis committed
626
627
628
629
		case AUDIT_FILTERKEY:
			/* ignore this field for filtering */
			result = 1;
			break;
Al Viro's avatar
Al Viro committed
630
631
632
		case AUDIT_PERM:
			result = audit_match_perm(ctx, f->val);
			break;
633
634
635
		case AUDIT_FILETYPE:
			result = audit_match_filetype(ctx, f->val);
			break;
Linus Torvalds's avatar
Linus Torvalds committed
636
637
		}

638
639
		if (!result) {
			put_cred(cred);
Linus Torvalds's avatar
Linus Torvalds committed
640
			return 0;
641
		}
Linus Torvalds's avatar
Linus Torvalds committed
642
	}
643
644
645
646
647
648
649
650
651
652

	if (ctx) {
		if (rule->prio <= ctx->prio)
			return 0;
		if (rule->filterkey) {
			kfree(ctx->filterkey);
			ctx->filterkey = kstrdup(rule->filterkey, GFP_ATOMIC);
		}
		ctx->prio = rule->prio;
	}
Linus Torvalds's avatar
Linus Torvalds committed
653
654
655
656
	switch (rule->action) {
	case AUDIT_NEVER:    *state = AUDIT_DISABLED;	    break;
	case AUDIT_ALWAYS:   *state = AUDIT_RECORD_CONTEXT; break;
	}
657
	put_cred(cred);
Linus Torvalds's avatar
Linus Torvalds committed
658
659
660
661
662
663
664
	return 1;
}

/* At process creation time, we can determine if system-call auditing is
 * completely disabled for this task.  Since we only have the task
 * structure at this point, we can only check uid and gid.
 */
665
static enum audit_state audit_filter_task(struct task_struct *tsk, char **key)
Linus Torvalds's avatar
Linus Torvalds committed
666
667
668
669
670
{
	struct audit_entry *e;
	enum audit_state   state;

	rcu_read_lock();
671
	list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TASK], list) {
Amy Griffis's avatar
Amy Griffis committed
672
		if (audit_filter_rules(tsk, &e->rule, NULL, NULL, &state)) {
673
674
			if (state == AUDIT_RECORD_CONTEXT)
				*key = kstrdup(e->rule.filterkey, GFP_ATOMIC);
Linus Torvalds's avatar
Linus Torvalds committed
675
676
677
678
679
680
681
682
683
684
			rcu_read_unlock();
			return state;
		}
	}
	rcu_read_unlock();
	return AUDIT_BUILD_CONTEXT;
}

/* At syscall entry and exit time, this filter is called if the
 * audit_state is not low enough that auditing cannot take place, but is
Steve Grubb's avatar
Steve Grubb committed
685
 * also not high enough that we already know we have to write an audit
686
 * record (i.e., the state is AUDIT_SETUP_CONTEXT or AUDIT_BUILD_CONTEXT).
Linus Torvalds's avatar
Linus Torvalds committed
687
688
689
690
691
692
 */
static enum audit_state audit_filter_syscall(struct task_struct *tsk,
					     struct audit_context *ctx,
					     struct list_head *list)
{
	struct audit_entry *e;
693
	enum audit_state state;
Linus Torvalds's avatar
Linus Torvalds committed
694

695
	if (audit_pid && tsk->tgid == audit_pid)
696
697
		return AUDIT_DISABLED;

Linus Torvalds's avatar
Linus Torvalds committed
698
	rcu_read_lock();
699
	if (!list_empty(list)) {
700
701
702
703
		int word = AUDIT_WORD(ctx->major);
		int bit  = AUDIT_BIT(ctx->major);

		list_for_each_entry_rcu(e, list, list) {
Amy Griffis's avatar
Amy Griffis committed
704
705
706
707
			if ((e->rule.mask[word] & bit) == bit &&
			    audit_filter_rules(tsk, &e->rule, ctx, NULL,
					       &state)) {
				rcu_read_unlock();
708
				ctx->current_state = state;
Amy Griffis's avatar
Amy Griffis committed
709
710
711
712
713
714
715
716
717
718
719
720
721
				return state;
			}
		}
	}
	rcu_read_unlock();
	return AUDIT_BUILD_CONTEXT;
}

/* At syscall exit time, this filter is called if any audit_names[] have been
 * collected during syscall processing.  We only check rules in sublists at hash
 * buckets applicable to the inode numbers in audit_names[].
 * Regarding audit_state, same rules apply as for audit_filter_syscall().
 */
722
void audit_filter_inodes(struct task_struct *tsk, struct audit_context *ctx)
Amy Griffis's avatar
Amy Griffis committed
723
724
725
726
727
728
{
	int i;
	struct audit_entry *e;
	enum audit_state state;

	if (audit_pid && tsk->tgid == audit_pid)
729
		return;
Amy Griffis's avatar
Amy Griffis committed
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744

	rcu_read_lock();
	for (i = 0; i < ctx->name_count; i++) {
		int word = AUDIT_WORD(ctx->major);
		int bit  = AUDIT_BIT(ctx->major);
		struct audit_names *n = &ctx->names[i];
		int h = audit_hash_ino((u32)n->ino);
		struct list_head *list = &audit_inode_hash[h];

		if (list_empty(list))
			continue;

		list_for_each_entry_rcu(e, list, list) {
			if ((e->rule.mask[word] & bit) == bit &&
			    audit_filter_rules(tsk, &e->rule, ctx, n, &state)) {
745
				rcu_read_unlock();
746
747
				ctx->current_state = state;
				return;
748
			}
749
750
751
752
753
		}
	}
	rcu_read_unlock();
}

Linus Torvalds's avatar
Linus Torvalds committed
754
755
static inline struct audit_context *audit_get_context(struct task_struct *tsk,
						      int return_valid,
756
						      long return_code)
Linus Torvalds's avatar
Linus Torvalds committed
757
758
759
760
761
762
{
	struct audit_context *context = tsk->audit_context;

	if (likely(!context))
		return NULL;
	context->return_valid = return_valid;
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780

	/*
	 * we need to fix up the return code in the audit logs if the actual
	 * return codes are later going to be fixed up by the arch specific
	 * signal handlers
	 *
	 * This is actually a test for:
	 * (rc == ERESTARTSYS ) || (rc == ERESTARTNOINTR) ||
	 * (rc == ERESTARTNOHAND) || (rc == ERESTART_RESTARTBLOCK)
	 *
	 * but is faster than a bunch of ||
	 */
	if (unlikely(return_code <= -ERESTARTSYS) &&
	    (return_code >= -ERESTART_RESTARTBLOCK) &&
	    (return_code != -ENOIOCTLCMD))
		context->return_code = -EINTR;
	else
		context->return_code  = return_code;
Linus Torvalds's avatar
Linus Torvalds committed
781

782
783
784
	if (context->in_syscall && !context->dummy) {
		audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_EXIT]);
		audit_filter_inodes(tsk, context);
Linus Torvalds's avatar
Linus Torvalds committed
785
786
787
788
789
790
791
792
793
794
795
	}

	tsk->audit_context = NULL;
	return context;
}

static inline void audit_free_names(struct audit_context *context)
{
	int i;

#if AUDIT_DEBUG == 2
796
	if (context->put_count + context->ino_count != context->name_count) {
797
		printk(KERN_ERR "%s:%d(:%d): major=%d in_syscall=%d"
Linus Torvalds's avatar
Linus Torvalds committed
798
799
		       " name_count=%d put_count=%d"
		       " ino_count=%d [NOT freeing]\n",
800
		       __FILE__, __LINE__,
Linus Torvalds's avatar
Linus Torvalds committed
801
802
803
		       context->serial, context->major, context->in_syscall,
		       context->name_count, context->put_count,
		       context->ino_count);
804
		for (i = 0; i < context->name_count; i++) {
Linus Torvalds's avatar
Linus Torvalds committed
805
806
			printk(KERN_ERR "names[%d] = %p = %s\n", i,
			       context->names[i].name,
807
			       context->names[i].name ?: "(null)");
808
		}
Linus Torvalds's avatar
Linus Torvalds committed
809
810
811
812
813
814
815
816
817
		dump_stack();
		return;
	}
#endif
#if AUDIT_DEBUG
	context->put_count  = 0;
	context->ino_count  = 0;
#endif

818
	for (i = 0; i < context->name_count; i++) {
819
		if (context->names[i].name && context->names[i].name_put)
Linus Torvalds's avatar
Linus Torvalds committed
820
			__putname(context->names[i].name);
821
	}
Linus Torvalds's avatar
Linus Torvalds committed
822
	context->name_count = 0;
823
824
825
	path_put(&context->pwd);
	context->pwd.dentry = NULL;
	context->pwd.mnt = NULL;
Linus Torvalds's avatar
Linus Torvalds committed
826
827
828
829
830
831
832
833
834
835
}

static inline void audit_free_aux(struct audit_context *context)
{
	struct audit_aux_data *aux;

	while ((aux = context->aux)) {
		context->aux = aux->next;
		kfree(aux);
	}
Amy Griffis's avatar
Amy Griffis committed
836
837
838
839
	while ((aux = context->aux_pids)) {
		context->aux_pids = aux->next;
		kfree(aux);
	}
Linus Torvalds's avatar
Linus Torvalds committed
840
841
842
843
844
845
846
}

static inline void audit_zero_context(struct audit_context *context,
				      enum audit_state state)
{
	memset(context, 0, sizeof(*context));
	context->state      = state;
847
	context->prio = state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0;
Linus Torvalds's avatar
Linus Torvalds committed
848
849
850
851
852
853
854
855
856
}

static inline struct audit_context *audit_alloc_context(enum audit_state state)
{
	struct audit_context *context;

	if (!(context = kmalloc(sizeof(*context), GFP_KERNEL)))
		return NULL;
	audit_zero_context(context, state);
857
	INIT_LIST_HEAD(&context->killed_trees);
Linus Torvalds's avatar
Linus Torvalds committed
858
859
860
	return context;
}

861
862
863
864
865
/**
 * audit_alloc - allocate an audit context block for a task
 * @tsk: task
 *
 * Filter on the task information and allocate a per-task audit context
Linus Torvalds's avatar
Linus Torvalds committed
866
867
 * if necessary.  Doing so turns on system call auditing for the
 * specified task.  This is called from copy_process, so no lock is
868
869
 * needed.
 */
Linus Torvalds's avatar
Linus Torvalds committed
870
871
872
873
int audit_alloc(struct task_struct *tsk)
{
	struct audit_context *context;
	enum audit_state     state;
874
	char *key = NULL;
Linus Torvalds's avatar
Linus Torvalds committed
875

876
	if (likely(!audit_ever_enabled))
Linus Torvalds's avatar
Linus Torvalds committed
877
878
		return 0; /* Return if not auditing. */

879
	state = audit_filter_task(tsk, &key);
Linus Torvalds's avatar
Linus Torvalds committed
880
881
882
883
	if (likely(state == AUDIT_DISABLED))
		return 0;

	if (!(context = audit_alloc_context(state))) {
884
		kfree(key);
Linus Torvalds's avatar
Linus Torvalds committed
885
886
887
		audit_log_lost("out of memory in audit_alloc");
		return -ENOMEM;
	}
888
	context->filterkey = key;
Linus Torvalds's avatar
Linus Torvalds committed
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909

	tsk->audit_context  = context;
	set_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT);
	return 0;
}

static inline void audit_free_context(struct audit_context *context)
{
	struct audit_context *previous;
	int		     count = 0;

	do {
		previous = context->previous;
		if (previous || (count &&  count < 10)) {
			++count;
			printk(KERN_ERR "audit(:%d): major=%d name_count=%d:"
			       " freeing multiple contexts (%d)\n",
			       context->serial, context->major,
			       context->name_count, count);
		}
		audit_free_names(context);
Al Viro's avatar
Al Viro committed
910
911
		unroll_tree_refs(context, NULL, 0);
		free_tree_refs(context);
Linus Torvalds's avatar
Linus Torvalds committed
912
		audit_free_aux(context);
Amy Griffis's avatar
Amy Griffis committed
913
		kfree(context->filterkey);
914
		kfree(context->sockaddr);
Linus Torvalds's avatar
Linus Torvalds committed
915
916
917
918
919
920
921
		kfree(context);
		context  = previous;
	} while (context);
	if (count >= 10)
		printk(KERN_ERR "audit: freed %d contexts\n", count);
}

Joy Latten's avatar
Joy Latten committed
922
void audit_log_task_context(struct audit_buffer *ab)
923
924
{
	char *ctx = NULL;
925
926
927
928
	unsigned len;
	int error;
	u32 sid;

929
	security_task_getsecid(current, &sid);
930
931
	if (!sid)
		return;
932

933
	error = security_secid_to_secctx(sid, &ctx, &len);
934
935
	if (error) {
		if (error != -EINVAL)
936
937
938
939
940
			goto error_path;
		return;
	}

	audit_log_format(ab, " subj=%s", ctx);
941
	security_release_secctx(ctx, len);
942
	return;
943
944

error_path:
945
	audit_panic("error in audit_log_task_context");
946
947
948
	return;
}

Joy Latten's avatar
Joy Latten committed
949
950
EXPORT_SYMBOL(audit_log_task_context);

951
static void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
952
{
953
954
	char name[sizeof(tsk->comm)];
	struct mm_struct *mm = tsk->mm;
955
956
	struct vm_area_struct *vma;

957
958
	/* tsk == current */

959
	get_task_comm(name, tsk);
960
961
	audit_log_format(ab, " comm=");
	audit_log_untrustedstring(ab, name);
962

963
964
965
966
967
968
969
	if (mm) {
		down_read(&mm->mmap_sem);
		vma = mm->mmap;
		while (vma) {
			if ((vma->vm_flags & VM_EXECUTABLE) &&
			    vma->vm_file) {
				audit_log_d_path(ab, "exe=",
970
						 &vma->vm_file->f_path);
971
972
973
				break;
			}
			vma = vma->vm_next;
974
		}
975
		up_read(&mm->mmap_sem);
976
	}
977
	audit_log_task_context(ab);
978
979
}

Amy Griffis's avatar
Amy Griffis committed
980
static int audit_log_pid_context(struct audit_context *context, pid_t pid,
981
982
				 uid_t auid, uid_t uid, unsigned int sessionid,
				 u32 sid, char *comm)
Amy Griffis's avatar
Amy Griffis committed
983
984
{
	struct audit_buffer *ab;
985
	char *ctx = NULL;
Amy Griffis's avatar
Amy Griffis committed
986
987
988
989
990
	u32 len;
	int rc = 0;

	ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID);
	if (!ab)
991
		return rc;
Amy Griffis's avatar
Amy Griffis committed
992

993
994
	audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid, auid,
			 uid, sessionid);
995
	if (security_secid_to_secctx(sid, &ctx, &len)) {
996
		audit_log_format(ab, " obj=(none)");
Amy Griffis's avatar
Amy Griffis committed
997
		rc = 1;
998
999
1000
1001
	} else {
		audit_log_format(ab, " obj=%s", ctx);
		security_release_secctx(ctx, len);
	}
1002
1003
	audit_log_format(ab, " ocomm=");
	audit_log_untrustedstring(ab, comm);
Amy Griffis's avatar
Amy Griffis committed
1004
1005
1006
1007
1008
	audit_log_end(ab);

	return rc;
}

1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
/*
 * to_send and len_sent accounting are very loose estimates.  We aren't
 * really worried about a hard cap to MAX_EXECVE_AUDIT_LEN so much as being
 * within about 500 bytes (next page boundry)
 *
 * why snprintf?  an int is up to 12 digits long.  if we just assumed when
 * logging that a[%d]= was going to be 16 characters long we would be wasting
 * space in every audit message.  In one 7500 byte message we can log up to
 * about 1000 min size arguments.  That comes down to about 50% waste of space
 * if we didn't do the snprintf to find out how long arg_num_len was.
 */
static int audit_log_single_execve_arg(struct audit_context *context,
					struct audit_buffer **ab,
					int arg_num,
					size_t *len_sent,
					const char __user *p,
					char *buf)
Peter Zijlstra's avatar
Peter Zijlstra committed
1026
{
1027
1028
	char arg_num_len_buf[12];
	const char __user *tmp_p = p;
1029
1030
	/* how many digits are in arg_num? 5 is the length of ' a=""' */
	size_t arg_num_len = snprintf(arg_num_len_buf, 12, "%d", arg_num) + 5;
1031
1032
1033
1034
1035
1036
1037
	size_t len, len_left, to_send;
	size_t max_execve_audit_len = MAX_EXECVE_AUDIT_LEN;
	unsigned int i, has_cntl = 0, too_long = 0;
	int ret;

	/* strnlen_user includes the null we don't want to send */
	len_left = len = strnlen_user(p, MAX_ARG_STRLEN) - 1;
Peter Zijlstra's avatar
Peter Zijlstra committed
1038

1039
1040
1041
1042
1043
1044
	/*
	 * We just created this mm, if we can't find the strings
	 * we just copied into it something is _very_ wrong. Similar
	 * for strings that are too long, we should not have created
	 * any.
	 */
1045
	if (unlikely((len == -1) || len > MAX_ARG_STRLEN - 1)) {
1046
1047
		WARN_ON(1);
		send_sig(SIGKILL, current, 0);
1048
		return -1;
1049
	}
1050

1051
1052
1053
1054
1055
1056
1057
	/* walk the whole argument looking for non-ascii chars */
	do {
		if (len_left > MAX_EXECVE_AUDIT_LEN)
			to_send = MAX_EXECVE_AUDIT_LEN;
		else
			to_send = len_left;
		ret = copy_from_user(buf, tmp_p, to_send);
Peter Zijlstra's avatar
Peter Zijlstra committed
1058
		/*
1059
1060
1061
		 * There is no reason for this copy to be short. We just
		 * copied them here, and the mm hasn't been exposed to user-
		 * space yet.
Peter Zijlstra's avatar
Peter Zijlstra committed
1062
		 */
1063
		if (ret) {
Peter Zijlstra's avatar
Peter Zijlstra committed
1064
1065
			WARN_ON(1);
			send_sig(SIGKILL, current, 0);
1066
			return -1;
Peter Zijlstra's avatar
Peter Zijlstra committed
1067
		}
1068
1069
1070
1071
1072
1073
1074
1075
		buf[to_send] = '\0';
		has_cntl = audit_string_contains_control(buf, to_send);
		if (has_cntl) {
			/*
			 * hex messages get logged as 2 bytes, so we can only
			 * send half as much in each message
			 */
			max_execve_audit_len = MAX_EXECVE_AUDIT_LEN / 2;
Peter Zijlstra's avatar
Peter Zijlstra committed
1076
1077
			break;
		}
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
		len_left -= to_send;
		tmp_p += to_send;
	} while (len_left > 0);

	len_left = len;

	if (len > max_execve_audit_len)
		too_long = 1;

	/* rewalk the argument actually logging the message */
	for (i = 0; len_left > 0; i++) {
		int room_left;

		if (len_left > max_execve_audit_len)
			to_send = max_execve_audit_len;
		else
			to_send = len_left;

		/* do we have space left to send this argument in this ab? */
		room_left = MAX_EXECVE_AUDIT_LEN - arg_num_len - *len_sent;
		if (has_cntl)
			room_left -= (to_send * 2);
		else
			room_left -= to_send;
		if (room_left < 0) {
			*len_sent = 0;
			audit_log_end(*ab);
			*ab = audit_log_start(context, GFP_KERNEL, AUDIT_EXECVE);
			if (!*ab)
				return 0;
		}
Peter Zijlstra's avatar
Peter Zijlstra committed
1109
1110

		/*
1111
1112
1113
1114
		 * first record needs to say how long the original string was
		 * so we can be sure nothing was lost.
		 */
		if ((i == 0) && (too_long))
1115
			audit_log_format(*ab, " a%d_len=%zu", arg_num,
1116
1117
1118
1119
1120
1121
					 has_cntl ? 2*len : len);

		/*
		 * normally arguments are small enough to fit and we already
		 * filled buf above when we checked for control characters
		 * so don't bother with another copy_from_user
Peter Zijlstra's avatar
Peter Zijlstra committed
1122
		 */
1123
1124
1125
1126
		if (len >= max_execve_audit_len)
			ret = copy_from_user(buf, p, to_send);
		else
			ret = 0;
1127
		if (ret) {
Peter Zijlstra's avatar
Peter Zijlstra committed
1128
1129
			WARN_ON(1);
			send_sig(SIGKILL, current, 0);
1130
			return -1;
Peter Zijlstra's avatar
Peter Zijlstra committed
1131
		}
1132
1133
1134
		buf[to_send] = '\0';

		/* actually log it */
1135
		audit_log_format(*ab, " a%d", arg_num);
1136
1137
1138
1139
		if (too_long)
			audit_log_format(*ab, "[%d]", i);
		audit_log_format(*ab, "=");
		if (has_cntl)
1140
			audit_log_n_hex(*ab, buf, to_send);
1141
		else
1142
			audit_log_string(*ab, buf);
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163

		p += to_send;
		len_left -= to_send;
		*len_sent += arg_num_len;
		if (has_cntl)
			*len_sent += to_send * 2;
		else
			*len_sent += to_send;
	}
	/* include the null we didn't log */
	return len + 1;
}

static void audit_log_execve_info(struct audit_context *context,
				  struct audit_buffer **ab,
				  struct audit_aux_data_execve *axi)
{
	int i;
	size_t len, len_sent = 0;
	const char __user *p;
	char *buf;
Peter Zijlstra's avatar
Peter Zijlstra committed
1164

1165
1166
1167
1168
	if (axi->mm != current->mm)
		return; /* execve failed, no additional info */

	p = (const char __user *)axi->mm->arg_start;
Peter Zijlstra's avatar
Peter Zijlstra committed
1169

1170
	audit_log_format(*ab, "argc=%d", axi->argc);
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181

	/*
	 * we need some kernel buffer to hold the userspace args.  Just
	 * allocate one big one rather than allocating one of the right size
	 * for every single argument inside audit_log_single_execve_arg()
	 * should be <8k allocation so should be pretty safe.
	 */
	buf = kmalloc(MAX_EXECVE_AUDIT_LEN + 1, GFP_KERNEL);
	if (!buf) {
		audit_panic("out of memory for argv string\n");
		return;
Peter Zijlstra's avatar
Peter Zijlstra committed
1182
	}
1183
1184
1185
1186
1187
1188
1189
1190
1191

	for (i = 0; i < axi->argc; i++) {
		len = audit_log_single_execve_arg(context, ab, i,
						  &len_sent, p, buf);
		if (len <= 0)
			break;
		p += len;
	}
	kfree(buf);
Peter Zijlstra's avatar
Peter Zijlstra committed
1192
1193
}

1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
static void audit_log_cap(struct audit_buffer *ab, char *prefix, kernel_cap_t *cap)
{
	int i;

	audit_log_format(ab, " %s=", prefix);
	CAP_FOR_EACH_U32(i) {
		audit_log_format(ab, "%08x", cap->cap[(_KERNEL_CAPABILITY_U32S-1) - i]);
	}
}

static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name)
{
	kernel_cap_t *perm = &name->fcap.permitted;
	kernel_cap_t *inh = &name->fcap.inheritable;
	int log = 0;

	if (!cap_isclear(*perm)) {
		audit_log_cap(ab, "cap_fp", perm);
		log = 1;
	}
	if (!cap_isclear(*inh)) {
		audit_log_cap(ab, "cap_fi", inh);
		log = 1;
	}

	if (log)
		audit_log_format(ab, " cap_fe=%d cap_fver=%x", name->fcap.fE, name->fcap_ver);
}

Al Viro's avatar
Al Viro committed
1223
static void show_special(struct audit_context *context, int *call_panic)
Al Viro's avatar
Al Viro committed
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
{
	struct audit_buffer *ab;
	int i;

	ab = audit_log_start(context, GFP_KERNEL, context->type);
	if (!ab)
		return;

	switch (context->type) {
	case AUDIT_SOCKETCALL: {
		int nargs = context->socketcall.nargs;
		audit_log_format(ab, "nargs=%d", nargs);
		for (i = 0; i < nargs; i++)
			audit_log_format(ab, " a%d=%lx", i,
				context->socketcall.args[i]);
		break; }
Al Viro's avatar
Al Viro committed
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
	case AUDIT_IPC: {
		u32 osid = context->ipc.osid;

		audit_log_format(ab, "ouid=%u ogid=%u mode=%#o",
			 context->ipc.uid, context->ipc.gid, context->ipc.mode);
		if (osid) {
			char *ctx = NULL;
			u32 len;
			if (security_secid_to_secctx(osid, &ctx, &len)) {
				audit_log_format(ab, " osid=%u", osid);
				*call_panic = 1;
			} else {
				audit_log_format(ab, " obj=%s", ctx);
				security_release_secctx(ctx, len);
			}
		}
Al Viro's avatar
Al Viro committed
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
		if (context->ipc.has_perm) {
			audit_log_end(ab);
			ab = audit_log_start(context, GFP_KERNEL,
					     AUDIT_IPC_SET_PERM);
			audit_log_format(ab,
				"qbytes=%lx ouid=%u ogid=%u mode=%#o",
				context->ipc.qbytes,
				context->ipc.perm_uid,
				context->ipc.perm_gid,
				context->ipc.perm_mode);
			if (!ab)
				return;
		}
Al Viro's avatar
Al Viro committed
1269
		break; }
Al Viro's avatar
Al Viro committed
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
	case AUDIT_MQ_OPEN: {
		audit_log_format(ab,
			"oflag=0x%x mode=%#o mq_flags=0x%lx mq_maxmsg=%ld "
			"mq_msgsize=%ld mq_curmsgs=%ld",
			context->mq_open.oflag, context->mq_open.mode,
			context->mq_open.attr.mq_flags,
			context->mq_open.attr.mq_maxmsg,
			context->mq_open.attr.mq_msgsize,
			context->mq_open.attr.mq_curmsgs);
		break; }
Al Viro's avatar
Al Viro committed
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
	case AUDIT_MQ_SENDRECV: {
		audit_log_format(ab,
			"mqdes=%d msg_len=%zd msg_prio=%u "
			"abs_timeout_sec=%ld abs_timeout_nsec=%ld",
			context->mq_sendrecv.mqdes,
			context->mq_sendrecv.msg_len,
			context->mq_sendrecv.msg_prio,
			context->mq_sendrecv.abs_timeout.tv_sec,
			context->mq_sendrecv.abs_timeout.tv_nsec);
		break; }
Al Viro's avatar
Al Viro committed
1290
1291
1292
1293
1294
	case AUDIT_MQ_NOTIFY: {
		audit_log_format(ab, "mqdes=%d sigev_signo=%d",
				context->mq_notify.mqdes,
				context->mq_notify.sigev_signo);
		break; }
Al Viro's avatar
Al Viro committed
1295
1296
1297
1298
1299
1300
1301
1302
1303
	case AUDIT_MQ_GETSETATTR: {
		struct mq_attr *attr = &context->mq_getsetattr.mqstat;
		audit_log_format(ab,
			"mqdes=%d mq_flags=0x%lx mq_maxmsg=%ld mq_msgsize=%ld "
			"mq_curmsgs=%ld ",
			context->mq_getsetattr.mqdes,
			attr->mq_flags, attr->mq_maxmsg,
			attr->mq_msgsize, attr->mq_curmsgs);
		break; }
Al Viro's avatar
Al Viro committed
1304
1305
1306
1307
1308
1309
	case AUDIT_CAPSET: {
		audit_log_format(ab, "pid=%d", context->capset.pid);
		audit_log_cap(ab, "cap_pi", &context->capset.cap.inheritable);
		audit_log_cap(ab, "cap_pp", &context->capset.cap.permitted);
		audit_log_cap(ab, "cap_pe", &context->capset.cap.effective);
		break; }
Al Viro's avatar
Al Viro committed
1310
1311
1312
1313
	}
	audit_log_end(ab);
}

1314
static void audit_log_exit(struct audit_context *context, struct task_struct *tsk)
Linus Torvalds's avatar
Linus Torvalds committed
1315
{
1316
	const struct cred *cred;
Steve Grubb's avatar
Steve Grubb committed
1317
	int i, call_panic = 0;
Linus Torvalds's avatar
Linus Torvalds committed
1318
	struct audit_buffer *ab;
1319