OpenE2K
/
linux
6
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge branch 'audit.b46' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit-current 

* 'audit.b46' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit-current:
  [AUDIT] Add uid, gid fields to ANOM_PROMISCUOUS message
  [AUDIT] ratelimit printk messages audit
  [patch 2/2] audit: complement va_copy with va_end()
  [patch 1/2] kernel/audit.c: warning fix
  [AUDIT] create context if auditing was ever enabled
  [AUDIT] clean up audit_receive_msg()
  [AUDIT] make audit=0 really stop audit messages
  [AUDIT] break large execve argument logging into smaller messages
  [AUDIT] include audit type in audit message when using printk
  [AUDIT] do not panic on exclude messages in audit_log_pid_context()
  [AUDIT] Add End of Event record
  [AUDIT] add session id to audit messages
  [AUDIT] collect uid, loginuid, and comm in OBJ_PID records
  [AUDIT] return EINTR not ERESTART*
  [PATCH] get rid of loginuid races
  [PATCH] switch audit_get_loginuid() to task_struct *
This commit is contained in:
Linus Torvalds 2008-02-02 08:37:03 +11:00
parent 3e01dfce13 7759db8277
commit dd5f5fed6c
16 changed files with 540 additions and 430 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
Documentation/filesystems/proc.txt
View File

@ -1134,13 +1134,6 @@ check the amount of free space (value is in seconds). Default settings are: 4,
resume it if we have a value of 3 or more percent; consider information about
the amount of free space valid for 30 seconds
audit_argv_kb
-------------
The file contains a single value denoting the limit on the argv array size
for execve (in KiB). This limit is only applied when system call auditing for
execve is enabled, otherwise the value is ignored.
ctrl-alt-del
------------

19
drivers/char/tty_audit.c
View File

@ -73,6 +73,7 @@ static void tty_audit_buf_put(struct tty_audit_buf *buf)
* @tsk with @loginuid. @buf->mutex must be locked.
*/
static void tty_audit_buf_push(struct task_struct *tsk, uid_t loginuid,
unsigned int sessionid,
struct tty_audit_buf *buf)
{
struct audit_buffer *ab;
@ -85,9 +86,9 @@ static void tty_audit_buf_push(struct task_struct *tsk, uid_t loginuid,
if (ab) {
char name[sizeof(tsk->comm)];
audit_log_format(ab, "tty pid=%u uid=%u auid=%u major=%d "
"minor=%d comm=", tsk->pid, tsk->uid,
loginuid, buf->major, buf->minor);
audit_log_format(ab, "tty pid=%u uid=%u auid=%u ses=%u "
"major=%d minor=%d comm=", tsk->pid, tsk->uid,
loginuid, sessionid, buf->major, buf->minor);
get_task_comm(name, tsk);
audit_log_untrustedstring(ab, name);
audit_log_format(ab, " data=");
@ -105,8 +106,9 @@ static void tty_audit_buf_push(struct task_struct *tsk, uid_t loginuid,
*/
static void tty_audit_buf_push_current(struct tty_audit_buf *buf)
{
tty_audit_buf_push(current, audit_get_loginuid(current->audit_context),
buf);
uid_t auid = audit_get_loginuid(current);
unsigned int sessionid = audit_get_sessionid(current);
tty_audit_buf_push(current, auid, sessionid, buf);
}
/**
@ -152,6 +154,11 @@ void tty_audit_fork(struct signal_struct *sig)
void tty_audit_push_task(struct task_struct *tsk, uid_t loginuid)
{
struct tty_audit_buf *buf;
/* FIXME I think this is correct. Check against netlink once that is
* I really need to read this code more closely. But that's for
* another patch.
*/
unsigned int sessionid = audit_get_sessionid(tsk);
spin_lock_irq(&tsk->sighand->siglock);
buf = tsk->signal->tty_audit_buf;
@ -162,7 +169,7 @@ void tty_audit_push_task(struct task_struct *tsk, uid_t loginuid)
return;
mutex_lock(&buf->mutex);
tty_audit_buf_push(tsk, loginuid, buf);
tty_audit_buf_push(tsk, loginuid, sessionid, buf);
mutex_unlock(&buf->mutex);
tty_audit_buf_put(buf);

2
fs/proc/base.c
View File

@ -984,7 +984,7 @@ static ssize_t proc_loginuid_read(struct file * file, char __user * buf,
if (!task)
return -ESRCH;
length = scnprintf(tmpbuf, TMPBUFLEN, "%u",
audit_get_loginuid(task->audit_context));
audit_get_loginuid(task));
put_task_struct(task);
return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
}

13
include/linux/audit.h
View File

@ -98,6 +98,7 @@
#define AUDIT_FD_PAIR 1317 /* audit record for pipe/socketpair */
#define AUDIT_OBJ_PID 1318 /* ptrace target */
#define AUDIT_TTY 1319 /* Input on an administrative TTY */
#define AUDIT_EOE 1320 /* End of multi-record event */
#define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
#define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
@ -409,7 +410,8 @@ extern unsigned int audit_serial(void);
extern void auditsc_get_stamp(struct audit_context *ctx,
struct timespec *t, unsigned int *serial);
extern int audit_set_loginuid(struct task_struct *task, uid_t loginuid);
extern uid_t audit_get_loginuid(struct audit_context *ctx);
#define audit_get_loginuid(t) ((t)->loginuid)
#define audit_get_sessionid(t) ((t)->sessionid)
extern void audit_log_task_context(struct audit_buffer *ab);
extern int __audit_ipc_obj(struct kern_ipc_perm *ipcp);
extern int __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode);
@ -488,7 +490,8 @@ extern int audit_signals;
#define audit_inode_child(d,i,p) do { ; } while (0)
#define audit_core_dumps(i) do { ; } while (0)
#define auditsc_get_stamp(c,t,s) do { BUG(); } while (0)
#define audit_get_loginuid(c) ({ -1; })
#define audit_get_loginuid(t) (-1)
#define audit_get_sessionid(t) (-1)
#define audit_log_task_context(b) do { ; } while (0)
#define audit_ipc_obj(i) ({ 0; })
#define audit_ipc_set_perm(q,u,g,m) ({ 0; })
@ -522,9 +525,11 @@ extern void audit_log_end(struct audit_buffer *ab);
extern void audit_log_hex(struct audit_buffer *ab,
const unsigned char *buf,
size_t len);
extern const char * audit_log_untrustedstring(struct audit_buffer *ab,
extern int audit_string_contains_control(const char *string,
size_t len);
extern void audit_log_untrustedstring(struct audit_buffer *ab,
const char *string);
extern const char * audit_log_n_untrustedstring(struct audit_buffer *ab,
extern void audit_log_n_untrustedstring(struct audit_buffer *ab,
size_t n,
const char *string);
extern void audit_log_d_path(struct audit_buffer *ab,

8
include/linux/init_task.h
View File

@ -114,6 +114,13 @@ extern struct group_info init_groups;
.pid = &init_struct_pid, \
}
#ifdef CONFIG_AUDITSYSCALL
#define INIT_IDS \
.loginuid = -1, \
.sessionid = -1,
#else
#define INIT_IDS
#endif
/*
* INIT_TASK is used to set up the first task table, touch at
* your own risk!. Base=0, limit=0x1fffff (=2MB)
@ -173,6 +180,7 @@ extern struct group_info init_groups;
[PIDTYPE_SID] = INIT_PID_LINK(PIDTYPE_SID), \
}, \
.dirties = INIT_PROP_LOCAL_SINGLE(dirties), \
INIT_IDS \
INIT_TRACE_IRQFLAGS \
INIT_LOCKDEP \
}

4
include/linux/sched.h
View File

@ -1139,6 +1139,10 @@ struct task_struct {
void *security;
#endif
struct audit_context *audit_context;
#ifdef CONFIG_AUDITSYSCALL
uid_t loginuid;
unsigned int sessionid;
#endif
seccomp_t seccomp;
/* Thread group tracking */

442
kernel/audit.c
View File

@ -66,10 +66,11 @@
* (Initialization happens after skb_init is called.) */
static int audit_initialized;
/* 0 - no auditing
* 1 - auditing enabled
* 2 - auditing enabled and configuration is locked/unchangeable. */
#define AUDIT_OFF 0
#define AUDIT_ON 1
#define AUDIT_LOCKED 2
int audit_enabled;
int audit_ever_enabled;
/* Default state when kernel boots without any parameters. */
static int audit_default;
@ -152,8 +153,10 @@ struct audit_buffer {
static void audit_set_pid(struct audit_buffer *ab, pid_t pid)
{
struct nlmsghdr *nlh = nlmsg_hdr(ab->skb);
nlh->nlmsg_pid = pid;
if (ab) {
struct nlmsghdr *nlh = nlmsg_hdr(ab->skb);
nlh->nlmsg_pid = pid;
}
}
void audit_panic(const char *message)
@ -163,7 +166,8 @@ void audit_panic(const char *message)
case AUDIT_FAIL_SILENT:
break;
case AUDIT_FAIL_PRINTK:
printk(KERN_ERR "audit: %s\n", message);
if (printk_ratelimit())
printk(KERN_ERR "audit: %s\n", message);
break;
case AUDIT_FAIL_PANIC:
panic("audit: %s\n", message);
@ -231,161 +235,107 @@ void audit_log_lost(const char *message)
}
if (print) {
printk(KERN_WARNING
"audit: audit_lost=%d audit_rate_limit=%d audit_backlog_limit=%d\n",
atomic_read(&audit_lost),
audit_rate_limit,
audit_backlog_limit);
if (printk_ratelimit())
printk(KERN_WARNING
"audit: audit_lost=%d audit_rate_limit=%d "
"audit_backlog_limit=%d\n",
atomic_read(&audit_lost),
audit_rate_limit,
audit_backlog_limit);
audit_panic(message);
}
}
static int audit_set_rate_limit(int limit, uid_t loginuid, u32 sid)
static int audit_log_config_change(char *function_name, int new, int old,
uid_t loginuid, u32 sid, int allow_changes)
{
int res, rc = 0, old = audit_rate_limit;
/* check if we are locked */
if (audit_enabled == 2)
res = 0;
else
res = 1;
struct audit_buffer *ab;
int rc = 0;
ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
audit_log_format(ab, "%s=%d old=%d by auid=%u", function_name, new,
old, loginuid);
if (sid) {
char *ctx = NULL;
u32 len;
if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) {
audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
"audit_rate_limit=%d old=%d by auid=%u"
" subj=%s res=%d",
limit, old, loginuid, ctx, res);
rc = selinux_sid_to_string(sid, &ctx, &len);
if (rc) {
audit_log_format(ab, " sid=%u", sid);
allow_changes = 0; /* Something weird, deny request */
} else {
audit_log_format(ab, " subj=%s", ctx);
kfree(ctx);
} else
res = 0; /* Something weird, deny request */
}
}
audit_log_format(ab, " res=%d", allow_changes);
audit_log_end(ab);
return rc;
}
static int audit_do_config_change(char *function_name, int *to_change,
int new, uid_t loginuid, u32 sid)
{
int allow_changes, rc = 0, old = *to_change;
/* check if we are locked */
if (audit_enabled == AUDIT_LOCKED)
allow_changes = 0;
else
allow_changes = 1;
if (audit_enabled != AUDIT_OFF) {
rc = audit_log_config_change(function_name, new, old,
loginuid, sid, allow_changes);
if (rc)
allow_changes = 0;
}
audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
"audit_rate_limit=%d old=%d by auid=%u res=%d",
limit, old, loginuid, res);
/* If we are allowed, make the change */
if (res == 1)
audit_rate_limit = limit;
if (allow_changes == 1)
*to_change = new;
/* Not allowed, update reason */
else if (rc == 0)
rc = -EPERM;
return rc;
}
static int audit_set_rate_limit(int limit, uid_t loginuid, u32 sid)
{
return audit_do_config_change("audit_rate_limit", &audit_rate_limit,
limit, loginuid, sid);
}
static int audit_set_backlog_limit(int limit, uid_t loginuid, u32 sid)
{
int res, rc = 0, old = audit_backlog_limit;
/* check if we are locked */
if (audit_enabled == 2)
res = 0;
else
res = 1;
if (sid) {
char *ctx = NULL;
u32 len;
if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) {
audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
"audit_backlog_limit=%d old=%d by auid=%u"
" subj=%s res=%d",
limit, old, loginuid, ctx, res);
kfree(ctx);
} else
res = 0; /* Something weird, deny request */
}
audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
"audit_backlog_limit=%d old=%d by auid=%u res=%d",
limit, old, loginuid, res);
/* If we are allowed, make the change */
if (res == 1)
audit_backlog_limit = limit;
/* Not allowed, update reason */
else if (rc == 0)
rc = -EPERM;
return rc;
return audit_do_config_change("audit_backlog_limit", &audit_backlog_limit,
limit, loginuid, sid);
}
static int audit_set_enabled(int state, uid_t loginuid, u32 sid)
{
int res, rc = 0, old = audit_enabled;
if (state < 0 || state > 2)
int rc;
if (state < AUDIT_OFF || state > AUDIT_LOCKED)
return -EINVAL;
/* check if we are locked */
if (audit_enabled == 2)
res = 0;
else
res = 1;
rc = audit_do_config_change("audit_enabled", &audit_enabled, state,
loginuid, sid);
if (sid) {
char *ctx = NULL;
u32 len;
if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) {
audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
"audit_enabled=%d old=%d by auid=%u"
" subj=%s res=%d",
state, old, loginuid, ctx, res);
kfree(ctx);
} else
res = 0; /* Something weird, deny request */
}
audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
"audit_enabled=%d old=%d by auid=%u res=%d",
state, old, loginuid, res);
if (!rc)
audit_ever_enabled |= !!state;
/* If we are allowed, make the change */
if (res == 1)
audit_enabled = state;
/* Not allowed, update reason */
else if (rc == 0)
rc = -EPERM;
return rc;
}
static int audit_set_failure(int state, uid_t loginuid, u32 sid)
{
int res, rc = 0, old = audit_failure;
if (state != AUDIT_FAIL_SILENT
&& state != AUDIT_FAIL_PRINTK
&& state != AUDIT_FAIL_PANIC)
return -EINVAL;
/* check if we are locked */
if (audit_enabled == 2)
res = 0;
else
res = 1;
if (sid) {
char *ctx = NULL;
u32 len;
if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) {
audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
"audit_failure=%d old=%d by auid=%u"
" subj=%s res=%d",
state, old, loginuid, ctx, res);
kfree(ctx);
} else
res = 0; /* Something weird, deny request */
}
audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
"audit_failure=%d old=%d by auid=%u res=%d",
state, old, loginuid, res);
/* If we are allowed, make the change */
if (res == 1)
audit_failure = state;
/* Not allowed, update reason */
else if (rc == 0)
rc = -EPERM;
return rc;
return audit_do_config_change("audit_failure", &audit_failure, state,
loginuid, sid);
}
static int kauditd_thread(void *dummy)
@ -405,7 +355,11 @@ static int kauditd_thread(void *dummy)
audit_pid = 0;
}
} else {
printk(KERN_NOTICE "%s\n", skb->data + NLMSG_SPACE(0));
if (printk_ratelimit())
printk(KERN_NOTICE "%s\n", skb->data +
NLMSG_SPACE(0));
else
audit_log_lost("printk limit exceeded\n");
kfree_skb(skb);
}
} else {
@ -573,6 +527,33 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
return err;
}
static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type,
u32 pid, u32 uid, uid_t auid, u32 sid)
{
int rc = 0;
char *ctx = NULL;
u32 len;
if (!audit_enabled) {
*ab = NULL;
return rc;
}
*ab = audit_log_start(NULL, GFP_KERNEL, msg_type);
audit_log_format(*ab, "user pid=%d uid=%u auid=%u",
pid, uid, auid);
if (sid) {
rc = selinux_sid_to_string(sid, &ctx, &len);
if (rc)
audit_log_format(*ab, " ssid=%u", sid);
else
audit_log_format(*ab, " subj=%s", ctx);
kfree(ctx);
}
return rc;
}
static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
{
u32 uid, pid, seq, sid;
@ -583,7 +564,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
u16 msg_type = nlh->nlmsg_type;
uid_t loginuid; /* loginuid of sender */
struct audit_sig_info *sig_data;
char *ctx;
char *ctx = NULL;
u32 len;
err = audit_netlink_ok(skb, msg_type);
@ -634,23 +615,14 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
if (err < 0) return err;
}
if (status_get->mask & AUDIT_STATUS_PID) {
int old = audit_pid;
if (sid) {
if ((err = selinux_sid_to_string(
sid, &ctx, &len)))
return err;
else
audit_log(NULL, GFP_KERNEL,
AUDIT_CONFIG_CHANGE,
"audit_pid=%d old=%d by auid=%u subj=%s",
status_get->pid, old,
loginuid, ctx);
kfree(ctx);
} else
audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
"audit_pid=%d old=%d by auid=%u",
status_get->pid, old, loginuid);
audit_pid = status_get->pid;
int new_pid = status_get->pid;
if (audit_enabled != AUDIT_OFF)
audit_log_config_change("audit_pid", new_pid,
audit_pid, loginuid,
sid, 1);
audit_pid = new_pid;
}
if (status_get->mask & AUDIT_STATUS_RATE_LIMIT)
err = audit_set_rate_limit(status_get->rate_limit,
@ -673,64 +645,35 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
if (err)
break;
}
ab = audit_log_start(NULL, GFP_KERNEL, msg_type);
if (ab) {
audit_log_format(ab,
"user pid=%d uid=%u auid=%u",
pid, uid, loginuid);
if (sid) {
if (selinux_sid_to_string(
sid, &ctx, &len)) {
audit_log_format(ab,
" ssid=%u", sid);
/* Maybe call audit_panic? */
} else
audit_log_format(ab,
" subj=%s", ctx);
kfree(ctx);
}
if (msg_type != AUDIT_USER_TTY)
audit_log_format(ab, " msg='%.1024s'",
(char *)data);
else {
int size;
audit_log_common_recv_msg(&ab, msg_type, pid, uid,
loginuid, sid);
audit_log_format(ab, " msg=");
size = nlmsg_len(nlh);
audit_log_n_untrustedstring(ab, size,
data);
}
audit_set_pid(ab, pid);
audit_log_end(ab);
if (msg_type != AUDIT_USER_TTY)
audit_log_format(ab, " msg='%.1024s'",
(char *)data);
else {
int size;
audit_log_format(ab, " msg=");
size = nlmsg_len(nlh);
audit_log_n_untrustedstring(ab, size,
data);
}
audit_set_pid(ab, pid);
audit_log_end(ab);
}
break;
case AUDIT_ADD:
case AUDIT_DEL:
if (nlmsg_len(nlh) < sizeof(struct audit_rule))
return -EINVAL;
if (audit_enabled == 2) {
ab = audit_log_start(NULL, GFP_KERNEL,
AUDIT_CONFIG_CHANGE);
if (ab) {
audit_log_format(ab,
"pid=%d uid=%u auid=%u",
pid, uid, loginuid);
if (sid) {
if (selinux_sid_to_string(
sid, &ctx, &len)) {
audit_log_format(ab,
" ssid=%u", sid);
/* Maybe call audit_panic? */
} else
audit_log_format(ab,
" subj=%s", ctx);
kfree(ctx);
}
audit_log_format(ab, " audit_enabled=%d res=0",
audit_enabled);
audit_log_end(ab);
}
if (audit_enabled == AUDIT_LOCKED) {
audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE, pid,
uid, loginuid, sid);
audit_log_format(ab, " audit_enabled=%d res=0",
audit_enabled);
audit_log_end(ab);
return -EPERM;
}
/* fallthrough */
@ -743,28 +686,13 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
case AUDIT_DEL_RULE:
if (nlmsg_len(nlh) < sizeof(struct audit_rule_data))
return -EINVAL;
if (audit_enabled == 2) {
ab = audit_log_start(NULL, GFP_KERNEL,
AUDIT_CONFIG_CHANGE);
if (ab) {
audit_log_format(ab,
"pid=%d uid=%u auid=%u",
pid, uid, loginuid);
if (sid) {
if (selinux_sid_to_string(
sid, &ctx, &len)) {
audit_log_format(ab,
" ssid=%u", sid);
/* Maybe call audit_panic? */
} else
audit_log_format(ab,
" subj=%s", ctx);
kfree(ctx);
}
audit_log_format(ab, " audit_enabled=%d res=0",
audit_enabled);
audit_log_end(ab);
}
if (audit_enabled == AUDIT_LOCKED) {
audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE, pid,
uid, loginuid, sid);
audit_log_format(ab, " audit_enabled=%d res=0",
audit_enabled);
audit_log_end(ab);
return -EPERM;
}
/* fallthrough */
@ -775,19 +703,10 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
break;
case AUDIT_TRIM:
audit_trim_trees();
ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
if (!ab)
break;
audit_log_format(ab, "auid=%u", loginuid);
if (sid) {
u32 len;
ctx = NULL;
if (selinux_sid_to_string(sid, &ctx, &len))
audit_log_format(ab, " ssid=%u", sid);
else
audit_log_format(ab, " subj=%s", ctx);
kfree(ctx);
}
audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE, pid,
uid, loginuid, sid);
audit_log_format(ab, " op=trim res=1");
audit_log_end(ab);
break;
@ -817,22 +736,9 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
/* OK, here comes... */
err = audit_tag_tree(old, new);
ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
if (!ab) {
kfree(old);
kfree(new);
break;
}
audit_log_format(ab, "auid=%u", loginuid);
if (sid) {
u32 len;
ctx = NULL;
if (selinux_sid_to_string(sid, &ctx, &len))
audit_log_format(ab, " ssid=%u", sid);
else
audit_log_format(ab, " subj=%s", ctx);
kfree(ctx);
}
audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE, pid,
uid, loginuid, sid);
audit_log_format(ab, " op=make_equiv old=");
audit_log_untrustedstring(ab, old);
audit_log_format(ab, " new=");
@ -965,6 +871,7 @@ static int __init audit_init(void)
skb_queue_head_init(&audit_skb_queue);
audit_initialized = 1;
audit_enabled = audit_default;
audit_ever_enabled |= !!audit_default;
/* Register the callback with selinux. This callback will be invoked
* when a new policy is loaded. */
@ -992,8 +899,10 @@ static int __init audit_enable(char *str)
printk(KERN_INFO "audit: %s%s\n",
audit_default ? "enabled" : "disabled",
audit_initialized ? "" : " (after initialization)");
if (audit_initialized)
if (audit_initialized) {
audit_enabled = audit_default;
audit_ever_enabled |= !!audit_default;
}
return 1;
}
@ -1130,7 +1039,7 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
{
struct audit_buffer *ab = NULL;
struct timespec t;
unsigned int serial;
unsigned int uninitialized_var(serial);
int reserve;
unsigned long timeout_start = jiffies;
@ -1164,7 +1073,7 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
remove_wait_queue(&audit_backlog_wait, &wait);
continue;
}
if (audit_rate_check())
if (audit_rate_check() && printk_ratelimit())
printk(KERN_WARNING
"audit: audit_backlog=%d > "
"audit_backlog_limit=%d\n",
@ -1249,6 +1158,7 @@ static void audit_log_vformat(struct audit_buffer *ab, const char *fmt,
goto out;
len = vsnprintf(skb_tail_pointer(skb), avail, fmt, args2);
}
va_end(args2);
if (len > 0)
skb_put(skb, len);
out:
@ -1349,6 +1259,21 @@ static void audit_log_n_string(struct audit_buffer *ab, size_t slen,
skb_put(skb, slen + 2); /* don't include null terminator */
}
/**
* audit_string_contains_control - does a string need to be logged in hex
* @string - string to be checked
* @len - max length of the string to check
*/
int audit_string_contains_control(const char *string, size_t len)
{
const unsigned char *p;
for (p = string; p < (const unsigned char *)string + len && *p; p++) {
if (*p == '"' || *p < 0x21 || *p > 0x7f)
return 1;
}
return 0;
}
/**
* audit_log_n_untrustedstring - log a string that may contain random characters
* @ab: audit_buffer
@ -1363,19 +1288,13 @@ static void audit_log_n_string(struct audit_buffer *ab, size_t slen,
* The caller specifies the number of characters in the string to log, which may
* or may not be the entire string.
*/
const char *audit_log_n_untrustedstring(struct audit_buffer *ab, size_t len,
const char *string)
void audit_log_n_untrustedstring(struct audit_buffer *ab, size_t len,
const char *string)
{
const unsigned char *p;
for (p = string; p < (const unsigned char *)string + len && *p; p++) {
if (*p == '"' || *p < 0x21 || *p > 0x7f) {
audit_log_hex(ab, string, len);
return string + len + 1;
}
}
audit_log_n_string(ab, len, string);
return p + 1;
if (audit_string_contains_control(string, len))
audit_log_hex(ab, string, len);
else
audit_log_n_string(ab, len, string);
}
/**
@ -1386,9 +1305,9 @@ const char *audit_log_n_untrustedstring(struct audit_buffer *ab, size_t len,
* Same as audit_log_n_untrustedstring(), except that strlen is used to
* determine string length.
*/
const char *audit_log_untrustedstring(struct audit_buffer *ab, const char *string)
void audit_log_untrustedstring(struct audit_buffer *ab, const char *string)
{
return audit_log_n_untrustedstring(ab, strlen(string), string);
audit_log_n_untrustedstring(ab, strlen(string), string);
}
/* This is a helper-function to print the escaped d_path */
@ -1437,8 +1356,11 @@ void audit_log_end(struct audit_buffer *ab)
skb_queue_tail(&audit_skb_queue, ab->skb);
ab->skb = NULL;
wake_up_interruptible(&kauditd_wait);
} else if (printk_ratelimit()) {
struct nlmsghdr *nlh = nlmsg_hdr(ab->skb);
printk(KERN_NOTICE "type=%d %s\n", nlh->nlmsg_type, ab->skb->data + NLMSG_SPACE(0));
} else {
printk(KERN_NOTICE "%s\n", ab->skb->data + NLMSG_SPACE(0));
audit_log_lost("printk limit exceeded\n");
}
}
audit_buffer_free(ab);

54
kernel/auditfilter.c
View File

@ -95,6 +95,8 @@ extern struct inotify_handle *audit_ih;
/* Inotify events we care about. */
#define AUDIT_IN_WATCH IN_MOVE|IN_CREATE|IN_DELETE|IN_DELETE_SELF|IN_MOVE_SELF
extern int audit_enabled;
void audit_free_parent(struct inotify_watch *i_watch)
{
struct audit_parent *parent;
@ -974,7 +976,6 @@ static void audit_update_watch(struct audit_parent *parent,
struct audit_watch *owatch, *nwatch, *nextw;
struct audit_krule *r, *nextr;
struct audit_entry *oentry, *nentry;
struct audit_buffer *ab;
mutex_lock(&audit_filter_mutex);
list_for_each_entry_safe(owatch, nextw, &parent->watches, wlist) {
@ -1014,13 +1015,18 @@ static void audit_update_watch(struct audit_parent *parent,
call_rcu(&oentry->rcu, audit_free_rule_rcu);
}
ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
audit_log_format(ab, "op=updated rules specifying path=");
audit_log_untrustedstring(ab, owatch->path);
audit_log_format(ab, " with dev=%u ino=%lu\n", dev, ino);
audit_log_format(ab, " list=%d res=1", r->listnr);
audit_log_end(ab);
if (audit_enabled) {
struct audit_buffer *ab;
ab = audit_log_start(NULL, GFP_KERNEL,
AUDIT_CONFIG_CHANGE);
audit_log_format(ab,
"op=updated rules specifying path=");
audit_log_untrustedstring(ab, owatch->path);
audit_log_format(ab, " with dev=%u ino=%lu\n",
dev, ino);
audit_log_format(ab, " list=%d res=1", r->listnr);
audit_log_end(ab);
}
audit_remove_watch(owatch);
goto add_watch_to_parent; /* event applies to a single watch */
}
@ -1039,25 +1045,28 @@ static void audit_remove_parent_watches(struct audit_parent *parent)
struct audit_watch *w, *nextw;
struct audit_krule *r, *nextr;
struct audit_entry *e;
struct audit_buffer *ab;
mutex_lock(&audit_filter_mutex);
parent->flags |= AUDIT_PARENT_INVALID;
list_for_each_entry_safe(w, nextw, &parent->watches, wlist) {
list_for_each_entry_safe(r, nextr, &w->rules, rlist) {
e = container_of(r, struct audit_entry, rule);
ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
audit_log_format(ab, "op=remove rule path=");
audit_log_untrustedstring(ab, w->path);
if (r->filterkey) {
audit_log_format(ab, " key=");
audit_log_untrustedstring(ab, r->filterkey);
} else
audit_log_format(ab, " key=(null)");
audit_log_format(ab, " list=%d res=1", r->listnr);
audit_log_end(ab);
if (audit_enabled) {
struct audit_buffer *ab;
ab = audit_log_start(NULL, GFP_KERNEL,
AUDIT_CONFIG_CHANGE);
audit_log_format(ab, "op=remove rule path=");
audit_log_untrustedstring(ab, w->path);
if (r->filterkey) {
audit_log_format(ab, " key=");
audit_log_untrustedstring(ab,
r->filterkey);
} else
audit_log_format(ab, " key=(null)");
audit_log_format(ab, " list=%d res=1",
r->listnr);
audit_log_end(ab);
}
list_del(&r->rlist);
list_del_rcu(&e->list);
call_rcu(&e->rcu, audit_free_rule_rcu);
@ -1495,6 +1504,9 @@ static void audit_log_rule_change(uid_t loginuid, u32 sid, char *action,
{
struct audit_buffer *ab;
if (!audit_enabled)
return;
ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
if (!ab)
return;

355
kernel/auditsc.c
View File

@ -70,6 +70,7 @@
#include "audit.h"
extern struct list_head audit_filter_list[];
extern int audit_ever_enabled;
/* AUDIT_NAMES is the number of slots we reserve in the audit_context
* for saving names from getname(). */
@ -78,6 +79,9 @@ extern struct list_head audit_filter_list[];
/* Indicates that audit should log the full pathname. */
#define AUDIT_NAME_FULL -1
/* no execve audit message should be longer than this (userspace limits) */
#define MAX_EXECVE_AUDIT_LEN 7500
/* number of audit rules */
int audit_n_rules;
@ -176,7 +180,11 @@ struct audit_aux_data_fd_pair {
struct audit_aux_data_pids {
struct audit_aux_data d;
pid_t target_pid[AUDIT_AUX_PIDS];
uid_t target_auid[AUDIT_AUX_PIDS];
uid_t target_uid[AUDIT_AUX_PIDS];
unsigned int target_sessionid[AUDIT_AUX_PIDS];
u32 target_sid[AUDIT_AUX_PIDS];
char target_comm[AUDIT_AUX_PIDS][TASK_COMM_LEN];
int pid_count;
};
@ -192,7 +200,6 @@ struct audit_context {
enum audit_state state;
unsigned int serial; /* serial number for record */
struct timespec ctime; /* time of syscall entry */
uid_t loginuid; /* login uid (identity) */
int major; /* syscall number */
unsigned long argv[4]; /* syscall arguments */
int return_valid; /* return code is valid */
@ -215,7 +222,11 @@ struct audit_context {
int arch;
pid_t target_pid;
uid_t target_auid;
uid_t target_uid;
unsigned int target_sessionid;
u32 target_sid;
char target_comm[TASK_COMM_LEN];
struct audit_tree_refs *trees, *first_trees;
int tree_count;
@ -506,7 +517,7 @@ static int audit_filter_rules(struct task_struct *tsk,
case AUDIT_LOGINUID:
result = 0;
if (ctx)
result = audit_comparator(ctx->loginuid, f->op, f->val);
result = audit_comparator(tsk->loginuid, f->op, f->val);
break;
case AUDIT_SUBJ_USER:
case AUDIT_SUBJ_ROLE:
@ -702,7 +713,24 @@ static inline struct audit_context *audit_get_context(struct task_struct *tsk,
if (likely(!context))
return NULL;
context->return_valid = return_valid;
context->return_code = return_code;
/*
* we need to fix up the return code in the audit logs if the actual
* return codes are later going to be fixed up by the arch specific
* signal handlers
*
* This is actually a test for:
* (rc == ERESTARTSYS ) || (rc == ERESTARTNOINTR) ||
* (rc == ERESTARTNOHAND) || (rc == ERESTART_RESTARTBLOCK)
*
* but is faster than a bunch of ||
*/
if (unlikely(return_code <= -ERESTARTSYS) &&
(return_code >= -ERESTART_RESTARTBLOCK) &&
(return_code != -ENOIOCTLCMD))
context->return_code = -EINTR;
else
context->return_code = return_code;
if (context->in_syscall && !context->dummy && !context->auditable) {
enum audit_state state;
@ -783,11 +811,8 @@ static inline void audit_free_aux(struct audit_context *context)
static inline void audit_zero_context(struct audit_context *context,
enum audit_state state)
{
uid_t loginuid = context->loginuid;
memset(context, 0, sizeof(*context));
context->state = state;
context->loginuid = loginuid;
}
static inline struct audit_context *audit_alloc_context(enum audit_state state)
@ -814,7 +839,7 @@ int audit_alloc(struct task_struct *tsk)
struct audit_context *context;
enum audit_state state;
if (likely(!audit_enabled))
if (likely(!audit_ever_enabled))
return 0; /* Return if not auditing. */
state = audit_filter_task(tsk);
@ -826,11 +851,6 @@ int audit_alloc(struct task_struct *tsk)
return -ENOMEM;
}
/* Preserve login uid */
context->loginuid = -1;
if (current->audit_context)
context->loginuid = current->audit_context->loginuid;
tsk->audit_context = context;
set_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT);
return 0;
@ -922,7 +942,8 @@ static void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk
}
static int audit_log_pid_context(struct audit_context *context, pid_t pid,
u32 sid)
uid_t auid, uid_t uid, unsigned int sessionid,
u32 sid, char *comm)
{
struct audit_buffer *ab;
char *s = NULL;
@ -931,52 +952,71 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID);
if (!ab)
return 1;
return rc;
audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid, auid,
uid, sessionid);
if (selinux_sid_to_string(sid, &s, &len)) {
audit_log_format(ab, "opid=%d obj=(none)", pid);
audit_log_format(ab, " obj=(none)");
rc = 1;
} else
audit_log_format(ab, "opid=%d obj=%s", pid, s);
audit_log_format(ab, " obj=%s", s);
audit_log_format(ab, " ocomm=");
audit_log_untrustedstring(ab, comm);
audit_log_end(ab);
kfree(s);
return rc;
}
static void audit_log_execve_info(struct audit_buffer *ab,
struct audit_aux_data_execve *axi)
/*
* to_send and len_sent accounting are very loose estimates. We aren't
* really worried about a hard cap to MAX_EXECVE_AUDIT_LEN so much as being
* within about 500 bytes (next page boundry)
*
* why snprintf? an int is up to 12 digits long. if we just assumed when
* logging that a[%d]= was going to be 16 characters long we would be wasting
* space in every audit message. In one 7500 byte message we can log up to
* about 1000 min size arguments. That comes down to about 50% waste of space
* if we didn't do the snprintf to find out how long arg_num_len was.
*/
static int audit_log_single_execve_arg(struct audit_context *context,
struct audit_buffer **ab,
int arg_num,
size_t *len_sent,
const char __user *p,
char *buf)
{
int i;
long len, ret;
const char __user *p;
char *buf;
char arg_num_len_buf[12];
const char __user *tmp_p = p;
/* how many digits are in arg_num? 3 is the length of a=\n */
size_t arg_num_len = snprintf(arg_num_len_buf, 12, "%d", arg_num) + 3;
size_t len, len_left, to_send;
size_t max_execve_audit_len = MAX_EXECVE_AUDIT_LEN;
unsigned int i, has_cntl = 0, too_long = 0;
int ret;
if (axi->mm != current->mm)
return; /* execve failed, no additional info */
/* strnlen_user includes the null we don't want to send */
len_left = len = strnlen_user(p, MAX_ARG_STRLEN) - 1;
p = (const char __user *)axi->mm->arg_start;
/*
* We just created this mm, if we can't find the strings
* we just copied into it something is _very_ wrong. Similar
* for strings that are too long, we should not have created
* any.
*/
if (unlikely((len = -1) || len > MAX_ARG_STRLEN - 1)) {
WARN_ON(1);
send_sig(SIGKILL, current, 0);
}
for (i = 0; i < axi->argc; i++, p += len) {
len = strnlen_user(p, MAX_ARG_STRLEN);
/*
* We just created this mm, if we can't find the strings
* we just copied into it something is _very_ wrong. Similar
* for strings that are too long, we should not have created
* any.
*/
if (!len || len > MAX_ARG_STRLEN) {
WARN_ON(1);
send_sig(SIGKILL, current, 0);
}
buf = kmalloc(len, GFP_KERNEL);
if (!buf) {
audit_panic("out of memory for argv string\n");
break;
}
ret = copy_from_user(buf, p, len);
/* walk the whole argument looking for non-ascii chars */
do {
if (len_left > MAX_EXECVE_AUDIT_LEN)
to_send = MAX_EXECVE_AUDIT_LEN;
else
to_send = len_left;
ret = copy_from_user(buf, tmp_p, to_send);
/*
* There is no reason for this copy to be short. We just
* copied them here, and the mm hasn't been exposed to user-
@ -986,13 +1026,130 @@ static void audit_log_execve_info(struct audit_buffer *ab,
WARN_ON(1);
send_sig(SIGKILL, current, 0);
}
buf[to_send] = '\0';
has_cntl = audit_string_contains_control(buf, to_send);
if (has_cntl) {
/*
* hex messages get logged as 2 bytes, so we can only
* send half as much in each message
*/
max_execve_audit_len = MAX_EXECVE_AUDIT_LEN / 2;
break;
}
len_left -= to_send;
tmp_p += to_send;
} while (len_left > 0);
audit_log_format(ab, "a%d=", i);
audit_log_untrustedstring(ab, buf);
audit_log_format(ab, "\n");
len_left = len;
kfree(buf);
if (len > max_execve_audit_len)
too_long = 1;
/* rewalk the argument actually logging the message */
for (i = 0; len_left > 0; i++) {
int room_left;
if (len_left > max_execve_audit_len)
to_send = max_execve_audit_len;
else
to_send = len_left;
/* do we have space left to send this argument in this ab? */
room_left = MAX_EXECVE_AUDIT_LEN - arg_num_len - *len_sent;
if (has_cntl)
room_left -= (to_send * 2);
else
room_left -= to_send;
if (room_left < 0) {
*len_sent = 0;
audit_log_end(*ab);
*ab = audit_log_start(context, GFP_KERNEL, AUDIT_EXECVE);
if (!*ab)
return 0;
}
/*
* first record needs to say how long the original string was
* so we can be sure nothing was lost.
*/
if ((i == 0) && (too_long))
audit_log_format(*ab, "a%d_len=%ld ", arg_num,
has_cntl ? 2*len : len);
/*
* normally arguments are small enough to fit and we already
* filled buf above when we checked for control characters
* so don't bother with another copy_from_user
*/
if (len >= max_execve_audit_len)
ret = copy_from_user(buf, p, to_send);
else
ret = 0;
if (ret) {
WARN_ON(1);
send_sig(SIGKILL, current, 0);
}
buf[to_send] = '\0';
/* actually log it */
audit_log_format(*ab, "a%d", arg_num);
if (too_long)
audit_log_format(*ab, "[%d]", i);
audit_log_format(*ab, "=");
if (has_cntl)
audit_log_hex(*ab, buf, to_send);
else
audit_log_format(*ab, "\"%s\"", buf);
audit_log_format(*ab, "\n");
p += to_send;
len_left -= to_send;
*len_sent += arg_num_len;
if (has_cntl)
*len_sent += to_send * 2;
else
*len_sent += to_send;
}
/* include the null we didn't log */
return len + 1;
}
static void audit_log_execve_info(struct audit_context *context,
struct audit_buffer **ab,
struct audit_aux_data_execve *axi)
{
int i;
size_t len, len_sent = 0;
const char __user *p;
char *buf;
if (axi->mm != current->mm)
return; /* execve failed, no additional info */
p = (const char __user *)axi->mm->arg_start;
audit_log_format(*ab, "argc=%d ", axi->argc);
/*
* we need some kernel buffer to hold the userspace args. Just
* allocate one big one rather than allocating one of the right size
* for every single argument inside audit_log_single_execve_arg()
* should be <8k allocation so should be pretty safe.
*/
buf = kmalloc(MAX_EXECVE_AUDIT_LEN + 1, GFP_KERNEL);
if (!buf) {
audit_panic("out of memory for argv string\n");
return;
}
for (i = 0; i < axi->argc; i++) {
len = audit_log_single_execve_arg(context, ab, i,
&len_sent, p, buf);
if (len <= 0)
break;
p += len;
}
kfree(buf);
}
static void audit_log_exit(struct audit_context *context, struct task_struct *tsk)
@ -1039,7 +1196,7 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
" a0=%lx a1=%lx a2=%lx a3=%lx items=%d"
" ppid=%d pid=%d auid=%u uid=%u gid=%u"
" euid=%u suid=%u fsuid=%u"
" egid=%u sgid=%u fsgid=%u tty=%s",
" egid=%u sgid=%u fsgid=%u tty=%s ses=%u",
context->argv[0],
context->argv[1],
context->argv[2],
@ -1047,11 +1204,12 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
context->name_count,
context->ppid,
context->pid,
context->loginuid,
tsk->loginuid,
context->uid,
context->gid,
context->euid, context->suid, context->fsuid,
context->egid, context->sgid, context->fsgid, tty);
context->egid, context->sgid, context->fsgid, tty,
tsk->sessionid);
mutex_unlock(&tty_mutex);
@ -1135,7 +1293,7 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
case AUDIT_EXECVE: {
struct audit_aux_data_execve *axi = (void *)aux;
audit_log_execve_info(ab, axi);
audit_log_execve_info(context, &ab, axi);
break; }
case AUDIT_SOCKETCALL: {
@ -1168,13 +1326,19 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
for (i = 0; i < axs->pid_count; i++)
if (audit_log_pid_context(context, axs->target_pid[i],
axs->target_sid[i]))
axs->target_auid[i],
axs->target_uid[i],
axs->target_sessionid[i],
axs->target_sid[i],
axs->target_comm[i]))
call_panic = 1;
}
if (context->target_pid &&
audit_log_pid_context(context, context->target_pid,
context->target_sid))
context->target_auid, context->target_uid,
context->target_sessionid,
context->target_sid, context->target_comm))
call_panic = 1;
if (context->pwd && context->pwdmnt) {
@ -1242,6 +1406,11 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
audit_log_end(ab);
}
/* Send end of event record to help user space know we are finished */
ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE);
if (ab)
audit_log_end(ab);
if (call_panic)
audit_panic("error converting sid to string");
}
@ -1766,6 +1935,9 @@ void auditsc_get_stamp(struct audit_context *ctx,
ctx->auditable = 1;
}
/* global counter which is incremented every time something logs in */
static atomic_t session_id = ATOMIC_INIT(0);
/**
* audit_set_loginuid - set a task's audit_context loginuid
* @task: task whose audit context is being modified
@ -1777,40 +1949,28 @@ void auditsc_get_stamp(struct audit_context *ctx,
*/
int audit_set_loginuid(struct task_struct *task, uid_t loginuid)
{
unsigned int sessionid = atomic_inc_return(&session_id);
struct audit_context *context = task->audit_context;
if (context) {
/* Only log if audit is enabled */
if (context->in_syscall) {
struct audit_buffer *ab;
if (context && context->in_syscall) {
struct audit_buffer *ab;
ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN);
if (ab) {
audit_log_format(ab, "login pid=%d uid=%u "
"old auid=%u new auid=%u",
task->pid, task->uid,
context->loginuid, loginuid);
audit_log_end(ab);
}
ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN);
if (ab) {
audit_log_format(ab, "login pid=%d uid=%u "
"old auid=%u new auid=%u"
" old ses=%u new ses=%u",
task->pid, task->uid,
task->loginuid, loginuid,
task->sessionid, sessionid);
audit_log_end(ab);
}
context->loginuid = loginuid;
}
task->sessionid = sessionid;
task->loginuid = loginuid;
return 0;
}
/**
* audit_get_loginuid - get the loginuid for an audit_context
* @ctx: the audit_context
*
* Returns the context's loginuid or -1 if @ctx is NULL.
*/
uid_t audit_get_loginuid(struct audit_context *ctx)
{
return ctx ? ctx->loginuid : -1;
}
EXPORT_SYMBOL(audit_get_loginuid);
/**
* __audit_mq_open - record audit data for a POSIX MQ open
* @oflag: open flag
@ -2070,8 +2230,6 @@ int __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode
return 0;
}
int audit_argv_kb = 32;
int audit_bprm(struct linux_binprm *bprm)
{
struct audit_aux_data_execve *ax;
@ -2080,14 +2238,6 @@ int audit_bprm(struct linux_binprm *bprm)
if (likely(!audit_enabled || !context || context->dummy))
return 0;
/*
* Even though the stack code doesn't limit the arg+env size any more,
* the audit code requires that _all_ arguments be logged in a single
* netlink skb. Hence cap it :-(
*/
if (bprm->argv_len > (audit_argv_kb << 10))
return -E2BIG;
ax = kmalloc(sizeof(*ax), GFP_KERNEL);
if (!ax)
return -ENOMEM;
@ -2193,7 +2343,11 @@ void __audit_ptrace(struct task_struct *t)
struct audit_context *context = current->audit_context;
context->target_pid = t->pid;
context->target_auid = audit_get_loginuid(t);
context->target_uid = t->uid;
context->target_sessionid = audit_get_sessionid(t);
selinux_get_task_sid(t, &context->target_sid);
memcpy(context->target_comm, t->comm, TASK_COMM_LEN);
}
/**
@ -2216,8 +2370,8 @@ int __audit_signal_info(int sig, struct task_struct *t)
if (audit_pid && t->tgid == audit_pid) {
if (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1) {
audit_sig_pid = tsk->pid;
if (ctx)
audit_sig_uid = ctx->loginuid;
if (tsk->loginuid != -1)
audit_sig_uid = tsk->loginuid;
else
audit_sig_uid = tsk->uid;
selinux_get_task_sid(tsk, &audit_sig_sid);
@ -2230,7 +2384,11 @@ int __audit_signal_info(int sig, struct task_struct *t)
* in audit_context */
if (!ctx->target_pid) {
ctx->target_pid = t->tgid;
ctx->target_auid = audit_get_loginuid(t);
ctx->target_uid = t->uid;
ctx->target_sessionid = audit_get_sessionid(t);
selinux_get_task_sid(t, &ctx->target_sid);
memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN);
return 0;
}
@ -2247,7 +2405,11 @@ int __audit_signal_info(int sig, struct task_struct *t)
BUG_ON(axp->pid_count >= AUDIT_AUX_PIDS);
axp->target_pid[axp->pid_count] = t->tgid;
axp->target_auid[axp->pid_count] = audit_get_loginuid(t);
axp->target_uid[axp->pid_count] = t->uid;
axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t);
selinux_get_task_sid(t, &axp->target_sid[axp->pid_count]);
memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN);
axp->pid_count++;
return 0;
@ -2264,6 +2426,8 @@ void audit_core_dumps(long signr)
{
struct audit_buffer *ab;
u32 sid;
uid_t auid = audit_get_loginuid(current);
unsigned int sessionid = audit_get_sessionid(current);
if (!audit_enabled)
return;
@ -2272,9 +2436,8 @@ void audit_core_dumps(long signr)
return;
ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
audit_log_format(ab, "auid=%u uid=%u gid=%u",
audit_get_loginuid(current->audit_context),
current->uid, current->gid);
audit_log_format(ab, "auid=%u uid=%u gid=%u ses=%u",
auid, current->uid, current->gid, sessionid);
selinux_get_task_sid(current, &sid);
if (sid) {
char *ctx = NULL;

11
kernel/sysctl.c
View File

@ -81,7 +81,6 @@ extern int percpu_pagelist_fraction;
extern int compat_log;
extern int maps_protect;
extern int sysctl_stat_interval;
extern int audit_argv_kb;
extern int latencytop_enabled;
/* Constants used for minimum and maximum */
@ -390,16 +389,6 @@ static struct ctl_table kern_table[] = {
.mode = 0644,
.proc_handler = &proc_dointvec,
},
#ifdef CONFIG_AUDITSYSCALL
{
.ctl_name = CTL_UNNUMBERED,
.procname = "audit_argv_kb",
.data = &audit_argv_kb,
.maxlen = sizeof(int),
.mode = 0644,
.proc_handler = &proc_dointvec,
},
#endif
{
.ctl_name = KERN_CORE_PATTERN,
.procname = "core_pattern",

15
net/core/dev.c
View File

@ -2752,12 +2752,15 @@ static void __dev_set_promiscuity(struct net_device *dev, int inc)
printk(KERN_INFO "device %s %s promiscuous mode\n",
dev->name, (dev->flags & IFF_PROMISC) ? "entered" :
"left");
audit_log(current->audit_context, GFP_ATOMIC,
AUDIT_ANOM_PROMISCUOUS,
"dev=%s prom=%d old_prom=%d auid=%u",
dev->name, (dev->flags & IFF_PROMISC),
(old_flags & IFF_PROMISC),
audit_get_loginuid(current->audit_context));
if (audit_enabled)
audit_log(current->audit_context, GFP_ATOMIC,
AUDIT_ANOM_PROMISCUOUS,
"dev=%s prom=%d old_prom=%d auid=%u uid=%u gid=%u ses=%u",
dev->name, (dev->flags & IFF_PROMISC),
(old_flags & IFF_PROMISC),
audit_get_loginuid(current),
current->uid, current->gid,
audit_get_sessionid(current));
if (dev->change_rx_flags)
dev->change_rx_flags(dev, IFF_PROMISC);

14
net/key/af_key.c
View File

@ -1466,7 +1466,7 @@ static int pfkey_add(struct sock *sk, struct sk_buff *skb, struct sadb_msg *hdr,
err = xfrm_state_update(x);
xfrm_audit_state_add(x, err ? 0 : 1,
audit_get_loginuid(current->audit_context), 0);
audit_get_loginuid(current), 0);
if (err < 0) {
x->km.state = XFRM_STATE_DEAD;
@ -1520,7 +1520,7 @@ static int pfkey_delete(struct sock *sk, struct sk_buff *skb, struct sadb_msg *h
km_state_notify(x, &c);
out:
xfrm_audit_state_delete(x, err ? 0 : 1,
audit_get_loginuid(current->audit_context), 0);
audit_get_loginuid(current), 0);
xfrm_state_put(x);
return err;
@ -1695,7 +1695,7 @@ static int pfkey_flush(struct sock *sk, struct sk_buff *skb, struct sadb_msg *hd
if (proto == 0)
return -EINVAL;
audit_info.loginuid = audit_get_loginuid(current->audit_context);
audit_info.loginuid = audit_get_loginuid(current);
audit_info.secid = 0;
err = xfrm_state_flush(proto, &audit_info);
if (err)
@ -2273,7 +2273,7 @@ static int pfkey_spdadd(struct sock *sk, struct sk_buff *skb, struct sadb_msg *h
hdr->sadb_msg_type != SADB_X_SPDUPDATE);
xfrm_audit_policy_add(xp, err ? 0 : 1,
audit_get_loginuid(current->audit_context), 0);
audit_get_loginuid(current), 0);
if (err)
goto out;
@ -2356,7 +2356,7 @@ static int pfkey_spddelete(struct sock *sk, struct sk_buff *skb, struct sadb_msg
return -ENOENT;
xfrm_audit_policy_delete(xp, err ? 0 : 1,
audit_get_loginuid(current->audit_context), 0);
audit_get_loginuid(current), 0);
if (err)
goto out;
@ -2617,7 +2617,7 @@ static int pfkey_spdget(struct sock *sk, struct sk_buff *skb, struct sadb_msg *h
if (delete) {
xfrm_audit_policy_delete(xp, err ? 0 : 1,
audit_get_loginuid(current->audit_context), 0);
audit_get_loginuid(current), 0);
if (err)
goto out;
@ -2694,7 +2694,7 @@ static int pfkey_spdflush(struct sock *sk, struct sk_buff *skb, struct sadb_msg
struct xfrm_audit audit_info;
int err;
audit_info.loginuid = audit_get_loginuid(current->audit_context);
audit_info.loginuid = audit_get_loginuid(current);
audit_info.secid = 0;
err = xfrm_policy_flush(XFRM_POLICY_TYPE_MAIN, &audit_info);
if (err)

2
net/netlink/af_netlink.c
View File

@ -1238,7 +1238,7 @@ static int netlink_sendmsg(struct kiocb *kiocb, struct socket *sock,
NETLINK_CB(skb).pid = nlk->pid;
NETLINK_CB(skb).dst_group = dst_group;
NETLINK_CB(skb).loginuid = audit_get_loginuid(current->audit_context);
NETLINK_CB(skb).loginuid = audit_get_loginuid(current);
selinux_get_task_sid(current, &(NETLINK_CB(skb).sid));
memcpy(NETLINK_CREDS(skb), &siocb->scm->creds, sizeof(struct ucred));

2
net/xfrm/xfrm_state.c
View File

@ -493,7 +493,7 @@ expired:
km_state_expired(x, 1, 0);
xfrm_audit_state_delete(x, err ? 0 : 1,
audit_get_loginuid(current->audit_context), 0);
audit_get_loginuid(current), 0);
out:
spin_unlock(&x->lock);

17
security/selinux/selinuxfs.c
View File

@ -172,9 +172,10 @@ static ssize_t sel_write_enforce(struct file * file, const char __user * buf,
if (length)
goto out;
audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS,
"enforcing=%d old_enforcing=%d auid=%u", new_value,
selinux_enforcing,
audit_get_loginuid(current->audit_context));
"enforcing=%d old_enforcing=%d auid=%u ses=%u",
new_value, selinux_enforcing,
audit_get_loginuid(current),
audit_get_sessionid(current));
selinux_enforcing = new_value;
if (selinux_enforcing)
avc_ss_reset(0);
@ -243,8 +244,9 @@ static ssize_t sel_write_disable(struct file * file, const char __user * buf,
if (length < 0)
goto out;
audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS,
"selinux=0 auid=%u",
audit_get_loginuid(current->audit_context));
"selinux=0 auid=%u ses=%u",
audit_get_loginuid(current),
audit_get_sessionid(current));
}
length = count;
@ -356,8 +358,9 @@ out1:
(security_get_allow_unknown() ? "allow" : "deny")));
audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_POLICY_LOAD,
"policy loaded auid=%u",
audit_get_loginuid(current->audit_context));
"policy loaded auid=%u ses=%u",
audit_get_loginuid(current),
audit_get_sessionid(current));
out:
mutex_unlock(&sel_mutex);
vfree(data);

5
security/selinux/ss/services.c
View File

@ -1905,11 +1905,12 @@ int security_set_bools(int len, int *values)
if (!!values[i] != policydb.bool_val_to_struct[i]->state) {
audit_log(current->audit_context, GFP_ATOMIC,
AUDIT_MAC_CONFIG_CHANGE,
"bool=%s val=%d old_val=%d auid=%u",
"bool=%s val=%d old_val=%d auid=%u ses=%u",
policydb.p_bool_val_to_name[i],
!!values[i],
policydb.bool_val_to_struct[i]->state,
audit_get_loginuid(current->audit_context));
audit_get_loginuid(current),
audit_get_sessionid(current));
}
if (values[i]) {
policydb.bool_val_to_struct[i]->state = 1;